Monday, December 3, 2012

Snort 2.9.4.0 has been released!

Snort 2.9.4 is now available on snort.org, at https://www.snort.org/downloads in the Latest Release section.

************ Please note: 2.9.3.1 & later packages are signed with a new PGP key (that key is signed with the previous key). ************

Snort 2.9.4 includes changes for the following:

[*] New additions

* Consolidation of IPv6 -- now only a single build supports both IPv4 & IPv6, and removal of the IPv4 "only" code paths.

* File API and improvements to file processing for HTTP downloads and email attachments via SMTP, POP, and IMAP to facilitate broader file support

* Use of address space ID for tracking Frag & Stream connections when it is available with the DAQ

* Logging of packet data that triggers PPM for post-analysis via Snort event

* Decoding of IPv6 with PPPoE

* Added an API call to add a service to a host in the attribute table. Removed the unused live attribute update code.

[*] Improvements

* Update to Stream5 PAF for handling gaps in the sequence numbers of packets being reassembled.

* Selection of the Stream TCP policy based on the server rather than the destination of the first packet seen by Snort

* Allow disabling of global thresholds via a count of -1

* Prevent blocking duplicate SYNs when using inline normalization

* Add SSLv3 backwards compatibility support for SSLv2 ClientHello messages

* Allow active responses to packets without data (e.g., a TCP SYN)

* Changed logic of option evaluations for shared library rules that use a custom evaluation function to match that of the builtin logic when the NOT_FLAG is used. The 'NOT' matching now happens within each of the individual rule option evaluation functions.

* Updated SMTP preprocessor to better handle commands that have corresponding data on a subsequent line, to reduce false positives. Three commands fall into this category: X-EXPS, XEXCH50, and BDAT.

* Improve support for encapsulated & tunneling protocols to block or fastpath a connection within the tunnel rather than applying that to the whole tunnel.

Please see the Release Notes and ChangeLog for more details.

Please submit bugs, questions, and feedback to bugs@snort.org.

Happy Snorting!

The Snort Release Team