95 Commits

Author SHA1 Message Date
John Audia
4008028a99 snort3: update to 3.10.0.0
Changelog: https://github.com/snort3/snort3/releases/tag/3.10.0.0

Build system: x86/64
Build-tested: x86/64-glibc
Run-tested: x86/64-glibc (Intel N150)

Signed-off-by: John Audia <therealgraysky@proton.me>
2025-11-28 09:45:55 +01:00
John Audia
facfe95365 snort3: update to 3.9.7.0
Changelog: https://github.com/snort3/snort3/releases/tag/3.9.7.0

% snort --version

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.9.7.0
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2025 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.22
           Using Vectorscan version 5.4.12 2025-11-02
           Using libpcap version 1.10.5 (with TPACKET_V3)
           Using LuaJIT version 2.1.0-beta3
           Using LZMA version 5.8.1
           Using OpenSSL 3.5.4 30 Sep 2025
           Using PCRE2 version 10.46 2025-08-27
           Using ZLIB version 1.3.1

Build system: x86/64
Build-tested: x86/64-glibc
Run-tested: x86/64-glibc

Signed-off-by: John Audia <therealgraysky@proton.me>
2025-11-07 19:36:24 +02:00
John Audia
69117bf2d5 snort3: run as regular user rather than as root
Running as a dedicated user is better from both a security and an
isolation perspective than running as root.

Signed-off-by: John Audia <therealgraysky@proton.me>
2025-10-17 22:31:54 +03:00
John Audia
950e2856e8 snort3: inform user of optional dependencies
Add a comment to the package description to inform users that the build
system will not automatically pick gperftools-runtime and vectorscan-
runtime when building from source.

References to performance benefits of using them:
c1b4e80825
b6b2d1e305

Signed-off-by: John Audia <therealgraysky@proton.me>
2025-10-17 06:49:05 +03:00
John Audia
41e25e864e snort3: update to 3.9.6.0
Release notes: https://github.com/snort3/snort3/releases/tag/3.9.6.0

% snort --version

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.9.6.0
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2025 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.21
           Using Vectorscan version 5.4.12 2025-10-06
           Using libpcap version 1.10.5 (with TPACKET_V3)
           Using LuaJIT version 2.1.0-beta3
           Using LZMA version 5.8.1
           Using OpenSSL 3.6.0 1 Oct 2025
           Using PCRE2 version 10.46 2025-08-27
           Using ZLIB version 1.3.1

Build system: x86/64
Build-tested: x86/64-glibc
Run-tested: x86/64-glibc

Signed-off-by: John Audia <therealgraysky@proton.me>
2025-10-17 06:49:05 +03:00
John Audia
39f8295457 snort3: fix typo preventing vectorscan detection
Since vectorscan-runtime was dropped in the following commit, we need to
replace references to it with just vectorscan in order to compile
snort3 against it: 8a3c7a69e6

Without this change, even having CONFIG_PACKAGE_vectorscan=y in the
.config will result in a failure to compile against it, e.g:

...
Feature options:
    DAQ Modules:    Dynamic
    libatomic:      User-specified
    Hyperscan:      OFF
...

Signed-off-by: John Audia <therealgraysky@proton.me>
2025-10-17 06:49:05 +03:00
Josef Schlehofer
261d1b0948 snort3: update dependencies after package renames
The gperftools and vectorscan packages have been simplified by removing
their -runtime and -headers splits. Update snort3 to use the new package
names.

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2025-10-11 14:53:01 +02:00
Josef Schlehofer
02f78bc30a snort3: enable/disable options based on package availability
This simplifies the checks that enable/disable features based on whether
packages are present, instead of having checks for specific architectures.

TCMALLOC_LIBRARIES is removed as it's auto-detected, unlike vectorscan
which requires explicit HS_INCLUDE_DIRS.

