Author Topic: Network Pig Snort ...  (Read 11189 times)

Offline SiLæncer

  • Cheff-Cubie
  • *****
  • Posts: 191383
  • No input, no output
    • DVB-Cube
Snort 2.9.20
« Reply #45 on: 09 June, 2022, 12:00 »
Release Notes

  • New Additions


        Added support for dns root queries and underflow.
        Added support to get extra data from SMTP and HTTP into IPS event.
        Added support for login success and failure eventing for IMAP and POP3.
        Added support to handle empty string for SNI/CN/SAN/ORG.

  • Improvements / Fix


        Fixed a scenario where SSL traffic was not detected correctly.
        Fixed security zones info in intrusion events.
        Fixed URL lookup failure.

Changelog


snort 2.9.20

   * src/dynamic-preprocessors/appid/service_plugins/service_ssl.c :
     Fixed a scenario where SSL traffic was not detected correctly.

   * src/dynamic-preprocessors/smtp/snort_smtp.c :
     Fixed a possible memory corruption.

   * src/dynamic-preprocessors/imap/imap_util.c
     src/dynamic-preprocessors/pop/pop_util.c
     src/dynamic-preprocessors/smtp/smtp_util.c
     src/preprocessors/spp_httpinspect.c :
     Fixed malformed packet debug engine output.

   * src/preprocessors/Stream6/snort_stream_tcp.c :
     Fixed security zones info in intrusion events.

   * src/dynamic-preprocessors/appid/fw_appid.c :
     Fixed URL lookup failure.

   * src/preprocessors/HttpInspect/server/hi_server.c :
     Fixed a possible memory leak.

   * src/dynamic-preprocessors/appid/detector_plugins/detector_dns.c
     src/dynamic-preprocessors/appid/fw_appid.c
     src/dynamic-preprocessors/appid/fw_appid.h
     src/dynamic-preprocessors/appid/detector_plugins/service_plugins/service_api.h :
     Added support for dns root queries and underflow.

   * src/dynamic-preprocessors/smtp/snort_smtp.c
     src/Makefile.am
     src/dynamic-examples/Makefile.am
     src/dynamic-plugins/sf_dynamic_plugins.c
     src/dynamic-plugins/sf_dynamic_preprocessor.h
     src/dynamic-preprocessors/Makefile.am
     src/dynamic-preprocessors/smtp/snort_smtp.h
     src/dynamic-preprocessors/smtp/spp_smtp.c
     src/smtp_api.h :
     Added support to get extra data from SMTP and HTTP into IPS event.

   * src/dynamic-preprocessors/appid/detector_plugins/detector_imap.c
     src/dynamic-preprocessors/appid/detector_plugins/detector_pop3.c :
     Added support for login success and failure eventing for IMAP and POP3.

   * src/dynamic-preprocessors/appid/hi_server.c :
     Added support to handle empty string for SNI/CN/SAN/ORG.

http://www.snort.org/

Work / test machine:

Intel® Core™ i7-6700 (4 x 3.40 GHz / 4.00 GHz)
16 GB (2 x 8 GB) DDR4 SDRAM 2133 MHz
250 GB SSD Samsung 750 EVO / 1 TB HDD
ZOTAC Geforce GTX 1080TI AMPExtreme Core Edition 11GB GDDR5
MSI Z170A PC Mate Mainboard
DVD burner drive
Microsoft Windows 10 Home 64Bit

TT S2 3200 (BDA driver 5.0.1.8) + Terratec Cinergy 1200 C (BDA driver 4.8.3.1.8)

Offline SiLæncer

Snort v3.1.48.0
« Reply #46 on: 03 December, 2022, 19:00 »
Changelog


Changes in this release since 3.1.47.0:

    appid: added config for logging alpn service mappings
    appid: fixed addition of duplicate entries in app_info_table
    appid: make appid availability independent from TP state
    cmake: add FLEX build macro
    doc: update sensitive data documentation
    doc: update user/js_norm.txt for PDF
    flow: add an event for retry packets
    flow: added an event to allow post processing of new expected flows
    flow: fix deferred trust clear when packet is dropped
    flow, stream: added code to track and event for one-sided TCP sessions and generate an event for established or one-sided flows
    http_inspect: add decompression failure check before normalization
    http_inspect: remove port from xff header
    ips_option: keep cursor intact for a negated content mismatched
    ips_option: keep cursor intact for a negated hash mismatched
    js_norm: implement Enhanced JS Normalization for PDF
    js_norm: use FLEX macro to build parser
    process: watchdog to abort snort when multiple packet thread becomes unresponsive
    smb: handling smb duplicate sessions
    stream: add logic to ensure metaACKs cause flushing

Source: https://github.com/snort3/snort3

http://www.snort.org/

Offline SiLæncer

Snort 3.1.50.0
« Reply #47 on: 21 December, 2022, 12:00 »
Changelog


Dependencies:

