Snort 3 beta available now!
// Snort Blog
Here are some highlights you should know about before downloading:
- Configuration — We use LuaJIT for configuration. The config syntax is simple, consistent, and executable. LuaJIT plugins for rule options and loggers are supported, too.
- Detection — We have worked closely with Cisco Talos to update rules to meet their needs, including a feature they call "sticky buffers." With the use of the Hyperscan search engine, regex fast patterns make rules faster and more accurate.
- HTTP — We have a new and stateful HTTP inspector that currently handles 99 percent of the HTTP Evader cases, and will soon cover all of them. There are many new features, as well, including new rule options. HTTP/2 support is under development.
- Performance — We have substantially increased performance for deep packet inspection. Snort 3 supports multiple packet-processing threads, and scales linearly with a much smaller amount of memory required for shared configs, like rule engines.
- JSON event logging — These can be used to integrate with tools such as the Elastic Stack. See this blog post for more details.
- Plugins — Snort 3 was designed to be extensible, and there are over 225 plugins of various types. It is easy to add your own codec, inspector, rule action, rule option, or logger. SO rules are plugins, too, and it is much easier to add your own.
These packages / repositories are available:
- snort3 — The main engine source code and plugins
- snort3_extra — Other experimental and example plugins
- snort3_demo — A test suite with working examples
In addition to the cool new features, Snort 3 also supports all the capabilities of Snort 2.9.11, but we aren't done. Coming soon, we have:
- Next generation DAQ
- Connection events
- Search engine acceleration
- ... and much more.
The Snort Release Team