The Snort Team
Revision History
-Revision 3.1.42.0 2022-09-22 15:40:10 EDT TST
+Revision 3.1.43.0 2022-10-05 15:21:03 EDT TST
---------------------------------------------------------------------
* bool http_inspect.request_body_app_detection = true: make HTTP/2
request message bodies available for application detection
(detection requires AppId)
+ * string http_inspect.allowed_methods: list of allowed methods
+ * string http_inspect.disallowed_methods: list of disallowed
+ methods
Rules:
* 119:286 (http_inspect) HTTP/2 preface received instead of an HTTP
/1 method
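Review bot: the two new configuration entries read as independent settings, but they are not; each entry should state that it is mutually exclusive with the other and that setting both is a configuration error, as the manual section for this release says. The entries also give no value syntax; add it here (a comma-separated string of method tokens, matching the manual's allowed_methods = "GET,PUT,BLUE" example) and note that methods on either list count as known methods and therefore suppress 119:31, since that interaction is the part an operator tuning unknown-method alerts will trip over.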
+ * 119:287 (http_inspect) HTTP request method is not on allowed
+ methods list or is on disallowed methods list
Peg counts:
examining HTTP message headers
* implied http_header.with_trailer: parts of this rule examine HTTP
message trailers
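Review bot: the new 119:287 message folds two different conditions into one alert ("not on allowed methods list or is on disallowed methods list"). Because the two lists cannot both be configured, the event alone does not tell an analyst which list was in effect; the rule entry should say that the active option decides the meaning. It should also spell out how this relates to 119:31 (unknown method): with allowed_methods set, a method that is neither on the list nor otherwise known raises both 119:287 and 119:31, whereas with disallowed_methods set such a method is implicitly allowed and raises only 119:31. Without that sentence the presence or absence of a paired 119:31 looks inconsistent.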
+ * string http_inspect.allowed_methods: list of allowed methods
* bool http_inspect.backslash_to_slash = true: replace \ with /
when normalizing URIs
* bit_list http_inspect.bad_characters: alert when any of specified
Visual Basic for Applications macro files in response bodies
* bool http_inspect.decompress_zip = false: decompress zip files in
response bodies
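Review bot: "string http_inspect.allowed_methods: list of allowed methods" gives no format for the string. This reference is alphabetical, so the entry sits well away from disallowed_methods and from the prose section, and should carry its own constraints: comma-separated method names, cannot be combined with disallowed_methods, and when set any request whose method is not on the list raises 119:287. Suggest "comma-separated list of allowed methods; any other method raises 119:287; mutually exclusive with disallowed_methods".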
+ * string http_inspect.disallowed_methods: list of disallowed
+ methods
* string http_inspect.ignore_unreserved: do not alert when the
specified unreserved characters are percent-encoded in a
URI.Unreserved characters are 0-9, a-z, A-Z, period, underscore,
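Review bot: disallowed_methods is the weaker of the two controls and the entry should say so. Per the manual text in this same change, any method not on the disallowed list is implicitly allowed, so this is a deny list that does not fail closed against new or unusual methods, while allowed_methods does. Suggest "comma-separated list of disallowed methods; any other method is allowed; mutually exclusive with allowed_methods" so that someone reading only the reference does not assume the two options are symmetric.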
HTTP/2 preface received instead of an HTTP/1 method
+119:287 (http_inspect) HTTP request method is not on allowed methods
+list or is on disallowed methods list
+
+HTTP request method is not on allowed methods list or is on
+disallowed methods list.
+
121:1 (http2_inspect) invalid flag set on HTTP/2 frame
Invalid flag set on HTTP/2 frame header
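Review bot: the description paragraph added for 119:287 repeats the rule message verbatim and adds nothing. It should name the options that enable the check (http_inspect.allowed_methods and http_inspect.disallowed_methods), state that the check is inactive unless one of them is configured, and explain that membership on either list also makes a method "known" for 119:31, so the reader understands why 119:31 may or may not accompany this alert. As written, an operator who sees 119:287 has to go find the configuration chapter to learn that the alert is entirely policy-driven rather than evidence of malformed traffic.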
The Snort Team
Revision History
-Revision 3.1.42.0 2022-09-22 15:40:33 EDT TST
+Revision 3.1.43.0 2022-10-05 15:21:24 EDT TST
---------------------------------------------------------------------
These limits have no effect on how much data is forwarded to file
processing.
-5.10.3.2. script_detection
+5.10.3.2. allowed_methods and disallowed_methods
+
+When either of these options are set, HTTP inspector will check if
+the method in the HTTP request is allowed and if not raise alert
+119:287. You can either define a list of allowed methods or a list of
+disallowed methods. Defining both is a configuration error. When a
+list of disallowed methods is defined, any method not present on that
+list is implicitly allowed. Methods on either of these lists are
+considered known methods and will not raise alert 119:31. For example
+if configured for:
+
+allowed_methods = "GET,PUT,BLUE"
+
+HTTP inspector will raise 119:287 for POST and RED, no alert 119:31
+will be raised for BLUE, and 119:31 will be raised for RED. If
+configured for
+
+disallowed_methods = "POST,RED"
+
+HTTP inspector will raise 119:287 for POST and RED, 119:31 for BLUE,
+and no alert 119:31 will be raised for RED.
+
+5.10.3.3. script_detection
Script detection is a feature that enables Snort to more quickly
detect and block response messages containing malicious JavaScript.
This feature is off by default. script_detection = true will activate
it.
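Review bot: three gaps in the new allowed_methods and disallowed_methods section. First, the value syntax is only implied by the example; say explicitly that the value is a comma-separated string of method tokens, and state whether matching is case-sensitive and whether surrounding whitespace is tolerated (HTTP method names are case-sensitive, so "get" and "GET" presumably differ; say which way it goes). Second, "Defining both is a configuration error" should say what the user observes, a configuration error at startup rather than one list silently winning. Third, the two worked examples are hard to parse because each sentence mixes 119:287 and 119:31 outcomes; restate them per method, e.g. for allowed_methods = "GET,PUT,BLUE": GET, PUT and BLUE raise nothing, POST raises 119:287 only, RED raises 119:287 and 119:31; and for disallowed_methods = "POST,RED": POST and RED raise 119:287 only, BLUE raises 119:31 only, GET and PUT raise nothing. One sentence of guidance would also help: because a disallowed list implicitly allows everything else, allowed_methods is the fail-closed choice for a server whose method set is known, and the disallowed form only blocks what is explicitly named. Showing the option once in full Lua form, http_inspect = { allowed_methods = "GET,PUT,BLUE" }, would remove any doubt about where the bare assignment belongs.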
-5.10.3.3. gzip
+5.10.3.4. gzip
http_inspect by default decompresses deflate and gzip message bodies
before inspecting them. This feature can be turned off by unzip =
meaningful inspection of message bodies will be possible. Effectively
HTTP processing would be limited to the headers.
-5.10.3.4. normalize_utf
+5.10.3.5. normalize_utf
http_inspect will decode utf-8, utf-7, utf-16le, utf-16be, utf-32le,
and utf-32be in response message bodies based on the Content-Type
header. This feature is on by default: normalize_utf = false will
deactivate it.
-5.10.3.5. decompress_pdf
+5.10.3.6. decompress_pdf
decompress_pdf = true will enable decompression of compressed
portions of PDF files encountered in a message body. http_inspect
content is decompressed and made available through the file data rule
option.
-5.10.3.6. decompress_swf
+5.10.3.7. decompress_swf
decompress_swf = true will enable decompression of compressed SWF
(Adobe Flash content) files encountered in a message body. The
through the file data rule option. The compressed SWF file signature
is converted to FWS to indicate an uncompressed file.
-5.10.3.7. decompress_zip
+5.10.3.8. decompress_zip
decompress_zip = true will enable decompression of compressed zip
archives encountered in a message body. The compressed content is
decompressed and made available through the file_data rule option.
-5.10.3.8. decompress_vba
+5.10.3.9. decompress_vba
decompress_vba = true will enable decompression of RLE (Run Length
Encoding) compressed vba (Visual Basic for Applications) macro data
compressed vba macro data. The decompressed vba macro data is then
made available through the vba_data ips rule option.
-5.10.3.9. normalize_javascript
+5.10.3.10. normalize_javascript
normalize_javascript = true will enable legacy normalizer of
JavaScript within the HTTP response body. http_inspect looks for
space and normalizes the plus by concatenating the strings. Such
normalizations refer to basic JavaScript normalization.
-5.10.3.10. js_norm_bytes_depth
+5.10.3.11. js_norm_bytes_depth
js_norm_bytes_depth = N {-1 : max53} will set a number of input
JavaScript bytes to normalize. When the depth is reached,
The identifiers are variables and function names. The normalized data
is available through the js_data rule option.
-5.10.3.11. js_norm_identifier_depth
+5.10.3.12. js_norm_identifier_depth
js_norm_identifier_depth = N {0 : 65536} will set a number of unique
JavaScript identifiers to normalize. When the depth is reached, a
65536, which is the max allowed number of unique identifiers. The
generated names are in the range from var_0000 to var_ffff.
-5.10.3.12. js_norm_max_tmpl_nest
+5.10.3.13. js_norm_max_tmpl_nest
js_norm_max_tmpl_nest = N {0 : 255} (default 32) is an option of the
enhanced JavaScript normalizer that determines the deepest level of
option is present to limit the amount of memory dedicated to template
nesting tracking.
-5.10.3.13. js_norm_max_bracket_depth
+5.10.3.14. js_norm_max_bracket_depth
js_norm_max_bracket_depth = N {1 : 65535} (default 256) is an option
of the enhanced JavaScript normalizer that determines the maximum
option is present to limit the amount of memory dedicated to bracket
tracking.
-5.10.3.14. js_norm_max_scope_depth
+5.10.3.15. js_norm_max_scope_depth
js_norm_max_scope_depth = N {1 : 65535} (default 256) is an option of
the enhanced JavaScript normalizer that determines the deepest level
the global scope. This option is present to limit the amount of
memory dedicated to scope tracking.
-5.10.3.15. js_norm_ident_ignore
+5.10.3.16. js_norm_ident_ignore
js_norm_ident_ignore = {<list of ignored identifiers>} is an option
of the enhanced JavaScript normalizer that defines a list of
wants to disable unescape related features, then removing function’s
name from the ignore list does the trick.
-5.10.3.16. js_norm_prop_ignore
+5.10.3.17. js_norm_prop_ignore
js_norm_prop_ignore = {<list of ignored properties>} is an option of
the enhanced JavaScript normalizer that defines a list of object
The default list of ignored properties is present in
"snort_defaults.lua".
-5.10.3.17. xff_headers
+5.10.3.18. xff_headers
This configuration supports defining custom x-forwarded-for type
headers. In a multi-vendor world, it is quite possible that the
"true-client-ip" if both headers are present in the stream. The
header names should be delimited by a space.
-5.10.3.18. maximum_host_length
+5.10.3.19. maximum_host_length
Setting maximum_host_length causes http_inspect to generate 119:25 if
the Host header value including optional white space exceeds the
total length of the combined values is used. The default value is -1,
meaning do not perform this check.
-5.10.3.19. maximum_chunk_length
+5.10.3.20. maximum_chunk_length
http_inspect strictly limits individual chunks within a chunked
message body to be less than four gigabytes.
A lower limit may be configured by setting maximum_chunk_length. Any
chunk longer than maximum chunk length will generate a 119:16 alert.
-5.10.3.20. maximum_header_length
+5.10.3.21. maximum_header_length
http_inspect generates 119:19 when the length of a header exceeds
maximum_header_length = N {0 : 65535} (default 4096).
-5.10.3.21. maximum_headers
+5.10.3.22. maximum_headers
http_inspect generates 119:20 when the number of headers exceeds
maximum_headers = N {0 : 65535} (default 200).
-5.10.3.22. URI processing
+5.10.3.23. URI processing
Normalization and inspection of the URI in the HTTP request message
is a key aspect of what http_inspect does. The best way to normalize