Snort Changelog

What's new in Snort 3.1.32.0

Jun 17, 2022

appid: config for logging eve process to client mappings
dce_smb: reduce smb_max_credit range to avoid uint16_t overflow
detection: remove redundant FIXIT
ftp_telnet: correct the implementation for check_encrypted and encrypted_data config, handle form-feed as non-encrypted traffic
ftp_telnet: handle all space characters as a seperator between FTP request command and arguments
http_inspect: add explicit check for HTML script opening tag ending
http_inspect: remove unneeded header inclusions and improve cleanup before trailers
ips_options: improve ips_hash and ips_cvs code coverage
log: Fixed missing include for Clear Linux build.
logger: added reload function to create new files when snort reloads
main: add null check for scratch handler
mime: cleanup
modules: resolve int type mismatch in config options
netflow: fix build on MacOS
netflow: implement RNA integration for host/service discovery
netflow: support memcap reconfiguration upon reload
openssl: Openssl minimum version is set to 1.1.1
profiler: fix issue with negative number cast to unsigned for max_depth
rna: reduce range for ttl, fix cast for df, minor and major options. Thanks to liangxwa01 for pointing this out.
stream_tcp: fix splitter abort handling
stream_tcp: flip the server_side flag in fallback() and assert what it should be
utils, parser: remove redundant fixits
utils: remove curly brace parsing from regex literals
utils: remove redundant checks in regex groups
wizard: use const reference instead of copying

New in Snort 3.1.31.0 (Jun 3, 2022)

New in Snort 3.1.30.0 (Jun 3, 2022)

New in Snort 3.1.29.0 (May 20, 2022)

New in Snort 2.9.19 (Dec 6, 2021)

New in Snort 2.9.18.1 (Sep 2, 2021)

New in Snort 2.9.18 (Jun 15, 2021)

New in Snort 2.9.17.1 (Mar 30, 2021)

New in Snort 2.9.17 (Nov 22, 2020)

