+2025-06-29: 3.9.1.0
+
+* appid: appid_debug_test and critical log fix
+* appid: broadcast command for third party tfini during tterm rather than doing it sequentially
+* appid: differentiate between request and response DNS host
+* appid: fixed APPID_LOG macro for correct usage of log_level
+* appid: fixed stash issue by fixing publishing shadow traffic
+* appid: fix tcp dns multiple transaction support
+* appid: queue analyzer command for third party setup during appid id tinit and stagger packet threads during third party tinit
+* appid: sync flow service with protocol based detection
+* binder, flow, framework: add a facility to block binding based on a do_not_decrypt flow flag and inspector can_decrypt method
+* build: address coverity warnings
+* connectors: add buffered output to std_connector
+* connectors: add redirect option to print to a file
+* connectors: give name to flusher thread
+* connectors: rebuild readers as they might be outdated at exit
+* connectors: rename text log field
+* connectors: set affinity for flusher thread
+* dns: handle multi DNS transactions one TCP connection
+* extractor: add context logging event for notice
+* helpers: add 1-reader-1-writer ring buffer
+* helpers: fix JSON stream flags after escaping
+* http_inspect: add support for partial_depth configuration option
+* main: clarify the DAQ verdict for inject
+* mime: fix crash in folding right after colon
+* mime: fix eol search and add unit tests
+* mp_dbus: transfer ownership of MPDataBus to new config during reload
+* mp_unix_transport: refactored socket reconnect
+* mp_unix_transport: use shared mutex in message processing
+* profiler: add note for total percentage for profiler_dump
+* ssl: fix integer underflow in certificate parsing
+* unixdomain_connector: explicit include of select.h
+
2025-05-28: 3.9.0.0
* codec, flow: make mpls layers in flow pointers to save memory
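Review bot: several ChangeLog entries need a copy-edit before release: "during appid id tinit" repeats "id", "handle multi DNS transactions one TCP connection" is missing a preposition (suggest "over one TCP connection"), and the list mixes tenses ("fixed APPID_LOG macro", "refactored socket reconnect") with the imperative form used by the rest ("fix tcp dns multiple transaction support"); pick one. Separately, "ssl: fix integer underflow in certificate parsing" concerns a parser that operates on network data, so the entry should say whether the underflow had a security impact (crash, over-read) so operators can decide how urgently to upgrade.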
The Snort Team
Revision History
-Revision 3.9.0.0 2025-05-28 13:58:01 EDT TST
+Revision 3.9.1.0 2025-06-29 23:11:37 EDT TST
---------------------------------------------------------------------
* string std_connector[].connector: connector name
* enum std_connector[].direction: usage { receive | transmit |
duplex }
+ * int std_connector[].buffer_size = 0: per-instance buffer size in
+ bytes (0 no buffering, otherwise buffered and synchronized across
+ threads) { 0:max32 }
+ * string std_connector[].redirect: output file name where printout
+ is redirected
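Review bot: the two new std_connector options under-specify their failure behaviour. For buffer_size, state what happens when the per-instance buffer is full (is the message discarded, or does the writer block?), since the new messages_stalled peg implies one of these happens; for redirect, state whether the file is truncated or appended at startup, how a relative path is resolved, and what the connector does if the file cannot be opened. An output sink that can silently lose records is a detection gap, so the default behaviour belongs in the reference text rather than being left to the reader.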
Peg counts:
received (sum)
* std_connector.messages_transmitted: total number of messages
transmitted (sum)
+ * std_connector.messages_stalled: total number of messages
+ attempted for transmission but overflowed (sum)
4.3. tcp_connector
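Review bot: the description of std_connector.messages_stalled, "attempted for transmission but overflowed", does not say whether those messages were delivered late or lost; "stalled" suggests delay while "overflowed" suggests loss. State the outcome explicitly so that a non-zero counter can be read correctly by whoever monitors the sensor: back-pressure is a tuning matter, lost log output is a gap in the record.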
bytes to examine (-1 no limit) { -1:max53 }
* int http_inspect.response_depth = -1: maximum response message
body bytes to examine (-1 no limit) { -1:max53 }
+ * int http_inspect.partial_depth = 0: maximum request body to send
+ to early detection (0 disabled, -1 no limit) { -1:16384 }
* bool http_inspect.unzip = true: decompress gzip and deflate
message bodies
* int http_inspect.maximum_host_length = -1: maximum allowed length
* 119:287 (http_inspect) HTTP request method is not on allowed
methods list or is on disallowed methods list
* 119:288 (http_inspect) HTTP gzip body with reserved flag set
+ * 119:289 (http_inspect) Too many partial flushes
Peg counts:
encodings in response bodies
* int http_inspect.oversize_dir_length = 300: maximum length for
URL directory { 1:65535 }
+ * int http_inspect.partial_depth = 0: maximum request body to send
+ to early detection (0 disabled, -1 no limit) { -1:16384 }
* bool http_inspect.percent_u = false: normalize %uNNNN and %UNNNN
encodings
* bool http_inspect.plus_to_space = true: replace + with <sp> when
* implied ssl_version.!tls1.2: check for records that are not
tls1.2
* implied ssl_version.tls1.2: check for tls1.2
+ * int std_connector[].buffer_size = 0: per-instance buffer size in
+ bytes (0 no buffering, otherwise buffered and synchronized across
+ threads) { 0:max32 }
* string std_connector[].connector: connector name
* enum std_connector[].direction: usage { receive | transmit |
duplex }
+ * string std_connector[].redirect: output file name where printout
+ is redirected
* bool stream.allowlist_cache.enable = false: enable allowlist
cache
* bool stream.allowlist_cache.move_on_excess = false: move flows to
* ssl.unrecognized_records: total unrecognized records (sum)
* std_connector.messages_received: total number of messages
received (sum)
+ * std_connector.messages_stalled: total number of messages
+ attempted for transmission but overflowed (sum)
* std_connector.messages_transmitted: total number of messages
transmitted (sum)
* stream.allowlist_flows: number of flows moved to the allowlist
HTTP reserved GZIP flags are set
+119:289 (http_inspect) Too many partial flushes
+
+Too many partial flushes. Partial depth is enabled and 20 or more
+partial flushes are made before a regular flush.
+
121:1 (http2_inspect) invalid flag set on HTTP/2 frame
Invalid flag set on HTTP/2 frame header
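Review bot: the 119:289 text hardcodes the threshold "20 or more partial flushes" but does not say whether that number is configurable or why the condition is alerted. Add a sentence explaining that each partial flush sends the body received so far for early detection, so many partial flushes before a regular flush means disproportionate inspection cost for one request, and say what follow-up is expected when the alert fires (the partial_depth section already notes the feature "consumes somewhat more of the sensor's resources").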
The Snort Team
Revision History
-Revision 3.9.0.0 2025-05-28 13:58:18 EDT TST
+Revision 3.9.1.0 2025-06-29 23:11:50 EDT TST
---------------------------------------------------------------------
This feature is off by default. script_detection = true will activate
it.
-5.10.3.4. gzip
+5.10.3.4. partial_depth
+
+Partial depth detection is a feature that enables Snort to more
+quickly detect and block malicious requests. It is configured by the
+partial_depth parameter which can take values in the range -1-16384
+bytes. The feature is enabled by setting partial_depth to some non
+zero value. When the feature is enabled and either, the number of
+bytes received in the request body is below the value specified by
+partial_depth, or partial_depth is set to -1, unlimited; it
+immediately forwards the available part of the message body for early
+detection. This enables earlier threat detection but consumes
+somewhat more of the sensor’s resources.
+
+This feature is turned off by default by setting partial_depth = 0.
+To activate it, set partial_depth to the desired value.
+
+5.10.3.5. gzip
http_inspect by default decompresses deflate and gzip message bodies
before inspecting them. This feature can be turned off by unzip =
meaningful inspection of message bodies will be possible. Effectively
HTTP processing would be limited to the headers.
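Review bot: the new partial_depth section needs tightening. "range -1-16384 bytes" should read "-1 to 16384", and the sentence beginning "When the feature is enabled and either, the number of bytes ..." has a misplaced comma and semicolon that make the two conditions hard to parse; suggest: "When the feature is enabled, and the request body received so far is below partial_depth (or partial_depth is -1, unlimited), http_inspect immediately forwards the available part of the body for early detection." Also cross-reference 119:289 here, since that alert is the only visible signal that partial flushing is costing more than expected, and say how partial_depth interacts with the existing request body depth limit.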
-5.10.3.5. normalize_utf
+5.10.3.6. normalize_utf
http_inspect will decode utf-8, utf-7, utf-16le, utf-16be, utf-32le,
and utf-32be in response message bodies based on the Content-Type
header. This feature is on by default: normalize_utf = false will
deactivate it.
-5.10.3.6. decompress_pdf
+5.10.3.7. decompress_pdf
decompress_pdf = true will enable decompression of compressed
portions of PDF files encountered in a message body. http_inspect
content is decompressed and made available through the file data rule
option.
-5.10.3.7. decompress_swf
+5.10.3.8. decompress_swf
decompress_swf = true will enable decompression of compressed SWF
(Adobe Flash content) files encountered in a message body. The
through the file data rule option. The compressed SWF file signature
is converted to FWS to indicate an uncompressed file.
-5.10.3.8. decompress_zip
+5.10.3.9. decompress_zip
decompress_zip = true will enable decompression of compressed zip
archives encountered in a message body. The compressed content is
decompressed and made available through the file_data rule option.
-5.10.3.9. decompress_vba
+5.10.3.10. decompress_vba
decompress_vba = true will enable decompression of RLE (Run Length
Encoding) compressed vba (Visual Basic for Applications) macro data
compressed vba macro data. The decompressed vba macro data is then
made available through the vba_data ips rule option.
-5.10.3.10. max_mime_attach
+5.10.3.11. max_mime_attach
HTTP request message bodies may be in MIME format. Each file
attachment is separately incorporated in the file_data rule option.
number of files from one message that are inspected. The default
value is 5.
-5.10.3.11. normalize_javascript
+5.10.3.12. normalize_javascript
normalize_javascript = true will enable legacy normalizer of
JavaScript within the HTTP response body. http_inspect looks for
space and normalizes the plus by concatenating the strings. Such
normalizations refer to basic JavaScript normalization.
-5.10.3.12. xff_headers
+5.10.3.13. xff_headers
This configuration supports defining custom x-forwarded-for type
headers. In a multi-vendor world, it is quite possible that the
"true-client-ip" if both headers are present in the stream. The
header names should be delimited by a space.
-5.10.3.13. maximum_host_length
+5.10.3.14. maximum_host_length
Setting maximum_host_length causes http_inspect to generate 119:25 if
the Host header value including optional white space exceeds the
total length of the combined values is used. The default value is -1,
meaning do not perform this check.
-5.10.3.14. maximum_chunk_length
+5.10.3.15. maximum_chunk_length
http_inspect strictly limits individual chunks within a chunked
message body to be less than four gigabytes.
A lower limit may be configured by setting maximum_chunk_length. Any
chunk longer than maximum chunk length will generate a 119:16 alert.
-5.10.3.15. maximum_header_length
+5.10.3.16. maximum_header_length
http_inspect generates 119:19 when the length of a header exceeds
maximum_header_length = N {0 : 65535} (default 4096).
-5.10.3.16. maximum_headers
+5.10.3.17. maximum_headers
http_inspect generates 119:20 when the number of headers exceeds
maximum_headers = N {0 : 65535} (default 200).
-5.10.3.17. maximum_pipelined_requests
+5.10.3.18. maximum_pipelined_requests
http_inspect generates 119:34 when the number of pipelined requests
exceeds maximum_pipelined_requests = N {0 : 99} (default 99). This
will trigger the alert once the client issue a request before getting
the response to a previous request.
-5.10.3.18. URI processing
+5.10.3.19. URI processing
Normalization and inspection of the URI in the HTTP request message
is a key aspect of what http_inspect does. The best way to normalize
* triggered IPS rule, whether built-in or text or SO (notice)
+ ips_logging (matched rules sent to IPS logging)
+ + context_logging (matched rule in an IPS logger)
Common fields available for every service:
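Review bot: the context_logging bullet is rendered with two leading plus signs, which looks like a stray nesting marker rather than an added line; check the indentation so it renders as a sibling of ips_logging. Its description, "matched rule in an IPS logger", also does not distinguish it from ips_logging, "matched rules sent to IPS logging"; state what the context_logging event carries beyond ips_logging, since the ChangeLog only says "add context logging event for notice".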