The Snort Team
Revision History
-Revision 3.5.2.0 2024-11-18 20:48:07 EST TST
+Revision 3.6.0.0 2024-12-03 21:38:11 EST TST
---------------------------------------------------------------------
4. Connector Modules
4.1. file_connector
- 4.2. tcp_connector
+ 4.2. std_connector
+ 4.3. tcp_connector
5. Inspector Modules
* file_connector.messages: total messages (sum)
-4.2. tcp_connector
+4.2. std_connector
+
+--------------
+
+Help: implement the stdout/stdin based connector
+
+Type: connector
+
+Usage: global
+
+Configuration:
+
+ * string std_connector[].connector: connector name
+ * enum std_connector[].direction: usage { receive | transmit |
+ duplex }
+
+Peg counts:
+
+ * std_connector.messages_received: total number of messages
+ received (sum)
+ * std_connector.messages_transmitted: total number of messages
+ transmitted (sum)
+
+
+4.3. tcp_connector
--------------
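Review bot: the new std_connector reference block (Configuration: / Peg counts:) documents only connector and direction, but the manual text added in this same change says the module sets up three connectors on startup (stdout, stdin, stdio), and the extractor examples rely on 'stdout' existing without any explicit std_connector entry; the reference section is where users look such names up, so add a line under Configuration: naming the three built-in connectors and their directions. The Help: line 'implement the stdout/stdin based connector' could also carry the manual's statement that its principal purpose is testing, so nobody treats stdin as a production message source.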
* enum extractor.formatting = csv: output format for extractor {
csv | json }
- * enum extractor.output = stdout: output destination for extractor
- { stdout }
+ * string extractor.connector: output destination for extractor
* enum extractor.protocols[].service: service to extract from {
http | ftp }
* int extractor.protocols[].tenant_id = 0: tenant_id of target
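Review bot: replacing `enum extractor.output = stdout` with `string extractor.connector` drops the documented default: the old line told the reader that stdout was the default, the new one states none. If connector has a default it should appear as `string extractor.connector = stdout:` in the style of the other parameters here; if it is now required, the text should say what happens when it is unset or names a connector that no module configured, since the parameter went from a closed enum { stdout } to a free-form connector name.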
ordering incoming events { priority|content_length }
* bool event_queue.process_all_events = false: process just first
action group or all action groups
+ * string extractor.connector: output destination for extractor
* enum extractor.formatting = csv: output format for extractor {
csv | json }
- * enum extractor.output = stdout: output destination for extractor
- { stdout }
* string extractor.protocols[].fields: specify fields to log
* string extractor.protocols[].on_events: specify events to log
* enum extractor.protocols[].service: service to extract from {
* implied ssl_version.!tls1.2: check for records that are not
tls1.2
* implied ssl_version.tls1.2: check for tls1.2
+ * string std_connector[].connector: connector name
+ * enum std_connector[].direction: usage { receive | transmit |
+ duplex }
* bool stream.allowlist_cache.enable = false: enable allowlist
cache
* int stream.file_cache.idle_timeout = 180: maximum inactive time
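Review bot: `enum std_connector[].direction` is listed without a default, whereas the Connector section added in this same change says the direction element may have a default (TcpConnector is duplex). If an explicitly configured std_connector entry must state its direction, that is fine but worth a word in the help text; if it defaults, show the default in the `= value` form used by the neighbouring parameters (e.g. `bool stream.allowlist_cache.enable = false`).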
* ssl.server_key_exchange: total server key exchanges (sum)
* ssl.sessions_ignored: total sessions ignore (sum)
* ssl.unrecognized_records: total unrecognized records (sum)
+ * std_connector.messages_received: total number of messages
+ received (sum)
+ * std_connector.messages_transmitted: total number of messages
+ transmitted (sum)
* stream.allowlist_flows: number of flows moved to the allow list
(now)
* stream.allowlist_memcap_prunes: number of allowlist flows pruned
* ssl (inspector): ssl inspection
* ssl_state (ips_option): detection option for ssl state
* ssl_version (ips_option): detection option for ssl version
+ * std_connector (connector): implement the stdout/stdin based
+ connector
* stream (inspector): common flow tracking
* stream_file (inspector): stream inspector for file flow tracking
and processing
* codec::wlan: support for wireless local area network protocol
(DLT 105)
* connector::file_connector: implement the file based connector
+ * connector::std_connector: implement the stdout/stdin based
+ connector
* connector::tcp_connector: implement the tcp stream connector
* inspector::appid: application and service identification
* inspector::appid_listener: log selected published data to
The Snort Team
Revision History
-Revision 3.5.2.0 2024-11-18 20:48:24 EST TST
+Revision 3.6.0.0 2024-12-03 21:38:24 EST TST
---------------------------------------------------------------------
Required:
- * a compiler that supports the C++14 feature set
+ * a compiler that supports the C++17 feature set
* cmake to build from source
* daq from https://github.com/snort3/libdaq for packet IO
* dnet from https://github.com/dugsong/libdnet.git for network
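Review bot: bumping the required compiler feature set from C++14 to C++17 is a build-breaking change for anyone on an older toolchain, and it is easy to miss inside a documentation diff; make sure the release notes / ChangeLog for 3.6.0.0 call it out and that the minimum C++ standard set in the build files matches what this line now promises.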
specified by user. This might happen when the buffer has fewer bytes
(from the cursor position) than specified in the option.
+5.4.6. Connectors
+
+Connectors are a set of modules that are used to exchange
+message-oriented data among Snort threads and the external world. A
+typical use-case is HA (High Availability) message exchange.
+Connectors serve to decouple the message transport from the message
+creation/consumption. Connectors expose a common API for several
+forms of message transport.
+
+Connectors are a Snort plugin type.
+
+5.4.6.1. Connector (parent plugin class)
+
+Connectors may either be a simplex channel and perform unidirectional
+communications. Or may be duplex and perform bidirectional
+communications. The TcpConnector is duplex while the FileConnector is
+simplex.
+
+All subtypes of Connector have a direction configuration element and
+a connector element. The connector string is the key used to identify
+the element for client module configuration. The direction element
+may have a default value, for instance TcpConnector is duplex.
+
+Currently there are the following implementations of the Connector:
+
+ * TcpConnector - Exchange messages over a tcp channel.
+ * FileConnector - Write messages to files and read messages from
+ files.
+ * StdConnector - Exchange messages over a standard input/output.
+
+5.4.6.2. TcpConnector
+
+TcpConnector is a subclass of Connector and implements a DUPLEX type
+Connector, able to send and receive messages over a tcp session.
+
+TcpConnector adds a few session setup configuration elements:
+
+ * setup = call or answer - call is used to have TcpConnector
+ initiate the connection. answer is used to have TcpConnector
+ accept incoming connections.
+ * address = <addr> - used for call setup to specify the partner
+ * ports = "port port …" - used to pick a port number for call and
+ answer modes. If the ports list contains more than one port, the
+ "per-thread" destination mode will be assumed. In this mode, each
+ thread will connect to a corresponding destination port by
+ selecting a port number from the list based on the instance_id.
+
+An example segment of TcpConnector configuration:
+
+tcp_connector =
+{
+ {
+ connector = 'tcp_1',
+ address = '127.0.0.1',
+ setup = 'call',
+ ports = "11000 11001 11002 11003",
+ },
+}
+
+5.4.6.3. FileConnector
+
+FileConnector implements a Connector that can either read from files
+or write to files. FileConnector’s are simplex and must be configured
+to be CONN_TRANSMIT or CONN_RECEIVE.
+
+FileConnector configuration adds two additional element:
+
+ * name = string - used as part of the message file name
+ * text_format = bool - FileConnector works in binary mode by
+ default, the option switches it to text mode
+
+The configured name string is used to construct the actual names as
+in:
+
+ * file_connector_NAME_transmit and file_connector_NAME_receive
+
+All messages for one Snort invocation are read and written to one
+file.
+
+In the case of a receive FileConnector, all messages are read from
+the file prior to the start of packet processing. This allows the
+messages to establish state information for all processed packets.
+
+An example segment of FileConnector configuration:
+
+file_connector =
+{
+ {
+ connector = 'file_tx_1',
+ direction = 'transmit',
+ text_format = true,
+ name = 'HA'
+ },
+ {
+ connector = 'file_rx_1',
+ direction = 'receive',
+ text_format = true,
+ name = 'HA'
+ },
+}
+
+5.4.6.4. StdConnector
+
+StdConnector is an implementation of a Connector that has the
+capability to read from the standard input and write to the standard
+output. Its principal purpose is testing.
+
+All messages transmitted through the stdout are automatically
+appended with a new line. Therefore, it is expected that each message
+read from the stdin will also be separated by a newline.
+
+The std_connector module automatically sets-up three default
+connectors on startup:
+
+ * stdout: the default transmit connector
+ * stdin: the default receive connector
+ * stdio: the default duplex connector.
+
+An example segment of a duplex StdConnector configuration:
+
+std_connector = { { connector = std_in_out, direction = duplex } }
+
5.5. Consolidated Config
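Review bot: in the new 5.4.6.4 StdConnector example, `std_connector = { { connector = std_in_out, direction = duplex } }` leaves both values unquoted, while every other example in this section quotes its strings (`connector = 'tcp_1'`, `direction = 'transmit'`); Snort's configuration is Lua, so unquoted `std_in_out` and `duplex` are variable references (nil unless something defined them) rather than strings, and the example as written does not configure the duplex connector it claims to. Change it to `std_connector = { { connector = 'std_in_out', direction = 'duplex' } }`. In 5.4.6.3, 'must be configured to be CONN_TRANSMIT or CONN_RECEIVE' uses internal enumerator names where the user-facing values shown in the example are 'transmit' and 'receive'; since this text is being moved anyway, it is a good moment to also fix 'FileConnector’s are simplex' (no apostrophe), 'adds two additional element' (elements), the fragment 'Connectors may either be a simplex channel ... Or may be duplex', and 'over a standard input/output' (drop 'a').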
messages while the ancillary module content is only present when
requested via a status change request.
-5.8.2. Connector
-
-Connectors are a set of modules that are used to exchange
-message-oriented data among Snort threads and the external world. A
-typical use-case is HA (High Availability) message exchange.
-Connectors serve to decouple the message transport from the message
-creation/consumption. Connectors expose a common API for several
-forms of message transport.
-
-Connectors are a Snort plugin type.
-
-5.8.2.1. Connector (parent plugin class)
-
-Connectors may either be a simplex channel and perform unidirectional
-communications. Or may be duplex and perform bidirectional
-communications. The TcpConnector is duplex while the FileConnector is
-simplex.
-
-All subtypes of Connector have a direction configuration element and
-a connector element. The connector string is the key used to identify
-the element for client module configuration. The direction element
-may have a default value, for instance TcpConnector is duplex.
-
-There are currently two implementations of Connectors:
-
- * TcpConnector - Exchange messages over a tcp channel.
- * FileConnector - Write messages to files and read messages from
- files.
-
-5.8.2.2. TcpConnector
-
-TcpConnector is a subclass of Connector and implements a DUPLEX type
-Connector, able to send and receive messages over a tcp session.
-
-TcpConnector adds a few session setup configuration elements:
-
- * setup = call or answer - call is used to have TcpConnector
- initiate the connection. answer is used to have TcpConnector
- accept incoming connections.
- * address = <addr> - used for call setup to specify the partner
- * ports = "port port …" - used to pick a port number for call and
- answer modes. If the ports list contains more than one port, the
- "per-thread" destination mode will be assumed. In this mode, each
- thread will connect to a corresponding destination port by
- selecting a port number from the list based on the instance_id.
-
-An example segment of TcpConnector configuration:
-
-tcp_connector =
-{
- {
- connector = 'tcp_1',
- address = '127.0.0.1',
- setup = 'call',
- ports = "11000 11001 11002 11003",
- },
-}
-
-5.8.2.3. FileConnector
-
-FileConnector implements a Connector that can either read from files
-or write to files. FileConnector’s are simplex and must be configured
-to be CONN_TRANSMIT or CONN_RECEIVE.
-
-FileConnector configuration adds two additional element:
-
- * name = string - used as part of the message file name
- * text_format = bool - FileConnector works in binary mode by
- default, the option switches it to text mode
-
-The configured name string is used to construct the actual names as
-in:
-
- * file_connector_NAME_transmit and file_connector_NAME_receive
-
-All messages for one Snort invocation are read and written to one
-file.
-
-In the case of a receive FileConnector, all messages are read from
-the file prior to the start of packet processing. This allows the
-messages to establish state information for all processed packets.
-
-An example segment of FileConnector configuration:
-
-file_connector =
-{
- {
- connector = 'file_tx_1',
- direction = 'transmit',
- text_format = true,
- name = 'HA'
- },
- {
- connector = 'file_rx_1',
- direction = 'receive',
- text_format = true,
- name = 'HA'
- },
-}
-
-5.8.3. Side Channel
+5.8.2. Side Channel
SideChannel is a Snort module that uses Connectors to implement a
messaging infrastructure that is used to communicate between Snort
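Review bot: removing 5.8.2 leaves the Side Channel section (now 5.8.2) opening with 'SideChannel is a Snort module that uses Connectors' without the Connector introduction that used to precede it; add a pointer to the new 5.4.6 Connectors section here, and check the rest of the manual for references to the old 5.8.2/5.8.3 numbers. The deleted text is a verbatim copy of what 5.4.6 adds, apart from the new StdConnector bullet, so only the numbering and cross-references need attention.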
* global parameters
+ formatting - log record format
- + output - where to write logs
+ + connector - Connector object through which logs will be sent.
+ See Connectors page for more details.
* protocol-targeted parameters bind the targeted service and events
with filters and a set of fields to log
extractor =
{
formatting = 'csv',
- output = 'stdout',
+ connector = 'stdout',
protocols =
{
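Review bot: this first extractor example keeps `connector = 'stdout'` with no `std_connector` table, while the two FTP examples further down add `std_connector = { }` ahead of `extractor`. Either the std_connector module must be instantiated for the built-in 'stdout' connector to exist (then this example is incomplete) or it is created unconditionally (then the `std_connector = { }` lines are redundant); pick one and state it in the text. Also, the new bullet above, 'See Connectors page for more details', refers to a page that does not exist as such in this manual; point at the Connectors section (5.4.6 after this change) by name instead.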
FTP sessions with basic fields:
+std_connector = { }
+
extractor =
{
formatting = csv',
- output = 'stdout',
+ connector = 'stdout',
protocols =
{
{service = 'ftp', on_events = 'eot', fields = 'ts, command, user'}
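Review bot: the context line `formatting = csv',` is missing its opening quote, which makes this example a Lua syntax error as shown; since the hunk already rewrites the line directly below it (`output` to `connector`), fix it in the same change to `formatting = 'csv',` as the other examples have it.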
Or FTP requests with the same set of fields:
+std_connector = { }
+
extractor =
{
formatting = 'csv',
- output = 'stdout',
+ connector = 'stdout',
protocols =
{
{service = 'ftp', on_events = 'request', fields = 'ts, command, user'}