Releases: snort3/snort3

Snort v3.7.4.0

08 May 21:09

Dependencies:

  • Libdaq v3.0.19
  • LibML v2.0.0

Changes in this release since 3.7.4.0:

  • appid: fixed crash while printing appid debug
  • appid: multiprocess init for appid third-party syncevents
  • build: apply workaround only for lower versions of LuaJIT. Thanks to Michael Cho for reporting the issue.
  • extractor: add weird and notice logging
  • extractor: extend dns support
  • extractor: support conn.log orig_bytes, resp_bytes
  • flow: don't offset flow instance number by 1 when printing flows
  • http_inspect: add dynamic length-limited publishing of request and response body
  • mp_data_bus: adding peg stats and socket commands for multiprocess databus
  • mp_data_bus: core logic for multi-process databus
  • mp_data_bus: standardize data types
  • mp_unix_transport: clang compilation fix for multiprocess
  • mp_unix_transport: multiprocess_transport plugin type, implementation of unix domain name based multiprocess transport

Snort v3.7.3.0

21 Apr 19:42

Dependencies:

  • Libdaq v3.0.19
  • LibML v2.0.0

Changes in this release since 3.7.2.0

  • appid: added caching for dns detector
  • appid: fixed unknown payload case for domain fronting
  • control: fix data race in ControlConn touch method
  • dns: handle multi transaction-IDs in single DNS-UDP flow
  • extractor: enable TSV (Tab-Separated Values) formatting
  • extractor: extend dns logging
  • extractor: fix static checker warning
  • extractor: make parsing more strict
  • extractor: simplify CSV logger implementation and add configurable delimiter
  • filters: initialize struct fields when instance is defined
  • flow: fix coverity SWAPPED ARGUMENTS and Y2K38_SAFETY issues
  • helpers: validate input from conf file to verify port number string is valid digits
  • host_tracker: recode while loop to avoid bogus coverity infinite loop warning
  • http2_inspect: added settings_max_frame_size parameter and built-in rule 121:44 to check for max frame size
  • http: initialize class member variables in the ctor
  • ips_options: allocate large buffer for base64 decode from heap instead of on stack
  • loggers: allocate large buffer for writing unified2 extra data from heap instead of stack
  • main: added show_snort_packet_latency() help command support
  • main: do not collect configurations for utility shells
  • main: redirect stdin, stdout, stderr to /dev/null with the freopen system call
  • main: refactor signal handling switch statement, return codes and FatalError
  • managers: use std::move to pass shared ptr to new owner to avoid a copy
  • packet_capture: rename pcaps and change default values

Snort v3.7.2.0

31 Mar 18:58

Dependencies:

  • Libdaq v3.0.19
  • LibML v2.0.0

Changes in this release since 3.7.1.0

  • appid: added flag to inspect out-of-order packets
  • appid: modified shadow traffic status to default
  • connectors: new unix domain connector
  • dce_rpc: ignoring false positives and fixing spell checks
  • dns: pass packet in DnsResponseEvent
  • dump_config: include PID into dump file name
  • file_api: making current_context as nullptr before it gets the value of ctx and removing redundant check
  • imap, pop: delete if expression that compared session flag to the packet_flag field
  • main: initialize openssl at startup
  • packet_capture: support packet capture limit and location
  • packet_capture: use existing util function to check directory path
  • pub_sub: basic framework with skeleton APIs multiprocess databus
  • stream_tcp: eliminate redundant calls to initialize the normalizer policy
  • stream_tcp: initialize each tracker's normalizer for missed 3whs behavior individually when the initial packet is processed by the tracker
  • stream_tcp: make member variables private to improve tracker class encapsulation
  • stream_tcp: only allow legacy OS and FIRST normalizer policies to be configurable. Proxy and missed 3whs modes are determined dynamically per flow
  • stream_tcp: reduce verbosity of packet tracer log messages for normalizer initialization actions
  • stream_tcp: rename OS policy names to prevent conflict with existing macros
  • stream_tcp: split StreamPolicy enum into enums specific to normalization and to overlap resolution
  • unified2: add packet dump to unified event with reassembled udp packet

Snort v3.7.1.0

12 Mar 21:34

Dependencies:

  • Libdaq v3.0.19
  • LibML v2.0.0

Changes in this release since 3.7.0.0

  • appid: added publishing of domain fronting event
  • appid: adding general appid support and encrypted dns
  • appid: adding log while creating third party context to monitor hanging
  • appid: change get_appid_session_api to use the stash
  • appid: convert appid flow data to use objects
  • appid: fixes for coverity and cppcheck issues
  • appid: implemented domain fronting support for shadow traffic
  • appid: implemented support for shadow traffic evasive vpn & multihop proxy
  • build: add version check for numactl
  • copyright: update year to 2025
  • detection: fix leave_group call which should be against current packet only
  • extractor: add configuration option for time formatting
  • extractor: add escaping for special characters
  • extractor: add support for file name and type for mime
  • extractor: add tenant id as common field
  • extractor: add time formatting in loggers
  • extractor: dns support
  • extractor: fix spelling
  • extractor: print null for fields that require missing packet context
  • extractor: remove obsolete includes
  • file_api: add log message for reset ctx
  • file_api: file event generated for asymmetric flow
  • file_api, http_inspect: add info about partial download to FileInfo
  • file_api: making sha256 point to null to avoid dangling cases
  • file_api: setting current file data inside mutex with file data received before accessing it
  • ftp_telnet: flow data creation when port command is issued for active ftp
  • helpers: add missing include for unit tests
  • ips: fix tsan issue with logging rule tree construction
  • main: allow toggling generation of instance_map output
  • main: snort --create-pidfile cmd line parameter update and support for --max-peers command line parameter implemented
  • network_inspectors: rename kaizen to snort_ml
  • pub_sub: add ips rule event for extractor
  • pub_sub: changes for domain faking for shadowtraffic_aggregator
  • snort_ml: build models into a BinaryClassifierSet
  • stream_tcp: changed asymmetric flows counter increment conditions
  • thread_config: add option for setting NUMA memory policy
  • thread_config: fix numa build issue
  • utils: add is_directory_path

