Snort Changelog

New in version (July 23rd, 2015)
  • Added improved support to the Stream preprocessor for asynchronous TCP traffic.
  • Active response no longer sets the FIN flag on the last segment sent.

New in version (May 20th, 2015)

  • New additions:
  • Added PAF support for SIP based traffic
  • Improvements:
  • Resolved a backtracking issue where the 'protected_content' rule option did not match on content that followed a content rule option which itself had not matched.
  • Resolved an issue where Snort dropped privileges before attempting to delete the PID file it had created while running at the higher privilege level.
  • Improved processing of SSLv3 traffic, IPv6 extensions, HTTPS session reassembly and normalization
  • Performance improvements for file preprocessor
  • Stability improvements for ftp_telnet preprocessor

New in version (March 13th, 2015)

  • src/build.h: Updated build number to 177.
  • src/preprocessors/Stream6/snort_stream_tcp.c: Documentation: Fixed issue in which TCP trim normalization would occur when it was not necessary.
  • src/decode.c, src/encode.c: Added support for Cisco FabricPath decoding/encoding. Ensure flow_id is copied into the DAQ_PktHdr_t.
  • src/snort.h, src/sfutil/sfrt.c, src/sfutil/sfrt.h src/target-based/sftarget_reader.c: Moved ntohl conversion inside of the sfrt api for both IPv4 and IPv6.
  • src/target-based/sftarget_protocol_reference.c: Look up the application protocol id only after the session is established. Assign the application protocol id to the session when using the host attribute table.
  • src/util.c: Changes for suppressing configuration logging.
  • src/file-process/file_service.c: Assign the file config to a file context prior to checking if HTTP continuation.

New in version (October 7th, 2014)

  • New additions:
  • Added the ability to specify additional custom 'x-forwarded-for' HTTP field names. A new http inspection configuration element is used to specify a set of field names and their respective precedence order.
  • Added cache flow timeout for IP.
  • Improvements:
  • Fixed handling of ICMPv6 traffic.
  • Fixed inline stream reassembly during file processing.
  • Addressed race condition issue with Perfmon stats file rollover.

New in version (January 24th, 2014)

  • New additions:
  • Add support to do file-specific processing within the DCERPC preprocessor for files being transferred over SMB.
  • File capture and storage -- saves files as they traverse the network via a new preprocessor that ties in support within HTTP, FTP, SMTP, POP, IMAP, and SMB. See README.file and README.file_server (under tools/file_server) for details.
  • Add = operators to byte_test rule option.
  • Update SMTP to detect Cyrus SASL authentication attack.
  • Add capability to capture a single session from start to end.
  • EXPERIMENTAL: Add support to leverage file type identification in snort rules. See README.file_ips for details.
  • Improvements:
  • Only inject active responses when a TCP session is established.
  • Update the POP and IMAP protocols to support simple PAF for improved identification and capture of files.
  • Update SMTP, POP, IMAP to improve inspection when mime boundaries are split across packets.
  • Address an issue where end of line was handled incorrectly for Quoted-Printable email attachments.
  • Handle out of order SSL handshake in SMTP when STARTTLS is used, and fix checks for SSL type so they occur only within the SSL handshake.
  • Update sensitive data preprocessor to handle a stateful search of patterns across multiple packets.
  • Address a few issues in the Snort manual and other READMEs for flowbits and tunneling.
  • Save off packet data for quicker debugging in case of a SIGABRT or SIGBUS.
  • Fix alignment of sfxhash node for SPARC platforms.

New in version RC (December 14th, 2013)

  • We've improved a few very minor things, but we're really looking for more testing in the engine and feedback about the capabilities we've built into it.

New in version Beta (November 20th, 2013)

  • src/detection-plugins/sp_icmp_code_check.c: Allow a negative value in the ICMP icode x<>y range check. This permits the rule to include a check for zero.
  • src/preprocessors/Stream5/snort_stream5_tcp.c: Disable detection when the TCP connection was already closed.
  • src/: dynamic-preprocessors/ftptelnet/ftpp_si.h, dynamic-preprocessors/ftptelnet/pp_ftp.c, dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, file-process/file_api.h: Fix FTP-Data file processing.
  • src/snort_bounds.h: Avoid assertion for zero size memory copy
  • src/: dynamic-plugins/sf_dynamic_plugins.c, detection-plugins/sp_react.c: Only inject response page when session is established.
  • src/dynamic-preprocessors/smtp/smtp_log.h, src/dynamic-preprocessors/smtp/snort_smtp.c, src/dynamic-preprocessors/smtp/snort_smtp.h, preproc_rules/preprocessor.rules, etc/: Add a new preprocessor alert to detect Cyrus SASL authentication attack.
  • src/dynamic-preprocessors/ssh/spp_ssh.c: Set reassembly to ABSOLUTE only if the traffic is SSH. Statefully process SSH version, SSH key exchange init, key exchange, and/or encrypted data within a single reassembled packet. Thanks to Florian Westphal for reporting this.
  • src/file-process/file_mime_process.c: For IMAP, the MIME and message will be inside the fetch body, which ends at ")".
  • src/: dynamic-preprocessors/dns/spp_dns.c, dynamic-preprocessors/ssh/spp_ssh.c: Change preprocessor reassembly policy; changed SSH preprocessor state transition to be based on the direction rather than both.
  • src/: preprocessors/Stream5/snort_stream5_tcp.c: Ignore the gap when turning on reassembly dynamically on the very first packet of the session.
  • src/dynamic-preprocessors/dnp3/spp_dnp3.c: Fix the incorrect mempool warnings. Thanks to Bram for reporting this.
  • doc/snort_manual.pdf, doc/snort_manual.tex, src/snort.c, src/util.c: Trim freed memory before and after configuration reload.
  • src/: dynamic-preprocessors/imap/snort_imap.c, dynamic-preprocessors/pop/snort_pop.c, dynamic-preprocessors/smtp/snort_smtp.c, file-process/file_mime_process.c, sfutil/sf_email_attach_decode.c: Allow 7bit decoding of binary file attachments.
  • src/dynamic-preprocessors/sdf/: spp_sdf.c, spp_sdf.h: Avoid partial rule tree match during reload.
  • src/tag.c: Fix boundary check error so that the global tagged packet limit doesn't allow an extra tag.
  • src/: file-process/file_mime_process.h, file-process/file_api.h, file-process/file_mime_process.c, file-process/file_service.c, dynamic-preprocessors/imap/snort_imap.c, dynamic-preprocessors/imap/spp_imap.c, dynamic-preprocessors/smtp/snort_smtp.c, dynamic-preprocessors/pop/snort_pop.c, dynamic-preprocessors/pop/spp_pop.c: Add simple PAF support for POP and IMAP.
  • src/: util.c, util.h, sfutil/sf_ip.c, sfutil/sf_ip.h: Bugs: Add sfip_convert_ip_text_to_binary() to enforce platform-agnostic IPv4 syntax. Make sure xatou(), xatol(), and xatoup() return values within the specified range.
  • doc/snort_manual.tex: Update the document to include the '=' operators to the byte_test command
  • src/preprocessors/Stream5/snort_stream5_tcp.c: Make sure INTERNAL_EVENT_SESSION_ADD event only in the ESTABLISHED state.
  • src/sfutil/sf_email_attach_decode.c: Check the QP encoding string is valid to avoid decoding end of line incorrectly.
  • src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: Tweak config output to correspond to config input. Thanks to Reinoud Koornstra for the suggestion.
  • src/preprocessors/Stream5/: snort_stream5_icmp.c, snort_stream5_ip.c, snort_stream5_tcp.c, snort_stream5_udp.c: dynamic-preprocessors/pop/snort_pop.c, dynamic-preprocessors/smtp/snort_smtp.c, dynamic-preprocessors/ssl/spp_ssl.c, encode.c, dynamic-preprocessors/dcerpc2/dce2_cl.c, dynamic-preprocessors/dcerpc2/dce2_session.h, dynamic-preprocessors/dcerpc2/snort_dce2.c, dynamic-preprocessors/dns/spp_dns.c, dynamic-preprocessors/imap/snort_imap.c: preprocessors/spp_rpc_decode.c, preprocessors/spp_stream5.c, preprocessors/stream_api.h, preprocessors/stream_expect.c: Handle out of order SSL handshake in SMTP. Thanks to Bram for reporting this.
  • src/preprocessors/perf-base.c: Update the header printed at top of now file.
  • src/preprocessors/perf-base.c: Change name of stat from Blocked Packets to Block Verdicts.
  • src/preprocessors/Stream5/snort_stream5_session.c: Time out a session when the session timeout is reached instead of waiting for the session's nominal timeout.
  • src/plugbase.c, src/rule_option_types.h, src/snort.c, src/detection-plugins/, src/detection-plugins/: sp_file_type.c, sp_file_type.h, src/detection-plugins/detection_options.c, src/dynamic-preprocessors/, src/file-process/, src/file-process/file_api.h, src/file-process/file_service.c, src/file-process/file_service_config.c, src/file-process/file_service_config.h, src/file-process/libs/, src/file-process/libs/file_config.c, src/file-process/libs/file_config.h, src/file-process/libs/file_lib.c, src/file-process/libs/file_lib.h, src/preprocessors/spp_stream5.c, tools/, doc/: README.file, README.file_ips: File inspection keywords for IPS rules.
  • src/dynamic-preprocessors/sdf/: sdf_pattern_match.c, sdf_pattern_match.h, spp_sdf.c, spp_sdf.h: Add stateful pattern match of sdf patterns across packets.
  • mkinstalldirs, doc/snort_manual.tex, src/detect.c, src/detection_util.h, src/fpdetect.c, src/parser.c, src/tag.c, src/tag.h, src/target-based/sf_attribute_table.y, tools/u2spewfoo/u2spewfoo.c: Support single session capture via tag rule option. Log all packets to the same place as original alert. Enable tagging on pass rules.
  • src/: dynamic-preprocessors/imap/snort_imap.c, dynamic-preprocessors/imap/snort_imap.h, dynamic-preprocessors/pop/snort_pop.c, dynamic-preprocessors/pop/snort_pop.h, dynamic-preprocessors/smtp/snort_smtp.c, dynamic-preprocessors/smtp/snort_smtp.h, file-process/file_api.h, file-process/file_mime_process.c, preprocessors/str_search.c, preprocessors/str_search.h, sfutil/bnfa_search.c: Add Stateful mime boundary search when split between packets.
  • src/preprocessors/HttpInspect/client/hi_client.c: Change the uri search to start from method end instead of the start of payload.
  • doc/README.file, doc/snort_manual.pdf, src/parser.c, src/preprocids.h, src/snort.c, src/util.c, src/detection-plugins/.cvsignore, src/dynamic-examples/, src/dynamic-plugins/sf_engine/.cvsignore, src/dynamic-preprocessors/, src/dynamic-preprocessors/file/, src/dynamic-preprocessors/file/file_agent.c, src/dynamic-preprocessors/file/file_agent.h, src/dynamic-preprocessors/file/file_event_log.c, src/dynamic-preprocessors/file/file_event_log.h, src/dynamic-preprocessors/file/file_inspect_config.c, src/dynamic-preprocessors/file/file_inspect_config.h, src/dynamic-preprocessors/file/file_sha.c, src/dynamic-preprocessors/file/file_sha.h, src/dynamic-preprocessors/file/sf_file.dsp, src/dynamic-preprocessors/file/spp_file.c, src/dynamic-preprocessors/file/spp_file.h, src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp, src/file-process/, src/file-process/circular_buffer.c, src/file-process/circular_buffer.h, src/file-process/file_api.h, src/file-process/file_capture.c, src/file-process/file_capture.h, src/file-process/file_mempool.c, src/file-process/file_mempool.h, src/file-process/file_resume_block.c, src/file-process/file_service.c, src/file-process/file_service.h, src/file-process/file_service_config.c, src/file-process/file_service_config.h, src/file-process/file_stats.c, src/file-process/file_stats.h, src/file-process/libs/file_config.c, src/file-process/libs/file_config.h, src/file-process/libs/file_identifier.c, src/file-process/libs/file_identifier.h, src/file-process/libs/file_lib.c, src/file-process/libs/file_lib.h, src/file-process/libs/file_sha256.h, tools/, tools/file_server/, tools/file_server/README.file_server, tools/file_server/file_server.c: Add file capture feature and introduce file inspect preprocessor.
  • src/preprocessors/Stream5/snort_stream5_tcp.c: Parse error if there are missing direction specifiers. Thanks to Bram Fabeg for the report.
  • src/ipv6_port.h: Remove duplicate macro for GET_ORIG_IPH_PROTO.
  • doc/: README.decode, README.gre, README.mpls, snort_manual.pdf, snort_manual.tex: Update manual and other docs related to tunneling. Thanks to Jason Poley for noting it.
  • src/parser.c: Not so silently skip duplicate service metadata.
  • src/: log.c, mempool.c, parser.c, snort.c, util.c, detection-plugins/sp_ip_tos_check.c, detection-plugins/sp_pattern_match.c, detection-plugins/sp_replace.c, detection-plugins/sp_session.c, detection-plugins/sp_tcp_win_check.c, dynamic-preprocessors/dns/spp_dns.c, dynamic-preprocessors/ftptelnet/pp_ftp.c, dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, dynamic-preprocessors/sdf/sdf_pattern_match.c, output-plugins/spo_log_ascii.c, output-plugins/spo_log_tcpdump.c, preprocessors/HttpInspect/utils/hi_paf.c, preprocessors/Stream5/snort_stream5_tcp.c: Replace obsolete bzero and index calls. Credits to Bill Parker.
  • src/dynamic-preprocessors/: smtp/snort_smtp.c, ssl/spp_ssl.c, libs/ssl.c, libs/ssl.h: Check for SSL type only when the SSL handshake is not complete. Don't check for type in SSL data. Thanks to Bram Fabeg for reporting this.
  • src/preprocessors/: HttpInspect/server/hi_server.c, HttpInspect/server/hi_server_norm.c, Stream5/snort_stream5_tcp.c: Only check the charset BOM once per response body; only set the charset once per charset= directive.
  • src/profiler.c: Fix issue when reading pcaps from command line and using multiple policies and --pcap-reset.
  • src/detection-plugins/detection_options.c: Don't count RTN perf time in OTN perf time. Credits to Reinoud for reporting this.
  • doc/README.flowbits: Fix typo in flowbits isnotset examples.
  • src/snort.c, src/snort.h, src/util.c, snort.8, doc/snort_manual.pdf, doc/snort_manual.tex: Add a command line switch --no-interface-pidfile to snort.
  • src/preprocessors/: spp_stream5.c, Stream5/stream5_common.h: Updated Stream's exit stats to use 'filtered' instead of dropped.
  • src/: detection_util.h, dynamic-preprocessors/sip/spp_sip.c: Don't set SIP/HTTP buffers to NULL.
  • src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c: Return mismatch if the requested HTTP buffer was not set.
  • src/snort.c: Bugs Fixed: Capture packet data for sigabrt and sigbus
  • doc/README.dcerpc2, doc/snort_manual.pdf, doc/snort_manual.tex, etc/, preproc_rules/preprocessor.rules, src/active.c, src/active.h, src/encode.c, src/encode.h, src/generators.h, src/dynamic-plugins/sf_dynamic_plugins.c, src/dynamic-plugins/sf_dynamic_preprocessor.h, src/dynamic-preprocessors/dcerpc2/dce2_co.c, src/dynamic-preprocessors/dcerpc2/dce2_config.c, src/dynamic-preprocessors/dcerpc2/dce2_config.h, src/dynamic-preprocessors/dcerpc2/dce2_event.c, src/dynamic-preprocessors/dcerpc2/dce2_event.h, src/dynamic-preprocessors/dcerpc2/dce2_memory.c, src/dynamic-preprocessors/dcerpc2/dce2_memory.h, src/dynamic-preprocessors/dcerpc2/dce2_smb.c, src/dynamic-preprocessors/dcerpc2/dce2_smb.h, src/dynamic-preprocessors/dcerpc2/dce2_stats.h, src/dynamic-preprocessors/dcerpc2/snort_dce2.c, src/dynamic-preprocessors/dcerpc2/snort_dce2.h, src/dynamic-preprocessors/dcerpc2/spp_dce2.c, src/dynamic-preprocessors/dcerpc2/spp_dce2.h, src/dynamic-preprocessors/dcerpc2/includes/smb.h, src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, src/dynamic-preprocessors/imap/snort_imap.c, src/dynamic-preprocessors/pop/snort_pop.c, src/dynamic-preprocessors/smtp/snort_smtp.c, src/file-process/file_api.h, src/file-process/file_mime_process.c, src/file-process/file_service.c, src/file-process/libs/file_identifier.c, src/file-process/libs/file_identifier.h, src/file-process/libs/file_lib.c, src/file-process/libs/file_lib.h, src/preprocessors/snort_httpinspect.c, src/preprocessors/Stream5/snort_stream5_tcp.c: Add SMB file support
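The entry above for src/util.c and sfutil/sf_ip.c describes two input-hardening fixes: a strict, platform-agnostic IPv4 text parser and range-checked numeric conversion. The following is an added example, not Snort's own code, showing what those two checks look like in practice: libc's inet_aton() accepts shorthand ("10.1"), octal ("010.0.0.1") and hex ("0xa.0.0.1") forms whose meaning differs between platforms, so a rule or config that relies on them can parse to a different address than the author intended. The function names strict_ipv4_to_binary() and xatou_in_range() are assumptions for this example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Parse "a.b.c.d" strictly: exactly four decimal octets, each 0-255, no
 * leading zeros, no whitespace, nothing trailing. Writes the host-order
 * address to *out and returns 1 on success, 0 on any syntax or range error.
 * (Example code; not Snort's sfip_convert_ip_text_to_binary().) */
int strict_ipv4_to_binary(const char *text, uint32_t *out)
{
    uint32_t addr = 0;
    int octets = 0;
    const char *p = text;

    if (text == NULL || out == NULL)
        return 0;

    for (;;) {
        unsigned int value = 0;
        int digits = 0;

        /* one to three decimal digits; a leading zero followed by another
         * digit is rejected so octal-looking octets cannot sneak through */
        while (*p >= '0' && *p <= '9') {
            if (digits == 1 && value == 0)
                return 0;
            value = value * 10 + (unsigned int)(*p - '0');
            if (++digits > 3)
                return 0;
            p++;
        }
        if (digits == 0 || value > 255)
            return 0;

        addr = (addr << 8) | value;
        octets++;

        if (*p == '.') {
            if (octets == 4)            /* trailing dot or a fifth octet */
                return 0;
            p++;
            continue;
        }
        break;
    }
    if (octets != 4 || *p != '\0')     /* too few octets, or junk after them */
        return 0;
    *out = addr;
    return 1;
}

/* Decimal string to unsigned long with a required range lo <= v <= hi, the
 * contract the changelog entry states for xatou()/xatol(). Rejects empty
 * input, leading whitespace, a sign (strtoul would silently wrap "-1"),
 * trailing junk, overflow, and out-of-range values. Returns 1 on success. */
int xatou_in_range(const char *s, unsigned long lo, unsigned long hi, unsigned long *out)
{
    char *end = NULL;
    unsigned long v;

    if (s == NULL || out == NULL || *s == '\0' || isspace((unsigned char)*s) ||
        *s == '-' || *s == '+')
        return 0;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE || end == s || *end != '\0' || v < lo || v > hi)
        return 0;
    *out = v;
    return 1;
}
```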

New in version (November 19th, 2013)

  • src/preprocessors/Stream5/snort_stream5_tcp.c: Add a NULL check for preprocessors that check for PAF before they check for an actual TCP session.
  • src/detection-plugins/: sp_byte_check.c, sp_byte_jump.c, sp_isdataat.c, sp_pattern_match.c: Test whether the extracted byte distance and/or offset is within the bounds of the search buffer. Thanks to Nathan Fowler for noting the issue.
  • src/preprocessors/HttpInspect/client/hi_client.c: Clear the cookie normalization buffer to avoid an accidental NULL dereference in a pipelined request. Thanks to Michael Galapchuk for reporting the problem.

New in version (September 17th, 2013)

  • Improvements:
  • Address issue with SMTP preprocessor and the ignore_tls_data configuration to correctly stop inspection after an SMTP session is encrypted.
  • Disable all rule evaluation (as opposed to just rules with fast patterns) for packets on a previously blocked session.
  • Corrected when perfmon preprocessor writes stats to occur as soon as both the time and packet count criteria are met.
  • Enforce same restrictions on relative PCRE for HTTP buffers from shared library rules as already existed with text rules.

New in version (July 31st, 2013)

  • Improvements:
  • Performance improvements to eliminate some unnecessary work, reduction of sizes of data structures, and cleanup of processing for HTTP normalized buffers.
  • Cap the number of expected connections (e.g. FTP data channel) to prevent memory growth.
  • Address issue with reloading reputation lookup tables when more addresses are added.
  • Address issue with potential hang during shutdown of control socket config reload processing thread.

New in version (April 25th, 2013)

  • Improved support for DAQ verdicts of whitelist and blacklist for 6in4 and 4in6 encapsulated traffic (similar to Teredo & GTP). See the Snort manual for configuration details.
  • Avoid changing the length of IP options in frag3 when receiving duplicate 0-offset fragments that have IP options.

New in version (April 4th, 2013)

  • Removed proxy information from normalized HTTP Uri to enable correct matching of patterns.
  • Update to log packets to unified2 across all alerts on stream reassembled packets.

New in version (March 5th, 2013)

  • Updated File processing for partial HTTP content and MIME attachments.
  • Addition of new config option max_attribute_services_per_host and improve memory usage within attribute table.
  • Handle excessive overlaps in frag3.
  • Stream API updates to return session key for a session.
  • Reduce false positives for TCP window slam events.
  • Updates to provide better encoding for TCP packets generated for respond and react.
  • Disable non-ethernet decoders by default for performance reasons. If needed, use --enable-non-ether-decoders with configure.

New in version (December 4th, 2012)

  • New additions:
  • Consolidation of IPv6 -- now only a single build supports both IPv4 & IPv6, and removal of the IPv4 "only" code paths.
  • File API and improvements to file processing for HTTP downloads and email attachments via SMTP, POP, and IMAP to facilitate broader file support
  • Use of address space ID for tracking Frag & Stream connections when it is available with the DAQ
  • Logging of packet data that triggers PPM for post-analysis via Snort event
  • Decoding of IPv6 with PPPoE
  • Added an API call to add a service to a host in the attribute table. Remove the unused live attribute update code.
  • Improvements:
  • Update to Stream5 PAF for handling gaps in the sequence numbers of packets being reassembled.
  • Selection of the Stream TCP policy based on the server rather than the destination of first packet seen by Snort
  • Allow disabling of global thresholds via a count of -1
  • Prevent blocking duplicate SYNs when using inline normalization
  • Add SSLv3 backwards compatibility support for SSLv2 ClientHello messages
  • Allow active responses to packets without data (e.g., a TCP SYN).
  • Changed logic of option evaluations for shared library rules that use a custom evaluation function to match that of the builtin logic when the NOT_FLAG is used. The 'NOT' matching now happens within each of the individual rule option evaluation functions.
  • Updated SMTP preprocessor to better handle commands that have corresponding data on a subsequent line, to reduce false positives. Three commands fall into this category: X-EXPS, XEXCH50, and BDAT.
  • Improve support for encapsulated and tunneling protocols to block or fastpath a connection within the tunnel rather than applying that to the whole tunnel.

New in version (January 20th, 2012)

  • Added new alerts for HTTP (undefined methods & HTTP 0.9 simple requests).
  • Updates to the Stream preprocessor in TCP session tracking to avoid re-queuing retransmitted data that was already flushed. Also various tweaks for PAF flushing.
  • Updates to the reputation preprocessor to handle shared memory switching.
  • Updates to the SCADA preprocessors in their handling of PAF flushing and Modbus request/response length checking. Also tweaks in alerts for reserved DNP3 functions.
  • Updates to flowbit groups to always use the group when some rules refer to a flow group while others do not refer to a group for the same flowbit.
  • Updates to GTP preprocessor to check invalid extension header length for GTPv1.
  • Updates to sfrt library, used in reputation preprocessor and target based configuration, when calculating memory allocated and support for IPv6.

New in version (October 21st, 2011)

  • Fixed an issue where Snort would sometimes stop processing traffic in a persistent HTTP 1.1 connection with a UTF-32 encoded response followed by a UTF-16 encoded response.

New in version (September 12th, 2010)

  • Snort 2.8.6.a fixes installer packages to include the correct version of the sensitive data preprocessor for Linux and Windows.
  • Eliminates false positives when using fast_pattern:only and having only one HTTP content in the pattern matcher.
  • Addresses false positives in the FTP preprocessor with string format verification. It also addresses an issue with handling response codes to data transfer commands where the response code didn't contain a message.