Commit graph

131 commits

Author SHA1 Message Date
rillig
bbe9c398c5 net/snort: clean up SUBST_FILES
src/snort.c neither contains "/usr" nor "../".
2020-04-25 20:13:50 +00:00
wiz
f669fda471 *: recursive bump for libffi 2020-03-08 16:47:24 +00:00
sevan
8f381b4388 Update to Snort 2.9.15.1
2019-12-15 - Snort 2.9.15.1
New Additions

    Added support for glibc version 2.30.

Improvements/Fix

    Fixed Snort core seen during SSL re-configuration.
    Fixed file access issues on files from SMB share.

Snort 2.9.15.0
New Additions

    Added new debugs to print detection, file_processing and Preproc time
consumption info and verdict.
    Added support to detect new Korean file formats .egg and .alg in the file
preprocessor.
    Added support to detect new RAR file-type in the file preprocessor.

Improvements / Fix

    Fix to generate ALERT if TEID value is zero in GTP v1 and v2 packets.
    Fix to whitelist FTP data sessions when no file policy exists.
    Fix RTF file magic to a more generic value to prevent evasions.
    Added debug logs during HTTP reload.
    Added rule SID check during validation.
    Fix an issue where HTTP was processing non-HTTP traffic on port 443.
    Added new debugs to print detection, file processing, and Prepro time
consumption info and verdicts.

Snort 2.9.14.1
[*] New Additions

 * Added support for wild card port numbers in host cache and overwriting port
service AppId.

 * Added support for new STLS client patterns to help better detect POP3S over
SSL.

 * Added support for detecting Mac based SMTP Microsoft Outlook client
application.

 * Added a new preprocessor alert 120:27 to alert if there is no proper end of
header.

[*] Improvements / Fix

 * Improved appId detection for proxied traffic.

 * Fix for enabling flow profiling mode without restarting snort detection
engine.

 * Fixed packet drop scenario.


Snort 2.9.13.0
New Additions

    Snort now supports reload on snort rules update.
    Addition of a scenario to add a packet to blacklist verdict to ensure the
new session will be allowed.
    Handled a new pre-processor alert in case of the improper end of the HTTP
header.

Improvements

    Modified the calculation of file hash for FTP/HTTP with offset values.
    Fixed portal authentication connection stuck in half closed state.
    Updated UDP global timeout for a non-standard port.

This release also patched the following two vulnerabilities:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-frpwr-smb-snort

Snort 2.9.12.0
New Additions

    Parsing HTTP CONNECT to extract the tunnel IP and port information.
    Alerting and dechunking for chunked encoding in HTTP1.0 request and
response.

Improvements

    Fixed an issue where, if we have a junk line before HTTP response header,
the header was wrongly parsed.
    Fixed GZIP evasions where an HTTP response with content-encoding:gzip
contains a body that has a GZIP-related anomaly.
    Fixed an issue in certain scenarios where a BitTorrent pattern is seen
only on the third packet of the session, causing us to miss our client
detection.
    SMB improvements for file detection and processing.

2017-12-06 - Snort 2.9.11.1
New Additions

    Added support to block portscan. In addition to tracking the scanning
packets, action(drop/sdrop/reject) will be taken for all the packets, which
means Snort will block the packet and generate logs.
    Added support to re-evaluate reputation after reputation update for all
flows except those that have already been blacklisted.


Improvements

    Fixed issue to detect RTP up to two SSRC switches in each traffic
direction.
    Fixed issues related to HTTP POST header flushing, calling file processing
directly if it is not a multipart header and changes to avoid expensive copy
of segment data by not splitting them when flushing headers.
    Fixed issue of triggering protocol sweep alert when there are multiple
destinations from single source ip protocol scan.
    Added changes to fix IP portscan for protocol other than ICMP and fixed
issue of bad fragment size event not being generated for oversized packets.
    Added changes to use raw data in case of PDF and SWF files during file
processing for SHA calculation and Malware Cloud Lookup.
    Fixed issue of correct session matching for TCP SYN packets without window
scale option so that FTP data channels match the same rule as FTP control
channels.
    Fixed issue of applying new configuration in file inspection after Snort
reload.

Snort 2.9.11
[*] New additions


    Changes to eliminate Snort restart when there are changes to the memory
allocated for preprocessors, by releasing unused or least recently used memory
when needed.
    Added support for storing filenames in Unicode for SMB protocol.
    Added implementation of hostPortCache versioning for unknown flows in
AppID to detect and block BitTorrent.



