<div class="literalblock">\r
<div class="content">\r
<pre><code> ,,_ -*> Snort++ <*-\r
-o" )~ Version 3.0.0-a4 (Build 217) from 2.9.7-262\r
+o" )~ Version 3.0.0-a4 (Build 218) from 2.9.7-262\r
'''' By Martin Roesch & The Snort Team\r
http://snort.org/contact#team\r
Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.\r
packets. The key steps are given in the following figure:</p></div>\r
<div class="imageblock">\r
<div class="content">\r
-<img src="./snort2x.png" alt="Snort 2X" width="640" />\r
+<img src="./snort2x.png" alt="Snort 2X" width="480" />\r
</div>\r
</div>\r
<div class="paragraph"><p>The preprocess step is highly configurable. Arbitrary preprocessors can be\r
but they are not central to basic flow processing and are not shown.)</p></div>\r
<div class="imageblock">\r
<div class="content">\r
-<img src="./snort3x.png" alt="Snort 3X" width="640" />\r
+<img src="./snort3x.png" alt="Snort 3X" width="480" />\r
</div>\r
</div>\r
<div class="paragraph"><p>However, Snort++ also provides a more flexible mechanism than callback\r
<div class="literalblock">\r
<div class="content">\r
<pre><code>$my_path/bin/snort -r <pcap>\r
-$my_path/bin/snort -K text -d -e -q -r <pcap></code></pre>\r
+$my_path/bin/snort -L dump -d -e -q -r <pcap></code></pre>\r
</div></div>\r
</li>\r
<li>\r
</div>\r
</div>\r
<div class="sect1">\r
+<h2 id="_features">Features</h2>\r
+<div class="sectionbody">\r
+<div class="paragraph"><p>This section explains how to use key features of Snort++.</p></div>\r
+<div class="sect2">\r
+<h3 id="_file_processing">File Processing</h3>\r
+<div class="paragraph"><p>With the volume of malware transferred through network increasing,\r
+network file inspection becomes more and more important. This feature\r
+will provide file type identification, file signature creation, and file\r
+capture capabilities to help users deal with those challenges.</p></div>\r
+<div class="sect3">\r
+<h4 id="_overview_2">Overview</h4>\r
+<div class="paragraph"><p>There are two parts of file services: file APIs and file policy.\r
+File APIs provides all the file inspection functionalities, such as file\r
+type identification, file signature calculation, and file capture.\r
+File policy provides users ability to control file services, such\r
+as enable/disable/configure file type identification, file signature, or\r
+file capture.</p></div>\r
+<div class="paragraph"><p>In addition to all capabilities from snort 2x, we support customized file\r
+policy along with file event log.</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+Supported protocols: HTTP, SMTP, IMAP, POP3, FTP, and SMB.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Supported file signature calculation: SHA256\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_quick_guide">Quick Guide</h4>\r
+<div class="paragraph"><p>A very simple configuration has been included in lua/snort.lua file.\r
+A typical file configuration looks like this:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>dofile('magic.lua')</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>my_file_policy =\r
+{\r
+ { when = { file_type_id = 0 }, use = { verdict = 'log', enable_file_signature = true, enable_file_capture = true } }\r
+ { when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_signature = true } },\r
+ { when = { sha256 = "F74DC976BC8387E7D4FC0716A069017A0C7ED13F309A523CC41A8739CCB7D4B6" }, use = { verdict = 'block'} },\r
+}</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>file_id =\r
+{\r
+ enable_type = true,\r
+ enable_signature = true,\r
+ enable_capture = true,\r
+ file_rules = magics,\r
+ trace_type = true,\r
+ trace_signature = true,\r
+ trace_stream = true,\r
+ file_policy = my_file_policy,\r
+ }</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>file_log =\r
+{\r
+ log_pkt_time = true,\r
+ log_sys_time = false,\r
+}</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>There are 3 steps to enable file processing:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+First, you need to include the file magic rules.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Then, define the file policy and configure the inspector\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+At last, enable file_log to get detailed information about file event\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_pre_packaged_file_magic_rules">Pre-packaged File Magic Rules</h4>\r
+<div class="paragraph"><p>A set of file magic rules is packaged with Snort. They can be located at\r
+"lua/file_magic.lua". To use this feature, it is recommended that these\r
+pre-packaged rules are used; doing so requires that you include\r
+the file in your Snort configuration as such (already in snort.lua):</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>dofile('magic.lua')</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Example:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>{ type = "GIF", id = 62, category = "Graphics", rev = 1,\r
+ magic = { { content = "| 47 49 46 38 37 61 |",offset = 0 } } },</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>{ type = "GIF", id = 63, category = "Graphics", rev = 1,\r
+ magic = { { content = "| 47 49 46 38 39 61 |",offset = 0 } } },</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>The previous two rules define GIF format, because two file magics are\r
+different. File magics are specifed by content and offset, which look\r
+at content at particular file offset to identify the file type. In this\r
+case, two magics look at the beginning of the file. You can use character\r
+if it is printable or hex value in between "|".</p></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_file_policy">File Policy</h4>\r
+<div class="paragraph"><p>You can enabled file type, file signature, or file capture by configuring\r
+file_id. In addition, you can enable trace to see file stream data, file\r
+type, and file signature information.</p></div>\r
+<div class="paragraph"><p>Most importantly, you can configure a file policy that can block/alert\r
+some file type or an individual file based on SHA. This allows you\r
+build a file blacklist or whitelist.</p></div>\r
+<div class="paragraph"><p>Example:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>file_policy =\r
+{\r
+ { when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_signature = true } },\r
+ { when = { sha256 = "F74DC976BC8387E7D4FC0716A069017A0C7ED13F309A523CC41A8739CCB7D4B6" }, use = { verdict = 'block'} },\r
+ { when = { file_type_id = 0 }, use = { verdict = 'log', enable_file_signature = true, enable_file_capture = true } }\r
+}</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>In this example, it enables this policy:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+For PDF files, they will be logged with signatures.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+For the file matching this SHA, it will be blocked\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+For all file types identified, they will be logged with signature, and\r
+also captured onto log folder.\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_file_capture">File Capture</h4>\r
+<div class="paragraph"><p>File can be captured and stored to log folder. We use SHA as file name\r
+instead of actual file name to avoid conflicts. You can capture either\r
+all files, some file type, or a particular file based on SHA.</p></div>\r
+<div class="paragraph"><p>You can enable file capture through this config:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>enable_capture = true,</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>or enable it for some file or file type in your file policy:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>{ when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_capture = true } },</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>The above rule will enable PDF file capture.</p></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_file_events">File Events</h4>\r
+<div class="paragraph"><p>File inspect preprocessor also works as a dynamic output plugin for file\r
+events. It logs basic information about file. The log file is in the same\r
+folder as other log files with name starting with "file.log".</p></div>\r
+<div class="paragraph"><p>Example:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>file_log = { log_pkt_time = true, log_sys_time = false }</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>All file events will be logged in packet time, system time is not logged.</p></div>\r
+<div class="paragraph"><p>File event example:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>08/14-19:14:19.100891 10.22.75.72:33734 -> 10.22.75.36:80,\r
+[Name: "malware.exe"] [Verdict: Block] [Type: MSEXE]\r
+[SHA: 6F26E721FDB1AAFD29B41BCF90196DEE3A5412550615A856DAE8E3634BCE9F7A]\r
+[Size: 1039328]</code></pre>\r
+</div></div>\r
+</div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_performance_monitor">Performance Monitor</h3>\r
+<div class="paragraph"><p>The new and improved performance monitor! Is your sensor being bogged down by\r
+too many flows? perf_monitor! Why are certain TCP segments being dropped without\r
+hitting a rule? perf_monitor! Why is a sensor leaking water? Not perf_monitor, check\r
+with stream…</p></div>\r
+<div class="sect3">\r
+<h4 id="_overview_3">Overview</h4>\r
+<div class="paragraph"><p>The Snort performance monitor is the built-in utility for monitoring system\r
+and traffic statistics. All statistics are separated by processing thread.\r
+perf_monitor supports several trackers for monitoring such data:</p></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_base_tracker">Base Tracker</h4>\r
+<div class="paragraph"><p>The base tracker is used to gather running statistics about Snort and its\r
+running modules. All Snort modules gather, at the very least, counters for the\r
+number of packets reaching it. Most supplement these counts with those for\r
+domain specific functions, such as http_inspect’s number of GET requests seen.</p></div>\r
+<div class="paragraph"><p>Statistics are gathered live and can be reported at regular intervals. The stats\r
+reported correspond only to the interval in question and are reset at the\r
+beginning of each interval.</p></div>\r
+<div class="paragraph"><p>These are the same counts displayed when Snort shuts down, only sorted amongst\r
+the discrete intervals in which they occurred.</p></div>\r
+<div class="paragraph"><p>Base differs from prior implementations in Snort in that all stats gathered are\r
+only raw counts, allowing the data to be evaluated as needed. Additionally,\r
+base is entirely pluggable. Data from new Snort plugins can be added to the\r
+existing stats either automatically or, if specified, by name and function.</p></div>\r
+<div class="paragraph"><p>All plugins and counters can be enabled or disabled individually, allowing for\r
+only the data that is actually desired instead of overly verbose performance\r
+logs.</p></div>\r
+<div class="paragraph"><p>To enable everything:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>perf_monitor = { modules = {} }</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>To enable everything within a module:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>perf_monitor =\r
+{\r
+ modules =\r
+ {\r
+ {\r
+ name = 'stream_tcp',\r
+ pegs = [[ ]]\r
+ },\r
+ }\r
+}</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>To enable specific counts within modules:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>perf_monitor =\r
+{\r
+ modules =\r
+ {\r
+ {\r
+ name = 'stream_tcp',\r
+ pegs = [[ overlaps gaps ]]\r
+ },\r
+ }</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Note: Event stats from prior Snorts are now located within base statistics.</p></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_flow_tracker">Flow Tracker</h4>\r
+<div class="paragraph"><p>Flow tracks statistics regarding traffic and L3/L4 protocol distributions. This\r
+data can be used to build a profile of traffic for inspector tuning and for\r
+identifying where Snort may be stressed.</p></div>\r
+<div class="paragraph"><p>To enable:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>perf_monitor = { flow = true }</code></pre>\r
+</div></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_flowip_tracker">FlowIP Tracker</h4>\r
+<div class="paragraph"><p>FlowIP provides statistics for individual hosts within a network. This data can\r
+be used for identifying communication habits, such as generating large or small\r
+amounts of data, opening a small or large number of sessions, and tendency to\r
+send smaller or larger IP packets.</p></div>\r
+<div class="paragraph"><p>To enable:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>perf_monitor = { flow_ip = true }</code></pre>\r
+</div></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_cpu_tracker">CPU Tracker</h4>\r
+<div class="paragraph"><p>This tracker monitors the CPU and wall time spent by a given processing thread.</p></div>\r
+<div class="paragraph"><p>To enable:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>perf_monitor = { cpu = true }</code></pre>\r
+</div></div>\r
+</div>\r
+</div>\r
+</div>\r
+</div>\r
+<div class="sect1">\r
<h2 id="_basic_modules">Basic Modules</h2>\r
<div class="sectionbody">\r
<div class="paragraph"><p>Internal modules which are not plugins are termed "basic". These include\r
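Review bot: the my_file_policy table in the Quick Guide is not valid Lua and this hunk should not land as is. Its first entry, `{ when = { file_type_id = 0 }, use = { verdict = 'log', enable_file_signature = true, enable_file_capture = true } }`, has no separating comma before the second entry, so a snort.lua containing this block fails to parse; the same three-entry table in the File Policy subsection has the comma and shows the intended form. The last perf_monitor example ("To enable specific counts within modules") has the same class of problem: the `}` after `pegs = [[ overlaps gaps ]]` closes only the modules table and the outer perf_monitor table is never closed, whereas the preceding "enable everything within a module" example is complete. Two documentation gaps: the prose says the packaged rules are at "lua/file_magic.lua" but both snippets load `dofile('magic.lua')`, and `file_rules = magics` depends on a global that the magic file is presumed to define, so name the file consistently and say where `magics` comes from. The perf_monitor Overview ends with "supports several trackers for monitoring such data:" and nothing follows; either list the four trackers the subsections describe (base, flow, flow_ip, cpu) or drop the colon. Minor wording: "specifed", "You can enabled file type", "This allows you build", and "File inspect preprocessor" (Snort++ calls these inspectors, and the same paragraph refers to it as an output plugin).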
</p>\r
</li>\r
</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+<strong>file_id.total_files</strong>: number of files processed\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>file_id.total_file_data</strong>: number of file data bytes processed\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>file_id.cache_failures</strong>: number of file cache add failures\r
+</p>\r
+</li>\r
+</ul></div>\r
</div>\r
<div class="sect2">\r
<h3 id="_high_availability">high_availability</h3>\r
</li>\r
<li>\r
<p>\r
-added -K text; -K text/pcap is old dump/log mode\r
+added -L none|dump|pcap\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-changed default logging mode to -K none\r
+changed default logging mode to -L none\r
</p>\r
</li>\r
<li>\r
</div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_optional_features">Optional Features</h3>\r
-<div class="paragraph"><p>The features listed below must be explicitly enabled so they are built\r
-into the Snort binary. For a full list of build features, run ./configure\r
+<h3 id="_build_options_2">Build Options</h3>\r
+<div class="paragraph"><p>The options listed below must be explicitly enabled so they are built\r
+into the Snort binary. For a full list of build options, run ./configure\r
--help.</p></div>\r
<div class="ulist"><ul>\r
<li>\r
</p>\r
</li>\r
</ul></div>\r
-<div class="paragraph"><p>These features are built only if the required libraries and headers are\r
+<div class="paragraph"><p>These options are built only if the required libraries and headers are\r
present. There is no need to explicitly enable.</p></div>\r
<div class="ulist"><ul>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>file_id.cache_failures</strong>: number of file cache add failures\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>file_id.total_file_data</strong>: number of file data bytes processed\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>file_id.total_files</strong>: number of files processed\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>file_log.total events</strong>: total file events\r
</p>\r
</li>\r
<div id="footnotes"><hr /></div>\r
<div id="footer">\r
<div id="footer-text">\r
-Last updated 2016-11-03 23:18:47 EDT\r
+Last updated 2016-11-16 08:37:01 EST\r
</div>\r
</div>\r
</body>\r
2.7. Gotchas
2.8. Bugs
-3. Basic Modules
-
- 3.1. active
- 3.2. alerts
- 3.3. attribute_table
- 3.4. classifications
- 3.5. daq
- 3.6. decode
- 3.7. detection
- 3.8. event_filter
- 3.9. event_queue
- 3.10. file_id
- 3.11. high_availability
- 3.12. host_cache
- 3.13. host_tracker
- 3.14. hosts
- 3.15. ips
- 3.16. latency
- 3.17. memory
- 3.18. network
- 3.19. output
- 3.20. packets
- 3.21. process
- 3.22. profiler
- 3.23. rate_filter
- 3.24. references
- 3.25. rule_state
- 3.26. search_engine
- 3.27. side_channel
- 3.28. snort
- 3.29. suppress
-
-4. Codec Modules
-
- 4.1. arp
- 4.2. auth
- 4.3. ciscometadata
- 4.4. erspan2
- 4.5. erspan3
- 4.6. esp
- 4.7. eth
- 4.8. fabricpath
- 4.9. gre
- 4.10. gtp
- 4.11. icmp4
- 4.12. icmp6
- 4.13. igmp
- 4.14. ipv4
- 4.15. ipv6
- 4.16. mpls
- 4.17. pgm
- 4.18. pppoe
- 4.19. tcp
- 4.20. udp
- 4.21. vlan
-
-5. Inspector Modules
-
- 5.1. appid
- 5.2. arp_spoof
- 5.3. back_orifice
- 5.4. binder
- 5.5. dce_smb
- 5.6. dce_tcp
- 5.7. dce_udp
- 5.8. dnp3
- 5.9. dns
- 5.10. file_log
- 5.11. ftp_client
- 5.12. ftp_data
- 5.13. ftp_server
- 5.14. gtp_inspect
- 5.15. http_inspect
- 5.16. imap
- 5.17. modbus
- 5.18. normalizer
- 5.19. packet_capture
- 5.20. perf_monitor
- 5.21. pop
- 5.22. port_scan
- 5.23. port_scan_global
- 5.24. reputation
- 5.25. rpc_decode
- 5.26. sip
- 5.27. smtp
- 5.28. ssh
- 5.29. ssl
- 5.30. stream
- 5.31. stream_file
- 5.32. stream_icmp
- 5.33. stream_ip
- 5.34. stream_tcp
- 5.35. stream_udp
- 5.36. stream_user
- 5.37. telnet
- 5.38. wizard
-
-6. IPS Action Modules
-
- 6.1. react
- 6.2. reject
- 6.3. rewrite
-
-7. IPS Option Modules
-
- 7.1. ack
- 7.2. appids
- 7.3. asn1
- 7.4. base64_decode
- 7.5. bufferlen
- 7.6. byte_extract
- 7.7. byte_jump
- 7.8. byte_test
- 7.9. classtype
- 7.10. content
- 7.11. cvs
- 7.12. dce_iface
- 7.13. dce_opnum
- 7.14. dce_stub_data
- 7.15. detection_filter
- 7.16. dnp3_data
- 7.17. dnp3_func
- 7.18. dnp3_ind
- 7.19. dnp3_obj
- 7.20. dsize
- 7.21. file_data
- 7.22. file_type
- 7.23. flags
- 7.24. flow
- 7.25. flowbits
- 7.26. fragbits
- 7.27. fragoffset
- 7.28. gid
- 7.29. gtp_info
- 7.30. gtp_type
- 7.31. gtp_version
- 7.32. http_client_body
- 7.33. http_cookie
- 7.34. http_header
- 7.35. http_method
- 7.36. http_raw_cookie
- 7.37. http_raw_header
- 7.38. http_raw_request
- 7.39. http_raw_status
- 7.40. http_raw_trailer
- 7.41. http_raw_uri
- 7.42. http_stat_code
- 7.43. http_stat_msg
- 7.44. http_trailer
- 7.45. http_uri
- 7.46. http_version
- 7.47. icmp_id
- 7.48. icmp_seq
- 7.49. icode
- 7.50. id
- 7.51. ip_proto
- 7.52. ipopts
- 7.53. isdataat
- 7.54. itype
- 7.55. md5
- 7.56. metadata
- 7.57. modbus_data
- 7.58. modbus_func
- 7.59. modbus_unit
- 7.60. msg
- 7.61. pcre
- 7.62. pkt_data
- 7.63. priority
- 7.64. raw_data
- 7.65. reference
- 7.66. regex
- 7.67. rem
- 7.68. replace
- 7.69. rev
- 7.70. rpc
- 7.71. sd_pattern
- 7.72. seq
- 7.73. session
- 7.74. sha256
- 7.75. sha512
- 7.76. sid
- 7.77. sip_body
- 7.78. sip_header
- 7.79. sip_method
- 7.80. sip_stat_code
- 7.81. so
- 7.82. soid
- 7.83. ssl_state
- 7.84. ssl_version
- 7.85. stream_reassemble
- 7.86. stream_size
- 7.87. tag
- 7.88. tos
- 7.89. ttl
- 7.90. window
-
-8. Search Engine Modules
-9. SO Rule Modules
-10. Logger Modules
-
- 10.1. alert_csv
- 10.2. alert_fast
- 10.3. alert_full
- 10.4. alert_sfsocket
- 10.5. alert_syslog
- 10.6. log_codecs
- 10.7. log_hext
- 10.8. log_pcap
- 10.9. unified2
-
-11. DAQ Modules
-
- 11.1. Building the DAQ Library and DAQ Modules
- 11.2. PCAP Module
- 11.3. AFPACKET Module
- 11.4. NFQ Module
- 11.5. IPQ Module
- 11.6. IPFW Module
- 11.7. Dump Module
- 11.8. Netmap Module
- 11.9. Notes on iptables
- 11.10. Notes on FreeBSD::IPFW
- 11.11. Notes on OpenBSD::IPFW
- 11.12. Socket Module
- 11.13. File Module
- 11.14. Hext Module
-
-12. Snort++ vs Snort
-
- 12.1. Build Options
- 12.2. Command Line
- 12.3. Conf File
- 12.4. Rules
- 12.5. Output
- 12.6. HTTP Profiles
-
-13. Snort2Lua
-
- 13.1. Snort2Lua Command Line
- 13.2. Known Problems
- 13.3. Usage
-
-14. Extending Snort++
-
- 14.1. Plugins
- 14.2. Modules
- 14.3. Inspectors
- 14.4. Codecs
- 14.5. IPS Actions
- 14.6. Developers Guide
- 14.7. Piglet Test Harness
- 14.8. Piglet Lua API
-
-15. Coding Style
-
- 15.1. General
- 15.2. C++ Specific
- 15.3. Naming
- 15.4. Comments
- 15.5. Logging
- 15.6. Types
- 15.7. Macros (aka defines)
- 15.8. Formatting
- 15.9. Headers
- 15.10. Warnings
- 15.11. Uncrustify
-
-16. Reference
-
- 16.1. Terminology
- 16.2. Usage
- 16.3. Plugins
- 16.4. Output Files
- 16.5. Optional Features
- 16.6. Environment Variables
- 16.7. Command Line Options
- 16.8. Parameters
- 16.9. Configuration
- 16.10. Counts
- 16.11. Generators
- 16.12. Builtin Rules
- 16.13. Command Set
- 16.14. Signals
- 16.15. Configuration Changes
- 16.16. Module Listing
+3. Features
+
+ 3.1. File Processing
+ 3.2. Performance Monitor
+
+4. Basic Modules
+
+ 4.1. active
+ 4.2. alerts
+ 4.3. attribute_table
+ 4.4. classifications
+ 4.5. daq
+ 4.6. decode
+ 4.7. detection
+ 4.8. event_filter
+ 4.9. event_queue
+ 4.10. file_id
+ 4.11. high_availability
+ 4.12. host_cache
+ 4.13. host_tracker
+ 4.14. hosts
+ 4.15. ips
+ 4.16. latency
+ 4.17. memory
+ 4.18. network
+ 4.19. output
+ 4.20. packets
+ 4.21. process
+ 4.22. profiler
+ 4.23. rate_filter
+ 4.24. references
+ 4.25. rule_state
+ 4.26. search_engine
+ 4.27. side_channel
+ 4.28. snort
+ 4.29. suppress
+
+5. Codec Modules
+
+ 5.1. arp
+ 5.2. auth
+ 5.3. ciscometadata
+ 5.4. erspan2
+ 5.5. erspan3
+ 5.6. esp
+ 5.7. eth
+ 5.8. fabricpath
+ 5.9. gre
+ 5.10. gtp
+ 5.11. icmp4
+ 5.12. icmp6
+ 5.13. igmp
+ 5.14. ipv4
+ 5.15. ipv6
+ 5.16. mpls
+ 5.17. pgm
+ 5.18. pppoe
+ 5.19. tcp
+ 5.20. udp
+ 5.21. vlan
+
+6. Inspector Modules
+
+ 6.1. appid
+ 6.2. arp_spoof
+ 6.3. back_orifice
+ 6.4. binder
+ 6.5. dce_smb
+ 6.6. dce_tcp
+ 6.7. dce_udp
+ 6.8. dnp3
+ 6.9. dns
+ 6.10. file_log
+ 6.11. ftp_client
+ 6.12. ftp_data
+ 6.13. ftp_server
+ 6.14. gtp_inspect
+ 6.15. http_inspect
+ 6.16. imap
+ 6.17. modbus
+ 6.18. normalizer
+ 6.19. packet_capture
+ 6.20. perf_monitor
+ 6.21. pop
+ 6.22. port_scan
+ 6.23. port_scan_global
+ 6.24. reputation
+ 6.25. rpc_decode
+ 6.26. sip
+ 6.27. smtp
+ 6.28. ssh
+ 6.29. ssl
+ 6.30. stream
+ 6.31. stream_file
+ 6.32. stream_icmp
+ 6.33. stream_ip
+ 6.34. stream_tcp
+ 6.35. stream_udp
+ 6.36. stream_user
+ 6.37. telnet
+ 6.38. wizard
+
+7. IPS Action Modules
+
+ 7.1. react
+ 7.2. reject
+ 7.3. rewrite
+
+8. IPS Option Modules
+
+ 8.1. ack
+ 8.2. appids
+ 8.3. asn1
+ 8.4. base64_decode
+ 8.5. bufferlen
+ 8.6. byte_extract
+ 8.7. byte_jump
+ 8.8. byte_test
+ 8.9. classtype
+ 8.10. content
+ 8.11. cvs
+ 8.12. dce_iface
+ 8.13. dce_opnum
+ 8.14. dce_stub_data
+ 8.15. detection_filter
+ 8.16. dnp3_data
+ 8.17. dnp3_func
+ 8.18. dnp3_ind
+ 8.19. dnp3_obj
+ 8.20. dsize
+ 8.21. file_data
+ 8.22. file_type
+ 8.23. flags
+ 8.24. flow
+ 8.25. flowbits
+ 8.26. fragbits
+ 8.27. fragoffset
+ 8.28. gid
+ 8.29. gtp_info
+ 8.30. gtp_type
+ 8.31. gtp_version
+ 8.32. http_client_body
+ 8.33. http_cookie
+ 8.34. http_header
+ 8.35. http_method
+ 8.36. http_raw_cookie
+ 8.37. http_raw_header
+ 8.38. http_raw_request
+ 8.39. http_raw_status
+ 8.40. http_raw_trailer
+ 8.41. http_raw_uri
+ 8.42. http_stat_code
+ 8.43. http_stat_msg
+ 8.44. http_trailer
+ 8.45. http_uri
+ 8.46. http_version
+ 8.47. icmp_id
+ 8.48. icmp_seq
+ 8.49. icode
+ 8.50. id
+ 8.51. ip_proto
+ 8.52. ipopts
+ 8.53. isdataat
+ 8.54. itype
+ 8.55. md5
+ 8.56. metadata
+ 8.57. modbus_data
+ 8.58. modbus_func
+ 8.59. modbus_unit
+ 8.60. msg
+ 8.61. pcre
+ 8.62. pkt_data
+ 8.63. priority
+ 8.64. raw_data
+ 8.65. reference
+ 8.66. regex
+ 8.67. rem
+ 8.68. replace
+ 8.69. rev
+ 8.70. rpc
+ 8.71. sd_pattern
+ 8.72. seq
+ 8.73. session
+ 8.74. sha256
+ 8.75. sha512
+ 8.76. sid
+ 8.77. sip_body
+ 8.78. sip_header
+ 8.79. sip_method
+ 8.80. sip_stat_code
+ 8.81. so
+ 8.82. soid
+ 8.83. ssl_state
+ 8.84. ssl_version
+ 8.85. stream_reassemble
+ 8.86. stream_size
+ 8.87. tag
+ 8.88. tos
+ 8.89. ttl
+ 8.90. window
+
+9. Search Engine Modules
+10. SO Rule Modules
+11. Logger Modules
+
+ 11.1. alert_csv
+ 11.2. alert_fast
+ 11.3. alert_full
+ 11.4. alert_sfsocket
+ 11.5. alert_syslog
+ 11.6. log_codecs
+ 11.7. log_hext
+ 11.8. log_pcap
+ 11.9. unified2
+
+12. DAQ Modules
+
+ 12.1. Building the DAQ Library and DAQ Modules
+ 12.2. PCAP Module
+ 12.3. AFPACKET Module
+ 12.4. NFQ Module
+ 12.5. IPQ Module
+ 12.6. IPFW Module
+ 12.7. Dump Module
+ 12.8. Netmap Module
+ 12.9. Notes on iptables
+ 12.10. Notes on FreeBSD::IPFW
+ 12.11. Notes on OpenBSD::IPFW
+ 12.12. Socket Module
+ 12.13. File Module
+ 12.14. Hext Module
+
+13. Snort++ vs Snort
+
+ 13.1. Build Options
+ 13.2. Command Line
+ 13.3. Conf File
+ 13.4. Rules
+ 13.5. Output
+ 13.6. HTTP Profiles
+
+14. Snort2Lua
+
+ 14.1. Snort2Lua Command Line
+ 14.2. Known Problems
+ 14.3. Usage
+
+15. Extending Snort++
+
+ 15.1. Plugins
+ 15.2. Modules
+ 15.3. Inspectors
+ 15.4. Codecs
+ 15.5. IPS Actions
+ 15.6. Developers Guide
+ 15.7. Piglet Test Harness
+ 15.8. Piglet Lua API
+
+16. Coding Style
+
+ 16.1. General
+ 16.2. C++ Specific
+ 16.3. Naming
+ 16.4. Comments
+ 16.5. Logging
+ 16.6. Types
+ 16.7. Macros (aka defines)
+ 16.8. Formatting
+ 16.9. Headers
+ 16.10. Warnings
+ 16.11. Uncrustify
+
+17. Reference
+
+ 17.1. Terminology
+ 17.2. Usage
+ 17.3. Plugins
+ 17.4. Output Files
+ 17.5. Build Options
+ 17.6. Environment Variables
+ 17.7. Command Line Options
+ 17.8. Parameters
+ 17.9. Configuration
+ 17.10. Counts
+ 17.11. Generators
+ 17.12. Builtin Rules
+ 17.13. Command Set
+ 17.14. Signals
+ 17.15. Configuration Changes
+ 17.16. Module Listing
Snorty
,,_ -*> Snort++ <*-
-o" )~ Version 3.0.0-a4 (Build 217) from 2.9.7-262
+o" )~ Version 3.0.0-a4 (Build 218) from 2.9.7-262
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.
* Examine and dump a pcap:
$my_path/bin/snort -r <pcap>
- $my_path/bin/snort -K text -d -e -q -r <pcap>
+ $my_path/bin/snort -L dump -d -e -q -r <pcap>
* Verify config, with or w/o rules:
---------------------------------------------------------------------
-3. Basic Modules
+3. Features
+
+---------------------------------------------------------------------
+
+This section explains how to use key features of Snort++.
+
+
+3.1. File Processing
+
+--------------
+
+With the volume of malware transferred through network increasing,
+network file inspection becomes more and more important. This feature
+will provide file type identification, file signature creation, and
+file capture capabilities to help users deal with those challenges.
+
+3.1.1. Overview
+
+There are two parts of file services: file APIs and file policy. File
+APIs provides all the file inspection functionalities, such as file
+type identification, file signature calculation, and file capture.
+File policy provides users ability to control file services, such as
+enable/disable/configure file type identification, file signature, or
+file capture.
+
+In addition to all capabilities from snort 2x, we support customized
+file policy along with file event log.
+
+ * Supported protocols: HTTP, SMTP, IMAP, POP3, FTP, and SMB.
+ * Supported file signature calculation: SHA256
+
+3.1.2. Quick Guide
+
+A very simple configuration has been included in lua/snort.lua file.
+A typical file configuration looks like this:
+
+dofile('magic.lua')
+
+my_file_policy =
+{
+ { when = { file_type_id = 0 }, use = { verdict = 'log', enable_file_signature = true, enable_file_capture = true } }
+ { when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_signature = true } },
+ { when = { sha256 = "F74DC976BC8387E7D4FC0716A069017A0C7ED13F309A523CC41A8739CCB7D4B6" }, use = { verdict = 'block'} },
+}
+
+file_id =
+{
+ enable_type = true,
+ enable_signature = true,
+ enable_capture = true,
+ file_rules = magics,
+ trace_type = true,
+ trace_signature = true,
+ trace_stream = true,
+ file_policy = my_file_policy,
+ }
+
+file_log =
+{
+ log_pkt_time = true,
+ log_sys_time = false,
+}
+
+There are 3 steps to enable file processing:
+
+ * First, you need to include the file magic rules.
+ * Then, define the file policy and configure the inspector
+ * At last, enable file_log to get detailed information about file
+ event
+
+3.1.3. Pre-packaged File Magic Rules
+
+A set of file magic rules is packaged with Snort. They can be located
+at "lua/file_magic.lua". To use this feature, it is recommended that
+these pre-packaged rules are used; doing so requires that you include
+the file in your Snort configuration as such (already in snort.lua):
+
+dofile('magic.lua')
+
+Example:
+
+{ type = "GIF", id = 62, category = "Graphics", rev = 1,
+ magic = { { content = "| 47 49 46 38 37 61 |",offset = 0 } } },
+
+{ type = "GIF", id = 63, category = "Graphics", rev = 1,
+ magic = { { content = "| 47 49 46 38 39 61 |",offset = 0 } } },
+
+The previous two rules define GIF format, because two file magics are
+different. File magics are specifed by content and offset, which look
+at content at particular file offset to identify the file type. In
+this case, two magics look at the beginning of the file. You can use
+character if it is printable or hex value in between "|".
+
+3.1.4. File Policy
+
+You can enabled file type, file signature, or file capture by
+configuring file_id. In addition, you can enable trace to see file
+stream data, file type, and file signature information.
+
+Most importantly, you can configure a file policy that can block/
+alert some file type or an individual file based on SHA. This allows
+you build a file blacklist or whitelist.
+
+Example:
+
+file_policy =
+{
+ { when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_signature = true } },
+ { when = { sha256 = "F74DC976BC8387E7D4FC0716A069017A0C7ED13F309A523CC41A8739CCB7D4B6" }, use = { verdict = 'block'} },
+ { when = { file_type_id = 0 }, use = { verdict = 'log', enable_file_signature = true, enable_file_capture = true } }
+}
+
+In this example, it enables this policy:
+
+ * For PDF files, they will be logged with signatures.
+ * For the file matching this SHA, it will be blocked
+ * For all file types identified, they will be logged with
+ signature, and also captured onto log folder.
+
+3.1.5. File Capture
+
+File can be captured and stored to log folder. We use SHA as file
+name instead of actual file name to avoid conflicts. You can capture
+either all files, some file type, or a particular file based on SHA.
+
+You can enable file capture through this config:
+
+enable_capture = true,
+
+or enable it for some file or file type in your file policy:
+
+{ when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_capture = true } },
+
+The above rule will enable PDF file capture.
+
+3.1.6. File Events
+
+File inspect preprocessor also works as a dynamic output plugin for
+file events. It logs basic information about file. The log file is in
+the same folder as other log files with name starting with
+"file.log".
+
+Example:
+
+file_log = { log_pkt_time = true, log_sys_time = false }
+
+All file events will be logged in packet time, system time is not
+logged.
+
+File event example:
+
+08/14-19:14:19.100891 10.22.75.72:33734 -> 10.22.75.36:80,
+[Name: "malware.exe"] [Verdict: Block] [Type: MSEXE]
+[SHA: 6F26E721FDB1AAFD29B41BCF90196DEE3A5412550615A856DAE8E3634BCE9F7A]
+[Size: 1039328]
+
+
+3.2. Performance Monitor
+
+--------------
+
+The new and improved performance monitor! Is your sensor being bogged
+down by too many flows? perf_monitor! Why are certain TCP segments
+being dropped without hitting a rule? perf_monitor! Why is a sensor
+leaking water? Not perf_monitor, check with stream…
+
+3.2.1. Overview
+
+The Snort performance monitor is the built-in utility for monitoring
+system and traffic statistics. All statistics are separated by
+processing thread. perf_monitor supports several trackers for
+monitoring such data:
+
+3.2.2. Base Tracker
+
+The base tracker is used to gather running statistics about Snort and
+its running modules. All Snort modules gather, at the very least,
+counters for the number of packets reaching it. Most supplement these
+counts with those for domain specific functions, such as
+http_inspect’s number of GET requests seen.
+
+Statistics are gathered live and can be reported at regular
+intervals. The stats reported correspond only to the interval in
+question and are reset at the beginning of each interval.
+
+These are the same counts displayed when Snort shuts down, only
+sorted amongst the discrete intervals in which they occurred.
+
+Base differs from prior implementations in Snort in that all stats
+gathered are only raw counts, allowing the data to be evaluated as
+needed. Additionally, base is entirely pluggable. Data from new Snort
+plugins can be added to the existing stats either automatically or,
+if specified, by name and function.
+
+All plugins and counters can be enabled or disabled individually,
+allowing for only the data that is actually desired instead of overly
+verbose performance logs.
+
+To enable everything:
+
+perf_monitor = { modules = {} }
+
+To enable everything within a module:
+
+perf_monitor =
+{
+ modules =
+ {
+ {
+ name = 'stream_tcp',
+ pegs = [[ ]]
+ },
+ }
+}
+
+To enable specific counts within modules:
+
+perf_monitor =
+{
+ modules =
+ {
+ {
+ name = 'stream_tcp',
+ pegs = [[ overlaps gaps ]]
+ },
+ }
+
+Note: Event stats from prior Snorts are now located within base
+statistics.
+
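Review bot: the third `perf_monitor` example (`pegs = [[ overlaps gaps ]]`) is missing the closing brace of the outer table; as written it is not valid Lua and the config will fail to load, whereas the second example closes both tables. Add the final `}`. Two smaller points: `modules = {}` meaning "enable everything" is counterintuitive enough to deserve a sentence saying that an empty list selects all modules and all pegs, and the text says stats "can be reported at regular intervals" without showing the parameter that sets the interval or where the report is written; add both to the base tracker example so it is usable as-is.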
+3.2.3. Flow Tracker
+
+Flow tracks statistics regarding traffic and L3/L4 protocol
+distributions. This data can be used to build a profile of traffic
+for inspector tuning and for identifying where Snort may be stressed.
+
+To enable:
+
+perf_monitor = { flow = true }
+
+3.2.4. FlowIP Tracker
+
+FlowIP provides statistics for individual hosts within a network.
+This data can be used for identifying communication habits, such as
+generating large or small amounts of data, opening a small or large
+number of sessions, and tendency to send smaller or larger IP
+packets.
+
+To enable:
+
+perf_monitor = { flow_ip = true }
+
+3.2.5. CPU Tracker
+
+This tracker monitors the CPU and wall time spent by a given
+processing thread.
+
+To enable:
+
+perf_monitor = { cpu = true }
+
+
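Review bot: FlowIP keeps statistics per host, so its table grows with the number of distinct addresses seen, and the text gives no memory bound or eviction behaviour. Say whether the tracker is capped and what happens when the cap is reached; an unbounded per-host table is exactly the kind of thing that bogs down the sensor the chapter intro jokes about. Minor: the last sentence of 3.2.1 ends with a colon announcing a list of trackers but is followed by a heading; either list them there or end with a period.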
+---------------------------------------------------------------------
+
+4. Basic Modules
---------------------------------------------------------------------
include configuration for core processing.
-3.1. active
+4.1. active
--------------
responses { 1: }
-3.2. alerts
+4.2. alerts
--------------
for GTP|Teredo|6in4|4in6 traffic
-3.3. attribute_table
+4.3. attribute_table
--------------
services in rule metadata { 1:256 }
-3.4. classifications
+4.4. classifications
--------------
* string classifications[].text: description of class
-3.5. daq
+4.5. daq
--------------
* daq.idle: attempts to acquire from DAQ without available packets
-3.6. decode
+4.6. decode
--------------
* 116:472 (decode) too many protocols present
-3.7. detection
+4.7. detection
--------------
* detection.alert limit: events previously triggered on same PDU
-3.8. event_filter
+4.8. event_filter
--------------
according to track
-3.9. event_queue
+4.9. event_queue
--------------
action group or all action groups
-3.10. file_id
+4.10. file_id
--------------
* bool file_id.trace_stream = false: enable runtime dump of file
data
+Peg counts:
+
+ * file_id.total_files: number of files processed
+ * file_id.total_file_data: number of file data bytes processed
+ * file_id.cache_failures: number of file cache add failures
+
-3.11. high_availability
+4.11. high_availability
--------------
Peg counts:
-3.12. host_cache
+4.12. host_cache
--------------
* host_cache.lru cache clears: lru cache clear API calls
-3.13. host_tracker
+4.13. host_tracker
--------------
* host_tracker.service removes: host service removes
-3.14. hosts
+4.14. hosts
--------------
* port hosts[].services[].port: port number
-3.15. ips
+4.15. ips
--------------
* string ips.rules: snort rules and includes
-3.16. latency
+4.16. latency
--------------
* latency.rule tree enables: rule tree re-enables
-3.17. memory
+4.17. memory
--------------
preemptive cleanup actions (percent, 0 to disable) { 0: }
-3.18. network
+4.18. network
--------------
116:293 may fire. 0 = unlimited { 0:255 }
-3.19. output
+4.19. output
--------------
* bool output.verbose = false: be verbose (same as -v)
-3.20. packets
+4.20. packets
--------------
is used to track fragments and connections
-3.21. process
+4.21. process
--------------
timestamps
-3.22. profiler
+4.22. profiler
--------------
avg_match | avg_no_match }
-3.23. rate_filter
+4.23. rate_filter
--------------
according to track
-3.24. references
+4.24. references
--------------
* string references[].url: where this reference is defined
-3.25. rule_state
+4.25. rule_state
--------------
policies
-3.26. search_engine
+4.26. search_engine
--------------
* search_engine.qualified events: total qualified events
-3.27. side_channel
+4.27. side_channel
--------------
Peg counts:
-3.28. snort
+4.28. snort
--------------
* snort.attribute table hosts: total number of hosts in table
-3.29. suppress
+4.29. suppress
--------------
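Review bot: the 3.x to 4.x renumbering here, and the matching shifts through 17.x below, are the mechanical consequence of inserting the new Features chapter; check that the generated table of contents and every inline "see section N" reference were regenerated from the same source, since any stale number now points at the wrong chapter. The three `file_id` peg counts added under 4.10 match the three entries added to the Counts list in 17.10 (same names and descriptions), so those two additions are consistent.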
---------------------------------------------------------------------
-4. Codec Modules
+5. Codec Modules
---------------------------------------------------------------------
responses.
-4.1. arp
+5.1. arp
--------------
* 116:109 (arp) truncated ARP
-4.2. auth
+5.2. auth
--------------
* 116:466 (auth) bad authentication header length
-4.3. ciscometadata
+5.3. ciscometadata
--------------
* 116:471 (ciscometadata) invalid Cisco Metadata SGT
-4.4. erspan2
+5.4. erspan2
--------------
* 116:463 (erspan2) captured < ERSpan type2 header length
-4.5. erspan3
+5.5. erspan3
--------------
* 116:464 (erspan3) captured < ERSpan type3 header length
-4.6. esp
+5.6. esp
--------------
* 116:294 (esp) truncated encapsulated security payload header
-4.7. eth
+5.7. eth
--------------
* 116:424 (eth) truncated eth header
-4.8. fabricpath
+5.8. fabricpath
--------------
* 116:467 (fabricpath) truncated FabricPath header
-4.9. gre
+5.9. gre
--------------
* 116:165 (gre) GRE trans header length > payload length
-4.10. gtp
+5.10. gtp
--------------
* 116:298 (gtp) GTP header length is invalid
-4.11. icmp4
+5.11. icmp4
--------------
* icmp4.bad checksum: non-zero icmp checksums
-4.12. icmp6
+5.12. icmp6
--------------
* icmp6.bad checksum (ip6): nonzero ipcm6 checksums
-4.13. igmp
+5.13. igmp
--------------
* 116:455 (igmp) DOS IGMP IP options validation attempt
-4.14. ipv4
+5.14. ipv4
--------------
* ipv4.bad checksum: nonzero ip checksums
-4.15. ipv6
+5.15. ipv6
--------------
* 116:456 (ipv6) too many IP6 extension headers
-4.16. mpls
+5.16. mpls
--------------
* mpls.total bytes: total mpls labeled bytes processed
-4.17. pgm
+5.17. pgm
--------------
* 116:454 (pgm) BAD-TRAFFIC PGM nak list overflow attempt
-4.18. pppoe
+5.18. pppoe
--------------
* 116:120 (pppoe) bad PPPOE frame detected
-4.19. tcp
+5.19. tcp
--------------
* tcp.bad checksum (ip6): nonzero tcp over ipv6 checksums
-4.20. udp
+5.20. udp
--------------
* udp.bad checksum (ip6): nonzero udp over ipv6 checksums
-4.21. vlan
+5.21. vlan
--------------
---------------------------------------------------------------------
-5. Inspector Modules
+6. Inspector Modules
---------------------------------------------------------------------
protocols beyond basic decoding.
-5.1. appid
+6.1. appid
--------------
discovered by appid
-5.2. arp_spoof
+6.2. arp_spoof
--------------
* arp_spoof.packets: total packets
-5.3. back_orifice
+6.3. back_orifice
--------------
* back_orifice.packets: total packets
-5.4. binder
+6.4. binder
--------------
* binder.inspects: inspect bindings
-5.5. dce_smb
+6.5. dce_smb
--------------
* dce_smb.SMBv2 close: total number of SMBv2 close packets seen
-5.6. dce_tcp
+6.6. dce_tcp
--------------
* dce_tcp.tcp packets: total tcp packets
-5.7. dce_udp
+6.7. dce_udp
--------------
* dce_udp.Max seqnum: max connection-less seqnum
-5.8. dnp3
+6.8. dnp3
--------------
* dnp3.dnp3 application pdus: total dnp3 application pdus
-5.9. dns
+6.9. dns
--------------
* dns.responses: total dns responses
-5.10. file_log
+6.10. file_log
--------------
* file_log.total events: total file events
-5.11. ftp_client
+6.11. ftp_client
--------------
sequences on ftp control channel
-5.12. ftp_data
+6.12. ftp_data
--------------
* ftp_data.packets: total packets
-5.13. ftp_server
+6.13. ftp_server
--------------
* ftp_server.packets: total packets
-5.14. gtp_inspect
+6.14. gtp_inspect
--------------
* gtp_inspect.unknown infos: unknown information elements
-5.15. http_inspect
+6.15. http_inspect
--------------
* http_inspect.URI coding: URIs with character coding problems
-5.16. imap
+6.16. imap
--------------
* imap.non-encoded bytes: total non-encoded extracted bytes
-5.17. modbus
+6.17. modbus
--------------
* modbus.frames: total Modbus messages
-5.18. normalizer
+6.18. normalizer
--------------
* normalizer.test tcp block: test blocked segments
-5.19. packet_capture
+6.19. packet_capture
--------------
filter
-5.20. perf_monitor
+6.20. perf_monitor
--------------
* perf_monitor.packets: total packets
-5.21. pop
+6.21. pop
--------------
* pop.non-encoded bytes: total non-encoded extracted bytes
-5.22. port_scan
+6.22. port_scan
--------------
* 122:27 (port_scan) open port
-5.23. port_scan_global
+6.23. port_scan_global
--------------
* port_scan_global.packets: total packets
-5.24. reputation
+6.24. reputation
--------------
* reputation.memory_allocated: total memory allocated
-5.25. rpc_decode
+6.25. rpc_decode
--------------
* rpc_decode.packets: total packets
-5.26. sip
+6.26. sip
--------------
* sip.9xx: 9xx
-5.27. smtp
+6.27. smtp
--------------
* smtp.non-encoded bytes: total non-encoded extracted bytes
-5.28. ssh
+6.28. ssh
--------------
* ssh.packets: total packets
-5.29. ssl
+6.29. ssl
--------------
* ssl.detection disabled: total detection disabled
-5.30. stream
+6.30. stream
--------------
sync
-5.31. stream_file
+6.31. stream_file
--------------
* bool stream_file.upload = false: indicate file transfer direction
-5.32. stream_icmp
+6.32. stream_icmp
--------------
* stream_icmp.prunes: icmp session prunes
-5.33. stream_ip
+6.33. stream_ip
--------------
* stream_ip.fragmented bytes: total fragmented bytes
-5.34. stream_tcp
+6.34. stream_tcp
--------------
* stream_tcp.closing: number of sessions currently closing
-5.35. stream_udp
+6.35. stream_udp
--------------
* stream_udp.prunes: udp session prunes
-5.36. stream_user
+6.36. stream_user
--------------
1:86400 }
-5.37. telnet
+6.37. telnet
--------------
* telnet.packets: total packets
-5.38. wizard
+6.38. wizard
--------------
---------------------------------------------------------------------
-6. IPS Action Modules
+7. IPS Action Modules
---------------------------------------------------------------------
rule to parse.
-6.1. react
+7.1. react
--------------
body)
-6.2. reject
+7.2. reject
--------------
|all }
-6.3. rewrite
+7.3. rewrite
--------------
---------------------------------------------------------------------
-7. IPS Option Modules
+8. IPS Option Modules
---------------------------------------------------------------------
IPS options are the building blocks of IPS rules.
-7.1. ack
+8.1. ack
--------------
<max | >min
-7.2. appids
+8.2. appids
--------------
* string appids.~: appid option
-7.3. asn1
+8.3. asn1
--------------
* int asn1.relative_offset: relative offset from the cursor.
-7.4. base64_decode
+8.4. base64_decode
--------------
start of buffer.
-7.5. bufferlen
+8.5. bufferlen
--------------
* string bufferlen.~range: len | min<>max | <max | >min
-7.6. byte_extract
+8.6. byte_extract
--------------
* implied byte_extract.dec: convert from decimal string
-7.7. byte_jump
+8.7. byte_jump
--------------
* implied byte_jump.dec: convert from decimal string
-7.8. byte_test
+8.8. byte_test
--------------
* implied byte_test.dec: convert from decimal string
-7.9. classtype
+8.9. classtype
--------------
* string classtype.~: classification for this rule
-7.10. content
+8.10. content
--------------
from cursor
-7.11. cvs
+8.11. cvs
--------------
* implied cvs.invalid-entry: looks for an invalid Entry string
-7.12. dce_iface
+8.12. dce_iface
--------------
* implied dce_iface.any_frag: match on any fragment
-7.13. dce_opnum
+8.13. dce_opnum
--------------
list
-7.14. dce_stub_data
+8.14. dce_stub_data
--------------
Type: ips_option
-7.15. detection_filter
+8.15. detection_filter
--------------
1: }
-7.16. dnp3_data
+8.16. dnp3_data
--------------
Type: ips_option
-7.17. dnp3_func
+8.17. dnp3_func
--------------
* string dnp3_func.~: match dnp3 function code or name
-7.18. dnp3_ind
+8.18. dnp3_ind
--------------
* string dnp3_ind.~: match given dnp3 indicator flags
-7.19. dnp3_obj
+8.19. dnp3_obj
--------------
}
-7.20. dsize
+8.20. dsize
--------------
max | <max | >min
-7.21. file_data
+8.21. file_data
--------------
Type: ips_option
-7.22. file_type
+8.22. file_type
--------------
* string file_type.~: list of file type IDs to match
-7.23. flags
+8.23. flags
--------------
* string flags.~mask_flags: these flags are don’t cares
-7.24. flow
+8.24. flow
--------------
* implied flow.only_frag: match on defragmented packets only
-7.25. flowbits
+8.25. flowbits
--------------
* string flowbits.~arg2: group if arg1 is bits
-7.26. fragbits
+8.26. fragbits
--------------
* string fragbits.~flags: these flags are tested
-7.27. fragoffset
+8.27. fragoffset
--------------
value | min<>max | <max | >min
-7.28. gid
+8.28. gid
--------------
* int gid.~: generator id { 1: }
-7.29. gtp_info
+8.29. gtp_info
--------------
* string gtp_info.~: info element to match
-7.30. gtp_type
+8.30. gtp_type
--------------
* string gtp_type.~: list of types to match
-7.31. gtp_version
+8.31. gtp_version
--------------
* int gtp_version.~: version to match { 0:2 }
-7.32. http_client_body
+8.32. http_client_body
--------------
Type: ips_option
-7.33. http_cookie
+8.33. http_cookie
--------------
message trailers
-7.34. http_header
+8.34. http_header
--------------
message trailers
-7.35. http_method
+8.35. http_method
--------------
message trailers
-7.36. http_raw_cookie
+8.36. http_raw_cookie
--------------
HTTP message trailers
-7.37. http_raw_header
+8.37. http_raw_header
--------------
HTTP message trailers
-7.38. http_raw_request
+8.38. http_raw_request
--------------
HTTP message trailers
-7.39. http_raw_status
+8.39. http_raw_status
--------------
HTTP message trailers
-7.40. http_raw_trailer
+8.40. http_raw_trailer
--------------
HTTP response message body (must be combined with request)
-7.41. http_raw_uri
+8.41. http_raw_uri
--------------
URI only
-7.42. http_stat_code
+8.42. http_stat_code
--------------
HTTP message trailers
-7.43. http_stat_msg
+8.43. http_stat_msg
--------------
HTTP message trailers
-7.44. http_trailer
+8.44. http_trailer
--------------
message body (must be combined with request)
-7.45. http_uri
+8.45. http_uri
--------------
only
-7.46. http_version
+8.46. http_version
--------------
HTTP message trailers
-7.47. icmp_id
+8.47. icmp_id
--------------
>min
-7.48. icmp_seq
+8.48. icmp_seq
--------------
min<>max | <max | >min
-7.49. icode
+8.49. icode
--------------
| >min
-7.50. id
+8.50. id
--------------
min
-7.51. ip_proto
+8.51. ip_proto
--------------
* string ip_proto.~proto: [!|>|<] name or number
-7.52. ipopts
+8.52. ipopts
--------------
lsrre|ssrr|satid|any }
-7.53. isdataat
+8.53. isdataat
--------------
buffer
-7.54. itype
+8.54. itype
--------------
| >min
-7.55. md5
+8.55. md5
--------------
of buffer
-7.56. metadata
+8.56. metadata
--------------
* string metadata.*: additional parameters not used by snort
-7.57. modbus_data
+8.57. modbus_data
--------------
Type: ips_option
-7.58. modbus_func
+8.58. modbus_func
--------------
* string modbus_func.~: function code to match
-7.59. modbus_unit
+8.59. modbus_unit
--------------
* int modbus_unit.~: modbus unit ID { 0:255 }
-7.60. msg
+8.60. msg
--------------
* string msg.~: message describing rule
-7.61. pcre
+8.61. pcre
--------------
* string pcre.~re: Snort regular expression
-7.62. pkt_data
+8.62. pkt_data
--------------
Type: ips_option
-7.63. priority
+8.63. priority
--------------
1: }
-7.64. raw_data
+8.64. raw_data
--------------
Type: ips_option
-7.65. reference
+8.65. reference
--------------
* string reference.~id: reference id
-7.66. regex
+8.66. regex
--------------
instead of start of buffer
-7.67. rem
+8.67. rem
--------------
* string rem.~: comment
-7.68. replace
+8.68. replace
--------------
* string replace.~: byte code to replace with
-7.69. rev
+8.69. rev
--------------
* int rev.~: revision { 1: }
-7.70. rpc
+8.70. rpc
--------------
* int rpc.proc: procedure number or * for any
-7.71. sd_pattern
+8.71. sd_pattern
--------------
* sd_pattern.terminated: hyperscan terminated
-7.72. seq
+8.72. seq
--------------
min<>max | <max | >min
-7.73. session
+8.73. session
--------------
* enum session.~mode: output format { printable|binary|all }
-7.74. sha256
+8.74. sha256
--------------
start of buffer
-7.75. sha512
+8.75. sha512
--------------
start of buffer
-7.76. sid
+8.76. sid
--------------
* int sid.~: signature id { 1: }
-7.77. sip_body
+8.77. sip_body
--------------
Type: ips_option
-7.78. sip_header
+8.78. sip_header
--------------
Type: ips_option
-7.79. sip_method
+8.79. sip_method
--------------
* string sip_method.*method: sip method
-7.80. sip_stat_code
+8.80. sip_stat_code
--------------
* int sip_stat_code.*code: stat code { 1:999 }
-7.81. so
+8.81. so
--------------
* string so.~func: name of eval function
-7.82. soid
+8.82. soid
--------------
* string soid.~: SO rule ID has <gid>|<sid> format, like 3|12345
-7.83. ssl_state
+8.83. ssl_state
--------------
unknown
-7.84. ssl_version
+8.84. ssl_version
--------------
tls1.2
-7.85. stream_reassemble
+8.85. stream_reassemble
--------------
remainder of the session
-7.86. stream_size
+8.86. stream_size
--------------
direction(s) { either|to_server|to_client|both }
-7.87. tag
+8.87. tag
--------------
* int tag.bytes: tag for this many bytes { 1: }
-7.88. tos
+8.88. tos
--------------
<max | >min
-7.89. ttl
+8.89. ttl
--------------
max | <max | >min
-7.90. window
+8.90. window
--------------
---------------------------------------------------------------------
-8. Search Engine Modules
+9. Search Engine Modules
---------------------------------------------------------------------
---------------------------------------------------------------------
-9. SO Rule Modules
+10. SO Rule Modules
---------------------------------------------------------------------
---------------------------------------------------------------------
-10. Logger Modules
+11. Logger Modules
---------------------------------------------------------------------
All output of events and packets is done by Loggers.
-10.1. alert_csv
+11.1. alert_csv
--------------
* enum alert_csv.units = B: bytes | KB | MB | GB { B | K | M | G }
-10.2. alert_fast
+11.2. alert_fast
--------------
* enum alert_fast.units = B: bytes | KB | MB | GB { B | K | M | G }
-10.3. alert_full
+11.3. alert_full
--------------
K | M | G }
-10.4. alert_sfsocket
+11.4. alert_sfsocket
--------------
* int alert_sfsocket.rules[].sid = 1: rule signature ID { 1: }
-10.5. alert_syslog
+11.5. alert_syslog
--------------
cons | ndelay | perror | pid }
-10.6. log_codecs
+11.6. log_codecs
--------------
* bool log_codecs.msg = false: include alert msg
-10.7. log_hext
+11.7. log_hext
--------------
* int log_hext.width = 20: set line width (0 is unlimited) { 0: }
-10.8. log_pcap
+11.8. log_pcap
--------------
* enum log_pcap.units = B: bytes | KB | MB | GB { B | K | M | G }
-10.9. unified2
+11.9. unified2
--------------
---------------------------------------------------------------------
-11. DAQ Modules
+12. DAQ Modules
---------------------------------------------------------------------
DAQ modules. There are also 3rd DAQ modules available.
-11.1. Building the DAQ Library and DAQ Modules
+12.1. Building the DAQ Library and DAQ Modules
--------------
./configure --help
-11.2. PCAP Module
+12.2. PCAP Module
--------------
* The pcap DAQ does not count filtered packets. *
-11.3. AFPACKET Module
+12.3. AFPACKET Module
--------------
PACKET_TX_RING support.
-11.4. NFQ Module
+12.4. NFQ Module
--------------
Notes on iptables are given below.
-11.5. IPQ Module
+12.5. IPQ Module
--------------
Notes on iptables are given below.
-11.6. IPFW Module
+12.6. IPFW Module
--------------
Notes on FreeBSD and OpenBSD are given below.
-11.7. Dump Module
+12.7. Dump Module
--------------
./snort -i <device> -Q --daq dump --daq-var load-mode=passive
-11.8. Netmap Module
+12.8. Netmap Module
--------------
function (ifconfig em1 up promisc). The DAQ module does not currently
do either of these configuration steps for itself.
-11.8.1. FreeBSD
+12.8.1. FreeBSD
In FreeBSD 10.0, netmap has been integrated into the core OS. In
order to use it, you must recompile your kernel with the line
added to your kernel config.
-11.8.2. Linux
+12.8.2. Linux
You will need to download the netmap source code from the project’s
repository:
* Support for VALE and netmap pipes.
-11.9. Notes on iptables
+12.9. Notes on iptables
--------------
defrags the packets before queuing. Also, no need to configure frag3.
-11.10. Notes on FreeBSD::IPFW
+12.10. Notes on FreeBSD::IPFW
--------------
${fwcmd} add divert 8000 all from any to any in via ${oif}
-11.11. Notes on OpenBSD::IPFW
+12.11. Notes on OpenBSD::IPFW
--------------
+ Note that on OpenBSD, divert sockets don’t work with bridges!
-11.12. Socket Module
+12.12. Socket Module
--------------
* This module is primarily for development and test.
-11.13. File Module
+12.13. File Module
--------------
* This module is primarily for development and test.
-11.14. Hext Module
+12.14. Hext Module
--------------
---------------------------------------------------------------------
-12. Snort++ vs Snort
+13. Snort++ vs Snort
---------------------------------------------------------------------
* all Snort config options are grouped into Snort++ modules
-12.1. Build Options
+13.1. Build Options
--------------
* hardened --enable-inline-init-failopen / INLINE_FAILOPEN
-12.2. Command Line
+13.2. Command Line
--------------
* -T is assumed if no input given
* added --help-config prefix to dump all matching settings
* added --script-path
- * added -K text; -K text/pcap is old dump/log mode
+ * added -L none|dump|pcap
* added -z <#> and --max-packet-threads <#>
* delete --enable-mpls-multicast, --enable-mpls-overlapping-ip,
--max-mpls-labelchain-len, --mpls-payload-type
* removed -b, -N, -Z and, --perfmon-file options
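Review bot: replacing "-K text; -K text/pcap is old dump/log mode" with "added -L none|dump|pcap" drops the one piece of information a Snort 2 user needs from this list, namely which old mode each -L value replaces. Keep the mapping (old -K text is -L dump, old -K pcap is -L pcap, i.e. dump and log mode respectively), and since the default is changed to -L none in the Output list below, say so here too so a migrating user understands why packet logs stopped appearing.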
-12.3. Conf File
+13.3. Conf File
--------------
active.max_responses, min_interval
-12.4. Rules
+13.4. Rules
--------------
* #begin … #end comments
-12.5. Output
+13.5. Output
--------------
* alert_fast includes packet data by default
* all text mode outputs default to stdout
- * changed default logging mode to -K none
+ * changed default logging mode to -L none
* deleted layer2resets and flexresp2_*
* deleted log_ascii
* general output guideline: don’t print zero counts
* alert_unified2 and log_unified2 have been deleted
-12.6. HTTP Profiles
+13.6. HTTP Profiles
--------------
---------------------------------------------------------------------
-13. Snort2Lua
+14. Snort2Lua
---------------------------------------------------------------------
capability and then printed as a comment in the rule file.
-13.1. Snort2Lua Command Line
+14.1. Snort2Lua Command Line
--------------
actually output a valid Snort3.0 configuration. Instead, you can see
the exact options from the input configuration that have changed.
-13.1.1. Usage: snort2lua [OPTIONS]… -c <snort_conf> …
+14.1.1. Usage: snort2lua [OPTIONS]… -c <snort_conf> …
Converts the Snort configuration file specified by the -c or
--conf-file options into a Snort++ configuration file
-13.1.1.1. Options:
+14.1.1.1. Options:
* -? show usage
* -h this overview of snort2lua
<include_file>'s rules to <rule_file>.
* --version Same as -V. Print the current Snort2Lua version
-13.1.1.2. Required option:
+14.1.1.2. Required option:
* A Snort configuration file to convert. Set with either -c or
--conf-file
-13.1.1.3. Default values:
+14.1.1.3. Default values:
* <out_file> = snort.lua
* <rule_file> = <out_file> = snort.lua. Rules are written to the
mode.
-13.2. Known Problems
+14.2. Known Problems
--------------
numbers will eventually be combined into one output.
-13.3. Usage
+14.3. Usage
--------------
---------------------------------------------------------------------
-14. Extending Snort++
+15. Extending Snort++
---------------------------------------------------------------------
-14.1. Plugins
+15.1. Plugins
--------------
roles.
-14.2. Modules
+15.2. Modules
--------------
(Multiple instances require Snort++ binding configuration.)
-14.3. Inspectors
+15.3. Inspectors
--------------
perf_monitor, port_scan)
-14.4. Codecs
+15.4. Codecs
--------------
running Snort3.0.
-14.5. IPS Actions
+15.5. IPS Actions
--------------
associated plugin function.)
-14.6. Developers Guide
+15.6. Developers Guide
--------------
guide to the source tree.
-14.7. Piglet Test Harness
+15.7. Piglet Test Harness
--------------
results of each test script.
-14.8. Piglet Lua API
+15.8. Piglet Lua API
--------------
keep the mappings consist, but there are still some differences. They
are documented below.
-14.8.1. Plugin Instances
+15.8.1. Plugin Instances
For each test, piglet instantiates plugin specified in the name field
of the plugin table. The virtual methods of the instance are exposed
Currently, SoRule does not expose any methods.
-14.8.1.1. Interface Objects
+15.8.1.1. Interface Objects
Many of the plugins take C++ classes and structs as arguments. These
objects are exposed to the Lua API as Lua userdata. Exposed objects
---------------------------------------------------------------------
-15. Coding Style
+16. Coding Style
---------------------------------------------------------------------
with.
-15.1. General
+16.1. General
--------------
subdirectory.
-15.2. C++ Specific
+16.2. C++ Specific
--------------
all includes have been declared.
-15.3. Naming
+16.3. Naming
--------------
* Use lower case filenames with underscores.
-15.4. Comments
+16.4. Comments
--------------
going on.
-15.5. Logging
+16.5. Logging
--------------
about the problem already w/o you shouting at him.
-15.6. Types
+16.6. Types
--------------
code is not updated if new errors are added.
-15.7. Macros (aka defines)
+16.7. Macros (aka defines)
--------------
if-else type surprises.
-15.8. Formatting
+16.8. Formatting
--------------
foo();
-15.9. Headers
+16.9. Headers
--------------
scoped.
-15.10. Warnings
+16.10. Warnings
--------------
* Then Fix All Warnings and Aborts. None Allowed.
-15.11. Uncrustify
+16.11. Uncrustify
--------------
---------------------------------------------------------------------
-16. Reference
+17. Reference
---------------------------------------------------------------------
-16.1. Terminology
+17.1. Terminology
--------------
binding. See hex and spell.
-16.2. Usage
+17.2. Usage
--------------
the Snort++ install directory. Additionally, it is assumed that
"$my_path/bin" is in your PATH.
-16.2.1. Environment
+17.2.1. Environment
LUA_PATH is used directly by Lua to load and run required libraries.
SNORT_LUA_PATH is used by Snort to load supplemental configuration
export LUA_PATH=$my_path/include/snort/lua/\?.lua\;\;
export SNORT_LUA_PATH=$my_path/etc/snort
-16.2.2. Help
+17.2.2. Help
Print the help summary:
Snort++ stops reading command-line options after the "--help-" and
"--list-" options, so any other options should be placed before them.
-16.2.3. Sniffing and Logging
+17.2.3. Sniffing and Logging
Read a pcap:
snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap' -L dump -l /path/to/log/dir
-16.2.4. Configuration
+17.2.4. Configuration
Validate a configuration file:
snort --script-path /path/to/script/dir
-16.2.5. IDS mode
+17.2.5. IDS mode
Run Snort++ in IDS mode, reading packets from a pcap:
-A cmg
-16.3. Plugins
+17.3. Plugins
--------------
END
-16.4. Output Files
+17.4. Output Files
--------------
based on module name that writes the file. All text mode outputs
default to stdout. These options can be combined.
-16.4.1. DAQ Alternatives
+17.4.1. DAQ Alternatives
Process hext packets from stdin:
snort -c $my_path/etc/snort/snort.lua \
--daq-dir $my_path/lib/snort/daqs --daq socket
-16.4.2. Logger Alternatives
+17.4.2. Logger Alternatives
Dump TCP stream payload in hext mode:
snort -c $my_path/etc/snort/snort.lua \
--lua "alert_csv = { fields = 'pkt_num gid sid rev', separator = '\t' }"
-16.4.3. Shell
+17.4.3. Shell
You must build with --enable-shell to make the command line shell
available.
The command line interface is still under development. Suggestions
are welcome.
-16.4.4. Signals
+17.4.4. Signals
Note
The available signals may vary from platform to platform.
-16.5. Optional Features
+17.5. Build Options
--------------
-The features listed below must be explicitly enabled so they are
-built into the Snort binary. For a full list of build features, run .
-/configure --help.
+The options listed below must be explicitly enabled so they are built
+into the Snort binary. For a full list of build options, run ./
+configure --help.
* --enable-shell: enable building local and remote command line
shell support.
-These features are built only if the required libraries and headers
+These options are built only if the required libraries and headers
are present. There is no need to explicitly enable.
* lzma: for decompression of SWF and PDF files.
libraries see the Getting Started section of the manual.
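Review bot: renaming 17.5 from "Optional Features" to "Build Options" gives the manual two sections with that exact title (13.1 under "Snort++ vs Snort" and this one), so any reference to "the Build Options section" is now ambiguous; either merge them or qualify this one (e.g. "Build Options Reference"). The new text also wraps "./configure --help" as "./" at the end of one line and "configure --help" at the start of the next, the same kind of split the old text had ("." / "/configure"); keep the command on one line so it reads and copies correctly.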
-16.6. Environment Variables
+17.6. Environment Variables
--------------
be added to the manuals.
-16.7. Command Line Options
+17.7. Command Line Options
--------------
the system; default is 1 (0:)
-16.8. Parameters
+17.8. Parameters
--------------
ID values.
-16.9. Configuration
+17.9. Configuration
--------------
wild cards (*)
-16.10. Counts
+17.10. Counts
--------------
* dns.requests: total dns requests
* dns.responses: total dns responses
* file_connector.messages: total messages
+ * file_id.cache_failures: number of file cache add failures
+ * file_id.total_file_data: number of file data bytes processed
+ * file_id.total_files: number of files processed
* file_log.total events: total file events
* ftp_data.packets: total packets
* ftp_server.packets: total packets
* wizard.user scans: user payload scans
-16.11. Generators
+17.11. Generators
--------------
* 145: dnp3
-16.12. Builtin Rules
+17.12. Builtin Rules
--------------
function code.
-16.13. Command Set
+17.13. Command Set
--------------
* snort.show_plugins(): show available plugins
-16.14. Signals
+17.14. Signals
--------------
* term(15): shutdown normally
-16.15. Configuration Changes
+17.15. Configuration Changes
--------------
deleted -> unified2: 'filename'
-16.16. Module Listing
+17.16. Module Listing
--------------
* wizard (inspector): inspector that implements port-independent
protocol identification :leveloffset: 0
-16.16.1. Plugin Listing
+17.16.1. Plugin Listing
* codec::arp: support for address resolution protocol
* codec::auth: support for IP authentication header