Snort Changelog

What's new in Snort 2.9.8.3

Jun 22, 2016
  • Stability improvement for Stream6 preprocessor
  • Fixed multiple issues in HttpInspect preprocessor
  • Fixed an issue of incorrect masking of sensitive data

New in Snort 2.9.8.2 (Mar 31, 2016)

  • New additions:
  • Future-flow and DNS API exposed to lua detector.
  • Double VLAN tagging support.
  • Improvements:
  • Performance improvements to AppID.
  • Stability improvements to file and ftp_telnet preprocessor.
  • Fixed several issues with SDF and obfuscation.
  • Resolved an issue of improper handling of malformed DNS host in AppID.
  • HTTP PAF accepts all tokens between method and version strings in a request URI.
  • Resolved snort build issue with "--disable-perfprofiling" configure option.
  • Enhanced mime parsing by adding support for detecting files after unknown headers and no headers.
  • Fixed issue with gzip decompression when the server response specifies Content-Encoding as GZIP but has no Content-Length field for HTTP version 1.0.
  • End of Header (EOH) identification for HTTP response header spanning multiple packets.
  • Improved packet reassembly for HTTP.
  • Fixed Flash LZMA decompression issue.

New in Snort 2.9.8.0 (Dec 2, 2015)

  • New additions:
  • SMBv2/SMBv3 support for file inspection.
  • Port override for metadata service in IPS rules.
  • AppID Lua detector performance profiling.
  • Perfmon dumps stats at fixed intervals from absolute time.
  • New preprocessor alert (120:18) to detect SSH tunneling over HTTP
  • New config option 'disable_replace' to disable replace rule option.
  • New Stream configuration 'log_asymmetric_traffic' to control logging to syslog.
  • New shell script in tools to create simple Lua detectors for AppID.
  • Improvements:
  • sfip_t refactored to use struct in6_addr for all ip addresses.
  • Post-detection callback for preprocessors.
  • AppID support for multiple server/client detectors evaluating on same flow.
  • AppID API for DNS packets.
  • Memory optimizations throughout.
  • Support sending UDP active responses.
  • Fix perfmon tracking of pruned packets.
  • Stability improvements for AppID.
  • Stability improvements for Stream6 preprocessor.
  • Added improved support to block malware in FTP preprocessor.
  • Added support to differentiate between active and passive FTP connections.
  • Improvements done in Stream6 preprocessor to avoid having duplicate packets in the DAQ retry queue.
  • Resolved an issue where reputation config incorrectly displayed 'blacklist' in priority field even though 'whitelist' option was configured.
  • Added support for multiple expected sessions created per packet
  • Active response now supports MPLS

New in Snort 2.9.7.6 (Sep 30, 2015)

  • New additions:
  • Added support for detecting 'SSH tunneling over HTTP'.
  • Improvements:
  • Behavioral change in file processing to block malware files in inline-test mode also.
  • Improvements to XFF handling in case of pipelined HTTP requests.
  • Stability improvements for Stream6 preprocessor.
  • Resolved an issue where min_ttl decoder was dropping packets in alert mode also.
  • Added improved support to inspect unlimited packets in HTTP.
  • Resolved an issue where reputation config incorrectly displayed 'blacklist' in priority field even though 'whitelist' option was configured.

New in Snort 2.9.7.5 (Jul 23, 2015)

  • Added improved support to the Stream preprocessor for asynchronous TCP traffic.
  • Active response no longer sets the FIN flag on the last segment sent.

New in Snort 2.9.7.3 (May 20, 2015)

  • New additions:
  • Added PAF support for SIP based traffic
  • Improvements:
  • Resolved a backtracking issue where the 'protected_content' rule option was not matching on content following a content rule option that is not matched.
  • Resolved an issue where snort dropped privilege levels before attempting to delete its PID file created during the higher privilege level
  • Improved processing of SSLv3 traffic, IPv6 extensions, HTTPS session reassembly and normalization
  • Performance improvements for file preprocessor
  • Stability improvements for ftp_telnet preprocessor

New in Snort 2.9.7.2 (Mar 13, 2015)

  • src/build.h: updating build number to 177
  • src/preprocessors/Stream6/snort_stream_tcp.c: Documentation: Fixed issue in which TCP trim normalization would occur when it was not necessary.
  • src/decode.c, src/encode.c: Added support for Cisco FabricPath decoding/encoding. Ensure flow_id is copied into the DAQ_PktHdr_t.
  • src/snort.h, src/sfutil/sfrt.c, src/sfutil/sfrt.h, src/target-based/sftarget_reader.c: Moved ntohl conversion inside of the sfrt api for both IPv4 and IPv6.
  • src/target-based/sftarget_protocol_reference.c: Lookup application protocol id only after the session is established. Assign application protocol id to the session when using host attribute table.
  • src/util.c: Changes for suppressing configuration logging.
  • src/file-process/file_service.c: Assign the file config to a file context prior to checking if HTTP continuation.

