
Wednesday, September 1, 2021

Snort version 2.9.18.1 has been released

We released the latest version of Snort 2.9, SNORTⓇ version 2.9.18.1, this afternoon. 

This version is a very small update that fixes a possible memory corruption issue in the SMB preprocessor. If you haven't already, we also encourage users to upgrade to Snort 3, which includes a new rule parser and rule syntax, support for multiple packet-processing threads, and much more.

Here's a rundown of what's new in 2.9.18.1:

Monday, March 29, 2021

2.9.17.1 has been released!

Join us as we are pleased to release a minor bug fix version of Snort 2.9.17.1! Since all new development focus is on Snort 3, we encourage you to take a look.

First, some release notes:

Snort 2.9.17.1

Improvements / Fix
  • Fixed wrong reference to configuration during
  • Fixed possible memleak in appid.
  • Fixed a race-condition in http preproc and IPS.
  • Fixed a race-condition in stream preproc.

As always this maintenance release of Snort 2.9.17.1 is available on our Snort downloads page.  For any questions, please feel free to visit our Snort-Users mailing list.

Thursday, November 19, 2020

Snort 2.9.17.0 has been released

Join us as we are pleased to release a bug fix version of Snort 2.9.17.0!  First, some release notes:

Snort 2.9.17.0

New Additions

  • Added support for s7Commplus protocol.
  • Support for allowing common names across rule options.
  • Added support to detect TCP Fast Open packets.

Improvements / Fix
  • Added support for HTTP range field parsing to detect if HTTP response/request is indeed partial or full content.
  • Miscellaneous SMB bug fixes.
  • Fixed TCP segment queue hole issue as per the RFC793 recommendation for OOO Ack packet handling.
  • Fixed multiple static analysis issues.
  • Fixed DNS application detector failing to detect DNS traffic in some scenarios
  • Fixed compiler warnings
  • Fix to populate original IP in dropped events when inline normalization is enabled in unified2 output method
  • Fixed handling of encrypted traffic by the SIP preprocessor
  • Added port 853 to the SSL detector, since DNS over TLS runs on SSL
    • Also improved SIP preprocessor to detect SSL encrypted SIP traffic better
  • Fixes to byte_math operation
  • Fixed GCC 10.1.1 compile issues
  • Fixed incorrect filtering of UDP traffic when "ignore_any_rules" is configured
  • Fix to address some cases of ambiguous codes between SMTP & FTP and when SMTP server does not support EHLO
  • Fixed AppID caching proxy IP instead of tunneled IP in the dynamic cache during ultrasurf traffic
  • Fixed popup message on Windows uninstall operation
  • Added message to ask users to choose 4.1.1 of winpcap when on Windows.

As always this maintenance release of Snort 2.9.17.0 is available on our Snort downloads page.  For any questions, please feel free to visit our Snort-Users mailing list.

Wednesday, August 5, 2020

Snort 2.9.16.1 has been released

Join us as we are pleased to release a bug fix version of Snort 2.9.16.1!  First, some release notes:

Snort 2.9.16.1

New Additions
  • Added support for GCC version 10.1.1.

Improvements/Fixes
  • Added packet counters to make sure flows with one-way data don't stay pending forever.
  • Fixed potential race condition between reload and exit path.

As always this maintenance release of Snort 2.9.16.1 is available on our Snort downloads page.  For any questions, please feel free to visit our Snort-Users mailing list.

Monday, April 13, 2020

Snort 2.9.16.0 has been released

We just released a major Snort release, 2.9.16.0. Take a look at the release notes below for more information:

Snort version 2.9.16.0

New Additions


  • Added support for early inspection of HTTP payload before flushing in pre-ack mode. This feature can be enabled using fast_blocking in http inspect configuration.
  • Added 64-bit support for Windows 10 operating system.
  • Added support for glibc version 2.30.

Improvements and fixes

  • Fixed file policy not working with character prefix in chunk size.
  • Updated the file magic to detect ALZ file types.
  • Addressed an issue when out-of-order FIN is received by dropping it.
  • Normalize randomly encoded nulls interspersed in the HTTP server response to UTF-8.

As always, feedback on this release and any other release may be sent to the Snort mailing lists.

You may download this latest version of Snort from our downloads site.

