+20/02/21 - build 268
+
+-- appid: Adding support for appid detection on decrypted SSL sessions
+-- appid: Adding support for wildcard ports in static host port cache
+-- appid: clean up ENABLE_APPID_THIRD_PARTY from configure_cmake
+-- appid: cleanup terminology
+-- appid: delete odp context on exit
+-- appid: detect payload for http tunnel traffic
+-- appid: do not reload third party on reload_config
+-- appid: Don't mark HTTP session done if the ssl detector is still in progress
+-- appid: Fix array initialization on Appid
+-- appid: get rid of ENABLE_APPID_THIRD_PARTY flag
+-- appid: handle invalid uri in http tunnel traffic
+-- appid: load app mapping data to odp context
+-- appid: move dns, sip, ssl and http pattern matchers to odp context; move client discovery
+ manager to odp context
+-- appid: move odp config, host-port cache and length cache to a separate class OdpContext; remove
+ obsolete port detector code
+-- appid: reset tp packet counters each time we do reinspect
+-- appid: support third party reload when snort is running with single packet thread
+-- bufferlen: match on total length unless remaining is specified
+-- build: Clean up accumulated tabs and trailing whitespace in the code
+-- build: clean up non-hyperscan builds
+-- build: Fix more Clang 9 compiler warnings
+-- build: Remove some extraneous semicolons (compiler warnings)
+-- build: Rename parameters that shadow class members (compiler warnings)
+-- build: Updates across the board for stricter Clang const-casting warnings
+-- catch: Update to Catch v2.11.1
+-- cip: explicitly include sys/time.h header
+-- codecs: Use unions for checksum pseudoheaders
+-- content: add hyperscan content literal matching alternative to boyer-moore
+-- content: delete flawed hyper search test
+-- content: use hs_compile if hs_compile_lit is not available
+-- copyright: update year to 2020
+-- dce_tcp: fixup flow data handling
+-- detection: add config option to enable conversion of pcre expressions to use the regex engine
+-- detection: add hyperscan_literals option
+-- detection: add pcre_override to enable/disable pcre/O
+-- detection: signature evaluation looping based on literal contents only (exclude regex)
+-- doc: manual updates for HTTP/2
+-- doc: update documentation for lua whitelist
+-- doc: update reload_limitations.txt
+-- file_api: enable Active when there are reset rules in the file policy
+-- framework: introduce ScratchAllocator class to help with scratch memory management
+-- gtp_inspect: fix default port binding
+-- hash: refactor ghash implementation to convert it to an actual C++ class
+-- hash: refactor key compare function prototype and functions to return boolean
+-- hash: refactor to move common definitions into hash_defs.h
+-- hash: refactor xhash to be a real C++ class
+-- host_tracker: Check lock in a separate thread in unit-test
+-- host_tracker: make current_size atomic to save some locks
+-- host_tracker: Support host_cache reload with RRT when memcap changes
+-- http2_inspect: add transfer encoding chunked at end of decoded http1 header block
+-- http2_inspect: data frame http inspection walking skeleton first phase
+-- http2_inspect: fast pattern support
+-- http2_inspect: fix string decode error
+-- http2_inspect: frame data no longer in file_data
+-- http2_inspect: integration with NHI
+-- http2_inspect: support disabling detection for uninteresting HTTP/2 frames
+-- http2_inspect: support HPACK dynamic table size updates
+-- http_inspect: add http_param rule option
+-- http_inspect: gzip splitting beyond request_depth should use correct target size
+-- http_inspect: no duplicate built-in events for a flow
+-- http_inspect: patch H2I-related xtra data crash
+-- http_inspect: process multiple files simultaneously over HTTP/1.1
+-- http_inspect: refactoring
+-- http_inspect: update test tool to support the HTTP/2 macros and new insert command
+-- http_inspect: when detection is disabled, disable all rules not just content rules
+-- http_inspect/http2_inspect: H2I unified2 extra data logging
+-- hyperscan: convert thread locals to scan context
+-- inspectors: ensure correct lookup by type, name, or service
+-- inspectors: print label for type and alias in inspector manager. Remove printing module name in
+ inspectors ::show() method.
+-- ips: alert service rules check ports
+-- ips_pcre: compile/evaluate pcre rule option regular expressions with the hyperscan regex engine
+ when possible
+-- ips_pcre: support the O & R modifiers when converting pcre to regex
+-- ips: refactor rule parsing
+-- ips: remove dead code from rule parser
+-- ips: use service "file" instead of "user"
+-- loggers: update vlan logging in csv and json loggers
+-- lua: Added missing file magic pattern for FLIC
+-- lua: Added missing file magic pattern for IntelHEX
+-- lua: fix typo in default smtp's alt_max_command_line_len
+-- lua: update default lua files to whitelist the defined tables
+-- main: add verbose inspector output during reload
+-- main: make IPS actions (reject, react, replace) configurable per-IPS policy
+-- main: move config_lua to Shell::configure
+-- memory: Treating config value memory.cap as per thread instead of global
+-- metadata: add --metadata-filter to load matching rules only
+-- mime: support simultaneous file processing of MIME-encoded files over HTTP/1.1
+-- module_manager: add snort_whitelist_append and snort_whitelist_add_prefix FFIs
+-- normalizer: disable all normalizations by default except for tcp.ips
+-- packet_io: provide default reset action (bidirectional reset for TCP, ICMP unreachable for the
+ rest)
+-- packet_io: refactor Active and IPS Actions to start disentangling them
+-- parser: add service http2 to http rules
+-- parser: store local copy of service name
+-- pcre: ensure use of maximal ovector size and simplify logic
+-- port_scan: Supporting reload config when memcap changes
+-- protocols: provide direct access to the CiscoMetaData layer
+-- regex: convert thread locals to scan context
+-- reload: eliminate FatalError calls that can't happen because snort_calloc always returns valid
+ memory
+-- rna: use standard uint8_t type instead of u_int8_t
+-- search_engine: trivial reformatting
+-- smtp: update defaults to better align with Snort 2
+-- snort2lua: conversion of path containing variables
+-- snort: add new warn flag warn-conf-strict that will throw out warning when table is not found
+-- snort: Adding some verbose logs for appid, file_id, and reputation inspectors
+-- stream_tcp: ensure that flows with mss and timestamps are picked up on syn
+-- tweaks: set reasonable stream_ip.min_fragment_length values
+-- tweaks: update per new normalizer defaults
+-- tweaks: update policy configs to better align with Snort 2
+
19/12/20 - build 267
-- appid: Adding command for third-party reload
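Review bot: the changelog omits several user-visible changes that the manual hunks further down record, so an operator reading only this file will miss them: http_inspect.iis_double_decode and http_inspect.backslash_to_slash both flip from false to true, perf_monitor.flow_ip_memcap's lower bound drops from 8200 to 236, attribute_table.max_metadata_services rises from 8 to 9, and the host_cache peg counters are renamed (lru_cache_adds becomes adds, lru_cache_prunes is split into alloc_prunes and reload_prunes, and so on). Since "smtp: update defaults to better align with Snort 2" and "normalizer: disable all normalizations by default except for tcp.ips" are listed, add matching one-line entries under http_inspect and host_tracker; the peg rename in particular breaks anything that collects those counters by name. "appid: Fix array initialization on Appid" also says nothing about what was wrong, so a reader cannot tell whether it was a correctness or a memory-safety fix.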
<div class="literalblock">\r
<div class="content">\r
<pre><code> ,,_ -*> Snort++ <*-\r
-o" )~ Version 3.0.0 (Build 267)\r
+o" )~ Version 3.0.0 (Build 268)\r
'''' By Martin Roesch & The Snort Team\r
http://snort.org/contact#team\r
- Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.\r
+ Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.\r
Copyright (C) 1998-2013 Sourcefire, Inc., et al.</code></pre>\r
</div></div>\r
<div id="toc">\r
</div></div>\r
</div>\r
<div class="sect3">\r
+<h4 id="_whitelist">Whitelist</h4>\r
+<div class="paragraph"><p>When Snort is run with the --warn-conf-strict option, warnings will be\r
+generated for all Lua tables present in the configuration files that do\r
+not map to Snort module names. Like with other warnings, these will\r
+upgraded to errors when Snort is run in pedantic mode.</p></div>\r
+<div class="paragraph"><p>To dynamically add exceptions that should bypass this strict validation,\r
+two Lua functions are made available to be called during the evaluation\r
+of Snort configuration files: snort_whitelist_append() and\r
+snort_whitelist_add_prefix(). Each function takes a whitespace-delimited\r
+list, the former a list of exact table names and the latter a list of table\r
+name prefixes to allow.</p></div>\r
+<div class="paragraph"><p>Examples:\r
+snort_whitelist_append("table1 table2")\r
+snort_whitelist_add_prefix("local_ foobar_")</p></div>\r
+<div class="paragraph"><p>The accumulated contents of the whitelist (both exact and prefix) will be\r
+dumped when Snort is run in verbose mode (-v).</p></div>\r
+</div>\r
+<div class="sect3">\r
<h4 id="_rules">Rules</h4>\r
<div class="paragraph"><p>Rules determine what Snort is looking for. They can be put directly in\r
your Lua configuration file with the ips module, on the command line with\r
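Review bot: "these will upgraded to errors" in the first paragraph is missing "be". Substantively, the section should say what an unrecognized table means for detection: a misspelled module table is simply not applied, so every setting inside it silently never takes effect, and that is the reason to recommend --warn-conf-strict (or pedantic mode) rather than only describe it. snort_whitelist_add_prefix also deserves a caveat: a short prefix such as "local_" in the example suppresses the check for every table that starts with it, so prefixes should be as specific as possible, and the -v dump mentioned in the last paragraph is how to audit what ended up whitelisted after all configuration files were evaluated.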
percent_u = false\r
utf8_bare_byte = false\r
iis_unicode = false\r
-iis_double_decode = false</code></pre>\r
+iis_double_decode = true</code></pre>\r
</div></div>\r
<div class="paragraph"><p>The HTTP inspector normalizes percent encodings found in URIs. For instance\r
it will convert "%48%69%64%64%65%6e" to "Hidden". All the options listed\r
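Review bot: flipping iis_double_decode to true in the tutorial block changes the normalized URI for every server, not only IIS, and the unchanged paragraph after the block ("The HTTP inspector normalizes percent encodings...") does not mention that this is now the default or why. Double decoding is named for IIS because that server decodes twice; for a server that decodes once, a request for "%2541" (an encoded "%41") now normalizes to "A" in http_uri while the application sees "%41". Say so, and tell rule authors that http_uri content should be written against double-decoded text unless the option is turned off for non-IIS targets.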
<div class="literalblock">\r
<div class="content">\r
<pre><code>simplify_path = true\r
-backslash_to_slash = false</code></pre>\r
+backslash_to_slash = true</code></pre>\r
</div></div>\r
<div class="paragraph"><p>HTTP inspector simplifies directory paths in URIs by eliminating extra\r
traversals using ., .., and /.</p></div>\r
<div class="content">\r
<pre><code>\this\is\the\other\way\to\write\a\path</code></pre>\r
</div></div>\r
-<div class="paragraph"><p>backslash_to_slash is turned off by default. If you are protecting such a\r
-server then set backslash_to_slash = true and all the backslashes will be\r
-replaced with slashes during normalization.</p></div>\r
+<div class="paragraph"><p>backslash_to_slash is turned on by default. It replaces all the backslashes\r
+with slashes during normalization.</p></div>\r
</div>\r
</div>\r
<div class="sect3">\r
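Review bot: the rewritten paragraph drops the advice from the removed lines that the setting should match the server being protected and keeps only the mechanism. Keep a sentence such as "If the servers you protect treat a backslash as an ordinary character, set backslash_to_slash = false so the normalized URI matches what the application sees"; with the new default on, a rule on http_uri for a literal "\..\" never matches, and a server that does not treat backslash as a separator is normalized as though it did. The preceding paragraph (unchanged) explains simplify_path, so also state whether the backslash conversion happens before path simplification, since that determines whether "\..\" traversals are collapsed.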
</div></div>\r
<div class="paragraph"><p>Frame type 0 is DATA which carries the HTTP message body. This rule will\r
search for MaLwArE inside an HTTP message body.</p></div>\r
+<div class="paragraph"><p>To smooth the transition to inspecting HTTP/2, rules that specify\r
+service:http will be treated as if they also specify service:http2.\r
+Thus:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>alert tcp any any -> any any (flow:established, to_server;\r
+http_uri; content:"/foo";\r
+service: http; sid:10; rev:1;)</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>is understood to mean:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>alert tcp any any -> any any (flow:established, to_server;\r
+http_uri; content:"/foo";\r
+service: http,http2; sid:10; rev:1;)</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Thus it will alert on "/foo" in the URI for both HTTP/1 and HTTP/2 traffic.</p></div>\r
+<div class="paragraph"><p>The reverse is not true. "service: http2" without http will match on HTTP/2\r
+flows but not HTTP/1 flows.</p></div>\r
+<div class="paragraph"><p>This feature makes it easy to add HTTP/2 inspection without modifying\r
+large numbers of existing rules. New rules should explicitly specify\r
+"service http,http2;" if that is the desired behavior. Eventually\r
+support for http implies http2 may be deprecated and removed.</p></div>\r
<div class="paragraph"><p>In the future, http2_inspect will support HPACK header decompression and\r
be fully integrated with http_inspect to provide full inspection of the\r
individual HTTP/1.1 streams.</p></div>\r
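Review bot: the rule option is written two ways in the new text, "service: http;" and "service: http,http2;" in the two examples but "service http,http2;" in the last paragraph; pick one form. The unchanged closing paragraph, "In the future, http2_inspect will support HPACK header decompression and be fully integrated with http_inspect", now sits directly under text about http_inspect rules matching HTTP/2 traffic and next to a new event 121:14 for the HPACK dynamic table and changelog entries "support HPACK dynamic table size updates" and "integration with NHI", so it reads as stale; rewrite it to describe what actually remains unsupported. Worth stating explicitly as well: the implicit http2 service applies to existing rule files without any change on the user's side (the changelog entry "parser: add service http2 to http rules" implies this), which silently widens what every http rule inspects after an upgrade, and whether the implied service counts against attribute_table.max_metadata_services, whose default rises from 8 to 9 in the next hunk, which suggests it does.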
</li>\r
<li>\r
<p>\r
-int <strong>attribute_table.max_metadata_services</strong> = 8: maximum number of services in rule { 1:255 }\r
+int <strong>attribute_table.max_metadata_services</strong> = 9: maximum number of services in rule { 1:255 }\r
</p>\r
</li>\r
</ul></div>\r
</li>\r
<li>\r
<p>\r
+bool <strong>detection.hyperscan_literals</strong> = false: use hyperscan for content literal searches instead of boyer-moore\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>detection.offload_limit</strong> = 99999: minimum sizeof PDU to offload fast pattern search (defaults to disabled) { 0:max32 }\r
</p>\r
</li>\r
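Review bot: "use hyperscan for content literal searches instead of boyer-moore" should say what happens on a build without hyperscan (the changelog has "build: clean up non-hyperscan builds" and "content: use hs_compile if hs_compile_lit is not available"): is hyperscan_literals = true rejected, ignored with a warning, or silently treated as false? The changelog also records "content: delete flawed hyper search test", so the option lands with less test coverage than before; the description should at least state that results are required to be identical to boyer-moore, including for nocase and for patterns containing bytes above 0x7f, since a matcher swap that changes which rules fire is a detection regression, not a performance option.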
</li>\r
<li>\r
<p>\r
-bool <strong>detection.pcre_enable</strong> = true: disable pcre pattern matching\r
+bool <strong>detection.pcre_enable</strong> = true: enable pcre pattern matching\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>detection.pcre_override</strong> = true: enable pcre match limit overrides when pattern matching (ie ignore /O)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>detection.pcre_to_regex</strong> = false: enable the use of regex instead of pcre for compatible expressions\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
bool <strong>detection.enable_address_anomaly_checks</strong> = false: enable check and alerting of address anomalies\r
</p>\r
</li>\r
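Review bot: the pcre_override description "enable pcre match limit overrides when pattern matching (ie ignore /O)" contradicts itself; "enable ... overrides" reads as the rule's O modifier being honoured, while "ignore /O" says the opposite, and the changelog entry "detection: add pcre_override to enable/disable pcre/O" does not settle it. pcre match limits bound the backtracking work a single rule may do, so the reader must know which value lets a rule lift that bound; suggest wording of the form "true: honour the O modifier, allowing a rule to exceed the configured match limits; false: ignore O and enforce the limits for every rule" (or the reverse, whichever is implemented). For pcre_to_regex, define "compatible expressions" and say whether match limits and the O modifier still apply once an expression is converted; the changelog entry "support the O & R modifiers when converting pcre to regex" implies they are handled, and this is the place to say how.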
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>host_cache.lru_cache_adds</strong>: lru cache added new entry (sum)\r
+<strong>host_cache.adds</strong>: lru cache added new entry (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>host_cache.alloc_prunes</strong>: lru cache pruned entry to make space for new entry (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>host_cache.lru_cache_prunes</strong>: lru cache pruned entry to make space for new entry (sum)\r
+<strong>host_cache.find_hits</strong>: lru cache found entry in cache (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>host_cache.lru_cache_find_hits</strong>: lru cache found entry in cache (sum)\r
+<strong>host_cache.find_misses</strong>: lru cache did not find entry in cache (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>host_cache.lru_cache_find_misses</strong>: lru cache did not find entry in cache (sum)\r
+<strong>host_cache.reload_prunes</strong>: lru cache pruned entry for lower memcap during reload (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>host_cache.lru_cache_removes</strong>: lru cache found entry and removed it (sum)\r
+<strong>host_cache.removes</strong>: lru cache found entry and removed it (sum)\r
</p>\r
</li>\r
</ul></div>\r
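Review bot: the diff interleaves the renames so it is hard to see that lru_cache_prunes was split into two counters (alloc_prunes for memcap pressure, reload_prunes for a memcap lowered at reload) while the others only lost the lru_cache_ prefix; a sentence above the list saying that would help. The rename is a breaking change for anyone collecting these pegs by name, so it belongs in the changelog and in reload_limitations.txt (the changelog has "doc: update reload_limitations.txt" but no host_cache rename entry). reload_prunes is the counter to watch after lowering host_cache memcap: a nonzero value means tracked hosts were discarded, which affects anything keyed on host state.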
</li>\r
<li>\r
<p>\r
+string <strong>snort.--metadata-filter</strong>: <filter> load only rules containing filter string in metadata if set\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>snort.--nostamps</strong>: don’t include timestamps in log file names\r
</p>\r
</li>\r
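Review bot: "load only rules containing filter string in metadata if set" does not say how the filter is matched: a substring anywhere in the metadata text, a whole comma-separated item, or a key value pair, and whether the comparison is case sensitive. The metadata option's description in this same diff becomes "comma-separated name, value data", so state whether the filter is compared against one item or the whole string, for example whether a filter naming only a key matches an item that has that key and a value, and whether rules with no metadata at all are dropped. Because this flag decides which rules are loaded, a silent non-match means no detection from those rules; a -v summary of how many rules the filter excluded would make that visible.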
</li>\r
<li>\r
<p>\r
+implied <strong>snort.--warn-conf-strict</strong>: warn about unrecognized elements in configuration files\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>snort.--warn-daq</strong>: warn about DAQ issues, usually related to mode\r
</p>\r
</li>\r
<strong>121:12</strong> (http2_inspect) unknown parameter in HTTP/2 settings frame\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+<strong>121:13</strong> (http2_inspect) invalid HTTP/2 frame sequence\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>121:14</strong> (http2_inspect) HTTP/2 dynamic table size limit exceeded\r
+</p>\r
+</li>\r
</ul></div>\r
<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
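Review bot: 121:14 "HTTP/2 dynamic table size limit exceeded" and the new peg http2_inspect.max_table_entries in the next hunk imply a configured limit, but no http2_inspect parameter for it appears in this diff; say whether the limit is the peer-advertised SETTINGS_HEADER_TABLE_SIZE (the HPACK dynamic table size update the changelog mentions) or a fixed internal cap, since the former is a protocol violation by the sender and the latter is an inspector resource limit, and a rule author tuning this event needs to know which. 121:13 "invalid HTTP/2 frame sequence" would benefit from one named example, such as a CONTINUATION frame with no preceding HEADERS.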
<strong>http2_inspect.max_concurrent_sessions</strong>: maximum concurrent HTTP/2 sessions (max)\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+<strong>http2_inspect.max_table_entries</strong>: maximum entries in an HTTP/2 dynamic table (max)\r
+</p>\r
+</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.iis_double_decode</strong> = false: perform double decoding of percent encodings to normalize characters\r
+bool <strong>http_inspect.iis_double_decode</strong> = true: perform double decoding of percent encodings to normalize characters\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.backslash_to_slash</strong> = false: replace \ with / when normalizing URIs\r
+bool <strong>http_inspect.backslash_to_slash</strong> = true: replace \ with / when normalizing URIs\r
</p>\r
</li>\r
<li>\r
<strong>119:248</strong> (http_inspect) gzip compressed data followed by unexpected non-gzip data\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+<strong>119:249</strong> (http_inspect) excessive HTTP parameter key repeats\r
+</p>\r
+</li>\r
</ul></div>\r
<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
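Review bot: 119:249 "excessive HTTP parameter key repeats" and the peg http_inspect.excess_parameters "repeat parameters exceeding max" in the next hunk both refer to a maximum, but this diff adds no http_inspect parameter that sets it; document the limit and whether it is configurable, because it bounds what the new http_param option (also added in this diff) can see: once the cap is reached, later occurrences of a repeated key are presumably not indexed, and a rule using http_param on that key would not match them. Repeated keys are the standard parameter-pollution technique, so state next to this event which occurrence http_param returns when a key repeats (first, last, or each in turn).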
<strong>http_inspect.partial_inspections</strong>: pre-inspections for detained inspection (sum)\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+<strong>http_inspect.excess_parameters</strong>: repeat parameters exceeding max (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>http_inspect.parameters</strong>: HTTP parameters inspected (sum)\r
+</p>\r
+</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>normalizer.ip4.base</strong> = true: clear options\r
+bool <strong>normalizer.ip4.base</strong> = false: clear options\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.base</strong> = true: clear reserved bits and option padding and fix urgent pointer / flags issues\r
+bool <strong>normalizer.tcp.base</strong> = false: clear reserved bits and option padding and fix urgent pointer / flags issues\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.block</strong> = true: allow packet drops during TCP normalization\r
+bool <strong>normalizer.tcp.block</strong> = false: allow packet drops during TCP normalization\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.urp</strong> = true: adjust urgent pointer if beyond segment length\r
+bool <strong>normalizer.tcp.urp</strong> = false: adjust urgent pointer if beyond segment length\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.pad</strong> = true: clear any option padding bytes\r
+bool <strong>normalizer.tcp.pad</strong> = false: clear any option padding bytes\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.opts</strong> = true: clear all options except mss, wscale, timestamp, and any explicitly allowed\r
+bool <strong>normalizer.tcp.opts</strong> = false: clear all options except mss, wscale, timestamp, and any explicitly allowed\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.req_urg</strong> = true: clear the urgent pointer if the urgent flag is not set\r
+bool <strong>normalizer.tcp.req_urg</strong> = false: clear the urgent pointer if the urgent flag is not set\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.req_pay</strong> = true: clear the urgent pointer and the urgent flag if there is no payload\r
+bool <strong>normalizer.tcp.req_pay</strong> = false: clear the urgent pointer and the urgent flag if there is no payload\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.rsv</strong> = true: clear the reserved bits in the TCP header\r
+bool <strong>normalizer.tcp.rsv</strong> = false: clear the reserved bits in the TCP header\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.req_urp</strong> = true: clear the urgent flag if the urgent pointer is not set\r
+bool <strong>normalizer.tcp.req_urp</strong> = false: clear the urgent flag if the urgent pointer is not set\r
</p>\r
</li>\r
<li>\r
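Review bot: every normalization in this list flips to false without the text saying so in one place; per the changelog ("normalizer: disable all normalizations by default except for tcp.ips"), tcp.ips is the only one left on and it is not in this hunk. Add a sentence at the top of the normalizer section stating the new defaults and that an inline deployment which relied on the old ones must now enable them explicitly, for example normalizer = { ip4 = { base = true }, tcp = { base = true, block = true } } (illustrative), because these options are the defence against TCP/IP level evasions (reserved bits, option padding, urgent pointer tricks) and their loss after an upgrade is silent. normalizer.tcp.block = false also means the normalizer no longer drops segments it cannot fix; say what happens to such segments instead. The changelog entry "tweaks: update per new normalizer defaults" suggests the shipped tweak files compensate; if so, name which ones re-enable these.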
</li>\r
<li>\r
<p>\r
-int <strong>perf_monitor.flow_ip_memcap</strong> = 52428800: maximum memory in bytes for flow tracking { 8200:maxSZ }\r
+int <strong>perf_monitor.flow_ip_memcap</strong> = 52428800: maximum memory in bytes for flow tracking { 236:maxSZ }\r
</p>\r
</li>\r
<li>\r
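Review bot: lowering the floor of flow_ip_memcap from 8200 to 236 with no explanation leaves a magic number in the manual (a single tracker entry, presumably); say what one entry costs so operators can size the cap, and note that a cap near the floor means only a handful of flows before pruning starts (the unchanged peg perf_monitor.alloc_prunes, "flows pruned on allocation of IP flows", appears further down). If 236 is derived from a struct size it will drift with every layout change, so reference the code constant rather than the literal value in prose.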
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>port_scan.packets</strong>: total packets (sum)\r
+<strong>port_scan.packets</strong>: number of packets processed by port scan (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>port_scan.trackers</strong>: number of trackers allocated by port scan (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>port_scan.alloc_prunes</strong>: number of trackers pruned on allocation of new tracking (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>port_scan.reload_prunes</strong>: number of trackers pruned on reload due to reduced memcap (sum)\r
</p>\r
</li>\r
</ul></div>\r
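Review bot: reload_prunes "number of trackers pruned on reload due to reduced memcap" is the operationally important counter here, because a tracker holds the state of a scan in progress and pruning it discards what is needed to raise 122:1 and the other port_scan events; the port_scan section should say that lowering memcap at reload can suppress detection of scans already under way. alloc_prunes carries the same name and meaning as host_cache.alloc_prunes in the earlier hunk, which is good; keep the two descriptions parallel ("trackers pruned on allocation" versus "entry pruned to make space").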
</li>\r
<li>\r
<p>\r
-int <strong>smtp.max_command_line_len</strong> = 0: max Command Line Length { 0:65535 }\r
+int <strong>smtp.max_command_line_len</strong> = 512: max Command Line Length { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.max_header_line_len</strong> = 0: max SMTP DATA header line { 0:65535 }\r
+int <strong>smtp.max_header_line_len</strong> = 1000: max SMTP DATA header line { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.max_response_line_len</strong> = 0: max SMTP response line { 0:65535 }\r
+int <strong>smtp.max_response_line_len</strong> = 512: max SMTP response line { 0:65535 }\r
</p>\r
</li>\r
<li>\r
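Review bot: the new defaults 512/1000/512 match the protocol limits and the doc should say so, or operators will read 512 as arbitrary and raise it: RFC 5321 sections 4.5.3.1.4 and 4.5.3.1.5 give 512 octets including CRLF for command and reply lines, and RFC 5322 section 2.1.1 gives 998 characters plus CRLF for a header line, hence 1000. The range still admits 0 and the old default was 0; state whether 0 still means "no limit" and which event fires when a line exceeds the limit, since an overlong command line is the canonical SMTP buffer-overflow probe and the reason Snort 2 alerted on it.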
<div class="ulist"><ul>\r
<li>\r
<p>\r
-interval <strong>bufferlen.~range</strong>: check that length of current buffer is in given range { 0:65535 }\r
+interval <strong>bufferlen.~range</strong>: check that total length of current buffer is in given range { 0:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>bufferlen.relative</strong>: use remaining length (from current position) instead of total length\r
</p>\r
</li>\r
</ul></div>\r
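Review bot: changing ~range from "length of current buffer" to "total length" is a semantic change to an existing option, and the text should say what existing rules experience: a bufferlen placed after a cursor-moving option previously evaluated some other length (the changelog entry "bufferlen: match on total length unless remaining is specified" implies it was the remaining length) and now needs "relative" to keep that behaviour. The changelog calls the modifier "remaining" while the option here is "relative"; reconcile the two. A one-line example of each form would stop rule authors from silently getting a different match after upgrading.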
</ul></div>\r
</div>\r
<div class="sect2">\r
+<h3 id="_http_param">http_param</h3>\r
+<div class="paragraph"><p>What: rule option to set the detection cursor to the value of the specified HTTP parameter key which may be in the query or body</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+string <strong>http_param.~param</strong>: parameter to match\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>http_param.nocase</strong>: case insensitive match\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
<h3 id="_http_raw_body_2">http_raw_body</h3>\r
<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized message body</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
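Review bot: "the value of the specified HTTP parameter key which may be in the query or body" leaves the questions a rule author needs answered: what counts as a parameter in a body (only form-urlencoded content, or multipart as well), whether the value placed under the cursor is percent-decoded and has "+" turned into a space, whether nocase applies to the key only or also to the value, and what happens when the key repeats (the new event 119:249 "excessive HTTP parameter key repeats" shows the inspector tracks repeats, and an attacker who sends a key twice is betting that the detector and the application pick different occurrences). A short example pairing http_param with a following content match would show the intended usage.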
</div>\r
<div class="sect2">\r
<h3 id="_metadata">metadata</h3>\r
-<div class="paragraph"><p>What: rule option for conveying arbitrary name, value data within the rule text</p></div>\r
+<div class="paragraph"><p>What: rule option for conveying arbitrary comma-separated name, value data within the rule text</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
</p>\r
</li>\r
</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+<strong>pcre.pcre_rules</strong>: total rules processed with pcre option (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>pcre.pcre_to_hyper</strong>: total pcre rules by hyperscan engine (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>pcre.pcre_native</strong>: total pcre rules compiled by pcre engine (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>pcre.pcre_negated</strong>: total pcre rules using negation syntax (sum)\r
+</p>\r
+</li>\r
+</ul></div>\r
</div>\r
<div class="sect2">\r
<h3 id="_pkt_data">pkt_data</h3>\r
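Review bot: "total pcre rules by hyperscan engine" is missing a verb; "compiled by the hyperscan engine" matches the pcre_native wording. These counters are the way to check that detection.pcre_to_regex did anything, so that option's description should point here: after a configuration load, a pcre_to_hyper of 0 with pcre_to_regex = true means no expression was judged compatible, and the text should say whether pcre_to_hyper and pcre_native are expected to sum to pcre_rules. pcre_negated also needs a sentence on why it is counted separately, presumably because negated expressions are excluded from conversion.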
</li>\r
<li>\r
<p>\r
+<strong>--metadata-filter</strong> <filter> load only rules containing filter string in metadata if set\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>--nostamps</strong> don’t include timestamps in log file names\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>--warn-conf-strict</strong> warn about unrecognized elements in configuration files\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>--warn-daq</strong> warn about DAQ issues, usually related to mode\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>attribute_table.max_metadata_services</strong> = 8: maximum number of services in rule { 1:255 }\r
+int <strong>attribute_table.max_metadata_services</strong> = 9: maximum number of services in rule { 1:255 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-interval <strong>bufferlen.~range</strong>: check that length of current buffer is in given range { 0:65535 }\r
+interval <strong>bufferlen.~range</strong>: check that total length of current buffer is in given range { 0:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>bufferlen.relative</strong>: use remaining length (from current position) instead of total length\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>detection.hyperscan_literals</strong> = false: use hyperscan for content literal searches instead of boyer-moore\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>detection.offload_limit</strong> = 99999: minimum sizeof PDU to offload fast pattern search (defaults to disabled) { 0:max32 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>detection.pcre_enable</strong> = true: disable pcre pattern matching\r
+bool <strong>detection.pcre_enable</strong> = true: enable pcre pattern matching\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>detection.pcre_override</strong> = true: enable pcre match limit overrides when pattern matching (ie ignore /O)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>detection.pcre_to_regex</strong> = false: enable the use of regex instead of pcre for compatible expressions\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>detection.trace</strong>: mask for enabling debug traces in module { 0:max53 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.backslash_to_slash</strong> = false: replace \ with / when normalizing URIs\r
+bool <strong>http_inspect.backslash_to_slash</strong> = true: replace \ with / when normalizing URIs\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.iis_double_decode</strong> = false: perform double decoding of percent encodings to normalize characters\r
+bool <strong>http_inspect.iis_double_decode</strong> = true: perform double decoding of percent encodings to normalize characters\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+implied <strong>http_param.nocase</strong>: case insensitive match\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>http_param.~param</strong>: parameter to match\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>http_raw_cookie.request</strong>: match against the cookie from the request message even when examining the response\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.ip4.base</strong> = true: clear options\r
+bool <strong>normalizer.ip4.base</strong> = false: clear options\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.base</strong> = true: clear reserved bits and option padding and fix urgent pointer / flags issues\r
+bool <strong>normalizer.tcp.base</strong> = false: clear reserved bits and option padding and fix urgent pointer / flags issues\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.block</strong> = true: allow packet drops during TCP normalization\r
+bool <strong>normalizer.tcp.block</strong> = false: allow packet drops during TCP normalization\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.opts</strong> = true: clear all options except mss, wscale, timestamp, and any explicitly allowed\r
+bool <strong>normalizer.tcp.opts</strong> = false: clear all options except mss, wscale, timestamp, and any explicitly allowed\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.pad</strong> = true: clear any option padding bytes\r
+bool <strong>normalizer.tcp.pad</strong> = false: clear any option padding bytes\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.req_pay</strong> = true: clear the urgent pointer and the urgent flag if there is no payload\r
+bool <strong>normalizer.tcp.req_pay</strong> = false: clear the urgent pointer and the urgent flag if there is no payload\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.req_urg</strong> = true: clear the urgent pointer if the urgent flag is not set\r
+bool <strong>normalizer.tcp.req_urg</strong> = false: clear the urgent pointer if the urgent flag is not set\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.req_urp</strong> = true: clear the urgent flag if the urgent pointer is not set\r
+bool <strong>normalizer.tcp.req_urp</strong> = false: clear the urgent flag if the urgent pointer is not set\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.rsv</strong> = true: clear the reserved bits in the TCP header\r
+bool <strong>normalizer.tcp.rsv</strong> = false: clear the reserved bits in the TCP header\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.urp</strong> = true: adjust urgent pointer if beyond segment length\r
+bool <strong>normalizer.tcp.urp</strong> = false: adjust urgent pointer if beyond segment length\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>perf_monitor.flow_ip_memcap</strong> = 52428800: maximum memory in bytes for flow tracking { 8200:maxSZ }\r
+int <strong>perf_monitor.flow_ip_memcap</strong> = 52428800: maximum memory in bytes for flow tracking { 236:maxSZ }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.max_command_line_len</strong> = 0: max Command Line Length { 0:65535 }\r
+int <strong>smtp.max_command_line_len</strong> = 512: max Command Line Length { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.max_header_line_len</strong> = 0: max SMTP DATA header line { 0:65535 }\r
+int <strong>smtp.max_header_line_len</strong> = 1000: max SMTP DATA header line { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.max_response_line_len</strong> = 0: max SMTP response line { 0:65535 }\r
+int <strong>smtp.max_response_line_len</strong> = 512: max SMTP response line { 0:65535 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+string <strong>snort.--metadata-filter</strong>: <filter> load only rules containing filter string in metadata if set\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>snort.-M</strong>: log messages to syslog (not alerts)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+implied <strong>snort.--warn-conf-strict</strong>: warn about unrecognized elements in configuration files\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>snort.--warn-conf</strong>: warn about configuration issues\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>host_cache.lru_cache_adds</strong>: lru cache added new entry (sum)\r
+<strong>host_cache.adds</strong>: lru cache added new entry (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>host_cache.alloc_prunes</strong>: lru cache pruned entry to make space for new entry (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>host_cache.lru_cache_find_hits</strong>: lru cache found entry in cache (sum)\r
+<strong>host_cache.find_hits</strong>: lru cache found entry in cache (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>host_cache.lru_cache_find_misses</strong>: lru cache did not find entry in cache (sum)\r
+<strong>host_cache.find_misses</strong>: lru cache did not find entry in cache (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>host_cache.lru_cache_prunes</strong>: lru cache pruned entry to make space for new entry (sum)\r
+<strong>host_cache.reload_prunes</strong>: lru cache pruned entry for lower memcap during reload (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>host_cache.lru_cache_removes</strong>: lru cache found entry and removed it (sum)\r
+<strong>host_cache.removes</strong>: lru cache found entry and removed it (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>http2_inspect.max_table_entries</strong>: maximum entries in an HTTP/2 dynamic table (max)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>http_inspect.chunked</strong>: chunked message bodies (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>http_inspect.excess_parameters</strong>: repeat parameters exceeding max (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>http_inspect.flows</strong>: HTTP connections inspected (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>http_inspect.parameters</strong>: HTTP parameters inspected (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>http_inspect.partial_inspections</strong>: pre-inspections for detained inspection (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>pcre.pcre_native</strong>: total pcre rules compiled by pcre engine (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>pcre.pcre_negated</strong>: total pcre rules using negation syntax (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>pcre.pcre_rules</strong>: total rules processed with pcre option (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>pcre.pcre_to_hyper</strong>: total pcre rules by hyperscan engine (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>perf_monitor.alloc_prunes</strong>: flows pruned on allocation of IP flows (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>port_scan.packets</strong>: total packets (sum)\r
+<strong>port_scan.alloc_prunes</strong>: number of trackers pruned on allocation of new tracking (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>port_scan.packets</strong>: number of packets processed by port scan (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>port_scan.reload_prunes</strong>: number of trackers pruned on reload due to reduced memcap (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>port_scan.trackers</strong>: number of trackers allocated by port scan (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>119:249</strong> (http_inspect) excessive HTTP parameter key repeats\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>121:1</strong> (http2_inspect) error in HPACK integer value\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>121:13</strong> (http2_inspect) invalid HTTP/2 frame sequence\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>121:14</strong> (http2_inspect) HTTP/2 dynamic table size limit exceeded\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>122:1</strong> (port_scan) TCP portscan\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>http_param</strong> (ips_option): rule option to set the detection cursor to the value of the specified HTTP parameter key which may be in the query or body\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>http_raw_body</strong> (ips_option): rule option to set the detection cursor to the unnormalized message body\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>hyperscan</strong> (search_engine): intel hyperscan-based mpse with regex support\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>icmp4</strong> (codec): support for Internet control message protocol v4\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>metadata</strong> (ips_option): rule option for conveying arbitrary name, value data within the rule text\r
+<strong>metadata</strong> (ips_option): rule option for conveying arbitrary comma-separated name, value data within the rule text\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>ips_option::http_param</strong>: rule option to set the detection cursor to the value of the specified HTTP parameter key which may be in the query or body\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>ips_option::http_raw_body</strong>: rule option to set the detection cursor to the unnormalized message body\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>ips_option::metadata</strong>: rule option for conveying arbitrary name, value data within the rule text\r
+<strong>ips_option::metadata</strong>: rule option for conveying arbitrary comma-separated name, value data within the rule text\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-daq.no_promisc\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
detection.asn1\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-port_scan.memcap\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
process.chroot\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-stream.footprint\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-stream.ip_cache.max_sessions\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-stream.ip_cache.pruning_timeout\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-stream.ip_cache.idle_timeout\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-stream.icmp_cache.max_sessions\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-stream.icmp_cache.pruning_timeout\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-stream.icmp_cache.idle_timeout\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-stream.tcp_cache.max_sessions\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-stream.tcp_cache.pruning_timeout\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-stream.tcp_cache.idle_timeout\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-stream.udp_cache.max_sessions\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-stream.udp_cache.pruning_timeout\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-stream.udp_cache.idle_timeout\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-stream.user_cache.max_sessions\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-stream.user_cache.pruning_timeout\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-stream.user_cache.idle_timeout\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-stream.file_cache.max_sessions\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-stream.file_cache.pruning_timeout\r
+snort.--bpf\r
</p>\r
</li>\r
<li>\r
<p>\r
-stream.file_cache.idle_timeout\r
+snort.-l\r
</p>\r
</li>\r
</ul></div>\r
<div id="footer">\r
<div id="footer-text">\r
Last updated\r
- 2019-12-20 13:13:48 EST\r
+ 2020-02-21 11:32:57 EST\r
</div>\r
</div>\r
</body>\r
11.51. http_cookie
11.52. http_header
11.53. http_method
- 11.54. http_raw_body
- 11.55. http_raw_cookie
- 11.56. http_raw_header
- 11.57. http_raw_request
- 11.58. http_raw_status
- 11.59. http_raw_trailer
- 11.60. http_raw_uri
- 11.61. http_stat_code
- 11.62. http_stat_msg
- 11.63. http_trailer
- 11.64. http_true_ip
- 11.65. http_uri
- 11.66. http_version
- 11.67. icmp_id
- 11.68. icmp_seq
- 11.69. icode
- 11.70. id
- 11.71. ip_proto
- 11.72. ipopts
- 11.73. isdataat
- 11.74. itype
- 11.75. md5
- 11.76. metadata
- 11.77. modbus_data
- 11.78. modbus_func
- 11.79. modbus_unit
- 11.80. msg
- 11.81. mss
- 11.82. pcre
- 11.83. pkt_data
- 11.84. pkt_num
- 11.85. priority
- 11.86. raw_data
- 11.87. reference
- 11.88. regex
- 11.89. rem
- 11.90. replace
- 11.91. rev
- 11.92. rpc
- 11.93. s7commplus_content
- 11.94. s7commplus_func
- 11.95. s7commplus_opcode
- 11.96. sd_pattern
- 11.97. seq
- 11.98. service
- 11.99. session
- 11.100. sha256
- 11.101. sha512
- 11.102. sid
- 11.103. sip_body
- 11.104. sip_header
- 11.105. sip_method
- 11.106. sip_stat_code
- 11.107. so
- 11.108. soid
- 11.109. ssl_state
- 11.110. ssl_version
- 11.111. stream_reassemble
- 11.112. stream_size
- 11.113. tag
- 11.114. target
- 11.115. tos
- 11.116. ttl
- 11.117. urg
- 11.118. window
- 11.119. wscale
+ 11.54. http_param
+ 11.55. http_raw_body
+ 11.56. http_raw_cookie
+ 11.57. http_raw_header
+ 11.58. http_raw_request
+ 11.59. http_raw_status
+ 11.60. http_raw_trailer
+ 11.61. http_raw_uri
+ 11.62. http_stat_code
+ 11.63. http_stat_msg
+ 11.64. http_trailer
+ 11.65. http_true_ip
+ 11.66. http_uri
+ 11.67. http_version
+ 11.68. icmp_id
+ 11.69. icmp_seq
+ 11.70. icode
+ 11.71. id
+ 11.72. ip_proto
+ 11.73. ipopts
+ 11.74. isdataat
+ 11.75. itype
+ 11.76. md5
+ 11.77. metadata
+ 11.78. modbus_data
+ 11.79. modbus_func
+ 11.80. modbus_unit
+ 11.81. msg
+ 11.82. mss
+ 11.83. pcre
+ 11.84. pkt_data
+ 11.85. pkt_num
+ 11.86. priority
+ 11.87. raw_data
+ 11.88. reference
+ 11.89. regex
+ 11.90. rem
+ 11.91. replace
+ 11.92. rev
+ 11.93. rpc
+ 11.94. s7commplus_content
+ 11.95. s7commplus_func
+ 11.96. s7commplus_opcode
+ 11.97. sd_pattern
+ 11.98. seq
+ 11.99. service
+ 11.100. session
+ 11.101. sha256
+ 11.102. sha512
+ 11.103. sid
+ 11.104. sip_body
+ 11.105. sip_header
+ 11.106. sip_method
+ 11.107. sip_stat_code
+ 11.108. so
+ 11.109. soid
+ 11.110. ssl_state
+ 11.111. ssl_version
+ 11.112. stream_reassemble
+ 11.113. stream_size
+ 11.114. tag
+ 11.115. target
+ 11.116. tos
+ 11.117. ttl
+ 11.118. urg
+ 11.119. window
+ 11.120. wscale
12. Search Engine Modules
13. SO Rule Modules
Snorty
,,_ -*> Snort++ <*-
-o" )~ Version 3.0.0 (Build 267)
+o" )~ Version 3.0.0 (Build 268)
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
- Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
+ Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
active = { max_responses = 1, min_interval = 5 }
-1.2.3. Rules
+1.2.3. Whitelist
+
+When Snort is run with the --warn-conf-strict option, warnings will
+be generated for all Lua tables present in the configuration files
+that do not map to Snort module names. Like with other warnings,
+these will upgraded to errors when Snort is run in pedantic mode.
+
+To dynamically add exceptions that should bypass this strict
+validation, two Lua functions are made available to be called during
+the evaluation of Snort configuration files: snort_whitelist_append()
+and snort_whitelist_add_prefix(). Each function takes a
+whitespace-delimited list, the former a list of exact table names and
+the latter a list of table name prefixes to allow.
+
+Examples: snort_whitelist_append("table1 table2")
+snort_whitelist_add_prefix("local_ foobar_")
+
+The accumulated contents of the whitelist (both exact and prefix)
+will be dumped when Snort is run in verbose mode (-v).
+
+1.2.4. Rules
Rules determine what Snort is looking for. They can be put directly
in your Lua configuration file with the ips module, on the command
You can use both approaches together.
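Review bot: grammar slip in the new Whitelist section: "these will upgraded to errors" is missing "be", and "Like with other warnings" reads better as "As with other warnings". A sentence of caution next to the snort_whitelist_add_prefix() example would also help: a prefix entry such as "local_" exempts every table that starts with that prefix, so a misspelled module table sharing the prefix is exactly the mistake --warn-conf-strict exists to catch; prefer exact names via snort_whitelist_append() and keep prefixes narrow. The section also leaves open where these functions may be called from (any included Lua file, or only the top-level configuration?); "during the evaluation of Snort configuration files" does not settle it.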
-1.2.4. Includes
+1.2.5. Includes
Your configuration file file may include other files, either directly
via Lua or via various parameters. Snort will find relative includes
relative to the working directory. These will be updated in a
future release.
-1.2.5. Converting Your 2.X Configuration
+1.2.6. Converting Your 2.X Configuration
If you have a working 2.X configuration snort2lua makes it easy to
get up and running with Snort 3. This tool will convert your
percent_u = false
utf8_bare_byte = false
iis_unicode = false
-iis_double_decode = false
+iis_double_decode = true
The HTTP inspector normalizes percent encodings found in URIs. For
instance it will convert "%48%69%64%64%65%6e" to "Hidden". All the
generating an alert.
simplify_path = true
-backslash_to_slash = false
+backslash_to_slash = true
HTTP inspector simplifies directory paths in URIs by eliminating
extra traversals using ., .., and /.
\this\is\the\other\way\to\write\a\path
-backslash_to_slash is turned off by default. If you are protecting
-such a server then set backslash_to_slash = true and all the
-backslashes will be replaced with slashes during normalization.
+backslash_to_slash is turned on by default. It replaces all the
+backslashes with slashes during normalization.
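Review bot: the flipped defaults for iis_double_decode and backslash_to_slash (both now true) are a detection-relevant behaviour change that the prose only half documents. The backslash_to_slash paragraph was rewritten to say it is on by default, but the explanatory text for iis_double_decode between "The HTTP inspector normalizes percent encodings" and "generating an alert" is unchanged and still reads as if double decoding were opt-in; add the same "on by default" statement there. Since both settings apply to every HTTP target, not only IIS, the text should also say that normalized http_uri buffers now differ from earlier builds (for example "%2541" decodes to "A" and "\" becomes "/"), so rules that matched the single-decoded or backslash form need re-checking, and that operators protecting non-IIS servers may want to set both back to false.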
5.9.3. Detection rules
Frame type 0 is DATA which carries the HTTP message body. This rule
will search for MaLwArE inside an HTTP message body.
+To smooth the transition to inspecting HTTP/2, rules that specify
+service:http will be treated as if they also specify service:http2.
+Thus:
+
+alert tcp any any -> any any (flow:established, to_server;
+http_uri; content:"/foo";
+service: http; sid:10; rev:1;)
+
+is understood to mean:
+
+alert tcp any any -> any any (flow:established, to_server;
+http_uri; content:"/foo";
+service: http,http2; sid:10; rev:1;)
+
+Thus it will alert on "/foo" in the URI for both HTTP/1 and HTTP/2
+traffic.
+
+The reverse is not true. "service: http2" without http will match on
+HTTP/2 flows but not HTTP/1 flows.
+
+This feature makes it easy to add HTTP/2 inspection without modifying
+large numbers of existing rules. New rules should explicitly specify
+"service http,http2;" if that is the desired behavior. Eventually
+support for http implies http2 may be deprecated and removed.
+
In the future, http2_inspect will support HPACK header decompression
and be fully integrated with http_inspect to provide full inspection
of the individual HTTP/1.1 streams.
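Review bot: the example rules in this hunk write the option as "service: http;" while the recommendation two paragraphs later writes "service http,http2;" (no colon); pick one spelling so readers do not copy an inconsistent form. The closing sentence "Eventually support for http implies http2 may be deprecated and removed" also needs rewording, e.g. "Eventually the rule that http implies http2 may be deprecated and removed". On substance, documenting that service:http rules now also run against HTTP/2 flows is right, but since the next paragraph says HPACK decompression and full http_inspect integration are still future work, the text should state which http_* buffers are actually populated for HTTP/2 in this build; a rule using http_uri, as in the example, may silently never match on HTTP/2 if the URI is not yet extracted from the HEADERS frame, which is the opposite of the "easy transition" the paragraph promises.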
attribute table { 32:max53 }
* int attribute_table.max_services_per_host = 8: maximum number of
services per host entry in attribute table { 1:65535 }
- * int attribute_table.max_metadata_services = 8: maximum number of
+ * int attribute_table.max_metadata_services = 9: maximum number of
services in rule { 1:255 }
disable rules by default (overridden by ips policy settings)
* bool detection.global_rule_state = false: apply rule_state
against all policies
+ * bool detection.hyperscan_literals = false: use hyperscan for
+ content literal searches instead of boyer-moore
* int detection.offload_limit = 99999: minimum sizeof PDU to
offload fast pattern search (defaults to disabled) { 0:max32 }
* int detection.offload_threads = 0: maximum number of simultaneous
offloads (defaults to disabled) { 0:max32 }
- * bool detection.pcre_enable = true: disable pcre pattern matching
+ * bool detection.pcre_enable = true: enable pcre pattern matching
* int detection.pcre_match_limit = 1500: limit pcre backtracking, 0
= off { 0:max32 }
* int detection.pcre_match_limit_recursion = 1500: limit pcre stack
consumption, 0 = off { 0:max32 }
+ * bool detection.pcre_override = true: enable pcre match limit
+ overrides when pattern matching (ie ignore /O)
+ * bool detection.pcre_to_regex = false: enable the use of regex
+ instead of pcre for compatible expressions
* bool detection.enable_address_anomaly_checks = false: enable
check and alerting of address anomalies
* int detection.trace: mask for enabling debug traces in module {
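Review bot: the wording of detection.pcre_override contradicts itself: "enable pcre match limit overrides ... (ie ignore /O)". If true means the per-rule O modifier is honoured (so a rule may switch off pcre_match_limit and pcre_match_limit_recursion for itself), the parenthetical should say "honour /O"; if true means the modifier is ignored, the main clause should say "disable". The match limits are the backtracking cap that bounds pathological regexes, so which way the default (true) cuts must be unambiguous. Separately, pcre_to_regex = false says "for compatible expressions" without saying what is compatible; one sentence noting that converted expressions are matched by the hyperscan regex engine rather than pcre, so the match limits above no longer apply to them and pcre-only constructs such as backreferences cannot be converted, would tell an operator what changes when they flip it. Minor: "ie" should be "i.e.". The same text is repeated in the config appendix below; fix both copies.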
Peg counts:
- * host_cache.lru_cache_adds: lru cache added new entry (sum)
- * host_cache.lru_cache_prunes: lru cache pruned entry to make space
- for new entry (sum)
- * host_cache.lru_cache_find_hits: lru cache found entry in cache
+ * host_cache.adds: lru cache added new entry (sum)
+ * host_cache.alloc_prunes: lru cache pruned entry to make space for
+ new entry (sum)
+ * host_cache.find_hits: lru cache found entry in cache (sum)
+ * host_cache.find_misses: lru cache did not find entry in cache
(sum)
- * host_cache.lru_cache_find_misses: lru cache did not find entry in
- cache (sum)
- * host_cache.lru_cache_removes: lru cache found entry and removed
- it (sum)
+ * host_cache.reload_prunes: lru cache pruned entry for lower memcap
+ during reload (sum)
+ * host_cache.removes: lru cache found entry and removed it (sum)
6.12. host_tracker
of packet threads (same as -z) { 0:max32 }
* implied snort.--mem-check: like -T but also compile search
engines
+ * string snort.--metadata-filter: <filter> load only rules
+ containing filter string in metadata if set
* implied snort.--nostamps: don’t include timestamps in log file
names
* implied snort.--nolock-pidfile: do not try to lock Snort PID file
* implied snort.--version: show version number (same as -V)
* implied snort.--warn-all: enable all warnings
* implied snort.--warn-conf: warn about configuration issues
+ * implied snort.--warn-conf-strict: warn about unrecognized
+ elements in configuration files
* implied snort.--warn-daq: warn about DAQ issues, usually related
to mode
* implied snort.--warn-flowbits: warn about flowbits that are
* 121:10 (http2_inspect) invalid HTTP/2 header field
* 121:11 (http2_inspect) error in HTTP/2 settings frame
* 121:12 (http2_inspect) unknown parameter in HTTP/2 settings frame
+ * 121:13 (http2_inspect) invalid HTTP/2 frame sequence
+ * 121:14 (http2_inspect) HTTP/2 dynamic table size limit exceeded
Peg counts:
sessions (now)
* http2_inspect.max_concurrent_sessions: maximum concurrent HTTP/2
sessions (max)
+ * http2_inspect.max_table_entries: maximum entries in an HTTP/2
+ dynamic table (max)
9.24. http_inspect
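Review bot: alert 121:14 "HTTP/2 dynamic table size limit exceeded" and the new peg http2_inspect.max_table_entries imply a bound on the HPACK dynamic table, but no http2_inspect configuration parameter for that bound appears in this diff. The alert text should say whether the limit is fixed in the inspector or tunable, and what happens to the flow after it fires (is header decoding abandoned for that stream, so later http_* rules cannot match?), because attacker-driven table growth that stops inspection is a detection-evasion concern, not only a resource one. Likewise 121:13 "invalid HTTP/2 frame sequence" would benefit from one example of a sequence that triggers it.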
points for IIS unicode. { (optional) }
* int http_inspect.iis_unicode_code_page = 1252: code page to use
from the IIS unicode map file { 0:65535 }
- * bool http_inspect.iis_double_decode = false: perform double
+ * bool http_inspect.iis_double_decode = true: perform double
decoding of percent encodings to normalize characters
* int http_inspect.oversize_dir_length = 300: maximum length for
URL directory { 1:65535 }
- * bool http_inspect.backslash_to_slash = false: replace \ with /
+ * bool http_inspect.backslash_to_slash = true: replace \ with /
when normalizing URIs
* bool http_inspect.plus_to_space = true: replace + with <sp> when
normalizing URIs
value
* 119:248 (http_inspect) gzip compressed data followed by
unexpected non-gzip data
+ * 119:249 (http_inspect) excessive HTTP parameter key repeats
Peg counts:
inspection (sum)
* http_inspect.partial_inspections: pre-inspections for detained
inspection (sum)
+ * http_inspect.excess_parameters: repeat parameters exceeding max
+ (sum)
+ * http_inspect.parameters: HTTP parameters inspected (sum)
9.25. imap
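Review bot: 119:249 "excessive HTTP parameter key repeats" and the peg http_inspect.excess_parameters refer to a "max" for repeated parameters, but no http_inspect setting that defines that max is added in this hunk; document the value and whether it is tunable, since this is the alert that fires on parameter-pollution style requests. The peg description "repeat parameters exceeding max" should also say whether it counts messages or individual parameters, so the number can be compared with http_inspect.parameters.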
Configuration:
- * bool normalizer.ip4.base = true: clear options
+ * bool normalizer.ip4.base = false: clear options
* bool normalizer.ip4.df = false: clear don’t frag flag
* bool normalizer.ip4.rf = false: clear reserved flag
* bool normalizer.ip4.tos = false: clear tos / differentiated
services byte
* bool normalizer.ip4.trim = false: truncate excess payload beyond
datagram length
- * bool normalizer.tcp.base = true: clear reserved bits and option
+ * bool normalizer.tcp.base = false: clear reserved bits and option
padding and fix urgent pointer / flags issues
- * bool normalizer.tcp.block = true: allow packet drops during TCP
+ * bool normalizer.tcp.block = false: allow packet drops during TCP
normalization
- * bool normalizer.tcp.urp = true: adjust urgent pointer if beyond
+ * bool normalizer.tcp.urp = false: adjust urgent pointer if beyond
segment length
* bool normalizer.tcp.ips = true: ensure consistency in
retransmitted data
* select normalizer.tcp.ecn = off: clear ecn for all packets |
sessions w/o ecn setup { off | packet | stream }
- * bool normalizer.tcp.pad = true: clear any option padding bytes
+ * bool normalizer.tcp.pad = false: clear any option padding bytes
* bool normalizer.tcp.trim_syn = false: remove data on SYN
* bool normalizer.tcp.trim_rst = false: remove any data from RST
packet
* bool normalizer.tcp.trim_mss = false: trim data to MSS
* bool normalizer.tcp.trim = false: enable all of the TCP trim
options
- * bool normalizer.tcp.opts = true: clear all options except mss,
+ * bool normalizer.tcp.opts = false: clear all options except mss,
wscale, timestamp, and any explicitly allowed
- * bool normalizer.tcp.req_urg = true: clear the urgent pointer if
+ * bool normalizer.tcp.req_urg = false: clear the urgent pointer if
the urgent flag is not set
- * bool normalizer.tcp.req_pay = true: clear the urgent pointer and
+ * bool normalizer.tcp.req_pay = false: clear the urgent pointer and
the urgent flag if there is no payload
- * bool normalizer.tcp.rsv = true: clear the reserved bits in the
+ * bool normalizer.tcp.rsv = false: clear the reserved bits in the
TCP header
- * bool normalizer.tcp.req_urp = true: clear the urgent flag if the
+ * bool normalizer.tcp.req_urp = false: clear the urgent flag if the
urgent pointer is not set
* multi normalizer.tcp.allow_names: don’t clear given option names
{ sack | echo | partial_order | conn_count | alt_checksum | md5 }
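Review bot: every normalizer default in this hunk moves from true to false (ip4.base, tcp.base, tcp.block, tcp.urp, tcp.pad, tcp.opts, tcp.req_urg, tcp.req_pay, tcp.rsv, tcp.req_urp) while tcp.ips stays true. An inline deployment that relied on normalizer = { } for the old behaviour now performs no IP or TCP header normalization unless each option is set explicitly, and with tcp.block = false it no longer drops packets during normalization either. A silent defaults change of this size should be stated in the normalizer prose (and the release notes) together with the configuration that restores the previous behaviour, e.g. normalizer = { ip4 = { base = true }, tcp = { base = true, block = true, urp = true, pad = true, opts = true, req_urg = true, req_pay = true, rsv = true, req_urp = true } }, so operators who depend on normalization for evasion resistance do not lose it on upgrade. The same defaults are repeated in the config appendix below and need the same treatment.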
0:max32 }
* int perf_monitor.seconds = 60: report interval { 1:max32 }
* int perf_monitor.flow_ip_memcap = 52428800: maximum memory in
- bytes for flow tracking { 8200:maxSZ }
+ bytes for flow tracking { 236:maxSZ }
* int perf_monitor.max_file_size = 1073741824: files will be rolled
over if they exceed this size { 4096:max53 }
* int perf_monitor.flow_ports = 1023: maximum ports to track {
Peg counts:
- * port_scan.packets: total packets (sum)
+ * port_scan.packets: number of packets processed by port scan (sum)
+ * port_scan.trackers: number of trackers allocated by port scan
+ (sum)
+ * port_scan.alloc_prunes: number of trackers pruned on allocation
+ of new tracking (sum)
+ * port_scan.reload_prunes: number of trackers pruned on reload due
+ to reduced memcap (sum)
9.33. reputation
extracted from the RCPT TO command
* int smtp.max_auth_command_line_len = 1000: max auth command Line
Length { 0:65535 }
- * int smtp.max_command_line_len = 0: max Command Line Length {
+ * int smtp.max_command_line_len = 512: max Command Line Length {
0:65535 }
- * int smtp.max_header_line_len = 0: max SMTP DATA header line {
+ * int smtp.max_header_line_len = 1000: max SMTP DATA header line {
0:65535 }
- * int smtp.max_response_line_len = 0: max SMTP response line {
+ * int smtp.max_response_line_len = 512: max SMTP response line {
0:65535 }
* enum smtp.normalize = none: turns on/off normalization { none |
cmds | all }
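Review bot: the smtp line-length defaults move from 0 to 512 (command and response lines) and 1000 (DATA header lines), which are the RFC 5321 octet limits, so the values are sensible; the doc should say so, and should say what 0 means now that it is no longer the default (presumably "no limit", as before), because configurations that left these unset will start alerting on long lines after upgrade. The capitalisation "max Command Line Length" versus "max SMTP response line" is also inconsistent across the three entries.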
Configuration:
- * interval bufferlen.~range: check that length of current buffer is
- in given range { 0:65535 }
+ * interval bufferlen.~range: check that total length of current
+ buffer is in given range { 0:65535 }
+ * implied bufferlen.relative: use remaining length (from current
+ position) instead of total length
11.8. byte_extract
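Review bot: the new option is spelled relative in the parameter name while its description talks about "remaining length"; use the same word in both places so readers searching for one find the other. More importantly, changing ~range to check the total buffer length is a semantics change for any existing rule that used bufferlen after moving the cursor; the description should say that relative restores the remaining-length comparison so rule authors know which to pick when such rules stop matching.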
message trailers
-11.54. http_raw_body
+11.54. http_param
+
+--------------
+
+What: rule option to set the detection cursor to the value of the
+specified HTTP parameter key which may be in the query or body
+
+Type: ips_option
+
+Usage: detect
+
+Configuration:
+
+ * string http_param.~param: parameter to match
+ * implied http_param.nocase: case insensitive match
+
+
+11.55. http_raw_body
--------------
Usage: detect
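Review bot: the http_param section should say how repeated keys are handled. It sets the cursor to "the value of the specified HTTP parameter key", yet the same build adds 119:249 for excessive key repeats, so a key can occur several times, and in both the query and the body. State whether the cursor is set to the first occurrence, to each occurrence in turn for multiple matches, or to a concatenation, and whether the query and body are searched in a fixed order. It should also say whether ~param is compared against the normalized key or the raw one, and whether nocase applies to the key only or also to a following content match; without this, a rule meant to catch a value hidden in a duplicate key can end up written against the wrong instance.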
-11.55. http_raw_cookie
+11.56. http_raw_cookie
--------------
HTTP message trailers
-11.56. http_raw_header
+11.57. http_raw_header
--------------
HTTP message trailers
-11.57. http_raw_request
+11.58. http_raw_request
--------------
HTTP message trailers
-11.58. http_raw_status
+11.59. http_raw_status
--------------
HTTP message trailers
-11.59. http_raw_trailer
+11.60. http_raw_trailer
--------------
HTTP response message body (must be combined with request)
-11.60. http_raw_uri
+11.61. http_raw_uri
--------------
URI only
-11.61. http_stat_code
+11.62. http_stat_code
--------------
HTTP message trailers
-11.62. http_stat_msg
+11.63. http_stat_msg
--------------
HTTP message trailers
-11.63. http_trailer
+11.64. http_trailer
--------------
message body (must be combined with request)
-11.64. http_true_ip
+11.65. http_true_ip
--------------
HTTP message trailers
-11.65. http_uri
+11.66. http_uri
--------------
only
-11.66. http_version
+11.67. http_version
--------------
HTTP message trailers
-11.67. icmp_id
+11.68. icmp_id
--------------
0:65535 }
-11.68. icmp_seq
+11.69. icmp_seq
--------------
given range { 0:65535 }
-11.69. icode
+11.70. icode
--------------
0:255 }
-11.70. id
+11.71. id
--------------
}
-11.71. ip_proto
+11.72. ip_proto
--------------
* string ip_proto.~proto: [!|>|<] name or number
-11.72. ipopts
+11.73. ipopts
--------------
lsrre|ssrr|satid|any }
-11.73. isdataat
+11.74. isdataat
--------------
buffer
-11.74. itype
+11.75. itype
--------------
0:255 }
-11.75. md5
+11.76. md5
--------------
of buffer
-11.76. metadata
+11.77. metadata
--------------
-What: rule option for conveying arbitrary name, value data within the
-rule text
+What: rule option for conveying arbitrary comma-separated name, value
+data within the rule text
Type: ips_option
pairs
-11.77. modbus_data
+11.78. modbus_data
--------------
Usage: detect
-11.78. modbus_func
+11.79. modbus_func
--------------
* string modbus_func.~: function code to match
-11.79. modbus_unit
+11.80. modbus_unit
--------------
* int modbus_unit.~: Modbus unit ID { 0:255 }
-11.80. msg
+11.81. msg
--------------
* string msg.~: message describing rule
-11.81. mss
+11.82. mss
--------------
}
-11.82. pcre
+11.83. pcre
--------------
* string pcre.~re: Snort regular expression
+Peg counts:
+
+ * pcre.pcre_rules: total rules processed with pcre option (sum)
+ * pcre.pcre_to_hyper: total pcre rules by hyperscan engine (sum)
+ * pcre.pcre_native: total pcre rules compiled by pcre engine (sum)
+ * pcre.pcre_negated: total pcre rules using negation syntax (sum)
-11.83. pkt_data
+
+11.84. pkt_data
--------------
Usage: detect
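Review bot: "pcre.pcre_to_hyper: total pcre rules by hyperscan engine" is missing its verb; "total pcre rules compiled by the hyperscan engine" would match the wording of the pcre_native line. The peg names also all carry a redundant pcre_ prefix (pcre.pcre_rules, pcre.pcre_native, pcre.pcre_to_hyper, pcre.pcre_negated); the module name already scopes them, as the renamed host_cache.adds pegs elsewhere in this diff show. A sentence tying pcre_to_hyper to detection.pcre_to_regex would help, since that option is presumably what makes the count non-zero, and pcre_negated deserves a note that negated expressions are the ones that cannot take that path. The HTML copy of these pegs above has the same wording.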
-11.84. pkt_num
+11.85. pkt_num
--------------
{ 1: }
-11.85. priority
+11.86. priority
--------------
1:max31 }
-11.86. raw_data
+11.87. raw_data
--------------
Usage: detect
-11.87. reference
+11.88. reference
--------------
* string reference.~id: reference id
-11.88. regex
+11.89. regex
--------------
instead of start of buffer
-11.89. rem
+11.90. rem
--------------
* string rem.~: comment
-11.90. replace
+11.91. replace
--------------
* string replace.~: byte code to replace with
-11.91. rev
+11.92. rev
--------------
* int rev.~: revision { 1:max32 }
-11.92. rpc
+11.93. rpc
--------------
* string rpc.~proc: procedure number or * for any
-11.93. s7commplus_content
+11.94. s7commplus_content
--------------
Usage: detect
-11.94. s7commplus_func
+11.95. s7commplus_func
--------------
* string s7commplus_func.~: function code to match
-11.95. s7commplus_opcode
+11.96. s7commplus_opcode
--------------
* string s7commplus_opcode.~: opcode code to match
-11.96. sd_pattern
+11.97. sd_pattern
--------------
* sd_pattern.terminated: hyperscan terminated (sum)
-11.97. seq
+11.98. seq
--------------
range { 0: }
-11.98. service
+11.99. service
--------------
* string service.*: one or more comma-separated service names
-11.99. session
+11.100. session
--------------
* enum session.~mode: output format { printable|binary|all }
-11.100. sha256
+11.101. sha256
--------------
start of buffer
-11.101. sha512
+11.102. sha512
--------------
start of buffer
-11.102. sid
+11.103. sid
--------------
* int sid.~: signature id { 1:max32 }
-11.103. sip_body
+11.104. sip_body
--------------
Usage: detect
-11.104. sip_header
+11.105. sip_header
--------------
Usage: detect
-11.105. sip_method
+11.106. sip_method
--------------
* string sip_method.*method: sip method
-11.106. sip_stat_code
+11.107. sip_stat_code
--------------
* int sip_stat_code.*code: status code { 1:999 }
-11.107. so
+11.108. so
--------------
buffer
-11.108. soid
+11.109. soid
--------------
like 3_45678_9
-11.109. ssl_state
+11.110. ssl_state
--------------
unknown
-11.110. ssl_version
+11.111. ssl_version
--------------
tls1.2
-11.111. stream_reassemble
+11.112. stream_reassemble
--------------
remainder of the session
-11.112. stream_size
+11.113. stream_size
--------------
direction(s) { either|to_server|to_client|both }
-11.113. tag
+11.114. tag
--------------
* int tag.bytes: tag for this many bytes { 1:max32 }
-11.114. target
+11.115. target
--------------
dst_ip }
-11.115. tos
+11.116. tos
--------------
* interval tos.~range: check if IP TOS is in given range { 0:255 }
-11.116. ttl
+11.117. ttl
--------------
0:255 }
-11.117. urg
+11.118. urg
--------------
{ 0:65535 }
-11.118. window
+11.119. window
--------------
range { 0:65535 }
-11.119. wscale
+11.120. wscale
--------------
* --max-packet-threads <count> configure maximum number of packet
threads (same as -z) (0:max32)
* --mem-check like -T but also compile search engines
+ * --metadata-filter <filter> load only rules containing filter
+ string in metadata if set
* --nostamps don’t include timestamps in log file names
* --nolock-pidfile do not try to lock Snort PID file
* --pause wait for resume/quit command before processing packets/
* --version show version number (same as -V)
* --warn-all enable all warnings
* --warn-conf warn about configuration issues
+ * --warn-conf-strict warn about unrecognized elements in
+ configuration files
* --warn-daq warn about DAQ issues, usually related to mode
* --warn-flowbits warn about flowbits that are checked but not set
and vice-versa
-65535:65535 }
* int attribute_table.max_hosts = 1024: maximum number of hosts in
attribute table { 32:max53 }
- * int attribute_table.max_metadata_services = 8: maximum number of
+ * int attribute_table.max_metadata_services = 9: maximum number of
services in rule { 1:255 }
* int attribute_table.max_services_per_host = 8: maximum number of
services per host entry in attribute table { 1:65535 }
* bit_list binder[].when.src_zone: source zone { 63 }
* bit_list binder[].when.vlans: list of VLAN IDs { 4095 }
* bit_list binder[].when.zones: zones { 63 }
- * interval bufferlen.~range: check that length of current buffer is
- in given range { 0:65535 }
+ * interval bufferlen.~range: check that total length of current
+ buffer is in given range { 0:65535 }
+ * implied bufferlen.relative: use remaining length (from current
+ position) instead of total length
* int byte_extract.align = 0: round the number of converted bytes
up to the next 2- or 4-byte boundary { 0:4 }
* implied byte_extract.big: big endian
disable rules by default (overridden by ips policy settings)
* bool detection.global_rule_state = false: apply rule_state
against all policies
+ * bool detection.hyperscan_literals = false: use hyperscan for
+ content literal searches instead of boyer-moore
* int detection.offload_limit = 99999: minimum sizeof PDU to
offload fast pattern search (defaults to disabled) { 0:max32 }
* int detection.offload_threads = 0: maximum number of simultaneous
offloads (defaults to disabled) { 0:max32 }
- * bool detection.pcre_enable = true: disable pcre pattern matching
+ * bool detection.pcre_enable = true: enable pcre pattern matching
* int detection.pcre_match_limit = 1500: limit pcre backtracking, 0
= off { 0:max32 }
* int detection.pcre_match_limit_recursion = 1500: limit pcre stack
consumption, 0 = off { 0:max32 }
+ * bool detection.pcre_override = true: enable pcre match limit
+ overrides when pattern matching (ie ignore /O)
+ * bool detection.pcre_to_regex = false: enable the use of regex
+ instead of pcre for compatible expressions
* int detection.trace: mask for enabling debug traces in module {
0:max53 }
* bool dnp3.check_crc = false: validate checksums in DNP3 link
examining HTTP message headers
* implied http_header.with_trailer: parts of this rule examine HTTP
message trailers
- * bool http_inspect.backslash_to_slash = false: replace \ with /
+ * bool http_inspect.backslash_to_slash = true: replace \ with /
when normalizing URIs
* bit_list http_inspect.bad_characters: alert when any of specified
bytes are present in URI after percent decoding { 255 }
specified unreserved characters are percent-encoded in a
URI.Unreserved characters are 0-9, a-z, A-Z, period, underscore,
tilde, and minus. { (optional) }
- * bool http_inspect.iis_double_decode = false: perform double
+ * bool http_inspect.iis_double_decode = true: perform double
decoding of percent encodings to normalize characters
* int http_inspect.iis_unicode_code_page = 1252: code page to use
from the IIS unicode map file { 0:65535 }
examining HTTP message headers
* implied http_method.with_trailer: parts of this rule examine HTTP
message trailers
+ * implied http_param.nocase: case insensitive match
+ * string http_param.~param: parameter to match
* implied http_raw_cookie.request: match against the cookie from
the request message even when examining the response
* implied http_raw_cookie.with_body: parts of this rule examine
normalizing { 1:255 }
* bool normalizer.icmp4 = false: clear reserved flag
* bool normalizer.icmp6 = false: clear reserved flag
- * bool normalizer.ip4.base = true: clear options
+ * bool normalizer.ip4.base = false: clear options
* bool normalizer.ip4.df = false: clear don’t frag flag
* bool normalizer.ip4.rf = false: clear reserved flag
* bool normalizer.ip4.tos = false: clear tos / differentiated
* string normalizer.tcp.allow_codes: don’t clear given option codes
* multi normalizer.tcp.allow_names: don’t clear given option names
{ sack | echo | partial_order | conn_count | alt_checksum | md5 }
- * bool normalizer.tcp.base = true: clear reserved bits and option
+ * bool normalizer.tcp.base = false: clear reserved bits and option
padding and fix urgent pointer / flags issues
- * bool normalizer.tcp.block = true: allow packet drops during TCP
+ * bool normalizer.tcp.block = false: allow packet drops during TCP
normalization
* select normalizer.tcp.ecn = off: clear ecn for all packets |
sessions w/o ecn setup { off | packet | stream }
* bool normalizer.tcp.ips = true: ensure consistency in
retransmitted data
- * bool normalizer.tcp.opts = true: clear all options except mss,
+ * bool normalizer.tcp.opts = false: clear all options except mss,
wscale, timestamp, and any explicitly allowed
- * bool normalizer.tcp.pad = true: clear any option padding bytes
- * bool normalizer.tcp.req_pay = true: clear the urgent pointer and
+ * bool normalizer.tcp.pad = false: clear any option padding bytes
+ * bool normalizer.tcp.req_pay = false: clear the urgent pointer and
the urgent flag if there is no payload
- * bool normalizer.tcp.req_urg = true: clear the urgent pointer if
+ * bool normalizer.tcp.req_urg = false: clear the urgent pointer if
the urgent flag is not set
- * bool normalizer.tcp.req_urp = true: clear the urgent flag if the
+ * bool normalizer.tcp.req_urp = false: clear the urgent flag if the
urgent pointer is not set
- * bool normalizer.tcp.rsv = true: clear the reserved bits in the
+ * bool normalizer.tcp.rsv = false: clear the reserved bits in the
TCP header
* bool normalizer.tcp.trim = false: enable all of the TCP trim
options
packet
* bool normalizer.tcp.trim_syn = false: remove data on SYN
* bool normalizer.tcp.trim_win = false: trim data to window
- * bool normalizer.tcp.urp = true: adjust urgent pointer if beyond
+ * bool normalizer.tcp.urp = false: adjust urgent pointer if beyond
segment length
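Review bot: Ten normalizer options flip their documented default from true to false in this hunk (ip4.base, tcp.base, tcp.block, tcp.opts, tcp.pad, tcp.req_pay, tcp.req_urg, tcp.req_urp, tcp.rsv, tcp.urp) while tcp.ips stays true and tcp.trim stays false. If the module's parameter defaults really changed, an inline deployment with a bare `normalizer = { }` silently loses header normalization and this needs its own ChangeLog entry with a migration hint (set the options explicitly); if only the generated text changed, check the Parameter table so the manual does not contradict the code. Either way, "base = false: clear reserved bits and option padding" now reads as if the feature is off, so one sentence on what `normalizer = { }` enables by default would remove the ambiguity.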
* bool output.dump_chars_only = false: turns on character dumps
(same as -C)
* bool perf_monitor.flow_ip = false: enable statistics on host
pairs
* int perf_monitor.flow_ip_memcap = 52428800: maximum memory in
- bytes for flow tracking { 8200:maxSZ }
+ bytes for flow tracking { 236:maxSZ }
* int perf_monitor.flow_ports = 1023: maximum ports to track {
0:65535 }
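Review bot: The lower bound of perf_monitor.flow_ip_memcap drops from 8200 to 236 bytes with no explanation of what the minimum represents; if 236 is the cost of one flow entry, say so, because a memcap near the floor will hold almost no host pairs and the perf_monitor.alloc_prunes counter documented later in this diff will dominate the statistics.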
* enum perf_monitor.format = csv: output format for stats { csv |
extracted from the RCPT TO command
* int smtp.max_auth_command_line_len = 1000: max auth command Line
Length { 0:65535 }
- * int smtp.max_command_line_len = 0: max Command Line Length {
+ * int smtp.max_command_line_len = 512: max Command Line Length {
0:65535 }
- * int smtp.max_header_line_len = 0: max SMTP DATA header line {
+ * int smtp.max_header_line_len = 1000: max SMTP DATA header line {
0:65535 }
- * int smtp.max_response_line_len = 0: max SMTP response line {
+ * int smtp.max_response_line_len = 512: max SMTP response line {
0:65535 }
* string smtp.normalize_cmds: list of commands to normalize
* enum smtp.normalize = none: turns on/off normalization { none |
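Review bot: The smtp defaults move from 0 to 512 (command and response lines) and 1000 (DATA header lines), which match the RFC 5321 limits of 512 octets for command and reply lines and 1000 octets for text lines, but the hunk does not say whether 0 still means "no limit" or which alert fires when a line exceeds the limit; configurations that relied on the old 0 default will start alerting on long lines, so this deserves a ChangeLog line and a note on the meaning of 0. max_auth_command_line_len stays at 1000 while max_command_line_len becomes 512; a half sentence on why AUTH lines get the larger limit would help readers who tune these.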
of packet threads (same as -z) { 0:max32 }
* implied snort.--mem-check: like -T but also compile search
engines
+ * string snort.--metadata-filter: <filter> load only rules
+ containing filter string in metadata if set
* implied snort.-M: log messages to syslog (not alerts)
* int snort.-m: <umask> set the process file mode creation mask {
0x000:0x1FF }
* implied snort.--version: show version number (same as -V)
* implied snort.-V: (same as --version)
* implied snort.--warn-all: enable all warnings
+ * implied snort.--warn-conf-strict: warn about unrecognized
+ elements in configuration files
* implied snort.--warn-conf: warn about configuration issues
* implied snort.--warn-daq: warn about DAQ issues, usually related
to mode
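Review bot: The --metadata-filter description "load only rules containing filter string in metadata if set" dangles; rewrite as "<filter>: load only rules whose metadata contains the filter string" and say whether the match is a plain substring of the metadata text or a name/value match, and whether more than one filter may be given. For --warn-conf-strict, state how it relates to --warn-conf (unrecognized elements versus other configuration issues) and confirm that --warn-all, documented just above as enabling all warnings, includes it.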
received without a local flow (sum)
* high_availability.update_msgs_recv: update messages received
(sum)
- * host_cache.lru_cache_adds: lru cache added new entry (sum)
- * host_cache.lru_cache_find_hits: lru cache found entry in cache
+ * host_cache.adds: lru cache added new entry (sum)
+ * host_cache.alloc_prunes: lru cache pruned entry to make space for
+ new entry (sum)
+ * host_cache.find_hits: lru cache found entry in cache (sum)
+ * host_cache.find_misses: lru cache did not find entry in cache
(sum)
- * host_cache.lru_cache_find_misses: lru cache did not find entry in
- cache (sum)
- * host_cache.lru_cache_prunes: lru cache pruned entry to make space
- for new entry (sum)
- * host_cache.lru_cache_removes: lru cache found entry and removed
- it (sum)
+ * host_cache.reload_prunes: lru cache pruned entry for lower memcap
+ during reload (sum)
+ * host_cache.removes: lru cache found entry and removed it (sum)
* host_tracker.service_adds: host service adds (sum)
* host_tracker.service_finds: host service finds (sum)
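Review bot: Renaming host_cache.lru_cache_adds/find_hits/find_misses/removes to host_cache.adds/find_hits/find_misses/removes and splitting lru_cache_prunes into alloc_prunes and reload_prunes breaks any external stats parsing keyed on the old names, so it needs an explicit ChangeLog entry. The split itself is an improvement, since it separates pruning to make room from pruning forced by a lower memcap on reload, but the descriptions still open with "lru cache" after the prefix was dropped from the names; either drop the phrase or keep the two consistent.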
* http2_inspect.concurrent_sessions: total concurrent HTTP/2
* http2_inspect.flows: HTTP connections inspected (sum)
* http2_inspect.max_concurrent_sessions: maximum concurrent HTTP/2
sessions (max)
+ * http2_inspect.max_table_entries: maximum entries in an HTTP/2
+ dynamic table (max)
* http_inspect.chunked: chunked message bodies (sum)
* http_inspect.concurrent_sessions: total concurrent http sessions
(now)
* http_inspect.delete_requests: DELETE requests inspected (sum)
* http_inspect.detained_packets: TCP packets delayed by detained
inspection (sum)
+ * http_inspect.excess_parameters: repeat parameters exceeding max
+ (sum)
* http_inspect.flows: HTTP connections inspected (sum)
* http_inspect.get_requests: GET requests inspected (sum)
* http_inspect.head_requests: HEAD requests inspected (sum)
* http_inspect.options_requests: OPTIONS requests inspected (sum)
* http_inspect.other_requests: other request methods inspected
(sum)
+ * http_inspect.parameters: HTTP parameters inspected (sum)
* http_inspect.partial_inspections: pre-inspections for detained
inspection (sum)
* http_inspect.post_requests: POST requests inspected (sum)
* packet_capture.captured: packets matching dumped after matching
filter (sum)
* packet_capture.processed: packets processed against filter (sum)
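Review bot: http_inspect.excess_parameters is described as "repeat parameters exceeding max" without naming the option that sets the max, and http_inspect.parameters says "HTTP parameters inspected" without saying whether query and body parameters are both counted; name the limit and the scope, since these are the counters an operator will use to tune the 119:249 alert added in this diff. http2_inspect.max_table_entries should say "HPACK dynamic table" and whether it counts entries or octets, because the corresponding alert text in this diff speaks of a size limit.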
+ * pcre.pcre_native: total pcre rules compiled by pcre engine (sum)
+ * pcre.pcre_negated: total pcre rules using negation syntax (sum)
+ * pcre.pcre_rules: total rules processed with pcre option (sum)
+ * pcre.pcre_to_hyper: total pcre rules by hyperscan engine (sum)
* perf_monitor.alloc_prunes: flows pruned on allocation of IP flows
(sum)
* perf_monitor.packets: total packets processed by performance
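Review bot: The pcre counters carry a redundant pcre_ prefix (pcre.pcre_native, pcre.pcre_rules, ...) in the same diff that strips the lru_cache_ prefix from the host_cache counters; drop it for consistency unless something external already depends on it. pcre.pcre_to_hyper also lacks a verb ("total pcre rules by hyperscan engine") where pcre_native says "compiled by"; say "compiled by the hyperscan engine", and state whether pcre_native plus pcre_to_hyper is meant to equal pcre_rules, so operators can verify that conversion of pcre expressions to the regex engine actually took effect.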
* pop.sessions: total pop sessions (sum)
* pop.uu_attachments: total uu attachments decoded (sum)
* pop.uu_decoded_bytes: total uu decoded bytes (sum)
- * port_scan.packets: total packets (sum)
+ * port_scan.alloc_prunes: number of trackers pruned on allocation
+ of new tracking (sum)
+ * port_scan.packets: number of packets processed by port scan (sum)
+ * port_scan.reload_prunes: number of trackers pruned on reload due
+ to reduced memcap (sum)
+ * port_scan.trackers: number of trackers allocated by port scan
+ (sum)
* rate_filter.no_memory: number of times rate filter ran out of
memory (sum)
* reputation.blacklisted: number of packets blacklisted (sum)
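Review bot: port_scan.reload_prunes ("pruned on reload due to reduced memcap"), read together with the removal of port_scan.memcap from the restart-required list later in this diff, documents that the memcap is now reload-safe, which is good; but port_scan.trackers is described as "number of trackers allocated" with a (sum) qualifier, which reads as a cumulative total rather than a live count, so either say "allocated since start" or make it a (now) gauge if it is meant to show current trackers.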
value
* 119:248 (http_inspect) gzip compressed data followed by
unexpected non-gzip data
+ * 119:249 (http_inspect) excessive HTTP parameter key repeats
* 121:1 (http2_inspect) error in HPACK integer value
* 121:2 (http2_inspect) HPACK integer value has leading zeros
* 121:3 (http2_inspect) error in HPACK string value
* 121:10 (http2_inspect) invalid HTTP/2 header field
* 121:11 (http2_inspect) error in HTTP/2 settings frame
* 121:12 (http2_inspect) unknown parameter in HTTP/2 settings frame
+ * 121:13 (http2_inspect) invalid HTTP/2 frame sequence
+ * 121:14 (http2_inspect) HTTP/2 dynamic table size limit exceeded
* 122:1 (port_scan) TCP portscan
* 122:2 (port_scan) TCP decoy portscan
* 122:3 (port_scan) TCP portsweep
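Review bot: 121:14 says "dynamic table size limit exceeded" while the new http2_inspect.max_table_entries counter counts entries; the HPACK dynamic table limit is negotiated in octets (RFC 7541 charges each entry its name length plus value length plus 32), so make clear which quantity the alert checks and whether the limit is the peer-advertised table size or an inspector cap. 121:13 "invalid HTTP/2 frame sequence" would be more useful to rule writers with an example of an invalid sequence (such as a CONTINUATION frame with no preceding HEADERS), and 119:249 should name the option that sets the repeat threshold.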
* http_inspect (inspector): HTTP inspector
* http_method (ips_option): rule option to set the detection cursor
to the HTTP request method
+ * http_param (ips_option): rule option to set the detection cursor
+ to the value of the specified HTTP parameter key which may be in
+ the query or body
* http_raw_body (ips_option): rule option to set the detection
cursor to the unnormalized message body
* http_raw_cookie (ips_option): rule option to set the detection
the normalized URI buffer
* http_version (ips_option): rule option to set the detection
cursor to the version buffer
+ * hyperscan (search_engine): intel hyperscan-based mpse with regex
+ support
* icmp4 (codec): support for Internet control message protocol v4
* icmp6 (codec): support for Internet control message protocol v6
* icmp_id (ips_option): rule option to check ICMP ID
* md5 (ips_option): payload rule option for hash matching
* mem_test (inspector): for testing memory management
* memory (basic): memory management configuration
- * metadata (ips_option): rule option for conveying arbitrary name,
- value data within the rule text
+ * metadata (ips_option): rule option for conveying arbitrary
+ comma-separated name, value data within the rule text
* modbus (inspector): modbus inspection
* modbus_data (ips_option): rule option to set cursor to modbus
data
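Review bot: "intel hyperscan-based mpse" should read "Intel Hyperscan-based mpse" (proper noun), and "mpse" is unexplained in the module list; say "multi-pattern search engine". The http_param and metadata descriptions in this hunk are repeated verbatim in the ips_option index further down in this diff, so any wording fix has to be applied in both places.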
to the normalized headers
* ips_option::http_method: rule option to set the detection cursor
to the HTTP request method
+ * ips_option::http_param: rule option to set the detection cursor
+ to the value of the specified HTTP parameter key which may be in
+ the query or body
* ips_option::http_raw_body: rule option to set the detection
cursor to the unnormalized message body
* ips_option::http_raw_cookie: rule option to set the detection
payload data
* ips_option::itype: rule option to check ICMP type
* ips_option::md5: payload rule option for hash matching
- * ips_option::metadata: rule option for conveying arbitrary name,
- value data within the rule text
+ * ips_option::metadata: rule option for conveying arbitrary
+ comma-separated name, value data within the rule text
* ips_option::modbus_data: rule option to set cursor to modbus data
* ips_option::modbus_func: rule option to check modbus function
code
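Review bot: These http_param and metadata entries duplicate the text of the module list earlier in this diff; if the generator does not emit both from a single source string, the two copies will drift. "comma-separated name, value data" is also ambiguous about whether the comma separates a name from its value or one pair from the next; metadata is written as space-separated name value pairs joined by commas, so "comma-separated list of name value pairs" says it unambiguously.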
* attribute_table.max_hosts
* attribute_table.max_services_per_host
* daq.snaplen
- * daq.no_promisc
* detection.asn1
* file_id.max_files_cached
- * port_scan.memcap
* process.chroot
* process.daemon
* process.set_gid
* process.set_uid
- * stream.footprint
- * stream.ip_cache.max_sessions
- * stream.ip_cache.pruning_timeout
- * stream.ip_cache.idle_timeout
- * stream.icmp_cache.max_sessions
- * stream.icmp_cache.pruning_timeout
- * stream.icmp_cache.idle_timeout
- * stream.tcp_cache.max_sessions
- * stream.tcp_cache.pruning_timeout
- * stream.tcp_cache.idle_timeout
- * stream.udp_cache.max_sessions
- * stream.udp_cache.pruning_timeout
- * stream.udp_cache.idle_timeout
- * stream.user_cache.max_sessions
- * stream.user_cache.pruning_timeout
- * stream.user_cache.idle_timeout
- * stream.file_cache.max_sessions
- * stream.file_cache.pruning_timeout
- * stream.file_cache.idle_timeout
+ * snort.--bpf
+ * snort.-l
In addition, the following scenarios require a restart:
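Review bot: Dropping the stream.*_cache max_sessions/pruning_timeout/idle_timeout entries, stream.footprint, port_scan.memcap and daq.no_promisc from the restart-required list states that these are now applied on reload, but unlike port_scan and host_cache, which gain reload_prunes counters in this diff, nothing in the stream counters shows that a lowered max_sessions is honored on reload; add a counter or confirm the behavior before removing the entries. Listing snort.--bpf and snort.-l here reads oddly, since reload_config re-reads the Lua configuration rather than the command line; if the intent is that the equivalent configuration settings need a restart, name those settings instead.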