Pull request #5222: build: generate and tag 3.12.1.0

Merge in SNORT/snort3 from ~PRBG/snort3:build_3.12.1.0 to master

Squashed commit of the following:

commit 32e37e40dbf03e08aa8eabfec2ddf943bc32da5b
Author: Priyanka Gurudev <prbg@cisco.com>
Date:   Tue Mar 17 18:08:00 2026 -0400

    build: generate and tag 3.12.1.0

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 9e8a5e58f0bcdf6822c868d3ffc6f9c826cae4fc..438fa8a78451e218f5e90356b43d2181698b33c9 100644 (file)
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -3,7 +3,7 @@ project (snort CXX C)
 
 set (VERSION_MAJOR 3)
 set (VERSION_MINOR 12)
 
 set (VERSION_MAJOR 3)
 set (VERSION_MINOR 12)

-set (VERSION_PATCH 0)
+set (VERSION_PATCH 1)

 set (VERSION_SUBLEVEL 0)
 set (VERSION "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}.${VERSION_SUBLEVEL}")
 
 set (VERSION_SUBLEVEL 0)
 set (VERSION "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}.${VERSION_SUBLEVEL}")
 

diff --git a/ChangeLog.md b/ChangeLog.md
index e3b947470db58c11bdd963e63e4ab86145fe4632..6c7bdf8193d477e700572f6f13ec2d3fdf297bdc 100644 (file)
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -1,3 +1,44 @@
+2026-03-17: 3.12.1.0
+
+* appid: address FIXIT comments related to http inspector
+* appid: add unit test to cover DNS payload handler null dsession
+* appid: fix app detection when sni is spoofed
+* appid: removing dead code in service ssl
+* appid: sync host attributes on http event service detection
+* decompress: fix tsan data race
+* decompress: fix tsan data race in decompress_buffer_size
+* dns: prevent unbounded TCP session vector growth
+* extractor: add FILE logging
+* extractor: add more details in SSH
+* extractor: add SSH direction field
+* extractor: add SSH version field
+* extractor: compute shared (selected) algorithm in SSH
+* extractor: log SSH events
+* extractor: move details under 'algorithm' event
+* extractor: refine code
+* extractor: rename ssl.server_name_identifier
+* file_api: change file_service termination order after MPDatabus
+* file_api: fix tsan datarace in circular buffer, file cache and file policy
+* file_inspect: fix reload error messages
+* file names: add unit tests for get_main_file and get_instance_file
+* framework: return original string if list is empty
+* hash: clamp max_size to entry_size minimum
+* http_inspect: decompress optimization
+* http_inspect: fix Out-Of-Bounds read in find_next_header
+* kerberos: fix race condition when reloading and setting failed_login
+* logs: do not add / to run prefix for main thread logs
+* main: fallback to specified process affinity if we can't satisfy process.lua
+* mime: partial header memory optimization using vectors to preallocate memory rather than allocating for every new chunk of header appended
+* opcua: buf size increase and service modifications
+* plugins: move trash pickup from analyzers to main
+* pub_sub: add content-length validation
+* snort: relax memory order for reload_id updates
+* snort: tweak config dtor so that tuners are released before their inspector
+* socks: remove block_udp_fragmentation configuration option
+* ssl: adding additional parser data fields checks
+* stream: pass opaque during IP fragment reassembly in FragRebuild
+* stream_tcp: make sure to check for bad seq only when ISS is initialized
+

 2026-03-03: 3.12.0.0
 
 * alert_syslog, snort, syslog_trace: refactor syslog calls
 2026-03-03: 3.12.0.0
 
 * alert_syslog, snort, syslog_trace: refactor syslog calls

diff --git a/cmake/FindDAQ.cmake b/cmake/FindDAQ.cmake
index 930b400a7a7db0c67d65146d13421044b6a952bd..d6672771b644956357f37085d73c0e72c9134e62 100644 (file)
--- a/cmake/FindDAQ.cmake
+++ b/cmake/FindDAQ.cmake
@@ -16,7 +16,7 @@ This module defines:
 #]=======================================================================]
 
 find_package(PkgConfig)
 #]=======================================================================]
 
 find_package(PkgConfig)

-pkg_check_modules(PC_DAQ libdaq>=3.0.26)
+pkg_check_modules(PC_DAQ libdaq>=3.0.27)

 
 # Use DAQ_INCLUDE_DIR_HINT and DAQ_LIBRARIES_DIR_HINT from configure_cmake.sh as primary hints
 # and then package config information after that.
 