Monday, January 6, 2020

Snort 2.9.15.1 has been released

We just released a minor Snort bug update, version 2.9.15.1. Take a look at the release notes below for more information:

2019-12-15 - Snort 2.9.15.1

New Additions
  • Added support for glibc version 2.30.

Improvements/Fix
  • Fixed Snort core seen during SSL re-configuration.
  • Fixed file access issues on files from SMB share.

Special thanks for this release go out to David Binderman for the reporting of an issue.

As always, feedback on this release and any other release may be sent to the Snort mailing lists.

You may download this latest version of Snort from our downloads site.

Thursday, October 10, 2019

Snort 2.9.15.0 is here

Today, we added Snort 2.9.15.0 to the family!

As always, available from our download site on Snort.org, this new version contains the following features:

New Additions

  • Added new debugs to print detection, file_processing and Preproc time consumption info and verdict.
  • Added support to detect new Korean file formats .egg and .alg in the file preprocessor.
  • Added support to detect new RAR file-type in the file preprocessor.

Improvements / Fix

  • Fix to generate ALERT if TEID value is zero in GTP v1 and v2 packets.
  • Fix to whitelist FTP data sessions when no file policy exists.
  • Fix RTF file magic to a more generic value to prevent evasions.
  • Added debug logs during HTTP reload.
  • Added rule SID check during validation.
  • Fix an issue where HTTP was processing non-HTTP traffic on port 443.
  • Added new debugs to print detection, file processing, and Preproc time consumption info and verdicts.

Any notes or feedback for us on Snort 2.9.15.0?  Please shoot us a note over on the Snort-Users mailing list.




Friday, August 2, 2019

Snort 2.9.14.1 has been released!

Snort Community!

We know it's a Friday, so we don't expect everyone to run right out and update, but in trying to get everything done before Black Hat / Defcon, we wanted to make sure that 2.9.14.1 was shipped before we all got on planes to head out to "Hacker Summer Camp".

We've just pushed 2.9.14.1 live on the website (snort.org/downloads).  Please head on over and check it out at your earliest convenience.

Release notes are essentially the same as 2.9.14.0, with one minor fix, so I'll repost those:

[*] New Additions

 * Added support for wild card port numbers in host cache and overwriting port service AppId.

 * Added support for new STLS client patterns to help better detect POP3S over SSL.

 * Added support for detecting Mac based SMTP Microsoft Outlook client application.

 * Added a new preprocessor alert 120:27 to alert if there is no proper end of header.

[*] Improvements / Fix

 * Improved appId detection for proxied traffic.

 * Fix for enabling flow profiling mode without restarting snort detection engine.

 * Fixed packet drop scenario.


Thanks so much for bearing with us while we figured out the little bug with packet acquisition.

As always, feedback can be directed to the Snort-users list.  Happy Snorting!

Thursday, April 11, 2019

Snort 2.9.13.0 has been released

Please join us as we welcome SNORTⓇ 2.9.13.0 to the family.

The release notes for the newest version are below:

New Additions
  • Snort now supports reload on snort rules update.
  • Addition of a scenario to add a packet to blacklist verdict to ensure the new session will be allowed.
  • Handled a new pre-processor alert in case of the improper end of the HTTP header.

Improvements
  • Modified the calculation of file hash for FTP/HTTP with offset values.
  • Fixed portal authentication connection stuck in half closed state.
  • Updated UDP global timeout for a non-standard port.

This release also patched the following two vulnerabilities:

As always, we welcome feedback and community participation in Snort on the snort-users mailing list.


Tuesday, October 30, 2018

Snort rule update for Oct. 30, 2018

Just released:
Snort Subscriber Rule Set Update for Oct. 30, 2018

The newest SNORTⓇ rule release from Cisco Talos is here with 10 new rules, five of which are shared object rules. There are also two modified rules, of which one is a shared object rule.

Thursday, October 11, 2018

Snort 2.9.12.0 has been released

Please join us as we welcome SNORTⓇ 2.9.12.0 to the family!

Some release notes on this latest version:

New Additions

  • Parsing HTTP CONNECT to extract the tunnel IP and port information.
  • Alerting and dechunking for chunked encoding in HTTP1.0 request and response.

Tuesday, February 13, 2018

Snort 3.0 Ruleset Announcement!