src/preprocessors/Stream6/snort_stream_tcp.c,
src/preprocessors/spp_stream6.c
Fixed Memory leak in reassembly networks and ports config during reload.
src/file-process/file_resume_block.c,
src/file-process/file_service.c,
src/file-process/file_lib.c,
src/file-process/file_lib.h
Fixed resume-block for SMBv2 partial content retry and pending verdicts.
src/win32/WIN32-Prj/snort_installer.nsi
Added user visible message to choose 4.1.1 or any higher version of winpcap, in windows 32 installer.
src/win32/WIN32-Prj/snort_installer_x64.nsi,
src/win32/WIN32-Prj/snort_installer.nsi
Fixed popup message that was not honoring windows silent uninstaller option.
src/preprocessors/snort_httpinspect.c
Fix to populate original client IP for drop events, when inline normalization is disabled.
src/dynamic-preprocessors/appid/luaDetectorApi.c
Fixed AppID caching proxy IP instead of tunneled IP in the dynamic cache during ultrasurf traffic.
src/detection-plugins/sp_react.c,
src/dynamic-preprocessors/sdf/spp_sdf.c,
src/parser.c,
src/preprocessors/Stream6/snort_stream_tcp.c,
tools/u2streamer/Unified2File.c,
src/dynamic-preprocessors/appid/luaDetectorApi.c,
src/dynamic-preprocessors/appid/appInfoTable.c,
snort/src/dynamic-plugins/sf_dynamic_plugins.c,
src/memory_stats.c,
src/sfutil/sfportobject.c,
src/snort.h :
Fixed multiple static analysis issues.
src/dynamic-preprocessors/appid/appInfoTable.c
Fixed a potential race condition.
configure.in,
src/reload.c
Fix to not rely on the last-modified-time for loading the dynamic detection libs.
src/dynamic-preprocessors/appid/detector_plugins/detector_smtp.c,
src/file-process/file_capture.c,
src/file-process/file_resume_block.c,
src/file-process/file_segment_process.c,
src/file-process/file_service.c
Added debug messages in file-process packet flow.
src/dynamic-preprocessors/appid/detector_plugins/detector_smtp.c
Fix to address cases of ambiguous codes between SMTP & FTP and when SMTP server does not support EHLO.
src/file-process/file_segment_process.c
Fixed issue of generating multiple events for a single file transfer over SMB.
src/dynamic-preprocessors/appid/appIdConfig.h,
src/dynamic-preprocessors/appid/appInfoTable.c,
src/dynamic-preprocessors/appid/appInfoTable.h,
src/dynamic-preprocessors/appid/flow.h,
src/dynamic-preprocessors/appid/fw_appid.c,
src/dynamic-preprocessors/appid/flow.h
Fixed false positives for ultrasurf.
src/dynamic-preprocessors/sip/spp_sip.c
Fixed SIP pre-processor to detect SSL encrypted SIP traffic better.
src/dynamic-preprocessors/appid/luaDetectorApi.c,
etc/gen-msg.map,
preproc_rules/preprocessor.rules,
src/file-process/file_service.c,
src/generators.h,
src/preprocessors/HttpInspect/client/hi_client.c,
src/preprocessors/HttpInspect/event_output/hi_eo_log.c,
src/preprocessors/HttpInspect/include/hi_client.h,
src/preprocessors/HttpInspect/include/hi_eo_events.h,
src/preprocessors/HttpInspect/include/hi_server.h,
src/preprocessors/HttpInspect/server/hi_server.c,
src/preprocessors/snort_httpinspect.c,
src/preprocessors/snort_httpinspect.h
Added support for HTTP range field parsing to detect if HTTP response/request is indeed partial or full content.
src/preprocessors/spp_session.c
Fixed TCP memcap oversize.
src/dynamic-preprocessors/dcerpc2/dce2_stats.h,
src/dynamic-preprocessors/dcerpc2/snort_dce2.c,
src/dynamic-preprocessors/dcerpc2/spp_dce2.c,
src/dynamic-preprocessors/ftptelnet/ftpp_si.c,
src/dynamic-preprocessors/ftptelnet/pp_ftp.c,
src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c,
src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.h,
src/preprocessors/HttpInspect/client/hi_client.c,
src/preprocessors/HttpInspect/client/hi_client_norm.c,
src/preprocessors/HttpInspect/include/hi_include.h,
src/preprocessors/HttpInspect/include/hi_paf.h,
src/preprocessors/HttpInspect/utils/hi_paf.c,
src/preprocessors/Stream6/snort_stream_icmp.c,
src/preprocessors/Stream6/snort_stream_icmp.h,
src/preprocessors/Stream6/snort_stream_ip.c,
src/preprocessors/Stream6/snort_stream_ip.h,
src/preprocessors/Stream6/snort_stream_tcp.c,
src/preprocessors/Stream6/snort_stream_tcp.h,
src/preprocessors/Stream6/snort_stream_udp.c,
src/preprocessors/Stream6/snort_stream_udp.h,
src/preprocessors/Stream6/stream_common.h,
src/preprocessors/snort_httpinspect.c,
src/preprocessors/snort_httpinspect.h,
src/preprocessors/spp_httpinspect.c,
src/preprocessors/spp_httpinspect.h,
src/preprocessors/spp_stream6.c,
src/dynamic-preprocessors/appid/fw_appid.c,
src/dynamic-preprocessors/appid/fw_appid.h,
src/dynamic-preprocessors/appid/spp_appid.c
Enhanced statistics dumped during snort exit and SIGUSR1.
src/dynamic-preprocessors/imap/imap_paf.c,
src/dynamic-preprocessors/imap/snort_imap.h,
src/dynamic-preprocessors/pop/pop_paf.c,
src/dynamic-preprocessors/pop/snort_pop.h,
src/dynamic-preprocessors/sip/spp_sip.h,
src/dynamic-preprocessors/smtp/smtp_paf.c,
src/dynamic-preprocessors/smtp/snort_smtp.h,
src/dynamic-preprocessors/appid/flow.h,
src/dynamic-preprocessors/appid/service_plugins/service_ssl.c,
src/dynamic-preprocessors/dcerpc2/dce2_list.h,
src/dynamic-preprocessors/ftptelnet/ftpp_si.h,
src/file-process/file_segment_process.h,
src/file-process/libs/file_lib.h,
src/preprocessors/sip_common.h,
src/preprocessors/snort_httpinspect.h
Optimized structures in several preprocessors.
src/dynamic-preprocessors/dcerpc2/dce2_smb.c,
src/dynamic-preprocessors/dcerpc2/dce2_smb.h
src/file-process/file_service.c
Fixed SMBv1 file block for pending verdict retry packets.
src/dynamic-preprocessors/dcerpc2/dce2_smb.c :
Fixed SMBv1 unknown file size upload block.
src/detect.c,
src/detect.h,
src/parser.c,
src/parser.h,
src/preprocessors/Session/session_common.h,
src/preprocessors/Stream6/snort_stream_udp.c,
src/preprocessors/Stream6/snort_stream_udp.h,
src/preprocessors/spp_stream6.c,
src/preprocessors/Stream6/stream_common.c,
src/preprocessors/Stream6/stream_common.h,
src/preprocessors/spp_stream6.c,
src/reload.c,
src/snort.c,
src/snort.h
Fixed incorrect filtering of UDP traffic when "ignore_any_rules" is configured.
src/detection-plugins/sp_session.c,
src/detection-plugins/sp_session.h,
src/sfutil/util_jsnorm.c
Fixed GCC 10.1.1 compilation issues.
src/decode.c,
src/decode.h,
src/log_text.c,
src/log.c,
src/preprocessors/Stream6/snort_stream_tcp.c
Added support to detect TCP Fast Open packets.
src/preprocessors/Stream6/snort_stream_tcp.c
Fixed TCP segment queue hole issue as per the RFC793 recommendation for OOO Ack packet handling.
src/detection-plugins/detection_leaf_node.c,
src/detection-plugins/detection_options.c,
src/dynamic-preprocessors/appid/appInfoTable.c,
src/dynamic-preprocessors/appid/fw_appid.c,
src/dynamic-preprocessors/appid/service_plugins/service_base.c,
src/dynamic-preprocessors/appid/service_plugins/service_ftp.c,
src/dynamic-preprocessors/appid/service_plugins/service_rexec.c,
src/dynamic-preprocessors/appid/service_plugins/service_rpc.c,
src/dynamic-preprocessors/appid/service_plugins/service_rshell.c,
src/dynamic-preprocessors/appid/service_plugins/service_snmp.c,
src/dynamic-preprocessors/appid/service_plugins/service_tftp.c,
src/dynamic-preprocessors/ftptelnet/ftpp_si.c,
src/dynamic-preprocessors/ftptelnet/pp_ftp.c,
src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c,
src/fpcreate.c,
src/parser.c,
src/preprocessors/Session/session_common.h,
src/preprocessors/spp_session.c,
src/reload.c,
src/snort.c
Fixed build when some configure options were disabled.
src/detection-plugins/sp_byte_math.c
Fixed byte_math operation for multiplication integer overflow.
src/dynamic-preprocessors/appid/appId.h,
src/dynamic-preprocessors/appid/service_plugins/service_ssl.c
Fix to include 853 port in SSL detector for DNS over TLS runs on SSL.
src/dynamic-plugins/sf_dynamic_plugins.c,
src/dynamic-plugins/sf_dynamic_preprocessor.h,
src/dynamic-preprocessors/appid/Makefile_defs,
src/dynamic-preprocessors/appid/luaDetectorApi.c,
src/dynamic-preprocessors/appid/util/common_util.h
Fix for excessive logging of lua detector invalid LUA (null).
snort/src/detection-plugins/sp_byte_check.c,
src/detection-plugins/sp_byte_extract.c,
src/detection-plugins/sp_byte_jump.c,
src/detection-plugins/sp_byte_math.c,
src/detection-plugins/sp_byte_math.h,
src/detection-plugins/sp_isdataat.c,
src/detection-plugins/sp_pattern_match.c
Added support for allowing common names across rule options.
src/memory_stats.c
Removed a redundant log.
spp_sip.c
Fixed handling encrypted traffic by SIP preprocessor.
snort/configure.in,
snort/doc/README.s7commplus,
snort/etc/sf_rule_options,
snort/etc/sf_rule_validation.conf,
snort/src/dynamic-preprocessors/Makefile.am,
snort/src/dynamic-preprocessors/s7commplus/Makefile.am,
snort/src/dynamic-preprocessors/s7commplus/s7comm_decode.c,
snort/src/dynamic-preprocessors/s7commplus/s7comm_decode.h,
snort/src/dynamic-preprocessors/s7commplus/s7comm_paf.c,
snort/src/dynamic-preprocessors/s7commplus/s7comm_paf.h,
snort/src/dynamic-preprocessors/s7commplus/s7comm_roptions.c,
snort/src/dynamic-preprocessors/s7commplus/s7comm_roptions.h,
snort/src/dynamic-preprocessors/s7commplus/spp_s7comm.c,
snort/src/dynamic-preprocessors/s7commplus/spp_s7comm.h,
snort/src/generators.h,
snort/src/preprocids.h
Added support for s7Commplus protocol.
src/preprocessors/Stream6/snort_stream_tcp.c
Fixed out of order FIN packet leading to segment trimming.
src/output-plugins/spo_unified2.c,
src/preprocessors/Stream6/snort_stream_tcp.c
Fix to populate original IP in dropped events when inline normalization is enabled.
snort/src/sfutil/sf_ip.h
Fixed compiler warnings.
src/dynamic-preprocessors/appid/detector_plugins/detector_dns.c
Fixed DNS application detector failing to detect DNS traffic in some scenarios.

