set (VERSION_MAJOR 3)
set (VERSION_MINOR 12)
-set (VERSION_PATCH 0)
+set (VERSION_PATCH 1)
set (VERSION_SUBLEVEL 0)
set (VERSION "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}.${VERSION_SUBLEVEL}")
+2026-03-17: 3.12.1.0
+
+* appid: address FIXIT comments related to http inspector
+* appid: add unit test to cover DNS payload handler null dsession
+* appid: fix app detection when sni is spoofed
+* appid: removing dead code in service ssl
+* appid: sync host attributes on http event service detection
+* decompress: fix tsan data race
+* decompress: fix tsan data race in decompress_buffer_size
+* dns: prevent unbounded TCP session vector growth
+* extractor: add FILE logging
+* extractor: add more details in SSH
+* extractor: add SSH direction field
+* extractor: add SSH version field
+* extractor: compute shared (selected) algorithm in SSH
+* extractor: log SSH events
+* extractor: move details under 'algorithm' event
+* extractor: refine code
+* extractor: rename ssl.server_name_identifier
+* file_api: change file_service termination order after MPDatabus
+* file_api: fix tsan datarace in circular buffer, file cache and file policy
+* file_inspect: fix reload error messages
+* file names: add unit tests for get_main_file and get_instance_file
+* framework: return original string if list is empty
+* hash: clamp max_size to entry_size minimum
+* http_inspect: decompress optimization
+* http_inspect: fix Out-Of-Bounds read in find_next_header
+* kerberos: fix race condition when reloading and setting failed_login
+* logs: do not add / to run prefix for main thread logs
+* main: fallback to specified process affinity if we can't satisfy process.lua
+* mime: partial header memory optimization using vectors to preallocate memory rather than allocating for every new chunk of header appended
+* opcua: buf size increase and service modifications
+* plugins: move trash pickup from analyzers to main
+* pub_sub: add content-length validation
+* snort: relax memory order for reload_id updates
+* snort: tweak config dtor so that tuners are released before their inspector
+* socks: remove block_udp_fragmentation configuration option
+* ssl: adding additional parser data fields checks
+* stream: pass opaque during IP fragment reassembly in FragRebuild
+* stream_tcp: make sure to check for bad seq only when ISS is initialized
+
2026-03-03: 3.12.0.0
* alert_syslog, snort, syslog_trace: refactor syslog calls
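Review bot: the entry "socks: remove block_udp_fragmentation configuration option" drops a user-facing parameter, so any snort.lua that still sets it will reference a parameter that no longer exists; a one-line changelog item is easy to miss and this deserves an explicit upgrade note. Separately, the "mime: partial header memory optimization ..." entry runs to a full sentence while every other entry is a short phrase; trim it to something like "* mime: preallocate partial header storage with vectors".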
#]=======================================================================]
find_package(PkgConfig)
-pkg_check_modules(PC_DAQ libdaq>=3.0.26)
+pkg_check_modules(PC_DAQ libdaq>=3.0.27)
# Use DAQ_INCLUDE_DIR_HINT and DAQ_LIBRARIES_DIR_HINT from configure_cmake.sh as primary hints
# and then package config information after that.
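Review bot: the minimum libdaq requirement moves from 3.0.26 to 3.0.27 in pkg_check_modules, but the 3.12.1.0 ChangeLog block above has no matching entry, and that list is where packagers look for dependency changes; add a line such as "* build: require libdaq 3.0.27".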
The Snort Team
Revision History
-Revision 3.12.0.0 2026-03-03 21:22:32 EST TST
+Revision 3.12.1.0 2026-03-17 18:01:08 EDT TST
---------------------------------------------------------------------
* enum extractor.default_filter = pick: default action for protocol
with no filter provided { pick | skip }
* enum extractor.protocols[].service: service to extract from {
- http | ftp | ssl | conn | dns | quic | weird | notice }
+ http | ssh | ftp | ssl | conn | dns | quic | file | weird |
+ notice }
* int extractor.protocols[].tenant_id = 0: tenant_id of target
tenant { 0:max32 }
* string extractor.protocols[].on_events: specify events to log
* 119:213 (http_inspect) HTTP chunk misformatted
* 119:214 (http_inspect) white space adjacent to chunk length
* 119:215 (http_inspect) white space within header name
- * 119:216 (http_inspect) excessive gzip compression
* 119:217 (http_inspect) gzip decompression failed
* 119:218 (http_inspect) HTTP 0.9 requested followed by another
request
methods list or is on disallowed methods list
* 119:288 (http_inspect) HTTP gzip body with reserved flag set
* 119:289 (http_inspect) Too many partial flushes
+ * 119:290 (http_inspect) deflate compressed data followed by
+ unexpected non-deflate data
+ * 119:291 (http_inspect) deflate decompression failed
Peg counts:
too many MIME attachments to inspect (sum)
* http_inspect.compressed_gzip: total number of HTTP bodies
compressed with GZIP (sum)
+ * http_inspect.compressed_gzip_failed: total number of HTTP bodies
+ with failed GZIP decompression (sum)
+ * http_inspect.compressed_deflate: total number of HTTP bodies
+ compressed with Deflate (sum)
+ * http_inspect.incorrect_deflate_header: total number of HTTP
+ bodies compressed with Deflate that had incorrect header (sum)
+ * http_inspect.compressed_deflate_failed: total number of HTTP
+ bodies with failed Deflate decompression (sum)
* http_inspect.compressed_not_supported: total number of HTTP
bodies compressed with known but not supported methods (sum)
* http_inspect.compressed_unknown: total number of HTTP bodies
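Review bot: the new http_inspect.incorrect_deflate_header description reads "that had incorrect header"; it should be "that had an incorrect header". The same text appears again in the second, sorted peg list later in this patch, so fix it in the peg definition in the source rather than in one generated copy.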
Rules:
* 153:1 (opcua) invalid OPC UA MessageSize value detected
- * 153:2 (opcua) abnormal OPC UA MessageSize value detected
+ * 153:2 (opcua) large OPC UA MessageSize value detected
* 153:3 (opcua) invalid OPC UA MsgType value detected
* 153:4 (opcua) invalid OPC UA IsFinal value detected
* 153:5 (opcua) OPC UA message split across multiple packets
Instance Type: multiton
-Configuration:
-
- * bool socks.block_udp_fragmentation = true: block flow when SOCKS5
- UDP fragmentation detected (frag > 0)
-
Rules:
* 155:1 (socks) SOCKS unknown command
* socks.udp_expectations_created: UDP expectations created for
dynamic ports (sum)
* socks.udp_packets: UDP packets processed (sum)
- * socks.udp_frags_dropped: UDP fragments dropped (sum)
- * socks.udp_frags_blocked: flows blocked due to UDP fragmentation
- (sum)
+ * socks.udp_frags: UDP fragmented packets detected (sum)
5.48. ssh
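Review bot: with socks.block_udp_fragmentation removed and the udp_frags_dropped / udp_frags_blocked pegs replaced by a single "udp_frags: UDP fragmented packets detected" counter, the documentation no longer says what happens to a fragmented SOCKS5 UDP packet once it is detected; the previous pegs documented a drop/block path, so state the new handling explicitly next to the peg (or in the inspector description) so operators do not assume fragments are still blocked.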
* string extractor.protocols[].fields: specify fields to log
* string extractor.protocols[].on_events: specify events to log
* enum extractor.protocols[].service: service to extract from {
- http | ftp | ssl | conn | dns | quic | weird | notice }
+ http | ssh | ftp | ssl | conn | dns | quic | file | weird |
+ notice }
* int extractor.protocols[].tenant_id = 0: tenant_id of target
tenant { 0:max32 }
* enum extractor.time = unix: output format for timestamp values {
the system; default is 1 { 0:max32 }
* int socks_address_type.~type: address type (1=IPv4, 3=Domain, 4=
IPv6) { 1:4 }
- * bool socks.block_udp_fragmentation = true: block flow when SOCKS5
- UDP fragmentation detected (frag > 0)
* int socks_command.~command: SOCKS command (1=CONNECT, 2=BIND, 3=
UDP_ASSOCIATE) { 1:3 }
* string socks_remote_address.~: address to match (substring)
* http2_inspect.total_bytes: total HTTP/2 data bytes inspected
(sum)
* http_inspect.chunked: chunked message bodies (sum)
+ * http_inspect.compressed_deflate_failed: total number of HTTP
+ bodies with failed Deflate decompression (sum)
+ * http_inspect.compressed_deflate: total number of HTTP bodies
+ compressed with Deflate (sum)
+ * http_inspect.compressed_gzip_failed: total number of HTTP bodies
+ with failed GZIP decompression (sum)
* http_inspect.compressed_gzip: total number of HTTP bodies
compressed with GZIP (sum)
* http_inspect.compressed_not_supported: total number of HTTP
* http_inspect.flows: HTTP connections inspected (sum)
* http_inspect.get_requests: GET requests inspected (sum)
* http_inspect.head_requests: HEAD requests inspected (sum)
+ * http_inspect.incorrect_deflate_header: total number of HTTP
+ bodies compressed with Deflate that had incorrect header (sum)
* http_inspect.inspections: total message sections inspected (sum)
* http_inspect.js_external_scripts: total number of external
JavaScripts processed (sum)
* socks.udp_associations_created: UDP ASSOCIATE completions (sum)
* socks.udp_expectations_created: UDP expectations created for
dynamic ports (sum)
- * socks.udp_frags_blocked: flows blocked due to UDP fragmentation
- (sum)
- * socks.udp_frags_dropped: UDP fragments dropped (sum)
+ * socks.udp_frags: UDP fragmented packets detected (sum)
* socks.udp_packets: UDP packets processed (sum)
* ssh.aborted_sessions: total session aborted (sum)
* ssh.concurrent_sessions: total concurrent ssh sessions (now)
An HTTP header name contains whitespace.
-119:216 (http_inspect) excessive gzip compression
+119:216
A gzip-encoded HTTP message body was found to have an excessive
compression ratio during decompression.
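Review bot: rule 119:216 is deleted from the http_inspect rules list earlier in this patch, yet builtin_stubs keeps the bare "119:216" line followed by the old "excessive compression ratio" description with no title; if the sid is intentionally kept reserved, say so in place of the stale description, otherwise remove the stub along with the rule.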
The Snort Team
Revision History
-Revision 3.12.0.0 2026-03-03 21:23:26 EST TST
+Revision 3.12.1.0 2026-03-17 18:01:46 EDT TST
---------------------------------------------------------------------
The Snort Team
Revision History
-Revision 3.12.0.0 2026-03-03 21:22:50 EST TST
+Revision 3.12.1.0 2026-03-17 18:01:20 EDT TST
---------------------------------------------------------------------
* HTTP, HTTP2
+ eot (request-response pair)
+ * SSH
+
+ + algorithm (key exchange with details)
+ + exchange (key exchange complete)
* FTP
+ request
* connection (conn)
+ eof (end of flow)
+ * file
+
+ + eof (end of file)
* internal built-in checks which failed (weird)
+ builtin (internally-detected infraction is queued for further
* resp_mime_types - list with the content types of the files sent
by server
+Fields supported for SSH:
+
+ * version - major version
+ * direction - direction of the connection (LAN/WAN outbound/
+ inbound)
+ * client.version - the client’s version string
+ * client.kex_alg - key exchange algorithms listed by client
+ * client.host_key_alg - server host key algorithms listed by client
+ * client.cipher_c2s_alg - symmetric encryption algorithms
+ (client-to-server direction) listed by client
+ * client.cipher_s2c_alg - symmetric encryption algorithms
+ (server-to-client direction) listed by client
+ * client.mac_c2s_alg - MAC algorithms (client-to-server direction)
+ listed by client
+ * client.mac_s2c_alg - MAC algorithms (server-to-client direction)
+ listed by client
+ * client.compression_c2s_alg - compression algorithms
+ (client-to-server direction) listed by client
+ * client.compression_s2c_alg - compression algorithms
+ (server-to-client direction) listed by client
+ * server.version - the server’s version string
+ * server.kex_alg - key exchange algorithms listed by server
+ * server.host_key_alg - server host key algorithms listed by server
+ * server.cipher_c2s_alg - symmetric encryption algorithms
+ (client-to-server direction) listed by server
+ * server.cipher_s2c_alg - symmetric encryption algorithms
+ (server-to-client direction) listed by server
+ * server.mac_c2s_alg - MAC algorithms (client-to-server direction)
+ listed by server
+ * server.mac_s2c_alg - MAC algorithms (server-to-client direction)
+ listed by server
+ * server.compression_c2s_alg - compression algorithms
+ (client-to-server direction) listed by server
+ * server.compression_s2c_alg - compression algorithms
+ (server-to-client direction) listed by server
+ * kex_alg - key exchange algorithms in use (separated by comma if
+ not the same: c2s, s2c)
+ * host_key_alg - server host key algorithms in use (separated by
+ comma if not the same: c2s, s2c)
+ * cipher_alg - symmetric encryption algorithms in use (separated by
+ comma if not the same: c2s, s2c)
+ * mac_alg - MAC algorithms in use (separated by comma if not the
+ same: c2s, s2c)
+ * compression_alg - compression algorithms in use (separated by
+ comma if not the same: c2s, s2c)
+
Fields supported for FTP:
* command - last command seen in a session
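Review bot: the qualifier "separated by comma if not the same: c2s, s2c" on kex_alg, host_key_alg, cipher_alg, mac_alg and compression_alg is ambiguous about what is logged and in which order; state it directly, e.g. "the negotiated algorithm; when the client-to-server and server-to-client selections differ, both are logged as c2s,s2c". The "version - major version" line should also say whether this is the protocol version from the banner or something else, since client.version and server.version already carry the full version strings.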
Fields supported for SSL:
* version - SSL/TLS version that the server chose
- * server_name_identifier - Server Name Identifier ( SNI ) extracted
- from Client Hello
+ * server_name - Server Name Identifier ( SNI ) extracted from
+ Client Hello
* validation_status - result of certificate validation
* subject - RFC2253 formatted certificate subject information
* issuer - RFC2253 formatted certificate issuer information
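Review bot: renaming the SSL field from server_name_identifier to server_name changes a name that users put in extractor.protocols[].fields and that downstream log parsers key on; the ChangeLog entry "extractor: rename ssl.server_name_identifier" does not even state the new name. Either accept the old name as an alias for one release or call out the rename and the new name explicitly in the release notes.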
TCP Events: s: SYN, h: SYN-ACK, a: Pure ACK or PUSH, d: Packet with
payload, f: FIN, r: Reset.
+Fields supported for file:
+
+ * filename - filename from headers in network protocols
+ * fuid - unique file identifier
+ * source - a protocol associated with the file
+ * inspector - inspector associated with the file analysis
+ * mime_type - mime attachment type (or file type identified by file
+ magic)
+ * is_orig - if sender was originator of the file transfer
+ * seen_bytes - number of bytes processed for analysis
+ * total_bytes - total file size in bytes
+ * duration - duration the file was analyzed for, in seconds
+ * timeout - if file analysis timed out
+ * sha256 - SHA256 digest of the file contents
+ * extracted- name of captured file
+ * extracted_size - number of bytes captured
+ * extracted_cutoff - true if the file being captured was cut off so
+ the whole file was not logged
+
Fields supported for weird and notice logs:
* sid - unique signature number of the rule
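Review bot: "extracted- name of captured file" is missing the space before the hyphen that every other field line in this list uses; change it to "extracted - name of captured file". The extracted_cutoff description would also read better as "true if the capture was cut off so the whole file was not logged".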