From: Priyanka Gurudev (prbg) Date: Wed, 18 Mar 2026 01:38:38 +0000 (+0000) Subject: Pull request #5222: build: generate and tag 3.12.1.0 X-Git-Tag: 3.12.1.0 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;ds=sidebyside;p=thirdparty%2Fsnort3.git Pull request #5222: build: generate and tag 3.12.1.0 Merge in SNORT/snort3 from ~PRBG/snort3:build_3.12.1.0 to master Squashed commit of the following: commit 32e37e40dbf03e08aa8eabfec2ddf943bc32da5b Author: Priyanka Gurudev Date: Tue Mar 17 18:08:00 2026 -0400 build: generate and tag 3.12.1.0 --- diff --git a/CMakeLists.txt b/CMakeLists.txt index 9e8a5e58f..438fa8a78 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -3,7 +3,7 @@ project (snort CXX C) set (VERSION_MAJOR 3) set (VERSION_MINOR 12) -set (VERSION_PATCH 0) +set (VERSION_PATCH 1) set (VERSION_SUBLEVEL 0) set (VERSION "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}.${VERSION_SUBLEVEL}") diff --git a/ChangeLog.md b/ChangeLog.md index e3b947470..6c7bdf819 100644 --- a/ChangeLog.md +++ b/ChangeLog.md 
@@ -1,3 +1,44 @@ +2026-03-17: 3.12.1.0 + +* appid: address FIXIT comments related to http inspector +* appid: add unit test to cover DNS payload handler null dsession +* appid: fix app detection when sni is spoofed +* appid: removing dead code in service ssl +* appid: sync host attributes on http event service detection +* decompress: fix tsan data race +* decompress: fix tsan data race in decompress_buffer_size +* dns: prevent unbounded TCP session vector growth +* extractor: add FILE logging +* extractor: add more details in SSH +* extractor: add SSH direction field +* extractor: add SSH version field +* extractor: compute shared (selected) algorithm in SSH +* extractor: log SSH events +* extractor: move details under 'algorithm' event +* extractor: refine code +* extractor: rename ssl.server_name_identifier +* file_api: change file_service termination order after MPDatabus +* file_api: fix tsan datarace in circular buffer, file cache and file policy +* file_inspect: fix reload error messages +* file names: add unit tests for get_main_file and get_instance_file +* framework: return original string if list is empty +* hash: clamp max_size to entry_size minimum +* http_inspect: decompress optimization +* http_inspect: fix Out-Of-Bounds read in find_next_header +* kerberos: fix race condition when reloading and setting failed_login +* logs: do not add / to run prefix for main thread logs +* main: fallback to specified process affinity if we can't satisfy process.lua +* mime: partial header memory optimization using vectors to preallocate memory rather than allocating for every new chunk of header appended +* opcua: buf size increase and service modifications +* plugins: move trash pickup from analyzers to main +* pub_sub: add content-length validation +* snort: relax memory order for reload_id updates +* snort: tweak config dtor so that tuners are released before their inspector +* socks: remove block_udp_fragmentation configuration option +* ssl: adding additional 
parser data fields checks +* stream: pass opaque during IP fragment reassembly in FragRebuild +* stream_tcp: make sure to check for bad seq only when ISS is initialized + 2026-03-03: 3.12.0.0 * alert_syslog, snort, syslog_trace: refactor syslog calls diff --git a/cmake/FindDAQ.cmake b/cmake/FindDAQ.cmake index 930b400a7..d6672771b 100644 --- a/cmake/FindDAQ.cmake +++ b/cmake/FindDAQ.cmake @@ -16,7 +16,7 @@ This module defines: #]=======================================================================] find_package(PkgConfig) -pkg_check_modules(PC_DAQ libdaq>=3.0.26) +pkg_check_modules(PC_DAQ libdaq>=3.0.27) # Use DAQ_INCLUDE_DIR_HINT and DAQ_LIBRARIES_DIR_HINT from configure_cmake.sh as primary hints # and then package config information after that. diff --git a/doc/reference/snort_reference.text b/doc/reference/snort_reference.text index b61bfc171..6f684e19f 100644 --- a/doc/reference/snort_reference.text +++ b/doc/reference/snort_reference.text @@ -8,7 +8,7 @@ Snort 3 Reference Manual The Snort Team Revision History -Revision 3.12.0.0 2026-03-03 21:22:32 EST TST +Revision 3.12.1.0 2026-03-17 18:01:08 EDT TST --------------------------------------------------------------------- @@ -3747,7 +3747,8 @@ Configuration: * enum extractor.default_filter = pick: default action for protocol with no filter provided { pick | skip } * enum extractor.protocols[].service: service to extract from { - http | ftp | ssl | conn | dns | quic | weird | notice } + http | ssh | ftp | ssl | conn | dns | quic | file | weird | + notice } * int extractor.protocols[].tenant_id = 0: tenant_id of target tenant { 0:max32 } * string extractor.protocols[].on_events: specify events to log 
@@ -4316,7 +4317,6 @@ Rules: * 119:213 (http_inspect) HTTP chunk misformatted * 119:214 (http_inspect) white space adjacent to chunk length * 119:215 (http_inspect) white space within header name - * 119:216 (http_inspect) excessive gzip compression * 119:217 (http_inspect) gzip decompression failed * 119:218 (http_inspect) HTTP 0.9 requested followed by another request @@ -4417,6 +4417,9 @@ Rules: methods list or is on disallowed methods list * 119:288 (http_inspect) HTTP gzip body with reserved flag set * 119:289 (http_inspect) Too many partial flushes + * 119:290 (http_inspect) deflate compressed data followed by + unexpected non-deflate data + * 119:291 (http_inspect) deflate decompression failed Peg counts: @@ -4476,6 +4479,14 @@ Peg counts: too many MIME attachments to inspect (sum) * http_inspect.compressed_gzip: total number of HTTP bodies compressed with GZIP (sum) + * http_inspect.compressed_gzip_failed: total number of HTTP bodies + with failed GZIP decompression (sum) + * http_inspect.compressed_deflate: total number of HTTP bodies + compressed with Deflate (sum) + * http_inspect.incorrect_deflate_header: total number of HTTP + bodies compressed with Deflate that had incorrect header (sum) + * http_inspect.compressed_deflate_failed: total number of HTTP + bodies with failed Deflate decompression (sum) * http_inspect.compressed_not_supported: total number of HTTP bodies compressed with known but not supported methods (sum) * http_inspect.compressed_unknown: total number of HTTP bodies @@ -4971,7 +4982,7 @@ Instance Type: multiton Rules: * 153:1 (opcua) invalid OPC UA MessageSize value detected - * 153:2 (opcua) abnormal OPC UA MessageSize value detected + * 153:2 (opcua) large OPC UA MessageSize value detected * 153:3 (opcua) invalid OPC UA MsgType value detected * 153:4 (opcua) invalid OPC UA IsFinal value detected * 153:5 (opcua) OPC UA message split across multiple packets 
@@ -6064,11 +6075,6 @@ Usage: inspect Instance Type: multiton -Configuration: - - * bool socks.block_udp_fragmentation = true: block flow when SOCKS5 - UDP fragmentation detected (frag > 0) - Rules: * 155:1 (socks) SOCKS unknown command @@ -6095,9 +6101,7 @@ Peg counts: * socks.udp_expectations_created: UDP expectations created for dynamic ports (sum) * socks.udp_packets: UDP packets processed (sum) - * socks.udp_frags_dropped: UDP fragments dropped (sum) - * socks.udp_frags_blocked: flows blocked due to UDP fragmentation - (sum) + * socks.udp_frags: UDP fragmented packets detected (sum) 5.48. ssh @@ -10545,7 +10549,8 @@ libraries see the Getting Started section of the manual. * string extractor.protocols[].fields: specify fields to log * string extractor.protocols[].on_events: specify events to log * enum extractor.protocols[].service: service to extract from { - http | ftp | ssl | conn | dns | quic | weird | notice } + http | ssh | ftp | ssl | conn | dns | quic | file | weird | + notice } * int extractor.protocols[].tenant_id = 0: tenant_id of target tenant { 0:max32 } * enum extractor.time = unix: output format for timestamp values { @@ -12165,8 +12170,6 @@ libraries see the Getting Started section of the manual. the system; default is 1 { 0:max32 } * int socks_address_type.~type: address type (1=IPv4, 3=Domain, 4= IPv6) { 1:4 } - * bool socks.block_udp_fragmentation = true: block flow when SOCKS5 - UDP fragmentation detected (frag > 0) * int socks_command.~command: SOCKS command (1=CONNECT, 2=BIND, 3= UDP_ASSOCIATE) { 1:3 } * string socks_remote_address.~: address to match (substring) 
@@ -13060,6 +13063,12 @@ libraries see the Getting Started section of the manual. * http2_inspect.total_bytes: total HTTP/2 data bytes inspected (sum) * http_inspect.chunked: chunked message bodies (sum) + * http_inspect.compressed_deflate_failed: total number of HTTP + bodies with failed Deflate decompression (sum) + * http_inspect.compressed_deflate: total number of HTTP bodies + compressed with Deflate (sum) + * http_inspect.compressed_gzip_failed: total number of HTTP bodies + with failed GZIP decompression (sum) * http_inspect.compressed_gzip: total number of HTTP bodies compressed with GZIP (sum) * http_inspect.compressed_not_supported: total number of HTTP @@ -13077,6 +13086,8 @@ libraries see the Getting Started section of the manual. * http_inspect.flows: HTTP connections inspected (sum) * http_inspect.get_requests: GET requests inspected (sum) * http_inspect.head_requests: HEAD requests inspected (sum) + * http_inspect.incorrect_deflate_header: total number of HTTP + bodies compressed with Deflate that had incorrect header (sum) * http_inspect.inspections: total message sections inspected (sum) * http_inspect.js_external_scripts: total number of external JavaScripts processed (sum) @@ -13616,9 +13627,7 @@ libraries see the Getting Started section of the manual. * socks.udp_associations_created: UDP ASSOCIATE completions (sum) * socks.udp_expectations_created: UDP expectations created for dynamic ports (sum) - * socks.udp_frags_blocked: flows blocked due to UDP fragmentation - (sum) - * socks.udp_frags_dropped: UDP fragments dropped (sum) + * socks.udp_frags: UDP fragmented packets detected (sum) * socks.udp_packets: UDP packets processed (sum) * ssh.aborted_sessions: total session aborted (sum) * ssh.concurrent_sessions: total concurrent ssh sessions (now) 
@@ -15182,7 +15191,7 @@ and trailing whitespace. An HTTP header name contains whitespace. -119:216 (http_inspect) excessive gzip compression +119:216 A gzip-encoded HTTP message body was found to have an excessive compression ratio during decompression. diff --git a/doc/upgrade/snort_upgrade.text b/doc/upgrade/snort_upgrade.text index 8f358b53d..bd6c89a65 100644 --- a/doc/upgrade/snort_upgrade.text +++ b/doc/upgrade/snort_upgrade.text @@ -8,7 +8,7 @@ Snort 3 Upgrade Manual The Snort Team Revision History -Revision 3.12.0.0 2026-03-03 21:23:26 EST TST +Revision 3.12.1.0 2026-03-17 18:01:46 EDT TST --------------------------------------------------------------------- diff --git a/doc/user/snort_user.text b/doc/user/snort_user.text index d198da1df..e01657341 100644 --- a/doc/user/snort_user.text +++ b/doc/user/snort_user.text @@ -8,7 +8,7 @@ Snort 3 User Manual The Snort Team Revision History -Revision 3.12.0.0 2026-03-03 21:22:50 EST TST +Revision 3.12.1.0 2026-03-17 18:01:20 EDT TST --------------------------------------------------------------------- @@ -5924,6 +5924,10 @@ Services and their events: * HTTP, HTTP2 + eot (request-response pair) + * SSH + + + algorithm (key exchange with details) + + exchange (key exchange complete) * FTP + request @@ -5939,6 +5943,9 @@ Services and their events: * connection (conn) + eof (end of flow) + * file + + + eof (end of file) * internal built-in checks which failed (weird) + builtin (internally-detected infraction is queued for further 
@@ -5991,6 +5998,52 @@ Fields supported for HTTP: * resp_mime_types - list with the content types of the files sent by server +Fields supported for SSH: + + * version - major version + * direction - direction of the connection (LAN/WAN outbound/ + inbound) + * client.version - the client’s version string + * client.kex_alg - key exchange algorithms listed by client + * client.host_key_alg - server host key algorithms listed by client + * client.cipher_c2s_alg - symmetric encryption algorithms + (client-to-server direction) listed by client + * client.cipher_s2c_alg - symmetric encryption algorithms + (server-to-client direction) listed by client + * client.mac_c2s_alg - MAC algorithms (client-to-server direction) + listed by client + * client.mac_s2c_alg - MAC algorithms (server-to-client direction) + listed by client + * client.compression_c2s_alg - compression algorithms + (client-to-server direction) listed by client + * client.compression_s2c_alg - compression algorithms + (server-to-client direction) listed by client + * server.version - the server’s version string + * server.kex_alg - key exchange algorithms listed by server + * server.host_key_alg - server host key algorithms listed by server + * server.cipher_c2s_alg - symmetric encryption algorithms + (client-to-server direction) listed by server + * server.cipher_s2c_alg - symmetric encryption algorithms + (server-to-client direction) listed by server + * server.mac_c2s_alg - MAC algorithms (client-to-server direction) + listed by server + * server.mac_s2c_alg - MAC algorithms (server-to-client direction) + listed by server + * server.compression_c2s_alg - compression algorithms + (client-to-server direction) listed by server + * server.compression_s2c_alg - compression algorithms + (server-to-client direction) listed by server + * kex_alg - key exchange algorithms in use (separated by comma if + not the same: c2s, s2c) + * host_key_alg - server host key algorithms in use (separated by + comma if not the 
same: c2s, s2c) + * cipher_alg - symmetric encryption algorithms in use (separated by + comma if not the same: c2s, s2c) + * mac_alg - MAC algorithms in use (separated by comma if not the + same: c2s, s2c) + * compression_alg - compression algorithms in use (separated by + comma if not the same: c2s, s2c) + Fields supported for FTP: * command - last command seen in a session @@ -6007,8 +6060,8 @@ Fields supported for FTP: Fields supported for SSL: * version - SSL/TLS version that the server chose - * server_name_identifier - Server Name Identifier ( SNI ) extracted - from Client Hello + * server_name - Server Name Identifier ( SNI ) extracted from + Client Hello * validation_status - result of certificate validation * subject - RFC2253 formatted certificate subject information * issuer - RFC2253 formatted certificate issuer information @@ -6119,6 +6172,25 @@ UDP Events: d: Packet with payload. TCP Events: s: SYN, h: SYN-ACK, a: Pure ACK or PUSH, d: Packet with payload, f: FIN, r: Reset. +Fields supported for file: + + * filename - filename from headers in network protocols + * fuid - unique file identifier + * source - a protocol associated with the file + * inspector - inspector associated with the file analysis + * mime_type - mime attachment type (or file type identified by file + magic) + * is_orig - if sender was originator of the file transfer + * seen_bytes - number of bytes processed for analysis + * total_bytes - total file size in bytes + * duration - duration the file was analyzed for, in seconds + * timeout - if file analysis timed out + * sha256 - SHA256 digest of the file contents + * extracted- name of captured file + * extracted_size - number of bytes captured + * extracted_cutoff - true if the file being captured was cut off so + the whole file was not logged + Fields supported for weird and notice logs: * sid - unique signature number of the rule
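Review bot: the ChangeLog entry "extractor: rename ssl.server_name_identifier" should name the replacement, since the snort_user.text hunk for "Fields supported for SSL" shows the field is now `server_name`; an operator grepping the ChangeLog for the field they configured will not learn what to change it to. Suggest "extractor: rename ssl.server_name_identifier to server_name".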
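Review bot: the cmake/FindDAQ.cmake hunk raises the minimum to `libdaq>=3.0.27`, but nothing in the ChangeLog hunk records the new build requirement, and the doc/upgrade/snort_upgrade.text hunk only bumps the revision line. A dependency bump that makes configure fail on an otherwise working 3.12.0.0 build host should be called out in both places.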
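Review bot: the two snort_reference.text hunks for 119:216 are inconsistent. The `@@ -4316` hunk drops `119:216 (http_inspect) excessive gzip compression` from the Rules list, yet the `@@ -15182` hunk keeps a 119:216 entry in the detailed rule section and only rewords it to "A gzip-encoded HTTP message body was found to have an excessive compression ratio during decompression." If the rule is retired, the detailed entry should go as well; if it still fires, it belongs back in the Rules list.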
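Review bot: the `@@ -4417` hunk adds `119:290 (http_inspect) deflate compressed data followed by unexpected non-deflate data` and `119:291 (http_inspect) deflate decompression failed` to the Rules list, but no hunk in this patch adds matching entries to the detailed rule descriptions (the only change in that section is the 119:216 one at `@@ -15182`). The new rules need the same one-paragraph description the existing ones have.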
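Review bot: the doc/upgrade/snort_upgrade.text hunk changes only the Revision line, while this release removes `socks.block_udp_fragmentation` (see the `@@ -6064` and `@@ -12165` hunks), replaces the `socks.udp_frags_dropped`/`socks.udp_frags_blocked` peg counts with `socks.udp_frags`, and renames the SSL extractor field. Existing configurations that set the removed option will fail to load, so the upgrade manual should list these changes for 3.12.1.0.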
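Review bot: in the "Fields supported for SSH" hunk (`@@ -5991`), the `kex_alg` and `host_key_alg` entries carry the "(separated by comma if not the same: c2s, s2c)" qualifier copied from the cipher, MAC and compression entries, but SSH negotiates a single key exchange algorithm and a single host key algorithm for the connection (RFC 4253 has one `kex_algorithms` and one `server_host_key_algorithms` name-list, while only encryption, MAC and compression have per-direction lists). Suggest dropping the c2s/s2c wording from those two fields, or documenting what the extractor actually emits there.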
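Review bot: style nit in the "Fields supported for file" hunk (`@@ -6119`): `* extracted- name of captured file` is missing the space before the hyphen that every other entry in the list uses (`* extracted_size - number of bytes captured`). Suggest `* extracted - name of captured file`.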