Final beta release of Snort 3 intrusion detection system

Cisco has presented the final beta of Snort 3, a complete redesign of the intrusion prevention system also known as the Snort++ project, which has been under intermittent development since 2005. A release candidate is planned for later this year.

The new branch rethinks the product concept and redesigns the architecture. The priorities while preparing it were: simpler setup and launch of Snort, configuration automation, a simpler rule language, automatic detection of all protocols, a command-line shell for control, and extensive use of multithreading in which multiple packet-processing threads share a single configuration.

The following significant innovations have been implemented:

  • A new configuration system with a simplified syntax that allows scripts to generate settings dynamically. Configuration files are processed with LuaJIT, and LuaJIT-based plugins can implement additional rule options and loggers;
  • The detection engine has been modernized, the rules updated, and sticky buffers added, which select a buffer that subsequent content matches in a rule are applied to. The Hyperscan search engine is used, enabling fast and more precise regular-expression patterns in rules;
  • A new session-stateful HTTP inspector that covers 99% of the evasions in the HTTP Evader test suite. HTTP/2 support is in development;
  • Deep packet inspection performance has been significantly improved. Packet processing is now multithreaded: several packet-handling threads run simultaneously, giving linear scaling with the number of CPU cores;
  • A shared store for configuration and attribute tables is used by all subsystems, significantly reducing memory consumption by eliminating duplicated information;
  • A new event logging system that outputs JSON and integrates easily with external platforms such as the Elastic Stack;
  • A modular architecture: functionality can be extended by attaching plugins, and key subsystems are themselves implemented as replaceable plugins. Several hundred plugins already exist for Snort 3, covering, for example, custom codecs, inspectors, logging methods, rule actions and rule options;
  • Running services are detected automatically, removing the need to specify active network ports by hand.
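To make the configuration, sticky-buffer, service-detection and JSON-logging points in the list above concrete, here is an added example of a minimal Snort 3 configuration. It is not from the article or from the Snort project. It assumes a standard Snort 3 build (the stream, http_inspect, wizard, binder and alert_json modules ship with it) and that the shipped snort_defaults.lua, which defines default_wizard, is on the include path; the network range and the rule are made up for illustration.

```lua
-- snort.lua: added example configuration, not the Snort project's own file.
-- Assumes a standard Snort 3 build and that snort_defaults.lua is reachable
-- via the include path (it ships with Snort and defines default_wizard).
include 'snort_defaults.lua'

-- Network variables referenced by the rule below (illustrative range)
HOME_NET = '192.168.1.0/24'
EXTERNAL_NET = '!' .. HOME_NET

-- Stream reassembly plus the stateful HTTP inspector: the rule below matches
-- on reassembled, normalized request data, not on individual packets.
stream = { }
stream_tcp = { }
http_inspect = { }

-- Automatic service detection instead of a manual port list: the wizard
-- identifies HTTP on any port and the binder hands the flow to http_inspect.
wizard = default_wizard
binder =
{
    { when = { service = 'http' }, use = { type = 'http_inspect' } },
    { use = { type = 'wizard' } },
}

-- Rules embedded directly in the Lua configuration.
ips =
{
    enable_builtin_rules = true,
    rules = [[
        # Snort 3 syntax: 'http_uri' is a sticky buffer. Every 'content' that
        # follows it is matched against the normalized URI until another
        # buffer is selected. The Snort 2 form put the modifier after the
        # content instead:  content:"/admin"; http_uri;
        alert http $EXTERNAL_NET any -> $HOME_NET any (
            msg:"EXAMPLE admin path probe";
            flow:to_server, established;
            http_uri; content:"/admin", nocase;
            sid:1000001; rev:1;
        )
    ]],
}

-- JSON alert output, one object per line, ready for Filebeat or Logstash.
alert_json =
{
    file = true,
    fields = 'timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action',
}
```

Validate the file with `snort -c snort.lua -T`, then run it against a capture with `snort -c snort.lua -r capture.pcap -l /var/log/snort`; alerts land in alert_json.txt in the log directory. Note that the protocol in the rule header is a service name (`http`), so the rule fires on HTTP wherever the wizard finds it, which is the point of dropping hard-coded port lists.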

Changes since the previous test release, published in 2018:

  • Added support for override files that adjust settings relative to the default configuration;
  • The code may now use constructs from the C++14 standard (a C++14-capable compiler is required to build);
  • Added a new VXLAN handler;
  • Improved content matching using updated alternative implementations of the Boyer-Moore and Hyperscan algorithms;
  • HTTP/2 traffic inspection is close to complete;
  • Startup is faster because rule groups are compiled in several threads;
  • Added a new logging mechanism;
  • Improved detection of Lua errors and optimized whitelists;
  • Settings can now be reloaded on the fly;
  • Added an RNA (Real-time Network Awareness) inspector that collects information about the assets, hosts, applications and services present on the network;
  • To simplify configuration, the use of snort_config.lua and SNORT_LUA_PATH has been discontinued.

Source: opennet.ru
