From: Priyanka Bangalore Gurudev (prbg) Date: Tue, 27 May 2025 16:48:22 +0000 (+0000) Subject: Pull request #4761: build: generate and tag 3.8.1.0 X-Git-Tag: 3.8.1.0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=614a3fbc7c80a873bca9e7ee131b1e297f014f16;p=thirdparty%2Fsnort3.git Pull request #4761: build: generate and tag 3.8.1.0 Merge in SNORT/snort3 from ~PRBG/snort3:build_3.8.1.0 to master Squashed commit of the following: commit 04fcb95f47537de9076f4f0143dfbbef3dc27ecf Author: Priyanka Gurudev Date: Mon May 26 18:26:33 2025 -0400 build: generate and tag 3.8.1.0 --- diff --git a/CMakeLists.txt b/CMakeLists.txt index e10fe449b..f9acc865a 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -3,7 +3,7 @@ project (snort CXX C) set (VERSION_MAJOR 3) set (VERSION_MINOR 8) -set (VERSION_PATCH 0) +set (VERSION_PATCH 1) set (VERSION_SUBLEVEL 0) set (VERSION "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}.${VERSION_SUBLEVEL}") diff --git a/ChangeLog.md b/ChangeLog.md index 716dc039b..23bcbc5d7 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -1,3 +1,27 @@ +2025-05-26: 3.8.1.0 + +* analyzer: print DAQ input specification next to its message +* build: set CMake minimal version to 3.5 +* extractor: support conn.log history field +* file_api: introduced atomicity for is_file_service_enabled +* flow: add id_offset to filenames created by stream.dump_flows() +* flow: add option to move excess flows to allowlist +* flow: always count stale packets, only drop if that is enabled by config, set default value for drop_stale_packets to false (disabled) +* flow: implement a per flow check of the packet timestamp and drop packets if the timestamp is earlier than the timestamp of the previous packet +* http2_inspect: rid of removed base template +* http2_inspect: rid of removed base template in unit tests +* main: change process_id to a global var such that we don't require constant access to the SnortConfig +* main: remove snort cpu command output from log +* protocol: add ESP to valid next headers in IPv6 +* pub_sub: get all headers, response str and method from HttpEvent +* rna: coverity fixes +* snort2lua: add include for cstdint to provide standard c++ integer types +* stream: detection of gaps in packet stream +* stream_tcp: deprecate the reassemble_async configuration option +* stream_tcp: do not purge seglist data on held packet retransmit +* stream_tcp: print stream_tcp state upon hitting queue_limits +* telnet: handle ayt commands in splitter + 2025-05-08: 3.8.0.0 * framework: make alias name internal to inspector instance diff --git a/doc/reference/snort_reference.text b/doc/reference/snort_reference.text index ee72580ed..49efbd9e6 100644 --- a/doc/reference/snort_reference.text +++ b/doc/reference/snort_reference.text @@ -8,7 +8,7 @@ Snort 3 Reference Manual The Snort Team Revision History -Revision 3.8.0.0 2025-05-09 10:27:32 EDT TST +Revision 3.8.1.0 2025-05-26 18:17:09 EDT TST --------------------------------------------------------------------- @@ -5901,6 +5901,10 @@ Configuration: after given seconds from start up; -1 tracks all { -1:max31 } * bool stream.allowlist_cache.enable = false: enable allowlist cache + * bool stream.allowlist_cache.move_on_excess = false: move flows to + allowlist instead of removing when max flows limit reached + * bool stream.drop_stale_packets = false: enable dropping of + packets with stale timestamp * int stream.ip_cache.idle_timeout = 180: maximum inactive time before retiring session tracker { 1:max32 } * int stream.icmp_cache.idle_timeout = 180: maximum inactive time @@ -5991,7 +5995,9 @@ Peg counts: memcap (sum) * stream.allowlist_memcap_prunes: number of allowlist flows pruned due to memcap (sum) - * stream.allowlist_flows: number of flows moved to the allow list + * stream.excess_to_allowlist: number of flows moved to the + allowlist due to excess (sum) + * stream.allowlist_flows: number of flows moved to the allowlist (now) * stream.current_flows: current number of flows in cache (now) * stream.uni_flows: number of uni flows in cache (now) @@ -6040,6 +6046,7 @@ Peg