 # Use DAQ_INCLUDE_DIR_HINT and DAQ_LIBRARIES_DIR_HINT from configure_cmake.sh as primary hints
 # and then package config information after that.

diff --git a/doc/reference/snort_reference.text b/doc/reference/snort_reference.text
index b61bfc1718dd80a31a2d116981c4e3366a24a90d..6f684e19fe5f7dd38a252f675ecd7d94ade794ee 100644 (file)
--- a/doc/reference/snort_reference.text
+++ b/doc/reference/snort_reference.text
@@ -8,7 +8,7 @@ Snort 3 Reference Manual
 The Snort Team
 
 Revision History
 The Snort Team
 
 Revision History

-Revision 3.12.0.0 2026-03-03 21:22:32 EST TST
+Revision 3.12.1.0 2026-03-17 18:01:08 EDT TST

 
 ---------------------------------------------------------------------
 
 
 ---------------------------------------------------------------------
 


@@ -3747,7 +3747,8 @@ Configuration:
   * enum extractor.default_filter = pick: default action for protocol
     with no filter provided { pick | skip }
   * enum extractor.protocols[].service: service to extract from { 
   * enum extractor.default_filter = pick: default action for protocol
     with no filter provided { pick | skip }
   * enum extractor.protocols[].service: service to extract from { 

-    http | ftp | ssl | conn | dns | quic | weird | notice }
+    http | ssh | ftp | ssl | conn | dns | quic | file | weird | 
+    notice }

   * int extractor.protocols[].tenant_id = 0: tenant_id of target
     tenant { 0:max32 }
   * string extractor.protocols[].on_events: specify events to log
   * int extractor.protocols[].tenant_id = 0: tenant_id of target
     tenant { 0:max32 }
   * string extractor.protocols[].on_events: specify events to log


@@ -4316,7 +4317,6 @@ Rules:
   * 119:213 (http_inspect) HTTP chunk misformatted
   * 119:214 (http_inspect) white space adjacent to chunk length
   * 119:215 (http_inspect) white space within header name
   * 119:213 (http_inspect) HTTP chunk misformatted
   * 119:214 (http_inspect) white space adjacent to chunk length
   * 119:215 (http_inspect) white space within header name

-  * 119:216 (http_inspect) excessive gzip compression

   * 119:217 (http_inspect) gzip decompression failed
   * 119:218 (http_inspect) HTTP 0.9 requested followed by another
     request
   * 119:217 (http_inspect) gzip decompression failed
   * 119:218 (http_inspect) HTTP 0.9 requested followed by another
     request


@@ -4417,6 +4417,9 @@ Rules:
     methods list or is on disallowed methods list
   * 119:288 (http_inspect) HTTP gzip body with reserved flag set
   * 119:289 (http_inspect) Too many partial flushes
     methods list or is on disallowed methods list
   * 119:288 (http_inspect) HTTP gzip body with reserved flag set
   * 119:289 (http_inspect) Too many partial flushes

+  * 119:290 (http_inspect) deflate compressed data followed by
+    unexpected non-deflate data
+  * 119:291 (http_inspect) deflate decompression failed

 
 Peg counts:
 
 
 Peg counts:
 


@@ -4476,6 +4479,14 @@ Peg counts:
     too many MIME attachments to inspect (sum)
   * http_inspect.compressed_gzip: total number of HTTP bodies
     compressed with GZIP (sum)
     too many MIME attachments to inspect (sum)
   * http_inspect.compressed_gzip: total number of HTTP bodies
     compressed with GZIP (sum)

+  * http_inspect.compressed_gzip_failed: total number of HTTP bodies
+    with failed GZIP decompression (sum)
+  * http_inspect.compressed_deflate: total number of HTTP bodies
+    compressed with Deflate (sum)
+  * http_inspect.incorrect_deflate_header: total number of HTTP
+    bodies compressed with Deflate that had incorrect header (sum)
+  * http_inspect.compressed_deflate_failed: total number of HTTP
+    bodies with failed Deflate decompression (sum)

   * http_inspect.compressed_not_supported: total number of HTTP
     bodies compressed with known but not supported methods (sum)
   * http_inspect.compressed_unknown: total number of HTTP bodies
   * http_inspect.compressed_not_supported: total number of HTTP
     bodies compressed with known but not supported methods (sum)
   * http_inspect.compressed_unknown: total number of HTTP bodies


@@ -4971,7 +4982,7 @@ Instance Type: multiton
 Rules:
 
   * 153:1 (opcua) invalid OPC UA MessageSize value detected
 Rules:
 
   * 153:1 (opcua) invalid OPC UA MessageSize value detected

-  * 153:2 (opcua) abnormal OPC UA MessageSize value detected
+  * 153:2 (opcua) large OPC UA MessageSize value detected

