2015-11-17 - Snort 2.9.8.0 [*] New additions * SMBv2/SMBv3 support for file inspection. * Port override for metadata service in IPS rules. * AppID Lua detector performance profiling. * Perfmon dumps stats at fixed intervals from absolute time. * New preprocessor alert (120:18) to detect SSH tunneling over HTTP * New config option |disable_replace| to disable replace rule option. * New Stream configuration |log_asymmetric_traffic| to control logging to syslog. * New shell script in tools to create simple Lua detectors for AppID. [*] Improvements * sfip_t refactored to use struct in6_addr for all ip addresses. * Post-detection callback for preprocessors. * AppID support for multiple server/client detectors evaluating on same flow. * AppID API for DNS packets. * Memory optimizations throughout. * Support sending UDP active responses. * Fix perfmon tracking of pruned packets. * Stability improvements for AppID. * Stability improvements for Stream6 preprocessor. * Added improved support to block malware in FTP preprocessor. * Added support to differentiate between active and passive FTP connections. * Improvements done in Stream6 preprocessor to avoid having duplicate packets in the DAQ retry queue. * Resolved an issue where reputation config incorrectly displayed 'blacklist' in priority field even though 'whitelist' option was configured. * Added support for multiple expected sessions created per packet * Active response now supports MPLS