Fixes: 126364e105 ("snort3: refactor architecture-specific dependencies and CMake options")

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2025-10-10 08:17:38 +02:00
John Audia
e4bdefe1c2 snort3: depend on libtirpc only for musl builds
The libtirpc package is only needed when building with musl, as glibc
includes the required RPC functionality. This change makes libtirpc a
conditional dependency and adjusts the build flags accordingly.

Building with x86_64-glibc:
...
Feature options:
    DAQ Modules:    Dynamic
    libatomic:      User-specified
    Hyperscan:      ON
    ICONV:          ON
    Libunwind:      OFF
    LZMA:           ON
    RPC DB:         Built-in
    SafeC:          OFF
    TCMalloc:       ON
    JEMalloc:       OFF
    UUID:           ON
    NUMA:           OFF
    LibML:          OFF
...

Building with aarch64_cortex-a76_musl:
...
Feature options:
    DAQ Modules:    Dynamic
    libatomic:      User-specified
    Hyperscan:      ON
    ICONV:          ON
    Libunwind:      OFF
    LZMA:           ON
    RPC DB:         TIRPC
    SafeC:          OFF
    TCMalloc:       ON
    JEMalloc:       OFF
    UUID:           ON
    NUMA:           OFF
    LibML:          OFF
...

Build system: x86/64
Build-tested: x86/64-glibc, bcm27flogic/xiaomi_redmi-router-ax6000-ubootmod (for musl)
Run-tested: x86/64-glibc

Signed-off-by: John Audia <therealgraysky@proton.me>
2025-10-08 07:47:24 +02:00
Josef Schlehofer
126364e105 snort3: refactor architecture-specific dependencies and CMake options
1. Enabled hyperscan/vectorscan together with adding the dependency only for x86_64 and aarch64.
2. Disabled tcmalloc (from the gperftools package) for powerpc and mips.

By doing this refactor, snort3 is going to be available for more OpenWrt devices
(as it was in the past), as it is currently compiled only for x86_64 and aarch64 by mistake.

Fixes: 257e2fc38a ("snort3: fix logic in gpertools-runtime depends")

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2025-10-05 12:08:59 +02:00
John Audia
304a18d4b5 snort3: add patch to unambiguously show vectorscan
When snort is run with the --version option, it advertises components'
versions in the output. Add a patch to modify the output to clearly
show vectorscan is in use.

Signed-off-by: John Audia <therealgraysky@proton.me>
2025-09-20 06:52:48 +03:00
John Audia
8d81f0e2ee snort3: replace hyperscan with vectorscan in deps
* Replacement of hyperscan-runtime reference with vectorscan-runtime
* Added support for all aarch64 targets which I believe is exhaustive

For x86 and x86/64, I found that vectorscan is truly a drop-in
replacement for hyperscan as assessed by speedtests with snort3 running
on my Intel N150 PC. CPU load during the test with each condition was
nearly saturating on a single core for both cases on a symmetrical
Gbps line.

Using: https://www.waveform.com/tools/bufferbloat in IPS mode:
  Download speed w/ hyperscan: 950-960 Mbit/s (n=2)
  Download speed w/ vectorscan: 942-960 Mbit/s (n=2)

Using: https://www.speedtest.net in IPS mode:
  Download speed w/ hyperscan: 996-1002 Mbit/s (n=2)
  Download speed w/ vectorscan: 993-988 Mbit/s (n=2)

Build system: x86/64
Build-tested: x86/64-glibc
Run-tested: x86/64-glibc (Intel N150 based box running snort3)

Signed-off-by: John Audia <therealgraysky@proton.me>
2025-09-20 06:52:48 +03:00
John Audia
0d643c23dd snort3: remove hyperscan specific patch
Drop 100-remove-HAVE_HS_COMPILE_LIT-to-work-around-upstream-b.patch as
it was only needed to fix the build against hyperscan. Vectorscan
builds fine without it.

