* In many cases, even in C++, use #define name "value" instead of a
const char* const name = "value" because it will eliminate a symbol from
the binary.
-
+
* Use inline functions instead of macros where possible (pretty much all
cases except where stringification is necessary). Functions offer better
typing, avoid re-expansions, and a debugger can break there.
123:1
-(stream_ip) inconsistent IP options on fragmented packets
+Received inconsistent IP options on fragmented packets
123:2
-(stream_ip) teardrop attack
+Received indicators of a teardrop attack on fragmented packets
123:3
-(stream_ip) short fragment, possible DOS attempt
+Received short fragment, possible DOS attempt (possible boink/bolt/jolt attack). The minimum length
+required to throw this alert is specified by stream_ip.min_frag_length
123:4
-(stream_ip) fragment packet ends after defragmented packet
+Overlap anomaly: fragment packet ends after defragmented packet
123:5
-(stream_ip) zero-byte fragment packet
+Received a zero-byte fragment
123:6
-(stream_ip) bad fragment size, packet size is negative
+Bad fragment size encountered, packet size is negative
123:7
-(stream_ip) bad fragment size, packet size is greater than 65536
+Bad fragment size encountered, packet size is greater than 65536
123:8
-(stream_ip) fragmentation overlap
+Fragmentation results in overlap between segments
123:11
-(stream_ip) TTL value less than configured minimum, not using for reassembly
+TTL value is less than configured minimum, not using for reassembly. Minimum TTL can be configured
+with stream_ip.min_ttl
123:12
-(stream_ip) excessive fragment overlap
+Fragment overlap limit exceeded, event will be raised for all successive fragments. The max fragment
+overlaps that can occur before alerting is configurable by changing stream_ip.max_overlaps
123:13
-(stream_ip) tiny fragment
+Received a tiny fragment (less than minimum fragment length)
124:1
129:1
-(stream_tcp) SYN on established session
+Received a TCP SYN on an already established TCP session
129:2
-(stream_tcp) data on SYN packet
+Data present on SYN packet
129:3
-(stream_tcp) data sent on stream not accepting data
+Data was sent on a stream not accepting data. The stream is in the
+TIME-WAIT, FIN-WAIT, CLOSED, or CLOSE-WAIT state
129:4
-(stream_tcp) TCP timestamp is outside of PAWS window
+The TCP timestamp is outside of PAWS (protection against wrapped sequences) window
129:5
-(stream_tcp) bad segment, adjusted size <= 0 (deprecated)
+Bad segment, adjusted size <= 0 (deprecated)
129:6
-(stream_tcp) window size (after scaling) larger than policy allows
+Window size (after scaling) is larger than policy allows. stream_tcp.max_window can be increased to
+allow for larger window sizes if desired
129:7
-(stream_tcp) limit on number of overlapping TCP packets reached
+Limit on number of overlapping TCP packets per session was reached. stream_tcp.overlap_limit can be increased
+to allow for more overlaps per session, if desired
129:8
-(stream_tcp) data sent on stream after TCP reset sent
+Data was sent on stream after a TCP reset was sent, and the stream is in
+CLOSED state
129:9
-(stream_tcp) TCP client possibly hijacked, different ethernet address
+TCP client is possibly hijacked, MAC addresses on received packets differ from what was originally
+seen on this flow
129:10
-(stream_tcp) TCP server possibly hijacked, different ethernet address
+TCP server is possibly hijacked, MAC addresses on received packets differ from what was originally
+seen on this flow
129:11
-(stream_tcp) TCP data with no TCP flags set
+Received TCP data with no TCP flags set
129:12
-(stream_tcp) consecutive TCP small segments exceeding threshold
+Consecutive TCP small segments exceed the configured threshold. The size required to be a small segment can
+be configured via stream_tcp.small_segments.maximum_size, and the maximum number of these small segments can be configured
+with int stream_tcp.small_segments.count
129:13
129:14
-(stream_tcp) TCP timestamp is missing
+TCP timestamp is missing, which could cause a failure in PAWS checking,
+or RTT calculation
129:15
-(stream_tcp) reset outside window
+TCP reset was requested outside window (bad RST)
129:16
-(stream_tcp) FIN number is greater than prior FIN
+TCP Anomaly: FIN number is greater than prior FIN while the connection
+is in TIME-WAIT
129:17
-(stream_tcp) ACK number is greater than prior FIN
+TCP Anomaly: ACK number is greater than prior FIN while the connection
+is in FIN-WAIT-2
129:18
-(stream_tcp) data sent on stream after TCP reset received
+Data was sent on stream after TCP reset received
129:19
-(stream_tcp) TCP window closed before receiving data
+TCP window was closed before receiving data
129:20
-(stream_tcp) TCP session without 3-way handshake
+The TCP 3-way handshake was not seen for this TCP session
131:1
135:1
-(stream) TCP SYN received
+ A TCP SYN was received
135:2
-(stream) TCP session established
+ A TCP session was established
135:3
-(stream) TCP session cleared
+ A TCP session was cleared
136:1
-(reputation) packets blocked based on source
+The flow was blocked based on the source IP address, since it
+appears on the IP reputation block list. Configure either the discovery filter,
+or the reputation IP lists to change this behavior
136:2
-(reputation) packets trusted based on source
+The flow was trusted based on the source IP address, since it
+appears on the IP reputation trust list. Configure either the discovery filter,
+or the reputation IP lists to change this behavior
136:3
-(reputation) packets monitored based on source
+The flow was monitored based on the source IP address, since it
+appears on the IP reputation monitor list. Configure either the discovery filter,
+or the reputation IP lists to change this behavior
136:4
-(reputation) packets blocked based on destination
+The flow was blocked based on the destination IP address, since it
+appears on the IP reputation block list. If the flow contained proxy traffic,
+the IP address could also be the address of the (inner-layer) proxied connection.
+Configure either the discovery filter, or the reputation IP lists to change this behavior.
136:5
-(reputation) packets trusted based on destination
+The flow was trusted based on the destination IP address, since it
+appears on the IP reputation trust list. If the flow contained proxy traffic,
+the IP address could also be the address of the (inner-layer) proxied connection.
+Configure either the discovery filter, or the reputation IP lists to change this behavior
136:6
-(reputation) packets monitored based on destination
+The flow was monitored (passed to further inspection) based on
+the destination IP address, since it appears on the IP reputation monitor list. If
+the flow contained proxy traffic, the IP address could also be the address of the
+(inner-layer) proxied connection. Configure either the discovery filter, or the reputation IP
+lists to change this behavior
137:1
_The console_. Every line that Snort2Lua is unable to translate from the
Snort 2.X format to the Snort 3 format is considered an error. Upon
exiting, Snort2Lua will print the number of errors that occurred. Snort2Lua
-will also print the name of the error file.
+will also print the name of the error file.
_The output file_. As previously mentioned, Snort2Lua will create a Lua
file with valid Snort 3 syntax. The default Lua file is named snort.lua.
parse the configuration file, neither can Snort2Lua. In the example below,
Snort2Lua could not convert the line 'config bad_option'. Since that is not
valid Snort 2 syntax, this is a syntax error.
-
+
* The Snort 2 configuration file contains preprocessors and rule options
that are not supported in Snort 3. If Snort 2 can parse a line that
Snort2Lua cannot parse, than Snort 3 does not support something in the line.
active.max_responses and active.min_interval.
