Snort Changelog

New in version 2.9.7.2

March 13th, 2015
  • src/build.h: updating build number to 177
  • src/preprocessors/Stream6/snort_stream_tcp.c: Documentation: Fixed issue in which TCP trim normalization would occur when it was not necessary.
  • src/decode.c, src/encode.c: Added support for Cisco FabricPath decoding/encoding. Ensure flow_id is copied into the DAQ_PktHdr_t.
  • src/snort.h, src/sfutil/sfrt.c, src/sfutil/sfrt.h, src/target-based/sftarget_reader.c: Moved ntohl conversion inside of the sfrt API for both IPv4 and IPv6.
  • src/target-based/sftarget_protocol_reference.c: Look up the application protocol id only after the session is established. Assign the application protocol id to the session when using the host attribute table.
  • src/util.c: Changes for suppressing configuration logging.
  • src/file-process/file_service.c: Assign the file config to a file context prior to checking if HTTP continuation.

New in version 2.9.6.2 (October 7th, 2014)

  • New additions:
  • Added the ability to specify additional custom 'x-forwarder-for' http field names. A new http inspection configuration element is used to specify a set of field names and their respective precedence order.
  • Added cache flow timeout for IP.
  • Improvements:
  • Fixed handling of ICMPv6 traffic.
  • Fixed inline stream reassembly during file processing.
  • Addressed race condition issue with Perfmon stats file rollover.

New in version 2.9.6.0 (January 24th, 2014)

  • New additions:
  • Add support to do file specific processing within the DCERPC preprocessor for files being transferred over SMB.
  • File capture and storage -- saves files as they traverse the network via a new preprocessor that ties in support within HTTP, FTP, SMTP, POP, IMAP, and SMB. See README.file and README.file_server (under tools/file_server) for details.
  • Add = operators to byte_test rule option.
  • Update SMTP to detect Cyrus SASL authentication attack.
  • Add capability to capture a single session from start to end.
  • EXPERIMENTAL: Add support to leverage file type identification in snort rules. See README.file_ips for details.
  • Improvements:
  • Only inject active responses when a TCP session is established.
  • Update the POP and IMAP protocols to support simple PAF for improved identification and capture of files.
  • Update SMTP, POP, IMAP to improve inspection when mime boundaries are split across packets.
  • Address issue where the end of line was decoded incorrectly for Quoted Printable email attachments.
  • Handle out of order SSL handshake in SMTP when STARTTLS is used, and fix checks for SSL type so they occur only within the SSL handshake.
  • Update sensitive data preprocessor to handle a stateful search of patterns across multiple packets.
  • Address a few issues in the Snort manual and other READMEs for flowbits and tunneling.
  • Save off packet data for quicker debugging in case of a SIGABRT or SIGBUS.
  • Fix alignment of sfxhash node for SPARC platforms.

New in version 2.9.6.0 RC (December 14th, 2013)

  • We've improved a few very minor things, but we're really looking for more testing in the engine and feedback about the capabilities we've built into it.

New in version 2.9.6.0 Beta (November 20th, 2013)

