The Snort Team
Revision History
-Revision 3.1.11.0 2021-08-26 11:41:00 EDT TST
+Revision 3.1.12.0 2021-09-08 07:41:47 EDT TST
---------------------------------------------------------------------
7.52. http_raw_body
7.53. http_raw_cookie
7.54. http_raw_header
- 7.55. http_raw_header_complete
- 7.56. http_raw_request
- 7.57. http_raw_status
- 7.58. http_raw_trailer
- 7.59. http_raw_uri
- 7.60. http_stat_code
- 7.61. http_stat_msg
- 7.62. http_trailer
- 7.63. http_true_ip
- 7.64. http_uri
- 7.65. http_version
- 7.66. icmp_id
- 7.67. icmp_seq
- 7.68. icode
- 7.69. id
- 7.70. iec104_apci_type
- 7.71. iec104_asdu_func
- 7.72. ip_proto
- 7.73. ipopts
- 7.74. isdataat
- 7.75. itype
- 7.76. md5
- 7.77. metadata
- 7.78. modbus_data
- 7.79. modbus_func
- 7.80. modbus_unit
- 7.81. msg
- 7.82. mss
- 7.83. pcre
- 7.84. pkt_data
- 7.85. pkt_num
- 7.86. priority
- 7.87. raw_data
- 7.88. reference
- 7.89. regex
- 7.90. rem
- 7.91. replace
- 7.92. rev
- 7.93. rpc
- 7.94. s7commplus_content
- 7.95. s7commplus_func
- 7.96. s7commplus_opcode
- 7.97. script_data
- 7.98. sd_pattern
- 7.99. seq
- 7.100. service
- 7.101. sha256
- 7.102. sha512
- 7.103. sid
- 7.104. sip_body
- 7.105. sip_header
- 7.106. sip_method
- 7.107. sip_stat_code
- 7.108. so
- 7.109. soid
- 7.110. ssl_state
- 7.111. ssl_version
- 7.112. stream_reassemble
- 7.113. stream_size
- 7.114. tag
- 7.115. target
- 7.116. tos
- 7.117. ttl
- 7.118. urg
- 7.119. window
- 7.120. wscale
+ 7.55. http_raw_request
+ 7.56. http_raw_status
+ 7.57. http_raw_trailer
+ 7.58. http_raw_uri
+ 7.59. http_stat_code
+ 7.60. http_stat_msg
+ 7.61. http_trailer
+ 7.62. http_true_ip
+ 7.63. http_uri
+ 7.64. http_version
+ 7.65. icmp_id
+ 7.66. icmp_seq
+ 7.67. icode
+ 7.68. id
+ 7.69. iec104_apci_type
+ 7.70. iec104_asdu_func
+ 7.71. ip_proto
+ 7.72. ipopts
+ 7.73. isdataat
+ 7.74. itype
+ 7.75. md5
+ 7.76. metadata
+ 7.77. modbus_data
+ 7.78. modbus_func
+ 7.79. modbus_unit
+ 7.80. msg
+ 7.81. mss
+ 7.82. pcre
+ 7.83. pkt_data
+ 7.84. pkt_num
+ 7.85. priority
+ 7.86. raw_data
+ 7.87. reference
+ 7.88. regex
+ 7.89. rem
+ 7.90. replace
+ 7.91. rev
+ 7.92. rpc
+ 7.93. s7commplus_content
+ 7.94. s7commplus_func
+ 7.95. s7commplus_opcode
+ 7.96. script_data
+ 7.97. sd_pattern
+ 7.98. seq
+ 7.99. service
+ 7.100. sha256
+ 7.101. sha512
+ 7.102. sid
+ 7.103. sip_body
+ 7.104. sip_header
+ 7.105. sip_method
+ 7.106. sip_stat_code
+ 7.107. so
+ 7.108. soid
+ 7.109. ssl_state
+ 7.110. ssl_version
+ 7.111. stream_reassemble
+ 7.112. stream_size
+ 7.113. tag
+ 7.114. target
+ 7.115. tos
+ 7.116. ttl
+ 7.117. urg
+ 7.118. window
+ 7.119. wscale
8. Search Engine Modules
9. SO Rule Modules
* int trace.modules.dce_smb.all: enable all trace options { 0:255 }
* int trace.modules.dpx.all: enable all trace options { 0:255 }
* int trace.modules.file_id.all: enable all trace options { 0:255 }
+ * int trace.modules.http_inspect.all: enable all trace options {
+ 0:255 }
+ * int trace.modules.http_inspect.js_proc: enable JavaScript
+ processing logging { 0:255 }
+ * int trace.modules.http_inspect.js_dump: enable JavaScript data
+ logging { 0:255 }
* int trace.modules.snort.all: enable all trace options { 0:255 }
* int trace.modules.snort.inspector_manager: enable inspector
manager trace logging { 0:255 }
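Review bot: The three new http_inspect entries break the sorted order of this list: js_proc is placed before js_dump here, while the same three options appear further down in the order all, js_dump, js_proc, which is the alphabetical order every other entry in these listings follows. That suggests this copy was edited by hand rather than regenerated from the module help output; regenerate it so the two listings agree. A second, smaller point: 'enable JavaScript data logging' does not tell the reader that the data being logged is script content taken from the inspected HTTP body, which is exactly what an operator needs to know before leaving this trace enabled outside a debugging session.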
after given seconds from start up; -1 tracks all { -1:max31 }
* bool stream_tcp.show_rebuilt_packets = false: enable cmg like
output of reassembled packets
- * int stream_tcp.queue_limit.max_bytes = 1048576: don’t queue more
- than given bytes per session and direction { 0:max32 }
- * int stream_tcp.queue_limit.max_segments = 2621: don’t queue more
- than given segments per session and direction { 0:max32 }
+ * int stream_tcp.queue_limit.max_bytes = 4194304: don’t queue more
+ than given bytes per session and direction, 0 = unlimited {
+ 0:max32 }
+ * int stream_tcp.queue_limit.max_segments = 3072: don’t queue more
+ than given segments per session and direction, 0 = unlimited {
+ 0:max32 }
* int stream_tcp.small_segments.count = 0: number of consecutive
TCP small segments considered to be excessive (129:12) { 0:2048 }
* int stream_tcp.small_segments.maximum_size = 0: minimum bytes for
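Review bot: The new '0 = unlimited' wording documents a setting that removes the per-flow queue cap entirely, and the hunk should say what that means and what the raised defaults cost. max_bytes goes from 1048576 to 4194304, so the worst case per session and direction is now 4 MiB of held segments, and a peer that deliberately leaves a sequence gap open forces the sensor to hold that much for every flow it controls; with 0 the only thing standing between that peer and the sensor's memory is whatever other stream_tcp limit applies. Suggest adding one sentence after each option along the lines of 'Setting this to 0 disables the per-flow cap; queued memory is then bounded only by ...' with the actual bound filled in, plus a pointer to the stream_tcp.max_segs and stream_tcp.max_bytes pegs added in this release, since those are how an operator sizes these limits for real traffic instead of guessing.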
service inspector (sum)
* stream_tcp.partial_fallbacks: count of fallbacks from assigned
service stream splitter (sum)
+ * stream_tcp.max_segs: maximum number of segments queued in any
+ flow (max)
+ * stream_tcp.max_bytes: maximum number of bytes queued in any flow
+ (max)
5.50. stream_udp
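Review bot: The help text for the two new pegs should state whether the maximum is per flow or per flow and direction, because the queue_limit options they exist to be compared against are defined 'per session and direction' in the config hunk above. As written, a reader seeing stream_tcp.max_bytes reach 4194304 cannot tell whether one direction hit the default cap or the two directions together used half of it. Suggest 'maximum number of bytes queued in any flow direction (max)' if the counter is per direction, or an explicit 'both directions summed' if it is not, whichever matches the implementation; the same applies to max_segs.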
HTTP message trailers
-7.55. http_raw_header_complete
-
---------------
-
-Help: rule option to set the detection cursor to the unnormalized
-headers including cookies
-
-Type: ips_option
-
-Usage: detect
-
-Configuration:
-
- * implied http_raw_header_complete.request: match against the
- headers from the request message even when examining the response
- * implied http_raw_header_complete.with_header: this rule is
- limited to examining HTTP message headers
- * implied http_raw_header_complete.with_body: parts of this rule
- examine HTTP message body
- * implied http_raw_header_complete.with_trailer: parts of this rule
- examine HTTP message trailers
-
-
-7.56. http_raw_request
+7.55. http_raw_request
--------------
HTTP message trailers
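Review bot: This hunk deletes a documented rule option outright, and nothing else in the diff tells rule authors what to do about it; a rule that still uses http_raw_header_complete will fail to load on 3.1.12.0, so the manual (or at least the release notes) needs one sentence of migration guidance. The deleted text itself makes the replacement clear: the option was http_raw_header plus the Cookie and Set-Cookie headers, and the rewritten 5.10.5.2 text implies http_raw_header now carries those headers too. Suggest: 'http_raw_header_complete has been removed; use http_raw_header, which now includes the cookie headers. The request, with_header, with_body and with_trailer modifiers are unchanged.' Stating that explicitly also answers the obvious follow-up question, whether the per-field form of http_raw_header can be used for the cookie headers, which the new text leaves open.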
-7.57. http_raw_status
+7.56. http_raw_status
--------------
HTTP message trailers
-7.58. http_raw_trailer
+7.57. http_raw_trailer
--------------
HTTP response message body (must be combined with request)
-7.59. http_raw_uri
+7.58. http_raw_uri
--------------
URI only
-7.60. http_stat_code
+7.59. http_stat_code
--------------
HTTP message trailers
-7.61. http_stat_msg
+7.60. http_stat_msg
--------------
HTTP message trailers
-7.62. http_trailer
+7.61. http_trailer
--------------
message body (must be combined with request)
-7.63. http_true_ip
+7.62. http_true_ip
--------------
HTTP message trailers
-7.64. http_uri
+7.63. http_uri
--------------
only
-7.65. http_version
+7.64. http_version
--------------
HTTP message trailers
-7.66. icmp_id
+7.65. icmp_id
--------------
0:65535 }
-7.67. icmp_seq
+7.66. icmp_seq
--------------
given range { 0:65535 }
-7.68. icode
+7.67. icode
--------------
0:255 }
-7.69. id
+7.68. id
--------------
}
-7.70. iec104_apci_type
+7.69. iec104_apci_type
--------------
* string iec104_apci_type.~: APCI type to match
-7.71. iec104_asdu_func
+7.70. iec104_asdu_func
--------------
* string iec104_asdu_func.~: function code to match
-7.72. ip_proto
+7.71. ip_proto
--------------
* string ip_proto.~proto: [!|>|<] name or number
-7.73. ipopts
+7.72. ipopts
--------------
lsrre|ssrr|satid|any }
-7.74. isdataat
+7.73. isdataat
--------------
buffer
-7.75. itype
+7.74. itype
--------------
0:255 }
-7.76. md5
+7.75. md5
--------------
of buffer
-7.77. metadata
+7.76. metadata
--------------
pairs
-7.78. modbus_data
+7.77. modbus_data
--------------
Usage: detect
-7.79. modbus_func
+7.78. modbus_func
--------------
* string modbus_func.~: function code to match
-7.80. modbus_unit
+7.79. modbus_unit
--------------
* int modbus_unit.~: Modbus unit ID { 0:255 }
-7.81. msg
+7.80. msg
--------------
* string msg.~: message describing rule
-7.82. mss
+7.81. mss
--------------
}
-7.83. pcre
+7.82. pcre
--------------
* pcre.pcre_negated: total pcre rules using negation syntax (sum)
-7.84. pkt_data
+7.83. pkt_data
--------------
Usage: detect
-7.85. pkt_num
+7.84. pkt_num
--------------
{ 1: }
-7.86. priority
+7.85. priority
--------------
1:max31 }
-7.87. raw_data
+7.86. raw_data
--------------
Usage: detect
-7.88. reference
+7.87. reference
--------------
* string reference.~ref: reference: <scheme>,<id>
-7.89. regex
+7.88. regex
--------------
instead of start of buffer
-7.90. rem
+7.89. rem
--------------
* string rem.~: comment
-7.91. replace
+7.90. replace
--------------
* string replace.~: byte code to replace with
-7.92. rev
+7.91. rev
--------------
* int rev.~: revision { 1:max32 }
-7.93. rpc
+7.92. rpc
--------------
* string rpc.~proc: procedure number or * for any
-7.94. s7commplus_content
+7.93. s7commplus_content
--------------
Usage: detect
-7.95. s7commplus_func
+7.94. s7commplus_func
--------------
* string s7commplus_func.~: function code to match
-7.96. s7commplus_opcode
+7.95. s7commplus_opcode
--------------
* string s7commplus_opcode.~: opcode code to match
-7.97. script_data
+7.96. script_data
--------------
Usage: detect
-7.98. sd_pattern
+7.97. sd_pattern
--------------
* sd_pattern.terminated: hyperscan terminated (sum)
-7.99. seq
+7.98. seq
--------------
range { 0: }
-7.100. service
+7.99. service
--------------
* string service.*: one or more comma-separated service names
-7.101. sha256
+7.100. sha256
--------------
start of buffer
-7.102. sha512
+7.101. sha512
--------------
start of buffer
-7.103. sid
+7.102. sid
--------------
* int sid.~: signature id { 1:max32 }
-7.104. sip_body
+7.103. sip_body
--------------
Usage: detect
-7.105. sip_header
+7.104. sip_header
--------------
Usage: detect
-7.106. sip_method
+7.105. sip_method
--------------
* string sip_method.*method: sip method
-7.107. sip_stat_code
+7.106. sip_stat_code
--------------
* int sip_stat_code.*code: status code { 1:999 }
-7.108. so
+7.107. so
--------------
buffer
-7.109. soid
+7.108. soid
--------------
like 3_45678_9
-7.110. ssl_state
+7.109. ssl_state
--------------
unknown
-7.111. ssl_version
+7.110. ssl_version
--------------
tls1.2
-7.112. stream_reassemble
+7.111. stream_reassemble
--------------
remainder of the session
-7.113. stream_size
+7.112. stream_size
--------------
direction(s) { either|to_server|to_client|both }
-7.114. tag
+7.113. tag
--------------
* int tag.bytes: tag for this many bytes { 1:max32 }
-7.115. target
+7.114. target
--------------
dst_ip }
-7.116. tos
+7.115. tos
--------------
* interval tos.~range: check if IP TOS is in given range { 0:255 }
-7.117. ttl
+7.116. ttl
--------------
0:255 }
-7.118. urg
+7.117. urg
--------------
{ 0:65535 }
-7.119. window
+7.118. window
--------------
range { 0:65535 }
-7.120. wscale
+7.119. wscale
--------------
examining HTTP message headers
* implied http_raw_cookie.with_trailer: parts of this rule examine
HTTP message trailers
- * implied http_raw_header_complete.request: match against the
- headers from the request message even when examining the response
- * implied http_raw_header_complete.with_body: parts of this rule
- examine HTTP message body
- * implied http_raw_header_complete.with_header: this rule is
- limited to examining HTTP message headers
- * implied http_raw_header_complete.with_trailer: parts of this rule
- examine HTTP message trailers
* string http_raw_header.field: restrict to given header. Header
name is case insensitive.
* implied http_raw_header.request: match against the headers from
characteristics like reassembly { first | last | linux |
old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 |
windows | win_2003 | vista | proxy }
- * int stream_tcp.queue_limit.max_bytes = 1048576: don’t queue more
- than given bytes per session and direction { 0:max32 }
- * int stream_tcp.queue_limit.max_segments = 2621: don’t queue more
- than given segments per session and direction { 0:max32 }
+ * int stream_tcp.queue_limit.max_bytes = 4194304: don’t queue more
+ than given bytes per session and direction, 0 = unlimited {
+ 0:max32 }
+ * int stream_tcp.queue_limit.max_segments = 3072: don’t queue more
+ than given segments per session and direction, 0 = unlimited {
+ 0:max32 }
* bool stream_tcp.reassemble_async = true: queue data for
reassembly before traffic is seen in both directions
* int stream_tcp.require_3whs = -1: don’t track midstream sessions
* int trace.modules.dce_smb.all: enable all trace options { 0:255 }
* int trace.modules.dpx.all: enable all trace options { 0:255 }
* int trace.modules.file_id.all: enable all trace options { 0:255 }
+ * int trace.modules.http_inspect.all: enable all trace options {
+ 0:255 }
+ * int trace.modules.http_inspect.js_dump: enable JavaScript data
+ logging { 0:255 }
+ * int trace.modules.http_inspect.js_proc: enable JavaScript
+ processing logging { 0:255 }
* int trace.modules.snort.all: enable all trace options { 0:255 }
* int trace.modules.snort.inspector_manager: enable inspector
manager trace logging { 0:255 }
number (sum)
* stream_tcp.invalid_seq_num: tcp packets received with an invalid
sequence number (sum)
+ * stream_tcp.max_bytes: maximum number of bytes queued in any flow
+ (max)
* stream_tcp.max: max tcp sessions (max)
* stream_tcp.max_packets_held: maximum number of packets held
simultaneously (max)
+ * stream_tcp.max_segs: maximum number of segments queued in any
+ flow (max)
* stream_tcp.memory: current memory in use (now)
* stream_tcp.meta_acks: number of meta acks processed (sum)
* stream_tcp.no_flags_set: tcp packets received with no TCP flags
cursor to the unnormalized cookie
* http_raw_header (ips_option): rule option to set the detection
cursor to the unnormalized headers
- * http_raw_header_complete (ips_option): rule option to set the
- detection cursor to the unnormalized headers including cookies
* http_raw_request (ips_option): rule option to set the detection
cursor to the unnormalized request line
* http_raw_status (ips_option): rule option to set the detection
cursor to the unnormalized cookie
* ips_option::http_raw_header: rule option to set the detection
cursor to the unnormalized headers
- * ips_option::http_raw_header_complete: rule option to set the
- detection cursor to the unnormalized headers including cookies
* ips_option::http_raw_request: rule option to set the detection
cursor to the unnormalized request line
* ips_option::http_raw_status: rule option to set the detection
The Snort Team
Revision History
-Revision 3.1.11.0 2021-08-26 11:40:49 EDT TST
+Revision 3.1.12.0 2021-09-08 07:41:38 EDT TST
---------------------------------------------------------------------
any early client-to-server traffic, but will continue normal HTTP
processing of the flow regardless of the eventual server response.
-5.10.4. Detection rules
+5.10.4. Trace messages
+
+When a user needs help to sort out things going on inside HTTP
+inspector, Trace module becomes handy.
+
+$ snort --help-module trace | grep http_inspect
+
+Messages for the enhanced JavaScript Normalizer follow (more
+verbosity available in debug build):
+
+5.10.4.1. trace.module.http_inspect.js_proc
+
+Messages from script processing flow and their verbosity levels:
+
+ 1. Script opening tag location.
+ 2. Attributes of the detected script.
+ 3. Return codes from Normalizer.
+
+5.10.4.2. trace.module.http_inspect.js_dump
+
+Script data dump and verbosity levels:
+
+ 1. script_data buffer as it is passed to detection.
+ 2. Current script in normalized form.
+ 3. Current script as it is passed to Normalizer.
+
+5.10.5. Detection rules
http_inspect parses HTTP messages into their components and makes
them available to the detection engine through rule options. Let’s
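Review bot: The new subsection headings name the options 'trace.module.http_inspect.js_proc' and 'trace.module.http_inspect.js_dump', but the parameters added in the config listings are 'trace.modules.http_inspect.js_proc' and 'trace.modules.http_inspect.js_dump'; a reader who copies the heading into snort.lua gets a rejected key, so the headings should say 'modules'. Two further points in the same hunk. First, both options accept { 0:255 } while the text defines only levels 1 to 3, so say what 0 and values above 3 do (the 'more verbosity available in debug build' remark suggests higher levels are only meaningful there, which should be stated rather than implied). Second, js_dump level 3 writes the current script 'as it is passed to Normalizer', that is, attacker-supplied content lifted from the inspected HTTP body, into the trace log; one sentence noting that this is a debugging aid and that the log will contain raw payload, possibly including sensitive data, would stop it being left on in production. Finally, 'When a user needs help to sort out things going on inside HTTP inspector, Trace module becomes handy' reads awkwardly; 'The trace module is useful when you need to see what http_inspect is doing internally' says the same thing.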
In addition to the headers there are rule options for virtually every
part of the HTTP message.
-5.10.4.1. http_uri and http_raw_uri
+5.10.5.1. http_uri and http_raw_uri
These provide the URI of the request message. The raw form is exactly
as it appeared in the message and the normalized form is determined
Nothing here is intended to conflict with the technical language of
the HTTP RFCs and the implementation follows the RFCs.
-5.10.4.2. http_header, http_raw_header, and http_raw_header_complete
+5.10.5.2. http_header and http_raw_header
These cover all the header lines except the first one. You may
specify an individual header by name using the field option as shown
With http_header the individual header value is normalized in a way
that is appropriate for that header.
-Specifying an individual header is not available for
-http_raw_header_complete, use http_raw_header instead.
-
If you don’t specify a header you get all of the headers.
-http_raw_header_complete includes cookie headers Cookie and
-Set-Cookie. http_header and http_raw_header don’t. http_raw_header
-and http_raw_header_complete include the unmodified header names and
-values as they appeared in the original message. http_header is the
-same except percent encodings are removed and paths are simplified
+http_raw_header includes the unmodified header names and values as
+they appeared in the original message. http_header is the same except
+percent encodings and cookies are removed and paths are simplified
exactly as if the headers were a URI.
In most cases specifying individual headers creates a more efficient
and accurate rule. It is recommended that new rules be written using
individual headers whenever possible.
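Review bot: The rewritten paragraph changes what it says about http_raw_header without announcing the change. The deleted text stated that 'http_header and http_raw_header don't' include Cookie and Set-Cookie; the new text describes http_header as http_raw_header 'except percent encodings and cookies are removed', which is only true if http_raw_header now does include the cookie headers. If that is the intended behavior (it is what makes http_raw_header_complete redundant), say so in one direct sentence, because rules written on the assumption that http_raw_header never sees cookie content will start matching on it after this release. The new sentence also blurs two different things: leaving the cookie headers out of a buffer is a selection rule, not a normalization. Suggest splitting it: 'http_raw_header contains every header, Cookie and Set-Cookie included, with names and values exactly as they appeared in the message. http_header omits Cookie and Set-Cookie and normalizes the remaining headers (percent encodings decoded, paths simplified) exactly as if they were a URI.'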
-5.10.4.3. http_trailer and http_raw_trailer
+5.10.5.3. http_trailer and http_raw_trailer
HTTP permits header lines to appear after a chunked body ends.
Typically they contain information about the message content that was
rule to inspect both kinds of headers you need to write two rules,
one using header and one using trailer.
-5.10.4.4. http_cookie and http_raw_cookie
+5.10.5.4. http_cookie and http_raw_cookie
These provide the value of the Cookie header for a request message
and the Set-Cookie for a response message. If multiple cookies are
Normalization for http_cookie is the same URI-style normalization
applied to http_header when no specific header is specified.
-5.10.4.5. http_true_ip
+5.10.5.5. http_true_ip
This provides the original IP address of the client sending the
request as it was stored by a proxy in the request message headers.
multiple headers are present the preference defined in xff_headers
configuration is considered.
-5.10.4.6. http_client_body
+5.10.5.6. http_client_body
This is the body of a request message such as POST or PUT.
Normalization for http_client_body is the same URI-like normalization
applied to http_header when no specific header is specified.
-5.10.4.7. http_raw_body
+5.10.5.7. http_raw_body
This is the body of a request or response message. It will be
dechunked and unzipped if applicable but will not be normalized in
any other way.
-5.10.4.8. http_method
+5.10.5.8. http_method
The method field of a request message. Common values are "GET",
"POST", "OPTIONS", "HEAD", "DELETE", "PUT", "TRACE", and "CONNECT".
-5.10.4.9. http_stat_code
+5.10.5.9. http_stat_code
The status code field of a response message. This is normally a
3-digit number between 100 and 599. In this example it is 200.
HTTP/1.1 200 OK
-5.10.4.10. http_stat_msg
+5.10.5.10. http_stat_msg
The reason phrase field of a response message. This is the
human-readable text following the status code. "OK" in the previous
example.
-5.10.4.11. http_version
+5.10.5.11. http_version
The protocol version information that appears on the first line of an
HTTP message. This is usually "HTTP/1.0" or "HTTP/1.1".
-5.10.4.12. http_raw_request and http_raw_status
+5.10.5.12. http_raw_request and http_raw_status
These are the unmodified first header line of the HTTP request and
response messages respectively. These rule options are a safety valve
http_raw_uri, and http_version. For a response message those are
http_version, http_stat_code, and http_stat_msg.
-5.10.4.13. file_data
+5.10.5.13. file_data
The file_data contains the normalized message body. This is the
normalization described above under gzip, normalize_utf,
decompress_pdf, decompress_swf, and normalize_javascript.
-5.10.4.14. script_data
+5.10.5.14. script_data
The script_data contains normalized JavaScript text collected from
the whole PDU (inline or external scripts). It requires the Enhanced
script_data has, file_data still contains the whole HTTP body with an
original JavaScript in it.
-5.10.5. Timing issues and combining rule options
+5.10.6. Timing issues and combining rule options
HTTP inspector is stateful. That means it is aware of a bigger
picture than the packet in front of it. It knows what all the pieces