New in Snort 2.9.6.2 (Oct 7, 2014)

  • New additions:
  • Added the ability to specify additional custom 'x-forwarded-for' http field names. A new http inspection configuration element is used to specify a set of field names and their respective precedence order.
  • Added cache flow timeout for IP.
  • Improvements:
  • Fixed handling of ICMPv6 traffic.
  • Fixed inline stream reassembly during file processing.
  • Addressed race condition issue with Perfmon stats file rollover.

New in Snort 2.9.6.0 (Jan 24, 2014)

  • New additions:
  • Add support to do file specific processing within DCERPC preprocessor for files being transferred over SMB.
  • File capture and storage -- saves files as they traverse the network via a new preprocessor that ties in support within HTTP, FTP, SMTP, POP, IMAP, and SMB. See README.file and README.file_server (under tools/file_server) for details.
  • Add = operators to byte_test rule option.
  • Update SMTP to detect Cyrus SASL authentication attack.
  • Add capability to capture a single session from start to end.
  • EXPERIMENTAL: Add support to leverage file type identification in snort rules. See README.file_ips for details.
  • Improvements:
  • Only inject active responses when a TCP session is established.
  • Update the POP and IMAP protocols to support simple PAF for improved identification and capture of files.
  • Update SMTP, POP, IMAP to improve inspection when mime boundaries are split across packets.
  • Address issue where end of line was decoded incorrectly for Quoted Printable email attachments.
  • Handle out of order SSL handshake in SMTP when STARTTLS is used and fix checks for SSL type only within the SSL handshake.
  • Update sensitive data preprocessor to handle a stateful search of patterns across multiple packets.
  • Address a few issues in the Snort manual and other READMEs for flowbits and tunneling.
  • Save off packet data for quicker debugging in case of a SIGABRT or SIGBUS.
  • Fix alignment of sfxhash node for SPARC platforms.

New in Snort 2.9.6.0 RC (Dec 14, 2013)

  • We've improved a few very minor things, but we're really looking for more testing in the engine and feedback about the capabilities we've built into it.

New in Snort 2.9.6.0 Beta (Nov 20, 2013)