  • src/detection-plugins/sp_icmp_code_check.c: Allow a negative value in the ICMP icode x<>y range check. This permits the rule to include a check for zero.
  • src/preprocessors/Stream5/snort_stream5_tcp.c: Disable detection when the TCP connection was already closed.
  • src/: dynamic-preprocessors/ftptelnet/ftpp_si.h, dynamic-preprocessors/ftptelnet/pp_ftp.c, dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, file-process/file_api.h: Fix FTP-Data file processing.
  • src/snort_bounds.h: Avoid assertion for zero size memory copy.
  • src/: dynamic-plugins/sf_dynamic_plugins.c, detection-plugins/sp_react.c: Only inject response page when session is established.
  • src/dynamic-preprocessors/smtp/smtp_log.h, src/dynamic-preprocessors/smtp/snort_smtp.c, src/dynamic-preprocessors/smtp/snort_smtp.h, preproc_rules/preprocessor.rules, etc/gen-msg.map: Add a new preprocessor alert to detect Cyrus SASL authentication attack.
  • src/dynamic-preprocessors/ssh/spp_ssh.c: Set reassembly to ABSOLUTE only if the traffic is SSH. Statefully process SSH version / SSH key exchange init / key exchange and/or encrypted data within a single reassembled packet. Thanks to Florian Westphal for reporting this.
  • src/file-process/file_mime_process.c: For IMAP, the MIME message is inside the FETCH body, which ends at ")".
  • src/: dynamic-preprocessors/dns/spp_dns.c, dynamic-preprocessors/ssh/spp_ssh.c: Change preprocessor reassembly policy; change the SSH preprocessor state transition to be based on the direction of the traffic rather than on both directions.
  • src/: preprocessors/Stream5/snort_stream5_tcp.c: Ignore the gap when turning on reassembly dynamically on the very first packet of the session.
  • src/dynamic-preprocessors/dnp3/spp_dnp3.c: Fix the incorrect mempool warnings. Thanks to Bram for reporting this.
  • doc/snort_manual.pdf, doc/snort_manual.tex, configure.in, src/snort.c, src/util.c: Trim freed memory before and after configuration reload.
  • src/: dynamic-preprocessors/imap/snort_imap.c, dynamic-preprocessors/pop/snort_pop.c, dynamic-preprocessors/smtp/snort_smtp.c, file-process/file_mime_process.c, sfutil/sf_email_attach_decode.c: Allow 7bit decoding of binary file attachments.
  • src/dynamic-preprocessors/sdf/: spp_sdf.c, spp_sdf.h: Avoid partial rule tree match during reload.
  • src/tag.c: Fix boundary check error so that the global tagged packet limit doesn't allow an extra tag.
  • src/: file-process/file_mime_process.h, file-process/file_api.h, file-process/file_mime_process.c, file-process/file_service.c, dynamic-preprocessors/imap/snort_imap.c, dynamic-preprocessors/imap/spp_imap.c, dynamic-preprocessors/smtp/snort_smtp.c, dynamic-preprocessors/pop/snort_pop.c, dynamic-preprocessors/pop/spp_pop.c: Add simple PAF support for POP and IMAP.
  • src/: util.c, util.h, sfutil/sf_ip.c, sfutil/sf_ip.h: Add sfip_convert_ip_text_to_binary() to enforce platform agnostic IPv4 syntax. Make sure xatou(), xatol(), and xatoup() return values within the specified range.
  • doc/snort_manual.tex: Update the document to include the '=' operators for the byte_test rule option.
  • src/preprocessors/Stream5/snort_stream5_tcp.c: Make sure the INTERNAL_EVENT_SESSION_ADD event is raised only in the ESTABLISHED state.
  • src/sfutil/sf_email_attach_decode.c: Check the QP encoding string is valid to avoid decoding end of line incorrectly.
  • src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: Tweak config output to correspond to config input. Thanks to Reinoud Koornstra for the suggestion.
  • src/preprocessors/Stream5/: snort_stream5_icmp.c, snort_stream5_ip.c, snort_stream5_tcp.c, snort_stream5_udp.c: dynamic-preprocessors/pop/snort_pop.c, dynamic-preprocessors/smtp/snort_smtp.c, dynamic-preprocessors/ssl/spp_ssl.c, encode.c, dynamic-preprocessors/dcerpc2/dce2_cl.c, dynamic-preprocessors/dcerpc2/dce2_session.h, dynamic-preprocessors/dcerpc2/snort_dce2.c, dynamic-preprocessors/dns/spp_dns.c, dynamic-preprocessors/imap/snort_imap.c: preprocessors/spp_rpc_decode.c, preprocessors/spp_stream5.c, preprocessors/stream_api.h, preprocessors/stream_expect.c: Handle out of order SSL handshake in SMTP. Thanks to Bram for reporting this.