Snort v3.7.0.0

17 Feb 17:44

Dependencies:

  • Libdaq v3.0.18
  • If you are using rules from snort.org, please use latest Talos_lightSPD package from version 2025-02-12-001 onward (due to API bump)

Changes in this release since 3.6.3.0

  • extractor: add default filter
  • extractor: add logging constraints
  • framework: add interface to warn about reaching limit of ips opt re-usage
  • framework: bump base API version
  • framework: bump ips option version
  • ips_options: warn about excessive detection options

Snort v3.6.3.0

04 Feb 21:28
Compare
Choose a tag to compare

Dependencies:

  • Libdaq v3.0.18

Changes in this release since 3.6.2.0

  • appid: added check for brute force manager presence
  • dump_config: implement dump config generation in a file
  • extractor: add handling for connector creation failure
  • extractor: support connection logs
  • file: malware and file events when action changed from block malware to cloud malware lookup event
  • file: retrying the packet when file cache is full
  • flow: add command that dumps only flow summaries
  • framework: remove inspector slot and use get_instance_id instead
  • ftp_telnet: only add expected flows when the daq_msg field in the control packet is not null.
  • hosts: added check to verify ip protocol match on hosts lookup
  • main: add thread_id in instance_mapping output file
  • main: acquire TSC time scale at the startup
  • mercury: telemetry file changes for multiprocess snort
  • packet_io: check the DAQ_Msg_h parameter on api calls and return an error code when it is a null pointer
  • perf_monitor: update structure clearing to C++ method
  • perf_monitor: update flow state value reset

Snort v3.6.2.0

26 Jan 02:25

Dependencies:

  • Libdaq v3.0.18
  • Libpcre2

Changes in this release since 3.6.1.0

  • appid: adding thresholds to brute-force detection
  • appid: optimised appid logs and trace
  • cmake: modification to search custom jemalloc first
  • data_bus: fix publisher registration data races
  • data_bus: remove unsubscribe methods
  • doc: stylize dependency names in README.md
  • file_api: add pending expire time reset for FileInfo
  • flow: use timeout set on flow rather than using configured timeout
  • hyperscan: fix debug log tsan issue
  • ips: add access to Event references
  • ips_options: ips_content.cc given width and endian parameters for simpler multi-byte char matches
  • ips: update pcre to pcre2
  • js_norm: add stoi out of range exception handling
  • main: support an instance ID dump per-thread
  • pcap: filter Geneve encapsulated packets using inner headers
  • pub_sub: implemented header definitions for shadow traffic aggregator
  • ssl: added length check for cert data processing
  • stream_tcp: evaluate flush policy on asymmetric connections when the connection closes or the tcp session is cleared
  • stream_tcp: initialize 3whs normalizer for peer tracker separately
  • tcp_pdu: rename to tlv_pdu
  • utils: add new header/wrapper for pcre2 code unit width

Snort v3.6.1.0

30 Dec 15:30

Dependencies:

  • Libdaq v3.0.17

Changes in this release since 3.6.0.0

  • appid: enhanced control error message with additional info
  • build: include/exclude snort_ml module conditionally
  • dns: adding fallback functionality
  • file_api: add re_eval flag to fileinfo
  • inspector_manager: refactored instrumentation code of connection profiling
  • log: print all warnings before command line is parsed
  • main: improve logging reload_config arguments
  • pop: adding wrong bytes threshold to determine if pop splitter should fallback
  • smtp: smtp inspector fallback functionality for invalid commands and responses
  • stream_tcp: refactor tcp reassembler class structure and init to avoid thread data race scenarios

Snort v3.6.0.0

05 Dec 02:47

Dependencies:

  • Libdaq v3.0.17

Changes in this release since 3.5.2.0

  • analyzer: add logging for resource tuning progress
  • appid: adding full path to read list of lua detectors
  • build: update docs about the bump of C++ compiler supported feature set requirement
  • connectors: add std I/O connector and connector API update
  • connectors: fix cppcheck warning in std_connector test
  • extractor: update logger
  • file_api: add unit tests for fileinfo methods
  • flow: publish flow end event
  • http_inspect, mime: add hostname and url for http with mime
  • http_inspect: remove semicolon http_param delimiter
  • ips_options: update module::begin method and reset 'relative' flag
  • main: remove mutex from snort command to show snort cpu

Snort v3.5.2.0

20 Nov 03:51

Dependencies:

  • Same as 3.5.1.0

Changes in this release since 3.5.1.0

  • decompress: handle ZIP central directory
  • doc: add extractor logging feature
  • extractor: add ftp service implementation
  • extractor: add imaginary transaction event to FTP
  • extractor: add user field
  • extractor: enable logging for FTP aggregated event
  • extractor: event handlers subscribe by themselves
  • extractor: fix memory management
  • extractor: include type support header explicitly
  • extractor: introduce flow data
  • extractor: log on last response
  • extractor: move extractor event out of snort namespace
  • extractor: refactor code
  • extractor: update dev_notes.txt
  • file_api: add helper methods to unset filename and reset sha
  • ftp: reset cmd_size when reset cmd_str
  • sip: parse all the SIP methods defined
  • stream_tcp: initialize the daq_instance field in the Packet instance allocated for a meta-ack to the value from the wire packet
  • thread: get_relative_instance_number now zero-based