Snort is an open source network intrusion prevention system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
Official Release Note of Snort 2.9.1:-
- Protocol aware reassembly support for HTTP and DCE/RPC preprocessors. Updates to Stream5 allowing Snort to more intelligently inspect HTTP and DCE/RPC requests and responses. See README.stream5 subsection related to Protocol Aware Flushing (PAF).
- SIP preprocessor to identify SIP call channels and provide rule access via new rule option keywords. Also includes new preprocessor rules for anomalies in the SIP communications. See the Snort Manual and README.sip for details.
- POP3 & IMAP preprocessors to decode email attachments in Base64, Quoted Printable, and uuencode formats, and updates to SMTP preprocessor for decoding email attachments encoded as Quoted Printable and uuencode formats. See the Snort Manual, README.pop, README.imap, and README.SMTP for details.
- Support for reading large pcap files.
- Logging of HTTP URL (host and filename), SMTP attachment filenames and email recipients to unified2 when Snort generates events on related traffic.
- IP Reputation preprocessor, allowing Snort to blacklist or whitelist packets based on their IP addresses. This preprocessor is still in an experimental state, so please report any issues to the Snort team. See README.reputation for more information.