* Response actions were removed from IPS rule body to the rule action
-in the header. This includes react, reject, and rewrite (split out of
+in the header. This includes react, reject, and rewrite (split out of
replace which now just does the detection part). These IPS actions are
plugins.
==== Configure Active
-Active response is enabled by configuring one of following IPS action
+Active response is enabled by configuring one of following IPS action
plugins:
react = { }
When these active responses are not configured the default configuration
is used.
-Active responses will be performed for reject, react or rewrite IPS rule
-actions, and response packets are encoded based on the triggering packet.
+Active responses will be performed for reject, react or rewrite IPS rule
+actions, and response packets are encoded based on the triggering packet.
TTL will be set to the value captured at session pickup.
-Configure the number of attempts to land a TCP RST within the session's
+Configure the number of attempts to land a TCP RST within the session's
current window (so that it is accepted by the receiving TCP). This
-sequence "strafing" is really only useful in passive mode. In inline mode
-the reset is put straight into the stream in lieu of the triggering packet
+sequence "strafing" is really only useful in passive mode. In inline mode
+the reset is put straight into the stream in lieu of the triggering packet
so strafing is not necessary.
-Each attempt (sent in rapid succession) has a different sequence number.
-Each active response will actually cause this number of TCP resets to be
+Each attempt (sent in rapid succession) has a different sequence number.
+Each active response will actually cause this number of TCP resets to be
sent. TCP data is multiplied similarly. At most 1 ICMP unreachable is sent,
iff attempts > 0.
-
-Device IP will perform network layer injection. It is probably a better
+
+Device IP will perform network layer injection. It is probably a better
choice to specify an interface and avoid kernel routing tables, etc.
-dst_mac will change response destination MAC address, if the device is
-eth0, eth1, eth2 etc. Otherwise, response destination MAC address is
+dst_mac will change response destination MAC address, if the device is
+eth0, eth1, eth2 etc. Otherwise, response destination MAC address is
derived from packet.
Example:
==== Reject
-IPS action reject perform active response to shutdown hostile network
-session by injecting TCP resets (TCP connections) or ICMP unreachable
+IPS action reject perform active response to shutdown hostile network
+session by injecting TCP resets (TCP connections) or ICMP unreachable
packets.
Example:
==== React
-IPS action react enables sending an HTML page on a session and then
+IPS action react enables sending an HTML page on a session and then
resetting it.
The headers used are:
When using react, payload injector must be configured as well.
Also Snort should be in ips mode, so the rule is triggered on the client
packet, and not delayed until the server sends ACK. To achieve this use
-the default normalizer. It will set normalizer.tcp.ips = true.
+the default normalizer. It will set normalizer.tcp.ips = true.
Example:
-
+
react = { page = "my_block_page.html" }
payload_injector = { }
normalizer = { }
-
+
local_rules =
[[
- react http ( msg:"Unauthorized Access Prohibited!"; flow:established,
+ react http ( msg:"Unauthorized Access Prohibited!"; flow:established,
to_server; http_method; content:"GET"; sid:1; )
]]
For example:
Rule that does not require search_engine.detect_raw_tcp=true:
-
+
rewrite udp any any -> any any
(
msg:"TEST 1";
)
Rule that does require search_engine.detect_raw_tcp=true:
-
+
rewrite http any any -> any any
(
msg:"TEST 2";
content:"/content.html";
replace:"/replace.html";
sid:1000002;
- )
\ No newline at end of file
+ )
The rule options byte_test and byte_jump were written to support
-writing rules for protocols that have length encoded data. RPC was
-the protocol that spawned the requirement for these two rule options,
+writing rules for protocols that have length encoded data. RPC was
+the protocol that spawned the requirement for these two rule options,
as RPC uses simple length based encoding for passing data.
-In order to understand why byte test and byte jump are useful, let's
+In order to understand why byte test and byte jump are useful, let's
go through an exploit attempt against the sadmind service.
This is the payload of the exploit:
Let's break this up, describe each of the fields, and figure out how to write a
-rule to catch this exploit.
+rule to catch this exploit.
There are a few things to note with RPC:
However, we know the vulnerability is that sadmind trusts the uid coming from
the client. sadmind runs any request where the client's uid is 0 as root. As
-such, we have decoded enough of the request to write our rule.
+such, we have decoded enough of the request to write our rule.
First, we need to make sure that our packet is an RPC call.
-
+
content:"|00 00 00 00|", offset 4, depth 4;
Then, we need to make sure that our packet is a call to sadmind.
-
+
content:"|00 01 87 88|", offset 12, depth 4;
Then, we need to make sure that our packet is a call to the procedure 1, the
-vulnerable procedure.
-
+vulnerable procedure.
+
content:"|00 00 00 01|", offset 20, depth 4;
-Then, we need to make sure that our packet has auth_unix credentials.
-
+Then, we need to make sure that our packet has auth_unix credentials.
+
content:"|00 00 00 01|", offset 24, depth 4;
We don't care about the hostname, but we want to skip over it and check a
If we do that, we are now at:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- 00 00 00 00
+ 00 00 00 00
which happens to be the exact location of the uid, the value we want to check.
content:"|00 00 00 00|", within 4;
Now that we have all the detection capabilities for our rule, let's put them
-all together.
+all together.
content:"|00 00 00 00|", offset 4, depth 4;
content:"|00 01 87 88|", offset 12, depth 4;
If the sadmind service was vulnerable to a buffer overflow when reading the
client's hostname, instead of reading the length of the hostname and jumping
that many bytes forward, we would check the length of the hostname to make sure
-it is not too large.
+it is not too large.
To do that, we would read 4 bytes, starting 36 bytes into the packet, turn it
into a number, and then make sure it is not too large (let's say bigger than
-200 bytes). In Snort, we do:
+200 bytes). In Snort, we do:
byte_test:4,>,200,36;
-
-Our full rule would be:
+
+Our full rule would be:
content:"|00 00 00 00|", offset 4, depth 4;
content:"|00 01 87 88|", offset 12, depth 4;
This rule option tests a byte field against a specific value (with
-operator). Capable of testing binary values or converting
+operator). Capable of testing binary values or converting
representative byte strings to their binary equivalent and testing them.
-
+
Snort uses the C operators for each of these operators. If the &
-operator is used, then it would be the same as using
+operator is used, then it would be the same as using
[source,c]
if (data & value) { do_something(); }
-'!' operator negates the results from the base check. '!<oper>' is
-considered as
+'!' operator negates the results from the base check. '!<oper>' is
+considered as
[source,c]
!(data <oper> value)
Note:
The bitmask option applies bitwise AND operator on the bytes
converted. The result will be right-shifted by the number of bits
-equal to the number of trailing zeros in the mask.
+equal to the number of trailing zeros in the mask.
This applies for the other rule options as well.
-
+
===== Examples
alert tcp (byte_test:2, =, 568, 0, bitmask 0x3FF0;)
-This example extracts 2 bytes at offset 0, performs bitwise and with
-bitmask 0x3FF0, shifts the result by 4 bits and compares to 568.
+This example extracts 2 bytes at offset 0, performs bitwise and with
+bitmask 0x3FF0, shifts the result by 4 bits and compares to 568.