   * 153:3 (opcua) invalid OPC UA MsgType value detected
   * 153:4 (opcua) invalid OPC UA IsFinal value detected
   * 153:5 (opcua) OPC UA message split across multiple packets
   * 153:3 (opcua) invalid OPC UA MsgType value detected
   * 153:4 (opcua) invalid OPC UA IsFinal value detected
   * 153:5 (opcua) OPC UA message split across multiple packets


@@ -6064,11 +6075,6 @@ Usage: inspect
 
 Instance Type: multiton
 
 
 Instance Type: multiton
 

-Configuration:
-
-  * bool socks.block_udp_fragmentation = true: block flow when SOCKS5
-    UDP fragmentation detected (frag > 0)
-

 Rules:
 
   * 155:1 (socks) SOCKS unknown command
 Rules:
 
   * 155:1 (socks) SOCKS unknown command


@@ -6095,9 +6101,7 @@ Peg counts:
   * socks.udp_expectations_created: UDP expectations created for
     dynamic ports (sum)
   * socks.udp_packets: UDP packets processed (sum)
   * socks.udp_expectations_created: UDP expectations created for
     dynamic ports (sum)
   * socks.udp_packets: UDP packets processed (sum)

-  * socks.udp_frags_dropped: UDP fragments dropped (sum)
-  * socks.udp_frags_blocked: flows blocked due to UDP fragmentation
-    (sum)
+  * socks.udp_frags: UDP fragmented packets detected (sum)

 
 
 5.48. ssh
 
 
 5.48. ssh


@@ -10545,7 +10549,8 @@ libraries see the Getting Started section of the manual.
   * string extractor.protocols[].fields: specify fields to log
   * string extractor.protocols[].on_events: specify events to log
   * enum extractor.protocols[].service: service to extract from { 
   * string extractor.protocols[].fields: specify fields to log
   * string extractor.protocols[].on_events: specify events to log
   * enum extractor.protocols[].service: service to extract from { 

-    http | ftp | ssl | conn | dns | quic | weird | notice }
+    http | ssh | ftp | ssl | conn | dns | quic | file | weird | 
+    notice }

   * int extractor.protocols[].tenant_id = 0: tenant_id of target
     tenant { 0:max32 }
   * enum extractor.time = unix: output format for timestamp values { 
   * int extractor.protocols[].tenant_id = 0: tenant_id of target
     tenant { 0:max32 }
   * enum extractor.time = unix: output format for timestamp values { 


@@ -12165,8 +12170,6 @@ libraries see the Getting Started section of the manual.
     the system; default is 1 { 0:max32 }
   * int socks_address_type.~type: address type (1=IPv4, 3=Domain, 4=
     IPv6) { 1:4 }
     the system; default is 1 { 0:max32 }
   * int socks_address_type.~type: address type (1=IPv4, 3=Domain, 4=
     IPv6) { 1:4 }

-  * bool socks.block_udp_fragmentation = true: block flow when SOCKS5
-    UDP fragmentation detected (frag > 0)

   * int socks_command.~command: SOCKS command (1=CONNECT, 2=BIND, 3=
     UDP_ASSOCIATE) { 1:3 }
   * string socks_remote_address.~: address to match (substring)
   * int socks_command.~command: SOCKS command (1=CONNECT, 2=BIND, 3=
     UDP_ASSOCIATE) { 1:3 }
   * string socks_remote_address.~: address to match (substring)


@@ -13060,6 +13063,12 @@ libraries see the Getting Started section of the manual.
   * http2_inspect.total_bytes: total HTTP/2 data bytes inspected
     (sum)
   * http_inspect.chunked: chunked message bodies (sum)
   * http2_inspect.total_bytes: total HTTP/2 data bytes inspected
     (sum)
   * http_inspect.chunked: chunked message bodies (sum)

+  * http_inspect.compressed_deflate_failed: total number of HTTP
+    bodies with failed Deflate decompression (sum)
+  * http_inspect.compressed_deflate: total number of HTTP bodies
+    compressed with Deflate (sum)
+  * http_inspect.compressed_gzip_failed: total number of HTTP bodies
+    with failed GZIP decompression (sum)

   * http_inspect.compressed_gzip: total number of HTTP bodies
     compressed with GZIP (sum)
   * http_inspect.compressed_not_supported: total number of HTTP
   * http_inspect.compressed_gzip: total number of HTTP bodies
     compressed with GZIP (sum)
   * http_inspect.compressed_not_supported: total number of HTTP


