Snort 2.8.5.2 no longer receives rule updates

Bug #872582 reported by mikelococo
Affects: snort (Ubuntu) | Status: Fix Released | Importance: Wishlist | Assigned to: Unassigned | Milestone: none

Bug Description

The version of Snort slated for release with 11.10 is deprecated by its developers and should be updated to a current version. Snort 2.8.5.2 is slated for release with Oneiric, but Snort 2.9.1.1 is current. Although in many projects this notation would represent a small version bump, in the Snort project it represents a significant amount of development work and, more importantly, compatibility breaks in the supported syntax for rules.

Snort 2.8.5.2 was released almost 2 years ago, in December of 2009 [1], and was EOL'ed at least a year ago, by October 2010 [2]. It's no longer possible to download rules targeted toward the 2.8.5 series from Snort.org [3]. Additionally, many new features are available in the 2.9.1 series, including improvements in preprocessors that handle web, VoIP, and email traffic [4]. While it's possible to download 2.8.5-compatible rules from the Emerging Threats project, Ubuntu should track the current release of Snort with each new release of Ubuntu, as it does with other projects.

[1] http://seclists.org/snort/2009/q4/588
[2] http://www.mcabee.org/lists/snort-users/Oct-10/msg00019.html
[3] http://www.snort.org/snort-rules/#rules
[4] http://blog.snort.org/2011/08/snort-291-has-been-released-including.html

Ilya Barygin (randomaction) wrote :

Note: 2.9.0.1 is available in Debian experimental.

tags: added: upgrade-software-version
Changed in snort (Ubuntu):
status: New → Confirmed
importance: Undecided → Wishlist
mikelococo (mikelococo) wrote :

Thanks for responding to this bug. I would classify this as medium instead of wishlist, though. The inability to run current rules severely impacts this non-core application: the sole function of Snort is to check traffic against an up-to-date list of signatures that correspond to malicious traffic, and that functionality is crippled by the inability of this version to operate with current sigs.

There is also a security impact to this bug because Snort is an application that users expect to provide security protection, similar to anti-virus. As a network-based security application, it may be used to provide protection to many systems at once (I operate Snort sensors that protect tens of thousands of client-systems by inspecting traffic at the border of my network). Like anti-virus sigs that are a year or more old, the sigs that this version of Snort is capable of running provide much less protection than current versions and probably less protection than users believe they are getting.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package snort - 2.9.2-3ubuntu1

---------------
snort (2.9.2-3ubuntu1) precise; urgency=low

  * Merge from Debian testing. (LP: #931454) Remaining changes:
    - debian/rules: use mysql_config to find libraries to fix FTBFS with
      multiarch libmysqlclient.
  * Dropped "Fixed typo in snort.8": patched upstream.

snort (2.9.2-3) unstable; urgency=low

  * Restore code from the 2.8.5.2-5 package onwards which was lost when
    the version of experimental was moved to the archive.
     - Now /var/lib/snort is created through package configuration, as
       it should have been
     - Remove md5sum files when purging (Closes: #657038)
  * debian/rules:
      - Enable IPv6 support which was optional in version 2.8 for the Snort
        binary package. This is not enabled for the database binary packages
        (snort-pgsql and snort-mysql) as the database schemas do not support
        IPv6. (Closes: #633064) (LP: #703707)
      - Include the quilt makefile and add dependencies in -stamp and
        clean targets
  * debian/snort.init.d:
      - Do not abort if the package is not configured to use a database but
        the db-pending-config semaphore is found. Remove it instead and
        continue. This can happen if a database-related package was installed,
        removed and then 'snort' is installed afterwards.
        (LP: #316878, #639755, #722488, #754230, #798608, #876615, #816634, #891904, #918250)
  * debian/snort-{mysql,pgsql}.postrm:
      - Remove the db-pending-config semaphore file when removing the package.
        This prevents errors with the snort.init.d logic if a database package
        is left unconfigured and then replaced with the snort (non-database)
        package.
  * debian/README-database.Debian: Indicate that database support will be
    deprecated in 2.9 and document that IPv6 is not supported either
  * debian/control:
     - Add Build-Depends on quilt
     - Add VCS entries
     - Put the complete maintainer's name in UTF-8
     - Change Uploaders, add Andrew Pollock and remove Pascal Hakim
     - Update Standards Version

snort (2.9.2-2) unstable; urgency=low

  * debian/control: Add net-tools to Depends: of snort, snort-mysql and
    snort-pgsql since 'ifconfig' is required for the configuration script
    to work. (Closes: #656445)
  * debian/snort{,-mysql,-psql}.postinst: Create the checksum directory if it
    does not exist right at the beginning since it might not be created.
    (Closes: #656445)

snort (2.9.2-1) unstable; urgency=low

  [ Andrew Pollock ]
  * New upstream release, upload to unstable
     - Fixes CVE-2009-3641: DoS while printing specially-crafted IPv6 packet
       using the -v option (Closes: 553584)
     - The package no longer build-depends on iptables-dev and the negated list
       of architectures is no longer used (Closes: 634660)
     - debian/patches/config: Patch the configuration file to remove include
       files not currently available (Closes: #619446)
     - This version is fully supported rule-wise (LP: #872582)
  * Switch to dpkg-source 3.0 (quilt) format
  * Port across all changes from Snort 2.8.5.2-5 and later in unstable
  * debi...

Changed in snort (Ubuntu):
status: Confirmed → Fix Released