Join us as we welcome the first official builds of the Snort 3 subscriber and registered ruleset to the family!

Today marks the first day that we will begin publishing the Snort 3 subscriber and registered rulesets alongside the Snort 2.x rulesets on Snort.org.  These are going to be downloadable via API (Oinkcode) the same as Snort 2.x rulesets, and will be published on the same dates.

The same subscription rules apply for Snort 3.  New rules will be added to the registered ruleset after a 30-day delay.  The licensing is the exact same as it is today on Snort 2.x.  Our license can be viewed here:  https://www.snort.org/snort_license

False Positives against Snort 3 rules can be filed by following the same instructions as Snort 2.x rules.  Instructions on how to file false positives can be found here: http://blog.snort.org/2016/11/reporting-false-positives-with-snortorg.html

There are a couple caveats to the Snort 3 ruleset:


  1. Keep in mind that the format and layout of the Snort 3 ruleset is different than Snort 2.  If you want to start testing the Alpha (and coming soon, Beta!) builds of Snort 3, and you have a custom ruleset, you can convert your Snort 2 ruleset into the Snort 3 language by using the snort2lua tool found in the Snort 3 tarball available on www.snort.org/downloads
  2. Shared Object rules are not part of this initial build.  We have not begun to transition the shared object rules that we build for Snort 2.x’s rule tree into Snort 3.  Work on that will begin very soon.
  3. The files within the Snort 3 ruleset tarball are named slightly differently. This is on purpose: it gives a clean separation between the old rule set and the new one, and if someone writes the Snort-Sigs list asking for assistance with a rule while trying to run a Snort 3 rule on a Snort 2 engine, it’ll be easily identifiable.
    1. For instance, in Snort 2.x rules, an example rule file may be named: “server-webapp.rules”
    2. In Snort 3’s rule package, the same file would be named: “snort3-server-webapp.rules”
  4. We have removed all the old dead categories.  Exploit.rules, blacklist.rules, web-iis.rules and the like, all gone.


We look forward to people starting to use this ruleset and test it out.  Please provide us feedback on the Snort-sigs list.

Thursday, January 4, 2018

Snort 2.9.11.1 has been released!

Release Notes:

2017-12-06 - Snort 2.9.11.1

New Additions


  • Added support to block portscan. In addition to tracking the scanning packets, action(drop/sdrop/reject) will be taken for all the packets, which means Snort will block the packet and generate logs.
  • Added support to re-evaluate reputation after reputation update for all flows except those that have already been blacklisted.

Improvements


  • Fixed issue to detect RTP up to two SSRC switches in each traffic direction.
  • Fixed issues related to HTTP POST header flushing, calling file processing directly if it is not a multipart header and changes to avoid expensive copy of segment data by not splitting them when flushing headers.
  • Fixed issue of triggering protocol sweep alert when there are multiple destinations from single source ip protocol scan.
  • Added changes to fix IP portscan for protocol other than ICMP and fixed issue of bad fragment size event not being generated for oversized packets.
  • Added changes to use raw data in case of PDF and SWF files during file processing for SHA calculation and Malware Cloud Lookup.
  • Fixed issue of correct session matching for TCP SYN packets without window scale option so that FTP data channels match the same rule as FTP control channels.
  • Fixed issue of applying new configuration in file inspection after Snort reload.

We'd like to thank the following Snort Community members for working with us to fix issues released in 2.9.11.1:

Markus Lude
BlueSky
David Binderman

You can download Snort version 2.9.11.1 from its usual location on Snort.org.  Talos will be releasing the ruleset for 2.9.11.1 later today (January 4th, 2018).

As always, you can report issues with Snort via our Snort-devel mailing list, and continue discussion for users on our Snort-users mailing list.

Thanks for your support of Snort and Happy New Year!

Friday, December 8, 2017

PulledPork 0.7.3 release!

Released last night, PulledPork 0.7.3 has hit the streets and is downloadable from the pulledpork Github page.

The release notes say the following:

This release includes bug fixes related to some versioning code in the latest version of Snort and other outstanding issues.

The next version of PulledPork will begin work on Snort 3 as we are looking forward to the first beta and compatible ruleset with the engine.

Wednesday, October 11, 2017

Snort 2.9.11.0 has been released!

Please join the Snort team as we welcome the addition of Snort 2.9.11.0 to general availability!