- alert udp (byte_test:4, =, 1234, 0, string, dec;
+ alert udp (byte_test:4, =, 1234, 0, string, dec;
msg:"got 1234!";)
-
- alert udp (byte_test:8, =, 0xdeadbeef, 0, string, hex;
+
+ alert udp (byte_test:8, =, 0xdeadbeef, 0, string, hex;
msg:"got DEADBEEF!";)
==== Overview
-The following transports are supported for DCE/RPC: SMB, TCP, and UDP.
-New rule options have been implemented to improve performance, reduce false
+The following transports are supported for DCE/RPC: SMB, TCP, and UDP.
+New rule options have been implemented to improve performance, reduce false
positives and reduce the count and complexity of DCE/RPC based rules.
Different from Snort 2, the DCE-RPC preprocessor is split into three inspectors
- - one for each transport: dce_smb, dce_tcp, dce_udp. This includes the
+ - one for each transport: dce_smb, dce_tcp, dce_udp. This includes the
configuration as well as the inspector modules. The Snort 2 server configuration
-is now split between the inspectors. Options that are meaningful to all
-inspectors, such as policy and defragmentation, are copied into each inspector
-configuration. The address/port mapping is handled by the binder. Autodetect
+is now split between the inspectors. Options that are meaningful to all
+inspectors, such as policy and defragmentation, are copied into each inspector
+configuration. The address/port mapping is handled by the binder. Autodetect
functionality is replaced by wizard curses.
==== Quick Guide
A typical dcerpce configuration looks like this:
binder =
- {
+ {
{
when =
{
},
}
}
-
+
dce_smb = { }
dce_tcp = { }
-
+
dce_udp = { }
-
+
In this example, it defines smb, tcp and udp inspectors based on port. All the
configurations are default.
a target based approach has been implemented. Some important differences:
* Named pipe instance tracking
-* Accepted SMB commands
+* Accepted SMB commands
* AndX command chaining
* Transaction tracking
* Multiple Bind requests
* DCE/RPC Fragmented requests - Operation number
* DCE/RPC Stub data byte order
-Because of those differences, each inspector can be configured to different
+Because of those differences, each inspector can be configured to different
policy. Here are the list of policies supported:
* WinXP (default)
-* Win2000
+* Win2000
* WinVista
* Win2003
* Win2008
==== Reassembling
-Both SMB inspector and TCP inspector support reassemble. Reassemble threshold
-specifies a minimum number of bytes in the DCE/RPC desegmentation and
-defragmentation buffers before creating a reassembly packet to send to the
-detection engine. This option is useful in inline mode so as to potentially
+Both SMB inspector and TCP inspector support reassemble. Reassemble threshold
+specifies a minimum number of bytes in the DCE/RPC desegmentation and
+defragmentation buffers before creating a reassembly packet to send to the
+detection engine. This option is useful in inline mode so as to potentially
catch an exploit early before full defragmentation is done. A value of 0 s
-supplied as an argument to this option will, in effect, disable this option.
+supplied as an argument to this option will, in effect, disable this option.
Default is disabled.
-
+
==== SMB
-SMB inspector is one of the most complex inspectors. In addition to supporting
-rule options and lots of inspector rule events, it also supports file
+SMB inspector is one of the most complex inspectors. In addition to supporting
+rule options and lots of inspector rule events, it also supports file
processing for both SMB version 1, 2, and 3.
===== Finger Print Policy
-In the initial phase of an SMB session, the client needs to authenticate with a
-SessionSetupAndX. Both the request and response to this command contain OS and
+In the initial phase of an SMB session, the client needs to authenticate with a
+SessionSetupAndX. Both the request and response to this command contain OS and
version information that can allow the inspector to dynamically set the policy
-for a session which allows for better protection against Windows and Samba
+for a session which allows for better protection against Windows and Samba
specific evasions.
-
+
===== File Inspection
-SMB inspector supports file inspection. A typical configuration looks like this:
-
+SMB inspector supports file inspection. A typical configuration looks like this:
+
binder =
{
{
smb_file_depth = 0,
}
- file_id =
+ file_id =
{
enable_type = true,
enable_signature = true,
enable_capture = true,
file_rules = magics,
}
-
+
First, define a binder to map tcp port 139 and 445 to smb. Then, enable file
inspection in smb inspection and set the file depth as unlimited. Lastly, enable
file inspector to inspect file type, calculate file signature, and capture file.
SMB inspector does inspection of normal SMB file transfers. This includes doing
file type and signature through the file processing as well as setting a pointer
for the "file_data" rule option. Note that the "file_depth" option only applies
-to the maximum amount of file data for which it will set the pointer for the
-"file_data" rule option. For file type and signature it will use the value
+to the maximum amount of file data for which it will set the pointer for the
+"file_data" rule option. For file type and signature it will use the value
configured for the file API. If "only" is specified, the inspector will only
-do SMB file inspection, i.e. it will not do any DCE/RPC tracking or inspection.
-If "on" is specified with no arguments, the default file depth is 16384 bytes.
+do SMB file inspection, i.e. it will not do any DCE/RPC tracking or inspection.
+If "on" is specified with no arguments, the default file depth is 16384 bytes.
An argument of -1 to "file-depth" disables setting the pointer for "file_data",
effectively disabling SMB file inspection in rules. An argument of 0 to
"file_depth" means unlimited. Default is "off", i.e. no SMB file inspection is
- done in the inspector.
-
+ done in the inspector.
+
==== TCP
-dce_tcp inspector supports defragmentation, reassembling, and policy that is
+dce_tcp inspector supports defragmentation, reassembling, and policy that is
similar to SMB.
==== UDP
specify evaluating on all fragments.
Examples:
-
+
dce_iface: 4b324fc8-1670-01d3-1278-5a47bf6ee188;
dce_iface: 4b324fc8-1670-01d3-1278-5a47bf6ee188,<2;
dce_iface: 4b324fc8-1670-01d3-1278-5a47bf6ee188,any_frag;
off the wire from a little endian Bind request:
|f8 91 7b 5a 00 ff d0 11 a9 b2 00 c0 4f b6 e6 fc|
-
+
must be written as:
5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc
-
+
The same UUID taken off the wire from a big endian Bind request:
|5a 7b 91 f8 ff 00 11 d0 a9 b2 00 c0 4f b6 e6 fc|
-
+
must be written the same way:
5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc
dce_opnum: 15-18;
dce_opnum: 15,18-20;
dce_opnum: 15,17,20-22;
-
+
This option is used to specify an opnum (or operation number), opnum range or
list containing either or both opnum and/or opnum-range. The opnum of a
DCE/RPC request will be matched against the opnums specified with this option.
-With the volume of malware transferred through network increasing,
-network file inspection becomes more and more important. This feature
-will provide file type identification, file signature creation, and file
-capture capabilities to help users deal with those challenges.
+With the volume of malware transferred through network increasing,
+network file inspection becomes more and more important. This feature
+will provide file type identification, file signature creation, and file
+capture capabilities to help users deal with those challenges.
==== Overview
There are two parts of file services: file APIs and file policy.
-File APIs provides all the file inspection functionalities, such as file
-type identification, file signature calculation, and file capture.
+File APIs provides all the file inspection functionalities, such as file
+type identification, file signature calculation, and file capture.