@@ -13077,6 +13086,8 @@ libraries see the Getting Started section of the manual.
   * http_inspect.flows: HTTP connections inspected (sum)
   * http_inspect.get_requests: GET requests inspected (sum)
   * http_inspect.head_requests: HEAD requests inspected (sum)
   * http_inspect.flows: HTTP connections inspected (sum)
   * http_inspect.get_requests: GET requests inspected (sum)
   * http_inspect.head_requests: HEAD requests inspected (sum)

+  * http_inspect.incorrect_deflate_header: total number of HTTP
+    bodies compressed with Deflate that had incorrect header (sum)

   * http_inspect.inspections: total message sections inspected (sum)
   * http_inspect.js_external_scripts: total number of external
     JavaScripts processed (sum)
   * http_inspect.inspections: total message sections inspected (sum)
   * http_inspect.js_external_scripts: total number of external
     JavaScripts processed (sum)


@@ -13616,9 +13627,7 @@ libraries see the Getting Started section of the manual.
   * socks.udp_associations_created: UDP ASSOCIATE completions (sum)
   * socks.udp_expectations_created: UDP expectations created for
     dynamic ports (sum)
   * socks.udp_associations_created: UDP ASSOCIATE completions (sum)
   * socks.udp_expectations_created: UDP expectations created for
     dynamic ports (sum)

-  * socks.udp_frags_blocked: flows blocked due to UDP fragmentation
-    (sum)
-  * socks.udp_frags_dropped: UDP fragments dropped (sum)
+  * socks.udp_frags: UDP fragmented packets detected (sum)

   * socks.udp_packets: UDP packets processed (sum)
   * ssh.aborted_sessions: total session aborted (sum)
   * ssh.concurrent_sessions: total concurrent ssh sessions (now)
   * socks.udp_packets: UDP packets processed (sum)
   * ssh.aborted_sessions: total session aborted (sum)
   * ssh.concurrent_sessions: total concurrent ssh sessions (now)


@@ -15182,7 +15191,7 @@ and trailing whitespace.
 
 An HTTP header name contains whitespace.
 
 
 An HTTP header name contains whitespace.
 

-119:216 (http_inspect) excessive gzip compression
+119:216

 
 A gzip-encoded HTTP message body was found to have an excessive
 compression ratio during decompression.
 
 A gzip-encoded HTTP message body was found to have an excessive
 compression ratio during decompression.

diff --git a/doc/upgrade/snort_upgrade.text b/doc/upgrade/snort_upgrade.text
index 8f358b53d344dbdffbb73ea7008a864a363632c9..bd6c89a65a12cad768f7c317baba7585f23e1b37 100644 (file)
--- a/doc/upgrade/snort_upgrade.text
+++ b/doc/upgrade/snort_upgrade.text
@@ -8,7 +8,7 @@ Snort 3 Upgrade Manual
 The Snort Team
 
 Revision History
 The Snort Team
 
 Revision History

-Revision 3.12.0.0 2026-03-03 21:23:26 EST TST
+Revision 3.12.1.0 2026-03-17 18:01:46 EDT TST

 
 ---------------------------------------------------------------------
 
 
 ---------------------------------------------------------------------
 

diff --git a/doc/user/snort_user.text b/doc/user/snort_user.text
index d198da1df3975259ab794d932409c689ed5405df..e0165734118900a10d630f64045e194df32685f0 100644 (file)
--- a/doc/user/snort_user.text
+++ b/doc/user/snort_user.text
@@ -8,7 +8,7 @@ Snort 3 User Manual
 The Snort Team
 
 Revision History
 The Snort Team
 
 Revision History

-Revision 3.12.0.0 2026-03-03 21:22:50 EST TST
+Revision 3.12.1.0 2026-03-17 18:01:20 EDT TST

 
 ---------------------------------------------------------------------
 
 
 ---------------------------------------------------------------------
 


@@ -5924,6 +5924,10 @@ Services and their events:
   * HTTP, HTTP2
 
       + eot (request-response pair)
   * HTTP, HTTP2
 
       + eot (request-response pair)

+  * SSH
+
+      + algorithm (key exchange with details)
+      + exchange (key exchange complete)

   * FTP
 
       + request
   * FTP
 
       + request


@@ -5939,6 +5943,9 @@ Services and their events:
   * connection (conn)
 
       + eof (end of flow)
   * connection (conn)
 
       + eof (end of flow)

+  * file
+
+      + eof (end of file)

   * internal built-in checks which failed (weird)
 
       + builtin (internally-detected infraction is queued for further
   * internal built-in checks which failed (weird)
 