    LibDAQ v3.0.10

Changes in this release since 3.1.48.0:

    alert_fast: fix initialization of http_inspect cheat codes
    appid: appid_detector_builder.sh addPortPatternService call fixed
    appid: do not reset session data when built-in discovery is not done
    appid: fixed assert condition for odp_ctxt and odp_thread_local_ctxt
    config: ensure table state is reset when starting a new shell
    config: fix talos tweaks for the daq module
    data_bus: improve pub-sub performance
    doc: add decompression mention to js_norm reference
    doc: update user/js_norm.txt for PDF in email protocols
    geneve: if daq has the capability, do not bypass geneve tunnel
    host_cache: fix initialization from Lua
    ips_options: fix offset related bug in byte_test eval()
    js_norm: add PDF stream processing
    js_norm: add support for email protocols
    js_norm: fix pdf_tokenizer_test on FreeBSD platform
    js_norm: update PDF tokenizer to use glue input streambuf
    pop, imap, smtp: gracefully decline buffer requests when flow data is not present
    stream: ignore PAWS timestamp checks when in no_ack mode
    wizard: remove client_first option

Source: https://github.com/snort3/snort3

http://www.snort.org/

Offline SiLæncer

Snort 3.1.53.0
« Reply #48 on: 27 January, 2023, 18:00 »
Changelog


    appid: publish tls host set in eve process event handler only when appid discovery is complete
    detection: show search algorithm configured
    file_api: handling filedata in multithreading context
    flow: add stream interface to get parent flow from child flow
    memory: added memusage pegs
    memory: fix unit test build w/o reg test

http://www.snort.org/

Offline SiLæncer

Snort 3.1.55.0
« Reply #49 on: 10 February, 2023, 11:00 »
Changelog


Changes in this release since 3.1.53.0:

    appid: first packet detector creation support in appid detector builder script
    appid: support for IPv4 and IPv6 subnets for First Packet API
    appid: updating lua API to accommodate netbios domain extraction, substring search, and substring index.
    appid: use packet thread's odp context instead of inspector's context for packet processing
    build: fix configure_cmake.sh 'too many arguments' error
    detection: add new pegcount
    main: avoid race conditions when accessing id to tid map
    ssl: refactor ssl client hello parser to be used by appid/ssl inspectors
    stream_tcp: fix passive pickups with missing packets. Thanks to nagmtuc and hedayat for reporting and helping debug the issue.
    wizard: ensure Wizard is refcounted by MagicSplitter to prevent snort crashes due to memory corruption

http://www.snort.org/

Offline SiLæncer

Snort 3.1.56.0
« Reply #50 on: 24 February, 2023, 10:00 »
Changelog


Changes in this release since 3.1.55.0:

    appid: add validation for rpcbind universal address
    appid: merge cname pattern matchers with ssl pattern matchers
    configure: fix typo in jemalloc with tcmalloc error message
    copyright: update for year 2023
    doc: update sd_pattern docs after obfuscation changes
    sd_pattern: keep obfuscation blocks per buffer

http://www.snort.org/

Offline SiLæncer

Snort 3.1.57.0
« Reply #51 on: 13 March, 2023, 11:00 »
What's new:

    ftp_telnet: updated flushing around subnegotiation parameters
    profiler: add rule time percentage table field
    search_engine: allocate a single shared scratch space

http://www.snort.org/

Offline SiLæncer

Snort 3.1.59.0
« Reply #52 on: 07 April, 2023, 22:00 »
What's new:

    file_api: handling file cache context
    flow_cache: prune multiple flows
    http2_inspect: clear flow stream_intf with flow_data
    http2_inspect: make flow data reload safe
    memory: subtract the allocated memory from the thread pruned before comparing to the target
    stream: store thread local flow control pointer in global
    thread_config: add preemptive watchdog kick for flow deletion
    thread_config: remove message use in watchdog timer

http://www.snort.org/

Offline SiLæncer

Snort 3.1.60.0
« Reply #53 on: 22 April, 2023, 10:00 »
What's new:

    appid: fixed TSAN warnings
    appid: log max rss difference and pattern count during appid initialization and reload detectors
    appid: make ssl app group id lookup set payload and client
    appid: making free_servicematch_list thread local
    src: change a few operator bool functions to named functions
    src: fix broken unit test/tweak define related to previous operator bool fixes

http://www.snort.org/

Offline SiLæncer

Snort 3.1.61.0
« Reply #54 on: 08 May, 2023, 11:00 »
Changelog


    appid: appIdPegCounters thread data handling refactored to prevent data races
    appid: ensure that TP SSL detection is not overwrite SMTPS service and client in a starttls session
    appid: validate data size of SSL certificate record before parsing
    build: remove unused header. Thanks to Rui Chen for reporting the issue.
    cmake: update sed call. Thanks to graysky for reporting the issue.
    flow: defensive fix to prevent crash if flow->prev is nullptr.
    flow, hash, stream: add a free list node count that is output as a peg count
    managers: check main SnortConfig pointer in InspectorManager::get_inspector() to avoid memory bad access calls
    memory: fix memory pruning race condition and bail on reap failure
    memory: provide a default value for pointers if the module has not been initialized
    profiler: add shell commands
    profiler: move profiler module to separate files
    snort: add show_config_generation() command
    stream_tcp: populate TCP pseudopackets with VLAN ids in TCP reassembler to avoid issues with secondary flow creation / expected flow cache