[*] Improvements


    Enhanced RTSP metadata parsing to match the user-agent field to detect
RTSP traffic over Windows Media.
    Performance improvement when SYN rate limit has reached and drop is
configured as next action
    Control-socket and side-channel support for FreeBSD platform.
    Fixed issue in file signature lookup for retransmitted FTP packet.
    Enhanced the processing of SIP/RTP future flows without ignoring them.
    Changes made in PDF/SWF decompression by adding boundary to the size of
the decompressed data.
    Added a null check to prevent copy unless debugHostIp is configured in
AppId.
    Fixed issue where FTP file type block doesn't work for retried download.
    Resolved issue where Snort is inappropriately handling traffic for which
AppId was creating future flow.
    Performance improvements for SIP/RTP audio and video data flow in AppId.
    Performance and stability improvements in FTP preprocessor like incorrect
referencing of ftp_data_session after it's pruned.
    Stability improvement by resolving valgrind reported issues in AppId.
    Improved flushing mechanism for HTTP POST header.
    Added changes to display AppId for IPv6 unified events.
    Fixed issues with printing of messages for out-of-order packets.
    Fixed issue in increment of detection filter counter when rule is used in
multiple configurations.
    Fixed dynamic preprocessor compilation failure in OpenBSD platform.
    Added changes to improve performance of ipvar list comparison.
    Enhanced SMTP client detection by allowing line folding and all
authentication methods.
2020-02-18 23:00:26 +00:00
wiz
c30c5fbc0b *: recursive bump for nettle 3.5.1 2019-07-20 22:45:58 +00:00
jperkin
5393242c73 *: Move SUBST_STAGE from post-patch to pre-configure
Performing substitutions during post-patch breaks tools such as mkpatches,
making it very difficult to regenerate correct patches after making changes,
and often leading to substituted string replacements being committed.
2018-07-04 13:40:07 +00:00
wiz
e5209a786e Add p11-kit to gnutls/bl3.mk and bump dependencies. 2018-04-17 22:29:31 +00:00
wiz
8733ee0040 Follow some http -> https redirects. 2017-08-01 14:58:51 +00:00
nils
911375b54a this is a leftover from the previous version, thanks leot@ for noticing ! 2017-06-22 10:39:19 +00:00
nils
062b69d31b forgot to add black_list.rules and white_list.rules 2017-06-16 06:47:12 +00:00
nils
f4a51def66 Upgraded to version 2.9.9.0.
This is a HUGE bump, so look at the changelog on the Snort website !
For example, Snort does not natively handle MySQL anymore.

As for the pkgsrc changes :
- updated deps (net/daq) ;
- updated config files ;
- updated MASTER_SITE ;
- some substitution to handle pkgsrc paths ;
- updated compile options.
2017-06-15 18:27:50 +00:00
agc
30b55df38e Convert all occurrences (353 by my count) of
MASTER_SITES= 	site1 \
			site2

style continuation lines to be simple repeated

	MASTER_SITES+= site1
	MASTER_SITES+= site2

lines. As previewed on tech-pkg. With thanks to rillig for fixing pkglint
accordingly.
2017-01-19 18:52:01 +00:00
wiz
982c8f22e9 Recursive bump for all users of pgsql now that the default is 95. 2016-10-09 21:41:55 +00:00
wiz
a82aa43c18 Recursive PKGREVISION bump for gnutls shlib major bump. 2016-09-19 13:04:18 +00:00
agc
203292f73e Add SHA512 digests for distfiles for net category
Problems found with existing digests:
	Package haproxy distfile haproxy-1.5.14.tar.gz
	159f5beb8fdc6b8059ae51b53dc935d91c0fb51f [recorded]
	da39a3ee5e6b4b0d3255bfef95601890afd80709 [calculated]

Problems found locating distfiles:
	Package bsddip: missing distfile bsddip-1.02.tar.Z
	Package citrix_ica: missing distfile citrix_ica-10.6.115659/en.linuxx86.tar.gz
	Package djbdns: missing distfile djbdns-1.05-test25.diff.bz2
	Package djbdns: missing distfile djbdns-cachestats.patch
	Package djbdns: missing distfile 0002-dnscache-cache-soa-records.patch
	Package gated: missing distfile gated-3-5-11.tar.gz
	Package owncloudclient: missing distfile owncloudclient-2.0.2.tar.xz
	Package poink: missing distfile poink-1.6.tar.gz
	Package ra-rtsp-proxy: missing distfile rtspd-src-1.0.0.0.tar.gz
	Package ucspi-ssl: missing distfile ucspi-ssl-0.70-ucspitls-0.1.patch
	Package waste: missing distfile waste-source.tar.gz

Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden).  All existing
SHA1 digests retained for now as an audit trail.
2015-11-04 00:34:51 +00:00
wiz
1a8b91542f Bump PKGREVISION for nettle shlib major bump. 2015-08-23 14:30:35 +00:00
jperkin
45bc40abb4 Remove example rc.d scripts from PLISTs.
These are now handled dynamically if INIT_SYSTEM is set to "rc.d", or
ignored otherwise.
2014-03-11 14:04:57 +00:00
wiz
e03c03b6dc Recursive PKGREVISION bump for libgcrypt-1.6.0 shlib major bump. 2014-01-01 11:52:02 +00:00
jperkin
b091c2f172 Bump PKGREVISION of all packages which create users, to pick up change of
sysutils/user_* packages.
2013-07-12 10:44:52 +00:00
wiz
a8730d5aa1 Bump PKGREVISION for mysql default change to 55. 2013-03-02 20:33:21 +00:00
jperkin
2701daa925 Sun's ar needs at least one symbol in a library.
Fixes SunOS build.
2013-02-22 12:05:34 +00:00
jperkin
73dedd67c2 PKGREVISION bumps for net/libpcap update. 2013-02-06 19:30:54 +00:00
asau
e059e7e469 Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days. 2012-10-23 17:18:07 +00:00
obache
3b49906c93 Instead of overwrite PKG_OPTIONS.snort with -inet6, drop inet6 from
PKG_SUGGESTED_OPTIONS for SunOS.

PR 46947.
2012-09-12 13:16:38 +00:00
wiz
f98e8b0585 Add inet6 to default suggested options. It's 2012. 2012-06-12 15:45:54 +00:00
wiz
ee311e3b36 Recursive bump for pcre-8.30* (shlib major change) 2012-03-03 00:11:51 +00:00
shattered
26ce32cfbd PR/29576 -- Use @RCD_SCRIPTS_SHELL@ in rc.d scripts, not /bin/sh 2011-10-07 22:37:02 +00:00
obache
9ea3b36c23 recursive bump from gettext-lib shlib bump. 2011-04-22 14:40:40 +00:00
gdt
b8f0ec33c9 Update to 2.8.5.1, to resolve a security issue.
Upstream NEWS is weak; release notes for 2.8.5.1 follow.

[*] Improvements
   * Fixed syslog output when running on Windows.

   * Fixed potential segfault when printing IPv6 packets using the -v option.
     Thanks to Laurent Gaffie for reporting this issue.

   * Fixed segfault when additional policies were added during a configuration
     reload.
2011-04-01 16:48:36 +00:00
obache
78d550a447 Add user-destdir support. 2009-12-09 11:42:35 +00:00
adrianp
2ae6078ec7 Give up MAINTAINER 2009-07-17 18:00:13 +00:00
joerg
3900f91ff1 Convert @exec/@unexec to @pkgdir or drop it. 2009-06-14 21:00:03 +00:00
joerg
62d1ba2bac Remove @dirrm entries from PLISTs 2009-06-14 18:03:28 +00:00
adrianp
08439b6b5e Update to 2.8.3.1
* Update rule latency thresholding
* The flow and stream4 preprocessors will be deprecated in a future release.
* DCE/RPC preprocessor changes to handle abnormal TCP segmentation.
  Added option to reassemble fragmentation buffers early.  Updated
  documentation.
* Fixed handling of MPLS label in checking Stream session uniqueness
  when IPv4 packets are received and build is IPv6.
See the ChangeLog for all the details
2008-10-25 18:35:19 +00:00
adrianp
e23ee51ffc Set MAKE_JOBS_SAFE=NO
Fix non-priv'ed builds which should fix PR 39260

2008-07-24 - Snort 2.8.2.2
[*] Improvements
    * Fix issue with evaluating PCRE rule options with /U modifier that
      are followed by a relative content rule option.

    * Fix issue with dsize range check.

2008-06-12 - Snort 2.8.2.1
[*] Improvements
    * Fix support for pass rules that sometimes did not take precedence
      over alert and/or drop rules.
2008-08-03 19:30:16 +00:00
joerg
291f070901 Use stdbool.h instead of defining bool manually.
Fixes issues e.g. on NetBSD where bool is defined by system headers.
2008-06-21 21:44:21 +00:00
adrianp
2a67cb0056 Add 'old' MASTER_SITE just in case we're running a little behind in versions 2008-06-11 13:00:56 +00:00
adrianp
1b4721f323 Update to 2.8.1
Includes fix for CVE-2008-1804

[*] New Additions
* Target-Based support to allow rules to use an attribute table
  describing services running on various hosts on the network.
  Eliminates reliance on port-based rules.
* Support for GRE encapsulation for both IPv4 & IPv6.
* Support for IP over IP tunneling for both IPv4 & IPv6.
* SSL preprocessor to allow ability to not inspect encrypted traffic.
* Ability to read multiple PCAPs from the command line.
* Support for new CVS rule detection options.