New in Snort 2.9.16.1 (Aug 5, 2020)

New in Snort 2.9.15.1 (Feb 25, 2020)

New in Snort 2.9.15 (Oct 11, 2019)

src/snort.c,
src/control/sfcontrol.c,
src/preprocessors/Session/stream5_ha.c,
src/preprocessors/session_api.h,
src/dynamic-plugins/sp_dynamic.c: Fixed a potential race condition.
src/detect.c: Fixed static analysis issues.
src/detect.c,
src/detect.h,
src/file-process/file_service.c,
src/reload.c,
src/sfdaq.h,
src/snort.c,
src/snort.h: Added new debugs to print detection, file_processing and Preproc time consumption info and verdict.
src/dynamic-preprocessors/appid/fw_appid.c: Added NULL check before dereferencing tcp_header.
src/file-process/libs/file_lib.h, src/sfdaq.h: Fix to make daq_pktHdr globally visible and removed the extra Packet variable from the FILE_PKT_DEBUG macro.
snort/etc/file_magic.conf: Added support to detect new Korean file formats .egg and .alz to the file preprocessor.
src/dynamic-preprocessors/gtp/gtp_parser.c,
src/dynamic-preprocessors/gtp/spp_gtp.h: Fix to generate ALERT if TEID value is zero in GTP v1 and v2 packets.
src/detect.c: Added a check before printing the Packet latency trace when detection is enabled or not.
src/file-process/file_capture.c,
src/file-process/file_mime_process.c,
src/file-process/file_resume_block.c,
src/file-process/file_segment_process.c,
src/file-process/file_service.c,
src/file-process/libs/file_lib.c,
src/file-process/libs/file_lib.h,
src/sfdaq.h: Added debug messages in file-process packet flow.
src/dynamic-plugins/sp_dynamic.c,
src/reload.c,
src/reload.h,
src/snort.c: Fixed dynamic rules from getting disabled after multiple reloads.
src/pkt_tracer.c: Fix to print packet trace information in the direction of the packet on the wire.
etc/file_magic.conf: Added new file magic to detect RAR file-type.
src/dynamic-plugins/sf_dynamic_preprocessor.h: Updated preproc version.
src/dynamic-plugins/sf_dynamic_preprocessor.h: Provided an API to query non-flow related information from DAQ.
src/dynamic-plugins/sf_dynamic_plugins.c,
src/dynamic-plugins/sf_dynamic_preprocessor.h,
src/sfdaq.c,
src/sfdaq.h: Added a generic api DAQ_Ioctl for dynamic preprocs to use for various daq clis.
src/dynamic-preprocessors/appid/Makefile_defs,
src/dynamic-preprocessors/appid/detector_plugins/detector_imap.c,
src/dynamic-preprocessors/appid/detector_plugins/detector_pop3.c,
src/dynamic-preprocessors/appid/detector_plugins/detector_smtp.c,
src/dynamic-preprocessors/appid/service_plugins/service_base.h,
src/dynamic-preprocessors/appid/service_plugins/service_ftp.c,
src/dynamic-preprocessors/appid/service_plugins/service_netbios.c,
src/dynamic-preprocessors/appid/service_plugins/service_nntp.c: Fix to whitelist ftp data sessions when no file policy exists.
src/dynamic-preprocessors/appid/fw_appid.c: Fixed -Wparentheses warning.
src/dynamic-preprocessors/appid/fw_appid.c: Fixed the algorithm that triggers port only detection.
src/preprocessors/HttpInspect/client/hi_client.c,
src/preprocessors/HttpInspect/include/hi_paf.h,
src/preprocessors/HttpInspect/utils/hi_paf.c: Fixed an issue where HTTP was wrongly processing non HTTP traffic on port 443.
src/dynamic-preprocessors/appid/appIdConfig.h,
src/dynamic-preprocessors/appid/fw_appid.c,
src/dynamic-preprocessors/appid/service_plugins/service_base.c,
src/dynamic-preprocessors/appid/service_plugins/service_base.h: Fixed IPS alerts generation for ICMP packets.
src/file-process/file_resume_block.c: Fixed signature lookup when the context is not present.
src/preprocessors/HttpInspect/utils/hi_paf.c: Added a new state to handle HTTP responses, having no status message followed by status code.
src/dynamic-plugins/sf_dynamic_plugins.c,
src/dynamic-plugins/sf_dynamic_preprocessor.h,
src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h: Added DPD callbacks for receiving ftp transfer mode before generating file events.
snort/etc/file_magic.conf: Fixed RTF file magic to a more generic value to prevent evasions.
src/preprocessors/spp_httpinspect.c: Added debug logs during HTTP Reload.
src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.c: Fix to bypass munmap if shmemSegptr points to zeroSegptr.
src/parser.c: Added rule SID check during Snort validation.
src/pkt_tracer.c: Corrected endianness representation for some of the parameters in the debug log.

