+2021/05/20 - 3.1.5.0
+
+appid: Publish an event when appid debug command is issued
+appid: do memory accounting of api stash object, dns/tls/third-party sessions
+appid: mark payload detection as done after either http request or response is inspected
+appid: set monitor flags on future flows
+dce_rpc: fix expected session protocol id
+dce_rpc: update memory tracking for smb session data
+dce_rpc: use find_else_insert in smb session cache to avoid deadlock
+file_api: fix spell source error
+flow: Adding stash API to save auxiliary IP
+flow: Enhancing APIs to stash auxiliary IP
+flow: memory tracking updates
+hash: add new insert method in lru_cache_shared
+http2_inspect: add assert in clear
+http2_inspect: concurrent streams limit is configurable
+http2_inspect: fix non-standard c++
+http2_inspect: handle trailer after reaching flow depth
+http2_inspect: implement window_update frame
+http2_inspect: optimize processing after reaching flow depth
+http2_inspect: track stream memory incrementally instead of all up front
+http2_inspect: update discard print
+http2_inspect: update state and delete streams after reaching flow depth
+http_inspect: IP reputation support
+http_inspect: don't disable detection for flow if it's an HTTP/2 flow
+ips_options: fix relative base64_decode
+memory: free_space cleanup
+netflow: additional check before v5/v9 decode
+netflow: version 9 decoding and filtering
+packet_tracer: IPS daq trace log
+packet_tracer: file daq trace log
+parser: Remove rule merge in dump mode
+parser: reduce RTNs only after states applied
+reputation: track monitor ID via flow; minor code cleanup
+shell: exit gracefully when sanbox lua is misconfigured
+stream_tcp: Deleting session when both talker and listener are closed
+stream_tcp: Using window base for reset validation
+
2021/04/21 - 3.1.4.0
-- appid: (fix style) Local variable 'version' shadows outer variable
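Review bot: The removed line under the already-released 2021/04/21 - 3.1.4.0 heading ("appid: (fix style) Local variable 'version' shadows outer variable") has no replacement in this diff, so a past release's notes are being rewritten; if that deletion is accidental, restore it, otherwise the reason should be visible somewhere in the change. In the new 3.1.5.0 block, "sanbox lua" should read "sandbox lua", and the entries mix imperative lowercase ("fix", "add", "update") with capitalised participles ("Adding stash API", "Enhancing APIs", "Deleting session", "Using window base", "Publish an event"); the ChangeLog reads more consistently if all follow the "module: imperative summary" form used by the majority. "file_api: fix spell source error" is hard to parse and would benefit from a clearer summary of what was misspelled.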
The Snort Team
Revision History
-Revision 3.1.4.0 2021-04-21 12:58:32 EDT TST
+Revision 3.1.5.0 2021-05-20 14:02:39 EDT TST
---------------------------------------------------------------------
* string inspection.uuid: correlate events by uuid
* enum inspection.mode = inline-test: set policy mode { inline |
inline-test }
+ * int inspection.max_aux_ip = 16: maximum number of auxiliary IPs
+ per flow to detect and save (-1 = disable, 0 = detect but don’t
+ save, 1+ = save in FIFO manner) { -1:127 }
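Review bot: The inspection.max_aux_ip description uses a curly apostrophe in "don’t" while the rest of this plain-text manual uses ASCII, so replace it with "don't". More substantively, "1+ = save in FIFO manner" leaves the eviction behaviour implicit: say explicitly what happens once a flow has already stored max_aux_ip addresses (whether the oldest is discarded to make room, which is what FIFO implies) and what "detect but don't save" achieves at 0 if nothing is retained for the reputation checks that consume these addresses. Operators tuning this against the reputation.aux_ip_* counters need that to interpret the counts.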
2.15. ips
Instance Type: multiton
+Configuration:
+
+ * int http2_inspect.concurrent_streams_limit = 100: Maximum number
+ of concurrent streams allowed in a single HTTP/2 flow { 100:1000
+ }
+
Rules:
* 121:1 (http2_inspect) invalid flag set on HTTP/2 frame
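Review bot: For http2_inspect.concurrent_streams_limit the allowed range { 100:1000 } has a lower bound equal to the default of 100, so the limit can only be raised, never lowered; if a smaller bound was meant to be configurable on memory-constrained sensors, the minimum should be lower, and if not, the description should say that 100 is the floor. The entry should also state what happens to a flow that exceeds the limit (whether further streams are not tracked, or an event is raised), since that determines whether the setting is a detection control or only a memory cap; this applies equally to the second copy of the entry in the consolidated options listing later in the diff.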
* 121:29 (http2_inspect) HTTP/2 rst stream frame sent at invalid
time
* 121:30 (http2_inspect) uppercase HTTP/2 header field name
+ * 121:31 (http2_inspect) invalid HTTP/2 window update frame
+ * 121:32 (http2_inspect) HTTP/2 window update frame with zero
+ increment
Peg counts:
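Review bot: The description of 121:31 ("invalid HTTP/2 window update frame") should name the condition that triggers it so analysts can triage the event without reading the inspector source; RFC 7540 section 6.9 defines exactly one valid WINDOW_UPDATE payload length (4 octets), so "window update frame with invalid length" would be precise if that is the check. For 121:32, consider noting that a zero increment is a PROTOCOL_ERROR per the same section, which tells the reader this is a spec violation and not a tuning event.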
* 119:115 (http_inspect) PDF file unsupported compression type
* 119:116 (http_inspect) PDF file cascaded compression
* 119:117 (http_inspect) PDF file parse failure
+ * 119:118 (http_inspect) unexpected script tag within inline
+ javascript
* 119:201 (http_inspect) not HTTP traffic
* 119:202 (http_inspect) chunk length has excessive leading zeros
* 119:203 (http_inspect) white space before or between messages
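Review bot: The 119:118 description writes "javascript" in lowercase whereas the new peg count in this same change spells it "JavaScripts"; use "JavaScript" consistently. It would also help to spell out that the condition is an opening script tag encountered while already inside inline script content, since "unexpected script tag" on its own does not tell the reader which nesting is being flagged.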
* http_inspect.pipelined_requests: total requests placed in a
pipeline (sum)
* http_inspect.total_bytes: total HTTP data bytes inspected (sum)
+ * http_inspect.js_inline_scripts: total number of inline
+ JavaScripts processed (sum)
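Review bot: "total number of inline JavaScripts processed" treats JavaScript as a countable noun; "total number of inline JavaScript scripts processed" or "inline script blocks processed" reads better and matches the rule text that refers to script tags. This counter is the natural companion to 119:118 for spotting pages with unusual numbers of inline scripts, so a consistent name for the unit being counted matters.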
5.25. iec104
Peg counts:
+ * netflow.invalid_netflow_record: count of invalid netflow records
+ (sum)
* netflow.packets: total packets processed (sum)
* netflow.records: total records found in netflow data (sum)
+ * netflow.unique_flows: count of unique netflow flows (sum)
+ * netflow.v9_missing_template: count of data records that are
+ missing templates (sum)
+ * netflow.v9_options_template: count of options template flowset
+ (sum)
+ * netflow.v9_templates: count of total version 9 templates (sum)
* netflow.version_5: count of netflow version 5 packets received
(sum)
* netflow.version_9: count of netflow version 9 packets received
(sum)
- * netflow.invalid_netflow_pkts: count of invalid netflow packets
- (sum)
- * netflow.unique_flows: count of unique netflow flows (sum)
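Review bot: The netflow.invalid_netflow_pkts counter is removed and netflow.invalid_netflow_record added in its place, which is a peg-count name change that will break any dashboard or script keyed on the old name; the netflow ChangeLog entries ("additional check before v5/v9 decode", "version 9 decoding and filtering") do not mention the rename, so it should be called out there. Minor wording: "count of options template flowset" should be "flowsets", and "count of total version 9 templates" is redundant ("count of version 9 templates received"). The unique_flows removal and re-add is only a reordering and is fine.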
5.30. normalizer
* reputation.trusted: number of packets trusted (sum)
* reputation.monitored: number of packets monitored (sum)
* reputation.memory_allocated: total memory allocated (sum)
+ * reputation.aux_ip_blocked: number of auxiliary ip packets blocked
+ (sum)
+ * reputation.aux_ip_trusted: number of auxiliary ip packets trusted
+ (sum)
+ * reputation.aux_ip_monitored: number of auxiliary ip packets
+ monitored (sum)
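Review bot: The three new reputation.aux_ip_* entries are listed as blocked, trusted, monitored here but as blocked, monitored, trusted in the consolidated listing further down, and the surrounding entries in this section are not alphabetical either; pick one order and apply it in both places. The descriptions also write "auxiliary ip" in lowercase while inspection.max_aux_ip says "auxiliary IPs"; use "IP" throughout.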
5.37. rna
* port host_tracker[].services[].port: port number
* enum host_tracker[].services[].proto: IP protocol { ip | tcp |
udp }
+ * int http2_inspect.concurrent_streams_limit = 100: Maximum number
+ of concurrent streams allowed in a single HTTP/2 flow { 100:1000
+ }
* implied http_cookie.request: match against the cookie from the
request message even when examining the response
* implied http_cookie.with_body: parts of this rule examine HTTP
limit) { -1:65535 }
* int inspection.id = 0: correlate policy and events with other
items in configuration { 0:65535 }
+ * int inspection.max_aux_ip = 16: maximum number of auxiliary IPs
+ per flow to detect and save (-1 = disable, 0 = detect but don’t
+ save, 1+ = save in FIFO manner) { -1:127 }
* enum inspection.mode = inline-test: set policy mode { inline |
inline-test }
* string inspection.uuid: correlate events by uuid
* http_inspect.get_requests: GET requests inspected (sum)
* http_inspect.head_requests: HEAD requests inspected (sum)
* http_inspect.inspections: total message sections inspected (sum)
+ * http_inspect.js_inline_scripts: total number of inline
+ JavaScripts processed (sum)
* http_inspect.max_concurrent_sessions: maximum concurrent http
sessions (max)
* http_inspect.options_requests: OPTIONS requests inspected (sum)
* modbus.max_concurrent_sessions: maximum concurrent modbus
sessions (max)
* modbus.sessions: total sessions processed (sum)
- * netflow.invalid_netflow_pkts: count of invalid netflow packets
+ * netflow.invalid_netflow_record: count of invalid netflow records
(sum)
* netflow.packets: total packets processed (sum)
* netflow.records: total records found in netflow data (sum)
* netflow.unique_flows: count of unique netflow flows (sum)
+ * netflow.v9_missing_template: count of data records that are
+ missing templates (sum)
+ * netflow.v9_options_template: count of options template flowset
+ (sum)
+ * netflow.v9_templates: count of total version 9 templates (sum)
* netflow.version_5: count of netflow version 5 packets received
(sum)
* netflow.version_9: count of netflow version 9 packets received
(sum)
* rate_filter.no_memory: number of times rate filter ran out of
memory (sum)
+ * reputation.aux_ip_blocked: number of auxiliary ip packets blocked
+ (sum)
+ * reputation.aux_ip_monitored: number of auxiliary ip packets
+ monitored (sum)
+ * reputation.aux_ip_trusted: number of auxiliary ip packets trusted
+ (sum)
* reputation.blocked: number of packets blocked (sum)
* reputation.memory_allocated: total memory allocated (sum)
* reputation.monitored: number of packets monitored (sum)
* 119:115 (http_inspect) PDF file unsupported compression type
* 119:116 (http_inspect) PDF file cascaded compression
* 119:117 (http_inspect) PDF file parse failure
+ * 119:118 (http_inspect) unexpected script tag within inline
+ javascript
* 119:201 (http_inspect) not HTTP traffic
* 119:202 (http_inspect) chunk length has excessive leading zeros
* 119:203 (http_inspect) white space before or between messages
* 121:29 (http2_inspect) HTTP/2 rst stream frame sent at invalid
time
* 121:30 (http2_inspect) uppercase HTTP/2 header field name
+ * 121:31 (http2_inspect) invalid HTTP/2 window update frame
+ * 121:32 (http2_inspect) HTTP/2 window update frame with zero
+ increment
* 122:1 (port_scan) TCP portscan
* 122:2 (port_scan) TCP decoy portscan
* 122:3 (port_scan) TCP portsweep