set (VERSION_MAJOR 3)
set (VERSION_MINOR 1)
-set (VERSION_PATCH 81)
+set (VERSION_PATCH 82)
set (VERSION_SUBLEVEL 0)
set (VERSION "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}.${VERSION_SUBLEVEL}")
+2024-03-12: 3.1.82.0
+
+* appid: broadcast commands with ctrlcon
+* appid: change eve pattern matching logic
+* appid: replaced warning log with logging api for CBD
+* file_api: do not clear the file capture and user file data pointers when updating the verdict from the cache
+* filters: updated dyn array with vector
+* flow: updated flow_data linklist with STL container
+* framework: validate parameter of number type in a string form
+* kaizen: rename to Snort ML
+* main: clear lua stack when registering commands in a shell
+* main: reset main-thread stats from the main thread
+* main: update limits help
+* packet_capture: add packet capturing per tenant
+* sfip: remove references to unused mode feature
+* sfip: zero out var/node pointers after operations to remedy heap-use-after-free on reload
+* smb: fix for improper session cache destruction in tterm during config reload
+* snort2lua: change deprecated use of ptr_fn to lambda
+* stats: fix timing stats
+* stats: perf improvement changes
+* stream: remove splitter from session before inspectors
+* stream_tcp: add reasons for drops due to trims
+* stream_tcp: implement support for proxy mode normalization behavior
+* stream_tcp: update documentation for stream TCP alerts to include the new 129:21 and 129:22 alerts
+* trace: add tenants logging
+
2024-02-20: 3.1.81.0
* appid: check tenant_match() if required
The Snort Team
Revision History
-Revision 3.1.81.0 2024-02-16 22:51:25 UTC TST
+Revision 3.1.82.0 2024-03-12 12:50:44 EDT TST
---------------------------------------------------------------------
1. Help
2. Basic Modules
+
2.1. active
2.2. alerts
2.3. attribute_table
2.31. snort
2.32. suppress
2.33. trace
+
3. Codec Modules
+
3.1. arp
3.2. auth
3.3. ciscometadata
3.25. udp
3.26. vlan
3.27. wlan
+
4. Connector Modules
+
4.1. file_connector
4.2. tcp_connector
+
5. Inspector Modules
+
5.1. appid
5.2. appid_listener
5.3. arp_spoof
5.53. stream_user
5.54. telnet
5.55. wizard
+
6. IPS Action Modules
+
6.1. react
6.2. reject
+
7. IPS Option Modules
+
7.1. ack
7.2. appids
7.3. base64_decode
7.128. vba_data
7.129. window
7.130. wscale
+
8. Search Engine Modules
9. SO Rule Modules
10. Logger Modules
+
10.1. alert_csv
10.2. alert_ex
10.3. alert_fast
10.10. log_hext
10.11. log_pcap
10.12. unified2
+
11. Appendix
+
11.1. Build Options
11.2. Environment Variables
11.3. Command Line Options
}
* bool trace.constraints.match = true: use constraints to filter
traces
+ * string trace.constraints.tenants: tenants filter
* enum trace.output: output method for trace log messages { stdout
| syslog }
* bool trace.ntuple = false: print packet n-tuple info with trace
Configuration:
- * bool packet_capture.enable = false: initially enable packet
- dumping
- * string packet_capture.filter: bpf filter to use for packet dump
- * int packet_capture.group = -1: group filter to use for the packet
- dump { -1:32767 }
+ * bool packet_capture.enable = false: state of packet capturing
+ * string packet_capture.filter: bpf filter to use for packet
+ capturing
+ * int packet_capture.group = -1: group filter to use for packet
+ capturing { -1:32767 }
+ * string packet_capture.tenants: comma-separated tenants filter to
+ use for packet capturing
Commands:
- * packet_capture.enable(filter, group): dump raw packets
- * packet_capture.disable(): stop packet dump
+ * packet_capture.enable(filter, group, tenants): capture raw
+ packets
+ * packet_capture.disable(): stop packet capturing
Peg counts:
* packet_capture.processed: packets processed against filter (sum)
- * packet_capture.captured: packets matching dumped after matching
- filter (sum)
+ * packet_capture.captured: packets captured after matching filter
+ (sum)
5.35. perf_monitor
(sum)
* stream_tcp.zero_win_probes: number of tcp zero window probes
(sum)
+ * stream_tcp.proxy_mode_flows: number of flows set to proxy
+ normalization policy (sum)
5.52. stream_udp
* bool output.verbose = false: be verbose (same as -v)
* bool output.wide_hex_dump = false: output 20 bytes per lines
