From: Priyanka Bangalore Gurudev (prbg) Date: Wed, 12 Mar 2025 19:20:10 +0000 (+0000) Subject: Pull request #4661: build: generate and tag 3.7.1.0 X-Git-Tag: 3.7.1.0 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6a11279883a8584e06ad9ab2df162c639961cd61;p=thirdparty%2Fsnort3.git Pull request #4661: build: generate and tag 3.7.1.0 Merge in SNORT/snort3 from ~PRBG/snort3:build__3.7.1.0 to master Squashed commit of the following: commit 69333ea7033b53c5bf730daba90f8a04ecb9e62a Author: Priyanka Gurudev Date: Wed Mar 12 00:30:17 2025 -0400 build: generate and tag 3.7.1.0 --- diff --git a/CMakeLists.txt b/CMakeLists.txt index 6123cabba..643775375 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -3,7 +3,7 @@ project (snort CXX C) set (VERSION_MAJOR 3) set (VERSION_MINOR 7) -set (VERSION_PATCH 0) +set (VERSION_PATCH 1) set (VERSION_SUBLEVEL 0) set (VERSION "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}.${VERSION_SUBLEVEL}") diff --git a/ChangeLog.md b/ChangeLog.md index 73f14459f..bbb452825 100644 --- a/ChangeLog.md +++ b/ChangeLog.md 
@@ -1,3 +1,44 @@ +2025-03-11: 3.7.1.0 + +* appid: added publishing of domain fronting event +* appid: adding general appid support and encrypted dns +* appid: adding log while creating third party context to monitor hanging +* appid: change get_appid_session_api to use the stash +* appid: convert appid flow data to use objects +* appid: fixes for coverity and cppcheck issues +* appid: implemented domain fronting support for shadow traffic +* appid: implemented support for shadow traffic evasive vpn & multihop proxy +* build: add version check for numactl +* copyright: update year to 2025 +* detection: fix leave_group call which should be against current packet only +* extractor: add configuration option for time formatting +* extractor: add escaping for special characters +* extractor: add support for file name and type for mime +* extractor: add tenant id as common field +* extractor: add time formatting in loggers +* extractor: dns support +* extractor: fix spelling +* extractor: print null for fields that require missing packet context +* extractor: remove obsolete includes +* file_api: add log message for reset ctx +* file_api: file event generated for asymmetric flow +* file_api, http_inspect: add info about partial download to FileInfo +* file_api: making sha256 point to null to avoid dangling cases +* file_api: setting current file data inside mutex with file data received before accessing it +* ftp_telnet: flow data creation when port command is issued for active ftp +* helpers: add missing include for unit tests +* ips: fix tsan issue with logging rule tree construction +* main: allow toggling generation of instance_map output +* main: snort --create-pidfile cmd line parameter update and support for --max-peers command line parameter implemented +* network_inspectors: rename kaizen to snort_ml +* pub_sub: add ips rule event for extractor +* pub_sub: changes for domain faking for shadowtraffic_aggregator +* snort_ml: build models into a BinaryClassifierSet 
+* stream_tcp: changed asymmetric flows counter increment conditions +* thread_config: add option for setting NUMA memory policy +* thread_config: fix numa build issue +* utils: add is_directory_path + 2025-02-04: 3.7.0.0 * extractor: add default filter diff --git a/cmake/FindDAQ.cmake b/cmake/FindDAQ.cmake index 3e9d200ac..24238ac88 100644 --- a/cmake/FindDAQ.cmake +++ b/cmake/FindDAQ.cmake @@ -16,7 +16,7 @@ This module defines: #]=======================================================================] find_package(PkgConfig) -pkg_check_modules(PC_DAQ libdaq>=3.0.18) +pkg_check_modules(PC_DAQ libdaq>=3.0.19) # Use DAQ_INCLUDE_DIR_HINT and DAQ_LIBRARIES_DIR_HINT from configure_cmake.sh as primary hints # and then package config information after that. diff --git a/doc/reference/snort_reference.text b/doc/reference/snort_reference.text index e232e06f1..caf4979c1 100644 --- a/doc/reference/snort_reference.text +++ b/doc/reference/snort_reference.text @@ -8,7 +8,7 @@ Snort 3 Reference Manual The Snort Team Revision History -Revision 3.7.0.0 2025-02-04 17:21:58 EST TST +Revision 3.7.1.0 2025-03-12 00:16:10 EDT TST --------------------------------------------------------------------- @@ -1344,8 +1344,8 @@ Configuration: (seconds, 0 to disable) { 0:60 } * int process.watchdog_min_thread_count = 1: minimum unresponsive threads for watchdog to trigger { 1:65535 } - * string process.numa_memory_policy = "preferred": set - default|preferred|bind|local memory policy for NUMA + * string process.numa_memory_policy = preferred: set default| + preferred|bind|local memory policy for NUMA 2.27. profiler 
@@ -1600,8 +1600,12 @@ Configuration: seen in TCPDump * string snort.--c2x: output hex for given char (see also --x2c) * string snort.--control-socket: to create unix socket - * implied snort.--create-pidfile: create PID file, even when not in - Daemon mode + * implied snort.--create-instance-file: create instance mappings + file for this Snort process at startup + * string snort.--create-pidfile: create PID file, even when not in + Daemon mode { (optional) } + * int snort.--max-procs: number of simultaneous Snort processes { + 1: } * string snort.--daq: select packet acquisition module (default is pcap) * int snort.--daq-batch-size: set the DAQ receive batch @@ -3593,10 +3597,12 @@ Configuration: * enum extractor.formatting = csv: output format for extractor { csv | json } * string extractor.connector: output destination for extractor + * enum extractor.time = unix: output format for timestamp values { + snort | snort_yy | unix | unix_s | unix_us } * enum extractor.default_filter = pick: default action for protocol with no filter provided { pick | skip } * enum extractor.protocols[].service: service to extract from { - http | ftp | conn } + http | ftp | conn | dns } * int extractor.protocols[].tenant_id = 0: tenant_id of target tenant { 0:max32 } * string extractor.protocols[].on_events: specify events to log @@ -5679,7 +5685,7 @@ Instance Type: global Configuration: - * string snort_ml_engine.http_param_model: path to the model file + * string snort_ml_engine.http_param_model: path to model file(s) 5.47. so_proxy 
@@ -9278,7 +9284,11 @@ libraries see the Getting Started section of the manual. TCPDump * --c2x output hex for given char (see also --x2c) * --control-socket to create unix socket + * --create-instance-file create instance mappings file for this + Snort process at startup * --create-pidfile create PID file, even when not in Daemon mode + (optional) + * --max-procs number of simultaneous Snort processes (1:) * --daq select packet acquisition module (default is pcap) * --daq-batch-size set the DAQ receive batch size; default is 64 (1:) @@ -9877,9 +9887,11 @@ libraries see the Getting Started section of the manual. * string extractor.protocols[].fields: specify fields to log * string extractor.protocols[].on_events: specify events to log * enum extractor.protocols[].service: service to extract from { - http | ftp | conn } + http | ftp | conn | dns } * int extractor.protocols[].tenant_id = 0: tenant_id of target tenant { 0:max32 } + * enum extractor.time = unix: output format for timestamp values { + snort | snort_yy | unix | unix_s | unix_us } * string file_connector[].connector: connector name * enum file_connector[].direction: usage { receive | transmit | duplex } @@ -10748,6 +10760,8 @@ libraries see the Getting Started section of the manual. * string process.chroot: set chroot directory (same as -t) * bool process.daemon = false: fork as a daemon (same as -D) * bool process.dirty_pig = false: shutdown without internal cleanup + * string process.numa_memory_policy = preferred: set default| + preferred|bind|local memory policy for NUMA * string process.set_gid: set group ID (same as -g) * string process.set_uid: set user ID (same as -u) * string process.threads[].cpuset: pin the associated thread to 
@@ -10765,8 +10779,6 @@ libraries see the Getting Started section of the manual. threads for watchdog to trigger { 1:65535 } * int process.watchdog_timer = 0: watchdog timer for packet threads (seconds, 0 to disable) { 0:60 } - * string process.numa_memory_policy = "preferred": set - default|preferred|bind|local memory policy for NUMA * int profiler.memory.count = 0: limit results to count items per level (0 = no limit) { 0:max32 } * int profiler.memory.dump_file_size = 1073741824: files will be @@ -11090,8 +11102,10 @@ libraries see the Getting Started section of the manual. * string snort.--control-socket: to create unix socket * implied snort.-C: print out payloads with character data only (no hex) - * implied snort.--create-pidfile: create PID file, even when not in - Daemon mode + * implied snort.--create-instance-file: create instance mappings + file for this Snort process at startup + * string snort.--create-pidfile: create PID file, even when not in + Daemon mode { (optional) } * int snort.--daq-batch-size: set the DAQ receive batch size; default is 64 { 1: } * string snort.--daq-dir: tell snort where to find desired 
@@ -11193,13 +11207,15 @@ libraries see the Getting Started section of the manual. * implied snort.--markup: output help in asciidoc compatible format * int snort.--max-packet-threads: configure maximum number of packet threads (same as -z) { 0:max32 } + * int snort.--max-procs: number of simultaneous Snort processes { + 1: } * implied snort.--mem-check: like -T but also compile search engines * string snort.--metadata-filter: load only rules containing filter string in metadata if set * int snort_ml.client_body_depth = 0: number of input HTTP client body bytes to scan (-1 unlimited) { -1:max31 } - * string snort_ml_engine.http_param_model: path to the model file + * string snort_ml_engine.http_param_model: path to model file(s) * real snort_ml.http_param_threshold = 0.95: alert threshold for http_param_model { 0:1 } * implied snort.-M: log messages to syslog (not alerts) diff --git a/doc/upgrade/snort_upgrade.text b/doc/upgrade/snort_upgrade.text index 231e62d98..67b4f4b9d 100644 --- a/doc/upgrade/snort_upgrade.text +++ b/doc/upgrade/snort_upgrade.text @@ -8,7 +8,7 @@ Snort 3 Upgrade Manual The Snort Team Revision History -Revision 3.7.0.0 2025-02-04 17:22:43 EST TST +Revision 3.7.1.0 2025-03-12 00:16:50 EDT TST --------------------------------------------------------------------- diff --git a/doc/user/snort_user.text b/doc/user/snort_user.text index e78cd36a2..737c25657 100644 --- a/doc/user/snort_user.text +++ b/doc/user/snort_user.text @@ -8,7 +8,7 @@ Snort 3 User Manual The Snort Team Revision History -Revision 3.7.0.0 2025-02-04 17:22:15 EST TST +Revision 3.7.1.0 2025-03-12 00:16:23 EDT TST --------------------------------------------------------------------- 
@@ -5836,6 +5836,7 @@ The module’s configuration consists of two parts: + formatting - log record format + connector - Connector object through which logs will be sent. See Connectors page for more details. + + time - timestamp format * protocol-targeted parameters bind the targeted service and events with filters and a set of fields to log @@ -5857,15 +5858,27 @@ extractor = protocols = { - { service = 'http', tenant_id = 1, on_events = 'eot', fields = 'ts, uri, host, method' }, - { service = 'ftp', tenant_id = 1, on_events = 'request', fields = 'ts, command, arg' }, - { service = 'http', tenant_id = 2, on_events = 'eot', fields = 'ts, uri' }, - { service = 'conn', tenant_id = 1, on_events = 'eof', fields = 'ts, uid, service' } + { service = 'http', on_events = 'eot', fields = 'ts, uri, host, method' }, + { service = 'ftp', on_events = 'request', fields = 'ts, command, arg' }, + { service = 'http', on_events = 'eot', fields = 'ts, uri' }, + { service = 'conn', on_events = 'eof', fields = 'ts, uid, service' }, + { service = 'dns', on_events = 'response', fields = 'ts, uid, query, answers' } } } 5.18.2. Supported Parameters +Timestamp formats: + + * snort prints timestamp as in IPS events (see snort command line + options -U and -y) (string ts field) + * snort_yy same as above, but using YYYY-MM-DD format (string ts + field) + * unix prints UTC time in seconds (integer part) and microseconds + (fractional part) (floating ts field) + * unix_s prints UTC time in seconds (integer ts field) + * unix_us prints UTC time in microseconds (integer ts field) + Services and their events: * HTTP, HTTP2 @@ -5877,6 +5890,9 @@ Services and their events: + response + eot (a session defined by the following commands: APPE, DELE, RETR, STOR, STOU, ACCT, PORT, PASV, EPRT, EPSV) + * DNS + + + response * connection (conn) + eof (end of flow) 
@@ -5891,6 +5907,7 @@ Common fields available for every service: * id.resp_h - server IP address * id.resp_p - server TCP port * pkt_num - packet number + * tenant_id - tenant identifier Fields supported for HTTP: @@ -5905,6 +5922,20 @@ Fields supported for HTTP: * status_msg - status message returned by server * trans_depth - number of request-response pairs seen in the session + * request_body_len - length of the body, decompressed and + normalized, of the HTTP request + * response_body_len - length of the body, decompressed and + normalized, of the HTTP response + * info_code - last informational status code returned by the server + * info_msg - last informational reason phrase returned by the + server + * proxied - list with the headers associated with proxied requests + * orig_filenames - list with the names of the files sent by client + * resp_filenames - list with the names of the files sent by server + * orig_mime_types - list with the content types of the files sent + by client + * resp_mime_types - list with the content types of the files sent + by server Fields supported for FTP: 
@@ -5919,6 +5950,35 @@ Fields supported for FTP: * data_channel.resp_h - IP address of data channel receiving point * data_channel.resp_p - TCP port of data channel receiving point +Fields supported for DNS: + + * proto - transport protocol for DNS connection + * trans_id - A 16 bit identifier assigned by the program that + generates the query + * query - The domain name that is the subject of this DNS + transaction + * qclass - A 16 bit integer that specifies the class of the query + * qclass_name - A descriptive name for the class of the query + * qtype - A 16 bit integer that specifies the type of the query + * qtype_name - A descriptive name for the type of the query + * rcode - A 16 bit integer that specifies the response code to the + query + * rcode_name - A descriptive name for the response code to the + query + * AA - A boolean, true when this is an Authoritative Answer to the + query + * TC - A boolean, true when the message was truncated due to UDP + PDU size limits + * RD - A boolean, true when the client asks the server to pursue + the query recursively + * RA - A boolean, denotes the availability of recursive query + support at the server + * Z - A 3 bit integer set to 0 unless DNSSEC is used (see RFC 2535) + * answers - The list of answers to the query, only A and AAAA types + are currently supported + * rejected - A boolean, true when the server responds with an error + code and no query + Fields supported for connection: * duration - connection duration in seconds
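Review bot: the cmake/FindDAQ.cmake hunk raises the minimum from `libdaq>=3.0.18` to `libdaq>=3.0.19`, but nothing in the 3.7.1.0 ChangeLog block records it and doc/upgrade/snort_upgrade.text only gets a revision-line bump, so someone rebuilding against an installed 3.0.18 first learns of the new floor when `pkg_check_modules` fails at configure time. Add a `build: require libdaq 3.0.19` line next to `build: add version check for numactl` in ChangeLog.md and a sentence in the upgrade manual naming the new minimum.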
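Review bot: the ChangeLog entry `main: snort --create-pidfile cmd line parameter update and support for --max-peers command line parameter implemented` names an option that does not exist anywhere in the regenerated reference, which documents `int snort.--max-procs: number of simultaneous Snort processes { 1: }` in all three of its option listings. Make the ChangeLog match the real option name, and split the entry into one line for `--create-pidfile` and one for `--max-procs` so it follows the one-change-per-line style of the rest of the list (and can be found by grepping for the flag).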
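Review bot: in the snort_reference.text hunks at 1344, 10748 and 10765, `process.numa_memory_policy` is typed `string` with the allowed values only spelled out in the help text (`set default| preferred|bind|local memory policy for NUMA`), whereas the same document declares comparable choices as `enum` with a `{ a | b }` value set (`enum extractor.formatting = csv: ... { csv | json }`). Declaring it as an enum in the thread_config parameter table would make a typo such as `bind2` fail at config validation (`-T`) instead of at startup, and the generator would then render the value list itself rather than this hand-wrapped string, which as emitted breaks the list at `default|` across a line and reads as a continuation.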
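Review bot: in the command-line hunks at 1600, 9278 and 11090, `--create-pidfile` changes from `implied` to `string ... { (optional) }` but its help text still reads `create PID file, even when not in Daemon mode`, which says nothing about what the optional string is or what path is used when it is omitted; `--create-instance-file` says it writes an "instance mappings file" without saying where or in what format; and `--max-procs` gives no hint of how it relates to those two files. These strings come from the option definitions rather than from hand edits to the manual, so fix them at the source so all three regenerated sections pick them up. For `--create-pidfile` in particular, state whether the path is taken before or after `process.set_uid`/`process.set_gid` and `process.chroot` apply, since the file is normally written while still privileged and an operator pointing it into a shared directory needs to know which uid owns the result.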
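Review bot: `string snort_ml_engine.http_param_model: path to model file(s)` (hunks at 5679 and 11193) leaves it unclear whether the parameter now accepts a directory, a glob or a delimited list; the ChangeLog lines `snort_ml: build models into a BinaryClassifierSet` and `utils: add is_directory_path` suggest a directory, but the help text should say so and say in what order the files are loaded, because `snort_ml.http_param_threshold` is documented as the `alert threshold for http_param_model` and an operator tuning it needs to know which model's score is being compared.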
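Review bot: the snort_user.text hunk at 5857 strips `tenant_id = 1`/`tenant_id = 2` from every entry of the configuration example, so the example no longer shows how `extractor.protocols[].tenant_id` (still documented with default 0 at 3593 and 9877) is meant to be used, and the two `service = 'http', on_events = 'eot'` entries, previously distinguished by tenant, now differ only in `fields` and leave the reader guessing whether the second overrides, merges with or conflicts with the first. Keep one entry with a non-zero tenant_id and say what an entry without one matches. In the same hunk, the `unix` timestamp format is described as a "floating ts field" carrying seconds and microseconds; state how many fractional digits are printed, since a consumer cannot otherwise tell whether the microsecond part survives formatting, and note under `snort` that the output depends on the global `-U`/`-y` settings, so two sensors can emit different string layouts for the same configured `time = snort`.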
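Review bot: the "Services and their events" hunk at 5877 lists `response` as the only DNS event, so a query that never receives a reply (dropped upstream, or a tunnelling client that does not care about the answer) produces no extractor record at all; the section should say this explicitly, and if queries are deliberately out of scope, point to `conn`/`eof` as the only trace such a flow leaves.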
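Review bot: in the HTTP fields hunk at 5905, `proxied - list with the headers associated with proxied requests` does not say which request headers qualify or whether the list carries header names or name/value pairs, which is the first thing an analyst correlating `id.orig_h` with a client behind a proxy will ask; name the header set, or reference where http_inspect defines it. `request_body_len`/`response_body_len` are correctly described as "decompressed and normalized", but it is worth one clause saying they therefore need not equal the Content-Length seen on the wire, since mismatches are exactly what people will try to alert on.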
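Review bot: several descriptions in the DNS fields hunk at 5919 are inaccurate or underspecified. `rcode` is described as "A 16 bit integer"; the header RCODE is 4 bits, extended to 12 with an EDNS0 OPT record, so say which one is emitted. `Z - A 3 bit integer set to 0 unless DNSSEC is used (see RFC 2535)` cites an obsoleted RFC; the bits in question are the reserved Z bit plus AD and CD, defined today by RFC 4035, and exposing AD and CD as booleans alongside `AA`/`TC`/`RD`/`RA` would be more useful than a packed integer. `answers - ... only A and AAAA types are currently supported` should state what is printed for a response whose records are all other types (empty list or null, given the ChangeLog line `extractor: print null for fields that require missing packet context`), and `rejected - true when the server responds with an error code and no query` presumably means an empty question section; say so. Finally `AA`, `TC`, `RD`, `RA` and `Z` are the only upper-case field names in the whole extractor output, which matters for anyone building json/csv schemas; either lower-case them or document that the case is intentional.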