Snort

An issue was fixed where "uricontent" didn't behave correctly with "depth", "offset", "distance", and "within" modifiers. Overlapping flags in the Shared Object rule API were fixed. Error checking was improved for invalid combinations of "depth", "offset", "distance", and "within" modifiers in rules. Rules that mix relative and non-relative options on the same content will now cause errors. The documentation was updated to fix some inconsistencies.

The HTTP Inspect "server_flow_depth" option is now applied once per HTTP session, instead of once per packet. Issues with the handling of TCP urgent data, with using file_data:mime within shared library rules, with TCP reassembly of single packets, and with DAQ building were fixed.

This release fixes maximum flowbits configuration parsing to specify the number of bits in accordance with the Snort manual, rather than the number of bytes. If you have 'config flowbits_size' in your snort.conf, double check that it has the correct setting. It fixes a packet size issue with the IPQ and NFQ DAQs. It fixes an issue with Stream5 overlap limit processing. It updates the version of LibPCRE bundled with the Windows installer. This update fixes a bug that caused some PCRE matches to fail on Windows.

This release added a feature-rich IPS mode, including improvements to Stream, a Data Acquisition API (DAQ) that supports many different packet access methods, and a new 'byte_extract' rule option that allows extracted values to be used in subsequent rule options for isdataat, byte_test, byte_jump, and content distance/within/depth/offset. Two new rule options were added to support Base64 decoding of certain pieces of data and inspection of the Base64 data via subsequent rule options. A new pattern matcher that supports Intel's Quick Assist Technology for improved performance on supported hardware platforms was added.

This release fixes installer packages to include the correct version of the sensitive data preprocessor for Linux and Windows. It eliminates false positives when using fast_pattern:only and having only one HTTP content in the pattern matcher. It addresses false positives in the FTP preprocessor with string format verification. It also addresses issue with handling of response codes to data transfer commands where the response code didn't contain a message.