Snort 2.9.11.0 can be downloaded from the usual location on Snort.org.

Below are the release notes:


Snort 2.9.11
[*] New additions


  • Changes to eliminate Snort restart when there are changes to the memory allocated for preprocessors, by releasing unused or least recently used memory when needed.
  • Added support for storing filenames in Unicode for SMB protocol.
  • Added implementation of hostPortCache versioning for unknown flows in AppID to detect and block BitTorrent.


[*] Improvements


  • Enhanced RTSP metadata parsing to match the user-agent field to detect RTSP traffic over Windows Media.
  • Performance improvement when SYN rate limit has been reached and drop is configured as next action.
  • Control-socket and side-channel support for FreeBSD platform.
  • Fixed issue in file signature lookup for retransmitted FTP packet.
  • Enhanced the processing of SIP/RTP future flows without ignoring them.
  • Changes made in PDF/SWF decompression by adding boundary to the size of the decompressed data.
  • Added a null check to prevent copy unless debugHostIp is configured in AppId.
  • Fixed issue where FTP file type block doesn't work for retried download.
  • Resolved issue where Snort is inappropriately handling traffic for which AppId was creating future flow.
  • Performance improvements for SIP/RTP audio and video data flow in AppId.
  • Performance and stability improvements in FTP preprocessor, such as fixing incorrect referencing of ftp_data_session after it is pruned.
  • Stability improvement by resolving valgrind reported issues in AppId.
  • Improved flushing mechanism for HTTP POST header.
  • Added changes to display AppId for IPv6 unified events.
  • Fixed issues with printing of messages for out-of-order packets.
  • Fixed issue in increment of detection filter counter when rule is used in multiple configurations.
  • Fixed dynamic preprocessor compilation failure in OpenBSD platform.
  • Added changes to improve performance of ipvar list comparison.
  • Enhanced SMTP client detection by allowing line folding and all authentication methods.

As always, join the conversation over on the Snort-Users list for any installation or upgrade assistance!

Wednesday, December 14, 2016

Snort 2.9.9.0 has been released!

Please join the Snort team as we welcome the addition of Snort 2.9.9.0 to general availability!

Snort 2.9.9.0 can be downloaded from the usual location on Snort.org.

The new keywords, when they are used, will cause older versions of Snort to fail.  (Meaning, you cannot use 2.9.9.0 rules in 2.9.8.3 and below, once those keywords are used.)

Below are the release notes:

Snort 2.9.9.0
[*] New additions
 
 *  New rule option for byte_math. See the Snort manual for details.

 *  Added bitmask and from_end operations to byte_test. See the Snort manual for details.

 *  Added a Buffer Dump utility to trace all of the buffers used by snort during inspection.
    Enable this by --enable-buffer-dump option to configure prior to building. See the Snort manual for details.

 *  Added new HTTP preprocessor alerts to detect multiple content encoding and multiple content length.

 *  Added support for SMTP Traffic detection over SSL (SMTPS).

[*] Improvements
 *  Fixed an issue which reduces extra service discovery to improve performance.

 *  Fixed multiple issues in AppID.
      - Reconstructed the call to port-service detection.
      - Fixed issue where AppId for Facebook over SPDY/HTTP 1.1 was incorrect.
      - Preventing third-party application identification for expected connections.

 *  Stability improvement for Stream preprocessor. 
      - Addressed incorrect flushing of packets whose size is greater than MAXIMUM_PAF_MAX.
      - Fixed an issue where incorrect length argument in memcpy caused out of bound memory access.

 *  Fixed multiple issues in HttpInspect preprocessor.
      - Handling chunk encoding followed by \r\r\r\n and \n\n\n\r\r\n.
      - Fixed an issue with LZMA flash decompression.

 *  Fixed mime data processing issue in SMTP stateless inspection.

 *  Added support to decode packets that contains VLAN with Secure Group Tag (SGT).
 
 *  Fixed issue related to DLL-Load in Snort on Windows platforms for CVE-2016-1417.

The Snort Team would like to thank the following for their contributions in the Snort 2.9.9.0 release:

Secureworks
Marcel da Silva
Al Lewis
Steffen Ullrich

As always, join the conversation over on the Snort-Users list for any installation or upgrade assistance!



