April 25th, 2013
· Improved support for DAQ verdicts of whitelist and blacklist for 6in4 and 4in6 encapsulated traffic (similar to Teredo & GTP). See the Snort manual for configuration details.
· Avoid changing the length of IP options in frag3 when receiving duplicate 0-offset fragments that have IP options.
April 4th, 2013
· Removed proxy information from the normalized HTTP URI to enable correct matching of patterns.
· Updated logging so that packets are written to unified2 for all alerts raised on stream-reassembled packets.
March 5th, 2013
· Updated file processing for partial HTTP content and MIME attachments.
· Added the new config option max_attribute_services_per_host and improved memory usage within the attribute table.
· Handle excessive overlaps in frag3.
· Stream API updates to return the session key for a session.
· Reduce false positives for TCP window slam events.
· Updates to provide better encoding for TCP packets generated for respond and react.
· Disable non-ethernet decoders by default for performance reasons. If needed, use --enable-non-ether-decoders with configure.
December 4th, 2012
New additions:
· Consolidation of IPv6 -- now only a single build supports both IPv4 & IPv6, and removal of the IPv4 "only" code paths.
· File API and improvements to file processing for HTTP downloads and email attachments via SMTP, POP, and IMAP to facilitate broader file support.
· Use of address space ID for tracking Frag & Stream connections when it is available with the DAQ.
· Logging of packet data that triggers PPM for post-analysis via Snort event.
· Decoding of IPv6 with PPPoE.
· Added an API call to add a service to a host in the attribute table. Remove the unused live attribute update code.
Improvements:
· Update to Stream5 PAF for handling gaps in the sequence numbers of packets being reassembled.
· Selection of the Stream TCP policy based on the server rather than the destination of the first packet seen by Snort.
· Allow disabling of global thresholds via a count of -1.
· Prevent blocking duplicate SYNs when using inline normalization.
· Add SSLv3 backwards compatibility support for SSLv2 ClientHello messages.
· Allow active responses to packets without data (e.g., a TCP SYN).
· Changed logic of option evaluations for shared library rules that use a custom evaluation function to match that of the builtin logic when the NOT_FLAG is used. The 'NOT' matching now happens within each of the individual rule option evaluation functions.
· Updated SMTP preprocessor to better handle commands that have corresponding data on a subsequent line to reduce false positives. Three commands fall into this category: X-EXPS, XEXCH50, and BDAT.
· Improve support for encapsulated & tunneling protocols to block or fastpath a connection within the tunnel rather than applying that to the whole tunnel.
January 20th, 2012
· Added new alerts for HTTP (undefined methods & HTTP 0.9 simple requests).
· Updates to the Stream preprocessor in TCP session tracking to avoid re-queuing retransmitted data that was already flushed. Also various tweaks for PAF flushing.
· Updates to the reputation preprocessor to handle shared memory switching.
· Updates to the SCADA preprocessors in their handling of PAF flushing and Modbus request/response length checking. Also tweaks in alerts for reserved DNP3 functions.
· Updates to flowbit groups to always use the group when some rules refer to a flow group while others do not refer to a group for the same flowbit.
· Updates to GTP preprocessor to check invalid extension header length for GTPv1.
· Updates to the sfrt library, used in the reputation preprocessor and target-based configuration, when calculating memory allocated, and support for IPv6.
October 21st, 2011
· Fixed an issue where Snort would sometimes stop processing traffic in a persistent HTTP 1.1 connection with a UTF-32 encoded response followed by a UTF-16 encoded response.
September 12th, 2010
· Snort 2.8.6.a fixes installer packages to include the correct version of the sensitive data preprocessor for Linux and Windows.
· Eliminates false positives when using fast_pattern:only and having only one http content in the pattern matcher.
· Addresses false positives in the FTP preprocessor with string format verification. 2.8.6.1 also addresses an issue with handling response codes to data transfer commands where the response code didn't contain a message.