<div class="literalblock">\r
<div class="content">\r
<pre><code> ,,_ -*> Snort++ <*-\r
-o" )~ Version 3.0.0 (Build 270)\r
+o" )~ Version 3.0.1 (Build 1)\r
'''' By Martin Roesch & The Snort Team\r
http://snort.org/contact#team\r
Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>decode.trace.all</strong> = 0: enabling traces in module { 0:max32 }\r
+int <strong>decode.trace.all</strong> = 0: enable traces in module { 0:255 }\r
</p>\r
</li>\r
</ul></div>\r
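Review bot: the range on `decode.trace.all` narrows from `{ 0:max32 }` to `{ 0:255 }` on a line that otherwise reads as a wording fix (`enabling` to `enable`), and the same narrowing is applied to every other `*.trace.all` option in this patch. Any configuration that set a trace level above 255 loaded on 3.0.0 and will fail validation on 3.0.1, so the trace section or the changelog should say plainly that trace levels are now limited to 0..255; the `detection.trace.*` options lose their separate `{ 0:max53 }` range for the same reason and deserve the same note.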
</li>\r
<li>\r
<p>\r
-int <strong>detection.trace.detect_engine</strong> = 0: enable detection engine trace logging { 0:max53 }\r
+int <strong>detection.trace.all</strong> = 0: enable detection module trace logging options { 0:255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>detection.trace.rule_eval</strong> = 0: enable rule evaluation trace logging { 0:max53 }\r
+int <strong>detection.trace.detect_engine</strong> = 0: enable detection engine trace logging { 0:255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>detection.trace.buf_min</strong> = 0: enable min buffer trace logging { 0:max53 }\r
+int <strong>detection.trace.rule_eval</strong> = 0: enable rule evaluation trace logging { 0:255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>detection.trace.buf_verbose</strong> = 0: enable verbose buffer trace logging { 0:max53 }\r
+int <strong>detection.trace.buffer</strong> = 0: enable buffer trace logging { 0:255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>detection.trace.rule_vars</strong> = 0: enable rule variables trace logging { 0:max53 }\r
+int <strong>detection.trace.rule_vars</strong> = 0: enable rule variables trace logging { 0:255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>detection.trace.fp_search</strong> = 0: enable fast pattern search trace logging { 0:max53 }\r
+int <strong>detection.trace.fp_search</strong> = 0: enable fast pattern search trace logging { 0:255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>detection.trace.pkt_detect</strong> = 0: enable packet detection trace logging { 0:max53 }\r
+int <strong>detection.trace.pkt_detect</strong> = 0: enable packet detection trace logging { 0:255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>detection.trace.opt_tree</strong> = 0: enable tree option trace logging { 0:max53 }\r
+int <strong>detection.trace.opt_tree</strong> = 0: enable tree option trace logging { 0:255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>detection.trace.tag</strong> = 0: enable tag trace logging { 0:max53 }\r
+int <strong>detection.trace.tag</strong> = 0: enable tag trace logging { 0:255 }\r
</p>\r
</li>\r
</ul></div>\r
</li>\r
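Review bot: `detection.trace.buf_min` and `detection.trace.buf_verbose` disappear and a single `detection.trace.buffer` appears in their place, with a new `detection.trace.all` inserted ahead of `detect_engine`, but nothing in the hunk says how the two old settings map onto the one new level or whether the old names are rejected or silently ignored at load. Suggest a deprecation line next to `detection.trace.buffer` stating that mapping, so people who relied on the verbose buffer dump when debugging rule buffers do not lose it without noticing.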
<li>\r
<p>\r
-enum <strong>latency.packet.action</strong> = none: event action if packet times out and is fastpathed { none | alert | log | alert_and_log }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>latency.rule.max_time</strong> = 500: set timeout for rule evaluation (usec) { 0:max53 }\r
</p>\r
</li>\r
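Review bot: `latency.packet.action` is removed outright, with no replacement in this hunk and no deprecation text. The surviving `latency.packet.fastpath` still says expensive packets are fastpathed once `max_time` is exceeded, but the doc no longer says whether any alert or log event is raised when that happens. If packet latency events are now always generated, or never, state it in the latency section: fastpathing means a packet skips inspection, and operators who used that event to see when traffic was bypassing detection will otherwise lose the signal silently.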
</li>\r
<li>\r
<p>\r
-enum <strong>latency.rule.action</strong> = none: event action for rule latency enable and suspend events { none | alert | log | alert_and_log }\r
+int <strong>latency.trace.all</strong> = 0: enable traces in module { 0:255 }\r
</p>\r
</li>\r
</ul></div>\r
</li>\r
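Review bot: the hunk substitutes `int latency.trace.all` for `enum latency.rule.action` at the same list position, which reads as a rename but is two unrelated changes: the enum that chose the event action for rule suspend and enable events is dropped, and a module trace level is added. With `rule.suspend` still documented and `max_suspend_time = 0` still meaning a rule is permanently disabled, the doc should say how a suspension is surfaced now that `rule.action` is gone; a rule being disabled without an event is a detection gap an operator needs to be able to see.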
<li>\r
<p>\r
-int <strong>snort.trace.all</strong> = 0: enabling traces in module { 0:max32 }\r
+int <strong>snort.trace.all</strong> = 0: enable traces in module { 0:255 }\r
</p>\r
</li>\r
</ul></div>\r
</li>\r
<li>\r
<p>\r
-int <strong>appid.trace.all</strong> = 0: enabling traces in module { 0:max32 }\r
+int <strong>appid.trace.all</strong> = 0: enable traces in module { 0:255 }\r
</p>\r
</li>\r
</ul></div>\r
</li>\r
<li>\r
<p>\r
-int <strong>dce_smb.trace.all</strong> = 0: enabling traces in module { 0:max32 }\r
+int <strong>dce_smb.trace.all</strong> = 0: enable traces in module { 0:255 }\r
</p>\r
</li>\r
</ul></div>\r
</li>\r
<li>\r
<p>\r
-int <strong>dce_udp.trace.all</strong> = 0: enabling traces in module { 0:max32 }\r
+int <strong>dce_udp.trace.all</strong> = 0: enable traces in module { 0:255 }\r
</p>\r
</li>\r
</ul></div>\r
</li>\r
<li>\r
<p>\r
-int <strong>gtp_inspect.trace.all</strong> = 0: enabling traces in module { 0:max32 }\r
+int <strong>gtp_inspect.trace.all</strong> = 0: enable traces in module { 0:255 }\r
</p>\r
</li>\r
</ul></div>\r
<strong>119:249</strong> (http_inspect) excessive HTTP parameter key repeats\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+<strong>119:250</strong> (http_inspect) HTTP/2 Transfer-Encoding header other than identity\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>119:251</strong> (http_inspect) HTTP/2 message body overruns Content-Length header value\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>119:252</strong> (http_inspect) HTTP/2 message body smaller than Content-Length header value\r
+</p>\r
+</li>\r
</ul></div>\r
<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
</ul></div>\r
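Review bot: the three new builtin rules 119:250..252 name the condition they flag (a Transfer-Encoding header on an HTTP/2 message, a body longer or shorter than Content-Length) but not what http_inspect does with the message afterwards: whether the body is still reassembled and inspected up to Content-Length, truncated at it, or passed through as received. For the two Content-Length mismatch rules the doc should state which length the inspector trusts for the message boundary, since any downstream that trusts the other one will parse a different message; as written, a reader cannot tell whether these rules change inspection or only add alerts.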
</div>\r
<div class="sect2">\r
+<h3 id="_so_proxy">so_proxy</h3>\r
+<div class="paragraph"><p>What: a proxy inspector to track flow data from SO rules (internal use only)</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
+</div>\r
+<div class="sect2">\r
<h3 id="_ssh">ssh</h3>\r
<div class="paragraph"><p>What: ssh inspection</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
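Review bot: `so_proxy` is described as "internal use only" yet it is inserted into the user-facing inspector list with `Usage: global` and gets its own numbered section, which invites users to configure it. Either the What line should say whether it has any user-settable options and whether it may be referenced from a binder, or the module should be kept out of the reference; a manual entry that users are expected to ignore is a contradiction.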
</li>\r
<li>\r
<p>\r
-int <strong>stream.trace.all</strong> = 0: enabling traces in module { 0:max32 }\r
+int <strong>stream.trace.all</strong> = 0: enable traces in module { 0:255 }\r
</p>\r
</li>\r
</ul></div>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream_ip.trace.all</strong> = 0: enabling traces in module { 0:max32 }\r
+int <strong>stream_ip.trace.all</strong> = 0: enable traces in module { 0:255 }\r
</p>\r
</li>\r
</ul></div>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream_user.trace.all</strong> = 0: enabling traces in module { 0:max32 }\r
+int <strong>stream_user.trace.all</strong> = 0: enable traces in module { 0:255 }\r
</p>\r
</li>\r
</ul></div>\r
multi <strong>wizard.curses</strong>: enable service identification based on internal algorithm { dce_smb | dce_udp | dce_tcp }\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+int <strong>wizard.trace.all</strong> = 0: enable traces in module { 0:255 }\r
+</p>\r
+</li>\r
</ul></div>\r
<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
</li>\r
<li>\r
<p>\r
-Presently using FIXIT-X where X = A | W | P | H | M | L | D, indicating\r
- analysis, warning, perf, high, med, low priority, or deprecated. Place A and\r
- W comments on the exact warning line so we can match up comments and build\r
- output. Supporting comments can be added above.\r
+Presently using FIXIT-X where X is one of the characters below. Place A\r
+ and W comments on the exact warning line so we can match up comments and\r
+ build output. Supporting comments can be added above.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+A = known static analysis issue\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+D = deprecated - code to be removed after users update\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+E = enhancement - next steps for incomplete features (not a bug)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+H = high priority - urgent deficiency\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+L = low priority - cleanup or similar technical debt (not a bug)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+M = medium priority - suspected non-urgent deficiency\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+P = performance issue (not a bug)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+W = warning - known compiler warning\r
</p>\r
</li>\r
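Review bot: the new one-letter legend entries (A, D, E, H, L, M, P, W) are emitted as sibling `<li>` elements at the same level as the "Presently using FIXIT-X" bullet rather than nested under it, so in the rendered list they read as independent style rules instead of the meaning of X. The placement rule for A and W on the exact warning line is kept, but the legend now adds E and marks E, L and P as "not a bug"; one sentence on whether those may sit on a line of their own would complete the rule.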
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>appid.trace.all</strong> = 0: enabling traces in module { 0:max32 }\r
+int <strong>appid.trace.all</strong> = 0: enable traces in module { 0:255 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>dce_smb.trace.all</strong> = 0: enabling traces in module { 0:max32 }\r
+int <strong>dce_smb.trace.all</strong> = 0: enable traces in module { 0:255 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>dce_udp.trace.all</strong> = 0: enabling traces in module { 0:max32 }\r
+int <strong>dce_udp.trace.all</strong> = 0: enable traces in module { 0:255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>decode.trace.all</strong> = 0: enabling traces in module { 0:max32 }\r
+int <strong>decode.trace.all</strong> = 0: enable traces in module { 0:255 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>detection.trace.buf_min</strong> = 0: enable min buffer trace logging { 0:max53 }\r
+int <strong>detection.trace.all</strong> = 0: enable detection module trace logging options { 0:255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>detection.trace.buf_verbose</strong> = 0: enable verbose buffer trace logging { 0:max53 }\r
+int <strong>detection.trace.buffer</strong> = 0: enable buffer trace logging { 0:255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>detection.trace.detect_engine</strong> = 0: enable detection engine trace logging { 0:max53 }\r
+int <strong>detection.trace.detect_engine</strong> = 0: enable detection engine trace logging { 0:255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>detection.trace.fp_search</strong> = 0: enable fast pattern search trace logging { 0:max53 }\r
+int <strong>detection.trace.fp_search</strong> = 0: enable fast pattern search trace logging { 0:255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>detection.trace.opt_tree</strong> = 0: enable tree option trace logging { 0:max53 }\r
+int <strong>detection.trace.opt_tree</strong> = 0: enable tree option trace logging { 0:255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>detection.trace.pkt_detect</strong> = 0: enable packet detection trace logging { 0:max53 }\r
+int <strong>detection.trace.pkt_detect</strong> = 0: enable packet detection trace logging { 0:255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>detection.trace.rule_eval</strong> = 0: enable rule evaluation trace logging { 0:max53 }\r
+int <strong>detection.trace.rule_eval</strong> = 0: enable rule evaluation trace logging { 0:255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>detection.trace.rule_vars</strong> = 0: enable rule variables trace logging { 0:max53 }\r
+int <strong>detection.trace.rule_vars</strong> = 0: enable rule variables trace logging { 0:255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>detection.trace.tag</strong> = 0: enable tag trace logging { 0:max53 }\r
+int <strong>detection.trace.tag</strong> = 0: enable tag trace logging { 0:255 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>gtp_inspect.trace.all</strong> = 0: enabling traces in module { 0:max32 }\r
+int <strong>gtp_inspect.trace.all</strong> = 0: enable traces in module { 0:255 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-enum <strong>latency.packet.action</strong> = none: event action if packet times out and is fastpathed { none | alert | log | alert_and_log }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
bool <strong>latency.packet.fastpath</strong> = false: fastpath expensive packets (max_time exceeded)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-enum <strong>latency.rule.action</strong> = none: event action for rule latency enable and suspend events { none | alert | log | alert_and_log }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>latency.rule.max_suspend_time</strong> = 30000: set max time for suspending a rule (ms, 0 means permanently disable rule) { 0:max32 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+int <strong>latency.trace.all</strong> = 0: enable traces in module { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
bool <strong>log_codecs.file</strong> = false: output to log_codecs.txt instead of stdout\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>snort.trace.all</strong> = 0: enabling traces in module { 0:max32 }\r
+int <strong>snort.trace.all</strong> = 0: enable traces in module { 0:255 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream_ip.trace.all</strong> = 0: enabling traces in module { 0:max32 }\r
+int <strong>stream_ip.trace.all</strong> = 0: enable traces in module { 0:255 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.trace.all</strong> = 0: enabling traces in module { 0:max32 }\r
+int <strong>stream.trace.all</strong> = 0: enable traces in module { 0:255 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream_user.trace.all</strong> = 0: enabling traces in module { 0:max32 }\r
+int <strong>stream_user.trace.all</strong> = 0: enable traces in module { 0:255 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+int <strong>wizard.trace.all</strong> = 0: enable traces in module { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
interval <strong>wscale.~range</strong>: check if TCP window scale is in given range { 0:65535 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>119:250</strong> (http_inspect) HTTP/2 Transfer-Encoding header other than identity\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>119:251</strong> (http_inspect) HTTP/2 message body overruns Content-Length header value\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>119:252</strong> (http_inspect) HTTP/2 message body smaller than Content-Length header value\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>121:1</strong> (http2_inspect) error in HPACK integer value\r
</p>\r
</li>\r
change -> perfmonitor: 'time' ==> 'seconds'\r
change -> policy_mode: 'inline_test' ==> 'inline-test'\r
change -> pop: 'ports' ==> 'bindings'\r
-change -> ppm: ''both'' ==> ''alert_and_log''\r
change -> ppm: 'fastpath-expensive-packets' ==> 'packet.fastpath'\r
change -> ppm: 'max-pkt-time' ==> 'packet.max_time'\r
change -> ppm: 'max-rule-time' ==> 'rule.max_time'\r
-change -> ppm: 'pkt-log' ==> 'packet.action'\r
change -> ppm: 'ppm' ==> 'latency'\r
-change -> ppm: 'rule-log' ==> 'rule.action'\r
change -> ppm: 'suspend-expensive-rules' ==> 'rule.suspend'\r
change -> ppm: 'suspend-timeout' ==> 'max_suspend_time'\r
change -> ppm: 'threshold' ==> 'rule.suspend_threshold'\r
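Review bot: three snort2lua conversions are dropped here (`'both' ==> 'alert_and_log'`, `pkt-log ==> packet.action`, `rule-log ==> rule.action`) because the target options no longer exist, but the page does not say what snort2lua now does with a Snort 2 `ppm` line that still carries `pkt-log` or `rule-log`. Dropping them silently would discard the operator's logging choice; a line stating that these keywords are now ignored, ideally with a conversion warning, is better than removal by omission.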
</li>\r
<li>\r
<p>\r
+<strong>so_proxy</strong> (inspector): a proxy inspector to track flow data from SO rules (internal use only)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>soid</strong> (ips_option): rule option to specify a shared object rule ID\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>inspector::so_proxy</strong>: a proxy inspector to track flow data from SO rules (internal use only)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>inspector::ssh</strong>: ssh inspection\r
</p>\r
</li>\r
<div id="footer">\r
<div id="footer-text">\r
Last updated\r
- 2020-03-25 09:21:03 EDT\r
+ 2020-03-31 10:05:15 EDT\r
</div>\r
</div>\r
</body>\r
9.39. s7commplus
9.40. sip
9.41. smtp
- 9.42. ssh
- 9.43. ssl
- 9.44. stream
- 9.45. stream_file
- 9.46. stream_icmp
- 9.47. stream_ip
- 9.48. stream_tcp
- 9.49. stream_udp
- 9.50. stream_user
- 9.51. telnet
- 9.52. wizard
+ 9.42. so_proxy
+ 9.43. ssh
+ 9.44. ssl
+ 9.45. stream
+ 9.46. stream_file
+ 9.47. stream_icmp
+ 9.48. stream_ip
+ 9.49. stream_tcp
+ 9.50. stream_udp
+ 9.51. stream_user
+ 9.52. telnet
+ 9.53. wizard
10. IPS Action Modules
Snorty
,,_ -*> Snort++ <*-
-o" )~ Version 3.0.0 (Build 270)
+o" )~ Version 3.0.1 (Build 1)
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
Configuration:
- * int decode.trace.all = 0: enabling traces in module { 0:max32 }
+ * int decode.trace.all = 0: enable traces in module { 0:255 }
Rules:
instead of pcre for compatible expressions
* bool detection.enable_address_anomaly_checks = false: enable
check and alerting of address anomalies
+ * int detection.trace.all = 0: enable detection module trace
+ logging options { 0:255 }
* int detection.trace.detect_engine = 0: enable detection engine
- trace logging { 0:max53 }
+ trace logging { 0:255 }
* int detection.trace.rule_eval = 0: enable rule evaluation trace
- logging { 0:max53 }
- * int detection.trace.buf_min = 0: enable min buffer trace logging
- { 0:max53 }
- * int detection.trace.buf_verbose = 0: enable verbose buffer trace
- logging { 0:max53 }
+ logging { 0:255 }
+ * int detection.trace.buffer = 0: enable buffer trace logging {
+ 0:255 }
* int detection.trace.rule_vars = 0: enable rule variables trace
- logging { 0:max53 }
+ logging { 0:255 }
* int detection.trace.fp_search = 0: enable fast pattern search
- trace logging { 0:max53 }
+ trace logging { 0:255 }
* int detection.trace.pkt_detect = 0: enable packet detection trace
- logging { 0:max53 }
+ logging { 0:255 }
* int detection.trace.opt_tree = 0: enable tree option trace
- logging { 0:max53 }
- * int detection.trace.tag = 0: enable tag trace logging { 0:max53 }
+ logging { 0:255 }
+ * int detection.trace.tag = 0: enable tag trace logging { 0:255 }
Peg counts:
thresholding (usec) { 0:max53 }
* bool latency.packet.fastpath = false: fastpath expensive packets
(max_time exceeded)
- * enum latency.packet.action = none: event action if packet times
- out and is fastpathed { none | alert | log | alert_and_log }
* int latency.rule.max_time = 500: set timeout for rule evaluation
(usec) { 0:max53 }
* bool latency.rule.suspend = false: temporarily suspend expensive
* int latency.rule.max_suspend_time = 30000: set max time for
suspending a rule (ms, 0 means permanently disable rule) {
0:max32 }
- * enum latency.rule.action = none: event action for rule latency
- enable and suspend events { none | alert | log | alert_and_log }
+ * int latency.trace.all = 0: enable traces in module { 0:255 }
Rules:
* string snort.--x2s: output ASCII string for given byte code (see
also --x2c)
* implied snort.--trace: turn on main loop debug trace
- * int snort.trace.all = 0: enabling traces in module { 0:max32 }
+ * int snort.trace.all = 0: enable traces in module { 0:255 }
Commands:
on startup
* bool appid.log_all_sessions = false: enable logging of all appid
sessions
- * int appid.trace.all = 0: enabling traces in module { 0:max32 }
+ * int appid.trace.all = 0: enable traces in module { 0:255 }
Commands:
(-1 = disabled, 0 = unlimited) { -1:32767 }
* string dce_smb.smb_invalid_shares: SMB shares to alert on
* bool dce_smb.smb_legacy_mode = false: inspect only SMBv1
- * int dce_smb.trace.all = 0: enabling traces in module { 0:max32 }
+ * int dce_smb.trace.all = 0: enable traces in module { 0:255 }
Rules:
defragmentation
* int dce_udp.max_frag_len = 65535: maximum fragment size for
defragmentation { 1514:65535 }
- * int dce_udp.trace.all = 0: enabling traces in module { 0:max32 }
+ * int dce_udp.trace.all = 0: enable traces in module { 0:255 }
Rules:
* string gtp_inspect[].infos[].name: information element name
* int gtp_inspect[].infos[].length = 0: information element type
code { 0:255 }
- * int gtp_inspect.trace.all = 0: enabling traces in module {
- 0:max32 }
+ * int gtp_inspect.trace.all = 0: enable traces in module { 0:255 }
Rules:
* 119:248 (http_inspect) gzip compressed data followed by
unexpected non-gzip data
* 119:249 (http_inspect) excessive HTTP parameter key repeats
+ * 119:250 (http_inspect) HTTP/2 Transfer-Encoding header other than
+ identity
+ * 119:251 (http_inspect) HTTP/2 message body overruns
+ Content-Length header value
+ * 119:252 (http_inspect) HTTP/2 message body smaller than
+ Content-Length header value
Peg counts:
* smtp.non_encoded_bytes: total non-encoded extracted bytes (sum)
-9.42. ssh
+9.42. so_proxy
+
+--------------
+
+What: a proxy inspector to track flow data from SO rules (internal
+use only)
+
+Type: inspector
+
+Usage: global
+
+
+9.43. ssh
--------------
(max)
-9.43. ssl
+9.44. ssl
--------------
(max)
-9.44. stream
+9.45. stream
--------------
before retiring session tracker { 1:max32 }
* int stream.file_cache.cap_weight = 32: additional bytes to track
per flow for better estimation against cap { 0:65535 }
- * int stream.trace.all = 0: enabling traces in module { 0:max32 }
+ * int stream.trace.all = 0: enable traces in module { 0:255 }
Rules:
deleted by config reloads (sum)
-9.45. stream_file
+9.46. stream_file
--------------
* bool stream_file.upload = false: indicate file transfer direction
-9.46. stream_icmp
+9.47. stream_icmp
--------------
* stream_icmp.prunes: icmp session prunes (sum)
-9.47. stream_ip
+9.48. stream_ip
--------------
| linux | bsd | bsd_right | last | windows | solaris }
* int stream_ip.session_timeout = 30: session tracking timeout {
1:max31 }
- * int stream_ip.trace.all = 0: enabling traces in module { 0:max32
- }
+ * int stream_ip.trace.all = 0: enable traces in module { 0:255 }
Rules:
* stream_ip.fragmented_bytes: total fragmented bytes (sum)
-9.48. stream_tcp
+9.49. stream_tcp
--------------
* stream_tcp.partial_flush_bytes: partial flush total bytes (sum)
-9.49. stream_udp
+9.50. stream_udp
--------------
* stream_udp.ignored: udp packets ignored (sum)
-9.50. stream_user
+9.51. stream_user
--------------
* int stream_user.session_timeout = 30: session tracking timeout {
1:max31 }
- * int stream_user.trace.all = 0: enabling traces in module {
- 0:max32 }
+ * int stream_user.trace.all = 0: enable traces in module { 0:255 }
-9.51. telnet
+9.52. telnet
--------------
sessions (max)
-9.52. wizard
+9.53. wizard
--------------
wild cards (*)
* multi wizard.curses: enable service identification based on
internal algorithm { dce_smb | dce_udp | dce_tcp }
+ * int wizard.trace.all = 0: enable traces in module { 0:255 }
Peg counts:
* Use FIXIT (not FIXTHIS or TODO or whatever) to mark things left
for a day or even just a minute. That way we can find them easily
and won’t lose track of them.
- * Presently using FIXIT-X where X = A | W | P | H | M | L | D,
- indicating analysis, warning, perf, high, med, low priority, or
- deprecated. Place A and W comments on the exact warning line so
- we can match up comments and build output. Supporting comments
- can be added above.
+ * Presently using FIXIT-X where X is one of the characters below.
+ Place A and W comments on the exact warning line so we can match
+ up comments and build output. Supporting comments can be added
+ above.
+ * A = known static analysis issue
+ * D = deprecated - code to be removed after users update
+ * E = enhancement - next steps for incomplete features (not a bug)
+ * H = high priority - urgent deficiency
+ * L = low priority - cleanup or similar technical debt (not a bug)
+ * M = medium priority - suspected non-urgent deficiency
+ * P = performance issue (not a bug)
+ * W = warning - known compiler warning
* Put the copyright(s) and license in a comment block at the top of
each source file (.h and .cc). Don’t bother with trivial scripts
and make foo. Some interesting Lua code should get a comment
library
* bool appid.tp_appid_stats_enable: enable collection of stats and
print stats on exit in third party module
- * int appid.trace.all = 0: enabling traces in module { 0:max32 }
+ * int appid.trace.all = 0: enable traces in module { 0:255 }
* ip4 arp_spoof.hosts[].ip: host ip address
* mac arp_spoof.hosts[].mac: host mac address
* int asn1.absolute_offset: absolute offset from the beginning of
* bool dce_smb.smb_legacy_mode = false: inspect only SMBv1
* int dce_smb.smb_max_chain = 3: SMB max chain size { 0:255 }
* int dce_smb.smb_max_compound = 3: SMB max compound size { 0:255 }
- * int dce_smb.trace.all = 0: enabling traces in module { 0:max32 }
+ * int dce_smb.trace.all = 0: enable traces in module { 0:255 }
* multi dce_smb.valid_smb_versions = all: valid SMB versions { v1 |
v2 | all }
* bool dce_tcp.disable_defrag = false: disable DCE/RPC
per signature per flow
* int dce_udp.max_frag_len = 65535: maximum fragment size for
defragmentation { 1514:65535 }
- * int dce_udp.trace.all = 0: enabling traces in module { 0:max32 }
- * int decode.trace.all = 0: enabling traces in module { 0:max32 }
+ * int dce_udp.trace.all = 0: enable traces in module { 0:255 }
+ * int decode.trace.all = 0: enable traces in module { 0:255 }
* int detection.asn1 = 0: maximum decode nodes { 0:65535 }
* bool detection.enable_address_anomaly_checks = false: enable
check and alerting of address anomalies
overrides when pattern matching (ie ignore /O)
* bool detection.pcre_to_regex = false: enable the use of regex
instead of pcre for compatible expressions
- * int detection.trace.buf_min = 0: enable min buffer trace logging
- { 0:max53 }
- * int detection.trace.buf_verbose = 0: enable verbose buffer trace
- logging { 0:max53 }
+ * int detection.trace.all = 0: enable detection module trace
+ logging options { 0:255 }
+ * int detection.trace.buffer = 0: enable buffer trace logging {
+ 0:255 }
* int detection.trace.detect_engine = 0: enable detection engine
- trace logging { 0:max53 }
+ trace logging { 0:255 }
* int detection.trace.fp_search = 0: enable fast pattern search
- trace logging { 0:max53 }
+ trace logging { 0:255 }
* int detection.trace.opt_tree = 0: enable tree option trace
- logging { 0:max53 }
+ logging { 0:255 }
* int detection.trace.pkt_detect = 0: enable packet detection trace
- logging { 0:max53 }
+ logging { 0:255 }
* int detection.trace.rule_eval = 0: enable rule evaluation trace
- logging { 0:max53 }
+ logging { 0:255 }
* int detection.trace.rule_vars = 0: enable rule variables trace
- logging { 0:max53 }
- * int detection.trace.tag = 0: enable tag trace logging { 0:max53 }
+ logging { 0:255 }
+ * int detection.trace.tag = 0: enable tag trace logging { 0:255 }
* bool dnp3.check_crc = false: validate checksums in DNP3 link
layer frames
* string dnp3_func.~: match DNP3 function code or name
* string gtp_inspect[].messages[].name: message name
* int gtp_inspect[].messages[].type = 0: message type code { 0:255
}
- * int gtp_inspect.trace.all = 0: enabling traces in module {
- 0:max32 }
+ * int gtp_inspect.trace.all = 0: enable traces in module { 0:255 }
* int gtp_inspect[].version = 2: GTP version { 0:2 }
* string gtp_type.~: list of types to match
* int gtp_version.~: version to match { 0:2 }
buffer
* interval itype.~range: check if ICMP type is in given range {
0:255 }
- * enum latency.packet.action = none: event action if packet times
- out and is fastpathed { none | alert | log | alert_and_log }
* bool latency.packet.fastpath = false: fastpath expensive packets
(max_time exceeded)
* int latency.packet.max_time = 500: set timeout for packet latency
thresholding (usec) { 0:max53 }
- * enum latency.rule.action = none: event action for rule latency
- enable and suspend events { none | alert | log | alert_and_log }
* int latency.rule.max_suspend_time = 30000: set max time for
suspending a rule (ms, 0 means permanently disable rule) {
0:max32 }
rules
* int latency.rule.suspend_threshold = 5: set threshold for number
of timeouts before suspending a rule { 1:max32 }
+ * int latency.trace.all = 0: enable traces in module { 0:255 }
* bool log_codecs.file = false: output to log_codecs.txt instead of
stdout
* bool log_codecs.msg = false: include alert msg
talos)
* string snort.-t: <dir> chroots process to <dir> after
initialization
- * int snort.trace.all = 0: enabling traces in module { 0:max32 }
+ * int snort.trace.all = 0: enable traces in module { 0:255 }
* implied snort.--trace: turn on main loop debug trace
* implied snort.--treat-drop-as-alert: converts drop, block, and
reset rules into alert rules when loaded
| linux | bsd | bsd_right | last | windows | solaris }
* int stream_ip.session_timeout = 30: session tracking timeout {
1:max31 }
- * int stream_ip.trace.all = 0: enabling traces in module { 0:max32
- }
+ * int stream_ip.trace.all = 0: enable traces in module { 0:255 }
* int stream.max_flows = 476288: maximum simultaneous flows tracked
before pruning { 2:max32 }
* int stream.pruning_timeout = 30: minimum inactive time before
* int stream_tcp.small_segments.maximum_size = 0: minimum bytes for
a TCP segment not to be considered small (129:12) { 0:2048 }
* bool stream_tcp.track_only = false: disable reassembly if true
- * int stream.trace.all = 0: enabling traces in module { 0:max32 }
+ * int stream.trace.all = 0: enable traces in module { 0:255 }
* int stream.udp_cache.cap_weight = 128: additional bytes to track
per flow for better estimation against cap { 0:65535 }
* int stream.udp_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 }
* int stream_user.session_timeout = 30: session tracking timeout {
1:max31 }
- * int stream_user.trace.all = 0: enabling traces in module {
- 0:max32 }
+ * int stream_user.trace.all = 0: enable traces in module { 0:255 }
* int suppress[].gid = 0: rule generator ID { 0:max32 }
* string suppress[].ip: restrict suppression to these addresses
according to track
wild cards (*)
* string wizard.spells[].to_server[].spell: sequence of data with
wild cards (*)
+ * int wizard.trace.all = 0: enable traces in module { 0:255 }
* interval wscale.~range: check if TCP window scale is in given
range { 0:65535 }
* 119:248 (http_inspect) gzip compressed data followed by
unexpected non-gzip data
* 119:249 (http_inspect) excessive HTTP parameter key repeats
+ * 119:250 (http_inspect) HTTP/2 Transfer-Encoding header other than
+ identity
+ * 119:251 (http_inspect) HTTP/2 message body overruns
+ Content-Length header value
+ * 119:252 (http_inspect) HTTP/2 message body smaller than
+ Content-Length header value
* 121:1 (http2_inspect) error in HPACK integer value
* 121:2 (http2_inspect) HPACK integer value has leading zeros
* 121:3 (http2_inspect) error in HPACK string value
change -> perfmonitor: 'time' ==> 'seconds'
change -> policy_mode: 'inline_test' ==> 'inline-test'
change -> pop: 'ports' ==> 'bindings'
-change -> ppm: ''both'' ==> ''alert_and_log''
change -> ppm: 'fastpath-expensive-packets' ==> 'packet.fastpath'
change -> ppm: 'max-pkt-time' ==> 'packet.max_time'
change -> ppm: 'max-rule-time' ==> 'rule.max_time'
-change -> ppm: 'pkt-log' ==> 'packet.action'
change -> ppm: 'ppm' ==> 'latency'
-change -> ppm: 'rule-log' ==> 'rule.action'
change -> ppm: 'suspend-expensive-rules' ==> 'rule.suspend'
change -> ppm: 'suspend-timeout' ==> 'max_suspend_time'
change -> ppm: 'threshold' ==> 'rule.suspend_threshold'
* smtp (inspector): smtp inspection
* snort (basic): command line configuration and shell commands
* so (ips_option): rule option to call custom eval function
+ * so_proxy (inspector): a proxy inspector to track flow data from
+ SO rules (internal use only)
* soid (ips_option): rule option to specify a shared object rule ID
* ssh (inspector): ssh inspection
* ssl (inspector): ssl inspection
* inspector::s7commplus: s7commplus inspection
* inspector::sip: sip inspection
* inspector::smtp: smtp inspection
+ * inspector::so_proxy: a proxy inspector to track flow data from SO
+ rules (internal use only)
* inspector::ssh: ssh inspection
* inspector::ssl: ssl inspection
* inspector::stream: common flow tracking