<div class="literalblock">\r
<div class="content">\r
<pre><code> ,,_ -*> Snort++ <*-\r
-o" )~ Version 3.0.0 (Build 257) from 2.9.11\r
+o" )~ Version 3.0.0 (Build 258)\r
'''' By Martin Roesch & The Snort Team\r
http://snort.org/contact#team\r
Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.\r
{\r
ports = "1",\r
enable = true,\r
- min_age = 0.0,\r
- min_sync = 0.0\r
+ min_age = 0,\r
+ min_sync = 0\r
}</code></pre>\r
</div></div>\r
<div class="paragraph"><p>The <em>ports</em> item maps to the SideChannel port to use for the HA messaging.</p></div>\r
<div class="paragraph"><p>The <em>enabled</em> item controls the overall HA operation.</p></div>\r
<div class="paragraph"><p>The items min_age and min_sync are used in the stream HA logic. min_age is\r
-the number of seconds that a flow must exist in the flow cache before sending\r
+the number of milliseconds that a flow must exist in the flow cache before sending\r
HA messages to the partner. min_sync is the minimum time between HA status\r
updates. HA messages for a particular flow will not be sent faster than\r
-min_sync. Both are expressed as a floating point number of seconds.</p></div>\r
+min_sync. Both are expressed as a number of milliseconds.</p></div>\r
<div class="paragraph"><p>HA messages are composed of the base <em>stream</em> information plus any content\r
from additional modules. Modules subscribe HA in order to add message\r
content. The <em>stream</em> HA content is always present in the messages while\r
<div class="literalblock">\r
<div class="content">\r
<pre><code>alert tcp any any -> any any ( msg:"combined example"; flow:established,\r
-to_server; http_uri; content:"chocolate"; file_data;\r
-content:"sinister POST data"; sid:5; rev:1; )</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>This rule requires both the URI and the request message body. That sounds\r
-simple until one considers that the message body may be millions of bytes\r
-long. The headers with the URI may be long gone by that time.</p></div>\r
-<div class="paragraph"><p>Is this rule going to work or do we need to do something different?</p></div>\r
-<div class="paragraph"><p>It is helpful to understand when things happen. All the message headers and\r
-the first few thousand bytes of the body go through detection at the same\r
-time. Commonly this is about 16K bytes but there are several exceptions and\r
-there is no guaranteed minimum amount.</p></div>\r
-<div class="paragraph"><p>That may be all you need. In many cases that will be the entire message. Or\r
-it may be more than your request_depth/response_depth. Or this rule may\r
-simply not care what happens after that in a very long message body.</p></div>\r
-<div class="paragraph"><p>Beyond that the message body will continue to be subdivided into roughly\r
-16K-byte sections and inspected. But the previous rule will not be able to\r
-see the URI and hence will not work unless we rewrite it:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>alert tcp any any -> any any ( msg:"URI with_body"; flow:established,\r
to_server; http_uri: with_body; content:"chocolate"; file_data;\r
-content:"sinister POST data"; sid:5; rev:2; )</code></pre>\r
+content:"sinister POST data"; sid:5; rev:1; )</code></pre>\r
</div></div>\r
<div class="paragraph"><p>The with_body option to http_uri causes the URI to be made available with\r
-every body section, not just the first one. These extra inspections have a\r
-performance cost which is why they are not done automatically. with_body is\r
-an option to be used when you actually need it.</p></div>\r
+the message body. Use with_body for header-related rule options in rules\r
+that also examine the message body.</p></div>\r
<div class="paragraph"><p>The with_trailer option is analogous and causes an earlier message element\r
-to be made available at the end of the message when the trailers following a\r
-chunked body arrive.</p></div>\r
+to be made available at the end of the message when the trailers following\r
+a chunked body arrive.</p></div>\r
<div class="literalblock">\r
<div class="content">\r
<pre><code>alert tcp any any -> any any ( msg:"double content-language";\r
<div class="olist arabic"><ol class="arabic">\r
<li>\r
<p>\r
-When the first part of the request message body arrives. The request\r
-line, all of the headers, and the first part of the body all go through\r
-detection at the same time. Of course most requests don’t have a body. In\r
-that case the request line and the headers are the whole message and get\r
-done at the same time.\r
+When the the request headers arrive. The request line and all of the\r
+headers go through detection at the same time.\r
</p>\r
</li>\r
<li>\r
<p>\r
-When subsequent sections of the request message body arrive. If you want\r
-to combine this with something from the request line or headers you must\r
-use the with_body option.\r
+When sections of the request message body arrive. If you want to combine\r
+this with something from the request line or headers you must use the\r
+with_body option.\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-When the first part of the response message body arrives. The status\r
-line, all of the headers, and the first part of the body all go through\r
-detection at the same time. These may be combined with elements from the\r
-request line, request headers, or request trailers. Where ambiguity arises\r
-use the request option.\r
+When the response headers arrive. The status line and all of the headers\r
+go through detection at the same time. These may be combined with elements\r
