Snort 2.9.4 includes changes for the following:
[*] New additions
* Consolidation of IPv6 support: a single build now handles both IPv4 and IPv6, and the IPv4-only code paths have been removed.
* File API and improvements to file processing for HTTP downloads and email attachments via SMTP, POP, and IMAP to facilitate broader file support
* Use of address space ID for tracking Frag & Stream connections when it is available with the DAQ
* Logging, via a Snort event, of the packet data that trips a PPM (packet performance monitoring) limit, for post-analysis
* Decoding of IPv6 with PPPoE
* Added an API call to add a service to a host in the attribute table. Remove the unused live attribute update code.
* Update to Stream5 PAF for handling gaps in the sequence numbers of packets being reassembled.
* Selection of the Stream TCP policy based on the server side of the connection rather than on the destination of the first packet Snort sees
* Allow disabling of global thresholds via a count of -1
* Prevent blocking duplicate SYNs when using inline normalization
* Add SSLv3 backwards compatibility support for SSLv2 ClientHello messages
* Allow active responses to packets without data (e.g. a TCP SYN)
* Changed the logic of option evaluation for shared library rules that use a custom evaluation function to match that of the built-in logic when the NOT_FLAG is used. The 'NOT' matching now happens within each of the individual rule option evaluation functions.
* Updated the SMTP preprocessor to better handle commands whose data arrives on a subsequent line, to reduce false positives. Three commands fall into this category: X-EXPS, XEXCH50, and BDAT.
* Improved support for encapsulated and tunneling protocols so that a connection inside the tunnel can be blocked or fastpathed without applying that action to the whole tunnel.
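The SMTP change above (commands followed by their data on the next line) is easy to get wrong in any line-oriented parser, so here is an added example, not Snort's own code, of the failure and the fix in Python: a naive parser that treats every CRLF-terminated line as a command, beside one that, after BDAT n (RFC 3030) or XEXCH50 n, skips the declared n octets of message data before reading the next command. The session bytes are constructed; X-EXPS, which is an authentication exchange rather than a byte-counted chunk, is not modelled, and the "probe" command set is an assumption standing in for a real rule.

```python
"""Added example, not Snort's own code: why BDAT and XEXCH50 need state-aware
parsing. Both take a byte count and are followed by that many octets of raw
message data, so a parser that treats every line as a command will "see"
commands inside the message body and raise false positives."""
from __future__ import annotations

# Commands whose numeric argument is a count of raw octets that follow the
# command line (BDAT per RFC 3030; XEXCH50 is Exchange's proprietary equivalent).
CHUNK_COMMANDS = {"BDAT", "XEXCH50"}

# Assumed stand-in for a reconnaissance signature: SMTP user-enumeration verbs.
PROBE_COMMANDS = {"VRFY", "EXPN"}


def naive_commands(stream: bytes) -> list[str]:
    """Line-oriented view: the first token of every non-empty CRLF line is a command."""
    return [line.split()[0].decode("ascii", "replace").upper()
            for line in stream.split(b"\r\n") if line.strip()]


def chunked_commands(stream: bytes) -> list[str]:
    """State-aware view: after 'BDAT <n>' / 'XEXCH50 <n>', skip n octets of data
    before looking for the next command line. A truncated chunk simply ends the parse."""
    commands: list[str] = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n", pos)
        if end == -1:
            end = len(stream)
        line = stream[pos:end]
        pos = end + 2
        if not line.strip():
            continue
        parts = line.split()
        verb = parts[0].decode("ascii", "replace").upper()
        commands.append(verb)
        if verb in CHUNK_COMMANDS and len(parts) > 1 and parts[1].isdigit():
            pos += int(parts[1])  # consume the payload: it is message data, not commands
    return commands


def probe_commands(commands: list[str]) -> list[str]:
    """Detection step: which parsed commands look like user enumeration."""
    return [c for c in commands if c in PROBE_COMMANDS]


# Constructed sample session: a legitimate BDAT transfer whose message body
# happens to contain the text "VRFY root" (say, a forwarded mail-log excerpt).
MESSAGE = b"Subject: mail log\r\n\r\nVRFY root\r\n250 2.1.5 root <root@mx.example>\r\n"
COMMAND_LINES = (b"EHLO client.example\r\n"
                 b"MAIL FROM:<alice@example.net>\r\n"
                 b"RCPT TO:<bob@mx.example>\r\n")
SESSION = COMMAND_LINES + b"BDAT %d LAST\r\n" % len(MESSAGE) + MESSAGE + b"QUIT\r\n"
```

Running `probe_commands(naive_commands(SESSION))` reports a VRFY that never happened, while `probe_commands(chunked_commands(SESSION))` is empty; a real VRFY outside a chunk is still seen by both parsers.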
Snort is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol, and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide.
Snort can perform protocol analysis and content searching/matching. It can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. It uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plug-in architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user specified file, a UNIX socket, or WinPopup messages to Windows clients. Snort has three primary uses: a straight packet sniffer like tcpdump, a packet logger, or a full network intrusion prevention system.
- Protocol analysis and content searching/matching
- Uses a flexible rules language to describe traffic that it should collect or pass
- Detection engine that utilizes a modular plug-in architecture
- Real-time alerting capability
- Detects buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and more
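To make the rules language and content matching described above concrete, here is an added Python example, not Snort's own parser or detection engine: it parses a rule header and its option list (honouring quotes and escapes), decodes Snort's |hex| content notation, and matches a rule against constructed packets. The rule, the variable values and the packets are assumptions for illustration; only a subset of the language (any, $VAR, !negation, CIDR addresses, N:M ports, content with nocase) is handled, and flow, pcre and the other options are parsed but ignored.

```python
"""Added example, not Snort's own code: a minimal parser and matcher for the
Snort rule language (header plus content/nocase options) over constructed
packets. Supports any, $VAR, !negation, CIDR, N:M ports and |hex| content;
no [lists], flow/pcre/byte_test or stream state."""
from __future__ import annotations
import ipaddress
import re

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
    r"\s*\((?P<opts>.*)\)\s*$", re.S)
ESCAPE_RE = re.compile(r'\\([;"\\])')  # \; \" \\ inside a quoted option value

def split_options(opts: str) -> list[tuple[str, str | None]]:
    """Split on ';' outside quotes, honouring backslash escapes; returns (keyword, value)."""
    items, buf, in_quote, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            items.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    items.append("".join(buf))
    parsed = []
    for tok in (t.strip() for t in items):
        if tok:
            key, sep, val = tok.partition(":")
            parsed.append((key.strip(), val.strip() if sep else None))
    return parsed

def parse_rule(text: str) -> dict:
    """Header fields plus 'options' in rule order; ValueError on a malformed header."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("malformed rule header: " + text[:40])
    rule = m.groupdict()
    rule["options"] = split_options(rule.pop("opts"))
    return rule

def decode_content(raw: str) -> bytes:
    r"""'"abc|0d 0a|def"' -> b'abc\r\ndef': literal text outside |..|, hex octets inside."""
    text = raw.strip()
    if len(text) >= 2 and text[0] == text[-1] == '"':
        text = text[1:-1]
    out = bytearray()
    for i, seg in enumerate(text.split("|")):
        out += bytes.fromhex(seg) if i % 2 else ESCAPE_RE.sub(r"\1", seg).encode("latin-1")
    return bytes(out)

def port_matches(spec: str, port: int, variables: dict[str, str]) -> bool:
    spec = variables.get(spec[1:], spec) if spec.startswith("$") else spec
    if spec.startswith("!"):
        return not port_matches(spec[1:], port, variables)
    if spec == "any":
        return True
    if ":" in spec:  # N:M, N: or :M
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port

def addr_matches(spec: str, ip: str, variables: dict[str, str]) -> bool:
    spec = variables.get(spec[1:], spec) if spec.startswith("$") else spec
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip, variables)
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule: dict, pkt: dict, variables: dict[str, str]) -> bool:
    """Header match (both ways for '<>'), then every content must appear in the payload."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    def header(src, sport, dst, dport):
        return (addr_matches(rule["src"], src, variables) and port_matches(rule["sport"], sport, variables)
                and addr_matches(rule["dst"], dst, variables) and port_matches(rule["dport"], dport, variables))
    hit = header(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if not hit and rule["dir"] == "<>":
        hit = header(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if not hit:
        return False
    contents: list[list] = []  # [needle, nocase]; 'nocase' modifies the preceding content
    for key, val in rule["options"]:
        if key == "content":
            contents.append([decode_content(val), False])
        elif key == "nocase" and contents:
            contents[-1][1] = True
    payload = pkt["payload"]
    return all(needle.lower() in payload.lower() if nocase else needle in payload
               for needle, nocase in contents)

# Constructed data: a local-range sid (not a Sourcefire/VRT rule), assumed variables, three packets.
VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}
PASSWD_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL /etc/passwd request"; '
               'flow:to_server,established; content:"GET|20|"; content:"/etc/passwd"; nocase; '
               'classtype:attempted-recon; sid:1000001; rev:1;)')
def packet(src, sport, dst, dport, payload, proto="tcp"):
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport, payload=payload)
EXTERNAL_PROBE = packet("203.0.113.5", 41234, "192.168.1.10", 80, b"GET /cgi-bin/../../etc/PASSWD HTTP/1.0\r\n")
INTERNAL_PROBE = packet("192.168.1.5", 41234, "192.168.1.10", 80, b"GET /etc/passwd HTTP/1.0\r\n")
BENIGN = packet("203.0.113.5", 41234, "192.168.1.10", 80, b"GET /index.html HTTP/1.0\r\n")
```

`rule_matches(parse_rule(PASSWD_RULE), EXTERNAL_PROBE, VARS)` is True (the nocase modifier lets "/etc/PASSWD" match), while the same probe from an address inside $HOME_NET and the benign request both fail. Note that nocase attaches to the content immediately before it, which is why the matcher collects contents in rule order instead of looking keywords up by name.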