Convenience

We did a number of things to make Snort_inline a little more convenient for inline users.

• inline is enabled by default in ./configure
• we got rid of libnet 1.0.2a, switched to libdnet 1.1 instead
• a snort_inline specific manual page was added, as well as some extra docs
• a example configuration file for inline use is supplied

Added functionality

• we support Linux’ new queue’ing mechanism called nfqueue. This was contributed by Nitro Security. Nfqueue supports running multiple copies of Snort_inline to take advantage of SMP and reduce risk of denial of service when Snort_inline should crash.
• stickydrop preprocessor enables you to add options to the rules to block an ipaddress for a configurable amount of time
• bait-and-switch preprocessor (Linux only) allows you to redirect traffic from a host to a honeypot based on the rules
• clamav preprocessor is included (you still need to pass –enable-clamav to ./configure)
• reinject action for FreeBSD: reinjects an accepted packet into the ipfw list at a specific rule number

Improved for inline use

• reject action can send RST packets to both source and destination
• stream4 can drop attacks detected in the reassembled stream. It also enforces the TCP window. It implements a number of ideas from Vern Paxson on TCP reassembly, such as a limit on the number of out of order packets and bytes that are accepted in a stream.
• some fixes for FreeBSD

As the list shows, if you are interested in Snort running inline, using Snort_inline might be a better choice for you!

Will is preparing a release based on this, which should also build with ClamAV 0.90.

Anyway, svn is up to date, so if you are using Snort_inline and rely on the DCE/RPC preprocessor, please pull the code from svn.

Check it out!