+from the request line, request headers, or request trailers. Where\r
+ambiguity arises use the request option.\r
</p>\r
</li>\r
<li>\r
<p>\r
-When subsequent sections of the response message body arrive. These may\r
-be combined with the status line, response headers, request line, request\r
-headers, or request trailers as described above.\r
+When sections of the response message body arrive. These may be combined\r
+with the status line, response headers, request line, request headers, or\r
+request trailers as described above.\r
</p>\r
</li>\r
<li>\r
</p>\r
</li>\r
</ol></div>\r
-<div class="paragraph"><p>Message body data can only go through detection at the time it is received.\r
-Headers may be combined with later items but the body cannot.</p></div>\r
+<div class="paragraph"><p>Message body sections can only go through detection at the time they are\r
+received. Headers may be combined with later items but the body cannot.</p></div>\r
</div>\r
</div>\r
<div class="sect2">\r
</li>\r
<li>\r
<p>\r
-real <strong>high_availability.min_age</strong> = 1.0: minimum session life in seconds before HA updates { 0.0:100.0 }\r
+int <strong>high_availability.min_age</strong> = 0: minimum session life in milliseconds before HA updates { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-real <strong>high_availability.min_sync</strong> = 0.1: minimum interval in seconds between HA updates { 0.0:100.0 }\r
+int <strong>high_availability.min_sync</strong> = 0: minimum interval in milliseconds between HA updates { 0:max32 }\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
<h3 id="_host_cache">host_cache</h3>\r
-<div class="paragraph"><p>What: configure hosts</p></div>\r
+<div class="paragraph"><p>What: global LRU cache of host_tracker data about hosts</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong><code>host_cache[].size</code></strong>: size of host cache { 1:max32 }\r
+string <strong>host_cache.dump_file</strong>: file name to dump host cache on shutdown; won’t dump by default\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>host_cache.size</strong>: size of host cache { 1:max32 }\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Commands:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+<strong>host_cache.dump</strong>(file_name): dump host cache\r
</p>\r
</li>\r
</ul></div>\r
</li>\r
<li>\r
<p>\r
-int <strong>snort.-z</strong> = 1: <count> maximum number of packet threads (same as --max-packet-threads); 0 gets the number of CPU cores reported by the system; default is 1 { 0:max32 }\r
+int <strong>snort.-z</strong>: <count> maximum number of packet threads (same as --max-packet-threads); 0 gets the number of CPU cores reported by the system; default is 1 { 0:max32 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>snort.--max-packet-threads</strong> = 1: <count> configure maximum number of packet threads (same as -z) { 0:max32 }\r
+int <strong>snort.--max-packet-threads</strong>: <count> configure maximum number of packet threads (same as -z) { 0:max32 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--pcap-filter</strong>: <filter> filter to apply when getting pcaps from file or directory\r
+string <strong>snort.--pcap-filter</strong> = <strong>.*cap</strong>: <filter> filter to apply when getting pcaps from file or directory\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--talos</strong>: enable Talos inline rule test mode (same as --tweaks talos -Q -q)\r
+implied <strong>snort.--talos</strong>: enable Talos tweak (same as --tweaks talos)\r
</p>\r
</li>\r
<li>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
<div class="paragraph"><p>Usage: inspect</p></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+<strong>121:1</strong> (http2_inspect) Error in HPACK integer value\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>121:2</strong> (http2_inspect) Integer value has leading zeros\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>121:3</strong> (http2_inspect) Error in HPACK string value\r
+</p>\r
+</li>\r
+</ul></div>\r
<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>stream_tcp.no_ack</strong> = false: received data is implicitly acked immediately\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
enum <strong>stream_tcp.policy</strong> = bsd: determines operating system characteristics like reassembly { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+implied <strong>http_cookie.with_header</strong>: this rule is limited to examining HTTP message headers\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>http_cookie.with_body</strong>: parts of this rule examine HTTP message body\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+implied <strong>http_header.with_header</strong>: this rule is limited to examining HTTP message headers\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>http_header.with_body</strong>: parts of this rule examine HTTP message body\r
</p>\r
</li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
+implied <strong>http_method.with_header</strong>: this rule is limited to examining HTTP message headers\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>http_method.with_body</strong>: parts of this rule examine HTTP message body\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+implied <strong>http_raw_cookie.with_header</strong>: this rule is limited to examining HTTP message headers\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>http_raw_cookie.with_body</strong>: parts of this rule examine HTTP message body\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+implied <strong>http_raw_header.with_header</strong>: this rule is limited to examining HTTP message headers\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>http_raw_header.with_body</strong>: parts of this rule examine HTTP message body\r