Signed-off-by: John Audia <therealgraysky@proton.me>
2025-09-20 06:52:48 +03:00
John Audia
2bbca5dfa0 snort3: replace complex sed calls with patch
Simplification of Makefile: replace complex sed calls with a patch to
improve readability. This commit also renames an existing patch.

Signed-off-by: John Audia <therealgraysky@proton.me>
2025-09-10 23:16:38 +03:00
John Audia
87d0da8aa2 snort3: clean-up Makefile
Simplification of Makefile: remove line splits to increase readability.

Signed-off-by: John Audia <therealgraysky@proton.me>
2025-09-10 23:16:38 +03:00
John Audia
8914929466 snort3: switch from git proto to tarballs
Use upstream tarballs for source rather than using git. If we ever need
to build from git we can cherry pick and make a patch. This gives a
cleaner Makefile and faster build.

Signed-off-by: John Audia <therealgraysky@proton.me>
2025-09-10 23:16:38 +03:00
John Audia
a75e0a6db9 snort3: update to 3.9.5.0
Changelog: https://github.com/snort3/snort3/releases/tag/3.9.5.0

Build system: x86/64
Build-tested: x86/64-glibc
Run-tested: x86/64-glibc

Signed-off-by: John Audia <therealgraysky@proton.me>
2025-09-07 23:15:29 +03:00
John Audia
257e2fc38a snort3: fix logic in gpertools-runtime depends
The logic in e57cc9898a was flawed, causing
gperftools-runtime not to be detected when building, resulting in:
...
ninja: Entering directory `/scratch/union/build_dir/target-x86_64_glibc/snort3-3.9.1.0'
ninja: error: '/scratch/union/staging_dir/target-x86_64_glibc/usr/lib/libtcmalloc.so', needed by 'src/snort', missing and no known rule to make it
make[2]: *** [Makefile:161: /scratch/union/build_dir/target-x86_64_glibc/snort3-3.9.1.0/.built] Error 1

It was missed due to testing in a build root that already had gperftools-runtime
built; it was only discovered when building from a clean build root.

This commit fixes this flaw.

Test:
cat <<EOF > .config
CONFIG_TARGET_x86=y
CONFIG_TARGET_x86_64=y
CONFIG_TARGET_x86_64_DEVICE_generic=y
CONFIG_PACKAGE_snort3=y
EOF

make defconfig
grep gperftools-run .config
CONFIG_PACKAGE_gperftools-runtime=y

cat <<EOF > .config
CONFIG_TARGET_qoriq=y
CONFIG_TARGET_qoriq_generic=y
CONFIG_TARGET_qoriq_generic_DEVICE_watchguard_firebox-m300=y
CONFIG_PACKAGE_snort3=y
EOF

make defconfig
grep gperftools-run .config

Signed-off-by: John Audia <therealgraysky@proton.me>
2025-09-07 20:02:06 +03:00
John Audia
f8ace6e398 snort3: update to 3.9.3.0
Changelog: https://github.com/snort3/snort3/releases/tag/3.9.3.0

Build system: x86/64
Build-tested: x86/64-glibc
Run-tested: x86/64-glibc (Intel N150 based box)

Signed-off-by: John Audia <therealgraysky@proton.me>
2025-08-22 12:52:09 +03:00
John Audia
e57cc9898a snort3: remove gperftools dep for mips* and powerpc
Add a conditional to disable the gperftools-runtime depends for powerpc and mips
due to an inability to compile introduced with 7345b73c30

Co-authored-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Signed-off-by: John Audia <therealgraysky@proton.me>
2025-07-18 12:29:11 +02:00
John Audia
8ddf8ac209 snort3: update to 3.9.1.0
Changelog: https://github.com/snort3/snort3/releases/tag/3.9.1.0