instead of 16 when dumping buffers
- * bool packet_capture.enable = false: initially enable packet
- dumping
- * string packet_capture.filter: bpf filter to use for packet dump
- * int packet_capture.group = -1: group filter to use for the packet
- dump { -1:32767 }
+ * bool packet_capture.enable = false: state of packet capturing
+ * string packet_capture.filter: bpf filter to use for packet
+ capturing
+ * int packet_capture.group = -1: group filter to use for packet
+ capturing { -1:32767 }
+ * string packet_capture.tenants: comma-separated tenants filter to
+ use for packet capturing
* bool packets.address_space_agnostic = false: determines whether
DAQ address space info is used to track fragments and connections
* string packets.bpf_file: file with BPF to select traffic for
traces
* string trace.constraints.src_ip: source IP address filter
* int trace.constraints.src_port: source port filter { 0:65535 }
+ * string trace.constraints.tenants: tenants filter
* int trace.modules.all: enable trace for all modules { 0:255 }
* int trace.modules.appid.all: enable all trace options { 0:255 }
* int trace.modules.dce_smb.all: enable all trace options { 0:255 }
* normalizer.test_tcp_ts_nop: test timestamp options cleared (sum)
* normalizer.test_tcp_urgent_ptr: test packets without data with
urgent pointer cleared (sum)
- * packet_capture.captured: packets matching dumped after matching
- filter (sum)
+ * packet_capture.captured: packets captured after matching filter
+ (sum)
* packet_capture.processed: packets processed against filter (sum)
* payload_injector.http2_injects: total number of http2 injections
(sum)
(sum)
* stream_tcp.payload_fully_trimmed: segments with no data after
trimming (sum)
+ * stream_tcp.proxy_mode_flows: number of flows set to proxy
+ normalization policy (sum)
* stream_tcp.prunes: tcp session prunes (sum)
* stream_tcp.rebuilt_buffers: rebuilt PDU sections (sum)
* stream_tcp.rebuilt_bytes: total rebuilt bytes (sum)
The TCP 3-way handshake was not seen for this TCP session.
+129:21 (stream_tcp) TCP max queued reassembly bytes exceeded
+threshold
+
+The maximum bytes allowed to be queued for reassembly for an endpoint
+has been exceeded.
+
+129:22 (stream_tcp) TCP max queued reassembly segments exceeded
+threshold
+
+The maximum number of segments allowed to be queued for reassembly
+for an endpoint has been exceeded.
+
131:1 (dns) obsolete DNS RR types
DNS Response Resource Record Type is Obsolete.
cache segment(s)
* network.set_policy(id): set the network policy for commands given
the user policy id
- * packet_capture.enable(filter, group): dump raw packets
- * packet_capture.disable(): stop packet dump
+ * packet_capture.enable(filter, group, tenants): capture raw
+ packets
+ * packet_capture.disable(): stop packet capturing
* packet_tracer.enable(proto, src_ip, src_port, dst_ip, dst_port,
tenants): enable packet tracer debugging
* packet_tracer.disable(): disable packet tracer
The Snort Team
Revision History
-Revision 3.1.81.0 2024-02-16 22:51:13 UTC TST
+Revision 3.1.82.0 2024-03-12 12:51:51 EDT TST
---------------------------------------------------------------------
Table of Contents
1. Overview
+
1.1. Efficacy
1.2. Performance
1.3. Scalability
1.4. Usability
1.5. Extensibility
+
2. Snort 3 vs Snort 2
+
2.1. Features New to Snort 3
2.2. Features Improved over Snort 2
2.3. Build Options
2.7. Output
2.8. Sensitive Data
2.9. Features Not Yet Supported by Snort 3
+
3. Snort2Lua
+
3.1. Snort2Lua Command Line
3.2. Known Problems
3.3. Usage
+
4. Configuration Changes
change -> config 'daq_dir' ==> 'daq.module_dirs'
change -> config 'detection_filter' ==> 'alerts.detection_filter_memcap'
change -> config 'enable_deep_teredo_inspection' ==> 'udp.deep_teredo_inspection'
+change -> config 'enable_mpls_overlapping_ip' ==> 'packets.mpls_agnostic'
change -> config 'event_filter' ==> 'alerts.event_filter_memcap'
change -> config 'max_attribute_hosts' ==> 'attribute_table.max_hosts'
change -> config 'max_attribute_services_per_host' ==> 'attribute_table.max_services_per_host'
change -> daq_mode: 'config daq_mode:' ==> 'mode'
change -> daq_var: 'config daq_var:' ==> 'variables'
change -> detection: 'ac' ==> 'ac_full'
