Snort

Consolidation of IPv6, file API and improvements to file processing, use of address space ID for tracking Frag & Stream connections, logging of packet data that triggers PPM for post-analysis, decoding of IPv6 with PPPoE, and more.

This release fixes a check for TCP RST flags to prevent sending resets to reset packets with inline and active responses, updates hashing for internal storage of rule options for 64bit platforms when checking uniqueness to remove duplicate copies in memory and addresses some small memory leaks from parsing snort.conf. Please note that 2.9.3.1 and later packages are signed with a new PGP key (which is signed with the previous key).

Updates to the flowbit rule option, dcerpc2, and reputation preprocessors. A new dynamic output plugin architecture API. Various updates and improvements to http_inspect, SMTP mempool allocations, and email attachment processing. pflog v4 support has been added to packet decoders. Logging of multiple unified2 alerts with reassembled packets has been fixed. Compiler warning cleanup across multiple platforms. All database output support has been removed.

The GTP preprocessor was updated to better handle GTPv1 data. The DNP3 preprocessor now has stricter packet checking. Checking in the reassembly buffer was improved. PCRE rule option processing was fixed to prevent issues seen with libpcre 8.30 and certain rules. dcerpc2 no longer aborts reassembly if the target-based protocol is undefined.

Updates to HTTP Inspect, stream handling for TCP session cleanup with RSTs and other TCP state tracking, active responses to fragmented IPv6 traffic and to the react page configuration, and SIP preprocessor and state tracking improvements to SMB processing in the dcerpc2 preprocessor when missing packets on a session.