% # snort --version

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.9.1.0
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2025 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.20
           Using Hyperscan version 5.4.2 2025-06-30
           Using libpcap version 1.10.5 (with TPACKET_V3)
           Using LuaJIT version 2.1.0-beta3
           Using LZMA version 5.6.2
           Using OpenSSL 3.5.0 8 Apr 2025
           Using PCRE2 version 10.42 2022-12-11
           Using ZLIB version 1.3.1

Build system: x86/64
Build-tested: x86/64
Run-tested: x86/64

Signed-off-by: John Audia <therealgraysky@proton.me>
2025-07-07 11:22:39 +03:00
John Audia
097a97daeb snort3: update to 3.8.1.0
Changelog: https://github.com/snort3/snort3/releases/tag/3.8.1.0

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.8.1.0
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2025 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.19
           Using Hyperscan version 5.4.2 2025-05-27
           Using libpcap version 1.10.5 (with TPACKET_V3)
           Using LuaJIT version 2.1.0-beta3
           Using LZMA version 5.6.2
           Using OpenSSL 3.5.0 8 Apr 2025
           Using PCRE2 version 10.42 2022-12-11
           Using ZLIB version 1.3.1

Build system: x86/64
Build-tested: x86/64
Run-tested: x86/64

Signed-off-by: John Audia <therealgraysky@proton.me>
2025-06-02 13:45:34 +02:00
Josef Schlehofer
bd7aa2ac44 snort3: drop upstreamed patch
This patch is wrongly rebased and applied twice, as the same change might
be possible and it does not break anything. Because of that, the patch is
still being refreshed and included in this repository.

No need as the patch is already included in the snort3 repository:
70b811ca11

Drop it once and for all. :-)

Fixes: 65f6fee7c0 ("snort3: update to 3.1.84.0")
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2025-06-02 13:24:39 +02:00
John Audia
aa89d293db snort3: update to 3.7.1.0
Changelog: https://github.com/snort3/snort3/releases/tag/3.7.1.0

Signed-off-by: John Audia <therealgraysky@proton.me>
2025-03-20 21:26:59 +02:00
John Audia
a695cad9e8 snort3: update to 3.7.0.0
Changelog: https://github.com/snort3/snort3/releases/tag/3.7.0.0

Signed-off-by: John Audia <therealgraysky@proton.me>
2025-03-16 10:10:26 +01:00
John Audia
efe5c7cd29 snort3: update to 3.6.3.0
Changelog: https://github.com/snort3/snort3/releases/tag/3.6.3.0

Signed-off-by: John Audia <therealgraysky@proton.me>
2025-02-09 21:37:14 +08:00
John Audia
21c63a67e3 snort3: update to 3.6.2.0
Changelog: https://github.com/snort3/snort3/releases/tag/3.6.2.0

% snort --version

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.6.2.0
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2024 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.18
           Using Hyperscan version 5.4.2 2025-01-28
           Using libpcap version 1.10.5 (with TPACKET_V3)
           Using LuaJIT version 2.1.0-beta3
           Using LZMA version 5.6.2
           Using OpenSSL 3.0.15 3 Sep 2024
           Using PCRE2 version 10.42 2022-12-11
           Using ZLIB version 1.3.1

Signed-off-by: John Audia <therealgraysky@proton.me>
2025-01-30 19:19:00 +02:00
Eric Fahlgren
a636371c5e snort3: improve date filtering in report
- Take advantage of bug fix in jsonfilter to get rid of array hack, should
  improve memory footprint quite a bit

- Implement substring matching in dates so you can collect data for a specific
  day, hour or run bin reports for histograms

- Report title now contains specified date range, footer percentages

Signed-off-by: Eric Fahlgren <ericfahlgren@gmail.com>
2024-06-25 10:03:07 -07:00
John Audia
7345b73c30 snort3: build against gperftools for more than x86
Other targets should be able to build against gperftools and
realize speed and efficiency gains.

