Snort is the foremost Open Source Intrusion Prevention System (IPS) in the world. Snort uses a set of rules that define malicious network activity, matches packets against those rules, and generates alerts for users. Deployed inline, Snort can also drop the packets that match. Snort has three primary uses: as a packet sniffer like tcpdump, as a packet logger (useful for network traffic debugging), or as a full-blown network intrusion prevention system. Snort can be downloaded and configured for personal and business use alike.
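As an added example (not code from the Snort project), the following Python matcher implements a small subset of the Snort rule language and runs it over constructed packets. The rules, packets and SIDs are all invented for illustration. It shows the mechanics described above: a rule header selects protocol, addresses and ports, the content option is searched in the payload, matches produce alerts, and only an inline (IPS) deployment can turn a drop rule into an actual drop, whereas a passive sniffer deployment can only alert on the same traffic.

```python
# Minimal Snort-style rule matcher (added example, not code from the Snort project).
# Handles a subset of the rule language: "action proto src sport -> dst dport (options)"
# with the msg, content, nocase, sid and rev options. Real Snort adds stream
# reassembly, normalization and fast-pattern matching, none of which is modelled.
import re
from ipaddress import ip_address, ip_network

# Constructed rules for illustration; SIDs are in the local range (>= 1000000).
RULES_TEXT = """
alert tcp any any -> 192.168.1.0/24 80 (msg:"Directory traversal attempt"; content:"../"; sid:1000001; rev:1;)
drop tcp any any -> 192.168.1.0/24 22 (msg:"libssh client banner"; content:"libssh"; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"DNS query for watched label"; content:"evil"; nocase; sid:1000003; rev:1;)
"""

# Constructed packets: a traversal probe, an SSH banner, a DNS query and benign HTTP.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 43210, "dst": "192.168.1.10", "dport": 80,
     "payload": b"GET /../../etc/passwd HTTP/1.1\r\nHost: 192.168.1.10\r\n\r\n"},
    {"proto": "tcp", "src": "10.0.0.6", "sport": 50000, "dst": "192.168.1.20", "dport": 22,
     "payload": b"SSH-2.0-libssh_0.9.6\r\n"},
    {"proto": "udp", "src": "192.168.1.7", "sport": 5353, "dst": "8.8.8.8", "dport": 53,
     "payload": b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x04EVIL\x07example\x03com\x00\x00\x01\x00\x01"},
    {"proto": "tcp", "src": "10.0.0.9", "sport": 43211, "dst": "192.168.1.10", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: 192.168.1.10\r\n\r\n"},
]

HEADER_RE = re.compile(
    r"^(?P<action>alert|drop)\s+(?P<proto>tcp|udp|icmp|ip)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_options(text):
    """Turn 'key:value; flag;' into a dict; bare keywords such as nocase become True."""
    opts = {}
    for item in filter(None, (s.strip() for s in text.split(";"))):
        key, sep, value = item.partition(":")
        opts[key.strip()] = value.strip().strip('"') if sep else True
    return opts


def parse_rules(text):
    """Parse one rule per line; raises on anything outside the supported subset."""
    rules = []
    for line in text.strip().splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported rule: " + line)
        rule = m.groupdict()
        rule["opts"] = parse_options(rule.pop("opts"))
        rules.append(rule)
    return rules


def ip_matches(spec, addr):
    """'any', a host, a CIDR block, or any of those negated with '!'."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    hit = ip_address(addr) in ip_network(spec.lstrip("!"), strict=False)
    return hit != negate


def port_matches(spec, port):
    """'any', a single port, or an inclusive 'lo:hi' range (either bound optional)."""
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")
    if sep:
        return int(lo or 0) <= port <= int(hi or 65535)
    return int(spec) == port


def rule_matches(rule, pkt):
    """Header fields first, then the content option against the payload bytes."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not (ip_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
            and ip_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"])):
        return False
    needle = rule["opts"].get("content")
    if needle is None:
        return True
    if rule["opts"].get("nocase"):
        return needle.lower().encode() in pkt["payload"].lower()
    return needle.encode() in pkt["payload"]


def verdict(rules, pkt, inline):
    """Return (verdict, [(action, sid, msg), ...]) for one packet.

    In passive (sniffer/IDS) mode a matching drop rule can only alert; only an
    inline (IPS) deployment turns it into a real drop.
    """
    hits = [(r["action"], int(r["opts"]["sid"]), r["opts"].get("msg", ""))
            for r in rules if rule_matches(r, pkt)]
    if not hits:
        return "pass", hits
    if inline and any(action == "drop" for action, _, _ in hits):
        return "drop", hits
    return "alert", hits


if __name__ == "__main__":
    parsed = parse_rules(RULES_TEXT)
    for packet in SAMPLE_PACKETS:
        for mode in (False, True):
            print("inline" if mode else "passive", packet["dst"], packet["dport"], verdict(parsed, packet, mode))
```

Running the block prints each packet's verdict in both modes; the SSH banner packet is the one whose outcome changes between passive ("alert") and inline ("drop"). Option values containing an escaped semicolon, PCRE, byte_test and the other real Snort options are outside the subset and would raise in parse_rules.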

Tags ids logger traffic ips network security analysis tcp udp cpp c
License GNU GPLv3
State initial

Recent Releases

Jun 2024 16:05 major feature:
* Appid: appid cpu profiler max columns.
* Appid: re-enabling appid cpu profiler making it thread safe.
* Appid: store and retrieve only SNI in AppIdSession.
* Appid: updating file_magic.rules with some new file types added to the VDB.
* Dce_smb: do not prune from LRU cache during file tracker update.
* Doc: formatting in dev_notes.txt.
* Flow: add the newly-created flow to p->flow to avoid segv.
* Js_norm: stop PDF processing on syntax error.
* Main: apply loaded configuration only once.
* Packet_capture: make sure packet_capture executed before detection.
* Service_inspectors: get_buf handling.
* Sip: flow clean-up based on lina configured timeout.
* Src: remove repetitive words. Thanks @gopherorg for finding those typos.
* Src: update to resolve new
* Stream_tcp: don't attempt to verify or process keep-alive probes with data.
* Stream_tcp: infinite recursion cases. Thanks to scloder-ut-iso for helping with information that uncovered a case of infinite recursion.
* Utils: add explicit include.

May 2024 13:25 major bugfix:
* Framework: supply directories to system headers to
* Main: updates for types used by Alpine.
* Memory: unit test.

Apr 2024 08:25 major bugfix:
* Appid: enhanced appid config parsing.
* Appid: remove locks from peg counts.
* Appid: separate main thread and packet thread appid_pub_id.
* Dce_smb: ing an ASAN memory corruption
* Detection: handle policy changes in continuation.
* Framework: add correct cast from double to unsigned.
* Http_inspect: add file_data to buffer list.
* Packet_capture: include cstdint in a header file. Thanks to Plup and Hauke Mehrtens for reporting this!
* Xhash: typo.

Mar 2024 03:25 major bugfix:
* Detection: use correct packet in trace logs.
* Doc: add libml to optional dependencies.
* Flow: add filter to dump flows.
* Flow: UT.
* Hash: exception handling for random device.
* Packet_capture: wrong dlt in pcap header when nfq is used.
* Stream: count retransmits when we disable content rules.
* Trace: replace colon delimiter for tenant with whitespace in the trace_logger output.

Mar 2024 10:05 major feature:
* Appid: broadcast commands with ctrlcon.
* Appid: change eve pattern matching logic.
* Appid: replaced warning log with logging api for CBD.
* File_api: do not clear the file capture and user file data pointers when updating the verdict from the cache.
* Filters: updated dyn array with vector.
* Flow: updated flow_data linklist with STL container.
* Framework: validate parameter of number type in a string form.
* Kaizen: rename to Snort ML.
* Main: clear lua stack when registering commands in a shell.
* Main: reset main-thread stats from the main thread.
* Main: update limits help.
* Packet_capture: add packet capturing per tenant.
* Sfip: remove references to unused mode feature.
* Sfip: zero out var/node pointers after operations to remedy heap-use-after-free on reload.
* Smb: for improper session cache destruction in tterm during config reload.
* Snort2lua: change deprecated use of ptr_fn to lambda.
* Stats: timing stats.
* Stats: perf improvement changes.
* Stream: remove splitter from session before inspectors.
* Stream_tcp: add reasons for drops due to trims.
* Stream_tcp: implement support for proxy mode normalization behavior.
* Stream_tcp: update documentation for stream TCP alerts to include the new 129:21 and 129:22 alerts.
* Trace: add tenants logging.

Feb 2024 18:05 major feature:
* Appid: check tenant_match() if required.
* Appid: log error message instead of fatal error if appid stats logfile is not accessible.
* Appid: lowering max packet count before service fail.
* Control: adds counting to ctrlcon blocked to allow for nested commands.
* Detection: add c'tors, use new instead of snort_calloc.
* Detection: copy ip var name in dup_rtn.
* Flow: added ips event suppression flags.
* Host_cache: update_stats to remove race condition.
* Http_inspect: recreate JSNorm if reload takes place inside transaction.
* Ips_context: add lazy-allocation of alt buffer.
* Kaizen: provide an option to enable Kaizen's mock.
* Kaizen: remove redundant semicolon and add explicit cast.
* Kaizen: rename modules.
* Lua: improve spell of wizard for HTTP.
* Memory: prevent data race between main and packet threads.
* Service_inspectors: add check for JSNorm config actuality.
* Stream_tcp: add alerts for exceeding thresholds for max queued bytes or segments.
* Stream_tcp: add check to verify seglist head is not nullptr and only initialize PAF when it is not.
* Utils: add macro for setting thread name.

Jan 2024 13:32 major bugfix:
* appid: print odp version and odp detector count on startup
* copyright: update year to 2024
* doc: update arg list for "". Add parity to "generate_" scripts arg list, thanks to @puck(
* main: fix inconsistent lua variables assignment
* parser: fix --dump-rule-meta for negated ports