</p>\r
</li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
+implied <strong>http_raw_request.with_header</strong>: this rule is limited to examining HTTP message headers\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>http_raw_request.with_body</strong>: parts of this rule examine HTTP message body\r
</p>\r
</li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
+implied <strong>http_raw_uri.with_header</strong>: this rule is limited to examining HTTP message headers\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>http_raw_uri.with_body</strong>: parts of this rule examine HTTP message body\r
</p>\r
</li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
+implied <strong>http_true_ip.with_header</strong>: this rule is limited to examining HTTP message headers\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>http_true_ip.with_body</strong>: parts of this rule examine HTTP message body\r
</p>\r
</li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
+implied <strong>http_uri.with_header</strong>: this rule is limited to examining HTTP message headers\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>http_uri.with_body</strong>: parts of this rule examine HTTP message body\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+implied <strong>http_version.with_header</strong>: this rule is limited to examining HTTP message headers\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>http_version.with_body</strong>: parts of this rule examine HTTP message body\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>--talos</strong> enable Talos inline rule test mode (same as --tweaks talos -Q -q)\r
+<strong>--talos</strong> enable Talos tweak (same as --tweaks talos)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-real <strong>high_availability.min_age</strong> = 1.0: minimum session life in seconds before HA updates { 0.0:100.0 }\r
+int <strong>high_availability.min_age</strong> = 0: minimum session life in milliseconds before HA updates { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-real <strong>high_availability.min_sync</strong> = 0.1: minimum interval in seconds between HA updates { 0.0:100.0 }\r
+int <strong>high_availability.min_sync</strong> = 0: minimum interval in milliseconds between HA updates { 0:max32 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong><code>host_cache[].size</code></strong>: size of host cache { 1:max32 }\r
+string <strong>host_cache.dump_file</strong>: file name to dump host cache on shutdown; won’t dump by default\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>host_cache.size</strong>: size of host cache { 1:max32 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+implied <strong>http_cookie.with_header</strong>: this rule is limited to examining HTTP message headers\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>http_cookie.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+implied <strong>http_header.with_header</strong>: this rule is limited to examining HTTP message headers\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>http_header.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+implied <strong>http_method.with_header</strong>: this rule is limited to examining HTTP message headers\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>http_method.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+implied <strong>http_raw_cookie.with_header</strong>: this rule is limited to examining HTTP message headers\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>http_raw_cookie.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+implied <strong>http_raw_header.with_header</strong>: this rule is limited to examining HTTP message headers\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>http_raw_header.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+implied <strong>http_raw_request.with_header</strong>: this rule is limited to examining HTTP message headers\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>http_raw_request.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+implied <strong>http_raw_uri.with_header</strong>: this rule is limited to examining HTTP message headers\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>http_raw_uri.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+implied <strong>http_true_ip.with_header</strong>: this rule is limited to examining HTTP message headers\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>http_true_ip.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+implied <strong>http_uri.with_header</strong>: this rule is limited to examining HTTP message headers\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>http_uri.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+implied <strong>http_version.with_header</strong>: this rule is limited to examining HTTP message headers\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>http_version.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>snort.--max-packet-threads</strong> = 1: <count> configure maximum number of packet threads (same as -z) { 0:max32 }\r
+int <strong>snort.--max-packet-threads</strong>: <count> configure maximum number of packet threads (same as -z) { 0:max32 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--pcap-filter</strong>: <filter> filter to apply when getting pcaps from file or directory\r