Build system: x86/64
Build-tested: bcm27xx/bcm2712
Run-tested: bcm27xx/bcm2712

Signed-off-by: John Audia <therealgraysky@proton.me>
2024-05-16 15:35:55 -07:00
Eric Fahlgren
c8b13adaa0 snort3: fix bug with unset variable
- Parameter not set in two places:
    /usr/bin/snort-mgr: eval: line 125: options: parameter not set

Reported-by: @klingon888
Signed-off-by: Eric Fahlgren <ericfahlgren@gmail.com>
2024-04-27 12:28:14 +02:00
Christian Marangi
a314f26e99 snort3: add patch and move to PCRE2
Add experimental patch and move package to PCRE2 as PCRE is EOL and
won't receive any security updates anymore.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2024-04-27 12:27:02 +02:00
Rosen Penev
47d91a4c09 snort3: use local tarballs
Avoids having a bad tarball name with just the version.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2024-04-23 18:59:19 -07:00
John Audia
65f6fee7c0 snort3: update to 3.1.84.0
1. Update to latest version
2. Remove redundant section in Makefile

Changelog: https://github.com/snort3/snort3/releases/tag/3.1.84.0

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.1.84.0
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2024 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.14
           Using LuaJIT version 2.1.0-beta3
           Using OpenSSL 3.0.13 30 Jan 2024
           Using libpcap version 1.10.4 (with TPACKET_V3)
           Using PCRE version 8.45 2021-06-15
           Using ZLIB version 1.3.1
           Using Hyperscan version 5.4.2 2024-04-10
           Using LZMA version 5.4.6

Build system: x86/64
Build-tested: x86/64/AMD Cezanne
Run-tested: x86/64/AMD Cezanne

Signed-off-by: John Audia <therealgraysky@proton.me>
2024-04-13 14:06:47 -07:00
Eric Fahlgren
4ce2d741c6 snort3: fix issue caused by ucode semantics change
A recent change in the ucode interpreter caused a failure when using
the 'in' operator.
be767ae197

Reported in a forum post by @graysky2.
https://forum.openwrt.org/t/194218/28

Signed-off-by: Eric Fahlgren <ericfahlgren@gmail.com>
2024-04-13 13:22:40 +08:00
Hauke Mehrtens
50dffb7424 snort3: Fix compilation with GCC 13
This fixes a compile problem with GCC 13.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-03-24 10:15:42 +01:00
John Audia
fdebb16619 snort3: update to 3.1.82.0
Changelog: https://github.com/snort3/snort3/releases/tag/3.1.82.0

Removed patches/010-gcc13.patch

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.1.82.0
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2024 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.14
           Using LuaJIT version 2.1.0-beta3
           Using OpenSSL 3.0.13 30 Jan 2024
           Using libpcap version 1.10.4 (with TPACKET_V3)
           Using PCRE version 8.45 2021-06-15
           Using ZLIB version 1.3.1
           Using Hyperscan version 5.4.2 2024-03-06
           Using LZMA version 5.4.6

Build system: x86/64
Build-tested: x86/64/AMD Cezanne
Run-tested: x86/64/AMD Cezanne

Signed-off-by: John Audia <therealgraysky@proton.me>
2024-03-19 13:42:01 +01:00
John Audia
4295bd7f45 snort3: build against gperftools-runtime
Should provide increases in snort3 performance thanks to thread-
caching malloc provided by gperftools.  Avg CPU usage is down.
Another user reported higher throughput achieved with snort3
compiled with this on samba transfers on system with CPU-limited
snort3 performance.[1]

1. https://forum.openwrt.org/t/some-help-with-a-makefile-gperftools/165656/22

Build system: x86/64
Build-tested: x86/64/AMD Cezanne
Run-tested: x86/64/AMD Cezanne

Signed-off-by: John Audia <therealgraysky@proton.me>
2024-02-24 20:17:51 -08:00
John Audia
a7b5bfbfb7 snort3: update to 3.1.81.0
Changelog: https://github.com/snort3/snort3/releases/tag/3.1.81.0

