+2024-02-01: 3.1.79.0
+
+appid: add tenants filter for appid debug
+appid: process organization unit instead of organization name
+appid: return false in is_appid_inspecting_session for quic if not decrypting
+appid: update peg counts to be thread safe
+coverity: fix for stream and hash
+filters: make rate_filter multithreaded + some cleanup
+kaizen: add dev_notes.txt
+kaizen: change default value of uri_depth to -1
+kaizen: change kaizen gid to 411
+kaizen: extend mock object with simple matching mechanism
+kaizen: make kaizen configurable per policy
+kaizen: register module only when LibML present or REG_TEST defined
+kaizen: update copyright
+mercury: updating alpn info without sni in 7.6
+network_inspectors: add kaizen ML based exploit detector
+packet_tracer: add tenants to filters
+profiler: improve multithread rule percentage calculation
+ssl: heap overflow issue when processing handshake records
+stream_tcp: correct labeling of in-sequence and out-of-sequence packets
+stream_tcp: persist disable_reassembly in Flow
+stream_tcp: set packet direction flag based on direction saved in reassembly state
+
2024-01-16: 3.1.78.0
* appid: print odp version and odp detector count on startup
The Snort Team
Revision History
-Revision 3.1.78.0 2024-01-16 01:22:50 EST TST
+Revision 3.1.79.0 2024-02-01 19:30:03 UTC TST
---------------------------------------------------------------------
1. Help
2. Basic Modules
-
2.1. active
2.2. alerts
2.3. attribute_table
2.31. snort
2.32. suppress
2.33. trace
-
3. Codec Modules
-
3.1. arp
3.2. auth
3.3. ciscometadata
3.25. udp
3.26. vlan
3.27. wlan
-
4. Connector Modules
-
4.1. file_connector
4.2. tcp_connector
-
5. Inspector Modules
-
5.1. appid
5.2. appid_listener
5.3. arp_spoof
5.53. stream_user
5.54. telnet
5.55. wizard
-
6. IPS Action Modules
-
6.1. react
6.2. reject
-
7. IPS Option Modules
-
7.1. ack
7.2. appids
7.3. base64_decode
7.128. vba_data
7.129. window
7.130. wscale
-
8. Search Engine Modules
9. SO Rule Modules
10. Logger Modules
-
10.1. alert_csv
10.2. alert_ex
10.3. alert_fast
10.10. log_hext
10.11. log_pcap
10.12. unified2
-
11. Appendix
-
11.1. Build Options
11.2. Environment Variables
11.3. Command Line Options
Commands:
- * packet_tracer.enable(proto, src_ip, src_port, dst_ip, dst_port):
- enable packet tracer debugging
+ * packet_tracer.enable(proto, src_ip, src_port, dst_ip, dst_port,
+ tenants): enable packet tracer debugging
* packet_tracer.disable(): disable packet tracer
Commands:
- * appid.enable_debug(proto, src_ip, src_port, dst_ip, dst_port):
- enable appid debugging
+ * appid.enable_debug(proto, src_ip, src_port, dst_ip, dst_port,
+ tenants): enable appid debugging
* appid.disable_debug(): disable appid debugging
* appid.reload_third_party(): reload appid third-party module
* appid.reload_detectors(): reload appid detectors
The TCP packet is invalid because it doesn’t have a SYN, ACK, or RST
flag set.
-116:424 (pbb) truncated ethernet header
+116:424 (eth) truncated ethernet header
The packet length is less than the minimum ethernet header size (14
bytes)
-116:424 (pbb) truncated ethernet header
+116:424 (eth) truncated ethernet header
A truncated ethernet header was detected.
--------------
- * appid.enable_debug(proto, src_ip, src_port, dst_ip, dst_port):
- enable appid debugging
+ * appid.enable_debug(proto, src_ip, src_port, dst_ip, dst_port,
+ tenants): enable appid debugging
* appid.disable_debug(): disable appid debugging
* appid.reload_third_party(): reload appid third-party module
* appid.reload_detectors(): reload appid detectors
the user policy id
* packet_capture.enable(filter, group): dump raw packets
* packet_capture.disable(): stop packet dump
- * packet_tracer.enable(proto, src_ip, src_port, dst_ip, dst_port):
- enable packet tracer debugging
+ * packet_tracer.enable(proto, src_ip, src_port, dst_ip, dst_port,
+ tenants): enable packet tracer debugging
* packet_tracer.disable(): disable packet tracer
* perf_monitor.enable_flow_ip_profiling(seconds, packets): enable
statistics on host pairs
The Snort Team
Revision History
-Revision 3.1.78.0 2024-01-16 01:23:57 EST TST
+Revision 3.1.79.0 2024-02-01 19:29:51 UTC TST
---------------------------------------------------------------------
Table of Contents
1. Overview
-
1.1. Efficacy
1.2. Performance
1.3. Scalability
1.4. Usability
1.5. Extensibility
-