+string <strong>snort.--pcap-filter</strong> = <strong>.*cap</strong>: <filter> filter to apply when getting pcaps from file or directory\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--talos</strong>: enable Talos inline rule test mode (same as --tweaks talos -Q -q)\r
+implied <strong>snort.--talos</strong>: enable Talos tweak (same as --tweaks talos)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>snort.-z</strong> = 1: <count> maximum number of packet threads (same as --max-packet-threads); 0 gets the number of CPU cores reported by the system; default is 1 { 0:max32 }\r
+int <strong>snort.-z</strong>: <count> maximum number of packet threads (same as --max-packet-threads); 0 gets the number of CPU cores reported by the system; default is 1 { 0:max32 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>stream_tcp.no_ack</strong> = false: received data is implicitly acked immediately\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>stream_tcp.overlap_limit</strong> = 0: maximum number of allowed overlapping segments per session { 0:max32 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>121:1</strong> (http2_inspect) Error in HPACK integer value\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>121:2</strong> (http2_inspect) Integer value has leading zeros\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>121:3</strong> (http2_inspect) Error in HPACK string value\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>122:1</strong> (port_scan) TCP portscan\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>host_cache.dump</strong>(file_name): dump host cache\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>packet_capture.enable</strong>(filter): dump raw packets\r
</p>\r
</li>\r
change -> stream5_global: 'tcp_cache_pruning_timeout' ==> 'idle_timeout'\r
change -> stream5_global: 'udp_cache_nominal_timeout' ==> 'idle_timeout'\r
change -> stream5_global: 'udp_cache_pruning_timeout' ==> 'pruning_timeout'\r
+change -> stream5_ha: 'min_session_lifetime' ==> 'min_age'\r
+change -> stream5_ha: 'min_sync_interval' ==> 'min_sync'\r
+change -> stream5_ha: 'stream5_ha' ==> 'high_availability'\r
+change -> stream5_ha: 'use_daq' ==> 'daq_channel'\r
change -> stream5_ip: 'timeout' ==> 'session_timeout'\r
change -> stream5_tcp: 'bind_to' ==> 'bindings'\r
change -> stream5_tcp: 'dont_reassemble_async' ==> 'reassemble_async'\r
</li>\r
<li>\r
<p>\r
-<strong>host_cache</strong> (basic): configure hosts\r
+<strong>host_cache</strong> (basic): global LRU cache of host_tracker data about hosts\r
</p>\r
</li>\r
<li>\r
<div id="footer">\r
<div id="footer-text">\r
Last updated\r
- 2019-06-19 10:25:02 EDT\r
+ 2019-07-17 09:38:43 EDT\r
</div>\r
</div>\r
</body>\r
Snorty
,,_ -*> Snort++ <*-
-o" )~ Version 3.0.0 (Build 257) from 2.9.11
+o" )~ Version 3.0.0 (Build 258)
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
{
ports = "1",
enable = true,
- min_age = 0.0,
- min_sync = 0.0
+ min_age = 0,
+ min_sync = 0
}
The ports item maps to the SideChannel port to use for the HA
The enabled item controls the overall HA operation.
The items min_age and min_sync are used in the stream HA logic.
-min_age is the number of seconds that a flow must exist in the flow
-cache before sending HA messages to the partner. min_sync is the
+min_age is the number of milliseconds that a flow must exist in the
+flow cache before sending HA messages to the partner. min_sync is the
minimum time between HA status updates. HA messages for a particular
flow will not be sent faster than min_sync. Both are expressed as a
-floating point number of seconds.
+number of milliseconds.
HA messages are composed of the base stream information plus any
content from additional modules. Modules subscribe HA in order to add
complicated about that, but suppose we use more than one rule option:
alert tcp any any -> any any ( msg:"combined example"; flow:established,
-to_server; http_uri; content:"chocolate"; file_data;
-content:"sinister POST data"; sid:5; rev:1; )
-
-This rule requires both the URI and the request message body. That
-sounds simple until one considers that the message body may be
-millions of bytes long. The headers with the URI may be long gone by
-that time.
-
-Is this rule going to work or do we need to do something different?
-
-It is helpful to understand when things happen. All the message
-headers and the first few thousand bytes of the body go through
-detection at the same time. Commonly this is about 16K bytes but
-there are several exceptions and there is no guaranteed minimum
-amount.
-
-That may be all you need. In many cases that will be the entire
-message. Or it may be more than your request_depth/response_depth. Or
-this rule may simply not care what happens after that in a very long
-message body.
-
-Beyond that the message body will continue to be subdivided into
-roughly 16K-byte sections and inspected. But the previous rule will
-not be able to see the URI and hence will not work unless we rewrite
-it:
-
-alert tcp any any -> any any ( msg:"URI with_body"; flow:established,
to_server; http_uri: with_body; content:"chocolate"; file_data;
-content:"sinister POST data"; sid:5; rev:2; )
+content:"sinister POST data"; sid:5; rev:1; )
The with_body option to http_uri causes the URI to be made available
-with every body section, not just the first one. These extra
-inspections have a performance cost which is why they are not done
-automatically. with_body is an option to be used when you actually
-need it.