New in Snort 2.9.14.1 (Aug 5, 2019)

New in Snort 2.9.14 (Jul 19, 2019)

New in Snort 2.9.13 (Apr 12, 2019)

New in Snort 3.0.0 Beta (Aug 30, 2018)

New in Snort 2.9.11.1 (Jan 6, 2018)

New in Snort 3.0.0 Build 239 Alpha (Oct 14, 2017)

rules: remove sample.rules; Talos will publish Snort 3 rules on snort.org
logging: fix handling of out of range timeval thanks to [email protected] for reporting the issue
wizard: fix direction issue
wizard: fix imap spell
check: update hyperscan and regex tests
cpputests: clean up some header include issues
daq_socket: update to support query of pci
detection: fix debug print of fast pattern only
detection: rule evaluation trace utility
doc: update concepts and differences
file_api: memory leak fixed
file_id: fixes for file capture exit
http_inspect: added 119:97 for lower case letters in version field
http_inspect: alert 119:96 added for unsolicited 206 response.
http_inspect: specific alert added 119:95 for Content-Encoding chunked.
ipv6: fix flow label access method; thanks to schrx3b6 for the patch
loggers: remove units options; all limits expressed in MB
mpse: Remove Intel Soft CPM support
mpse: make regex capability generic
mpse: only use literals for fast patterns if search_method is not hyperscan
output: add packet trace feature
perf_monitor: fixed main table (perf_monitor) having same name as pegs for
perfmon field
regex: fix pass through of mpse flags to hyperscan
replace: do not trip over fast pattern only
rpc: revert to positional params, fix tcp logic, clean up formatting
rules: promote metadata:service to a separate option since it is not metadata
snort2lua: Fixed incorrect file names errors
snort2lua: move footprint to stream from stream_tcp
spell check: fix message and comment typos
stream: add ip_proto as part of flow key
stream: fix user dependency on flush bucket
text logs: fix default unlimited file size
u2: add event3 to u2spewfoo
u2: convert thread local buffers to heap
u2: deprecate ip4 and ip6 specific events and add a single event for both
u2: remove obsolete configurations
u2: support mixed IP versions
build: add support for appending EXTRABUILD to the BUILD string
build: Clean up some ICC 2017 warnings
build: clean up some GCC 7 warnings
build: support OpenSSL 1.1.0 API
build: clean up some cppcheck warnings
appid: port some missing 2.9.X FEAT_OPEN_APPID code
appid: fix thread-unsafe sharing of HTTP pattern tables
DAQ: fix leaking instance memory when configure fails
daq_hext and daq_file: pass PCI via query method
icmp6: reject non-ip6, raise 116:474
http_inspect: header normalization improvements
http_inspect: port fixes for UTF decoding
http_inspect: added 119:87 - 119:90 for expect / continue issues
http_inspect: added 119:91 for Transfer-Encoding header not valid for HTTP 1.0
http_inspect: added 119:92 for Content-Transfer-Encoding
http_inspect: added 119:93 for issues with chunked message trailers
PDF decompression: fix missing reset in state machine transition
ftp_server: implement splitter to improve EOF processing
port_scan: merge global settings into main module and other improvements
perf_monitor: add JSON formatter
ssl: add splitter to improve PDU processing
detection: fix segfault in DetectionEngine::idle sans thread_init
rules: tolerate spaces in positional parameters thanks to Joao Soares for reporting the issue
ip and tcp options: fix max length handling and clean up logging
cmg: improved alert formatting
doc: updates re control channel
snort2lua: added line number and file name to error output
snort2lua: fix removal of ignore_ports in stream_tcp.small_segments
snort2lua: fix heap-use-after-free for preprocessors and configs with no arguments
snort2lua: update for port_scan
appid: clean up shutdown stats
appid: fix memory leak
conf: update defaults
decode: updated ipv6 valid next headers
detection: avoid superfluous leaf nodes in detection option trees
http_inspect: improved handling of badly terminated chunks
http_inspect: improved transfer-encoding header processing
ips options: add validation for range check types such as dsize
perf_monitor: add more tcp and udp peg counts
perf_monitor: update cpu tracker output to thread_#.cpu_*
port_scan: alert on all scan attempts so blocking is possible
port_scan: make fully configurable
sip: fix get body buffer for fast patterns
ssl: use stop-and-wait splitter (protocol aware splitter is next)
stream_ip: fix 123:7
http_inspect: improve handling of improper bare r separator
appid: fix bug where TNS detector corrupted the flow data object
search_engine: set range for max_queue_events parameter thanks to [email protected] for reporting the issue
arp_spoof: reject non-ethernet packets
stream_ip: remove dead code and tweak formatting
ipproto: remove unreachable code
control_mgmt: add support for daq module reload
control_mgmt: add support for unix sockets
doc: update default manuals
doc: update differences section
doc: update README
byte_math: port rule option from 2X and add feature documentation
pgm: don't calculate checksum if header length is not divisible by 4
appid: fix sip event handling, http pattern lists, thread locals
build: fix issues with OpenSolaris and FreeBSD builds
cmake: fix issues with libpcap and miscellaneous
offload: refactor for initial (experimental) version of regex offload to other threads
cmg: revamp hex buffer dump format with 16 or 20 bytes per line
rules: reject positional parameters containing spaces
packet manager: ensure ether type proto ids don't masquerade as ip proto ids thanks to Bhargava Shastry for reporting the issue
codec manager: fix off-by-1 mapping array size thanks to Bhargava Shastry for reporting the issue
codec: fix extraction of ether type from cisco metadata
appid: add new unit tests to the cmake build, fix missing lib reference to sfip
sfghash: clean up and add unit tests
http: fix 119:38 false positive
main: fix compiler warnings when SHELL is not enabled
perf_monitor: fix flatbuffers handling of empty strings
modbus: port fix for false positives on length field
http: port simple UTF decoding w/o byte order mark
build: updated code to resolve cppcheck warnings
cleanup: fix typos in source code string literals and comments
doc: fix typos
build: clean up Intel compiler warnings and remarks
build: fix FreeBSD compilation issues
cmake: fix building with and without flatbuffers present
autoconf: check for lua.hpp as well as luajit.h to ensure C++ support
shell: make commands non-blocking
shell: allow multiple remote connections
snort2lua: fix generated stream_tcp bindings
snort2lua: fix basic error handling with non-conformant 2.X conf
decode: fix 116:402
dnp3: fix 145:5
appid: numerous fixes and cleanup
http_server: removed (use new http_inspect instead)
byte_jump: add bitmask and from_end (from 2.9.9 Snort)
byte_extract: add bitmask (from 2.9.9 Snort)
flatbuffers: add version to banner if present
loggers: build alert_sf_socket on all platforms
add decode of MPLS in IP
add 116:171 and 116:173 cases (label 0 or 2 in non-bottom of stack)
cleanup: remove dead code
require hyperscan >= 4.4.0, check runtime support thanks to [email protected] for submitting the patch
fix search tool issue with empty pattern database thanks to [email protected] for reporting the issue
fix sip_method to error out if sip not instantiated
major appid overhaul to address lingering concerns: refactor, cleanup, simplify
major detection overhaul to address lingering concerns: refactor, cleanup, release memory ASAP
add FlatBuffers output format to perf_monitor also added tool to convert FlatBuffers files to yaml
add regex.fast_pattern; do not use for fast pattern unless explicitly indicated
update copyrights to 2017
fixed mpse to ensure all search methods return consistent results
updated search tool to use fast pattern config's search method (benefits appid, http_inspect, imap, pop, and smtp)
snort2lua parsing bug fixes to recognize incomplete constructs
http_inspect: added alert 119:81 for nonprinting character in header name
http_inspect: added alert 119:82 for bad Content-Length value
http_inspect: added alert 119:83 for header wrapping; CR and LF parsed as whitespace