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.1.81.0
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2024 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.14
           Using LuaJIT version 2.1.0-beta3
           Using OpenSSL 3.0.13 30 Jan 2024
           Using libpcap version 1.10.4 (with TPACKET_V3)
           Using PCRE version 8.45 2021-06-15
           Using ZLIB version 1.3.1
           Using Hyperscan version 5.4.2 2024-02-16
           Using LZMA version 5.4.6

Build system: x86/64
Build-tested: x86/64/AMD Cezanne
Run-tested: x86/64/AMD Cezanne

Signed-off-by: John Audia <therealgraysky@proton.me>
2024-02-24 12:14:43 -08:00
John Audia
a7f820077f snort3: build against hyperscan
Increases snort's IPS fast pattern matching by 2x (compared to
the ac_full engine) and 3x (compared to ac_bfna).  This is most
noticeable for users of large rules sets and when doing deep flow
inspection.

For more see: https://blog.snort.org/2020/09/snort-3-hyperscan-.html

Build system: x86/64
Build-tested: x86/64/AMD Cezanne
Run-tested: x86/64/AMD Cezanne

Signed-off-by: John Audia <therealgraysky@proton.me>
2024-02-20 13:50:22 +08:00
Eric Fahlgren
db58c9cd81 snort3: clean up ucode usage
- Add missing 'ucode' package dependency
- Proto-ify the ConfigItem objects
- Fix indentation and tab usage

Signed-off-by: Eric Fahlgren <ericfahlgren@gmail.com>
2024-02-14 12:53:28 +08:00
Eric Fahlgren
b94c6dd37d snort3: improve script reliability
- Enable missing variable checking by default
- Explicitly check variables are defined in all 'rm' commands

Signed-off-by: Eric Fahlgren <ericfahlgren@gmail.com>
2024-02-07 14:01:11 -08:00
Eric Fahlgren
203e9413e2 snort3: finish up several incomplete capabilities
Reporting
 - Use json alert data for 10x speed improvement in report generation
 - Include both gid and sid, plus packet direction in report output
 - Add by-date incident filtering
 - Add verbose mode which displays actual rules triggered and their source
 - Attempt to look up host names from IPs in verbose mode
 - Clean up display of port number involved in incidents

Rules
 - Complete downloader for subscription rules using oinkcode (only tested
   with snort.org's "free" tier subscription)
 - Auto-detect multiple rules files and include them in lua 'ips.rules'
 - Add '--backup' option to copy out current rules before installing new
 - Add '--persistent' option to 'snort-rules', storing in persistent location

CLI interface
 - Completely rework command line option parsing in all user scripts
 - Allow options and commands to be in any order on command line
 - Add long-form names for all options ('--help' for '-h' and so on)
 - Detect errors properly in options, enhance help pages

Bug fixes
 - Use 'mkdir -p' on all directory creation
 - Use proper tmp directory from 'snort.snort.temp_dir' everywhere

Signed-off-by: Eric Fahlgren <ericfahlgren@gmail.com>
2024-02-04 16:21:11 -08:00
John Audia
0b2728b2f2 snort3: update to 3.1.78.0
Upstream bump

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.1.78.0
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2024 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.14
           Using LuaJIT version 2.1.0-beta3
           Using OpenSSL 3.0.12 24 Oct 2023
           Using libpcap version 1.10.4 (with TPACKET_V3)
           Using PCRE version 8.45 2021-06-15
           Using ZLIB version 1.3
           Using Hyperscan version 5.4.2 2024-01-15
           Using LZMA version 5.4.4

Build system: x86/64
Build-tested: x86/64/AMD Cezanne
Run-tested: x86/64/AMD Cezanne

Signed-off-by: John Audia <therealgraysky@proton.me>
2024-01-19 14:40:54 +01:00
Eric Fahlgren
e05835deac snort3: add missing action-override option
Allow use of rules as-defined, and don't override their actions.  This
is generally the best way to use the ruleset, and overriding their
actions should only be undertaken when you fully understand how it
affects their use.

