The Snort Team
Revision History
-Revision 3.1.67.0 2023-07-30 09:54:39 EDT TST
+Revision 3.1.68.0 2023-08-14 22:06:48 EDT TST
---------------------------------------------------------------------
7.1. ack
7.2. appids
- 7.3. asn1
- 7.4. base64_decode
- 7.5. ber_data
- 7.6. ber_skip
- 7.7. bufferlen
- 7.8. byte_extract
- 7.9. byte_jump
- 7.10. byte_math
- 7.11. byte_test
- 7.12. cip_attribute
- 7.13. cip_class
- 7.14. cip_conn_path_class
- 7.15. cip_instance
- 7.16. cip_req
- 7.17. cip_rsp
- 7.18. cip_service
- 7.19. cip_status
- 7.20. classtype
- 7.21. content
- 7.22. cvs
- 7.23. dce_iface
- 7.24. dce_opnum
- 7.25. dce_stub_data
- 7.26. detection_filter
- 7.27. dnp3_data
- 7.28. dnp3_func
- 7.29. dnp3_ind
- 7.30. dnp3_obj
- 7.31. dsize
- 7.32. enable
- 7.33. enip_command
- 7.34. enip_req
- 7.35. enip_rsp
- 7.36. file_data
- 7.37. file_meta
- 7.38. file_type
- 7.39. flags
- 7.40. flow
- 7.41. flowbits
- 7.42. fragbits
- 7.43. fragoffset
- 7.44. gid
- 7.45. gtp_info
- 7.46. gtp_type
- 7.47. gtp_version
- 7.48. http_client_body
- 7.49. http_cookie
- 7.50. http_header
- 7.51. http_header_test
- 7.52. http_max_header_line
- 7.53. http_max_trailer_line
- 7.54. http_method
- 7.55. http_num_cookies
- 7.56. http_num_headers
- 7.57. http_num_trailers
- 7.58. http_param
- 7.59. http_raw_body
- 7.60. http_raw_cookie
- 7.61. http_raw_header
- 7.62. http_raw_request
- 7.63. http_raw_status
- 7.64. http_raw_trailer
- 7.65. http_raw_uri
- 7.66. http_stat_code
- 7.67. http_stat_msg
- 7.68. http_trailer
- 7.69. http_trailer_test
- 7.70. http_true_ip
- 7.71. http_uri
- 7.72. http_version
- 7.73. http_version_match
- 7.74. icmp_id
- 7.75. icmp_seq
- 7.76. icode
- 7.77. id
- 7.78. iec104_apci_type
- 7.79. iec104_asdu_func
- 7.80. ip_proto
- 7.81. ipopts
- 7.82. isdataat
- 7.83. itype
- 7.84. js_data
- 7.85. md5
- 7.86. metadata
- 7.87. mms_data
- 7.88. mms_func
- 7.89. modbus_data
- 7.90. modbus_func
- 7.91. modbus_unit
- 7.92. msg
- 7.93. mss
- 7.94. pcre
- 7.95. pkt_data
- 7.96. pkt_num
- 7.97. priority
- 7.98. raw_data
- 7.99. reference
- 7.100. regex
- 7.101. rem
- 7.102. replace
- 7.103. rev
- 7.104. rpc
- 7.105. s7commplus_content
- 7.106. s7commplus_func
- 7.107. s7commplus_opcode
- 7.108. sd_pattern
- 7.109. seq
- 7.110. service
- 7.111. sha256
- 7.112. sha512
- 7.113. sid
- 7.114. sip_body
- 7.115. sip_header
- 7.116. sip_method
- 7.117. sip_stat_code
- 7.118. so
- 7.119. soid
- 7.120. ssl_state
- 7.121. ssl_version
- 7.122. stream_reassemble
- 7.123. stream_size
- 7.124. tag
- 7.125. target
- 7.126. tos
- 7.127. ttl
- 7.128. urg
- 7.129. vba_data
- 7.130. window
- 7.131. wscale
+ 7.3. base64_decode
+ 7.4. ber_data
+ 7.5. ber_skip
+ 7.6. bufferlen
+ 7.7. byte_extract
+ 7.8. byte_jump
+ 7.9. byte_math
+ 7.10. byte_test
+ 7.11. cip_attribute
+ 7.12. cip_class
+ 7.13. cip_conn_path_class
+ 7.14. cip_instance
+ 7.15. cip_req
+ 7.16. cip_rsp
+ 7.17. cip_service
+ 7.18. cip_status
+ 7.19. classtype
+ 7.20. content
+ 7.21. cvs
+ 7.22. dce_iface
+ 7.23. dce_opnum
+ 7.24. dce_stub_data
+ 7.25. detection_filter
+ 7.26. dnp3_data
+ 7.27. dnp3_func
+ 7.28. dnp3_ind
+ 7.29. dnp3_obj
+ 7.30. dsize
+ 7.31. enable
+ 7.32. enip_command
+ 7.33. enip_req
+ 7.34. enip_rsp
+ 7.35. file_data
+ 7.36. file_meta
+ 7.37. file_type
+ 7.38. flags
+ 7.39. flow
+ 7.40. flowbits
+ 7.41. fragbits
+ 7.42. fragoffset
+ 7.43. gid
+ 7.44. gtp_info
+ 7.45. gtp_type
+ 7.46. gtp_version
+ 7.47. http_client_body
+ 7.48. http_cookie
+ 7.49. http_header
+ 7.50. http_header_test
+ 7.51. http_max_header_line
+ 7.52. http_max_trailer_line
+ 7.53. http_method
+ 7.54. http_num_cookies
+ 7.55. http_num_headers
+ 7.56. http_num_trailers
+ 7.57. http_param
+ 7.58. http_raw_body
+ 7.59. http_raw_cookie
+ 7.60. http_raw_header
+ 7.61. http_raw_request
+ 7.62. http_raw_status
+ 7.63. http_raw_trailer
+ 7.64. http_raw_uri
+ 7.65. http_stat_code
+ 7.66. http_stat_msg
+ 7.67. http_trailer
+ 7.68. http_trailer_test
+ 7.69. http_true_ip
+ 7.70. http_uri
+ 7.71. http_version
+ 7.72. http_version_match
+ 7.73. icmp_id
+ 7.74. icmp_seq
+ 7.75. icode
+ 7.76. id
+ 7.77. iec104_apci_type
+ 7.78. iec104_asdu_func
+ 7.79. ip_proto
+ 7.80. ipopts
+ 7.81. isdataat
+ 7.82. itype
+ 7.83. js_data
+ 7.84. md5
+ 7.85. metadata
+ 7.86. mms_data
+ 7.87. mms_func
+ 7.88. modbus_data
+ 7.89. modbus_func
+ 7.90. modbus_unit
+ 7.91. msg
+ 7.92. mss
+ 7.93. pcre
+ 7.94. pkt_data
+ 7.95. pkt_num
+ 7.96. priority
+ 7.97. raw_data
+ 7.98. reference
+ 7.99. regex
+ 7.100. rem
+ 7.101. replace
+ 7.102. rev
+ 7.103. rpc
+ 7.104. s7commplus_content
+ 7.105. s7commplus_func
+ 7.106. s7commplus_opcode
+ 7.107. sd_pattern
+ 7.108. seq
+ 7.109. service
+ 7.110. sha256
+ 7.111. sha512
+ 7.112. sid
+ 7.113. sip_body
+ 7.114. sip_header
+ 7.115. sip_method
+ 7.116. sip_stat_code
+ 7.117. so
+ 7.118. soid
+ 7.119. ssl_state
+ 7.120. ssl_version
+ 7.121. stream_reassemble
+ 7.122. stream_size
+ 7.123. tag
+ 7.124. target
+ 7.125. tos
+ 7.126. ttl
+ 7.127. urg
+ 7.128. vba_data
+ 7.129. window
+ 7.130. wscale
8. Search Engine Modules
9. SO Rule Modules
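Review bot: the table of contents renumbering is consistent with the removal of 7.3 asn1: every entry from the old 7.4 base64_decode to the old 7.131 wscale shifts down by exactly one (new 7.3 to 7.130), and no option name is dropped or duplicated between the `-` and `+` lists. Nothing to change here, but the same one-off shift must be mirrored in the per-option section headings further down, which this diff does.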
* bool detection.allow_missing_so_rules = false: warn (true) or
error (false) when an SO rule stub refers to an SO rule that
isn’t loaded
- * int detection.asn1 = 0: maximum decode nodes { 0:65535 }
* bool detection.global_default_rule_state = true: enable or
disable rules by default (overridden by ips policy settings)
* bool detection.global_rule_state = false: apply rule_state
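Review bot: the line `- * int detection.asn1 = 0: maximum decode nodes { 0:65535 }` removes a configuration key from the detection module with no replacement or deprecation wording in the surrounding detection entries; a configuration that still sets `detection.asn1` will refer to a key this revision no longer documents. Suggest adding a sentence to the detection module description stating that `detection.asn1` was removed together with the `asn1` rule option (whose section is also dropped in this revision), so operators see the change rather than discovering it when their configuration is rejected.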
Instance Type: multiton
+Configuration:
+
+ * bool dns.publish_response = false: parse and publish dns
+ responses
+
Rules:
* 131:1 (dns) obsolete DNS RR types
* string appids.~: comma separated list of application names
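Review bot: the help text for the new `+ * bool dns.publish_response = false: parse and publish dns responses` option does not say what "publish" means here, i.e. which consumers receive the parsed responses, nor whether enabling it adds parsing work on response traffic; a clause on both would let operators judge whether to turn it on. Minor style point: write "DNS" in upper case to match the adjacent rule text "obsolete DNS RR types" (the same lower-case wording recurs in the global configuration listing later in the diff).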
-7.3. asn1
-
---------------
-
-Help: rule option for asn1 detection
-
-Type: ips_option
-
-Usage: detect
-
-Configuration:
-
- * implied asn1.bitstring_overflow: detects invalid bitstring
- encodings that are known to be remotely exploitable
- * implied asn1.double_overflow: detects a double ASCII encoding
- that is larger than a standard buffer
- * implied asn1.print: dump decode data to console; always true
- * int asn1.oversize_length: compares ASN.1 type lengths with the
- supplied argument { 0:max32 }
- * int asn1.absolute_offset: absolute offset from the beginning of
- the packet { 0:65535 }
- * int asn1.relative_offset: relative offset from the cursor {
- -65535:65535 }
-
-
-7.4. base64_decode
+7.3. base64_decode
--------------
start of buffer
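Review bot: deleting section 7.3 asn1 removes the only documentation of the `asn1.bitstring_overflow`, `asn1.double_overflow`, `asn1.print`, `asn1.oversize_length`, `asn1.absolute_offset` and `asn1.relative_offset` parameters, and nothing in the remaining lines tells rule authors that the option is gone or what to use instead. Suggest pairing the removal with a short note in the rule options chapter (or the release notes) that `asn1` has been removed and that rules using it need to be revised. The renumbering of `-7.4. base64_decode` to `+7.3. base64_decode` and of the following sections agrees with the table of contents changes above.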
-7.5. ber_data
+7.4. ber_data
--------------
element type { 0:255 }
-7.6. ber_skip
+7.5. ber_skip
--------------
is not found
-7.7. bufferlen
+7.6. bufferlen
--------------
position) instead of total length
-7.8. byte_extract
+7.7. byte_extract
--------------
value before storage in name { 0x1:0xFFFFFFFF }
-7.9. byte_jump
+7.8. byte_jump
--------------
0x1:0xFFFFFFFF }
-7.10. byte_math
+7.9. byte_math
--------------
value before storage in name { 0x1:0xFFFFFFFF }
-7.11. byte_test
+7.10. byte_test
--------------
0x1:0xFFFFFFFF }
-7.12. cip_attribute
+7.11. cip_attribute
--------------
* interval cip_attribute.~range: match CIP attribute { 0:65535 }
-7.13. cip_class
+7.12. cip_class
--------------
* interval cip_class.~range: match CIP class { 0:65535 }
-7.14. cip_conn_path_class
+7.13. cip_conn_path_class
--------------
Class { 0:65535 }
-7.15. cip_instance
+7.14. cip_instance
--------------
* interval cip_instance.~range: match CIP instance { 0:4294967295 }
-7.16. cip_req
+7.15. cip_req
--------------
Usage: detect
-7.17. cip_rsp
+7.16. cip_rsp
--------------
Usage: detect
-7.18. cip_service
+7.17. cip_service
--------------
* interval cip_service.~range: match CIP service { 0:127 }
-7.19. cip_status
+7.18. cip_status
--------------
* interval cip_status.~range: match CIP response status { 0:255 }
-7.20. classtype
+7.19. classtype
--------------
* string classtype.~: classification for this rule
-7.21. content
+7.20. content
--------------
from cursor
-7.22. cvs
+7.21. cvs
--------------
* implied cvs.invalid-entry: looks for an invalid Entry string
-7.23. dce_iface
+7.22. dce_iface
--------------
* implied dce_iface.any_frag: match on any fragment
-7.24. dce_opnum
+7.23. dce_opnum
--------------
list
-7.25. dce_stub_data
+7.24. dce_stub_data
--------------
Usage: detect
-7.26. detection_filter
+7.25. detection_filter
--------------
1:max32 }
-7.27. dnp3_data
+7.26. dnp3_data
--------------
Usage: detect
-7.28. dnp3_func
+7.27. dnp3_func
--------------
* string dnp3_func.~: match DNP3 function code or name
-7.29. dnp3_ind
+7.28. dnp3_ind
--------------
* string dnp3_ind.~: match given DNP3 indicator flags
-7.30. dnp3_obj
+7.29. dnp3_obj
--------------
}
-7.31. dsize
+7.30. dsize
--------------
given range { 0:65535 }
-7.32. enable
+7.31. enable
--------------
}
-7.33. enip_command
+7.32. enip_command
--------------
* interval enip_command.~range: match CIP Enip Command { 0:65535 }
-7.34. enip_req
+7.33. enip_req
--------------
Usage: detect
-7.35. enip_rsp
+7.34. enip_rsp
--------------
Usage: detect
-7.36. file_data
+7.35. file_data
--------------
Usage: detect
-7.37. file_meta
+7.36. file_meta
--------------
* string file_meta.version: file type version
-7.38. file_type
+7.37. file_type
--------------
* string file_type.~: list of file type IDs to match
-7.39. flags
+7.38. flags
--------------
* string flags.~mask_flags: these flags are don’t cares
-7.40. flow
+7.39. flow
--------------
* implied flow.only_frag: match on defragmented packets only
-7.41. flowbits
+7.40. flowbits
--------------
* string flowbits.~bits: bit [|bit]* or bit [&bit]*
-7.42. fragbits
+7.41. fragbits
--------------
* string fragbits.~flags: these flags are tested
-7.43. fragoffset
+7.42. fragoffset
--------------
given range { 0:8192 }
-7.44. gid
+7.43. gid
--------------
* int gid.~: generator id { 1:8129 }
-7.45. gtp_info
+7.44. gtp_info
--------------
* string gtp_info.~: info element to match
-7.46. gtp_type
+7.45. gtp_type
--------------
* string gtp_type.~: list of types to match
-7.47. gtp_version
+7.46. gtp_version
--------------
* int gtp_version.~: version to match { 0:2 }
-7.48. http_client_body
+7.47. http_client_body
--------------
Usage: detect
-7.49. http_cookie
+7.48. http_cookie
--------------
will be removed in a future release
-7.50. http_header
+7.49. http_header
--------------
will be removed in a future release
-7.51. http_header_test
+7.50. http_header_test
--------------
* implied http_header_test.absent: header is absent
-7.52. http_max_header_line
+7.51. http_max_header_line
--------------
from the request message even when examining the response
-7.53. http_max_trailer_line
+7.52. http_max_trailer_line
--------------
from the request message even when examining the response
-7.54. http_method
+7.53. http_method
--------------
will be removed in a future release
-7.55. http_num_cookies
+7.54. http_num_cookies
--------------
the request message even when examining the response
-7.56. http_num_headers
+7.55. http_num_headers
--------------
and will be removed in a future release
-7.57. http_num_trailers
+7.56. http_num_trailers
--------------
and will be removed in a future release
-7.58. http_param
+7.57. http_param
--------------
* implied http_param.nocase: case insensitive match
-7.59. http_raw_body
+7.58. http_raw_body
--------------
Usage: detect
-7.60. http_raw_cookie
+7.59. http_raw_cookie
--------------
and will be removed in a future release
-7.61. http_raw_header
+7.60. http_raw_header
--------------
and will be removed in a future release
-7.62. http_raw_request
+7.61. http_raw_request
--------------
and will be removed in a future release
-7.63. http_raw_status
+7.62. http_raw_status
--------------
and will be removed in a future release
-7.64. http_raw_trailer
+7.63. http_raw_trailer
--------------
will be removed in a future release
-7.65. http_raw_uri
+7.64. http_raw_uri
--------------
URI only
-7.66. http_stat_code
+7.65. http_stat_code
--------------
will be removed in a future release
-7.67. http_stat_msg
+7.66. http_stat_msg
--------------
will be removed in a future release
-7.68. http_trailer
+7.67. http_trailer
--------------
be removed in a future release
-7.69. http_trailer_test
+7.68. http_trailer_test
--------------
* implied http_trailer_test.absent: trailer is absent
-7.70. http_true_ip
+7.69. http_true_ip
--------------
will be removed in a future release
-7.71. http_uri
+7.70. http_uri
--------------
only
-7.72. http_version
+7.71. http_version
--------------
will be removed in a future release
-7.73. http_version_match
+7.72. http_version_match
--------------
and will be removed in a future release
-7.74. icmp_id
+7.73. icmp_id
--------------
0:65535 }
-7.75. icmp_seq
+7.74. icmp_seq
--------------
given range { 0:65535 }
-7.76. icode
+7.75. icode
--------------
0:255 }
-7.77. id
+7.76. id
--------------
}
-7.78. iec104_apci_type
+7.77. iec104_apci_type
--------------
* string iec104_apci_type.~: APCI type to match
-7.79. iec104_asdu_func
+7.78. iec104_asdu_func
--------------
* string iec104_asdu_func.~: function code to match
-7.80. ip_proto
+7.79. ip_proto
--------------
* string ip_proto.~proto: [!|>|<] name or number
-7.81. ipopts
+7.80. ipopts
--------------
lsrre|ssrr|satid|any }
-7.82. isdataat
+7.81. isdataat
--------------
buffer
-7.83. itype
+7.82. itype
--------------
0:255 }
-7.84. js_data
+7.83. js_data
--------------
Usage: detect
-7.85. md5
+7.84. md5
--------------
of buffer
-7.86. metadata
+7.85. metadata
--------------
pairs
-7.87. mms_data
+7.86. mms_data
--------------
Usage: detect
-7.88. mms_func
+7.87. mms_func
--------------
* string mms_func.~: func to match
-7.89. modbus_data
+7.88. modbus_data
--------------
Usage: detect
-7.90. modbus_func
+7.89. modbus_func
--------------
* string modbus_func.~: function code to match
-7.91. modbus_unit
+7.90. modbus_unit
--------------
* int modbus_unit.~: Modbus unit ID { 0:255 }
-7.92. msg
+7.91. msg
--------------
* string msg.~: message describing rule
-7.93. mss
+7.92. mss
--------------
}
-7.94. pcre
+7.93. pcre
--------------
* pcre.pcre_negated: total pcre rules using negation syntax (sum)
-7.95. pkt_data
+7.94. pkt_data
--------------
Usage: detect
-7.96. pkt_num
+7.95. pkt_num
--------------
{ 1: }
-7.97. priority
+7.96. priority
--------------
1:max31 }
-7.98. raw_data
+7.97. raw_data
--------------
Usage: detect
-7.99. reference
+7.98. reference
--------------
* string reference.~ref: reference: <scheme>,<id>
-7.100. regex
+7.99. regex
--------------
instead of start of buffer
-7.101. rem
+7.100. rem
--------------
* string rem.~: comment
-7.102. replace
+7.101. replace
--------------
* string replace.~: byte code to replace with
-7.103. rev
+7.102. rev
--------------
* int rev.~: revision { 1:max32 }
-7.104. rpc
+7.103. rpc
--------------
* string rpc.~proc: procedure number or * for any
-7.105. s7commplus_content
+7.104. s7commplus_content
--------------
Usage: detect
-7.106. s7commplus_func
+7.105. s7commplus_func
--------------
* string s7commplus_func.~: function code to match
-7.107. s7commplus_opcode
+7.106. s7commplus_opcode
--------------
* string s7commplus_opcode.~: opcode code to match
-7.108. sd_pattern
+7.107. sd_pattern
--------------
* sd_pattern.terminated: hyperscan terminated (sum)
-7.109. seq
+7.108. seq
--------------
range { 0: }
-7.110. service
+7.109. service
--------------
* string service.*: one or more comma-separated service names
-7.111. sha256
+7.110. sha256
--------------
start of buffer
-7.112. sha512
+7.111. sha512
--------------
start of buffer
-7.113. sid
+7.112. sid
--------------
* int sid.~: signature id { 1:max32 }
-7.114. sip_body
+7.113. sip_body
--------------
Usage: detect
-7.115. sip_header
+7.114. sip_header
--------------
Usage: detect
-7.116. sip_method
+7.115. sip_method
--------------
* string sip_method.*method: sip method
-7.117. sip_stat_code
+7.116. sip_stat_code
--------------
* int sip_stat_code.*code: status code { 1:999 }
-7.118. so
+7.117. so
--------------
buffer
-7.119. soid
+7.118. soid
--------------
like 3_45678_9
-7.120. ssl_state
+7.119. ssl_state
--------------
unknown
-7.121. ssl_version
+7.120. ssl_version
--------------
tls1.2
-7.122. stream_reassemble
+7.121. stream_reassemble
--------------
remainder of the session
-7.123. stream_size
+7.122. stream_size
--------------
direction(s) { either|to_server|to_client|both }
-7.124. tag
+7.123. tag
--------------
* int tag.bytes: tag for this many bytes { 1:max32 }
-7.125. target
+7.124. target
--------------
dst_ip }
-7.126. tos
+7.125. tos
--------------
* interval tos.~range: check if IP TOS is in given range { 0:255 }
-7.127. ttl
+7.126. ttl
--------------
0:255 }
-7.128. urg
+7.127. urg
--------------
{ 0:65535 }
-7.129. vba_data
+7.128. vba_data
--------------
Usage: detect
-7.130. window
+7.129. window
--------------
range { 0:65535 }
-7.131. wscale
+7.130. wscale
--------------
print stats on exit in third party module
* ip4 arp_spoof.hosts[].ip: host ip address
* mac arp_spoof.hosts[].mac: host mac address
- * int asn1.absolute_offset: absolute offset from the beginning of
- the packet { 0:65535 }
- * implied asn1.bitstring_overflow: detects invalid bitstring
- encodings that are known to be remotely exploitable
- * implied asn1.double_overflow: detects a double ASCII encoding
- that is larger than a standard buffer
- * int asn1.oversize_length: compares ASN.1 type lengths with the
- supplied argument { 0:max32 }
- * implied asn1.print: dump decode data to console; always true
- * int asn1.relative_offset: relative offset from the cursor {
- -65535:65535 }
* string attribute_table.hosts_file: filename to load attribute
host table from
* int attribute_table.max_hosts = 1024: maximum number of hosts in
* bool detection.allow_missing_so_rules = false: warn (true) or
error (false) when an SO rule stub refers to an SO rule that
isn’t loaded
- * int detection.asn1 = 0: maximum decode nodes { 0:65535 }
* bool detection.enable_address_anomaly_checks = false: enable
check and alerting of address anomalies
* bool detection.enable_strict_reduction = false: enable strict
0:255 }
* int dnp3_obj.var = 0: match given DNP3 object header var { 0:255
}
+ * bool dns.publish_response = false: parse and publish dns
+ responses
* string domain_filter.file: file with list of domains identifying
hosts to be filtered
* string domain_filter.hosts: list of domains identifying hosts to
* appids (ips_option): detection option for application ids
* arp (codec): support for address resolution protocol
* arp_spoof (inspector): detect ARP attacks and anomalies
- * asn1 (ips_option): rule option for asn1 detection
* attribute_table (basic): configure hosts loading
* auth (codec): support for IP authentication header
* back_orifice (inspector): back orifice detection
option content
* ips_option::ack: rule option to match on TCP ack numbers
* ips_option::appids: detection option for application ids
- * ips_option::asn1: rule option for asn1 detection
* ips_option::base64_data: set detection cursor to decoded Base64
data
* ips_option::base64_decode: rule option to decode base64 data -
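Review bot: the trailing hunks remove `asn1` consistently from the alphabetical configuration listing (`- * int asn1.absolute_offset` through `- * int asn1.relative_offset`), from the detection module (`- * int detection.asn1 = 0`), from the module list (`- * asn1 (ips_option)`) and from the ips_option index (`- * ips_option::asn1`), and add `+ * bool dns.publish_response = false` to the configuration listing with the same help text as the dns module section; the generated listings and the per-module sections agree, so no further change is needed in these hunks beyond the wording points raised above.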