  • src/preprocessors/perf-base.c: Update the header printed at the top of a new stats file.
  • src/preprocessors/perf-base.c: Change name of stat from Blocked Packets to Block Verdicts.
  • src/preprocessors/Stream5/snort_stream5_session.c: Time out a session as soon as its session timeout is reached instead of waiting for the nominal session timeout.
  • configure.in, src/plugbase.c, src/rule_option_types.h, src/snort.c, src/detection-plugins/Makefile.am, src/detection-plugins/: sp_file_type.c, sp_file_type.h, src/detection-plugins/detection_options.c, src/dynamic-preprocessors/Makefile.am, src/file-process/Makefile.am, src/file-process/file_api.h, src/file-process/file_service.c, src/file-process/file_service_config.c, src/file-process/file_service_config.h, src/file-process/libs/Makefile.am, src/file-process/libs/file_config.c, src/file-process/libs/file_config.h, src/file-process/libs/file_lib.c, src/file-process/libs/file_lib.h, src/preprocessors/spp_stream5.c, tools/Makefile.am, doc/: README.file, README.file_ips, Makefile.am: File inspection keywords for IPS rules.
  • src/dynamic-preprocessors/sdf/: sdf_pattern_match.c, sdf_pattern_match.h, spp_sdf.c, spp_sdf.h: Add stateful pattern match of sdf patterns across packets.
  • mkinstalldirs, doc/snort_manual.tex, src/detect.c, src/detection_util.h, src/fpdetect.c, src/parser.c, src/tag.c, src/tag.h, src/target-based/sf_attribute_table.y, tools/u2spewfoo/u2spewfoo.c: Support single session capture via tag rule option. Log all packets to the same place as original alert. Enable tagging on pass rules.
  • src/: dynamic-preprocessors/imap/snort_imap.c, dynamic-preprocessors/imap/snort_imap.h, dynamic-preprocessors/pop/snort_pop.c, dynamic-preprocessors/pop/snort_pop.h, dynamic-preprocessors/smtp/snort_smtp.c, dynamic-preprocessors/smtp/snort_smtp.h, file-process/file_api.h, file-process/file_mime_process.c, preprocessors/str_search.c, preprocessors/str_search.h, sfutil/bnfa_search.c: Add Stateful mime boundary search when split between packets.
  • src/preprocessors/HttpInspect/client/hi_client.c: Change the uri search to start from method end instead of the start of payload.
  • configure.in, doc/README.file, doc/snort_manual.pdf, src/parser.c, src/preprocids.h, src/snort.c, src/util.c, src/detection-plugins/.cvsignore, src/dynamic-examples/Makefile.am, src/dynamic-plugins/sf_engine/.cvsignore, src/dynamic-preprocessors/Makefile.am, src/dynamic-preprocessors/file/Makefile.am, src/dynamic-preprocessors/file/file_agent.c, src/dynamic-preprocessors/file/file_agent.h, src/dynamic-preprocessors/file/file_event_log.c, src/dynamic-preprocessors/file/file_event_log.h, src/dynamic-preprocessors/file/file_inspect_config.c, src/dynamic-preprocessors/file/file_inspect_config.h, src/dynamic-preprocessors/file/file_sha.c, src/dynamic-preprocessors/file/file_sha.h, src/dynamic-preprocessors/file/sf_file.dsp, src/dynamic-preprocessors/file/spp_file.c, src/dynamic-preprocessors/file/spp_file.h, src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp, src/file-process/Makefile.am, src/file-process/circular_buffer.c, src/file-process/circular_buffer.h, src/file-process/file_api.h, src/file-process/file_capture.c, src/file-process/file_capture.h, src/file-process/file_mempool.c, src/file-process/file_mempool.h, src/file-process/file_resume_block.c, src/file-process/file_service.c, src/file-process/file_service.h, src/file-process/file_service_config.c, src/file-process/file_service_config.h, src/file-process/file_stats.c, src/file-process/file_stats.h, src/file-process/libs/file_config.c, src/file-process/libs/file_config.h, src/file-process/libs/file_identifier.c, src/file-process/libs/file_identifier.h, src/file-process/libs/file_lib.c, src/file-process/libs/file_lib.h, src/file-process/libs/file_sha256.h, tools/Makefile.am, tools/file_server/Makefile.am, tools/file_server/README.file_server, tools/file_server/file_server.c: Add file capture feature and introduce file inspect preprocessor.