2. Snort 3 vs Snort 2
-
2.1. Features New to Snort 3
2.2. Features Improved over Snort 2
2.3. Build Options
2.7. Output
2.8. Sensitive Data
2.9. Features Not Yet Supported by Snort 3
-
3. Snort2Lua
-
3.1. Snort2Lua Command Line
3.2. Known Problems
3.3. Usage
-
4. Configuration Changes
change -> config 'daq_dir' ==> 'daq.module_dirs'
change -> config 'detection_filter' ==> 'alerts.detection_filter_memcap'
change -> config 'enable_deep_teredo_inspection' ==> 'udp.deep_teredo_inspection'
-change -> config 'enable_mpls_overlapping_ip' ==> 'packets.mpls_agnostic'
change -> config 'event_filter' ==> 'alerts.event_filter_memcap'
change -> config 'max_attribute_hosts' ==> 'attribute_table.max_hosts'
change -> config 'max_attribute_services_per_host' ==> 'attribute_table.max_services_per_host'
change -> daq_mode: 'config daq_mode:' ==> 'mode'
change -> daq_var: 'config daq_var:' ==> 'variables'
change -> detection: 'ac' ==> 'ac_full'
-change -> detection: 'ac-banded' ==> 'ac_full'
+change -> detection: 'ac-banded' ==> 'ac_banded'
change -> detection: 'ac-bnfa' ==> 'ac_bnfa'
change -> detection: 'ac-bnfa-nq' ==> 'ac_bnfa'
change -> detection: 'ac-bnfa-q' ==> 'ac_bnfa'
change -> detection: 'ac-nq' ==> 'ac_full'
change -> detection: 'ac-q' ==> 'ac_full'
-change -> detection: 'ac-sparsebands' ==> 'ac_full'
+change -> detection: 'ac-sparsebands' ==> 'ac_sparse_bands'
change -> detection: 'ac-split' ==> 'ac_full'
change -> detection: 'ac-split' ==> 'split_any_any'
-change -> detection: 'ac-std' ==> 'ac_full'
-change -> detection: 'acs' ==> 'ac_full'
+change -> detection: 'ac-std' ==> 'ac_std'
+change -> detection: 'acs' ==> 'ac_sparse'
change -> detection: 'bleedover-port-limit' ==> 'bleedover_port_limit'
change -> detection: 'debug-print-fast-pattern' ==> 'show_fast_patterns'
change -> detection: 'intel-cpm' ==> 'hyperscan'
change -> detection: 'max-pattern-len' ==> 'max_pattern_len'
change -> detection: 'no_stream_inserts' ==> 'detect_raw_tcp'
change -> detection: 'search-method' ==> 'search_method'
+change -> detection: 'search-optimize' ==> 'search_optimize'
change -> detection: 'split-any-any' ==> 'split_any_any = true by default'
change -> detection: 'split-any-any' ==> 'split_any_any'
change -> dnp3: 'ports' ==> 'bindings'
change -> reputation: 'shared_mem' ==> 'list_dir'
change -> sfportscan: 'proto' ==> 'protos'
change -> sfportscan: 'scan_type' ==> 'scan_types'
-change -> sip: 'max_requestName_len' ==> 'max_request_name_len'
change -> sip: 'ports' ==> 'bindings'
change -> smtp: 'ports' ==> 'bindings'
change -> ssh: 'server_ports' ==> 'bindings'
deleted -> config 'disable_inline_init_failopen'
deleted -> config 'disable_ipopt_alerts'
deleted -> config 'disable_ipopt_drops'
-deleted -> config 'disable_replace'
deleted -> config 'disable_tcpopt_alerts'
deleted -> config 'disable_tcpopt_drops'
deleted -> config 'disable_tcpopt_experimental_alerts'
deleted -> config 'enable_decode_oversized_drops'
deleted -> config 'enable_gtp'
deleted -> config 'enable_ipopt_drops'
-deleted -> config 'enable_mpls_multicast'
deleted -> config 'enable_tcpopt_drops'
deleted -> config 'enable_tcpopt_experimental_drops'
deleted -> config 'enable_tcpopt_obsolete_drops'
deleted -> config 'sflog_unified2'
deleted -> config 'sidechannel'
deleted -> config 'so_rule_memcap'
-deleted -> config 'stateful'
deleted -> csv: '<filename> can no longer be specific'
deleted -> csv: 'default'
deleted -> csv: 'trheader'
deleted -> detection: 'mwm'
-deleted -> detection: 'search-optimize is always true'
deleted -> dnp3: 'disabled'
deleted -> dnp3: 'memcap'
deleted -> dns: 'enable_experimental_types'
deleted -> full: '<filename> can no longer be specific'
deleted -> http_inspect: 'detect_anomalous_servers'
deleted -> http_inspect: 'disabled'
-deleted -> http_inspect: 'fast_blocking'
-deleted -> http_inspect: 'normalize_random_nulls_in_text'
deleted -> http_inspect: 'proxy_alert'
deleted -> http_inspect_server: 'allow_proxy_use'
deleted -> http_inspect_server: 'enable_cookie'
deleted -> stream5_tcp: 'log_asymmetric_traffic'
deleted -> stream5_tcp: 'policy noack'
deleted -> stream5_tcp: 'policy unknown'
-deleted -> stream5_tcp: 'use_static_footprint_sizes'
deleted -> stream5_udp: 'ignore_any_rules'
deleted -> tcpdump: '<filename> can no longer be specific'
deleted -> test: 'file'
projects / thirdparty / snort3.git / commitdiff