File policy provides users ability to control file services, such
-as enable/disable/configure file type identification, file signature, or
-file capture.
+as enable/disable/configure file type identification, file signature, or
+file capture.
In addition to all capabilities from Snort 2, we support customized file
policy along with file event log.
A typical file configuration looks like this:
dofile('magic.lua')
-
- my_file_policy =
+
+ my_file_policy =
{
- { when = { file_type_id = 0 }, use = { verdict = 'log', enable_file_signature = true, enable_file_capture = true } }
+ { when = { file_type_id = 0 }, use = { verdict = 'log', enable_file_signature = true, enable_file_capture = true } }
{ when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_signature = true } },
{ when = { sha256 = "F74DC976BC8387E7D4FC0716A069017A0C7ED13F309A523CC41A8739CCB7D4B6" }, use = { verdict = 'block'} },
}
-
- file_id =
+
+ file_id =
{
enable_type = true,
enable_signature = true,
file_policy = my_file_policy,
}
- file_log =
- {
- log_pkt_time = true,
+ file_log =
+ {
+ log_pkt_time = true,
log_sys_time = false,
}
There are 3 steps to enable file processing:
-
+
* First, you need to include the file magic rules.
* Then, define the file policy and configure the inspector
* At last, enable file_log to get detailed information about file event
-
+
==== Pre-packaged File Magic Rules
A set of file magic rules is packaged with Snort. They can be located at
{ type = "GIF", id = 63, category = "Graphics", rev = 1,
magic = { { content = "| 47 49 46 38 39 61 |",offset = 0 } } },
-The previous two rules define GIF format, because two file magics are
+The previous two rules define GIF format, because two file magics are
different. File magics are specified by content and offset, which look
at content at particular file offset to identify the file type. In this
case, two magics look at the beginning of the file. You can use character
==== File Policy
-You can enabled file type, file signature, or file capture by configuring
-file_id. In addition, you can enable trace to see file stream data, file
+You can enabled file type, file signature, or file capture by configuring
+file_id. In addition, you can enable trace to see file stream data, file
type, and file signature information.
-Most importantly, you can configure a file policy that can block/alert
-some file type or an individual file based on SHA. This allows you
+Most importantly, you can configure a file policy that can block/alert
+some file type or an individual file based on SHA. This allows you
build a file blacklist or whitelist.
Example:
- file_policy =
+ file_policy =
{
{ when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_signature = true } },
{ when = { sha256 = "F74DC976BC8387E7D4FC0716A069017A0C7ED13F309A523CC41A8739CCB7D4B6" }, use = { verdict = 'block'} },
- { when = { file_type_id = 0 }, use = { verdict = 'log', enable_file_signature = true, enable_file_capture = true } }
+ { when = { file_type_id = 0 }, use = { verdict = 'log', enable_file_signature = true, enable_file_capture = true } }
}
In this example, it enables this policy:
* For PDF files, they will be logged with signatures.
* For the file matching this SHA, it will be blocked
-* For all file types identified, they will be logged with signature, and
+* For all file types identified, they will be logged with signature, and
also captured onto log folder.
==== File Capture
File can be captured and stored to log folder. We use SHA as file name
-instead of actual file name to avoid conflicts. You can capture either
+instead of actual file name to avoid conflicts. You can capture either
all files, some file type, or a particular file based on SHA.
You can enable file capture through this config:
enable_capture = true,
-
+
or enable it for some file or file type in your file policy:
{ when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_capture = true } },
-
+
The above rule will enable PDF file capture.
-
+
==== File Events
-File inspect preprocessor also works as a dynamic output plugin for file
+File inspect preprocessor also works as a dynamic output plugin for file
events. It logs basic information about file. The log file is in the same
folder as other log files with name starting with "file.log".
Example:
file_log = { log_pkt_time = true, log_sys_time = false }
-
+
All file events will be logged in packet time, system time is not logged.
-
+
File event example:
- 08/14-19:14:19.100891 10.22.75.72:33734 -> 10.22.75.36:80,
- [Name: "malware.exe"] [Verdict: Block] [Type: MSEXE]
- [SHA: 6F26E721FDB1AAFD29B41BCF90196DEE3A5412550615A856DAE8E3634BCE9F7A]
- [Size: 1039328]
-
+ 08/14-19:14:19.100891 10.22.75.72:33734 -> 10.22.75.36:80,
+ [Name: "malware.exe"] [Verdict: Block] [Type: MSEXE]
+ [SHA: 6F26E721FDB1AAFD29B41BCF90196DEE3A5412550615A856DAE8E3634BCE9F7A]
+ [Size: 1039328]
+
==== Overview
-IEC 60870-5-104 (iec104) is a protocol distributed by the International
+IEC 60870-5-104 (iec104) is a protocol distributed by the International
Electrotechnical Commission (IEC) that provides a standardized method of
-sending telecontrol messages between central stations and outstations,
+sending telecontrol messages between central stations and outstations,
typically running on TCP port 2404.
-It is used in combination with the companion specifications in the
+It is used in combination with the companion specifications in the
IEC 60870-5 family, most notably IEC 60870-5-101, to provide reliable
-transport via TCP/IP.
+transport via TCP/IP.
-An iec104 Application Protocol Data Unit (APDU) consists of one of three
+An iec104 Application Protocol Data Unit (APDU) consists of one of three
Application Protocol Control Information (APCI) structures, each beginning
with the start byte 0x68. In the case of an Information Transfer APCI, an
Application Service Data Unit (ASDU) follows the APCI.
The iec104 inspector decodes the iec104 protocol and provides rule options
-to access certain protocol fields and data content. This allows the user to
-write rules for iec104 packets without decoding the protocol.
+to access certain protocol fields and data content. This allows the user to
+write rules for iec104 packets without decoding the protocol.
==== Configuration
A typical iec104 configuration looks like this:
binder =
- {
- {
- when =
- {
- proto = 'tcp',
- ports = '2404'
- },
- use =
- {
- type = 'iec104'
- },
+ {
+ {
+ when =
+ {
+ proto = 'tcp',
+ ports = '2404'
+ },
+ use =
+ {
+ type = 'iec104'
+ },
},
}
-
+
iec104 = { }
In this example, the tcp inspector is defined based on port. All
trace =
{
- modules =
- {
- iec104 =
- {
- all = 1
- }
+ modules =
+ {
+ iec104 =
+ {
+ all = 1
+ }
}
}
Determining the APCI type of an iec104 message involves checking the state
of one to two bits in the message's first control field octet. This can
be completed with a `byte_test` in a plaintext rule, however it adds unnecessary
-complexity to the rule. Since most rules inspecting iec104 traffic will target
-APCI Type I messages, this option was created to alleviate the need to manually
-check the type and subsequently reduce the complexity of the rule.
+complexity to the rule. Since most rules inspecting iec104 traffic will target
+APCI Type I messages, this option was created to alleviate the need to manually
+check the type and subsequently reduce the complexity of the rule.
This option takes one argument with three acceptable configurations.
This option is used to verify that the message being processed is of the
specified type. The argument passed to this rule option can be specified
in one of three ways: the full type name, the lowercase type abbreviation,
-or the uppercase type abbreviation.
+or the uppercase type abbreviation.
