Friday, July 28, 2017

Snort++ Build 239 Available Now on Snort.org

A new release of Snort++ is now available on Snort.org which includes lots of new functionality and important bug fixes.  Here is an overview of the updates since the prior release:

Important changes since the last release:
  • DAQ: version 2.2.2 now required
  • rules: removed sample.rules; Talos now publishes Snort 3 community rules on snort.org
  • rules: promoted metadata:service to a separate option since it is not metadata
  • mpse: removed Intel Soft CPM support (use Hyperscan!)
  • unified2: deprecated ip4 and ip6 specific events and added a single event for both
  • http_server: removed old inspector (use new http_inspect instead)
  • hyperscan: now require version >= 4.4.0
  • loggers: removed units options; all limits expressed in MB

Issues reported by the community:
  • logging: fixed handling of out of range timeval
    thanks to kamil@frankowicz.me for reporting the issue
  • rules: tolerate spaces in positional parameters
    thanks to Joao Soares for reporting the issue
  • search_engine: set range for max_queue_events parameter
    thanks to Navdeep.Uniyal@neclab.eu for reporting the issue
  • packet manager: ensure ether type proto ids don't masquerade as ip proto ids
    thanks to Bhargava Shastry for reporting the issue
  • codec manager: fixed off-by-1 mapping array size
    thanks to Bhargava Shastry for reporting the issue
  • hyperscan: check runtime support
    thanks to justin.viiret@intel.com for submitting the patch
  • mpse: fixed issue with empty pattern database
    thanks to justin.viiret@intel.com for reporting the issue

New Features:
  • perf_monitor: added FlatBuffers output and JSON formatter
  • also added tool to convert FlatBuffers files to yaml
  • alerts: improved -A cmg formatting
  • numerous control socket and shell updates
  • byte_math and bitmask: ported rule options from Snort 2.X
  • regex: added fast_pattern; do not use for fast pattern unless explicitly indicated
  • detection: added new trace capability to debug rules
  • output: added packet trace feature
  • port_scan: now fully configurable

There are many other updates not mentioned.  Check the ChangeLog for a summary of changes including new features and build and bug fixes.

There are lots of enhancements and new features planned for Snort++, some of which are already in development.  As always, new downloads are posted to snort.org periodically.  You can also get the latest updates from GitHub (snortadmin/snort3), which is updated weekly.

Please submit bugs, questions, and feedback to bugs@snort.org or the Snort-Users mailing list.

Happy Snorting!
The Snort Release Team