  • src/detection-plugins/sp_icmp_code_check.c: Allow a negative value in the ICMP icode xy range check. This permits the rule to include a check for zero
  • src/preprocessors/Stream5/snort_stream5_tcp.c: Disable detection when the TCP connection was already closed.
  • src/: dynamic-preprocessors/ftptelnet/ftpp_si.h, dynamic-preprocessors/ftptelnet/pp_ftp.c, dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, file-process/file_api.h: Fix FTP-Data file processing.
  • src/snort_bounds.h: Avoid assertion for zero size memory copy
  • src/: dynamic-plugins/sf_dynamic_plugins.c, detection-plugins/sp_react.c: Only inject response page when session is established.
  • src/dynamic-preprocessors/smtp/smtp_log.h, src/dynamic-preprocessors/smtp/snort_smtp.c, src/dynamic-preprocessors/smtp/snort_smtp.h, preproc_rules/preprocessor.rules, etc/gen-msg.map: Add a new preprocessor alert to detect Cyrus SASL authentication attack.
  • src/dynamic-preprocessors/ssh/spp_ssh.c: Set_reassembly to ABSOLUTE only if the traffic is SSH. Statefully process ssh version/ssh key exchange init/key exchange and/or encrypted data within a single reassembled packet. Thanks to Florian Westphal for reporting this.
  • src/file-process/file_mime_process.c: For IMAP, the MIME and message will be inside fetch body, which will end at ")".
  • src/: dynamic-preprocessors/dns/spp_dns.c, dynamic-preprocessors/ssh/spp_ssh.c: Change preprocessor reassembly policy; Changed SSH preprocessor state transition based on the dir rather than both.
  • src/: preprocessors/Stream5/snort_stream5_tcp.c: Ignore the gap when turning on reassembly dynamically on the very first packet of the session.
  • src/dynamic-preprocessors/dnp3/spp_dnp3.c: Fix the incorrect mempool warnings. Thanks to Bram for reporting this
  • doc/snort_manual.pdf, doc/snort_manual.tex, configure.in, src/snort.c, src/util.c: Trim freed memory before and after configuration reload.
  • src/: dynamic-preprocessors/imap/snort_imap.c, dynamic-preprocessors/pop/snort_pop.c, dynamic-preprocessors/smtp/snort_smtp.c, file-process/file_mime_process.c, sfutil/sf_email_attach_decode.c: Allow 7bit decoding of binary file attachments.
  • src/dynamic-preprocessors/sdf/: spp_sdf.c, spp_sdf.h: Avoid partial rule tree match during reload.
  • src/tag.c: Fix boundary check error so that the global tagged packet limit doesn't allow an extra tag.
  • src/: file-process/file_mime_process.h, file-process/file_api.h, file-process/file_mime_process.c, file-process/file_service.c, dynamic-preprocessors/imap/snort_imap.c, dynamic-preprocessors/imap/spp_imap.c, dynamic-preprocessors/smtp/snort_smtp.c, dynamic-preprocessors/pop/snort_pop.c, dynamic-preprocessors/pop/spp_pop.c: Add simple PAF support for POP and IMAP.
  • src/: util.c, util.h, sfutil/sf_ip.c, sfutil/sf_ip.h: Bugs Add sfip_convert_ip_text_to_binary() to enforce platform agnostic IPv4 syntax. Make sure xatou(), xatol(), and xatoup() return values within specified range
  • doc/snort_manual.tex: Update the document to include the '=' operators to the byte_test command
  • src/preprocessors/Stream5/snort_stream5_tcp.c: Make sure INTERNAL_EVENT_SESSION_ADD event only in the ESTABLISHED state.
  • src/sfutil/sf_email_attach_decode.c: Check the QP encoding string is valid to avoid decoding end of line incorrectly.
  • src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: Tweak config output to correspond to config input. Thanks to Reinoud Koornstra for the suggestion.
  • src/preprocessors/Stream5/: snort_stream5_icmp.c, snort_stream5_ip.c, snort_stream5_tcp.c, snort_stream5_udp.c: dynamic-preprocessors/pop/snort_pop.c, dynamic-preprocessors/smtp/snort_smtp.c, dynamic-preprocessors/ssl/spp_ssl.c, encode.c, dynamic-preprocessors/dcerpc2/dce2_cl.c, dynamic-preprocessors/dcerpc2/dce2_session.h, dynamic-preprocessors/dcerpc2/snort_dce2.c, dynamic-preprocessors/dns/spp_dns.c, dynamic-preprocessors/imap/snort_imap.c: preprocessors/spp_rpc_decode.c, preprocessors/spp_stream5.c, preprocessors/stream_api.h, preprocessors/stream_expect.c: Handle out of order SSL handshake in SMTP. Thanks to Bram for reporting this.
