The Snort Team
Revision History
-Revision 3.1.43.0 2022-10-05 15:21:03 EDT TST
+Revision 3.1.44.0 2022-10-20 09:37:25 EDT TST
---------------------------------------------------------------------
the recursion limit (sum)
* detection.pcre_error: total number of times pcre returns error
(sum)
+ * detection.cont_creations: total number of continuations created
+ (sum)
+ * detection.cont_recalls: total number of continuations recalled
+ (sum)
+ * detection.cont_flows: total number of flows using continuation
+ (sum)
+ * detection.cont_evals: total number of condition-met continuations
+ (sum)
+ * detection.cont_matches: total number of continuations matched
+ (sum)
+ * detection.cont_mismatches: total number of continuations
+ mismatched (sum)
+ * detection.cont_max_num: peak number of simultaneous continuations
+ per flow (max)
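Review bot: the seven new detection.cont_* counters introduce the term "continuation" without defining it or pointing to where it is explained, and two of the descriptions are opaque on their own ("condition-met continuations" for cont_evals, "continuations recalled" for cont_recalls). Suggest a cross-reference to the section of the manual that describes continuations on the first counter, and rewording cont_evals/cont_recalls to say which event each one counts in terms an operator reading the peg counts would recognise. It would also help to state that cont_max_num is a per-flow peak (max) while the others accumulate (sum), since the mixed semantics are easy to misread in a dashboard.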
2.8. event_filter
length of a header exceeds this value { 0:65535 }
* int http_inspect.maximum_headers = 200: alert when the number of
headers in a message exceeds this value { 0:65535 }
+ * int http_inspect.maximum_pipelined_requests = 99: alert when the
+ number of pipelined requests exceeds this value { 0:99 }
* bool http_inspect.normalize_utf = true: normalize charset utf
encodings in response bodies
* bool http_inspect.decompress_pdf = false: decompress pdf files in
response bodies
* bool http_inspect.decompress_vba = false: decompress MS Office
Visual Basic for Applications macro files in response bodies
+ * int http_inspect.max_mime_attach = 5: maximum number of mime
+ attachments that will be inspected in a section of a request
+ message { 1:65535 }
* bool http_inspect.script_detection = false: inspect JavaScript
immediately upon script end
* bool http_inspect.normalize_javascript = false: use legacy
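Review bot: the new maximum_pipelined_requests entry gives the range { 0:99 } without saying what 0 means; elsewhere in this same list a sentinel is spelled out ("maximum_host_length = -1 ... (-1 no limit)"), so state whether 0 disables the check or alerts on the first unanswered pipelined request. Note also that with the default 99 and "exceeds this value" the check fires at 100, matching the old fixed-threshold wording of 119:34, but because the range tops out at 99 the option can only make the check stricter, never more permissive than before; if that cap reflects an internal limit, say so. For max_mime_attach, "inspected in a section of a request message" should define "section" and state explicitly that attachments beyond the limit pass through uninspected, since that is the detection trade-off an operator needs to weigh when changing the value.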
known as HTTP/0.9
* 119:33 (http_inspect) HTTP request URI has space character that
is not percent-encoded
- * 119:34 (http_inspect) HTTP connection has more than 100
- simultaneous pipelined requests that have not been answered
+ * 119:34 (http_inspect) HTTP connection has more than
+ maximum_pipelined_requests simultaneous pipelined requests that
+ have not been answered
* 119:102 (http_inspect) invalid status code in HTTP response
* 119:104 (http_inspect) HTTP response has UTF character set that
failed to normalize
identifiers processed (sum)
* http_inspect.js_identifier_overflows: total number of unique
JavaScript identifier limit overflows (sum)
+ * http_inspect.skip_mime_attach: total number of HTTP requests with
+ too many MIME attachments to inspect (sum)
5.26. iec104
* string wizard.spells[].to_client[].spell: sequence of data with
wild cards (*)
* multi wizard.curses: enable service identification based on
- internal algorithm { dce_smb | dce_udp | dce_tcp | mms | sslv2 }
+ internal algorithm { dce_smb | dce_udp | dce_tcp | mms |
+ s7commplus | sslv2 }
* int wizard.max_search_depth = 8192: maximum scan depth per flow {
0:65535 }
* implied http_cookie.request: match against the cookie from the
request message even when examining the response
- * implied http_cookie.with_header: this rule is limited to
- examining HTTP message headers
- * implied http_cookie.with_body: parts of this rule examine HTTP
- message body
- * implied http_cookie.with_trailer: parts of this rule examine HTTP
- message trailers
+ * implied http_cookie.with_header: option is no longer used and
+ will be removed in a future release
+ * implied http_cookie.with_body: option is no longer used and will
+ be removed in a future release
+ * implied http_cookie.with_trailer: option is no longer used and
+ will be removed in a future release
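Review bot: the replacement text for http_cookie.with_header, with_body and with_trailer says the option is no longer used but not what happens to an existing rule that still carries it: whether it is silently ignored, logged as a warning at config parse, or rejected, and what the rule now examines given that the removed text described a buffer restriction (headers only / body / trailers). Suggest one sentence stating the current behaviour, e.g. "accepted and ignored; a warning is logged" if that is what the parser does, and reusing the same wording in the other deprecated with_* options in this change so the deprecation reads consistently.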
7.50. http_header
is case insensitive.
* implied http_header.request: match against the headers from the
request message even when examining the response
- * implied http_header.with_header: this rule is limited to
- examining HTTP message headers
- * implied http_header.with_body: parts of this rule examine HTTP
- message body
- * implied http_header.with_trailer: parts of this rule examine HTTP
- message trailers
+ * implied http_header.with_header: option is no longer used and
+ will be removed in a future release
+ * implied http_header.with_body: option is no longer used and will
+ be removed in a future release
+ * implied http_header.with_trailer: option is no longer used and
+ will be removed in a future release
7.51. http_header_test
name is case insensitive.
* implied http_header_test.request: match against the headers from
the request message even when examining the response
- * implied http_header_test.with_header: this rule is limited to
- examining HTTP message headers
- * implied http_header_test.with_body: parts of this rule examine
- HTTP message body
- * implied http_header_test.with_trailer: parts of this rule examine
- HTTP message trailers
+ * implied http_header_test.with_header: option is no longer used
+ and will be removed in a future release
+ * implied http_header_test.with_body: option is no longer used and
+ will be removed in a future release
+ * implied http_header_test.with_trailer: option is no longer used
+ and will be removed in a future release
* interval http_header_test.check: range check to perform on header
value { 0:999999999999999999 }
* bool http_header_test.numeric: header value is a number
Configuration:
- * implied http_method.with_header: this rule is limited to
- examining HTTP message headers
- * implied http_method.with_body: parts of this rule examine HTTP
- message body
- * implied http_method.with_trailer: parts of this rule examine HTTP
- message trailers
+ * implied http_method.with_header: option is no longer used and
+ will be removed in a future release
+ * implied http_method.with_body: option is no longer used and will
+ be removed in a future release
+ * implied http_method.with_trailer: option is no longer used and
+ will be removed in a future release
7.55. http_num_cookies
current buffer are in given range { 0:65535 }
* implied http_num_headers.request: match against the version from
the request message even when examining the response
- * implied http_num_headers.with_header: this rule is limited to
- examining HTTP message headers
- * implied http_num_headers.with_body: parts of this rule examine
- HTTP message body
- * implied http_num_headers.with_trailer: parts of this rule examine
- HTTP message trailers
+ * implied http_num_headers.with_header: option is no longer used
+ and will be removed in a future release
+ * implied http_num_headers.with_body: option is no longer used and
+ will be removed in a future release
+ * implied http_num_headers.with_trailer: option is no longer used
+ and will be removed in a future release
7.57. http_num_trailers
of current buffer are in given range { 0:65535 }
* implied http_num_trailers.request: match against the version from
the request message even when examining the response
- * implied http_num_trailers.with_header: this rule is limited to
- examining HTTP message headers
- * implied http_num_trailers.with_body: parts of this rule examine
- HTTP message body
- * implied http_num_trailers.with_trailer: parts of this rule
- examine HTTP message trailers
+ * implied http_num_trailers.with_header: option is no longer used
+ and will be removed in a future release
+ * implied http_num_trailers.with_body: option is no longer used and
+ will be removed in a future release
+ * implied http_num_trailers.with_trailer: option is no longer used
+ and will be removed in a future release
7.58. http_param
* implied http_raw_cookie.request: match against the cookie from
the request message even when examining the response
- * implied http_raw_cookie.with_header: this rule is limited to
- examining HTTP message headers
- * implied http_raw_cookie.with_body: parts of this rule examine
- HTTP message body
- * implied http_raw_cookie.with_trailer: parts of this rule examine
- HTTP message trailers
+ * implied http_raw_cookie.with_header: option is no longer used and
+ will be removed in a future release
+ * implied http_raw_cookie.with_body: option is no longer used and
+ will be removed in a future release
+ * implied http_raw_cookie.with_trailer: option is no longer used
+ and will be removed in a future release
7.61. http_raw_header
name is case insensitive.
* implied http_raw_header.request: match against the headers from
the request message even when examining the response
- * implied http_raw_header.with_header: this rule is limited to
- examining HTTP message headers
- * implied http_raw_header.with_body: parts of this rule examine
- HTTP message body
- * implied http_raw_header.with_trailer: parts of this rule examine
- HTTP message trailers
+ * implied http_raw_header.with_header: option is no longer used and
+ will be removed in a future release
+ * implied http_raw_header.with_body: option is no longer used and
+ will be removed in a future release
+ * implied http_raw_header.with_trailer: option is no longer used
+ and will be removed in a future release
7.62. http_raw_request
Configuration:
- * implied http_raw_request.with_header: this rule is limited to
- examining HTTP message headers
- * implied http_raw_request.with_body: parts of this rule examine
- HTTP message body
- * implied http_raw_request.with_trailer: parts of this rule examine
- HTTP message trailers
+ * implied http_raw_request.with_header: option is no longer used
+ and will be removed in a future release
+ * implied http_raw_request.with_body: option is no longer used and
+ will be removed in a future release
+ * implied http_raw_request.with_trailer: option is no longer used
+ and will be removed in a future release
7.63. http_raw_status
Configuration:
- * implied http_raw_status.with_body: parts of this rule examine
- HTTP message body
- * implied http_raw_status.with_trailer: parts of this rule examine
- HTTP message trailers
+ * implied http_raw_status.with_body: option is no longer used and
+ will be removed in a future release
+ * implied http_raw_status.with_trailer: option is no longer used
+ and will be removed in a future release
7.64. http_raw_trailer
name is case insensitive.
* implied http_raw_trailer.request: match against the trailers from
the request message even when examining the response
- * implied http_raw_trailer.with_header: parts of this rule examine
- HTTP response message headers (must be combined with request)
- * implied http_raw_trailer.with_body: parts of this rule examine
- HTTP response message body (must be combined with request)
+ * implied http_raw_trailer.with_header: option is no longer used
+ and will be removed in a future release
+ * implied http_raw_trailer.with_body: option is no longer used and
+ will be removed in a future release
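Review bot: the removed text for http_raw_trailer.with_header and with_body documented a different behaviour from the generic buffer restriction removed elsewhere ("examine HTTP response message headers/body (must be combined with request)"), so rules that used these modifiers on a trailer option were selecting a distinct message part. The new deprecation sentence should say what such a rule matches now and which option, if any, replaces that capability; the same applies to the http_trailer and http_trailer_test hunks that follow.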
7.65. http_raw_uri
Configuration:
- * implied http_raw_uri.with_header: this rule is limited to
- examining HTTP message headers
- * implied http_raw_uri.with_body: parts of this rule examine HTTP
- message body
- * implied http_raw_uri.with_trailer: parts of this rule examine
- HTTP message trailers
+ * implied http_raw_uri.with_header: option is no longer used and
+ will be removed in a future release
+ * implied http_raw_uri.with_body: option is no longer used and will
+ be removed in a future release
+ * implied http_raw_uri.with_trailer: option is no longer used and
+ will be removed in a future release
* implied http_raw_uri.scheme: match against scheme section of URI
only
* implied http_raw_uri.host: match against host section of URI only
Configuration:
- * implied http_stat_code.with_body: parts of this rule examine HTTP
- message body
- * implied http_stat_code.with_trailer: parts of this rule examine
- HTTP message trailers
+ * implied http_stat_code.with_body: option is no longer used and
+ will be removed in a future release
+ * implied http_stat_code.with_trailer: option is no longer used and
+ will be removed in a future release
7.67. http_stat_msg
Configuration:
- * implied http_stat_msg.with_body: parts of this rule examine HTTP
- message body
- * implied http_stat_msg.with_trailer: parts of this rule examine
- HTTP message trailers
+ * implied http_stat_msg.with_body: option is no longer used and
+ will be removed in a future release
+ * implied http_stat_msg.with_trailer: option is no longer used and
+ will be removed in a future release
7.68. http_trailer
* string http_trailer.field: restrict to given trailer
* implied http_trailer.request: match against the trailers from the
request message even when examining the response
- * implied http_trailer.with_header: parts of this rule examine HTTP
- response message headers (must be combined with request)
- * implied http_trailer.with_body: parts of this rule examine HTTP
- message body (must be combined with request)
+ * implied http_trailer.with_header: option is no longer used and
+ will be removed in a future release
+ * implied http_trailer.with_body: option is no longer used and will
+ be removed in a future release
7.69. http_trailer_test
Trailer name is case insensitive.
* implied http_trailer_test.request: match against the trailers
from the request message even when examining the response
- * implied http_trailer_test.with_header: parts of this rule examine
- HTTP headers
- * implied http_trailer_test.with_body: parts of this rule examine
- HTTP message body
+ * implied http_trailer_test.with_header: option is no longer used
+ and will be removed in a future release
+ * implied http_trailer_test.with_body: option is no longer used and
+ will be removed in a future release
* interval http_trailer_test.check: range check to perform on
trailer value { 0:999999999999999999 }
* bool http_trailer_test.numeric: trailer value is a number
Configuration:
- * implied http_true_ip.with_header: this rule is limited to
- examining HTTP message headers
- * implied http_true_ip.with_body: parts of this rule examine HTTP
- message body
- * implied http_true_ip.with_trailer: parts of this rule examine
- HTTP message trailers
+ * implied http_true_ip.with_header: option is no longer used and
+ will be removed in a future release
+ * implied http_true_ip.with_body: option is no longer used and will
+ be removed in a future release
+ * implied http_true_ip.with_trailer: option is no longer used and
+ will be removed in a future release
7.71. http_uri
Configuration:
- * implied http_uri.with_header: this rule is limited to examining
- HTTP message headers
- * implied http_uri.with_body: parts of this rule examine HTTP
- message body
- * implied http_uri.with_trailer: parts of this rule examine HTTP
- message trailers
+ * implied http_uri.with_header: option is no longer used and will
+ be removed in a future release
+ * implied http_uri.with_body: option is no longer used and will be
+ removed in a future release
+ * implied http_uri.with_trailer: option is no longer used and will
+ be removed in a future release
* implied http_uri.scheme: match against scheme section of URI only
* implied http_uri.host: match against host section of URI only
* implied http_uri.port: match against port section of URI only
* implied http_version.request: match against the version from the
request message even when examining the response
- * implied http_version.with_header: this rule is limited to
- examining HTTP message headers
- * implied http_version.with_body: parts of this rule examine HTTP
- message body
- * implied http_version.with_trailer: parts of this rule examine
- HTTP message trailers
+ * implied http_version.with_header: option is no longer used and
+ will be removed in a future release
+ * implied http_version.with_body: option is no longer used and will
+ be removed in a future release
+ * implied http_version.with_trailer: option is no longer used and
+ will be removed in a future release
7.73. http_version_match
versions to match
* implied http_version_match.request: match against the version
from the request message even when examining the response
- * implied http_version_match.with_header: this rule is limited to
- examining HTTP message headers
- * implied http_version_match.with_body: parts of this rule examine
- HTTP message body
- * implied http_version_match.with_trailer: parts of this rule
- examine HTTP message trailers
+ * implied http_version_match.with_header: option is no longer used
+ and will be removed in a future release
+ * implied http_version_match.with_body: option is no longer used
+ and will be removed in a future release
+ * implied http_version_match.with_trailer: option is no longer used
+ and will be removed in a future release
7.74. icmp_id
--------------
-Help: detection option for sip stat code
+Help: detection option for sip method
Type: ips_option
}
* implied http_cookie.request: match against the cookie from the
request message even when examining the response
- * implied http_cookie.with_body: parts of this rule examine HTTP
- message body
- * implied http_cookie.with_header: this rule is limited to
- examining HTTP message headers
- * implied http_cookie.with_trailer: parts of this rule examine HTTP
- message trailers
+ * implied http_cookie.with_body: option is no longer used and will
+ be removed in a future release
+ * implied http_cookie.with_header: option is no longer used and
+ will be removed in a future release
+ * implied http_cookie.with_trailer: option is no longer used and
+ will be removed in a future release
* string http_header.field: restrict to given header. Header name
is case insensitive.
* implied http_header.request: match against the headers from the
* bool http_header_test.numeric: header value is a number
* implied http_header_test.request: match against the headers from
the request message even when examining the response
- * implied http_header_test.with_body: parts of this rule examine
- HTTP message body
- * implied http_header_test.with_header: this rule is limited to
- examining HTTP message headers
- * implied http_header_test.with_trailer: parts of this rule examine
- HTTP message trailers
- * implied http_header.with_body: parts of this rule examine HTTP
- message body
- * implied http_header.with_header: this rule is limited to
- examining HTTP message headers
- * implied http_header.with_trailer: parts of this rule examine HTTP
- message trailers
+ * implied http_header_test.with_body: option is no longer used and
+ will be removed in a future release
+ * implied http_header_test.with_header: option is no longer used
+ and will be removed in a future release
+ * implied http_header_test.with_trailer: option is no longer used
+ and will be removed in a future release
+ * implied http_header.with_body: option is no longer used and will
+ be removed in a future release
+ * implied http_header.with_header: option is no longer used and
+ will be removed in a future release
+ * implied http_header.with_trailer: option is no longer used and
+ will be removed in a future release
* string http_inspect.allowed_methods: list of allowed methods
* bool http_inspect.backslash_to_slash = true: replace \ with /
when normalizing URIs
headers in a message exceeds this value { 0:65535 }
* int http_inspect.maximum_host_length = -1: maximum allowed length
for Host header value (-1 no limit) { -1:max53 }
+ * int http_inspect.maximum_pipelined_requests = 99: alert when the
+ number of pipelined requests exceeds this value { 0:99 }
* int http_inspect.max_javascript_whitespaces = 200: maximum
consecutive whitespaces allowed within the JavaScript obfuscated
data { 1:65535 }
+ * int http_inspect.max_mime_attach = 5: maximum number of mime
+ attachments that will be inspected in a section of a request
+ message { 1:65535 }
* bool http_inspect.normalize_javascript = false: use legacy
normalizer to normalize JavaScript in response bodies
* bool http_inspect.normalize_utf = true: normalize charset utf
current trailer is in given range { 0:65535 }
* implied http_max_trailer_line.request: match against the version
from the request message even when examining the response
- * implied http_method.with_body: parts of this rule examine HTTP
- message body
- * implied http_method.with_header: this rule is limited to
- examining HTTP message headers
- * implied http_method.with_trailer: parts of this rule examine HTTP
- message trailers
+ * implied http_method.with_body: option is no longer used and will
+ be removed in a future release
+ * implied http_method.with_header: option is no longer used and
+ will be removed in a future release
+ * implied http_method.with_trailer: option is no longer used and
+ will be removed in a future release
* interval http_num_cookies.~range: check that number of cookies of
current header are in given range { 0:65535 }
* implied http_num_cookies.request: match against the version from
current buffer are in given range { 0:65535 }
* implied http_num_headers.request: match against the version from
the request message even when examining the response
- * implied http_num_headers.with_body: parts of this rule examine
- HTTP message body
- * implied http_num_headers.with_header: this rule is limited to
- examining HTTP message headers
- * implied http_num_headers.with_trailer: parts of this rule examine
- HTTP message trailers
+ * implied http_num_headers.with_body: option is no longer used and
+ will be removed in a future release
+ * implied http_num_headers.with_header: option is no longer used
+ and will be removed in a future release
+ * implied http_num_headers.with_trailer: option is no longer used
+ and will be removed in a future release
* interval http_num_trailers.~range: check that number of headers
of current buffer are in given range { 0:65535 }
* implied http_num_trailers.request: match against the version from
the request message even when examining the response
- * implied http_num_trailers.with_body: parts of this rule examine
- HTTP message body
- * implied http_num_trailers.with_header: this rule is limited to
- examining HTTP message headers
- * implied http_num_trailers.with_trailer: parts of this rule
- examine HTTP message trailers
+ * implied http_num_trailers.with_body: option is no longer used and
+ will be removed in a future release
+ * implied http_num_trailers.with_header: option is no longer used
+ and will be removed in a future release
+ * implied http_num_trailers.with_trailer: option is no longer used
+ and will be removed in a future release
* implied http_param.nocase: case insensitive match
* string http_param.~param: parameter to match
* implied http_raw_cookie.request: match against the cookie from
the request message even when examining the response
- * implied http_raw_cookie.with_body: parts of this rule examine
- HTTP message body
- * implied http_raw_cookie.with_header: this rule is limited to
- examining HTTP message headers
- * implied http_raw_cookie.with_trailer: parts of this rule examine
- HTTP message trailers
+ * implied http_raw_cookie.with_body: option is no longer used and
+ will be removed in a future release
+ * implied http_raw_cookie.with_header: option is no longer used and
+ will be removed in a future release
+ * implied http_raw_cookie.with_trailer: option is no longer used
+ and will be removed in a future release
* string http_raw_header.field: restrict to given header. Header
name is case insensitive.
* implied http_raw_header.request: match against the headers from
the request message even when examining the response
- * implied http_raw_header.with_body: parts of this rule examine
- HTTP message body
- * implied http_raw_header.with_header: this rule is limited to
- examining HTTP message headers
- * implied http_raw_header.with_trailer: parts of this rule examine
- HTTP message trailers
- * implied http_raw_request.with_body: parts of this rule examine
- HTTP message body
- * implied http_raw_request.with_header: this rule is limited to
- examining HTTP message headers
- * implied http_raw_request.with_trailer: parts of this rule examine
- HTTP message trailers
- * implied http_raw_status.with_body: parts of this rule examine
- HTTP message body
- * implied http_raw_status.with_trailer: parts of this rule examine
- HTTP message trailers
+ * implied http_raw_header.with_body: option is no longer used and
+ will be removed in a future release
+ * implied http_raw_header.with_header: option is no longer used and
+ will be removed in a future release
+ * implied http_raw_header.with_trailer: option is no longer used
+ and will be removed in a future release
+ * implied http_raw_request.with_body: option is no longer used and
+ will be removed in a future release
+ * implied http_raw_request.with_header: option is no longer used
+ and will be removed in a future release
+ * implied http_raw_request.with_trailer: option is no longer used
+ and will be removed in a future release
+ * implied http_raw_status.with_body: option is no longer used and
+ will be removed in a future release
+ * implied http_raw_status.with_trailer: option is no longer used
+ and will be removed in a future release
* string http_raw_trailer.field: restrict to given trailer. Trailer
name is case insensitive.
* implied http_raw_trailer.request: match against the trailers from
the request message even when examining the response
- * implied http_raw_trailer.with_body: parts of this rule examine
- HTTP response message body (must be combined with request)
- * implied http_raw_trailer.with_header: parts of this rule examine
- HTTP response message headers (must be combined with request)
+ * implied http_raw_trailer.with_body: option is no longer used and
+ will be removed in a future release
+ * implied http_raw_trailer.with_header: option is no longer used
+ and will be removed in a future release
* implied http_raw_uri.fragment: match against fragment section of
URI only
* implied http_raw_uri.host: match against host section of URI only
only
* implied http_raw_uri.scheme: match against scheme section of URI
only
- * implied http_raw_uri.with_body: parts of this rule examine HTTP
- message body
- * implied http_raw_uri.with_header: this rule is limited to
- examining HTTP message headers
- * implied http_raw_uri.with_trailer: parts of this rule examine
- HTTP message trailers
- * implied http_stat_code.with_body: parts of this rule examine HTTP
- message body
- * implied http_stat_code.with_trailer: parts of this rule examine
- HTTP message trailers
- * implied http_stat_msg.with_body: parts of this rule examine HTTP
- message body
- * implied http_stat_msg.with_trailer: parts of this rule examine
- HTTP message trailers
+ * implied http_raw_uri.with_body: option is no longer used and will
+ be removed in a future release
+ * implied http_raw_uri.with_header: option is no longer used and
+ will be removed in a future release
+ * implied http_raw_uri.with_trailer: option is no longer used and
+ will be removed in a future release
+ * implied http_stat_code.with_body: option is no longer used and
+ will be removed in a future release
+ * implied http_stat_code.with_trailer: option is no longer used and
+ will be removed in a future release
+ * implied http_stat_msg.with_body: option is no longer used and
+ will be removed in a future release
+ * implied http_stat_msg.with_trailer: option is no longer used and
+ will be removed in a future release
* string http_trailer.field: restrict to given trailer
* implied http_trailer.request: match against the trailers from the
request message even when examining the response
* bool http_trailer_test.numeric: trailer value is a number
* implied http_trailer_test.request: match against the trailers
from the request message even when examining the response
- * implied http_trailer_test.with_body: parts of this rule examine
- HTTP message body
- * implied http_trailer_test.with_header: parts of this rule examine
- HTTP headers
- * implied http_trailer.with_body: parts of this rule examine HTTP
- message body (must be combined with request)
- * implied http_trailer.with_header: parts of this rule examine HTTP
- response message headers (must be combined with request)
- * implied http_true_ip.with_body: parts of this rule examine HTTP
- message body
- * implied http_true_ip.with_header: this rule is limited to
- examining HTTP message headers
- * implied http_true_ip.with_trailer: parts of this rule examine
- HTTP message trailers
+ * implied http_trailer_test.with_body: option is no longer used and
+ will be removed in a future release
+ * implied http_trailer_test.with_header: option is no longer used
+ and will be removed in a future release
+ * implied http_trailer.with_body: option is no longer used and will
+ be removed in a future release
+ * implied http_trailer.with_header: option is no longer used and
+ will be removed in a future release
+ * implied http_true_ip.with_body: option is no longer used and will
+ be removed in a future release
+ * implied http_true_ip.with_header: option is no longer used and
+ will be removed in a future release
+ * implied http_true_ip.with_trailer: option is no longer used and
+ will be removed in a future release
* implied http_uri.fragment: match against fragment section of URI
only
* implied http_uri.host: match against host section of URI only
* implied http_uri.port: match against port section of URI only
* implied http_uri.query: match against query section of URI only
* implied http_uri.scheme: match against scheme section of URI only
- * implied http_uri.with_body: parts of this rule examine HTTP
- message body
- * implied http_uri.with_header: this rule is limited to examining
- HTTP message headers
- * implied http_uri.with_trailer: parts of this rule examine HTTP
- message trailers
+ * implied http_uri.with_body: option is no longer used and will be
+ removed in a future release
+ * implied http_uri.with_header: option is no longer used and will
+ be removed in a future release
+ * implied http_uri.with_trailer: option is no longer used and will
+ be removed in a future release
* implied http_version_match.request: match against the version
from the request message even when examining the response
* string http_version_match.~version_list: space-separated list of
versions to match
- * implied http_version_match.with_body: parts of this rule examine
- HTTP message body
- * implied http_version_match.with_header: this rule is limited to
- examining HTTP message headers
- * implied http_version_match.with_trailer: parts of this rule
- examine HTTP message trailers
+ * implied http_version_match.with_body: option is no longer used
+ and will be removed in a future release
+ * implied http_version_match.with_header: option is no longer used
+ and will be removed in a future release
+ * implied http_version_match.with_trailer: option is no longer used
+ and will be removed in a future release
* implied http_version.request: match against the version from the
request message even when examining the response
- * implied http_version.with_body: parts of this rule examine HTTP
- message body
- * implied http_version.with_header: this rule is limited to
- examining HTTP message headers
- * implied http_version.with_trailer: parts of this rule examine
- HTTP message trailers
+ * implied http_version.with_body: option is no longer used and will
+ be removed in a future release
+ * implied http_version.with_header: option is no longer used and
+ will be removed in a future release
+ * implied http_version.with_trailer: option is no longer used and
+ will be removed in a future release
* interval icmp_id.~range: check if ICMP ID is in given range {
0:65535 }
* interval icmp_seq.~range: check if ICMP sequence number is in
* interval window.~range: check if TCP window size is in given
range { 0:65535 }
* multi wizard.curses: enable service identification based on
- internal algorithm { dce_smb | dce_udp | dce_tcp | mms | sslv2 }
+ internal algorithm { dce_smb | dce_udp | dce_tcp | mms |
+ s7commplus | sslv2 }
* bool wizard.hexes[].client_first = true: which end initiates data
transfer (deprecated)
* select wizard.hexes[].proto = any: protocol to scan { tcp | udp |
* detection.alt_searches: alt fast pattern searches in packet data
(sum)
* detection.analyzed: total packets processed (now)
+ * detection.cont_creations: total number of continuations created
+ (sum)
+ * detection.cont_evals: total number of condition-met continuations
+ (sum)
* detection.context_stalls: times processing stalled to wait for an
available context (sum)
+ * detection.cont_flows: total number of flows using continuation
+ (sum)
+ * detection.cont_matches: total number of continuations matched
+ (sum)
+ * detection.cont_max_num: peak number of simultaneous continuations
+ per flow (max)
+ * detection.cont_mismatches: total number of continuations
+ mismatched (sum)
+ * detection.cont_recalls: total number of continuations recalled
+ (sum)
* detection.cooked_searches: fast pattern searches in cooked packet
data (sum)
* detection.event_limit: events filtered (sum)
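Review bot: the seven new detection.cont_* counters use the term "continuation" without defining it, and this stats list is the only place an operator reading peg counts will meet the word. Add a short cross-reference to the new "Stateful Evaluation" section (2.7.3.1 in this same change), and clarify the relation between cont_evals, cont_matches and cont_mismatches (for example whether matches plus mismatches equals evals), since an analyst tuning a sensor will otherwise not know which of these rising indicates a problem.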
messages (sum)
* http_inspect.script_detections: early inspections of scripts in
HTTP responses (sum)
+ * http_inspect.skip_mime_attach: total number of HTTP requests with
+ too many MIME attachments to inspect (sum)
* http_inspect.ssl_srch_abandoned_early: total SSL search abandoned
too soon (sum)
* http_inspect.total_bytes: total HTTP data bytes inspected (sum)
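Review bot: "http_inspect.skip_mime_attach: total number of HTTP requests with too many MIME attachments to inspect" is the only signal that attachments beyond the configured limit were not examined, so the entry should point at the max_mime_attach parameter that sets the limit (documented as section 5.10.3.10 in this change) so that an operator who sees the counter climbing knows which knob controls it and that the skipped attachments did not pass through file_data inspection.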
The TCP packet is invalid because it doesn’t have a SYN, ACK, or RST
flag set.
-116:424 (eth) truncated ethernet header
+116:424 (pbb) truncated ethernet header
The packet length is less than the minimum ethernet header size (14
bytes)
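Review bot: relabelling 116:424 from "(eth)" to "(pbb)" moves the entry to another decoder, but the description that follows it, "The packet length is less than the minimum ethernet header size (14 bytes)", still reads as a plain Ethernet check; if 116:424 is raised by the PBB decoder for a truncated inner Ethernet header, say so in the description, and if the eth decoder itself no longer has a listed sid for a truncated header, note that as well, because an analyst who searches this table for "(eth)" will no longer find 424.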
-116:424 (eth) truncated ethernet header
+116:424 (pbb) truncated ethernet header
A truncated ethernet header was detected.
HTTP request URI has space character that is not percent-encoded.
-119:34 (http_inspect) HTTP connection has more than 100 simultaneous
-pipelined requests that have not been answered
+119:34 (http_inspect) HTTP connection has more than
+maximum_pipelined_requests simultaneous pipelined requests that have
+not been answered
-HTTP connection has more than 100 simultaneous pipelined requests
-that have not been answered.
+HTTP connection has more than maximum_pipelined_requests simultaneous
+pipelined requests that have not been answered.
119:102 (http_inspect) invalid status code in HTTP response
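Review bot: the rewritten message "HTTP connection has more than maximum_pipelined_requests simultaneous pipelined requests that have not been answered" puts a configuration parameter name into text that analysts will read in an alert log without the manual open, where it looks like a missing word. Since the threshold is configurable the message cannot carry the number, but "more than the configured maximum_pipelined_requests limit (default 99)" would be clearer; the default value is given in the new section 5.10.3.24 in this same change.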
the request body
* sip_header (ips_option): rule option to set the detection cursor
to the SIP header buffer
- * sip_method (ips_option): detection option for sip stat code
+ * sip_method (ips_option): detection option for sip method
* sip_stat_code (ips_option): detection option for sip stat code
* smtp (inspector): smtp inspection
* snort (basic): command line configuration and shell commands
the request body
* ips_option::sip_header: rule option to set the detection cursor
to the SIP header buffer
- * ips_option::sip_method: detection option for sip stat code
+ * ips_option::sip_method: detection option for sip method
* ips_option::sip_stat_code: detection option for sip stat code
* ips_option::so: rule option to call custom eval function
* ips_option::soid: rule option to specify a shared object rule ID
The Snort Team
Revision History
-Revision 3.1.43.0 2022-10-05 15:21:24 EDT TST
+Revision 3.1.44.0 2022-10-20 09:37:11 EDT TST
---------------------------------------------------------------------
Snort 2 which provided the fast_pattern:only option to designate such
cases. This is one less thing for the rule writer to worry about.
+2.7.3.1. Stateful Evaluation
+
+When data forms a kind of stream, e.g. contiguous byte flow (like a
+file transferred over the network or byte sequence from TCP session
+packets), the point of interest may be in a signature which spans
+across packets (its parts lies in different data blocks). In this
+case, the stateful evaluation becomes handy.
+
+If rule evaluation starts in a packet and the cursor position is
+moved beyond the current packet boundary, then the evaluation gets
+paused and will resume later when more data become available to
+finish the process.
+
+Stateful evaluation is supported for the following buffers:
+
+ 1. pkt_data — as a sequence of TCP session bytes with respect to
+ their direction (client-to-server, server-to-client)
+ 2. js_data — normalized JavaScript text from the same data transfer
+ session
+ 3. file_data — the same file bytes, e.g. flows from different files
+ do not overlap
+
---------------------------------------------------------------------
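Review bot: the new "Stateful Evaluation" section describes when an evaluation is paused ("the cursor position is moved beyond the current packet boundary") but not when a paused evaluation is abandoned, so a reader cannot tell whether a signature split by a flow that ends, or by data that never arrives, stays pending indefinitely; add a sentence on the lifetime of a pending evaluation and its bound per flow, and cross-reference the new detection.cont_* peg counts (cont_max_num in particular) added elsewhere in this change. Grammar in the same paragraphs: "its parts lies" should be "its parts lie", "when more data become available" should be "when more data becomes available", and "the stateful evaluation becomes handy" reads better as "stateful evaluation is useful".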
compressed vba macro data. The decompressed vba macro data is then
made available through the vba_data ips rule option.
-5.10.3.10. normalize_javascript
+5.10.3.10. max_mime_attach
+
+HTTP request message bodies may be in MIME format. Each file
+attachment is separately incorporated in the file_data rule option.
+When a request contains many small file attachments these inspections
+may consume a lot of processing power. This parameter limits the
+number of files from one message that are inspected. The default
+value is 5.
+
+5.10.3.11. normalize_javascript
normalize_javascript = true will enable legacy normalizer of
JavaScript within the HTTP response body. http_inspect looks for
space and normalizes the plus by concatenating the strings. Such
normalizations refer to basic JavaScript normalization.
-5.10.3.11. js_norm_bytes_depth
+5.10.3.12. js_norm_bytes_depth
js_norm_bytes_depth = N {-1 : max53} will set a number of input
JavaScript bytes to normalize. When the depth is reached,
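Review bot: the new max_mime_attach section says the parameter "limits the number of files from one message that are inspected" but does not state the consequence for the files past the limit, which is the security-relevant point: those attachments are not presented through file_data at all, so a rule author cannot assume every attachment in a large multipart request is seen. Add a sentence saying that attachments beyond the limit are skipped without an alert (or name the alert if one exists) and that the http_inspect.skip_mime_attach peg count, also added in this change, records requests where this happened; also give the allowed range alongside the default, as the neighbouring sections do ("N {a : b} (default 5)").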
The identifiers are variables and function names. The normalized data
is available through the js_data rule option.
-5.10.3.12. js_norm_identifier_depth
+5.10.3.13. js_norm_identifier_depth
js_norm_identifier_depth = N {0 : 65536} will set a number of unique
JavaScript identifiers to normalize. When the depth is reached, a
65536, which is the max allowed number of unique identifiers. The
generated names are in the range from var_0000 to var_ffff.
-5.10.3.13. js_norm_max_tmpl_nest
+5.10.3.14. js_norm_max_tmpl_nest
js_norm_max_tmpl_nest = N {0 : 255} (default 32) is an option of the
enhanced JavaScript normalizer that determines the deepest level of
option is present to limit the amount of memory dedicated to template
nesting tracking.
-5.10.3.14. js_norm_max_bracket_depth
+5.10.3.15. js_norm_max_bracket_depth
js_norm_max_bracket_depth = N {1 : 65535} (default 256) is an option
of the enhanced JavaScript normalizer that determines the maximum
option is present to limit the amount of memory dedicated to bracket
tracking.
-5.10.3.15. js_norm_max_scope_depth
+5.10.3.16. js_norm_max_scope_depth
js_norm_max_scope_depth = N {1 : 65535} (default 256) is an option of
the enhanced JavaScript normalizer that determines the deepest level
the global scope. This option is present to limit the amount of
memory dedicated to scope tracking.
-5.10.3.16. js_norm_ident_ignore
+5.10.3.17. js_norm_ident_ignore
js_norm_ident_ignore = {<list of ignored identifiers>} is an option
of the enhanced JavaScript normalizer that defines a list of
wants to disable unescape related features, then removing function’s
name from the ignore list does the trick.
-5.10.3.17. js_norm_prop_ignore
+5.10.3.18. js_norm_prop_ignore
js_norm_prop_ignore = {<list of ignored properties>} is an option of
the enhanced JavaScript normalizer that defines a list of object
The default list of ignored properties is present in
"snort_defaults.lua".
-5.10.3.18. xff_headers
+5.10.3.19. xff_headers
This configuration supports defining custom x-forwarded-for type
headers. In a multi-vendor world, it is quite possible that the
"true-client-ip" if both headers are present in the stream. The
header names should be delimited by a space.
-5.10.3.19. maximum_host_length
+5.10.3.20. maximum_host_length
Setting maximum_host_length causes http_inspect to generate 119:25 if
the Host header value including optional white space exceeds the
total length of the combined values is used. The default value is -1,
meaning do not perform this check.
-5.10.3.20. maximum_chunk_length
+5.10.3.21. maximum_chunk_length
http_inspect strictly limits individual chunks within a chunked
message body to be less than four gigabytes.
A lower limit may be configured by setting maximum_chunk_length. Any
chunk longer than maximum chunk length will generate a 119:16 alert.
-5.10.3.21. maximum_header_length
+5.10.3.22. maximum_header_length
http_inspect generates 119:19 when the length of a header exceeds
maximum_header_length = N {0 : 65535} (default 4096).
-5.10.3.22. maximum_headers
+5.10.3.23. maximum_headers
http_inspect generates 119:20 when the number of headers exceeds
maximum_headers = N {0 : 65535} (default 200).
-5.10.3.23. URI processing
+5.10.3.24. maximum_pipelined_requests
+
+http_inspect generates 119:34 when the number of pipelined requests
+exceeds maximum_pipelined_requests = N {0 : 99} (default 99). This
+number does not include the first request in a sequence of requests.
+Setting maximum_pipelined_requests = 0, will not trigger an alert in
+the case of an alternating sequence of requests and responses. It
+will trigger the alert once the client issue a request before getting
+the response to a previous request.
+
+5.10.3.25. URI processing
Normalization and inspection of the URI in the HTTP request message
is a key aspect of what http_inspect does. The best way to normalize
them available to the detection engine through rule options. Let’s
start with an example:
-alert tcp any any -> any any ( msg:"URI example"; flow:established,
-to_server; http_uri; content:"chocolate"; sid:1; rev:1; )
+alert tcp any any -> any any (
+ msg:"URI example";
+ flow:established, to_server;
+ http_uri; content:"chocolate";
+ sid:1; rev:1; )
This rule looks for chocolate in the URI portion of the request
message. Specifically, the http_uri rule option is the normalized URI
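Review bot: in the new maximum_pipelined_requests section, "Setting maximum_pipelined_requests = 0, will not trigger an alert" has a stray comma, and "once the client issue a request" should be "once the client issues a request". The paragraph should also make the arithmetic explicit: with the default 99 and the statement that the count "does not include the first request", the alert fires at the 101st outstanding request, which matches the previous fixed "more than 100" wording, so readers upgrading can see the default behaviour is unchanged; since the range is {0 : 99}, also say that the old threshold cannot be raised, only lowered.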
It is also possible to search the unnormalized URI
-alert tcp any any -> any any ( msg:"Raw URI example"; flow:established,
-to_server; http_raw_uri; content:"chocolate"; sid:2; rev:1; )
+alert tcp any any -> any any (
+ msg:"Raw URI example";
+ flow:established, to_server;
+ http_raw_uri; content:"chocolate";
+ sid:2; rev:1; )
will match the first message but not the second. If you want to
detect someone who is trying to hide his request for chocolate then
-alert tcp any any -> any any ( msg:"Raw URI example"; flow:established,
-to_server; http_raw_uri; content:"%63%68$6F%63%6F%6C%61%74%65";
-sid:3; rev:1; )
+alert tcp any any -> any any (
+ msg:"Raw URI example";
+ flow:established, to_server;
+ http_raw_uri; content:"%63%68$6F%63%6F%6C%61%74%65";
+ sid:3; rev:1; )
will do the trick.
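Review bot: the percent-encoded content in the sid:3 rule, content:"%63%68$6F%63%6F%6C%61%74%65", contains a "$" where the third escape should be "%6F" (the encoding of the letter "o" in "chocolate"); as written the rule would not match the encoded request the text says it detects, and since the line is reformatted in this hunk anyway this is the moment to correct the literal. The sentence "detect someone who is trying to hide his request for chocolate" would also read better as "detect a request that hides the word chocolate behind percent-encoding".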
messages with the Content-Language header set to "da" (Danish). You
could write:
-alert tcp any any -> any any ( msg:"whole header search";
-flow:established, to_client; http_header; content:
-"Content-Language: da", nocase; sid:4; rev:1; )
+alert tcp any any -> any any (
+ msg:"whole header search";
+ flow:established, to_client;
+ http_header; content:"Content-Language: da", nocase;
+ sid:4; rev:1; )
This rule leaves much to be desired. Modern headers are often
thousands of bytes and seem to get longer every year. Searching all
A better way to write this rule is:
-alert tcp any any -> any any ( msg:"individual header search";
-flow:established, to_client; http_header: field content-language;
-content:"da", nocase; sid:4; rev:2; )
+alert tcp any any -> any any (
+ msg:"individual header search";
+ flow:established, to_client;
+ http_header: field content-language; content:"da", nocase;
+ sid:4; rev:2; )
The field option improves performance by narrowing the search to the
Content-Language field of the header. Because it uses the header
searching the entire URI there are six components that can be
searched individually:
-alert tcp any any -> any any ( msg:"URI path"; flow:established,
-to_server; http_uri: path; content:"chocolate"; sid:1; rev:2; )
+alert tcp any any -> any any (
+ msg:"URI path";
+ flow:established, to_server;
+ http_uri: path; content:"chocolate";
+ sid:1; rev:2; )
By specifying "path" the search is limited to the path portion of the
URI. Informally this is the part consisting of the directory path and
specify an individual header by name using the field option as shown
in this earlier example:
-alert tcp any any -> any any ( msg:"individual header search";
-flow:established, to_client; http_header: field content-language;
-content:"da", nocase; sid:4; rev:2; )
+alert tcp any any -> any any (
+ msg:"individual header search";
+ flow:established, to_client;
+ http_header: field content-language; content:"da", nocase;
+ sid:4; rev:2; )
This rule searches the value of the Content-Language header. Header
names are not case sensitive and may be written in the rule in any
pipelines, and how many messages have been sent over the current
connection.
-Some rules use a single rule option:
-
-alert tcp any any -> any any ( msg:"URI example"; flow:established,
-to_server; http_uri; content:"chocolate"; sid:1; rev:1; )
-
-Whenever a new URI is available this rule will be evaluated. Nothing
-complicated about that, but suppose we use more than one rule option:
-
-alert tcp any any -> any any ( msg:"combined example"; flow:established,
-to_server; http_uri: with_body; content:"chocolate"; file_data;
-content:"sinister POST data"; sid:5; rev:1; )
-
-The with_body option to http_uri causes the URI to be made available
-with the message body. Use with_body for header-related rule options
-in rules that also examine the message body.
-
-The with_trailer option is analogous and causes an earlier message
-element to be made available at the end of the message when the
-trailers following a chunked body arrive.
+It is possible to write rules that examine both the client request
+and the server response to it.
-alert tcp any any -> any any ( msg:"double content-language";
-flow:established, to_client; http_header: with_trailer, field
-content-language; content:"da", nocase; http_trailer: field
-content-language; content:"en", nocase; sid:6; rev:1; )
-
-This rule will alert if the Content-Language changes from Danish in
-the headers to English in the trailers. The with_trailer option is
-essential to make this rule work.
-
-It is also possible to write rules that examine both the client
-request and the server response to it.
-
-alert tcp any any -> any any ( msg:"request and response example";
-flow:established, to_client; http_uri: with_body; content:"chocolate";
-file_data; content:"white chocolate"; sid:7; rev:1; )
+alert tcp any any -> any any (
+ msg:"request and response example";
+ flow:established, to_client;
+ http_uri; content:"chocolate";
+ file_data; content:"white chocolate";
+ sid:7; rev:1; )
This rule looks for white chocolate in a response message body where
the URI of the request contained chocolate. Note that this is a
on what the server response will be because that has not happened
yet.
-Another point is "with_body" for http_uri. This ensures the rule
-works on the entire response body. If we were looking for white
-chocolate in the response headers this would not be necessary.
-
Response messages do not have a URI so there was only one thing
http_uri could have meant in the previous rule. It had to be
referring to the request message. Sometimes that is not so clear.
-alert tcp any any -> any any ( msg:"header ambiguity example 1";
-flow:established, to_client; http_header: with_body; content:
-"chocolate"; file_data; content:"white chocolate"; sid:8; rev:1; )
+alert tcp any any -> any any (
+ msg:"header ambiguity example 1";
+ flow:established, to_client;
+ http_header; content:"chocolate";
+ file_data; content:"white chocolate";
+ sid:8; rev:1; )
-alert tcp any any -> any any ( msg:"header ambiguity example 2";
-flow:established, to_client; http_header: with_body, request; content:
-"chocolate"; file_data; content:"white chocolate"; sid:8; rev:2; )
+alert tcp any any -> any any (
+ msg:"header ambiguity example 2";
+ flow:established, to_client;
+ http_header: request; content:"chocolate";
+ file_data; content:"white chocolate";
+ sid:8; rev:2; )
Our search for chocolate has moved from the URI to the message
headers. Both the request and response messages have headers—which
The second rule uses the "request" option to explicitly say that the
http_header to be searched is the request header.
-Let’s put all of this together. There are six opportunities to do
-detection:
-
- 1. When the the request headers arrive. The request line and all of
- the headers go through detection at the same time.
- 2. When sections of the request message body arrive. If you want to
- combine this with something from the request line or headers you
- must use the with_body option.
- 3. When the request trailers arrive. If you want to combine this
- with something from the request line or headers you must use the
- with_trailer option.
- 4. When the response headers arrive. The status line and all of the
- headers go through detection at the same time. These may be
- combined with elements from the request line, request headers, or
- request trailers. Where ambiguity arises use the request option.
- 5. When sections of the response message body arrive. These may be
- combined with the status line, response headers, request line,
- request headers, or request trailers as described above.
- 6. When the response trailers arrive. Again these may be combined as
- described above.
+Fast patterns are always searched in the current message. Rule
+options using "request" option can’t be used as fast patterns.
Message body sections can only go through detection at the time they
are received. Headers may be combined with later items but the body
cannot.
+The sub-options "with_header", "with_body" and "with_trailer" are
+deprecated, and no longer required when mixing the different
+sections.
+
5.11. HTTP/2 Inspector
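Review bot: the hunk deletes the "double content-language" rule (sid:6), which was the only example of combining http_header with http_trailer, and the six-point list of detection opportunities, without replacing either; since the added text says with_header, with_body and with_trailer are "deprecated, and no longer required when mixing the different sections", the same sid:6 rule should be shown again without with_trailer so readers see that header plus trailer matching still works, and a condensed form of the list should remain, because the surviving context sentence "Message body sections can only go through detection at the time they are received. Headers may be combined with later items but the body cannot." is now the only statement of which sections can be combined. The new sentence 'Rule options using "request" option can't be used as fast patterns' should read 'Rule options using the "request" option', and should say what this means for a rule whose only content is under http_header: request (which buffer is then used for the fast pattern, or whether such a rule needs a second content match in the current message), since a rule with no usable fast pattern is a performance problem the writer would want to avoid.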