+19/12/04 - build 266
+
+-- appid: Add new pattern to pop3, don't concatenate ssl certs, use openssl-1.1 compliant APIs
+-- appid: Enabling host cache for unknown SSL flows
+-- appid: Fix for better classification on pinholed data session and control session for
+ rshell/rexec
+-- appid: Format detected apps stats in columns akin to file stats
+-- appid: Handle memcap during reload_config using RRT
+-- appid: Minor cleanup
+-- cmake: Cache static DAQ module info in FindDAQ
+-- file_api: Fixed eventing when FILE_SIG_DEPTH failed when store files enabled
+-- flow: Add ability to defer whitelist verdict
+-- flow: Clean up unit test compiler warnings
+-- flow: Disabling the inspection if the Flow state is BLOCK
+-- http2_inspect: Generate status lines for responses and be more lenient on RFC violations
+-- http2_inspect: Implement hpack dynamic index lookups
+-- http_inspect: Implement show method for verbose config output
+-- http_inspect: Update user manual for detained inspection
+-- hyperscan: Select max scratch from among all compiler threads
+-- ips: Add support for parallel fast-pattern MPSE FSM compilation
+-- ips: Only use multiple threads for rule group compilation at startup
+-- ips: Support 2 rule vars same as Snort 2
+-- mpse: Only hyperscan currently supports parallel compilation
+-- port_scan: Only update scanner for ICMP if we have one
+-- profiler: Fix module profile for multithreaded runs
+-- search_engine: Ensure configured search_method is applied to search tools
+-- search_engine: Process intermediate fast-pattern matches in batches of 32 same as Snort 2
+-- search_engine: Raise an error if any MPSE compilation fails
+-- sfip: Replace copy setter with implicit copy constructor
+-- stats: Removal of mallinfo as it only support 32bit
+-- stream_tcp: Move and update the libtcp source files to the tcp source directory to consolidate
+ the stream tcp code into one component (libtcp goes away)
+-- stream_tcp: Updates from PR review comments
+
19/11/22 - build 265
-- analyzer_command: support resource tuning on reload
-- main: Improve performance of control connection polling
-- plugin_manager: allow loading individual plugin files in plugin-path
-- reject: Setting defaults for reset and control options
--- snort: update reload resource tuner to return status indicating if there is work to be done in the packet thread
--- stream: register reload resource tuner unconditionally. move checks for config changes to the tuner tinit method
+-- snort: update reload resource tuner to return status indicating if there is work to be done in
+ the packet thread
+-- stream: register reload resource tuner unconditionally. move checks for config changes to the
+ tuner tinit method
-- stream_tcp: fix state machine instantiation
-- wizard: handle NBSS startup in dce_smb_curse
19/11/06 - build 264
+
-- appid: Handle DNS responses with compression pointers at last record
-- dce_smb: deprecate config for smb_file_inspection, use smb_file_depth only
-- detection: negated fast patterns are last choice
-- telnet: fix check_encrypted help string
19/10/31 - build 263
+
-- appid: for ssl sessions, set payload id to unknown after ssl handshake is done if the payload id
was not not found
-- appid: check inferred services in host cache only if there were updates
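Review bot: the build 266 entries added at the top of this hunk leave out several user-visible changes that the manual diff further down makes: the http_inspect option accelerated_blocking is renamed to detained_inspection (only "Update user manual for detained inspection" is listed), output.wide_hex_dump flips its default from true to false, appid.first_decrypted_packet_debug is dropped, three appid.service_cache_* pegs appear, http2_inspect gains rules 121:9 through 121:11, and --pause-after-n, --piglet, --catch-test and snort2lua's --print-binding-order vanish from the option references. Each of these deserves its own line, and the rename line should state what happens to configurations that still set accelerated_blocking. Since the build 263 block is being touched anyway (blank line added under the heading), the context line "if the payload id was not not found" could lose its duplicated "not" in the same commit.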
<div class="literalblock">\r
<div class="content">\r
<pre><code> ,,_ -*> Snort++ <*-\r
-o" )~ Version 3.0.0 (Build 264)\r
+o" )~ Version 3.0.0 (Build 266)\r
'''' By Martin Roesch & The Snort Team\r
http://snort.org/contact#team\r
Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.\r
processing.</p></div>\r
</div>\r
<div class="sect4">\r
-<h5 id="_accelerated_blocking">accelerated_blocking</h5>\r
-<div class="paragraph"><p>Accelerated blocking is an experimental feature currently under\r
-development. It enables Snort to more quickly detect and block response\r
-messages containing malicious JavaScript. As this feature involves\r
-actively blocking traffic it is designed for use with inline mode\r
-operation (-Q).</p></div>\r
+<h5 id="_detained_inspection">detained_inspection</h5>\r
+<div class="paragraph"><p>Detained inspection is an experimental feature currently under development.\r
+It enables Snort to more quickly detect and block response messages\r
+containing malicious JavaScript. As this feature involves actively blocking\r
+traffic it is designed for use with inline mode operation (-Q).</p></div>\r
<div class="paragraph"><p>This feature only functions with response_depth = -1 (unlimited). This\r
limitation will be removed in a future version.</p></div>\r
-<div class="paragraph"><p>This feature is off by default. accelerated_blocking = true will activate\r
+<div class="paragraph"><p>This feature is off by default. detained_inspection = true will activate\r
it.</p></div>\r
</div>\r
<div class="sect4">\r
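Review bot: renaming the parameter from accelerated_blocking to detained_inspection (the heading id and the "detained_inspection = true will activate it" sentence) breaks every existing http_inspect configuration that sets the old name, and nothing in this paragraph or the ChangeLog says so; either keep accelerated_blocking as a deprecated alias for a release or add a sentence here that the old name is no longer accepted. The body text was only search-and-replaced: it still promises that Snort will "more quickly detect and block", while the new name suggests the response is held back until inspection completes, which is never stated. If that is the mechanism, one sentence saying what is detained and until when would also explain why inline mode (-Q) is required.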
</li>\r
<li>\r
<p>\r
-bool <strong>output.wide_hex_dump</strong> = true: output 20 bytes per lines instead of 16 when dumping buffers\r
+bool <strong>output.wide_hex_dump</strong> = false: output 20 bytes per lines instead of 16 when dumping buffers\r
</p>\r
</li>\r
</ul></div>\r
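Review bot: changing the output.wide_hex_dump default from true to false alters the format of every hex dump (16 instead of 20 bytes per line) for anyone who does not set the option explicitly, and neither this line nor the build 266 ChangeLog gives a reason; add a ChangeLog entry, and if the intent is to match Snort 2 output, say so the way other entries do ("same as Snort 2"). The help string itself reads "output 20 bytes per lines instead of 16"; "per line" is the intended wording and is worth fixing in the module help while the default is being touched.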
</li>\r
<li>\r
<p>\r
-int <strong>snort.--pause-after-n</strong>: <count> pause after count packets { 1:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
string <strong>snort.--pcap-file</strong>: <file> file that contains a list of pcaps to read - read mode is implied\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--piglet</strong>: enable piglet test harness mode\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
string <strong>snort.--plugin-path</strong>: <path> a colon separated list of directories or plugin libraries\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--catch-test</strong>: comma separated list of cat unit test tags or <em>all</em>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
implied <strong>snort.--version</strong>: show version number (same as -V)\r
</p>\r
</li>\r
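Review bot: this hunk and the two before it remove --catch-test, --piglet and --pause-after-n from the snort module reference (the same three go from the command-line list further down, together with the eight piglet::pp_* plugin entries near the end of the diff), but no build 266 ChangeLog line mentions dropping any command-line options or plugins. If these are still compiled in for unit-test and piglet builds and only disappeared because the manual was regenerated from a build without them, the generated reference will change with every regeneration; either state the build dependency in the manual or generate it from a consistently configured build. If they were really removed from the code, add the ChangeLog entry.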
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>appid.first_decrypted_packet_debug</strong> = 0: the first packet of an already decrypted SSL flow (debug single session only) { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>appid.memcap</strong> = 1048576: max size of the service cache before we start pruning the cache { 1024:maxSZ }\r
</p>\r
</li>\r
<strong>appid.appid_unknown</strong>: count of sessions where appid could not be determined (sum)\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+<strong>appid.service_cache_prunes</strong>: number of times the service cache was pruned (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.service_cache_adds</strong>: number of times an entry was added to the service cache (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.service_cache_removes</strong>: number of times an item was removed from the service cache (sum)\r
+</p>\r
+</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
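Review bot: the three new peg descriptions are inconsistent, "number of times an entry was added" for service_cache_adds versus "number of times an item was removed" for service_cache_removes; pick one term. The deleted appid.first_decrypted_packet_debug option and the new counters both belong in the ChangeLog: "Handle memcap during reload_config using RRT" does not tell a user that appid.memcap is now enforced by pruning a service cache whose activity is visible through service_cache_prunes, service_cache_adds and service_cache_removes, which is exactly what an operator sizing memcap would want to know.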
<div class="paragraph"><p>What: HTTP/2 inspector</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>http2_inspect.test_input</strong> = false: read HTTP/2 messages from text file\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http2_inspect.test_output</strong> = false: print out HTTP section data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>http2_inspect.print_amount</strong> = 1200: number of characters to print from a Field { 1:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http2_inspect.print_hex</strong> = false: nonprinting characters printed in [HH] format instead of using an asterisk\r
+<strong>121:1</strong> (http2_inspect) error in HPACK integer value\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http2_inspect.show_pegs</strong> = true: display peg counts with test output\r
+<strong>121:2</strong> (http2_inspect) HPACK integer value has leading zeros\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http2_inspect.show_scan</strong> = false: display scanned segments\r
+<strong>121:3</strong> (http2_inspect) error in HPACK string value\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>121:1</strong> (http2_inspect) error in HPACK integer value\r
+<strong>121:4</strong> (http2_inspect) missing HTTP/2 continuation frame\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>121:2</strong> (http2_inspect) integer value has leading zeros\r
+<strong>121:5</strong> (http2_inspect) unexpected HTTP/2 continuation frame\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>121:3</strong> (http2_inspect) error in HPACK string value\r
+<strong>121:6</strong> (http2_inspect) misformatted HTTP/2 traffic\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>121:4</strong> (http2_inspect) missing continuation frame\r
+<strong>121:7</strong> (http2_inspect) HTTP/2 connection preface does not match\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>121:5</strong> (http2_inspect) unexpected continuation frame\r
+<strong>121:9</strong> (http2_inspect) HTTP/2 request missing required header field\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>121:6</strong> (http2_inspect) misformatted HTTP/2 traffic\r
+<strong>121:10</strong> (http2_inspect) HTTP/2 response has no status code\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>121:7</strong> (http2_inspect) HTTP/2 connection preface does not match\r
+<strong>121:11</strong> (http2_inspect) invalid HTTP/2 header field\r
</p>\r
</li>\r
</ul></div>\r
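Review bot: the rule list jumps from 121:7 to 121:9; if 121:8 was allocated and removed, or is reserved, that should be noted somewhere, otherwise readers will take the gap for a documentation error. The three new rules (121:9 request missing required header field, 121:10 response has no status code, 121:11 invalid HTTP/2 header field) presumably come from the "Generate status lines for responses and be more lenient on RFC violations" change, but that ChangeLog line says nothing about new builtin rules; users who enable gid 121 rules will see new alerts, so the SIDs should be called out. The "Configuration:" heading and all six parameters under it are removed, leaving http2_inspect with no documented configuration at all; if the inspector still has parameters in some builds, say so rather than listing none.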
bool <strong>http_inspect.simplify_path</strong> = true: reduce URI directory path to simplest form\r
</p>\r
</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.test_input</strong> = false: read HTTP messages from text file\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.test_output</strong> = false: print out HTTP section data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>http_inspect.print_amount</strong> = 1200: number of characters to print from a Field { 1:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.print_hex</strong> = false: nonprinting characters printed in [HH] format instead of using an asterisk\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.show_pegs</strong> = true: display peg counts with test output\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.show_scan</strong> = false: display scanned segments\r
-</p>\r
-</li>\r
</ul></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
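Review bot: the six http_inspect parameters removed here (test_input, test_output, print_amount, print_hex, show_pegs, show_scan) are test-harness knobs, and their disappearance together with the identical six for http2_inspect, --piglet and --catch-test points to the manual having been regenerated from a build without the test options enabled rather than to a deliberate removal. Confirm which it is before merging: if they still exist in test builds, the reference now silently depends on how the documentation build was configured; if they were removed, the ChangeLog needs a line.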
</li>\r
<li>\r
<p>\r
-<strong>--print-binding-order</strong>\r
- Print sorting priority used when generating binder table\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>--print-differences</strong> Same as <em>-d</em>. output the differences, and only the\r
differences, between the Snort and Snort++ configurations to\r
the <out_file>\r
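Review bot: dropping --print-binding-order from the snort2lua option list has no matching ChangeLog entry (there is no snort2lua line under build 266 at all). If the option was removed from the tool, add the line; if it still exists and was lost when the manual was regenerated, restore it here.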
</li>\r
<li>\r
<p>\r
-<strong>--pause-after-n</strong> <count> pause after count packets (1:max53)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>--pcap-file</strong> <file> file that contains a list of pcaps to read - read mode is implied\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>--piglet</strong> enable piglet test harness mode\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>--plugin-path</strong> <path> a colon separated list of directories or plugin libraries\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>--catch-test</strong> comma separated list of cat unit test tags or <em>all</em>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>--version</strong> show version number (same as -V)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>appid.first_decrypted_packet_debug</strong> = 0: the first packet of an already decrypted SSL flow (debug single session only) { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>appid.instance_id</strong> = 0: instance id - ignored { 0:max32 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>http2_inspect.print_amount</strong> = 1200: number of characters to print from a Field { 1:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http2_inspect.print_hex</strong> = false: nonprinting characters printed in [HH] format instead of using an asterisk\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http2_inspect.show_pegs</strong> = true: display peg counts with test output\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http2_inspect.show_scan</strong> = false: display scanned segments\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http2_inspect.test_input</strong> = false: read HTTP/2 messages from text file\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http2_inspect.test_output</strong> = false: print out HTTP section data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
implied <strong>http_cookie.request</strong>: match against the cookie from the request message even when examining the response\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_inspect.print_amount</strong> = 1200: number of characters to print from a Field { 1:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.print_hex</strong> = false: nonprinting characters printed in [HH] format instead of using an asterisk\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>http_inspect.request_depth</strong> = -1: maximum request message body bytes to examine (-1 no limit) { -1:max53 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.show_pegs</strong> = true: display peg counts with test output\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.show_scan</strong> = false: display scanned segments\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
bool <strong>http_inspect.simplify_path</strong> = true: reduce URI directory path to simplest form\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.test_input</strong> = false: read HTTP messages from text file\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.test_output</strong> = false: print out HTTP section data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
bool <strong>http_inspect.unzip</strong> = true: decompress gzip and deflate message bodies\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>output.wide_hex_dump</strong> = true: output 20 bytes per lines instead of 16 when dumping buffers\r
+bool <strong>output.wide_hex_dump</strong> = false: output 20 bytes per lines instead of 16 when dumping buffers\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--catch-test</strong>: comma separated list of cat unit test tags or <em>all</em>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
string <strong>snort.-c</strong>: <conf> use this configuration\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>snort.--pause-after-n</strong>: <count> pause after count packets { 1:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
implied <strong>snort.--pause</strong>: wait for resume/quit command before processing packets/terminating\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--piglet</strong>: enable piglet test harness mode\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
string <strong>snort.--plugin-path</strong>: <path> a colon separated list of directories or plugin libraries\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>appid.service_cache_adds</strong>: number of times an entry was added to the service cache (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.service_cache_prunes</strong>: number of times the service cache was pruned (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.service_cache_removes</strong>: number of times an item was removed from the service cache (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>appid.total_sessions</strong>: count of sessions created (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>121:2</strong> (http2_inspect) integer value has leading zeros\r
+<strong>121:2</strong> (http2_inspect) HPACK integer value has leading zeros\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>121:4</strong> (http2_inspect) missing continuation frame\r
+<strong>121:4</strong> (http2_inspect) missing HTTP/2 continuation frame\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>121:5</strong> (http2_inspect) unexpected continuation frame\r
+<strong>121:5</strong> (http2_inspect) unexpected HTTP/2 continuation frame\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>121:9</strong> (http2_inspect) HTTP/2 request missing required header field\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>121:10</strong> (http2_inspect) HTTP/2 response has no status code\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>121:11</strong> (http2_inspect) invalid HTTP/2 header field\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>122:1</strong> (port_scan) TCP portscan\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>piglet::pp_codec</strong>: Codec piglet\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>piglet::pp_inspector</strong>: Inspector piglet\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>piglet::pp_ips_action</strong>: Ips action piglet\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>piglet::pp_ips_option</strong>: Ips option piglet\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>piglet::pp_logger</strong>: Logger piglet\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>piglet::pp_search_engine</strong>: Search engine piglet\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>piglet::pp_so_rule</strong>: SO rule piglet\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>piglet::pp_test</strong>: Test piglet\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>search_engine::ac_banded</strong>: Aho-Corasick Banded (high memory, moderate performance)\r
</p>\r
</li>\r
<div id="footer">\r
<div id="footer-text">\r
Last updated\r
- 2019-11-21 02:51:52 EST\r
+ 2019-12-04 10:58:36 EST\r
</div>\r
</div>\r
</body>\r
Snorty
,,_ -*> Snort++ <*-
-o" )~ Version 3.0.0 (Build 264)
+o" )~ Version 3.0.0 (Build 266)
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
These limits have no effect on how much data is forwarded to file
processing.
-5.9.2.2. accelerated_blocking
+5.9.2.2. detained_inspection
-Accelerated blocking is an experimental feature currently under
+Detained inspection is an experimental feature currently under
development. It enables Snort to more quickly detect and block
response messages containing malicious JavaScript. As this feature
involves actively blocking traffic it is designed for use with inline
This feature only functions with response_depth = -1 (unlimited).
This limitation will be removed in a future version.
-This feature is off by default. accelerated_blocking = true will
+This feature is off by default. detained_inspection = true will
activate it.
5.9.2.3. gzip
* bool output.verbose = false: be verbose (same as -v)
* bool output.obfuscate = false: obfuscate the logged IP addresses
(same as -O)
- * bool output.wide_hex_dump = true: output 20 bytes per lines
+ * bool output.wide_hex_dump = false: output 20 bytes per lines
instead of 16 when dumping buffers
* implied snort.--nolock-pidfile: do not try to lock Snort PID file
* implied snort.--pause: wait for resume/quit command before
processing packets/terminating
- * int snort.--pause-after-n: <count> pause after count packets {
- 1:max53 }
* string snort.--pcap-file: <file> file that contains a list of
pcaps to read - read mode is implied
* string snort.--pcap-list: <list> a space separated list of pcaps
* implied snort.--pcap-show: print a line saying what pcap is
currently being read
* implied snort.--pedantic: warnings are fatal
- * implied snort.--piglet: enable piglet test harness mode
* string snort.--plugin-path: <path> a colon separated list of
directories or plugin libraries
* implied snort.--process-all-events: process all action groups
* implied snort.--treat-drop-as-ignore: use drop, block, and reset
rules to ignore session traffic when not inline
* string snort.--tweaks: tune configuration
- * string snort.--catch-test: comma separated list of cat unit test
- tags or all
* implied snort.--version: show version number (same as -V)
* implied snort.--warn-all: enable all warnings
* implied snort.--warn-conf: warn about configuration issues
Configuration:
- * int appid.first_decrypted_packet_debug = 0: the first packet of
- an already decrypted SSL flow (debug single session only) {
- 0:max32 }
* int appid.memcap = 1048576: max size of the service cache before
we start pruning the cache { 1024:maxSZ }
* bool appid.log_stats = false: enable logging of appid statistics
* appid.total_sessions: count of sessions created (sum)
* appid.appid_unknown: count of sessions where appid could not be
determined (sum)
+ * appid.service_cache_prunes: number of times the service cache was
+ pruned (sum)
+ * appid.service_cache_adds: number of times an entry was added to
+ the service cache (sum)
+ * appid.service_cache_removes: number of times an item was removed
+ from the service cache (sum)
9.2. arp_spoof
Usage: inspect
-Configuration:
-
- * bool http2_inspect.test_input = false: read HTTP/2 messages from
- text file
- * bool http2_inspect.test_output = false: print out HTTP section
- data
- * int http2_inspect.print_amount = 1200: number of characters to
- print from a Field { 1:max53 }
- * bool http2_inspect.print_hex = false: nonprinting characters
- printed in [HH] format instead of using an asterisk
- * bool http2_inspect.show_pegs = true: display peg counts with test
- output
- * bool http2_inspect.show_scan = false: display scanned segments
-
Rules:
* 121:1 (http2_inspect) error in HPACK integer value
- * 121:2 (http2_inspect) integer value has leading zeros
+ * 121:2 (http2_inspect) HPACK integer value has leading zeros
* 121:3 (http2_inspect) error in HPACK string value
- * 121:4 (http2_inspect) missing continuation frame
- * 121:5 (http2_inspect) unexpected continuation frame
+ * 121:4 (http2_inspect) missing HTTP/2 continuation frame
+ * 121:5 (http2_inspect) unexpected HTTP/2 continuation frame
* 121:6 (http2_inspect) misformatted HTTP/2 traffic
* 121:7 (http2_inspect) HTTP/2 connection preface does not match
+ * 121:9 (http2_inspect) HTTP/2 request missing required header
+ field
+ * 121:10 (http2_inspect) HTTP/2 response has no status code
+ * 121:11 (http2_inspect) invalid HTTP/2 header field
Peg counts:
normalizing URIs
* bool http_inspect.simplify_path = true: reduce URI directory path
to simplest form
- * bool http_inspect.test_input = false: read HTTP messages from
- text file
- * bool http_inspect.test_output = false: print out HTTP section
- data
- * int http_inspect.print_amount = 1200: number of characters to
- print from a Field { 1:max53 }
- * bool http_inspect.print_hex = false: nonprinting characters
- printed in [HH] format instead of using an asterisk
- * bool http_inspect.show_pegs = true: display peg counts with test
- output
- * bool http_inspect.show_scan = false: display scanned segments
Rules:
* --output-file=<out_file> Same as -o. output the new Snort++ lua
configuration to <out_file>
* --print-all Same as -a. default option. print all data
- * --print-binding-order Print sorting priority used when generating
- binder table
* --print-differences Same as -d. output the differences, and only
the differences, between the Snort and Snort++ configurations to
the <out_file>
* --nolock-pidfile do not try to lock Snort PID file
* --pause wait for resume/quit command before processing packets/
terminating
- * --pause-after-n <count> pause after count packets (1:max53)
* --pcap-file <file> file that contains a list of pcaps to read -
read mode is implied
* --pcap-list <list> a space separated list of pcaps to read - read
between pcaps
* --pcap-show print a line saying what pcap is currently being read
* --pedantic warnings are fatal
- * --piglet enable piglet test harness mode
* --plugin-path <path> a colon separated list of directories or
plugin libraries
* --process-all-events process all action groups
* --treat-drop-as-ignore use drop, block, and reset rules to ignore
session traffic when not inline
* --tweaks tune configuration
- * --catch-test comma separated list of cat unit test tags or all
* --version show version number (same as -V)
* --warn-all enable all warnings
* --warn-conf warn about configuration issues
* bool appid.debug = false: enable appid debug logging
* bool appid.dump_ports = false: enable dump of appid port
information
- * int appid.first_decrypted_packet_debug = 0: the first packet of
- an already decrypted SSL flow (debug single session only) {
- 0:max32 }
* int appid.instance_id = 0: instance id - ignored { 0:max32 }
* bool appid.log_all_sessions = false: enable logging of all appid
sessions
* port host_tracker[].services[].port: port number
* enum host_tracker[].services[].proto: IP protocol { ip | tcp |
udp }
- * int http2_inspect.print_amount = 1200: number of characters to
- print from a Field { 1:max53 }
- * bool http2_inspect.print_hex = false: nonprinting characters
- printed in [HH] format instead of using an asterisk
- * bool http2_inspect.show_pegs = true: display peg counts with test
- output
- * bool http2_inspect.show_scan = false: display scanned segments
- * bool http2_inspect.test_input = false: read HTTP/2 messages from
- text file
- * bool http2_inspect.test_output = false: print out HTTP section
- data
* implied http_cookie.request: match against the cookie from the
request message even when examining the response
* implied http_cookie.with_body: parts of this rule examine HTTP
encodings
* bool http_inspect.plus_to_space = true: replace + with <sp> when
normalizing URIs
- * int http_inspect.print_amount = 1200: number of characters to
- print from a Field { 1:max53 }
- * bool http_inspect.print_hex = false: nonprinting characters
- printed in [HH] format instead of using an asterisk
* int http_inspect.request_depth = -1: maximum request message body
bytes to examine (-1 no limit) { -1:max53 }
* int http_inspect.response_depth = -1: maximum response message
body bytes to examine (-1 no limit) { -1:max53 }
- * bool http_inspect.show_pegs = true: display peg counts with test
- output
- * bool http_inspect.show_scan = false: display scanned segments
* bool http_inspect.simplify_path = true: reduce URI directory path
to simplest form
- * bool http_inspect.test_input = false: read HTTP messages from
- text file
- * bool http_inspect.test_output = false: print out HTTP section
- data
* bool http_inspect.unzip = true: decompress gzip and deflate
message bodies
* bool http_inspect.utf8_bare_byte = false: when doing UTF-8
* int output.tagged_packet_limit = 256: maximum number of packets
tagged for non-packet metrics { 0:max32 }
* bool output.verbose = false: be verbose (same as -v)
- * bool output.wide_hex_dump = true: output 20 bytes per lines
+ * bool output.wide_hex_dump = false: output 20 bytes per lines
instead of 16 when dumping buffers
* bool packet_capture.enable = false: initially enable packet
dumping
* string snort.--bpf: <filter options> are standard BPF options, as
seen in TCPDump
* string snort.--c2x: output hex for given char (see also --x2c)
- * string snort.--catch-test: comma separated list of cat unit test
- tags or all
* string snort.-c: <conf> use this configuration
* string snort.--control-socket: <file> to create unix socket
* implied snort.-C: print out payloads with character data only (no
* implied snort.-O: obfuscate the logged IP addresses
* string snort.-?: <option prefix> output matching command line
option quick help (same as --help-options) { (optional) }
- * int snort.--pause-after-n: <count> pause after count packets {
- 1:max53 }
* implied snort.--pause: wait for resume/quit command before
processing packets/terminating
* string snort.--pcap-dir: <dir> a directory to recurse to look for
* implied snort.--pcap-show: print a line saying what pcap is
currently being read
* implied snort.--pedantic: warnings are fatal
- * implied snort.--piglet: enable piglet test harness mode
* string snort.--plugin-path: <path> a colon separated list of
directories or plugin libraries
* implied snort.--process-all-events: process all action groups
* appid.ignored_packets: count of packets ignored (sum)
* appid.packets: count of packets received (sum)
* appid.processed_packets: count of packets processed (sum)
+ * appid.service_cache_adds: number of times an entry was added to
+ the service cache (sum)
+ * appid.service_cache_prunes: number of times the service cache was
+ pruned (sum)
+ * appid.service_cache_removes: number of times an item was removed
+ from the service cache (sum)
* appid.total_sessions: count of sessions created (sum)
* arp_spoof.packets: total packets (sum)
* back_orifice.packets: total packets (sum)
* 119:248 (http_inspect) gzip compressed data followed by
unexpected non-gzip data
* 121:1 (http2_inspect) error in HPACK integer value
- * 121:2 (http2_inspect) integer value has leading zeros
+ * 121:2 (http2_inspect) HPACK integer value has leading zeros
* 121:3 (http2_inspect) error in HPACK string value
- * 121:4 (http2_inspect) missing continuation frame
- * 121:5 (http2_inspect) unexpected continuation frame
+ * 121:4 (http2_inspect) missing HTTP/2 continuation frame
+ * 121:5 (http2_inspect) unexpected HTTP/2 continuation frame
* 121:6 (http2_inspect) misformatted HTTP/2 traffic
* 121:7 (http2_inspect) HTTP/2 connection preface does not match
+ * 121:9 (http2_inspect) HTTP/2 request missing required header
+ field
+ * 121:10 (http2_inspect) HTTP/2 response has no status code
+ * 121:11 (http2_inspect) invalid HTTP/2 header field
* 122:1 (port_scan) TCP portscan
* 122:2 (port_scan) TCP decoy portscan
* 122:3 (port_scan) TCP portsweep
* logger::log_null: disable logging of packets
* logger::log_pcap: log packet in pcap format
* logger::unified2: output event and packet in unified2 format file
- * piglet::pp_codec: Codec piglet
- * piglet::pp_inspector: Inspector piglet
- * piglet::pp_ips_action: Ips action piglet
- * piglet::pp_ips_option: Ips option piglet
- * piglet::pp_logger: Logger piglet
- * piglet::pp_search_engine: Search engine piglet
- * piglet::pp_so_rule: SO rule piglet
- * piglet::pp_test: Test piglet
* search_engine::ac_banded: Aho-Corasick Banded (high memory,
moderate performance)
* search_engine::ac_bnfa: Aho-Corasick Binary NFA (low memory, high