Monday, May 3, 2021

New Snort 3 release available — Here are all the updates and fixes

The SNORT® team recently released a new version of Snort 3 on Snort.org and the Snort 3 GitHub.

Snort 3.1.4.0 contains several new features and bug fixes. Here's a complete rundown of what's new in this version. Users are encouraged to update as soon as possible, and to upgrade to Snort 3 if they have not already done so.

  • appid: (fix style) Local variable 'version' shadows outer variable
  • appid: Delete third-party connections with context only if third-party reload is not in progress
  • appid: clean up Lua stack on C->lua function exit
  • appid: clean-up parameters in service_bootp
  • appid: detect payload based on DNS host
  • appid: in continue state for FTP traffic, do not change service to unknown on validation failure
  • appid: monitor only the networks specified in RNA configuration
  • appid: refactor to set HTTP scan flags in one place
  • appid: remove detectors which are available in odp
  • appid: remove duplicate RTMP code
  • binder: update flow data inspector on a service change
  • build: add better support for flex lexer; Thanks to Özkan KIRIK and Moin for reporting the issue.
  • codecs: use held packet SYN in Tcp header creation
  • copyright: Update year to 2021
  • dce_rpc: Added a cleanup condition for DCERPC in close request
  • dce_rpc: DCERPC Support over SMBv2
  • dce_rpc: Fixed prototype mismatch. Smb2Tid doesn't need to be inline.
  • doc: add documentation for script_data IPS option
  • doc: revert documentation related to script_data IPS option
  • framework: Adding IT_FIRST inspector type to analyze the first packet of a flow
  • hash: prepond object creation in LRU cache find_else_create
  • host_tracker: fix bug in set_visibility
  • http2_inspect: fix possible read-after-free in hpack decoder
  • http2_inspect: free streams in completed/error state
  • http_inspect: fix end of script match after reload
  • http_inspect: remove detained inspection config
  • IPS: allow null detection trees with negated lists
  • ips_options: add sticky buffer script_data ips option within normalized JavaScript payload
  • main: Adding reload id to track config/module/policy reloads
  • main: Log holding verdict only if packet was actually held.
  • main: Update memcap for detained packets.
  • Netflow: add device list configuration
  • Netflow: add filter matching for v5 decoder
  • Netflow: get correct zone info from packet
  • packet_io: If packet has no daq_instance, use thread-local daq_instance.
  • packet_tracer: Appid daq trace log
  • packet_tracer: fix trace condition for setting IP_PROTO
  • payload_injector: send go away frame
  • pcre: revert change that disabled jit
  • reputation: Registering inspector to the IT_FIRST type
  • RNA: add the smb fingerprint processor to the get_or_create / set processor api
  • SSL: refactoring SSLData out so it can be reused
  • stream: Add held packet to retry queue when requested.
  • stream: Add partial_flush. Flush one side of flow immediately.
  • stream: IP frag packets won't have a flow so do not try to hold them.
  • stream: fetch held packet SYN
  • stream: fix race condition in HPQReloadTuner
  • stream: store held packet SYN
  • utils: enable Flex C++ mode via its option

Snort 3 is the next generation of the Snort Intrusion Prevention System. The GitHub page walks users through what Snort 3 has to offer and the steps of getting set up — from download to demo. Users unfamiliar with Snort should start with the Snort Resources page and the Snort 101 video series.

You can subscribe to Talos' newest rule detection functionality for as low as $29 a year with a personal account. Be sure to see our business pricing here as well. Stay up to date to catch the most emerging threats.