  • src/preprocessors/perf-base.c: Update the header printed at top of now file.
  • src/preprocessors/perf-base.c: Change name of stat from Blocked Packets to Block Verdicts.
  • src/preprocessors/Stream5/snort_stream5_session.c: Time out a session when the session timeout is reached instead of waiting for the session nominal timeout.
  • configure.in, src/plugbase.c, src/rule_option_types.h, src/snort.c, src/detection-plugins/Makefile.am, src/detection-plugins/: sp_file_type.c, sp_file_type.h, src/detection-plugins/detection_options.c, src/dynamic-preprocessors/Makefile.am, src/file-process/Makefile.am, src/file-process/file_api.h, src/file-process/file_service.c, src/file-process/file_service_config.c, src/file-process/file_service_config.h, src/file-process/libs/Makefile.am, src/file-process/libs/file_config.c, src/file-process/libs/file_config.h, src/file-process/libs/file_lib.c, src/file-process/libs/file_lib.h, src/preprocessors/spp_stream5.c, tools/Makefile.am, doc/: README.file, README.file_ips, Makefile.am: File inspection keywords for IPS rules.
  • src/dynamic-preprocessors/sdf/: sdf_pattern_match.c, sdf_pattern_match.h, spp_sdf.c, spp_sdf.h: Add stateful pattern match of sdf patterns across packets.
  • mkinstalldirs, doc/snort_manual.tex, src/detect.c, src/detection_util.h, src/fpdetect.c, src/parser.c, src/tag.c, src/tag.h, src/target-based/sf_attribute_table.y, tools/u2spewfoo/u2spewfoo.c: Support single session capture via tag rule option. Log all packets to the same place as original alert. Enable tagging on pass rules.
  • src/: dynamic-preprocessors/imap/snort_imap.c, dynamic-preprocessors/imap/snort_imap.h, dynamic-preprocessors/pop/snort_pop.c, dynamic-preprocessors/pop/snort_pop.h, dynamic-preprocessors/smtp/snort_smtp.c, dynamic-preprocessors/smtp/snort_smtp.h, file-process/file_api.h, file-process/file_mime_process.c, preprocessors/str_search.c, preprocessors/str_search.h, sfutil/bnfa_search.c: Add Stateful mime boundary search when split between packets.
  • src/preprocessors/HttpInspect/client/hi_client.c: Change the uri search to start from method end instead of the start of payload.
  • configure.in, doc/README.file, doc/snort_manual.pdf, src/parser.c, src/preprocids.h, src/snort.c, src/util.c, src/detection-plugins/.cvsignore, src/dynamic-examples/Makefile.am, src/dynamic-plugins/sf_engine/.cvsignore, src/dynamic-preprocessors/Makefile.am, src/dynamic-preprocessors/file/Makefile.am, src/dynamic-preprocessors/file/file_agent.c, src/dynamic-preprocessors/file/file_agent.h, src/dynamic-preprocessors/file/file_event_log.c, src/dynamic-preprocessors/file/file_event_log.h, src/dynamic-preprocessors/file/file_inspect_config.c, src/dynamic-preprocessors/file/file_inspect_config.h, src/dynamic-preprocessors/file/file_sha.c, src/dynamic-preprocessors/file/file_sha.h, src/dynamic-preprocessors/file/sf_file.dsp, src/dynamic-preprocessors/file/spp_file.c, src/dynamic-preprocessors/file/spp_file.h, src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp, src/file-process/Makefile.am, src/file-process/circular_buffer.c, src/file-process/circular_buffer.h, src/file-process/file_api.h, src/file-process/file_capture.c, src/file-process/file_capture.h, src/file-process/file_mempool.c, src/file-process/file_mempool.h, src/file-process/file_resume_block.c, src/file-process/file_service.c, src/file-process/file_service.h, src/file-process/file_service_config.c, src/file-process/file_service_config.h, src/file-process/file_stats.c, src/file-process/file_stats.h, src/file-process/libs/file_config.c, src/file-process/libs/file_config.h, src/file-process/libs/file_identifier.c, src/file-process/libs/file_identifier.h, src/file-process/libs/file_lib.c, src/file-process/libs/file_lib.h, src/file-process/libs/file_sha256.h, tools/Makefile.am, tools/file_server/Makefile.am, tools/file_server/README.file_server, tools/file_server/file_server.c: Add file capture feature and introduce file inspect preprocessor