[*] Improvements
* Update to HTTP Inspect to identify overly long HTTP header fields.
* Updates to IPv6 support, including changes to avoid namespace
  conflicts for certain Operating systems.
* Updates to address issues seen on various Sparc platforms.
* Stricter enforcement of shared object versions to avoid API
  conflicts.
2008-05-25 23:49:07 +00:00
adrianp
3e87a878b2 Update to 2.8.0.1
[*] Improvements
* Updates to build with new versions of libPCRE.
* Fix Stream5 debugging output to actually compile and have correct output
  for normal & IPv6 enabled builds.
* Correct perfmonitor statistic calculation for pattern matcher percentage.
2008-01-06 00:28:44 +00:00
taca
d4a708aabc Remove an obsolete configuration file which was already deleted from PLIST.
This change should fix a problem with CHECK_FILES=yes.
2007-12-19 03:18:49 +00:00
adrianp
dd0dcee099 snort ipv6 support does not work on SunOS 2007-11-11 21:24:24 +00:00
adrianp
4da828180a Snort 2.8.x supports IPv6 2007-10-31 16:49:17 +00:00
adrianp
a2b8769b99 Update to 2.8.0
* Port lists
* IPv6 support
* Packet performance monitoring
* Experimental support for target-based stream and IP frag reassembly
* Ability to take actions on preprocessor events
* Detection for TCP session hijacking based on MAC address
* Unified2 output plugin
* Improved performance and detection capabilities
2007-10-21 00:22:53 +00:00
adrianp
a8a8ad11ff Remove libpreludedb dependency for snort-prelude builds. Apparently it's
not required.  From John R. Shannon.
2007-09-09 19:57:23 +00:00
adrianp
87761da3f5 Update to 2.7.0.1
Fixed header files to avoid conflicts with system files on BSD for
IPv6 data structures.
Added code to prevent URI-related alerts from firing when the
body is being normalized.
Make Stream5 the default stream engine.
Add alert for multiple GRE encapsulations.
Added ability for Snort to track fragmented ICMPv6 to check for the
remote BSD exploit (Bugtraq ID 22901, CVE-2007-1365).
Code cleanup, change malloc/calloc to SnortAlloc, use safer functions
SnortSnprintf, SnortStrncpy, etc.  Check pointers before use.
Additional updates for bounds checking.

And many more . . . check the ChangeLog for all the details
2007-08-20 20:28:18 +00:00
jlam
4390d56940 Make it easier to build and install packages "unprivileged", where
the owner of all installed files is a non-root user.  This change
affects most packages that require special users or groups by making
them use the specified unprivileged user and group instead.

(1) Add two new variables PKG_GROUPS_VARS and PKG_USERS_VARS to
    unprivileged.mk.  These two variables are lists of other bmake
    variables that define package-specific users and groups.  Packages
    that have user-settable variables for users and groups, e.g. apache
    and APACHE_{USER,GROUP}, courier-mta and COURIER_{USER,GROUP},
    etc., should list these variables in PKG_USERS_VARS and PKG_GROUPS_VARS
    so that unprivileged.mk can know to set them to ${UNPRIVILEGED_USER}
    and ${UNPRIVILEGED_GROUP}.

(2) Modify packages to use PKG_GROUPS_VARS and PKG_USERS_VARS.
2007-07-04 20:54:31 +00:00
adrianp
20aab0d59e Update to 2.6.1.5
Snort v2.6.1.5 includes:
* A new http_post rule keyword used to search for content in normalized
  HTTP posts
* A fix for a potential memory leak when generating HTTP Inspection events

Snort v2.6.1.4 includes detection functionality for a BSD IPv6 fragmentation
overflow, and addresses a number of potential security-related issues in
Snort as reported by customers, uncovered by internal investigations, and
through third-party code audits.
2007-05-18 22:20:09 +00:00
adrianp
8464f66dc1 Fix typos in options.mk
Fix snort-flexresp{2} so that they actually can be tested and work properly
 with the new libnet{10,11} layout
Pointed out by wiz@ in private email
2007-03-23 10:54:52 +00:00
joerg
800393454c Kill a useless, unportable check. 2007-02-20 17:29:36 +00:00
adrianp
e62c23b0b4 Update to 2.6.1.3
* src/dynamic-preprocessors/Makefile.am:
* src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
* src/dynamic-preprocessors/dcerpc/dcerpc.c:
Add bounds checking to ReassembleSMBWriteX; use Safememcpy for calculated
length buffer copies.
2007-02-19 19:40:35 +00:00
adrianp
0e80ca1b00 Remove the now obsolete Makefile.common 2007-02-17 21:45:18 +00:00