+with the message body. Use with_body for header-related rule options
+in rules that also examine the message body.
The with_trailer option is analogous and causes an earlier message
element to be made available at the end of the message when the
Let’s put all of this together. There are six opportunities to do
detection:
- 1. When the first part of the request message body arrives. The
- request line, all of the headers, and the first part of the body
- all go through detection at the same time. Of course most
- requests don’t have a body. In that case the request line and the
- headers are the whole message and get done at the same time.
- 2. When subsequent sections of the request message body arrive. If
- you want to combine this with something from the request line or
- headers you must use the with_body option.
+ 1. When the the request headers arrive. The request line and all of
+ the headers go through detection at the same time.
+ 2. When sections of the request message body arrive. If you want to
+ combine this with something from the request line or headers you
+ must use the with_body option.
3. When the request trailers arrive. If you want to combine this
with something from the request line or headers you must use the
with_trailer option.
- 4. When the first part of the response message body arrives. The
- status line, all of the headers, and the first part of the body
- all go through detection at the same time. These may be combined
- with elements from the request line, request headers, or request
- trailers. Where ambiguity arises use the request option.
- 5. When subsequent sections of the response message body arrive.
- These may be combined with the status line, response headers,
- request line, request headers, or request trailers as described
- above.
+ 4. When the response headers arrive. The status line and all of the
+ headers go through detection at the same time. These may be
+ combined with elements from the request line, request headers, or
+ request trailers. Where ambiguity arises use the request option.
+ 5. When sections of the response message body arrive. These may be
+ combined with the status line, response headers, request line,
+ request headers, or request trailers as described above.
6. When the response trailers arrive. Again these may be combined as
described above.
-Message body data can only go through detection at the time it is
-received. Headers may be combined with later items but the body
+Message body sections can only go through detection at the time they
+are received. Headers may be combined with later items but the body
cannot.
data plane channel
* bit_list high_availability.ports: side channel message port list
{ 65535 }
- * real high_availability.min_age = 1.0: minimum session life in
- seconds before HA updates { 0.0:100.0 }
- * real high_availability.min_sync = 0.1: minimum interval in
- seconds between HA updates { 0.0:100.0 }
+ * int high_availability.min_age = 0: minimum session life in
+ milliseconds before HA updates { 0:max32 }
+ * int high_availability.min_sync = 0: minimum interval in
+ milliseconds between HA updates { 0:max32 }
Peg counts:
--------------
-What: configure hosts
+What: global LRU cache of host_tracker data about hosts
Type: basic
Configuration:
- * int host_cache[].size: size of host cache { 1:max32 }
+ * string host_cache.dump_file: file name to dump host cache on
+ shutdown; won’t dump by default
+ * int host_cache.size: size of host cache { 1:max32 }
+
+Commands:
+
+ * host_cache.dump(file_name): dump host cache
Peg counts:
* implied snort.-x: same as --pedantic
* implied snort.-y: include year in timestamp in the alert and log
files
- * int snort.-z = 1: <count> maximum number of packet threads (same
- as --max-packet-threads); 0 gets the number of CPU cores reported
- by the system; default is 1 { 0:max32 }
+ * int snort.-z: <count> maximum number of packet threads (same as
+ --max-packet-threads); 0 gets the number of CPU cores reported by
+ the system; default is 1 { 0:max32 }
* implied snort.--alert-before-pass: evaluate alert rules before
pass rules; default is pass rules first
* string snort.--bpf: <filter options> are standard BPF options, as
* int snort.--logid: <0xid> log Identifier to uniquely id events
for multiple snorts (same as -G) { 0:65535 }
* implied snort.--markup: output help in asciidoc compatible format
- * int snort.--max-packet-threads = 1: <count> configure maximum
- number of packet threads (same as -z) { 0:max32 }
+ * int snort.--max-packet-threads: <count> configure maximum number
+ of packet threads (same as -z) { 0:max32 }
* implied snort.--mem-check: like -T but also compile search
