Snort Changelog

New in version 2.9.6.2

October 7th, 2014
  • New additions:
  • Added the ability to specify additional custom 'x-forwarder-for' http field names. A new http inspection configuration element is used to specify a set of field names and their respective precedence order.
  • Added cache flow timeout for IP.
  • Improvements:
  • Fixed handling of ICMPv6 traffic.
  • Fixed inline stream reassembly during file processing.
  • Addressed race condition issue with Perfmon stats file rollover.

New in version 2.9.6.0 (January 24th, 2014)

  • New additionsAdd support to do file specific processing within DCERPC preprocessor for files being transferred over SMB.
  • File capture and storage -- saves files as they traverse the network via a new preprocessor that ties in support within HTTP, FTP, SMTP, POP, IMAP, and SMB. See README.file and README.file_server (under tools/file_server) for details.
  • Add = operators to byte_test rule option.
  • Update SMTP to detect Cyrus SASL authentication attack.
  • Add capability to capture a single session from start to end.
  • EXPERIMENTAL: Add support to leverage file type identification in snort rules. See README.file_ips for details.
  • ImprovementsOnly inject active responses when a TCP session is established.
  • Update the POP and IMAP protocols to support simple PAF for improved identification and capture of files.
  • Update SMTP, POP, IMAP to improve inspection when mime boundaries are split across packets.
  • Address issue to address end of line incorrectly for Quoted Printable email attachments.
  • Handle out of order SSL handshake in SMTP when STARTTLS is used and fix checks for SSL type only within the SSL hand shake.
  • Update sensitive data preprocessor to handle a stateful search of patterns across multiple packets.
  • Address a few issues in the Snort manual and other READMEs for flowbits and tunneling.
  • Save off packet data for quicker debugging in case of a SIGABRT or SIGBUS.
  • Fix alignment of sfxhash node for SPARC platforms.

New in version 2.9.6.0 RC (December 14th, 2013)

  • We've improved a few very minor things, but we're really looking for more testing in the engine and feedback about the capabilities we've built into it.

New in version 2.9.6.0 Beta (November 20th, 2013)

