Thursday, January 4, 2018

Snort 2.9.11.1 has been released!

Release Notes:

2017-12-06 - Snort 2.9.11.1

New Additions


  • Added support for blocking portscans. In addition to tracking the scanning packets, the action (drop/sdrop/reject) will be taken for all the packets, which means Snort will block the packet and generate logs.
  • Added support to re-evaluate reputation after reputation update for all flows except those that have already been blacklisted.

Improvements


  • Fixed an issue so that RTP is detected with up to two SSRC switches in each traffic direction.
  • Fixed issues related to HTTP POST header flushing: file processing is now called directly if the header is not a multipart header, and segment data is no longer split when flushing headers, which avoids an expensive copy.
  • Fixed an issue with triggering the protocol sweep alert when a single source runs an IP protocol scan against multiple destinations.
  • Fixed IP portscan for protocols other than ICMP, and fixed an issue where the bad fragment size event was not generated for oversized packets.
  • Changed file processing to use raw data for PDF and SWF files for SHA calculation and Malware Cloud Lookup.
  • Fixed session matching for TCP SYN packets without the window scale option so that FTP data channels match the same rule as FTP control channels.
  • Fixed an issue with applying the new configuration in file inspection after a Snort reload.

We'd like to thank the following Snort Community members for working with us to fix issues released in 2.9.11.1:

Markus Lude
BlueSky
David Binderman

You can download Snort version 2.9.11.1 from its usual location on Snort.org. Talos will be releasing the ruleset for 2.9.11.1 later today (January 4th, 2018).

As always, you can report issues with Snort via our Snort-devel mailing list, and continue discussion for users on our Snort-users mailing list.

Thanks for your support of Snort and Happy New Year!