Snort Changelog

New in Snort 2.9.20 (Jun 9, 2022)

  • src/dynamic-preprocessors/appid/service_plugins/service_ssl.c:
  • Fixed a scenario where SSL traffic was not detected correctly.
  • src/dynamic-preprocessors/smtp/snort_smtp.c:
  • Fixed a possible memory corruption.
  • src/dynamic-preprocessors/imap/imap_util.c
  • src/dynamic-preprocessors/pop/pop_util.c
  • src/dynamic-preprocessors/smtp/smtp_util.c
  • src/preprocessors/spp_httpinspect.c:
  • Fixed malformed packet debug engine output.
  • src/preprocessors/Stream6/snort_stream_tcp.c:
  • Fixed security zone info in intrusion events.
  • src/dynamic-preprocessors/appid/fw_appid.c:
  • Fixed URL lookup failure.
  • src/preprocessors/HttpInspect/server/hi_server.c:
  • Fixed a possible memory leak.
  • src/dynamic-preprocessors/appid/detector_plugins/detector_dns.c
  • src/dynamic-preprocessors/appid/fw_appid.c
  • src/dynamic-preprocessors/appid/fw_appid.h
  • src/dynamic-preprocessors/appid/detector_plugins/service_plugins/service_api.h:
  • Added support for DNS root queries and underflow.
  • src/dynamic-preprocessors/smtp/snort_smtp.c
  • src/Makefile.am
  • src/dynamic-examples/Makefile.am
  • src/dynamic-plugins/sf_dynamic_plugins.c
  • src/dynamic-plugins/sf_dynamic_preprocessor.h
  • src/dynamic-preprocessors/Makefile.am
  • src/dynamic-preprocessors/smtp/snort_smtp.h
  • src/dynamic-preprocessors/smtp/spp_smtp.c
  • src/smtp_api.h:
  • Added support to get extra data from SMTP and HTTP into IPS events.
  • src/dynamic-preprocessors/appid/detector_plugins/detector_imap.c
  • src/dynamic-preprocessors/appid/detector_plugins/detector_pop3.c:
  • Added support for login success and failure eventing for IMAP and POP3.
  • src/dynamic-preprocessors/appid/hi_server.c:
  • Added support to handle an empty string for SNI/CN/SAN/ORG.

New in Snort 2.9.19 (Dec 8, 2021)

  • New Additions:
  • Added support for AppID to detect login success and failure for IMAP and POP3 protocols.
  • Improvements / Fix:
  • Fixed an issue where, in some scenarios, the verdict would be applied to the next session when a timeout occurred.
  • Removed an excessively flooding log.
  • Fixed possible integer overflow.
  • Fixed GCC-compiled Snort to use the AC-BNFA-Q search method when Intel-CPM is enabled.
  • Fixed terminology to be bias-free in log/error messages.
  • Fixed a potential race condition.
  • The TCP normalizer no longer drops packets whose window size is 0; a new alert (GID 129, SID 21) is generated when such packets are seen.

New in Snort 2.9.18.1 (Sep 3, 2021)

  • Fixed possible memory corruption in SMB preprocessor.

New in Snort 2.9.18.0 (Jun 16, 2021)

  • New Additions:
  • Added range field support in HTTP preprocessor.
  • Added alert for HTTP chunk size mismatch.
  • Added support to detect SNMP 'report pdu'.
  • Added additional stats for SMB preprocessor.
  • Improvements and fixes:
  • Fixed a condition in which an alert would not be generated.
  • Fixed possible memory corruption in SMB preprocessor.
  • Fixed handling of ICMP error code -4.
  • Fixed an error when the debugmsgs option is enabled at compile time.

New in Snort 2.9.17.1 (Mar 29, 2021)

  • Improvements / Fix:
  • Fixed wrong reference to configuration during
  • Fixed a possible memory leak in AppID.
  • Fixed a race condition between the HTTP preprocessor and IPS.
  • Fixed a race-condition in stream preproc.

New in Snort 2.9.16.1 (Aug 5, 2020)

  • New Additions:
  • Added support for GCC version 10.1.1.
  • Improvements / Fix:
  • Added packet counters so that flows carrying one-way data do not remain pending forever.
  • Fixed potential race condition between reload and exit path.

New in Snort 2.9.16 (Apr 13, 2020)

  • New Additions:
  • Added support for early inspection of HTTP payload before flushing in pre-ack mode.
  • This feature can be enabled using fast_blocking in the http_inspect configuration.
  • Added 64-bit support for Windows 10 operating system.
  • Added support for glibc version 2.30.
  • Improvements / Fix:
  • Fixed file policy not working with character prefix in chunk size.
  • Updated the file magic to detect ALZ file types.
  • Addressed an issue with out-of-order FIN segments by dropping them.
  • Normalize randomly encoded nulls interspersed in the HTTP server response to UTF-8.

New in Snort 2.9.15 (Oct 10, 2019)

  • New Additions:
  • Added new debugs to print detection, file_processing and Preproc time consumption info and verdict.
  • Added support to detect new Korean file formats .egg and .alg in the file preprocessor.
  • Added support to detect new RAR file-type in the file preprocessor.
  • Improvements / Fix:
  • Generate an alert if the TEID value is zero in GTPv1 and GTPv2 packets.
  • Whitelist FTP data sessions when no file policy exists.
  • Changed the RTF file magic to a more generic value to prevent evasions.
  • Added debug logs during HTTP reload.
  • Added a rule SID check during validation.
  • Fixed an issue where HTTP was processing non-HTTP traffic on port 443.

New in Snort 2.9.14 (Jul 19, 2019)

  • New Additions:
  • Added support for wildcard port numbers in the host cache and for overwriting the port service AppId.
  • Added new client patterns to prompt client validation.
  • Added SMTP Microsoft Outlook client for Mac.
  • Added a new preprocessor alert 120:27 to alert if there is no proper end-of-header.
  • Improvements:
  • Improved appId detection for proxied traffic.
  • Fixed Snort to be ready to process packets before the DAQ starts.
  • Fix for enabling flow profiling mode without restarting Snort detection engine.

New in Snort 2.9.13 (Apr 11, 2019)

  • New Additions:
  • Snort now supports reload on snort rules update.
  • Addition of a scenario to add a packet to blacklist verdict to ensure the new session will be allowed.
  • Added a new preprocessor alert for an improperly terminated HTTP header.
  • Improvements:
  • Modified the calculation of file hash for FTP/HTTP with offset values.
  • Fixed portal authentication connection stuck in half closed state.
  • Updated UDP global timeout for a non-standard port.

New in Snort 2.9.11.1 (Jan 4, 2018)

  • New Additions:
  • Added support to block portscans. In addition to tracking the scanning packets, the configured action (drop/sdrop/reject) is taken for all of them, so Snort blocks the packets and generates logs.
  • Added support to re-evaluate reputation after reputation update for all flows except those that have already been blacklisted.
  • Improvements:
  • Fixed RTP detection to tolerate up to two SSRC switches in each traffic direction.
  • Fixed issues related to HTTP POST header flushing: file processing is called directly if the header is not multipart, and an expensive copy of segment data is avoided by not splitting segments when flushing headers.
  • Fixed an issue where a protocol sweep alert was triggered by a protocol scan from a single source IP to multiple destinations.
  • Fixed IP portscan detection for protocols other than ICMP, and fixed the bad-fragment-size event not being generated for oversized packets.
  • Use raw data for PDF and SWF files during file processing for SHA calculation and Malware Cloud Lookup.
  • Fixed session matching for TCP SYN packets without the window scale option so that FTP data channels match the same rule as FTP control channels.
  • Fixed an issue where a new file inspection configuration was not applied after a Snort reload.

New in Snort 2.9.11 (Oct 11, 2017)

  • New additions:
  • Changes to eliminate Snort restart when there are changes to the memory allocated for preprocessors, by releasing unused or least recently used memory when needed.
  • Added support for storing filenames in Unicode for SMB protocol.
  • Added implementation of hostPortCache versioning for unknown flows in AppID to detect and block BitTorrent.
  • Improvements:
  • Enhanced RTSP metadata parsing to match the user-agent field to detect RTSP traffic over Windows Media.
  • Performance improvement when the SYN rate limit has been reached and drop is configured as the next action.
  • Control-socket and side-channel support for the FreeBSD platform.
  • Fixed issue in file signature lookup for retransmitted FTP packet.
  • Enhanced the processing of SIP/RTP future flows without ignoring them.
  • Added a bound on the size of decompressed data in PDF/SWF decompression.
  • Added a null check to prevent copying unless debugHostIp is configured in AppId.
  • Fixed issue where FTP file type block doesn't work for retried download.
  • Resolved issue where Snort is inappropriately handling traffic for which AppId was creating future flow.
  • Performance improvements for SIP/RTP audio and video data flow in AppId.
  • Performance and stability improvements in the FTP preprocessor, including a fix for incorrect referencing of ftp_data_session after it is pruned.
  • Stability improvement by resolving valgrind reported issues in AppId.
  • Improved flushing mechanism for HTTP POST header.
  • Added changes to display AppId for IPv6 unified events.
  • Fixed issues with printing of messages for out-of-order packets.
  • Fixed issue in increment of detection filter counter when rule is used in multiple configurations.
  • Fixed dynamic preprocessor compilation failure in OpenBSD platform.
  • Added changes to improve performance of ipvar list comparison.
  • Enhanced SMTP client detection by allowing line folding and all authentication methods.

New in Snort 2.9.9.0 (Dec 14, 2016)

  • New additions:
  • New rule option for byte_math. See the Snort manual for details.
  • Added bitmask and from_end operations to byte_test. See the Snort manual for details.
  • Added a Buffer Dump utility to trace all of the buffers used by snort during inspection.
  • Enable this by --enable-buffer-dump option to configure prior to building. See the Snort manual for details.
  • Added new HTTP preprocessor alerts to detect multiple content encoding and multiple content length.
  • Added support for SMTP Traffic detection over SSL (SMTPS).
  • Improvements:
  • Reduced extra service discovery to improve performance.
  • Fixed multiple issues in AppID.
  • Reconstructed the call to port-service detection.
  • Fixed issue where AppId for Facebook over SPDY/HTTP 1.1 was incorrect.
  • Prevented third-party application identification for expected connections.
  • Stability improvement for Stream preprocessor.
  • Addressed incorrect flushing of packets whose size is greater than MAXIMUM_PAF_MAX.
  • Fixed an issue where incorrect length argument in memcpy caused out of bound memory access.
  • Fixed multiple issues in HttpInspect preprocessor.
  • Handle chunk encoding followed by the line-ending sequences \r\r\r\n and \n\n\n\r\r\n.
  • Fixed an issue with LZMA flash decompression.
  • Fixed mime data processing issue in SMTP stateless inspection.
  • Added support to decode packets that contains VLAN with Secure Group Tag (SGT).
  • Fixed a DLL-loading issue in Snort on Windows platforms (CVE-2016-1417).
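The HTTP header conditions that several of these releases add alerts for (multiple Content-Encoding and multiple Content-Length headers in 2.9.9.0, the 120:27 end-of-header alert in 2.9.14, and the chunk size mismatch alert in 2.9.18.0) come down to a handful of checks on the header block and the chunked body. The following Python is an added example written for this changelog, not Snort's HttpInspect code; the function names and the sample messages are constructed, and treating a non-hex prefix in a chunk size as a mismatch is this example's own choice.

```python
"""HTTP header-block anomaly checks of the kind HttpInspect alerts on.

Added example for this changelog; it is not Snort source. Function
names and the sample messages below are constructed for illustration.
"""
import re


def split_header_block(msg: bytes):
    """Return (header_bytes, body_bytes, proper_eoh).

    proper_eoh is False when no empty line terminates the header block
    (CRLFCRLF, or bare LFLF which lenient servers also accept).
    """
    for eoh in (b"\r\n\r\n", b"\n\n"):
        idx = msg.find(eoh)
        if idx != -1:
            return msg[:idx], msg[idx + len(eoh):], True
    return msg, b"", False


def parse_headers(header_bytes: bytes):
    """Parse 'Name: value' lines into (lowercased name, value) pairs,
    keeping duplicates so repeated headers can be counted."""
    lines = re.split(rb"\r?\n", header_bytes)
    headers = []
    for line in lines[1:]:          # lines[0] is the request or status line
        if b":" not in line:
            continue
        name, value = line.split(b":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return headers


def chunked_length_mismatch(body: bytes):
    """Walk a chunked body. True if a declared chunk size does not match
    the data actually present before the next CRLF, or if the size field
    is not plain hex (a character prefix is treated as a mismatch here;
    that strictness is the example's own choice)."""
    pos = 0
    while True:
        nl = body.find(b"\r\n", pos)
        if nl == -1:
            return True
        size_field = body[pos:nl].split(b";")[0].strip()
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_field):
            return True
        size = int(size_field, 16)
        if size == 0:
            return False                    # last-chunk marker reached
        data_end = nl + 2 + size
        if body[data_end:data_end + 2] != b"\r\n":
            return True
        pos = data_end + 2


def check_message(msg: bytes):
    """Return the list of anomalies found in one HTTP message."""
    findings = []
    hdr, body, proper = split_header_block(msg)
    if not proper:
        return ["no proper end-of-header"]
    headers = parse_headers(hdr)
    names = [n for n, _ in headers]
    if names.count(b"content-length") > 1:
        findings.append("multiple content-length")
    if names.count(b"content-encoding") > 1:
        findings.append("multiple content-encoding")
    te = [v for n, v in headers if n == b"transfer-encoding"]
    if te and b"chunked" in te[-1].lower() and chunked_length_mismatch(body):
        findings.append("chunk size mismatch")
    return findings


# Constructed sample messages, one per condition.
SAMPLES = {
    "clean": b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok",
    "no_eoh": b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Trailing: a",
    "dup_cl": b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nContent-Length: 5\r\n\r\nok",
    "dup_ce": b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n"
              b"Content-Encoding: deflate\r\n\r\n",
    "chunk_ok": b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
                b"3\r\nabc\r\n0\r\n\r\n",
    "chunk_bad": b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
                 b"5\r\nabc\r\n0\r\n\r\n",
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:10s} {check_message(msg)}")
```

Each condition is reported separately so a caller can map it to its own alert; duplicates are counted rather than collapsed, because a parser that keeps only the last Content-Length value is exactly the kind of desynchronisation these alerts exist to catch.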

New in Snort 2.9.9 RC (Nov 14, 2016)

  • New additions:
  • Snort manual for Buffer Dump feature.
  • Snort manual for rule options - byte_math, bitmask and from_end.
  • Added new HTTP Preprocessor alerts.
  • Added SMTP detection to AppID.
  • Improvements:
  • Performance improvements to AppID.
  • Fixed multiple issues in AppID.
  • Stability improvement for Stream6 preprocessor.
  • Fixed multiple issues in HttpInspect preprocessor.
  • Fixed mime data processing issue in SMTP stateless inspection.
  • Able to decode packets that contain VLAN and SGT.
  • Fixed a few issues in the byte_math rule option.

New in Snort 2.9.9 Beta (Jul 12, 2016)

  • NEW ADDITIONS:
  • HTTP/2 support.
  • HTTP/2 support is still experimental.
  • By default, HTTP/2 traffic is not inspected. To enable it:
  • Install the nghttp2 library from https://nghttp2.org/
  • If nghttp2 is not installed in the default path, use with_libnghttp2_includes and with_libnghttp2_libraries to point to the correct paths during the "configure" step.
  • Enable HTTP/2 support in the http_inspect configuration with "legacy_mode no".
  • Refer to README.http_inspect for details.
  • Buffer Dump feature: enable buffer dump feature with "--enable-buffer-dump" configure option
  • Rule options - byte_math, bitmask and from_end
  • IMPROVEMENTS:
  • Performance improvements to AppID
  • Fixed Flash LZMA decompression issue
  • Added 802.11/wifi header support in ARP Preprocessor
  • Stability improvement for Stream6 preprocessor
  • Fixed multiple issues in HttpInspect preprocessor
  • Fixed an issue of incorrect masking of sensitive data

New in Snort 2.9.8.3 (Jun 23, 2016)

  • Improvements:
  • Stability improvement for Stream6 preprocessor
  • Fixed multiple issues in HttpInspect preprocessor
  • Fixed an issue of incorrect masking of sensitive data

New in Snort 2.9.8.2 (Mar 30, 2016)

  • New additions:
  • Future-flow and DNS API exposed to lua detector.
  • Double VLAN tagging support.
  • Improvements:
  • Performance improvements to AppID.
  • Stability improvements to file and ftp_telnet preprocessor.
  • Fixed several issues with SDF and obfuscation.
  • Resolved an issue of improper handling of malformed DNS host in AppID.
  • HTTP PAF accepts all tokens between method and version strings in a request URI.
  • Resolved snort build issue with "--disable-perfprofiling" configure option.
  • Enhanced mime parsing by adding support for detecting files after unknown headers and no headers.
  • Fixed an issue with gzip decompression when an HTTP/1.0 server response specifies Content-Encoding: gzip but no Content-Length field.
  • End of Header(EOH) identification for HTTP response header spanning multiple packets.
  • Improved packet reassembly for HTTP.
  • Fixed Flash LZMA decompression issue.

New in Snort 2.9.8.0 (Dec 1, 2015)

  • NEW ADDITIONS:
  • SMBv2/SMBv3 support for file inspection.
  • Port override for metadata service in IPS rules.
  • AppID Lua detector performance profiling.
  • Perfmon dumps stats at fixed intervals from absolute time.
  • New preprocessor alert (120:18) to detect SSH tunneling over HTTP
  • New config option |disable_replace| to disable replace rule option.
  • New Stream configuration |log_asymmetric_traffic| to control logging to syslog.
  • New shell script in tools to create simple Lua detectors for AppID.
  • IMPROVEMENTS:
  • sfip_t refactored to use struct in6_addr for all ip addresses.
  • Post-detection callback for preprocessors.
  • AppID support for multiple server/client detectors evaluating on same flow.
  • AppID API for DNS packets.
  • Memory optimizations throughout.
  • Support sending UDP active responses.
  • Fix perfmon tracking of pruned packets.
  • Stability improvements for AppID.
  • Stability improvements for Stream6 preprocessor.
  • Added improved support to block malware in FTP preprocessor.
  • Added support to differentiate between active and passive FTP connections.
  • Improvements done in Stream6 preprocessor to avoid having duplicate packets in the DAQ retry queue.
  • Resolved an issue where reputation config incorrectly displayed 'blacklist' in priority field even though 'whitelist' option was configured.
  • Added support for multiple expected sessions created per packet
  • Active response now supports MPLS

New in Snort 2.9.8.0 RC (Oct 8, 2015)

  • New additions:
  • SMBv2/SMBv3 support for file inspection
  • Port override for metadata service in IPS rules
  • AppID Lua detector performance profiling
  • Perfmon dumps stats at fixed intervals from absolute time
  • New preprocessor alert (120:18) to detect SSH tunneling over HTTP
  • New config option |disable_replace| to disable replace rule option
  • New Stream configuration |log_asymmetric_traffic| to control logging to syslog
  • New shell script in tools to create simple Lua detectors for AppID
  • Improvements:
  • sfip_t refactored to use struct in6_addr for all ip addresses
  • Post-detection callback for preprocessors
  • AppID support for multiple server/client detectors evaluating on same flow
  • AppID API for DNS packets
  • Memory optimizations throughout
  • Support sending UDP active responses
  • Fix perfmon tracking of pruned packets
  • Stability improvements for AppID
  • Stability improvements for Stream6 preprocessor
  • Added improved support to block malware in FTP preprocessor
  • Added support to differentiate between active and passive FTP connections
  • Improvements done in Stream6 preprocessor to avoid having duplicate packets in the DAQ retry queue
  • Resolved an issue where reputation config incorrectly displayed 'blacklist' in priority field even though 'whitelist' option was configured

New in Snort 2.9.7.6 (Sep 30, 2015)

  • New additions:
  • Added support for detecting 'SSH tunneling over HTTP'.
  • Improvements:
  • Behavioral change in file processing to block malware files in inline-test mode as well.
  • Improvements to XFF handling in case of pipelined HTTP requests.
  • Stability improvements for Stream6 preprocessor.
  • Resolved an issue where the min_ttl decoder option was dropping packets in alert mode as well.
  • Added improved support to inspect unlimited packets in HTTP.
  • Resolved an issue where reputation config incorrectly displayed 'blacklist' in priority field even though 'whitelist' option was configured.

New in Snort 2.9.8.0 Beta (Aug 17, 2015)

  • New additions:
  • AppID is no longer experimental.
  • SMBv2/SMBv3 support for file inspection.
  • Port override for metadata service in IPS rules.
  • AppID Lua detector performance profiling.
  • Perfmon dumps stats at fixed intervals from absolute time.
  • New preprocessor alert (120:18) to detect SSH tunneling over HTTP
  • New config option |disable_replace| to disable replace rule option.
  • New Stream configuration |log_asymmetric_traffic| to control logging to syslog.
  • New shell script in tools to create simple Lua detectors for AppID.
  • Improvements:
  • sfip_t refactored to use struct in6_addr for all ip addresses.
  • Post-detection callback for preprocessors.
  • AppID support for multiple server/client detectors evaluating on same flow.
  • AppID API for DNS packets.
  • Memory optimizations throughout.
  • Support sending UDP active responses.
  • Fix perfmon tracking of pruned packets.
  • Improved support for expected sessions.

New in Snort 2.9.7.5 (Jul 24, 2015)

  • Added improved support to the Stream preprocessor for asynchronous TCP traffic
  • Active response no longer sets the FIN flag on the last segment sent

New in Snort 2.9.7.3 (May 20, 2015)

  • New additions:
  • Added PAF support for SIP based traffic
  • Improvements:
  • Resolved a backtracking issue where the 'protected_content' rule option was not matching on content following a content rule option that was not matched
  • Resolved an issue where snort dropped privilege levels before attempting to delete its PID file created during the higher privilege level
  • Improved processing of SSLv3 traffic, IPv6 extensions, HTTPS session reassembly and normalization
  • Performance improvements for file preprocessor
  • Stability improvements for ftp_telnet preprocessor

New in Snort 2.9.7.2 (Mar 13, 2015)

  • New additions:
  • Support for Cisco FabricPath decoding/encoding
  • Improvements:
  • Resolved an issue where the inline normalization preprocessor incorrectly resized packets when 'preprocessor normalize_tcp: trim' was enabled
  • Resolved crash in file processing of HTTP continuations

New in Snort 2.9.7.0 (Oct 28, 2014)

  • New additions:
  • Application Identification Preprocessor, when used in conjunction with open app ID detector content, that will identify application protocol, client, server, and web applications (including those using SSL) and include the info in Snort alert data. In addition, a new rule option keyword 'appid' that can be used to constrain Snort rules based on one or more applications that are identified for the connection.
  • A new protected_content rule option that is used to match against a content that is hashed. It can be used to obscure the full context of the rule from the administrator.
  • Protocol Aware Flushing (PAF) improvements for SMTP, POP, and IMAP to more accurately process different portions of email messages and file attachments.
  • Added ability to test normalization behavior without modifying network traffic. When configured using na_policy_mode:inline-test, statistics will be gathered on packet normalizations that would have occurred, allowing less disruptive testing of inline deployments.
  • The HTTP Inspection preprocessor now has the ability to decompress DEFLATE and LZMA compressed flash content and DEFLATE compressed PDF content from http responses when configured with the new decompress_swf and decompress_pdf options. This enhancement can be used with existing rule options that already match against decompressed equivalents.
  • Added improved XFF support to HttpInspect. It is now possible to specify custom HTTP headers to use in place of 'X-Forwarded-For'. In situations where traffic may contain multiple XFF-like headers, it is possible to specify which headers hold precedence.
  • Added support for Heartbleed detection.
  • Added control socket command to dump packets.
  • Added an option to suppress configuration information logging to output.
  • The Stream5 preprocessor functionality is now split between the new Session and Stream preprocessors.
  • Improvements:
  • Maximum IP6 extensions decoded is now configurable.
  • Update active response to allow for responses of 1500+ bytes that span multiple TCP packets.
  • Check limits of multiple configurations to not exceed a maximum ID of 4095.
  • Updated the error output of byte_test, byte_jump, byte_extract to include details on offending options for a given rule.
  • Update build and install scripts to install preprocessor and engine libraries into user specified libdir.
  • Improved performance of IP Reputation preprocessor.
  • The control socket will now report success when reloading empty IP Reputation whitelists/blacklists.
  • All TCP normalizations can now be enabled individually. See README.normalize for details on using the new options. For consistency with other options, the "urp" tcp normalization keyword now enables the normalization instead of disabling it.
  • Lowered memory demand of Unicode -> ASCII mapping in HttpInspect.
  • Updated profiler output to remove duplicate results when using multiple configurations.
  • Improved performance of FTP reassembly.
  • Improved compatibility with Mac OSX 10.9 (Mavericks), OpenBSD, FreeBSD, and DragonFlyBSD.
  • Stability improvements in Stream6 preprocessor and FTP preprocessor.
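The Heartbleed detection listed above rests on one arithmetic check: a TLS heartbeat message declares a payload_length, and a request that declares more than the record actually carries asks the peer to echo memory it never received (CVE-2014-0160). The Python below is an added example of that check, not Snort's SSL preprocessor; the record builder and the two sample records are constructed so the scanner runs offline.

```python
"""TLS heartbeat length check of the kind used to detect Heartbleed.

Added example for this changelog; not Snort's SSL preprocessor code.
A heartbeat whose declared payload_length exceeds what the record
actually carries is the CVE-2014-0160 probe. Sample records below are
constructed with make_heartbeat().
"""
import struct

TLS_HEARTBEAT = 24          # ContentType heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16            # RFC 6520 requires at least 16 bytes of padding


def parse_tls_records(data: bytes):
    """Yield (content_type, version, fragment) for each complete record;
    stop at a truncated record rather than guessing its contents."""
    pos = 0
    while pos + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[pos:pos + 5])
        frag = data[pos + 5:pos + 5 + length]
        if len(frag) < length:
            break
        yield ctype, version, frag
        pos += 5 + length


def heartbeat_is_malformed(fragment: bytes):
    """True when payload_length claims more than the fragment holds after
    the 3-byte heartbeat header and the mandatory padding."""
    if len(fragment) < 3:
        return True
    hb_type, payload_len = struct.unpack("!BH", fragment[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return True
    available = len(fragment) - 3 - MIN_PADDING
    return payload_len > available


def scan_stream(data: bytes):
    """Return (record_index, reason) findings for one direction of a stream."""
    findings = []
    for i, (ctype, _version, frag) in enumerate(parse_tls_records(data)):
        if ctype != TLS_HEARTBEAT:
            continue
        if heartbeat_is_malformed(frag):
            findings.append((i, "heartbeat payload_length exceeds record data"))
    return findings


def make_heartbeat(payload: bytes, claimed_len: int, padding: int = MIN_PADDING):
    """Build a TLS 1.2 heartbeat request record; claimed_len may lie."""
    body = struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * padding
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0303, len(body)) + body


# Constructed traffic: a benign 3-byte heartbeat, then the classic probe
# that claims 0x4000 bytes of payload while sending none.
BENIGN = make_heartbeat(b"abc", 3)
PROBE = make_heartbeat(b"", 0x4000)
STREAM = BENIGN + PROBE

if __name__ == "__main__":
    print(scan_stream(STREAM))
```

The check is applied per record rather than per packet: a heartbeat split across TCP segments only becomes checkable once the stream has been reassembled, which is why this kind of detection lives behind Stream in Snort rather than in a bare packet rule.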

New in Snort 2.9.6.2 (Jul 17, 2014)

  • New additions:
  • Added the ability to specify additional custom 'X-Forwarded-For' HTTP field names.
  • A new http inspection configuration element is used to specify a set of field names and their respective precedence order.
  • Added cache flow timeout for IP
  • Improvements:
  • Fixed handling of ICMPv6 traffic
  • Fixed inline stream reassembly during file processing
  • Addressed race condition issue with Perfmon stats file rollover

New in Snort 2.9.7.0 Beta (Jul 2, 2014)

  • New additions:
  • Application Identification Preprocessor, when used in conjunction with open app ID detector content, that will identify application protocol, client, server, and web applications (including those using SSL) and include the info in Snort alert data. In addition, a new rule option keyword 'appid' that can be used to constrain Snort rules based on one or more applications that are identified for the connection. See README.appid for details.
  • A new protected_content rule option that is used to match against a content that is hashed. It can be used to obscure the full context of the rule from the administrator.
  • Protocol Aware Flushing (PAF) improvements for SMTP, POP, and IMAP to more accurately process different portions of email messages and file attachments.
  • Added ability to test normalization behavior without modifying network traffic.
  • When configured using na_policy_mode:inline-test, statistics will be gathered on packet normalizations that would have occurred, allowing less disruptive testing of inline deployments.
  • The HTTP Inspection preprocessor now has the ability to decompress DEFLATE and LZMA compressed flash content and DEFLATE compressed PDF content from http responses when configured with the new decompress_swf and decompress_pdf options. This enhancement can be used with existing rule options that already match against decompressed equivalents.
  • Added improved XFF support to HttpInspect. It is now possible to specify custom HTTP headers to use in place of 'X-Forwarded-For'. In situations where traffic may contain multiple XFF-like headers, it is possible to specify which headers hold precedence.
  • Added control socket command to dump packets.
  • The Stream5 preprocessor functionality is now split between the new Session and Stream preprocessors. This makes for easier tracking of sessions independent of TCP stream reassembly.
  • Improvements:
  • Update active response to allow for responses of 1500+ bytes that span multiple TCP packets.
  • Check limits of multiple configurations to not exceed a maximum ID of 4095.
  • Updated the error output of byte_test, byte_jump, byte_extract to include details on offending options for a given rule.
  • Update build and install scripts to install preprocessor and engine libraries into user specified libdir.
  • Improved performance of IP Reputation preprocessor.
  • The control socket will now report success when reloading empty IP Reputation whitelists/blacklists.
  • All TCP normalizations can now be enabled individually. See README.normalize for details on using the new options. For consistency with other options, the "urp" tcp normalization keyword now enables the normalization instead of disabling it.
  • Lowered memory demand of Unicode -> ASCII mapping in HttpInspect.
  • Updated profiler output to remove duplicate results when using multiple configurations.
  • Improved performance of FTP reassembly.
  • Improved compatibility with Mac OSX 10.9 (Mavericks), OpenBSD, FreeBSD, and DragonFlyBSD.
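The protected_content rule option introduced in 2.9.7.0 (and listed for this Beta) stores a digest of the pattern in the rule instead of the pattern itself; the detection engine then hashes each candidate window of the buffer and compares digests, so an administrator reading the rule file never sees the original bytes. The Python below is an added example of that matching, not Snort's implementation; the rule digest, the payload and the relative-match helper are constructed for illustration, and the 2.9.7.3 fix about protected_content after an unmatched content is mirrored by the relative_to handling.

```python
"""Hashed-content matching in the style of the protected_content option.

Added example for this changelog; not Snort's implementation. The rule
carries only a digest of the pattern; detection hashes each window of
the requested length and compares digests. Sample values are constructed.
"""
import hashlib
import hmac

HASHES = {"md5": hashlib.md5, "sha256": hashlib.sha256, "sha512": hashlib.sha512}


def protected_content(buf, digest_hex, length, *, hash_name="sha256",
                      offset=0, relative_to=None, distance=0):
    """Return the position just past the first window whose digest matches,
    or -1. When relative_to is given (the cursor left by a previous match),
    the search starts `distance` bytes past it, like a relative content."""
    target = bytes.fromhex(digest_hex)
    h = HASHES[hash_name]
    start = (relative_to + distance) if relative_to is not None else offset
    for pos in range(max(start, 0), len(buf) - length + 1):
        # compare_digest keeps the comparison constant-time on the digest
        if hmac.compare_digest(h(buf[pos:pos + length]).digest(), target):
            return pos + length
    return -1


def make_rule_digest(secret_pattern, hash_name="sha256"):
    """What the rule author runs once to turn the pattern into a rule value."""
    return HASHES[hash_name](secret_pattern).hexdigest()


# Constructed sample: the rule author wants to match the token
# "BACKDOOR-KEY" without disclosing it, so the rule carries its SHA-256.
SECRET = b"BACKDOOR-KEY"
RULE_DIGEST = make_rule_digest(SECRET)
PAYLOAD = b"GET /index.php?auth=BACKDOOR-KEY&x=1 HTTP/1.1\r\n"


def match_with_preceding_content(buf=PAYLOAD):
    """content:"auth="; then protected_content relative to that match.
    If the plain content does not match, the rule fails without hashing."""
    anchor = buf.find(b"auth=")
    if anchor == -1:
        return -1
    return protected_content(buf, RULE_DIGEST, len(SECRET),
                             relative_to=anchor + len(b"auth="))


if __name__ == "__main__":
    print(RULE_DIGEST)
    print(protected_content(PAYLOAD, RULE_DIGEST, len(SECRET)))
    print(match_with_preceding_content())
```

The cost is visible in the loop: every window of `length` bytes is hashed, so a protected_content without an anchoring content or offset is a full-buffer sweep of hash computations, which is why such rules are normally written relative to a cheap plain-text match.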

New in Snort 2.9.6.1 (Apr 24, 2014)

  • Improvements:
  • Added a control command to dump all packets matching a BPF to a pcap file for capturing specific traffic for further analysis
  • Addressed an issue with encoded packets and ICMP header length determination
  • Provide more detailed error output for parsing of invalid rules when byte_test, byte_check, content, and isdataat use a byte_extract value
  • Updated sensitive data to better address partial matches between packets

New in Snort 2.9.6.0 (Mar 4, 2014)

  • Includes changes from the previous Beta version

New in Snort 2.9.6.0 Beta (Nov 19, 2013)

  • New additions:
  • Add support for file-specific processing within the DCERPC preprocessor for files transferred over SMB.
  • File capture and storage -- saves files as they traverse the network via a new preprocessor that ties in support within HTTP, FTP, SMTP, POP, IMAP, and SMB. See README.file and README.file_server (under tools/file_server) for details.
  • Add = operators to byte_test rule option.
  • Update SMTP to detect Cyrus SASL authentication attack.
  • Add capability to capture a single session from start to end.
  • EXPERIMENTAL: Add support to leverage file type identification in snort rules. See README.file_ips for details.
  • Improvements:
  • Only inject active responses when a TCP session is established.
  • Update the POP and IMAP protocols to support simple PAF for improved identification and capture of files.
  • Update SMTP, POP, IMAP to improve inspection when mime boundaries are split across packets.
  • Addressed an issue where end-of-line was handled incorrectly for quoted-printable email attachments.
  • Handle an out-of-order SSL handshake in SMTP when STARTTLS is used, and check for the SSL type only within the SSL handshake.
  • Update sensitive data preprocessor to handle a stateful search of patterns across multiple packets.
  • Address a few issues in the Snort manual and other READMEs for flowbits and tunneling.
  • Save off packet data for quicker debugging in case of a SIGABRT or SIGBUS.

New in Snort 2.9.5.6 (Nov 19, 2013)

  • src/build.h:
  • updating build number to 208
  • src/preprocessors/Stream5/snort_stream5_tcp.c:
  • add NULL check for preprocessors that check for PAF before they check for any actual tcp session
  • src/detection-plugins/: sp_byte_check.c, sp_byte_jump.c, sp_isdataat.c, sp_pattern_match.c:
  • Test if the byte extracted distance and/or offset is within bounds of the search buffer.
  • src/preprocessors/HttpInspect/client/hi_client.c:
  • clear cookie normalization buffer to avoid accidental null dereference in pipelined request.

New in Snort 2.9.5.5 (Sep 17, 2013)

  • Improvements:
  • Address issue with SMTP preprocessor and the ignore_tls_data configuration to correctly stop inspection after an SMTP session is encrypted.
  • Disable all rule evaluation (as opposed to just rules with fast patterns) for packets on a previously blocked session.
  • Corrected when perfmon preprocessor writes stats to occur as soon as both the time and packet count criteria are met.
  • Enforce same restrictions on relative PCRE for HTTP buffers from shared library rules as already existed with text rules.

New in Snort 2.9.5.3 (Jul 31, 2013)

  • Improvements:
  • Performance improvements to eliminate some unnecessary work, reduction of sizes of data structures, and cleanup of processing for HTTP normalized buffers.
  • Cap the number of expected connections (e.g. FTP data channel) to prevent memory growth.
  • Address issue with reloading reputation lookup tables when more addresses are added.
  • Address issue with potential hang during shutdown of control socket config reload processing thread.

New in Snort 2.9.5 (Jul 2, 2013)

  • New additions:
  • Added tracking of FTP data channel for file transfers as file_data for Snort rules.
  • Add support for doing PAF based on services loaded thru the attribute table and hardened PAF code/removed --disable-paf.
  • Added decoding support for Cisco ERSPAN.
  • Added tracking of HTTP uploads as file_data for Snort rules.
  • Added ability to use event filters with PPM rules.
  • Added a control channel command to reload the Snort configuration to give feedback on new configuration. This improves on the older SIGHUP which would just result in Snort exiting and restarting if the new configuration required a restart.
  • Added a configuration option to perfmon to write flow-ip data to a file.
  • New decoding alert for IPv6 Routing type 0 header.
  • Added the ability to sync basic session state from one Snort to another via a side channel communication between the two Snort instances. NOTE: This is currently experimental.
  • Improvements:
  • Improved Stream's midstream pickup handling for TCP state processing, sequence validation, and reassembly. Thanks to John Eure.
  • Added a parse error for a rule if there is a relative content used after a content that is 'fast_pattern only'.
  • Improved HTTP PAF reassembly capabilities to be better aligned on PDU boundaries, terminate if not actually HTTP, and to include all appropriate line feeds.
  • Hardened the code related to dynamic modules. Removed --disable-dynamicplugin configuration option since rule and preprocessor shared libraries are here to stay.
  • Improved parsing of IP lists for reputation.
  • Update to Teredo processing and Snort rule evaluation when the inner IPv6 packet doesn't have payload. Thanks to Yun Zheng Hu & L0rd Ch0de1m0rt for reporting the issue & crafting traffic to reproduce.
  • Improved logging of packets associated with alerts when a Stream reassembled packet triggers multiple Snort rules.
  • Improvements to the Snort manual including documentation of specific rule options and configuration items. Thanks to Nicholas Horton and many others.
  • Removed a bunch of dead code paths, updated to use more current memory functions for easier code maintenance and portability. Thanks to William Parker.
  • Deletions:
  • Remove deprecated unified support, use unified2 for all of your logging needs.

New in Snort 2.9.4.6 (Apr 25, 2013)

  • Improvements:
  • Improved support for DAQ verdicts of whitelist and blacklist for 6in4 and 4in6 encapsulated traffic (similar to Teredo & GTP). See the Snort manual for configuration details.
  • Avoid changing the length of IP options in frag3 when receiving duplicate 0-offset fragments that have IP options.

New in Snort 2.9.4.5 (Apr 4, 2013)

  • Improvements:
  • Removed proxy information from HTTP URI searching so that URI matches are made only against the actual URI and offsets work as expected.
  • Addressed an issue with logging of packet data via unified2 when alerting on a packet with multiple HTTP PDUs.
  • Continue to search for patterns within the HTTP URI until the end of the URI.

New in Snort 2.9.4.1 (Mar 5, 2013)

  • Updated File processing for partial HTTP content and MIME attachments.
  • Addition of new config option max_attribute_services_per_host and improve memory usage within attribute table.
  • Handle excessive overlaps in frag3.
  • Stream API updates to return session key for a session.
  • Reduce false positives for TCP window slam events.
  • Updates to provide better encoding for TCP packets generated for respond and react.
  • Disable non-ethernet decoders by default for performance reasons. If needed, use --enable-non-ether-decoders with configure.

New in Snort 2.9.4.0 (Dec 4, 2012)

  • New additions:
  • Consolidation of IPv6 -- now only a single build supports both IPv4 & IPv6, and removal of the IPv4 "only" code paths.
  • File API and improvements to file processing for HTTP downloads and email attachments via SMTP, POP, and IMAP to facilitate broader file support
  • Use of address space ID for tracking Frag & Stream connections when it is available with the DAQ
  • Logging of packet data that triggers PPM for post-analysis via Snort event
  • Decoding of IPv6 with PPPoE
  • Added an API call to add a service to a host in the attribute table. Remove the unused live attribute update code.
  • Improvements:
  • Update to Stream5 PAF for handling gaps in the sequence numbers of packets being reassembled.
  • Selection of the Stream TCP policy based on the server rather than the destination of the first packet seen by Snort.
  • Allow disabling of global thresholds via a count of -1
  • Prevent blocking duplicate SYNs when using inline normalization
  • Add SSLv3 backwards compatibility support for SSLv2 ClientHello messages
  • Allow active responses to packets without data (eg, a TCP SYN)
  • Changed logic of option evaluations for shared library rules that use a custom evaluation function to match that of the builtin logic when the NOT_FLAG is used. The 'NOT' matching now happens within each of the individual rule option evaluation functions.
  • Updated SMTP preprocessor to better handle commands that have corresponding data on a subsequent line to reduce false positives. 3 commands fall into this category - X-EXPS, XEXCH50, and BDAT.
  • Improve support for encapsulated & tunneling protocols to block or fastpath a connection within the tunnel rather than applying that to the whole tunnel.

New in Snort 2.9.3.1 (Aug 9, 2012)

  • Corrected check for TCP RST flags to prevent sending resets to reset packets with inline and active response.
  • Update hashing for internal storage of rule options for 64bit platforms when checking uniqueness to remove duplicate copies in memory.
  • Address some small memory leaks from parsing snort.conf.

New in Snort 2.9.3.0 (Jul 19, 2012)

  • New additions:
  • Update to flowbit rule option to allow for OR and AND of individual bits within a single rule, and allow flowbits to be used in multiple groups. See README.flowbits and the Snort manual for details.
  • Dynamic output plugin architecture providing an API so that developers can write their own output mechanisms to log alert and packet data from Snort.
  • Update to dcerpc2 preprocessor for improved accuracy and handling of different OSs for SMB processing. See README.dcerpc2 and the Snort manual for details.
  • Updates to reputation preprocessor for handling of whitelists and trustlists and zone information. See README.reputation and the Snort manual for details.
  • Improvements:
  • Updates to http_inspect client PAF handling and server flow_depth handling.
  • Logging updates to the smtp preprocessor.
  • Added detailed documentation of unified2 logging configuration and logging.
  • Removed --enable-decoder-preprocessor-rules configure option and hardened preprocessor and decoder rule event code. To enable old behavior such that specific preprocessor and decoder rules don't have to be explicitly added to snort.conf, add "config autogenerate_preprocessor_decoder_rules" to your snort.conf.
  • Fixed SMTP mempool allocation for significant memory savings. Also tweaked memory required per stream5 session tracker.
  • Force exact versioning match of running dynamic engine and dynamic engine used to build SO rules.
  • User can now query the reputation preprocessor for routing table and management information.
  • Update to return error messages through the control channel.
  • Updates to the processing of email attachments for better handling of non-encoded attachments, and improved memory management for attachment processing.
  • Improvements in HTTP Inspect for better performance with gzip decompression. Also improvements for handling simple responses, encoded query strings, transfer encoding and chunk encoding processing.
  • Updates to the packet decoders to support pflog v4.
  • Fix logging of multiple unified2 alerts with reassembled packets.
  • Compiler warning cleanup across multiple platforms.
  • Added 116:458 and 116:459 to cover fragmentation issues.
  • Deletions:
  • Removed all database outputs.
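The OR/AND and group syntax described in the flowbits entry above, as an added example that is not part of the changelog, README.flowbits, or any shipped Snort rule set. The IMAP service, bit and group names, ports and SIDs are assumptions made for illustration.

```snort
# Added example (not from the changelog or the Snort distribution).
# Bit names, group name, ports and SIDs are assumptions.

# Rule 1: the login response sets TWO bits in one option (AND on set) and
# suppresses its own alert, so it exists only to mark the flow.
alert tcp $HOME_NET 143 -> $EXTERNAL_NET any ( \
    msg:"EXAMPLE IMAP login accepted"; flow:from_server,established; \
    content:"OK LOGIN"; \
    flowbits:set,imap_logged_in&imap_authenticated; \
    flowbits:noalert; sid:1000001; rev:1; )

# Rule 2: fires only when BOTH bits are set on the flow (AND on isset).
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( \
    msg:"EXAMPLE IMAP LIST after authenticated login"; flow:to_server,established; \
    content:"LIST"; \
    flowbits:isset,imap_logged_in&imap_authenticated; \
    sid:1000002; rev:1; )

# Rule 3: fires when EITHER bit is set (OR on isset). Before 2.9.3 this needed
# two near-identical rules, one per bit.
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( \
    msg:"EXAMPLE IMAP FETCH on a flow marked logged-in or suspicious"; \
    flow:to_server,established; \
    content:"FETCH"; \
    flowbits:isset,imap_logged_in|imap_suspicious; \
    sid:1000003; rev:1; )

# Rule 4: groups. setx sets the named bit and clears every other bit in the
# group "imap_state", so the flow is in exactly one state of that group.
# The same bit may also belong to other groups (allowed since 2.9.3).
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( \
    msg:"EXAMPLE IMAP client entered IDLE"; flow:to_server,established; \
    content:"IDLE"; \
    flowbits:setx,imap_idle,imap_state; \
    flowbits:noalert; sid:1000004; rev:1; )
```

Rules 1 and 4 carry flowbits:noalert because their only job is to record state; if that option is dropped they generate an event on every login and every IDLE, which is the usual mistake when building state-tracking rule chains.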

New in Snort 2.9.2.3 (May 16, 2012)

  • Update to GTP preprocessor to better handle GTPv1 data.
  • Update to DNP3 preprocessor to add stricter checking on packets before processing by dnp3. Improved checking on reassembly buffer.
  • Update to PCRE rule option processing to prevent issues seen w/ libpcre-8.30 and certain rules.
  • Update to dcerpc2 to not abort reassembly if target-based protocol is undefined.

New in Snort 2.9.2.2 (Mar 28, 2012)

  • Updates to HTTP Inspect to handle normalization with large number of directories, eliminate false positives when chunks span multiple packets, and remove the upper limit on the gzip memcap.
  • Update stream handling for TCP session cleanup with RSTs and other TCP state tracking.
  • Update for active responses to fragmented IPv6 traffic and to the react page configuration.
  • Updates to SIP preprocessor to limit false positives.
  • Update for correct logging in unified2 when interface is passive.
  • Add stats for SMTP preprocessor at termination.
  • State tracking improvements to SMB processing in the dcerpc2 preprocessor when missing packets on a session.

New in Snort 2.9.2.1 (Jan 20, 2012)

  • Added new alerts for HTTP (undefined methods & HTTP 0.9 simple requests)
  • Updates to the Stream preprocessor in TCP session tracking to avoid re-queuing retransmitted data that was already flushed. Also various tweaks for PAF flushing
  • Updates to the reputation preprocessor to handle shared memory switching
  • Updates to the SCADA preprocessors in their handling of PAF flushing and Modbus request/response length checking. Also tweaks in alerts for reserved DNP3 functions
  • Updates to flowbit groups to always use the group when some rules refer to a flow group while others do not refer to a group for the same flowbit
  • Updates to GTP preprocessor to check invalid extension header length for GTPv1
  • Updates to sfrt library, used in reputation preprocessor and target based configuration, when calculating memory allocated and support for IPv6

New in Snort 2.9.1.2 (Oct 21, 2011)

  • configure.in,
  • rpm/snort.spec,
  • src/build.h,
  • src/win32/WIN32-Includes/config.h,
  • src/win32/WIN32-Prj/snort_installer.nsi:
  • Incremented version numbers to Snort 2.9.1.2, Build 84.
  • src/preprocessors/snort_httpinspect.c,
  • src/sfutil/util_utf.c:
  • Fixed an issue where Snort would sometimes stop processing traffic in a persistent HTTP 1.1 connection with a UTF-32 encoded response followed by a UTF-16 encoded response.

New in Snort 2.9.1.1 (Oct 7, 2011)

  • src/decode.c:
  • Fixed decode.c to allow building with --enable-debug.
  • src/: dynamic-plugins/sf_engine/sf_decompression.c, dynamic-plugins/sf_engine/sf_decompression.h, preprocessors/snort_httpinspect.h, preprocessors/HttpInspect/server/hi_server.c:
  • Fixed http_inspect decompression and decompression API to decompress both raw and zlib deflated data. Support locating utf charset when spaces are present.
  • src/: preprocessors/HttpInspect/server/hi_server_norm.c, sfutil/util_utf.h:
  • Added "Byte Order Mark" support for unicode in http_inspect.
  • src/detection-plugins/sp_urilen_check.c:
  • Fixed potential false positives when using urilen detection option.
  • src/preprocessors/Stream5/stream5_paf.c:
  • Fixed flushing beyond "paf_max".
  • Verify paf configuration before enabling.
  • src/preprocessors/Stream5/snort_stream5_tcp.c:
  • Free application and protocol state when a session is blocked.
  • Ensure that seglist_next is NULL after being freed.
  • src/dynamic-preprocessors/smtp/smtp_util.c:
  • Fixed an issue with SMTP logging while running in inline mode.
  • src/dynamic-preprocessors/reputation/Makefile.am,
  • src/dynamic-preprocessors/reputation/reputation_config.c,
  • src/dynamic-preprocessors/reputation/reputation_config.h,
  • src/dynamic-preprocessors/reputation/spp_reputation.c,
  • src/dynamic-preprocessors/reputation/spp_reputation.h,
  • src/Makefile.am, src/idle_processing.c, src/idle_processing.h,
  • src/idle_processing_funcs.h, src/plugbase.c, src/plugbase.h,
  • src/snort.c, src/snort.h, src/util.c, src/util.h,
  • src/dynamic-examples/Makefile.am,
  • src/dynamic-preprocessors/reputation/shmem/shmem_config.c,
  • src/dynamic-preprocessors/reputation/shmem/shmem_config.h,
  • src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.h,
  • src/dynamic-preprocessors/reputation/shmem/shmem_lib.c,
  • src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.c,
  • src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.h,
  • src/control/Makefile.am, src/control/sfcontrol.c,
  • src/control/sfcontrol.h, src/control/sfcontrol_funcs.h,
  • src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.c,
  • src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.h,
  • src/dynamic-preprocessors/reputation/shmem/shmem_common.h,
  • src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.c,
  • src/dynamic-preprocessors/reputation/shmem/shmem_lib.h,
  • src/sfutil/Makefile.am, src/sfutil/segment_mem.c,
  • src/sfutil/segment_mem.h, src/sfutil/sfrt_flat.c,
  • src/sfutil/sfrt_flat.h, src/sfutil/sfrt_flat_dir.c,
  • src/sfutil/sfrt_flat_dir.h,
  • src/dynamic-preprocessors/Makefile.am, tools/control/Makefile.am,
  • tools/control/README.snort_control, tools/control/sfcontrol.c,
  • src/dynamic-plugins/sf_dynamic_plugins.c,
  • src/dynamic-plugins/sf_dynamic_preprocessor.h, configure.in,
  • tools/Makefile.am:
  • Added support for shared memory between Snort processes. This is used in the IP Reputation preprocessor to share a single copy of IP whitelists & blacklists.
  • Added a control channel, so that commands may be issued to a running Snort process by way of a Unix socket.
  • src/preprocessors/HttpInspect/utils/hi_paf.c:
  • Ensure HTTP 1.1 responses without length indicators (e.g. 304) are flushed at the end of the headers.
  • Preprocessor rule 120:8 is fired at end of headers if content-length and transfer-encoding: chunked are not present, but not for response codes 1XX, 204, 304.
  • doc/README.reputation, doc/snort_manual.pdf,
  • doc/snort_manual.tex:
  • Updated Snort documentation, added documentation for Shared Memory and the Control Socket.
  • src/: dynamic-preprocessors/reputation/sf_reputation.dsp,
  • dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp,
  • win32/WIN32-Includes/stdint.h, win32/WIN32-Prj/snort.dsp,
  • win32/WIN32-Prj/snort.dsw:
  • Updated Win32 build files.

New in Snort 2.9.1 (Aug 24, 2011)

  • Protocol aware reassembly support for HTTP and DCE/RPC preprocessors. Updates to Stream5 allowing Snort to more intelligently inspect HTTP and DCE/RPC requests and responses. See README.stream5 subsection related to Protocol Aware Flushing (PAF).
  • SIP preprocessor to identify SIP call channels and provide rule access via new rule option keywords. Also includes new preprocessor rules for anomalies in the SIP communications. See the Snort Manual and README.sip for details.
  • POP3 & IMAP preprocessors to decode email attachments in Base64, Quoted Printable, and uuencode formats, and updates to SMTP preprocessor for decoding email attachments encoded as Quoted Printable and uuencode formats. See the Snort Manual, README.pop, README.imap, and README.SMTP for details.
  • Support for reading large pcap files.
  • Logging of HTTP URL (host and filename), SMTP attachment filenames and email recipients to unified2 when Snort generates events on related traffic.
  • IP Reputation preprocessor, allowing Snort to blacklist or whitelist packets based on their IP addresses. This preprocessor is still in an experimental state, so please report any issues to the Snort team. See README.reputation for more information.
  • Additionally, the following updates and improvements have been made:
  • Updates to give shared library rules direct access to gzip decoding capabilities.
  • Rule Option Improvements:
  • Updates to content modifier http_cookie to not include the HTTP header names themselves in the buffer. This change may affect existing rules that leverage this keyword.
  • Updates to the file_data and base64_data rule option keywords and added a pkt_data rule option keyword that sets the buffer to be used for subsequent content/pcre/etc rule options.
  • Updates to the tcp flag rule option keyword to support 'C' and 'E' for CWR and ECN bits.
  • Updates to byte_extract rule option keyword to support the same string formats as with byte_test and byte_jump.
  • Updates to Snort's build infrastructure and autoconf script for portability and improved checks for library dependencies. To facilitate easier building of Snort on many of the different platforms supported, Snort now uses pkg-config to check for certain library locations.
  • Many updates and improvements to the Snort documentation. Special thanks to all of the contributors from the Snort community for working with us and making the documentation more accurate and usable.
  • Updates to the sensitive data preprocessor for handling HTTP traffic and reducing false positives.
  • Updates to Snort's config parsing to provide more meaningful error messages relating to snort.conf errors and configuration display at startup.
  • Updates to Snort's active response packets, whether generated via the response rule keywords or as part of inline normalization.
  • Improvements to HTTP Inspect processing of chunked HTTP data. Additional HTTP Inspect alerts for evasion attempts such as small chunks and excessive whitespace in folded headers.
  • Updates to the statistics Snort prints to console or syslog at exit for different preprocessors.
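A configuration for the IP Reputation preprocessor introduced above, together with the shared-memory option added in 2.9.1.1, as an added example that is not part of the changelog or of Snort's shipped snort.conf. The $RULE_PATH variable, file paths, the shared-memory directory, and the addresses in the constructed list files are assumptions; the option names follow README.reputation.

```snort
# Added example (not from the changelog or the Snort distribution).
# Paths, $RULE_PATH and all addresses are assumptions.

# snort.conf: load both lists. "priority whitelist" means an address present in
# BOTH lists is allowed, so an over-broad blacklist entry cannot block a host
# that was deliberately whitelisted. "nested_ip inner" applies the lookup to the
# inner addresses of tunnelled traffic instead of the outer tunnel endpoints.
preprocessor reputation: \
    memcap 500, \
    priority whitelist, \
    nested_ip inner, \
    whitelist $RULE_PATH/white_list.rules, \
    blacklist $RULE_PATH/black_list.rules

# Variant for 2.9.1.1 and later (assumption: directory layout is site-specific):
# one copy of the lists is held in shared memory and refreshed every
# shared_refresh seconds, instead of each Snort process loading its own copy.
# preprocessor reputation: \
#     memcap 500, \
#     priority whitelist, \
#     shared_mem /etc/snort/reputation, \
#     shared_refresh 60

# ---- black_list.rules (constructed) --------------------------------------
# One IPv4/IPv6 address or CIDR block per line; '#' begins a comment.
# 192.0.2.0/24
# 198.51.100.17

# ---- white_list.rules (constructed) --------------------------------------
# 192.0.2.10
```

With the lists above, 192.0.2.10 matches both the /24 blacklist entry and the whitelist entry; because of priority whitelist it passes, while 192.0.2.11 and 198.51.100.17 are blacklisted. Swapping to priority blacklist inverts that outcome for 192.0.2.10, which is the first thing to check when a "whitelisted" host is still being dropped.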

New in Snort 2.9.0.5 (Apr 7, 2011)

  • src/build.h:
  • Increment Snort build number to 132
  • src/snort.c:
  • src/preprocessors/: normalize.c, perf-base.c, perf-base.h, Stream5/snort_stream5_tcp.c:
  • TCP timestamp options are only NOPed by the Normalization preprocessor if Stream5 has seen a full 3-way handshake, and timestamps weren't negotiated.
  • The IPS mode reassembly policy has been refactored to do stream normalization within the first policy.
  • Packets injected by the normalization preprocessor are now counted in the packet statistics.
  • doc/snort_manual.tex:
  • src/: parser.c, parser.h:
  • src/preprocessors/: spp_frag3.c, Stream5/snort_stream5_session.c:
  • Added a "config vlan_agnostic" setting that globally disables Stream's use of vlan tag in session tracking.
  • src/: snort.c, preprocessors/normalize.c, preprocessors/spp_normalize.c, preprocessors/spp_normalize.h, preprocessors/perf-base.c, preprocessors/perf-base.h:
  • doc/: README.normalize, snort_manual.pdf, snort_manual.tex:
  • Fixed the normalization preprocessor to call its post-initialization config functions during a policy reload.
  • Packets can no longer be trimmed below the minimum ethernet frame length. Trimming is now configurable with the "normalize_ip4: trim;" option. TOS clearing is now configurable with "normalize_ip4: tos;".
  • The "normalize_ip4: trim" option is automatically disabled if the DAQ can't inject packets. If the DAQ tries and fails to inject a given packet, the wire packet is not blocked.
  • Updated documentation regarding these changes.
  • src/detection-plugins/sp_cvs.c:
  • Fixed a false positive in the CVS detection plugin. It was incorrectly parsing CVS entries that had a '+' in between the 3rd and 4th slashes.
  • src/preprocessors/HttpInspect/: client/hi_client.c, server/hi_server.c:
  • Changed a pointer comparison to a size check for code readability.
  • Belated thanks to Dwane Atkins and Parker Crook for reporting a related issue that was fixed in Snort 2.9.0.4 build 111.
  • Moved the zlib initialization such that gzipped responses are still inspected if the zipped data starts after the first Stream-reassembled packet is inspected.
  • src/decode.c:
  • Fixed an issue with decoding too many IP layers in a single packet. The Teredo proto bit was not unset after hitting the limit on IP layers.
  • IPv6 fragmented packets are no longer inspected unless they have an offset of zero and the next layer is UDP. This behavior is consistent with IPv4 decoding.
  • Thanks to Martin Schütte for reporting an issue where fragged ICMPv6 packets were being inspected.
  • The decoder no longer attempts to decode Teredo packets inside of IPv4 fragments, instead waiting for the reassembled packet.
  • src/encode.c:
  • Fixed a problem where encoded packets had their lengths calculated incorrectly. This caused the active response feature to generate incorrect RST packets if the original packet had a VLAN tag.
  • preproc_rules/preprocessor.rules:
  • Updated references to rule 125:1:1
  • src/preprocessors/spp_perfmonitor.c:
  • Perfmonitor files are now created after Snort changes uid/gid.
  • src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
  • Fixed the size formatting of an error message argument when compiling with --enable-rzb-saac.
  • etc/snort.conf:
  • Updated the default snort.conf with max compress and decompress depths to enable unlimited decompression of gzipped HTTP responses.
  • snort.8:
  • Fixed the man page's URL regarding the location of Snort rules.
  • Thanks to Michael Scheidell for reporting an out-of-date man page section.
  • doc/README.http_inspect, doc/snort_manual.tex,
  • src/preprocessors/snort_httpinspect.c:
  • HTTP Inspect's "unlimited_decompress" option now requires that "compress_depth" and "decompress_depth" are set to their max values.
  • src/: fpcreate.c, dynamic-plugins/sf_dynamic_define.h, dynamic-plugins/sf_dynamic_engine.h,
  • preprocessors/Stream5/snort_stream5_tcp.c:
  • Fixed an error that prevented compiling with --disable-dynamicplugin.
  • src/dynamic-preprocessors/ftptelnet/: snort_ftptelnet.c, snort_ftptelnet.h, spp_ftptelnet.c:
  • Changed the names of ProcessGlobalConf() and PrintGlobalConf() inside the ftp_telnet preprocessor to avoid a naming conflict with similar functions in HTTP Inspect.
  • src/preprocessors/: perf.c, perf-base.c, perf-base.h, perf-flow.c, perf-flow.h:
  • Fixed comparisons between signed and unsigned int, which led to a faulty length check.
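A snort.conf fragment, added here as an illustration rather than taken from the changelog or from Snort's shipped snort.conf, covering the three configuration points this entry introduces or changes: config vlan_agnostic, the new normalize_ip4 trim and tos options, and the compress_depth/decompress_depth values that unlimited_decompress now requires. Port numbers are assumptions; option names follow README.normalize and README.http_inspect.

```snort
# Added example (not from the changelog or the Snort distribution). Ports are assumptions.

# Track sessions by addresses and ports only, ignoring the VLAN tag (new in 2.9.0.5).
config vlan_agnostic

# Normalization only takes effect inline; in tap mode nothing is rewritten.
config policy_mode:inline

# Frame trimming to the IP total length and TOS clearing are now opt-in.
# trim is disabled automatically if the DAQ cannot inject packets, and a failed
# injection does not block the original wire packet.
preprocessor normalize_ip4: df rf tos trim
preprocessor normalize_tcp: ips ecn stream

# REJECTED since 2.9.0.5: unlimited_decompress while the global depths are below
# their maximum. Snort refuses the configuration at startup.
# preprocessor http_inspect: global iis_unicode_map unicode.map 1252 \
#     compress_depth 1460 decompress_depth 2920
# preprocessor http_inspect_server: server default profile all ports { 80 8080 } \
#     inspect_gzip unlimited_decompress

# ACCEPTED: both depths at their maximum of 65535 on the global line, then
# unlimited_decompress on the server configuration.
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 \
    compress_depth 65535 decompress_depth 65535
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } \
    inspect_gzip \
    unlimited_decompress
```

The depth pair bounds how much of each compressed/decompressed response is inspected per packet; unlimited_decompress removes the per-session cap but still relies on those per-packet depths, which is why the preprocessor now insists they be at their maximum rather than silently inspecting less than the option name suggests.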

New in Snort 2.9.0.4 (Feb 11, 2011)

  • Added the Razorback "Snort as a Collector" (SaaC) dynamic preprocessor. This is for experimental use only! Enable it by compiling with --enable-rzb-saac.
  • Fixed false positives in HTTP traffic, which were caused by large HTTP chunks split across two packets.
  • Made several updates to the Snort manual and READMEs.
  • Fixed a false positive on Stream5 rule 129:15, caused by a RST following a FIN.

New in Snort 2.9.0.3 (Dec 22, 2010)

  • Fixed an issue where "uricontent" didn't behave correctly with "depth", "offset", "distance", and "within" modifiers.
  • Fixed overlapping flags in the Shared Object rule API.
  • Improved error checking for invalid combinations of "depth", "offset", "distance", and "within" modifiers in rules. Rules that mix relative and non-relative options on the same content will now cause errors.
  • Updated the documentation to fix some inconsistencies.

New in Snort 2.9.0.2 (Dec 5, 2010)

  • Bug fixes:
  • The HTTP Inspect "server_flow_depth" option is now applied once per HTTP session, instead of once per packet. This will improve performance by inspecting fewer packets.
  • Fixed an issue with the handling of TCP urgent data.
  • Fixed an issue with using file_data:mime within shared library rules.
  • Fixed an issue with TCP reassembly of single packets
  • Fixed an issue with DAQ building when using "--disable-bundled-modules" combined with other enables.

New in Snort 2.9.0.1 (Nov 3, 2010)

  • Improvements
  • Fixed maximum flowbits configuration parsing to specify the number of bits in accordance with the Snort manual, rather than number of bytes. If you have 'config flowbits_size' in your snort.conf, double check that it has the correct setting.
  • Fixed a packet size issue with the IPQ and NFQ DAQs.
  • Updated the version of libpcre bundled with the Windows installer. This update fixes a bug that caused some PCRE matches to fail on Windows.

New in Snort 2.9.0 (Oct 5, 2010)

  • Feature-rich IPS mode including improvements to Stream for inline deployments. Additionally a common active response API is used for all packet responses, including those from Stream, Respond, or React. A new response module, respond3, supports the syntax of both resp & resp2, including strafing for passive deployments. When Snort is deployed inline, a new preprocessor has been added to handle packet normalization to allow Snort to interpret a packet the same way as the receiving host.
  • Use of a Data Acquisition API (DAQ) that supports many different packet access methods including libpcap, netfilterq, IPFW, and afpacket. For libpcap, version 1.0 or higher is now required. The DAQ library can be updated independently from Snort and is a separate module that Snort links.
  • Updates to HTTP Inspect to extract and log IP addresses from X-Forwarded-For and True-Client-IP header fields when Snort generates events on HTTP traffic.
  • A new rule option 'byte_extract' that allows extracted values to be used in subsequent rule options for isdataat, byte_test, byte_jump, and content distance/within/depth/offset.
  • Updates to SMTP preprocessor to support MIME attachment decoding across multiple packets.
  • Ability to "test" drop rules using Inline Test Mode. Snort will indicate a packet would have been dropped in the unified2 or console event log if policy mode was set to inline.
  • Two new rule options to support base64 decoding of certain pieces of data and inspection of the base64 data via subsequent rule options.
  • Updates to the Snort packet decoders for IPv6 for improvements to anomaly detection.
  • Added a new pattern matcher that supports Intel's Quick Assist Technology for improved performance on supported hardware platforms. Visit http://www.intel.com to find out more about Intel Quick Assist. The following document describes Snort's integration with the Quick Assist Technology
  • Reference applications for reading unified2 output that handle all unified2 record formats used by Snort.
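The byte_extract and base64 rule options introduced above, as an added example that is not part of the changelog or of any Snort rule set. The "REC" record format, the destination port, and the SIDs are assumptions made for illustration; the base64 rule follows the pattern documented for those options, with the header name and port variables as assumptions. Offsets in the first two rules are absolute (counted from the start of the payload buffer) so the rules do not depend on where the cursor sits after the extraction.

```snort
# Added example (not from the changelog or the Snort distribution).
# The REC format, port 9000, $HTTP_PORTS usage and the SIDs are assumptions.
#
# Hypothetical wire format:
#   "REC" | total_len (2 bytes, big-endian) | name_len (2 bytes, big-endian) | name ...
# A name_len larger than total_len is an internally inconsistent header, the
# classic length confusion that parsers mishandle. byte_extract stores total_len
# so that byte_test can compare the next field against it instead of a constant.
alert tcp $EXTERNAL_NET any -> $HOME_NET 9000 ( \
    msg:"EXAMPLE REC header: name length exceeds record length"; \
    flow:to_server,established; \
    content:"REC"; depth:3; \
    byte_extract:2,3,total_len,big; \
    byte_test:2,>,total_len,5; \
    classtype:protocol-command-decode; sid:1000010; rev:1; )

# The extracted value can also bound a later content match: search for a NUL
# only inside the declared record length that follows the 7-byte header.
alert tcp $EXTERNAL_NET any -> $HOME_NET 9000 ( \
    msg:"EXAMPLE REC body contains embedded NUL inside declared length"; \
    flow:to_server,established; \
    content:"REC"; depth:3; \
    byte_extract:2,3,total_len,big; \
    content:"|00|"; offset:7; depth:total_len; \
    classtype:protocol-command-decode; sid:1000011; rev:1; )

# base64_decode / base64_data (also new in 2.9.0): decode the base64 blob that
# follows the match, then run the next content against the decoded bytes rather
# than the raw payload, so encoding no longer hides the NTLMSSP signature.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"EXAMPLE NTLM authorization header, checked after base64 decoding"; \
    flow:to_server,established; \
    content:"Authorization: NTLM "; nocase; \
    base64_decode:relative; base64_data; \
    content:"NTLMSSP"; within:7; \
    classtype:protocol-command-decode; sid:1000012; rev:1; )
```

The first rule is the one worth keeping in mind when writing byte_extract rules: a length field compared against another length field from the same packet catches the inconsistent headers that a fixed threshold never will, and it needs no knowledge of the legitimate maximum.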

New in Snort 2.8.5.2 (Jan 4, 2010)

  • Improvements to HTTP Inspect for handling of pipelined requests and chunked encodings.
  • Updated the documentation for output plugins and log limits.
  • Fixed building on AIX 6.
  • Fixed reloading of auto-iface variables when privileges had been dropped.
  • Updates to HTTP Inspect to allow server-specific configurations to normalize the HTTP header and/or cookies.
  • Updates to HTTP Inspect to support gzip decompression across multiple packets. Enable via --enable-zlib during the build.
  • Added a Sensitive Data preprocessor, which performs detection of Personally Identifiable Information (PII). A new rule option is available to define new PII. See README.sensitive_data and the Snort Manual for configuration details.
  • Added a new pattern matcher and related configurations. The new pattern matcher is optimized to use less memory and perform at AC speed.

New in Snort 2.8.5.1 (Oct 23, 2009)

  • A new SSH preprocessor
  • Support for multiple configurations
  • New and updated filtering options
  • Improved restart and update processes