New in Snort 2.9.11 (Oct 14, 2017)

New in Snort 2.9.11 Beta 1 (Aug 11, 2017)

New in Snort 3.0.0 Build 228 Alpha 4 (Mar 3, 2017)

New in Snort 2.9.9.0 (Feb 2, 2017)

New in Snort 3.0.0 Build 225 Alpha 4 (Feb 2, 2017)

New in Snort 3.0.0 Build 223 Alpha 4 (Dec 24, 2016)

port 2983 smb active response updates
fix reload crash with file inspector
fix appid service dispatch handling issue thanks to João Soares for reporting the issue
fix paf-type flushing of single segments thanks to João Soares for reporting the issue
fix daemonization thanks to João Soares for reporting the issue
also fixes double counting of reassembled buffers
fix fallback from paf to atom splitter if flushing past gap
fix thread termination segfaults after DAQ module initialization fails
fix non-x86 builds - do not build tsc clock scaling
added appid to user manual features
update default user manuals
minor refactor of flush loop for clarity
improve http_inspect Field class
refactor plugin loading
add JavaScript Normalization to http_inspect
fix appid service check dispatch list
fix modbus_data handling to not skip options thanks to [email protected] for reporting the issue
fix sensitive data filtering documentation issues
build: Illumos build fixes
build: Address some cppcheck concerns
miscellaneous const tweaks
reformat builtin rule text for consistency
reformat help text for consistency
refactor user manual for clarity
update default user manuals
fix appid handling of sip inspection events
fix wizard to prevent use-after-free of service name
fix various issues reported by cppcheck
fix reload race condition
fix cmake + clang builds
add padding guards around hash key structs
update manual for dce_* inspectors
refactor IP address handling
fixed uu and qp decode issue
fixed file signature calculation for ftp
fixed file resume blocking
fix 135:2 to be upon completion of 3-way handshake
fix memory leak with libcrypto use
fix multithreaded use of libcrypto
fix default snort2lua output for gtp and modbus
fix Lua ordering issue with net and port vars
fix miscellaneous multithreading issues with appid
fix comment in snort.lua re install directory use; thanks to Yang Wang for sending the pull request
add alternate fast patterns for dce_udp endianness
removed underscores from all peg counts
document sensitive data use
user manual refactoring and updates
add dce auto detect to wizard
add MIME file processing to new http_inspect
add chapters on perf_monitor and file processing to user manual
appid refactoring and cleanup
many appid fixes for leaks, sanitizer, and analyzer issues
fix appid pattern matching for http
fix various race conditions reported by thread sanitizer
fix out-of-order FIN handling
fix cmake package name used in HS and HWLOC so that REQUIRED works
fix out-of-tree doc builds
fix image sizes to fit page; thanks to wyatuestc for reporting the issue
fix fast pattern selection when multiple designated thanks to [email protected] for reporting the issue
change -L to -K in README and manual; thanks to jncornett for reporting the issue
support compiling catch tests in standalone source files
create pid file after dropping privileges
improve detection and use of CppUTest in non-standard locations
fix shutdown stats
fix misc appid issues
rewrite appid loading of lua detectors
add sip inspector events for appid
update default manuals

