April 25th, 2013
· Improved support for DAQ verdicts of whitelist and blacklist for 6in4 and 4in6 encapsulated traffic (similar to Teredo & GTP). See the Snort manual for configuration details.
· Avoid changing the length of IP options in frag3 when receiving duplicate 0-offset fragments that have IP options.
April 4th, 2013
· Removed proxy information from normalized HTTP Uri to enable correct matching of patterns.
· Update to log packets to unified2 across all alerts on stream reassembled packets.
March 5th, 2013
· Updated File processing for partial HTTP content and MIME attachments.
· Added the new config option max_attribute_services_per_host and improved memory usage within the attribute table.
· Handle excessive overlaps in frag3.
· Stream API updates to return session key for a session.
· Reduce false positives for TCP window slam events.
· Updates to provide better encoding for TCP packets generated for respond and react.
· Disable non-ethernet decoders by default for performance reasons. If needed, use --enable-non-ether-decoders with configure.
December 4th, 2012
New additions:
· Consolidation of IPv6 -- now only a single build supports both IPv4 & IPv6, and removal of the IPv4 "only" code paths.
· File API and improvements to file processing for HTTP downloads and email attachments via SMTP, POP, and IMAP to facilitate broader file support
· Use of address space ID for tracking Frag & Stream connections when it is available with the DAQ
· Logging of packet data that triggers PPM for post-analysis via Snort event
· Decoding of IPv6 with PPPoE
· Added an API call to add a service to a host in the attribute table. Remove the unused live attribute update code.
· Update to Stream5 PAF for handling gaps in the sequence numbers of packets being reassembled.
· Selection of the Stream TCP policy based on the server rather than the destination of the first packet seen by Snort
· Allow disabling of global thresholds via a count of -1
· Prevent blocking duplicate SYNs when using inline normalization
· Add SSLv3 backwards compatibility support for SSLv2 ClientHello messages
· Allow active responses to packets without data (eg, a TCP SYN)
· Changed logic of option evaluations for shared library rules that use a custom evaluation function to match that of the builtin logic when the NOT_FLAG is used. The 'NOT' matching now happens within each of the individual rule option evaluation functions.
· Updated SMTP preprocessor to better handle commands that have corresponding data on a subsequent line to reduce false positives. 3 commands fall into this category - X-EXPS, XEXCH50, and BDAT.
· Improve support for encapsulated & tunneling protocols to block or fastpath a connection within the tunnel rather than applying that verdict to the whole tunnel.
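The SSLv2 ClientHello item above matters because a client can send its hello in the old SSLv2 record format (2-byte length header with the high bit set, 3-byte cipher specs) while still asking for SSLv3 or TLS in the version field; a decoder that only recognises the SSLv3/TLS record header (content type 0x16) never sees that the session is going encrypted. The parser below, an added example in Python and not Snort's SSL preprocessor code, handles both encodings on constructed sample records (not captured traffic) and reports whether the hello offers SSLv3 or later and which suites in a V2-format hello are actually SSLv3/TLS suites (leading 0x00 byte). Field names and the helper names are this example's own.

```python
"""SSLv2-compatible vs SSLv3/TLS ClientHello parser (added example, not Snort code)."""
import struct

SSLV3_CONTENT_HANDSHAKE = 0x16   # SSLv3/TLS record content type for handshake
HANDSHAKE_CLIENT_HELLO = 0x01    # handshake message type
V2_MSG_CLIENT_HELLO = 0x01       # SSLv2 message type


def parse_client_hello(data: bytes) -> dict:
    """Dispatch on the first byte: SSLv2 records set the high bit of a
    2-byte length header; SSLv3/TLS records start with a content type."""
    if len(data) < 5:
        raise ValueError("record too short")
    if data[0] & 0x80:
        return _parse_v2_compat(data)
    if data[0] == SSLV3_CONTENT_HANDSHAKE:
        return _parse_v3(data)
    raise ValueError("not a ClientHello record")


def _parse_v2_compat(data: bytes) -> dict:
    # RFC 5246 appendix E.2 layout: 15-bit length, msg_type, version,
    # cipher_spec_length, session_id_length, challenge_length, then the
    # three variable fields. Cipher specs are 3 bytes each.
    msg_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + msg_len]
    if len(body) != msg_len or msg_len < 9:
        raise ValueError("truncated SSLv2 record")
    if body[0] != V2_MSG_CLIENT_HELLO:
        raise ValueError("SSLv2 message is not a ClientHello")
    version, cs_len, sid_len, ch_len = struct.unpack(">HHHH", body[1:9])
    if cs_len % 3 or 9 + cs_len + sid_len + ch_len != msg_len:
        raise ValueError("inconsistent SSLv2 ClientHello lengths")
    specs = body[9:9 + cs_len]
    ciphers = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, cs_len, 3)]
    return {"format": "sslv2-compat", "version": version, "ciphers": ciphers,
            "session_id": body[9 + cs_len:9 + cs_len + sid_len]}


def _parse_v3(data: bytes) -> dict:
    _content_type, _record_version, rec_len = struct.unpack(">BHH", data[:5])
    frag = data[5:5 + rec_len]
    if len(frag) != rec_len or len(frag) < 4:
        raise ValueError("truncated SSLv3/TLS record")
    hs_type, hs_len = frag[0], int.from_bytes(frag[1:4], "big")
    hs = frag[4:4 + hs_len]
    # 2-byte version + 32-byte random + 1-byte session_id length = 35 minimum
    if hs_type != HANDSHAKE_CLIENT_HELLO or len(hs) != hs_len or hs_len < 35:
        raise ValueError("not a complete ClientHello handshake message")
    (version,) = struct.unpack(">H", hs[:2])
    sid_len = hs[34]
    p = 35 + sid_len
    (cs_len,) = struct.unpack(">H", hs[p:p + 2])
    p += 2
    if cs_len % 2 or p + cs_len > hs_len:
        raise ValueError("inconsistent cipher_suites length")
    ciphers = [int.from_bytes(hs[i:i + 2], "big") for i in range(p, p + cs_len, 2)]
    return {"format": "sslv3", "version": version, "ciphers": ciphers,
            "session_id": hs[35:35 + sid_len]}


def offers_sslv3_or_tls(hello: dict) -> bool:
    """True when the hello asks for SSLv3 (0x0300) or later. An SSLv2-format
    hello can still do so; that is the case a decoder must not drop."""
    return hello["version"] >= 0x0300


def v3_suites_in_v2_hello(hello: dict) -> list:
    """In V2 encoding a leading 0x00 byte marks an SSLv3/TLS suite; any other
    first byte is an SSLv2-only cipher kind."""
    return [c & 0xFFFF for c in hello["ciphers"] if c >> 16 == 0]


# Constructed sample records (not captured traffic).
def _build_v2_compat_hello() -> bytes:
    specs = b"\x00\x00\x2f" + b"\x01\x00\x80"   # TLS_RSA_WITH_AES_128_CBC_SHA, SSL2_RC4_128_WITH_MD5
    challenge = b"\x22" * 16
    body = (bytes([V2_MSG_CLIENT_HELLO])
            + struct.pack(">HHHH", 0x0301, len(specs), 0, len(challenge))
            + specs + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body


def _build_v3_hello() -> bytes:
    body = (struct.pack(">H", 0x0301) + b"\x11" * 32 + b"\x00"
            + struct.pack(">HHH", 4, 0x002F, 0x0035) + b"\x01\x00")
    hs = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack(">BHH", SSLV3_CONTENT_HANDSHAKE, 0x0301, len(hs)) + hs


SSLV2_COMPAT_HELLO = _build_v2_compat_hello()
SSLV3_HELLO = _build_v3_hello()

if __name__ == "__main__":
    for rec in (SSLV2_COMPAT_HELLO, SSLV3_HELLO):
        h = parse_client_hello(rec)
        print(h["format"], hex(h["version"]), [hex(c) for c in h["ciphers"]],
              "v3+" if offers_sslv3_or_tls(h) else "v2-only")
```

Both sample hellos request TLS 1.0 (0x0301); only the record encoding differs. The length cross-check in the V2 branch (9 + cipher specs + session id + challenge must equal the record length) is the part worth keeping in any decoder, since a truncated or padded V2 header is the usual way such a message is malformed.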
January 20th, 2012
· Added new alerts for HTTP (undefined methods & HTTP 0.9 simple requests).
· Updates to the Stream preprocessor in TCP session tracking to avoid re-queuing retransmitted data that was already flushed. Also various tweaks for PAF flushing.
· Updates to the reputation preprocessor to handle shared memory switching.
· Updates to the SCADA preprocessors in their handling of PAF flushing and Modbus request/response length checking. Also tweaks in alerts for reserved DNP3 functions.
· Updates to flowbit groups to always use the group when some rules refer to a flow group while others do not refer to a group for the same flowbit.
· Updates to GTP preprocessor to check invalid extension header length for GTPv1.
· Updates to the sfrt library, used by the reputation preprocessor and target-based configuration, in how allocated memory is calculated, and added IPv6 support to it.
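The two new HTTP alerts in the January 20th, 2012 entry cover request lines that header-based inspection otherwise passes over: an HTTP/0.9 simple request is just `GET SP Request-URI CRLF` with no version token and no headers (and the server answers with a bare body, no status line), while an undefined method is any token outside the methods the inspector knows. The classifier below is an added example in Python, not Snort's http_inspect code; the request lines are constructed, and the fixed RFC 2616 method set is this example's assumption (Snort's own method list is configurable).

```python
"""Request-line classifier for HTTP/0.9 simple requests and undefined methods
(added example, not Snort's http_inspect code)."""
import re

# Methods defined by RFC 2616. Treating everything else as undefined is an
# assumption of this example; an inspector normally has a configurable list.
STANDARD_METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"}
_VERSION_RE = re.compile(rb"^HTTP/[0-9]+\.[0-9]+$")


def classify_request_line(line: bytes) -> dict:
    """Return the method, the version (None if absent) and a list of findings."""
    line = line.rstrip(b"\r\n")
    parts = line.split(b" ")
    method = parts[0].decode("ascii", "replace")
    findings = []
    version = None
    if len(parts) == 2:
        # RFC 1945 Simple-Request: "GET" SP Request-URI CRLF. Only GET is
        # legal without a version; anything else is simply malformed.
        if method == "GET":
            version = "0.9"
            findings.append("http09_simple_request")
        else:
            findings.append("malformed_request_line")
    elif len(parts) == 3 and _VERSION_RE.match(parts[2]):
        version = parts[2][5:].decode("ascii")
    else:
        findings.append("malformed_request_line")
    if method not in STANDARD_METHODS:
        findings.append("undefined_method")
    return {"method": method, "version": version, "findings": findings}


# Constructed request lines, not captured traffic.
SAMPLE_REQUEST_LINES = [
    b"GET /index.html HTTP/1.1\r\n",       # ordinary request, no finding
    b"GET /index.html\r\n",                # HTTP/0.9 simple request
    b"FOOBAR /cgi-bin/x HTTP/1.1\r\n",     # undefined method
    b"POST /upload\r\n",                   # no version and not GET: malformed
]


def scan(lines) -> list:
    """Classify each line; returns (request line, findings) pairs."""
    return [(l.decode("ascii", "replace").strip(), classify_request_line(l)["findings"])
            for l in lines]


if __name__ == "__main__":
    for text, findings in scan(SAMPLE_REQUEST_LINES):
        print(f"{text!r}: {findings or 'ok'}")
```

The distinction between the second and fourth sample lines is the one to get right: a two-token line is a legitimate (if ancient) HTTP/0.9 request only when the method is GET, so `POST /upload` with no version is reported as malformed rather than as a 0.9 request.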
October 21st, 2011
· Fixed an issue where Snort would sometimes stop processing traffic in a persistent HTTP 1.1 connection with a UTF-32 encoded response followed by a UTF-16 encoded response.
September 12th, 2010
· Snort 2.8.6.a fixes installer packages to include the correct version of the sensitive data preprocessor for Linux and Windows
· Eliminates false positives when using fast_pattern:only and having only one http content in the pattern matcher
· Addresses false positives in the FTP preprocessor with string format verification. This release also addresses an issue with handling response codes to data transfer commands where the response code did not contain a message