Signed-off-by: Eric Fahlgren <ericfahlgren@gmail.com>
2024-01-02 15:29:50 -08:00
John Audia
224a3816d8 snort3: compile with lzma support
This PR adds the ability for snort to process rules that target
swf and pdf files requiring lzma decompression to look for
malicious payloads therein.  This change only increases the size
of the snort3 executable by a fraction of a KB, and the added
dependency of liblzma (based on the currently offered 5.4.4-1) is
only a 169 KB shared object.  Based on the CPU requirements of snort,
x86 users likely represent the majority of the user-base, and space on
their rootfs is not an issue as it may be for lower-powered SoCs.

Size of snort3-3.1.76.0-2: 7354403 bytes
Size of snort3-3.1.76.0-3: 7354435 bytes

Build system: x86/64
Build-tested: x86/64/AMD Cezanne
Run-tested: x86/64/AMD Cezanne

Signed-off-by: John Audia <therealgraysky@proton.me>
2024-01-02 15:29:11 -08:00
John Audia
5cdf7d5883 snort3: update to 3.1.77.0
Changelog: https://github.com/snort3/snort3/releases/tag/3.1.77.0

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.1.77.0
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2023 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.13
           Using LuaJIT version 2.1.0-beta3
           Using OpenSSL 3.0.12 24 Oct 2023
           Using libpcap version 1.10.4 (with TPACKET_V3)
           Using PCRE version 8.45 2021-06-15
           Using ZLIB version 1.3
           Using Hyperscan version 5.4.2 2023-12-20

Build system: x86/64
Build-tested: x86/64/AMD Cezanne
Run-tested: x86/64/AMD Cezanne

Signed-off-by: John Audia <therealgraysky@proton.me>
2023-12-23 15:06:44 +02:00
Eric Fahlgren
0d2dac8792 snort3: add missing config include and general cleanup
- Delete legacy configuration files homenet.lua and local.lua
- Add snort config 'include' to allow user customizations in the lua
- Enhance 'check' to test generated nftables file
- Suppress inclusion of rules file when doing silent config check
- Suppress warnings on configuration check unless '-v'erbose
- Replace text logging with json logging to reduce footprint and make reports easier
- Fix some typos in the snort.uc template
- Fix up some error messages suggesting solutions

Signed-off-by: Eric Fahlgren <ericfahlgren@gmail.com>
2023-12-16 22:08:49 +08:00
John Audia
a2e6d4910b snort3: add myself as a co-maintainer
Michael invited me to co-maintain[1].

1. https://github.com/openwrt/packages/pull/22830#issuecomment-1848997029

Signed-off-by: John Audia <therealgraysky@proton.me>
2023-12-13 14:14:05 +08:00
John Audia
71b10bc689 snort3: update to 3.1.76.0
Changelog: https://github.com/snort3/snort3/releases/tag/3.1.76.0

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.1.76.0
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2023 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.13
           Using LuaJIT version 2.1.0-beta3
           Using OpenSSL 3.0.12 24 Oct 2023
           Using libpcap version 1.10.4 (with TPACKET_V3)
           Using PCRE version 8.45 2021-06-15
           Using ZLIB version 1.3
           Using Hyperscan version 5.4.2 2023-12-03

Build system: x86/64
Build-tested: x86/64/AMD Cezanne
Run-tested: x86/64/AMD Cezanne

Signed-off-by: John Audia <therealgraysky@proton.me>
2023-12-08 18:53:47 +08:00
Eric Fahlgren
f21dffc2a3 snort3: complete rework
- Add many options to config file.
- Move rules and generated snort.lua to /tmp.
- Add script for downloading rules.
- Add preliminary reporting capabilities.

Signed-off-by: Eric Fahlgren <ericfahlgren@gmail.com>
2023-12-03 13:53:58 -08:00