Snort 3 arrives with a total redesign and these new features

After seven years of development, Cisco has released the first stable version of the Snort 3 intrusion prevention system, which has been completely redesigned. The release simplifies Snort's configuration and start-up, allows configuration to be automated, simplifies the rule language, detects all protocols automatically, provides a shell for command-line control, makes active use of multi-threading with shared access from different handlers to a single configuration, and more.

For those who are unfamiliar with Snort, it can analyze traffic in real time, respond to detected malicious activity and keep a detailed packet log for later incident analysis.

The Snort 3 branch, also known as the Snort++ project, completely rethinks the product's concept and architecture.

Work on Snort 3 started in 2005 but was soon abandoned and only resumed in 2013 after Cisco took over the project.

Main new features in Snort 3

Snort 3 has moved to a new configuration system, which offers a simplified syntax and allows scripts to generate configurations dynamically. Configuration files are processed with LuaJIT, and LuaJIT-based plugins gain additional rule options and a logging system.

Another notable change is that the attack detection engine has been modernized, the rules have been updated, rules can now bind content matches to specific buffers ("sticky buffers"), and the Hyperscan search engine is used, which makes matching the regular-expression-based patterns in rules faster and more precise.

Snort 3 also adds a new, session-stateful HTTP inspection mode that covers 99% of the scenarios in the HTTP Evader test suite, plus a new inspection system for HTTP/2 traffic.

The performance of deep packet inspection mode has been significantly improved. Multi-threaded packet processing has been added, allowing multiple packet-handling threads to run simultaneously and providing linear scalability with the number of CPU cores.

A shared store for configuration tables and attributes, used across different subsystems, has been implemented; this significantly reduces memory consumption by eliminating duplicated information.

The move to a modular architecture is also highlighted: functionality can be extended by attaching plugins, and key subsystems are implemented as replaceable plugins.

There are currently more than 200 plugins for Snort 3, covering a variety of uses, such as adding your own codecs, inspection modes, logging methods, actions and rule options.

Other notable changes in the new version:

  • Added support for files that quickly override settings relative to the defaults.
  • The use of snort_config.lua and SNORT_LUA_PATH has been discontinued to simplify configuration.
  • Added support for reloading settings on the fly.
  • New event logging system that uses the JSON format and integrates easily with external platforms such as Elastic Stack.
  • Automatic detection of running services, eliminating the need to specify active network ports manually.
  • The code can use C++ constructs defined in the C++14 standard (building requires a compiler that supports C++14).
  • A new VXLAN handler has been added.
  • Improved content matching using updated alternative implementations of the Boyer-Moore and Hyperscan algorithms.
  • Faster start-up by using multiple threads to compile rule groups.
  • Added a new logging mechanism.
  • The RNA (Real-time Network Awareness) inspection system has been added; it collects information about resources, hosts, applications and services available on the network.
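The new Lua configuration style, the sticky-buffer rule syntax, service auto-detection and JSON alert logging described above, brought together in one added example configuration. This is not code from the article nor the snort.lua that the Snort project ships: the option names are Snort 3 configuration keys, while the address range, interface, log path, rule text and binder entries are placeholders chosen for illustration.

```lua
-- snort.lua: an added example of the Snort 3 Lua configuration style.
-- Not the article's or the Snort project's shipped configuration; the
-- network values, rule text and binder entries are placeholders.

-- Network variables, referenced from rules as $HOME_NET / $EXTERNAL_NET
HOME_NET = '192.168.1.0/24'      -- placeholder address range
EXTERNAL_NET = 'any'

-- Defaults shipped with Snort 3 (define default_wizard and default_variables)
include 'snort_defaults.lua'

-- Inspectors are plain Lua tables; an empty table enables an inspector
-- with its default settings.
stream = { }
stream_tcp = { }
stream_udp = { }
http_inspect = { }     -- the session-stateful HTTP inspector
http2_inspect = { }    -- HTTP/2 inspection

-- The wizard identifies the service from the traffic itself, so no fixed
-- port list is needed; the binder then hands each flow to its inspector.
wizard = default_wizard
binder =
{
    { when = { service = 'http' },  use = { type = 'http_inspect' } },
    { when = { service = 'http2' }, use = { type = 'http2_inspect' } },
    { use = { type = 'wizard' } },
}

-- Rules can be written inline. The rule below uses sticky buffers: a
-- buffer option such as http_uri selects a buffer, and every content
-- option that follows is matched against that buffer until another
-- buffer option is selected. Modifiers such as nocase are now
-- comma-separated parameters of content.
ips =
{
    enable_builtin_rules = true,
    variables = default_variables,
    rules = [[
        alert http $EXTERNAL_NET any -> $HOME_NET any (
            msg:"EXAMPLE admin path requested with a placeholder user agent";
            http_uri; content:"/admin/", nocase;
            http_header; content:"User-Agent: example-scanner", nocase;
            sid:1000001; rev:1;
        )
    ]],
}

-- Emit alerts as JSON, one event per line, ready for Elastic Stack.
-- The field list is a subset chosen here for this example.
alert_json =
{
    file = true,
    fields = 'timestamp action proto src_ap dst_ap rule msg',
}

-- Validate and run (interface and log path are placeholders):
--   snort -c snort.lua -T
--   snort -c snort.lua -i eth0 -l /var/log/snort
-- Settings can be overridden at launch without editing the file, e.g.
--   snort -c snort.lua --lua 'ips.enable_builtin_rules = false'
```

With this layout, the inspectors, the binder and the logger are all ordinary Lua tables, so the file can be generated or adjusted by a script before Snort reads it, which is the point of the new configuration system.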

Finally, if you want to know more about the new version, you can check the details in the following link.