engines
* implied snort.--nostamps: don’t include timestamps in log file
to read - read mode is implied
* string snort.--pcap-dir: <dir> a directory to recurse to look for
pcaps - read mode is implied
- * string snort.--pcap-filter: <filter> filter to apply when getting
- pcaps from file or directory
+ * string snort.--pcap-filter = .*cap: <filter> filter to apply when
+ getting pcaps from file or directory
* int snort.--pcap-loop: <count> read all pcaps <count> times; 0
will read until Snort is terminated { 0:max32 }
* implied snort.--pcap-no-filter: reset to use no filter when
-s) { 68:65535 }
* implied snort.--stdin-rules: read rules from stdin until EOF or a
line starting with END is read
- * implied snort.--talos: enable Talos inline rule test mode (same
- as --tweaks talos -Q -q)
+ * implied snort.--talos: enable Talos tweak (same as --tweaks
+ talos)
* implied snort.--treat-drop-as-alert: converts drop, block, and
reset rules into alert rules when loaded
* implied snort.--treat-drop-as-ignore: use drop, block, and reset
Rules:
+ * 121:1 (http2_inspect) Error in HPACK integer value
+ * 121:2 (http2_inspect) Integer value has leading zeros
+ * 121:3 (http2_inspect) Error in HPACK string value
+
Peg counts:
* http2_inspect.flows: HTTP connections inspected (sum)
overlapping segments per session { 0:max32 }
* int stream_tcp.max_pdu = 16384: maximum reassembled PDU size {
1460:32768 }
+ * bool stream_tcp.no_ack = false: received data is implicitly acked
+ immediately
* enum stream_tcp.policy = bsd: determines operating system
characteristics like reassembly { first | last | linux |
old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 |
* implied http_cookie.request: match against the cookie from the
request message even when examining the response
+ * implied http_cookie.with_header: this rule is limited to
+ examining HTTP message headers
* implied http_cookie.with_body: parts of this rule examine HTTP
message body
* implied http_cookie.with_trailer: parts of this rule examine HTTP
is case insensitive.
* implied http_header.request: match against the headers from the
request message even when examining the response
+ * implied http_header.with_header: this rule is limited to
+ examining HTTP message headers
* implied http_header.with_body: parts of this rule examine HTTP
message body
* implied http_header.with_trailer: parts of this rule examine HTTP
Configuration:
+ * implied http_method.with_header: this rule is limited to
+ examining HTTP message headers
* implied http_method.with_body: parts of this rule examine HTTP
message body
* implied http_method.with_trailer: parts of this rule examine HTTP
* implied http_raw_cookie.request: match against the cookie from
the request message even when examining the response
+ * implied http_raw_cookie.with_header: this rule is limited to
+ examining HTTP message headers
* implied http_raw_cookie.with_body: parts of this rule examine
HTTP message body
* implied http_raw_cookie.with_trailer: parts of this rule examine
* implied http_raw_header.request: match against the headers from
the request message even when examining the response
+ * implied http_raw_header.with_header: this rule is limited to
+ examining HTTP message headers
* implied http_raw_header.with_body: parts of this rule examine
HTTP message body
* implied http_raw_header.with_trailer: parts of this rule examine
Configuration:
+ * implied http_raw_request.with_header: this rule is limited to
+ examining HTTP message headers
* implied http_raw_request.with_body: parts of this rule examine
HTTP message body
* implied http_raw_request.with_trailer: parts of this rule examine
Configuration:
+ * implied http_raw_uri.with_header: this rule is limited to
+ examining HTTP message headers
* implied http_raw_uri.with_body: parts of this rule examine HTTP
message body
* implied http_raw_uri.with_trailer: parts of this rule examine
Configuration:
+ * implied http_true_ip.with_header: this rule is limited to
+ examining HTTP message headers
* implied http_true_ip.with_body: parts of this rule examine HTTP
message body
* implied http_true_ip.with_trailer: parts of this rule examine
Configuration:
+ * implied http_uri.with_header: this rule is limited to examining
+ HTTP message headers
* implied http_uri.with_body: parts of this rule examine HTTP
message body
* implied http_uri.with_trailer: parts of this rule examine HTTP
* implied http_version.request: match against the version from the
request message even when examining the response
+ * implied http_version.with_header: this rule is limited to
+ examining HTTP message headers
* implied http_version.with_body: parts of this rule examine HTTP