       + builtin (internally-detected infraction is queued for further


@@ -5991,6 +5998,52 @@ Fields supported for HTTP:
   * resp_mime_types - list with the content types of the files sent
     by server
 
   * resp_mime_types - list with the content types of the files sent
     by server
 

+Fields supported for SSH:
+
+  * version - major version
+  * direction - direction of the connection (LAN/WAN outbound/
+    inbound)
+  * client.version - the client’s version string
+  * client.kex_alg - key exchange algorithms listed by client
+  * client.host_key_alg - server host key algorithms listed by client
+  * client.cipher_c2s_alg - symmetric encryption algorithms
+    (client-to-server direction) listed by client
+  * client.cipher_s2c_alg - symmetric encryption algorithms
+    (server-to-client direction) listed by client
+  * client.mac_c2s_alg - MAC algorithms (client-to-server direction)
+    listed by client
+  * client.mac_s2c_alg - MAC algorithms (server-to-client direction)
+    listed by client
+  * client.compression_c2s_alg - compression algorithms
+    (client-to-server direction) listed by client
+  * client.compression_s2c_alg - compression algorithms
+    (server-to-client direction) listed by client
+  * server.version - the server’s version string
+  * server.kex_alg - key exchange algorithms listed by server
+  * server.host_key_alg - server host key algorithms listed by server
+  * server.cipher_c2s_alg - symmetric encryption algorithms
+    (client-to-server direction) listed by server
+  * server.cipher_s2c_alg - symmetric encryption algorithms
+    (server-to-client direction) listed by server
+  * server.mac_c2s_alg - MAC algorithms (client-to-server direction)
+    listed by server
+  * server.mac_s2c_alg - MAC algorithms (server-to-client direction)
+    listed by server
+  * server.compression_c2s_alg - compression algorithms
+    (client-to-server direction) listed by server
+  * server.compression_s2c_alg - compression algorithms
+    (server-to-client direction) listed by server
+  * kex_alg - key exchange algorithms in use (separated by comma if
+    not the same: c2s, s2c)
+  * host_key_alg - server host key algorithms in use (separated by
+    comma if not the same: c2s, s2c)
+  * cipher_alg - symmetric encryption algorithms in use (separated by
+    comma if not the same: c2s, s2c)
+  * mac_alg - MAC algorithms in use (separated by comma if not the
+    same: c2s, s2c)
+  * compression_alg - compression algorithms in use (separated by
+    comma if not the same: c2s, s2c)
+

 Fields supported for FTP:
 
   * command - last command seen in a session
 Fields supported for FTP:
 
   * command - last command seen in a session


@@ -6007,8 +6060,8 @@ Fields supported for FTP:
 Fields supported for SSL:
 
   * version - SSL/TLS version that the server chose
 Fields supported for SSL:
 
   * version - SSL/TLS version that the server chose

-  * server_name_identifier - Server Name Identifier ( SNI ) extracted
-    from Client Hello
+  * server_name - Server Name Identifier ( SNI ) extracted from
+    Client Hello

   * validation_status - result of certificate validation
   * subject - RFC2253 formatted certificate subject information
   * issuer - RFC2253 formatted certificate issuer information
   * validation_status - result of certificate validation
   * subject - RFC2253 formatted certificate subject information
   * issuer - RFC2253 formatted certificate issuer information


@@ -6119,6 +6172,25 @@ UDP Events: d: Packet with payload.
 TCP Events: s: SYN, h: SYN-ACK, a: Pure ACK or PUSH, d: Packet with
 payload, f: FIN, r: Reset.
 
 TCP Events: s: SYN, h: SYN-ACK, a: Pure ACK or PUSH, d: Packet with
 payload, f: FIN, r: Reset.
 

+Fields supported for file:
+
+  * filename - filename from headers in network protocols
+  * fuid - unique file identifier
+  * source - a protocol associated with the file
+  * inspector - inspector associated with the file analysis
+  * mime_type - mime attachment type (or file type identified by file
+    magic)
+  * is_orig - if sender was originator of the file transfer
+  * seen_bytes - number of bytes processed for analysis
+  * total_bytes - total file size in bytes
+  * duration - duration the file was analyzed for, in seconds
+  * timeout - if file analysis timed out
+  * sha256 - SHA256 digest of the file contents
+  * extracted- name of captured file
+  * extracted_size - number of bytes captured
+  * extracted_cutoff - true if the file being captured was cut off so
+    the whole file was not logged
+

 Fields supported for weird and notice logs:
 
   * sid - unique signature number of the rule
 Fields supported for weird and notice logs:
 
   * sid - unique signature number of the rule