===== iec104_asdu_func
Determining the ASDU function of an iec104 message can be completed with a
-plaintext rule that checks a single byte in the message, however it also
+plaintext rule that checks a single byte in the message, however it also
requires verifying that the message's APCI is of Type I. Since a rule writer
-may not necessarily know that this additional check must be made, this
+may not necessarily know that this additional check must be made, this
option was created to simplify the process of verifying the function type
and subsequently reduce the complexity of the rule.
iec104_asdu_func:m_ps_na_1;
This option is used to verify that the message being processed is using
-the specified ASDU function. The argument passed to this rule option can
-be specified in one of two ways: the uppercase function name, or the
+the specified ASDU function. The argument passed to this rule option can
+be specified in one of two ways: the uppercase function name, or the
lowercase function name.
Note that you can do similar things with other tools like tcpdump or
Wireshark however these commands are very useful when you want to check
-your Snort setup.
+your Snort setup.
The examples above use the default pcap DAQ. Snort supports non-pcap
interfaces as well via the DAQ (data acquisition) library. Other DAQs
* There is no way to explicitly configure a full path to avoid issues with
multiple packet threads.
-
+
* All text mode outputs default to stdout
==== Performance Statistics
A module to detect port scanning
-==== Overview
+==== Overview
This module is designed to detect the first phase in a network attack:
Reconnaissance. In the Reconnaissance phase, an attacker determines
These alerts are for one to many portsweeps. One host scans a single
port on multiple hosts. This usually occurs when a new exploit comes out
-and the attacker is looking for a specific service.
+and the attacker is looking for a specific service.
NOTE: The characteristics of a portsweep scan may not result in many
negative responses. For example, if an attacker portsweeps a web farm
Each of these default levels have separate options that can be edited
to alter the scan sensitivity levels (scans, rejects, nets or ports)
-Example:
+Example:
....
port_scan = default_low_port_scan
....
The example above would change each of the individual settings to 1.
-NOTE:The default levels for scans, rejects, nets and ports can be
+NOTE:The default levels for scans, rejects, nets and ports can be
seen in the snort_defaults.lua file.
The counts can be seen in the alert outputs (-Acmg shown below):
It's important to correctly set these options. The watch_ip option
is easy to understand. The analyst should set this option to the
list of CIDR blocks and IPs that they want to watch. If no
-watch_ip is defined, Portscan will watch all network traffic.
+watch_ip is defined, Portscan will watch all network traffic.
The ignore_scanners and ignore_scanned options come into play in
weeding out legitimate hosts that are very active on your network.
Some of the most common examples are NAT IPs, DNS cache servers,
ignore_scanners option. If the host is generating portscan alerts
(and is the host that is being scanned), add it to the
ignore_scanned option.
-
+
Filtered scan alerts are much more prone to false positives.
When determining false positives, the alert type is very important.
Most of the false positives that Portscan may generate are of the
active during the time period in question. If the host continually
generates these types of alerts, add it to the ignore_scanners list
or use a lower sensitivity level.
-
-Make use of the Priority Count, Connection Count, IP Count,
+
+Make use of the Priority Count, Connection Count, IP Count,
Port Count, IP range, and Port range to determine false positives.
The portscan alert details are vital in determining the scope of a
portscan and also the confidence of the portscan. In the future,
simple ratio estimations. The following is a list of ratios to
estimate and the associated values that indicate a legitimate scan
and not a false positive.
-
+
Connection Count / IP Count: This ratio indicates an estimated
average of connections per IP. For portscans, this ratio should be
high, the higher the better. For portsweeps, this ratio should be
low.
-
+
Port Count / IP Count: This ratio indicates an estimated average
of ports connected to per IP. For portscans, this ratio should be
high and indicates that the scanned host's ports were connected to
by fewer IPs. For portsweeps, this ratio should be low, indicating
that the scanning host connected to few ports but on many hosts.
-
+
Connection Count / Port Count: This ratio indicates an estimated
average of connections per port. For portscans, this ratio should
be low. This indicates that each connection was to a different
port. For portsweeps, this ratio should be high. This indicates
that there were many connections to the same port.
-
+
The reason that Priority Count is not included, is because the
priority count is included in the connection count and the above
comparisons take that into consideration. The Priority Count play
Dump TCP stream payload in hext mode:
snort -c $my_path/etc/snort/snort.lua -L hext
-
+
Output timestamp, pkt_num, proto, pkt_gen, dgm_len, dir, src_ap, dst_ap,
rule, action for each alert:
snort --shell -j 12345 <args>
-The command line interface is still under development. Suggestions are
+The command line interface is still under development. Suggestions are
welcome.
}
bool load_in_sandbox = true;
-
+
if ( lua_sandbox.empty() )
load_in_sandbox = false;
else if ( !load_lua_sandbox() )
return;
static THREAD_LOCAL bool entered = false;
-
+
if ( entered )
return;
}
static inline int ssh_client_sm(AppIdDiscoveryArgs& args, ClientSSHData* fd)
-{
+{
const char *pattern_begin;
const char *pattern_end;
uint8_t d;
{
return APPID_EINVALID;
}
-
-
+
+
pattern_begin = strchr((const char*)(fd->proto_string + SSH_CLIENT_BANNER_MAXPOS + 1), '-');
if (pattern_begin != nullptr)
{
{
return APPID_EINVALID;
}
-
+
pattern_end = strpbrk(pattern_begin, "_-");
if (pattern_end != nullptr)
{
size_t pattern_len = (size_t)(pattern_end - pattern_begin);
string pattern(pattern_begin, pattern_len);
SshPatternMatchers& table = args.asd.get_odp_ctxt().get_ssh_matchers();
-
+
if (table.has_pattern(pattern))
{
fd->client_id = table.get_appid(pattern);
{
fd->client_id = APP_ID_SSH;
}
- fd->pos = 0;
+ fd->pos = 0;
return APPID_INPROCESS;
}
fd->oldhstate = SSH1_HEADER_BEGIN;
fd->proto_string_done = false;
}
-
+
uint16_t offset = 0;
if (!(fd->proto_string_done))
{
const uint8_t *line_end = (const uint8_t *)memchr(args.data, '\n', args.size);
