Wednesday, October 24, 2012

Snort 2.9.4 RC Now Available!

Snort 2.9.4 RC is now available on, at in the Latest Release section.

Snort 2.9.4 includes changes for the following:

[*] New additions

 * Consolidation of IPv6 -- now only a single build supports both IPv4 & IPv6, and removal of the IPv4 "only" code paths.

 * File API and improvements to file processing for HTTP downloads and email attachments via SMTP, POP, and IMAP to facilitate broader file support

 * Use of address space ID for tracking Frag & Stream connections when it is available with the DAQ

 * Logging of packet data that triggers PPM for post-analysis via Snort event

 * Decoding of IPv6 with PPPoE

[*] Improvements

 * Update to Stream5 PAF for handling gaps in the sequence numbers of packets being reassembled.

 * Selection of the Stream TCP policy based on the server rather than the destination of first packet seen by Snort

 * Allow disabling of global thresholds via a count of -1

 * Prevent blocking duplicate SYNs when using inline normalization

 * Add SSLv3 backwards compatibility support for SSLv2 ClientHello messages

 * Allow active responses to packets without data (eg, a TCP SYN)

 * Changed logic of option evaluations for shared library rules that use a custom evaluation function to match that of the builtin logic when the NOT_FLAG is used.  The 'NOT' matching now happens within each of the individual rule option evaluation functions.

Please see the Release Notes and ChangeLog for more details.

Please submit bugs, questions, and feedback to

Happy Snorting!
The Snort Release Team