The Snort Team
Revision History
-Revision 3.1.40.0 2022-08-25 09:57:58 EDT TST
+Revision 3.1.41.0 2022-09-08 16:40:05 EDT TST
---------------------------------------------------------------------
The sd_pattern IPS option provides detection and filtering of
Personally Identifiable Information (PII). This information includes
-credit card numbers, U.S. Social Security numbers, and email
-addresses. A rich regular expression syntax is available for defining
-your own PII.
+credit card numbers, U.S. Social Security numbers, phone numbers, and
+email addresses. A rich regular expression syntax is available for
+defining your own PII.
5.17.1. Hyperscan
5.17.2.1. Pattern
Pattern is the most important and is the only required parameter to
-sd_pattern. It supports 3 built in patterns which are configured by
-name: "credit_card", "us_social" and "us_social_nodashes", as well as
-user defined regular expressions of the Hyperscan dialect (see https:
-//intel.github.io/hyperscan/dev-reference/compilation.html#
-pattern-support).
+sd_pattern. It supports 5 built-in patterns which are configured by
+name: "credit_card", "us_social", "us_social_nodashes", "email", and
+"us_phone" as well as user defined regular expressions of the
+Hyperscan dialect (see https://intel.github.io/hyperscan/
+dev-reference/compilation.html#pattern-support).
sd_pattern:"credit_card";
When configured, Snort will replace the pattern credit_card with the
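Review bot: in the rewritten enumeration ending `"us_phone" as well as user defined regular expressions of the`, a comma is missing before "as well as", and "user defined" should become "user-defined" to match the "built-in" hyphenation this change introduces throughout the section. Consider also reading the whole list once more: it now names five built-ins, so the later per-pattern paragraphs should each state whether any validation beyond the regex is performed, since only credit_card and us_social currently say so.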
-built in pattern. In addition to pattern matching, Snort will
+built-in pattern. In addition to pattern matching, Snort will
validate that the matched digits will pass the Luhn-check algorithm.
-Currently the only pattern that performs extra verification.
sd_pattern:"us_social";
sd_pattern:"us_social_nodashes";
-These special patterns will also be replaced with a built in pattern.
+These special patterns will also be replaced with a built-in pattern.
Naturally, "us_social" is a pattern of 9 digits separated by -'s in
-the canonical form.
+the canonical form. For this pattern, some validation of compliance
+with the Social Security Numbers randomization rules is also
+performed.
+
+sd_pattern:"email";
+
+This pattern will be replaced with a built-in pattern created to
+match email. The regex implements the “preferred” syntax from RFC
+1035 which is one of the recommendations in RFC 5322.
+
+sd_pattern:"us_phone";
+
+This pattern will match U.S. phone numbers in different formats with
+or without country code.
sd_pattern:"\b\w+@ourdomain\.com\b"
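Review bot: three wording problems in the added pattern descriptions. First, "For this pattern, some validation of compliance with the Social Security Numbers randomization rules is also performed" is ambiguous about whether it covers us_social_nodashes too (it follows a sentence about "us_social" alone) and "some validation" does not tell the user which rules are checked; name the checks so a user can predict which candidate numbers will not alert. Second, the "preferred" syntax of RFC 1035 defines domain names, so "The regex implements the “preferred” syntax from RFC 1035" should say it constrains the domain part of the address and state what the local part accepts; the curly quotes around preferred should also be straight quotes like the rest of the document. Third, "U.S. phone numbers in different formats with or without country code" leaves the accepted formats unspecified; list the separators and country-code forms the regex matches, and say explicitly whether us_phone performs any validation beyond the regex, as the credit_card and us_social paragraphs above now do.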
5.17.2.2. Threshold
-Threshold is an optional parameter allowing you to change built in
+Threshold is an optional parameter allowing you to change built-in
default value (default value is 1). The following two instances are
identical. The first will assume the default value of 1 the second
declaration explicitly sets the threshold to 1.
literal" to qualify as a positive match. That is, if the string only
occurred 299 times in a packet, you will not see an event.
-5.17.2.3. Obfuscating Credit Cards and Social Security Numbers
+5.17.2.3. Obfuscating built-in patterns
-Snort provides discreet logging for the built in patterns
-"credit_card", "us_social" and "us_social_nodashes". Enabling
-ips.obfuscate_pii makes Snort obfuscate the suspect packet payload
-which was matched by the patterns. This configuration is disabled by
-default.
+Snort provides discreet logging for the built-in patterns
+"credit_card", "us_social", "us_social_nodashes", "us_phone" and
+"email". Enabling ips.obfuscate_pii makes Snort obfuscate the suspect
+packet payload which was matched by the patterns. This configuration
+is disabled by default.
ips =
{
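Review bot: the new heading "5.17.2.3. Obfuscating built-in patterns" breaks the title-case convention of the sibling headings ("Pattern", "Threshold", and the original "Obfuscating Credit Cards and Social Security Numbers"); suggest "Obfuscating Built-in Patterns".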
2. Log obfuscation is only applicable to CMG and Unified2 logging
formats.
3. Log obfuscation doesn’t support user defined PII patterns. It is
- currently only supported for the built in patterns for Credit
- Cards and US Social Security numbers.
+ currently only supported for the built-in patterns for Credit
+ Cards and U.S. Social Security numbers.
4. Log obfuscation doesn’t work with stream rebuilt packet payloads.
(This is a known bug).
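Review bot: the limitation note "currently only supported for the built-in patterns for Credit Cards and U.S. Social Security numbers" now contradicts the rewritten paragraph above, which says obfuscation covers "credit_card", "us_social", "us_social_nodashes", "us_phone" and "email". One of the two is wrong; if obfuscation really applies to all five built-ins, rewrite the note to say it is only unsupported for user-defined patterns (for example: "It is currently only supported for the built-in patterns, not for user-defined regular expressions."), otherwise drop "us_phone" and "email" from the list above.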