Wednesday, November 9, 2016

PulledPork 0.7.2 has been released!

The newest version of PulledPork has been released and is available for download from the PulledPork Github repository!

This release fixes several bugs.  For those of you who haven't updated your version of PulledPork in a while, this will fix many download issues you may have with the blacklist and official rulesets from Snort.org.

Everyone using PulledPork should grab it, and for the stragglers left that still use oinkmaster, you should start upgrading too.  For those of you that have oinkmaster configurations, you'll see in the contrib directory, a community member has submitted a small perl script that converts your oinkmaster configuration files to pulledpork configuration files.

Please start your upgrade engines, as Snort 2.9.9.0 should be released soon, and you'll want to be ready!

Wednesday, June 22, 2016

Snort 2.9.8.3 has been released!

Please join us in welcoming Snort 2.9.8.3 to the family!

Please see below for the release notes:

2016-04-25 - Snort 2.9.8.3
[*] Improvements
 *  Stability improvement for Stream6 preprocessor

 *  Fixed multiple issues in HttpInspect preprocessor

 *  Fixed an issue of incorrect masking of sensitive data

You can download Snort at our downloads site at Snort.org.

Wednesday, March 30, 2016

Snort 2.9.8.2 has been released!

Snort 2.9.8.2 is now available on snort.org at
http://www.snort.org/downloads in the Snort Stable Release section.

2016-03-09 - Snort 2.9.8.2
[*] New additions
  *  Future-flow and DNS API exposed to lua detector.

  *  Double VLAN tagging support.

[*] Improvements
  *  Performance improvements to AppID.

  *  Stability improvements to file and ftp_telnet preprocessor.

  *  Fixed several issues with SDF and obfuscation.

  *  Resolved an issue of improper handling of malformed DNS host in AppID.

  *  HTTP PAF accepts all tokens between method and version strings in a request URI.

  *  Resolved snort build issue with "--disable-perfprofiling" configure option.

  *  Enhanced mime parsing by adding support for detecting files after unknown headers and no headers.

  *  Fixed issue with gzip decompression when the server response specifies Content-Encoding as GZIP but has no Content-Length field for HTTP ver 1.0.

  *  End of Header(EOH) identification for HTTP response header spanning multiple packets.

  *  Improved packet reassembly for HTTP.

  *  Fixed Flash LZMA decompression issue.

See the Release Notes and ChangeLog for more details.

Please submit bugs, questions, and feedback to bugs@snort.org.

Happy Snorting!
The Snort Release Team


Monday, November 30, 2015

Snort 2.9.8.0 has been released!

Please join us in welcoming Snort 2.9.8.0 to the family! The following are the release notes:

Snort 2.9.8.0
[*] New additions
* SMBv2/SMBv3 support for file inspection.

* Port override for metadata service in IPS rules.

* AppID Lua detector performance profiling.

* Perfmon dumps stats at fixed intervals from absolute time.

* New preprocessor alert (120:18) to detect SSH tunneling over HTTP

* New config option |disable_replace| to disable replace rule option.

* New Stream configuration |log_asymmetric_traffic| to control logging to syslog.

* New shell script in tools to create simple Lua detectors for AppID.

[*] Improvements
* sfip_t refactored to use struct in6_addr for all ip addresses.

* Post-detection callback for preprocessors.

* AppID support for multiple server/client detectors evaluating on same flow.

* AppID API for DNS packets.

* Memory optimizations throughout.

* Support sending UDP active responses.

* Fix perfmon tracking of pruned packets.

* Stability improvements for AppID.

* Stability improvements for Stream6 preprocessor.

* Added improved support to block malware in FTP preprocessor.

* Added support to differentiate between active and passive FTP connections.

* Improvements done in Stream6 preprocessor to avoid having duplicate packets in the DAQ retry queue.

* Resolved an issue where reputation config incorrectly displayed 'blacklist' in priority field even though 'whitelist' option was configured.

* Added support for multiple expected sessions created per packet

* Active response now supports MPLS


As always Snort can be downloaded from the Snort Downloads page on Snort.org! Please provide your feedback via the Snort Mailing lists!

We'd like to thank the following Snort Community members for their submissions to Snort which have been released in Snort 2.9.8.0:

Mike Cox
Gabriel Corre
Alexander Bubnov