Snort 2.8.6 released
Snort is an open source network intrusion prevention system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
New Additions
- HTTP Inspect now splits requests into 5 components – Method, URI, Header (non-cookie), Cookies, Body. Content and PCRE rule options can now search one or more of these buffers.
- HTTP server-specific configurations to normalize the HTTP header and/or cookies have been added.
- Added support for gzip decompression across multiple packets.
- Added a Sensitive Data preprocessor, which performs detection of Personally Identifiable Information (PII). A new rule option is available to define new PII.
- Added a new pattern matcher and related configuration options. The new matcher is optimized to use less memory while performing at Aho-Corasick (AC) speed.
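To make the first three items concrete, here is a small Python model (an added illustration, not Snort's code) of what splitting a request into the Method, URI, Header, Cookie and Body buffers buys a rule writer: a pattern scoped to one buffer cannot be satisfied by the same bytes elsewhere in the request, and a streaming gzip decompressor shows why decompression has to carry state from one packet to the next. The function names, the buffer labels and the sample request are all constructed for this example.

```python
import zlib
from typing import Dict, Iterable, List, Sequence, Tuple

# The five buffers named in the 2.8.6 notes, in the order we search them.
BUFFERS = ("method", "uri", "header", "cookie", "body")


def split_http_request(raw: bytes) -> Dict[str, bytes]:
    """Split a raw HTTP/1.x request into the five inspection buffers.

    Cookie header lines are pulled out of the header buffer, so a pattern
    scoped to the cookie cannot be satisfied by the other headers and a
    pattern scoped to the headers cannot be satisfied by a cookie value.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    method, uri = parts[0], parts[1]
    header_lines: List[bytes] = []
    cookie_values: List[bytes] = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"cookie":
            cookie_values.append(value.strip())
        else:
            header_lines.append(line)
    return {
        "method": method,
        "uri": uri,
        "header": b"\r\n".join(header_lines),
        "cookie": b"; ".join(cookie_values),
        "body": body,
    }


def content_matches(buffers: Dict[str, bytes], pattern: bytes,
                    scopes: Sequence[str] = ()) -> List[str]:
    """Names of the buffers in which `pattern` occurs.

    An empty `scopes` searches every buffer (an unscoped content match);
    otherwise only the named ones, the way a buffer modifier restricts it.
    """
    return [name for name in (scopes or BUFFERS) if pattern in buffers[name]]


def rule_fires(buffers: Dict[str, bytes],
               conditions: Iterable[Tuple[bytes, Sequence[str]]]) -> bool:
    """A rule fires only when every (pattern, scopes) condition matches,
    the same AND semantics as several content options in one rule."""
    return all(content_matches(buffers, p, s) for p, s in conditions)


def reassemble_gzip_body(packets: Iterable[bytes]) -> bytes:
    """Decompress a gzip body that arrived split across several packets.

    A streaming decompressor keeps its state between chunks, so data that
    straddles a packet boundary is still visible in the output.
    """
    dec = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    out = b"".join(dec.decompress(chunk) for chunk in packets)
    return out + dec.flush()


def sample_gzip_packets(payload: bytes, n: int) -> List[bytes]:
    """Constructed input: gzip `payload` and cut it into roughly `n` pieces."""
    comp = zlib.compressobj(wbits=16 + zlib.MAX_WBITS)
    data = comp.compress(payload) + comp.flush()
    step = max(1, len(data) // n)
    return [data[i:i + step] for i in range(0, len(data), step)]


# Constructed request: "../" appears in both the URI and a cookie value.
SAMPLE_REQUEST = (
    b"GET /index.php?page=../private.txt HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"Cookie: theme=../default; sid=abc123\r\n"
    b"User-Agent: demo\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    buf = split_http_request(SAMPLE_REQUEST)
    print(content_matches(buf, b"../"))               # ['uri', 'cookie']
    print(content_matches(buf, b"../", ("cookie",)))  # ['cookie']
    print(rule_fires(buf, [(b"GET", ("method",)), (b"../", ("uri",))]))  # True
    body = reassemble_gzip_body(sample_gzip_packets(b"path=../secret.txt", 3))
    print(body)                                       # b'path=../secret.txt'
```

The point of the scoped search is false-positive control: a rule that only cares about a traversal sequence in the URI no longer fires because a cookie value happens to contain the same bytes, and the detection engine does less work because each content option examines one buffer rather than the whole payload.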
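As an added example (not the preprocessor's own code) of what a sensitive-data detector does, the Python below finds a few built-in PII kinds, screens card-number candidates with the Luhn checksum so that fewer random digit runs alert, applies a per-kind hit-count threshold before alerting, lets an operator register a new kind, and masks matches before they are logged. The kind names, `register_pattern`, the employee-badge pattern and the sample text are all assumptions made for this illustration.

```python
import re
from typing import Callable, Dict, List, NamedTuple, Optional


class PiiHit(NamedTuple):
    kind: str
    value: str    # the raw match, never written to a log
    masked: str   # what a log line should carry instead


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum: screens out most digit runs that are not card
    numbers (a validator, not proof that an account exists)."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str, keep: int = 4) -> str:
    """Replace all but the last `keep` characters, so alerts stay useful
    without reproducing the data the rule exists to protect."""
    return "X" * max(0, len(value) - keep) + value[-keep:]


# Built-in kinds for this illustration: (compiled regex, optional validator).
PATTERNS: Dict[str, tuple] = {
    "credit_card": (re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)"), luhn_ok),
    "us_social": (re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"), None),
    "email": (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), None),
}


def register_pattern(kind: str, regex: str,
                     validator: Optional[Callable[[str], bool]] = None) -> None:
    """Define a new PII kind, the way a rule option lets operators add their own."""
    PATTERNS[kind] = (re.compile(regex), validator)


def find_pii(text: str, kind: str) -> List[PiiHit]:
    """Every validated occurrence of `kind` in `text`."""
    regex, validator = PATTERNS[kind]
    hits: List[PiiHit] = []
    for m in regex.finditer(text):
        raw = m.group(0)
        if validator is not None and not validator(raw):
            continue
        hits.append(PiiHit(kind, raw, mask(raw)))
    return hits


def should_alert(text: str, kind: str, count: int = 1) -> bool:
    """Alert only when at least `count` hits are present, so one number in
    a page of text stays quiet while a bulk dump does not."""
    return len(find_pii(text, kind)) >= count


# Constructed sample: two Luhn-valid test numbers, one typo, an e-mail
# address, an SSN-shaped value and a made-up badge number.
SAMPLE_TEXT = (
    "Order note: card 4111 1111 1111 1111 or 4242424242424242; "
    "typo 4111111111111112 is not a valid number. "
    "Contact alice@example.test, SSN 123-45-6789, badge EMP-004211."
)

# Operator-defined kind (hypothetical badge format).
register_pattern("employee_id", r"\bEMP-\d{6}\b")

if __name__ == "__main__":
    for kind in PATTERNS:
        for hit in find_pii(SAMPLE_TEXT, kind):
            print(f"{hit.kind:12s} {hit.masked}")
    print(should_alert(SAMPLE_TEXT, "credit_card", count=2))  # True
    print(should_alert(SAMPLE_TEXT, "credit_card", count=3))  # False
```

Two design points carry over to any PII rule: validate before alerting (the Luhn check drops the mistyped number that a bare 16-digit regex would have reported), and threshold on the count, because the interesting event is usually many records leaving at once rather than one.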
Improvements
- Fixed a problem with output obfuscation affecting packets when Snort is inline.
- Preprocessors with memcap settings can now be configured in a “disabled” state. This allows you to set the memcap globally but enable the preprocessor only in targeted configurations.