  • src/detection-plugins/sp_icmp_code_check.c: Allow a negative value in the ICMP icode xy range check. This permits the rule to include a check for zero
  • src/preprocessors/Stream5/snort_stream5_tcp.c: Disable detection when the TCP connection was already closed.
  • src/: dynamic-preprocessors/ftptelnet/ftpp_si.h, dynamic-preprocessors/ftptelnet/pp_ftp.c, dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, file-process/file_api.h: Fix FTP-Data file processing.
  • src/snort_bounds.h: Avoid assertion for zero size memory copy
  • src/: dynamic-plugins/sf_dynamic_plugins.c, detection-plugins/sp_react.c: Only inject response page when session is established.
  • src/dynamic-preprocessors/smtp/smtp_log.h, src/dynamic-preprocessors/smtp/snort_smtp.c, src/dynamic-preprocessors/smtp/snort_smtp.h, preproc_rules/preprocessor.rules, etc/gen-msg.map: Add a new preprocessor alert to detect Cyrus SASL authentication attack.
  • src/dynamic-preprocessors/ssh/spp_ssh.c: Set_reassembly to ABSOLUTE only if the traffic is SSH. Statefully process ssh version/ssh key exchange init/key exchange and/or encrypted data within a single reassembled packet. Thanks to Florian Westphal for reporting this.
  • src/file-process/file_mime_process.c: For IMAP, the MIME and message will be inside fetch body, which will be end at ")".
  • src/: dynamic-preprocessors/dns/spp_dns.c, dynamic-preprocessors/ssh/spp_ssh.c, Change preprocessor reassembly policy; Changed SSH preprocessor state transition based on the dir rather than both.
  • src/: preprocessors/Stream5/snort_stream5_tcp.c: Ignore the gap when turning on reassembly dynamically on the very first packet of the session.
  • src/dynamic-preprocessors/dnp3/spp_dnp3.c: Fix the incorrect mempool warnings. Thanks to Bram for reporting this
  • doc/snort_manual.pdf, doc/snort_manual.tex, configure.in, src/snort.c, src/util.c: Trim freed memory before and after configuration reload.
  • src/: dynamic-preprocessors/imap/snort_imap.c, dynamic-preprocessors/pop/snort_pop.c, dynamic-preprocessors/smtp/snort_smtp.c, file-process/file_mime_process.c, sfutil/sf_email_attach_decode.c: Allow 7bit decoding of binary file attachments.
  • src/dynamic-preprocessors/sdf/: spp_sdf.c, spp_sdf.h: Avoid partial rule tree match during reload.
  • src/tag.c: Fix boundary check error so that the global tagged packet limit doesn't allow an extra tag.
  • src/: file-process/file_mime_process.h, file-process/file_api.h, file-process/file_mime_process.c, file-process/file_service.c, dynamic-preprocessors/imap/snort_imap.c, dynamic-preprocessors/imap/spp_imap.c, dynamic-preprocessors/smtp/snort_smtp.c, dynamic-preprocessors/pop/snort_pop.c, dynamic-preprocessors/pop/spp_pop.c: Add simple PAF support for POP and IMAP.
  • src/: util.c, util.h, sfutil/sf_ip.c, sfutil/sf_ip.h: Bugs Add sfip_convert_ip_text_to_binary() to enforce platform agnostic IPv4 syntax. Make sure xatou(), xatol(), and xatoup() return values within specified range
  • doc/snort_manual.tex: Update the document to include the '=' operators to the byte_test command
  • src/preprocessors/Stream5/snort_stream5_tcp.c: Make sure INTERNAL_EVENT_SESSION_ADD event only in the ESTABLISHED state.
  • src/sfutil/sf_email_attach_decode.c: Check the QP encoding string is valid to avoid decoding end of line incorrectly.
  • src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: Tweak config output to correspond to config input. Thanks to Reinoud Koornstra for the suggestion.
  • src/preprocessors/Stream5/: snort_stream5_icmp.c, snort_stream5_ip.c, snort_stream5_tcp.c, snort_stream5_udp.c: dynamic-preprocessors/pop/snort_pop.c, dynamic-preprocessors/smtp/snort_smtp.c, dynamic-preprocessors/ssl/spp_ssl.c, encode.c, dynamic-preprocessors/dcerpc2/dce2_cl.c, dynamic-preprocessors/dcerpc2/dce2_session.h, dynamic-preprocessors/dcerpc2/snort_dce2.c, dynamic-preprocessors/dns/spp_dns.c, dynamic-preprocessors/imap/snort_imap.c: preprocessors/spp_rpc_decode.c, preprocessors/spp_stream5.c, preprocessors/stream_api.h, preprocessors/stream_expect.c: Handle out of order SSL handshake in SMTP. Thanks to Bram for the reporting this.
  • src/preprocessors/perf-base.c: Update the header printed at top of now file.
  • src/preprocessors/perf-base.c: Change name of stat from Blocked Packets to Block Verdicts.
  • src/preprocessors/Stream5/snort_stream5_session.c: Timeout a session when session timeout reaches instead of waiting for session nominal timeout.
  • configure.in, src/plugbase.c, src/rule_option_types.h, src/snort.c, src/detection-plugins/Makefile.am, src/detection-plugins/: sp_file_type.c, sp_file_type.h, src/detection-plugins/detection_options.c, src/dynamic-preprocessors/Makefile.am, src/file-process/Makefile.am, src/file-process/file_api.h, src/file-process/file_service.c, src/file-process/file_service_config.c, src/file-process/file_service_config.h, src/file-process/libs/Makefile.am, src/file-process/libs/file_config.c, src/file-process/libs/file_config.h, src/file-process/libs/file_lib.c, src/file-process/libs/file_lib.h, src/preprocessors/spp_stream5.c, tools/Makefile.am, doc/: README.file, README.file_ips, Makefile.am: File inspection keywords for IPS rules.
  • src/dynamic-preprocessors/sdf/: sdf_pattern_match.c, sdf_pattern_match.h, spp_sdf.c, spp_sdf.h: Add stateful pattern match of sdf patterns across packets.
  • mkinstalldirs, doc/snort_manual.tex, src/detect.c, src/detection_util.h, src/fpdetect.c, src/parser.c, src/tag.c, src/tag.h, src/target-based/sf_attribute_table.y, tools/u2spewfoo/u2spewfoo.c: Support single session capture via tag rule option. Log all packets to the same place as original alert. Enable tagging on pass rules.
  • src/: dynamic-preprocessors/imap/snort_imap.c, dynamic-preprocessors/imap/snort_imap.h, dynamic-preprocessors/pop/snort_pop.c, dynamic-preprocessors/pop/snort_pop.h, dynamic-preprocessors/smtp/snort_smtp.c, dynamic-preprocessors/smtp/snort_smtp.h, file-process/file_api.h, file-process/file_mime_process.c, preprocessors/str_search.c, preprocessors/str_search.h, sfutil/bnfa_search.c: Add Stateful mime boundary search when split between packets.
