Snort 1.8 shipped in April. The improvements over 1.7 are substantive enough to be worth writing about briefly.
What is new
Three main areas.
Improved stream reassembly. The stream4 preprocessor handles more edge cases correctly — particularly around overlapping segments, retransmissions under unusual conditions, and asymmetric routing scenarios. The improvement makes the engine more robust against Ptacek-Newsham-style evasion.
Better rule expressiveness. New rule keywords include byte_test (testing specific byte values at offsets), byte_jump (jumping to dynamic offsets), and improved pcre integration for regular-expression matching. Rules that previously required custom preprocessors can now be written in the standard rule language.
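To make the byte_test and byte_jump semantics concrete, here is a small Python model of the two keywords applied to a constructed length-prefixed message. This is an added example, not Snort's own code: the message layout, the 64-byte name limit and the 0xFF command code are assumptions chosen for illustration.

```python
import operator
import struct

# Added example, not Snort's own code: a minimal model of byte_test / byte_jump
# run over a constructed payload. Assumed (hypothetical) message layout:
#   [0:2]    big-endian length N of the name field
#   [2:2+N]  name bytes
#   [2+N]    one-byte command code
OPS = {">": operator.gt, "<": operator.lt, "=": operator.eq,
       "&": lambda a, b: (a & b) != 0}

def read_int(payload, pos, nbytes, endian="big"):
    """Return the integer stored at payload[pos:pos+nbytes], or None if short."""
    if pos < 0 or pos + nbytes > len(payload):
        return None
    return int.from_bytes(payload[pos:pos + nbytes], endian)

def byte_test(payload, cursor, nbytes, op, value, offset, relative=False):
    """Test <nbytes> at <offset> (relative to the cursor if requested)."""
    pos = cursor + offset if relative else offset
    field = read_int(payload, pos, nbytes)
    return field is not None and OPS[op](field, value)

def byte_jump(payload, cursor, nbytes, offset, relative=False, multiplier=1):
    """Read a length at <offset>, then move the cursor past the data it counts.
    Returns the new cursor, or None when the read or the jump runs off the end."""
    pos = cursor + offset if relative else offset
    length = read_int(payload, pos, nbytes)
    if length is None:
        return None
    new_cursor = pos + nbytes + length * multiplier
    return new_cursor if new_cursor <= len(payload) else None

def oversized_name(payload, limit=64):
    """Rule 1: flag a name length field larger than the (assumed) protocol allows."""
    return byte_test(payload, 0, 2, ">", limit, 0)

def command_after_name(payload, code=0xFF):
    """Rule 2: skip the variable-length name, then inspect the command byte.
    Chains byte_jump with a relative byte_test, which is what the keywords are for."""
    cursor = byte_jump(payload, 0, 2, 0)
    if cursor is None:
        return False
    return byte_test(payload, cursor, 1, "=", code, 0, relative=True)

def build(name, code):
    """Construct a sample message with the layout above (test data only)."""
    return struct.pack(">H", len(name)) + name + bytes([code])
```

A truncated message whose length field points past the end of the payload makes byte_jump return None rather than matching, which is the bounds behaviour a rule writer should expect.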
Performance improvements. The matching engine has been optimised; my sensor's CPU utilisation has dropped roughly 15% on the same workload. Larger deployments will see larger gains.
What I have observed running it
Upgrade procedure: build 1.8 from source on a test machine, run alongside 1.7 for a week, then swap. The transition was smooth; no rule incompatibilities.
My alert volume is essentially unchanged. The detection patterns are the same; the new rules I have written using byte_test are catching events the old rules would have missed.
The stream-reassembly improvements are subtle but visible — fewer false positives on TCP traffic with retransmissions; cleaner handling of long-running connections.
A small note
Snort 1.8 is, on balance, a polish release on the 1.7 architecture. The bigger architectural changes are reportedly deferred to 2.0 (still in development).
For anyone running Snort: the upgrade to 1.8 is straightforward and the improvements are real. Worth doing.
More as the year develops.