Buffer Dump Configuration option causing Snort to exit with unrecognized option error #227

@da667

Hey Hey people,

I've been doing a little bit of testing recently, and I noticed that the option --buffer-dump-alert is enabled, even if the buffer dump checkbox on the web interface is unchecked, and even in the case of old versions of snort that do not support dumping buffers.

This causes older versions of snort (prior to 2.9.9.0 in my testing) to fail with an unrecognized option error that is visible on the IDS Engine tab of the results page.

2.9.8.3: (screenshot of the IDS Engine tab)

2.9.7.5: (screenshot of the IDS Engine tab)

2.9.5: (screenshot of the IDS Engine tab)

I'm sure you get the pattern from here.

I think the root of this problem is in how the command for snort is formed. Take a look at line 920 in dalton-agent.py:

https://github.com/secureworks/dalton/blob/master/dalton-agent/dalton-agent.py#L920C5-L920C19

Is there a way to map the buffer dump output option on the Dalton Controller and have it map to the snort_command? e.g. if the checkbox isn't checked (or if it's snort /2\.9\.[0-8]\.\d+/) then don't allow the option to be present in the snort_command pushed to the agent?

Here is an attached job zip file, if you would like to test on your own.
6bcce887f10d5699.zip

Other thoughts: None of these versions of snort are technically supported anymore, so this is a bug that is REALLY low on the priority scale, but it still exists so I thought it should be documented somewhere.
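One way to gate the option on both the checkbox and the detected Snort version, as an added example that is not Dalton's own code (the agent's actual command construction at line 920 is not reproduced here). The argument layout, the `build_snort_command` and `supports_buffer_dump` names, the use of Snort's `-c`/`-r` flags, and the 2.9.9.0 threshold taken from the issue's testing are all assumptions.

```python
import re
from typing import List, Optional, Tuple

# Assumption from the issue's testing: --buffer-dump-alert is accepted from
# Snort 2.9.9.0 onward and rejected as "unrecognized option" by 2.9.8.x and older.
BUFFER_DUMP_MIN_VERSION = (2, 9, 9, 0)


def parse_snort_version(version: str) -> Optional[Tuple[int, ...]]:
    """Pull the dotted numeric version out of strings such as '2.9.8.3' or
    'Version 2.9.8.3 GRE (Build 383)'. Returns None if nothing parses."""
    m = re.search(r"(\d+\.\d+(?:\.\d+)*)", version)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def supports_buffer_dump(version: str) -> bool:
    """True only when the parsed version is at or above the threshold.
    Unparseable versions are treated as unsupported (fail closed)."""
    parsed = parse_snort_version(version)
    if parsed is None:
        return False
    # Pad short versions like '2.9.5' to the same length before comparing.
    padded = parsed + (0,) * (len(BUFFER_DUMP_MIN_VERSION) - len(parsed))
    return padded >= BUFFER_DUMP_MIN_VERSION


def build_snort_command(snort_bin: str, config: str, pcap: str,
                        version: str, buffer_dump_requested: bool
                        ) -> Tuple[List[str], List[str]]:
    """Build the argument list and a list of human-readable notes about
    options that were requested but dropped, so the job results can say why."""
    cmd = [snort_bin, "-c", config, "-r", pcap]
    notes: List[str] = []
    if buffer_dump_requested:
        if supports_buffer_dump(version):
            cmd.append("--buffer-dump-alert")
        else:
            notes.append(
                "--buffer-dump-alert omitted: Snort %r predates 2.9.9.0" % version)
    return cmd, notes


if __name__ == "__main__":
    # Constructed sample: the 2.9.8.3 case from the issue, checkbox ticked.
    print(build_snort_command("snort", "snort.conf", "job.pcap", "2.9.8.3", True))
```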