http://www.snort.org/

Offline SiLæncer

Snort 3.1.62.0
« Reply #55 on: 22 May, 2023, 11:00 »
Changelog


    appid: added logic to check for encrypted appid before assigning SSL service based on port
    decompress, detection, file_api, framework: cppcheck fixes
    flow: clean up flow termination
    flow: do not recycle flow cache entries
    http_inspect: add support for file transfer using Partial Content
    main: disable watchdog when Snort 3 process exits gracefully
    main, managers: set the network policy using the user id during inspector delete
    memory: add extra jemalloc counts for tracking
    memory: use jemalloc stats.mapped for process total
    profiler: add json formatter
    protocols: add check for missing Geneve layer in get_geneve_options.
    protocols,codecs: decode Geneve variable length options.
    sfip/test: fix a miscalculation of the number of codes entries.
    snort2lua: remove 'reference' option during conversion

http://www.snort.org/

Offline SiLæncer

Snort 3.1.66.0
« Reply #56 on: 19 July, 2023, 10:00 »
Changelog


Changes in this release since 3.1.65.0:

    appid: cache Complex HTTP Pattern glossary before detectors reload
    appid: early detection of ssh and ignoring third-party detection
    appid: fix for opportunistic tls detected as ssl
    binder: in case of a service change, remove flags indicating an abort of the direction
    flow: changes to support derived classes of parent class Flow
    ftp: remove file_data dependency on file_id
    helpers: added additional log in print_backtrace for debugging purpose
    ips_options: add gadget check for vba_data
    ips_options: add unit tests for vba_data
    ips_options: update dev_notes about IPS options input values
    perf_mon: fix dump_stats collision with perf mon
    rna: add stats for rna graphs
    stream_tcp: validate proper update of stream_tcp state when seglist head follows a hole

http://www.snort.org/

Offline SiLæncer

Snort 3.1.69.0
« Reply #57 on: 29 August, 2023, 20:00 »
Changelog


    appid, cip: parsing cip safety segments
    appid: mark ssl appid lookup successful if a service id is available
    appid: prefer eve client over appid detected client after decryption and use appid detected client version if eve client equals appid client
    dce_rpc: fix stats for client/server segments reassembled. Thanks to Bader-eddine Ouaich for addressing the issue.
    dns: parse and publish dns response with ip, fqdn/ttl data
    dns: updates to allow DNS to be compiled dynamically.
    doc: update tutorial
    framework: add virtual for inspectors that publish data when no ips policy is enabled.
    http2_inspect: add frame when logging a packet
    http2_inspect: handle empty header name
    http2_inspect: update connection settings on ack
    http2_inspect: update test tool configurations
    http_inspect: adjust formatting
    http_inspect: disable rule evaluation caching for MIME attachments
    inspector: export get_service_inspector_by_service method
    managers: fix get_inspector to use the passed in snort config for context and inspection inspectors
    mime: fix boundary search
    mime: postpone boundary-look-alike data till the next PDU arrives
    mime: support transport padding in boundary strings
    sfip: Add < operator so SfIp can be used in std::map and std::set.
    src: remove ips option asn1
    stream: init meta ack packet action field
    wizard: refactoring - split curses to multiple files by protocol

http://www.snort.org/

Offline SiLæncer

Snort 3.1.70.0
« Reply #58 on: 12 September, 2023, 20:00 »
Changelog


Changes in this release since 3.1.69.0:

    appid: makes regex error more of a warning
    detection: fix assert expression
    helpers: improve hyperscan_search error message
    host_cache: added segmented host cache
    main: prevent reloading unprepared thread
    search_engines: allow a snort config to be passed to find_all

http://www.snort.org/

Offline SiLæncer

Snort 3.1.71.0
« Reply #59 on: 26 September, 2023, 20:00 »
Changelog


Changes in this release since 3.1.70.0:

    appid, http_inspect, http2_inspect: create appid session if not present in decrypt event handler, add message section as part of StreamFlowIntf for httpx
    codecs: Add IPv6 Reserved Address to GID:116 Rules
    detection: avoid multiple fixups of duplicated trees
    detection: fix of default ips policy switching
    flow: allow reinspection for blocked icmp flows after reload
    flow: generate flow setup and established events for ha flows
    host_cache: cppcheck fix
    http2_inspect: fix http2 frame length for logging
    main: fix signals handling after failed started instances
    main: reset_stats argument type improvement
    parser: add file_id rule syntax evaluation
    smtp: add alert for mixed LF and CRLF
    smtp: process DATA\n (no \r)
    stream: extend list of arguments for extra data logging
    stream_tcp: ensure all data segments after a zero window are blocked when NAP is inline
    stream_tcp: examine whether a segment plugs a hole before blocking due to exceeding queue_limit

http://www.snort.org/
