Tuesday, February 13, 2018

Snort++ Build 243 Available Now on Snort.org

A new release of Snort++ (build 243) is now available on snort.org which includes lots of new functionality and important bug fixes.  Here is an overview of the updates since the prior release:

Important changes since the last release:


  • build: dropping automake support - only cmake tarballs provided
    (automake files are still included but will be removed soon)

Issues reported by the community:

  • alert_json: various fixes
    thanks to Noah Dietrich for reporting the issues
  • appid: gracefully handle failed Lua state instantiation
    thanks to Noah Dietrich for reporting the issue
  • build: add STATIC to add_library call of port_scan to build it statically
    thanks to Fabrice Fontaine
  • cd_pbb: initial version of codec for 802.1ah
    thanks to jan hugo prins  for reporting the issue
  • cd_pflog: fix comments
    thanks to Markus Lude for the 2X patch
  • http_inspect: handle borked reassembly gracefully
    thanks to João Soares for reporting the issue
  • ips options: error if lookup fails due to bad case, typos, etc.
    thanks to Noah Dietrich   for reporting the issue

New Features:

  • alert_json: added json event logger
  • arp_spoof: added wlan support
  • binder: added zones, network policy selection
  • daq: add support for DAQ_VERDICT_RETRY
  • daq: add support for packet trace
  • daq: add support tunnel bypass for IP 4IN4, IP 6IN6, GRE and MPLS by config and flags
  • dce_smb: added unicode filename support
  • file policy: add support for file event logging
  • http_inspect: added http_raw_buffer rule option
  • inspectors: added peg count for max concurrent sessions
  • loggers: added base64 encoder based on libb64 from devolve
  • modules: add usage designating global, context, inspect, or detect policy applicability
  • mss: add extra rule option to check mss
  • port_scan: add alert_all to make alerting on all events in window optional
  • snort2lua: --bind-wizard will add a trailing binding to the default wizard in each binder
  • snort2lua: convert file_magic.conf to Lua format.
  • snort2lua: bindings now merge and propagate to top level of corresponsing policy
  • snort2lua: '# alert' rules and pass comments in *.rules files
  • snort: -T does not compile mpse; --mem-check does
  • snort: add --dump-msg-map
  • snort: add warnings count to -T ouptut
  • target: add rule option to indicate target of attack
  • unified2: add legacy_events bool for out-of-date barnyard2
  • wscale: add extra rule option to check tcp window scaling

Bug Fixes:

  • byte_test: fixed string bounds check
  • content: fixed relative loop condition
  • dce: use service names from rules (dce_smb = netbios-ssn; dce_tcp / ce_udp = dcerpc)
  • detection: fixed option tree looping issue
  • detection: use detection limit (alt_dsize)
  • http_inspect: HTTP headers no longer avoid detection when message unexpectedly ends after status line or headers
  • http_inspect: apply request/response depth to packet data
  • pcre: fixed relative search with ^
  • shell: fixed --pause to accept control commands while in paused state
  • snort2lua: no sticky buffer for relative pcre
  • snort: fixed --dump-builtin-rules to accept optional module prefix
  • u2spewfoo: fixed build on FreeBSD
There are many other updates not mentioned.  Check the ChangeLog for a summary of changes including new features and build and bug fixes.

There are lots of enhancements and new features planned for Snort++, some of which are already in development.  As always, new downloads are posted to snort.org periodically.  You can also get the latest updates from github (snortadmin/snort3) which is updated weekly.

Please submit bugs, questions, and feedback to bugs@snort.org or the Snort-Users mailing list.

Happy Snorting!
The Snort Release Team