  • src/preprocessors/Stream5/snort_stream5_tcp.c: Parse error if there are missing direction specifiers. Thanks to Bram Fabeg for the report.
  • src/ipv6_port.h: Remove duplicate macro for GET_ORIG_IPH_PROTO.
  • doc/: README.decode, README.gre, README.mpls, snort_manual.pdf, snort_manual.tex: Update manual and other docs related to tunneling. Thanks to Jason Poley for noting it.
  • src/parser.c: Not so silently skip duplicate service metadata.
  • src/: log.c, mempool.c, parser.c, snort.c, util.c, detection-plugins/sp_ip_tos_check.c, detection-plugins/sp_pattern_match.c, detection-plugins/sp_replace.c, detection-plugins/sp_session.c, detection-plugins/sp_tcp_win_check.c, dynamic-preprocessors/dns/spp_dns.c, dynamic-preprocessors/ftptelnet/pp_ftp.c, dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, dynamic-preprocessors/sdf/sdf_pattern_match.c, output-plugins/spo_log_ascii.c, output-plugins/spo_log_tcpdump.c, preprocessors/HttpInspect/utils/hi_paf.c, preprocessors/Stream5/snort_stream5_tcp.c: Replace obsolete bzero and index calls. Credits to Bill Parker
  • src/dynamic-preprocessors/: smtp/snort_smtp.c, ssl/spp_ssl.c, libs/ssl.c, libs/ssl.h: Check for SSL type only when the SSL handshake is not complete. Don't check for type in SSL data. Thanks to Bram Fabeg for reporting this.
  • src/preprocessors/: HttpInspect/server/hi_server.c, HttpInspect/server/hi_server_norm.c, Stream5/snort_stream5_tcp.c: Only check charset bom once per response body; Only set charset once per charset=
  • src/profiler.c: Fix issue when reading pcaps from command line and using multiple policies and --pcap-reset.
  • src/detection-plugins/detection_options.c: Don't count RTN perf time in OTN perf time. Credits to Reinoud for reporting this.
  • doc/README.flowbits: Fix typo in flowbits isnotset examples
  • src/snort.c, src/snort.h, src/util.c, snort.8, doc/snort_manual.pdf, doc/snort_manual.tex: Add a command line switch --no-interface-pidfile to snort.
  • src/preprocessors/: spp_stream5.c, Stream5/stream5_common.h: Updated Stream's exit stats to use 'filtered' instead of dropped.
  • src/: detection_util.h, dynamic-preprocessors/sip/spp_sip.c: Don't set sip/http buffers to null
  • src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c: Return mismatch if requested http buffer was not set
  • src/snort.c: Bugs Fixed: Capture packet data for sigabrt and sigbus
  • doc/README.dcerpc2, doc/snort_manual.pdf, doc/snort_manual.tex, etc/gen-msg.map, preproc_rules/preprocessor.rules, src/active.c, src/active.h, src/encode.c, src/encode.h, src/generators.h, src/dynamic-plugins/sf_dynamic_plugins.c, src/dynamic-plugins/sf_dynamic_preprocessor.h, src/dynamic-preprocessors/dcerpc2/dce2_co.c, src/dynamic-preprocessors/dcerpc2/dce2_config.c, src/dynamic-preprocessors/dcerpc2/dce2_config.h, src/dynamic-preprocessors/dcerpc2/dce2_event.c, src/dynamic-preprocessors/dcerpc2/dce2_event.h, src/dynamic-preprocessors/dcerpc2/dce2_memory.c, src/dynamic-preprocessors/dcerpc2/dce2_memory.h, src/dynamic-preprocessors/dcerpc2/dce2_smb.c, src/dynamic-preprocessors/dcerpc2/dce2_smb.h, src/dynamic-preprocessors/dcerpc2/dce2_stats.h, src/dynamic-preprocessors/dcerpc2/snort_dce2.c, src/dynamic-preprocessors/dcerpc2/snort_dce2.h, src/dynamic-preprocessors/dcerpc2/spp_dce2.c, src/dynamic-preprocessors/dcerpc2/spp_dce2.h, src/dynamic-preprocessors/dcerpc2/includes/smb.h, src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, src/dynamic-preprocessors/imap/snort_imap.c, src/dynamic-preprocessors/pop/snort_pop.c, src/dynamic-preprocessors/smtp/snort_smtp.c, src/file-process/file_api.h, src/file-process/file_mime_process.c, src/file-process/file_service.c, src/file-process/libs/file_identifier.c, src/file-process/libs/file_identifier.h, src/file-process/libs/file_lib.c, src/file-process/libs/file_lib.h, src/preprocessors/snort_httpinspect.c, src/preprocessors/Stream5/snort_stream5_tcp.c: Add SMB file support

