Wednesday, August 29, 2018

Snort 3 beta available now!

We know our customers and community members have been waiting a while for this — so we are thrilled to announce that Snort 3 (build 247) is available in beta now. Snort 3 is a redesign of Snort 2 with a number of significant improvements.

Here are some highlights you should know about before downloading:
  • Configuration — We use LuaJIT for configuration. The config syntax is simple, consistent, and executable. LuaJIT plugins for rule options and loggers are supported, too.
  • Detection — We have worked closely with Cisco Talos to update rules to meet their needs, including a feature they call "sticky buffers." With the use of the Hyperscan search engine, regex fast patterns make rules faster and more accurate.
  • HTTP — We have a new and stateful HTTP inspector that currently handles 99 percent of the HTTP Evader cases, and will soon cover all of them. There are many new features, as well, including new rule options. HTTP/2 support is under development.
  • Performance — We have substantially increased performance for deep packet inspection. Snort 3 supports multiple packet-processing threads and scales linearly, with much less memory required because configuration, including the rule engines, is shared.
  • JSON event logging — Events can be logged as JSON, which makes it straightforward to integrate with tools such as the Elastic Stack. See this blog post for more details.
  • Plugins — Snort 3 was designed to be extensible, and there are over 225 plugins of various types. It is easy to add your own codec, inspector, rule action, rule option, or logger. SO rules are plugins, too, and it is much easier to add your own.
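To make the configuration, sticky-buffer and JSON-logging points above concrete, here is a short snort.lua written for this post as an added example; it is not code from the announcement or from the Snort project. The module and option names (ips, rules, enable_builtin_rules, stream, stream_tcp, http_inspect, http_uri, alert_json, file, fields) are taken from the Snort 3 documentation of this period and are assumptions, not something the post lists; the network addresses are constructed sample values.

```lua
-- Added example, not from the Snort release post. Module and option names
-- are assumed from the Snort 3 documentation; addresses are constructed.

-- The config is real Lua, so variables and expressions work as expected.
HOME_NET = '192.168.0.0/16'       -- constructed sample value
EXTERNAL_NET = '!' .. HOME_NET     -- everything that is not HOME_NET

-- Inspectors are enabled by assigning a table to the module name;
-- an empty table takes the module's defaults.
stream = { }
stream_tcp = { }
http_inspect = { }

-- Rules can be inlined in the config. This rule uses a sticky buffer:
-- "http_uri;" selects the normalized URI buffer for every content
-- match that follows it, instead of a modifier on each content.
ips = {
    enable_builtin_rules = true,
    rules = [[
        alert http $EXTERNAL_NET any -> $HOME_NET any (
            msg:"Example: request for a sensitive admin path";
            http_uri;
            content:"/admin/config", nocase;
            sid:1000001; rev:1;
        )
    ]],
}

-- JSON event logging to a file, choosing which fields each event carries
-- so the output maps cleanly onto an Elastic index.
alert_json = {
    file = true,
    fields = 'timestamp pkt_num proto src_ap dst_ap rule msg action',
}
```

Running `snort -c snort.lua -r sample.pcap` over a capture that contains a matching request writes one JSON object per event to the alert_json file in the log directory; the `fields` string controls exactly which keys appear, which is what makes the ingest mapping predictable.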
You can get Snort 3 from snort.org or from GitHub.

These packages / repositories are available:
  • snort3 — The main engine source code and plugins
  • snort3_extra — Other experimental and example plugins
  • snort3_demo — A test suite with working examples
We push updates to GitHub multiple times per week, and the master branch is always stable.

In addition to the cool new features, Snort 3 also supports all the capabilities of Snort 2.9.11, but we aren't done. Coming soon, we have:
  • Next generation DAQ
  • Connection events
  • Search engine acceleration
  • ... and much more.
Please submit bugs, questions, and feedback to bugs@snort.org or the Snort-Users mailing list.

Happy Snorting!
The Snort Release Team