  • src/preprocessors/HttpInspect/client/hi_client.c: Change the uri search to start from method end instead of the start of payload.
  • configure.in, doc/README.file, doc/snort_manual.pdf, src/parser.c, src/preprocids.h, src/snort.c, src/util.c, src/detection-plugins/.cvsignore, src/dynamic-examples/Makefile.am, src/dynamic-plugins/sf_engine/.cvsignore, src/dynamic-preprocessors/Makefile.am, src/dynamic-preprocessors/file/Makefile.am, src/dynamic-preprocessors/file/file_agent.c, src/dynamic-preprocessors/file/file_agent.h, src/dynamic-preprocessors/file/file_event_log.c, src/dynamic-preprocessors/file/file_event_log.h, src/dynamic-preprocessors/file/file_inspect_config.c, src/dynamic-preprocessors/file/file_inspect_config.h, src/dynamic-preprocessors/file/file_sha.c, src/dynamic-preprocessors/file/file_sha.h, src/dynamic-preprocessors/file/sf_file.dsp, src/dynamic-preprocessors/file/spp_file.c, src/dynamic-preprocessors/file/spp_file.h, src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp, src/file-process/Makefile.am, src/file-process/circular_buffer.c, src/file-process/circular_buffer.h, src/file-process/file_api.h, src/file-process/file_capture.c, src/file-process/file_capture.h, src/file-process/file_mempool.c, src/file-process/file_mempool.h, src/file-process/file_resume_block.c, src/file-process/file_service.c, src/file-process/file_service.h, src/file-process/file_service_config.c, src/file-process/file_service_config.h, src/file-process/file_stats.c, src/file-process/file_stats.h, src/file-process/libs/file_config.c, src/file-process/libs/file_config.h, src/file-process/libs/file_identifier.c, src/file-process/libs/file_identifier.h, src/file-process/libs/file_lib.c, src/file-process/libs/file_lib.h, src/file-process/libs/file_sha256.h, tools/Makefile.am, tools/file_server/Makefile.am, tools/file_server/README.file_server, tools/file_server/file_server.c: Add file capture feature and introduce file inspect preprocessor
  • src/preprocessors/Stream5/snort_stream5_tcp.c: Parse error if there are missing direction specifiers. Thanks to Bram Fabeg for the report.
  • src/ipv6_port.h: Remove duplicate macro for GET_ORIG_IPH_PROTO.
  • doc/: README.decode, README.gre, README.mpls, snort_manual.pdf, snort_manual.tex: Update manual and other docs related to tunneling. Thanks to Jason Poley for noting it.
  • src/parser.c: Not so silently skip duplicate service metadata.
  • src/: log.c, mempool.c, parser.c, snort.c, util.c, detection-plugins/sp_ip_tos_check.c, detection-plugins/sp_pattern_match.c, detection-plugins/sp_replace.c, detection-plugins/sp_session.c, detection-plugins/sp_tcp_win_check.c, dynamic-preprocessors/dns/spp_dns.c, dynamic-preprocessors/ftptelnet/pp_ftp.c, dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, dynamic-preprocessors/sdf/sdf_pattern_match.c, output-plugins/spo_log_ascii.c, output-plugins/spo_log_tcpdump.c, preprocessors/HttpInspect/utils/hi_paf.c, preprocessors/Stream5/snort_stream5_tcp.c: Replace obsolete bzero and index calls. Credits to Bill Parker
  • src/dynamic-preprocessors/: smtp/snort_smtp.c, ssl/spp_ssl.c, libs/ssl.c, libs/ssl.h: Check for SSL type only when the SSL handshake is not complete. Don't check for type in SSL data. Thanks to Bram Fabeg for reporting this.
  • src/preprocessors/: HttpInspect/server/hi_server.c, HttpInspect/server/hi_server_norm.c, Stream5/snort_stream5_tcp.c: Only check charset bom once per response body; Only set charset once per charset=
  • src/profiler.c: Fix issue when reading pcaps from command line and using multiple policies and --pcap-reset.
  • src/detection-plugins/detection_options.c: Don't count RTN perf time in OTN perf time. Credits to Reinoud for reporting this.
  • doc/README.flowbits: Fix typo in flowbits isnotset examples
  • src/snort.c, src/snort.h, src/util.c, snort.8, doc/snort_manual.pdf, doc/snort_manual.tex: Add a command line switch --no-interface-pidfile to snort.
  • src/preprocessors/: spp_stream5.c, Stream5/stream5_common.h: Updated Stream's exit stats to use 'filtered' instead of dropped.
  • src/: detection_util.h, dynamic-preprocessors/sip/spp_sip.c: Don't set sip/http buffers to null
  • src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c: Return mismatch if requested http buffer was not set
  • src/snort.c: Bugs Fixed: Capture packet data for sigabrt and sigbus
  • doc/README.dcerpc2, doc/snort_manual.pdf, doc/snort_manual.tex, etc/gen-msg.map, preproc_rules/preprocessor.rules, src/active.c, src/active.h, src/encode.c, src/encode.h, src/generators.h, src/dynamic-plugins/sf_dynamic_plugins.c, src/dynamic-plugins/sf_dynamic_preprocessor.h, src/dynamic-preprocessors/dcerpc2/dce2_co.c, src/dynamic-preprocessors/dcerpc2/dce2_config.c, src/dynamic-preprocessors/dcerpc2/dce2_config.h, src/dynamic-preprocessors/dcerpc2/dce2_event.c, src/dynamic-preprocessors/dcerpc2/dce2_event.h, src/dynamic-preprocessors/dcerpc2/dce2_memory.c, src/dynamic-preprocessors/dcerpc2/dce2_memory.h, src/dynamic-preprocessors/dcerpc2/dce2_smb.c, src/dynamic-preprocessors/dcerpc2/dce2_smb.h, src/dynamic-preprocessors/dcerpc2/dce2_stats.h, src/dynamic-preprocessors/dcerpc2/snort_dce2.c, src/dynamic-preprocessors/dcerpc2/snort_dce2.h, src/dynamic-preprocessors/dcerpc2/spp_dce2.c, src/dynamic-preprocessors/dcerpc2/spp_dce2.h, src/dynamic-preprocessors/dcerpc2/includes/smb.h, src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, src/dynamic-preprocessors/imap/snort_imap.c, src/dynamic-preprocessors/pop/snort_pop.c, src/dynamic-preprocessors/smtp/snort_smtp.c, src/file-process/file_api.h, src/file-process/file_mime_process.c, src/file-process/file_service.c, src/file-process/libs/file_identifier.c, src/file-process/libs/file_identifier.h, src/file-process/libs/file_lib.c, src/file-process/libs/file_lib.h, src/preprocessors/snort_httpinspect.c, src/preprocessors/Stream5/snort_stream5_tcp.c: Add SMB file support

