From: Priyanka Bangalore Gurudev (prbg) Date: Tue, 1 Jul 2025 17:20:33 +0000 (+0000) Subject: Pull request #4792: build: generate and tag 3.9.1.0 X-Git-Tag: 3.9.1.0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=HEAD;p=thirdparty%2Fsnort3.git Pull request #4792: build: generate and tag 3.9.1.0 Merge in SNORT/snort3 from ~PRBG/snort3:build_3.9.1.0 to master Squashed commit of the following: commit 3fd3bfd2a978c0995229d023f45d2f16fdc33802 Author: Priyanka Gurudev Date: Sun Jun 29 23:15:14 2025 -0400 build: generate and tag 3.9.1.0 --- diff --git a/CMakeLists.txt b/CMakeLists.txt index 59a293620..98fbcb669 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -3,7 +3,7 @@ project (snort CXX C) set (VERSION_MAJOR 3) set (VERSION_MINOR 9) -set (VERSION_PATCH 0) +set (VERSION_PATCH 1) set (VERSION_SUBLEVEL 0) set (VERSION "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}.${VERSION_SUBLEVEL}") diff --git a/ChangeLog.md b/ChangeLog.md index 4846a3b61..4a4293342 100644 --- a/ChangeLog.md +++ b/ChangeLog.md 
@@ -1,3 +1,36 @@ +2025-06-29: 3.9.1.0 + +* appid: appid_debug_test and critical log fix +* appid: broadcast command for third party tfini during tterm rather than doing it sequentially +* appid: differentiate between request and response DNS host +* appid: fixed APPID_LOG macro for correct usage of log_level +* appid: fixed stash issue by fixing publishing shadow traffic +* appid: fix tcp dns multiple transaction support +* appid: queue analyzer command for third party setup during appid id tinit and stagger packet threads during third party tinit +* appid: sync flow service with protocol based detection +* binder, flow, framework: add a facility to block binding based on a do_not_decrypt flow flag and inspector can_decrypt method +* build: address coverity warnings +* connectors: add buffered output to std_connector +* connectors: add redirect option to print to a file +* connectors: give name to flusher thread +* connectors: rebuild readers as they might be outdated at exit +* connectors: rename text log field +* connectors: set affinity for flusher thread +* dns: handle multi DNS transactions one TCP connection +* extractor: add context logging event for notice +* helpers: add 1-reader-1-writer ring buffer +* helpers: fix JSON stream flags after escaping +* http_inspect: add support for partial_depth configuration option +* main: clarify the DAQ verdict for inject +* mime: fix crash in folding right after colon +* mime: fix eol search and add unit tests +* mp_dbus: transfer ownership of MPDataBus to new config during reload +* mp_unix_transport: refactored socket reconnect +* mp_unix_transport: use shared mutex in message processing +* profiler: add note for total percentage for profiler_dump +* ssl: fix integer underflow in certificate parsing +* unixdomain_connector: explicit include of select.h + 2025-05-28: 3.9.0.0 * codec, flow: make mpls layers in flow pointers to save memory 
diff --git a/cmake/FindDAQ.cmake b/cmake/FindDAQ.cmake index 24238ac88..ffccd31f9 100644 --- a/cmake/FindDAQ.cmake +++ b/cmake/FindDAQ.cmake @@ -16,7 +16,7 @@ This module defines: #]=======================================================================] find_package(PkgConfig) -pkg_check_modules(PC_DAQ libdaq>=3.0.19) +pkg_check_modules(PC_DAQ libdaq>=3.0.20) # Use DAQ_INCLUDE_DIR_HINT and DAQ_LIBRARIES_DIR_HINT from configure_cmake.sh as primary hints # and then package config information after that. diff --git a/doc/reference/snort_reference.text b/doc/reference/snort_reference.text index e17f1cbd4..0ee6b0486 100644 --- a/doc/reference/snort_reference.text +++ b/doc/reference/snort_reference.text @@ -8,7 +8,7 @@ Snort 3 Reference Manual The Snort Team Revision History -Revision 3.9.0.0 2025-05-28 13:58:01 EDT TST +Revision 3.9.1.0 2025-06-29 23:11:37 EDT TST --------------------------------------------------------------------- @@ -2644,6 +2644,11 @@ Configuration: * string std_connector[].connector: connector name * enum std_connector[].direction: usage { receive | transmit | duplex } + * int std_connector[].buffer_size = 0: per-instance buffer size in + bytes (0 no buffering, otherwise buffered and synchronized across + threads) { 0:max32 } + * string std_connector[].redirect: output file name where printout + is redirected Peg counts: @@ -2651,6 +2656,8 @@ Peg counts: received (sum) * std_connector.messages_transmitted: total number of messages transmitted (sum) + * std_connector.messages_stalled: total number of messages + attempted for transmission but overflowed (sum) 4.3. tcp_connector 
@@ -4074,6 +4081,8 @@ Configuration: bytes to examine (-1 no limit) { -1:max53 } * int http_inspect.response_depth = -1: maximum response message body bytes to examine (-1 no limit) { -1:max53 } + * int http_inspect.partial_depth = 0: maximum request body to send + to early detection (0 disabled, -1 no limit) { -1:16384 } * bool http_inspect.unzip = true: decompress gzip and deflate message bodies * int http_inspect.maximum_host_length = -1: maximum allowed length @@ -4332,6 +4341,7 @@ Rules: * 119:287 (http_inspect) HTTP request method is not on allowed methods list or is on disallowed methods list * 119:288 (http_inspect) HTTP gzip body with reserved flag set + * 119:289 (http_inspect) Too many partial flushes Peg counts: @@ -10252,6 +10262,8 @@ libraries see the Getting Started section of the manual. encodings in response bodies * int http_inspect.oversize_dir_length = 300: maximum length for URL directory { 1:65535 } + * int http_inspect.partial_depth = 0: maximum request body to send + to early detection (0 disabled, -1 no limit) { -1:16384 } * bool http_inspect.percent_u = false: normalize %uNNNN and %UNNNN encodings * bool http_inspect.plus_to_space = true: replace + with when @@ -11476,9 +11488,14 @@ libraries see the Getting Started section of the manual. * implied ssl_version.!tls1.2: check for records that are not tls1.2 * implied ssl_version.tls1.2: check for tls1.2 + * int std_connector[].buffer_size = 0: per-instance buffer size in + bytes (0 no buffering, otherwise buffered and synchronized across + threads) { 0:max32 } * string std_connector[].connector: connector name * enum std_connector[].direction: usage { receive | transmit | duplex } + * string std_connector[].redirect: output file name where printout + is redirected * bool stream.allowlist_cache.enable = false: enable allowlist cache * bool stream.allowlist_cache.move_on_excess = false: move flows to 
@@ -12804,6 +12821,8 @@ libraries see the Getting Started section of the manual. * ssl.unrecognized_records: total unrecognized records (sum) * std_connector.messages_received: total number of messages received (sum) + * std_connector.messages_stalled: total number of messages + attempted for transmission but overflowed (sum) * std_connector.messages_transmitted: total number of messages transmitted (sum) * stream.allowlist_flows: number of flows moved to the allowlist @@ -14657,6 +14676,11 @@ disallowed methods list. HTTP reserved GZIP flags are set +119:289 (http_inspect) Too many partial flushes + +Too many partial flushes. Partial depth is enabled and 20 or more +partial flushes are made before a regular flush. + 121:1 (http2_inspect) invalid flag set on HTTP/2 frame Invalid flag set on HTTP/2 frame header diff --git a/doc/upgrade/snort_upgrade.text b/doc/upgrade/snort_upgrade.text index 1ecb48569..9eca87725 100644 --- a/doc/upgrade/snort_upgrade.text +++ b/doc/upgrade/snort_upgrade.text @@ -8,7 +8,7 @@ Snort 3 Upgrade Manual The Snort Team Revision History -Revision 3.9.0.0 2025-05-28 13:58:55 EDT TST +Revision 3.9.1.0 2025-06-29 23:12:18 EDT TST --------------------------------------------------------------------- diff --git a/doc/user/snort_user.text b/doc/user/snort_user.text index 5e45e9e3d..d891c74ea 100644 --- a/doc/user/snort_user.text +++ b/doc/user/snort_user.text @@ -8,7 +8,7 @@ Snort 3 User Manual The Snort Team Revision History -Revision 3.9.0.0 2025-05-28 13:58:18 EDT TST +Revision 3.9.1.0 2025-06-29 23:11:50 EDT TST --------------------------------------------------------------------- 
@@ -4094,7 +4094,23 @@ consumes somewhat more of the sensor’s resources. This feature is off by default. script_detection = true will activate it. -5.10.3.4. gzip +5.10.3.4. partial_depth + +Partial depth detection is a feature that enables Snort to more +quickly detect and block malicious requests. It is configured by the +partial_depth parameter which can take values in the range -1-16384 +bytes. The feature is enabled by setting partial_depth to some non +zero value. When the feature is enabled and either, the number of +bytes received in the request body is below the value specified by +partial_depth, or partial_depth is set to -1, unlimited; it +immediately forwards the available part of the message body for early +detection. This enables earlier threat detection but consumes +somewhat more of the sensor’s resources. + +This feature is turned off by default by setting partial_depth = 0. +To activate it, set partial_depth to the desired value. + +5.10.3.5. gzip http_inspect by default decompresses deflate and gzip message bodies before inspecting them. This feature can be turned off by unzip = @@ -4103,14 +4119,14 @@ improvement but at a very high price. It is unlikely that any meaningful inspection of message bodies will be possible. Effectively HTTP processing would be limited to the headers. -5.10.3.5. normalize_utf +5.10.3.6. normalize_utf http_inspect will decode utf-8, utf-7, utf-16le, utf-16be, utf-32le, and utf-32be in response message bodies based on the Content-Type header. This feature is on by default: normalize_utf = false will deactivate it. -5.10.3.6. decompress_pdf +5.10.3.7. decompress_pdf decompress_pdf = true will enable decompression of compressed portions of PDF files encountered in a message body. http_inspect 
@@ -4119,7 +4135,7 @@ locate PDF streams with a single /FlateDecode filter. The compressed content is decompressed and made available through the file data rule option. -5.10.3.7. decompress_swf +5.10.3.8. decompress_swf decompress_swf = true will enable decompression of compressed SWF (Adobe Flash content) files encountered in a message body. The @@ -4129,13 +4145,13 @@ LZMA. The compressed content is decompressed and made available through the file data rule option. The compressed SWF file signature is converted to FWS to indicate an uncompressed file. -5.10.3.8. decompress_zip +5.10.3.9. decompress_zip decompress_zip = true will enable decompression of compressed zip archives encountered in a message body. The compressed content is decompressed and made available through the file_data rule option. -5.10.3.9. decompress_vba +5.10.3.10. decompress_vba decompress_vba = true will enable decompression of RLE (Run Length Encoding) compressed vba (Visual Basic for Applications) macro data @@ -4145,7 +4161,7 @@ Linking and Embedding) file embedded with the files containing RLE compressed vba macro data. The decompressed vba macro data is then made available through the vba_data ips rule option. -5.10.3.10. max_mime_attach +5.10.3.11. max_mime_attach HTTP request message bodies may be in MIME format. Each file attachment is separately incorporated in the file_data rule option. @@ -4154,7 +4170,7 @@ may consume a lot of processing power. This parameter limits the number of files from one message that are inspected. The default value is 5. -5.10.3.11. normalize_javascript +5.10.3.12. normalize_javascript normalize_javascript = true will enable legacy normalizer of JavaScript within the HTTP response body. http_inspect looks for 
@@ -4167,7 +4183,7 @@ http_inspect also replaces consecutive whitespaces with a single space and normalizes the plus by concatenating the strings. Such normalizations refer to basic JavaScript normalization. -5.10.3.12. xff_headers +5.10.3.13. xff_headers This configuration supports defining custom x-forwarded-for type headers. In a multi-vendor world, it is quite possible that the @@ -4182,7 +4198,7 @@ they are defined, e.g "x-forwarded-for" will be preferred than "true-client-ip" if both headers are present in the stream. The header names should be delimited by a space. -5.10.3.13. maximum_host_length +5.10.3.14. maximum_host_length Setting maximum_host_length causes http_inspect to generate 119:25 if the Host header value including optional white space exceeds the @@ -4190,7 +4206,7 @@ specified length. In the abnormal case of multiple Host headers, the total length of the combined values is used. The default value is -1, meaning do not perform this check. -5.10.3.14. maximum_chunk_length +5.10.3.15. maximum_chunk_length http_inspect strictly limits individual chunks within a chunked message body to be less than four gigabytes. @@ -4198,17 +4214,17 @@ message body to be less than four gigabytes. A lower limit may be configured by setting maximum_chunk_length. Any chunk longer than maximum chunk length will generate a 119:16 alert. -5.10.3.15. maximum_header_length +5.10.3.16. maximum_header_length http_inspect generates 119:19 when the length of a header exceeds maximum_header_length = N {0 : 65535} (default 4096). -5.10.3.16. maximum_headers +5.10.3.17. maximum_headers http_inspect generates 119:20 when the number of headers exceeds maximum_headers = N {0 : 65535} (default 200). -5.10.3.17. maximum_pipelined_requests +5.10.3.18. maximum_pipelined_requests http_inspect generates 119:34 when the number of pipelined requests exceeds maximum_pipelined_requests = N {0 : 99} (default 99). This 
@@ -4218,7 +4234,7 @@ the case of an alternating sequence of requests and responses. It will trigger the alert once the client issue a request before getting the response to a previous request. -5.10.3.18. URI processing +5.10.3.19. URI processing Normalization and inspection of the URI in the HTTP request message is a key aspect of what http_inspect does. The best way to normalize @@ -5911,6 +5927,7 @@ Services and their events: * triggered IPS rule, whether built-in or text or SO (notice) + ips_logging (matched rules sent to IPS logging) + + context_logging (matched rule in an IPS logger) Common fields available for every service:
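Review bot: in the ChangeLog.md hunk, the entry `ssl: fix integer underflow in certificate parsing` is the one fix in this list with direct security impact and should say which parse path is affected and whether on-the-wire traffic can reach it, and reference the tracking id if one exists, so users can judge urgency from the changelog alone. The entries also mix tenses (`appid: fixed APPID_LOG macro` beside `appid: fix tcp dns multiple transaction support`), and `dns: handle multi DNS transactions one TCP connection` is missing a preposition (`over one TCP connection`).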
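Review bot: in the cmake/FindDAQ.cmake hunk, the minimum libdaq requirement rises from 3.0.19 to 3.0.20, but neither the ChangeLog hunk nor doc/upgrade/snort_upgrade.text (which only receives a revision-header bump in this patch) mentions it. Add a ChangeLog line such as `build: require libdaq 3.0.20` and a note in the upgrade manual so packagers are not surprised by a configure failure.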
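Review bot: in the snort_reference.text hunk at `@@ -2644,6 +2644,11 @@`, the `redirect` description (`output file name where printout is redirected`) does not say whether the file is truncated or appended to, what permissions it is created with, or how a relative path is resolved; all three matter for a logging sink that may receive alert data. The `buffer_size` text says the buffer is `synchronized across threads` but not what happens when it fills, even though the new `messages_stalled` peg implies that it can. Since this file is generated (per the commit title), the wording belongs in the std_connector parameter help strings.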
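Review bot: in the peg-count hunk at `@@ -2651,6 +2656,8 @@`, `attempted for transmission but overflowed` leaves the outcome unstated: a reader cannot tell whether a stalled message is discarded, retried, or written unbuffered. Name the outcome in the description (for example `... but dropped because the buffer was full`, if that is the behaviour), since operators will use this counter to decide whether they are losing log records.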
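Review bot: in the http_inspect configuration hunk at `@@ -4074,6 +4081,8 @@`, the `partial_depth` help text omits the unit that the neighbouring `request_depth` and `response_depth` lines give (`... body bytes to examine`); write `maximum request body bytes to send to early detection`. The upper bound in `{ -1:16384 }` is asserted without explanation; if it is tied to the partial-flush limit or to a buffer size, say so where the parameter is documented. The same text is duplicated in the hunk at `@@ -10252,6 +10262,8 @@`, so fix it once in the parameter help string from which both are generated.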
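Review bot: in the hunk at `@@ -14657,6 +14676,11 @@`, the 119:289 description states a fixed threshold (`20 or more partial flushes are made before a regular flush`) that no parameter added in this patch controls; either document that the limit is hard-coded or expose it as an http_inspect parameter. It should also say whether http_inspect stops partial flushing for that message after the alert, which is what an analyst triaging the alert needs to know.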
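Review bot: in the snort_user.text hunk at `@@ -4094,7 +4094,23 @@`, the sentence beginning `When the feature is enabled and either, the number of bytes ...` does not parse (stray commas around `either` and `unlimited;`), `-1-16384` reads as a subtraction, and `non zero` should be `non-zero`. Suggest: `When enabled, http_inspect immediately forwards the request body bytes received so far for early detection as long as fewer than partial_depth bytes have been received, or without limit when partial_depth is -1.` The section should also state how partial_depth interacts with request_depth (whether early detection is still bounded by request_depth), since both cap request body inspection.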
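Review bot: in the renumbering hunks of snort_user.text starting at `@@ -4103,14 +4119,14 @@`, inserting 5.10.3.4 shifts every following section number through 5.10.3.19; any cross-reference by number elsewhere in the user manual, or in the reference and upgrade manuals, will now point at the wrong section, so grep the doc sources for `5.10.3.` before merging.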
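Review bot: in the hunk at `@@ -5911,6 +5927,7 @@`, `context_logging (matched rule in an IPS logger)` is nearly indistinguishable from the `ips_logging (matched rules sent to IPS logging)` line above it; the ChangeLog entry `extractor: add context logging event for notice` suggests the difference is that context_logging carries the match context consumed by the extractor. State what the event adds over ips_logging and when it is published so users know which one to subscribe to.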