Release Candidate for Snort 3 Intrusion Detection System

Cisco has announced a release candidate of Snort 3, a completely redesigned intrusion prevention system. The project, also known as Snort++, has been in development intermittently since 2005. A stable release is planned within a month.

The Snort 3 branch completely rethinks the concept of the product and redesigns its architecture. The key development goals of Snort 3 are: simplifying the configuration and launch of Snort, automating configuration, simplifying the rule language, automatically detecting all protocols, providing a shell for control from the command line, and making active use of multithreading, with different handlers sharing access to a single configuration.

The following significant innovations have been implemented:

  • A transition to a new configuration system has been made, offering a simplified syntax and allowing scripts to generate settings dynamically. Configuration files are processed by LuaJIT, and LuaJIT-based plugins can implement additional rule options and a logging system;
  • The attack detection engine has been modernized, the rules have been updated, and sticky buffers have been added, which bind the content matches that follow them in a rule to a named buffer. The Hyperscan search engine is used, enabling fast and more accurate regular-expression patterns in rules;
  • A new HTTP inspection mode has been added that is session-stateful and covers 99% of the cases in the HTTP Evader test suite. An HTTP/2 traffic inspection system has been added;
  • The performance of Deep Packet Inspection mode has been significantly improved. Multithreaded packet processing has been added, allowing several packet-handling threads to run simultaneously and providing linear scalability with the number of CPU cores;
  • A common repository of configuration and attribute tables has been implemented and is shared between the different subsystems, which significantly reduces memory consumption by eliminating duplicated information;
  • A new event logging system uses the JSON format and integrates easily with external platforms such as Elastic Stack;
  • A transition to a modular architecture: functionality can be extended by connecting plugins, and key subsystems are implemented as replaceable plugins. Several hundred plugins have already been implemented for Snort 3, covering various areas of application, for example adding custom codecs, inspection modes, logging methods, rule actions and rule options;
  • Automatic detection of running services, eliminating the need to specify active network ports manually;
  • Added support for files that quickly override settings relative to the default configuration. The use of snort_config.lua and SNORT_LUA_PATH has been deprecated to simplify configuration. Added support for reloading settings on the fly;
  • The code provides the ability to use C++ constructs defined in the C++14 standard (build requires a compiler that supports C++14);
  • Added new VXLAN handler;
  • Improved detection of content types from content, using updated alternative implementations of the Boyer-Moore and Hyperscan algorithms;
  • Startup is accelerated due to the use of several threads for compiling groups of rules;
  • Added a new logging mechanism;
  • An RNA (Real-time Network Awareness) inspection system has been added that collects information about resources, hosts, applications and services available on the network.
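A minimal Snort 3 configuration, written for this article as an added example rather than taken from the Snort project or the original text, ties several of the items above together: the Lua configuration, wizard-based service detection, a rule that uses the http_uri sticky buffer, and JSON alert output. The HOME_NET range, the URI pattern, and the sid (in the local 1000000+ range) are constructed values.

```lua
-- snort.lua (constructed example; the address range and rule are assumptions)
HOME_NET = '192.168.10.0/24'        -- assumed protected range
EXTERNAL_NET = '!$HOME_NET'

-- pull in the stock defaults shipped with Snort 3 (default_variables and
-- default_wizard are defined there)
include 'snort_defaults.lua'

-- stateful stream reassembly and the session-stateful HTTP inspector
stream = { }
stream_tcp = { }
http_inspect = { }

-- service autodetection: bind http_inspect explicitly on common ports and
-- let the wizard identify the service on any other port
wizard = default_wizard
binder =
{
    { when = { proto = 'tcp', ports = '80 8080' }, use = { type = 'http_inspect' } },
    { use = { type = 'wizard' } },
}

-- rules: the built-in decoder/inspector rules plus one inline text rule.
-- http_uri is a sticky buffer: every content match that follows it in the
-- rule is evaluated against the normalized URI, not the raw payload.
ips =
{
    enable_builtin_rules = true,
    variables = default_variables,
    rules = [[
alert http $EXTERNAL_NET any -> $HOME_NET any (
    msg:"EXAMPLE request for admin console path";
    flow:to_server, established;
    http_uri;
    content:"/admin/console", nocase;
    sid:1000001; rev:1;
)
]],
}

-- JSON alert output, one object per event, for ingestion by Elastic Stack
alert_json =
{
    file = true,
    fields = 'timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action msg',
}
```

Validate the file with `snort -c snort.lua -T` before loading it; because the rule is bound to the http service rather than to fixed ports, it also fires on HTTP that the wizard identifies on non-standard ports.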

Source: opennet.ru