New in Snort 2.9.5.6 (Nov 19, 2013)

  • src/preprocessors/Stream5/snort_stream5_tcp.c: add NULL check for preprocessors that check for PAF before they check for any actual tcp session
  • src/detection-plugins/: sp_byte_check.c, sp_byte_jump.c, sp_isdataat.c, sp_pattern_match.c: Test if the byte extracted distance and/or offset is within bounds of the search buffer. Thanks to Nathan Fowler for noting the issue.
  • src/preprocessors/HttpInspect/client/hi_client.c: clear cookie normalization buffer to avoid accidental null dereference in pipelined request. Thanks to Michael Galapchuk for reporting the problem.

New in Snort 2.9.5.5 (Sep 17, 2013)

  • Improvements:
  • Address issue with SMTP preprocessor and the ignore_tls_data configuration to correctly stop inspection after an SMTP session is encrypted.
  • Disable all rule evaluation (as opposed to just rules with fast patterns) for packets on a previously blocked session.
  • Corrected the timing of perfmon preprocessor stats writes so that they occur as soon as both the time and packet count criteria are met.
  • Enforce same restrictions on relative PCRE for HTTP buffers from shared library rules as already existed with text rules.

New in Snort 2.9.5.3 (Jul 31, 2013)

  • Improvements:
  • Performance improvements to eliminate some unnecessary work, reduction of sizes of data structures, and cleanup of processing for HTTP normalized buffers.
  • Cap the number of expected connections (eg FTP data channel) to prevent memory growth
  • Address issue with reloading reputation lookup tables when more addresses are added.
  • Address issue with potential hang during shutdown of control socket config reload processing thread.

New in Snort 2.9.4.6 (Apr 25, 2013)

  • Improved support for DAQ verdicts of whitelist and blacklist for 6in4 and 4in6 encapsulated traffic (similar to Teredo & GTP). See the Snort manual for configuration details.
  • Avoid changing the length of IP options in frag3 when receiving duplicate 0-offset fragments that have IP options.

New in Snort 2.9.4.5 (Apr 4, 2013)

  • Removed proxy information from normalized HTTP Uri to enable correct matching of patterns.
  • Update to log packets to unified2 across all alerts on stream reassembled packets.

New in Snort 2.9.4.1 (Mar 5, 2013)

  • Updated File processing for partial HTTP content and MIME attachments.
  • Addition of new config option max_attribute_services_per_host and improve memory usage within attribute table.
  • Handle excessive overlaps in frag3.
  • Stream API updates to return session key for a session.
  • Reduce false positives for TCP window slam events.
  • Updates to provide better encoding for TCP packets generated for respond and react.
  • Disable non-ethernet decoders by default for performance reasons. If needed, use --enable-non-ether-decoders with configure.

New in Snort 2.9.4.0 (Dec 4, 2012)

  • New additions:
  • Consolidation of IPv6 -- now only a single build supports both IPv4 & IPv6, and removal of the IPv4 "only" code paths.
  • File API and improvements to file processing for HTTP downloads and email attachments via SMTP, POP, and IMAP to facilitate broader file support
  • Use of address space ID for tracking Frag & Stream connections when it is available with the DAQ
  • Logging of packet data that triggers PPM for post-analysis via Snort event
  • Decoding of IPv6 with PPPoE
  • Added an API call to add a service to a host in the attribute table. Remove the unused live attribute update code.
  • Improvements:
  • Update to Stream5 PAF for handling gaps in the sequence numbers of packets being reassembled.
  • Selection of the Stream TCP policy based on the server rather than the destination of first packet seen by Snort
  • Allow disabling of global thresholds via a count of -1
  • Prevent blocking duplicate SYNs when using inline normalization
  • Add SSLv3 backwards compatibility support for SSLv2 ClientHello messages
  • Allow active responses to packets without data (eg, a TCP SYN)
  • Changed logic of option evaluations for shared library rules that use a custom evaluation function to match that of the builtin logic when the NOT_FLAG is used. The 'NOT' matching now happens within each of the individual rule option evaluation functions.
  • Updated SMTP preprocessor to better handle commands that have corresponding data on a subsequent line to reduce false positives. 3 commands fall into this category - X-EXPS, XEXCH50, and BDAT.
  • Improve support for encapsulated & tunneling protocols to block or fastpath a connection within the tunnel rather than applying that to the whole tunnel.

New in Snort 2.9.2.1 (Jan 20, 2012)

  • Added new alerts for HTTP (undefined methods & HTTP 0.9 simple requests).
  • Updates to the Stream preprocessor in TCP session tracking to avoid re-queuing retransmitted data that was already flushed. Also various tweaks for PAF flushing.
  • Updates to the reputation preprocessor to handle shared memory switching.
  • Updates to the SCADA preprocessors in their handling of PAF flushing and Modbus request/response length checking. Also tweaks in alerts for reserved DNP3 functions.
  • Updates to flowbit groups to always use the group when some rules refer to a flow group while others do not refer to a group for the same flowbit.
  • Updates to GTP preprocessor to check invalid extension header length for GTPv1.
  • Updates to sfrt library, used in reputation preprocessor and target based configuration, when calculating memory allocated and support for IPv6.

New in Snort 2.9.1.2 (Oct 21, 2011)

  • Fixed an issue where Snort would sometimes stop processing traffic in a persistent HTTP 1.1 connection with a UTF-32 encoded response followed by a UTF-16 encoded response.

New in Snort 2.8.6.1 (Sep 12, 2010)

  • Snort 2.8.6.a fixes installer packages to include correct version of sensitive data preprocessor for Linux and Windows
  • Eliminates false positives when using fast_pattern:only and having only one http content in the pattern matcher
  • Addresses false positives in FTP preprocessor with string format verification. 2.8.6.1 also addresses an issue with handling response codes to data transfer commands where the response code didn't contain a message