Thursday, August 11, 2016

Snort++ Build 206 Available Now

Snort++ build 206 is now available on  This is the latest monthly update available for download.  You can also get the latest updates from github (snortadmin/snort3) which is updated weekly.

  • converted sd_pattern to use hyperscan
  • ported smb reassembly and raw commands processing, segmentation support
  • ported smb write and close command, deprecated dialect check, smb fingerprint
  • ported appid rule option as "appids"
  • ported appid detectors: kereberos, bittorrent, imap, pop
  • added appid counts for mdns, timbuktu, battlefield, bgp, and netbios services
  • added smtp.max_auth_command_line_len
  • added new_http_inspect unbounded POST alert
  • added oversize directory alert to new_http_inspect
  • snort2lua updates for new_http_inspect
Bug Fixes:
  • fixed asn1:print help
  • fixed event queue buffer log size
  • fixed make distcheck; thanks to jack jackson <> for reporting the issue
  • fixed help text for rule options ack, fragoffset, seq, tos, ttl,  and win
  • fixed endianness issues with rule options seq and win
  • fixed rule option session binary vs all
  • fixed issue with icmp_seq and icmp_id field matching
  • fixed off-by-1 line number in rule parsing errors
  • fixed cmake make check issue with new_http_inspect
  • fixed new_http_inspect handling of 100 response
  • fixed dynamic build of new_http_inspect
  • fixed outstanding strndup calls
  • fixed static analysis issues
Other Changes:
  • moved http_inspect (old) to http_server (in extras)
  • moved new_http_inspect to http_inspect
  • code refactoring and cleanup
Please submit bugs, questions, and feedback to or the Snort-Users mailing list.

Happy Snorting!
The Snort Release Team