-20/02/21 - build 268
+2020/03/12 - build 269
+
+-- active: Add ability to inject resets and payload via IOCTLs
+-- appid: Add support for third-party reload on midstream session
+-- appid: detect apps using x-working-with http field in response header
+-- appid: Enhance ssl appid lookup api to store SNI and CN provided by SSL for app detection
+-- appid: fix thread-safety issues in mdns detector
+-- appid: handle CERTIFICATE STATUS handshake type in SSL detector
+-- appid: move client/service pattern detectors and service discovery manager to odp context
+-- appid: Support third-party reload when snort is running with multiple packet threads
+-- base64_decode: use standard detection context data buffer
+-- build: fix build on big-endian systems
+-- build: Fix LibUUID detection on OS X
+-- build: Fix various build issues on FreeBSD and OS X
+-- build: refactor trace logs
+-- build: tweak includes
+-- build: use const and auto references where possible
+-- byte_math: Snort2 bug fix port of integer over and under flow detection
+-- classifications: update implementation with unordered map
+-- classifications: use consistent variable names
+-- cmake: Fix building without lzma library
+-- detection: added support for trace config option to take a list of strings with verbosity level
+ instead of bitmask
+-- detection: refactoring updates to detection, moved DetectionModule into a separate file
+-- flow: added initiator bytes/packets onto flow
+-- flow: Add missing time.h include for struct timeval
+-- flow: free the flow data before deleting the actual flow
+-- flow: turn off deferred whitelist on DONE if no whitelist was seen
+-- flow_cache: fix memory deallocation bug due to inverted return value from hash release node
+-- framework: add generic conversion of trace strings to bitmaks
+-- ftp: Whitelist ftp session after max sig depth reached
+-- ghash: fix thread race condition with GHash member variables when a GHash instance is global
+-- hash: add unit tests for new HashLruCache class
+-- hash: delete unused sfmemcap.[h|cc] and remove unnecessary includes
+-- http2_inspect: abort for nhi errors
+-- http2_inspect: send data frames to http - full frames only in a single flush
+-- http_inspect: change http_uri to only include path and query for absolute and absolute path uris
+-- http_inspect: improve precautions for stream interactions
+-- http_inspect: Properly mock HttpModule::peg_counts in http_transaction_test
+-- main: do FileService::post_init after inspectors are configured
+-- parser: remove legacy parsing code
+-- plugin_manager: add support for reload so_rule plugins
+-- pub_sub: add http2 info to http pub messages
+-- reference: update implementation with unordered map
+-- reload: add description of reload error to the response message of the reload_config command
+-- reputation: remove reputation monitor flag from packet, track verdict on flow
+-- rules: add constructors for references and classifications
+-- rules: fix warnings and startup counts for duplicates
+-- rules: remove cruft
+-- rules: simplify implementation of services, classifications, and references by using std::string
+-- rules: update --gen-msg-map to include all configured rules with references
+-- service_inspectors: added counters to track total number of data bytes processed in SMTP, POP,
+ SSH and FTP
+-- service: update implementation to vector
+-- sfdaq: convert parsing related error messages in DAQ init to ParseErrors
+-- sfdaq: Made get_stats public for plugins
+-- smb: Fix malware over size 131kb not being detected in SMBv2/SMBv3
+-- snort_config: footprint REG_TEST, no check for stream inspector add/rm, etc.
+-- stats: update shutdown timing stats
+-- stream: Addressing inconsistent stream stats and some data races
+-- stream_ip: added counters to track total number of data bytes processed
+-- stream_tcp: no_ack applies only to ips mode
+-- stream_udp: added counters to track total number of data bytes processed
+-- style: remove tabs and too long lines
+-- utils: add unit tests for MemCapAllocator class
+-- utils: create memory allocation class based on sfmemcap functionality
+-- utils: handle out-of-range time
+-- xhash: refactor XHash and HashFnc to eliminate c-style callbacks and simplify ctor options
+-- xhash: rename hashfcn.[cc|h] to hash_keys.[cc|h]
+-- xhash/zhash: refactor duplicated code into a common base class, xhash/zhash will subclass this
+ new base class
+-- zhash: make zhash a subclass of xhash, eliminate duplicate code
+-- zhash: refactor to use hash_lru_cache and hash_key_operations classes
+
+2020/02/21 - build 268
-- appid: Adding support for appid detection on decrypted SSL sessions
-- appid: Adding support for wildcard ports in static host port cache
-- tweaks: update per new normalizer defaults
-- tweaks: update policy configs to better align with Snort 2
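Review bot: typo in the new build 269 entry `-- framework: add generic conversion of trace strings to bitmaks`: `bitmaks` should read `bitmasks`. While these lines are being added, the byte_math entry `Snort2 bug fix port of integer over and under flow detection` would read more naturally as `integer overflow and underflow detection`, matching the wording already used in the build 262 entry (`prevent integer overflow/underflow when reading BER elements`).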
-19/12/20 - build 267
+2019/12/20 - build 267
-- appid: Adding command for third-party reload
-- appid: cleanup unused code
-- time: Convert periodic and stopwatch unit tests to standalone Catch
-- utils: Convert bitop unit tests to standalone Catch
-19/12/04 - build 266
+2019/12/04 - build 266
-- appid: Add new pattern to pop3, don't concatenate ssl certs, use openssl-1.1 compliant APIs
-- appid: Enabling host cache for unknown SSL flows
the stream tcp code into one component (libtcp goes away)
-- stream_tcp: Updates from PR review comments
-19/11/22 - build 265
+2019/11/22 - build 265
-- analyzer_command: support resource tuning on reload
-- appid: Adding Lua-C API to handle midstream traffic
-- stream_tcp: fix state machine instantiation
-- wizard: handle NBSS startup in dce_smb_curse
-19/11/06 - build 264
+2019/11/06 - build 264
-- appid: Handle DNS responses with compression pointers at last record
-- dce_smb: deprecate config for smb_file_inspection, use smb_file_depth only
needed when the stream 'max_flows' configuration option changes
-- telnet: fix check_encrypted help string
-19/10/31 - build 263
+2019/10/31 - build 263
-- appid: for ssl sessions, set payload id to unknown after ssl handshake is done if the payload id
was not not found
-- stream_tcp: fix stability issues
-- stream_tcp: If no-ack is on, rewrite ACK value to be the expected ACK.
-19/10/09 - build 262
+2019/10/09 - build 262
-- analyzer: move setting pkth to nullptr to after publishing finalize event
-- analyzer: publish other message event for unknown DAQ messages
-- unit-tests: fix compiler warnings that snuck into CppUTest unit tests
-- utils: prevent integer overflow/underflow when reading BER elements
-19/09/12 - build 261
+2019/09/12 - build 261
-- analyzer: Process retry queue and onloads when no DAQ messages are received
-- appid: Enabled API for SSL to lookup appid
-- stream: fix problem with accelerated blocking partial inspection
-- style: update link for google c++ style guide
-19/08/28 - build 260
+2019/08/28 - build 260
-- appid: handle 'change cipher spec' in 'server hello' to allow some app detection for tls 1.3
traffic
-- rna: Support for rna unified2 logging
-- stream_tcp: clear consecutive small segs count upon non-small segs only
-19/08/21 - build 259
+2019/08/21 - build 259
-- analyzer_command: Import into snort namespace and add the ability to retrieve the DAQ instance
from an Analyzer
-- wizard: Avoid host cache service insertion since we are using flow service
-- xhash: Ported sfxhash_change_memcap() from snort2 to snort3
-19/07/17 - build 258
+2019/07/17 - build 258
-- analyzer: 1024 contexts max is a better default until configurable
-- appid: fix header order in appid_session
-- stream_tcp: fix non-deep detect profile exclusion
-- talos.lua: various fixes for command line usage
-19/06/19 - build 257
+2019/06/19 - build 257
-- analyzer: publish finalize packet event before calling finalize_message.
-- appid: Protocol based detection for non-TCP non-UDP traffic.
-- stream: Do not validate timestamp until peer timestamp is set
-- stream_ip: Checking null inspector while updating session
-19/05/22 - build 256
+2019/05/22 - build 256
-- DAQng: Port Snort and its DAQ modules to DAQ3
- Massive refactoring of the Analyzer thread
-- snort2lua: Remove sticky buffer duplicates
-- stream: disable inspection of flow on reset
-19/05/03 - build 255
+2019/05/03 - build 255
-- ips: add includer for better relative path support
-- module_manager: Fix potential null deref in module parameter dumping
-19/04/26 - build 254
+2019/04/26 - build 254
-- analyzer: Print pause indicator from analyzer threads
-- appid: remove inspector reference from detectors
-- stream_tcp: Try to work with a cleaner Packet when purging at shutdown
-- test: remove cruft
-19/04/17 - build 253
+2019/04/17 - build 253
-- build: delete unused code called out by cppcheck
-- doc: remove mention of obsolete LUA_PATH, SNORT_LUA_PATH, and required snort_config library
-- parser: update include file handling
-- parser: fix defaults for alerts.order and network.checksum_eval
-19/04/10 - build 252
+2019/04/10 - build 252
-- appid: Fix NetworkSet compilation on big-endian systems
-- appid: Reduce variable scope in service_mdns
-- stream_tcp: Fix shadowed variable when profiling deeply
-- u2spewfoo: update due to re-ording of retry action.
-19/03/31 - build 251
+2019/03/31 - build 251
-- ActionManager: actions are tracked per packet for accurate packet suspension
-- DetectionEngine: make onload safe for reentrance
-- stream_udp: ensure all flows are cleared fully
-- time: Adding timersub_ms function to return timersub in milliseconds
-18/12/06 - build 250
+2018/12/06 - build 250
-- actions: Fix incorrect order of IPS reject unreachable codes and adding forward option
-- active: added peg count for injects
-- tools: Install appid-detector-builder.sh with the other tools;
thanks to Jonathan McDowell <noodles-github@earth.li> for reporting the issue
-18/11/07 - build 249
+2018/11/07 - build 249
-- appid: Fixing profiler data race and registration issues
-- appid: make third party appid stats configurable
-- thread_idle: call timeout flows with packet time for pcap replay
-- utils: fixed deprecation build warning on register keyword
-18/09/26 - build 248
+2018/09/26 - build 248
-- appid: adding detector builder and fixing stats to recognize custom appid
thanks to Wang Jun <traceflight@outlook.com> for reporting the issue
-- reputation: early return on parsing error causing uninitialized id
-- reputation: fix SI doesn't block traffic if Any Zone is specified
-18/08/27 - build 247 - Beta
+2018/08/27 - build 247 - Beta
-- appid: change map to unordered map
-- appid: declare SMTPS early in STARTTLS state on success response code
-- stream_tcp: avoid duplicating split sement data
-- build: removing use of u_char and u_short macros (github #53)
-18/08/13 - build 246
+2018/08/13 - build 246
-- active: Add an upper limit of 255 to min_interval
-- appid: Avoid snort crash upon lua file errors
-- stream_tcp: back out fin handling changes for bug not relevant to snort3
-- tcp_connector_test: fixed version-sensitive build problem
-18/05/21 - build 245
+2018/05/21 - build 245
-- CodecManager: removed unused code
-- DataBus: fixed creating DataHandler when one doesn't exist
-- wizard: Fix UBSAN out-of-bounds access runtime error
-- zhash: cleanup cruftiness
-18/03/15 - build 244
+2018/03/15 - build 244
-- appid: unit-tests for http detector plugins
-- build: address compiler warnings, spell check and static analyzer issues
-- snort: wrap SO_PUBLIC APIs (classes, functions exported public from snort) in the 'snort'
namespace
-18/02/12 - build 243
+2018/02/12 - build 243
-- build: enable gdb debugging info by default
-- build: fix cppcheck warnings
when service groups are present
-- wizard: count user scans and hits separate from tcp
-18/01/29 - build 242
+2018/01/29 - build 242
-- build: add STATIC to add_library call of port_scan to build it statically
otherwise link will fail (Makefile.am already build only the static version)
-- unit tests: added ability to run Catch tests from dynamic modules
-- utils, flatbuffers: added a uniform interface for 64-bit endian swaps
-17/12/15 - build 241
+2017/12/15 - build 241
-- add back the ref count for file config
-- alert_csv: various fixes to match alert_json
-- wizard: activate profiler support
-- wizard: usage is inspect
-17/10/31 - build 240
+2017/10/31 - build 240
-- active: fix packet modify vs resize handling
-- alert_csv: rename dgm_len to pkt_len
-- unified2: log buffers as cooked packets with legacy events
-- wscale: add extra rule option to check tcp window scaling
-17/07/25 - build 239
+2017/07/25 - build 239
-- rules: remove sample.rules; Talos will publish Snort 3 rules on snort.org
-- logging: fix handling of out of range timeval
-- wizard: fix direction issue
-- wizard: fix imap spell
-17/07/24 - build 238
+2017/07/24 - build 238
-- check: update hyperscan and regex tests
-- cpputests: clean up some header include issues
-- u2: remove obsolete configurations
-- u2: support mixed IP versions
-17/07/13 - build 237
+2017/07/13 - build 237
-- build: add support for appending EXTRABUILD to the BUILD string
-- build: Clean up some ICC 2017 warnings
-- snort2lua: fix heap-use-after-free for preprocessors and configs with no arguments
-- snort2lua: update for port_scan
-17/06/15 - build 236
+2017/06/15 - build 236
-- appid: clean up shutdown stats
-- appid: fix memory leak
-- ssl: use stop-and-wait splitter (protocol aware splitter is next)
-- stream_ip: fix 123:7
-17/06/01 - build 235
+2017/06/01 - build 235
-- http_inspect: improve handling of improper bare \r separator
-- appid: fix bug where TNS detector corrupted the flow data object
-- doc: update differences section
-- doc: update README
-17/05/21 - build 234
+2017/05/21 - build 234
-- byte_math: port rule option from 2X and add feature documentation
-- pgm: don't calculate checksum if header length is not divisible by 4
-- cmg: revamp hex buffer dump format with 16 or 20 bytes per line
-- rules: reject positional parameters containing spaces
-17/05/11 - build 233
+2017/05/11 - build 233
-- packet manager: ensure ether type proto ids don't masquerade as ip proto ids
thanks to Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de> for reporting the issue
-- cleanup: fix typos in source code string literals and comments
-- doc: fix typos
-17/04/28 - build 232
+2017/04/28 - build 232
-- build: clean up Intel compiler warnings and remarks
-- build: fix FreeBSD compilation issues
-- flatbuffers: add version to banner if present
-- loggers: build alert_sf_socket on all platforms
-17/04/07 - build 231
+2017/04/07 - build 231
-- add decode of MPLS in IP
-- add 116:171 and 116:173 cases (label 0 or 2 in non-bottom of stack)
-- cleanup: remove dead code
-17/03/27 - build 230
+2017/03/27 - build 230
-- require hyperscan >= 4.4.0, check runtime support
thanks to justin.viiret@intel.com for submitting the patch
-- add regex.fast_pattern; do not use for fast pattern unless explicitly indicated
-- update copyrights to 2017
-17/03/17 - build 229
+2017/03/17 - build 229
-- fixed mpse to ensure all search methods return consistent results
-- updated search tool to use fast pattern config's search method
-- http_inspect: added alert 119:82 for bad Content-Length value
-- http_inspect: added alert 119:83 for header wrapping; CR and LF parsed as whitespace
-17/03/02 - build 228 - Alpha 4
+2017/03/02 - build 228 - Alpha 4
-- update hypercsan mpse: print error message and erroneous pattern when compilation fails
-- update rule parser: add multiple byte orders warning
-- doc: move LibDAQ README to Reference, update, and fix typos
-- doc: update default manuals
-17/02/24 - build 227
+2017/02/24 - build 227
-- allow arbitrary / unused gids in text rules
-- support DAQs w/o explicit sources (nfq, ipfw)
-- fix up peg help (remove _)
-- fix u2 logging of PDUs
-17/02/16 - build 226
+2017/02/16 - build 226
-- add PDF/SWF decompression to http_inspect
-- add connectors to generated reference parts of manual
-- snort2lua - changes to add file_id when smb file inspection is on
-- snort2lua - add deprecated option stream5_tcp: log_asymmetric_traffic
-17/02/01 - build 225
+2017/02/01 - build 225
-- implement RPC over HTTP by adding dce_http_server and dce_http_proxy
-- port disable_replace option from snort 2.x and add snort2lua support
-- normalize peg names to lower snake_case
-- update default manuals
-17/01/17 - build 224
+2017/01/17 - build 224
-- fix various stream_tcp flush issues
-- fix various cmake issues
-- added CPP flags used to build Snort to snort.pc for extras and other
plugins to use
-16/21/16 - build 223
+2016/21/16 - build 223
-- port 2983 smb active response updates
-- fix reload crash with file inspector
-- improve http_inspect Field class
-- refactor plugin loading
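Review bot: the rewritten line `+2016/21/16 - build 223` is not a valid date (month 21). The removed line `-16/21/16` carried the same transposition, and the mechanical YY to YYYY expansion applied throughout this change preserved it. Since the neighbouring entries are 2017/01/17 (build 224) and 2016/12/16 (build 222), the build 223 date should be checked against the commit history and corrected in this same change rather than carried forward with a four-digit year.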
-16/12/16 - build 222
+2016/12/16 - build 222
-- add JavaScript Normalization to http_inspect
-- fix appid service check dispatch list
-- refactor user manual for clarity
-- update default user manuals
-16/12/09 - build 221
+2016/12/09 - build 221
-- fix appid handling of sip inspection events
-- fix wizard to prevent use-after-free of service name
-- update manual for dce_* inspectors
-- refactor IP address handling
-16/12/01 - build 220
+2016/12/01 - build 220
-- fixed uu and qp decode issue
-- fixed file signature calculation for ftp
-- document sensitive data use
-- user manual refactoring and updates
-16/11/21 - build 219
+2016/11/21 - build 219
-- add dce auto detect to wizard
-- add MIME file processing to new http_inspect
-- create pid file after dropping privileges
-- improve detection and use of CppUTest in non-standard locations
-16/11/04 - build 218
+2016/11/04 - build 218
-- fix shutdown stats
-- fix misc appid issues
-- add sip inspector events for appid
-- update default manuals
-16/10/28 - build 217
+2016/10/28 - build 217
-- update appid to 2983
-- add inspector events from http_inspect to appid
-- fix release of blocked flow
-- fix 129:16 false positive
-16/10/21 - build 216
+2016/10/21 - build 216
-- add build configuration for thread sanitizer
-- port dce_udp fragments
-- fix -Wmaybe-uninitialized issues
-- fix related to appid name with space and SSL position
-16/10/13 - build 215
+2016/10/13 - build 215
-- added module trace facility
-- port block malware over ftp for clients/servers that support REST command
-- fix file hash pruning issue
-- fix rate_filter action config and apply_to clean up
-16/10/07 - build 214
+2016/10/07 - build 214
-- updated DAQ - you *must* use DAQ 2.2.1
-- add libDAQ version to snort -V output
-- change default latency actions to none
-- deleted non-functional extra decoder for i4l_rawip
-16/09/27 - build 213
+2016/09/27 - build 213
-- ported full retransmit changes from snort 2X
-- fixed carved smb2 filenames
-- fixed multithread hyperscan mpse
-- fixed sd_pattern iterative validation
-16/09/24 - build 212
+2016/09/24 - build 212
-- add dce udp snort2lua
-- add file detection when they are transferred in segments in SMB2
-- build: remove SPARC support
-- build: clean up some DAQ header inclusion creep.
-16/09/22 - build 211
+2016/09/22 - build 211
-- fix hyperscan detection with nocase
-- fix shutdown sequence
-- fix --dirty-pig
-- fix FreeBSD build re appid / service_rpc
-16/09/20 - build 210
+2016/09/20 - build 210
-- started dce_udp porting
-- added HA details to stream/* dev_notes
-- fixed double counting of ip and udp timeouts and prunes
-- fixed clearing of SYN - RST flows
-16/09/14 - build 209
+2016/09/14 - build 209
-- add dce iface fast pattern for tcp
-- add --enable-tsc-clock to build/use TSC register (on x86)
-- fix most bogus gap counts
-- unit test fixes for high availability, hyperscan, and regex
-16/09/09 - build 208
+2016/09/09 - build 208
-- fixed for TCP high availability
-- fixed install of file_decomp.h for consistency between Snort and extras
-- ported mpls encode fixes from 2983
-- cleaned up compiler warnings
-16/09/02 - build 207
+2016/09/02 - build 207
-- ported smb file processing
-- ported the 2.9.8 ciscometadata decoder
-- fixed http_inspect and tcp valgrind errors
-- fixed extra auto build from dist
-16/08/10 - build 206
+2016/08/10 - build 206
-- ported appid rule option as "appids"
-- moved http_inspect (old) to http_server (in extras)
-- fixed event queue buffer log size
-- fixed make distcheck; thanks to jack jackson <jsakcon@gmail.com> for reporting the issue
-16/08/05 - build 205
+2016/08/05 - build 205
-- ported smb segmentation support
-- converted sd_pattern to use hyperscan
-- fixed endianness issues with rule options seq and win
-- fixed rule option session binary vs all
-16/07/29 - build 204
+2016/07/29 - build 204
-- fixed issue with icmp_seq and icmp_id field matching
-- fixed off-by-1 line number in rule parsing errors
-- fix cmake make check issue with new_http_inspect
-- added new_http_inspect unbounded POST alert
-16/07/22 - build 203
+2016/07/22 - build 203
-- add oversize directory alert to new_http_inspect
-- add appid counts for mdns, timbuktu, battlefield, bgp, and netbios services
-- continue smb port - write and close command, deprecated dialect check, smb fingerprint
-- fix outstanding strndup calls
-16/07/15 - build 202
+2016/07/15 - build 202
-- fix dynamic build of new_http_inspect
-- fix static analysis issues
-- snort2lua updates for new_http_inspect
-- code refactoring and cleanup
-16/06/22 - build 201
+2016/06/22 - build 201
-- initial appid port - in progress
-- add configure --enable-hardened-build
-- miscellaneous cmake and auto tools build fixes
-- openssl is now a mandatory dependency
-16/06/10 - build 200
+2016/06/10 - build 200
-- continued porting of dce_rpc - smb transaction processing
-- tweaked autotools build foo
-- fix static analysis issues
-- fix handling of bpf file failures
-16/06/03 - build 199
+2016/06/03 - build 199
-- add new http_inspect alerts abusive content-length and transfer-encodings
-- add \b matching to sensitive data
-- fix link with dynamic DAQ
-- convert legacy allocations to memory manager for better memory profiling
-16/05/27 - build 198
+2016/05/27 - build 198
-- add double-decoding to new_http_inspect
-- add obfuscation support for cmg and unified2
-- additional unit tests for high availability
-- fix multi-DAQ instance configuration
-16/05/02 - build 197
+2016/05/02 - build 197
-- fix build of extras
-- fix unit tests
-16/04/29 - build 196
+2016/04/29 - build 196
-- overhaul cmake foo
-- update extras to better serve as examples
-- continued dce2 port
-- more static analysis memory leak fixes
-16/04/22 - build 195
+2016/04/22 - build 195
-- added packet_capture module
-- initial high availability for UDP
-- perf_monitor refactoring
-- unicode map file for new_http_inspect
-16/04/08 - build 194
+2016/04/08 - build 194
-- added iterative pruning for out of memory condition
-- added preemptive pruning to memory manager
-- fixed memory leaks (more to go)
-- clean up hyperscan pkg-config and cmake logic
-16/03/28 - build 193
+2016/03/28 - build 193
-- fix session parsing abort handling
-- fix shutdown memory leaks
-- add configure --enable-code-coverage
-- memory manager updates
-16/03/18 - build 192
+2016/03/18 - build 192
-- use hwloc for CPU affinity
-- fix process stats output
-- miscellaneous warning and lint cleanup
-- snort2Lua updates for preproc sensitive_data and sd_pattern option
-16/03/07 - build 191
+2016/03/07 - build 191
-- fix perf_monitor stats output at shutdown
-- initial port of sensitive data as a rule option
-- fix doc/online_manual.sh for linux
-16/03/04 - build 190
+2016/03/04 - build 190
-- fix console close and remote control disconnect issues
-- added per-thread memcap calculation
-- format string cleanup for parser logging
-- fix conf reload by signal
-16/02/26 - build 189
+2016/02/26 - build 189
-- snort2lua for dce2 port (in progress)
-- replace ppm with latency
-- fix linux + clang build errors
-- trough rewrite
-16/02/22 - build 188
+2016/02/22 - build 188
-- added delete/delete[] replacements for nothrow overload
thanks to Ramya Potluri for reporting the issue
-- packet latency updates
-- perfmon updates
-16/02/12 - build 187
+2016/02/12 - build 187
-- file capture added - initial version writes from packet thread
-- added support for http 0.9 to new_http_inspect
-- refactoring updates to tcp session
-- refactoring updates to profiler
-16/02/02 - build 186
+2016/02/02 - build 186
-- update copyright to 2016, add missing license blocks
-- fix xcode builds
-- start dce2 port - 1st of many updates
-- remove --enable-ppm - always enabled
-16/01/25 - build 185
+2016/01/25 - build 185
-- initial host_tracker for new integrated netmap
-- new_http_inspect refactoring for time and space considerations
-- fatal on failed IP rep segment allocation - thanks to Bill Parker
-- tweaked style guide wrt class declarations
-16/01/08 - build 184
+2016/01/08 - build 184
-- added new_http_inpsect rule options
-- fixed build issue with Clang and thread_local
-- continued tcp session refactoring
-- fixed rule option string unescape issue
-15/12/11 - build 183
+2015/12/11 - build 183
-- circumvent asymmetric flow handling issue
-15/12/11 - build 182 - Alpha 3
+2015/12/11 - build 182 - Alpha 3
-- added memory profiling feature
-- added regex fast pattern support
-- removed PPM_TEST
-- build and memory leak fixes
-15/12/04 - build 181
+2015/12/04 - build 181
-- perf profiling enhancements
-- fixed build issues and memory leaks
-- continued pattern match refactoring
-- fix spurious sip_method matching
-15/11/25 - build 180
+2015/11/25 - build 180
-- ported dnp3 preprocessor and rule options from 2.X
-- fixed various valgrind issues with stats from sip, imap, pop, and smtp
-- squelch repeated ip6 ooo extensions and bad options per packet
-- fixed arp inspection bug
-15/11/20 - build 179
+2015/11/20 - build 179
-- user manaul updates
-- fix perf_monitor.max_file_size default to work on 32-bit systems, thanks
-- fix arp inspection
-- search engine refactoring
-15/11/13 - build 178
+2015/11/13 - build 178
-- document runtime link issue with hyperscan on osx
-- fix pathname generation for event trace file
-- remove --enable-ppm-test
-- sync up auto tools and cmake build options
-15/11/05 - build 177
+2015/11/05 - build 177
-- idle processing cleanup
-- fixed teredo payload detection
-- fix ppm config
-- miscellanous code cleanup
-15/10/30 - build 176
+2015/10/30 - build 176
-- tcp reassembly refactoring
-- profiler rewrite
-- added gzip support to new_http_inspect
-- added regex rule option based on hyperscan
-15/10/23 - build 175
+2015/10/23 - build 175
-- ported gtp preprocessor and rule options from 2.X
-- ported modbus preprocessor and rule options from 2.X
-- added unit test build for cmake (already in autotools builds)
-- fixed dynamic builds (187 plugins, 138 dynamic)
-15/10/16 - build 174
+2015/10/16 - build 174
-- legacy daemonization cleanup
-- decouple -D, -M, -q
-- perfmonitor fixes
-- ssl stats updates
-15/10/09 - build 173
+2015/10/09 - build 173
-- added pkt_num rule option to extras
-- fix final -> finalize changes for extras
packets may have ip6 next proto
-- update default manuals
-15/10/01 - build 172
+2015/10/01 - build 172
-- check for bool value before setting fastpath config option in PPM
-- update manual related to liblzma
-- enable active response without flow
-- update bug list
-15/09/25 - build 171
+2015/09/25 - build 171
-- fix metadata:service to work like 2x
-- fixed issues when building with LINUX_SMP
-- add cpputest for unit testing
-- don't apply cooked verdicts to raw packets
-15/09/17 - build 170
+2015/09/17 - build 170
-- removed unused control socket defines from cmake
-- fixed build error with valgrind build option
-- fix detection of stream_user and stream_file data
-- log innermost proto for type of broken packets
-15/09/10 - build 169
+2015/09/10 - build 169
-- fix chunked manual install
-- add event direction bug
-- code cleanup
-- fix dev guide builds from top_srcdir
-15/09/04 - build 168
+2015/09/04 - build 168
-- fixed build of chunked manual (thanks to Bill Parker for reporting the issue)
-- const cleanup
-- DNS bug fix for TCP
-- added --catch-tags [footag],[bartag] for unit test selection
-15/08/31 - build 167
+2015/08/31 - build 167
-- fix xcode warnings
-15/08/21 - build 166
+2015/08/21 - build 166
-- fix link error with g++ 4.8.3
-- support multiple script-path args and single files
-- fixed rpc_decode sequence number handling and buffer setup
-- perf_monitor fixes for file output
-15/08/14 - build 165
+2015/08/14 - build 165
-- flow depth support for new_http_inspect
-- TCP session refactoring and create libtcp
-- run catch unit tests after check unit tests
-- fix documentation errors in users manual
-15/08/07 - build 164
+2015/08/07 - build 164
-- add range and default to command line args
-- fix unit test build on osx
thanks to Siti Farhana Binti Lokman <sitifarhana.lokman@postgrad.manchester.ac.uk>
for reporting the issue
-15/07/30 - build 163
+2015/07/30 - build 163
-- numerous piglet fixes and enhancements
-- BitOp rewrite
-- fixed endianness in private IP address check
-- fix build of dynamic plugins
-15/07/22 - build 162
+2015/07/22 - build 162
-- enable build dependency tracking
-- cleanup automake and cmake foo
-- dev guide - convert snort includes into links
-- fixup includes
-15/07/15 - build 161
+2015/07/15 - build 161
-- added piglet plugin test harness
-- added piglet_scripts with codec and inspector examples
-- added dev_notes.txt in each src/ subdir
-- scrubbed headers
-15/07/06 - build 160 - Alpha 2
+2015/07/06 - build 160 - Alpha 2
-- fixed duplicate patterns in file_magic.lua
-- warn about rules with no fast pattern
-- fix valgrind issues
-- fix xcode analyzer issues
-15/07/02 - build 159
+2015/07/02 - build 159
-- added file processing to new_http_inspect
-- ported sip preprocessor
-- tweak style guide
-- fix hosts table parsing
-15/06/19 - build 158
+2015/06/19 - build 158
-- nhttp splitter updates
-- nhttp handle white space after chunk length
-- fix ssl assertion
-- cleanup cache config
-15/06/11 - build 157
+2015/06/11 - build 157
-- port ssl from snort
-- fix stream_tcp so call splitter finish only if scan was called
-- refactored active module
-- updated snort2lua
-15/06/04 - build 156
+2015/06/04 - build 156
-- new_http_inspect switch to bitset for event tracking
-- fixed stream tcp handling of paf abort
-- fixed stream tcp cleanup on reset
-- fixed sequence of flush and flow data cleanup for new http inspect
-15/05/31 - build 155
+2015/05/31 - build 155
-- update default manuals
-- fix autotools build of manual wrt plugins
-- add file magic lua
-- xcode analyzer cleanup
-15/05/28 - build 154
+2015/05/28 - build 154
-- new_http_inspect parsing and event handling updates
-- initial port of file capture from Snort
-- cleanup logging
-- stream_tcp refactoring and cleanup
-15/05/22 - build 153
+2015/05/22 - build 153
-- new_http_inspect parsing updates
-- use buckets for user seglist
-- added stream_user for payload processing
-- added stream_file for file processing
-15/05/15 - build 152
+2015/05/15 - build 152
-- fixed config error for inspection of rebuilt packets
-- ported smtp inspector from Snort
-- static analysis fix for new_http_inspect
-15/05/08 - build 151
+2015/05/08 - build 151
-- doc tweaks
-- new_http_inspect message parsing updates
-- misc bug fixes
-15/04/30 - build 150
+2015/04/30 - build 150
-- fixed xcode static analysis issues
-- updated default manuals
-- ensure unknown sources are analyzed
-- pop and imap inspectors ported
-15/04/28 - build 149
+2015/04/28 - build 149
-- fixed build issue with extras
-15/04/28 - build 148
+2015/04/28 - build 148
-- fixed default validation issue reported by Sancho Panza
-- refactored snort and snort_config modules
-- added publish-subscribe handling of data events
-- added data_log plugin example for pub-sub
-15/04/23 - build 147
+2015/04/23 - build 147
-- change PT_DATA to IT_PASSIVE; supports named instances, reload, and consumers
-15/04/16 - build 146
+2015/04/16 - build 146
-- added build of snort_manual.text if w3m is installed
-- added default_snort_manual.text w/o w3m
-- add Flow pointer to StreamSplitter::finish()
-15/04/10 - build 145
+2015/04/10 - build 145
-- nhttp clear() and related changes
-- abort PAF in current direction only
-- new http changes - events from splitter
-- fix dns assertion; remove unused variables
-15/03/31 - build 144
+2015/03/31 - build 144
-- reworked autotools generation of api_options.h
-- updated default manuals
-- ported dns inspector
-15/03/26 - build 143
+2015/03/26 - build 143
-- ported ssh inspector
-- apply service from hosts when inspector already bound to flow
-- eliminate dedicated nhttp chunk buffer
-- minor nhttp cleanup in StreamSplitter
-15/03/18 - build 142
+2015/03/18 - build 142
-- fixed host lookup issue
-- folded classification.lua and reference.lua into snort_defaults.lua
-- fix ip and icmp flow client/server ip init
-- added logging examples to usage
-15/03/11 - build 141
+2015/03/11 - build 141
-- added build foo for lzma; refactored configure.ac
-- enhancements for checking compatibility of external plugins
-- added doc/usage.txt
-15/02/27 - build 140
+2015/02/27 - build 140
-- uncrustify, see crusty.cfg
-- updated documentation on new HTTP inspector, binder, and wizard
-15/02/26 - build 139
+2015/02/26 - build 139
-- additional http_inspect cleanup
-- documented gotcha regarding rule variable definitions in Lua
-- sync 297 http xff, swf, and pdf updates
-15/02/20 - build 138
+2015/02/20 - build 138
-- sync ftp with 297; replace stream event callbacks with FlowData virtuals
-15/02/12 - build 137
+2015/02/12 - build 137
-- updated manual from blog posts and emails
-- normalization refactoring, renaming
Codec methods
-- 297 sync of active and codecs
-15/02/05 - build 136
+2015/02/05 - build 136
-- fix up encoders
-- sync stream with 297
-- fix encoder check for ip6 extensions
-- sync normalizations with 297
-15/01/29 - build 135
+2015/01/29 - build 135
-- fixed freebsd build error
-- fix default hi profile name
-- updated default snort manuals
-15/01/26 - build 134
+2015/01/26 - build 134
-- sync Mpse to 297, add SearchTool
-- 297 sync for sfghash, sfxhash, tag, u2spewfoo, profiler and target based
-- added md5, sha256, and sha512 rule options based on Snort 2.X
protected_content
-15/01/20 - build 133
+2015/01/20 - build 133
-- fixes for large file support on 32-bit Linux systems (reported by Y M)
-- changed u2 base file name to unified2.log
-- added pflog codecs
-- fixed stream_size rule option
-15/01/05 - build 132
+2015/01/05 - build 132
-- added this change log
-- initial partial sync with Snort 297 including bug fixes and variable
-- updated source copyrights for 2015 and reformatted license foo for
consistency
-14/12/16 - build 131
+2014/12/16 - build 131
-- fix asciidoc formatting and update default manuals
-- updates to doc to better explain github builds
-- add missing sanity checks reported by bill parker
-- tweak READMEs
-14/12/11 - build 130
+2014/12/11 - build 130
-- alpha 1 release
<div class="literalblock">\r
<div class="content">\r
<pre><code> ,,_ -*> Snort++ <*-\r
-o" )~ Version 3.0.0 (Build 268)\r
+o" )~ Version 3.0.0 (Build 269)\r
'''' By Martin Roesch & The Snort Team\r
http://snort.org/contact#team\r
Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.\r
is the scheme, "www.samplehost.com" is the host, "287" is the port,\r
"/basic/example/of/path" is the path, "with-query" is the query, and\r
"and-fragment" is the fragment.</p></div>\r
+<div class="paragraph"><p>http_uri represents the normalized uri, normalization of components depends\r
+on uri type. If the uri is of type absolute (contains all six components) or\r
+absolute path (contains path, query and fragment) then the path and query\r
+components are normalized. In these cases, http_uri represents the normalized\r
+path and query (/path?query). If the uri is of type authority (host and port),\r
+the host is normalized and http_uri represents the normalized host with the port\r
+number. In all other cases http_uri is the same as http_raw_uri.</p></div>\r
<div class="paragraph"><p>Note: this section uses informal language to explain some things. Nothing\r
here is intended to conflict with the technical language of the HTTP RFCs\r
and the implementation follows the RFCs.</p></div>\r
</div></div>\r
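Review bot: `http_uri represents the normalized uri, normalization of components depends on uri type` is a comma splice; split it into two sentences ("http_uri represents the normalized URI. Which components are normalized depends on the URI type."). The absolute case then says http_uri is the normalized path and query, `/path?query`, but never says what happens to a fragment when one is present, even though the absolute-path form is defined two lines earlier as "path, query and fragment"; state explicitly whether the fragment is dropped from http_uri or carried through, since rule writers matching on http_uri need to know which.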
<div class="paragraph"><p>to your snort.lua configuration file.</p></div>\r
<div class="paragraph"><p>Everything has a beginning and for http2_inspect this is the beginning of\r
-the beginning. Most of the protocol including HPACK decompression is not\r
-implemented yet.</p></div>\r
+the beginning.</p></div>\r
<div class="paragraph"><p>Currently http2_inspect will divide an HTTP/2 connection into individual\r
-frames and make them available for detection. Two new rule options are\r
-available for looking at HTTP/2 frames: http2_frame_header provides the\r
-9-octet frame header and http2_frame_data provides the frame content.</p></div>\r
+frames. Two new rule options are available for looking at HTTP/2 frames:\r
+http2_frame_header provides the 9-octet frame header.</p></div>\r
<div class="literalblock">\r
<div class="content">\r
<pre><code>alert tcp any any -> any any (msg:"Frame type"; flow:established,\r
sid:1; rev:1; )</code></pre>\r
</div></div>\r
<div class="paragraph"><p>This will match if the Type byte of the frame header is 6 (PING).</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>alert tcp any any -> any any ( msg:"Content of HTTP/2 frame";\r
-flow:established, to_client; http2_frame_data; content:"peppermint";\r
-sid:2; rev:1; )</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>This will look for peppermint in the frame data but not the frame header.</p></div>\r
-<div class="paragraph"><p>These can be combined:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>alert tcp any any -> any any ( msg:"Search in message bodies";\r
-flow:established, to_client;\r
-http2_frame_header; content:"|00|", offset 3, depth 1;\r
-http2_frame_data; content:"MaLwArE"; sid:3; rev:1; )</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Frame type 0 is DATA which carries the HTTP message body. This rule will\r
-search for MaLwArE inside an HTTP message body.</p></div>\r
<div class="paragraph"><p>To smooth the transition to inspecting HTTP/2, rules that specify\r
service:http will be treated as if they also specify service:http2.\r
Thus:</p></div>\r
large numbers of existing rules. New rules should explicitly specify\r
"service http,http2;" if that is the desired behavior. Eventually\r
support for http implies http2 may be deprecated and removed.</p></div>\r
-<div class="paragraph"><p>In the future, http2_inspect will support HPACK header decompression and\r
-be fully integrated with http_inspect to provide full inspection of the\r
-individual HTTP/1.1 streams.</p></div>\r
+<div class="paragraph"><p>In the future, http2_inspect will be fully integrated with http_inspect to\r
+provide full inspection of the individual HTTP/1.1 streams.</p></div>\r
</div>\r
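Review bot: `Two new rule options are available for looking at HTTP/2 frames:` still promises two options but the text that follows names only http2_frame_header, because the http2_frame_data sentence, its example rules and the combined header-plus-body example are all removed in this change. Either drop "Two" or name the second option; the table of contents in this build lists http2_decoded_header directly before http2_frame_header, so a short rule using it would be the natural replacement for the removed `peppermint` and `MaLwArE` examples and would keep the section from resting on a single PING-type example. Also, as printed here the remaining example rule reads `flow:established,` followed directly by `sid:1; rev:1;` with no http2_frame_header option or content match, yet the next sentence says it matches when the Type byte is 6 (PING); confirm the rendered page carries the full rule, because the rule as shown cannot do what the text claims.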
<div class="sect2">\r
<h3 id="_module_trace">Module Trace</h3>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>active.injects</strong>: total crafted packets injected (sum)\r
+<strong>active.injects</strong>: total crafted packets encoded and injected (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>active.failed_injects</strong>: total crafted packet encode + injects that failed (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>active.direct_injects</strong>: total crafted packets directly injected (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>active.failed_direct_injects</strong>: total crafted packet direct injects that failed (sum)\r
</p>\r
</li>\r
</ul></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>decode.trace</strong>: mask for enabling debug traces in module { 0:max53 }\r
+int <strong>decode.trace.all</strong> = 0: enabling traces in module { 0:max32 }\r
</p>\r
</li>\r
</ul></div>\r
</li>\r
<li>\r
<p>\r
-int <strong>detection.trace</strong>: mask for enabling debug traces in module { 0:max53 }\r
+int <strong>detection.trace.detect_engine</strong> = 0: enable detection engine trace logging { 0:max53 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>detection.trace.rule_eval</strong> = 0: enable rule evaluation trace logging { 0:max53 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>detection.trace.buf_min</strong> = 0: enable min buffer trace logging { 0:max53 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>detection.trace.buf_verbose</strong> = 0: enable verbose buffer trace logging { 0:max53 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>detection.trace.rule_vars</strong> = 0: enable rule variables trace logging { 0:max53 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>detection.trace.fp_search</strong> = 0: enable fast pattern search trace logging { 0:max53 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>detection.trace.pkt_detect</strong> = 0: enable packet detection trace logging { 0:max53 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>detection.trace.opt_tree</strong> = 0: enable tree option trace logging { 0:max53 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>detection.trace.tag</strong> = 0: enable tag trace logging { 0:max53 }\r
</p>\r
</li>\r
</ul></div>\r
</li>\r
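Review bot: the new per-module `.trace.all` options are documented with the range `{ 0:max32 }` while every `detection.trace.*` option in the same change keeps `{ 0:max53 }`; if these integers are no longer bitmasks (the removed help text said `mask for enabling debug traces`, the new one says `enable ... trace logging`), both ranges are misleading and the help should say what the value means, which levels are meaningful and whether higher is more verbose. `enabling traces in module` is also not a sentence; use the same form as the detection entries, e.g. `enable all trace logging in module`. Because the old help told users the value was a mask, the new text should say how an existing configuration that set a mask value is now interpreted rather than leaving it to be silently reinterpreted as a level.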
<li>\r
<p>\r
-implied <strong>snort.--gen-msg-map</strong>: dump builtin rules in gen-msg.map format for use by other tools\r
+implied <strong>snort.--gen-msg-map</strong>: dump configured rules in gen-msg.map format for use by other tools\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>snort.trace</strong>: mask for enabling debug traces in module { 0:max53 }\r
+int <strong>snort.trace.all</strong> = 0: enabling traces in module { 0:max32 }\r
</p>\r
</li>\r
</ul></div>\r
</li>\r
<li>\r
<p>\r
-int <strong>appid.trace</strong>: mask for enabling debug traces in module { 0:max53 }\r
+int <strong>appid.trace.all</strong> = 0: enabling traces in module { 0:max32 }\r
</p>\r
</li>\r
</ul></div>\r
</li>\r
<li>\r
<p>\r
-int <strong>dce_smb.trace</strong>: mask for enabling debug traces in module { 0:max53 }\r
+int <strong>dce_smb.trace.all</strong> = 0: enabling traces in module { 0:max32 }\r
</p>\r
</li>\r
</ul></div>\r
</li>\r
<li>\r
<p>\r
-int <strong>dce_udp.trace</strong>: mask for enabling debug traces in module { 0:max53 }\r
+int <strong>dce_udp.trace.all</strong> = 0: enabling traces in module { 0:max32 }\r
</p>\r
</li>\r
</ul></div>\r
</li>\r
<li>\r
<p>\r
-bool <strong>finalize_packet.switch_to_wizard</strong> = false: switch to wizard on first finalize event\r
+bool <strong>finalize_packet.switch_to_wizard</strong> = false: Switch to wizard on first finalize event\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>finalize_packet.use_direct_inject</strong> = false: Use ioctl to do payload and reset injects\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>finalize_packet.defer_whitelist</strong> = false: Turn on defer whitelist until we switch to wizard\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>finalize_packet.force_whitelist</strong> = false: Set ignore direction to both so that flow will be whitelisted\r
</p>\r
</li>\r
</ul></div>\r
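Review bot: `Turn on defer whitelist until we switch to wizard` and `Set ignore direction to both so that flow will be whitelisted` read as developer shorthand; suggest `defer whitelisting the flow until the wizard takes over` and `set ignore direction to both so the flow is whitelisted`. For `use_direct_inject`, `Use ioctl to do payload and reset injects` should say what the alternative path is, since the new `active.direct_injects` and `active.injects` pegs above distinguish "directly injected" from "encoded and injected"; a reader turning this on should know that the encode step is what is being bypassed, and the same wording should be used in the peg descriptions and the option help.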
</li>\r
<li>\r
<p>\r
+<strong>ftp_server.total_bytes</strong>: total number of bytes processed (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>ftp_server.concurrent_sessions</strong>: total concurrent FTP sessions (now)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>gtp_inspect.trace</strong>: mask for enabling debug traces in module { 0:max53 }\r
+int <strong>gtp_inspect.trace.all</strong> = 0: enabling traces in module { 0:max32 }\r
</p>\r
</li>\r
</ul></div>\r
<strong>121:14</strong> (http2_inspect) HTTP/2 dynamic table size limit exceeded\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+<strong>121:15</strong> (http2_inspect) invalid HTTP/2 start line\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>121:16</strong> (http2_inspect) HTTP/2 padding length is bigger than frame data size\r
+</p>\r
+</li>\r
</ul></div>\r
<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
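Review bot: `121:16 HTTP/2 padding length is bigger than frame data size` describes a strict comparison, but RFC 7540 section 6.1 requires a connection error of type PROTOCOL_ERROR when the Pad Length is equal to or greater than the remaining frame payload; check that the equal case also raises this event and, if so, word it `padding length is not smaller than frame payload size` so the message does not understate the check. `121:15 invalid HTTP/2 start line` also needs a word of explanation: HTTP/2 has no start line on the wire, so this presumably refers to the HTTP/1.1-style start line http2_inspect builds from the pseudo-headers before handing the stream to http_inspect (the section above says the two inspectors are to be integrated that way); say so in the event text, otherwise readers cannot tell what traffic triggers it.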
</li>\r
<li>\r
<p>\r
-<strong>perf_monitor.total_frees</strong>: total flows pruned or freed by performance monitor (sum)\r
+<strong>perf_monitor.flow_tracker_creates</strong>: total number of flow trackers created (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>perf_monitor.reload_frees</strong>: flows freed on reload with changed memcap (sum)\r
+<strong>perf_monitor.flow_tracker_total_deletes</strong>: flow trackers deleted to stay below memcap limit (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>perf_monitor.alloc_prunes</strong>: flows pruned on allocation of IP flows (sum)\r
+<strong>perf_monitor.flow_tracker_reload_deletes</strong>: flow trackers deleted due to memcap change on config reload (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>perf_monitor.flow_tracker_prunes</strong>: flow trackers pruned for reuse by new flows (sum)\r
</p>\r
</li>\r
</ul></div>\r
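Review bot: the three removed pegs `perf_monitor.total_frees`, `perf_monitor.reload_frees` and `perf_monitor.alloc_prunes` are replaced by `flow_tracker_*` names with no alias and no note, so anything that parses perf_monitor peg output by name will silently lose these counters; the rename should be called out in the changelog. The name `flow_tracker_total_deletes` also does not match its description `flow trackers deleted to stay below memcap limit`: `total` implies the sum of all deletes, including `flow_tracker_reload_deletes`, so either rename it (e.g. `flow_tracker_memcap_deletes`) or fix the description to say it is the total.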
</li>\r
<li>\r
<p>\r
+<strong>pop.total_bytes</strong>: total number of bytes processed (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>pop.sessions</strong>: total pop sessions (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>smtp.total_bytes</strong>: total number of bytes processed (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>smtp.sessions</strong>: total smtp sessions (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>ssh.total_bytes</strong>: total number of bytes processed (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>ssh.concurrent_sessions</strong>: total concurrent ssh sessions (now)\r
</p>\r
</li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>stream.footprint</strong> = 0: use zero for production, non-zero for testing at given size (for TCP and user) { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
bool <strong>stream.ip_frags_only</strong> = false: don’t process non-frag flows\r
</p>\r
</li>\r
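Review bot: `stream.footprint` is removed from the option list with no replacement and no note; if the option has been removed from the module as well and the module rejects unknown keys, configurations that still set it will fail to load, which deserves a changelog entry and a pointer to where the size-for-testing knob (if any) now lives. If the option still exists and was only dropped from the documentation because it is test-only, the stream section should say that rather than deleting it silently.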
</li>\r
<li>\r
<p>\r
-int <strong>stream.trace</strong>: mask for enabling debug traces in module { 0:max53 }\r
+int <strong>stream.trace.all</strong> = 0: enabling traces in module { 0:max32 }\r
</p>\r
</li>\r
</ul></div>\r
</li>\r
<li>\r
<p>\r
+<strong>stream.stale_prunes</strong>: sessions pruned due to stale connection (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>stream.expected_flows</strong>: total expected flows created within snort (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream_ip.trace</strong>: mask for enabling debug traces in module { 0:max53 }\r
+int <strong>stream_ip.trace.all</strong> = 0: enabling traces in module { 0:max32 }\r
</p>\r
</li>\r
</ul></div>\r
</li>\r
<li>\r
<p>\r
+<strong>stream_ip.total_bytes</strong>: total number of bytes processed (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>stream_ip.total_frags</strong>: total fragments (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>stream_udp.total_bytes</strong>: total number of bytes processed (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>stream_udp.ignored</strong>: udp packets ignored (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream_user.trace</strong>: mask for enabling debug traces in module { 0:max53 }\r
+int <strong>stream_user.trace.all</strong> = 0: enabling traces in module { 0:max32 }\r
</p>\r
</li>\r
</ul></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>flowbits.~command</strong>: set|reset|isset|etc.\r
+string <strong>flowbits.~op</strong>: set|reset|isset|etc.\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>flowbits.~arg1</strong>: bits or group\r
+string <strong>flowbits.~bits</strong>: bits or group\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>flowbits.~arg2</strong>: group if arg1 is bits\r
+string <strong>flowbits.~group</strong>: group if arg1 is bits\r
</p>\r
</li>\r
</ul></div>\r
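Review bot: `flowbits.~group: group if arg1 is bits` still refers to `arg1`, which this same change renames to `bits` two lines above; update it to `group if bits is a list of bits` or similar, otherwise the renamed parameter is documented against a name that no longer exists. The same stale text appears again in the alphabetical option list further down.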
<div class="paragraph"><p>Usage: detect</p></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_http2_frame_data">http2_frame_data</h3>\r
-<div class="paragraph"><p>What: rule option to set detection cursor to the HTTP/2 frame body</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-</div>\r
-<div class="sect2">\r
<h3 id="_http2_frame_header">http2_frame_header</h3>\r
<div class="paragraph"><p>What: rule option to set detection cursor to the 9-octet HTTP/2 frame header</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>reference.~scheme</strong>: reference scheme\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>reference.~id</strong>: reference id\r
+string <strong>reference.~ref</strong>: reference: <scheme>,<id>\r
</p>\r
</li>\r
</ul></div>\r
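Review bot: `reference: <scheme>,<id>` is emitted into the HTML with raw angle brackets; a browser treats `<scheme>` and `<id>` as unknown elements and renders the help text as `reference: ,`, so the placeholders vanish exactly where the reader needs them. Escape them as `&lt;scheme&gt;,&lt;id&gt;` (or use the asciidoc escape that produces that) in the source. The same string is emitted again in the alphabetical option list.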
</li>\r
<li>\r
<p>\r
-multi <strong>alert_csv.fields</strong> = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | seconds | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }\r
+multi <strong>alert_csv.fields</strong> = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | client_bytes | client_pkts | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | flowstart_time | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | seconds | server_bytes | server_pkts | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-multi <strong>alert_json.fields</strong> = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | seconds | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }\r
+multi <strong>alert_json.fields</strong> = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | client_bytes | client_pkts | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | flowstart_time | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | seconds | server_bytes | server_pkts | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }\r
</p>\r
</li>\r
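Review bot: the new selectable fields `client_bytes`, `client_pkts`, `server_bytes`, `server_pkts` and `flowstart_time` are added to `alert_csv.fields` and `alert_json.fields` with no description of what they carry. Direction is presumably relative to the flow initiator rather than to the alerting packet, and `flowstart_time` needs its format stated (epoch seconds, or the same format as the `timestamp` field), because analysts joining alert output to flow records will key on both; one line per field in the output section would settle it.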
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>--gen-msg-map</strong> dump builtin rules in gen-msg.map format for use by other tools\r
+<strong>--gen-msg-map</strong> dump configured rules in gen-msg.map format for use by other tools\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-multi <strong>alert_csv.fields</strong> = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | seconds | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }\r
+multi <strong>alert_csv.fields</strong> = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | client_bytes | client_pkts | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | flowstart_time | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | seconds | server_bytes | server_pkts | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-multi <strong>alert_json.fields</strong> = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | seconds | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }\r
+multi <strong>alert_json.fields</strong> = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | client_bytes | client_pkts | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | flowstart_time | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | seconds | server_bytes | server_pkts | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>appid.trace</strong>: mask for enabling debug traces in module { 0:max53 }\r
+int <strong>appid.trace.all</strong> = 0: enabling traces in module { 0:max32 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>dce_smb.trace</strong>: mask for enabling debug traces in module { 0:max53 }\r
+int <strong>dce_smb.trace.all</strong> = 0: enabling traces in module { 0:max32 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>dce_udp.trace</strong>: mask for enabling debug traces in module { 0:max53 }\r
+int <strong>dce_udp.trace.all</strong> = 0: enabling traces in module { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>decode.trace</strong>: mask for enabling debug traces in module { 0:max53 }\r
+int <strong>decode.trace.all</strong> = 0: enabling traces in module { 0:max32 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>detection.trace</strong>: mask for enabling debug traces in module { 0:max53 }\r
+int <strong>detection.trace.buf_min</strong> = 0: enable min buffer trace logging { 0:max53 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>detection.trace.buf_verbose</strong> = 0: enable verbose buffer trace logging { 0:max53 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>detection.trace.detect_engine</strong> = 0: enable detection engine trace logging { 0:max53 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>detection.trace.fp_search</strong> = 0: enable fast pattern search trace logging { 0:max53 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>detection.trace.opt_tree</strong> = 0: enable tree option trace logging { 0:max53 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>detection.trace.pkt_detect</strong> = 0: enable packet detection trace logging { 0:max53 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>detection.trace.rule_eval</strong> = 0: enable rule evaluation trace logging { 0:max53 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>detection.trace.rule_vars</strong> = 0: enable rule variables trace logging { 0:max53 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>detection.trace.tag</strong> = 0: enable tag trace logging { 0:max53 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>finalize_packet.defer_whitelist</strong> = false: Turn on defer whitelist until we switch to wizard\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>finalize_packet.end_pdu</strong> = 0: Deregister for finalize packet events on this PDU { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
+bool <strong>finalize_packet.force_whitelist</strong> = false: Set ignore direction to both so that flow will be whitelisted\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>finalize_packet.modify.pdu</strong> = 0: Modify verdict in finalize packet for this PDU { 0:max32 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>finalize_packet.switch_to_wizard</strong> = false: switch to wizard on first finalize event\r
+bool <strong>finalize_packet.switch_to_wizard</strong> = false: Switch to wizard on first finalize event\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>finalize_packet.use_direct_inject</strong> = false: Use ioctl to do payload and reset injects\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>flowbits.~arg1</strong>: bits or group\r
+string <strong>flowbits.~bits</strong>: bits or group\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>flowbits.~arg2</strong>: group if arg1 is bits\r
+string <strong>flowbits.~group</strong>: group if arg1 is bits\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>flowbits.~command</strong>: set|reset|isset|etc.\r
+string <strong>flowbits.~op</strong>: set|reset|isset|etc.\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>gtp_inspect.trace</strong>: mask for enabling debug traces in module { 0:max53 }\r
+int <strong>gtp_inspect.trace.all</strong> = 0: enabling traces in module { 0:max32 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>reference.~id</strong>: reference id\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>reference.~scheme</strong>: reference scheme\r
+string <strong>reference.~ref</strong>: reference: <scheme>,<id>\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--gen-msg-map</strong>: dump builtin rules in gen-msg.map format for use by other tools\r
+implied <strong>snort.--gen-msg-map</strong>: dump configured rules in gen-msg.map format for use by other tools\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>snort.trace</strong>: mask for enabling debug traces in module { 0:max53 }\r
+int <strong>snort.trace.all</strong> = 0: enabling traces in module { 0:max32 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.footprint</strong> = 0: use zero for production, non-zero for testing at given size (for TCP and user) { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>stream.icmp_cache.cap_weight</strong> = 8: additional bytes to track per flow for better estimation against cap { 0:65535 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream_ip.trace</strong>: mask for enabling debug traces in module { 0:max53 }\r
+int <strong>stream_ip.trace.all</strong> = 0: enabling traces in module { 0:max32 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.trace</strong>: mask for enabling debug traces in module { 0:max53 }\r
+int <strong>stream.trace.all</strong> = 0: enabling traces in module { 0:max32 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream_user.trace</strong>: mask for enabling debug traces in module { 0:max53 }\r
+int <strong>stream_user.trace.all</strong> = 0: enabling traces in module { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>active.injects</strong>: total crafted packets injected (sum)\r
+<strong>active.direct_injects</strong>: total crafted packets directly injected (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>active.failed_direct_injects</strong>: total crafted packet direct injects that failed (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>active.failed_injects</strong>: total crafted packet encode + injects that failed (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>active.injects</strong>: total crafted packets encoded and injected (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>ftp_server.total_bytes</strong>: total number of bytes processed (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>ftp_server.total_packets</strong>: total packets (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>perf_monitor.alloc_prunes</strong>: flows pruned on allocation of IP flows (sum)\r
+<strong>perf_monitor.flow_tracker_creates</strong>: total number of flow trackers created (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>perf_monitor.packets</strong>: total packets processed by performance monitor (sum)\r
+<strong>perf_monitor.flow_tracker_prunes</strong>: flow trackers pruned for reuse by new flows (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>perf_monitor.reload_frees</strong>: flows freed on reload with changed memcap (sum)\r
+<strong>perf_monitor.flow_tracker_reload_deletes</strong>: flow trackers deleted due to memcap change on config reload (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>perf_monitor.total_frees</strong>: total flows pruned or freed by performance monitor (sum)\r
+<strong>perf_monitor.flow_tracker_total_deletes</strong>: flow trackers deleted to stay below memcap limit (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>perf_monitor.packets</strong>: total packets processed by performance monitor (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>pop.total_bytes</strong>: total number of bytes processed (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>pop.uu_attachments</strong>: total uu attachments decoded (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>smtp.total_bytes</strong>: total number of bytes processed (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>smtp.uu_attachments</strong>: total uu attachments decoded (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>ssh.total_bytes</strong>: total number of bytes processed (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>ssl.alert</strong>: total ssl alert records (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>stream_ip.total_bytes</strong>: total number of bytes processed (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>stream_ip.total_frags</strong>: total fragments (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>stream.stale_prunes</strong>: sessions pruned due to stale connection (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>stream_tcp.client_cleanups</strong>: number of times data from server was flushed when session released (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>stream_udp.total_bytes</strong>: total number of bytes processed (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>stream.uni_prunes</strong>: uni sessions pruned (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>121:15</strong> (http2_inspect) invalid HTTP/2 start line\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>121:16</strong> (http2_inspect) HTTP/2 padding length is bigger than frame data size\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>122:1</strong> (port_scan) TCP portscan\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>http2_frame_data</strong> (ips_option): rule option to set detection cursor to the HTTP/2 frame body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>http2_frame_header</strong> (ips_option): rule option to set detection cursor to the 9-octet HTTP/2 frame header\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>ips_option::http2_frame_data</strong>: rule option to set detection cursor to the HTTP/2 frame body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>ips_option::http2_frame_header</strong>: rule option to set detection cursor to the 9-octet HTTP/2 frame header\r
</p>\r
</li>\r
<div id="footer">\r
<div id="footer-text">\r
Last updated\r
- 2020-02-21 11:32:57 EST\r
+ 2020-03-12 10:44:10 EDT\r
</div>\r
</div>\r
</body>\r
11.45. gtp_type
11.46. gtp_version
11.47. http2_decoded_header
- 11.48. http2_frame_data
- 11.49. http2_frame_header
- 11.50. http_client_body
- 11.51. http_cookie
- 11.52. http_header
- 11.53. http_method
- 11.54. http_param
- 11.55. http_raw_body
- 11.56. http_raw_cookie
- 11.57. http_raw_header
- 11.58. http_raw_request
- 11.59. http_raw_status
- 11.60. http_raw_trailer
- 11.61. http_raw_uri
- 11.62. http_stat_code
- 11.63. http_stat_msg
- 11.64. http_trailer
- 11.65. http_true_ip
- 11.66. http_uri
- 11.67. http_version
- 11.68. icmp_id
- 11.69. icmp_seq
- 11.70. icode
- 11.71. id
- 11.72. ip_proto
- 11.73. ipopts
- 11.74. isdataat
- 11.75. itype
- 11.76. md5
- 11.77. metadata
- 11.78. modbus_data
- 11.79. modbus_func
- 11.80. modbus_unit
- 11.81. msg
- 11.82. mss
- 11.83. pcre
- 11.84. pkt_data
- 11.85. pkt_num
- 11.86. priority
- 11.87. raw_data
- 11.88. reference
- 11.89. regex
- 11.90. rem
- 11.91. replace
- 11.92. rev
- 11.93. rpc
- 11.94. s7commplus_content
- 11.95. s7commplus_func
- 11.96. s7commplus_opcode
- 11.97. sd_pattern
- 11.98. seq
- 11.99. service
- 11.100. session
- 11.101. sha256
- 11.102. sha512
- 11.103. sid
- 11.104. sip_body
- 11.105. sip_header
- 11.106. sip_method
- 11.107. sip_stat_code
- 11.108. so
- 11.109. soid
- 11.110. ssl_state
- 11.111. ssl_version
- 11.112. stream_reassemble
- 11.113. stream_size
- 11.114. tag
- 11.115. target
- 11.116. tos
- 11.117. ttl
- 11.118. urg
- 11.119. window
- 11.120. wscale
+ 11.48. http2_frame_header
+ 11.49. http_client_body
+ 11.50. http_cookie
+ 11.51. http_header
+ 11.52. http_method
+ 11.53. http_param
+ 11.54. http_raw_body
+ 11.55. http_raw_cookie
+ 11.56. http_raw_header
+ 11.57. http_raw_request
+ 11.58. http_raw_status
+ 11.59. http_raw_trailer
+ 11.60. http_raw_uri
+ 11.61. http_stat_code
+ 11.62. http_stat_msg
+ 11.63. http_trailer
+ 11.64. http_true_ip
+ 11.65. http_uri
+ 11.66. http_version
+ 11.67. icmp_id
+ 11.68. icmp_seq
+ 11.69. icode
+ 11.70. id
+ 11.71. ip_proto
+ 11.72. ipopts
+ 11.73. isdataat
+ 11.74. itype
+ 11.75. md5
+ 11.76. metadata
+ 11.77. modbus_data
+ 11.78. modbus_func
+ 11.79. modbus_unit
+ 11.80. msg
+ 11.81. mss
+ 11.82. pcre
+ 11.83. pkt_data
+ 11.84. pkt_num
+ 11.85. priority
+ 11.86. raw_data
+ 11.87. reference
+ 11.88. regex
+ 11.89. rem
+ 11.90. replace
+ 11.91. rev
+ 11.92. rpc
+ 11.93. s7commplus_content
+ 11.94. s7commplus_func
+ 11.95. s7commplus_opcode
+ 11.96. sd_pattern
+ 11.97. seq
+ 11.98. service
+ 11.99. session
+ 11.100. sha256
+ 11.101. sha512
+ 11.102. sid
+ 11.103. sip_body
+ 11.104. sip_header
+ 11.105. sip_method
+ 11.106. sip_stat_code
+ 11.107. so
+ 11.108. soid
+ 11.109. ssl_state
+ 11.110. ssl_version
+ 11.111. stream_reassemble
+ 11.112. stream_size
+ 11.113. tag
+ 11.114. target
+ 11.115. tos
+ 11.116. ttl
+ 11.117. urg
+ 11.118. window
+ 11.119. wscale
12. Search Engine Modules
13. SO Rule Modules
Snorty
,,_ -*> Snort++ <*-
-o" )~ Version 3.0.0 (Build 268)
+o" )~ Version 3.0.0 (Build 269)
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
port, "/basic/example/of/path" is the path, "with-query" is the
query, and "and-fragment" is the fragment.
+http_uri represents the normalized uri, normalization of components
+depends on uri type. If the uri is of type absolute (contains all six
+components) or absolute path (contains path, query and fragment) then
+the path and query components are normalized. In these cases,
+http_uri represents the normalized path and query (/path?query). If
+the uri is of type authority (host and port), the host is normalized
+and http_uri represents the normalized host with the port number. In
+all other cases http_uri is the same as http_raw_uri.
+
Note: this section uses informal language to explain some things.
Nothing here is intended to conflict with the technical language of
the HTTP RFCs and the implementation follows the RFCs.
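Review bot: the new http_uri paragraph overstates what each URI type must contain: an absolute URI does not have to carry all six components (scheme and host suffice; port, query and fragment are optional), and an absolute-path URI needs only a path, with query and fragment optional. As written, a reader can conclude that a request line such as "GET /a/b HTTP/1.1" (no query, no fragment) falls through to the "same as http_raw_uri" case and is not normalized, which is the opposite of what a rule author needs to know. Suggest "absolute (begins with a scheme)" and "absolute path (begins with /)", keeping the normalized-components sentences as they are.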
to your snort.lua configuration file.
Everything has a beginning and for http2_inspect this is the
-beginning of the beginning. Most of the protocol including HPACK
-decompression is not implemented yet.
+beginning of the beginning.
Currently http2_inspect will divide an HTTP/2 connection into
-individual frames and make them available for detection. Two new rule
-options are available for looking at HTTP/2 frames:
-http2_frame_header provides the 9-octet frame header and
-http2_frame_data provides the frame content.
+individual frames. Two new rule options are available for looking at
+HTTP/2 frames: http2_frame_header provides the 9-octet frame header.
alert tcp any any -> any any (msg:"Frame type"; flow:established,
to_client; http2_frame_header; content:"|06|", offset 3, depth 1;
This will match if the Type byte of the frame header is 6 (PING).
-alert tcp any any -> any any ( msg:"Content of HTTP/2 frame";
-flow:established, to_client; http2_frame_data; content:"peppermint";
-sid:2; rev:1; )
-
-This will look for peppermint in the frame data but not the frame
-header.
-
-These can be combined:
-
-alert tcp any any -> any any ( msg:"Search in message bodies";
-flow:established, to_client;
-http2_frame_header; content:"|00|", offset 3, depth 1;
-http2_frame_data; content:"MaLwArE"; sid:3; rev:1; )
-
-Frame type 0 is DATA which carries the HTTP message body. This rule
-will search for MaLwArE inside an HTTP message body.
-
To smooth the transition to inspecting HTTP/2, rules that specify
service:http will be treated as if they also specify service:http2.
Thus:
"service http,http2;" if that is the desired behavior. Eventually
support for http implies http2 may be deprecated and removed.
-In the future, http2_inspect will support HPACK header decompression
-and be fully integrated with http_inspect to provide full inspection
-of the individual HTTP/1.1 streams.
+In the future, http2_inspect will be fully integrated with
+http_inspect to provide full inspection of the individual HTTP/1.1
+streams.
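Review bot: with http2_frame_data removed, the sentence "Two new rule options are available for looking at HTTP/2 frames: http2_frame_header provides the 9-octet frame header." now names a single option and ends mid-list. Suggest "One rule option is available for looking at HTTP/2 frames: http2_frame_header, which provides the 9-octet frame header." Because the frame-body example (the "peppermint" rule, sid:2, and the DATA-frame rule, sid:3) is deleted with no replacement, the paragraph should also say how frame payloads are to be inspected from this build on; a rule writer who ported those rules from the previous build is otherwise left with no documented way to match on HTTP/2 message bodies.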
5.11. Module Trace
Peg counts:
- * active.injects: total crafted packets injected (sum)
+ * active.injects: total crafted packets encoded and injected (sum)
+ * active.failed_injects: total crafted packet encode + injects that
+ failed (sum)
+ * active.direct_injects: total crafted packets directly injected
+ (sum)
+ * active.failed_direct_injects: total crafted packet direct injects
+ that failed (sum)
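Review bot: the description of active.failed_injects, "total crafted packet encode + injects that failed", is hard to parse; suggest "crafted packets that failed to encode or inject". It would also help operators to state the difference between the two paths once: as the peg names say, injects are encoded and then injected, while direct_injects go straight to the ioctl path enabled by finalize_packet.use_direct_inject, so a rising failed_direct_injects with a flat failed_injects points at the injection interface rather than at packet construction. That reading is what someone debugging silently failing resets needs from this list.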
6.2. alerts
Configuration:
- * int decode.trace: mask for enabling debug traces in module {
- 0:max53 }
+ * int decode.trace.all = 0: enabling traces in module { 0:max32 }
Rules:
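Review bot: the replacement description "enabling traces in module" (here for decode.trace.all, and identically for the snort, appid, dce_smb, dce_udp, gtp_inspect, stream, stream_ip and stream_user trace.all lines further down) is not a sentence; the detection.trace.* entries use "enable ... trace logging", so "enable all traces in module" would match them. The ranges also disagree: every trace.all option is { 0:max32 } while every detection.trace.* option is { 0:max53 }. If both take the same kind of value one of the ranges is wrong; if trace.all is still a mask while the detection ones are levels, the text should say so.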
instead of pcre for compatible expressions
* bool detection.enable_address_anomaly_checks = false: enable
check and alerting of address anomalies
- * int detection.trace: mask for enabling debug traces in module {
- 0:max53 }
+ * int detection.trace.detect_engine = 0: enable detection engine
+ trace logging { 0:max53 }
+ * int detection.trace.rule_eval = 0: enable rule evaluation trace
+ logging { 0:max53 }
+ * int detection.trace.buf_min = 0: enable min buffer trace logging
+ { 0:max53 }
+ * int detection.trace.buf_verbose = 0: enable verbose buffer trace
+ logging { 0:max53 }
+ * int detection.trace.rule_vars = 0: enable rule variables trace
+ logging { 0:max53 }
+ * int detection.trace.fp_search = 0: enable fast pattern search
+ trace logging { 0:max53 }
+ * int detection.trace.pkt_detect = 0: enable packet detection trace
+ logging { 0:max53 }
+ * int detection.trace.opt_tree = 0: enable tree option trace
+ logging { 0:max53 }
+ * int detection.trace.tag = 0: enable tag trace logging { 0:max53 }
Peg counts:
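Review bot: the nine detection.trace.* options say neither what the integer means nor which values do anything; "= 0" with "{ 0:max53 }" reads like a bitmask, but the descriptions ("enable rule evaluation trace logging") read like on/off switches. Suggest one sentence in the detection module text stating whether the value is a verbosity level, what the valid levels are, and whether a higher level includes the lower ones, so that "detection.trace.rule_eval = 1" versus "= 5" is predictable without reading the source.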
version, and only the version
* implied snort.--enable-inline-test: enable Inline-Test Mode
Operation
- * implied snort.--gen-msg-map: dump builtin rules in gen-msg.map
+ * implied snort.--gen-msg-map: dump configured rules in gen-msg.map
format for use by other tools
* implied snort.--help: list command line options
* string snort.--help-commands: [<module prefix>] output matching
* string snort.--x2s: output ASCII string for given byte code (see
also --x2c)
* implied snort.--trace: turn on main loop debug trace
- * int snort.trace: mask for enabling debug traces in module {
- 0:max53 }
+ * int snort.trace.all = 0: enabling traces in module { 0:max32 }
Commands:
on startup
* bool appid.log_all_sessions = false: enable logging of all appid
sessions
- * int appid.trace: mask for enabling debug traces in module {
- 0:max53 }
+ * int appid.trace.all = 0: enabling traces in module { 0:max32 }
Commands:
(-1 = disabled, 0 = unlimited) { -1:32767 }
* string dce_smb.smb_invalid_shares: SMB shares to alert on
* bool dce_smb.smb_legacy_mode = false: inspect only SMBv1
- * int dce_smb.trace: mask for enabling debug traces in module {
- 0:max53 }
+ * int dce_smb.trace.all = 0: enabling traces in module { 0:max32 }
Rules:
defragmentation
* int dce_udp.max_frag_len = 65535: maximum fragment size for
defragmentation { 1514:65535 }
- * int dce_udp.trace: mask for enabling debug traces in module {
- 0:max53 }
+ * int dce_udp.trace.all = 0: enabling traces in module { 0:max32 }
Rules:
packet for this PDU { 0:max32 }
* enum finalize_packet.modify.verdict: output format for stats {
pass | block | replace | whitelist | blacklist | ignore | retry }
- * bool finalize_packet.switch_to_wizard = false: switch to wizard
+ * bool finalize_packet.switch_to_wizard = false: Switch to wizard
on first finalize event
+ * bool finalize_packet.use_direct_inject = false: Use ioctl to do
+ payload and reset injects
+ * bool finalize_packet.defer_whitelist = false: Turn on defer
+ whitelist until we switch to wizard
+ * bool finalize_packet.force_whitelist = false: Set ignore
+ direction to both so that flow will be whitelisted
Peg counts:
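Review bot: the finalize_packet descriptions in this hunk ("Switch to wizard", "Use ioctl to do payload and reset injects", "Turn on defer whitelist until we switch to wizard", "Set ignore direction to both so that flow will be whitelisted") are capitalized and the last two are written in the first person plural, unlike every other option description in the manual, which starts lowercase and states the effect; the switch_to_wizard edit even turns a correct lowercase description into an uppercase one. Suggest "switch to wizard on first finalize event", "use ioctl for payload and reset injects", "defer whitelisting until the switch to wizard" and "whitelist the flow by setting ignore direction to both".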
Peg counts:
* ftp_server.total_packets: total packets (sum)
+ * ftp_server.total_bytes: total number of bytes processed (sum)
* ftp_server.concurrent_sessions: total concurrent FTP sessions
(now)
* ftp_server.max_concurrent_sessions: maximum concurrent FTP
* string gtp_inspect[].infos[].name: information element name
* int gtp_inspect[].infos[].length = 0: information element type
code { 0:255 }
- * int gtp_inspect.trace: mask for enabling debug traces in module {
- 0:max53 }
+ * int gtp_inspect.trace.all = 0: enabling traces in module {
+ 0:max32 }
Rules:
* 121:12 (http2_inspect) unknown parameter in HTTP/2 settings frame
* 121:13 (http2_inspect) invalid HTTP/2 frame sequence
* 121:14 (http2_inspect) HTTP/2 dynamic table size limit exceeded
+ * 121:15 (http2_inspect) invalid HTTP/2 start line
+ * 121:16 (http2_inspect) HTTP/2 padding length is bigger than frame
+ data size
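Review bot: the text of 121:16, "HTTP/2 padding length is bigger than frame data size", leaves open whether "frame data size" includes the Pad Length octet, and that is exactly the boundary case that matters. RFC 7540 section 6.1 treats a padding length that is at least the length of the frame payload as a connection error, so the doc (and the check behind it) should define frame data size as the payload minus the Pad Length octet, or say "greater than or equal to", so that a padded frame with zero data octets is classified the same way by the inspector and by the endpoint it protects.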
Peg counts:
* perf_monitor.packets: total packets processed by performance
monitor (sum)
- * perf_monitor.total_frees: total flows pruned or freed by
- performance monitor (sum)
- * perf_monitor.reload_frees: flows freed on reload with changed
- memcap (sum)
- * perf_monitor.alloc_prunes: flows pruned on allocation of IP flows
- (sum)
+ * perf_monitor.flow_tracker_creates: total number of flow trackers
+ created (sum)
+ * perf_monitor.flow_tracker_total_deletes: flow trackers deleted to
+ stay below memcap limit (sum)
+ * perf_monitor.flow_tracker_reload_deletes: flow trackers deleted
+ due to memcap change on config reload (sum)
+ * perf_monitor.flow_tracker_prunes: flow trackers pruned for reuse
+ by new flows (sum)
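Review bot: the perf_monitor peg rename drops total_frees, reload_frees and alloc_prunes without giving the mapping, and the new names are not one to one (flow_tracker_creates is new; flow_tracker_total_deletes and flow_tracker_prunes are described differently from total_frees and alloc_prunes). Anything scraping these pegs from perf_monitor output will silently report zero after the upgrade. Suggest a line stating which old counter each new one replaces, or that none does, so a dashboard can be migrated rather than guessed at.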
9.31. pop
Peg counts:
* pop.packets: total packets processed (sum)
+ * pop.total_bytes: total number of bytes processed (sum)
* pop.sessions: total pop sessions (sum)
* pop.concurrent_sessions: total concurrent pop sessions (now)
* pop.max_concurrent_sessions: maximum concurrent pop sessions
Peg counts:
* smtp.packets: total packets processed (sum)
+ * smtp.total_bytes: total number of bytes processed (sum)
* smtp.sessions: total smtp sessions (sum)
* smtp.concurrent_sessions: total concurrent smtp sessions (now)
* smtp.max_concurrent_sessions: maximum concurrent smtp sessions
Peg counts:
* ssh.packets: total packets (sum)
+ * ssh.total_bytes: total number of bytes processed (sum)
* ssh.concurrent_sessions: total concurrent ssh sessions (now)
* ssh.max_concurrent_sessions: maximum concurrent ssh sessions
(max)
Configuration:
- * int stream.footprint = 0: use zero for production, non-zero for
- testing at given size (for TCP and user) { 0:max32 }
* bool stream.ip_frags_only = false: don’t process non-frag flows
* int stream.max_flows = 476288: maximum simultaneous flows tracked
before pruning { 2:max32 }
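Review bot: stream.footprint is removed outright, here and in the consolidated option list further down, rather than being deprecated. Snort 3 rejects unknown configuration parameters at startup, so any snort.lua that still sets stream.footprint (a testing knob, but one the previous build documented) will fail to load after the upgrade. This deserves a visible note telling users to drop the setting; a removed option that only shows up as a missing line in the manual is easy to miss until the sensor refuses to start.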
before retiring session tracker { 1:max32 }
* int stream.file_cache.cap_weight = 32: additional bytes to track
per flow for better estimation against cap { 0:65535 }
- * int stream.trace: mask for enabling debug traces in module {
- 0:max53 }
+ * int stream.trace.all = 0: enabling traces in module { 0:max32 }
Rules:
pruning (sum)
* stream.memcap_prunes: sessions pruned due to memcap (sum)
* stream.ha_prunes: sessions pruned by high availability sync (sum)
+ * stream.stale_prunes: sessions pruned due to stale connection
+ (sum)
* stream.expected_flows: total expected flows created within snort
(sum)
* stream.expected_realized: number of expected flows realized (sum)
| linux | bsd | bsd_right | last | windows | solaris }
* int stream_ip.session_timeout = 30: session tracking timeout {
1:max31 }
- * int stream_ip.trace: mask for enabling debug traces in module {
- 0:max53 }
+ * int stream_ip.trace.all = 0: enabling traces in module { 0:max32
+ }
Rules:
* stream_ip.released: ip session trackers released (sum)
* stream_ip.timeouts: ip session timeouts (sum)
* stream_ip.prunes: ip session prunes (sum)
+ * stream_ip.total_bytes: total number of bytes processed (sum)
* stream_ip.total_frags: total fragments (sum)
* stream_ip.current_frags: current fragments (now)
* stream_ip.max_frags: max fragments (sum)
* stream_udp.released: udp session trackers released (sum)
* stream_udp.timeouts: udp session timeouts (sum)
* stream_udp.prunes: udp session prunes (sum)
+ * stream_udp.total_bytes: total number of bytes processed (sum)
* stream_udp.ignored: udp packets ignored (sum)
* int stream_user.session_timeout = 30: session tracking timeout {
1:max31 }
- * int stream_user.trace: mask for enabling debug traces in module {
- 0:max53 }
+ * int stream_user.trace.all = 0: enabling traces in module {
+ 0:max32 }
9.51. telnet
Configuration:
- * string flowbits.~command: set|reset|isset|etc.
- * string flowbits.~arg1: bits or group
- * string flowbits.~arg2: group if arg1 is bits
+ * string flowbits.~op: set|reset|isset|etc.
+ * string flowbits.~bits: bits or group
+ * string flowbits.~group: group if arg1 is bits
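Review bot: the flowbits rename (~command, ~arg1, ~arg2 to ~op, ~bits, ~group) leaves a stale description: "~group: group if arg1 is bits" refers to arg1, which no longer exists; the consolidated option list further down repeats the same text. Suggest "group, when the bits argument names bits rather than a group" (or whatever the new positional rule is), since this text is what the built-in help prints for the option.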
11.41. fragbits
Usage: detect
-11.48. http2_frame_data
-
---------------
-
-What: rule option to set detection cursor to the HTTP/2 frame body
-
-Type: ips_option
-
-Usage: detect
-
-
-11.49. http2_frame_header
+11.48. http2_frame_header
--------------
Usage: detect
-11.50. http_client_body
+11.49. http_client_body
--------------
Usage: detect
-11.51. http_cookie
+11.50. http_cookie
--------------
message trailers
-11.52. http_header
+11.51. http_header
--------------
message trailers
-11.53. http_method
+11.52. http_method
--------------
message trailers
-11.54. http_param
+11.53. http_param
--------------
* implied http_param.nocase: case insensitive match
-11.55. http_raw_body
+11.54. http_raw_body
--------------
Usage: detect
-11.56. http_raw_cookie
+11.55. http_raw_cookie
--------------
HTTP message trailers
-11.57. http_raw_header
+11.56. http_raw_header
--------------
HTTP message trailers
-11.58. http_raw_request
+11.57. http_raw_request
--------------
HTTP message trailers
-11.59. http_raw_status
+11.58. http_raw_status
--------------
HTTP message trailers
-11.60. http_raw_trailer
+11.59. http_raw_trailer
--------------
HTTP response message body (must be combined with request)
-11.61. http_raw_uri
+11.60. http_raw_uri
--------------
URI only
-11.62. http_stat_code
+11.61. http_stat_code
--------------
HTTP message trailers
-11.63. http_stat_msg
+11.62. http_stat_msg
--------------
HTTP message trailers
-11.64. http_trailer
+11.63. http_trailer
--------------
message body (must be combined with request)
-11.65. http_true_ip
+11.64. http_true_ip
--------------
HTTP message trailers
-11.66. http_uri
+11.65. http_uri
--------------
only
-11.67. http_version
+11.66. http_version
--------------
HTTP message trailers
-11.68. icmp_id
+11.67. icmp_id
--------------
0:65535 }
-11.69. icmp_seq
+11.68. icmp_seq
--------------
given range { 0:65535 }
-11.70. icode
+11.69. icode
--------------
0:255 }
-11.71. id
+11.70. id
--------------
}
-11.72. ip_proto
+11.71. ip_proto
--------------
* string ip_proto.~proto: [!|>|<] name or number
-11.73. ipopts
+11.72. ipopts
--------------
lsrre|ssrr|satid|any }
-11.74. isdataat
+11.73. isdataat
--------------
buffer
-11.75. itype
+11.74. itype
--------------
0:255 }
-11.76. md5
+11.75. md5
--------------
of buffer
-11.77. metadata
+11.76. metadata
--------------
pairs
-11.78. modbus_data
+11.77. modbus_data
--------------
Usage: detect
-11.79. modbus_func
+11.78. modbus_func
--------------
* string modbus_func.~: function code to match
-11.80. modbus_unit
+11.79. modbus_unit
--------------
* int modbus_unit.~: Modbus unit ID { 0:255 }
-11.81. msg
+11.80. msg
--------------
* string msg.~: message describing rule
-11.82. mss
+11.81. mss
--------------
}
-11.83. pcre
+11.82. pcre
--------------
* pcre.pcre_negated: total pcre rules using negation syntax (sum)
-11.84. pkt_data
+11.83. pkt_data
--------------
Usage: detect
-11.85. pkt_num
+11.84. pkt_num
--------------
{ 1: }
-11.86. priority
+11.85. priority
--------------
1:max31 }
-11.87. raw_data
+11.86. raw_data
--------------
Usage: detect
-11.88. reference
+11.87. reference
--------------
Configuration:
- * string reference.~scheme: reference scheme
- * string reference.~id: reference id
+ * string reference.~ref: reference: <scheme>,<id>
-11.89. regex
+11.88. regex
--------------
instead of start of buffer
-11.90. rem
+11.89. rem
--------------
* string rem.~: comment
-11.91. replace
+11.90. replace
--------------
* string replace.~: byte code to replace with
-11.92. rev
+11.91. rev
--------------
* int rev.~: revision { 1:max32 }
-11.93. rpc
+11.92. rpc
--------------
* string rpc.~proc: procedure number or * for any
-11.94. s7commplus_content
+11.93. s7commplus_content
--------------
Usage: detect
-11.95. s7commplus_func
+11.94. s7commplus_func
--------------
* string s7commplus_func.~: function code to match
-11.96. s7commplus_opcode
+11.95. s7commplus_opcode
--------------
* string s7commplus_opcode.~: opcode code to match
-11.97. sd_pattern
+11.96. sd_pattern
--------------
* sd_pattern.terminated: hyperscan terminated (sum)
-11.98. seq
+11.97. seq
--------------
range { 0: }
-11.99. service
+11.98. service
--------------
* string service.*: one or more comma-separated service names
-11.100. session
+11.99. session
--------------
* enum session.~mode: output format { printable|binary|all }
-11.101. sha256
+11.100. sha256
--------------
start of buffer
-11.102. sha512
+11.101. sha512
--------------
start of buffer
-11.103. sid
+11.102. sid
--------------
* int sid.~: signature id { 1:max32 }
-11.104. sip_body
+11.103. sip_body
--------------
Usage: detect
-11.105. sip_header
+11.104. sip_header
--------------
Usage: detect
-11.106. sip_method
+11.105. sip_method
--------------
* string sip_method.*method: sip method
-11.107. sip_stat_code
+11.106. sip_stat_code
--------------
* int sip_stat_code.*code: status code { 1:999 }
-11.108. so
+11.107. so
--------------
buffer
-11.109. soid
+11.108. soid
--------------
like 3_45678_9
-11.110. ssl_state
+11.109. ssl_state
--------------
unknown
-11.111. ssl_version
+11.110. ssl_version
--------------
tls1.2
-11.112. stream_reassemble
+11.111. stream_reassemble
--------------
remainder of the session
-11.113. stream_size
+11.112. stream_size
--------------
direction(s) { either|to_server|to_client|both }
-11.114. tag
+11.113. tag
--------------
* int tag.bytes: tag for this many bytes { 1:max32 }
-11.115. target
+11.114. target
--------------
dst_ip }
-11.116. tos
+11.115. tos
--------------
* interval tos.~range: check if IP TOS is in given range { 0:255 }
-11.117. ttl
+11.116. ttl
--------------
0:255 }
-11.118. urg
+11.117. urg
--------------
{ 0:65535 }
-11.119. window
+11.118. window
--------------
range { 0:65535 }
-11.120. wscale
+11.119. wscale
--------------
stdout
* multi alert_csv.fields = timestamp pkt_num proto pkt_gen pkt_len
dir src_ap dst_ap rule action: selected fields will be output in
- given order left to right { action | class | b64_data | dir |
- dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src |
- eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type |
- iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num
- | priority | proto | rev | rule | seconds | service | sid |
- src_addr | src_ap | src_port | target | tcp_ack | tcp_flags |
- tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len |
- vlan }
+ given order left to right { action | class | b64_data |
+ client_bytes | client_pkts | dir | dst_addr | dst_ap | dst_port |
+ eth_dst | eth_len | eth_src | eth_type | flowstart_time | gid |
+ icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id |
+ ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority |
+ proto | rev | rule | seconds | server_bytes | server_pkts |
+ service | sid | src_addr | src_ap | src_port | target | tcp_ack |
+ tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl |
+ udp_len | vlan }
* int alert_csv.limit = 0: set maximum size in MB before rollover
(0 is unlimited) { 0:maxSZ }
* string alert_csv.separator = , : separate fields with this
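Review bot: the new alert_csv fields client_bytes, client_pkts, server_bytes, server_pkts and flowstart_time get no description in this hunk, nor in the identical alert_json hunk or the consolidated option list that repeats both. A consumer cannot tell whether the byte and packet counts are the flow totals at the moment of the alert or only the triggering packet's contribution, nor whether flowstart_time is formatted like timestamp or like seconds. One sentence after the fields line, stating which side "client" is (the flow initiator) and the unit and format of each, would settle it; as it stands the fields cannot be used reliably in correlation queries.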
stdout
* multi alert_json.fields = timestamp pkt_num proto pkt_gen pkt_len
dir src_ap dst_ap rule action: selected fields will be output in
- given order left to right { action | class | b64_data | dir |
- dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src |
- eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type |
- iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num
- | priority | proto | rev | rule | seconds | service | sid |
- src_addr | src_ap | src_port | target | tcp_ack | tcp_flags |
- tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len |
- vlan }
+ given order left to right { action | class | b64_data |
+ client_bytes | client_pkts | dir | dst_addr | dst_ap | dst_port |
+ eth_dst | eth_len | eth_src | eth_type | flowstart_time | gid |
+ icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id |
+ ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority |
+ proto | rev | rule | seconds | server_bytes | server_pkts |
+ service | sid | src_addr | src_ap | src_port | target | tcp_ack |
+ tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl |
+ udp_len | vlan }
* int alert_json.limit = 0: set maximum size in MB before rollover
(0 is unlimited) { 0:maxSZ }
* string alert_json.separator = , : separate fields with this
* --dump-version output the version, the whole version, and only
the version
* --enable-inline-test enable Inline-Test Mode Operation
- * --gen-msg-map dump builtin rules in gen-msg.map format for use by
- other tools
+ * --gen-msg-map dump configured rules in gen-msg.map format for use
+ by other tools
* --help list command line options
* --help-commands [<module prefix>] output matching commands
(optional)
responses { 1:255 }
* multi alert_csv.fields = timestamp pkt_num proto pkt_gen pkt_len
dir src_ap dst_ap rule action: selected fields will be output in
- given order left to right { action | class | b64_data | dir |
- dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src |
- eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type |
- iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num
- | priority | proto | rev | rule | seconds | service | sid |
- src_addr | src_ap | src_port | target | tcp_ack | tcp_flags |
- tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len |
- vlan }
+ given order left to right { action | class | b64_data |
+ client_bytes | client_pkts | dir | dst_addr | dst_ap | dst_port |
+ eth_dst | eth_len | eth_src | eth_type | flowstart_time | gid |
+ icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id |
+ ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority |
+ proto | rev | rule | seconds | server_bytes | server_pkts |
+ service | sid | src_addr | src_ap | src_port | target | tcp_ack |
+ tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl |
+ udp_len | vlan }
* bool alert_csv.file = false: output to alert_csv.txt instead of
stdout
* int alert_csv.limit = 0: set maximum size in MB before rollover
(0 is unlimited) { 0:maxSZ }
* multi alert_json.fields = timestamp pkt_num proto pkt_gen pkt_len
dir src_ap dst_ap rule action: selected fields will be output in
- given order left to right { action | class | b64_data | dir |
- dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src |
- eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type |
- iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num
- | priority | proto | rev | rule | seconds | service | sid |
- src_addr | src_ap | src_port | target | tcp_ack | tcp_flags |
- tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len |
- vlan }
+ given order left to right { action | class | b64_data |
+ client_bytes | client_pkts | dir | dst_addr | dst_ap | dst_port |
+ eth_dst | eth_len | eth_src | eth_type | flowstart_time | gid |
+ icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id |
+ ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority |
+ proto | rev | rule | seconds | server_bytes | server_pkts |
+ service | sid | src_addr | src_ap | src_port | target | tcp_ack |
+ tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl |
+ udp_len | vlan }
* bool alert_json.file = false: output to alert_json.txt instead of
stdout
* int alert_json.limit = 0: set maximum size in MB before rollover
library
* bool appid.tp_appid_stats_enable: enable collection of stats and
print stats on exit in third party module
- * int appid.trace: mask for enabling debug traces in module {
- 0:max53 }
+ * int appid.trace.all = 0: enabling traces in module { 0:max32 }
* ip4 arp_spoof.hosts[].ip: host ip address
* mac arp_spoof.hosts[].mac: host mac address
* int asn1.absolute_offset: absolute offset from the beginning of
* bool dce_smb.smb_legacy_mode = false: inspect only SMBv1
* int dce_smb.smb_max_chain = 3: SMB max chain size { 0:255 }
* int dce_smb.smb_max_compound = 3: SMB max compound size { 0:255 }
- * int dce_smb.trace: mask for enabling debug traces in module {
- 0:max53 }
+ * int dce_smb.trace.all = 0: enabling traces in module { 0:max32 }
* multi dce_smb.valid_smb_versions = all: valid SMB versions { v1 |
v2 | all }
* bool dce_tcp.disable_defrag = false: disable DCE/RPC
per signature per flow
* int dce_udp.max_frag_len = 65535: maximum fragment size for
defragmentation { 1514:65535 }
- * int dce_udp.trace: mask for enabling debug traces in module {
- 0:max53 }
- * int decode.trace: mask for enabling debug traces in module {
- 0:max53 }
+ * int dce_udp.trace.all = 0: enabling traces in module { 0:max32 }
+ * int decode.trace.all = 0: enabling traces in module { 0:max32 }
* int detection.asn1 = 0: maximum decode nodes { 0:65535 }
* bool detection.enable_address_anomaly_checks = false: enable
check and alerting of address anomalies
overrides when pattern matching (ie ignore /O)
* bool detection.pcre_to_regex = false: enable the use of regex
instead of pcre for compatible expressions
- * int detection.trace: mask for enabling debug traces in module {
- 0:max53 }
+ * int detection.trace.buf_min = 0: enable min buffer trace logging
+ { 0:max53 }
+ * int detection.trace.buf_verbose = 0: enable verbose buffer trace
+ logging { 0:max53 }
+ * int detection.trace.detect_engine = 0: enable detection engine
+ trace logging { 0:max53 }
+ * int detection.trace.fp_search = 0: enable fast pattern search
+ trace logging { 0:max53 }
+ * int detection.trace.opt_tree = 0: enable tree option trace
+ logging { 0:max53 }
+ * int detection.trace.pkt_detect = 0: enable packet detection trace
+ logging { 0:max53 }
+ * int detection.trace.rule_eval = 0: enable rule evaluation trace
+ logging { 0:max53 }
+ * int detection.trace.rule_vars = 0: enable rule variables trace
+ logging { 0:max53 }
+ * int detection.trace.tag = 0: enable tag trace logging { 0:max53 }
* bool dnp3.check_crc = false: validate checksums in DNP3 link
layer frames
* string dnp3_func.~: match DNP3 function code or name
* bool file_log.log_sys_time = false: log the system time when
event generated
* string file_type.~: list of file type IDs to match
+ * bool finalize_packet.defer_whitelist = false: Turn on defer
+ whitelist until we switch to wizard
* int finalize_packet.end_pdu = 0: Deregister for finalize packet
events on this PDU { 0:max32 }
+ * bool finalize_packet.force_whitelist = false: Set ignore
+ direction to both so that flow will be whitelisted
* int finalize_packet.modify.pdu = 0: Modify verdict in finalize
packet for this PDU { 0:max32 }
* enum finalize_packet.modify.verdict: output format for stats {
pass | block | replace | whitelist | blacklist | ignore | retry }
* int finalize_packet.start_pdu = 0: Register to receive finalize
packet event starting on this PDU { 0:max32 }
- * bool finalize_packet.switch_to_wizard = false: switch to wizard
+ * bool finalize_packet.switch_to_wizard = false: Switch to wizard
on first finalize event
+ * bool finalize_packet.use_direct_inject = false: Use ioctl to do
+ payload and reset injects
* string flags.~mask_flags: these flags are don’t cares
* string flags.~test_flags: these flags are tested
- * string flowbits.~arg1: bits or group
- * string flowbits.~arg2: group if arg1 is bits
- * string flowbits.~command: set|reset|isset|etc.
+ * string flowbits.~bits: bits or group
+ * string flowbits.~group: group if arg1 is bits
+ * string flowbits.~op: set|reset|isset|etc.
* implied flow.established: match only during data transfer phase
* implied flow.from_client: same as to_server
* implied flow.from_server: same as to_client
* string gtp_inspect[].messages[].name: message name
* int gtp_inspect[].messages[].type = 0: message type code { 0:255
}
- * int gtp_inspect.trace: mask for enabling debug traces in module {
- 0:max53 }
+ * int gtp_inspect.trace.all = 0: enabling traces in module {
+ 0:max32 }
* int gtp_inspect[].version = 2: GTP version { 0:2 }
* string gtp_type.~: list of types to match
* int gtp_version.~: version to match { 0:2 }
default message
* string react.page: file containing HTTP response (headers and
body)
- * string reference.~id: reference id
- * string reference.~scheme: reference scheme
+ * string reference.~ref: reference: <scheme>,<id>
* string references[].name: name used with reference rule option
* string references[].url: where this reference is defined
* implied regex.dotall: matching a . will not exclude newlines
Operation
* implied snort.-f: turn off fflush() calls after binary log writes
* int snort.-G: <0xid> (same as --logid) { 0:65535 }
- * implied snort.--gen-msg-map: dump builtin rules in gen-msg.map
+ * implied snort.--gen-msg-map: dump configured rules in gen-msg.map
format for use by other tools
* string snort.-g: <gname> run snort gid as <gname> group (or gid)
after initialization
talos)
* string snort.-t: <dir> chroots process to <dir> after
initialization
- * int snort.trace: mask for enabling debug traces in module {
- 0:max53 }
+ * int snort.trace.all = 0: enabling traces in module { 0:max32 }
* implied snort.--trace: turn on main loop debug trace
* implied snort.--treat-drop-as-alert: converts drop, block, and
reset rules into alert rules when loaded
* int stream.file_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 }
* bool stream_file.upload = false: indicate file transfer direction
- * int stream.footprint = 0: use zero for production, non-zero for
- testing at given size (for TCP and user) { 0:max32 }
* int stream.icmp_cache.cap_weight = 8: additional bytes to track
per flow for better estimation against cap { 0:65535 }
* int stream.icmp_cache.idle_timeout = 180: maximum inactive time
| linux | bsd | bsd_right | last | windows | solaris }
* int stream_ip.session_timeout = 30: session tracking timeout {
1:max31 }
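Review bot: stream.footprint is removed here with no replacement and no deprecation note. Removing a documented parameter is a user-visible change: configs that still set it will be rejected at startup, so the removal should be listed in the changelog, and if the testing use case it served (`non-zero for testing at given size`) still exists, the docs should point to whatever now covers it.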
- * int stream_ip.trace: mask for enabling debug traces in module {
- 0:max53 }
+ * int stream_ip.trace.all = 0: enabling traces in module { 0:max32
+ }
* int stream.max_flows = 476288: maximum simultaneous flows tracked
before pruning { 2:max32 }
* int stream.pruning_timeout = 30: minimum inactive time before
* int stream_tcp.small_segments.maximum_size = 0: minimum bytes for
a TCP segment not to be considered small (129:12) { 0:2048 }
* bool stream_tcp.track_only = false: disable reassembly if true
- * int stream.trace: mask for enabling debug traces in module {
- 0:max53 }
+ * int stream.trace.all = 0: enabling traces in module { 0:max32 }
* int stream.udp_cache.cap_weight = 128: additional bytes to track
per flow for better estimation against cap { 0:65535 }
* int stream.udp_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 }
* int stream_user.session_timeout = 30: session tracking timeout {
1:max31 }
- * int stream_user.trace: mask for enabling debug traces in module {
- 0:max53 }
+ * int stream_user.trace.all = 0: enabling traces in module {
+ 0:max32 }
* int suppress[].gid = 0: rule generator ID { 0:max32 }
* string suppress[].ip: restrict suppression to these addresses
according to track
--------------
- * active.injects: total crafted packets injected (sum)
+ * active.direct_injects: total crafted packets directly injected
+ (sum)
+ * active.failed_direct_injects: total crafted packet direct injects
+ that failed (sum)
+ * active.failed_injects: total crafted packet encode + injects that
+ failed (sum)
+ * active.injects: total crafted packets encoded and injected (sum)
* appid.appid_unknown: count of sessions where appid could not be
determined (sum)
* appid.ignored_packets: count of packets ignored (sum)
(now)
* ftp_server.max_concurrent_sessions: maximum concurrent FTP
sessions (max)
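Review bot: the existing active.injects counter changes meaning in this hunk, from `total crafted packets injected` to only the encode-and-inject path, with direct injects now counted separately in active.direct_injects. Anyone graphing the old counter will see it drop after upgrade; call that out in the changelog rather than only in the counter description. Minor: the two failure counters use different phrasing (`encode + injects` vs `encoded and injected`); pick one.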
+ * ftp_server.total_bytes: total number of bytes processed (sum)
* ftp_server.total_packets: total packets (sum)
* gtp_inspect.concurrent_sessions: total concurrent gtp sessions
(now)
* pcre.pcre_negated: total pcre rules using negation syntax (sum)
* pcre.pcre_rules: total rules processed with pcre option (sum)
* pcre.pcre_to_hyper: total pcre rules by hyperscan engine (sum)
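Review bot: the new ftp_server.total_bytes counter (and the matching pop, smtp, ssh, stream_ip and stream_udp additions below) all use the description `total number of bytes processed`, which does not say whether this counts payload bytes handed to the inspector or whole packets including headers. Since these values will be compared across modules, state the unit once and use the same wording everywhere.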
- * perf_monitor.alloc_prunes: flows pruned on allocation of IP flows
- (sum)
+ * perf_monitor.flow_tracker_creates: total number of flow trackers
+ created (sum)
+ * perf_monitor.flow_tracker_prunes: flow trackers pruned for reuse
+ by new flows (sum)
+ * perf_monitor.flow_tracker_reload_deletes: flow trackers deleted
+ due to memcap change on config reload (sum)
+ * perf_monitor.flow_tracker_total_deletes: flow trackers deleted to
+ stay below memcap limit (sum)
* perf_monitor.packets: total packets processed by performance
monitor (sum)
- * perf_monitor.reload_frees: flows freed on reload with changed
- memcap (sum)
- * perf_monitor.total_frees: total flows pruned or freed by
- performance monitor (sum)
* pop.b64_attachments: total base64 attachments decoded (sum)
* pop.b64_decoded_bytes: total base64 decoded bytes (sum)
* pop.concurrent_sessions: total concurrent pop sessions (now)
(sum)
* pop.qp_decoded_bytes: total quoted-printable decoded bytes (sum)
* pop.sessions: total pop sessions (sum)
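Review bot: in the perf_monitor counter hunks, the name flow_tracker_total_deletes does not match its description `flow trackers deleted to stay below memcap limit`: `total` suggests a sum over all delete reasons (prunes plus reload deletes), while the text describes one specific reason. Either rename it (e.g. flow_tracker_memcap_deletes) or, if it really is the total, say so and state that it includes the prune and reload counts. Also, three counters (alloc_prunes, reload_frees, total_frees) are dropped, which breaks any tooling that reads them; a mapping from old to new names in the changelog would help.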
+ * pop.total_bytes: total number of bytes processed (sum)
* pop.uu_attachments: total uu attachments decoded (sum)
* pop.uu_decoded_bytes: total uu decoded bytes (sum)
* port_scan.alloc_prunes: number of trackers pruned on allocation
(sum)
* smtp.qp_decoded_bytes: total quoted-printable decoded bytes (sum)
* smtp.sessions: total smtp sessions (sum)
+ * smtp.total_bytes: total number of bytes processed (sum)
* smtp.uu_attachments: total uu attachments decoded (sum)
* smtp.uu_decoded_bytes: total uu decoded bytes (sum)
* snort.attribute_table_hosts: total number of hosts in table (sum)
* ssh.max_concurrent_sessions: maximum concurrent ssh sessions
(max)
* ssh.packets: total packets (sum)
+ * ssh.total_bytes: total number of bytes processed (sum)
* ssl.alert: total ssl alert records (sum)
* ssl.bad_handshakes: total bad handshakes (sum)
* ssl.certificate: total ssl certificates (sum)
* stream_ip.released: ip session trackers released (sum)
* stream_ip.sessions: total ip sessions (sum)
* stream_ip.timeouts: ip session timeouts (sum)
+ * stream_ip.total_bytes: total number of bytes processed (sum)
* stream_ip.total_frags: total fragments (sum)
* stream_ip.trackers_added: datagram trackers created (sum)
* stream_ip.trackers_cleared: datagram trackers cleared (sum)
called while idle (sum)
* stream.reload_tuning_packets: number of times stream resource
tuner called while processing packets (sum)
+ * stream.stale_prunes: sessions pruned due to stale connection
+ (sum)
* stream_tcp.client_cleanups: number of times data from server was
flushed when session released (sum)
* stream_tcp.closing: number of sessions currently closing (now)
* stream_udp.released: udp session trackers released (sum)
* stream_udp.sessions: total udp sessions (sum)
* stream_udp.timeouts: udp session timeouts (sum)
+ * stream_udp.total_bytes: total number of bytes processed (sum)
* stream.uni_prunes: uni sessions pruned (sum)
* tcp.bad_tcp4_checksum: nonzero tcp over ip checksums (sum)
* tcp.bad_tcp6_checksum: nonzero tcp over ipv6 checksums (sum)
* 121:12 (http2_inspect) unknown parameter in HTTP/2 settings frame
* 121:13 (http2_inspect) invalid HTTP/2 frame sequence
* 121:14 (http2_inspect) HTTP/2 dynamic table size limit exceeded
+ * 121:15 (http2_inspect) invalid HTTP/2 start line
+ * 121:16 (http2_inspect) HTTP/2 padding length is bigger than frame
+ data size
* 122:1 (port_scan) TCP portscan
* 122:2 (port_scan) TCP decoy portscan
* 122:3 (port_scan) TCP portsweep
* hosts (basic): configure hosts
* http2_decoded_header (ips_option): rule option to set detection
cursor to the decoded HTTP/2 header
- * http2_frame_data (ips_option): rule option to set detection
- cursor to the HTTP/2 frame body
* http2_frame_header (ips_option): rule option to set detection
cursor to the 9-octet HTTP/2 frame header
* http2_inspect (inspector): HTTP/2 inspector
* ips_option::gtp_version: rule option to check GTP version
* ips_option::http2_decoded_header: rule option to set detection
cursor to the decoded HTTP/2 header
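Review bot: http2_frame_data is removed as a rule option in both listings (here and in the ips_option:: section below) with no replacement mentioned. Any rule that uses `http2_frame_data` will fail to load after this change, so the removal needs a changelog entry and, if the HTTP/2 frame body is now reachable through another buffer, a pointer to that buffer so users can migrate their rules.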
- * ips_option::http2_frame_data: rule option to set detection cursor
- to the HTTP/2 frame body
* ips_option::http2_frame_header: rule option to set detection
cursor to the 9-octet HTTP/2 frame header
* ips_option::http_client_body: rule option to set the detection
// //
//-----------------------------------------------//
-#define BUILD_NUMBER 268
+#define BUILD_NUMBER 269
#ifndef EXTRABUILD
#define BUILD STRINGIFY_MX(BUILD_NUMBER)