  • src/preprocessors/Stream5/snort_stream5_tcp.c: Parse error if there are missing direction specifiers. Thanks to Bram Fabeg for the report.
  • src/ipv6_port.h: Remove duplicate macro for GET_ORIG_IPH_PROTO.
  • doc/: README.decode, README.gre, README.mpls, snort_manual.pdf, snort_manual.tex: Update manual and other docs related to tunneling. Thanks to Jason Poley for noting it.
  • src/parser.c: Not so silently skip duplicate service metadata.
  • src/: log.c, mempool.c, parser.c, snort.c, util.c, detection-plugins/sp_ip_tos_check.c, detection-plugins/sp_pattern_match.c, detection-plugins/sp_replace.c, detection-plugins/sp_session.c, detection-plugins/sp_tcp_win_check.c, dynamic-preprocessors/dns/spp_dns.c, dynamic-preprocessors/ftptelnet/pp_ftp.c, dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, dynamic-preprocessors/sdf/sdf_pattern_match.c, output-plugins/spo_log_ascii.c, output-plugins/spo_log_tcpdump.c, preprocessors/HttpInspect/utils/hi_paf.c, preprocessors/Stream5/snort_stream5_tcp.c: Replace obsolete bzero and index calls. Credits to Bill Parker.
  • src/dynamic-preprocessors/: smtp/snort_smtp.c, ssl/spp_ssl.c, libs/ssl.c, libs/ssl.h: Check for SSL type only when the SSL handshake is not complete. Don't check for type in SSL data. Thanks to Bram Fabeg for reporting this.
  • src/preprocessors/: HttpInspect/server/hi_server.c, HttpInspect/server/hi_server_norm.c, Stream5/snort_stream5_tcp.c: Only check the charset BOM once per response body; only set the charset once per charset= parameter.
  • src/profiler.c: Fix issue when reading pcaps from command line and using multiple policies and --pcap-reset.
  • src/detection-plugins/detection_options.c: Don't count RTN perf time in OTN perf time. Credits to Reinoud for reporting this.
  • doc/README.flowbits: Fix typo in flowbits isnotset examples.
  • src/snort.c, src/snort.h, src/util.c, snort.8, doc/snort_manual.pdf, doc/snort_manual.tex: Add a command line switch --no-interface-pidfile to snort.
  • src/preprocessors/: spp_stream5.c, Stream5/stream5_common.h: Updated Stream's exit stats to use 'filtered' instead of dropped.
  • src/: detection_util.h, dynamic-preprocessors/sip/spp_sip.c: Don't set SIP/HTTP buffers to NULL.
  • src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c: Return mismatch if the requested HTTP buffer was not set.
  • src/snort.c: Bugs Fixed: Capture packet data for SIGABRT and SIGBUS.
  • doc/README.dcerpc2, doc/snort_manual.pdf, doc/snort_manual.tex, etc/gen-msg.map, preproc_rules/preprocessor.rules, src/active.c, src/active.h, src/encode.c, src/encode.h, src/generators.h, src/dynamic-plugins/sf_dynamic_plugins.c, src/dynamic-plugins/sf_dynamic_preprocessor.h, src/dynamic-preprocessors/dcerpc2/dce2_co.c, src/dynamic-preprocessors/dcerpc2/dce2_config.c, src/dynamic-preprocessors/dcerpc2/dce2_config.h, src/dynamic-preprocessors/dcerpc2/dce2_event.c, src/dynamic-preprocessors/dcerpc2/dce2_event.h, src/dynamic-preprocessors/dcerpc2/dce2_memory.c, src/dynamic-preprocessors/dcerpc2/dce2_memory.h, src/dynamic-preprocessors/dcerpc2/dce2_smb.c, src/dynamic-preprocessors/dcerpc2/dce2_smb.h, src/dynamic-preprocessors/dcerpc2/dce2_stats.h, src/dynamic-preprocessors/dcerpc2/snort_dce2.c, src/dynamic-preprocessors/dcerpc2/snort_dce2.h, src/dynamic-preprocessors/dcerpc2/spp_dce2.c, src/dynamic-preprocessors/dcerpc2/spp_dce2.h, src/dynamic-preprocessors/dcerpc2/includes/smb.h, src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, src/dynamic-preprocessors/imap/snort_imap.c, src/dynamic-preprocessors/pop/snort_pop.c, src/dynamic-preprocessors/smtp/snort_smtp.c, src/file-process/file_api.h, src/file-process/file_mime_process.c, src/file-process/file_service.c, src/file-process/libs/file_identifier.c, src/file-process/libs/file_identifier.h, src/file-process/libs/file_lib.c, src/file-process/libs/file_lib.h, src/preprocessors/snort_httpinspect.c, src/preprocessors/Stream5/snort_stream5_tcp.c: Add SMB file support.

