Wednesday, December 8, 2021

The newest version of Snort 3 is available now — Here are the latest updates and features


The SNORTⓇ team recently released a new version of Snort 3 on and the Snort 3 GitHub.


Snort contains several new features and bug fixes. Here's a complete rundown of what's new in this version. Users are encouraged to update as soon as possible and to upgrade to Snort 3 if they have not already done so.

We are also excited to release a new installation guide for Snort 3 for Ubuntu 18 and 20. This guide teachers users on how to install Snort on the aforementioned operating systems. A huge thanks to Noah Dietrich for his work on these guides as always.

Here's a rundown of all the changes and new features in this latest version of Snort 3.
  • alert_sf_socket: Removed an obsolete logger.
  • AppID: Exclude stubs from coverage.
  • build: Remove config.h from headers.
  • build: Remove unreachable code.
  • build: Update configure options.
  • catch: Update catch to v2.13.7.
  • dev_notes.txt: Fixed miscellaneous typos.
  • doc: Removed a mention of Automake.
  • doc: Updated builtin_subs.txt with EVENT_JS_SCOPE_NEST_OVERFLOW alert.
  • doc: Updated module usage and inspector types in the dev guide.
  • doc: Updated user/http_inspect.txt with http_inspect.js_norm_max_scope_depth option description.
  • doc: Updated wizard documentation.
  • file_api: file_data changes.
  • framework: Add support for multiple tenants.
  • framework: Don't call a gadget's eval() or clear() after its stream splitter stops.
  • framework: Replace Value::get_long() with a platform-independent type.
  • framework: Update base API version to 11.
  • helpers: Fix stream unit test on 32-bit platforms.
  • http2_inspect: Discard with padding.
  • http_inspect: Fix total_bytes peg count.
  • http_inspect: New rule options num_headers and num_trailers.
  • http_inspect: Store ole data in msg_body.
  • http_inspect: Update comments for asserts in eval and clear.
  • http_inspect: Update dev_notes.txt.
  • hyperscan: Disable incorrect unit test leak warnings.
  • ips_options: Create LiteralSearch object for VBA decompression at the time of Snort initialization.
  • memory: Add max RSS to verbose memory output.
  • memory: Add original overload manager.
  • memory: Add support for jemalloc.
  • memory: Expand profile report field widths.
  • memory: Fix accounting issues.
  • memory: Free space per DAQ message, not per allocation.
  • memory: Move mem_stats to MemoryCap.
  • memory: Refactoring.
  • memory: Refactor pruning and update unit tests.
  • memory: Remove explicit allocation tracking.
  • memory: Update dev notes.
  • perf_monitor: Allow constraint seconds = 0.
  • piglets: Refactor support code
  • reputation: Remove unused SFRT code.
  • RNA: Refactor unit test stubs
  • search_engines: Remove unused test code.
  • stream_tcp: Delete unused unit test cruft
  • stream_tcp: Only fall back if stream splitter aborted and don't keep processing fragments after MagicSplitter returned STOP.
  • stream_tcp: Remove unused unit test code.
  • stream_user: Refactor and remove cruft.
  • unified2: Remove cruft.
  • utils: Adjust output in case of carryover.
  • utils: Enable batch mode for Flex.
  • utils: (JSNormalizer) add program scope tracking and alias resolution.
  • utils: (JSNormalizer) rework the split over multiple chunks behavior.
  • utils: Pass an address into memset instead of the object.
  • utils: Reduce flex generation of unused JS normalizer code.
  • utils: Reset Normalizer context when a new script starts.
  • VBA: Fix buffer overflow in ole parser.
  • wizard: Add patterns to match unknown HTTP and SIP methods.
  • wizard: Change default value of max_search_depth from 64 to 8192.
  • wizard: Remove telnet IAC pattern.

Snort 3 is the next generation of the Snort Intrusion Prevention System. The GitHub page will walk users through what Snort 3 has to offer and guide users through the steps of getting set up — from download to demo. Users unfamiliar with Snort should start with the Snort Resources page and the Snort 101 video series

You can subscribe to Talos' newest rule detection functionality for as low as $29 a year with a personal account. Be sure and see our business pricing as well here. Make sure and stay up to date to catch the most emerging threats.