Monday, September 27, 2021

Snort version released — Here are all the updates and improvements


The SNORTⓇ team recently released a new version of Snort 3 on and the Snort 3 GitHub.


This release contains several new features and bug fixes. Here's a complete rundown of what's new in this version. Users are encouraged to update as soon as possible and to upgrade to Snort 3 if they have not already done so.
  • AppID: Prioritize appid's client detection over third-party.
  • AppID: Stay in success state after RPC is detected.
  • builtins: add --dump-builtin-options.
  • catch: Enable benchmarking.
  • CIP, iec104: Update stub rule messages for consistent format.
  • control: Explicitly include ctime header in control.
  • detection: Add fast patterns only once per service group.
  • doc: Add support for details on builtin rules in the reference.
  • doc: Update reference for 2:1 and 129:13.
  • doc: Update the documentation of the "replace" option and "rewrite" action.
  • doc: Update user tutorial with '--enable-benchmark-tests' option.
  • file_api: New API added for URLs.
  • file_api: Revert store processing flow in context.
  • flow: Don't prune memcap if pruning is in progress.
  • host_cache: Avoid data race in cache size access.
  • host_tracker: Removing unused methods.
  • http_inspect: http_raw_trailer fast pattern.
  • http_inspect: Pass file_api the URI with the filename and extract the filename from the URI path.
  • http_inspect: Remove memrchr for portability.
  • netflow: Use device IP and template ID to ensure that the template cache keys are unique.
  • output: Adopt the orphaned tag alert (2:1).
  • RNA: Avoid data races in VLAN and mac addresses.
  • RNA: Avoid infinite loop in ICMPv6 options.
  • SMB: Added a null check when current_flow is not present.
  • snort2lua: Fixed version output (issue #213). Thanks to community member A-Pisani for the fix.
  • stream: Change session_timeout default for TCP, IP, ICMP and user.
  • stream: Fix session timeout of expired flows.
  • trough: Avoid data race in file count.
  • utils: Add benchmark tests for JSNormalizer.
  • utils: Add reference and description for ClamAV test cases.
  • utils: Avoid using pubsetbuf which is STL implementation-dependent.
  • utils: Fix typo in js_normalizer_test.

Snort 3 is the next generation of the Snort Intrusion Prevention System. The GitHub page will walk users through what Snort 3 has to offer and guide them through the steps of getting set up — from download to demo. Users unfamiliar with Snort should start with the Snort Resources page and the Snort 101 video series.

You can subscribe to Talos' newest rule detection functionality for as low as $29 a year with a personal account. Be sure to see our business pricing as well here. Make sure to stay up to date to catch the most emerging threats.