counts: * stream_icmp.released: icmp session trackers released (sum) * stream_icmp.timeouts: icmp session timeouts (sum) * stream_icmp.prunes: icmp session prunes (sum) + * stream_icmp.stale_packets: icmp stale packets (sum) 5.53. stream_ip @@ -6093,6 +6100,7 @@ Peg counts: * stream_ip.released: ip session trackers released (sum) * stream_ip.timeouts: ip session timeouts (sum) * stream_ip.prunes: ip session prunes (sum) + * stream_ip.stale_packets: ip stale packets (sum) * stream_ip.total_bytes: total number of bytes processed (sum) * stream_ip.total_frags: total fragments (sum) * stream_ip.current_frags: current fragments (now) @@ -6211,6 +6219,7 @@ Peg counts: * stream_tcp.released: tcp session trackers released (sum) * stream_tcp.timeouts: tcp session timeouts (sum) * stream_tcp.prunes: tcp session prunes (sum) + * stream_tcp.stale_packets: tcp stale packets (sum) * stream_tcp.instantiated: new sessions instantiated (sum) * stream_tcp.setups: session initializations (sum) * stream_tcp.restarts: sessions restarted (sum) @@ -6310,6 +6319,10 @@ Peg counts: asymmetric flows (sum) * stream_tcp.asymmetric_flows: number of completed flows having one-way traffic only (sum) + * stream_tcp.max_bytes_exceeded_hole: number of times max bytes + were exceeded due to a hole (sum) + * stream_tcp.max_segs_exceeded_hole: number of times max segs were + exceeded due to a hole (sum) 5.55. stream_udp @@ -6337,6 +6350,7 @@ Peg counts: * stream_udp.released: udp session trackers released (sum) * stream_udp.timeouts: udp session timeouts (sum) * stream_udp.prunes: udp session prunes (sum) + * stream_udp.stale_packets: udp stale packets (sum) * stream_udp.total_bytes: total number of bytes processed (sum) * stream_udp.ignored: udp packets ignored (sum) @@ -11467,6 +11481,10 @@ libraries see the Getting Started section of the manual. duplex } * bool stream.allowlist_cache.enable = false: enable allowlist cache + * bool stream.allowlist_cache.move_on_excess = false: move flows to + allowlist instead of removing when max flows limit reached + * bool stream.drop_stale_packets = false: enable dropping of + packets with stale timestamp * int stream.file_cache.idle_timeout = 180: maximum inactive time before retiring session tracker { 1:max32 } * bool stream_file.upload = false: indicate file transfer direction @@ -12788,12 +12806,14 @@ libraries see the Getting Started section of the manual. received (sum) * std_connector.messages_transmitted: total number of messages transmitted (sum) - * stream.allowlist_flows: number of flows moved to the allow list + * stream.allowlist_flows: number of flows moved to the allowlist (now) * stream.allowlist_memcap_prunes: number of allowlist flows pruned due to memcap (sum) * stream.current_flows: current number of flows in cache (now) * stream.excess_prunes: sessions pruned due to excess (sum) + * stream.excess_to_allowlist: number of flows moved to the + allowlist due to excess (sum) * stream.expected_flows: total expected flows created within snort (sum) * stream.expected_overflows: number of expected cache overflows @@ -12813,6 +12833,7 @@ libraries see the Getting Started section of the manual. * stream_icmp.prunes: icmp session prunes (sum) * stream_icmp.released: icmp session trackers released (sum) * stream_icmp.sessions: total icmp sessions (sum) + * stream_icmp.stale_packets: icmp stale packets (sum) * stream.icmp_timeout_prunes: number of ICMP flows pruned due to timeout (sum) * stream_icmp.timeouts: icmp session timeouts (sum) @@ -12840,6 +12861,7 @@ libraries see the Getting Started section of the manual. * stream_ip.reassembled: reassembled datagrams (sum) * stream_ip.released: ip session trackers released (sum) * stream_ip.sessions: total ip sessions (sum) + * stream_ip.stale_packets: ip stale packets (sum) * stream.ip_timeout_prunes: number of IP flows pruned due to timeout (sum) * stream_ip.timeouts: ip session timeouts (sum) @@ -12923,11 +12945,15 @@ libraries see the Getting Started section of the manual. sequence number (sum) * stream_tcp.keep_alive_probes: number of tcp keep-alive