Log Message:
Update to Snort 2.9.15.1

2019-12-15 - Snort 2.9.15.1
New Additions

    Added support for glibc version 2.30.

Improvements/Fix

    Fixed Snort core seen during SSL re-configuration.
    Fixed file access issues on files from SMB share.

Snort 2.9.15.0
New Additions

    Added new debugs to print detection, file_processing and Preproc time
consumption info and verdict.
    Added support to detect new Korean file formats .egg and .alg in the file
preprocessor.
    Added support to detect new RAR file-type in the file preprocessor.

Improvements / Fix

    Fix to generate ALERT if TEID value is zero in GTP v1 and v2 packets.
    Fix to whitelist FTP data sessions when no file policy exists.
    Fix RTF file magic to a more generic value to prevent evasions.
    Added debug logs during HTTP reload.
    Added rule SID check during validation.
    Fix an issue where HTTP was processing non-HTTP traffic on port 443.
    Added new debugs to print detection, file processing, and Prepro time
consumption info and verdicts.

Snort 2.9.14.1
[*] New Additions

 * Added support for wild card port numbers in host cache and overwriting port
service AppId.

 * Added support for new STLS client patterns to help better detect POP3S over
SSL.

 * Added support for detecting Mac based SMTP Microsoft Outlook client
application.

 * Added a new preprocessor alert 120:27 to alert if there is no proper end of
header.

[*] Improvements / Fix

 * Improved appId detection for proxied traffic.

 * Fix for enabling flow profiling mode without restarting snort detection
engine.

 * Fixed packet drop scenario.

Snort 2.9.13.0
New Additions

    Snort now supports reload on snort rules update.
    Addition of a scenario to add a packet to blacklist verdict to ensure the
new session will be allowed.
    Handled a new pre-processor alert in case of the improper end of t HTTP
header.

Improvements

    Modified the calculation of file hash for FTP/HTTP with offset values.
    Fixed portal authentication connection stuck in half closed state.
    Updated UDP global timeout for a non-standard port.

This release also patched the following two vulnerabilities:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-frpwr-smb-snort

Snort 2.9.12.0
New Additions

    Parsing HTTP CONNECT to extract the tunnel IP and port information.
    Alerting and dechunking for chunked encoding in HTTP1.0 request and
response.

Improvements

    Fixed an issue where, if we have a junk line before HTTP response header,
the header was wrongly parsed.
    Fixed GZIP evasions where an HTTP response with content-encoding:gzip
contains a body that has a GZIP-related anomaly.
    Fixed an issue in certain scenarios where a BitTorrent pattern is seen
only on the third packet of the session, causing us to miss our client
detection.
    SMB improvements for file detection and processing.

2017-12-06 - Snort 2.9.11.1
New Additions

    Added support to block portscan. In addition to tracking the scanning
packets, action(drop/sdrop/reject) will be taken for all the packets, which
means Snort will block the packet and generate logs.
    Added support to re-evaluate reputation after reputation update for all
flows except those that have already been blacklisted.

Improvements

    Fixed issue to detect RTP up to two SSRC switches in each traffic
direction.
    Fixed issues related to HTTP POST header flushing, calling file processing
directly if it is not a multipart header and changes to avoid expensive copy
of segment data by not splitting them when flushing headers.
    Fixed issue of triggering protocol sweep alert when there are multiple
destinations from single source ip protocol scan.
    Added changes to fix IP portscan for protocol other than ICMP and fixed
issue of bad fragment size event not being generated for oversized packets.
    Added changes to use raw data in case of PDF and SWF files during file
processing for SHA calculation and Malware Cloud Lookup.
    Fixed issue of correct session matching for TCP SYN packets without window
scale option so that FTP data channels match the same rule as FTP control
channels.
    Fixed issue of applying new configuration in file inspection after Snort
reload.

Snort 2.9.11
[*] New additions

    Changes to eliminate Snort restart when there are changes to the memory
allocated for preprocessors, by releasing unused or least recently used memory
when needed.
    Added support for storing filenames in Unicode for SMB protocol.
    Added implementation of hostPortCache versioning for unknown flows in
AppID to detect and block BitTorrent.

[*] Improvements

    Enhanced RTSP metadata parsing to match the user-agent field to detect
RTSP traffic over Windows Media.
    Performance improvement when SYN rate limit has reached and drop is
configured as next action
    Control-socket and side-channel support for FreeBSD platform.
    Fixed issue in file signature lookup for retransmitted FTP packet.
    Enhanced the processing of SIP/RTP future flows without ignoring them.
    Changes made in PDF/SWF decompression by adding boundary to the size of
the decompressed data.
    Added a null check to prevent copy unless debugHostIp is configured in
AppId.
    Fixed issue where FTP file type block doesn't work for retried download.
    Resolved issue where Snort is inappropriately handling traffic for which
AppId was creating future flow.
    Performance improvements for SIP/RTP audio and video data flow in AppId.
    Performance and stability improvements in FTP preprocessor like incorrect
referencing of ftp_data_session after its pruned.
    Stability improvement by resolving valgrind reported issues in AppId.
    Improved flushing mechanism for HTTP POST header.
    Added changes to display AppId for IPv6 unified events.
    Fixed issues with printing of messages for out-of-order packets.
    Fixed issue in increment of detection filter counter when rule is used in
multiple configurations.
    Fixed dynamic preprocessor compilation failure in OpenBSD platform.
    Added changes to improve performance of ipvar list comparison.
    Enhanced SMTP client detection by allowing line folding and all
authentication methods.