New in version 2.9.5.6 (November 19th, 2013)

  • src/preprocessors/Stream5/snort_stream5_tcp.c: Add a NULL check for preprocessors that check for PAF before they check for any actual TCP session.
  • src/detection-plugins/: sp_byte_check.c, sp_byte_jump.c, sp_isdataat.c, sp_pattern_match.c: Test if the byte extracted distance and/or offset is within bounds of the search buffer. Thanks to Nathan Fowler for noting the issue.
  • src/preprocessors/HttpInspect/client/hi_client.c: Clear the cookie normalization buffer to avoid an accidental NULL dereference in a pipelined request. Thanks to Michael Galapchuk for reporting the problem.

New in version 2.9.5.5 (September 17th, 2013)

  • Improvements:
  • Address issue with SMTP preprocessor and the ignore_tls_data configuration to correctly stop inspection after an SMTP session is encrypted.
  • Disable all rule evaluation (as opposed to just rules with fast patterns) for packets on a previously blocked session.
  • Corrected when perfmon preprocessor writes stats to occur as soon as both the time and packet count criteria are met.
  • Enforce same restrictions on relative PCRE for HTTP buffers from shared library rules as already existed with text rules.

New in version 2.9.5.3 (July 31st, 2013)

  • Improvements:
  • Performance improvements to eliminate some unnecessary work, reduction of sizes of data structures, and cleanup of processing for HTTP normalized buffers.
  • Cap the number of expected connections (e.g. FTP data channel) to prevent memory growth.
  • Address issue with reloading reputation lookup tables when more addresses are added.
  • Address issue with potential hang during shutdown of control socket config reload processing thread.

New in version 2.9.4.6 (April 25th, 2013)

  • Improved support for DAQ verdicts of whitelist and blacklist for 6in4 and 4in6 encapsulated traffic (similar to Teredo & GTP). See the Snort manual for configuration details.
  • Avoid changing the length of IP options in frag3 when receiving duplicate 0-offset fragments that have IP options.

New in version 2.9.4.5 (April 4th, 2013)

  • Removed proxy information from normalized HTTP Uri to enable correct matching of patterns.
  • Update to log packets to unified2 across all alerts on stream reassembled packets.

New in version 2.9.4.1 (March 5th, 2013)

  • Updated File processing for partial HTTP content and MIME attachments.
  • Addition of new config option max_attribute_services_per_host and improve memory usage within attribute table.
  • Handle excessive overlaps in frag3.
  • Stream API updates to return session key for a session.
  • Reduce false positives for TCP window slam events.
  • Updates to provide better encoding for TCP packets generated for respond and react.
  • Disable non-ethernet decoders by default for performance reasons. If needed, use --enable-non-ether-decoders with configure.

New in version 2.9.4.0 (December 4th, 2012)

  • New additions:
  • Consolidation of IPv6 -- now only a single build supports both IPv4 & IPv6, and removal of the IPv4 "only" code paths.
  • File API and improvements to file processing for HTTP downloads and email attachments via SMTP, POP, and IMAP to facilitate broader file support
  • Use of address space ID for tracking Frag & Stream connections when it is available with the DAQ
  • Logging of packet data that triggers PPM for post-analysis via Snort event
  • Decoding of IPv6 with PPPoE
  • Added an API call to add a service to a host in the attribute table. Remove the unused live attribute update code.
  • Improvements:
  • Update to Stream5 PAF for handling gaps in the sequence numbers of packets being reassembled.
  • Selection of the Stream TCP policy based on the server rather than the destination of first packet seen by Snort
  • Allow disabling of global thresholds via a count of -1
  • Prevent blocking duplicate SYNs when using inline normalization
  • Add SSLv3 backwards compatibility support for SSLv2 ClientHello messages
  • Allow active responses to packets without data (e.g., a TCP SYN).
  • Changed logic of option evaluations for shared library rules that use a custom evaluation function to match that of the builtin logic when the NOT_FLAG is used. The 'NOT' matching now happens within each of the individual rule option evaluation functions.
  • Updated SMTP preprocessor to better handle commands that have corresponding data on a subsequent line to reduce false positives. 3 commands fall into this category - X-EXPS, XEXCH50, and BDAT.
  • Improve support for encapsulated & tunneling protocols to block or fastpath a connection within the tunnel rather than applying that to the whole tunnel.

New in version 2.9.2.1 (January 20th, 2012)

  • Added new alerts for HTTP (undefined methods & HTTP 0.9 simple requests).
  • Updates to the Stream preprocessor in TCP session tracking to avoid re-queuing retransmitted data that was already flushed. Also various tweaks for PAF flushing.
  • Updates to the reputation preprocessor to handle shared memory switching.
  • Updates to the SCADA preprocessors in their handling of PAF flushing and Modbus request/response length checking. Also tweaks in alerts for reserved DNP3 functions.
  • Updates to flowbit groups to always use the group when some rules refer to a flow group while others do not refer to a group for the same flowbit.
  • Updates to GTP preprocessor to check invalid extension header length for GTPv1.
  • Updates to sfrt library, used in reputation preprocessor and target based configuration, when calculating memory allocated and support for IPv6.

New in version 2.9.1.2 (October 21st, 2011)

  • Fixed an issue where Snort would sometimes stop processing traffic in a persistent HTTP 1.1 connection with a UTF-32 encoded response followed by a UTF-16 encoded response.

New in version 2.8.6.1 (September 12th, 2010)

  • Snort 2.8.6.a fixes installer packages to include the correct version of the sensitive data preprocessor for Linux and Windows.
  • Eliminates false positives when using fast_pattern:only and having only one http content in the pattern matcher.
  • Addresses false positives in FTP preprocessor with string format verification. 2.8.6.1 also addresses an issue with handling response codes to data transfer commands where the response code didn't contain a message