Snort 3 beta available now!

On 29th August 2018, the Snort team released the fourth alpha of the next-generation Snort IPS, Snort 3, as a beta version. Along with all the Snort 2.X features, this version of Snort++ includes new features as well as bug fixes for the base version of Snort.

Here are some key features of Snort++:

  • Support provided for multiple packet processing threads
  • Shared configuration and attribute table available
  • Simple, scriptable configuration
  • Key components are now pluggable
  • Autodetect services for portless configuration
  • Support for sticky buffers in rules
  • Autogenerate reference documentation
  • Provide better cross-platform support
  • Facilitate component testing
  • Support pipelining of packet processing, hardware offload and data plane integration, and proxy mode

Below is a brief summary of these upgrades:

Easy Configuration

LuaJIT is used for configuration, with a consistent and executable syntax.

Better Detection of Services

The team has worked closely with Cisco Talos to update rules to meet their needs, including a feature they call “sticky buffers.” The Hyperscan search engine and regex fast patterns make rules faster and more accurate.

HTTP Support

Snort 3 has a stateful HTTP inspector that handles 99 percent of the HTTP Evader cases. The aim is to achieve 100% coverage soon. The HTTP support also includes new rule options.

Better Performance

Deep packet inspection now performs better. Snort 3 supports multiple packet-processing threads and scales linearly, with a much smaller amount of memory required for shared configs.

JSON event logging

This can be used to integrate with tools such as the Elastic Stack. Check out the Snort blog post for more details.

More Plugins!

Snort 3 was designed to be extensible. It has over 225 plugins of various types. It is easy for users to add their own codec, inspector, rule action, rule option, or logger.

In addition to all these features, users can also watch out for additional upgrades such as next-generation DAQ, connection events, and search engine acceleration, among others. To know more about the release of Snort 3, head over to Snort’s official page.

Melisha Dsouza
