+2025-05-26: 3.8.1.0
+
+* analyzer: print DAQ input specification next to its message
+* build: set CMake minimal version to 3.5
+* extractor: support conn.log history field
+* file_api: introduced atomicity for is_file_service_enabled
+* flow: add id_offset to filenames created by stream.dump_flows()
+* flow: add option to move excess flows to allowlist
+* flow: always count stale packets, only drop if that is enabled by config, set default value for drop_stale_packets to false (disabled)
+* flow: implement a per flow check of the packet timestamp and drop packets if the timestamp is earlier than the timestamp of the previous packet
+* http2_inspect: rid of removed base template
+* http2_inspect: rid of removed base template in unit tests
+* main: change process_id to a global var such that we don't require constant access to the SnortConfig
+* main: remove snort cpu command output from log
+* protocol: add ESP to valid next headers in IPv6
+* pub_sub: get all headers, response str and method from HttpEvent
+* rna: coverity fixes
+* snort2lua: add include for cstdint to provide standard c++ integer types
+* stream: detection of gaps in packet stream
+* stream_tcp: deprecate the reassemble_async configuration option
+* stream_tcp: do not purge seglist data on held packet retransmit
+* stream_tcp: print stream_tcp state upon hitting queue_limits
+* telnet: handle ayt commands in splitter
+
2025-05-08: 3.8.0.0
* framework: make alias name internal to inspector instance
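Review bot: the two flow entries "always count stale packets, only drop if that is enabled by config, set default value for drop_stale_packets to false (disabled)" and "implement a per flow check of the packet timestamp and drop packets if the timestamp is earlier than the timestamp of the previous packet" describe one feature from two angles, and the second omits the config gate the first establishes; merge them into a single entry that names the option as it appears in the reference, e.g. "flow: compare each packet's timestamp with the previous packet on the flow, count stale packets, and drop them only when stream.drop_stale_packets = true (default false)". Also "http2_inspect: rid of removed base template" (twice) reads as a dropped word, "get rid of" or "remove" is meant, and "ayt" in the telnet entry should be written "AYT", the usual spelling of the Telnet Are You There command.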
The Snort Team
Revision History
-Revision 3.8.0.0 2025-05-09 10:27:32 EDT TST
+Revision 3.8.1.0 2025-05-26 18:17:09 EDT TST
---------------------------------------------------------------------
after given seconds from start up; -1 tracks all { -1:max31 }
* bool stream.allowlist_cache.enable = false: enable allowlist
cache
+ * bool stream.allowlist_cache.move_on_excess = false: move flows to
+ allowlist instead of removing when max flows limit reached
+ * bool stream.drop_stale_packets = false: enable dropping of
+ packets with stale timestamp
* int stream.ip_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 }
* int stream.icmp_cache.idle_timeout = 180: maximum inactive time
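Review bot: "enable dropping of packets with stale timestamp" on stream.drop_stale_packets leaves "stale" undefined in the reference; per the ChangeLog it means a timestamp earlier than the previous packet on the same flow, and the per-protocol stale_packets counters increment whether or not dropping is enabled, so say both here, e.g. "drop packets whose timestamp is earlier than the previous packet on the flow (such packets are always counted in *.stale_packets)". For stream.allowlist_cache.move_on_excess, "move flows to allowlist instead of removing when max flows limit reached" should state whether it has any effect when allowlist_cache.enable is false, and what inspection a moved flow still receives: the trigger is flow-table exhaustion, which remote traffic can drive, so an operator needs to know whether enabling this lets excess flows escape inspection under load.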
memcap (sum)
* stream.allowlist_memcap_prunes: number of allowlist flows pruned
due to memcap (sum)
- * stream.allowlist_flows: number of flows moved to the allow list
+ * stream.excess_to_allowlist: number of flows moved to the
+ allowlist due to excess (sum)
+ * stream.allowlist_flows: number of flows moved to the allowlist
(now)
* stream.current_flows: current number of flows in cache (now)
* stream.uni_flows: number of uni flows in cache (now)
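Review bot: stream.allowlist_flows is tagged (now), i.e. a gauge, but its text "number of flows moved to the allowlist" reads as a cumulative count and now overlaps with the new (sum) counter stream.excess_to_allowlist; reword the gauge to "number of flows currently in the allowlist cache" so the two are distinguishable. The new counter would also benefit from naming the only thing that increments it, e.g. "number of flows moved to the allowlist instead of being pruned on excess (allowlist_cache.move_on_excess) (sum)".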
* stream_icmp.released: icmp session trackers released (sum)
* stream_icmp.timeouts: icmp session timeouts (sum)
* stream_icmp.prunes: icmp session prunes (sum)
+ * stream_icmp.stale_packets: icmp stale packets (sum)
5.53. stream_ip
* stream_ip.released: ip session trackers released (sum)
* stream_ip.timeouts: ip session timeouts (sum)
* stream_ip.prunes: ip session prunes (sum)
+ * stream_ip.stale_packets: ip stale packets (sum)
* stream_ip.total_bytes: total number of bytes processed (sum)
* stream_ip.total_frags: total fragments (sum)
* stream_ip.current_frags: current fragments (now)
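Review bot: "icmp stale packets (sum)" and "ip stale packets (sum)" say neither what is counted nor that the count is independent of stream.drop_stale_packets; since the ChangeLog states stale packets are always counted and dropped only if enabled, use one shared wording across the protocol sections, e.g. "packets whose timestamp is earlier than the previous packet on the flow, counted regardless of drop_stale_packets (sum)", so the counter can be read as a timestamp-sanity indicator without turning drops on.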
* stream_tcp.released: tcp session trackers released (sum)
* stream_tcp.timeouts: tcp session timeouts (sum)
* stream_tcp.prunes: tcp session prunes (sum)
+ * stream_tcp.stale_packets: tcp stale packets (sum)
* stream_tcp.instantiated: new sessions instantiated (sum)
* stream_tcp.setups: session initializations (sum)
* stream_tcp.restarts: sessions restarted (sum)
asymmetric flows (sum)
* stream_tcp.asymmetric_flows: number of completed flows having
one-way traffic only (sum)
+ * stream_tcp.max_bytes_exceeded_hole: number of times max bytes
+ were exceeded due to a hole (sum)
+ * stream_tcp.max_segs_exceeded_hole: number of times max segs were
+ exceeded due to a hole (sum)
5.55. stream_udp
* stream_udp.released: udp session trackers released (sum)
* stream_udp.timeouts: udp session timeouts (sum)
* stream_udp.prunes: udp session prunes (sum)
+ * stream_udp.stale_packets: udp stale packets (sum)
* stream_udp.total_bytes: total number of bytes processed (sum)
* stream_udp.ignored: udp packets ignored (sum)
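Review bot: "number of times max bytes were exceeded due to a hole" on stream_tcp.max_bytes_exceeded_hole (and max_segs_exceeded_hole) uses "hole" and "max bytes" without tying them to anything the reader can configure; the ChangeLog entries "stream: detection of gaps in packet stream" and "stream_tcp: print stream_tcp state upon hitting queue_limits" give the intended meaning, so name the limit (the stream_tcp queue_limits values) and define the hole as a gap in sequence space left by missing segments, e.g. "number of times the queue_limits byte limit was exceeded while a sequence gap was pending (sum)". Someone tuning queue_limits after a burst of these counts needs to know the limit fired during a reassembly stall rather than on a healthy stream.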
duplex }
* bool stream.allowlist_cache.enable = false: enable allowlist
cache
+ * bool stream.allowlist_cache.move_on_excess = false: move flows to
+ allowlist instead of removing when max flows limit reached
+ * bool stream.drop_stale_packets = false: enable dropping of
+ packets with stale timestamp
* int stream.file_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 }
* bool stream_file.upload = false: indicate file transfer direction
received (sum)
* std_connector.messages_transmitted: total number of messages
transmitted (sum)
- * stream.allowlist_flows: number of flows moved to the allow list
+ * stream.allowlist_flows: number of flows moved to the allowlist
(now)
* stream.allowlist_memcap_prunes: number of allowlist flows pruned
due to memcap (sum)
* stream.current_flows: current number of flows in cache (now)
* stream.excess_prunes: sessions pruned due to excess (sum)
+ * stream.excess_to_allowlist: number of flows moved to the
+ allowlist due to excess (sum)
* stream.expected_flows: total expected flows created within snort
(sum)
* stream.expected_overflows: number of expected cache overflows
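Review bot: same (now)/(sum) wording mismatch as in the stream section: stream.allowlist_flows "number of flows moved to the allowlist (now)" is a gauge while the adjacent stream.excess_to_allowlist "(sum)" is the cumulative count, and stream.excess_prunes sits between them; one sentence noting that excess_prunes and excess_to_allowlist are the two outcomes of the same max-flows condition, selected by allowlist_cache.move_on_excess, would make the three entries coherent.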
* stream_icmp.prunes: icmp session prunes (sum)
* stream_icmp.released: icmp session trackers released (sum)
* stream_icmp.sessions: total icmp sessions (sum)
+ * stream_icmp.stale_packets: icmp stale packets (sum)
* stream.icmp_timeout_prunes: number of ICMP flows pruned due to
timeout (sum)
* stream_icmp.timeouts: icmp session timeouts (sum)
* stream_ip.reassembled: reassembled datagrams (sum)
* stream_ip.released: ip session trackers released (sum)
* stream_ip.sessions: total ip sessions (sum)
+ * stream_ip.stale_packets: ip stale packets (sum)
* stream.ip_timeout_prunes: number of IP flows pruned due to
timeout (sum)
* stream_ip.timeouts: ip session timeouts (sum)
sequence number (sum)
* stream_tcp.keep_alive_probes: number of tcp keep-alive probes
(sum)
+ * stream_tcp.max_bytes_exceeded_hole: number of times max bytes
+ were exceeded due to a hole (sum)
* stream_tcp.max_bytes: maximum number of bytes queued in any flow
(max)
* stream_tcp.max: max tcp sessions (max)
* stream_tcp.max_packets_held: maximum number of packets held
simultaneously (max)
+ * stream_tcp.max_segs_exceeded_hole: number of times max segs were
+ exceeded due to a hole (sum)
* stream_tcp.max_segs: maximum number of segments queued in any
flow (max)
* stream.tcp_memcap_prunes: number of TCP flows pruned due to
flushed when session released (sum)
* stream_tcp.sessions: total tcp sessions (sum)
* stream_tcp.setups: session initializations (sum)
+ * stream_tcp.stale_packets: tcp stale packets (sum)
* stream_tcp.syn_acks: number of syn-ack packets (sum)
* stream_tcp.syn_ack_trackers: tcp session tracking started on
syn-ack (sum)
* stream_udp.prunes: udp session prunes (sum)
* stream_udp.released: udp session trackers released (sum)
* stream_udp.sessions: total udp sessions (sum)
+ * stream_udp.stale_packets: udp stale packets (sum)
* stream.udp_timeout_prunes: number of UDP flows pruned due to
timeout (sum)
* stream_udp.timeouts: udp session timeouts (sum)
The Snort Team
Revision History
-Revision 3.8.0.0 2025-05-09 10:27:45 EDT TST
+Revision 3.8.1.0 2025-05-26 18:17:32 EDT TST
---------------------------------------------------------------------
5.15. Performance Monitor
5.16. POP and IMAP
5.17. Port Scan
- 5.18. Protocol Data Logging
+ 5.18. Advanced Logging
5.19. Sensitive Data Filtering
5.20. SMTP
5.21. Telnet
filtered scans, since these are more prone to false positives.
-5.18. Protocol Data Logging
+5.18. Advanced Logging
--------------
during TCP flow restart. For this case only bytes seen following the
restart will be reported.
+ * conn_state - records the connection state, which varies depending
+ on the protocol (UDP, TCP, or others):
+
+UDP Connection States:
+
+ * CLT_SRV_UDP_SEEN: Packets were seen from both the client and
+ server.
+ * CLT_UDP_SEEN: Only client packets were observed.
+ * SRV_UDP_SEEN: Only server packets were observed.
+
+TCP Connection States:
+
+The TCP connection state tracks both client and server states, each
+prefixed with CLT_ (for the client) and SRV_ (for the server). These
+states follow the TCP state machine as defined by the RFC, with the
+addition of TCP_MID_STREAM_SENT and TCP_MID_STREAM_REC to handle
+mid-stream traffic and TCP_STATE_NONE.
+
+OTH (Other Traffic):
+
+The OTH state is used for all non-UDP and non-TCP traffic, as well as
+for error cases.
+
+ * history - a string that tracks the connection’s history. It uses
+ letters to represent events, with uppercase letters denoting
+ client-side events and lowercase letters for server-side events.
+ Each letter appears only once for each direction, regardless of
+ how many times the event occurs.
+
+UDP Events: d: Packet with payload.
+
+TCP Events: s: SYN, h: SYN-ACK, a: Pure ACK or PUSH, d: Packet with
+payload, f: FIN, r: Reset.
+
Fields supported for weird and notice logs:
* sid - unique signature number of the rule
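Review bot: the history description says "Each letter appears only once for each direction" but not whether the letters are emitted in order of first occurrence, which is what a consumer correlating this with a Zeek conn.log history field (the ChangeLog says that is the purpose) will assume; state the ordering and give one worked string under the stated convention, e.g. a full handshake, data both ways and a client-initiated close would read "ShADadFf" (S client SYN, h server SYN-ACK, A client ACK, D client data, a server ACK, d server data, F client FIN, f server FIN). Two of the TCP letter definitions need tightening: "a: Pure ACK or PUSH" conflates a flag with a payload condition, so say whether a PSH segment carrying payload records d, a, or both, and "r: Reset" should say whether a RST seen with no preceding SYN still yields an entry, given that OTH is reserved for error cases. In the conn_state text, "as defined by the RFC" should name RFC 9293 (TCP, which obsoletes RFC 793); "TCP_MID_STREAM_SENT and TCP_MID_STREAM_REC ... and TCP_STATE_NONE" should list the values with the CLT_/SRV_ prefix exactly as they appear in the log and say which mid-stream value belongs to which side; and "OTH (Other Traffic):" should be formatted like the UDP and TCP sub-blocks so the three alternatives read as one list.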