Wednesday, September 28, 2016

Snort++ Build 213 Available Now

Snort++ build 213 is now available on snort.org.  This is the latest monthly update available for download.  You can also get the latest updates from github (snortadmin/snort3) which is updated weekly.

Snort++ is very close to overtaking Snort 2.X and with any luck Alpha 4 will be completed with the next monthly release.  If you haven't tried out Snort++ now is a good time to do so.

Enhancements:
  • added dce udp snort2lua
  • added file detection when they are transferred in segments in SMB2
  • added dce iface fast pattern for tcp
  • added --enable-tsc-clock to build/use TSC register (on x86)
  • updated latency to use ticks during runtime
  • updated default stream cache sizes to match 2.X
  • close tcp on rst in close wait, closing, fin wait 1, and fin wait 2
  • separate idle timeouts from session timeouts counts
  • ported full retransmit changes from snort 2X
  • ported Smbv2/3 file support
  • ported mpls encode fixes from 2983
  • ported smb file processing
  • ported the 2.9.8 ciscometadata decoder
  • ported the 2.9.8 double and triple vlan tagging changes
  • started dce_udp porting
Bug Fixes:
  • fixed carved smb2 filenames
  • fixed multithread hyperscan mpse
  • fixed sd_pattern iterative validation
  • fixed another case of CPPUTest header order issues
  • fixed lua conflict with _L macro from ctype.h on OpenBSD
  • fixed hyperscan detection with nocase
  • fixed shutdown sequence
  • fixed --dirty-pig
  • fixed FreeBSD build re appid / service_rpc
  • fixed tcp_connector_test for OSX build
  • fixed binder make files to include binder.h
  • fixed double counting of ip and udp timeouts and prunes
  • fixed clearing of SYN - RST flows
  • fixed inverted detection_filter logic
  • fixed stream profile stats parents
  • fixed most bogus gap counts
  • fixed unit test for high availability, hyperscan, and regex
  • fixed for TCP high availability
  • fixed install of file_decomp.h for consistency between Snort and extras
  • fixed regex as fast pattern with hyperscan mpse
  • fixed http_inspect and tcp valgrind errors
  • fixed extra auto build from dist
  • numerous fixes, cleanup, and refactoring for appid
  • numerous fixes, cleanup, and refactoring for high availability
Other Changes:
  • removed unused -w commandline option
  • added HA details to stream/* dev_notes
  • added stream.ip_frag_only to avoid tracking unwanted flows
  • added smtp client counters and unit tests
  • added appid counts for rsync
  • added http_inspect alerts for Transfer-Encoding and Content-Encoding abuse
  • tcp stream reassembly tweaks
  • use sd_pattern as a fast-pattern
  • rewrite and fix the rpc option
  • cleanup fragbits option implementation
  • finish up cutover to the new http_inspect by default
  • moved file capture to offload thread
  • updated style guide for 'using' statements and underscores
  • cmake: clean dead variables out of config.cmake.h
  • build: fixed 32-bit compiler warnings
  • build: fixed illumos/OpenSolaris build and remove SOLARIS/SUNOS defines
  • build: remove superfluous LINUX and MACOS definitions
  • build: remove superfluous OPENBSD and FREEBSD definitions
  • build: entering 'std' namespace should be after all headers are included
  • build: clean up u_int*_t usage
  • build: remove SPARC support
  • build: clean up some DAQ header inclusion creep
  • cleaned up compiler warnings

Please submit bugs, questions, and feedback to bugs@snort.org or the Snort-Users mailing list.

Happy Snorting!
The Snort Release Team