+2025-11-05: 3.9.7.0
+
+* appid: add multi-stream support for DNS
+* appid: fix high inspected packets count
+* appid: fix printf args
+* appid: fix ssh service detection with dropped packets
+* appid, http_inspect, dns: add support for DNS over HTTPS and DNS over QUIC
+* appid: ignore arcserve so dcerpc protocol is used when syncing to flow service
+* appid: more restrictive checks for DNS client detection
+* appid: SNI and CNAME patterns matching fix
+* appid: solve coverity warnings
+* appid: suppress false positive coverity warning
+* build: only enable libml for supported versions
+* codec: fix byte math, codec coverity issues
+* dce_rpc: checking out of bounds
+* detection_engine: use const where possible
+* filters: resolve lock issues, 2k38 issues in rate_filter and sfthd
+* flow: new pegs and packet tracer log for flow prune
+* ha: guard against negative shift
+* hash: add FNV-1a hash
+* http_inspect: add waf buffers
+* http_inspect: partial inpection on start line
+* imap: parse_command OOB fix
+* js_norm: prevent memory leak when temp buffer was processing
+* log: increase max length of LogMessage output.
+* memory: resolve race condition on global stats
+* mp_data_bus: fixing coverity issues
+* perf_monitor: don't decrement index if already zero
+* perf_monitor: fix minor issue with int overflow
+* pop: fixing OOB in pop_paf search_for_command
+* rna: use std::move on RnaTracker to move instead of copying
+* s7commplus: out of bounds check during decode
+* sfthd: fix issues with printf type specifier, cppcheck issues
+* snort2lua: use std::move where possible
+* snort_ml: add mpse and lru cache
+* ssl: SSL extractor event
+* stream: add additional lock/unlock when we do extra_data_log
+* stream, loggers: use std::move where possible
+* stream: remove lock on extra_data_log as it is only changed at Analyzer startup
+* stream_tcp: copy all layers from original packet during pseudo packet creation
+* stream_tcp: enhance rst validation to follow RFC 5961 recommendations
+
2025-10-06: 3.9.6.0
* actions: fix integer underflow in ips_actions pegcount aggregation
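Review bot: typo in the http_inspect entry, `partial inpection on start line` should read `partial inspection on start line`. Two entries in this list also rename user-visible pegs without saying so: `stream_tcp: enhance rst validation to follow RFC 5961 recommendations` replaces `stream_tcp.resets` with `stream_tcp.rsts` (see the stream_tcp peg hunk in this patch), and `snort_ml: add mpse and lru cache` moves `snort_ml.libml_calls` to `snort_ml_engine.libml_calls`; consider calling out the renames here, since perf_monitor consumers keyed on the old names will silently stop seeing those counters.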
The Snort Team
Revision History
-Revision 3.9.6.0 2025-10-06 12:42:39 EDT TST
+Revision 3.9.7.0 2025-11-05 22:23:59 EST TST
---------------------------------------------------------------------
* enum extractor.default_filter = pick: default action for protocol
with no filter provided { pick | skip }
* enum extractor.protocols[].service: service to extract from {
- http | ftp | conn | dns | weird | notice }
+ http | ftp | ssl | conn | dns | weird | notice }
* int extractor.protocols[].tenant_id = 0: tenant_id of target
tenant { 0:max32 }
* string extractor.protocols[].on_events: specify events to log
(sum)
* snort_ml.client_body_bytes: total number of HTTP client body
bytes processed (sum)
- * snort_ml.libml_calls: total libml calls (sum)
5.46. snort_ml_engine
Configuration:
* string snort_ml_engine.http_param_model: path to model file(s)
+ * string snort_ml_engine.http_param_filter[].filter_pattern:
+ pattern that triggers ML classification
+ * string snort_ml_engine.http_param_ignore[].ignore_pattern:
+ pattern that skips ML classification
+ * int snort_ml_engine.cache_memcap = 0: maximum memory for verdict
+ cache in bytes, 0 = disabled { 0:maxSZ }
+
+Peg counts:
+
+ * snort_ml_engine.cache_adds: snort_ml_engine cache added new entry
+ (sum)
+ * snort_ml_engine.cache_hits: snort_ml_engine cache found existing
+ entry (sum)
+ * snort_ml_engine.cache_misses: snort_ml_engine cache did not find
+ entry (sum)
+ * snort_ml_engine.cache_replaces: snort_ml_engine cache found entry
+ and replaced its value (sum)
+ * snort_ml_engine.cache_max: snort_ml_engine cache’s maximum byte
+ usage (max)
+ * snort_ml_engine.cache_prunes: snort_ml_engine cache pruned entry
+ to make space for new entry (sum)
+ * snort_ml_engine.cache_removes: snort_ml_engine cache removed
+ existing entry (sum)
+ * snort_ml_engine.filter_searches: total filter searches (sum)
+ * snort_ml_engine.filter_matches: total filter matches (sum)
+ * snort_ml_engine.filter_allows: total filter allows (sum)
+ * snort_ml_engine.libml_calls: total libml calls (sum)
5.47. so_proxy
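Review bot: the new `http_param_filter[].filter_pattern` and `http_param_ignore[].ignore_pattern` descriptions do not say what the patterns are matched against (the `http_param_` prefix suggests HTTP parameters, but this should be stated) or which wins when a request matches both a filter pattern and an ignore pattern; please add a sentence covering the buffer and the precedence. The pegs `filter_searches`, `filter_matches` and `filter_allows` would then be self-explanatory; as written, `filter_allows` is ambiguous (allowed into classification, or allowed to skip it?). Minor: `cache’s maximum byte usage` uses a typographic apostrophe where the rest of the manual uses ASCII.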
* stream.ha_prunes: sessions pruned by high availability sync (sum)
* stream.stale_prunes: sessions pruned due to stale connection
(sum)
+ * stream.closed_prunes: sessions pruned due to stream closed (sum)
* stream.expected_flows: total expected flows created within snort
(sum)
* stream.expected_realized: number of expected flows realized (sum)
memcap (sum)
* stream.allowlist_memcap_prunes: number of allowlist flows pruned
due to memcap (sum)
+ * stream.ip_eof_prunes: number of IP flows pruned due to EOF (sum)
+ * stream.tcp_eof_prunes: number of TCP flows pruned due to EOF
+ (sum)
+ * stream.udp_eof_prunes: number of UDP flows pruned due to EOF
+ (sum)
+ * stream.icmp_eof_prunes: number of ICMP flows pruned due to EOF
+ (sum)
+ * stream.user_eof_prunes: number of USER flows pruned due to EOF
+ (sum)
+ * stream.file_eof_prunes: number of FILE flows pruned due to EOF
+ (sum)
+ * stream.pdu_eof_prunes: number of PDU flows pruned due to EOF
+ (sum)
+ * stream.allowlist_eof_prunes: number of allowlist flows pruned due
+ to EOF (sum)
* stream.excess_to_allowlist: number of flows moved to the
allowlist due to excess (sum)
* stream.allowlist_flows: number of flows moved to the allowlist
* stream_tcp.closing: number of sessions currently closing (now)
* stream_tcp.syns: number of syn packets (sum)
* stream_tcp.syn_acks: number of syn-ack packets (sum)
- * stream_tcp.resets: number of reset packets (sum)
+ * stream_tcp.rsts: number of rst packets (sum)
+ * stream_tcp.rsts_ok_rfc793: number of valid rst packets per RFC
+ 793 (sum)
+ * stream_tcp.rsts_ok_rfc5961: number of valid rst packets per RFC
+ 5961 (sum)
+ * stream_tcp.rsts_in_window: number of rst packets in window per
+ RFC 5961 (sum)
+ * stream_tcp.rsts_bad_seq: number of invalid rst packets, seq out
+ of window (sum)
+ * stream_tcp.rsts_ack_ok: number of valid rst packets good ack (RST
+ in syn sent) (sum)
+ * stream_tcp.rsts_ack_bad: number of invalid rst packets bad ack
+ (RST in syn sent) (sum)
* stream_tcp.fins: number of fin packets (sum)
* stream_tcp.meta_acks: number of meta acks processed (sum)
* stream_tcp.packets_held: number of packets held (sum)
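Review bot: the RST peg descriptions should spell out how the three validation outcomes differ, because that is what an operator will look at when diagnosing dropped or surviving sessions. RFC 5961 section 3.2 accepts an RST only when its sequence number is exactly RCV.NXT, answers an in-window but non-exact RST with a challenge ACK instead of tearing down the connection, and drops out-of-window RSTs; so `rsts_ok_rfc5961` vs `rsts_in_window` should state whether the counted RST actually closed the session or only triggered the challenge-ACK path. The parenthetical `(RST in syn sent)` on `rsts_ack_ok` / `rsts_ack_bad` is terse; suggest `RST received in SYN_SENT with acceptable/unacceptable ACK`. Also, none of the new `*_eof_prunes` entries expand `EOF`; one phrase saying what end-of-file condition triggers the prune would help.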
* string extractor.protocols[].fields: specify fields to log
* string extractor.protocols[].on_events: specify events to log
* enum extractor.protocols[].service: service to extract from {
- http | ftp | conn | dns | weird | notice }
+ http | ftp | ssl | conn | dns | weird | notice }
* int extractor.protocols[].tenant_id = 0: tenant_id of target
tenant { 0:max32 }
* enum extractor.time = unix: output format for timestamp values {
containing filter string in metadata if set
* int snort_ml.client_body_depth = 0: number of input HTTP client
body bytes to scan (-1 unlimited) { -1:max31 }
+ * int snort_ml_engine.cache_memcap = 0: maximum memory for verdict
+ cache in bytes, 0 = disabled { 0:maxSZ }
+ * string snort_ml_engine.http_param_filter[].filter_pattern:
+ pattern that triggers ML classification
+ * string snort_ml_engine.http_param_ignore[].ignore_pattern:
+ pattern that skips ML classification
* string snort_ml_engine.http_param_model: path to model file(s)
* real snort_ml.http_param_threshold = 0.95: alert threshold for
http_param_model { 0:1 }
HTTP client body (sum)
* snort_ml.client_body_bytes: total number of HTTP client body
bytes processed (sum)
- * snort_ml.libml_calls: total libml calls (sum)
+ * snort_ml_engine.cache_adds: snort_ml_engine cache added new entry
+ (sum)
+ * snort_ml_engine.cache_hits: snort_ml_engine cache found existing
+ entry (sum)
+ * snort_ml_engine.cache_max: snort_ml_engine cache’s maximum byte
+ usage (max)
+ * snort_ml_engine.cache_misses: snort_ml_engine cache did not find
+ entry (sum)
+ * snort_ml_engine.cache_prunes: snort_ml_engine cache pruned entry
+ to make space for new entry (sum)
+ * snort_ml_engine.cache_removes: snort_ml_engine cache removed
+ existing entry (sum)
+ * snort_ml_engine.cache_replaces: snort_ml_engine cache found entry
+ and replaced its value (sum)
+ * snort_ml_engine.filter_allows: total filter allows (sum)
+ * snort_ml_engine.filter_matches: total filter matches (sum)
+ * snort_ml_engine.filter_searches: total filter searches (sum)
+ * snort_ml_engine.libml_calls: total libml calls (sum)
* snort_ml.uri_alerts: total number of alerts triggered on HTTP URI
(sum)
* snort_ml.uri_bytes: total number of HTTP URI bytes processed
attempted for transmission but overflowed (sum)
* std_connector.messages_transmitted: total number of messages
transmitted (sum)
+ * stream.allowlist_eof_prunes: number of allowlist flows pruned due
+ to EOF (sum)
* stream.allowlist_flows: number of flows moved to the allowlist
(now)
* stream.allowlist_memcap_prunes: number of allowlist flows pruned
due to memcap (sum)
+ * stream.closed_prunes: sessions pruned due to stream closed (sum)
* stream.current_flows: current number of flows in cache (now)
* stream.excess_prunes: sessions pruned due to excess (sum)
* stream.excess_to_allowlist: number of flows moved to the
(sum)
* stream.expected_pruned: number of expected flows pruned (sum)
* stream.expected_realized: number of expected flows realized (sum)
+ * stream.file_eof_prunes: number of FILE flows pruned due to EOF
+ (sum)
* stream.file_memcap_prunes: number of FILE flows pruned due to
memcap (sum)
* stream.file_timeout_prunes: number of FILE flows pruned due to
* stream.flows: total sessions (sum)
* stream.ha_prunes: sessions pruned by high availability sync (sum)
* stream_icmp.created: icmp session trackers created (sum)
+ * stream.icmp_eof_prunes: number of ICMP flows pruned due to EOF
+ (sum)
* stream_icmp.max: max icmp sessions (max)
* stream.icmp_memcap_prunes: number of ICMP flows pruned due to
memcap (sum)
* stream_ip.current_frags: current fragments (now)
* stream_ip.discards: fragments discarded (sum)
* stream_ip.drops: fragments dropped (sum)
+ * stream.ip_eof_prunes: number of IP flows pruned due to EOF (sum)
* stream_ip.fragmented_bytes: total fragmented bytes (sum)
* stream_ip.frag_timeouts: datagrams abandoned (sum)
* stream_ip.max_frags: max fragments (max)
* stream_ip.trackers_completed: datagram trackers completed (sum)
* stream_ip.trackers_freed: datagram trackers released (sum)
* stream.memcap_prunes: sessions pruned due to memcap (sum)
+ * stream.pdu_eof_prunes: number of PDU flows pruned due to EOF
+ (sum)
* stream.pdu_memcap_prunes: number of PDU flows pruned due to
memcap (sum)
* stream.pdu_timeout_prunes: number of PDU flows pruned due to
* stream_tcp.discards_skipped: tcp packet discards skipped due to
normalization disabled (sum)
* stream_tcp.discards: tcp packets discarded (sum)
+ * stream.tcp_eof_prunes: number of TCP flows pruned due to EOF
+ (sum)
* stream_tcp.established: number of sessions currently established
(now)
* stream_tcp.events: events generated (sum)
* stream_tcp.rebuilt_bytes: total rebuilt bytes (sum)
* stream_tcp.rebuilt_packets: total reassembled PDUs (sum)
* stream_tcp.released: tcp session trackers released (sum)
- * stream_tcp.resets: number of reset packets (sum)
* stream_tcp.restarts: sessions restarted (sum)
* stream_tcp.resyns: SYN received on established session (sum)
+ * stream_tcp.rsts_ack_bad: number of invalid rst packets bad ack
+ (RST in syn sent) (sum)
+ * stream_tcp.rsts_ack_ok: number of valid rst packets good ack (RST
+ in syn sent) (sum)
+ * stream_tcp.rsts_bad_seq: number of invalid rst packets, seq out
+ of window (sum)
+ * stream_tcp.rsts_in_window: number of rst packets in window per
+ RFC 5961 (sum)
+ * stream_tcp.rsts: number of rst packets (sum)
+ * stream_tcp.rsts_ok_rfc5961: number of valid rst packets per RFC
+ 5961 (sum)
+ * stream_tcp.rsts_ok_rfc793: number of valid rst packets per RFC
+ 793 (sum)
* stream_tcp.segs_queued: total segments queued (sum)
* stream_tcp.segs_released: total segments released (sum)
* stream_tcp.segs_split: tcp segments split when reassembling PDUs
(sum)
* stream.total_prunes: total sessions pruned (sum)
* stream_udp.created: udp session trackers created (sum)
+ * stream.udp_eof_prunes: number of UDP flows pruned due to EOF
+ (sum)
* stream_udp.ignored: udp packets ignored (sum)
* stream_udp.max: max udp sessions (max)
* stream.udp_memcap_prunes: number of UDP flows pruned due to
* stream.uni_flows: number of uni flows in cache (now)
* stream.uni_ip_flows: number of uni ip flows in cache (now)
* stream.uni_prunes: uni sessions pruned (sum)
+ * stream.user_eof_prunes: number of USER flows pruned due to EOF
+ (sum)
* stream.user_memcap_prunes: number of USER flows pruned due to
memcap (sum)
* stream.user_timeout_prunes: number of USER flows pruned due to
The Snort Team
Revision History
-Revision 3.9.6.0 2025-10-06 12:42:57 EDT TST
+Revision 3.9.7.0 2025-11-05 22:24:16 EST TST
---------------------------------------------------------------------
immediately forwarding partial message data to the detection engine
before the complete message arrives. This feature can be configured
independently for HTTP request bodies (partial_depth_body) and
-headers (partial_depth_header).
+headers and request line (partial_depth_header).
Configuration options:
0 (default): Feature disabled
16,384 bytes. Use partial_depth_body = -1 when early detection is
needed beyond this limit. HTTP headers have no such limitation.
+Partially inspected request lines are not parsed, the raw content is
+available in the http_raw_request buffer. Incomplete lines in
+partially inspected headers are not parsed. The raw content of the
+partial header is available in the http_raw_header buffer.
+
This feature is turned off by default by setting partial_depth_body =
0 and partial_depth_header = 0. To activate it, set the corresponding
parameter to the desired value.
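Review bot: comma splice in the new paragraph, `Partially inspected request lines are not parsed, the raw content is available in the http_raw_request buffer.` should be split into two sentences or joined with a semicolon. It would also help rule writers to state the consequence explicitly: because the partial start line is not parsed, the derived buffers (http_uri, http_method, http_version) are not populated during partial inspection and only http_raw_request is, so early-detection rules for the request line must match on http_raw_request.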
+ response
+ eot (a session defined by the following commands: APPE, DELE,
RETR, STOR, STOU, ACCT, PORT, PASV, EPRT, EPSV)
+ * SSL
+
+ + tls_metadata_event
* DNS
+ response
* data_channel.resp_h - IP address of data channel receiving point
* data_channel.resp_p - TCP port of data channel receiving point
+Fields supported for SSL:
+
+ * version - SSL/TLS version that the server chose
+ * server_name_identifier - Server Name Identifier ( SNI ) extracted
+ from Client Hello
+ * validation_status - result of certificate validation
+ * subject - RFC2253 formatted certificate subject information
+ * issuer - RFC2253 formatted certificate issuer information
+ * module_identifier - name of snort module that populated the event
+ * cipher - SSL/TLS cipher suite that the server chose
+ * curve - named elliptic curve the server chose
+
Fields supported for DNS:
* proto - transport protocol for DNS connection
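Review bot: the `server_name_identifier` field description expands SNI as `Server Name Identifier`, but the TLS extension (RFC 6066) is `Server Name Indication`; keep the field name if it is already wired into the extractor, but fix the prose and the spacing in `( SNI )`. `validation_status - result of certificate validation` should list the possible values an operator can expect in the output, and `RFC2253` should be written `RFC 2253` for consistency with `RFC 5961` elsewhere in this patch.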