New in Snort 2.9.9 RC 1 (Nov 14, 2016)

New in Snort 3.0.0 Build 217 Alpha 4 (Oct 31, 2016)

New in Snort 3.0.0 Build 213 Alpha 4 (Sep 29, 2016)

ported full retransmit changes from snort 2X
fixed carved smb2 filenames
fixed multithread hyperscan mpse
fixed sd_pattern iterative validation
add dce udp snort2lua
add file detection when they are transferred in segments in SMB2
fix another case of CPPUTest header order issues
separate idle timeouts from session timeouts counts
close tcp on rst in close wait, closing, fin wait 1, and fin wait 2
doc: update style guide for 'using' statements and underscores
packet_capture: Include top-level pcap.h for backward compatibility
main: remove unused -w commandline option
lua: fix conflict with _L macro from ctype.h on OpenBSD
cmake: clean dead variables out of config.cmake.h
build: fix 32-bit compiler warnings
build: fix illumos/OpenSolaris build and remove SOLARIS/SUNOS defines
build: remove superfluous LINUX and MACOS definitions
build: remove superfluous OPENBSD and FREEBSD definitions
build: entering 'std' namespace should be after all headers are included
build: clean up u_int*_t usage
build: remove SPARC support
build: clean up some DAQ header inclusion creep.
fix hyperscan detection with nocase
fix shutdown sequence
fix --dirty-pig
fix FreeBSD build re appid / service_rpc
started dce_udp porting
added HA details to stream/* dev_notes
added stream.ip_frag_only to avoid tracking unwanted flows
updated default stream cache sizes to match 2.X
fixed tcp_connector_test for OSX build
fixed binder make files to include binder.h
fixed double counting of ip and udp timeouts and prunes
fixed clearing of SYN - RST flows
add dce iface fast pattern for tcp
add --enable-tsc-clock to build/use TSC register (on x86)
update latency to use ticks during runtime
tcp stream reassembly tweaks
fix inverted detection_filter logic
fix stream profile stats parents
fix most bogus gap counts
unit test fixes for high availability, hyperscan, and regex
fixed for TCP high availability
fixed install of file_decomp.h for consistency between Snort and extras
added smtp client counters and unit tests
ported Smbv2/3 file support
ported mpls encode fixes from 2983
cleaned up compiler warnings
ported smb file processing
ported the 2.9.8 ciscometadata decoder
ported the 2.9.8 double and triple vlan tagging changes
use sd_pattern as a fast-pattern
rewrite and fix the rpc option
cleanup fragbits option implementation
finish up cutover to the new http_inspect by default
added appid counts for rsync
added http_inspect alerts for Transfer-Encoding and Content-Encoding abuse
moved file capture to offload thread
numerous fixes, cleanup, and refactoring for appid
numerous fixes, cleanup, and refactoring for high availability
fixed regex as fast pattern with hyperscan mpse
fixed http_inspect and tcp valgrind errors
fixed extra auto build from dist

New in Snort 3.0.0 Build 206 Alpha 4 (Aug 12, 2016)

New in Snort 2.9.9 Beta 1 (Jul 12, 2016)

New in Snort 3.0.0 Build 201 Alpha 4 (Jun 26, 2016)

New in Snort 3.0.0 Build 200 Alpha 4 (Jun 26, 2016)

New in Snort 3.0.0 Build 199 Alpha 4 (Jun 26, 2016)

New in Snort 3.0.0 Build 198 Alpha 4 (Jun 26, 2016)

New in Snort 2.9.8.3 (Jun 22, 2016)

New in Snort 3.0.0 Build 197 Alpha 4 (May 4, 2016)

New in Snort 3.0.0 Build 196 Alpha 4 (May 4, 2016)

New in Snort 3.0.0 Build 195 Alpha 4 (May 4, 2016)

New in Snort 3.0.0 Build 194 Alpha 4 (May 4, 2016)

New in Snort 3.0.0 Build 193 Alpha 4 (May 4, 2016)

New in Snort 3.0.0 Build 192 Alpha 4 (May 4, 2016)

New in Snort 2.9.8.2 (Mar 30, 2016)

New in Snort 3.0.0 Build 191 Alpha 4 (Mar 8, 2016)

New in Snort 3.0.0 Build 186 Alpha 4 (Feb 2, 2016)

New in Snort 3.0.0 Build 182 Alpha 3 (Dec 14, 2015)

New in Snort 2.9.8.0 (Dec 1, 2015)

New in Snort 3.0.0 Build 177 Alpha 2 (Nov 6, 2015)

New in Snort 3.0.0 Build 172 Alpha 1 (Oct 2, 2015)

New in Snort 2.9.7.6 (Oct 1, 2015)

New in Snort 3.0.0 Build 167 Alpha 2 (Sep 10, 2015)

New in Snort 2.9.8.0 Beta 1 (Aug 17, 2015)

New in Snort 3.0.0 Build 163 Alpha 2 (Aug 15, 2015)

New in Snort 2.9.7.5 (Jul 24, 2015)

New in Snort 3.0.0 Build 160 Alpha 2 (Jul 7, 2015)

New in Snort 3.0.0 Build 155 Alpha 1 (Jun 2, 2015)

New in Snort 3.0.0 Build 150 Alpha 1 (May 1, 2015)

New in Snort 3.0.0 Build 144 Alpha 1 (Apr 1, 2015)

New in Snort 2.9.7.2 (Mar 13, 2015)

