
Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

Snort 2.8.4 - New version simplifies coding of detection rules

Snort is an open source tool for evaluating network traffic. The latest version introduces a new, simplified rules approach, as noted below.

Snort 2.8.4 upgrade is out -- Upgrade now!
http://isc.sans.org/diary.html?storyid=6151

Snort Intrusion Detection Monitoring
http://www.sourcefire.com/products/snort/

QUOTE: The wide availability of open source Snort brings many advantages.

• Because the source code is open, development can occur at a markedly accelerated pace compared to proprietary models.

• A vast community of security experts continually reviews, tests and proposes improvements to the code.

• Security engineers and specialists the world over write Snort rules for new and evolving threats every hour of the day, often in record time.

CONFICKER DETECTION SIMPLIFIED FROM 168 RULES TO 2 -- For a while now, a lot of NetBIOS flow tracking has been done with our rules language. This results in hundreds of rules to do flow tracking for a particular exploit. For example, before the preprocessor there were 168 rules to detect the exploit that Conficker uses (MS08-067). Introduced in 2.8.4 is a new target-based DCE/RPC preprocessor, called "DCE/RPC2". This preprocessor provides much of the flow tracking internally and exposes rule options that rule writers can call. So, after the new NetBIOS rules go out (in the next few days, according to Snort.org), the number of MS08-067 rules will be reduced to 2.
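To illustrate the mechanism described above, here is an added example (not the Sourcefire rules the post refers to, nor content from the post): a DCE/RPC2 preprocessor stanza for snort.conf and a single rule that uses its dce_iface/dce_opnum options instead of per-fragment byte matching. The srvsvc interface UUID and opnum 31 (NetPathCanonicalize) are assumed from the MS08-067 advisory; the sid, msg text and policy value are placeholders chosen for the example.

```snort
# snort.conf -- enable the target-based DCE/RPC2 preprocessor (Snort 2.8.4+).
# The preprocessor reassembles SMB/DCE-RPC fragments and tracks the bind-to-call
# flow itself, so rules no longer have to do it with hundreds of byte_test chains.
preprocessor dcerpc2: memcap 102400, events [smb, co, cl]
# "policy" tells the preprocessor how the *target* host reassembles fragments
# (target-based); adjust to the hosts you protect. Ports below are the defaults.
preprocessor dcerpc2_server: default, policy WinXP, \
    detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593]

# local.rules -- one rule where the old approach needed many.
# dce_iface matches the interface negotiated in the DCE/RPC bind (srvsvc here,
# UUID assumed from public MS08-067 documentation), dce_opnum matches the
# operation number of the request (31 = NetPathCanonicalize), and dce_stub_data
# positions later content/byte_test options at the start of the reassembled
# stub data regardless of fragmentation. sid 1000001 is a local placeholder.
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( \
    msg:"NETBIOS SMB srvsvc NetPathCanonicalize request (MS08-067 interface/opnum) [example]"; \
    flow:established,to_server; \
    dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; \
    dce_opnum:31; \
    dce_stub_data; \
    reference:url,isc.sans.org/diary.html?storyid=6151; \
    classtype:attempted-admin; sid:1000001; rev:1; )
```

Expect this rule to fire on legitimate NetPathCanonicalize calls as well as exploit attempts; the production rules add stub-data checks on the path argument to narrow it, which is why two rules rather than one are needed.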