probes (sum) + * stream_tcp.max_bytes_exceeded_hole: number of times max bytes + were exceeded due to a hole (sum) * stream_tcp.max_bytes: maximum number of bytes queued in any flow (max) * stream_tcp.max: max tcp sessions (max) * stream_tcp.max_packets_held: maximum number of packets held simultaneously (max) + * stream_tcp.max_segs_exceeded_hole: number of times max segs were + exceeded due to a hole (sum) * stream_tcp.max_segs: maximum number of segments queued in any flow (max) * stream.tcp_memcap_prunes: number of TCP flows pruned due to @@ -12965,6 +12991,7 @@ libraries see the Getting Started section of the manual. flushed when session released (sum) * stream_tcp.sessions: total tcp sessions (sum) * stream_tcp.setups: session initializations (sum) + * stream_tcp.stale_packets: tcp stale packets (sum) * stream_tcp.syn_acks: number of syn-ack packets (sum) * stream_tcp.syn_ack_trackers: tcp session tracking started on syn-ack (sum) @@ -12990,6 +13017,7 @@ libraries see the Getting Started section of the manual. * stream_udp.prunes: udp session prunes (sum) * stream_udp.released: udp session trackers released (sum) * stream_udp.sessions: total udp sessions (sum) + * stream_udp.stale_packets: udp stale packets (sum) * stream.udp_timeout_prunes: number of UDP flows pruned due to timeout (sum) * stream_udp.timeouts: udp session timeouts (sum) diff --git a/doc/upgrade/snort_upgrade.text b/doc/upgrade/snort_upgrade.text index c2dad5dc8..a105d25a8 100644 --- a/doc/upgrade/snort_upgrade.text +++ b/doc/upgrade/snort_upgrade.text @@ -8,7 +8,7 @@ Snort 3 Upgrade Manual The Snort Team Revision History -Revision 3.8.0.0 2025-05-09 10:28:14 EDT TST +Revision 3.8.1.0 2025-05-26 18:18:18 EDT TST --------------------------------------------------------------------- diff --git a/doc/user/snort_user.text b/doc/user/snort_user.text index d4406db7d..34cb4c539 100644 --- a/doc/user/snort_user.text +++ b/doc/user/snort_user.text @@ -8,7 +8,7 @@ Snort 3 User Manual The Snort Team Revision History -Revision 3.8.0.0 2025-05-09 10:27:45 EDT TST +Revision 3.8.1.0 2025-05-26 18:17:32 EDT TST --------------------------------------------------------------------- @@ -72,7 +72,7 @@ Table of Contents 5.15. Performance Monitor 5.16. POP and IMAP 5.17. Port Scan - 5.18. Protocol Data Logging + 5.18. Advanced Logging 5.19. Sensitive Data Filtering 5.20. SMTP 5.21. Telnet @@ -5825,7 +5825,7 @@ require the least tuning. The low sensitivity level does not catch filtered scans, since these are more prone to false positives. -5.18. Protocol Data Logging +5.18. Advanced Logging -------------- @@ -6024,6 +6024,40 @@ sequence number and next expected sequence number. These are reset during TCP flow restart. For this case only bytes seen following the restart will be reported. + * conn_state - records the connection state, which varies depending + on the protocol (UDP, TCP, or others): + +UDP Connection States: + + * CLT_SRV_UDP_SEEN: Packets were seen from both the client and + server. + * CLT_UDP_SEEN: Only client packets were observed. + * SRV_UDP_SEEN: Only server packets were observed. + +TCP Connection States: + +The TCP connection state tracks both client and server states, each +prefixed with CLT_ (for the client) and SRV_ (for the server). These +states follow the TCP state machine as defined by the RFC, with the +addition of TCP_MID_STREAM_SENT and TCP_MID_STREAM_REC to handle +mid-stream traffic and TCP_STATE_NONE. + +OTH (Other Traffic): + +The OTH state is used for all non-UDP and non-TCP traffic, as well as +for error cases. + + * history - a string that tracks the connection’s history. It uses + letters to represent events, with uppercase letters denoting + client-side events and lowercase letters for server-side events. + Each letter appears only once for each direction, regardless of + how many times the event occurs. + +UDP Events: d: Packet with payload. + +TCP Events: s: SYN, h: SYN-ACK, a: Pure ACK or PUSH, d: Packet with +payload, f: FIN, r: Reset. + Fields supported for weird and notice logs: * sid - unique signature number of the rule