size_t append_len;
- if (line_end != nullptr)
+ if (line_end != nullptr)
{
append_len = (size_t)(line_end - args.data + 1);
fd->proto_string_done = true;
{
ip = p->ptrs.ip_api.get_dst();
}
-
+
sfip_ntop(ip, addr, sizeof(addr));
PacketTracer::daq_log("SI-IP+%" PRId64"+%s list id %u+Matched ip %s, action %s$",
- TO_NSECS(pt_timer->get()),
- (TRUSTED_SRC == decision or TRUSTED_DST == decision)?"Do_not_block":"Block",
+ TO_NSECS(pt_timer->get()),
+ (TRUSTED_SRC == decision or TRUSTED_DST == decision)?"Do_not_block":"Block",
p->iplist_id, addr, to_string(decision));
}
int result = Stream::set_snort_protocol_id_expected(p, PktType::TCP,
IpProtocol::TCP, p->ptrs.ip_api.get_dst() , 0 ,p->ptrs.ip_api.get_src(),
p->flow->server_port , snort_protocol_id_smb, fd, false, true);
-
+
if (result < 0)
{
SMB_DEBUG(dce_smb_trace, DEFAULT_TRACE_OPTION_ID, TRACE_CRITICAL_LEVEL, GET_CURRENT_PACKET,
// Check header length
if (data_len < sizeof(NbssHdr) + SMB2_HEADER_LENGTH)
{
- SMB_DEBUG(dce_smb_trace, DEFAULT_TRACE_OPTION_ID, TRACE_CRITICAL_LEVEL,
+ SMB_DEBUG(dce_smb_trace, DEFAULT_TRACE_OPTION_ID, TRACE_CRITICAL_LEVEL,
p, "Header error with data length %d\n",data_len);
dce2_smb_stats.v2_hdr_err++;
return;
{
dce_alert(GID_DCE2, DCE2_SMB_BAD_NEXT_COMMAND_OFFSET,
(dce2CommonStats*)&dce2_smb_stats, sd);
- SMB_DEBUG(dce_smb_trace, DEFAULT_TRACE_OPTION_ID,
+ SMB_DEBUG(dce_smb_trace, DEFAULT_TRACE_OPTION_ID,
TRACE_ERROR_LEVEL, p, "bad next command offset\n");
dce2_smb_stats.v2_bad_next_cmd_offset++;
return;
if (compound_request_index > get_smb_max_compound())
{
dce2_smb_stats.v2_cmpnd_req_lt_crossed++;
- SMB_DEBUG(dce_smb_trace, DEFAULT_TRACE_OPTION_ID,
+ SMB_DEBUG(dce_smb_trace, DEFAULT_TRACE_OPTION_ID,
TRACE_INFO_LEVEL, p, "compound request limit"
" reached %" PRIu8 "\n",compound_request_index);
return;
Http2Stream* stream)
{
Http2Frame* frame = nullptr;
-
+
// FIXIT-E call the appropriate frame subclass constructor based on the type
switch(session_data->frame_type[source_id])
{
}
}
}
-
+
start_line_length = method.length() + uri_len + http_version_length +
num_request_line_extra_chars;
start_line_buffer = new uint8_t[start_line_length];
-
- // Method
+
+ // Method
memcpy(start_line_buffer, method.start(), method.length());
bytes_written += method.length();
memcpy(start_line_buffer + bytes_written, " ", 1);
uint8_t get_flags_mask() const override
{ return Http2Enums::FLAG_ACK; }
-
+
bool bad_frame = false;
};
// Skip frame header
if (session_data->read_frame_header[source_id])
{
-
+
const uint32_t remaining_frame_header = FRAME_HEADER_LENGTH -
session_data->frame_header_offset[source_id];
const uint32_t octets_to_skip = remaining_frame_header > len - data_offset ?
num_flush = length;
else
num_flush = flow_target - octets_seen;
-
+
total_octets_scanned += num_flush;
if (num_flush == length)
return SCAN_FOUND;
{
const bool need_accelerated_blocking = accelerated_blocking && dangerous(data, length);
if (need_accelerated_blocking)
- HttpModule::increment_peg_counts(PEG_SCRIPT_DETECTION);
+ HttpModule::increment_peg_counts(PEG_SCRIPT_DETECTION);
return need_accelerated_blocking;
}
header_norms[id]->normalize(id, count, infractions, events,
header_name_id, header_value, num_headers, norm, comma_separated_raw);
}
-
+
return norm;
}
int32_t count;
const HttpEnums::HeaderId id;
-private:
+private:
// Header normalization strategies. There should be one defined for every different way we can
// process a header field value.
class HeaderNormalizer;
Field norm;
Field comma_separated_raw;
};
-
+
#endif
DetectionEngine::queue_event(GID_IEC104, IEC104_RESERVED_QOC);
}
- if (se >= 2)
+ if (se >= 2)
{
// error indicating that parsing couldn't finish
}
uint32_t parseIec104Vsq(const Iec104ApciI* apci)
{
// number of elements == 0 is caught in check apdu
-
+
uint32_t informationObjectSubgroupSize = 0;
// determine the size of the current message type group
- switch(apci->asdu.typeId)
+ switch(apci->asdu.typeId)
{
- case IEC104_ASDU_M_SP_NA_1:
+ case IEC104_ASDU_M_SP_NA_1:
{
informationObjectSubgroupSize = sizeof(Iec104M_SP_NA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_M_SP_TA_1:
+ case IEC104_ASDU_M_SP_TA_1:
{
informationObjectSubgroupSize = sizeof(Iec104M_SP_TA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_M_DP_NA_1:
+ case IEC104_ASDU_M_DP_NA_1:
{
informationObjectSubgroupSize = sizeof(Iec104M_DP_NA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_M_DP_TA_1:
+ case IEC104_ASDU_M_DP_TA_1:
{
informationObjectSubgroupSize = sizeof(Iec104M_DP_TA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_M_ST_NA_1:
+ case IEC104_ASDU_M_ST_NA_1:
{
informationObjectSubgroupSize = sizeof(Iec104M_ST_NA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_M_ST_TA_1:
+ case IEC104_ASDU_M_ST_TA_1:
{
informationObjectSubgroupSize = sizeof(Iec104M_ST_TA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_M_BO_NA_1:
+ case IEC104_ASDU_M_BO_NA_1:
{
informationObjectSubgroupSize = sizeof(Iec104M_BO_NA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_M_BO_TA_1:
+ case IEC104_ASDU_M_BO_TA_1:
{
informationObjectSubgroupSize = sizeof(Iec104M_BO_TA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_M_ME_NA_1:
+ case IEC104_ASDU_M_ME_NA_1:
{
informationObjectSubgroupSize = sizeof(Iec104M_ME_NA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_M_ME_TA_1:
+ case IEC104_ASDU_M_ME_TA_1:
{
informationObjectSubgroupSize = sizeof(Iec104M_ME_TA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_M_ME_NB_1:
+ case IEC104_ASDU_M_ME_NB_1:
{
informationObjectSubgroupSize = sizeof(Iec104M_ME_NB_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_M_ME_TB_1:
+ case IEC104_ASDU_M_ME_TB_1:
{
informationObjectSubgroupSize = sizeof(Iec104M_ME_TB_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_M_ME_NC_1:
+ case IEC104_ASDU_M_ME_NC_1:
{
informationObjectSubgroupSize = sizeof(Iec104M_ME_NC_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_M_ME_TC_1:
+ case IEC104_ASDU_M_ME_TC_1:
{
informationObjectSubgroupSize = sizeof(Iec104M_ME_TC_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_M_IT_NA_1:
+ case IEC104_ASDU_M_IT_NA_1:
{
informationObjectSubgroupSize = sizeof(Iec104M_IT_NA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_M_IT_TA_1:
+ case IEC104_ASDU_M_IT_TA_1:
{
informationObjectSubgroupSize = sizeof(Iec104M_IT_TA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_M_EP_TA_1:
+ case IEC104_ASDU_M_EP_TA_1:
{
informationObjectSubgroupSize = sizeof(Iec104M_EP_TA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_M_EP_TB_1:
+ case IEC104_ASDU_M_EP_TB_1:
{
informationObjectSubgroupSize = sizeof(Iec104M_EP_TB_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_M_EP_TC_1:
