set (VERSION_MAJOR 3)
set (VERSION_MINOR 7)
-set (VERSION_PATCH 0)
+set (VERSION_PATCH 1)
set (VERSION_SUBLEVEL 0)
set (VERSION "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}.${VERSION_SUBLEVEL}")
+2025-03-11: 3.7.1.0
+
+* appid: added publishing of domain fronting event
+* appid: adding general appid support and encrypted dns
+* appid: adding log while creating third party context to monitor hanging
+* appid: change get_appid_session_api to use the stash
+* appid: convert appid flow data to use objects
+* appid: fixes for coverity and cppcheck issues
+* appid: implemented domain fronting support for shadow traffic
+* appid: implemented support for shadow traffic evasive vpn & multihop proxy
+* build: add version check for numactl
+* copyright: update year to 2025
+* detection: fix leave_group call which should be against current packet only
+* extractor: add configuration option for time formatting
+* extractor: add escaping for special characters
+* extractor: add support for file name and type for mime
+* extractor: add tenant id as common field
+* extractor: add time formatting in loggers
+* extractor: dns support
+* extractor: fix spelling
+* extractor: print null for fields that require missing packet context
+* extractor: remove obsolete includes
+* file_api: add log message for reset ctx
+* file_api: file event generated for asymmetric flow
+* file_api, http_inspect: add info about partial download to FileInfo
+* file_api: making sha256 point to null to avoid dangling cases
+* file_api: setting current file data inside mutex with file data received before accessing it
+* ftp_telnet: flow data creation when port command is issued for active ftp
+* helpers: add missing include for unit tests
+* ips: fix tsan issue with logging rule tree construction
+* main: allow toggling generation of instance_map output
+* main: snort --create-pidfile cmd line parameter update and support for --max-peers command line parameter implemented
+* network_inspectors: rename kaizen to snort_ml
+* pub_sub: add ips rule event for extractor
+* pub_sub: changes for domain faking for shadowtraffic_aggregator
+* snort_ml: build models into a BinaryClassifierSet
+* stream_tcp: changed asymmetric flows counter increment conditions
+* thread_config: add option for setting NUMA memory policy
+* thread_config: fix numa build issue
+* utils: add is_directory_path
+
2025-02-04: 3.7.0.0
* extractor: add default filter
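Review bot: the `main:` entry names `--max-peers`, but every documentation hunk in this change adds `--max-procs` (`* int snort.--max-procs: number of simultaneous Snort processes { 1: }`), so one of the two names is wrong and the ChangeLog is the one packagers and users read; fix it to match the option actually implemented. That same entry also bundles two unrelated changes into one bullet and does not say what the `--create-pidfile` "update" is, even though it is user-visible (the option goes from an implied flag to one taking an optional string); split it into two bullets and state the behaviour change. Nothing here records that the build now requires libdaq 3.0.19 instead of 3.0.18, which is a hard build-time floor and deserves its own `build:` entry next to the numactl check.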
#]=======================================================================]
find_package(PkgConfig)
-pkg_check_modules(PC_DAQ libdaq>=3.0.18)
+pkg_check_modules(PC_DAQ libdaq>=3.0.19)
# Use DAQ_INCLUDE_DIR_HINT and DAQ_LIBRARIES_DIR_HINT from configure_cmake.sh as primary hints
# and then package config information after that.
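Review bot: raising the libdaq floor from 3.0.18 to 3.0.19 is a hard requirement (the configure step fails without it) but it is not mentioned in the ChangeLog hunk above, and the commit gives no reason for the bump; add a one-line note (here or in the ChangeLog) saying which 3.0.19 change Snort 3.7.1.0 depends on, so distributions still shipping 3.0.18 can tell whether this is a correctness fix they must take or just a version pin.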
The Snort Team
Revision History
-Revision 3.7.0.0 2025-02-04 17:21:58 EST TST
+Revision 3.7.1.0 2025-03-12 00:16:10 EDT TST
---------------------------------------------------------------------
(seconds, 0 to disable) { 0:60 }
* int process.watchdog_min_thread_count = 1: minimum unresponsive
threads for watchdog to trigger { 1:65535 }
- * string process.numa_memory_policy = "preferred": set
- default|preferred|bind|local memory policy for NUMA
+ * string process.numa_memory_policy = preferred: set default|
+ preferred|bind|local memory policy for NUMA
2.27. profiler
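Review bot: `process.numa_memory_policy` is documented as a `string` whose value is constrained to `default|preferred|bind|local`, which is exactly what the manual expresses elsewhere as an enum with a brace list (`* enum extractor.formatting = csv: output format for extractor { csv | json }`); documenting it as `enum ... { default | preferred | bind | local }` would make the allowed values machine-checkable and would also avoid the line wrap splitting the alternatives after `default|`. The same wording appears again in the reference list at `* string process.numa_memory_policy = preferred: set default|` further down and should be changed in both places.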
seen in TCPDump
* string snort.--c2x: output hex for given char (see also --x2c)
* string snort.--control-socket: <file> to create unix socket
- * implied snort.--create-pidfile: create PID file, even when not in
- Daemon mode
+ * implied snort.--create-instance-file: create instance mappings
+ file for this Snort process at startup
+ * string snort.--create-pidfile: create PID file, even when not in
+ Daemon mode { (optional) }
+ * int snort.--max-procs: number of simultaneous Snort processes {
+ 1: }
* string snort.--daq: <type> select packet acquisition module
(default is pcap)
* int snort.--daq-batch-size: <size> set the DAQ receive batch
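Review bot: `--create-pidfile` changes type from `implied` to `string` with `{ (optional) }`, but the description still reads "create PID file, even when not in Daemon mode" and never says what the optional string is (a path? a directory?) or what happens when it is omitted; since an optional argument on a CLI flag is ambiguous when the next token is another option, document the value and its default explicitly. The new `--create-instance-file` likewise says only "create instance mappings file for this Snort process at startup" without saying where the file is written, with what permissions, or whether it is created before or after `process.set_uid`/`process.set_gid` take effect, which matters for a file written at startup by a process that may still be root at that point. `--max-procs` is inserted between `--create-pidfile` and `--daq`, breaking the alphabetical order this list otherwise follows (`--c2x`, `--control-socket`, `--create-...`, `--daq`); it belongs with `--max-packet-threads`, and it shows no default even though a lower bound of `1:` is given.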
* enum extractor.formatting = csv: output format for extractor {
csv | json }
* string extractor.connector: output destination for extractor
+ * enum extractor.time = unix: output format for timestamp values {
+ snort | snort_yy | unix | unix_s | unix_us }
* enum extractor.default_filter = pick: default action for protocol
with no filter provided { pick | skip }
* enum extractor.protocols[].service: service to extract from {
- http | ftp | conn }
+ http | ftp | conn | dns }
* int extractor.protocols[].tenant_id = 0: tenant_id of target
tenant { 0:max32 }
* string extractor.protocols[].on_events: specify events to log
Configuration:
- * string snort_ml_engine.http_param_model: path to the model file
+ * string snort_ml_engine.http_param_model: path to model file(s)
5.47. so_proxy
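Review bot: changing `snort_ml_engine.http_param_model` to "path to model file(s)" leaves the syntax for multiple models undocumented: is the value a directory (the ChangeLog adds `utils: add is_directory_path` and `snort_ml: build models into a BinaryClassifierSet`, which suggests so), a list, or a glob? State it in the description, and say how the loaded models are matched to `snort_ml.http_param_threshold`, since a threshold that applied to one model now applies to a set.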
TCPDump
* --c2x output hex for given char (see also --x2c)
* --control-socket <file> to create unix socket
+ * --create-instance-file create instance mappings file for this
+ Snort process at startup
* --create-pidfile create PID file, even when not in Daemon mode
+ (optional)
+ * --max-procs number of simultaneous Snort processes (1:)
* --daq <type> select packet acquisition module (default is pcap)
* --daq-batch-size <size> set the DAQ receive batch size; default
is 64 (1:)
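Review bot: in the help-text listing `(optional)` is appended to the `--create-pidfile` description on its own continuation line, so in rendered output it reads as a qualifier on "Daemon mode" rather than on the option's argument; rewording to something like `--create-pidfile [<path>] create PID file ...` (if a path is what the string is) would match the `--control-socket <file>` and `--daq <type>` style used by the neighbouring options. `--max-procs` is again out of alphabetical order here, sitting between `--create-pidfile` and `--daq` instead of next to `--max-packet-threads`.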
* string extractor.protocols[].fields: specify fields to log
* string extractor.protocols[].on_events: specify events to log
* enum extractor.protocols[].service: service to extract from {
- http | ftp | conn }
+ http | ftp | conn | dns }
* int extractor.protocols[].tenant_id = 0: tenant_id of target
tenant { 0:max32 }
+ * enum extractor.time = unix: output format for timestamp values {
+ snort | snort_yy | unix | unix_s | unix_us }
* string file_connector[].connector: connector name
* enum file_connector[].direction: usage { receive | transmit |
duplex }
* string process.chroot: set chroot directory (same as -t)
* bool process.daemon = false: fork as a daemon (same as -D)
* bool process.dirty_pig = false: shutdown without internal cleanup
+ * string process.numa_memory_policy = preferred: set default|
+ preferred|bind|local memory policy for NUMA
* string process.set_gid: set group ID (same as -g)
* string process.set_uid: set user ID (same as -u)
* string process.threads[].cpuset: pin the associated thread to
threads for watchdog to trigger { 1:65535 }
* int process.watchdog_timer = 0: watchdog timer for packet threads
(seconds, 0 to disable) { 0:60 }
- * string process.numa_memory_policy = "preferred": set
- default|preferred|bind|local memory policy for NUMA
* int profiler.memory.count = 0: limit results to count items per
level (0 = no limit) { 0:max32 }
* int profiler.memory.dump_file_size = 1073741824: files will be
* string snort.--control-socket: <file> to create unix socket
* implied snort.-C: print out payloads with character data only (no
hex)
- * implied snort.--create-pidfile: create PID file, even when not in
- Daemon mode
+ * implied snort.--create-instance-file: create instance mappings
+ file for this Snort process at startup
+ * string snort.--create-pidfile: create PID file, even when not in
+ Daemon mode { (optional) }
* int snort.--daq-batch-size: <size> set the DAQ receive batch
size; default is 64 { 1: }
* string snort.--daq-dir: <dir> tell snort where to find desired
* implied snort.--markup: output help in asciidoc compatible format
* int snort.--max-packet-threads: <count> configure maximum number
of packet threads (same as -z) { 0:max32 }
+ * int snort.--max-procs: number of simultaneous Snort processes {
+ 1: }
* implied snort.--mem-check: like -T but also compile search
engines
* string snort.--metadata-filter: <filter> load only rules
containing filter string in metadata if set
* int snort_ml.client_body_depth = 0: number of input HTTP client
body bytes to scan (-1 unlimited) { -1:max31 }
- * string snort_ml_engine.http_param_model: path to the model file
+ * string snort_ml_engine.http_param_model: path to model file(s)
* real snort_ml.http_param_threshold = 0.95: alert threshold for
http_param_model { 0:1 }
* implied snort.-M: log messages to syslog (not alerts)
The Snort Team
Revision History
-Revision 3.7.0.0 2025-02-04 17:22:43 EST TST
+Revision 3.7.1.0 2025-03-12 00:16:50 EDT TST
---------------------------------------------------------------------
The Snort Team
Revision History
-Revision 3.7.0.0 2025-02-04 17:22:15 EST TST
+Revision 3.7.1.0 2025-03-12 00:16:23 EDT TST
---------------------------------------------------------------------
+ formatting - log record format
+ connector - Connector object through which logs will be sent.
See Connectors page for more details.
+ + time - timestamp format
* protocol-targeted parameters bind the targeted service and events
with filters and a set of fields to log
protocols =
{
- { service = 'http', tenant_id = 1, on_events = 'eot', fields = 'ts, uri, host, method' },
- { service = 'ftp', tenant_id = 1, on_events = 'request', fields = 'ts, command, arg' },
- { service = 'http', tenant_id = 2, on_events = 'eot', fields = 'ts, uri' },
- { service = 'conn', tenant_id = 1, on_events = 'eof', fields = 'ts, uid, service' }
+ { service = 'http', on_events = 'eot', fields = 'ts, uri, host, method' },
+ { service = 'ftp', on_events = 'request', fields = 'ts, command, arg' },
+ { service = 'http', on_events = 'eot', fields = 'ts, uri' },
+ { service = 'conn', on_events = 'eof', fields = 'ts, uid, service' },
+ { service = 'dns', on_events = 'response', fields = 'ts, uid, query, answers' }
}
}
5.18.2. Supported Parameters
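Review bot: the example drops `tenant_id` from every `protocols` entry, yet `extractor.protocols[].tenant_id` is still a documented parameter above and this release adds `tenant_id` as a common output field, so the manual now shows no example of a multi-tenant configuration at all; keep at least one entry with `tenant_id` set. Without the tenant ids the two `http` entries (`on_events = 'eot', fields = 'ts, uri, host, method'` and `on_events = 'eot', fields = 'ts, uri'`) differ only in their field list, and the text does not say whether two filters for the same service and event are allowed, whether both produce a record, or which one wins; either make the example unambiguous or document the precedence. The `dns` entry uses `on_events = 'response'`, which matches the event list that follows.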
+Timestamp formats:
+
+ * snort prints timestamp as in IPS events (see snort command line
+ options -U and -y) (string ts field)
+ * snort_yy same as above, but using YYYY-MM-DD format (string ts
+ field)
+ * unix prints UTC time in seconds (integer part) and microseconds
+ (fractional part) (floating ts field)
+ * unix_s prints UTC time in seconds (integer ts field)
+ * unix_us prints UTC time in microseconds (integer ts field)
+
Services and their events:
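Review bot: `unix` is described as seconds plus microseconds in a floating `ts` field; a current epoch value has ten integer digits, and adding six fractional digits puts it at the edge of a double's precision, so JSON consumers (and anything that re-serialises the float) may round the last microsecond and reorder records. Add a sentence recommending `unix_us` when exact microsecond ordering matters, and note that switching between `snort`/`snort_yy` and the `unix*` formats changes the `ts` column from string to number, which breaks consumers with a fixed schema.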
* HTTP, HTTP2
+ response
+ eot (a session defined by the following commands: APPE, DELE,
RETR, STOR, STOU, ACCT, PORT, PASV, EPRT, EPSV)
+ * DNS
+
+ + response
* connection (conn)
+ eof (end of flow)
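Review bot: DNS gets only a `response` event, so a query that never receives a reply produces no extractor record at all; unanswered or dropped queries are exactly what tunnelling and exfiltration detection needs to see, so either add a `request` (or query) event or state this limitation explicitly next to the event. It would also help to say whether the event fires for DNS over TCP as well as UDP, given that a `proto` field is defined for the DNS record below.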
* id.resp_h - server IP address
* id.resp_p - server TCP port
* pkt_num - packet number
+ * tenant_id - tenant identifier
Fields supported for HTTP:
* status_msg - status message returned by server
* trans_depth - number of request-response pairs seen in the
session
+ * request_body_len - length of the body, decompressed and
+ normalized, of the HTTP request
+ * response_body_len - length of the body, decompressed and
+ normalized, of the HTTP response
+ * info_code - last informational status code returned by the server
+ * info_msg - last informational reason phrase returned by the
+ server
+ * proxied - list with the headers associated with proxied requests
+ * orig_filenames - list with the names of the files sent by client
+ * resp_filenames - list with the names of the files sent by server
+ * orig_mime_types - list with the content types of the files sent
+ by client
+ * resp_mime_types - list with the content types of the files sent
+ by server
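Review bot: `proxied - list with the headers associated with proxied requests` does not say which headers are collected (`X-Forwarded-For`, `Via`, `Forwarded`?) or in what form, so the field cannot be used reliably; list them. The new `orig_filenames`, `resp_filenames`, `orig_mime_types` and `resp_mime_types` fields carry strings taken straight from peer-controlled headers, and several of them are lists, yet the text gives no list delimiter and no statement of how delimiters, quotes and newlines inside a filename are escaped in the `csv` and `json` outputs; since the ChangeLog records `extractor: add escaping for special characters`, document the escaping here so log consumers can parse these columns safely.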
Fields supported for FTP:
* data_channel.resp_h - IP address of data channel receiving point
* data_channel.resp_p - TCP port of data channel receiving point
+Fields supported for DNS:
+
+ * proto - transport protocol for DNS connection
+ * trans_id - A 16 bit identifier assigned by the program that
+ generates the query
+ * query - The domain name that is the subject of this DNS
+ transaction
+ * qclass - A 16 bit integer that specifies the class of the query
+ * qclass_name - A descriptive name for the class of the query
+ * qtype - A 16 bit integer that specifies the type of the query
+ * qtype_name - A descriptive name for the type of the query
+ * rcode - A 16 bit integer that specifies the response code to the
+ query
+ * rcode_name - A descriptive name for the response code to the
+ query
+ * AA - A boolean, true when this is an Authoritative Answer to the
+ query
+ * TC - A boolean, true when the message was truncated due to UDP
+ PDU size limits
+ * RD - A boolean, true when the client asks the server to pursue
+ the query recursively
+ * RA - A boolean, denotes the availability of recursive query
+ support at the server
+ * Z - A 3 bit integer set to 0 unless DNSSEC is used (see RFC 2535)
+ * answers - The list of answers to the query, only A and AAAA types
+ are currently supported
+ * rejected - A boolean, true when the server responds with an error
+ code and no query
+
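Review bot: the `Z` entry cites RFC 2535, which is obsoleted by RFC 4033, 4034 and 4035; cite those instead, and note that the AD and CD bits occupy two of those three positions, so a non-zero value does not by itself mean DNSSEC is in use. `answers` is limited to A and AAAA records, which means CNAME, TXT, MX and NS answers are silently omitted; TXT in particular is the usual carrier for DNS tunnelling, so the limitation should be stated more prominently than a trailing clause. `rejected - true when the server responds with an error code and no query` is unclear: presumably "no answer section" or "empty question section" is meant, so please reword.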
Fields supported for connection:
* duration - connection duration in seconds