-change -> detection: 'ac-banded' ==> 'ac_banded'
+change -> detection: 'ac-banded' ==> 'ac_full'
change -> detection: 'ac-bnfa' ==> 'ac_bnfa'
change -> detection: 'ac-bnfa-nq' ==> 'ac_bnfa'
change -> detection: 'ac-bnfa-q' ==> 'ac_bnfa'
change -> detection: 'ac-nq' ==> 'ac_full'
change -> detection: 'ac-q' ==> 'ac_full'
-change -> detection: 'ac-sparsebands' ==> 'ac_sparse_bands'
+change -> detection: 'ac-sparsebands' ==> 'ac_full'
change -> detection: 'ac-split' ==> 'ac_full'
change -> detection: 'ac-split' ==> 'split_any_any'
-change -> detection: 'ac-std' ==> 'ac_std'
-change -> detection: 'acs' ==> 'ac_sparse'
+change -> detection: 'ac-std' ==> 'ac_full'
+change -> detection: 'acs' ==> 'ac_full'
change -> detection: 'bleedover-port-limit' ==> 'bleedover_port_limit'
change -> detection: 'debug-print-fast-pattern' ==> 'show_fast_patterns'
change -> detection: 'intel-cpm' ==> 'hyperscan'
change -> detection: 'max-pattern-len' ==> 'max_pattern_len'
change -> detection: 'no_stream_inserts' ==> 'detect_raw_tcp'
change -> detection: 'search-method' ==> 'search_method'
-change -> detection: 'search-optimize' ==> 'search_optimize'
change -> detection: 'split-any-any' ==> 'split_any_any = true by default'
change -> detection: 'split-any-any' ==> 'split_any_any'
change -> dnp3: 'ports' ==> 'bindings'
change -> reputation: 'shared_mem' ==> 'list_dir'
change -> sfportscan: 'proto' ==> 'protos'
change -> sfportscan: 'scan_type' ==> 'scan_types'
+change -> sip: 'max_requestName_len' ==> 'max_request_name_len'
change -> sip: 'ports' ==> 'bindings'
change -> smtp: 'ports' ==> 'bindings'
change -> ssh: 'server_ports' ==> 'bindings'
deleted -> config 'disable_inline_init_failopen'
deleted -> config 'disable_ipopt_alerts'
deleted -> config 'disable_ipopt_drops'
+deleted -> config 'disable_replace'
deleted -> config 'disable_tcpopt_alerts'
deleted -> config 'disable_tcpopt_drops'
deleted -> config 'disable_tcpopt_experimental_alerts'
deleted -> config 'enable_decode_oversized_drops'
deleted -> config 'enable_gtp'
deleted -> config 'enable_ipopt_drops'
+deleted -> config 'enable_mpls_multicast'
deleted -> config 'enable_tcpopt_drops'
deleted -> config 'enable_tcpopt_experimental_drops'
deleted -> config 'enable_tcpopt_obsolete_drops'
deleted -> config 'sflog_unified2'
deleted -> config 'sidechannel'
deleted -> config 'so_rule_memcap'
+deleted -> config 'stateful'
deleted -> csv: '<filename> can no longer be specific'
deleted -> csv: 'default'
deleted -> csv: 'trheader'
deleted -> detection: 'mwm'
+deleted -> detection: 'search-optimize is always true'
deleted -> dnp3: 'disabled'
deleted -> dnp3: 'memcap'
deleted -> dns: 'enable_experimental_types'
deleted -> full: '<filename> can no longer be specific'
deleted -> http_inspect: 'detect_anomalous_servers'
deleted -> http_inspect: 'disabled'
+deleted -> http_inspect: 'fast_blocking'
+deleted -> http_inspect: 'normalize_random_nulls_in_text'
deleted -> http_inspect: 'proxy_alert'
deleted -> http_inspect_server: 'allow_proxy_use'
deleted -> http_inspect_server: 'enable_cookie'
deleted -> stream5_tcp: 'log_asymmetric_traffic'
deleted -> stream5_tcp: 'policy noack'
deleted -> stream5_tcp: 'policy unknown'
+deleted -> stream5_tcp: 'use_static_footprint_sizes'
deleted -> stream5_udp: 'ignore_any_rules'
deleted -> tcpdump: '<filename> can no longer be specific'
deleted -> test: 'file'
The Snort Team
Revision History
-Revision 3.1.81.0 2024-02-16 22:51:13 UTC TST
+Revision 3.1.82.0 2024-03-12 12:51:07 EDT TST
---------------------------------------------------------------------
Table of Contents
1. Overview
+
1.1. First Steps
1.2. Configuration
1.3. Output
+
2. Concepts
+
2.1. Terminology
2.2. Modules
2.3. Parameters
2.5. Operation
2.6. Rules
2.7. Pattern Matching
+
3. Tutorial
+
3.1. Dependencies
3.2. Building
3.3. Running
3.5. Common Errors
3.6. Gotchas
3.7. Known Issues
+
4. Usage
+
4.1. Help
4.2. Sniffing and Logging
4.3. Configuration
4.8. Logger Alternatives
4.9. Shell
4.10. Signals
+
5. Features
+
5.1. Active Response
5.2. AppId
5.3. Binder
5.20. Telnet
5.21. Trace
5.22. Wizard
+
6. DAQ Configuration and Modules
+
6.1. Building the DAQ Library and Its Bundled DAQ Modules
6.2. Configuration
6.3. Interaction With Multiple Packet Threads