+ case IEC104_ASDU_M_EP_TC_1:
{
informationObjectSubgroupSize = sizeof(Iec104M_EP_TC_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_M_PS_NA_1:
+ case IEC104_ASDU_M_PS_NA_1:
{
informationObjectSubgroupSize = sizeof(Iec104M_PS_NA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_M_ME_ND_1:
+ case IEC104_ASDU_M_ME_ND_1:
{
informationObjectSubgroupSize = sizeof(Iec104M_ME_ND_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_M_SP_TB_1:
+ case IEC104_ASDU_M_SP_TB_1:
{
informationObjectSubgroupSize = sizeof(Iec104M_SP_TB_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_M_DP_TB_1:
+ case IEC104_ASDU_M_DP_TB_1:
{
informationObjectSubgroupSize = sizeof(Iec104M_DP_TB_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_M_ST_TB_1:
+ case IEC104_ASDU_M_ST_TB_1:
{
informationObjectSubgroupSize = sizeof(Iec104M_ST_TB_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_M_BO_TB_1:
+ case IEC104_ASDU_M_BO_TB_1:
{
informationObjectSubgroupSize = sizeof(Iec104M_BO_TB_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_M_ME_TD_1:
+ case IEC104_ASDU_M_ME_TD_1:
{
informationObjectSubgroupSize = sizeof(Iec104M_ME_TD_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_M_ME_TE_1:
+ case IEC104_ASDU_M_ME_TE_1:
{
informationObjectSubgroupSize = sizeof(Iec104M_ME_TE_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_M_ME_TF_1:
+ case IEC104_ASDU_M_ME_TF_1:
{
informationObjectSubgroupSize = sizeof(Iec104M_ME_TF_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_M_IT_TB_1:
+ case IEC104_ASDU_M_IT_TB_1:
{
informationObjectSubgroupSize = sizeof(Iec104M_IT_TB_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_M_EP_TD_1:
+ case IEC104_ASDU_M_EP_TD_1:
{
informationObjectSubgroupSize = sizeof(Iec104M_EP_TD_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_M_EP_TE_1:
+ case IEC104_ASDU_M_EP_TE_1:
{
informationObjectSubgroupSize = sizeof(Iec104M_EP_TE_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_M_EP_TF_1:
+ case IEC104_ASDU_M_EP_TF_1:
{
informationObjectSubgroupSize = sizeof(Iec104M_EP_TF_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_C_SC_NA_1:
+ case IEC104_ASDU_C_SC_NA_1:
{
informationObjectSubgroupSize = sizeof(Iec104C_SC_NA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_C_DC_NA_1:
+ case IEC104_ASDU_C_DC_NA_1:
{
informationObjectSubgroupSize = sizeof(Iec104C_DC_NA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_C_RC_NA_1:
+ case IEC104_ASDU_C_RC_NA_1:
{
informationObjectSubgroupSize = sizeof(Iec104C_RC_NA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_C_SE_NA_1:
+ case IEC104_ASDU_C_SE_NA_1:
{
informationObjectSubgroupSize = sizeof(Iec104C_SE_NA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_C_SE_NB_1:
+ case IEC104_ASDU_C_SE_NB_1:
{
informationObjectSubgroupSize = sizeof(Iec104C_SE_NB_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_C_SE_NC_1:
+ case IEC104_ASDU_C_SE_NC_1:
{
informationObjectSubgroupSize = sizeof(Iec104C_SE_NC_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_C_BO_NA_1:
+ case IEC104_ASDU_C_BO_NA_1:
{
informationObjectSubgroupSize = sizeof(Iec104C_BO_NA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_C_SC_TA_1:
+ case IEC104_ASDU_C_SC_TA_1:
{
informationObjectSubgroupSize = sizeof(Iec104C_SC_TA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_C_DC_TA_1:
+ case IEC104_ASDU_C_DC_TA_1:
{
informationObjectSubgroupSize = sizeof(Iec104C_DC_TA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_C_RC_TA_1:
+ case IEC104_ASDU_C_RC_TA_1:
{
informationObjectSubgroupSize = sizeof(Iec104C_RC_TA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_C_SE_TA_1:
+ case IEC104_ASDU_C_SE_TA_1:
{
informationObjectSubgroupSize = sizeof(Iec104C_SE_TA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_C_SE_TB_1:
+ case IEC104_ASDU_C_SE_TB_1:
{
informationObjectSubgroupSize = sizeof(Iec104C_SE_TB_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_C_SE_TC_1:
+ case IEC104_ASDU_C_SE_TC_1:
{
informationObjectSubgroupSize = sizeof(Iec104C_SE_TC_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_C_BO_TA_1:
+ case IEC104_ASDU_C_BO_TA_1:
{
informationObjectSubgroupSize = sizeof(Iec104C_BO_TA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_M_EI_NA_1:
+ case IEC104_ASDU_M_EI_NA_1:
{
informationObjectSubgroupSize = sizeof(Iec104M_EI_NA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_C_IC_NA_1:
+ case IEC104_ASDU_C_IC_NA_1:
{
informationObjectSubgroupSize = sizeof(Iec104C_IC_NA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_C_CI_NA_1:
+ case IEC104_ASDU_C_CI_NA_1:
{
informationObjectSubgroupSize = sizeof(Iec104C_CI_NA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_C_RD_NA_1:
+ case IEC104_ASDU_C_RD_NA_1:
{
informationObjectSubgroupSize = sizeof(Iec104C_RD_NA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_C_CS_NA_1:
+ case IEC104_ASDU_C_CS_NA_1:
{
informationObjectSubgroupSize = sizeof(Iec104C_CS_NA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_C_TS_NA_1:
+ case IEC104_ASDU_C_TS_NA_1:
{
informationObjectSubgroupSize = sizeof(Iec104C_TS_NA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_C_RP_NA_1:
+ case IEC104_ASDU_C_RP_NA_1:
{
informationObjectSubgroupSize = sizeof(Iec104C_RP_NA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_C_CD_NA_1:
+ case IEC104_ASDU_C_CD_NA_1:
{
informationObjectSubgroupSize = sizeof(Iec104C_CD_NA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_C_TS_TA_1:
+ case IEC104_ASDU_C_TS_TA_1:
{
informationObjectSubgroupSize = sizeof(Iec104C_TS_TA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_P_ME_NA_1:
+ case IEC104_ASDU_P_ME_NA_1:
{
informationObjectSubgroupSize = sizeof(Iec104P_ME_NA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_P_ME_NB_1:
+ case IEC104_ASDU_P_ME_NB_1:
{
informationObjectSubgroupSize = sizeof(Iec104P_ME_NB_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_P_ME_NC_1:
+ case IEC104_ASDU_P_ME_NC_1:
{
informationObjectSubgroupSize = sizeof(Iec104P_ME_NC_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_P_AC_NA_1:
+ case IEC104_ASDU_P_AC_NA_1:
{
informationObjectSubgroupSize = sizeof(Iec104P_AC_NA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_F_FR_NA_1:
+ case IEC104_ASDU_F_FR_NA_1:
{
informationObjectSubgroupSize = sizeof(Iec104F_FR_NA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_F_SR_NA_1:
+ case IEC104_ASDU_F_SR_NA_1:
{
informationObjectSubgroupSize = sizeof(Iec104F_SR_NA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_F_SC_NA_1:
+ case IEC104_ASDU_F_SC_NA_1:
{
informationObjectSubgroupSize = sizeof(Iec104F_SC_NA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_F_LS_NA_1:
+ case IEC104_ASDU_F_LS_NA_1:
