Snort 1.7 ships
Snort 1.7 has been released as stable. Three months of using the beta on my own sensor has given me confidence to deploy. A short note on the upgrade and on what is now operationally feasible.
Long-form thinking on cyber defence, detection, and resilience — from Slackware-era honeypots through to AI-driven SOC analytics.
Showing posts tagged snort — 8 results.
I committed to writing a custom Snort preprocessor as a learning exercise. A weekend later I have a working one. The exercise has taught me more about Snort's internals than any amount of reading.
Snort 1.7 is in beta. Reading the source has clarified several things about how the engine actually processes packets, and revealed a few design decisions that I think are going to influence future IDS work.
Six months on from a serious overhaul of my Snort ruleset, time for a structured review. What is firing usefully, what is producing noise, what I have learned about rule design from running them at scale.
A scan footprint that does not match any tool I recognise. A walk through the diagnostic process — what I tried, what I ruled out, what I think it actually was.
Pure pattern-matching IDS engines are easy to evade. Snort's plugin architecture is starting to ship modules that defeat specific evasion techniques. A walk through how preprocessors work and why they matter.
Two weeks of trying to write Snort rules that fire on actual attacks and stay silent on actual non-attacks. The lessons are nearly all about negative space — what your rule does not match.
Marty Roesch has just released Snort, an open-source network intrusion detection system. I have been running it for a fortnight. It is small, fast, and the rule language is one of those rare things that is obviously right.