message body
* implied http_version.with_trailer: parts of this rule examine
* --snaplen <snap> set snaplen of packet (same as -s) (68:65535)
* --stdin-rules read rules from stdin until EOF or a line starting
with END is read
- * --talos enable Talos inline rule test mode (same as --tweaks
- talos -Q -q)
+ * --talos enable Talos tweak (same as --tweaks talos)
* --treat-drop-as-alert converts drop, block, and reset rules into
alert rules when loaded
* --treat-drop-as-ignore use drop, block, and reset rules to ignore
* bool high_availability.daq_channel = false: enable use of daq
data plane channel
* bool high_availability.enable = false: enable high availability
- * real high_availability.min_age = 1.0: minimum session life in
- seconds before HA updates { 0.0:100.0 }
- * real high_availability.min_sync = 0.1: minimum interval in
- seconds between HA updates { 0.0:100.0 }
+ * int high_availability.min_age = 0: minimum session life in
+ milliseconds before HA updates { 0:max32 }
+ * int high_availability.min_sync = 0: minimum interval in
+ milliseconds between HA updates { 0:max32 }
* bit_list high_availability.ports: side channel message port list
{ 65535 }
- * int host_cache[].size: size of host cache { 1:max32 }
+ * string host_cache.dump_file: file name to dump host cache on
+ shutdown; won’t dump by default
+ * int host_cache.size: size of host cache { 1:max32 }
* enum hosts[].frag_policy: defragmentation policy { first | linux
| bsd | bsd_right | last | windows | solaris }
* addr hosts[].ip = 0.0.0.0/32: hosts address / CIDR
request message even when examining the response
* implied http_cookie.with_body: parts of this rule examine HTTP
message body
+ * implied http_cookie.with_header: this rule is limited to
+ examining HTTP message headers
* implied http_cookie.with_trailer: parts of this rule examine HTTP
message trailers
* string http_header.field: restrict to given header. Header name
request message even when examining the response
* implied http_header.with_body: parts of this rule examine HTTP
message body
+ * implied http_header.with_header: this rule is limited to
+ examining HTTP message headers
* implied http_header.with_trailer: parts of this rule examine HTTP
message trailers
* bool http_inspect.accelerated_blocking = false: inspect
characters to a single byte
* implied http_method.with_body: parts of this rule examine HTTP
message body
+ * implied http_method.with_header: this rule is limited to
+ examining HTTP message headers
* implied http_method.with_trailer: parts of this rule examine HTTP
message trailers
* implied http_raw_cookie.request: match against the cookie from
the request message even when examining the response
* implied http_raw_cookie.with_body: parts of this rule examine
HTTP message body
+ * implied http_raw_cookie.with_header: this rule is limited to
+ examining HTTP message headers
* implied http_raw_cookie.with_trailer: parts of this rule examine
HTTP message trailers
* implied http_raw_header.request: match against the headers from
the request message even when examining the response
* implied http_raw_header.with_body: parts of this rule examine
HTTP message body
+ * implied http_raw_header.with_header: this rule is limited to
+ examining HTTP message headers
* implied http_raw_header.with_trailer: parts of this rule examine
HTTP message trailers
* implied http_raw_request.with_body: parts of this rule examine
HTTP message body
+ * implied http_raw_request.with_header: this rule is limited to
+ examining HTTP message headers
* implied http_raw_request.with_trailer: parts of this rule examine
HTTP message trailers
* implied http_raw_status.with_body: parts of this rule examine
only
* implied http_raw_uri.with_body: parts of this rule examine HTTP
message body
+ * implied http_raw_uri.with_header: this rule is limited to
+ examining HTTP message headers
* implied http_raw_uri.with_trailer: parts of this rule examine
HTTP message trailers
* implied http_stat_code.with_body: parts of this rule examine HTTP
response message headers (must be combined with request)
* implied http_true_ip.with_body: parts of this rule examine HTTP
message body
+ * implied http_true_ip.with_header: this rule is limited to
+ examining HTTP message headers
* implied http_true_ip.with_trailer: parts of this rule examine
HTTP message trailers
* implied http_uri.fragment: match against fragment section of URI
* implied http_uri.scheme: match against scheme section of URI only
* implied http_uri.with_body: parts of this rule examine HTTP
message body
+ * implied http_uri.with_header: this rule is limited to examining
+ HTTP message headers