New additions:
Application Identification Preprocessor, when used in conjunction with open app ID detector content, that will identify application protocol, client, server, and web applications (including those using SSL) and include the info in Snort alert data. In addition, a new rule option keyword 'appid' that can be used to constrain Snort rules based on one or more applications that are identified for the connection. See README.appid for details.
A new protected_content rule option that is used to match against a content that is hashed. It can be used to obscure the full context of the rule from the administrator.
Protocol Aware Flushing (PAF) improvements for SMTP, POP, and IMAP to more accurately process different portions of email messages and file attachments.
Added ability to test normalization behavior without modifying network traffic. When configured using na_policy_mode:inline-test, statistics will be gathered on packet normalizations that would have occurred, allowing less disruptive testing of inline deployments.
The HTTP Inspection preprocessor now has the ability to decompress DEFLATE and LZMA compressed flash content and DEFLATE compressed PDF content from http responses when configured with the new decompress_swf and decompress_pdf options. This enhancement can be used with existing rule options that already match against decompressed equivalents.
Added improved XFF support to HttpInspect. It is now possible to specify custom HTTP headers to use in place of 'X-Fowarded-For'. In situations where traffic may contain multiple XFF-like headers, it is possible to specify which headers hold precedence.
Added control socket command to dump packets.
The Stream5 preprocessor functionality is now split between the new Session and Stream preprocessors.
Added decoding capability for Cisco FabricPath
Improvements:
Update active response to allow for responses of 1500+ bytes that span multiple TCP packets.
Check limits of multiple configurations to not exceed a maximum ID of 4095.
Updated the error output of byte_test, byte_jump, byte_extract to including details on offending options for a given rule.
Update build and install scripts to install preprocessor and engine libraries into user specified libdir.
Improved performance of IP Reputation preprocessor.
The control socket will now report success when reloading empty IP Reputation whitelists/blacklists.
All TCP normalizations can now be enabled individually. See README.normalize for details on using the new options. For consistency with other options, the "urp" tcp normalization keyword now enables the normalization instead of disabling it.
Lowered memory demand of Unicode -> ASCII mapping in HttpInspect.
Updated profiler output to remove duplicate results when using multiple configurations.
Improved performance of FTP reassembly.
Improved compatibility with Mac OS X 10.9 (Mavericks), OpenBSD, FreeBSD, and DragonFlyBSD

New in Snort 3.0.0 Build 140 Alpha 1 (Mar 3, 2015)

New in Snort 3.0.0 Build 135 Alpha 1 (Jan 30, 2015)

New in Snort 3.0.0 Build 130 Alpha 1 (Jan 30, 2015)

New in Snort 2.9.7.0 (Oct 28, 2014)

New in Snort 2.9.5.5 (Sep 23, 2013)

New in Snort 2.9.5 (Jul 4, 2013)

New additions:
Added tracking of FTP data channel for file transfers as file_data for Snort rules.
Add support for doing PAF based on services loaded thru the attribute table and hardened PAF code/removed --disable-paf
Added decoding support for Cisco ERSPAN
Added tracking of HTTP uploads as file_data for Snort rules.
Added ability to use event filters with PPM rules
Added a control channel command to reload the Snort configuration to give feedback on new configuration. This improves on the older sigHUP which would just result in Snort exiting and restarting if the new configuration required a restart.
Added a configuration option to perfmon to write flow-ip data to a file
New decoding alert for IPv6 Routing type 0 header.
Added the ability to sync basic session state from one Snort to another via a side channel communication between the two Snort instances. NOTE: This is currently experimental.
Improvements:
Improved Stream's midstream pickup handling for TCP state processing, sequence validation, and reassembly.
Improved HTTP PAF reassembly capabilities to be better aligned on PDU boundaries, terminate if not actually HTTP, and to include all appropriate line feeds.
Hardened the code related to dynamic modules. Removed --disable-dynamicplugin configuration option since rule and preprocessor shared libraries are here to stay.
Added a parse error for a rule if there is a relative content used after a content that is 'fast_pattern only'.
Improved parsing of IP lists for reputation
Update to Teredo processing and Snort rule evaluation when the inner IPv6 packet doesn't have payload
Improved logging of packets associated with alerts when a Stream reassembled packet triggers multiple Snort rules.
Improvements to the Snort manual including documentation of specific rule options and configuration items.
Removed a bunch of dead code paths, updated to use more current memory functions for easier code maintenance and portability.
Deletions:
Remove deprecated unified support, use unified2 for all of your logging needs.

New in Snort 2.9.4.6 (Apr 25, 2013)

New in Snort 2.9.4.5 (Apr 11, 2013)

New in Snort 2.9.4.1 (Mar 6, 2013)

New in Snort 2.9.4.0 (Dec 8, 2012)

New in Snort 2.9.3.1 (Aug 11, 2012)

New in Snort 2.9.3.0 (Jul 21, 2012)

New in Snort 2.9.2.3 (May 17, 2012)

New in Snort 2.9.2.2 (Mar 29, 2012)

New in Snort 2.9.2.1 (Jan 24, 2012)

New in Snort 2.9.2 (Dec 16, 2011)

New Additions:
SCADA (DNP3 and Modbus) preprocessors. Added two new preprocessors to support writing rules for detecting attacks for control systems. New rule keywords are supported, and DNP3 leverages Stream5 PAF support for TCP reassembly. See the Snort Manual, README.dnp3 and README.modbus for details of the configurations and new rule options.
GTP decoding and preprocessor. Updated the Snort packet decoders and added a preprocessor to support detecting attacks over GTP (GPRS Tunneling Protocol). Snort's GTP support handles multiple versions of GTP and has a rich configuration set. See the Snort Manual and README.GTP for details.
Updates to the HTTP preprocessor to normalize HTTP responses that include javascript escaped data in the HTTP response body. This expands Snort's coverage in detecting HTTP client-side attacks. See the Snort Manual and README.http_inspect for configuration details.
Added Protocol-Aware Flushing (PAF) support for FTP.
Improvements:
Updates to Stream preprocessor to be able to track and store "stream" data for non TCP/UDP flows. Also improvements to handle when memory associated with a blocked stream is released and usable for other connections.
Updates to dce_stub_data to make it act the same as file_data and pkt_data rule option keywords in how it interacts with subsequent content/pcre/etc rule options.
Updates to how Snort handles and processes signals received from the OS.
Enabled logging of normalized JavaScript to unified2 without the use of the --enable-sourcefire configuration option.
Improved handling of gaps and overlaps for "first" and "vista" policies in Stream5.
Added support for signal handler customization. At compile-time, Snort can be customized to use different signal numbers. This allows problems with overlapping signals to be fixed on a per-platform basis, which is especially helpful for the BSDs. See the Snort Manual for more details.
Perfmonitor's output files ("now" files) are now created after Snort drops privileges. Output files will now be owned by the user and group specified with "-u" and "-g" at the command line.

