Snort 3.6.0.0

Snort is the foremost Open Source Intrusion Prevention System (IPS) in the world. Snort uses a set of rules that define malicious network activity, matches packets against those rules and generates alerts for users. Deployed inline, it can also stop the matching packets; in a passive (tap) deployment it only reports them. Snort has three primary uses: as a packet sniffer like tcpdump, as a packet logger (useful for network traffic debugging), or as a full-blown network intrusion prevention system. Snort can be downloaded and configured for personal and business use alike.
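The configuration below is an added example written for this page, not code from the Snort project, to show what the description above means in practice: a Snort 3 configuration is a Lua file, the rules inside it define the traffic to catch, and whether a match is merely reported or actually stopped depends on the policy mode and on how Snort is started. The file name local.lua, the 192.168.1.0/24 range, the interface names and the rule SIDs are assumptions made for the example.

```lua
-- Added example for this page (not Snort project code). Assumed file name: local.lua.
-- Network ranges, interfaces and SIDs below are placeholders chosen for the example.

HOME_NET = '192.168.1.0/24'       -- assumed internal range
EXTERNAL_NET = '!' .. HOME_NET    -- everything that is not HOME_NET

-- Stream reassembly plus an HTTP inspector. Without them the http_uri buffer
-- used by the rules below is never populated, and a raw content match on the
-- wire would be easy to evade by splitting or encoding the request.
stream = { }
stream_tcp = { }
http_inspect = { }
binder = {
    { when = { proto = 'tcp', ports = '80' }, use = { type = 'http_inspect' } },
}

ips = {
    -- 'tap' evaluates rules and alerts but never blocks, even for drop rules.
    -- 'inline' honours block/drop actions when Snort runs with -Q on an inline
    -- DAQ. 'inline-test' alerts on what would have been dropped, which is the
    -- safe way to stage a new rule set before letting it block traffic.
    mode = 'tap',
    enable_builtin_rules = true,
    variables = { nets = { HOME_NET = HOME_NET, EXTERNAL_NET = EXTERNAL_NET } },
    rules = [[
        alert tcp $EXTERNAL_NET any -> $HOME_NET 80 ( msg:"Directory traversal in URI"; flow:to_server,established; http_uri; content:"../"; sid:1000001; rev:1; )
        drop tcp $EXTERNAL_NET any -> $HOME_NET 80 ( msg:"Request for /etc/passwd"; flow:to_server,established; http_uri; content:"/etc/passwd",nocase; sid:1000002; rev:1; )
    ]],
}

-- Log at most one sid 1000001 alert per source address per minute, so a
-- scanner cannot flood the alert log; the drop rule is unaffected.
event_filter = {
    { gid = 1, sid = 1000001, type = 'limit', track = 'by_src', count = 1, seconds = 60 },
}

-- One line per event in alert_fast.txt under the log directory given with -l.
alert_fast = { file = true }
```

Validate the file with snort -c local.lua -T before deploying it, and run it against a capture first (snort -c local.lua -r traffic.pcap -A alert_fast -l /tmp/snortlog); in tap mode the drop rule only raises an alert. To block, set mode = 'inline' and start Snort inline on a bridged interface pair, for example snort -c local.lua -Q --daq afpacket --daq-mode inline -i eth0:eth1 -A alert_fast. The packet-sniffer and packet-logger uses from the description correspond to running without a rule set and selecting a packet logger with -L (for example -L dump to print packets, or -L pcap with -l to write them to the log directory).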

Tags: ids, logger, traffic, ips, network, security, analysis, tcp, udp, cpp, c
License: GNU GPLv3
State: initial

Recent Releases

3.6.0.0 (06 Dec 2024 12:25) major feature: Analyzer: add logging for resource tuning progress. Appid: adding full path to read list of lua detectors. Build: update docs about the bump of C++ compiler supported feature set requirement. Connectors: add std I/O connector and connector API update. Connectors: fix cppcheck warning in std_connector test. Extractor: update logger. File_api: add unit tests for fileinfo methods. Flow: publish flow end event. Http_inspect, mime: add hostname and url for http with mime. Http_inspect: remove semicolon http_param delimiter. Ips_options: update module::begin method and reset 'relative' flag. Main: remove mutex from snort command to show snort cpu.
3.5.2.0 (30 Nov 2024 12:25) major feature: Decompress: handle ZIP central directory. Doc: add extractor logging feature. Extractor: add ftp service implementation. Extractor: add imaginary transaction event to FTP. Extractor: add user field. Extractor: enable logging for FTP aggregated event. Extractor: event handlers subscribe by themselves. Extractor: memory management. Extractor: include type support header explicitly. Extractor: introduce flow data. Extractor: log on last response. Extractor: move extractor event out of snort namespace. Extractor: refactor code. Extractor: update dev_notes.txt. File_api: add helper methods to unset filename and reset sha. Ftp: reset cmd_size when reset cmd_str. Sip: parse all the SIP methods defined. Stream_tcp: initialize the daq_instance field in the Packet instance allocated for a meta-ack to the value from the wire packet. Thread: get_relative_instance_number now zero-based.
3.5.1.0 (29 Nov 2024 12:25) major feature: Appid: add new api to check if service is over quic. Appid: add tls_version capture in appid_session. Appid: implement an API that allows users to specify values for data items used in lua detectors. Appid: unit-test added for is_service_over_quic. Doc: add details regarding RTN evaluation. Flow: new allowlist LRU. Http2_inspect: handle multiple cookie header fields. Js_norm: add cross-PDU PDF token reassembly. Side_channel: fix compiler warning in side channel formatting test. Smtp: fixing the processing of SMTP response in case of encrypted traffic. Stream: add thread instance number to dump_flows control command output. Stream_tcp: pass tracker and seglist to TcpReassembler as refs, define dummy tracker seglist for use by TcpReassemblerIgnore. Stream_tcp: when queue limit thresholds are exceeded in IDS mode on asymmetric connections only skip a hole at the beginning of the seglist before flushing.
3.5.0.0 (27 Nov 2024 19:25) major bugfix: Connectors: fix tsan warning in tcp connector. Framework: update connector interface. Main: move connectors initialization from SideChannel. Managers: update connector manager.
3.3.7.0 (25 Nov 2024 17:45) major feature: Appid: dns sinkhole support for edns. Appid: early SSH detection brute-force fix. Appid: fix for one definition rule violation. Binder: change binding to have single service. Extractor: flush data on unlocking a writer. Extractor: notify handler whether it is a fixed-width formatting. Extractor: refactor data pipe between an inspector and extractor's logger. Extractor: rewrite std writer to use text_log utility. Extractor: update logger with an internal set of fields for logging. Ftp_telnet: adding fallback functionality for ftp. Http2_inspect: add IPS options for frame header and data. Memory: add shell commands for jemalloc heap profiling. Process: skip vDSO frame on aarch64. Ssh: added abort session in streamsplitter. Stream: fix to dump all flows. Stream_tcp: add assert to verify configured normalizer policy is valid. Stream_tcp: do not overwrite global normalizer policy config option when proxy mode is enabled.
3.3.5.0 (23 Nov 2024 19:05) major feature: Appid: added new logs for reload third party. Extractor: add field name to logging function. Extractor: add json logger. Extractor: add unit tests for enum types. Extractor: fix guard-macro names. Extractor: fix local variable. Extractor: mention a field in initialization list. Extractor: remove unused headers. Extractor: take a note of IT-P in key points. File_api: set file name for file processing. Http_inspect: when cutting chunks check for MAX_OCTETS too. Packet_tracer: add tcp window size, options and meta-ack info.
3.3.4.0 (12 Nov 2024 05:05) major bugfix: Appid: notify binder on service change. Appid: replaced hsessions vector of raw pointers with a vector of smart pointers. Ftp_telnet: refactoring ftp-data. Latency, dce, stream_ip: fix max pegs incorrectly declared as sum. Telnet: avoid flush when cr or lf is between commands.
3.3.3.0 (16 Oct 2024 16:45) major feature: Control: code cleanup. Control: handle control commands after packet threads are fully initialised. Daq: add outstanding packets counter. Extractor: add flow hash key. File_api: max depth is set as part of initial config. File: remove unused variable in FileFlows destructor. Filters: update dev_notes.txt with details for event_filter. Flow: optimize timeout handling for different packet type. Http_inspect: add peg counts for gzip, known-not-supported, and unknown. Http_inspect: log normalized URI in extra data. Ips_options: separate main thread pcre counts from packet threads stats. Memory: account memory for profiler only when packet thread is involved. Src: resolve various warnings. Stream_tcp: make sure ports are correctly swapped when filling a meta-ACK packet.
3.3.2.0 (28 Aug 2024 13:25) major bugfix: Appid: fixing cpp warnings and cosmetic changes for appid cpu profiler. Appid: removing trailing whitespaces. Daq: added outstanding packets counter. Doc: builtin rule documentation updates. Flow: added compile-time option to disable tenant_id. Flow: clear deferred trust after the flow is trusted to stop repeated trusting. Js_norm: address pdf tokenizer bug. Kaizen: fix verbose mode output for unlimited options. Main: fix coverage. Sip: fallback functionality for sip inspector. Stream: refactor paf logic into a c++ class. Stream_tcp: delete lws_init, it was redundant with tcp_init; delete ITs that are no longer relevant. Stream_tcp: improve variable and function names for overlap processing. Stream_tcp: integrate and streamline setting of flush policy and splitter. Stream_tcp: merge TcpStreamSession into TcpSession. Stream_tcp: refactor segment nodes to implement reassembly cursor and eliminate tracking variables. Stream_tcp: refactor TcpReassembler into a virtual base class and subclasses for each mode: ignore, IPS and IDS. Stream_tcp: refactor to move alert functions to their own class. Stream_tcp: refactor to move tcp overlap processing out of reassembly class.
3.3.1.0 (24 Jul 2024 02:45) major feature: Appid: restructure the appid code to make it easier to follow and maintain. Appid: updating appid cpu profiler cli. Dce_rpc: correct the session counters after the upgrade from smb v1 to v2. Detection: include OPT_TREE traces in release build. Detection: make print of fast pattern as a trace module. Extractor: support trans_depth, origin and referrer fields. File: fixing file context reuse. Flow: clear flow stash when freeing the flow data. Flow: handle significant groups with unknown group value as non-group flow keys. Http_inspect: add origin header. Parser: do not skip symbols while expanding variables. Perf_monitor: introducing new parameters for ip flow profiling. Stream_tcp: move prev_norm object from TcpNormalizer to TcpNormalizerState. Stream_tcp: set daq_msg field in meta-ack pseudo-packet header to the value from the wire packet. Stream_tcp: support tracing without compilation flags. Wizard: expand MMS curse.
3.3.0.0 (11 Jul 2024 07:45) major feature: Appid: display rows limit of table and totals. Appid: using different api for picking appids for appid cpu profiler. Build: bump version to 3.2.0. Codecs: add handling of NDP types. Dns: set Flow timeout after getting DNS response. Extractor: add protocol logging for HTTP. Framework: add new Cursor Action Type. Http_inspect: set CAT_SET_SUB_SECTION for buffer with a sub-selector configured. Js_norm: prerequisites for FlexLexer includes. Main: add CLI command to show snort cpu percentage. Stream_tcp: use default size atomsplitter on fallback. Utils: remove duplication of definition. Thanks to xxxx81 for reporting the bug.
3.2.2.0 (07 Jun 2024 16:05) major feature: Appid: appid cpu profiler max columns. Appid: re-enabling appid cpu profiler, making it thread safe. Appid: store and retrieve only SNI in AppIdSession. Appid: updating file_magic.rules with some new file types added to the VDB. Dce_smb: do not prune from LRU cache during file tracker update. Doc: formatting in dev_notes.txt. Flow: add the newly-created flow to p->flow to avoid segv. Js_norm: stop PDF processing on syntax error. Main: apply loaded configuration only once. Packet_capture: make sure packet_capture is executed before detection. Service_inspectors: fix get_buf handling. Sip: flow clean-up based on lina configured timeout. Src: remove repetitive words. Thanks @gopherorg for finding those typos. Src: update to resolve new. Stream_tcp: don't attempt to verify or process keep-alive probes with data. Stream_tcp: fix infinite recursion cases. Thanks to scloder-ut-iso for helping with debug information that uncovered a case of infinite recursion. Utils: add explicit include.
3.2.1.0 (22 May 2024 13:25) major bugfix: Framework: supply directories to system headers to plug_gen.sh. Main: updates for types used by Alpine. Memory: fix unit test.
3.1.84.0 (12 Apr 2024 08:25) major bugfix: Appid: enhanced appid config parsing. Appid: remove locks from peg counts. Appid: separate main thread and packet thread appid_pub_id. Dce_smb: fixing an ASAN memory corruption detection: handle policy changes in continuation. Framework: add correct cast from double to unsigned. Http_inspect: add file_data to buffer list. Packet_capture: include cstdint in a header file. Thanks to Plup and Hauke Mehrtens for reporting this! Xhash: fix typo.
3.1.83.0 (26 Mar 2024 03:25) major bugfix: Detection: use correct packet in trace logs. Doc: add libml to optional dependencies. Flow: add filter to dump flows. Flow: fix UT. Hash: exception handling for random device. Packet_capture: fix wrong dlt in pcap header when nfq is used. Stream: count retransmits when we disable content rules. Trace: replace colon delimiter for tenant with whitespace in the trace_logger output.
3.1.82.0 (15 Mar 2024 10:05) major feature: Appid: broadcast commands with ctrlcon. Appid: change eve pattern matching logic. Appid: replaced warning log with logging api for CBD. File_api: do not clear the file capture and user file data pointers when updating the verdict from the cache. Filters: updated dyn array with vector. Flow: updated flow_data linklist with STL container. Framework: validate parameter of number type in a string form. Kaizen: rename to Snort ML. Main: clear lua stack when registering commands in a shell. Main: reset main-thread stats from the main thread. Main: update limits help. Packet_capture: add packet capturing per tenant. Sfip: remove references to unused mode feature. Sfip: zero out var/node pointers after operations to remedy heap-use-after-free on reload. Smb: fix for improper session cache destruction in tterm during config reload. Snort2lua: change deprecated use of ptr_fn to lambda. Stats: fix timing stats. Stats: perf improvement changes. Stream: remove splitter from session before inspectors. Stream_tcp: add reasons for drops due to trims. Stream_tcp: implement support for proxy mode normalization behavior. Stream_tcp: update documentation for stream TCP alerts to include the new 129:21 and 129:22 alerts. Trace: add tenants logging.
3.1.81.0 (21 Feb 2024 18:05) major feature: Appid: check tenant_match() if required. Appid: log error message instead of fatal error if appid stats logfile is not accessible. Appid: lowering max packet count before service fail. Control: adds counting to ctrlcon blocked to allow for nested commands. Detection: add c'tors, use new instead of snort_calloc. Detection: copy ip var name in dup_rtn. Flow: added ips event suppression flags. Host_cache: update_stats to remove race condition. Http_inspect: recreate JSNorm if reload takes place inside transaction. Ips_context: add lazy-allocation of alt buffer. Kaizen: provide an option to enable Kaizen's mock. Kaizen: remove redundant semicolon and add explicit cast. Kaizen: rename modules. Lua: improve spell of wizard for HTTP. Memory: prevent data race between main and packet threads. Service_inspectors: add check for JSNorm config actuality. Stream_tcp: add alerts for exceeding thresholds for max queued bytes or segments. Stream_tcp: add check to verify seglist head is not nullptr and only initialize PAF when it is not. Utils: add macro for setting thread name.
3.1.78.0 (19 Jan 2024 13:32) major bugfix: Appid: print odp version and odp detector count on startup. Copyright: update year to 2024. Doc: update arg list for "generate_builtin.sh"; add parity to "generate_" scripts arg list, thanks to @puck (https://github.com/puck). Main: fix inconsistent lua variables assignment. Parser: fix --dump-rule-meta for negated ports.