+17/12/15 - build 241
+
+-- add back the ref count for file config
+-- alert_csv: various fixes to match alert_json
+-- alert_json: tcp_ack, tcp_seq, and tcp_win are (base 10) integers
+-- alert_json: various fixes
+ thanks to Noah Dietrich <noah_dietrich@86penny.org> for reporting the issues
+-- appid: close all Lua states when thread exits
+-- appid: gracefully handle failed Lua state instantiation
+ thanks to Noah Dietrich <noah_dietrich@86penny.org> for reporting the issue.
+-- appid: only update session flags and discovery state if service id actually set to http
+-- appid: patch to update the appid discovery state when an http event results in setting of the service id for a flow
+-- appid: return false from is_third_party_appid_available when no third party module is available.
+-- appid: tweak warnings and errors
+-- binder: activate profiler support
+-- binder: add FIXIT re creating default bindings when the wizard is not configured
+-- binder: fix ingress / egress test
+-- binder: minor perf and readability tweaks
+-- build: fixed build issues on OSX with clang with cd_pbb, alert_json
+-- build: fixed several dyanmic modules on OSX / clang
+-- build: suppress appid warnings for valid case statement fall throughs
+-- byte_test: fix string bounds check
+-- catch: Update to Catch v2.0.1
+-- cmake: add --define to configure_cmake.sh for arbitrary defines
+-- codec: added wlan support for arp_spoof
+-- codec: updated MIPv6 and merged cd_pim.cc, cd_swpie.cc and cd_sun_ud.cc to cd_bad_proto.cc
+-- conf: remove OPTIONS from SIP and HTTP spells to avoid confusion with RTSP
+-- conf: remove client to server spells for FTP, IMAP, POP, and SMTP to avoid false pickups
+-- control: must execute from default policy only
+-- control: process flow first
+-- cppcheck: More miscellaneous fixes, mostly for new Catch
+-- daq: explicitly initialize more fields in SFDAQInstance constructor
+-- daq: handle real IP and port
+-- data_bus: also publish to default policy
+-- data_bus: refactor basic access for pub / sub
+-- dce: use service names from rules (dce_smb = netbios-ssn; dce_tcp / dce_udp = dcerpc)
+-- detection: fix option tree looping issue
+-- detection: rename ServiceInfo to SignatureServiceInfo
+-- doc: fix type in style section
+-- doc: update default manuals
+-- file api: move file verdict enforcement out of file policy
+-- file api: support file verdict delay during signature lookup
+-- file policy and file config update to allow user define customized file policy through file api
+-- file policy: add support for file event logging
+-- file_api: Set the FileContext verdict, not a local verdict
+-- file_id: add interface to access file info from file capture
+-- file_id: support groups
+-- hash: Rename SFGHASH, SFXHASH, SFHASHFCN to something resonable
+-- http_inspect: add profiler support
+-- http_inspect: fix bugs related to stream interaction
+-- http_inspect: use configured max_pdu as base target reassembly size
+-- inspection: default policy mode depends on adaptor mode
+-- ips options: error if lookup fails due to bad case, typos, etc.
+ thanks to Noah Dietrich <noah_dietrich@86penny.org> for reporting the issue
+-- memory: no stats output unless configured
+-- normalizer: added test mode
+-- normalizer: fix enable checks
+-- parsing: resolve paths from the current config directory instead of process directory
+-- policy: added inspection policy config.
+-- port_scan: add alert_all to make alerting on all events in window optional
+-- port_scan: fix flow checks
+-- profiler: fix focus of eventq
+-- reputation: tweak warning message
+-- rules: default msg = "no msg in rule"
+-- sfrt: remove cruft and reformat header
+-- shell: fixed crash when issuing control commands
+-- sip: use log splitter for tcp
+-- snort2lua: --bind-wizard will add a trailing binding to the default wizard in each binder
+-- snort2lua: Convert file_magic.conf to Lua format.
+-- snort2lua: added inspection uuid
+-- snort2lua: added na_policy_mode. added ability amend tables if created.
+-- snort2lua: added normalize_tcp: ftp
+-- snort2lua: fix stream_size: to_client, to_server conversion
+-- snort2lua: future proof --bind-wizard binding order
+-- snort2lua: no sticky buffer for relative pcre
+-- snort2lua: remove when udp from binding to support tcp too
+-- snort2lua: tweak const name for clarity (internal)
+-- snort2lua: urilen:<> --> bufferlen:<=>
+-- snort: do not dlclose plugins at shutdown during REG_TEST to avoid borked backtraces from LeakSanitizer
+-- soid: allow stub to contain any or all options
+-- --rule-to-*: use whole soid arg as suffix to rule and len identifiers; make static
+-- stream: change tcp idle timeout to 3600 to match 2.X nominal timeout
+-- stream_*: separate session profiler data from flow cache profiler data
+-- stream_ip: fix non-frag counting
+-- stream_size: fix eval packet checks
+-- stream_tcp: delete superfluous memsets to zero
+-- stream_tcp: ignore flush requests on unitialized sessions (early abort condition)
+-- stream_tcp: instantiate wizard only when needed
+-- stream_tcp: remove empty default state action
+-- stream_user: clear splitter properly
+-- target_based: Install header
+-- wizard: abort if no match
+-- wizard: activate profiler support
+-- wizard: usage is inspect
+
17/10/31 - build 240
-- active: fix packet modify vs resize handling
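Review bot: several ChangeLog entries in this hunk carry typos that will ship verbatim in the release notes: "dyanmic" (build: fixed several dyanmic modules on OSX / clang), "fix type in style section" (presumably "typo"), "resonable" (hash: Rename SFGHASH, SFXHASH, SFHASHFCN ...), and "unitialized" (stream_tcp: ignore flush requests on unitialized sessions). The codec entry names cd_swpie.cc and cd_sun_ud.cc, while the manual hunks further down remove codec::swipe and codec::sun_nd, so the file names look transposed and should be checked against the tree. The stream_tcp.max_pdu range change from { 1460:65535 } to { 1460:32768 }, visible in the manual hunks, has no entry here and needs one, since it can invalidate existing configurations. Trailing periods are also inconsistent (the appid "thanks" line and a handful of entries end with one, the rest do not).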
<div class="literalblock">\r
<div class="content">\r
<pre><code> ,,_ -*> Snort++ <*-\r
-o" )~ Version 3.0.0 (Build 239) from 2.9.8-383\r
+o" )~ Version 3.0.0 (Build 240) from 2.9.8-383\r
'''' By Martin Roesch & The Snort Team\r
http://snort.org/contact#team\r
Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.\r
</ul></div>\r
</div>\r
<div class="sect2">\r
+<h3 id="_inspection">inspection</h3>\r
+<div class="paragraph"><p>What: configure basic inspection policy parameters</p></div>\r
+<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+int <strong>inspection.id</strong> = 0: correlate policy and events with other items in configuration { 0:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>inspection.uuid</strong>: correlate events by uuid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+enum <strong>inspection.mode</strong> = inline-test: set policy mode { inline | inline-test }\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
<h3 id="_ips">ips</h3>\r
<div class="paragraph"><p>What: configure IPS rule processing</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
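Review bot: the new inspection.mode entry documents a fixed default of inline-test, but the ChangeLog entry "inspection: default policy mode depends on adaptor mode" says the effective default is derived at runtime; the help text should say so, otherwise the documented default misleads anyone running in tap mode. Also, inspection.uuid ships with no default while ips.uuid in this same change gains 00000000-0000-0000-0000-000000000000; unless the difference is intentional, give both the same default so correlation by uuid behaves the same for both policy types.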
</li>\r
<li>\r
<p>\r
-string <strong>ips.uuid</strong>: IPS policy uuid\r
+string <strong>ips.uuid</strong> = 00000000-0000-0000-0000-000000000000: IPS policy uuid\r
</p>\r
</li>\r
</ul></div>\r
</li>\r
<li>\r
<p>\r
+implied <strong>snort.--parsing-follows-files</strong>: parse relative paths from the perspective of the current configuration file\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>snort.--pcap-file</strong>: <file> file that contains a list of pcaps to read - read mode is implied\r
</p>\r
</li>\r
<strong>116:456</strong> (ipv6) too many IPv6 extension headers\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+<strong>116:475</strong> (ipv6) IPv6 mobility header includes an invalid value for the <em>payload protocol</em> field\r
+</p>\r
+</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
</li>\r
<li>\r
<p>\r
+string <strong>file_id.file_rules[].group</strong>: comma separated list of groups associated with file type\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>file_id.file_rules[].version</strong>: file type version\r
</p>\r
</li>\r
bool <strong>file_id.trace_stream</strong> = false: enable runtime dump of file data\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+int <strong>file_id.verdict_delay</strong> = 0: number of queries to return final verdict { 0: }\r
+</p>\r
+</li>\r
</ul></div>\r
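Review bot: the help string for file_id.verdict_delay, "number of queries to return final verdict", does not say what a query is; per the ChangeLog entry "file api: support file verdict delay during signature lookup" this is the number of signature lookups for which the final verdict is held back, so state that in the help text, and say which verdict is reported while the delay is in effect.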
<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>normalizer.ip4_trim</strong>: eth packets trimmed to datagram size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>normalizer.test_ip4_trim</strong>: test eth packets trimmed to datagram size (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.ip4_tos</strong>: type of service normalizations (sum)\r
+<strong>normalizer.ip4_trim</strong>: eth packets trimmed to datagram size (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.ip4_df</strong>: don’t frag bit normalizations (sum)\r
+<strong>normalizer.ip4_tos</strong>: type of service normalizations (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.ip4_rf</strong>: reserved flag bit clears (sum)\r
+<strong>normalizer.ip4_df</strong>: don’t frag bit normalizations (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.ip4_ttl</strong>: time-to-live normalizations (sum)\r
+<strong>normalizer.ip4_rf</strong>: reserved flag bit clears (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.ip4_opts</strong>: ip4 options cleared (sum)\r
+<strong>normalizer.ip4_ttl</strong>: time-to-live normalizations (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.icmp4_echo</strong>: icmp4 ping normalizations (sum)\r
+<strong>normalizer.ip4_opts</strong>: ip4 options cleared (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.ip6_hops</strong>: ip6 hop limit normalizations (sum)\r
+<strong>normalizer.icmp4_echo</strong>: icmp4 ping normalizations (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.ip6_options</strong>: ip6 options cleared (sum)\r
+<strong>normalizer.ip6_hops</strong>: ip6 hop limit normalizations (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.icmp6_echo</strong>: icmp6 echo normalizations (sum)\r
+<strong>normalizer.ip6_options</strong>: ip6 options cleared (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_syn_options</strong>: SYN only options cleared from non-SYN packets (sum)\r
+<strong>normalizer.icmp6_echo</strong>: icmp6 echo normalizations (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_options</strong>: packets with options cleared (sum)\r
+<strong>normalizer.tcp_syn_options</strong>: SYN only options cleared from non-SYN packets (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_padding</strong>: packets with padding cleared (sum)\r
+<strong>normalizer.tcp_options</strong>: packets with options cleared (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_reserved</strong>: packets with reserved bits cleared (sum)\r
+<strong>normalizer.tcp_padding</strong>: packets with padding cleared (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_nonce</strong>: packets with nonce bit cleared (sum)\r
+<strong>normalizer.tcp_reserved</strong>: packets with reserved bits cleared (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_urgent_ptr</strong>: packets without data with urgent pointer cleared (sum)\r
+<strong>normalizer.tcp_nonce</strong>: packets with nonce bit cleared (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_ecn_pkt</strong>: packets with ECN bits cleared (sum)\r
+<strong>normalizer.tcp_urgent_ptr</strong>: packets without data with urgent pointer cleared (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_ts_ecr</strong>: timestamp cleared on non-ACKs (sum)\r
+<strong>normalizer.tcp_ecn_pkt</strong>: packets with ECN bits cleared (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_req_urg</strong>: cleared urgent pointer when urgent flag is not set (sum)\r
+<strong>normalizer.tcp_ts_ecr</strong>: timestamp cleared on non-ACKs (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_req_pay</strong>: cleared urgent pointer and urgent flag when there is no payload (sum)\r
+<strong>normalizer.tcp_req_urg</strong>: cleared urgent pointer when urgent flag is not set (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_req_urp</strong>: cleared the urgent flag if the urgent pointer is not set (sum)\r
+<strong>normalizer.tcp_req_pay</strong>: cleared urgent pointer and urgent flag when there is no payload (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_trim_syn</strong>: tcp segments trimmed on SYN (sum)\r
+<strong>normalizer.tcp_req_urp</strong>: cleared the urgent flag if the urgent pointer is not set (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_trim_rst</strong>: RST packets with data trimmed (sum)\r
+<strong>normalizer.tcp_trim_syn</strong>: tcp segments trimmed on SYN (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_trim_win</strong>: data trimmed to window (sum)\r
+<strong>normalizer.tcp_trim_rst</strong>: RST packets with data trimmed (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_trim_mss</strong>: data trimmed to MSS (sum)\r
+<strong>normalizer.tcp_trim_win</strong>: data trimmed to window (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_ecn_session</strong>: ECN bits cleared (sum)\r
+<strong>normalizer.tcp_trim_mss</strong>: data trimmed to MSS (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_ts_nop</strong>: timestamp options cleared (sum)\r
+<strong>normalizer.tcp_ecn_session</strong>: ECN bits cleared (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_ips_data</strong>: normalized segments (sum)\r
+<strong>normalizer.tcp_ts_nop</strong>: timestamp options cleared (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_block</strong>: blocked segments (sum)\r
+<strong>normalizer.tcp_ips_data</strong>: normalized segments (sum)\r
</p>\r
</li>\r
<li>\r
<strong>normalizer.test_tcp_block</strong>: test blocked segments (sum)\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+<strong>normalizer.tcp_block</strong>: blocked segments (sum)\r
+</p>\r
+</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
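Review bot: moving every live normalizer counter to sit after its test_ counterpart (test_ip4_trim before ip4_trim, and so on through tcp_block) is a pure order change with no functional content, and if the documented order mirrors the peg array then any consumer that indexes normalizer stats by position will see every column shift by one. If the test mode added in this change does not require this order, keep the live pegs where they were and place each test_ peg after its live peg, which also reads more naturally in the manual.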
</li>\r
<li>\r
<p>\r
+bool <strong>port_scan.alert_all</strong> = false: alert on all events over threshold within window if true; else alert on first only\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
bool <strong>port_scan.include_midstream</strong> = false: list of CIDRs with optional ports\r
</p>\r
</li>\r
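Review bot: the unchanged context line directly after the new port_scan.alert_all entry still describes port_scan.include_midstream as "list of CIDRs with optional ports", which is help text copied from an address-list option and says nothing about midstream pickup; since this list is being edited, fix that string in the same change. The alert_all help itself is clear, though "over threshold" reads better as "exceeding the threshold".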
</li>\r
<li>\r
<p>\r
-int <strong>stream.tcp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
+int <strong>stream.tcp_cache.idle_timeout</strong> = 3600: maximum inactive time before retiring session tracker { 1: }\r
</p>\r
</li>\r
<li>\r
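Review bot: raising stream.tcp_cache.idle_timeout from 180 to 3600 is covered by the ChangeLog entry ("match 2.X nominal timeout"), but a twenty-fold increase in how long an inactive TCP tracker is retained also raises steady-state flow cache occupancy for the same traffic; the release notes should call out that deployments sized around the old 180 second default may need to revisit their cache size and memory limits.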
</li>\r
<li>\r
<p>\r
-int <strong>stream_tcp.max_pdu</strong> = 16384: maximum reassembled PDU size { 1460:65535 }\r
+int <strong>stream_tcp.max_pdu</strong> = 16384: maximum reassembled PDU size { 1460:32768 }\r
</p>\r
</li>\r
<li>\r
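Review bot: the upper bound of stream_tcp.max_pdu drops from 65535 to 32768 here with the default unchanged, yet nothing in the ChangeLog records it (the nearest entry, "http_inspect: use configured max_pdu as base target reassembly size", describes a different change); any existing configuration that sets max_pdu above 32768 will now fail the { 1460:32768 } range check at startup, so add a ChangeLog entry and, if the cap is deliberate, say why 32768.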
<h3 id="_wizard_2">wizard</h3>\r
<div class="paragraph"><p>What: inspector that implements port-independent protocol identification</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>soid.~</strong>: SO rule ID has <gid>|<sid> format, like 3|12345\r
+string <strong>soid.~</strong>: SO rule ID is unique key, eg <gid>_<sid>_<rev> like 3_45678_9\r
</p>\r
</li>\r
</ul></div>\r
</li>\r
<li>\r
<p>\r
-multi <strong>alert_csv.fields</strong> = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }\r
+multi <strong>alert_csv.fields</strong> = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | seconds | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }\r
</p>\r
</li>\r
<li>\r
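Review bot: the only change to alert_csv.fields is the new seconds selector in the allowed-field list, and the same addition appears for alert_json.fields below; the ChangeLog entries for both outputs ("various fixes") do not name it, so add an entry that says seconds was added, and make sure its help distinguishes it from timestamp (presumably epoch seconds versus the formatted time), since both are now selectable.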
</li>\r
<li>\r
<p>\r
-multi <strong>alert_json.fields</strong> = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }\r
+multi <strong>alert_json.fields</strong> = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | seconds | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>--bind-wizard</strong> Add default wizard to bindings\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>--conf-file</strong> Same as <em>-c</em>. A Snort <snort_conf> file which will be\r
converted\r
</p>\r
</li>\r
<li>\r
<p>\r
-Heed Tim Ottinger’s Rule on Comments (<a href="https://disqus.com/by/tim_ottinger/">https://disqus.com/by/tim_ottinger/</a>):\r
+Heed Tim Ottinger’s Rules on Comments (<a href="https://disqus.com/by/tim_ottinger/">https://disqus.com/by/tim_ottinger/</a>):\r
</p>\r
<div class="olist arabic"><ol class="arabic">\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>--parsing-follows-files</strong> parse relative paths from the perspective of the current configuration file\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>--pause</strong> wait for resume/quit command before processing packets/terminating\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-multi <strong>alert_csv.fields</strong> = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }\r
+multi <strong>alert_csv.fields</strong> = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | seconds | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-multi <strong>alert_json.fields</strong> = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }\r
+multi <strong>alert_json.fields</strong> = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | seconds | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+string <strong>file_id.file_rules[].group</strong>: comma separated list of groups associated with file type\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>file_id.file_rules[].id</strong> = 0: file type id { 0: }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+int <strong>file_id.verdict_delay</strong> = 0: number of queries to return final verdict { 0: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
bool <strong>file_log.log_pkt_time</strong> = true: log the packet time when event generated\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+int <strong>inspection.id</strong> = 0: correlate policy and events with other items in configuration { 0:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+enum <strong>inspection.mode</strong> = inline-test: set policy mode { inline | inline-test }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>inspection.uuid</strong>: correlate events by uuid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
select <strong>ipopts.~opt</strong>: output format { rr|eol|nop|ts|sec|esec|lsrr|lsrre|ssrr|satid|any }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-string <strong>ips.uuid</strong>: IPS policy uuid\r
+string <strong>ips.uuid</strong> = 00000000-0000-0000-0000-000000000000: IPS policy uuid\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>port_scan.alert_all</strong> = false: alert on all events over threshold within window if true; else alert on first only\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>port_scan.icmp_sweep.nets</strong> = 25: number of times address changed from prior attempt { 0: }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+implied <strong>snort.--parsing-follows-files</strong>: parse relative paths from the perspective of the current configuration file\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>snort.--pause</strong>: wait for resume/quit command before processing packets/terminating\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-string <strong>soid.~</strong>: SO rule ID has <gid>|<sid> format, like 3|12345\r
+string <strong>soid.~</strong>: SO rule ID is unique key, eg <gid>_<sid>_<rev> like 3_45678_9\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.tcp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
+int <strong>stream.tcp_cache.idle_timeout</strong> = 3600: maximum inactive time before retiring session tracker { 1: }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream_tcp.max_pdu</strong> = 16384: maximum reassembled PDU size { 1460:65535 }\r
+int <strong>stream_tcp.max_pdu</strong> = 16384: maximum reassembled PDU size { 1460:32768 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>116:475</strong> (ipv6) IPv6 mobility header includes an invalid value for the <em>payload protocol</em> field\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>119:1</strong> (http_inspect) ascii encoding\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>inspection</strong> (basic): configure basic inspection policy parameters\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>ip_proto</strong> (ips_option): rule option to check the IP protocol number\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>codec::bad_proto</strong>: bad protocol id\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>codec::ciscometadata</strong>: support for cisco metadata\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>codec::pim</strong>: support for protocol independent multicast\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>codec::ppp</strong>: support for point-to-point encapsulation (DLT 9)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>codec::sun_nd</strong>: support for Sun ND\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::swipe</strong>: support for Swipe\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>codec::tcp</strong>: support for transmission control protocol\r
</p>\r
</li>\r
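Review bot: removing codec::pim, codec::sun_nd and codec::swipe from the codec list matches the ChangeLog merge into cd_bad_proto.cc, but the new codec::bad_proto entry above only says "bad protocol id"; its help text should name the protocols it now covers (PIM, Sun ND, Swipe) so that anyone searching the manual for them still finds the replacement.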
<div id="footnotes"><hr /></div>\r
<div id="footer">\r
<div id="footer-text">\r
-Last updated 2017-10-31 00:00:56 EDT\r
+Last updated 2017-12-14 00:01:02 EST\r
</div>\r
</div>\r
</body>\r
6.11. host_cache
6.12. host_tracker
6.13. hosts
- 6.14. ips
- 6.15. latency
- 6.16. memory
- 6.17. network
- 6.18. output
- 6.19. packets
- 6.20. process
- 6.21. profiler
- 6.22. rate_filter
- 6.23. references
- 6.24. rule_state
- 6.25. search_engine
- 6.26. side_channel
- 6.27. snort
- 6.28. suppress
+ 6.14. inspection
+ 6.15. ips
+ 6.16. latency
+ 6.17. memory
+ 6.18. network
+ 6.19. output
+ 6.20. packets
+ 6.21. process
+ 6.22. profiler
+ 6.23. rate_filter
+ 6.24. references
+ 6.25. rule_state
+ 6.26. search_engine
+ 6.27. side_channel
+ 6.28. snort
+ 6.29. suppress
7. Codec Modules
Snorty
,,_ -*> Snort++ <*-
-o" )~ Version 3.0.0 (Build 239) from 2.9.8-383
+o" )~ Version 3.0.0 (Build 240) from 2.9.8-383
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.
* port hosts[].services[].port: port number
-6.14. ips
+6.14. inspection
+
+--------------
+
+What: configure basic inspection policy parameters
+
+Type: basic
+
+Usage: inspect
+
+Configuration:
+
+ * int inspection.id = 0: correlate policy and events with other
+ items in configuration { 0:65535 }
+ * string inspection.uuid: correlate events by uuid
+ * enum inspection.mode = inline-test: set policy mode { inline |
+ inline-test }
+
+
+6.15. ips
--------------
* string ips.include: legacy snort rules and includes
* enum ips.mode: set policy mode { tap | inline | inline-test }
* string ips.rules: snort rules and includes
- * string ips.uuid: IPS policy uuid
+ * string ips.uuid = 00000000-0000-0000-0000-000000000000: IPS
+ policy uuid
Peg counts:
provided (sum)
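Review bot: in the plain-text manual the new "6.14. inspection" heading is followed by a blank line before its "--------------" underline, whereas every other section here (6.15. ips, 6.16. latency, and so on) has the underline directly under the heading; this points to a stray blank line in the source for the new section, which should be removed before the text manual is regenerated.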
-6.15. latency
+6.16. latency
--------------
* latency.rule_tree_enables: rule tree re-enables (sum)
-6.16. memory
+6.17. memory
--------------
preemptive cleanup actions (percent, 0 to disable) { 0: }
-6.17. network
+6.18. network
--------------
unlimited) { 0:255 }
-6.18. output
+6.19. output
--------------
state that determined packet verdict
-6.19. packets
+6.20. packets
--------------
is used to track fragments and connections
-6.20. process
+6.21. process
--------------
timestamps
-6.21. profiler
+6.22. profiler
--------------
avg_match | avg_no_match }
-6.22. rate_filter
+6.23. rate_filter
--------------
according to track
-6.23. references
+6.24. references
--------------
* string references[].url: where this reference is defined
-6.24. rule_state
+6.25. rule_state
--------------
policies
-6.25. search_engine
+6.26. search_engine
--------------
* search_engine.searched_bytes: total bytes searched (sum)
-6.26. side_channel
+6.27. side_channel
--------------
* side_channel.packets: total packets (sum)
-6.27. snort
+6.28. snort
--------------
* implied snort.--nolock-pidfile: do not try to lock Snort PID file
* implied snort.--pause: wait for resume/quit command before
processing packets/terminating
+ * implied snort.--parsing-follows-files: parse relative paths from
+ the perspective of the current configuration file
* string snort.--pcap-file: <file> file that contains a list of
pcaps to read - read mode is implied
* string snort.--pcap-list: <list> a space separated list of pcaps
* snort.attribute_table_hosts: total number of hosts in table (sum)
-6.28. suppress
+6.29. suppress
--------------
* 116:458 (ipv6) bogus fragmentation packet, possible BSD attack
* 116:461 (ipv6) IPv6 routing type 0 extension header
* 116:456 (ipv6) too many IPv6 extension headers
+ * 116:475 (ipv6) IPv6 mobility header includes an invalid value for
+ the payload protocol field
7.17. llc
* string file_id.file_rules[].type: file type name
* int file_id.file_rules[].id = 0: file type id { 0: }
* string file_id.file_rules[].category: file type category
+ * string file_id.file_rules[].group: comma separated list of groups
+ associated with file type
* string file_id.file_rules[].version: file type version
* string file_id.file_rules[].magic[].content: file magic content
* int file_id.file_rules[].magic[].offset = 0: file magic offset {
signature info
* bool file_id.trace_stream = false: enable runtime dump of file
data
+ * int file_id.verdict_delay = 0: number of queries to return final
+ verdict { 0: }
Peg counts:
Peg counts:
- * normalizer.ip4_trim: eth packets trimmed to datagram size (sum)
* normalizer.test_ip4_trim: test eth packets trimmed to datagram
size (sum)
- * normalizer.ip4_tos: type of service normalizations (sum)
+ * normalizer.ip4_trim: eth packets trimmed to datagram size (sum)
* normalizer.test_ip4_tos: test type of service normalizations
(sum)
- * normalizer.ip4_df: don’t frag bit normalizations (sum)
+ * normalizer.ip4_tos: type of service normalizations (sum)
* normalizer.test_ip4_df: test don’t frag bit normalizations (sum)
- * normalizer.ip4_rf: reserved flag bit clears (sum)
+ * normalizer.ip4_df: don’t frag bit normalizations (sum)
* normalizer.test_ip4_rf: test reserved flag bit clears (sum)
- * normalizer.ip4_ttl: time-to-live normalizations (sum)
+ * normalizer.ip4_rf: reserved flag bit clears (sum)
* normalizer.test_ip4_ttl: test time-to-live normalizations (sum)
- * normalizer.ip4_opts: ip4 options cleared (sum)
+ * normalizer.ip4_ttl: time-to-live normalizations (sum)
* normalizer.test_ip4_opts: test ip4 options cleared (sum)
- * normalizer.icmp4_echo: icmp4 ping normalizations (sum)
+ * normalizer.ip4_opts: ip4 options cleared (sum)
* normalizer.test_icmp4_echo: test icmp4 ping normalizations (sum)
- * normalizer.ip6_hops: ip6 hop limit normalizations (sum)
+ * normalizer.icmp4_echo: icmp4 ping normalizations (sum)
* normalizer.test_ip6_hops: test ip6 hop limit normalizations (sum)
- * normalizer.ip6_options: ip6 options cleared (sum)
+ * normalizer.ip6_hops: ip6 hop limit normalizations (sum)
* normalizer.test_ip6_options: test ip6 options cleared (sum)
- * normalizer.icmp6_echo: icmp6 echo normalizations (sum)
+ * normalizer.ip6_options: ip6 options cleared (sum)
* normalizer.test_icmp6_echo: test icmp6 echo normalizations (sum)
- * normalizer.tcp_syn_options: SYN only options cleared from non-SYN
- packets (sum)
+ * normalizer.icmp6_echo: icmp6 echo normalizations (sum)
* normalizer.test_tcp_syn_options: test SYN only options cleared
from non-SYN packets (sum)
- * normalizer.tcp_options: packets with options cleared (sum)
+ * normalizer.tcp_syn_options: SYN only options cleared from non-SYN
+ packets (sum)
* normalizer.test_tcp_options: test packets with options cleared
(sum)
- * normalizer.tcp_padding: packets with padding cleared (sum)
+ * normalizer.tcp_options: packets with options cleared (sum)
* normalizer.test_tcp_padding: test packets with padding cleared
(sum)
- * normalizer.tcp_reserved: packets with reserved bits cleared (sum)
+ * normalizer.tcp_padding: packets with padding cleared (sum)
* normalizer.test_tcp_reserved: test packets with reserved bits
cleared (sum)
- * normalizer.tcp_nonce: packets with nonce bit cleared (sum)
+ * normalizer.tcp_reserved: packets with reserved bits cleared (sum)
* normalizer.test_tcp_nonce: test packets with nonce bit cleared
(sum)
- * normalizer.tcp_urgent_ptr: packets without data with urgent
- pointer cleared (sum)
+ * normalizer.tcp_nonce: packets with nonce bit cleared (sum)
* normalizer.test_tcp_urgent_ptr: test packets without data with
urgent pointer cleared (sum)
- * normalizer.tcp_ecn_pkt: packets with ECN bits cleared (sum)
+ * normalizer.tcp_urgent_ptr: packets without data with urgent
+ pointer cleared (sum)
* normalizer.test_tcp_ecn_pkt: test packets with ECN bits cleared
(sum)
- * normalizer.tcp_ts_ecr: timestamp cleared on non-ACKs (sum)
+ * normalizer.tcp_ecn_pkt: packets with ECN bits cleared (sum)
* normalizer.test_tcp_ts_ecr: test timestamp cleared on non-ACKs
(sum)
- * normalizer.tcp_req_urg: cleared urgent pointer when urgent flag
- is not set (sum)
+ * normalizer.tcp_ts_ecr: timestamp cleared on non-ACKs (sum)
* normalizer.test_tcp_req_urg: test cleared urgent pointer when
urgent flag is not set (sum)
- * normalizer.tcp_req_pay: cleared urgent pointer and urgent flag
- when there is no payload (sum)
+ * normalizer.tcp_req_urg: cleared urgent pointer when urgent flag
+ is not set (sum)
* normalizer.test_tcp_req_pay: test cleared urgent pointer and
urgent flag when there is no payload (sum)
- * normalizer.tcp_req_urp: cleared the urgent flag if the urgent
- pointer is not set (sum)
+ * normalizer.tcp_req_pay: cleared urgent pointer and urgent flag
+ when there is no payload (sum)
* normalizer.test_tcp_req_urp: test cleared the urgent flag if the
urgent pointer is not set (sum)
- * normalizer.tcp_trim_syn: tcp segments trimmed on SYN (sum)
+ * normalizer.tcp_req_urp: cleared the urgent flag if the urgent
+ pointer is not set (sum)
* normalizer.test_tcp_trim_syn: test tcp segments trimmed on SYN
(sum)
- * normalizer.tcp_trim_rst: RST packets with data trimmed (sum)
+ * normalizer.tcp_trim_syn: tcp segments trimmed on SYN (sum)
* normalizer.test_tcp_trim_rst: test RST packets with data trimmed
(sum)
- * normalizer.tcp_trim_win: data trimmed to window (sum)
+ * normalizer.tcp_trim_rst: RST packets with data trimmed (sum)
* normalizer.test_tcp_trim_win: test data trimmed to window (sum)
- * normalizer.tcp_trim_mss: data trimmed to MSS (sum)
+ * normalizer.tcp_trim_win: data trimmed to window (sum)
* normalizer.test_tcp_trim_mss: test data trimmed to MSS (sum)
- * normalizer.tcp_ecn_session: ECN bits cleared (sum)
+ * normalizer.tcp_trim_mss: data trimmed to MSS (sum)
* normalizer.test_tcp_ecn_session: test ECN bits cleared (sum)
- * normalizer.tcp_ts_nop: timestamp options cleared (sum)
+ * normalizer.tcp_ecn_session: ECN bits cleared (sum)
* normalizer.test_tcp_ts_nop: test timestamp options cleared (sum)
- * normalizer.tcp_ips_data: normalized segments (sum)
+ * normalizer.tcp_ts_nop: timestamp options cleared (sum)
* normalizer.test_tcp_ips_data: test normalized segments (sum)
- * normalizer.tcp_block: blocked segments (sum)
+ * normalizer.tcp_ips_data: normalized segments (sum)
* normalizer.test_tcp_block: test blocked segments (sum)
+ * normalizer.tcp_block: blocked segments (sum)
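Review bot: this whole run is an ordering change, not a content change: every removed `normalizer.<name>` line is re-added with identical text immediately after its `normalizer.test_<name>` counterpart, and no description differs. The commit should say the peg listing was regenerated and why the order moved; otherwise a reader diffing release notes will hunt for a semantic change in the normalizer counters that is not there.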
9.24. packet_capture
ports to ignore if the source of scan alerts
* string port_scan.ignore_scanned: list of CIDRs with optional
ports to ignore if the destination of scan alerts
+ * bool port_scan.alert_all = false: alert on all events over
+ threshold within window if true; else alert on first only
* bool port_scan.include_midstream = false: list of CIDRs with
optional ports
* int port_scan.tcp_ports.scans = 100: scan attempts { 0: }
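Review bot: the new alert_all help text is clear, but the neighbouring context line for `port_scan.include_midstream = false` still carries the copy-pasted text "list of CIDRs with optional ports", which describes ignore_scanned, not a boolean. Since this file is generated from the module's parameter table, fix the string at the source (something like "also track sessions picked up midstream") so the next regeneration corrects it rather than patching the manual by hand.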
sessions tracked before pruning { 2: }
* int stream.tcp_cache.pruning_timeout = 30: minimum inactive time
before being eligible for pruning { 1: }
- * int stream.tcp_cache.idle_timeout = 180: maximum inactive time
+ * int stream.tcp_cache.idle_timeout = 3600: maximum inactive time
before retiring session tracker { 1: }
* int stream.udp_cache.max_sessions = 131072: maximum simultaneous
sessions tracked before pruning { 2: }
* int stream_tcp.overlap_limit = 0: maximum number of allowed
overlapping segments per session { 0:255 }
* int stream_tcp.max_pdu = 16384: maximum reassembled PDU size {
- 1460:65535 }
+ 1460:32768 }
* enum stream_tcp.policy = bsd: determines operating system
characteristics like reassembly { first | last | linux |
old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 |
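Review bot: two silent default/range changes in this region need a ChangeLog entry. `stream.tcp_cache.idle_timeout` moves from 180 to 3600, so an idle tracker is retained twenty times longer before retirement and the cache will sit closer to max_sessions under many-idle-connection load (pruning_timeout = 30 remains the floor, so it is bounded, but memory behaviour changes). `stream_tcp.max_pdu` has its upper bound cut from 65535 to 32768, so an existing configuration with max_pdu above 32768 will no longer validate; state that explicitly so operators know to lower it.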
Type: inspector
-Usage: global
+Usage: inspect
Configuration:
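Review bot: the Usage line flips from global to inspect for a module whose name sits outside the visible context; Usage determines which policy level the module's table is read from, so confirm the module definition in code and its placement in the shipped Lua defaults changed together, otherwise a config written against the old doc and one written against the new doc will put the table in different places.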
Configuration:
- * string soid.~: SO rule ID has <gid>|<sid> format, like 3|12345
+ * string soid.~: SO rule ID is unique key, eg <gid>_<sid>_<rev>
+ like 3_45678_9
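Review bot: changing the soid key from `<gid>|<sid>` to `<gid>_<sid>_<rev>` is an incompatible change for every existing SO rule: the old pipe form no longer matches, and because rev is now part of the key, bumping a rule's rev without updating its soid will orphan it. The same text is repeated in the options listing further down in this diff (the two copies agree), but the ChangeLog should carry a migration line.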
11.89. ssl_state
dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src |
eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type |
iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num
- | priority | proto | rev | rule | service | sid | src_addr |
- src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len |
- tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }
+ | priority | proto | rev | rule | seconds | service | sid |
+ src_addr | src_ap | src_port | target | tcp_ack | tcp_flags |
+ tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len |
+ vlan }
* int alert_csv.limit = 0: set maximum size in MB before rollover
(0 is unlimited) { 0: }
* string alert_csv.separator = , : separate fields with this
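Review bot: `seconds` is added to the field list here, in the alert_json list below, and again in the repeated module listings, with no help text saying what it carries; since `timestamp` is already a field, say whether seconds is an integer epoch count and whether it is packet time or system time, or users will pick one arbitrarily for correlation. Separately, the context line renders the separator default as `= , :`, which leaves it ambiguous whether the default contains whitespace; the generator should quote string defaults.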
dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src |
eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type |
iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num
- | priority | proto | rev | rule | service | sid | src_addr |
- src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len |
- tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }
+ | priority | proto | rev | rule | seconds | service | sid |
+ src_addr | src_ap | src_port | target | tcp_ack | tcp_flags |
+ tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len |
+ vlan }
* int alert_json.limit = 0: set maximum size in MB before rollover
(0 is unlimited) { 0: }
* string alert_json.separator = , : separate fields with this
information, excluding rules, to <out_file>. Meaningless if -i
provided
* -V Print the current Snort2Lua version
+ * --bind-wizard Add default wizard to bindings
* --conf-file Same as -c. A Snort <snort_conf> file which will be
converted
* --dont-parse-includes Same as -p. if <snort_conf> file contains
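Review bot: `--bind-wizard` says only "Add default wizard to bindings"; a converted config's bindings decide which inspector sees which flow and the binder matches in order, so the help should say where the wizard binding is placed relative to the port-based bindings snort2lua emits from the preprocessor config, and what happens when no bindings were generated at all.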
* Write comments sparingly with a mind towards future proofing.
Often the comments can be obviated with better code. Clear code
is better than a comment.
- * Heed Tim Ottinger’s Rule on Comments (https://disqus.com/by/
+ * Heed Tim Ottinger’s Rules on Comments (https://disqus.com/by/
tim_ottinger/):
1. Comments should only say what the code is incapable of
* -O obfuscate the logged IP addresses
* -? <option prefix> output matching command line option quick help
(same as --help-options) (optional)
+ * --parsing-follows-files parse relative paths from the perspective
+ of the current configuration file
* --pause wait for resume/quit command before processing packets/
terminating
* --pcap-dir <dir> a directory to recurse to look for pcaps - read
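Review bot: the help for `--parsing-follows-files` names the new behaviour but not the one it replaces; because include resolution decides which rule and config files actually load, say that without the flag relative paths resolve from the process working directory (if that is the case) and that absolute paths are unaffected either way. The same text is repeated in the options listing below, so fix the source string rather than one copy.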
dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src |
eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type |
iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num
- | priority | proto | rev | rule | service | sid | src_addr |
- src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len |
- tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }
+ | priority | proto | rev | rule | seconds | service | sid |
+ src_addr | src_ap | src_port | target | tcp_ack | tcp_flags |
+ tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len |
+ vlan }
* bool alert_csv.file = false: output to alert_csv.txt instead of
stdout
* int alert_csv.limit = 0: set maximum size in MB before rollover
dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src |
eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type |
iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num
- | priority | proto | rev | rule | service | sid | src_addr |
- src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len |
- tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }
+ | priority | proto | rev | rule | seconds | service | sid |
+ src_addr | src_ap | src_port | target | tcp_ack | tcp_flags |
+ tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len |
+ vlan }
* bool alert_json.file = false: output to alert_json.txt instead of
stdout
* int alert_json.limit = 0: set maximum size in MB before rollover
file type in file magic rule { 0: }
* string file_id.file_policy[].when.sha256: SHA 256
* string file_id.file_rules[].category: file type category
+ * string file_id.file_rules[].group: comma separated list of groups
+ associated with file type
* int file_id.file_rules[].id = 0: file type id { 0: }
* string file_id.file_rules[].magic[].content: file magic content
* int file_id.file_rules[].magic[].offset = 0: file magic offset {
data
* bool file_id.trace_type = false: enable runtime dump of type info
* int file_id.type_depth = 1460: stop type ID at this point { 0: }
+ * int file_id.verdict_delay = 0: number of queries to return final
+ verdict { 0: }
* bool file_log.log_pkt_time = true: log the packet time when event
generated
* bool file_log.log_sys_time = false: log the system time when
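Review bot: "number of queries to return final verdict" does not say what a query is or what verdict is returned before the count is reached. If this holds the final file verdict for the first N lookups (a knob for exercising pending-verdict handling), the help should say so, say what is returned meanwhile, and say that 0 disables it, because a nonzero value in production changes whether files are blocked.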
{ -1:65535 }
* int imap.uu_decode_depth = 1460: Unix-to-Unix decoding depth {
-1:65535 }
+ * int inspection.id = 0: correlate policy and events with other
+ items in configuration { 0:65535 }
+ * enum inspection.mode = inline-test: set policy mode { inline |
+ inline-test }
+ * string inspection.uuid: correlate events by uuid
* select ipopts.~opt: output format { rr|eol|nop|ts|sec|esec|lsrr|
lsrre|ssrr|satid|any }
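Review bot: the new inspection module defaults mode to inline-test and offers only inline | inline-test, while ips.mode a few lines down offers tap | inline | inline-test with no default shown; the two policy-mode enums should match or the doc should say why inspection has no tap. More importantly, inline-test drops nothing, so an inline-test default deserves an explicit warning in the help text for deployments that expect blocking. inspection.id is said to correlate "with other items in configuration" without naming which items; name them or the field is not usable from the doc.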
* string ip_proto.~proto: [!|>|<] name or number
* string ips.include: legacy snort rules and includes
* enum ips.mode: set policy mode { tap | inline | inline-test }
* string ips.rules: snort rules and includes
- * string ips.uuid: IPS policy uuid
+ * string ips.uuid = 00000000-0000-0000-0000-000000000000: IPS
+ policy uuid
* string isdataat.~length: num | !num
* implied isdataat.relative: offset from cursor instead of start of
buffer
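Review bot: documenting the nil UUID (all zeros) as the ips.uuid default is fine, but since ips.uuid and the new inspection.uuid both exist to correlate events, two policies left at the nil default are indistinguishable in the event stream; the help should say the value is expected to be set per policy whenever more than one policy is loaded.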
-1:65535 }
* int pop.uu_decode_depth = 1460: Unix-to-Unix decoding depth {
-1:65535 }
+ * bool port_scan.alert_all = false: alert on all events over
+ threshold within window if true; else alert on first only
* int port_scan.icmp_sweep.nets = 25: number of times address
changed from prior attempt { 0: }
* int port_scan.icmp_sweep.ports = 25: number of times port (or
* implied snort.-O: obfuscate the logged IP addresses
* string snort.-?: <option prefix> output matching command line
option quick help (same as --help-options) { (optional) }
+ * implied snort.--parsing-follows-files: parse relative paths from
+ the perspective of the current configuration file
* implied snort.--pause: wait for resume/quit command before
processing packets/terminating
* string snort.--pcap-dir: <dir> a directory to recurse to look for
as --max-packet-threads); 0 gets the number of CPU cores reported
by the system; default is 1 { 0: }
* string so.~func: name of eval function
- * string soid.~: SO rule ID has <gid>|<sid> format, like 3|12345
+ * string soid.~: SO rule ID is unique key, eg <gid>_<sid>_<rev>
+ like 3_45678_9
* int ssh.max_client_bytes = 19600: number of unanswered bytes
before alerting on challenge-response overflow or CRC32 { 0:65535
}
direction(s) { either|to_server|to_client|both }
* interval stream_size.~range: check if the stream size is in the
given range { 0: }
- * int stream.tcp_cache.idle_timeout = 180: maximum inactive time
+ * int stream.tcp_cache.idle_timeout = 3600: maximum inactive time
before retiring session tracker { 1: }
* int stream.tcp_cache.max_sessions = 262144: maximum simultaneous
sessions tracked before pruning { 2: }
* bool stream_tcp.ignore_any_rules = false: process tcp content
rules w/o ports only if rules with ports are present
* int stream_tcp.max_pdu = 16384: maximum reassembled PDU size {
- 1460:65535 }
+ 1460:32768 }
* int stream_tcp.max_window = 0: maximum allowed tcp window {
0:1073725440 }
* int stream_tcp.overlap_limit = 0: maximum number of allowed
* 116:472 (decode) too many protocols present
* 116:473 (decode) ether type out of range
* 116:474 (icmp6) ICMPv6 not encapsulated in IPv6
+ * 116:475 (ipv6) IPv6 mobility header includes an invalid value for
+ the payload protocol field
* 119:1 (http_inspect) ascii encoding
* 119:2 (http_inspect) double decoding attack
* 119:3 (http_inspect) u encoding
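Review bot: 116:475 fires on an invalid payload protocol in the IPv6 mobility header, but the message does not say what is expected. RFC 6275 specifies that the Mobility Header's Payload Proto SHOULD be IPPROTO_NONE (59), so wording along the lines of "payload protocol is not 59 (no next header)" lets an analyst judge the alert without opening the codec source.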
* id (ips_option): rule option to check the IP ID field
* igmp (codec): support for Internet group management protocol
* imap (inspector): imap inspection
+ * inspection (basic): configure basic inspection policy parameters
* ip_proto (ips_option): rule option to check the IP protocol
number
* ipopts (ips_option): rule option to check for IP options
* codec::arp: support for address resolution protocol
* codec::auth: support for IP authentication header
+ * codec::bad_proto: bad protocol id
* codec::ciscometadata: support for cisco metadata
* codec::eapol: support for extensible authentication protocol over
LAN
* codec::pbb: support for 802.1ah protocol
* codec::pflog: support for OpenBSD PF log (DLT 117)
* codec::pgm: support for pragmatic general multicast
- * codec::pim: support for protocol independent multicast
* codec::ppp: support for point-to-point encapsulation (DLT 9)
* codec::ppp_encap: support for point-to-point encapsulation
* codec::pppoe_disc: support for point-to-point discovery
* codec::raw4: support for unencapsulated IPv4 (DLT 12) (DLT 228)
* codec::raw6: support for unencapsulated IPv6 (DLT 229)
* codec::slip: support for slip protocol (DLT 8)
- * codec::sun_nd: support for Sun ND
- * codec::swipe: support for Swipe
* codec::tcp: support for transmission control protocol
* codec::teredo: support for teredo
* codec::token_ring: support for token ring decoding
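Review bot: pim, sun_nd and swipe disappear from the codec list while codec::bad_proto ("bad protocol id") appears above with no indication that it is where those three went; an operator searching the manual for the old names will conclude support was dropped. Expand the bad_proto description to list the protocol ids it now covers and note the removals in the ChangeLog.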