New in Snort 2.9.2 RC (Dec 8, 2011)

New in Snort 2.9.1.2 (Dec 8, 2011)

New in Snort 2.9.1 (Aug 30, 2011)

New Additions:
HTTP aware TCP reassembly support within HTTP Inspect andStream5, allowing Snort to more intelligently inspect HTTPrequests and responses.See README.stream5 subsectionrelated to Protocol Aware Flushing (PAF).
SIP preprocessor to identify SIP call channels and providerule access via new rule option keywords.See the SnortManual and README.sip for details.
POP3 & IMAP preprocessors to decode email attachments inBase64, Quoted Printable, and uuencode formats, and updatesto SMTP preprocessor for decoding email attachments encodedas Quoted Printable and uuencode formats.See the SnortManual, README.pop, README.imap, and README.SMTP for details.
Add support for reading large pcap files.
IP Reputation preprocessor, allowing Snort to blacklist orwhitelist packets based on their IP addresses. Thispreprocessor is still in an experimental state, so pleasereport any issues to the Snort team.See README.reputation for more information.
DCE aware TCP reassembly has been added to the dcerpc2 preprocessor.See README.stream5 subsection related to Protocol Aware Flushing (PAF).
Improvements:
Logging of HTTP URL (host and filename), SMTP attachmentfilenames and email recipients when Snort generates eventson related traffic.
Updates to give shared library rules direct access to gzipdecoding capabilities.
Rule Option Improvements:
Updates to content modifier http_cookie to not includethe HTTP header names themselves in the buffer.This changemay affect existing rules that leverage this keyword.
Updates to the file_data and base64_data rule option keywordsand added a pkt_data rule option keyword that sets the bufferto be used for subsequent content/pcre/etc rule options.
Updates to the tcp flag rule option keyword to support 'C'and 'E' for CWR and ECN bits.
Updates to byte_extract rule option keyword to supportthe same string formats as with byte_test and byte_jump.
Updates to Snort's build infrastructure and autoconf scriptfor portability and improved checks for library dependencies.
Many updates and improvements to the Snort documentation.Specialthanks to all of the contributors from the Snort community forworking with us and making the documentation more accurate andusable.
Updates to the sensitive data preprocessor for handling HTTPtraffic and reducing false positives.
Updates to Snort's config parsing to give more meaningfulerror messages relating to snort.conf errors and configurationdisplay at startup.
Updates to Snort's active response packets whether via responsekeyword or part of inline normalization.
Improvements to HTTP Inspect processing of chunked HTTP data.
Updates to the statistics Snort prints to console or syslogat exit for different preproessors.
To facilitate easier building of Snort on many of the differentplatforms supported, Snort now uses pkg-config to check forcertain library locations. Obtain pkg-config from freedesktop.org.
HTTP Inspect has new options to detect the following anomalies: Excessive whitespace in a folded header line Series of HTTP chunks with small lengths
SIP preprocessor has new alerts for the following anomalies: Invalid SIP version Unknown SIP method SIP method mis-match Missing content-type header
Several bug fixes for Stream5's Protocol Aware Flushing
Fixed a bug where the socket output plugin sent the wrong data whenIPv6 was enabled
Other bug fixes

New in Snort 2.9.0.5 (Apr 8, 2011)

New in Snort 2.9.0.4 (Feb 11, 2011)

New in Snort 2.9.0.3 (Dec 22, 2010)

New in Snort 2.9.0.2 (Dec 4, 2010)

New in Snort 2.9.0.1 (Nov 3, 2010)

New in Snort 2.9.0 (Oct 5, 2010)

Feature rich IPS mode including improvements to Stream for inline deployments. Additionally a common active response API is used for all packet responses, including those from Stream, Respond, or React. A new response module, respond3, supports the syntax of both resp & resp2, including strafing for passive deployments. When Snort is deployed inline, a new preprocessor has been added to handle packet normalization to allow Snort to interpret a packet the same way as the receiving host.
Use of a Data Acquisition API (DAQ) that supports many different packet access methods including libpcap, netfilterq, IPFW, and afpacket. For libpcap, version 1.0 or higher is now required. The DAQ library can be updated independently from Snort and is a separate module that Snort links. See README.daq for details on using Snort and the new DAQ./li>
Updates to HTTP Inspect to extract and log IP addresses from X-Forward-For and True-Client-IP header fields when Snort generates events on HTTP traffic.
A new rule option 'byte_extract' that allows extracted values to be used in subsequent rule options for isdataat, byte_test, byte_jump, and content distance/within/depth/offset.
Updates to SMTP preprocessor to support MIME attachment decoding across multiple packets.
Ability to "test" drop rules using Inline Test Mode. Snort will indicate a packet would have been dropped in the unified2 or console event log if policy mode was set to inline.
Two new rule options to support base64 decoding of certain pieces of data and inspection of the base64 data via subsequent rule options.
Updates to the Snort packet decoders for IPv6 for improvements to anomaly detection.
Added a new pattern matcher that supports Intel's Quick Assist Technology for improved performance on supported hardware platforms. Visit http://www.intel.com to find out more about Intel Quick Assist. The following document describes Snort's integration with the Quick Assist Technology: http://download.intel.com/embedded/applications/networksecurity/324029.pdf.
Reference applications for reading unified2 output that handle all unified2 record formats used by Snort.