New versions of Snort (Beta and Production) are both out. Release notes are here ==> http://www.snort.org/news/2010/07/28/snort-2-8-6-1-and-snort-2-9-beta-released/
New features that I'm finding interesting in 2.9 (Beta):
- A Data Acquisition API (DAQ) is introduced in this version
- A byte extract option that bears some investigation - this allows extracted values from one rule to be used in subsequent rule options
- Some welcome updates for IPv6
- Support for Intel's QuickAssist for use in pattern matching. This is by far the most interesting feature in the bunch (to me at least) - support for hardware-based acceleration (on boxes that have this feature). QuickAssist uses FSB-attached FPGAs for this, so builds on previous FPGA work. Attaching the FPGAs to the server FSB overcomes previous limitations in FPGA I/O rates (talk about the sledgehammer approach!); this likely raises the maximum throughput for Snort considerably!
More info on QuickAssist, and Snort's integration with it, can be found here ==> http://www.intel.com/technology/platforms/quickassist/
and here ==> http://download.intel.com/embedded/applications/networksecurity/324029.pdf
If anyone has used the new QuickAssist feature and has formal or informal benchmarks, please feel free to comment!
=============== Rob VandenBrink, Metafore ===============