Snort 1.7 ships
Snort 1.7 has been released as stable. Three months of using the beta on my own sensor has given me confidence to deploy. A short note on the upgrade and on what is now operationally feasible.
Long-form thinking on cyber defence, detection, and resilience — from Slackware-era honeypots through to AI-driven SOC analytics.
Showing posts tagged ids — 6 results.
I committed to writing a custom Snort preprocessor as a learning exercise. A weekend later I have a working one. The exercise has taught me more about Snort's internals than any amount of reading.
Pure pattern-matching IDS engines are easy to evade. Snort's plugin architecture is starting to ship modules that defeat specific evasion techniques. A walk through how preprocessors work and why they matter.
Two weeks of trying to write Snort rules that fire on actual attacks and stay silent on actual non-attacks. The lessons are nearly all about negative space — what your rule does not match.
An opening note for the year. The five trends in defensive computing I expect to spend my evenings on, with notes on why each one is interesting beyond its current obvious form.
Marty Roesch has just released Snort, an open-source network intrusion detection system. I have been running it for a fortnight. It is small, fast, and the rule language is one of those rare things that is obviously right.