The Snort Team
Revision History
-Revision 3.1.17.0 2021-11-17 13:35:34 EST TST
+Revision 3.1.18.0 2021-12-01 10:40:58 EST TST
---------------------------------------------------------------------
7.80. modbus_unit
7.81. msg
7.82. mss
- 7.83. pcre
- 7.84. pkt_data
- 7.85. pkt_num
- 7.86. priority
- 7.87. raw_data
- 7.88. reference
- 7.89. regex
- 7.90. rem
- 7.91. replace
- 7.92. rev
- 7.93. rpc
- 7.94. s7commplus_content
- 7.95. s7commplus_func
- 7.96. s7commplus_opcode
- 7.97. sd_pattern
- 7.98. seq
- 7.99. service
- 7.100. sha256
- 7.101. sha512
- 7.102. sid
- 7.103. sip_body
- 7.104. sip_header
- 7.105. sip_method
- 7.106. sip_stat_code
- 7.107. so
- 7.108. soid
- 7.109. ssl_state
- 7.110. ssl_version
- 7.111. stream_reassemble
- 7.112. stream_size
- 7.113. tag
- 7.114. target
- 7.115. tos
- 7.116. ttl
- 7.117. urg
- 7.118. vba_data
- 7.119. window
- 7.120. wscale
+ 7.83. num_headers
+ 7.84. num_trailers
+ 7.85. pcre
+ 7.86. pkt_data
+ 7.87. pkt_num
+ 7.88. priority
+ 7.89. raw_data
+ 7.90. reference
+ 7.91. regex
+ 7.92. rem
+ 7.93. replace
+ 7.94. rev
+ 7.95. rpc
+ 7.96. s7commplus_content
+ 7.97. s7commplus_func
+ 7.98. s7commplus_opcode
+ 7.99. sd_pattern
+ 7.100. seq
+ 7.101. service
+ 7.102. sha256
+ 7.103. sha512
+ 7.104. sid
+ 7.105. sip_body
+ 7.106. sip_header
+ 7.107. sip_method
+ 7.108. sip_stat_code
+ 7.109. so
+ 7.110. soid
+ 7.111. ssl_state
+ 7.112. ssl_version
+ 7.113. stream_reassemble
+ 7.114. stream_size
+ 7.115. tag
+ 7.116. target
+ 7.117. tos
+ 7.118. ttl
+ 7.119. urg
+ 7.120. vba_data
+ 7.121. window
+ 7.122. wscale
8. Search Engine Modules
9. SO Rule Modules
10.3. alert_fast
10.4. alert_full
10.5. alert_json
- 10.6. alert_sfsocket
- 10.7. alert_syslog
- 10.8. alert_talos
- 10.9. alert_unixsock
- 10.10. log_codecs
- 10.11. log_hext
- 10.12. log_pcap
- 10.13. unified2
+ 10.6. alert_syslog
+ 10.7. alert_talos
+ 10.8. alert_unixsock
+ 10.9. log_codecs
+ 10.10. log_hext
+ 10.11. log_pcap
+ 10.12. unified2
11. Appendix
* int memory.cap = 0: set the per-packet-thread cap on memory
(bytes, 0 to disable) { 0:maxSZ }
- * int memory.threshold = 0: set the per-packet-thread threshold for
- preemptive cleanup actions (percent, 0 to disable) { 0:100 }
+ * int memory.threshold = 100: scale cap to account for heap
+ overhead { 1:100 }
Peg counts:
* memory.reap_attempts: attempts to reclaim memory (now)
* memory.reap_failures: failures to reclaim memory (now)
* memory.max_in_use: highest allocated - deallocated (max)
- * memory.total_fudge: sum of all adjustments (now)
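Review bot: the reworded memory.threshold help text ("scale cap to account for heap overhead { 1:100 }") no longer states the unit, while the line it replaces said "(percent, 0 to disable)"; a reader now cannot tell whether 100 means 100 percent of memory.cap or something else, nor that 0 is no longer accepted. Suggest "scale cap to account for heap overhead (percent) { 1:100 }" and a release-notes mention that configs setting memory.threshold = 0 will now fail validation, since the lower bound moved from 0 to 1.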
2.18. network
Usage: context
-Instance Type: global
+Instance Type: network
Configuration:
Usage: context
-Instance Type: global
+Instance Type: network
Configuration:
IDs
* string binder[].when.dst_groups: list of destination group IDs
* string binder[].when.addr_spaces: list of address space IDs
+ * string binder[].when.tenants: list of tenants
* enum binder[].when.role = any: use the given configuration on one
or any end of a session { client | server | any }
* string binder[].when.service: override default configuration
* enum binder[].use.action = inspect: what to do with matching
traffic { reset | block | allow | inspect }
* string binder[].use.file: use configuration in given file
+ * string binder[].use.network_policy: use network policy from given
+ file
* string binder[].use.inspection_policy: use inspection policy from
given file
* string binder[].use.ips_policy: use ips policy from given file
Peg counts:
+ * binder.raw_packets: raw packets evaluated (sum)
* binder.new_flows: new flows evaluated (sum)
* binder.service_changes: flow service changes evaluated (sum)
* binder.assistant_inspectors: flow assistant inspector requests
Usage: context
-Instance Type: global
+Instance Type: network
5.8. data_log
* int http_inspect.js_norm_max_tmpl_nest = 32: maximum depth of
template literal nesting that enhanced javascript normalizer will
process { 0:255 }
+ * int http_inspect.js_norm_max_bracket_depth = 256: maximum depth
+ of bracket nesting that enhanced JavaScript normalizer will
+ process { 1:65535 }
* int http_inspect.js_norm_max_scope_depth = 256: maximum depth of
scope nesting that enhanced JavaScript normalizer will process {
- 0:65535 }
+ 1:65535 }
* string http_inspect.js_norm_built_in_ident[].ident_name: name of
built-in identifier
* int http_inspect.max_javascript_whitespaces = 200: maximum
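Review bot: the lower bound of http_inspect.js_norm_max_scope_depth is tightened from { 0:65535 } to { 1:65535 } in this hunk, which turns any existing configuration that set it to 0 into a validation error; the change is silent here and the neighbouring js_norm_max_tmpl_nest keeps { 0:255 }, so the inconsistency will look accidental to a reader. Suggest either documenting why 0 is no longer meaningful for scope and bracket depth or calling the tightened range out in the release notes.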
* 119:269 (http_inspect) script opening tag in a short form
* 119:270 (http_inspect) max number of unique JavaScript
identifiers reached
- * 119:271 (http_inspect) JavaScript scope nesting is over capacity
+ * 119:271 (http_inspect) JavaScript bracket nesting is over
+ capacity
* 119:272 (http_inspect) Consecutive commas in HTTP Accept-Encoding
header
* 119:273 (http_inspect) missed PDUs during JavaScript
normalization
+ * 119:274 (http_inspect) JavaScript scope nesting is over capacity
Peg counts:
Type: inspector (packet)
-Usage: inspect
+Usage: context
-Instance Type: singleton
+Instance Type: network
Configuration:
pairs
* int perf_monitor.packets = 10000: minimum packets to report {
0:max32 }
- * int perf_monitor.seconds = 60: report interval { 1:max32 }
+ * int perf_monitor.seconds = 60: report interval { 0:max32 }
* int perf_monitor.flow_ip_memcap = 52428800: maximum memory in
bytes for flow tracking { 236:maxSZ }
* int perf_monitor.max_file_size = 1073741824: files will be rolled
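Review bot: the lower bound of perf_monitor.seconds drops from { 1:max32 } to { 0:max32 }, but the help string is still just "report interval", so nothing tells the reader what a 0 second interval does (disabled, report every flush, or something else). Suggest extending the help text in the style of the other options on this page, e.g. "report interval (seconds, 0 to ...)" with the intended behaviour filled in.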
Type: inspector (first)
-Usage: global
+Usage: context
-Instance Type: global
+Instance Type: network
Configuration:
Usage: context
-Instance Type: global
+Instance Type: network
Configuration:
* stream.excess_prunes: sessions pruned due to excess (sum)
* stream.uni_prunes: uni sessions pruned (sum)
* stream.preemptive_prunes: sessions pruned during preemptive
- pruning (sum)
+ pruning (deprecated) (sum)
* stream.memcap_prunes: sessions pruned due to memcap (sum)
* stream.ha_prunes: sessions pruned by high availability sync (sum)
* stream.stale_prunes: sessions pruned due to stale connection
wild cards (*)
* multi wizard.curses: enable service identification based on
internal algorithm { dce_smb | dce_udp | dce_tcp | sslv2 }
- * int wizard.max_search_depth = 64: maximum scan depth per flow {
+ * int wizard.max_search_depth = 8192: maximum scan depth per flow {
0:65535 }
Peg counts:
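Review bot: the default of wizard.max_search_depth is raised from 64 to 8192 here while the help string "maximum scan depth per flow" still gives no unit, so the magnitude of the change (128x more flow data scanned before the wizard gives up) is impossible to judge from the reference alone. Suggest stating the unit in the help text and mentioning the new default in the release notes, since it affects memory and CPU spent on flows the wizard never identifies.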
}
-7.83. pcre
+7.83. num_headers
+
+--------------
+
+Help: rule option to perform range check on number of headers
+
+Type: ips_option
+
+Usage: detect
+
+Configuration:
+
+ * interval num_headers.~range: check that number of headers of
+ current buffer are in given range { 0:200 }
+ * implied num_headers.request: match against the version from the
+ request message even when examining the response
+ * implied num_headers.with_header: this rule is limited to
+ examining HTTP message headers
+ * implied num_headers.with_body: parts of this rule examine HTTP
+ message body
+ * implied num_headers.with_trailer: parts of this rule examine HTTP
+ message trailers
+
+
+7.84. num_trailers
+
+--------------
+
+Help: rule option to perform range check on number of trailers
+
+Type: ips_option
+
+Usage: detect
+
+Configuration:
+
+ * interval num_trailers.~range: check that number of headers of
+ current buffer are in given range { 0:200 }
+ * implied num_trailers.request: match against the version from the
+ request message even when examining the response
+ * implied num_trailers.with_header: this rule is limited to
+ examining HTTP message headers
+ * implied num_trailers.with_body: parts of this rule examine HTTP
+ message body
+ * implied num_trailers.with_trailer: parts of this rule examine
+ HTTP message trailers
+
+
+7.85. pcre
--------------
* pcre.pcre_negated: total pcre rules using negation syntax (sum)
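Review bot: the help strings for the new num_headers and num_trailers options carry copy-paste errors from the version option: "num_headers.request: match against the version from the request message" and the same line under num_trailers should say "match against the number of headers/trailers from the request message", and "num_trailers.~range: check that number of headers of current buffer" should read "number of trailers". Also "number of headers of current buffer are in given range" should be "is in given range" in both entries.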
-7.84. pkt_data
+7.86. pkt_data
--------------
Usage: detect
-7.85. pkt_num
+7.87. pkt_num
--------------
{ 1: }
-7.86. priority
+7.88. priority
--------------
1:max31 }
-7.87. raw_data
+7.89. raw_data
--------------
Usage: detect
-7.88. reference
+7.90. reference
--------------
* string reference.~ref: reference: <scheme>,<id>
-7.89. regex
+7.91. regex
--------------
instead of start of buffer
-7.90. rem
+7.92. rem
--------------
* string rem.~: comment
-7.91. replace
+7.93. replace
--------------
* string replace.~: byte code to replace with
-7.92. rev
+7.94. rev
--------------
* int rev.~: revision { 1:max32 }
-7.93. rpc
+7.95. rpc
--------------
* string rpc.~proc: procedure number or * for any
-7.94. s7commplus_content
+7.96. s7commplus_content
--------------
Usage: detect
-7.95. s7commplus_func
+7.97. s7commplus_func
--------------
* string s7commplus_func.~: function code to match
-7.96. s7commplus_opcode
+7.98. s7commplus_opcode
--------------
* string s7commplus_opcode.~: opcode code to match
-7.97. sd_pattern
+7.99. sd_pattern
--------------
* sd_pattern.terminated: hyperscan terminated (sum)
-7.98. seq
+7.100. seq
--------------
range { 0: }
-7.99. service
+7.101. service
--------------
* string service.*: one or more comma-separated service names
-7.100. sha256
+7.102. sha256
--------------
start of buffer
-7.101. sha512
+7.103. sha512
--------------
start of buffer
-7.102. sid
+7.104. sid
--------------
* int sid.~: signature id { 1:max32 }
-7.103. sip_body
+7.105. sip_body
--------------
Usage: detect
-7.104. sip_header
+7.106. sip_header
--------------
Usage: detect
-7.105. sip_method
+7.107. sip_method
--------------
* string sip_method.*method: sip method
-7.106. sip_stat_code
+7.108. sip_stat_code
--------------
* int sip_stat_code.*code: status code { 1:999 }
-7.107. so
+7.109. so
--------------
buffer
-7.108. soid
+7.110. soid
--------------
like 3_45678_9
-7.109. ssl_state
+7.111. ssl_state
--------------
unknown
-7.110. ssl_version
+7.112. ssl_version
--------------
tls1.2
-7.111. stream_reassemble
+7.113. stream_reassemble
--------------
remainder of the session
-7.112. stream_size
+7.114. stream_size
--------------
direction(s) { either|to_server|to_client|both }
-7.113. tag
+7.115. tag
--------------
* int tag.bytes: tag for this many bytes { 1:max32 }
-7.114. target
+7.116. target
--------------
dst_ip }
-7.115. tos
+7.117. tos
--------------
* interval tos.~range: check if IP TOS is in given range { 0:255 }
-7.116. ttl
+7.118. ttl
--------------
0:255 }
-7.117. urg
+7.119. urg
--------------
{ 0:65535 }
-7.118. vba_data
+7.120. vba_data
--------------
Usage: detect
-7.119. window
+7.121. window
--------------
range { 0:65535 }
-7.120. wscale
+7.122. wscale
--------------
character sequence
-10.6. alert_sfsocket
-
---------------
-
-Help: output event over socket
-
-Type: logger
-
-Usage: global
-
-Configuration:
-
- * string alert_sfsocket.file: name of unix socket file
- * int alert_sfsocket.rules[].gid = 1: rule generator ID { 1:max32 }
- * int alert_sfsocket.rules[].sid = 1: rule signature ID { 1:max32 }
-
-
-10.7. alert_syslog
+10.6. alert_syslog
--------------
cons | ndelay | perror | pid }
-10.8. alert_talos
+10.7. alert_talos
--------------
Usage: global
-10.9. alert_unixsock
+10.8. alert_unixsock
--------------
Usage: global
-10.10. log_codecs
+10.9. log_codecs
--------------
* bool log_codecs.msg = false: include alert msg
-10.11. log_hext
+10.10. log_hext
--------------
0:max32 }
-10.12. log_pcap
+10.11. log_pcap
--------------
is unlimited) { 0:maxSZ }
-10.13. unified2
+10.12. unified2
--------------
}
* int active.min_interval = 255: minimum number of seconds between
responses { 1:255 }
+ * string address_space_selector[].addr_spaces: list of address
+ space IDs to match
+ * string address_space_selector[].file: use configuration in given
+ file
* multi alert_csv.fields = timestamp pkt_num proto pkt_gen pkt_len
dir src_ap dst_ap rule action: selected fields will be output in
given order left to right { action | class | b64_data |
memory for detection_filters { 0:max32 }
* int alerts.event_filter_memcap = 1048576: set available MB of
memory for event_filters { 0:max32 }
- * string alert_sfsocket.file: name of unix socket file
- * int alert_sfsocket.rules[].gid = 1: rule generator ID { 1:max32 }
- * int alert_sfsocket.rules[].sid = 1: rule signature ID { 1:max32 }
* bool alerts.log_references = false: include rule references in
alert info (full only)
* string alerts.order: change the order of rule action application
given file
* string binder[].use.ips_policy: use ips policy from given file
* string binder[].use.name: symbol name (defaults to type)
+ * string binder[].use.network_policy: use network policy from given
+ file
* string binder[].use.service: override automatic service
identification
* string binder[].use.type: select module for binding
* addr_list binder[].when.src_nets: list of source networks
* bit_list binder[].when.src_ports: list of source ports { 65535 }
* string binder[].when.src_zone: deprecated alias for src_groups
+ * string binder[].when.tenants: list of tenants
* bit_list binder[].when.vlans: list of VLAN IDs { 4095 }
* string binder[].when.zones: deprecated alias for groups
* interval bufferlen.~range: check that total length of current
built-in identifier
* int http_inspect.js_norm_identifier_depth = 65536: max number of
unique JavaScript identifiers to normalize { 0:65536 }
+ * int http_inspect.js_norm_max_bracket_depth = 256: maximum depth
+ of bracket nesting that enhanced JavaScript normalizer will
+ process { 1:65535 }
* int http_inspect.js_norm_max_scope_depth = 256: maximum depth of
scope nesting that enhanced JavaScript normalizer will process {
- 0:65535 }
+ 1:65535 }
* int http_inspect.js_norm_max_tmpl_nest = 32: maximum depth of
template literal nesting that enhanced javascript normalizer will
process { 0:255 }
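Review bot: this hunk tightens http_inspect.js_norm_max_scope_depth from { 0:65535 } to { 1:65535 } and introduces js_norm_max_bracket_depth with the same { 1:65535 } range, while js_norm_max_tmpl_nest directly below keeps { 0:255 }; a configuration that previously set the scope depth to 0 will now be rejected without any note explaining it. Suggest a release-notes entry for the range change, or a short help-text remark on why 0 is not a valid depth.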
of buffer
* int memory.cap = 0: set the per-packet-thread cap on memory
(bytes, 0 to disable) { 0:maxSZ }
- * int memory.threshold = 0: set the per-packet-thread threshold for
- preemptive cleanup actions (percent, 0 to disable) { 0:100 }
+ * int memory.threshold = 100: scale cap to account for heap
+ overhead { 1:100 }
* string metadata.*: comma-separated list of arbitrary name value
pairs
* string modbus_func.~: function code to match
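Review bot: "memory.threshold = 100: scale cap to account for heap overhead { 1:100 }" drops the unit that the replaced line carried ("percent"); suggest "scale cap to account for heap overhead (percent) { 1:100 }" so the appendix list matches whatever the 2.x memory section ends up saying.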
* bool normalizer.tcp.trim_win = false: trim data to window
* bool normalizer.tcp.urp = false: adjust urgent pointer if beyond
segment length
+ * interval num_headers.~range: check that number of headers of
+ current buffer are in given range { 0:200 }
+ * implied num_headers.request: match against the version from the
+ request message even when examining the response
+ * implied num_headers.with_body: parts of this rule examine HTTP
+ message body
+ * implied num_headers.with_header: this rule is limited to
+ examining HTTP message headers
+ * implied num_headers.with_trailer: parts of this rule examine HTTP
+ message trailers
+ * interval num_trailers.~range: check that number of headers of
+ current buffer are in given range { 0:200 }
+ * implied num_trailers.request: match against the version from the
+ request message even when examining the response
+ * implied num_trailers.with_body: parts of this rule examine HTTP
+ message body
+ * implied num_trailers.with_header: this rule is limited to
+ examining HTTP message headers
+ * implied num_trailers.with_trailer: parts of this rule examine
+ HTTP message trailers
* bool output.dump_chars_only = false: turns on character dumps
(same as -C)
* bool output.dump_payload = false: dumps application layer (same
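Review bot: the appendix entries for num_headers and num_trailers repeat the copy-paste errors of their reference sections: "num_headers.request: match against the version from the request message" (and the num_trailers twin) should refer to the number of headers or trailers, not a version, and "num_trailers.~range: check that number of headers of current buffer" should say "number of trailers". "are in given range" should be "is in given range" in both interval entries.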
| console }
* int perf_monitor.packets = 10000: minimum packets to report {
0:max32 }
- * int perf_monitor.seconds = 60: report interval { 1:max32 }
+ * int perf_monitor.seconds = 60: report interval { 0:max32 }
* bool perf_monitor.summary = false: output summary at shutdown
* interval pkt_num.~range: check if packet number is in given range
{ 1: }
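Review bot: "perf_monitor.seconds = 60: report interval { 0:max32 }" now admits 0 but the help text does not say what a zero interval means; suggest "report interval (seconds, 0 to ...)" with the intended behaviour stated, consistent with how other options on this page document their disabling value.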
* bool telnet.check_encrypted = false: check for end of encryption
* bool telnet.encrypted_traffic = false: check for encrypted Telnet
* bool telnet.normalize = false: eliminate escape sequences
+ * string tenant_selector[].file: use configuration in given file
+ * string tenant_selector[].tenants: list of tenants to match
* interval tos.~range: check if IP TOS is in given range { 0:255 }
* string trace.constraints.dst_ip: destination IP address filter
* int trace.constraints.dst_port: destination port filter { 0:65535
chars (?)
* string wizard.hexes[].to_server[].hex: sequence of data with wild
chars (?)
- * int wizard.max_search_depth = 64: maximum scan depth per flow {
+ * int wizard.max_search_depth = 8192: maximum scan depth per flow {
0:65535 }
* bool wizard.spells[].client_first = true: which end initiates
data transfer
* active.holds_denied: total number of packet hold requests denied
(sum)
* active.injects: total crafted packets encoded and injected (sum)
+ * address_space_selector.no_match: selection evaluations that had
+ no matches (sum)
+ * address_space_selector.packets: packets evaluated (sum)
* appid.appid_unknown: count of sessions where appid could not be
determined (sum)
* appid.ignored_packets: count of packets ignored (sum)
* binder.new_flows: new flows evaluated (sum)
* binder.new_standby_flows: new HA flows evaluated (sum)
* binder.no_match: binding evaluations that had no matches (sum)
+ * binder.raw_packets: raw packets evaluated (sum)
* binder.resets: reset actions bound (sum)
* binder.service_changes: flow service changes evaluated (sum)
* cip.concurrent_sessions: total concurrent SIP sessions (now)
* memory.max_in_use: highest allocated - deallocated (max)
* memory.reap_attempts: attempts to reclaim memory (now)
* memory.reap_failures: failures to reclaim memory (now)
- * memory.total_fudge: sum of all adjustments (now)
* mem_test.packets: total packets (sum)
* modbus.concurrent_sessions: total concurrent modbus sessions
(now)
* stream_ip.trackers_freed: datagram trackers released (sum)
* stream.memcap_prunes: sessions pruned due to memcap (sum)
* stream.preemptive_prunes: sessions pruned during preemptive
- pruning (sum)
+ pruning (deprecated) (sum)
* stream.reload_allowed_deletes: number of allowed flows deleted by
config reloads (sum)
* stream.reload_blocked_deletes: number of blocked flows deleted by
* telnet.max_concurrent_sessions: maximum concurrent Telnet
sessions (max)
* telnet.total_packets: total packets (sum)
+ * tenant_selector.no_match: selection evaluations that had no
+ matches (sum)
+ * tenant_selector.packets: packets evaluated (sum)
* udp.bad_udp4_checksum: nonzero udp over ipv4 checksums (sum)
* udp.bad_udp6_checksum: nonzero udp over ipv6 checksums (sum)
* udp.checksum_bypassed: checksum calculations bypassed (sum)
The TCP packet is invalid because it doesn’t have a SYN, ACK, or RST
flag set.
-116:424 (eth) truncated ethernet header
+116:424 (pbb) truncated ethernet header
The packet length is less than the minimum ethernet header size (14
bytes)
-116:424 (eth) truncated ethernet header
+116:424 (pbb) truncated ethernet header
A truncated ethernet header was detected.
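Review bot: both 116:424 entries are re-attributed from (eth) to (pbb) in this hunk, but the explanations around them are unchanged and still describe the plain ethernet case ("less than the minimum ethernet header size (14 bytes)", "A truncated ethernet header was detected"); if the pbb codec raises this event the text should say which header the pbb codec is checking and what minimum length applies. The two entries for the same gid:sid with different descriptions should also be merged into one.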
alert is not expected for typical network traffic and may be an
indication that an attacker is trying to exhaust resources.
-119:271 (http_inspect) JavaScript scope nesting is over capacity
+119:271 (http_inspect) JavaScript bracket nesting is over capacity
In JavaScript, template literals can have substitutions, that in turn
can have nested template literals, which requires a stack to track
for proper whitespace normalization. Also, the normalization tracks
-the current scope, which requires a stack as well. When the depth of
-nesting exceeds limit set in http_inspect.js_norm_max_tmpl_nest or in
-http_inspect.js_norm_max_scope_depth, this alert is raised. This
+the current bracket scope, which requires a stack as well. When the
+depth of nesting exceeds limit set in
+http_inspect.js_norm_max_tmpl_nest or in
+http_inspect.js_norm_max_bracket_depth, this alert is raised. This
alert is not expected for typical network traffic and may be an
indication that an attacker is trying to exhaust resources.
inline/external scripts will be stopped for current request within
the flow.
+119:274 (http_inspect) JavaScript scope nesting is over capacity
+
+In JavaScript, a program is split into several scopes such as a
+global scope, function scope, if block, block of code, object, etc.
+The scope has a nesting nature which requires a stack to track it for
+proper normalization of JavaScript identifiers. When the depth of
+nesting exceeds limit set in http_inspect.js_norm_max_scope_depth,
+this alert is raised. This alert is not expected for typical network
+traffic and may be an indication that an attacker is trying to
+exhaust resources.
+
121:1 (http2_inspect) invalid flag set on HTTP/2 frame
Invalid flag set on HTTP/2 frame header
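Review bot: grammar in the reworded 119:271 text and the new 119:274 text: "When the depth of nesting exceeds limit set in" should read "exceeds the limit set in" in both descriptions, and in 119:274 "In JavaScript, a program is split into several scopes such as a global scope, function scope, if block, block of code, object, etc." reads better as "such as the global scope, function scope, if blocks, code blocks and objects".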
* ack (ips_option): rule option to match on TCP ack numbers
* active (basic): configure responses
+ * address_space_selector (policy_selector): configure traffic
+ processing based on address space
* alert_csv (logger): output event in csv format
* alert_ex (logger): output gid:sid:rev for alerts
* alert_fast (logger): output event with brief text format
* alert_full (logger): output event with full packet dump
* alert_json (logger): output event in json format
- * alert_sfsocket (logger): output event over socket
* alert_syslog (logger): output event to syslog
* alert_talos (logger): output event in Talos alert format
* alert_unixsock (logger): output event over unix socket
* network (basic): configure basic network parameters
* normalizer (inspector): packet scrubbing for inline mode
* null_trace_logger (inspector): trace logger with a null printout
+ * num_headers (ips_option): rule option to perform range check on
+ number of headers
+ * num_trailers (ips_option): rule option to perform range check on
+ number of trailers
* output (basic): configure general output parameters
* packet_capture (inspector): raw packet dumping facility
* packet_tracer (basic): generate debug trace messages for packets
* tcp (codec): support for transmission control protocol
* tcp_connector (connector): implement the tcp stream connector
* telnet (inspector): telnet inspection and normalization
+ * tenant_selector (policy_selector): configure traffic processing
+ based on tenants
* token_ring (codec): support for token ring decoding
* tos (ips_option): rule option to check type of service field
* trace (basic): configure trace log messages
* ips_option::msg: rule option summarizing rule purpose output with
events
* ips_option::mss: detection for TCP maximum segment size
+ * ips_option::num_headers: rule option to perform range check on
+ number of headers
+ * ips_option::num_trailers: rule option to perform range check on
+ number of trailers
* ips_option::pcre: rule option for matching payload data with pcre
* ips_option::pkt_data: rule option to set the detection cursor to
the normalized packet data
* logger::alert_fast: output event with brief text format
* logger::alert_full: output event with full packet dump
* logger::alert_json: output event in json format
- * logger::alert_sfsocket: output event over socket
* logger::alert_syslog: output event to syslog
* logger::alert_talos: output event in Talos alert format
* logger::alert_unixsock: output event over unix socket
* logger::log_null: disable logging of packets
* logger::log_pcap: log packet in pcap format
* logger::unified2: output event and packet in unified2 format file
+ * policy_selector::address_space_selector: configure traffic
+ processing based on address space
+ * policy_selector::tenant_selector: configure traffic processing
+ based on tenants
* search_engine::ac_banded: Aho-Corasick Banded (high memory,
moderate performance)
* search_engine::ac_bnfa: Aho-Corasick Binary NFA (low memory, high
The Snort Team
Revision History
-Revision 3.1.17.0 2021-11-17 13:35:23 EST TST
+Revision 3.1.18.0 2021-12-01 10:40:47 EST TST
---------------------------------------------------------------------
* New latency monitoring and enforcement
* Piglets to facilitate component testing
* Inspection Events
- * Automake and Cmake
* Autogenerate reference documentation
Additional features are on the road map:
HTML-embedded JavaScript). For more information on how additionally
configure Enhanced Normalizer check the following http_inspect
options: js_normalization_depth, js_norm_identifier_depth,
-js_norm_max_tmpl_nest, js_norm_max_scope_depth,
-js_norm_built_in_ident. Eventually Enhanced Normalizer will
-completely replace Legacy Normalizer.
+js_norm_max_tmpl_nest, js_norm_max_bracket_depth,
+js_norm_max_scope_depth, js_norm_built_in_ident. Eventually Enhanced
+Normalizer will completely replace Legacy Normalizer.
5.10.3. Configuration
option is present to limit the amount of memory dedicated to this
tracking.
-5.10.3.12. js_norm_max_scope_depth
+5.10.3.12. js_norm_max_bracket_depth
-js_norm_max_scope_depth = N {0 : 65535} (default 256) is an option of
+js_norm_max_bracket_depth = N {1 : 65535} (default 256) is an option
+of the enhanced JavaScript normalizer that determines the deepest
+level of nested bracket scope. The scope term includes code sections
+("{}"), parentheses("()") and brackets("[]"). This option is present
+to limit the amount of memory dedicated to this tracking.
+
+5.10.3.13. js_norm_max_scope_depth
+
+js_norm_max_scope_depth = N {1 : 65535} (default 256) is an option of
the enhanced JavaScript normalizer that determines the deepest level
-of nested scope. The scope term includes code sections("{}"),
-parentheses("()") and brackets("[]"). This option is present to limit
+of nested scope. The scope term includes any type of JavaScript
+program scope such as the global one, function scope, if block,
+loops, code block, object scope, etc. This option is present to limit
the amount of memory dedicated to this tracking.
-5.10.3.13. js_norm_built_in_ident
+5.10.3.14. js_norm_built_in_ident
js_norm_built_in_ident = {<the list of built-in JavaScript identifier
names>}. The default list is present in "snort_defaults.lua".
http_inspect.js_norm_built_in_ident = { 'console', 'document', 'eval', 'foo' }
-5.10.3.14. xff_headers
+5.10.3.15. xff_headers
This configuration supports defining custom x-forwarded-for type
headers. In a multi-vendor world, it is quite possible that the
"true-client-ip" if both headers are present in the stream. The
header names should be delimited by a space.
-5.10.3.15. maximum_host_length
+5.10.3.16. maximum_host_length
Setting maximum_host_length causes http_inspect to generate 119:25 if
the Host header value including optional white space exceeds the
total length of the combined values is used. The default value is -1,
meaning do not perform this check.
-5.10.3.16. maximum_chunk_length
+5.10.3.17. maximum_chunk_length
http_inspect strictly limits individual chunks within a chunked
message body to be less than four gigabytes.
A lower limit may be configured by setting maximum_chunk_length. Any
chunk longer than maximum chunk length will generate a 119:16 alert.
-5.10.3.17. URI processing
+5.10.3.18. URI processing
Normalization and inspection of the URI in the HTTP request message
is a key aspect of what http_inspect does. The best way to normalize
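Review bot: the new 5.10.3.12 paragraph describes js_norm_max_bracket_depth as "the deepest level of nested bracket scope" and then says "The scope term includes code sections ("{}"), parentheses("()") and brackets("[]")", while the very next section 5.10.3.13 defines "scope" as global/function/block scope; reusing the word for both concepts will confuse readers. Suggest "deepest level of bracket nesting, where bracket means code sections ("{}"), parentheses ("()") and square brackets ("[]")" for 5.10.3.12, and fix the missing spaces before the parenthesised examples.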
Applications (vba) macro data embedded in MS office files. It
requires decompress_zip and decompress_vba options enabled.
+5.10.6.16. num_headers and num_trailers
+
+These rule options are used to check the number of headers and
+trailers, respectively. Checks available: equal to "=" or just value,
+not "!" or "!=", less than "<", greater than ">", less or equal to
+"⇐", less or greater than ">=", in range "<>", in range or equal to "
+<⇒".
+
5.10.7. Timing issues and combining rule options
HTTP inspector is stateful. That means it is aware of a bigger
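Review bot: the operator list in the new 5.10.6.16 section is garbled: 'less or equal to "⇐"' and 'in range or equal to "<⇒"' should show the literal operators "<=" and "<=>" (the arrows look like the renderer substituting "<=" and "=>"), so these need escaping or literal markup, and 'less or greater than ">="' should read 'greater or equal to ">="'. Since the options are new, a one-line rule example such as num_headers:<5 would also help.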
wizard is still under development; if you find you need to tweak the
defaults please let us know.
-Additional Details:
+5.20.1. Wizard patterns
+
+Wizard supports 3 kinds of patterns:
+
+ 1. Hexes
+ 2. Spells
+ 3. Curses
+
+Each kind of pattern has its own purpose and features. It should be
+noted that the types of patterns are evaluated exactly in the order
+in which they are described above. Thus, if some data matches a hex,
+it will not be processed by spells and curses.
+
+The depth of search for a pattern in the data can be configured using
+the max_search_depth option
+
+TCP packets form a flow, so wizard checks all data in the flow for a
+match. If no pattern matches and max_search_depth is reached, the
+flow is abandoned by wizard.
+
+UDP packets form a "meta-flow" based on the addresses and ports of
+the packets. However, unlike TCP processing, for UDP wizard only
+looks at the first arriving packet from the meta-flow. If no pattern
+matches that packet or wizard’s max_search_depth is reached, the
+meta-flow is abandoned by wizard.
+
+5.20.2. Wizard patterns - Spells
+
+Spell is a text based pattern. The best area of usage - text
+protocols: http, smtp, sip, etc. Spells are:
+
+ * Case insensitive
+ * Whitespace sensitive
+ * Able to match by a wildcard symbol
+
+In order to match any sequence of characters in pattern, you should
+use "*" (glob) symbol in pattern.
+
+Example:
+ Pattern: '220-*FTP'
+ Traffic that would match: '220- Hello world! It's a new FTP server'
+
+To escape "*" symbol, put "**" in the pattern.
+
+Spells are configured as a Lua array, each element of which can
+contain following options:
+
+ * service - name of the service that would be assigned
+ * proto - protocol to scan
+ * client_first - indicator of which end initiates data transfer
+ * to_server - list of text patterns to search in the data sent to
+ the client
+ * to_client - list of text patterns to search in the data sent to
+ the server
+
+ Example of a spell definition in Lua:
+ {
+ service = 'smtp',
+ proto = 'tcp',
+ client_first = true,
+ to_server = { 'HELO', 'EHLO' },
+ to_client = { '220*SMTP', '220*MAIL' }
+ }
+
+5.20.3. Wizard patterns - Hexes
+
+Hexes can be used to match binary protocols: dnp3, http2, ssl, etc.
+Hexes use hexadecimal representation of the data for pattern
+matching.
+
+Wildcard in hex pattern is a placeholder for exactly one occurrence
+of any hexadecimal digit and denoted by the symbol "?".
+
+Example:
+ Pattern: '|05 ?4|'
+ Traffic that would match: '|05 84|'
+
+Hexes are configured in the same way as spells and have an identical
+set of options.
+
+Example of a hex definition in Lua:
+ {
+ service = 'dnp3',
+ proto = 'tcp',
+ client_first = true,
+ to_server = { '|05 64|' },
+ to_client = { '|05 64|' }
+ }
+
+5.20.4. Wizard patterns - Curses
+
+Curses are internal algorithms of service identification. They are
+implemented as state machines in C++ code and can have their own
+unique state information stored on the flow.
+
+A list of available services can be obtained using snort
+--help-config wizard | grep curses.
+
+A configuration which enables some curses:
+ curses = {'dce_udp', 'dce_tcp', 'dce_smb', 'sslv2'}
+
+5.20.5. Additional Details:
+
+ * Note that usually more specific patterns have higher precedence.
+
+ For example:
+ The following spells against 'foobar' payload. The 3rd spell matches.
+ { service = 'first', to_server = { 'foo' } },
+ { service = 'second', to_server = { 'bar' } }
+ { service = 'third', to_server = { 'foobar' } }
* If the wizard and one or more service inspectors are configured w
/o explicitly configuring the binder, default bindings will be
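Review bot: in the spell option list, to_server is described as "list of text patterns to search in the data sent to the client" and to_client as "sent to the server"; the two descriptions are swapped relative to the option names and to the smtp example right below, where HELO/EHLO (sent by the client to the server) are in to_server. Smaller points in the same hunk: the sentence "The depth of search for a pattern in the data can be configured using the max_search_depth option" lacks a final period, the second spell in the precedence example ({ service = 'second', ... }) is missing its trailing comma so the Lua snippet will not parse, and "snort --help-config wizard | grep curses" should be set off as a command rather than run into the sentence.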