by Lawrence R. Rogers (2018-10-11):
- Release 2.9.12-1
* Parsing HTTP CONNECT to extract the tunnel IP and port information.
* Alerting and dechunking for chunked encoding in HTTP/1.0 requests and responses.
* Fixed an issue where a junk line before the HTTP response header caused the header to be parsed incorrectly.
* Fixed GZIP evasions where an HTTP response with Content-Encoding: gzip contains a body that has a GZIP-related anomaly.
* Fixed an issue in certain scenarios where a BitTorrent pattern is seen only on the third packet of the session, causing client detection to be missed.
* SMB improvements for file detection and processing.
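Added example, not code from the Snort project, illustrating the 2.9.12-1 chunked-encoding item above: a minimal inspector that flags Transfer-Encoding: chunked on an HTTP/1.0 request or response (chunking is an HTTP/1.1 feature, so its presence in an HTTP/1.0 message is an anomaly) and dechunks the body so the real payload can be inspected. The function names and the sample message are this example's own.

```python
# Added example, not Snort's own dechunker: names and sample are constructed here.
import re

VERSION_RE = re.compile(rb"HTTP/(\d)\.(\d)")
HEX_RE = re.compile(rb"[0-9A-Fa-f]+")

def dechunk(body):
    """Reassemble a chunked body; returns (payload, alerts)."""
    out, alerts, pos = bytearray(), [], 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            alerts.append("truncated chunk header")
            break
        size_field = body[pos:end].split(b";", 1)[0].strip()  # drop chunk extensions
        if not HEX_RE.fullmatch(size_field):
            alerts.append("bad chunk size: %r" % size_field)
            break
        size, pos = int(size_field, 16), end + 2
        if size == 0:
            break  # last chunk; any trailers are ignored here
        chunk = body[pos:pos + size]
        out += chunk
        pos += size
        if len(chunk) < size or body[pos:pos + 2] != b"\r\n":
            alerts.append("truncated chunk or missing CRLF after chunk data")
            break
        pos += 2
    return bytes(out), alerts

def inspect_http(raw):
    """Parse one request or response; alert when an HTTP/1.0 message is chunked."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    m = VERSION_RE.search(lines[0])
    version = (int(m.group(1)), int(m.group(2))) if m else None
    headers = {k.strip().lower(): v.strip().lower()
               for k, _, v in (line.partition(b":") for line in lines[1:])}
    chunked = b"chunked" in headers.get(b"transfer-encoding", b"")
    alerts = ["chunked encoding in HTTP/1.0 message"] if chunked and version == (1, 0) else []
    payload, chunk_alerts = dechunk(body) if chunked else (body, [])
    return {"version": version, "chunked": chunked,
            "alerts": alerts + chunk_alerts, "body": payload}

# Constructed sample (not real traffic): an HTTP/1.0 response that uses chunking.
SAMPLE = (b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n"
          b"Transfer-Encoding: chunked\r\n\r\n"
          b"5;ext=1\r\nhello\r\n6\r\n world\r\n0\r\n\r\n")
```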
by Lawrence R. Rogers (2017-12-06):
- Release 126.96.36.199-1
* Added support to block portscans. In addition to tracking the scanning packets, the configured action (drop/sdrop/reject) is taken for all of them,
which means Snort blocks the packets and generates logs.
* Added support to re-evaluate reputation after reputation update for all flows except those that have already been blacklisted.
* Fixed RTP detection to tolerate up to two SSRC switches in each traffic direction.
* Fixed issues related to HTTP POST header flushing: file processing is now called directly if the header is not multipart, and an expensive
copy of segment data is avoided by not splitting segments when flushing headers.
* Fixed an issue where a protocol sweep alert was triggered when a single source IP scanned multiple destinations.
* Added changes to fix IP portscan detection for protocols other than ICMP, and fixed an issue where the bad-fragment-size event was not generated for oversized packets.
* Added changes to use raw data in case of PDF and SWF files during file processing for SHA calculation and Malware Cloud Lookup.
* Fixed issue of correct session matching for TCP SYN packets without window scale option so that FTP data channels match the same rule as FTP control channels.
* Fixed issue of applying new configuration in file inspection after Snort reload.
by Lawrence R. Rogers (2017-09-05):
- Release 2.9.11-1
* src/build.h : updating build number to 125.
* src/preprocessors/: spp_session.c, Stream6/snort_stream_tcp.c :
Fixed issue with the update of the global IPS id before packet processing.
* src/output-plugins/spo_unified2.c :
Added changes to display AppId for IPv6 unified events.
* src/: dynamic-preprocessors/Makefile.am,
sfutil/sfmemcap.c, sfutil/sfmemcap.h :
Fixed dynamic preprocessor compilation failure in OpenBSD platform.
* src/: parser.c, snort.h, detection-plugins/sp_replace.c :
Fixed issues while parsing rules in snort reload path.
* src/: appIdApi.h, dynamic-preprocessors/appid/appId.h,
Added implementation of hostPortCache versioning for unknown flows in AppID to detect and block BitTorrent.
* src/preprocessors/spp_normalize.c :
Fixed incorrect usage of snort configuration in snort reload path.
* src/dynamic-preprocessors/appid/: flow.c, flow.h, fw_appid.c :
Fixed issues with printing of messages for out-of-order packets.
* src/: mempool.c, mempool.h, reg_test.h, reload.c,
Added support for forced allocation of TCP protocol memory pool after maximum limit is reached.
* src/reload.c :
Fixed synchronisation issue during snort reload.
* src/sfutil/: sf_ip.h, sf_ipvar.c, sf_ipvar.h :
Added changes to improve performance of ipvar list comparison.
* src/: dynamic-output/plugins/output_lib.h,
sfutil/sf_textlog.c, sfutil/sf_textlog.h :
Added support for storing filenames in unicode format for SMB protocol.
* src/dynamic-preprocessors/appid/detector_plugins/detector_smtp.c :
Enhanced SMTP client detection by allowing line folding and all authentication methods.
* src/: fpcreate.c, sfutil/sfthd.c, sfutil/sfxhash.c :
Fixed issue in detection filter counter when rule is used in multiple configurations.
by Lawrence R. Rogers (2016-04-26):
- Release 188.8.131.52-1
2016-04-26 Rahul Burman <email@example.com>
* src/build.h: updating build number to 383
* configure.in, src/preprocessors/HttpInspect/server/hi_server.c:
Modified Http header parsing of multiline content-encoding header.
* src/preprocessors/: snort_httpinspect.c,
Fixed an issue where file position pointer was incorrectly set for HTTP response
containing chunked and gzip data.
* src/preprocessors/Stream6/: snort_stream_tcp.c
Added sanity check to TCP trimming in out-of-order FIN case.
Disabled port groups that are not useful unless adaptive profiling is enabled.
* src/: dynamic-preprocessors/sdf/spp_sdf.c, obfuscation.c:
Fixed an issue of incorrect masking of sensitive data.
2016-03-18 Gaurav Nagare <firstname.lastname@example.org>
* src/build.h: updating build number to 335
* src/dynamic-plugins/: sf_engine/examples/detection_lib_meta.h,
Updated detection API version to 2.6 to use the latest snort SO rules.
* src/: dynamic-preprocessors/sdf/spp_sdf.c,
Fixed several issues with SDF and obfuscation.
* src/: profiler.h, preprocessors/perf_indicators.c,
Resolved snort build issue with "--disable-perfprofiling" configure
* src/: decode.c, decode.h:
Added Double VLAN tagging support.
Enhanced mime parsing by adding support for detecting files
after unknown headers and no headers.
Fixed memory leak.
Fixed a gzip decompression issue when an HTTP/1.0 server response specifies
Content-Encoding as GZIP but carries no Content-Length field.
* doc/snort_manual.pdf, src/preprocessors/snort_httpinspect.c,
Fixed Snort memory leak in parsing HTTP xff options.
Fixed Coverity issues.
* src/preprocessors/: snort_httpinspect.c, snort_httpinspect.h,
Improved End of Header(EOH) identification for response header spanning multiple
* src/preprocessors/: HttpInspect/utils/hi_paf.c,
Improved packet reassembly for HTTP, added code to purge segment correctly when
PAF decides to ignore packet upon reaching paf_max.
Fixed to use outer header callback functions when checking IP rule against outer IPs
and inner header callback when checking against inner IPs.
Fixed an issue where http_inspect current and default config had
different file depth.
Handled malformed DNS host in AppId.
* src/file-process/: file_api.h, file_segment_process.c, file_service.c:
Prevented access to file contexts which are pruned when memcap is
* src/dynamic-preprocessors/appid/: app_forecast.c, app_forecast.h,
flow.h, fw_appid.c, spp_appid.c, thirdparty_appid_types.h:
Performance improvements to AppID.
Created a future-flow API for lua detector.
Exposed DNS API to lua detector.
Fixed an issue where unexpected SSL negotiation starts for FTP
with explicit SSL.
Updated HTTP PAF to accept all tokens between method and version
string in request URI.
Fixed Flash LZMA decompression issue.
Fixed file_depth initialization issue during Snort reload.