static const RuleMap tkr_rules[] =
{
- { DECODE_BAD_TRH, "(" TR_NAME ") Bad Token Ring Header" },
- { DECODE_BAD_TR_ETHLLC, "(" TR_NAME ") Bad Token Ring ETHLLC Header" },
- { DECODE_BAD_TR_MR_LEN, "(" TR_NAME ") Bad Token Ring MRLENHeader" },
- { DECODE_BAD_TRHMR, "(" TR_NAME ") Bad Token Ring MR Header" },
+ { DECODE_BAD_TRH, "bad Token Ring header" },
+ { DECODE_BAD_TR_ETHLLC, "bad Token Ring ETHLLC header" },
+ { DECODE_BAD_TR_MR_LEN, "bad Token Ring MRLEN header" },
+ { DECODE_BAD_TRHMR, "bad Token Ring MR header" },
{ 0, nullptr }
};
static const RuleMap general_decode_rules[] =
{
- { DECODE_IP_BAD_PROTO, "BAD-TRAFFIC bad IP protocol" },
+ { DECODE_IP_BAD_PROTO, "bad IP protocol" },
{ DECODE_IP_MULTIPLE_ENCAPSULATION,
"two or more IP (v4 and/or v6) encapsulation layers present" },
{ DECODE_ZERO_LENGTH_FRAG, "fragment with zero length" },
- { DECODE_BAD_TRAFFIC_LOOPBACK, "bad traffic loopback IP" },
- { DECODE_BAD_TRAFFIC_SAME_SRCDST, "bad traffic same src/dst IP" },
- { DECODE_IP_UNASSIGNED_PROTO, "BAD-TRAFFIC unassigned/reserved IP protocol" },
+ { DECODE_BAD_TRAFFIC_LOOPBACK, "loopback IP" },
+ { DECODE_BAD_TRAFFIC_SAME_SRCDST, "same src/dst IP" },
+ { DECODE_IP_UNASSIGNED_PROTO, "unassigned/reserved IP protocol" },
{ DECODE_TOO_MANY_LAYERS, "too many protocols present" },
{ 0, nullptr },
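Review bot: The new strings for DECODE_IP_BAD_PROTO, DECODE_BAD_TRAFFIC_LOOPBACK, DECODE_BAD_TRAFFIC_SAME_SRCDST and DECODE_IP_UNASSIGNED_PROTO change the emitted alert text, and nothing in the table says that text is not a stable identifier. Any log filter, suppression or SIEM correlation that matches on the old `BAD-TRAFFIC` prefix would presumably stop matching after this commit, without any error. I would add a comment above the table such as `// msg text is display-only and may change; consumers should key on gid:sid`. The same applies to the other entries in this commit that drop the prefix (DECODE_ICMP_DOS_ATTEMPT, DECODE_IP_RESERVED_FRAG_BIT, DECODE_IPV6_ISATAP_SPOOF, DECODE_PGM_NAK_OVERFLOW, DECODE_TCP_PORT_ZERO, DECODE_UDP_PORT_ZERO).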
{ DECODE_ICMP4_DST_MULTICAST, "ICMP4 packet to multicast dest address" },
{ DECODE_ICMP4_DST_BROADCAST, "ICMP4 packet to broadcast dest address" },
{ DECODE_ICMP4_TYPE_OTHER, "ICMP4 type other" },
- { DECODE_ICMP_PING_NMAP, "ICMP ping NMAP" },
+ { DECODE_ICMP_PING_NMAP, "ICMP ping Nmap" },
{ DECODE_ICMP_ICMPENUM, "ICMP icmpenum v1.1.1" },
{ DECODE_ICMP_REDIRECT_HOST, "ICMP redirect host" },
{ DECODE_ICMP_REDIRECT_NET, "ICMP redirect net" },
{ DECODE_ICMP_DST_UNREACH_ADMIN_PROHIBITED,
"ICMP destination unreachable communication administratively prohibited" },
{ DECODE_ICMP_DST_UNREACH_DST_HOST_PROHIBITED,
- "ICMP destination unreachable communication with destination host is administratively prohibited" },
+ "ICMP destination unreachable communication with destination host is "
+ "administratively prohibited" },
{ DECODE_ICMP_DST_UNREACH_DST_NET_PROHIBITED,
- "ICMP destination unreachable communication with destination network is administratively prohibited" },
+ "ICMP destination unreachable communication with destination network is "
+ "administratively prohibited" },
{ DECODE_ICMP_PATH_MTU_DOS, "ICMP path MTU denial of service attempt" },
- { DECODE_ICMP_DOS_ATTEMPT, "BAD-TRAFFIC Linux ICMP header DOS attempt" },
+ { DECODE_ICMP_DOS_ATTEMPT, "Linux ICMP header DOS attempt" },
{ DECODE_ICMP4_HDR_TRUNC, "truncated ICMP4 header" },
{ 0, nullptr }
};
static const RuleMap icmp6_rules[] =
{
{ DECODE_ICMP6_HDR_TRUNC, "truncated ICMP6 header" },
- { DECODE_ICMP6_TYPE_OTHER, "ICMP6 type not decoded" },
- { DECODE_ICMP6_DST_MULTICAST, "ICMP6 packet to multicast address" },
+ { DECODE_ICMP6_TYPE_OTHER, "ICMPv6 type not decoded" },
+ { DECODE_ICMP6_DST_MULTICAST, "ICMPv6 packet to multicast address" },
{ DECODE_ICMPV6_TOO_BIG_BAD_MTU,
"ICMPv6 packet of type 2 (message too big) with MTU field < 1280" },
{ DECODE_ICMPV6_UNREACHABLE_NON_RFC_2463_CODE,
static const RuleMap ipv4_rules[] =
{
- { DECODE_NOT_IPV4_DGRAM, "Not IPv4 datagram" },
- { DECODE_IPV4_INVALID_HEADER_LEN, "hlen < minimum" },
- { DECODE_IPV4_DGRAM_LT_IPHDR, "IP dgm len < IP Hdr len" },
- { DECODE_IPV4OPT_BADLEN, "Ipv4 Options found with bad lengths" },
- { DECODE_IPV4OPT_TRUNCATED, "Truncated Ipv4 Options" },
- { DECODE_IPV4_DGRAM_GT_CAPLEN, "IP dgm len > captured len" },
- { DECODE_ZERO_TTL, "IPV4 packet with zero TTL" },
- { DECODE_BAD_FRAGBITS, "IPV4 packet with bad frag bits (both MF and DF set)" },
- { DECODE_IP4_LEN_OFFSET, "IPV4 packet frag offset + length exceed maximum" },
- { DECODE_IP4_SRC_THIS_NET, "IPV4 packet from 'current net' source address" },
- { DECODE_IP4_DST_THIS_NET, "IPV4 packet to 'current net' dest address" },
- { DECODE_IP4_SRC_MULTICAST, "IPV4 packet from multicast source address" },
- { DECODE_IP4_SRC_RESERVED, "IPV4 packet from reserved source address" },
- { DECODE_IP4_DST_RESERVED, "IPV4 packet to reserved dest address" },
- { DECODE_IP4_SRC_BROADCAST, "IPV4 packet from broadcast source address" },
- { DECODE_IP4_DST_BROADCAST, "IPV4 packet to broadcast dest address" },
- { DECODE_IP4_MIN_TTL, "IPV4 packet below TTL limit" },
- { DECODE_IP4_DF_OFFSET, "IPV4 packet both DF and offset set" },
- { DECODE_IP_RESERVED_FRAG_BIT, "BAD-TRAFFIC IP reserved bit set" },
- { DECODE_IP_OPTION_SET, "MISC IP option set" },
- { DECODE_IP4_HDR_TRUNC, "truncated IP4 header" },
+ { DECODE_NOT_IPV4_DGRAM, "not IPv4 datagram" },
+ { DECODE_IPV4_INVALID_HEADER_LEN, "IPv4 header length < minimum" },
+ { DECODE_IPV4_DGRAM_LT_IPHDR, "IPv4 datagram length < header field" },
+ { DECODE_IPV4OPT_BADLEN, "IPv4 options found with bad lengths" },
+ { DECODE_IPV4OPT_TRUNCATED, "truncated IPv4 options" },
+ { DECODE_IPV4_DGRAM_GT_CAPLEN, "IPv4 datagram length > captured length" },
+ { DECODE_ZERO_TTL, "IPv4 packet with zero TTL" },
+ { DECODE_BAD_FRAGBITS, "IPv4 packet with bad frag bits (both MF and DF set)" },
+ { DECODE_IP4_LEN_OFFSET, "IPv4 packet frag offset + length exceed maximum" },
+ { DECODE_IP4_SRC_THIS_NET, "IPv4 packet from 'current net' source address" },
+ { DECODE_IP4_DST_THIS_NET, "IPv4 packet to 'current net' dest address" },
+ { DECODE_IP4_SRC_MULTICAST, "IPv4 packet from multicast source address" },
+ { DECODE_IP4_SRC_RESERVED, "IPv4 packet from reserved source address" },
+ { DECODE_IP4_DST_RESERVED, "IPv4 packet to reserved dest address" },
+ { DECODE_IP4_SRC_BROADCAST, "IPv4 packet from broadcast source address" },
+ { DECODE_IP4_DST_BROADCAST, "IPv4 packet to broadcast dest address" },
+ { DECODE_IP4_MIN_TTL, "IPv4 packet below TTL limit" },
+ { DECODE_IP4_DF_OFFSET, "IPv4 packet both DF and offset set" },
+ { DECODE_IP_RESERVED_FRAG_BIT, "IPv4 reserved bit set" },
+ { DECODE_IP_OPTION_SET, "IPv4 option set" },
+ { DECODE_IP4_HDR_TRUNC, "truncated IPv4 header" },
{ 0, nullptr }
};
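Review bot: `"IPv4 datagram length < header field"` for DECODE_IPV4_DGRAM_LT_IPHDR no longer says which header field is compared, whereas the old text named the IP header length. An analyst triaging the alert cannot tell from the message what was malformed. Assuming the check still compares total length against header length (the decoder is not in this hunk), `"IPv4 datagram length < header length"` keeps the meaning. DECODE_IPV6_DGRAM_LT_IPHDR in the IPv6 table gets the same wording and would take the same fix.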
{
{ DECODE_IPV6_MIN_TTL, "IPv6 packet below TTL limit" },
{ DECODE_IPV6_IS_NOT, "IPv6 header claims to not be IPv6" },
- { DECODE_IPV6_TRUNCATED_EXT, "IPV6 truncated extension header" },
- { DECODE_IPV6_TRUNCATED, "IPV6 truncated header" },
- { DECODE_IPV6_DGRAM_LT_IPHDR, "IP dgm len < IP Hdr len" },
- { DECODE_IPV6_DGRAM_GT_CAPLEN, "IP dgm len > captured len" },
+ { DECODE_IPV6_TRUNCATED_EXT, "IPv6 truncated extension header" },
+ { DECODE_IPV6_TRUNCATED, "IPv6 truncated header" },
+ { DECODE_IPV6_DGRAM_LT_IPHDR, "IPv6 datagram length < header field" },
+ { DECODE_IPV6_DGRAM_GT_CAPLEN, "IPv6 datagram length > captured length" },
{ DECODE_IPV6_DST_ZERO, "IPv6 packet with destination address ::0" },
{ DECODE_IPV6_SRC_MULTICAST, "IPv6 packet with multicast source address" },
{ DECODE_IPV6_DST_RESERVED_MULTICAST,
{ DECODE_IPV6_BAD_OPT_LEN,
"IPv6 header includes an option which is too big for the containing header" },
{ DECODE_IPV6_UNORDERED_EXTENSIONS, "IPv6 packet includes out-of-order extension headers" },
- { DECODE_IP6_ZERO_HOP_LIMIT, "IPV6 packet has zero hop limit" },
- { DECODE_IPV6_ISATAP_SPOOF, "BAD-TRAFFIC ISATAP-addressed IPv6 traffic spoofing attempt" },
+ { DECODE_IP6_ZERO_HOP_LIMIT, "IPv6 packet has zero hop limit" },
+ { DECODE_IPV6_ISATAP_SPOOF, "ISATAP-addressed IPv6 traffic spoofing attempt" },
{ DECODE_IPV6_BAD_FRAG_PKT, "bogus fragmentation packet, possible BSD attack" },
- { DECODE_IPV6_ROUTE_ZERO, "IPV6 routing type 0 extension header" },
- { DECODE_IP6_EXCESS_EXT_HDR, "too many IP6 extension headers" },
+ { DECODE_IPV6_ROUTE_ZERO, "IPv6 routing type 0 extension header" },
+ { DECODE_IP6_EXCESS_EXT_HDR, "too many IPv6 extension headers" },
{ 0, nullptr }
};
static const RuleMap pgm_rules[] =
{
- { DECODE_PGM_NAK_OVERFLOW, "BAD-TRAFFIC PGM nak list overflow attempt" },
+ { DECODE_PGM_NAK_OVERFLOW, "PGM nak list overflow attempt" },
{ 0, nullptr }
};
static const RuleMap tcp_rules[] =
{
- { DECODE_TCP_DGRAM_LT_TCPHDR, "TCP packet len is smaller than 20 bytes" },
+ { DECODE_TCP_DGRAM_LT_TCPHDR, "TCP packet length is smaller than 20 bytes" },
{ DECODE_TCP_INVALID_OFFSET, "TCP data offset is less than 5" },
{ DECODE_TCP_LARGE_OFFSET, "TCP header length exceeds packet length" },
-
{ DECODE_TCPOPT_BADLEN, "TCP options found with bad lengths" },
{ DECODE_TCPOPT_TRUNCATED, "truncated TCP options" },
{ DECODE_TCPOPT_TTCP, "T/TCP detected" },
{ DECODE_TCP_MUST_ACK, "TCP PDU missing ack for established session" },
{ DECODE_TCP_NO_SYN_ACK_RST, "TCP has no SYN, ACK, or RST" },
{ DECODE_TCP_SHAFT_SYNFLOOD, "DDOS shaft SYN flood" },
- { DECODE_TCP_PORT_ZERO, "BAD-TRAFFIC TCP port 0 traffic" },
+ { DECODE_TCP_PORT_ZERO, "TCP port 0 traffic" },
{ DECODE_DOS_NAPTHA, "DOS NAPTHA vulnerability detected" },
- { DECODE_SYN_TO_MULTICAST, "bad traffic SYN to multicast address" },
+ { DECODE_SYN_TO_MULTICAST, "SYN to multicast address" },
{ 0, nullptr }
};
{ DECODE_UDP_DGRAM_SHORT_PACKET, "short UDP packet, length field > payload length" },
{ DECODE_UDP_DGRAM_LONG_PACKET, "long UDP packet, length field < payload length" },
{ DECODE_UDP_IPV6_ZERO_CHECKSUM, "invalid IPv6 UDP packet, checksum zero" },
- { DECODE_UDP_LARGE_PACKET, "misc large UDP Packet" },
- { DECODE_UDP_PORT_ZERO, "BAD-TRAFFIC UDP port 0 traffic" },
+ { DECODE_UDP_LARGE_PACKET, "large UDP packet (> 4000 bytes)" },
+ { DECODE_UDP_PORT_ZERO, "UDP port 0 traffic" },
{ 0, nullptr }
};
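Review bot: `"large UDP packet (> 4000 bytes)"` hard-codes a threshold in the message for DECODE_UDP_LARGE_PACKET, and the check that raises the event is not in this hunk. If that limit lives in a named constant or is ever changed, the alert text will report the wrong size. A comment next to the entry would keep the two in step, e.g. `// 4000 must match the limit tested in the UDP decoder`. The table's opening lines are outside the hunk.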
static const RuleMap erspan2_rules[] =
{
{ DECODE_ERSPAN_HDR_VERSION_MISMATCH, "ERSpan header version mismatch" },
- { DECODE_ERSPAN2_DGRAM_LT_HDR, "captured < ERSpan type2 header length" },
+ { DECODE_ERSPAN2_DGRAM_LT_HDR, "captured length < ERSpan type2 header length" },
{ 0, nullptr }
};
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
-// rules which will loaded into snort.
-// You can now reference these rules by calling a codec_event
-// in your main codec's functions
static const RuleMap mpls_rules[] =
{
{ DECODE_BAD_MPLS, "bad MPLS frame" },
{
static const RuleMap eth_rules[] =
{
- { DECODE_ETH_HDR_TRUNC, "truncated eth header" },
+ { DECODE_ETH_HDR_TRUNC, "truncated ethernet header" },
{ 0, nullptr }
};
{ "thirdparty_appid_dir", Parameter::PT_STRING, nullptr, nullptr,
"directory to load thirdparty appid detectors from" },
{ "session_log_filter", Parameter::PT_TABLE, session_log_filter, nullptr,
- "session log filter options" },
+ "session log filter options" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
static const RuleMap s_rules[] =
{
- { ARPSPOOF_UNICAST_ARP_REQUEST,
- ARPSPOOF_UNICAST_ARP_REQUEST_STR },
-
- { ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC,
- ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC_STR },
-
- { ARPSPOOF_ETHERFRAME_ARP_MISMATCH_DST,
- ARPSPOOF_ETHERFRAME_ARP_MISMATCH_DST_STR },
-
- { ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK,
- ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK_STR },
+ { ARPSPOOF_UNICAST_ARP_REQUEST, ARPSPOOF_UNICAST_ARP_REQUEST_STR },
+ { ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC, ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC_STR },
+ { ARPSPOOF_ETHERFRAME_ARP_MISMATCH_DST, ARPSPOOF_ETHERFRAME_ARP_MISMATCH_DST_STR },
+ { ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK, ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK_STR },
{ 0, nullptr }
};
#define REPUTATION_EVENT_BLACKLIST_STR \
"packets blacklisted"
#define REPUTATION_EVENT_WHITELIST_STR \
- "Packets whitelisted"
+ "packets whitelisted"
#define REPUTATION_EVENT_MONITOR_STR \
- "Packets monitored"
+ "packets monitored"
static const Parameter s_params[] =
{
#define DCE2_CO_FRAG_DIFF_OPNUM 38
#define DCE2_CO_FRAG_DIFF_CTX_ID 39
-#define DCE2_CO_BAD_MAJOR_VERSION_STR "Connection oriented DCE/RPC - Invalid major version."
-#define DCE2_CO_BAD_MINOR_VERSION_STR "Connection oriented DCE/RPC - Invalid minor version."
-#define DCE2_CO_BAD_PDU_TYPE_STR "Connection-oriented DCE/RPC - Invalid pdu type."
+#define DCE2_CO_BAD_MAJOR_VERSION_STR "connection oriented DCE/RPC - invalid major version"
+#define DCE2_CO_BAD_MINOR_VERSION_STR "connection oriented DCE/RPC - invalid minor version"
+#define DCE2_CO_BAD_PDU_TYPE_STR "connection-oriented DCE/RPC - invalid PDU type"
#define DCE2_CO_FRAG_LEN_LT_HDR_STR \
- "Connection-oriented DCE/RPC - Fragment length less than header size."
+ "connection-oriented DCE/RPC - fragment length less than header size"
#define DCE2_CO_REM_FRAG_LEN_LT_SIZE_STR \
- "Connection-oriented DCE/RPC - Remaining fragment length less than size needed."
+ "connection-oriented DCE/RPC - remaining fragment length less than size needed"
#define DCE2_CO_NO_CTX_ITEMS_SPECFD_STR \
- "Connection-oriented DCE/RPC - No context items specified."
+ "connection-oriented DCE/RPC - no context items specified"
#define DCE2_CO_NO_TFER_SYNTAX_SPECFD_STR \
- "Connection-oriented DCE/RPC -No transfer syntaxes specified."
+ "connection-oriented DCE/RPC -no transfer syntaxes specified"
#define DCE2_CO_FRAG_LT_MAX_XMIT_FRAG_STR \
- "Connection-oriented DCE/RPC - Fragment length on non-last fragment less than \
-maximum negotiated fragment transmit size for client."
+ "connection-oriented DCE/RPC - fragment length on non-last fragment less than \
+maximum negotiated fragment transmit size for client"
#define DCE2_CO_FRAG_GT_MAX_XMIT_FRAG_STR \
- "Connection-oriented DCE/RPC - Fragment length greater than \
-maximum negotiated fragment transmit size."
+ "connection-oriented DCE/RPC - fragment length greater than \
+maximum negotiated fragment transmit size"
#define DCE2_CO_ALTER_CHANGE_BYTE_ORDER_STR \
- "Connection-oriented DCE/RPC - Alter Context byte order different from Bind"
+ "connection-oriented DCE/RPC - alter context byte order different from bind"
#define DCE2_CO_FRAG_DIFF_CALL_ID_STR \
- "Connection-oriented DCE/RPC - Call id of non first/last fragment different \
-from call id established for fragmented request."
+ "connection-oriented DCE/RPC - call id of non first/last fragment different \
+from call id established for fragmented request"
#define DCE2_CO_FRAG_DIFF_OPNUM_STR \
- "Connection-oriented DCE/RPC - Opnum of non first/last fragment different \
-from opnum established for fragmented request."
+ "connection-oriented DCE/RPC - opnum of non first/last fragment different \
+from opnum established for fragmented request"
#define DCE2_CO_FRAG_DIFF_CTX_ID_STR \
- "Connection-oriented DCE/RPC - Context id of non first/last fragment different \
-from context id established for fragmented request."
+ "connection-oriented DCE/RPC - context id of non first/last fragment different \
+from context id established for fragmented request"
#define DCE2_MAX_XMIT_SIZE_FUZZ 500
#define DCE2_MOCK_HDR_LEN__CO_CLI (sizeof(DceRpcCoHdr) + sizeof(DceRpcCoRequest))
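Review bot: DCE2_CO_NO_TFER_SYNTAX_SPECFD_STR still reads `-no transfer syntaxes specified` with no space after the dash. DCE2_CO_BAD_MAJOR_VERSION_STR and DCE2_CO_BAD_MINOR_VERSION_STR say `connection oriented`, while every other string in the block says `connection-oriented`. Since this commit normalises the messages, these should match: `"connection-oriented DCE/RPC - no transfer syntaxes specified"` and `"connection-oriented DCE/RPC - invalid major version"` (likewise for minor). The multi-line strings also rely on backslash continuation inside the literal, so any indentation on the continuation line would end up in the alert text. Adjacent string literals, as used for the ICMP unreachable messages in this commit, avoid that.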
#define DCE2_SMB_INVALID_FILE_OFFSET 58
#define DCE2_SMB_BAD_NEXT_COMMAND_OFFSET 59
-#define DCE2_SMB_BAD_NBSS_TYPE_STR "SMB - Bad NetBIOS Session Service session type."
-#define DCE2_SMB_BAD_TYPE_STR "SMB - Bad SMB message type."
-#define DCE2_SMB_BAD_ID_STR "SMB - Bad SMB Id (not \\xffSMB for SMB1 or not \\xfeSMB for SMB2)."
-#define DCE2_SMB_BAD_WCT_STR "SMB - Bad word count or structure size."
-#define DCE2_SMB_BAD_BCC_STR "SMB - Bad byte count."
-#define DCE2_SMB_BAD_FORM_STR "SMB - Bad format type."
-#define DCE2_SMB_BAD_OFF_STR "SMB - Bad offset."
-#define DCE2_SMB_TDCNT_ZE_STR "SMB - Zero total data count."
-#define DCE2_SMB_NB_LT_SMBHDR_STR "SMB - NetBIOS data length less than SMB header length."
-#define DCE2_SMB_NB_LT_COM_STR "SMB - Remaining NetBIOS data length less than command length."
-#define DCE2_SMB_NB_LT_BCC_STR "SMB - Remaining NetBIOS data length less than command byte count."
+#define DCE2_SMB_BAD_NBSS_TYPE_STR "SMB - bad NetBIOS session service session type"
+#define DCE2_SMB_BAD_TYPE_STR "SMB - bad SMB message type"
+#define DCE2_SMB_BAD_ID_STR "SMB - bad SMB Id (not \\xffSMB for SMB1 or not \\xfeSMB for SMB2)"
+#define DCE2_SMB_BAD_WCT_STR "SMB - bad word count or structure size"
+#define DCE2_SMB_BAD_BCC_STR "SMB - bad byte count"
+#define DCE2_SMB_BAD_FORM_STR "SMB - bad format type"
+#define DCE2_SMB_BAD_OFF_STR "SMB - bad offset"
+#define DCE2_SMB_TDCNT_ZE_STR "SMB - zero total data count"
+#define DCE2_SMB_NB_LT_SMBHDR_STR "SMB - NetBIOS data length less than SMB header length"
+#define DCE2_SMB_NB_LT_COM_STR "SMB - remaining NetBIOS data length less than command length"
+#define DCE2_SMB_NB_LT_BCC_STR "SMB - remaining NetBIOS data length less than command byte count"
#define DCE2_SMB_NB_LT_DSIZE_STR \
- "SMB - Remaining NetBIOS data length less than command data size."
+ "SMB - remaining NetBIOS data length less than command data size"
#define DCE2_SMB_TDCNT_LT_DSIZE_STR \
- "SMB - Remaining total data count less than this command data size."
+ "SMB - remaining total data count less than this command data size"
#define DCE2_SMB_DSENT_GT_TDCNT_STR \
- "SMB - Total data sent (STDu64) greater than command total data expected."
-#define DCE2_SMB_BCC_LT_DSIZE_STR "SMB - Byte count less than command data size (STDu64)"
-#define DCE2_SMB_INVALID_DSIZE_STR "SMB - Invalid command data size for byte count."
+ "SMB - total data sent (STDu64) greater than command total data expected"
+#define DCE2_SMB_BCC_LT_DSIZE_STR "SMB - byte count less than command data size (STDu64)"
+#define DCE2_SMB_INVALID_DSIZE_STR "SMB - invalid command data size for byte count"
#define DCE2_SMB_EXCESSIVE_TREE_CONNECTS_STR \
- "SMB - Excessive Tree Connect requests with pending Tree Connect responses."
-#define DCE2_SMB_EXCESSIVE_READS_STR "SMB - Excessive Read requests with pending Read responses."
-#define DCE2_SMB_EXCESSIVE_CHAINING_STR "SMB - Excessive command chaining."
-#define DCE2_SMB_MULT_CHAIN_SS_STR "SMB - Multiple chained tree connect requests."
-#define DCE2_SMB_MULT_CHAIN_TC_STR "SMB - Multiple chained tree connect requests."
-#define DCE2_SMB_CHAIN_SS_LOGOFF_STR "SMB - Chained/Compounded login followed by logoff."
+ "SMB - excessive tree connect requests with pending tree connect responses"
+#define DCE2_SMB_EXCESSIVE_READS_STR "SMB - excessive read requests with pending read responses"
+#define DCE2_SMB_EXCESSIVE_CHAINING_STR "SMB - excessive command chaining"
+#define DCE2_SMB_MULT_CHAIN_SS_STR "SMB - multiple chained tree connect requests"
+#define DCE2_SMB_MULT_CHAIN_TC_STR "SMB - multiple chained tree connect requests"
+#define DCE2_SMB_CHAIN_SS_LOGOFF_STR "SMB - chained/compounded login followed by logoff"
#define DCE2_SMB_CHAIN_TC_TDIS_STR \
- "SMB - Chained/Compounded tree connect followed by tree disconnect."
+ "SMB - chained/compounded tree connect followed by tree disconnect"
#define DCE2_SMB_CHAIN_OPEN_CLOSE_STR \
- "SMB - Chained/Compounded open pipe followed by close pipe."
-#define DCE2_SMB_INVALID_SHARE_STR "SMB - Invalid share access."
-
-#define DCE2_SMB_V1_STR "SMB - Invalid SMB version 1 seen."
-#define DCE2_SMB_V2_STR "SMB - Invalid SMB version 2 seen."
-#define DCE2_SMB_INVALID_BINDING_STR "SMB - Invalid user, tree connect, file binding."
-#define DCE2_SMB2_EXCESSIVE_COMPOUNDING_STR "SMB - Excessive command compounding."
-#define DCE2_SMB_DCNT_ZERO_STR "SMB - Zero data count."
-#define DCE2_SMB_DCNT_MISMATCH_STR "SMB - Data count mismatch in command and format"
-#define DCE2_SMB_MAX_REQS_EXCEEDED_STR "SMB - Maximum number of outstanding requests exceeded."
-#define DCE2_SMB_REQS_SAME_MID_STR "SMB - Outstanding requests with same MID."
-#define DCE2_SMB_DEPR_DIALECT_NEGOTIATED_STR "SMB - Deprecated dialect negotiated."
-#define DCE2_SMB_DEPR_COMMAND_USED_STR "SMB - Deprecated command used."
-#define DCE2_SMB_UNUSUAL_COMMAND_USED_STR "SMB - Unusual command used."
-#define DCE2_SMB_INVALID_SETUP_COUNT_STR "SMB - Invalid setup count for command."
+ "SMB - chained/compounded open pipe followed by close pipe"
+#define DCE2_SMB_INVALID_SHARE_STR "SMB - invalid share access"
+
+#define DCE2_SMB_V1_STR "SMB - invalid SMB version 1 seen"
+#define DCE2_SMB_V2_STR "SMB - invalid SMB version 2 seen"
+#define DCE2_SMB_INVALID_BINDING_STR "SMB - invalid user, tree connect, file binding"
+#define DCE2_SMB2_EXCESSIVE_COMPOUNDING_STR "SMB - excessive command compounding"
+#define DCE2_SMB_DCNT_ZERO_STR "SMB - zero data count"
+#define DCE2_SMB_DCNT_MISMATCH_STR "SMB - data count mismatch in command and format"
+#define DCE2_SMB_MAX_REQS_EXCEEDED_STR "SMB - maximum number of outstanding requests exceeded"
+#define DCE2_SMB_REQS_SAME_MID_STR "SMB - outstanding requests with same MID"
+#define DCE2_SMB_DEPR_DIALECT_NEGOTIATED_STR "SMB - deprecated dialect negotiated"
+#define DCE2_SMB_DEPR_COMMAND_USED_STR "SMB - deprecated command used"
+#define DCE2_SMB_UNUSUAL_COMMAND_USED_STR "SMB - unusual command used"
+#define DCE2_SMB_INVALID_SETUP_COUNT_STR "SMB - invalid setup count for command"
#define DCE2_SMB_MULTIPLE_NEGOTIATIONS_STR \
- "SMB - Client attempted multiple dialect negotiations on session."
+ "SMB - client attempted multiple dialect negotiations on session"
#define DCE2_SMB_EVASIVE_FILE_ATTRS_STR \
- "SMB - Client attempted to create or set a file's attributes to readonly/hidden/system."
+ "SMB - client attempted to create or set a file's attributes to readonly/hidden/system"
#define DCE2_SMB_INVALID_FILE_OFFSET_STR \
- "SMB - File offset provided is greater than file size specified"
+ "SMB - file offset provided is greater than file size specified"
#define DCE2_SMB_BAD_NEXT_COMMAND_OFFSET_STR \
- "SMB - Next command specified in SMB2 header is beyond payload boundary"
+ "SMB - next command specified in SMB2 header is beyond payload boundary"
struct dce2SmbStats
{
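Review bot: DCE2_SMB_MULT_CHAIN_SS_STR and DCE2_SMB_MULT_CHAIN_TC_STR carry the identical text `SMB - multiple chained tree connect requests`, so the two events cannot be told apart from the alert message. Going by DCE2_SMB_CHAIN_SS_LOGOFF_STR (`chained/compounded login followed by logoff`), SS presumably means session setup, which would make it `#define DCE2_SMB_MULT_CHAIN_SS_STR "SMB - multiple chained login requests"`. Separately, DCE2_SMB_DSENT_GT_TDCNT_STR and DCE2_SMB_BCC_LT_DSIZE_STR still contain a literal `(STDu64)`. It looks like a leftover format placeholder that will be printed as is, so dropping it from both strings is probably what is wanted.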
{ "reassemble_threshold", Parameter::PT_INT, "0:65535", "0",
" Minimum bytes received before performing reassembly" },
{ "policy", Parameter::PT_ENUM,
- "Win2000 | WinXP | WinVista | Win2003 | Win2008 | Win7 | Samba | Samba-3.0.37 | Samba-3.0.22 | Samba-3.0.20",
- "WinXP",
+ "Win2000 | WinXP | WinVista | Win2003 | Win2008 | Win7 | "
+ "Samba | Samba-3.0.37 | Samba-3.0.22 | Samba-3.0.20", "WinXP",
" Target based policy to use" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
#include "dce_common.h"
#include "framework/module.h"
-#define DCE2_CL_BAD_MAJOR_VERSION 40
-#define DCE2_CL_BAD_PDU_TYPE 41
-#define DCE2_CL_DATA_LT_HDR 42
-#define DCE2_CL_BAD_SEQ_NUM 43
+#define DCE2_CL_BAD_MAJOR_VERSION 40
+#define DCE2_CL_BAD_PDU_TYPE 41
+#define DCE2_CL_DATA_LT_HDR 42
+#define DCE2_CL_BAD_SEQ_NUM 43
-#define DCE2_CL_BAD_MAJOR_VERSION_STR "Connection-less DCE/RPC - Invalid major version."
-#define DCE2_CL_BAD_PDU_TYPE_STR "Connection-less DCE/RPC - Invalid pdu type."
-#define DCE2_CL_DATA_LT_HDR_STR \
- "Connection-less DCE/RPC - Data length less than header size."
-#define DCE2_CL_BAD_SEQ_NUM_STR \
- "Connection-less DCE/RPC - Bad sequence number."
+#define DCE2_CL_BAD_MAJOR_VERSION_STR "connection-less DCE/RPC - invalid major version"
+#define DCE2_CL_BAD_PDU_TYPE_STR "connection-less DCE/RPC - invalid PDU type"
+#define DCE2_CL_DATA_LT_HDR_STR "connection-less DCE/RPC - data length less than header size"
+#define DCE2_CL_BAD_SEQ_NUM_STR "connection-less DCE/RPC - bad sequence number"
struct SnortConfig;
#define DNP3_NAME "dnp3"
#define DNP3_HELP "dnp3 inspection"
-#define DNP3_BAD_CRC_STR "DNP3 Link-Layer Frame contains bad CRC."
-#define DNP3_DROPPED_FRAME_STR "DNP3 Link-Layer Frame was dropped."
-#define DNP3_DROPPED_SEGMENT_STR "DNP3 Transport-Layer Segment was dropped during reassembly."
+#define DNP3_BAD_CRC_STR "DNP3 link-layer frame contains bad CRC"
+#define DNP3_DROPPED_FRAME_STR "DNP3 link-layer frame was dropped"
+#define DNP3_DROPPED_SEGMENT_STR "DNP3 transport-layer segment was dropped during reassembly"
#define DNP3_REASSEMBLY_BUFFER_CLEARED_STR \
- "DNP3 Reassembly Buffer was cleared without reassembling a complete message."
-#define DNP3_RESERVED_ADDRESS_STR "DNP3 Link-Layer Frame uses a reserved address."
-#define DNP3_RESERVED_FUNCTION_STR "DNP3 Application-Layer Fragment uses a reserved function code."
+ "DNP3 reassembly buffer was cleared without reassembling a complete message"
+#define DNP3_RESERVED_ADDRESS_STR "DNP3 link-layer frame uses a reserved address"
+#define DNP3_RESERVED_FUNCTION_STR "DNP3 application-layer fragment uses a reserved function code"
#define DNP3_BAD_CRC 1
#define DNP3_DROPPED_FRAME 2
using namespace std;
#define DNS_EVENT_OBSOLETE_TYPES_STR \
- "Obsolete DNS RR Types"
+ "obsolete DNS RR types"
#define DNS_EVENT_EXPERIMENTAL_TYPES_STR \
- "Experimental DNS RR Types"
+ "experimental DNS RR types"
#define DNS_EVENT_RDATA_OVERFLOW_STR \
- "DNS Client rdata txt Overflow"
+ "DNS client rdata txt overflow"
static const Parameter s_params[] =
{
{ EVENT_PDF_UNSUP_COMP_TYPE, "PDF file unsupported compression type" },
{ EVENT_PDF_CASC_COMP, "PDF file cascaded compression" },
{ EVENT_PDF_PARSE_FAILURE, "PDF file parse failure" },
- { EVENT_LOSS_OF_SYNC, "Not HTTP traffic" },
- { EVENT_CHUNK_ZEROS, "Chunk length has excessive leading zeros" },
- { EVENT_WS_BETWEEN_MSGS, "White space before or between messages" },
- { EVENT_URI_MISSING, "Request message without URI" },
- { EVENT_CTRL_IN_REASON, "Control character in reason phrase" },
- { EVENT_IMPROPER_WS, "Illegal extra whitespace in start line" },
- { EVENT_BAD_VERS, "Corrupted HTTP version" },
- { EVENT_UNKNOWN_VERS, "Unknown HTTP version" },
- { EVENT_BAD_HEADER, "Format error in HTTP header" },
- { EVENT_CHUNK_OPTIONS, "Chunk header options present" },
+ { EVENT_LOSS_OF_SYNC, "not HTTP traffic" },
+ { EVENT_CHUNK_ZEROS, "chunk length has excessive leading zeros" },
+ { EVENT_WS_BETWEEN_MSGS, "white space before or between messages" },
+ { EVENT_URI_MISSING, "request message without URI" },
+ { EVENT_CTRL_IN_REASON, "control character in reason phrase" },
+ { EVENT_IMPROPER_WS, "illegal extra whitespace in start line" },
+ { EVENT_BAD_VERS, "corrupted HTTP version" },
+ { EVENT_UNKNOWN_VERS, "unknown HTTP version" },
+ { EVENT_BAD_HEADER, "format error in HTTP header" },
+ { EVENT_CHUNK_OPTIONS, "chunk header options present" },
{ EVENT_URI_BAD_FORMAT, "URI badly formatted" },
- { EVENT_UNKNOWN_PERCENT, "Unrecognized type of percent encoding in URI" },
+ { EVENT_UNKNOWN_PERCENT, "unrecognized type of percent encoding in URI" },
{ EVENT_BROKEN_CHUNK, "HTTP chunk misformatted" },
- { EVENT_CHUNK_WHITESPACE, "White space following chunk length" },
- { EVENT_HEAD_NAME_WHITESPACE, "White space within header name" },
- { EVENT_GZIP_OVERRUN, "Excessive gzip compression" },
- { EVENT_GZIP_FAILURE, "Gzip decompression failed" },
+ { EVENT_CHUNK_WHITESPACE, "white space following chunk length" },
+ { EVENT_HEAD_NAME_WHITESPACE, "white space within header name" },
+ { EVENT_GZIP_OVERRUN, "excessive gzip compression" },
+ { EVENT_GZIP_FAILURE, "gzip decompression failed" },
{ EVENT_ZERO_NINE_CONTINUE, "HTTP 0.9 requested followed by another request" },
{ EVENT_ZERO_NINE_NOT_FIRST, "HTTP 0.9 request following a normal request" },
- { EVENT_BOTH_CL_AND_TE, "Message has both Content-Length and Transfer-Encoding" },
- { EVENT_BAD_CODE_BODY_HEADER, "Status code implying no body combined with Transfer-"
- "Encoding or nonzero Content-Length" },
+ { EVENT_BOTH_CL_AND_TE, "message has both Content-Length and Transfer-Encoding" },
+ { EVENT_BAD_CODE_BODY_HEADER, "status code implying no body combined with Transfer-"
+ "Encoding or nonzero Content-Length" },
{ EVENT_FINAL_NOT_CHUNKED, "Transfer-Encoding did not end with chunked" },
{ EVENT_CHUNKED_BEFORE_END, "Transfer-Encoding with chunked not at end" },
- { EVENT_MISFORMATTED_HTTP, "Misformatted HTTP traffic" },
- { EVENT_UNSUPPORTED_ENCODING, "Unsupported Transfer-Encoding or Content-Encoding used" },
- { EVENT_UNKNOWN_ENCODING, "Unknown Transfer-Encoding or Content-Encoding used" },
- { EVENT_STACKED_ENCODINGS, "Multiple layers of compression encodings applied" },
+ { EVENT_MISFORMATTED_HTTP, "misformatted HTTP traffic" },
+ { EVENT_UNSUPPORTED_ENCODING, "unsupported Transfer-Encoding or Content-Encoding used" },
+ { EVENT_UNKNOWN_ENCODING, "unknown Transfer-Encoding or Content-Encoding used" },
+ { EVENT_STACKED_ENCODINGS, "multiple layers of compression encodings applied" },
{ 0, nullptr }
};
using namespace std;
-#define IMAP_UNKNOWN_CMD_STR "Unknown IMAP3 command"
-#define IMAP_UNKNOWN_RESP_STR "Unknown IMAP3 response"
-#define IMAP_B64_DECODING_FAILED_STR "Base64 Decoding failed."
-#define IMAP_QP_DECODING_FAILED_STR "Quoted-Printable Decoding failed."
-#define IMAP_UU_DECODING_FAILED_STR "Unix-to-Unix Decoding failed."
+#define IMAP_UNKNOWN_CMD_STR "unknown IMAP3 command"
+#define IMAP_UNKNOWN_RESP_STR "unknown IMAP3 response"
+#define IMAP_B64_DECODING_FAILED_STR "base64 decoding failed"
+#define IMAP_QP_DECODING_FAILED_STR "quoted-printable decoding failed"
+#define IMAP_UU_DECODING_FAILED_STR "Unix-to-Unix decoding failed"
static const Parameter s_params[] =
{
{ "b64_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
- " base64 decoding depth" },
+ "base64 decoding depth" },
{ "bitenc_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
- " Non-Encoded MIME attachment extraction depth" },
+ "non-Encoded MIME attachment extraction depth" },
{ "qp_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
- " Quoted Printable decoding depth" },
+ "quoted Printable decoding depth" },
{ "uu_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
- " Unix-to-Unix decoding depth" },
+ "Unix-to-Unix decoding depth" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
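Review bot: Lower-casing only the first letter left mixed case in two of the help strings, `"non-Encoded MIME attachment extraction depth"` and `"quoted Printable decoding depth"`. To be consistent with IMAP_QP_DECODING_FAILED_STR above, they should read `"non-encoded MIME attachment extraction depth"` and `"quoted-printable decoding depth"`.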
"length in Modbus MBAP header does not match the length needed for the given function"
#define MODBUS_BAD_PROTO_ID_STR "Modbus protocol ID is non-zero"
-#define MODBUS_RESERVED_FUNCTION_STR "Reserved Modbus function code in use"
+#define MODBUS_RESERVED_FUNCTION_STR "reserved Modbus function code in use"
static const RuleMap modbus_rules[] =
{
using namespace std;
-#define POP_UNKNOWN_CMD_STR "Unknown POP3 command"
-#define POP_UNKNOWN_RESP_STR "Unknown POP3 response"
-#define POP_B64_DECODING_FAILED_STR "Base64 Decoding failed."
-#define POP_QP_DECODING_FAILED_STR "Quoted-Printable Decoding failed."
-#define POP_UU_DECODING_FAILED_STR "Unix-to-Unix Decoding failed."
+#define POP_UNKNOWN_CMD_STR "unknown POP3 command"
+#define POP_UNKNOWN_RESP_STR "unknown POP3 response"
+#define POP_B64_DECODING_FAILED_STR "base64 decoding failed"
+#define POP_QP_DECODING_FAILED_STR "quoted-printable decoding failed"
+#define POP_UU_DECODING_FAILED_STR "Unix-to-Unix decoding failed"
static const Parameter s_params[] =
{
using namespace std;
-#define SIP_EVENT_MAX_SESSIONS_STR "Maximum sessions reached"
-#define SIP_EVENT_EMPTY_REQUEST_URI_STR "Empty request URI"
+#define SIP_EVENT_MAX_SESSIONS_STR "maximum sessions reached"
+#define SIP_EVENT_EMPTY_REQUEST_URI_STR "empty request URI"
#define SIP_EVENT_BAD_URI_STR "URI is too long"
-#define SIP_EVENT_EMPTY_CALL_ID_STR "Empty call-Id"
+#define SIP_EVENT_EMPTY_CALL_ID_STR "empty call-Id"
#define SIP_EVENT_BAD_CALL_ID_STR "Call-Id is too long"
#define SIP_EVENT_BAD_CSEQ_NUM_STR "CSeq number is too large or negative"
-#define SIP_EVENT_BAD_CSEQ_NAME_STR "Request name in CSeq is too long"
-#define SIP_EVENT_EMPTY_FROM_STR "Empty From header"
+#define SIP_EVENT_BAD_CSEQ_NAME_STR "request name in CSeq is too long"
+#define SIP_EVENT_EMPTY_FROM_STR "empty From header"
#define SIP_EVENT_BAD_FROM_STR "From header is too long"
-#define SIP_EVENT_EMPTY_TO_STR "Empty To header"
+#define SIP_EVENT_EMPTY_TO_STR "empty To header"
#define SIP_EVENT_BAD_TO_STR "To header is too long"
-#define SIP_EVENT_EMPTY_VIA_STR "Empty Via header"
+#define SIP_EVENT_EMPTY_VIA_STR "empty Via header"
#define SIP_EVENT_BAD_VIA_STR "Via header is too long"
-#define SIP_EVENT_EMPTY_CONTACT_STR "Empty Contact"
-#define SIP_EVENT_BAD_CONTACT_STR "Contact is too long"
-#define SIP_EVENT_BAD_CONTENT_LEN_STR "Content length is too large or negative"
-#define SIP_EVENT_MULTI_MSGS_STR "Multiple SIP messages in a packet"
-#define SIP_EVENT_MISMATCH_CONTENT_LEN_STR "Content length mismatch"
-#define SIP_EVENT_INVALID_CSEQ_NAME_STR "Request name is invalid"
+#define SIP_EVENT_EMPTY_CONTACT_STR "empty Contact"
+#define SIP_EVENT_BAD_CONTACT_STR "contact is too long"
+#define SIP_EVENT_BAD_CONTENT_LEN_STR "content length is too large or negative"
+#define SIP_EVENT_MULTI_MSGS_STR "multiple SIP messages in a packet"
+#define SIP_EVENT_MISMATCH_CONTENT_LEN_STR "content length mismatch"
+#define SIP_EVENT_INVALID_CSEQ_NAME_STR "request name is invalid"
#define SIP_EVENT_AUTH_INVITE_REPLAY_ATTACK_STR "Invite replay attack"
-#define SIP_EVENT_AUTH_INVITE_DIFF_SESSION_STR "Illegal session information modification"
-#define SIP_EVENT_BAD_STATUS_CODE_STR "Response status code is not a 3 digit number"
-#define SIP_EVENT_EMPTY_CONTENT_TYPE_STR "Empty Content-type header"
+#define SIP_EVENT_AUTH_INVITE_DIFF_SESSION_STR "illegal session information modification"
+#define SIP_EVENT_BAD_STATUS_CODE_STR "response status code is not a 3 digit number"
+#define SIP_EVENT_EMPTY_CONTENT_TYPE_STR "empty Content-type header"
#define SIP_EVENT_INVALID_VERSION_STR "SIP version is invalid"
-#define SIP_EVENT_MISMATCH_METHOD_STR "Mismatch in METHOD of request and the CSEQ header"
-#define SIP_EVENT_UNKOWN_METHOD_STR "Method is unknown"
-#define SIP_EVENT_MAX_DIALOGS_IN_A_SESSION_STR "Maximum dialogs within a session reached"
+#define SIP_EVENT_MISMATCH_METHOD_STR "mismatch in METHOD of request and the CSEQ header"
+#define SIP_EVENT_UNKOWN_METHOD_STR "method is unknown"
+#define SIP_EVENT_MAX_DIALOGS_IN_A_SESSION_STR "maximum dialogs within a session reached"
#define default_methods "invite cancel ack bye register options"
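Review bot: The lower-casing is applied unevenly to SIP header names: `SIP_EVENT_EMPTY_CONTACT_STR` keeps `"empty Contact"` while `SIP_EVENT_BAD_CONTACT_STR` on the next line becomes `"contact is too long"`, and `"empty call-Id"` now sits beside the untouched `"Call-Id is too long"`. Header field names should keep their protocol spelling wherever they appear in a message, e.g. `#define SIP_EVENT_BAD_CONTACT_STR "Contact is too long"` and `#define SIP_EVENT_EMPTY_CALL_ID_STR "empty Call-Id"`. `"Invite replay attack"` is also left with a capital that is neither sentence case nor the method name `INVITE`.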
static const RuleMap smtp_rules[] =
{
- { SMTP_COMMAND_OVERFLOW, "Attempted command buffer overflow" },
- { SMTP_DATA_HDR_OVERFLOW, "Attempted data header buffer overflow" },
- { SMTP_RESPONSE_OVERFLOW, "Attempted response buffer overflow" },
- { SMTP_SPECIFIC_CMD_OVERFLOW, "Attempted specific command buffer overflow" },
- { SMTP_UNKNOWN_CMD, "Unknown command" },
- { SMTP_ILLEGAL_CMD, "Illegal command" },
- { SMTP_HEADER_NAME_OVERFLOW, "Attempted header name buffer overflow" },
- { SMTP_XLINK2STATE_OVERFLOW, "Attempted X-Link2State command buffer overflow" },
- { SMTP_B64_DECODING_FAILED, "Base64 Decoding failed" },
- { SMTP_QP_DECODING_FAILED, "Quoted-Printable Decoding failed" },
- { SMTP_UU_DECODING_FAILED, "Unix-to-Unix Decoding failed" },
+ { SMTP_COMMAND_OVERFLOW, "attempted command buffer overflow" },
+ { SMTP_DATA_HDR_OVERFLOW, "attempted data header buffer overflow" },
+ { SMTP_RESPONSE_OVERFLOW, "attempted response buffer overflow" },
+ { SMTP_SPECIFIC_CMD_OVERFLOW, "attempted specific command buffer overflow" },
+ { SMTP_UNKNOWN_CMD, "unknown command" },
+ { SMTP_ILLEGAL_CMD, "illegal command" },
+ { SMTP_HEADER_NAME_OVERFLOW, "attempted header name buffer overflow" },
+ { SMTP_XLINK2STATE_OVERFLOW, "attempted X-Link2State command buffer overflow" },
+ { SMTP_B64_DECODING_FAILED, "base64 decoding failed" },
+ { SMTP_QP_DECODING_FAILED, "quoted-printable decoding failed" },
+ { SMTP_UU_DECODING_FAILED, "Unix-to-Unix decoding failed" },
{ SMTP_AUTH_ABORT_AUTH, "Cyrus SASL authentication attack" },
- { SMTP_AUTH_COMMAND_OVERFLOW, "Attempted authentication command buffer overflow" },
+ { SMTP_AUTH_COMMAND_OVERFLOW, "attempted authentication command buffer overflow" },
{ 0, nullptr }
};
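Review bot: Nothing in this table says whether the message text is a stable interface, and this hunk rewrites twelve of its thirteen messages. If these strings reach alert output (presumably they do, given the ID-to-message pairing), any log parser, suppression list or SIEM correlation that matches on the old text will stop matching without an error. I would add a comment above `smtp_rules`, `// message text may change between releases; match alerts on the rule ID, not on this string`, and mention the rewording in the release notes. The same applies to the SIP, SSH, SSL and stream message macros changed in this commit.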
using namespace std;
#define SSH_EVENT_RESPOVERFLOW_STR \
- "Challenge-Response Overflow exploit"
+ "challenge-response overflow exploit"
#define SSH_EVENT_CRC32_STR \
"SSH1 CRC32 exploit"
#define SSH_EVENT_SECURECRT_STR \
- "Server version string overflow"
+ "server version string overflow"
#define SSH_EVENT_WRONGDIR_STR \
- "Bad message direction"
+ "bad message direction"
#define SSH_PAYLOAD_SIZE_STR \
- "Payload size incorrect for the given payload"
+ "payload size incorrect for the given payload"
#define SSH_VERSION_STR \
- "Failed to detect SSH version string"
+ "failed to detect SSH version string"
static const Parameter s_params[] =
{
using namespace std;
-#define SSL_INVALID_CLIENT_HELLO_STR "Invalid Client HELLO after Server HELLO Detected"
-#define SSL_INVALID_SERVER_HELLO_STR "Invalid Server HELLO without Client HELLO Detected"
-#define SSL_HEARTBLEED_REQUEST_STR "Heartbeat Read Overrun Attempt Detected"
-#define SSL_HEARTBLEED_RESPONSE_STR "Large Heartbeat Response Detected"
+#define SSL_INVALID_CLIENT_HELLO_STR "invalid client HELLO after server HELLO detected"
+#define SSL_INVALID_SERVER_HELLO_STR "invalid server HELLO without client HELLO detected"
+#define SSL_HEARTBLEED_REQUEST_STR "heartbeat read overrun attempt detected"
+#define SSL_HEARTBLEED_RESPONSE_STR "large heartbeat response detected"
static const Parameter s_params[] =
{
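Review bot: All four SSL messages still end in "detected", which every alert message implies and which the other messages normalised in this commit do not carry (compare `"server version string overflow"` in the SSH hunk). Dropping it would finish the normalisation, e.g. `#define SSL_HEARTBLEED_RESPONSE_STR "large heartbeat response"`. The macro names say Heartbleed but the text does not, so a short comment above the two heartbeat macros, such as `// Heartbleed: heartbeat request/response size anomalies`, would help an analyst searching by that name.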
#if 0 // OBE
#define DEFRAG_IPV6_BSD_ICMP_FRAG_STR
-"IPv6 BSD mbufs remote kernel buffer overflow"
+ "IPv6 BSD mbufs remote kernel buffer overflow"
#define DEFRAG_IPV6_BAD_FRAG_PKT_STR
-"bogus fragmentation packet, possible BSD attack"
+ "bogus fragmentation packet, possible BSD attack"
#endif
#define DEFRAG_MIN_TTL_EVASION_STR \
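Review bot: As shown here, the two `#define` lines inside `#if 0 // OBE` have no trailing backslash, unlike `DEFRAG_MIN_TTL_EVASION_STR` just below. Each macro would therefore expand to nothing and its string would be a stray token if the block were ever re-enabled. The commit only re-indents the strings; either delete the dead block or restore the continuation, `#define DEFRAG_IPV6_BSD_ICMP_FRAG_STR \` (and likewise for `DEFRAG_IPV6_BAD_FRAG_PKT_STR`). The backslash may have been lost in rendering, so check against the file. The macro list continues past the end of the hunk.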
#define STREAM_TCP_BAD_TIMESTAMP_STR \
"TCP timestamp is outside of PAWS window"
#define STREAM_TCP_BAD_SEGMENT_STR \
- "bad segment, adjusted size <= 0"
+ "bad segment, adjusted size <= 0 (deprecated)"
#define STREAM_TCP_WINDOW_TOO_LARGE_STR \
"window size (after scaling) larger than policy allows"
#define STREAM_TCP_EXCESSIVE_TCP_OVERLAPS_STR \
"limit on number of overlapping TCP packets reached"
#define STREAM_TCP_DATA_AFTER_RESET_STR \
- "data sent on stream after TCP Reset sent"
+ "data sent on stream after TCP reset sent"
#define STREAM_TCP_SESSION_HIJACKED_CLIENT_STR \
"TCP client possibly hijacked, different ethernet address"
#define STREAM_TCP_SESSION_HIJACKED_SERVER_STR \
- "TCP Server possibly hijacked, different ethernet address"
+ "TCP server possibly hijacked, different ethernet address"
#define STREAM_TCP_DATA_WITHOUT_FLAGS_STR \
"TCP data with no TCP flags set"
#define STREAM_TCP_SMALL_SEGMENT_STR \
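Review bot: Appending "(deprecated)" to `STREAM_TCP_BAD_SEGMENT_STR` puts status information into alert text without saying what it means: the hunk does not show whether the event can still fire or what replaces it. A comment at the macro would carry that better, e.g. `// deprecated: <reason>; ID retained so existing references still resolve`, with the reason filled in by the author. If the event is no longer raised, anyone relying on it for bad-segment detection needs to know which event to watch instead.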
#define STREAM_TCP_BAD_ACK_STR \
"ACK number is greater than prior FIN"
#define STREAM_TCP_DATA_AFTER_RST_RCVD_STR \
- "data sent on stream after TCP Reset received"
+ "data sent on stream after TCP reset received"
#define STREAM_TCP_WINDOW_SLAM_STR \
"TCP window closed before receiving data"
#define STREAM_TCP_NO_3WHS_STR \