{
informationObjectSubgroupSize = sizeof(Iec104F_LS_NA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_F_AF_NA_1:
+ case IEC104_ASDU_F_AF_NA_1:
{
informationObjectSubgroupSize = sizeof(Iec104F_AF_NA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_F_SG_NA_1:
+ case IEC104_ASDU_F_SG_NA_1:
{
informationObjectSubgroupSize = sizeof(Iec104F_SG_NA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_F_DR_TA_1:
+ case IEC104_ASDU_F_DR_TA_1:
{
informationObjectSubgroupSize = sizeof(Iec104F_DR_TA_1_IO_Subgroup);
break;
}
- case IEC104_ASDU_F_SC_NB_1:
+ case IEC104_ASDU_F_SC_NB_1:
{
informationObjectSubgroupSize = sizeof(Iec104F_SC_NB_1_IO_Subgroup);
break;
// * divide the result of the earlier calculation by this group size to get the maximum allowable groups without overflowing
uint8_t maxNumberOfElements = 0;
- if (informationObjectSubgroupSize)
+ if (informationObjectSubgroupSize)
{
uint32_t reported_msg_len = apci->header.length;
- if (reported_msg_len >= IEC104_APCI_TYPE_I_MIN_LEN) {
- if (apci->asdu.variableStructureQualifier.sq == 0)
+ if (reported_msg_len >= IEC104_APCI_TYPE_I_MIN_LEN) {
+ if (apci->asdu.variableStructureQualifier.sq == 0)
{
uint32_t informationObjectGroupSize = informationObjectSubgroupSize + sizeof(const Iec104InformationObjectAddressThreeOctetType);
maxNumberOfElements = (reported_msg_len
- sizeof(uint8_t) // type id
- - sizeof(const Iec104VariableStructureQualifierType)
+ - sizeof(const Iec104VariableStructureQualifierType)
- sizeof(const Iec104CauseOfTransmissionType)
- sizeof(const Iec104CommonAddressOfAsduType)
) / informationObjectGroupSize;
- }
- else
+ }
+ else
{
- maxNumberOfElements = (reported_msg_len
+ maxNumberOfElements = (reported_msg_len
- sizeof(uint8_t) // type id
- - sizeof(const Iec104VariableStructureQualifierType)
+ - sizeof(const Iec104VariableStructureQualifierType)
- sizeof(const Iec104CauseOfTransmissionType)
- sizeof(const Iec104CommonAddressOfAsduType)
- sizeof(const Iec104InformationObjectAddressThreeOctetType)
}
uint32_t verifiedNumberOfElements = apci->asdu.variableStructureQualifier.numberOfElements;
- if (verifiedNumberOfElements > 0 and verifiedNumberOfElements <= maxNumberOfElements)
+ if (verifiedNumberOfElements > 0 and verifiedNumberOfElements <= maxNumberOfElements)
{
// do nothing
- }
- else
+ }
+ else
{
verifiedNumberOfElements = 0;
DetectionEngine::queue_event(GID_IEC104, IEC104_APCII_INVALID_NUM_ELEMENTS_VALUE);
{
// no alerts are needed here as they are processed in checkIec104Asdu
- if (!apci)
+ if (!apci)
{
// error indicating that parsing couldn't finish
- }
+ }
}
void parseIec104TwoOctetCommonAddress(const Iec104ApciI* apci)
{
// Nothing worth alerting on here
- if (!ioa)
+ if (!ioa)
{
// error indicating that parsing couldn't finish
}
{
// Nothing worth alerting on here
- if (!vti)
+ if (!vti)
{
// error indicating that parsing couldn't finish
}
{
// Nothing worth alerting on here
- if (!sva)
+ if (!sva)
{
// error indicating that parsing couldn't finish
}
{
// Nothing worth alerting on here
- if (!bcr)
+ if (!bcr)
{
// error indicating that parsing couldn't finish
}
{
// Nothing worth alerting on here
- if (!bsi)
+ if (!bsi)
{
// error indicating that parsing couldn't finish
}
// CP56Time2a Day of Month set outside of the allowable range for 30-day months
DetectionEngine::queue_event(GID_IEC104, IEC104_INVALID_DAY_OF_MONTH);
}
-
+
}// months with 31 days cannot be over as the type isn't large enough
- }
- else
+ }
+ else
{
// error indicating that parsing couldn't finish
}
{
// Nothing worth alerting on directly here
- if (!nof)
+ if (!nof)
{
// error indicating that parsing couldn't finish
}
{
// Nothing worth alerting on directly here
- if (!nos)
+ if (!nos)
{
// error indicating that parsing couldn't finish
}
void parseIec104Lof(const Iec104LofType* lof)
{
// maybe a rule checking if length of file is greater than amount of data
- // It appears that the length field here is an indicator for other messages actually containing the
- // file data so detection may be better via plaintext rules with flowbits if desired
+ // It appears that the length field here is an indicator for other messages actually containing the
+ // file data so detection may be better via plaintext rules with flowbits if desired
- if (!lof)
+ if (!lof)
{
// error indicating that parsing couldn't finish
- }
+ }
}
// LOS: Length of Segment Structure
{
// Nothing worth alerting on directly here
- if (!chs)
+ if (!chs)
{
// error indicating that parsing couldn't finish
}
{
// Nothing worth alerting on directly here
- if (!scd)
+ if (!scd)
{
// error indicating that parsing couldn't finish
}
{
// Nothing worth alerting on directly here
- if (!tsc)
+ if (!tsc)
{
// error indicating that parsing couldn't finish
}
{
// Nothing worth alerting on directly here
- if (!segment)
+ if (!segment)
{
// error indicating that parsing couldn't finish
}
}
// Analyzes POP packets for anomalies/exploits.
-
+
static void snort_pop(POP_PROTO_CONF* config, Packet* p)
{
/* Attempt to get a previously allocated POP block. */
* TCP State Machine - this class is the engine that dispatches processing to the correct
event handling method of the handler for the current TCP state of the flow.
-
+
The TCP session module implements the following functions:
* TCP segment normalization. Variations in handling normalization are
of ProtocolHA, declared in the stream/base area. Thus each protocol
within 'stream' can have specific HA logic and interfaces.
-TcpHAManager::process_deletion() is called when an TCP stream is being
+TcpHAManager::process_deletion() is called when an TCP stream is being
destroyed and indicates to the stream & flow HA logic that a flow
deletion HA message needs to be emitted for the flow in question.
Tcp streams are both closed internally (e.g. FIN) and externally due
to cache timeout or pruning. The calls to TcpHAManager::process_deletion()
-in tcp/tcp_session.cc indicate a normal closure of a stream/flow.
+in tcp/tcp_session.cc indicate a normal closure of a stream/flow.
TcpHA::create_session() is called from the stream & flow HA logic and
handles the creation of new flow upon receiving an HA update message.
-TcpHA::deactivate_session() is called from the stream & flow HA logic to
-place a session into standby mode. Upon receiving an HA Update message,
+TcpHA::deactivate_session() is called from the stream & flow HA logic to
+place a session into standby mode. Upon receiving an HA Update message,
the flow is first created if necessary, and is then placed into Standby
state. deactivate_session() sets the TCP specific state for Standby mode.
projects / thirdparty / snort3.git / commitdiff
