Posted by: Dan O'Connor
ids, ips, oisf, snort, suricata, vrt
I have been following this since there was first talk of creating a new engine. They have released version 0.80.
The engine loads the existing Snort-format rule sets, including the VRT rules, out of the box.
Once I complete my exam this week I will have some extra time and will provide install instructions for FreeBSD.
The list of what they have added is already extensive, and more features are on the way, as listed in the official documentation. The highlights:
Automatic Protocol Detection
- IP, TCP, UDP, ICMP, HTTP, TLS, FTP and SMB.
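To make the "automatic" part concrete, here is an added example (my own illustration, not code from the Suricata engine) that classifies the first client-to-server bytes of a flow as HTTP, TLS, FTP or SMB without looking at the port. The sample flows are constructed; the byte patterns used are the well-known protocol markers (HTTP request line, TLS handshake record with a ClientHello, NetBIOS-framed SMB header, FTP commands and the 220 banner).

```python
import re

# Constructed flows: (destination port, first client-to-server bytes).
# Two of them sit on non-standard ports to show that the port is never consulted.
SAMPLE_FLOWS = [
    (8080, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32),
    (445, b"\x00\x00\x00\x2f\xffSMBr\x00\x00\x00\x00\x18\x53\xc8"),
    (2121, b"USER anonymous\r\n"),
    (9999, b"\x00\x01\x02\x03"),
]

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"TRACE ")
HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r?\n")
FTP_COMMAND = re.compile(rb"^(USER|PASS|QUIT|FEAT|AUTH|SYST) ?[^\r\n]*\r?\n")
FTP_BANNER = re.compile(rb"^220[ -]")


def detect_protocol(payload, to_server=True):
    """Classify the first payload bytes of a flow by content alone.
    Returns 'http', 'tls', 'ftp', 'smb' or 'unknown'."""
    if not payload:
        return "unknown"
    # TLS record: content type 0x16 (handshake), version major 3, then the
    # handshake type: 0x01 ClientHello from the client, 0x02 ServerHello back.
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[5] == (0x01 if to_server else 0x02)):
        return "tls"
    # SMB over the NetBIOS session service: 4-byte header (type 0x00 + length),
    # then 0xFF 'SMB' (SMB1) or 0xFE 'SMB' (SMB2).
    if (len(payload) >= 8 and payload[0] == 0x00
            and payload[4:8] in (b"\xffSMB", b"\xfeSMB")):
        return "smb"
    if to_server:
        if payload.startswith(HTTP_METHODS) and HTTP_REQUEST_LINE.match(payload):
            return "http"
        if FTP_COMMAND.match(payload):
            return "ftp"
    else:
        if payload.startswith(b"HTTP/1."):
            return "http"
        if FTP_BANNER.match(payload):
            return "ftp"
    return "unknown"


def classify_flows(flows):
    """Return [(port, protocol)] for a list of (port, first_payload) pairs."""
    return [(port, detect_protocol(payload)) for port, payload in flows]


if __name__ == "__main__":
    for port, proto in classify_flows(SAMPLE_FLOWS):
        print(f"port {port:5d} -> {proto}")
```

A real engine has to do this on reassembled stream data and for both directions; the point here is only that the classification key is the payload, so HTTP on 8080 or a TLS ClientHello on an odd port still gets the right parser attached.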
Independent HTP Library
- A fully independent HTP (HTTP parsing) library, also released under the GPLv2.
Standard Input Methods
- You can use NFQueue, IPFRing, and the standard libpcap to capture traffic.
Output Compatibility
- You can keep using your standard output tools and methods with the new engine; the output is fully compatible.
Flow Variables
- It is possible to capture information out of a stream, save it in a variable and match on it again later in the same stream.
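As an added illustration of the capture-then-match idea (my own code, not the engine's flow variable implementation), the example below keeps a per-flow variable store: the first rule captures the Host header of the first request on a TCP flow, and a second rule fires when a later request on the same flow carries a different Host. The packets are constructed; the flow keys "A" and "B" stand in for the 5-tuple.

```python
import re

# Host header of an HTTP request; group 1 is the value.
HOST_HEADER = re.compile(rb"\r\nHost: ([^\r\n]+)\r\n")


class FlowVars:
    """Per-flow variable store (added illustration, not the engine's own code)."""

    def __init__(self):
        self._vars = {}  # flow key -> {variable name: value}

    def get(self, flow, name):
        return self._vars.get(flow, {}).get(name)

    def set(self, flow, name, value):
        self._vars.setdefault(flow, {})[name] = value


def host_switch_events(packets):
    """packets: (flow_key, payload) in arrival order, client-to-server only.
    Rule 1 captures the Host of the first request on a flow into the variable
    'host'; rule 2 fires when a later request on the same flow uses another Host.
    Returns a list of (flow_key, first_host, new_host)."""
    store = FlowVars()
    events = []
    for flow, payload in packets:
        m = HOST_HEADER.search(payload)
        if m is None:
            continue  # not an HTTP request with a Host header
        host = m.group(1)
        saved = store.get(flow, "host")
        if saved is None:
            store.set(flow, "host", host)      # rule 1: capture
        elif saved != host:
            events.append((flow, saved, host))  # rule 2: match against the capture
    return events


# Constructed packets: flow "A" is a normal keep-alive session, flow "B" switches hosts.
SAMPLE_PACKETS = [
    ("A", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("B", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("A", b"GET /about HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("B", b"GET /admin HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for flow, first, new in host_switch_events(SAMPLE_PACKETS):
        print(f"flow {flow}: Host changed from {first!r} to {new!r}")
```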
Fast IP Matching
- The engine automatically takes rules that match on IP addresses only (such as the RBN and compromised-IP lists from Emerging Threats) and puts them into a special fast-matching preprocessor, so they never go through payload inspection.
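The example below (added here, not the engine's implementation) shows what "IP matches only" means in practice: it parses a few Snort-format rules, sorts those that need no ports and no payload or flow options into an IP-only list, and matches packets against that list by address alone. The rules, sids, address variables and the keyword list that disqualifies a rule from the fast path are all constructed for the example; the engine's real criteria are broader, and negated or nested address variables are not handled here.

```python
import ipaddress
import re

# Constructed address variables (assumption: plain CIDR or "any", no negation).
ADDRESS_VARS = {"$HOME_NET": "10.0.0.0/8", "$EXTERNAL_NET": "any"}

# Option keywords that require payload or flow inspection (assumed list). A rule
# using any of them cannot be decided on addresses alone.
INSPECT_KEYWORDS = {"content", "uricontent", "pcre", "flow", "flowbits", "flowvar",
                    "dsize", "byte_test", "byte_jump", "isdataat", "flags"}

# action proto src sport dir dst dport (options)   -- "<>" is treated like "->" here
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(?:->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

# Constructed rules; sids are placeholders, not real ET or VRT sids.
SAMPLE_RULES = """
alert ip [198.51.100.0/24,203.0.113.7] any -> $HOME_NET any (msg:"Listed host inbound"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Traversal attempt"; content:"/etc/passwd"; sid:1000002; rev:1;)
alert ip $HOME_NET any -> 192.0.2.0/24 any (msg:"Outbound to listed range"; sid:1000003; rev:1;)
"""


def parse_addresses(spec):
    """Expand 'any', a CIDR/host, a $VAR or a [a,b,...] list; None means any."""
    spec = ADDRESS_VARS.get(spec, spec)
    if spec == "any":
        return None
    if spec.startswith("[") and spec.endswith("]"):
        return [ipaddress.ip_network(p, strict=False) for p in spec[1:-1].split(",")]
    return [ipaddress.ip_network(spec, strict=False)]


def parse_options(opts):
    """Split 'key:value; key; ...' into (key, value) pairs, ignoring ';' inside quotes."""
    pairs, buf, quoted = [], "", False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            item = buf.strip()
            if item:
                key, _, val = item.partition(":")
                pairs.append((key.strip(), val.strip().strip('"')))
            buf = ""
        else:
            buf += ch
    return pairs


def compile_rules(rule_text):
    """Return (ip_only, general): rules decidable on addresses alone vs the rest."""
    ip_only, general = [], []
    for line in rule_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsed rule: " + line)
        pairs = parse_options(m["opts"])
        opts = dict(pairs)
        rule = {"sid": int(opts["sid"]), "msg": opts.get("msg", ""),
                "src": parse_addresses(m["src"]), "dst": parse_addresses(m["dst"])}
        ports_any = m["sport"] == "any" and m["dport"] == "any"
        if ports_any and not (INSPECT_KEYWORDS & {k for k, _ in pairs}):
            ip_only.append(rule)
        else:
            general.append(rule)
    return ip_only, general


def _addr_in(nets, ip):
    return nets is None or any(ip in n for n in nets)


def match_ip_only(ip_only, src_ip, dst_ip):
    """Address-only check for one packet: sids of IP-only rules that fire."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return [r["sid"] for r in ip_only if _addr_in(r["src"], src) and _addr_in(r["dst"], dst)]


if __name__ == "__main__":
    fast, slow = compile_rules(SAMPLE_RULES)
    print("IP-only:", [r["sid"] for r in fast], "general:", [r["sid"] for r in slow])
    print("203.0.113.7 -> 10.1.2.3 fires", match_ip_only(fast, "203.0.113.7", "10.1.2.3"))
```

The second rule is excluded from the fast path twice over: it restricts the destination port and it carries a content match, so it has to wait for the normal payload-inspection stage.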
HTTP Log Module
- All HTTP requests can be written automatically to an Apache-style log file. This is very useful for monitoring and logging activity completely independently of rule sets and matching; if you need to, you can run the engine purely as an HTTP logging sniffer.
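What you gain from a rule-independent HTTP log is the ability to hunt over it afterwards. The added example below (my own code, not part of the engine) assumes the log is in Apache "combined" format, parses it, and flags clients whose requests are mostly 4xx errors or contain a directory-traversal sequence, which is what a web scanner looks like in such a log. The log lines are constructed, not real engine output.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache "combined" format (assumption: the engine's
# HTTP log is consumed like any Apache-style log). Not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Jan/2010:08:56:21 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.0.0.5 - - [07/Jan/2010:08:56:22 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "http://example.com/index.html" "Mozilla/5.0"
198.51.100.9 - - [07/Jan/2010:09:01:02 +0000] "GET /admin/ HTTP/1.0" 404 209 "-" "Nikto/2.1.0"
198.51.100.9 - - [07/Jan/2010:09:01:02 +0000] "GET /cgi-bin/test-cgi HTTP/1.0" 404 209 "-" "Nikto/2.1.0"
198.51.100.9 - - [07/Jan/2010:09:01:03 +0000] "GET /../../etc/passwd HTTP/1.0" 400 226 "-" "Nikto/2.1.0"
198.51.100.9 - - [07/Jan/2010:09:01:03 +0000] "GET /phpmyadmin/ HTTP/1.0" 404 209 "-" "Nikto/2.1.0"
"""

COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<version>[^"]+)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def parse_log(text):
    """Parse a whole log, silently skipping lines that do not match."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def suspicious_clients(records, min_requests=3, error_ratio=0.5):
    """Clients whose 4xx share suggests enumeration, or who sent a '../' traversal.
    Returns {client: summary} with request/error/traversal counts and user agents."""
    per = defaultdict(lambda: {"requests": 0, "errors": 0, "traversal": 0, "agents": set()})
    for r in records:
        s = per[r["client"]]
        s["requests"] += 1
        s["errors"] += 400 <= r["status"] < 500
        s["traversal"] += "../" in r["path"]
        s["agents"].add(r["agent"])
    flagged = {}
    for client, s in per.items():
        noisy = s["requests"] >= min_requests and s["errors"] / s["requests"] >= error_ratio
        if s["traversal"] or noisy:
            flagged[client] = {**s, "agents": sorted(s["agents"])}
    return flagged


if __name__ == "__main__":
    for client, summary in suspicious_clients(parse_log(SAMPLE_LOG)).items():
        print(client, summary)
```

Because the log is produced regardless of which signatures are loaded, this kind of after-the-fact query catches activity that no rule fired on, which is exactly the case the logging-sniffer mode is meant for.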