* implied http_uri.with_trailer: parts of this rule examine HTTP
message trailers
* implied http_version.request: match against the version from the
request message even when examining the response
* implied http_version.with_body: parts of this rule examine HTTP
message body
+ * implied http_version.with_header: this rule is limited to
+ examining HTTP message headers
* implied http_version.with_trailer: parts of this rule examine
HTTP message trailers
* interval icmp_id.~range: check if ICMP ID is in given range {
* string snort.--lua: <chunk> extend/override conf with chunk; may
be repeated
* implied snort.--markup: output help in asciidoc compatible format
- * int snort.--max-packet-threads = 1: <count> configure maximum
- number of packet threads (same as -z) { 0:max32 }
+ * int snort.--max-packet-threads: <count> configure maximum number
+ of packet threads (same as -z) { 0:max32 }
* implied snort.--mem-check: like -T but also compile search
engines
* implied snort.-M: log messages to syslog (not alerts)
pcaps - read mode is implied
* string snort.--pcap-file: <file> file that contains a list of
pcaps to read - read mode is implied
- * string snort.--pcap-filter: <filter> filter to apply when getting
- pcaps from file or directory
+ * string snort.--pcap-filter = .*cap: <filter> filter to apply when
+ getting pcaps from file or directory
* string snort.--pcap-list: <list> a space separated list of pcaps
to read - read mode is implied
* int snort.--pcap-loop: <count> read all pcaps <count> times; 0
* implied snort.--stdin-rules: read rules from stdin until EOF or a
line starting with END is read
* string snort.-S: <x=v> set config variable x equal to value v
- * implied snort.--talos: enable Talos inline rule test mode (same
- as --tweaks talos -Q -q)
+ * implied snort.--talos: enable Talos tweak (same as --tweaks
+ talos)
* string snort.-t: <dir> chroots process to <dir> after
initialization
* int snort.trace: mask for enabling debug traces in module {
* implied snort.-x: same as --pedantic
* implied snort.-y: include year in timestamp in the alert and log
files
- * int snort.-z = 1: <count> maximum number of packet threads (same
- as --max-packet-threads); 0 gets the number of CPU cores reported
- by the system; default is 1 { 0:max32 }
+ * int snort.-z: <count> maximum number of packet threads (same as
+ --max-packet-threads); 0 gets the number of CPU cores reported by
+ the system; default is 1 { 0:max32 }
* string so.~func: name of eval function
* string soid.~: SO rule ID is unique key, eg <gid>_<sid>_<rev>
like 3_45678_9
1460:32768 }
* int stream_tcp.max_window = 0: maximum allowed TCP window {
0:1073725440 }
+ * bool stream_tcp.no_ack = false: received data is implicitly acked
+ immediately
* int stream_tcp.overlap_limit = 0: maximum number of allowed
overlapping segments per session { 0:max32 }
* enum stream_tcp.policy = bsd: determines operating system
value
* 119:248 (http_inspect) gzip compressed data followed by
unexpected non-gzip data
+ * 121:1 (http2_inspect) Error in HPACK integer value
+ * 121:2 (http2_inspect) Integer value has leading zeros
+ * 121:3 (http2_inspect) Error in HPACK string value
* 122:1 (port_scan) TCP portscan
* 122:2 (port_scan) TCP decoy portscan
* 122:3 (port_scan) TCP portsweep
* appid.enable_debug(proto, src_ip, src_port, dst_ip, dst_port):
enable appid debugging
* appid.disable_debug(): disable appid debugging
+ * host_cache.dump(file_name): dump host cache
* packet_capture.enable(filter): dump raw packets
* packet_capture.disable(): stop packet dump
* packet_tracer.enable(proto, src_ip, src_port, dst_ip, dst_port):
change -> stream5_global: 'tcp_cache_pruning_timeout' ==> 'idle_timeout'
change -> stream5_global: 'udp_cache_nominal_timeout' ==> 'idle_timeout'
change -> stream5_global: 'udp_cache_pruning_timeout' ==> 'pruning_timeout'
+change -> stream5_ha: 'min_session_lifetime' ==> 'min_age'
+change -> stream5_ha: 'min_sync_interval' ==> 'min_sync'
+change -> stream5_ha: 'stream5_ha' ==> 'high_availability'
+change -> stream5_ha: 'use_daq' ==> 'daq_channel'
change -> stream5_ip: 'timeout' ==> 'session_timeout'
change -> stream5_tcp: 'bind_to' ==> 'bindings'
change -> stream5_tcp: 'dont_reassemble_async' ==> 'reassemble_async'
* gtp_version (ips_option): rule option to check GTP version
* high_availability (basic): implement flow tracking high
availability
- * host_cache (basic): configure hosts
+ * host_cache (basic): global LRU cache of host_tracker data about
+ hosts
* host_tracker (basic): configure hosts
* hosts (basic): configure hosts
* http2_frame_data (ips_option): rule option to see HTTP/2 frame
projects / thirdparty / snort3.git / commitdiff