New in version 2.9.5.6 (November 19th, 2013)

  • src/preprocessors/Stream5/snort_stream5_tcp.c: add NULL check for preprocessors that check for PAF before they check for any actual tcp session
  • src/detection-plugins/: sp_byte_check.c, sp_byte_jump.c, sp_isdataat.c, sp_pattern_match.c: Test if the byte extracted distance and/or offset is within bounds of the search buffer. Thanks to Nathan Fowler for noting the issue.
  • src/preprocessors/HttpInspect/client/hi_client.c: clear cookie normalization buffer to avoid accidental null dereference in pipelined request. Thanks to Michael Galapchuk for reporting the problem.

New in version 2.9.5.5 (September 17th, 2013)

  • Improvements:
  • Address issue with SMTP preprocessor and the ignore_tls_data configuration to correctly stop inspection after an SMTP session is encrypted.
  • Disable all rule evaluation (as opposed to just rules with fast patterns) for packets on a previously blocked session.
  • Corrected when perfmon preprocessor writes stats to occur as soon as both the time and packet count criteria are met.
  • Enforce same restrictions on relative PCRE for HTTP buffers from shared library rules as already existed with text rules.

New in version 2.9.5.3 (July 31st, 2013)

  • Improvements:
  • Performance improvements to eliminate some unnecessary work, reduction of sizes of data structures, and cleanup of processing for HTTP normalized buffers.
  • Cap the number of expected connections (eg FTP data channel) to prevent memory growth
  • Address issue with reloading reputation lookup tables when more addresses are added.
  • Address issue with potential hang during shutdown of control socket config reload processing thread.

New in version 2.9.4.6 (April 25th, 2013)

  • Improved support for DAQ verdicts of whitelist and blacklist for 6in4 and 4in6 encapsulated traffic (similar to Teredo & GTP). See the Snort manual for configuration details.
  • Avoid changing the length of IP options in frag3 when receiving duplicate 0-offset fragments that have IP options.

New in version 2.9.4.5 (April 4th, 2013)

  • Removed proxy information from normalized HTTP Uri to enable correct matching of patterns.
  • Update to log packets to unified2 across all alerts on stream reassembled packets.