<head>\r
<meta http-equiv="Content-Type" content="application/xhtml+xml; charset=UTF-8" />\r
<meta name="generator" content="AsciiDoc 8.6.8" />\r
-<title>Snort++ User Manual</title>\r
+<title>Snort 3 User Manual</title>\r
<style type="text/css">\r
/* Shared CSS for AsciiDoc xhtml11 and html5 backends */\r
\r
</head>\r
<body class="article">\r
<div id="header">\r
-<h1>Snort++ User Manual</h1>\r
+<h1>Snort 3 User Manual</h1>\r
<span id="author">The Snort Team</span><br />\r
</div>\r
<div id="content">\r
<div class="literalblock">\r
<div class="content">\r
<pre><code> ,,_ -*> Snort++ <*-\r
-o" )~ Version 3.0.0-a4 (Build 218) from 2.9.7-262\r
+o" )~ Version 3.0.0-a4 (Build 221) from 2.9.8-383\r
'''' By Martin Roesch & The Snort Team\r
http://snort.org/contact#team\r
Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.\r
<div class="sect1">\r
<h2 id="_overview">Overview</h2>\r
<div class="sectionbody">\r
-<div class="paragraph"><p>Snort++ is an updated version of the Snort IPS (intrusion prevention\r
-system). This document assumes you have some familiarity with Snort and\r
-are looking to see what Snort++ has to offer. Here are some of the basic\r
-goals for Snort++:</p></div>\r
+<div class="paragraph"><p>Snort 3.0 is an updated version of the Snort Intrusion Prevention System\r
+(IPS) which features a new design that provides a superset of Snort 2.X\r
+functionality with better throughput, detection, scalability, and\r
+usability. Some of the key features of Snort 3.0 are:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
</li>\r
<li>\r
<p>\r
-Use a simple, scriptable configuration\r
+Autodetect services for portless configuration\r
</p>\r
</li>\r
<li>\r
<p>\r
-Make key components pluggable\r
+Modular design\r
</p>\r
</li>\r
<li>\r
<p>\r
-Autogenerate reference documentation\r
+Plugin framework with over 200 plugins\r
</p>\r
</li>\r
<li>\r
<p>\r
-Autodetect services for portless configuration\r
+More scalable memory profile\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+LuaJIT configuration, loggers, and rule options\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Hyperscan support\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Rewritten TCP handling\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+New rule parser and syntax\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Service rules like alert http\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Rule "sticky" buffers\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Way better SO rules\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+New HTTP inspector\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+New performance monitor\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+New time and space profiling\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+New latency monitoring and enforcement\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Piglets to facilitate component testing\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Inspection Events\r
</p>\r
</li>\r
<li>\r
<p>\r
-Support sticky buffers in rules\r
+Automake and Cmake\r
</p>\r
</li>\r
<li>\r
<p>\r
-Provide better cross platform support\r
+Autogenerate reference documentation\r
</p>\r
</li>\r
</ul></div>\r
-<div class="paragraph"><p>The above goals are met with this first alpha release. Additional,\r
-longer-term goals are:</p></div>\r
+<div class="paragraph"><p>Additional features are on the road map:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
</li>\r
<li>\r
<p>\r
-Support pipelining of packet processing\r
+Support hardware offload for fast pattern acceleration\r
</p>\r
</li>\r
<li>\r
<p>\r
-Support hardware offload and data plane integration\r
+Provide support for DPDK and ODP\r
</p>\r
</li>\r
<li>\r
<p>\r
-Rewrite critical modules like TCP reassembly and HTTP inspection\r
+Support pipelining of packet processing\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-Facilitate component testing\r
+Multi-tennant support\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Incremental reload\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+New serialization of perf data and events\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Enhanced rule processing\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Windows support\r
</p>\r
</li>\r
<li>\r
<p>\r
-Simplify memory management\r
+Anomaly detection\r
</p>\r
</li>\r
<li>\r
<p>\r
-Provide all of Snort’s functionality\r
+and more!\r
</p>\r
</li>\r
</ul></div>\r
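Review bot: two spelling slips in the feature lists: "Multi-tennant support" in the road map list should read "Multi-tenant support", and "Automake and Cmake" in the key features list above should read "Automake and CMake" (the build system's own capitalization). Suggested lines: `+Multi-tenant support` and `+Automake and CMake`.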
-<div class="paragraph"><p>This first alpha release is based on Snort 2.9.6-9 and excludes all but one\r
-of Snort’s dynamic preprocessors. Work is underway to port that\r
-functionality and additions will be rolled out as they become available.</p></div>\r
+<div class="paragraph"><p>The remainder of this section provides a high level survey of the inputs,\r
+processing, and outputs available with Snort 3.0.</p></div>\r
+<div class="paragraph"><p>Snort++ is the project that is creating Snort 3.0. In this manual "Snort"\r
+or "Snort 3" refers to the 3.0 version and earlier versions will be\r
+referred to as "Snort 2" where the distinction is relevant.</p></div>\r
<div class="sect2">\r
-<h3 id="_configuration">Configuration</h3>\r
-<div class="paragraph"><p>Note that retaining backwards compatibility is not a goal. While Snort++\r
-leverages some of the Snort code base, a lot has changed. The\r
-configuration of Snort++ is done with Lua, so your old conf won’t work as\r
-is. Rules are still text based but nonetheless incompatible. However,\r
-Snort2Lua will help you convert your conf and rules to the new format.</p></div>\r
-<div class="paragraph"><p>The original Snort manual may be useful for some background information not\r
-yet documented for Snort++. The configuration differences are given in\r
-this manual.</p></div>\r
+<h3 id="_first_steps">First Steps</h3>\r
+<div class="paragraph"><p>Snort can be configured to perform complex packet processing and deep\r
+packet inspection but it is best start simply and work up to more\r
+interesting tasks. Snort won’t do anything you didn’t specifically ask it\r
+to do so it is safe to just try things out and see what happens. Let’s\r
+start by just running Snort with no arguments:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>$ snort</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>That will output usage information including some basic help commands. You\r
+should run all of these commands now to see what is available:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>$ snort -V\r
+$ snort -?\r
+$ snort --help</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Note that Snort has extensive command line help available so if anything\r
+below isn’t clear, there is probably a way to get the exact information you\r
+need from the command line.</p></div>\r
+<div class="paragraph"><p>Now let’s examine the packets in a capture file (pcap):</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>$ snort -r a.pcap</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Snort will decode and count the packets in the file and output some\r
+statistics. Note that the output excludes non-zero numbers so it is easy\r
+to see what is there.</p></div>\r
+<div class="paragraph"><p>You may have noticed that there are command line options to limit the\r
+number of packets examined or set a filter to select particular packets.\r
+Now is a good time to experiment with those options.</p></div>\r
+<div class="paragraph"><p>If you want to see details on each packet, you can dump the packets to\r
+console like this:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>$ snort -r a.pcap -L dump</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Add the -d option to see the TCP and UDP payload. Now let’s switch to live\r
+traffic. Replace eth0 in the below command with an available network\r
+interface:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>$ snort -i eth0 -L dump</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Unless the interface is taken down, Snort will just keep running, so enter\r
+Control-C to terminate or use the -n option to limit the number of packets.</p></div>\r
+<div class="paragraph"><p>Generally it is better to capture the packets for later analysis like this:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>$ snort -i eth0 -L pcap -n 10</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Snort will write 10 packets to log.pcap.# where # is a timestamp value.\r
+You can read these back with -r and dump to console or pcap with -L. You\r
+get the idea.</p></div>\r
+<div class="paragraph"><p>Note that you can do similar things with other tools like tcpdump or\r
+Wireshark however these commands are very useful when you want to check\r
+your Snort setup.</p></div>\r
+<div class="paragraph"><p>The examples above use the default pcap DAQ. Snort supports non-pcap\r
+interfaces as well via the DAQ (data acquisition) library. Other DAQs\r
+provide additional functionality such as inline operation and/or higher\r
+performance. There are even DAQs that support raw file processing (ie\r
+without packets), socket processing, and plain text packets. To load\r
+external DAQ libraries and see available DAQs or select a particular DAQ\r
+use one of these commands:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>$ snort --daq-dir <path> --daq-list\r
+$ snort --daq-dir <path> --daq <type></code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Be sure to put the --daq-dir option ahead of the --daq-list option or the\r
+external DAQs won’t appear in the list.</p></div>\r
+<div class="paragraph"><p>To leverage intrusion detection features of Snort you will need to provide\r
+some configuration details. The next section breaks down what must be\r
+done.</p></div>\r
</div>\r
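Review bot: the sentence "Note that the output excludes non-zero numbers so it is easy to see what is there" in the -r a.pcap paragraph says the opposite of what is meant; zero counts are what is suppressed, as the Basic Statistics section later states ("only the non-zero counts are output"). Suggest `+statistics. Note that the output excludes zero counts so it is easy`. Separately, the `--daq-dir <path> --daq-list` and `--daq <type>` lines sit inside `<pre><code>` with raw angle brackets, so a browser will parse `<path>` and `<type>` as tags and the placeholders vanish from the rendered page; they need to be `&lt;path&gt;` and `&lt;type&gt;`. Minor grammar in the opening paragraph: "it is best start simply" should be "it is best to start simply".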
<div class="sect2">\r
-<h3 id="_modules">Modules</h3>\r
-<div class="paragraph"><p>Snort++ is organized into a collection of builtin and plugin modules.\r
+<h3 id="_configuration">Configuration</h3>\r
+<div class="paragraph"><p>Effective configuration of Snort is done via the environment, command\r
+line, a Lua configuration file, and a set of rules.</p></div>\r
+<div class="paragraph"><p>Note that backwards compatibility with Snort 2 was sacrificed to obtain\r
+new and improved functionality. While Snort 3 leverages some of the\r
+Snort 2 code base, a lot has changed. The configuration of Snort 3 is\r
+done with Lua, so your old conf won’t work as is. Rules are still text\r
+based but with syntax tweaks, so your 2.X rules must be fixed up. However,\r
+snort2lua will help you convert your conf and rules to the new format.</p></div>\r
+<div class="sect3">\r
+<h4 id="_environment">Environment</h4>\r
+<div class="paragraph"><p>LUA_PATH must be set based on your install:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>LUA_PATH=$install_prefix/include/snort/lua/\?.lua\;\;</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>SNORT_LUA_PATH must be set to load auxiliary configuration files if you use\r
+the default snort.lua. For example:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>export SNORT_LUA_PATH=$install_prefix/etc/snort</code></pre>\r
+</div></div>\r
+</div>\r
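Review bot: the LUA_PATH example is a bare shell assignment (`LUA_PATH=$install_prefix/include/snort/lua/\?.lua\;\;`) while the SNORT_LUA_PATH example two lines later uses `export`; without `export` the variable stays local to the shell and the snort process never sees it, so a reader who copies the line as shown gets an unexplained Lua load failure. Suggest prefixing it with `export` for consistency with the second example.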
+<div class="sect3">\r
+<h4 id="_command_line">Command Line</h4>\r
+<div class="paragraph"><p>A simple command line might look like this:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort -c snort.lua -R cool.rules -r some.pcap -A cmg</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>To understand what that does, you can start by just running snort with no\r
+arguments by running snort --help. Help for all configuration and rule\r
+options is available via a suitable command line. In this case:</p></div>\r
+<div class="paragraph"><p>-c snort.lua is the main configuration file. This is a Lua script that is\r
+executed when loaded.</p></div>\r
+<div class="paragraph"><p>-R cool.rules contains some detection rules. You can write your own or\r
+obtain them from Talos (native 3.0 rules are not yet available from Talos\r
+so you must convert them with snort2lua). You can also put your rules\r
+directly in your configuration file.</p></div>\r
+<div class="paragraph"><p>-r some.pcap tells Snort to read network traffic from the given packet\r
+capture file. You could instead use -i eth0 to read from a live interface.\r
+There many other options available too depending on the DAQ you use.</p></div>\r
+<div class="paragraph"><p>-A cmg says to output intrusion events in "cmg" format, which has basic\r
+header details followed by the payload in hex and text.</p></div>\r
+<div class="paragraph"><p>Note that you add to and/or override anything in your configuration file by\r
+using the --lua command line option. For example:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>--lua 'ips = { enable_builtin_rules = true }'</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>will load the built-in decoder and inspector rules. In this case, ips is\r
+overwritten with the config you see above. If you just want to change the\r
+config given in your configuration file you would do it like this:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>--lua 'ips.enable_builtin_rules = true'</code></pre>\r
+</div></div>\r
+</div>\r
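Review bot: "you can start by just running snort with no arguments by running snort --help" contradicts itself (no arguments versus --help); suggest "you can start by running snort with no arguments or with --help". Two smaller grammar points in the same subsection: "There many other options available too" is missing "are", and "Note that you add to and/or override anything in your configuration file" should be "Note that you can add to and/or override".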
+<div class="sect3">\r
+<h4 id="_configuration_file">Configuration File</h4>\r
+<div class="paragraph"><p>The configuration file gives you complete control over how Snort processes\r
+packets. Start with the default snort.lua included in the distribution\r
+because that contains some key ingredients. Note that most of the\r
+configurations look like:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>stream = { }</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>This means enable the stream module using internal defaults. To see what\r
+those are, you could run:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort --help-config stream</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Snort is organized into a collection of builtin and plugin modules.\r
If a module has parameters, it is configured by a Lua table of the same\r
name. For example, we can see what the active module has to offer with\r
this command:</p></div>\r
<pre><code>active = { max_responses = 1, min_interval = 5 }</code></pre>\r
</div></div>\r
</div>\r
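Review bot: the paragraph ending "we can see what the active module has to offer with this command:" is followed by a Lua table (`active = { max_responses = 1, min_interval = 5 }`), not a command; either the command line was dropped from the block (the `snort --help-config stream` form shown just above would be the natural shape for the active module) or the lead-in should introduce the table as the module's default configuration. As it stands the reader is promised a command and shown config.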
+<div class="sect3">\r
+<h4 id="_rules">Rules</h4>\r
+<div class="paragraph"><p>Rules determine what Snort is looking for. They can be put directly in\r
+your Lua configuration file with the ips module, on the command line with\r
+--lua, or in external files. Generally you will have many rules obtained\r
+from various sources such as Talos and loading external files is the way to\r
+go so we will summarize that here. Add this to your Lua configuration:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>ips = { include = 'rules.txt' }</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>to load the external rules file named rules.txt. You can only specify\r
+one file this way but rules files can include other rules files with the\r
+include statement. In addition you can load rules like:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>$ sort -c snort.lua -R rules.txt</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>You can use both approaches together.</p></div>\r
+</div>\r
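Review bot: typo in the Rules subsection's command example, `$ sort -c snort.lua -R rules.txt` invokes the Unix sort utility rather than snort; it should be `$ snort -c snort.lua -R rules.txt`, matching the -R form used in the Command Line subsection.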
+<div class="sect3">\r
+<h4 id="_converting_your_2_x_configuration">Converting Your 2.X Configuration</h4>\r
+<div class="paragraph"><p>If you have a working 2.X configuration snort2lua makes it easy to get up\r
+and running with Snort 3. This tool will convert your configuration and/or\r
+rules files automatically. You will want to clean up the results and\r
+double check that it is doing exactly what you need.</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort2lua -c snort.conf</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>The above command will generate snort.lua based on your 2.X configuration.\r
+For more information and options for more sophisticated use cases, see the\r
+Snort2Lua section later in the manual.</p></div>\r
+</div>\r
+</div>\r
<div class="sect2">\r
-<h3 id="_plugins_and_scripts">Plugins and Scripts</h3>\r
-<div class="paragraph"><p>There are several plugin types:</p></div>\r
+<h3 id="_output">Output</h3>\r
+<div class="paragraph"><p>Snort can produce quite a lot of data. In the following we will summarize\r
+the key aspects of the core output types. Additional data such as from\r
+appid is covered later.</p></div>\r
+<div class="sect3">\r
+<h4 id="_basic_statistics">Basic Statistics</h4>\r
+<div class="paragraph"><p>At shutdown, Snort will output various counts depending on configuration\r
+and the traffic processed. Generally, you may see:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-Codec - to decode and encode packets\r
+Packet Statistics - this includes data from the DAQ and decoders such as\r
+ the number of packets received and number of UDP packets.\r
</p>\r
</li>\r
<li>\r
<p>\r
-Inspector - like the prior preprocessors, for normalization, etc.\r
+Module Statistics - each module tracks activity via a set of peg counts\r
+ that indicate how many times something was observed or performed. This\r
+ might include the number of HTTP GET requests processed and the number of\r
+ TCP reset packets trimmed.\r
</p>\r
</li>\r
<li>\r
<p>\r
-IpsOption - for detection in Snort++ IPS rules\r
+File Statistics - look here for a breakdown of file type, bytes,\r
+ signatures.\r
</p>\r
</li>\r
<li>\r
<p>\r
-IpsAction - for custom rule actions\r
+Summary Statistics - this includes total runtime for packet processing\r
+ and the packets per second. Profiling data will appear here as well if\r
+ configured.\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Note that only the non-zero counts are output. Run this to see the\r
+available counts:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>$ snort --help-counts</code></pre>\r
+</div></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_alerts">Alerts</h4>\r
+<div class="paragraph"><p>If you configured rules, you will need to configure alerts to see the\r
+details of detection events. Use the -A option like this:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>$ snort -c snort.lua -r a.pcap -A cmg</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>There are many types of alert outputs possible. Here is a brief list:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-Logger - for handling events\r
+-A cmg is the same as -A fast -d -e and will show information about the\r
+ alert along with packet headers and payload.\r
</p>\r
</li>\r
<li>\r
<p>\r
-Mpse - for fast pattern matching\r
+-A u2 is the same as -A unified2 and will log events and triggering\r
+ packets in a binary file that you can feed to other tools for post\r
+ processing. Note that Snort 3 does not provide the raw packets for\r
+ alerts on PDUs; you will get the actual buffer that alerted.\r
</p>\r
</li>\r
<li>\r
<p>\r
-So - for dynamic rules\r
+-A csv will output various fields in comma separated value format. This\r
+ is entirely customizable and very useful for pcap analysis.\r
</p>\r
</li>\r
</ul></div>\r
-<div class="paragraph"><p>Most plugins can be built statically or dynamically. By default they are\r
-all static. There is no difference in functionality between static or\r
-dynamic plugins but the dynamic build generates a slightly lighter weight\r
-binary. Either way you can add dynamic plugins with --plugin-path and\r
-newer versions will replace older versions, even when built statically.</p></div>\r
-<div class="paragraph"><p>The power of plugins is that they have a very focused purpose and can be\r
-created with relative ease. For example, you can extend the rule language\r
-by writing your own IpsOption and it will plug in and function just like\r
-existing options. The extra directory has examples of each type of plugin.</p></div>\r
-<div class="paragraph"><p>Some things just need to be tweaked or prototyped quickly. In addition to\r
-the Lua conf, which is a script that can contain functions to compute\r
-settings, etc., you can also script Loggers and IpsOptions.</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_new_http_inspector">New Http Inspector</h3>\r
-<div class="paragraph"><p>One of the major undertakings for Snort 3.0 is developing a completely new\r
-HTTP inspector. You can configure it by adding:</p></div>\r
+<div class="paragraph"><p>To see the available alert types, you can run this command:</p></div>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>http_inspect = {}</code></pre>\r
+<pre><code>$ snort --list-plugins | grep logger</code></pre>\r
</div></div>\r
-<div class="paragraph"><p>to your snort.lua configuration file. Or you can read it in the source code\r
-under src/service_inspectors/http_inspect.</p></div>\r
-<div class="paragraph"><p>The classic HTTP preprocessor is still available in the alpha release under\r
-extra. It has been renamed http_server. Be sure not to configure both old\r
-and new HTTP inspectors at the same time.</p></div>\r
-<div class="paragraph"><p>So why a new HTTP inspector?</p></div>\r
-<div class="paragraph"><p>For starters it is object-oriented. That’s good for us because we maintain\r
-this software. But it should also be really nice for open-source\r
-developers. You can make meaningful changes and additions to HTTP\r
-processing without having to understand the whole thing. In fact much of\r
-the new HTTP inspector’s knowledge of HTTP is centralized in a series of\r
-tables where it can be easily reviewed and modified. Many significant\r
-changes can be made just by updating these tables.</p></div>\r
-<div class="paragraph"><p>Http_inspect is the first inspector written specifically for the new\r
-Snort 3.0 architecture. That provides access to one of the very best\r
-features of Snort 3.0: purely PDU-based inspection. The classic preprocessor\r
-processes HTTP messages, but even while doing so it is constantly aware of\r
-IP packets and how they divide up the TCP data stream. The same HTTP\r
-message might be processed differently depending on how the sender (bad\r
-guy) divided it up into IP packets.</p></div>\r
-<div class="paragraph"><p>Http_inspect is free of this burden and can focus exclusively on HTTP.\r
-That makes it much simpler, easier to test, and less prone to false\r
-positives. It also greatly reduces the opportunity for adversaries to probe\r
-the inspector for weak spots by adjusting packet boundaries to disguise bad\r
-behavior.</p></div>\r
-<div class="paragraph"><p>Dealing solely with HTTP messages also opens the door for developing major\r
-new features. The http_inspect design supports true stateful\r
-processing. Want to ask questions that involve both the client request and\r
-the server response? Or different requests in the same session? These\r
-things are possible.</p></div>\r
-<div class="paragraph"><p>Another new feature on the horizon is HTTP/2 analysis. HTTP/2 derives from\r
-Google’s SPDY project and is in the process of being standardized. Despite\r
-the name, it is better to think of HTTP/2 not as a newer version of\r
-HTTP/1.1, but rather a separate protocol layer that runs under HTTP/1.1 and\r
-on top of TLS or TCP. It’s a perfect fit for the new Snort 3.0 architecture\r
-because a new HTTP/2 inspector would naturally output HTTP/1.1 messages but\r
-not any underlying packets. Exactly what http_inspect wants to input.</p></div>\r
-<div class="paragraph"><p>Http_inspect is taking a very different approach to HTTP header fields.\r
-The classic preprocessor divides all the HTTP headers following the start line\r
-into cookies and everything else. It normalizes the two pieces using a\r
-generic process and puts them in buffers that one can write rules against.\r
-There is some limited support for examining individual headers within the\r
-inspector but it is very specific.</p></div>\r
-<div class="paragraph"><p>The new concept is that every header should be normalized in an appropriate\r
-and specific way and individually made available for the user to write\r
-rules against it. If for example a header is supposed to be a date then\r
-normalization means put that date in a standard format.</p></div>\r
</div>\r
-<div class="sect2">\r
-<h3 id="_binder_and_wizard">Binder and Wizard</h3>\r
-<div class="paragraph"><p>One of the fundamental differences between Snort and Snort++ concerns configuration\r
-related to networks and ports. Here is a brief review of Snort’s configuration for\r
-network and service related components:</p></div>\r
+<div class="sect3">\r
+<h4 id="_files_and_paths">Files and Paths</h4>\r
+<div class="paragraph"><p>Note that output is specific to each packet thread. If you run 4 packet\r
+threads with u2 output, you will get 4 different u2 files. The basic\r
+structure is:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code><logdir>/[<run_prefix>][<id#>][<X>]<name></code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>where:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-Snort’s configuration has a default policy and optional policies selected by\r
- VLAN or network (with config binding).\r
+logdir is set with -l and defaults to ./\r
</p>\r
</li>\r
<li>\r
<p>\r
-Each policy contains a user defined set of preprocessor configurations.\r
+run_prefix is set with --run-prefix else not used\r
</p>\r
</li>\r
<li>\r
<p>\r
-Each preprocessor has a default configuration and some support non-default\r
- configurations selected by network.\r
+id# is the packet thread number that writes the file; with one packet\r
+ thread, id# (zero) is omitted without --id-zero\r
</p>\r
</li>\r
<li>\r
<p>\r
-Most preprocessors have port configurations.\r
+X is / if you use --id-subdir, else _ if id# is used\r
</p>\r
</li>\r
<li>\r
<p>\r
-The default policy may also contain a list of ports to ignore.\r
+name is based on module name that writes the file\r
</p>\r
</li>\r
</ul></div>\r
-<div class="paragraph"><p>In Snort++, the above configurations are done in a single module called the binder. Here is an example:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>binder =\r
-{\r
- -- allow all tcp port 22:\r
- -- (similar to snort 2.X config ignore_ports)\r
- { when = { proto = 'tcp', ports = '22' }, use = { action = 'allow' } },</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>-- select a config file by vlan\r
--- (similar to snort 2.X config binding by vlan)\r
-{ when = { vlans = '1024' }, use = { file = 'vlan.lua' } },</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>-- use a non-default HTTP inspector for port 8080:\r
--- (similar to a snort 2.X targeted preprocessor config)\r
-{ when = { nets = '192.168.0.0/16', proto = 'tcp', ports = '8080' },\r
- use = { name = 'alt_http', type = 'http_inspect' } },</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>-- use the default inspectors:\r
--- (similar to a snort 2.X default preprocessor config)\r
-{ when = { proto = 'tcp' }, use = { type = 'stream_tcp' } },\r
-{ when = { service = 'http' }, use = { type = 'http_inspect' } },</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code> -- figure out which inspector to run automatically:\r
- { use = { type = 'wizard' } }\r
-}</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Bindings are evaluated when a session starts and again if and when service is\r
-identified on the session. Essentially, the bindings are a list of when-use\r
-rules evaluated from top to bottom. The first matching network and service\r
-configurations are applied. binder.when can contain any combination of\r
-criteria and binder.use can specify an action, config file, or inspector\r
-configuration.</p></div>\r
-<div class="paragraph"><p>Using the wizard enables port-independent configuration and the detection of\r
-malware command and control channels. If the wizard is bound to a session, it\r
-peeks at the initial payload to determine the service. For example, <em>GET</em>\r
-would indicate HTTP and <em>HELO</em> would indicate SMTP. Upon finding a match, the\r
-service bindings are reevaluated so the session can be handed off to the\r
-appropriate inspector. The wizard is still under development; if you find you\r
-need to tweak the defaults please let us know.</p></div>\r
-<div class="paragraph"><p>Additional Details:</p></div>\r
+<div class="paragraph"><p>Additional considerations:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-If the wizard and one or more service inspectors are configured w/o\r
- explicitly configuring the binder, default bindings will be generated which\r
- should work for most common cases.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Also note that while Snort 2.X bindings can only be configured in the\r
- default policy, each Snort 3.0 policy can contain a binder leading to an\r
- arbitrary hierarchy.\r
+There is no way to explicitly configure a full path to avoid issues with\r
+ multiple packet threads.\r
</p>\r
</li>\r
<li>\r
<p>\r
-The entire configuration can be reloaded and hot-swapped during run-time\r
- via signal or command in both Snort 2.X and 3.0. Ultimately, Snort 3.0\r
- will support commands to update the binder on the fly, thus enabling\r
- incremental reloads of individual inspectors.\r
+All text mode outputs default to stdout\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
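Review bot: the path template `<logdir>/[<run_prefix>][<id#>][<X>]<name>` is placed inside `<pre><code>` with unescaped angle brackets, so every placeholder will be consumed as an HTML tag and the rendered line collapses to `/[][][]`; escape them as `&lt;logdir&gt;` and so on. The list item explaining id# ("is omitted without --id-zero") reads more clearly as "is omitted unless --id-zero is given", and the final item "All text mode outputs default to stdout" is missing its terminating period.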
+<div class="sect3">\r
+<h4 id="_performance_statistics">Performance Statistics</h4>\r
+<div class="paragraph"><p>Still more data is available beyond the above.</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-Both Snort 2.X and 3.0 support server specific configurations via a hosts\r
- table (XML in Snort 2.X and Lua in Snort 3.0). The table allows you to\r
- map network, protocol, and port to a service and policy. This table can\r
- be reloaded and hot-swapped separately from the config file.\r
+By configuring the perf_monitor module you can capture a configurable set\r
+ of peg counts during runtime. This is useful to feed to an external\r
+ program so you can see what is happening without stopping Snort.\r
</p>\r
</li>\r
<li>\r
<p>\r
-You can find the specifics on the binder, wizard, and hosts tables in the\r
- manual or command line like this: snort --help-module binder, etc.\r
+The profiler module allows you to track time and space used by module and\r
+ rules. Use this data to tune your system for best performance. The\r
+ output will show up under Summary Statistics at shutdown.\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
-<div class="sect2">\r
-<h3 id="_packet_processing">Packet Processing</h3>\r
-<div class="paragraph"><p>One of the goals of Snort++ is to provide a more flexible framework for\r
-packet processing by implementing an event-driven approach. Another is to\r
-produce data only when needed, to minimize expensive normalizations. To help\r
-explain these concepts, let’s start by examining how Snort processes\r
-packets. The key steps are given in the following figure:</p></div>\r
-<div class="imageblock">\r
-<div class="content">\r
-<img src="./snort2x.png" alt="Snort 2X" width="480" />\r
-</div>\r
-</div>\r
-<div class="paragraph"><p>The preprocess step is highly configurable. Arbitrary preprocessors can be\r
-loaded dynamically at startup, configured in snort.conf, and then executed\r
-at runtime. Basically, the preprocessors are put into a list which is\r
-iterated for each packet. Recent versions have tweaked the list handling\r
-some, but the same basic architecture has allowed Snort to grow from a\r
-sniffer, with no preprocessing, to a full-fledged IPS, with lots of\r
-preprocessing.</p></div>\r
-<div class="paragraph"><p>While this "list of plugins" approach has considerable flexibility, it\r
-hampers future development when the flow of data from one preprocessor to\r
-the next depends on traffic conditions, a common situation with advanced\r
-features like application identification. In this case, a preprocessor\r
-like HTTP may be extracting and normalizing data that ultimately is not\r
-used, or app ID may be repeatedly checking for data that is just not\r
-available.</p></div>\r
-<div class="paragraph"><p>Callbacks help break out of the preprocess straightjacket. This is where\r
-one preprocessor supplies another with a function to call when certain data\r
-is available. Snort has started to take this approach to pass some HTTP and\r
-SIP preprocessor data to app ID. However, it remains a peripheral feature\r
-and still requires the production of data that may not be consumed.</p></div>\r
-<div class="paragraph"><p>The basic processing steps Snort++ takes are similar to Snort’s as seen in\r
-the following diagram. The preprocess step employs specific inspector\r
-types instead of a generalized list, but the basic procedure includes\r
-stateless packet decoding, TCP stream reassembly, and service specific\r
-analysis in both cases. (Snort++ provides hooks for arbitrary inspectors,\r
-but they are not central to basic flow processing and are not shown.)</p></div>\r
-<div class="imageblock">\r
-<div class="content">\r
-<img src="./snort3x.png" alt="Snort 3X" width="480" />\r
-</div>\r
-</div>\r
-<div class="paragraph"><p>However, Snort++ also provides a more flexible mechanism than callback\r
-functions. By using inspection events, it is possible for an inspector to\r
-supply data that other inspectors can process. This is known as the\r
-observer pattern or publish-subscribe pattern.</p></div>\r
-<div class="paragraph"><p>Note that the data is not actually published. Instead, access to the data\r
-is published, and that means that subscribers can access the raw or\r
-normalized version(s) as needed. Normalizations are done only on the first\r
-access, and subsequent accesses get the previously normalized data. This\r
-results in just in time (JIT) processing.</p></div>\r
-<div class="paragraph"><p>A basic example of this in action is provided by the extra data_log plugin.\r
-It is a passive inspector, ie it does nothing until it receives the data it\r
-subscribed for (<em>other</em> in the above diagram). By adding data_log = { key\r
-= <em>http_raw_uri</em> } to your snort.lua configuration, you will get a simple\r
-URI logger.</p></div>\r
-<div class="paragraph"><p>Inspection events coupled with pluggable inspectors provide a very flexible\r
-framework for implementing new features. And JIT buffer stuffers allow\r
-Snort++ to work smarter, not harder. These capabilities will be leveraged\r
-more and more as Snort++ development continues.</p></div>\r
</div>\r
</div>\r
</div>\r
<div class="sect1">\r
-<h2 id="_getting_started">Getting Started</h2>\r
+<h2 id="_concepts">Concepts</h2>\r
<div class="sectionbody">\r
-<div class="paragraph"><p>The following pointers will help you get started:</p></div>\r
+<div class="paragraph"><p>This section provides background on essential aspects of Snort’s operation.</p></div>\r
<div class="sect2">\r
-<h3 id="_dependencies">Dependencies</h3>\r
-<div class="paragraph"><p>Required:</p></div>\r
+<h3 id="_terminology">Terminology</h3>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-autotools or cmake to build from source\r
+<strong>basic module</strong>: a module integrated into Snort that does not come from a\r
+ plugin.\r
</p>\r
</li>\r
<li>\r
<p>\r
-daq from <a href="http://www.snort.org">http://www.snort.org</a> for packet IO\r
+<strong>binder</strong>: inspector that maps configuration to traffic\r
</p>\r
</li>\r
<li>\r
<p>\r
-g++ >= 4.8 or other recent C++11 compiler\r
+<strong>builtin rules</strong>: codec and inspector rules for anomalies detected\r
+ internally.\r
</p>\r
</li>\r
<li>\r
<p>\r
-dnet from <a href="https://github.com/dugsong/libdnet.git">https://github.com/dugsong/libdnet.git</a> for network utility\r
- functions\r
+<strong>codec</strong>: short for coder / decoder. These plugins are used for basic\r
+ protocol decoding, anomaly detection, and construction of active responses.\r
</p>\r
</li>\r
<li>\r
<p>\r
-hwloc from <a href="https://www.open-mpi.org/projects/hwloc/">https://www.open-mpi.org/projects/hwloc/</a> for CPU affinity management\r
+<strong>data module</strong>: an adjunct configuration plugin for use with certain inspectors.\r
</p>\r
</li>\r
<li>\r
<p>\r
-LuaJIT from <a href="http://luajit.org">http://luajit.org</a> for configuration and scripting\r
+<strong>dynamic rules</strong>: plugin rules loaded at runtime. See SO rules.\r
</p>\r
</li>\r
<li>\r
<p>\r
-OpenSSL from <a href="https://www.openssl.org/source/">https://www.openssl.org/source/</a> for SHA and MD5 file signatures,\r
- the protected_content rule option, and SSL service detection\r
+<strong>fast pattern</strong>: the content in an IPS rule that must be found by the\r
+ search engine in order for a rule to be evaluated.\r
</p>\r
</li>\r
<li>\r
<p>\r
-pcap from <a href="http://www.tcpdump.org">http://www.tcpdump.org</a> for tcpdump style logging\r
+<strong>fast pattern matcher</strong>: see search engine.\r
</p>\r
</li>\r
<li>\r
<p>\r
-pcre from <a href="http://www.pcre.org">http://www.pcre.org</a> for regular expression pattern matching\r
+<strong>hex</strong>: a type of protocol magic that the wizard uses to identify binary\r
+ protocols.\r
</p>\r
</li>\r
<li>\r
<p>\r
-pkgconfig from <a href="https://www.freedesktop.org/wiki/Software/pkg-config/">https://www.freedesktop.org/wiki/Software/pkg-config/</a> to locate build dependencies\r
+<strong>inspector</strong>: plugin that processes packets (similar to the Snort 2\r
+ preprocessor)\r
</p>\r
</li>\r
<li>\r
<p>\r
-zlib from <a href="http://www.zlib.net">http://www.zlib.net</a> for decompression (>= 1.2.8 recommended)\r
+<strong>IPS</strong>: intrusion prevention system, like Snort.\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Optional:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-lzma >= 5.1.2 from <a href="http://tukaani.org/xz/">http://tukaani.org/xz/</a> for decompression of SWF and\r
- PDF files\r
+<strong>IPS action</strong>: plugin that allows you to perform custom actions when\r
+ events are generated. Unlike loggers, these are invoked before\r
+ thresholding and can be used to control external agents or send active\r
+ responses.\r
</p>\r
</li>\r
<li>\r
<p>\r
-hyperscan from <a href="https://github.com/01org/hyperscan">https://github.com/01org/hyperscan</a> to build new and improved\r
- regex and (coming soon) fast pattern support\r
+<strong>IPS option</strong>: this plugin is the building blocks of IPS rules.\r
</p>\r
</li>\r
<li>\r
<p>\r
-cpputest from <a href="http://cpputest.github.io">http://cpputest.github.io</a> to run additional unit tests with\r
- make check\r
+<strong>logger</strong>: a plugin that performs output of events and packets. Events\r
+ are thresholded before reaching loggers.\r
</p>\r
</li>\r
<li>\r
<p>\r
-asciidoc from <a href="http://www.methods.co.nz/asciidoc/">http://www.methods.co.nz/asciidoc/</a> to build the HTML\r
- manual\r
+<strong>module</strong>: the user facing portion of a Snort component. Modules chiefly\r
+ provide configuration parameters, but may also provide commands, builtin\r
+ rules, profiling statistics, peg counts, etc. Note that not all modules\r
+ are plugins and not all plugins have modules.\r
</p>\r
</li>\r
<li>\r
<p>\r
-dblatex from <a href="http://dblatex.sourceforge.net">http://dblatex.sourceforge.net</a> to build the pdf manual (in\r
- addition to asciidoc)\r
+<strong>peg count</strong>: the number of times a given event or condition occurs.\r
</p>\r
</li>\r
<li>\r
<p>\r
-w3m from <a href="http://sourceforge.net/projects/w3m/">http://sourceforge.net/projects/w3m/</a> to build the plain text\r
- manual\r
+<strong>plugin</strong>: one of several types of software components that can be loaded\r
+ from a dynamic library when Snort starts up. Some plugins are coupled\r
+ with the main engine in such a way that they must be built statically,\r
+ but a newer version can be loaded dynamically.\r
</p>\r
</li>\r
<li>\r
<p>\r
-source-highlight from <a href="http://www.gnu.org/software/src-highlite/">http://www.gnu.org/software/src-highlite/</a> to\r
- generate the dev guide\r
+<strong>search engine</strong>: a plugin that performs multipattern searching of packets\r
+ and payload to find rules that should be evaluated. There are currently\r
+ no specific modules, although there are several search engine plugins.\r
+ Related configuration is done with the basic detection module. Aka fast\r
+ pattern matcher.\r
</p>\r
</li>\r
<li>\r
<p>\r
-safec from <a href="https://sourceforge.net/projects/safeclib/">https://sourceforge.net/projects/safeclib/</a> for runtime bounds\r
- checks on certain legacy C-library calls.\r
+<strong>SO rule</strong>: a IPS rule plugin that performs custom detection that can’t\r
+ be done by a text rule. These rules typically do not have associated\r
+ modules. SO comes from shared object, meaning dynamic library.\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_building">Building</h3>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-Optionally built features are listed in the reference section.\r
+<strong>spell</strong>: a type of protocol magic that the wizard uses to identify ASCII\r
+ protocols.\r
</p>\r
</li>\r
<li>\r
<p>\r
-Create an install path:\r
+<strong>text rule</strong>: a rule loaded from the configuration that has a header and\r
+ body. The header specifies action, protocol, source and destination IP\r
+ addresses and ports, and direction. The body specifies detection and\r
+ non-detection options.\r
</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>export my_path=/path/to/snorty\r
-mkdir -p $my_path</code></pre>\r
-</div></div>\r
</li>\r
<li>\r
<p>\r
-If you are using a github clone with autotools, do this:\r
+<strong>wizard</strong>: inspector that applies protocol magic to determine which\r
+ inspectors should be bound to traffic absent a port specific binding.\r
+ See hex and spell.\r
</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_modules">Modules</h3>\r
+<div class="paragraph"><p>Modules are the building blocks of Snort. They encapsulate the types of\r
+data that many components need including parameters, peg counts, profiling,\r
+builtin rules, and commands. This allows Snort to handle them generically\r
+and consistently. You can learn quite a lot about any given module from\r
+the command line. For example, to see what stream_tcp is all about, do\r
+this:</p></div>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>autoreconf -isvf</code></pre>\r
+<pre><code>$ snort --help-config stream_tcp</code></pre>\r
</div></div>\r
-</li>\r
-<li>\r
-<p>\r
-Now do one of the following:\r
-</p>\r
-<div class="olist loweralpha"><ol class="loweralpha">\r
-<li>\r
-<p>\r
-To build with autotools, simply do the usual from the top level directory:\r
-</p>\r
+<div class="paragraph"><p>Modules are configured using Lua tables with the same name. So the\r
+stream_tcp module is configured with defaults like this:</p></div>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>./configure --prefix=$my_path\r
-make -j 8\r
-make install</code></pre>\r
+<pre><code>stream_tcp = { }</code></pre>\r
</div></div>\r
-</li>\r
-<li>\r
-<p>\r
-To build with cmake and make, run configure_cmake.sh. It will\r
- automatically create and populate a new subdirectory named <em>build</em>.\r
-</p>\r
+<div class="paragraph"><p>The earlier help output showed that the default session tracking timeout is\r
+30 seconds. To change that to 60 seconds, you can configure it this way:</p></div>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>./configure_cmake.sh --prefix=$my_path\r
-cd build\r
-make -j 8\r
-make install\r
-ln -s $my_path/conf $my_path/etc</code></pre>\r
+<pre><code>stream_tcp = { session_timeout = 60 }</code></pre>\r
</div></div>\r
-</li>\r
-<li>\r
-<p>\r
-You can also specify a cmake project generator:\r
-</p>\r
+<div class="paragraph"><p>Or this way:</p></div>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>./configure_cmake.sh --generator=Xcode --prefix=$my_path</code></pre>\r
+<pre><code>stream_tcp = { }\r
+stream_tcp.session_timeout = 60</code></pre>\r
</div></div>\r
-</li>\r
+<div class="paragraph"><p>More on parameters is given in the next section.</p></div>\r
+<div class="paragraph"><p>Other things to note about modules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-Or use ccmake directly to configure and generate from an arbitrary build\r
- directory like one of these:\r
+Shutdown output will show the non-zero peg counts for all modules. For\r
+ example, if stream_tcp did anything, you would see the number of sessions\r
+ processed among other things.\r
</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>ccmake -G Xcode /path/to/Snort++/tree\r
-open snort.xcodeproj</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>ccmake -G "Eclipse CDT4 - Unix Makefiles" /path/to/Snort++/tree\r
-run eclipse and do File > Import > Existing Eclipse Project</code></pre>\r
-</div></div>\r
</li>\r
-</ol></div>\r
+<li>\r
+<p>\r
+Providing the builtin rules allows the documentation to include them\r
+ automatically and also allows for autogenerating the rules at startup.\r
+</p>\r
</li>\r
<li>\r
<p>\r
-To build with g++ on OS X where clang is installed, do this first:\r
+Only a few module provide commands at this point, most notably the snort\r
+ module.\r
</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>export CXX=g++</code></pre>\r
-</div></div>\r
</li>\r
</ul></div>\r
</div>\r
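Review bot: the Modules paragraph "The earlier help output showed that the default session tracking timeout is 30 seconds" refers to output the manual never shows; either quote the session_timeout line of `snort --help-config stream_tcp` directly under that command or rephrase as "The help output shows that ...". Three grammar fixes in the same region: "IPS option: this plugin is the building blocks of IPS rules" should be "these plugins are the building blocks of IPS rules"; "SO rule: a IPS rule plugin" should be "an IPS rule plugin"; "Only a few module provide commands" should be "Only a few modules provide commands". Also, this region removes the Dependencies, Building and Run subsections (the `-` lines from "Required:" through the multi-thread pcap example) with no replacement visible in the diff; confirm that material is relocated rather than dropped, since the new Concepts text assumes a built and installed snort.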
<div class="sect2">\r
-<h3 id="_run">Run</h3>\r
-<div class="paragraph"><p>First set up the environment:</p></div>\r
+<h3 id="_parameters">Parameters</h3>\r
+<div class="paragraph"><p>Parameters are given with this format:</p></div>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>export LUA_PATH=$my_path/include/snort/lua/\?.lua\;\;\r
-export SNORT_LUA_PATH=$my_path/etc/snort/</code></pre>\r
+<pre><code>type name = default: help { range }</code></pre>\r
</div></div>\r
-<div class="paragraph"><p>Then give it a go:</p></div>\r
+<div class="paragraph"><p>The following types are used:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-Get some help:\r
+<strong>addr</strong>: any valid IP4 or IP6 address or CIDR\r
</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$my_path/bin/snort --help\r
-$my_path/bin/snort --help-module suppress\r
-$my_path/bin/snort --help-config | grep thread</code></pre>\r
-</div></div>\r
</li>\r
<li>\r
<p>\r
-Examine and dump a pcap:\r
+<strong>addr_list</strong>: a space separated list of addr values\r
</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$my_path/bin/snort -r <pcap>\r
-$my_path/bin/snort -L dump -d -e -q -r <pcap></code></pre>\r
-</div></div>\r
</li>\r
<li>\r
<p>\r
-Verify config, with or w/o rules:\r
+<strong>bit_list</strong>: a list of consecutive integer values from 1 to the range\r
+ maximum\r
</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$my_path/bin/snort -c $my_path/etc/snort/snort.lua\r
-$my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules</code></pre>\r
-</div></div>\r
</li>\r
<li>\r
<p>\r
-Run IDS mode. To keep it brief, look at the first n packets in each file:\r
+<strong>bool</strong>: true or false\r
</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \\r
- -r <pcap> -A alert_test -n 100000</code></pre>\r
-</div></div>\r
</li>\r
<li>\r
<p>\r
-Let’s suppress 1:2123. We could edit the conf or just do this:\r
+<strong>dynamic</strong>: a select type determined by loaded plugins\r
</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \\r
- -r <pcap> -A alert_test -n 100000 --lua "suppress = { { gid = 1, sid = 2123 } }"</code></pre>\r
-</div></div>\r
</li>\r
<li>\r
<p>\r
-Go whole hog on a directory with multiple packet threads:\r
+<strong>enum</strong>: a string selected from the given range\r
</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \\r
- --pcap-filter \*.pcap --pcap-dir <dir> -A alert_fast -n 1000 --max-packet-threads 8</code></pre>\r
-</div></div>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>For more examples, see the usage section.</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_tips">Tips</h3>\r
-<div class="paragraph"><p>One of the goals of Snort++ is to make it easier to configure your sensor.\r
-Here is a summary of tips and tricks you may find useful.</p></div>\r
-<div class="paragraph"><p>General Use</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-Snort tries hard not to error out too quickly. It will report multiple\r
- semantic errors.\r
+<strong>implied</strong>: an IPS rule option that takes no value but means true\r
</p>\r
</li>\r
<li>\r
<p>\r
-Snort always assumes the simplest mode of operation. Eg, you can omit the -T\r
- option to validate the conf if you don’t provide a packet source.\r
+<strong>int</strong>: a whole number in the given range\r
</p>\r
</li>\r
<li>\r
<p>\r
-Warnings are not emitted unless --warn-* is specified. --warn-all enables all\r
- warnings, and --pedantic makes such warnings fatal.\r
+<strong>ip4</strong>: an IP4 address or CIDR\r
</p>\r
</li>\r
<li>\r
<p>\r
-You can process multiple sources at one time by using the -z or --max-threads\r
- option.\r
+<strong>mac</strong>: an ethernet address with the form 01:02:03:04:05:06\r
</p>\r
</li>\r
<li>\r
<p>\r
-To make it easy to find the important data, zero counts are not output at\r
- shutdown.\r
+<strong>multi</strong>: one or more space separated strings from the given range\r
</p>\r
</li>\r
<li>\r
<p>\r
-Load plugins from the command line with --plugin-path /path/to/install/lib.\r
+<strong>port</strong>: an int in the range 0:65535 indicating a TCP or UDP port number\r
</p>\r
</li>\r
<li>\r
<p>\r
-You can process multiple sources at one time by using the -z or\r
- --max-threads option.\r
+<strong>real</strong>: a real number in the given range\r
</p>\r
</li>\r
<li>\r
<p>\r
-Unit tests are configured with --enable-unit-tests. They can then be run\r
- with snort --catch-test [tags]|all.\r
+<strong>select</strong>: a string selected from the given range\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Lua Configuration</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-Configure the wizard and default bindings will be created based on configured\r
- inspectors. No need to explicitly bind ports in this case.\r
+<strong>string</strong>: any string with no more than the given length, if any\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>The parameter name may be adorned in various ways to indicate additional\r
+information about the type and use of the parameter:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-You can override or add to your Lua conf with the --lua command line option.\r
+For Lua configuration (not IPS rules), if the name ends with [] it is\r
+ a list item and can be repeated.\r
</p>\r
</li>\r
<li>\r
<p>\r
-The Lua conf is a live script that is executed when loaded. You can add\r
- functions, grab environment variables, compute values, etc.\r
+For IPS rules only, names starting with ~ indicate positional\r
+ parameters. The names of such parameters do not appear in the rule.\r
</p>\r
</li>\r
<li>\r
<p>\r
-You can also rename symbols that you want to disable. For example,\r
- changing normalizer to Xnormalizer (an unknown symbol) will disable the\r
- normalizer. This can be easier than commenting in some cases.\r
+IPS rules may also have a wild card parameter, which is indicated by a\r
+ *. Only used for metadata that Snort ignores.\r
</p>\r
</li>\r
<li>\r
<p>\r
-By default, symbols unknown to Snort++ are silently ignored. You can\r
- generate warnings for them with --warn-unknown. To ignore such symbols,\r
- export them in the environment variable SNORT_IGNORE.\r
+The snort module has command line options starting with a -.\r
</p>\r
</li>\r
</ul></div>\r
-<div class="paragraph"><p>Writing and Loading Rules</p></div>\r
-<div class="paragraph"><p>Snort++ rules allow arbitrary whitespace. Multi-line rules make it easier to\r
-structure your rule for clarity. There are multiple ways to add comments to\r
-your rules:</p></div>\r
+<div class="paragraph"><p>Some additional details to note:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-Like Snort, the # character starts a comment to end of line. In addition, all\r
- lines between #begin and #end are comments.\r
+Table and variable names are case sensitive; use lower case only.\r
</p>\r
</li>\r
<li>\r
<p>\r
-The rem option allows you to write a comment that is conveyed with the rule.\r
+String values are case sensitive too; use lower case only.\r
</p>\r
</li>\r
<li>\r
<p>\r
-C style multi-line comments are allowed, which means you can comment out\r
- portions of a rule while testing it out by putting the options between /* and\r
- */.\r
+Numeric ranges may be of the form low:high where low and high are\r
+ bounds included in the range. If either is omitted, there is no hard\r
+ bound. E.g. 0: means any x where x >= 0.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Strings may have a numeric range indicating a length limit; otherwise\r
+ there is no hard limit.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bit_list is typically used to store a set of byte, port, or VLAN ID\r
+ values.\r
</p>\r
</li>\r
</ul></div>\r
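Review bot: the bit_list entry "a list of consecutive integer values from 1 to the range maximum" conflicts with the later note that bit_list "is typically used to store a set of byte, port, or VLAN ID values", which are not consecutive; if the type is a set of integers each within 1 and the range maximum, say that and drop "consecutive", otherwise explain what the consecutive constraint means for a port list. Also, enum ("a string selected from the given range") and select ("a string selected from the given range") are given word-for-word identical descriptions; state what distinguishes them, or mark them as synonyms the way fast pattern matcher and search engine are cross-referenced in Terminology, and make the dynamic entry ("a select type determined by loaded plugins") point at whichever one is meant.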
-<div class="paragraph"><p>There are multiple ways to load rules too:</p></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_plugins">Plugins</h3>\r
+<div class="paragraph"><p>Snort uses a variety of plugins to accomplish much of its processing\r
+objectives, including:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-Set ips.rules or ips.include.\r
+Codec - to decode and encode packets\r
</p>\r
</li>\r
<li>\r
<p>\r
-Snort 2.X include statements can be used in rules files.\r
+Inspector - like Snort 2 preprocessors, for normalization, etc.\r
</p>\r
</li>\r
<li>\r
<p>\r
-Use -R to load a rules file.\r
+IpsOption - for detection in Snort rules\r
</p>\r
</li>\r
<li>\r
<p>\r
-Use --stdin-rules with command line redirection.\r
+IpsAction - for custom actions\r
</p>\r
</li>\r
<li>\r
<p>\r
-Use --lua to specify one or more rules as a command line argument.\r
+Logger - for handling events\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Output Files</p></div>\r
-<div class="paragraph"><p>To make it simple to configure outputs when you run with multiple packet\r
-threads, output files are not explicitly configured. Instead, you can use the\r
-options below to format the paths:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code><logdir>/[<run_prefix>][<id#>][<X>]<name></code></pre>\r
-</div></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-logdir is set with -l and defaults to ./\r
+Mpse - for fast pattern matching\r
</p>\r
</li>\r
<li>\r
<p>\r
-run_prefix is set with --run-prefix else not used\r
+So - for dynamic rules\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>The power of plugins is that they have a very focused purpose and can be\r
+created with relative ease. For example, you can extend the rule language\r
+by writing your own IpsOption and it will plug in and function just like\r
+existing options. The extra directory has examples of each type of plugin.</p></div>\r
+<div class="paragraph"><p>Most plugins can be built statically or dynamically. By default they are\r
+all static. There is no difference in functionality between static or\r
+dynamic plugins but the dynamic build generates a slightly lighter weight\r
+binary. Either way you can add dynamic plugins with --plugin-path and\r
+newer versions will replace older versions, even when built statically.</p></div>\r
+<div class="paragraph"><p>A single dynamic library may contain more than one plugin. For example, an\r
+inspector will typically be packaged together with any associated rule\r
+options.</p></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_operation">Operation</h3>\r
+<div class="paragraph"><p>Snort is a signature-based IPS, which means that as it receives network\r
+packets it reassembles and normalizes the content so that a set of rules\r
+can be evaluated to detect the presence of any significant conditions that\r
+merit further action. A rough processing flow is as follows:</p></div>\r
+<div class="imageblock">\r
+<div class="content">\r
+<img src="./snort2x.png" alt="Snort 2" width="480" />\r
+</div>\r
+</div>\r
+<div class="paragraph"><p>The steps are:</p></div>\r
+<div class="olist arabic"><ol class="arabic">\r
<li>\r
<p>\r
-id# is the packet thread number that writes the file; with one packet thread,\r
- id# (zero) is omitted without --id-zero\r
+Decode each packet to determine the basic network characteristics such\r
+as source and destination addresses and ports. A typical packet might have\r
+ethernet containing IP containing TCP containing HTTP (ie eth:ip:tcp:http).\r
+The various encapsulating protocols are examined for sanity and anomalies\r
+as the packet is decoded. This is essentially a stateless effort.\r
</p>\r
</li>\r
<li>\r
<p>\r
-X is / if you use --id-subdir, else _ if id# is used\r
+Preprocess each decoded packet using accumulated state to determine the\r
+purpose and content of the innermost message. This step may involve\r
+reordering and reassembling IP fragments and TCP segments to produce the\r
+original application protocol data unit (PDU). Such PDUs are analyzed and\r
+normalized as needed to support further processing.\r
</p>\r
</li>\r
<li>\r
<p>\r
-name is based on module name that writes the file\r
+Detection is a two step process. For efficiency, most rules contain a\r
+specific content pattern that can be searched for such that if no match is\r
+found no further processing is necessary. Upon start up, the rules are\r
+compiled into pattern groups such that a single, parallel search can be\r
+done for all patterns in the group. If any match is found, the full rule\r
+is examined according to the specifics of the signature.\r
</p>\r
</li>\r
<li>\r
<p>\r
-all text mode outputs default to stdout\r
+The logging step is where Snort saves any pertinent information\r
+resulting from the earlier steps. More generally, this is where other\r
+actions can be taken as well such as blocking the packet.\r
</p>\r
</li>\r
-</ul></div>\r
+</ol></div>\r
+<div class="sect3">\r
+<h4 id="_snort_2_processing">Snort 2 Processing</h4>\r
+<div class="paragraph"><p>The preprocess step in Snort 2 is highly configurable. Arbitrary\r
+preprocessors can be loaded dynamically at startup, configured in\r
+snort.conf, and then executed at runtime. Basically, the preprocessors are\r
+put into a list which is iterated for each packet. Recent versions have\r
+tweaked the list handling some, but the same basic architecture has allowed\r
+Snort 2 to grow from a sniffer, with no preprocessing, to a full-fledged\r
+IPS, with lots of preprocessing.</p></div>\r
+<div class="paragraph"><p>While this "list of plugins" approach has considerable flexibility, it\r
+hampers future development when the flow of data from one preprocessor to\r
+the next depends on traffic conditions, a common situation with advanced\r
+features like application identification. In this case, a preprocessor\r
+like HTTP may be extracting and normalizing data that ultimately is not\r
+used, or appID may be repeatedly checking for data that is just not\r
+available.</p></div>\r
+<div class="paragraph"><p>Callbacks help break out of the preprocess straitjacket. This is where one\r
+preprocessor supplies another with a function to call when certain data is\r
+available. Snort has started to take this approach to pass some HTTP and\r
+SIP preprocessor data to appID. However, it remains a peripheral feature\r
+and still requires the production of data that may not be consumed.</p></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_snort_3_processing">Snort 3 Processing</h4>\r
+<div class="paragraph"><p>One of the goals of Snort 3 is to provide a more flexible framework for\r
+packet processing by implementing an event-driven approach. Another is to\r
+produce data only when needed to minimize expensive normalizations.\r
+However, the basic packet processing provides very similar functionality.</p></div>\r
+<div class="paragraph"><p>The basic processing steps Snort 3 takes are similar to Snort 2 as seen\r
+in the following diagram. The preprocess step employs specific inspector\r
+types instead of a generalized list, but the basic procedure includes\r
+stateless packet decoding, TCP stream reassembly, and service specific\r
+analysis in both cases. (Snort 3 provides hooks for arbitrary inspectors,\r
+but they are not central to basic flow processing and are not shown.)</p></div>\r
+<div class="imageblock">\r
+<div class="content">\r
+<img src="./snort3x.png" alt="Snort 3" width="480" />\r
+</div>\r
+</div>\r
+<div class="paragraph"><p>However, Snort 3 also provides a more flexible mechanism than callback\r
+functions. By using inspection events, it is possible for an inspector to\r
+supply data that other inspectors can process. This is known as the\r
+observer pattern or publish-subscribe pattern.</p></div>\r
+<div class="paragraph"><p>Note that the data is not actually published. Instead, access to the data\r
+is published, and that means that subscribers can access the raw or\r
+normalized version(s) as needed. Normalizations are done only on the first\r
+access, and subsequent accesses get the previously normalized data. This\r
+results in just in time (JIT) processing.</p></div>\r
+<div class="paragraph"><p>A basic example of this in action is provided by the extra data_log plugin.\r
+It is a passive inspector, ie it does nothing until it receives the data it\r
+subscribed for (<em>other</em> in the above diagram). By adding the following to\r
+your snort.lua configuration, you will get a simple URI logger.</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>data_log = { key = 'http_raw_uri' }</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Inspection events coupled with pluggable inspectors provide a very flexible\r
+framework for implementing new features. And JIT buffer stuffers allow\r
+Snort to work smarter, not harder. These capabilities will be leveraged\r
+more and more as Snort development continues.</p></div>\r
+</div>\r
</div>\r
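Review bot: in the Plugins paragraph, "you can add dynamic plugins with --plugin-path and newer versions will replace older versions, even when built statically" leaves two things unsaid that an operator needs: how "newer" is decided (the text should name the version each plugin reports or whatever rule is actually applied), and the consequence that a library found under --plugin-path supersedes code compiled into the binary, so that directory must be treated as trusted and write-protected exactly like the snort binary itself; a sentence on each would turn a feature description into a usable caveat. A smaller style point in the same hunk: the plugin type list uses class names (Codec, Inspector, IpsOption, IpsAction, Logger, Mpse, So) while Terminology uses prose names (IPS option, IPS action, search engine, SO rule); adding the prose name in parentheses, e.g. "Mpse - for fast pattern matching (the search engine)", ties the two lists together. In the Operation subsection, the first figure carries the alt text "Snort 2" but is introduced as the generic "rough processing flow", and the Snort 2 / Snort 3 split only arrives two subsections later; say up front that the figure shows the Snort 2 flow and that both versions follow the same four steps, which is what the Snort 3 Processing text then confirms.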
<div class="sect2">\r
-<h3 id="_help">Help</h3>\r
-<div class="listingblock">\r
+<h3 id="_rules_2">Rules</h3>\r
+<div class="paragraph"><p>Rules tell Snort how to detect interesting conditions, such as an attack,\r
+and what to do when the condition is detected. Here is an example rule:</p></div>\r
+<div class="literalblock">\r
<div class="content">\r
-<pre><code>Snort has several options to get more help:\r
-\r
--? list command line options (same as --help)\r
---help this overview of help\r
---help-commands [<module prefix>] output matching commands\r
---help-config [<module prefix>] output matching config options\r
---help-counts [<module prefix>] output matching peg counts\r
---help-module <module> output description of given module\r
---help-modules list all available modules with brief help\r
---help-plugins list all available plugins with brief help\r
---help-options [<option prefix>] output matching command line options\r
---help-signals dump available control signals\r
---list-buffers output available inspection buffers\r
---list-builtin [<module prefix>] output matching builtin rules\r
---list-gids [<module prefix>] output matching generators\r
---list-modules [<module type>] list all known modules\r
---list-plugins list all known modules\r
---show-plugins list module and plugin versions\r
-\r
---help* and --list* options preempt other processing so should be last on the\r
-command line since any following options are ignored. To ensure options like\r
---markup and --plugin-path take effect, place them ahead of the help or list\r
-options.\r
-\r
-Options that filter output based on a matching prefix, such as --help-config\r
-won't output anything if there is no match. If no prefix is given, everything\r
-matches.\r
-\r
-Report bugs to bugs@snort.org.</code></pre>\r
+<pre><code>alert tcp any any -> 192.168.1.1 80 ( msg:"A ha!"; content:"attack"; sid:1; )</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>The structure is:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>action proto source dir dest ( body )</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Where:</p></div>\r
+<div class="paragraph"><p>action - tells Snort what to do when a rule "fires", ie when the signature\r
+matches. In this case Snort will log the event. It can also do thing like\r
+block the flow when running inline.</p></div>\r
+<div class="paragraph"><p>proto - tells Snort what protocol applies. This may be ip, icmp, tcp, udp,\r
+http, etc.</p></div>\r
+<div class="paragraph"><p>source - specifies the sending IP address and port, either of which can be\r
+the keyword any, which is a wildcard.</p></div>\r
+<div class="paragraph"><p>dir - must be either unidirectional as above or bidirectional indicated by\r
+<>.</p></div>\r
+<div class="paragraph"><p>dest - similar to source but indicates the receiving end.</p></div>\r
+<div class="paragraph"><p>body - detection and other information contained in parenthesis.</p></div>\r
+<div class="paragraph"><p>There are many rule options available to construct as sophisticated a\r
+signature as needed. In this case we are simply looking for the "attack"\r
+in any TCP packet. A better rule might look like this:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>alert http\r
+(\r
+ msg:"Gotcha!";\r
+ flow:established, to_server;\r
+ http_uri:"attack";\r
+ sid:2;\r
+)</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Note that these examples have a sid option, which indicates the signature\r
+ID. In general rules are specified by gid:sid:rev notation, where gid is\r
+the generator ID and rev is the revision of the rule. By default, text\r
+rules are gid 1 and shared-object (SO) rules are gid 3. The various\r
+components within Snort that generate events have 1XX gids, for example the\r
+decoder is gid 116. You can list the internal gids and sids with these\r
+commands:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>$ snort --list-gids\r
+$ snort --list-builtin</code></pre>\r
</div></div>\r
+<div class="paragraph"><p>For details on these and other options, see the reference section.</p></div>\r
</div>\r
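Review bot: In the new Rules subsection, the sentence "In this case we are simply looking for the "attack" in any TCP packet" does not match the example rule above it, which only matches TCP traffic sent to 192.168.1.1 port 80; either say "in any TCP packet sent to 192.168.1.1 port 80" or widen the example to "alert tcp any any -> any any" so the prose and the rule agree. Two typos in the same region: "It can also do thing like block the flow" should read "things", and "contained in parenthesis" should read "parentheses".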
<div class="sect2">\r
-<h3 id="_common_errors">Common Errors</h3>\r
-<div class="paragraph"><p><em>FATAL: snort_config is required</em></p></div>\r
+<h3 id="_pattern_matching">Pattern Matching</h3>\r
+<div class="paragraph"><p>Snort evaluates rules in a two-step process which includes a fast pattern\r
+search and full evaluation of the signature. More details on this process\r
+follow.</p></div>\r
+<div class="sect3">\r
+<h4 id="_rule_groups">Rule Groups</h4>\r
+<div class="paragraph"><p>When Snort starts or reloads configuration, rules are grouped by protocol,\r
+port and service. For example, all TCP rules using the HTTP_PORTS variable\r
+will go in one group and all service HTTP rules will go in another group.\r
+These rule groups are compiled into multipattern search engines (MPSE)\r
+which are designed to search for all patterns with just a single pass\r
+through a given packet or buffer. You can select the algorithm to use for\r
+fast pattern searches with search_engine.search_method which defaults to\r
+<em>ac_bnfa</em>, which balances speed and memory. For a faster search at the\r
+expense of significantly more memory, use <em>ac_full</em>. For best performance\r
+and reasonable memory, download the hyperscan source from Intel.</p></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_fast_patterns">Fast Patterns</h4>\r
+<div class="paragraph"><p>Fast patterns are content strings that have the fast_pattern option or\r
+which have been selected by Snort automatically to be used as a fast\r
+pattern. Snort will by default choose the longest pattern in the rule\r
+since that is likely to be most unique. That is not always the case so add\r
+fast_pattern to the appropriate content option for best performance. The\r
+ideal fast pattern is one which, if found, is very likely to result in a\r
+rule match. Fast patterns that match frequently for unrelated traffic will\r
+cause Snort to work hard with little to show for it.</p></div>\r
+<div class="paragraph"><p>Certain contents are not eligible to be used as fast patterns.\r
+Specifically, if a content is negated, then if it is also relative to\r
+another content, case sensitive, or has non-zero offset or depth, then it\r
+is not eligible to be used as a fast pattern.</p></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_rule_evaluation">Rule Evaluation</h4>\r
+<div class="paragraph"><p>For each fast pattern match, the corresponding rule(s) are evaluated\r
+left-to-right. Rule evaluation requires checking each detection option in\r
+a rule and is a fairly costly process which is why fast patterns are so\r
+important. Rule evaluation aborts on the first non-matching option.</p></div>\r
+<div class="paragraph"><p>When rule evaluation takes place, the fast pattern may or may not need to\r
+be searched for a second time. Note that this differs from Snort 2 which\r
+provided the fast_pattern:only option to designate such cases. This was\r
+removed because it is difficult for the rule writer get it right.</p></div>\r
+</div>\r
+</div>\r
+</div>\r
+</div>\r
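Review bot: The Rule Groups paragraph recommends downloading the hyperscan source "for best performance and reasonable memory" in fast pattern searches but never names the search_engine.search_method value that selects it, and the Optional dependencies list added by this same patch says hyperscan fast pattern support is "(coming soon)"; the two statements should agree, and the paragraph should either give the method name or say the option is not yet available. Also, in Rule Evaluation "difficult for the rule writer get it right" is missing "to", and the Fast Patterns eligibility sentence ("if a content is negated, then if it is also ...") would read more clearly as one condition: a negated content is not eligible as a fast pattern when it is also relative to another content, case sensitive, or has a non-zero offset or depth.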
+<div class="sect1">\r
+<h2 id="_tutorial">Tutorial</h2>\r
+<div class="sectionbody">\r
+<div class="paragraph"><p>The section will walk you through building and running Snort. It is not\r
+exhaustive but, once you master this material, you should be able to figure\r
+out more advanced usage.</p></div>\r
+<div class="sect2">\r
+<h3 id="_dependencies">Dependencies</h3>\r
+<div class="paragraph"><p>Required:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-add this line near top of file:\r
+autotools or cmake to build from source\r
</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>require('snort_config')</code></pre>\r
-</div></div>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p><em>PANIC: unprotected error in call to Lua API (cannot open\r
-snort_defaults.lua: No such file or directory)</em></p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-export SNORT_LUA_PATH to point to any dofiles\r
+daq from <a href="http://www.snort.org">http://www.snort.org</a> for packet IO\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p><em>ERROR can’t find xyz</em></p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-if xyz is the name of a module, make sure you are not assigning a scalar\r
- where a table is required (e.g. xyz = 2 should be xyz = { }).\r
+g++ >= 4.8 or other recent C++11 compiler\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p><em>ERROR can’t find x.y</em></p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-module x does not have a parameter named y. check --help-module x for\r
- available parameters.\r
+dnet from <a href="https://github.com/dugsong/libdnet.git">https://github.com/dugsong/libdnet.git</a> for network utility\r
+ functions\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p><em>ERROR invalid x.y = z</em></p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-the value z is out of range for x.y. check --help-config x.y for the range\r
- allowed.\r
+hwloc from <a href="https://www.open-mpi.org/projects/hwloc/">https://www.open-mpi.org/projects/hwloc/</a> for CPU affinity management\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p><em>ERROR: x = { y = z } is in conf but is not being applied</em></p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-make sure that x = { } isn’t set later because it will override the\r
- earlier setting. same for x.y.\r
+LuaJIT from <a href="http://luajit.org">http://luajit.org</a> for configuration and scripting\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p><em>FATAL: can’t load lua/errors.lua: lua/errors.lua:68: <em>=</em> expected near\r
-';'</em></p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-this is a syntax error reported by Lua to Snort on line 68 of errors.lua.\r
+OpenSSL from <a href="https://www.openssl.org/source/">https://www.openssl.org/source/</a> for SHA and MD5 file signatures,\r
+ the protected_content rule option, and SSL service detection\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p><em>ERROR: rules(2) unknown rule keyword: find.</em></p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-this was due to not including the --script-path.\r
+pcap from <a href="http://www.tcpdump.org">http://www.tcpdump.org</a> for tcpdump style logging\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+pcre from <a href="http://www.pcre.org">http://www.pcre.org</a> for regular expression pattern matching\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+pkgconfig from <a href="https://www.freedesktop.org/wiki/Software/pkg-config/">https://www.freedesktop.org/wiki/Software/pkg-config/</a> to locate build dependencies\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+zlib from <a href="http://www.zlib.net">http://www.zlib.net</a> for decompression (>= 1.2.8 recommended)\r
</p>\r
</li>\r
</ul></div>\r
-<div class="paragraph"><p><em>WARNING: unknown symbol x</em></p></div>\r
+<div class="paragraph"><p>Optional:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-if you any variables, you can squelch such warnings by setting them in\r
- an environment variable SNORT_IGNORE. to ignore x, y, and z:\r
+lzma >= 5.1.2 from <a href="http://tukaani.org/xz/">http://tukaani.org/xz/</a> for decompression of SWF and\r
+ PDF files\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+hyperscan from <a href="https://github.com/01org/hyperscan">https://github.com/01org/hyperscan</a> to build new and improved\r
+ regex and (coming soon) fast pattern support\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+cpputest from <a href="http://cpputest.github.io">http://cpputest.github.io</a> to run additional unit tests with\r
+ make check\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+asciidoc from <a href="http://www.methods.co.nz/asciidoc/">http://www.methods.co.nz/asciidoc/</a> to build the HTML\r
+ manual\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+dblatex from <a href="http://dblatex.sourceforge.net">http://dblatex.sourceforge.net</a> to build the pdf manual (in\r
+ addition to asciidoc)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+w3m from <a href="http://sourceforge.net/projects/w3m/">http://sourceforge.net/projects/w3m/</a> to build the plain text\r
+ manual\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+source-highlight from <a href="http://www.gnu.org/software/src-highlite/">http://www.gnu.org/software/src-highlite/</a> to\r
+ generate the dev guide\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+safec from <a href="https://sourceforge.net/projects/safeclib/">https://sourceforge.net/projects/safeclib/</a> for runtime bounds\r
+ checks on certain legacy C-library calls.\r
</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>export SNORT_IGNORE="x y z"</code></pre>\r
-</div></div>\r
</li>\r
</ul></div>\r
</div>\r
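Review bot: "The section will walk you through" in the Tutorial introduction should be "This section". In the Dependencies list, zlib (">= 1.2.8 recommended"), lzma (">= 5.1.2") and g++ (">= 4.8") carry version floors but daq, pcre, LuaJIT and OpenSSL do not; if any minimum version matters for those, it belongs here too, otherwise a short "any current release" remark would save readers guessing.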
<div class="sect2">\r
-<h3 id="_gotchas">Gotchas</h3>\r
+<h3 id="_building">Building</h3>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-A nil key in a table will not caught. Neither will a nil value in a\r
- table. Neither of the following will cause errors, nor will they\r
- actually set http_server.post_depth:\r
+Optionally built features are listed in the reference section.\r
</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>http_server = { post_depth }\r
-http_server = { post_depth = undefined_symbol }</code></pre>\r
-</div></div>\r
</li>\r
<li>\r
<p>\r
-It is not an error to set a value multiple times. The actual value\r
- applied may not be the last in the table either. It is best to avoid\r
- such cases.\r
+Create an install path:\r
</p>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>http_server =\r
-{\r
- post_depth = 1234,\r
- post_depth = 4321\r
-}</code></pre>\r
+<pre><code>export my_path=/path/to/snorty\r
+mkdir -p $my_path</code></pre>\r
</div></div>\r
</li>\r
<li>\r
<p>\r
-Snort can’t tell you the exact filename or line number of a semantic\r
- error but it will tell you the fully qualified name.\r
+If you are using a github clone with autotools, do this:\r
</p>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>autoreconf -isvf</code></pre>\r
+</div></div>\r
</li>\r
<li>\r
<p>\r
-The dump DAQ will not work with multiple threads unless you use --daq-var\r
- file=/dev/null. This will be fixed in at some point to use the Snort log\r
- directory, etc.\r
+Now do one of the following:\r
</p>\r
-</li>\r
+<div class="olist loweralpha"><ol class="loweralpha">\r
<li>\r
<p>\r
-Variables are currently processed in an order determined by the Lua hash\r
- table which is effectively random. That means you will need to use Lua\r
- string concatenation to ensure Snort doesn’t try to use a variable before\r
- it is defined (even when it is defined ahead of use in the file):\r
+To build with autotools, simply do the usual from the top level directory:\r
</p>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>-- this may fail:\r
-MY_SERVERS = [[ 172.20.0.0/16 172.21.0.0/16 ]]\r
-EXTERNAL_NET = '!$MY_SERVERS'</code></pre>\r
+<pre><code>./configure --prefix=$my_path\r
+make -j 8\r
+make install</code></pre>\r
</div></div>\r
+</li>\r
+<li>\r
+<p>\r
+To build with cmake and make, run configure_cmake.sh. It will\r
+ automatically create and populate a new subdirectory named <em>build</em>.\r
+</p>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>-- this will work:\r
-MY_SERVERS = [[ 172.20.0.0/16 172.21.0.0/16 ]]\r
-EXTERNAL_NET = '!' .. MY_SERVERS</code></pre>\r
+<pre><code>./configure_cmake.sh --prefix=$my_path\r
+cd build\r
+make -j 8\r
+make install\r
+ln -s $my_path/conf $my_path/etc</code></pre>\r
</div></div>\r
</li>\r
<li>\r
<p>\r
-configure will use clang<code> by default if it is installed. To compile\r
- with g</code> instead:\r
+You can also specify a cmake project generator:\r
</p>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>export CXX=g++</code></pre>\r
+<pre><code>./configure_cmake.sh --generator=Xcode --prefix=$my_path</code></pre>\r
</div></div>\r
</li>\r
<li>\r
<p>\r
-If you build with hyperscan on OS X and see:\r
+Or use ccmake directly to configure and generate from an arbitrary build\r
+ directory like one of these:\r
</p>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>dyld: Library not loaded: @rpath/libhs.4.0.dylib</code></pre>\r
+<pre><code>ccmake -G Xcode /path/to/Snort++/tree\r
+open snort.xcodeproj</code></pre>\r
</div></div>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>when you try to run src/snort, export DYLD_LIBRARY_PATH with the path to\r
-libhs. You can also do:</code></pre>\r
+<pre><code>ccmake -G "Eclipse CDT4 - Unix Makefiles" /path/to/Snort++/tree\r
+run eclipse and do File > Import > Existing Eclipse Project</code></pre>\r
</div></div>\r
+</li>\r
+</ol></div>\r
+</li>\r
+<li>\r
+<p>\r
+To build with g++ on OS X where clang is installed, do this first:\r
+</p>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>install_name_tool -change @rpath/libhs.4.0.dylib \\r
- /path-to/libhs.4.0.dylib src/snort</code></pre>\r
+<pre><code>export CXX=g++</code></pre>\r
</div></div>\r
</li>\r
</ul></div>\r
</div>\r
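Review bot: The cmake build steps end with "ln -s $my_path/conf $my_path/etc" but the autotools steps do not, while the Running subsection that follows reads the config from $my_path/etc/snort/; state why the symlink is only needed for cmake, or add the same step to the autotools list, so readers following the autotools path do not end up with a missing snort.lua. Separately, this region drops the Gotchas that warned about Lua variable ordering (use '!' .. MY_SERVERS rather than '!$MY_SERVERS') and about the dump DAQ needing --daq-var file=/dev/null with multiple threads; the new Tips keep the SNORT_IGNORE advice but neither of these, so confirm both issues are fixed or move the two bullets into Tips.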
<div class="sect2">\r
-<h3 id="_bugs">Bugs</h3>\r
-<div class="sect3">\r
-<h4 id="_build">Build</h4>\r
+<h3 id="_running">Running</h3>\r
+<div class="paragraph"><p>First set up the environment:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>export LUA_PATH=$my_path/include/snort/lua/\?.lua\;\;\r
+export SNORT_LUA_PATH=$my_path/etc/snort/</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Then give it a go:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-With cmake, make install will rebuild the docs even though when already\r
- built.\r
+Get some help:\r
</p>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>$my_path/bin/snort --help\r
+$my_path/bin/snort --help-module suppress\r
+$my_path/bin/snort --help-config | grep thread</code></pre>\r
+</div></div>\r
</li>\r
<li>\r
<p>\r
-Enabling large pcap may erroneously affect the number of packets processed\r
- from pcaps.\r
+Examine and dump a pcap:\r
</p>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>$my_path/bin/snort -r <pcap>\r
+$my_path/bin/snort -L dump -d -e -q -r <pcap></code></pre>\r
+</div></div>\r
</li>\r
<li>\r
<p>\r
-Enabling debug messages may erroneously affect the number of packets\r
- processed from pcaps.\r
+Verify config, with or w/o rules:\r
</p>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>$my_path/bin/snort -c $my_path/etc/snort/snort.lua\r
+$my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules</code></pre>\r
+</div></div>\r
</li>\r
<li>\r
<p>\r
-g++ 4.9.2 with -O3 reports:\r
+Run IDS mode. To keep it brief, look at the first n packets in each file:\r
</p>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>src/service_inspectors/back_orifice/back_orifice.cc:231:25: warning:\r
-iteration 930u invokes undefined behavior [-Waggressive-loop-optimizations]</code></pre>\r
+<pre><code>$my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \\r
+ -r <pcap> -A alert_test -n 100000</code></pre>\r
</div></div>\r
</li>\r
<li>\r
<p>\r
-Building with clang and autotools on Linux will show the following\r
- warning many times. Please ignore.\r
+Let’s suppress 1:2123. We could edit the conf or just do this:\r
</p>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>clang: warning: argument unused during compilation: '-pthread'</code></pre>\r
+<pre><code>$my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \\r
+ -r <pcap> -A alert_test -n 100000 --lua "suppress = { { gid = 1, sid = 2123 } }"</code></pre>\r
</div></div>\r
</li>\r
<li>\r
<p>\r
-It is not possible to build dynamic plugins using apple clang due to its\r
- limited support for thread local variables.\r
+Go whole hog on a directory with multiple packet threads:\r
</p>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>$my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \\r
+ --pcap-filter \*.pcap --pcap-dir <dir> -A alert_fast -n 1000 --max-packet-threads 8</code></pre>\r
+</div></div>\r
</li>\r
</ul></div>\r
+<div class="paragraph"><p>For more examples, see the usage section.</p></div>\r
</div>\r
-<div class="sect3">\r
-<h4 id="_config">Config</h4>\r
+<div class="sect2">\r
+<h3 id="_tips">Tips</h3>\r
+<div class="paragraph"><p>One of the goals of Snort 3 is to make it easier to configure your sensor.\r
+Here is a summary of tips and tricks you may find useful.</p></div>\r
+<div class="paragraph"><p>General Use</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-Parsing issue with IP lists. can’t parse rules with $EXTERNAL_NET\r
- defined as below because of the space between ! and 10.\r
+Snort tries hard not to error out too quickly. It will report multiple\r
+ semantic errors.\r
</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>HOME_NET = [[ 10.0.17.0/24 10.0.14.0/24 10.247.0.0/16 10.246.0.0/16 ]]\r
-EXTERNAL_NET = '! ' .. HOME_NET</code></pre>\r
-</div></div>\r
</li>\r
<li>\r
<p>\r
-Multiple versions of luajit scripts are not handled correctly. The\r
- first loaded version will always be executed even though plugin manager\r
- saves the correct version.\r
+Snort always assumes the simplest mode of operation. Eg, you can omit the -T\r
+ option to validate the conf if you don’t provide a packet source.\r
</p>\r
</li>\r
<li>\r
<p>\r
-When using -c and -L together, the last on the command line wins (-c -L\r
- will dump; -L -c will analyze).\r
+Warnings are not emitted unless --warn-* is specified. --warn-all enables all\r
+ warnings, and --pedantic makes such warnings fatal.\r
</p>\r
</li>\r
<li>\r
<p>\r
-Modules instantiated by command line only will not get default settings\r
- unless hard-coded. This notably applies to -A and -L options.\r
+You can process multiple sources at one time by using the -z or --max-threads\r
+ option.\r
</p>\r
</li>\r
<li>\r
<p>\r
---lua can only be used in addition to, not in place of, a -c config.\r
- Ideally, --lua could be used in lieu of -c.\r
+To make it easy to find the important data, zero counts are not output at\r
+ shutdown.\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_rules">Rules</h4>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-metdata:service foo; metadata:service foo; won’t cause a duplicate service\r
- warning as does metadata:service foo, service foo;\r
+Load plugins from the command line with --plugin-path /path/to/install/lib.\r
</p>\r
</li>\r
<li>\r
<p>\r
-ip_proto doesn’t work properly with reassembled packets so it can’t be\r
- used to restrict the protocol of service rules.\r
+You can process multiple sources at one time by using the -z or\r
+ --max-threads option.\r
</p>\r
</li>\r
<li>\r
<p>\r
-Inspector events generated while parsing TCP payload in non-IPS mode will\r
- indicate the wrong direction (ie they will be based on the ACK packet).\r
- (Same is true for Snort.)\r
+Unit tests are configured with --enable-unit-tests. They can then be run\r
+ with snort --catch-test [tags]|all.\r
</p>\r
</li>\r
</ul></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_snort2lua">snort2lua</h4>\r
+<div class="paragraph"><p>Lua Configuration</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-uricontent:"foo"; content:"bar"; → http_uri; content:"foo"; content:"bar";\r
- (missing pkt_data)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-stream_tcp ports and protocols both go into a single binder.when; this is\r
- incorrect as the when fields are logically anded together (ie must all be\r
- true). Should create 2 separate bindings.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-There is a bug in pps_stream_tcp.cc.. when stream_tcp: is specified\r
- without any arguments, snort2lua doesn’t convert it. Same for\r
- stream_udp.\r
+Configure the wizard and default bindings will be created based on configured\r
+ inspectors. No need to explicitly bind ports in this case.\r
</p>\r
</li>\r
<li>\r
<p>\r
-Loses the ip list delimiters [ ]; change to ( )\r
+You can override or add to your Lua conf with the --lua command line option.\r
</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>in snort.conf: var HOME_NET [A,B,C]\r
-in snort.lua: HOME_NET = [[A B C]]</code></pre>\r
-</div></div>\r
</li>\r
<li>\r
<p>\r
-Won’t convert packet rules (alert tcp etc.) to service rules (alert http\r
- etc.).\r
+The Lua conf is a live script that is executed when loaded. You can add\r
+ functions, grab environment variables, compute values, etc.\r
</p>\r
</li>\r
<li>\r
<p>\r
-alert_fast and alert_full: output configuration includes "file =\r
- <em>foo.bar</em>", but file is a bool and you cannot specify an output file name\r
- in the configuration.\r
+You can also rename symbols that you want to disable. For example,\r
+ changing normalizer to Xnormalizer (an unknown symbol) will disable the\r
+ normalizer. This can be easier than commenting in some cases.\r
</p>\r
</li>\r
<li>\r
<p>\r
-preprocessor ports option: ports <number> not supported.\r
+By default, symbols unknown to Snort are silently ignored. You can\r
+ generate warnings for them with --warn-unknown. To ignore such symbols,\r
+ export them in the environment variable SNORT_IGNORE.\r
</p>\r
</li>\r
</ul></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_runtime">Runtime</h4>\r
+<div class="paragraph"><p>Writing and Loading Rules</p></div>\r
+<div class="paragraph"><p>Snort rules allow arbitrary whitespace. Multi-line rules make it easier to\r
+structure your rule for clarity. There are multiple ways to add comments to\r
+your rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
--B <mask> feature does not work. It does ordinary IP address obfuscation\r
- instead of using the mask.\r
+The # character starts a comment to end of line. In addition, all lines\r
+ between #begin and #end are comments.\r
</p>\r
</li>\r
<li>\r
<p>\r
-Obfuscation does not work for csv format.\r
+The rem option allows you to write a comment that is conveyed with the rule.\r
</p>\r
</li>\r
<li>\r
<p>\r
-The hext DAQ will append a newline to text lines (starting with <em>"</em>).\r
+C style multi-line comments are allowed, which means you can comment out\r
+ portions of a rule while testing it out by putting the options between /* and\r
+ */.\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>There are multiple ways to load rules too:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-The hext DAQ does not support embedded quotes in text lines (use hex\r
- lines as a workaround).\r
+Set ips.rules or ips.include.\r
</p>\r
</li>\r
<li>\r
<p>\r
-stream_tcp alert squash mechanism incorrectly squashes alerts for\r
- different TCP packets.\r
+include statements can be used in rules files.\r
</p>\r
</li>\r
<li>\r
<p>\r
-stream_tcp gap count is broken.\r
+Use -R to load a rules file.\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-</div>\r
-</div>\r
-</div>\r
-<div class="sect1">\r
-<h2 id="_features">Features</h2>\r
-<div class="sectionbody">\r
-<div class="paragraph"><p>This section explains how to use key features of Snort++.</p></div>\r
-<div class="sect2">\r
-<h3 id="_file_processing">File Processing</h3>\r
-<div class="paragraph"><p>With the volume of malware transferred through network increasing,\r
-network file inspection becomes more and more important. This feature\r
-will provide file type identification, file signature creation, and file\r
-capture capabilities to help users deal with those challenges.</p></div>\r
-<div class="sect3">\r
-<h4 id="_overview_2">Overview</h4>\r
-<div class="paragraph"><p>There are two parts of file services: file APIs and file policy.\r
-File APIs provides all the file inspection functionalities, such as file\r
-type identification, file signature calculation, and file capture.\r
-File policy provides users ability to control file services, such\r
-as enable/disable/configure file type identification, file signature, or\r
-file capture.</p></div>\r
-<div class="paragraph"><p>In addition to all capabilities from snort 2x, we support customized file\r
-policy along with file event log.</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-Supported protocols: HTTP, SMTP, IMAP, POP3, FTP, and SMB.\r
+Use --stdin-rules with command line redirection.\r
</p>\r
</li>\r
<li>\r
<p>\r
-Supported file signature calculation: SHA256\r
+Use --lua to specify one or more rules as a command line argument.\r
</p>\r
</li>\r
</ul></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_quick_guide">Quick Guide</h4>\r
-<div class="paragraph"><p>A very simple configuration has been included in lua/snort.lua file.\r
-A typical file configuration looks like this:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>dofile('magic.lua')</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>my_file_policy =\r
-{\r
- { when = { file_type_id = 0 }, use = { verdict = 'log', enable_file_signature = true, enable_file_capture = true } }\r
- { when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_signature = true } },\r
- { when = { sha256 = "F74DC976BC8387E7D4FC0716A069017A0C7ED13F309A523CC41A8739CCB7D4B6" }, use = { verdict = 'block'} },\r
-}</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>file_id =\r
-{\r
- enable_type = true,\r
- enable_signature = true,\r
- enable_capture = true,\r
- file_rules = magics,\r
- trace_type = true,\r
- trace_signature = true,\r
- trace_stream = true,\r
- file_policy = my_file_policy,\r
- }</code></pre>\r
-</div></div>\r
+<div class="paragraph"><p>Output Files</p></div>\r
+<div class="paragraph"><p>To make it simple to configure outputs when you run with multiple packet\r
+threads, output files are not explicitly configured. Instead, you can use the\r
+options below to format the paths:</p></div>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>file_log =\r
-{\r
- log_pkt_time = true,\r
- log_sys_time = false,\r
-}</code></pre>\r
+<pre><code><logdir>/[<run_prefix>][<id#>][<X>]<name></code></pre>\r
</div></div>\r
-<div class="paragraph"><p>There are 3 steps to enable file processing:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-First, you need to include the file magic rules.\r
+logdir is set with -l and defaults to ./\r
</p>\r
</li>\r
<li>\r
<p>\r
-Then, define the file policy and configure the inspector\r
+run_prefix is set with --run-prefix else not used\r
</p>\r
</li>\r
<li>\r
<p>\r
-At last, enable file_log to get detailed information about file event\r
+id# is the packet thread number that writes the file; with one packet thread,\r
+ id# (zero) is omitted without --id-zero\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_pre_packaged_file_magic_rules">Pre-packaged File Magic Rules</h4>\r
-<div class="paragraph"><p>A set of file magic rules is packaged with Snort. They can be located at\r
-"lua/file_magic.lua". To use this feature, it is recommended that these\r
-pre-packaged rules are used; doing so requires that you include\r
-the file in your Snort configuration as such (already in snort.lua):</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>dofile('magic.lua')</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Example:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>{ type = "GIF", id = 62, category = "Graphics", rev = 1,\r
- magic = { { content = "| 47 49 46 38 37 61 |",offset = 0 } } },</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>{ type = "GIF", id = 63, category = "Graphics", rev = 1,\r
- magic = { { content = "| 47 49 46 38 39 61 |",offset = 0 } } },</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The previous two rules define GIF format, because two file magics are\r
-different. File magics are specifed by content and offset, which look\r
-at content at particular file offset to identify the file type. In this\r
-case, two magics look at the beginning of the file. You can use character\r
-if it is printable or hex value in between "|".</p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_file_policy">File Policy</h4>\r
-<div class="paragraph"><p>You can enabled file type, file signature, or file capture by configuring\r
-file_id. In addition, you can enable trace to see file stream data, file\r
-type, and file signature information.</p></div>\r
-<div class="paragraph"><p>Most importantly, you can configure a file policy that can block/alert\r
-some file type or an individual file based on SHA. This allows you\r
-build a file blacklist or whitelist.</p></div>\r
-<div class="paragraph"><p>Example:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>file_policy =\r
-{\r
- { when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_signature = true } },\r
- { when = { sha256 = "F74DC976BC8387E7D4FC0716A069017A0C7ED13F309A523CC41A8739CCB7D4B6" }, use = { verdict = 'block'} },\r
- { when = { file_type_id = 0 }, use = { verdict = 'log', enable_file_signature = true, enable_file_capture = true } }\r
-}</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>In this example, it enables this policy:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-For PDF files, they will be logged with signatures.\r
+X is / if you use --id-subdir, else _ if id# is used\r
</p>\r
</li>\r
<li>\r
<p>\r
-For the file matching this SHA, it will be blocked\r
+name is based on module name that writes the file\r
</p>\r
</li>\r
<li>\r
<p>\r
-For all file types identified, they will be logged with signature, and\r
-also captured onto log folder.\r
+all text mode outputs default to stdout\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
-<div class="sect3">\r
-<h4 id="_file_capture">File Capture</h4>\r
-<div class="paragraph"><p>File can be captured and stored to log folder. We use SHA as file name\r
-instead of actual file name to avoid conflicts. You can capture either\r
-all files, some file type, or a particular file based on SHA.</p></div>\r
-<div class="paragraph"><p>You can enable file capture through this config:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>enable_capture = true,</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>or enable it for some file or file type in your file policy:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>{ when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_capture = true } },</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The above rule will enable PDF file capture.</p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_file_events">File Events</h4>\r
-<div class="paragraph"><p>File inspect preprocessor also works as a dynamic output plugin for file\r
-events. It logs basic information about file. The log file is in the same\r
-folder as other log files with name starting with "file.log".</p></div>\r
-<div class="paragraph"><p>Example:</p></div>\r
-<div class="literalblock">\r
+<div class="sect2">\r
+<h3 id="_help">Help</h3>\r
+<div class="listingblock">\r
<div class="content">\r
-<pre><code>file_log = { log_pkt_time = true, log_sys_time = false }</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>All file events will be logged in packet time, system time is not logged.</p></div>\r
-<div class="paragraph"><p>File event example:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>08/14-19:14:19.100891 10.22.75.72:33734 -> 10.22.75.36:80,\r
-[Name: "malware.exe"] [Verdict: Block] [Type: MSEXE]\r
-[SHA: 6F26E721FDB1AAFD29B41BCF90196DEE3A5412550615A856DAE8E3634BCE9F7A]\r
-[Size: 1039328]</code></pre>\r
+<pre><code>Snort has several options to get more help:\r
+\r
+-? list command line options (same as --help)\r
+--help this overview of help\r
+--help-commands [<module prefix>] output matching commands\r
+--help-config [<module prefix>] output matching config options\r
+--help-counts [<module prefix>] output matching peg counts\r
+--help-module <module> output description of given module\r
+--help-modules list all available modules with brief help\r
+--help-plugins list all available plugins with brief help\r
+--help-options [<option prefix>] output matching command line options\r
+--help-signals dump available control signals\r
+--list-buffers output available inspection buffers\r
+--list-builtin [<module prefix>] output matching builtin rules\r
+--list-gids [<module prefix>] output matching generators\r
+--list-modules [<module type>] list all known modules\r
+--list-plugins list all known modules\r
+--show-plugins list module and plugin versions\r
+\r
+--help* and --list* options preempt other processing so should be last on the\r
+command line since any following options are ignored. To ensure options like\r
+--markup and --plugin-path take effect, place them ahead of the help or list\r
+options.\r
+\r
+Options that filter output based on a matching prefix, such as --help-config\r
+won't output anything if there is no match. If no prefix is given, everything\r
+matches.\r
+\r
+Report bugs to bugs@snort.org.</code></pre>\r
</div></div>\r
</div>\r
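Review bot: in the help listing above, `--list-plugins list all known modules` carries the same description as the `--list-modules` line directly before it, so the two options are indistinguishable in the rendered text; it should presumably read "list all known plugins" (and `--help-plugins` already documents the "with brief help" variant). The paragraph "--help* and --list* options preempt other processing so should be last on the command line" also reappears almost verbatim as the admonition in the Usage > Help section later in this patch; keeping one copy and referring to it from the other would avoid the two drifting apart.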
-</div>\r
<div class="sect2">\r
-<h3 id="_performance_monitor">Performance Monitor</h3>\r
-<div class="paragraph"><p>The new and improved performance monitor! Is your sensor being bogged down by\r
-too many flows? perf_monitor! Why are certain TCP segments being dropped without\r
-hitting a rule? perf_monitor! Why is a sensor leaking water? Not perf_monitor, check\r
-with stream…</p></div>\r
-<div class="sect3">\r
-<h4 id="_overview_3">Overview</h4>\r
-<div class="paragraph"><p>The Snort performance monitor is the built-in utility for monitoring system\r
-and traffic statistics. All statistics are separated by processing thread.\r
-perf_monitor supports several trackers for monitoring such data:</p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_base_tracker">Base Tracker</h4>\r
-<div class="paragraph"><p>The base tracker is used to gather running statistics about Snort and its\r
-running modules. All Snort modules gather, at the very least, counters for the\r
-number of packets reaching it. Most supplement these counts with those for\r
-domain specific functions, such as http_inspect’s number of GET requests seen.</p></div>\r
-<div class="paragraph"><p>Statistics are gathered live and can be reported at regular intervals. The stats\r
-reported correspond only to the interval in question and are reset at the\r
-beginning of each interval.</p></div>\r
-<div class="paragraph"><p>These are the same counts displayed when Snort shuts down, only sorted amongst\r
-the discrete intervals in which they occurred.</p></div>\r
-<div class="paragraph"><p>Base differs from prior implementations in Snort in that all stats gathered are\r
-only raw counts, allowing the data to be evaluated as needed. Additionally,\r
-base is entirely pluggable. Data from new Snort plugins can be added to the\r
-existing stats either automatically or, if specified, by name and function.</p></div>\r
-<div class="paragraph"><p>All plugins and counters can be enabled or disabled individually, allowing for\r
-only the data that is actually desired instead of overly verbose performance\r
-logs.</p></div>\r
-<div class="paragraph"><p>To enable everything:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>perf_monitor = { modules = {} }</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>To enable everything within a module:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>perf_monitor =\r
-{\r
- modules =\r
- {\r
- {\r
- name = 'stream_tcp',\r
- pegs = [[ ]]\r
- },\r
- }\r
-}</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>To enable specific counts within modules:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>perf_monitor =\r
-{\r
- modules =\r
- {\r
- {\r
- name = 'stream_tcp',\r
- pegs = [[ overlaps gaps ]]\r
- },\r
- }</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Note: Event stats from prior Snorts are now located within base statistics.</p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_flow_tracker">Flow Tracker</h4>\r
-<div class="paragraph"><p>Flow tracks statistics regarding traffic and L3/L4 protocol distributions. This\r
-data can be used to build a profile of traffic for inspector tuning and for\r
-identifying where Snort may be stressed.</p></div>\r
-<div class="paragraph"><p>To enable:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>perf_monitor = { flow = true }</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_flowip_tracker">FlowIP Tracker</h4>\r
-<div class="paragraph"><p>FlowIP provides statistics for individual hosts within a network. This data can\r
-be used for identifying communication habits, such as generating large or small\r
-amounts of data, opening a small or large number of sessions, and tendency to\r
-send smaller or larger IP packets.</p></div>\r
-<div class="paragraph"><p>To enable:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>perf_monitor = { flow_ip = true }</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_cpu_tracker">CPU Tracker</h4>\r
-<div class="paragraph"><p>This tracker monitors the CPU and wall time spent by a given processing thread.</p></div>\r
-<div class="paragraph"><p>To enable:</p></div>\r
+<h3 id="_common_errors">Common Errors</h3>\r
+<div class="paragraph"><p><em>FATAL: snort_config is required</em></p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+add this line near top of file:\r
+</p>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>perf_monitor = { cpu = true }</code></pre>\r
+<pre><code>require('snort_config')</code></pre>\r
</div></div>\r
-</div>\r
-</div>\r
-</div>\r
-</div>\r
-<div class="sect1">\r
-<h2 id="_basic_modules">Basic Modules</h2>\r
-<div class="sectionbody">\r
-<div class="paragraph"><p>Internal modules which are not plugins are termed "basic". These include\r
-configuration for core processing.</p></div>\r
-<div class="sect2">\r
-<h3 id="_active">active</h3>\r
-<div class="paragraph"><p>What: configure responses</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p><em>PANIC: unprotected error in call to Lua API (cannot open\r
+snort_defaults.lua: No such file or directory)</em></p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>active.attempts</strong> = 0: number of TCP packets sent per response (with varying sequence numbers) { 0:20 }\r
+export SNORT_LUA_PATH to point to any dofiles\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p><em>ERROR can’t find xyz</em></p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>active.device</strong>: use <em>ip</em> for network layer responses or <em>eth0</em> etc for link layer\r
+if xyz is the name of a module, make sure you are not assigning a scalar\r
+ where a table is required (e.g. xyz = 2 should be xyz = { }).\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p><em>ERROR can’t find x.y</em></p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>active.dst_mac</strong>: use format <em>01:23:45:67:89:ab</em>\r
+module x does not have a parameter named y. check --help-module x for\r
+ available parameters.\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p><em>ERROR invalid x.y = z</em></p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>active.max_responses</strong> = 0: maximum number of responses { 0: }\r
+the value z is out of range for x.y. check --help-config x.y for the range\r
+ allowed.\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p><em>ERROR: x = { y = z } is in conf but is not being applied</em></p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>active.min_interval</strong> = 255: minimum number of seconds between responses { 1: }\r
+make sure that x = { } isn’t set later because it will override the\r
+ earlier setting. same for x.y.\r
</p>\r
</li>\r
</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_alerts">alerts</h3>\r
-<div class="paragraph"><p>What: configure alerts</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="paragraph"><p><em>FATAL: can’t load lua/errors.lua: lua/errors.lua:68: <em>=</em> expected near\r
+';'</em></p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>alerts.alert_with_interface_name</strong> = false: include interface in alert info (fast, full, or syslog only)\r
+this is a syntax error reported by Lua to Snort on line 68 of errors.lua.\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p><em>ERROR: rules(2) unknown rule keyword: find.</em></p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>alerts.default_rule_state</strong> = true: enable or disable ips rules\r
+this was due to not including the --script-path.\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p><em>WARNING: unknown symbol x</em></p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>alerts.detection_filter_memcap</strong> = 1048576: set available memory for filters { 0: }\r
+if you any variables, you can squelch such warnings by setting them in\r
+ an environment variable SNORT_IGNORE. to ignore x, y, and z:\r
</p>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>export SNORT_IGNORE="x y z"</code></pre>\r
+</div></div>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_gotchas">Gotchas</h3>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
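Review bot: in the Common Errors list the WARNING item "if you any variables, you can squelch such warnings by setting them in an environment variable SNORT_IGNORE" is missing its verb (likely "if you use any variables"). In the same list the errors.lua example has rendered as nested emphasis, `<em>FATAL: can’t load lua/errors.lua: lua/errors.lua:68: <em>=</em> expected near ';'</em>`, because the `'='` in Lua's message was taken as AsciiDoc quoting; escape the quotes or use a passthrough so the reader sees the literal message `'=' expected near ';'`, which is what they will have to match against their own output.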
-int <strong>alerts.event_filter_memcap</strong> = 1048576: set available memory for filters { 0: }\r
+A nil key in a table will not caught. Neither will a nil value in a\r
+ table. Neither of the following will cause errors, nor will they\r
+ actually set http_server.post_depth:\r
</p>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>http_server = { post_depth }\r
+http_server = { post_depth = undefined_symbol }</code></pre>\r
+</div></div>\r
</li>\r
<li>\r
<p>\r
-string <strong>alerts.order</strong> = pass drop alert log: change the order of rule action application\r
+It is not an error to set a value multiple times. The actual value\r
+ applied may not be the last in the table either. It is best to avoid\r
+ such cases.\r
</p>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>http_server =\r
+{\r
+ post_depth = 1234,\r
+ post_depth = 4321\r
+}</code></pre>\r
+</div></div>\r
</li>\r
<li>\r
<p>\r
-int <strong>alerts.rate_filter_memcap</strong> = 1048576: set available memory for filters { 0: }\r
+Snort can’t tell you the exact filename or line number of a semantic\r
+ error but it will tell you the fully qualified name.\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>alerts.reference_net</strong>: set the CIDR for homenet (for use with -l or -B, does NOT change $HOME_NET in IDS mode)\r
+The dump DAQ will not work with multiple threads unless you use --daq-var\r
+ file=/dev/null. This will be fixed in at some point to use the Snort log\r
+ directory, etc.\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>alerts.stateful</strong> = false: don’t alert w/o established session (note: rule action still taken)\r
+Variables are currently processed in an order determined by the Lua hash\r
+ table which is effectively random. That means you will need to use Lua\r
+ string concatenation to ensure Snort doesn’t try to use a variable before\r
+ it is defined (even when it is defined ahead of use in the file):\r
</p>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>-- this may fail:\r
+MY_SERVERS = [[ 172.20.0.0/16 172.21.0.0/16 ]]\r
+EXTERNAL_NET = '!$MY_SERVERS'</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>-- this will work:\r
+MY_SERVERS = [[ 172.20.0.0/16 172.21.0.0/16 ]]\r
+EXTERNAL_NET = '!' .. MY_SERVERS</code></pre>\r
+</div></div>\r
</li>\r
<li>\r
<p>\r
-string <strong>alerts.tunnel_verdicts</strong>: let DAQ handle non-allow verdicts for GTP|Teredo|6in4|4in6 traffic\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_attribute_table">attribute_table</h3>\r
-<div class="paragraph"><p>What: configure hosts loading</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>attribute_table.max_hosts</strong> = 1024: maximum number of hosts in attribute table { 32:207551 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>attribute_table.max_services_per_host</strong> = 8: maximum number of services per host entry in attribute table { 1:65535 }\r
+configure will use clang<code> by default if it is installed. To compile\r
+ with g</code> instead:\r
</p>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>export CXX=g++</code></pre>\r
+</div></div>\r
</li>\r
<li>\r
<p>\r
-int <strong>attribute_table.max_metadata_services</strong> = 8: maximum number of services in rule metadata { 1:256 }\r
+If you build with hyperscan on OS X and see:\r
</p>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>dyld: Library not loaded: @rpath/libhs.4.0.dylib</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>when you try to run src/snort, export DYLD_LIBRARY_PATH with the path to\r
+libhs. You can also do:</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>install_name_tool -change @rpath/libhs.4.0.dylib \\r
+ /path-to/libhs.4.0.dylib src/snort</code></pre>\r
+</div></div>\r
</li>\r
</ul></div>\r
</div>\r
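Review bot: the compiler gotcha has lost its `++`: "configure will use clang<code> by default if it is installed. To compile with g</code> instead:" is AsciiDoc treating `++` as a monospace passthrough, so the rendered sentence no longer names clang++ or g++ at all; escape them so the instruction matches the `export CXX=g++` block that follows. In the hyperscan item, "when you try to run src/snort, export DYLD_LIBRARY_PATH with the path to libhs. You can also do:" is prose but has rendered as a literal block (it was presumably indented in the source), which makes it look like a command to type. Grammar in the same list: "A nil key in a table will not caught" is missing "be", and "This will be fixed in at some point" has a stray "in".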
-<div class="sect2">\r
-<h3 id="_classifications">classifications</h3>\r
-<div class="paragraph"><p>What: define rule categories with priority</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>classifications[].name</strong>: name used with classtype rule option\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>classifications[].priority</strong> = 1: default priority for class { 0: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>classifications[].text</strong>: description of class\r
-</p>\r
-</li>\r
-</ul></div>\r
</div>\r
-<div class="sect2">\r
-<h3 id="_daq">daq</h3>\r
-<div class="paragraph"><p>What: configure packet acquisition interface</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>daq.module_dirs[].str</strong>: string parameter\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>daq.input_spec</strong>: input specification\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>daq.module</strong>: DAQ module to use\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>daq.variables[].str</strong>: string parameter\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>daq.instances[].id</strong>: instance ID (required) { 0: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>daq.instances[].input_spec</strong>: input specification\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>daq.instances[].variables[].str</strong>: string parameter\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>daq.snaplen</strong>: set snap length (same as -s) { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>daq.no_promisc</strong> = false: whether to put DAQ device into promiscuous mode\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>daq.pcaps</strong>: total files and interfaces processed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.received</strong>: total packets received from DAQ\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.analyzed</strong>: total packets analyzed from DAQ\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.dropped</strong>: packets dropped\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.filtered</strong>: packets filtered out\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.outstanding</strong>: packets unprocessed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.injected</strong>: active responses or replacements\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.allow</strong>: total allow verdicts\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.block</strong>: total block verdicts\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.replace</strong>: total replace verdicts\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.whitelist</strong>: total whitelist verdicts\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.blacklist</strong>: total blacklist verdicts\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.ignore</strong>: total ignore verdicts\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.internal blacklist</strong>: packets blacklisted internally due to lack of DAQ support\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.internal whitelist</strong>: packets whitelisted internally due to lack of DAQ support\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.skipped</strong>: packets skipped at startup\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.idle</strong>: attempts to acquire from DAQ without available packets\r
-</p>\r
-</li>\r
-</ul></div>\r
</div>\r
+<div class="sect1">\r
+<h2 id="_usage">Usage</h2>\r
+<div class="sectionbody">\r
+<div class="paragraph"><p>For the following examples "$my_path" is assumed to be the path to the\r
+Snort install directory. Additionally, it is assumed that "$my_path/bin"\r
+is in your PATH.</p></div>\r
<div class="sect2">\r
-<h3 id="_decode">decode</h3>\r
-<div class="paragraph"><p>What: general decoder rules</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>116:450</strong> (decode) BAD-TRAFFIC bad IP protocol\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:293</strong> (decode) two or more IP (v4 and/or v6) encapsulation layers present\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:459</strong> (decode) fragment with zero length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:150</strong> (decode) bad traffic loopback IP\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:151</strong> (decode) bad traffic same src/dst IP\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:449</strong> (decode) BAD-TRAFFIC unassigned/reserved IP protocol\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:472</strong> (decode) too many protocols present\r
-</p>\r
-</li>\r
-</ul></div>\r
+<h3 id="_environment_2">Environment</h3>\r
+<div class="paragraph"><p>LUA_PATH is used directly by Lua to load and run required libraries.\r
+SNORT_LUA_PATH is used by Snort to load supplemental configuration files.</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>export LUA_PATH=$my_path/include/snort/lua/\?.lua\;\;\r
+export SNORT_LUA_PATH=$my_path/etc/snort</code></pre>\r
+</div></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_detection">detection</h3>\r
-<div class="paragraph"><p>What: configure general IPS rule processing parameters</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>detection.asn1</strong> = 256: maximum decode nodes { 1: }\r
+<h3 id="_help_2">Help</h3>\r
+<div class="paragraph"><p>Print the help summary:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort --help</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Get help on a specific module ("stream", for example):</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort --help-module stream</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Get help on the "-A" command line option:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort --help-options A</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Grep for help on threads:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort --help-config | grep thread</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Output help on "rule" options in AsciiDoc format:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort --markup --help-options rule</code></pre>\r
+</div></div>\r
+<div class="admonitionblock">\r
+<table><tr>\r
+<td class="icon">\r
+<img src="./images/icons/note.png" alt="Note" />\r
+</td>\r
+<td class="content">Snort stops reading command-line options after the "--help-<strong>" and\r
+"--list-</strong>" options, so any other options should be placed before them.</td>\r
+</tr></table>\r
+</div>\r
+</div>\r
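Review bot: the admonition text `"--help-<strong>" and "--list-</strong>"` is the unescaped `*` in `--help-*` and `--list-*` being interpreted as AsciiDoc bold, so the rendered note is garbled and the two option globs it is warning about are not actually shown; escape the asterisks (or put the globs in backticks) so it reads "--help-*" and "--list-*", consistent with the wording in the built-in help text earlier in this patch.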
+<div class="sect2">\r
+<h3 id="_sniffing_and_logging">Sniffing and Logging</h3>\r
+<div class="paragraph"><p>Read a pcap:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort -r /path/to/my.pcap</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Dump the packets to stdout:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort -r /path/to/my.pcap -L dump</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Dump packets with application data and layer 2 headers</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort -r /path/to/my.pcap -L dump -d -e</code></pre>\r
+</div></div>\r
+<div class="admonitionblock">\r
+<table><tr>\r
+<td class="icon">\r
+<img src="./images/icons/note.png" alt="Note" />\r
+</td>\r
+<td class="content">Command line options must be specified separately. "snort -de" won’t\r
+work. You can still concatenate options and their arguments, however, so\r
+"snort -Ldump" will work.</td>\r
+</tr></table>\r
+</div>\r
+<div class="paragraph"><p>Dump packets from all pcaps in a directory:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap' -L dump -d -e</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Log packets to a directory:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap' -L dump -l /path/to/log/dir</code></pre>\r
+</div></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_configuration_2">Configuration</h3>\r
+<div class="paragraph"><p>Validate a configuration file:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort -c $my_path/etc/snort/snort.lua</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Validate a configuration file and a separate rules file:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Read rules from stdin and validate:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort -c $my_path/etc/snort/snort.lua --stdin-rules < $my_path/etc/snort/sample.rules</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Enable warnings for Lua configurations and make warnings fatal:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort -c $my_path/etc/snort/snort.lua --warn-all --pedantic</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Tell Snort where to look for additional Lua scripts:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort --script-path /path/to/script/dir</code></pre>\r
+</div></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_ids_mode">IDS mode</h3>\r
+<div class="paragraph"><p>Run Snort in IDS mode, reading packets from a pcap:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Log any generated alerts to the console using the "-A" option:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A alert_full</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Add or modify a configuration from the command line using the "--lua" option:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A cmg \\r
+ --lua 'ips = { enable_builtin_rules = true }'</code></pre>\r
+</div></div>\r
+<div class="admonitionblock">\r
+<table><tr>\r
+<td class="icon">\r
+<img src="./images/icons/note.png" alt="Note" />\r
+</td>\r
+<td class="content">The "--lua" option can be specified multiple times.</td>\r
+</tr></table>\r
+</div>\r
+<div class="paragraph"><p>Run Snort in IDS mode on an entire directory of pcaps, processing each\r
+input source on a separate thread:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort -c $my_path/etc/snort/snort.lua --pcap-dir /path/to/pcap/dir \\r
+ --pcap-filter '*.pcap' --max-packet-threads 8</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Run Snort on 2 interfaces, eth0 and eth1:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort -c $my_path/etc/snort/snort.lua -i "eth0 eth1" -z 2 -A cmg</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Run Snort inline with the afpacket DAQ:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort -c $my_path/etc/snort/snort.lua --daq afpacket -i "eth0:eth1" \\r
+ -A cmg</code></pre>\r
+</div></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_plugins_2">Plugins</h3>\r
+<div class="paragraph"><p>Load external plugins and use the "ex" alert:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort -c $my_path/etc/snort/snort.lua \\r
+ --plugin-path $my_path/lib/snort_extra \\r
+ -A alert_ex -r /path/to/my.pcap</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Test the LuaJIT rule option <em>find</em> loaded from stdin:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort -c $my_path/etc/snort/snort.lua \\r
+ --script-path $my_path/lib/snort_extra \\r
+ --stdin-rules -A cmg -r /path/to/my.pcap << END\r
+alert tcp any any -> any 80 (\r
+ sid:3; msg:"found"; content:"GET";\r
+ find:"pat='HTTP/1%.%d'" ; )\r
+END</code></pre>\r
+</div></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_output_files">Output Files</h3>\r
+<div class="paragraph"><p>To make it simple to configure outputs when you run with multiple packet\r
+threads, output files are not explicitly configured. Instead, you can use\r
+the options below to format the paths:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code><logdir>/[<run_prefix>][<id#>][<X>]<name></code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Log to unified in the current directory:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A unified2</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Log to unified in the current directory with a different prefix:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A unified2 \\r
+ --run-prefix take2</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Log to unified in /tmp:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A unified2 -l /tmp</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Run 4 packet threads and log with thread number prefix (0-3):</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort -c $my_path/etc/snort/snort.lua --pcap-dir /path/to/pcap/dir \\r
+ --pcap-filter '*.pcap' -z 4 -A unified2</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Run 4 packet threads and log in thread number subdirs (0-3):</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort -c $my_path/etc/snort/snort.lua --pcap-dir /path/to/pcap/dir \\r
+ --pcap-filter '*.pcap' -z 4 -A unified2 --id-subdir</code></pre>\r
+</div></div>\r
+<div class="admonitionblock">\r
+<table><tr>\r
+<td class="icon">\r
+<img src="./images/icons/note.png" alt="Note" />\r
+</td>\r
+<td class="content">subdirectories are created automatically if required. Log filename\r
+is based on module name that writes the file. All text mode outputs\r
+default to stdout. These options can be combined.</td>\r
+</tr></table>\r
+</div>\r
+</div>\r
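Review bot: the path template `<logdir>/[<run_prefix>][<id#>][<X>]<name>` leaves `<X>` undefined, while every other placeholder is explained by the surrounding examples (`--run-prefix`, `-z`, `--id-subdir`). Add one sentence saying what `<X>` stands for (presumably the separator inserted after the thread id, with `--id-subdir` turning it into a subdirectory) so a reader can predict the filename before running with multiple packet threads.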
+<div class="sect2">\r
+<h3 id="_daq_alternatives">DAQ Alternatives</h3>\r
+<div class="paragraph"><p>Process hext packets from stdin:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort -c $my_path/etc/snort/snort.lua \\r
+ --daq-dir $my_path/lib/snort/daqs --daq hext -i tty << END\r
+$packet 10.1.2.3 48620 -> 10.9.8.7 80\r
+"GET / HTTP/1.1\r\n"\r
+"Host: localhost\r\n"\r
+"\r\n"\r
+END</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Process raw ethernet from hext file:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort -c $my_path/etc/snort/snort.lua \\r
+ --daq-dir $my_path/lib/snort/daqs --daq hext \\r
+ --daq-var dlt=1 -r <hext-file></code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Process a directory of plain files (ie non-pcap) with 4 threads with 8K\r
+buffers:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort -c $my_path/etc/snort/snort.lua \\r
+ --daq-dir $my_path/lib/snort/daqs --daq file \\r
+ --pcap-dir path/to/files -z 4 -s 8192</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Bridge two TCP connections on port 8000 and inspect the traffic:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort -c $my_path/etc/snort/snort.lua \\r
+ --daq-dir $my_path/lib/snort/daqs --daq socket</code></pre>\r
+</div></div>\r
+</div>\r
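Review bot: the lead-in "Bridge two TCP connections on port 8000" names a port that the command below it never passes; `--daq socket` is given with no `--daq-var`, unlike the hext example which sets `dlt=1` explicitly. State whether 8000 is the socket DAQ's default or show how the port is configured, otherwise the example cannot be reproduced on a different port.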
+<div class="sect2">\r
+<h3 id="_logger_alternatives">Logger Alternatives</h3>\r
+<div class="paragraph"><p>Dump TCP stream payload in hext mode:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort -c $my_path/etc/snort/snort.lua -L hext</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Output timestamp, pkt_num, proto, pkt_gen, dgm_len, dir, src_ap, dst_ap,\r
+rule, action for each alert:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort -c $my_path/etc/snort/snort.lua -A csv</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Output the old test format alerts:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort -c $my_path/etc/snort/snort.lua \\r
+ --lua "alert_csv = { fields = 'pkt_num gid sid rev', separator = '\t' }"</code></pre>\r
+</div></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_shell">Shell</h3>\r
+<div class="paragraph"><p>You must build with --enable-shell to make the command line shell available.</p></div>\r
+<div class="paragraph"><p>Enable shell mode:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort --shell <args></code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>You will see the shell mode command prompt, which looks like this:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>o")~</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>(The prompt can be changed with the SNORT_PROMPT environment variable.)</p></div>\r
+<div class="paragraph"><p>You can pause immediately after loading the configuration and again before\r
+exiting with:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort --shell --pause <args></code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>In that case you must issue the resume() command to continue. Enter quit()\r
+to terminate Snort or detach() to exit the shell. You can list the\r
+available commands with help().</p></div>\r
+<div class="paragraph"><p>To enable local telnet access on port 12345:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort --shell -j 12345 <args></code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>The command line interface is still under development. Suggestions are\r
+welcome.</p></div>\r
+</div>\r
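Review bot: the `snort --shell -j 12345` example is described as "local telnet access" but does not say which address the listener binds to or whether any authentication is applied, and the shell accepts process-control commands such as quit() and resume() per the preceding paragraph. Document the bind address (loopback only or all interfaces) and that telnet is cleartext and unauthenticated, so operators know to keep the port off untrusted networks.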
+<div class="sect2">\r
+<h3 id="_signals">Signals</h3>\r
+<div class="admonitionblock">\r
+<table><tr>\r
+<td class="icon">\r
+<img src="./images/icons/note.png" alt="Note" />\r
+</td>\r
+<td class="content">The following examples assume that Snort is currently running and has\r
+a process ID of <pid>.</td>\r
+</tr></table>\r
+</div>\r
+<div class="paragraph"><p>Modify and Reload Configuration:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>echo 'suppress = { { gid = 1, sid = 2215 } }' >> $my_path/etc/snort/snort.lua\r
+kill -hup <pid></code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Dump stats to stdout:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>kill -usr1 <pid></code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Shutdown normally:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>kill -term <pid></code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Exit without flushing packets:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>kill -quit <pid></code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>List available signals:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort --help-signals</code></pre>\r
+</div></div>\r
+<div class="admonitionblock">\r
+<table><tr>\r
+<td class="icon">\r
+<img src="./images/icons/note.png" alt="Note" />\r
+</td>\r
+<td class="content">The available signals may vary from platform to platform.</td>\r
+</tr></table>\r
+</div>\r
+</div>\r
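Review bot: the reload example appends `suppress = { { gid = 1, sid = 2215 } }` to snort.lua with `>>`, which in Lua is an assignment, not an append: if snort.lua already defines a `suppress` table, the new line replaces it and silently drops the earlier entries, and re-running the command stacks duplicate assignments. Show the table being edited in place (or the new entry added to the existing list) before `kill -hup <pid>`.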
+</div>\r
+</div>\r
+<div class="sect1">\r
+<h2 id="_features">Features</h2>\r
+<div class="sectionbody">\r
+<div class="paragraph"><p>This section explains how to use key features of Snort.</p></div>\r
+<div class="sect2">\r
+<h3 id="_binder">Binder</h3>\r
+<div class="paragraph"><p>One of the fundamental differences between Snort 2 and Snort 3 concerns configuration\r
+related to networks and ports. Here is a brief review of Snort 2 configuration for\r
+network and service related components:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+Snort’s configuration has a default policy and optional policies selected by\r
+ VLAN or network (with config binding).\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>detection.pcre_enable</strong> = true: disable pcre pattern matching\r
+Each policy contains a user defined set of preprocessor configurations.\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>detection.pcre_match_limit</strong> = 1500: limit pcre backtracking, -1 = max, 0 = off { -1:1000000 }\r
+Each preprocessor has a default configuration and some support non-default\r
+ configurations selected by network.\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>detection.pcre_match_limit_recursion</strong> = 1500: limit pcre stack consumption, -1 = max, 0 = off { -1:10000 }\r
+Most preprocessors have port configurations.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+The default policy may also contain a list of ports to ignore.\r
</p>\r
</li>\r
</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="paragraph"><p>In Snort 3, the above configurations are done in a single module called the\r
+binder. Here is an example:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>binder =\r
+{\r
+ -- allow all tcp port 22:\r
+ -- (similar to Snort 2 config ignore_ports)\r
+ { when = { proto = 'tcp', ports = '22' }, use = { action = 'allow' } },</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>-- select a config file by vlan\r
+-- (similar to Snort 2 config binding by vlan)\r
+{ when = { vlans = '1024' }, use = { file = 'vlan.lua' } },</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>-- use a non-default HTTP inspector for port 8080:\r
+-- (similar to a Snort 2 targeted preprocessor config)\r
+{ when = { nets = '192.168.0.0/16', proto = 'tcp', ports = '8080' },\r
+ use = { name = 'alt_http', type = 'http_inspect' } },</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>-- use the default inspectors:\r
+-- (similar to a Snort 2 default preprocessor config)\r
+{ when = { proto = 'tcp' }, use = { type = 'stream_tcp' } },\r
+{ when = { service = 'http' }, use = { type = 'http_inspect' } },</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code> -- figure out which inspector to run automatically:\r
+ { use = { type = 'wizard' } }\r
+}</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Bindings are evaluated when a session starts and again if and when service is\r
+identified on the session. Essentially, the bindings are a list of when-use\r
+rules evaluated from top to bottom. The first matching network and service\r
+configurations are applied. binder.when can contain any combination of\r
+criteria and binder.use can specify an action, config file, or inspector\r
+configuration.</p></div>\r
+</div>\r
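Review bot: the binder example is one Lua table but is rendered as five separate literal blocks (`binder =` opens in the first block and the closing `}` is in the last), and the entries in the middle blocks have lost the indentation that shows they sit inside the table. Put the whole table in a single listing block so it can be copied as valid Lua and so the top-to-bottom evaluation order described in the paragraph that follows is visible as one list.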
+<div class="sect2">\r
+<h3 id="_dce_inspectors">DCE Inspectors</h3>\r
+<div class="paragraph"><p>The main purpose of these inspector are to perform SMB desegmentation and\r
+DCE/RPC defragmentation to avoid rule evasion using these techniques.</p></div>\r
+<div class="sect3">\r
+<h4 id="_overview_2">Overview</h4>\r
+<div class="paragraph"><p>The following transports are supported for DCE/RPC: SMB, TCP, and UDP.\r
+New rule options have been implemented to improve performance, reduce false\r
+positives and reduce the count and complexity of DCE/RPC based rules.</p></div>\r
+<div class="paragraph"><p>Different from Snort 2, the DCE-RPC preprocessor is split into three inspectors\r
+ - one for each transport: dce_smb, dce_tcp, dce_udp. This includes the\r
+configuration as well as the inspector modules. The Snort 2 server configuration\r
+is now split between the inspectors. Options that are meaningful to all\r
+inspectors, such as policy and defragmentation, are copied into each inspector\r
+configuration. The address/port mapping is handled by the binder. Autodetect\r
+functionality is replaced by wizard curses.</p></div>\r
+</div>\r
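Review bot: grammar in the section opener, "The main purpose of these inspector are to perform", should read "The main purpose of these inspectors is to perform". Also, "Autodetect functionality is replaced by wizard curses" is the first mention of curses in this section; a cross-reference to where the wizard is described would help readers coming from the Snort 2 autodetect setting.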
+<div class="sect3">\r
+<h4 id="_quick_guide">Quick Guide</h4>\r
+<div class="paragraph"><p>A typical dcerpce configuration looks like this:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>binder =\r
+{\r
+ {\r
+ when =\r
+ {\r
+ proto = 'tcp',\r
+ ports = '139 445 1025',\r
+ },\r
+ use =\r
+ {\r
+ type = 'dce_smb',\r
+ },\r
+ },\r
+ {\r
+ when =\r
+ {\r
+ proto = 'tcp',\r
+ ports = '135 2103',\r
+ },\r
+ use =\r
+ {\r
+ type = 'dce_tcp',\r
+ },\r
+ },\r
+ {\r
+ when =\r
+ {\r
+ proto = 'udp',\r
+ ports = '1030',\r
+ },\r
+ use =\r
+ {\r
+ type = 'dce_udp',\r
+ },\r
+ }\r
+ }</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>dce_smb = { }</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>dce_tcp = { }</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>dce_udp = { }</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>In this example, it defines smb, tcp and udp inspectors based on port. All the\r
+configurations are default.</p></div>\r
+</div>\r
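Review bot: "A typical dcerpce configuration" is a typo for the inspector family named everywhere else as DCE/RPC (dce_smb, dce_tcp, dce_udp). As with the binder example, the configuration is split across four literal blocks; the three `dce_smb = { }`, `dce_tcp = { }`, `dce_udp = { }` lines belong in the same listing as the binder table, and the closing `}` of the binder table is indented one level deeper than its opener.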
+<div class="sect3">\r
+<h4 id="_target_based">Target Based</h4>\r
+<div class="paragraph"><p>There are enough important differences between Windows and Samba versions that\r
+a target based approach has been implemented. Some important differences:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>detection.analyzed</strong>: packets sent to detection\r
+Named pipe instance tracking\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.hard evals</strong>: non-fast pattern rule evaluations\r
+Accepted SMB commands\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.raw searches</strong>: fast pattern searches in raw packet data\r
+AndX command chaining\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.cooked searches</strong>: fast pattern searches in cooked packet data\r
+Transaction tracking\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.pkt searches</strong>: fast pattern searches in packet data\r
+Multiple Bind requests\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.alt searches</strong>: alt fast pattern searches in packet data\r
+DCE/RPC Fragmented requests - Context ID\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+DCE/RPC Fragmented requests - Operation number\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.key searches</strong>: fast pattern searches in key buffer\r
+DCE/RPC Stub data byte order\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Because of those differences, each inspector can be configured to different\r
+policy. Here are the list of policies supported:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+WinXP (default)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Win2000\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+WinVista\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Win2003\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Win2008\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Win7\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Samba\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Samba-3.0.37\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Samba-3.0.22\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Samba-3.0.20\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_reassembling">Reassembling</h4>\r
+<div class="paragraph"><p>Both SMB inspector and TCP inspector support reassemble. Reassemble threshold\r
+specifies a minimum number of bytes in the DCE/RPC desegmentation and\r
+defragmentation buffers before creating a reassembly packet to send to the\r
+detection engine. This option is useful in inline mode so as to potentially\r
+catch an exploit early before full defragmentation is done. A value of 0 s\r
+supplied as an argument to this option will, in effect, disable this option.\r
+Default is disabled.</p></div>\r
+</div>\r
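Review bot: "Both SMB inspector and TCP inspector support reassemble" should be "support reassembly", and "A value of 0 s supplied" is missing the word "is". The paragraph also never names the configuration option it is describing (it only says "this option" and "Reassemble threshold"); give the actual key so the reader can set it in dce_smb or dce_tcp.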
+<div class="sect3">\r
+<h4 id="_smb">SMB</h4>\r
+<div class="paragraph"><p>SMB inspector is one of the most complex inspectors. In addition to supporting\r
+rule options and lots of inspector rule events, it also supports file\r
+processing for both SMB version 1, 2, and 3.</p></div>\r
+<div class="sect4">\r
+<h5 id="_finger_print_policy">Finger Print Policy</h5>\r
+<div class="paragraph"><p>In the initial phase of an SMB session, the client needs to authenticate with a\r
+SessionSetupAndX. Both the request and response to this command contain OS and\r
+version information that can allow the inspector to dynamically set the policy\r
+for a session which allows for better protection against Windows and Samba\r
+specific evasions.</p></div>\r
+</div>\r
+<div class="sect4">\r
+<h5 id="_file_inspection">File Inspection</h5>\r
+<div class="paragraph"><p>SMB inspector supports file inspection. A typical configuration looks like this:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>binder =\r
+{\r
+ {\r
+ when =\r
+ {\r
+ proto = 'tcp',\r
+ ports = '139 445',\r
+ },\r
+ use =\r
+ {\r
+ type = 'dce_smb',\r
+ },\r
+ },\r
+}</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>dce_smb =\r
+{\r
+ smb_file_inspection = 'on',\r
+ smb_file_depth = 0,\r
+ }</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>file_id =\r
+{\r
+ enable_type = true,\r
+ enable_signature = true,\r
+ enable_capture = true,\r
+ file_rules = magics,\r
+}</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>First, define a binder to map tcp port 139 and 445 to smb. Then, enable file\r
+inspection in smb inspection and set the file depth as unlimited. Lastly, enable\r
+file inspector to inspect file type, calculate file signature, and capture file.\r
+The details of file inspector are explained in file processing section.</p></div>\r
+<div class="paragraph"><p>SMB inspector does inspection of normal SMB file transfers. This includes doing\r
+file type and signature through the file processing as well as setting a pointer\r
+for the "file_data" rule option. Note that the "file_depth" option only applies\r
+to the maximum amount of file data for which it will set the pointer for the\r
+"file_data" rule option. For file type and signature it will use the value\r
+configured for the file API. If "only" is specified, the inspector will only\r
+do SMB file inspection, i.e. it will not do any DCE/RPC tracking or inspection.\r
+If "on" is specified with no arguments, the default file depth is 16384 bytes.\r
+An argument of -1 to "file-depth" disables setting the pointer for "file_data",\r
+effectively disabling SMB file inspection in rules. An argument of 0 to\r
+"file_depth" means unlimited. Default is "off", i.e. no SMB file inspection is\r
+ done in the inspector.</p></div>\r
+</div>\r
+</div>\r
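Review bot: the File Inspection text uses three spellings for one setting: `smb_file_depth` in the configuration block, then "file_depth" and "file-depth" in the explanatory paragraph, and "If "on" is specified with no arguments" describes Snort 2 keyword syntax rather than the separate `smb_file_inspection` / `smb_file_depth` keys shown above. Align the prose with the Lua key names, and note that `file_rules = magics` in the file_id block depends on the magic rules file being loaded first (the `dofile` line appears only in the later File Processing section).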
+<div class="sect3">\r
+<h4 id="_tcp">TCP</h4>\r
+<div class="paragraph"><p>dce_tcp inspector supports defragementation, reassembling, and policy that is\r
+similar to SMB.</p></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_udp">UDP</h4>\r
+<div class="paragraph"><p>dce_udp is a very simple inspector that only supports defragementation</p></div>\r
+</div>\r
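Review bot: "defragementation" in both the TCP and UDP paragraphs is a typo for "defragmentation", and the UDP sentence is missing its terminating period.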
+<div class="sect3">\r
+<h4 id="_rule_options">Rule Options</h4>\r
+<div class="paragraph"><p>New rule options are supported by enabling the dcerpc2 inspectors:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+dce_iface\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.header searches</strong>: fast pattern searches in header buffer\r
+dce_opnum\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.body searches</strong>: fast pattern searches in body buffer\r
+dce_stub_data\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>New modifiers to existing byte_test and byte_jump rule options:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>detection.file searches</strong>: fast pattern searches in file buffer\r
+byte_test: dce\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.alerts</strong>: alerts not including IP reputation\r
+byte_jump: dce\r
</p>\r
</li>\r
+</ul></div>\r
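Review bot: "enabling the dcerpc2 inspectors" uses the Snort 2 preprocessor name; the inspectors introduced in this section are dce_smb, dce_tcp and dce_udp, so name those here to match the rest of the section.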
+<div class="sect4">\r
+<h5 id="_dce_iface">dce_iface</h5>\r
+<div class="paragraph"><p>For DCE/RPC based rules it has been necessary to set flow-bits based on a client\r
+bind to a service to avoid false positives. It is necessary for a client to bind\r
+to a service before being able to make a call to it. When a client sends a bind\r
+request to the server, it can, however, specify one or more service interfaces\r
+to bind to. Each interface is represented by a UUID. Each interface UUID is\r
+paired with a unique index (or context id) that future requests can use to\r
+reference the service that the client is making a call to. The server will\r
+respond with the interface UUIDs it accepts as valid and will allow the client\r
+to make requests to those services. When a client makes a request, it will\r
+specify the context id so the server knows what service the client is making a\r
+request to. Instead of using flow-bits, a rule can simply ask the inspector,\r
+using this rule option, whether or not the client has bound to a specific\r
+interface UUID and whether or not this client request is making a request to it.\r
+This can eliminate false positives where more than one service is bound to\r
+successfully since the inspector can correlate the bind UUID to the context\r
+id used in the request. A DCE/RPC request can specify whether numbers are\r
+represented as big endian or little endian. The representation of the interface\r
+UUID is different depending on the endianness specified in the DCE/RPC\r
+previously requiring two rules - one for big endian and one for little endian.\r
+The inspector eliminates the need for two rules by normalizing the UUID.\r
+An interface contains a version. Some versions of an interface may not be\r
+vulnerable to a certain exploit. Also, a DCE/RPC request can be broken up into\r
+1 or more fragments. Flags (and a field in the connectionless header) are set in\r
+the DCE/RPC header to indicate whether the fragment is the first, a middle or\r
+the last fragment. Many checks for data in the DCE/RPC request are only relevant\r
+if the DCE/RPC request is a first fragment (or full request), since subsequent\r
+fragments will contain data deeper into the DCE/RPC request. A rule which is\r
+looking for data, say 5 bytes into the request (maybe it’s a length field), will\r
+be looking at the wrong data on a fragment other than the first, since the\r
+beginning of subsequent fragments are already offset some length from the\r
+beginning of the request. This can be a source of false positives in fragmented\r
+DCE/RPC traffic. By default it is reasonable to only evaluate if the request is\r
+a first fragment (or full request). However, if the "any_frag" option is used to\r
+specify evaluating on all fragments.</p></div>\r
+<div class="paragraph"><p>Examples:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>dce_iface: 4b324fc8-1670-01d3-1278-5a47bf6ee188;\r
+dce_iface: 4b324fc8-1670-01d3-1278-5a47bf6ee188,<2;\r
+dce_iface: 4b324fc8-1670-01d3-1278-5a47bf6ee188,any_frag;\r
+dce_iface: 4b324fc8-1670-01d3-1278-5a47bf6ee188,=1,any_frag;</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>This option is used to specify an interface UUID. Optional arguments are an\r
+interface version and operator to specify that the version be less than (<em><</em>),\r
+greater than (<em>></em>), equal to (<em>=</em>) or not equal to (<em>!</em>) the version specified.\r
+Also, by default the rule will only be evaluated for a first fragment (or full\r
+request, i.e. not a fragment) since most rules are written to start at the\r
+beginning of a request. The "any_frag" argument says to evaluate for middle and\r
+last fragments as well. This option requires tracking client Bind and\r
+Alter Context requests as well as server Bind Ack and Alter Context responses\r
+for connection-oriented DCE/RPC in the inspector. For each Bind and\r
+Alter Context request, the client specifies a list of interface UUIDs along\r
+with a handle (or context id) for each interface UUID that will be used during\r
+the DCE/RPC session to reference the interface. The server response indicates\r
+which interfaces it will allow the client to make requests to - it either\r
+accepts or rejects the client’s wish to bind to a certain interface. This\r
+tracking is required so that when a request is processed, the context id used\r
+in the request can be correlated with the interface UUID it is a handle for.</p></div>\r
+<div class="paragraph"><p>hexlong and hexshort will be specified and interpreted to be in big endian\r
+order (this is usually the default way an interface UUID will be seen and\r
+represented). As an example, the following Messenger interface UUID as taken\r
+off the wire from a little endian Bind request:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>|f8 91 7b 5a 00 ff d0 11 a9 b2 00 c0 4f b6 e6 fc|</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>must be written as:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>The same UUID taken off the wire from a big endian Bind request:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>|5a 7b 91 f8 ff 00 11 d0 a9 b2 00 c0 4f b6 e6 fc|</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>must be written the same way:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>This option matches if the specified interface UUID matches the interface UUID\r
+(as referred to by the context id) of the DCE/RPC request and if supplied, the\r
+version operation is true. This option will not match if the fragment is not a\r
+first fragment (or full request) unless the "any_frag" option is supplied in\r
+which case only the interface UUID and version need match. Note that a\r
+defragmented DCE/RPC request will be considered a full request.</p></div>\r
+<div class="paragraph"><p>Using this rule option will automatically insert fast pattern contents into\r
+the fast pattern matcher. For UDP rules, the interface UUID, in both big and\r
+little endian format will be inserted into the fast pattern matcher. For TCP\r
+rules, (1) if the rule option "flow:to_server|from_client" is used, |05 00 00|\r
+will be inserted into the fast pattern matcher, (2) if the rule option\r
+"flow:from_server|to_client" is used, |05 00 02| will be inserted into the\r
+fast pattern matcher and (3) if the flow isn’t known, |05 00| will be inserted\r
+into the fast pattern matcher. Note that if the rule already has content rule\r
+options in it, the best (meaning longest) pattern will be used. If a content\r
+in the rule uses the fast_pattern rule option, it will unequivocally be used\r
+over the above mentioned patterns.</p></div>\r
+</div>\r
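Review bot: "hexlong and hexshort will be specified and interpreted to be in big endian order" refers to terms that are never defined in this document. Describe the UUID layout the examples already show (an 8-hex-digit group, two 4-digit groups, then a 4-digit and a 12-digit group) so it is clear which groups are byte-swapped when the Bind request is little endian. Also, the sentence ending "However, if the "any_frag" option is used to specify evaluating on all fragments." is incomplete, and "DCE/RPC previously requiring two rules" needs a comma before "previously".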
+<div class="sect4">\r
+<h5 id="_dce_opnum">dce_opnum</h5>\r
+<div class="paragraph"><p>The opnum represents a specific function call to an interface. After is has\r
+been determined that a client has bound to a specific interface and is making\r
+a request to it (see above - dce_iface) usually we want to know what function\r
+call it is making to that service. It is likely that an exploit lies in the\r
+particular DCE/RPC function call.</p></div>\r
+<div class="paragraph"><p>Examples:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>dce_opnum: 15;\r
+dce_opnum: 15-18;\r
+dce_opnum: 15,18-20;\r
+dce_opnum: 15,17,20-22;</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>This option is used to specify an opnum (or operation number), opnum range or\r
+list containing either or both opnum and/or opnum-range. The opnum of a\r
+DCE/RPC request will be matched against the opnums specified with this option.\r
+This option matches if any one of the opnums specified match the opnum of the\r
+DCE/RPC request.</p></div>\r
+</div>\r
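Review bot: "After is has been determined" should read "After it has been determined". Since the examples show ranges and lists, it would help to state whether the list form is evaluated as a set (any listed opnum matches), which the final sentence implies but the option description does not say outright.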
+<div class="sect4">\r
+<h5 id="_dce_stub_data">dce_stub_data</h5>\r
+<div class="paragraph"><p>Since most DCE/RPC based rules had to do protocol decoding only to get to the\r
+DCE/RPC stub data, i.e. the remote procedure call or function call data, this\r
+option will alleviate this need and place the cursor at the beginning of the\r
+DCE/RPC stub data. This reduces the number of rule option checks and the\r
+complexity of the rule.</p></div>\r
+<div class="paragraph"><p>This option takes no arguments.</p></div>\r
+<div class="paragraph"><p>Example:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>dce_stub_data;</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>This option is used to place the cursor (used to walk the packet payload in\r
+rules processing) at the beginning of the DCE/RPC stub data, regardless of\r
+preceding rule options. There are no arguments to this option. This option\r
+matches if there is DCE/RPC stub data.</p></div>\r
+<div class="paragraph"><p>The cursor is moved to the beginning of the stub data. All ensuing rule\r
+options will be considered "sticky" to this buffer. The first rule option\r
+following dce_stub_data should use absolute location modifiers if it is\r
+position-dependent. Subsequent rule options should use a relative modifier if\r
+they are meant to be relative to a previous rule option match in the stub data\r
+buffer. Any rule option that does not specify a relative modifier will be\r
+evaluated from the start of the stub data buffer. To leave the stub data buffer\r
+and return to the main payload buffer, use the "pkt_data" rule option.</p></div>\r
+</div>\r
+<div class="sect4">\r
+<h5 id="_byte_test_and_byte_jump">byte_test and byte_jump</h5>\r
+<div class="paragraph"><p>A DCE/RPC request can specify whether numbers are represented in big or little\r
+endian. These rule options will take as a new argument "dce" and will work\r
+basically the same as the normal byte_test/byte_jump, but since the DCE/RPC\r
+inspector will know the endianness of the request, it will be able to do\r
+the correct conversion.</p></div>\r
+<div class="paragraph"><p>Examples:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>byte_test: 4,>,35000,0,relative,dce;\r
+byte_test: 2,!=,2280,-10,relative,dce;</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>When using the "dce" argument to a byte_test, the following normal byte_test\r
+arguments will not be allowed: "big", "little", "string", "hex", "dec" and\r
+"oct".</p></div>\r
+<div class="paragraph"><p>Examples:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>byte_jump:4,-4,relative,align,multiplier 2,post_offset -4,dce;</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>When using the dce argument to a byte_jump, the following normal byte_jump\r
+arguments will not be allowed: "big", "little", "string", "hex", "dec", "oct"\r
+and "from_beginning"</p></div>\r
+</div>\r
+</div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_file_processing">File Processing</h3>\r
+<div class="paragraph"><p>With the volume of malware transferred through network increasing,\r
+network file inspection becomes more and more important. This feature\r
+will provide file type identification, file signature creation, and file\r
+capture capabilities to help users deal with those challenges.</p></div>\r
+<div class="sect3">\r
+<h4 id="_overview_3">Overview</h4>\r
+<div class="paragraph"><p>There are two parts of file services: file APIs and file policy.\r
+File APIs provides all the file inspection functionalities, such as file\r
+type identification, file signature calculation, and file capture.\r
+File policy provides users ability to control file services, such\r
+as enable/disable/configure file type identification, file signature, or\r
+file capture.</p></div>\r
+<div class="paragraph"><p>In addition to all capabilities from Snort 2, we support customized file\r
+policy along with file event log.</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>detection.total alerts</strong>: alerts including IP reputation\r
+Supported protocols: HTTP, SMTP, IMAP, POP3, FTP, and SMB.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.logged</strong>: logged packets\r
+Supported file signature calculation: SHA256\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_quick_guide_2">Quick Guide</h4>\r
+<div class="paragraph"><p>A very simple configuration has been included in lua/snort.lua file.\r
+A typical file configuration looks like this:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>dofile('magic.lua')</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>my_file_policy =\r
+{\r
+ { when = { file_type_id = 0 }, use = { verdict = 'log', enable_file_signature = true, enable_file_capture = true } }\r
+ { when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_signature = true } },\r
+ { when = { sha256 = "F74DC976BC8387E7D4FC0716A069017A0C7ED13F309A523CC41A8739CCB7D4B6" }, use = { verdict = 'block'} },\r
+}</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>file_id =\r
+{\r
+ enable_type = true,\r
+ enable_signature = true,\r
+ enable_capture = true,\r
+ file_rules = magics,\r
+ trace_type = true,\r
+ trace_signature = true,\r
+ trace_stream = true,\r
+ file_policy = my_file_policy,\r
+ }</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>file_log =\r
+{\r
+ log_pkt_time = true,\r
+ log_sys_time = false,\r
+}</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>There are 3 steps to enable file processing:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>detection.passed</strong>: passed packets\r
+First, you need to include the file magic rules.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.match limit</strong>: fast pattern matches not processed\r
+Then, define the file policy and configure the inspector\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.queue limit</strong>: events not queued because queue full\r
+At last, enable file_log to get detailed information about file event\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_pre_packaged_file_magic_rules">Pre-packaged File Magic Rules</h4>\r
+<div class="paragraph"><p>A set of file magic rules is packaged with Snort. They can be located at\r
+"lua/file_magic.lua". To use this feature, it is recommended that these\r
+pre-packaged rules are used; doing so requires that you include\r
+the file in your Snort configuration as such (already in snort.lua):</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>dofile('magic.lua')</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Example:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>{ type = "GIF", id = 62, category = "Graphics", rev = 1,\r
+ magic = { { content = "| 47 49 46 38 37 61 |",offset = 0 } } },</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>{ type = "GIF", id = 63, category = "Graphics", rev = 1,\r
+ magic = { { content = "| 47 49 46 38 39 61 |",offset = 0 } } },</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>The previous two rules define GIF format, because two file magics are\r
+different. File magics are specifed by content and offset, which look\r
+at content at particular file offset to identify the file type. In this\r
+case, two magics look at the beginning of the file. You can use character\r
+if it is printable or hex value in between "|".</p></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_file_policy">File Policy</h4>\r
+<div class="paragraph"><p>You can enabled file type, file signature, or file capture by configuring\r
+file_id. In addition, you can enable trace to see file stream data, file\r
+type, and file signature information.</p></div>\r
+<div class="paragraph"><p>Most importantly, you can configure a file policy that can block/alert\r
+some file type or an individual file based on SHA. This allows you\r
+build a file blacklist or whitelist.</p></div>\r
+<div class="paragraph"><p>Example:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>file_policy =\r
+{\r
+ { when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_signature = true } },\r
+ { when = { sha256 = "F74DC976BC8387E7D4FC0716A069017A0C7ED13F309A523CC41A8739CCB7D4B6" }, use = { verdict = 'block'} },\r
+ { when = { file_type_id = 0 }, use = { verdict = 'log', enable_file_signature = true, enable_file_capture = true } }\r
+}</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>In this example, it enables this policy:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>detection.log limit</strong>: events queued but not logged\r
+For PDF files, they will be logged with signatures.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.event limit</strong>: events filtered\r
+For the file matching this SHA, it will be blocked\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.alert limit</strong>: events previously triggered on same PDU\r
+For all file types identified, they will be logged with signature, and\r
+also captured onto log folder.\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
+<div class="sect3">\r
+<h4 id="_file_capture">File Capture</h4>\r
+<div class="paragraph"><p>File can be captured and stored to log folder. We use SHA as file name\r
+instead of actual file name to avoid conflicts. You can capture either\r
+all files, some file type, or a particular file based on SHA.</p></div>\r
+<div class="paragraph"><p>You can enable file capture through this config:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>enable_capture = true,</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>or enable it for some file or file type in your file policy:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>{ when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_capture = true } },</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>The above rule will enable PDF file capture.</p></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_file_events">File Events</h4>\r
+<div class="paragraph"><p>File inspect preprocessor also works as a dynamic output plugin for file\r
+events. It logs basic information about file. The log file is in the same\r
+folder as other log files with name starting with "file.log".</p></div>\r
+<div class="paragraph"><p>Example:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>file_log = { log_pkt_time = true, log_sys_time = false }</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>All file events will be logged in packet time, system time is not logged.</p></div>\r
+<div class="paragraph"><p>File event example:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>08/14-19:14:19.100891 10.22.75.72:33734 -> 10.22.75.36:80,\r
+[Name: "malware.exe"] [Verdict: Block] [Type: MSEXE]\r
+[SHA: 6F26E721FDB1AAFD29B41BCF90196DEE3A5412550615A856DAE8E3634BCE9F7A]\r
+[Size: 1039328]</code></pre>\r
+</div></div>\r
+</div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_http_inspector">HTTP Inspector</h3>\r
+<div class="paragraph"><p>One of the major undertakings for Snort 3 is developing a completely new\r
+HTTP inspector. You can configure it by adding:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>http_inspect = {}</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>to your snort.lua configuration file. Or you can read it in the source code\r
+under src/service_inspectors/http_inspect.</p></div>\r
+<div class="paragraph"><p>The classic HTTP preprocessor is still available in the alpha release under\r
+extra. It has been renamed http_server. Be sure not to configure both old\r
+and new HTTP inspectors at the same time.</p></div>\r
+<div class="paragraph"><p>So why a new HTTP inspector?</p></div>\r
+<div class="paragraph"><p>For starters it is object-oriented. That’s good for us because we maintain\r
+this software. But it should also be really nice for open-source\r
+developers. You can make meaningful changes and additions to HTTP\r
+processing without having to understand the whole thing. In fact much of\r
+the new HTTP inspector’s knowledge of HTTP is centralized in a series of\r
+tables where it can be easily reviewed and modified. Many significant\r
+changes can be made just by updating these tables.</p></div>\r
+<div class="paragraph"><p>Http_inspect is the first inspector written specifically for the new\r
+Snort 3 architecture. That provides access to one of the very best\r
+features of Snort 3: purely PDU-based inspection. The classic preprocessor\r
+processes HTTP messages, but even while doing so it is constantly aware of\r
+IP packets and how they divide up the TCP data stream. The same HTTP\r
+message might be processed differently depending on how the sender (bad\r
+guy) divided it up into IP packets.</p></div>\r
+<div class="paragraph"><p>Http_inspect is free of this burden and can focus exclusively on HTTP.\r
+That makes it much simpler, easier to test, and less prone to false\r
+positives. It also greatly reduces the opportunity for adversaries to probe\r
+the inspector for weak spots by adjusting packet boundaries to disguise bad\r
+behavior.</p></div>\r
+<div class="paragraph"><p>Dealing solely with HTTP messages also opens the door for developing major\r
+new features. The http_inspect design supports true stateful\r
+processing. Want to ask questions that involve both the client request and\r
+the server response? Or different requests in the same session? These\r
+things are possible.</p></div>\r
+<div class="paragraph"><p>Another new feature on the horizon is HTTP/2 analysis. HTTP/2 derives from\r
+Google’s SPDY project and is in the process of being standardized. Despite\r
+the name, it is better to think of HTTP/2 not as a newer version of\r
+HTTP/1.1, but rather a separate protocol layer that runs under HTTP/1.1 and\r
+on top of TLS or TCP. It’s a perfect fit for the new Snort 3 architecture\r
+because a new HTTP/2 inspector would naturally output HTTP/1.1 messages but\r
+not any underlying packets. Exactly what http_inspect wants to input.</p></div>\r
+<div class="paragraph"><p>Http_inspect is taking a very different approach to HTTP header fields.\r
+The classic preprocessor divides all the HTTP headers following the start line\r
+into cookies and everything else. It normalizes the two pieces using a\r
+generic process and puts them in buffers that one can write rules against.\r
+There is some limited support for examining individual headers within the\r
+inspector but it is very specific.</p></div>\r
+<div class="paragraph"><p>The new concept is that every header should be normalized in an appropriate\r
+and specific way and individually made available for the user to write\r
+rules against it. If for example a header is supposed to be a date then\r
+normalization means put that date in a standard format.</p></div>\r
+</div>\r
<div class="sect2">\r
-<h3 id="_event_filter">event_filter</h3>\r
-<div class="paragraph"><p>What: configure thresholding of events</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>event_filter[].gid</strong> = 1: rule generator ID { 0: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>event_filter[].sid</strong> = 1: rule signature ID { 0: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>event_filter[].type</strong>: 1st count events | every count events | once after count events { limit | threshold | both }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>event_filter[].track</strong>: filter only matching source or destination addresses { by_src | by_dst }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>event_filter[].count</strong> = 0: number of events in interval before tripping; -1 to disable { -1: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>event_filter[].seconds</strong> = 0: count interval { 0: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>event_filter[].ip</strong>: restrict filter to these addresses according to track\r
-</p>\r
-</li>\r
-</ul></div>\r
+<h3 id="_performance_monitor">Performance Monitor</h3>\r
+<div class="paragraph"><p>The new and improved performance monitor! Is your sensor being bogged down by\r
+too many flows? perf_monitor! Why are certain TCP segments being dropped without\r
+hitting a rule? perf_monitor! Why is a sensor leaking water? Not perf_monitor, check\r
+with stream…</p></div>\r
+<div class="sect3">\r
+<h4 id="_overview_4">Overview</h4>\r
+<div class="paragraph"><p>The Snort performance monitor is the built-in utility for monitoring system\r
+and traffic statistics. All statistics are separated by processing thread.\r
+perf_monitor supports several trackers for monitoring such data:</p></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_base_tracker">Base Tracker</h4>\r
+<div class="paragraph"><p>The base tracker is used to gather running statistics about Snort and its\r
+running modules. All Snort modules gather, at the very least, counters for the\r
+number of packets reaching it. Most supplement these counts with those for\r
+domain specific functions, such as http_inspect’s number of GET requests seen.</p></div>\r
+<div class="paragraph"><p>Statistics are gathered live and can be reported at regular intervals. The stats\r
+reported correspond only to the interval in question and are reset at the\r
+beginning of each interval.</p></div>\r
+<div class="paragraph"><p>These are the same counts displayed when Snort shuts down, only sorted amongst\r
+the discrete intervals in which they occurred.</p></div>\r
+<div class="paragraph"><p>Base differs from prior implementations in Snort in that all stats gathered are\r
+only raw counts, allowing the data to be evaluated as needed. Additionally,\r
+base is entirely pluggable. Data from new Snort plugins can be added to the\r
+existing stats either automatically or, if specified, by name and function.</p></div>\r
+<div class="paragraph"><p>All plugins and counters can be enabled or disabled individually, allowing for\r
+only the data that is actually desired instead of overly verbose performance\r
+logs.</p></div>\r
+<div class="paragraph"><p>To enable everything:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>perf_monitor = { modules = {} }</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>To enable everything within a module:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>perf_monitor =\r
+{\r
+ modules =\r
+ {\r
+ {\r
+ name = 'stream_tcp',\r
+ pegs = [[ ]]\r
+ },\r
+ }\r
+}</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>To enable specific counts within modules:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>perf_monitor =\r
+{\r
+ modules =\r
+ {\r
+ {\r
+ name = 'stream_tcp',\r
+ pegs = [[ overlaps gaps ]]\r
+ },\r
+ }</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Note: Event stats from prior Snorts are now located within base statistics.</p></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_flow_tracker">Flow Tracker</h4>\r
+<div class="paragraph"><p>Flow tracks statistics regarding traffic and L3/L4 protocol distributions. This\r
+data can be used to build a profile of traffic for inspector tuning and for\r
+identifying where Snort may be stressed.</p></div>\r
+<div class="paragraph"><p>To enable:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>perf_monitor = { flow = true }</code></pre>\r
+</div></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_flowip_tracker">FlowIP Tracker</h4>\r
+<div class="paragraph"><p>FlowIP provides statistics for individual hosts within a network. This data can\r
+be used for identifying communication habits, such as generating large or small\r
+amounts of data, opening a small or large number of sessions, and tendency to\r
+send smaller or larger IP packets.</p></div>\r
+<div class="paragraph"><p>To enable:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>perf_monitor = { flow_ip = true }</code></pre>\r
+</div></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_cpu_tracker">CPU Tracker</h4>\r
+<div class="paragraph"><p>This tracker monitors the CPU and wall time spent by a given processing thread.</p></div>\r
+<div class="paragraph"><p>To enable:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>perf_monitor = { cpu = true }</code></pre>\r
+</div></div>\r
+</div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_event_queue">event_queue</h3>\r
-<div class="paragraph"><p>What: configure event queue parameters</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
+<h3 id="_sensitive_data_filtering">Sensitive Data Filtering</h3>\r
+<div class="paragraph"><p>The <code>sd_pattern</code> IPS option provides detection and filtering of Personally\r
+Identifiable Information (PII). This information includes credit card\r
+numbers, U.S. Social Security numbers, and email addresses. A rich regular\r
+expression syntax is available for defining your own PII.</p></div>\r
+<div class="sect3">\r
+<h4 id="_hyperscan">Hyperscan</h4>\r
+<div class="paragraph"><p>The <code>sd_pattern</code> rule option is powered by the open source Hyperscan\r
+library from Intel. It provides a regex grammar which is mostly PCRE\r
+compatible. To learn more about Hyperscan see\r
+<a href="http://01org.github.io/hyperscan/dev-reference/">http://01org.github.io/hyperscan/dev-reference/</a></p></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_syntax">Syntax</h4>\r
+<div class="paragraph"><p>Snort provides <code>sd_pattern</code> as IPS rule option with no additional inspector\r
+overhead. The Rule option takes the following syntax.</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>sd_pattern: "<pattern>"[, threshold <count>];</code></pre>\r
+</div></div>\r
+<div class="sect4">\r
+<h5 id="_pattern">Pattern</h5>\r
+<div class="paragraph"><p>Pattern is the most important and is the only required parameter to\r
+<code>sd_pattern</code>. It supports 3 built in patterns which are configured by name:\r
+"credit_card", "us_social" and "us_social_nodashes", as well as user\r
+defined regular expressions of the Hyperscan dialect (see\r
+<a href="http://01org.github.io/hyperscan/dev-reference/compilation.html#pattern-support">http://01org.github.io/hyperscan/dev-reference/compilation.html#pattern-support</a>).</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>sd_pattern:"credit_card";</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>When configured, Snort will replace the pattern <em>credit_card</em> with the built in\r
+pattern. In addition to pattern matching, Snort will validate that the matched\r
+digits will pass the Luhn-check algorithm. Currently the only pattern that\r
+performs extra verification.</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>sd_pattern:"us_social";\r
+sd_pattern:"us_social_nodashes";</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>These special patterns will also be replaced with a built in pattern.\r
+Naturally, "us_social" is a pattern of 9 digits separated by <code>-</code>'s in the\r
+canonical form.</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>sd_pattern:"\b\w+@ourdomain\.com\b"</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>This is a user defined pattern which matches what is most likely email\r
+addresses for the site "ourdomain.com". The pattern is a PCRE compatible\r
+regex, <em>\b</em> matches a word boundary (whitespace, end of line, non-word\r
+characters) and <em>\w+</em> matches one or more word characters. <em>\.</em> matches\r
+a literal <em>.</em>.</p></div>\r
+<div class="paragraph"><p>The above pattern would match "a@ourdomain.com", "aa@ourdomain.com" but would\r
+not match <code>1@ourdomain.com</code> <code>ab12@ourdomain.com</code> or <code>@ourdomain.com</code>.</p></div>\r
+<div class="paragraph"><p>Note: This is just an example, this pattern is not suitable to detect many\r
+correctly formatted emails.</p></div>\r
+</div>\r
+<div class="sect4">\r
+<h5 id="_threshold">Threshold</h5>\r
+<div class="paragraph"><p>Threshold is an optional parameter allowing you to change built in default\r
+value (default value is <em>1</em>). The following two instances are identical.\r
+The first will assume the default value of <em>1</em> the second declaration\r
+explicitly sets the threshold to <em>1</em>.</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>sd_pattern:"This rule requires 1 match";\r
+sd_pattern:"This rule requires 1 match", threshold 1;</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>That’s pretty easy, but here is one more example anyway.</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>sd_pattern:"This is a string literal", threshold 300;</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>This example requires 300 matches of the pattern "This is a string literal"\r
+to qualify as a positive match. That is, if the string only occurred 299 times\r
+in a packet, you will not see an event.</p></div>\r
+</div>\r
+<div class="sect4">\r
+<h5 id="_obfuscating_credit_cards_and_social_security_numbers">Obfuscating Credit Cards and Social Security Numbers</h5>\r
+<div class="paragraph"><p>Snort provides discreet logging for the built in patterns "credit_card",\r
+"us_social" and "us_social_nodashes". Enabling <code>output.obfuscate_pii</code> makes\r
+Snort obfuscate the suspect packet payload which was matched by the\r
+patterns. This configuration is disabled by default.</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>output =\r
+{\r
+ obfuscate_pii = true\r
+}</code></pre>\r
+</div></div>\r
+</div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_example">Example</h4>\r
+<div class="paragraph"><p>A complete Snort IPS rule</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>alert tcp ( sid:1; msg:"Credit Card"; sd_pattern:"credit_card"; )</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Logged output when running Snort in "cmg" alert format.</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>02/25-21:19:05.125553 [**] [1:1:0] "Credit Card" [**] [Priority: 0] {TCP} 10.1.2.3:48620 -> 10.9.8.7:8\r
+02:01:02:03:04:05 -> 02:09:08:07:06:05 type:0x800 len:0x46\r
+10.1.2.3:48620 -> 10.9.8.7:8 TCP TTL:64 TOS:0x0 ID:14 IpLen:20 DgmLen:56\r
+***A**** Seq: 0xB2 Ack: 0x2 Win: 0x2000 TcpLen: 20\r
+- - - raw[16] - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
+58 58 58 58 58 58 58 58 58 58 58 58 39 32 39 34 XXXXXXXXXXXX9294\r
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</code></pre>\r
+</div></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_caveats">Caveats</h4>\r
+<div class="olist arabic"><ol class="arabic">\r
<li>\r
<p>\r
-int <strong>event_queue.max_queue</strong> = 8: maximum events to queue { 1: }\r
+Snort currently requires setting the fast pattern engine to use\r
+"hyperscan" in order for <code>sd_pattern</code> ips option to function correctly.\r
</p>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>search_engine = { search_method = 'hyperscan' }</code></pre>\r
+</div></div>\r
</li>\r
<li>\r
<p>\r
-int <strong>event_queue.log</strong> = 3: maximum events to log { 1: }\r
+Log obfuscation is only applicable to CMG and Unified2 logging formats.\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>event_queue.order_events</strong> = content_length: criteria for ordering incoming events { priority|content_length }\r
+Log obfuscation doesn’t support user defined PII patterns. It is\r
+currently only supported for the built in patterns for Credit Cards and US\r
+Social Security numbers.\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>event_queue.process_all_events</strong> = false: process just first action group or all action groups\r
+Log obfuscation doesn’t work with stream rebuilt packet payloads. (This\r
+is a known bug).\r
</p>\r
</li>\r
-</ul></div>\r
+</ol></div>\r
+</div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_file_id">file_id</h3>\r
-<div class="paragraph"><p>What: configure file identification</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
+<h3 id="_wizard">Wizard</h3>\r
+<div class="paragraph"><p>Using the wizard enables port-independent configuration and the detection of\r
+malware command and control channels. If the wizard is bound to a session, it\r
+peeks at the initial payload to determine the service. For example, <em>GET</em>\r
+would indicate HTTP and <em>HELO</em> would indicate SMTP. Upon finding a match, the\r
+service bindings are reevaluated so the session can be handed off to the\r
+appropriate inspector. The wizard is still under development; if you find you\r
+need to tweak the defaults please let us know.</p></div>\r
+<div class="paragraph"><p>Additional Details:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>file_id.type_depth</strong> = 1460: stop type ID at this point { 0: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>file_id.signature_depth</strong> = 10485760: stop signature at this point { 0: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>file_id.block_timeout</strong> = 86400: stop blocking after this many seconds { 0: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>file_id.lookup_timeout</strong> = 2: give up on lookup after this many seconds { 0: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>file_id.block_timeout_lookup</strong> = false: block if lookup times out\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>file_id.capture_memcap</strong> = 100: memcap for file capture in megabytes { 0: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>file_id.capture_max_size</strong> = 1048576: stop file capture beyond this point { 0: }\r
+If the wizard and one or more service inspectors are configured w/o\r
+ explicitly configuring the binder, default bindings will be generated which\r
+ should work for most common cases.\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>file_id.capture_min_size</strong> = 0: stop file capture if file size less than this { 0: }\r
+Also note that while Snort 2 bindings can only be configured in the\r
+ default policy, each Snort 3 policy can contain a binder leading to an\r
+ arbitrary hierarchy.\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>file_id.capture_block_size</strong> = 32768: file capture block size in bytes { 8: }\r
+The entire configuration can be reloaded and hot-swapped during run-time\r
+ via signal or command in both Snort 2 and Snort 3. Ultimately, Snort 3\r
+ will support commands to update the binder on the fly, thus enabling\r
+ incremental reloads of individual inspectors.\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>file_id.max_files_cached</strong> = 65536: maximal number of files cached in memory { 8: }\r
+Both Snort 2 and Snort 3 support server specific configurations via a hosts\r
+ table (XML in Snort 2 and Lua in Snort 3). The table allows you to\r
+ map network, protocol, and port to a service and policy. This table can\r
+ be reloaded and hot-swapped separately from the config file.\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>file_id.enable_type</strong> = false: enable type ID\r
+You can find the specifics on the binder, wizard, and hosts tables in the\r
+ manual or command line like this: snort --help-module binder, etc.\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+</div>\r
+</div>\r
+<div class="sect1">\r
+<h2 id="_basic_modules">Basic Modules</h2>\r
+<div class="sectionbody">\r
+<div class="paragraph"><p>Internal modules which are not plugins are termed "basic". These include\r
+configuration for core processing.</p></div>\r
+<div class="sect2">\r
+<h3 id="_active">active</h3>\r
+<div class="paragraph"><p>What: configure responses</p></div>\r
+<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>file_id.enable_signature</strong> = false: enable signature calculation\r
+int <strong>active.attempts</strong> = 0: number of TCP packets sent per response (with varying sequence numbers) { 0:20 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>file_id.enable_capture</strong> = false: enable file capture\r
+string <strong>active.device</strong>: use <em>ip</em> for network layer responses or <em>eth0</em> etc for link layer\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>file_id.show_data_depth</strong> = 100: print this many octets { 0: }\r
+string <strong>active.dst_mac</strong>: use format <em>01:23:45:67:89:ab</em>\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>file_id.file_rules[].rev</strong> = 0: rule revision { 0: }\r
+int <strong>active.max_responses</strong> = 0: maximum number of responses { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>file_id.file_rules[].msg</strong>: information about the file type\r
+int <strong>active.min_interval</strong> = 255: minimum number of seconds between responses { 1: }\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_alerts_2">alerts</h3>\r
+<div class="paragraph"><p>What: configure alerts</p></div>\r
+<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>file_id.file_rules[].type</strong>: file type name\r
+bool <strong>alerts.alert_with_interface_name</strong> = false: include interface in alert info (fast, full, or syslog only)\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>file_id.file_rules[].id</strong> = 0: file type id { 0: }\r
+bool <strong>alerts.default_rule_state</strong> = true: enable or disable ips rules\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>file_id.file_rules[].category</strong>: file type category\r
+int <strong>alerts.detection_filter_memcap</strong> = 1048576: set available bytes of memory for detection_filters { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>file_id.file_rules[].version</strong>: file type version\r
+int <strong>alerts.event_filter_memcap</strong> = 1048576: set available bytes of memory for event_filters { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>file_id.file_rules[].magic[].content</strong>: file magic content\r
+string <strong>alerts.order</strong> = pass drop alert log: change the order of rule action application\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>file_id.file_rules[].magic[].offset</strong> = 0: file magic offset { 0: }\r
+int <strong>alerts.rate_filter_memcap</strong> = 1048576: set available bytes of memory for rate_filters { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>file_id.file_policy[].when.file_type_id</strong> = 0: unique ID for file type in file magic rule { 0: }\r
+string <strong>alerts.reference_net</strong>: set the CIDR for homenet (for use with -l or -B, does NOT change $HOME_NET in IDS mode)\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>file_id.file_policy[].when.sha256</strong>: SHA 256\r
+bool <strong>alerts.stateful</strong> = false: don’t alert w/o established session (note: rule action still taken)\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>file_id.file_policy[].use.verdict</strong> = unknown: what to do with matching traffic { unknown | log | stop | block | reset }\r
+string <strong>alerts.tunnel_verdicts</strong>: let DAQ handle non-allow verdicts for GTP|Teredo|6in4|4in6 traffic\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_attribute_table">attribute_table</h3>\r
+<div class="paragraph"><p>What: configure hosts loading</p></div>\r
+<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>file_id.file_policy[].use.enable_file_type</strong> = false: true/false → enable/disable file type identification\r
+int <strong>attribute_table.max_hosts</strong> = 1024: maximum number of hosts in attribute table { 32:207551 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>file_id.file_policy[].use.enable_file_signature</strong> = false: true/false → enable/disable file signature\r
+int <strong>attribute_table.max_services_per_host</strong> = 8: maximum number of services per host entry in attribute table { 1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>file_id.file_policy[].use.enable_file_capture</strong> = false: true/false → enable/disable file capture\r
+int <strong>attribute_table.max_metadata_services</strong> = 8: maximum number of services in rule metadata { 1:256 }\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_classifications">classifications</h3>\r
+<div class="paragraph"><p>What: define rule categories with priority</p></div>\r
+<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>file_id.trace_type</strong> = false: enable runtime dump of type info\r
+string <strong>classifications[].name</strong>: name used with classtype rule option\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>file_id.trace_signature</strong> = false: enable runtime dump of signature info\r
+int <strong>classifications[].priority</strong> = 1: default priority for class { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>file_id.trace_stream</strong> = false: enable runtime dump of file data\r
+string <strong>classifications[].text</strong>: description of class\r
</p>\r
</li>\r
</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_daq">daq</h3>\r
+<div class="paragraph"><p>What: configure packet acquisition interface</p></div>\r
+<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>file_id.total_files</strong>: number of files processed\r
+string <strong>daq.module_dirs[].str</strong>: string parameter\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>file_id.total_file_data</strong>: number of file data bytes processed\r
+string <strong>daq.input_spec</strong>: input specification\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>file_id.cache_failures</strong>: number of file cache add failures\r
+string <strong>daq.module</strong>: DAQ module to use\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_high_availability">high_availability</h3>\r
-<div class="paragraph"><p>What: implement flow tracking high availability</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>high_availability.enable</strong> = false: enable high availability\r
+string <strong>daq.variables[].str</strong>: string parameter\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>high_availability.daq_channel</strong> = false: enable use of daq data plane channel\r
+int <strong>daq.instances[].id</strong>: instance ID (required) { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bit_list <strong>high_availability.ports</strong>: side channel message port list { 65535 }\r
+string <strong>daq.instances[].input_spec</strong>: input specification\r
</p>\r
</li>\r
<li>\r
<p>\r
-real <strong>high_availability.min_age</strong> = 1.0: minimum session life before HA updates { 0.0:100.0 }\r
+string <strong>daq.instances[].variables[].str</strong>: string parameter\r
</p>\r
</li>\r
<li>\r
<p>\r
-real <strong>high_availability.min_sync</strong> = 1.0: minimum interval between HA updates { 0.0:100.0 }\r
+int <strong>daq.snaplen</strong>: set snap length (same as -s) { 0:65535 }\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_host_cache">host_cache</h3>\r
-<div class="paragraph"><p>What: configure hosts</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>host_cache[].size</strong>: size of host cache\r
+bool <strong>daq.no_promisc</strong> = false: whether to put DAQ device into promiscuous mode\r
</p>\r
</li>\r
</ul></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>host_cache.lru cache adds</strong>: lru cache added new entry\r
+<strong>daq.pcaps</strong>: total files and interfaces processed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>host_cache.lru cache replaces</strong>: lru cache replaced existing entry\r
+<strong>daq.received</strong>: total packets received from DAQ\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>host_cache.lru cache prunes</strong>: lru cache pruned entry to make space for new entry\r
+<strong>daq.analyzed</strong>: total packets analyzed from DAQ\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>host_cache.lru cache find hits</strong>: lru cache found entry in cache\r
+<strong>daq.dropped</strong>: packets dropped\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>host_cache.lru cache find misses</strong>: lru cache did not find entry in cache\r
+<strong>daq.filtered</strong>: packets filtered out\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>host_cache.lru cache removes</strong>: lru cache found entry and removed it\r
+<strong>daq.outstanding</strong>: packets unprocessed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>host_cache.lru cache clears</strong>: lru cache clear API calls\r
+<strong>daq.injected</strong>: active responses or replacements\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_host_tracker">host_tracker</h3>\r
-<div class="paragraph"><p>What: configure hosts</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-addr <strong>host_tracker[].ip</strong> = 0.0.0.0/32: hosts address / cidr\r
+<strong>daq.allow</strong>: total allow verdicts\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>host_tracker[].frag_policy</strong>: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris }\r
+<strong>daq.block</strong>: total block verdicts\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>host_tracker[].tcp_policy</strong>: tcp reassembly policy { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }\r
+<strong>daq.replace</strong>: total replace verdicts\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>host_tracker[].services[].name</strong>: service identifier\r
+<strong>daq.whitelist</strong>: total whitelist verdicts\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>host_tracker[].services[].proto</strong> = tcp: ip protocol { tcp | udp }\r
+<strong>daq.blacklist</strong>: total blacklist verdicts\r
</p>\r
</li>\r
<li>\r
<p>\r
-port <strong>host_tracker[].services[].port</strong>: port number\r
+<strong>daq.ignore</strong>: total ignore verdicts\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>host_tracker.service adds</strong>: host service adds\r
+<strong>daq.internal blacklist</strong>: packets blacklisted internally due to lack of DAQ support\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>host_tracker.service finds</strong>: host service finds\r
+<strong>daq.internal whitelist</strong>: packets whitelisted internally due to lack of DAQ support\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>host_tracker.service removes</strong>: host service removes\r
+<strong>daq.skipped</strong>: packets skipped at startup\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>daq.idle</strong>: attempts to acquire from DAQ without available packets\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_hosts">hosts</h3>\r
-<div class="paragraph"><p>What: configure hosts</p></div>\r
+<h3 id="_decode">decode</h3>\r
+<div class="paragraph"><p>What: general decoder rules</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-addr <strong>hosts[].ip</strong> = 0.0.0.0/32: hosts address / cidr\r
+<strong>116:450</strong> (decode) bad IP protocol\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>hosts[].frag_policy</strong>: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris }\r
+<strong>116:293</strong> (decode) two or more IP (v4 and/or v6) encapsulation layers present\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>hosts[].tcp_policy</strong>: tcp reassembly policy { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }\r
+<strong>116:459</strong> (decode) fragment with zero length\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>hosts[].services[].name</strong>: service identifier\r
+<strong>116:150</strong> (decode) loopback IP\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>hosts[].services[].proto</strong> = tcp: ip protocol { tcp | udp }\r
+<strong>116:151</strong> (decode) same src/dst IP\r
</p>\r
</li>\r
<li>\r
<p>\r
-port <strong>hosts[].services[].port</strong>: port number\r
+<strong>116:449</strong> (decode) unassigned/reserved IP protocol\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>116:472</strong> (decode) too many protocols present\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_ips">ips</h3>\r
-<div class="paragraph"><p>What: configure IPS rule processing</p></div>\r
+<h3 id="_detection">detection</h3>\r
+<div class="paragraph"><p>What: configure general IPS rule processing parameters</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>ips.enable_builtin_rules</strong> = false: enable events from builtin rules w/o stubs\r
+int <strong>detection.asn1</strong> = 256: maximum decode nodes { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>ips.id</strong> = 0: correlate unified2 events with configuration { 0:65535 }\r
+bool <strong>detection.pcre_enable</strong> = true: disable pcre pattern matching\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>ips.include</strong>: legacy snort rules and includes\r
+int <strong>detection.pcre_match_limit</strong> = 1500: limit pcre backtracking, -1 = max, 0 = off { -1:1000000 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>ips.mode</strong>: set policy mode { tap | inline | inline-test }\r
+int <strong>detection.pcre_match_limit_recursion</strong> = 1500: limit pcre stack consumption, -1 = max, 0 = off { -1:10000 }\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>ips.rules</strong>: snort rules and includes\r
+<strong>detection.analyzed</strong>: packets sent to detection\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_latency">latency</h3>\r
-<div class="paragraph"><p>What: packet and rule latency monitoring and control</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>latency.packet.max_time</strong> = 500: set timeout for packet latency thresholding (usec) { 0: }\r
+<strong>detection.hard evals</strong>: non-fast pattern rule evaluations\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>latency.packet.fastpath</strong> = false: fastpath expensive packets (max_time exceeded)\r
+<strong>detection.raw searches</strong>: fast pattern searches in raw packet data\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>latency.packet.action</strong> = none: event action if packet times out and is fastpathed { none | alert | log | alert_and_log }\r
+<strong>detection.cooked searches</strong>: fast pattern searches in cooked packet data\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>latency.rule.max_time</strong> = 500: set timeout for rule evaluation (usec) { 0: }\r
+<strong>detection.pkt searches</strong>: fast pattern searches in packet data\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>latency.rule.suspend</strong> = false: temporarily suspend expensive rules\r
+<strong>detection.alt searches</strong>: alt fast pattern searches in packet data\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>latency.rule.suspend_threshold</strong> = 5: set threshold for number of timeouts before suspending a rule { 1: }\r
+<strong>detection.key searches</strong>: fast pattern searches in key buffer\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>latency.rule.max_suspend_time</strong> = 30000: set max time for suspending a rule (ms, 0 means permanently disable rule) { 0: }\r
+<strong>detection.header searches</strong>: fast pattern searches in header buffer\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>latency.rule.action</strong> = none: event action for rule latency enable and suspend events { none | alert | log | alert_and_log }\r
+<strong>detection.body searches</strong>: fast pattern searches in body buffer\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>134:1</strong> (latency) rule tree suspended due to latency\r
+<strong>detection.file searches</strong>: fast pattern searches in file buffer\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>134:2</strong> (latency) rule tree re-enabled after suspend timeout\r
+<strong>detection.alerts</strong>: alerts not including IP reputation\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>134:3</strong> (latency) packet fastpathed due to latency\r
+<strong>detection.total alerts</strong>: alerts including IP reputation\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>latency.total packets</strong>: total packets monitored\r
+<strong>detection.logged</strong>: logged packets\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>latency.total usecs</strong>: total usecs elapsed\r
+<strong>detection.passed</strong>: passed packets\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>latency.max usecs</strong>: maximum usecs elapsed\r
+<strong>detection.match limit</strong>: fast pattern matches not processed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>latency.packet timeouts</strong>: packets that timed out\r
+<strong>detection.queue limit</strong>: events not queued because queue full\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>latency.total rule evals</strong>: total rule evals monitored\r
+<strong>detection.log limit</strong>: events queued but not logged\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>latency.rule eval timeouts</strong>: rule evals that timed out\r
+<strong>detection.event limit</strong>: events filtered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>latency.rule tree enables</strong>: rule tree re-enables\r
+<strong>detection.alert limit</strong>: events previously triggered on same PDU\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_memory">memory</h3>\r
-<div class="paragraph"><p>What: memory management configuration</p></div>\r
+<h3 id="_event_filter">event_filter</h3>\r
+<div class="paragraph"><p>What: configure thresholding of events</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>memory.cap</strong> = 0: set the per-packet-thread cap on memory (bytes, 0 to disable) { 0: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>memory.soft</strong> = false: always succeed in allocating memory, even if above the cap\r
+int <strong>event_filter[].gid</strong> = 1: rule generator ID { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>memory.threshold</strong> = 0: set the per-packet-thread threshold for preemptive cleanup actions (percent, 0 to disable) { 0: }\r
+int <strong>event_filter[].sid</strong> = 1: rule signature ID { 0: }\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_network">network</h3>\r
-<div class="paragraph"><p>What: configure basic network parameters</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-multi <strong>network.checksum_drop</strong> = none: drop if checksum is bad { all | ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }\r
+enum <strong>event_filter[].type</strong>: 1st count events | every count events | once after count events { limit | threshold | both }\r
</p>\r
</li>\r
<li>\r
<p>\r
-multi <strong>network.checksum_eval</strong> = none: checksums to verify { all | ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }\r
+enum <strong>event_filter[].track</strong>: filter only matching source or destination addresses { by_src | by_dst }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>network.decode_drops</strong> = false: enable dropping of packets by the decoder\r
+int <strong>event_filter[].count</strong> = 0: number of events in interval before tripping; -1 to disable { -1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>network.id</strong> = 0: correlate unified2 events with configuration { 0:65535 }\r
+int <strong>event_filter[].seconds</strong> = 0: count interval { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>network.min_ttl</strong> = 1: alert / normalize packets with lower ttl / hop limit (you must enable rules and / or normalization also) { 1:255 }\r
+string <strong>event_filter[].ip</strong>: restrict filter to these addresses according to track\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_event_queue">event_queue</h3>\r
+<div class="paragraph"><p>What: configure event queue parameters</p></div>\r
+<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>network.new_ttl</strong> = 1: use this value for responses and when normalizing { 1:255 }\r
+int <strong>event_queue.max_queue</strong> = 8: maximum events to queue { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>network.layers</strong> = 40: The maximum number of protocols that Snort can correctly decode { 3:255 }\r
+int <strong>event_queue.log</strong> = 3: maximum events to log { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>network.max_ip6_extensions</strong> = 0: The number of IP6 options Snort will process for a given IPv6 layer. If this limit is hit, rule 116:456 may fire. 0 = unlimited { 0:255 }\r
+enum <strong>event_queue.order_events</strong> = content_length: criteria for ordering incoming events { priority|content_length }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>network.max_ip_layers</strong> = 0: The maximum number of IP layers Snort will process for a given packet If this limit is hit, rule 116:293 may fire. 0 = unlimited { 0:255 }\r
+bool <strong>event_queue.process_all_events</strong> = false: process just first action group or all action groups\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_output">output</h3>\r
-<div class="paragraph"><p>What: configure general output parameters</p></div>\r
+<h3 id="_file_id">file_id</h3>\r
+<div class="paragraph"><p>What: configure file identification</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>output.dump_chars_only</strong> = false: turns on character dumps (same as -C)\r
+int <strong>file_id.type_depth</strong> = 1460: stop type ID at this point { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>output.dump_payload</strong> = false: dumps application layer (same as -d)\r
+int <strong>file_id.signature_depth</strong> = 10485760: stop signature at this point { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>output.dump_payload_verbose</strong> = false: dumps raw packet starting at link layer (same as -X)\r
+int <strong>file_id.block_timeout</strong> = 86400: stop blocking after this many seconds { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>output.log_ipv6_extra_data</strong> = false: log IPv6 source and destination addresses as unified2 extra data records\r
+int <strong>file_id.lookup_timeout</strong> = 2: give up on lookup after this many seconds { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>output.event_trace.max_data</strong> = 0: maximum amount of packet data to capture { 0:65535 }\r
+bool <strong>file_id.block_timeout_lookup</strong> = false: block if lookup times out\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>output.quiet</strong> = false: suppress non-fatal information (still show alerts, same as -q)\r
+int <strong>file_id.capture_memcap</strong> = 100: memcap for file capture in megabytes { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>output.logdir</strong> = .: where to put log files (same as -l)\r
+int <strong>file_id.capture_max_size</strong> = 1048576: stop file capture beyond this point { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>output.obfuscate</strong> = false: obfuscate the logged IP addresses (same as -O)\r
+int <strong>file_id.capture_min_size</strong> = 0: stop file capture if file size less than this { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>output.obfuscate_pii</strong> = false: Mask all but the last 4 characters of credit card and social security numbers\r
+int <strong>file_id.capture_block_size</strong> = 32768: file capture block size in bytes { 8: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>output.show_year</strong> = false: include year in timestamp in the alert and log files (same as -y)\r
+int <strong>file_id.max_files_cached</strong> = 65536: maximal number of files cached in memory { 8: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>output.tagged_packet_limit</strong> = 256: maximum number of packets tagged for non-packet metrics { 0: }\r
+bool <strong>file_id.enable_type</strong> = false: enable type ID\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>output.verbose</strong> = false: be verbose (same as -v)\r
+bool <strong>file_id.enable_signature</strong> = false: enable signature calculation\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_packets">packets</h3>\r
-<div class="paragraph"><p>What: configure basic packet handling</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>packets.address_space_agnostic</strong> = false: determines whether DAQ address space info is used to track fragments and connections\r
+bool <strong>file_id.enable_capture</strong> = false: enable file capture\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>packets.bpf_file</strong>: file with BPF to select traffic for Snort\r
+int <strong>file_id.show_data_depth</strong> = 100: print this many octets { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>packets.limit</strong> = 0: maximum number of packets to process before stopping (0 is unlimited) { 0: }\r
+int <strong>file_id.file_rules[].rev</strong> = 0: rule revision { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>packets.skip</strong> = 0: number of packets to skip before before processing { 0: }\r
+string <strong>file_id.file_rules[].msg</strong>: information about the file type\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>packets.vlan_agnostic</strong> = false: determines whether VLAN info is used to track fragments and connections\r
+string <strong>file_id.file_rules[].type</strong>: file type name\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_process">process</h3>\r
-<div class="paragraph"><p>What: configure basic process setup</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>process.chroot</strong>: set chroot directory (same as -t)\r
+int <strong>file_id.file_rules[].id</strong> = 0: file type id { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>process.threads[].cpuset</strong>: pin the associated thread to this cpuset\r
+string <strong>file_id.file_rules[].category</strong>: file type category\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>process.threads[].thread</strong> = 0: set cpu affinity for the <cur_thread_num> thread that runs { 0: }\r
+string <strong>file_id.file_rules[].version</strong>: file type version\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>process.daemon</strong> = false: fork as a daemon (same as -D)\r
+string <strong>file_id.file_rules[].magic[].content</strong>: file magic content\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>process.dirty_pig</strong> = false: shutdown without internal cleanup\r
+int <strong>file_id.file_rules[].magic[].offset</strong> = 0: file magic offset { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>process.set_gid</strong>: set group ID (same as -g)\r
+int <strong>file_id.file_policy[].when.file_type_id</strong> = 0: unique ID for file type in file magic rule { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>process.set_uid</strong>: set user ID (same as -u)\r
+string <strong>file_id.file_policy[].when.sha256</strong>: SHA 256\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>process.umask</strong>: set process umask (same as -m)\r
+enum <strong>file_id.file_policy[].use.verdict</strong> = unknown: what to do with matching traffic { unknown | log | stop | block | reset }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>process.utc</strong> = false: use UTC instead of local time for timestamps\r
+bool <strong>file_id.file_policy[].use.enable_file_type</strong> = false: true/false → enable/disable file type identification\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_profiler">profiler</h3>\r
-<div class="paragraph"><p>What: configure profiling of rules and/or modules</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>profiler.modules.show</strong> = true: show module time profile stats\r
+bool <strong>file_id.file_policy[].use.enable_file_signature</strong> = false: true/false → enable/disable file signature\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>profiler.modules.count</strong> = 0: limit results to count items per level (0 = no limit) { 0: }\r
+bool <strong>file_id.file_policy[].use.enable_file_capture</strong> = false: true/false → enable/disable file capture\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>profiler.modules.sort</strong> = total_time: sort by given field { none | checks | avg_check | total_time }\r
+bool <strong>file_id.trace_type</strong> = false: enable runtime dump of type info\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>profiler.modules.max_depth</strong> = -1: limit depth to max_depth (-1 = no limit) { -1: }\r
+bool <strong>file_id.trace_signature</strong> = false: enable runtime dump of signature info\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>profiler.memory.show</strong> = true: show module memory profile stats\r
+bool <strong>file_id.trace_stream</strong> = false: enable runtime dump of file data\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>profiler.memory.count</strong> = 0: limit results to count items per level (0 = no limit) { 0: }\r
+<strong>file_id.total files</strong>: number of files processed\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>profiler.memory.sort</strong> = total_used: sort by given field { none | allocations | total_used | avg_allocation }\r
+<strong>file_id.total file data</strong>: number of file data bytes processed\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>profiler.memory.max_depth</strong> = -1: limit depth to max_depth (-1 = no limit) { -1: }\r
+<strong>file_id.cache failures</strong>: number of file cache add failures\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_high_availability">high_availability</h3>\r
+<div class="paragraph"><p>What: implement flow tracking high availability</p></div>\r
+<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+bool <strong>high_availability.enable</strong> = false: enable high availability\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>profiler.rules.show</strong> = true: show rule time profile stats\r
+bool <strong>high_availability.daq_channel</strong> = false: enable use of daq data plane channel\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>profiler.rules.count</strong> = 0: print results to given level (0 = all) { 0: }\r
+bit_list <strong>high_availability.ports</strong>: side channel message port list { 65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>profiler.rules.sort</strong> = total_time: sort by given field { none | checks | avg_check | total_time | matches | no_matches | avg_match | avg_no_match }\r
+real <strong>high_availability.min_age</strong> = 1.0: minimum session life before HA updates { 0.0:100.0 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+real <strong>high_availability.min_sync</strong> = 1.0: minimum interval between HA updates { 0.0:100.0 }\r
</p>\r
</li>\r
</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_rate_filter">rate_filter</h3>\r
-<div class="paragraph"><p>What: configure rate filters (which change rule actions)</p></div>\r
+<h3 id="_host_cache">host_cache</h3>\r
+<div class="paragraph"><p>What: configure hosts</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>rate_filter[].gid</strong> = 1: rule generator ID { 0: }\r
+int <strong>host_cache[].size</strong>: size of host cache\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>rate_filter[].sid</strong> = 1: rule signature ID { 0: }\r
+<strong>host_cache.lru cache adds</strong>: lru cache added new entry\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>rate_filter[].track</strong> = by_src: filter only matching source or destination addresses { by_src | by_dst | by_rule }\r
+<strong>host_cache.lru cache replaces</strong>: lru cache replaced existing entry\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>rate_filter[].count</strong> = 1: number of events in interval before tripping { 0: }\r
+<strong>host_cache.lru cache prunes</strong>: lru cache pruned entry to make space for new entry\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>rate_filter[].seconds</strong> = 1: count interval { 0: }\r
+<strong>host_cache.lru cache find hits</strong>: lru cache found entry in cache\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>rate_filter[].new_action</strong> = alert: take this action on future hits until timeout { log | pass | alert | drop | block | reset }\r
+<strong>host_cache.lru cache find misses</strong>: lru cache did not find entry in cache\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>rate_filter[].timeout</strong> = 1: count interval { 0: }\r
+<strong>host_cache.lru cache removes</strong>: lru cache found entry and removed it\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>rate_filter[].apply_to</strong>: restrict filter to these addresses according to track\r
+<strong>host_cache.lru cache clears</strong>: lru cache clear API calls\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_references">references</h3>\r
-<div class="paragraph"><p>What: define reference systems used in rules</p></div>\r
+<h3 id="_host_tracker">host_tracker</h3>\r
+<div class="paragraph"><p>What: configure hosts</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>references[].name</strong>: name used with reference rule option\r
+addr <strong>host_tracker[].ip</strong> = 0.0.0.0/32: hosts address / cidr\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>references[].url</strong>: where this reference is defined\r
+enum <strong>host_tracker[].frag_policy</strong>: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris }\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_rule_state">rule_state</h3>\r
-<div class="paragraph"><p>What: enable/disable specific IPS rules</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>rule_state.gid</strong> = 0: rule generator ID { 0: }\r
+enum <strong>host_tracker[].tcp_policy</strong>: tcp reassembly policy { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>rule_state.sid</strong> = 0: rule signature ID { 0: }\r
+string <strong>host_tracker[].services[].name</strong>: service identifier\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>rule_state.enable</strong> = true: enable or disable rule in all policies\r
+enum <strong>host_tracker[].services[].proto</strong> = tcp: ip protocol { tcp | udp }\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_search_engine">search_engine</h3>\r
-<div class="paragraph"><p>What: configure fast pattern matcher</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>search_engine.bleedover_port_limit</strong> = 1024: maximum ports in rule before demotion to any-any port group { 1: }\r
+port <strong>host_tracker[].services[].port</strong>: port number\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>search_engine.bleedover_warnings_enabled</strong> = false: print warning if a rule is demoted to any-any port group\r
+<strong>host_tracker.service adds</strong>: host service adds\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>search_engine.enable_single_rule_group</strong> = false: put all rules into one group\r
+<strong>host_tracker.service finds</strong>: host service finds\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>search_engine.debug</strong> = false: print verbose fast pattern info\r
+<strong>host_tracker.service removes</strong>: host service removes\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_hosts">hosts</h3>\r
+<div class="paragraph"><p>What: configure hosts</p></div>\r
+<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>search_engine.debug_print_nocontent_rule_tests</strong> = false: print rule group info during packet evaluation\r
+addr <strong>hosts[].ip</strong> = 0.0.0.0/32: hosts address / cidr\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>search_engine.debug_print_rule_group_build_details</strong> = false: print rule group info during compilation\r
+enum <strong>hosts[].frag_policy</strong>: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>search_engine.debug_print_rule_groups_uncompiled</strong> = false: prints uncompiled rule group information\r
+enum <strong>hosts[].tcp_policy</strong>: tcp reassembly policy { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>search_engine.debug_print_rule_groups_compiled</strong> = false: prints compiled rule group information\r
+string <strong>hosts[].services[].name</strong>: service identifier\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>search_engine.max_pattern_len</strong> = 0: truncate patterns when compiling into state machine (0 means no maximum) { 0: }\r
+enum <strong>hosts[].services[].proto</strong> = tcp: ip protocol { tcp | udp }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>search_engine.max_queue_events</strong> = 5: maximum number of matching fast pattern states to queue per packet\r
+port <strong>hosts[].services[].port</strong>: port number\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
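Review bot: the `hosts` table added here is a near-verbatim copy of `host_tracker` a few lines above: both say `What: configure hosts` and list the same six parameters (`ip = 0.0.0.0/32`, `frag_policy`, `tcp_policy`, `services[].name`, `services[].proto`, `services[].port`), the only difference being that `host_tracker` also has peg counts. A reader cannot tell which table belongs in the Lua config or whether one is a stale copy of the other; give each a `What:` line that says how they relate (for example, which one is the operator-supplied host list and which one reports runtime state) or drop the duplicate. While here, `frag_policy` and `tcp_policy` deserve one sentence saying that the chosen policy must match the real OS of that host: if it does not, Snort resolves overlapping fragments or TCP segments differently from the endpoint, which is the insertion/evasion gap that per-host reassembly policies exist to close.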
+<div class="sect2">\r
+<h3 id="_ips">ips</h3>\r
+<div class="paragraph"><p>What: configure IPS rule processing</p></div>\r
+<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>search_engine.inspect_stream_inserts</strong> = false: inspect reassembled payload - disabling is good for performance, bad for detection\r
+bool <strong>ips.enable_builtin_rules</strong> = false: enable events from builtin rules w/o stubs\r
</p>\r
</li>\r
<li>\r
<p>\r
-dynamic <strong>search_engine.search_method</strong> = ac_bnfa: set fast pattern algorithm - choose available search engine { ac_banded | ac_bnfa | ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan }\r
+int <strong>ips.id</strong> = 0: correlate unified2 events with configuration { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>search_engine.search_optimize</strong> = true: tweak state machine construction for better performance\r
+string <strong>ips.include</strong>: legacy snort rules and includes\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>search_engine.show_fast_patterns</strong> = false: print fast pattern info for each rule\r
+enum <strong>ips.mode</strong>: set policy mode { tap | inline | inline-test }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>search_engine.split_any_any</strong> = false: evaluate any-any rules separately to save memory\r
+string <strong>ips.rules</strong>: snort rules and includes\r
</p>\r
</li>\r
</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
+</div>\r
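Review bot: `ips.enable_builtin_rules = false: enable events from builtin rules w/o stubs` needs to be tied to the rest of this change. Other modules refer to builtin events by number (`network.max_ip6_extensions` raises `116:456`, `network.max_ip_layers` raises `116:293`, `latency` lists `134:1` through `134:3`), and with the default `false` none of them fire unless a stub rule for that gid:sid is loaded; say so, or an operator who sets `max_ip_layers` and waits for an alert gets nothing. `ips.include` (`legacy snort rules and includes`) and `ips.rules` (`snort rules and includes`) also read as the same option; state what distinguishes them (for instance, a rules file path versus inline rule text, if that is the intent) so readers know where a migrated ruleset goes.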
+<div class="sect2">\r
+<h3 id="_latency">latency</h3>\r
+<div class="paragraph"><p>What: packet and rule latency monitoring and control</p></div>\r
+<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>search_engine.max queued</strong>: maximum fast pattern matches queued for further evaluation\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>search_engine.total flushed</strong>: fast pattern matches discarded due to overflow\r
+int <strong>latency.packet.max_time</strong> = 500: set timeout for packet latency thresholding (usec) { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>search_engine.total inserts</strong>: total fast pattern hits\r
+bool <strong>latency.packet.fastpath</strong> = false: fastpath expensive packets (max_time exceeded)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>search_engine.total unique</strong>: total unique fast pattern hits\r
+enum <strong>latency.packet.action</strong> = none: event action if packet times out and is fastpathed { none | alert | log | alert_and_log }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>search_engine.non-qualified events</strong>: total non-qualified events\r
+int <strong>latency.rule.max_time</strong> = 500: set timeout for rule evaluation (usec) { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>search_engine.qualified events</strong>: total qualified events\r
+bool <strong>latency.rule.suspend</strong> = false: temporarily suspend expensive rules\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_side_channel">side_channel</h3>\r
-<div class="paragraph"><p>What: implement the side-channel asynchronous messaging subsystem</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-bit_list <strong>side_channel.ports</strong>: side channel message port list { 65535 }\r
+int <strong>latency.rule.suspend_threshold</strong> = 5: set threshold for number of timeouts before suspending a rule { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>side_channel.connectors[].connector</strong>: connector handle\r
+int <strong>latency.rule.max_suspend_time</strong> = 30000: set max time for suspending a rule (ms, 0 means permanently disable rule) { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>side_channel.connector</strong>: connector handle\r
+enum <strong>latency.rule.action</strong> = none: event action for rule latency enable and suspend events { none | alert | log | alert_and_log }\r
</p>\r
</li>\r
</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_snort">snort</h3>\r
-<div class="paragraph"><p>What: command line configuration and shell commands</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>snort.-?</strong>: <option prefix> output matching command line option quick help (same as --help-options) { (optional) }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.-A</strong>: <mode> set alert mode: none, cmg, or alert_*\r
+<strong>134:1</strong> (latency) rule tree suspended due to latency\r
</p>\r
</li>\r
<li>\r
<p>\r
-addr <strong>snort.-B</strong> = 255.255.255.255/32: <mask> obfuscated IP addresses in alerts and packet dumps using CIDR mask\r
+<strong>134:2</strong> (latency) rule tree re-enabled after suspend timeout\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.-C</strong>: print out payloads with character data only (no hex)\r
+<strong>134:3</strong> (latency) packet fastpathed due to latency\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>snort.-c</strong>: <conf> use this configuration\r
+<strong>latency.total packets</strong>: total packets monitored\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.-D</strong>: run Snort in background (daemon) mode\r
+<strong>latency.total usecs</strong>: total usecs elapsed\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.-d</strong>: dump the Application Layer\r
+<strong>latency.max usecs</strong>: maximum usecs elapsed\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.-e</strong>: display the second layer header info\r
+<strong>latency.packet timeouts</strong>: packets that timed out\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.-f</strong>: turn off fflush() calls after binary log writes\r
+<strong>latency.total rule evals</strong>: total rule evals monitored\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>snort.-G</strong>: <0xid> (same as --logid) { 0:65535 }\r
+<strong>latency.rule eval timeouts</strong>: rule evals that timed out\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.-g</strong>: <gname> run snort gid as <gname> group (or gid) after initialization\r
+<strong>latency.rule tree enables</strong>: rule tree re-enables\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
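Review bot: the `latency` descriptions do not say what is given up when a threshold trips. `packet.fastpath = false: fastpath expensive packets (max_time exceeded)` should state that a fastpathed packet skips the rest of inspection, and `rule.suspend = false: temporarily suspend expensive rules` should state that a suspended rule tree raises no events until `max_suspend_time` elapses, with `0` meaning the rule stays off for the life of the process. Both are detection gaps that traffic crafted to be expensive to inspect can open, so the text should recommend setting `packet.action` and `rule.action` to `alert` (both default to `none`) so that `134:1`, `134:2` and `134:3` are actually raised and the gap shows up in the event stream rather than only in the `packet timeouts` and `rule eval timeouts` pegs. Units are also mixed in one table: `packet.max_time` and `rule.max_time` are in usec while `max_suspend_time` is in ms; if that is intentional, say so once at the top, since a reader who sets `max_suspend_time = 500` by analogy gets half a second, not 500 usec.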
+<div class="sect2">\r
+<h3 id="_memory">memory</h3>\r
+<div class="paragraph"><p>What: memory management configuration</p></div>\r
+<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>snort.-H</strong>: make hash tables deterministic\r
+int <strong>memory.cap</strong> = 0: set the per-packet-thread cap on memory (bytes, 0 to disable) { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.-i</strong>: <iface>… list of interfaces\r
+bool <strong>memory.soft</strong> = false: always succeed in allocating memory, even if above the cap\r
</p>\r
</li>\r
<li>\r
<p>\r
-port <strong>snort.-j</strong>: <port> to listen for telnet connections\r
+int <strong>memory.threshold</strong> = 0: set the per-packet-thread threshold for preemptive cleanup actions (percent, 0 to disable) { 0: }\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_network">network</h3>\r
+<div class="paragraph"><p>What: configure basic network parameters</p></div>\r
+<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-enum <strong>snort.-k</strong> = all: <mode> checksum mode; default is all { all|noip|notcp|noudp|noicmp|none }\r
+multi <strong>network.checksum_drop</strong> = none: drop if checksum is bad { all | ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.-L</strong>: <mode> logging mode (none, dump, pcap, or log_*)\r
+multi <strong>network.checksum_eval</strong> = none: checksums to verify { all | ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.-l</strong>: <logdir> log to this directory instead of current directory\r
+bool <strong>network.decode_drops</strong> = false: enable dropping of packets by the decoder\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.-M</strong>: log messages to syslog (not alerts)\r
+int <strong>network.id</strong> = 0: correlate unified2 events with configuration { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>snort.-m</strong>: <umask> set umask = <umask> { 0: }\r
+int <strong>network.min_ttl</strong> = 1: alert / normalize packets with lower ttl / hop limit (you must enable rules and / or normalization also) { 1:255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>snort.-n</strong>: <count> stop after count packets { 0: }\r
+int <strong>network.new_ttl</strong> = 1: use this value for responses and when normalizing { 1:255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.-O</strong>: obfuscate the logged IP addresses\r
+int <strong>network.layers</strong> = 40: the maximum number of protocols that Snort can correctly decode { 3:255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.-Q</strong>: enable inline mode operation\r
+int <strong>network.max_ip6_extensions</strong> = 0: the maximum number of IP6 options Snort will process for a given IPv6 layer before raising 116:456 (0 = unlimited) { 0:255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.-q</strong>: quiet mode - Don’t show banner and status report\r
+int <strong>network.max_ip_layers</strong> = 0: the maximum number of IP layers Snort will process for a given packet before raising 116:293 (0 = unlimited) { 0:255 }\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
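Review bot: `network.checksum_eval = none: checksums to verify` is a different default from the option it replaces: the removed `snort.-k = all: <mode> checksum mode; default is all` verified all checksums, and nothing in the new table records the change. Confirm `none` is intended and, if so, add a migration note, because with no checksum verification Snort reassembles and inspects a TCP segment whose checksum the receiving host will reject, and an attacker can use such segments to desynchronize the sensor's view of a stream from the endpoint's. It is also worth stating whether `checksum_drop` has any effect outside an inline policy. Minor: `min_ttl = 1` says `(you must enable rules and / or normalization also)` without naming the rules, and `new_ttl = 1` does not say which normalization uses it; one sentence each would do.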
+<div class="sect2">\r
+<h3 id="_output_2">output</h3>\r
+<div class="paragraph"><p>What: configure general output parameters</p></div>\r
+<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>snort.-R</strong>: <rules> include this rules file in the default policy\r
+bool <strong>output.dump_chars_only</strong> = false: turns on character dumps (same as -C)\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.-r</strong>: <pcap>… (same as --pcap-list)\r
+bool <strong>output.dump_payload</strong> = false: dumps application layer (same as -d)\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.-S</strong>: <x=v> set config variable x equal to value v\r
+bool <strong>output.dump_payload_verbose</strong> = false: dumps raw packet starting at link layer (same as -X)\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>snort.-s</strong> = 1514: <snap> (same as --snaplen); default is 1514 { 68:65535 }\r
+bool <strong>output.log_ipv6_extra_data</strong> = false: log IPv6 source and destination addresses as unified2 extra data records\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.-T</strong>: test and report on the current Snort configuration\r
+int <strong>output.event_trace.max_data</strong> = 0: maximum amount of packet data to capture { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.-t</strong>: <dir> chroots process to <dir> after initialization\r
+bool <strong>output.quiet</strong> = false: suppress non-fatal information (still show alerts, same as -q)\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.-U</strong>: use UTC for timestamps\r
+string <strong>output.logdir</strong> = .: where to put log files (same as -l)\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.-u</strong>: <uname> run snort as <uname> or <uid> after initialization\r
+bool <strong>output.obfuscate</strong> = false: obfuscate the logged IP addresses (same as -O)\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.-V</strong>: (same as --version)\r
+bool <strong>output.obfuscate_pii</strong> = false: mask all but the last 4 characters of credit card and social security numbers\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.-v</strong>: be verbose\r
+bool <strong>output.show_year</strong> = false: include year in timestamp in the alert and log files (same as -y)\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.-W</strong>: lists available interfaces\r
+int <strong>output.tagged_packet_limit</strong> = 256: maximum number of packets tagged for non-packet metrics { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.-X</strong>: dump the raw packet data starting at the link layer\r
+bool <strong>output.verbose</strong> = false: be verbose (same as -v)\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
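Review bot: `output.obfuscate = false: obfuscate the logged IP addresses (same as -O)` has lost its mask: the removed `snort.-B = 255.255.255.255/32: <mask> obfuscated IP addresses in alerts and packet dumps using CIDR mask` has no counterpart in this table, so the doc no longer says what an obfuscated address becomes or how to set the mask; either add the parameter that replaces `-B` or say that `-B` has no config equivalent. `output.obfuscate_pii = false: mask all but the last 4 characters of credit card and social security numbers` should state which outputs it covers (alert text, packet dumps, unified2 payloads), because an operator enabling it for compliance will assume every log is masked. Minor: `tagged_packet_limit = 256: maximum number of packets tagged for non-packet metrics` is hard to parse; it caps the packets logged by a rule's `tag` option when the tag is expressed in seconds or bytes rather than packets, and the wording should say that.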
+<div class="sect2">\r
+<h3 id="_packets">packets</h3>\r
+<div class="paragraph"><p>What: configure basic packet handling</p></div>\r
+<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>snort.-x</strong>: same as --pedantic\r
+bool <strong>packets.address_space_agnostic</strong> = false: determines whether DAQ address space info is used to track fragments and connections\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.-y</strong>: include year in timestamp in the alert and log files\r
+string <strong>packets.bpf_file</strong>: file with BPF to select traffic for Snort\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>snort.-z</strong> = 1: <count> maximum number of packet threads (same as --max-packet-threads); 0 gets the number of CPU cores reported by the system; default is 1 { 0: }\r
+int <strong>packets.limit</strong> = 0: maximum number of packets to process before stopping (0 is unlimited) { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--alert-before-pass</strong>: process alert, drop, sdrop, or reject before pass; default is pass before alert, drop,…\r
+int <strong>packets.skip</strong> = 0: number of packets to skip before before processing { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--bpf</strong>: <filter options> are standard BPF options, as seen in TCPDump\r
+bool <strong>packets.vlan_agnostic</strong> = false: determines whether VLAN info is used to track fragments and connections\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
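Review bot: `packets.skip = 0: number of packets to skip before before processing` doubles `before`. `address_space_agnostic` and `vlan_agnostic` both say `determines whether ... info is used to track fragments and connections` without saying which value does what; for an `_agnostic` flag `true` means the info is ignored, and with the default `false` two flows that differ only by VLAN tag or address space are tracked as separate connections, which matters when one sensor sees both directions of a conversation on differently tagged segments. `bpf_file` should note that the filter is applied before decoding, so traffic it excludes never reaches any inspector or rule; a BPF written to save CPU is also a blind spot. The removed `snort.--bpf: <filter options>` inline form should be mentioned as either replaced by this file or still available on the command line.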
+<div class="sect2">\r
+<h3 id="_process">process</h3>\r
+<div class="paragraph"><p>What: configure basic process setup</p></div>\r
+<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>snort.--c2x</strong>: output hex for given char (see also --x2c)\r
+string <strong>process.chroot</strong>: set chroot directory (same as -t)\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--create-pidfile</strong>: create PID file, even when not in Daemon mode\r
+string <strong>process.threads[].cpuset</strong>: pin the associated thread to this cpuset\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--daq</strong>: <type> select packet acquisition module (default is pcap)\r
+int <strong>process.threads[].thread</strong> = 0: set cpu affinity for the <cur_thread_num> thread that runs { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--daq-dir</strong>: <dir> tell snort where to find desired DAQ\r
+bool <strong>process.daemon</strong> = false: fork as a daemon (same as -D)\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--daq-list</strong>: list packet acquisition modules available in optional dir, default is static modules only\r
+bool <strong>process.dirty_pig</strong> = false: shutdown without internal cleanup\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--daq-var</strong>: <name=value> specify extra DAQ configuration variable\r
+string <strong>process.set_gid</strong>: set group ID (same as -g)\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--dirty-pig</strong>: don’t flush packets on shutdown\r
+string <strong>process.set_uid</strong>: set user ID (same as -u)\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--dump-builtin-rules</strong>: [<module prefix>] output stub rules for selected modules\r
+string <strong>process.umask</strong>: set process umask (same as -m)\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--dump-dynamic-rules</strong>: output stub rules for all loaded rules libraries\r
+bool <strong>process.utc</strong> = false: use UTC instead of local time for timestamps\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
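Review bot: the `process.set_uid`, `process.set_gid` and `process.chroot` descriptions dropped the `after initialization` qualifier that the removed `-u`, `-g` and `-t` lines carried (`run snort as <uname> or <uid> after initialization`, `chroots process to <dir> after initialization`). That ordering is what makes the options usable for least privilege: the DAQ and interfaces are opened with the starting privileges and the drop happens afterwards, so the operator must make `output.logdir` writable by the target uid and reachable inside the chroot; restore the qualifier. `process.threads[].thread = 0: set cpu affinity for the <cur_thread_num> thread that runs` is garbled; something like `index of the packet thread this cpuset entry applies to` (my suggestion, not wording from the source) reads correctly next to `threads[].cpuset`.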
+<div class="sect2">\r
+<h3 id="_profiler">profiler</h3>\r
+<div class="paragraph"><p>What: configure profiling of rules and/or modules</p></div>\r
+<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>snort.--dump-defaults</strong>: [<module prefix>] output module defaults in Lua format { (optional) }\r
+bool <strong>profiler.modules.show</strong> = true: show module time profile stats\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--dump-version</strong>: output the version, the whole version, and only the version\r
+int <strong>profiler.modules.count</strong> = 0: limit results to count items per level (0 = no limit) { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--enable-inline-test</strong>: enable Inline-Test Mode Operation\r
+enum <strong>profiler.modules.sort</strong> = total_time: sort by given field { none | checks | avg_check | total_time }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--help</strong>: list command line options\r
+int <strong>profiler.modules.max_depth</strong> = -1: limit depth to max_depth (-1 = no limit) { -1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--help-commands</strong>: [<module prefix>] output matching commands { (optional) }\r
+bool <strong>profiler.memory.show</strong> = true: show module memory profile stats\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--help-config</strong>: [<module prefix>] output matching config options { (optional) }\r
+int <strong>profiler.memory.count</strong> = 0: limit results to count items per level (0 = no limit) { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--help-counts</strong>: [<module prefix>] output matching peg counts { (optional) }\r
+enum <strong>profiler.memory.sort</strong> = total_used: sort by given field { none | allocations | total_used | avg_allocation }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--help-module</strong>: <module> output description of given module\r
+int <strong>profiler.memory.max_depth</strong> = -1: limit depth to max_depth (-1 = no limit) { -1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--help-modules</strong>: list all available modules with brief help\r
+bool <strong>profiler.rules.show</strong> = true: show rule time profile stats\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--help-options</strong>: <option prefix> output matching command line option quick help (same as -?) { (optional) }\r
+int <strong>profiler.rules.count</strong> = 0: print results to given level (0 = all) { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--help-plugins</strong>: list all available plugins with brief help\r
+enum <strong>profiler.rules.sort</strong> = total_time: sort by given field { none | checks | avg_check | total_time | matches | no_matches | avg_match | avg_no_match }\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_rate_filter">rate_filter</h3>\r
+<div class="paragraph"><p>What: configure rate filters (which change rule actions)</p></div>\r
+<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>snort.--help-signals</strong>: dump available control signals\r
+int <strong>rate_filter[].gid</strong> = 1: rule generator ID { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--id-subdir</strong>: create/use instance subdirectories in logdir instead of instance filename prefix\r
+int <strong>rate_filter[].sid</strong> = 1: rule signature ID { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--id-zero</strong>: use id prefix / subdirectory even with one packet thread\r
+enum <strong>rate_filter[].track</strong> = by_src: filter only matching source or destination addresses { by_src | by_dst | by_rule }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--list-buffers</strong>: output available inspection buffers\r
+int <strong>rate_filter[].count</strong> = 1: number of events in interval before tripping { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--list-builtin</strong>: <module prefix> output matching builtin rules { (optional) }\r
+int <strong>rate_filter[].seconds</strong> = 1: count interval { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--list-gids</strong>: [<module prefix>] output matching generators { (optional) }\r
+enum <strong>rate_filter[].new_action</strong> = alert: take this action on future hits until timeout { log | pass | alert | drop | block | reset }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--list-modules</strong>: [<module type>] list all known modules of given type { (optional) }\r
+int <strong>rate_filter[].timeout</strong> = 1: count interval { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--list-plugins</strong>: list all known plugins\r
+string <strong>rate_filter[].apply_to</strong>: restrict filter to these addresses according to track\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
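Review bot: `rate_filter[].timeout = 1: count interval` copies the description of `rate_filter[].seconds = 1: count interval` and contradicts `new_action = alert: take this action on future hits until timeout`; `timeout` is how long the new action stays in force after the filter trips, so describe it that way and say what `0` in the `{ 0: }` range means (never revert, if that is the behaviour). `track = by_src: filter only matching source or destination addresses { by_src | by_dst | by_rule }` does not cover `by_rule`; note that `by_rule` aggregates hits at the rule level regardless of address. Since the `new_action` list includes `pass` and `log`, also state that a rate filter can lower a rule's action as well as raise it: a filter that turns a `drop` rule into `pass` after `count` hits in `seconds` means a flood is exactly the condition under which that rule stops blocking, which is rarely what the operator intends.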
+<div class="sect2">\r
+<h3 id="_references">references</h3>\r
+<div class="paragraph"><p>What: define reference systems used in rules</p></div>\r
+<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>snort.--lua</strong>: <chunk> extend/override conf with chunk; may be repeated\r
+string <strong>references[].name</strong>: name used with reference rule option\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>snort.--logid</strong>: <0xid> log Identifier to uniquely id events for multiple snorts (same as -G) { 0:65535 }\r
+string <strong>references[].url</strong>: where this reference is defined\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_rule_state">rule_state</h3>\r
+<div class="paragraph"><p>What: enable/disable specific IPS rules</p></div>\r
+<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>snort.--markup</strong>: output help in asciidoc compatible format\r
+int <strong>rule_state.gid</strong> = 0: rule generator ID { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>snort.--max-packet-threads</strong> = 1: <count> configure maximum number of packet threads (same as -z) { 0: }\r
+int <strong>rule_state.sid</strong> = 0: rule signature ID { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--nostamps</strong>: don’t include timestamps in log file names\r
+bool <strong>rule_state.enable</strong> = true: enable or disable rule in all policies\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_search_engine">search_engine</h3>\r
+<div class="paragraph"><p>What: configure fast pattern matcher</p></div>\r
+<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>snort.--nolock-pidfile</strong>: do not try to lock Snort PID file\r
+int <strong>search_engine.bleedover_port_limit</strong> = 1024: maximum ports in rule before demotion to any-any port group { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--pause</strong>: wait for resume/quit command before processing packets/terminating\r
+bool <strong>search_engine.bleedover_warnings_enabled</strong> = false: print warning if a rule is demoted to any-any port group\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--pcap-file</strong>: <file> file that contains a list of pcaps to read - read mode is implied\r
+bool <strong>search_engine.enable_single_rule_group</strong> = false: put all rules into one group\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--pcap-list</strong>: <list> a space separated list of pcaps to read - read mode is implied\r
+bool <strong>search_engine.debug</strong> = false: print verbose fast pattern info\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--pcap-dir</strong>: <dir> a directory to recurse to look for pcaps - read mode is implied\r
+bool <strong>search_engine.debug_print_nocontent_rule_tests</strong> = false: print rule group info during packet evaluation\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--pcap-filter</strong>: <filter> filter to apply when getting pcaps from file or directory\r
+bool <strong>search_engine.debug_print_rule_group_build_details</strong> = false: print rule group info during compilation\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>snort.--pcap-loop</strong>: <count> read all pcaps <count> times; 0 will read until Snort is terminated { -1: }\r
+bool <strong>search_engine.debug_print_rule_groups_uncompiled</strong> = false: prints uncompiled rule group information\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--pcap-no-filter</strong>: reset to use no filter when getting pcaps from file or directory\r
+bool <strong>search_engine.debug_print_rule_groups_compiled</strong> = false: prints compiled rule group information\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--pcap-reload</strong>: if reading multiple pcaps, reload snort config between pcaps\r
+int <strong>search_engine.max_pattern_len</strong> = 0: truncate patterns when compiling into state machine (0 means no maximum) { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--pcap-show</strong>: print a line saying what pcap is currently being read\r
+int <strong>search_engine.max_queue_events</strong> = 5: maximum number of matching fast pattern states to queue per packet\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--pedantic</strong>: warnings are fatal\r
+bool <strong>search_engine.inspect_stream_inserts</strong> = false: inspect reassembled payload - disabling is good for performance, bad for detection\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--plugin-path</strong>: <path> where to find plugins\r
+dynamic <strong>search_engine.search_method</strong> = ac_bnfa: set fast pattern algorithm - choose available search engine { ac_banded | ac_bnfa | ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--process-all-events</strong>: process all action groups\r
+bool <strong>search_engine.search_optimize</strong> = true: tweak state machine construction for better performance\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--rule</strong>: <rules> to be added to configuration; may be repeated\r
+bool <strong>search_engine.show_fast_patterns</strong> = false: print fast pattern info for each rule\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--rule-to-hex</strong>: output so rule header to stdout for text rule on stdin\r
+bool <strong>search_engine.split_any_any</strong> = false: evaluate any-any rules separately to save memory\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>snort.--rule-to-text</strong>: output plain so rule header to stdout for text rule on stdin\r
+<strong>search_engine.max queued</strong>: maximum fast pattern matches queued for further evaluation\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--run-prefix</strong>: <pfx> prepend this to each output file\r
+<strong>search_engine.total flushed</strong>: fast pattern matches discarded due to overflow\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--script-path</strong>: <path> to a luajit script or directory containing luajit scripts\r
+<strong>search_engine.total inserts</strong>: total fast pattern hits\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--shell</strong>: enable the interactive command line\r
+<strong>search_engine.total unique</strong>: total unique fast pattern hits\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--piglet</strong>: enable piglet test harness mode\r
+<strong>search_engine.non-qualified events</strong>: total non-qualified events\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--show-plugins</strong>: list module and plugin versions\r
+<strong>search_engine.qualified events</strong>: total qualified events\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_side_channel">side_channel</h3>\r
+<div class="paragraph"><p>What: implement the side-channel asynchronous messaging subsystem</p></div>\r
+<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>snort.--skip</strong>: <n> skip 1st n packets { 0: }\r
+bit_list <strong>side_channel.ports</strong>: side channel message port list { 65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>snort.--snaplen</strong> = 1514: <snap> set snaplen of packet (same as -s) { 68:65535 }\r
+string <strong>side_channel.connectors[].connector</strong>: connector handle\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--stdin-rules</strong>: read rules from stdin until EOF or a line starting with END is read\r
+string <strong>side_channel.connector</strong>: connector handle\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_snort">snort</h3>\r
+<div class="paragraph"><p>What: command line configuration and shell commands</p></div>\r
+<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>snort.--treat-drop-as-alert</strong>: converts drop, sdrop, and reject rules into alert rules during startup\r
+string <strong>snort.-?</strong>: <option prefix> output matching command line option quick help (same as --help-options) { (optional) }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--treat-drop-as-ignore</strong>: use drop, sdrop, and reject rules to ignore session traffic when not inline\r
+string <strong>snort.-A</strong>: <mode> set alert mode: none, cmg, or alert_*\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--catch-test</strong>: comma separated list of cat unit test tags or <em>all</em>\r
+addr <strong>snort.-B</strong> = 255.255.255.255/32: <mask> obfuscated IP addresses in alerts and packet dumps using CIDR mask\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--version</strong>: show version number (same as -V)\r
+implied <strong>snort.-C</strong>: print out payloads with character data only (no hex)\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--warn-all</strong>: enable all warnings\r
+string <strong>snort.-c</strong>: <conf> use this configuration\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--warn-conf</strong>: warn about configuration issues\r
+implied <strong>snort.-D</strong>: run Snort in background (daemon) mode\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--warn-daq</strong>: warn about DAQ issues, usually related to mode\r
+implied <strong>snort.-d</strong>: dump the Application Layer\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--warn-flowbits</strong>: warn about flowbits that are checked but not set and vice-versa\r
+implied <strong>snort.-e</strong>: display the second layer header info\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--warn-hosts</strong>: warn about host table issues\r
+implied <strong>snort.-f</strong>: turn off fflush() calls after binary log writes\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--warn-plugins</strong>: warn about issues that prevent plugins from loading\r
+int <strong>snort.-G</strong>: <0xid> (same as --logid) { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--warn-rules</strong>: warn about duplicate rules and rule parsing issues\r
+string <strong>snort.-g</strong>: <gname> run snort gid as <gname> group (or gid) after initialization\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--warn-scripts</strong>: warn about issues discovered while processing Lua scripts\r
+implied <strong>snort.-H</strong>: make hash tables deterministic\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--warn-symbols</strong>: warn about unknown symbols in your Lua config\r
+string <strong>snort.-i</strong>: <iface>… list of interfaces\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--warn-vars</strong>: warn about variable definition and usage issues\r
+port <strong>snort.-j</strong>: <port> to listen for telnet connections\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>snort.--x2c</strong>: output ASCII char for given hex (see also --c2x)\r
+enum <strong>snort.-k</strong> = all: <mode> checksum mode; default is all { all|noip|notcp|noudp|noicmp|none }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--x2s</strong>: output ASCII string for given byte code (see also --x2c)\r
+string <strong>snort.-L</strong>: <mode> logging mode (none, dump, pcap, or log_*)\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Commands:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>snort.show_plugins</strong>(): show available plugins\r
+string <strong>snort.-l</strong>: <logdir> log to this directory instead of current directory\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.dump_stats</strong>(): show summary statistics\r
+implied <strong>snort.-M</strong>: log messages to syslog (not alerts)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.rotate_stats</strong>(): roll perfmonitor log files\r
+int <strong>snort.-m</strong>: <umask> set umask = <umask> { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.reload_config</strong>(filename): load new configuration\r
+int <strong>snort.-n</strong>: <count> stop after count packets { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.reload_hosts</strong>(filename): load a new hosts table\r
+implied <strong>snort.-O</strong>: obfuscate the logged IP addresses\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.pause</strong>(): suspend packet processing\r
+implied <strong>snort.-Q</strong>: enable inline mode operation\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.resume</strong>(): continue packet processing\r
+implied <strong>snort.-q</strong>: quiet mode - Don’t show banner and status report\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.detach</strong>(): exit shell w/o shutdown\r
+string <strong>snort.-R</strong>: <rules> include this rules file in the default policy\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.quit</strong>(): shutdown and dump-stats\r
+string <strong>snort.-r</strong>: <pcap>… (same as --pcap-list)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.help</strong>(): this output\r
+string <strong>snort.-S</strong>: <x=v> set config variable x equal to value v\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>snort.local commands</strong>: total local commands processed\r
+int <strong>snort.-s</strong> = 1514: <snap> (same as --snaplen); default is 1514 { 68:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.remote commands</strong>: total remote commands processed\r
+implied <strong>snort.-T</strong>: test and report on the current Snort configuration\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.signals</strong>: total signals processed\r
+string <strong>snort.-t</strong>: <dir> chroots process to <dir> after initialization\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.conf reloads</strong>: number of times configuration was reloaded\r
+implied <strong>snort.-U</strong>: use UTC for timestamps\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.attribute table reloads</strong>: number of times hosts table was reloaded\r
+string <strong>snort.-u</strong>: <uname> run snort as <uname> or <uid> after initialization\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.attribute table hosts</strong>: total number of hosts in table\r
+implied <strong>snort.-V</strong>: (same as --version)\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_suppress">suppress</h3>\r
-<div class="paragraph"><p>What: configure event suppressions</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>suppress[].gid</strong> = 0: rule generator ID { 0: }\r
+implied <strong>snort.-v</strong>: be verbose\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>suppress[].sid</strong> = 0: rule signature ID { 0: }\r
+implied <strong>snort.-W</strong>: lists available interfaces\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>suppress[].track</strong>: suppress only matching source or destination addresses { by_src | by_dst }\r
+implied <strong>snort.-X</strong>: dump the raw packet data starting at the link layer\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>suppress[].ip</strong>: restrict suppression to these addresses according to track\r
+implied <strong>snort.-x</strong>: same as --pedantic\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-</div>\r
-</div>\r
-<div class="sect1">\r
-<h2 id="_codec_modules">Codec Modules</h2>\r
-<div class="sectionbody">\r
-<div class="paragraph"><p>Codec is short for coder / decoder. These modules are used for basic\r
-protocol decoding, anomaly detection, and construction of active responses.</p></div>\r
-<div class="sect2">\r
-<h3 id="_arp">arp</h3>\r
-<div class="paragraph"><p>What: support for address resolution protocol</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>116:109</strong> (arp) truncated ARP\r
+implied <strong>snort.-y</strong>: include year in timestamp in the alert and log files\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_auth">auth</h3>\r
-<div class="paragraph"><p>What: support for IP authentication header</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>116:465</strong> (auth) truncated authentication header\r
+int <strong>snort.-z</strong> = 1: <count> maximum number of packet threads (same as --max-packet-threads); 0 gets the number of CPU cores reported by the system; default is 1 { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:466</strong> (auth) bad authentication header length\r
+implied <strong>snort.--alert-before-pass</strong>: process alert, drop, sdrop, or reject before pass; default is pass before alert, drop,…\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_ciscometadata">ciscometadata</h3>\r
-<div class="paragraph"><p>What: support for cisco metadata</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>116:468</strong> (ciscometadata) truncated Cisco Metadata header\r
+string <strong>snort.--bpf</strong>: <filter options> are standard BPF options, as seen in TCPDump\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:469</strong> (ciscometadata) invalid Cisco Metadata option length\r
+string <strong>snort.--c2x</strong>: output hex for given char (see also --x2c)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:470</strong> (ciscometadata) invalid Cisco Metadata option type\r
+implied <strong>snort.--create-pidfile</strong>: create PID file, even when not in Daemon mode\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:471</strong> (ciscometadata) invalid Cisco Metadata SGT\r
+string <strong>snort.--daq</strong>: <type> select packet acquisition module (default is pcap)\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_erspan2">erspan2</h3>\r
-<div class="paragraph"><p>What: support for encapsulated remote switched port analyzer - type 2</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>116:462</strong> (erspan2) ERSpan header version mismatch\r
+string <strong>snort.--daq-dir</strong>: <dir> tell snort where to find desired DAQ\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:463</strong> (erspan2) captured < ERSpan type2 header length\r
+implied <strong>snort.--daq-list</strong>: list packet acquisition modules available in optional dir, default is static modules only\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_erspan3">erspan3</h3>\r
-<div class="paragraph"><p>What: support for encapsulated remote switched port analyzer - type 3</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>116:464</strong> (erspan3) captured < ERSpan type3 header length\r
+string <strong>snort.--daq-var</strong>: <name=value> specify extra DAQ configuration variable\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_esp">esp</h3>\r
-<div class="paragraph"><p>What: support for encapsulating security payload</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>esp.decode_esp</strong> = false: enable for inspection of esp traffic that has authentication but not encryption\r
+implied <strong>snort.--dirty-pig</strong>: don’t flush packets on shutdown\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>116:294</strong> (esp) truncated encapsulated security payload header\r
+implied <strong>snort.--dump-builtin-rules</strong>: [<module prefix>] output stub rules for selected modules\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_eth">eth</h3>\r
-<div class="paragraph"><p>What: support for ethernet protocol (DLT 1) (DLT 51)</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>116:424</strong> (eth) truncated eth header\r
+implied <strong>snort.--dump-dynamic-rules</strong>: output stub rules for all loaded rules libraries\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_fabricpath">fabricpath</h3>\r
-<div class="paragraph"><p>What: support for fabricpath</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>116:467</strong> (fabricpath) truncated FabricPath header\r
+string <strong>snort.--dump-defaults</strong>: [<module prefix>] output module defaults in Lua format { (optional) }\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_gre">gre</h3>\r
-<div class="paragraph"><p>What: support for generic routing encapsulation</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>116:160</strong> (gre) GRE header length > payload length\r
+implied <strong>snort.--dump-version</strong>: output the version, the whole version, and only the version\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:161</strong> (gre) multiple encapsulations in packet\r
+implied <strong>snort.--enable-inline-test</strong>: enable Inline-Test Mode Operation\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:162</strong> (gre) invalid GRE version\r
+implied <strong>snort.--help</strong>: list command line options\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:163</strong> (gre) invalid GRE header\r
+string <strong>snort.--help-commands</strong>: [<module prefix>] output matching commands { (optional) }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:164</strong> (gre) invalid GRE v.1 PPTP header\r
+string <strong>snort.--help-config</strong>: [<module prefix>] output matching config options { (optional) }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:165</strong> (gre) GRE trans header length > payload length\r
+string <strong>snort.--help-counts</strong>: [<module prefix>] output matching peg counts { (optional) }\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_gtp">gtp</h3>\r
-<div class="paragraph"><p>What: support for general-packet-radio-service tunnelling protocol</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>116:297</strong> (gtp) two or more GTP encapsulation layers present\r
+string <strong>snort.--help-module</strong>: <module> output description of given module\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:298</strong> (gtp) GTP header length is invalid\r
+implied <strong>snort.--help-modules</strong>: list all available modules with brief help\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_icmp4">icmp4</h3>\r
-<div class="paragraph"><p>What: support for Internet control message protocol v4</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>116:105</strong> (icmp4) ICMP header truncated\r
+string <strong>snort.--help-options</strong>: <option prefix> output matching command line option quick help (same as -?) { (optional) }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:106</strong> (icmp4) ICMP timestamp header truncated\r
+implied <strong>snort.--help-plugins</strong>: list all available plugins with brief help\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:107</strong> (icmp4) ICMP address header truncated\r
+implied <strong>snort.--help-signals</strong>: dump available control signals\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:250</strong> (icmp4) ICMP original IP header truncated\r
+implied <strong>snort.--id-subdir</strong>: create/use instance subdirectories in logdir instead of instance filename prefix\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:251</strong> (icmp4) ICMP version and original IP header versions differ\r
+implied <strong>snort.--id-zero</strong>: use id prefix / subdirectory even with one packet thread\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:252</strong> (icmp4) ICMP original datagram length < original IP header length\r
+implied <strong>snort.--list-buffers</strong>: output available inspection buffers\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:253</strong> (icmp4) ICMP original IP payload < 64 bits\r
+string <strong>snort.--list-builtin</strong>: <module prefix> output matching builtin rules { (optional) }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:254</strong> (icmp4) ICMP original IP payload > 576 bytes\r
+string <strong>snort.--list-gids</strong>: [<module prefix>] output matching generators { (optional) }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:255</strong> (icmp4) ICMP original IP fragmented and offset not 0\r
+string <strong>snort.--list-modules</strong>: [<module type>] list all known modules of given type { (optional) }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:415</strong> (icmp4) ICMP4 packet to multicast dest address\r
+implied <strong>snort.--list-plugins</strong>: list all known plugins\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:416</strong> (icmp4) ICMP4 packet to broadcast dest address\r
+string <strong>snort.--lua</strong>: <chunk> extend/override conf with chunk; may be repeated\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:418</strong> (icmp4) ICMP4 type other\r
+int <strong>snort.--logid</strong>: <0xid> log Identifier to uniquely id events for multiple snorts (same as -G) { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:434</strong> (icmp4) ICMP ping NMAP\r
+implied <strong>snort.--markup</strong>: output help in asciidoc compatible format\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:435</strong> (icmp4) ICMP icmpenum v1.1.1\r
+int <strong>snort.--max-packet-threads</strong> = 1: <count> configure maximum number of packet threads (same as -z) { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:436</strong> (icmp4) ICMP redirect host\r
+implied <strong>snort.--nostamps</strong>: don’t include timestamps in log file names\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:437</strong> (icmp4) ICMP redirect net\r
+implied <strong>snort.--nolock-pidfile</strong>: do not try to lock Snort PID file\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:438</strong> (icmp4) ICMP traceroute ipopts\r
+implied <strong>snort.--pause</strong>: wait for resume/quit command before processing packets/terminating\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:439</strong> (icmp4) ICMP source quench\r
+string <strong>snort.--pcap-file</strong>: <file> file that contains a list of pcaps to read - read mode is implied\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:440</strong> (icmp4) broadscan smurf scanner\r
+string <strong>snort.--pcap-list</strong>: <list> a space separated list of pcaps to read - read mode is implied\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:441</strong> (icmp4) ICMP destination unreachable communication administratively prohibited\r
+string <strong>snort.--pcap-dir</strong>: <dir> a directory to recurse to look for pcaps - read mode is implied\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:442</strong> (icmp4) ICMP destination unreachable communication with destination host is administratively prohibited\r
+string <strong>snort.--pcap-filter</strong>: <filter> filter to apply when getting pcaps from file or directory\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:443</strong> (icmp4) ICMP destination unreachable communication with destination network is administratively prohibited\r
+int <strong>snort.--pcap-loop</strong>: <count> read all pcaps <count> times; 0 will read until Snort is terminated { -1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:451</strong> (icmp4) ICMP path MTU denial of service attempt\r
+implied <strong>snort.--pcap-no-filter</strong>: reset to use no filter when getting pcaps from file or directory\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:452</strong> (icmp4) BAD-TRAFFIC Linux ICMP header DOS attempt\r
+implied <strong>snort.--pcap-reload</strong>: if reading multiple pcaps, reload snort config between pcaps\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:426</strong> (icmp4) truncated ICMP4 header\r
+implied <strong>snort.--pcap-show</strong>: print a line saying what pcap is currently being read\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>icmp4.bad checksum</strong>: non-zero icmp checksums\r
+implied <strong>snort.--pedantic</strong>: warnings are fatal\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_icmp6">icmp6</h3>\r
-<div class="paragraph"><p>What: support for Internet control message protocol v6</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>116:427</strong> (icmp6) truncated ICMP6 header\r
+string <strong>snort.--plugin-path</strong>: <path> where to find plugins\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:431</strong> (icmp6) ICMP6 type not decoded\r
+implied <strong>snort.--process-all-events</strong>: process all action groups\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:432</strong> (icmp6) ICMP6 packet to multicast address\r
+string <strong>snort.--rule</strong>: <rules> to be added to configuration; may be repeated\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:285</strong> (icmp6) ICMPv6 packet of type 2 (message too big) with MTU field < 1280\r
+implied <strong>snort.--rule-to-hex</strong>: output so rule header to stdout for text rule on stdin\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:286</strong> (icmp6) ICMPv6 packet of type 1 (destination unreachable) with non-RFC 2463 code\r
+implied <strong>snort.--rule-to-text</strong>: output plain so rule header to stdout for text rule on stdin\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:287</strong> (icmp6) ICMPv6 router solicitation packet with a code not equal to 0\r
+string <strong>snort.--run-prefix</strong>: <pfx> prepend this to each output file\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:288</strong> (icmp6) ICMPv6 router advertisement packet with a code not equal to 0\r
+string <strong>snort.--script-path</strong>: <path> to a luajit script or directory containing luajit scripts\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:289</strong> (icmp6) ICMPv6 router solicitation packet with the reserved field not equal to 0\r
+implied <strong>snort.--shell</strong>: enable the interactive command line\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:290</strong> (icmp6) ICMPv6 router advertisement packet with the reachable time field set > 1 hour\r
+implied <strong>snort.--piglet</strong>: enable piglet test harness mode\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:457</strong> (icmp6) ICMPv6 packet of type 1 (destination unreachable) with non-RFC 4443 code\r
+implied <strong>snort.--show-plugins</strong>: list module and plugin versions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:460</strong> (icmp6) ICMPv6 node info query/response packet with a code greater than 2\r
+int <strong>snort.--skip</strong>: <n> skip 1st n packets { 0: }\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>icmp6.bad checksum (ip4)</strong>: nonzero ipcm4 checksums\r
+int <strong>snort.--snaplen</strong> = 1514: <snap> set snaplen of packet (same as -s) { 68:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>icmp6.bad checksum (ip6)</strong>: nonzero ipcm6 checksums\r
+implied <strong>snort.--stdin-rules</strong>: read rules from stdin until EOF or a line starting with END is read\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_igmp">igmp</h3>\r
-<div class="paragraph"><p>What: support for Internet group management protocol</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>116:455</strong> (igmp) DOS IGMP IP options validation attempt\r
+implied <strong>snort.--treat-drop-as-alert</strong>: converts drop, sdrop, and reject rules into alert rules during startup\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_ipv4">ipv4</h3>\r
-<div class="paragraph"><p>What: support for Internet protocol v4</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>116:1</strong> (ipv4) Not IPv4 datagram\r
+implied <strong>snort.--treat-drop-as-ignore</strong>: use drop, sdrop, and reject rules to ignore session traffic when not inline\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:2</strong> (ipv4) hlen < minimum\r
+string <strong>snort.--catch-test</strong>: comma separated list of cat unit test tags or <em>all</em>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:3</strong> (ipv4) IP dgm len < IP Hdr len\r
+implied <strong>snort.--version</strong>: show version number (same as -V)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:4</strong> (ipv4) Ipv4 Options found with bad lengths\r
+implied <strong>snort.--warn-all</strong>: enable all warnings\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:5</strong> (ipv4) Truncated Ipv4 Options\r
+implied <strong>snort.--warn-conf</strong>: warn about configuration issues\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:6</strong> (ipv4) IP dgm len > captured len\r
+implied <strong>snort.--warn-daq</strong>: warn about DAQ issues, usually related to mode\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:404</strong> (ipv4) IPV4 packet with zero TTL\r
+implied <strong>snort.--warn-flowbits</strong>: warn about flowbits that are checked but not set and vice-versa\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:405</strong> (ipv4) IPV4 packet with bad frag bits (both MF and DF set)\r
+implied <strong>snort.--warn-hosts</strong>: warn about host table issues\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:407</strong> (ipv4) IPV4 packet frag offset + length exceed maximum\r
+implied <strong>snort.--warn-plugins</strong>: warn about issues that prevent plugins from loading\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:408</strong> (ipv4) IPV4 packet from <em>current net</em> source address\r
+implied <strong>snort.--warn-rules</strong>: warn about duplicate rules and rule parsing issues\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:409</strong> (ipv4) IPV4 packet to <em>current net</em> dest address\r
+implied <strong>snort.--warn-scripts</strong>: warn about issues discovered while processing Lua scripts\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:410</strong> (ipv4) IPV4 packet from multicast source address\r
+implied <strong>snort.--warn-symbols</strong>: warn about unknown symbols in your Lua config\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:411</strong> (ipv4) IPV4 packet from reserved source address\r
+implied <strong>snort.--warn-vars</strong>: warn about variable definition and usage issues\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:412</strong> (ipv4) IPV4 packet to reserved dest address\r
+int <strong>snort.--x2c</strong>: output ASCII char for given hex (see also --c2x)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:413</strong> (ipv4) IPV4 packet from broadcast source address\r
+string <strong>snort.--x2s</strong>: output ASCII string for given byte code (see also --x2c)\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Commands:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>116:414</strong> (ipv4) IPV4 packet to broadcast dest address\r
+<strong>snort.show_plugins</strong>(): show available plugins\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:428</strong> (ipv4) IPV4 packet below TTL limit\r
+<strong>snort.dump_stats</strong>(): show summary statistics\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:430</strong> (ipv4) IPV4 packet both DF and offset set\r
+<strong>snort.rotate_stats</strong>(): roll perfmonitor log files\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:448</strong> (ipv4) BAD-TRAFFIC IP reserved bit set\r
+<strong>snort.reload_config</strong>(filename): load new configuration\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:444</strong> (ipv4) MISC IP option set\r
+<strong>snort.reload_hosts</strong>(filename): load a new hosts table\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:425</strong> (ipv4) truncated IP4 header\r
+<strong>snort.pause</strong>(): suspend packet processing\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>ipv4.bad checksum</strong>: nonzero ip checksums\r
+<strong>snort.resume</strong>(): continue packet processing\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_ipv6">ipv6</h3>\r
-<div class="paragraph"><p>What: support for Internet protocol v6</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>116:270</strong> (ipv6) IPv6 packet below TTL limit\r
+<strong>snort.detach</strong>(): exit shell w/o shutdown\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:271</strong> (ipv6) IPv6 header claims to not be IPv6\r
+<strong>snort.quit</strong>(): shutdown and dump-stats\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:272</strong> (ipv6) IPV6 truncated extension header\r
+<strong>snort.help</strong>(): this output\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>116:273</strong> (ipv6) IPV6 truncated header\r
+<strong>snort.local commands</strong>: total local commands processed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:274</strong> (ipv6) IP dgm len < IP Hdr len\r
+<strong>snort.remote commands</strong>: total remote commands processed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:275</strong> (ipv6) IP dgm len > captured len\r
+<strong>snort.signals</strong>: total signals processed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:276</strong> (ipv6) IPv6 packet with destination address ::0\r
+<strong>snort.conf reloads</strong>: number of times configuration was reloaded\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:277</strong> (ipv6) IPv6 packet with multicast source address\r
+<strong>snort.attribute table reloads</strong>: number of times hosts table was reloaded\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:278</strong> (ipv6) IPv6 packet with reserved multicast destination address\r
+<strong>snort.attribute table hosts</strong>: total number of hosts in table\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_suppress">suppress</h3>\r
+<div class="paragraph"><p>What: configure event suppressions</p></div>\r
+<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>116:279</strong> (ipv6) IPv6 header includes an undefined option type\r
+int <strong>suppress[].gid</strong> = 0: rule generator ID { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:280</strong> (ipv6) IPv6 address includes an unassigned multicast scope value\r
+int <strong>suppress[].sid</strong> = 0: rule signature ID { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:281</strong> (ipv6) IPv6 header includes an invalid value for the <em>next header</em> field\r
+enum <strong>suppress[].track</strong>: suppress only matching source or destination addresses { by_src | by_dst }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:282</strong> (ipv6) IPv6 header includes a routing extension header followed by a hop-by-hop header\r
+string <strong>suppress[].ip</strong>: restrict suppression to these addresses according to track\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+</div>\r
+</div>\r
+<div class="sect1">\r
+<h2 id="_codec_modules">Codec Modules</h2>\r
+<div class="sectionbody">\r
+<div class="paragraph"><p>Codec is short for coder / decoder. These modules are used for basic\r
+protocol decoding, anomaly detection, and construction of active responses.</p></div>\r
+<div class="sect2">\r
+<h3 id="_arp">arp</h3>\r
+<div class="paragraph"><p>What: support for address resolution protocol</p></div>\r
+<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>116:283</strong> (ipv6) IPv6 header includes two routing extension headers\r
+<strong>116:109</strong> (arp) truncated ARP\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_auth">auth</h3>\r
+<div class="paragraph"><p>What: support for IP authentication header</p></div>\r
+<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>116:292</strong> (ipv6) IPv6 header has destination options followed by a routing header\r
+<strong>116:465</strong> (auth) truncated authentication header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:291</strong> (ipv6) IPV6 tunneled over IPv4, IPv6 header truncated, possible Linux kernel attack\r
+<strong>116:466</strong> (auth) bad authentication header length\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_ciscometadata">ciscometadata</h3>\r
+<div class="paragraph"><p>What: support for cisco metadata</p></div>\r
+<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>116:295</strong> (ipv6) IPv6 header includes an option which is too big for the containing header\r
+<strong>116:468</strong> (ciscometadata) truncated Cisco Metadata header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:296</strong> (ipv6) IPv6 packet includes out-of-order extension headers\r
+<strong>116:469</strong> (ciscometadata) invalid Cisco Metadata option length\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:429</strong> (ipv6) IPV6 packet has zero hop limit\r
+<strong>116:470</strong> (ciscometadata) invalid Cisco Metadata option type\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:453</strong> (ipv6) BAD-TRAFFIC ISATAP-addressed IPv6 traffic spoofing attempt\r
+<strong>116:471</strong> (ciscometadata) invalid Cisco Metadata SGT\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_erspan2">erspan2</h3>\r
+<div class="paragraph"><p>What: support for encapsulated remote switched port analyzer - type 2</p></div>\r
+<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>116:458</strong> (ipv6) bogus fragmentation packet, possible BSD attack\r
+<strong>116:462</strong> (erspan2) ERSpan header version mismatch\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:461</strong> (ipv6) IPV6 routing type 0 extension header\r
+<strong>116:463</strong> (erspan2) captured length < ERSpan type2 header length\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_erspan3">erspan3</h3>\r
+<div class="paragraph"><p>What: support for encapsulated remote switched port analyzer - type 3</p></div>\r
+<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>116:456</strong> (ipv6) too many IP6 extension headers\r
+<strong>116:464</strong> (erspan3) captured < ERSpan type3 header length\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_mpls">mpls</h3>\r
-<div class="paragraph"><p>What: support for multiprotocol label switching</p></div>\r
+<h3 id="_esp">esp</h3>\r
+<div class="paragraph"><p>What: support for encapsulating security payload</p></div>\r
<div class="paragraph"><p>Type: codec</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>mpls.enable_mpls_multicast</strong> = false: enables support for MPLS multicast\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>mpls.enable_mpls_overlapping_ip</strong> = false: enable if private network addresses overlap and must be differentiated by MPLS label(s)\r
+bool <strong>esp.decode_esp</strong> = false: enable for inspection of esp traffic that has authentication but not encryption\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>mpls.max_mpls_stack_depth</strong> = -1: set MPLS stack depth { -1: }\r
+<strong>116:294</strong> (esp) truncated encapsulated security payload header\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_eth">eth</h3>\r
+<div class="paragraph"><p>What: support for ethernet protocol (DLT 1) (DLT 51)</p></div>\r
+<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-enum <strong>mpls.mpls_payload_type</strong> = ip4: set encapsulated payload type { eth | ip4 | ip6 }\r
+<strong>116:424</strong> (eth) truncated ethernet header\r
</p>\r
</li>\r
</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_fabricpath">fabricpath</h3>\r
+<div class="paragraph"><p>What: support for fabricpath</p></div>\r
+<div class="paragraph"><p>Type: codec</p></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>116:170</strong> (mpls) bad MPLS frame\r
+<strong>116:467</strong> (fabricpath) truncated FabricPath header\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_gre">gre</h3>\r
+<div class="paragraph"><p>What: support for generic routing encapsulation</p></div>\r
+<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>116:171</strong> (mpls) MPLS label 0 appears in non-bottom header\r
+<strong>116:160</strong> (gre) GRE header length > payload length\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:172</strong> (mpls) MPLS label 1 appears in bottom header\r
+<strong>116:161</strong> (gre) multiple encapsulations in packet\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:173</strong> (mpls) MPLS label 2 appears in non-bottom header\r
+<strong>116:162</strong> (gre) invalid GRE version\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:174</strong> (mpls) MPLS label 3 appears in header\r
+<strong>116:163</strong> (gre) invalid GRE header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:175</strong> (mpls) MPLS label 4, 5,.. or 15 appears in header\r
+<strong>116:164</strong> (gre) invalid GRE v.1 PPTP header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:176</strong> (mpls) too many MPLS headers\r
+<strong>116:165</strong> (gre) GRE trans header length > payload length\r
</p>\r
</li>\r
</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_gtp">gtp</h3>\r
+<div class="paragraph"><p>What: support for general-packet-radio-service tunnelling protocol</p></div>\r
+<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>mpls.total packets</strong>: total mpls labeled packets processed\r
+<strong>116:297</strong> (gtp) two or more GTP encapsulation layers present\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>mpls.total bytes</strong>: total mpls labeled bytes processed\r
+<strong>116:298</strong> (gtp) GTP header length is invalid\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_pgm">pgm</h3>\r
-<div class="paragraph"><p>What: support for pragmatic general multicast</p></div>\r
+<h3 id="_icmp4">icmp4</h3>\r
+<div class="paragraph"><p>What: support for Internet control message protocol v4</p></div>\r
<div class="paragraph"><p>Type: codec</p></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>116:454</strong> (pgm) BAD-TRAFFIC PGM nak list overflow attempt\r
+<strong>116:105</strong> (icmp4) ICMP header truncated\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_pppoe">pppoe</h3>\r
-<div class="paragraph"><p>What: support for point-to-point protocol over ethernet</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>116:120</strong> (pppoe) bad PPPOE frame detected\r
+<strong>116:106</strong> (icmp4) ICMP timestamp header truncated\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_tcp">tcp</h3>\r
-<div class="paragraph"><p>What: support for transmission control protocol</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>116:45</strong> (tcp) TCP packet len is smaller than 20 bytes\r
+<strong>116:107</strong> (icmp4) ICMP address header truncated\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:46</strong> (tcp) TCP data offset is less than 5\r
+<strong>116:250</strong> (icmp4) ICMP original IP header truncated\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:47</strong> (tcp) TCP header length exceeds packet length\r
+<strong>116:251</strong> (icmp4) ICMP version and original IP header versions differ\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:54</strong> (tcp) TCP options found with bad lengths\r
+<strong>116:252</strong> (icmp4) ICMP original datagram length < original IP header length\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:55</strong> (tcp) truncated TCP options\r
+<strong>116:253</strong> (icmp4) ICMP original IP payload < 64 bits\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:56</strong> (tcp) T/TCP detected\r
+<strong>116:254</strong> (icmp4) ICMP original IP payload > 576 bytes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:57</strong> (tcp) obsolete TCP options found\r
+<strong>116:255</strong> (icmp4) ICMP original IP fragmented and offset not 0\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:58</strong> (tcp) experimental TCP options found\r
+<strong>116:415</strong> (icmp4) ICMP4 packet to multicast dest address\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:59</strong> (tcp) TCP window scale option found with length > 14\r
+<strong>116:416</strong> (icmp4) ICMP4 packet to broadcast dest address\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:400</strong> (tcp) XMAS attack detected\r
+<strong>116:418</strong> (icmp4) ICMP4 type other\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:401</strong> (tcp) Nmap XMAS attack detected\r
+<strong>116:434</strong> (icmp4) ICMP ping Nmap\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:419</strong> (tcp) TCP urgent pointer exceeds payload length or no payload\r
+<strong>116:435</strong> (icmp4) ICMP icmpenum v1.1.1\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:420</strong> (tcp) TCP SYN with FIN\r
+<strong>116:436</strong> (icmp4) ICMP redirect host\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:421</strong> (tcp) TCP SYN with RST\r
+<strong>116:437</strong> (icmp4) ICMP redirect net\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:422</strong> (tcp) TCP PDU missing ack for established session\r
+<strong>116:438</strong> (icmp4) ICMP traceroute ipopts\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:423</strong> (tcp) TCP has no SYN, ACK, or RST\r
+<strong>116:439</strong> (icmp4) ICMP source quench\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:433</strong> (tcp) DDOS shaft SYN flood\r
+<strong>116:440</strong> (icmp4) broadscan smurf scanner\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:446</strong> (tcp) BAD-TRAFFIC TCP port 0 traffic\r
+<strong>116:441</strong> (icmp4) ICMP destination unreachable communication administratively prohibited\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:402</strong> (tcp) DOS NAPTHA vulnerability detected\r
+<strong>116:442</strong> (icmp4) ICMP destination unreachable communication with destination host is administratively prohibited\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:403</strong> (tcp) bad traffic SYN to multicast address\r
+<strong>116:443</strong> (icmp4) ICMP destination unreachable communication with destination network is administratively prohibited\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>tcp.bad checksum (ip4)</strong>: nonzero tcp over ip checksums\r
+<strong>116:451</strong> (icmp4) ICMP path MTU denial of service attempt\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>tcp.bad checksum (ip6)</strong>: nonzero tcp over ipv6 checksums\r
+<strong>116:452</strong> (icmp4) Linux ICMP header DOS attempt\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>116:426</strong> (icmp4) truncated ICMP4 header\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+<strong>icmp4.bad checksum</strong>: non-zero icmp checksums\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_udp">udp</h3>\r
-<div class="paragraph"><p>What: support for user datagram protocol</p></div>\r
+<h3 id="_icmp6">icmp6</h3>\r
+<div class="paragraph"><p>What: support for Internet control message protocol v6</p></div>\r
<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>udp.deep_teredo_inspection</strong> = false: look for Teredo on all UDP ports (default is only 3544)\r
+<strong>116:427</strong> (icmp6) truncated ICMP6 header\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>udp.enable_gtp</strong> = false: decode GTP encapsulations\r
+<strong>116:431</strong> (icmp6) ICMPv6 type not decoded\r
</p>\r
</li>\r
<li>\r
<p>\r
-bit_list <strong>udp.gtp_ports</strong> = 2152 3386: set GTP ports { 65535 }\r
+<strong>116:432</strong> (icmp6) ICMPv6 packet to multicast address\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>116:95</strong> (udp) truncated UDP header\r
+<strong>116:285</strong> (icmp6) ICMPv6 packet of type 2 (message too big) with MTU field < 1280\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:96</strong> (udp) invalid UDP header, length field < 8\r
+<strong>116:286</strong> (icmp6) ICMPv6 packet of type 1 (destination unreachable) with non-RFC 2463 code\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:97</strong> (udp) short UDP packet, length field > payload length\r
+<strong>116:287</strong> (icmp6) ICMPv6 router solicitation packet with a code not equal to 0\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:98</strong> (udp) long UDP packet, length field < payload length\r
+<strong>116:288</strong> (icmp6) ICMPv6 router advertisement packet with a code not equal to 0\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:406</strong> (udp) invalid IPv6 UDP packet, checksum zero\r
+<strong>116:289</strong> (icmp6) ICMPv6 router solicitation packet with the reserved field not equal to 0\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>116:290</strong> (icmp6) ICMPv6 router advertisement packet with the reachable time field set > 1 hour\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:445</strong> (udp) misc large UDP Packet\r
+<strong>116:457</strong> (icmp6) ICMPv6 packet of type 1 (destination unreachable) with non-RFC 4443 code\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:447</strong> (udp) BAD-TRAFFIC UDP port 0 traffic\r
+<strong>116:460</strong> (icmp6) ICMPv6 node info query/response packet with a code greater than 2\r
</p>\r
</li>\r
</ul></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>udp.bad checksum (ip4)</strong>: nonzero udp over ipv4 checksums\r
+<strong>icmp6.bad checksum (ip4)</strong>: nonzero ipcm4 checksums\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>udp.bad checksum (ip6)</strong>: nonzero udp over ipv6 checksums\r
+<strong>icmp6.bad checksum (ip6)</strong>: nonzero ipcm6 checksums\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_vlan">vlan</h3>\r
-<div class="paragraph"><p>What: support for local area network</p></div>\r
+<h3 id="_igmp">igmp</h3>\r
+<div class="paragraph"><p>What: support for Internet group management protocol</p></div>\r
<div class="paragraph"><p>Type: codec</p></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>116:130</strong> (vlan) bad VLAN frame\r
+<strong>116:455</strong> (igmp) DOS IGMP IP options validation attempt\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_ipv4">ipv4</h3>\r
+<div class="paragraph"><p>What: support for Internet protocol v4</p></div>\r
+<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>116:131</strong> (vlan) bad LLC header\r
+<strong>116:1</strong> (ipv4) not IPv4 datagram\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:132</strong> (vlan) bad extra LLC info\r
+<strong>116:2</strong> (ipv4) IPv4 header length < minimum\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>116:3</strong> (ipv4) IPv4 datagram length < header field\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-</div>\r
-</div>\r
-<div class="sect1">\r
-<h2 id="_inspector_modules">Inspector Modules</h2>\r
-<div class="sectionbody">\r
-<div class="paragraph"><p>These modules perform a variety of functions, including analysis of\r
-protocols beyond basic decoding.</p></div>\r
-<div class="sect2">\r
-<h3 id="_appid">appid</h3>\r
-<div class="paragraph"><p>What: application and service identification</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>appid.conf</strong>: RNA configuration file\r
+<strong>116:4</strong> (ipv4) IPv4 options found with bad lengths\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>appid.memcap</strong> = 268435456: time period for collecting and logging AppId statistics { 1048576:3221225472 }\r
+<strong>116:5</strong> (ipv4) truncated IPv4 options\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>appid.log_stats</strong> = false: enable logging of AppId statistics\r
+<strong>116:6</strong> (ipv4) IPv4 datagram length > captured length\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>appid.app_stats_period</strong> = 300: time period for collecting and logging AppId statistics { 0: }\r
+<strong>116:404</strong> (ipv4) IPv4 packet with zero TTL\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>appid.app_stats_rollover_size</strong> = 20971520: max file size for AppId stats before rolling over the log file { 0: }\r
+<strong>116:405</strong> (ipv4) IPv4 packet with bad frag bits (both MF and DF set)\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>appid.app_stats_rollover_time</strong> = 86400: max time period for collection AppId stats before rolling over the log file { 0: }\r
+<strong>116:407</strong> (ipv4) IPv4 packet frag offset + length exceed maximum\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>appid.app_detector_dir</strong>: directory to load AppId detectors from\r
+<strong>116:408</strong> (ipv4) IPv4 packet from <em>current net</em> source address\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>appid.instance_id</strong> = 0: instance id - need more details for what this is { 0: }\r
+<strong>116:409</strong> (ipv4) IPv4 packet to <em>current net</em> dest address\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>appid.debug</strong> = false: enable AppId debug logging\r
+<strong>116:410</strong> (ipv4) IPv4 packet from multicast source address\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>appid.dump_ports</strong> = false: enable dump of AppId port information\r
+<strong>116:411</strong> (ipv4) IPv4 packet from reserved source address\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>appid.thirdparty_appid_dir</strong>: directory to load thirdparty AppId detectors from\r
+<strong>116:412</strong> (ipv4) IPv4 packet to reserved dest address\r
</p>\r
</li>\r
<li>\r
<p>\r
-addr <strong>appid.session_log_filter.src_ip</strong> = 0.0.0.0/32: source ip address in CIDR format\r
+<strong>116:413</strong> (ipv4) IPv4 packet from broadcast source address\r
</p>\r
</li>\r
<li>\r
<p>\r
-addr <strong>appid.session_log_filter.dst_ip</strong> = 0.0.0.0/32: destination ip address in CIDR format\r
+<strong>116:414</strong> (ipv4) IPv4 packet to broadcast dest address\r
</p>\r
</li>\r
<li>\r
<p>\r
-port <strong>appid.session_log_filter.src_port</strong>: source port { 1: }\r
+<strong>116:428</strong> (ipv4) IPv4 packet below TTL limit\r
</p>\r
</li>\r
<li>\r
<p>\r
-port <strong>appid.session_log_filter.dst_port</strong>: destination port { 1: }\r
+<strong>116:430</strong> (ipv4) IPv4 packet both DF and offset set\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>appid.session_log_filter.protocol</strong>: ip protocol\r
+<strong>116:448</strong> (ipv4) IPv4 reserved bit set\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>appid.session_log_filter.log_all_sessions</strong> = false: enable logging for all appid sessions\r
+<strong>116:444</strong> (ipv4) IPv4 option set\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>116:425</strong> (ipv4) truncated IPv4 header\r
</p>\r
</li>\r
</ul></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>appid.packets</strong>: count of packets received by appid inspector\r
+<strong>ipv4.bad checksum</strong>: nonzero ip checksums\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_ipv6">ipv6</h3>\r
+<div class="paragraph"><p>What: support for Internet protocol v6</p></div>\r
+<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+<strong>116:270</strong> (ipv6) IPv6 packet below TTL limit\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.processed packets</strong>: count of packets processed by appid inspector\r
+<strong>116:271</strong> (ipv6) IPv6 header claims to not be IPv6\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.ignored packets</strong>: count of packets ignored by appid inspector\r
+<strong>116:272</strong> (ipv6) IPv6 truncated extension header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.aim_clients</strong>: count of aim clients discovered by appid\r
+<strong>116:273</strong> (ipv6) IPv6 truncated header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.battlefield_flows</strong>: count of battle field flows discovered by appid\r
+<strong>116:274</strong> (ipv6) IPv6 datagram length < header field\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.bgp_flows</strong>: count of bgp flows discovered by appid\r
+<strong>116:275</strong> (ipv6) IPv6 datagram length > captured length\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.bit_clients</strong>: count of bittorrent clients discovered by appid\r
+<strong>116:276</strong> (ipv6) IPv6 packet with destination address ::0\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.bit_flows</strong>: count of bittorrent flows discovered by appid\r
+<strong>116:277</strong> (ipv6) IPv6 packet with multicast source address\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.bittracker_clients</strong>: count of bittorrent tracker clients discovered by appid\r
+<strong>116:278</strong> (ipv6) IPv6 packet with reserved multicast destination address\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.bootp_flows</strong>: count of bootp flows discovered by appid\r
+<strong>116:279</strong> (ipv6) IPv6 header includes an undefined option type\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.dcerpc_tcp_flows</strong>: count of dce rpc flows over tcp discovered by appid\r
+<strong>116:280</strong> (ipv6) IPv6 address includes an unassigned multicast scope value\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.dcerpc_udp_flows</strong>: count of dce rpc flows over udp discovered by appid\r
+<strong>116:281</strong> (ipv6) IPv6 header includes an invalid value for the <em>next header</em> field\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.direct_connect_flows</strong>: count of direct connect flows discovered by appid\r
+<strong>116:282</strong> (ipv6) IPv6 header includes a routing extension header followed by a hop-by-hop header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.dns_tcp_flows</strong>: count of dns flows over tcp discovered by appid\r
+<strong>116:283</strong> (ipv6) IPv6 header includes two routing extension headers\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.dns_udp_flows</strong>: count of dns flows over udp discovered by appid\r
+<strong>116:292</strong> (ipv6) IPv6 header has destination options followed by a routing header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.ftp_flows</strong>: count of ftp flows discovered by appid\r
+<strong>116:291</strong> (ipv6) IPV6 tunneled over IPv4, IPv6 header truncated, possible Linux kernel attack\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.ftps_flows</strong>: count of ftps flows discovered by appid\r
+<strong>116:295</strong> (ipv6) IPv6 header includes an option which is too big for the containing header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.http_flows</strong>: count of http flows discovered by appid\r
+<strong>116:296</strong> (ipv6) IPv6 packet includes out-of-order extension headers\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.imap_flows</strong>: count of imap service flows discovered by appid\r
+<strong>116:429</strong> (ipv6) IPv6 packet has zero hop limit\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.imaps_flows</strong>: count of imap TLS service flows discovered by appid\r
+<strong>116:453</strong> (ipv6) ISATAP-addressed IPv6 traffic spoofing attempt\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.irc_flows</strong>: count of irc service flows discovered by appid\r
+<strong>116:458</strong> (ipv6) bogus fragmentation packet, possible BSD attack\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.kerberos_clients</strong>: count of kerberos clients discovered by appid\r
+<strong>116:461</strong> (ipv6) IPv6 routing type 0 extension header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.kerberos_flows</strong>: count of kerberos service flows discovered by appid\r
+<strong>116:456</strong> (ipv6) too many IPv6 extension headers\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_mpls">mpls</h3>\r
+<div class="paragraph"><p>What: support for multiprotocol label switching</p></div>\r
+<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>appid.kerberos_users</strong>: count of kerberos users discovered by appid\r
+bool <strong>mpls.enable_mpls_multicast</strong> = false: enables support for MPLS multicast\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.lpr_flows</strong>: count of lpr service flows discovered by appid\r
+bool <strong>mpls.enable_mpls_overlapping_ip</strong> = false: enable if private network addresses overlap and must be differentiated by MPLS label(s)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.mdns_flows</strong>: count of mdns service flows discovered by appid\r
+int <strong>mpls.max_mpls_stack_depth</strong> = -1: set MPLS stack depth { -1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.msn_clients</strong>: count of msn clients discovered by appid\r
+enum <strong>mpls.mpls_payload_type</strong> = ip4: set encapsulated payload type { eth | ip4 | ip6 }\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>appid.mysql_flows</strong>: count of mysql service flows discovered by appid\r
+<strong>116:170</strong> (mpls) bad MPLS frame\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.netbios_dgm_flows</strong>: count of netbios-dgm service flows discovered by appid\r
+<strong>116:171</strong> (mpls) MPLS label 0 appears in non-bottom header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.netbios_ns_flows</strong>: count of netbios-ns service flows discovered by appid\r
+<strong>116:172</strong> (mpls) MPLS label 1 appears in bottom header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.netbios_ssn_flows</strong>: count of netbios-ssn service flows discovered by appid\r
+<strong>116:173</strong> (mpls) MPLS label 2 appears in non-bottom header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.nntp_flows</strong>: count of nntp flows discovered by appid\r
+<strong>116:174</strong> (mpls) MPLS label 3 appears in header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.ntp_flows</strong>: count of ntp flows discovered by appid\r
+<strong>116:175</strong> (mpls) MPLS label 4, 5,.. or 15 appears in header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.pop_flows</strong>: count of pop service flows discovered by appid\r
+<strong>116:176</strong> (mpls) too many MPLS headers\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>appid.radius_flows</strong>: count of radius flows discovered by appid\r
+<strong>mpls.total packets</strong>: total mpls labeled packets processed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.rexec_flows</strong>: count of rexec flows discovered by appid\r
+<strong>mpls.total bytes</strong>: total mpls labeled bytes processed\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_pgm">pgm</h3>\r
+<div class="paragraph"><p>What: support for pragmatic general multicast</p></div>\r
+<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>appid.rfb_flows</strong>: count of rfb flows discovered by appid\r
+<strong>116:454</strong> (pgm) PGM nak list overflow attempt\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_pppoe">pppoe</h3>\r
+<div class="paragraph"><p>What: support for point-to-point protocol over ethernet</p></div>\r
+<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>appid.rlogin_flows</strong>: count of rlogin flows discovered by appid\r
+<strong>116:120</strong> (pppoe) bad PPPOE frame detected\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_tcp_2">tcp</h3>\r
+<div class="paragraph"><p>What: support for transmission control protocol</p></div>\r
+<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>appid.rpc_flows</strong>: count of rpc flows discovered by appid\r
+<strong>116:45</strong> (tcp) TCP packet length is smaller than 20 bytes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.rshell_flows</strong>: count of rshell flows discovered by appid\r
+<strong>116:46</strong> (tcp) TCP data offset is less than 5\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.rsync_flows</strong>: count of rsync service flows discovered by appid\r
+<strong>116:47</strong> (tcp) TCP header length exceeds packet length\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.rtmp_flows</strong>: count of rtmp flows discovered by appid\r
+<strong>116:54</strong> (tcp) TCP options found with bad lengths\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.rtp_clients</strong>: count of rtp clients discovered by appid\r
+<strong>116:55</strong> (tcp) truncated TCP options\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.sip_clients</strong>: count of SIP clients discovered by appid\r
+<strong>116:56</strong> (tcp) T/TCP detected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.sip_flows</strong>: count of SIP flows discovered by appid\r
+<strong>116:57</strong> (tcp) obsolete TCP options found\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_aol_clients</strong>: count of AOL smtp clients discovered by appid\r
+<strong>116:58</strong> (tcp) experimental TCP options found\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_applemail_clients</strong>: count of Apple Mail smtp clients discovered by appid\r
+<strong>116:59</strong> (tcp) TCP window scale option found with length > 14\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_eudora_clients</strong>: count of Eudora smtp clients discovered by appid\r
+<strong>116:400</strong> (tcp) XMAS attack detected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_eudora_pro_clients</strong>: count of Eudora Pro smtp clients discovered by appid\r
+<strong>116:401</strong> (tcp) Nmap XMAS attack detected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_evolution_clients</strong>: count of Evolution smtp clients discovered by appid\r
+<strong>116:419</strong> (tcp) TCP urgent pointer exceeds payload length or no payload\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_kmail_clients</strong>: count of KMail smtp clients discovered by appid\r
+<strong>116:420</strong> (tcp) TCP SYN with FIN\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_lotus_notes_clients</strong>: count of Lotus Notes smtp clients discovered by appid\r
+<strong>116:421</strong> (tcp) TCP SYN with RST\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_microsoft_outlook_clients</strong>: count of Microsoft Outlook smtp clients discovered by appid\r
+<strong>116:422</strong> (tcp) TCP PDU missing ack for established session\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_microsoft_outlook_express_clients</strong>: count of Microsoft Outlook Express smtp clients discovered by appid\r
+<strong>116:423</strong> (tcp) TCP has no SYN, ACK, or RST\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_microsoft_outlook_imo_clients</strong>: count of Microsoft Outlook IMO smtp clients discovered by appid\r
+<strong>116:433</strong> (tcp) DDOS shaft SYN flood\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_mutt_clients</strong>: count of Mutt smtp clients discovered by appid\r
+<strong>116:446</strong> (tcp) TCP port 0 traffic\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_thunderbird_clients</strong>: count of Thunderbird smtp clients discovered by appid\r
+<strong>116:402</strong> (tcp) DOS NAPTHA vulnerability detected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_flows</strong>: count of smtp flows discovered by appid\r
+<strong>116:403</strong> (tcp) SYN to multicast address\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>appid.smtps_flows</strong>: count of smtps flows discovered by appid\r
+<strong>tcp.bad checksum (ip4)</strong>: nonzero tcp over ip checksums\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.snmp_flows</strong>: count of snmp flows discovered by appid\r
+<strong>tcp.bad checksum (ip6)</strong>: nonzero tcp over ipv6 checksums\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_udp_2">udp</h3>\r
+<div class="paragraph"><p>What: support for user datagram protocol</p></div>\r
+<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>appid.ssh_clients</strong>: count of ssh clients discovered by appid\r
+bool <strong>udp.deep_teredo_inspection</strong> = false: look for Teredo on all UDP ports (default is only 3544)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.ssh_flows</strong>: count of ssh flows discovered by appid\r
+bool <strong>udp.enable_gtp</strong> = false: decode GTP encapsulations\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.ssl_flows</strong>: count of ssl flows discovered by appid\r
+bit_list <strong>udp.gtp_ports</strong> = 2152 3386: set GTP ports { 65535 }\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>appid.telnet_flows</strong>: count of telnet flows discovered by appid\r
+<strong>116:95</strong> (udp) truncated UDP header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.tftp_flows</strong>: count of tftp flows discovered by appid\r
+<strong>116:96</strong> (udp) invalid UDP header, length field < 8\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.timbuktu_flows</strong>: count of timbuktu flows discovered by appid\r
+<strong>116:97</strong> (udp) short UDP packet, length field > payload length\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.tns_clients</strong>: count of tns clients discovered by appid\r
+<strong>116:98</strong> (udp) long UDP packet, length field < payload length\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.tns_flows</strong>: count of tns flows discovered by appid\r
+<strong>116:406</strong> (udp) invalid IPv6 UDP packet, checksum zero\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.vnc_clients</strong>: count of vnc clients discovered by appid\r
+<strong>116:445</strong> (udp) large UDP packet (> 4000 bytes)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.yahoo_messenger_clients</strong>: count of Yahoo Messenger clients discovered by appid\r
+<strong>116:447</strong> (udp) UDP port 0 traffic\r
</p>\r
</li>\r
</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_arp_spoof">arp_spoof</h3>\r
-<div class="paragraph"><p>What: detect ARP attacks and anomalies</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-ip4 <strong>arp_spoof.hosts[].ip</strong>: host ip address\r
+<strong>udp.bad checksum (ip4)</strong>: nonzero udp over ipv4 checksums\r
</p>\r
</li>\r
<li>\r
<p>\r
-mac <strong>arp_spoof.hosts[].mac</strong>: host mac address\r
+<strong>udp.bad checksum (ip6)</strong>: nonzero udp over ipv6 checksums\r
</p>\r
</li>\r
</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_vlan">vlan</h3>\r
+<div class="paragraph"><p>What: support for local area network</p></div>\r
+<div class="paragraph"><p>Type: codec</p></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>112:1</strong> (arp_spoof) unicast ARP request\r
+<strong>116:130</strong> (vlan) bad VLAN frame\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>112:2</strong> (arp_spoof) ethernet/ARP mismatch request for source\r
+<strong>116:131</strong> (vlan) bad LLC header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>112:3</strong> (arp_spoof) ethernet/ARP mismatch request for destination\r
+<strong>116:132</strong> (vlan) bad extra LLC info\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+</div>\r
+</div>\r
+<div class="sect1">\r
+<h2 id="_inspector_modules">Inspector Modules</h2>\r
+<div class="sectionbody">\r
+<div class="paragraph"><p>These modules perform a variety of functions, including analysis of\r
+protocols beyond basic decoding.</p></div>\r
+<div class="sect2">\r
+<h3 id="_appid">appid</h3>\r
+<div class="paragraph"><p>What: application and service identification</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>112:4</strong> (arp_spoof) attempted ARP cache overwrite attack\r
+string <strong>appid.conf</strong>: RNA configuration file\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>arp_spoof.packets</strong>: total packets\r
+int <strong>appid.memcap</strong> = 0: disregard - not implemented { 0: }\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_back_orifice">back_orifice</h3>\r
-<div class="paragraph"><p>What: back orifice detection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>105:1</strong> (back_orifice) BO traffic detected\r
+bool <strong>appid.log_stats</strong> = false: enable logging of appid statistics\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>105:2</strong> (back_orifice) BO client traffic detected\r
+int <strong>appid.app_stats_period</strong> = 300: time period for collecting and logging appid statistics { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>105:3</strong> (back_orifice) BO server traffic detected\r
+int <strong>appid.app_stats_rollover_size</strong> = 20971520: max file size for appid stats before rolling over the log file { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>105:4</strong> (back_orifice) BO Snort buffer attack\r
+int <strong>appid.app_stats_rollover_time</strong> = 86400: max time period for collection appid stats before rolling over the log file { 0: }\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>back_orifice.packets</strong>: total packets\r
+string <strong>appid.app_detector_dir</strong>: directory to load appid detectors from\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_binder">binder</h3>\r
-<div class="paragraph"><p>What: configure processing based on CIDRs, ports, services, etc.</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>binder[].when.policy_id</strong> = 0: unique ID for selection of this config by external logic { 0: }\r
+int <strong>appid.instance_id</strong> = 0: instance id - need more details for what this is { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bit_list <strong>binder[].when.ifaces</strong>: list of interface indices { 255 }\r
+bool <strong>appid.debug</strong> = false: enable appid debug logging\r
</p>\r
</li>\r
<li>\r
<p>\r
-bit_list <strong>binder[].when.vlans</strong>: list of VLAN IDs { 4095 }\r
+bool <strong>appid.dump_ports</strong> = false: enable dump of appid port information\r
</p>\r
</li>\r
<li>\r
<p>\r
-addr_list <strong>binder[].when.nets</strong>: list of networks\r
+string <strong>appid.thirdparty_appid_dir</strong>: directory to load thirdparty appid detectors from\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>binder[].when.proto</strong>: protocol { any | ip | icmp | tcp | udp | user | file }\r
+addr <strong>appid.session_log_filter.src_ip</strong> = 0.0.0.0/32: source ip address in CIDR format\r
</p>\r
</li>\r
<li>\r
<p>\r
-bit_list <strong>binder[].when.ports</strong>: list of ports { 65535 }\r
+addr <strong>appid.session_log_filter.dst_ip</strong> = 0.0.0.0/32: destination ip address in CIDR format\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>binder[].when.role</strong> = any: use the given configuration on one or any end of a session { client | server | any }\r
+port <strong>appid.session_log_filter.src_port</strong>: source port { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>binder[].when.service</strong>: override default configuration\r
+port <strong>appid.session_log_filter.dst_port</strong>: destination port { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>binder[].use.action</strong> = inspect: what to do with matching traffic { reset | block | allow | inspect }\r
+string <strong>appid.session_log_filter.protocol</strong>: ip protocol\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>binder[].use.file</strong>: use configuration in given file\r
+bool <strong>appid.session_log_filter.log_all_sessions</strong> = false: enable logging for all appid sessions\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>binder[].use.service</strong>: override automatic service identification\r
+<strong>appid.packets</strong>: count of packets received\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>binder[].use.type</strong>: select module for binding\r
+<strong>appid.processed packets</strong>: count of packets processed\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>binder[].use.name</strong>: symbol name (defaults to type)\r
+<strong>appid.ignored packets</strong>: count of packets ignored\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>binder.packets</strong>: initial bindings\r
+<strong>appid.aim clients</strong>: count of aim clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>binder.resets</strong>: reset bindings\r
+<strong>appid.battlefield flows</strong>: count of battle field flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>binder.blocks</strong>: block bindings\r
+<strong>appid.bgp flows</strong>: count of bgp flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>binder.allows</strong>: allow bindings\r
+<strong>appid.bit clients</strong>: count of bittorrent clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>binder.inspects</strong>: inspect bindings\r
+<strong>appid.bit flows</strong>: count of bittorrent flows discovered\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_dce_smb">dce_smb</h3>\r
-<div class="paragraph"><p>What: dce over smb inspection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>dce_smb.disable_defrag</strong> = false: Disable DCE/RPC defragmentation\r
+<strong>appid.bittracker clients</strong>: count of bittorrent tracker clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>dce_smb.max_frag_len</strong> = 65535: Maximum fragment size for defragmentation { 1514:65535 }\r
+<strong>appid.bootp flows</strong>: count of bootp flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>dce_smb.reassemble_threshold</strong> = 0: Minimum bytes received before performing reassembly { 0:65535 }\r
+<strong>appid.dcerpc tcp flows</strong>: count of dce rpc flows over tcp discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>dce_smb.smb_fingerprint_policy</strong> = none: Target based SMB policy to use { none | client | server | both }\r
+<strong>appid.dcerpc udp flows</strong>: count of dce rpc flows over udp discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>dce_smb.policy</strong> = WinXP: Target based policy to use { Win2000 | WinXP | WinVista | Win2003 | Win2008 | Win7 | Samba | Samba-3.0.37 | Samba-3.0.22 | Samba-3.0.20 }\r
+<strong>appid.direct connect flows</strong>: count of direct connect flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>dce_smb.smb_max_chain</strong> = 3: SMB max chain size { 0:255 }\r
+<strong>appid.dns tcp flows</strong>: count of dns flows over tcp discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>dce_smb.smb_max_compound</strong> = 3: SMB max compound size { 0:255 }\r
+<strong>appid.dns udp flows</strong>: count of dns flows over udp discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-multi <strong>dce_smb.valid_smb_versions</strong> = all: Valid SMB versions { v1 | v2 | all }\r
+<strong>appid.ftp flows</strong>: count of ftp flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>dce_smb.smb_file_inspection</strong> = off: SMB file inspection { off | on | only }\r
+<strong>appid.ftps flows</strong>: count of ftps flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>dce_smb.smb_file_depth</strong> = 16384: SMB file depth for file data { -1: }\r
+<strong>appid.http flows</strong>: count of http flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>dce_smb.smb_invalid_shares</strong>: SMB shares to alert on\r
+<strong>appid.imap flows</strong>: count of imap service flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>dce_smb.smb_legacy_mode</strong> = false: inspect only SMBv1\r
+<strong>appid.imaps flows</strong>: count of imap TLS service flows discovered\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.irc flows</strong>: count of irc service flows discovered\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>133:2</strong> (dce_smb) SMB - Bad NetBIOS Session Service session type.\r
+<strong>appid.kerberos clients</strong>: count of kerberos clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:3</strong> (dce_smb) SMB - Bad SMB message type.\r
+<strong>appid.kerberos flows</strong>: count of kerberos service flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:4</strong> (dce_smb) SMB - Bad SMB Id (not \xffSMB for SMB1 or not \xfeSMB for SMB2).\r
+<strong>appid.kerberos users</strong>: count of kerberos users discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:5</strong> (dce_smb) SMB - Bad word count or structure size.\r
+<strong>appid.lpr flows</strong>: count of lpr service flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:6</strong> (dce_smb) SMB - Bad byte count.\r
+<strong>appid.mdns flows</strong>: count of mdns service flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:7</strong> (dce_smb) SMB - Bad format type.\r
+<strong>appid.msn clients</strong>: count of msn clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:8</strong> (dce_smb) SMB - Bad offset.\r
+<strong>appid.mysql flows</strong>: count of mysql service flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:9</strong> (dce_smb) SMB - Zero total data count.\r
+<strong>appid.netbios dgm flows</strong>: count of netbios-dgm service flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:10</strong> (dce_smb) SMB - NetBIOS data length less than SMB header length.\r
+<strong>appid.netbios ns flows</strong>: count of netbios-ns service flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:12</strong> (dce_smb) SMB - Remaining NetBIOS data length less than command byte count.\r
+<strong>appid.netbios ssn flows</strong>: count of netbios-ssn service flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:13</strong> (dce_smb) SMB - Remaining NetBIOS data length less than command data size.\r
+<strong>appid.nntp flows</strong>: count of nntp flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:14</strong> (dce_smb) SMB - Remaining total data count less than this command data size.\r
+<strong>appid.ntp flows</strong>: count of ntp flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:15</strong> (dce_smb) SMB - Total data sent (STDu64) greater than command total data expected.\r
+<strong>appid.pop flows</strong>: count of pop service flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:16</strong> (dce_smb) SMB - Byte count less than command data size (STDu64)\r
+<strong>appid.radius flows</strong>: count of radius flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:17</strong> (dce_smb) SMB - Invalid command data size for byte count.\r
+<strong>appid.rexec flows</strong>: count of rexec flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:18</strong> (dce_smb) SMB - Excessive Tree Connect requests with pending Tree Connect responses.\r
+<strong>appid.rfb flows</strong>: count of rfb flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:19</strong> (dce_smb) SMB - Excessive Read requests with pending Read responses.\r
+<strong>appid.rlogin flows</strong>: count of rlogin flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:20</strong> (dce_smb) SMB - Excessive command chaining.\r
+<strong>appid.rpc flows</strong>: count of rpc flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:21</strong> (dce_smb) SMB - Multiple chained tree connect requests.\r
+<strong>appid.rshell flows</strong>: count of rshell flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:22</strong> (dce_smb) SMB - Multiple chained tree connect requests.\r
+<strong>appid.rsync flows</strong>: count of rsync service flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:23</strong> (dce_smb) SMB - Chained/Compounded login followed by logoff.\r
+<strong>appid.rtmp flows</strong>: count of rtmp flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:24</strong> (dce_smb) SMB - Chained/Compounded tree connect followed by tree disconnect.\r
+<strong>appid.rtp clients</strong>: count of rtp clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:25</strong> (dce_smb) SMB - Chained/Compounded open pipe followed by close pipe.\r
+<strong>appid.sip clients</strong>: count of SIP clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:26</strong> (dce_smb) SMB - Invalid share access.\r
+<strong>appid.sip flows</strong>: count of SIP flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:27</strong> (dce_smb) Connection oriented DCE/RPC - Invalid major version.\r
+<strong>appid.smtp aol clients</strong>: count of AOL smtp clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:28</strong> (dce_smb) Connection oriented DCE/RPC - Invalid minor version.\r
+<strong>appid.smtp applemail clients</strong>: count of Apple Mail smtp clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:29</strong> (dce_smb) Connection-oriented DCE/RPC - Invalid pdu type.\r
+<strong>appid.smtp eudora clients</strong>: count of Eudora smtp clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:30</strong> (dce_smb) Connection-oriented DCE/RPC - Fragment length less than header size.\r
+<strong>appid.smtp eudora pro clients</strong>: count of Eudora Pro smtp clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:32</strong> (dce_smb) Connection-oriented DCE/RPC - No context items specified.\r
+<strong>appid.smtp evolution clients</strong>: count of Evolution smtp clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:33</strong> (dce_smb) Connection-oriented DCE/RPC -No transfer syntaxes specified.\r
+<strong>appid.smtp kmail clients</strong>: count of KMail smtp clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:34</strong> (dce_smb) Connection-oriented DCE/RPC - Fragment length on non-last fragment less than maximum negotiated fragment transmit size for client.\r
+<strong>appid.smtp lotus notes clients</strong>: count of Lotus Notes smtp clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:35</strong> (dce_smb) Connection-oriented DCE/RPC - Fragment length greater than maximum negotiated fragment transmit size.\r
+<strong>appid.smtp microsoft outlook clients</strong>: count of Microsoft Outlook smtp clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:36</strong> (dce_smb) Connection-oriented DCE/RPC - Alter Context byte order different from Bind\r
+<strong>appid.smtp microsoft outlook express clients</strong>: count of Microsoft Outlook Express smtp clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:37</strong> (dce_smb) Connection-oriented DCE/RPC - Call id of non first/last fragment different from call id established for fragmented request.\r
+<strong>appid.smtp microsoft outlook imo clients</strong>: count of Microsoft Outlook IMO smtp clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:38</strong> (dce_smb) Connection-oriented DCE/RPC - Opnum of non first/last fragment different from opnum established for fragmented request.\r
+<strong>appid.smtp mutt clients</strong>: count of Mutt smtp clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:39</strong> (dce_smb) Connection-oriented DCE/RPC - Context id of non first/last fragment different from context id established for fragmented request.\r
+<strong>appid.smtp thunderbird clients</strong>: count of Thunderbird smtp clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:44</strong> (dce_smb) SMB - Invalid SMB version 1 seen.\r
+<strong>appid.smtp flows</strong>: count of smtp flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:45</strong> (dce_smb) SMB - Invalid SMB version 2 seen.\r
+<strong>appid.smtps flows</strong>: count of smtps flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:46</strong> (dce_smb) SMB - Invalid user, tree connect, file binding.\r
+<strong>appid.snmp flows</strong>: count of snmp flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:47</strong> (dce_smb) SMB - Excessive command compounding.\r
+<strong>appid.ssh clients</strong>: count of ssh clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:48</strong> (dce_smb) SMB - Zero data count.\r
+<strong>appid.ssh flows</strong>: count of ssh flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:50</strong> (dce_smb) SMB - Maximum number of outstanding requests exceeded.\r
+<strong>appid.ssl flows</strong>: count of ssl flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:51</strong> (dce_smb) SMB - Outstanding requests with same MID.\r
+<strong>appid.telnet flows</strong>: count of telnet flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:52</strong> (dce_smb) SMB - Deprecated dialect negotiated.\r
+<strong>appid.tftp flows</strong>: count of tftp flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:53</strong> (dce_smb) SMB - Deprecated command used.\r
+<strong>appid.timbuktu flows</strong>: count of timbuktu flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:54</strong> (dce_smb) SMB - Unusual command used.\r
+<strong>appid.tns clients</strong>: count of tns clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:55</strong> (dce_smb) SMB - Invalid setup count for command.\r
+<strong>appid.tns flows</strong>: count of tns flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:56</strong> (dce_smb) SMB - Client attempted multiple dialect negotiations on session.\r
+<strong>appid.vnc clients</strong>: count of vnc clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:57</strong> (dce_smb) SMB - Client attempted to create or set a file’s attributes to readonly/hidden/system.\r
+<strong>appid.yahoo messenger clients</strong>: count of Yahoo Messenger clients discovered\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_arp_spoof">arp_spoof</h3>\r
+<div class="paragraph"><p>What: detect ARP attacks and anomalies</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>133:58</strong> (dce_smb) SMB - File offset provided is greater than file size specified\r
+ip4 <strong>arp_spoof.hosts[].ip</strong>: host ip address\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:59</strong> (dce_smb) SMB - Next command specified in SMB2 header is beyond payload boundary\r
+mac <strong>arp_spoof.hosts[].mac</strong>: host mac address\r
</p>\r
</li>\r
</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>dce_smb.events</strong>: total events\r
+<strong>112:1</strong> (arp_spoof) unicast ARP request\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.aborted sessions</strong>: total aborted sessions\r
+<strong>112:2</strong> (arp_spoof) ethernet/ARP mismatch request for source\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.bad autodetects</strong>: total bad autodetects\r
+<strong>112:3</strong> (arp_spoof) ethernet/ARP mismatch request for destination\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.PDUs</strong>: total connection-oriented PDUs\r
+<strong>112:4</strong> (arp_spoof) attempted ARP cache overwrite attack\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>dce_smb.Binds</strong>: total connection-oriented binds\r
+<strong>arp_spoof.packets</strong>: total packets\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_back_orifice">back_orifice</h3>\r
+<div class="paragraph"><p>What: back orifice detection</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>dce_smb.Bind acks</strong>: total connection-oriented binds acks\r
+<strong>105:1</strong> (back_orifice) BO traffic detected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Alter contexts</strong>: total connection-oriented alter contexts\r
+<strong>105:2</strong> (back_orifice) BO client traffic detected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Alter context responses</strong>: total connection-oriented alter context responses\r
+<strong>105:3</strong> (back_orifice) BO server traffic detected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Bind naks</strong>: total connection-oriented bind naks\r
+<strong>105:4</strong> (back_orifice) BO Snort buffer attack\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>dce_smb.Requests</strong>: total connection-oriented requests\r
+<strong>back_orifice.packets</strong>: total packets\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_binder_2">binder</h3>\r
+<div class="paragraph"><p>What: configure processing based on CIDRs, ports, services, etc.</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>dce_smb.Responses</strong>: total connection-oriented responses\r
+int <strong>binder[].when.policy_id</strong> = 0: unique ID for selection of this config by external logic { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Cancels</strong>: total connection-oriented cancels\r
+bit_list <strong>binder[].when.ifaces</strong>: list of interface indices { 255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Orphaned</strong>: total connection-oriented orphaned\r
+bit_list <strong>binder[].when.vlans</strong>: list of VLAN IDs { 4095 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Faults</strong>: total connection-oriented faults\r
+addr_list <strong>binder[].when.nets</strong>: list of networks\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Auth3s</strong>: total connection-oriented auth3s\r
+enum <strong>binder[].when.proto</strong>: protocol { any | ip | icmp | tcp | udp | user | file }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Shutdowns</strong>: total connection-oriented shutdowns\r
+bit_list <strong>binder[].when.ports</strong>: list of ports { 65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Rejects</strong>: total connection-oriented rejects\r
+enum <strong>binder[].when.role</strong> = any: use the given configuration on one or any end of a session { client | server | any }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.MS RPC/HTTP PDUs</strong>: total connection-oriented MS requests to send RPC over HTTP\r
+string <strong>binder[].when.service</strong>: override default configuration\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Other requests</strong>: total connection-oriented other requests\r
+enum <strong>binder[].use.action</strong> = inspect: what to do with matching traffic { reset | block | allow | inspect }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Other responses</strong>: total connection-oriented other responses\r
+string <strong>binder[].use.file</strong>: use configuration in given file\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Request fragments</strong>: total connection-oriented request fragments\r
+string <strong>binder[].use.service</strong>: override automatic service identification\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Response fragments</strong>: total connection-oriented response fragments\r
+string <strong>binder[].use.type</strong>: select module for binding\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Client max fragment size</strong>: connection-oriented client maximum fragment size\r
+string <strong>binder[].use.name</strong>: symbol name (defaults to type)\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>dce_smb.Client min fragment size</strong>: connection-oriented client minimum fragment size\r
+<strong>binder.packets</strong>: initial bindings\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Client segs reassembled</strong>: total connection-oriented client segments reassembled\r
+<strong>binder.resets</strong>: reset bindings\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Client frags reassembled</strong>: total connection-oriented client fragments reassembled\r
+<strong>binder.blocks</strong>: block bindings\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Server max fragment size</strong>: connection-oriented server maximum fragment size\r
+<strong>binder.allows</strong>: allow bindings\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Server min fragment size</strong>: connection-oriented server minimum fragment size\r
+<strong>binder.inspects</strong>: inspect bindings\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_dce_smb">dce_smb</h3>\r
+<div class="paragraph"><p>What: dce over smb inspection</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>dce_smb.Server segs reassembled</strong>: total connection-oriented server segments reassembled\r
+bool <strong>dce_smb.disable_defrag</strong> = false: Disable DCE/RPC defragmentation\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Server frags reassembled</strong>: total connection-oriented server fragments reassembled\r
+int <strong>dce_smb.max_frag_len</strong> = 65535: Maximum fragment size for defragmentation { 1514:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Sessions</strong>: total smb sessions\r
+int <strong>dce_smb.reassemble_threshold</strong> = 0: Minimum bytes received before performing reassembly { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Packets</strong>: total smb packets\r
+enum <strong>dce_smb.smb_fingerprint_policy</strong> = none: Target based SMB policy to use { none | client | server | both }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Ignored bytes</strong>: total ignored bytes\r
+enum <strong>dce_smb.policy</strong> = WinXP: Target based policy to use { Win2000 | WinXP | WinVista | Win2003 | Win2008 | Win7 | Samba | Samba-3.0.37 | Samba-3.0.22 | Samba-3.0.20 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Client segs reassembled</strong>: total smb client segments reassembled\r
+int <strong>dce_smb.smb_max_chain</strong> = 3: SMB max chain size { 0:255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Server segs reassembled</strong>: total smb server segments reassembled\r
+int <strong>dce_smb.smb_max_compound</strong> = 3: SMB max compound size { 0:255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Max outstanding requests</strong>: total smb maximum outstanding requests\r
+multi <strong>dce_smb.valid_smb_versions</strong> = all: Valid SMB versions { v1 | v2 | all }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Files processed</strong>: total smb files processed\r
+enum <strong>dce_smb.smb_file_inspection</strong> = off: SMB file inspection { off | on | only }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.SMBv2 create</strong>: total number of SMBv2 create packets seen\r
+int <strong>dce_smb.smb_file_depth</strong> = 16384: SMB file depth for file data { -1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.SMBv2 write</strong>: total number of SMBv2 write packets seen\r
+string <strong>dce_smb.smb_invalid_shares</strong>: SMB shares to alert on\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.SMBv2 read</strong>: total number of SMBv2 read packets seen\r
+bool <strong>dce_smb.smb_legacy_mode</strong> = false: inspect only SMBv1\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>dce_smb.SMBv2 set info</strong>: total number of SMBv2 set info packets seen\r
+<strong>133:2</strong> (dce_smb) SMB - bad NetBIOS session service session type\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.SMBv2 tree connect</strong>: total number of SMBv2 tree connect packets seen\r
+<strong>133:3</strong> (dce_smb) SMB - bad SMB message type\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.SMBv2 tree disconnect</strong>: total number of SMBv2 tree disconnect packets seen\r
+<strong>133:4</strong> (dce_smb) SMB - bad SMB Id (not \xffSMB for SMB1 or not \xfeSMB for SMB2)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.SMBv2 close</strong>: total number of SMBv2 close packets seen\r
+<strong>133:5</strong> (dce_smb) SMB - bad word count or structure size\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_dce_tcp">dce_tcp</h3>\r
-<div class="paragraph"><p>What: dce over tcp inspection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>dce_tcp.disable_defrag</strong> = false: Disable DCE/RPC defragmentation\r
+<strong>133:6</strong> (dce_smb) SMB - bad byte count\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>dce_tcp.max_frag_len</strong> = 65535: Maximum fragment size for defragmentation { 1514:65535 }\r
+<strong>133:7</strong> (dce_smb) SMB - bad format type\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>dce_tcp.reassemble_threshold</strong> = 0: Minimum bytes received before performing reassembly { 0:65535 }\r
+<strong>133:8</strong> (dce_smb) SMB - bad offset\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>dce_tcp.policy</strong> = WinXP: Target based policy to use { Win2000 | WinXP | WinVista | Win2003 | Win2008 | Win7 | Samba | Samba-3.0.37 | Samba-3.0.22 | Samba-3.0.20 }\r
+<strong>133:9</strong> (dce_smb) SMB - zero total data count\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>133:27</strong> (dce_tcp) Connection oriented DCE/RPC - Invalid major version.\r
+<strong>133:10</strong> (dce_smb) SMB - NetBIOS data length less than SMB header length\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:28</strong> (dce_tcp) Connection oriented DCE/RPC - Invalid minor version.\r
+<strong>133:12</strong> (dce_smb) SMB - remaining NetBIOS data length less than command byte count\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:29</strong> (dce_tcp) Connection-oriented DCE/RPC - Invalid pdu type.\r
+<strong>133:13</strong> (dce_smb) SMB - remaining NetBIOS data length less than command data size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:30</strong> (dce_tcp) Connection-oriented DCE/RPC - Fragment length less than header size.\r
+<strong>133:14</strong> (dce_smb) SMB - remaining total data count less than this command data size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:32</strong> (dce_tcp) Connection-oriented DCE/RPC - No context items specified.\r
+<strong>133:15</strong> (dce_smb) SMB - total data sent (STDu64) greater than command total data expected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:33</strong> (dce_tcp) Connection-oriented DCE/RPC -No transfer syntaxes specified.\r
+<strong>133:16</strong> (dce_smb) SMB - byte count less than command data size (STDu64)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:34</strong> (dce_tcp) Connection-oriented DCE/RPC - Fragment length on non-last fragment less than maximum negotiated fragment transmit size for client.\r
+<strong>133:17</strong> (dce_smb) SMB - invalid command data size for byte count\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:35</strong> (dce_tcp) Connection-oriented DCE/RPC - Fragment length greater than maximum negotiated fragment transmit size.\r
+<strong>133:18</strong> (dce_smb) SMB - excessive tree connect requests with pending tree connect responses\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:36</strong> (dce_tcp) Connection-oriented DCE/RPC - Alter Context byte order different from Bind\r
+<strong>133:19</strong> (dce_smb) SMB - excessive read requests with pending read responses\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:37</strong> (dce_tcp) Connection-oriented DCE/RPC - Call id of non first/last fragment different from call id established for fragmented request.\r
+<strong>133:20</strong> (dce_smb) SMB - excessive command chaining\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:38</strong> (dce_tcp) Connection-oriented DCE/RPC - Opnum of non first/last fragment different from opnum established for fragmented request.\r
+<strong>133:21</strong> (dce_smb) SMB - multiple chained tree connect requests\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:39</strong> (dce_tcp) Connection-oriented DCE/RPC - Context id of non first/last fragment different from context id established for fragmented request.\r
+<strong>133:22</strong> (dce_smb) SMB - multiple chained tree connect requests\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>dce_tcp.events</strong>: total events\r
+<strong>133:23</strong> (dce_smb) SMB - chained/compounded login followed by logoff\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.aborted sessions</strong>: total aborted sessions\r
+<strong>133:24</strong> (dce_smb) SMB - chained/compounded tree connect followed by tree disconnect\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.bad autodetects</strong>: total bad autodetects\r
+<strong>133:25</strong> (dce_smb) SMB - chained/compounded open pipe followed by close pipe\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.PDUs</strong>: total connection-oriented PDUs\r
+<strong>133:26</strong> (dce_smb) SMB - invalid share access\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Binds</strong>: total connection-oriented binds\r
+<strong>133:27</strong> (dce_smb) connection oriented DCE/RPC - invalid major version\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Bind acks</strong>: total connection-oriented binds acks\r
+<strong>133:28</strong> (dce_smb) connection oriented DCE/RPC - invalid minor version\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Alter contexts</strong>: total connection-oriented alter contexts\r
+<strong>133:29</strong> (dce_smb) connection-oriented DCE/RPC - invalid PDU type\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Alter context responses</strong>: total connection-oriented alter context responses\r
+<strong>133:30</strong> (dce_smb) connection-oriented DCE/RPC - fragment length less than header size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Bind naks</strong>: total connection-oriented bind naks\r
+<strong>133:32</strong> (dce_smb) connection-oriented DCE/RPC - no context items specified\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Requests</strong>: total connection-oriented requests\r
+<strong>133:33</strong> (dce_smb) connection-oriented DCE/RPC -no transfer syntaxes specified\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Responses</strong>: total connection-oriented responses\r
+<strong>133:34</strong> (dce_smb) connection-oriented DCE/RPC - fragment length on non-last fragment less than maximum negotiated fragment transmit size for client\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Cancels</strong>: total connection-oriented cancels\r
+<strong>133:35</strong> (dce_smb) connection-oriented DCE/RPC - fragment length greater than maximum negotiated fragment transmit size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Orphaned</strong>: total connection-oriented orphaned\r
+<strong>133:36</strong> (dce_smb) connection-oriented DCE/RPC - alter context byte order different from bind\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Faults</strong>: total connection-oriented faults\r
+<strong>133:37</strong> (dce_smb) connection-oriented DCE/RPC - call id of non first/last fragment different from call id established for fragmented request\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Auth3s</strong>: total connection-oriented auth3s\r
+<strong>133:38</strong> (dce_smb) connection-oriented DCE/RPC - opnum of non first/last fragment different from opnum established for fragmented request\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Shutdowns</strong>: total connection-oriented shutdowns\r
+<strong>133:39</strong> (dce_smb) connection-oriented DCE/RPC - context id of non first/last fragment different from context id established for fragmented request\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Rejects</strong>: total connection-oriented rejects\r
+<strong>133:44</strong> (dce_smb) SMB - invalid SMB version 1 seen\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.MS RPC/HTTP PDUs</strong>: total connection-oriented MS requests to send RPC over HTTP\r
+<strong>133:45</strong> (dce_smb) SMB - invalid SMB version 2 seen\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Other requests</strong>: total connection-oriented other requests\r
+<strong>133:46</strong> (dce_smb) SMB - invalid user, tree connect, file binding\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Other responses</strong>: total connection-oriented other responses\r
+<strong>133:47</strong> (dce_smb) SMB - excessive command compounding\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Request fragments</strong>: total connection-oriented request fragments\r
+<strong>133:48</strong> (dce_smb) SMB - zero data count\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Response fragments</strong>: total connection-oriented response fragments\r
+<strong>133:50</strong> (dce_smb) SMB - maximum number of outstanding requests exceeded\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Client max fragment size</strong>: connection-oriented client maximum fragment size\r
+<strong>133:51</strong> (dce_smb) SMB - outstanding requests with same MID\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Client min fragment size</strong>: connection-oriented client minimum fragment size\r
+<strong>133:52</strong> (dce_smb) SMB - deprecated dialect negotiated\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Client segs reassembled</strong>: total connection-oriented client segments reassembled\r
+<strong>133:53</strong> (dce_smb) SMB - deprecated command used\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Client frags reassembled</strong>: total connection-oriented client fragments reassembled\r
+<strong>133:54</strong> (dce_smb) SMB - unusual command used\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Server max fragment size</strong>: connection-oriented server maximum fragment size\r
+<strong>133:55</strong> (dce_smb) SMB - invalid setup count for command\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Server min fragment size</strong>: connection-oriented server minimum fragment size\r
+<strong>133:56</strong> (dce_smb) SMB - client attempted multiple dialect negotiations on session\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Server segs reassembled</strong>: total connection-oriented server segments reassembled\r
+<strong>133:57</strong> (dce_smb) SMB - client attempted to create or set a file’s attributes to readonly/hidden/system\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Server frags reassembled</strong>: total connection-oriented server fragments reassembled\r
+<strong>133:58</strong> (dce_smb) SMB - file offset provided is greater than file size specified\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.tcp sessions</strong>: total tcp sessions\r
+<strong>133:59</strong> (dce_smb) SMB - next command specified in SMB2 header is beyond payload boundary\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>dce_tcp.tcp packets</strong>: total tcp packets\r
+<strong>dce_smb.events</strong>: total events\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_dce_udp">dce_udp</h3>\r
-<div class="paragraph"><p>What: dce over udp inspection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>dce_udp.disable_defrag</strong> = false: Disable DCE/RPC defragmentation\r
+<strong>dce_smb.PDUs</strong>: total connection-oriented PDUs\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>dce_udp.max_frag_len</strong> = 65535: Maximum fragment size for defragmentation { 1514:65535 }\r
+<strong>dce_smb.Binds</strong>: total connection-oriented binds\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>133:40</strong> (dce_udp) Connection-less DCE/RPC - Invalid major version.\r
+<strong>dce_smb.Bind acks</strong>: total connection-oriented binds acks\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:41</strong> (dce_udp) Connection-less DCE/RPC - Invalid pdu type.\r
+<strong>dce_smb.Alter contexts</strong>: total connection-oriented alter contexts\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:42</strong> (dce_udp) Connection-less DCE/RPC - Data length less than header size.\r
+<strong>dce_smb.Alter context responses</strong>: total connection-oriented alter context responses\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:43</strong> (dce_udp) Connection-less DCE/RPC - Bad sequence number.\r
+<strong>dce_smb.Bind naks</strong>: total connection-oriented bind naks\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>dce_udp.events</strong>: total events\r
+<strong>dce_smb.Requests</strong>: total connection-oriented requests\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.aborted sessions</strong>: total aborted sessions\r
+<strong>dce_smb.Responses</strong>: total connection-oriented responses\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.bad autodetects</strong>: total bad autodetects\r
+<strong>dce_smb.Cancels</strong>: total connection-oriented cancels\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.udp sessions</strong>: total udp sessions\r
+<strong>dce_smb.Orphaned</strong>: total connection-oriented orphaned\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.udp packets</strong>: total udp packets\r
+<strong>dce_smb.Faults</strong>: total connection-oriented faults\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.Requests</strong>: total connection-less requests\r
+<strong>dce_smb.Auth3s</strong>: total connection-oriented auth3s\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.Acks</strong>: total connection-less acks\r
+<strong>dce_smb.Shutdowns</strong>: total connection-oriented shutdowns\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.Cancels</strong>: total connection-less cancels\r
+<strong>dce_smb.Rejects</strong>: total connection-oriented rejects\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.Client facks</strong>: total connection-less client facks\r
+<strong>dce_smb.MS RPC/HTTP PDUs</strong>: total connection-oriented MS requests to send RPC over HTTP\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.Ping</strong>: total connection-less ping\r
+<strong>dce_smb.Other requests</strong>: total connection-oriented other requests\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.Responses</strong>: total connection-less responses\r
+<strong>dce_smb.Other responses</strong>: total connection-oriented other responses\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.Rejects</strong>: total connection-less rejects\r
+<strong>dce_smb.Request fragments</strong>: total connection-oriented request fragments\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.Cancel acks</strong>: total connection-less cancel acks\r
+<strong>dce_smb.Response fragments</strong>: total connection-oriented response fragments\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.Server facks</strong>: total connection-less server facks\r
+<strong>dce_smb.Client max fragment size</strong>: connection-oriented client maximum fragment size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.Faults</strong>: total connection-less faults\r
+<strong>dce_smb.Client min fragment size</strong>: connection-oriented client minimum fragment size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.No calls</strong>: total connection-less no calls\r
+<strong>dce_smb.Client segs reassembled</strong>: total connection-oriented client segments reassembled\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.Working</strong>: total connection-less working\r
+<strong>dce_smb.Client frags reassembled</strong>: total connection-oriented client fragments reassembled\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.Other requests</strong>: total connection-less other requests\r
+<strong>dce_smb.Server max fragment size</strong>: connection-oriented server maximum fragment size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.Other responses</strong>: total connection-less other responses\r
+<strong>dce_smb.Server min fragment size</strong>: connection-oriented server minimum fragment size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.Fragments</strong>: total connection-less fragments\r
+<strong>dce_smb.Server segs reassembled</strong>: total connection-oriented server segments reassembled\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.Max fragment size</strong>: connection-less maximum fragment size\r
+<strong>dce_smb.Server frags reassembled</strong>: total connection-oriented server fragments reassembled\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.Frags reassembled</strong>: total connection-less fragments reassembled\r
+<strong>dce_smb.Sessions</strong>: total smb sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.Max seqnum</strong>: max connection-less seqnum\r
+<strong>dce_smb.Packets</strong>: total smb packets\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_dnp3">dnp3</h3>\r
-<div class="paragraph"><p>What: dnp3 inspection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>dnp3.check_crc</strong> = false: validate checksums in DNP3 link layer frames\r
+<strong>dce_smb.Ignored bytes</strong>: total ignored bytes\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>145:1</strong> (dnp3) DNP3 Link-Layer Frame contains bad CRC.\r
+<strong>dce_smb.Client segs reassembled</strong>: total smb client segments reassembled\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:2</strong> (dnp3) DNP3 Link-Layer Frame was dropped.\r
+<strong>dce_smb.Server segs reassembled</strong>: total smb server segments reassembled\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:3</strong> (dnp3) DNP3 Transport-Layer Segment was dropped during reassembly.\r
+<strong>dce_smb.Max outstanding requests</strong>: total smb maximum outstanding requests\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:4</strong> (dnp3) DNP3 Reassembly Buffer was cleared without reassembling a complete message.\r
+<strong>dce_smb.Files processed</strong>: total smb files processed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:5</strong> (dnp3) DNP3 Link-Layer Frame uses a reserved address.\r
+<strong>dce_smb.SMBv2 create</strong>: total number of SMBv2 create packets seen\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:6</strong> (dnp3) DNP3 Application-Layer Fragment uses a reserved function code.\r
+<strong>dce_smb.SMBv2 write</strong>: total number of SMBv2 write packets seen\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>dnp3.total packets</strong>: total packets\r
+<strong>dce_smb.SMBv2 read</strong>: total number of SMBv2 read packets seen\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dnp3.udp packets</strong>: total udp packets\r
+<strong>dce_smb.SMBv2 set info</strong>: total number of SMBv2 set info packets seen\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dnp3.tcp pdus</strong>: total tcp pdus\r
+<strong>dce_smb.SMBv2 tree connect</strong>: total number of SMBv2 tree connect packets seen\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dnp3.dnp3 link layer frames</strong>: total dnp3 link layer frames\r
+<strong>dce_smb.SMBv2 tree disconnect</strong>: total number of SMBv2 tree disconnect packets seen\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dnp3.dnp3 application pdus</strong>: total dnp3 application pdus\r
+<strong>dce_smb.SMBv2 close</strong>: total number of SMBv2 close packets seen\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
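Review bot: the rule messages for 133:21 and 133:22 in the dce_smb Rules list are identical ("SMB - multiple chained tree connect requests"), so a reader of the manual cannot tell the two events apart; please confirm whether 133:22 is a copy-paste of 133:21 and give it the message for the condition it actually fires on. Two smaller text points in the same list: 133:33 reads "DCE/RPC -no transfer syntaxes specified" (missing space after the dash), and 133:27/133:28 use "connection oriented" while 133:29 onward use "connection-oriented"; since these strings come from the module help text they should be fixed at the source rather than in the generated HTML. In the dce_smb Peg counts, "dce_smb.Bind acks: total connection-oriented binds acks" should read "bind acks". In the binder section, the help text for binder[].when.service ("override default configuration") describes an action, but it sits under when, which is a match criterion; wording such as "match on the identified service" would distinguish it from binder[].use.service, which is the actual override.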
<div class="sect2">\r
-<h3 id="_dns">dns</h3>\r
-<div class="paragraph"><p>What: dns inspection</p></div>\r
+<h3 id="_dce_tcp">dce_tcp</h3>\r
+<div class="paragraph"><p>What: dce over tcp inspection</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>131:1</strong> (dns) Obsolete DNS RR Types\r
+bool <strong>dce_tcp.disable_defrag</strong> = false: Disable DCE/RPC defragmentation\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>131:2</strong> (dns) Experimental DNS RR Types\r
+int <strong>dce_tcp.max_frag_len</strong> = 65535: Maximum fragment size for defragmentation { 1514:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>131:3</strong> (dns) DNS Client rdata txt Overflow\r
+int <strong>dce_tcp.reassemble_threshold</strong> = 0: Minimum bytes received before performing reassembly { 0:65535 }\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>dns.packets</strong>: total packets processed\r
+enum <strong>dce_tcp.policy</strong> = WinXP: Target based policy to use { Win2000 | WinXP | WinVista | Win2003 | Win2008 | Win7 | Samba | Samba-3.0.37 | Samba-3.0.22 | Samba-3.0.20 }\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>dns.requests</strong>: total dns requests\r
+<strong>133:27</strong> (dce_tcp) connection oriented DCE/RPC - invalid major version\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dns.responses</strong>: total dns responses\r
+<strong>133:28</strong> (dce_tcp) connection oriented DCE/RPC - invalid minor version\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_file_log">file_log</h3>\r
-<div class="paragraph"><p>What: log file event to file.log</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>file_log.log_pkt_time</strong> = true: log the packet time when event generated\r
+<strong>133:29</strong> (dce_tcp) connection-oriented DCE/RPC - invalid PDU type\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>file_log.log_sys_time</strong> = false: log the system time when event generated\r
+<strong>133:30</strong> (dce_tcp) connection-oriented DCE/RPC - fragment length less than header size\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>file_log.total events</strong>: total file events\r
+<strong>133:32</strong> (dce_tcp) connection-oriented DCE/RPC - no context items specified\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_ftp_client">ftp_client</h3>\r
-<div class="paragraph"><p>What: FTP client configuration module for use with ftp_server</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>ftp_client.bounce</strong> = false: check for bounces\r
+<strong>133:33</strong> (dce_tcp) connection-oriented DCE/RPC -no transfer syntaxes specified\r
</p>\r
</li>\r
<li>\r
<p>\r
-addr <strong>ftp_client.bounce_to[].address</strong> = 1.0.0.0/32: allowed ip address in CIDR format\r
+<strong>133:34</strong> (dce_tcp) connection-oriented DCE/RPC - fragment length on non-last fragment less than maximum negotiated fragment transmit size for client\r
</p>\r
</li>\r
<li>\r
<p>\r
-port <strong>ftp_client.bounce_to[].port</strong> = 20: allowed port { 1: }\r
+<strong>133:35</strong> (dce_tcp) connection-oriented DCE/RPC - fragment length greater than maximum negotiated fragment transmit size\r
</p>\r
</li>\r
<li>\r
<p>\r
-port <strong>ftp_client.bounce_to[].last_port</strong>: optional allowed range from port to last_port inclusive { 0: }\r
+<strong>133:36</strong> (dce_tcp) connection-oriented DCE/RPC - alter context byte order different from bind\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>ftp_client.ignore_telnet_erase_cmds</strong> = false: ignore erase character and erase line commands when normalizing\r
+<strong>133:37</strong> (dce_tcp) connection-oriented DCE/RPC - call id of non first/last fragment different from call id established for fragmented request\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>ftp_client.max_resp_len</strong> = -1: maximum ftp response accepted by client { -1: }\r
+<strong>133:38</strong> (dce_tcp) connection-oriented DCE/RPC - opnum of non first/last fragment different from opnum established for fragmented request\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>ftp_client.telnet_cmds</strong> = false: detect telnet escape sequences on ftp control channel\r
+<strong>133:39</strong> (dce_tcp) connection-oriented DCE/RPC - context id of non first/last fragment different from context id established for fragmented request\r
</p>\r
</li>\r
</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_ftp_data">ftp_data</h3>\r
-<div class="paragraph"><p>What: FTP data channel handler</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>ftp_data.packets</strong>: total packets\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_ftp_server">ftp_server</h3>\r
-<div class="paragraph"><p>What: main FTP module; ftp_client should also be configured</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>ftp_server.chk_str_fmt</strong>: check the formatting of the given commands\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>ftp_server.data_chan_cmds</strong>: check the formatting of the given commands\r
+<strong>dce_tcp.events</strong>: total events\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>ftp_server.data_rest_cmds</strong>: check the formatting of the given commands\r
+<strong>dce_tcp.PDUs</strong>: total connection-oriented PDUs\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>ftp_server.data_xfer_cmds</strong>: check the formatting of the given commands\r
+<strong>dce_tcp.Binds</strong>: total connection-oriented binds\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>ftp_server.directory_cmds[].dir_cmd</strong>: directory command\r
+<strong>dce_tcp.Bind acks</strong>: total connection-oriented binds acks\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>ftp_server.directory_cmds[].rsp_code</strong> = 200: expected successful response code for command { 200: }\r
+<strong>dce_tcp.Alter contexts</strong>: total connection-oriented alter contexts\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>ftp_server.file_put_cmds</strong>: check the formatting of the given commands\r
+<strong>dce_tcp.Alter context responses</strong>: total connection-oriented alter context responses\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>ftp_server.file_get_cmds</strong>: check the formatting of the given commands\r
+<strong>dce_tcp.Bind naks</strong>: total connection-oriented bind naks\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>ftp_server.encr_cmds</strong>: check the formatting of the given commands\r
+<strong>dce_tcp.Requests</strong>: total connection-oriented requests\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>ftp_server.login_cmds</strong>: check the formatting of the given commands\r
+<strong>dce_tcp.Responses</strong>: total connection-oriented responses\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>ftp_server.check_encrypted</strong> = false: check for end of encryption\r
+<strong>dce_tcp.Cancels</strong>: total connection-oriented cancels\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>ftp_server.cmd_validity[].command</strong>: command string\r
+<strong>dce_tcp.Orphaned</strong>: total connection-oriented orphaned\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>ftp_server.cmd_validity[].format</strong>: format specification\r
+<strong>dce_tcp.Faults</strong>: total connection-oriented faults\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>ftp_server.cmd_validity[].length</strong> = 0: specify non-default maximum for command { 0: }\r
+<strong>dce_tcp.Auth3s</strong>: total connection-oriented auth3s\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>ftp_server.def_max_param_len</strong> = 100: default maximum length of commands handled by server; 0 is unlimited { 1: }\r
+<strong>dce_tcp.Shutdowns</strong>: total connection-oriented shutdowns\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>ftp_server.encrypted_traffic</strong> = false: check for encrypted telnet and ftp\r
+<strong>dce_tcp.Rejects</strong>: total connection-oriented rejects\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>ftp_server.ftp_cmds</strong>: specify additional commands supported by server beyond RFC 959\r
+<strong>dce_tcp.MS RPC/HTTP PDUs</strong>: total connection-oriented MS requests to send RPC over HTTP\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>ftp_server.ignore_data_chan</strong> = false: do not inspect ftp data channels\r
+<strong>dce_tcp.Other requests</strong>: total connection-oriented other requests\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>ftp_server.ignore_telnet_erase_cmds</strong> = false: ignore erase character and erase line commands when normalizing\r
+<strong>dce_tcp.Other responses</strong>: total connection-oriented other responses\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>ftp_server.print_cmds</strong> = false: print command configurations on start up\r
+<strong>dce_tcp.Request fragments</strong>: total connection-oriented request fragments\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>ftp_server.telnet_cmds</strong> = false: detect telnet escape sequences of ftp control channel\r
+<strong>dce_tcp.Response fragments</strong>: total connection-oriented response fragments\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>125:1</strong> (ftp_server) TELNET cmd on FTP command channel\r
+<strong>dce_tcp.Client max fragment size</strong>: connection-oriented client maximum fragment size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>125:2</strong> (ftp_server) invalid FTP command\r
+<strong>dce_tcp.Client min fragment size</strong>: connection-oriented client minimum fragment size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>125:3</strong> (ftp_server) FTP command parameters were too long\r
+<strong>dce_tcp.Client segs reassembled</strong>: total connection-oriented client segments reassembled\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>125:4</strong> (ftp_server) FTP command parameters were malformed\r
+<strong>dce_tcp.Client frags reassembled</strong>: total connection-oriented client fragments reassembled\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>125:5</strong> (ftp_server) FTP command parameters contained potential string format\r
+<strong>dce_tcp.Server max fragment size</strong>: connection-oriented server maximum fragment size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>125:6</strong> (ftp_server) FTP response message was too long\r
+<strong>dce_tcp.Server min fragment size</strong>: connection-oriented server minimum fragment size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>125:7</strong> (ftp_server) FTP traffic encrypted\r
+<strong>dce_tcp.Server segs reassembled</strong>: total connection-oriented server segments reassembled\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>125:8</strong> (ftp_server) FTP bounce attempt\r
+<strong>dce_tcp.Server frags reassembled</strong>: total connection-oriented server fragments reassembled\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>125:9</strong> (ftp_server) evasive (incomplete) TELNET cmd on FTP command channel\r
+<strong>dce_tcp.tcp sessions</strong>: total tcp sessions\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>ftp_server.packets</strong>: total packets\r
+<strong>dce_tcp.tcp packets</strong>: total tcp packets\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_gtp_inspect">gtp_inspect</h3>\r
-<div class="paragraph"><p>What: gtp control channel inspection</p></div>\r
+<h3 id="_dce_udp">dce_udp</h3>\r
+<div class="paragraph"><p>What: dce over udp inspection</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>gtp_inspect[].version</strong> = 2: gtp version { 0:2 }\r
+bool <strong>dce_udp.disable_defrag</strong> = false: Disable DCE/RPC defragmentation\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>gtp_inspect[].messages[].type</strong> = 0: message type code { 0:255 }\r
+int <strong>dce_udp.max_frag_len</strong> = 65535: Maximum fragment size for defragmentation { 1514:65535 }\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>gtp_inspect[].messages[].name</strong>: message name\r
+<strong>133:40</strong> (dce_udp) connection-less DCE/RPC - invalid major version\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>gtp_inspect[].infos[].type</strong> = 0: information element type code { 0:255 }\r
+<strong>133:41</strong> (dce_udp) connection-less DCE/RPC - invalid PDU type\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>gtp_inspect[].infos[].name</strong>: information element name\r
+<strong>133:42</strong> (dce_udp) connection-less DCE/RPC - data length less than header size\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>gtp_inspect[].infos[].length</strong> = 0: information element type code { 0:255 }\r
+<strong>133:43</strong> (dce_udp) connection-less DCE/RPC - bad sequence number\r
</p>\r
</li>\r
</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>143:1</strong> (gtp_inspect) message length is invalid\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>143:2</strong> (gtp_inspect) information element length is invalid\r
+<strong>dce_udp.events</strong>: total events\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>143:3</strong> (gtp_inspect) information elements are out of order\r
+<strong>dce_udp.udp sessions</strong>: total udp sessions\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>gtp_inspect.sessions</strong>: total sessions processed\r
+<strong>dce_udp.udp packets</strong>: total udp packets\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>gtp_inspect.events</strong>: requests\r
+<strong>dce_udp.Requests</strong>: total connection-less requests\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>gtp_inspect.unknown types</strong>: unknown message types\r
+<strong>dce_udp.Acks</strong>: total connection-less acks\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>gtp_inspect.unknown infos</strong>: unknown information elements\r
+<strong>dce_udp.Cancels</strong>: total connection-less cancels\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_inspect">http_inspect</h3>\r
-<div class="paragraph"><p>What: HTTP inspector</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>http_inspect.request_depth</strong> = -1: maximum request message body bytes to examine (-1 no limit) { -1: }\r
+<strong>dce_udp.Client facks</strong>: total connection-less client facks\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_inspect.response_depth</strong> = -1: maximum response message body bytes to examine (-1 no limit) { -1: }\r
+<strong>dce_udp.Ping</strong>: total connection-less ping\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.unzip</strong> = true: decompress gzip and deflate message bodies\r
+<strong>dce_udp.Responses</strong>: total connection-less responses\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.normalize_utf</strong> = true: normalize charset utf encodings\r
+<strong>dce_udp.Rejects</strong>: total connection-less rejects\r
</p>\r
</li>\r
<li>\r
<p>\r
-bit_list <strong>http_inspect.bad_characters</strong>: alert when any of specified bytes are present in URI after percent decoding { 255 }\r
+<strong>dce_udp.Cancel acks</strong>: total connection-less cancel acks\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>http_inspect.ignore_unreserved</strong>: do not alert when the specified unreserved characters are percent-encoded in a URI.Unreserved characters are 0-9, a-z, A-Z, period, underscore, tilde, and minus. { (optional) }\r
+<strong>dce_udp.Server facks</strong>: total connection-less server facks\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.percent_u</strong> = false: normalize %uNNNN and %UNNNN encodings\r
+<strong>dce_udp.Faults</strong>: total connection-less faults\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.utf8</strong> = true: normalize 2-byte and 3-byte UTF-8 characters to a single byte\r
+<strong>dce_udp.No calls</strong>: total connection-less no calls\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.utf8_bare_byte</strong> = false: when doing UTF-8 character normalization include bytes that were not percent encoded\r
+<strong>dce_udp.Working</strong>: total connection-less working\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.iis_unicode</strong> = false: use IIS unicode code point mapping to normalize characters\r
+<strong>dce_udp.Other requests</strong>: total connection-less other requests\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>http_inspect.iis_unicode_map_file</strong>: file containing code points for IIS unicode. { (optional) }\r
+<strong>dce_udp.Other responses</strong>: total connection-less other responses\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_inspect.iis_unicode_code_page</strong> = 1252: code page to use from the IIS unicode map file { 0:65535 }\r
+<strong>dce_udp.Fragments</strong>: total connection-less fragments\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.iis_double_decode</strong> = false: perform double decoding of percent encodings to normalize characters\r
+<strong>dce_udp.Max fragment size</strong>: connection-less maximum fragment size\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_inspect.oversize_dir_length</strong> = 300: maximum length for URL directory { 1:65535 }\r
+<strong>dce_udp.Frags reassembled</strong>: total connection-less fragments reassembled\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.backslash_to_slash</strong> = false: replace \ with / when normalizing URIs\r
+<strong>dce_udp.Max seqnum</strong>: max connection-less seqnum\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_dnp3">dnp3</h3>\r
+<div class="paragraph"><p>What: dnp3 inspection</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>http_inspect.plus_to_space</strong> = true: replace + with <sp> when normalizing URIs\r
+bool <strong>dnp3.check_crc</strong> = false: validate checksums in DNP3 link layer frames\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>http_inspect.simplify_path</strong> = true: reduce URI directory path to simplest form\r
+<strong>145:1</strong> (dnp3) DNP3 link-layer frame contains bad CRC\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.test_input</strong> = false: read HTTP messages from text file\r
+<strong>145:2</strong> (dnp3) DNP3 link-layer frame was dropped\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.test_output</strong> = false: print out HTTP section data\r
+<strong>145:3</strong> (dnp3) DNP3 transport-layer segment was dropped during reassembly\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_inspect.print_amount</strong> = 1200: number of characters to print from a Field { 1:1000000 }\r
+<strong>145:4</strong> (dnp3) DNP3 reassembly buffer was cleared without reassembling a complete message\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.print_hex</strong> = false: nonprinting characters printed in [HH] format instead of using an asterisk\r
+<strong>145:5</strong> (dnp3) DNP3 link-layer frame uses a reserved address\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.show_pegs</strong> = true: display peg counts with test output\r
+<strong>145:6</strong> (dnp3) DNP3 application-layer fragment uses a reserved function code\r
</p>\r
</li>\r
</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>119:1</strong> (http_inspect) ascii encoding\r
+<strong>dnp3.total packets</strong>: total packets\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:2</strong> (http_inspect) double decoding attack\r
+<strong>dnp3.udp packets</strong>: total udp packets\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:3</strong> (http_inspect) u encoding\r
+<strong>dnp3.tcp pdus</strong>: total tcp pdus\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:4</strong> (http_inspect) bare byte unicode encoding\r
+<strong>dnp3.dnp3 link layer frames</strong>: total dnp3 link layer frames\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:5</strong> (http_inspect) obsolete event—should not appear\r
+<strong>dnp3.dnp3 application pdus</strong>: total dnp3 application pdus\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_dns">dns</h3>\r
+<div class="paragraph"><p>What: dns inspection</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>119:6</strong> (http_inspect) UTF-8 encoding\r
+<strong>131:1</strong> (dns) obsolete DNS RR types\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:7</strong> (http_inspect) IIS unicode codepoint encoding\r
+<strong>131:2</strong> (dns) experimental DNS RR types\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:8</strong> (http_inspect) multi_slash encoding\r
+<strong>131:3</strong> (dns) DNS client rdata txt overflow\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>119:9</strong> (http_inspect) IIS backslash evasion\r
+<strong>dns.packets</strong>: total packets processed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:10</strong> (http_inspect) self directory traversal\r
+<strong>dns.requests</strong>: total dns requests\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:11</strong> (http_inspect) directory traversal\r
+<strong>dns.responses</strong>: total dns responses\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_file_log">file_log</h3>\r
+<div class="paragraph"><p>What: log file event to file.log</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>119:12</strong> (http_inspect) apache whitespace (tab)\r
+bool <strong>file_log.log_pkt_time</strong> = true: log the packet time when event generated\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:13</strong> (http_inspect) non-RFC http delimiter\r
+bool <strong>file_log.log_sys_time</strong> = false: log the system time when event generated\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>119:14</strong> (http_inspect) non-RFC defined char\r
+<strong>file_log.total events</strong>: total file events\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_ftp_client">ftp_client</h3>\r
+<div class="paragraph"><p>What: FTP client configuration module for use with ftp_server</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>119:15</strong> (http_inspect) oversize request-uri directory\r
+bool <strong>ftp_client.bounce</strong> = false: check for bounces\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:16</strong> (http_inspect) oversize chunk encoding\r
+addr <strong>ftp_client.bounce_to[].address</strong> = 1.0.0.0/32: allowed ip address in CIDR format\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:17</strong> (http_inspect) unauthorized proxy use detected\r
+port <strong>ftp_client.bounce_to[].port</strong> = 20: allowed port { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:18</strong> (http_inspect) webroot directory traversal\r
+port <strong>ftp_client.bounce_to[].last_port</strong>: optional allowed range from port to last_port inclusive { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:19</strong> (http_inspect) long header\r
+bool <strong>ftp_client.ignore_telnet_erase_cmds</strong> = false: ignore erase character and erase line commands when normalizing\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:20</strong> (http_inspect) max header fields\r
+int <strong>ftp_client.max_resp_len</strong> = -1: maximum ftp response accepted by client { -1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:21</strong> (http_inspect) multiple content length\r
+bool <strong>ftp_client.telnet_cmds</strong> = false: detect telnet escape sequences on ftp control channel\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_ftp_data">ftp_data</h3>\r
+<div class="paragraph"><p>What: FTP data channel handler</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>119:22</strong> (http_inspect) chunk size mismatch detected\r
+<strong>ftp_data.packets</strong>: total packets\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_ftp_server">ftp_server</h3>\r
+<div class="paragraph"><p>What: main FTP module; ftp_client should also be configured</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>119:23</strong> (http_inspect) invalid IP in true-client-IP/XFF header\r
+string <strong>ftp_server.chk_str_fmt</strong>: check the formatting of the given commands\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:24</strong> (http_inspect) multiple host hdrs detected\r
+string <strong>ftp_server.data_chan_cmds</strong>: check the formatting of the given commands\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:25</strong> (http_inspect) hostname exceeds 255 characters\r
+string <strong>ftp_server.data_rest_cmds</strong>: check the formatting of the given commands\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:26</strong> (http_inspect) header parsing space saturation\r
+string <strong>ftp_server.data_xfer_cmds</strong>: check the formatting of the given commands\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:27</strong> (http_inspect) client consecutive small chunk sizes\r
+string <strong>ftp_server.directory_cmds[].dir_cmd</strong>: directory command\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:28</strong> (http_inspect) post w/o content-length or chunks\r
+int <strong>ftp_server.directory_cmds[].rsp_code</strong> = 200: expected successful response code for command { 200: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:29</strong> (http_inspect) multiple true ips in a session\r
+string <strong>ftp_server.file_put_cmds</strong>: check the formatting of the given commands\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:30</strong> (http_inspect) both true-client-IP and XFF hdrs present\r
+string <strong>ftp_server.file_get_cmds</strong>: check the formatting of the given commands\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:31</strong> (http_inspect) unknown method\r
+string <strong>ftp_server.encr_cmds</strong>: check the formatting of the given commands\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:32</strong> (http_inspect) simple request\r
+string <strong>ftp_server.login_cmds</strong>: check the formatting of the given commands\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:33</strong> (http_inspect) unescaped space in HTTP URI\r
+bool <strong>ftp_server.check_encrypted</strong> = false: check for end of encryption\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:34</strong> (http_inspect) too many pipelined requests\r
+string <strong>ftp_server.cmd_validity[].command</strong>: command string\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:35</strong> (http_inspect) anomalous http server on undefined HTTP port\r
+string <strong>ftp_server.cmd_validity[].format</strong>: format specification\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:36</strong> (http_inspect) invalid status code in HTTP response\r
+int <strong>ftp_server.cmd_validity[].length</strong> = 0: specify non-default maximum for command { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:37</strong> (http_inspect) no content-length or transfer-encoding in HTTP response\r
+int <strong>ftp_server.def_max_param_len</strong> = 100: default maximum length of commands handled by server; 0 is unlimited { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:38</strong> (http_inspect) HTTP response has UTF charset which failed to normalize\r
+bool <strong>ftp_server.encrypted_traffic</strong> = false: check for encrypted telnet and ftp\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:39</strong> (http_inspect) HTTP response has UTF-7 charset\r
+string <strong>ftp_server.ftp_cmds</strong>: specify additional commands supported by server beyond RFC 959\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:40</strong> (http_inspect) HTTP response gzip decompression failed\r
+bool <strong>ftp_server.ignore_data_chan</strong> = false: do not inspect ftp data channels\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:41</strong> (http_inspect) server consecutive small chunk sizes\r
+bool <strong>ftp_server.ignore_telnet_erase_cmds</strong> = false: ignore erase character and erase line commands when normalizing\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:42</strong> (http_inspect) invalid content-length or chunk size\r
+bool <strong>ftp_server.print_cmds</strong> = false: print command configurations on start up\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:43</strong> (http_inspect) javascript obfuscation levels exceeds 1\r
+bool <strong>ftp_server.telnet_cmds</strong> = false: detect telnet escape sequences of ftp control channel\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>119:44</strong> (http_inspect) javascript whitespaces exceeds max allowed\r
+<strong>125:1</strong> (ftp_server) TELNET cmd on FTP command channel\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:45</strong> (http_inspect) multiple encodings within javascript obfuscated data\r
+<strong>125:2</strong> (ftp_server) invalid FTP command\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:46</strong> (http_inspect) SWF file zlib decompression failure\r
+<strong>125:3</strong> (ftp_server) FTP command parameters were too long\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:47</strong> (http_inspect) SWF file LZMA decompression failure\r
+<strong>125:4</strong> (ftp_server) FTP command parameters were malformed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:48</strong> (http_inspect) PDF file deflate decompression failure\r
+<strong>125:5</strong> (ftp_server) FTP command parameters contained potential string format\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:49</strong> (http_inspect) PDF file unsupported compression type\r
+<strong>125:6</strong> (ftp_server) FTP response message was too long\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:50</strong> (http_inspect) PDF file cascaded compression\r
+<strong>125:7</strong> (ftp_server) FTP traffic encrypted\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:51</strong> (http_inspect) PDF file parse failure\r
+<strong>125:8</strong> (ftp_server) FTP bounce attempt\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:52</strong> (http_inspect) Not HTTP traffic\r
+<strong>125:9</strong> (ftp_server) evasive (incomplete) TELNET cmd on FTP command channel\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>119:53</strong> (http_inspect) Chunk length has excessive leading zeros\r
+<strong>ftp_server.packets</strong>: total packets\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_gtp_inspect">gtp_inspect</h3>\r
+<div class="paragraph"><p>What: gtp control channel inspection</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>119:54</strong> (http_inspect) White space before or between messages\r
+int <strong>gtp_inspect[].version</strong> = 2: gtp version { 0:2 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:55</strong> (http_inspect) Request message without URI\r
+int <strong>gtp_inspect[].messages[].type</strong> = 0: message type code { 0:255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:56</strong> (http_inspect) Control character in reason phrase\r
+string <strong>gtp_inspect[].messages[].name</strong>: message name\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:57</strong> (http_inspect) Illegal extra whitespace in start line\r
+int <strong>gtp_inspect[].infos[].type</strong> = 0: information element type code { 0:255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:58</strong> (http_inspect) Corrupted HTTP version\r
+string <strong>gtp_inspect[].infos[].name</strong>: information element name\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:59</strong> (http_inspect) Unknown HTTP version\r
+int <strong>gtp_inspect[].infos[].length</strong> = 0: information element type code { 0:255 }\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>119:60</strong> (http_inspect) Format error in HTTP header\r
+<strong>143:1</strong> (gtp_inspect) message length is invalid\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:61</strong> (http_inspect) Chunk header options present\r
+<strong>143:2</strong> (gtp_inspect) information element length is invalid\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:62</strong> (http_inspect) URI badly formatted\r
+<strong>143:3</strong> (gtp_inspect) information elements are out of order\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>119:63</strong> (http_inspect) Unrecognized type of percent encoding in URI\r
+<strong>gtp_inspect.sessions</strong>: total sessions processed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:64</strong> (http_inspect) HTTP chunk misformatted\r
+<strong>gtp_inspect.events</strong>: requests\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:65</strong> (http_inspect) White space following chunk length\r
+<strong>gtp_inspect.unknown types</strong>: unknown message types\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:66</strong> (http_inspect) White space within header name\r
+<strong>gtp_inspect.unknown infos</strong>: unknown information elements\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_http_inspect">http_inspect</h3>\r
+<div class="paragraph"><p>What: HTTP inspector</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>119:67</strong> (http_inspect) Excessive gzip compression\r
+int <strong>http_inspect.request_depth</strong> = -1: maximum request message body bytes to examine (-1 no limit) { -1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:68</strong> (http_inspect) Gzip decompression failed\r
+int <strong>http_inspect.response_depth</strong> = -1: maximum response message body bytes to examine (-1 no limit) { -1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:69</strong> (http_inspect) HTTP 0.9 requested followed by another request\r
+bool <strong>http_inspect.unzip</strong> = true: decompress gzip and deflate message bodies\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:70</strong> (http_inspect) HTTP 0.9 request following a normal request\r
+bool <strong>http_inspect.normalize_utf</strong> = true: normalize charset utf encodings in response bodies\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:71</strong> (http_inspect) Message has both Content-Length and Transfer-Encoding\r
+bool <strong>http_inspect.normalize_javascript</strong> = false: normalize javascript in response bodies\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:72</strong> (http_inspect) Status code implying no body combined with Transfer-Encoding or nonzero Content-Length\r
+int <strong>http_inspect.max_javascript_whitespaces</strong> = 200: maximum consecutive whitespaces allowed within the Javascript obfuscated data { 1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:73</strong> (http_inspect) Transfer-Encoding did not end with chunked\r
+bit_list <strong>http_inspect.bad_characters</strong>: alert when any of specified bytes are present in URI after percent decoding { 255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:74</strong> (http_inspect) Transfer-Encoding with chunked not at end\r
+string <strong>http_inspect.ignore_unreserved</strong>: do not alert when the specified unreserved characters are percent-encoded in a URI.Unreserved characters are 0-9, a-z, A-Z, period, underscore, tilde, and minus. { (optional) }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:75</strong> (http_inspect) Misformatted HTTP traffic\r
+bool <strong>http_inspect.percent_u</strong> = false: normalize %uNNNN and %UNNNN encodings\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:76</strong> (http_inspect) Unsupported Transfer-Encoding or Content-Encoding used\r
+bool <strong>http_inspect.utf8</strong> = true: normalize 2-byte and 3-byte UTF-8 characters to a single byte\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:77</strong> (http_inspect) Unknown Transfer-Encoding or Content-Encoding used\r
+bool <strong>http_inspect.utf8_bare_byte</strong> = false: when doing UTF-8 character normalization include bytes that were not percent encoded\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:78</strong> (http_inspect) Multiple layers of compression encodings applied\r
+bool <strong>http_inspect.iis_unicode</strong> = false: use IIS unicode code point mapping to normalize characters\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>http_inspect.flows</strong>: HTTP connections inspected\r
+string <strong>http_inspect.iis_unicode_map_file</strong>: file containing code points for IIS unicode. { (optional) }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.scans</strong>: TCP segments scanned looking for HTTP messages\r
+int <strong>http_inspect.iis_unicode_code_page</strong> = 1252: code page to use from the IIS unicode map file { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.reassembles</strong>: TCP segments combined into HTTP messages\r
+bool <strong>http_inspect.iis_double_decode</strong> = false: perform double decoding of percent encodings to normalize characters\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.inspections</strong>: total message sections inspected\r
+int <strong>http_inspect.oversize_dir_length</strong> = 300: maximum length for URL directory { 1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.requests</strong>: HTTP request messages inspected\r
+bool <strong>http_inspect.backslash_to_slash</strong> = false: replace \ with / when normalizing URIs\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.responses</strong>: HTTP response messages inspected\r
+bool <strong>http_inspect.plus_to_space</strong> = true: replace + with <sp> when normalizing URIs\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.GET requests</strong>: GET requests inspected\r
+bool <strong>http_inspect.simplify_path</strong> = true: reduce URI directory path to simplest form\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.HEAD requests</strong>: HEAD requests inspected\r
+bool <strong>http_inspect.test_input</strong> = false: read HTTP messages from text file\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.POST requests</strong>: POST requests inspected\r
+bool <strong>http_inspect.test_output</strong> = false: print out HTTP section data\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.PUT requests</strong>: PUT requests inspected\r
+int <strong>http_inspect.print_amount</strong> = 1200: number of characters to print from a Field { 1:1000000 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.DELETE requests</strong>: DELETE requests inspected\r
+bool <strong>http_inspect.print_hex</strong> = false: nonprinting characters printed in [HH] format instead of using an asterisk\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.CONNECT requests</strong>: CONNECT requests inspected\r
+bool <strong>http_inspect.show_pegs</strong> = true: display peg counts with test output\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>http_inspect.OPTIONS requests</strong>: OPTIONS requests inspected\r
+<strong>119:1</strong> (http_inspect) ascii encoding\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.TRACE requests</strong>: TRACE requests inspected\r
+<strong>119:2</strong> (http_inspect) double decoding attack\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.other requests</strong>: other request methods inspected\r
+<strong>119:3</strong> (http_inspect) u encoding\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.request bodies</strong>: POST, PUT, and other requests with message bodies\r
+<strong>119:4</strong> (http_inspect) bare byte unicode encoding\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.chunked</strong>: chunked message bodies\r
+<strong>119:5</strong> (http_inspect) obsolete event—should not appear\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.URI normalizations</strong>: URIs needing to be normalization\r
+<strong>119:6</strong> (http_inspect) UTF-8 encoding\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.URI path</strong>: URIs with path problems\r
+<strong>119:7</strong> (http_inspect) IIS unicode codepoint encoding\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.URI coding</strong>: URIs with character coding problems\r
+<strong>119:8</strong> (http_inspect) multi_slash encoding\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>119:9</strong> (http_inspect) IIS backslash evasion\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_imap">imap</h3>\r
-<div class="paragraph"><p>What: imap inspection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>imap.b64_decode_depth</strong> = 1460: base64 decoding depth { -1:65535 }\r
+<strong>119:10</strong> (http_inspect) self directory traversal\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>imap.bitenc_decode_depth</strong> = 1460: Non-Encoded MIME attachment extraction depth { -1:65535 }\r
+<strong>119:11</strong> (http_inspect) directory traversal\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>imap.qp_decode_depth</strong> = 1460: Quoted Printable decoding depth { -1:65535 }\r
+<strong>119:12</strong> (http_inspect) apache whitespace (tab)\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>imap.uu_decode_depth</strong> = 1460: Unix-to-Unix decoding depth { -1:65535 }\r
+<strong>119:13</strong> (http_inspect) non-RFC http delimiter\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>141:1</strong> (imap) Unknown IMAP3 command\r
+<strong>119:14</strong> (http_inspect) non-RFC defined char\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>141:2</strong> (imap) Unknown IMAP3 response\r
+<strong>119:15</strong> (http_inspect) oversize request-uri directory\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>141:4</strong> (imap) Base64 Decoding failed.\r
+<strong>119:16</strong> (http_inspect) oversize chunk encoding\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>141:5</strong> (imap) Quoted-Printable Decoding failed.\r
+<strong>119:17</strong> (http_inspect) unauthorized proxy use detected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>141:7</strong> (imap) Unix-to-Unix Decoding failed.\r
+<strong>119:18</strong> (http_inspect) webroot directory traversal\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>imap.packets</strong>: total packets processed\r
+<strong>119:19</strong> (http_inspect) long header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>imap.sessions</strong>: total imap sessions\r
+<strong>119:20</strong> (http_inspect) max header fields\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>imap.b64 attachments</strong>: total base64 attachments decoded\r
+<strong>119:21</strong> (http_inspect) multiple content length\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>imap.b64 decoded bytes</strong>: total base64 decoded bytes\r
+<strong>119:22</strong> (http_inspect) chunk size mismatch detected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>imap.qp attachments</strong>: total quoted-printable attachments decoded\r
+<strong>119:23</strong> (http_inspect) invalid IP in true-client-IP/XFF header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>imap.qp decoded bytes</strong>: total quoted-printable decoded bytes\r
+<strong>119:24</strong> (http_inspect) multiple host hdrs detected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>imap.uu attachments</strong>: total uu attachments decoded\r
+<strong>119:25</strong> (http_inspect) hostname exceeds 255 characters\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>imap.uu decoded bytes</strong>: total uu decoded bytes\r
+<strong>119:26</strong> (http_inspect) header parsing space saturation\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>imap.non-encoded attachments</strong>: total non-encoded attachments extracted\r
+<strong>119:27</strong> (http_inspect) client consecutive small chunk sizes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>imap.non-encoded bytes</strong>: total non-encoded extracted bytes\r
+<strong>119:28</strong> (http_inspect) post w/o content-length or chunks\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_modbus">modbus</h3>\r
-<div class="paragraph"><p>What: modbus inspection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>144:1</strong> (modbus) length in Modbus MBAP header does not match the length needed for the given function\r
+<strong>119:29</strong> (http_inspect) multiple true ips in a session\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>144:2</strong> (modbus) Modbus protocol ID is non-zero\r
+<strong>119:30</strong> (http_inspect) both true-client-IP and XFF hdrs present\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>144:3</strong> (modbus) Reserved Modbus function code in use\r
+<strong>119:31</strong> (http_inspect) unknown method\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>modbus.sessions</strong>: total sessions processed\r
+<strong>119:32</strong> (http_inspect) simple request\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>modbus.frames</strong>: total Modbus messages\r
+<strong>119:33</strong> (http_inspect) unescaped space in HTTP URI\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_normalizer">normalizer</h3>\r
-<div class="paragraph"><p>What: packet scrubbing for inline mode</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>normalizer.ip4.base</strong> = true: clear options\r
+<strong>119:34</strong> (http_inspect) too many pipelined requests\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.ip4.df</strong> = false: clear don’t frag flag\r
+<strong>119:35</strong> (http_inspect) anomalous http server on undefined HTTP port\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.ip4.rf</strong> = false: clear reserved flag\r
+<strong>119:36</strong> (http_inspect) invalid status code in HTTP response\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.ip4.tos</strong> = false: clear tos / differentiated services byte\r
+<strong>119:37</strong> (http_inspect) no content-length or transfer-encoding in HTTP response\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.ip4.trim</strong> = false: truncate excess payload beyond datagram length\r
+<strong>119:38</strong> (http_inspect) HTTP response has UTF charset which failed to normalize\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.base</strong> = true: clear reserved bits and option padding and fix urgent pointer / flags issues\r
+<strong>119:39</strong> (http_inspect) HTTP response has UTF-7 charset\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.block</strong> = true: allow packet drops during TCP normalization\r
+<strong>119:40</strong> (http_inspect) HTTP response gzip decompression failed\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.urp</strong> = true: adjust urgent pointer if beyond segment length\r
+<strong>119:41</strong> (http_inspect) server consecutive small chunk sizes\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.ips</strong> = false: ensure consistency in retransmitted data\r
+<strong>119:42</strong> (http_inspect) invalid content-length or chunk size\r
</p>\r
</li>\r
<li>\r
<p>\r
-select <strong>normalizer.tcp.ecn</strong> = off: clear ecn for all packets | sessions w/o ecn setup { off | packet | stream }\r
+<strong>119:43</strong> (http_inspect) javascript obfuscation levels exceeds 1\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.pad</strong> = true: clear any option padding bytes\r
+<strong>119:44</strong> (http_inspect) javascript whitespaces exceeds max allowed\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.trim_syn</strong> = false: remove data on SYN\r
+<strong>119:45</strong> (http_inspect) multiple encodings within javascript obfuscated data\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.trim_rst</strong> = false: remove any data from RST packet\r
+<strong>119:46</strong> (http_inspect) SWF file zlib decompression failure\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.trim_win</strong> = false: trim data to window\r
+<strong>119:47</strong> (http_inspect) SWF file LZMA decompression failure\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.trim_mss</strong> = false: trim data to MSS\r
+<strong>119:48</strong> (http_inspect) PDF file deflate decompression failure\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.trim</strong> = false: enable all of the TCP trim options\r
+<strong>119:49</strong> (http_inspect) PDF file unsupported compression type\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.opts</strong> = true: clear all options except mss, wscale, timestamp, and any explicitly allowed\r
+<strong>119:50</strong> (http_inspect) PDF file cascaded compression\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.req_urg</strong> = true: clear the urgent pointer if the urgent flag is not set\r
+<strong>119:51</strong> (http_inspect) PDF file parse failure\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.req_pay</strong> = true: clear the urgent pointer and the urgent flag if there is no payload\r
+<strong>119:52</strong> (http_inspect) not HTTP traffic\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.rsv</strong> = true: clear the reserved bits in the TCP header\r
+<strong>119:53</strong> (http_inspect) chunk length has excessive leading zeros\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.req_urp</strong> = true: clear the urgent flag if the urgent pointer is not set\r
+<strong>119:54</strong> (http_inspect) white space before or between messages\r
</p>\r
</li>\r
<li>\r
<p>\r
-multi <strong>normalizer.tcp.allow_names</strong>: don’t clear given option names { sack | echo | partial_order | conn_count | alt_checksum | md5 }\r
+<strong>119:55</strong> (http_inspect) request message without URI\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>normalizer.tcp.allow_codes</strong>: don’t clear given option codes\r
+<strong>119:56</strong> (http_inspect) control character in reason phrase\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.ip6</strong> = false: clear reserved flag\r
+<strong>119:57</strong> (http_inspect) illegal extra whitespace in start line\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.icmp4</strong> = false: clear reserved flag\r
+<strong>119:58</strong> (http_inspect) corrupted HTTP version\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.icmp6</strong> = false: clear reserved flag\r
+<strong>119:59</strong> (http_inspect) unknown HTTP version\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>normalizer.ip4 trim</strong>: eth packets trimmed to datagram size\r
+<strong>119:60</strong> (http_inspect) format error in HTTP header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test ip4 trim</strong>: test eth packets trimmed to datagram size\r
+<strong>119:61</strong> (http_inspect) chunk header options present\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.ip4 tos</strong>: type of service normalizations\r
+<strong>119:62</strong> (http_inspect) URI badly formatted\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test ip4 tos</strong>: test type of service normalizations\r
+<strong>119:63</strong> (http_inspect) unrecognized type of percent encoding in URI\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.ip4 df</strong>: don’t frag bit normalizations\r
+<strong>119:64</strong> (http_inspect) HTTP chunk misformatted\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test ip4 df</strong>: test don’t frag bit normalizations\r
+<strong>119:65</strong> (http_inspect) white space following chunk length\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.ip4 rf</strong>: reserved flag bit clears\r
+<strong>119:66</strong> (http_inspect) white space within header name\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test ip4 rf</strong>: test reserved flag bit clears\r
+<strong>119:67</strong> (http_inspect) excessive gzip compression\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.ip4 ttl</strong>: time-to-live normalizations\r
+<strong>119:68</strong> (http_inspect) gzip decompression failed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test ip4 ttl</strong>: test time-to-live normalizations\r
+<strong>119:69</strong> (http_inspect) HTTP 0.9 requested followed by another request\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.ip4 opts</strong>: ip4 options cleared\r
+<strong>119:70</strong> (http_inspect) HTTP 0.9 request following a normal request\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test ip4 opts</strong>: test ip4 options cleared\r
+<strong>119:71</strong> (http_inspect) message has both Content-Length and Transfer-Encoding\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.icmp4 echo</strong>: icmp4 ping normalizations\r
+<strong>119:72</strong> (http_inspect) status code implying no body combined with Transfer-Encoding or nonzero Content-Length\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test icmp4 echo</strong>: test icmp4 ping normalizations\r
+<strong>119:73</strong> (http_inspect) Transfer-Encoding did not end with chunked\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.ip6 hops</strong>: ip6 hop limit normalizations\r
+<strong>119:74</strong> (http_inspect) Transfer-Encoding with chunked not at end\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test ip6 hops</strong>: test ip6 hop limit normalizations\r
+<strong>119:75</strong> (http_inspect) misformatted HTTP traffic\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.ip6 options</strong>: ip6 options cleared\r
+<strong>119:76</strong> (http_inspect) unsupported Transfer-Encoding or Content-Encoding used\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test ip6 options</strong>: test ip6 options cleared\r
+<strong>119:77</strong> (http_inspect) unknown Transfer-Encoding or Content-Encoding used\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.icmp6 echo</strong>: icmp6 echo normalizations\r
+<strong>119:78</strong> (http_inspect) multiple layers of compression encodings applied\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>normalizer.test icmp6 echo</strong>: test icmp6 echo normalizations\r
+<strong>http_inspect.flows</strong>: HTTP connections inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp syn options</strong>: SYN only options cleared from non-SYN packets\r
+<strong>http_inspect.scans</strong>: TCP segments scanned looking for HTTP messages\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test tcp syn options</strong>: test SYN only options cleared from non-SYN packets\r
+<strong>http_inspect.reassembles</strong>: TCP segments combined into HTTP messages\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp options</strong>: packets with options cleared\r
+<strong>http_inspect.inspections</strong>: total message sections inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test tcp options</strong>: test packets with options cleared\r
+<strong>http_inspect.requests</strong>: HTTP request messages inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp paddding</strong>: packets with padding cleared\r
+<strong>http_inspect.responses</strong>: HTTP response messages inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test tcp paddding</strong>: test packets with padding cleared\r
+<strong>http_inspect.GET requests</strong>: GET requests inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp reserved</strong>: packets with reserved bits cleared\r
+<strong>http_inspect.HEAD requests</strong>: HEAD requests inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test tcp reserved</strong>: test packets with reserved bits cleared\r
+<strong>http_inspect.POST requests</strong>: POST requests inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp nonce</strong>: packets with nonce bit cleared\r
+<strong>http_inspect.PUT requests</strong>: PUT requests inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test tcp nonce</strong>: test packets with nonce bit cleared\r
+<strong>http_inspect.DELETE requests</strong>: DELETE requests inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp urgent ptr</strong>: packets without data with urgent pointer cleared\r
+<strong>http_inspect.CONNECT requests</strong>: CONNECT requests inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test tcp urgent ptr</strong>: test packets without data with urgent pointer cleared\r
+<strong>http_inspect.OPTIONS requests</strong>: OPTIONS requests inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp ecn pkt</strong>: packets with ECN bits cleared\r
+<strong>http_inspect.TRACE requests</strong>: TRACE requests inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test tcp ecn pkt</strong>: test packets with ECN bits cleared\r
+<strong>http_inspect.other requests</strong>: other request methods inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp ts ecr</strong>: timestamp cleared on non-ACKs\r
+<strong>http_inspect.request bodies</strong>: POST, PUT, and other requests with message bodies\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test tcp ts ecr</strong>: test timestamp cleared on non-ACKs\r
+<strong>http_inspect.chunked</strong>: chunked message bodies\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp req urg</strong>: cleared urgent pointer when urgent flag is not set\r
+<strong>http_inspect.URI normalizations</strong>: URIs needing to be normalization\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test tcp req urg</strong>: test cleared urgent pointer when urgent flag is not set\r
+<strong>http_inspect.URI path</strong>: URIs with path problems\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp req pay</strong>: cleared urgent pointer and urgent flag when there is no payload\r
+<strong>http_inspect.URI coding</strong>: URIs with character coding problems\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_imap">imap</h3>\r
+<div class="paragraph"><p>What: imap inspection</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>normalizer.test tcp req pay</strong>: test cleared urgent pointer and urgent flag when there is no payload\r
+int <strong>imap.b64_decode_depth</strong> = 1460: base64 decoding depth { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp req urp</strong>: cleared the urgent flag if the urgent pointer is not set\r
+int <strong>imap.bitenc_decode_depth</strong> = 1460: non-Encoded MIME attachment extraction depth { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test tcp req urp</strong>: test cleared the urgent flag if the urgent pointer is not set\r
+int <strong>imap.qp_decode_depth</strong> = 1460: quoted Printable decoding depth { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp trim syn</strong>: tcp segments trimmed on SYN\r
+int <strong>imap.uu_decode_depth</strong> = 1460: Unix-to-Unix decoding depth { -1:65535 }\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>normalizer.test tcp trim syn</strong>: test tcp segments trimmed on SYN\r
+<strong>141:1</strong> (imap) unknown IMAP3 command\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp trim rst</strong>: RST packets with data trimmed\r
+<strong>141:2</strong> (imap) unknown IMAP3 response\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test tcp trim rst</strong>: test RST packets with data trimmed\r
+<strong>141:4</strong> (imap) base64 decoding failed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp trim win</strong>: data trimed to window\r
+<strong>141:5</strong> (imap) quoted-printable decoding failed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test tcp trim win</strong>: test data trimed to window\r
+<strong>141:7</strong> (imap) Unix-to-Unix decoding failed\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>normalizer.tcp trim mss</strong>: data trimmed to MSS\r
+<strong>imap.packets</strong>: total packets processed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test tcp trim mss</strong>: test data trimmed to MSS\r
+<strong>imap.sessions</strong>: total imap sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp ecn session</strong>: ECN bits cleared\r
+<strong>imap.b64 attachments</strong>: total base64 attachments decoded\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test tcp ecn session</strong>: test ECN bits cleared\r
+<strong>imap.b64 decoded bytes</strong>: total base64 decoded bytes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp ts nop</strong>: timestamp options cleared\r
+<strong>imap.qp attachments</strong>: total quoted-printable attachments decoded\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test tcp ts nop</strong>: test timestamp options cleared\r
+<strong>imap.qp decoded bytes</strong>: total quoted-printable decoded bytes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp ips data</strong>: normalized segments\r
+<strong>imap.uu attachments</strong>: total uu attachments decoded\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test tcp ips data</strong>: test normalized segments\r
+<strong>imap.uu decoded bytes</strong>: total uu decoded bytes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp block</strong>: blocked segments\r
+<strong>imap.non-encoded attachments</strong>: total non-encoded attachments extracted\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test tcp block</strong>: test blocked segments\r
+<strong>imap.non-encoded bytes</strong>: total non-encoded extracted bytes\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_packet_capture">packet_capture</h3>\r
-<div class="paragraph"><p>What: raw packet dumping facility</p></div>\r
+<h3 id="_modbus">modbus</h3>\r
+<div class="paragraph"><p>What: modbus inspection</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>packet_capture.enable</strong> = false: initially enable packet dumping\r
+<strong>144:1</strong> (modbus) length in Modbus MBAP header does not match the length needed for the given function\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>packet_capture.filter</strong>: bpf filter to use for packet dump\r
+<strong>144:2</strong> (modbus) Modbus protocol ID is non-zero\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>144:3</strong> (modbus) reserved Modbus function code in use\r
</p>\r
</li>\r
</ul></div>\r
-<div class="paragraph"><p>Commands:</p></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>packet_capture.enable</strong>(filter): dump raw packets\r
+<strong>modbus.sessions</strong>: total sessions processed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>packet_capture.disable</strong>(): stop packet dump\r
+<strong>modbus.frames</strong>: total Modbus messages\r
</p>\r
</li>\r
</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_normalizer">normalizer</h3>\r
+<div class="paragraph"><p>What: packet scrubbing for inline mode</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>packet_capture.processed</strong>: packets processed against filter\r
+bool <strong>normalizer.ip4.base</strong> = true: clear options\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>packet_capture.captured</strong>: packets matching dumped after matching filter\r
+bool <strong>normalizer.ip4.df</strong> = false: clear don’t frag flag\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_perf_monitor">perf_monitor</h3>\r
-<div class="paragraph"><p>What: performance monitoring and flow statistics collection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>perf_monitor.base</strong> = true: enable base statistics { nullptr }\r
+bool <strong>normalizer.ip4.rf</strong> = false: clear reserved flag\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>perf_monitor.cpu</strong> = false: enable cpu statistics { nullptr }\r
+bool <strong>normalizer.ip4.tos</strong> = false: clear tos / differentiated services byte\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>perf_monitor.flow</strong> = false: enable traffic statistics\r
+bool <strong>normalizer.ip4.trim</strong> = false: truncate excess payload beyond datagram length\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>perf_monitor.flow_ip</strong> = false: enable statistics on host pairs\r
+bool <strong>normalizer.tcp.base</strong> = true: clear reserved bits and option padding and fix urgent pointer / flags issues\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>perf_monitor.packets</strong> = 10000: minimum packets to report { 0: }\r
+bool <strong>normalizer.tcp.block</strong> = true: allow packet drops during TCP normalization\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>perf_monitor.seconds</strong> = 60: report interval { 1: }\r
+bool <strong>normalizer.tcp.urp</strong> = true: adjust urgent pointer if beyond segment length\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>perf_monitor.flow_ip_memcap</strong> = 52428800: maximum memory for flow tracking { 8200: }\r
+bool <strong>normalizer.tcp.ips</strong> = false: ensure consistency in retransmitted data\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>perf_monitor.max_file_size</strong> = 1073741824: files will be rolled over if they exceed this size { 4096: }\r
+select <strong>normalizer.tcp.ecn</strong> = off: clear ecn for all packets | sessions w/o ecn setup { off | packet | stream }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>perf_monitor.flow_ports</strong> = 1023: maximum ports to track { 0:65535 }\r
+bool <strong>normalizer.tcp.pad</strong> = true: clear any option padding bytes\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>perf_monitor.output</strong> = file: Output location for stats { file | console }\r
+bool <strong>normalizer.tcp.trim_syn</strong> = false: remove data on SYN\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>perf_monitor.modules[].name</strong>: name of the module\r
+bool <strong>normalizer.tcp.trim_rst</strong> = false: remove any data from RST packet\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>perf_monitor.modules[].pegs</strong>: list of statistics to track or empty for all counters\r
+bool <strong>normalizer.tcp.trim_win</strong> = false: trim data to window\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>perf_monitor.format</strong> = csv: Output format for stats { csv | text }\r
+bool <strong>normalizer.tcp.trim_mss</strong> = false: trim data to MSS\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>perf_monitor.summary</strong> = false: Output summary at shutdown\r
+bool <strong>normalizer.tcp.trim</strong> = false: enable all of the TCP trim options\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>perf_monitor.packets</strong>: total packets\r
+bool <strong>normalizer.tcp.opts</strong> = true: clear all options except mss, wscale, timestamp, and any explicitly allowed\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_pop">pop</h3>\r
-<div class="paragraph"><p>What: pop inspection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>pop.b64_decode_depth</strong> = 1460: base64 decoding depth { -1:65535 }\r
+bool <strong>normalizer.tcp.req_urg</strong> = true: clear the urgent pointer if the urgent flag is not set\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>pop.bitenc_decode_depth</strong> = 1460: Non-Encoded MIME attachment extraction depth { -1:65535 }\r
+bool <strong>normalizer.tcp.req_pay</strong> = true: clear the urgent pointer and the urgent flag if there is no payload\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>pop.qp_decode_depth</strong> = 1460: Quoted Printable decoding depth { -1:65535 }\r
+bool <strong>normalizer.tcp.rsv</strong> = true: clear the reserved bits in the TCP header\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>pop.uu_decode_depth</strong> = 1460: Unix-to-Unix decoding depth { -1:65535 }\r
+bool <strong>normalizer.tcp.req_urp</strong> = true: clear the urgent flag if the urgent pointer is not set\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>142:1</strong> (pop) Unknown POP3 command\r
+multi <strong>normalizer.tcp.allow_names</strong>: don’t clear given option names { sack | echo | partial_order | conn_count | alt_checksum | md5 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>142:2</strong> (pop) Unknown POP3 response\r
+string <strong>normalizer.tcp.allow_codes</strong>: don’t clear given option codes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>142:4</strong> (pop) Base64 Decoding failed.\r
+bool <strong>normalizer.ip6</strong> = false: clear reserved flag\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>142:5</strong> (pop) Quoted-Printable Decoding failed.\r
+bool <strong>normalizer.icmp4</strong> = false: clear reserved flag\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>142:7</strong> (pop) Unix-to-Unix Decoding failed.\r
+bool <strong>normalizer.icmp6</strong> = false: clear reserved flag\r
</p>\r
</li>\r
</ul></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>pop.packets</strong>: total packets processed\r
+<strong>normalizer.ip4 trim</strong>: eth packets trimmed to datagram size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>pop.sessions</strong>: total pop sessions\r
+<strong>normalizer.test ip4 trim</strong>: test eth packets trimmed to datagram size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>pop.b64 attachments</strong>: total base64 attachments decoded\r
+<strong>normalizer.ip4 tos</strong>: type of service normalizations\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>pop.b64 decoded bytes</strong>: total base64 decoded bytes\r
+<strong>normalizer.test ip4 tos</strong>: test type of service normalizations\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>pop.qp attachments</strong>: total quoted-printable attachments decoded\r
+<strong>normalizer.ip4 df</strong>: don’t frag bit normalizations\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>pop.qp decoded bytes</strong>: total quoted-printable decoded bytes\r
+<strong>normalizer.test ip4 df</strong>: test don’t frag bit normalizations\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>pop.uu attachments</strong>: total uu attachments decoded\r
+<strong>normalizer.ip4 rf</strong>: reserved flag bit clears\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>pop.uu decoded bytes</strong>: total uu decoded bytes\r
+<strong>normalizer.test ip4 rf</strong>: test reserved flag bit clears\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>pop.non-encoded attachments</strong>: total non-encoded attachments extracted\r
+<strong>normalizer.ip4 ttl</strong>: time-to-live normalizations\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>pop.non-encoded bytes</strong>: total non-encoded extracted bytes\r
+<strong>normalizer.test ip4 ttl</strong>: test time-to-live normalizations\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_port_scan">port_scan</h3>\r
-<div class="paragraph"><p>What: port scan inspector; also configure port_scan_global</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-multi <strong>port_scan.protos</strong> = all: choose the protocols to monitor { tcp | udp | icmp | ip | all }\r
+<strong>normalizer.ip4 opts</strong>: ip4 options cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-multi <strong>port_scan.scan_types</strong> = all: choose type of scans to look for { portscan | portsweep | decoy_portscan | distributed_portscan | all }\r
+<strong>normalizer.test ip4 opts</strong>: test ip4 options cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>port_scan.sense_level</strong> = medium: choose the level of detection { low | medium | high }\r
+<strong>normalizer.icmp4 echo</strong>: icmp4 ping normalizations\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>port_scan.watch_ip</strong>: list of CIDRs with optional ports to watch\r
+<strong>normalizer.test icmp4 echo</strong>: test icmp4 ping normalizations\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>port_scan.ignore_scanners</strong>: list of CIDRs with optional ports to ignore if the source of scan alerts\r
+<strong>normalizer.ip6 hops</strong>: ip6 hop limit normalizations\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>port_scan.ignore_scanned</strong>: list of CIDRs with optional ports to ignore if the destination of scan alerts\r
+<strong>normalizer.test ip6 hops</strong>: test ip6 hop limit normalizations\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>port_scan.include_midstream</strong> = false: list of CIDRs with optional ports\r
+<strong>normalizer.ip6 options</strong>: ip6 options cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>port_scan.logfile</strong> = false: write scan events to file\r
+<strong>normalizer.test ip6 options</strong>: test ip6 options cleared\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>122:1</strong> (port_scan) TCP portscan\r
+<strong>normalizer.icmp6 echo</strong>: icmp6 echo normalizations\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:2</strong> (port_scan) TCP decoy portscan\r
+<strong>normalizer.test icmp6 echo</strong>: test icmp6 echo normalizations\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:3</strong> (port_scan) TCP portsweep\r
+<strong>normalizer.tcp syn options</strong>: SYN only options cleared from non-SYN packets\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:4</strong> (port_scan) TCP distributed portscan\r
+<strong>normalizer.test tcp syn options</strong>: test SYN only options cleared from non-SYN packets\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:5</strong> (port_scan) TCP filtered portscan\r
+<strong>normalizer.tcp options</strong>: packets with options cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:6</strong> (port_scan) TCP filtered decoy portscan\r
+<strong>normalizer.test tcp options</strong>: test packets with options cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:7</strong> (port_scan) TCP filtered portsweep\r
+<strong>normalizer.tcp paddding</strong>: packets with padding cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:8</strong> (port_scan) TCP filtered distributed portscan\r
+<strong>normalizer.test tcp paddding</strong>: test packets with padding cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:9</strong> (port_scan) IP protocol scan\r
+<strong>normalizer.tcp reserved</strong>: packets with reserved bits cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:10</strong> (port_scan) IP decoy protocol scan\r
+<strong>normalizer.test tcp reserved</strong>: test packets with reserved bits cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:11</strong> (port_scan) IP protocol sweep\r
+<strong>normalizer.tcp nonce</strong>: packets with nonce bit cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:12</strong> (port_scan) IP distributed protocol scan\r
+<strong>normalizer.test tcp nonce</strong>: test packets with nonce bit cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:13</strong> (port_scan) IP filtered protocol scan\r
+<strong>normalizer.tcp urgent ptr</strong>: packets without data with urgent pointer cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:14</strong> (port_scan) IP filtered decoy protocol scan\r
+<strong>normalizer.test tcp urgent ptr</strong>: test packets without data with urgent pointer cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:15</strong> (port_scan) IP filtered protocol sweep\r
+<strong>normalizer.tcp ecn pkt</strong>: packets with ECN bits cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:16</strong> (port_scan) IP filtered distributed protocol scan\r
+<strong>normalizer.test tcp ecn pkt</strong>: test packets with ECN bits cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:17</strong> (port_scan) UDP portscan\r
+<strong>normalizer.tcp ts ecr</strong>: timestamp cleared on non-ACKs\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:18</strong> (port_scan) UDP decoy portscan\r
+<strong>normalizer.test tcp ts ecr</strong>: test timestamp cleared on non-ACKs\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:19</strong> (port_scan) UDP portsweep\r
+<strong>normalizer.tcp req urg</strong>: cleared urgent pointer when urgent flag is not set\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:20</strong> (port_scan) UDP distributed portscan\r
+<strong>normalizer.test tcp req urg</strong>: test cleared urgent pointer when urgent flag is not set\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:21</strong> (port_scan) UDP filtered portscan\r
+<strong>normalizer.tcp req pay</strong>: cleared urgent pointer and urgent flag when there is no payload\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:22</strong> (port_scan) UDP filtered decoy portscan\r
+<strong>normalizer.test tcp req pay</strong>: test cleared urgent pointer and urgent flag when there is no payload\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:23</strong> (port_scan) UDP filtered portsweep\r
+<strong>normalizer.tcp req urp</strong>: cleared the urgent flag if the urgent pointer is not set\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:24</strong> (port_scan) UDP filtered distributed portscan\r
+<strong>normalizer.test tcp req urp</strong>: test cleared the urgent flag if the urgent pointer is not set\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:25</strong> (port_scan) ICMP sweep\r
+<strong>normalizer.tcp trim syn</strong>: tcp segments trimmed on SYN\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:26</strong> (port_scan) ICMP filtered sweep\r
+<strong>normalizer.test tcp trim syn</strong>: test tcp segments trimmed on SYN\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:27</strong> (port_scan) open port\r
+<strong>normalizer.tcp trim rst</strong>: RST packets with data trimmed\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_port_scan_global">port_scan_global</h3>\r
-<div class="paragraph"><p>What: shared settings for port_scan inspectors for use with port_scan</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>port_scan_global.memcap</strong> = 1048576: maximum tracker memory { 1: }\r
+<strong>normalizer.test tcp trim rst</strong>: test RST packets with data trimmed\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>port_scan_global.packets</strong>: total packets\r
+<strong>normalizer.tcp trim win</strong>: data trimed to window\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_reputation">reputation</h3>\r
-<div class="paragraph"><p>What: reputation inspection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>reputation.blacklist</strong>: blacklist file name with ip lists\r
+<strong>normalizer.test tcp trim win</strong>: test data trimed to window\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>reputation.memcap</strong> = 500: maximum total memory allocated { 1:4095 }\r
+<strong>normalizer.tcp trim mss</strong>: data trimmed to MSS\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>reputation.nested_ip</strong> = inner: ip to use when there is IP encapsulation { inner|outer|all }\r
+<strong>normalizer.test tcp trim mss</strong>: test data trimmed to MSS\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>reputation.priority</strong> = whitelist: defines priority when there is a decision conflict during run-time { blacklist|whitelist }\r
+<strong>normalizer.tcp ecn session</strong>: ECN bits cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>reputation.scan_local</strong> = false: inspect local address defined in RFC 1918\r
+<strong>normalizer.test tcp ecn session</strong>: test ECN bits cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>reputation.white</strong> = unblack: specify the meaning of whitelist { unblack|trust }\r
+<strong>normalizer.tcp ts nop</strong>: timestamp options cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>reputation.whitelist</strong>: whitelist file name with ip lists\r
+<strong>normalizer.test tcp ts nop</strong>: test timestamp options cleared\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>136:1</strong> (reputation) packets blacklisted\r
+<strong>normalizer.tcp ips data</strong>: normalized segments\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>normalizer.test tcp ips data</strong>: test normalized segments\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>136:2</strong> (reputation) Packets whitelisted\r
+<strong>normalizer.tcp block</strong>: blocked segments\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>136:3</strong> (reputation) Packets monitored\r
+<strong>normalizer.test tcp block</strong>: test blocked segments\r
</p>\r
</li>\r
</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
+</div>\r
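Review bot: the added peg names "normalizer.tcp paddding" and "normalizer.test tcp paddding" (the two entries described as "packets with padding cleared") and the descriptions "data trimed to window" on "normalizer.tcp trim win" and "normalizer.test tcp trim win" carry typos. These pages are generated from the module's peg table, and the peg name is the key an operator filters on in perf_monitor output, so the fix belongs in the normalizer's peg definitions ("padding", "trimmed"), not in a hand edit of the manual. Separately, every counter is listed twice, once as "normalizer.X" and once as "normalizer.test X", and nothing on the page says what distinguishes the test counters; a single sentence before the list would settle that for readers.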
+<div class="sect2">\r
+<h3 id="_packet_capture">packet_capture</h3>\r
+<div class="paragraph"><p>What: raw packet dumping facility</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>reputation.packets</strong>: total packets processed\r
+bool <strong>packet_capture.enable</strong> = false: initially enable packet dumping\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>reputation.blacklisted</strong>: number of packets blacklisted\r
+string <strong>packet_capture.filter</strong>: bpf filter to use for packet dump\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Commands:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>reputation.whitelisted</strong>: number of packets whitelisted\r
+<strong>packet_capture.enable</strong>(filter): dump raw packets\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>reputation.monitored</strong>: number of packets monitored\r
+<strong>packet_capture.disable</strong>(): stop packet dump\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+<strong>packet_capture.processed</strong>: packets processed against filter\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>reputation.memory_allocated</strong>: total memory allocated\r
+<strong>packet_capture.captured</strong>: packets matching dumped after matching filter\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
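Review bot: the description of packet_capture.captured, "packets matching dumped after matching filter", reads as two phrasings merged into one; "packets dumped after matching the filter" says the same thing. Also, packet_capture.enable appears both as a bool configuration option ("initially enable packet dumping") and as a command taking a filter argument, while packet_capture.filter is a separate configuration string; the relationship between the command's filter argument and the configured filter is not stated, and one sentence here would remove the ambiguity.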
<div class="sect2">\r
-<h3 id="_rpc_decode">rpc_decode</h3>\r
-<div class="paragraph"><p>What: RPC inspector</p></div>\r
+<h3 id="_perf_monitor">perf_monitor</h3>\r
+<div class="paragraph"><p>What: performance monitoring and flow statistics collection</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>106:1</strong> (rpc_decode) fragmented RPC records\r
+bool <strong>perf_monitor.base</strong> = true: enable base statistics { nullptr }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>106:2</strong> (rpc_decode) multiple RPC records\r
+bool <strong>perf_monitor.cpu</strong> = false: enable cpu statistics { nullptr }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>106:3</strong> (rpc_decode) large RPC record fragment\r
+bool <strong>perf_monitor.flow</strong> = false: enable traffic statistics\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>106:4</strong> (rpc_decode) incomplete RPC segment\r
+bool <strong>perf_monitor.flow_ip</strong> = false: enable statistics on host pairs\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>106:5</strong> (rpc_decode) zero-length RPC fragment\r
+int <strong>perf_monitor.packets</strong> = 10000: minimum packets to report { 0: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>perf_monitor.seconds</strong> = 60: report interval { 1: }\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>rpc_decode.packets</strong>: total packets\r
+int <strong>perf_monitor.flow_ip_memcap</strong> = 52428800: maximum memory in bytes for flow tracking { 8200: }\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_sip">sip</h3>\r
-<div class="paragraph"><p>What: sip inspection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>sip.ignore_call_channel</strong> = false: enables the support for ignoring audio/video data channel\r
+int <strong>perf_monitor.max_file_size</strong> = 1073741824: files will be rolled over if they exceed this size { 4096: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>sip.max_call_id_len</strong> = 256: maximum call id field size { 0:65535 }\r
+int <strong>perf_monitor.flow_ports</strong> = 1023: maximum ports to track { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>sip.max_contact_len</strong> = 256: maximum contact field size { 0:65535 }\r
+enum <strong>perf_monitor.output</strong> = file: output location for stats { file | console }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>sip.max_content_len</strong> = 1024: maximum content length of the message body { 0:65535 }\r
+string <strong>perf_monitor.modules[].name</strong>: name of the module\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>sip.max_dialogs</strong> = 4: maximum number of dialogs within one stream session { 1:4194303 }\r
+string <strong>perf_monitor.modules[].pegs</strong>: list of statistics to track or empty for all counters\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>sip.max_from_len</strong> = 256: maximum from field size { 0:65535 }\r
+enum <strong>perf_monitor.format</strong> = csv: output format for stats { csv | text }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>sip.max_requestName_len</strong> = 20: maximum request name field size { 0:65535 }\r
+bool <strong>perf_monitor.summary</strong> = false: output summary at shutdown\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>sip.max_sessions</strong> = 10000: maximum number of sessions that can be allocated { 1024:4194303 }\r
+<strong>perf_monitor.packets</strong>: total packets\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
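Review bot: perf_monitor.base and perf_monitor.cpu are documented as bool with a range of "{ nullptr }", which is the generator printing a null range pointer as if it were a constraint rather than a real range; the other bools in the same list (perf_monitor.flow, perf_monitor.flow_ip, perf_monitor.summary) correctly show no range at all. The two parameter definitions should be given a proper empty range so the manual stops emitting "nullptr".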
+<div class="sect2">\r
+<h3 id="_pop">pop</h3>\r
+<div class="paragraph"><p>What: pop inspection</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>sip.max_to_len</strong> = 256: maximum to field size { 0:65535 }\r
+int <strong>pop.b64_decode_depth</strong> = 1460: base64 decoding depth { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>sip.max_uri_len</strong> = 256: maximum request uri field size { 0:65535 }\r
+int <strong>pop.bitenc_decode_depth</strong> = 1460: Non-Encoded MIME attachment extraction depth { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>sip.max_via_len</strong> = 1024: maximum via field size { 0:65535 }\r
+int <strong>pop.qp_decode_depth</strong> = 1460: Quoted Printable decoding depth { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>sip.methods</strong> = invite cancel ack bye register options: list of methods to check in sip messages\r
+int <strong>pop.uu_decode_depth</strong> = 1460: Unix-to-Unix decoding depth { -1:65535 }\r
</p>\r
</li>\r
</ul></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>140:1</strong> (sip) Maximum sessions reached\r
+<strong>142:1</strong> (pop) unknown POP3 command\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:2</strong> (sip) Empty request URI\r
+<strong>142:2</strong> (pop) unknown POP3 response\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:3</strong> (sip) URI is too long\r
+<strong>142:4</strong> (pop) base64 decoding failed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:4</strong> (sip) Empty call-Id\r
+<strong>142:5</strong> (pop) quoted-printable decoding failed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:5</strong> (sip) Call-Id is too long\r
+<strong>142:7</strong> (pop) Unix-to-Unix decoding failed\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>140:6</strong> (sip) CSeq number is too large or negative\r
+<strong>pop.packets</strong>: total packets processed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:7</strong> (sip) Request name in CSeq is too long\r
+<strong>pop.sessions</strong>: total pop sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:8</strong> (sip) Empty From header\r
+<strong>pop.b64 attachments</strong>: total base64 attachments decoded\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:9</strong> (sip) From header is too long\r
+<strong>pop.b64 decoded bytes</strong>: total base64 decoded bytes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:10</strong> (sip) Empty To header\r
+<strong>pop.qp attachments</strong>: total quoted-printable attachments decoded\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:11</strong> (sip) To header is too long\r
+<strong>pop.qp decoded bytes</strong>: total quoted-printable decoded bytes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:12</strong> (sip) Empty Via header\r
+<strong>pop.uu attachments</strong>: total uu attachments decoded\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:13</strong> (sip) Via header is too long\r
+<strong>pop.uu decoded bytes</strong>: total uu decoded bytes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:14</strong> (sip) Empty Contact\r
+<strong>pop.non-encoded attachments</strong>: total non-encoded attachments extracted\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:15</strong> (sip) Contact is too long\r
+<strong>pop.non-encoded bytes</strong>: total non-encoded extracted bytes\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_port_scan">port_scan</h3>\r
+<div class="paragraph"><p>What: port scan inspector; also configure port_scan_global</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>140:16</strong> (sip) Content length is too large or negative\r
+multi <strong>port_scan.protos</strong> = all: choose the protocols to monitor { tcp | udp | icmp | ip | all }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:17</strong> (sip) Multiple SIP messages in a packet\r
+multi <strong>port_scan.scan_types</strong> = all: choose type of scans to look for { portscan | portsweep | decoy_portscan | distributed_portscan | all }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:18</strong> (sip) Content length mismatch\r
+enum <strong>port_scan.sense_level</strong> = medium: choose the level of detection { low | medium | high }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:19</strong> (sip) Request name is invalid\r
+string <strong>port_scan.watch_ip</strong>: list of CIDRs with optional ports to watch\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:20</strong> (sip) Invite replay attack\r
+string <strong>port_scan.ignore_scanners</strong>: list of CIDRs with optional ports to ignore if the source of scan alerts\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:21</strong> (sip) Illegal session information modification\r
+string <strong>port_scan.ignore_scanned</strong>: list of CIDRs with optional ports to ignore if the destination of scan alerts\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:22</strong> (sip) Response status code is not a 3 digit number\r
+bool <strong>port_scan.include_midstream</strong> = false: list of CIDRs with optional ports\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:23</strong> (sip) Empty Content-type header\r
+bool <strong>port_scan.logfile</strong> = false: write scan events to file\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>140:24</strong> (sip) SIP version is invalid\r
+<strong>122:1</strong> (port_scan) TCP portscan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:25</strong> (sip) Mismatch in METHOD of request and the CSEQ header\r
+<strong>122:2</strong> (port_scan) TCP decoy portscan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:26</strong> (sip) Method is unknown\r
+<strong>122:3</strong> (port_scan) TCP portsweep\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:27</strong> (sip) Maximum dialogs within a session reached\r
+<strong>122:4</strong> (port_scan) TCP distributed portscan\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>sip.packets</strong>: total packets\r
+<strong>122:5</strong> (port_scan) TCP filtered portscan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.sessions</strong>: total sessions\r
+<strong>122:6</strong> (port_scan) TCP filtered decoy portscan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.events</strong>: events generated\r
+<strong>122:7</strong> (port_scan) TCP filtered portsweep\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.dialogs</strong>: total dialogs\r
+<strong>122:8</strong> (port_scan) TCP filtered distributed portscan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.ignored channels</strong>: total channels ignored\r
+<strong>122:9</strong> (port_scan) IP protocol scan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.ignored sessions</strong>: total sessions ignored\r
+<strong>122:10</strong> (port_scan) IP decoy protocol scan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.total requests</strong>: total requests\r
+<strong>122:11</strong> (port_scan) IP protocol sweep\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.invite</strong>: invite\r
+<strong>122:12</strong> (port_scan) IP distributed protocol scan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.cancel</strong>: cancel\r
+<strong>122:13</strong> (port_scan) IP filtered protocol scan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.ack</strong>: ack\r
+<strong>122:14</strong> (port_scan) IP filtered decoy protocol scan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.bye</strong>: bye\r
+<strong>122:15</strong> (port_scan) IP filtered protocol sweep\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.register</strong>: register\r
+<strong>122:16</strong> (port_scan) IP filtered distributed protocol scan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.options</strong>: options\r
+<strong>122:17</strong> (port_scan) UDP portscan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.refer</strong>: refer\r
+<strong>122:18</strong> (port_scan) UDP decoy portscan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.subscribe</strong>: subscribe\r
+<strong>122:19</strong> (port_scan) UDP portsweep\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.update</strong>: update\r
+<strong>122:20</strong> (port_scan) UDP distributed portscan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.join</strong>: join\r
+<strong>122:21</strong> (port_scan) UDP filtered portscan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.info</strong>: info\r
+<strong>122:22</strong> (port_scan) UDP filtered decoy portscan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.message</strong>: message\r
+<strong>122:23</strong> (port_scan) UDP filtered portsweep\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.notify</strong>: notify\r
+<strong>122:24</strong> (port_scan) UDP filtered distributed portscan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.prack</strong>: prack\r
+<strong>122:25</strong> (port_scan) ICMP sweep\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.total responses</strong>: total responses\r
+<strong>122:26</strong> (port_scan) ICMP filtered sweep\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.1xx</strong>: 1xx\r
+<strong>122:27</strong> (port_scan) open port\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
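Review bot: port_scan.include_midstream is a bool defaulting to false, but its help text, "list of CIDRs with optional ports", is the description of the string options listed just above it (watch_ip, ignore_scanners, ignore_scanned); the change carries the mismatch over unchanged from the removed line. The help string should describe what the flag switches on, which, going by the name, is whether sessions picked up midstream are included in scan detection.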
+<div class="sect2">\r
+<h3 id="_port_scan_global">port_scan_global</h3>\r
+<div class="paragraph"><p>What: shared settings for port_scan inspectors for use with port_scan</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>sip.2xx</strong>: 2xx\r
+int <strong>port_scan_global.memcap</strong> = 1048576: maximum tracker memory in bytes { 1: }\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>sip.3xx</strong>: 3xx\r
+<strong>port_scan_global.packets</strong>: total packets\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_reputation">reputation</h3>\r
+<div class="paragraph"><p>What: reputation inspection</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+string <strong>reputation.blacklist</strong>: blacklist file name with ip lists\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.4xx</strong>: 4xx\r
+int <strong>reputation.memcap</strong> = 500: maximum total MB of memory allocated { 1:4095 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.5xx</strong>: 5xx\r
+enum <strong>reputation.nested_ip</strong> = inner: ip to use when there is IP encapsulation { inner|outer|all }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.6xx</strong>: 6xx\r
+enum <strong>reputation.priority</strong> = whitelist: defines priority when there is a decision conflict during run-time { blacklist|whitelist }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.7xx</strong>: 7xx\r
+bool <strong>reputation.scan_local</strong> = false: inspect local address defined in RFC 1918\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.8xx</strong>: 8xx\r
+enum <strong>reputation.white</strong> = unblack: specify the meaning of whitelist { unblack|trust }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.9xx</strong>: 9xx\r
+string <strong>reputation.whitelist</strong>: whitelist file name with ip lists\r
</p>\r
</li>\r
</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_smtp">smtp</h3>\r
-<div class="paragraph"><p>What: smtp inspection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>smtp.alt_max_command_line_len[].command</strong>: command string\r
+<strong>136:1</strong> (reputation) packets blacklisted\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.alt_max_command_line_len[].length</strong> = 0: specify non-default maximum for command { 0: }\r
+<strong>136:2</strong> (reputation) packets whitelisted\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>smtp.auth_cmds</strong>: commands that initiate an authentication exchange\r
+<strong>136:3</strong> (reputation) packets monitored\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>smtp.binary_data_cmds</strong>: commands that initiate sending of data and use a length value after the command\r
+<strong>reputation.packets</strong>: total packets processed\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.bitenc_decode_depth</strong> = 25: depth used to extract the non-encoded MIME attachments { -1:65535 }\r
+<strong>reputation.blacklisted</strong>: number of packets blacklisted\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.b64_decode_depth</strong> = 25: depth used to decode the base64 encoded MIME attachments { -1:65535 }\r
+<strong>reputation.whitelisted</strong>: number of packets whitelisted\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>smtp.data_cmds</strong>: commands that initiate sending of data with an end of data delimiter\r
+<strong>reputation.monitored</strong>: number of packets monitored\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.email_hdrs_log_depth</strong> = 1464: depth for logging email headers { 0:20480 }\r
+<strong>reputation.memory allocated</strong>: total memory allocated\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_rpc_decode">rpc_decode</h3>\r
+<div class="paragraph"><p>What: RPC inspector</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>smtp.ignore_data</strong> = false: ignore data section of mail\r
+<strong>106:1</strong> (rpc_decode) fragmented RPC records\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>smtp.ignore_tls_data</strong> = false: ignore TLS-encrypted data when processing rules\r
+<strong>106:2</strong> (rpc_decode) multiple RPC records\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>smtp.invalid_cmds</strong>: alert if this command is sent from client side\r
+<strong>106:3</strong> (rpc_decode) large RPC record fragment\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>smtp.log_email_hdrs</strong> = false: log the SMTP email headers extracted from SMTP data\r
+<strong>106:4</strong> (rpc_decode) incomplete RPC segment\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>smtp.log_filename</strong> = false: log the MIME attachment filenames extracted from the Content-Disposition header within the MIME body\r
+<strong>106:5</strong> (rpc_decode) zero-length RPC fragment\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>smtp.log_mailfrom</strong> = false: log the sender’s email address extracted from the MAIL FROM command\r
+<strong>rpc_decode.packets</strong>: total packets\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_sip">sip</h3>\r
+<div class="paragraph"><p>What: sip inspection</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>smtp.log_rcptto</strong> = false: log the recipient’s email address extracted from the RCPT TO command\r
+bool <strong>sip.ignore_call_channel</strong> = false: enables the support for ignoring audio/video data channel\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.max_auth_command_line_len</strong> = 1000: max auth command Line Length { 0:65535 }\r
+int <strong>sip.max_call_id_len</strong> = 256: maximum call id field size { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.max_command_line_len</strong> = 0: max Command Line Length { 0:65535 }\r
+int <strong>sip.max_contact_len</strong> = 256: maximum contact field size { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.max_header_line_len</strong> = 0: max SMTP DATA header line { 0:65535 }\r
+int <strong>sip.max_content_len</strong> = 1024: maximum content length of the message body { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.max_response_line_len</strong> = 0: max SMTP response line { 0:65535 }\r
+int <strong>sip.max_dialogs</strong> = 4: maximum number of dialogs within one stream session { 1:4194303 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>smtp.normalize</strong> = none: turns on/off normalization { none | cmds | all }\r
+int <strong>sip.max_from_len</strong> = 256: maximum from field size { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>smtp.normalize_cmds</strong>: list of commands to normalize\r
+int <strong>sip.max_requestName_len</strong> = 20: maximum request name field size { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.qp_decode_depth</strong> = 25: quoted-Printable decoding depth { -1:65535 }\r
+int <strong>sip.max_sessions</strong> = 10000: maximum number of sessions that can be allocated { 1024:4194303 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.uu_decode_depth</strong> = 25: unix-to-Unix decoding depth { -1:65535 }\r
+int <strong>sip.max_to_len</strong> = 256: maximum to field size { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>smtp.valid_cmds</strong>: list of valid commands\r
+int <strong>sip.max_uri_len</strong> = 256: maximum request uri field size { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>smtp.xlink2state</strong> = alert: enable/disable xlink2state alert { disable | alert | drop }\r
+int <strong>sip.max_via_len</strong> = 1024: maximum via field size { 0:65535 }\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>124:1</strong> (smtp) Attempted command buffer overflow\r
+string <strong>sip.methods</strong> = invite cancel ack bye register options: list of methods to check in sip messages\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>124:2</strong> (smtp) Attempted data header buffer overflow\r
+<strong>140:1</strong> (sip) maximum sessions reached\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:3</strong> (smtp) Attempted response buffer overflow\r
+<strong>140:2</strong> (sip) empty request URI\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:4</strong> (smtp) Attempted specific command buffer overflow\r
+<strong>140:3</strong> (sip) URI is too long\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:5</strong> (smtp) Unknown command\r
+<strong>140:4</strong> (sip) empty call-Id\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:6</strong> (smtp) Illegal command\r
+<strong>140:5</strong> (sip) Call-Id is too long\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:7</strong> (smtp) Attempted header name buffer overflow\r
+<strong>140:6</strong> (sip) CSeq number is too large or negative\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:8</strong> (smtp) Attempted X-Link2State command buffer overflow\r
+<strong>140:7</strong> (sip) request name in CSeq is too long\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:10</strong> (smtp) Base64 Decoding failed\r
+<strong>140:8</strong> (sip) empty From header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:11</strong> (smtp) Quoted-Printable Decoding failed\r
+<strong>140:9</strong> (sip) From header is too long\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:13</strong> (smtp) Unix-to-Unix Decoding failed\r
+<strong>140:10</strong> (sip) empty To header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:14</strong> (smtp) Cyrus SASL authentication attack\r
+<strong>140:11</strong> (sip) To header is too long\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:15</strong> (smtp) Attempted authentication command buffer overflow\r
+<strong>140:12</strong> (sip) empty Via header\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>smtp.packets</strong>: total packets processed\r
+<strong>140:13</strong> (sip) Via header is too long\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.sessions</strong>: total smtp sessions\r
+<strong>140:14</strong> (sip) empty Contact\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.concurrent sessions</strong>: total concurrent smtp sessions\r
+<strong>140:15</strong> (sip) contact is too long\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.max concurrent sessions</strong>: maximum concurrent smtp sessions\r
+<strong>140:16</strong> (sip) content length is too large or negative\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.b64 attachments</strong>: total base64 attachments decoded\r
+<strong>140:17</strong> (sip) multiple SIP messages in a packet\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.b64 decoded bytes</strong>: total base64 decoded bytes\r
+<strong>140:18</strong> (sip) content length mismatch\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.qp attachments</strong>: total quoted-printable attachments decoded\r
+<strong>140:19</strong> (sip) request name is invalid\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.qp decoded bytes</strong>: total quoted-printable decoded bytes\r
+<strong>140:20</strong> (sip) Invite replay attack\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.uu attachments</strong>: total uu attachments decoded\r
+<strong>140:21</strong> (sip) illegal session information modification\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.uu decoded bytes</strong>: total uu decoded bytes\r
+<strong>140:22</strong> (sip) response status code is not a 3 digit number\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.non-encoded attachments</strong>: total non-encoded attachments extracted\r
+<strong>140:23</strong> (sip) empty Content-type header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.non-encoded bytes</strong>: total non-encoded extracted bytes\r
+<strong>140:24</strong> (sip) SIP version is invalid\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_ssh">ssh</h3>\r
-<div class="paragraph"><p>What: ssh inspection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>ssh.max_encrypted_packets</strong> = 25: ignore session after this many encrypted packets { 0:65535 }\r
+<strong>140:25</strong> (sip) mismatch in METHOD of request and the CSEQ header\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>ssh.max_client_bytes</strong> = 19600: number of unanswered bytes before alerting on challenge-response overflow or CRC32 { 0:65535 }\r
+<strong>140:26</strong> (sip) method is unknown\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>ssh.max_server_version_len</strong> = 80: limit before alerting on secure CRT server version string overflow { 0:255 }\r
+<strong>140:27</strong> (sip) maximum dialogs within a session reached\r
</p>\r
</li>\r
</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>128:1</strong> (ssh) Challenge-Response Overflow exploit\r
+<strong>sip.packets</strong>: total packets\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>128:2</strong> (ssh) SSH1 CRC32 exploit\r
+<strong>sip.sessions</strong>: total sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>128:3</strong> (ssh) Server version string overflow\r
+<strong>sip.events</strong>: events generated\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>128:5</strong> (ssh) Bad message direction\r
+<strong>sip.dialogs</strong>: total dialogs\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>128:6</strong> (ssh) Payload size incorrect for the given payload\r
+<strong>sip.ignored channels</strong>: total channels ignored\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>128:7</strong> (ssh) Failed to detect SSH version string\r
+<strong>sip.ignored sessions</strong>: total sessions ignored\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>ssh.packets</strong>: total packets\r
+<strong>sip.total requests</strong>: total requests\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_ssl">ssl</h3>\r
-<div class="paragraph"><p>What: ssl inspection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>ssl.trust_servers</strong> = false: disables requirement that application (encrypted) data must be observed on both sides\r
+<strong>sip.invite</strong>: invite\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>ssl.max_heartbeat_length</strong> = 0: maximum length of heartbeat record allowed { 0:65535 }\r
+<strong>sip.cancel</strong>: cancel\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>137:1</strong> (ssl) Invalid Client HELLO after Server HELLO Detected\r
+<strong>sip.ack</strong>: ack\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>137:2</strong> (ssl) Invalid Server HELLO without Client HELLO Detected\r
+<strong>sip.bye</strong>: bye\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>137:3</strong> (ssl) Heartbeat Read Overrun Attempt Detected\r
+<strong>sip.register</strong>: register\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>137:4</strong> (ssl) Large Heartbeat Response Detected\r
+<strong>sip.options</strong>: options\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>ssl.packets</strong>: total packets processed\r
+<strong>sip.refer</strong>: refer\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.decoded</strong>: ssl packets decoded\r
+<strong>sip.subscribe</strong>: subscribe\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.client hello</strong>: total client hellos\r
+<strong>sip.update</strong>: update\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.server hello</strong>: total server hellos\r
+<strong>sip.join</strong>: join\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.certificate</strong>: total ssl certificates\r
+<strong>sip.info</strong>: info\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.server done</strong>: total server done\r
+<strong>sip.message</strong>: message\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.client key exchange</strong>: total client key exchanges\r
+<strong>sip.notify</strong>: notify\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.server key exchange</strong>: total server key exchanges\r
+<strong>sip.prack</strong>: prack\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.change cipher</strong>: total change cipher records\r
+<strong>sip.total responses</strong>: total responses\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.finished</strong>: total handshakes finished\r
+<strong>sip.1xx</strong>: 1xx\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.client application</strong>: total client application records\r
+<strong>sip.2xx</strong>: 2xx\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.server application</strong>: total server application records\r
+<strong>sip.3xx</strong>: 3xx\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.alert</strong>: total ssl alert records\r
+<strong>sip.4xx</strong>: 4xx\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.unrecognized records</strong>: total unrecognized records\r
+<strong>sip.5xx</strong>: 5xx\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.handshakes completed</strong>: total completed ssl handshakes\r
+<strong>sip.6xx</strong>: 6xx\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.bad handshakes</strong>: total bad handshakes\r
+<strong>sip.7xx</strong>: 7xx\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.sessions ignored</strong>: total sessions ignore\r
+<strong>sip.8xx</strong>: 8xx\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.detection disabled</strong>: total detection disabled\r
+<strong>sip.9xx</strong>: 9xx\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_stream">stream</h3>\r
-<div class="paragraph"><p>What: common flow tracking</p></div>\r
+<h3 id="_smtp">smtp</h3>\r
+<div class="paragraph"><p>What: smtp inspection</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>stream.ip_frags_only</strong> = false: don’t process non-frag flows\r
+string <strong>smtp.alt_max_command_line_len[].command</strong>: command string\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.ip_cache.max_sessions</strong> = 16384: maximum simultaneous sessions tracked before pruning { 2: }\r
+int <strong>smtp.alt_max_command_line_len[].length</strong> = 0: specify non-default maximum for command { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.ip_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
+string <strong>smtp.auth_cmds</strong>: commands that initiate an authentication exchange\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.ip_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
+string <strong>smtp.binary_data_cmds</strong>: commands that initiate sending of data and use a length value after the command\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.icmp_cache.max_sessions</strong> = 65536: maximum simultaneous sessions tracked before pruning { 2: }\r
+int <strong>smtp.bitenc_decode_depth</strong> = 25: depth used to extract the non-encoded MIME attachments { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.icmp_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
+int <strong>smtp.b64_decode_depth</strong> = 25: depth used to decode the base64 encoded MIME attachments { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.icmp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
+string <strong>smtp.data_cmds</strong>: commands that initiate sending of data with an end of data delimiter\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.tcp_cache.max_sessions</strong> = 262144: maximum simultaneous sessions tracked before pruning { 2: }\r
+int <strong>smtp.email_hdrs_log_depth</strong> = 1464: depth for logging email headers { 0:20480 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.tcp_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
+bool <strong>smtp.ignore_data</strong> = false: ignore data section of mail\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.tcp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
+bool <strong>smtp.ignore_tls_data</strong> = false: ignore TLS-encrypted data when processing rules\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.udp_cache.max_sessions</strong> = 131072: maximum simultaneous sessions tracked before pruning { 2: }\r
+string <strong>smtp.invalid_cmds</strong>: alert if this command is sent from client side\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.udp_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
+bool <strong>smtp.log_email_hdrs</strong> = false: log the SMTP email headers extracted from SMTP data\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.udp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
+bool <strong>smtp.log_filename</strong> = false: log the MIME attachment filenames extracted from the Content-Disposition header within the MIME body\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.user_cache.max_sessions</strong> = 1024: maximum simultaneous sessions tracked before pruning { 2: }\r
+bool <strong>smtp.log_mailfrom</strong> = false: log the sender’s email address extracted from the MAIL FROM command\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.user_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
+bool <strong>smtp.log_rcptto</strong> = false: log the recipient’s email address extracted from the RCPT TO command\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.user_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
+int <strong>smtp.max_auth_command_line_len</strong> = 1000: max auth command Line Length { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.file_cache.max_sessions</strong> = 128: maximum simultaneous sessions tracked before pruning { 2: }\r
+int <strong>smtp.max_command_line_len</strong> = 0: max Command Line Length { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.file_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
+int <strong>smtp.max_header_line_len</strong> = 0: max SMTP DATA header line { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.file_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
+int <strong>smtp.max_response_line_len</strong> = 0: max SMTP response line { 0:65535 }\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>stream.ip flows</strong>: total ip sessions\r
+enum <strong>smtp.normalize</strong> = none: turns on/off normalization { none | cmds | all }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip total prunes</strong>: total ip sessions pruned\r
+string <strong>smtp.normalize_cmds</strong>: list of commands to normalize\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip idle prunes</strong>: ip sessions pruned due to timeout\r
+int <strong>smtp.qp_decode_depth</strong> = 25: quoted-Printable decoding depth { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip excess prunes</strong>: ip sessions pruned due to excess\r
+int <strong>smtp.uu_decode_depth</strong> = 25: unix-to-Unix decoding depth { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip uni prunes</strong>: ip uni sessions pruned\r
+string <strong>smtp.valid_cmds</strong>: list of valid commands\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip preemptive prunes</strong>: ip sessions pruned during preemptive pruning\r
+enum <strong>smtp.xlink2state</strong> = alert: enable/disable xlink2state alert { disable | alert | drop }\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>stream.ip memcap prunes</strong>: ip sessions pruned due to memcap\r
+<strong>124:1</strong> (smtp) attempted command buffer overflow\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip ha prunes</strong>: ip sessions pruned by high availability sync\r
+<strong>124:2</strong> (smtp) attempted data header buffer overflow\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp flows</strong>: total icmp sessions\r
+<strong>124:3</strong> (smtp) attempted response buffer overflow\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp total prunes</strong>: total icmp sessions pruned\r
+<strong>124:4</strong> (smtp) attempted specific command buffer overflow\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp idle prunes</strong>: icmp sessions pruned due to timeout\r
+<strong>124:5</strong> (smtp) unknown command\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp excess prunes</strong>: icmp sessions pruned due to excess\r
+<strong>124:6</strong> (smtp) illegal command\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp uni prunes</strong>: icmp uni sessions pruned\r
+<strong>124:7</strong> (smtp) attempted header name buffer overflow\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp preemptive prunes</strong>: icmp sessions pruned during preemptive pruning\r
+<strong>124:8</strong> (smtp) attempted X-Link2State command buffer overflow\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp memcap prunes</strong>: icmp sessions pruned due to memcap\r
+<strong>124:10</strong> (smtp) base64 decoding failed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp ha prunes</strong>: icmp sessions pruned by high availability sync\r
+<strong>124:11</strong> (smtp) quoted-printable decoding failed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp flows</strong>: total tcp sessions\r
+<strong>124:13</strong> (smtp) Unix-to-Unix decoding failed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp total prunes</strong>: total tcp sessions pruned\r
+<strong>124:14</strong> (smtp) Cyrus SASL authentication attack\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp idle prunes</strong>: tcp sessions pruned due to timeout\r
+<strong>124:15</strong> (smtp) attempted authentication command buffer overflow\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>stream.tcp excess prunes</strong>: tcp sessions pruned due to excess\r
+<strong>smtp.packets</strong>: total packets processed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp uni prunes</strong>: tcp uni sessions pruned\r
+<strong>smtp.sessions</strong>: total smtp sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp preemptive prunes</strong>: tcp sessions pruned during preemptive pruning\r
+<strong>smtp.concurrent sessions</strong>: total concurrent smtp sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp memcap prunes</strong>: tcp sessions pruned due to memcap\r
+<strong>smtp.max concurrent sessions</strong>: maximum concurrent smtp sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp ha prunes</strong>: tcp sessions pruned by high availability sync\r
+<strong>smtp.b64 attachments</strong>: total base64 attachments decoded\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp flows</strong>: total udp sessions\r
+<strong>smtp.b64 decoded bytes</strong>: total base64 decoded bytes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp total prunes</strong>: total udp sessions pruned\r
+<strong>smtp.qp attachments</strong>: total quoted-printable attachments decoded\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp idle prunes</strong>: udp sessions pruned due to timeout\r
+<strong>smtp.qp decoded bytes</strong>: total quoted-printable decoded bytes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp excess prunes</strong>: udp sessions pruned due to excess\r
+<strong>smtp.uu attachments</strong>: total uu attachments decoded\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp uni prunes</strong>: udp uni sessions pruned\r
+<strong>smtp.uu decoded bytes</strong>: total uu decoded bytes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp preemptive prunes</strong>: udp sessions pruned during preemptive pruning\r
+<strong>smtp.non-encoded attachments</strong>: total non-encoded attachments extracted\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp memcap prunes</strong>: udp sessions pruned due to memcap\r
+<strong>smtp.non-encoded bytes</strong>: total non-encoded extracted bytes\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_ssh">ssh</h3>\r
+<div class="paragraph"><p>What: ssh inspection</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>stream.udp ha prunes</strong>: udp sessions pruned by high availability sync\r
+int <strong>ssh.max_encrypted_packets</strong> = 25: ignore session after this many encrypted packets { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user flows</strong>: total user sessions\r
+int <strong>ssh.max_client_bytes</strong> = 19600: number of unanswered bytes before alerting on challenge-response overflow or CRC32 { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user total prunes</strong>: total user sessions pruned\r
+int <strong>ssh.max_server_version_len</strong> = 80: limit before alerting on secure CRT server version string overflow { 0:255 }\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>stream.user idle prunes</strong>: user sessions pruned due to timeout\r
+<strong>128:1</strong> (ssh) challenge-response overflow exploit\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user excess prunes</strong>: user sessions pruned due to excess\r
+<strong>128:2</strong> (ssh) SSH1 CRC32 exploit\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user uni prunes</strong>: user uni sessions pruned\r
+<strong>128:3</strong> (ssh) server version string overflow\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user preemptive prunes</strong>: user sessions pruned during preemptive pruning\r
+<strong>128:5</strong> (ssh) bad message direction\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user memcap prunes</strong>: user sessions pruned due to memcap\r
+<strong>128:6</strong> (ssh) payload size incorrect for the given payload\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user ha prunes</strong>: user sessions pruned by high availability sync\r
+<strong>128:7</strong> (ssh) failed to detect SSH version string\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+<strong>ssh.packets</strong>: total packets\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_ssl">ssl</h3>\r
+<div class="paragraph"><p>What: ssl inspection</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+bool <strong>ssl.trust_servers</strong> = false: disables requirement that application (encrypted) data must be observed on both sides\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.file flows</strong>: total file sessions\r
+int <strong>ssl.max_heartbeat_length</strong> = 0: maximum length of heartbeat record allowed { 0:65535 }\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>stream.file total prunes</strong>: total file sessions pruned\r
+<strong>137:1</strong> (ssl) invalid client HELLO after server HELLO detected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.file idle prunes</strong>: file sessions pruned due to timeout\r
+<strong>137:2</strong> (ssl) invalid server HELLO without client HELLO detected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.file excess prunes</strong>: file sessions pruned due to excess\r
+<strong>137:3</strong> (ssl) heartbeat read overrun attempt detected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.file uni prunes</strong>: file uni sessions pruned\r
+<strong>137:4</strong> (ssl) large heartbeat response detected\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>stream.file preemptive prunes</strong>: file sessions pruned during preemptive pruning\r
+<strong>ssl.packets</strong>: total packets processed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.file memcap prunes</strong>: file sessions pruned due to memcap\r
+<strong>ssl.decoded</strong>: ssl packets decoded\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.file ha prunes</strong>: file sessions pruned by high availability sync\r
+<strong>ssl.client hello</strong>: total client hellos\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_stream_file">stream_file</h3>\r
-<div class="paragraph"><p>What: stream inspector for file flow tracking and processing</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>stream_file.upload</strong> = false: indicate file transfer direction\r
+<strong>ssl.server hello</strong>: total server hellos\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_stream_icmp">stream_icmp</h3>\r
-<div class="paragraph"><p>What: stream inspector for ICMP flow tracking</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>stream_icmp.session_timeout</strong> = 30: session tracking timeout { 1:86400 }\r
+<strong>ssl.certificate</strong>: total ssl certificates\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>stream_icmp.sessions</strong>: total icmp sessions\r
+<strong>ssl.server done</strong>: total server done\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_icmp.max</strong>: max icmp sessions\r
+<strong>ssl.client key exchange</strong>: total client key exchanges\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_icmp.created</strong>: icmp session trackers created\r
+<strong>ssl.server key exchange</strong>: total server key exchanges\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_icmp.released</strong>: icmp session trackers released\r
+<strong>ssl.change cipher</strong>: total change cipher records\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_icmp.timeouts</strong>: icmp session timeouts\r
+<strong>ssl.finished</strong>: total handshakes finished\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_icmp.prunes</strong>: icmp session prunes\r
+<strong>ssl.client application</strong>: total client application records\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_stream_ip">stream_ip</h3>\r
-<div class="paragraph"><p>What: stream inspector for IP flow tracking and defragmentation</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>stream_ip.max_frags</strong> = 8192: maximum number of simultaneous fragments being tracked { 1: }\r
+<strong>ssl.server application</strong>: total server application records\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream_ip.max_overlaps</strong> = 0: maximum allowed overlaps per datagram; 0 is unlimited { 0: }\r
+<strong>ssl.alert</strong>: total ssl alert records\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream_ip.min_frag_length</strong> = 0: alert if fragment length is below this limit before or after trimming { 0: }\r
+<strong>ssl.unrecognized records</strong>: total unrecognized records\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream_ip.min_ttl</strong> = 1: discard fragments with ttl below the minimum { 1:255 }\r
+<strong>ssl.handshakes completed</strong>: total completed ssl handshakes\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>stream_ip.policy</strong> = linux: fragment reassembly policy { first | linux | bsd | bsd_right | last | windows | solaris }\r
+<strong>ssl.bad handshakes</strong>: total bad handshakes\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream_ip.session_timeout</strong> = 30: session tracking timeout { 1:86400 }\r
+<strong>ssl.sessions ignored</strong>: total sessions ignore\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream_ip.trace</strong>: mask for enabling debug traces in module\r
+<strong>ssl.detection disabled</strong>: total detection disabled\r
</p>\r
</li>\r
</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_stream">stream</h3>\r
+<div class="paragraph"><p>What: common flow tracking</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>123:1</strong> (stream_ip) inconsistent IP options on fragmented packets\r
+bool <strong>stream.ip_frags_only</strong> = false: don’t process non-frag flows\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>123:2</strong> (stream_ip) teardrop attack\r
+int <strong>stream.ip_cache.max_sessions</strong> = 16384: maximum simultaneous sessions tracked before pruning { 2: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>123:3</strong> (stream_ip) short fragment, possible DOS attempt\r
+int <strong>stream.ip_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>123:4</strong> (stream_ip) fragment packet ends after defragmented packet\r
+int <strong>stream.ip_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>123:5</strong> (stream_ip) zero-byte fragment packet\r
+int <strong>stream.icmp_cache.max_sessions</strong> = 65536: maximum simultaneous sessions tracked before pruning { 2: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>123:6</strong> (stream_ip) bad fragment size, packet size is negative\r
+int <strong>stream.icmp_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>123:7</strong> (stream_ip) bad fragment size, packet size is greater than 65536\r
+int <strong>stream.icmp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>123:8</strong> (stream_ip) fragmentation overlap\r
+int <strong>stream.tcp_cache.max_sessions</strong> = 262144: maximum simultaneous sessions tracked before pruning { 2: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>123:11</strong> (stream_ip) TTL value less than configured minimum, not using for reassembly\r
+int <strong>stream.tcp_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>123:12</strong> (stream_ip) excessive fragment overlap\r
+int <strong>stream.tcp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>123:13</strong> (stream_ip) tiny fragment\r
+int <strong>stream.udp_cache.max_sessions</strong> = 131072: maximum simultaneous sessions tracked before pruning { 2: }\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>stream_ip.sessions</strong>: total ip sessions\r
+int <strong>stream.udp_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.max</strong>: max ip sessions\r
+int <strong>stream.udp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.created</strong>: ip session trackers created\r
+int <strong>stream.user_cache.max_sessions</strong> = 1024: maximum simultaneous sessions tracked before pruning { 2: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.released</strong>: ip session trackers released\r
+int <strong>stream.user_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.timeouts</strong>: ip session timeouts\r
+int <strong>stream.user_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.prunes</strong>: ip session prunes\r
+int <strong>stream.file_cache.max_sessions</strong> = 128: maximum simultaneous sessions tracked before pruning { 2: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.total frags</strong>: total fragments\r
+int <strong>stream.file_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.current frags</strong>: current fragments\r
+int <strong>stream.file_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>stream_ip.max frags</strong>: max fragments\r
+<strong>stream.ip flows</strong>: total ip sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.reassembled</strong>: reassembled datagrams\r
+<strong>stream.ip total prunes</strong>: total ip sessions pruned\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.discards</strong>: fragments discarded\r
+<strong>stream.ip idle prunes</strong>: ip sessions pruned due to timeout\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.frag timeouts</strong>: datagrams abandoned\r
+<strong>stream.ip excess prunes</strong>: ip sessions pruned due to excess\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.overlaps</strong>: overlapping fragments\r
+<strong>stream.ip uni prunes</strong>: ip uni sessions pruned\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.anomalies</strong>: anomalies detected\r
+<strong>stream.ip preemptive prunes</strong>: ip sessions pruned during preemptive pruning\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.alerts</strong>: alerts generated\r
+<strong>stream.ip memcap prunes</strong>: ip sessions pruned due to memcap\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.drops</strong>: fragments dropped\r
+<strong>stream.ip ha prunes</strong>: ip sessions pruned by high availability sync\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.trackers added</strong>: datagram trackers created\r
+<strong>stream.icmp flows</strong>: total icmp sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.trackers freed</strong>: datagram trackers released\r
+<strong>stream.icmp total prunes</strong>: total icmp sessions pruned\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.trackers cleared</strong>: datagram trackers cleared\r
+<strong>stream.icmp idle prunes</strong>: icmp sessions pruned due to timeout\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.trackers completed</strong>: datagram trackers completed\r
+<strong>stream.icmp excess prunes</strong>: icmp sessions pruned due to excess\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.nodes inserted</strong>: fragments added to tracker\r
+<strong>stream.icmp uni prunes</strong>: icmp uni sessions pruned\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.nodes deleted</strong>: fragments deleted from tracker\r
+<strong>stream.icmp preemptive prunes</strong>: icmp sessions pruned during preemptive pruning\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.memory used</strong>: current memory usage in bytes\r
+<strong>stream.icmp memcap prunes</strong>: icmp sessions pruned due to memcap\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.reassembled bytes</strong>: total reassembled bytes\r
+<strong>stream.icmp ha prunes</strong>: icmp sessions pruned by high availability sync\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.fragmented bytes</strong>: total fragmented bytes\r
+<strong>stream.tcp flows</strong>: total tcp sessions\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_stream_tcp">stream_tcp</h3>\r
-<div class="paragraph"><p>What: stream inspector for TCP flow tracking and stream normalization and reassembly</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>stream_tcp.flush_factor</strong> = 0: flush upon seeing a drop in segment size after given number of non-decreasing segments { 0: }\r
+<strong>stream.tcp total prunes</strong>: total tcp sessions pruned\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>stream_tcp.ignore_any_rules</strong> = false: process tcp content rules w/o ports only if rules with ports are present\r
+<strong>stream.tcp idle prunes</strong>: tcp sessions pruned due to timeout\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream_tcp.max_window</strong> = 0: maximum allowed tcp window { 0:1073725440 }\r
+<strong>stream.tcp excess prunes</strong>: tcp sessions pruned due to excess\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream_tcp.overlap_limit</strong> = 0: maximum number of allowed overlapping segments per session { 0:255 }\r
+<strong>stream.tcp uni prunes</strong>: tcp uni sessions pruned\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream_tcp.max_pdu</strong> = 16384: maximum reassembled PDU size { 1460:65535 }\r
+<strong>stream.tcp preemptive prunes</strong>: tcp sessions pruned during preemptive pruning\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>stream_tcp.policy</strong> = bsd: determines operating system characteristics like reassembly { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }\r
+<strong>stream.tcp memcap prunes</strong>: tcp sessions pruned due to memcap\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>stream_tcp.reassemble_async</strong> = true: queue data for reassembly before traffic is seen in both directions\r
+<strong>stream.tcp ha prunes</strong>: tcp sessions pruned by high availability sync\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream_tcp.require_3whs</strong> = -1: don’t track midstream sessions after given seconds from start up; -1 tracks all { -1:86400 }\r
+<strong>stream.udp flows</strong>: total udp sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>stream_tcp.show_rebuilt_packets</strong> = false: enable cmg like output of reassembled packets\r
+<strong>stream.udp total prunes</strong>: total udp sessions pruned\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream_tcp.queue_limit.max_bytes</strong> = 1048576: don’t queue more than given bytes per session and direction { 0: }\r
+<strong>stream.udp idle prunes</strong>: udp sessions pruned due to timeout\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream_tcp.queue_limit.max_segments</strong> = 2621: don’t queue more than given segments per session and direction { 0: }\r
+<strong>stream.udp excess prunes</strong>: udp sessions pruned due to excess\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream_tcp.small_segments.count</strong> = 0: limit number of small segments queued { 0:2048 }\r
+<strong>stream.udp uni prunes</strong>: udp uni sessions pruned\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream_tcp.small_segments.maximum_size</strong> = 0: limit number of small segments queued { 0:2048 }\r
+<strong>stream.udp preemptive prunes</strong>: udp sessions pruned during preemptive pruning\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream_tcp.session_timeout</strong> = 30: session tracking timeout { 1:86400 }\r
+<strong>stream.udp memcap prunes</strong>: udp sessions pruned due to memcap\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream_tcp.footprint</strong> = 0: use zero for production, non-zero for testing at given size { 0: }\r
+<strong>stream.udp ha prunes</strong>: udp sessions pruned by high availability sync\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>129:1</strong> (stream_tcp) SYN on established session\r
+<strong>stream.user flows</strong>: total user sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>129:2</strong> (stream_tcp) data on SYN packet\r
+<strong>stream.user total prunes</strong>: total user sessions pruned\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>129:3</strong> (stream_tcp) data sent on stream not accepting data\r
+<strong>stream.user idle prunes</strong>: user sessions pruned due to timeout\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>129:4</strong> (stream_tcp) TCP timestamp is outside of PAWS window\r
+<strong>stream.user excess prunes</strong>: user sessions pruned due to excess\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>129:5</strong> (stream_tcp) bad segment, adjusted size ⇐ 0\r
+<strong>stream.user uni prunes</strong>: user uni sessions pruned\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>129:6</strong> (stream_tcp) window size (after scaling) larger than policy allows\r
+<strong>stream.user preemptive prunes</strong>: user sessions pruned during preemptive pruning\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>129:7</strong> (stream_tcp) limit on number of overlapping TCP packets reached\r
+<strong>stream.user memcap prunes</strong>: user sessions pruned due to memcap\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>129:8</strong> (stream_tcp) data sent on stream after TCP Reset sent\r
+<strong>stream.user ha prunes</strong>: user sessions pruned by high availability sync\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>129:9</strong> (stream_tcp) TCP client possibly hijacked, different ethernet address\r
+<strong>stream.file flows</strong>: total file sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>129:10</strong> (stream_tcp) TCP Server possibly hijacked, different ethernet address\r
+<strong>stream.file total prunes</strong>: total file sessions pruned\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>129:11</strong> (stream_tcp) TCP data with no TCP flags set\r
+<strong>stream.file idle prunes</strong>: file sessions pruned due to timeout\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>129:12</strong> (stream_tcp) consecutive TCP small segments exceeding threshold\r
+<strong>stream.file excess prunes</strong>: file sessions pruned due to excess\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>129:13</strong> (stream_tcp) 4-way handshake detected\r
+<strong>stream.file uni prunes</strong>: file uni sessions pruned\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>129:14</strong> (stream_tcp) TCP timestamp is missing\r
+<strong>stream.file preemptive prunes</strong>: file sessions pruned during preemptive pruning\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>129:15</strong> (stream_tcp) reset outside window\r
+<strong>stream.file memcap prunes</strong>: file sessions pruned due to memcap\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>129:16</strong> (stream_tcp) FIN number is greater than prior FIN\r
+<strong>stream.file ha prunes</strong>: file sessions pruned by high availability sync\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_stream_file">stream_file</h3>\r
+<div class="paragraph"><p>What: stream inspector for file flow tracking and processing</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>129:17</strong> (stream_tcp) ACK number is greater than prior FIN\r
+bool <strong>stream_file.upload</strong> = false: indicate file transfer direction\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_stream_icmp">stream_icmp</h3>\r
+<div class="paragraph"><p>What: stream inspector for ICMP flow tracking</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+int <strong>stream_icmp.session_timeout</strong> = 30: session tracking timeout { 1:86400 }\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>129:18</strong> (stream_tcp) data sent on stream after TCP Reset received\r
+<strong>stream_icmp.sessions</strong>: total icmp sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>129:19</strong> (stream_tcp) TCP window closed before receiving data\r
+<strong>stream_icmp.max</strong>: max icmp sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>129:20</strong> (stream_tcp) TCP session without 3-way handshake\r
+<strong>stream_icmp.created</strong>: icmp session trackers created\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>stream_tcp.sessions</strong>: total tcp sessions\r
+<strong>stream_icmp.released</strong>: icmp session trackers released\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.max</strong>: max tcp sessions\r
+<strong>stream_icmp.timeouts</strong>: icmp session timeouts\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.created</strong>: tcp session trackers created\r
+<strong>stream_icmp.prunes</strong>: icmp session prunes\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_stream_ip">stream_ip</h3>\r
+<div class="paragraph"><p>What: stream inspector for IP flow tracking and defragmentation</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>stream_tcp.released</strong>: tcp session trackers released\r
+int <strong>stream_ip.max_frags</strong> = 8192: maximum number of simultaneous fragments being tracked { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.timeouts</strong>: tcp session timeouts\r
+int <strong>stream_ip.max_overlaps</strong> = 0: maximum allowed overlaps per datagram; 0 is unlimited { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.prunes</strong>: tcp session prunes\r
+int <strong>stream_ip.min_frag_length</strong> = 0: alert if fragment length is below this limit before or after trimming { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.resyns</strong>: SYN received on established session\r
+int <strong>stream_ip.min_ttl</strong> = 1: discard fragments with ttl below the minimum { 1:255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.discards</strong>: tcp packets discarded\r
+enum <strong>stream_ip.policy</strong> = linux: fragment reassembly policy { first | linux | bsd | bsd_right | last | windows | solaris }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.events</strong>: events generated\r
+int <strong>stream_ip.session_timeout</strong> = 30: session tracking timeout { 1:86400 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.ignored</strong>: tcp packets ignored\r
+int <strong>stream_ip.trace</strong>: mask for enabling debug traces in module\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>stream_tcp.untracked</strong>: tcp packets not tracked\r
+<strong>123:1</strong> (stream_ip) inconsistent IP options on fragmented packets\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.syn trackers</strong>: tcp session tracking started on syn\r
+<strong>123:2</strong> (stream_ip) teardrop attack\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.syn-ack trackers</strong>: tcp session tracking started on syn-ack\r
+<strong>123:3</strong> (stream_ip) short fragment, possible DOS attempt\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.3way trackers</strong>: tcp session tracking started on ack\r
+<strong>123:4</strong> (stream_ip) fragment packet ends after defragmented packet\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.data trackers</strong>: tcp session tracking started on data\r
+<strong>123:5</strong> (stream_ip) zero-byte fragment packet\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.segs queued</strong>: total segments queued\r
+<strong>123:6</strong> (stream_ip) bad fragment size, packet size is negative\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.segs released</strong>: total segments released\r
+<strong>123:7</strong> (stream_ip) bad fragment size, packet size is greater than 65536\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.segs split</strong>: tcp segments split when reassembling PDUs\r
+<strong>123:8</strong> (stream_ip) fragmentation overlap\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.segs used</strong>: queued tcp segments applied to reassembled PDUs\r
+<strong>123:11</strong> (stream_ip) TTL value less than configured minimum, not using for reassembly\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.rebuilt packets</strong>: total reassembled PDUs\r
+<strong>123:12</strong> (stream_ip) excessive fragment overlap\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.rebuilt buffers</strong>: rebuilt PDU sections\r
+<strong>123:13</strong> (stream_ip) tiny fragment\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>stream_tcp.rebuilt bytes</strong>: total rebuilt bytes\r
+<strong>stream_ip.sessions</strong>: total ip sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.overlaps</strong>: overlapping segments queued\r
+<strong>stream_ip.max</strong>: max ip sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.gaps</strong>: missing data between PDUs\r
+<strong>stream_ip.created</strong>: ip session trackers created\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.max segs</strong>: number of times the maximum queued segment limit was reached\r
+<strong>stream_ip.released</strong>: ip session trackers released\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.max bytes</strong>: number of times the maximum queued byte limit was reached\r
+<strong>stream_ip.timeouts</strong>: ip session timeouts\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.internal events</strong>: 135:X events generated\r
+<strong>stream_ip.prunes</strong>: ip session prunes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.client cleanups</strong>: number of times data from server was flushed when session released\r
+<strong>stream_ip.total frags</strong>: total fragments\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.server cleanups</strong>: number of times data from client was flushed when session released\r
+<strong>stream_ip.current frags</strong>: current fragments\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.memory</strong>: current memory in use\r
+<strong>stream_ip.max frags</strong>: max fragments\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.initializing</strong>: number of sessions currently initializing\r
+<strong>stream_ip.reassembled</strong>: reassembled datagrams\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.established</strong>: number of sessions currently established\r
+<strong>stream_ip.discards</strong>: fragments discarded\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.closing</strong>: number of sessions currently closing\r
+<strong>stream_ip.frag timeouts</strong>: datagrams abandoned\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_stream_udp">stream_udp</h3>\r
-<div class="paragraph"><p>What: stream inspector for UDP flow tracking</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>stream_udp.session_timeout</strong> = 30: session tracking timeout { 1:86400 }\r
+<strong>stream_ip.overlaps</strong>: overlapping fragments\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>stream_udp.ignore_any_rules</strong> = false: process udp content rules w/o ports only if rules with ports are present\r
+<strong>stream_ip.anomalies</strong>: anomalies detected\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>stream_udp.sessions</strong>: total udp sessions\r
+<strong>stream_ip.alerts</strong>: alerts generated\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_udp.max</strong>: max udp sessions\r
+<strong>stream_ip.drops</strong>: fragments dropped\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_udp.created</strong>: udp session trackers created\r
+<strong>stream_ip.trackers added</strong>: datagram trackers created\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_udp.released</strong>: udp session trackers released\r
+<strong>stream_ip.trackers freed</strong>: datagram trackers released\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_udp.timeouts</strong>: udp session timeouts\r
+<strong>stream_ip.trackers cleared</strong>: datagram trackers cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_udp.prunes</strong>: udp session prunes\r
+<strong>stream_ip.trackers completed</strong>: datagram trackers completed\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_stream_user">stream_user</h3>\r
-<div class="paragraph"><p>What: stream inspector for user flow tracking and reassembly</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>stream_user.session_timeout</strong> = 30: session tracking timeout { 1:86400 }\r
+<strong>stream_ip.nodes inserted</strong>: fragments added to tracker\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_telnet">telnet</h3>\r
-<div class="paragraph"><p>What: telnet inspection and normalization</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>telnet.ayt_attack_thresh</strong> = -1: alert on this number of consecutive telnet AYT commands { -1: }\r
+<strong>stream_ip.nodes deleted</strong>: fragments deleted from tracker\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>telnet.check_encrypted</strong> = false: check for end of encryption\r
+<strong>stream_ip.memory used</strong>: current memory usage in bytes\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>telnet.encrypted_traffic</strong> = false: check for encrypted telnet and ftp\r
+<strong>stream_ip.reassembled bytes</strong>: total reassembled bytes\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>telnet.normalize</strong> = false: eliminate escape sequences\r
+<strong>stream_ip.fragmented bytes</strong>: total fragmented bytes\r
</p>\r
</li>\r
</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_stream_tcp">stream_tcp</h3>\r
+<div class="paragraph"><p>What: stream inspector for TCP flow tracking and stream normalization and reassembly</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>126:1</strong> (telnet) consecutive telnet AYT commands beyond threshold\r
+int <strong>stream_tcp.flush_factor</strong> = 0: flush upon seeing a drop in segment size after given number of non-decreasing segments { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>126:2</strong> (telnet) telnet traffic encrypted\r
+bool <strong>stream_tcp.ignore_any_rules</strong> = false: process tcp content rules w/o ports only if rules with ports are present\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>126:3</strong> (telnet) telnet subnegotiation begin command without subnegotiation end\r
+int <strong>stream_tcp.max_window</strong> = 0: maximum allowed tcp window { 0:1073725440 }\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>telnet.packets</strong>: total packets\r
+int <strong>stream_tcp.overlap_limit</strong> = 0: maximum number of allowed overlapping segments per session { 0:255 }\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_wizard">wizard</h3>\r
-<div class="paragraph"><p>What: inspector that implements port-independent protocol identification</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>wizard.hexes[].service</strong>: name of service\r
+int <strong>stream_tcp.max_pdu</strong> = 16384: maximum reassembled PDU size { 1460:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-select <strong>wizard.hexes[].proto</strong> = tcp: protocol to scan { tcp | udp }\r
+enum <strong>stream_tcp.policy</strong> = bsd: determines operating system characteristics like reassembly { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>wizard.hexes[].client_first</strong> = true: which end initiates data transfer\r
+bool <strong>stream_tcp.reassemble_async</strong> = true: queue data for reassembly before traffic is seen in both directions\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>wizard.hexes[].to_server[].hex</strong>: sequence of data with wild chars (?)\r
+int <strong>stream_tcp.require_3whs</strong> = -1: don’t track midstream sessions after given seconds from start up; -1 tracks all { -1:86400 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>wizard.hexes[].to_client[].hex</strong>: sequence of data with wild chars (?)\r
+bool <strong>stream_tcp.show_rebuilt_packets</strong> = false: enable cmg like output of reassembled packets\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>wizard.spells[].service</strong>: name of service\r
+int <strong>stream_tcp.queue_limit.max_bytes</strong> = 1048576: don’t queue more than given bytes per session and direction { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-select <strong>wizard.spells[].proto</strong> = tcp: protocol to scan { tcp | udp }\r
+int <strong>stream_tcp.queue_limit.max_segments</strong> = 2621: don’t queue more than given segments per session and direction { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>wizard.spells[].client_first</strong> = true: which end initiates data transfer\r
+int <strong>stream_tcp.small_segments.count</strong> = 0: limit number of small segments queued { 0:2048 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with wild cards (*)\r
+int <strong>stream_tcp.small_segments.maximum_size</strong> = 0: limit number of small segments queued { 0:2048 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>wizard.spells[].to_client[].spell</strong>: sequence of data with wild cards (*)\r
+int <strong>stream_tcp.session_timeout</strong> = 30: session tracking timeout { 1:86400 }\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>wizard.tcp scans</strong>: tcp payload scans\r
+int <strong>stream_tcp.footprint</strong> = 0: use zero for production, non-zero for testing at given size { 0: }\r
</p>\r
</li>\r
+</ul></div>\r
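Review bot: the help text for "stream_tcp.small_segments.maximum_size" is a copy of the one for "small_segments.count" (both read "limit number of small segments queued" with range { 0:2048 }), so this added configuration list never says what maximum_size measures. Rule 129:12 ("consecutive TCP small segments exceeding threshold") is driven by these two values, so the manual should state that count is the number of consecutive small segments tolerated and maximum_size the payload size, in bytes, at or below which a segment counts as small, e.g. "int stream_tcp.small_segments.maximum_size = 0: segments at or below this size are counted as small { 0:2048 }". Two smaller gaps in the same list: "queue_limit.max_bytes" and "queue_limit.max_segments" accept 0 without saying whether 0 means no limit, and "require_3whs = -1" explains -1 ("tracks all") but not 0, which by its own wording ("don't track midstream sessions after given seconds from start up") is the value an operator sets to refuse midstream pickup from the first second; both matter to anyone tuning memory use or relying on 129:20.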
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>wizard.tcp hits</strong>: tcp identifications\r
+<strong>129:1</strong> (stream_tcp) SYN on established session\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>wizard.udp scans</strong>: udp payload scans\r
+<strong>129:2</strong> (stream_tcp) data on SYN packet\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>wizard.udp hits</strong>: udp identifications\r
+<strong>129:3</strong> (stream_tcp) data sent on stream not accepting data\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>wizard.user scans</strong>: user payload scans\r
+<strong>129:4</strong> (stream_tcp) TCP timestamp is outside of PAWS window\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>wizard.user hits</strong>: user identifications\r
+<strong>129:5</strong> (stream_tcp) bad segment, adjusted size ⇐ 0 (deprecated)\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-</div>\r
-</div>\r
-<div class="sect1">\r
-<h2 id="_ips_action_modules">IPS Action Modules</h2>\r
-<div class="sectionbody">\r
-<div class="paragraph"><p>IPS actions allow you to perform custom actions when events are generated.\r
-Unlike loggers, these are invoked before thresholding and can be used to\r
-control external agents.</p></div>\r
-<div class="paragraph"><p>Externally defined actions must be configured to become available to the\r
-parser. For the reject rule, you can set reject = { } to get the rule to\r
-parse.</p></div>\r
-<div class="sect2">\r
-<h3 id="_react">react</h3>\r
-<div class="paragraph"><p>What: send response to client and terminate session</p></div>\r
-<div class="paragraph"><p>Type: ips_action</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>react.msg</strong> = false: use rule msg in response page instead of default message\r
+<strong>129:6</strong> (stream_tcp) window size (after scaling) larger than policy allows\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>react.page</strong>: file containing HTTP response (headers and body)\r
+<strong>129:7</strong> (stream_tcp) limit on number of overlapping TCP packets reached\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_reject">reject</h3>\r
-<div class="paragraph"><p>What: terminate session with TCP reset or ICMP unreachable</p></div>\r
-<div class="paragraph"><p>Type: ips_action</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-enum <strong>reject.reset</strong>: send tcp reset to one or both ends { source|dest|both }\r
+<strong>129:8</strong> (stream_tcp) data sent on stream after TCP reset sent\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>reject.control</strong>: send icmp unreachable(s) { network|host|port|all }\r
+<strong>129:9</strong> (stream_tcp) TCP client possibly hijacked, different ethernet address\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_rewrite">rewrite</h3>\r
-<div class="paragraph"><p>What: overwrite packet contents</p></div>\r
-<div class="paragraph"><p>Type: ips_action</p></div>\r
-</div>\r
-</div>\r
-</div>\r
-<div class="sect1">\r
-<h2 id="_ips_option_modules">IPS Option Modules</h2>\r
-<div class="sectionbody">\r
-<div class="paragraph"><p>IPS options are the building blocks of IPS rules.</p></div>\r
-<div class="sect2">\r
-<h3 id="_ack">ack</h3>\r
-<div class="paragraph"><p>What: rule option to match on TCP ack numbers</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>ack.~range</strong>: check if tcp ack value is <em>value | min<>max | <max | >min</em>\r
+<strong>129:10</strong> (stream_tcp) TCP server possibly hijacked, different ethernet address\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_appids">appids</h3>\r
-<div class="paragraph"><p>What: detection option for application ids</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>appids.~</strong>: appid option\r
+<strong>129:11</strong> (stream_tcp) TCP data with no TCP flags set\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_asn1">asn1</h3>\r
-<div class="paragraph"><p>What: rule option for asn1 detection</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>asn1.bitstring_overflow</strong>: Detects invalid bitstring encodings that are known to be remotely exploitable.\r
+<strong>129:12</strong> (stream_tcp) consecutive TCP small segments exceeding threshold\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>asn1.double_overflow</strong>: Detects a double ASCII encoding that is larger than a standard buffer.\r
+<strong>129:13</strong> (stream_tcp) 4-way handshake detected\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>asn1.print</strong>: dump decode data to console; always true\r
+<strong>129:14</strong> (stream_tcp) TCP timestamp is missing\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>asn1.oversize_length</strong>: Compares ASN.1 type lengths with the supplied argument. { 0: }\r
+<strong>129:15</strong> (stream_tcp) reset outside window\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>asn1.absolute_offset</strong>: Absolute offset from the beginning of the packet. { 0: }\r
+<strong>129:16</strong> (stream_tcp) FIN number is greater than prior FIN\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>asn1.relative_offset</strong>: relative offset from the cursor.\r
+<strong>129:17</strong> (stream_tcp) ACK number is greater than prior FIN\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_base64_decode">base64_decode</h3>\r
-<div class="paragraph"><p>What: rule option to decode base64 data - must be used with base64_data option</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>base64_decode.bytes</strong>: Number of base64 encoded bytes to decode. { 1: }\r
+<strong>129:18</strong> (stream_tcp) data sent on stream after TCP reset received\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>base64_decode.offset</strong> = 0: Bytes past start of buffer to start decoding. { 0: }\r
+<strong>129:19</strong> (stream_tcp) TCP window closed before receiving data\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>base64_decode.relative</strong>: Apply offset to cursor instead of start of buffer.\r
+<strong>129:20</strong> (stream_tcp) TCP session without 3-way handshake\r
</p>\r
</li>\r
</ul></div>\r
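Review bot: rule 129:5 in the added stream_tcp rules list renders as "bad segment, adjusted size ⇐ 0 (deprecated)", where the double arrow is AsciiDoc's replacement for a literal "<=" in the help string, so the generated manual now shows a symbol the condition does not mean. Escape the operator in the module help string (or wrap it in a passthrough) so the HTML reads "adjusted size <= 0", and check the other rule messages in this build for the same substitution before the page ships.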
-</div>\r
-<div class="sect2">\r
-<h3 id="_bufferlen">bufferlen</h3>\r
-<div class="paragraph"><p>What: rule option to check length of current buffer</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>bufferlen.~range</strong>: len | min<>max | <max | >min\r
+<strong>stream_tcp.sessions</strong>: total tcp sessions\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_byte_extract">byte_extract</h3>\r
-<div class="paragraph"><p>What: rule option to convert data to an integer variable</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>byte_extract.~count</strong>: number of bytes to pick up from the buffer { 1:10 }\r
+<strong>stream_tcp.max</strong>: max tcp sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>byte_extract.~offset</strong>: number of bytes into the buffer to start processing { -65535:65535 }\r
+<strong>stream_tcp.created</strong>: tcp session trackers created\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>byte_extract.~name</strong>: name of the variable that will be used in other rule options\r
+<strong>stream_tcp.released</strong>: tcp session trackers released\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>byte_extract.relative</strong>: offset from cursor instead of start of buffer\r
+<strong>stream_tcp.timeouts</strong>: tcp session timeouts\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>byte_extract.multiplier</strong> = 1: scale extracted value by given amount { 1:65535 }\r
+<strong>stream_tcp.prunes</strong>: tcp session prunes\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>byte_extract.align</strong> = 0: round the number of converted bytes up to the next 2- or 4-byte boundary { 0:4 }\r
+<strong>stream_tcp.resyns</strong>: SYN received on established session\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>byte_extract.big</strong>: big endian\r
+<strong>stream_tcp.discards</strong>: tcp packets discarded\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>byte_extract.little</strong>: little endian\r
+<strong>stream_tcp.events</strong>: events generated\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>byte_extract.dce</strong>: dcerpc2 determines endianness\r
+<strong>stream_tcp.ignored</strong>: tcp packets ignored\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>byte_extract.string</strong>: convert from string\r
+<strong>stream_tcp.untracked</strong>: tcp packets not tracked\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>byte_extract.hex</strong>: convert from hex string\r
+<strong>stream_tcp.syn trackers</strong>: tcp session tracking started on syn\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>byte_extract.oct</strong>: convert from octal string\r
+<strong>stream_tcp.syn-ack trackers</strong>: tcp session tracking started on syn-ack\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>byte_extract.dec</strong>: convert from decimal string\r
+<strong>stream_tcp.3way trackers</strong>: tcp session tracking started on ack\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_byte_jump">byte_jump</h3>\r
-<div class="paragraph"><p>What: rule option to move the detection cursor</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>byte_jump.~count</strong>: number of bytes to pick up from the buffer { 1:10 }\r
+<strong>stream_tcp.data trackers</strong>: tcp session tracking started on data\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>byte_jump.~offset</strong>: variable name or number of bytes into the buffer to start processing\r
+<strong>stream_tcp.segs queued</strong>: total segments queued\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>byte_jump.relative</strong>: offset from cursor instead of start of buffer\r
+<strong>stream_tcp.segs released</strong>: total segments released\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>byte_jump.from_beginning</strong>: jump from start of buffer instead of cursor\r
+<strong>stream_tcp.segs split</strong>: tcp segments split when reassembling PDUs\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>byte_jump.multiplier</strong> = 1: scale extracted value by given amount { 1:65535 }\r
+<strong>stream_tcp.segs used</strong>: queued tcp segments applied to reassembled PDUs\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>byte_jump.align</strong> = 0: round the number of converted bytes up to the next 2- or 4-byte boundary { 0:4 }\r
+<strong>stream_tcp.rebuilt packets</strong>: total reassembled PDUs\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>byte_jump.post_offset</strong> = 0: also skip forward or backwards (positive of negative value) this number of bytes { -65535:65535 }\r
+<strong>stream_tcp.rebuilt buffers</strong>: rebuilt PDU sections\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>byte_jump.big</strong>: big endian\r
+<strong>stream_tcp.rebuilt bytes</strong>: total rebuilt bytes\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>byte_jump.little</strong>: little endian\r
+<strong>stream_tcp.overlaps</strong>: overlapping segments queued\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>byte_jump.dce</strong>: dcerpc2 determines endianness\r
+<strong>stream_tcp.gaps</strong>: missing data between PDUs\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>byte_jump.string</strong>: convert from string\r
+<strong>stream_tcp.max segs</strong>: number of times the maximum queued segment limit was reached\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>byte_jump.hex</strong>: convert from hex string\r
+<strong>stream_tcp.max bytes</strong>: number of times the maximum queued byte limit was reached\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>byte_jump.oct</strong>: convert from octal string\r
+<strong>stream_tcp.internal events</strong>: 135:X events generated\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>byte_jump.dec</strong>: convert from decimal string\r
+<strong>stream_tcp.client cleanups</strong>: number of times data from server was flushed when session released\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_byte_test">byte_test</h3>\r
-<div class="paragraph"><p>What: rule option to convert data to integer and compare</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>byte_test.~count</strong>: number of bytes to pick up from the buffer { 1:10 }\r
+<strong>stream_tcp.server cleanups</strong>: number of times data from client was flushed when session released\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>byte_test.~operator</strong>: variable name or number of bytes into the buffer to start processing\r
+<strong>stream_tcp.memory</strong>: current memory in use\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>byte_test.~compare</strong>: variable name or value to test the converted result against\r
+<strong>stream_tcp.initializing</strong>: number of sessions currently initializing\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>byte_test.~offset</strong>: variable name or number of bytes into the payload to start processing\r
+<strong>stream_tcp.established</strong>: number of sessions currently established\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>byte_test.relative</strong>: offset from cursor instead of start of buffer\r
+<strong>stream_tcp.closing</strong>: number of sessions currently closing\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_stream_udp">stream_udp</h3>\r
+<div class="paragraph"><p>What: stream inspector for UDP flow tracking</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>byte_test.big</strong>: big endian\r
+int <strong>stream_udp.session_timeout</strong> = 30: session tracking timeout { 1:86400 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>byte_test.little</strong>: little endian\r
+bool <strong>stream_udp.ignore_any_rules</strong> = false: process udp content rules w/o ports only if rules with ports are present\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>byte_test.dce</strong>: dcerpc2 determines endianness\r
+<strong>stream_udp.sessions</strong>: total udp sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>byte_test.string</strong>: convert from string\r
+<strong>stream_udp.max</strong>: max udp sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>byte_test.hex</strong>: convert from hex string\r
+<strong>stream_udp.created</strong>: udp session trackers created\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>byte_test.oct</strong>: convert from octal string\r
+<strong>stream_udp.released</strong>: udp session trackers released\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>byte_test.dec</strong>: convert from decimal string\r
+<strong>stream_udp.timeouts</strong>: udp session timeouts\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream_udp.prunes</strong>: udp session prunes\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
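Review bot: the help for "stream_udp.ignore_any_rules" ("process udp content rules w/o ports only if rules with ports are present") is hard to parse and hides the trade-off it implies: with the option enabled, a UDP flow on a port that no port-specific rule covers gets no payload rule evaluation at all, which is a detection gap and not only a speed-up. Reword along the lines of "skip udp payload rules that have no port restriction unless the flow also matches a rule with explicit ports" and state that the default of false evaluates every rule.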
<div class="sect2">\r
-<h3 id="_classtype">classtype</h3>\r
-<div class="paragraph"><p>What: general rule option for rule classification</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
+<h3 id="_stream_user">stream_user</h3>\r
+<div class="paragraph"><p>What: stream inspector for user flow tracking and reassembly</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>classtype.~</strong>: classification for this rule\r
+int <strong>stream_user.session_timeout</strong> = 30: session tracking timeout { 1:86400 }\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_content">content</h3>\r
-<div class="paragraph"><p>What: payload rule option for basic pattern matching</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
+<h3 id="_telnet">telnet</h3>\r
+<div class="paragraph"><p>What: telnet inspection and normalization</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>content.~data</strong>: data to match\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>content.nocase</strong>: case insensitive match\r
+int <strong>telnet.ayt_attack_thresh</strong> = -1: alert on this number of consecutive telnet AYT commands { -1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>content.fast_pattern</strong>: use this content in the fast pattern matcher instead of the content selected by default\r
+bool <strong>telnet.check_encrypted</strong> = false: check for end of encryption\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>content.fast_pattern_offset</strong> = 0: number of leading characters of this content the fast pattern matcher should exclude { 0: }\r
+bool <strong>telnet.encrypted_traffic</strong> = false: check for encrypted telnet and ftp\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>content.fast_pattern_length</strong>: maximum number of characters from this content the fast pattern matcher should use { 1: }\r
+bool <strong>telnet.normalize</strong> = false: eliminate escape sequences\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>content.offset</strong>: var or number of bytes from start of buffer to start search\r
+<strong>126:1</strong> (telnet) consecutive telnet AYT commands beyond threshold\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>content.depth</strong>: var or maximum number of bytes to search from beginning of buffer\r
+<strong>126:2</strong> (telnet) telnet traffic encrypted\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>content.distance</strong>: var or number of bytes from cursor to start search\r
+<strong>126:3</strong> (telnet) telnet subnegotiation begin command without subnegotiation end\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>content.within</strong>: var or maximum number of bytes to search from cursor\r
+<strong>telnet.packets</strong>: total packets\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
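Review bot: "telnet.ayt_attack_thresh = -1" with range { -1: } never says what -1 means; since 126:1 fires on "consecutive telnet AYT commands beyond threshold", the help should say that -1 (the default) disables the AYT check and that any non-negative value is the count at which 126:1 is raised. The two encryption booleans also need one sentence on how they relate: "encrypted_traffic" ("check for encrypted telnet and ftp") is what leads to 126:2, and "check_encrypted" ("check for end of encryption") governs whether inspection resumes once the session stops looking encrypted; the manual should say what happens to the rest of the flow when the first is set without the second, because whether it stays uninspected after the alert is the operationally important consequence.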
<div class="sect2">\r
-<h3 id="_cvs">cvs</h3>\r
-<div class="paragraph"><p>What: payload rule option for detecting specific attacks</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
+<h3 id="_wizard_2">wizard</h3>\r
+<div class="paragraph"><p>What: inspector that implements port-independent protocol identification</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>cvs.invalid-entry</strong>: looks for an invalid Entry string\r
+string <strong>wizard.hexes[].service</strong>: name of service\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_dce_iface">dce_iface</h3>\r
-<div class="paragraph"><p>What: detection option to check dcerpc interface</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>dce_iface.uuid</strong>: match given dcerpc uuid\r
+select <strong>wizard.hexes[].proto</strong> = tcp: protocol to scan { tcp | udp }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>dce_iface.version</strong>: interface version\r
+bool <strong>wizard.hexes[].client_first</strong> = true: which end initiates data transfer\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>wizard.hexes[].to_server[].hex</strong>: sequence of data with wild chars (?)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>wizard.hexes[].to_client[].hex</strong>: sequence of data with wild chars (?)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>wizard.spells[].service</strong>: name of service\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+select <strong>wizard.spells[].proto</strong> = tcp: protocol to scan { tcp | udp }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>wizard.spells[].client_first</strong> = true: which end initiates data transfer\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with wild cards (*)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>wizard.spells[].to_client[].spell</strong>: sequence of data with wild cards (*)\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>dce_iface.any_frag</strong>: match on any fragment\r
+multi <strong>wizard.curses</strong>: enable service identification based on internal algorithm { dce_smb | dce_udp | dce_tcp }\r
</p>\r
</li>\r
</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_dce_opnum">dce_opnum</h3>\r
-<div class="paragraph"><p>What: detection option to check dcerpc operation number</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>dce_opnum.~</strong>: match given dcerpc operation number, range or list\r
+<strong>wizard.tcp scans</strong>: tcp payload scans\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_dce_stub_data">dce_stub_data</h3>\r
-<div class="paragraph"><p>What: sets the cursor to dcerpc stub data</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_detection_filter">detection_filter</h3>\r
-<div class="paragraph"><p>What: rule option to require multiple hits before a rule generates an event</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-enum <strong>detection_filter.track</strong>: track hits by source or destination IP address { by_src | by_dst }\r
+<strong>wizard.tcp hits</strong>: tcp identifications\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>detection_filter.count</strong>: hits in interval before allowing the rule to fire { 1: }\r
+<strong>wizard.udp scans</strong>: udp payload scans\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>detection_filter.seconds</strong>: length of interval to count hits { 1: }\r
+<strong>wizard.udp hits</strong>: udp identifications\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_dnp3_data">dnp3_data</h3>\r
-<div class="paragraph"><p>What: sets the cursor to dnp3 data</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_dnp3_func">dnp3_func</h3>\r
-<div class="paragraph"><p>What: detection option to check dnp3 function code</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>dnp3_func.~</strong>: match dnp3 function code or name\r
+<strong>wizard.user scans</strong>: user payload scans\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_dnp3_ind">dnp3_ind</h3>\r
-<div class="paragraph"><p>What: detection option to check dnp3 indicator flags</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>dnp3_ind.~</strong>: match given dnp3 indicator flags\r
+<strong>wizard.user hits</strong>: user identifications\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
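Review bot: the -/+ churn from the top of this hunk down to here is a relocation, not a content change: the wizard module moved below stream_tcp, stream_udp, stream_user and telnet, and every wizard configuration and peg-count line removed above reappears verbatim in this block. The one real wizard change is the new "multi wizard.curses: enable service identification based on internal algorithm { dce_smb | dce_udp | dce_tcp }", and it deserves a sentence in the wizard description on how curses relate to hexes and spells (whether a curse is tried only when no hex or spell matches, or before them), because that ordering decides which identification wins on an ambiguous payload. If the move came from reordering modules in the doc generator, a separate commit for the reorder would make the curses addition reviewable on its own.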
+</div>\r
+</div>\r
+<div class="sect1">\r
+<h2 id="_ips_action_modules">IPS Action Modules</h2>\r
+<div class="sectionbody">\r
+<div class="paragraph"><p>IPS actions allow you to perform custom actions when events are generated.\r
+Unlike loggers, these are invoked before thresholding and can be used to\r
+control external agents.</p></div>\r
+<div class="paragraph"><p>Externally defined actions must be configured to become available to the\r
+parser. For the reject rule, you can set reject = { } to get the rule to\r
+parse.</p></div>\r
<div class="sect2">\r
-<h3 id="_dnp3_obj">dnp3_obj</h3>\r
-<div class="paragraph"><p>What: detection option to check dnp3 object headers</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
+<h3 id="_react">react</h3>\r
+<div class="paragraph"><p>What: send response to client and terminate session</p></div>\r
+<div class="paragraph"><p>Type: ips_action</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>dnp3_obj.group</strong> = 0: match given dnp3 object header group { 0:255 }\r
+bool <strong>react.msg</strong> = false: use rule msg in response page instead of default message\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>dnp3_obj.var</strong> = 0: match given dnp3 object header var { 0:255 }\r
+string <strong>react.page</strong>: file containing HTTP response (headers and body)\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_dsize">dsize</h3>\r
-<div class="paragraph"><p>What: rule option to test payload size</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
+<h3 id="_reject">reject</h3>\r
+<div class="paragraph"><p>What: terminate session with TCP reset or ICMP unreachable</p></div>\r
+<div class="paragraph"><p>Type: ips_action</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>dsize.~range</strong>: check if packet payload size is <em>size | min<>max | <max | >min</em>\r
+enum <strong>reject.reset</strong>: send tcp reset to one or both ends { source|dest|both }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+enum <strong>reject.control</strong>: send icmp unreachable(s) { network|host|port|all }\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_file_data">file_data</h3>\r
-<div class="paragraph"><p>What: rule option to set detection cursor to file data</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
+<h3 id="_rewrite">rewrite</h3>\r
+<div class="paragraph"><p>What: overwrite packet contents</p></div>\r
+<div class="paragraph"><p>Type: ips_action</p></div>\r
+</div>\r
</div>\r
+</div>\r
+<div class="sect1">\r
+<h2 id="_ips_option_modules">IPS Option Modules</h2>\r
+<div class="sectionbody">\r
+<div class="paragraph"><p>IPS options are the building blocks of IPS rules.</p></div>\r
<div class="sect2">\r
-<h3 id="_file_type">file_type</h3>\r
-<div class="paragraph"><p>What: rule option to check file type</p></div>\r
+<h3 id="_ack">ack</h3>\r
+<div class="paragraph"><p>What: rule option to match on TCP ack numbers</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>file_type.~</strong>: list of file type IDs to match\r
+string <strong>ack.~range</strong>: check if tcp ack value is <em>value | min<>max | <max | >min</em>\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_flags">flags</h3>\r
-<div class="paragraph"><p>What: rule option to test TCP control flags</p></div>\r
+<h3 id="_appids">appids</h3>\r
+<div class="paragraph"><p>What: detection option for application ids</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>flags.~test_flags</strong>: these flags are tested\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>flags.~mask_flags</strong>: these flags are don’t cares\r
+string <strong>appids.~</strong>: appid option\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_flow">flow</h3>\r
-<div class="paragraph"><p>What: rule option to check session properties</p></div>\r
+<h3 id="_asn1">asn1</h3>\r
+<div class="paragraph"><p>What: rule option for asn1 detection</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>flow.to_client</strong>: match on server responses\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>flow.to_server</strong>: match on client requests\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>flow.from_client</strong>: same as to_server\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>flow.from_server</strong>: same as to_client\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>flow.established</strong>: match only during data transfer phase\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>flow.not_established</strong>: match only outside data transfer phase\r
+implied <strong>asn1.bitstring_overflow</strong>: detects invalid bitstring encodings that are known to be remotely exploitable\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>flow.stateless</strong>: match regardless of stream state\r
+implied <strong>asn1.double_overflow</strong>: detects a double ASCII encoding that is larger than a standard buffer\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>flow.no_stream</strong>: match on raw packets only\r
+implied <strong>asn1.print</strong>: dump decode data to console; always true\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>flow.only_stream</strong>: match on reassembled packets only\r
+int <strong>asn1.oversize_length</strong>: compares ASN.1 type lengths with the supplied argument { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>flow.no_frag</strong>: match on raw packets only\r
+int <strong>asn1.absolute_offset</strong>: absolute offset from the beginning of the packet { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>flow.only_frag</strong>: match on defragmented packets only\r
+int <strong>asn1.relative_offset</strong>: relative offset from the cursor\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_flowbits">flowbits</h3>\r
-<div class="paragraph"><p>What: rule option to set and test arbitrary boolean flags</p></div>\r
+<h3 id="_base64_decode">base64_decode</h3>\r
+<div class="paragraph"><p>What: rule option to decode base64 data - must be used with base64_data option</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>flowbits.~command</strong>: set|reset|isset|etc.\r
+int <strong>base64_decode.bytes</strong>: number of base64 encoded bytes to decode { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>flowbits.~arg1</strong>: bits or group\r
+int <strong>base64_decode.offset</strong> = 0: bytes past start of buffer to start decoding { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>flowbits.~arg2</strong>: group if arg1 is bits\r
+implied <strong>base64_decode.relative</strong>: apply offset to cursor instead of start of buffer\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_fragbits">fragbits</h3>\r
-<div class="paragraph"><p>What: rule option to test IP frag flags</p></div>\r
+<h3 id="_bufferlen">bufferlen</h3>\r
+<div class="paragraph"><p>What: rule option to check length of current buffer</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>fragbits.~flags</strong>: these flags are tested\r
+string <strong>bufferlen.~range</strong>: len | min<>max | <max | >min\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_fragoffset">fragoffset</h3>\r
-<div class="paragraph"><p>What: rule option to test IP frag offset</p></div>\r
+<h3 id="_byte_extract">byte_extract</h3>\r
+<div class="paragraph"><p>What: rule option to convert data to an integer variable</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>fragoffset.~range</strong>: check if ip fragment offset value is <em>value | min<>max | <max | >min</em>\r
+int <strong>byte_extract.~count</strong>: number of bytes to pick up from the buffer { 1:10 }\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_gid">gid</h3>\r
-<div class="paragraph"><p>What: rule option specifying rule generator</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>gid.~</strong>: generator id { 1: }\r
+int <strong>byte_extract.~offset</strong>: number of bytes into the buffer to start processing { -65535:65535 }\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_gtp_info">gtp_info</h3>\r
-<div class="paragraph"><p>What: rule option to check gtp info element</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>gtp_info.~</strong>: info element to match\r
+string <strong>byte_extract.~name</strong>: name of the variable that will be used in other rule options\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_gtp_type">gtp_type</h3>\r
-<div class="paragraph"><p>What: rule option to check gtp types</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>gtp_type.~</strong>: list of types to match\r
+implied <strong>byte_extract.relative</strong>: offset from cursor instead of start of buffer\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_gtp_version">gtp_version</h3>\r
-<div class="paragraph"><p>What: rule option to check gtp version</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>gtp_version.~</strong>: version to match { 0:2 }\r
+int <strong>byte_extract.multiplier</strong> = 1: scale extracted value by given amount { 1:65535 }\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_client_body">http_client_body</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the request body</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_cookie">http_cookie</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the HTTP cookie</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>http_cookie.request</strong>: Match against the cookie from the request message even when examining the response\r
+int <strong>byte_extract.align</strong> = 0: round the number of converted bytes up to the next 2- or 4-byte boundary { 0:4 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_cookie.with_body</strong>: Parts of this rule examine HTTP message body\r
+implied <strong>byte_extract.big</strong>: big endian\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_cookie.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
+implied <strong>byte_extract.little</strong>: little endian\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>byte_extract.dce</strong>: dcerpc2 determines endianness\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_header">http_header</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the normalized headers</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>http_header.field</strong>: Restrict to given header. Header name is case insensitive.\r
+implied <strong>byte_extract.string</strong>: convert from string\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_header.request</strong>: Match against the headers from the request message even when examining the response\r
+implied <strong>byte_extract.hex</strong>: convert from hex string\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_header.with_body</strong>: Parts of this rule examine HTTP message body\r
+implied <strong>byte_extract.oct</strong>: convert from octal string\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_header.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
+implied <strong>byte_extract.dec</strong>: convert from decimal string\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_http_method">http_method</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the HTTP request method</p></div>\r
+<h3 id="_byte_jump">byte_jump</h3>\r
+<div class="paragraph"><p>What: rule option to move the detection cursor</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>http_method.with_body</strong>: Parts of this rule examine HTTP message body\r
+int <strong>byte_jump.~count</strong>: number of bytes to pick up from the buffer { 1:10 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>byte_jump.~offset</strong>: variable name or number of bytes into the buffer to start processing\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>byte_jump.relative</strong>: offset from cursor instead of start of buffer\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_method.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
+implied <strong>byte_jump.from_beginning</strong>: jump from start of buffer instead of cursor\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_raw_cookie">http_raw_cookie</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized cookie</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>http_raw_cookie.request</strong>: Match against the cookie from the request message even when examining the response\r
+int <strong>byte_jump.multiplier</strong> = 1: scale extracted value by given amount { 1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_raw_cookie.with_body</strong>: Parts of this rule examine HTTP message body\r
+int <strong>byte_jump.align</strong> = 0: round the number of converted bytes up to the next 2- or 4-byte boundary { 0:4 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_raw_cookie.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
+int <strong>byte_jump.post_offset</strong> = 0: also skip forward or backwards (positive of negative value) this number of bytes { -65535:65535 }\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_raw_header">http_raw_header</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized headers</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>http_raw_header.request</strong>: Match against the headers from the request message even when examining the response\r
+implied <strong>byte_jump.big</strong>: big endian\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_raw_header.with_body</strong>: Parts of this rule examine HTTP message body\r
+implied <strong>byte_jump.little</strong>: little endian\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_raw_header.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
+implied <strong>byte_jump.dce</strong>: dcerpc2 determines endianness\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_raw_request">http_raw_request</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized request line</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>http_raw_request.with_body</strong>: Parts of this rule examine HTTP message body\r
+implied <strong>byte_jump.string</strong>: convert from string\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_raw_request.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
+implied <strong>byte_jump.hex</strong>: convert from hex string\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_raw_status">http_raw_status</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized status line</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>http_raw_status.with_body</strong>: Parts of this rule examine HTTP message body\r
+implied <strong>byte_jump.oct</strong>: convert from octal string\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_raw_status.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
+implied <strong>byte_jump.dec</strong>: convert from decimal string\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_http_raw_trailer">http_raw_trailer</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized trailers</p></div>\r
+<h3 id="_byte_test">byte_test</h3>\r
+<div class="paragraph"><p>What: rule option to convert data to integer and compare</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>http_raw_trailer.request</strong>: Match against the trailers from the request message even when examining the response\r
+int <strong>byte_test.~count</strong>: number of bytes to pick up from the buffer { 1:10 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_raw_trailer.with_header</strong>: Parts of this rule examine HTTP response message headers (must be combined with request)\r
+string <strong>byte_test.~operator</strong>: variable name or number of bytes into the buffer to start processing\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_raw_trailer.with_body</strong>: Parts of this rule examine HTTP response message body (must be combined with request)\r
+string <strong>byte_test.~compare</strong>: variable name or value to test the converted result against\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_raw_uri">http_raw_uri</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized URI</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>http_raw_uri.with_body</strong>: Parts of this rule examine HTTP message body\r
+string <strong>byte_test.~offset</strong>: variable name or number of bytes into the payload to start processing\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_raw_uri.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
+implied <strong>byte_test.relative</strong>: offset from cursor instead of start of buffer\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_raw_uri.scheme</strong>: match against scheme section of URI only\r
+implied <strong>byte_test.big</strong>: big endian\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_raw_uri.host</strong>: match against host section of URI only\r
+implied <strong>byte_test.little</strong>: little endian\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_raw_uri.port</strong>: match against port section of URI only\r
+implied <strong>byte_test.dce</strong>: dcerpc2 determines endianness\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_raw_uri.path</strong>: match against path section of URI only\r
+implied <strong>byte_test.string</strong>: convert from string\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_raw_uri.query</strong>: match against query section of URI only\r
+implied <strong>byte_test.hex</strong>: convert from hex string\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_raw_uri.fragment</strong>: match against fragment section of URI only\r
+implied <strong>byte_test.oct</strong>: convert from octal string\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>byte_test.dec</strong>: convert from decimal string\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_http_stat_code">http_stat_code</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the HTTP status code</p></div>\r
+<h3 id="_classtype">classtype</h3>\r
+<div class="paragraph"><p>What: general rule option for rule classification</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>http_stat_code.with_body</strong>: Parts of this rule examine HTTP message body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_stat_code.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
+string <strong>classtype.~</strong>: classification for this rule\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_http_stat_msg">http_stat_msg</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the HTTP status message</p></div>\r
+<h3 id="_content">content</h3>\r
+<div class="paragraph"><p>What: payload rule option for basic pattern matching</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>http_stat_msg.with_body</strong>: Parts of this rule examine HTTP message body\r
+string <strong>content.~data</strong>: data to match\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_stat_msg.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
+implied <strong>content.nocase</strong>: case insensitive match\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_trailer">http_trailer</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the normalized trailers</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>http_trailer.field</strong>: restrict to given trailer\r
+implied <strong>content.fast_pattern</strong>: use this content in the fast pattern matcher instead of the content selected by default\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_trailer.request</strong>: Match against the trailers from the request message even when examining the response\r
+int <strong>content.fast_pattern_offset</strong> = 0: number of leading characters of this content the fast pattern matcher should exclude { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_trailer.with_header</strong>: Parts of this rule examine HTTP response message headers (must be combined with request)\r
+int <strong>content.fast_pattern_length</strong>: maximum number of characters from this content the fast pattern matcher should use { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_trailer.with_body</strong>: Parts of this rule examine HTTP message body (must be combined with request)\r
+string <strong>content.offset</strong>: var or number of bytes from start of buffer to start search\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_uri">http_uri</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the normalized URI buffer</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>http_uri.with_body</strong>: Parts of this rule examine HTTP message body\r
+string <strong>content.depth</strong>: var or maximum number of bytes to search from beginning of buffer\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_uri.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
+string <strong>content.distance</strong>: var or number of bytes from cursor to start search\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_uri.scheme</strong>: match against scheme section of URI only\r
+string <strong>content.within</strong>: var or maximum number of bytes to search from cursor\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_cvs">cvs</h3>\r
+<div class="paragraph"><p>What: payload rule option for detecting specific attacks</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>http_uri.host</strong>: match against host section of URI only\r
+implied <strong>cvs.invalid-entry</strong>: looks for an invalid Entry string\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_dce_iface_2">dce_iface</h3>\r
+<div class="paragraph"><p>What: detection option to check dcerpc interface</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>http_uri.port</strong>: match against port section of URI only\r
+string <strong>dce_iface.uuid</strong>: match given dcerpc uuid\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_uri.path</strong>: match against path section of URI only\r
+string <strong>dce_iface.version</strong>: interface version\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_uri.query</strong>: match against query section of URI only\r
+implied <strong>dce_iface.any_frag</strong>: match on any fragment\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_dce_opnum_2">dce_opnum</h3>\r
+<div class="paragraph"><p>What: detection option to check dcerpc operation number</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>http_uri.fragment</strong>: match against fragment section of URI only\r
+string <strong>dce_opnum.~</strong>: match given dcerpc operation number, range or list\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_http_version">http_version</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the version buffer</p></div>\r
+<h3 id="_dce_stub_data_2">dce_stub_data</h3>\r
+<div class="paragraph"><p>What: sets the cursor to dcerpc stub data</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_detection_filter">detection_filter</h3>\r
+<div class="paragraph"><p>What: rule option to require multiple hits before a rule generates an event</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>http_version.request</strong>: Match against the version from the request message even when examining the response\r
+enum <strong>detection_filter.track</strong>: track hits by source or destination IP address { by_src | by_dst }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_version.with_body</strong>: Parts of this rule examine HTTP message body\r
+int <strong>detection_filter.count</strong>: hits in interval before allowing the rule to fire { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_version.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
+int <strong>detection_filter.seconds</strong>: length of interval to count hits { 1: }\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_icmp_id">icmp_id</h3>\r
-<div class="paragraph"><p>What: rule option to check ICMP ID</p></div>\r
+<h3 id="_dnp3_data">dnp3_data</h3>\r
+<div class="paragraph"><p>What: sets the cursor to dnp3 data</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_dnp3_func">dnp3_func</h3>\r
+<div class="paragraph"><p>What: detection option to check dnp3 function code</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>icmp_id.~range</strong>: check if icmp id is <em>id | min<>max | <max | >min</em>\r
+string <strong>dnp3_func.~</strong>: match dnp3 function code or name\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_icmp_seq">icmp_seq</h3>\r
-<div class="paragraph"><p>What: rule option to check ICMP sequence number</p></div>\r
+<h3 id="_dnp3_ind">dnp3_ind</h3>\r
+<div class="paragraph"><p>What: detection option to check dnp3 indicator flags</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>icmp_seq.~range</strong>: check if icmp sequence number is <em>seq | min<>max | <max | >min</em>\r
+string <strong>dnp3_ind.~</strong>: match given dnp3 indicator flags\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_icode">icode</h3>\r
-<div class="paragraph"><p>What: rule option to check ICMP code</p></div>\r
+<h3 id="_dnp3_obj">dnp3_obj</h3>\r
+<div class="paragraph"><p>What: detection option to check dnp3 object headers</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>icode.~range</strong>: check if ICMP code is <em>code | min<>max | <max | >min</em>\r
+int <strong>dnp3_obj.group</strong> = 0: match given dnp3 object header group { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>dnp3_obj.var</strong> = 0: match given dnp3 object header var { 0:255 }\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_id">id</h3>\r
-<div class="paragraph"><p>What: rule option to check the IP ID field</p></div>\r
+<h3 id="_dsize">dsize</h3>\r
+<div class="paragraph"><p>What: rule option to test payload size</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>id.~range</strong>: check if the IP ID is <em>id | min<>max | <max | >min</em>\r
+string <strong>dsize.~range</strong>: check if packet payload size is <em>size | min<>max | <max | >min</em>\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_ip_proto">ip_proto</h3>\r
-<div class="paragraph"><p>What: rule option to check the IP protocol number</p></div>\r
+<h3 id="_file_data">file_data</h3>\r
+<div class="paragraph"><p>What: rule option to set detection cursor to file data</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_file_type">file_type</h3>\r
+<div class="paragraph"><p>What: rule option to check file type</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>ip_proto.~proto</strong>: [!|>|<] name or number\r
+string <strong>file_type.~</strong>: list of file type IDs to match\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_ipopts">ipopts</h3>\r
-<div class="paragraph"><p>What: rule option to check for IP options</p></div>\r
+<h3 id="_flags">flags</h3>\r
+<div class="paragraph"><p>What: rule option to test TCP control flags</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-select <strong>ipopts.~opt</strong>: output format { rr|eol|nop|ts|sec|esec|lsrr|lsrre|ssrr|satid|any }\r
+string <strong>flags.~test_flags</strong>: these flags are tested\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>flags.~mask_flags</strong>: these flags are don’t cares\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_isdataat">isdataat</h3>\r
-<div class="paragraph"><p>What: rule option to check for the presence of payload data</p></div>\r
+<h3 id="_flow">flow</h3>\r
+<div class="paragraph"><p>What: rule option to check session properties</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>isdataat.~length</strong>: num | !num\r
+implied <strong>flow.to_client</strong>: match on server responses\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>flow.to_server</strong>: match on client requests\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>flow.from_client</strong>: same as to_server\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>flow.from_server</strong>: same as to_client\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>flow.established</strong>: match only during data transfer phase\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>flow.not_established</strong>: match only outside data transfer phase\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>flow.stateless</strong>: match regardless of stream state\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>flow.no_stream</strong>: match on raw packets only\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>isdataat.relative</strong>: offset from cursor instead of start of buffer\r
+implied <strong>flow.only_stream</strong>: match on reassembled packets only\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_itype">itype</h3>\r
-<div class="paragraph"><p>What: rule option to check ICMP type</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>itype.~range</strong>: check if icmp type is <em>type | min<>max | <max | >min</em>\r
+implied <strong>flow.no_frag</strong>: match on raw packets only\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>flow.only_frag</strong>: match on defragmented packets only\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_md5">md5</h3>\r
-<div class="paragraph"><p>What: payload rule option for hash matching</p></div>\r
+<h3 id="_flowbits">flowbits</h3>\r
+<div class="paragraph"><p>What: rule option to set and test arbitrary boolean flags</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>md5.~hash</strong>: data to match\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>md5.length</strong>: number of octets in plain text { 1:65535 }\r
+string <strong>flowbits.~command</strong>: set|reset|isset|etc.\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>md5.offset</strong>: var or number of bytes from start of buffer to start search\r
+string <strong>flowbits.~arg1</strong>: bits or group\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>md5.relative</strong> = false: offset from cursor instead of start of buffer\r
+string <strong>flowbits.~arg2</strong>: group if arg1 is bits\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_metadata">metadata</h3>\r
-<div class="paragraph"><p>What: rule option for conveying arbitrary name, value data within the rule text</p></div>\r
+<h3 id="_fragbits">fragbits</h3>\r
+<div class="paragraph"><p>What: rule option to test IP frag flags</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>metadata.service</strong>: service name\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>metadata.</strong>*: additional parameters not used by snort\r
+string <strong>fragbits.~flags</strong>: these flags are tested\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_modbus_data">modbus_data</h3>\r
-<div class="paragraph"><p>What: rule option to set cursor to modbus data</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_modbus_func">modbus_func</h3>\r
-<div class="paragraph"><p>What: rule option to check modbus function code</p></div>\r
+<h3 id="_fragoffset">fragoffset</h3>\r
+<div class="paragraph"><p>What: rule option to test IP frag offset</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>modbus_func.~</strong>: function code to match\r
+string <strong>fragoffset.~range</strong>: check if ip fragment offset value is <em>value | min<>max | <max | >min</em>\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_modbus_unit">modbus_unit</h3>\r
-<div class="paragraph"><p>What: rule option to check modbus unit ID</p></div>\r
+<h3 id="_gid">gid</h3>\r
+<div class="paragraph"><p>What: rule option specifying rule generator</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>modbus_unit.~</strong>: modbus unit ID { 0:255 }\r
+int <strong>gid.~</strong>: generator id { 1: }\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_msg">msg</h3>\r
-<div class="paragraph"><p>What: rule option summarizing rule purpose output with events</p></div>\r
+<h3 id="_gtp_info">gtp_info</h3>\r
+<div class="paragraph"><p>What: rule option to check gtp info element</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>msg.~</strong>: message describing rule\r
+string <strong>gtp_info.~</strong>: info element to match\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_pcre">pcre</h3>\r
-<div class="paragraph"><p>What: rule option for matching payload data with pcre</p></div>\r
+<h3 id="_gtp_type">gtp_type</h3>\r
+<div class="paragraph"><p>What: rule option to check gtp types</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>pcre.~re</strong>: Snort regular expression\r
+string <strong>gtp_type.~</strong>: list of types to match\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_pkt_data">pkt_data</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the normalized packet data</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_priority">priority</h3>\r
-<div class="paragraph"><p>What: rule option for prioritizing events</p></div>\r
+<h3 id="_gtp_version">gtp_version</h3>\r
+<div class="paragraph"><p>What: rule option to check gtp version</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>priority.~</strong>: relative severity level; 1 is highest priority { 1: }\r
+int <strong>gtp_version.~</strong>: version to match { 0:2 }\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_raw_data">raw_data</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the raw packet data</p></div>\r
+<h3 id="_http_client_body">http_client_body</h3>\r
+<div class="paragraph"><p>What: rule option to set the detection cursor to the request body</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_reference">reference</h3>\r
-<div class="paragraph"><p>What: rule option to indicate relevant attack identification system</p></div>\r
+<h3 id="_http_cookie">http_cookie</h3>\r
+<div class="paragraph"><p>What: rule option to set the detection cursor to the HTTP cookie</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>reference.~scheme</strong>: reference scheme\r
+implied <strong>http_cookie.request</strong>: match against the cookie from the request message even when examining the response\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>reference.~id</strong>: reference id\r
+implied <strong>http_cookie.with_body</strong>: parts of this rule examine HTTP message body\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>http_cookie.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_regex">regex</h3>\r
-<div class="paragraph"><p>What: rule option for matching payload data with hyperscan regex</p></div>\r
+<h3 id="_http_header">http_header</h3>\r
+<div class="paragraph"><p>What: rule option to set the detection cursor to the normalized headers</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>regex.~re</strong>: hyperscan regular expression\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>regex.nocase</strong>: case insensitive match\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>regex.dotall</strong>: matching a . will not exclude newlines\r
+string <strong>http_header.field</strong>: restrict to given header. Header name is case insensitive.\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>regex.multiline</strong>: ^ and $ anchors match any newlines in data\r
+implied <strong>http_header.request</strong>: match against the headers from the request message even when examining the response\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>regex.relative</strong>: start search from end of last match instead of start of buffer\r
+implied <strong>http_header.with_body</strong>: parts of this rule examine HTTP message body\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_rem">rem</h3>\r
-<div class="paragraph"><p>What: rule option to convey an arbitrary comment in the rule body</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>rem.~</strong>: comment\r
+implied <strong>http_header.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_replace">replace</h3>\r
-<div class="paragraph"><p>What: rule option to overwrite payload data; use with rewrite action</p></div>\r
+<h3 id="_http_method">http_method</h3>\r
+<div class="paragraph"><p>What: rule option to set the detection cursor to the HTTP request method</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>replace.~</strong>: byte code to replace with\r
+implied <strong>http_method.with_body</strong>: parts of this rule examine HTTP message body\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_rev">rev</h3>\r
-<div class="paragraph"><p>What: rule option to indicate current revision of signature</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>rev.~</strong>: revision { 1: }\r
+implied <strong>http_method.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_rpc">rpc</h3>\r
-<div class="paragraph"><p>What: rule option to check SUNRPC CALL parameters</p></div>\r
+<h3 id="_http_raw_cookie">http_raw_cookie</h3>\r
+<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized cookie</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>rpc.~app</strong>: application number\r
+implied <strong>http_raw_cookie.request</strong>: match against the cookie from the request message even when examining the response\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>rpc.ver</strong>: version number or * for any\r
+implied <strong>http_raw_cookie.with_body</strong>: parts of this rule examine HTTP message body\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>rpc.proc</strong>: procedure number or * for any\r
+implied <strong>http_raw_cookie.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_sd_pattern">sd_pattern</h3>\r
-<div class="paragraph"><p>What: rule option for detecting sensitive data</p></div>\r
+<h3 id="_http_raw_header">http_raw_header</h3>\r
+<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized headers</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>sd_pattern.~pattern</strong>: The pattern to search for\r
+implied <strong>http_raw_header.request</strong>: match against the headers from the request message even when examining the response\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>sd_pattern.threshold</strong>: number of matches before alerting { 1 }\r
+implied <strong>http_raw_header.with_body</strong>: parts of this rule examine HTTP message body\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>sd_pattern.below threshold</strong>: sd_pattern matched but missed threshold\r
+implied <strong>http_raw_header.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_http_raw_request">http_raw_request</h3>\r
+<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized request line</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>sd_pattern.pattern not found</strong>: sd_pattern did not not match\r
+implied <strong>http_raw_request.with_body</strong>: parts of this rule examine HTTP message body\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sd_pattern.terminated</strong>: hyperscan terminated\r
+implied <strong>http_raw_request.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_seq">seq</h3>\r
-<div class="paragraph"><p>What: rule option to check TCP sequence number</p></div>\r
+<h3 id="_http_raw_status">http_raw_status</h3>\r
+<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized status line</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>seq.~range</strong>: check if tcp sequence number value is <em>value | min<>max | <max | >min</em>\r
+implied <strong>http_raw_status.with_body</strong>: parts of this rule examine HTTP message body\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_session">session</h3>\r
-<div class="paragraph"><p>What: rule option to check user data from TCP sessions</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-enum <strong>session.~mode</strong>: output format { printable|binary|all }\r
+implied <strong>http_raw_status.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_sha256">sha256</h3>\r
-<div class="paragraph"><p>What: payload rule option for hash matching</p></div>\r
+<h3 id="_http_raw_trailer">http_raw_trailer</h3>\r
+<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized trailers</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>sha256.~hash</strong>: data to match\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>sha256.length</strong>: number of octets in plain text { 1:65535 }\r
+implied <strong>http_raw_trailer.request</strong>: match against the trailers from the request message even when examining the response\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>sha256.offset</strong>: var or number of bytes from start of buffer to start search\r
+implied <strong>http_raw_trailer.with_header</strong>: parts of this rule examine HTTP response message headers (must be combined with request)\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>sha256.relative</strong> = false: offset from cursor instead of start of buffer\r
+implied <strong>http_raw_trailer.with_body</strong>: parts of this rule examine HTTP response message body (must be combined with request)\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_sha512">sha512</h3>\r
-<div class="paragraph"><p>What: payload rule option for hash matching</p></div>\r
+<h3 id="_http_raw_uri">http_raw_uri</h3>\r
+<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized URI</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>sha512.~hash</strong>: data to match\r
+implied <strong>http_raw_uri.with_body</strong>: parts of this rule examine HTTP message body\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>sha512.length</strong>: number of octets in plain text { 1:65535 }\r
+implied <strong>http_raw_uri.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>sha512.offset</strong>: var or number of bytes from start of buffer to start search\r
+implied <strong>http_raw_uri.scheme</strong>: match against scheme section of URI only\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>sha512.relative</strong> = false: offset from cursor instead of start of buffer\r
+implied <strong>http_raw_uri.host</strong>: match against host section of URI only\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_sid">sid</h3>\r
-<div class="paragraph"><p>What: rule option to indicate signature number</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>sid.~</strong>: signature id { 1: }\r
+implied <strong>http_raw_uri.port</strong>: match against port section of URI only\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_sip_body">sip_body</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the request body</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_sip_header">sip_header</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the SIP header buffer</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_sip_method">sip_method</h3>\r
-<div class="paragraph"><p>What: detection option for sip stat code</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>sip_method.*method</strong>: sip method\r
+implied <strong>http_raw_uri.path</strong>: match against path section of URI only\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_sip_stat_code">sip_stat_code</h3>\r
-<div class="paragraph"><p>What: detection option for sip stat code</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>sip_stat_code.*code</strong>: stat code { 1:999 }\r
+implied <strong>http_raw_uri.query</strong>: match against query section of URI only\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>http_raw_uri.fragment</strong>: match against fragment section of URI only\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_so">so</h3>\r
-<div class="paragraph"><p>What: rule option to call custom eval function</p></div>\r
+<h3 id="_http_stat_code">http_stat_code</h3>\r
+<div class="paragraph"><p>What: rule option to set the detection cursor to the HTTP status code</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>so.~func</strong>: name of eval function\r
+implied <strong>http_stat_code.with_body</strong>: parts of this rule examine HTTP message body\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>http_stat_code.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_soid">soid</h3>\r
-<div class="paragraph"><p>What: rule option to specify a shared object rule ID</p></div>\r
+<h3 id="_http_stat_msg">http_stat_msg</h3>\r
+<div class="paragraph"><p>What: rule option to set the detection cursor to the HTTP status message</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>soid.~</strong>: SO rule ID has <gid>|<sid> format, like 3|12345\r
+implied <strong>http_stat_msg.with_body</strong>: parts of this rule examine HTTP message body\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>http_stat_msg.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_ssl_state">ssl_state</h3>\r
-<div class="paragraph"><p>What: detection option for ssl state</p></div>\r
+<h3 id="_http_trailer">http_trailer</h3>\r
+<div class="paragraph"><p>What: rule option to set the detection cursor to the normalized trailers</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>ssl_state.client_hello</strong>: check for client hello\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_state.server_hello</strong>: check for server hello\r
+string <strong>http_trailer.field</strong>: restrict to given trailer\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>ssl_state.client_keyx</strong>: check for client keyx\r
+implied <strong>http_trailer.request</strong>: match against the trailers from the request message even when examining the response\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>ssl_state.server_keyx</strong>: check for server keyx\r
+implied <strong>http_trailer.with_header</strong>: parts of this rule examine HTTP response message headers (must be combined with request)\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>ssl_state.unknown</strong>: check for unknown record\r
+implied <strong>http_trailer.with_body</strong>: parts of this rule examine HTTP message body (must be combined with request)\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_http_uri">http_uri</h3>\r
+<div class="paragraph"><p>What: rule option to set the detection cursor to the normalized URI buffer</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>ssl_state.!client_hello</strong>: check for records that are not client hello\r
+implied <strong>http_uri.with_body</strong>: parts of this rule examine HTTP message body\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>ssl_state.!server_hello</strong>: check for records that are not server hello\r
+implied <strong>http_uri.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>ssl_state.!client_keyx</strong>: check for records that are not client keyx\r
+implied <strong>http_uri.scheme</strong>: match against scheme section of URI only\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>ssl_state.!server_keyx</strong>: check for records that are not server keyx\r
+implied <strong>http_uri.host</strong>: match against host section of URI only\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>ssl_state.!unknown</strong>: check for records that are not unknown\r
+implied <strong>http_uri.port</strong>: match against port section of URI only\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_ssl_version">ssl_version</h3>\r
-<div class="paragraph"><p>What: detection option for ssl version</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>ssl_version.sslv2</strong>: check for sslv2\r
+implied <strong>http_uri.path</strong>: match against path section of URI only\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>ssl_version.sslv3</strong>: check for sslv3\r
+implied <strong>http_uri.query</strong>: match against query section of URI only\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>ssl_version.tls1.0</strong>: check for tls1.0\r
+implied <strong>http_uri.fragment</strong>: match against fragment section of URI only\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_http_version">http_version</h3>\r
+<div class="paragraph"><p>What: rule option to set the detection cursor to the version buffer</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>ssl_version.tls1.1</strong>: check for tls1.1\r
+implied <strong>http_version.request</strong>: match against the version from the request message even when examining the response\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>ssl_version.tls1.2</strong>: check for tls1.2\r
+implied <strong>http_version.with_body</strong>: parts of this rule examine HTTP message body\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>ssl_version.!sslv2</strong>: check for records that are not sslv2\r
+implied <strong>http_version.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_icmp_id">icmp_id</h3>\r
+<div class="paragraph"><p>What: rule option to check ICMP ID</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>ssl_version.!sslv3</strong>: check for records that are not sslv3\r
+string <strong>icmp_id.~range</strong>: check if icmp id is <em>id | min<>max | <max | >min</em>\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_icmp_seq">icmp_seq</h3>\r
+<div class="paragraph"><p>What: rule option to check ICMP sequence number</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>ssl_version.!tls1.0</strong>: check for records that are not tls1.0\r
+string <strong>icmp_seq.~range</strong>: check if icmp sequence number is <em>seq | min<>max | <max | >min</em>\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_icode">icode</h3>\r
+<div class="paragraph"><p>What: rule option to check ICMP code</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>ssl_version.!tls1.1</strong>: check for records that are not tls1.1\r
+string <strong>icode.~range</strong>: check if ICMP code is <em>code | min<>max | <max | >min</em>\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_id">id</h3>\r
+<div class="paragraph"><p>What: rule option to check the IP ID field</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>ssl_version.!tls1.2</strong>: check for records that are not tls1.2\r
+string <strong>id.~range</strong>: check if the IP ID is <em>id | min<>max | <max | >min</em>\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_stream_reassemble">stream_reassemble</h3>\r
-<div class="paragraph"><p>What: detection option for stream reassembly control</p></div>\r
+<h3 id="_ip_proto">ip_proto</h3>\r
+<div class="paragraph"><p>What: rule option to check the IP protocol number</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-enum <strong>stream_reassemble.action</strong>: stop or start stream reassembly { disable|enable }\r
+string <strong>ip_proto.~proto</strong>: [!|>|<] name or number\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_ipopts">ipopts</h3>\r
+<div class="paragraph"><p>What: rule option to check for IP options</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-enum <strong>stream_reassemble.direction</strong>: action applies to the given direction(s) { client|server|both }\r
+select <strong>ipopts.~opt</strong>: output format { rr|eol|nop|ts|sec|esec|lsrr|lsrre|ssrr|satid|any }\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_isdataat">isdataat</h3>\r
+<div class="paragraph"><p>What: rule option to check for the presence of payload data</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>stream_reassemble.noalert</strong>: don’t alert when rule matches\r
+string <strong>isdataat.~length</strong>: num | !num\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>stream_reassemble.fastpath</strong>: optionally whitelist the remainder of the session\r
+implied <strong>isdataat.relative</strong>: offset from cursor instead of start of buffer\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_stream_size">stream_size</h3>\r
-<div class="paragraph"><p>What: detection option for stream size checking</p></div>\r
+<h3 id="_itype">itype</h3>\r
+<div class="paragraph"><p>What: rule option to check ICMP type</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>stream_size.~range</strong>: size for comparison\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>stream_size.~direction</strong>: compare applies to the given direction(s) { either|to_server|to_client|both }\r
+string <strong>itype.~range</strong>: check if icmp type is <em>type | min<>max | <max | >min</em>\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_tag">tag</h3>\r
-<div class="paragraph"><p>What: rule option to log additional packets</p></div>\r
+<h3 id="_md5">md5</h3>\r
+<div class="paragraph"><p>What: payload rule option for hash matching</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-enum <strong>tag.~</strong>: log all packets in session or all packets to or from host { session|host_src|host_dst }\r
+string <strong>md5.~hash</strong>: data to match\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>tag.packets</strong>: tag this many packets { 1: }\r
+int <strong>md5.length</strong>: number of octets in plain text { 1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>tag.seconds</strong>: tag for this many seconds { 1: }\r
+string <strong>md5.offset</strong>: var or number of bytes from start of buffer to start search\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>tag.bytes</strong>: tag for this many bytes { 1: }\r
+implied <strong>md5.relative</strong> = false: offset from cursor instead of start of buffer\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_tos">tos</h3>\r
-<div class="paragraph"><p>What: rule option to check type of service field</p></div>\r
+<h3 id="_metadata">metadata</h3>\r
+<div class="paragraph"><p>What: rule option for conveying arbitrary name, value data within the rule text</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>tos.~range</strong>: check if ip tos value is <em>value | min<>max | <max | >min</em>\r
+string <strong>metadata.service</strong>: service name\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>metadata.</strong>*: additional parameters not used by snort\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_ttl">ttl</h3>\r
-<div class="paragraph"><p>What: rule option to check time to live field</p></div>\r
+<h3 id="_modbus_data">modbus_data</h3>\r
+<div class="paragraph"><p>What: rule option to set cursor to modbus data</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_modbus_func">modbus_func</h3>\r
+<div class="paragraph"><p>What: rule option to check modbus function code</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>ttl.~range</strong>: check if ip ttl field value is <em>value | min<>max | <max | >min</em>\r
+string <strong>modbus_func.~</strong>: function code to match\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_window">window</h3>\r
-<div class="paragraph"><p>What: rule option to check TCP window field</p></div>\r
+<h3 id="_modbus_unit">modbus_unit</h3>\r
+<div class="paragraph"><p>What: rule option to check modbus unit ID</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>window.~range</strong>: check if tcp window field size is <em>size | min<>max | <max | >min</em>\r
+int <strong>modbus_unit.~</strong>: modbus unit ID { 0:255 }\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
-</div>\r
-</div>\r
-<div class="sect1">\r
-<h2 id="_search_engine_modules">Search Engine Modules</h2>\r
-<div class="sectionbody">\r
-<div class="paragraph"><p>Search engines perform multipattern searching of packets and payload to find\r
-rules that should be evaluated. There are currently no specific modules,\r
-although there are several search engine plugins. Related configuration\r
-is done with the basic detection module.</p></div>\r
-</div>\r
-</div>\r
-<div class="sect1">\r
-<h2 id="_so_rule_modules">SO Rule Modules</h2>\r
-<div class="sectionbody">\r
-<div class="paragraph"><p>SO rules are dynamic rules that require custom coding to perform detection\r
-not possible with the existing rule options. These rules typically do not\r
-have associated modules.</p></div>\r
-</div>\r
-</div>\r
-<div class="sect1">\r
-<h2 id="_logger_modules">Logger Modules</h2>\r
-<div class="sectionbody">\r
-<div class="paragraph"><p>All output of events and packets is done by Loggers.</p></div>\r
<div class="sect2">\r
-<h3 id="_alert_csv">alert_csv</h3>\r
-<div class="paragraph"><p>What: output event in csv format</p></div>\r
-<div class="paragraph"><p>Type: logger</p></div>\r
+<h3 id="_msg">msg</h3>\r
+<div class="paragraph"><p>What: rule option summarizing rule purpose output with events</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>alert_csv.file</strong> = false: output to alert_csv.txt instead of stdout\r
+string <strong>msg.~</strong>: message describing rule\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_pcre">pcre</h3>\r
+<div class="paragraph"><p>What: rule option for matching payload data with pcre</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-multi <strong>alert_csv.fields</strong> = timestamp pkt_num proto pkt_gen dgm_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | dir | dgm_len | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | pkt_gen | pkt_num | proto | rev | rule | sid | src_addr | src_ap | src_port | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len }\r
+string <strong>pcre.~re</strong>: Snort regular expression\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_pkt_data">pkt_data</h3>\r
+<div class="paragraph"><p>What: rule option to set the detection cursor to the normalized packet data</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_priority">priority</h3>\r
+<div class="paragraph"><p>What: rule option for prioritizing events</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>alert_csv.limit</strong> = 0: set limit (0 is unlimited) { 0: }\r
+int <strong>priority.~</strong>: relative severity level; 1 is highest priority { 1: }\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_raw_data">raw_data</h3>\r
+<div class="paragraph"><p>What: rule option to set the detection cursor to the raw packet data</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_reference">reference</h3>\r
+<div class="paragraph"><p>What: rule option to indicate relevant attack identification system</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>alert_csv.separator</strong> = , : separate fields with this character sequence\r
+string <strong>reference.~scheme</strong>: reference scheme\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>alert_csv.units</strong> = B: bytes | KB | MB | GB { B | K | M | G }\r
+string <strong>reference.~id</strong>: reference id\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_alert_fast">alert_fast</h3>\r
-<div class="paragraph"><p>What: output event with brief text format</p></div>\r
-<div class="paragraph"><p>Type: logger</p></div>\r
+<h3 id="_regex">regex</h3>\r
+<div class="paragraph"><p>What: rule option for matching payload data with hyperscan regex</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>alert_fast.file</strong> = false: output to alert_fast.txt instead of stdout\r
+string <strong>regex.~re</strong>: hyperscan regular expression\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>alert_fast.packet</strong> = false: output packet dump with alert\r
+implied <strong>regex.nocase</strong>: case insensitive match\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>alert_fast.limit</strong> = 0: set limit (0 is unlimited) { 0: }\r
+implied <strong>regex.dotall</strong>: matching a . will not exclude newlines\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>alert_fast.units</strong> = B: bytes | KB | MB | GB { B | K | M | G }\r
+implied <strong>regex.multiline</strong>: ^ and $ anchors match any newlines in data\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>regex.relative</strong>: start search from end of last match instead of start of buffer\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_alert_full">alert_full</h3>\r
-<div class="paragraph"><p>What: output event with full packet dump</p></div>\r
-<div class="paragraph"><p>Type: logger</p></div>\r
+<h3 id="_rem">rem</h3>\r
+<div class="paragraph"><p>What: rule option to convey an arbitrary comment in the rule body</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>alert_full.file</strong> = false: output to alert_full.txt instead of stdout\r
+string <strong>rem.~</strong>: comment\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_replace">replace</h3>\r
+<div class="paragraph"><p>What: rule option to overwrite payload data; use with rewrite action</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>alert_full.limit</strong> = 0: set limit (0 is unlimited) { 0: }\r
+string <strong>replace.~</strong>: byte code to replace with\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_rev">rev</h3>\r
+<div class="paragraph"><p>What: rule option to indicate current revision of signature</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-enum <strong>alert_full.units</strong> = B: limit is in bytes | KB | MB | GB { B | K | M | G }\r
+int <strong>rev.~</strong>: revision { 1: }\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_alert_sfsocket">alert_sfsocket</h3>\r
-<div class="paragraph"><p>What: output event over socket</p></div>\r
-<div class="paragraph"><p>Type: logger</p></div>\r
+<h3 id="_rpc">rpc</h3>\r
+<div class="paragraph"><p>What: rule option to check SUNRPC CALL parameters</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>alert_sfsocket.file</strong>: name of unix socket file\r
+int <strong>rpc.~app</strong>: application number\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>alert_sfsocket.rules[].gid</strong> = 1: rule generator ID { 1: }\r
+int <strong>rpc.ver</strong>: version number or * for any\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>alert_sfsocket.rules[].sid</strong> = 1: rule signature ID { 1: }\r
+int <strong>rpc.proc</strong>: procedure number or * for any\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_alert_syslog">alert_syslog</h3>\r
-<div class="paragraph"><p>What: output event to syslog</p></div>\r
-<div class="paragraph"><p>Type: logger</p></div>\r
+<h3 id="_sd_pattern">sd_pattern</h3>\r
+<div class="paragraph"><p>What: rule option for detecting sensitive data</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-enum <strong>alert_syslog.facility</strong> = auth: part of priority applied to each message { auth | authpriv | daemon | user | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 }\r
+string <strong>sd_pattern.~pattern</strong>: The pattern to search for\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>alert_syslog.level</strong> = info: part of priority applied to each message { emerg | alert | crit | err | warning | notice | info | debug }\r
+int <strong>sd_pattern.threshold</strong>: number of matches before alerting { 1 }\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-multi <strong>alert_syslog.options</strong>: used to open the syslog connection { cons | ndelay | perror | pid }\r
+<strong>sd_pattern.below threshold</strong>: sd_pattern matched but missed threshold\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_log_codecs">log_codecs</h3>\r
-<div class="paragraph"><p>What: log protocols in packet by layer</p></div>\r
-<div class="paragraph"><p>Type: logger</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>log_codecs.file</strong> = false: output to log_codecs.txt instead of stdout\r
+<strong>sd_pattern.pattern not found</strong>: sd_pattern did not not match\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>log_codecs.msg</strong> = false: include alert msg\r
+<strong>sd_pattern.terminated</strong>: hyperscan terminated\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_log_hext">log_hext</h3>\r
-<div class="paragraph"><p>What: output payload suitable for daq hext</p></div>\r
-<div class="paragraph"><p>Type: logger</p></div>\r
+<h3 id="_seq">seq</h3>\r
+<div class="paragraph"><p>What: rule option to check TCP sequence number</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>log_hext.file</strong> = false: output to log_hext.txt instead of stdout\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>log_hext.raw</strong> = false: output all full packets if true, else just TCP payload\r
+string <strong>seq.~range</strong>: check if tcp sequence number value is <em>value | min<>max | <max | >min</em>\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_session">session</h3>\r
+<div class="paragraph"><p>What: rule option to check user data from TCP sessions</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>log_hext.limit</strong> = 0: set limit (0 is unlimited) { 0: }\r
+enum <strong>session.~mode</strong>: output format { printable|binary|all }\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_sha256">sha256</h3>\r
+<div class="paragraph"><p>What: payload rule option for hash matching</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-enum <strong>log_hext.units</strong> = B: bytes | KB | MB | GB { B | K | M | G }\r
+string <strong>sha256.~hash</strong>: data to match\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>log_hext.width</strong> = 20: set line width (0 is unlimited) { 0: }\r
+int <strong>sha256.length</strong>: number of octets in plain text { 1:65535 }\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_log_pcap">log_pcap</h3>\r
-<div class="paragraph"><p>What: log packet in pcap format</p></div>\r
-<div class="paragraph"><p>Type: logger</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>log_pcap.limit</strong> = 0: set limit (0 is unlimited) { 0: }\r
+string <strong>sha256.offset</strong>: var or number of bytes from start of buffer to start search\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>log_pcap.units</strong> = B: bytes | KB | MB | GB { B | K | M | G }\r
+implied <strong>sha256.relative</strong> = false: offset from cursor instead of start of buffer\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_unified2">unified2</h3>\r
-<div class="paragraph"><p>What: output event and packet in unified2 format file</p></div>\r
-<div class="paragraph"><p>Type: logger</p></div>\r
+<h3 id="_sha512">sha512</h3>\r
+<div class="paragraph"><p>What: payload rule option for hash matching</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>unified2.limit</strong> = 0: set limit (0 is unlimited) { 0: }\r
+string <strong>sha512.~hash</strong>: data to match\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>unified2.units</strong> = B: limit multiplier { B | K | M | G }\r
+int <strong>sha512.length</strong>: number of octets in plain text { 1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>unified2.nostamp</strong> = true: append file creation time to name (in Unix Epoch format)\r
+string <strong>sha512.offset</strong>: var or number of bytes from start of buffer to start search\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>unified2.mpls_event_types</strong> = false: include mpls labels in events\r
+implied <strong>sha512.relative</strong> = false: offset from cursor instead of start of buffer\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_sid">sid</h3>\r
+<div class="paragraph"><p>What: rule option to indicate signature number</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>unified2.vlan_event_types</strong> = false: include vlan IDs in events\r
+int <strong>sid.~</strong>: signature id { 1: }\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
+<div class="sect2">\r
+<h3 id="_sip_body">sip_body</h3>\r
+<div class="paragraph"><p>What: rule option to set the detection cursor to the request body</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
</div>\r
+<div class="sect2">\r
+<h3 id="_sip_header">sip_header</h3>\r
+<div class="paragraph"><p>What: rule option to set the detection cursor to the SIP header buffer</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
</div>\r
-<div class="sect1">\r
-<h2 id="_daq_modules">DAQ Modules</h2>\r
-<div class="sectionbody">\r
-<div class="paragraph"><p>The Data AcQuisition library (DAQ), provides pluggable packet I/O. The DAQ\r
-replaces direct calls to libraries like libpcap with an abstraction layer\r
-that facilitates operation on a variety of hardware and software interfaces\r
-without requiring changes to Snort. It is possible to select the DAQ type\r
-and mode when invoking Snort to perform pcap readback or inline operation,\r
-etc. The DAQ library may be useful for other packet processing\r
-applications and the modular nature allows you to build new modules for\r
-other platforms.</p></div>\r
-<div class="paragraph"><p>The DAQ library is provided as an external package on snort.org. There are\r
-a few additional modules provided with Snort++. This section summarizes\r
-the important things you need to know to use these DAQ modules. There are\r
-also 3rd DAQ modules available.</p></div>\r
<div class="sect2">\r
-<h3 id="_building_the_daq_library_and_daq_modules">Building the DAQ Library and DAQ Modules</h3>\r
-<div class="paragraph"><p>The DAQ is bundled with Snort but must be built first using these steps:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>./configure\r
-make\r
-sudo make install</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>This will build and install both static and dynamic DAQ modules.</p></div>\r
-<div class="paragraph"><p>Note that pcap >= 1.0.0 is required. pcap 1.1.1 is available at the time\r
-of this writing and is recommended.</p></div>\r
-<div class="paragraph"><p>Also, libdnet is required for IPQ and NFQ DAQs. If you get a relocation error\r
-trying to build those DAQs, you may need to reinstall libdnet and configure it\r
-with something like this:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>./configure "CFLAGS=-fPIC -g -O2"</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>You may also experience problems trying to find the dynamic dnet library\r
-because it isn’t always named properly. Try creating a link to the shared\r
-library (identified by its .x or .x.y etc. extension) with the same name but\r
-with ".so" inserted as follows:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$ ln -s libdnet.1.1 libdnet.so.1.1\r
-$ ldconfig -Rv /usr/local/lib 2>&1 | grep dnet\r
- Adding /usr/local/lib/libdnet.so.1.1</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Alternatively, you should be able to fix both issues as follows:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>libtoolize --copy --force\r
-aclocal -I config\r
-autoheader\r
-autoconf\r
-automake --foreign</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>When the DAQ library is built, both static and dynamic flavors will be\r
-generated. The various DAQ modules will be built if the requisite headers and\r
-libraries are available. You can disable individual modules, etc. with options\r
-to configure. For the complete list of configure options, run:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>./configure --help</code></pre>\r
-</div></div>\r
+<h3 id="_sip_method">sip_method</h3>\r
+<div class="paragraph"><p>What: detection option for sip stat code</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+string <strong>sip_method.*method</strong>: sip method\r
+</p>\r
+</li>\r
+</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_pcap_module">PCAP Module</h3>\r
-<div class="paragraph"><p>pcap is the default DAQ. If snort is run w/o any DAQ arguments, it will\r
-operate as it always did using this module. These are equivalent:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>./snort -i <device>\r
-./snort -r <file></code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>./snort --daq pcap --daq-mode passive -i <device>\r
-./snort --daq pcap --daq-mode read-file -r <file></code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>You can specify the buffer size pcap uses with:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>./snort --daq pcap --daq-var buffer_size=<#bytes></code></pre>\r
-</div></div>\r
+<h3 id="_sip_stat_code">sip_stat_code</h3>\r
+<div class="paragraph"><p>What: detection option for sip stat code</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-The pcap DAQ does not count filtered packets. *\r
+int <strong>sip_stat_code.*code</strong>: stat code { 1:999 }\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_afpacket_module">AFPACKET Module</h3>\r
-<div class="paragraph"><p>afpacket functions similar to the pcap DAQ but with better performance:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>./snort --daq afpacket -i <device>\r
- [--daq-var buffer_size_mb=<#MB>]\r
- [--daq-var debug]</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>If you want to run afpacket in inline mode, you must craft the device string as\r
-one or more interface pairs, where each member of a pair is separated by a\r
-single colon and each pair is separated by a double colon like this:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>eth0:eth1</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>or this:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>eth0:eth1::eth2:eth3</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>By default, the afpacket DAQ allocates 128MB for packet memory. You can change\r
-this with:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>--daq-var buffer_size_mb=<#MB></code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Note that the total allocated is actually higher, here’s why. Assuming the\r
-default packet memory with a snaplen of 1518, the numbers break down like this:</p></div>\r
+<h3 id="_so">so</h3>\r
+<div class="paragraph"><p>What: rule option to call custom eval function</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-The frame size is 1518 (snaplen) + the size of the AFPacket header (66\r
- bytes) = 1584 bytes.\r
+string <strong>so.~func</strong>: name of eval function\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_soid">soid</h3>\r
+<div class="paragraph"><p>What: rule option to specify a shared object rule ID</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-The number of frames is 128 MB / 1518 = 84733.\r
+string <strong>soid.~</strong>: SO rule ID has <gid>|<sid> format, like 3|12345\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_ssl_state">ssl_state</h3>\r
+<div class="paragraph"><p>What: detection option for ssl state</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-The smallest block size that can fit at least one frame is 4 KB = 4096 bytes\r
- @ 2 frames per block.\r
+implied <strong>ssl_state.client_hello</strong>: check for client hello\r
</p>\r
</li>\r
<li>\r
<p>\r
-As a result, we need 84733 / 2 = 42366 blocks.\r
+implied <strong>ssl_state.server_hello</strong>: check for server hello\r
</p>\r
</li>\r
<li>\r
<p>\r
-Actual memory allocated is 42366 * 4 KB = 165.5 MB.\r
+implied <strong>ssl_state.client_keyx</strong>: check for client keyx\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="admonitionblock">\r
-<table><tr>\r
-<td class="icon">\r
-<img src="./images/icons/note.png" alt="Note" />\r
-</td>\r
-<td class="content">Linux kernel version 2.6.31 or higher is required for the AFPacket DAQ\r
-module due to its dependency on both TPACKET v2 and PACKET_TX_RING support.</td>\r
-</tr></table>\r
-</div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_nfq_module">NFQ Module</h3>\r
-<div class="paragraph"><p>NFQ is the new and improved way to process iptables packets:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>./snort --daq nfq \\r
- [--daq-var device=<dev>] \\r
- [--daq-var proto=<proto>] \\r
- [--daq-var queue=<qid>]</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code><dev> ::= ip | eth0, etc; default is IP injection\r
-<proto> ::= ip4 | ip6 |; default is ip4\r
-<qid> ::= 0..65535; default is 0</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>This module can not run unprivileged so ./snort -u -g will produce a warning\r
-and won’t change user or group.</p></div>\r
-<div class="paragraph"><p>Notes on iptables are given below.</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_ipq_module">IPQ Module</h3>\r
-<div class="paragraph"><p>IPQ is the old way to process iptables packets. It replaces the inline version\r
-available in pre-2.9 versions built with this:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>./configure --enable-inline</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Note that layer 2 resets are not supported with the IPQ DAQ:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>config layer2resets[: <mac>]</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Start the IPQ DAQ as follows:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>./snort --daq ipq \\r
- [--daq-var device=<dev>] \\r
- [--daq-var proto=<proto>] \</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code><dev> ::= ip | eth0, etc; default is IP injection\r
-<proto> ::= ip4 | ip6; default is ip4</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>This module can not run unprivileged so ./snort -u -g will produce a warning\r
-and won’t change user or group.</p></div>\r
-<div class="paragraph"><p>Notes on iptables are given below.</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_ipfw_module">IPFW Module</h3>\r
-<div class="paragraph"><p>IPFW is available for BSD systems. It replaces the inline version available in\r
-pre-2.9 versions built with this:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>./configure --enable-ipfw</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>This command line argument is no longer supported:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>./snort -J <port#></code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Instead, start Snort like this:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>./snort --daq ipfw [--daq-var port=<port>]</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code><port> ::= 1..65535; default is 8000</code></pre>\r
-</div></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-IPFW only supports ip4 traffic.\r
+implied <strong>ssl_state.server_keyx</strong>: check for server keyx\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>ssl_state.unknown</strong>: check for unknown record\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Notes on FreeBSD and OpenBSD are given below.</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_dump_module">Dump Module</h3>\r
-<div class="paragraph"><p>The dump DAQ allows you to test the various inline mode features available in\r
-2.9 Snort like injection and normalization.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>./snort -i <device> --daq dump\r
-./snort -r <pcap> --daq dump</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>By default a file named inline-out.pcap will be created containing all packets\r
-that passed through or were generated by snort. You can optionally specify a\r
-different name.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>./snort --daq dump --daq-var file=<name></code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>dump uses the pcap daq for packet acquisition. It therefore does not count\r
-filtered packets (a pcap limitation).</p></div>\r
-<div class="paragraph"><p>Note that the dump DAQ inline mode is not an actual inline mode. Furthermore,\r
-you will probably want to have the pcap DAQ acquire in another mode like this:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>./snort -r <pcap> -Q --daq dump --daq-var load-mode=read-file\r
-./snort -i <device> -Q --daq dump --daq-var load-mode=passive</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_netmap_module">Netmap Module</h3>\r
-<div class="paragraph"><p>The netmap project is a framework for very high speed packet I/O. It is\r
-available on both FreeBSD and Linux with varying amounts of preparatory\r
-setup required. Specific notes for each follow.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>./snort --daq netmap -i <device>\r
- [--daq-var debug]</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>If you want to run netmap in inline mode, you must craft the device string as\r
-one or more interface pairs, where each member of a pair is separated by a\r
-single colon and each pair is separated by a double colon like this:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>em1:em2</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>or this:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>em1:em2::em3:em4</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Inline operation performs Layer 2 forwarding with no MAC filtering, akin to the\r
-AFPacket module’s behavior. All packets received on one interface in an inline\r
-pair will be forwarded out the other interface unless dropped by the reader and\r
-vice versa.</p></div>\r
-<div class="admonitionblock">\r
-<table><tr>\r
-<td class="icon">\r
-<img src="./images/icons/important.png" alt="Important" />\r
-</td>\r
-<td class="content">The interfaces will need to be up and in promiscuous mode in order to\r
-function (<em>ifconfig em1 up promisc</em>). The DAQ module does not currently do\r
-either of these configuration steps for itself.</td>\r
-</tr></table>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_freebsd">FreeBSD</h4>\r
-<div class="paragraph"><p>In FreeBSD 10.0, netmap has been integrated into the core OS. In order to use\r
-it, you must recompile your kernel with the line</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>device netmap</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>added to your kernel config.</p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_linux">Linux</h4>\r
-<div class="paragraph"><p>You will need to download the netmap source code from the project’s repository:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>https://code.google.com/p/netmap/</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Follow the instructions on the project’s homepage for compiling and installing\r
-the code:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>http://info.iet.unipi.it/~luigi/netmap/</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>It will involve a standalone kernel module (netmap_lin) as well as patching and\r
-rebuilding the kernel module used to drive your network adapters. The following\r
-drivers are supported under Linux at the time of writing (June 2014):</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>e1000\r
-e1000e\r
-forcedeth\r
-igb\r
-ixgbe\r
-r8169\r
-virtio</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>TODO:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-Support for attaching to only a single ring (queue) on a network adapter.\r
+implied <strong>ssl_state.!client_hello</strong>: check for records that are not client hello\r
</p>\r
</li>\r
<li>\r
<p>\r
-Support for VALE and netmap pipes.\r
+implied <strong>ssl_state.!server_hello</strong>: check for records that are not server hello\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>ssl_state.!client_keyx</strong>: check for records that are not client keyx\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>ssl_state.!server_keyx</strong>: check for records that are not server keyx\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>ssl_state.!unknown</strong>: check for records that are not unknown\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_notes_on_iptables">Notes on iptables</h3>\r
-<div class="paragraph"><p>These notes are just a quick reminder that you need to set up iptables to use\r
-the IPQ or NFQ DAQs. Doing so may cause problems with your network so tread\r
-carefully. The examples below are intentionally incomplete so please read the\r
-related documentation first.</p></div>\r
-<div class="paragraph"><p>Here is a blog post by Marty for historical reference:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>http://archives.neohapsis.com/archives/snort/2000-11/0394.html</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>You can check this out for queue sizing tips:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>http://www.inliniac.net/blog/2008/01/23/improving-snort_inlines-nfq-performance.html</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>You might find useful IPQ info here:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>http://snort-inline.sourceforge.net/</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Use this to examine your iptables:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>sudo /sbin/iptables -L</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Use something like this to set up NFQ:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>sudo /sbin/iptables\r
- -I <table> [<protocol stuff>] [<state stuff>]\r
- -j NFQUEUE --queue-num 1</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Use something like this to set up IPQ:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>sudo iptables -I FORWARD -j QUEUE</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Use something like this to "disconnect" snort:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>sudo /sbin/iptables -D <table> <rule pos></code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Be sure to start Snort prior to routing packets through NFQ with iptables.\r
-Such packets will be dropped until Snort is started.</p></div>\r
-<div class="paragraph"><p>The queue-num is the number you must give Snort.</p></div>\r
-<div class="paragraph"><p>If you are running on a system with both NFQ and IPQ support, you may\r
-experience some start-up failures of the sort:</p></div>\r
-<div class="paragraph"><p>The solution seems to be to remove both modules from the kernel like this:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>modprobe -r nfnetlink_queue\r
-modprobe -r ip_queue</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>and then install the module you want:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>modprobe ip_queue</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>or:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>modprobe nfnetlink_queue</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>These DAQs should be run with a snaplen of 65535 since the kernel defrags the\r
-packets before queuing. Also, no need to configure frag3.</p></div>\r
-</div>\r
<div class="sect2">\r
-<h3 id="_notes_on_freebsd_ipfw">Notes on FreeBSD::IPFW</h3>\r
-<div class="paragraph"><p>Check the online manual at:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>http://www.freebsd.org/doc/handbook/firewalls-ipfw.html.</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Here is a brief example to divert icmp packets to Snort at port 8000:</p></div>\r
-<div class="paragraph"><p>To enable support for divert sockets, place the following lines in the\r
-kernel configuration file:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>options IPFIREWALL\r
-options IPDIVERT</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>(The file in this case was: /usr/src/sys/i386/conf/GENERIC; which is platform\r
-dependent.)</p></div>\r
-<div class="paragraph"><p>You may need to also set these to use the loadable kernel modules:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>/etc/rc.conf:\r
-firewall_enable="YES"</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>/boot/loader.conf:\r
-ipfw_load="YES"\r
-ipdivert_load="YES"</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$ dmesg | grep ipfw\r
-ipfw2 (+ipv6) initialized, divert loadable, nat loadable, rule-based\r
-forwarding disabled, default to deny, logging disabled</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$ kldload -v ipdivert\r
-Loaded ipdivert, id=4</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$ ipfw add 75 divert 8000 icmp from any to any\r
-00075 divert 8000 icmp from any to any</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$ ipfw list\r
-...\r
-00075 divert 8000 icmp from any to any\r
-00080 allow icmp from any to any\r
-...</code></pre>\r
-</div></div>\r
+<h3 id="_ssl_version">ssl_version</h3>\r
+<div class="paragraph"><p>What: detection option for ssl version</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-Note that on FreeBSD, divert sockets don’t work with bridges!\r
+implied <strong>ssl_version.sslv2</strong>: check for sslv2\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Please refer to the following articles for more information:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<a href="https://forums.snort.org/forums/support/topics/snort-inline-on-freebsd-ipfw">https://forums.snort.org/forums/support/topics/snort-inline-on-freebsd-ipfw</a>\r
+implied <strong>ssl_version.sslv3</strong>: check for sslv3\r
</p>\r
</li>\r
<li>\r
<p>\r
-<a href="http://freebsd.rogness.net/snort_inline/">http://freebsd.rogness.net/snort_inline/</a>\r
+implied <strong>ssl_version.tls1.0</strong>: check for tls1.0\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>NAT gateway can be used with divert sockets if the network environment is\r
-conducive to using NAT.</p></div>\r
-<div class="paragraph"><p>The steps to set up NAT with ipfw are as follows:</p></div>\r
-<div class="olist arabic"><ol class="arabic">\r
<li>\r
<p>\r
-Set up NAT with two interface em0 and em1 by adding the following to\r
-/etc/rc.conf. Here em0 is connected to external network and em1 to\r
-host-only LAN.\r
+implied <strong>ssl_version.tls1.1</strong>: check for tls1.1\r
</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>gateway_enable="YES"\r
-natd_program="/sbin/natd" # path to natd\r
-natd_enable="YES" # Enable natd (if firewall_enable == YES)\r
-natd_interface="em0" # Public interface or IP Address\r
-natd_flags="-dynamic" # Additional flags\r
-defaultrouter=""\r
-ifconfig_em0="DHCP"\r
-ifconfig_em1="inet 192.168.1.2 netmask 255.255.255.0"\r
-firewall_enable="YES"\r
-firewall_script="/etc/rc.firewall"\r
-firewall_type="simple"</code></pre>\r
-</div></div>\r
</li>\r
<li>\r
<p>\r
-Add the following divert rules to divert packets to Snort above and\r
-below the NAT rule in the "Simple" section of /etc/rc.firewall.\r
+implied <strong>ssl_version.tls1.2</strong>: check for tls1.2\r
</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>...\r
-# Inspect outbound packets (those arriving on "inside" interface)\r
-# before NAT translation.\r
-${fwcmd} add divert 8000 all from any to any in via ${iif}\r
-case ${natd_enable} in\r
-[Yy][Ee][Ss])\r
- if [ -n "${natd_interface}" ]; then\r
- ${fwcmd} add divert natd all from any to any via ${natd_interface}\r
- fi\r
- ;;\r
-esac\r
-...\r
-# Inspect inbound packets (those arriving on "outside" interface)\r
-# after NAT translation that aren't blocked for other reasons,\r
-# after the TCP "established" rule.\r
-${fwcmd} add divert 8000 all from any to any in via ${oif}</code></pre>\r
-</div></div>\r
</li>\r
-</ol></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_notes_on_openbsd_ipfw">Notes on OpenBSD::IPFW</h3>\r
-<div class="paragraph"><p>OpenBSD supports divert sockets as of 4.7, so we use the ipfw DAQ.</p></div>\r
-<div class="paragraph"><p>Here is one way to set things up:</p></div>\r
-<div class="olist arabic"><ol class="arabic">\r
<li>\r
<p>\r
-Configure the system to forward packets:\r
+implied <strong>ssl_version.!sslv2</strong>: check for records that are not sslv2\r
</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$ sysctl net.inet.ip.forwarding=1\r
-$ sysctl net.inet6.ip6.forwarding=1</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>(You can also put that in /etc/sysctl.conf to enable on boot.)</code></pre>\r
-</div></div>\r
</li>\r
<li>\r
<p>\r
-Set up interfaces\r
+implied <strong>ssl_version.!sslv3</strong>: check for records that are not sslv3\r
</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$ dhclient vic1\r
-$ dhclient vic2</code></pre>\r
-</div></div>\r
</li>\r
<li>\r
<p>\r
-Set up packet filter rules:\r
+implied <strong>ssl_version.!tls1.0</strong>: check for records that are not tls1.0\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>ssl_version.!tls1.1</strong>: check for records that are not tls1.1\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>ssl_version.!tls1.2</strong>: check for records that are not tls1.2\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_stream_reassemble">stream_reassemble</h3>\r
+<div class="paragraph"><p>What: detection option for stream reassembly control</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+enum <strong>stream_reassemble.action</strong>: stop or start stream reassembly { disable|enable }\r
</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$ echo "pass out on vic1 divert-packet port 9000 keep-state" > rules.txt\r
-$ echo "pass out on vic2 divert-packet port 9000 keep-state" >> rules.txt</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$ pfctl -v -f rules.txt</code></pre>\r
-</div></div>\r
</li>\r
<li>\r
<p>\r
-Analyze packets diverted to port 9000:\r
+enum <strong>stream_reassemble.direction</strong>: action applies to the given direction(s) { client|server|both }\r
</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$ ./snort --daq ipfw --daq-var port=9000</code></pre>\r
-</div></div>\r
-<div class="ulist"><ul>\r
+</li>\r
<li>\r
<p>\r
-Note that on OpenBSD, divert sockets don’t work with bridges!\r
+implied <strong>stream_reassemble.noalert</strong>: don’t alert when rule matches\r
</p>\r
</li>\r
-</ul></div>\r
-</li>\r
-</ol></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_socket_module">Socket Module</h3>\r
-<div class="paragraph"><p>The socket module provides provides a stream socket server that will accept\r
-up to 2 simultaneous connections and bridge them together while also\r
-passing data to Snort++ for inspection. The first connection accepted is\r
-considered the client and the second connection accepted is considered the\r
-server. If there is only one connection, stream data can’t be forwarded\r
-but it is still inspected.</p></div>\r
-<div class="paragraph"><p>Each read from a socket of up to snaplen bytes is passed as a packet to\r
-Snort++ along with a DAQ_SktHdr_t pointer in DAQ_PktHdr_t→priv_ptr.\r
-DAQ_SktHdr_t conveys IP4 address, ports, protocol, and direction. Socket\r
-packets can be configured to be TCP or UDP. The socket DAQ can be operated\r
-in inline mode and is able to block packets.</p></div>\r
-<div class="paragraph"><p>The socket DAQ uses DLT_SOCKET and requires that Snort++ load the socket\r
-codec which is included in the extra package.</p></div>\r
-<div class="paragraph"><p>To use the socket DAQ, start Snort++ like this:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>./snort --plugin-path /path/to/lib/snort_extra \\r
- --daq socket [--daq-var port=<port>] [--daq-var proto=<proto>] [-Q]</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code><port> ::= 1..65535; default is 8000\r
-<proto> ::= tcp | udp</code></pre>\r
-</div></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-This module only supports ip4 traffic.\r
+implied <strong>stream_reassemble.fastpath</strong>: optionally whitelist the remainder of the session\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_stream_size">stream_size</h3>\r
+<div class="paragraph"><p>What: detection option for stream size checking</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-This module is only supported by Snort++. It is not compatible with\r
- Snort.\r
+string <strong>stream_size.~range</strong>: size for comparison\r
</p>\r
</li>\r
<li>\r
<p>\r
-This module is primarily for development and test.\r
+enum <strong>stream_size.~direction</strong>: compare applies to the given direction(s) { either|to_server|to_client|both }\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_file_module">File Module</h3>\r
-<div class="paragraph"><p>The file module provides the ability to process files directly w/o having\r
-to extract them from pcaps. Use the file module with Snort’s stream_file\r
-to get file type identification and signature services. The usual IPS\r
-detection and logging etc. is available too.</p></div>\r
-<div class="paragraph"><p>You can process all the files in a directory recursively using 8 threads\r
-with these Snort options:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>--pcap-dir path -z 8</code></pre>\r
-</div></div>\r
+<h3 id="_tag">tag</h3>\r
+<div class="paragraph"><p>What: rule option to log additional packets</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-This module is only supported by Snort++. It is not compatible with\r
- Snort.\r
+enum <strong>tag.~</strong>: log all packets in session or all packets to or from host { session|host_src|host_dst }\r
</p>\r
</li>\r
<li>\r
<p>\r
-This module is primarily for development and test.\r
+int <strong>tag.packets</strong>: tag this many packets { 1: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>tag.seconds</strong>: tag for this many seconds { 1: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>tag.bytes</strong>: tag for this many bytes { 1: }\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_hext_module">Hext Module</h3>\r
-<div class="paragraph"><p>The hext module generates packets suitable for processing by Snort from\r
-hex/plain text. Raw packets include full headers and are processed\r
-normally. Otherwise the packets contain only payload and are accompanied\r
-with flow information (4-tuple) suitable for processing by stream_user.</p></div>\r
-<div class="paragraph"><p>The first character of the line determines it’s purpose:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>'$' command\r
-'#' comment\r
-'"' quoted string packet data\r
-'x' hex packet data\r
-' ' empty line separates packets</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The available commands are:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$client <ip4> <port>\r
-$server <ip4> <port></code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$packet -> client\r
-$packet -> server</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$packet <addr> <port> -> <addr> <port></code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Client and server are determined as follows. $packet → client indicates\r
-to the client (from server) and $packet → server indicates a packet to the\r
-server (from client). $packet followed by a 4-tuple uses the heuristic\r
-that the client is the side with the lower port number.</p></div>\r
-<div class="paragraph"><p>The default client and server are 192.168.1.1 12345 and 10.1.2.3 80\r
-respectively. $packet commands with a 4-tuple do not change client and\r
-server set with the other $packet commands.</p></div>\r
-<div class="paragraph"><p>$packet commands should be followed by packet data, which may contain any\r
-combination of hex and strings. Data for a packet ends with the next\r
-command or a blank line. Data after a blank line will start another packet\r
-with the same tuple as the prior one.</p></div>\r
-<div class="paragraph"><p>Strings may contain the following escape sequences:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>\r = 0x0D = carriage return\r
-\n = 0x0A = new line\r
-\t = 0x09 = tab\r
-\\ = 0x5C = \</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Format your input carefully; there is minimal error checking and little\r
-tolerance for arbitrary whitespace. You can use Snort’s -L hext option to\r
-generate hext input from a pcap.</p></div>\r
+<h3 id="_tos">tos</h3>\r
+<div class="paragraph"><p>What: rule option to check type of service field</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-This module only supports ip4 traffic.\r
+string <strong>tos.~range</strong>: check if ip tos value is <em>value | min<>max | <max | >min</em>\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_ttl">ttl</h3>\r
+<div class="paragraph"><p>What: rule option to check time to live field</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-This module is only supported by Snort++. It is not compatible with\r
- Snort.\r
+string <strong>ttl.~range</strong>: check if ip ttl field value is <em>value | min<>max | <max | >min</em>\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_window">window</h3>\r
+<div class="paragraph"><p>What: rule option to check TCP window field</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-This module is primarily for development and test.\r
+string <strong>window.~range</strong>: check if tcp window field size is <em>size | min<>max | <max | >min</em>\r
</p>\r
</li>\r
</ul></div>\r
-<div class="paragraph"><p>The hext DAQ also supports a raw mode which is activated by setting the\r
-data link type. For example, you can input full ethernet packets with\r
---daq-var dlt=1 (Data link types are defined in the DAQ include\r
-sfbpf_dlt.h.) Combine that with the hext logger in raw mode for a quick\r
-(and dirty) way to edit pcaps. With --lua "log_hext = { raw = true }", the\r
-hext logger will dump the full packet in a way that can be read by the hext\r
-DAQ in raw mode. Here is an example:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code># 3 [96]</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>x02 09 08 07 06 05 02 01 02 03 04 05 08 00 45 00 00 52 00 03 # ..............E..R..\r
-x00 00 40 06 5C 90 0A 01 02 03 0A 09 08 07 BD EC 00 50 00 00 # ..@.\............P..\r
-x00 02 00 00 00 02 50 10 20 00 8A E1 00 00 47 45 54 20 2F 74 # ......P. .....GET /t\r
-x72 69 67 67 65 72 2F 31 20 48 54 54 50 2F 31 2E 31 0D 0A 48 # rigger/1 HTTP/1.1..H\r
-x6F 73 74 3A 20 6C 6F 63 61 6C 68 6F 73 74 0D 0A # ost: localhost..</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>A comment indicating packet number and size precedes each packet dump.\r
-Note that the commands are not applicable in raw mode and have no effect.</p></div>\r
</div>\r
</div>\r
</div>\r
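Review bot: this region removes a large block of operational DAQ documentation without a visible replacement: the NFQ/IPQ notes (the `iptables -I <table> ... -j NFQUEUE --queue-num 1` setup, the warning that packets routed through NFQ before Snort starts are dropped, the `modprobe -r nfnetlink_queue` / `modprobe -r ip_queue` workaround, and the advice to run with a snaplen of 65535 since the kernel defrags before queuing), the FreeBSD and OpenBSD IPFW divert-socket notes (including both "divert sockets don't work with bridges!" caveats and the NAT/rc.firewall example), and the Socket, File and Hext module descriptions (including the hext escape-sequence table and the `--daq-var dlt=1` raw mode). The text added in their place (ssl_version, stream_reassemble, stream_size, tag, tos, ttl, window) is IPS option reference material, not a rewrite of those notes. Since a new "DAQ Modules" section is introduced later in this same diff, confirm that these sections were relocated there rather than dropped; if they were retired on purpose, the commit message should say so, because the inline-mode caveats (drops before Snort is up, snaplen, no bridges with divert) are the kind of thing operators rely on.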
<div class="sect1">\r
-<h2 id="_snort_vs_snort">Snort++ vs Snort</h2>\r
+<h2 id="_search_engine_modules">Search Engine Modules</h2>\r
+<div class="sectionbody">\r
+<div class="paragraph"><p>Search engines perform multipattern searching of packets and payload to find\r
+rules that should be evaluated. There are currently no specific modules,\r
+although there are several search engine plugins. Related configuration\r
+is done with the basic detection module.</p></div>\r
+</div>\r
+</div>\r
+<div class="sect1">\r
+<h2 id="_so_rule_modules">SO Rule Modules</h2>\r
+<div class="sectionbody">\r
+<div class="paragraph"><p>SO rules are dynamic rules that require custom coding to perform detection\r
+not possible with the existing rule options. These rules typically do not\r
+have associated modules.</p></div>\r
+</div>\r
+</div>\r
+<div class="sect1">\r
+<h2 id="_logger_modules">Logger Modules</h2>\r
<div class="sectionbody">\r
-<div class="paragraph"><p>Snort++ differs from Snort in the following ways:</p></div>\r
+<div class="paragraph"><p>All output of events and packets is done by Loggers.</p></div>\r
+<div class="sect2">\r
+<h3 id="_alert_csv">alert_csv</h3>\r
+<div class="paragraph"><p>What: output event in csv format</p></div>\r
+<div class="paragraph"><p>Type: logger</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-command line and conf file syntax made more uniform\r
+bool <strong>alert_csv.file</strong> = false: output to alert_csv.txt instead of stdout\r
</p>\r
</li>\r
<li>\r
<p>\r
-removed unused and deprecated features\r
+multi <strong>alert_csv.fields</strong> = timestamp pkt_num proto pkt_gen dgm_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | dir | dgm_len | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | pkt_gen | pkt_num | proto | rev | rule | sid | src_addr | src_ap | src_port | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len }\r
</p>\r
</li>\r
<li>\r
<p>\r
-remove as many barriers to successful run as possible\r
- (e.g.: no upper bounds on memcaps)\r
+int <strong>alert_csv.limit</strong> = 0: set limit (0 is unlimited) { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-assume the simplest mode of operation\r
- (e.g.: never assume input from or output to some hardcoded filename)\r
+string <strong>alert_csv.separator</strong> = , : separate fields with this character sequence\r
</p>\r
</li>\r
<li>\r
<p>\r
-all Snort config options are grouped into Snort++ modules\r
+enum <strong>alert_csv.units</strong> = B: bytes | KB | MB | GB { B | K | M | G }\r
</p>\r
</li>\r
</ul></div>\r
+</div>\r
<div class="sect2">\r
-<h3 id="_build_options">Build Options</h3>\r
+<h3 id="_alert_fast">alert_fast</h3>\r
+<div class="paragraph"><p>What: output event with brief text format</p></div>\r
+<div class="paragraph"><p>Type: logger</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-configure --with-lib{pcap,pcre}-* → --with-{pcap,pcre}-*\r
+bool <strong>alert_fast.file</strong> = false: output to alert_fast.txt instead of stdout\r
</p>\r
</li>\r
<li>\r
<p>\r
-control socket, cs_dir, and users were deleted\r
+bool <strong>alert_fast.packet</strong> = false: output packet dump with alert\r
</p>\r
</li>\r
<li>\r
<p>\r
-POLICY_BY_ID_ONLY code was deleted\r
+int <strong>alert_fast.limit</strong> = 0: set limit (0 is unlimited) { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-hardened --enable-inline-init-failopen / INLINE_FAILOPEN\r
+enum <strong>alert_fast.units</strong> = B: bytes | KB | MB | GB { B | K | M | G }\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_command_line">Command Line</h3>\r
+<h3 id="_alert_full">alert_full</h3>\r
+<div class="paragraph"><p>What: output event with full packet dump</p></div>\r
+<div class="paragraph"><p>Type: logger</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
---pause loads config and waits for resume before processing packets\r
+bool <strong>alert_full.file</strong> = false: output to alert_full.txt instead of stdout\r
</p>\r
</li>\r
<li>\r
<p>\r
---require-rule-sid is hardened\r
+int <strong>alert_full.limit</strong> = 0: set limit (0 is unlimited) { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
---shell enables interactive Lua shell\r
+enum <strong>alert_full.units</strong> = B: limit is in bytes | KB | MB | GB { B | K | M | G }\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_alert_sfsocket">alert_sfsocket</h3>\r
+<div class="paragraph"><p>What: output event over socket</p></div>\r
+<div class="paragraph"><p>Type: logger</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+string <strong>alert_sfsocket.file</strong>: name of unix socket file\r
</p>\r
</li>\r
<li>\r
<p>\r
--T is assumed if no input given\r
+int <strong>alert_sfsocket.rules[].gid</strong> = 1: rule generator ID { 1: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>alert_sfsocket.rules[].sid</strong> = 1: rule signature ID { 1: }\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_alert_syslog">alert_syslog</h3>\r
+<div class="paragraph"><p>What: output event to syslog</p></div>\r
+<div class="paragraph"><p>Type: logger</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-added --help-config prefix to dump all matching settings\r
+enum <strong>alert_syslog.facility</strong> = auth: part of priority applied to each message { auth | authpriv | daemon | user | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-added --script-path\r
+enum <strong>alert_syslog.level</strong> = info: part of priority applied to each message { emerg | alert | crit | err | warning | notice | info | debug }\r
</p>\r
</li>\r
<li>\r
<p>\r
-added -L none|dump|pcap\r
+multi <strong>alert_syslog.options</strong>: used to open the syslog connection { cons | ndelay | perror | pid }\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_log_codecs">log_codecs</h3>\r
+<div class="paragraph"><p>What: log protocols in packet by layer</p></div>\r
+<div class="paragraph"><p>Type: logger</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-added -z <#> and --max-packet-threads <#>\r
+bool <strong>log_codecs.file</strong> = false: output to log_codecs.txt instead of stdout\r
</p>\r
</li>\r
<li>\r
<p>\r
-delete --enable-mpls-multicast, --enable-mpls-overlapping-ip,\r
- --max-mpls-labelchain-len, --mpls-payload-type\r
+bool <strong>log_codecs.msg</strong> = false: include alert msg\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_log_hext">log_hext</h3>\r
+<div class="paragraph"><p>What: output payload suitable for daq hext</p></div>\r
+<div class="paragraph"><p>Type: logger</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-deleted --pid-path and --no-interface-pidfile\r
+bool <strong>log_hext.file</strong> = false: output to log_hext.txt instead of stdout\r
</p>\r
</li>\r
<li>\r
<p>\r
-deleting command line options which will be available with --lua or some such including:\r
- -I, -h, -F, -p, --disable-inline-init-failopen\r
+bool <strong>log_hext.raw</strong> = false: output all full packets if true, else just TCP payload\r
</p>\r
</li>\r
<li>\r
<p>\r
-hardened -n < 0\r
+int <strong>log_hext.limit</strong> = 0: set limit (0 is unlimited) { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-removed --search-method\r
+enum <strong>log_hext.units</strong> = B: bytes | KB | MB | GB { B | K | M | G }\r
</p>\r
</li>\r
<li>\r
<p>\r
-replaced "unknown args are bpf" with --bpf\r
+int <strong>log_hext.width</strong> = 20: set line width (0 is unlimited) { 0: }\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_log_pcap">log_pcap</h3>\r
+<div class="paragraph"><p>What: log packet in pcap format</p></div>\r
+<div class="paragraph"><p>Type: logger</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-replaced --dynamic-*-lib[-dir] with --plugin-path (with : separators)\r
+int <strong>log_pcap.limit</strong> = 0: set limit (0 is unlimited) { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-removed -b, -N, -Z and, --perfmon-file options\r
+enum <strong>log_pcap.units</strong> = B: bytes | KB | MB | GB { B | K | M | G }\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_conf_file">Conf File</h3>\r
+<h3 id="_unified2">unified2</h3>\r
+<div class="paragraph"><p>What: output event and packet in unified2 format file</p></div>\r
+<div class="paragraph"><p>Type: logger</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-Snort++ has a default unicode.map\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Snort++ will not enforce an upper bound on memcaps and the like within 64 bits\r
+int <strong>unified2.limit</strong> = 0: set limit (0 is unlimited) { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-Snort++ will supply a default *_global config if not specified\r
- (Snort would fatal; e.g. http_inspect_server w/o http_inspect_global)\r
+enum <strong>unified2.units</strong> = B: limit multiplier { B | K | M | G }\r
</p>\r
</li>\r
<li>\r
<p>\r
-address list syntax changes: [[ and ]] must be [ [ and ] ] to avoid Lua string\r
- parsing errors (unless in quoted string)\r
+bool <strong>unified2.nostamp</strong> = true: append file creation time to name (in Unix Epoch format)\r
</p>\r
</li>\r
<li>\r
<p>\r
-because the Lua conf is live code, we lose file:line locations in app error messages\r
- (syntax errors from Lua have file:line)\r
+bool <strong>unified2.mpls_event_types</strong> = false: include mpls labels in events\r
</p>\r
</li>\r
<li>\r
<p>\r
-changed search-method names for consistency\r
+bool <strong>unified2.vlan_event_types</strong> = false: include vlan IDs in events\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+</div>\r
+</div>\r
+<div class="sect1">\r
+<h2 id="_daq_modules">DAQ Modules</h2>\r
+<div class="sectionbody">\r
+<div class="paragraph"><p>The Data AcQuisition library (DAQ), provides pluggable packet I/O. The DAQ\r
+replaces direct calls to libraries like libpcap with an abstraction layer\r
+that facilitates operation on a variety of hardware and software interfaces\r
+without requiring changes to Snort. It is possible to select the DAQ type\r
+and mode when invoking Snort to perform pcap readback or inline operation,\r
+etc. The DAQ library may be useful for other packet processing\r
+applications and the modular nature allows you to build new modules for\r
+other platforms.</p></div>\r
+<div class="paragraph"><p>The DAQ library is provided as an external package on snort.org. There are\r
+a few additional modules provided with Snort 3. This section summarizes\r
+the important things you need to know to use these DAQ modules. There are\r
+also 3rd DAQ modules available.</p></div>\r
+<div class="sect2">\r
+<h3 id="_building_the_daq_library_and_daq_modules">Building the DAQ Library and DAQ Modules</h3>\r
+<div class="paragraph"><p>The DAQ is bundled with Snort but must be built first using these steps:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>./configure\r
+make\r
+sudo make install</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>This will build and install both static and dynamic DAQ modules.</p></div>\r
+<div class="paragraph"><p>Note that pcap >= 1.0.0 is required. pcap 1.1.1 is available at the time\r
+of this writing and is recommended.</p></div>\r
+<div class="paragraph"><p>Also, libdnet is required for IPQ and NFQ DAQs. If you get a relocation error\r
+trying to build those DAQs, you may need to reinstall libdnet and configure it\r
+with something like this:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>./configure "CFLAGS=-fPIC -g -O2"</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>You may also experience problems trying to find the dynamic dnet library\r
+because it isn’t always named properly. Try creating a link to the shared\r
+library (identified by its .x or .x.y etc. extension) with the same name but\r
+with ".so" inserted as follows:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>$ ln -s libdnet.1.1 libdnet.so.1.1\r
+$ ldconfig -Rv /usr/local/lib 2>&1 | grep dnet\r
+ Adding /usr/local/lib/libdnet.so.1.1</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Alternatively, you should be able to fix both issues as follows:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>libtoolize --copy --force\r
+aclocal -I config\r
+autoheader\r
+autoconf\r
+automake --foreign</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>When the DAQ library is built, both static and dynamic flavors will be\r
+generated. The various DAQ modules will be built if the requisite headers and\r
+libraries are available. You can disable individual modules, etc. with options\r
+to configure. For the complete list of configure options, run:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>./configure --help</code></pre>\r
+</div></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_pcap_module">PCAP Module</h3>\r
+<div class="paragraph"><p>pcap is the default DAQ. If snort is run w/o any DAQ arguments, it will\r
+operate as it always did using this module. These are equivalent:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>./snort -i <device>\r
+./snort -r <file></code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>./snort --daq pcap --daq-mode passive -i <device>\r
+./snort --daq pcap --daq-mode read-file -r <file></code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>You can specify the buffer size pcap uses with:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>./snort --daq pcap --daq-var buffer_size=<#bytes></code></pre>\r
+</div></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-delete config include_vlan_in_alerts (not used in code)\r
+The pcap DAQ does not count filtered packets. *\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_afpacket_module">AFPACKET Module</h3>\r
+<div class="paragraph"><p>afpacket functions similar to the pcap DAQ but with better performance:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>./snort --daq afpacket -i <device>\r
+ [--daq-var buffer_size_mb=<#MB>]\r
+ [--daq-var debug]</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>If you want to run afpacket in inline mode, you must craft the device string as\r
+one or more interface pairs, where each member of a pair is separated by a\r
+single colon and each pair is separated by a double colon like this:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>eth0:eth1</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>or this:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>eth0:eth1::eth2:eth3</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>By default, the afpacket DAQ allocates 128MB for packet memory. You can change\r
+this with:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>--daq-var buffer_size_mb=<#MB></code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Note that the total allocated is actually higher, here’s why. Assuming the\r
+default packet memory with a snaplen of 1518, the numbers break down like this:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-delete config so_rule_memcap (not used in code)\r
+The frame size is 1518 (snaplen) + the size of the AFPacket header (66\r
+ bytes) = 1584 bytes.\r
</p>\r
</li>\r
<li>\r
<p>\r
-deleted --disable-attribute-table-reload-thread\r
+The number of frames is 128 MB / 1518 = 84733.\r
</p>\r
</li>\r
<li>\r
<p>\r
-deleted config decode_*_{alerts,drops} (use rules only)\r
+The smallest block size that can fit at least one frame is 4 KB = 4096 bytes\r
+ @ 2 frames per block.\r
</p>\r
</li>\r
<li>\r
<p>\r
-deleted config dump-dynamic-rules-path\r
+As a result, we need 84733 / 2 = 42366 blocks.\r
</p>\r
</li>\r
<li>\r
<p>\r
-deleted config ipv6_frag (not actually used)\r
+Actual memory allocated is 42366 * 4 KB = 165.5 MB.\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="admonitionblock">\r
+<table><tr>\r
+<td class="icon">\r
+<img src="./images/icons/note.png" alt="Note" />\r
+</td>\r
+<td class="content">Linux kernel version 2.6.31 or higher is required for the AFPacket DAQ\r
+module due to its dependency on both TPACKET v2 and PACKET_TX_RING support.</td>\r
+</tr></table>\r
+</div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_nfq_module">NFQ Module</h3>\r
+<div class="paragraph"><p>NFQ is the new and improved way to process iptables packets:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>./snort --daq nfq \\r
+ [--daq-var device=<dev>] \\r
+ [--daq-var proto=<proto>] \\r
+ [--daq-var queue=<qid>]</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code><dev> ::= ip | eth0, etc; default is IP injection\r
+<proto> ::= ip4 | ip6 |; default is ip4\r
+<qid> ::= 0..65535; default is 0</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>This module can not run unprivileged so ./snort -u -g will produce a warning\r
+and won’t change user or group.</p></div>\r
+<div class="paragraph"><p>Notes on iptables are given below.</p></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_ipq_module">IPQ Module</h3>\r
+<div class="paragraph"><p>IPQ is the old way to process iptables packets. It replaces the inline version\r
+available in pre-2.9 versions built with this:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>./configure --enable-inline</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Note that layer 2 resets are not supported with the IPQ DAQ:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>config layer2resets[: <mac>]</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Start the IPQ DAQ as follows:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>./snort --daq ipq \\r
+ [--daq-var device=<dev>] \\r
+ [--daq-var proto=<proto>] \</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code><dev> ::= ip | eth0, etc; default is IP injection\r
+<proto> ::= ip4 | ip6; default is ip4</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>This module can not run unprivileged so ./snort -u -g will produce a warning\r
+and won’t change user or group.</p></div>\r
+<div class="paragraph"><p>Notes on iptables are given below.</p></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_ipfw_module">IPFW Module</h3>\r
+<div class="paragraph"><p>IPFW is available for BSD systems. It replaces the inline version available in\r
+pre-2.9 versions built with this:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>./configure --enable-ipfw</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>This command line argument is no longer supported:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>./snort -J <port#></code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Instead, start Snort like this:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>./snort --daq ipfw [--daq-var port=<port>]</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code><port> ::= 1..65535; default is 8000</code></pre>\r
+</div></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-deleted config threshold and ips rule threshold (→ event_filter)\r
+IPFW only supports ip4 traffic.\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Notes on FreeBSD and OpenBSD are given below.</p></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_dump_module">Dump Module</h3>\r
+<div class="paragraph"><p>The dump DAQ allows you to test the various inline mode features available in\r
+Snort like injection and normalization.</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>./snort -i <device> --daq dump\r
+./snort -r <pcap> --daq dump</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>By default a file named inline-out.pcap will be created containing all packets\r
+that passed through or were generated by snort. You can optionally specify a\r
+different name.</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>./snort --daq dump --daq-var file=<name></code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>dump uses the pcap daq for packet acquisition. It therefore does not count\r
+filtered packets (a pcap limitation).</p></div>\r
+<div class="paragraph"><p>Note that the dump DAQ inline mode is not an actual inline mode. Furthermore,\r
+you will probably want to have the pcap DAQ acquire in another mode like this:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>./snort -r <pcap> -Q --daq dump --daq-var load-mode=read-file\r
+./snort -i <device> -Q --daq dump --daq-var load-mode=passive</code></pre>\r
+</div></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_netmap_module">Netmap Module</h3>\r
+<div class="paragraph"><p>The netmap project is a framework for very high speed packet I/O. It is\r
+available on both FreeBSD and Linux with varying amounts of preparatory\r
+setup required. Specific notes for each follow.</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>./snort --daq netmap -i <device>\r
+ [--daq-var debug]</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>If you want to run netmap in inline mode, you must craft the device string as\r
+one or more interface pairs, where each member of a pair is separated by a\r
+single colon and each pair is separated by a double colon like this:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>em1:em2</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>or this:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>em1:em2::em3:em4</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Inline operation performs Layer 2 forwarding with no MAC filtering, akin to the\r
+AFPacket module’s behavior. All packets received on one interface in an inline\r
+pair will be forwarded out the other interface unless dropped by the reader and\r
+vice versa.</p></div>\r
+<div class="admonitionblock">\r
+<table><tr>\r
+<td class="icon">\r
+<img src="./images/icons/important.png" alt="Important" />\r
+</td>\r
+<td class="content">The interfaces will need to be up and in promiscuous mode in order to\r
+function (<em>ifconfig em1 up promisc</em>). The DAQ module does not currently do\r
+either of these configuration steps for itself.</td>\r
+</tr></table>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_freebsd">FreeBSD</h4>\r
+<div class="paragraph"><p>In FreeBSD 10.0, netmap has been integrated into the core OS. In order to use\r
+it, you must recompile your kernel with the line</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>device netmap</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>added to your kernel config.</p></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_linux">Linux</h4>\r
+<div class="paragraph"><p>You will need to download the netmap source code from the project’s repository:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>https://code.google.com/p/netmap/</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Follow the instructions on the project’s homepage for compiling and installing\r
+the code:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>http://info.iet.unipi.it/~luigi/netmap/</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>It will involve a standalone kernel module (netmap_lin) as well as patching and\r
+rebuilding the kernel module used to drive your network adapters. The following\r
+drivers are supported under Linux at the time of writing (June 2014):</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>e1000\r
+e1000e\r
+forcedeth\r
+igb\r
+ixgbe\r
+r8169\r
+virtio</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>TODO:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-eliminated ac-split; must use ac-full-q split-any-any\r
+Support for attaching to only a single ring (queue) on a network adapter.\r
</p>\r
</li>\r
<li>\r
<p>\r
-frag3 → defrag, arpspoof → arp_spoof, sfportscan → port_scan,\r
- perfmonitor → perf_monitor, bo → back_orifice\r
+Support for VALE and netmap pipes.\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_notes_on_iptables">Notes on iptables</h3>\r
+<div class="paragraph"><p>These notes are just a quick reminder that you need to set up iptables to use\r
+the IPQ or NFQ DAQs. Doing so may cause problems with your network so tread\r
+carefully. The examples below are intentionally incomplete so please read the\r
+related documentation first.</p></div>\r
+<div class="paragraph"><p>Here is a blog post by Marty for historical reference:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>http://archives.neohapsis.com/archives/snort/2000-11/0394.html</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>You can check this out for queue sizing tips:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>http://www.inliniac.net/blog/2008/01/23/improving-snort_inlines-nfq-performance.html</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>You might find useful IPQ info here:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>http://snort-inline.sourceforge.net/</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Use this to examine your iptables:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>sudo /sbin/iptables -L</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Use something like this to set up NFQ:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>sudo /sbin/iptables\r
+ -I <table> [<protocol stuff>] [<state stuff>]\r
+ -j NFQUEUE --queue-num 1</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Use something like this to set up IPQ:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>sudo iptables -I FORWARD -j QUEUE</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Use something like this to "disconnect" snort:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>sudo /sbin/iptables -D <table> <rule pos></code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Be sure to start Snort prior to routing packets through NFQ with iptables.\r
+Such packets will be dropped until Snort is started.</p></div>\r
+<div class="paragraph"><p>The queue-num is the number you must give Snort.</p></div>\r
+<div class="paragraph"><p>If you are running on a system with both NFQ and IPQ support, you may\r
+experience some start-up failures of the sort:</p></div>\r
+<div class="paragraph"><p>The solution seems to be to remove both modules from the kernel like this:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>modprobe -r nfnetlink_queue\r
+modprobe -r ip_queue</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>and then install the module you want:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>modprobe ip_queue</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>or:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>modprobe nfnetlink_queue</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>These DAQs should be run with a snaplen of 65535 since the kernel defrags the\r
+packets before queuing. Also, no need to configure frag3.</p></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_notes_on_freebsd_ipfw">Notes on FreeBSD::IPFW</h3>\r
+<div class="paragraph"><p>Check the online manual at:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>http://www.freebsd.org/doc/handbook/firewalls-ipfw.html.</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Here is a brief example to divert icmp packets to Snort at port 8000:</p></div>\r
+<div class="paragraph"><p>To enable support for divert sockets, place the following lines in the\r
+kernel configuration file:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>options IPFIREWALL\r
+options IPDIVERT</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>(The file in this case was: /usr/src/sys/i386/conf/GENERIC; which is platform\r
+dependent.)</p></div>\r
+<div class="paragraph"><p>You may need to also set these to use the loadable kernel modules:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>/etc/rc.conf:\r
+firewall_enable="YES"</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>/boot/loader.conf:\r
+ipfw_load="YES"\r
+ipdivert_load="YES"</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>$ dmesg | grep ipfw\r
+ipfw2 (+ipv6) initialized, divert loadable, nat loadable, rule-based\r
+forwarding disabled, default to deny, logging disabled</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>$ kldload -v ipdivert\r
+Loaded ipdivert, id=4</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>$ ipfw add 75 divert 8000 icmp from any to any\r
+00075 divert 8000 icmp from any to any</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>$ ipfw list\r
+...\r
+00075 divert 8000 icmp from any to any\r
+00080 allow icmp from any to any\r
+...</code></pre>\r
+</div></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-limits like "1234K" are now "limit = 1234, units = <em>K</em>"\r
+Note that on FreeBSD, divert sockets don’t work with bridges!\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Please refer to the following articles for more information:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-lua field names are (lower) case sensitive; snort.conf largely wasn’t\r
+<a href="https://forums.snort.org/forums/support/topics/snort-inline-on-freebsd-ipfw">https://forums.snort.org/forums/support/topics/snort-inline-on-freebsd-ipfw</a>\r
</p>\r
</li>\r
<li>\r
<p>\r
-module filenames are not configurable: always <log-dir>/<module-name><suffix>\r
- (suffix is determined by module)\r
+<a href="http://freebsd.rogness.net/snort_inline/">http://freebsd.rogness.net/snort_inline/</a>\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>NAT gateway can be used with divert sockets if the network environment is\r
+conducive to using NAT.</p></div>\r
+<div class="paragraph"><p>The steps to set up NAT with ipfw are as follows:</p></div>\r
+<div class="olist arabic"><ol class="arabic">\r
<li>\r
<p>\r
-no positional parameters; all name = value\r
+Set up NAT with two interface em0 and em1 by adding the following to\r
+/etc/rc.conf. Here em0 is connected to external network and em1 to\r
+host-only LAN.\r
</p>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>gateway_enable="YES"\r
+natd_program="/sbin/natd" # path to natd\r
+natd_enable="YES" # Enable natd (if firewall_enable == YES)\r
+natd_interface="em0" # Public interface or IP Address\r
+natd_flags="-dynamic" # Additional flags\r
+defaultrouter=""\r
+ifconfig_em0="DHCP"\r
+ifconfig_em1="inet 192.168.1.2 netmask 255.255.255.0"\r
+firewall_enable="YES"\r
+firewall_script="/etc/rc.firewall"\r
+firewall_type="simple"</code></pre>\r
+</div></div>\r
</li>\r
<li>\r
<p>\r
-perf_monitor configuration was simplified\r
+Add the following divert rules to divert packets to Snort above and\r
+below the NAT rule in the "Simple" section of /etc/rc.firewall.\r
</p>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>...\r
+# Inspect outbound packets (those arriving on "inside" interface)\r
+# before NAT translation.\r
+${fwcmd} add divert 8000 all from any to any in via ${iif}\r
+case ${natd_enable} in\r
+[Yy][Ee][Ss])\r
+ if [ -n "${natd_interface}" ]; then\r
+ ${fwcmd} add divert natd all from any to any via ${natd_interface}\r
+ fi\r
+ ;;\r
+esac\r
+...\r
+# Inspect inbound packets (those arriving on "outside" interface)\r
+# after NAT translation that aren't blocked for other reasons,\r
+# after the TCP "established" rule.\r
+${fwcmd} add divert 8000 all from any to any in via ${oif}</code></pre>\r
+</div></div>\r
</li>\r
+</ol></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_notes_on_openbsd_ipfw">Notes on OpenBSD::IPFW</h3>\r
+<div class="paragraph"><p>OpenBSD supports divert sockets as of 4.7, so we use the ipfw DAQ.</p></div>\r
+<div class="paragraph"><p>Here is one way to set things up:</p></div>\r
+<div class="olist arabic"><ol class="arabic">\r
<li>\r
<p>\r
-portscan.detect_ack_scans deleted (exact same as include_midstream)\r
+Configure the system to forward packets:\r
</p>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>$ sysctl net.inet.ip.forwarding=1\r
+$ sysctl net.inet6.ip6.forwarding=1</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>(You can also put that in /etc/sysctl.conf to enable on boot.)</code></pre>\r
+</div></div>\r
</li>\r
<li>\r
<p>\r
-removed various run modes - now just one\r
+Set up interfaces\r
</p>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>$ dhclient vic1\r
+$ dhclient vic2</code></pre>\r
+</div></div>\r
</li>\r
<li>\r
<p>\r
-frag3 default policy is Linux not bsd\r
+Set up packet filter rules:\r
</p>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>$ echo "pass out on vic1 divert-packet port 9000 keep-state" > rules.txt\r
+$ echo "pass out on vic2 divert-packet port 9000 keep-state" >> rules.txt</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>$ pfctl -v -f rules.txt</code></pre>\r
+</div></div>\r
</li>\r
<li>\r
<p>\r
-lowmem* search methods are now in snort_examples\r
+Analyze packets diverted to port 9000:\r
</p>\r
-</li>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>$ ./snort --daq ipfw --daq-var port=9000</code></pre>\r
+</div></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-deleted unused http_inspect stateful mode\r
+Note that on OpenBSD, divert sockets don’t work with bridges!\r
</p>\r
</li>\r
-<li>\r
-<p>\r
-deleted stateless inspection from ftp and telnet\r
-</p>\r
+</ul></div>\r
</li>\r
+</ol></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_socket_module">Socket Module</h3>\r
+<div class="paragraph"><p>The socket module provides provides a stream socket server that will accept\r
+up to 2 simultaneous connections and bridge them together while also\r
+passing data to Snort for inspection. The first connection accepted is\r
+considered the client and the second connection accepted is considered the\r
+server. If there is only one connection, stream data can’t be forwarded\r
+but it is still inspected.</p></div>\r
+<div class="paragraph"><p>Each read from a socket of up to snaplen bytes is passed as a packet to\r
+Snort along with a DAQ_SktHdr_t pointer in DAQ_PktHdr_t→priv_ptr.\r
+DAQ_SktHdr_t conveys IP4 address, ports, protocol, and direction. Socket\r
+packets can be configured to be TCP or UDP. The socket DAQ can be operated\r
+in inline mode and is able to block packets.</p></div>\r
+<div class="paragraph"><p>The socket DAQ uses DLT_SOCKET and requires that Snort load the socket\r
+codec which is included in the extra package.</p></div>\r
+<div class="paragraph"><p>To use the socket DAQ, start Snort like this:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>./snort --plugin-path /path/to/lib/snort_extra \\r
+ --daq socket [--daq-var port=<port>] [--daq-var proto=<proto>] [-Q]</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code><port> ::= 1..65535; default is 8000\r
+<proto> ::= tcp | udp</code></pre>\r
+</div></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-deleted http and ftp alert options (now strictly rule based)\r
+This module only supports ip4 traffic.\r
</p>\r
</li>\r
<li>\r
<p>\r
-preprocessor disabled settings deleted since no longer relevant\r
+This module is only supported by Snort 3. It is not compatible with\r
+ Snort 2.\r
</p>\r
</li>\r
<li>\r
<p>\r
-sessions are always created; snort config stateful checks eliminated\r
+This module is primarily for development and test.\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_file_module">File Module</h3>\r
+<div class="paragraph"><p>The file module provides the ability to process files directly w/o having\r
+to extract them from pcaps. Use the file module with Snort’s stream_file\r
+to get file type identification and signature services. The usual IPS\r
+detection and logging etc. is available too.</p></div>\r
+<div class="paragraph"><p>You can process all the files in a directory recursively using 8 threads\r
+with these Snort options:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>--pcap-dir path -z 8</code></pre>\r
+</div></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-stream5_tcp: prune_log_max deleted; to be replaced with histogram\r
+This module is only supported by Snort 3. It is not compatible with\r
+ Snort 2.\r
</p>\r
</li>\r
<li>\r
<p>\r
-stream5_tcp: max_active_responses, min_response_seconds moved to\r
- active.max_responses, min_interval\r
+This module is primarily for development and test.\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_rules_2">Rules</h3>\r
+<h3 id="_hext_module">Hext Module</h3>\r
+<div class="paragraph"><p>The hext module generates packets suitable for processing by Snort from\r
+hex/plain text. Raw packets include full headers and are processed\r
+normally. Otherwise the packets contain only payload and are accompanied\r
+with flow information (4-tuple) suitable for processing by stream_user.</p></div>\r
+<div class="paragraph"><p>The first character of the line determines it’s purpose:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>'$' command\r
+'#' comment\r
+'"' quoted string packet data\r
+'x' hex packet data\r
+' ' empty line separates packets</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>The available commands are:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>$client <ip4> <port>\r
+$server <ip4> <port></code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>$packet -> client\r
+$packet -> server</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>$packet <addr> <port> -> <addr> <port></code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Client and server are determined as follows. $packet → client indicates\r
+to the client (from server) and $packet → server indicates a packet to the\r
+server (from client). $packet followed by a 4-tuple uses the heuristic\r
+that the client is the side with the lower port number.</p></div>\r
+<div class="paragraph"><p>The default client and server are 192.168.1.1 12345 and 10.1.2.3 80\r
+respectively. $packet commands with a 4-tuple do not change client and\r
+server set with the other $packet commands.</p></div>\r
+<div class="paragraph"><p>$packet commands should be followed by packet data, which may contain any\r
+combination of hex and strings. Data for a packet ends with the next\r
+command or a blank line. Data after a blank line will start another packet\r
+with the same tuple as the prior one.</p></div>\r
+<div class="paragraph"><p>Strings may contain the following escape sequences:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>\r = 0x0D = carriage return\r
+\n = 0x0A = new line\r
+\t = 0x09 = tab\r
+\\ = 0x5C = \</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Format your input carefully; there is minimal error checking and little\r
+tolerance for arbitrary whitespace. You can use Snort’s -L hext option to\r
+generate hext input from a pcap.</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-all rules must have a sid\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-deleted activate / dynamic rules\r
+This module only supports ip4 traffic.\r
</p>\r
</li>\r
<li>\r
<p>\r
-deleted metadata engine shared\r
+This module is only supported by Snort 3. It is not compatible with\r
+ Snort 2.\r
</p>\r
</li>\r
<li>\r
<p>\r
-deleted metadata: rule-flushing (with PDU flushing rule flushing can cause\r
- missed attacks, the opposite of its intent)\r
+This module is primarily for development and test.\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>The hext DAQ also supports a raw mode which is activated by setting the\r
+data link type. For example, you can input full ethernet packets with\r
+--daq-var dlt=1 (Data link types are defined in the DAQ include\r
+sfbpf_dlt.h.) Combine that with the hext logger in raw mode for a quick\r
+(and dirty) way to edit pcaps. With --lua "log_hext = { raw = true }", the\r
+hext logger will dump the full packet in a way that can be read by the hext\r
+DAQ in raw mode. Here is an example:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code># 3 [96]</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>x02 09 08 07 06 05 02 01 02 03 04 05 08 00 45 00 00 52 00 03 # ..............E..R..\r
+x00 00 40 06 5C 90 0A 01 02 03 0A 09 08 07 BD EC 00 50 00 00 # ..@.\............P..\r
+x00 02 00 00 00 02 50 10 20 00 8A E1 00 00 47 45 54 20 2F 74 # ......P. .....GET /t\r
+x72 69 67 67 65 72 2F 31 20 48 54 54 50 2F 31 2E 31 0D 0A 48 # rigger/1 HTTP/1.1..H\r
+x6F 73 74 3A 20 6C 6F 63 61 6C 68 6F 73 74 0D 0A # ost: localhost..</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>A comment indicating packet number and size precedes each packet dump.\r
+Note that the commands are not applicable in raw mode and have no effect.</p></div>\r
+</div>\r
+</div>\r
+</div>\r
+<div class="sect1">\r
+<h2 id="_snort_3_vs_snort_2">Snort 3 vs Snort 2</h2>\r
+<div class="sectionbody">\r
+<div class="paragraph"><p>Snort 3 differs from Snort 2 in the following ways:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-deleted unused rule_state.action\r
+command line and conf file syntax made more uniform\r
</p>\r
</li>\r
<li>\r
<p>\r
-fastpattern_offset, fast_pattern_length\r
+removed unused and deprecated features\r
</p>\r
</li>\r
<li>\r
<p>\r
-no ; separated content suboptions\r
+remove as many barriers to successful run as possible\r
+ (e.g.: no upper bounds on memcaps)\r
</p>\r
</li>\r
<li>\r
<p>\r
-offset, depth, distance, and within must use a space separator not colon\r
- (e.g. offset:5; becomes offset 5;)\r
+assume the simplest mode of operation\r
+ (e.g.: never assume input from or output to some hardcoded filename)\r
</p>\r
</li>\r
<li>\r
<p>\r
-rule option sequence: <stub> soid <hidden>\r
+all Snort 2 config options are grouped into Snort 3 modules\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="sect2">\r
+<h3 id="_build_options">Build Options</h3>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-sid == 0 not allowed\r
+configure --with-lib{pcap,pcre}-* → --with-{pcap,pcre}-*\r
</p>\r
</li>\r
<li>\r
<p>\r
-soid is now a non-metadata option\r
+control socket, cs_dir, and users were deleted\r
</p>\r
</li>\r
<li>\r
<p>\r
-content suboptions http_* are now full options and should be place before content\r
+POLICY_BY_ID_ONLY code was deleted\r
</p>\r
</li>\r
<li>\r
<p>\r
-the following pcre options have been deleted: use sticky buffers instead\r
- B, U, P, H, M, C, I, D, K, S, Y\r
+hardened --enable-inline-init-failopen / INLINE_FAILOPEN\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_command_line_2">Command Line</h3>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-deleted uricontent ips rule option.\r
- uricontent:"foo" -→ http_uri; content:"foo"\r
+--pause loads config and waits for resume before processing packets\r
</p>\r
</li>\r
<li>\r
<p>\r
-deleted urilen raw and norm; must use http_raw_uri and http_uri instead\r
+--require-rule-sid is hardened\r
</p>\r
</li>\r
<li>\r
<p>\r
-deleted unused http_encode option\r
+--shell enables interactive Lua shell\r
</p>\r
</li>\r
<li>\r
<p>\r
-urilen replaced with generic bufferlen which applies to current sticky\r
- buffer\r
+-T is assumed if no input given\r
</p>\r
</li>\r
<li>\r
<p>\r
-added optional selector to http_header, e.g. http_header:User-Agent;\r
+added --help-config prefix to dump all matching settings\r
</p>\r
</li>\r
<li>\r
<p>\r
-multiline rules w/o \n\r
+added --script-path\r
</p>\r
</li>\r
<li>\r
<p>\r
-#begin … #end comments\r
+added -L none|dump|pcap\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_output_2">Output</h3>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-alert_fast includes packet data by default\r
+added -z <#> and --max-packet-threads <#>\r
</p>\r
</li>\r
<li>\r
<p>\r
-all text mode outputs default to stdout\r
+delete --enable-mpls-multicast, --enable-mpls-overlapping-ip,\r
+ --max-mpls-labelchain-len, --mpls-payload-type\r
</p>\r
</li>\r
<li>\r
<p>\r
-changed default logging mode to -L none\r
+deleted --pid-path and --no-interface-pidfile\r
</p>\r
</li>\r
<li>\r
<p>\r
-deleted layer2resets and flexresp2_*\r
+deleting command line options which will be available with --lua or some such including:\r
+ -I, -h, -F, -p, --disable-inline-init-failopen\r
</p>\r
</li>\r
<li>\r
<p>\r
-deleted log_ascii\r
+hardened -n < 0\r
</p>\r
</li>\r
<li>\r
<p>\r
-general output guideline: don’t print zero counts\r
+removed --search-method\r
</p>\r
</li>\r
<li>\r
<p>\r
-Snort++ queues decoder and inspector events to the main event queue before ips policy\r
- is selected; since some events may not be enabled, the queue needs to be sized larger\r
- than with Snort which used an intermediate queue for decoder events.\r
+replaced "unknown args are bpf" with --bpf\r
</p>\r
</li>\r
<li>\r
<p>\r
-deleted the intermediate http and ftp_telnet event queues\r
+replaced --dynamic-*-lib[-dir] with --plugin-path (with : separators)\r
</p>\r
</li>\r
<li>\r
<p>\r
-alert_unified2 and log_unified2 have been deleted\r
+removed -b, -N, -Z and, --perfmon-file options\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_http_profiles">HTTP Profiles</h3>\r
-<div class="paragraph"><p>This section describes the changes to the Http Inspect config option "profile".</p></div>\r
-<div class="paragraph"><p>Snort 2.X allows users to select pre-defined HTTP server profiles using the\r
-config option "profile". The user can choose one of five predefined profiles.\r
-When defined, this option will set defaults for other config options within\r
-Http Inspect.</p></div>\r
-<div class="paragraph"><p>With Snort++, the user has the flexibility of defining and fine tuning custom\r
-profiles along with the five predefined profiles.</p></div>\r
-<div class="paragraph"><p>Snort 2.X conf</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>preprocessor http_inspect_server: server default \\r
- profile apache ports { 80 3128 } max_headers 200</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Snort 3.0 conf</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>http_inspect = { profile = http_profile_apache }\r
-http_inspect.profile.max_headers = 200</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>binder =\r
-{\r
- {\r
- when = { proto = 'tcp', ports = '80 3128', },\r
- use = { type = 'http_inspect' },\r
- },\r
-}</code></pre>\r
-</div></div>\r
-<div class="admonitionblock">\r
-<table><tr>\r
-<td class="icon">\r
-<img src="./images/icons/note.png" alt="Note" />\r
-</td>\r
-<td class="content">The "profile" option now that points to a table "http_profile_apache"\r
-which is defined in "snort_defaults.lua" (as follows).</td>\r
-</tr></table>\r
-</div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>http_profile_apache =\r
-{\r
- profile_type = 'apache',\r
- server_flow_depth = 300,\r
- client_flow_depth = 300,\r
- post_depth = -1,\r
- chunk_length = 500000,\r
- ascii = true,\r
- multi_slash = true,\r
- directory = true,\r
- webroot = true,\r
- utf_8 = true,\r
- apache_whitespace = true,\r
- non_strict = true,\r
- normalize_utf = true,\r
- normalize_javascript = false,\r
- max_header_length = 0,\r
- max_headers = 0,\r
- max_spaces = 200,\r
- max_javascript_whitespaces = 200,\r
- whitespace_chars ='0x9 0xb 0xc 0xd'\r
-}</code></pre>\r
-</div></div>\r
-<div class="admonitionblock">\r
-<table><tr>\r
-<td class="icon">\r
-<img src="./images/icons/note.png" alt="Note" />\r
-</td>\r
-<td class="content">The config option "max_headers" is set to 0 in the profile, but\r
-overwritten by "http_inspect.profile.max_headers = 200".</td>\r
-</tr></table>\r
-</div>\r
-<div class="paragraph"><p>Conversion</p></div>\r
-<div class="paragraph"><p>Snort2lua can convert the existing snort.conf with the "profile" option to\r
-Snort3.0 compatible "profile". Please refer to the Snort2Lua post for more\r
-details.</p></div>\r
-<div class="paragraph"><p>Examples</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>"profile all" ==> "profile = http_profile_default"\r
-"profile apache" ==> "profile = http_profile_apache"\r
-"profile iis" ==> "profile = http_profile_iis"\r
-"profile iis_40" ==> "profile = http_profile_iis_40"\r
-"profile iis_50" ==> "profile = http_profile_iis_50"</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Defining custom profiles</p></div>\r
-<div class="paragraph"><p>The complete set of Http Inspect config options that a custom profile can\r
-configure can be found by running the following command:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort --help-config http_inspect | grep http_inspect.profile</code></pre>\r
-</div></div>\r
-</div>\r
-</div>\r
-</div>\r
-<div class="sect1">\r
-<h2 id="_snort2lua_2">Snort2Lua</h2>\r
-<div class="sectionbody">\r
-<div class="paragraph"><p>One of the major differences between Snort 2.9.X and Snort 3.0 is the\r
-configuration. Snort 2.9.X configuration files are written in Snort-specific\r
-syntax while Snort 3.0 configuration files are written in Lua. Snort2Lua is a\r
-program specifically designed to convert Snort 2.9.X configuration files into\r
-Lua files that Snort 3.0 can understand.</p></div>\r
-<div class="paragraph"><p>Snort2Lua reads your legacy Snort conf file(s) and generates Snort++ Lua\r
-and rules files. When running this program, the only mandatory option is\r
-to provide Snort2Lua with a Snort configuration file. The default output\r
-file file is snort.lua, the default error file will be snort.rej, and the\r
-default rule file is the output file (default is snort.lua). When\r
-Snort2Lua finishes running, the resulting configuration file can be\r
-successfully run as the Snort3.0 configuration file. The sole exception to\r
-this rule is when Snort2Lua cannot find an included file. If that occurs,\r
-the file will still be included in the output file and you will need to\r
-manually adjust or comment the file name. Additionally, if the exit code is\r
-not zero, some of the information may not be successfully converted. Check\r
-the error file for all of the conversion problems.</p></div>\r
-<div class="paragraph"><p>Those errors can occur for a multitude of reasons and are not necessarily\r
-bad. For instance, Snort2Lua will only convert preprocessors that are\r
-currently supported. Therefore, any unsupported preprocessors or\r
-configuration options including DCERP, SIP, and SMTP, will cause an error\r
-in Snort2Lua since Snort3.0 does not support those preprocessors.\r
-Additionally, any rule options associated with those preprocessors are also\r
-not supported. Finally, Snort2Lua expects a valid Snort configuration.\r
-Therefore, if the configuration is invalid or has questionable syntax,\r
-Snort2Lua may fail to parse the configuration file or create an invalid\r
-Snort3.0 configuration file.</p></div>\r
-<div class="paragraph"><p>There are a also few peculiarities of Snort2Lua that may be confusing to a\r
-first time user. Specifically, aside from an initial configuration file\r
-(which is specified from the command line or as the file in ‘config\r
-binding’), every file that is included into Snort3.0 must be either a Lua\r
-file or a rule file; the file cannot contain both rules and Lua syntax.\r
-Therefore, when parsing a file specified with the ‘include’ command,\r
-Snort2Lua will output both a Lua file and a rule file. Additionally, any\r
-line that is a comment in a configuration file will be added in to a\r
-comments section at the bottom of the main configuration file. Finally,\r
-rules that contain unsupported options will be converted to the best of\r
-Snort2Lua’s capability and then printed as a comment in the rule file.</p></div>\r
-<div class="sect2">\r
-<h3 id="_snort2lua_command_line">Snort2Lua Command Line</h3>\r
-<div class="paragraph"><p>By default, Snort2Lua will attempt to parse every ‘include’ file and every\r
-‘binding’ file. There is an option to change this functionality.</p></div>\r
-<div class="paragraph"><p>When specifying a rule file with one of the command line options, Snort2Lua\r
-will output all of the converted rules to that specified rule file.\r
-This is especially useful when you are only interesting in\r
-converting rules since there is no Lua syntax in rule files. There is also\r
-an option that tells Snort2Lua to output every rule for a given\r
-configuration into a single rule file. Similarly, there is an option\r
-pull all of the Lua syntax from every ‘include’ file into the output file.</p></div>\r
-<div class="paragraph"><p>There are currently three output modes: default, quiet, and differences.\r
-As expected, quiet mode produces a Snort++ configuration. All errors\r
-(aside from Fatal Snort2Lua errors), differences, and comments will omitted\r
-from the final output file. Default mode will print everything. That mean\r
-you will be able to see exactly what changes have occurred between Snort and\r
-Snort++ in addition to the new syntax, the original file’s comments, and\r
-all errors that have occurred. Finally, differences mode will not actually\r
-output a valid Snort3.0 configuration. Instead, you can see the exact\r
-options from the input configuration that have changed.</p></div>\r
-<div class="sect3">\r
-<h4 id="_usage_snort2lua_options_8230_c_lt_snort_conf_gt_8230">Usage: snort2lua [OPTIONS]… -c <snort_conf> …</h4>\r
-<div class="paragraph"><p>Converts the Snort configuration file specified by the -c or --conf-file\r
-options into a Snort++ configuration file</p></div>\r
-<div class="sect4">\r
-<h5 id="_options">Options:</h5>\r
+<h3 id="_conf_file">Conf File</h3>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>-?</strong> show usage\r
+Snort 3 has a default unicode.map\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-h</strong> this overview of snort2lua\r
+Snort 3 will not enforce an upper bound on memcaps and the like within 64 bits\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-a</strong> default option. print all data\r
+Snort 3 will supply a default *_global config if not specified\r
+ (Snort 2 would fatal; e.g. http_inspect_server w/o http_inspect_global)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-c <snort_conf></strong> The Snort <snort_conf> file to convert\r
+address list syntax changes: [[ and ]] must be [ [ and ] ] to avoid Lua string\r
+ parsing errors (unless in quoted string)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-d</strong> print the differences, and only the differences, between the\r
- Snort and Snort++ configurations to the <out_file>\r
+because the Lua conf is live code, we lose file:line locations in app error messages\r
+ (syntax errors from Lua have file:line)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-e <error_file></strong> output all errors to <error_file>\r
+changed search-method names for consistency\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-i</strong> if <snort_conf> file contains any <include_file> or\r
- <policy_file> (i.e. <em>include path/to/conf/other_conf</em>), do\r
- NOT parse those files\r
+delete config include_vlan_in_alerts (not used in code)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-m</strong> add a remark to the end of every converted rule\r
+delete config so_rule_memcap (not used in code)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-o <out_file></strong> output the new Snort++ lua configuration to <out_file>\r
+deleted --disable-attribute-table-reload-thread\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-q</strong> quiet mode. Only output valid confiration information to the\r
- <out_file>\r
+deleted config decode_*_{alerts,drops} (use rules only)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-r <rule_file></strong> output any converted rule to <rule_file>\r
+deleted config dump-dynamic-rules-path\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-s</strong> when parsing <include_file>, write <include_file>'s rules to\r
- <rule_file>. Meaningles if <em>-i</em> provided\r
+deleted config ipv6_frag (not actually used)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-t</strong> when parsing <include_file>, write <include_file>'s\r
- information, excluding rules, to <out_file>. Meaningles if\r
- <em>-i</em> provided\r
+deleted config threshold and ips rule threshold (→ event_filter)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-V</strong> Print the current Snort2Lua version\r
+eliminated ac-split; must use ac-full-q split-any-any\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--conf-file</strong> Same as <em>-c</em>. A Snort <snort_conf> file which will be\r
- converted\r
+frag3 → defrag, arpspoof → arp_spoof, sfportscan → port_scan,\r
+ perfmonitor → perf_monitor, bo → back_orifice\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--dont-parse-includes</strong>\r
- Same as <em>-p</em>. if <snort_conf> file contains any\r
- <include_file> or <policy_file> (i.e. <em>include\r
- path/to/conf/other_conf</em>), do NOT parse those files\r
+limits like "1234K" are now "limit = 1234, units = <em>K</em>"\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--error-file=<error_file></strong>\r
- Same as <em>-e</em>. output all errors to <error_file>\r
+lua field names are (lower) case sensitive; snort.conf largely wasn’t\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+module filenames are not configurable: always <log-dir>/<module-name><suffix>\r
+ (suffix is determined by module)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--help</strong> Same as <em>-h</em>. this overview of snort2lua\r
+no positional parameters; all name = value\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--markup</strong> print help in asciidoc compatible format\r
+perf_monitor configuration was simplified\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--ohi</strong> Use Old Http Inspect format\r
+portscan.detect_ack_scans deleted (exact same as include_midstream)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--output-file=<out_file></strong>\r
- Same as <em>-o</em>. output the new Snort++ lua configuration to\r
- <out_file>\r
+removed various run modes - now just one\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--print-all</strong> Same as <em>-a</em>. default option. print all data\r
+frag3 default policy is Linux not bsd\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--print-differences</strong> Same as <em>-d</em>. output the differences, and only the\r
- differences, between the Snort and Snort++ configurations to\r
- the <out_file>\r
+lowmem* search methods are now in snort_examples\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--quiet</strong> Same as <em>-q</em>. quiet mode. Only output valid confiration\r
- information to the <out_file>\r
+deleted unused http_inspect stateful mode\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--remark</strong> same as <em>-m</em>. add a remark to the end of every converted\r
- rule\r
+deleted stateless inspection from ftp and telnet\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--rule-file=<rule_file></strong>\r
- Same as <em>-r</em>. output any converted rule to <rule_file>\r
+deleted http and ftp alert options (now strictly rule based)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--single-conf-file</strong> Same as <em>-t</em>. when parsing <include_file>, write\r
- <include_file>'s information, excluding rules, to\r
- <out_file>\r
+preprocessor disabled settings deleted since no longer relevant\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--single-rule-file</strong> Same as <em>-s</em>. when parsing <include_file>, write\r
- <include_file>'s rules to <rule_file>.\r
+sessions are always created; snort config stateful checks eliminated\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--version</strong> Same as <em>-V</em>. Print the current Snort2Lua version\r
+stream5_tcp: prune_log_max deleted; to be replaced with histogram\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_required_option">Required option:</h5>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-A Snort configuration file to convert. Set with either <em>-c</em> or <em>--conf-file</em>\r
+stream5_tcp: max_active_responses, min_response_seconds moved to\r
+ active.max_responses, min_interval\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
-<div class="sect4">\r
-<h5 id="_default_values">Default values:</h5>\r
+<div class="sect2">\r
+<h3 id="_rules_3">Rules</h3>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<out_file> = snort.lua\r
+all rules must have a sid\r
</p>\r
</li>\r
<li>\r
<p>\r
-<rule_file> = <out_file> = snort.lua. Rules are written to the <em>local_rules</em> variable in the <out_file>\r
+deleted activate / dynamic rules\r
</p>\r
</li>\r
<li>\r
<p>\r
-<error_file> = snort.rej. This file will not be created in quiet mode.\r
+deleted metadata engine shared\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-</div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_known_problems">Known Problems</h3>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-Any Snort ‘string’ which is dependent on a variable will no longer have\r
-that variable in the Lua string.\r
+deleted metadata: rule-flushing (with PDU flushing rule flushing can cause\r
+ missed attacks, the opposite of its intent)\r
</p>\r
</li>\r
<li>\r
<p>\r
-Snort2Lua currently does not handle variables well. First, that means\r
-variables will not always be parsed correctly. Second, sometimes a\r
-variables value will be outoput in the lua file rather than a variable\r
-For instance, if Snort2Lua attempted to convert the line\r
-<em>include $RULE_PATH/example.rule</em>, the output may ouput\r
-<em>include /etc/rules/example.rule</em> instead.\r
+deleted unused rule_state.action\r
</p>\r
</li>\r
<li>\r
<p>\r
-When Snort2Lua parses a ‘binding’ configuration file, the rules and\r
-configuration will automatically be combined into the same file. Also, the\r
-new files name will automatically become the old file’s name with a .lua\r
-extension. There is currently no way to specify or change that files name.\r
+fastpattern_offset, fast_pattern_length\r
</p>\r
</li>\r
<li>\r
<p>\r
-If a rule’s action is a custom ruletype, that rule action will be silently\r
-converted to the rultype’s <em>type</em>. No warnings or errors are currently\r
-emmitted. Additionally, the custom ruletypes outputs will be silently\r
-discarded.\r
+no ; separated content suboptions\r
</p>\r
</li>\r
<li>\r
<p>\r
-If the original configuration contains a binding that points to another\r
-file and the binding file contains an error, Snort2Lua will output the\r
-number of rejects for the binding file in addition to the number of\r
-rejects in the main file. The two numbers will eventually be combined into\r
-one output.\r
+offset, depth, distance, and within must use a space separator not colon\r
+ (e.g. offset:5; becomes offset 5;)\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_usage">Usage</h3>\r
-<div class="paragraph"><p>Snort2Lua is included in the Snort 3.0 distribution. The Snort2Lua source code\r
-is located in the tools/snort2lua directory. The program is automatically built\r
-and installed.</p></div>\r
-<div class="paragraph"><p>Translating your configuration</p></div>\r
-<div class="paragraph"><p>To run Snort2Lua, the only requirement is a file containing Snort 2.9.X syntax.\r
-Assuming your configuration file is named snort.conf, run the command</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort2lua –c snort.conf</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Snort2Lua will output a file named snort.lua. Assuming your snort.conf file is\r
-a valid Snort 2.9.X configuration file, than the resulting snort.lua file will\r
-always be a valid Snort 3.0 configuration file; any errors that occur are\r
-because Snort 3.0 currently does not support all of the Snort 2.9.X options.</p></div>\r
-<div class="paragraph"><p>Every keyword from the Snort configuration can be found in the output file. If\r
-the option or keyword has changed, then a comment containing both the option or\r
-keyword’s old name and new name will be present in the output file.</p></div>\r
-<div class="paragraph"><p>Translating a rule file</p></div>\r
-<div class="paragraph"><p>Snort2Lua can also accommodate translating individual rule files. Assuming the\r
-Snort 2.9.X rule file is named snort.rules and you want the new rule file to be\r
-name updated.rules, run the command</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort2lua –c snort.rules -r updated.rules</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Snort2Lua will output a file named updated.rules. That file, updated.rules,\r
-will always be a valid Snort 3.0 rule file. Any rule that contains unsupported\r
-options will be a comment in the output file.</p></div>\r
-<div class="paragraph"><p>Understanding the Output</p></div>\r
-<div class="paragraph"><p>Although Snort2Lua outputs very little to the console, there are several things\r
-that occur when Snort2Lua runs. This is a list of Snort2Lua outputs.</p></div>\r
-<div class="paragraph"><p><em>The console</em>. Every line that Snort2Lua is unable to translate from the Snort\r
-2.9.X format to the Snort 3.0 format is considered an error. Upon exiting,\r
-Snort2Lua will print the number of errors that occurred. Snort2Lua will also\r
-print the name of the error file.</p></div>\r
-<div class="paragraph"><p><em>The output file</em>. As previously mentioned, Snort2Lua will create a Lua file\r
-with valid Snort 3.0 syntax. The default Lua file is named snort.lua. This\r
-file is the equivalent of your main Snort 2.9.X configuration file.</p></div>\r
-<div class="paragraph"><p><em>The rule file</em>. By default, all rules will be printed to the Lua file.\r
-However, if a rule file is specified on the command line, any rules found in\r
-the Snort 2.9.X configuration will be written to the rule file instead</p></div>\r
-<div class="paragraph"><p><em>The error file</em>. By default, the error file is snort.rej. It will only be\r
-created if errors exist. Every error referenced on the command line can be\r
-found in this file. There are two reasons an error can occur.</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-The Snort 2.9.X configuration file has invalid syntax. If Snort 2.9.X cannot\r
- parse the configuration file, neither can Snort2Lua. In the example below,\r
- Snort2Lua could not convert the line <em>config bad_option</em>. Since that is not\r
- valid Snort 2.9.X syntax, this is a syntax error.\r
+rule option sequence: <stub> soid <hidden>\r
</p>\r
</li>\r
<li>\r
<p>\r
-The Snort 2.9.X configuration file contains preprocessors and rule options\r
- that are not supported in Snort 3.0. If Snort 2.9.X can parse a line that\r
- Snort2Lua cannot parse, than Snort 3.0 does not support something in the line.\r
- As Snort 3.0 begins supporting these preprocessors and rule options, Snort2Lua\r
- will also begin translating these lines. One example of such an error is\r
- dcerpc2.\r
+sid == 0 not allowed\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Additional .lua and .rules files. Every time Snort2Lua parses the include or\r
-binding keyword, the program will attempt to parse the file referenced by the\r
-keyword. Snort2Lua will then create one or two new files. The new files will\r
-have a .lua or .rules extension appended to the original filename.</p></div>\r
-</div>\r
-</div>\r
-</div>\r
-<div class="sect1">\r
-<h2 id="_extending_snort">Extending Snort++</h2>\r
-<div class="sectionbody">\r
-<div class="sect2">\r
-<h3 id="_plugins">Plugins</h3>\r
-<div class="paragraph"><p>Snort++ uses a variety of plugins to accomplish much of its processing\r
-objectives, including:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-Codec - to decode and encode packets\r
+soid is now a non-metadata option\r
</p>\r
</li>\r
<li>\r
<p>\r
-Inspector - like the prior preprocessors, for normalization, etc.\r
+content suboptions http_* are now full options and should be place before content\r
</p>\r
</li>\r
<li>\r
<p>\r
-IpsOption - for detection in Snort++ rules\r
+the following pcre options have been deleted: use sticky buffers instead\r
+ B, U, P, H, M, C, I, D, K, S, Y\r
</p>\r
</li>\r
<li>\r
<p>\r
-IpsAction - for custom actions\r
+deleted uricontent ips rule option.\r
+ uricontent:"foo" -→ http_uri; content:"foo"\r
</p>\r
</li>\r
<li>\r
<p>\r
-Logger - for handling events\r
+deleted urilen raw and norm; must use http_raw_uri and http_uri instead\r
</p>\r
</li>\r
<li>\r
<p>\r
-Mpse - for fast pattern matching\r
+deleted unused http_encode option\r
</p>\r
</li>\r
<li>\r
<p>\r
-So - for dynamic rules\r
+urilen replaced with generic bufferlen which applies to current sticky\r
+ buffer\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Plugins have an associated API defined for each type, all of which share a\r
-common <em>header</em>, called the BaseApi. A dynamic library makes its plugins\r
-available by exporting the snort_plugins symbol, which is a null terminated\r
-array of BaseApi pointers.</p></div>\r
-<div class="paragraph"><p>The BaseApi includes type, name, API version, plugin version, and function\r
-pointers for constructing and destructing a Module. The specific API add\r
-various other data and functions for their given roles.</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_modules_2">Modules</h3>\r
-<div class="paragraph"><p>The Module is pervasive in Snort+<code>. It is how everything, including\r
-plugins, are configured. It also provides access to builtin rules. And as\r
-the glue that binds functionality to Snort</code>+, the capabilities of a Module\r
-are expected to grow to include statistics support, etc.</p></div>\r
-<div class="paragraph"><p>Module configuration is handled by a list of Parameters. Most parameters\r
-can be validated by the framework, which means for example that conversion\r
-from string to number is done in exactly one place. Providing the builtin\r
-rules allows the documentation to include them automatically and also allows\r
-for autogenerating the rules at startup.</p></div>\r
-<div class="paragraph"><p>If we are defining a new Inspector called, say, gadget, it might be\r
-configured in snort.lua like this:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>gadget =\r
-{\r
- brain = true,\r
- claw = 3\r
-}</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>When the gadget table is processed, Snort++ will look for a module called\r
-gadget. If that Module has an associated API, it will be used to configure\r
-a new instance of the plugin. In this case, a GadgetModule would be\r
-instantiated, brain and claw would be set, and the Module instance would be\r
-passed to the GadgetInspector constructor.</p></div>\r
-<div class="paragraph"><p>Module has three key virtual methods:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>begin()</strong> - called when Snort++ starts processing the associated Lua\r
- table. This is a good place to allocate any required data and set\r
- defaults.\r
+added optional selector to http_header, e.g. http_header:User-Agent;\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>set()</strong> - called to set each parameter after validation.\r
+multiline rules w/o \n\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>end()</strong> - called when Snort++ finishes processing the associated Lua\r
- table. This is where additional integrity checks of related parameters\r
- should be done.\r
+#begin … #end comments\r
</p>\r
</li>\r
</ul></div>\r
-<div class="paragraph"><p>The configured Module is passed to the plugin constructor which pulls the\r
-configuration data from the Module. For non-trivial configurations, the\r
-working paradigm is that Module hands a pointer to the configured data to\r
-the plugin instance which takes ownership.</p></div>\r
-<div class="paragraph"><p>Note that there is at most one instance of a given Module, even if multiple\r
-plugin instances are created which use that Module. (Multiple instances\r
-require Snort++ binding configuration.)</p></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_inspectors">Inspectors</h3>\r
-<div class="paragraph"><p>There are several types of inspector, which determines which inspectors are\r
-executed when:</p></div>\r
+<h3 id="_output_3">Output</h3>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-IT_BINDER - determines which inspectors apply to given flows\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-IT_WIZARD - determines which service inspector to use if none explicitly\r
- bound\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-IT_PACKET - used to process all packets before session and service processing\r
- (e.g. normalize)\r
+alert_fast includes packet data by default\r
</p>\r
</li>\r
<li>\r
<p>\r
-IT_NETWORK - processes packets w/o service (e.g. arp_spoof, back_orifice)\r
+all text mode outputs default to stdout\r
</p>\r
</li>\r
<li>\r
<p>\r
-IT_STREAM - for flow tracking, ip defrag, and tcp reassembly\r
+changed default logging mode to -L none\r
</p>\r
</li>\r
<li>\r
<p>\r
-IT_SERVICE - for http, ftp, telnet, etc.\r
+deleted layer2resets and flexresp2_*\r
</p>\r
</li>\r
<li>\r
<p>\r
-IT_PROBE - process all packets after all the above (e.g. perf_monitor,\r
- port_scan)\r
+deleted log_ascii\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_codecs">Codecs</h3>\r
-<div class="paragraph"><p>The Snort3.0 Codecs decipher raw packets. These Codecs are now completely\r
-pluggable; almost every Snort3.0 Codec can be built dynamically and replaced\r
-with an alternative, customized Codec. The pluggable nature has also made it\r
-easier to build new Codecs for protocols without having to touch the Snort3.0\r
-code base.</p></div>\r
-<div class="paragraph"><p>The first step in creating a Codec is defining its class and protocol. Every\r
-Codec must inherit from the Snort3.0 Codec class defined in\r
-"framework/codec.h". The following is an example Codec named "example" and has\r
-an associated struct that is 14 bytes long.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>#include <cstdint>\r
-#include <arpa/inet.h>\r
-#include “framework/codec.h”\r
-#include "main/snort_types.h"</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>#define EX_NAME “example”\r
-#define EX_HELP “example codec help string”</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>struct Example\r
-{\r
- uint8_t dst[6];\r
- uint8_t src[6];\r
- uint16_t ethertype;</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code> static inline uint8_t size()\r
- { return 14; }\r
-}</code></pre>\r
-</div></div>\r
+<li>\r
+<p>\r
+general output guideline: don’t print zero counts\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Snort 3 queues decoder and inspector events to the main event queue before ips policy\r
+ is selected; since some events may not be enabled, the queue needs to be sized larger\r
+ than with Snort 2 which used an intermediate queue for decoder events.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+deleted the intermediate http and ftp_telnet event queues\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+alert_unified2 and log_unified2 have been deleted\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_http_profiles">HTTP Profiles</h3>\r
+<div class="paragraph"><p>This section describes the changes to the Http Inspect config option "profile".</p></div>\r
+<div class="paragraph"><p>Snort 2 allows users to select pre-defined HTTP server profiles using the\r
+config option "profile". The user can choose one of five predefined profiles.\r
+When defined, this option will set defaults for other config options within\r
+Http Inspect.</p></div>\r
+<div class="paragraph"><p>With Snort 3, the user has the flexibility of defining and fine tuning custom\r
+profiles along with the five predefined profiles.</p></div>\r
+<div class="paragraph"><p>Snort 2 conf</p></div>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>class ExCodec : public Codec\r
-{\r
-public:\r
- ExCodec() : Codec(EX_NAME) { }\r
- ~ExCodec() { }</code></pre>\r
+<pre><code>preprocessor http_inspect_server: server default \\r
+ profile apache ports { 80 3128 } max_headers 200</code></pre>\r
</div></div>\r
+<div class="paragraph"><p>Snort 3 conf</p></div>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code> bool decode(const RawData&, CodecData&, DecodeData&) override;\r
- void get_protocol_ids(std::vector<uint16_t>&) override;\r
-};</code></pre>\r
+<pre><code>http_inspect = { profile = http_profile_apache }\r
+http_inspect.profile.max_headers = 200</code></pre>\r
</div></div>\r
-<div class="paragraph"><p>After defining ExCodec, the next step is adding the Codec’s decode\r
-functionality. The function below does this by implementing a valid decode\r
-function. The first parameter, which is the RawData struct, provides both a\r
-pointer to the raw data that has come from a wire and the length of that raw\r
-data. The function takes this information and validates that there are enough\r
-bytes for this protocol. If the raw data’s length is less than 14 bytes, the\r
-function returns false and Snort3.0 discards the packet; the packet is neither\r
-inspected nor processed. If the length is greater than 14 bytes, the function\r
-populates two fields in the CodecData struct, next_prot_id and lyr_len. The\r
-lyr_len field tells Snort3.0 the number of bytes that this layer contains. The\r
-next_prot_id field provides Snort3.0 the value of the next EtherType or IP\r
-protocol number.</p></div>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>bool ExCodec::decode(const RawData& raw, CodecData& codec, DecodeData&)\r
+<pre><code>binder =\r
{\r
- if ( raw.len < Example::size() )\r
- return false;</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code> const Example* const ex = reinterpret_cast<const Example*>(raw.data);\r
- codec.next_prot_id = ntohs(ex->ethertype);\r
- codec.lyr_len = ex->size();\r
- return true;\r
+ {\r
+ when = { proto = 'tcp', ports = '80 3128', },\r
+ use = { type = 'http_inspect' },\r
+ },\r
}</code></pre>\r
</div></div>\r
-<div class="paragraph"><p>For instance, assume this decode function receives the following raw data with\r
-a validated length of 32 bytes:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>00 11 22 33 44 55 66 77 88 99 aa bb 08 00 45 00\r
-00 38 00 01 00 00 40 06 5c ac 0a 01 02 03 0a 09</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The Example struct’s EtherType field is the 13 and 14 bytes. Therefore, this\r
-function tells Snort that the next protocol has an EtherType of 0x0800.\r
-Additionally, since the lyr_len is set to 14, Snort knows that the next\r
-protocol begins 14 bytes after the beginning of this protocol. The Codec with\r
-EtherType 0x0800, which happens to be the IPv4 Codec, will receive the\r
-following data with a validated length of 18 ( == 32 – 14):</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>45 00 00 38 00 01 00 00 40 06 5c ac 0a 01 02 03\r
-0a 09</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>How does Snort3.0 know that the IPv4 Codec has an EtherType of 0x0800? The\r
-Codec class has a second virtual function named get_protocol_ids(). When\r
-implementing the function, a Codec can register for any number of values\r
-between 0x0000 - 0xFFFF. Then, if the next_proto_id is set to a value for which\r
-this Codec has registered, this Codec’s decode function will be called. As a\r
-general note, the protocol ids between [0, 0x00FF] are IP protocol numbers,\r
-[0x0100, 0x05FF] are custom types, and [0x0600, 0xFFFF] are EtherTypes.</p></div>\r
-<div class="paragraph"><p>For example, in the get_protocol_ids function below, the ExCodec registers for\r
-the protocols numbers 17, 787, and 2054. 17 happens to be the protocol number\r
-for UDP while 2054 is ARP’s EtherType. Therefore, this Codec will now attempt\r
-to decode UDP and ARP data. Additionally, if any Codec sets the\r
-next_protocol_id to 787, ExCodec’s decode function will be called. Some custom\r
-protocols are already defined in the file "protocols/protocol_ids.h"</p></div>\r
+<div class="admonitionblock">\r
+<table><tr>\r
+<td class="icon">\r
+<img src="./images/icons/note.png" alt="Note" />\r
+</td>\r
+<td class="content">The "profile" option now that points to a table "http_profile_apache"\r
+which is defined in "snort_defaults.lua" (as follows).</td>\r
+</tr></table>\r
+</div>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>void ExCodec::get_protocol_ids(std::vector<uint16_t>&v)\r
+<pre><code>http_profile_apache =\r
{\r
- v.push_back(0x0011); // == 17 == UDP\r
- v.push_back(0x1313); // == 787 == custom\r
- v.push_back(0x0806); // == 2054 == ARP\r
+ profile_type = 'apache',\r
+ server_flow_depth = 300,\r
+ client_flow_depth = 300,\r
+ post_depth = -1,\r
+ chunk_length = 500000,\r
+ ascii = true,\r
+ multi_slash = true,\r
+ directory = true,\r
+ webroot = true,\r
+ utf_8 = true,\r
+ apache_whitespace = true,\r
+ non_strict = true,\r
+ normalize_utf = true,\r
+ normalize_javascript = false,\r
+ max_header_length = 0,\r
+ max_headers = 0,\r
+ max_spaces = 200,\r
+ max_javascript_whitespaces = 200,\r
+ whitespace_chars ='0x9 0xb 0xc 0xd'\r
}</code></pre>\r
</div></div>\r
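Review bot: the admonition under the binder example has a stray word: "The "profile" option now that points to a table "http_profile_apache"" should read "The "profile" option now points to a table "http_profile_apache" which is defined in "snort_defaults.lua"". While touching that note, add one caveat the example needs: `profile = http_profile_apache` stores a reference to the Lua table, not a copy, so `http_inspect.profile.max_headers = 200` mutates `http_profile_apache` itself, and any other inspector configured from that profile in the same snort.lua inherits the override. Either say so, or show the override applied to a copy of the profile. Also, the Snort 3 conf is split into two unlabelled literal blocks (`http_inspect = { ... }` and `binder = { ... }`); mark the binder block as the replacement for `ports { 80 3128 }` from the Snort 2 line so the reader sees that both pieces are required.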
-<div class="paragraph"><p>To register a Codec for Data Link Type’s rather than protocols, the function\r
-get_data_link_type() can be similarly implemented.</p></div>\r
-<div class="paragraph"><p>The final step to creating a pluggable Codec is the snort_plugins array. This\r
-array is important because when Snort3.0 loads a dynamic library, the program\r
-only find plugins that are inside the snort_plugins array. In other words, if a\r
-plugin has not been added to the snort_plugins array, that plugin will not be\r
-loaded into Snort3.0.</p></div>\r
-<div class="paragraph"><p>Although the details will not be covered in this post, the following code\r
-snippet is a basic CodecApi that Snort3.0 can load. This snippet can be copied\r
-and used with only three minor changes. First, in the function ctor, ExCodec\r
-should be replaced with the name of the Codec that is being built. Second,\r
-EX_NAME must match the Codec’s name or Snort will be unable to load this Codec.\r
-Third, EX_HELP should be replaced with the general description of this Codec.\r
-Once this code snippet has been added, ExCodec is ready to be compiled and\r
-plugged into Snort3.0.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>static Codec* ctor(Module*)\r
-{ return new ExCodec; }</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>static void dtor(Codec *cd)\r
-{ delete cd; }</code></pre>\r
-</div></div>\r
+<div class="admonitionblock">\r
+<table><tr>\r
+<td class="icon">\r
+<img src="./images/icons/note.png" alt="Note" />\r
+</td>\r
+<td class="content">The config option "max_headers" is set to 0 in the profile, but\r
+overwritten by "http_inspect.profile.max_headers = 200".</td>\r
+</tr></table>\r
+</div>\r
+<div class="paragraph"><p>Conversion</p></div>\r
+<div class="paragraph"><p>snort2lua can convert the existing snort.conf with the "profile" option to\r
+Snort 3 compatible "profile". Please refer to the snort2Lua post for more\r
+details.</p></div>\r
+<div class="paragraph"><p>Examples</p></div>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>static const CodecApi ex_api =\r
-{\r
- {\r
- PT_CODEC,\r
- EX_NAME,\r
- EX_HELP,\r
- CDAPI_PLUGIN_V0,\r
- 0,\r
- nullptr,\r
- nullptr,\r
- },\r
- nullptr, // pointer to a function called during Snort's startup.\r
- nullptr, // pointer to a function called during Snort's exit.\r
- nullptr, // pointer to a function called during thread's startup.\r
- nullptr, // pointer to a function called during thread's destruction.\r
- ctor, // pointer to the codec constructor.\r
- dtor, // pointer to the codec destructor.\r
-};</code></pre>\r
+<pre><code>"profile all" ==> "profile = http_profile_default"\r
+"profile apache" ==> "profile = http_profile_apache"\r
+"profile iis" ==> "profile = http_profile_iis"\r
+"profile iis_40" ==> "profile = http_profile_iis_40"\r
+"profile iis_50" ==> "profile = http_profile_iis_50"</code></pre>\r
</div></div>\r
+<div class="paragraph"><p>Defining custom profiles</p></div>\r
+<div class="paragraph"><p>The complete set of Http Inspect config options that a custom profile can\r
+configure can be found by running the following command:</p></div>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>SO_PUBLIC const BaseApi* snort_plugins[] =\r
-{\r
- &ex_api.base,\r
- nullptr\r
-};</code></pre>\r
+<pre><code>snort --help-config http_inspect | grep http_inspect.profile</code></pre>\r
</div></div>\r
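Review bot: the Conversion paragraph ends with "Please refer to the snort2Lua post for more details"; this is the user manual, not a blog post, and the Snort2Lua chapter is added by this same change, so reference that chapter and spell the tool name consistently as Snort2Lua. In the "Defining custom profiles" command, quote the grep pattern (`grep 'http_inspect.profile'`) or escape the dot; unquoted it only works because `.` happens to match the literal dot. Separately, this region deletes the only worked example of exporting a plugin (`static const CodecApi ex_api`, the `ctor`/`dtor` pair and `SO_PUBLIC const BaseApi* snort_plugins[]`) with no replacement visible in the diff; if the material is being relocated under the new Extending Snort chapter the commit message should say so, otherwise the Codec plugin documentation loses its end-to-end example.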
-<div class="paragraph"><p>Two example Codecs are available in the extra directory on git and the extra\r
-tarball on the Snort3.0 page. One of those examples is the Token Ring Codec\r
-while the other example is the PIM Codec.</p></div>\r
-<div class="paragraph"><p>As a final note, there are four more virtual functions that a Codec should\r
-implement: encode, format, update, and log. If the functions are not\r
-implemented Snort will not throw any errors. However, Snort may also be unable\r
-to accomplish some of its basic functionality.</p></div>\r
+</div>\r
+</div>\r
+</div>\r
+<div class="sect1">\r
+<h2 id="_snort2lua">Snort2Lua</h2>\r
+<div class="sectionbody">\r
+<div class="paragraph"><p>One of the major differences between Snort 2 and Snort 3 is the\r
+configuration. Snort 2 configuration files are written in Snort-specific\r
+syntax while Snort 3 configuration files are written in Lua. Snort2Lua is\r
+a program specifically designed to convert Snort 2 configuration files\r
+into Lua files that Snort 3 can understand.</p></div>\r
+<div class="paragraph"><p>Snort2Lua reads your legacy Snort conf file(s) and generates Snort 3 Lua\r
+and rules files. When running this program, the only mandatory option is\r
+to provide Snort2Lua with a Snort 2 configuration file. The default\r
+output file file is snort.lua, the default error file will be snort.rej,\r
+and the default rule file is the output file (default is snort.lua). When\r
+Snort2Lua finishes running, the resulting configuration file can be\r
+successfully run as the Snort3.0 configuration file. The sole exception to\r
+this rule is when Snort2Lua cannot find an included file. If that occurs,\r
+the file will still be included in the output file and you will need to\r
+manually adjust or comment the file name. Additionally, if the exit code is\r
+not zero, some of the information may not be successfully converted. Check\r
+the error file for all of the conversion problems.</p></div>\r
+<div class="paragraph"><p>Those errors can occur for a multitude of reasons and are not necessarily\r
+bad. For instance, Snort2Lua will only convert preprocessors that are\r
+currently supported. Therefore, any unsupported preprocessors or\r
+configuration options including DCERP, SIP, and SMTP, will cause an error\r
+in Snort2Lua since Snort 3 does not support those preprocessors.\r
+Additionally, any rule options associated with those preprocessors are also\r
+not supported. Finally, Snort2Lua expects a valid Snort 2 configuration.\r
+Therefore, if the configuration is invalid or has questionable syntax,\r
+Snort2Lua may fail to parse the configuration file or create an invalid\r
+Snort 3 configuration file.</p></div>\r
+<div class="paragraph"><p>There are a also few peculiarities of Snort2Lua that may be confusing to a\r
+first time user. Specifically, aside from an initial configuration file\r
+(which is specified from the command line or as the file in ‘config\r
+binding’), every file that is included into Snort 3 must be either a Lua\r
+file or a rule file; the file cannot contain both rules and Lua syntax.\r
+Therefore, when parsing a file specified with the ‘include’ command,\r
+Snort2Lua will output both a Lua file and a rule file. Additionally, any\r
+line that is a comment in a configuration file will be added in to a\r
+comments section at the bottom of the main configuration file. Finally,\r
+rules that contain unsupported options will be converted to the best of\r
+Snort2Lua’s capability and then printed as a comment in the rule file.</p></div>\r
+<div class="sect2">\r
+<h3 id="_snort2lua_command_line">Snort2Lua Command Line</h3>\r
+<div class="paragraph"><p>By default, Snort2Lua will attempt to parse every ‘include’ file and every\r
+‘binding’ file. There is an option to change this functionality.</p></div>\r
+<div class="paragraph"><p>When specifying a rule file with one of the command line options, Snort2Lua\r
+will output all of the converted rules to that specified rule file.\r
+This is especially useful when you are only interesting in\r
+converting rules since there is no Lua syntax in rule files. There is also\r
+an option that tells Snort2Lua to output every rule for a given\r
+configuration into a single rule file. Similarly, there is an option\r
+pull all of the Lua syntax from every ‘include’ file into the output file.</p></div>\r
+<div class="paragraph"><p>There are currently three output modes: default, quiet, and differences.\r
+As expected, quiet mode produces a Snort configuration. All errors (aside\r
+from Fatal Snort2Lua errors), differences, and comments will omitted from\r
+the final output file. Default mode will print everything. That mean you\r
+will be able to see exactly what changes have occurred between Snort 2\r
+and Snort 3 in addition to the new syntax, the original file’s comments,\r
+and all errors that have occurred. Finally, differences mode will not\r
+actually output a valid Snort 3 configuration. Instead, you can see the\r
+exact options from the input configuration that have changed.</p></div>\r
+<div class="sect3">\r
+<h4 id="_usage_snort2lua_options_8230_c_lt_snort_conf_gt_8230">Usage: snort2lua [OPTIONS]… -c <snort_conf> …</h4>\r
+<div class="paragraph"><p>Converts the Snort configuration file specified by the -c or --conf-file\r
+options into a Snort++ configuration file</p></div>\r
+<div class="sect4">\r
+<h5 id="_options">Options:</h5>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-encode is called whenever Snort actively responds and needs to builds a\r
- packet, i.e. whenever a rule using an IPS ACTION like react, reject, or rewrite\r
- is triggered. This function is used to build the response packet protocol by\r
- protocol.\r
+<strong>-?</strong> show usage\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>-h</strong> this overview of snort2lua\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>-a</strong> default option. print all data\r
</p>\r
</li>\r
<li>\r
<p>\r
-format is called when Snort is rebuilding a packet. For instance, every time\r
- Snort reassembles a TCP stream or IP fragment, format is called. Generally,\r
- this function either swaps any source and destination fields in the protocol or\r
- does nothing.\r
+<strong>-c <snort_conf></strong> The Snort <snort_conf> file to convert\r
</p>\r
</li>\r
<li>\r
<p>\r
-update is similar to format in that it is called when Snort is reassembling a\r
- packet. Unlike format, this function only sets length fields.\r
+<strong>-d</strong> print the differences, and only the differences, between the\r
+ Snort and Snort++ configurations to the <out_file>\r
</p>\r
</li>\r
<li>\r
<p>\r
-log is called when either the log_codecs logger or a custom logger that calls\r
- PacketManager::log_protocols is used when running Snort3.0.\r
+<strong>-e <error_file></strong> output all errors to <error_file>\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_ips_actions">IPS Actions</h3>\r
-<div class="paragraph"><p>Action plugins specify a builtin action in the API which is used to\r
-determine verdict. (Conversely, builtin actions don’t have an associated\r
-plugin function.)</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_developers_guide">Developers Guide</h3>\r
-<div class="paragraph"><p>Run doc/dev_guide.sh to generate /tmp/dev_guide.html, an annotated guide to\r
-the source tree.</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_piglet_test_harness">Piglet Test Harness</h3>\r
-<div class="paragraph"><p>In order to assist with plugin development, an experimental mode called "piglet" mode\r
-is provided. With piglet mode, you can call individual methods for a specific plugin.\r
-The piglet tests are specified as Lua scripts. Each piglet test script defines a test\r
-for a specific plugin.</p></div>\r
-<div class="paragraph"><p>Here is a minimal example of a piglet test script for the IPv4 Codec plugin:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>plugin =\r
-{\r
- type = "piglet",\r
- name = "codec::ipv4",\r
- use_defaults = true,\r
- test = function()\r
- local daq_header = DAQHeader.new()\r
- local raw_buffer = RawBuffer.new("some data")\r
- local codec_data = CodecData.new()\r
- local decode_data = DecodeData.new()</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code> return Codec.decode(\r
- daq_header,\r
- raw_buffer,\r
- codec_data,\r
- decode_data\r
- )\r
- end\r
-}</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>To run snort in piglet mode, first build snort with the ENABLE_PIGLET option turned on\r
-(pass the flag -DENABLE_PIGLET:BOOL=ON in cmake).</p></div>\r
-<div class="paragraph"><p>Then, run the following command:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort --script-path $test_scripts --piglet</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>(where $test_scripts is the directory containing your piglet tests).</p></div>\r
-<div class="paragraph"><p>The test runner will generate a check-like output, indicating the\r
-the results of each test script.</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_piglet_lua_api">Piglet Lua API</h3>\r
-<div class="paragraph"><p>This section documents the API that piglet exposes to Lua.\r
-Refer to the piglet directory in the source tree for examples of usage.</p></div>\r
-<div class="paragraph"><p>Note: Because of the differences between the Lua and C++ data model and type\r
-system, not all parameters map directly to the parameters of the underlying\r
-C\++ member functions. Every effort has been made to keep the mappings consist,\r
-but there are still some differences. They are documented below.</p></div>\r
-<div class="sect3">\r
-<h4 id="_plugin_instances">Plugin Instances</h4>\r
-<div class="paragraph"><p>For each test, piglet instantiates plugin specified in the <code>name</code> field of the\r
-<code>plugin</code> table. The virtual methods of the instance are exposed in a table\r
-unique to each plugin type. The name of the table is the CamelCase name of the\r
-plugin type.</p></div>\r
-<div class="paragraph"><p>For example, codec plugins have a virtual method called <code>decode</code>. This method\r
-is called like this:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>Codec.decode(...)</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p><strong>Codec</strong></p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<code>Codec.get_data_link_type() → { int, int, … }</code>\r
+<strong>-i</strong> if <snort_conf> file contains any <include_file> or\r
+ <policy_file> (i.e. <em>include path/to/conf/other_conf</em>), do\r
+ NOT parse those files\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>Codec.get_protocol_ids() → { int, int, … }</code>\r
+<strong>-m</strong> add a remark to the end of every converted rule\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>Codec.decode(DAQHeader, RawBuffer, CodecData, DecodeData) → bool</code>\r
+<strong>-o <out_file></strong> output the new Snort++ lua configuration to <out_file>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>Codec.log(RawBuffer, uint[lyr_len])</code>\r
+<strong>-q</strong> quiet mode. Only output valid confiration information to the\r
+ <out_file>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>Codec.encode(RawBuffer, EncState, Buffer) → bool</code>\r
+<strong>-r <rule_file></strong> output any converted rule to <rule_file>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>Codec.update(uint[flags_hi], uint[flags_lo], RawBuffer, uint[lyr_len] → int</code>\r
+<strong>-s</strong> when parsing <include_file>, write <include_file>'s rules to\r
+ <rule_file>. Meaningles if <em>-i</em> provided\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>Codec.format(bool[reverse], RawBuffer, DecodeData)</code>\r
+<strong>-t</strong> when parsing <include_file>, write <include_file>'s\r
+ information, excluding rules, to <out_file>. Meaningles if\r
+ <em>-i</em> provided\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Differences:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-In <code>Codec.update()</code>, the <code>(uint64_t) flags</code> parameter has been split into\r
-<code>flags_hi</code> and <code>flags_lo</code>\r
+<strong>-V</strong> Print the current Snort2Lua version\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p><strong>Inspector</strong></p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<code>Inspector.configure()</code>\r
+<strong>--conf-file</strong> Same as <em>-c</em>. A Snort <snort_conf> file which will be\r
+ converted\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>Inspector.tinit()</code>\r
+<strong>--dont-parse-includes</strong>\r
+ Same as <em>-p</em>. if <snort_conf> file contains any\r
+ <include_file> or <policy_file> (i.e. <em>include\r
+ path/to/conf/other_conf</em>), do NOT parse those files\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>Inspector.tterm()</code>\r
+<strong>--error-file=<error_file></strong>\r
+ Same as <em>-e</em>. output all errors to <error_file>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>Inspector.likes(Packet)</code>\r
+<strong>--help</strong> Same as <em>-h</em>. this overview of snort2lua\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>Inspector.eval(Packet)</code>\r
+<strong>--markup</strong> print help in asciidoc compatible format\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>Inspector.clear(Packet)</code>\r
+<strong>--ohi</strong> Use Old Http Inspect format\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>Inspector.get_buf_from_key(string[key], Packet, RawBuffer) → bool</code>\r
+<strong>--output-file=<out_file></strong>\r
+ Same as <em>-o</em>. output the new Snort++ lua configuration to\r
+ <out_file>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>Inspector.get_buf_from_id(uint[id], Packet, RawBuffer) → bool</code>\r
+<strong>--print-all</strong> Same as <em>-a</em>. default option. print all data\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>Inspector.get_buf_from_type(uint[type], Packet, RawBuffer) → bool</code>\r
+<strong>--print-differences</strong> Same as <em>-d</em>. output the differences, and only the\r
+ differences, between the Snort and Snort++ configurations to\r
+ the <out_file>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>Inspector.get_splitter(bool[to_server]) → StreamSplitter</code>\r
+<strong>--quiet</strong> Same as <em>-q</em>. quiet mode. Only output valid confiration\r
+ information to the <out_file>\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>--remark</strong> same as <em>-m</em>. add a remark to the end of every converted\r
+ rule\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>--rule-file=<rule_file></strong>\r
+ Same as <em>-r</em>. output any converted rule to <rule_file>\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>--single-conf-file</strong> Same as <em>-t</em>. when parsing <include_file>, write\r
+ <include_file>'s information, excluding rules, to\r
+ <out_file>\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>--single-rule-file</strong> Same as <em>-s</em>. when parsing <include_file>, write\r
+ <include_file>'s rules to <rule_file>.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>--version</strong> Same as <em>-V</em>. Print the current Snort2Lua version\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect4">\r
+<h5 id="_required_option">Required option:</h5>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+A Snort configuration file to convert. Set with either <em>-c</em> or <em>--conf-file</em>\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect4">\r
+<h5 id="_default_values">Default values:</h5>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+<out_file> = snort.lua\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<rule_file> = <out_file> = snort.lua. Rules are written to the <em>local_rules</em> variable in the <out_file>\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<error_file> = snort.rej. This file will not be created in quiet mode.\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+</div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_known_problems">Known Problems</h3>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+Any Snort 2 ‘string’ which is dependent on a variable will no longer have\r
+that variable in the Lua string.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Snort2Lua currently does not handle variables well. First, that means\r
+variables will not always be parsed correctly. Second, sometimes a\r
+variables value will be outoput in the lua file rather than a variable\r
+For instance, if Snort2Lua attempted to convert the line\r
+<em>include $RULE_PATH/example.rule</em>, the output may ouput\r
+<em>include /etc/rules/example.rule</em> instead.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+When Snort2Lua parses a ‘binding’ configuration file, the rules and\r
+configuration will automatically be combined into the same file. Also, the\r
+new files name will automatically become the old file’s name with a .lua\r
+extension. There is currently no way to specify or change that files name.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+If a rule’s action is a custom ruletype, that rule action will be silently\r
+converted to the rultype’s <em>type</em>. No warnings or errors are currently\r
+emmitted. Additionally, the custom ruletypes outputs will be silently\r
+discarded.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+If the original configuration contains a binding that points to another\r
+file and the binding file contains an error, Snort2Lua will output the\r
+number of rejects for the binding file in addition to the number of\r
+rejects in the main file. The two numbers will eventually be combined into\r
+one output.\r
</p>\r
</li>\r
</ul></div>\r
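Review bot: the long-option list contradicts the short-option list: `--dont-parse-includes` is documented as "Same as -p", but the short form given earlier for the same behaviour is `-i` ("if <snort_conf> file contains any <include_file> ... do NOT parse those files"). One of the two is wrong; pick whichever the binary actually accepts and align both entries. If this help text is generated from the snort2lua source, the fix belongs there as well, as do the remaining "Snort++" mentions ("into a Snort++ configuration file", "between the Snort and Snort++ configurations", "output the new Snort++ lua configuration") that this change otherwise renames to Snort 3. Typos in the new prose: "output file file", "DCERP" (the error example later in the chapter says dcerpc2, so DCERPC), "There are a also few", "only interesting in converting", "there is an option pull all", "will omitted", "That mean you", "confiration" (twice), "Meaningles" (twice), "outoput", "may ouput", "rather than a variable For instance" (missing period), "rultype's", "emmitted". Finally, this region removes the IPS Actions, Developers Guide, Piglet Test Harness and Piglet Lua API subsections without a visible replacement; if they are not being moved, the ENABLE_PIGLET cmake option and the `snort --script-path $test_scripts --piglet` invocation lose their only documentation.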
-<div class="paragraph"><p>Differences:\r
-* In <code>Inspector.configure()</code>, the <code>SnortConfig*</code> parameter is passed implicitly.\r
-* the overloaded <code>get_buf()</code> member function has been split into three separate methods.</p></div>\r
-<div class="paragraph"><p><strong>IpsOption</strong></p></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_usage_2">Usage</h3>\r
+<div class="paragraph"><p>Snort2Lua is included in the Snort 3 distribution. The Snort2Lua source code\r
+is located in the tools/snort2lua directory. The program is automatically built\r
+and installed.</p></div>\r
+<div class="paragraph"><p>Translating your configuration</p></div>\r
+<div class="paragraph"><p>To run Snort2Lua, the only requirement is a file containing Snort 2 syntax.\r
+Assuming your configuration file is named snort.conf, run the command</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort2lua –c snort.conf</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Snort2Lua will output a file named snort.lua. Assuming your snort.conf file is\r
+a valid Snort 2 configuration file, than the resulting snort.lua file will\r
+always be a valid Snort 3 configuration file; any errors that occur are\r
+because Snort 3 currently does not support all of the Snort 2 options.</p></div>\r
+<div class="paragraph"><p>Every keyword from the Snort configuration can be found in the output file. If\r
+the option or keyword has changed, then a comment containing both the option or\r
+keyword’s old name and new name will be present in the output file.</p></div>\r
+<div class="paragraph"><p>Translating a rule file</p></div>\r
+<div class="paragraph"><p>Snort2Lua can also accommodate translating individual rule files. Assuming the\r
+Snort 2 rule file is named snort.rules and you want the new rule file to be\r
+name updated.rules, run the command</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort2lua –c snort.rules -r updated.rules</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Snort2Lua will output a file named updated.rules. That file, updated.rules,\r
+will always be a valid Snort 3 rule file. Any rule that contains unsupported\r
+options will be a comment in the output file.</p></div>\r
+<div class="paragraph"><p>Understanding the Output</p></div>\r
+<div class="paragraph"><p>Although Snort2Lua outputs very little to the console, there are several things\r
+that occur when Snort2Lua runs. This is a list of Snort2Lua outputs.</p></div>\r
+<div class="paragraph"><p><em>The console</em>. Every line that Snort2Lua is unable to translate from the Snort\r
+2.X format to the Snort 3 format is considered an error. Upon exiting,\r
+Snort2Lua will print the number of errors that occurred. Snort2Lua will also\r
+print the name of the error file.</p></div>\r
+<div class="paragraph"><p><em>The output file</em>. As previously mentioned, Snort2Lua will create a Lua file\r
+with valid Snort 3 syntax. The default Lua file is named snort.lua. This\r
+file is the equivalent of your main Snort 2 configuration file.</p></div>\r
+<div class="paragraph"><p><em>The rule file</em>. By default, all rules will be printed to the Lua file.\r
+However, if a rule file is specified on the command line, any rules found in\r
+the Snort 2 configuration will be written to the rule file instead</p></div>\r
+<div class="paragraph"><p><em>The error file</em>. By default, the error file is snort.rej. It will only be\r
+created if errors exist. Every error referenced on the command line can be\r
+found in this file. There are two reasons an error can occur.</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
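Review bot: both command examples in the Usage subsection use an en dash before the option letter, `snort2lua –c snort.conf` and `snort2lua –c snort.rules -r updated.rules`; a reader who copies them gets a literal "–c" argument rather than the `-c` option, so replace the dash with an ASCII hyphen in both. In the following paragraph, "than the resulting snort.lua file will always be a valid Snort 3 configuration file" should read "then", and "always" overstates what the chapter introduction says: an `include` whose file cannot be found is still emitted into the output and must be fixed or commented by hand, so qualify the claim to match.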
-<code>IpsOption.hash() → int</code>\r
+The Snort 2 configuration file has invalid syntax. If Snort 2 cannot\r
+ parse the configuration file, neither can Snort2Lua. In the example below,\r
+ Snort2Lua could not convert the line <em>config bad_option</em>. Since that is not\r
+ valid Snort 2 syntax, this is a syntax error.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>IpsOption.is_relative() → bool</code>\r
+The Snort 2 configuration file contains preprocessors and rule options\r
+ that are not supported in Snort 3. If Snort 2 can parse a line that\r
+ Snort2Lua cannot parse, than Snort 3 does not support something in the line.\r
+ As Snort 3 begins supporting these preprocessors and rule options, Snort2Lua\r
+ will also begin translating these lines. One example of such an error is\r
+ dcerpc2.\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Additional .lua and .rules files. Every time Snort2Lua parses the include or\r
+binding keyword, the program will attempt to parse the file referenced by the\r
+keyword. Snort2Lua will then create one or two new files. The new files will\r
+have a .lua or .rules extension appended to the original filename.</p></div>\r
+</div>\r
+</div>\r
+</div>\r
+<div class="sect1">\r
+<h2 id="_extending_snort">Extending Snort</h2>\r
+<div class="sectionbody">\r
+<div class="sect2">\r
+<h3 id="_plugins_3">Plugins</h3>\r
+<div class="paragraph"><p>Plugins have an associated API defined for each type, all of which share a\r
+common <em>header</em>, called the BaseApi. A dynamic library makes its plugins\r
+available by exporting the snort_plugins symbol, which is a null terminated\r
+array of BaseApi pointers.</p></div>\r
+<div class="paragraph"><p>The BaseApi includes type, name, API version, plugin version, and function\r
+pointers for constructing and destructing a Module. The specific API add\r
+various other data and functions for their given roles.</p></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_modules_2">Modules</h3>\r
+<div class="paragraph"><p>If we are defining a new Inspector called, say, gadget, it might be\r
+configured in snort.lua like this:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>gadget =\r
+{\r
+ brain = true,\r
+ claw = 3\r
+}</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>When the gadget table is processed, Snort will look for a module called\r
+gadget. If that Module has an associated API, it will be used to configure\r
+a new instance of the plugin. In this case, a GadgetModule would be\r
+instantiated, brain and claw would be set, and the Module instance would be\r
+passed to the GadgetInspector constructor.</p></div>\r
+<div class="paragraph"><p>Module has three key virtual methods:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<code>IpsOption.fp_research() → bool</code>\r
+<strong>begin()</strong> - called when Snort starts processing the associated Lua\r
+ table. This is a good place to allocate any required data and set\r
+ defaults.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>IpsOption.get_cursor_type() → int</code>\r
+<strong>set()</strong> - called to set each parameter after validation.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>IpsOption.eval(Cursor, Packet) → int</code>\r
+<strong>end()</strong> - called when Snort finishes processing the associated Lua\r
+ table. This is where additional integrity checks of related parameters\r
+ should be done.\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>The configured Module is passed to the plugin constructor which pulls the\r
+configuration data from the Module. For non-trivial configurations, the\r
+working paradigm is that Module hands a pointer to the configured data to\r
+the plugin instance which takes ownership.</p></div>\r
+<div class="paragraph"><p>Note that there is at most one instance of a given Module, even if multiple\r
+plugin instances are created which use that Module. (Multiple instances\r
+require Snort binding configuration.)</p></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_inspectors">Inspectors</h3>\r
+<div class="paragraph"><p>There are several types of inspector, which determines which inspectors are\r
+executed when:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<code>IpsOption.action(Packet)</code>\r
+IT_BINDER - determines which inspectors apply to given flows\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p><strong>IpsAction</strong></p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<code>IpsAction.exec(Packet)</code>\r
+IT_WIZARD - determines which service inspector to use if none explicitly\r
+ bound\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p><strong>Logger</strong></p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<code>Logger.open()</code>\r
+IT_PACKET - used to process all packets before session and service processing\r
+ (e.g. normalize)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>Logger.close()</code>\r
+IT_NETWORK - processes packets w/o service (e.g. arp_spoof, back_orifice)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>Logger.reset()</code>\r
+IT_STREAM - for flow tracking, ip defrag, and tcp reassembly\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>Logger.alert(Packet, string[message], Event)</code>\r
+IT_SERVICE - for http, ftp, telnet, etc.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>Logger.log(Packet, string[message], Event)</code>\r
+IT_PROBE - process all packets after all the above (e.g. perf_monitor,\r
+ port_scan)\r
</p>\r
</li>\r
</ul></div>\r
-<div class="paragraph"><p><strong>SearchEngine</strong></p></div>\r
-<div class="paragraph"><p>Currently, SearchEngine does not expose any methods.</p></div>\r
-<div class="paragraph"><p><strong>SoRule</strong></p></div>\r
-<div class="paragraph"><p>Currently, SoRule does not expose any methods.</p></div>\r
-<div class="sect4">\r
-<h5 id="_interface_objects">Interface Objects</h5>\r
-<div class="paragraph"><p>Many of the plugins take C++ classes and structs as arguments. These objects\r
-are exposed to the Lua API as Lua userdata. Exposed objects are instantiated\r
-by calling the <code>new</code> method from each object’s method table.</p></div>\r
-<div class="paragraph"><p>For example, the DecodeData object can be instantiated and exposed to Lua\r
-like this:</p></div>\r
+</div>\r
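Review bot: grammar in the BaseApi paragraph: "The specific API add various other data and functions for their given roles" should read "Each specific API adds ...". In the Modules section the begin()/set()/end() list says set() is "called to set each parameter after validation", but nothing says who performs that validation or what happens when it fails (is the Lua table rejected, or does the default set in begin() stand?); one sentence on that would make the lifecycle description complete, and "integrity checks of related parameters" in end() would benefit from a short example of what such a check is. The Inspectors lead sentence "There are several types of inspector, which determines which inspectors are executed when:" reads better as "The inspector type determines when an inspector is executed:".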
+<div class="sect2">\r
+<h3 id="_codecs">Codecs</h3>\r
+<div class="paragraph"><p>The Snort Codecs decipher raw packets. These Codecs are now completely\r
+pluggable; almost every Snort Codec can be built dynamically and replaced\r
+with an alternative, customized Codec. The pluggable nature has also made\r
+it easier to build new Codecs for protocols without having to touch the\r
+Snort code base.</p></div>\r
+<div class="paragraph"><p>The first step in creating a Codec is defining its class and protocol.\r
+Every Codec must inherit from the Snort Codec class defined in\r
+"framework/codec.h". The following is an example Codec named "example" and\r
+has an associated struct that is 14 bytes long.</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>#include <cstdint>\r
+#include <arpa/inet.h>\r
+#include “framework/codec.h”\r
+#include "main/snort_types.h"</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>#define EX_NAME “example”\r
+#define EX_HELP “example codec help string”</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>struct Example\r
+{\r
+ uint8_t dst[6];\r
+ uint8_t src[6];\r
+ uint16_t ethertype;</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code> static inline uint8_t size()\r
+ { return 14; }\r
+}</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>class ExCodec : public Codec\r
+{\r
+public:\r
+ ExCodec() : Codec(EX_NAME) { }\r
+ ~ExCodec() { }</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code> bool decode(const RawData&, CodecData&, DecodeData&) override;\r
+ void get_protocol_ids(std::vector<uint16_t>&) override;\r
+};</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>After defining ExCodec, the next step is adding the Codec’s decode\r
+functionality. The function below does this by implementing a valid decode\r
+function. The first parameter, which is the RawData struct, provides both a\r
+pointer to the raw data that has come from a wire and the length of that raw\r
+data. The function takes this information and validates that there are enough\r
+bytes for this protocol. If the raw data’s length is less than 14 bytes, the\r
+function returns false and Snort discards the packet; the packet is neither\r
+inspected nor processed. If the length is greater than 14 bytes, the function\r
+populates two fields in the CodecData struct, next_prot_id and lyr_len. The\r
+lyr_len field tells Snort the number of bytes that this layer contains. The\r
+next_prot_id field provides Snort the value of the next EtherType or IP\r
+protocol number.</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>bool ExCodec::decode(const RawData& raw, CodecData& codec, DecodeData&)\r
+{\r
+ if ( raw.len < Example::size() )\r
+ return false;</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code> const Example* const ex = reinterpret_cast<const Example*>(raw.data);\r
+ codec.next_prot_id = ntohs(ex->ethertype);\r
+ codec.lyr_len = ex->size();\r
+ return true;\r
+}</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>For instance, assume this decode function receives the following raw data with\r
+a validated length of 32 bytes:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>00 11 22 33 44 55 66 77 88 99 aa bb 08 00 45 00\r
+00 38 00 01 00 00 40 06 5c ac 0a 01 02 03 0a 09</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>The Example struct’s EtherType field is the 13 and 14 bytes. Therefore, this\r
+function tells Snort that the next protocol has an EtherType of 0x0800.\r
+Additionally, since the lyr_len is set to 14, Snort knows that the next\r
+protocol begins 14 bytes after the beginning of this protocol. The Codec with\r
+EtherType 0x0800, which happens to be the IPv4 Codec, will receive the\r
+following data with a validated length of 18 ( == 32 – 14):</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>45 00 00 38 00 01 00 00 40 06 5c ac 0a 01 02 03\r
+0a 09</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>How does Snort know that the IPv4 Codec has an EtherType of 0x0800? The\r
+Codec class has a second virtual function named get_protocol_ids(). When\r
+implementing the function, a Codec can register for any number of values\r
+between 0x0000 - 0xFFFF. Then, if the next_proto_id is set to a value for which\r
+this Codec has registered, this Codec’s decode function will be called. As a\r
+general note, the protocol ids between [0, 0x00FF] are IP protocol numbers,\r
+[0x0100, 0x05FF] are custom types, and [0x0600, 0xFFFF] are EtherTypes.</p></div>\r
+<div class="paragraph"><p>For example, in the get_protocol_ids function below, the ExCodec registers for\r
+the protocols numbers 17, 787, and 2054. 17 happens to be the protocol number\r
+for UDP while 2054 is ARP’s EtherType. Therefore, this Codec will now attempt\r
+to decode UDP and ARP data. Additionally, if any Codec sets the\r
+next_protocol_id to 787, ExCodec’s decode function will be called. Some custom\r
+protocols are already defined in the file "protocols/protocol_ids.h"</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>void ExCodec::get_protocol_ids(std::vector<uint16_t>&v)\r
+{\r
+ v.push_back(0x0011); // == 17 == UDP\r
+ v.push_back(0x1313); // == 787 == custom\r
+ v.push_back(0x0806); // == 2054 == ARP\r
+}</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>To register a Codec for Data Link Type’s rather than protocols, the function\r
+get_data_link_type() can be similarly implemented.</p></div>\r
+<div class="paragraph"><p>The final step to creating a pluggable Codec is the snort_plugins array. This\r
+array is important because when Snort loads a dynamic library, the program\r
+only find plugins that are inside the snort_plugins array. In other words, if a\r
+plugin has not been added to the snort_plugins array, that plugin will not be\r
+loaded into Snort.</p></div>\r
+<div class="paragraph"><p>Although the details will not be covered in this post, the following code\r
+snippet is a basic CodecApi that Snort can load. This snippet can be copied\r
+and used with only three minor changes. First, in the function ctor, ExCodec\r
+should be replaced with the name of the Codec that is being built. Second,\r
+EX_NAME must match the Codec’s name or Snort will be unable to load this Codec.\r
+Third, EX_HELP should be replaced with the general description of this Codec.\r
+Once this code snippet has been added, ExCodec is ready to be compiled and\r
+plugged into Snort.</p></div>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>local decode_data = DecodeData.new(...)</code></pre>\r
+<pre><code>static Codec* ctor(Module*)\r
+{ return new ExCodec; }</code></pre>\r
</div></div>\r
-<div class="paragraph"><p>Each object also exposes useful methods for getting and setting member variables,\r
-and calling the C++ methods contained in the the object. These methods can\r
-be accessed using the <code>:</code> accessor syntax:</p></div>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>decode_data:set({ sp = 80, dp = 3500 })</code></pre>\r
+<pre><code>static void dtor(Codec *cd)\r
+{ delete cd; }</code></pre>\r
</div></div>\r
-<div class="paragraph"><p>Since this is just syntactic sugar for passing the object as the first parameter\r
-of the function <code>DecodeData.set</code>, an equivalent form is:</p></div>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>decode_data.set(decode_data, { sp = 80, dp = 3500 })</code></pre>\r
+<pre><code>static const CodecApi ex_api =\r
+{\r
+ {\r
+ PT_CODEC,\r
+ EX_NAME,\r
+ EX_HELP,\r
+ CDAPI_PLUGIN_V0,\r
+ 0,\r
+ nullptr,\r
+ nullptr,\r
+ },\r
+ nullptr, // pointer to a function called during Snort's startup.\r
+ nullptr, // pointer to a function called during Snort's exit.\r
+ nullptr, // pointer to a function called during thread's startup.\r
+ nullptr, // pointer to a function called during thread's destruction.\r
+ ctor, // pointer to the codec constructor.\r
+ dtor, // pointer to the codec destructor.\r
+};</code></pre>\r
</div></div>\r
-<div class="paragraph"><p>or even:</p></div>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>DecodeData.set(decode_data, { sp = 80, dp = 3500 })</code></pre>\r
+<pre><code>SO_PUBLIC const BaseApi* snort_plugins[] =\r
+{\r
+ &ex_api.base,\r
+ nullptr\r
+};</code></pre>\r
</div></div>\r
-<div class="paragraph"><p><strong>Buffer</strong></p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<code>Buffer.new(string[data]) → Buffer</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Buffer.new(uint[length]) → Buffer</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Buffer.new(RawBuffer) → Buffer</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Buffer:allocate(uint[length]) → bool</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Buffer:clear()</code>\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p><strong>CodecData</strong></p></div>\r
+<div class="paragraph"><p>Two example Codecs are available in the extra directory on git and the extra\r
+tarball on the Snort page. One of those examples is the Token Ring Codec\r
+while the other example is the PIM Codec.</p></div>\r
+<div class="paragraph"><p>As a final note, there are four more virtual functions that a Codec should\r
+implement: encode, format, update, and log. If the functions are not\r
+implemented Snort will not throw any errors. However, Snort may also be unable\r
+to accomplish some of its basic functionality.</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<code>CodecData.new() → CodecData</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>CodecData.new(uint[next_prot_id]) → CodecData</code>\r
+encode is called whenever Snort actively responds and needs to builds a\r
+ packet, i.e. whenever a rule using an IPS ACTION like react, reject, or rewrite\r
+ is triggered. This function is used to build the response packet protocol by\r
+ protocol.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>CodecData.new(fields) → CodecData</code>\r
+format is called when Snort is rebuilding a packet. For instance, every time\r
+ Snort reassembles a TCP stream or IP fragment, format is called. Generally,\r
+ this function either swaps any source and destination fields in the protocol or\r
+ does nothing.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>CodecData:get() → fields</code>\r
+update is similar to format in that it is called when Snort is reassembling a\r
+ packet. Unlike format, this function only sets length fields.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>CodecData:set(fields)</code>\r
+log is called when either the log_codecs logger or a custom logger that calls\r
+ PacketManager::log_protocols is used when running Snort.\r
</p>\r
</li>\r
</ul></div>\r
-<div class="paragraph"><p><code>fields</code> is a table with the following contents:</p></div>\r
+</div>\r
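Review bot: the comment in ExCodec::get_protocol_ids() does not match its literal: `v.push_back(0x1313); // == 787 == custom` is wrong, because 0x1313 is 4883 decimal and, by the ranges given just above the example ([0x0100, 0x05FF] are custom types, [0x0600, 0xFFFF] are EtherTypes), would be an EtherType; 787 is 0x0313, which is in the custom range. Either change the literal to 0x0313 or change the prose and comment to 4883. As printed the example also will not compile: the includes and defines use typographic quotes (`#include “framework/codec.h”`, `#define EX_NAME “example”`) instead of ASCII double quotes, the `struct Example` definition closes with `}` and needs `};`, and `<vector>` is not included directly although get_protocol_ids() takes a std::vector (unless framework/codec.h pulls it in, which the text does not say). The CodecData field is spelled three ways (next_prot_id in the code, next_proto_id and next_protocol_id in the prose); use next_prot_id throughout. The decode description says the fields are populated "If the length is greater than 14 bytes", but the code returns false only for `raw.len < Example::size()`, so exactly 14 bytes is accepted; say "at least 14 bytes". Smaller wording fixes: "the 13 and 14 bytes" should be "the 13th and 14th bytes"; "Data Link Type’s" should be "Data Link Types"; "the program only find plugins" should be "only finds"; "will not be covered in this post" is left over from a blog post and should say "in this section"; "needs to builds a packet" should be "build".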
+<div class="sect2">\r
+<h3 id="_ips_actions">IPS Actions</h3>\r
+<div class="paragraph"><p>Action plugins specify a builtin action in the API which is used to\r
+determine verdict. (Conversely, builtin actions don’t have an associated\r
+plugin function.)</p></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_developers_guide">Developers Guide</h3>\r
+<div class="paragraph"><p>Run doc/dev_guide.sh to generate /tmp/dev_guide.html, an annotated guide to\r
+the source tree.</p></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_piglet_test_harness">Piglet Test Harness</h3>\r
+<div class="paragraph"><p>In order to assist with plugin development, an experimental mode called "piglet" mode\r
+is provided. With piglet mode, you can call individual methods for a specific plugin.\r
+The piglet tests are specified as Lua scripts. Each piglet test script defines a test\r
+for a specific plugin.</p></div>\r
+<div class="paragraph"><p>Here is a minimal example of a piglet test script for the IPv4 Codec plugin:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>plugin =\r
+{\r
+ type = "piglet",\r
+ name = "codec::ipv4",\r
+ use_defaults = true,\r
+ test = function()\r
+ local daq_header = DAQHeader.new()\r
+ local raw_buffer = RawBuffer.new("some data")\r
+ local codec_data = CodecData.new()\r
+ local decode_data = DecodeData.new()</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code> return Codec.decode(\r
+ daq_header,\r
+ raw_buffer,\r
+ codec_data,\r
+ decode_data\r
+ )\r
+ end\r
+}</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>To run snort in piglet mode, first build snort with the ENABLE_PIGLET option turned on\r
+(pass the flag -DENABLE_PIGLET:BOOL=ON in cmake).</p></div>\r
+<div class="paragraph"><p>Then, run the following command:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort --script-path $test_scripts --piglet</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>(where $test_scripts is the directory containing your piglet tests).</p></div>\r
+<div class="paragraph"><p>The test runner will generate a check-like output, indicating the\r
+the results of each test script.</p></div>\r
+</div>\r
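Review bot: the piglet example does not say how the test function's return value is interpreted. The script returns the result of Codec.decode(), and the text only says the runner "will generate a check-like output"; state whether a true return marks the test as passed and what a false return or a Lua error does, otherwise a reader cannot tell whether this minimal script is expected to pass when it hands the IPv4 codec the 9-byte string "some data". The "IPS Actions" subsection is a two-sentence paragraph with no pointer to the API it refers to ("specify a builtin action in the API"), unlike the Codecs section; at least name the API struct and the field that carries the builtin action. Also "indicating the the results of each test script" has a doubled "the".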
+<div class="sect2">\r
+<h3 id="_piglet_lua_api">Piglet Lua API</h3>\r
+<div class="paragraph"><p>This section documents the API that piglet exposes to Lua.\r
+Refer to the piglet directory in the source tree for examples of usage.</p></div>\r
+<div class="paragraph"><p>Note: Because of the differences between the Lua and C++ data model and type\r
+system, not all parameters map directly to the parameters of the underlying\r
+C\++ member functions. Every effort has been made to keep the mappings consist,\r
+but there are still some differences. They are documented below.</p></div>\r
+<div class="sect3">\r
+<h4 id="_plugin_instances">Plugin Instances</h4>\r
+<div class="paragraph"><p>For each test, piglet instantiates plugin specified in the <code>name</code> field of the\r
+<code>plugin</code> table. The virtual methods of the instance are exposed in a table\r
+unique to each plugin type. The name of the table is the CamelCase name of the\r
+plugin type.</p></div>\r
+<div class="paragraph"><p>For example, codec plugins have a virtual method called <code>decode</code>. This method\r
+is called like this:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>Codec.decode(...)</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p><strong>Codec</strong></p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<code>next_prot_id</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>lyr_len</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>invalid_bytes</code>\r
+<code>Codec.get_data_link_type() → { int, int, … }</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>proto_bits</code>\r
+<code>Codec.get_protocol_ids() → { int, int, … }</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>codec_flags</code>\r
+<code>Codec.decode(DAQHeader, RawBuffer, CodecData, DecodeData) → bool</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>ip_layer_cnt</code>\r
+<code>Codec.log(RawBuffer, uint[lyr_len])</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>ip6_extension_count</code>\r
+<code>Codec.encode(RawBuffer, EncState, Buffer) → bool</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>curr_ip6_extension</code>\r
+<code>Codec.update(uint[flags_hi], uint[flags_lo], RawBuffer, uint[lyr_len] → int</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>ip6_csum_proto</code>\r
+<code>Codec.format(bool[reverse], RawBuffer, DecodeData)</code>\r
</p>\r
</li>\r
</ul></div>\r
-<div class="paragraph"><p><strong>Cursor</strong></p></div>\r
+<div class="paragraph"><p>Differences:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<code>Cursor.new() → Cursor</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Cursor.new(Packet) → Cursor</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Cursor.new(string[data]) → Cursor</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Cursor.new(RawBuffer) → Cursor</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Cursor:reset()</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Cursor:reset(Packet)</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Cursor:reset(string[data])</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Cursor:reset(RawBuffer)</code>\r
+In <code>Codec.update()</code>, the <code>(uint64_t) flags</code> parameter has been split into\r
+<code>flags_hi</code> and <code>flags_lo</code>\r
</p>\r
</li>\r
</ul></div>\r
-<div class="paragraph"><p><strong>DAQHeader</strong></p></div>\r
+<div class="paragraph"><p><strong>Inspector</strong></p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<code>DAQHeader.new() → DAQHeader</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>DAQHeader.new(fields) → DAQHeader</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>DAQHeader:get() → fields</code>\r
+<code>Inspector.configure()</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>DAQHeader:set(fields)</code>\r
+<code>Inspector.tinit()</code>\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p><code>fields</code> is a table with the following contents:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<code>caplen</code>\r
+<code>Inspector.tterm()</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>pktlen</code>\r
+<code>Inspector.likes(Packet)</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>ingress_index</code>\r
+<code>Inspector.eval(Packet)</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>egress_index</code>\r
+<code>Inspector.clear(Packet)</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>ingress_group</code>\r
+<code>Inspector.get_buf_from_key(string[key], Packet, RawBuffer) → bool</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>egress_group</code>\r
+<code>Inspector.get_buf_from_id(uint[id], Packet, RawBuffer) → bool</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>flags</code>\r
+<code>Inspector.get_buf_from_type(uint[type], Packet, RawBuffer) → bool</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>opaque</code>\r
+<code>Inspector.get_splitter(bool[to_server]) → StreamSplitter</code>\r
</p>\r
</li>\r
</ul></div>\r
-<div class="paragraph"><p><strong>DecodeData</strong></p></div>\r
+<div class="paragraph"><p>Differences:\r
+* In <code>Inspector.configure()</code>, the <code>SnortConfig*</code> parameter is passed implicitly.\r
+* the overloaded <code>get_buf()</code> member function has been split into three separate methods.</p></div>\r
+<div class="paragraph"><p><strong>IpsOption</strong></p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<code>DecodeData.new() → DecodeData</code>\r
+<code>IpsOption.hash() → int</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>DecodeData.new(fields) → DecodeData</code>\r
+<code>IpsOption.is_relative() → bool</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>DecodeData:reset()</code>\r
+<code>IpsOption.fp_research() → bool</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>DecodeData:get() → fields</code>\r
+<code>IpsOption.get_cursor_type() → int</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>DecodeData:set(fields)</code>\r
+<code>IpsOption.eval(Cursor, Packet) → int</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>DecodeData:set_ipv4_hdr(RawBuffer, uint[offset])</code>\r
+<code>IpsOption.action(Packet)</code>\r
</p>\r
</li>\r
</ul></div>\r
-<div class="paragraph"><p><code>fields</code> is a table with the following contents:</p></div>\r
+<div class="paragraph"><p><strong>IpsAction</strong></p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<code>sp</code>\r
+<code>IpsAction.exec(Packet)</code>\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p><strong>Logger</strong></p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<code>dp</code>\r
+<code>Logger.open()</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>decode_flags</code>\r
+<code>Logger.close()</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>type</code>\r
+<code>Logger.reset()</code>\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p><strong>EncState</strong></p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<code>EncState.new() → EncState</code>\r
+<code>Logger.alert(Packet, string[message], Event)</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>EncState.new(uint[flags_lo]) → EncState</code>\r
+<code>Logger.log(Packet, string[message], Event)</code>\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p><strong>SearchEngine</strong></p></div>\r
+<div class="paragraph"><p>Currently, SearchEngine does not expose any methods.</p></div>\r
+<div class="paragraph"><p><strong>SoRule</strong></p></div>\r
+<div class="paragraph"><p>Currently, SoRule does not expose any methods.</p></div>\r
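Review bot: the Codec "Differences" list is incomplete: it mentions only the flags split in Codec.update(), but Codec.decode() is listed as taking (DAQHeader, RawBuffer, CodecData, DecodeData) while the C++ signature shown in the Codecs section is decode(const RawData&, CodecData&, DecodeData&), so the DAQHeader/RawBuffer pair standing in for RawData is a second mapping difference that belongs in the list. Signature typo: `Codec.update(uint[flags_hi], uint[flags_lo], RawBuffer, uint[lyr_len] → int` is missing its closing parenthesis. The Inspector "Differences:" bullets did not render as a list (the two `*` lines sit inside the paragraph); put a blank line after "Differences:" in the AsciiDoc source so they render like the Codec list does. Rendering and wording: `C\++` in the note paragraph is an unescaped AsciiDoc literal that should display as C++; "keep the mappings consist" should be "consistent"; "piglet instantiates plugin specified" should be "the plugin specified".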
+<div class="sect4">\r
+<h5 id="_interface_objects">Interface Objects</h5>\r
+<div class="paragraph"><p>Many of the plugins take C++ classes and structs as arguments. These objects\r
+are exposed to the Lua API as Lua userdata. Exposed objects are instantiated\r
+by calling the <code>new</code> method from each object’s method table.</p></div>\r
+<div class="paragraph"><p>For example, the DecodeData object can be instantiated and exposed to Lua\r
+like this:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>local decode_data = DecodeData.new(...)</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Each object also exposes useful methods for getting and setting member variables,\r
+and calling the C++ methods contained in the the object. These methods can\r
+be accessed using the <code>:</code> accessor syntax:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>decode_data:set({ sp = 80, dp = 3500 })</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Since this is just syntactic sugar for passing the object as the first parameter\r
+of the function <code>DecodeData.set</code>, an equivalent form is:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>decode_data.set(decode_data, { sp = 80, dp = 3500 })</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>or even:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>DecodeData.set(decode_data, { sp = 80, dp = 3500 })</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p><strong>Buffer</strong></p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+<code>Buffer.new(string[data]) → Buffer</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>EncState.new(uint[flags_lo], uint[flags_hi]) → EncState</code>\r
+<code>Buffer.new(uint[length]) → Buffer</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>EncState.new(uint[flags_lo], uint[flags_hi], uint[next_proto]) → EncState</code>\r
+<code>Buffer.new(RawBuffer) → Buffer</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>EncState.new(uint[flags_lo], uint[flags_hi], uint[next_proto], uint[ttl]) → EncState</code>\r
+<code>Buffer:allocate(uint[length]) → bool</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>EncState.new(uint[flags_lo], uint[flags_hi], uint[next_proto], uint[ttl], uint[dsize]) → EncState</code>\r
+<code>Buffer:clear()</code>\r
</p>\r
</li>\r
</ul></div>\r
-<div class="paragraph"><p><strong>Event</strong></p></div>\r
+<div class="paragraph"><p><strong>CodecData</strong></p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<code>Event.new() → Event</code>\r
+<code>CodecData.new() → CodecData</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>Event.new(fields) → Event</code>\r
+<code>CodecData.new(uint[next_prot_id]) → CodecData</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>Event:get() → fields</code>\r
+<code>CodecData.new(fields) → CodecData</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>Event:set(fields)</code>\r
+<code>CodecData:get() → fields</code>\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<code>CodecData:set(fields)</code>\r
</p>\r
</li>\r
</ul></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<code>event_id</code>\r
+<code>next_prot_id</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>event_reference</code>\r
+<code>lyr_len</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>sig_info</code>\r
+<code>invalid_bytes</code>\r
</p>\r
-<div class="ulist"><ul>\r
+</li>\r
<li>\r
<p>\r
-<code>generator</code>\r
+<code>proto_bits</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>id</code>\r
+<code>codec_flags</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>rev</code>\r
+<code>ip_layer_cnt</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>class_id</code>\r
+<code>ip6_extension_count</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>priority</code>\r
+<code>curr_ip6_extension</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>text_rule</code>\r
+<code>ip6_csum_proto</code>\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p><strong>Cursor</strong></p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<code>num_services</code>\r
+<code>Cursor.new() → Cursor</code>\r
</p>\r
</li>\r
-</ul></div>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p><strong>Flow</strong></p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<code>Flow.new() → Flow</code>\r
+<code>Cursor.new(Packet) → Cursor</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>Flow:reset()</code>\r
+<code>Cursor.new(string[data]) → Cursor</code>\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p><strong>Packet</strong></p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<code>Packet.new() → Packet</code>\r
+<code>Cursor.new(RawBuffer) → Cursor</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>Packet.new(string[data]) → Packet</code>\r
+<code>Cursor:reset()</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>Packet.new(uint[size]) → Packet</code>\r
+<code>Cursor:reset(Packet)</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>Packet.new(fields) → Packet</code>\r
+<code>Cursor:reset(string[data])</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>Packet.new(RawBuffer) → Packet</code>\r
+<code>Cursor:reset(RawBuffer)</code>\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p><strong>DAQHeader</strong></p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<code>Packet.new(DAQHeader) → Packet</code>\r
+<code>DAQHeader.new() → DAQHeader</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>Packet:set_decode_data(DecodeData)</code>\r
+<code>DAQHeader.new(fields) → DAQHeader</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>Packet:set_data(uint[offset], uint[length])</code>\r
+<code>DAQHeader:get() → fields</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>Packet:set_flow(Flow)</code>\r
+<code>DAQHeader:set(fields)</code>\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p><code>fields</code> is a table with the following contents:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<code>Packet:get() → fields</code>\r
+<code>caplen</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>Packet:set() </code>\r
+<code>pktlen</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>Packet:set(string[data]) </code>\r
+<code>ingress_index</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>Packet:set(uint[size]) </code>\r
+<code>egress_index</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>Packet:set(fields) </code>\r
+<code>ingress_group</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>Packet:set(RawBuffer) </code>\r
+<code>egress_group</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>Packet:set(DAQHeader) </code>\r
+<code>flags</code>\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p><code>fields</code> is a table with the following contents:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<code>packet_flags</code>\r
+<code>opaque</code>\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p><strong>DecodeData</strong></p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<code>xtradata_mask</code>\r
+<code>DecodeData.new() → DecodeData</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>proto_bits</code>\r
+<code>DecodeData.new(fields) → DecodeData</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>application_protocol_ordinal</code>\r
+<code>DecodeData:reset()</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>alt_dsize</code>\r
+<code>DecodeData:get() → fields</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>num_layers</code>\r
+<code>DecodeData:set(fields)</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>iplist_id</code>\r
+<code>DecodeData:set_ipv4_hdr(RawBuffer, uint[offset])</code>\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p><code>fields</code> is a table with the following contents:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<code>user_policy_id</code>\r
+<code>sp</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>ps_proto</code>\r
+<code>dp</code>\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Note: <code>Packet.new()</code> and <code>Packet:set()</code> accept multiple arguments of the\r
-types described above in any order</p></div>\r
-<div class="paragraph"><p><strong>RawBuffer</strong></p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<code>RawBuffer.new() → RawBuffer</code>\r
+<code>decode_flags</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>RawBuffer.new(uint[size]) → RawBuffer</code>\r
+<code>type</code>\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p><strong>EncState</strong></p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<code>RawBuffer.new(string[data]) → RawBuffer</code>\r
+<code>EncState.new() → EncState</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>RawBuffer:size() → int</code>\r
+<code>EncState.new(uint[flags_lo]) → EncState</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>RawBuffer:resize(uint[size])</code>\r
+<code>EncState.new(uint[flags_lo], uint[flags_hi]) → EncState</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>RawBuffer:write(string[data])</code>\r
+<code>EncState.new(uint[flags_lo], uint[flags_hi], uint[next_proto]) → EncState</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>RawBuffer:write(string[data], uint[size])</code>\r
+<code>EncState.new(uint[flags_lo], uint[flags_hi], uint[next_proto], uint[ttl]) → EncState</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>RawBuffer:read() → string</code>\r
+<code>EncState.new(uint[flags_lo], uint[flags_hi], uint[next_proto], uint[ttl], uint[dsize]) → EncState</code>\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p><strong>Event</strong></p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<code>RawBuffer:read(uint[end]) → string</code>\r
+<code>Event.new() → Event</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>RawBuffer:read(uint[start], uint[end]) → string</code>\r
+<code>Event.new(fields) → Event</code>\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Note: calling <code>RawBuffer.new()</code> with no arguments returns a RawBuffer of size 0</p></div>\r
-<div class="paragraph"><p><strong>StreamSplitter</strong></p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<code>StreamSplitter:scan(Flow, RawBuffer) → int, int</code>\r
+<code>Event:get() → fields</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>StreamSplitter:scan(Flow, RawBuffer, uint[len]) → int, int</code>\r
+<code>Event:set(fields)</code>\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p><code>fields</code> is a table with the following contents:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<code>StreamSplitter:scan(Flow, RawBuffer, uint[len], uint[flags]) → int, int</code>\r
+<code>event_id</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>StreamSplitter:reassemble(Flow, uint[total], uint[offset], RawBuffer) → int, RawBuffer</code>\r
+<code>event_reference</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>StreamSplitter:reassemble(Flow, uint[total], uint[offset], RawBuffer, uint[len]) → int, RawBuffer</code>\r
+<code>sig_info</code>\r
</p>\r
-</li>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<code>StreamSplitter:reassemble(Flow, uint[total], uint[offset], RawBuffer, uint[len], uint[flags]) → int, RawBuffer</code>\r
+<code>generator</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<code>StreamSplitter:finish(Flow) → bool</code>\r
+<code>id</code>\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Note: StreamSplitter does not have a <code>new()</code> method, it must be created by an inspector via\r
-<code>Inspector.get_splitter()</code></p></div>\r
-</div>\r
-</div>\r
-</div>\r
-</div>\r
-</div>\r
-<div class="sect1">\r
-<h2 id="_coding_style">Coding Style</h2>\r
-<div class="sectionbody">\r
-<div class="paragraph"><p>All new code should try to follow these style guidelines. These are not\r
-yet firm so feedback is welcome to get something we can live with.</p></div>\r
-<div class="sect2">\r
-<h3 id="_general">General</h3>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-Generally try to follow\r
- <a href="http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml">http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml</a>,\r
- but there are some differences documented here.\r
+<code>rev</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-Each source directory should have a dev_notes.txt file summarizing the\r
- key points and design decisions for the code in that directory. These\r
- are built into the developers guide.\r
+<code>class_id</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-Makefile.am and CMakeLists.txt should have the same files listed in alpha\r
- order. This makes it easier to maintain both build systems.\r
+<code>priority</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-All new code must come with unit tests providing 95% coverage or better.\r
+<code>text_rule</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-Generally, Catch is preferred for tests in the source file and CppUTest\r
- is preferred for test executables in a test subdirectory.\r
+<code>num_services</code>\r
</p>\r
</li>\r
</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_c_specific">C++ Specific</h3>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p><strong>Flow</strong></p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-Do not use exceptions. Exception-safe code is non-trivial and we have\r
- ported legacy code that makes use of exceptions unwise. There are a few\r
- exceptions to this rule for the memory manager, shell, etc. Other code\r
- should handle errors as errors.\r
+<code>Flow.new() → Flow</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-Do not use dynamic_cast or RTTI. Although compilers are getting better\r
- all the time, there is a time and space cost to this that is easily\r
- avoided.\r
+<code>Flow:reset()</code>\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p><strong>Packet</strong></p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-Use smart pointers judiciously as they aren’t free. If you would have to\r
- roll your own, then use a smart pointer. If you just need a dtor to\r
- delete something, write the dtor.\r
+<code>Packet.new() → Packet</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-Prefer <em>and</em> over && and <em>or</em> over || for new source files.\r
+<code>Packet.new(string[data]) → Packet</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-Use nullptr instead of NULL.\r
+<code>Packet.new(uint[size]) → Packet</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-Use new, delete, and their [] counterparts instead of malloc and free\r
- except where realloc must be used. But try not to use realloc. New and\r
- delete can’t return nullptr so no need to check. And Snort’s memory\r
- manager will ensure that we live within our memory budget.\r
+<code>Packet.new(fields) → Packet</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-Use references in lieu of pointers wherever possible.\r
+<code>Packet.new(RawBuffer) → Packet</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-Use the order public, protected, private top to bottom in a class\r
- declaration.\r
+<code>Packet.new(DAQHeader) → Packet</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-Keep inline functions in a class declaration very brief, preferably just\r
- one line. If you need a more complex inline function, move the\r
- definition below the class declaration.\r
+<code>Packet:set_decode_data(DecodeData)</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-The goal is to have highly readable class declarations. The user\r
- shouldn’t have to sift through implementation details to see what is\r
- available to the client.\r
+<code>Packet:set_data(uint[offset], uint[length])</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-Any using statements in source files should be added only after all\r
- includes have been declared.\r
+<code>Packet:set_flow(Flow)</code>\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_naming">Naming</h3>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-Use camel case for namespaces, classes, and types like WhizBangPdfChecker.\r
+<code>Packet:get() → fields</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-Use lower case identifiers with underscore separators, e.g. some_function()\r
- and my_var.\r
+<code>Packet:set() </code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-Do not start or end variable names with an underscore. This has a good\r
- chance of conflicting with macro and/or system definitions.\r
+<code>Packet:set(string[data]) </code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-Use lower case filenames with underscores.\r
+<code>Packet:set(uint[size]) </code>\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_comments">Comments</h3>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-Write comments sparingly with a mind towards future proofing. Often the\r
- comments can be obviated with better code. Clear code is better than a\r
- comment.\r
+<code>Packet:set(fields) </code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-Heed Tim Ottinger’s Rule on Comments (<a href="https://disqus.com/by/tim_ottinger/">https://disqus.com/by/tim_ottinger/</a>):\r
+<code>Packet:set(RawBuffer) </code>\r
</p>\r
-<div class="olist arabic"><ol class="arabic">\r
+</li>\r
<li>\r
<p>\r
-Comments should only say what the code is incapable of saying.\r
+<code>Packet:set(DAQHeader) </code>\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p><code>fields</code> is a table with the following contents:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-Comments that repeat (or pre-state) what the code is doing must be\r
- removed.\r
+<code>packet_flags</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-If the code CAN say what the comment is saying, it must be changed at\r
- least until rule #2 is in force.\r
+<code>xtradata_mask</code>\r
</p>\r
</li>\r
-</ol></div>\r
-</li>\r
<li>\r
<p>\r
-Function comment blocks are generally just noise that quickly becomes\r
- obsolete. If you absolutely must comment on parameters, put each on a\r
- separate line along with the comment. That way changing the signature\r
- may prompt a change to the comments too.\r
+<code>proto_bits</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-Use FIXIT (not FIXTHIS or TODO or whatever) to mark things left for a\r
- day or even just a minute. That way we can find them easily and won’t\r
- lose track of them.\r
+<code>application_protocol_ordinal</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-Presently using FIXIT-X where X = A | W | P | H | M | L, indicating analysis,\r
- warning, perf, high, med, or low priority. Place A and W comments on the\r
- exact warning line so we can match up comments and build output. Supporting\r
- comments can be added above.\r
+<code>alt_dsize</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-Put the copyright(s) and license in a comment block at the top of each\r
- source file (.h and .cc). Don’t bother with trivial scripts and make\r
- foo. Some interesting Lua code should get a comment block too. Copy and\r
- paste exactly from src/main.h (don’t reformat).\r
+<code>num_layers</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-Put author, description, etc. in separate comment(s) following the\r
- license. Do not put such comments in the middle of the license foo.\r
- Be sure to put the author line ahead of the header guard to exclude them\r
- from the developers guide. Use the following format, and include a\r
- mention to the original author if this is derived work:\r
+<code>iplist_id</code>\r
</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>// ips_dnp3_obj.cc author Maya Dagon <mdagon@cisco.com>\r
-// based on work by Ryan Jordan</code></pre>\r
-</div></div>\r
</li>\r
<li>\r
<p>\r
-Each header should have a comment immediately after the header guard to\r
- give an overview of the file so the reader knows what’s going on.\r
+<code>user_policy_id</code>\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_logging">Logging</h3>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-Messages intended for the user should not look like debug messages. Eg,\r
- the function name should not be included. It is generally unhelpful to\r
- include pointers.\r
+<code>ps_proto</code>\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Note: <code>Packet.new()</code> and <code>Packet:set()</code> accept multiple arguments of the\r
+types described above in any order</p></div>\r
+<div class="paragraph"><p><strong>RawBuffer</strong></p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-Most debug messages should just be deleted.\r
+<code>RawBuffer.new() → RawBuffer</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-Don’t bang your error messages (no !). The user feels bad enough about the\r
- problem already w/o you shouting at him.\r
+<code>RawBuffer.new(uint[size]) → RawBuffer</code>\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_types">Types</h3>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-Use logical types to make the code clearer and to help the compiler catch\r
- problems. typedef uint16_t Port; bool foo(Port) is way better than\r
- int foo(int port).\r
+<code>RawBuffer.new(string[data]) → RawBuffer</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-Use forward declarations (e.g. struct SnortConfig;) instead of void*.\r
+<code>RawBuffer:size() → int</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-Try not to use extern data unless absolutely necessary and then put the\r
- extern in an appropriate header. Exceptions for things used in exactly\r
- one place like BaseApi pointers.\r
+<code>RawBuffer:resize(uint[size])</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-Use const liberally. In most cases, const char* s = "foo" should be\r
- const char* const s = "foo". The former goes in the initialized data\r
- section and the latter in read only data section.\r
+<code>RawBuffer:write(string[data])</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-But use const char s[] = "foo" instead of const char* s = "foo" when\r
- possible. The latter form allocates a pointer variable and the data\r
- while the former allocates only the data.\r
+<code>RawBuffer:write(string[data], uint[size])</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-Use static wherever possible to minimize public symbols and eliminate\r
- unneeded relocations.\r
+<code>RawBuffer:read() → string</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-Declare functions virtual only in the parent class introducing the\r
- function (not in a derived class that is overriding the function).\r
- This makes it clear which class introduces the function.\r
+<code>RawBuffer:read(uint[end]) → string</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-Declare functions as override if they are intended to override a\r
- function. This makes it possible to find derived implementations that\r
- didn’t get updated and therefore won’t get called due a change in the\r
- parent signature.\r
+<code>RawBuffer:read(uint[start], uint[end]) → string</code>\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Note: calling <code>RawBuffer.new()</code> with no arguments returns a RawBuffer of size 0</p></div>\r
+<div class="paragraph"><p><strong>StreamSplitter</strong></p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-Use bool functions instead of int unless there is truly a need for\r
- multiple error returns. The C-style use of zero for success and -1 for\r
- error is less readable and often leads to messy code that either ignores\r
- the various errors anyway or needlessly and ineffectively tries to do\r
- something aobut them. Generally that code is not updated if new errors\r
- are added.\r
+<code>StreamSplitter:scan(Flow, RawBuffer) → int, int</code>\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_macros_aka_defines">Macros (aka defines)</h3>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-In many cases, even in C++, use #define name "value" instead of a\r
- const char* const name = "value" because it will eliminate a symbol from\r
- the binary.\r
+<code>StreamSplitter:scan(Flow, RawBuffer, uint[len]) → int, int</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-Use inline functions instead of macros where possible (pretty much all\r
- cases except where stringification is necessary). Functions offer better\r
- typing, avoid re-expansions, and a debugger can break there.\r
+<code>StreamSplitter:scan(Flow, RawBuffer, uint[len], uint[flags]) → int, int</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-All macros except simple const values should be wrapped in () and all\r
- args should be wrapped in () too to avoid surprises upon expansion.\r
- Example:\r
+<code>StreamSplitter:reassemble(Flow, uint[total], uint[offset], RawBuffer) → int, RawBuffer</code>\r
</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>#define SEQ_LT(a,b) ((int)((a) - (b)) < 0)</code></pre>\r
-</div></div>\r
</li>\r
<li>\r
<p>\r
-Multiline macros should be blocked (i.e. inside { }) to avoid if-else type\r
- surprises.\r
+<code>StreamSplitter:reassemble(Flow, uint[total], uint[offset], RawBuffer, uint[len]) → int, RawBuffer</code>\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_formatting">Formatting</h3>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-Try to keep all source files under 2500 lines. 3000 is the max allowed.\r
- If you need more lines, chances are that the code needs to be refactored.\r
+<code>StreamSplitter:reassemble(Flow, uint[total], uint[offset], RawBuffer, uint[len], uint[flags]) → int, RawBuffer</code>\r
</p>\r
</li>\r
<li>\r
<p>\r
-Indent 4 space chars … no tabs!\r
+<code>StreamSplitter:finish(Flow) → bool</code>\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Note: StreamSplitter does not have a <code>new()</code> method, it must be created by an inspector via\r
+<code>Inspector.get_splitter()</code></p></div>\r
+</div>\r
+</div>\r
+</div>\r
+</div>\r
+</div>\r
+<div class="sect1">\r
+<h2 id="_coding_style">Coding Style</h2>\r
+<div class="sectionbody">\r
+<div class="paragraph"><p>All new code should try to follow these style guidelines. These are not\r
+yet firm so feedback is welcome to get something we can live with.</p></div>\r
+<div class="sect2">\r
+<h3 id="_general">General</h3>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-If you need to indent many times, something could be rewritten or\r
- restructured to make it clearer. Fewer indents is generally easier to\r
- write, easier to read, and overall better code.\r
+Generally try to follow\r
+ <a href="http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml">http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml</a>,\r
+ but there are some differences documented here.\r
</p>\r
</li>\r
<li>\r
<p>\r
-Braces go on the line immediately following a new scope (function\r
- signature, if, else, loop, switch, etc.\r
+Each source directory should have a dev_notes.txt file summarizing the\r
+ key points and design decisions for the code in that directory. These\r
+ are built into the developers guide.\r
</p>\r
</li>\r
<li>\r
<p>\r
-Use consistent spacing and line breaks. Always indent 4 spaces from the\r
- breaking line. Keep lines less than 100 chars; it greatly helps\r
- readability.\r
+Makefile.am and CMakeLists.txt should have the same files listed in alpha\r
+ order. This makes it easier to maintain both build systems.\r
</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>No:\r
- calling_a_func_with_a_long_name(arg1,\r
- arg2,\r
- arg3);</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>Yes:\r
- calling_a_func_with_a_long_name(\r
- arg1, arg2, arg3);</code></pre>\r
-</div></div>\r
</li>\r
<li>\r
<p>\r
-Put function signature on one line, except when breaking for the arg\r
- list:\r
+All new code must come with unit tests providing 95% coverage or better.\r
</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>No:\r
- inline\r
- bool foo()\r
- { // ...</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>Yes:\r
- inline bool foo()\r
- { // ...</code></pre>\r
-</div></div>\r
</li>\r
<li>\r
<p>\r
-Put conditional code on the line following the if so it is easy to break\r
- on the conditional block:\r
+Generally, Catch is preferred for tests in the source file and CppUTest\r
+ is preferred for test executables in a test subdirectory.\r
</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>No:\r
- if ( test ) foo();</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>Yes:\r
- if ( test )\r
- foo();</code></pre>\r
-</div></div>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_headers">Headers</h3>\r
+<h3 id="_c_specific">C++ Specific</h3>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-Don’t hesitate to create a new header if it is needed. Don’t lump\r
- unrelated stuff into an header because it is convenient.\r
+Do not use exceptions. Exception-safe code is non-trivial and we have\r
+ ported legacy code that makes use of exceptions unwise. There are a few\r
+ exceptions to this rule for the memory manager, shell, etc. Other code\r
+ should handle errors as errors.\r
</p>\r
</li>\r
<li>\r
<p>\r
-Write header guards like this (leading underscores are reserved for\r
- system stuff). In my_header.h:\r
+Do not use dynamic_cast or RTTI. Although compilers are getting better\r
+ all the time, there is a time and space cost to this that is easily\r
+ avoided.\r
</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>#ifndef MY_HEADER_H\r
-#define MY_HEADER_H\r
-// ...\r
-#endif</code></pre>\r
-</div></div>\r
</li>\r
<li>\r
<p>\r
-Includes from a different directory should specify parent directory.\r
- This makes it clear exactly what is included and avoids the primordial\r
- soup that results from using -I this -I that -I the_other_thing … .\r
+Use smart pointers judiciously as they aren’t free. If you would have to\r
+ roll your own, then use a smart pointer. If you just need a dtor to\r
+ delete something, write the dtor.\r
</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>// given:\r
-src/foo/foo.cc\r
-src/bar/bar.cc\r
-src/bar/baz.cc</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>// in baz.cc\r
-#include "bar.h"</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>// in foo.cc\r
-#include "bar/bar.h"</code></pre>\r
-</div></div>\r
</li>\r
<li>\r
<p>\r
-Includes within installed headers should specify parent directory.\r
+Prefer <em>and</em> over && and <em>or</em> over || for new source files.\r
</p>\r
</li>\r
<li>\r
<p>\r
-Just because it is a #define doesn’t mean it goes in a header.\r
- Everything should be scoped as tightly as possible. Shared\r
- implementation declarations should go in a separate header from the\r
- interface. And so on.\r
+Use nullptr instead of NULL.\r
</p>\r
</li>\r
<li>\r
<p>\r
-A .cc should include its own .h before any others (including\r
- system headers). This ensures that the header stands on its own and can\r
- be used by clients without include prerequisites and the developer will\r
- be the first to find a dependency problem.\r
+Use new, delete, and their [] counterparts instead of malloc and free\r
+ except where realloc must be used. But try not to use realloc. New and\r
+ delete can’t return nullptr so no need to check. And Snort’s memory\r
+ manager will ensure that we live within our memory budget.\r
</p>\r
</li>\r
<li>\r
<p>\r
-Include required headers, all required headers, and nothing but required\r
- headers. Don’t just clone a bunch of headers because it is convenient.\r
+Use references in lieu of pointers wherever possible.\r
</p>\r
</li>\r
<li>\r
<p>\r
-Try to keep includes in alpha order. This makes it easier to maintain,\r
- avoid duplicates, etc.\r
+Use the order public, protected, private top to bottom in a class\r
+ declaration.\r
</p>\r
</li>\r
<li>\r
<p>\r
-Any file depending on #ifdefs should include config.h as shown below. A\r
- .h should include it before any other includes, and a .cc should include\r
- it immediately after the include of its own .h.\r
+Keep inline functions in a class declaration very brief, preferably just\r
+ one line. If you need a more complex inline function, move the\r
+ definition below the class declaration.\r
</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>#ifdef HAVE_CONFIG_H\r
-#include "config.h"\r
-#endif</code></pre>\r
-</div></div>\r
</li>\r
<li>\r
<p>\r
-Do not put using statements in headers unless they are tightly scoped.\r
+The goal is to have highly readable class declarations. The user\r
+ shouldn’t have to sift through implementation details to see what is\r
+ available to the client.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Any using statements in source files should be added only after all\r
+ includes have been declared.\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_warnings">Warnings</h3>\r
+<h3 id="_naming">Naming</h3>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-With g++, use at least these compiler flags:\r
+Use camel case for namespaces, classes, and types like WhizBangPdfChecker.\r
</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>-Wall -Wextra -pedantic -Wformat -Wformat-security\r
--Wunused-but-set-variable -Wno-deprecated-declarations\r
--fsanitize=address -fno-omit-frame-pointer</code></pre>\r
-</div></div>\r
</li>\r
<li>\r
<p>\r
-With clang, use at least these compiler flags:\r
+Use lower case identifiers with underscore separators, e.g. some_function()\r
+ and my_var.\r
</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>-Wall -Wextra -pedantic -Wformat -Wformat-security\r
--Wno-deprecated-declarations\r
--fsanitize=address -fno-omit-frame-pointer</code></pre>\r
-</div></div>\r
</li>\r
<li>\r
<p>\r
-Then Fix All Warnings and Aborts. None Allowed.\r
+Do not start or end variable names with an underscore. This has a good\r
+ chance of conflicting with macro and/or system definitions.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Use lower case filenames with underscores.\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_uncrustify">Uncrustify</h3>\r
-<div class="paragraph"><p>Currently using uncrustify from at <a href="https://github.com/bengardner/uncrustify">https://github.com/bengardner/uncrustify</a>\r
-to reformat legacy code and anything that happens to need a makeover at\r
-some point.</p></div>\r
-<div class="paragraph"><p>The working config is crusty.cfg in the top level directory. It does well\r
-but will munge some things. Specially formatted INDENT-OFF comments were\r
-added in 2 places to avoid a real mess.</p></div>\r
-<div class="paragraph"><p>You can use uncrustify something like this:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>uncrustify -c crusty.cfg --replace file.cc</code></pre>\r
-</div></div>\r
-</div>\r
-</div>\r
-</div>\r
-<div class="sect1">\r
-<h2 id="_reference_2">Reference</h2>\r
-<div class="sectionbody">\r
-<div class="sect2">\r
-<h3 id="_terminology">Terminology</h3>\r
+<h3 id="_comments">Comments</h3>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>basic module</strong>: a module integrated into Snort that does not come from a\r
- plugin.\r
+Write comments sparingly with a mind towards future proofing. Often the\r
+ comments can be obviated with better code. Clear code is better than a\r
+ comment.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>binder</strong>: inspector that maps configuration to traffic\r
+Heed Tim Ottinger’s Rule on Comments (<a href="https://disqus.com/by/tim_ottinger/">https://disqus.com/by/tim_ottinger/</a>):\r
+</p>\r
+<div class="olist arabic"><ol class="arabic">\r
+<li>\r
+<p>\r
+Comments should only say what the code is incapable of saying.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>builtin rules</strong>: codec and inspector rules for anomalies detected\r
- internally.\r
+Comments that repeat (or pre-state) what the code is doing must be\r
+ removed.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>codec</strong>: short for coder / decoder. These plugins are used for basic\r
- protocol decoding, anomaly detection, and construction of active responses.\r
+If the code CAN say what the comment is saying, it must be changed at\r
+ least until rule #2 is in force.\r
</p>\r
</li>\r
+</ol></div>\r
+</li>\r
<li>\r
<p>\r
-<strong>data module</strong>: an adjunct configuration plugin for use with certain inspectors.\r
+Function comment blocks are generally just noise that quickly becomes\r
+ obsolete. If you absolutely must comment on parameters, put each on a\r
+ separate line along with the comment. That way changing the signature\r
+ may prompt a change to the comments too.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dynamic rules</strong>: plugin rules loaded at runtime. See SO rules.\r
+Use FIXIT (not FIXTHIS or TODO or whatever) to mark things left for a\r
+ day or even just a minute. That way we can find them easily and won’t\r
+ lose track of them.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>fast pattern</strong>: the content in an IPS rule that must be found by the\r
- search engine in order for a rule to be evaluated.\r
+Presently using FIXIT-X where X = A | W | P | H | M | L, indicating analysis,\r
+ warning, perf, high, med, or low priority. Place A and W comments on the\r
+ exact warning line so we can match up comments and build output. Supporting\r
+ comments can be added above.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>fast pattern matcher</strong>: see search engine.\r
+Put the copyright(s) and license in a comment block at the top of each\r
+ source file (.h and .cc). Don’t bother with trivial scripts and make\r
+ foo. Some interesting Lua code should get a comment block too. Copy and\r
+ paste exactly from src/main.h (don’t reformat).\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>hex</strong>: a type of protocol magic that the wizard uses to identify binary\r
- protocols.\r
+Put author, description, etc. in separate comment(s) following the\r
+ license. Do not put such comments in the middle of the license foo.\r
+ Be sure to put the author line ahead of the header guard to exclude them\r
+ from the developers guide. Use the following format, and include a\r
+ mention to the original author if this is derived work:\r
</p>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>// ips_dnp3_obj.cc author Maya Dagon <mdagon@cisco.com>\r
+// based on work by Ryan Jordan</code></pre>\r
+</div></div>\r
</li>\r
<li>\r
<p>\r
-<strong>inspector</strong>: plugin that processes packets (similar to the legacy Snort\r
- preprocessor)\r
+Each header should have a comment immediately after the header guard to\r
+ give an overview of the file so the reader knows what’s going on.\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_logging">Logging</h3>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>IPS</strong>: intrusion prevention system, like Snort.\r
+Messages intended for the user should not look like debug messages. Eg,\r
+ the function name should not be included. It is generally unhelpful to\r
+ include pointers.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>IPS action</strong>: plugin that allows you to perform custom actions when\r
- events are generated. Unlike loggers, these are invoked before\r
- thresholding and can be used to control external agents or send active\r
- responses.\r
+Most debug messages should just be deleted.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>IPS option</strong>: this plugin is the building blocks of IPS rules.\r
+Don’t bang your error messages (no !). The user feels bad enough about the\r
+ problem already w/o you shouting at him.\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_types">Types</h3>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>logger</strong>: a plugin that performs output of events and packets. Events\r
- are thresholded before reaching loggers.\r
+Use logical types to make the code clearer and to help the compiler catch\r
+ problems. typedef uint16_t Port; bool foo(Port) is way better than\r
+ int foo(int port).\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>module</strong>: the user facing portion of a Snort component. Modules chiefly\r
- provide configuration parameters, but may also provide commands, builtin\r
- rules, profiling statistics, peg counts, etc. Note that not all modules\r
- are plugins and not all plugins have modules.\r
+Use forward declarations (e.g. struct SnortConfig;) instead of void*.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>peg count</strong>: the number of times a given event or condition occurs.\r
+Try not to use extern data unless absolutely necessary and then put the\r
+ extern in an appropriate header. Exceptions for things used in exactly\r
+ one place like BaseApi pointers.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>plugin</strong>: one of several types of software components that can be loaded\r
- from a dynamic library when Snort starts up. Some plugins are coupled\r
- with the main engine in such a way that they must be built statically,\r
- but a newer version can be loaded dynamically.\r
+Use const liberally. In most cases, const char* s = "foo" should be\r
+ const char* const s = "foo". The former goes in the initialized data\r
+ section and the latter in read only data section.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>search engine</strong>: a plugin that performs multipattern searching of packets\r
- and payload to find rules that should be evaluated. There are currently\r
- no specific modules, although there are several search engine plugins.\r
- Related configuration is done with the basic detection module. Aka fast\r
- pattern matcher.\r
+But use const char s[] = "foo" instead of const char* s = "foo" when\r
+ possible. The latter form allocates a pointer variable and the data\r
+ while the former allocates only the data.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>SO rule</strong>: a IPS rule plugin that performs custom detection that can’t\r
- be done by a text rule. These rules typically do not have associated\r
- modules. SO comes from shared object, meaning dynamic library.\r
+Use static wherever possible to minimize public symbols and eliminate\r
+ unneeded relocations.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>spell</strong>: a type of protocol magic that the wizard uses to identify ASCII\r
- protocols.\r
+Declare functions virtual only in the parent class introducing the\r
+ function (not in a derived class that is overriding the function).\r
+ This makes it clear which class introduces the function.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>text rule</strong>: a rule loaded from the configuration that has a header and\r
- body. The header specifies action, protocol, source and destination IP\r
- addresses and ports, and direction. The body specifies detection and\r
- non-detection options.\r
+Declare functions as override if they are intended to override a\r
+ function. This makes it possible to find derived implementations that\r
+ didn’t get updated and therefore won’t get called due a change in the\r
+ parent signature.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>wizard</strong>: inspector that applies protocol magic to determine which\r
- inspectors should be bound to traffic absent a port specific binding.\r
- See hex and spell.\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_usage_2">Usage</h3>\r
-<div class="paragraph"><p>For the following examples "$my_path" is assumed to be the path to the\r
-Snort++ install directory. Additionally, it is assumed that "$my_path/bin"\r
-is in your PATH.</p></div>\r
-<div class="sect3">\r
-<h4 id="_environment">Environment</h4>\r
-<div class="paragraph"><p>LUA_PATH is used directly by Lua to load and run required libraries.\r
-SNORT_LUA_PATH is used by Snort to load supplemental configuration files.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>export LUA_PATH=$my_path/include/snort/lua/\?.lua\;\;\r
-export SNORT_LUA_PATH=$my_path/etc/snort</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_help_2">Help</h4>\r
-<div class="paragraph"><p>Print the help summary:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort --help</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Get help on a specific module ("stream", for example):</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort --help-module stream</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Get help on the "-A" command line option:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort --help-options A</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Grep for help on threads:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort --help-config | grep thread</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Output help on "rule" options in AsciiDoc format:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort --markup --help-options rule</code></pre>\r
-</div></div>\r
-<div class="admonitionblock">\r
-<table><tr>\r
-<td class="icon">\r
-<img src="./images/icons/note.png" alt="Note" />\r
-</td>\r
-<td class="content">Snort++ stops reading command-line options after the "--help-<strong>" and\r
-"--list-</strong>" options, so any other options should be placed before them.</td>\r
-</tr></table>\r
-</div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_sniffing_and_logging">Sniffing and Logging</h4>\r
-<div class="paragraph"><p>Read a pcap:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -r /path/to/my.pcap</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Dump the packets to stdout:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -r /path/to/my.pcap -L dump</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Dump packets with application data and layer 2 headers</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -r /path/to/my.pcap -L dump -d -e</code></pre>\r
-</div></div>\r
-<div class="admonitionblock">\r
-<table><tr>\r
-<td class="icon">\r
-<img src="./images/icons/note.png" alt="Note" />\r
-</td>\r
-<td class="content">Command line options must be specified separately. "snort -de" won’t\r
-work. You can still concatenate options and their arguments, however, so\r
-"snort -Ldump" will work.</td>\r
-</tr></table>\r
-</div>\r
-<div class="paragraph"><p>Dump packets from all pcaps in a directory:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap' -L dump -d -e</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Log packets to a directory:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap' -L dump -l /path/to/log/dir</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_configuration_2">Configuration</h4>\r
-<div class="paragraph"><p>Validate a configuration file:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Validate a configuration file and a separate rules file:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Read rules from stdin and validate:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua --stdin-rules < $my_path/etc/snort/sample.rules</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Enable warnings for Lua configurations and make warnings fatal:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua --warn-all --pedantic</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Tell Snort++ where to look for additional Lua scripts:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort --script-path /path/to/script/dir</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_ids_mode">IDS mode</h4>\r
-<div class="paragraph"><p>Run Snort++ in IDS mode, reading packets from a pcap:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Log any generated alerts to the console using the "-A" option:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A alert_full</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Add or modify a configuration from the command line using the "--lua" option:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A cmg \\r
- --lua 'ips = { enable_builtin_rules = true }'</code></pre>\r
-</div></div>\r
-<div class="admonitionblock">\r
-<table><tr>\r
-<td class="icon">\r
-<img src="./images/icons/note.png" alt="Note" />\r
-</td>\r
-<td class="content">The "--lua" option can be specified multiple times.</td>\r
-</tr></table>\r
-</div>\r
-<div class="paragraph"><p>Run Snort++ in IDS mode on an entire directory of pcaps, processing each\r
-input source on a separate thread:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua --pcap-dir /path/to/pcap/dir \\r
- --pcap-filter '*.pcap' --max-packet-threads 8</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Run Snort++ on 2 interfaces, eth0 and eth1:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua -i "eth0 eth1" -z 2 -A cmg</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Run Snort++ inline with the afpacket DAQ:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua --daq afpacket -i "eth0:eth1" \\r
- -A cmg</code></pre>\r
-</div></div>\r
-</div>\r
+Use bool functions instead of int unless there is truly a need for\r
+ multiple error returns. The C-style use of zero for success and -1 for\r
+ error is less readable and often leads to messy code that either ignores\r
+ the various errors anyway or needlessly and ineffectively tries to do\r
+ something aobut them. Generally that code is not updated if new errors\r
+ are added.\r
+</p>\r
+</li>\r
+</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_plugins_2">Plugins</h3>\r
-<div class="paragraph"><p>Load external plugins and use the "ex" alert:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua \\r
- --plugin-path $my_path/lib/snort_extra \\r
- -A alert_ex -r /path/to/my.pcap</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Test the LuaJIT rule option <em>find</em> loaded from stdin:</p></div>\r
+<h3 id="_macros_aka_defines">Macros (aka defines)</h3>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+In many cases, even in C++, use #define name "value" instead of a\r
+ const char* const name = "value" because it will eliminate a symbol from\r
+ the binary.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Use inline functions instead of macros where possible (pretty much all\r
+ cases except where stringification is necessary). Functions offer better\r
+ typing, avoid re-expansions, and a debugger can break there.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+All macros except simple const values should be wrapped in () and all\r
+ args should be wrapped in () too to avoid surprises upon expansion.\r
+ Example:\r
+</p>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua \\r
- --script-path $my_path/lib/snort_extra \\r
- --stdin-rules -A cmg -r /path/to/my.pcap << END\r
-alert tcp any any -> any 80 (\r
- sid:3; msg:"found"; content:"GET";\r
- find:"pat='HTTP/1%.%d'" ; )\r
-END</code></pre>\r
+<pre><code>#define SEQ_LT(a,b) ((int)((a) - (b)) < 0)</code></pre>\r
</div></div>\r
+</li>\r
+<li>\r
+<p>\r
+Multiline macros should be blocked (i.e. inside { }) to avoid if-else type\r
+ surprises.\r
+</p>\r
+</li>\r
+</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_output_files">Output Files</h3>\r
-<div class="paragraph"><p>To make it simple to configure outputs when you run with multiple packet\r
-threads, output files are not explicitly configured. Instead, you can use\r
-the options below to format the paths:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code><logdir>/[<run_prefix>][<id#>][<X>]<name></code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Log to unified in the current directory:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A unified2</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Log to unified in the current directory with a different prefix:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A unified2 \\r
- --run-prefix take2</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Log to unified in /tmp:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A unified2 -l /tmp</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Run 4 packet threads and log with thread number prefix (0-3):</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua --pcap-dir /path/to/pcap/dir \\r
- --pcap-filter '*.pcap' -z 4 -A unified2</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Run 4 packet threads and log in thread number subdirs (0-3):</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua --pcap-dir /path/to/pcap/dir \\r
- --pcap-filter '*.pcap' -z 4 -A unified2 --id-subdir</code></pre>\r
-</div></div>\r
-<div class="admonitionblock">\r
-<table><tr>\r
-<td class="icon">\r
-<img src="./images/icons/note.png" alt="Note" />\r
-</td>\r
-<td class="content">subdirectories are created automatically if required. Log filename\r
-is based on module name that writes the file. All text mode outputs\r
-default to stdout. These options can be combined.</td>\r
-</tr></table>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_daq_alternatives">DAQ Alternatives</h4>\r
-<div class="paragraph"><p>Process hext packets from stdin:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua \\r
- --daq-dir $my_path/lib/snort/daqs --daq hext -i tty << END\r
-$packet 10.1.2.3 48620 -> 10.9.8.7 80\r
-"GET / HTTP/1.1\r\n"\r
-"Host: localhost\r\n"\r
-"\r\n"\r
-END</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Process raw ethernet from hext file:</p></div>\r
+<h3 id="_formatting">Formatting</h3>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+Try to keep all source files under 2500 lines. 3000 is the max allowed.\r
+ If you need more lines, chances are that the code needs to be refactored.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Indent 4 space chars … no tabs!\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+If you need to indent many times, something could be rewritten or\r
+ restructured to make it clearer. Fewer indents is generally easier to\r
+ write, easier to read, and overall better code.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Braces go on the line immediately following a new scope (function\r
+ signature, if, else, loop, switch, etc.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Use consistent spacing and line breaks. Always indent 4 spaces from the\r
+ breaking line. Keep lines less than 100 chars; it greatly helps\r
+ readability.\r
+</p>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua \\r
- --daq-dir $my_path/lib/snort/daqs --daq hext \\r
- --daq-var dlt=1 -r <hext-file></code></pre>\r
+<pre><code>No:\r
+ calling_a_func_with_a_long_name(arg1,\r
+ arg2,\r
+ arg3);</code></pre>\r
</div></div>\r
-<div class="paragraph"><p>Process a directory of plain files (ie non-pcap) with 4 threads with 8K\r
-buffers:</p></div>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua \\r
- --daq-dir $my_path/lib/snort/daqs --daq file \\r
- --pcap-dir path/to/files -z 4 -s 8192</code></pre>\r
+<pre><code>Yes:\r
+ calling_a_func_with_a_long_name(\r
+ arg1, arg2, arg3);</code></pre>\r
</div></div>\r
-<div class="paragraph"><p>Bridge two TCP connections on port 8000 and inspect the traffic:</p></div>\r
+</li>\r
+<li>\r
+<p>\r
+Put function signature on one line, except when breaking for the arg\r
+ list:\r
+</p>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua \\r
- --daq-dir $my_path/lib/snort/daqs --daq socket</code></pre>\r
+<pre><code>No:\r
+ inline\r
+ bool foo()\r
+ { // ...</code></pre>\r
</div></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_logger_alternatives">Logger Alternatives</h4>\r
-<div class="paragraph"><p>Dump TCP stream payload in hext mode:</p></div>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua -L hext</code></pre>\r
+<pre><code>Yes:\r
+ inline bool foo()\r
+ { // ...</code></pre>\r
</div></div>\r
-<div class="paragraph"><p>Output timestamp, pkt_num, proto, pkt_gen, dgm_len, dir, src_ap, dst_ap,\r
-rule, action for each alert:</p></div>\r
+</li>\r
+<li>\r
+<p>\r
+Put conditional code on the line following the if so it is easy to break\r
+ on the conditional block:\r
+</p>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua -A csv</code></pre>\r
+<pre><code>No:\r
+ if ( test ) foo();</code></pre>\r
</div></div>\r
-<div class="paragraph"><p>Output the old test format alerts:</p></div>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua \\r
- --lua "alert_csv = { fields = 'pkt_num gid sid rev', separator = '\t' }"</code></pre>\r
+<pre><code>Yes:\r
+ if ( test )\r
+ foo();</code></pre>\r
</div></div>\r
+</li>\r
+</ul></div>\r
</div>\r
-<div class="sect3">\r
-<h4 id="_shell">Shell</h4>\r
-<div class="paragraph"><p>You must build with --enable-shell to make the command line shell available.</p></div>\r
-<div class="paragraph"><p>Enable shell mode:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort --shell <args></code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>You will see the shell mode command prompt, which looks like this:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>o")~</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>(The prompt can be changed with the SNORT_PROMPT environment variable.)</p></div>\r
-<div class="paragraph"><p>You can pause immediately after loading the configuration and again before\r
-exiting with:</p></div>\r
+<div class="sect2">\r
+<h3 id="_headers">Headers</h3>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+Don’t hesitate to create a new header if it is needed. Don’t lump\r
+ unrelated stuff into an header because it is convenient.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Write header guards like this (leading underscores are reserved for\r
+ system stuff). In my_header.h:\r
+</p>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>snort --shell --pause <args></code></pre>\r
+<pre><code>#ifndef MY_HEADER_H\r
+#define MY_HEADER_H\r
+// ...\r
+#endif</code></pre>\r
</div></div>\r
-<div class="paragraph"><p>In that case you must issue the resume() command to continue. Enter quit()\r
-to terminate Snort or detach() to exit the shell. You can list the\r
-available commands with help().</p></div>\r
-<div class="paragraph"><p>To enable local telnet access on port 12345:</p></div>\r
+</li>\r
+<li>\r
+<p>\r
+Includes from a different directory should specify parent directory.\r
+ This makes it clear exactly what is included and avoids the primordial\r
+ soup that results from using -I this -I that -I the_other_thing … .\r
+</p>\r
<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort --shell -j 12345 <args></code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The command line interface is still under development. Suggestions are\r
-welcome.</p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_signals">Signals</h4>\r
-<div class="admonitionblock">\r
-<table><tr>\r
-<td class="icon">\r
-<img src="./images/icons/note.png" alt="Note" />\r
-</td>\r
-<td class="content">The following examples assume that Snort++ is currently running and\r
-has a process ID of <pid>.</td>\r
-</tr></table>\r
-</div>\r
-<div class="paragraph"><p>Modify and Reload Configuration:</p></div>\r
+<div class="content">\r
+<pre><code>// given:\r
+src/foo/foo.cc\r
+src/bar/bar.cc\r
+src/bar/baz.cc</code></pre>\r
+</div></div>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>echo 'suppress = { { gid = 1, sid = 2215 } }' >> $my_path/etc/snort/snort.lua\r
-kill -hup <pid></code></pre>\r
+<pre><code>// in baz.cc\r
+#include "bar.h"</code></pre>\r
</div></div>\r
-<div class="paragraph"><p>Dump stats to stdout:</p></div>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>kill -usr1 <pid></code></pre>\r
+<pre><code>// in foo.cc\r
+#include "bar/bar.h"</code></pre>\r
</div></div>\r
-<div class="paragraph"><p>Shutdown normally:</p></div>\r
+</li>\r
+<li>\r
+<p>\r
+Includes within installed headers should specify parent directory.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Just because it is a #define doesn’t mean it goes in a header.\r
+ Everything should be scoped as tightly as possible. Shared\r
+ implementation declarations should go in a separate header from the\r
+ interface. And so on.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+A .cc should include its own .h before any others (including\r
+ system headers). This ensures that the header stands on its own and can\r
+ be used by clients without include prerequisites and the developer will\r
+ be the first to find a dependency problem.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Include required headers, all required headers, and nothing but required\r
+ headers. Don’t just clone a bunch of headers because it is convenient.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Try to keep includes in alpha order. This makes it easier to maintain,\r
+ avoid duplicates, etc.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Any file depending on #ifdefs should include config.h as shown below. A\r
+ .h should include it before any other includes, and a .cc should include\r
+ it immediately after the include of its own .h.\r
+</p>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>kill -term <pid></code></pre>\r
+<pre><code>#ifdef HAVE_CONFIG_H\r
+#include "config.h"\r
+#endif</code></pre>\r
</div></div>\r
-<div class="paragraph"><p>Exit without flushing packets:</p></div>\r
+</li>\r
+<li>\r
+<p>\r
+Do not put using statements in headers unless they are tightly scoped.\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_warnings">Warnings</h3>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+With g++, use at least these compiler flags:\r
+</p>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>kill -quit <pid></code></pre>\r
+<pre><code>-Wall -Wextra -pedantic -Wformat -Wformat-security\r
+-Wunused-but-set-variable -Wno-deprecated-declarations\r
+-fsanitize=address -fno-omit-frame-pointer</code></pre>\r
</div></div>\r
-<div class="paragraph"><p>List available signals:</p></div>\r
+</li>\r
+<li>\r
+<p>\r
+With clang, use at least these compiler flags:\r
+</p>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>snort --help-signals</code></pre>\r
+<pre><code>-Wall -Wextra -pedantic -Wformat -Wformat-security\r
+-Wno-deprecated-declarations\r
+-fsanitize=address -fno-omit-frame-pointer</code></pre>\r
+</div></div>\r
+</li>\r
+<li>\r
+<p>\r
+Two macros (PADDING_GUARD_BEGIN and PADDING_GUARD_END) are provided by\r
+ utils/cpp_macros.h. These should be used to surround any structure used as\r
+ a hash key with a raw comparator or that would otherwise suffer from\r
+ unintentional padding. A compiler warning will be generated if any structure\r
+ definition is automatically padded between the macro invocations.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Then Fix All Warnings and Aborts. None Allowed.\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_uncrustify">Uncrustify</h3>\r
+<div class="paragraph"><p>Currently using uncrustify from at <a href="https://github.com/bengardner/uncrustify">https://github.com/bengardner/uncrustify</a>\r
+to reformat legacy code and anything that happens to need a makeover at\r
+some point.</p></div>\r
+<div class="paragraph"><p>The working config is crusty.cfg in the top level directory. It does well\r
+but will munge some things. Specially formatted INDENT-OFF comments were\r
+added in 2 places to avoid a real mess.</p></div>\r
+<div class="paragraph"><p>You can use uncrustify something like this:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>uncrustify -c crusty.cfg --replace file.cc</code></pre>\r
</div></div>\r
-<div class="admonitionblock">\r
-<table><tr>\r
-<td class="icon">\r
-<img src="./images/icons/note.png" alt="Note" />\r
-</td>\r
-<td class="content">The available signals may vary from platform to platform.</td>\r
-</tr></table>\r
</div>\r
</div>\r
</div>\r
+<div class="sect1">\r
+<h2 id="_reference_2">Reference</h2>\r
+<div class="sectionbody">\r
<div class="sect2">\r
<h3 id="_build_options_2">Build Options</h3>\r
<div class="paragraph"><p>The options listed below must be explicitly enabled so they are built\r
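Review bot: the two flag lists under the new Warnings heading ("-fsanitize=address -fno-omit-frame-pointer" for both g++ and clang) should say which build type they apply to: the text says "use at least these compiler flags", but AddressSanitizer is runtime instrumentation that adds substantial memory and CPU overhead and aborts the process on a detected error, so it belongs to development and CI builds, not to a release build; suggest splitting the list into warning flags (always) and sanitizer flags (debug/CI only). The Logging bullet that calls pointers in user-facing messages "generally unhelpful" could also give the security reason, since printing pointer values discloses address-space layout that ASLR is meant to hide. Minor wording slips introduced with the text: "aobut" in the bool-vs-int bullet; the Formatting bullet "Braces go on the line immediately following a new scope (function signature, if, else, loop, switch, etc." is missing its closing parenthesis; "into an header" in the Headers section; "from at" in the Uncrustify paragraph; and "the middle of the license foo" reads like placeholder wording.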
</li>\r
<li>\r
<p>\r
-<strong>--warn-rules</strong> warn about duplicate rules and rule parsing issues\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--warn-scripts</strong> warn about issues discovered while processing Lua scripts\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--warn-symbols</strong> warn about unknown symbols in your Lua config\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--warn-vars</strong> warn about variable definition and usage issues\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-W</strong> lists available interfaces\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--x2c</strong> output ASCII char for given hex (see also --c2x)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--x2s</strong> output ASCII string for given byte code (see also --x2c)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-X</strong> dump the raw packet data starting at the link layer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-x</strong> same as --pedantic\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-y</strong> include year in timestamp in the alert and log files\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-z</strong> <count> maximum number of packet threads (same as --max-packet-threads); 0 gets the number of CPU cores reported by the system; default is 1 (0:)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_parameters">Parameters</h3>\r
-<div class="paragraph"><p>Parameters are given with this format:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>type name = default: help { range }</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The following types are used:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>addr</strong>: any valid IP4 or IP6 address or CIDR\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>addr_list</strong>: a space separated list of addr values\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>bit_list</strong>: a list of consecutive integer values from 1 to the range\r
- maximum\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>bool</strong>: true or false\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dynamic</strong>: a select type determined by loaded plugins\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>enum</strong>: a string selected from the given range\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>implied</strong>: an IPS rule option that takes no value but means true\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>int</strong>: a whole number in the given range\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ip4</strong>: an IP4 address or CIDR\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>mac</strong>: an ethernet address with the form 01:02:03:04:05:06\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>multi</strong>: one or more space separated strings from the given range\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>port</strong>: an int in the range 0:65535 indicating a TCP or UDP port number\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>real</strong>: a real number in the given range\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>select</strong>: a string selected from the given range\r
+<strong>--warn-rules</strong> warn about duplicate rules and rule parsing issues\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>string</strong>: any string with no more than the given length, if any\r
+<strong>--warn-scripts</strong> warn about issues discovered while processing Lua scripts\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>The parameter name may be adorned in various ways to indicate additional\r
-information about the type and use of the parameter:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-For Lua configuration (not IPS rules), if the name ends with [] it is\r
- a list item and can be repeated.\r
+<strong>--warn-symbols</strong> warn about unknown symbols in your Lua config\r
</p>\r
</li>\r
<li>\r
<p>\r
-For IPS rules only, names starting with ~ indicate positional\r
- parameters. The names of such parameters do not appear in the rule.\r
+<strong>--warn-vars</strong> warn about variable definition and usage issues\r
</p>\r
</li>\r
<li>\r
<p>\r
-IPS rules may also have a wild card parameter, which is indicated by a\r
- *. Only used for metadata that Snort ignores.\r
+<strong>-W</strong> lists available interfaces\r
</p>\r
</li>\r
<li>\r
<p>\r
-The snort module has command line options starting with a -.\r
+<strong>--x2c</strong> output ASCII char for given hex (see also --c2x)\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Some additional details to note:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-Table and variable names are case sensitive; use lower case only.\r
+<strong>--x2s</strong> output ASCII string for given byte code (see also --x2c)\r
</p>\r
</li>\r
<li>\r
<p>\r
-String values are case sensitive too; use lower case only.\r
+<strong>-X</strong> dump the raw packet data starting at the link layer\r
</p>\r
</li>\r
<li>\r
<p>\r
-Numeric ranges may be of the form low:high where low and high are\r
- bounds included in the range. If either is omitted, there is no hard\r
- bound. E.g. 0: means any x where x >= 0.\r
+<strong>-x</strong> same as --pedantic\r
</p>\r
</li>\r
<li>\r
<p>\r
-Strings may have a numeric range indicating a length limit; otherwise\r
- there is no hard limit.\r
+<strong>-y</strong> include year in timestamp in the alert and log files\r
</p>\r
</li>\r
<li>\r
<p>\r
-bit_list is typically used to store a set of byte, port, or VLAN ID\r
- values.\r
+<strong>-z</strong> <count> maximum number of packet threads (same as --max-packet-threads); 0 gets the number of CPU cores reported by the system; default is 1 (0:)\r
</p>\r
</li>\r
</ul></div>\r
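Review bot: the removed bullets in this hunk (the name[] list-item convention for Lua config, ~ positional parameters and the * wild card for IPS rules, case sensitivity of table, variable and string values, the low:high range syntax, string length limits, and the bit_list type) are the only explanation of the configuration conventions, and the lines replacing them are command line options; confirm these notes are re-added elsewhere in the manual rather than dropped. Also, the added -z line writes its range as "(0:)" while every other entry in this reference uses the "{ 0: }" form; use the same form so the reference stays machine-consistent.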
</li>\r
<li>\r
<p>\r
-int <strong>alerts.detection_filter_memcap</strong> = 1048576: set available memory for filters { 0: }\r
+int <strong>alerts.detection_filter_memcap</strong> = 1048576: set available bytes of memory for detection_filters { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>alerts.event_filter_memcap</strong> = 1048576: set available memory for filters { 0: }\r
+int <strong>alerts.event_filter_memcap</strong> = 1048576: set available bytes of memory for event_filters { 0: }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>alerts.rate_filter_memcap</strong> = 1048576: set available memory for filters { 0: }\r
+int <strong>alerts.rate_filter_memcap</strong> = 1048576: set available bytes of memory for rate_filters { 0: }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>appid.app_detector_dir</strong>: directory to load AppId detectors from\r
+string <strong>appid.app_detector_dir</strong>: directory to load appid detectors from\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>appid.app_stats_period</strong> = 300: time period for collecting and logging AppId statistics { 0: }\r
+int <strong>appid.app_stats_period</strong> = 300: time period for collecting and logging appid statistics { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>appid.app_stats_rollover_size</strong> = 20971520: max file size for AppId stats before rolling over the log file { 0: }\r
+int <strong>appid.app_stats_rollover_size</strong> = 20971520: max file size for appid stats before rolling over the log file { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>appid.app_stats_rollover_time</strong> = 86400: max time period for collection AppId stats before rolling over the log file { 0: }\r
+int <strong>appid.app_stats_rollover_time</strong> = 86400: max time period for collection appid stats before rolling over the log file { 0: }\r
</p>\r
</li>\r
<li>\r
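Review bot: the appid.app_stats_rollover_time line at the end of this hunk only lowercases "AppId" and keeps the wording "max time period for collection appid stats"; since the line is being touched anyway, change it to "for collecting appid stats" so it reads correctly and matches the app_stats_period entry above.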
</li>\r
<li>\r
<p>\r
-bool <strong>appid.debug</strong> = false: enable AppId debug logging\r
+bool <strong>appid.debug</strong> = false: enable appid debug logging\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>appid.dump_ports</strong> = false: enable dump of AppId port information\r
+bool <strong>appid.dump_ports</strong> = false: enable dump of appid port information\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>appid.log_stats</strong> = false: enable logging of AppId statistics\r
+bool <strong>appid.log_stats</strong> = false: enable logging of appid statistics\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>appid.memcap</strong> = 268435456: time period for collecting and logging AppId statistics { 1048576:3221225472 }\r
+int <strong>appid.memcap</strong> = 0: disregard - not implemented { 0: }\r
</p>\r
</li>\r
<li>\r
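Review bot: appid.memcap is now described as "disregard - not implemented" with default 0 and range "{ 0: }", replacing a description that was a copy of the app_stats_period text and a range of "{ 1048576:3221225472 }". Telling the reader to disregard a parameter in the reference is confusing: either drop the entry from the generated documentation or state plainly that the value is accepted but has no effect, and call out that the documented range has been widened from a 1 MiB minimum to 0.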
</li>\r
<li>\r
<p>\r
-string <strong>appid.thirdparty_appid_dir</strong>: directory to load thirdparty AppId detectors from\r
+string <strong>appid.thirdparty_appid_dir</strong>: directory to load thirdparty appid detectors from\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>asn1.absolute_offset</strong>: Absolute offset from the beginning of the packet. { 0: }\r
+int <strong>asn1.absolute_offset</strong>: absolute offset from the beginning of the packet { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>asn1.bitstring_overflow</strong>: Detects invalid bitstring encodings that are known to be remotely exploitable.\r
+implied <strong>asn1.bitstring_overflow</strong>: detects invalid bitstring encodings that are known to be remotely exploitable\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>asn1.double_overflow</strong>: Detects a double ASCII encoding that is larger than a standard buffer.\r
+implied <strong>asn1.double_overflow</strong>: detects a double ASCII encoding that is larger than a standard buffer\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>asn1.oversize_length</strong>: Compares ASN.1 type lengths with the supplied argument. { 0: }\r
+int <strong>asn1.oversize_length</strong>: compares ASN.1 type lengths with the supplied argument { 0: }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>asn1.relative_offset</strong>: relative offset from the cursor.\r
+int <strong>asn1.relative_offset</strong>: relative offset from the cursor\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>base64_decode.bytes</strong>: Number of base64 encoded bytes to decode. { 1: }\r
+int <strong>base64_decode.bytes</strong>: number of base64 encoded bytes to decode { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>base64_decode.offset</strong> = 0: Bytes past start of buffer to start decoding. { 0: }\r
+int <strong>base64_decode.offset</strong> = 0: bytes past start of buffer to start decoding { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>base64_decode.relative</strong>: Apply offset to cursor instead of start of buffer.\r
+implied <strong>base64_decode.relative</strong>: apply offset to cursor instead of start of buffer\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_cookie.request</strong>: Match against the cookie from the request message even when examining the response\r
+implied <strong>http_cookie.request</strong>: match against the cookie from the request message even when examining the response\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_cookie.with_body</strong>: Parts of this rule examine HTTP message body\r
+implied <strong>http_cookie.with_body</strong>: parts of this rule examine HTTP message body\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_cookie.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
+implied <strong>http_cookie.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>http_header.field</strong>: Restrict to given header. Header name is case insensitive.\r
+string <strong>http_header.field</strong>: restrict to given header. Header name is case insensitive.\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_header.request</strong>: Match against the headers from the request message even when examining the response\r
+implied <strong>http_header.request</strong>: match against the headers from the request message even when examining the response\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_header.with_body</strong>: Parts of this rule examine HTTP message body\r
+implied <strong>http_header.with_body</strong>: parts of this rule examine HTTP message body\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_header.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
+implied <strong>http_header.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
<li>\r
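Review bot: the http_header.field line in the middle of this hunk now reads "restrict to given header. Header name is case insensitive.", which lowercases the first sentence but keeps a capitalised second sentence and trailing periods, while every other description in the hunk drops its period; rewrite it as "restrict to given header (header name is case insensitive)" to match.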
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.normalize_utf</strong> = true: normalize charset utf encodings\r
+int <strong>http_inspect.max_javascript_whitespaces</strong> = 200: maximum consecutive whitespaces allowed within the Javascript obfuscated data { 1:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>http_inspect.normalize_javascript</strong> = false: normalize javascript in response bodies\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>http_inspect.normalize_utf</strong> = true: normalize charset utf encodings in response bodies\r
</p>\r
</li>\r
<li>\r
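Review bot: the two new http_inspect entries are inconsistent with each other: max_javascript_whitespaces says "Javascript obfuscated data" while normalize_javascript says "normalize javascript"; pick one spelling (the rest of the reference is lower case) and use "whitespace" rather than "whitespaces". The max_javascript_whitespaces description also only says what is allowed within the "{ 1:65535 }" range; it should say what happens when the limit is exceeded (for example whether an event is raised or normalization stops), since that is what an operator tuning the value needs to know.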
</li>\r
<li>\r
<p>\r
-implied <strong>http_method.with_body</strong>: Parts of this rule examine HTTP message body\r
+implied <strong>http_method.with_body</strong>: parts of this rule examine HTTP message body\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_method.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
+implied <strong>http_method.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_raw_cookie.request</strong>: Match against the cookie from the request message even when examining the response\r
+implied <strong>http_raw_cookie.request</strong>: match against the cookie from the request message even when examining the response\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_raw_cookie.with_body</strong>: Parts of this rule examine HTTP message body\r
+implied <strong>http_raw_cookie.with_body</strong>: parts of this rule examine HTTP message body\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_raw_cookie.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
+implied <strong>http_raw_cookie.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_raw_header.request</strong>: Match against the headers from the request message even when examining the response\r
+implied <strong>http_raw_header.request</strong>: match against the headers from the request message even when examining the response\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_raw_header.with_body</strong>: Parts of this rule examine HTTP message body\r
+implied <strong>http_raw_header.with_body</strong>: parts of this rule examine HTTP message body\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_raw_header.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
+implied <strong>http_raw_header.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_raw_request.with_body</strong>: Parts of this rule examine HTTP message body\r
+implied <strong>http_raw_request.with_body</strong>: parts of this rule examine HTTP message body\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_raw_request.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
+implied <strong>http_raw_request.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_raw_status.with_body</strong>: Parts of this rule examine HTTP message body\r
+implied <strong>http_raw_status.with_body</strong>: parts of this rule examine HTTP message body\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_raw_status.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
+implied <strong>http_raw_status.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_raw_trailer.request</strong>: Match against the trailers from the request message even when examining the response\r
+implied <strong>http_raw_trailer.request</strong>: match against the trailers from the request message even when examining the response\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_raw_trailer.with_body</strong>: Parts of this rule examine HTTP response message body (must be combined with request)\r
+implied <strong>http_raw_trailer.with_body</strong>: parts of this rule examine HTTP response message body (must be combined with request)\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_raw_trailer.with_header</strong>: Parts of this rule examine HTTP response message headers (must be combined with request)\r
+implied <strong>http_raw_trailer.with_header</strong>: parts of this rule examine HTTP response message headers (must be combined with request)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_raw_uri.with_body</strong>: Parts of this rule examine HTTP message body\r
+implied <strong>http_raw_uri.with_body</strong>: parts of this rule examine HTTP message body\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_raw_uri.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
+implied <strong>http_raw_uri.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_stat_code.with_body</strong>: Parts of this rule examine HTTP message body\r
+implied <strong>http_stat_code.with_body</strong>: parts of this rule examine HTTP message body\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_stat_code.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
+implied <strong>http_stat_code.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_stat_msg.with_body</strong>: Parts of this rule examine HTTP message body\r
+implied <strong>http_stat_msg.with_body</strong>: parts of this rule examine HTTP message body\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_stat_msg.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
+implied <strong>http_stat_msg.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_trailer.request</strong>: Match against the trailers from the request message even when examining the response\r
+implied <strong>http_trailer.request</strong>: match against the trailers from the request message even when examining the response\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_trailer.with_body</strong>: Parts of this rule examine HTTP message body (must be combined with request)\r
+implied <strong>http_trailer.with_body</strong>: parts of this rule examine HTTP message body (must be combined with request)\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_trailer.with_header</strong>: Parts of this rule examine HTTP response message headers (must be combined with request)\r
+implied <strong>http_trailer.with_header</strong>: parts of this rule examine HTTP response message headers (must be combined with request)\r
</p>\r
</li>\r
<li>\r
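Review bot: http_trailer.with_body in this hunk reads "examine HTTP message body (must be combined with request)", but the parallel http_raw_trailer.with_body earlier in this patch reads "examine HTTP response message body (must be combined with request)", and http_trailer.with_header right below says "HTTP response message headers"; the raw and non-raw trailer options should use identical wording, so either add "response" here or remove it there.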
</li>\r
<li>\r
<p>\r
-implied <strong>http_uri.with_body</strong>: Parts of this rule examine HTTP message body\r
+implied <strong>http_uri.with_body</strong>: parts of this rule examine HTTP message body\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_uri.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
+implied <strong>http_uri.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_version.request</strong>: Match against the version from the request message even when examining the response\r
+implied <strong>http_version.request</strong>: match against the version from the request message even when examining the response\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_version.with_body</strong>: Parts of this rule examine HTTP message body\r
+implied <strong>http_version.with_body</strong>: parts of this rule examine HTTP message body\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>http_version.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
+implied <strong>http_version.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>imap.b64_decode_depth</strong> = 1460: base64 decoding depth { -1:65535 }\r
+int <strong>imap.b64_decode_depth</strong> = 1460: base64 decoding depth { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>imap.bitenc_decode_depth</strong> = 1460: Non-Encoded MIME attachment extraction depth { -1:65535 }\r
+int <strong>imap.bitenc_decode_depth</strong> = 1460: non-Encoded MIME attachment extraction depth { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>imap.qp_decode_depth</strong> = 1460: Quoted Printable decoding depth { -1:65535 }\r
+int <strong>imap.qp_decode_depth</strong> = 1460: quoted Printable decoding depth { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>imap.uu_decode_depth</strong> = 1460: Unix-to-Unix decoding depth { -1:65535 }\r
+int <strong>imap.uu_decode_depth</strong> = 1460: Unix-to-Unix decoding depth { -1:65535 }\r
</p>\r
</li>\r
<li>\r
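Review bot: mechanically lowercasing the first letter has produced "non-Encoded MIME attachment extraction depth" and "quoted Printable decoding depth" in this hunk; write "non-encoded" and "quoted-printable" instead. The imap.b64_decode_depth and imap.uu_decode_depth lines appear as -/+ pairs with identical visible text, so they look like whitespace-only changes; if so, leave them out to keep the diff focused on real wording changes.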
</li>\r
<li>\r
<p>\r
-int <strong>network.layers</strong> = 40: The maximum number of protocols that Snort can correctly decode { 3:255 }\r
+int <strong>network.layers</strong> = 40: the maximum number of protocols that Snort can correctly decode { 3:255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>network.max_ip6_extensions</strong> = 0: The number of IP6 options Snort will process for a given IPv6 layer. If this limit is hit, rule 116:456 may fire. 0 = unlimited { 0:255 }\r
+int <strong>network.max_ip6_extensions</strong> = 0: the maximum number of IP6 options Snort will process for a given IPv6 layer before raising 116:456 (0 = unlimited) { 0:255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>network.max_ip_layers</strong> = 0: The maximum number of IP layers Snort will process for a given packet If this limit is hit, rule 116:293 may fire. 0 = unlimited { 0:255 }\r
+int <strong>network.max_ip_layers</strong> = 0: the maximum number of IP layers Snort will process for a given packet before raising 116:293 (0 = unlimited) { 0:255 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>output.obfuscate_pii</strong> = false: Mask all but the last 4 characters of credit card and social security numbers\r
+bool <strong>output.obfuscate_pii</strong> = false: mask all but the last 4 characters of credit card and social security numbers\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>perf_monitor.flow_ip_memcap</strong> = 52428800: maximum memory for flow tracking { 8200: }\r
+int <strong>perf_monitor.flow_ip_memcap</strong> = 52428800: maximum memory in bytes for flow tracking { 8200: }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-enum <strong>perf_monitor.format</strong> = csv: Output format for stats { csv | text }\r
+enum <strong>perf_monitor.format</strong> = csv: output format for stats { csv | text }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-enum <strong>perf_monitor.output</strong> = file: Output location for stats { file | console }\r
+enum <strong>perf_monitor.output</strong> = file: output location for stats { file | console }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>perf_monitor.summary</strong> = false: Output summary at shutdown\r
+bool <strong>perf_monitor.summary</strong> = false: output summary at shutdown\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>port_scan_global.memcap</strong> = 1048576: maximum tracker memory { 1: }\r
+int <strong>port_scan_global.memcap</strong> = 1048576: maximum tracker memory in bytes { 1: }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>reputation.memcap</strong> = 500: maximum total memory allocated { 1:4095 }\r
+int <strong>reputation.memcap</strong> = 500: maximum total MB of memory allocated { 1:4095 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+multi <strong>wizard.curses</strong>: enable service identification based on internal algorithm { dce_smb | dce_udp | dce_tcp }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
bool <strong>wizard.hexes[].client_first</strong> = true: which end initiates data transfer\r
</p>\r
</li>\r
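Review bot: the new wizard.curses entry says "enable service identification based on internal algorithm", which tells the reader nothing about what a curse is or how it differs from the hexes entries that follow. The allowed values "{ dce_smb | dce_udp | dce_tcp }" suggest it is a list of built-in protocol detectors to enable; say that, and state whether any are enabled by default, since a multi parameter with no stated default reads as "none".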
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>appid.aim_clients</strong>: count of aim clients discovered by appid\r
+<strong>appid.aim clients</strong>: count of aim clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.battlefield_flows</strong>: count of battle field flows discovered by appid\r
+<strong>appid.battlefield flows</strong>: count of battle field flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.bgp_flows</strong>: count of bgp flows discovered by appid\r
+<strong>appid.bgp flows</strong>: count of bgp flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.bit_clients</strong>: count of bittorrent clients discovered by appid\r
+<strong>appid.bit clients</strong>: count of bittorrent clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.bit_flows</strong>: count of bittorrent flows discovered by appid\r
+<strong>appid.bit flows</strong>: count of bittorrent flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.bittracker_clients</strong>: count of bittorrent tracker clients discovered by appid\r
+<strong>appid.bittracker clients</strong>: count of bittorrent tracker clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.bootp_flows</strong>: count of bootp flows discovered by appid\r
+<strong>appid.bootp flows</strong>: count of bootp flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.dcerpc_tcp_flows</strong>: count of dce rpc flows over tcp discovered by appid\r
+<strong>appid.dcerpc tcp flows</strong>: count of dce rpc flows over tcp discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.dcerpc_udp_flows</strong>: count of dce rpc flows over udp discovered by appid\r
+<strong>appid.dcerpc udp flows</strong>: count of dce rpc flows over udp discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.direct_connect_flows</strong>: count of direct connect flows discovered by appid\r
+<strong>appid.direct connect flows</strong>: count of direct connect flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.dns_tcp_flows</strong>: count of dns flows over tcp discovered by appid\r
+<strong>appid.dns tcp flows</strong>: count of dns flows over tcp discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.dns_udp_flows</strong>: count of dns flows over udp discovered by appid\r
+<strong>appid.dns udp flows</strong>: count of dns flows over udp discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.ftp_flows</strong>: count of ftp flows discovered by appid\r
+<strong>appid.ftp flows</strong>: count of ftp flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.ftps_flows</strong>: count of ftps flows discovered by appid\r
+<strong>appid.ftps flows</strong>: count of ftps flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.http_flows</strong>: count of http flows discovered by appid\r
+<strong>appid.http flows</strong>: count of http flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.ignored packets</strong>: count of packets ignored by appid inspector\r
+<strong>appid.ignored packets</strong>: count of packets ignored\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.imap_flows</strong>: count of imap service flows discovered by appid\r
+<strong>appid.imap flows</strong>: count of imap service flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.imaps_flows</strong>: count of imap TLS service flows discovered by appid\r
+<strong>appid.imaps flows</strong>: count of imap TLS service flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.irc_flows</strong>: count of irc service flows discovered by appid\r
+<strong>appid.irc flows</strong>: count of irc service flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.kerberos_clients</strong>: count of kerberos clients discovered by appid\r
+<strong>appid.kerberos clients</strong>: count of kerberos clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.kerberos_flows</strong>: count of kerberos service flows discovered by appid\r
+<strong>appid.kerberos flows</strong>: count of kerberos service flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.kerberos_users</strong>: count of kerberos users discovered by appid\r
+<strong>appid.kerberos users</strong>: count of kerberos users discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.lpr_flows</strong>: count of lpr service flows discovered by appid\r
+<strong>appid.lpr flows</strong>: count of lpr service flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.mdns_flows</strong>: count of mdns service flows discovered by appid\r
+<strong>appid.mdns flows</strong>: count of mdns service flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.msn_clients</strong>: count of msn clients discovered by appid\r
+<strong>appid.msn clients</strong>: count of msn clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.mysql_flows</strong>: count of mysql service flows discovered by appid\r
+<strong>appid.mysql flows</strong>: count of mysql service flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.netbios_dgm_flows</strong>: count of netbios-dgm service flows discovered by appid\r
+<strong>appid.netbios dgm flows</strong>: count of netbios-dgm service flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.netbios_ns_flows</strong>: count of netbios-ns service flows discovered by appid\r
+<strong>appid.netbios ns flows</strong>: count of netbios-ns service flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.netbios_ssn_flows</strong>: count of netbios-ssn service flows discovered by appid\r
+<strong>appid.netbios ssn flows</strong>: count of netbios-ssn service flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.nntp_flows</strong>: count of nntp flows discovered by appid\r
+<strong>appid.nntp flows</strong>: count of nntp flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.ntp_flows</strong>: count of ntp flows discovered by appid\r
+<strong>appid.ntp flows</strong>: count of ntp flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.packets</strong>: count of packets received by appid inspector\r
+<strong>appid.packets</strong>: count of packets received\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.pop_flows</strong>: count of pop service flows discovered by appid\r
+<strong>appid.pop flows</strong>: count of pop service flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.processed packets</strong>: count of packets processed by appid inspector\r
+<strong>appid.processed packets</strong>: count of packets processed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.radius_flows</strong>: count of radius flows discovered by appid\r
+<strong>appid.radius flows</strong>: count of radius flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.rexec_flows</strong>: count of rexec flows discovered by appid\r
+<strong>appid.rexec flows</strong>: count of rexec flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.rfb_flows</strong>: count of rfb flows discovered by appid\r
+<strong>appid.rfb flows</strong>: count of rfb flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.rlogin_flows</strong>: count of rlogin flows discovered by appid\r
+<strong>appid.rlogin flows</strong>: count of rlogin flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.rpc_flows</strong>: count of rpc flows discovered by appid\r
+<strong>appid.rpc flows</strong>: count of rpc flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.rshell_flows</strong>: count of rshell flows discovered by appid\r
+<strong>appid.rshell flows</strong>: count of rshell flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.rsync_flows</strong>: count of rsync service flows discovered by appid\r
+<strong>appid.rsync flows</strong>: count of rsync service flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.rtmp_flows</strong>: count of rtmp flows discovered by appid\r
+<strong>appid.rtmp flows</strong>: count of rtmp flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.rtp_clients</strong>: count of rtp clients discovered by appid\r
+<strong>appid.rtp clients</strong>: count of rtp clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.sip_clients</strong>: count of SIP clients discovered by appid\r
+<strong>appid.sip clients</strong>: count of SIP clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.sip_flows</strong>: count of SIP flows discovered by appid\r
+<strong>appid.sip flows</strong>: count of SIP flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_aol_clients</strong>: count of AOL smtp clients discovered by appid\r
+<strong>appid.smtp aol clients</strong>: count of AOL smtp clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_applemail_clients</strong>: count of Apple Mail smtp clients discovered by appid\r
+<strong>appid.smtp applemail clients</strong>: count of Apple Mail smtp clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_eudora_clients</strong>: count of Eudora smtp clients discovered by appid\r
+<strong>appid.smtp eudora clients</strong>: count of Eudora smtp clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_eudora_pro_clients</strong>: count of Eudora Pro smtp clients discovered by appid\r
+<strong>appid.smtp eudora pro clients</strong>: count of Eudora Pro smtp clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_evolution_clients</strong>: count of Evolution smtp clients discovered by appid\r
+<strong>appid.smtp evolution clients</strong>: count of Evolution smtp clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_flows</strong>: count of smtp flows discovered by appid\r
+<strong>appid.smtp flows</strong>: count of smtp flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_kmail_clients</strong>: count of KMail smtp clients discovered by appid\r
+<strong>appid.smtp kmail clients</strong>: count of KMail smtp clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_lotus_notes_clients</strong>: count of Lotus Notes smtp clients discovered by appid\r
+<strong>appid.smtp lotus notes clients</strong>: count of Lotus Notes smtp clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_microsoft_outlook_clients</strong>: count of Microsoft Outlook smtp clients discovered by appid\r
+<strong>appid.smtp microsoft outlook clients</strong>: count of Microsoft Outlook smtp clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_microsoft_outlook_express_clients</strong>: count of Microsoft Outlook Express smtp clients discovered by appid\r
+<strong>appid.smtp microsoft outlook express clients</strong>: count of Microsoft Outlook Express smtp clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_microsoft_outlook_imo_clients</strong>: count of Microsoft Outlook IMO smtp clients discovered by appid\r
+<strong>appid.smtp microsoft outlook imo clients</strong>: count of Microsoft Outlook IMO smtp clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_mutt_clients</strong>: count of Mutt smtp clients discovered by appid\r
+<strong>appid.smtp mutt clients</strong>: count of Mutt smtp clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtps_flows</strong>: count of smtps flows discovered by appid\r
+<strong>appid.smtps flows</strong>: count of smtps flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_thunderbird_clients</strong>: count of Thunderbird smtp clients discovered by appid\r
+<strong>appid.smtp thunderbird clients</strong>: count of Thunderbird smtp clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.snmp_flows</strong>: count of snmp flows discovered by appid\r
+<strong>appid.snmp flows</strong>: count of snmp flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.ssh_clients</strong>: count of ssh clients discovered by appid\r
+<strong>appid.ssh clients</strong>: count of ssh clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.ssh_flows</strong>: count of ssh flows discovered by appid\r
+<strong>appid.ssh flows</strong>: count of ssh flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.ssl_flows</strong>: count of ssl flows discovered by appid\r
+<strong>appid.ssl flows</strong>: count of ssl flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.telnet_flows</strong>: count of telnet flows discovered by appid\r
+<strong>appid.telnet flows</strong>: count of telnet flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.tftp_flows</strong>: count of tftp flows discovered by appid\r
+<strong>appid.tftp flows</strong>: count of tftp flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.timbuktu_flows</strong>: count of timbuktu flows discovered by appid\r
+<strong>appid.timbuktu flows</strong>: count of timbuktu flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.tns_clients</strong>: count of tns clients discovered by appid\r
+<strong>appid.tns clients</strong>: count of tns clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.tns_flows</strong>: count of tns flows discovered by appid\r
+<strong>appid.tns flows</strong>: count of tns flows discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.vnc_clients</strong>: count of vnc clients discovered by appid\r
+<strong>appid.vnc clients</strong>: count of vnc clients discovered\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.yahoo_messenger_clients</strong>: count of Yahoo Messenger clients discovered by appid\r
+<strong>appid.yahoo messenger clients</strong>: count of Yahoo Messenger clients discovered\r
</p>\r
</li>\r
<li>\r
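Review bot: the rename from underscore keys ("appid.ssh_flows") to space-separated names ("appid.ssh flows") throughout this hunk is a user-visible change to the documented counter names; if these are the labels printed in the stats output, anything matching on the old names stops working, so the change summary should call the rename out. Dropping the redundant "by appid" suffix is fine, since every entry already carries the "appid." prefix.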
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.aborted sessions</strong>: total aborted sessions\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>dce_smb.Alter context responses</strong>: total connection-oriented alter context responses\r
</p>\r
</li>\r
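Review bot: this hunk deletes the "dce_smb.aborted sessions" entry outright rather than renaming it, and the following hunks do the same for "bad autodetects" and for the dce_tcp and dce_udp copies; confirm those peg counts were actually removed from the inspectors, otherwise the stats output will print counters this manual no longer documents. If they were removed, say so in the change summary, since operators may be alerting on those counters.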
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.bad autodetects</strong>: total bad autodetects\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>dce_smb.Bind acks</strong>: total connection-oriented binds acks\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.aborted sessions</strong>: total aborted sessions\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>dce_tcp.Alter context responses</strong>: total connection-oriented alter context responses\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.bad autodetects</strong>: total bad autodetects\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>dce_tcp.Bind acks</strong>: total connection-oriented binds acks\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.aborted sessions</strong>: total aborted sessions\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>dce_udp.Acks</strong>: total connection-less acks\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.bad autodetects</strong>: total bad autodetects\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>dce_udp.Cancel acks</strong>: total connection-less cancel acks\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>file_id.cache_failures</strong>: number of file cache add failures\r
+<strong>file_id.cache failures</strong>: number of file cache add failures\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>file_id.total_file_data</strong>: number of file data bytes processed\r
+<strong>file_id.total file data</strong>: number of file data bytes processed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>file_id.total_files</strong>: number of files processed\r
+<strong>file_id.total files</strong>: number of files processed\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>reputation.memory_allocated</strong>: total memory allocated\r
+<strong>reputation.memory allocated</strong>: total memory allocated\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>116:1</strong> (ipv4) Not IPv4 datagram\r
+<strong>116:1</strong> (ipv4) not IPv4 datagram\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:2</strong> (ipv4) hlen < minimum\r
+<strong>116:2</strong> (ipv4) IPv4 header length < minimum\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:3</strong> (ipv4) IP dgm len < IP Hdr len\r
+<strong>116:3</strong> (ipv4) IPv4 datagram length < header field\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:4</strong> (ipv4) Ipv4 Options found with bad lengths\r
+<strong>116:4</strong> (ipv4) IPv4 options found with bad lengths\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:5</strong> (ipv4) Truncated Ipv4 Options\r
+<strong>116:5</strong> (ipv4) truncated IPv4 options\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:6</strong> (ipv4) IP dgm len > captured len\r
+<strong>116:6</strong> (ipv4) IPv4 datagram length > captured length\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:45</strong> (tcp) TCP packet len is smaller than 20 bytes\r
+<strong>116:45</strong> (tcp) TCP packet length is smaller than 20 bytes\r
</p>\r
</li>\r
<li>\r
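Review bot: the new text for 116:3, "IPv4 datagram length < header field", is ambiguous about which header field is meant; the old message compared the datagram length to the header length, so "IPv4 datagram length < header length field" keeps the meaning. The same wording is used for 116:274 in the ipv6 hunk below and should get the same fix.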
</li>\r
<li>\r
<p>\r
-<strong>116:150</strong> (decode) bad traffic loopback IP\r
+<strong>116:150</strong> (decode) loopback IP\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:151</strong> (decode) bad traffic same src/dst IP\r
+<strong>116:151</strong> (decode) same src/dst IP\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>116:272</strong> (ipv6) IPV6 truncated extension header\r
+<strong>116:272</strong> (ipv6) IPv6 truncated extension header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:273</strong> (ipv6) IPV6 truncated header\r
+<strong>116:273</strong> (ipv6) IPv6 truncated header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:274</strong> (ipv6) IP dgm len < IP Hdr len\r
+<strong>116:274</strong> (ipv6) IPv6 datagram length < header field\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:275</strong> (ipv6) IP dgm len > captured len\r
+<strong>116:275</strong> (ipv6) IPv6 datagram length > captured length\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>116:403</strong> (tcp) bad traffic SYN to multicast address\r
+<strong>116:403</strong> (tcp) SYN to multicast address\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:404</strong> (ipv4) IPV4 packet with zero TTL\r
+<strong>116:404</strong> (ipv4) IPv4 packet with zero TTL\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:405</strong> (ipv4) IPV4 packet with bad frag bits (both MF and DF set)\r
+<strong>116:405</strong> (ipv4) IPv4 packet with bad frag bits (both MF and DF set)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>116:407</strong> (ipv4) IPV4 packet frag offset + length exceed maximum\r
+<strong>116:407</strong> (ipv4) IPv4 packet frag offset + length exceed maximum\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:408</strong> (ipv4) IPV4 packet from <em>current net</em> source address\r
+<strong>116:408</strong> (ipv4) IPv4 packet from <em>current net</em> source address\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:409</strong> (ipv4) IPV4 packet to <em>current net</em> dest address\r
+<strong>116:409</strong> (ipv4) IPv4 packet to <em>current net</em> dest address\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:410</strong> (ipv4) IPV4 packet from multicast source address\r
+<strong>116:410</strong> (ipv4) IPv4 packet from multicast source address\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:411</strong> (ipv4) IPV4 packet from reserved source address\r
+<strong>116:411</strong> (ipv4) IPv4 packet from reserved source address\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:412</strong> (ipv4) IPV4 packet to reserved dest address\r
+<strong>116:412</strong> (ipv4) IPv4 packet to reserved dest address\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:413</strong> (ipv4) IPV4 packet from broadcast source address\r
+<strong>116:413</strong> (ipv4) IPv4 packet from broadcast source address\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:414</strong> (ipv4) IPV4 packet to broadcast dest address\r
+<strong>116:414</strong> (ipv4) IPv4 packet to broadcast dest address\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>116:424</strong> (eth) truncated eth header\r
+<strong>116:424</strong> (eth) truncated ethernet header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:425</strong> (ipv4) truncated IP4 header\r
+<strong>116:425</strong> (ipv4) truncated IPv4 header\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>116:428</strong> (ipv4) IPV4 packet below TTL limit\r
+<strong>116:428</strong> (ipv4) IPv4 packet below TTL limit\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:429</strong> (ipv6) IPV6 packet has zero hop limit\r
+<strong>116:429</strong> (ipv6) IPv6 packet has zero hop limit\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:430</strong> (ipv4) IPV4 packet both DF and offset set\r
+<strong>116:430</strong> (ipv4) IPv4 packet both DF and offset set\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:431</strong> (icmp6) ICMP6 type not decoded\r
+<strong>116:431</strong> (icmp6) ICMPv6 type not decoded\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:432</strong> (icmp6) ICMP6 packet to multicast address\r
+<strong>116:432</strong> (icmp6) ICMPv6 packet to multicast address\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>116:434</strong> (icmp4) ICMP ping NMAP\r
+<strong>116:434</strong> (icmp4) ICMP ping Nmap\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>116:444</strong> (ipv4) MISC IP option set\r
+<strong>116:444</strong> (ipv4) IPv4 option set\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:445</strong> (udp) misc large UDP Packet\r
+<strong>116:445</strong> (udp) large UDP packet (> 4000 bytes)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:446</strong> (tcp) BAD-TRAFFIC TCP port 0 traffic\r
+<strong>116:446</strong> (tcp) TCP port 0 traffic\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:447</strong> (udp) BAD-TRAFFIC UDP port 0 traffic\r
+<strong>116:447</strong> (udp) UDP port 0 traffic\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:448</strong> (ipv4) BAD-TRAFFIC IP reserved bit set\r
+<strong>116:448</strong> (ipv4) IPv4 reserved bit set\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:449</strong> (decode) BAD-TRAFFIC unassigned/reserved IP protocol\r
+<strong>116:449</strong> (decode) unassigned/reserved IP protocol\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:450</strong> (decode) BAD-TRAFFIC bad IP protocol\r
+<strong>116:450</strong> (decode) bad IP protocol\r
</p>\r
</li>\r
<li>\r
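Review bot: 116:445 now states a concrete threshold, "(> 4000 bytes)", that the old message did not; make sure it matches the constant the udp decoder actually compares against, and consider whether a hard-coded number belongs in a rule message at all, since it silently goes stale if the decoder's limit changes.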
</li>\r
<li>\r
<p>\r
-<strong>116:452</strong> (icmp4) BAD-TRAFFIC Linux ICMP header DOS attempt\r
+<strong>116:452</strong> (icmp4) Linux ICMP header DOS attempt\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:453</strong> (ipv6) BAD-TRAFFIC ISATAP-addressed IPv6 traffic spoofing attempt\r
+<strong>116:453</strong> (ipv6) ISATAP-addressed IPv6 traffic spoofing attempt\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:454</strong> (pgm) BAD-TRAFFIC PGM nak list overflow attempt\r
+<strong>116:454</strong> (pgm) PGM nak list overflow attempt\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>116:456</strong> (ipv6) too many IP6 extension headers\r
+<strong>116:456</strong> (ipv6) too many IPv6 extension headers\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>116:461</strong> (ipv6) IPV6 routing type 0 extension header\r
+<strong>116:461</strong> (ipv6) IPv6 routing type 0 extension header\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>116:463</strong> (erspan2) captured < ERSpan type2 header length\r
+<strong>116:463</strong> (erspan2) captured length < ERSpan type2 header length\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>119:52</strong> (http_inspect) Not HTTP traffic\r
+<strong>119:52</strong> (http_inspect) not HTTP traffic\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:53</strong> (http_inspect) Chunk length has excessive leading zeros\r
+<strong>119:53</strong> (http_inspect) chunk length has excessive leading zeros\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:54</strong> (http_inspect) White space before or between messages\r
+<strong>119:54</strong> (http_inspect) white space before or between messages\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:55</strong> (http_inspect) Request message without URI\r
+<strong>119:55</strong> (http_inspect) request message without URI\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:56</strong> (http_inspect) Control character in reason phrase\r
+<strong>119:56</strong> (http_inspect) control character in reason phrase\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:57</strong> (http_inspect) Illegal extra whitespace in start line\r
+<strong>119:57</strong> (http_inspect) illegal extra whitespace in start line\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:58</strong> (http_inspect) Corrupted HTTP version\r
+<strong>119:58</strong> (http_inspect) corrupted HTTP version\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:59</strong> (http_inspect) Unknown HTTP version\r
+<strong>119:59</strong> (http_inspect) unknown HTTP version\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:60</strong> (http_inspect) Format error in HTTP header\r
+<strong>119:60</strong> (http_inspect) format error in HTTP header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:61</strong> (http_inspect) Chunk header options present\r
+<strong>119:61</strong> (http_inspect) chunk header options present\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>119:63</strong> (http_inspect) Unrecognized type of percent encoding in URI\r
+<strong>119:63</strong> (http_inspect) unrecognized type of percent encoding in URI\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>119:65</strong> (http_inspect) White space following chunk length\r
+<strong>119:65</strong> (http_inspect) white space following chunk length\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:66</strong> (http_inspect) White space within header name\r
+<strong>119:66</strong> (http_inspect) white space within header name\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:67</strong> (http_inspect) Excessive gzip compression\r
+<strong>119:67</strong> (http_inspect) excessive gzip compression\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:68</strong> (http_inspect) Gzip decompression failed\r
+<strong>119:68</strong> (http_inspect) gzip decompression failed\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>119:71</strong> (http_inspect) Message has both Content-Length and Transfer-Encoding\r
+<strong>119:71</strong> (http_inspect) message has both Content-Length and Transfer-Encoding\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:72</strong> (http_inspect) Status code implying no body combined with Transfer-Encoding or nonzero Content-Length\r
+<strong>119:72</strong> (http_inspect) status code implying no body combined with Transfer-Encoding or nonzero Content-Length\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>119:75</strong> (http_inspect) Misformatted HTTP traffic\r
+<strong>119:75</strong> (http_inspect) misformatted HTTP traffic\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:76</strong> (http_inspect) Unsupported Transfer-Encoding or Content-Encoding used\r
+<strong>119:76</strong> (http_inspect) unsupported Transfer-Encoding or Content-Encoding used\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:77</strong> (http_inspect) Unknown Transfer-Encoding or Content-Encoding used\r
+<strong>119:77</strong> (http_inspect) unknown Transfer-Encoding or Content-Encoding used\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:78</strong> (http_inspect) Multiple layers of compression encodings applied\r
+<strong>119:78</strong> (http_inspect) multiple layers of compression encodings applied\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>124:1</strong> (smtp) Attempted command buffer overflow\r
+<strong>124:1</strong> (smtp) attempted command buffer overflow\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:2</strong> (smtp) Attempted data header buffer overflow\r
+<strong>124:2</strong> (smtp) attempted data header buffer overflow\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:3</strong> (smtp) Attempted response buffer overflow\r
+<strong>124:3</strong> (smtp) attempted response buffer overflow\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:4</strong> (smtp) Attempted specific command buffer overflow\r
+<strong>124:4</strong> (smtp) attempted specific command buffer overflow\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:5</strong> (smtp) Unknown command\r
+<strong>124:5</strong> (smtp) unknown command\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:6</strong> (smtp) Illegal command\r
+<strong>124:6</strong> (smtp) illegal command\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:7</strong> (smtp) Attempted header name buffer overflow\r
+<strong>124:7</strong> (smtp) attempted header name buffer overflow\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:8</strong> (smtp) Attempted X-Link2State command buffer overflow\r
+<strong>124:8</strong> (smtp) attempted X-Link2State command buffer overflow\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:10</strong> (smtp) Base64 Decoding failed\r
+<strong>124:10</strong> (smtp) base64 decoding failed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:11</strong> (smtp) Quoted-Printable Decoding failed\r
+<strong>124:11</strong> (smtp) quoted-printable decoding failed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:13</strong> (smtp) Unix-to-Unix Decoding failed\r
+<strong>124:13</strong> (smtp) Unix-to-Unix decoding failed\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>124:15</strong> (smtp) Attempted authentication command buffer overflow\r
+<strong>124:15</strong> (smtp) attempted authentication command buffer overflow\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>128:1</strong> (ssh) Challenge-Response Overflow exploit\r
+<strong>128:1</strong> (ssh) challenge-response overflow exploit\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>128:3</strong> (ssh) Server version string overflow\r
+<strong>128:3</strong> (ssh) server version string overflow\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>128:5</strong> (ssh) Bad message direction\r
+<strong>128:5</strong> (ssh) bad message direction\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>128:6</strong> (ssh) Payload size incorrect for the given payload\r
+<strong>128:6</strong> (ssh) payload size incorrect for the given payload\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>128:7</strong> (ssh) Failed to detect SSH version string\r
+<strong>128:7</strong> (ssh) failed to detect SSH version string\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>129:5</strong> (stream_tcp) bad segment, adjusted size ⇐ 0\r
+<strong>129:5</strong> (stream_tcp) bad segment, adjusted size ⇐ 0 (deprecated)\r
</p>\r
</li>\r
<li>\r
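Review bot: the 129:5 message renders "<=" as the arrow "⇐" because AsciiDoc replaces that sequence; escape it in the source so the message reads "adjusted size <= 0", as the plain "<" and ">" comparisons elsewhere in this list already do. Appending "(deprecated)" to the alert text is also unusual; if the rule is deprecated, state that in the rule's description or drop the entry rather than tagging the message that appears in alerts.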
</li>\r
<li>\r
<p>\r
-<strong>129:8</strong> (stream_tcp) data sent on stream after TCP Reset sent\r
+<strong>129:8</strong> (stream_tcp) data sent on stream after TCP reset sent\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>129:10</strong> (stream_tcp) TCP Server possibly hijacked, different ethernet address\r
+<strong>129:10</strong> (stream_tcp) TCP server possibly hijacked, different ethernet address\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>129:18</strong> (stream_tcp) data sent on stream after TCP Reset received\r
+<strong>129:18</strong> (stream_tcp) data sent on stream after TCP reset received\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>131:1</strong> (dns) Obsolete DNS RR Types\r
+<strong>131:1</strong> (dns) obsolete DNS RR types\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>131:2</strong> (dns) Experimental DNS RR Types\r
+<strong>131:2</strong> (dns) experimental DNS RR types\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>131:3</strong> (dns) DNS Client rdata txt Overflow\r
+<strong>131:3</strong> (dns) DNS client rdata txt overflow\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:2</strong> (dce_smb) SMB - Bad NetBIOS Session Service session type.\r
+<strong>133:2</strong> (dce_smb) SMB - bad NetBIOS session service session type\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:3</strong> (dce_smb) SMB - Bad SMB message type.\r
+<strong>133:3</strong> (dce_smb) SMB - bad SMB message type\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:4</strong> (dce_smb) SMB - Bad SMB Id (not \xffSMB for SMB1 or not \xfeSMB for SMB2).\r
+<strong>133:4</strong> (dce_smb) SMB - bad SMB Id (not \xffSMB for SMB1 or not \xfeSMB for SMB2)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:5</strong> (dce_smb) SMB - Bad word count or structure size.\r
+<strong>133:5</strong> (dce_smb) SMB - bad word count or structure size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:6</strong> (dce_smb) SMB - Bad byte count.\r
+<strong>133:6</strong> (dce_smb) SMB - bad byte count\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:7</strong> (dce_smb) SMB - Bad format type.\r
+<strong>133:7</strong> (dce_smb) SMB - bad format type\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:8</strong> (dce_smb) SMB - Bad offset.\r
+<strong>133:8</strong> (dce_smb) SMB - bad offset\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:9</strong> (dce_smb) SMB - Zero total data count.\r
+<strong>133:9</strong> (dce_smb) SMB - zero total data count\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:10</strong> (dce_smb) SMB - NetBIOS data length less than SMB header length.\r
+<strong>133:10</strong> (dce_smb) SMB - NetBIOS data length less than SMB header length\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:12</strong> (dce_smb) SMB - Remaining NetBIOS data length less than command byte count.\r
+<strong>133:12</strong> (dce_smb) SMB - remaining NetBIOS data length less than command byte count\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:13</strong> (dce_smb) SMB - Remaining NetBIOS data length less than command data size.\r
+<strong>133:13</strong> (dce_smb) SMB - remaining NetBIOS data length less than command data size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:14</strong> (dce_smb) SMB - Remaining total data count less than this command data size.\r
+<strong>133:14</strong> (dce_smb) SMB - remaining total data count less than this command data size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:15</strong> (dce_smb) SMB - Total data sent (STDu64) greater than command total data expected.\r
+<strong>133:15</strong> (dce_smb) SMB - total data sent (STDu64) greater than command total data expected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:16</strong> (dce_smb) SMB - Byte count less than command data size (STDu64)\r
+<strong>133:16</strong> (dce_smb) SMB - byte count less than command data size (STDu64)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:17</strong> (dce_smb) SMB - Invalid command data size for byte count.\r
+<strong>133:17</strong> (dce_smb) SMB - invalid command data size for byte count\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:18</strong> (dce_smb) SMB - Excessive Tree Connect requests with pending Tree Connect responses.\r
+<strong>133:18</strong> (dce_smb) SMB - excessive tree connect requests with pending tree connect responses\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:19</strong> (dce_smb) SMB - Excessive Read requests with pending Read responses.\r
+<strong>133:19</strong> (dce_smb) SMB - excessive read requests with pending read responses\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:20</strong> (dce_smb) SMB - Excessive command chaining.\r
+<strong>133:20</strong> (dce_smb) SMB - excessive command chaining\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:21</strong> (dce_smb) SMB - Multiple chained tree connect requests.\r
+<strong>133:21</strong> (dce_smb) SMB - multiple chained tree connect requests\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:22</strong> (dce_smb) SMB - Multiple chained tree connect requests.\r
+<strong>133:22</strong> (dce_smb) SMB - multiple chained tree connect requests\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:23</strong> (dce_smb) SMB - Chained/Compounded login followed by logoff.\r
+<strong>133:23</strong> (dce_smb) SMB - chained/compounded login followed by logoff\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:24</strong> (dce_smb) SMB - Chained/Compounded tree connect followed by tree disconnect.\r
+<strong>133:24</strong> (dce_smb) SMB - chained/compounded tree connect followed by tree disconnect\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:25</strong> (dce_smb) SMB - Chained/Compounded open pipe followed by close pipe.\r
+<strong>133:25</strong> (dce_smb) SMB - chained/compounded open pipe followed by close pipe\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:26</strong> (dce_smb) SMB - Invalid share access.\r
+<strong>133:26</strong> (dce_smb) SMB - invalid share access\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:27</strong> (dce_smb) Connection oriented DCE/RPC - Invalid major version.\r
+<strong>133:27</strong> (dce_smb) connection oriented DCE/RPC - invalid major version\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:27</strong> (dce_tcp) Connection oriented DCE/RPC - Invalid major version.\r
+<strong>133:27</strong> (dce_tcp) connection oriented DCE/RPC - invalid major version\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:28</strong> (dce_smb) Connection oriented DCE/RPC - Invalid minor version.\r
+<strong>133:28</strong> (dce_smb) connection oriented DCE/RPC - invalid minor version\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:28</strong> (dce_tcp) Connection oriented DCE/RPC - Invalid minor version.\r
+<strong>133:28</strong> (dce_tcp) connection oriented DCE/RPC - invalid minor version\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:29</strong> (dce_smb) Connection-oriented DCE/RPC - Invalid pdu type.\r
+<strong>133:29</strong> (dce_smb) connection-oriented DCE/RPC - invalid PDU type\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:29</strong> (dce_tcp) Connection-oriented DCE/RPC - Invalid pdu type.\r
+<strong>133:29</strong> (dce_tcp) connection-oriented DCE/RPC - invalid PDU type\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:30</strong> (dce_smb) Connection-oriented DCE/RPC - Fragment length less than header size.\r
+<strong>133:30</strong> (dce_smb) connection-oriented DCE/RPC - fragment length less than header size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:30</strong> (dce_tcp) Connection-oriented DCE/RPC - Fragment length less than header size.\r
+<strong>133:30</strong> (dce_tcp) connection-oriented DCE/RPC - fragment length less than header size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:32</strong> (dce_smb) Connection-oriented DCE/RPC - No context items specified.\r
+<strong>133:32</strong> (dce_smb) connection-oriented DCE/RPC - no context items specified\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:32</strong> (dce_tcp) Connection-oriented DCE/RPC - No context items specified.\r
+<strong>133:32</strong> (dce_tcp) connection-oriented DCE/RPC - no context items specified\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:33</strong> (dce_smb) Connection-oriented DCE/RPC -No transfer syntaxes specified.\r
+<strong>133:33</strong> (dce_smb) connection-oriented DCE/RPC -no transfer syntaxes specified\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:33</strong> (dce_tcp) Connection-oriented DCE/RPC -No transfer syntaxes specified.\r
+<strong>133:33</strong> (dce_tcp) connection-oriented DCE/RPC -no transfer syntaxes specified\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:34</strong> (dce_smb) Connection-oriented DCE/RPC - Fragment length on non-last fragment less than maximum negotiated fragment transmit size for client.\r
+<strong>133:34</strong> (dce_smb) connection-oriented DCE/RPC - fragment length on non-last fragment less than maximum negotiated fragment transmit size for client\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:34</strong> (dce_tcp) Connection-oriented DCE/RPC - Fragment length on non-last fragment less than maximum negotiated fragment transmit size for client.\r
+<strong>133:34</strong> (dce_tcp) connection-oriented DCE/RPC - fragment length on non-last fragment less than maximum negotiated fragment transmit size for client\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:35</strong> (dce_smb) Connection-oriented DCE/RPC - Fragment length greater than maximum negotiated fragment transmit size.\r
+<strong>133:35</strong> (dce_smb) connection-oriented DCE/RPC - fragment length greater than maximum negotiated fragment transmit size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:35</strong> (dce_tcp) Connection-oriented DCE/RPC - Fragment length greater than maximum negotiated fragment transmit size.\r
+<strong>133:35</strong> (dce_tcp) connection-oriented DCE/RPC - fragment length greater than maximum negotiated fragment transmit size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:36</strong> (dce_smb) Connection-oriented DCE/RPC - Alter Context byte order different from Bind\r
+<strong>133:36</strong> (dce_smb) connection-oriented DCE/RPC - alter context byte order different from bind\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:36</strong> (dce_tcp) Connection-oriented DCE/RPC - Alter Context byte order different from Bind\r
+<strong>133:36</strong> (dce_tcp) connection-oriented DCE/RPC - alter context byte order different from bind\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:37</strong> (dce_smb) Connection-oriented DCE/RPC - Call id of non first/last fragment different from call id established for fragmented request.\r
+<strong>133:37</strong> (dce_smb) connection-oriented DCE/RPC - call id of non first/last fragment different from call id established for fragmented request\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:37</strong> (dce_tcp) Connection-oriented DCE/RPC - Call id of non first/last fragment different from call id established for fragmented request.\r
+<strong>133:37</strong> (dce_tcp) connection-oriented DCE/RPC - call id of non first/last fragment different from call id established for fragmented request\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:38</strong> (dce_smb) Connection-oriented DCE/RPC - Opnum of non first/last fragment different from opnum established for fragmented request.\r
+<strong>133:38</strong> (dce_smb) connection-oriented DCE/RPC - opnum of non first/last fragment different from opnum established for fragmented request\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:38</strong> (dce_tcp) Connection-oriented DCE/RPC - Opnum of non first/last fragment different from opnum established for fragmented request.\r
+<strong>133:38</strong> (dce_tcp) connection-oriented DCE/RPC - opnum of non first/last fragment different from opnum established for fragmented request\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:39</strong> (dce_smb) Connection-oriented DCE/RPC - Context id of non first/last fragment different from context id established for fragmented request.\r
+<strong>133:39</strong> (dce_smb) connection-oriented DCE/RPC - context id of non first/last fragment different from context id established for fragmented request\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:39</strong> (dce_tcp) Connection-oriented DCE/RPC - Context id of non first/last fragment different from context id established for fragmented request.\r
+<strong>133:39</strong> (dce_tcp) connection-oriented DCE/RPC - context id of non first/last fragment different from context id established for fragmented request\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:40</strong> (dce_udp) Connection-less DCE/RPC - Invalid major version.\r
+<strong>133:40</strong> (dce_udp) connection-less DCE/RPC - invalid major version\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:41</strong> (dce_udp) Connection-less DCE/RPC - Invalid pdu type.\r
+<strong>133:41</strong> (dce_udp) connection-less DCE/RPC - invalid PDU type\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:42</strong> (dce_udp) Connection-less DCE/RPC - Data length less than header size.\r
+<strong>133:42</strong> (dce_udp) connection-less DCE/RPC - data length less than header size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:43</strong> (dce_udp) Connection-less DCE/RPC - Bad sequence number.\r
+<strong>133:43</strong> (dce_udp) connection-less DCE/RPC - bad sequence number\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:44</strong> (dce_smb) SMB - Invalid SMB version 1 seen.\r
+<strong>133:44</strong> (dce_smb) SMB - invalid SMB version 1 seen\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:45</strong> (dce_smb) SMB - Invalid SMB version 2 seen.\r
+<strong>133:45</strong> (dce_smb) SMB - invalid SMB version 2 seen\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:46</strong> (dce_smb) SMB - Invalid user, tree connect, file binding.\r
+<strong>133:46</strong> (dce_smb) SMB - invalid user, tree connect, file binding\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:47</strong> (dce_smb) SMB - Excessive command compounding.\r
+<strong>133:47</strong> (dce_smb) SMB - excessive command compounding\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:48</strong> (dce_smb) SMB - Zero data count.\r
+<strong>133:48</strong> (dce_smb) SMB - zero data count\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:50</strong> (dce_smb) SMB - Maximum number of outstanding requests exceeded.\r
+<strong>133:50</strong> (dce_smb) SMB - maximum number of outstanding requests exceeded\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:51</strong> (dce_smb) SMB - Outstanding requests with same MID.\r
+<strong>133:51</strong> (dce_smb) SMB - outstanding requests with same MID\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:52</strong> (dce_smb) SMB - Deprecated dialect negotiated.\r
+<strong>133:52</strong> (dce_smb) SMB - deprecated dialect negotiated\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:53</strong> (dce_smb) SMB - Deprecated command used.\r
+<strong>133:53</strong> (dce_smb) SMB - deprecated command used\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:54</strong> (dce_smb) SMB - Unusual command used.\r
+<strong>133:54</strong> (dce_smb) SMB - unusual command used\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:55</strong> (dce_smb) SMB - Invalid setup count for command.\r
+<strong>133:55</strong> (dce_smb) SMB - invalid setup count for command\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:56</strong> (dce_smb) SMB - Client attempted multiple dialect negotiations on session.\r
+<strong>133:56</strong> (dce_smb) SMB - client attempted multiple dialect negotiations on session\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:57</strong> (dce_smb) SMB - Client attempted to create or set a file’s attributes to readonly/hidden/system.\r
+<strong>133:57</strong> (dce_smb) SMB - client attempted to create or set a file’s attributes to readonly/hidden/system\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:58</strong> (dce_smb) SMB - File offset provided is greater than file size specified\r
+<strong>133:58</strong> (dce_smb) SMB - file offset provided is greater than file size specified\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:59</strong> (dce_smb) SMB - Next command specified in SMB2 header is beyond payload boundary\r
+<strong>133:59</strong> (dce_smb) SMB - next command specified in SMB2 header is beyond payload boundary\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>136:2</strong> (reputation) Packets whitelisted\r
+<strong>136:2</strong> (reputation) packets whitelisted\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>136:3</strong> (reputation) Packets monitored\r
+<strong>136:3</strong> (reputation) packets monitored\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>137:1</strong> (ssl) Invalid Client HELLO after Server HELLO Detected\r
+<strong>137:1</strong> (ssl) invalid client HELLO after server HELLO detected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>137:2</strong> (ssl) Invalid Server HELLO without Client HELLO Detected\r
+<strong>137:2</strong> (ssl) invalid server HELLO without client HELLO detected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>137:3</strong> (ssl) Heartbeat Read Overrun Attempt Detected\r
+<strong>137:3</strong> (ssl) heartbeat read overrun attempt detected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>137:4</strong> (ssl) Large Heartbeat Response Detected\r
+<strong>137:4</strong> (ssl) large heartbeat response detected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:1</strong> (sip) Maximum sessions reached\r
+<strong>140:1</strong> (sip) maximum sessions reached\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:2</strong> (sip) Empty request URI\r
+<strong>140:2</strong> (sip) empty request URI\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>140:4</strong> (sip) Empty call-Id\r
+<strong>140:4</strong> (sip) empty call-Id\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>140:7</strong> (sip) Request name in CSeq is too long\r
+<strong>140:7</strong> (sip) request name in CSeq is too long\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:8</strong> (sip) Empty From header\r
+<strong>140:8</strong> (sip) empty From header\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>140:10</strong> (sip) Empty To header\r
+<strong>140:10</strong> (sip) empty To header\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>140:12</strong> (sip) Empty Via header\r
+<strong>140:12</strong> (sip) empty Via header\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>140:14</strong> (sip) Empty Contact\r
+<strong>140:14</strong> (sip) empty Contact\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:15</strong> (sip) Contact is too long\r
+<strong>140:15</strong> (sip) contact is too long\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:16</strong> (sip) Content length is too large or negative\r
+<strong>140:16</strong> (sip) content length is too large or negative\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:17</strong> (sip) Multiple SIP messages in a packet\r
+<strong>140:17</strong> (sip) multiple SIP messages in a packet\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:18</strong> (sip) Content length mismatch\r
+<strong>140:18</strong> (sip) content length mismatch\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:19</strong> (sip) Request name is invalid\r
+<strong>140:19</strong> (sip) request name is invalid\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>140:21</strong> (sip) Illegal session information modification\r
+<strong>140:21</strong> (sip) illegal session information modification\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:22</strong> (sip) Response status code is not a 3 digit number\r
+<strong>140:22</strong> (sip) response status code is not a 3 digit number\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:23</strong> (sip) Empty Content-type header\r
+<strong>140:23</strong> (sip) empty Content-type header\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>140:25</strong> (sip) Mismatch in METHOD of request and the CSEQ header\r
+<strong>140:25</strong> (sip) mismatch in METHOD of request and the CSEQ header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:26</strong> (sip) Method is unknown\r
+<strong>140:26</strong> (sip) method is unknown\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:27</strong> (sip) Maximum dialogs within a session reached\r
+<strong>140:27</strong> (sip) maximum dialogs within a session reached\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>141:1</strong> (imap) Unknown IMAP3 command\r
+<strong>141:1</strong> (imap) unknown IMAP3 command\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>141:2</strong> (imap) Unknown IMAP3 response\r
+<strong>141:2</strong> (imap) unknown IMAP3 response\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>141:4</strong> (imap) Base64 Decoding failed.\r
+<strong>141:4</strong> (imap) base64 decoding failed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>141:5</strong> (imap) Quoted-Printable Decoding failed.\r
+<strong>141:5</strong> (imap) quoted-printable decoding failed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>141:7</strong> (imap) Unix-to-Unix Decoding failed.\r
+<strong>141:7</strong> (imap) Unix-to-Unix decoding failed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>142:1</strong> (pop) Unknown POP3 command\r
+<strong>142:1</strong> (pop) unknown POP3 command\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>142:2</strong> (pop) Unknown POP3 response\r
+<strong>142:2</strong> (pop) unknown POP3 response\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>142:4</strong> (pop) Base64 Decoding failed.\r
+<strong>142:4</strong> (pop) base64 decoding failed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>142:5</strong> (pop) Quoted-Printable Decoding failed.\r
+<strong>142:5</strong> (pop) quoted-printable decoding failed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>142:7</strong> (pop) Unix-to-Unix Decoding failed.\r
+<strong>142:7</strong> (pop) Unix-to-Unix decoding failed\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>144:3</strong> (modbus) Reserved Modbus function code in use\r
+<strong>144:3</strong> (modbus) reserved Modbus function code in use\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:1</strong> (dnp3) DNP3 Link-Layer Frame contains bad CRC.\r
+<strong>145:1</strong> (dnp3) DNP3 link-layer frame contains bad CRC\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:2</strong> (dnp3) DNP3 Link-Layer Frame was dropped.\r
+<strong>145:2</strong> (dnp3) DNP3 link-layer frame was dropped\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:3</strong> (dnp3) DNP3 Transport-Layer Segment was dropped during reassembly.\r
+<strong>145:3</strong> (dnp3) DNP3 transport-layer segment was dropped during reassembly\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:4</strong> (dnp3) DNP3 Reassembly Buffer was cleared without reassembling a complete message.\r
+<strong>145:4</strong> (dnp3) DNP3 reassembly buffer was cleared without reassembling a complete message\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:5</strong> (dnp3) DNP3 Link-Layer Frame uses a reserved address.\r
+<strong>145:5</strong> (dnp3) DNP3 link-layer frame uses a reserved address\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:6</strong> (dnp3) DNP3 Application-Layer Fragment uses a reserved function code.\r
+<strong>145:6</strong> (dnp3) DNP3 application-layer fragment uses a reserved function code\r
</p>\r
</li>\r
</ul></div>\r
<li>\r
<p>\r
<strong>wizard</strong> (inspector): inspector that implements port-independent protocol identification\r
-:leveloffset: 0\r
</p>\r
</li>\r
</ul></div>\r
-<div class="sect3">\r
-<h4 id="_plugin_listing">Plugin Listing</h4>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_plugin_listing">Plugin Listing</h3>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
</li>\r
</ul></div>\r
</div>\r
+<div class="sect2">\r
+<h3 id="_bugs">Bugs</h3>\r
+<div class="sect3">\r
+<h4 id="_build">Build</h4>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+Enabling large pcap may erroneously affect the number of packets processed\r
+ from pcaps.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Enabling debug messages may erroneously affect the number of packets\r
+ processed from pcaps.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+g++ 4.9.2 with -O3 reports:\r
+</p>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>src/service_inspectors/back_orifice/back_orifice.cc:231:25: warning:\r
+iteration 930u invokes undefined behavior [-Waggressive-loop-optimizations]</code></pre>\r
+</div></div>\r
+</li>\r
+<li>\r
+<p>\r
+Building with clang and autotools on Linux will show the following\r
+ warning many times. Please ignore.\r
+</p>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>clang: warning: argument unused during compilation: '-pthread'</code></pre>\r
+</div></div>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_config">Config</h4>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+Parsing issue with IP lists. can’t parse rules with $EXTERNAL_NET\r
+ defined as below because of the space between ! and 10.\r
+</p>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>HOME_NET = [[ 10.0.17.0/24 10.0.14.0/24 10.247.0.0/16 10.246.0.0/16 ]]\r
+EXTERNAL_NET = '! ' .. HOME_NET</code></pre>\r
+</div></div>\r
+</li>\r
+<li>\r
+<p>\r
+Multiple versions of luajit scripts are not handled correctly. The\r
+ first loaded version will always be executed even though plugin manager\r
+ saves the correct version.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+When using -c and -L together, the last on the command line wins (-c -L\r
+ will dump; -L -c will analyze).\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Modules instantiated by command line only will not get default settings\r
+ unless hard-coded. This notably applies to -A and -L options.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+--lua can only be used in addition to, not in place of, a -c config.\r
+ Ideally, --lua could be used in lieu of -c.\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_rules_4">Rules</h4>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+metdata:service foo; metadata:service foo; won’t cause a duplicate service\r
+ warning as does metadata:service foo, service foo;\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+ip_proto doesn’t work properly with reassembled packets so it can’t be\r
+ used to restrict the protocol of service rules.\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_snort2lua_2">snort2lua</h4>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+uricontent:"foo"; content:"bar"; → http_uri; content:"foo"; content:"bar";\r
+ (missing pkt_data)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+stream_tcp ports and protocols both go into a single binder.when; this is\r
+ incorrect as the when fields are logically anded together (ie must all be\r
+ true). Should create 2 separate bindings.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+There is a bug in pps_stream_tcp.cc.. when stream_tcp: is specified\r
+ without any arguments, snort2lua doesn’t convert it. Same for\r
+ stream_udp.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Loses the ip list delimiters [ ]; change to ( )\r
+</p>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>in snort.conf: var HOME_NET [A,B,C]\r
+in snort.lua: HOME_NET = [[A B C]]</code></pre>\r
+</div></div>\r
+</li>\r
+<li>\r
+<p>\r
+Won’t convert packet rules (alert tcp etc.) to service rules (alert http\r
+ etc.).\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+alert_fast and alert_full: output configuration includes "file =\r
+ <em>foo.bar</em>", but file is a bool and you cannot specify an output file name\r
+ in the configuration.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+preprocessor ports option: ports <number> not supported.\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_runtime">Runtime</h4>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+-B <mask> feature does not work. It does ordinary IP address obfuscation\r
+ instead of using the mask.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Obfuscation does not work for csv format.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+The hext DAQ will append a newline to text lines (starting with <em>"</em>).\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+The hext DAQ does not support embedded quotes in text lines (use hex\r
+ lines as a workaround).\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+stream_tcp alert squash mechanism incorrectly squashes alerts for\r
+ different TCP packets.\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
</div>\r
</div>\r
</div>\r
<div id="footnotes"><hr /></div>\r
<div id="footer">\r
<div id="footer-text">\r
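Review bot: typo in the Rules item under Bugs: "metdata:service foo;" should read "metadata:service foo;", since the point of the item is that two separate metadata: options escape the duplicate-service warning, and the misspelled keyword would not reproduce that. Two smaller wording fixes in the same section: the Config item "Parsing issue with IP lists. can't parse rules with $EXTERNAL_NET ..." begins its second sentence in lowercase, and the snort2lua item has a doubled period in "pps_stream_tcp.cc..". The snort2lua item "Loses the ip list delimiters [ ]; change to ( )" is also hard to follow, because the example beneath it shows the converted form as "HOME_NET = [[A B C]]" and never shows parentheses; stating the expected converted form would make the bug reproducible.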
-Last updated 2016-11-16 08:37:01 EST\r
+Last updated 2016-12-15 23:03:37 EST\r
</div>\r
</div>\r
</body>\r
---------------------------------------------------------------------
-Snort++ User Manual
+Snort 3 User Manual
---------------------------------------------------------------------
1. Overview
- 1.1. Configuration
- 1.2. Modules
- 1.3. Plugins and Scripts
- 1.4. New Http Inspector
- 1.5. Binder and Wizard
- 1.6. Packet Processing
-
-2. Getting Started
-
- 2.1. Dependencies
- 2.2. Building
- 2.3. Run
- 2.4. Tips
- 2.5. Help
- 2.6. Common Errors
- 2.7. Gotchas
- 2.8. Bugs
-
-3. Features
-
- 3.1. File Processing
- 3.2. Performance Monitor
-
-4. Basic Modules
-
- 4.1. active
- 4.2. alerts
- 4.3. attribute_table
- 4.4. classifications
- 4.5. daq
- 4.6. decode
- 4.7. detection
- 4.8. event_filter
- 4.9. event_queue
- 4.10. file_id
- 4.11. high_availability
- 4.12. host_cache
- 4.13. host_tracker
- 4.14. hosts
- 4.15. ips
- 4.16. latency
- 4.17. memory
- 4.18. network
- 4.19. output
- 4.20. packets
- 4.21. process
- 4.22. profiler
- 4.23. rate_filter
- 4.24. references
- 4.25. rule_state
- 4.26. search_engine
- 4.27. side_channel
- 4.28. snort
- 4.29. suppress
-
-5. Codec Modules
-
- 5.1. arp
- 5.2. auth
- 5.3. ciscometadata
- 5.4. erspan2
- 5.5. erspan3
- 5.6. esp
- 5.7. eth
- 5.8. fabricpath
- 5.9. gre
- 5.10. gtp
- 5.11. icmp4
- 5.12. icmp6
- 5.13. igmp
- 5.14. ipv4
- 5.15. ipv6
- 5.16. mpls
- 5.17. pgm
- 5.18. pppoe
- 5.19. tcp
- 5.20. udp
- 5.21. vlan
-
-6. Inspector Modules
-
- 6.1. appid
- 6.2. arp_spoof
- 6.3. back_orifice
- 6.4. binder
- 6.5. dce_smb
- 6.6. dce_tcp
- 6.7. dce_udp
- 6.8. dnp3
- 6.9. dns
- 6.10. file_log
- 6.11. ftp_client
- 6.12. ftp_data
- 6.13. ftp_server
- 6.14. gtp_inspect
- 6.15. http_inspect
- 6.16. imap
- 6.17. modbus
- 6.18. normalizer
- 6.19. packet_capture
- 6.20. perf_monitor
- 6.21. pop
- 6.22. port_scan
- 6.23. port_scan_global
- 6.24. reputation
- 6.25. rpc_decode
- 6.26. sip
- 6.27. smtp
- 6.28. ssh
- 6.29. ssl
- 6.30. stream
- 6.31. stream_file
- 6.32. stream_icmp
- 6.33. stream_ip
- 6.34. stream_tcp
- 6.35. stream_udp
- 6.36. stream_user
- 6.37. telnet
- 6.38. wizard
-
-7. IPS Action Modules
-
- 7.1. react
- 7.2. reject
- 7.3. rewrite
-
-8. IPS Option Modules
-
- 8.1. ack
- 8.2. appids
- 8.3. asn1
- 8.4. base64_decode
- 8.5. bufferlen
- 8.6. byte_extract
- 8.7. byte_jump
- 8.8. byte_test
- 8.9. classtype
- 8.10. content
- 8.11. cvs
- 8.12. dce_iface
- 8.13. dce_opnum
- 8.14. dce_stub_data
- 8.15. detection_filter
- 8.16. dnp3_data
- 8.17. dnp3_func
- 8.18. dnp3_ind
- 8.19. dnp3_obj
- 8.20. dsize
- 8.21. file_data
- 8.22. file_type
- 8.23. flags
- 8.24. flow
- 8.25. flowbits
- 8.26. fragbits
- 8.27. fragoffset
- 8.28. gid
- 8.29. gtp_info
- 8.30. gtp_type
- 8.31. gtp_version
- 8.32. http_client_body
- 8.33. http_cookie
- 8.34. http_header
- 8.35. http_method
- 8.36. http_raw_cookie
- 8.37. http_raw_header
- 8.38. http_raw_request
- 8.39. http_raw_status
- 8.40. http_raw_trailer
- 8.41. http_raw_uri
- 8.42. http_stat_code
- 8.43. http_stat_msg
- 8.44. http_trailer
- 8.45. http_uri
- 8.46. http_version
- 8.47. icmp_id
- 8.48. icmp_seq
- 8.49. icode
- 8.50. id
- 8.51. ip_proto
- 8.52. ipopts
- 8.53. isdataat
- 8.54. itype
- 8.55. md5
- 8.56. metadata
- 8.57. modbus_data
- 8.58. modbus_func
- 8.59. modbus_unit
- 8.60. msg
- 8.61. pcre
- 8.62. pkt_data
- 8.63. priority
- 8.64. raw_data
- 8.65. reference
- 8.66. regex
- 8.67. rem
- 8.68. replace
- 8.69. rev
- 8.70. rpc
- 8.71. sd_pattern
- 8.72. seq
- 8.73. session
- 8.74. sha256
- 8.75. sha512
- 8.76. sid
- 8.77. sip_body
- 8.78. sip_header
- 8.79. sip_method
- 8.80. sip_stat_code
- 8.81. so
- 8.82. soid
- 8.83. ssl_state
- 8.84. ssl_version
- 8.85. stream_reassemble
- 8.86. stream_size
- 8.87. tag
- 8.88. tos
- 8.89. ttl
- 8.90. window
-
-9. Search Engine Modules
-10. SO Rule Modules
-11. Logger Modules
-
- 11.1. alert_csv
- 11.2. alert_fast
- 11.3. alert_full
- 11.4. alert_sfsocket
- 11.5. alert_syslog
- 11.6. log_codecs
- 11.7. log_hext
- 11.8. log_pcap
- 11.9. unified2
-
-12. DAQ Modules
-
- 12.1. Building the DAQ Library and DAQ Modules
- 12.2. PCAP Module
- 12.3. AFPACKET Module
- 12.4. NFQ Module
- 12.5. IPQ Module
- 12.6. IPFW Module
- 12.7. Dump Module
- 12.8. Netmap Module
- 12.9. Notes on iptables
- 12.10. Notes on FreeBSD::IPFW
- 12.11. Notes on OpenBSD::IPFW
- 12.12. Socket Module
- 12.13. File Module
- 12.14. Hext Module
-
-13. Snort++ vs Snort
-
- 13.1. Build Options
- 13.2. Command Line
- 13.3. Conf File
- 13.4. Rules
- 13.5. Output
- 13.6. HTTP Profiles
-
-14. Snort2Lua
-
- 14.1. Snort2Lua Command Line
- 14.2. Known Problems
- 14.3. Usage
-
-15. Extending Snort++
-
- 15.1. Plugins
- 15.2. Modules
- 15.3. Inspectors
- 15.4. Codecs
- 15.5. IPS Actions
- 15.6. Developers Guide
- 15.7. Piglet Test Harness
- 15.8. Piglet Lua API
-
-16. Coding Style
-
- 16.1. General
- 16.2. C++ Specific
- 16.3. Naming
- 16.4. Comments
- 16.5. Logging
- 16.6. Types
- 16.7. Macros (aka defines)
- 16.8. Formatting
- 16.9. Headers
- 16.10. Warnings
- 16.11. Uncrustify
-
-17. Reference
-
- 17.1. Terminology
- 17.2. Usage
- 17.3. Plugins
- 17.4. Output Files
- 17.5. Build Options
- 17.6. Environment Variables
- 17.7. Command Line Options
- 17.8. Parameters
- 17.9. Configuration
- 17.10. Counts
- 17.11. Generators
- 17.12. Builtin Rules
- 17.13. Command Set
- 17.14. Signals
- 17.15. Configuration Changes
- 17.16. Module Listing
+ 1.1. First Steps
+ 1.2. Configuration
+ 1.3. Output
+
+2. Concepts
+
+ 2.1. Terminology
+ 2.2. Modules
+ 2.3. Parameters
+ 2.4. Plugins
+ 2.5. Operation
+ 2.6. Rules
+ 2.7. Pattern Matching
+
+3. Tutorial
+
+ 3.1. Dependencies
+ 3.2. Building
+ 3.3. Running
+ 3.4. Tips
+ 3.5. Help
+ 3.6. Common Errors
+ 3.7. Gotchas
+
+4. Usage
+
+ 4.1. Environment
+ 4.2. Help
+ 4.3. Sniffing and Logging
+ 4.4. Configuration
+ 4.5. IDS mode
+ 4.6. Plugins
+ 4.7. Output Files
+ 4.8. DAQ Alternatives
+ 4.9. Logger Alternatives
+ 4.10. Shell
+ 4.11. Signals
+
+5. Features
+
+ 5.1. Binder
+ 5.2. DCE Inspectors
+ 5.3. File Processing
+ 5.4. HTTP Inspector
+ 5.5. Performance Monitor
+ 5.6. Sensitive Data Filtering
+ 5.7. Wizard
+
+6. Basic Modules
+
+ 6.1. active
+ 6.2. alerts
+ 6.3. attribute_table
+ 6.4. classifications
+ 6.5. daq
+ 6.6. decode
+ 6.7. detection
+ 6.8. event_filter
+ 6.9. event_queue
+ 6.10. file_id
+ 6.11. high_availability
+ 6.12. host_cache
+ 6.13. host_tracker
+ 6.14. hosts
+ 6.15. ips
+ 6.16. latency
+ 6.17. memory
+ 6.18. network
+ 6.19. output
+ 6.20. packets
+ 6.21. process
+ 6.22. profiler
+ 6.23. rate_filter
+ 6.24. references
+ 6.25. rule_state
+ 6.26. search_engine
+ 6.27. side_channel
+ 6.28. snort
+ 6.29. suppress
+
+7. Codec Modules
+
+ 7.1. arp
+ 7.2. auth
+ 7.3. ciscometadata
+ 7.4. erspan2
+ 7.5. erspan3
+ 7.6. esp
+ 7.7. eth
+ 7.8. fabricpath
+ 7.9. gre
+ 7.10. gtp
+ 7.11. icmp4
+ 7.12. icmp6
+ 7.13. igmp
+ 7.14. ipv4
+ 7.15. ipv6
+ 7.16. mpls
+ 7.17. pgm
+ 7.18. pppoe
+ 7.19. tcp
+ 7.20. udp
+ 7.21. vlan
+
+8. Inspector Modules
+
+ 8.1. appid
+ 8.2. arp_spoof
+ 8.3. back_orifice
+ 8.4. binder
+ 8.5. dce_smb
+ 8.6. dce_tcp
+ 8.7. dce_udp
+ 8.8. dnp3
+ 8.9. dns
+ 8.10. file_log
+ 8.11. ftp_client
+ 8.12. ftp_data
+ 8.13. ftp_server
+ 8.14. gtp_inspect
+ 8.15. http_inspect
+ 8.16. imap
+ 8.17. modbus
+ 8.18. normalizer
+ 8.19. packet_capture
+ 8.20. perf_monitor
+ 8.21. pop
+ 8.22. port_scan
+ 8.23. port_scan_global
+ 8.24. reputation
+ 8.25. rpc_decode
+ 8.26. sip
+ 8.27. smtp
+ 8.28. ssh
+ 8.29. ssl
+ 8.30. stream
+ 8.31. stream_file
+ 8.32. stream_icmp
+ 8.33. stream_ip
+ 8.34. stream_tcp
+ 8.35. stream_udp
+ 8.36. stream_user
+ 8.37. telnet
+ 8.38. wizard
+
+9. IPS Action Modules
+
+ 9.1. react
+ 9.2. reject
+ 9.3. rewrite
+
+10. IPS Option Modules
+
+ 10.1. ack
+ 10.2. appids
+ 10.3. asn1
+ 10.4. base64_decode
+ 10.5. bufferlen
+ 10.6. byte_extract
+ 10.7. byte_jump
+ 10.8. byte_test
+ 10.9. classtype
+ 10.10. content
+ 10.11. cvs
+ 10.12. dce_iface
+ 10.13. dce_opnum
+ 10.14. dce_stub_data
+ 10.15. detection_filter
+ 10.16. dnp3_data
+ 10.17. dnp3_func
+ 10.18. dnp3_ind
+ 10.19. dnp3_obj
+ 10.20. dsize
+ 10.21. file_data
+ 10.22. file_type
+ 10.23. flags
+ 10.24. flow
+ 10.25. flowbits
+ 10.26. fragbits
+ 10.27. fragoffset
+ 10.28. gid
+ 10.29. gtp_info
+ 10.30. gtp_type
+ 10.31. gtp_version
+ 10.32. http_client_body
+ 10.33. http_cookie
+ 10.34. http_header
+ 10.35. http_method
+ 10.36. http_raw_cookie
+ 10.37. http_raw_header
+ 10.38. http_raw_request
+ 10.39. http_raw_status
+ 10.40. http_raw_trailer
+ 10.41. http_raw_uri
+ 10.42. http_stat_code
+ 10.43. http_stat_msg
+ 10.44. http_trailer
+ 10.45. http_uri
+ 10.46. http_version
+ 10.47. icmp_id
+ 10.48. icmp_seq
+ 10.49. icode
+ 10.50. id
+ 10.51. ip_proto
+ 10.52. ipopts
+ 10.53. isdataat
+ 10.54. itype
+ 10.55. md5
+ 10.56. metadata
+ 10.57. modbus_data
+ 10.58. modbus_func
+ 10.59. modbus_unit
+ 10.60. msg
+ 10.61. pcre
+ 10.62. pkt_data
+ 10.63. priority
+ 10.64. raw_data
+ 10.65. reference
+ 10.66. regex
+ 10.67. rem
+ 10.68. replace
+ 10.69. rev
+ 10.70. rpc
+ 10.71. sd_pattern
+ 10.72. seq
+ 10.73. session
+ 10.74. sha256
+ 10.75. sha512
+ 10.76. sid
+ 10.77. sip_body
+ 10.78. sip_header
+ 10.79. sip_method
+ 10.80. sip_stat_code
+ 10.81. so
+ 10.82. soid
+ 10.83. ssl_state
+ 10.84. ssl_version
+ 10.85. stream_reassemble
+ 10.86. stream_size
+ 10.87. tag
+ 10.88. tos
+ 10.89. ttl
+ 10.90. window
+
+11. Search Engine Modules
+12. SO Rule Modules
+13. Logger Modules
+
+ 13.1. alert_csv
+ 13.2. alert_fast
+ 13.3. alert_full
+ 13.4. alert_sfsocket
+ 13.5. alert_syslog
+ 13.6. log_codecs
+ 13.7. log_hext
+ 13.8. log_pcap
+ 13.9. unified2
+
+14. DAQ Modules
+
+ 14.1. Building the DAQ Library and DAQ Modules
+ 14.2. PCAP Module
+ 14.3. AFPACKET Module
+ 14.4. NFQ Module
+ 14.5. IPQ Module
+ 14.6. IPFW Module
+ 14.7. Dump Module
+ 14.8. Netmap Module
+ 14.9. Notes on iptables
+ 14.10. Notes on FreeBSD::IPFW
+ 14.11. Notes on OpenBSD::IPFW
+ 14.12. Socket Module
+ 14.13. File Module
+ 14.14. Hext Module
+
+15. Snort 3 vs Snort 2
+
+ 15.1. Build Options
+ 15.2. Command Line
+ 15.3. Conf File
+ 15.4. Rules
+ 15.5. Output
+ 15.6. HTTP Profiles
+
+16. Snort2Lua
+
+ 16.1. Snort2Lua Command Line
+ 16.2. Known Problems
+ 16.3. Usage
+
+17. Extending Snort
+
+ 17.1. Plugins
+ 17.2. Modules
+ 17.3. Inspectors
+ 17.4. Codecs
+ 17.5. IPS Actions
+ 17.6. Developers Guide
+ 17.7. Piglet Test Harness
+ 17.8. Piglet Lua API
+
+18. Coding Style
+
+ 18.1. General
+ 18.2. C++ Specific
+ 18.3. Naming
+ 18.4. Comments
+ 18.5. Logging
+ 18.6. Types
+ 18.7. Macros (aka defines)
+ 18.8. Formatting
+ 18.9. Headers
+ 18.10. Warnings
+ 18.11. Uncrustify
+
+19. Reference
+
+ 19.1. Build Options
+ 19.2. Environment Variables
+ 19.3. Command Line Options
+ 19.4. Configuration
+ 19.5. Counts
+ 19.6. Generators
+ 19.7. Builtin Rules
+ 19.8. Command Set
+ 19.9. Signals
+ 19.10. Configuration Changes
+ 19.11. Module Listing
+ 19.12. Plugin Listing
+ 19.13. Bugs
Snorty
,,_ -*> Snort++ <*-
-o" )~ Version 3.0.0-a4 (Build 218) from 2.9.7-262
+o" )~ Version 3.0.0-a4 (Build 221) from 2.9.8-383
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.
---------------------------------------------------------------------
-Snort++ is an updated version of the Snort IPS (intrusion prevention
-system). This document assumes you have some familiarity with Snort
-and are looking to see what Snort++ has to offer. Here are some of
-the basic goals for Snort++:
+Snort 3.0 is an updated version of the Snort Intrusion Prevention
+System (IPS) which features a new design that provides a superset of
+Snort 2.X functionality with better throughput, detection,
+scalability, and usability. Some of the key features of Snort 3.0
+are:
* Support multiple packet processing threads
* Use a shared configuration and attribute table
- * Use a simple, scriptable configuration
- * Make key components pluggable
- * Autogenerate reference documentation
* Autodetect services for portless configuration
- * Support sticky buffers in rules
- * Provide better cross platform support
+ * Modular design
+ * Plugin framework with over 200 plugins
+ * More scalable memory profile
+ * LuaJIT configuration, loggers, and rule options
+ * Hyperscan support
+ * Rewritten TCP handling
+ * New rule parser and syntax
+ * Service rules like alert http
+ * Rule "sticky" buffers
+ * Way better SO rules
+ * New HTTP inspector
+ * New performance monitor
+ * New time and space profiling
+ * New latency monitoring and enforcement
+ * Piglets to facilitate component testing
+ * Inspection Events
+ * Automake and Cmake
+ * Autogenerate reference documentation
-The above goals are met with this first alpha release. Additional,
-longer-term goals are:
+Additional features are on the road map:
* Use a shared network map
+ * Support hardware offload for fast pattern acceleration
+ * Provide support for DPDK and ODP
* Support pipelining of packet processing
- * Support hardware offload and data plane integration
- * Rewrite critical modules like TCP reassembly and HTTP inspection
* Support proxy mode
- * Facilitate component testing
- * Simplify memory management
- * Provide all of Snort’s functionality
+ * Multi-tennant support
+ * Incremental reload
+ * New serialization of perf data and events
+ * Enhanced rule processing
+ * Windows support
+ * Anomaly detection
+ * and more!
-This first alpha release is based on Snort 2.9.6-9 and excludes all
-but one of Snort’s dynamic preprocessors. Work is underway to port
-that functionality and additions will be rolled out as they become
-available.
+The remainder of this section provides a high level survey of the
+inputs, processing, and outputs available with Snort 3.0.
+
+Snort++ is the project that is creating Snort 3.0. In this manual
+"Snort" or "Snort 3" refers to the 3.0 version and earlier versions
+will be referred to as "Snort 2" where the distinction is relevant.
-1.1. Configuration
+1.1. First Steps
--------------
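Review bot: spelling in the road-map list: "Multi-tennant support" should be "Multi-tenant support", and "Automake and Cmake" should use the project's own capitalisation, "CMake".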
-Note that retaining backwards compatibility is not a goal. While
-Snort++ leverages some of the Snort code base, a lot has changed. The
-configuration of Snort++ is done with Lua, so your old conf won’t
-work as is. Rules are still text based but nonetheless incompatible.
-However, Snort2Lua will help you convert your conf and rules to the
-new format.
+Snort can be configured to perform complex packet processing and deep
+packet inspection but it is best start simply and work up to more
+interesting tasks. Snort won’t do anything you didn’t specifically
+ask it to do so it is safe to just try things out and see what
+happens. Let’s start by just running Snort with no arguments:
+
+$ snort
+
+That will output usage information including some basic help
+commands. You should run all of these commands now to see what is
+available:
+
+$ snort -V
+$ snort -?
+$ snort --help
+
+Note that Snort has extensive command line help available so if
+anything below isn’t clear, there is probably a way to get the exact
+information you need from the command line.
+
+Now let’s examine the packets in a capture file (pcap):
+
+$ snort -r a.pcap
+
+Snort will decode and count the packets in the file and output some
+statistics. Note that the output excludes non-zero numbers so it is
+easy to see what is there.
+
+You may have noticed that there are command line options to limit the
+number of packets examined or set a filter to select particular
+packets. Now is a good time to experiment with those options.
+
+If you want to see details on each packet, you can dump the packets
+to console like this:
+
+$ snort -r a.pcap -L dump
+
+Add the -d option to see the TCP and UDP payload. Now let’s switch to
+live traffic. Replace eth0 in the below command with an available
+network interface:
+
+$ snort -i eth0 -L dump
-The original Snort manual may be useful for some background
-information not yet documented for Snort++. The configuration
-differences are given in this manual.
+Unless the interface is taken down, Snort will just keep running, so
+enter Control-C to terminate or use the -n option to limit the number
+of packets.
+Generally it is better to capture the packets for later analysis like
+this:
+
+$ snort -i eth0 -L pcap -n 10
+
+Snort will write 10 packets to log.pcap.# where # is a timestamp
+value. You can read these back with -r and dump to console or pcap
+with -L. You get the idea.
+
+Note that you can do similar things with other tools like tcpdump or
+Wireshark however these commands are very useful when you want to
+check your Snort setup.
+
+The examples above use the default pcap DAQ. Snort supports non-pcap
+interfaces as well via the DAQ (data acquisition) library. Other DAQs
+provide additional functionality such as inline operation and/or
+higher performance. There are even DAQs that support raw file
+processing (ie without packets), socket processing, and plain text
+packets. To load external DAQ libraries and see available DAQs or
+select a particular DAQ use one of these commands:
+
+$ snort --daq-dir <path> --daq-list
+$ snort --daq-dir <path> --daq <type>
+
+Be sure to put the --daq-dir option ahead of the --daq-list option or
+the external DAQs won’t appear in the list.
+
+To leverage intrusion detection features of Snort you will need to
+provide some configuration details. The next section breaks down what
+must be done.
-1.2. Modules
+
+1.2. Configuration
--------------
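Review bot: the sentence "Note that the output excludes non-zero numbers so it is easy to see what is there" contradicts itself; as written it says the counts that are present are the ones left out. It should say that zero-valued counters are omitted (or that only non-zero counts are shown). Also in this hunk: "it is best start simply" is missing "to", and the paragraph beginning "Generally it is better to capture the packets for later analysis" runs straight on from "of packets." without the blank line that separates every other paragraph in the section.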
-Snort++ is organized into a collection of builtin and plugin modules.
+Effective configuration of Snort is done via the environment, command
+line, a Lua configuration file, and a set of rules.
+
+Note that backwards compatibility with Snort 2 was sacrificed to
+obtain new and improved functionality. While Snort 3 leverages some
+of the Snort 2 code base, a lot has changed. The configuration of
+Snort 3 is done with Lua, so your old conf won’t work as is. Rules
+are still text based but with syntax tweaks, so your 2.X rules must
+be fixed up. However, snort2lua will help you convert your conf and
+rules to the new format.
+
+1.2.1. Environment
+
+LUA_PATH must be set based on your install:
+
+LUA_PATH=$install_prefix/include/snort/lua/\?.lua\;\;
+
+SNORT_LUA_PATH must be set to load auxiliary configuration files if
+you use the default snort.lua. For example:
+
+export SNORT_LUA_PATH=$install_prefix/etc/snort
+
+1.2.2. Command Line
+
+A simple command line might look like this:
+
+snort -c snort.lua -R cool.rules -r some.pcap -A cmg
+
+To understand what that does, you can start by just running snort
+with no arguments by running snort --help. Help for all configuration
+and rule options is available via a suitable command line. In this
+case:
+
+-c snort.lua is the main configuration file. This is a Lua script
+that is executed when loaded.
+
+-R cool.rules contains some detection rules. You can write your own
+or obtain them from Talos (native 3.0 rules are not yet available
+from Talos so you must convert them with snort2lua). You can also put
+your rules directly in your configuration file.
+
+-r some.pcap tells Snort to read network traffic from the given
+packet capture file. You could instead use -i eth0 to read from a
+live interface. There many other options available too depending on
+the DAQ you use.
+
+-A cmg says to output intrusion events in "cmg" format, which has
+basic header details followed by the payload in hex and text.
+
+Note that you add to and/or override anything in your configuration
+file by using the --lua command line option. For example:
+
+--lua 'ips = { enable_builtin_rules = true }'
+
+will load the built-in decoder and inspector rules. In this case, ips
+is overwritten with the config you see above. If you just want to
+change the config given in your configuration file you would do it
+like this:
+
+--lua 'ips.enable_builtin_rules = true'
+
+1.2.3. Configuration File
+
+The configuration file gives you complete control over how Snort
+processes packets. Start with the default snort.lua included in the
+distribution because that contains some key ingredients. Note that
+most of the configurations look like:
+
+stream = { }
+
+This means enable the stream module using internal defaults. To see
+what those are, you could run:
+
+snort --help-config stream
+
+Snort is organized into a collection of builtin and plugin modules.
If a module has parameters, it is configured by a Lua table of the
same name. For example, we can see what the active module has to
offer with this command:
active = { max_responses = 1, min_interval = 5 }
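Review bot: the LUA_PATH example under 1.2.1 (`LUA_PATH=$install_prefix/include/snort/lua/\?.lua\;\;`) is a plain shell assignment without `export`, while the SNORT_LUA_PATH example two lines later uses `export`; as written the first variable is not placed in the environment and Snort will not see it, so both lines should use `export` (or the text should say to export it). In the same region, "you can start by just running snort with no arguments by running snort --help" contradicts itself (no arguments versus `--help`), and the sentence "Help for all configuration and rule options is available via a suitable command line. In this case:" ends without naming the command it is introducing; pick one of the two phrasings and give the actual help command before the option breakdown. Minor: "There many other options" is missing "are".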
+1.2.4. Rules
-1.3. Plugins and Scripts
+Rules determine what Snort is looking for. They can be put directly
+in your Lua configuration file with the ips module, on the command
+line with --lua, or in external files. Generally you will have many
+rules obtained from various sources such as Talos and loading
+external files is the way to go so we will summarize that here. Add
+this to your Lua configuration:
---------------
+ips = { include = 'rules.txt' }
-There are several plugin types:
+to load the external rules file named rules.txt. You can only specify
+one file this way but rules files can include other rules files with
+the include statement. In addition you can load rules like:
- * Codec - to decode and encode packets
- * Inspector - like the prior preprocessors, for normalization, etc.
- * IpsOption - for detection in Snort++ IPS rules
- * IpsAction - for custom rule actions
- * Logger - for handling events
- * Mpse - for fast pattern matching
- * So - for dynamic rules
+$ sort -c snort.lua -R rules.txt
-Most plugins can be built statically or dynamically. By default they
-are all static. There is no difference in functionality between
-static or dynamic plugins but the dynamic build generates a slightly
-lighter weight binary. Either way you can add dynamic plugins with
---plugin-path and newer versions will replace older versions, even
-when built statically.
+You can use both approaches together.
-The power of plugins is that they have a very focused purpose and can
-be created with relative ease. For example, you can extend the rule
-language by writing your own IpsOption and it will plug in and
-function just like existing options. The extra directory has examples
-of each type of plugin.
+1.2.5. Converting Your 2.X Configuration
+
+If you have a working 2.X configuration snort2lua makes it easy to
+get up and running with Snort 3. This tool will convert your
+configuration and/or rules files automatically. You will want to
+clean up the results and double check that it is doing exactly what
+you need.
-Some things just need to be tweaked or prototyped quickly. In
-addition to the Lua conf, which is a script that can contain
-functions to compute settings, etc., you can also script Loggers and
-IpsOptions.
+snort2lua -c snort.conf
+The above command will generate snort.lua based on your 2.X
+configuration. For more information and options for more
+sophisticated use cases, see the Snort2Lua section later in the
+manual.
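Review bot: the rules example `$ sort -c snort.lua -R rules.txt` invokes `sort` instead of `snort`; anyone copying this line gets the coreutils sort command rejecting `-c snort.lua`, so fix the binary name. It is also worth saying, next to "You can only specify one file this way", whether a relative `include = 'rules.txt'` is resolved against the working directory or against the location of the Lua file that contains it, since the two behave differently when Snort is started from a service manager rather than from the config directory.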
-1.4. New Http Inspector
+
+1.3. Output
--------------
-One of the major undertakings for Snort 3.0 is developing a
-completely new HTTP inspector. You can configure it by adding:
+Snort can produce quite a lot of data. In the following we will
+summarize the key aspects of the core output types. Additional data
+such as from appid is covered later.
-http_inspect = {}
+1.3.1. Basic Statistics
-to your snort.lua configuration file. Or you can read it in the
-source code under src/service_inspectors/http_inspect.
+At shutdown, Snort will output various counts depending on
+configuration and the traffic processed. Generally, you may see:
-The classic HTTP preprocessor is still available in the alpha release
-under extra. It has been renamed http_server. Be sure not to
-configure both old and new HTTP inspectors at the same time.
+ * Packet Statistics - this includes data from the DAQ and decoders
+ such as the number of packets received and number of UDP packets.
+ * Module Statistics - each module tracks activity via a set of peg
+ counts that indicate how many times something was observed or
+ performed. This might include the number of HTTP GET requests
+ processed and the number of TCP reset packets trimmed.
+ * File Statistics - look here for a breakdown of file type, bytes,
+ signatures.
+ * Summary Statistics - this includes total runtime for packet
+ processing and the packets per second. Profiling data will appear
+ here as well if configured.
-So why a new HTTP inspector?
+Note that only the non-zero counts are output. Run this to see the
+available counts:
-For starters it is object-oriented. That’s good for us because we
-maintain this software. But it should also be really nice for
-open-source developers. You can make meaningful changes and additions
-to HTTP processing without having to understand the whole thing. In
-fact much of the new HTTP inspector’s knowledge of HTTP is
-centralized in a series of tables where it can be easily reviewed and
-modified. Many significant changes can be made just by updating these
-tables.
+$ snort --help-counts
-Http_inspect is the first inspector written specifically for the new
-Snort 3.0 architecture. That provides access to one of the very best
-features of Snort 3.0: purely PDU-based inspection. The classic
-preprocessor processes HTTP messages, but even while doing so it is
-constantly aware of IP packets and how they divide up the TCP data
-stream. The same HTTP message might be processed differently
-depending on how the sender (bad guy) divided it up into IP packets.
+1.3.2. Alerts
-Http_inspect is free of this burden and can focus exclusively on
-HTTP. That makes it much simpler, easier to test, and less prone to
-false positives. It also greatly reduces the opportunity for
-adversaries to probe the inspector for weak spots by adjusting packet
-boundaries to disguise bad behavior.
+If you configured rules, you will need to configure alerts to see the
+details of detection events. Use the -A option like this:
-Dealing solely with HTTP messages also opens the door for developing
-major new features. The http_inspect design supports true stateful
-processing. Want to ask questions that involve both the client
-request and the server response? Or different requests in the same
-session? These things are possible.
+$ snort -c snort.lua -r a.pcap -A cmg
-Another new feature on the horizon is HTTP/2 analysis. HTTP/2 derives
-from Google’s SPDY project and is in the process of being
-standardized. Despite the name, it is better to think of HTTP/2 not
-as a newer version of HTTP/1.1, but rather a separate protocol layer
-that runs under HTTP/1.1 and on top of TLS or TCP. It’s a perfect fit
-for the new Snort 3.0 architecture because a new HTTP/2 inspector
-would naturally output HTTP/1.1 messages but not any underlying
-packets. Exactly what http_inspect wants to input.
+There are many types of alert outputs possible. Here is a brief list:
-Http_inspect is taking a very different approach to HTTP header
-fields. The classic preprocessor divides all the HTTP headers
-following the start line into cookies and everything else. It
-normalizes the two pieces using a generic process and puts them in
-buffers that one can write rules against. There is some limited
-support for examining individual headers within the inspector but it
-is very specific.
+ * -A cmg is the same as -A fast -d -e and will show information
+ about the alert along with packet headers and payload.
+ * -A u2 is the same as -A unified2 and will log events and
+ triggering packets in a binary file that you can feed to other
+ tools for post processing. Note that Snort 3 does not provide the
+ raw packets for alerts on PDUs; you will get the actual buffer
+ that alerted.
+ * -A csv will output various fields in comma separated value
+ format. This is entirely customizable and very useful for pcap
+ analysis.
-The new concept is that every header should be normalized in an
-appropriate and specific way and individually made available for the
-user to write rules against it. If for example a header is supposed
-to be a date then normalization means put that date in a standard
-format.
+To see the available alert types, you can run this command:
+$ snort --list-plugins | grep logger
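Review bot: the `-A u2` bullet tells readers to feed the binary file to other tools for post processing and, in the same breath, that PDU alerts log "the actual buffer that alerted" rather than the raw packet; it does not say what that means for those tools. A sentence on whether such records still carry link-layer and IP/TCP headers (that is, whether they can be replayed or decoded as a normal packet) or are bare reassembled payload would save post-processing pipelines a surprise. The cmg bullet could likewise say that the hex and text payload it prints is the same buffer, not necessarily the wire packet.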
-1.5. Binder and Wizard
+1.3.3. Files and Paths
---------------
+Note that output is specific to each packet thread. If you run 4
+packet threads with u2 output, you will get 4 different u2 files. The
+basic structure is:
-One of the fundamental differences between Snort and Snort++ concerns
-configuration related to networks and ports. Here is a brief review
-of Snort’s configuration for network and service related components:
+<logdir>/[<run_prefix>][<id#>][<X>]<name>
- * Snort’s configuration has a default policy and optional policies
- selected by VLAN or network (with config binding).
- * Each policy contains a user defined set of preprocessor
- configurations.
- * Each preprocessor has a default configuration and some support
- non-default configurations selected by network.
- * Most preprocessors have port configurations.
- * The default policy may also contain a list of ports to ignore.
+where:
-In Snort++, the above configurations are done in a single module
-called the binder. Here is an example:
+ * logdir is set with -l and defaults to ./
+ * run_prefix is set with --run-prefix else not used
+ * id# is the packet thread number that writes the file; with one
+ packet thread, id# (zero) is omitted without --id-zero
+ * X is / if you use --id-subdir, else _ if id# is used
+ * name is based on module name that writes the file
-binder =
-{
- -- allow all tcp port 22:
- -- (similar to snort 2.X config ignore_ports)
- { when = { proto = 'tcp', ports = '22' }, use = { action = 'allow' } },
+Additional considerations:
--- select a config file by vlan
--- (similar to snort 2.X config binding by vlan)
-{ when = { vlans = '1024' }, use = { file = 'vlan.lua' } },
+ * There is no way to explicitly configure a full path to avoid
+ issues with multiple packet threads.
+ * All text mode outputs default to stdout
--- use a non-default HTTP inspector for port 8080:
--- (similar to a snort 2.X targeted preprocessor config)
-{ when = { nets = '192.168.0.0/16', proto = 'tcp', ports = '8080' },
- use = { name = 'alt_http', type = 'http_inspect' } },
+1.3.4. Performance Statistics
--- use the default inspectors:
--- (similar to a snort 2.X default preprocessor config)
-{ when = { proto = 'tcp' }, use = { type = 'stream_tcp' } },
-{ when = { service = 'http' }, use = { type = 'http_inspect' } },
+Still more data is available beyond the above.
- -- figure out which inspector to run automatically:
- { use = { type = 'wizard' } }
-}
+ * By configuring the perf_monitor module you can capture a
+ configurable set of peg counts during runtime. This is useful to
+ feed to an external program so you can see what is happening
+ without stopping Snort.
+ * The profiler module allows you to track time and space used by
+ module and rules. Use this data to tune your system for best
+ performance. The output will show up under Summary Statistics at
+ shutdown.
-Bindings are evaluated when a session starts and again if and when
-service is identified on the session. Essentially, the bindings are a
-list of when-use rules evaluated from top to bottom. The first
-matching network and service configurations are applied. binder.when
-can contain any combination of criteria and binder.use can specify an
-action, config file, or inspector configuration.
-Using the wizard enables port-independent configuration and the
-detection of malware command and control channels. If the wizard is
-bound to a session, it peeks at the initial payload to determine the
-service. For example, GET would indicate HTTP and HELO would indicate
-SMTP. Upon finding a match, the service bindings are reevaluated so
-the session can be handed off to the appropriate inspector. The
-wizard is still under development; if you find you need to tweak the
-defaults please let us know.
+---------------------------------------------------------------------
-Additional Details:
+2. Concepts
- * If the wizard and one or more service inspectors are configured w
- /o explicitly configuring the binder, default bindings will be
- generated which should work for most common cases.
- * Also note that while Snort 2.X bindings can only be configured in
- the default policy, each Snort 3.0 policy can contain a binder
- leading to an arbitrary hierarchy.
- * The entire configuration can be reloaded and hot-swapped during
- run-time via signal or command in both Snort 2.X and 3.0.
- Ultimately, Snort 3.0 will support commands to update the binder
- on the fly, thus enabling incremental reloads of individual
- inspectors.
- * Both Snort 2.X and 3.0 support server specific configurations via
- a hosts table (XML in Snort 2.X and Lua in Snort 3.0). The table
- allows you to map network, protocol, and port to a service and
- policy. This table can be reloaded and hot-swapped separately
- from the config file.
- * You can find the specifics on the binder, wizard, and hosts
- tables in the manual or command line like this: snort
- --help-module binder, etc.
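Review bot: this change deletes the only worked binder/wizard configuration in the manual (the `binder = { ... }` block with its when/use entries for allowing port 22, selecting a config by VLAN, a targeted `alt_http` inspector, the default inspectors and the wizard fallback, plus the paragraph explaining that bindings are evaluated top to bottom on session start and again on service identification). The replacement text in this change only defines binder and wizard in one line each under 2.1 Terminology, so the top-to-bottom evaluation order and the first-match semantics, which decide whether an allow rule short-circuits inspection, are no longer documented anywhere in the visible text; keep the example and the evaluation paragraph, or move them into the Concepts section. Separately, the 1.3.3 path template `<logdir>/[<run_prefix>][<id#>][<X>]<name>` would be clearer with one concrete expansion for the multi-thread case it warns about, given that `X` changes between `/` and `_` depending on `--id-subdir`.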
+---------------------------------------------------------------------
+
+This section provides background on essential aspects of Snort’s
+operation.
-1.6. Packet Processing
+2.1. Terminology
--------------
-One of the goals of Snort++ is to provide a more flexible framework
-for packet processing by implementing an event-driven approach.
-Another is to produce data only when needed, to minimize expensive
-normalizations. To help explain these concepts, let’s start by
-examining how Snort processes packets. The key steps are given in the
-following figure:
+ * basic module: a module integrated into Snort that does not come
+ from a plugin.
+ * binder: inspector that maps configuration to traffic
+ * builtin rules: codec and inspector rules for anomalies detected
+ internally.
+ * codec: short for coder / decoder. These plugins are used for
+ basic protocol decoding, anomaly detection, and construction of
+ active responses.
+ * data module: an adjunct configuration plugin for use with certain
+ inspectors.
+ * dynamic rules: plugin rules loaded at runtime. See SO rules.
+ * fast pattern: the content in an IPS rule that must be found by
+ the search engine in order for a rule to be evaluated.
+ * fast pattern matcher: see search engine.
+ * hex: a type of protocol magic that the wizard uses to identify
+ binary protocols.
+ * inspector: plugin that processes packets (similar to the Snort 2
+ preprocessor)
+ * IPS: intrusion prevention system, like Snort.
+ * IPS action: plugin that allows you to perform custom actions when
+ events are generated. Unlike loggers, these are invoked before
+ thresholding and can be used to control external agents or send
+ active responses.
+ * IPS option: this plugin is the building blocks of IPS rules.
+ * logger: a plugin that performs output of events and packets.
+ Events are thresholded before reaching loggers.
+ * module: the user facing portion of a Snort component. Modules
+ chiefly provide configuration parameters, but may also provide
+ commands, builtin rules, profiling statistics, peg counts, etc.
+ Note that not all modules are plugins and not all plugins have
+ modules.
+ * peg count: the number of times a given event or condition occurs.
+ * plugin: one of several types of software components that can be
+ loaded from a dynamic library when Snort starts up. Some plugins
+ are coupled with the main engine in such a way that they must be
+ built statically, but a newer version can be loaded dynamically.
+ * search engine: a plugin that performs multipattern searching of
+ packets and payload to find rules that should be evaluated. There
+ are currently no specific modules, although there are several
+ search engine plugins. Related configuration is done with the
+ basic detection module. Aka fast pattern matcher.
+ * SO rule: a IPS rule plugin that performs custom detection that
+ can’t be done by a text rule. These rules typically do not have
+ associated modules. SO comes from shared object, meaning dynamic
+ library.
+ * spell: a type of protocol magic that the wizard uses to identify
+ ASCII protocols.
+ * text rule: a rule loaded from the configuration that has a header
+ and body. The header specifies action, protocol, source and
+ destination IP addresses and ports, and direction. The body
+ specifies detection and non-detection options.
+ * wizard: inspector that applies protocol magic to determine which
+ inspectors should be bound to traffic absent a port specific
+ binding. See hex and spell.
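Review bot: the IPS action and logger entries together state that actions run before thresholding while loggers see thresholded events, which has a practical consequence the glossary should spell out: event filters and thresholds do not rate-limit active responses, so a noisy rule bound to an action that sends active responses or drives an external agent will fire on every match. One sentence to that effect in the IPS action entry would prevent a common misconfiguration. Grammar: "IPS option: this plugin is the building blocks" mixes singular and plural, and "SO rule: a IPS rule plugin" should read "an IPS rule plugin".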
-Snort 2X
-The preprocess step is highly configurable. Arbitrary preprocessors
-can be loaded dynamically at startup, configured in snort.conf, and
-then executed at runtime. Basically, the preprocessors are put into a
-list which is iterated for each packet. Recent versions have tweaked
-the list handling some, but the same basic architecture has allowed
-Snort to grow from a sniffer, with no preprocessing, to a
-full-fledged IPS, with lots of preprocessing.
+2.2. Modules
-While this "list of plugins" approach has considerable flexibility,
-it hampers future development when the flow of data from one
-preprocessor to the next depends on traffic conditions, a common
-situation with advanced features like application identification. In
-this case, a preprocessor like HTTP may be extracting and normalizing
-data that ultimately is not used, or app ID may be repeatedly
-checking for data that is just not available.
+--------------
-Callbacks help break out of the preprocess straightjacket. This is
-where one preprocessor supplies another with a function to call when
-certain data is available. Snort has started to take this approach to
-pass some HTTP and SIP preprocessor data to app ID. However, it
-remains a peripheral feature and still requires the production of
-data that may not be consumed.
+Modules are the building blocks of Snort. They encapsulate the types
+of data that many components need including parameters, peg counts,
+profiling, builtin rules, and commands. This allows Snort to handle
+them generically and consistently. You can learn quite a lot about
+any given module from the command line. For example, to see what
+stream_tcp is all about, do this:
-The basic processing steps Snort++ takes are similar to Snort’s as
-seen in the following diagram. The preprocess step employs specific
-inspector types instead of a generalized list, but the basic
-procedure includes stateless packet decoding, TCP stream reassembly,
-and service specific analysis in both cases. (Snort++ provides hooks
-for arbitrary inspectors, but they are not central to basic flow
-processing and are not shown.)
+$ snort --help-config stream_tcp
-Snort 3X
+Modules are configured using Lua tables with the same name. So the
+stream_tcp module is configured with defaults like this:
-However, Snort++ also provides a more flexible mechanism than
-callback functions. By using inspection events, it is possible for an
-inspector to supply data that other inspectors can process. This is
-known as the observer pattern or publish-subscribe pattern.
+stream_tcp = { }
-Note that the data is not actually published. Instead, access to the
-data is published, and that means that subscribers can access the raw
-or normalized version(s) as needed. Normalizations are done only on
-the first access, and subsequent accesses get the previously
-normalized data. This results in just in time (JIT) processing.
+The earlier help output showed that the default session tracking
+timeout is 30 seconds. To change that to 60 seconds, you can
+configure it this way:
-A basic example of this in action is provided by the extra data_log
-plugin. It is a passive inspector, ie it does nothing until it
-receives the data it subscribed for (other in the above diagram). By
-adding data_log = { key = http_raw_uri } to your snort.lua
-configuration, you will get a simple URI logger.
+stream_tcp = { session_timeout = 60 }
-Inspection events coupled with pluggable inspectors provide a very
+Or this way:
+
+stream_tcp = { }
+stream_tcp.session_timeout = 60
+
+More on parameters is given in the next section.
+
+Other things to note about modules:
+
+ * Shutdown output will show the non-zero peg counts for all
+ modules. For example, if stream_tcp did anything, you would see
+ the number of sessions processed among other things.
+ * Providing the builtin rules allows the documentation to include
+ them automatically and also allows for autogenerating the rules
+ at startup.
+ * Only a few module provide commands at this point, most notably
+ the snort module.
+
+
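Review bot: the sentence "The earlier help output showed that the default session tracking timeout is 30 seconds" refers to output that is not shown; only the command `snort --help-config stream_tcp` appears above it. Either quote the `session_timeout` line of that output where the command is introduced, or reword to "running the help command above shows that ...", so the 30 second figure is traceable. Also "Only a few module provide commands" should be "modules".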
+2.3. Parameters
+
+--------------
+
+Parameters are given with this format:
+
+type name = default: help { range }
+
+The following types are used:
+
+ * addr: any valid IP4 or IP6 address or CIDR
+ * addr_list: a space separated list of addr values
+ * bit_list: a list of consecutive integer values from 1 to the
+ range maximum
+ * bool: true or false
+ * dynamic: a select type determined by loaded plugins
+ * enum: a string selected from the given range
+ * implied: an IPS rule option that takes no value but means true
+ * int: a whole number in the given range
+ * ip4: an IP4 address or CIDR
+ * mac: an ethernet address with the form 01:02:03:04:05:06
+ * multi: one or more space separated strings from the given range
+ * port: an int in the range 0:65535 indicating a TCP or UDP port
+ number
+ * real: a real number in the given range
+ * select: a string selected from the given range
+ * string: any string with no more than the given length, if any
+
+The parameter name may be adorned in various ways to indicate
+additional information about the type and use of the parameter:
+
+ * For Lua configuration (not IPS rules), if the name ends with []
+ it is a list item and can be repeated.
+ * For IPS rules only, names starting with ~ indicate positional
+ parameters. The names of such parameters do not appear in the
+ rule.
+ * IPS rules may also have a wild card parameter, which is indicated
+ by a *. Only used for metadata that Snort ignores.
+ * The snort module has command line options starting with a -.
+
+Some additional details to note:
+
+ * Table and variable names are case sensitive; use lower case only.
+ * String values are case sensitive too; use lower case only.
+ * Numeric ranges may be of the form low:high where low and high are
+ bounds included in the range. If either is omitted, there is no
+ hard bound. E.g. 0: means any x where x >= 0.
+ * Strings may have a numeric range indicating a length limit;
+ otherwise there is no hard limit.
+ * bit_list is typically used to store a set of byte, port, or VLAN
+ ID values.
+
+
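Review bot: the type list describes `bit_list` as "a list of consecutive integer values from 1 to the range maximum", but the note at the end of the same section says it is used "to store a set of byte, port, or VLAN ID values", which are not consecutive; the first wording reads as if only contiguous runs are accepted. Suggest "a set of integer values, each between 1 and the range maximum" so the two statements agree and readers know an arbitrary selection of ports or VLAN IDs is valid.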
+2.4. Plugins
+
+--------------
+
+Snort uses a variety of plugins to accomplish much of its processing
+objectives, including:
+
+ * Codec - to decode and encode packets
+ * Inspector - like Snort 2 preprocessors, for normalization, etc.
+ * IpsOption - for detection in Snort rules
+ * IpsAction - for custom actions
+ * Logger - for handling events
+ * Mpse - for fast pattern matching
+ * So - for dynamic rules
+
+The power of plugins is that they have a very focused purpose and can
+be created with relative ease. For example, you can extend the rule
+language by writing your own IpsOption and it will plug in and
+function just like existing options. The extra directory has examples
+of each type of plugin.
+
+Most plugins can be built statically or dynamically. By default they
+are all static. There is no difference in functionality between
+static or dynamic plugins but the dynamic build generates a slightly
+lighter weight binary. Either way you can add dynamic plugins with
+--plugin-path and newer versions will replace older versions, even
+when built statically.
+
+A single dynamic library may contain more than one plugin. For
+example, an inspector will typically be packaged together with any
+associated rule options.
+
+
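Review bot: the statement that plugins loaded from `--plugin-path` "will replace older versions, even when built statically" means a dynamic library in that directory can silently take over a core inspector, rule option, action or logger; the section should add the operational caveat that the plugin directory must be owned by and writable only by the account that installs Snort, and that a writable plugin path is a straightforward way for a local user to alter detection or disable logging. Saying how Snort decides which of two versions is newer (and whether that decision is reported at startup) would also help operators confirm what was actually loaded.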
+2.5. Operation
+
+--------------
+
+Snort is a signature-based IPS, which means that as it receives
+network packets it reassembles and normalizes the content so that a
+set of rules can be evaluated to detect the presence of any
+significant conditions that merit further action. A rough processing
+flow is as follows:
+
+Snort 2
+
+The steps are:
+
+ 1. Decode each packet to determine the basic network characteristics
+ such as source and destination addresses and ports. A typical
+ packet might have ethernet containing IP containing TCP
+ containing HTTP (ie eth:ip:tcp:http). The various encapsulating
+ protocols are examined for sanity and anomalies as the packet is
+ decoded. This is essentially a stateless effort.
+ 2. Preprocess each decoded packet using accumulated state to
+ determine the purpose and content of the innermost message. This
+ step may involve reordering and reassembling IP fragments and TCP
+ segments to produce the original application protocol data unit
+ (PDU). Such PDUs are analyzed and normalized as needed to support
+ further processing.
+ 3. Detection is a two step process. For efficiency, most rules
+ contain a specific content pattern that can be searched for such
+ that if no match is found no further processing is necessary.
+ Upon start up, the rules are compiled into pattern groups such
+ that a single, parallel search can be done for all patterns in
+ the group. If any match is found, the full rule is examined
+ according to the specifics of the signature.
+ 4. The logging step is where Snort saves any pertinent information
+ resulting from the earlier steps. More generally, this is where
+ other actions can be taken as well such as blocking the packet.
+
+2.5.1. Snort 2 Processing
+
+The preprocess step in Snort 2 is highly configurable. Arbitrary
+preprocessors can be loaded dynamically at startup, configured in
+snort.conf, and then executed at runtime. Basically, the
+preprocessors are put into a list which is iterated for each packet.
+Recent versions have tweaked the list handling some, but the same
+basic architecture has allowed Snort 2 to grow from a sniffer, with
+no preprocessing, to a full-fledged IPS, with lots of preprocessing.
+
+While this "list of plugins" approach has considerable flexibility,
+it hampers future development when the flow of data from one
+preprocessor to the next depends on traffic conditions, a common
+situation with advanced features like application identification. In
+this case, a preprocessor like HTTP may be extracting and normalizing
+data that ultimately is not used, or appID may be repeatedly checking
+for data that is just not available.
+
+Callbacks help break out of the preprocess straitjacket. This is
+where one preprocessor supplies another with a function to call when
+certain data is available. Snort has started to take this approach to
+pass some HTTP and SIP preprocessor data to appID. However, it
+remains a peripheral feature and still requires the production of
+data that may not be consumed.
+
+2.5.2. Snort 3 Processing
+
+One of the goals of Snort 3 is to provide a more flexible framework
+for packet processing by implementing an event-driven approach.
+Another is to produce data only when needed to minimize expensive
+normalizations. However, the basic packet processing provides very
+similar functionality.
+
+The basic processing steps Snort 3 takes are similar to Snort 2 as
+seen in the following diagram. The preprocess step employs specific
+inspector types instead of a generalized list, but the basic
+procedure includes stateless packet decoding, TCP stream reassembly,
+and service specific analysis in both cases. (Snort 3 provides hooks
+for arbitrary inspectors, but they are not central to basic flow
+processing and are not shown.)
+
+Snort 3
+
+However, Snort 3 also provides a more flexible mechanism than
+callback functions. By using inspection events, it is possible for an
+inspector to supply data that other inspectors can process. This is
+known as the observer pattern or publish-subscribe pattern.
+
+Note that the data is not actually published. Instead, access to the
+data is published, and that means that subscribers can access the raw
+or normalized version(s) as needed. Normalizations are done only on
+the first access, and subsequent accesses get the previously
+normalized data. This results in just in time (JIT) processing.
+
+A basic example of this in action is provided by the extra data_log
+plugin. It is a passive inspector, ie it does nothing until it
+receives the data it subscribed for (other in the above diagram). By
+adding the following to your snort.lua configuration, you will get a
+simple URI logger.
+
+data_log = { key = 'http_raw_uri' }
+
+Inspection events coupled with pluggable inspectors provide a very
flexible framework for implementing new features. And JIT buffer
-stuffers allow Snort++ to work smarter, not harder. These
-capabilities will be leveraged more and more as Snort++ development
-continues.
+stuffers allow Snort to work smarter, not harder. These capabilities
+will be leveraged more and more as Snort development continues.
+
+
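Review bot: the bare lines "Snort 2" and "Snort 3" in 2.5 and 2.5.2 are image placeholders, and the surrounding text depends on them ("A rough processing flow is as follows:", "as seen in the following diagram", "(other in the above diagram)"); in the text rendering of the manual nothing follows those cues, so the data_log paragraph's reference to "other" has no referent. Add a short caption or an ASCII rendering of the decode / preprocess / detect / log flow for each, or rephrase the references so the text stands without the figures.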
+2.6. Rules
+
+--------------
+
+Rules tell Snort how to detect interesting conditions, such as an
+attack, and what to do when the condition is detected. Here is an
+example rule:
+
+alert tcp any any -> 192.168.1.1 80 ( msg:"A ha!"; content:"attack"; sid:1; )
+
+The structure is:
+
+action proto source dir dest ( body )
+
+Where:
+
+action - tells Snort what to do when a rule "fires", ie when the
+signature matches. In this case Snort will log the event. It can also
+do thing like block the flow when running inline.
+
+proto - tells Snort what protocol applies. This may be ip, icmp, tcp,
+udp, http, etc.
+
+source - specifies the sending IP address and port, either of which
+can be the keyword any, which is a wildcard.
+
+dir - must be either unidirectional as above or bidirectional
+indicated by <>.
+
+dest - similar to source but indicates the receiving end.
+
+body - detection and other information contained in parenthesis.
+
+There are many rule options available to construct as sophisticated a
+signature as needed. In this case we are simply looking for the
+"attack" in any TCP packet. A better rule might look like this:
+
+alert http
+(
+ msg:"Gotcha!";
+ flow:established, to_server;
+ http_uri:"attack";
+ sid:2;
+)
+
+Note that these examples have a sid option, which indicates the
+signature ID. In general rules are specified by gid:sid:rev notation,
+where gid is the generator ID and rev is the revision of the rule. By
+default, text rules are gid 1 and shared-object (SO) rules are gid 3.
+The various components within Snort that generate events have 1XX
+gids, for example the decoder is gid 116. You can list the internal
+gids and sids with these commands:
+
+$ snort --list-gids
+$ snort --list-builtin
+
+For details on these and other options, see the reference section.
+
+
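Review bot: "In this case we are simply looking for the "attack" in any TCP packet" does not match the example rule, whose header restricts it to traffic to 192.168.1.1 port 80; say "any TCP packet to that host and port" or use `any any` on both sides. The second example (`alert http ( ... )`) omits source, dir and dest even though the structure given two paragraphs earlier is `action proto source dir dest ( body )`; the text should state that in Snort 3 the address and port part of the header is optional for such rules and what the defaults are when it is left out, otherwise the example looks like a typo. Also "do thing like block the flow" should read "do things like".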
+2.7. Pattern Matching
+
+--------------
+
+Snort evaluates rules in a two-step process which includes a fast
+pattern search and full evaluation of the signature. More details on
+this process follow.
+
+2.7.1. Rule Groups
+
+When Snort starts or reloads configuration, rules are grouped by
+protocol, port and service. For example, all TCP rules using the
+HTTP_PORTS variable will go in one group and all service HTTP rules
+will go in another group. These rule groups are compiled into
+multipattern search engines (MPSE) which are designed to search for
+all patterns with just a single pass through a given packet or
+buffer. You can select the algorithm to use for fast pattern searches
+with search_engine.search_method which defaults to ac_bnfa, which
+balances speed and memory. For a faster search at the expense of
+significantly more memory, use ac_full. For best performance and
+reasonable memory, download the hyperscan source from Intel.
+
+2.7.2. Fast Patterns
+
+Fast patterns are content strings that have the fast_pattern option
+or which have been selected by Snort automatically to be used as a
+fast pattern. Snort will by default choose the longest pattern in the
+rule since that is likely to be most unique. That is not always the
+case so add fast_pattern to the appropriate content option for best
+performance. The ideal fast pattern is one which, if found, is very
+likely to result in a rule match. Fast patterns that match frequently
+for unrelated traffic will cause Snort to work hard with little to
+show for it.
+
+Certain contents are not eligible to be used as fast patterns.
+Specifically, if a content is negated, then if it is also relative to
+another content, case sensitive, or has non-zero offset or depth,
+then it is not eligible to be used as a fast pattern.
+
+2.7.3. Rule Evaluation
+
+For each fast pattern match, the corresponding rule(s) are evaluated
+left-to-right. Rule evaluation requires checking each detection
+option in a rule and is a fairly costly process which is why fast
+patterns are so important. Rule evaluation aborts on the first
+non-matching option.
+
+When rule evaluation takes place, the fast pattern may or may not
+need to be searched for a second time. Note that this differs from
+Snort 2 which provided the fast_pattern:only option to designate such
+cases. This was removed because it is difficult for the rule writer
+get it right.
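Review bot: The hyperscan sentence tells the reader to download the source but never says how to select it once built; it should state the search_engine.search_method value to use (hyperscan in Snort 3 builds), matching how ac_bnfa and ac_full are named in the same paragraph. Two wording fixes in this region: the negated-content eligibility sentence has a nested "if ... then if ... then" that reads better as "a negated content is not eligible when it is also relative to another content, case sensitive, or has a non-zero offset or depth", and "difficult for the rule writer get it right" is missing "to".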
---------------------------------------------------------------------
-2. Getting Started
+3. Tutorial
---------------------------------------------------------------------
-The following pointers will help you get started:
+The section will walk you through building and running Snort. It is
+not exhaustive but, once you master this material, you should be able
+to figure out more advanced usage.
-2.1. Dependencies
+3.1. Dependencies
--------------
bounds checks on certain legacy C-library calls.
-2.2. Building
+3.2. Building
--------------
export CXX=g++
-2.3. Run
+3.3. Running
--------------
For more examples, see the usage section.
-2.4. Tips
+3.4. Tips
--------------
-One of the goals of Snort++ is to make it easier to configure your
+One of the goals of Snort 3 is to make it easier to configure your
sensor. Here is a summary of tips and tricks you may find useful.
General Use
example, changing normalizer to Xnormalizer (an unknown symbol)
will disable the normalizer. This can be easier than commenting
in some cases.
- * By default, symbols unknown to Snort++ are silently ignored. You
+ * By default, symbols unknown to Snort are silently ignored. You
can generate warnings for them with --warn-unknown. To ignore
such symbols, export them in the environment variable
SNORT_IGNORE.
Writing and Loading Rules
-Snort++ rules allow arbitrary whitespace. Multi-line rules make it
+Snort rules allow arbitrary whitespace. Multi-line rules make it
easier to structure your rule for clarity. There are multiple ways to
add comments to your rules:
- * Like Snort, the # character starts a comment to end of line. In
- addition, all lines between #begin and #end are comments.
+ * The # character starts a comment to end of line. In addition, all
+ lines between #begin and #end are comments.
* The rem option allows you to write a comment that is conveyed
with the rule.
* C style multi-line comments are allowed, which means you can
There are multiple ways to load rules too:
* Set ips.rules or ips.include.
- * Snort 2.X include statements can be used in rules files.
+ * include statements can be used in rules files.
* Use -R to load a rules file.
* Use --stdin-rules with command line redirection.
* Use --lua to specify one or more rules as a command line
* all text mode outputs default to stdout
-2.5. Help
+3.5. Help
--------------
Report bugs to bugs@snort.org.
-2.6. Common Errors
+3.6. Common Errors
--------------
export SNORT_IGNORE="x y z"
-2.7. Gotchas
+3.7. Gotchas
--------------
/path-to/libhs.4.0.dylib src/snort
-2.8. Bugs
-
---------------
+---------------------------------------------------------------------
-2.8.1. Build
+4. Usage
- * With cmake, make install will rebuild the docs even though when
- already built.
- * Enabling large pcap may erroneously affect the number of packets
- processed from pcaps.
- * Enabling debug messages may erroneously affect the number of
- packets processed from pcaps.
- * g++ 4.9.2 with -O3 reports:
+---------------------------------------------------------------------
- src/service_inspectors/back_orifice/back_orifice.cc:231:25: warning:
- iteration 930u invokes undefined behavior [-Waggressive-loop-optimizations]
+For the following examples "$my_path" is assumed to be the path to
+the Snort install directory. Additionally, it is assumed that
+"$my_path/bin" is in your PATH.
- * Building with clang and autotools on Linux will show the
- following warning many times. Please ignore.
- clang: warning: argument unused during compilation: '-pthread'
+4.1. Environment
- * It is not possible to build dynamic plugins using apple clang due
- to its limited support for thread local variables.
+--------------
-2.8.2. Config
+LUA_PATH is used directly by Lua to load and run required libraries.
+SNORT_LUA_PATH is used by Snort to load supplemental configuration
+files.
- * Parsing issue with IP lists. can’t parse rules with $EXTERNAL_NET
- defined as below because of the space between ! and 10.
+export LUA_PATH=$my_path/include/snort/lua/\?.lua\;\;
+export SNORT_LUA_PATH=$my_path/etc/snort
- HOME_NET = [[ 10.0.17.0/24 10.0.14.0/24 10.247.0.0/16 10.246.0.0/16 ]]
- EXTERNAL_NET = '! ' .. HOME_NET
- * Multiple versions of luajit scripts are not handled correctly.
- The first loaded version will always be executed even though
- plugin manager saves the correct version.
- * When using -c and -L together, the last on the command line wins
- (-c -L will dump; -L -c will analyze).
- * Modules instantiated by command line only will not get default
- settings unless hard-coded. This notably applies to -A and -L
- options.
- * --lua can only be used in addition to, not in place of, a -c
- config. Ideally, --lua could be used in lieu of -c.
+4.2. Help
-2.8.3. Rules
+--------------
- * metdata:service foo; metadata:service foo; won’t cause a
- duplicate service warning as does metadata:service foo, service
- foo;
- * ip_proto doesn’t work properly with reassembled packets so it
- can’t be used to restrict the protocol of service rules.
- * Inspector events generated while parsing TCP payload in non-IPS
- mode will indicate the wrong direction (ie they will be based on
- the ACK packet). (Same is true for Snort.)
+Print the help summary:
-2.8.4. snort2lua
+snort --help
- * uricontent:"foo"; content:"bar"; → http_uri; content:"foo";
- content:"bar"; (missing pkt_data)
- * stream_tcp ports and protocols both go into a single binder.when;
- this is incorrect as the when fields are logically anded together
- (ie must all be true). Should create 2 separate bindings.
- * There is a bug in pps_stream_tcp.cc.. when stream_tcp: is
- specified without any arguments, snort2lua doesn’t convert it.
- Same for stream_udp.
- * Loses the ip list delimiters [ ]; change to ( )
+Get help on a specific module ("stream", for example):
- in snort.conf: var HOME_NET [A,B,C]
- in snort.lua: HOME_NET = [[A B C]]
+snort --help-module stream
- * Won’t convert packet rules (alert tcp etc.) to service rules
- (alert http etc.).
- * alert_fast and alert_full: output configuration includes "file =
- foo.bar", but file is a bool and you cannot specify an output
- file name in the configuration.
- * preprocessor ports option: ports <number> not supported.
+Get help on the "-A" command line option:
-2.8.5. Runtime
+snort --help-options A
- * -B <mask> feature does not work. It does ordinary IP address
- obfuscation instead of using the mask.
- * Obfuscation does not work for csv format.
- * The hext DAQ will append a newline to text lines (starting with "
- ).
- * The hext DAQ does not support embedded quotes in text lines (use
- hex lines as a workaround).
- * stream_tcp alert squash mechanism incorrectly squashes alerts for
- different TCP packets.
- * stream_tcp gap count is broken.
+Grep for help on threads:
+snort --help-config | grep thread
----------------------------------------------------------------------
+Output help on "rule" options in AsciiDoc format:
-3. Features
+snort --markup --help-options rule
----------------------------------------------------------------------
+Note
-This section explains how to use key features of Snort++.
+Snort stops reading command-line options after the "--help-" and
+"--list-" options, so any other options should be placed before them.
-3.1. File Processing
+4.3. Sniffing and Logging
--------------
-With the volume of malware transferred through network increasing,
-network file inspection becomes more and more important. This feature
-will provide file type identification, file signature creation, and
-file capture capabilities to help users deal with those challenges.
+Read a pcap:
-3.1.1. Overview
+snort -r /path/to/my.pcap
-There are two parts of file services: file APIs and file policy. File
-APIs provides all the file inspection functionalities, such as file
-type identification, file signature calculation, and file capture.
-File policy provides users ability to control file services, such as
-enable/disable/configure file type identification, file signature, or
-file capture.
+Dump the packets to stdout:
-In addition to all capabilities from snort 2x, we support customized
-file policy along with file event log.
+snort -r /path/to/my.pcap -L dump
- * Supported protocols: HTTP, SMTP, IMAP, POP3, FTP, and SMB.
- * Supported file signature calculation: SHA256
+Dump packets with application data and layer 2 headers
-3.1.2. Quick Guide
+snort -r /path/to/my.pcap -L dump -d -e
-A very simple configuration has been included in lua/snort.lua file.
-A typical file configuration looks like this:
+Note
-dofile('magic.lua')
+Command line options must be specified separately. "snort -de" won’t
+work. You can still concatenate options and their arguments, however,
+so "snort -Ldump" will work.
-my_file_policy =
-{
- { when = { file_type_id = 0 }, use = { verdict = 'log', enable_file_signature = true, enable_file_capture = true } }
- { when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_signature = true } },
- { when = { sha256 = "F74DC976BC8387E7D4FC0716A069017A0C7ED13F309A523CC41A8739CCB7D4B6" }, use = { verdict = 'block'} },
-}
+Dump packets from all pcaps in a directory:
-file_id =
-{
- enable_type = true,
- enable_signature = true,
- enable_capture = true,
- file_rules = magics,
- trace_type = true,
- trace_signature = true,
- trace_stream = true,
- file_policy = my_file_policy,
- }
+snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap' -L dump -d -e
-file_log =
-{
- log_pkt_time = true,
- log_sys_time = false,
-}
+Log packets to a directory:
-There are 3 steps to enable file processing:
+snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap' -L dump -l /path/to/log/dir
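Review bot: The lead-in "Dump packets with application data and layer 2 headers" is the only example caption in this region without a trailing colon; add it for consistency with the surrounding captions.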
- * First, you need to include the file magic rules.
- * Then, define the file policy and configure the inspector
- * At last, enable file_log to get detailed information about file
- event
-3.1.3. Pre-packaged File Magic Rules
+4.4. Configuration
-A set of file magic rules is packaged with Snort. They can be located
-at "lua/file_magic.lua". To use this feature, it is recommended that
-these pre-packaged rules are used; doing so requires that you include
-the file in your Snort configuration as such (already in snort.lua):
+--------------
-dofile('magic.lua')
+Validate a configuration file:
-Example:
+snort -c $my_path/etc/snort/snort.lua
-{ type = "GIF", id = 62, category = "Graphics", rev = 1,
- magic = { { content = "| 47 49 46 38 37 61 |",offset = 0 } } },
+Validate a configuration file and a separate rules file:
-{ type = "GIF", id = 63, category = "Graphics", rev = 1,
- magic = { { content = "| 47 49 46 38 39 61 |",offset = 0 } } },
+snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules
-The previous two rules define GIF format, because two file magics are
-different. File magics are specifed by content and offset, which look
-at content at particular file offset to identify the file type. In
-this case, two magics look at the beginning of the file. You can use
-character if it is printable or hex value in between "|".
+Read rules from stdin and validate:
-3.1.4. File Policy
+snort -c $my_path/etc/snort/snort.lua --stdin-rules < $my_path/etc/snort/sample.rules
-You can enabled file type, file signature, or file capture by
-configuring file_id. In addition, you can enable trace to see file
-stream data, file type, and file signature information.
+Enable warnings for Lua configurations and make warnings fatal:
-Most importantly, you can configure a file policy that can block/
-alert some file type or an individual file based on SHA. This allows
-you build a file blacklist or whitelist.
+snort -c $my_path/etc/snort/snort.lua --warn-all --pedantic
-Example:
+Tell Snort where to look for additional Lua scripts:
-file_policy =
-{
- { when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_signature = true } },
- { when = { sha256 = "F74DC976BC8387E7D4FC0716A069017A0C7ED13F309A523CC41A8739CCB7D4B6" }, use = { verdict = 'block'} },
- { when = { file_type_id = 0 }, use = { verdict = 'log', enable_file_signature = true, enable_file_capture = true } }
-}
+snort --script-path /path/to/script/dir
-In this example, it enables this policy:
- * For PDF files, they will be logged with signatures.
- * For the file matching this SHA, it will be blocked
- * For all file types identified, they will be logged with
- signature, and also captured onto log folder.
+4.5. IDS mode
-3.1.5. File Capture
+--------------
-File can be captured and stored to log folder. We use SHA as file
-name instead of actual file name to avoid conflicts. You can capture
-either all files, some file type, or a particular file based on SHA.
+Run Snort in IDS mode, reading packets from a pcap:
-You can enable file capture through this config:
+snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap
-enable_capture = true,
+Log any generated alerts to the console using the "-A" option:
-or enable it for some file or file type in your file policy:
+snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A alert_full
-{ when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_capture = true } },
+Add or modify a configuration from the command line using the "--lua"
+option:
-The above rule will enable PDF file capture.
+snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A cmg \
+ --lua 'ips = { enable_builtin_rules = true }'
-3.1.6. File Events
+Note
-File inspect preprocessor also works as a dynamic output plugin for
-file events. It logs basic information about file. The log file is in
-the same folder as other log files with name starting with
-"file.log".
+The "--lua" option can be specified multiple times.
-Example:
+Run Snort in IDS mode on an entire directory of pcaps, processing
+each input source on a separate thread:
-file_log = { log_pkt_time = true, log_sys_time = false }
+snort -c $my_path/etc/snort/snort.lua --pcap-dir /path/to/pcap/dir \
+ --pcap-filter '*.pcap' --max-packet-threads 8
-All file events will be logged in packet time, system time is not
-logged.
+Run Snort on 2 interfaces, eth0 and eth1:
-File event example:
+snort -c $my_path/etc/snort/snort.lua -i "eth0 eth1" -z 2 -A cmg
-08/14-19:14:19.100891 10.22.75.72:33734 -> 10.22.75.36:80,
-[Name: "malware.exe"] [Verdict: Block] [Type: MSEXE]
-[SHA: 6F26E721FDB1AAFD29B41BCF90196DEE3A5412550615A856DAE8E3634BCE9F7A]
-[Size: 1039328]
+Run Snort inline with the afpacket DAQ:
+snort -c $my_path/etc/snort/snort.lua --daq afpacket -i "eth0:eth1" \
+ -A cmg
-3.2. Performance Monitor
---------------
+4.6. Plugins
-The new and improved performance monitor! Is your sensor being bogged
-down by too many flows? perf_monitor! Why are certain TCP segments
-being dropped without hitting a rule? perf_monitor! Why is a sensor
-leaking water? Not perf_monitor, check with stream…
+--------------
-3.2.1. Overview
+Load external plugins and use the "ex" alert:
-The Snort performance monitor is the built-in utility for monitoring
-system and traffic statistics. All statistics are separated by
-processing thread. perf_monitor supports several trackers for
-monitoring such data:
+snort -c $my_path/etc/snort/snort.lua \
+ --plugin-path $my_path/lib/snort_extra \
+ -A alert_ex -r /path/to/my.pcap
-3.2.2. Base Tracker
+Test the LuaJIT rule option find loaded from stdin:
-The base tracker is used to gather running statistics about Snort and
-its running modules. All Snort modules gather, at the very least,
-counters for the number of packets reaching it. Most supplement these
-counts with those for domain specific functions, such as
-http_inspect’s number of GET requests seen.
+snort -c $my_path/etc/snort/snort.lua \
+ --script-path $my_path/lib/snort_extra \
+ --stdin-rules -A cmg -r /path/to/my.pcap << END
+alert tcp any any -> any 80 (
+ sid:3; msg:"found"; content:"GET";
+ find:"pat='HTTP/1%.%d'" ; )
+END
-Statistics are gathered live and can be reported at regular
-intervals. The stats reported correspond only to the interval in
-question and are reset at the beginning of each interval.
-These are the same counts displayed when Snort shuts down, only
-sorted amongst the discrete intervals in which they occurred.
+4.7. Output Files
-Base differs from prior implementations in Snort in that all stats
-gathered are only raw counts, allowing the data to be evaluated as
-needed. Additionally, base is entirely pluggable. Data from new Snort
-plugins can be added to the existing stats either automatically or,
-if specified, by name and function.
+--------------
-All plugins and counters can be enabled or disabled individually,
-allowing for only the data that is actually desired instead of overly
-verbose performance logs.
+To make it simple to configure outputs when you run with multiple
+packet threads, output files are not explicitly configured. Instead,
+you can use the options below to format the paths:
-To enable everything:
+<logdir>/[<run_prefix>][<id#>][<X>]<name>
-perf_monitor = { modules = {} }
+Log to unified in the current directory:
-To enable everything within a module:
+snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A unified2
-perf_monitor =
-{
- modules =
- {
- {
- name = 'stream_tcp',
- pegs = [[ ]]
- },
- }
-}
+Log to unified in the current directory with a different prefix:
-To enable specific counts within modules:
+snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A unified2 \
+ --run-prefix take2
-perf_monitor =
-{
- modules =
- {
- {
- name = 'stream_tcp',
- pegs = [[ overlaps gaps ]]
- },
- }
+Log to unified in /tmp:
-Note: Event stats from prior Snorts are now located within base
-statistics.
+snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A unified2 -l /tmp
-3.2.3. Flow Tracker
+Run 4 packet threads and log with thread number prefix (0-3):
-Flow tracks statistics regarding traffic and L3/L4 protocol
-distributions. This data can be used to build a profile of traffic
-for inspector tuning and for identifying where Snort may be stressed.
+snort -c $my_path/etc/snort/snort.lua --pcap-dir /path/to/pcap/dir \
+ --pcap-filter '*.pcap' -z 4 -A unified2
-To enable:
+Run 4 packet threads and log in thread number subdirs (0-3):
-perf_monitor = { flow = true }
+snort -c $my_path/etc/snort/snort.lua --pcap-dir /path/to/pcap/dir \
+ --pcap-filter '*.pcap' -z 4 -A unified2 --id-subdir
-3.2.4. FlowIP Tracker
+Note
-FlowIP provides statistics for individual hosts within a network.
-This data can be used for identifying communication habits, such as
-generating large or small amounts of data, opening a small or large
-number of sessions, and tendency to send smaller or larger IP
-packets.
+subdirectories are created automatically if required. Log filename is
+based on module name that writes the file. All text mode outputs
+default to stdout. These options can be combined.
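Review bot: The `<X>` placeholder in `<logdir>/[<run_prefix>][<id#>][<X>]<name>` is never defined, so the reader cannot tell what separates the id prefix from the name, or how that changes with --id-subdir; state what `<X>` expands to in each case next to the pattern. In the Note, "subdirectories" should start with a capital letter and "based on module name that writes the file" should read "based on the name of the module that writes the file".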
-To enable:
-perf_monitor = { flow_ip = true }
+4.8. DAQ Alternatives
-3.2.5. CPU Tracker
+--------------
-This tracker monitors the CPU and wall time spent by a given
-processing thread.
+Process hext packets from stdin:
-To enable:
+snort -c $my_path/etc/snort/snort.lua \
+ --daq-dir $my_path/lib/snort/daqs --daq hext -i tty << END
+$packet 10.1.2.3 48620 -> 10.9.8.7 80
+"GET / HTTP/1.1\r\n"
+"Host: localhost\r\n"
+"\r\n"
+END
-perf_monitor = { cpu = true }
+Process raw ethernet from hext file:
+snort -c $my_path/etc/snort/snort.lua \
+ --daq-dir $my_path/lib/snort/daqs --daq hext \
+ --daq-var dlt=1 -r <hext-file>
----------------------------------------------------------------------
+Process a directory of plain files (ie non-pcap) with 4 threads with
+8K buffers:
-4. Basic Modules
+snort -c $my_path/etc/snort/snort.lua \
+ --daq-dir $my_path/lib/snort/daqs --daq file \
+ --pcap-dir path/to/files -z 4 -s 8192
----------------------------------------------------------------------
+Bridge two TCP connections on port 8000 and inspect the traffic:
-Internal modules which are not plugins are termed "basic". These
-include configuration for core processing.
+snort -c $my_path/etc/snort/snort.lua \
+ --daq-dir $my_path/lib/snort/daqs --daq socket
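Review bot: The socket DAQ caption says "on port 8000" but the command passes no port, so either say that 8000 is the socket DAQ's default or show the port being supplied explicitly; as written the reader cannot reproduce the stated behaviour. In the file DAQ example, `--pcap-dir path/to/files` lacks the leading slash used by every other `/path/to/...` placeholder in this section.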
-4.1. active
+4.9. Logger Alternatives
--------------
-What: configure responses
+Dump TCP stream payload in hext mode:
-Type: basic
+snort -c $my_path/etc/snort/snort.lua -L hext
-Configuration:
+Output timestamp, pkt_num, proto, pkt_gen, dgm_len, dir, src_ap,
+dst_ap, rule, action for each alert:
- * int active.attempts = 0: number of TCP packets sent per response
- (with varying sequence numbers) { 0:20 }
- * string active.device: use ip for network layer responses or eth0
- etc for link layer
- * string active.dst_mac: use format 01:23:45:67:89:ab
- * int active.max_responses = 0: maximum number of responses { 0: }
- * int active.min_interval = 255: minimum number of seconds between
- responses { 1: }
+snort -c $my_path/etc/snort/snort.lua -A csv
+
+Output the old test format alerts:
+
+snort -c $my_path/etc/snort/snort.lua \
+ --lua "alert_csv = { fields = 'pkt_num gid sid rev', separator = '\t' }"
-4.2. alerts
+4.10. Shell
--------------
-What: configure alerts
+You must build with --enable-shell to make the command line shell
+available.
-Type: basic
+Enable shell mode:
-Configuration:
+snort --shell <args>
- * bool alerts.alert_with_interface_name = false: include interface
- in alert info (fast, full, or syslog only)
- * bool alerts.default_rule_state = true: enable or disable ips
- rules
- * int alerts.detection_filter_memcap = 1048576: set available
- memory for filters { 0: }
- * int alerts.event_filter_memcap = 1048576: set available memory
- for filters { 0: }
- * string alerts.order = pass drop alert log: change the order of
- rule action application
- * int alerts.rate_filter_memcap = 1048576: set available memory for
- filters { 0: }
- * string alerts.reference_net: set the CIDR for homenet (for use
- with -l or -B, does NOT change $HOME_NET in IDS mode)
- * bool alerts.stateful = false: don’t alert w/o established session
- (note: rule action still taken)
- * string alerts.tunnel_verdicts: let DAQ handle non-allow verdicts
- for GTP|Teredo|6in4|4in6 traffic
+You will see the shell mode command prompt, which looks like this:
+o")~
-4.3. attribute_table
+(The prompt can be changed with the SNORT_PROMPT environment
+variable.)
---------------
+You can pause immediately after loading the configuration and again
+before exiting with:
-What: configure hosts loading
+snort --shell --pause <args>
-Type: basic
+In that case you must issue the resume() command to continue. Enter
+quit() to terminate Snort or detach() to exit the shell. You can list
+the available commands with help().
-Configuration:
+To enable local telnet access on port 12345:
- * int attribute_table.max_hosts = 1024: maximum number of hosts in
- attribute table { 32:207551 }
- * int attribute_table.max_services_per_host = 8: maximum number of
- services per host entry in attribute table { 1:65535 }
- * int attribute_table.max_metadata_services = 8: maximum number of
- services in rule metadata { 1:256 }
+snort --shell -j 12345 <args>
+
+The command line interface is still under development. Suggestions
+are welcome.
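Review bot: The `snort --shell -j 12345` example is captioned "local telnet access" but does not say which address the port is bound to, and the shell it exposes can run quit() and other commands with no authentication shown here; the text should state whether -j listens on loopback only and advise restricting access to that port.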
-4.4. classifications
+4.11. Signals
--------------
-What: define rule categories with priority
+Note
-Type: basic
+The following examples assume that Snort is currently running and has
+a process ID of <pid>.
-Configuration:
+Modify and Reload Configuration:
- * string classifications[].name: name used with classtype rule
- option
- * int classifications[].priority = 1: default priority for class {
- 0: }
- * string classifications[].text: description of class
+echo 'suppress = { { gid = 1, sid = 2215 } }' >> $my_path/etc/snort/snort.lua
+kill -hup <pid>
+Dump stats to stdout:
-4.5. daq
+kill -usr1 <pid>
---------------
+Shutdown normally:
-What: configure packet acquisition interface
+kill -term <pid>
-Type: basic
+Exit without flushing packets:
-Configuration:
+kill -quit <pid>
- * string daq.module_dirs[].str: string parameter
- * string daq.input_spec: input specification
- * string daq.module: DAQ module to use
- * string daq.variables[].str: string parameter
- * int daq.instances[].id: instance ID (required) { 0: }
- * string daq.instances[].input_spec: input specification
- * string daq.instances[].variables[].str: string parameter
- * int daq.snaplen: set snap length (same as -s) { 0:65535 }
- * bool daq.no_promisc = false: whether to put DAQ device into
- promiscuous mode
+List available signals:
-Peg counts:
+snort --help-signals
- * daq.pcaps: total files and interfaces processed
- * daq.received: total packets received from DAQ
- * daq.analyzed: total packets analyzed from DAQ
- * daq.dropped: packets dropped
- * daq.filtered: packets filtered out
- * daq.outstanding: packets unprocessed
- * daq.injected: active responses or replacements
- * daq.allow: total allow verdicts
- * daq.block: total block verdicts
- * daq.replace: total replace verdicts
- * daq.whitelist: total whitelist verdicts
- * daq.blacklist: total blacklist verdicts
- * daq.ignore: total ignore verdicts
- * daq.internal blacklist: packets blacklisted internally due to
- lack of DAQ support
- * daq.internal whitelist: packets whitelisted internally due to
- lack of DAQ support
- * daq.skipped: packets skipped at startup
- * daq.idle: attempts to acquire from DAQ without available packets
+Note
+
+The available signals may vary from platform to platform.
+
+
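Review bot: The reload example appends `suppress = { ... }` to snort.lua, which replaces any suppress table already defined in that file rather than adding to it, and running the echo twice leaves two assignments of which the last wins; the text should say this is an illustration of the reload signal and that a real change would edit the existing table (or a separately included file) instead of appending.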
+---------------------------------------------------------------------
+5. Features
-4.6. decode
+---------------------------------------------------------------------
+
+This section explains how to use key features of Snort.
+
+
+5.1. Binder
--------------
-What: general decoder rules
+One of the fundamental differences between Snort 2 and Snort 3
+concerns configuration related to networks and ports. Here is a brief
+review of Snort 2 configuration for network and service related
+components:
-Type: basic
+ * Snort’s configuration has a default policy and optional policies
+ selected by VLAN or network (with config binding).
+ * Each policy contains a user defined set of preprocessor
+ configurations.
+ * Each preprocessor has a default configuration and some support
+ non-default configurations selected by network.
+ * Most preprocessors have port configurations.
+ * The default policy may also contain a list of ports to ignore.
-Rules:
+In Snort 3, the above configurations are done in a single module
+called the binder. Here is an example:
- * 116:450 (decode) BAD-TRAFFIC bad IP protocol
- * 116:293 (decode) two or more IP (v4 and/or v6) encapsulation
- layers present
- * 116:459 (decode) fragment with zero length
- * 116:150 (decode) bad traffic loopback IP
- * 116:151 (decode) bad traffic same src/dst IP
- * 116:449 (decode) BAD-TRAFFIC unassigned/reserved IP protocol
- * 116:472 (decode) too many protocols present
+binder =
+{
+ -- allow all tcp port 22:
+ -- (similar to Snort 2 config ignore_ports)
+ { when = { proto = 'tcp', ports = '22' }, use = { action = 'allow' } },
+
+-- select a config file by vlan
+-- (similar to Snort 2 config binding by vlan)
+{ when = { vlans = '1024' }, use = { file = 'vlan.lua' } },
+
+-- use a non-default HTTP inspector for port 8080:
+-- (similar to a Snort 2 targeted preprocessor config)
+{ when = { nets = '192.168.0.0/16', proto = 'tcp', ports = '8080' },
+ use = { name = 'alt_http', type = 'http_inspect' } },
+
+-- use the default inspectors:
+-- (similar to a Snort 2 default preprocessor config)
+{ when = { proto = 'tcp' }, use = { type = 'stream_tcp' } },
+{ when = { service = 'http' }, use = { type = 'http_inspect' } },
+
+ -- figure out which inspector to run automatically:
+ { use = { type = 'wizard' } }
+}
+
+Bindings are evaluated when a session starts and again if and when
+service is identified on the session. Essentially, the bindings are a
+list of when-use rules evaluated from top to bottom. The first
+matching network and service configurations are applied. binder.when
+can contain any combination of criteria and binder.use can specify an
+action, config file, or inspector configuration.
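Review bot: The binder example indents its first and last entries but not the middle ones, which obscures that all are elements of the same table; indent them uniformly. The comment "allow all tcp port 22" should also state the consequence of `action = 'allow'`, namely that matching flows are passed without stream or inspector processing, since that is the security-relevant effect of placing this binding first in a top-to-bottom, first-match list.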
-4.7. detection
+5.2. DCE Inspectors
--------------
-What: configure general IPS rule processing parameters
+The main purpose of these inspector are to perform SMB desegmentation
+and DCE/RPC defragmentation to avoid rule evasion using these
+techniques.
-Type: basic
+5.2.1. Overview
-Configuration:
+The following transports are supported for DCE/RPC: SMB, TCP, and
+UDP. New rule options have been implemented to improve performance,
+reduce false positives and reduce the count and complexity of DCE/RPC
+based rules.
- * int detection.asn1 = 256: maximum decode nodes { 1: }
- * bool detection.pcre_enable = true: disable pcre pattern matching
- * int detection.pcre_match_limit = 1500: limit pcre backtracking,
- -1 = max, 0 = off { -1:1000000 }
- * int detection.pcre_match_limit_recursion = 1500: limit pcre stack
- consumption, -1 = max, 0 = off { -1:10000 }
+Different from Snort 2, the DCE-RPC preprocessor is split into three
+inspectors - one for each transport: dce_smb, dce_tcp, dce_udp. This
+includes the configuration as well as the inspector modules. The
+Snort 2 server configuration is now split between the inspectors.
+Options that are meaningful to all inspectors, such as policy and
+defragmentation, are copied into each inspector configuration. The
+address/port mapping is handled by the binder. Autodetect
+functionality is replaced by wizard curses.
-Peg counts:
+5.2.2. Quick Guide
- * detection.analyzed: packets sent to detection
- * detection.hard evals: non-fast pattern rule evaluations
- * detection.raw searches: fast pattern searches in raw packet data
- * detection.cooked searches: fast pattern searches in cooked packet
- data
- * detection.pkt searches: fast pattern searches in packet data
- * detection.alt searches: alt fast pattern searches in packet data
- * detection.key searches: fast pattern searches in key buffer
- * detection.header searches: fast pattern searches in header buffer
- * detection.body searches: fast pattern searches in body buffer
- * detection.file searches: fast pattern searches in file buffer
- * detection.alerts: alerts not including IP reputation
- * detection.total alerts: alerts including IP reputation
- * detection.logged: logged packets
- * detection.passed: passed packets
- * detection.match limit: fast pattern matches not processed
- * detection.queue limit: events not queued because queue full
- * detection.log limit: events queued but not logged
- * detection.event limit: events filtered
- * detection.alert limit: events previously triggered on same PDU
+A typical dcerpce configuration looks like this:
+binder =
+{
+ {
+ when =
+ {
+ proto = 'tcp',
+ ports = '139 445 1025',
+ },
+ use =
+ {
+ type = 'dce_smb',
+ },
+ },
+ {
+ when =
+ {
+ proto = 'tcp',
+ ports = '135 2103',
+ },
+ use =
+ {
+ type = 'dce_tcp',
+ },
+ },
+ {
+ when =
+ {
+ proto = 'udp',
+ ports = '1030',
+ },
+ use =
+ {
+ type = 'dce_udp',
+ },
+ }
+ }
-4.8. event_filter
+dce_smb = { }
---------------
+dce_tcp = { }
-What: configure thresholding of events
+dce_udp = { }
-Type: basic
+In this example, it defines smb, tcp and udp inspectors based on
+port. All the configurations are default.
-Configuration:
+5.2.3. Target Based
- * int event_filter[].gid = 1: rule generator ID { 0: }
- * int event_filter[].sid = 1: rule signature ID { 0: }
- * enum event_filter[].type: 1st count events | every count events |
- once after count events { limit | threshold | both }
- * enum event_filter[].track: filter only matching source or
- destination addresses { by_src | by_dst }
- * int event_filter[].count = 0: number of events in interval before
- tripping; -1 to disable { -1: }
- * int event_filter[].seconds = 0: count interval { 0: }
- * string event_filter[].ip: restrict filter to these addresses
- according to track
+There are enough important differences between Windows and Samba
+versions that a target based approach has been implemented. Some
+important differences:
+ * Named pipe instance tracking
+ * Accepted SMB commands
+ * AndX command chaining
+ * Transaction tracking
+ * Multiple Bind requests
+ * DCE/RPC Fragmented requests - Context ID
+ * DCE/RPC Fragmented requests - Operation number
+ * DCE/RPC Stub data byte order
-4.9. event_queue
+Because of those differences, each inspector can be configured to
+different policy. Here are the list of policies supported:
---------------
+ * WinXP (default)
+ * Win2000
+ * WinVista
+ * Win2003
+ * Win2008
+ * Win7
+ * Samba
+ * Samba-3.0.37
+ * Samba-3.0.22
+ * Samba-3.0.20
-What: configure event queue parameters
+5.2.4. Reassembling
-Type: basic
+Both SMB inspector and TCP inspector support reassemble. Reassemble
+threshold specifies a minimum number of bytes in the DCE/RPC
+desegmentation and defragmentation buffers before creating a
+reassembly packet to send to the detection engine. This option is
+useful in inline mode so as to potentially catch an exploit early
+before full defragmentation is done. A value of 0 s supplied as an
+argument to this option will, in effect, disable this option. Default
+is disabled.
-Configuration:
+5.2.5. SMB
- * int event_queue.max_queue = 8: maximum events to queue { 1: }
- * int event_queue.log = 3: maximum events to log { 1: }
- * enum event_queue.order_events = content_length: criteria for
- ordering incoming events { priority|content_length }
- * bool event_queue.process_all_events = false: process just first
- action group or all action groups
+SMB inspector is one of the most complex inspectors. In addition to
+supporting rule options and lots of inspector rule events, it also
+supports file processing for both SMB version 1, 2, and 3.
+5.2.5.1. Finger Print Policy
-4.10. file_id
+In the initial phase of an SMB session, the client needs to
+authenticate with a SessionSetupAndX. Both the request and response
+to this command contain OS and version information that can allow the
+inspector to dynamically set the policy for a session which allows
+for better protection against Windows and Samba specific evasions.
---------------
+5.2.5.2. File Inspection
-What: configure file identification
+SMB inspector supports file inspection. A typical configuration looks
+like this:
-Type: basic
+binder =
+{
+ {
+ when =
+ {
+ proto = 'tcp',
+ ports = '139 445',
+ },
+ use =
+ {
+ type = 'dce_smb',
+ },
+ },
+}
-Configuration:
+dce_smb =
+{
+ smb_file_inspection = 'on',
+ smb_file_depth = 0,
+ }
- * int file_id.type_depth = 1460: stop type ID at this point { 0: }
- * int file_id.signature_depth = 10485760: stop signature at this
- point { 0: }
- * int file_id.block_timeout = 86400: stop blocking after this many
- seconds { 0: }
- * int file_id.lookup_timeout = 2: give up on lookup after this many
- seconds { 0: }
- * bool file_id.block_timeout_lookup = false: block if lookup times
- out
- * int file_id.capture_memcap = 100: memcap for file capture in
- megabytes { 0: }
- * int file_id.capture_max_size = 1048576: stop file capture beyond
- this point { 0: }
- * int file_id.capture_min_size = 0: stop file capture if file size
- less than this { 0: }
- * int file_id.capture_block_size = 32768: file capture block size
- in bytes { 8: }
- * int file_id.max_files_cached = 65536: maximal number of files
- cached in memory { 8: }
- * bool file_id.enable_type = false: enable type ID
- * bool file_id.enable_signature = false: enable signature
- calculation
- * bool file_id.enable_capture = false: enable file capture
- * int file_id.show_data_depth = 100: print this many octets { 0: }
- * int file_id.file_rules[].rev = 0: rule revision { 0: }
- * string file_id.file_rules[].msg: information about the file type
- * string file_id.file_rules[].type: file type name
- * int file_id.file_rules[].id = 0: file type id { 0: }
- * string file_id.file_rules[].category: file type category
- * string file_id.file_rules[].version: file type version
- * string file_id.file_rules[].magic[].content: file magic content
- * int file_id.file_rules[].magic[].offset = 0: file magic offset {
- 0: }
- * int file_id.file_policy[].when.file_type_id = 0: unique ID for
- file type in file magic rule { 0: }
- * string file_id.file_policy[].when.sha256: SHA 256
- * enum file_id.file_policy[].use.verdict = unknown: what to do with
- matching traffic { unknown | log | stop | block | reset }
- * bool file_id.file_policy[].use.enable_file_type = false: true/
- false → enable/disable file type identification
- * bool file_id.file_policy[].use.enable_file_signature = false:
- true/false → enable/disable file signature
- * bool file_id.file_policy[].use.enable_file_capture = false: true/
- false → enable/disable file capture
- * bool file_id.trace_type = false: enable runtime dump of type info
- * bool file_id.trace_signature = false: enable runtime dump of
- signature info
- * bool file_id.trace_stream = false: enable runtime dump of file
- data
+file_id =
+{
+ enable_type = true,
+ enable_signature = true,
+ enable_capture = true,
+ file_rules = magics,
+}
-Peg counts:
+First, define a binder to map tcp port 139 and 445 to smb. Then,
+enable file inspection in smb inspection and set the file depth as
+unlimited. Lastly, enable file inspector to inspect file type,
+calculate file signature, and capture file. The details of file
+inspector are explained in file processing section.
+
+SMB inspector does inspection of normal SMB file transfers. This
+includes doing file type and signature through the file processing as
+well as setting a pointer for the "file_data" rule option. Note that
+the "file_depth" option only applies to the maximum amount of file
+data for which it will set the pointer for the "file_data" rule
+option. For file type and signature it will use the value configured
+for the file API. If "only" is specified, the inspector will only do
+SMB file inspection, i.e. it will not do any DCE/RPC tracking or
+inspection. If "on" is specified with no arguments, the default file
+depth is 16384 bytes. An argument of -1 to "file-depth" disables
+setting the pointer for "file_data", effectively disabling SMB file
+inspection in rules. An argument of 0 to "file_depth" means
+unlimited. Default is "off", i.e. no SMB file inspection is done in
+the inspector.
+
+5.2.6. TCP
+
+dce_tcp inspector supports defragementation, reassembling, and policy
+that is similar to SMB.
+
+5.2.7. UDP
+
+dce_udp is a very simple inspector that only supports
+defragementation
+
+5.2.8. Rule Options
+
+New rule options are supported by enabling the dcerpc2 inspectors:
+
+ * dce_iface
+ * dce_opnum
+ * dce_stub_data
+
+New modifiers to existing byte_test and byte_jump rule options:
+
+ * byte_test: dce
+ * byte_jump: dce
+
+5.2.8.1. dce_iface
+
+For DCE/RPC based rules it has been necessary to set flow-bits based
+on a client bind to a service to avoid false positives. It is
+necessary for a client to bind to a service before being able to make
+a call to it. When a client sends a bind request to the server, it
+can, however, specify one or more service interfaces to bind to. Each
+interface is represented by a UUID. Each interface UUID is paired
+with a unique index (or context id) that future requests can use to
+reference the service that the client is making a call to. The server
+will respond with the interface UUIDs it accepts as valid and will
+allow the client to make requests to those services. When a client
+makes a request, it will specify the context id so the server knows
+what service the client is making a request to. Instead of using
+flow-bits, a rule can simply ask the inspector, using this rule
+option, whether or not the client has bound to a specific interface
+UUID and whether or not this client request is making a request to
+it. This can eliminate false positives where more than one service is
+bound to successfully since the inspector can correlate the bind UUID
+to the context id used in the request. A DCE/RPC request can specify
+whether numbers are represented as big endian or little endian. The
+representation of the interface UUID is different depending on the
+endianness specified in the DCE/RPC previously requiring two rules -
+one for big endian and one for little endian. The inspector
+eliminates the need for two rules by normalizing the UUID. An
+interface contains a version. Some versions of an interface may not
+be vulnerable to a certain exploit. Also, a DCE/RPC request can be
+broken up into 1 or more fragments. Flags (and a field in the
+connectionless header) are set in the DCE/RPC header to indicate
+whether the fragment is the first, a middle or the last fragment.
+Many checks for data in the DCE/RPC request are only relevant if the
+DCE/RPC request is a first fragment (or full request), since
+subsequent fragments will contain data deeper into the DCE/RPC
+request. A rule which is looking for data, say 5 bytes into the
+request (maybe it’s a length field), will be looking at the wrong
+data on a fragment other than the first, since the beginning of
+subsequent fragments are already offset some length from the
+beginning of the request. This can be a source of false positives in
+fragmented DCE/RPC traffic. By default it is reasonable to only
+evaluate if the request is a first fragment (or full request).
+However, if the "any_frag" option is used to specify evaluating on
+all fragments.
+
+Examples:
+
+dce_iface: 4b324fc8-1670-01d3-1278-5a47bf6ee188;
+dce_iface: 4b324fc8-1670-01d3-1278-5a47bf6ee188,<2;
+dce_iface: 4b324fc8-1670-01d3-1278-5a47bf6ee188,any_frag;
+dce_iface: 4b324fc8-1670-01d3-1278-5a47bf6ee188,=1,any_frag;
+
+This option is used to specify an interface UUID. Optional arguments
+are an interface version and operator to specify that the version be
+less than (<), greater than (>), equal to (=) or not equal to (!) the
+version specified. Also, by default the rule will only be evaluated
+for a first fragment (or full request, i.e. not a fragment) since
+most rules are written to start at the beginning of a request. The
+"any_frag" argument says to evaluate for middle and last fragments as
+well. This option requires tracking client Bind and Alter Context
+requests as well as server Bind Ack and Alter Context responses for
+connection-oriented DCE/RPC in the inspector. For each Bind and Alter
+Context request, the client specifies a list of interface UUIDs along
+with a handle (or context id) for each interface UUID that will be
+used during the DCE/RPC session to reference the interface. The
+server response indicates which interfaces it will allow the client
+to make requests to - it either accepts or rejects the client’s wish
+to bind to a certain interface. This tracking is required so that
+when a request is processed, the context id used in the request can
+be correlated with the interface UUID it is a handle for.
+
+hexlong and hexshort will be specified and interpreted to be in big
+endian order (this is usually the default way an interface UUID will
+be seen and represented). As an example, the following Messenger
+interface UUID as taken off the wire from a little endian Bind
+request:
+
+|f8 91 7b 5a 00 ff d0 11 a9 b2 00 c0 4f b6 e6 fc|
+
+must be written as:
+
+5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc
+
+The same UUID taken off the wire from a big endian Bind request:
+
+|5a 7b 91 f8 ff 00 11 d0 a9 b2 00 c0 4f b6 e6 fc|
+
+must be written the same way:
+
+5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc
+
+This option matches if the specified interface UUID matches the
+interface UUID (as referred to by the context id) of the DCE/RPC
+request and if supplied, the version operation is true. This option
+will not match if the fragment is not a first fragment (or full
+request) unless the "any_frag" option is supplied in which case only
+the interface UUID and version need match. Note that a defragmented
+DCE/RPC request will be considered a full request.
+
+Using this rule option will automatically insert fast pattern
+contents into the fast pattern matcher. For UDP rules, the interface
+UUID, in both big and little endian format will be inserted into the
+fast pattern matcher. For TCP rules, (1) if the rule option
+"flow:to_server|from_client" is used, |05 00 00| will be inserted
+into the fast pattern matcher, (2) if the rule option
+"flow:from_server|to_client" is used, |05 00 02| will be inserted
+into the fast pattern matcher and (3) if the flow isn’t known, |05 00
+| will be inserted into the fast pattern matcher. Note that if the
+rule already has content rule options in it, the best (meaning
+longest) pattern will be used. If a content in the rule uses the
+fast_pattern rule option, it will unequivocally be used over the
+above mentioned patterns.
+
+5.2.8.2. dce_opnum
+
+The opnum represents a specific function call to an interface. After
+is has been determined that a client has bound to a specific
+interface and is making a request to it (see above - dce_iface)
+usually we want to know what function call it is making to that
+service. It is likely that an exploit lies in the particular DCE/RPC
+function call.
+
+Examples:
+
+dce_opnum: 15;
+dce_opnum: 15-18;
+dce_opnum: 15,18-20;
+dce_opnum: 15,17,20-22;
+
+This option is used to specify an opnum (or operation number), opnum
+range or list containing either or both opnum and/or opnum-range. The
+opnum of a DCE/RPC request will be matched against the opnums
+specified with this option. This option matches if any one of the
+opnums specified match the opnum of the DCE/RPC request.
+
+5.2.8.3. dce_stub_data
+
+Since most DCE/RPC based rules had to do protocol decoding only to
+get to the DCE/RPC stub data, i.e. the remote procedure call or
+function call data, this option will alleviate this need and place
+the cursor at the beginning of the DCE/RPC stub data. This reduces
+the number of rule option checks and the complexity of the rule.
+
+This option takes no arguments.
- * file_id.total_files: number of files processed
- * file_id.total_file_data: number of file data bytes processed
- * file_id.cache_failures: number of file cache add failures
+Example:
+dce_stub_data;
-4.11. high_availability
+This option is used to place the cursor (used to walk the packet
+payload in rules processing) at the beginning of the DCE/RPC stub
+data, regardless of preceding rule options. There are no arguments to
+this option. This option matches if there is DCE/RPC stub data.
---------------
+The cursor is moved to the beginning of the stub data. All ensuing
+rule options will be considered "sticky" to this buffer. The first
+rule option following dce_stub_data should use absolute location
+modifiers if it is position-dependent. Subsequent rule options should
+use a relative modifier if they are meant to be relative to a
+previous rule option match in the stub data buffer. Any rule option
+that does not specify a relative modifier will be evaluated from the
+start of the stub data buffer. To leave the stub data buffer and
+return to the main payload buffer, use the "pkt_data" rule option.
-What: implement flow tracking high availability
+5.2.8.4. byte_test and byte_jump
-Type: basic
+A DCE/RPC request can specify whether numbers are represented in big
+or little endian. These rule options will take as a new argument
+"dce" and will work basically the same as the normal byte_test/
+byte_jump, but since the DCE/RPC inspector will know the endianness
+of the request, it will be able to do the correct conversion.
-Configuration:
+Examples:
- * bool high_availability.enable = false: enable high availability
- * bool high_availability.daq_channel = false: enable use of daq
- data plane channel
- * bit_list high_availability.ports: side channel message port list
- { 65535 }
- * real high_availability.min_age = 1.0: minimum session life before
- HA updates { 0.0:100.0 }
- * real high_availability.min_sync = 1.0: minimum interval between
- HA updates { 0.0:100.0 }
+byte_test: 4,>,35000,0,relative,dce;
+byte_test: 2,!=,2280,-10,relative,dce;
-Peg counts:
+When using the "dce" argument to a byte_test, the following normal
+byte_test arguments will not be allowed: "big", "little", "string",
+"hex", "dec" and "oct".
+Examples:
-4.12. host_cache
+byte_jump:4,-4,relative,align,multiplier 2,post_offset -4,dce;
---------------
+When using the dce argument to a byte_jump, the following normal
+byte_jump arguments will not be allowed: "big", "little", "string",
+"hex", "dec", "oct" and "from_beginning"
-What: configure hosts
-Type: basic
+5.3. File Processing
-Configuration:
+--------------
- * int host_cache[].size: size of host cache
+With the volume of malware transferred through network increasing,
+network file inspection becomes more and more important. This feature
+will provide file type identification, file signature creation, and
+file capture capabilities to help users deal with those challenges.
-Peg counts:
+5.3.1. Overview
- * host_cache.lru cache adds: lru cache added new entry
- * host_cache.lru cache replaces: lru cache replaced existing entry
- * host_cache.lru cache prunes: lru cache pruned entry to make space
- for new entry
- * host_cache.lru cache find hits: lru cache found entry in cache
- * host_cache.lru cache find misses: lru cache did not find entry in
- cache
- * host_cache.lru cache removes: lru cache found entry and removed
- it
- * host_cache.lru cache clears: lru cache clear API calls
+There are two parts of file services: file APIs and file policy. File
+APIs provides all the file inspection functionalities, such as file
+type identification, file signature calculation, and file capture.
+File policy provides users ability to control file services, such as
+enable/disable/configure file type identification, file signature, or
+file capture.
+In addition to all capabilities from Snort 2, we support customized
+file policy along with file event log.
-4.13. host_tracker
+ * Supported protocols: HTTP, SMTP, IMAP, POP3, FTP, and SMB.
+ * Supported file signature calculation: SHA256
---------------
+5.3.2. Quick Guide
-What: configure hosts
+A very simple configuration has been included in lua/snort.lua file.
+A typical file configuration looks like this:
-Type: basic
+dofile('magic.lua')
-Configuration:
+my_file_policy =
+{
+ { when = { file_type_id = 0 }, use = { verdict = 'log', enable_file_signature = true, enable_file_capture = true } }
+ { when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_signature = true } },
+ { when = { sha256 = "F74DC976BC8387E7D4FC0716A069017A0C7ED13F309A523CC41A8739CCB7D4B6" }, use = { verdict = 'block'} },
+}
- * addr host_tracker[].ip = 0.0.0.0/32: hosts address / cidr
- * enum host_tracker[].frag_policy: defragmentation policy { first |
- linux | bsd | bsd_right | last | windows | solaris }
- * enum host_tracker[].tcp_policy: tcp reassembly policy { first |
- last | linux | old_linux | bsd | macos | solaris | irix | hpux11
- | hpux10 | windows | win_2003 | vista | proxy }
- * string host_tracker[].services[].name: service identifier
- * enum host_tracker[].services[].proto = tcp: ip protocol { tcp |
- udp }
- * port host_tracker[].services[].port: port number
+file_id =
+{
+ enable_type = true,
+ enable_signature = true,
+ enable_capture = true,
+ file_rules = magics,
+ trace_type = true,
+ trace_signature = true,
+ trace_stream = true,
+ file_policy = my_file_policy,
+ }
-Peg counts:
+file_log =
+{
+ log_pkt_time = true,
+ log_sys_time = false,
+}
- * host_tracker.service adds: host service adds
- * host_tracker.service finds: host service finds
- * host_tracker.service removes: host service removes
+There are 3 steps to enable file processing:
+ * First, you need to include the file magic rules.
+ * Then, define the file policy and configure the inspector
+ * At last, enable file_log to get detailed information about file
+ event
-4.14. hosts
+5.3.3. Pre-packaged File Magic Rules
---------------
+A set of file magic rules is packaged with Snort. They can be located
+at "lua/file_magic.lua". To use this feature, it is recommended that
+these pre-packaged rules are used; doing so requires that you include
+the file in your Snort configuration as such (already in snort.lua):
-What: configure hosts
+dofile('magic.lua')
-Type: basic
+Example:
-Configuration:
+{ type = "GIF", id = 62, category = "Graphics", rev = 1,
+ magic = { { content = "| 47 49 46 38 37 61 |",offset = 0 } } },
- * addr hosts[].ip = 0.0.0.0/32: hosts address / cidr
- * enum hosts[].frag_policy: defragmentation policy { first | linux
- | bsd | bsd_right | last | windows | solaris }
- * enum hosts[].tcp_policy: tcp reassembly policy { first | last |
- linux | old_linux | bsd | macos | solaris | irix | hpux11 |
- hpux10 | windows | win_2003 | vista | proxy }
- * string hosts[].services[].name: service identifier
- * enum hosts[].services[].proto = tcp: ip protocol { tcp | udp }
- * port hosts[].services[].port: port number
+{ type = "GIF", id = 63, category = "Graphics", rev = 1,
+ magic = { { content = "| 47 49 46 38 39 61 |",offset = 0 } } },
+The previous two rules define GIF format, because two file magics are
+different. File magics are specifed by content and offset, which look
+at content at particular file offset to identify the file type. In
+this case, two magics look at the beginning of the file. You can use
+character if it is printable or hex value in between "|".
-4.15. ips
+5.3.4. File Policy
---------------
+You can enabled file type, file signature, or file capture by
+configuring file_id. In addition, you can enable trace to see file
+stream data, file type, and file signature information.
-What: configure IPS rule processing
+Most importantly, you can configure a file policy that can block/
+alert some file type or an individual file based on SHA. This allows
+you build a file blacklist or whitelist.
-Type: basic
+Example:
-Configuration:
+file_policy =
+{
+ { when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_signature = true } },
+ { when = { sha256 = "F74DC976BC8387E7D4FC0716A069017A0C7ED13F309A523CC41A8739CCB7D4B6" }, use = { verdict = 'block'} },
+ { when = { file_type_id = 0 }, use = { verdict = 'log', enable_file_signature = true, enable_file_capture = true } }
+}
- * bool ips.enable_builtin_rules = false: enable events from builtin
- rules w/o stubs
- * int ips.id = 0: correlate unified2 events with configuration {
- 0:65535 }
- * string ips.include: legacy snort rules and includes
- * enum ips.mode: set policy mode { tap | inline | inline-test }
- * string ips.rules: snort rules and includes
+In this example, it enables this policy:
+ * For PDF files, they will be logged with signatures.
+ * For the file matching this SHA, it will be blocked
+ * For all file types identified, they will be logged with
+ signature, and also captured onto log folder.
-4.16. latency
+5.3.5. File Capture
---------------
+File can be captured and stored to log folder. We use SHA as file
+name instead of actual file name to avoid conflicts. You can capture
+either all files, some file type, or a particular file based on SHA.
-What: packet and rule latency monitoring and control
+You can enable file capture through this config:
-Type: basic
+enable_capture = true,
-Configuration:
+or enable it for some file or file type in your file policy:
- * int latency.packet.max_time = 500: set timeout for packet latency
- thresholding (usec) { 0: }
- * bool latency.packet.fastpath = false: fastpath expensive packets
- (max_time exceeded)
- * enum latency.packet.action = none: event action if packet times
- out and is fastpathed { none | alert | log | alert_and_log }
- * int latency.rule.max_time = 500: set timeout for rule evaluation
- (usec) { 0: }
- * bool latency.rule.suspend = false: temporarily suspend expensive
- rules
- * int latency.rule.suspend_threshold = 5: set threshold for number
- of timeouts before suspending a rule { 1: }
- * int latency.rule.max_suspend_time = 30000: set max time for
- suspending a rule (ms, 0 means permanently disable rule) { 0: }
- * enum latency.rule.action = none: event action for rule latency
- enable and suspend events { none | alert | log | alert_and_log }
+{ when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_capture = true } },
-Rules:
+The above rule will enable PDF file capture.
- * 134:1 (latency) rule tree suspended due to latency
- * 134:2 (latency) rule tree re-enabled after suspend timeout
- * 134:3 (latency) packet fastpathed due to latency
+5.3.6. File Events
-Peg counts:
+File inspect preprocessor also works as a dynamic output plugin for
+file events. It logs basic information about file. The log file is in
+the same folder as other log files with name starting with
+"file.log".
- * latency.total packets: total packets monitored
- * latency.total usecs: total usecs elapsed
- * latency.max usecs: maximum usecs elapsed
- * latency.packet timeouts: packets that timed out
- * latency.total rule evals: total rule evals monitored
- * latency.rule eval timeouts: rule evals that timed out
- * latency.rule tree enables: rule tree re-enables
+Example:
+file_log = { log_pkt_time = true, log_sys_time = false }
-4.17. memory
+All file events will be logged in packet time, system time is not
+logged.
---------------
+File event example:
-What: memory management configuration
+08/14-19:14:19.100891 10.22.75.72:33734 -> 10.22.75.36:80,
+[Name: "malware.exe"] [Verdict: Block] [Type: MSEXE]
+[SHA: 6F26E721FDB1AAFD29B41BCF90196DEE3A5412550615A856DAE8E3634BCE9F7A]
+[Size: 1039328]
-Type: basic
-Configuration:
+5.4. HTTP Inspector
- * int memory.cap = 0: set the per-packet-thread cap on memory
- (bytes, 0 to disable) { 0: }
- * bool memory.soft = false: always succeed in allocating memory,
- even if above the cap
- * int memory.threshold = 0: set the per-packet-thread threshold for
- preemptive cleanup actions (percent, 0 to disable) { 0: }
+--------------
+One of the major undertakings for Snort 3 is developing a completely
+new HTTP inspector. You can configure it by adding:
-4.18. network
+http_inspect = {}
---------------
+to your snort.lua configuration file. Or you can read it in the
+source code under src/service_inspectors/http_inspect.
-What: configure basic network parameters
+The classic HTTP preprocessor is still available in the alpha release
+under extra. It has been renamed http_server. Be sure not to
+configure both old and new HTTP inspectors at the same time.
-Type: basic
+So why a new HTTP inspector?
-Configuration:
+For starters it is object-oriented. That’s good for us because we
+maintain this software. But it should also be really nice for
+open-source developers. You can make meaningful changes and additions
+to HTTP processing without having to understand the whole thing. In
+fact much of the new HTTP inspector’s knowledge of HTTP is
+centralized in a series of tables where it can be easily reviewed and
+modified. Many significant changes can be made just by updating these
+tables.
- * multi network.checksum_drop = none: drop if checksum is bad { all
- | ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }
- * multi network.checksum_eval = none: checksums to verify { all |
- ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }
- * bool network.decode_drops = false: enable dropping of packets by
- the decoder
- * int network.id = 0: correlate unified2 events with configuration
- { 0:65535 }
- * int network.min_ttl = 1: alert / normalize packets with lower ttl
- / hop limit (you must enable rules and / or normalization also) {
- 1:255 }
- * int network.new_ttl = 1: use this value for responses and when
- normalizing { 1:255 }
- * int network.layers = 40: The maximum number of protocols that
- Snort can correctly decode { 3:255 }
- * int network.max_ip6_extensions = 0: The number of IP6 options
- Snort will process for a given IPv6 layer. If this limit is hit,
- rule 116:456 may fire. 0 = unlimited { 0:255 }
- * int network.max_ip_layers = 0: The maximum number of IP layers
- Snort will process for a given packet If this limit is hit, rule
- 116:293 may fire. 0 = unlimited { 0:255 }
+Http_inspect is the first inspector written specifically for the new
+Snort 3 architecture. That provides access to one of the very best
+features of Snort 3: purely PDU-based inspection. The classic
+preprocessor processes HTTP messages, but even while doing so it is
+constantly aware of IP packets and how they divide up the TCP data
+stream. The same HTTP message might be processed differently
+depending on how the sender (bad guy) divided it up into IP packets.
+
+Http_inspect is free of this burden and can focus exclusively on
+HTTP. That makes it much simpler, easier to test, and less prone to
+false positives. It also greatly reduces the opportunity for
+adversaries to probe the inspector for weak spots by adjusting packet
+boundaries to disguise bad behavior.
+
+Dealing solely with HTTP messages also opens the door for developing
+major new features. The http_inspect design supports true stateful
+processing. Want to ask questions that involve both the client
+request and the server response? Or different requests in the same
+session? These things are possible.
+
+Another new feature on the horizon is HTTP/2 analysis. HTTP/2 derives
+from Google’s SPDY project and is in the process of being
+standardized. Despite the name, it is better to think of HTTP/2 not
+as a newer version of HTTP/1.1, but rather a separate protocol layer
+that runs under HTTP/1.1 and on top of TLS or TCP. It’s a perfect fit
+for the new Snort 3 architecture because a new HTTP/2 inspector would
+naturally output HTTP/1.1 messages but not any underlying packets.
+Exactly what http_inspect wants to input.
+
+Http_inspect is taking a very different approach to HTTP header
+fields. The classic preprocessor divides all the HTTP headers
+following the start line into cookies and everything else. It
+normalizes the two pieces using a generic process and puts them in
+buffers that one can write rules against. There is some limited
+support for examining individual headers within the inspector but it
+is very specific.
+
+The new concept is that every header should be normalized in an
+appropriate and specific way and individually made available for the
+user to write rules against it. If for example a header is supposed
+to be a date then normalization means put that date in a standard
+format.
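Review bot: the three network.* entries removed at the top of this hunk ("int network.layers = 40", "int network.max_ip6_extensions = 0", "int network.max_ip_layers = 0") are deleted without any replacement text, yet the rules they point at (116:293 and 116:472, "too many protocols present") are still listed under the new decode module later in this diff. Please confirm the options are re-documented in the renumbered basic modules chapter; otherwise a reader who sees those alerts has no way to find the limit that triggers them. Also, the new http_inspect text says every header is "individually made available for the user to write rules against it" but names no rule option or buffer; one concrete example of a normalized header used in a rule would make that paragraph actionable.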
-4.19. output
+5.5. Performance Monitor
--------------
-What: configure general output parameters
+The new and improved performance monitor! Is your sensor being bogged
+down by too many flows? perf_monitor! Why are certain TCP segments
+being dropped without hitting a rule? perf_monitor! Why is a sensor
+leaking water? Not perf_monitor, check with stream…
-Type: basic
+5.5.1. Overview
-Configuration:
+The Snort performance monitor is the built-in utility for monitoring
+system and traffic statistics. All statistics are separated by
+processing thread. perf_monitor supports several trackers for
+monitoring such data:
- * bool output.dump_chars_only = false: turns on character dumps
- (same as -C)
- * bool output.dump_payload = false: dumps application layer (same
- as -d)
- * bool output.dump_payload_verbose = false: dumps raw packet
- starting at link layer (same as -X)
- * bool output.log_ipv6_extra_data = false: log IPv6 source and
- destination addresses as unified2 extra data records
- * int output.event_trace.max_data = 0: maximum amount of packet
- data to capture { 0:65535 }
- * bool output.quiet = false: suppress non-fatal information (still
- show alerts, same as -q)
- * string output.logdir = .: where to put log files (same as -l)
- * bool output.obfuscate = false: obfuscate the logged IP addresses
- (same as -O)
- * bool output.obfuscate_pii = false: Mask all but the last 4
- characters of credit card and social security numbers
- * bool output.show_year = false: include year in timestamp in the
- alert and log files (same as -y)
- * int output.tagged_packet_limit = 256: maximum number of packets
- tagged for non-packet metrics { 0: }
- * bool output.verbose = false: be verbose (same as -v)
+5.5.2. Base Tracker
+
+The base tracker is used to gather running statistics about Snort and
+its running modules. All Snort modules gather, at the very least,
+counters for the number of packets reaching it. Most supplement these
+counts with those for domain specific functions, such as
+http_inspect’s number of GET requests seen.
+Statistics are gathered live and can be reported at regular
+intervals. The stats reported correspond only to the interval in
+question and are reset at the beginning of each interval.
-4.20. packets
+These are the same counts displayed when Snort shuts down, only
+sorted amongst the discrete intervals in which they occurred.
---------------
+Base differs from prior implementations in Snort in that all stats
+gathered are only raw counts, allowing the data to be evaluated as
+needed. Additionally, base is entirely pluggable. Data from new Snort
+plugins can be added to the existing stats either automatically or,
+if specified, by name and function.
-What: configure basic packet handling
+All plugins and counters can be enabled or disabled individually,
+allowing for only the data that is actually desired instead of overly
+verbose performance logs.
-Type: basic
+To enable everything:
-Configuration:
+perf_monitor = { modules = {} }
- * bool packets.address_space_agnostic = false: determines whether
- DAQ address space info is used to track fragments and connections
- * string packets.bpf_file: file with BPF to select traffic for
- Snort
- * int packets.limit = 0: maximum number of packets to process
- before stopping (0 is unlimited) { 0: }
- * int packets.skip = 0: number of packets to skip before before
- processing { 0: }
- * bool packets.vlan_agnostic = false: determines whether VLAN info
- is used to track fragments and connections
+To enable everything within a module:
+perf_monitor =
+{
+ modules =
+ {
+ {
+ name = 'stream_tcp',
+ pegs = [[ ]]
+ },
+ }
+}
-4.21. process
+To enable specific counts within modules:
---------------
+perf_monitor =
+{
+ modules =
+ {
+ {
+ name = 'stream_tcp',
+ pegs = [[ overlaps gaps ]]
+ },
+ }
-What: configure basic process setup
+Note: Event stats from prior Snorts are now located within base
+statistics.
-Type: basic
+5.5.3. Flow Tracker
-Configuration:
+Flow tracks statistics regarding traffic and L3/L4 protocol
+distributions. This data can be used to build a profile of traffic
+for inspector tuning and for identifying where Snort may be stressed.
- * string process.chroot: set chroot directory (same as -t)
- * string process.threads[].cpuset: pin the associated thread to
- this cpuset
- * int process.threads[].thread = 0: set cpu affinity for the
- <cur_thread_num> thread that runs { 0: }
- * bool process.daemon = false: fork as a daemon (same as -D)
- * bool process.dirty_pig = false: shutdown without internal cleanup
- * string process.set_gid: set group ID (same as -g)
- * string process.set_uid: set user ID (same as -u)
- * string process.umask: set process umask (same as -m)
- * bool process.utc = false: use UTC instead of local time for
- timestamps
+To enable:
+perf_monitor = { flow = true }
-4.22. profiler
+5.5.4. FlowIP Tracker
---------------
+FlowIP provides statistics for individual hosts within a network.
+This data can be used for identifying communication habits, such as
+generating large or small amounts of data, opening a small or large
+number of sessions, and tendency to send smaller or larger IP
+packets.
-What: configure profiling of rules and/or modules
+To enable:
-Type: basic
+perf_monitor = { flow_ip = true }
-Configuration:
+5.5.5. CPU Tracker
- * bool profiler.modules.show = true: show module time profile stats
- * int profiler.modules.count = 0: limit results to count items per
- level (0 = no limit) { 0: }
- * enum profiler.modules.sort = total_time: sort by given field {
- none | checks | avg_check | total_time }
- * int profiler.modules.max_depth = -1: limit depth to max_depth (-1
- = no limit) { -1: }
- * bool profiler.memory.show = true: show module memory profile
- stats
- * int profiler.memory.count = 0: limit results to count items per
- level (0 = no limit) { 0: }
- * enum profiler.memory.sort = total_used: sort by given field {
- none | allocations | total_used | avg_allocation }
- * int profiler.memory.max_depth = -1: limit depth to max_depth (-1
- = no limit) { -1: }
- * bool profiler.rules.show = true: show rule time profile stats
- * int profiler.rules.count = 0: print results to given level (0 =
- all) { 0: }
- * enum profiler.rules.sort = total_time: sort by given field { none
- | checks | avg_check | total_time | matches | no_matches |
- avg_match | avg_no_match }
+This tracker monitors the CPU and wall time spent by a given
+processing thread.
+
+To enable:
+
+perf_monitor = { cpu = true }
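Review bot: the third perf_monitor example ("To enable specific counts within modules") is not valid Lua as written: after "pegs = [[ overlaps gaps ]]", the lines "}," and "}" close the entry and the modules table, but the outer "perf_monitor =" table is never closed, so anyone who pastes it gets a parse error. Add the final "}" exactly as the preceding "enable everything within a module" example has it. It would also help to state explicitly that "perf_monitor = { modules = {} }" enables every module, since an empty list reads as "no modules" to most readers.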
-4.23. rate_filter
+5.6. Sensitive Data Filtering
--------------
-What: configure rate filters (which change rule actions)
+The sd_pattern IPS option provides detection and filtering of
+Personally Identifiable Information (PII). This information includes
+credit card numbers, U.S. Social Security numbers, and email
+addresses. A rich regular expression syntax is available for defining
+your own PII.
-Type: basic
+5.6.1. Hyperscan
-Configuration:
+The sd_pattern rule option is powered by the open source Hyperscan
+library from Intel. It provides a regex grammar which is mostly PCRE
+compatible. To learn more about Hyperscan see http://01org.github.io/
+hyperscan/dev-reference/
- * int rate_filter[].gid = 1: rule generator ID { 0: }
- * int rate_filter[].sid = 1: rule signature ID { 0: }
- * enum rate_filter[].track = by_src: filter only matching source or
- destination addresses { by_src | by_dst | by_rule }
- * int rate_filter[].count = 1: number of events in interval before
- tripping { 0: }
- * int rate_filter[].seconds = 1: count interval { 0: }
- * enum rate_filter[].new_action = alert: take this action on future
- hits until timeout { log | pass | alert | drop | block | reset }
- * int rate_filter[].timeout = 1: count interval { 0: }
- * string rate_filter[].apply_to: restrict filter to these addresses
- according to track
+5.6.2. Syntax
+Snort provides sd_pattern as IPS rule option with no additional
+inspector overhead. The Rule option takes the following syntax.
-4.24. references
+sd_pattern: "<pattern>"[, threshold <count>];
---------------
+5.6.2.1. Pattern
-What: define reference systems used in rules
+Pattern is the most important and is the only required parameter to
+sd_pattern. It supports 3 built in patterns which are configured by
+name: "credit_card", "us_social" and "us_social_nodashes", as well as
+user defined regular expressions of the Hyperscan dialect (see http:/
+/01org.github.io/hyperscan/dev-reference/compilation.html#
+pattern-support).
-Type: basic
+sd_pattern:"credit_card";
-Configuration:
+When configured, Snort will replace the pattern credit_card with the
+built in pattern. In addition to pattern matching, Snort will
+validate that the matched digits will pass the Luhn-check algorithm.
+Currently the only pattern that performs extra verification.
- * string references[].name: name used with reference rule option
- * string references[].url: where this reference is defined
+sd_pattern:"us_social";
+sd_pattern:"us_social_nodashes";
+These special patterns will also be replaced with a built in pattern.
+Naturally, "us_social" is a pattern of 9 digits separated by -'s in
+the canonical form.
-4.25. rule_state
+sd_pattern:"\b\w+@ourdomain\.com\b"
---------------
+This is a user defined pattern which matches what is most likely
+email addresses for the site "ourdomain.com". The pattern is a PCRE
+compatible regex, \b matches a word boundary (whitespace, end of
+line, non-word characters) and \w+ matches one or more word
+characters. \. matches a literal ..
-What: enable/disable specific IPS rules
+The above pattern would match "a@ourdomain.com", "aa@ourdomain.com"
+but would not match 1@ourdomain.com ab12@ourdomain.com or
+@ourdomain.com.
-Type: basic
+Note: This is just an example, this pattern is not suitable to detect
+many correctly formatted emails.
-Configuration:
+5.6.2.2. Threshold
- * int rule_state.gid = 0: rule generator ID { 0: }
- * int rule_state.sid = 0: rule signature ID { 0: }
- * bool rule_state.enable = true: enable or disable rule in all
- policies
+Threshold is an optional parameter allowing you to change built in
+default value (default value is 1). The following two instances are
+identical. The first will assume the default value of 1 the second
+declaration explicitly sets the threshold to 1.
+sd_pattern:"This rule requires 1 match";
+sd_pattern:"This rule requires 1 match", threshold 1;
-4.26. search_engine
+That’s pretty easy, but here is one more example anyway.
---------------
+sd_pattern:"This is a string literal", threshold 300;
-What: configure fast pattern matcher
+This example requires 300 matches of the pattern "This is a string
+literal" to qualify as a positive match. That is, if the string only
+occurred 299 times in a packet, you will not see an event.
-Type: basic
+5.6.2.3. Obfuscating Credit Cards and Social Security Numbers
-Configuration:
+Snort provides discreet logging for the built in patterns
+"credit_card", "us_social" and "us_social_nodashes". Enabling
+output.obfuscate_pii makes Snort obfuscate the suspect packet payload
+which was matched by the patterns. This configuration is disabled by
+default.
- * int search_engine.bleedover_port_limit = 1024: maximum ports in
- rule before demotion to any-any port group { 1: }
- * bool search_engine.bleedover_warnings_enabled = false: print
- warning if a rule is demoted to any-any port group
- * bool search_engine.enable_single_rule_group = false: put all
- rules into one group
- * bool search_engine.debug = false: print verbose fast pattern info
- * bool search_engine.debug_print_nocontent_rule_tests = false:
- print rule group info during packet evaluation
- * bool search_engine.debug_print_rule_group_build_details = false:
- print rule group info during compilation
- * bool search_engine.debug_print_rule_groups_uncompiled = false:
- prints uncompiled rule group information
- * bool search_engine.debug_print_rule_groups_compiled = false:
- prints compiled rule group information
- * int search_engine.max_pattern_len = 0: truncate patterns when
- compiling into state machine (0 means no maximum) { 0: }
- * int search_engine.max_queue_events = 5: maximum number of
- matching fast pattern states to queue per packet
- * bool search_engine.inspect_stream_inserts = false: inspect
- reassembled payload - disabling is good for performance, bad for
- detection
- * dynamic search_engine.search_method = ac_bnfa: set fast pattern
- algorithm - choose available search engine { ac_banded | ac_bnfa
- | ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan }
- * bool search_engine.search_optimize = true: tweak state machine
- construction for better performance
- * bool search_engine.show_fast_patterns = false: print fast pattern
- info for each rule
- * bool search_engine.split_any_any = false: evaluate any-any rules
- separately to save memory
+output =
+{
+ obfuscate_pii = true
+}
-Peg counts:
+5.6.3. Example
- * search_engine.max queued: maximum fast pattern matches queued for
- further evaluation
- * search_engine.total flushed: fast pattern matches discarded due
- to overflow
- * search_engine.total inserts: total fast pattern hits
- * search_engine.total unique: total unique fast pattern hits
- * search_engine.non-qualified events: total non-qualified events
- * search_engine.qualified events: total qualified events
+A complete Snort IPS rule
+alert tcp ( sid:1; msg:"Credit Card"; sd_pattern:"credit_card"; )
-4.27. side_channel
+Logged output when running Snort in "cmg" alert format.
---------------
+02/25-21:19:05.125553 [**] [1:1:0] "Credit Card" [**] [Priority: 0] {TCP} 10.1.2.3:48620 -> 10.9.8.7:8
+02:01:02:03:04:05 -> 02:09:08:07:06:05 type:0x800 len:0x46
+10.1.2.3:48620 -> 10.9.8.7:8 TCP TTL:64 TOS:0x0 ID:14 IpLen:20 DgmLen:56
+***A**** Seq: 0xB2 Ack: 0x2 Win: 0x2000 TcpLen: 20
+- - - raw[16] - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+58 58 58 58 58 58 58 58 58 58 58 58 39 32 39 34 XXXXXXXXXXXX9294
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-What: implement the side-channel asynchronous messaging subsystem
+5.6.4. Caveats
-Type: basic
+ 1. Snort currently requires setting the fast pattern engine to use
+ "hyperscan" in order for sd_pattern ips option to function
+ correctly.
-Configuration:
-
- * bit_list side_channel.ports: side channel message port list {
- 65535 }
- * string side_channel.connectors[].connector: connector handle
- * string side_channel.connector: connector handle
+ search_engine = { search_method = 'hyperscan' }
-Peg counts:
+ 2. Log obfuscation is only applicable to CMG and Unified2 logging
+ formats.
+ 3. Log obfuscation doesn’t support user defined PII patterns. It is
+ currently only supported for the built in patterns for Credit
+ Cards and US Social Security numbers.
+ 4. Log obfuscation doesn’t work with stream rebuilt packet payloads.
+ (This is a known bug).
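Review bot: the claim under the user-defined pattern example is wrong. In the PCRE-compatible grammar the text itself says Hyperscan uses, \w matches digits and underscore as well as letters, so "\b\w+@ourdomain\.com\b" does match "1@ourdomain.com" and "ab12@ourdomain.com"; of the three listed non-matches only "@ourdomain.com" actually fails. Either correct the list or, if the intent was letters only, change the example to something like "\b[A-Za-z]+@ourdomain\.com\b". Two smaller points in the same subsection: that example line is the only sd_pattern line without a trailing semicolon (compare sd_pattern:"credit_card";), and "\. matches a literal .." is hard to read because the literal period runs into the sentence period; quoting it would fix that.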
-4.28. snort
+5.7. Wizard
--------------
-What: command line configuration and shell commands
+Using the wizard enables port-independent configuration and the
+detection of malware command and control channels. If the wizard is
+bound to a session, it peeks at the initial payload to determine the
+service. For example, GET would indicate HTTP and HELO would indicate
+SMTP. Upon finding a match, the service bindings are reevaluated so
+the session can be handed off to the appropriate inspector. The
+wizard is still under development; if you find you need to tweak the
+defaults please let us know.
-Type: basic
+Additional Details:
-Configuration:
+ * If the wizard and one or more service inspectors are configured w
+ /o explicitly configuring the binder, default bindings will be
+ generated which should work for most common cases.
+ * Also note that while Snort 2 bindings can only be configured in
+ the default policy, each Snort 3 policy can contain a binder
+ leading to an arbitrary hierarchy.
+ * The entire configuration can be reloaded and hot-swapped during
+ run-time via signal or command in both Snort 2 and Snort 3.
+ Ultimately, Snort 3 will support commands to update the binder on
+ the fly, thus enabling incremental reloads of individual
+ inspectors.
+ * Both Snort 2 and Snort 3 support server specific configurations
+ via a hosts table (XML in Snort 2 and Lua in Snort 3). The table
+ allows you to map network, protocol, and port to a service and
+ policy. This table can be reloaded and hot-swapped separately
+ from the config file.
+ * You can find the specifics on the binder, wizard, and hosts
+ tables in the manual or command line like this: snort
+ --help-module binder, etc.
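Review bot: in the first bullet of "Additional Details" the abbreviation "w/o" has been split across the line break ("configured w" / "/o explicitly configuring the binder"), which reads as a stray path fragment in the rendered text; spell it out as "without". Also, unlike the other sections in this chapter (for example "perf_monitor = { flow = true }"), the wizard section gives no minimal configuration for enabling it; a one-line snippet next to the binder pointer in the last bullet would make the section usable on its own.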
- * string snort.-?: <option prefix> output matching command line
- option quick help (same as --help-options) { (optional) }
- * string snort.-A: <mode> set alert mode: none, cmg, or alert_*
- * addr snort.-B = 255.255.255.255/32: <mask> obfuscated IP
- addresses in alerts and packet dumps using CIDR mask
- * implied snort.-C: print out payloads with character data only (no
- hex)
- * string snort.-c: <conf> use this configuration
- * implied snort.-D: run Snort in background (daemon) mode
- * implied snort.-d: dump the Application Layer
- * implied snort.-e: display the second layer header info
- * implied snort.-f: turn off fflush() calls after binary log writes
- * int snort.-G: <0xid> (same as --logid) { 0:65535 }
- * string snort.-g: <gname> run snort gid as <gname> group (or gid)
- after initialization
- * implied snort.-H: make hash tables deterministic
- * string snort.-i: <iface>… list of interfaces
- * port snort.-j: <port> to listen for telnet connections
- * enum snort.-k = all: <mode> checksum mode; default is all { all|
- noip|notcp|noudp|noicmp|none }
- * string snort.-L: <mode> logging mode (none, dump, pcap, or log_*)
- * string snort.-l: <logdir> log to this directory instead of
- current directory
- * implied snort.-M: log messages to syslog (not alerts)
- * int snort.-m: <umask> set umask = <umask> { 0: }
- * int snort.-n: <count> stop after count packets { 0: }
- * implied snort.-O: obfuscate the logged IP addresses
- * implied snort.-Q: enable inline mode operation
- * implied snort.-q: quiet mode - Don’t show banner and status
- report
- * string snort.-R: <rules> include this rules file in the default
- policy
- * string snort.-r: <pcap>… (same as --pcap-list)
- * string snort.-S: <x=v> set config variable x equal to value v
- * int snort.-s = 1514: <snap> (same as --snaplen); default is 1514
- { 68:65535 }
- * implied snort.-T: test and report on the current Snort
- configuration
- * string snort.-t: <dir> chroots process to <dir> after
- initialization
- * implied snort.-U: use UTC for timestamps
- * string snort.-u: <uname> run snort as <uname> or <uid> after
- initialization
- * implied snort.-V: (same as --version)
- * implied snort.-v: be verbose
- * implied snort.-W: lists available interfaces
- * implied snort.-X: dump the raw packet data starting at the link
- layer
- * implied snort.-x: same as --pedantic
- * implied snort.-y: include year in timestamp in the alert and log
- files
- * int snort.-z = 1: <count> maximum number of packet threads (same
- as --max-packet-threads); 0 gets the number of CPU cores reported
- by the system; default is 1 { 0: }
- * implied snort.--alert-before-pass: process alert, drop, sdrop, or
- reject before pass; default is pass before alert, drop,…
- * string snort.--bpf: <filter options> are standard BPF options, as
- seen in TCPDump
- * string snort.--c2x: output hex for given char (see also --x2c)
- * implied snort.--create-pidfile: create PID file, even when not in
- Daemon mode
- * string snort.--daq: <type> select packet acquisition module
- (default is pcap)
- * string snort.--daq-dir: <dir> tell snort where to find desired
- DAQ
- * implied snort.--daq-list: list packet acquisition modules
- available in optional dir, default is static modules only
- * string snort.--daq-var: <name=value> specify extra DAQ
- configuration variable
- * implied snort.--dirty-pig: don’t flush packets on shutdown
- * implied snort.--dump-builtin-rules: [<module prefix>] output stub
- rules for selected modules
- * implied snort.--dump-dynamic-rules: output stub rules for all
- loaded rules libraries
- * string snort.--dump-defaults: [<module prefix>] output module
- defaults in Lua format { (optional) }
- * implied snort.--dump-version: output the version, the whole
- version, and only the version
- * implied snort.--enable-inline-test: enable Inline-Test Mode
- Operation
- * implied snort.--help: list command line options
- * string snort.--help-commands: [<module prefix>] output matching
- commands { (optional) }
- * string snort.--help-config: [<module prefix>] output matching
- config options { (optional) }
- * string snort.--help-counts: [<module prefix>] output matching peg
- counts { (optional) }
- * string snort.--help-module: <module> output description of given
- module
- * implied snort.--help-modules: list all available modules with
- brief help
- * string snort.--help-options: <option prefix> output matching
- command line option quick help (same as -?) { (optional) }
- * implied snort.--help-plugins: list all available plugins with
- brief help
- * implied snort.--help-signals: dump available control signals
- * implied snort.--id-subdir: create/use instance subdirectories in
- logdir instead of instance filename prefix
- * implied snort.--id-zero: use id prefix / subdirectory even with
- one packet thread
- * implied snort.--list-buffers: output available inspection buffers
- * string snort.--list-builtin: <module prefix> output matching
- builtin rules { (optional) }
- * string snort.--list-gids: [<module prefix>] output matching
- generators { (optional) }
- * string snort.--list-modules: [<module type>] list all known
- modules of given type { (optional) }
- * implied snort.--list-plugins: list all known plugins
- * string snort.--lua: <chunk> extend/override conf with chunk; may
- be repeated
- * int snort.--logid: <0xid> log Identifier to uniquely id events
- for multiple snorts (same as -G) { 0:65535 }
- * implied snort.--markup: output help in asciidoc compatible format
- * int snort.--max-packet-threads = 1: <count> configure maximum
- number of packet threads (same as -z) { 0: }
- * implied snort.--nostamps: don’t include timestamps in log file
- names
- * implied snort.--nolock-pidfile: do not try to lock Snort PID file
- * implied snort.--pause: wait for resume/quit command before
- processing packets/terminating
- * string snort.--pcap-file: <file> file that contains a list of
- pcaps to read - read mode is implied
- * string snort.--pcap-list: <list> a space separated list of pcaps
- to read - read mode is implied
- * string snort.--pcap-dir: <dir> a directory to recurse to look for
- pcaps - read mode is implied
- * string snort.--pcap-filter: <filter> filter to apply when getting
- pcaps from file or directory
- * int snort.--pcap-loop: <count> read all pcaps <count> times; 0
- will read until Snort is terminated { -1: }
- * implied snort.--pcap-no-filter: reset to use no filter when
- getting pcaps from file or directory
- * implied snort.--pcap-reload: if reading multiple pcaps, reload
- snort config between pcaps
- * implied snort.--pcap-show: print a line saying what pcap is
- currently being read
- * implied snort.--pedantic: warnings are fatal
- * string snort.--plugin-path: <path> where to find plugins
- * implied snort.--process-all-events: process all action groups
- * string snort.--rule: <rules> to be added to configuration; may be
- repeated
- * implied snort.--rule-to-hex: output so rule header to stdout for
- text rule on stdin
- * implied snort.--rule-to-text: output plain so rule header to
- stdout for text rule on stdin
- * string snort.--run-prefix: <pfx> prepend this to each output file
- * string snort.--script-path: <path> to a luajit script or
- directory containing luajit scripts
- * implied snort.--shell: enable the interactive command line
- * implied snort.--piglet: enable piglet test harness mode
- * implied snort.--show-plugins: list module and plugin versions
- * int snort.--skip: <n> skip 1st n packets { 0: }
- * int snort.--snaplen = 1514: <snap> set snaplen of packet (same as
- -s) { 68:65535 }
- * implied snort.--stdin-rules: read rules from stdin until EOF or a
- line starting with END is read
- * implied snort.--treat-drop-as-alert: converts drop, sdrop, and
- reject rules into alert rules during startup
- * implied snort.--treat-drop-as-ignore: use drop, sdrop, and reject
- rules to ignore session traffic when not inline
- * string snort.--catch-test: comma separated list of cat unit test
- tags or all
- * implied snort.--version: show version number (same as -V)
- * implied snort.--warn-all: enable all warnings
- * implied snort.--warn-conf: warn about configuration issues
- * implied snort.--warn-daq: warn about DAQ issues, usually related
- to mode
- * implied snort.--warn-flowbits: warn about flowbits that are
- checked but not set and vice-versa
- * implied snort.--warn-hosts: warn about host table issues
- * implied snort.--warn-plugins: warn about issues that prevent
- plugins from loading
- * implied snort.--warn-rules: warn about duplicate rules and rule
- parsing issues
- * implied snort.--warn-scripts: warn about issues discovered while
- processing Lua scripts
- * implied snort.--warn-symbols: warn about unknown symbols in your
- Lua config
- * implied snort.--warn-vars: warn about variable definition and
- usage issues
- * int snort.--x2c: output ASCII char for given hex (see also --c2x)
- * string snort.--x2s: output ASCII string for given byte code (see
- also --x2c)
-Commands:
+---------------------------------------------------------------------
- * snort.show_plugins(): show available plugins
- * snort.dump_stats(): show summary statistics
- * snort.rotate_stats(): roll perfmonitor log files
- * snort.reload_config(filename): load new configuration
- * snort.reload_hosts(filename): load a new hosts table
- * snort.pause(): suspend packet processing
- * snort.resume(): continue packet processing
- * snort.detach(): exit shell w/o shutdown
- * snort.quit(): shutdown and dump-stats
- * snort.help(): this output
+6. Basic Modules
-Peg counts:
+---------------------------------------------------------------------
- * snort.local commands: total local commands processed
- * snort.remote commands: total remote commands processed
- * snort.signals: total signals processed
- * snort.conf reloads: number of times configuration was reloaded
- * snort.attribute table reloads: number of times hosts table was
- reloaded
- * snort.attribute table hosts: total number of hosts in table
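Review bot: this hunk deletes the whole "4.28. snort" reference (every command-line option from "-?" to "--x2s", the shell commands such as snort.reload_config(filename), and the peg counts) without adding replacement text. Since the other 4.x sections are being renumbered into chapter 6 "Basic Modules", please confirm the snort module reappears there intact, including the defaults and ranges carried on the removed lines (for instance "-s = 1514 ... { 68:65535 }" and "-z = 1 ... { 0: }"); other parts of this diff, such as the obfuscate_pii caveat about CMG output and the "for use with -l or -B" remark on alerts.reference_net, still point readers at these options.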
+Internal modules which are not plugins are termed "basic". These
+include configuration for core processing.
-4.29. suppress
+6.1. active
--------------
-What: configure event suppressions
+What: configure responses
Type: basic
Configuration:
- * int suppress[].gid = 0: rule generator ID { 0: }
- * int suppress[].sid = 0: rule signature ID { 0: }
- * enum suppress[].track: suppress only matching source or
- destination addresses { by_src | by_dst }
- * string suppress[].ip: restrict suppression to these addresses
- according to track
+ * int active.attempts = 0: number of TCP packets sent per response
+ (with varying sequence numbers) { 0:20 }
+ * string active.device: use ip for network layer responses or eth0
+ etc for link layer
+ * string active.dst_mac: use format 01:23:45:67:89:ab
+ * int active.max_responses = 0: maximum number of responses { 0: }
+ * int active.min_interval = 255: minimum number of seconds between
+ responses { 1: }
----------------------------------------------------------------------
+6.2. alerts
-5. Codec Modules
+--------------
----------------------------------------------------------------------
+What: configure alerts
-Codec is short for coder / decoder. These modules are used for basic
-protocol decoding, anomaly detection, and construction of active
-responses.
+Type: basic
+
+Configuration:
+
+ * bool alerts.alert_with_interface_name = false: include interface
+ in alert info (fast, full, or syslog only)
+ * bool alerts.default_rule_state = true: enable or disable ips
+ rules
+ * int alerts.detection_filter_memcap = 1048576: set available bytes
+ of memory for detection_filters { 0: }
+ * int alerts.event_filter_memcap = 1048576: set available bytes of
+ memory for event_filters { 0: }
+ * string alerts.order = pass drop alert log: change the order of
+ rule action application
+ * int alerts.rate_filter_memcap = 1048576: set available bytes of
+ memory for rate_filters { 0: }
+ * string alerts.reference_net: set the CIDR for homenet (for use
+ with -l or -B, does NOT change $HOME_NET in IDS mode)
+ * bool alerts.stateful = false: don’t alert w/o established session
+ (note: rule action still taken)
+ * string alerts.tunnel_verdicts: let DAQ handle non-allow verdicts
+ for GTP|Teredo|6in4|4in6 traffic
-5.1. arp
+6.3. attribute_table
--------------
-What: support for address resolution protocol
+What: configure hosts loading
-Type: codec
+Type: basic
-Rules:
+Configuration:
- * 116:109 (arp) truncated ARP
+ * int attribute_table.max_hosts = 1024: maximum number of hosts in
+ attribute table { 32:207551 }
+ * int attribute_table.max_services_per_host = 8: maximum number of
+ services per host entry in attribute table { 1:65535 }
+ * int attribute_table.max_metadata_services = 8: maximum number of
+ services in rule metadata { 1:256 }
-5.2. auth
+6.4. classifications
--------------
-What: support for IP authentication header
+What: define rule categories with priority
-Type: codec
+Type: basic
-Rules:
+Configuration:
- * 116:465 (auth) truncated authentication header
- * 116:466 (auth) bad authentication header length
+ * string classifications[].name: name used with classtype rule
+ option
+ * int classifications[].priority = 1: default priority for class {
+ 0: }
+ * string classifications[].text: description of class
-5.3. ciscometadata
+6.5. daq
--------------
-What: support for cisco metadata
+What: configure packet acquisition interface
-Type: codec
+Type: basic
-Rules:
+Configuration:
- * 116:468 (ciscometadata) truncated Cisco Metadata header
- * 116:469 (ciscometadata) invalid Cisco Metadata option length
- * 116:470 (ciscometadata) invalid Cisco Metadata option type
- * 116:471 (ciscometadata) invalid Cisco Metadata SGT
+ * string daq.module_dirs[].str: string parameter
+ * string daq.input_spec: input specification
+ * string daq.module: DAQ module to use
+ * string daq.variables[].str: string parameter
+ * int daq.instances[].id: instance ID (required) { 0: }
+ * string daq.instances[].input_spec: input specification
+ * string daq.instances[].variables[].str: string parameter
+ * int daq.snaplen: set snap length (same as -s) { 0:65535 }
+ * bool daq.no_promisc = false: whether to put DAQ device into
+ promiscuous mode
+
+Peg counts:
+
+ * daq.pcaps: total files and interfaces processed
+ * daq.received: total packets received from DAQ
+ * daq.analyzed: total packets analyzed from DAQ
+ * daq.dropped: packets dropped
+ * daq.filtered: packets filtered out
+ * daq.outstanding: packets unprocessed
+ * daq.injected: active responses or replacements
+ * daq.allow: total allow verdicts
+ * daq.block: total block verdicts
+ * daq.replace: total replace verdicts
+ * daq.whitelist: total whitelist verdicts
+ * daq.blacklist: total blacklist verdicts
+ * daq.ignore: total ignore verdicts
+ * daq.internal blacklist: packets blacklisted internally due to
+ lack of DAQ support
+ * daq.internal whitelist: packets whitelisted internally due to
+ lack of DAQ support
+ * daq.skipped: packets skipped at startup
+ * daq.idle: attempts to acquire from DAQ without available packets
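Review bot: the description of daq.no_promisc (default false) reads "whether to put DAQ device into promiscuous mode", which is the inverse of what the option name says; a reader setting it to true in order to get promiscuous capture would get the opposite. Suggest wording such as "do not put the DAQ device into promiscuous mode" so that name, default and description agree.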
-5.4. erspan2
+6.6. decode
--------------
-What: support for encapsulated remote switched port analyzer - type 2
+What: general decoder rules
-Type: codec
+Type: basic
Rules:
- * 116:462 (erspan2) ERSpan header version mismatch
- * 116:463 (erspan2) captured < ERSpan type2 header length
+ * 116:450 (decode) bad IP protocol
+ * 116:293 (decode) two or more IP (v4 and/or v6) encapsulation
+ layers present
+ * 116:459 (decode) fragment with zero length
+ * 116:150 (decode) loopback IP
+ * 116:151 (decode) same src/dst IP
+ * 116:449 (decode) unassigned/reserved IP protocol
+ * 116:472 (decode) too many protocols present
-5.5. erspan3
+6.7. detection
--------------
-What: support for encapsulated remote switched port analyzer - type 3
+What: configure general IPS rule processing parameters
-Type: codec
+Type: basic
-Rules:
+Configuration:
- * 116:464 (erspan3) captured < ERSpan type3 header length
+ * int detection.asn1 = 256: maximum decode nodes { 1: }
+ * bool detection.pcre_enable = true: disable pcre pattern matching
+ * int detection.pcre_match_limit = 1500: limit pcre backtracking,
+ -1 = max, 0 = off { -1:1000000 }
+ * int detection.pcre_match_limit_recursion = 1500: limit pcre stack
+ consumption, -1 = max, 0 = off { -1:10000 }
+Peg counts:
-5.6. esp
+ * detection.analyzed: packets sent to detection
+ * detection.hard evals: non-fast pattern rule evaluations
+ * detection.raw searches: fast pattern searches in raw packet data
+ * detection.cooked searches: fast pattern searches in cooked packet
+ data
+ * detection.pkt searches: fast pattern searches in packet data
+ * detection.alt searches: alt fast pattern searches in packet data
+ * detection.key searches: fast pattern searches in key buffer
+ * detection.header searches: fast pattern searches in header buffer
+ * detection.body searches: fast pattern searches in body buffer
+ * detection.file searches: fast pattern searches in file buffer
+ * detection.alerts: alerts not including IP reputation
+ * detection.total alerts: alerts including IP reputation
+ * detection.logged: logged packets
+ * detection.passed: passed packets
+ * detection.match limit: fast pattern matches not processed
+ * detection.queue limit: events not queued because queue full
+ * detection.log limit: events queued but not logged
+ * detection.event limit: events filtered
+ * detection.alert limit: events previously triggered on same PDU
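Review bot: detection.pcre_enable defaults to true but its description says "disable pcre pattern matching"; either the text should read "enable pcre pattern matching" or the default shown is wrong. Please reconcile the two, since a user reading the default as "pcre is disabled unless I change this" would draw the wrong conclusion.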
---------------
-What: support for encapsulating security payload
+6.8. event_filter
-Type: codec
+--------------
-Configuration:
+What: configure thresholding of events
- * bool esp.decode_esp = false: enable for inspection of esp traffic
- that has authentication but not encryption
+Type: basic
-Rules:
+Configuration:
- * 116:294 (esp) truncated encapsulated security payload header
+ * int event_filter[].gid = 1: rule generator ID { 0: }
+ * int event_filter[].sid = 1: rule signature ID { 0: }
+ * enum event_filter[].type: 1st count events | every count events |
+ once after count events { limit | threshold | both }
+ * enum event_filter[].track: filter only matching source or
+ destination addresses { by_src | by_dst }
+ * int event_filter[].count = 0: number of events in interval before
+ tripping; -1 to disable { -1: }
+ * int event_filter[].seconds = 0: count interval { 0: }
+ * string event_filter[].ip: restrict filter to these addresses
+ according to track
-5.7. eth
+6.9. event_queue
--------------
-What: support for ethernet protocol (DLT 1) (DLT 51)
+What: configure event queue parameters
-Type: codec
+Type: basic
-Rules:
+Configuration:
- * 116:424 (eth) truncated eth header
+ * int event_queue.max_queue = 8: maximum events to queue { 1: }
+ * int event_queue.log = 3: maximum events to log { 1: }
+ * enum event_queue.order_events = content_length: criteria for
+ ordering incoming events { priority|content_length }
+ * bool event_queue.process_all_events = false: process just first
+ action group or all action groups
-5.8. fabricpath
+6.10. file_id
--------------
-What: support for fabricpath
+What: configure file identification
-Type: codec
+Type: basic
+
+Configuration:
+
+ * int file_id.type_depth = 1460: stop type ID at this point { 0: }
+ * int file_id.signature_depth = 10485760: stop signature at this
+ point { 0: }
+ * int file_id.block_timeout = 86400: stop blocking after this many
+ seconds { 0: }
+ * int file_id.lookup_timeout = 2: give up on lookup after this many
+ seconds { 0: }
+ * bool file_id.block_timeout_lookup = false: block if lookup times
+ out
+ * int file_id.capture_memcap = 100: memcap for file capture in
+ megabytes { 0: }
+ * int file_id.capture_max_size = 1048576: stop file capture beyond
+ this point { 0: }
+ * int file_id.capture_min_size = 0: stop file capture if file size
+ less than this { 0: }
+ * int file_id.capture_block_size = 32768: file capture block size
+ in bytes { 8: }
+ * int file_id.max_files_cached = 65536: maximal number of files
+ cached in memory { 8: }
+ * bool file_id.enable_type = false: enable type ID
+ * bool file_id.enable_signature = false: enable signature
+ calculation
+ * bool file_id.enable_capture = false: enable file capture
+ * int file_id.show_data_depth = 100: print this many octets { 0: }
+ * int file_id.file_rules[].rev = 0: rule revision { 0: }
+ * string file_id.file_rules[].msg: information about the file type
+ * string file_id.file_rules[].type: file type name
+ * int file_id.file_rules[].id = 0: file type id { 0: }
+ * string file_id.file_rules[].category: file type category
+ * string file_id.file_rules[].version: file type version
+ * string file_id.file_rules[].magic[].content: file magic content
+ * int file_id.file_rules[].magic[].offset = 0: file magic offset {
+ 0: }
+ * int file_id.file_policy[].when.file_type_id = 0: unique ID for
+ file type in file magic rule { 0: }
+ * string file_id.file_policy[].when.sha256: SHA 256
+ * enum file_id.file_policy[].use.verdict = unknown: what to do with
+ matching traffic { unknown | log | stop | block | reset }
+ * bool file_id.file_policy[].use.enable_file_type = false: true/
+ false → enable/disable file type identification
+ * bool file_id.file_policy[].use.enable_file_signature = false:
+ true/false → enable/disable file signature
+ * bool file_id.file_policy[].use.enable_file_capture = false: true/
+ false → enable/disable file capture
+ * bool file_id.trace_type = false: enable runtime dump of type info
+ * bool file_id.trace_signature = false: enable runtime dump of
+ signature info
+ * bool file_id.trace_stream = false: enable runtime dump of file
+ data
-Rules:
+Peg counts:
- * 116:467 (fabricpath) truncated FabricPath header
+ * file_id.total files: number of files processed
+ * file_id.total file data: number of file data bytes processed
+ * file_id.cache failures: number of file cache add failures
-5.9. gre
+6.11. high_availability
--------------
-What: support for generic routing encapsulation
-
-Type: codec
-
-Rules:
-
- * 116:160 (gre) GRE header length > payload length
- * 116:161 (gre) multiple encapsulations in packet
- * 116:162 (gre) invalid GRE version
- * 116:163 (gre) invalid GRE header
- * 116:164 (gre) invalid GRE v.1 PPTP header
- * 116:165 (gre) GRE trans header length > payload length
-
-
-5.10. gtp
-
---------------
+What: implement flow tracking high availability
-What: support for general-packet-radio-service tunnelling protocol
+Type: basic
-Type: codec
+Configuration:
-Rules:
+ * bool high_availability.enable = false: enable high availability
+ * bool high_availability.daq_channel = false: enable use of daq
+ data plane channel
+ * bit_list high_availability.ports: side channel message port list
+ { 65535 }
+ * real high_availability.min_age = 1.0: minimum session life before
+ HA updates { 0.0:100.0 }
+ * real high_availability.min_sync = 1.0: minimum interval between
+ HA updates { 0.0:100.0 }
- * 116:297 (gtp) two or more GTP encapsulation layers present
- * 116:298 (gtp) GTP header length is invalid
+Peg counts:
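Review bot: the high_availability section ends with a "Peg counts:" heading that has no entries under it. Either list the pegs the module exports or drop the heading; every other "Peg counts:" heading in this document is followed by a list.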
-5.11. icmp4
+6.12. host_cache
--------------
-What: support for Internet control message protocol v4
+What: configure hosts
-Type: codec
+Type: basic
-Rules:
+Configuration:
- * 116:105 (icmp4) ICMP header truncated
- * 116:106 (icmp4) ICMP timestamp header truncated
- * 116:107 (icmp4) ICMP address header truncated
- * 116:250 (icmp4) ICMP original IP header truncated
- * 116:251 (icmp4) ICMP version and original IP header versions
- differ
- * 116:252 (icmp4) ICMP original datagram length < original IP
- header length
- * 116:253 (icmp4) ICMP original IP payload < 64 bits
- * 116:254 (icmp4) ICMP original IP payload > 576 bytes
- * 116:255 (icmp4) ICMP original IP fragmented and offset not 0
- * 116:415 (icmp4) ICMP4 packet to multicast dest address
- * 116:416 (icmp4) ICMP4 packet to broadcast dest address
- * 116:418 (icmp4) ICMP4 type other
- * 116:434 (icmp4) ICMP ping NMAP
- * 116:435 (icmp4) ICMP icmpenum v1.1.1
- * 116:436 (icmp4) ICMP redirect host
- * 116:437 (icmp4) ICMP redirect net
- * 116:438 (icmp4) ICMP traceroute ipopts
- * 116:439 (icmp4) ICMP source quench
- * 116:440 (icmp4) broadscan smurf scanner
- * 116:441 (icmp4) ICMP destination unreachable communication
- administratively prohibited
- * 116:442 (icmp4) ICMP destination unreachable communication with
- destination host is administratively prohibited
- * 116:443 (icmp4) ICMP destination unreachable communication with
- destination network is administratively prohibited
- * 116:451 (icmp4) ICMP path MTU denial of service attempt
- * 116:452 (icmp4) BAD-TRAFFIC Linux ICMP header DOS attempt
- * 116:426 (icmp4) truncated ICMP4 header
+ * int host_cache[].size: size of host cache
Peg counts:
- * icmp4.bad checksum: non-zero icmp checksums
+ * host_cache.lru cache adds: lru cache added new entry
+ * host_cache.lru cache replaces: lru cache replaced existing entry
+ * host_cache.lru cache prunes: lru cache pruned entry to make space
+ for new entry
+ * host_cache.lru cache find hits: lru cache found entry in cache
+ * host_cache.lru cache find misses: lru cache did not find entry in
+ cache
+ * host_cache.lru cache removes: lru cache found entry and removed
+ it
+ * host_cache.lru cache clears: lru cache clear API calls
-5.12. icmp6
+6.13. host_tracker
--------------
-What: support for Internet control message protocol v6
+What: configure hosts
-Type: codec
+Type: basic
-Rules:
+Configuration:
- * 116:427 (icmp6) truncated ICMP6 header
- * 116:431 (icmp6) ICMP6 type not decoded
- * 116:432 (icmp6) ICMP6 packet to multicast address
- * 116:285 (icmp6) ICMPv6 packet of type 2 (message too big) with
- MTU field < 1280
- * 116:286 (icmp6) ICMPv6 packet of type 1 (destination unreachable)
- with non-RFC 2463 code
- * 116:287 (icmp6) ICMPv6 router solicitation packet with a code not
- equal to 0
- * 116:288 (icmp6) ICMPv6 router advertisement packet with a code
- not equal to 0
- * 116:289 (icmp6) ICMPv6 router solicitation packet with the
- reserved field not equal to 0
- * 116:290 (icmp6) ICMPv6 router advertisement packet with the
- reachable time field set > 1 hour
- * 116:457 (icmp6) ICMPv6 packet of type 1 (destination unreachable)
- with non-RFC 4443 code
- * 116:460 (icmp6) ICMPv6 node info query/response packet with a
- code greater than 2
+ * addr host_tracker[].ip = 0.0.0.0/32: hosts address / cidr
+ * enum host_tracker[].frag_policy: defragmentation policy { first |
+ linux | bsd | bsd_right | last | windows | solaris }
+ * enum host_tracker[].tcp_policy: tcp reassembly policy { first |
+ last | linux | old_linux | bsd | macos | solaris | irix | hpux11
+ | hpux10 | windows | win_2003 | vista | proxy }
+ * string host_tracker[].services[].name: service identifier
+ * enum host_tracker[].services[].proto = tcp: ip protocol { tcp |
+ udp }
+ * port host_tracker[].services[].port: port number
Peg counts:
- * icmp6.bad checksum (ip4): nonzero ipcm4 checksums
- * icmp6.bad checksum (ip6): nonzero ipcm6 checksums
+ * host_tracker.service adds: host service adds
+ * host_tracker.service finds: host service finds
+ * host_tracker.service removes: host service removes
-5.13. igmp
+6.14. hosts
--------------
-What: support for Internet group management protocol
+What: configure hosts
-Type: codec
+Type: basic
-Rules:
+Configuration:
- * 116:455 (igmp) DOS IGMP IP options validation attempt
+ * addr hosts[].ip = 0.0.0.0/32: hosts address / cidr
+ * enum hosts[].frag_policy: defragmentation policy { first | linux
+ | bsd | bsd_right | last | windows | solaris }
+ * enum hosts[].tcp_policy: tcp reassembly policy { first | last |
+ linux | old_linux | bsd | macos | solaris | irix | hpux11 |
+ hpux10 | windows | win_2003 | vista | proxy }
+ * string hosts[].services[].name: service identifier
+ * enum hosts[].services[].proto = tcp: ip protocol { tcp | udp }
+ * port hosts[].services[].port: port number
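Review bot: host_cache, host_tracker and hosts all carry the identical description "What: configure hosts", which does not tell a reader how the three differ. host_cache only exposes a size parameter plus LRU peg counts, so something like "configure the host cache size" would be more accurate there, and host_tracker and hosts expose exactly the same ip / frag_policy / tcp_policy / services parameter set, so the text should state how the two relate (or which one a new configuration should use).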
-5.14. ipv4
+6.15. ips
--------------
-What: support for Internet protocol v4
-
-Type: codec
-
-Rules:
+What: configure IPS rule processing
- * 116:1 (ipv4) Not IPv4 datagram
- * 116:2 (ipv4) hlen < minimum
- * 116:3 (ipv4) IP dgm len < IP Hdr len
- * 116:4 (ipv4) Ipv4 Options found with bad lengths
- * 116:5 (ipv4) Truncated Ipv4 Options
- * 116:6 (ipv4) IP dgm len > captured len
- * 116:404 (ipv4) IPV4 packet with zero TTL
- * 116:405 (ipv4) IPV4 packet with bad frag bits (both MF and DF
- set)
- * 116:407 (ipv4) IPV4 packet frag offset + length exceed maximum
- * 116:408 (ipv4) IPV4 packet from current net source address
- * 116:409 (ipv4) IPV4 packet to current net dest address
- * 116:410 (ipv4) IPV4 packet from multicast source address
- * 116:411 (ipv4) IPV4 packet from reserved source address
- * 116:412 (ipv4) IPV4 packet to reserved dest address
- * 116:413 (ipv4) IPV4 packet from broadcast source address
- * 116:414 (ipv4) IPV4 packet to broadcast dest address
- * 116:428 (ipv4) IPV4 packet below TTL limit
- * 116:430 (ipv4) IPV4 packet both DF and offset set
- * 116:448 (ipv4) BAD-TRAFFIC IP reserved bit set
- * 116:444 (ipv4) MISC IP option set
- * 116:425 (ipv4) truncated IP4 header
+Type: basic
-Peg counts:
+Configuration:
- * ipv4.bad checksum: nonzero ip checksums
+ * bool ips.enable_builtin_rules = false: enable events from builtin
+ rules w/o stubs
+ * int ips.id = 0: correlate unified2 events with configuration {
+ 0:65535 }
+ * string ips.include: legacy snort rules and includes
+ * enum ips.mode: set policy mode { tap | inline | inline-test }
+ * string ips.rules: snort rules and includes
-5.15. ipv6
+6.16. latency
--------------
-What: support for Internet protocol v6
+What: packet and rule latency monitoring and control
-Type: codec
+Type: basic
-Rules:
+Configuration:
- * 116:270 (ipv6) IPv6 packet below TTL limit
- * 116:271 (ipv6) IPv6 header claims to not be IPv6
- * 116:272 (ipv6) IPV6 truncated extension header
- * 116:273 (ipv6) IPV6 truncated header
- * 116:274 (ipv6) IP dgm len < IP Hdr len
- * 116:275 (ipv6) IP dgm len > captured len
- * 116:276 (ipv6) IPv6 packet with destination address ::0
- * 116:277 (ipv6) IPv6 packet with multicast source address
- * 116:278 (ipv6) IPv6 packet with reserved multicast destination
- address
- * 116:279 (ipv6) IPv6 header includes an undefined option type
- * 116:280 (ipv6) IPv6 address includes an unassigned multicast
- scope value
- * 116:281 (ipv6) IPv6 header includes an invalid value for the next
- header field
- * 116:282 (ipv6) IPv6 header includes a routing extension header
- followed by a hop-by-hop header
- * 116:283 (ipv6) IPv6 header includes two routing extension headers
- * 116:292 (ipv6) IPv6 header has destination options followed by a
- routing header
- * 116:291 (ipv6) IPV6 tunneled over IPv4, IPv6 header truncated,
- possible Linux kernel attack
- * 116:295 (ipv6) IPv6 header includes an option which is too big
- for the containing header
- * 116:296 (ipv6) IPv6 packet includes out-of-order extension
- headers
- * 116:429 (ipv6) IPV6 packet has zero hop limit
- * 116:453 (ipv6) BAD-TRAFFIC ISATAP-addressed IPv6 traffic spoofing
- attempt
- * 116:458 (ipv6) bogus fragmentation packet, possible BSD attack
- * 116:461 (ipv6) IPV6 routing type 0 extension header
- * 116:456 (ipv6) too many IP6 extension headers
+ * int latency.packet.max_time = 500: set timeout for packet latency
+ thresholding (usec) { 0: }
+ * bool latency.packet.fastpath = false: fastpath expensive packets
+ (max_time exceeded)
+ * enum latency.packet.action = none: event action if packet times
+ out and is fastpathed { none | alert | log | alert_and_log }
+ * int latency.rule.max_time = 500: set timeout for rule evaluation
+ (usec) { 0: }
+ * bool latency.rule.suspend = false: temporarily suspend expensive
+ rules
+ * int latency.rule.suspend_threshold = 5: set threshold for number
+ of timeouts before suspending a rule { 1: }
+ * int latency.rule.max_suspend_time = 30000: set max time for
+ suspending a rule (ms, 0 means permanently disable rule) { 0: }
+ * enum latency.rule.action = none: event action for rule latency
+ enable and suspend events { none | alert | log | alert_and_log }
+Rules:
-5.16. mpls
+ * 134:1 (latency) rule tree suspended due to latency
+ * 134:2 (latency) rule tree re-enabled after suspend timeout
+ * 134:3 (latency) packet fastpathed due to latency
---------------
+Peg counts:
-What: support for multiprotocol label switching
+ * latency.total packets: total packets monitored
+ * latency.total usecs: total usecs elapsed
+ * latency.max usecs: maximum usecs elapsed
+ * latency.packet timeouts: packets that timed out
+ * latency.total rule evals: total rule evals monitored
+ * latency.rule eval timeouts: rule evals that timed out
+ * latency.rule tree enables: rule tree re-enables
-Type: codec
-Configuration:
+6.17. memory
- * bool mpls.enable_mpls_multicast = false: enables support for MPLS
- multicast
- * bool mpls.enable_mpls_overlapping_ip = false: enable if private
- network addresses overlap and must be differentiated by MPLS
- label(s)
- * int mpls.max_mpls_stack_depth = -1: set MPLS stack depth { -1: }
- * enum mpls.mpls_payload_type = ip4: set encapsulated payload type
- { eth | ip4 | ip6 }
+--------------
-Rules:
+What: memory management configuration
- * 116:170 (mpls) bad MPLS frame
- * 116:171 (mpls) MPLS label 0 appears in non-bottom header
- * 116:172 (mpls) MPLS label 1 appears in bottom header
- * 116:173 (mpls) MPLS label 2 appears in non-bottom header
- * 116:174 (mpls) MPLS label 3 appears in header
- * 116:175 (mpls) MPLS label 4, 5,.. or 15 appears in header
- * 116:176 (mpls) too many MPLS headers
+Type: basic
-Peg counts:
+Configuration:
- * mpls.total packets: total mpls labeled packets processed
- * mpls.total bytes: total mpls labeled bytes processed
+ * int memory.cap = 0: set the per-packet-thread cap on memory
+ (bytes, 0 to disable) { 0: }
+ * bool memory.soft = false: always succeed in allocating memory,
+ even if above the cap
+ * int memory.threshold = 0: set the per-packet-thread threshold for
+ preemptive cleanup actions (percent, 0 to disable) { 0: }
-5.17. pgm
+6.18. network
--------------
-What: support for pragmatic general multicast
+What: configure basic network parameters
-Type: codec
+Type: basic
-Rules:
+Configuration:
- * 116:454 (pgm) BAD-TRAFFIC PGM nak list overflow attempt
+ * multi network.checksum_drop = none: drop if checksum is bad { all
+ | ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }
+ * multi network.checksum_eval = none: checksums to verify { all |
+ ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }
+ * bool network.decode_drops = false: enable dropping of packets by
+ the decoder
+ * int network.id = 0: correlate unified2 events with configuration
+ { 0:65535 }
+ * int network.min_ttl = 1: alert / normalize packets with lower ttl
+ / hop limit (you must enable rules and / or normalization also) {
+ 1:255 }
+ * int network.new_ttl = 1: use this value for responses and when
+ normalizing { 1:255 }
+ * int network.layers = 40: the maximum number of protocols that
+ Snort can correctly decode { 3:255 }
+ * int network.max_ip6_extensions = 0: the maximum number of IP6
+ options Snort will process for a given IPv6 layer before raising
+ 116:456 (0 = unlimited) { 0:255 }
+ * int network.max_ip_layers = 0: the maximum number of IP layers
+ Snort will process for a given packet before raising 116:293 (0 =
+ unlimited) { 0:255 }
-5.18. pppoe
+6.19. output
--------------
-What: support for point-to-point protocol over ethernet
+What: configure general output parameters
-Type: codec
+Type: basic
-Rules:
+Configuration:
- * 116:120 (pppoe) bad PPPOE frame detected
+ * bool output.dump_chars_only = false: turns on character dumps
+ (same as -C)
+ * bool output.dump_payload = false: dumps application layer (same
+ as -d)
+ * bool output.dump_payload_verbose = false: dumps raw packet
+ starting at link layer (same as -X)
+ * bool output.log_ipv6_extra_data = false: log IPv6 source and
+ destination addresses as unified2 extra data records
+ * int output.event_trace.max_data = 0: maximum amount of packet
+ data to capture { 0:65535 }
+ * bool output.quiet = false: suppress non-fatal information (still
+ show alerts, same as -q)
+ * string output.logdir = .: where to put log files (same as -l)
+ * bool output.obfuscate = false: obfuscate the logged IP addresses
+ (same as -O)
+ * bool output.obfuscate_pii = false: mask all but the last 4
+ characters of credit card and social security numbers
+ * bool output.show_year = false: include year in timestamp in the
+ alert and log files (same as -y)
+ * int output.tagged_packet_limit = 256: maximum number of packets
+ tagged for non-packet metrics { 0: }
+ * bool output.verbose = false: be verbose (same as -v)
-5.19. tcp
+6.20. packets
--------------
-What: support for transmission control protocol
-
-Type: codec
-
-Rules:
+What: configure basic packet handling
- * 116:45 (tcp) TCP packet len is smaller than 20 bytes
- * 116:46 (tcp) TCP data offset is less than 5
- * 116:47 (tcp) TCP header length exceeds packet length
- * 116:54 (tcp) TCP options found with bad lengths
- * 116:55 (tcp) truncated TCP options
- * 116:56 (tcp) T/TCP detected
- * 116:57 (tcp) obsolete TCP options found
- * 116:58 (tcp) experimental TCP options found
- * 116:59 (tcp) TCP window scale option found with length > 14
- * 116:400 (tcp) XMAS attack detected
- * 116:401 (tcp) Nmap XMAS attack detected
- * 116:419 (tcp) TCP urgent pointer exceeds payload length or no
- payload
- * 116:420 (tcp) TCP SYN with FIN
- * 116:421 (tcp) TCP SYN with RST
- * 116:422 (tcp) TCP PDU missing ack for established session
- * 116:423 (tcp) TCP has no SYN, ACK, or RST
- * 116:433 (tcp) DDOS shaft SYN flood
- * 116:446 (tcp) BAD-TRAFFIC TCP port 0 traffic
- * 116:402 (tcp) DOS NAPTHA vulnerability detected
- * 116:403 (tcp) bad traffic SYN to multicast address
+Type: basic
-Peg counts:
+Configuration:
- * tcp.bad checksum (ip4): nonzero tcp over ip checksums
- * tcp.bad checksum (ip6): nonzero tcp over ipv6 checksums
+ * bool packets.address_space_agnostic = false: determines whether
+ DAQ address space info is used to track fragments and connections
+ * string packets.bpf_file: file with BPF to select traffic for
+ Snort
+ * int packets.limit = 0: maximum number of packets to process
+ before stopping (0 is unlimited) { 0: }
+ * int packets.skip = 0: number of packets to skip before before
+ processing { 0: }
+ * bool packets.vlan_agnostic = false: determines whether VLAN info
+ is used to track fragments and connections
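Review bot: typo in the packets.skip description, "skip before before processing" repeats "before".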
-5.20. udp
+6.21. process
--------------
-What: support for user datagram protocol
+What: configure basic process setup
-Type: codec
+Type: basic
Configuration:
- * bool udp.deep_teredo_inspection = false: look for Teredo on all
- UDP ports (default is only 3544)
- * bool udp.enable_gtp = false: decode GTP encapsulations
- * bit_list udp.gtp_ports = 2152 3386: set GTP ports { 65535 }
+ * string process.chroot: set chroot directory (same as -t)
+ * string process.threads[].cpuset: pin the associated thread to
+ this cpuset
+ * int process.threads[].thread = 0: set cpu affinity for the
+ <cur_thread_num> thread that runs { 0: }
+ * bool process.daemon = false: fork as a daemon (same as -D)
+ * bool process.dirty_pig = false: shutdown without internal cleanup
+ * string process.set_gid: set group ID (same as -g)
+ * string process.set_uid: set user ID (same as -u)
+ * string process.umask: set process umask (same as -m)
+ * bool process.utc = false: use UTC instead of local time for
+ timestamps
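Review bot: the process.threads[].thread description contains what looks like an unexpanded template token, "<cur_thread_num>"; the generated text should either substitute the value or be rewritten in plain words (e.g. "index of the packet thread to pin"). It would also help to state how threads[].thread relates to threads[].cpuset in the same array entry, since the text currently leaves the reader to infer that cpuset applies to the thread selected by thread.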
-Rules:
- * 116:95 (udp) truncated UDP header
- * 116:96 (udp) invalid UDP header, length field < 8
- * 116:97 (udp) short UDP packet, length field > payload length
- * 116:98 (udp) long UDP packet, length field < payload length
- * 116:406 (udp) invalid IPv6 UDP packet, checksum zero
- * 116:445 (udp) misc large UDP Packet
- * 116:447 (udp) BAD-TRAFFIC UDP port 0 traffic
+6.22. profiler
-Peg counts:
+--------------
- * udp.bad checksum (ip4): nonzero udp over ipv4 checksums
- * udp.bad checksum (ip6): nonzero udp over ipv6 checksums
+What: configure profiling of rules and/or modules
+
+Type: basic
+
+Configuration:
+
+ * bool profiler.modules.show = true: show module time profile stats
+ * int profiler.modules.count = 0: limit results to count items per
+ level (0 = no limit) { 0: }
+ * enum profiler.modules.sort = total_time: sort by given field {
+ none | checks | avg_check | total_time }
+ * int profiler.modules.max_depth = -1: limit depth to max_depth (-1
+ = no limit) { -1: }
+ * bool profiler.memory.show = true: show module memory profile
+ stats
+ * int profiler.memory.count = 0: limit results to count items per
+ level (0 = no limit) { 0: }
+ * enum profiler.memory.sort = total_used: sort by given field {
+ none | allocations | total_used | avg_allocation }
+ * int profiler.memory.max_depth = -1: limit depth to max_depth (-1
+ = no limit) { -1: }
+ * bool profiler.rules.show = true: show rule time profile stats
+ * int profiler.rules.count = 0: print results to given level (0 =
+ all) { 0: }
+ * enum profiler.rules.sort = total_time: sort by given field { none
+ | checks | avg_check | total_time | matches | no_matches |
+ avg_match | avg_no_match }
-5.21. vlan
+6.23. rate_filter
--------------
-What: support for local area network
+What: configure rate filters (which change rule actions)
-Type: codec
+Type: basic
-Rules:
+Configuration:
- * 116:130 (vlan) bad VLAN frame
- * 116:131 (vlan) bad LLC header
- * 116:132 (vlan) bad extra LLC info
+ * int rate_filter[].gid = 1: rule generator ID { 0: }
+ * int rate_filter[].sid = 1: rule signature ID { 0: }
+ * enum rate_filter[].track = by_src: filter only matching source or
+ destination addresses { by_src | by_dst | by_rule }
+ * int rate_filter[].count = 1: number of events in interval before
+ tripping { 0: }
+ * int rate_filter[].seconds = 1: count interval { 0: }
+ * enum rate_filter[].new_action = alert: take this action on future
+ hits until timeout { log | pass | alert | drop | block | reset }
+ * int rate_filter[].timeout = 1: count interval { 0: }
+ * string rate_filter[].apply_to: restrict filter to these addresses
+ according to track
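Review bot: rate_filter[].timeout is described as "count interval", the same text as rate_filter[].seconds. Given that new_action is documented as "take this action on future hits until timeout", the timeout description should state how long new_action remains in effect (in seconds) rather than repeat the seconds description.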
----------------------------------------------------------------------
+6.24. references
-6. Inspector Modules
+--------------
----------------------------------------------------------------------
+What: define reference systems used in rules
-These modules perform a variety of functions, including analysis of
-protocols beyond basic decoding.
+Type: basic
+
+Configuration:
+ * string references[].name: name used with reference rule option
+ * string references[].url: where this reference is defined
-6.1. appid
+
+6.25. rule_state
--------------
-What: application and service identification
+What: enable/disable specific IPS rules
-Type: inspector
+Type: basic
Configuration:
- * string appid.conf: RNA configuration file
- * int appid.memcap = 268435456: time period for collecting and
- logging AppId statistics { 1048576:3221225472 }
- * bool appid.log_stats = false: enable logging of AppId statistics
- * int appid.app_stats_period = 300: time period for collecting and
- logging AppId statistics { 0: }
- * int appid.app_stats_rollover_size = 20971520: max file size for
- AppId stats before rolling over the log file { 0: }
- * int appid.app_stats_rollover_time = 86400: max time period for
- collection AppId stats before rolling over the log file { 0: }
- * string appid.app_detector_dir: directory to load AppId detectors
- from
- * int appid.instance_id = 0: instance id - need more details for
- what this is { 0: }
- * bool appid.debug = false: enable AppId debug logging
- * bool appid.dump_ports = false: enable dump of AppId port
- information
- * string appid.thirdparty_appid_dir: directory to load thirdparty
- AppId detectors from
- * addr appid.session_log_filter.src_ip = 0.0.0.0/32: source ip
- address in CIDR format
- * addr appid.session_log_filter.dst_ip = 0.0.0.0/32: destination ip
- address in CIDR format
- * port appid.session_log_filter.src_port: source port { 1: }
- * port appid.session_log_filter.dst_port: destination port { 1: }
- * string appid.session_log_filter.protocol: ip protocol
- * bool appid.session_log_filter.log_all_sessions = false: enable
- logging for all appid sessions
+ * int rule_state.gid = 0: rule generator ID { 0: }
+ * int rule_state.sid = 0: rule signature ID { 0: }
+ * bool rule_state.enable = true: enable or disable rule in all
+ policies
-Peg counts:
- * appid.packets: count of packets received by appid inspector
- * appid.processed packets: count of packets processed by appid
- inspector
- * appid.ignored packets: count of packets ignored by appid
- inspector
- * appid.aim_clients: count of aim clients discovered by appid
- * appid.battlefield_flows: count of battle field flows discovered
- by appid
- * appid.bgp_flows: count of bgp flows discovered by appid
- * appid.bit_clients: count of bittorrent clients discovered by
- appid
- * appid.bit_flows: count of bittorrent flows discovered by appid
- * appid.bittracker_clients: count of bittorrent tracker clients
- discovered by appid
- * appid.bootp_flows: count of bootp flows discovered by appid
- * appid.dcerpc_tcp_flows: count of dce rpc flows over tcp
- discovered by appid
- * appid.dcerpc_udp_flows: count of dce rpc flows over udp
- discovered by appid
- * appid.direct_connect_flows: count of direct connect flows
- discovered by appid
- * appid.dns_tcp_flows: count of dns flows over tcp discovered by
- appid
- * appid.dns_udp_flows: count of dns flows over udp discovered by
- appid
- * appid.ftp_flows: count of ftp flows discovered by appid
- * appid.ftps_flows: count of ftps flows discovered by appid
- * appid.http_flows: count of http flows discovered by appid
- * appid.imap_flows: count of imap service flows discovered by appid
- * appid.imaps_flows: count of imap TLS service flows discovered by
- appid
- * appid.irc_flows: count of irc service flows discovered by appid
- * appid.kerberos_clients: count of kerberos clients discovered by
- appid
- * appid.kerberos_flows: count of kerberos service flows discovered
- by appid
- * appid.kerberos_users: count of kerberos users discovered by appid
- * appid.lpr_flows: count of lpr service flows discovered by appid
- * appid.mdns_flows: count of mdns service flows discovered by appid
- * appid.msn_clients: count of msn clients discovered by appid
- * appid.mysql_flows: count of mysql service flows discovered by
- appid
- * appid.netbios_dgm_flows: count of netbios-dgm service flows
- discovered by appid
- * appid.netbios_ns_flows: count of netbios-ns service flows
- discovered by appid
- * appid.netbios_ssn_flows: count of netbios-ssn service flows
- discovered by appid
- * appid.nntp_flows: count of nntp flows discovered by appid
- * appid.ntp_flows: count of ntp flows discovered by appid
- * appid.pop_flows: count of pop service flows discovered by appid
- * appid.radius_flows: count of radius flows discovered by appid
- * appid.rexec_flows: count of rexec flows discovered by appid
- * appid.rfb_flows: count of rfb flows discovered by appid
- * appid.rlogin_flows: count of rlogin flows discovered by appid
- * appid.rpc_flows: count of rpc flows discovered by appid
- * appid.rshell_flows: count of rshell flows discovered by appid
- * appid.rsync_flows: count of rsync service flows discovered by
- appid
- * appid.rtmp_flows: count of rtmp flows discovered by appid
- * appid.rtp_clients: count of rtp clients discovered by appid
- * appid.sip_clients: count of SIP clients discovered by appid
- * appid.sip_flows: count of SIP flows discovered by appid
- * appid.smtp_aol_clients: count of AOL smtp clients discovered by
- appid
- * appid.smtp_applemail_clients: count of Apple Mail smtp clients
- discovered by appid
- * appid.smtp_eudora_clients: count of Eudora smtp clients
- discovered by appid
- * appid.smtp_eudora_pro_clients: count of Eudora Pro smtp clients
- discovered by appid
- * appid.smtp_evolution_clients: count of Evolution smtp clients
- discovered by appid
- * appid.smtp_kmail_clients: count of KMail smtp clients discovered
- by appid
- * appid.smtp_lotus_notes_clients: count of Lotus Notes smtp clients
- discovered by appid
- * appid.smtp_microsoft_outlook_clients: count of Microsoft Outlook
- smtp clients discovered by appid
- * appid.smtp_microsoft_outlook_express_clients: count of Microsoft
- Outlook Express smtp clients discovered by appid
- * appid.smtp_microsoft_outlook_imo_clients: count of Microsoft
- Outlook IMO smtp clients discovered by appid
- * appid.smtp_mutt_clients: count of Mutt smtp clients discovered by
- appid
- * appid.smtp_thunderbird_clients: count of Thunderbird smtp clients
- discovered by appid
- * appid.smtp_flows: count of smtp flows discovered by appid
- * appid.smtps_flows: count of smtps flows discovered by appid
- * appid.snmp_flows: count of snmp flows discovered by appid
- * appid.ssh_clients: count of ssh clients discovered by appid
- * appid.ssh_flows: count of ssh flows discovered by appid
- * appid.ssl_flows: count of ssl flows discovered by appid
- * appid.telnet_flows: count of telnet flows discovered by appid
- * appid.tftp_flows: count of tftp flows discovered by appid
- * appid.timbuktu_flows: count of timbuktu flows discovered by appid
- * appid.tns_clients: count of tns clients discovered by appid
- * appid.tns_flows: count of tns flows discovered by appid
- * appid.vnc_clients: count of vnc clients discovered by appid
- * appid.yahoo_messenger_clients: count of Yahoo Messenger clients
- discovered by appid
-
-
-6.2. arp_spoof
+6.26. search_engine
--------------
-What: detect ARP attacks and anomalies
+What: configure fast pattern matcher
-Type: inspector
+Type: basic
Configuration:
- * ip4 arp_spoof.hosts[].ip: host ip address
- * mac arp_spoof.hosts[].mac: host mac address
-
-Rules:
-
- * 112:1 (arp_spoof) unicast ARP request
- * 112:2 (arp_spoof) ethernet/ARP mismatch request for source
- * 112:3 (arp_spoof) ethernet/ARP mismatch request for destination
- * 112:4 (arp_spoof) attempted ARP cache overwrite attack
+ * int search_engine.bleedover_port_limit = 1024: maximum ports in
+ rule before demotion to any-any port group { 1: }
+ * bool search_engine.bleedover_warnings_enabled = false: print
+ warning if a rule is demoted to any-any port group
+ * bool search_engine.enable_single_rule_group = false: put all
+ rules into one group
+ * bool search_engine.debug = false: print verbose fast pattern info
+ * bool search_engine.debug_print_nocontent_rule_tests = false:
+ print rule group info during packet evaluation
+ * bool search_engine.debug_print_rule_group_build_details = false:
+ print rule group info during compilation
+ * bool search_engine.debug_print_rule_groups_uncompiled = false:
+ prints uncompiled rule group information
+ * bool search_engine.debug_print_rule_groups_compiled = false:
+ prints compiled rule group information
+ * int search_engine.max_pattern_len = 0: truncate patterns when
+ compiling into state machine (0 means no maximum) { 0: }
+ * int search_engine.max_queue_events = 5: maximum number of
+ matching fast pattern states to queue per packet
+ * bool search_engine.inspect_stream_inserts = false: inspect
+ reassembled payload - disabling is good for performance, bad for
+ detection
+ * dynamic search_engine.search_method = ac_bnfa: set fast pattern
+ algorithm - choose available search engine { ac_banded | ac_bnfa
+ | ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan }
+ * bool search_engine.search_optimize = true: tweak state machine
+ construction for better performance
+ * bool search_engine.show_fast_patterns = false: print fast pattern
+ info for each rule
+ * bool search_engine.split_any_any = false: evaluate any-any rules
+ separately to save memory
Peg counts:
- * arp_spoof.packets: total packets
+ * search_engine.max queued: maximum fast pattern matches queued for
+ further evaluation
+ * search_engine.total flushed: fast pattern matches discarded due
+ to overflow
+ * search_engine.total inserts: total fast pattern hits
+ * search_engine.total unique: total unique fast pattern hits
+ * search_engine.non-qualified events: total non-qualified events
+ * search_engine.qualified events: total qualified events
-6.3. back_orifice
+6.27. side_channel
--------------
-What: back orifice detection
+What: implement the side-channel asynchronous messaging subsystem
-Type: inspector
+Type: basic
-Rules:
+Configuration:
- * 105:1 (back_orifice) BO traffic detected
- * 105:2 (back_orifice) BO client traffic detected
- * 105:3 (back_orifice) BO server traffic detected
- * 105:4 (back_orifice) BO Snort buffer attack
+ * bit_list side_channel.ports: side channel message port list {
+ 65535 }
+ * string side_channel.connectors[].connector: connector handle
+ * string side_channel.connector: connector handle
Peg counts:
- * back_orifice.packets: total packets
-
-6.4. binder
+6.28. snort
--------------
-What: configure processing based on CIDRs, ports, services, etc.
+What: command line configuration and shell commands
-Type: inspector
+Type: basic
Configuration:
- * int binder[].when.policy_id = 0: unique ID for selection of this
- config by external logic { 0: }
- * bit_list binder[].when.ifaces: list of interface indices { 255 }
- * bit_list binder[].when.vlans: list of VLAN IDs { 4095 }
- * addr_list binder[].when.nets: list of networks
- * enum binder[].when.proto: protocol { any | ip | icmp | tcp | udp
- | user | file }
- * bit_list binder[].when.ports: list of ports { 65535 }
- * enum binder[].when.role = any: use the given configuration on one
- or any end of a session { client | server | any }
- * string binder[].when.service: override default configuration
- * enum binder[].use.action = inspect: what to do with matching
- traffic { reset | block | allow | inspect }
- * string binder[].use.file: use configuration in given file
- * string binder[].use.service: override automatic service
- identification
- * string binder[].use.type: select module for binding
- * string binder[].use.name: symbol name (defaults to type)
+ * string snort.-?: <option prefix> output matching command line
+ option quick help (same as --help-options) { (optional) }
+ * string snort.-A: <mode> set alert mode: none, cmg, or alert_*
+ * addr snort.-B = 255.255.255.255/32: <mask> obfuscated IP
+ addresses in alerts and packet dumps using CIDR mask
+ * implied snort.-C: print out payloads with character data only (no
+ hex)
+ * string snort.-c: <conf> use this configuration
+ * implied snort.-D: run Snort in background (daemon) mode
+ * implied snort.-d: dump the Application Layer
+ * implied snort.-e: display the second layer header info
+ * implied snort.-f: turn off fflush() calls after binary log writes
+ * int snort.-G: <0xid> (same as --logid) { 0:65535 }
+ * string snort.-g: <gname> run snort gid as <gname> group (or gid)
+ after initialization
+ * implied snort.-H: make hash tables deterministic
+ * string snort.-i: <iface>… list of interfaces
+ * port snort.-j: <port> to listen for telnet connections
+ * enum snort.-k = all: <mode> checksum mode; default is all { all|
+ noip|notcp|noudp|noicmp|none }
+ * string snort.-L: <mode> logging mode (none, dump, pcap, or log_*)
+ * string snort.-l: <logdir> log to this directory instead of
+ current directory
+ * implied snort.-M: log messages to syslog (not alerts)
+ * int snort.-m: <umask> set umask = <umask> { 0: }
+ * int snort.-n: <count> stop after count packets { 0: }
+ * implied snort.-O: obfuscate the logged IP addresses
+ * implied snort.-Q: enable inline mode operation
+ * implied snort.-q: quiet mode - Don’t show banner and status
+ report
+ * string snort.-R: <rules> include this rules file in the default
+ policy
+ * string snort.-r: <pcap>… (same as --pcap-list)
+ * string snort.-S: <x=v> set config variable x equal to value v
+ * int snort.-s = 1514: <snap> (same as --snaplen); default is 1514
+ { 68:65535 }
+ * implied snort.-T: test and report on the current Snort
+ configuration
+ * string snort.-t: <dir> chroots process to <dir> after
+ initialization
+ * implied snort.-U: use UTC for timestamps
+ * string snort.-u: <uname> run snort as <uname> or <uid> after
+ initialization
+ * implied snort.-V: (same as --version)
+ * implied snort.-v: be verbose
+ * implied snort.-W: lists available interfaces
+ * implied snort.-X: dump the raw packet data starting at the link
+ layer
+ * implied snort.-x: same as --pedantic
+ * implied snort.-y: include year in timestamp in the alert and log
+ files
+ * int snort.-z = 1: <count> maximum number of packet threads (same
+ as --max-packet-threads); 0 gets the number of CPU cores reported
+ by the system; default is 1 { 0: }
+ * implied snort.--alert-before-pass: process alert, drop, sdrop, or
+ reject before pass; default is pass before alert, drop,…
+ * string snort.--bpf: <filter options> are standard BPF options, as
+ seen in TCPDump
+ * string snort.--c2x: output hex for given char (see also --x2c)
+ * implied snort.--create-pidfile: create PID file, even when not in
+ Daemon mode
+ * string snort.--daq: <type> select packet acquisition module
+ (default is pcap)
+ * string snort.--daq-dir: <dir> tell snort where to find desired
+ DAQ
+ * implied snort.--daq-list: list packet acquisition modules
+ available in optional dir, default is static modules only
+ * string snort.--daq-var: <name=value> specify extra DAQ
+ configuration variable
+ * implied snort.--dirty-pig: don’t flush packets on shutdown
+ * implied snort.--dump-builtin-rules: [<module prefix>] output stub
+ rules for selected modules
+ * implied snort.--dump-dynamic-rules: output stub rules for all
+ loaded rules libraries
+ * string snort.--dump-defaults: [<module prefix>] output module
+ defaults in Lua format { (optional) }
+ * implied snort.--dump-version: output the version, the whole
+ version, and only the version
+ * implied snort.--enable-inline-test: enable Inline-Test Mode
+ Operation
+ * implied snort.--help: list command line options
+ * string snort.--help-commands: [<module prefix>] output matching
+ commands { (optional) }
+ * string snort.--help-config: [<module prefix>] output matching
+ config options { (optional) }
+ * string snort.--help-counts: [<module prefix>] output matching peg
+ counts { (optional) }
+ * string snort.--help-module: <module> output description of given
+ module
+ * implied snort.--help-modules: list all available modules with
+ brief help
+ * string snort.--help-options: <option prefix> output matching
+ command line option quick help (same as -?) { (optional) }
+ * implied snort.--help-plugins: list all available plugins with
+ brief help
+ * implied snort.--help-signals: dump available control signals
+ * implied snort.--id-subdir: create/use instance subdirectories in
+ logdir instead of instance filename prefix
+ * implied snort.--id-zero: use id prefix / subdirectory even with
+ one packet thread
+ * implied snort.--list-buffers: output available inspection buffers
+ * string snort.--list-builtin: <module prefix> output matching
+ builtin rules { (optional) }
+ * string snort.--list-gids: [<module prefix>] output matching
+ generators { (optional) }
+ * string snort.--list-modules: [<module type>] list all known
+ modules of given type { (optional) }
+ * implied snort.--list-plugins: list all known plugins
+ * string snort.--lua: <chunk> extend/override conf with chunk; may
+ be repeated
+ * int snort.--logid: <0xid> log Identifier to uniquely id events
+ for multiple snorts (same as -G) { 0:65535 }
+ * implied snort.--markup: output help in asciidoc compatible format
+ * int snort.--max-packet-threads = 1: <count> configure maximum
+ number of packet threads (same as -z) { 0: }
+ * implied snort.--nostamps: don’t include timestamps in log file
+ names
+ * implied snort.--nolock-pidfile: do not try to lock Snort PID file
+ * implied snort.--pause: wait for resume/quit command before
+ processing packets/terminating
+ * string snort.--pcap-file: <file> file that contains a list of
+ pcaps to read - read mode is implied
+ * string snort.--pcap-list: <list> a space separated list of pcaps
+ to read - read mode is implied
+ * string snort.--pcap-dir: <dir> a directory to recurse to look for
+ pcaps - read mode is implied
+ * string snort.--pcap-filter: <filter> filter to apply when getting
+ pcaps from file or directory
+ * int snort.--pcap-loop: <count> read all pcaps <count> times; 0
+ will read until Snort is terminated { -1: }
+ * implied snort.--pcap-no-filter: reset to use no filter when
+ getting pcaps from file or directory
+ * implied snort.--pcap-reload: if reading multiple pcaps, reload
+ snort config between pcaps
+ * implied snort.--pcap-show: print a line saying what pcap is
+ currently being read
+ * implied snort.--pedantic: warnings are fatal
+ * string snort.--plugin-path: <path> where to find plugins
+ * implied snort.--process-all-events: process all action groups
+ * string snort.--rule: <rules> to be added to configuration; may be
+ repeated
+ * implied snort.--rule-to-hex: output so rule header to stdout for
+ text rule on stdin
+ * implied snort.--rule-to-text: output plain so rule header to
+ stdout for text rule on stdin
+ * string snort.--run-prefix: <pfx> prepend this to each output file
+ * string snort.--script-path: <path> to a luajit script or
+ directory containing luajit scripts
+ * implied snort.--shell: enable the interactive command line
+ * implied snort.--piglet: enable piglet test harness mode
+ * implied snort.--show-plugins: list module and plugin versions
+ * int snort.--skip: <n> skip 1st n packets { 0: }
+ * int snort.--snaplen = 1514: <snap> set snaplen of packet (same as
+ -s) { 68:65535 }
+ * implied snort.--stdin-rules: read rules from stdin until EOF or a
+ line starting with END is read
+ * implied snort.--treat-drop-as-alert: converts drop, sdrop, and
+ reject rules into alert rules during startup
+ * implied snort.--treat-drop-as-ignore: use drop, sdrop, and reject
+ rules to ignore session traffic when not inline
+ * string snort.--catch-test: comma separated list of cat unit test
+ tags or all
+ * implied snort.--version: show version number (same as -V)
+ * implied snort.--warn-all: enable all warnings
+ * implied snort.--warn-conf: warn about configuration issues
+ * implied snort.--warn-daq: warn about DAQ issues, usually related
+ to mode
+ * implied snort.--warn-flowbits: warn about flowbits that are
+ checked but not set and vice-versa
+ * implied snort.--warn-hosts: warn about host table issues
+ * implied snort.--warn-plugins: warn about issues that prevent
+ plugins from loading
+ * implied snort.--warn-rules: warn about duplicate rules and rule
+ parsing issues
+ * implied snort.--warn-scripts: warn about issues discovered while
+ processing Lua scripts
+ * implied snort.--warn-symbols: warn about unknown symbols in your
+ Lua config
+ * implied snort.--warn-vars: warn about variable definition and
+ usage issues
+ * int snort.--x2c: output ASCII char for given hex (see also --c2x)
+ * string snort.--x2s: output ASCII string for given byte code (see
+ also --x2c)
+
+Commands:
+
+ * snort.show_plugins(): show available plugins
+ * snort.dump_stats(): show summary statistics
+ * snort.rotate_stats(): roll perfmonitor log files
+ * snort.reload_config(filename): load new configuration
+ * snort.reload_hosts(filename): load a new hosts table
+ * snort.pause(): suspend packet processing
+ * snort.resume(): continue packet processing
+ * snort.detach(): exit shell w/o shutdown
+ * snort.quit(): shutdown and dump-stats
+ * snort.help(): this output
Peg counts:
- * binder.packets: initial bindings
- * binder.resets: reset bindings
- * binder.blocks: block bindings
- * binder.allows: allow bindings
- * binder.inspects: inspect bindings
+ * snort.local commands: total local commands processed
+ * snort.remote commands: total remote commands processed
+ * snort.signals: total signals processed
+ * snort.conf reloads: number of times configuration was reloaded
+ * snort.attribute table reloads: number of times hosts table was
+ reloaded
+ * snort.attribute table hosts: total number of hosts in table
-6.5. dce_smb
+6.29. suppress
--------------
-What: dce over smb inspection
+What: configure event suppressions
-Type: inspector
+Type: basic
Configuration:
- * bool dce_smb.disable_defrag = false: Disable DCE/RPC
- defragmentation
- * int dce_smb.max_frag_len = 65535: Maximum fragment size for
- defragmentation { 1514:65535 }
- * int dce_smb.reassemble_threshold = 0: Minimum bytes received
- before performing reassembly { 0:65535 }
- * enum dce_smb.smb_fingerprint_policy = none: Target based SMB
- policy to use { none | client | server | both }
- * enum dce_smb.policy = WinXP: Target based policy to use { Win2000
- | WinXP | WinVista | Win2003 | Win2008 | Win7 | Samba |
- Samba-3.0.37 | Samba-3.0.22 | Samba-3.0.20 }
- * int dce_smb.smb_max_chain = 3: SMB max chain size { 0:255 }
- * int dce_smb.smb_max_compound = 3: SMB max compound size { 0:255 }
- * multi dce_smb.valid_smb_versions = all: Valid SMB versions { v1 |
- v2 | all }
- * enum dce_smb.smb_file_inspection = off: SMB file inspection { off
- | on | only }
- * int dce_smb.smb_file_depth = 16384: SMB file depth for file data
- { -1: }
- * string dce_smb.smb_invalid_shares: SMB shares to alert on
- * bool dce_smb.smb_legacy_mode = false: inspect only SMBv1
+ * int suppress[].gid = 0: rule generator ID { 0: }
+ * int suppress[].sid = 0: rule signature ID { 0: }
+ * enum suppress[].track: suppress only matching source or
+ destination addresses { by_src | by_dst }
+ * string suppress[].ip: restrict suppression to these addresses
+ according to track
-Rules:
- * 133:2 (dce_smb) SMB - Bad NetBIOS Session Service session type.
- * 133:3 (dce_smb) SMB - Bad SMB message type.
- * 133:4 (dce_smb) SMB - Bad SMB Id (not \xffSMB for SMB1 or not \
- xfeSMB for SMB2).
- * 133:5 (dce_smb) SMB - Bad word count or structure size.
- * 133:6 (dce_smb) SMB - Bad byte count.
- * 133:7 (dce_smb) SMB - Bad format type.
- * 133:8 (dce_smb) SMB - Bad offset.
- * 133:9 (dce_smb) SMB - Zero total data count.
- * 133:10 (dce_smb) SMB - NetBIOS data length less than SMB header
- length.
- * 133:12 (dce_smb) SMB - Remaining NetBIOS data length less than
- command byte count.
- * 133:13 (dce_smb) SMB - Remaining NetBIOS data length less than
- command data size.
- * 133:14 (dce_smb) SMB - Remaining total data count less than this
- command data size.
- * 133:15 (dce_smb) SMB - Total data sent (STDu64) greater than
- command total data expected.
- * 133:16 (dce_smb) SMB - Byte count less than command data size
- (STDu64)
- * 133:17 (dce_smb) SMB - Invalid command data size for byte count.
- * 133:18 (dce_smb) SMB - Excessive Tree Connect requests with
- pending Tree Connect responses.
- * 133:19 (dce_smb) SMB - Excessive Read requests with pending Read
- responses.
- * 133:20 (dce_smb) SMB - Excessive command chaining.
- * 133:21 (dce_smb) SMB - Multiple chained tree connect requests.
- * 133:22 (dce_smb) SMB - Multiple chained tree connect requests.
- * 133:23 (dce_smb) SMB - Chained/Compounded login followed by
- logoff.
- * 133:24 (dce_smb) SMB - Chained/Compounded tree connect followed
- by tree disconnect.
- * 133:25 (dce_smb) SMB - Chained/Compounded open pipe followed by
- close pipe.
- * 133:26 (dce_smb) SMB - Invalid share access.
- * 133:27 (dce_smb) Connection oriented DCE/RPC - Invalid major
- version.
- * 133:28 (dce_smb) Connection oriented DCE/RPC - Invalid minor
- version.
- * 133:29 (dce_smb) Connection-oriented DCE/RPC - Invalid pdu type.
- * 133:30 (dce_smb) Connection-oriented DCE/RPC - Fragment length
- less than header size.
- * 133:32 (dce_smb) Connection-oriented DCE/RPC - No context items
- specified.
- * 133:33 (dce_smb) Connection-oriented DCE/RPC -No transfer
- syntaxes specified.
- * 133:34 (dce_smb) Connection-oriented DCE/RPC - Fragment length on
- non-last fragment less than maximum negotiated fragment transmit
- size for client.
- * 133:35 (dce_smb) Connection-oriented DCE/RPC - Fragment length
- greater than maximum negotiated fragment transmit size.
- * 133:36 (dce_smb) Connection-oriented DCE/RPC - Alter Context byte
- order different from Bind
- * 133:37 (dce_smb) Connection-oriented DCE/RPC - Call id of non
- first/last fragment different from call id established for
- fragmented request.
- * 133:38 (dce_smb) Connection-oriented DCE/RPC - Opnum of non first
- /last fragment different from opnum established for fragmented
- request.
- * 133:39 (dce_smb) Connection-oriented DCE/RPC - Context id of non
- first/last fragment different from context id established for
- fragmented request.
- * 133:44 (dce_smb) SMB - Invalid SMB version 1 seen.
- * 133:45 (dce_smb) SMB - Invalid SMB version 2 seen.
- * 133:46 (dce_smb) SMB - Invalid user, tree connect, file binding.
- * 133:47 (dce_smb) SMB - Excessive command compounding.
- * 133:48 (dce_smb) SMB - Zero data count.
- * 133:50 (dce_smb) SMB - Maximum number of outstanding requests
- exceeded.
- * 133:51 (dce_smb) SMB - Outstanding requests with same MID.
- * 133:52 (dce_smb) SMB - Deprecated dialect negotiated.
- * 133:53 (dce_smb) SMB - Deprecated command used.
- * 133:54 (dce_smb) SMB - Unusual command used.
- * 133:55 (dce_smb) SMB - Invalid setup count for command.
- * 133:56 (dce_smb) SMB - Client attempted multiple dialect
- negotiations on session.
- * 133:57 (dce_smb) SMB - Client attempted to create or set a file’s
- attributes to readonly/hidden/system.
- * 133:58 (dce_smb) SMB - File offset provided is greater than file
- size specified
- * 133:59 (dce_smb) SMB - Next command specified in SMB2 header is
- beyond payload boundary
+---------------------------------------------------------------------
-Peg counts:
+7. Codec Modules
- * dce_smb.events: total events
- * dce_smb.aborted sessions: total aborted sessions
- * dce_smb.bad autodetects: total bad autodetects
- * dce_smb.PDUs: total connection-oriented PDUs
- * dce_smb.Binds: total connection-oriented binds
- * dce_smb.Bind acks: total connection-oriented binds acks
- * dce_smb.Alter contexts: total connection-oriented alter contexts
- * dce_smb.Alter context responses: total connection-oriented alter
- context responses
- * dce_smb.Bind naks: total connection-oriented bind naks
- * dce_smb.Requests: total connection-oriented requests
- * dce_smb.Responses: total connection-oriented responses
- * dce_smb.Cancels: total connection-oriented cancels
- * dce_smb.Orphaned: total connection-oriented orphaned
- * dce_smb.Faults: total connection-oriented faults
- * dce_smb.Auth3s: total connection-oriented auth3s
- * dce_smb.Shutdowns: total connection-oriented shutdowns
- * dce_smb.Rejects: total connection-oriented rejects
- * dce_smb.MS RPC/HTTP PDUs: total connection-oriented MS requests
- to send RPC over HTTP
- * dce_smb.Other requests: total connection-oriented other requests
- * dce_smb.Other responses: total connection-oriented other
- responses
- * dce_smb.Request fragments: total connection-oriented request
- fragments
- * dce_smb.Response fragments: total connection-oriented response
- fragments
- * dce_smb.Client max fragment size: connection-oriented client
- maximum fragment size
- * dce_smb.Client min fragment size: connection-oriented client
- minimum fragment size
- * dce_smb.Client segs reassembled: total connection-oriented client
- segments reassembled
- * dce_smb.Client frags reassembled: total connection-oriented
- client fragments reassembled
- * dce_smb.Server max fragment size: connection-oriented server
- maximum fragment size
- * dce_smb.Server min fragment size: connection-oriented server
- minimum fragment size
- * dce_smb.Server segs reassembled: total connection-oriented server
- segments reassembled
- * dce_smb.Server frags reassembled: total connection-oriented
- server fragments reassembled
- * dce_smb.Sessions: total smb sessions
- * dce_smb.Packets: total smb packets
- * dce_smb.Ignored bytes: total ignored bytes
- * dce_smb.Client segs reassembled: total smb client segments
- reassembled
- * dce_smb.Server segs reassembled: total smb server segments
- reassembled
- * dce_smb.Max outstanding requests: total smb maximum outstanding
- requests
- * dce_smb.Files processed: total smb files processed
- * dce_smb.SMBv2 create: total number of SMBv2 create packets seen
- * dce_smb.SMBv2 write: total number of SMBv2 write packets seen
- * dce_smb.SMBv2 read: total number of SMBv2 read packets seen
- * dce_smb.SMBv2 set info: total number of SMBv2 set info packets
- seen
- * dce_smb.SMBv2 tree connect: total number of SMBv2 tree connect
- packets seen
- * dce_smb.SMBv2 tree disconnect: total number of SMBv2 tree
- disconnect packets seen
- * dce_smb.SMBv2 close: total number of SMBv2 close packets seen
+---------------------------------------------------------------------
+
+Codec is short for coder / decoder. These modules are used for basic
+protocol decoding, anomaly detection, and construction of active
+responses.
-6.6. dce_tcp
+7.1. arp
--------------
-What: dce over tcp inspection
+What: support for address resolution protocol
-Type: inspector
+Type: codec
-Configuration:
+Rules:
- * bool dce_tcp.disable_defrag = false: Disable DCE/RPC
- defragmentation
- * int dce_tcp.max_frag_len = 65535: Maximum fragment size for
- defragmentation { 1514:65535 }
- * int dce_tcp.reassemble_threshold = 0: Minimum bytes received
- before performing reassembly { 0:65535 }
- * enum dce_tcp.policy = WinXP: Target based policy to use { Win2000
- | WinXP | WinVista | Win2003 | Win2008 | Win7 | Samba |
- Samba-3.0.37 | Samba-3.0.22 | Samba-3.0.20 }
+ * 116:109 (arp) truncated ARP
-Rules:
- * 133:27 (dce_tcp) Connection oriented DCE/RPC - Invalid major
- version.
- * 133:28 (dce_tcp) Connection oriented DCE/RPC - Invalid minor
- version.
- * 133:29 (dce_tcp) Connection-oriented DCE/RPC - Invalid pdu type.
- * 133:30 (dce_tcp) Connection-oriented DCE/RPC - Fragment length
- less than header size.
- * 133:32 (dce_tcp) Connection-oriented DCE/RPC - No context items
- specified.
- * 133:33 (dce_tcp) Connection-oriented DCE/RPC -No transfer
- syntaxes specified.
- * 133:34 (dce_tcp) Connection-oriented DCE/RPC - Fragment length on
- non-last fragment less than maximum negotiated fragment transmit
- size for client.
- * 133:35 (dce_tcp) Connection-oriented DCE/RPC - Fragment length
- greater than maximum negotiated fragment transmit size.
- * 133:36 (dce_tcp) Connection-oriented DCE/RPC - Alter Context byte
- order different from Bind
- * 133:37 (dce_tcp) Connection-oriented DCE/RPC - Call id of non
- first/last fragment different from call id established for
- fragmented request.
- * 133:38 (dce_tcp) Connection-oriented DCE/RPC - Opnum of non first
- /last fragment different from opnum established for fragmented
- request.
- * 133:39 (dce_tcp) Connection-oriented DCE/RPC - Context id of non
- first/last fragment different from context id established for
- fragmented request.
+7.2. auth
-Peg counts:
+--------------
- * dce_tcp.events: total events
- * dce_tcp.aborted sessions: total aborted sessions
- * dce_tcp.bad autodetects: total bad autodetects
- * dce_tcp.PDUs: total connection-oriented PDUs
- * dce_tcp.Binds: total connection-oriented binds
- * dce_tcp.Bind acks: total connection-oriented binds acks
- * dce_tcp.Alter contexts: total connection-oriented alter contexts
- * dce_tcp.Alter context responses: total connection-oriented alter
- context responses
- * dce_tcp.Bind naks: total connection-oriented bind naks
- * dce_tcp.Requests: total connection-oriented requests
- * dce_tcp.Responses: total connection-oriented responses
- * dce_tcp.Cancels: total connection-oriented cancels
- * dce_tcp.Orphaned: total connection-oriented orphaned
- * dce_tcp.Faults: total connection-oriented faults
- * dce_tcp.Auth3s: total connection-oriented auth3s
- * dce_tcp.Shutdowns: total connection-oriented shutdowns
- * dce_tcp.Rejects: total connection-oriented rejects
- * dce_tcp.MS RPC/HTTP PDUs: total connection-oriented MS requests
- to send RPC over HTTP
- * dce_tcp.Other requests: total connection-oriented other requests
- * dce_tcp.Other responses: total connection-oriented other
- responses
- * dce_tcp.Request fragments: total connection-oriented request
- fragments
- * dce_tcp.Response fragments: total connection-oriented response
- fragments
- * dce_tcp.Client max fragment size: connection-oriented client
- maximum fragment size
- * dce_tcp.Client min fragment size: connection-oriented client
- minimum fragment size
- * dce_tcp.Client segs reassembled: total connection-oriented client
- segments reassembled
- * dce_tcp.Client frags reassembled: total connection-oriented
- client fragments reassembled
- * dce_tcp.Server max fragment size: connection-oriented server
- maximum fragment size
- * dce_tcp.Server min fragment size: connection-oriented server
- minimum fragment size
- * dce_tcp.Server segs reassembled: total connection-oriented server
- segments reassembled
- * dce_tcp.Server frags reassembled: total connection-oriented
- server fragments reassembled
- * dce_tcp.tcp sessions: total tcp sessions
- * dce_tcp.tcp packets: total tcp packets
+What: support for IP authentication header
+Type: codec
-6.7. dce_udp
+Rules:
---------------
+ * 116:465 (auth) truncated authentication header
+ * 116:466 (auth) bad authentication header length
-What: dce over udp inspection
-Type: inspector
+7.3. ciscometadata
-Configuration:
+--------------
- * bool dce_udp.disable_defrag = false: Disable DCE/RPC
- defragmentation
- * int dce_udp.max_frag_len = 65535: Maximum fragment size for
- defragmentation { 1514:65535 }
+What: support for cisco metadata
+
+Type: codec
Rules:
- * 133:40 (dce_udp) Connection-less DCE/RPC - Invalid major version.
- * 133:41 (dce_udp) Connection-less DCE/RPC - Invalid pdu type.
- * 133:42 (dce_udp) Connection-less DCE/RPC - Data length less than
- header size.
- * 133:43 (dce_udp) Connection-less DCE/RPC - Bad sequence number.
+ * 116:468 (ciscometadata) truncated Cisco Metadata header
+ * 116:469 (ciscometadata) invalid Cisco Metadata option length
+ * 116:470 (ciscometadata) invalid Cisco Metadata option type
+ * 116:471 (ciscometadata) invalid Cisco Metadata SGT
-Peg counts:
- * dce_udp.events: total events
- * dce_udp.aborted sessions: total aborted sessions
- * dce_udp.bad autodetects: total bad autodetects
- * dce_udp.udp sessions: total udp sessions
- * dce_udp.udp packets: total udp packets
- * dce_udp.Requests: total connection-less requests
- * dce_udp.Acks: total connection-less acks
- * dce_udp.Cancels: total connection-less cancels
- * dce_udp.Client facks: total connection-less client facks
- * dce_udp.Ping: total connection-less ping
- * dce_udp.Responses: total connection-less responses
- * dce_udp.Rejects: total connection-less rejects
- * dce_udp.Cancel acks: total connection-less cancel acks
- * dce_udp.Server facks: total connection-less server facks
- * dce_udp.Faults: total connection-less faults
- * dce_udp.No calls: total connection-less no calls
- * dce_udp.Working: total connection-less working
- * dce_udp.Other requests: total connection-less other requests
- * dce_udp.Other responses: total connection-less other responses
- * dce_udp.Fragments: total connection-less fragments
- * dce_udp.Max fragment size: connection-less maximum fragment size
- * dce_udp.Frags reassembled: total connection-less fragments
- reassembled
- * dce_udp.Max seqnum: max connection-less seqnum
+7.4. erspan2
+--------------
-6.8. dnp3
+What: support for encapsulated remote switched port analyzer - type 2
---------------
+Type: codec
-What: dnp3 inspection
+Rules:
-Type: inspector
+ * 116:462 (erspan2) ERSpan header version mismatch
+ * 116:463 (erspan2) captured length < ERSpan type2 header length
-Configuration:
- * bool dnp3.check_crc = false: validate checksums in DNP3 link
- layer frames
+7.5. erspan3
+
+--------------
+
+What: support for encapsulated remote switched port analyzer - type 3
+
+Type: codec
Rules:
- * 145:1 (dnp3) DNP3 Link-Layer Frame contains bad CRC.
- * 145:2 (dnp3) DNP3 Link-Layer Frame was dropped.
- * 145:3 (dnp3) DNP3 Transport-Layer Segment was dropped during
- reassembly.
- * 145:4 (dnp3) DNP3 Reassembly Buffer was cleared without
- reassembling a complete message.
- * 145:5 (dnp3) DNP3 Link-Layer Frame uses a reserved address.
- * 145:6 (dnp3) DNP3 Application-Layer Fragment uses a reserved
- function code.
+ * 116:464 (erspan3) captured < ERSpan type3 header length
-Peg counts:
- * dnp3.total packets: total packets
- * dnp3.udp packets: total udp packets
- * dnp3.tcp pdus: total tcp pdus
- * dnp3.dnp3 link layer frames: total dnp3 link layer frames
- * dnp3.dnp3 application pdus: total dnp3 application pdus
+7.6. esp
+
+--------------
+
+What: support for encapsulating security payload
+
+Type: codec
+
+Configuration:
+
+ * bool esp.decode_esp = false: enable for inspection of esp traffic
+ that has authentication but not encryption
+
+Rules:
+
+ * 116:294 (esp) truncated encapsulated security payload header
-6.9. dns
+7.7. eth
--------------
-What: dns inspection
+What: support for ethernet protocol (DLT 1) (DLT 51)
-Type: inspector
+Type: codec
Rules:
- * 131:1 (dns) Obsolete DNS RR Types
- * 131:2 (dns) Experimental DNS RR Types
- * 131:3 (dns) DNS Client rdata txt Overflow
+ * 116:424 (eth) truncated ethernet header
-Peg counts:
- * dns.packets: total packets processed
- * dns.requests: total dns requests
- * dns.responses: total dns responses
+7.8. fabricpath
+--------------
-6.10. file_log
+What: support for fabricpath
---------------
+Type: codec
-What: log file event to file.log
+Rules:
-Type: inspector
+ * 116:467 (fabricpath) truncated FabricPath header
-Configuration:
- * bool file_log.log_pkt_time = true: log the packet time when event
- generated
- * bool file_log.log_sys_time = false: log the system time when
- event generated
+7.9. gre
-Peg counts:
+--------------
- * file_log.total events: total file events
+What: support for generic routing encapsulation
+
+Type: codec
+
+Rules:
+
+ * 116:160 (gre) GRE header length > payload length
+ * 116:161 (gre) multiple encapsulations in packet
+ * 116:162 (gre) invalid GRE version
+ * 116:163 (gre) invalid GRE header
+ * 116:164 (gre) invalid GRE v.1 PPTP header
+ * 116:165 (gre) GRE trans header length > payload length
-6.11. ftp_client
+7.10. gtp
--------------
-What: FTP client configuration module for use with ftp_server
+What: support for general-packet-radio-service tunnelling protocol
-Type: inspector
+Type: codec
-Configuration:
+Rules:
- * bool ftp_client.bounce = false: check for bounces
- * addr ftp_client.bounce_to[].address = 1.0.0.0/32: allowed ip
- address in CIDR format
- * port ftp_client.bounce_to[].port = 20: allowed port { 1: }
- * port ftp_client.bounce_to[].last_port: optional allowed range
- from port to last_port inclusive { 0: }
- * bool ftp_client.ignore_telnet_erase_cmds = false: ignore erase
- character and erase line commands when normalizing
- * int ftp_client.max_resp_len = -1: maximum ftp response accepted
- by client { -1: }
- * bool ftp_client.telnet_cmds = false: detect telnet escape
- sequences on ftp control channel
+ * 116:297 (gtp) two or more GTP encapsulation layers present
+ * 116:298 (gtp) GTP header length is invalid
-6.12. ftp_data
+7.11. icmp4
--------------
-What: FTP data channel handler
+What: support for Internet control message protocol v4
-Type: inspector
+Type: codec
-Peg counts:
+Rules:
- * ftp_data.packets: total packets
+ * 116:105 (icmp4) ICMP header truncated
+ * 116:106 (icmp4) ICMP timestamp header truncated
+ * 116:107 (icmp4) ICMP address header truncated
+ * 116:250 (icmp4) ICMP original IP header truncated
+ * 116:251 (icmp4) ICMP version and original IP header versions
+ differ
+ * 116:252 (icmp4) ICMP original datagram length < original IP
+ header length
+ * 116:253 (icmp4) ICMP original IP payload < 64 bits
+ * 116:254 (icmp4) ICMP original IP payload > 576 bytes
+ * 116:255 (icmp4) ICMP original IP fragmented and offset not 0
+ * 116:415 (icmp4) ICMP4 packet to multicast dest address
+ * 116:416 (icmp4) ICMP4 packet to broadcast dest address
+ * 116:418 (icmp4) ICMP4 type other
+ * 116:434 (icmp4) ICMP ping Nmap
+ * 116:435 (icmp4) ICMP icmpenum v1.1.1
+ * 116:436 (icmp4) ICMP redirect host
+ * 116:437 (icmp4) ICMP redirect net
+ * 116:438 (icmp4) ICMP traceroute ipopts
+ * 116:439 (icmp4) ICMP source quench
+ * 116:440 (icmp4) broadscan smurf scanner
+ * 116:441 (icmp4) ICMP destination unreachable communication
+ administratively prohibited
+ * 116:442 (icmp4) ICMP destination unreachable communication with
+ destination host is administratively prohibited
+ * 116:443 (icmp4) ICMP destination unreachable communication with
+ destination network is administratively prohibited
+ * 116:451 (icmp4) ICMP path MTU denial of service attempt
+ * 116:452 (icmp4) Linux ICMP header DOS attempt
+ * 116:426 (icmp4) truncated ICMP4 header
+Peg counts:
-6.13. ftp_server
+ * icmp4.bad checksum: non-zero icmp checksums
---------------
-What: main FTP module; ftp_client should also be configured
+7.12. icmp6
-Type: inspector
+--------------
-Configuration:
+What: support for Internet control message protocol v6
- * string ftp_server.chk_str_fmt: check the formatting of the given
- commands
- * string ftp_server.data_chan_cmds: check the formatting of the
- given commands
- * string ftp_server.data_rest_cmds: check the formatting of the
- given commands
- * string ftp_server.data_xfer_cmds: check the formatting of the
- given commands
- * string ftp_server.directory_cmds[].dir_cmd: directory command
- * int ftp_server.directory_cmds[].rsp_code = 200: expected
- successful response code for command { 200: }
- * string ftp_server.file_put_cmds: check the formatting of the
- given commands
- * string ftp_server.file_get_cmds: check the formatting of the
- given commands
- * string ftp_server.encr_cmds: check the formatting of the given
- commands
- * string ftp_server.login_cmds: check the formatting of the given
- commands
- * bool ftp_server.check_encrypted = false: check for end of
- encryption
- * string ftp_server.cmd_validity[].command: command string
- * string ftp_server.cmd_validity[].format: format specification
- * int ftp_server.cmd_validity[].length = 0: specify non-default
- maximum for command { 0: }
- * int ftp_server.def_max_param_len = 100: default maximum length of
- commands handled by server; 0 is unlimited { 1: }
- * bool ftp_server.encrypted_traffic = false: check for encrypted
- telnet and ftp
- * string ftp_server.ftp_cmds: specify additional commands supported
- by server beyond RFC 959
- * bool ftp_server.ignore_data_chan = false: do not inspect ftp data
- channels
- * bool ftp_server.ignore_telnet_erase_cmds = false: ignore erase
- character and erase line commands when normalizing
- * bool ftp_server.print_cmds = false: print command configurations
- on start up
- * bool ftp_server.telnet_cmds = false: detect telnet escape
- sequences of ftp control channel
+Type: codec
Rules:
- * 125:1 (ftp_server) TELNET cmd on FTP command channel
- * 125:2 (ftp_server) invalid FTP command
- * 125:3 (ftp_server) FTP command parameters were too long
- * 125:4 (ftp_server) FTP command parameters were malformed
- * 125:5 (ftp_server) FTP command parameters contained potential
- string format
- * 125:6 (ftp_server) FTP response message was too long
- * 125:7 (ftp_server) FTP traffic encrypted
- * 125:8 (ftp_server) FTP bounce attempt
- * 125:9 (ftp_server) evasive (incomplete) TELNET cmd on FTP command
- channel
+ * 116:427 (icmp6) truncated ICMP6 header
+ * 116:431 (icmp6) ICMPv6 type not decoded
+ * 116:432 (icmp6) ICMPv6 packet to multicast address
+ * 116:285 (icmp6) ICMPv6 packet of type 2 (message too big) with
+ MTU field < 1280
+ * 116:286 (icmp6) ICMPv6 packet of type 1 (destination unreachable)
+ with non-RFC 2463 code
+ * 116:287 (icmp6) ICMPv6 router solicitation packet with a code not
+ equal to 0
+ * 116:288 (icmp6) ICMPv6 router advertisement packet with a code
+ not equal to 0
+ * 116:289 (icmp6) ICMPv6 router solicitation packet with the
+ reserved field not equal to 0
+ * 116:290 (icmp6) ICMPv6 router advertisement packet with the
+ reachable time field set > 1 hour
+ * 116:457 (icmp6) ICMPv6 packet of type 1 (destination unreachable)
+ with non-RFC 4443 code
+ * 116:460 (icmp6) ICMPv6 node info query/response packet with a
+ code greater than 2
Peg counts:
- * ftp_server.packets: total packets
+ * icmp6.bad checksum (ip4): nonzero ipcm4 checksums
+ * icmp6.bad checksum (ip6): nonzero ipcm6 checksums
-6.14. gtp_inspect
+7.13. igmp
--------------
-What: gtp control channel inspection
+What: support for Internet group management protocol
-Type: inspector
+Type: codec
-Configuration:
+Rules:
- * int gtp_inspect[].version = 2: gtp version { 0:2 }
- * int gtp_inspect[].messages[].type = 0: message type code { 0:255
- }
- * string gtp_inspect[].messages[].name: message name
- * int gtp_inspect[].infos[].type = 0: information element type code
- { 0:255 }
- * string gtp_inspect[].infos[].name: information element name
- * int gtp_inspect[].infos[].length = 0: information element type
- code { 0:255 }
+ * 116:455 (igmp) DOS IGMP IP options validation attempt
-Rules:
- * 143:1 (gtp_inspect) message length is invalid
- * 143:2 (gtp_inspect) information element length is invalid
- * 143:3 (gtp_inspect) information elements are out of order
+7.14. ipv4
-Peg counts:
+--------------
- * gtp_inspect.sessions: total sessions processed
- * gtp_inspect.events: requests
- * gtp_inspect.unknown types: unknown message types
- * gtp_inspect.unknown infos: unknown information elements
+What: support for Internet protocol v4
+Type: codec
-6.15. http_inspect
+Rules:
---------------
+ * 116:1 (ipv4) not IPv4 datagram
+ * 116:2 (ipv4) IPv4 header length < minimum
+ * 116:3 (ipv4) IPv4 datagram length < header field
+ * 116:4 (ipv4) IPv4 options found with bad lengths
+ * 116:5 (ipv4) truncated IPv4 options
+ * 116:6 (ipv4) IPv4 datagram length > captured length
+ * 116:404 (ipv4) IPv4 packet with zero TTL
+ * 116:405 (ipv4) IPv4 packet with bad frag bits (both MF and DF
+ set)
+ * 116:407 (ipv4) IPv4 packet frag offset + length exceed maximum
+ * 116:408 (ipv4) IPv4 packet from current net source address
+ * 116:409 (ipv4) IPv4 packet to current net dest address
+ * 116:410 (ipv4) IPv4 packet from multicast source address
+ * 116:411 (ipv4) IPv4 packet from reserved source address
+ * 116:412 (ipv4) IPv4 packet to reserved dest address
+ * 116:413 (ipv4) IPv4 packet from broadcast source address
+ * 116:414 (ipv4) IPv4 packet to broadcast dest address
+ * 116:428 (ipv4) IPv4 packet below TTL limit
+ * 116:430 (ipv4) IPv4 packet both DF and offset set
+ * 116:448 (ipv4) IPv4 reserved bit set
+ * 116:444 (ipv4) IPv4 option set
+ * 116:425 (ipv4) truncated IPv4 header
-What: HTTP inspector
+Peg counts:
-Type: inspector
+ * ipv4.bad checksum: nonzero ip checksums
-Configuration:
- * int http_inspect.request_depth = -1: maximum request message body
- bytes to examine (-1 no limit) { -1: }
- * int http_inspect.response_depth = -1: maximum response message
- body bytes to examine (-1 no limit) { -1: }
- * bool http_inspect.unzip = true: decompress gzip and deflate
- message bodies
- * bool http_inspect.normalize_utf = true: normalize charset utf
- encodings
- * bit_list http_inspect.bad_characters: alert when any of specified
- bytes are present in URI after percent decoding { 255 }
- * string http_inspect.ignore_unreserved: do not alert when the
- specified unreserved characters are percent-encoded in a
- URI.Unreserved characters are 0-9, a-z, A-Z, period, underscore,
- tilde, and minus. { (optional) }
- * bool http_inspect.percent_u = false: normalize %uNNNN and %UNNNN
- encodings
- * bool http_inspect.utf8 = true: normalize 2-byte and 3-byte UTF-8
- characters to a single byte
- * bool http_inspect.utf8_bare_byte = false: when doing UTF-8
- character normalization include bytes that were not percent
- encoded
- * bool http_inspect.iis_unicode = false: use IIS unicode code point
- mapping to normalize characters
- * string http_inspect.iis_unicode_map_file: file containing code
- points for IIS unicode. { (optional) }
- * int http_inspect.iis_unicode_code_page = 1252: code page to use
- from the IIS unicode map file { 0:65535 }
- * bool http_inspect.iis_double_decode = false: perform double
- decoding of percent encodings to normalize characters
- * int http_inspect.oversize_dir_length = 300: maximum length for
- URL directory { 1:65535 }
- * bool http_inspect.backslash_to_slash = false: replace \ with /
- when normalizing URIs
- * bool http_inspect.plus_to_space = true: replace + with <sp> when
- normalizing URIs
- * bool http_inspect.simplify_path = true: reduce URI directory path
- to simplest form
- * bool http_inspect.test_input = false: read HTTP messages from
- text file
- * bool http_inspect.test_output = false: print out HTTP section
- data
- * int http_inspect.print_amount = 1200: number of characters to
- print from a Field { 1:1000000 }
- * bool http_inspect.print_hex = false: nonprinting characters
- printed in [HH] format instead of using an asterisk
- * bool http_inspect.show_pegs = true: display peg counts with test
- output
+7.15. ipv6
+
+--------------
-Rules:
+What: support for Internet protocol v6
- * 119:1 (http_inspect) ascii encoding
- * 119:2 (http_inspect) double decoding attack
- * 119:3 (http_inspect) u encoding
- * 119:4 (http_inspect) bare byte unicode encoding
- * 119:5 (http_inspect) obsolete event—should not appear
- * 119:6 (http_inspect) UTF-8 encoding
- * 119:7 (http_inspect) IIS unicode codepoint encoding
- * 119:8 (http_inspect) multi_slash encoding
- * 119:9 (http_inspect) IIS backslash evasion
- * 119:10 (http_inspect) self directory traversal
- * 119:11 (http_inspect) directory traversal
- * 119:12 (http_inspect) apache whitespace (tab)
- * 119:13 (http_inspect) non-RFC http delimiter
- * 119:14 (http_inspect) non-RFC defined char
- * 119:15 (http_inspect) oversize request-uri directory
- * 119:16 (http_inspect) oversize chunk encoding
- * 119:17 (http_inspect) unauthorized proxy use detected
- * 119:18 (http_inspect) webroot directory traversal
- * 119:19 (http_inspect) long header
- * 119:20 (http_inspect) max header fields
- * 119:21 (http_inspect) multiple content length
- * 119:22 (http_inspect) chunk size mismatch detected
- * 119:23 (http_inspect) invalid IP in true-client-IP/XFF header
- * 119:24 (http_inspect) multiple host hdrs detected
- * 119:25 (http_inspect) hostname exceeds 255 characters
- * 119:26 (http_inspect) header parsing space saturation
- * 119:27 (http_inspect) client consecutive small chunk sizes
- * 119:28 (http_inspect) post w/o content-length or chunks
- * 119:29 (http_inspect) multiple true ips in a session
- * 119:30 (http_inspect) both true-client-IP and XFF hdrs present
- * 119:31 (http_inspect) unknown method
- * 119:32 (http_inspect) simple request
- * 119:33 (http_inspect) unescaped space in HTTP URI
- * 119:34 (http_inspect) too many pipelined requests
- * 119:35 (http_inspect) anomalous http server on undefined HTTP
- port
- * 119:36 (http_inspect) invalid status code in HTTP response
- * 119:37 (http_inspect) no content-length or transfer-encoding in
- HTTP response
- * 119:38 (http_inspect) HTTP response has UTF charset which failed
- to normalize
- * 119:39 (http_inspect) HTTP response has UTF-7 charset
- * 119:40 (http_inspect) HTTP response gzip decompression failed
- * 119:41 (http_inspect) server consecutive small chunk sizes
- * 119:42 (http_inspect) invalid content-length or chunk size
- * 119:43 (http_inspect) javascript obfuscation levels exceeds 1
- * 119:44 (http_inspect) javascript whitespaces exceeds max allowed
- * 119:45 (http_inspect) multiple encodings within javascript
- obfuscated data
- * 119:46 (http_inspect) SWF file zlib decompression failure
- * 119:47 (http_inspect) SWF file LZMA decompression failure
- * 119:48 (http_inspect) PDF file deflate decompression failure
- * 119:49 (http_inspect) PDF file unsupported compression type
- * 119:50 (http_inspect) PDF file cascaded compression
- * 119:51 (http_inspect) PDF file parse failure
- * 119:52 (http_inspect) Not HTTP traffic
- * 119:53 (http_inspect) Chunk length has excessive leading zeros
- * 119:54 (http_inspect) White space before or between messages
- * 119:55 (http_inspect) Request message without URI
- * 119:56 (http_inspect) Control character in reason phrase
- * 119:57 (http_inspect) Illegal extra whitespace in start line
- * 119:58 (http_inspect) Corrupted HTTP version
- * 119:59 (http_inspect) Unknown HTTP version
- * 119:60 (http_inspect) Format error in HTTP header
- * 119:61 (http_inspect) Chunk header options present
- * 119:62 (http_inspect) URI badly formatted
- * 119:63 (http_inspect) Unrecognized type of percent encoding in
- URI
- * 119:64 (http_inspect) HTTP chunk misformatted
- * 119:65 (http_inspect) White space following chunk length
- * 119:66 (http_inspect) White space within header name
- * 119:67 (http_inspect) Excessive gzip compression
- * 119:68 (http_inspect) Gzip decompression failed
- * 119:69 (http_inspect) HTTP 0.9 requested followed by another
- request
- * 119:70 (http_inspect) HTTP 0.9 request following a normal request
- * 119:71 (http_inspect) Message has both Content-Length and
- Transfer-Encoding
- * 119:72 (http_inspect) Status code implying no body combined with
- Transfer-Encoding or nonzero Content-Length
- * 119:73 (http_inspect) Transfer-Encoding did not end with chunked
- * 119:74 (http_inspect) Transfer-Encoding with chunked not at end
- * 119:75 (http_inspect) Misformatted HTTP traffic
- * 119:76 (http_inspect) Unsupported Transfer-Encoding or
- Content-Encoding used
- * 119:77 (http_inspect) Unknown Transfer-Encoding or
- Content-Encoding used
- * 119:78 (http_inspect) Multiple layers of compression encodings
- applied
+Type: codec
-Peg counts:
+Rules:
- * http_inspect.flows: HTTP connections inspected
- * http_inspect.scans: TCP segments scanned looking for HTTP
- messages
- * http_inspect.reassembles: TCP segments combined into HTTP
- messages
- * http_inspect.inspections: total message sections inspected
- * http_inspect.requests: HTTP request messages inspected
- * http_inspect.responses: HTTP response messages inspected
- * http_inspect.GET requests: GET requests inspected
- * http_inspect.HEAD requests: HEAD requests inspected
- * http_inspect.POST requests: POST requests inspected
- * http_inspect.PUT requests: PUT requests inspected
- * http_inspect.DELETE requests: DELETE requests inspected
- * http_inspect.CONNECT requests: CONNECT requests inspected
- * http_inspect.OPTIONS requests: OPTIONS requests inspected
- * http_inspect.TRACE requests: TRACE requests inspected
- * http_inspect.other requests: other request methods inspected
- * http_inspect.request bodies: POST, PUT, and other requests with
- message bodies
- * http_inspect.chunked: chunked message bodies
- * http_inspect.URI normalizations: URIs needing to be normalization
- * http_inspect.URI path: URIs with path problems
- * http_inspect.URI coding: URIs with character coding problems
+ * 116:270 (ipv6) IPv6 packet below TTL limit
+ * 116:271 (ipv6) IPv6 header claims to not be IPv6
+ * 116:272 (ipv6) IPv6 truncated extension header
+ * 116:273 (ipv6) IPv6 truncated header
+ * 116:274 (ipv6) IPv6 datagram length < header field
+ * 116:275 (ipv6) IPv6 datagram length > captured length
+ * 116:276 (ipv6) IPv6 packet with destination address ::0
+ * 116:277 (ipv6) IPv6 packet with multicast source address
+ * 116:278 (ipv6) IPv6 packet with reserved multicast destination
+ address
+ * 116:279 (ipv6) IPv6 header includes an undefined option type
+ * 116:280 (ipv6) IPv6 address includes an unassigned multicast
+ scope value
+ * 116:281 (ipv6) IPv6 header includes an invalid value for the next
+ header field
+ * 116:282 (ipv6) IPv6 header includes a routing extension header
+ followed by a hop-by-hop header
+ * 116:283 (ipv6) IPv6 header includes two routing extension headers
+ * 116:292 (ipv6) IPv6 header has destination options followed by a
+ routing header
+ * 116:291 (ipv6) IPV6 tunneled over IPv4, IPv6 header truncated,
+ possible Linux kernel attack
+ * 116:295 (ipv6) IPv6 header includes an option which is too big
+ for the containing header
+ * 116:296 (ipv6) IPv6 packet includes out-of-order extension
+ headers
+ * 116:429 (ipv6) IPv6 packet has zero hop limit
+ * 116:453 (ipv6) ISATAP-addressed IPv6 traffic spoofing attempt
+ * 116:458 (ipv6) bogus fragmentation packet, possible BSD attack
+ * 116:461 (ipv6) IPv6 routing type 0 extension header
+ * 116:456 (ipv6) too many IPv6 extension headers
-6.16. imap
+7.16. mpls
--------------
-What: imap inspection
+What: support for multiprotocol label switching
-Type: inspector
+Type: codec
Configuration:
- * int imap.b64_decode_depth = 1460: base64 decoding depth {
- -1:65535 }
- * int imap.bitenc_decode_depth = 1460: Non-Encoded MIME attachment
- extraction depth { -1:65535 }
- * int imap.qp_decode_depth = 1460: Quoted Printable decoding depth
- { -1:65535 }
- * int imap.uu_decode_depth = 1460: Unix-to-Unix decoding depth {
- -1:65535 }
+ * bool mpls.enable_mpls_multicast = false: enables support for MPLS
+ multicast
+ * bool mpls.enable_mpls_overlapping_ip = false: enable if private
+ network addresses overlap and must be differentiated by MPLS
+ label(s)
+ * int mpls.max_mpls_stack_depth = -1: set MPLS stack depth { -1: }
+ * enum mpls.mpls_payload_type = ip4: set encapsulated payload type
+ { eth | ip4 | ip6 }
Rules:
- * 141:1 (imap) Unknown IMAP3 command
- * 141:2 (imap) Unknown IMAP3 response
- * 141:4 (imap) Base64 Decoding failed.
- * 141:5 (imap) Quoted-Printable Decoding failed.
- * 141:7 (imap) Unix-to-Unix Decoding failed.
+ * 116:170 (mpls) bad MPLS frame
+ * 116:171 (mpls) MPLS label 0 appears in non-bottom header
+ * 116:172 (mpls) MPLS label 1 appears in bottom header
+ * 116:173 (mpls) MPLS label 2 appears in non-bottom header
+ * 116:174 (mpls) MPLS label 3 appears in header
+ * 116:175 (mpls) MPLS label 4, 5,.. or 15 appears in header
+ * 116:176 (mpls) too many MPLS headers
Peg counts:
- * imap.packets: total packets processed
- * imap.sessions: total imap sessions
- * imap.b64 attachments: total base64 attachments decoded
- * imap.b64 decoded bytes: total base64 decoded bytes
- * imap.qp attachments: total quoted-printable attachments decoded
- * imap.qp decoded bytes: total quoted-printable decoded bytes
- * imap.uu attachments: total uu attachments decoded
- * imap.uu decoded bytes: total uu decoded bytes
- * imap.non-encoded attachments: total non-encoded attachments
- extracted
- * imap.non-encoded bytes: total non-encoded extracted bytes
+ * mpls.total packets: total mpls labeled packets processed
+ * mpls.total bytes: total mpls labeled bytes processed
-6.17. modbus
+7.17. pgm
--------------
-What: modbus inspection
+What: support for pragmatic general multicast
-Type: inspector
+Type: codec
Rules:
- * 144:1 (modbus) length in Modbus MBAP header does not match the
- length needed for the given function
- * 144:2 (modbus) Modbus protocol ID is non-zero
- * 144:3 (modbus) Reserved Modbus function code in use
+ * 116:454 (pgm) PGM nak list overflow attempt
-Peg counts:
- * modbus.sessions: total sessions processed
- * modbus.frames: total Modbus messages
+7.18. pppoe
+
+--------------
+
+What: support for point-to-point protocol over ethernet
+
+Type: codec
+
+Rules:
+
+ * 116:120 (pppoe) bad PPPOE frame detected
-6.18. normalizer
+7.19. tcp
--------------
-What: packet scrubbing for inline mode
+What: support for transmission control protocol
-Type: inspector
+Type: codec
-Configuration:
+Rules:
- * bool normalizer.ip4.base = true: clear options
- * bool normalizer.ip4.df = false: clear don’t frag flag
- * bool normalizer.ip4.rf = false: clear reserved flag
- * bool normalizer.ip4.tos = false: clear tos / differentiated
- services byte
- * bool normalizer.ip4.trim = false: truncate excess payload beyond
- datagram length
- * bool normalizer.tcp.base = true: clear reserved bits and option
- padding and fix urgent pointer / flags issues
- * bool normalizer.tcp.block = true: allow packet drops during TCP
- normalization
- * bool normalizer.tcp.urp = true: adjust urgent pointer if beyond
- segment length
- * bool normalizer.tcp.ips = false: ensure consistency in
- retransmitted data
- * select normalizer.tcp.ecn = off: clear ecn for all packets |
- sessions w/o ecn setup { off | packet | stream }
- * bool normalizer.tcp.pad = true: clear any option padding bytes
- * bool normalizer.tcp.trim_syn = false: remove data on SYN
- * bool normalizer.tcp.trim_rst = false: remove any data from RST
- packet
- * bool normalizer.tcp.trim_win = false: trim data to window
- * bool normalizer.tcp.trim_mss = false: trim data to MSS
- * bool normalizer.tcp.trim = false: enable all of the TCP trim
- options
- * bool normalizer.tcp.opts = true: clear all options except mss,
- wscale, timestamp, and any explicitly allowed
- * bool normalizer.tcp.req_urg = true: clear the urgent pointer if
- the urgent flag is not set
- * bool normalizer.tcp.req_pay = true: clear the urgent pointer and
- the urgent flag if there is no payload
- * bool normalizer.tcp.rsv = true: clear the reserved bits in the
- TCP header
- * bool normalizer.tcp.req_urp = true: clear the urgent flag if the
- urgent pointer is not set
- * multi normalizer.tcp.allow_names: don’t clear given option names
- { sack | echo | partial_order | conn_count | alt_checksum | md5 }
- * string normalizer.tcp.allow_codes: don’t clear given option codes
- * bool normalizer.ip6 = false: clear reserved flag
- * bool normalizer.icmp4 = false: clear reserved flag
- * bool normalizer.icmp6 = false: clear reserved flag
+ * 116:45 (tcp) TCP packet length is smaller than 20 bytes
+ * 116:46 (tcp) TCP data offset is less than 5
+ * 116:47 (tcp) TCP header length exceeds packet length
+ * 116:54 (tcp) TCP options found with bad lengths
+ * 116:55 (tcp) truncated TCP options
+ * 116:56 (tcp) T/TCP detected
+ * 116:57 (tcp) obsolete TCP options found
+ * 116:58 (tcp) experimental TCP options found
+ * 116:59 (tcp) TCP window scale option found with length > 14
+ * 116:400 (tcp) XMAS attack detected
+ * 116:401 (tcp) Nmap XMAS attack detected
+ * 116:419 (tcp) TCP urgent pointer exceeds payload length or no
+ payload
+ * 116:420 (tcp) TCP SYN with FIN
+ * 116:421 (tcp) TCP SYN with RST
+ * 116:422 (tcp) TCP PDU missing ack for established session
+ * 116:423 (tcp) TCP has no SYN, ACK, or RST
+ * 116:433 (tcp) DDOS shaft SYN flood
+ * 116:446 (tcp) TCP port 0 traffic
+ * 116:402 (tcp) DOS NAPTHA vulnerability detected
+ * 116:403 (tcp) SYN to multicast address
+
+Peg counts:
+
+ * tcp.bad checksum (ip4): nonzero tcp over ip checksums
+ * tcp.bad checksum (ip6): nonzero tcp over ipv6 checksums
+
+
+7.20. udp
+
+--------------
+
+What: support for user datagram protocol
+
+Type: codec
+
+Configuration:
+
+ * bool udp.deep_teredo_inspection = false: look for Teredo on all
+ UDP ports (default is only 3544)
+ * bool udp.enable_gtp = false: decode GTP encapsulations
+ * bit_list udp.gtp_ports = 2152 3386: set GTP ports { 65535 }
+
+Rules:
+
+ * 116:95 (udp) truncated UDP header
+ * 116:96 (udp) invalid UDP header, length field < 8
+ * 116:97 (udp) short UDP packet, length field > payload length
+ * 116:98 (udp) long UDP packet, length field < payload length
+ * 116:406 (udp) invalid IPv6 UDP packet, checksum zero
+ * 116:445 (udp) large UDP packet (> 4000 bytes)
+ * 116:447 (udp) UDP port 0 traffic
Peg counts:
- * normalizer.ip4 trim: eth packets trimmed to datagram size
- * normalizer.test ip4 trim: test eth packets trimmed to datagram
- size
- * normalizer.ip4 tos: type of service normalizations
- * normalizer.test ip4 tos: test type of service normalizations
- * normalizer.ip4 df: don’t frag bit normalizations
- * normalizer.test ip4 df: test don’t frag bit normalizations
- * normalizer.ip4 rf: reserved flag bit clears
- * normalizer.test ip4 rf: test reserved flag bit clears
- * normalizer.ip4 ttl: time-to-live normalizations
- * normalizer.test ip4 ttl: test time-to-live normalizations
- * normalizer.ip4 opts: ip4 options cleared
- * normalizer.test ip4 opts: test ip4 options cleared
- * normalizer.icmp4 echo: icmp4 ping normalizations
- * normalizer.test icmp4 echo: test icmp4 ping normalizations
- * normalizer.ip6 hops: ip6 hop limit normalizations
- * normalizer.test ip6 hops: test ip6 hop limit normalizations
- * normalizer.ip6 options: ip6 options cleared
- * normalizer.test ip6 options: test ip6 options cleared
- * normalizer.icmp6 echo: icmp6 echo normalizations
- * normalizer.test icmp6 echo: test icmp6 echo normalizations
- * normalizer.tcp syn options: SYN only options cleared from non-SYN
- packets
- * normalizer.test tcp syn options: test SYN only options cleared
- from non-SYN packets
- * normalizer.tcp options: packets with options cleared
- * normalizer.test tcp options: test packets with options cleared
- * normalizer.tcp paddding: packets with padding cleared
- * normalizer.test tcp paddding: test packets with padding cleared
- * normalizer.tcp reserved: packets with reserved bits cleared
- * normalizer.test tcp reserved: test packets with reserved bits
- cleared
- * normalizer.tcp nonce: packets with nonce bit cleared
- * normalizer.test tcp nonce: test packets with nonce bit cleared
- * normalizer.tcp urgent ptr: packets without data with urgent
- pointer cleared
- * normalizer.test tcp urgent ptr: test packets without data with
- urgent pointer cleared
- * normalizer.tcp ecn pkt: packets with ECN bits cleared
- * normalizer.test tcp ecn pkt: test packets with ECN bits cleared
- * normalizer.tcp ts ecr: timestamp cleared on non-ACKs
- * normalizer.test tcp ts ecr: test timestamp cleared on non-ACKs
- * normalizer.tcp req urg: cleared urgent pointer when urgent flag
- is not set
- * normalizer.test tcp req urg: test cleared urgent pointer when
- urgent flag is not set
- * normalizer.tcp req pay: cleared urgent pointer and urgent flag
- when there is no payload
- * normalizer.test tcp req pay: test cleared urgent pointer and
- urgent flag when there is no payload
- * normalizer.tcp req urp: cleared the urgent flag if the urgent
- pointer is not set
- * normalizer.test tcp req urp: test cleared the urgent flag if the
- urgent pointer is not set
- * normalizer.tcp trim syn: tcp segments trimmed on SYN
- * normalizer.test tcp trim syn: test tcp segments trimmed on SYN
- * normalizer.tcp trim rst: RST packets with data trimmed
- * normalizer.test tcp trim rst: test RST packets with data trimmed
- * normalizer.tcp trim win: data trimed to window
- * normalizer.test tcp trim win: test data trimed to window
- * normalizer.tcp trim mss: data trimmed to MSS
- * normalizer.test tcp trim mss: test data trimmed to MSS
- * normalizer.tcp ecn session: ECN bits cleared
- * normalizer.test tcp ecn session: test ECN bits cleared
- * normalizer.tcp ts nop: timestamp options cleared
- * normalizer.test tcp ts nop: test timestamp options cleared
- * normalizer.tcp ips data: normalized segments
- * normalizer.test tcp ips data: test normalized segments
- * normalizer.tcp block: blocked segments
- * normalizer.test tcp block: test blocked segments
+ * udp.bad checksum (ip4): nonzero udp over ipv4 checksums
+ * udp.bad checksum (ip6): nonzero udp over ipv6 checksums
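Review bot: the help text on the two new pegs, `udp.bad checksum (ip4): nonzero udp over ipv4 checksums` and the ip6 twin, describes the packets examined rather than the condition counted, so the peg name ("bad") and its description ("nonzero") disagree. If the intent is that only datagrams carrying a nonzero checksum are verified (a zero UDP checksum over IPv4 means the sender computed none) and the peg counts those that fail, say exactly that, e.g. "udp over ipv4 packets whose nonzero checksum failed verification"; the ip6 line should not mention "nonzero" unless the code really skips zero checksums there too.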
-6.19. packet_capture
+7.21. vlan
--------------
-What: raw packet dumping facility
+What: support for local area network
-Type: inspector
+Type: codec
-Configuration:
+Rules:
- * bool packet_capture.enable = false: initially enable packet
- dumping
- * string packet_capture.filter: bpf filter to use for packet dump
+ * 116:130 (vlan) bad VLAN frame
+ * 116:131 (vlan) bad LLC header
+ * 116:132 (vlan) bad extra LLC info
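Review bot: the `What:` line of the new vlan codec reads "support for local area network", which drops the word that matters. The three rules under it (116:130 bad VLAN frame, 116:131 bad LLC header, 116:132 bad extra LLC info) are all about VLAN-tagged frames and their LLC encapsulation, so the line should say "virtual local area network (VLAN) tagged frames" or similar, matching the module name.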
-Commands:
- * packet_capture.enable(filter): dump raw packets
- * packet_capture.disable(): stop packet dump
+---------------------------------------------------------------------
-Peg counts:
+8. Inspector Modules
- * packet_capture.processed: packets processed against filter
- * packet_capture.captured: packets matching dumped after matching
- filter
+---------------------------------------------------------------------
+These modules perform a variety of functions, including analysis of
+protocols beyond basic decoding.
-6.20. perf_monitor
+
+8.1. appid
--------------
-What: performance monitoring and flow statistics collection
+What: application and service identification
Type: inspector
Configuration:
- * bool perf_monitor.base = true: enable base statistics { nullptr }
- * bool perf_monitor.cpu = false: enable cpu statistics { nullptr }
- * bool perf_monitor.flow = false: enable traffic statistics
- * bool perf_monitor.flow_ip = false: enable statistics on host
- pairs
- * int perf_monitor.packets = 10000: minimum packets to report { 0:
- }
- * int perf_monitor.seconds = 60: report interval { 1: }
- * int perf_monitor.flow_ip_memcap = 52428800: maximum memory for
- flow tracking { 8200: }
- * int perf_monitor.max_file_size = 1073741824: files will be rolled
- over if they exceed this size { 4096: }
- * int perf_monitor.flow_ports = 1023: maximum ports to track {
- 0:65535 }
- * enum perf_monitor.output = file: Output location for stats { file
- | console }
- * string perf_monitor.modules[].name: name of the module
- * string perf_monitor.modules[].pegs: list of statistics to track
- or empty for all counters
- * enum perf_monitor.format = csv: Output format for stats { csv |
- text }
- * bool perf_monitor.summary = false: Output summary at shutdown
+ * string appid.conf: RNA configuration file
+ * int appid.memcap = 0: disregard - not implemented { 0: }
+ * bool appid.log_stats = false: enable logging of appid statistics
+ * int appid.app_stats_period = 300: time period for collecting and
+ logging appid statistics { 0: }
+ * int appid.app_stats_rollover_size = 20971520: max file size for
+ appid stats before rolling over the log file { 0: }
+ * int appid.app_stats_rollover_time = 86400: max time period for
+ collection appid stats before rolling over the log file { 0: }
+ * string appid.app_detector_dir: directory to load appid detectors
+ from
+ * int appid.instance_id = 0: instance id - need more details for
+ what this is { 0: }
+ * bool appid.debug = false: enable appid debug logging
+ * bool appid.dump_ports = false: enable dump of appid port
+ information
+ * string appid.thirdparty_appid_dir: directory to load thirdparty
+ appid detectors from
+ * addr appid.session_log_filter.src_ip = 0.0.0.0/32: source ip
+ address in CIDR format
+ * addr appid.session_log_filter.dst_ip = 0.0.0.0/32: destination ip
+ address in CIDR format
+ * port appid.session_log_filter.src_port: source port { 1: }
+ * port appid.session_log_filter.dst_port: destination port { 1: }
+ * string appid.session_log_filter.protocol: ip protocol
+ * bool appid.session_log_filter.log_all_sessions = false: enable
+ logging for all appid sessions
Peg counts:
- * perf_monitor.packets: total packets
-
-
-6.21. pop
+ * appid.packets: count of packets received
+ * appid.processed packets: count of packets processed
+ * appid.ignored packets: count of packets ignored
+ * appid.aim clients: count of aim clients discovered
+ * appid.battlefield flows: count of battle field flows discovered
+ * appid.bgp flows: count of bgp flows discovered
+ * appid.bit clients: count of bittorrent clients discovered
+ * appid.bit flows: count of bittorrent flows discovered
+ * appid.bittracker clients: count of bittorrent tracker clients
+ discovered
+ * appid.bootp flows: count of bootp flows discovered
+ * appid.dcerpc tcp flows: count of dce rpc flows over tcp
+ discovered
+ * appid.dcerpc udp flows: count of dce rpc flows over udp
+ discovered
+ * appid.direct connect flows: count of direct connect flows
+ discovered
+ * appid.dns tcp flows: count of dns flows over tcp discovered
+ * appid.dns udp flows: count of dns flows over udp discovered
+ * appid.ftp flows: count of ftp flows discovered
+ * appid.ftps flows: count of ftps flows discovered
+ * appid.http flows: count of http flows discovered
+ * appid.imap flows: count of imap service flows discovered
+ * appid.imaps flows: count of imap TLS service flows discovered
+ * appid.irc flows: count of irc service flows discovered
+ * appid.kerberos clients: count of kerberos clients discovered
+ * appid.kerberos flows: count of kerberos service flows discovered
+ * appid.kerberos users: count of kerberos users discovered
+ * appid.lpr flows: count of lpr service flows discovered
+ * appid.mdns flows: count of mdns service flows discovered
+ * appid.msn clients: count of msn clients discovered
+ * appid.mysql flows: count of mysql service flows discovered
+ * appid.netbios dgm flows: count of netbios-dgm service flows
+ discovered
+ * appid.netbios ns flows: count of netbios-ns service flows
+ discovered
+ * appid.netbios ssn flows: count of netbios-ssn service flows
+ discovered
+ * appid.nntp flows: count of nntp flows discovered
+ * appid.ntp flows: count of ntp flows discovered
+ * appid.pop flows: count of pop service flows discovered
+ * appid.radius flows: count of radius flows discovered
+ * appid.rexec flows: count of rexec flows discovered
+ * appid.rfb flows: count of rfb flows discovered
+ * appid.rlogin flows: count of rlogin flows discovered
+ * appid.rpc flows: count of rpc flows discovered
+ * appid.rshell flows: count of rshell flows discovered
+ * appid.rsync flows: count of rsync service flows discovered
+ * appid.rtmp flows: count of rtmp flows discovered
+ * appid.rtp clients: count of rtp clients discovered
+ * appid.sip clients: count of SIP clients discovered
+ * appid.sip flows: count of SIP flows discovered
+ * appid.smtp aol clients: count of AOL smtp clients discovered
+ * appid.smtp applemail clients: count of Apple Mail smtp clients
+ discovered
+ * appid.smtp eudora clients: count of Eudora smtp clients
+ discovered
+ * appid.smtp eudora pro clients: count of Eudora Pro smtp clients
+ discovered
+ * appid.smtp evolution clients: count of Evolution smtp clients
+ discovered
+ * appid.smtp kmail clients: count of KMail smtp clients discovered
+ * appid.smtp lotus notes clients: count of Lotus Notes smtp clients
+ discovered
+ * appid.smtp microsoft outlook clients: count of Microsoft Outlook
+ smtp clients discovered
+ * appid.smtp microsoft outlook express clients: count of Microsoft
+ Outlook Express smtp clients discovered
+ * appid.smtp microsoft outlook imo clients: count of Microsoft
+ Outlook IMO smtp clients discovered
+ * appid.smtp mutt clients: count of Mutt smtp clients discovered
+ * appid.smtp thunderbird clients: count of Thunderbird smtp clients
+ discovered
+ * appid.smtp flows: count of smtp flows discovered
+ * appid.smtps flows: count of smtps flows discovered
+ * appid.snmp flows: count of snmp flows discovered
+ * appid.ssh clients: count of ssh clients discovered
+ * appid.ssh flows: count of ssh flows discovered
+ * appid.ssl flows: count of ssl flows discovered
+ * appid.telnet flows: count of telnet flows discovered
+ * appid.tftp flows: count of tftp flows discovered
+ * appid.timbuktu flows: count of timbuktu flows discovered
+ * appid.tns clients: count of tns clients discovered
+ * appid.tns flows: count of tns flows discovered
+ * appid.vnc clients: count of vnc clients discovered
+ * appid.yahoo messenger clients: count of Yahoo Messenger clients
+ discovered
+
+
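Review bot: two of the new appid help strings ship developer notes to the end user: `int appid.memcap = 0: disregard - not implemented { 0: }` and `int appid.instance_id = 0: instance id - need more details for what this is { 0: }`. Either omit these options from the generated reference until they do something or give each a real one-line description; as written a reader cannot tell whether setting memcap is silently ignored or harmful. While here: `appid.conf` is described only as "RNA configuration file" with RNA never expanded, `app_stats_rollover_time` says "collection appid stats" where "collecting" is meant, the peg `appid.battlefield flows` is described as "battle field flows" (one word in the name, two in the text), and the `session_log_filter` defaults of 0.0.0.0/32 for src_ip and dst_ip should state whether that value means "match any" or "match nothing" when log_all_sessions is false.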
+8.2. arp_spoof
--------------
-What: pop inspection
+What: detect ARP attacks and anomalies
Type: inspector
Configuration:
- * int pop.b64_decode_depth = 1460: base64 decoding depth { -1:65535
- }
- * int pop.bitenc_decode_depth = 1460: Non-Encoded MIME attachment
- extraction depth { -1:65535 }
- * int pop.qp_decode_depth = 1460: Quoted Printable decoding depth {
- -1:65535 }
- * int pop.uu_decode_depth = 1460: Unix-to-Unix decoding depth {
- -1:65535 }
+ * ip4 arp_spoof.hosts[].ip: host ip address
+ * mac arp_spoof.hosts[].mac: host mac address
Rules:
- * 142:1 (pop) Unknown POP3 command
- * 142:2 (pop) Unknown POP3 response
- * 142:4 (pop) Base64 Decoding failed.
- * 142:5 (pop) Quoted-Printable Decoding failed.
- * 142:7 (pop) Unix-to-Unix Decoding failed.
+ * 112:1 (arp_spoof) unicast ARP request
+ * 112:2 (arp_spoof) ethernet/ARP mismatch request for source
+ * 112:3 (arp_spoof) ethernet/ARP mismatch request for destination
+ * 112:4 (arp_spoof) attempted ARP cache overwrite attack
Peg counts:
- * pop.packets: total packets processed
- * pop.sessions: total pop sessions
- * pop.b64 attachments: total base64 attachments decoded
- * pop.b64 decoded bytes: total base64 decoded bytes
- * pop.qp attachments: total quoted-printable attachments decoded
- * pop.qp decoded bytes: total quoted-printable decoded bytes
- * pop.uu attachments: total uu attachments decoded
- * pop.uu decoded bytes: total uu decoded bytes
- * pop.non-encoded attachments: total non-encoded attachments
- extracted
- * pop.non-encoded bytes: total non-encoded extracted bytes
+ * arp_spoof.packets: total packets
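Review bot: `arp_spoof.hosts[].ip` and `arp_spoof.hosts[].mac` are listed with no explanation of what the list is for, yet `112:4 (arp_spoof) attempted ARP cache overwrite attack` presumably needs some expected IP-to-MAC mapping to compare against. Add a sentence stating whether hosts[] is that table of expected mappings, what happens for addresses not in it, and whether 112:1 through 112:3 fire with an empty table; otherwise the only way to learn how to configure this inspector is to read the source.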
-6.22. port_scan
+8.3. back_orifice
--------------
-What: port scan inspector; also configure port_scan_global
+What: back orifice detection
Type: inspector
-Configuration:
+Rules:
- * multi port_scan.protos = all: choose the protocols to monitor {
- tcp | udp | icmp | ip | all }
- * multi port_scan.scan_types = all: choose type of scans to look
- for { portscan | portsweep | decoy_portscan |
- distributed_portscan | all }
- * enum port_scan.sense_level = medium: choose the level of
- detection { low | medium | high }
- * string port_scan.watch_ip: list of CIDRs with optional ports to
- watch
- * string port_scan.ignore_scanners: list of CIDRs with optional
- ports to ignore if the source of scan alerts
- * string port_scan.ignore_scanned: list of CIDRs with optional
- ports to ignore if the destination of scan alerts
- * bool port_scan.include_midstream = false: list of CIDRs with
- optional ports
- * bool port_scan.logfile = false: write scan events to file
+ * 105:1 (back_orifice) BO traffic detected
+ * 105:2 (back_orifice) BO client traffic detected
+ * 105:3 (back_orifice) BO server traffic detected
+ * 105:4 (back_orifice) BO Snort buffer attack
-Rules:
+Peg counts:
- * 122:1 (port_scan) TCP portscan
- * 122:2 (port_scan) TCP decoy portscan
- * 122:3 (port_scan) TCP portsweep
- * 122:4 (port_scan) TCP distributed portscan
- * 122:5 (port_scan) TCP filtered portscan
- * 122:6 (port_scan) TCP filtered decoy portscan
- * 122:7 (port_scan) TCP filtered portsweep
- * 122:8 (port_scan) TCP filtered distributed portscan
- * 122:9 (port_scan) IP protocol scan
- * 122:10 (port_scan) IP decoy protocol scan
- * 122:11 (port_scan) IP protocol sweep
- * 122:12 (port_scan) IP distributed protocol scan
- * 122:13 (port_scan) IP filtered protocol scan
- * 122:14 (port_scan) IP filtered decoy protocol scan
- * 122:15 (port_scan) IP filtered protocol sweep
- * 122:16 (port_scan) IP filtered distributed protocol scan
- * 122:17 (port_scan) UDP portscan
- * 122:18 (port_scan) UDP decoy portscan
- * 122:19 (port_scan) UDP portsweep
- * 122:20 (port_scan) UDP distributed portscan
- * 122:21 (port_scan) UDP filtered portscan
- * 122:22 (port_scan) UDP filtered decoy portscan
- * 122:23 (port_scan) UDP filtered portsweep
- * 122:24 (port_scan) UDP filtered distributed portscan
- * 122:25 (port_scan) ICMP sweep
- * 122:26 (port_scan) ICMP filtered sweep
- * 122:27 (port_scan) open port
+ * back_orifice.packets: total packets
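Review bot: the message for `105:4 (back_orifice) BO Snort buffer attack` is opaque compared with 105:1 through 105:3, which name the traffic direction they detect. State what condition raises it (which field or length in the BO packet is out of range) so an analyst seeing the alert knows whether it indicates an attempt against the detector itself or simply malformed BO traffic.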
-6.23. port_scan_global
+8.4. binder
--------------
-What: shared settings for port_scan inspectors for use with port_scan
+What: configure processing based on CIDRs, ports, services, etc.
Type: inspector
Configuration:
- * int port_scan_global.memcap = 1048576: maximum tracker memory {
- 1: }
+ * int binder[].when.policy_id = 0: unique ID for selection of this
+ config by external logic { 0: }
+ * bit_list binder[].when.ifaces: list of interface indices { 255 }
+ * bit_list binder[].when.vlans: list of VLAN IDs { 4095 }
+ * addr_list binder[].when.nets: list of networks
+ * enum binder[].when.proto: protocol { any | ip | icmp | tcp | udp
+ | user | file }
+ * bit_list binder[].when.ports: list of ports { 65535 }
+ * enum binder[].when.role = any: use the given configuration on one
+ or any end of a session { client | server | any }
+ * string binder[].when.service: override default configuration
+ * enum binder[].use.action = inspect: what to do with matching
+ traffic { reset | block | allow | inspect }
+ * string binder[].use.file: use configuration in given file
+ * string binder[].use.service: override automatic service
+ identification
+ * string binder[].use.type: select module for binding
+ * string binder[].use.name: symbol name (defaults to type)
Peg counts:
- * port_scan_global.packets: total packets
+ * binder.packets: initial bindings
+ * binder.resets: reset bindings
+ * binder.blocks: block bindings
+ * binder.allows: allow bindings
+ * binder.inspects: inspect bindings
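Review bot: `string binder[].when.service: override default configuration` is the wrong description for a `when` field. Every other `when.*` entry is a match criterion (ifaces, vlans, nets, proto, ports, role), and the override wording belongs to `use.service` ("override automatic service identification") a few lines down; when.service should read something like "match flows identified as this service". The peg `binder.packets` is described as "initial bindings", which is neither what the name says nor consistent with resets/blocks/allows/inspects, which count by action; rename the peg or fix the text. Finally, nothing here states the evaluation order of multiple binder[] entries, which matters as soon as two `when` blocks overlap (a broad nets entry and a narrower ports entry, say); document whether first match wins.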
-6.24. reputation
+8.5. dce_smb
--------------
-What: reputation inspection
+What: dce over smb inspection
Type: inspector
Configuration:
- * string reputation.blacklist: blacklist file name with ip lists
- * int reputation.memcap = 500: maximum total memory allocated {
- 1:4095 }
- * enum reputation.nested_ip = inner: ip to use when there is IP
- encapsulation { inner|outer|all }
- * enum reputation.priority = whitelist: defines priority when there
- is a decision conflict during run-time { blacklist|whitelist }
- * bool reputation.scan_local = false: inspect local address defined
- in RFC 1918
- * enum reputation.white = unblack: specify the meaning of whitelist
- { unblack|trust }
- * string reputation.whitelist: whitelist file name with ip lists
+ * bool dce_smb.disable_defrag = false: Disable DCE/RPC
+ defragmentation
+ * int dce_smb.max_frag_len = 65535: Maximum fragment size for
+ defragmentation { 1514:65535 }
+ * int dce_smb.reassemble_threshold = 0: Minimum bytes received
+ before performing reassembly { 0:65535 }
+ * enum dce_smb.smb_fingerprint_policy = none: Target based SMB
+ policy to use { none | client | server | both }
+ * enum dce_smb.policy = WinXP: Target based policy to use { Win2000
+ | WinXP | WinVista | Win2003 | Win2008 | Win7 | Samba |
+ Samba-3.0.37 | Samba-3.0.22 | Samba-3.0.20 }
+ * int dce_smb.smb_max_chain = 3: SMB max chain size { 0:255 }
+ * int dce_smb.smb_max_compound = 3: SMB max compound size { 0:255 }
+ * multi dce_smb.valid_smb_versions = all: Valid SMB versions { v1 |
+ v2 | all }
+ * enum dce_smb.smb_file_inspection = off: SMB file inspection { off
+ | on | only }
+ * int dce_smb.smb_file_depth = 16384: SMB file depth for file data
+ { -1: }
+ * string dce_smb.smb_invalid_shares: SMB shares to alert on
+ * bool dce_smb.smb_legacy_mode = false: inspect only SMBv1
Rules:
- * 136:1 (reputation) packets blacklisted
- * 136:2 (reputation) Packets whitelisted
- * 136:3 (reputation) Packets monitored
+ * 133:2 (dce_smb) SMB - bad NetBIOS session service session type
+ * 133:3 (dce_smb) SMB - bad SMB message type
+ * 133:4 (dce_smb) SMB - bad SMB Id (not \xffSMB for SMB1 or not \
+ xfeSMB for SMB2)
+ * 133:5 (dce_smb) SMB - bad word count or structure size
+ * 133:6 (dce_smb) SMB - bad byte count
+ * 133:7 (dce_smb) SMB - bad format type
+ * 133:8 (dce_smb) SMB - bad offset
+ * 133:9 (dce_smb) SMB - zero total data count
+ * 133:10 (dce_smb) SMB - NetBIOS data length less than SMB header
+ length
+ * 133:12 (dce_smb) SMB - remaining NetBIOS data length less than
+ command byte count
+ * 133:13 (dce_smb) SMB - remaining NetBIOS data length less than
+ command data size
+ * 133:14 (dce_smb) SMB - remaining total data count less than this
+ command data size
+ * 133:15 (dce_smb) SMB - total data sent (STDu64) greater than
+ command total data expected
+ * 133:16 (dce_smb) SMB - byte count less than command data size
+ (STDu64)
+ * 133:17 (dce_smb) SMB - invalid command data size for byte count
+ * 133:18 (dce_smb) SMB - excessive tree connect requests with
+ pending tree connect responses
+ * 133:19 (dce_smb) SMB - excessive read requests with pending read
+ responses
+ * 133:20 (dce_smb) SMB - excessive command chaining
+ * 133:21 (dce_smb) SMB - multiple chained tree connect requests
+ * 133:22 (dce_smb) SMB - multiple chained tree connect requests
+ * 133:23 (dce_smb) SMB - chained/compounded login followed by
+ logoff
+ * 133:24 (dce_smb) SMB - chained/compounded tree connect followed
+ by tree disconnect
+ * 133:25 (dce_smb) SMB - chained/compounded open pipe followed by
+ close pipe
+ * 133:26 (dce_smb) SMB - invalid share access
+ * 133:27 (dce_smb) connection oriented DCE/RPC - invalid major
+ version
+ * 133:28 (dce_smb) connection oriented DCE/RPC - invalid minor
+ version
+ * 133:29 (dce_smb) connection-oriented DCE/RPC - invalid PDU type
+ * 133:30 (dce_smb) connection-oriented DCE/RPC - fragment length
+ less than header size
+ * 133:32 (dce_smb) connection-oriented DCE/RPC - no context items
+ specified
+ * 133:33 (dce_smb) connection-oriented DCE/RPC -no transfer
+ syntaxes specified
+ * 133:34 (dce_smb) connection-oriented DCE/RPC - fragment length on
+ non-last fragment less than maximum negotiated fragment transmit
+ size for client
+ * 133:35 (dce_smb) connection-oriented DCE/RPC - fragment length
+ greater than maximum negotiated fragment transmit size
+ * 133:36 (dce_smb) connection-oriented DCE/RPC - alter context byte
+ order different from bind
+ * 133:37 (dce_smb) connection-oriented DCE/RPC - call id of non
+ first/last fragment different from call id established for
+ fragmented request
+ * 133:38 (dce_smb) connection-oriented DCE/RPC - opnum of non first
+ /last fragment different from opnum established for fragmented
+ request
+ * 133:39 (dce_smb) connection-oriented DCE/RPC - context id of non
+ first/last fragment different from context id established for
+ fragmented request
+ * 133:44 (dce_smb) SMB - invalid SMB version 1 seen
+ * 133:45 (dce_smb) SMB - invalid SMB version 2 seen
+ * 133:46 (dce_smb) SMB - invalid user, tree connect, file binding
+ * 133:47 (dce_smb) SMB - excessive command compounding
+ * 133:48 (dce_smb) SMB - zero data count
+ * 133:50 (dce_smb) SMB - maximum number of outstanding requests
+ exceeded
+ * 133:51 (dce_smb) SMB - outstanding requests with same MID
+ * 133:52 (dce_smb) SMB - deprecated dialect negotiated
+ * 133:53 (dce_smb) SMB - deprecated command used
+ * 133:54 (dce_smb) SMB - unusual command used
+ * 133:55 (dce_smb) SMB - invalid setup count for command
+ * 133:56 (dce_smb) SMB - client attempted multiple dialect
+ negotiations on session
+ * 133:57 (dce_smb) SMB - client attempted to create or set a file’s
+ attributes to readonly/hidden/system
+ * 133:58 (dce_smb) SMB - file offset provided is greater than file
+ size specified
+ * 133:59 (dce_smb) SMB - next command specified in SMB2 header is
+ beyond payload boundary
Peg counts:
- * reputation.packets: total packets processed
- * reputation.blacklisted: number of packets blacklisted
- * reputation.whitelisted: number of packets whitelisted
- * reputation.monitored: number of packets monitored
- * reputation.memory_allocated: total memory allocated
+ * dce_smb.events: total events
+ * dce_smb.PDUs: total connection-oriented PDUs
+ * dce_smb.Binds: total connection-oriented binds
+ * dce_smb.Bind acks: total connection-oriented binds acks
+ * dce_smb.Alter contexts: total connection-oriented alter contexts
+ * dce_smb.Alter context responses: total connection-oriented alter
+ context responses
+ * dce_smb.Bind naks: total connection-oriented bind naks
+ * dce_smb.Requests: total connection-oriented requests
+ * dce_smb.Responses: total connection-oriented responses
+ * dce_smb.Cancels: total connection-oriented cancels
+ * dce_smb.Orphaned: total connection-oriented orphaned
+ * dce_smb.Faults: total connection-oriented faults
+ * dce_smb.Auth3s: total connection-oriented auth3s
+ * dce_smb.Shutdowns: total connection-oriented shutdowns
+ * dce_smb.Rejects: total connection-oriented rejects
+ * dce_smb.MS RPC/HTTP PDUs: total connection-oriented MS requests
+ to send RPC over HTTP
+ * dce_smb.Other requests: total connection-oriented other requests
+ * dce_smb.Other responses: total connection-oriented other
+ responses
+ * dce_smb.Request fragments: total connection-oriented request
+ fragments
+ * dce_smb.Response fragments: total connection-oriented response
+ fragments
+ * dce_smb.Client max fragment size: connection-oriented client
+ maximum fragment size
+ * dce_smb.Client min fragment size: connection-oriented client
+ minimum fragment size
+ * dce_smb.Client segs reassembled: total connection-oriented client
+ segments reassembled
+ * dce_smb.Client frags reassembled: total connection-oriented
+ client fragments reassembled
+ * dce_smb.Server max fragment size: connection-oriented server
+ maximum fragment size
+ * dce_smb.Server min fragment size: connection-oriented server
+ minimum fragment size
+ * dce_smb.Server segs reassembled: total connection-oriented server
+ segments reassembled
+ * dce_smb.Server frags reassembled: total connection-oriented
+ server fragments reassembled
+ * dce_smb.Sessions: total smb sessions
+ * dce_smb.Packets: total smb packets
+ * dce_smb.Ignored bytes: total ignored bytes
+ * dce_smb.Client segs reassembled: total smb client segments
+ reassembled
+ * dce_smb.Server segs reassembled: total smb server segments
+ reassembled
+ * dce_smb.Max outstanding requests: total smb maximum outstanding
+ requests
+ * dce_smb.Files processed: total smb files processed
+ * dce_smb.SMBv2 create: total number of SMBv2 create packets seen
+ * dce_smb.SMBv2 write: total number of SMBv2 write packets seen
+ * dce_smb.SMBv2 read: total number of SMBv2 read packets seen
+ * dce_smb.SMBv2 set info: total number of SMBv2 set info packets
+ seen
+ * dce_smb.SMBv2 tree connect: total number of SMBv2 tree connect
+ packets seen
+ * dce_smb.SMBv2 tree disconnect: total number of SMBv2 tree
+ disconnect packets seen
+ * dce_smb.SMBv2 close: total number of SMBv2 close packets seen
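Review bot: `133:21 (dce_smb) SMB - multiple chained tree connect requests` and `133:22 (dce_smb) SMB - multiple chained tree connect requests` carry the identical message for two different sids, so one of them is mislabeled and whatever condition it really covers is undocumented. The peg list also defines `dce_smb.Client segs reassembled` and `dce_smb.Server segs reassembled` twice each, first as connection-oriented counters and again as smb counters; with the same name the two cannot be told apart in stats output, so qualify one pair (for example "Client CO segs reassembled" versus "Client SMB segs reassembled"). Smaller points: 133:33 is missing a space ("DCE/RPC -no transfer syntaxes"), 133:27 and 133:28 say "connection oriented" while the rest say "connection-oriented", and `smb_file_depth = 16384 { -1: }` should say what -1 and 0 mean since the range admits both.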
-6.25. rpc_decode
+8.6. dce_tcp
--------------
-What: RPC inspector
+What: dce over tcp inspection
Type: inspector
+Configuration:
+
+ * bool dce_tcp.disable_defrag = false: Disable DCE/RPC
+ defragmentation
+ * int dce_tcp.max_frag_len = 65535: Maximum fragment size for
+ defragmentation { 1514:65535 }
+ * int dce_tcp.reassemble_threshold = 0: Minimum bytes received
+ before performing reassembly { 0:65535 }
+ * enum dce_tcp.policy = WinXP: Target based policy to use { Win2000
+ | WinXP | WinVista | Win2003 | Win2008 | Win7 | Samba |
+ Samba-3.0.37 | Samba-3.0.22 | Samba-3.0.20 }
+
Rules:
- * 106:1 (rpc_decode) fragmented RPC records
- * 106:2 (rpc_decode) multiple RPC records
- * 106:3 (rpc_decode) large RPC record fragment
- * 106:4 (rpc_decode) incomplete RPC segment
- * 106:5 (rpc_decode) zero-length RPC fragment
+ * 133:27 (dce_tcp) connection oriented DCE/RPC - invalid major
+ version
+ * 133:28 (dce_tcp) connection oriented DCE/RPC - invalid minor
+ version
+ * 133:29 (dce_tcp) connection-oriented DCE/RPC - invalid PDU type
+ * 133:30 (dce_tcp) connection-oriented DCE/RPC - fragment length
+ less than header size
+ * 133:32 (dce_tcp) connection-oriented DCE/RPC - no context items
+ specified
+ * 133:33 (dce_tcp) connection-oriented DCE/RPC -no transfer
+ syntaxes specified
+ * 133:34 (dce_tcp) connection-oriented DCE/RPC - fragment length on
+ non-last fragment less than maximum negotiated fragment transmit
+ size for client
+ * 133:35 (dce_tcp) connection-oriented DCE/RPC - fragment length
+ greater than maximum negotiated fragment transmit size
+ * 133:36 (dce_tcp) connection-oriented DCE/RPC - alter context byte
+ order different from bind
+ * 133:37 (dce_tcp) connection-oriented DCE/RPC - call id of non
+ first/last fragment different from call id established for
+ fragmented request
+ * 133:38 (dce_tcp) connection-oriented DCE/RPC - opnum of non first
+ /last fragment different from opnum established for fragmented
+ request
+ * 133:39 (dce_tcp) connection-oriented DCE/RPC - context id of non
+ first/last fragment different from context id established for
+ fragmented request
Peg counts:
- * rpc_decode.packets: total packets
+ * dce_tcp.events: total events
+ * dce_tcp.PDUs: total connection-oriented PDUs
+ * dce_tcp.Binds: total connection-oriented binds
+ * dce_tcp.Bind acks: total connection-oriented binds acks
+ * dce_tcp.Alter contexts: total connection-oriented alter contexts
+ * dce_tcp.Alter context responses: total connection-oriented alter
+ context responses
+ * dce_tcp.Bind naks: total connection-oriented bind naks
+ * dce_tcp.Requests: total connection-oriented requests
+ * dce_tcp.Responses: total connection-oriented responses
+ * dce_tcp.Cancels: total connection-oriented cancels
+ * dce_tcp.Orphaned: total connection-oriented orphaned
+ * dce_tcp.Faults: total connection-oriented faults
+ * dce_tcp.Auth3s: total connection-oriented auth3s
+ * dce_tcp.Shutdowns: total connection-oriented shutdowns
+ * dce_tcp.Rejects: total connection-oriented rejects
+ * dce_tcp.MS RPC/HTTP PDUs: total connection-oriented MS requests
+ to send RPC over HTTP
+ * dce_tcp.Other requests: total connection-oriented other requests
+ * dce_tcp.Other responses: total connection-oriented other
+ responses
+ * dce_tcp.Request fragments: total connection-oriented request
+ fragments
+ * dce_tcp.Response fragments: total connection-oriented response
+ fragments
+ * dce_tcp.Client max fragment size: connection-oriented client
+ maximum fragment size
+ * dce_tcp.Client min fragment size: connection-oriented client
+ minimum fragment size
+ * dce_tcp.Client segs reassembled: total connection-oriented client
+ segments reassembled
+ * dce_tcp.Client frags reassembled: total connection-oriented
+ client fragments reassembled
+ * dce_tcp.Server max fragment size: connection-oriented server
+ maximum fragment size
+ * dce_tcp.Server min fragment size: connection-oriented server
+ minimum fragment size
+ * dce_tcp.Server segs reassembled: total connection-oriented server
+ segments reassembled
+ * dce_tcp.Server frags reassembled: total connection-oriented
+ server fragments reassembled
+ * dce_tcp.tcp sessions: total tcp sessions
+ * dce_tcp.tcp packets: total tcp packets
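Review bot: sids 133:27 through 133:39 are listed verbatim under both dce_smb and dce_tcp. That is fine if GID 133 is shared by the dce_* inspectors, but the reference should say so once; otherwise a reader looking up 133:29 cannot tell which module raised it and may take the repetition for a copy-paste error. The `Configuration:` block in this section is also padded with a blank line before the first option and after the last, unlike every other module's block; drop them so the generated text stays uniform.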
-6.26. sip
+8.7. dce_udp
--------------
-What: sip inspection
+What: dce over udp inspection
Type: inspector
Configuration:
- * bool sip.ignore_call_channel = false: enables the support for
- ignoring audio/video data channel
- * int sip.max_call_id_len = 256: maximum call id field size {
- 0:65535 }
- * int sip.max_contact_len = 256: maximum contact field size {
- 0:65535 }
- * int sip.max_content_len = 1024: maximum content length of the
- message body { 0:65535 }
- * int sip.max_dialogs = 4: maximum number of dialogs within one
- stream session { 1:4194303 }
- * int sip.max_from_len = 256: maximum from field size { 0:65535 }
- * int sip.max_requestName_len = 20: maximum request name field size
- { 0:65535 }
- * int sip.max_sessions = 10000: maximum number of sessions that can
- be allocated { 1024:4194303 }
- * int sip.max_to_len = 256: maximum to field size { 0:65535 }
- * int sip.max_uri_len = 256: maximum request uri field size {
- 0:65535 }
- * int sip.max_via_len = 1024: maximum via field size { 0:65535 }
- * string sip.methods = invite cancel ack bye register options: list
- of methods to check in sip messages
+ * bool dce_udp.disable_defrag = false: Disable DCE/RPC
+ defragmentation
+ * int dce_udp.max_frag_len = 65535: Maximum fragment size for
+ defragmentation { 1514:65535 }
Rules:
- * 140:1 (sip) Maximum sessions reached
- * 140:2 (sip) Empty request URI
- * 140:3 (sip) URI is too long
- * 140:4 (sip) Empty call-Id
- * 140:5 (sip) Call-Id is too long
- * 140:6 (sip) CSeq number is too large or negative
- * 140:7 (sip) Request name in CSeq is too long
- * 140:8 (sip) Empty From header
- * 140:9 (sip) From header is too long
- * 140:10 (sip) Empty To header
- * 140:11 (sip) To header is too long
- * 140:12 (sip) Empty Via header
- * 140:13 (sip) Via header is too long
- * 140:14 (sip) Empty Contact
- * 140:15 (sip) Contact is too long
- * 140:16 (sip) Content length is too large or negative
- * 140:17 (sip) Multiple SIP messages in a packet
- * 140:18 (sip) Content length mismatch
- * 140:19 (sip) Request name is invalid
- * 140:20 (sip) Invite replay attack
- * 140:21 (sip) Illegal session information modification
- * 140:22 (sip) Response status code is not a 3 digit number
- * 140:23 (sip) Empty Content-type header
- * 140:24 (sip) SIP version is invalid
- * 140:25 (sip) Mismatch in METHOD of request and the CSEQ header
- * 140:26 (sip) Method is unknown
- * 140:27 (sip) Maximum dialogs within a session reached
+ * 133:40 (dce_udp) connection-less DCE/RPC - invalid major version
+ * 133:41 (dce_udp) connection-less DCE/RPC - invalid PDU type
+ * 133:42 (dce_udp) connection-less DCE/RPC - data length less than
+ header size
+ * 133:43 (dce_udp) connection-less DCE/RPC - bad sequence number
Peg counts:
- * sip.packets: total packets
- * sip.sessions: total sessions
- * sip.events: events generated
- * sip.dialogs: total dialogs
- * sip.ignored channels: total channels ignored
- * sip.ignored sessions: total sessions ignored
- * sip.total requests: total requests
- * sip.invite: invite
- * sip.cancel: cancel
- * sip.ack: ack
- * sip.bye: bye
- * sip.register: register
- * sip.options: options
- * sip.refer: refer
- * sip.subscribe: subscribe
- * sip.update: update
- * sip.join: join
- * sip.info: info
- * sip.message: message
- * sip.notify: notify
- * sip.prack: prack
- * sip.total responses: total responses
- * sip.1xx: 1xx
- * sip.2xx: 2xx
- * sip.3xx: 3xx
- * sip.4xx: 4xx
- * sip.5xx: 5xx
- * sip.6xx: 6xx
- * sip.7xx: 7xx
- * sip.8xx: 8xx
- * sip.9xx: 9xx
+ * dce_udp.events: total events
+ * dce_udp.udp sessions: total udp sessions
+ * dce_udp.udp packets: total udp packets
+ * dce_udp.Requests: total connection-less requests
+ * dce_udp.Acks: total connection-less acks
+ * dce_udp.Cancels: total connection-less cancels
+ * dce_udp.Client facks: total connection-less client facks
+ * dce_udp.Ping: total connection-less ping
+ * dce_udp.Responses: total connection-less responses
+ * dce_udp.Rejects: total connection-less rejects
+ * dce_udp.Cancel acks: total connection-less cancel acks
+ * dce_udp.Server facks: total connection-less server facks
+ * dce_udp.Faults: total connection-less faults
+ * dce_udp.No calls: total connection-less no calls
+ * dce_udp.Working: total connection-less working
+ * dce_udp.Other requests: total connection-less other requests
+ * dce_udp.Other responses: total connection-less other responses
+ * dce_udp.Fragments: total connection-less fragments
+ * dce_udp.Max fragment size: connection-less maximum fragment size
+ * dce_udp.Frags reassembled: total connection-less fragments
+ reassembled
+ * dce_udp.Max seqnum: max connection-less seqnum
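Review bot: the dce_udp peg names added at the end of this section mix capitalisation: `dce_udp.Requests`, `dce_udp.Acks`, `dce_udp.Cancels`, `dce_udp.Max seqnum` and the rest of the per-PDU counters are capitalised, while `dce_udp.events`, `dce_udp.udp sessions` and `dce_udp.udp packets` (and every other module's pegs on this page) are lowercase. Operators grep peg output by these names, so lowercase them for consistency, e.g. `dce_udp.requests: total connection-less requests`.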
-6.27. smtp
+8.8. dnp3
--------------
-What: smtp inspection
+What: dnp3 inspection
Type: inspector
Configuration:
- * string smtp.alt_max_command_line_len[].command: command string
- * int smtp.alt_max_command_line_len[].length = 0: specify
- non-default maximum for command { 0: }
- * string smtp.auth_cmds: commands that initiate an authentication
- exchange
- * string smtp.binary_data_cmds: commands that initiate sending of
- data and use a length value after the command
- * int smtp.bitenc_decode_depth = 25: depth used to extract the
- non-encoded MIME attachments { -1:65535 }
- * int smtp.b64_decode_depth = 25: depth used to decode the base64
- encoded MIME attachments { -1:65535 }
- * string smtp.data_cmds: commands that initiate sending of data
- with an end of data delimiter
- * int smtp.email_hdrs_log_depth = 1464: depth for logging email
- headers { 0:20480 }
- * bool smtp.ignore_data = false: ignore data section of mail
- * bool smtp.ignore_tls_data = false: ignore TLS-encrypted data when
- processing rules
- * string smtp.invalid_cmds: alert if this command is sent from
- client side
- * bool smtp.log_email_hdrs = false: log the SMTP email headers
- extracted from SMTP data
- * bool smtp.log_filename = false: log the MIME attachment filenames
- extracted from the Content-Disposition header within the MIME
- body
- * bool smtp.log_mailfrom = false: log the sender’s email address
- extracted from the MAIL FROM command
- * bool smtp.log_rcptto = false: log the recipient’s email address
- extracted from the RCPT TO command
- * int smtp.max_auth_command_line_len = 1000: max auth command Line
- Length { 0:65535 }
- * int smtp.max_command_line_len = 0: max Command Line Length {
- 0:65535 }
- * int smtp.max_header_line_len = 0: max SMTP DATA header line {
- 0:65535 }
- * int smtp.max_response_line_len = 0: max SMTP response line {
- 0:65535 }
- * enum smtp.normalize = none: turns on/off normalization { none |
- cmds | all }
- * string smtp.normalize_cmds: list of commands to normalize
- * int smtp.qp_decode_depth = 25: quoted-Printable decoding depth {
- -1:65535 }
- * int smtp.uu_decode_depth = 25: unix-to-Unix decoding depth {
- -1:65535 }
- * string smtp.valid_cmds: list of valid commands
- * enum smtp.xlink2state = alert: enable/disable xlink2state alert {
- disable | alert | drop }
+ * bool dnp3.check_crc = false: validate checksums in DNP3 link
+ layer frames
Rules:
- * 124:1 (smtp) Attempted command buffer overflow
- * 124:2 (smtp) Attempted data header buffer overflow
- * 124:3 (smtp) Attempted response buffer overflow
- * 124:4 (smtp) Attempted specific command buffer overflow
- * 124:5 (smtp) Unknown command
- * 124:6 (smtp) Illegal command
- * 124:7 (smtp) Attempted header name buffer overflow
- * 124:8 (smtp) Attempted X-Link2State command buffer overflow
- * 124:10 (smtp) Base64 Decoding failed
- * 124:11 (smtp) Quoted-Printable Decoding failed
- * 124:13 (smtp) Unix-to-Unix Decoding failed
- * 124:14 (smtp) Cyrus SASL authentication attack
- * 124:15 (smtp) Attempted authentication command buffer overflow
+ * 145:1 (dnp3) DNP3 link-layer frame contains bad CRC
+ * 145:2 (dnp3) DNP3 link-layer frame was dropped
+ * 145:3 (dnp3) DNP3 transport-layer segment was dropped during
+ reassembly
+ * 145:4 (dnp3) DNP3 reassembly buffer was cleared without
+ reassembling a complete message
+ * 145:5 (dnp3) DNP3 link-layer frame uses a reserved address
+ * 145:6 (dnp3) DNP3 application-layer fragment uses a reserved
+ function code
Peg counts:
- * smtp.packets: total packets processed
- * smtp.sessions: total smtp sessions
- * smtp.concurrent sessions: total concurrent smtp sessions
- * smtp.max concurrent sessions: maximum concurrent smtp sessions
- * smtp.b64 attachments: total base64 attachments decoded
- * smtp.b64 decoded bytes: total base64 decoded bytes
- * smtp.qp attachments: total quoted-printable attachments decoded
- * smtp.qp decoded bytes: total quoted-printable decoded bytes
- * smtp.uu attachments: total uu attachments decoded
- * smtp.uu decoded bytes: total uu decoded bytes
- * smtp.non-encoded attachments: total non-encoded attachments
- extracted
- * smtp.non-encoded bytes: total non-encoded extracted bytes
+ * dnp3.total packets: total packets
+ * dnp3.udp packets: total udp packets
+ * dnp3.tcp pdus: total tcp pdus
+ * dnp3.dnp3 link layer frames: total dnp3 link layer frames
+ * dnp3.dnp3 application pdus: total dnp3 application pdus
-6.28. ssh
+8.9. dns
--------------
-What: ssh inspection
+What: dns inspection
Type: inspector
-Configuration:
+Rules:
- * int ssh.max_encrypted_packets = 25: ignore session after this
- many encrypted packets { 0:65535 }
- * int ssh.max_client_bytes = 19600: number of unanswered bytes
- before alerting on challenge-response overflow or CRC32 { 0:65535
- }
- * int ssh.max_server_version_len = 80: limit before alerting on
- secure CRT server version string overflow { 0:255 }
+ * 131:1 (dns) obsolete DNS RR types
+ * 131:2 (dns) experimental DNS RR types
+ * 131:3 (dns) DNS client rdata txt overflow
-Rules:
+Peg counts:
- * 128:1 (ssh) Challenge-Response Overflow exploit
- * 128:2 (ssh) SSH1 CRC32 exploit
- * 128:3 (ssh) Server version string overflow
- * 128:5 (ssh) Bad message direction
- * 128:6 (ssh) Payload size incorrect for the given payload
- * 128:7 (ssh) Failed to detect SSH version string
+ * dns.packets: total packets processed
+ * dns.requests: total dns requests
+ * dns.responses: total dns responses
+
+
+8.10. file_log
+
+--------------
+
+What: log file event to file.log
+
+Type: inspector
+
+Configuration:
+
+ * bool file_log.log_pkt_time = true: log the packet time when event
+ generated
+ * bool file_log.log_sys_time = false: log the system time when
+ event generated
Peg counts:
- * ssh.packets: total packets
+ * file_log.total events: total file events
-6.29. ssl
+8.11. ftp_client
--------------
-What: ssl inspection
+What: FTP client configuration module for use with ftp_server
Type: inspector
Configuration:
- * bool ssl.trust_servers = false: disables requirement that
- application (encrypted) data must be observed on both sides
- * int ssl.max_heartbeat_length = 0: maximum length of heartbeat
- record allowed { 0:65535 }
+ * bool ftp_client.bounce = false: check for bounces
+ * addr ftp_client.bounce_to[].address = 1.0.0.0/32: allowed ip
+ address in CIDR format
+ * port ftp_client.bounce_to[].port = 20: allowed port { 1: }
+ * port ftp_client.bounce_to[].last_port: optional allowed range
+ from port to last_port inclusive { 0: }
+ * bool ftp_client.ignore_telnet_erase_cmds = false: ignore erase
+ character and erase line commands when normalizing
+ * int ftp_client.max_resp_len = -1: maximum ftp response accepted
+ by client { -1: }
+ * bool ftp_client.telnet_cmds = false: detect telnet escape
+ sequences on ftp control channel
-Rules:
- * 137:1 (ssl) Invalid Client HELLO after Server HELLO Detected
- * 137:2 (ssl) Invalid Server HELLO without Client HELLO Detected
- * 137:3 (ssl) Heartbeat Read Overrun Attempt Detected
- * 137:4 (ssl) Large Heartbeat Response Detected
+8.12. ftp_data
+
+--------------
+
+What: FTP data channel handler
+
+Type: inspector
Peg counts:
- * ssl.packets: total packets processed
- * ssl.decoded: ssl packets decoded
- * ssl.client hello: total client hellos
- * ssl.server hello: total server hellos
- * ssl.certificate: total ssl certificates
- * ssl.server done: total server done
- * ssl.client key exchange: total client key exchanges
- * ssl.server key exchange: total server key exchanges
- * ssl.change cipher: total change cipher records
- * ssl.finished: total handshakes finished
- * ssl.client application: total client application records
- * ssl.server application: total server application records
- * ssl.alert: total ssl alert records
- * ssl.unrecognized records: total unrecognized records
- * ssl.handshakes completed: total completed ssl handshakes
- * ssl.bad handshakes: total bad handshakes
- * ssl.sessions ignored: total sessions ignore
- * ssl.detection disabled: total detection disabled
+ * ftp_data.packets: total packets
-6.30. stream
+8.13. ftp_server
--------------
-What: common flow tracking
+What: main FTP module; ftp_client should also be configured
Type: inspector
Configuration:
- * bool stream.ip_frags_only = false: don’t process non-frag flows
- * int stream.ip_cache.max_sessions = 16384: maximum simultaneous
- sessions tracked before pruning { 2: }
- * int stream.ip_cache.pruning_timeout = 30: minimum inactive time
- before being eligible for pruning { 1: }
- * int stream.ip_cache.idle_timeout = 180: maximum inactive time
- before retiring session tracker { 1: }
- * int stream.icmp_cache.max_sessions = 65536: maximum simultaneous
- sessions tracked before pruning { 2: }
- * int stream.icmp_cache.pruning_timeout = 30: minimum inactive time
- before being eligible for pruning { 1: }
- * int stream.icmp_cache.idle_timeout = 180: maximum inactive time
- before retiring session tracker { 1: }
- * int stream.tcp_cache.max_sessions = 262144: maximum simultaneous
- sessions tracked before pruning { 2: }
- * int stream.tcp_cache.pruning_timeout = 30: minimum inactive time
- before being eligible for pruning { 1: }
- * int stream.tcp_cache.idle_timeout = 180: maximum inactive time
- before retiring session tracker { 1: }
- * int stream.udp_cache.max_sessions = 131072: maximum simultaneous
- sessions tracked before pruning { 2: }
- * int stream.udp_cache.pruning_timeout = 30: minimum inactive time
- before being eligible for pruning { 1: }
- * int stream.udp_cache.idle_timeout = 180: maximum inactive time
- before retiring session tracker { 1: }
- * int stream.user_cache.max_sessions = 1024: maximum simultaneous
- sessions tracked before pruning { 2: }
- * int stream.user_cache.pruning_timeout = 30: minimum inactive time
- before being eligible for pruning { 1: }
- * int stream.user_cache.idle_timeout = 180: maximum inactive time
- before retiring session tracker { 1: }
- * int stream.file_cache.max_sessions = 128: maximum simultaneous
- sessions tracked before pruning { 2: }
- * int stream.file_cache.pruning_timeout = 30: minimum inactive time
- before being eligible for pruning { 1: }
- * int stream.file_cache.idle_timeout = 180: maximum inactive time
- before retiring session tracker { 1: }
+ * string ftp_server.chk_str_fmt: check the formatting of the given
+ commands
+ * string ftp_server.data_chan_cmds: check the formatting of the
+ given commands
+ * string ftp_server.data_rest_cmds: check the formatting of the
+ given commands
+ * string ftp_server.data_xfer_cmds: check the formatting of the
+ given commands
+ * string ftp_server.directory_cmds[].dir_cmd: directory command
+ * int ftp_server.directory_cmds[].rsp_code = 200: expected
+ successful response code for command { 200: }
+ * string ftp_server.file_put_cmds: check the formatting of the
+ given commands
+ * string ftp_server.file_get_cmds: check the formatting of the
+ given commands
+ * string ftp_server.encr_cmds: check the formatting of the given
+ commands
+ * string ftp_server.login_cmds: check the formatting of the given
+ commands
+ * bool ftp_server.check_encrypted = false: check for end of
+ encryption
+ * string ftp_server.cmd_validity[].command: command string
+ * string ftp_server.cmd_validity[].format: format specification
+ * int ftp_server.cmd_validity[].length = 0: specify non-default
+ maximum for command { 0: }
+ * int ftp_server.def_max_param_len = 100: default maximum length of
+ commands handled by server; 0 is unlimited { 1: }
+ * bool ftp_server.encrypted_traffic = false: check for encrypted
+ telnet and ftp
+ * string ftp_server.ftp_cmds: specify additional commands supported
+ by server beyond RFC 959
+ * bool ftp_server.ignore_data_chan = false: do not inspect ftp data
+ channels
+ * bool ftp_server.ignore_telnet_erase_cmds = false: ignore erase
+ character and erase line commands when normalizing
+ * bool ftp_server.print_cmds = false: print command configurations
+ on start up
+ * bool ftp_server.telnet_cmds = false: detect telnet escape
+ sequences of ftp control channel
+
+Rules:
+
+ * 125:1 (ftp_server) TELNET cmd on FTP command channel
+ * 125:2 (ftp_server) invalid FTP command
+ * 125:3 (ftp_server) FTP command parameters were too long
+ * 125:4 (ftp_server) FTP command parameters were malformed
+ * 125:5 (ftp_server) FTP command parameters contained potential
+ string format
+ * 125:6 (ftp_server) FTP response message was too long
+ * 125:7 (ftp_server) FTP traffic encrypted
+ * 125:8 (ftp_server) FTP bounce attempt
+ * 125:9 (ftp_server) evasive (incomplete) TELNET cmd on FTP command
+ channel
+
+Peg counts:
+
+ * ftp_server.packets: total packets
+
+
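Review bot: the help strings for the ftp_server command lists are copy-pasted and no longer describe the option: `ftp_server.data_chan_cmds`, `data_rest_cmds`, `data_xfer_cmds`, `file_put_cmds`, `file_get_cmds`, `encr_cmds` and `login_cmds` all read "check the formatting of the given commands", which is the text for `chk_str_fmt`. Each should state what the list is for (which commands open a data channel, transfer files, start encryption, log in, and so on), because an operator tuning the module cannot tell them apart from this page. Also, `ftp_server.telnet_cmds` says "sequences of ftp control channel" where the matching `ftp_client.telnet_cmds` says "on ftp control channel"; align the wording.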
+8.14. gtp_inspect
+
+--------------
+
+What: gtp control channel inspection
+
+Type: inspector
+
+Configuration:
+
+ * int gtp_inspect[].version = 2: gtp version { 0:2 }
+ * int gtp_inspect[].messages[].type = 0: message type code { 0:255
+ }
+ * string gtp_inspect[].messages[].name: message name
+ * int gtp_inspect[].infos[].type = 0: information element type code
+ { 0:255 }
+ * string gtp_inspect[].infos[].name: information element name
+ * int gtp_inspect[].infos[].length = 0: information element type
+ code { 0:255 }
+
+Rules:
+
+ * 143:1 (gtp_inspect) message length is invalid
+ * 143:2 (gtp_inspect) information element length is invalid
+ * 143:3 (gtp_inspect) information elements are out of order
Peg counts:
- * stream.ip flows: total ip sessions
- * stream.ip total prunes: total ip sessions pruned
- * stream.ip idle prunes: ip sessions pruned due to timeout
- * stream.ip excess prunes: ip sessions pruned due to excess
- * stream.ip uni prunes: ip uni sessions pruned
- * stream.ip preemptive prunes: ip sessions pruned during preemptive
- pruning
- * stream.ip memcap prunes: ip sessions pruned due to memcap
- * stream.ip ha prunes: ip sessions pruned by high availability sync
- * stream.icmp flows: total icmp sessions
- * stream.icmp total prunes: total icmp sessions pruned
- * stream.icmp idle prunes: icmp sessions pruned due to timeout
- * stream.icmp excess prunes: icmp sessions pruned due to excess
- * stream.icmp uni prunes: icmp uni sessions pruned
- * stream.icmp preemptive prunes: icmp sessions pruned during
- preemptive pruning
- * stream.icmp memcap prunes: icmp sessions pruned due to memcap
- * stream.icmp ha prunes: icmp sessions pruned by high availability
- sync
- * stream.tcp flows: total tcp sessions
- * stream.tcp total prunes: total tcp sessions pruned
- * stream.tcp idle prunes: tcp sessions pruned due to timeout
- * stream.tcp excess prunes: tcp sessions pruned due to excess
- * stream.tcp uni prunes: tcp uni sessions pruned
- * stream.tcp preemptive prunes: tcp sessions pruned during
- preemptive pruning
- * stream.tcp memcap prunes: tcp sessions pruned due to memcap
- * stream.tcp ha prunes: tcp sessions pruned by high availability
- sync
- * stream.udp flows: total udp sessions
- * stream.udp total prunes: total udp sessions pruned
- * stream.udp idle prunes: udp sessions pruned due to timeout
- * stream.udp excess prunes: udp sessions pruned due to excess
- * stream.udp uni prunes: udp uni sessions pruned
- * stream.udp preemptive prunes: udp sessions pruned during
- preemptive pruning
- * stream.udp memcap prunes: udp sessions pruned due to memcap
- * stream.udp ha prunes: udp sessions pruned by high availability
- sync
- * stream.user flows: total user sessions
- * stream.user total prunes: total user sessions pruned
- * stream.user idle prunes: user sessions pruned due to timeout
- * stream.user excess prunes: user sessions pruned due to excess
- * stream.user uni prunes: user uni sessions pruned
- * stream.user preemptive prunes: user sessions pruned during
- preemptive pruning
- * stream.user memcap prunes: user sessions pruned due to memcap
- * stream.user ha prunes: user sessions pruned by high availability
- sync
- * stream.file flows: total file sessions
- * stream.file total prunes: total file sessions pruned
- * stream.file idle prunes: file sessions pruned due to timeout
- * stream.file excess prunes: file sessions pruned due to excess
- * stream.file uni prunes: file uni sessions pruned
- * stream.file preemptive prunes: file sessions pruned during
- preemptive pruning
- * stream.file memcap prunes: file sessions pruned due to memcap
- * stream.file ha prunes: file sessions pruned by high availability
- sync
+ * gtp_inspect.sessions: total sessions processed
+ * gtp_inspect.events: requests
+ * gtp_inspect.unknown types: unknown message types
+ * gtp_inspect.unknown infos: unknown information elements
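Review bot: `gtp_inspect[].infos[].length = 0: information element type code { 0:255 }` repeats the help text of `infos[].type`; the option is a length, so the help should say so (e.g. "information element length"). In the peg counts, `gtp_inspect.events: requests` does not describe the counter; it should read along the lines of "total events", as the other modules do (`dce_udp.events: total events`).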
-6.31. stream_file
+8.15. http_inspect
--------------
-What: stream inspector for file flow tracking and processing
+What: HTTP inspector
Type: inspector
Configuration:
- * bool stream_file.upload = false: indicate file transfer direction
+ * int http_inspect.request_depth = -1: maximum request message body
+ bytes to examine (-1 no limit) { -1: }
+ * int http_inspect.response_depth = -1: maximum response message
+ body bytes to examine (-1 no limit) { -1: }
+ * bool http_inspect.unzip = true: decompress gzip and deflate
+ message bodies
+ * bool http_inspect.normalize_utf = true: normalize charset utf
+ encodings in response bodies
+ * bool http_inspect.normalize_javascript = false: normalize
+ javascript in response bodies
+ * int http_inspect.max_javascript_whitespaces = 200: maximum
+ consecutive whitespaces allowed within the Javascript obfuscated
+ data { 1:65535 }
+ * bit_list http_inspect.bad_characters: alert when any of specified
+ bytes are present in URI after percent decoding { 255 }
+ * string http_inspect.ignore_unreserved: do not alert when the
+ specified unreserved characters are percent-encoded in a
+ URI.Unreserved characters are 0-9, a-z, A-Z, period, underscore,
+ tilde, and minus. { (optional) }
+ * bool http_inspect.percent_u = false: normalize %uNNNN and %UNNNN
+ encodings
+ * bool http_inspect.utf8 = true: normalize 2-byte and 3-byte UTF-8
+ characters to a single byte
+ * bool http_inspect.utf8_bare_byte = false: when doing UTF-8
+ character normalization include bytes that were not percent
+ encoded
+ * bool http_inspect.iis_unicode = false: use IIS unicode code point
+ mapping to normalize characters
+ * string http_inspect.iis_unicode_map_file: file containing code
+ points for IIS unicode. { (optional) }
+ * int http_inspect.iis_unicode_code_page = 1252: code page to use
+ from the IIS unicode map file { 0:65535 }
+ * bool http_inspect.iis_double_decode = false: perform double
+ decoding of percent encodings to normalize characters
+ * int http_inspect.oversize_dir_length = 300: maximum length for
+ URL directory { 1:65535 }
+ * bool http_inspect.backslash_to_slash = false: replace \ with /
+ when normalizing URIs
+ * bool http_inspect.plus_to_space = true: replace + with <sp> when
+ normalizing URIs
+ * bool http_inspect.simplify_path = true: reduce URI directory path
+ to simplest form
+ * bool http_inspect.test_input = false: read HTTP messages from
+ text file
+ * bool http_inspect.test_output = false: print out HTTP section
+ data
+ * int http_inspect.print_amount = 1200: number of characters to
+ print from a Field { 1:1000000 }
+ * bool http_inspect.print_hex = false: nonprinting characters
+ printed in [HH] format instead of using an asterisk
+ * bool http_inspect.show_pegs = true: display peg counts with test
+ output
+
+Rules:
+
+ * 119:1 (http_inspect) ascii encoding
+ * 119:2 (http_inspect) double decoding attack
+ * 119:3 (http_inspect) u encoding
+ * 119:4 (http_inspect) bare byte unicode encoding
+ * 119:5 (http_inspect) obsolete event—should not appear
+ * 119:6 (http_inspect) UTF-8 encoding
+ * 119:7 (http_inspect) IIS unicode codepoint encoding
+ * 119:8 (http_inspect) multi_slash encoding
+ * 119:9 (http_inspect) IIS backslash evasion
+ * 119:10 (http_inspect) self directory traversal
+ * 119:11 (http_inspect) directory traversal
+ * 119:12 (http_inspect) apache whitespace (tab)
+ * 119:13 (http_inspect) non-RFC http delimiter
+ * 119:14 (http_inspect) non-RFC defined char
+ * 119:15 (http_inspect) oversize request-uri directory
+ * 119:16 (http_inspect) oversize chunk encoding
+ * 119:17 (http_inspect) unauthorized proxy use detected
+ * 119:18 (http_inspect) webroot directory traversal
+ * 119:19 (http_inspect) long header
+ * 119:20 (http_inspect) max header fields
+ * 119:21 (http_inspect) multiple content length
+ * 119:22 (http_inspect) chunk size mismatch detected
+ * 119:23 (http_inspect) invalid IP in true-client-IP/XFF header
+ * 119:24 (http_inspect) multiple host hdrs detected
+ * 119:25 (http_inspect) hostname exceeds 255 characters
+ * 119:26 (http_inspect) header parsing space saturation
+ * 119:27 (http_inspect) client consecutive small chunk sizes
+ * 119:28 (http_inspect) post w/o content-length or chunks
+ * 119:29 (http_inspect) multiple true ips in a session
+ * 119:30 (http_inspect) both true-client-IP and XFF hdrs present
+ * 119:31 (http_inspect) unknown method
+ * 119:32 (http_inspect) simple request
+ * 119:33 (http_inspect) unescaped space in HTTP URI
+ * 119:34 (http_inspect) too many pipelined requests
+ * 119:35 (http_inspect) anomalous http server on undefined HTTP
+ port
+ * 119:36 (http_inspect) invalid status code in HTTP response
+ * 119:37 (http_inspect) no content-length or transfer-encoding in
+ HTTP response
+ * 119:38 (http_inspect) HTTP response has UTF charset which failed
+ to normalize
+ * 119:39 (http_inspect) HTTP response has UTF-7 charset
+ * 119:40 (http_inspect) HTTP response gzip decompression failed
+ * 119:41 (http_inspect) server consecutive small chunk sizes
+ * 119:42 (http_inspect) invalid content-length or chunk size
+ * 119:43 (http_inspect) javascript obfuscation levels exceeds 1
+ * 119:44 (http_inspect) javascript whitespaces exceeds max allowed
+ * 119:45 (http_inspect) multiple encodings within javascript
+ obfuscated data
+ * 119:46 (http_inspect) SWF file zlib decompression failure
+ * 119:47 (http_inspect) SWF file LZMA decompression failure
+ * 119:48 (http_inspect) PDF file deflate decompression failure
+ * 119:49 (http_inspect) PDF file unsupported compression type
+ * 119:50 (http_inspect) PDF file cascaded compression
+ * 119:51 (http_inspect) PDF file parse failure
+ * 119:52 (http_inspect) not HTTP traffic
+ * 119:53 (http_inspect) chunk length has excessive leading zeros
+ * 119:54 (http_inspect) white space before or between messages
+ * 119:55 (http_inspect) request message without URI
+ * 119:56 (http_inspect) control character in reason phrase
+ * 119:57 (http_inspect) illegal extra whitespace in start line
+ * 119:58 (http_inspect) corrupted HTTP version
+ * 119:59 (http_inspect) unknown HTTP version
+ * 119:60 (http_inspect) format error in HTTP header
+ * 119:61 (http_inspect) chunk header options present
+ * 119:62 (http_inspect) URI badly formatted
+ * 119:63 (http_inspect) unrecognized type of percent encoding in
+ URI
+ * 119:64 (http_inspect) HTTP chunk misformatted
+ * 119:65 (http_inspect) white space following chunk length
+ * 119:66 (http_inspect) white space within header name
+ * 119:67 (http_inspect) excessive gzip compression
+ * 119:68 (http_inspect) gzip decompression failed
+ * 119:69 (http_inspect) HTTP 0.9 requested followed by another
+ request
+ * 119:70 (http_inspect) HTTP 0.9 request following a normal request
+ * 119:71 (http_inspect) message has both Content-Length and
+ Transfer-Encoding
+ * 119:72 (http_inspect) status code implying no body combined with
+ Transfer-Encoding or nonzero Content-Length
+ * 119:73 (http_inspect) Transfer-Encoding did not end with chunked
+ * 119:74 (http_inspect) Transfer-Encoding with chunked not at end
+ * 119:75 (http_inspect) misformatted HTTP traffic
+ * 119:76 (http_inspect) unsupported Transfer-Encoding or
+ Content-Encoding used
+ * 119:77 (http_inspect) unknown Transfer-Encoding or
+ Content-Encoding used
+ * 119:78 (http_inspect) multiple layers of compression encodings
+ applied
+
+Peg counts:
+
+ * http_inspect.flows: HTTP connections inspected
+ * http_inspect.scans: TCP segments scanned looking for HTTP
+ messages
+ * http_inspect.reassembles: TCP segments combined into HTTP
+ messages
+ * http_inspect.inspections: total message sections inspected
+ * http_inspect.requests: HTTP request messages inspected
+ * http_inspect.responses: HTTP response messages inspected
+ * http_inspect.GET requests: GET requests inspected
+ * http_inspect.HEAD requests: HEAD requests inspected
+ * http_inspect.POST requests: POST requests inspected
+ * http_inspect.PUT requests: PUT requests inspected
+ * http_inspect.DELETE requests: DELETE requests inspected
+ * http_inspect.CONNECT requests: CONNECT requests inspected
+ * http_inspect.OPTIONS requests: OPTIONS requests inspected
+ * http_inspect.TRACE requests: TRACE requests inspected
+ * http_inspect.other requests: other request methods inspected
+ * http_inspect.request bodies: POST, PUT, and other requests with
+ message bodies
+ * http_inspect.chunked: chunked message bodies
+ * http_inspect.URI normalizations: URIs needing to be normalization
+ * http_inspect.URI path: URIs with path problems
+ * http_inspect.URI coding: URIs with character coding problems
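Review bot: two wording defects in the added http_inspect text. In `http_inspect.ignore_unreserved` the help is run together ("in a URI.Unreserved characters are ..."), missing a space after the period. The peg `http_inspect.URI normalizations: URIs needing to be normalization` is ungrammatical; suggest "URIs needing normalization".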
-6.32. stream_icmp
+8.16. imap
--------------
-What: stream inspector for ICMP flow tracking
+What: imap inspection
Type: inspector
Configuration:
- * int stream_icmp.session_timeout = 30: session tracking timeout {
- 1:86400 }
+ * int imap.b64_decode_depth = 1460: base64 decoding depth {
+ -1:65535 }
+ * int imap.bitenc_decode_depth = 1460: non-Encoded MIME attachment
+ extraction depth { -1:65535 }
+ * int imap.qp_decode_depth = 1460: quoted Printable decoding depth
+ { -1:65535 }
+ * int imap.uu_decode_depth = 1460: Unix-to-Unix decoding depth {
+ -1:65535 }
-Peg counts:
+Rules:
- * stream_icmp.sessions: total icmp sessions
- * stream_icmp.max: max icmp sessions
- * stream_icmp.created: icmp session trackers created
- * stream_icmp.released: icmp session trackers released
- * stream_icmp.timeouts: icmp session timeouts
- * stream_icmp.prunes: icmp session prunes
+ * 141:1 (imap) unknown IMAP3 command
+ * 141:2 (imap) unknown IMAP3 response
+ * 141:4 (imap) base64 decoding failed
+ * 141:5 (imap) quoted-printable decoding failed
+ * 141:7 (imap) Unix-to-Unix decoding failed
+
+Peg counts:
+
+ * imap.packets: total packets processed
+ * imap.sessions: total imap sessions
+ * imap.b64 attachments: total base64 attachments decoded
+ * imap.b64 decoded bytes: total base64 decoded bytes
+ * imap.qp attachments: total quoted-printable attachments decoded
+ * imap.qp decoded bytes: total quoted-printable decoded bytes
+ * imap.uu attachments: total uu attachments decoded
+ * imap.uu decoded bytes: total uu decoded bytes
+ * imap.non-encoded attachments: total non-encoded attachments
+ extracted
+ * imap.non-encoded bytes: total non-encoded extracted bytes
-6.33. stream_ip
+8.17. modbus
--------------
-What: stream inspector for IP flow tracking and defragmentation
+What: modbus inspection
Type: inspector
-Configuration:
-
- * int stream_ip.max_frags = 8192: maximum number of simultaneous
- fragments being tracked { 1: }
- * int stream_ip.max_overlaps = 0: maximum allowed overlaps per
- datagram; 0 is unlimited { 0: }
- * int stream_ip.min_frag_length = 0: alert if fragment length is
- below this limit before or after trimming { 0: }
- * int stream_ip.min_ttl = 1: discard fragments with ttl below the
- minimum { 1:255 }
- * enum stream_ip.policy = linux: fragment reassembly policy { first
- | linux | bsd | bsd_right | last | windows | solaris }
- * int stream_ip.session_timeout = 30: session tracking timeout {
- 1:86400 }
- * int stream_ip.trace: mask for enabling debug traces in module
-
Rules:
- * 123:1 (stream_ip) inconsistent IP options on fragmented packets
- * 123:2 (stream_ip) teardrop attack
- * 123:3 (stream_ip) short fragment, possible DOS attempt
- * 123:4 (stream_ip) fragment packet ends after defragmented packet
- * 123:5 (stream_ip) zero-byte fragment packet
- * 123:6 (stream_ip) bad fragment size, packet size is negative
- * 123:7 (stream_ip) bad fragment size, packet size is greater than
- 65536
- * 123:8 (stream_ip) fragmentation overlap
- * 123:11 (stream_ip) TTL value less than configured minimum, not
- using for reassembly
- * 123:12 (stream_ip) excessive fragment overlap
- * 123:13 (stream_ip) tiny fragment
+ * 144:1 (modbus) length in Modbus MBAP header does not match the
+ length needed for the given function
+ * 144:2 (modbus) Modbus protocol ID is non-zero
+ * 144:3 (modbus) reserved Modbus function code in use
Peg counts:
- * stream_ip.sessions: total ip sessions
- * stream_ip.max: max ip sessions
- * stream_ip.created: ip session trackers created
- * stream_ip.released: ip session trackers released
- * stream_ip.timeouts: ip session timeouts
- * stream_ip.prunes: ip session prunes
- * stream_ip.total frags: total fragments
- * stream_ip.current frags: current fragments
- * stream_ip.max frags: max fragments
- * stream_ip.reassembled: reassembled datagrams
- * stream_ip.discards: fragments discarded
- * stream_ip.frag timeouts: datagrams abandoned
- * stream_ip.overlaps: overlapping fragments
- * stream_ip.anomalies: anomalies detected
- * stream_ip.alerts: alerts generated
- * stream_ip.drops: fragments dropped
- * stream_ip.trackers added: datagram trackers created
- * stream_ip.trackers freed: datagram trackers released
- * stream_ip.trackers cleared: datagram trackers cleared
- * stream_ip.trackers completed: datagram trackers completed
- * stream_ip.nodes inserted: fragments added to tracker
- * stream_ip.nodes deleted: fragments deleted from tracker
- * stream_ip.memory used: current memory usage in bytes
- * stream_ip.reassembled bytes: total reassembled bytes
- * stream_ip.fragmented bytes: total fragmented bytes
+ * modbus.sessions: total sessions processed
+ * modbus.frames: total Modbus messages
-6.34. stream_tcp
+8.18. normalizer
--------------
-What: stream inspector for TCP flow tracking and stream normalization
-and reassembly
+What: packet scrubbing for inline mode
Type: inspector
Configuration:
- * int stream_tcp.flush_factor = 0: flush upon seeing a drop in
- segment size after given number of non-decreasing segments { 0: }
- * bool stream_tcp.ignore_any_rules = false: process tcp content
- rules w/o ports only if rules with ports are present
- * int stream_tcp.max_window = 0: maximum allowed tcp window {
- 0:1073725440 }
- * int stream_tcp.overlap_limit = 0: maximum number of allowed
- overlapping segments per session { 0:255 }
- * int stream_tcp.max_pdu = 16384: maximum reassembled PDU size {
- 1460:65535 }
- * enum stream_tcp.policy = bsd: determines operating system
- characteristics like reassembly { first | last | linux |
- old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 |
- windows | win_2003 | vista | proxy }
- * bool stream_tcp.reassemble_async = true: queue data for
- reassembly before traffic is seen in both directions
- * int stream_tcp.require_3whs = -1: don’t track midstream sessions
- after given seconds from start up; -1 tracks all { -1:86400 }
- * bool stream_tcp.show_rebuilt_packets = false: enable cmg like
- output of reassembled packets
- * int stream_tcp.queue_limit.max_bytes = 1048576: don’t queue more
- than given bytes per session and direction { 0: }
- * int stream_tcp.queue_limit.max_segments = 2621: don’t queue more
- than given segments per session and direction { 0: }
- * int stream_tcp.small_segments.count = 0: limit number of small
- segments queued { 0:2048 }
- * int stream_tcp.small_segments.maximum_size = 0: limit number of
- small segments queued { 0:2048 }
- * int stream_tcp.session_timeout = 30: session tracking timeout {
- 1:86400 }
- * int stream_tcp.footprint = 0: use zero for production, non-zero
- for testing at given size { 0: }
-
-Rules:
-
- * 129:1 (stream_tcp) SYN on established session
- * 129:2 (stream_tcp) data on SYN packet
- * 129:3 (stream_tcp) data sent on stream not accepting data
- * 129:4 (stream_tcp) TCP timestamp is outside of PAWS window
- * 129:5 (stream_tcp) bad segment, adjusted size ⇐ 0
- * 129:6 (stream_tcp) window size (after scaling) larger than policy
- allows
- * 129:7 (stream_tcp) limit on number of overlapping TCP packets
- reached
- * 129:8 (stream_tcp) data sent on stream after TCP Reset sent
- * 129:9 (stream_tcp) TCP client possibly hijacked, different
- ethernet address
- * 129:10 (stream_tcp) TCP Server possibly hijacked, different
- ethernet address
- * 129:11 (stream_tcp) TCP data with no TCP flags set
- * 129:12 (stream_tcp) consecutive TCP small segments exceeding
- threshold
- * 129:13 (stream_tcp) 4-way handshake detected
- * 129:14 (stream_tcp) TCP timestamp is missing
- * 129:15 (stream_tcp) reset outside window
- * 129:16 (stream_tcp) FIN number is greater than prior FIN
- * 129:17 (stream_tcp) ACK number is greater than prior FIN
- * 129:18 (stream_tcp) data sent on stream after TCP Reset received
- * 129:19 (stream_tcp) TCP window closed before receiving data
- * 129:20 (stream_tcp) TCP session without 3-way handshake
+ * bool normalizer.ip4.base = true: clear options
+ * bool normalizer.ip4.df = false: clear don’t frag flag
+ * bool normalizer.ip4.rf = false: clear reserved flag
+ * bool normalizer.ip4.tos = false: clear tos / differentiated
+ services byte
+ * bool normalizer.ip4.trim = false: truncate excess payload beyond
+ datagram length
+ * bool normalizer.tcp.base = true: clear reserved bits and option
+ padding and fix urgent pointer / flags issues
+ * bool normalizer.tcp.block = true: allow packet drops during TCP
+ normalization
+ * bool normalizer.tcp.urp = true: adjust urgent pointer if beyond
+ segment length
+ * bool normalizer.tcp.ips = false: ensure consistency in
+ retransmitted data
+ * select normalizer.tcp.ecn = off: clear ecn for all packets |
+ sessions w/o ecn setup { off | packet | stream }
+ * bool normalizer.tcp.pad = true: clear any option padding bytes
+ * bool normalizer.tcp.trim_syn = false: remove data on SYN
+ * bool normalizer.tcp.trim_rst = false: remove any data from RST
+ packet
+ * bool normalizer.tcp.trim_win = false: trim data to window
+ * bool normalizer.tcp.trim_mss = false: trim data to MSS
+ * bool normalizer.tcp.trim = false: enable all of the TCP trim
+ options
+ * bool normalizer.tcp.opts = true: clear all options except mss,
+ wscale, timestamp, and any explicitly allowed
+ * bool normalizer.tcp.req_urg = true: clear the urgent pointer if
+ the urgent flag is not set
+ * bool normalizer.tcp.req_pay = true: clear the urgent pointer and
+ the urgent flag if there is no payload
+ * bool normalizer.tcp.rsv = true: clear the reserved bits in the
+ TCP header
+ * bool normalizer.tcp.req_urp = true: clear the urgent flag if the
+ urgent pointer is not set
+ * multi normalizer.tcp.allow_names: don’t clear given option names
+ { sack | echo | partial_order | conn_count | alt_checksum | md5 }
+ * string normalizer.tcp.allow_codes: don’t clear given option codes
+ * bool normalizer.ip6 = false: clear reserved flag
+ * bool normalizer.icmp4 = false: clear reserved flag
+ * bool normalizer.icmp6 = false: clear reserved flag
Peg counts:
- * stream_tcp.sessions: total tcp sessions
- * stream_tcp.max: max tcp sessions
- * stream_tcp.created: tcp session trackers created
- * stream_tcp.released: tcp session trackers released
- * stream_tcp.timeouts: tcp session timeouts
- * stream_tcp.prunes: tcp session prunes
- * stream_tcp.resyns: SYN received on established session
- * stream_tcp.discards: tcp packets discarded
- * stream_tcp.events: events generated
- * stream_tcp.ignored: tcp packets ignored
- * stream_tcp.untracked: tcp packets not tracked
- * stream_tcp.syn trackers: tcp session tracking started on syn
- * stream_tcp.syn-ack trackers: tcp session tracking started on
- syn-ack
- * stream_tcp.3way trackers: tcp session tracking started on ack
- * stream_tcp.data trackers: tcp session tracking started on data
- * stream_tcp.segs queued: total segments queued
- * stream_tcp.segs released: total segments released
- * stream_tcp.segs split: tcp segments split when reassembling PDUs
- * stream_tcp.segs used: queued tcp segments applied to reassembled
- PDUs
- * stream_tcp.rebuilt packets: total reassembled PDUs
- * stream_tcp.rebuilt buffers: rebuilt PDU sections
- * stream_tcp.rebuilt bytes: total rebuilt bytes
- * stream_tcp.overlaps: overlapping segments queued
- * stream_tcp.gaps: missing data between PDUs
- * stream_tcp.max segs: number of times the maximum queued segment
- limit was reached
- * stream_tcp.max bytes: number of times the maximum queued byte
- limit was reached
- * stream_tcp.internal events: 135:X events generated
- * stream_tcp.client cleanups: number of times data from server was
- flushed when session released
- * stream_tcp.server cleanups: number of times data from client was
- flushed when session released
- * stream_tcp.memory: current memory in use
- * stream_tcp.initializing: number of sessions currently
- initializing
- * stream_tcp.established: number of sessions currently established
- * stream_tcp.closing: number of sessions currently closing
+ * normalizer.ip4 trim: eth packets trimmed to datagram size
+ * normalizer.test ip4 trim: test eth packets trimmed to datagram
+ size
+ * normalizer.ip4 tos: type of service normalizations
+ * normalizer.test ip4 tos: test type of service normalizations
+ * normalizer.ip4 df: don’t frag bit normalizations
+ * normalizer.test ip4 df: test don’t frag bit normalizations
+ * normalizer.ip4 rf: reserved flag bit clears
+ * normalizer.test ip4 rf: test reserved flag bit clears
+ * normalizer.ip4 ttl: time-to-live normalizations
+ * normalizer.test ip4 ttl: test time-to-live normalizations
+ * normalizer.ip4 opts: ip4 options cleared
+ * normalizer.test ip4 opts: test ip4 options cleared
+ * normalizer.icmp4 echo: icmp4 ping normalizations
+ * normalizer.test icmp4 echo: test icmp4 ping normalizations
+ * normalizer.ip6 hops: ip6 hop limit normalizations
+ * normalizer.test ip6 hops: test ip6 hop limit normalizations
+ * normalizer.ip6 options: ip6 options cleared
+ * normalizer.test ip6 options: test ip6 options cleared
+ * normalizer.icmp6 echo: icmp6 echo normalizations
+ * normalizer.test icmp6 echo: test icmp6 echo normalizations
+ * normalizer.tcp syn options: SYN only options cleared from non-SYN
+ packets
+ * normalizer.test tcp syn options: test SYN only options cleared
+ from non-SYN packets
+ * normalizer.tcp options: packets with options cleared
+ * normalizer.test tcp options: test packets with options cleared
+ * normalizer.tcp paddding: packets with padding cleared
+ * normalizer.test tcp paddding: test packets with padding cleared
+ * normalizer.tcp reserved: packets with reserved bits cleared
+ * normalizer.test tcp reserved: test packets with reserved bits
+ cleared
+ * normalizer.tcp nonce: packets with nonce bit cleared
+ * normalizer.test tcp nonce: test packets with nonce bit cleared
+ * normalizer.tcp urgent ptr: packets without data with urgent
+ pointer cleared
+ * normalizer.test tcp urgent ptr: test packets without data with
+ urgent pointer cleared
+ * normalizer.tcp ecn pkt: packets with ECN bits cleared
+ * normalizer.test tcp ecn pkt: test packets with ECN bits cleared
+ * normalizer.tcp ts ecr: timestamp cleared on non-ACKs
+ * normalizer.test tcp ts ecr: test timestamp cleared on non-ACKs
+ * normalizer.tcp req urg: cleared urgent pointer when urgent flag
+ is not set
+ * normalizer.test tcp req urg: test cleared urgent pointer when
+ urgent flag is not set
+ * normalizer.tcp req pay: cleared urgent pointer and urgent flag
+ when there is no payload
+ * normalizer.test tcp req pay: test cleared urgent pointer and
+ urgent flag when there is no payload
+ * normalizer.tcp req urp: cleared the urgent flag if the urgent
+ pointer is not set
+ * normalizer.test tcp req urp: test cleared the urgent flag if the
+ urgent pointer is not set
+ * normalizer.tcp trim syn: tcp segments trimmed on SYN
+ * normalizer.test tcp trim syn: test tcp segments trimmed on SYN
+ * normalizer.tcp trim rst: RST packets with data trimmed
+ * normalizer.test tcp trim rst: test RST packets with data trimmed
+ * normalizer.tcp trim win: data trimed to window
+ * normalizer.test tcp trim win: test data trimed to window
+ * normalizer.tcp trim mss: data trimmed to MSS
+ * normalizer.test tcp trim mss: test data trimmed to MSS
+ * normalizer.tcp ecn session: ECN bits cleared
+ * normalizer.test tcp ecn session: test ECN bits cleared
+ * normalizer.tcp ts nop: timestamp options cleared
+ * normalizer.test tcp ts nop: test timestamp options cleared
+ * normalizer.tcp ips data: normalized segments
+ * normalizer.test tcp ips data: test normalized segments
+ * normalizer.tcp block: blocked segments
+ * normalizer.test tcp block: test blocked segments
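Review bot: two typos in the new normalizer peg names, `normalizer.tcp paddding` (and its `test` twin) and `normalizer.tcp trim win: data trimed to window` (and its test twin), should read `padding` and `trimmed`; the `trim mss` counter two lines further down already spells it `trimmed`. If the names are emitted from the counter definitions, fix them there rather than only in this listing. Separately, `normalizer.ip6`, `normalizer.icmp4` and `normalizer.icmp6` all carry the same help string, `clear reserved flag`, while the peg list counts `ip6 hops`, `ip6 options`, `icmp4 echo` and `icmp6 echo` normalizations, so the three descriptions look copy-pasted; state what each switch actually normalizes.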
-6.35. stream_udp
+8.19. packet_capture
--------------
-What: stream inspector for UDP flow tracking
+What: raw packet dumping facility
Type: inspector
Configuration:
- * int stream_udp.session_timeout = 30: session tracking timeout {
- 1:86400 }
- * bool stream_udp.ignore_any_rules = false: process udp content
- rules w/o ports only if rules with ports are present
+ * bool packet_capture.enable = false: initially enable packet
+ dumping
+ * string packet_capture.filter: bpf filter to use for packet dump
+
+Commands:
+
+ * packet_capture.enable(filter): dump raw packets
+ * packet_capture.disable(): stop packet dump
Peg counts:
- * stream_udp.sessions: total udp sessions
- * stream_udp.max: max udp sessions
- * stream_udp.created: udp session trackers created
- * stream_udp.released: udp session trackers released
- * stream_udp.timeouts: udp session timeouts
- * stream_udp.prunes: udp session prunes
+ * packet_capture.processed: packets processed against filter
+ * packet_capture.captured: packets matching dumped after matching
+ filter
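Review bot: `packet_capture.captured: packets matching dumped after matching filter` says "matching" twice; `packets dumped after matching filter` reads cleanly and parallels `processed: packets processed against filter` above it. The `packet_capture.enable(filter)` command should also say that its argument is a BPF filter, as the `filter` option does, since an operator on the shell will reach for the command first and the two should describe the same thing.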
-6.36. stream_user
+8.20. perf_monitor
--------------
-What: stream inspector for user flow tracking and reassembly
+What: performance monitoring and flow statistics collection
Type: inspector
Configuration:
- * int stream_user.session_timeout = 30: session tracking timeout {
- 1:86400 }
+ * bool perf_monitor.base = true: enable base statistics { nullptr }
+ * bool perf_monitor.cpu = false: enable cpu statistics { nullptr }
+ * bool perf_monitor.flow = false: enable traffic statistics
+ * bool perf_monitor.flow_ip = false: enable statistics on host
+ pairs
+ * int perf_monitor.packets = 10000: minimum packets to report { 0:
+ }
+ * int perf_monitor.seconds = 60: report interval { 1: }
+ * int perf_monitor.flow_ip_memcap = 52428800: maximum memory in
+ bytes for flow tracking { 8200: }
+ * int perf_monitor.max_file_size = 1073741824: files will be rolled
+ over if they exceed this size { 4096: }
+ * int perf_monitor.flow_ports = 1023: maximum ports to track {
+ 0:65535 }
+ * enum perf_monitor.output = file: output location for stats { file
+ | console }
+ * string perf_monitor.modules[].name: name of the module
+ * string perf_monitor.modules[].pegs: list of statistics to track
+ or empty for all counters
+ * enum perf_monitor.format = csv: output format for stats { csv |
+ text }
+ * bool perf_monitor.summary = false: output summary at shutdown
+
+Peg counts:
+
+ * perf_monitor.packets: total packets
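Review bot: the `{ nullptr }` after `perf_monitor.base = true` and `perf_monitor.cpu = false` is a leaked placeholder from the option table, not a value range; every other bool in this chapter has no braces, so drop it on both lines. `perf_monitor.packets = 10000: minimum packets to report` and `perf_monitor.seconds = 60: report interval` plainly interact, and the text should say how (whether both thresholds must be met before a report is written), because that decides how sparse the output is on a quiet sensor.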
-6.37. telnet
+8.21. pop
--------------
-What: telnet inspection and normalization
+What: pop inspection
Type: inspector
Configuration:
- * int telnet.ayt_attack_thresh = -1: alert on this number of
- consecutive telnet AYT commands { -1: }
- * bool telnet.check_encrypted = false: check for end of encryption
- * bool telnet.encrypted_traffic = false: check for encrypted telnet
- and ftp
- * bool telnet.normalize = false: eliminate escape sequences
+ * int pop.b64_decode_depth = 1460: base64 decoding depth { -1:65535
+ }
+ * int pop.bitenc_decode_depth = 1460: Non-Encoded MIME attachment
+ extraction depth { -1:65535 }
+ * int pop.qp_decode_depth = 1460: Quoted Printable decoding depth {
+ -1:65535 }
+ * int pop.uu_decode_depth = 1460: Unix-to-Unix decoding depth {
+ -1:65535 }
Rules:
- * 126:1 (telnet) consecutive telnet AYT commands beyond threshold
- * 126:2 (telnet) telnet traffic encrypted
- * 126:3 (telnet) telnet subnegotiation begin command without
- subnegotiation end
+ * 142:1 (pop) unknown POP3 command
+ * 142:2 (pop) unknown POP3 response
+ * 142:4 (pop) base64 decoding failed
+ * 142:5 (pop) quoted-printable decoding failed
+ * 142:7 (pop) Unix-to-Unix decoding failed
Peg counts:
- * telnet.packets: total packets
+ * pop.packets: total packets processed
+ * pop.sessions: total pop sessions
+ * pop.b64 attachments: total base64 attachments decoded
+ * pop.b64 decoded bytes: total base64 decoded bytes
+ * pop.qp attachments: total quoted-printable attachments decoded
+ * pop.qp decoded bytes: total quoted-printable decoded bytes
+ * pop.uu attachments: total uu attachments decoded
+ * pop.uu decoded bytes: total uu decoded bytes
+ * pop.non-encoded attachments: total non-encoded attachments
+ extracted
+ * pop.non-encoded bytes: total non-encoded extracted bytes
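Review bot: the pop rule list jumps from 142:2 to 142:4 and from 142:5 to 142:7; if 142:3 and 142:6 are reserved or retired, one remark saying so prevents readers from filing the gap as a missing entry. The four pop decoding depths default to 1460 while the smtp counterparts later in this chapter default to 25; if that asymmetry is intended, both sections should say what -1 and 0 mean for these depths so the two defaults can be compared.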
-6.38. wizard
+8.22. port_scan
--------------
-What: inspector that implements port-independent protocol
-identification
+What: port scan inspector; also configure port_scan_global
Type: inspector
Configuration:
- * string wizard.hexes[].service: name of service
- * select wizard.hexes[].proto = tcp: protocol to scan { tcp | udp }
- * bool wizard.hexes[].client_first = true: which end initiates data
- transfer
- * string wizard.hexes[].to_server[].hex: sequence of data with wild
- chars (?)
- * string wizard.hexes[].to_client[].hex: sequence of data with wild
- chars (?)
- * string wizard.spells[].service: name of service
- * select wizard.spells[].proto = tcp: protocol to scan { tcp | udp
- }
- * bool wizard.spells[].client_first = true: which end initiates
- data transfer
- * string wizard.spells[].to_server[].spell: sequence of data with
- wild cards (*)
- * string wizard.spells[].to_client[].spell: sequence of data with
- wild cards (*)
-
-Peg counts:
-
- * wizard.tcp scans: tcp payload scans
- * wizard.tcp hits: tcp identifications
- * wizard.udp scans: udp payload scans
- * wizard.udp hits: udp identifications
- * wizard.user scans: user payload scans
- * wizard.user hits: user identifications
-
-
----------------------------------------------------------------------
-
-7. IPS Action Modules
-
----------------------------------------------------------------------
+ * multi port_scan.protos = all: choose the protocols to monitor {
+ tcp | udp | icmp | ip | all }
+ * multi port_scan.scan_types = all: choose type of scans to look
+ for { portscan | portsweep | decoy_portscan |
+ distributed_portscan | all }
+ * enum port_scan.sense_level = medium: choose the level of
+ detection { low | medium | high }
+ * string port_scan.watch_ip: list of CIDRs with optional ports to
+ watch
+ * string port_scan.ignore_scanners: list of CIDRs with optional
+ ports to ignore if the source of scan alerts
+ * string port_scan.ignore_scanned: list of CIDRs with optional
+ ports to ignore if the destination of scan alerts
+ * bool port_scan.include_midstream = false: list of CIDRs with
+ optional ports
+ * bool port_scan.logfile = false: write scan events to file
-IPS actions allow you to perform custom actions when events are
-generated. Unlike loggers, these are invoked before thresholding and
-can be used to control external agents.
+Rules:
-Externally defined actions must be configured to become available to
-the parser. For the reject rule, you can set reject = { } to get the
-rule to parse.
+ * 122:1 (port_scan) TCP portscan
+ * 122:2 (port_scan) TCP decoy portscan
+ * 122:3 (port_scan) TCP portsweep
+ * 122:4 (port_scan) TCP distributed portscan
+ * 122:5 (port_scan) TCP filtered portscan
+ * 122:6 (port_scan) TCP filtered decoy portscan
+ * 122:7 (port_scan) TCP filtered portsweep
+ * 122:8 (port_scan) TCP filtered distributed portscan
+ * 122:9 (port_scan) IP protocol scan
+ * 122:10 (port_scan) IP decoy protocol scan
+ * 122:11 (port_scan) IP protocol sweep
+ * 122:12 (port_scan) IP distributed protocol scan
+ * 122:13 (port_scan) IP filtered protocol scan
+ * 122:14 (port_scan) IP filtered decoy protocol scan
+ * 122:15 (port_scan) IP filtered protocol sweep
+ * 122:16 (port_scan) IP filtered distributed protocol scan
+ * 122:17 (port_scan) UDP portscan
+ * 122:18 (port_scan) UDP decoy portscan
+ * 122:19 (port_scan) UDP portsweep
+ * 122:20 (port_scan) UDP distributed portscan
+ * 122:21 (port_scan) UDP filtered portscan
+ * 122:22 (port_scan) UDP filtered decoy portscan
+ * 122:23 (port_scan) UDP filtered portsweep
+ * 122:24 (port_scan) UDP filtered distributed portscan
+ * 122:25 (port_scan) ICMP sweep
+ * 122:26 (port_scan) ICMP filtered sweep
+ * 122:27 (port_scan) open port
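Review bot: `port_scan.include_midstream = false: list of CIDRs with optional ports` is the `watch_ip` description pasted onto a bool; from the name it should say whether sessions picked up midstream are considered for scan detection. The two ignore options read awkwardly (`to ignore if the source of scan alerts`); `to ignore when they are the source of scan alerts` and `... the destination of scan alerts` is clearer. `port_scan.logfile = false: write scan events to file` names no file, so state where the events go or which option sets the path.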
-7.1. react
+8.23. port_scan_global
--------------
-What: send response to client and terminate session
+What: shared settings for port_scan inspectors for use with port_scan
-Type: ips_action
+Type: inspector
Configuration:
- * bool react.msg = false: use rule msg in response page instead of
- default message
- * string react.page: file containing HTTP response (headers and
- body)
-
-
-7.2. reject
-
---------------
-
-What: terminate session with TCP reset or ICMP unreachable
-
-Type: ips_action
+ * int port_scan_global.memcap = 1048576: maximum tracker memory in
+ bytes { 1: }
-Configuration:
+Peg counts:
- * enum reject.reset: send tcp reset to one or both ends { source|
- dest|both }
- * enum reject.control: send icmp unreachable(s) { network|host|port
- |all }
+ * port_scan_global.packets: total packets
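Review bot: `What: shared settings for port_scan inspectors for use with port_scan` says port_scan twice; `shared settings for port_scan inspectors` is enough. More useful than the wording: say what happens when `port_scan_global.memcap` (1 MB by default) is exhausted, that is whether existing trackers are pruned or new sources go unmonitored, since that is the question an operator sizing the sensor will ask.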
-7.3. rewrite
+8.24. reputation
--------------
-What: overwrite packet contents
+What: reputation inspection
-Type: ips_action
+Type: inspector
+Configuration:
----------------------------------------------------------------------
+ * string reputation.blacklist: blacklist file name with ip lists
+ * int reputation.memcap = 500: maximum total MB of memory allocated
+ { 1:4095 }
+ * enum reputation.nested_ip = inner: ip to use when there is IP
+ encapsulation { inner|outer|all }
+ * enum reputation.priority = whitelist: defines priority when there
+ is a decision conflict during run-time { blacklist|whitelist }
+ * bool reputation.scan_local = false: inspect local address defined
+ in RFC 1918
+ * enum reputation.white = unblack: specify the meaning of whitelist
+ { unblack|trust }
+ * string reputation.whitelist: whitelist file name with ip lists
+
+Rules:
-8. IPS Option Modules
+ * 136:1 (reputation) packets blacklisted
+ * 136:2 (reputation) packets whitelisted
+ * 136:3 (reputation) packets monitored
----------------------------------------------------------------------
+Peg counts:
-IPS options are the building blocks of IPS rules.
+ * reputation.packets: total packets processed
+ * reputation.blacklisted: number of packets blacklisted
+ * reputation.whitelisted: number of packets whitelisted
+ * reputation.monitored: number of packets monitored
+ * reputation.memory allocated: total memory allocated
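Review bot: `reputation.scan_local = false: inspect local address defined in RFC 1918` should be plural, `addresses`. `reputation.memcap = 500` is the only memcap in this chapter expressed in MB rather than bytes (compare `port_scan_global.memcap = 1048576` and `perf_monitor.flow_ip_memcap = 52428800`), so keep `MB` explicit in any rewording. `reputation.priority` and `reputation.white` together decide what a whitelist hit means when an address is on both lists; one sentence spelling out the combinations would make that concrete for the reader.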
-8.1. ack
+8.25. rpc_decode
--------------
-What: rule option to match on TCP ack numbers
+What: RPC inspector
-Type: ips_option
+Type: inspector
-Configuration:
+Rules:
- * string ack.~range: check if tcp ack value is value | min<>max |
- <max | >min
+ * 106:1 (rpc_decode) fragmented RPC records
+ * 106:2 (rpc_decode) multiple RPC records
+ * 106:3 (rpc_decode) large RPC record fragment
+ * 106:4 (rpc_decode) incomplete RPC segment
+ * 106:5 (rpc_decode) zero-length RPC fragment
+
+Peg counts:
+
+ * rpc_decode.packets: total packets
-8.2. appids
+8.26. sip
--------------
-What: detection option for application ids
+What: sip inspection
-Type: ips_option
+Type: inspector
Configuration:
- * string appids.~: appid option
-
-
-8.3. asn1
-
---------------
+ * bool sip.ignore_call_channel = false: enables the support for
+ ignoring audio/video data channel
+ * int sip.max_call_id_len = 256: maximum call id field size {
+ 0:65535 }
+ * int sip.max_contact_len = 256: maximum contact field size {
+ 0:65535 }
+ * int sip.max_content_len = 1024: maximum content length of the
+ message body { 0:65535 }
+ * int sip.max_dialogs = 4: maximum number of dialogs within one
+ stream session { 1:4194303 }
+ * int sip.max_from_len = 256: maximum from field size { 0:65535 }
+ * int sip.max_requestName_len = 20: maximum request name field size
+ { 0:65535 }
+ * int sip.max_sessions = 10000: maximum number of sessions that can
+ be allocated { 1024:4194303 }
+ * int sip.max_to_len = 256: maximum to field size { 0:65535 }
+ * int sip.max_uri_len = 256: maximum request uri field size {
+ 0:65535 }
+ * int sip.max_via_len = 1024: maximum via field size { 0:65535 }
+ * string sip.methods = invite cancel ack bye register options: list
+ of methods to check in sip messages
-What: rule option for asn1 detection
+Rules:
-Type: ips_option
+ * 140:1 (sip) maximum sessions reached
+ * 140:2 (sip) empty request URI
+ * 140:3 (sip) URI is too long
+ * 140:4 (sip) empty call-Id
+ * 140:5 (sip) Call-Id is too long
+ * 140:6 (sip) CSeq number is too large or negative
+ * 140:7 (sip) request name in CSeq is too long
+ * 140:8 (sip) empty From header
+ * 140:9 (sip) From header is too long
+ * 140:10 (sip) empty To header
+ * 140:11 (sip) To header is too long
+ * 140:12 (sip) empty Via header
+ * 140:13 (sip) Via header is too long
+ * 140:14 (sip) empty Contact
+ * 140:15 (sip) contact is too long
+ * 140:16 (sip) content length is too large or negative
+ * 140:17 (sip) multiple SIP messages in a packet
+ * 140:18 (sip) content length mismatch
+ * 140:19 (sip) request name is invalid
+ * 140:20 (sip) Invite replay attack
+ * 140:21 (sip) illegal session information modification
+ * 140:22 (sip) response status code is not a 3 digit number
+ * 140:23 (sip) empty Content-type header
+ * 140:24 (sip) SIP version is invalid
+ * 140:25 (sip) mismatch in METHOD of request and the CSEQ header
+ * 140:26 (sip) method is unknown
+ * 140:27 (sip) maximum dialogs within a session reached
-Configuration:
+Peg counts:
- * implied asn1.bitstring_overflow: Detects invalid bitstring
- encodings that are known to be remotely exploitable.
- * implied asn1.double_overflow: Detects a double ASCII encoding
- that is larger than a standard buffer.
- * implied asn1.print: dump decode data to console; always true
- * int asn1.oversize_length: Compares ASN.1 type lengths with the
- supplied argument. { 0: }
- * int asn1.absolute_offset: Absolute offset from the beginning of
- the packet. { 0: }
- * int asn1.relative_offset: relative offset from the cursor.
+ * sip.packets: total packets
+ * sip.sessions: total sessions
+ * sip.events: events generated
+ * sip.dialogs: total dialogs
+ * sip.ignored channels: total channels ignored
+ * sip.ignored sessions: total sessions ignored
+ * sip.total requests: total requests
+ * sip.invite: invite
+ * sip.cancel: cancel
+ * sip.ack: ack
+ * sip.bye: bye
+ * sip.register: register
+ * sip.options: options
+ * sip.refer: refer
+ * sip.subscribe: subscribe
+ * sip.update: update
+ * sip.join: join
+ * sip.info: info
+ * sip.message: message
+ * sip.notify: notify
+ * sip.prack: prack
+ * sip.total responses: total responses
+ * sip.1xx: 1xx
+ * sip.2xx: 2xx
+ * sip.3xx: 3xx
+ * sip.4xx: 4xx
+ * sip.5xx: 5xx
+ * sip.6xx: 6xx
+ * sip.7xx: 7xx
+ * sip.8xx: 8xx
+ * sip.9xx: 9xx
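Review bot: the peg list ends with `sip.7xx`, `sip.8xx` and `sip.9xx`, but SIP responses are defined only in classes 1xx through 6xx, and rule 140:22 already covers a status code that is not a 3-digit number; say what these three counters count, or they will read as padding. Minor consistency points: `sip.max_requestName_len` is the only camelCase option name in the chapter (everything else is snake_case), and `140:4 (sip) empty call-Id` versus `140:5 (sip) Call-Id is too long` capitalize the same header differently.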
-8.4. base64_decode
+8.27. smtp
--------------
-What: rule option to decode base64 data - must be used with
-base64_data option
+What: smtp inspection
-Type: ips_option
+Type: inspector
Configuration:
- * int base64_decode.bytes: Number of base64 encoded bytes to
- decode. { 1: }
- * int base64_decode.offset = 0: Bytes past start of buffer to start
- decoding. { 0: }
- * implied base64_decode.relative: Apply offset to cursor instead of
- start of buffer.
-
-
-8.5. bufferlen
-
---------------
+ * string smtp.alt_max_command_line_len[].command: command string
+ * int smtp.alt_max_command_line_len[].length = 0: specify
+ non-default maximum for command { 0: }
+ * string smtp.auth_cmds: commands that initiate an authentication
+ exchange
+ * string smtp.binary_data_cmds: commands that initiate sending of
+ data and use a length value after the command
+ * int smtp.bitenc_decode_depth = 25: depth used to extract the
+ non-encoded MIME attachments { -1:65535 }
+ * int smtp.b64_decode_depth = 25: depth used to decode the base64
+ encoded MIME attachments { -1:65535 }
+ * string smtp.data_cmds: commands that initiate sending of data
+ with an end of data delimiter
+ * int smtp.email_hdrs_log_depth = 1464: depth for logging email
+ headers { 0:20480 }
+ * bool smtp.ignore_data = false: ignore data section of mail
+ * bool smtp.ignore_tls_data = false: ignore TLS-encrypted data when
+ processing rules
+ * string smtp.invalid_cmds: alert if this command is sent from
+ client side
+ * bool smtp.log_email_hdrs = false: log the SMTP email headers
+ extracted from SMTP data
+ * bool smtp.log_filename = false: log the MIME attachment filenames
+ extracted from the Content-Disposition header within the MIME
+ body
+ * bool smtp.log_mailfrom = false: log the sender’s email address
+ extracted from the MAIL FROM command
+ * bool smtp.log_rcptto = false: log the recipient’s email address
+ extracted from the RCPT TO command
+ * int smtp.max_auth_command_line_len = 1000: max auth command Line
+ Length { 0:65535 }
+ * int smtp.max_command_line_len = 0: max Command Line Length {
+ 0:65535 }
+ * int smtp.max_header_line_len = 0: max SMTP DATA header line {
+ 0:65535 }
+ * int smtp.max_response_line_len = 0: max SMTP response line {
+ 0:65535 }
+ * enum smtp.normalize = none: turns on/off normalization { none |
+ cmds | all }
+ * string smtp.normalize_cmds: list of commands to normalize
+ * int smtp.qp_decode_depth = 25: quoted-Printable decoding depth {
+ -1:65535 }
+ * int smtp.uu_decode_depth = 25: unix-to-Unix decoding depth {
+ -1:65535 }
+ * string smtp.valid_cmds: list of valid commands
+ * enum smtp.xlink2state = alert: enable/disable xlink2state alert {
+ disable | alert | drop }
-What: rule option to check length of current buffer
+Rules:
-Type: ips_option
+ * 124:1 (smtp) attempted command buffer overflow
+ * 124:2 (smtp) attempted data header buffer overflow
+ * 124:3 (smtp) attempted response buffer overflow
+ * 124:4 (smtp) attempted specific command buffer overflow
+ * 124:5 (smtp) unknown command
+ * 124:6 (smtp) illegal command
+ * 124:7 (smtp) attempted header name buffer overflow
+ * 124:8 (smtp) attempted X-Link2State command buffer overflow
+ * 124:10 (smtp) base64 decoding failed
+ * 124:11 (smtp) quoted-printable decoding failed
+ * 124:13 (smtp) Unix-to-Unix decoding failed
+ * 124:14 (smtp) Cyrus SASL authentication attack
+ * 124:15 (smtp) attempted authentication command buffer overflow
-Configuration:
+Peg counts:
- * string bufferlen.~range: len | min<>max | <max | >min
+ * smtp.packets: total packets processed
+ * smtp.sessions: total smtp sessions
+ * smtp.concurrent sessions: total concurrent smtp sessions
+ * smtp.max concurrent sessions: maximum concurrent smtp sessions
+ * smtp.b64 attachments: total base64 attachments decoded
+ * smtp.b64 decoded bytes: total base64 decoded bytes
+ * smtp.qp attachments: total quoted-printable attachments decoded
+ * smtp.qp decoded bytes: total quoted-printable decoded bytes
+ * smtp.uu attachments: total uu attachments decoded
+ * smtp.uu decoded bytes: total uu decoded bytes
+ * smtp.non-encoded attachments: total non-encoded attachments
+ extracted
+ * smtp.non-encoded bytes: total non-encoded extracted bytes
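Review bot: capitalization in the smtp options is inconsistent: `max auth command Line Length`, `max Command Line Length`, `quoted-Printable decoding depth`, `unix-to-Unix decoding depth`; lower-case these and match the pop section's `Quoted Printable` and `Unix-to-Unix`. The rule list skips 124:9 and 124:12; as with pop, mark them reserved if they are. For `smtp.max_command_line_len = 0`, `max_header_line_len = 0` and `max_response_line_len = 0`, say whether 0 means no limit, because rules 124:1 through 124:4 (the buffer overflow alerts) only make sense once the operator has set a bound.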
-8.6. byte_extract
+8.28. ssh
--------------
-What: rule option to convert data to an integer variable
+What: ssh inspection
-Type: ips_option
+Type: inspector
Configuration:
- * int byte_extract.~count: number of bytes to pick up from the
- buffer { 1:10 }
- * int byte_extract.~offset: number of bytes into the buffer to
- start processing { -65535:65535 }
- * string byte_extract.~name: name of the variable that will be used
- in other rule options
- * implied byte_extract.relative: offset from cursor instead of
- start of buffer
- * int byte_extract.multiplier = 1: scale extracted value by given
- amount { 1:65535 }
- * int byte_extract.align = 0: round the number of converted bytes
- up to the next 2- or 4-byte boundary { 0:4 }
- * implied byte_extract.big: big endian
- * implied byte_extract.little: little endian
- * implied byte_extract.dce: dcerpc2 determines endianness
- * implied byte_extract.string: convert from string
- * implied byte_extract.hex: convert from hex string
- * implied byte_extract.oct: convert from octal string
- * implied byte_extract.dec: convert from decimal string
+ * int ssh.max_encrypted_packets = 25: ignore session after this
+ many encrypted packets { 0:65535 }
+ * int ssh.max_client_bytes = 19600: number of unanswered bytes
+ before alerting on challenge-response overflow or CRC32 { 0:65535
+ }
+ * int ssh.max_server_version_len = 80: limit before alerting on
+ secure CRT server version string overflow { 0:255 }
+Rules:
-8.7. byte_jump
+ * 128:1 (ssh) challenge-response overflow exploit
+ * 128:2 (ssh) SSH1 CRC32 exploit
+ * 128:3 (ssh) server version string overflow
+ * 128:5 (ssh) bad message direction
+ * 128:6 (ssh) payload size incorrect for the given payload
+ * 128:7 (ssh) failed to detect SSH version string
---------------
+Peg counts:
-What: rule option to move the detection cursor
+ * ssh.packets: total packets
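Review bot: `secure CRT server version string overflow` in `ssh.max_server_version_len` reads as a generic term; it refers to the SecureCRT client, so spell it that way. The rule list skips 128:4; mark it reserved if it is. Since `ssh.max_encrypted_packets = 25` stops inspection of a session, the text should say whether the `max_client_bytes` unanswered-bytes check behind 128:1 and 128:2 still runs once that limit has been hit.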
-Type: ips_option
-Configuration:
+8.29. ssl
- * int byte_jump.~count: number of bytes to pick up from the buffer
- { 1:10 }
- * string byte_jump.~offset: variable name or number of bytes into
- the buffer to start processing
- * implied byte_jump.relative: offset from cursor instead of start
- of buffer
- * implied byte_jump.from_beginning: jump from start of buffer
- instead of cursor
- * int byte_jump.multiplier = 1: scale extracted value by given
- amount { 1:65535 }
- * int byte_jump.align = 0: round the number of converted bytes up
- to the next 2- or 4-byte boundary { 0:4 }
- * int byte_jump.post_offset = 0: also skip forward or backwards
- (positive of negative value) this number of bytes { -65535:65535
- }
- * implied byte_jump.big: big endian
- * implied byte_jump.little: little endian
- * implied byte_jump.dce: dcerpc2 determines endianness
- * implied byte_jump.string: convert from string
- * implied byte_jump.hex: convert from hex string
- * implied byte_jump.oct: convert from octal string
- * implied byte_jump.dec: convert from decimal string
+--------------
+What: ssl inspection
-8.8. byte_test
+Type: inspector
---------------
+Configuration:
-What: rule option to convert data to integer and compare
+ * bool ssl.trust_servers = false: disables requirement that
+ application (encrypted) data must be observed on both sides
+ * int ssl.max_heartbeat_length = 0: maximum length of heartbeat
+ record allowed { 0:65535 }
-Type: ips_option
+Rules:
-Configuration:
+ * 137:1 (ssl) invalid client HELLO after server HELLO detected
+ * 137:2 (ssl) invalid server HELLO without client HELLO detected
+ * 137:3 (ssl) heartbeat read overrun attempt detected
+ * 137:4 (ssl) large heartbeat response detected
- * int byte_test.~count: number of bytes to pick up from the buffer
- { 1:10 }
- * string byte_test.~operator: variable name or number of bytes into
- the buffer to start processing
- * string byte_test.~compare: variable name or value to test the
- converted result against
- * string byte_test.~offset: variable name or number of bytes into
- the payload to start processing
- * implied byte_test.relative: offset from cursor instead of start
- of buffer
- * implied byte_test.big: big endian
- * implied byte_test.little: little endian
- * implied byte_test.dce: dcerpc2 determines endianness
- * implied byte_test.string: convert from string
- * implied byte_test.hex: convert from hex string
- * implied byte_test.oct: convert from octal string
- * implied byte_test.dec: convert from decimal string
+Peg counts:
+
+ * ssl.packets: total packets processed
+ * ssl.decoded: ssl packets decoded
+ * ssl.client hello: total client hellos
+ * ssl.server hello: total server hellos
+ * ssl.certificate: total ssl certificates
+ * ssl.server done: total server done
+ * ssl.client key exchange: total client key exchanges
+ * ssl.server key exchange: total server key exchanges
+ * ssl.change cipher: total change cipher records
+ * ssl.finished: total handshakes finished
+ * ssl.client application: total client application records
+ * ssl.server application: total server application records
+ * ssl.alert: total ssl alert records
+ * ssl.unrecognized records: total unrecognized records
+ * ssl.handshakes completed: total completed ssl handshakes
+ * ssl.bad handshakes: total bad handshakes
+ * ssl.sessions ignored: total sessions ignore
+ * ssl.detection disabled: total detection disabled
-8.9. classtype
+8.30. stream
--------------
-What: general rule option for rule classification
+What: common flow tracking
-Type: ips_option
+Type: inspector
Configuration:
- * string classtype.~: classification for this rule
-
-
-8.10. content
-
---------------
-
-What: payload rule option for basic pattern matching
-
-Type: ips_option
+ * bool stream.ip_frags_only = false: don’t process non-frag flows
+ * int stream.ip_cache.max_sessions = 16384: maximum simultaneous
+ sessions tracked before pruning { 2: }
+ * int stream.ip_cache.pruning_timeout = 30: minimum inactive time
+ before being eligible for pruning { 1: }
+ * int stream.ip_cache.idle_timeout = 180: maximum inactive time
+ before retiring session tracker { 1: }
+ * int stream.icmp_cache.max_sessions = 65536: maximum simultaneous
+ sessions tracked before pruning { 2: }
+ * int stream.icmp_cache.pruning_timeout = 30: minimum inactive time
+ before being eligible for pruning { 1: }
+ * int stream.icmp_cache.idle_timeout = 180: maximum inactive time
+ before retiring session tracker { 1: }
+ * int stream.tcp_cache.max_sessions = 262144: maximum simultaneous
+ sessions tracked before pruning { 2: }
+ * int stream.tcp_cache.pruning_timeout = 30: minimum inactive time
+ before being eligible for pruning { 1: }
+ * int stream.tcp_cache.idle_timeout = 180: maximum inactive time
+ before retiring session tracker { 1: }
+ * int stream.udp_cache.max_sessions = 131072: maximum simultaneous
+ sessions tracked before pruning { 2: }
+ * int stream.udp_cache.pruning_timeout = 30: minimum inactive time
+ before being eligible for pruning { 1: }
+ * int stream.udp_cache.idle_timeout = 180: maximum inactive time
+ before retiring session tracker { 1: }
+ * int stream.user_cache.max_sessions = 1024: maximum simultaneous
+ sessions tracked before pruning { 2: }
+ * int stream.user_cache.pruning_timeout = 30: minimum inactive time
+ before being eligible for pruning { 1: }
+ * int stream.user_cache.idle_timeout = 180: maximum inactive time
+ before retiring session tracker { 1: }
+ * int stream.file_cache.max_sessions = 128: maximum simultaneous
+ sessions tracked before pruning { 2: }
+ * int stream.file_cache.pruning_timeout = 30: minimum inactive time
+ before being eligible for pruning { 1: }
+ * int stream.file_cache.idle_timeout = 180: maximum inactive time
+ before retiring session tracker { 1: }
-Configuration:
+Peg counts:
- * string content.~data: data to match
- * implied content.nocase: case insensitive match
- * implied content.fast_pattern: use this content in the fast
- pattern matcher instead of the content selected by default
- * int content.fast_pattern_offset = 0: number of leading characters
- of this content the fast pattern matcher should exclude { 0: }
- * int content.fast_pattern_length: maximum number of characters
- from this content the fast pattern matcher should use { 1: }
- * string content.offset: var or number of bytes from start of
- buffer to start search
- * string content.depth: var or maximum number of bytes to search
- from beginning of buffer
- * string content.distance: var or number of bytes from cursor to
- start search
- * string content.within: var or maximum number of bytes to search
- from cursor
+ * stream.ip flows: total ip sessions
+ * stream.ip total prunes: total ip sessions pruned
+ * stream.ip idle prunes: ip sessions pruned due to timeout
+ * stream.ip excess prunes: ip sessions pruned due to excess
+ * stream.ip uni prunes: ip uni sessions pruned
+ * stream.ip preemptive prunes: ip sessions pruned during preemptive
+ pruning
+ * stream.ip memcap prunes: ip sessions pruned due to memcap
+ * stream.ip ha prunes: ip sessions pruned by high availability sync
+ * stream.icmp flows: total icmp sessions
+ * stream.icmp total prunes: total icmp sessions pruned
+ * stream.icmp idle prunes: icmp sessions pruned due to timeout
+ * stream.icmp excess prunes: icmp sessions pruned due to excess
+ * stream.icmp uni prunes: icmp uni sessions pruned
+ * stream.icmp preemptive prunes: icmp sessions pruned during
+ preemptive pruning
+ * stream.icmp memcap prunes: icmp sessions pruned due to memcap
+ * stream.icmp ha prunes: icmp sessions pruned by high availability
+ sync
+ * stream.tcp flows: total tcp sessions
+ * stream.tcp total prunes: total tcp sessions pruned
+ * stream.tcp idle prunes: tcp sessions pruned due to timeout
+ * stream.tcp excess prunes: tcp sessions pruned due to excess
+ * stream.tcp uni prunes: tcp uni sessions pruned
+ * stream.tcp preemptive prunes: tcp sessions pruned during
+ preemptive pruning
+ * stream.tcp memcap prunes: tcp sessions pruned due to memcap
+ * stream.tcp ha prunes: tcp sessions pruned by high availability
+ sync
+ * stream.udp flows: total udp sessions
+ * stream.udp total prunes: total udp sessions pruned
+ * stream.udp idle prunes: udp sessions pruned due to timeout
+ * stream.udp excess prunes: udp sessions pruned due to excess
+ * stream.udp uni prunes: udp uni sessions pruned
+ * stream.udp preemptive prunes: udp sessions pruned during
+ preemptive pruning
+ * stream.udp memcap prunes: udp sessions pruned due to memcap
+ * stream.udp ha prunes: udp sessions pruned by high availability
+ sync
+ * stream.user flows: total user sessions
+ * stream.user total prunes: total user sessions pruned
+ * stream.user idle prunes: user sessions pruned due to timeout
+ * stream.user excess prunes: user sessions pruned due to excess
+ * stream.user uni prunes: user uni sessions pruned
+ * stream.user preemptive prunes: user sessions pruned during
+ preemptive pruning
+ * stream.user memcap prunes: user sessions pruned due to memcap
+ * stream.user ha prunes: user sessions pruned by high availability
+ sync
+ * stream.file flows: total file sessions
+ * stream.file total prunes: total file sessions pruned
+ * stream.file idle prunes: file sessions pruned due to timeout
+ * stream.file excess prunes: file sessions pruned due to excess
+ * stream.file uni prunes: file uni sessions pruned
+ * stream.file preemptive prunes: file sessions pruned during
+ preemptive pruning
+ * stream.file memcap prunes: file sessions pruned due to memcap
+ * stream.file ha prunes: file sessions pruned by high availability
+ sync
-8.11. cvs
+8.31. stream_file
--------------
-What: payload rule option for detecting specific attacks
+What: stream inspector for file flow tracking and processing
-Type: ips_option
+Type: inspector
Configuration:
- * implied cvs.invalid-entry: looks for an invalid Entry string
+ * bool stream_file.upload = false: indicate file transfer direction
-8.12. dce_iface
+8.32. stream_icmp
--------------
-What: detection option to check dcerpc interface
+What: stream inspector for ICMP flow tracking
-Type: ips_option
+Type: inspector
Configuration:
- * string dce_iface.uuid: match given dcerpc uuid
- * string dce_iface.version: interface version
- * implied dce_iface.any_frag: match on any fragment
+ * int stream_icmp.session_timeout = 30: session tracking timeout {
+ 1:86400 }
+
+Peg counts:
+
+ * stream_icmp.sessions: total icmp sessions
+ * stream_icmp.max: max icmp sessions
+ * stream_icmp.created: icmp session trackers created
+ * stream_icmp.released: icmp session trackers released
+ * stream_icmp.timeouts: icmp session timeouts
+ * stream_icmp.prunes: icmp session prunes
-8.13. dce_opnum
+8.33. stream_ip
--------------
-What: detection option to check dcerpc operation number
+What: stream inspector for IP flow tracking and defragmentation
-Type: ips_option
+Type: inspector
Configuration:
- * string dce_opnum.~: match given dcerpc operation number, range or
- list
-
+ * int stream_ip.max_frags = 8192: maximum number of simultaneous
+ fragments being tracked { 1: }
+ * int stream_ip.max_overlaps = 0: maximum allowed overlaps per
+ datagram; 0 is unlimited { 0: }
+ * int stream_ip.min_frag_length = 0: alert if fragment length is
+ below this limit before or after trimming { 0: }
+ * int stream_ip.min_ttl = 1: discard fragments with ttl below the
+ minimum { 1:255 }
+ * enum stream_ip.policy = linux: fragment reassembly policy { first
+ | linux | bsd | bsd_right | last | windows | solaris }
+ * int stream_ip.session_timeout = 30: session tracking timeout {
+ 1:86400 }
+ * int stream_ip.trace: mask for enabling debug traces in module
-8.14. dce_stub_data
+Rules:
---------------
+ * 123:1 (stream_ip) inconsistent IP options on fragmented packets
+ * 123:2 (stream_ip) teardrop attack
+ * 123:3 (stream_ip) short fragment, possible DOS attempt
+ * 123:4 (stream_ip) fragment packet ends after defragmented packet
+ * 123:5 (stream_ip) zero-byte fragment packet
+ * 123:6 (stream_ip) bad fragment size, packet size is negative
+ * 123:7 (stream_ip) bad fragment size, packet size is greater than
+ 65536
+ * 123:8 (stream_ip) fragmentation overlap
+ * 123:11 (stream_ip) TTL value less than configured minimum, not
+ using for reassembly
+ * 123:12 (stream_ip) excessive fragment overlap
+ * 123:13 (stream_ip) tiny fragment
-What: sets the cursor to dcerpc stub data
+Peg counts:
-Type: ips_option
+ * stream_ip.sessions: total ip sessions
+ * stream_ip.max: max ip sessions
+ * stream_ip.created: ip session trackers created
+ * stream_ip.released: ip session trackers released
+ * stream_ip.timeouts: ip session timeouts
+ * stream_ip.prunes: ip session prunes
+ * stream_ip.total frags: total fragments
+ * stream_ip.current frags: current fragments
+ * stream_ip.max frags: max fragments
+ * stream_ip.reassembled: reassembled datagrams
+ * stream_ip.discards: fragments discarded
+ * stream_ip.frag timeouts: datagrams abandoned
+ * stream_ip.overlaps: overlapping fragments
+ * stream_ip.anomalies: anomalies detected
+ * stream_ip.alerts: alerts generated
+ * stream_ip.drops: fragments dropped
+ * stream_ip.trackers added: datagram trackers created
+ * stream_ip.trackers freed: datagram trackers released
+ * stream_ip.trackers cleared: datagram trackers cleared
+ * stream_ip.trackers completed: datagram trackers completed
+ * stream_ip.nodes inserted: fragments added to tracker
+ * stream_ip.nodes deleted: fragments deleted from tracker
+ * stream_ip.memory used: current memory usage in bytes
+ * stream_ip.reassembled bytes: total reassembled bytes
+ * stream_ip.fragmented bytes: total fragmented bytes
-8.15. detection_filter
+8.34. stream_tcp
--------------
-What: rule option to require multiple hits before a rule generates an
-event
+What: stream inspector for TCP flow tracking and stream normalization
+and reassembly
-Type: ips_option
+Type: inspector
Configuration:
- * enum detection_filter.track: track hits by source or destination
- IP address { by_src | by_dst }
- * int detection_filter.count: hits in interval before allowing the
- rule to fire { 1: }
- * int detection_filter.seconds: length of interval to count hits {
- 1: }
-
+ * int stream_tcp.flush_factor = 0: flush upon seeing a drop in
+ segment size after given number of non-decreasing segments { 0: }
+ * bool stream_tcp.ignore_any_rules = false: process tcp content
+ rules w/o ports only if rules with ports are present
+ * int stream_tcp.max_window = 0: maximum allowed tcp window {
+ 0:1073725440 }
+ * int stream_tcp.overlap_limit = 0: maximum number of allowed
+ overlapping segments per session { 0:255 }
+ * int stream_tcp.max_pdu = 16384: maximum reassembled PDU size {
+ 1460:65535 }
+ * enum stream_tcp.policy = bsd: determines operating system
+ characteristics like reassembly { first | last | linux |
+ old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 |
+ windows | win_2003 | vista | proxy }
+ * bool stream_tcp.reassemble_async = true: queue data for
+ reassembly before traffic is seen in both directions
+ * int stream_tcp.require_3whs = -1: don’t track midstream sessions
+ after given seconds from start up; -1 tracks all { -1:86400 }
+ * bool stream_tcp.show_rebuilt_packets = false: enable cmg like
+ output of reassembled packets
+ * int stream_tcp.queue_limit.max_bytes = 1048576: don’t queue more
+ than given bytes per session and direction { 0: }
+ * int stream_tcp.queue_limit.max_segments = 2621: don’t queue more
+ than given segments per session and direction { 0: }
+ * int stream_tcp.small_segments.count = 0: limit number of small
+ segments queued { 0:2048 }
+ * int stream_tcp.small_segments.maximum_size = 0: limit number of
+ small segments queued { 0:2048 }
+ * int stream_tcp.session_timeout = 30: session tracking timeout {
+ 1:86400 }
+ * int stream_tcp.footprint = 0: use zero for production, non-zero
+ for testing at given size { 0: }
-8.16. dnp3_data
+Rules:
---------------
+ * 129:1 (stream_tcp) SYN on established session
+ * 129:2 (stream_tcp) data on SYN packet
+ * 129:3 (stream_tcp) data sent on stream not accepting data
+ * 129:4 (stream_tcp) TCP timestamp is outside of PAWS window
+ * 129:5 (stream_tcp) bad segment, adjusted size ⇐ 0 (deprecated)
+ * 129:6 (stream_tcp) window size (after scaling) larger than policy
+ allows
+ * 129:7 (stream_tcp) limit on number of overlapping TCP packets
+ reached
+ * 129:8 (stream_tcp) data sent on stream after TCP reset sent
+ * 129:9 (stream_tcp) TCP client possibly hijacked, different
+ ethernet address
+ * 129:10 (stream_tcp) TCP server possibly hijacked, different
+ ethernet address
+ * 129:11 (stream_tcp) TCP data with no TCP flags set
+ * 129:12 (stream_tcp) consecutive TCP small segments exceeding
+ threshold
+ * 129:13 (stream_tcp) 4-way handshake detected
+ * 129:14 (stream_tcp) TCP timestamp is missing
+ * 129:15 (stream_tcp) reset outside window
+ * 129:16 (stream_tcp) FIN number is greater than prior FIN
+ * 129:17 (stream_tcp) ACK number is greater than prior FIN
+ * 129:18 (stream_tcp) data sent on stream after TCP reset received
+ * 129:19 (stream_tcp) TCP window closed before receiving data
+ * 129:20 (stream_tcp) TCP session without 3-way handshake
-What: sets the cursor to dnp3 data
+Peg counts:
-Type: ips_option
+ * stream_tcp.sessions: total tcp sessions
+ * stream_tcp.max: max tcp sessions
+ * stream_tcp.created: tcp session trackers created
+ * stream_tcp.released: tcp session trackers released
+ * stream_tcp.timeouts: tcp session timeouts
+ * stream_tcp.prunes: tcp session prunes
+ * stream_tcp.resyns: SYN received on established session
+ * stream_tcp.discards: tcp packets discarded
+ * stream_tcp.events: events generated
+ * stream_tcp.ignored: tcp packets ignored
+ * stream_tcp.untracked: tcp packets not tracked
+ * stream_tcp.syn trackers: tcp session tracking started on syn
+ * stream_tcp.syn-ack trackers: tcp session tracking started on
+ syn-ack
+ * stream_tcp.3way trackers: tcp session tracking started on ack
+ * stream_tcp.data trackers: tcp session tracking started on data
+ * stream_tcp.segs queued: total segments queued
+ * stream_tcp.segs released: total segments released
+ * stream_tcp.segs split: tcp segments split when reassembling PDUs
+ * stream_tcp.segs used: queued tcp segments applied to reassembled
+ PDUs
+ * stream_tcp.rebuilt packets: total reassembled PDUs
+ * stream_tcp.rebuilt buffers: rebuilt PDU sections
+ * stream_tcp.rebuilt bytes: total rebuilt bytes
+ * stream_tcp.overlaps: overlapping segments queued
+ * stream_tcp.gaps: missing data between PDUs
+ * stream_tcp.max segs: number of times the maximum queued segment
+ limit was reached
+ * stream_tcp.max bytes: number of times the maximum queued byte
+ limit was reached
+ * stream_tcp.internal events: 135:X events generated
+ * stream_tcp.client cleanups: number of times data from server was
+ flushed when session released
+ * stream_tcp.server cleanups: number of times data from client was
+ flushed when session released
+ * stream_tcp.memory: current memory in use
+ * stream_tcp.initializing: number of sessions currently
+ initializing
+ * stream_tcp.established: number of sessions currently established
+ * stream_tcp.closing: number of sessions currently closing
-8.17. dnp3_func
+8.35. stream_udp
--------------
-What: detection option to check dnp3 function code
+What: stream inspector for UDP flow tracking
-Type: ips_option
+Type: inspector
Configuration:
- * string dnp3_func.~: match dnp3 function code or name
-
-
-8.18. dnp3_ind
-
---------------
-
-What: detection option to check dnp3 indicator flags
-
-Type: ips_option
+ * int stream_udp.session_timeout = 30: session tracking timeout {
+ 1:86400 }
+ * bool stream_udp.ignore_any_rules = false: process udp content
+ rules w/o ports only if rules with ports are present
-Configuration:
+Peg counts:
- * string dnp3_ind.~: match given dnp3 indicator flags
+ * stream_udp.sessions: total udp sessions
+ * stream_udp.max: max udp sessions
+ * stream_udp.created: udp session trackers created
+ * stream_udp.released: udp session trackers released
+ * stream_udp.timeouts: udp session timeouts
+ * stream_udp.prunes: udp session prunes
-8.19. dnp3_obj
+8.36. stream_user
--------------
-What: detection option to check dnp3 object headers
+What: stream inspector for user flow tracking and reassembly
-Type: ips_option
+Type: inspector
Configuration:
- * int dnp3_obj.group = 0: match given dnp3 object header group {
- 0:255 }
- * int dnp3_obj.var = 0: match given dnp3 object header var { 0:255
- }
+ * int stream_user.session_timeout = 30: session tracking timeout {
+ 1:86400 }
-8.20. dsize
+8.37. telnet
--------------
-What: rule option to test payload size
+What: telnet inspection and normalization
-Type: ips_option
+Type: inspector
Configuration:
- * string dsize.~range: check if packet payload size is size | min<>
- max | <max | >min
-
+ * int telnet.ayt_attack_thresh = -1: alert on this number of
+ consecutive telnet AYT commands { -1: }
+ * bool telnet.check_encrypted = false: check for end of encryption
+ * bool telnet.encrypted_traffic = false: check for encrypted telnet
+ and ftp
+ * bool telnet.normalize = false: eliminate escape sequences
-8.21. file_data
+Rules:
---------------
+ * 126:1 (telnet) consecutive telnet AYT commands beyond threshold
+ * 126:2 (telnet) telnet traffic encrypted
+ * 126:3 (telnet) telnet subnegotiation begin command without
+ subnegotiation end
-What: rule option to set detection cursor to file data
+Peg counts:
-Type: ips_option
+ * telnet.packets: total packets
-8.22. file_type
+8.38. wizard
--------------
-What: rule option to check file type
+What: inspector that implements port-independent protocol
+identification
-Type: ips_option
+Type: inspector
Configuration:
- * string file_type.~: list of file type IDs to match
+ * string wizard.hexes[].service: name of service
+ * select wizard.hexes[].proto = tcp: protocol to scan { tcp | udp }
+ * bool wizard.hexes[].client_first = true: which end initiates data
+ transfer
+ * string wizard.hexes[].to_server[].hex: sequence of data with wild
+ chars (?)
+ * string wizard.hexes[].to_client[].hex: sequence of data with wild
+ chars (?)
+ * string wizard.spells[].service: name of service
+ * select wizard.spells[].proto = tcp: protocol to scan { tcp | udp
+ }
+ * bool wizard.spells[].client_first = true: which end initiates
+ data transfer
+ * string wizard.spells[].to_server[].spell: sequence of data with
+ wild cards (*)
+ * string wizard.spells[].to_client[].spell: sequence of data with
+ wild cards (*)
+ * multi wizard.curses: enable service identification based on
+ internal algorithm { dce_smb | dce_udp | dce_tcp }
+
+Peg counts:
+ * wizard.tcp scans: tcp payload scans
+ * wizard.tcp hits: tcp identifications
+ * wizard.udp scans: udp payload scans
+ * wizard.udp hits: udp identifications
+ * wizard.user scans: user payload scans
+ * wizard.user hits: user identifications
-8.23. flags
---------------
+---------------------------------------------------------------------
-What: rule option to test TCP control flags
+9. IPS Action Modules
-Type: ips_option
+---------------------------------------------------------------------
-Configuration:
+IPS actions allow you to perform custom actions when events are
+generated. Unlike loggers, these are invoked before thresholding and
+can be used to control external agents.
- * string flags.~test_flags: these flags are tested
- * string flags.~mask_flags: these flags are don’t cares
+Externally defined actions must be configured to become available to
+the parser. For the reject rule, you can set reject = { } to get the
+rule to parse.
-8.24. flow
+9.1. react
--------------
-What: rule option to check session properties
+What: send response to client and terminate session
-Type: ips_option
+Type: ips_action
Configuration:
- * implied flow.to_client: match on server responses
- * implied flow.to_server: match on client requests
- * implied flow.from_client: same as to_server
- * implied flow.from_server: same as to_client
- * implied flow.established: match only during data transfer phase
- * implied flow.not_established: match only outside data transfer
- phase
- * implied flow.stateless: match regardless of stream state
- * implied flow.no_stream: match on raw packets only
- * implied flow.only_stream: match on reassembled packets only
- * implied flow.no_frag: match on raw packets only
- * implied flow.only_frag: match on defragmented packets only
+ * bool react.msg = false: use rule msg in response page instead of
+ default message
+ * string react.page: file containing HTTP response (headers and
+ body)
-8.25. flowbits
+9.2. reject
--------------
-What: rule option to set and test arbitrary boolean flags
+What: terminate session with TCP reset or ICMP unreachable
-Type: ips_option
+Type: ips_action
Configuration:
- * string flowbits.~command: set|reset|isset|etc.
- * string flowbits.~arg1: bits or group
- * string flowbits.~arg2: group if arg1 is bits
+ * enum reject.reset: send tcp reset to one or both ends { source|
+ dest|both }
+ * enum reject.control: send icmp unreachable(s) { network|host|port
+ |all }
-8.26. fragbits
+9.3. rewrite
--------------
-What: rule option to test IP frag flags
-
-Type: ips_option
-
-Configuration:
-
- * string fragbits.~flags: these flags are tested
-
+What: overwrite packet contents
-8.27. fragoffset
+Type: ips_action
---------------
-What: rule option to test IP frag offset
+---------------------------------------------------------------------
-Type: ips_option
+10. IPS Option Modules
-Configuration:
+---------------------------------------------------------------------
- * string fragoffset.~range: check if ip fragment offset value is
- value | min<>max | <max | >min
+IPS options are the building blocks of IPS rules.
-8.28. gid
+10.1. ack
--------------
-What: rule option specifying rule generator
+What: rule option to match on TCP ack numbers
Type: ips_option
Configuration:
- * int gid.~: generator id { 1: }
+ * string ack.~range: check if tcp ack value is value | min<>max |
+ <max | >min
-8.29. gtp_info
+10.2. appids
--------------
-What: rule option to check gtp info element
+What: detection option for application ids
Type: ips_option
Configuration:
- * string gtp_info.~: info element to match
+ * string appids.~: appid option
-8.30. gtp_type
+10.3. asn1
--------------
-What: rule option to check gtp types
+What: rule option for asn1 detection
Type: ips_option
Configuration:
- * string gtp_type.~: list of types to match
+ * implied asn1.bitstring_overflow: detects invalid bitstring
+ encodings that are known to be remotely exploitable
+ * implied asn1.double_overflow: detects a double ASCII encoding
+ that is larger than a standard buffer
+ * implied asn1.print: dump decode data to console; always true
+ * int asn1.oversize_length: compares ASN.1 type lengths with the
+ supplied argument { 0: }
+ * int asn1.absolute_offset: absolute offset from the beginning of
+ the packet { 0: }
+ * int asn1.relative_offset: relative offset from the cursor
-8.31. gtp_version
+10.4. base64_decode
--------------
-What: rule option to check gtp version
+What: rule option to decode base64 data - must be used with
+base64_data option
Type: ips_option
Configuration:
- * int gtp_version.~: version to match { 0:2 }
-
-
-8.32. http_client_body
-
---------------
-
-What: rule option to set the detection cursor to the request body
-
-Type: ips_option
+ * int base64_decode.bytes: number of base64 encoded bytes to decode
+ { 1: }
+ * int base64_decode.offset = 0: bytes past start of buffer to start
+ decoding { 0: }
+ * implied base64_decode.relative: apply offset to cursor instead of
+ start of buffer
-8.33. http_cookie
+10.5. bufferlen
--------------
-What: rule option to set the detection cursor to the HTTP cookie
+What: rule option to check length of current buffer
Type: ips_option
Configuration:
- * implied http_cookie.request: Match against the cookie from the
- request message even when examining the response
- * implied http_cookie.with_body: Parts of this rule examine HTTP
- message body
- * implied http_cookie.with_trailer: Parts of this rule examine HTTP
- message trailers
+ * string bufferlen.~range: len | min<>max | <max | >min
-8.34. http_header
+10.6. byte_extract
--------------
-What: rule option to set the detection cursor to the normalized
-headers
+What: rule option to convert data to an integer variable
Type: ips_option
Configuration:
- * string http_header.field: Restrict to given header. Header name
- is case insensitive.
- * implied http_header.request: Match against the headers from the
- request message even when examining the response
- * implied http_header.with_body: Parts of this rule examine HTTP
- message body
- * implied http_header.with_trailer: Parts of this rule examine HTTP
- message trailers
+ * int byte_extract.~count: number of bytes to pick up from the
+ buffer { 1:10 }
+ * int byte_extract.~offset: number of bytes into the buffer to
+ start processing { -65535:65535 }
+ * string byte_extract.~name: name of the variable that will be used
+ in other rule options
+ * implied byte_extract.relative: offset from cursor instead of
+ start of buffer
+ * int byte_extract.multiplier = 1: scale extracted value by given
+ amount { 1:65535 }
+ * int byte_extract.align = 0: round the number of converted bytes
+ up to the next 2- or 4-byte boundary { 0:4 }
+ * implied byte_extract.big: big endian
+ * implied byte_extract.little: little endian
+ * implied byte_extract.dce: dcerpc2 determines endianness
+ * implied byte_extract.string: convert from string
+ * implied byte_extract.hex: convert from hex string
+ * implied byte_extract.oct: convert from octal string
+ * implied byte_extract.dec: convert from decimal string
-8.35. http_method
+10.7. byte_jump
--------------
-What: rule option to set the detection cursor to the HTTP request
-method
+What: rule option to move the detection cursor
Type: ips_option
Configuration:
- * implied http_method.with_body: Parts of this rule examine HTTP
- message body
- * implied http_method.with_trailer: Parts of this rule examine HTTP
- message trailers
+ * int byte_jump.~count: number of bytes to pick up from the buffer
+ { 1:10 }
+ * string byte_jump.~offset: variable name or number of bytes into
+ the buffer to start processing
+ * implied byte_jump.relative: offset from cursor instead of start
+ of buffer
+ * implied byte_jump.from_beginning: jump from start of buffer
+ instead of cursor
+ * int byte_jump.multiplier = 1: scale extracted value by given
+ amount { 1:65535 }
+ * int byte_jump.align = 0: round the number of converted bytes up
+ to the next 2- or 4-byte boundary { 0:4 }
+ * int byte_jump.post_offset = 0: also skip forward or backwards
+ (positive of negative value) this number of bytes { -65535:65535
+ }
+ * implied byte_jump.big: big endian
+ * implied byte_jump.little: little endian
+ * implied byte_jump.dce: dcerpc2 determines endianness
+ * implied byte_jump.string: convert from string
+ * implied byte_jump.hex: convert from hex string
+ * implied byte_jump.oct: convert from octal string
+ * implied byte_jump.dec: convert from decimal string
-8.36. http_raw_cookie
+10.8. byte_test
--------------
-What: rule option to set the detection cursor to the unnormalized
-cookie
+What: rule option to convert data to integer and compare
Type: ips_option
Configuration:
- * implied http_raw_cookie.request: Match against the cookie from
- the request message even when examining the response
- * implied http_raw_cookie.with_body: Parts of this rule examine
- HTTP message body
- * implied http_raw_cookie.with_trailer: Parts of this rule examine
- HTTP message trailers
+ * int byte_test.~count: number of bytes to pick up from the buffer
+ { 1:10 }
+ * string byte_test.~operator: variable name or number of bytes into
+ the buffer to start processing
+ * string byte_test.~compare: variable name or value to test the
+ converted result against
+ * string byte_test.~offset: variable name or number of bytes into
+ the payload to start processing
+ * implied byte_test.relative: offset from cursor instead of start
+ of buffer
+ * implied byte_test.big: big endian
+ * implied byte_test.little: little endian
+ * implied byte_test.dce: dcerpc2 determines endianness
+ * implied byte_test.string: convert from string
+ * implied byte_test.hex: convert from hex string
+ * implied byte_test.oct: convert from octal string
+ * implied byte_test.dec: convert from decimal string
-8.37. http_raw_header
+10.9. classtype
--------------
-What: rule option to set the detection cursor to the unnormalized
-headers
+What: general rule option for rule classification
Type: ips_option
Configuration:
- * implied http_raw_header.request: Match against the headers from
- the request message even when examining the response
- * implied http_raw_header.with_body: Parts of this rule examine
- HTTP message body
- * implied http_raw_header.with_trailer: Parts of this rule examine
- HTTP message trailers
+ * string classtype.~: classification for this rule
-8.38. http_raw_request
+10.10. content
--------------
-What: rule option to set the detection cursor to the unnormalized
-request line
+What: payload rule option for basic pattern matching
Type: ips_option
Configuration:
- * implied http_raw_request.with_body: Parts of this rule examine
- HTTP message body
- * implied http_raw_request.with_trailer: Parts of this rule examine
- HTTP message trailers
+ * string content.~data: data to match
+ * implied content.nocase: case insensitive match
+ * implied content.fast_pattern: use this content in the fast
+ pattern matcher instead of the content selected by default
+ * int content.fast_pattern_offset = 0: number of leading characters
+ of this content the fast pattern matcher should exclude { 0: }
+ * int content.fast_pattern_length: maximum number of characters
+ from this content the fast pattern matcher should use { 1: }
+ * string content.offset: var or number of bytes from start of
+ buffer to start search
+ * string content.depth: var or maximum number of bytes to search
+ from beginning of buffer
+ * string content.distance: var or number of bytes from cursor to
+ start search
+ * string content.within: var or maximum number of bytes to search
+ from cursor
-8.39. http_raw_status
+10.11. cvs
--------------
-What: rule option to set the detection cursor to the unnormalized
-status line
+What: payload rule option for detecting specific attacks
Type: ips_option
Configuration:
- * implied http_raw_status.with_body: Parts of this rule examine
- HTTP message body
- * implied http_raw_status.with_trailer: Parts of this rule examine
- HTTP message trailers
+ * implied cvs.invalid-entry: looks for an invalid Entry string
-8.40. http_raw_trailer
+10.12. dce_iface
--------------
-What: rule option to set the detection cursor to the unnormalized
-trailers
+What: detection option to check dcerpc interface
Type: ips_option
Configuration:
- * implied http_raw_trailer.request: Match against the trailers from
- the request message even when examining the response
- * implied http_raw_trailer.with_header: Parts of this rule examine
- HTTP response message headers (must be combined with request)
- * implied http_raw_trailer.with_body: Parts of this rule examine
- HTTP response message body (must be combined with request)
+ * string dce_iface.uuid: match given dcerpc uuid
+ * string dce_iface.version: interface version
+ * implied dce_iface.any_frag: match on any fragment
-8.41. http_raw_uri
+10.13. dce_opnum
--------------
-What: rule option to set the detection cursor to the unnormalized URI
+What: detection option to check dcerpc operation number
Type: ips_option
Configuration:
- * implied http_raw_uri.with_body: Parts of this rule examine HTTP
- message body
- * implied http_raw_uri.with_trailer: Parts of this rule examine
- HTTP message trailers
- * implied http_raw_uri.scheme: match against scheme section of URI
- only
- * implied http_raw_uri.host: match against host section of URI only
- * implied http_raw_uri.port: match against port section of URI only
- * implied http_raw_uri.path: match against path section of URI only
- * implied http_raw_uri.query: match against query section of URI
- only
- * implied http_raw_uri.fragment: match against fragment section of
- URI only
+ * string dce_opnum.~: match given dcerpc operation number, range or
+ list
-8.42. http_stat_code
+10.14. dce_stub_data
--------------
-What: rule option to set the detection cursor to the HTTP status code
+What: sets the cursor to dcerpc stub data
Type: ips_option
-Configuration:
-
- * implied http_stat_code.with_body: Parts of this rule examine HTTP
- message body
- * implied http_stat_code.with_trailer: Parts of this rule examine
- HTTP message trailers
-
-8.43. http_stat_msg
+10.15. detection_filter
--------------
-What: rule option to set the detection cursor to the HTTP status
-message
+What: rule option to require multiple hits before a rule generates an
+event
Type: ips_option
Configuration:
- * implied http_stat_msg.with_body: Parts of this rule examine HTTP
- message body
- * implied http_stat_msg.with_trailer: Parts of this rule examine
- HTTP message trailers
+ * enum detection_filter.track: track hits by source or destination
+ IP address { by_src | by_dst }
+ * int detection_filter.count: hits in interval before allowing the
+ rule to fire { 1: }
+ * int detection_filter.seconds: length of interval to count hits {
+ 1: }
-8.44. http_trailer
+10.16. dnp3_data
--------------
-What: rule option to set the detection cursor to the normalized
-trailers
+What: sets the cursor to dnp3 data
Type: ips_option
-Configuration:
-
- * string http_trailer.field: restrict to given trailer
- * implied http_trailer.request: Match against the trailers from the
- request message even when examining the response
- * implied http_trailer.with_header: Parts of this rule examine HTTP
- response message headers (must be combined with request)
- * implied http_trailer.with_body: Parts of this rule examine HTTP
- message body (must be combined with request)
-
-8.45. http_uri
+10.17. dnp3_func
--------------
-What: rule option to set the detection cursor to the normalized URI
-buffer
+What: detection option to check dnp3 function code
Type: ips_option
Configuration:
- * implied http_uri.with_body: Parts of this rule examine HTTP
- message body
- * implied http_uri.with_trailer: Parts of this rule examine HTTP
- message trailers
- * implied http_uri.scheme: match against scheme section of URI only
- * implied http_uri.host: match against host section of URI only
- * implied http_uri.port: match against port section of URI only
- * implied http_uri.path: match against path section of URI only
- * implied http_uri.query: match against query section of URI only
- * implied http_uri.fragment: match against fragment section of URI
- only
+ * string dnp3_func.~: match dnp3 function code or name
-8.46. http_version
+10.18. dnp3_ind
--------------
-What: rule option to set the detection cursor to the version buffer
+What: detection option to check dnp3 indicator flags
Type: ips_option
Configuration:
- * implied http_version.request: Match against the version from the
- request message even when examining the response
- * implied http_version.with_body: Parts of this rule examine HTTP
- message body
- * implied http_version.with_trailer: Parts of this rule examine
- HTTP message trailers
+ * string dnp3_ind.~: match given dnp3 indicator flags
-8.47. icmp_id
+10.19. dnp3_obj
--------------
-What: rule option to check ICMP ID
+What: detection option to check dnp3 object headers
Type: ips_option
Configuration:
- * string icmp_id.~range: check if icmp id is id | min<>max | <max |
- >min
+ * int dnp3_obj.group = 0: match given dnp3 object header group {
+ 0:255 }
+ * int dnp3_obj.var = 0: match given dnp3 object header var { 0:255
+ }
-8.48. icmp_seq
+10.20. dsize
--------------
-What: rule option to check ICMP sequence number
+What: rule option to test payload size
Type: ips_option
Configuration:
- * string icmp_seq.~range: check if icmp sequence number is seq |
- min<>max | <max | >min
+ * string dsize.~range: check if packet payload size is size | min<>
+ max | <max | >min
-8.49. icode
+10.21. file_data
--------------
-What: rule option to check ICMP code
+What: rule option to set detection cursor to file data
Type: ips_option
-Configuration:
-
- * string icode.~range: check if ICMP code is code | min<>max | <max
- | >min
-
-8.50. id
+10.22. file_type
--------------
-What: rule option to check the IP ID field
+What: rule option to check file type
Type: ips_option
Configuration:
- * string id.~range: check if the IP ID is id | min<>max | <max | >
- min
+ * string file_type.~: list of file type IDs to match
-8.51. ip_proto
+10.23. flags
--------------
-What: rule option to check the IP protocol number
+What: rule option to test TCP control flags
Type: ips_option
Configuration:
- * string ip_proto.~proto: [!|>|<] name or number
+ * string flags.~test_flags: these flags are tested
+ * string flags.~mask_flags: these flags are don’t cares
-8.52. ipopts
+10.24. flow
--------------
-What: rule option to check for IP options
+What: rule option to check session properties
Type: ips_option
Configuration:
- * select ipopts.~opt: output format { rr|eol|nop|ts|sec|esec|lsrr|
- lsrre|ssrr|satid|any }
+ * implied flow.to_client: match on server responses
+ * implied flow.to_server: match on client requests
+ * implied flow.from_client: same as to_server
+ * implied flow.from_server: same as to_client
+ * implied flow.established: match only during data transfer phase
+ * implied flow.not_established: match only outside data transfer
+ phase
+ * implied flow.stateless: match regardless of stream state
+ * implied flow.no_stream: match on raw packets only
+ * implied flow.only_stream: match on reassembled packets only
+ * implied flow.no_frag: match on raw packets only
+ * implied flow.only_frag: match on defragmented packets only
-8.53. isdataat
+10.25. flowbits
--------------
-What: rule option to check for the presence of payload data
+What: rule option to set and test arbitrary boolean flags
Type: ips_option
Configuration:
- * string isdataat.~length: num | !num
- * implied isdataat.relative: offset from cursor instead of start of
- buffer
+ * string flowbits.~command: set|reset|isset|etc.
+ * string flowbits.~arg1: bits or group
+ * string flowbits.~arg2: group if arg1 is bits
-8.54. itype
+10.26. fragbits
--------------
-What: rule option to check ICMP type
+What: rule option to test IP frag flags
Type: ips_option
Configuration:
- * string itype.~range: check if icmp type is type | min<>max | <max
- | >min
+ * string fragbits.~flags: these flags are tested
-8.55. md5
+10.27. fragoffset
--------------
-What: payload rule option for hash matching
+What: rule option to test IP frag offset
Type: ips_option
Configuration:
- * string md5.~hash: data to match
- * int md5.length: number of octets in plain text { 1:65535 }
- * string md5.offset: var or number of bytes from start of buffer to
- start search
- * implied md5.relative = false: offset from cursor instead of start
- of buffer
+ * string fragoffset.~range: check if ip fragment offset value is
+ value | min<>max | <max | >min
-8.56. metadata
+10.28. gid
--------------
-What: rule option for conveying arbitrary name, value data within the
-rule text
+What: rule option specifying rule generator
Type: ips_option
Configuration:
- * string metadata.service: service name
- * string metadata.*: additional parameters not used by snort
+ * int gid.~: generator id { 1: }
-8.57. modbus_data
+10.29. gtp_info
--------------
-What: rule option to set cursor to modbus data
+What: rule option to check gtp info element
Type: ips_option
+Configuration:
+
+ * string gtp_info.~: info element to match
+
-8.58. modbus_func
+10.30. gtp_type
--------------
-What: rule option to check modbus function code
+What: rule option to check gtp types
Type: ips_option
Configuration:
- * string modbus_func.~: function code to match
+ * string gtp_type.~: list of types to match
-8.59. modbus_unit
+10.31. gtp_version
--------------
-What: rule option to check modbus unit ID
+What: rule option to check gtp version
Type: ips_option
Configuration:
- * int modbus_unit.~: modbus unit ID { 0:255 }
+ * int gtp_version.~: version to match { 0:2 }
-8.60. msg
+10.32. http_client_body
--------------
-What: rule option summarizing rule purpose output with events
+What: rule option to set the detection cursor to the request body
Type: ips_option
-Configuration:
-
- * string msg.~: message describing rule
-
-8.61. pcre
+10.33. http_cookie
--------------
-What: rule option for matching payload data with pcre
+What: rule option to set the detection cursor to the HTTP cookie
Type: ips_option
Configuration:
- * string pcre.~re: Snort regular expression
+ * implied http_cookie.request: match against the cookie from the
+ request message even when examining the response
+ * implied http_cookie.with_body: parts of this rule examine HTTP
+ message body
+ * implied http_cookie.with_trailer: parts of this rule examine HTTP
+ message trailers
-8.62. pkt_data
+10.34. http_header
--------------
What: rule option to set the detection cursor to the normalized
-packet data
+headers
Type: ips_option
+Configuration:
+
+ * string http_header.field: restrict to given header. Header name
+ is case insensitive.
+ * implied http_header.request: match against the headers from the
+ request message even when examining the response
+ * implied http_header.with_body: parts of this rule examine HTTP
+ message body
+ * implied http_header.with_trailer: parts of this rule examine HTTP
+ message trailers
+
-8.63. priority
+10.35. http_method
--------------
-What: rule option for prioritizing events
+What: rule option to set the detection cursor to the HTTP request
+method
Type: ips_option
Configuration:
- * int priority.~: relative severity level; 1 is highest priority {
- 1: }
+ * implied http_method.with_body: parts of this rule examine HTTP
+ message body
+ * implied http_method.with_trailer: parts of this rule examine HTTP
+ message trailers
-8.64. raw_data
+10.36. http_raw_cookie
--------------
-What: rule option to set the detection cursor to the raw packet data
+What: rule option to set the detection cursor to the unnormalized
+cookie
Type: ips_option
+Configuration:
+
+ * implied http_raw_cookie.request: match against the cookie from
+ the request message even when examining the response
+ * implied http_raw_cookie.with_body: parts of this rule examine
+ HTTP message body
+ * implied http_raw_cookie.with_trailer: parts of this rule examine
+ HTTP message trailers
+
-8.65. reference
+10.37. http_raw_header
--------------
-What: rule option to indicate relevant attack identification system
+What: rule option to set the detection cursor to the unnormalized
+headers
Type: ips_option
Configuration:
- * string reference.~scheme: reference scheme
- * string reference.~id: reference id
+ * implied http_raw_header.request: match against the headers from
+ the request message even when examining the response
+ * implied http_raw_header.with_body: parts of this rule examine
+ HTTP message body
+ * implied http_raw_header.with_trailer: parts of this rule examine
+ HTTP message trailers
-8.66. regex
+10.38. http_raw_request
--------------
-What: rule option for matching payload data with hyperscan regex
+What: rule option to set the detection cursor to the unnormalized
+request line
Type: ips_option
Configuration:
- * string regex.~re: hyperscan regular expression
- * implied regex.nocase: case insensitive match
- * implied regex.dotall: matching a . will not exclude newlines
- * implied regex.multiline: ^ and $ anchors match any newlines in
- data
- * implied regex.relative: start search from end of last match
- instead of start of buffer
+ * implied http_raw_request.with_body: parts of this rule examine
+ HTTP message body
+ * implied http_raw_request.with_trailer: parts of this rule examine
+ HTTP message trailers
-8.67. rem
+10.39. http_raw_status
--------------
-What: rule option to convey an arbitrary comment in the rule body
+What: rule option to set the detection cursor to the unnormalized
+status line
Type: ips_option
Configuration:
- * string rem.~: comment
+ * implied http_raw_status.with_body: parts of this rule examine
+ HTTP message body
+ * implied http_raw_status.with_trailer: parts of this rule examine
+ HTTP message trailers
-8.68. replace
+10.40. http_raw_trailer
--------------
-What: rule option to overwrite payload data; use with rewrite action
+What: rule option to set the detection cursor to the unnormalized
+trailers
Type: ips_option
Configuration:
- * string replace.~: byte code to replace with
+ * implied http_raw_trailer.request: match against the trailers from
+ the request message even when examining the response
+ * implied http_raw_trailer.with_header: parts of this rule examine
+ HTTP response message headers (must be combined with request)
+ * implied http_raw_trailer.with_body: parts of this rule examine
+ HTTP response message body (must be combined with request)
-8.69. rev
+10.41. http_raw_uri
--------------
-What: rule option to indicate current revision of signature
+What: rule option to set the detection cursor to the unnormalized URI
Type: ips_option
Configuration:
- * int rev.~: revision { 1: }
+ * implied http_raw_uri.with_body: parts of this rule examine HTTP
+ message body
+ * implied http_raw_uri.with_trailer: parts of this rule examine
+ HTTP message trailers
+ * implied http_raw_uri.scheme: match against scheme section of URI
+ only
+ * implied http_raw_uri.host: match against host section of URI only
+ * implied http_raw_uri.port: match against port section of URI only
+ * implied http_raw_uri.path: match against path section of URI only
+ * implied http_raw_uri.query: match against query section of URI
+ only
+ * implied http_raw_uri.fragment: match against fragment section of
+ URI only
-8.70. rpc
+10.42. http_stat_code
--------------
-What: rule option to check SUNRPC CALL parameters
+What: rule option to set the detection cursor to the HTTP status code
Type: ips_option
Configuration:
- * int rpc.~app: application number
- * int rpc.ver: version number or * for any
- * int rpc.proc: procedure number or * for any
+ * implied http_stat_code.with_body: parts of this rule examine HTTP
+ message body
+ * implied http_stat_code.with_trailer: parts of this rule examine
+ HTTP message trailers
-8.71. sd_pattern
+10.43. http_stat_msg
--------------
-What: rule option for detecting sensitive data
+What: rule option to set the detection cursor to the HTTP status
+message
Type: ips_option
Configuration:
- * string sd_pattern.~pattern: The pattern to search for
- * int sd_pattern.threshold: number of matches before alerting { 1 }
-
-Peg counts:
-
- * sd_pattern.below threshold: sd_pattern matched but missed
- threshold
- * sd_pattern.pattern not found: sd_pattern did not not match
- * sd_pattern.terminated: hyperscan terminated
+ * implied http_stat_msg.with_body: parts of this rule examine HTTP
+ message body
+ * implied http_stat_msg.with_trailer: parts of this rule examine
+ HTTP message trailers
-8.72. seq
+10.44. http_trailer
--------------
-What: rule option to check TCP sequence number
+What: rule option to set the detection cursor to the normalized
+trailers
Type: ips_option
Configuration:
- * string seq.~range: check if tcp sequence number value is value |
- min<>max | <max | >min
+ * string http_trailer.field: restrict to given trailer
+ * implied http_trailer.request: match against the trailers from the
+ request message even when examining the response
+ * implied http_trailer.with_header: parts of this rule examine HTTP
+ response message headers (must be combined with request)
+ * implied http_trailer.with_body: parts of this rule examine HTTP
+ message body (must be combined with request)
-8.73. session
+10.45. http_uri
--------------
-What: rule option to check user data from TCP sessions
+What: rule option to set the detection cursor to the normalized URI
+buffer
Type: ips_option
Configuration:
- * enum session.~mode: output format { printable|binary|all }
+ * implied http_uri.with_body: parts of this rule examine HTTP
+ message body
+ * implied http_uri.with_trailer: parts of this rule examine HTTP
+ message trailers
+ * implied http_uri.scheme: match against scheme section of URI only
+ * implied http_uri.host: match against host section of URI only
+ * implied http_uri.port: match against port section of URI only
+ * implied http_uri.path: match against path section of URI only
+ * implied http_uri.query: match against query section of URI only
+ * implied http_uri.fragment: match against fragment section of URI
+ only
-8.74. sha256
+10.46. http_version
--------------
-What: payload rule option for hash matching
+What: rule option to set the detection cursor to the version buffer
Type: ips_option
Configuration:
- * string sha256.~hash: data to match
- * int sha256.length: number of octets in plain text { 1:65535 }
- * string sha256.offset: var or number of bytes from start of buffer
- to start search
- * implied sha256.relative = false: offset from cursor instead of
- start of buffer
+ * implied http_version.request: match against the version from the
+ request message even when examining the response
+ * implied http_version.with_body: parts of this rule examine HTTP
+ message body
+ * implied http_version.with_trailer: parts of this rule examine
+ HTTP message trailers
-8.75. sha512
+10.47. icmp_id
--------------
-What: payload rule option for hash matching
+What: rule option to check ICMP ID
Type: ips_option
Configuration:
- * string sha512.~hash: data to match
- * int sha512.length: number of octets in plain text { 1:65535 }
- * string sha512.offset: var or number of bytes from start of buffer
- to start search
- * implied sha512.relative = false: offset from cursor instead of
- start of buffer
+ * string icmp_id.~range: check if icmp id is id | min<>max | <max |
+ >min
-8.76. sid
+10.48. icmp_seq
--------------
-What: rule option to indicate signature number
+What: rule option to check ICMP sequence number
Type: ips_option
Configuration:
- * int sid.~: signature id { 1: }
+ * string icmp_seq.~range: check if icmp sequence number is seq |
+ min<>max | <max | >min
-8.77. sip_body
+10.49. icode
--------------
-What: rule option to set the detection cursor to the request body
+What: rule option to check ICMP code
Type: ips_option
+Configuration:
+
+ * string icode.~range: check if ICMP code is code | min<>max | <max
+ | >min
+
-8.78. sip_header
+10.50. id
--------------
-What: rule option to set the detection cursor to the SIP header
-buffer
+What: rule option to check the IP ID field
Type: ips_option
+Configuration:
+
+ * string id.~range: check if the IP ID is id | min<>max | <max | >
+ min
+
-8.79. sip_method
+10.51. ip_proto
--------------
-What: detection option for sip stat code
+What: rule option to check the IP protocol number
Type: ips_option
Configuration:
- * string sip_method.*method: sip method
+ * string ip_proto.~proto: [!|>|<] name or number
-8.80. sip_stat_code
+10.52. ipopts
--------------
-What: detection option for sip stat code
+What: rule option to check for IP options
Type: ips_option
Configuration:
- * int sip_stat_code.*code: stat code { 1:999 }
+ * select ipopts.~opt: output format { rr|eol|nop|ts|sec|esec|lsrr|
+ lsrre|ssrr|satid|any }
-8.81. so
+10.53. isdataat
--------------
-What: rule option to call custom eval function
+What: rule option to check for the presence of payload data
Type: ips_option
Configuration:
- * string so.~func: name of eval function
+ * string isdataat.~length: num | !num
+ * implied isdataat.relative: offset from cursor instead of start of
+ buffer
-8.82. soid
+10.54. itype
--------------
-What: rule option to specify a shared object rule ID
+What: rule option to check ICMP type
Type: ips_option
Configuration:
- * string soid.~: SO rule ID has <gid>|<sid> format, like 3|12345
+ * string itype.~range: check if icmp type is type | min<>max | <max
+ | >min
-8.83. ssl_state
+10.55. md5
--------------
-What: detection option for ssl state
+What: payload rule option for hash matching
Type: ips_option
Configuration:
- * implied ssl_state.client_hello: check for client hello
- * implied ssl_state.server_hello: check for server hello
- * implied ssl_state.client_keyx: check for client keyx
- * implied ssl_state.server_keyx: check for server keyx
- * implied ssl_state.unknown: check for unknown record
- * implied ssl_state.!client_hello: check for records that are not
- client hello
- * implied ssl_state.!server_hello: check for records that are not
- server hello
- * implied ssl_state.!client_keyx: check for records that are not
- client keyx
- * implied ssl_state.!server_keyx: check for records that are not
- server keyx
- * implied ssl_state.!unknown: check for records that are not
- unknown
+ * string md5.~hash: data to match
+ * int md5.length: number of octets in plain text { 1:65535 }
+ * string md5.offset: var or number of bytes from start of buffer to
+ start search
+ * implied md5.relative = false: offset from cursor instead of start
+ of buffer
-8.84. ssl_version
+10.56. metadata
--------------
-What: detection option for ssl version
+What: rule option for conveying arbitrary name, value data within the
+rule text
Type: ips_option
Configuration:
- * implied ssl_version.sslv2: check for sslv2
- * implied ssl_version.sslv3: check for sslv3
- * implied ssl_version.tls1.0: check for tls1.0
- * implied ssl_version.tls1.1: check for tls1.1
- * implied ssl_version.tls1.2: check for tls1.2
- * implied ssl_version.!sslv2: check for records that are not sslv2
- * implied ssl_version.!sslv3: check for records that are not sslv3
- * implied ssl_version.!tls1.0: check for records that are not
- tls1.0
- * implied ssl_version.!tls1.1: check for records that are not
- tls1.1
- * implied ssl_version.!tls1.2: check for records that are not
- tls1.2
+ * string metadata.service: service name
+ * string metadata.*: additional parameters not used by snort
+
+
+10.57. modbus_data
+
+--------------
+
+What: rule option to set cursor to modbus data
+
+Type: ips_option
-8.85. stream_reassemble
+10.58. modbus_func
--------------
-What: detection option for stream reassembly control
+What: rule option to check modbus function code
Type: ips_option
Configuration:
- * enum stream_reassemble.action: stop or start stream reassembly {
- disable|enable }
- * enum stream_reassemble.direction: action applies to the given
- direction(s) { client|server|both }
- * implied stream_reassemble.noalert: don’t alert when rule matches
- * implied stream_reassemble.fastpath: optionally whitelist the
- remainder of the session
+ * string modbus_func.~: function code to match
-8.86. stream_size
+10.59. modbus_unit
--------------
-What: detection option for stream size checking
+What: rule option to check modbus unit ID
Type: ips_option
Configuration:
- * string stream_size.~range: size for comparison
- * enum stream_size.~direction: compare applies to the given
- direction(s) { either|to_server|to_client|both }
+ * int modbus_unit.~: modbus unit ID { 0:255 }
-8.87. tag
+10.60. msg
--------------
-What: rule option to log additional packets
+What: rule option summarizing rule purpose output with events
Type: ips_option
Configuration:
- * enum tag.~: log all packets in session or all packets to or from
- host { session|host_src|host_dst }
- * int tag.packets: tag this many packets { 1: }
- * int tag.seconds: tag for this many seconds { 1: }
- * int tag.bytes: tag for this many bytes { 1: }
+ * string msg.~: message describing rule
-8.88. tos
+10.61. pcre
--------------
-What: rule option to check type of service field
+What: rule option for matching payload data with pcre
Type: ips_option
Configuration:
- * string tos.~range: check if ip tos value is value | min<>max |
- <max | >min
+ * string pcre.~re: Snort regular expression
-8.89. ttl
+10.62. pkt_data
--------------
-What: rule option to check time to live field
+What: rule option to set the detection cursor to the normalized
+packet data
Type: ips_option
-Configuration:
-
- * string ttl.~range: check if ip ttl field value is value | min<>
- max | <max | >min
-
-8.90. window
+10.63. priority
--------------
-What: rule option to check TCP window field
+What: rule option for prioritizing events
Type: ips_option
Configuration:
- * string window.~range: check if tcp window field size is size |
- min<>max | <max | >min
-
-
----------------------------------------------------------------------
-
-9. Search Engine Modules
+ * int priority.~: relative severity level; 1 is highest priority {
+ 1: }
----------------------------------------------------------------------
-Search engines perform multipattern searching of packets and payload
-to find rules that should be evaluated. There are currently no
-specific modules, although there are several search engine plugins.
-Related configuration is done with the basic detection module.
+10.64. raw_data
+--------------
----------------------------------------------------------------------
+What: rule option to set the detection cursor to the raw packet data
-10. SO Rule Modules
+Type: ips_option
----------------------------------------------------------------------
-SO rules are dynamic rules that require custom coding to perform
-detection not possible with the existing rule options. These rules
-typically do not have associated modules.
+10.65. reference
+--------------
----------------------------------------------------------------------
+What: rule option to indicate relevant attack identification system
-11. Logger Modules
+Type: ips_option
----------------------------------------------------------------------
+Configuration:
-All output of events and packets is done by Loggers.
+ * string reference.~scheme: reference scheme
+ * string reference.~id: reference id
-11.1. alert_csv
+10.66. regex
--------------
-What: output event in csv format
+What: rule option for matching payload data with hyperscan regex
-Type: logger
+Type: ips_option
Configuration:
- * bool alert_csv.file = false: output to alert_csv.txt instead of
- stdout
- * multi alert_csv.fields = timestamp pkt_num proto pkt_gen dgm_len
- dir src_ap dst_ap rule action: selected fields will be output in
- given order left to right { action | dir | dgm_len | dst_addr |
- dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid
- | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id |
- ip_len | msg | pkt_gen | pkt_num | proto | rev | rule | sid |
- src_addr | src_ap | src_port | tcp_ack | tcp_flags | tcp_len |
- tcp_seq | tcp_win | timestamp | tos | ttl | udp_len }
- * int alert_csv.limit = 0: set limit (0 is unlimited) { 0: }
- * string alert_csv.separator = , : separate fields with this
- character sequence
- * enum alert_csv.units = B: bytes | KB | MB | GB { B | K | M | G }
+ * string regex.~re: hyperscan regular expression
+ * implied regex.nocase: case insensitive match
+ * implied regex.dotall: matching a . will not exclude newlines
+ * implied regex.multiline: ^ and $ anchors match any newlines in
+ data
+ * implied regex.relative: start search from end of last match
+ instead of start of buffer
-11.2. alert_fast
+10.67. rem
--------------
-What: output event with brief text format
+What: rule option to convey an arbitrary comment in the rule body
-Type: logger
+Type: ips_option
Configuration:
- * bool alert_fast.file = false: output to alert_fast.txt instead of
- stdout
- * bool alert_fast.packet = false: output packet dump with alert
- * int alert_fast.limit = 0: set limit (0 is unlimited) { 0: }
- * enum alert_fast.units = B: bytes | KB | MB | GB { B | K | M | G }
+ * string rem.~: comment
-11.3. alert_full
+10.68. replace
--------------
-What: output event with full packet dump
+What: rule option to overwrite payload data; use with rewrite action
-Type: logger
+Type: ips_option
Configuration:
- * bool alert_full.file = false: output to alert_full.txt instead of
- stdout
- * int alert_full.limit = 0: set limit (0 is unlimited) { 0: }
- * enum alert_full.units = B: limit is in bytes | KB | MB | GB { B |
- K | M | G }
+ * string replace.~: byte code to replace with
-11.4. alert_sfsocket
+10.69. rev
--------------
-What: output event over socket
+What: rule option to indicate current revision of signature
-Type: logger
+Type: ips_option
Configuration:
- * string alert_sfsocket.file: name of unix socket file
- * int alert_sfsocket.rules[].gid = 1: rule generator ID { 1: }
- * int alert_sfsocket.rules[].sid = 1: rule signature ID { 1: }
+ * int rev.~: revision { 1: }
-11.5. alert_syslog
+10.70. rpc
--------------
-What: output event to syslog
+What: rule option to check SUNRPC CALL parameters
-Type: logger
+Type: ips_option
Configuration:
- * enum alert_syslog.facility = auth: part of priority applied to
- each message { auth | authpriv | daemon | user | local0 | local1
- | local2 | local3 | local4 | local5 | local6 | local7 }
- * enum alert_syslog.level = info: part of priority applied to each
- message { emerg | alert | crit | err | warning | notice | info |
- debug }
- * multi alert_syslog.options: used to open the syslog connection {
- cons | ndelay | perror | pid }
+ * int rpc.~app: application number
+ * int rpc.ver: version number or * for any
+ * int rpc.proc: procedure number or * for any
-11.6. log_codecs
+10.71. sd_pattern
--------------
-What: log protocols in packet by layer
+What: rule option for detecting sensitive data
-Type: logger
+Type: ips_option
Configuration:
- * bool log_codecs.file = false: output to log_codecs.txt instead of
- stdout
- * bool log_codecs.msg = false: include alert msg
+ * string sd_pattern.~pattern: The pattern to search for
+ * int sd_pattern.threshold: number of matches before alerting { 1 }
+
+Peg counts:
+
+ * sd_pattern.below threshold: sd_pattern matched but missed
+ threshold
+ * sd_pattern.pattern not found: sd_pattern did not not match
+ * sd_pattern.terminated: hyperscan terminated
-11.7. log_hext
+10.72. seq
--------------
-What: output payload suitable for daq hext
+What: rule option to check TCP sequence number
-Type: logger
+Type: ips_option
Configuration:
- * bool log_hext.file = false: output to log_hext.txt instead of
- stdout
- * bool log_hext.raw = false: output all full packets if true, else
- just TCP payload
- * int log_hext.limit = 0: set limit (0 is unlimited) { 0: }
- * enum log_hext.units = B: bytes | KB | MB | GB { B | K | M | G }
- * int log_hext.width = 20: set line width (0 is unlimited) { 0: }
+ * string seq.~range: check if tcp sequence number value is value |
+ min<>max | <max | >min
-11.8. log_pcap
+10.73. session
--------------
-What: log packet in pcap format
+What: rule option to check user data from TCP sessions
-Type: logger
+Type: ips_option
Configuration:
- * int log_pcap.limit = 0: set limit (0 is unlimited) { 0: }
- * enum log_pcap.units = B: bytes | KB | MB | GB { B | K | M | G }
+ * enum session.~mode: output format { printable|binary|all }
-11.9. unified2
+10.74. sha256
--------------
-What: output event and packet in unified2 format file
+What: payload rule option for hash matching
-Type: logger
+Type: ips_option
Configuration:
- * int unified2.limit = 0: set limit (0 is unlimited) { 0: }
- * enum unified2.units = B: limit multiplier { B | K | M | G }
- * bool unified2.nostamp = true: append file creation time to name
- (in Unix Epoch format)
- * bool unified2.mpls_event_types = false: include mpls labels in
- events
- * bool unified2.vlan_event_types = false: include vlan IDs in
- events
-
-
----------------------------------------------------------------------
-
-12. DAQ Modules
+ * string sha256.~hash: data to match
+ * int sha256.length: number of octets in plain text { 1:65535 }
+ * string sha256.offset: var or number of bytes from start of buffer
+ to start search
+ * implied sha256.relative = false: offset from cursor instead of
+ start of buffer
----------------------------------------------------------------------
-The Data AcQuisition library (DAQ), provides pluggable packet I/O.
-The DAQ replaces direct calls to libraries like libpcap with an
-abstraction layer that facilitates operation on a variety of hardware
-and software interfaces without requiring changes to Snort. It is
-possible to select the DAQ type and mode when invoking Snort to
-perform pcap readback or inline operation, etc. The DAQ library may
-be useful for other packet processing applications and the modular
-nature allows you to build new modules for other platforms.
+10.75. sha512
-The DAQ library is provided as an external package on snort.org.
-There are a few additional modules provided with Snort++. This
-section summarizes the important things you need to know to use these
-DAQ modules. There are also 3rd DAQ modules available.
+--------------
+What: payload rule option for hash matching
-12.1. Building the DAQ Library and DAQ Modules
+Type: ips_option
---------------
+Configuration:
-The DAQ is bundled with Snort but must be built first using these
-steps:
+ * string sha512.~hash: data to match
+ * int sha512.length: number of octets in plain text { 1:65535 }
+ * string sha512.offset: var or number of bytes from start of buffer
+ to start search
+ * implied sha512.relative = false: offset from cursor instead of
+ start of buffer
-./configure
-make
-sudo make install
-This will build and install both static and dynamic DAQ modules.
+10.76. sid
-Note that pcap >= 1.0.0 is required. pcap 1.1.1 is available at the
-time of this writing and is recommended.
+--------------
-Also, libdnet is required for IPQ and NFQ DAQs. If you get a
-relocation error trying to build those DAQs, you may need to
-reinstall libdnet and configure it with something like this:
+What: rule option to indicate signature number
-./configure "CFLAGS=-fPIC -g -O2"
+Type: ips_option
-You may also experience problems trying to find the dynamic dnet
-library because it isn’t always named properly. Try creating a link
-to the shared library (identified by its .x or .x.y etc. extension)
-with the same name but with ".so" inserted as follows:
+Configuration:
-$ ln -s libdnet.1.1 libdnet.so.1.1
-$ ldconfig -Rv /usr/local/lib 2>&1 | grep dnet
- Adding /usr/local/lib/libdnet.so.1.1
+ * int sid.~: signature id { 1: }
-Alternatively, you should be able to fix both issues as follows:
-libtoolize --copy --force
-aclocal -I config
-autoheader
-autoconf
-automake --foreign
+10.77. sip_body
-When the DAQ library is built, both static and dynamic flavors will
-be generated. The various DAQ modules will be built if the requisite
-headers and libraries are available. You can disable individual
-modules, etc. with options to configure. For the complete list of
-configure options, run:
+--------------
-./configure --help
+What: rule option to set the detection cursor to the request body
+
+Type: ips_option
-12.2. PCAP Module
+10.78. sip_header
--------------
-pcap is the default DAQ. If snort is run w/o any DAQ arguments, it
-will operate as it always did using this module. These are
-equivalent:
+What: rule option to set the detection cursor to the SIP header
+buffer
-./snort -i <device>
-./snort -r <file>
+Type: ips_option
-./snort --daq pcap --daq-mode passive -i <device>
-./snort --daq pcap --daq-mode read-file -r <file>
-You can specify the buffer size pcap uses with:
+10.79. sip_method
-./snort --daq pcap --daq-var buffer_size=<#bytes>
+--------------
- * The pcap DAQ does not count filtered packets. *
+What: detection option for sip stat code
+Type: ips_option
-12.3. AFPACKET Module
+Configuration:
---------------
+ * string sip_method.*method: sip method
-afpacket functions similar to the pcap DAQ but with better
-performance:
-./snort --daq afpacket -i <device>
- [--daq-var buffer_size_mb=<#MB>]
- [--daq-var debug]
+10.80. sip_stat_code
-If you want to run afpacket in inline mode, you must craft the device
-string as one or more interface pairs, where each member of a pair is
-separated by a single colon and each pair is separated by a double
-colon like this:
+--------------
-eth0:eth1
+What: detection option for sip stat code
-or this:
+Type: ips_option
-eth0:eth1::eth2:eth3
+Configuration:
-By default, the afpacket DAQ allocates 128MB for packet memory. You
-can change this with:
+ * int sip_stat_code.*code: stat code { 1:999 }
---daq-var buffer_size_mb=<#MB>
-Note that the total allocated is actually higher, here’s why.
-Assuming the default packet memory with a snaplen of 1518, the
-numbers break down like this:
+10.81. so
- * The frame size is 1518 (snaplen) + the size of the AFPacket
- header (66 bytes) = 1584 bytes.
- * The number of frames is 128 MB / 1518 = 84733.
- * The smallest block size that can fit at least one frame is 4 KB =
- 4096 bytes @ 2 frames per block.
- * As a result, we need 84733 / 2 = 42366 blocks.
- * Actual memory allocated is 42366 * 4 KB = 165.5 MB.
+--------------
-Note
+What: rule option to call custom eval function
-Linux kernel version 2.6.31 or higher is required for the AFPacket
-DAQ module due to its dependency on both TPACKET v2 and
-PACKET_TX_RING support.
+Type: ips_option
+Configuration:
-12.4. NFQ Module
+ * string so.~func: name of eval function
---------------
-NFQ is the new and improved way to process iptables packets:
+10.82. soid
-./snort --daq nfq \
- [--daq-var device=<dev>] \
- [--daq-var proto=<proto>] \
- [--daq-var queue=<qid>]
+--------------
-<dev> ::= ip | eth0, etc; default is IP injection
-<proto> ::= ip4 | ip6 |; default is ip4
-<qid> ::= 0..65535; default is 0
+What: rule option to specify a shared object rule ID
-This module can not run unprivileged so ./snort -u -g will produce a
-warning and won’t change user or group.
+Type: ips_option
-Notes on iptables are given below.
+Configuration:
+
+ * string soid.~: SO rule ID has <gid>|<sid> format, like 3|12345
-12.5. IPQ Module
+10.83. ssl_state
--------------
-IPQ is the old way to process iptables packets. It replaces the
-inline version available in pre-2.9 versions built with this:
+What: detection option for ssl state
-./configure --enable-inline
+Type: ips_option
-Note that layer 2 resets are not supported with the IPQ DAQ:
+Configuration:
-config layer2resets[: <mac>]
+ * implied ssl_state.client_hello: check for client hello
+ * implied ssl_state.server_hello: check for server hello
+ * implied ssl_state.client_keyx: check for client keyx
+ * implied ssl_state.server_keyx: check for server keyx
+ * implied ssl_state.unknown: check for unknown record
+ * implied ssl_state.!client_hello: check for records that are not
+ client hello
+ * implied ssl_state.!server_hello: check for records that are not
+ server hello
+ * implied ssl_state.!client_keyx: check for records that are not
+ client keyx
+ * implied ssl_state.!server_keyx: check for records that are not
+ server keyx
+ * implied ssl_state.!unknown: check for records that are not
+ unknown
-Start the IPQ DAQ as follows:
-./snort --daq ipq \
- [--daq-var device=<dev>] \
- [--daq-var proto=<proto>] \
+10.84. ssl_version
-<dev> ::= ip | eth0, etc; default is IP injection
-<proto> ::= ip4 | ip6; default is ip4
+--------------
-This module can not run unprivileged so ./snort -u -g will produce a
-warning and won’t change user or group.
+What: detection option for ssl version
-Notes on iptables are given below.
+Type: ips_option
+
+Configuration:
+
+ * implied ssl_version.sslv2: check for sslv2
+ * implied ssl_version.sslv3: check for sslv3
+ * implied ssl_version.tls1.0: check for tls1.0
+ * implied ssl_version.tls1.1: check for tls1.1
+ * implied ssl_version.tls1.2: check for tls1.2
+ * implied ssl_version.!sslv2: check for records that are not sslv2
+ * implied ssl_version.!sslv3: check for records that are not sslv3
+ * implied ssl_version.!tls1.0: check for records that are not
+ tls1.0
+ * implied ssl_version.!tls1.1: check for records that are not
+ tls1.1
+ * implied ssl_version.!tls1.2: check for records that are not
+ tls1.2
-12.6. IPFW Module
+10.85. stream_reassemble
--------------
-IPFW is available for BSD systems. It replaces the inline version
-available in pre-2.9 versions built with this:
+What: detection option for stream reassembly control
-./configure --enable-ipfw
+Type: ips_option
-This command line argument is no longer supported:
+Configuration:
-./snort -J <port#>
+ * enum stream_reassemble.action: stop or start stream reassembly {
+ disable|enable }
+ * enum stream_reassemble.direction: action applies to the given
+ direction(s) { client|server|both }
+ * implied stream_reassemble.noalert: don’t alert when rule matches
+ * implied stream_reassemble.fastpath: optionally whitelist the
+ remainder of the session
-Instead, start Snort like this:
-./snort --daq ipfw [--daq-var port=<port>]
+10.86. stream_size
-<port> ::= 1..65535; default is 8000
+--------------
- * IPFW only supports ip4 traffic.
+What: detection option for stream size checking
-Notes on FreeBSD and OpenBSD are given below.
+Type: ips_option
+
+Configuration:
+
+ * string stream_size.~range: size for comparison
+ * enum stream_size.~direction: compare applies to the given
+ direction(s) { either|to_server|to_client|both }
-12.7. Dump Module
+10.87. tag
--------------
-The dump DAQ allows you to test the various inline mode features
-available in 2.9 Snort like injection and normalization.
+What: rule option to log additional packets
-./snort -i <device> --daq dump
-./snort -r <pcap> --daq dump
+Type: ips_option
-By default a file named inline-out.pcap will be created containing
-all packets that passed through or were generated by snort. You can
-optionally specify a different name.
+Configuration:
-./snort --daq dump --daq-var file=<name>
+ * enum tag.~: log all packets in session or all packets to or from
+ host { session|host_src|host_dst }
+ * int tag.packets: tag this many packets { 1: }
+ * int tag.seconds: tag for this many seconds { 1: }
+ * int tag.bytes: tag for this many bytes { 1: }
-dump uses the pcap daq for packet acquisition. It therefore does not
-count filtered packets (a pcap limitation).
-Note that the dump DAQ inline mode is not an actual inline mode.
-Furthermore, you will probably want to have the pcap DAQ acquire in
-another mode like this:
+10.88. tos
-./snort -r <pcap> -Q --daq dump --daq-var load-mode=read-file
-./snort -i <device> -Q --daq dump --daq-var load-mode=passive
+--------------
+
+What: rule option to check type of service field
+
+Type: ips_option
+
+Configuration:
+
+ * string tos.~range: check if ip tos value is value | min<>max |
+ <max | >min
-12.8. Netmap Module
+10.89. ttl
--------------
-The netmap project is a framework for very high speed packet I/O. It
-is available on both FreeBSD and Linux with varying amounts of
-preparatory setup required. Specific notes for each follow.
+What: rule option to check time to live field
-./snort --daq netmap -i <device>
- [--daq-var debug]
+Type: ips_option
-If you want to run netmap in inline mode, you must craft the device
-string as one or more interface pairs, where each member of a pair is
-separated by a single colon and each pair is separated by a double
-colon like this:
+Configuration:
-em1:em2
+ * string ttl.~range: check if ip ttl field value is value | min<>
+ max | <max | >min
-or this:
-em1:em2::em3:em4
+10.90. window
-Inline operation performs Layer 2 forwarding with no MAC filtering,
-akin to the AFPacket module’s behavior. All packets received on one
-interface in an inline pair will be forwarded out the other interface
-unless dropped by the reader and vice versa.
+--------------
-Important
+What: rule option to check TCP window field
-The interfaces will need to be up and in promiscuous mode in order to
-function (ifconfig em1 up promisc). The DAQ module does not currently
-do either of these configuration steps for itself.
+Type: ips_option
-12.8.1. FreeBSD
+Configuration:
-In FreeBSD 10.0, netmap has been integrated into the core OS. In
-order to use it, you must recompile your kernel with the line
+ * string window.~range: check if tcp window field size is size |
+ min<>max | <max | >min
-device netmap
-added to your kernel config.
+---------------------------------------------------------------------
-12.8.2. Linux
+11. Search Engine Modules
-You will need to download the netmap source code from the project’s
-repository:
+---------------------------------------------------------------------
-https://code.google.com/p/netmap/
+Search engines perform multipattern searching of packets and payload
+to find rules that should be evaluated. There are currently no
+specific modules, although there are several search engine plugins.
+Related configuration is done with the basic detection module.
-Follow the instructions on the project’s homepage for compiling and
-installing the code:
-http://info.iet.unipi.it/~luigi/netmap/
+---------------------------------------------------------------------
-It will involve a standalone kernel module (netmap_lin) as well as
-patching and rebuilding the kernel module used to drive your network
-adapters. The following drivers are supported under Linux at the time
-of writing (June 2014):
+12. SO Rule Modules
-e1000
-e1000e
-forcedeth
-igb
-ixgbe
-r8169
-virtio
+---------------------------------------------------------------------
+
+SO rules are dynamic rules that require custom coding to perform
+detection not possible with the existing rule options. These rules
+typically do not have associated modules.
-TODO:
- * Support for attaching to only a single ring (queue) on a network
- adapter.
- * Support for VALE and netmap pipes.
+---------------------------------------------------------------------
+
+13. Logger Modules
+
+---------------------------------------------------------------------
+
+All output of events and packets is done by Loggers.
-12.9. Notes on iptables
+13.1. alert_csv
--------------
-These notes are just a quick reminder that you need to set up
-iptables to use the IPQ or NFQ DAQs. Doing so may cause problems with
-your network so tread carefully. The examples below are intentionally
-incomplete so please read the related documentation first.
+What: output event in csv format
-Here is a blog post by Marty for historical reference:
+Type: logger
-http://archives.neohapsis.com/archives/snort/2000-11/0394.html
+Configuration:
-You can check this out for queue sizing tips:
+ * bool alert_csv.file = false: output to alert_csv.txt instead of
+ stdout
+ * multi alert_csv.fields = timestamp pkt_num proto pkt_gen dgm_len
+ dir src_ap dst_ap rule action: selected fields will be output in
+ given order left to right { action | dir | dgm_len | dst_addr |
+ dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid
+ | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id |
+ ip_len | msg | pkt_gen | pkt_num | proto | rev | rule | sid |
+ src_addr | src_ap | src_port | tcp_ack | tcp_flags | tcp_len |
+ tcp_seq | tcp_win | timestamp | tos | ttl | udp_len }
+ * int alert_csv.limit = 0: set limit (0 is unlimited) { 0: }
+ * string alert_csv.separator = , : separate fields with this
+ character sequence
+ * enum alert_csv.units = B: bytes | KB | MB | GB { B | K | M | G }
-http://www.inliniac.net/blog/2008/01/23/improving-snort_inlines-nfq-performance.html
-You might find useful IPQ info here:
+13.2. alert_fast
-http://snort-inline.sourceforge.net/
+--------------
-Use this to examine your iptables:
+What: output event with brief text format
-sudo /sbin/iptables -L
+Type: logger
-Use something like this to set up NFQ:
+Configuration:
-sudo /sbin/iptables
- -I <table> [<protocol stuff>] [<state stuff>]
- -j NFQUEUE --queue-num 1
+ * bool alert_fast.file = false: output to alert_fast.txt instead of
+ stdout
+ * bool alert_fast.packet = false: output packet dump with alert
+ * int alert_fast.limit = 0: set limit (0 is unlimited) { 0: }
+ * enum alert_fast.units = B: bytes | KB | MB | GB { B | K | M | G }
-Use something like this to set up IPQ:
-sudo iptables -I FORWARD -j QUEUE
+13.3. alert_full
-Use something like this to "disconnect" snort:
+--------------
-sudo /sbin/iptables -D <table> <rule pos>
+What: output event with full packet dump
-Be sure to start Snort prior to routing packets through NFQ with
-iptables. Such packets will be dropped until Snort is started.
+Type: logger
-The queue-num is the number you must give Snort.
+Configuration:
-If you are running on a system with both NFQ and IPQ support, you may
-experience some start-up failures of the sort:
+ * bool alert_full.file = false: output to alert_full.txt instead of
+ stdout
+ * int alert_full.limit = 0: set limit (0 is unlimited) { 0: }
+ * enum alert_full.units = B: limit is in bytes | KB | MB | GB { B |
+ K | M | G }
-The solution seems to be to remove both modules from the kernel like
-this:
-modprobe -r nfnetlink_queue
-modprobe -r ip_queue
+13.4. alert_sfsocket
-and then install the module you want:
+--------------
-modprobe ip_queue
+What: output event over socket
-or:
+Type: logger
-modprobe nfnetlink_queue
+Configuration:
-These DAQs should be run with a snaplen of 65535 since the kernel
-defrags the packets before queuing. Also, no need to configure frag3.
+ * string alert_sfsocket.file: name of unix socket file
+ * int alert_sfsocket.rules[].gid = 1: rule generator ID { 1: }
+ * int alert_sfsocket.rules[].sid = 1: rule signature ID { 1: }
-12.10. Notes on FreeBSD::IPFW
+13.5. alert_syslog
--------------
-Check the online manual at:
+What: output event to syslog
-http://www.freebsd.org/doc/handbook/firewalls-ipfw.html.
+Type: logger
-Here is a brief example to divert icmp packets to Snort at port 8000:
+Configuration:
-To enable support for divert sockets, place the following lines in
-the kernel configuration file:
+ * enum alert_syslog.facility = auth: part of priority applied to
+ each message { auth | authpriv | daemon | user | local0 | local1
+ | local2 | local3 | local4 | local5 | local6 | local7 }
+ * enum alert_syslog.level = info: part of priority applied to each
+ message { emerg | alert | crit | err | warning | notice | info |
+ debug }
+ * multi alert_syslog.options: used to open the syslog connection {
+ cons | ndelay | perror | pid }
-options IPFIREWALL
-options IPDIVERT
-(The file in this case was: /usr/src/sys/i386/conf/GENERIC; which is
-platform dependent.)
+13.6. log_codecs
-You may need to also set these to use the loadable kernel modules:
+--------------
-/etc/rc.conf:
-firewall_enable="YES"
+What: log protocols in packet by layer
-/boot/loader.conf:
-ipfw_load="YES"
-ipdivert_load="YES"
+Type: logger
-$ dmesg | grep ipfw
-ipfw2 (+ipv6) initialized, divert loadable, nat loadable, rule-based
-forwarding disabled, default to deny, logging disabled
+Configuration:
-$ kldload -v ipdivert
-Loaded ipdivert, id=4
+ * bool log_codecs.file = false: output to log_codecs.txt instead of
+ stdout
+ * bool log_codecs.msg = false: include alert msg
-$ ipfw add 75 divert 8000 icmp from any to any
-00075 divert 8000 icmp from any to any
-$ ipfw list
-...
-00075 divert 8000 icmp from any to any
-00080 allow icmp from any to any
-...
+13.7. log_hext
- * Note that on FreeBSD, divert sockets don’t work with bridges!
+--------------
-Please refer to the following articles for more information:
+What: output payload suitable for daq hext
- * https://forums.snort.org/forums/support/topics/
- snort-inline-on-freebsd-ipfw
- * http://freebsd.rogness.net/snort_inline/
+Type: logger
-NAT gateway can be used with divert sockets if the network
-environment is conducive to using NAT.
+Configuration:
-The steps to set up NAT with ipfw are as follows:
+ * bool log_hext.file = false: output to log_hext.txt instead of
+ stdout
+ * bool log_hext.raw = false: output all full packets if true, else
+ just TCP payload
+ * int log_hext.limit = 0: set limit (0 is unlimited) { 0: }
+ * enum log_hext.units = B: bytes | KB | MB | GB { B | K | M | G }
+ * int log_hext.width = 20: set line width (0 is unlimited) { 0: }
- 1. Set up NAT with two interface em0 and em1 by adding the following
- to /etc/rc.conf. Here em0 is connected to external network and
- em1 to host-only LAN.
- gateway_enable="YES"
- natd_program="/sbin/natd" # path to natd
- natd_enable="YES" # Enable natd (if firewall_enable == YES)
- natd_interface="em0" # Public interface or IP Address
- natd_flags="-dynamic" # Additional flags
- defaultrouter=""
- ifconfig_em0="DHCP"
- ifconfig_em1="inet 192.168.1.2 netmask 255.255.255.0"
- firewall_enable="YES"
- firewall_script="/etc/rc.firewall"
- firewall_type="simple"
+13.8. log_pcap
- 2. Add the following divert rules to divert packets to Snort above
- and below the NAT rule in the "Simple" section of /etc/
- rc.firewall.
+--------------
- ...
- # Inspect outbound packets (those arriving on "inside" interface)
- # before NAT translation.
- ${fwcmd} add divert 8000 all from any to any in via ${iif}
- case ${natd_enable} in
- [Yy][Ee][Ss])
- if [ -n "${natd_interface}" ]; then
- ${fwcmd} add divert natd all from any to any via ${natd_interface}
- fi
- ;;
- esac
- ...
- # Inspect inbound packets (those arriving on "outside" interface)
- # after NAT translation that aren't blocked for other reasons,
- # after the TCP "established" rule.
- ${fwcmd} add divert 8000 all from any to any in via ${oif}
+What: log packet in pcap format
+Type: logger
-12.11. Notes on OpenBSD::IPFW
+Configuration:
---------------
+ * int log_pcap.limit = 0: set limit (0 is unlimited) { 0: }
+ * enum log_pcap.units = B: bytes | KB | MB | GB { B | K | M | G }
-OpenBSD supports divert sockets as of 4.7, so we use the ipfw DAQ.
-Here is one way to set things up:
+13.9. unified2
- 1. Configure the system to forward packets:
+--------------
- $ sysctl net.inet.ip.forwarding=1
- $ sysctl net.inet6.ip6.forwarding=1
+What: output event and packet in unified2 format file
- (You can also put that in /etc/sysctl.conf to enable on boot.)
+Type: logger
- 2. Set up interfaces
+Configuration:
- $ dhclient vic1
- $ dhclient vic2
+ * int unified2.limit = 0: set limit (0 is unlimited) { 0: }
+ * enum unified2.units = B: limit multiplier { B | K | M | G }
+ * bool unified2.nostamp = true: append file creation time to name
+ (in Unix Epoch format)
+ * bool unified2.mpls_event_types = false: include mpls labels in
+ events
+ * bool unified2.vlan_event_types = false: include vlan IDs in
+ events
- 3. Set up packet filter rules:
- $ echo "pass out on vic1 divert-packet port 9000 keep-state" > rules.txt
- $ echo "pass out on vic2 divert-packet port 9000 keep-state" >> rules.txt
+---------------------------------------------------------------------
- $ pfctl -v -f rules.txt
+14. DAQ Modules
- 4. Analyze packets diverted to port 9000:
+---------------------------------------------------------------------
- $ ./snort --daq ipfw --daq-var port=9000
+The Data AcQuisition library (DAQ), provides pluggable packet I/O.
+The DAQ replaces direct calls to libraries like libpcap with an
+abstraction layer that facilitates operation on a variety of hardware
+and software interfaces without requiring changes to Snort. It is
+possible to select the DAQ type and mode when invoking Snort to
+perform pcap readback or inline operation, etc. The DAQ library may
+be useful for other packet processing applications and the modular
+nature allows you to build new modules for other platforms.
- + Note that on OpenBSD, divert sockets don’t work with bridges!
+The DAQ library is provided as an external package on snort.org.
+There are a few additional modules provided with Snort 3. This
+section summarizes the important things you need to know to use these
+DAQ modules. There are also 3rd DAQ modules available.
-12.12. Socket Module
+14.1. Building the DAQ Library and DAQ Modules
--------------
-The socket module provides provides a stream socket server that will
-accept up to 2 simultaneous connections and bridge them together
-while also passing data to Snort++ for inspection. The first
-connection accepted is considered the client and the second
-connection accepted is considered the server. If there is only one
-connection, stream data can’t be forwarded but it is still inspected.
+The DAQ is bundled with Snort but must be built first using these
+steps:
-Each read from a socket of up to snaplen bytes is passed as a packet
-to Snort++ along with a DAQ_SktHdr_t pointer in
-DAQ_PktHdr_t→priv_ptr. DAQ_SktHdr_t conveys IP4 address, ports,
-protocol, and direction. Socket packets can be configured to be TCP
-or UDP. The socket DAQ can be operated in inline mode and is able to
-block packets.
+./configure
+make
+sudo make install
+
+This will build and install both static and dynamic DAQ modules.
+
+Note that pcap >= 1.0.0 is required. pcap 1.1.1 is available at the
+time of this writing and is recommended.
+
+Also, libdnet is required for IPQ and NFQ DAQs. If you get a
+relocation error trying to build those DAQs, you may need to
+reinstall libdnet and configure it with something like this:
+
+./configure "CFLAGS=-fPIC -g -O2"
+
+You may also experience problems trying to find the dynamic dnet
+library because it isn’t always named properly. Try creating a link
+to the shared library (identified by its .x or .x.y etc. extension)
+with the same name but with ".so" inserted as follows:
-The socket DAQ uses DLT_SOCKET and requires that Snort++ load the
-socket codec which is included in the extra package.
+$ ln -s libdnet.1.1 libdnet.so.1.1
+$ ldconfig -Rv /usr/local/lib 2>&1 | grep dnet
+ Adding /usr/local/lib/libdnet.so.1.1
-To use the socket DAQ, start Snort++ like this:
+Alternatively, you should be able to fix both issues as follows:
-./snort --plugin-path /path/to/lib/snort_extra \
- --daq socket [--daq-var port=<port>] [--daq-var proto=<proto>] [-Q]
+libtoolize --copy --force
+aclocal -I config
+autoheader
+autoconf
+automake --foreign
-<port> ::= 1..65535; default is 8000
-<proto> ::= tcp | udp
+When the DAQ library is built, both static and dynamic flavors will
+be generated. The various DAQ modules will be built if the requisite
+headers and libraries are available. You can disable individual
+modules, etc. with options to configure. For the complete list of
+configure options, run:
- * This module only supports ip4 traffic.
- * This module is only supported by Snort++. It is not compatible
- with Snort.
- * This module is primarily for development and test.
+./configure --help
-12.13. File Module
+14.2. PCAP Module
--------------
-The file module provides the ability to process files directly w/o
-having to extract them from pcaps. Use the file module with Snort’s
-stream_file to get file type identification and signature services.
-The usual IPS detection and logging etc. is available too.
-
-You can process all the files in a directory recursively using 8
-threads with these Snort options:
-
---pcap-dir path -z 8
+pcap is the default DAQ. If snort is run w/o any DAQ arguments, it
+will operate as it always did using this module. These are
+equivalent:
- * This module is only supported by Snort++. It is not compatible
- with Snort.
- * This module is primarily for development and test.
+./snort -i <device>
+./snort -r <file>
+./snort --daq pcap --daq-mode passive -i <device>
+./snort --daq pcap --daq-mode read-file -r <file>
-12.14. Hext Module
+You can specify the buffer size pcap uses with:
---------------
+./snort --daq pcap --daq-var buffer_size=<#bytes>
-The hext module generates packets suitable for processing by Snort
-from hex/plain text. Raw packets include full headers and are
-processed normally. Otherwise the packets contain only payload and
-are accompanied with flow information (4-tuple) suitable for
-processing by stream_user.
+ * The pcap DAQ does not count filtered packets. *
-The first character of the line determines it’s purpose:
-'$' command
-'#' comment
-'"' quoted string packet data
-'x' hex packet data
-' ' empty line separates packets
+14.3. AFPACKET Module
-The available commands are:
+--------------
-$client <ip4> <port>
-$server <ip4> <port>
+afpacket functions similar to the pcap DAQ but with better
+performance:
-$packet -> client
-$packet -> server
+./snort --daq afpacket -i <device>
+ [--daq-var buffer_size_mb=<#MB>]
+ [--daq-var debug]
-$packet <addr> <port> -> <addr> <port>
+If you want to run afpacket in inline mode, you must craft the device
+string as one or more interface pairs, where each member of a pair is
+separated by a single colon and each pair is separated by a double
+colon like this:
-Client and server are determined as follows. $packet → client
-indicates to the client (from server) and $packet → server indicates
-a packet to the server (from client). $packet followed by a 4-tuple
-uses the heuristic that the client is the side with the lower port
-number.
+eth0:eth1
-The default client and server are 192.168.1.1 12345 and 10.1.2.3 80
-respectively. $packet commands with a 4-tuple do not change client
-and server set with the other $packet commands.
+or this:
-$packet commands should be followed by packet data, which may contain
-any combination of hex and strings. Data for a packet ends with the
-next command or a blank line. Data after a blank line will start
-another packet with the same tuple as the prior one.
+eth0:eth1::eth2:eth3
-Strings may contain the following escape sequences:
+By default, the afpacket DAQ allocates 128MB for packet memory. You
+can change this with:
-\r = 0x0D = carriage return
-\n = 0x0A = new line
-\t = 0x09 = tab
-\\ = 0x5C = \
+--daq-var buffer_size_mb=<#MB>
-Format your input carefully; there is minimal error checking and
-little tolerance for arbitrary whitespace. You can use Snort’s -L
-hext option to generate hext input from a pcap.
+Note that the total allocated is actually higher, here’s why.
+Assuming the default packet memory with a snaplen of 1518, the
+numbers break down like this:
- * This module only supports ip4 traffic.
- * This module is only supported by Snort++. It is not compatible
- with Snort.
- * This module is primarily for development and test.
+ * The frame size is 1518 (snaplen) + the size of the AFPacket
+ header (66 bytes) = 1584 bytes.
+ * The number of frames is 128 MB / 1518 = 84733.
+ * The smallest block size that can fit at least one frame is 4 KB =
+ 4096 bytes @ 2 frames per block.
+ * As a result, we need 84733 / 2 = 42366 blocks.
+ * Actual memory allocated is 42366 * 4 KB = 165.5 MB.
-The hext DAQ also supports a raw mode which is activated by setting
-the data link type. For example, you can input full ethernet packets
-with --daq-var dlt=1 (Data link types are defined in the DAQ include
-sfbpf_dlt.h.) Combine that with the hext logger in raw mode for a
-quick (and dirty) way to edit pcaps. With --lua "log_hext = { raw =
-true }", the hext logger will dump the full packet in a way that can
-be read by the hext DAQ in raw mode. Here is an example:
+Note
-# 3 [96]
+Linux kernel version 2.6.31 or higher is required for the AFPacket
+DAQ module due to its dependency on both TPACKET v2 and
+PACKET_TX_RING support.
-x02 09 08 07 06 05 02 01 02 03 04 05 08 00 45 00 00 52 00 03 # ..............E..R..
-x00 00 40 06 5C 90 0A 01 02 03 0A 09 08 07 BD EC 00 50 00 00 # ..@.\............P..
-x00 02 00 00 00 02 50 10 20 00 8A E1 00 00 47 45 54 20 2F 74 # ......P. .....GET /t
-x72 69 67 67 65 72 2F 31 20 48 54 54 50 2F 31 2E 31 0D 0A 48 # rigger/1 HTTP/1.1..H
-x6F 73 74 3A 20 6C 6F 63 61 6C 68 6F 73 74 0D 0A # ost: localhost..
-A comment indicating packet number and size precedes each packet
-dump. Note that the commands are not applicable in raw mode and have
-no effect.
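Review bot: the frame-count bullet in the afpacket memory breakdown divides by the wrong number: ` * The number of frames is 128 MB / 1518 = 84733.` Only 128 MiB / 1584 (the frame size derived in the bullet just above it, snaplen 1518 + 66-byte header) gives 84733; 128 MiB / 1518 would be 88417. Change the divisor to 1584 so the arithmetic matches the frame size the text has just computed; the remaining steps (2 frames per 4 KB block, 42366 blocks, about 165.5 MB) then check out. Two smaller points in the same region: `Note that the total allocated is actually higher, here's why.` is a comma splice, and the inline-pair paragraph (`eth0:eth1`, `eth0:eth1::eth2:eth3`) never says what happens to traffic on a pair; the netmap section in this change describes its own behaviour as Layer 2 forwarding with no MAC filtering, `akin to the AFPacket module's behavior`, so the afpacket section should state that directly rather than leaving it to be inferred from a later comparison.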
+14.4. NFQ Module
+--------------
----------------------------------------------------------------------
+NFQ is the new and improved way to process iptables packets:
-13. Snort++ vs Snort
+./snort --daq nfq \
+ [--daq-var device=<dev>] \
+ [--daq-var proto=<proto>] \
+ [--daq-var queue=<qid>]
----------------------------------------------------------------------
+<dev> ::= ip | eth0, etc; default is IP injection
+<proto> ::= ip4 | ip6 |; default is ip4
+<qid> ::= 0..65535; default is 0
-Snort++ differs from Snort in the following ways:
+This module can not run unprivileged so ./snort -u -g will produce a
+warning and won’t change user or group.
- * command line and conf file syntax made more uniform
- * removed unused and deprecated features
- * remove as many barriers to successful run as possible (e.g.: no
- upper bounds on memcaps)
- * assume the simplest mode of operation (e.g.: never assume input
- from or output to some hardcoded filename)
- * all Snort config options are grouped into Snort++ modules
+Notes on iptables are given below.
-13.1. Build Options
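Review bot: the `<proto>` production in the NFQ section has an empty alternative: `<proto> ::= ip4 | ip6 |; default is ip4` leaves a dangling `|` before the semicolon, whereas the IPQ section below writes `<proto> ::= ip4 | ip6; default is ip4`. Drop the extra `|`. Consider also adding, next to `[--daq-var queue=<qid>]`, that the queue id must equal the `--queue-num` given to iptables; the iptables notes later in this change make that point, but the module section is where a reader actually configures the DAQ.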
+14.5. IPQ Module
--------------
- * configure --with-lib{pcap,pcre}-* → --with-{pcap,pcre}-*
- * control socket, cs_dir, and users were deleted
- * POLICY_BY_ID_ONLY code was deleted
- * hardened --enable-inline-init-failopen / INLINE_FAILOPEN
+IPQ is the old way to process iptables packets. It replaces the
+inline version available in pre-2.9 versions built with this:
+./configure --enable-inline
-13.2. Command Line
+Note that layer 2 resets are not supported with the IPQ DAQ:
---------------
+config layer2resets[: <mac>]
- * --pause loads config and waits for resume before processing
- packets
- * --require-rule-sid is hardened
- * --shell enables interactive Lua shell
- * -T is assumed if no input given
- * added --help-config prefix to dump all matching settings
- * added --script-path
- * added -L none|dump|pcap
- * added -z <#> and --max-packet-threads <#>
- * delete --enable-mpls-multicast, --enable-mpls-overlapping-ip,
- --max-mpls-labelchain-len, --mpls-payload-type
- * deleted --pid-path and --no-interface-pidfile
- * deleting command line options which will be available with --lua
- or some such including: -I, -h, -F, -p,
- --disable-inline-init-failopen
- * hardened -n < 0
- * removed --search-method
- * replaced "unknown args are bpf" with --bpf
- * replaced --dynamic-*-lib[-dir] with --plugin-path (with :
- separators)
- * removed -b, -N, -Z and, --perfmon-file options
+Start the IPQ DAQ as follows:
+./snort --daq ipq \
+ [--daq-var device=<dev>] \
+ [--daq-var proto=<proto>] \
-13.3. Conf File
+<dev> ::= ip | eth0, etc; default is IP injection
+<proto> ::= ip4 | ip6; default is ip4
---------------
+This module can not run unprivileged so ./snort -u -g will produce a
+warning and won’t change user or group.
- * Snort++ has a default unicode.map
- * Snort++ will not enforce an upper bound on memcaps and the like
- within 64 bits
- * Snort++ will supply a default *_global config if not specified
- (Snort would fatal; e.g. http_inspect_server w/o
- http_inspect_global)
- * address list syntax changes: [[ and ]] must be [ [ and ] ] to
- avoid Lua string parsing errors (unless in quoted string)
- * because the Lua conf is live code, we lose file:line locations in
- app error messages (syntax errors from Lua have file:line)
- * changed search-method names for consistency
- * delete config include_vlan_in_alerts (not used in code)
- * delete config so_rule_memcap (not used in code)
- * deleted --disable-attribute-table-reload-thread
- * deleted config decode_*_{alerts,drops} (use rules only)
- * deleted config dump-dynamic-rules-path
- * deleted config ipv6_frag (not actually used)
- * deleted config threshold and ips rule threshold (→ event_filter)
- * eliminated ac-split; must use ac-full-q split-any-any
- * frag3 → defrag, arpspoof → arp_spoof, sfportscan → port_scan,
- perfmonitor → perf_monitor, bo → back_orifice
- * limits like "1234K" are now "limit = 1234, units = K"
- * lua field names are (lower) case sensitive; snort.conf largely
- wasn’t
- * module filenames are not configurable: always <log-dir>/
- <module-name><suffix> (suffix is determined by module)
- * no positional parameters; all name = value
- * perf_monitor configuration was simplified
- * portscan.detect_ack_scans deleted (exact same as
- include_midstream)
- * removed various run modes - now just one
- * frag3 default policy is Linux not bsd
- * lowmem* search methods are now in snort_examples
- * deleted unused http_inspect stateful mode
- * deleted stateless inspection from ftp and telnet
- * deleted http and ftp alert options (now strictly rule based)
- * preprocessor disabled settings deleted since no longer relevant
- * sessions are always created; snort config stateful checks
- eliminated
- * stream5_tcp: prune_log_max deleted; to be replaced with histogram
- * stream5_tcp: max_active_responses, min_response_seconds moved to
- active.max_responses, min_interval
+Notes on iptables are given below.
-13.4. Rules
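Review bot: the IPQ caveat `config layer2resets[: <mac>]` is Snort 2.X conf syntax, and the Output list being removed in this same change records `deleted layer2resets and flexresp2_*`. If the option no longer exists in Snort 3, the sentence `Note that layer 2 resets are not supported with the IPQ DAQ` should say that the Snort 2 `config layer2resets` option has no equivalent here (or be dropped), rather than showing a config line a Snort 3 user cannot set.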
+14.6. IPFW Module
--------------
- * all rules must have a sid
- * deleted activate / dynamic rules
- * deleted metadata engine shared
- * deleted metadata: rule-flushing (with PDU flushing rule flushing
- can cause missed attacks, the opposite of its intent)
- * deleted unused rule_state.action
- * fastpattern_offset, fast_pattern_length
- * no ; separated content suboptions
- * offset, depth, distance, and within must use a space separator
- not colon (e.g. offset:5; becomes offset 5;)
- * rule option sequence: <stub> soid <hidden>
- * sid == 0 not allowed
- * soid is now a non-metadata option
- * content suboptions http_* are now full options and should be
- place before content
- * the following pcre options have been deleted: use sticky buffers
- instead B, U, P, H, M, C, I, D, K, S, Y
- * deleted uricontent ips rule option. uricontent:"foo" -→ http_uri;
- content:"foo"
- * deleted urilen raw and norm; must use http_raw_uri and http_uri
- instead
- * deleted unused http_encode option
- * urilen replaced with generic bufferlen which applies to current
- sticky buffer
- * added optional selector to http_header, e.g.
- http_header:User-Agent;
- * multiline rules w/o \n
- * #begin … #end comments
+IPFW is available for BSD systems. It replaces the inline version
+available in pre-2.9 versions built with this:
+./configure --enable-ipfw
-13.5. Output
+This command line argument is no longer supported:
---------------
+./snort -J <port#>
- * alert_fast includes packet data by default
- * all text mode outputs default to stdout
- * changed default logging mode to -L none
- * deleted layer2resets and flexresp2_*
- * deleted log_ascii
- * general output guideline: don’t print zero counts
- * Snort++ queues decoder and inspector events to the main event
- queue before ips policy is selected; since some events may not be
- enabled, the queue needs to be sized larger than with Snort which
- used an intermediate queue for decoder events.
- * deleted the intermediate http and ftp_telnet event queues
- * alert_unified2 and log_unified2 have been deleted
+Instead, start Snort like this:
+
+./snort --daq ipfw [--daq-var port=<port>]
+
+<port> ::= 1..65535; default is 8000
+
+ * IPFW only supports ip4 traffic.
+
+Notes on FreeBSD and OpenBSD are given below.
-13.6. HTTP Profiles
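Review bot: the IPFW section replaces `./snort -J <port#>` with `./snort --daq ipfw [--daq-var port=<port>]` and gives `default is 8000`, but never says what `<port>` has to match. The FreeBSD notes later in this change use `ipfw add 75 divert 8000 icmp from any to any` and the OpenBSD notes use `divert-packet port 9000` together with `--daq-var port=9000`; one sentence here stating that `<port>` must equal the divert port in the ipfw or pf rule would save the reader a trip to sections 14.10 and 14.11.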
+14.7. Dump Module
--------------
-This section describes the changes to the Http Inspect config option
-"profile".
+The dump DAQ allows you to test the various inline mode features
+available in Snort like injection and normalization.
-Snort 2.X allows users to select pre-defined HTTP server profiles
-using the config option "profile". The user can choose one of five
-predefined profiles. When defined, this option will set defaults for
-other config options within Http Inspect.
+./snort -i <device> --daq dump
+./snort -r <pcap> --daq dump
-With Snort++, the user has the flexibility of defining and fine
-tuning custom profiles along with the five predefined profiles.
+By default a file named inline-out.pcap will be created containing
+all packets that passed through or were generated by snort. You can
+optionally specify a different name.
-Snort 2.X conf
+./snort --daq dump --daq-var file=<name>
-preprocessor http_inspect_server: server default \
- profile apache ports { 80 3128 } max_headers 200
+dump uses the pcap daq for packet acquisition. It therefore does not
+count filtered packets (a pcap limitation).
-Snort 3.0 conf
+Note that the dump DAQ inline mode is not an actual inline mode.
+Furthermore, you will probably want to have the pcap DAQ acquire in
+another mode like this:
-http_inspect = { profile = http_profile_apache }
-http_inspect.profile.max_headers = 200
+./snort -r <pcap> -Q --daq dump --daq-var load-mode=read-file
+./snort -i <device> -Q --daq dump --daq-var load-mode=passive
-binder =
-{
- {
- when = { proto = 'tcp', ports = '80 3128', },
- use = { type = 'http_inspect' },
- },
-}
-Note
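Review bot: `Note that the dump DAQ inline mode is not an actual inline mode.` needs one more sentence saying what does happen; the paragraph above it already gives the answer (verdicts end up in `inline-out.pcap`, which holds `all packets that passed through or were generated by snort`), so state that nothing is forwarded or dropped on the wire. In addition, the two example lines use `--daq-var load-mode=read-file` and `--daq-var load-mode=passive` while the pcap section at the top of this change uses `--daq-mode read-file` and `--daq-mode passive`; a remark that `load-mode` is the dump DAQ's variable for the mode of the underlying pcap DAQ would stop readers from passing `--daq-mode` to dump and wondering why it has no effect.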
+14.8. Netmap Module
-The "profile" option now that points to a table "http_profile_apache"
-which is defined in "snort_defaults.lua" (as follows).
+--------------
-http_profile_apache =
-{
- profile_type = 'apache',
- server_flow_depth = 300,
- client_flow_depth = 300,
- post_depth = -1,
- chunk_length = 500000,
- ascii = true,
- multi_slash = true,
- directory = true,
- webroot = true,
- utf_8 = true,
- apache_whitespace = true,
- non_strict = true,
- normalize_utf = true,
- normalize_javascript = false,
- max_header_length = 0,
- max_headers = 0,
- max_spaces = 200,
- max_javascript_whitespaces = 200,
- whitespace_chars ='0x9 0xb 0xc 0xd'
-}
+The netmap project is a framework for very high speed packet I/O. It
+is available on both FreeBSD and Linux with varying amounts of
+preparatory setup required. Specific notes for each follow.
-Note
+./snort --daq netmap -i <device>
+ [--daq-var debug]
-The config option "max_headers" is set to 0 in the profile, but
-overwritten by "http_inspect.profile.max_headers = 200".
+If you want to run netmap in inline mode, you must craft the device
+string as one or more interface pairs, where each member of a pair is
+separated by a single colon and each pair is separated by a double
+colon like this:
-Conversion
+em1:em2
-Snort2lua can convert the existing snort.conf with the "profile"
-option to Snort3.0 compatible "profile". Please refer to the
-Snort2Lua post for more details.
+or this:
-Examples
+em1:em2::em3:em4
-"profile all" ==> "profile = http_profile_default"
-"profile apache" ==> "profile = http_profile_apache"
-"profile iis" ==> "profile = http_profile_iis"
-"profile iis_40" ==> "profile = http_profile_iis_40"
-"profile iis_50" ==> "profile = http_profile_iis_50"
+Inline operation performs Layer 2 forwarding with no MAC filtering,
+akin to the AFPacket module’s behavior. All packets received on one
+interface in an inline pair will be forwarded out the other interface
+unless dropped by the reader and vice versa.
-Defining custom profiles
+Important
-The complete set of Http Inspect config options that a custom profile
-can configure can be found by running the following command:
+The interfaces will need to be up and in promiscuous mode in order to
+function (ifconfig em1 up promisc). The DAQ module does not currently
+do either of these configuration steps for itself.
-snort --help-config http_inspect | grep http_inspect.profile
+14.8.1. FreeBSD
+In FreeBSD 10.0, netmap has been integrated into the core OS. In
+order to use it, you must recompile your kernel with the line
----------------------------------------------------------------------
+device netmap
-14. Snort2Lua
+added to your kernel config.
----------------------------------------------------------------------
+14.8.2. Linux
-One of the major differences between Snort 2.9.X and Snort 3.0 is the
-configuration. Snort 2.9.X configuration files are written in
-Snort-specific syntax while Snort 3.0 configuration files are written
-in Lua. Snort2Lua is a program specifically designed to convert Snort
-2.9.X configuration files into Lua files that Snort 3.0 can
-understand.
+You will need to download the netmap source code from the project’s
+repository:
-Snort2Lua reads your legacy Snort conf file(s) and generates Snort++
-Lua and rules files. When running this program, the only mandatory
-option is to provide Snort2Lua with a Snort configuration file. The
-default output file file is snort.lua, the default error file will be
-snort.rej, and the default rule file is the output file (default is
-snort.lua). When Snort2Lua finishes running, the resulting
-configuration file can be successfully run as the Snort3.0
-configuration file. The sole exception to this rule is when Snort2Lua
-cannot find an included file. If that occurs, the file will still be
-included in the output file and you will need to manually adjust or
-comment the file name. Additionally, if the exit code is not zero,
-some of the information may not be successfully converted. Check the
-error file for all of the conversion problems.
+https://code.google.com/p/netmap/
-Those errors can occur for a multitude of reasons and are not
-necessarily bad. For instance, Snort2Lua will only convert
-preprocessors that are currently supported. Therefore, any
-unsupported preprocessors or configuration options including DCERP,
-SIP, and SMTP, will cause an error in Snort2Lua since Snort3.0 does
-not support those preprocessors. Additionally, any rule options
-associated with those preprocessors are also not supported. Finally,
-Snort2Lua expects a valid Snort configuration. Therefore, if the
-configuration is invalid or has questionable syntax, Snort2Lua may
-fail to parse the configuration file or create an invalid Snort3.0
-configuration file.
+Follow the instructions on the project’s homepage for compiling and
+installing the code:
-There are a also few peculiarities of Snort2Lua that may be confusing
-to a first time user. Specifically, aside from an initial
-configuration file (which is specified from the command line or as
-the file in ‘config binding’), every file that is included into
-Snort3.0 must be either a Lua file or a rule file; the file cannot
-contain both rules and Lua syntax. Therefore, when parsing a file
-specified with the ‘include’ command, Snort2Lua will output both a
-Lua file and a rule file. Additionally, any line that is a comment in
-a configuration file will be added in to a comments section at the
-bottom of the main configuration file. Finally, rules that contain
-unsupported options will be converted to the best of Snort2Lua’s
-capability and then printed as a comment in the rule file.
+http://info.iet.unipi.it/~luigi/netmap/
+
+It will involve a standalone kernel module (netmap_lin) as well as
+patching and rebuilding the kernel module used to drive your network
+adapters. The following drivers are supported under Linux at the time
+of writing (June 2014):
+
+e1000
+e1000e
+forcedeth
+igb
+ixgbe
+r8169
+virtio
+
+TODO:
+
+ * Support for attaching to only a single ring (queue) on a network
+ adapter.
+ * Support for VALE and netmap pipes.
-14.1. Snort2Lua Command Line
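Review bot: the netmap section ships a `TODO:` list (` * Support for attaching to only a single ring (queue)`, ` * Support for VALE and netmap pipes.`) in user-facing documentation, and dates its driver list `at the time of writing (June 2014)` next to a `https://code.google.com/p/netmap/` repository link. Either move the TODO items to the DAQ project's tracker or reword them as current limitations, and refresh the driver list and the repository link so the manual does not ship a 2014 snapshot. Separately, the `Important` block says `The DAQ module does not currently do either of these configuration steps for itself` (interface up and promiscuous); since this section compares itself to afpacket, the afpacket section should say whether the same manual steps apply there.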
+14.9. Notes on iptables
--------------
-By default, Snort2Lua will attempt to parse every ‘include’ file and
-every ‘binding’ file. There is an option to change this
-functionality.
+These notes are just a quick reminder that you need to set up
+iptables to use the IPQ or NFQ DAQs. Doing so may cause problems with
+your network so tread carefully. The examples below are intentionally
+incomplete so please read the related documentation first.
-When specifying a rule file with one of the command line options,
-Snort2Lua will output all of the converted rules to that specified
-rule file. This is especially useful when you are only interesting in
-converting rules since there is no Lua syntax in rule files. There is
-also an option that tells Snort2Lua to output every rule for a given
-configuration into a single rule file. Similarly, there is an option
-pull all of the Lua syntax from every ‘include’ file into the output
-file.
+Here is a blog post by Marty for historical reference:
-There are currently three output modes: default, quiet, and
-differences. As expected, quiet mode produces a Snort++
-configuration. All errors (aside from Fatal Snort2Lua errors),
-differences, and comments will omitted from the final output file.
-Default mode will print everything. That mean you will be able to see
-exactly what changes have occurred between Snort and Snort++ in
-addition to the new syntax, the original file’s comments, and all
-errors that have occurred. Finally, differences mode will not
-actually output a valid Snort3.0 configuration. Instead, you can see
-the exact options from the input configuration that have changed.
-
-14.1.1. Usage: snort2lua [OPTIONS]… -c <snort_conf> …
+http://archives.neohapsis.com/archives/snort/2000-11/0394.html
-Converts the Snort configuration file specified by the -c or
---conf-file options into a Snort++ configuration file
+You can check this out for queue sizing tips:
-14.1.1.1. Options:
+http://www.inliniac.net/blog/2008/01/23/improving-snort_inlines-nfq-performance.html
- * -? show usage
- * -h this overview of snort2lua
- * -a default option. print all data
- * -c <snort_conf> The Snort <snort_conf> file to convert
- * -d print the differences, and only the differences, between the
- Snort and Snort++ configurations to the <out_file>
- * -e <error_file> output all errors to <error_file>
- * -i if <snort_conf> file contains any <include_file> or
- <policy_file> (i.e. include path/to/conf/other_conf), do NOT
- parse those files
- * -m add a remark to the end of every converted rule
- * -o <out_file> output the new Snort++ lua configuration to
- <out_file>
- * -q quiet mode. Only output valid confiration information to the
- <out_file>
- * -r <rule_file> output any converted rule to <rule_file>
- * -s when parsing <include_file>, write <include_file>'s rules to
- <rule_file>. Meaningles if -i provided
- * -t when parsing <include_file>, write <include_file>'s
- information, excluding rules, to <out_file>. Meaningles if -i
- provided
- * -V Print the current Snort2Lua version
- * --conf-file Same as -c. A Snort <snort_conf> file which will be
- converted
- * --dont-parse-includes Same as -p. if <snort_conf> file contains
- any <include_file> or <policy_file> (i.e. include path/to/conf/
- other_conf), do NOT parse those files
- * --error-file=<error_file> Same as -e. output all errors to
- <error_file>
- * --help Same as -h. this overview of snort2lua
- * --markup print help in asciidoc compatible format
- * --ohi Use Old Http Inspect format
- * --output-file=<out_file> Same as -o. output the new Snort++ lua
- configuration to <out_file>
- * --print-all Same as -a. default option. print all data
- * --print-differences Same as -d. output the differences, and only
- the differences, between the Snort and Snort++ configurations to
- the <out_file>
- * --quiet Same as -q. quiet mode. Only output valid confiration
- information to the <out_file>
- * --remark same as -m. add a remark to the end of every converted
- rule
- * --rule-file=<rule_file> Same as -r. output any converted rule to
- <rule_file>
- * --single-conf-file Same as -t. when parsing <include_file>, write
- <include_file>'s information, excluding rules, to <out_file>
- * --single-rule-file Same as -s. when parsing <include_file>, write
- <include_file>'s rules to <rule_file>.
- * --version Same as -V. Print the current Snort2Lua version
+You might find useful IPQ info here:
+
+http://snort-inline.sourceforge.net/
+
+Use this to examine your iptables:
+
+sudo /sbin/iptables -L
+
+Use something like this to set up NFQ:
+
+sudo /sbin/iptables
+ -I <table> [<protocol stuff>] [<state stuff>]
+ -j NFQUEUE --queue-num 1
+
+Use something like this to set up IPQ:
-14.1.1.2. Required option:
+sudo iptables -I FORWARD -j QUEUE
- * A Snort configuration file to convert. Set with either -c or
- --conf-file
+Use something like this to "disconnect" snort:
-14.1.1.3. Default values:
+sudo /sbin/iptables -D <table> <rule pos>
- * <out_file> = snort.lua
- * <rule_file> = <out_file> = snort.lua. Rules are written to the
- local_rules variable in the <out_file>
- * <error_file> = snort.rej. This file will not be created in quiet
- mode.
+Be sure to start Snort prior to routing packets through NFQ with
+iptables. Such packets will be dropped until Snort is started.
+The queue-num is the number you must give Snort.
-14.2. Known Problems
+If you are running on a system with both NFQ and IPQ support, you may
+experience some start-up failures of the sort:
---------------
+The solution seems to be to remove both modules from the kernel like
+this:
- * Any Snort ‘string’ which is dependent on a variable will no
- longer have that variable in the Lua string.
- * Snort2Lua currently does not handle variables well. First, that
- means variables will not always be parsed correctly. Second,
- sometimes a variables value will be outoput in the lua file
- rather than a variable For instance, if Snort2Lua attempted to
- convert the line include $RULE_PATH/example.rule, the output may
- ouput include /etc/rules/example.rule instead.
- * When Snort2Lua parses a ‘binding’ configuration file, the rules
- and configuration will automatically be combined into the same
- file. Also, the new files name will automatically become the old
- file’s name with a .lua extension. There is currently no way to
- specify or change that files name.
- * If a rule’s action is a custom ruletype, that rule action will be
- silently converted to the rultype’s type. No warnings or errors
- are currently emmitted. Additionally, the custom ruletypes
- outputs will be silently discarded.
- * If the original configuration contains a binding that points to
- another file and the binding file contains an error, Snort2Lua
- will output the number of rejects for the binding file in
- addition to the number of rejects in the main file. The two
- numbers will eventually be combined into one output.
+modprobe -r nfnetlink_queue
+modprobe -r ip_queue
+
+and then install the module you want:
+
+modprobe ip_queue
+
+or:
+modprobe nfnetlink_queue
+
+These DAQs should be run with a snaplen of 65535 since the kernel
+defrags the packets before queuing. Also, no need to configure frag3.
-14.3. Usage
+
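Review bot: `you may experience some start-up failures of the sort:` promises an example message but is followed directly by `The solution seems to be to remove both modules from the kernel`; either paste the failure text or reword to `start-up failures; the solution ...`. In the same region, `sudo /sbin/iptables -I <table> ...` and `sudo /sbin/iptables -D <table> <rule pos>` take a chain, not a table (tables are selected with `-t`), and the IPQ example between them already uses a chain, `sudo iptables -I FORWARD -j QUEUE`, so the placeholder should read `<chain>`. The NFQ example uses `-j NFQUEUE --queue-num 1` while the NFQ module's `<qid>` defaults to 0, so `The queue-num is the number you must give Snort.` should say that this example needs `--daq-var queue=1`. Finally, `Also, no need to configure frag3.` should use the Snort 3 name; the conf-file list removed in this change records `frag3 → defrag`.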
+14.10. Notes on FreeBSD::IPFW
--------------
-Snort2Lua is included in the Snort 3.0 distribution. The Snort2Lua
-source code is located in the tools/snort2lua directory. The program
-is automatically built and installed.
+Check the online manual at:
-Translating your configuration
+http://www.freebsd.org/doc/handbook/firewalls-ipfw.html.
-To run Snort2Lua, the only requirement is a file containing Snort
-2.9.X syntax. Assuming your configuration file is named snort.conf,
-run the command
+Here is a brief example to divert icmp packets to Snort at port 8000:
-snort2lua –c snort.conf
+To enable support for divert sockets, place the following lines in
+the kernel configuration file:
-Snort2Lua will output a file named snort.lua. Assuming your
-snort.conf file is a valid Snort 2.9.X configuration file, than the
-resulting snort.lua file will always be a valid Snort 3.0
-configuration file; any errors that occur are because Snort 3.0
-currently does not support all of the Snort 2.9.X options.
+options IPFIREWALL
+options IPDIVERT
-Every keyword from the Snort configuration can be found in the output
-file. If the option or keyword has changed, then a comment containing
-both the option or keyword’s old name and new name will be present in
-the output file.
+(The file in this case was: /usr/src/sys/i386/conf/GENERIC; which is
+platform dependent.)
-Translating a rule file
+You may need to also set these to use the loadable kernel modules:
-Snort2Lua can also accommodate translating individual rule files.
-Assuming the Snort 2.9.X rule file is named snort.rules and you want
-the new rule file to be name updated.rules, run the command
+/etc/rc.conf:
+firewall_enable="YES"
-snort2lua –c snort.rules -r updated.rules
+/boot/loader.conf:
+ipfw_load="YES"
+ipdivert_load="YES"
-Snort2Lua will output a file named updated.rules. That file,
-updated.rules, will always be a valid Snort 3.0 rule file. Any rule
-that contains unsupported options will be a comment in the output
-file.
+$ dmesg | grep ipfw
+ipfw2 (+ipv6) initialized, divert loadable, nat loadable, rule-based
+forwarding disabled, default to deny, logging disabled
-Understanding the Output
+$ kldload -v ipdivert
+Loaded ipdivert, id=4
-Although Snort2Lua outputs very little to the console, there are
-several things that occur when Snort2Lua runs. This is a list of
-Snort2Lua outputs.
+$ ipfw add 75 divert 8000 icmp from any to any
+00075 divert 8000 icmp from any to any
-The console. Every line that Snort2Lua is unable to translate from
-the Snort 2.9.X format to the Snort 3.0 format is considered an
-error. Upon exiting, Snort2Lua will print the number of errors that
-occurred. Snort2Lua will also print the name of the error file.
+$ ipfw list
+...
+00075 divert 8000 icmp from any to any
+00080 allow icmp from any to any
+...
-The output file. As previously mentioned, Snort2Lua will create a Lua
-file with valid Snort 3.0 syntax. The default Lua file is named
-snort.lua. This file is the equivalent of your main Snort 2.9.X
-configuration file.
+ * Note that on FreeBSD, divert sockets don’t work with bridges!
-The rule file. By default, all rules will be printed to the Lua file.
-However, if a rule file is specified on the command line, any rules
-found in the Snort 2.9.X configuration will be written to the rule
-file instead
+Please refer to the following articles for more information:
-The error file. By default, the error file is snort.rej. It will only
-be created if errors exist. Every error referenced on the command
-line can be found in this file. There are two reasons an error can
-occur.
+ * https://forums.snort.org/forums/support/topics/
+ snort-inline-on-freebsd-ipfw
+ * http://freebsd.rogness.net/snort_inline/
- * The Snort 2.9.X configuration file has invalid syntax. If Snort
- 2.9.X cannot parse the configuration file, neither can Snort2Lua.
- In the example below, Snort2Lua could not convert the line config
- bad_option. Since that is not valid Snort 2.9.X syntax, this is a
- syntax error.
- * The Snort 2.9.X configuration file contains preprocessors and
- rule options that are not supported in Snort 3.0. If Snort 2.9.X
- can parse a line that Snort2Lua cannot parse, than Snort 3.0 does
- not support something in the line. As Snort 3.0 begins supporting
- these preprocessors and rule options, Snort2Lua will also begin
- translating these lines. One example of such an error is dcerpc2.
+NAT gateway can be used with divert sockets if the network
+environment is conducive to using NAT.
-Additional .lua and .rules files. Every time Snort2Lua parses the
-include or binding keyword, the program will attempt to parse the
-file referenced by the keyword. Snort2Lua will then create one or two
-new files. The new files will have a .lua or .rules extension
-appended to the original filename.
+The steps to set up NAT with ipfw are as follows:
+ 1. Set up NAT with two interface em0 and em1 by adding the following
+ to /etc/rc.conf. Here em0 is connected to external network and
+ em1 to host-only LAN.
----------------------------------------------------------------------
+ gateway_enable="YES"
+ natd_program="/sbin/natd" # path to natd
+ natd_enable="YES" # Enable natd (if firewall_enable == YES)
+ natd_interface="em0" # Public interface or IP Address
+ natd_flags="-dynamic" # Additional flags
+ defaultrouter=""
+ ifconfig_em0="DHCP"
+ ifconfig_em1="inet 192.168.1.2 netmask 255.255.255.0"
+ firewall_enable="YES"
+ firewall_script="/etc/rc.firewall"
+ firewall_type="simple"
-15. Extending Snort++
+ 2. Add the following divert rules to divert packets to Snort above
+ and below the NAT rule in the "Simple" section of /etc/
+ rc.firewall.
----------------------------------------------------------------------
+ ...
+ # Inspect outbound packets (those arriving on "inside" interface)
+ # before NAT translation.
+ ${fwcmd} add divert 8000 all from any to any in via ${iif}
+ case ${natd_enable} in
+ [Yy][Ee][Ss])
+ if [ -n "${natd_interface}" ]; then
+ ${fwcmd} add divert natd all from any to any via ${natd_interface}
+ fi
+ ;;
+ esac
+ ...
+ # Inspect inbound packets (those arriving on "outside" interface)
+ # after NAT translation that aren't blocked for other reasons,
+ # after the TCP "established" rule.
+ ${fwcmd} add divert 8000 all from any to any in via ${oif}
-15.1. Plugins
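Review bot: `Here is a brief example to divert icmp packets to Snort at port 8000:` introduces the example, but what follows is kernel config (`options IPFIREWALL`, `options IPDIVERT`) and rc.conf/loader.conf settings; the actual example, `$ ipfw add 75 divert 8000 icmp from any to any`, comes several blocks later. Move the sentence to just before the `$ dmesg | grep ipfw` transcript, or say that the prerequisites come first. The transcript also shows `$ kldload -v ipdivert` and `$ ipfw add ...` under a `$` prompt although both require root, and the OpenBSD steps in this change do the same with `sysctl` and `pfctl`; either use `#` or say once that the commands are run as root.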
+14.11. Notes on OpenBSD::IPFW
--------------
-Snort++ uses a variety of plugins to accomplish much of its
-processing objectives, including:
+OpenBSD supports divert sockets as of 4.7, so we use the ipfw DAQ.
- * Codec - to decode and encode packets
- * Inspector - like the prior preprocessors, for normalization, etc.
- * IpsOption - for detection in Snort++ rules
- * IpsAction - for custom actions
- * Logger - for handling events
- * Mpse - for fast pattern matching
- * So - for dynamic rules
+Here is one way to set things up:
-Plugins have an associated API defined for each type, all of which
-share a common header, called the BaseApi. A dynamic library makes
-its plugins available by exporting the snort_plugins symbol, which is
-a null terminated array of BaseApi pointers.
+ 1. Configure the system to forward packets:
-The BaseApi includes type, name, API version, plugin version, and
-function pointers for constructing and destructing a Module. The
-specific API add various other data and functions for their given
-roles.
+ $ sysctl net.inet.ip.forwarding=1
+ $ sysctl net.inet6.ip6.forwarding=1
+ (You can also put that in /etc/sysctl.conf to enable on boot.)
-15.2. Modules
+ 2. Set up interfaces
---------------
+ $ dhclient vic1
+ $ dhclient vic2
-The Module is pervasive in Snort+. It is how everything, including
-plugins, are configured. It also provides access to builtin rules.
-And as the glue that binds functionality to Snort+, the capabilities
-of a Module are expected to grow to include statistics support, etc.
+ 3. Set up packet filter rules:
-Module configuration is handled by a list of Parameters. Most
-parameters can be validated by the framework, which means for example
-that conversion from string to number is done in exactly one place.
-Providing the builtin rules allows the documentation to include them
-automatically and also allows for autogenerating the rules at
-startup.
+ $ echo "pass out on vic1 divert-packet port 9000 keep-state" > rules.txt
+ $ echo "pass out on vic2 divert-packet port 9000 keep-state" >> rules.txt
-If we are defining a new Inspector called, say, gadget, it might be
-configured in snort.lua like this:
+ $ pfctl -v -f rules.txt
-gadget =
-{
- brain = true,
- claw = 3
-}
+ 4. Analyze packets diverted to port 9000:
-When the gadget table is processed, Snort++ will look for a module
-called gadget. If that Module has an associated API, it will be used
-to configure a new instance of the plugin. In this case, a
-GadgetModule would be instantiated, brain and claw would be set, and
-the Module instance would be passed to the GadgetInspector
-constructor.
+ $ ./snort --daq ipfw --daq-var port=9000
-Module has three key virtual methods:
+ + Note that on OpenBSD, divert sockets don’t work with bridges!
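Review bot: "pfctl -v -f rules.txt" in step 3 replaces the whole running pf ruleset with the two pass rules written to rules.txt, so a host that already has a pf.conf policy loses it the moment this is run; the step should say so, or tell the reader to add the two divert-packet lines to their existing pf.conf instead. Also note that both rules are "pass out", so only forwarded traffic leaving via vic1 or vic2 is diverted to port 9000; connections to or from the Snort host itself never reach Snort, which is fine for an inline gateway but should be stated next to the bridge caveat. Minor: the sysctl, dhclient and pfctl commands are shown with a "$" prompt although all of them need root.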
- * begin() - called when Snort++ starts processing the associated
- Lua table. This is a good place to allocate any required data and
- set defaults.
- * set() - called to set each parameter after validation.
- * end() - called when Snort++ finishes processing the associated
- Lua table. This is where additional integrity checks of related
- parameters should be done.
-The configured Module is passed to the plugin constructor which pulls
-the configuration data from the Module. For non-trivial
-configurations, the working paradigm is that Module hands a pointer
-to the configured data to the plugin instance which takes ownership.
+14.12. Socket Module
-Note that there is at most one instance of a given Module, even if
-multiple plugin instances are created which use that Module.
-(Multiple instances require Snort++ binding configuration.)
+--------------
+
+The socket module provides provides a stream socket server that will
+accept up to 2 simultaneous connections and bridge them together
+while also passing data to Snort for inspection. The first connection
+accepted is considered the client and the second connection accepted
+is considered the server. If there is only one connection, stream
+data can’t be forwarded but it is still inspected.
+
+Each read from a socket of up to snaplen bytes is passed as a packet
+to Snort along with a DAQ_SktHdr_t pointer in DAQ_PktHdr_t→priv_ptr.
+DAQ_SktHdr_t conveys IP4 address, ports, protocol, and direction.
+Socket packets can be configured to be TCP or UDP. The socket DAQ can
+be operated in inline mode and is able to block packets.
+
+The socket DAQ uses DLT_SOCKET and requires that Snort load the
+socket codec which is included in the extra package.
+
+To use the socket DAQ, start Snort like this:
+
+./snort --plugin-path /path/to/lib/snort_extra \
+ --daq socket [--daq-var port=<port>] [--daq-var proto=<proto>] [-Q]
+
+<port> ::= 1..65535; default is 8000
+<proto> ::= tcp | udp
+
+ * This module only supports ip4 traffic.
+ * This module is only supported by Snort 3. It is not compatible
+ with Snort 2.
+ * This module is primarily for development and test.
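Review bot: the first sentence of the Socket Module section has "provides provides", and "DAQ_PktHdr_t→priv_ptr" should use the C arrow "DAQ_PktHdr_t->priv_ptr" like the other identifiers. More important for a module that accepts the first two connections to arrive on a network port (default 8000) and bridges them with no authentication: the text does not say which address the listener binds to, so the "primarily for development and test" bullet should be backed by a sentence telling the reader to keep the port off untrusted networks, or documenting the bind address if it is configurable.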
-15.3. Inspectors
+14.13. File Module
--------------
-There are several types of inspector, which determines which
-inspectors are executed when:
+The file module provides the ability to process files directly w/o
+having to extract them from pcaps. Use the file module with Snort’s
+stream_file to get file type identification and signature services.
+The usual IPS detection and logging etc. is available too.
- * IT_BINDER - determines which inspectors apply to given flows
- * IT_WIZARD - determines which service inspector to use if none
- explicitly bound
- * IT_PACKET - used to process all packets before session and
- service processing (e.g. normalize)
- * IT_NETWORK - processes packets w/o service (e.g. arp_spoof,
- back_orifice)
- * IT_STREAM - for flow tracking, ip defrag, and tcp reassembly
- * IT_SERVICE - for http, ftp, telnet, etc.
- * IT_PROBE - process all packets after all the above (e.g.
- perf_monitor, port_scan)
+You can process all the files in a directory recursively using 8
+threads with these Snort options:
+
+--pcap-dir path -z 8
+
+ * This module is only supported by Snort 3. It is not compatible
+ with Snort 2.
+ * This module is primarily for development and test.
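Review bot: the File Module section never shows how this DAQ is selected; the socket section shows "--daq socket" and the ipfw notes "--daq ipfw", so "--pcap-dir path -z 8" should be paired with the corresponding --daq selection, plus a remark that --pcap-dir here walks a directory of arbitrary files rather than pcaps, despite its name.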
+
+
+14.14. Hext Module
+
+--------------
+
+The hext module generates packets suitable for processing by Snort
+from hex/plain text. Raw packets include full headers and are
+processed normally. Otherwise the packets contain only payload and
+are accompanied with flow information (4-tuple) suitable for
+processing by stream_user.
+The first character of the line determines it’s purpose:
-15.4. Codecs
+'$' command
+'#' comment
+'"' quoted string packet data
+'x' hex packet data
+' ' empty line separates packets
---------------
+The available commands are:
-The Snort3.0 Codecs decipher raw packets. These Codecs are now
-completely pluggable; almost every Snort3.0 Codec can be built
-dynamically and replaced with an alternative, customized Codec. The
-pluggable nature has also made it easier to build new Codecs for
-protocols without having to touch the Snort3.0 code base.
+$client <ip4> <port>
+$server <ip4> <port>
-The first step in creating a Codec is defining its class and
-protocol. Every Codec must inherit from the Snort3.0 Codec class
-defined in "framework/codec.h". The following is an example Codec
-named "example" and has an associated struct that is 14 bytes long.
+$packet -> client
+$packet -> server
-#include <cstdint>
-#include <arpa/inet.h>
-#include “framework/codec.h”
-#include "main/snort_types.h"
+$packet <addr> <port> -> <addr> <port>
-#define EX_NAME “example”
-#define EX_HELP “example codec help string”
+Client and server are determined as follows. $packet → client
+indicates to the client (from server) and $packet → server indicates
+a packet to the server (from client). $packet followed by a 4-tuple
+uses the heuristic that the client is the side with the lower port
+number.
-struct Example
-{
- uint8_t dst[6];
- uint8_t src[6];
- uint16_t ethertype;
+The default client and server are 192.168.1.1 12345 and 10.1.2.3 80
+respectively. $packet commands with a 4-tuple do not change client
+and server set with the other $packet commands.
- static inline uint8_t size()
- { return 14; }
-}
+$packet commands should be followed by packet data, which may contain
+any combination of hex and strings. Data for a packet ends with the
+next command or a blank line. Data after a blank line will start
+another packet with the same tuple as the prior one.
-class ExCodec : public Codec
-{
-public:
- ExCodec() : Codec(EX_NAME) { }
- ~ExCodec() { }
+Strings may contain the following escape sequences:
- bool decode(const RawData&, CodecData&, DecodeData&) override;
- void get_protocol_ids(std::vector<uint16_t>&) override;
-};
+\r = 0x0D = carriage return
+\n = 0x0A = new line
+\t = 0x09 = tab
+\\ = 0x5C = \
-After defining ExCodec, the next step is adding the Codec’s decode
-functionality. The function below does this by implementing a valid
-decode function. The first parameter, which is the RawData struct,
-provides both a pointer to the raw data that has come from a wire and
-the length of that raw data. The function takes this information and
-validates that there are enough bytes for this protocol. If the raw
-data’s length is less than 14 bytes, the function returns false and
-Snort3.0 discards the packet; the packet is neither inspected nor
-processed. If the length is greater than 14 bytes, the function
-populates two fields in the CodecData struct, next_prot_id and
-lyr_len. The lyr_len field tells Snort3.0 the number of bytes that
-this layer contains. The next_prot_id field provides Snort3.0 the
-value of the next EtherType or IP protocol number.
+Format your input carefully; there is minimal error checking and
+little tolerance for arbitrary whitespace. You can use Snort’s -L
+hext option to generate hext input from a pcap.
-bool ExCodec::decode(const RawData& raw, CodecData& codec, DecodeData&)
-{
- if ( raw.len < Example::size() )
- return false;
+ * This module only supports ip4 traffic.
+ * This module is only supported by Snort 3. It is not compatible
+ with Snort 2.
+ * This module is primarily for development and test.
- const Example* const ex = reinterpret_cast<const Example*>(raw.data);
- codec.next_prot_id = ntohs(ex->ethertype);
- codec.lyr_len = ex->size();
- return true;
-}
+The hext DAQ also supports a raw mode which is activated by setting
+the data link type. For example, you can input full ethernet packets
+with --daq-var dlt=1 (Data link types are defined in the DAQ include
+sfbpf_dlt.h.) Combine that with the hext logger in raw mode for a
+quick (and dirty) way to edit pcaps. With --lua "log_hext = { raw =
+true }", the hext logger will dump the full packet in a way that can
+be read by the hext DAQ in raw mode. Here is an example:
-For instance, assume this decode function receives the following raw
-data with a validated length of 32 bytes:
+# 3 [96]
-00 11 22 33 44 55 66 77 88 99 aa bb 08 00 45 00
-00 38 00 01 00 00 40 06 5c ac 0a 01 02 03 0a 09
+x02 09 08 07 06 05 02 01 02 03 04 05 08 00 45 00 00 52 00 03 # ..............E..R..
+x00 00 40 06 5C 90 0A 01 02 03 0A 09 08 07 BD EC 00 50 00 00 # ..@.\............P..
+x00 02 00 00 00 02 50 10 20 00 8A E1 00 00 47 45 54 20 2F 74 # ......P. .....GET /t
+x72 69 67 67 65 72 2F 31 20 48 54 54 50 2F 31 2E 31 0D 0A 48 # rigger/1 HTTP/1.1..H
+x6F 73 74 3A 20 6C 6F 63 61 6C 68 6F 73 74 0D 0A # ost: localhost..
-The Example struct’s EtherType field is the 13 and 14 bytes.
-Therefore, this function tells Snort that the next protocol has an
-EtherType of 0x0800. Additionally, since the lyr_len is set to 14,
-Snort knows that the next protocol begins 14 bytes after the
-beginning of this protocol. The Codec with EtherType 0x0800, which
-happens to be the IPv4 Codec, will receive the following data with a
-validated length of 18 ( == 32 – 14):
+A comment indicating packet number and size precedes each packet
+dump. Note that the commands are not applicable in raw mode and have
+no effect.
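Review bot: the command syntax is shown in ASCII ("$packet -> client") while the explanatory paragraph renders it as "$packet → client"; since the text itself warns of minimal error checking, the prose should use the literal form the parser reads. In the same paragraph "indicates to the client (from server)" is missing "a packet", and "it's purpose" should be "its purpose". The 4-tuple form uses "<addr>" where $client and $server use "<ip4>"; given the ip4-only limitation listed below, use one placeholder. Finally, the escape list (\r, \n, \t, \\) does not say how a double quote is embedded in a quoted string, which matters when writing HTTP test payloads; state whether \" is accepted.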
-45 00 00 38 00 01 00 00 40 06 5c ac 0a 01 02 03
-0a 09
-How does Snort3.0 know that the IPv4 Codec has an EtherType of
-0x0800? The Codec class has a second virtual function named
-get_protocol_ids(). When implementing the function, a Codec can
-register for any number of values between 0x0000 - 0xFFFF. Then, if
-the next_proto_id is set to a value for which this Codec has
-registered, this Codec’s decode function will be called. As a general
-note, the protocol ids between [0, 0x00FF] are IP protocol numbers,
-[0x0100, 0x05FF] are custom types, and [0x0600, 0xFFFF] are
-EtherTypes.
+---------------------------------------------------------------------
-For example, in the get_protocol_ids function below, the ExCodec
-registers for the protocols numbers 17, 787, and 2054. 17 happens to
-be the protocol number for UDP while 2054 is ARP’s EtherType.
-Therefore, this Codec will now attempt to decode UDP and ARP data.
-Additionally, if any Codec sets the next_protocol_id to 787,
-ExCodec’s decode function will be called. Some custom protocols are
-already defined in the file "protocols/protocol_ids.h"
+15. Snort 3 vs Snort 2
-void ExCodec::get_protocol_ids(std::vector<uint16_t>&v)
-{
- v.push_back(0x0011); // == 17 == UDP
- v.push_back(0x1313); // == 787 == custom
- v.push_back(0x0806); // == 2054 == ARP
-}
+---------------------------------------------------------------------
-To register a Codec for Data Link Type’s rather than protocols, the
-function get_data_link_type() can be similarly implemented.
+Snort 3 differs from Snort 2 in the following ways:
-The final step to creating a pluggable Codec is the snort_plugins
-array. This array is important because when Snort3.0 loads a dynamic
-library, the program only find plugins that are inside the
-snort_plugins array. In other words, if a plugin has not been added
-to the snort_plugins array, that plugin will not be loaded into
-Snort3.0.
+ * command line and conf file syntax made more uniform
+ * removed unused and deprecated features
+ * remove as many barriers to successful run as possible (e.g.: no
+ upper bounds on memcaps)
+ * assume the simplest mode of operation (e.g.: never assume input
+ from or output to some hardcoded filename)
+ * all Snort 2 config options are grouped into Snort 3 modules
-Although the details will not be covered in this post, the following
-code snippet is a basic CodecApi that Snort3.0 can load. This snippet
-can be copied and used with only three minor changes. First, in the
-function ctor, ExCodec should be replaced with the name of the Codec
-that is being built. Second, EX_NAME must match the Codec’s name or
-Snort will be unable to load this Codec. Third, EX_HELP should be
-replaced with the general description of this Codec. Once this code
-snippet has been added, ExCodec is ready to be compiled and plugged
-into Snort3.0.
-static Codec* ctor(Module*)
-{ return new ExCodec; }
+15.1. Build Options
-static void dtor(Codec *cd)
-{ delete cd; }
+--------------
-static const CodecApi ex_api =
-{
- {
- PT_CODEC,
- EX_NAME,
- EX_HELP,
- CDAPI_PLUGIN_V0,
- 0,
- nullptr,
- nullptr,
- },
- nullptr, // pointer to a function called during Snort's startup.
- nullptr, // pointer to a function called during Snort's exit.
- nullptr, // pointer to a function called during thread's startup.
- nullptr, // pointer to a function called during thread's destruction.
- ctor, // pointer to the codec constructor.
- dtor, // pointer to the codec destructor.
-};
+ * configure --with-lib{pcap,pcre}-* → --with-{pcap,pcre}-*
+ * control socket, cs_dir, and users were deleted
+ * POLICY_BY_ID_ONLY code was deleted
+ * hardened --enable-inline-init-failopen / INLINE_FAILOPEN
-SO_PUBLIC const BaseApi* snort_plugins[] =
-{
- &ex_api.base,
- nullptr
-};
-Two example Codecs are available in the extra directory on git and
-the extra tarball on the Snort3.0 page. One of those examples is the
-Token Ring Codec while the other example is the PIM Codec.
+15.2. Command Line
-As a final note, there are four more virtual functions that a Codec
-should implement: encode, format, update, and log. If the functions
-are not implemented Snort will not throw any errors. However, Snort
-may also be unable to accomplish some of its basic functionality.
+--------------
- * encode is called whenever Snort actively responds and needs to
- builds a packet, i.e. whenever a rule using an IPS ACTION like
- react, reject, or rewrite is triggered. This function is used to
- build the response packet protocol by protocol.
- * format is called when Snort is rebuilding a packet. For instance,
- every time Snort reassembles a TCP stream or IP fragment, format
- is called. Generally, this function either swaps any source and
- destination fields in the protocol or does nothing.
- * update is similar to format in that it is called when Snort is
- reassembling a packet. Unlike format, this function only sets
- length fields.
- * log is called when either the log_codecs logger or a custom
- logger that calls PacketManager::log_protocols is used when
- running Snort3.0.
+ * --pause loads config and waits for resume before processing
+ packets
+ * --require-rule-sid is hardened
+ * --shell enables interactive Lua shell
+ * -T is assumed if no input given
+ * added --help-config prefix to dump all matching settings
+ * added --script-path
+ * added -L none|dump|pcap
+ * added -z <#> and --max-packet-threads <#>
+ * delete --enable-mpls-multicast, --enable-mpls-overlapping-ip,
+ --max-mpls-labelchain-len, --mpls-payload-type
+ * deleted --pid-path and --no-interface-pidfile
+ * deleting command line options which will be available with --lua
+ or some such including: -I, -h, -F, -p,
+ --disable-inline-init-failopen
+ * hardened -n < 0
+ * removed --search-method
+ * replaced "unknown args are bpf" with --bpf
+ * replaced --dynamic-*-lib[-dir] with --plugin-path (with :
+ separators)
+ * removed -b, -N, -Z and, --perfmon-file options
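Review bot: the Command Line list uses "hardened" three times (--require-rule-sid, INLINE_FAILOPEN, -n < 0) without saying what changed, and "deleting command line options which will be available with --lua or some such" is unfinished wording; name the replacement for each of -I, -h, -F, -p and --disable-inline-init-failopen, or drop the bullet until it is settled. Also "replaced 'unknown args are bpf' with --bpf" deserves a sentence, because it is a real safety improvement: a mistyped trailing argument is no longer silently installed as the capture filter.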
-15.5. IPS Actions
+15.3. Conf File
--------------
-Action plugins specify a builtin action in the API which is used to
-determine verdict. (Conversely, builtin actions don’t have an
-associated plugin function.)
+ * Snort 3 has a default unicode.map
+ * Snort 3 will not enforce an upper bound on memcaps and the like
+ within 64 bits
+ * Snort 3 will supply a default *_global config if not specified
+ (Snort 2 would fatal; e.g. http_inspect_server w/o
+ http_inspect_global)
+ * address list syntax changes: [[ and ]] must be [ [ and ] ] to
+ avoid Lua string parsing errors (unless in quoted string)
+ * because the Lua conf is live code, we lose file:line locations in
+ app error messages (syntax errors from Lua have file:line)
+ * changed search-method names for consistency
+ * delete config include_vlan_in_alerts (not used in code)
+ * delete config so_rule_memcap (not used in code)
+ * deleted --disable-attribute-table-reload-thread
+ * deleted config decode_*_{alerts,drops} (use rules only)
+ * deleted config dump-dynamic-rules-path
+ * deleted config ipv6_frag (not actually used)
+ * deleted config threshold and ips rule threshold (→ event_filter)
+ * eliminated ac-split; must use ac-full-q split-any-any
+ * frag3 → defrag, arpspoof → arp_spoof, sfportscan → port_scan,
+ perfmonitor → perf_monitor, bo → back_orifice
+ * limits like "1234K" are now "limit = 1234, units = K"
+ * lua field names are (lower) case sensitive; snort.conf largely
+ wasn’t
+ * module filenames are not configurable: always <log-dir>/
+ <module-name><suffix> (suffix is determined by module)
+ * no positional parameters; all name = value
+ * perf_monitor configuration was simplified
+ * portscan.detect_ack_scans deleted (exact same as
+ include_midstream)
+ * removed various run modes - now just one
+ * frag3 default policy is Linux not bsd
+ * lowmem* search methods are now in snort_examples
+ * deleted unused http_inspect stateful mode
+ * deleted stateless inspection from ftp and telnet
+ * deleted http and ftp alert options (now strictly rule based)
+ * preprocessor disabled settings deleted since no longer relevant
+ * sessions are always created; snort config stateful checks
+ eliminated
+ * stream5_tcp: prune_log_max deleted; to be replaced with histogram
+ * stream5_tcp: max_active_responses, min_response_seconds moved to
+ active.max_responses, min_interval
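Review bot: "Snort 3 will not enforce an upper bound on memcaps and the like within 64 bits" removes a guard, and together with the earlier "no upper bounds on memcaps" it needs a caution that a mistyped memcap (one extra zero) is now accepted and can exhaust the host; say that the operator owns the limit. Also "stream5_tcp: prune_log_max deleted; to be replaced with histogram" reads as a TODO rather than a release note, and the "[[ and ]] must be [ [ and ] ]" bullet should say why (Lua treats [[ as the start of a long string), which is also why it only bites outside quoted strings.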
-15.6. Developers Guide
+15.4. Rules
--------------
-Run doc/dev_guide.sh to generate /tmp/dev_guide.html, an annotated
-guide to the source tree.
+ * all rules must have a sid
+ * deleted activate / dynamic rules
+ * deleted metadata engine shared
+ * deleted metadata: rule-flushing (with PDU flushing rule flushing
+ can cause missed attacks, the opposite of its intent)
+ * deleted unused rule_state.action
+ * fastpattern_offset, fast_pattern_length
+ * no ; separated content suboptions
+ * offset, depth, distance, and within must use a space separator
+ not colon (e.g. offset:5; becomes offset 5;)
+ * rule option sequence: <stub> soid <hidden>
+ * sid == 0 not allowed
+ * soid is now a non-metadata option
+ * content suboptions http_* are now full options and should be
+ place before content
+ * the following pcre options have been deleted: use sticky buffers
+ instead B, U, P, H, M, C, I, D, K, S, Y
+ * deleted uricontent ips rule option. uricontent:"foo" -→ http_uri;
+ content:"foo"
+ * deleted urilen raw and norm; must use http_raw_uri and http_uri
+ instead
+ * deleted unused http_encode option
+ * urilen replaced with generic bufferlen which applies to current
+ sticky buffer
+ * added optional selector to http_header, e.g.
+ http_header:User-Agent;
+ * multiline rules w/o \n
+ * #begin … #end comments
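Review bot: the bullet "the following pcre options have been deleted: use sticky buffers instead B, U, P, H, M, C, I, D, K, S, Y" reads as if the letters were sticky buffer names; list the deleted flags first and then say to use sticky buffers. Also "fastpattern_offset, fast_pattern_length" has no verb (added, renamed or deleted?) and spells the two names differently, "uricontent:"foo" -→ http_uri; content:"foo"" has a garbled arrow, and "should be place before content" should read "placed". Since the removed pcre flags and uricontent change what an unconverted rule matches, the section should say whether such rules are rejected at load or accepted with different semantics.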
-15.7. Piglet Test Harness
+15.5. Output
--------------
-In order to assist with plugin development, an experimental mode
-called "piglet" mode is provided. With piglet mode, you can call
-individual methods for a specific plugin. The piglet tests are
-specified as Lua scripts. Each piglet test script defines a test for
-a specific plugin.
-
-Here is a minimal example of a piglet test script for the IPv4 Codec
-plugin:
-
-plugin =
-{
- type = "piglet",
- name = "codec::ipv4",
- use_defaults = true,
- test = function()
- local daq_header = DAQHeader.new()
- local raw_buffer = RawBuffer.new("some data")
- local codec_data = CodecData.new()
- local decode_data = DecodeData.new()
-
- return Codec.decode(
- daq_header,
- raw_buffer,
- codec_data,
- decode_data
- )
- end
-}
+ * alert_fast includes packet data by default
+ * all text mode outputs default to stdout
+ * changed default logging mode to -L none
+ * deleted layer2resets and flexresp2_*
+ * deleted log_ascii
+ * general output guideline: don’t print zero counts
+ * Snort 3 queues decoder and inspector events to the main event
+ queue before ips policy is selected; since some events may not be
+ enabled, the queue needs to be sized larger than with Snort 2
+ which used an intermediate queue for decoder events.
+ * deleted the intermediate http and ftp_telnet event queues
+ * alert_unified2 and log_unified2 have been deleted
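Review bot: the event-queue bullet says the main queue "needs to be sized larger than with Snort 2" but never names the setting or a starting value, which is exactly what a reader migrating alert volumes needs; name the event_queue option to raise. Likewise "alert_unified2 and log_unified2 have been deleted" removes the format most collectors consumed from Snort 2, and the bullet should point at the replacement output module so an operator is not left with no alert feed after migration.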
-To run snort in piglet mode, first build snort with the ENABLE_PIGLET
-option turned on (pass the flag -DENABLE_PIGLET:BOOL=ON in cmake).
-Then, run the following command:
+15.6. HTTP Profiles
-snort --script-path $test_scripts --piglet
+--------------
-(where $test_scripts is the directory containing your piglet tests).
+This section describes the changes to the Http Inspect config option
+"profile".
-The test runner will generate a check-like output, indicating the the
-results of each test script.
+Snort 2 allows users to select pre-defined HTTP server profiles using
+the config option "profile". The user can choose one of five
+predefined profiles. When defined, this option will set defaults for
+other config options within Http Inspect.
+With Snort 3, the user has the flexibility of defining and fine
+tuning custom profiles along with the five predefined profiles.
-15.8. Piglet Lua API
+Snort 2 conf
---------------
+preprocessor http_inspect_server: server default \
+ profile apache ports { 80 3128 } max_headers 200
-This section documents the API that piglet exposes to Lua. Refer to
-the piglet directory in the source tree for examples of usage.
+Snort 3 conf
-Note: Because of the differences between the Lua and C++ data model
-and type system, not all parameters map directly to the parameters of
-the underlying C\++ member functions. Every effort has been made to
-keep the mappings consist, but there are still some differences. They
-are documented below.
+http_inspect = { profile = http_profile_apache }
+http_inspect.profile.max_headers = 200
-15.8.1. Plugin Instances
+binder =
+{
+ {
+ when = { proto = 'tcp', ports = '80 3128', },
+ use = { type = 'http_inspect' },
+ },
+}
-For each test, piglet instantiates plugin specified in the name field
-of the plugin table. The virtual methods of the instance are exposed
-in a table unique to each plugin type. The name of the table is the
-CamelCase name of the plugin type.
+Note
-For example, codec plugins have a virtual method called decode. This
-method is called like this:
+The "profile" option now that points to a table "http_profile_apache"
+which is defined in "snort_defaults.lua" (as follows).
-Codec.decode(...)
+http_profile_apache =
+{
+ profile_type = 'apache',
+ server_flow_depth = 300,
+ client_flow_depth = 300,
+ post_depth = -1,
+ chunk_length = 500000,
+ ascii = true,
+ multi_slash = true,
+ directory = true,
+ webroot = true,
+ utf_8 = true,
+ apache_whitespace = true,
+ non_strict = true,
+ normalize_utf = true,
+ normalize_javascript = false,
+ max_header_length = 0,
+ max_headers = 0,
+ max_spaces = 200,
+ max_javascript_whitespaces = 200,
+ whitespace_chars ='0x9 0xb 0xc 0xd'
+}
-Codec
+Note
- * Codec.get_data_link_type() → { int, int, … }
- * Codec.get_protocol_ids() → { int, int, … }
- * Codec.decode(DAQHeader, RawBuffer, CodecData, DecodeData) → bool
- * Codec.log(RawBuffer, uint[lyr_len])
- * Codec.encode(RawBuffer, EncState, Buffer) → bool
- * Codec.update(uint[flags_hi], uint[flags_lo], RawBuffer, uint
- [lyr_len] → int
- * Codec.format(bool[reverse], RawBuffer, DecodeData)
+The config option "max_headers" is set to 0 in the profile, but
+overwritten by "http_inspect.profile.max_headers = 200".
-Differences:
+Conversion
- * In Codec.update(), the (uint64_t) flags parameter has been split
- into flags_hi and flags_lo
+snort2lua can convert the existing snort.conf with the "profile"
+option to Snort 3 compatible "profile". Please refer to the snort2Lua
+post for more details.
-Inspector
+Examples
- * Inspector.configure()
- * Inspector.tinit()
- * Inspector.tterm()
- * Inspector.likes(Packet)
- * Inspector.eval(Packet)
- * Inspector.clear(Packet)
- * Inspector.get_buf_from_key(string[key], Packet, RawBuffer) → bool
- * Inspector.get_buf_from_id(uint[id], Packet, RawBuffer) → bool
- * Inspector.get_buf_from_type(uint[type], Packet, RawBuffer) → bool
- * Inspector.get_splitter(bool[to_server]) → StreamSplitter
+"profile all" ==> "profile = http_profile_default"
+"profile apache" ==> "profile = http_profile_apache"
+"profile iis" ==> "profile = http_profile_iis"
+"profile iis_40" ==> "profile = http_profile_iis_40"
+"profile iis_50" ==> "profile = http_profile_iis_50"
-Differences: * In Inspector.configure(), the SnortConfig* parameter
-is passed implicitly. * the overloaded get_buf() member function has
-been split into three separate methods.
+Defining custom profiles
-IpsOption
+The complete set of Http Inspect config options that a custom profile
+can configure can be found by running the following command:
- * IpsOption.hash() → int
- * IpsOption.is_relative() → bool
- * IpsOption.fp_research() → bool
- * IpsOption.get_cursor_type() → int
- * IpsOption.eval(Cursor, Packet) → int
- * IpsOption.action(Packet)
+snort --help-config http_inspect | grep http_inspect.profile
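Review bot: the profile table shown (http_profile_apache with server_flow_depth, normalize_javascript, whitespace_chars and so on) and the "http_inspect.profile.max_headers = 200" override belong to one of the two http_inspect configurations that snort2lua's "--ohi Use Old Http Inspect format" option distinguishes; this section should say which one it applies to so readers do not feed these keys to the other. Also "Please refer to the snort2Lua post" points at a blog post from inside the manual; refer to the Snort2Lua section below instead. Minor: the two "Note" paragraphs have been reduced to bare "Note" lines.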
-IpsAction
- * IpsAction.exec(Packet)
+---------------------------------------------------------------------
-Logger
+16. Snort2Lua
- * Logger.open()
- * Logger.close()
- * Logger.reset()
- * Logger.alert(Packet, string[message], Event)
- * Logger.log(Packet, string[message], Event)
+---------------------------------------------------------------------
-SearchEngine
+One of the major differences between Snort 2 and Snort 3 is the
+configuration. Snort 2 configuration files are written in
+Snort-specific syntax while Snort 3 configuration files are written
+in Lua. Snort2Lua is a program specifically designed to convert Snort
+2 configuration files into Lua files that Snort 3 can understand.
-Currently, SearchEngine does not expose any methods.
+Snort2Lua reads your legacy Snort conf file(s) and generates Snort 3
+Lua and rules files. When running this program, the only mandatory
+option is to provide Snort2Lua with a Snort 2 configuration file. The
+default output file file is snort.lua, the default error file will be
+snort.rej, and the default rule file is the output file (default is
+snort.lua). When Snort2Lua finishes running, the resulting
+configuration file can be successfully run as the Snort3.0
+configuration file. The sole exception to this rule is when Snort2Lua
+cannot find an included file. If that occurs, the file will still be
+included in the output file and you will need to manually adjust or
+comment the file name. Additionally, if the exit code is not zero,
+some of the information may not be successfully converted. Check the
+error file for all of the conversion problems.
-SoRule
+Those errors can occur for a multitude of reasons and are not
+necessarily bad. For instance, Snort2Lua will only convert
+preprocessors that are currently supported. Therefore, any
+unsupported preprocessors or configuration options including DCERP,
+SIP, and SMTP, will cause an error in Snort2Lua since Snort 3 does
+not support those preprocessors. Additionally, any rule options
+associated with those preprocessors are also not supported. Finally,
+Snort2Lua expects a valid Snort 2 configuration. Therefore, if the
+configuration is invalid or has questionable syntax, Snort2Lua may
+fail to parse the configuration file or create an invalid Snort 3
+configuration file.
-Currently, SoRule does not expose any methods.
+There are a also few peculiarities of Snort2Lua that may be confusing
+to a first time user. Specifically, aside from an initial
+configuration file (which is specified from the command line or as
+the file in ‘config binding’), every file that is included into Snort
+3 must be either a Lua file or a rule file; the file cannot contain
+both rules and Lua syntax. Therefore, when parsing a file specified
+with the ‘include’ command, Snort2Lua will output both a Lua file and
+a rule file. Additionally, any line that is a comment in a
+configuration file will be added in to a comments section at the
+bottom of the main configuration file. Finally, rules that contain
+unsupported options will be converted to the best of Snort2Lua’s
+capability and then printed as a comment in the rule file.
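Review bot: "DCERP" should be DCERPC, and "The default output file file", "Snort3.0 configuration file" (elsewhere "Snort 3") and "There are a also few peculiarities" need cleanup. The substantive gap is that these paragraphs describe three ways the converted output silently covers less than the input (unsupported preprocessors such as DCERPC, SIP and SMTP reported to snort.rej, included files that were not found left in place, and rules with unsupported options emitted as comments in the rule file) but never tell the reader to review snort.rej and the commented-out rules before deploying; add that, and since the Lua conf is live code the generated file should be read before it is run.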
-15.8.1.1. Interface Objects
-Many of the plugins take C++ classes and structs as arguments. These
-objects are exposed to the Lua API as Lua userdata. Exposed objects
-are instantiated by calling the new method from each object’s method
-table.
+16.1. Snort2Lua Command Line
-For example, the DecodeData object can be instantiated and exposed to
-Lua like this:
+--------------
-local decode_data = DecodeData.new(...)
+By default, Snort2Lua will attempt to parse every ‘include’ file and
+every ‘binding’ file. There is an option to change this
+functionality.
-Each object also exposes useful methods for getting and setting
-member variables, and calling the C++ methods contained in the the
-object. These methods can be accessed using the : accessor syntax:
+When specifying a rule file with one of the command line options,
+Snort2Lua will output all of the converted rules to that specified
+rule file. This is especially useful when you are only interesting in
+converting rules since there is no Lua syntax in rule files. There is
+also an option that tells Snort2Lua to output every rule for a given
+configuration into a single rule file. Similarly, there is an option
+pull all of the Lua syntax from every ‘include’ file into the output
+file.
-decode_data:set({ sp = 80, dp = 3500 })
+There are currently three output modes: default, quiet, and
+differences. As expected, quiet mode produces a Snort configuration.
+All errors (aside from Fatal Snort2Lua errors), differences, and
+comments will omitted from the final output file. Default mode will
+print everything. That mean you will be able to see exactly what
+changes have occurred between Snort 2 and Snort 3 in addition to the
+new syntax, the original file’s comments, and all errors that have
+occurred. Finally, differences mode will not actually output a valid
+Snort 3 configuration. Instead, you can see the exact options from
+the input configuration that have changed.
+
+16.1.1. Usage: snort2lua [OPTIONS]… -c <snort_conf> …
-Since this is just syntactic sugar for passing the object as the
-first parameter of the function DecodeData.set, an equivalent form
-is:
+Converts the Snort configuration file specified by the -c or
+--conf-file options into a Snort++ configuration file
-decode_data.set(decode_data, { sp = 80, dp = 3500 })
+16.1.1.1. Options:
-or even:
+ * -? show usage
+ * -h this overview of snort2lua
+ * -a default option. print all data
+ * -c <snort_conf> The Snort <snort_conf> file to convert
+ * -d print the differences, and only the differences, between the
+ Snort and Snort++ configurations to the <out_file>
+ * -e <error_file> output all errors to <error_file>
+ * -i if <snort_conf> file contains any <include_file> or
+ <policy_file> (i.e. include path/to/conf/other_conf), do NOT
+ parse those files
+ * -m add a remark to the end of every converted rule
+ * -o <out_file> output the new Snort++ lua configuration to
+ <out_file>
+ * -q quiet mode. Only output valid confiration information to the
+ <out_file>
+ * -r <rule_file> output any converted rule to <rule_file>
+ * -s when parsing <include_file>, write <include_file>'s rules to
+ <rule_file>. Meaningles if -i provided
+ * -t when parsing <include_file>, write <include_file>'s
+ information, excluding rules, to <out_file>. Meaningles if -i
+ provided
+ * -V Print the current Snort2Lua version
+ * --conf-file Same as -c. A Snort <snort_conf> file which will be
+ converted
+ * --dont-parse-includes Same as -p. if <snort_conf> file contains
+ any <include_file> or <policy_file> (i.e. include path/to/conf/
+ other_conf), do NOT parse those files
+ * --error-file=<error_file> Same as -e. output all errors to
+ <error_file>
+ * --help Same as -h. this overview of snort2lua
+ * --markup print help in asciidoc compatible format
+ * --ohi Use Old Http Inspect format
+ * --output-file=<out_file> Same as -o. output the new Snort++ lua
+ configuration to <out_file>
+ * --print-all Same as -a. default option. print all data
+ * --print-differences Same as -d. output the differences, and only
+ the differences, between the Snort and Snort++ configurations to
+ the <out_file>
+ * --quiet Same as -q. quiet mode. Only output valid confiration
+ information to the <out_file>
+ * --remark same as -m. add a remark to the end of every converted
+ rule
+ * --rule-file=<rule_file> Same as -r. output any converted rule to
+ <rule_file>
+ * --single-conf-file Same as -t. when parsing <include_file>, write
+ <include_file>'s information, excluding rules, to <out_file>
+ * --single-rule-file Same as -s. when parsing <include_file>, write
+ <include_file>'s rules to <rule_file>.
+ * --version Same as -V. Print the current Snort2Lua version
-DecodeData.set(decode_data, { sp = 80, dp = 3500 })
+16.1.1.2. Required option:
-Buffer
+ * A Snort configuration file to convert. Set with either -c or
+ --conf-file
- * Buffer.new(string[data]) → Buffer
- * Buffer.new(uint[length]) → Buffer
- * Buffer.new(RawBuffer) → Buffer
- * Buffer:allocate(uint[length]) → bool
- * Buffer:clear()
+16.1.1.3. Default values:
-CodecData
+ * <out_file> = snort.lua
+ * <rule_file> = <out_file> = snort.lua. Rules are written to the
+ local_rules variable in the <out_file>
+ * <error_file> = snort.rej. This file will not be created in quiet
+ mode.
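Review bot: quiet mode (-q) leaves no record of what was dropped. The mode description says errors, differences and comments are omitted from the output file, and the default values list says snort.rej "will not be created in quiet mode", so the only trace of a rule that failed to convert (and, per the opening paragraph, was written out as a comment, i.e. disabled) is the error count printed on the console. Suggest stating here that the first conversion of a production configuration should be run in default mode and the reject count checked before -q is used. Also, "--dont-parse-includes" is described as "Same as -p" while the short option listed for it is -i; one of the two is wrong. Typos in the list: "confiration" (twice) and "Meaningles" (twice); in the prose above, "interesting in converting" should read "interested", "will omitted" should read "will be omitted", and "That mean" should read "That means".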
- * CodecData.new() → CodecData
- * CodecData.new(uint[next_prot_id]) → CodecData
- * CodecData.new(fields) → CodecData
- * CodecData:get() → fields
- * CodecData:set(fields)
-fields is a table with the following contents:
+16.2. Known Problems
- * next_prot_id
- * lyr_len
- * invalid_bytes
- * proto_bits
- * codec_flags
- * ip_layer_cnt
- * ip6_extension_count
- * curr_ip6_extension
- * ip6_csum_proto
+--------------
-Cursor
+ * Any Snort 2 ‘string’ which is dependent on a variable will no
+ longer have that variable in the Lua string.
+ * Snort2Lua currently does not handle variables well. First, that
+ means variables will not always be parsed correctly. Second,
+ sometimes a variables value will be outoput in the lua file
+ rather than a variable For instance, if Snort2Lua attempted to
+ convert the line include $RULE_PATH/example.rule, the output may
+ ouput include /etc/rules/example.rule instead.
+ * When Snort2Lua parses a ‘binding’ configuration file, the rules
+ and configuration will automatically be combined into the same
+ file. Also, the new files name will automatically become the old
+ file’s name with a .lua extension. There is currently no way to
+ specify or change that files name.
+ * If a rule’s action is a custom ruletype, that rule action will be
+ silently converted to the rultype’s type. No warnings or errors
+ are currently emmitted. Additionally, the custom ruletypes
+ outputs will be silently discarded.
+ * If the original configuration contains a binding that points to
+ another file and the binding file contains an error, Snort2Lua
+ will output the number of rejects for the binding file in
+ addition to the number of rejects in the main file. The two
+ numbers will eventually be combined into one output.
- * Cursor.new() → Cursor
- * Cursor.new(Packet) → Cursor
- * Cursor.new(string[data]) → Cursor
- * Cursor.new(RawBuffer) → Cursor
- * Cursor:reset()
- * Cursor:reset(Packet)
- * Cursor:reset(string[data])
- * Cursor:reset(RawBuffer)
-DAQHeader
+16.3. Usage
- * DAQHeader.new() → DAQHeader
- * DAQHeader.new(fields) → DAQHeader
- * DAQHeader:get() → fields
- * DAQHeader:set(fields)
+--------------
-fields is a table with the following contents:
+Snort2Lua is included in the Snort 3 distribution. The Snort2Lua
+source code is located in the tools/snort2lua directory. The program
+is automatically built and installed.
- * caplen
- * pktlen
- * ingress_index
- * egress_index
- * ingress_group
- * egress_group
- * flags
- * opaque
+Translating your configuration
-DecodeData
+To run Snort2Lua, the only requirement is a file containing Snort 2
+syntax. Assuming your configuration file is named snort.conf, run the
+command
- * DecodeData.new() → DecodeData
- * DecodeData.new(fields) → DecodeData
- * DecodeData:reset()
- * DecodeData:get() → fields
- * DecodeData:set(fields)
- * DecodeData:set_ipv4_hdr(RawBuffer, uint[offset])
+snort2lua –c snort.conf
-fields is a table with the following contents:
+Snort2Lua will output a file named snort.lua. Assuming your
+snort.conf file is a valid Snort 2 configuration file, than the
+resulting snort.lua file will always be a valid Snort 3 configuration
+file; any errors that occur are because Snort 3 currently does not
+support all of the Snort 2 options.
- * sp
- * dp
- * decode_flags
- * type
+Every keyword from the Snort configuration can be found in the output
+file. If the option or keyword has changed, then a comment containing
+both the option or keyword’s old name and new name will be present in
+the output file.
-EncState
+Translating a rule file
- * EncState.new() → EncState
- * EncState.new(uint[flags_lo]) → EncState
- * EncState.new(uint[flags_lo], uint[flags_hi]) → EncState
- * EncState.new(uint[flags_lo], uint[flags_hi], uint[next_proto]) →
- EncState
- * EncState.new(uint[flags_lo], uint[flags_hi], uint[next_proto],
- uint[ttl]) → EncState
- * EncState.new(uint[flags_lo], uint[flags_hi], uint[next_proto],
- uint[ttl], uint[dsize]) → EncState
+Snort2Lua can also accommodate translating individual rule files.
+Assuming the Snort 2 rule file is named snort.rules and you want the
+new rule file to be name updated.rules, run the command
-Event
+snort2lua –c snort.rules -r updated.rules
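Review bot: both command examples use an en dash instead of a hyphen-minus ("snort2lua –c snort.conf" and "snort2lua –c snort.rules -r updated.rules"); copied as-is they will not be recognised as the -c option. Replace with a plain "-c". Also "than the resulting snort.lua file" should be "then", and "you want the new rule file to be name updated.rules" should be "named".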
- * Event.new() → Event
- * Event.new(fields) → Event
- * Event:get() → fields
- * Event:set(fields)
+Snort2Lua will output a file named updated.rules. That file,
+updated.rules, will always be a valid Snort 3 rule file. Any rule
+that contains unsupported options will be a comment in the output
+file.
-fields is a table with the following contents:
+Understanding the Output
- * event_id
- * event_reference
- * sig_info
+Although Snort2Lua outputs very little to the console, there are
+several things that occur when Snort2Lua runs. This is a list of
+Snort2Lua outputs.
- + generator
- + id
- + rev
- + class_id
- + priority
- + text_rule
- + num_services
+The console. Every line that Snort2Lua is unable to translate from
+the Snort 2.X format to the Snort 3 format is considered an error.
+Upon exiting, Snort2Lua will print the number of errors that
+occurred. Snort2Lua will also print the name of the error file.
-Flow
+The output file. As previously mentioned, Snort2Lua will create a Lua
+file with valid Snort 3 syntax. The default Lua file is named
+snort.lua. This file is the equivalent of your main Snort 2
+configuration file.
- * Flow.new() → Flow
- * Flow:reset()
+The rule file. By default, all rules will be printed to the Lua file.
+However, if a rule file is specified on the command line, any rules
+found in the Snort 2 configuration will be written to the rule file
+instead
-Packet
+The error file. By default, the error file is snort.rej. It will only
+be created if errors exist. Every error referenced on the command
+line can be found in this file. There are two reasons an error can
+occur.
- * Packet.new() → Packet
- * Packet.new(string[data]) → Packet
- * Packet.new(uint[size]) → Packet
- * Packet.new(fields) → Packet
- * Packet.new(RawBuffer) → Packet
- * Packet.new(DAQHeader) → Packet
- * Packet:set_decode_data(DecodeData)
- * Packet:set_data(uint[offset], uint[length])
- * Packet:set_flow(Flow)
- * Packet:get() → fields
- * Packet:set()
- * Packet:set(string[data])
- * Packet:set(uint[size])
- * Packet:set(fields)
- * Packet:set(RawBuffer)
- * Packet:set(DAQHeader)
+ * The Snort 2 configuration file has invalid syntax. If Snort 2
+ cannot parse the configuration file, neither can Snort2Lua. In
+ the example below, Snort2Lua could not convert the line config
+ bad_option. Since that is not valid Snort 2 syntax, this is a
+ syntax error.
+ * The Snort 2 configuration file contains preprocessors and rule
+ options that are not supported in Snort 3. If Snort 2 can parse a
+ line that Snort2Lua cannot parse, than Snort 3 does not support
+ something in the line. As Snort 3 begins supporting these
+ preprocessors and rule options, Snort2Lua will also begin
+ translating these lines. One example of such an error is dcerpc2.
-fields is a table with the following contents:
+Additional .lua and .rules files. Every time Snort2Lua parses the
+include or binding keyword, the program will attempt to parse the
+file referenced by the keyword. Snort2Lua will then create one or two
+new files. The new files will have a .lua or .rules extension
+appended to the original filename.
- * packet_flags
- * xtradata_mask
- * proto_bits
- * application_protocol_ordinal
- * alt_dsize
- * num_layers
- * iplist_id
- * user_policy_id
- * ps_proto
-Note: Packet.new() and Packet:set() accept multiple arguments of the
-types described above in any order
+---------------------------------------------------------------------
-RawBuffer
+17. Extending Snort
- * RawBuffer.new() → RawBuffer
- * RawBuffer.new(uint[size]) → RawBuffer
- * RawBuffer.new(string[data]) → RawBuffer
- * RawBuffer:size() → int
- * RawBuffer:resize(uint[size])
- * RawBuffer:write(string[data])
- * RawBuffer:write(string[data], uint[size])
- * RawBuffer:read() → string
- * RawBuffer:read(uint[end]) → string
- * RawBuffer:read(uint[start], uint[end]) → string
+---------------------------------------------------------------------
-Note: calling RawBuffer.new() with no arguments returns a RawBuffer
-of size 0
-StreamSplitter
+17.1. Plugins
- * StreamSplitter:scan(Flow, RawBuffer) → int, int
- * StreamSplitter:scan(Flow, RawBuffer, uint[len]) → int, int
- * StreamSplitter:scan(Flow, RawBuffer, uint[len], uint[flags]) →
- int, int
- * StreamSplitter:reassemble(Flow, uint[total], uint[offset],
- RawBuffer) → int, RawBuffer
- * StreamSplitter:reassemble(Flow, uint[total], uint[offset],
- RawBuffer, uint[len]) → int, RawBuffer
- * StreamSplitter:reassemble(Flow, uint[total], uint[offset],
- RawBuffer, uint[len], uint[flags]) → int, RawBuffer
- * StreamSplitter:finish(Flow) → bool
+--------------
-Note: StreamSplitter does not have a new() method, it must be created
-by an inspector via Inspector.get_splitter()
+Plugins have an associated API defined for each type, all of which
+share a common header, called the BaseApi. A dynamic library makes
+its plugins available by exporting the snort_plugins symbol, which is
+a null terminated array of BaseApi pointers.
+The BaseApi includes type, name, API version, plugin version, and
+function pointers for constructing and destructing a Module. The
+specific API add various other data and functions for their given
+roles.
----------------------------------------------------------------------
-16. Coding Style
+17.2. Modules
----------------------------------------------------------------------
+--------------
-All new code should try to follow these style guidelines. These are
-not yet firm so feedback is welcome to get something we can live
-with.
+If we are defining a new Inspector called, say, gadget, it might be
+configured in snort.lua like this:
+gadget =
+{
+ brain = true,
+ claw = 3
+}
-16.1. General
+When the gadget table is processed, Snort will look for a module
+called gadget. If that Module has an associated API, it will be used
+to configure a new instance of the plugin. In this case, a
+GadgetModule would be instantiated, brain and claw would be set, and
+the Module instance would be passed to the GadgetInspector
+constructor.
---------------
+Module has three key virtual methods:
- * Generally try to follow http://google-styleguide.googlecode.com/
- svn/trunk/cppguide.xml, but there are some differences documented
- here.
- * Each source directory should have a dev_notes.txt file
- summarizing the key points and design decisions for the code in
- that directory. These are built into the developers guide.
- * Makefile.am and CMakeLists.txt should have the same files listed
- in alpha order. This makes it easier to maintain both build
- systems.
- * All new code must come with unit tests providing 95% coverage or
- better.
- * Generally, Catch is preferred for tests in the source file and
- CppUTest is preferred for test executables in a test
- subdirectory.
+ * begin() - called when Snort starts processing the associated Lua
+ table. This is a good place to allocate any required data and set
+ defaults.
+ * set() - called to set each parameter after validation.
+ * end() - called when Snort finishes processing the associated Lua
+ table. This is where additional integrity checks of related
+ parameters should be done.
+
+The configured Module is passed to the plugin constructor which pulls
+the configuration data from the Module. For non-trivial
+configurations, the working paradigm is that Module hands a pointer
+to the configured data to the plugin instance which takes ownership.
+
+Note that there is at most one instance of a given Module, even if
+multiple plugin instances are created which use that Module.
+(Multiple instances require Snort binding configuration.)
-16.2. C++ Specific
+17.3. Inspectors
--------------
- * Do not use exceptions. Exception-safe code is non-trivial and we
- have ported legacy code that makes use of exceptions unwise.
- There are a few exceptions to this rule for the memory manager,
- shell, etc. Other code should handle errors as errors.
- * Do not use dynamic_cast or RTTI. Although compilers are getting
- better all the time, there is a time and space cost to this that
- is easily avoided.
- * Use smart pointers judiciously as they aren’t free. If you would
- have to roll your own, then use a smart pointer. If you just need
- a dtor to delete something, write the dtor.
- * Prefer and over && and or over || for new source files.
- * Use nullptr instead of NULL.
- * Use new, delete, and their [] counterparts instead of malloc and
- free except where realloc must be used. But try not to use
- realloc. New and delete can’t return nullptr so no need to check.
- And Snort’s memory manager will ensure that we live within our
- memory budget.
- * Use references in lieu of pointers wherever possible.
- * Use the order public, protected, private top to bottom in a class
- declaration.
- * Keep inline functions in a class declaration very brief,
- preferably just one line. If you need a more complex inline
- function, move the definition below the class declaration.
- * The goal is to have highly readable class declarations. The user
- shouldn’t have to sift through implementation details to see what
- is available to the client.
- * Any using statements in source files should be added only after
- all includes have been declared.
+There are several types of inspector, which determines which
+inspectors are executed when:
+
+ * IT_BINDER - determines which inspectors apply to given flows
+ * IT_WIZARD - determines which service inspector to use if none
+ explicitly bound
+ * IT_PACKET - used to process all packets before session and
+ service processing (e.g. normalize)
+ * IT_NETWORK - processes packets w/o service (e.g. arp_spoof,
+ back_orifice)
+ * IT_STREAM - for flow tracking, ip defrag, and tcp reassembly
+ * IT_SERVICE - for http, ftp, telnet, etc.
+ * IT_PROBE - process all packets after all the above (e.g.
+ perf_monitor, port_scan)
-16.3. Naming
+17.4. Codecs
--------------
- * Use camel case for namespaces, classes, and types like
- WhizBangPdfChecker.
- * Use lower case identifiers with underscore separators, e.g.
- some_function() and my_var.
- * Do not start or end variable names with an underscore. This has a
- good chance of conflicting with macro and/or system definitions.
- * Use lower case filenames with underscores.
+The Snort Codecs decipher raw packets. These Codecs are now
+completely pluggable; almost every Snort Codec can be built
+dynamically and replaced with an alternative, customized Codec. The
+pluggable nature has also made it easier to build new Codecs for
+protocols without having to touch the Snort code base.
+The first step in creating a Codec is defining its class and
+protocol. Every Codec must inherit from the Snort Codec class defined
+in "framework/codec.h". The following is an example Codec named
+"example" and has an associated struct that is 14 bytes long.
-16.4. Comments
+#include <cstdint>
+#include <arpa/inet.h>
+#include “framework/codec.h”
+#include "main/snort_types.h"
---------------
+#define EX_NAME “example”
+#define EX_HELP “example codec help string”
- * Write comments sparingly with a mind towards future proofing.
- Often the comments can be obviated with better code. Clear code
- is better than a comment.
- * Heed Tim Ottinger’s Rule on Comments (https://disqus.com/by/
- tim_ottinger/):
+struct Example
+{
+ uint8_t dst[6];
+ uint8_t src[6];
+ uint16_t ethertype;
- 1. Comments should only say what the code is incapable of
- saying.
- 2. Comments that repeat (or pre-state) what the code is doing
- must be removed.
- 3. If the code CAN say what the comment is saying, it must be
- changed at least until rule #2 is in force.
- * Function comment blocks are generally just noise that quickly
- becomes obsolete. If you absolutely must comment on parameters,
- put each on a separate line along with the comment. That way
- changing the signature may prompt a change to the comments too.
- * Use FIXIT (not FIXTHIS or TODO or whatever) to mark things left
- for a day or even just a minute. That way we can find them easily
- and won’t lose track of them.
- * Presently using FIXIT-X where X = A | W | P | H | M | L,
- indicating analysis, warning, perf, high, med, or low priority.
- Place A and W comments on the exact warning line so we can match
- up comments and build output. Supporting comments can be added
- above.
- * Put the copyright(s) and license in a comment block at the top of
- each source file (.h and .cc). Don’t bother with trivial scripts
- and make foo. Some interesting Lua code should get a comment
- block too. Copy and paste exactly from src/main.h (don’t
- reformat).
- * Put author, description, etc. in separate comment(s) following
- the license. Do not put such comments in the middle of the
- license foo. Be sure to put the author line ahead of the header
- guard to exclude them from the developers guide. Use the
- following format, and include a mention to the original author if
- this is derived work:
+ static inline uint8_t size()
+ { return 14; }
+}
- // ips_dnp3_obj.cc author Maya Dagon <mdagon@cisco.com>
- // based on work by Ryan Jordan
+class ExCodec : public Codec
+{
+public:
+ ExCodec() : Codec(EX_NAME) { }
+ ~ExCodec() { }
- * Each header should have a comment immediately after the header
- guard to give an overview of the file so the reader knows what’s
- going on.
+ bool decode(const RawData&, CodecData&, DecodeData&) override;
+ void get_protocol_ids(std::vector<uint16_t>&) override;
+};
+After defining ExCodec, the next step is adding the Codec’s decode
+functionality. The function below does this by implementing a valid
+decode function. The first parameter, which is the RawData struct,
+provides both a pointer to the raw data that has come from a wire and
+the length of that raw data. The function takes this information and
+validates that there are enough bytes for this protocol. If the raw
+data’s length is less than 14 bytes, the function returns false and
+Snort discards the packet; the packet is neither inspected nor
+processed. If the length is greater than 14 bytes, the function
+populates two fields in the CodecData struct, next_prot_id and
+lyr_len. The lyr_len field tells Snort the number of bytes that this
+layer contains. The next_prot_id field provides Snort the value of
+the next EtherType or IP protocol number.
-16.5. Logging
+bool ExCodec::decode(const RawData& raw, CodecData& codec, DecodeData&)
+{
+ if ( raw.len < Example::size() )
+ return false;
---------------
+ const Example* const ex = reinterpret_cast<const Example*>(raw.data);
+ codec.next_prot_id = ntohs(ex->ethertype);
+ codec.lyr_len = ex->size();
+ return true;
+}
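Review bot: the codec example in this region does not compile as shown: '#include “framework/codec.h”' and the EX_NAME/EX_HELP defines use typographic quotes instead of ASCII double quotes, and the closing brace of struct Example has no terminating semicolon. The class declaration also uses std::vector with no visible '#include <vector>' (acceptable only if framework/codec.h provides it; say so or add the include). On the decode function, the line 'if ( raw.len < Example::size() ) return false;' is the one that matters: it is what keeps the reinterpret_cast from reading past the end of a short packet, and the prose should present it as mandatory for any codec rather than incidental. The prose is also slightly off: the check accepts a packet of exactly 14 bytes, so "If the length is greater than 14 bytes" should read "at least 14 bytes".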
- * Messages intended for the user should not look like debug
- messages. Eg, the function name should not be included. It is
- generally unhelpful to include pointers.
- * Most debug messages should just be deleted.
- * Don’t bang your error messages (no !). The user feels bad enough
- about the problem already w/o you shouting at him.
+For instance, assume this decode function receives the following raw
+data with a validated length of 32 bytes:
+00 11 22 33 44 55 66 77 88 99 aa bb 08 00 45 00
+00 38 00 01 00 00 40 06 5c ac 0a 01 02 03 0a 09
-16.6. Types
+The Example struct’s EtherType field is the 13 and 14 bytes.
+Therefore, this function tells Snort that the next protocol has an
+EtherType of 0x0800. Additionally, since the lyr_len is set to 14,
+Snort knows that the next protocol begins 14 bytes after the
+beginning of this protocol. The Codec with EtherType 0x0800, which
+happens to be the IPv4 Codec, will receive the following data with a
+validated length of 18 ( == 32 – 14):
---------------
+45 00 00 38 00 01 00 00 40 06 5c ac 0a 01 02 03
+0a 09
- * Use logical types to make the code clearer and to help the
- compiler catch problems. typedef uint16_t Port; bool foo(Port) is
- way better than int foo(int port).
- * Use forward declarations (e.g. struct SnortConfig;) instead of
- void*.
- * Try not to use extern data unless absolutely necessary and then
- put the extern in an appropriate header. Exceptions for things
- used in exactly one place like BaseApi pointers.
- * Use const liberally. In most cases, const char* s = "foo" should
- be const char* const s = "foo". The former goes in the
- initialized data section and the latter in read only data
- section.
- * But use const char s[] = "foo" instead of const char* s = "foo"
- when possible. The latter form allocates a pointer variable and
- the data while the former allocates only the data.
- * Use static wherever possible to minimize public symbols and
- eliminate unneeded relocations.
- * Declare functions virtual only in the parent class introducing
- the function (not in a derived class that is overriding the
- function). This makes it clear which class introduces the
- function.
- * Declare functions as override if they are intended to override a
- function. This makes it possible to find derived implementations
- that didn’t get updated and therefore won’t get called due a
- change in the parent signature.
- * Use bool functions instead of int unless there is truly a need
- for multiple error returns. The C-style use of zero for success
- and -1 for error is less readable and often leads to messy code
- that either ignores the various errors anyway or needlessly and
- ineffectively tries to do something aobut them. Generally that
- code is not updated if new errors are added.
+How does Snort know that the IPv4 Codec has an EtherType of 0x0800?
+The Codec class has a second virtual function named get_protocol_ids
+(). When implementing the function, a Codec can register for any
+number of values between 0x0000 - 0xFFFF. Then, if the next_proto_id
+is set to a value for which this Codec has registered, this Codec’s
+decode function will be called. As a general note, the protocol ids
+between [0, 0x00FF] are IP protocol numbers, [0x0100, 0x05FF] are
+custom types, and [0x0600, 0xFFFF] are EtherTypes.
+
+For example, in the get_protocol_ids function below, the ExCodec
+registers for the protocols numbers 17, 787, and 2054. 17 happens to
+be the protocol number for UDP while 2054 is ARP’s EtherType.
+Therefore, this Codec will now attempt to decode UDP and ARP data.
+Additionally, if any Codec sets the next_protocol_id to 787,
+ExCodec’s decode function will be called. Some custom protocols are
+already defined in the file "protocols/protocol_ids.h"
+
+void ExCodec::get_protocol_ids(std::vector<uint16_t>&v)
+{
+ v.push_back(0x0011); // == 17 == UDP
+ v.push_back(0x1313); // == 787 == custom
+ v.push_back(0x0806); // == 2054 == ARP
+}
+To register a Codec for Data Link Type’s rather than protocols, the
+function get_data_link_type() can be similarly implemented.
-16.7. Macros (aka defines)
+The final step to creating a pluggable Codec is the snort_plugins
+array. This array is important because when Snort loads a dynamic
+library, the program only find plugins that are inside the
+snort_plugins array. In other words, if a plugin has not been added
+to the snort_plugins array, that plugin will not be loaded into
+Snort.
---------------
+Although the details will not be covered in this post, the following
+code snippet is a basic CodecApi that Snort can load. This snippet
+can be copied and used with only three minor changes. First, in the
+function ctor, ExCodec should be replaced with the name of the Codec
+that is being built. Second, EX_NAME must match the Codec’s name or
+Snort will be unable to load this Codec. Third, EX_HELP should be
+replaced with the general description of this Codec. Once this code
+snippet has been added, ExCodec is ready to be compiled and plugged
+into Snort.
- * In many cases, even in C++, use #define name "value" instead of a
- const char* const name = "value" because it will eliminate a
- symbol from the binary.
- * Use inline functions instead of macros where possible (pretty
- much all cases except where stringification is necessary).
- Functions offer better typing, avoid re-expansions, and a
- debugger can break there.
- * All macros except simple const values should be wrapped in () and
- all args should be wrapped in () too to avoid surprises upon
- expansion. Example:
+static Codec* ctor(Module*)
+{ return new ExCodec; }
- #define SEQ_LT(a,b) ((int)((a) - (b)) < 0)
+static void dtor(Codec *cd)
+{ delete cd; }
- * Multiline macros should be blocked (i.e. inside { }) to avoid
- if-else type surprises.
+static const CodecApi ex_api =
+{
+ {
+ PT_CODEC,
+ EX_NAME,
+ EX_HELP,
+ CDAPI_PLUGIN_V0,
+ 0,
+ nullptr,
+ nullptr,
+ },
+ nullptr, // pointer to a function called during Snort's startup.
+ nullptr, // pointer to a function called during Snort's exit.
+ nullptr, // pointer to a function called during thread's startup.
+ nullptr, // pointer to a function called during thread's destruction.
+ ctor, // pointer to the codec constructor.
+ dtor, // pointer to the codec destructor.
+};
+SO_PUBLIC const BaseApi* snort_plugins[] =
+{
+ &ex_api.base,
+ nullptr
+};
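Review bot: the two unlabelled "nullptr" entries inside the nested BaseApi block are the Module constructor/destructor slots described in the Modules section ("function pointers for constructing and destructing a Module"); every CodecApi slot below them carries a comment, so give these two one as well, and state that a Codec without a Module receives nullptr in 'ctor(Module*)' so readers do not dereference it. Minor: "Although the details will not be covered in this post" should say "in this section" (this is the manual, not a blog post), "the program only find plugins" should be "finds", "Data Link Type's" should be "Data Link Types", and "needs to builds a packet" in the list below should be "build".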
-16.8. Formatting
+Two example Codecs are available in the extra directory on git and
+the extra tarball on the Snort page. One of those examples is the
+Token Ring Codec while the other example is the PIM Codec.
---------------
+As a final note, there are four more virtual functions that a Codec
+should implement: encode, format, update, and log. If the functions
+are not implemented Snort will not throw any errors. However, Snort
+may also be unable to accomplish some of its basic functionality.
- * Try to keep all source files under 2500 lines. 3000 is the max
- allowed. If you need more lines, chances are that the code needs
- to be refactored.
- * Indent 4 space chars … no tabs!
- * If you need to indent many times, something could be rewritten or
- restructured to make it clearer. Fewer indents is generally
- easier to write, easier to read, and overall better code.
- * Braces go on the line immediately following a new scope (function
- signature, if, else, loop, switch, etc.
- * Use consistent spacing and line breaks. Always indent 4 spaces
- from the breaking line. Keep lines less than 100 chars; it
- greatly helps readability.
+ * encode is called whenever Snort actively responds and needs to
+ builds a packet, i.e. whenever a rule using an IPS ACTION like
+ react, reject, or rewrite is triggered. This function is used to
+ build the response packet protocol by protocol.
+ * format is called when Snort is rebuilding a packet. For instance,
+ every time Snort reassembles a TCP stream or IP fragment, format
+ is called. Generally, this function either swaps any source and
+ destination fields in the protocol or does nothing.
+ * update is similar to format in that it is called when Snort is
+ reassembling a packet. Unlike format, this function only sets
+ length fields.
+ * log is called when either the log_codecs logger or a custom
+ logger that calls PacketManager::log_protocols is used when
+ running Snort.
- No:
- calling_a_func_with_a_long_name(arg1,
- arg2,
- arg3);
- Yes:
- calling_a_func_with_a_long_name(
- arg1, arg2, arg3);
+17.5. IPS Actions
- * Put function signature on one line, except when breaking for the
- arg list:
+--------------
- No:
- inline
- bool foo()
- { // ...
+Action plugins specify a builtin action in the API which is used to
+determine verdict. (Conversely, builtin actions don’t have an
+associated plugin function.)
- Yes:
- inline bool foo()
- { // ...
- * Put conditional code on the line following the if so it is easy
- to break on the conditional block:
+17.6. Developers Guide
- No:
- if ( test ) foo();
+--------------
- Yes:
- if ( test )
- foo();
+Run doc/dev_guide.sh to generate /tmp/dev_guide.html, an annotated
+guide to the source tree.
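Review bot: this diff removes the whole "16. Coding Style" chapter (General, C++ Specific, Naming, Comments, Logging, Types, Macros, Formatting, Headers) with no replacement in this file. If it has moved into the generated developers guide mentioned here, say so in this paragraph so contributors know where to find it; if it was dropped on purpose, that deserves its own change rather than being buried in a documentation reshuffle.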
-16.9. Headers
+17.7. Piglet Test Harness
--------------
- * Don’t hesitate to create a new header if it is needed. Don’t lump
- unrelated stuff into an header because it is convenient.
- * Write header guards like this (leading underscores are reserved
- for system stuff). In my_header.h:
+In order to assist with plugin development, an experimental mode
+called "piglet" mode is provided. With piglet mode, you can call
+individual methods for a specific plugin. The piglet tests are
+specified as Lua scripts. Each piglet test script defines a test for
+a specific plugin.
- #ifndef MY_HEADER_H
- #define MY_HEADER_H
- // ...
- #endif
+Here is a minimal example of a piglet test script for the IPv4 Codec
+plugin:
- * Includes from a different directory should specify parent
- directory. This makes it clear exactly what is included and
- avoids the primordial soup that results from using -I this -I
- that -I the_other_thing … .
+plugin =
+{
+ type = "piglet",
+ name = "codec::ipv4",
+ use_defaults = true,
+ test = function()
+ local daq_header = DAQHeader.new()
+ local raw_buffer = RawBuffer.new("some data")
+ local codec_data = CodecData.new()
+ local decode_data = DecodeData.new()
- // given:
- src/foo/foo.cc
- src/bar/bar.cc
- src/bar/baz.cc
+ return Codec.decode(
+ daq_header,
+ raw_buffer,
+ codec_data,
+ decode_data
+ )
+ end
+}
- // in baz.cc
- #include "bar.h"
+To run snort in piglet mode, first build snort with the ENABLE_PIGLET
+option turned on (pass the flag -DENABLE_PIGLET:BOOL=ON in cmake).
- // in foo.cc
- #include "bar/bar.h"
+Then, run the following command:
- * Includes within installed headers should specify parent
- directory.
- * Just because it is a #define doesn’t mean it goes in a header.
- Everything should be scoped as tightly as possible. Shared
- implementation declarations should go in a separate header from
- the interface. And so on.
- * A .cc should include its own .h before any others (including
- system headers). This ensures that the header stands on its own
- and can be used by clients without include prerequisites and the
- developer will be the first to find a dependency problem.
- * Include required headers, all required headers, and nothing but
- required headers. Don’t just clone a bunch of headers because it
- is convenient.
- * Try to keep includes in alpha order. This makes it easier to
- maintain, avoid duplicates, etc.
- * Any file depending on #ifdefs should include config.h as shown
- below. A .h should include it before any other includes, and a
- .cc should include it immediately after the include of its own
- .h.
+snort --script-path $test_scripts --piglet
- #ifdef HAVE_CONFIG_H
- #include "config.h"
- #endif
+(where $test_scripts is the directory containing your piglet tests).
- * Do not put using statements in headers unless they are tightly
- scoped.
+The test runner will generate a check-like output, indicating the the
+results of each test script.
-16.10. Warnings
+17.8. Piglet Lua API
--------------
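Review bot: "indicating the the results of each test script" in the Piglet Test Harness paragraph doubles "the". In the same block, "check-like output" is unexplained; say what "check" refers to so readers know which output format to expect, and "To run snort in piglet mode" should use the capitalised "Snort" used elsewhere in the section. The cmake flag would also read better on its own line, e.g. `cmake -DENABLE_PIGLET:BOOL=ON ...`, instead of buried in parentheses.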
- * With g++, use at least these compiler flags:
+This section documents the API that piglet exposes to Lua. Refer to
+the piglet directory in the source tree for examples of usage.
- -Wall -Wextra -pedantic -Wformat -Wformat-security
- -Wunused-but-set-variable -Wno-deprecated-declarations
- -fsanitize=address -fno-omit-frame-pointer
+Note: Because of the differences between the Lua and C++ data model
+and type system, not all parameters map directly to the parameters of
+the underlying C\++ member functions. Every effort has been made to
+keep the mappings consist, but there are still some differences. They
+are documented below.
- * With clang, use at least these compiler flags:
+17.8.1. Plugin Instances
- -Wall -Wextra -pedantic -Wformat -Wformat-security
- -Wno-deprecated-declarations
- -fsanitize=address -fno-omit-frame-pointer
+For each test, piglet instantiates plugin specified in the name field
+of the plugin table. The virtual methods of the instance are exposed
+in a table unique to each plugin type. The name of the table is the
+CamelCase name of the plugin type.
- * Then Fix All Warnings and Aborts. None Allowed.
+For example, codec plugins have a virtual method called decode. This
+method is called like this:
+Codec.decode(...)
-16.11. Uncrustify
+Codec
---------------
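Review bot: "the underlying C\++ member functions" in the Piglet Lua API note leaks the AsciiDoc escape into the rendered text and should read "C++" (the source needs the escape only where AsciiDoc would otherwise interpret the plus signs). Two more fixes in the same block: "keep the mappings consist" should be "consistent", and "piglet instantiates plugin specified in the name field" is missing "the" before "plugin".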
+ * Codec.get_data_link_type() → { int, int, … }
+ * Codec.get_protocol_ids() → { int, int, … }
+ * Codec.decode(DAQHeader, RawBuffer, CodecData, DecodeData) → bool
+ * Codec.log(RawBuffer, uint[lyr_len])
+ * Codec.encode(RawBuffer, EncState, Buffer) → bool
+ * Codec.update(uint[flags_hi], uint[flags_lo], RawBuffer, uint
+ [lyr_len] → int
+ * Codec.format(bool[reverse], RawBuffer, DecodeData)
-Currently using uncrustify from at https://github.com/bengardner/
-uncrustify to reformat legacy code and anything that happens to need
-a makeover at some point.
+Differences:
-The working config is crusty.cfg in the top level directory. It does
-well but will munge some things. Specially formatted INDENT-OFF
-comments were added in 2 places to avoid a real mess.
+ * In Codec.update(), the (uint64_t) flags parameter has been split
+ into flags_hi and flags_lo
-You can use uncrustify something like this:
+Inspector
-uncrustify -c crusty.cfg --replace file.cc
+ * Inspector.configure()
+ * Inspector.tinit()
+ * Inspector.tterm()
+ * Inspector.likes(Packet)
+ * Inspector.eval(Packet)
+ * Inspector.clear(Packet)
+ * Inspector.get_buf_from_key(string[key], Packet, RawBuffer) → bool
+ * Inspector.get_buf_from_id(uint[id], Packet, RawBuffer) → bool
+ * Inspector.get_buf_from_type(uint[type], Packet, RawBuffer) → bool
+ * Inspector.get_splitter(bool[to_server]) → StreamSplitter
+
+Differences: * In Inspector.configure(), the SnortConfig* parameter
+is passed implicitly. * the overloaded get_buf() member function has
+been split into three separate methods.
+
+IpsOption
+
+ * IpsOption.hash() → int
+ * IpsOption.is_relative() → bool
+ * IpsOption.fp_research() → bool
+ * IpsOption.get_cursor_type() → int
+ * IpsOption.eval(Cursor, Packet) → int
+ * IpsOption.action(Packet)
+IpsAction
----------------------------------------------------------------------
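Review bot: the Codec.update signature is missing its closing parenthesis: `Codec.update(uint[flags_hi], uint[flags_lo], RawBuffer, uint[lyr_len] → int` should end `uint[lyr_len]) → int`. The Inspector "Differences:" notes are also run together into one paragraph with inline " * " markers; format them as a list like the Codec "Differences:" entry so the two points (the SnortConfig* parameter to configure() is implicit, and get_buf() is split into three methods) render as separate items.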
+ * IpsAction.exec(Packet)
-17. Reference
+Logger
----------------------------------------------------------------------
+ * Logger.open()
+ * Logger.close()
+ * Logger.reset()
+ * Logger.alert(Packet, string[message], Event)
+ * Logger.log(Packet, string[message], Event)
+SearchEngine
-17.1. Terminology
+Currently, SearchEngine does not expose any methods.
---------------
+SoRule
- * basic module: a module integrated into Snort that does not come
- from a plugin.
- * binder: inspector that maps configuration to traffic
- * builtin rules: codec and inspector rules for anomalies detected
- internally.
- * codec: short for coder / decoder. These plugins are used for
- basic protocol decoding, anomaly detection, and construction of
- active responses.
- * data module: an adjunct configuration plugin for use with certain
- inspectors.
- * dynamic rules: plugin rules loaded at runtime. See SO rules.
- * fast pattern: the content in an IPS rule that must be found by
- the search engine in order for a rule to be evaluated.
- * fast pattern matcher: see search engine.
- * hex: a type of protocol magic that the wizard uses to identify
- binary protocols.
- * inspector: plugin that processes packets (similar to the legacy
- Snort preprocessor)
- * IPS: intrusion prevention system, like Snort.
- * IPS action: plugin that allows you to perform custom actions when
- events are generated. Unlike loggers, these are invoked before
- thresholding and can be used to control external agents or send
- active responses.
- * IPS option: this plugin is the building blocks of IPS rules.
- * logger: a plugin that performs output of events and packets.
- Events are thresholded before reaching loggers.
- * module: the user facing portion of a Snort component. Modules
- chiefly provide configuration parameters, but may also provide
- commands, builtin rules, profiling statistics, peg counts, etc.
- Note that not all modules are plugins and not all plugins have
- modules.
- * peg count: the number of times a given event or condition occurs.
- * plugin: one of several types of software components that can be
- loaded from a dynamic library when Snort starts up. Some plugins
- are coupled with the main engine in such a way that they must be
- built statically, but a newer version can be loaded dynamically.
- * search engine: a plugin that performs multipattern searching of
- packets and payload to find rules that should be evaluated. There
- are currently no specific modules, although there are several
- search engine plugins. Related configuration is done with the
- basic detection module. Aka fast pattern matcher.
- * SO rule: a IPS rule plugin that performs custom detection that
- can’t be done by a text rule. These rules typically do not have
- associated modules. SO comes from shared object, meaning dynamic
- library.
- * spell: a type of protocol magic that the wizard uses to identify
- ASCII protocols.
- * text rule: a rule loaded from the configuration that has a header
- and body. The header specifies action, protocol, source and
- destination IP addresses and ports, and direction. The body
- specifies detection and non-detection options.
- * wizard: inspector that applies protocol magic to determine which
- inspectors should be bound to traffic absent a port specific
- binding. See hex and spell.
+Currently, SoRule does not expose any methods.
+17.8.1.1. Interface Objects
-17.2. Usage
+Many of the plugins take C++ classes and structs as arguments. These
+objects are exposed to the Lua API as Lua userdata. Exposed objects
+are instantiated by calling the new method from each object’s method
+table.
---------------
+For example, the DecodeData object can be instantiated and exposed to
+Lua like this:
-For the following examples "$my_path" is assumed to be the path to
-the Snort++ install directory. Additionally, it is assumed that
-"$my_path/bin" is in your PATH.
+local decode_data = DecodeData.new(...)
-17.2.1. Environment
+Each object also exposes useful methods for getting and setting
+member variables, and calling the C++ methods contained in the the
+object. These methods can be accessed using the : accessor syntax:
-LUA_PATH is used directly by Lua to load and run required libraries.
-SNORT_LUA_PATH is used by Snort to load supplemental configuration
-files.
+decode_data:set({ sp = 80, dp = 3500 })
-export LUA_PATH=$my_path/include/snort/lua/\?.lua\;\;
-export SNORT_LUA_PATH=$my_path/etc/snort
+Since this is just syntactic sugar for passing the object as the
+first parameter of the function DecodeData.set, an equivalent form
+is:
-17.2.2. Help
+decode_data.set(decode_data, { sp = 80, dp = 3500 })
-Print the help summary:
+or even:
-snort --help
+DecodeData.set(decode_data, { sp = 80, dp = 3500 })
-Get help on a specific module ("stream", for example):
+Buffer
-snort --help-module stream
+ * Buffer.new(string[data]) → Buffer
+ * Buffer.new(uint[length]) → Buffer
+ * Buffer.new(RawBuffer) → Buffer
+ * Buffer:allocate(uint[length]) → bool
+ * Buffer:clear()
-Get help on the "-A" command line option:
+CodecData
-snort --help-options A
+ * CodecData.new() → CodecData
+ * CodecData.new(uint[next_prot_id]) → CodecData
+ * CodecData.new(fields) → CodecData
+ * CodecData:get() → fields
+ * CodecData:set(fields)
-Grep for help on threads:
+fields is a table with the following contents:
-snort --help-config | grep thread
+ * next_prot_id
+ * lyr_len
+ * invalid_bytes
+ * proto_bits
+ * codec_flags
+ * ip_layer_cnt
+ * ip6_extension_count
+ * curr_ip6_extension
+ * ip6_csum_proto
-Output help on "rule" options in AsciiDoc format:
+Cursor
-snort --markup --help-options rule
+ * Cursor.new() → Cursor
+ * Cursor.new(Packet) → Cursor
+ * Cursor.new(string[data]) → Cursor
+ * Cursor.new(RawBuffer) → Cursor
+ * Cursor:reset()
+ * Cursor:reset(Packet)
+ * Cursor:reset(string[data])
+ * Cursor:reset(RawBuffer)
-Note
+DAQHeader
-Snort++ stops reading command-line options after the "--help-" and
-"--list-" options, so any other options should be placed before them.
+ * DAQHeader.new() → DAQHeader
+ * DAQHeader.new(fields) → DAQHeader
+ * DAQHeader:get() → fields
+ * DAQHeader:set(fields)
-17.2.3. Sniffing and Logging
+fields is a table with the following contents:
-Read a pcap:
+ * caplen
+ * pktlen
+ * ingress_index
+ * egress_index
+ * ingress_group
+ * egress_group
+ * flags
+ * opaque
-snort -r /path/to/my.pcap
+DecodeData
-Dump the packets to stdout:
+ * DecodeData.new() → DecodeData
+ * DecodeData.new(fields) → DecodeData
+ * DecodeData:reset()
+ * DecodeData:get() → fields
+ * DecodeData:set(fields)
+ * DecodeData:set_ipv4_hdr(RawBuffer, uint[offset])
-snort -r /path/to/my.pcap -L dump
+fields is a table with the following contents:
-Dump packets with application data and layer 2 headers
+ * sp
+ * dp
+ * decode_flags
+ * type
-snort -r /path/to/my.pcap -L dump -d -e
+EncState
-Note
+ * EncState.new() → EncState
+ * EncState.new(uint[flags_lo]) → EncState
+ * EncState.new(uint[flags_lo], uint[flags_hi]) → EncState
+ * EncState.new(uint[flags_lo], uint[flags_hi], uint[next_proto]) →
+ EncState
+ * EncState.new(uint[flags_lo], uint[flags_hi], uint[next_proto],
+ uint[ttl]) → EncState
+ * EncState.new(uint[flags_lo], uint[flags_hi], uint[next_proto],
+ uint[ttl], uint[dsize]) → EncState
-Command line options must be specified separately. "snort -de" won’t
-work. You can still concatenate options and their arguments, however,
-so "snort -Ldump" will work.
+Event
-Dump packets from all pcaps in a directory:
+ * Event.new() → Event
+ * Event.new(fields) → Event
+ * Event:get() → fields
+ * Event:set(fields)
-snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap' -L dump -d -e
+fields is a table with the following contents:
-Log packets to a directory:
+ * event_id
+ * event_reference
+ * sig_info
-snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap' -L dump -l /path/to/log/dir
+ + generator
+ + id
+ + rev
+ + class_id
+ + priority
+ + text_rule
+ + num_services
-17.2.4. Configuration
+Flow
-Validate a configuration file:
+ * Flow.new() → Flow
+ * Flow:reset()
-snort -c $my_path/etc/snort/snort.lua
+Packet
-Validate a configuration file and a separate rules file:
+ * Packet.new() → Packet
+ * Packet.new(string[data]) → Packet
+ * Packet.new(uint[size]) → Packet
+ * Packet.new(fields) → Packet
+ * Packet.new(RawBuffer) → Packet
+ * Packet.new(DAQHeader) → Packet
+ * Packet:set_decode_data(DecodeData)
+ * Packet:set_data(uint[offset], uint[length])
+ * Packet:set_flow(Flow)
+ * Packet:get() → fields
+ * Packet:set()
+ * Packet:set(string[data])
+ * Packet:set(uint[size])
+ * Packet:set(fields)
+ * Packet:set(RawBuffer)
+ * Packet:set(DAQHeader)
-snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules
+fields is a table with the following contents:
-Read rules from stdin and validate:
+ * packet_flags
+ * xtradata_mask
+ * proto_bits
+ * application_protocol_ordinal
+ * alt_dsize
+ * num_layers
+ * iplist_id
+ * user_policy_id
+ * ps_proto
-snort -c $my_path/etc/snort/snort.lua --stdin-rules < $my_path/etc/snort/sample.rules
+Note: Packet.new() and Packet:set() accept multiple arguments of the
+types described above in any order
-Enable warnings for Lua configurations and make warnings fatal:
+RawBuffer
-snort -c $my_path/etc/snort/snort.lua --warn-all --pedantic
+ * RawBuffer.new() → RawBuffer
+ * RawBuffer.new(uint[size]) → RawBuffer
+ * RawBuffer.new(string[data]) → RawBuffer
+ * RawBuffer:size() → int
+ * RawBuffer:resize(uint[size])
+ * RawBuffer:write(string[data])
+ * RawBuffer:write(string[data], uint[size])
+ * RawBuffer:read() → string
+ * RawBuffer:read(uint[end]) → string
+ * RawBuffer:read(uint[start], uint[end]) → string
-Tell Snort++ where to look for additional Lua scripts:
+Note: calling RawBuffer.new() with no arguments returns a RawBuffer
+of size 0
-snort --script-path /path/to/script/dir
+StreamSplitter
-17.2.5. IDS mode
+ * StreamSplitter:scan(Flow, RawBuffer) → int, int
+ * StreamSplitter:scan(Flow, RawBuffer, uint[len]) → int, int
+ * StreamSplitter:scan(Flow, RawBuffer, uint[len], uint[flags]) →
+ int, int
+ * StreamSplitter:reassemble(Flow, uint[total], uint[offset],
+ RawBuffer) → int, RawBuffer
+ * StreamSplitter:reassemble(Flow, uint[total], uint[offset],
+ RawBuffer, uint[len]) → int, RawBuffer
+ * StreamSplitter:reassemble(Flow, uint[total], uint[offset],
+ RawBuffer, uint[len], uint[flags]) → int, RawBuffer
+ * StreamSplitter:finish(Flow) → bool
-Run Snort++ in IDS mode, reading packets from a pcap:
+Note: StreamSplitter does not have a new() method, it must be created
+by an inspector via Inspector.get_splitter()
-snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap
-Log any generated alerts to the console using the "-A" option:
+---------------------------------------------------------------------
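Review bot: RawBuffer:read(uint[end]) and RawBuffer:read(uint[start], uint[end]) do not say whether end is inclusive or exclusive, nor what happens when an index exceeds RawBuffer:size(); since piglet tests hand these buffers to codecs and splitters, the bounds behaviour should be documented next to the signatures. Smaller fixes in the same region: "calling the C++ methods contained in the the object" under Interface Objects doubles "the"; the notes "Packet.new() and Packet:set() accept multiple arguments of the types described above in any order" and "calling RawBuffer.new() with no arguments returns a RawBuffer of size 0" lack a terminating period; and "StreamSplitter does not have a new() method, it must be created by an inspector" is a comma splice (use a semicolon or "and").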
-snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A alert_full
+18. Coding Style
-Add or modify a configuration from the command line using the "--lua"
-option:
+---------------------------------------------------------------------
-snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A cmg \
- --lua 'ips = { enable_builtin_rules = true }'
+All new code should try to follow these style guidelines. These are
+not yet firm so feedback is welcome to get something we can live
+with.
-Note
-The "--lua" option can be specified multiple times.
+18.1. General
-Run Snort++ in IDS mode on an entire directory of pcaps, processing
-each input source on a separate thread:
+--------------
-snort -c $my_path/etc/snort/snort.lua --pcap-dir /path/to/pcap/dir \
- --pcap-filter '*.pcap' --max-packet-threads 8
+ * Generally try to follow http://google-styleguide.googlecode.com/
+ svn/trunk/cppguide.xml, but there are some differences documented
+ here.
+ * Each source directory should have a dev_notes.txt file
+ summarizing the key points and design decisions for the code in
+ that directory. These are built into the developers guide.
+ * Makefile.am and CMakeLists.txt should have the same files listed
+ in alpha order. This makes it easier to maintain both build
+ systems.
+ * All new code must come with unit tests providing 95% coverage or
+ better.
+ * Generally, Catch is preferred for tests in the source file and
+ CppUTest is preferred for test executables in a test
+ subdirectory.
-Run Snort++ on 2 interfaces, eth0 and eth1:
-snort -c $my_path/etc/snort/snort.lua -i "eth0 eth1" -z 2 -A cmg
+18.2. C++ Specific
-Run Snort++ inline with the afpacket DAQ:
+--------------
-snort -c $my_path/etc/snort/snort.lua --daq afpacket -i "eth0:eth1" \
- -A cmg
+ * Do not use exceptions. Exception-safe code is non-trivial and we
+ have ported legacy code that makes use of exceptions unwise.
+ There are a few exceptions to this rule for the memory manager,
+ shell, etc. Other code should handle errors as errors.
+ * Do not use dynamic_cast or RTTI. Although compilers are getting
+ better all the time, there is a time and space cost to this that
+ is easily avoided.
+ * Use smart pointers judiciously as they aren’t free. If you would
+ have to roll your own, then use a smart pointer. If you just need
+ a dtor to delete something, write the dtor.
+ * Prefer and over && and or over || for new source files.
+ * Use nullptr instead of NULL.
+ * Use new, delete, and their [] counterparts instead of malloc and
+ free except where realloc must be used. But try not to use
+ realloc. New and delete can’t return nullptr so no need to check.
+ And Snort’s memory manager will ensure that we live within our
+ memory budget.
+ * Use references in lieu of pointers wherever possible.
+ * Use the order public, protected, private top to bottom in a class
+ declaration.
+ * Keep inline functions in a class declaration very brief,
+ preferably just one line. If you need a more complex inline
+ function, move the definition below the class declaration.
+ * The goal is to have highly readable class declarations. The user
+ shouldn’t have to sift through implementation details to see what
+ is available to the client.
+ * Any using statements in source files should be added only after
+ all includes have been declared.
-17.3. Plugins
+18.3. Naming
--------------
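Review bot: "New and delete can't return nullptr so no need to check" in the C++ Specific list needs reconciling with the "Do not use exceptions" item above it: a failed `new` reports failure by throwing std::bad_alloc, and only the `new (std::nothrow)` form returns nullptr, so code that neither catches the exception nor uses nothrow terminates on allocation failure. Suggest saying that explicitly (for example, "allocation failure throws bad_alloc, which is allowed to terminate the process") instead of implying the case is handled somewhere else; the sentence about the memory manager keeping within budget is a separate point. Also, "and we have ported legacy code that makes use of exceptions unwise" is garbled; "and the legacy code we have ported makes the use of exceptions unwise" reads correctly. Finally, "Prefer and over && and or over ||" is hard to parse as plain text; quote the tokens, e.g. "Prefer `and` over `&&` and `or` over `||`".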
-Load external plugins and use the "ex" alert:
+ * Use camel case for namespaces, classes, and types like
+ WhizBangPdfChecker.
+ * Use lower case identifiers with underscore separators, e.g.
+ some_function() and my_var.
+ * Do not start or end variable names with an underscore. This has a
+ good chance of conflicting with macro and/or system definitions.
+ * Use lower case filenames with underscores.
-snort -c $my_path/etc/snort/snort.lua \
- --plugin-path $my_path/lib/snort_extra \
- -A alert_ex -r /path/to/my.pcap
-Test the LuaJIT rule option find loaded from stdin:
+18.4. Comments
-snort -c $my_path/etc/snort/snort.lua \
- --script-path $my_path/lib/snort_extra \
- --stdin-rules -A cmg -r /path/to/my.pcap << END
-alert tcp any any -> any 80 (
- sid:3; msg:"found"; content:"GET";
- find:"pat='HTTP/1%.%d'" ; )
-END
+--------------
+ * Write comments sparingly with a mind towards future proofing.
+ Often the comments can be obviated with better code. Clear code
+ is better than a comment.
+ * Heed Tim Ottinger’s Rule on Comments (https://disqus.com/by/
+ tim_ottinger/):
-17.4. Output Files
+ 1. Comments should only say what the code is incapable of
+ saying.
+ 2. Comments that repeat (or pre-state) what the code is doing
+ must be removed.
+ 3. If the code CAN say what the comment is saying, it must be
+ changed at least until rule #2 is in force.
+ * Function comment blocks are generally just noise that quickly
+ becomes obsolete. If you absolutely must comment on parameters,
+ put each on a separate line along with the comment. That way
+ changing the signature may prompt a change to the comments too.
+ * Use FIXIT (not FIXTHIS or TODO or whatever) to mark things left
+ for a day or even just a minute. That way we can find them easily
+ and won’t lose track of them.
+ * Presently using FIXIT-X where X = A | W | P | H | M | L,
+ indicating analysis, warning, perf, high, med, or low priority.
+ Place A and W comments on the exact warning line so we can match
+ up comments and build output. Supporting comments can be added
+ above.
+ * Put the copyright(s) and license in a comment block at the top of
+ each source file (.h and .cc). Don’t bother with trivial scripts
+ and make foo. Some interesting Lua code should get a comment
+ block too. Copy and paste exactly from src/main.h (don’t
+ reformat).
+ * Put author, description, etc. in separate comment(s) following
+ the license. Do not put such comments in the middle of the
+ license foo. Be sure to put the author line ahead of the header
+ guard to exclude them from the developers guide. Use the
+ following format, and include a mention to the original author if
+ this is derived work:
---------------
+ // ips_dnp3_obj.cc author Maya Dagon <mdagon@cisco.com>
+ // based on work by Ryan Jordan
-To make it simple to configure outputs when you run with multiple
-packet threads, output files are not explicitly configured. Instead,
-you can use the options below to format the paths:
+ * Each header should have a comment immediately after the header
+ guard to give an overview of the file so the reader knows what’s
+ going on.
-<logdir>/[<run_prefix>][<id#>][<X>]<name>
-Log to unified in the current directory:
+18.5. Logging
-snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A unified2
+--------------
-Log to unified in the current directory with a different prefix:
+ * Messages intended for the user should not look like debug
+ messages. Eg, the function name should not be included. It is
+ generally unhelpful to include pointers.
+ * Most debug messages should just be deleted.
+ * Don’t bang your error messages (no !). The user feels bad enough
+ about the problem already w/o you shouting at him.
-snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A unified2 \
- --run-prefix take2
-Log to unified in /tmp:
+18.6. Types
-snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A unified2 -l /tmp
+--------------
-Run 4 packet threads and log with thread number prefix (0-3):
+ * Use logical types to make the code clearer and to help the
+ compiler catch problems. typedef uint16_t Port; bool foo(Port) is
+ way better than int foo(int port).
+ * Use forward declarations (e.g. struct SnortConfig;) instead of
+ void*.
+ * Try not to use extern data unless absolutely necessary and then
+ put the extern in an appropriate header. Exceptions for things
+ used in exactly one place like BaseApi pointers.
+ * Use const liberally. In most cases, const char* s = "foo" should
+ be const char* const s = "foo". The former goes in the
+ initialized data section and the latter in read only data
+ section.
+ * But use const char s[] = "foo" instead of const char* s = "foo"
+ when possible. The latter form allocates a pointer variable and
+ the data while the former allocates only the data.
+ * Use static wherever possible to minimize public symbols and
+ eliminate unneeded relocations.
+ * Declare functions virtual only in the parent class introducing
+ the function (not in a derived class that is overriding the
+ function). This makes it clear which class introduces the
+ function.
+ * Declare functions as override if they are intended to override a
+ function. This makes it possible to find derived implementations
+ that didn’t get updated and therefore won’t get called due a
+ change in the parent signature.
+ * Use bool functions instead of int unless there is truly a need
+ for multiple error returns. The C-style use of zero for success
+ and -1 for error is less readable and often leads to messy code
+ that either ignores the various errors anyway or needlessly and
+ ineffectively tries to do something aobut them. Generally that
+ code is not updated if new errors are added.
-snort -c $my_path/etc/snort/snort.lua --pcap-dir /path/to/pcap/dir \
- --pcap-filter '*.pcap' -z 4 -A unified2
-Run 4 packet threads and log in thread number subdirs (0-3):
+18.7. Macros (aka defines)
-snort -c $my_path/etc/snort/snort.lua --pcap-dir /path/to/pcap/dir \
- --pcap-filter '*.pcap' -z 4 -A unified2 --id-subdir
+--------------
-Note
+ * In many cases, even in C++, use #define name "value" instead of a
+ const char* const name = "value" because it will eliminate a
+ symbol from the binary.
+ * Use inline functions instead of macros where possible (pretty
+ much all cases except where stringification is necessary).
+ Functions offer better typing, avoid re-expansions, and a
+ debugger can break there.
+ * All macros except simple const values should be wrapped in () and
+ all args should be wrapped in () too to avoid surprises upon
+ expansion. Example:
-subdirectories are created automatically if required. Log filename is
-based on module name that writes the file. All text mode outputs
-default to stdout. These options can be combined.
+ #define SEQ_LT(a,b) ((int)((a) - (b)) < 0)
-17.4.1. DAQ Alternatives
+ * Multiline macros should be blocked (i.e. inside { }) to avoid
+ if-else type surprises.
-Process hext packets from stdin:
-snort -c $my_path/etc/snort/snort.lua \
- --daq-dir $my_path/lib/snort/daqs --daq hext -i tty << END
-$packet 10.1.2.3 48620 -> 10.9.8.7 80
-"GET / HTTP/1.1\r\n"
-"Host: localhost\r\n"
-"\r\n"
-END
+18.8. Formatting
-Process raw ethernet from hext file:
+--------------
-snort -c $my_path/etc/snort/snort.lua \
- --daq-dir $my_path/lib/snort/daqs --daq hext \
- --daq-var dlt=1 -r <hext-file>
+ * Try to keep all source files under 2500 lines. 3000 is the max
+ allowed. If you need more lines, chances are that the code needs
+ to be refactored.
+ * Indent 4 space chars … no tabs!
+ * If you need to indent many times, something could be rewritten or
+ restructured to make it clearer. Fewer indents is generally
+ easier to write, easier to read, and overall better code.
+ * Braces go on the line immediately following a new scope (function
+ signature, if, else, loop, switch, etc.
+ * Use consistent spacing and line breaks. Always indent 4 spaces
+ from the breaking line. Keep lines less than 100 chars; it
+ greatly helps readability.
-Process a directory of plain files (ie non-pcap) with 4 threads with
-8K buffers:
+ No:
+ calling_a_func_with_a_long_name(arg1,
+ arg2,
+ arg3);
-snort -c $my_path/etc/snort/snort.lua \
- --daq-dir $my_path/lib/snort/daqs --daq file \
- --pcap-dir path/to/files -z 4 -s 8192
+ Yes:
+ calling_a_func_with_a_long_name(
+ arg1, arg2, arg3);
-Bridge two TCP connections on port 8000 and inspect the traffic:
+ * Put function signature on one line, except when breaking for the
+ arg list:
-snort -c $my_path/etc/snort/snort.lua \
- --daq-dir $my_path/lib/snort/daqs --daq socket
+ No:
+ inline
+ bool foo()
+ { // ...
-17.4.2. Logger Alternatives
+ Yes:
+ inline bool foo()
+ { // ...
-Dump TCP stream payload in hext mode:
+ * Put conditional code on the line following the if so it is easy
+ to break on the conditional block:
-snort -c $my_path/etc/snort/snort.lua -L hext
+ No:
+ if ( test ) foo();
-Output timestamp, pkt_num, proto, pkt_gen, dgm_len, dir, src_ap,
-dst_ap, rule, action for each alert:
+ Yes:
+ if ( test )
+ foo();
-snort -c $my_path/etc/snort/snort.lua -A csv
-Output the old test format alerts:
+18.9. Headers
-snort -c $my_path/etc/snort/snort.lua \
- --lua "alert_csv = { fields = 'pkt_num gid sid rev', separator = '\t' }"
+--------------
-17.4.3. Shell
+ * Don’t hesitate to create a new header if it is needed. Don’t lump
+ unrelated stuff into an header because it is convenient.
+ * Write header guards like this (leading underscores are reserved
+ for system stuff). In my_header.h:
-You must build with --enable-shell to make the command line shell
-available.
+ #ifndef MY_HEADER_H
+ #define MY_HEADER_H
+ // ...
+ #endif
-Enable shell mode:
+ * Includes from a different directory should specify parent
+ directory. This makes it clear exactly what is included and
+ avoids the primordial soup that results from using -I this -I
+ that -I the_other_thing … .
-snort --shell <args>
+ // given:
+ src/foo/foo.cc
+ src/bar/bar.cc
+ src/bar/baz.cc
-You will see the shell mode command prompt, which looks like this:
+ // in baz.cc
+ #include "bar.h"
-o")~
+ // in foo.cc
+ #include "bar/bar.h"
-(The prompt can be changed with the SNORT_PROMPT environment
-variable.)
+ * Includes within installed headers should specify parent
+ directory.
+ * Just because it is a #define doesn’t mean it goes in a header.
+ Everything should be scoped as tightly as possible. Shared
+ implementation declarations should go in a separate header from
+ the interface. And so on.
+ * A .cc should include its own .h before any others (including
+ system headers). This ensures that the header stands on its own
+ and can be used by clients without include prerequisites and the
+ developer will be the first to find a dependency problem.
+ * Include required headers, all required headers, and nothing but
+ required headers. Don’t just clone a bunch of headers because it
+ is convenient.
+ * Try to keep includes in alpha order. This makes it easier to
+ maintain, avoid duplicates, etc.
+ * Any file depending on #ifdefs should include config.h as shown
+ below. A .h should include it before any other includes, and a
+ .cc should include it immediately after the include of its own
+ .h.
-You can pause immediately after loading the configuration and again
-before exiting with:
+ #ifdef HAVE_CONFIG_H
+ #include "config.h"
+ #endif
-snort --shell --pause <args>
+ * Do not put using statements in headers unless they are tightly
+ scoped.
-In that case you must issue the resume() command to continue. Enter
-quit() to terminate Snort or detach() to exit the shell. You can list
-the available commands with help().
-To enable local telnet access on port 12345:
+18.10. Warnings
-snort --shell -j 12345 <args>
+--------------
-The command line interface is still under development. Suggestions
-are welcome.
+ * With g++, use at least these compiler flags:
-17.4.4. Signals
+ -Wall -Wextra -pedantic -Wformat -Wformat-security
+ -Wunused-but-set-variable -Wno-deprecated-declarations
+ -fsanitize=address -fno-omit-frame-pointer
-Note
+ * With clang, use at least these compiler flags:
-The following examples assume that Snort++ is currently running and
-has a process ID of <pid>.
+ -Wall -Wextra -pedantic -Wformat -Wformat-security
+ -Wno-deprecated-declarations
+ -fsanitize=address -fno-omit-frame-pointer
-Modify and Reload Configuration:
+ * Two macros (PADDING_GUARD_BEGIN and PADDING_GUARD_END) are
+ provided by utils/cpp_macros.h. These should be used to surround
+ any structure used as a hash key with a raw comparator or that
+ would otherwise suffer from unintentional padding. A compiler
+ warning will be generated if any structure definition is
+ automatically padded between the macro invocations.
+ * Then Fix All Warnings and Aborts. None Allowed.
-echo 'suppress = { { gid = 1, sid = 2215 } }' >> $my_path/etc/snort/snort.lua
-kill -hup <pid>
-Dump stats to stdout:
+18.11. Uncrustify
-kill -usr1 <pid>
+--------------
-Shutdown normally:
+Currently using uncrustify from at https://github.com/bengardner/
+uncrustify to reformat legacy code and anything that happens to need
+a makeover at some point.
-kill -term <pid>
+The working config is crusty.cfg in the top level directory. It does
+well but will munge some things. Specially formatted INDENT-OFF
+comments were added in 2 places to avoid a real mess.
-Exit without flushing packets:
+You can use uncrustify something like this:
-kill -quit <pid>
+uncrustify -c crusty.cfg --replace file.cc
-List available signals:
-snort --help-signals
+---------------------------------------------------------------------
-Note
+19. Reference
-The available signals may vary from platform to platform.
+---------------------------------------------------------------------
-17.5. Build Options
+19.1. Build Options
--------------
libraries see the Getting Started section of the manual.
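Review bot: the sanitizer flags `-fsanitize=address -fno-omit-frame-pointer` listed for both g++ and clang under 18.10 Warnings are not warning flags and carry a large runtime and memory cost, so "use at least these compiler flags" turns every build into an ASan build; keep the Warnings list to diagnostics (`-Wall -Wextra -pedantic -Wformat -Wformat-security ...`) and move the sanitizer flags to a separate debug/test build recommendation. Separately, this region deletes the 17.4.x shell and signal documentation (`snort --shell --pause <args>`, `kill -hup <pid>` to reload, `-usr1` to dump stats, `-term`, `-quit`, `snort --help-signals`) with no added counterpart; confirm that text was relocated in the renumbered chapters rather than dropped, since operators rely on it.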
-17.6. Environment Variables
+19.2. Environment Variables
--------------
be added to the manuals.
-17.7. Command Line Options
+19.3. Command Line Options
--------------
the system; default is 1 (0:)
-17.8. Parameters
-
---------------
-
-Parameters are given with this format:
-
-type name = default: help { range }
-
-The following types are used:
-
- * addr: any valid IP4 or IP6 address or CIDR
- * addr_list: a space separated list of addr values
- * bit_list: a list of consecutive integer values from 1 to the
- range maximum
- * bool: true or false
- * dynamic: a select type determined by loaded plugins
- * enum: a string selected from the given range
- * implied: an IPS rule option that takes no value but means true
- * int: a whole number in the given range
- * ip4: an IP4 address or CIDR
- * mac: an ethernet address with the form 01:02:03:04:05:06
- * multi: one or more space separated strings from the given range
- * port: an int in the range 0:65535 indicating a TCP or UDP port
- number
- * real: a real number in the given range
- * select: a string selected from the given range
- * string: any string with no more than the given length, if any
-
-The parameter name may be adorned in various ways to indicate
-additional information about the type and use of the parameter:
-
- * For Lua configuration (not IPS rules), if the name ends with []
- it is a list item and can be repeated.
- * For IPS rules only, names starting with ~ indicate positional
- parameters. The names of such parameters do not appear in the
- rule.
- * IPS rules may also have a wild card parameter, which is indicated
- by a *. Only used for metadata that Snort ignores.
- * The snort module has command line options starting with a -.
-
-Some additional details to note:
-
- * Table and variable names are case sensitive; use lower case only.
- * String values are case sensitive too; use lower case only.
- * Numeric ranges may be of the form low:high where low and high are
- bounds included in the range. If either is omitted, there is no
- hard bound. E.g. 0: means any x where x >= 0.
- * Strings may have a numeric range indicating a length limit;
- otherwise there is no hard limit.
- * bit_list is typically used to store a set of byte, port, or VLAN
- ID values.
-
-
-17.9. Configuration
+19.4. Configuration
--------------
in alert info (fast, full, or syslog only)
* bool alerts.default_rule_state = true: enable or disable ips
rules
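Review bot: the removed 17.8 Parameters legend (the type list addr, addr_list, bit_list, bool, enum, implied, int, ip4, mac, multi, port, real, select, string, plus the `[]`, `~` and `*` name adornments and the `low:high` range notation) has no added counterpart in this hunk, yet the 19.4 Configuration entries that follow still use exactly those types and `{ 0: }`-style ranges; keep the legend, or move it so it precedes 19.4 Configuration, otherwise readers of the reference have no definition of what `implied`, `multi` or `{ 1:65535 }` mean.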
- * int alerts.detection_filter_memcap = 1048576: set available
- memory for filters { 0: }
- * int alerts.event_filter_memcap = 1048576: set available memory
- for filters { 0: }
+ * int alerts.detection_filter_memcap = 1048576: set available bytes
+ of memory for detection_filters { 0: }
+ * int alerts.event_filter_memcap = 1048576: set available bytes of
+ memory for event_filters { 0: }
* string alert_sfsocket.file: name of unix socket file
* int alert_sfsocket.rules[].gid = 1: rule generator ID { 1: }
* int alert_sfsocket.rules[].sid = 1: rule signature ID { 1: }
* string alerts.order = pass drop alert log: change the order of
rule action application
- * int alerts.rate_filter_memcap = 1048576: set available memory for
- filters { 0: }
+ * int alerts.rate_filter_memcap = 1048576: set available bytes of
+ memory for rate_filters { 0: }
* string alerts.reference_net: set the CIDR for homenet (for use
with -l or -B, does NOT change $HOME_NET in IDS mode)
* bool alerts.stateful = false: don’t alert w/o established session
debug }
* multi alert_syslog.options: used to open the syslog connection {
cons | ndelay | perror | pid }
- * string appid.app_detector_dir: directory to load AppId detectors
+ * string appid.app_detector_dir: directory to load appid detectors
from
* int appid.app_stats_period = 300: time period for collecting and
- logging AppId statistics { 0: }
+ logging appid statistics { 0: }
* int appid.app_stats_rollover_size = 20971520: max file size for
- AppId stats before rolling over the log file { 0: }
+ appid stats before rolling over the log file { 0: }
* int appid.app_stats_rollover_time = 86400: max time period for
- collection AppId stats before rolling over the log file { 0: }
+ collection appid stats before rolling over the log file { 0: }
* string appid.conf: RNA configuration file
- * bool appid.debug = false: enable AppId debug logging
- * bool appid.dump_ports = false: enable dump of AppId port
+ * bool appid.debug = false: enable appid debug logging
+ * bool appid.dump_ports = false: enable dump of appid port
information
* int appid.instance_id = 0: instance id - need more details for
what this is { 0: }
- * bool appid.log_stats = false: enable logging of AppId statistics
- * int appid.memcap = 268435456: time period for collecting and
- logging AppId statistics { 1048576:3221225472 }
+ * bool appid.log_stats = false: enable logging of appid statistics
+ * int appid.memcap = 0: disregard - not implemented { 0: }
* string appids.~: appid option
* addr appid.session_log_filter.dst_ip = 0.0.0.0/32: destination ip
address in CIDR format
address in CIDR format
* port appid.session_log_filter.src_port: source port { 1: }
* string appid.thirdparty_appid_dir: directory to load thirdparty
- AppId detectors from
+ appid detectors from
* ip4 arp_spoof.hosts[].ip: host ip address
* mac arp_spoof.hosts[].mac: host mac address
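Review bot: the new help text for appid.memcap, `disregard - not implemented { 0: }`, documents a knob the reader is told to ignore; either drop the parameter from the generated reference or mark it deprecated in the help string, rather than shipping a default of 0 with an open `0:` range that invites users to set it and expect an effect. The AppId to appid lowercasing in the rest of this region is consistent with the lower-case convention used elsewhere in the reference and is fine.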
- * int asn1.absolute_offset: Absolute offset from the beginning of
- the packet. { 0: }
- * implied asn1.bitstring_overflow: Detects invalid bitstring
- encodings that are known to be remotely exploitable.
- * implied asn1.double_overflow: Detects a double ASCII encoding
- that is larger than a standard buffer.
- * int asn1.oversize_length: Compares ASN.1 type lengths with the
- supplied argument. { 0: }
+ * int asn1.absolute_offset: absolute offset from the beginning of
+ the packet { 0: }
+ * implied asn1.bitstring_overflow: detects invalid bitstring
+ encodings that are known to be remotely exploitable
+ * implied asn1.double_overflow: detects a double ASCII encoding
+ that is larger than a standard buffer
+ * int asn1.oversize_length: compares ASN.1 type lengths with the
+ supplied argument { 0: }
* implied asn1.print: dump decode data to console; always true
- * int asn1.relative_offset: relative offset from the cursor.
+ * int asn1.relative_offset: relative offset from the cursor
* int attribute_table.max_hosts = 1024: maximum number of hosts in
attribute table { 32:207551 }
* int attribute_table.max_metadata_services = 8: maximum number of
services in rule metadata { 1:256 }
* int attribute_table.max_services_per_host = 8: maximum number of
services per host entry in attribute table { 1:65535 }
- * int base64_decode.bytes: Number of base64 encoded bytes to
- decode. { 1: }
- * int base64_decode.offset = 0: Bytes past start of buffer to start
- decoding. { 0: }
- * implied base64_decode.relative: Apply offset to cursor instead of
- start of buffer.
+ * int base64_decode.bytes: number of base64 encoded bytes to decode
+ { 1: }
+ * int base64_decode.offset = 0: bytes past start of buffer to start
+ decoding { 0: }
+ * implied base64_decode.relative: apply offset to cursor instead of
+ start of buffer
* enum binder[].use.action = inspect: what to do with matching
traffic { reset | block | allow | inspect }
* string binder[].use.file: use configuration in given file
* enum host_tracker[].tcp_policy: tcp reassembly policy { first |
last | linux | old_linux | bsd | macos | solaris | irix | hpux11
| hpux10 | windows | win_2003 | vista | proxy }
- * implied http_cookie.request: Match against the cookie from the
+ * implied http_cookie.request: match against the cookie from the
request message even when examining the response
- * implied http_cookie.with_body: Parts of this rule examine HTTP
+ * implied http_cookie.with_body: parts of this rule examine HTTP
message body
- * implied http_cookie.with_trailer: Parts of this rule examine HTTP
+ * implied http_cookie.with_trailer: parts of this rule examine HTTP
message trailers
- * string http_header.field: Restrict to given header. Header name
+ * string http_header.field: restrict to given header. Header name
is case insensitive.
- * implied http_header.request: Match against the headers from the
+ * implied http_header.request: match against the headers from the
request message even when examining the response
- * implied http_header.with_body: Parts of this rule examine HTTP
+ * implied http_header.with_body: parts of this rule examine HTTP
message body
- * implied http_header.with_trailer: Parts of this rule examine HTTP
+ * implied http_header.with_trailer: parts of this rule examine HTTP
message trailers
* bool http_inspect.backslash_to_slash = false: replace \ with /
when normalizing URIs
mapping to normalize characters
* string http_inspect.iis_unicode_map_file: file containing code
points for IIS unicode. { (optional) }
+ * int http_inspect.max_javascript_whitespaces = 200: maximum
+ consecutive whitespaces allowed within the Javascript obfuscated
+ data { 1:65535 }
+ * bool http_inspect.normalize_javascript = false: normalize
+ javascript in response bodies
* bool http_inspect.normalize_utf = true: normalize charset utf
- encodings
+ encodings in response bodies
* int http_inspect.oversize_dir_length = 300: maximum length for
URL directory { 1:65535 }
* bool http_inspect.percent_u = false: normalize %uNNNN and %UNNNN
encoded
* bool http_inspect.utf8 = true: normalize 2-byte and 3-byte UTF-8
characters to a single byte
- * implied http_method.with_body: Parts of this rule examine HTTP
+ * implied http_method.with_body: parts of this rule examine HTTP
message body
- * implied http_method.with_trailer: Parts of this rule examine HTTP
+ * implied http_method.with_trailer: parts of this rule examine HTTP
message trailers
- * implied http_raw_cookie.request: Match against the cookie from
+ * implied http_raw_cookie.request: match against the cookie from
the request message even when examining the response
- * implied http_raw_cookie.with_body: Parts of this rule examine
+ * implied http_raw_cookie.with_body: parts of this rule examine
HTTP message body
- * implied http_raw_cookie.with_trailer: Parts of this rule examine
+ * implied http_raw_cookie.with_trailer: parts of this rule examine
HTTP message trailers
- * implied http_raw_header.request: Match against the headers from
+ * implied http_raw_header.request: match against the headers from
the request message even when examining the response
- * implied http_raw_header.with_body: Parts of this rule examine
+ * implied http_raw_header.with_body: parts of this rule examine
HTTP message body
- * implied http_raw_header.with_trailer: Parts of this rule examine
+ * implied http_raw_header.with_trailer: parts of this rule examine
HTTP message trailers
- * implied http_raw_request.with_body: Parts of this rule examine
+ * implied http_raw_request.with_body: parts of this rule examine
HTTP message body
- * implied http_raw_request.with_trailer: Parts of this rule examine
+ * implied http_raw_request.with_trailer: parts of this rule examine
HTTP message trailers
- * implied http_raw_status.with_body: Parts of this rule examine
+ * implied http_raw_status.with_body: parts of this rule examine
HTTP message body
- * implied http_raw_status.with_trailer: Parts of this rule examine
+ * implied http_raw_status.with_trailer: parts of this rule examine
HTTP message trailers
- * implied http_raw_trailer.request: Match against the trailers from
+ * implied http_raw_trailer.request: match against the trailers from
the request message even when examining the response
- * implied http_raw_trailer.with_body: Parts of this rule examine
+ * implied http_raw_trailer.with_body: parts of this rule examine
HTTP response message body (must be combined with request)
- * implied http_raw_trailer.with_header: Parts of this rule examine
+ * implied http_raw_trailer.with_header: parts of this rule examine
HTTP response message headers (must be combined with request)
* implied http_raw_uri.fragment: match against fragment section of
URI only
only
* implied http_raw_uri.scheme: match against scheme section of URI
only
- * implied http_raw_uri.with_body: Parts of this rule examine HTTP
+ * implied http_raw_uri.with_body: parts of this rule examine HTTP
message body
- * implied http_raw_uri.with_trailer: Parts of this rule examine
+ * implied http_raw_uri.with_trailer: parts of this rule examine
HTTP message trailers
- * implied http_stat_code.with_body: Parts of this rule examine HTTP
+ * implied http_stat_code.with_body: parts of this rule examine HTTP
message body
- * implied http_stat_code.with_trailer: Parts of this rule examine
+ * implied http_stat_code.with_trailer: parts of this rule examine
HTTP message trailers
- * implied http_stat_msg.with_body: Parts of this rule examine HTTP
+ * implied http_stat_msg.with_body: parts of this rule examine HTTP
message body
- * implied http_stat_msg.with_trailer: Parts of this rule examine
+ * implied http_stat_msg.with_trailer: parts of this rule examine
HTTP message trailers
* string http_trailer.field: restrict to given trailer
- * implied http_trailer.request: Match against the trailers from the
+ * implied http_trailer.request: match against the trailers from the
request message even when examining the response
- * implied http_trailer.with_body: Parts of this rule examine HTTP
+ * implied http_trailer.with_body: parts of this rule examine HTTP
message body (must be combined with request)
- * implied http_trailer.with_header: Parts of this rule examine HTTP
+ * implied http_trailer.with_header: parts of this rule examine HTTP
response message headers (must be combined with request)
* implied http_uri.fragment: match against fragment section of URI
only
* implied http_uri.port: match against port section of URI only
* implied http_uri.query: match against query section of URI only
* implied http_uri.scheme: match against scheme section of URI only
- * implied http_uri.with_body: Parts of this rule examine HTTP
+ * implied http_uri.with_body: parts of this rule examine HTTP
message body
- * implied http_uri.with_trailer: Parts of this rule examine HTTP
+ * implied http_uri.with_trailer: parts of this rule examine HTTP
message trailers
- * implied http_version.request: Match against the version from the
+ * implied http_version.request: match against the version from the
request message even when examining the response
- * implied http_version.with_body: Parts of this rule examine HTTP
+ * implied http_version.with_body: parts of this rule examine HTTP
message body
- * implied http_version.with_trailer: Parts of this rule examine
+ * implied http_version.with_trailer: parts of this rule examine
HTTP message trailers
* string icmp_id.~range: check if icmp id is id | min<>max | <max |
>min
min
* int imap.b64_decode_depth = 1460: base64 decoding depth {
-1:65535 }
- * int imap.bitenc_decode_depth = 1460: Non-Encoded MIME attachment
+ * int imap.bitenc_decode_depth = 1460: non-Encoded MIME attachment
extraction depth { -1:65535 }
- * int imap.qp_decode_depth = 1460: Quoted Printable decoding depth
+ * int imap.qp_decode_depth = 1460: quoted Printable decoding depth
{ -1:65535 }
* int imap.uu_decode_depth = 1460: Unix-to-Unix decoding depth {
-1:65535 }
the decoder
* int network.id = 0: correlate unified2 events with configuration
{ 0:65535 }
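Review bot: the blanket lowercasing of the first word has produced `non-Encoded MIME attachment extraction depth` and `quoted Printable decoding depth` for imap.bitenc_decode_depth and imap.qp_decode_depth, which now capitalize mid-phrase; use `non-encoded` and `quoted-printable`, and apply the same to the pop.bitenc_decode_depth context line further down, which still reads `Non-Encoded`, so the two modules stay consistent. In the same spirit, `Javascript` in the added http_inspect.max_javascript_whitespaces help text should be `JavaScript` (or lower-case `javascript` as in the normalize_javascript entry), not a third spelling.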
- * int network.layers = 40: The maximum number of protocols that
+ * int network.layers = 40: the maximum number of protocols that
Snort can correctly decode { 3:255 }
- * int network.max_ip6_extensions = 0: The number of IP6 options
- Snort will process for a given IPv6 layer. If this limit is hit,
- rule 116:456 may fire. 0 = unlimited { 0:255 }
- * int network.max_ip_layers = 0: The maximum number of IP layers
- Snort will process for a given packet If this limit is hit, rule
- 116:293 may fire. 0 = unlimited { 0:255 }
+ * int network.max_ip6_extensions = 0: the maximum number of IP6
+ options Snort will process for a given IPv6 layer before raising
+ 116:456 (0 = unlimited) { 0:255 }
+ * int network.max_ip_layers = 0: the maximum number of IP layers
+ Snort will process for a given packet before raising 116:293 (0 =
+ unlimited) { 0:255 }
* int network.min_ttl = 1: alert / normalize packets with lower ttl
/ hop limit (you must enable rules and / or normalization also) {
1:255 }
destination addresses as unified2 extra data records
* bool output.obfuscate = false: obfuscate the logged IP addresses
(same as -O)
- * bool output.obfuscate_pii = false: Mask all but the last 4
+ * bool output.obfuscate_pii = false: mask all but the last 4
characters of credit card and social security numbers
* bool output.quiet = false: suppress non-fatal information (still
show alerts, same as -q)
* bool perf_monitor.flow = false: enable traffic statistics
* bool perf_monitor.flow_ip = false: enable statistics on host
pairs
- * int perf_monitor.flow_ip_memcap = 52428800: maximum memory for
- flow tracking { 8200: }
+ * int perf_monitor.flow_ip_memcap = 52428800: maximum memory in
+ bytes for flow tracking { 8200: }
* int perf_monitor.flow_ports = 1023: maximum ports to track {
0:65535 }
- * enum perf_monitor.format = csv: Output format for stats { csv |
+ * enum perf_monitor.format = csv: output format for stats { csv |
text }
* int perf_monitor.max_file_size = 1073741824: files will be rolled
over if they exceed this size { 4096: }
* string perf_monitor.modules[].name: name of the module
* string perf_monitor.modules[].pegs: list of statistics to track
or empty for all counters
- * enum perf_monitor.output = file: Output location for stats { file
+ * enum perf_monitor.output = file: output location for stats { file
| console }
* int perf_monitor.packets = 10000: minimum packets to report { 0:
}
* int perf_monitor.seconds = 60: report interval { 1: }
- * bool perf_monitor.summary = false: Output summary at shutdown
+ * bool perf_monitor.summary = false: output summary at shutdown
* int pop.b64_decode_depth = 1460: base64 decoding depth { -1:65535
}
* int pop.bitenc_decode_depth = 1460: Non-Encoded MIME attachment
-1:65535 }
* int pop.uu_decode_depth = 1460: Unix-to-Unix decoding depth {
-1:65535 }
- * int port_scan_global.memcap = 1048576: maximum tracker memory {
- 1: }
+ * int port_scan_global.memcap = 1048576: maximum tracker memory in
+ bytes { 1: }
* string port_scan.ignore_scanned: list of CIDRs with optional
ports to ignore if the destination of scan alerts
* string port_scan.ignore_scanners: list of CIDRs with optional
* string rem.~: comment
* string replace.~: byte code to replace with
* string reputation.blacklist: blacklist file name with ip lists
- * int reputation.memcap = 500: maximum total memory allocated {
- 1:4095 }
+ * int reputation.memcap = 500: maximum total MB of memory allocated
+ { 1:4095 }
* enum reputation.nested_ip = inner: ip to use when there is IP
encapsulation { inner|outer|all }
* enum reputation.priority = whitelist: defines priority when there
events
* string window.~range: check if tcp window field size is size |
min<>max | <max | >min
+ * multi wizard.curses: enable service identification based on
+ internal algorithm { dce_smb | dce_udp | dce_tcp }
* bool wizard.hexes[].client_first = true: which end initiates data
transfer
* select wizard.hexes[].proto = tcp: protocol to scan { tcp | udp }
wild cards (*)
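Review bot: reputation.memcap is now documented as `maximum total MB of memory allocated` while perf_monitor.flow_ip_memcap, port_scan_global.memcap and the alerts.*_memcap entries in the same reference are documented in bytes; stating the unit is the right fix, but a unit mismatch across parameters that all carry the name memcap is an easy misconfiguration (500 here means 500 MB, 1048576 elsewhere means 1 MiB), so consider phrasing every memcap help string the same way, e.g. `maximum total memory allocated in MB { 1:4095 }`, so the unit is always in the same position.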
-17.10. Counts
-
---------------
-
- * appid.aim_clients: count of aim clients discovered by appid
- * appid.battlefield_flows: count of battle field flows discovered
- by appid
- * appid.bgp_flows: count of bgp flows discovered by appid
- * appid.bit_clients: count of bittorrent clients discovered by
- appid
- * appid.bit_flows: count of bittorrent flows discovered by appid
- * appid.bittracker_clients: count of bittorrent tracker clients
- discovered by appid
- * appid.bootp_flows: count of bootp flows discovered by appid
- * appid.dcerpc_tcp_flows: count of dce rpc flows over tcp
- discovered by appid
- * appid.dcerpc_udp_flows: count of dce rpc flows over udp
- discovered by appid
- * appid.direct_connect_flows: count of direct connect flows
- discovered by appid
- * appid.dns_tcp_flows: count of dns flows over tcp discovered by
- appid
- * appid.dns_udp_flows: count of dns flows over udp discovered by
- appid
- * appid.ftp_flows: count of ftp flows discovered by appid
- * appid.ftps_flows: count of ftps flows discovered by appid
- * appid.http_flows: count of http flows discovered by appid
- * appid.ignored packets: count of packets ignored by appid
- inspector
- * appid.imap_flows: count of imap service flows discovered by appid
- * appid.imaps_flows: count of imap TLS service flows discovered by
- appid
- * appid.irc_flows: count of irc service flows discovered by appid
- * appid.kerberos_clients: count of kerberos clients discovered by
- appid
- * appid.kerberos_flows: count of kerberos service flows discovered
- by appid
- * appid.kerberos_users: count of kerberos users discovered by appid
- * appid.lpr_flows: count of lpr service flows discovered by appid
- * appid.mdns_flows: count of mdns service flows discovered by appid
- * appid.msn_clients: count of msn clients discovered by appid
- * appid.mysql_flows: count of mysql service flows discovered by
- appid
- * appid.netbios_dgm_flows: count of netbios-dgm service flows
- discovered by appid
- * appid.netbios_ns_flows: count of netbios-ns service flows
- discovered by appid
- * appid.netbios_ssn_flows: count of netbios-ssn service flows
- discovered by appid
- * appid.nntp_flows: count of nntp flows discovered by appid
- * appid.ntp_flows: count of ntp flows discovered by appid
- * appid.packets: count of packets received by appid inspector
- * appid.pop_flows: count of pop service flows discovered by appid
- * appid.processed packets: count of packets processed by appid
- inspector
- * appid.radius_flows: count of radius flows discovered by appid
- * appid.rexec_flows: count of rexec flows discovered by appid
- * appid.rfb_flows: count of rfb flows discovered by appid
- * appid.rlogin_flows: count of rlogin flows discovered by appid
- * appid.rpc_flows: count of rpc flows discovered by appid
- * appid.rshell_flows: count of rshell flows discovered by appid
- * appid.rsync_flows: count of rsync service flows discovered by
- appid
- * appid.rtmp_flows: count of rtmp flows discovered by appid
- * appid.rtp_clients: count of rtp clients discovered by appid
- * appid.sip_clients: count of SIP clients discovered by appid
- * appid.sip_flows: count of SIP flows discovered by appid
- * appid.smtp_aol_clients: count of AOL smtp clients discovered by
- appid
- * appid.smtp_applemail_clients: count of Apple Mail smtp clients
- discovered by appid
- * appid.smtp_eudora_clients: count of Eudora smtp clients
- discovered by appid
- * appid.smtp_eudora_pro_clients: count of Eudora Pro smtp clients
- discovered by appid
- * appid.smtp_evolution_clients: count of Evolution smtp clients
- discovered by appid
- * appid.smtp_flows: count of smtp flows discovered by appid
- * appid.smtp_kmail_clients: count of KMail smtp clients discovered
- by appid
- * appid.smtp_lotus_notes_clients: count of Lotus Notes smtp clients
- discovered by appid
- * appid.smtp_microsoft_outlook_clients: count of Microsoft Outlook
- smtp clients discovered by appid
- * appid.smtp_microsoft_outlook_express_clients: count of Microsoft
- Outlook Express smtp clients discovered by appid
- * appid.smtp_microsoft_outlook_imo_clients: count of Microsoft
- Outlook IMO smtp clients discovered by appid
- * appid.smtp_mutt_clients: count of Mutt smtp clients discovered by
- appid
- * appid.smtps_flows: count of smtps flows discovered by appid
- * appid.smtp_thunderbird_clients: count of Thunderbird smtp clients
- discovered by appid
- * appid.snmp_flows: count of snmp flows discovered by appid
- * appid.ssh_clients: count of ssh clients discovered by appid
- * appid.ssh_flows: count of ssh flows discovered by appid
- * appid.ssl_flows: count of ssl flows discovered by appid
- * appid.telnet_flows: count of telnet flows discovered by appid
- * appid.tftp_flows: count of tftp flows discovered by appid
- * appid.timbuktu_flows: count of timbuktu flows discovered by appid
- * appid.tns_clients: count of tns clients discovered by appid
- * appid.tns_flows: count of tns flows discovered by appid
- * appid.vnc_clients: count of vnc clients discovered by appid
- * appid.yahoo_messenger_clients: count of Yahoo Messenger clients
- discovered by appid
+19.5. Counts
+
+--------------
+
+ * appid.aim clients: count of aim clients discovered
+ * appid.battlefield flows: count of battle field flows discovered
+ * appid.bgp flows: count of bgp flows discovered
+ * appid.bit clients: count of bittorrent clients discovered
+ * appid.bit flows: count of bittorrent flows discovered
+ * appid.bittracker clients: count of bittorrent tracker clients
+ discovered
+ * appid.bootp flows: count of bootp flows discovered
+ * appid.dcerpc tcp flows: count of dce rpc flows over tcp
+ discovered
+ * appid.dcerpc udp flows: count of dce rpc flows over udp
+ discovered
+ * appid.direct connect flows: count of direct connect flows
+ discovered
+ * appid.dns tcp flows: count of dns flows over tcp discovered
+ * appid.dns udp flows: count of dns flows over udp discovered
+ * appid.ftp flows: count of ftp flows discovered
+ * appid.ftps flows: count of ftps flows discovered
+ * appid.http flows: count of http flows discovered
+ * appid.ignored packets: count of packets ignored
+ * appid.imap flows: count of imap service flows discovered
+ * appid.imaps flows: count of imap TLS service flows discovered
+ * appid.irc flows: count of irc service flows discovered
+ * appid.kerberos clients: count of kerberos clients discovered
+ * appid.kerberos flows: count of kerberos service flows discovered
+ * appid.kerberos users: count of kerberos users discovered
+ * appid.lpr flows: count of lpr service flows discovered
+ * appid.mdns flows: count of mdns service flows discovered
+ * appid.msn clients: count of msn clients discovered
+ * appid.mysql flows: count of mysql service flows discovered
+ * appid.netbios dgm flows: count of netbios-dgm service flows
+ discovered
+ * appid.netbios ns flows: count of netbios-ns service flows
+ discovered
+ * appid.netbios ssn flows: count of netbios-ssn service flows
+ discovered
+ * appid.nntp flows: count of nntp flows discovered
+ * appid.ntp flows: count of ntp flows discovered
+ * appid.packets: count of packets received
+ * appid.pop flows: count of pop service flows discovered
+ * appid.processed packets: count of packets processed
+ * appid.radius flows: count of radius flows discovered
+ * appid.rexec flows: count of rexec flows discovered
+ * appid.rfb flows: count of rfb flows discovered
+ * appid.rlogin flows: count of rlogin flows discovered
+ * appid.rpc flows: count of rpc flows discovered
+ * appid.rshell flows: count of rshell flows discovered
+ * appid.rsync flows: count of rsync service flows discovered
+ * appid.rtmp flows: count of rtmp flows discovered
+ * appid.rtp clients: count of rtp clients discovered
+ * appid.sip clients: count of SIP clients discovered
+ * appid.sip flows: count of SIP flows discovered
+ * appid.smtp aol clients: count of AOL smtp clients discovered
+ * appid.smtp applemail clients: count of Apple Mail smtp clients
+ discovered
+ * appid.smtp eudora clients: count of Eudora smtp clients
+ discovered
+ * appid.smtp eudora pro clients: count of Eudora Pro smtp clients
+ discovered
+ * appid.smtp evolution clients: count of Evolution smtp clients
+ discovered
+ * appid.smtp flows: count of smtp flows discovered
+ * appid.smtp kmail clients: count of KMail smtp clients discovered
+ * appid.smtp lotus notes clients: count of Lotus Notes smtp clients
+ discovered
+ * appid.smtp microsoft outlook clients: count of Microsoft Outlook
+ smtp clients discovered
+ * appid.smtp microsoft outlook express clients: count of Microsoft
+ Outlook Express smtp clients discovered
+ * appid.smtp microsoft outlook imo clients: count of Microsoft
+ Outlook IMO smtp clients discovered
+ * appid.smtp mutt clients: count of Mutt smtp clients discovered
+ * appid.smtps flows: count of smtps flows discovered
+ * appid.smtp thunderbird clients: count of Thunderbird smtp clients
+ discovered
+ * appid.snmp flows: count of snmp flows discovered
+ * appid.ssh clients: count of ssh clients discovered
+ * appid.ssh flows: count of ssh flows discovered
+ * appid.ssl flows: count of ssl flows discovered
+ * appid.telnet flows: count of telnet flows discovered
+ * appid.tftp flows: count of tftp flows discovered
+ * appid.timbuktu flows: count of timbuktu flows discovered
+ * appid.tns clients: count of tns clients discovered
+ * appid.tns flows: count of tns flows discovered
+ * appid.vnc clients: count of vnc clients discovered
+ * appid.yahoo messenger clients: count of Yahoo Messenger clients
+ discovered
* arp_spoof.packets: total packets
* back_orifice.packets: total packets
* binder.allows: allow bindings
* daq.replace: total replace verdicts
* daq.skipped: packets skipped at startup
* daq.whitelist: total whitelist verdicts
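Review bot: the 19.5 Counts hunk renames the appid pegs from underscore form to space-separated names (`appid.aim_clients` becomes `appid.aim clients`, and so on down the list) and drops the `by appid` suffix from every description; if these are the strings printed in the statistics output, the rename breaks any tooling that parses them, so it needs an explicit release-note entry and confirmation that the old names are not still emitted anywhere. The pre-existing `appid.ignored packets` and `appid.processed packets` already used spaces, so the list is at least internally consistent after this change.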
- * dce_smb.aborted sessions: total aborted sessions
* dce_smb.Alter context responses: total connection-oriented alter
context responses
* dce_smb.Alter contexts: total connection-oriented alter contexts
* dce_smb.Auth3s: total connection-oriented auth3s
- * dce_smb.bad autodetects: total bad autodetects
* dce_smb.Bind acks: total connection-oriented binds acks
* dce_smb.Bind naks: total connection-oriented bind naks
* dce_smb.Binds: total connection-oriented binds
* dce_smb.SMBv2 tree disconnect: total number of SMBv2 tree
disconnect packets seen
* dce_smb.SMBv2 write: total number of SMBv2 write packets seen
- * dce_tcp.aborted sessions: total aborted sessions
* dce_tcp.Alter context responses: total connection-oriented alter
context responses
* dce_tcp.Alter contexts: total connection-oriented alter contexts
* dce_tcp.Auth3s: total connection-oriented auth3s
- * dce_tcp.bad autodetects: total bad autodetects
* dce_tcp.Bind acks: total connection-oriented binds acks
* dce_tcp.Bind naks: total connection-oriented bind naks
* dce_tcp.Binds: total connection-oriented binds
* dce_tcp.Shutdowns: total connection-oriented shutdowns
* dce_tcp.tcp packets: total tcp packets
* dce_tcp.tcp sessions: total tcp sessions
- * dce_udp.aborted sessions: total aborted sessions
* dce_udp.Acks: total connection-less acks
- * dce_udp.bad autodetects: total bad autodetects
* dce_udp.Cancel acks: total connection-less cancel acks
* dce_udp.Cancels: total connection-less cancels
* dce_udp.Client facks: total connection-less client facks
* dns.requests: total dns requests
* dns.responses: total dns responses
* file_connector.messages: total messages
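Review bot: the `aborted sessions` and `bad autodetects` counters deleted here for dce_smb, dce_tcp and dce_udp are the only counters removed from this listing, yet nothing in the Configuration Changes section below records that they are gone. If the inspectors no longer emit them, add a line there so anyone parsing the stats output knows to stop expecting those keys; if they were only dropped from the generated documentation, the listing should keep them.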
- * file_id.cache_failures: number of file cache add failures
- * file_id.total_file_data: number of file data bytes processed
- * file_id.total_files: number of files processed
+ * file_id.cache failures: number of file cache add failures
+ * file_id.total file data: number of file data bytes processed
+ * file_id.total files: number of files processed
* file_log.total events: total file events
* ftp_data.packets: total packets
* ftp_server.packets: total packets
* pop.uu decoded bytes: total uu decoded bytes
* port_scan_global.packets: total packets
* reputation.blacklisted: number of packets blacklisted
- * reputation.memory_allocated: total memory allocated
+ * reputation.memory allocated: total memory allocated
* reputation.monitored: number of packets monitored
* reputation.packets: total packets processed
* reputation.whitelisted: number of packets whitelisted
* wizard.user scans: user payload scans
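Review bot: renaming `file_id.cache_failures`, `file_id.total_file_data`, `file_id.total_files` and `reputation.memory_allocated` to space-separated names changes keys that appear in the stats output, so anything matching the old underscore names will silently stop matching. The rename does bring these four into line with the space-separated style every other counter in the list uses, but it is a user-visible change and deserves a line in the Configuration Changes section.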
-17.11. Generators
+19.6. Generators
--------------
* 145: dnp3
-17.12. Builtin Rules
+19.7. Builtin Rules
--------------
* 112:2 (arp_spoof) ethernet/ARP mismatch request for source
* 112:3 (arp_spoof) ethernet/ARP mismatch request for destination
* 112:4 (arp_spoof) attempted ARP cache overwrite attack
- * 116:1 (ipv4) Not IPv4 datagram
- * 116:2 (ipv4) hlen < minimum
- * 116:3 (ipv4) IP dgm len < IP Hdr len
- * 116:4 (ipv4) Ipv4 Options found with bad lengths
- * 116:5 (ipv4) Truncated Ipv4 Options
- * 116:6 (ipv4) IP dgm len > captured len
- * 116:45 (tcp) TCP packet len is smaller than 20 bytes
+ * 116:1 (ipv4) not IPv4 datagram
+ * 116:2 (ipv4) IPv4 header length < minimum
+ * 116:3 (ipv4) IPv4 datagram length < header field
+ * 116:4 (ipv4) IPv4 options found with bad lengths
+ * 116:5 (ipv4) truncated IPv4 options
+ * 116:6 (ipv4) IPv4 datagram length > captured length
+ * 116:45 (tcp) TCP packet length is smaller than 20 bytes
* 116:46 (tcp) TCP data offset is less than 5
* 116:47 (tcp) TCP header length exceeds packet length
* 116:54 (tcp) TCP options found with bad lengths
* 116:130 (vlan) bad VLAN frame
* 116:131 (vlan) bad LLC header
* 116:132 (vlan) bad extra LLC info
- * 116:150 (decode) bad traffic loopback IP
- * 116:151 (decode) bad traffic same src/dst IP
+ * 116:150 (decode) loopback IP
+ * 116:151 (decode) same src/dst IP
* 116:160 (gre) GRE header length > payload length
* 116:161 (gre) multiple encapsulations in packet
* 116:162 (gre) invalid GRE version
* 116:255 (icmp4) ICMP original IP fragmented and offset not 0
* 116:270 (ipv6) IPv6 packet below TTL limit
* 116:271 (ipv6) IPv6 header claims to not be IPv6
- * 116:272 (ipv6) IPV6 truncated extension header
- * 116:273 (ipv6) IPV6 truncated header
- * 116:274 (ipv6) IP dgm len < IP Hdr len
- * 116:275 (ipv6) IP dgm len > captured len
+ * 116:272 (ipv6) IPv6 truncated extension header
+ * 116:273 (ipv6) IPv6 truncated header
+ * 116:274 (ipv6) IPv6 datagram length < header field
+ * 116:275 (ipv6) IPv6 datagram length > captured length
* 116:276 (ipv6) IPv6 packet with destination address ::0
* 116:277 (ipv6) IPv6 packet with multicast source address
* 116:278 (ipv6) IPv6 packet with reserved multicast destination
* 116:400 (tcp) XMAS attack detected
* 116:401 (tcp) Nmap XMAS attack detected
* 116:402 (tcp) DOS NAPTHA vulnerability detected
- * 116:403 (tcp) bad traffic SYN to multicast address
- * 116:404 (ipv4) IPV4 packet with zero TTL
- * 116:405 (ipv4) IPV4 packet with bad frag bits (both MF and DF
+ * 116:403 (tcp) SYN to multicast address
+ * 116:404 (ipv4) IPv4 packet with zero TTL
+ * 116:405 (ipv4) IPv4 packet with bad frag bits (both MF and DF
set)
* 116:406 (udp) invalid IPv6 UDP packet, checksum zero
- * 116:407 (ipv4) IPV4 packet frag offset + length exceed maximum
- * 116:408 (ipv4) IPV4 packet from current net source address
- * 116:409 (ipv4) IPV4 packet to current net dest address
- * 116:410 (ipv4) IPV4 packet from multicast source address
- * 116:411 (ipv4) IPV4 packet from reserved source address
- * 116:412 (ipv4) IPV4 packet to reserved dest address
- * 116:413 (ipv4) IPV4 packet from broadcast source address
- * 116:414 (ipv4) IPV4 packet to broadcast dest address
+ * 116:407 (ipv4) IPv4 packet frag offset + length exceed maximum
+ * 116:408 (ipv4) IPv4 packet from current net source address
+ * 116:409 (ipv4) IPv4 packet to current net dest address
+ * 116:410 (ipv4) IPv4 packet from multicast source address
+ * 116:411 (ipv4) IPv4 packet from reserved source address
+ * 116:412 (ipv4) IPv4 packet to reserved dest address
+ * 116:413 (ipv4) IPv4 packet from broadcast source address
+ * 116:414 (ipv4) IPv4 packet to broadcast dest address
* 116:415 (icmp4) ICMP4 packet to multicast dest address
* 116:416 (icmp4) ICMP4 packet to broadcast dest address
* 116:418 (icmp4) ICMP4 type other
* 116:421 (tcp) TCP SYN with RST
* 116:422 (tcp) TCP PDU missing ack for established session
* 116:423 (tcp) TCP has no SYN, ACK, or RST
- * 116:424 (eth) truncated eth header
- * 116:425 (ipv4) truncated IP4 header
+ * 116:424 (eth) truncated ethernet header
+ * 116:425 (ipv4) truncated IPv4 header
* 116:426 (icmp4) truncated ICMP4 header
* 116:427 (icmp6) truncated ICMP6 header
- * 116:428 (ipv4) IPV4 packet below TTL limit
- * 116:429 (ipv6) IPV6 packet has zero hop limit
- * 116:430 (ipv4) IPV4 packet both DF and offset set
- * 116:431 (icmp6) ICMP6 type not decoded
- * 116:432 (icmp6) ICMP6 packet to multicast address
+ * 116:428 (ipv4) IPv4 packet below TTL limit
+ * 116:429 (ipv6) IPv6 packet has zero hop limit
+ * 116:430 (ipv4) IPv4 packet both DF and offset set
+ * 116:431 (icmp6) ICMPv6 type not decoded
+ * 116:432 (icmp6) ICMPv6 packet to multicast address
* 116:433 (tcp) DDOS shaft SYN flood
- * 116:434 (icmp4) ICMP ping NMAP
+ * 116:434 (icmp4) ICMP ping Nmap
* 116:435 (icmp4) ICMP icmpenum v1.1.1
* 116:436 (icmp4) ICMP redirect host
* 116:437 (icmp4) ICMP redirect net
destination host is administratively prohibited
* 116:443 (icmp4) ICMP destination unreachable communication with
destination network is administratively prohibited
- * 116:444 (ipv4) MISC IP option set
- * 116:445 (udp) misc large UDP Packet
- * 116:446 (tcp) BAD-TRAFFIC TCP port 0 traffic
- * 116:447 (udp) BAD-TRAFFIC UDP port 0 traffic
- * 116:448 (ipv4) BAD-TRAFFIC IP reserved bit set
- * 116:449 (decode) BAD-TRAFFIC unassigned/reserved IP protocol
- * 116:450 (decode) BAD-TRAFFIC bad IP protocol
+ * 116:444 (ipv4) IPv4 option set
+ * 116:445 (udp) large UDP packet (> 4000 bytes)
+ * 116:446 (tcp) TCP port 0 traffic
+ * 116:447 (udp) UDP port 0 traffic
+ * 116:448 (ipv4) IPv4 reserved bit set
+ * 116:449 (decode) unassigned/reserved IP protocol
+ * 116:450 (decode) bad IP protocol
* 116:451 (icmp4) ICMP path MTU denial of service attempt
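Review bot: the new text for 116:445 embeds the threshold `(> 4000 bytes)` in the rule message; if that limit lives in the UDP decoder rather than being fixed, the documented message will go stale the moment it changes, so either drop the number or confirm it is exactly the value the decoder alerts on. Stripping the legacy BAD-TRAFFIC/MISC prefixes from 116:444 through 116:450 is fine.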
- * 116:452 (icmp4) BAD-TRAFFIC Linux ICMP header DOS attempt
- * 116:453 (ipv6) BAD-TRAFFIC ISATAP-addressed IPv6 traffic spoofing
- attempt
- * 116:454 (pgm) BAD-TRAFFIC PGM nak list overflow attempt
+ * 116:452 (icmp4) Linux ICMP header DOS attempt
+ * 116:453 (ipv6) ISATAP-addressed IPv6 traffic spoofing attempt
+ * 116:454 (pgm) PGM nak list overflow attempt
* 116:455 (igmp) DOS IGMP IP options validation attempt
- * 116:456 (ipv6) too many IP6 extension headers
+ * 116:456 (ipv6) too many IPv6 extension headers
* 116:457 (icmp6) ICMPv6 packet of type 1 (destination unreachable)
with non-RFC 4443 code
* 116:458 (ipv6) bogus fragmentation packet, possible BSD attack
* 116:459 (decode) fragment with zero length
* 116:460 (icmp6) ICMPv6 node info query/response packet with a
code greater than 2
- * 116:461 (ipv6) IPV6 routing type 0 extension header
+ * 116:461 (ipv6) IPv6 routing type 0 extension header
* 116:462 (erspan2) ERSpan header version mismatch
- * 116:463 (erspan2) captured < ERSpan type2 header length
+ * 116:463 (erspan2) captured length < ERSpan type2 header length
* 116:464 (erspan3) captured < ERSpan type3 header length
* 116:465 (auth) truncated authentication header
* 116:466 (auth) bad authentication header length
* 119:49 (http_inspect) PDF file unsupported compression type
* 119:50 (http_inspect) PDF file cascaded compression
* 119:51 (http_inspect) PDF file parse failure
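Review bot: 116:463 now reads `captured length < ERSpan type2 header length`, but the unchanged 116:464 line directly below it still reads `captured < ERSpan type3 header length`; apply the same wording to the type3 message so the two erspan rules stay parallel.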
- * 119:52 (http_inspect) Not HTTP traffic
- * 119:53 (http_inspect) Chunk length has excessive leading zeros
- * 119:54 (http_inspect) White space before or between messages
- * 119:55 (http_inspect) Request message without URI
- * 119:56 (http_inspect) Control character in reason phrase
- * 119:57 (http_inspect) Illegal extra whitespace in start line
- * 119:58 (http_inspect) Corrupted HTTP version
- * 119:59 (http_inspect) Unknown HTTP version
- * 119:60 (http_inspect) Format error in HTTP header
- * 119:61 (http_inspect) Chunk header options present
+ * 119:52 (http_inspect) not HTTP traffic
+ * 119:53 (http_inspect) chunk length has excessive leading zeros
+ * 119:54 (http_inspect) white space before or between messages
+ * 119:55 (http_inspect) request message without URI
+ * 119:56 (http_inspect) control character in reason phrase
+ * 119:57 (http_inspect) illegal extra whitespace in start line
+ * 119:58 (http_inspect) corrupted HTTP version
+ * 119:59 (http_inspect) unknown HTTP version
+ * 119:60 (http_inspect) format error in HTTP header
+ * 119:61 (http_inspect) chunk header options present
* 119:62 (http_inspect) URI badly formatted
- * 119:63 (http_inspect) Unrecognized type of percent encoding in
+ * 119:63 (http_inspect) unrecognized type of percent encoding in
URI
* 119:64 (http_inspect) HTTP chunk misformatted
- * 119:65 (http_inspect) White space following chunk length
- * 119:66 (http_inspect) White space within header name
- * 119:67 (http_inspect) Excessive gzip compression
- * 119:68 (http_inspect) Gzip decompression failed
+ * 119:65 (http_inspect) white space following chunk length
+ * 119:66 (http_inspect) white space within header name
+ * 119:67 (http_inspect) excessive gzip compression
+ * 119:68 (http_inspect) gzip decompression failed
* 119:69 (http_inspect) HTTP 0.9 requested followed by another
request
* 119:70 (http_inspect) HTTP 0.9 request following a normal request
- * 119:71 (http_inspect) Message has both Content-Length and
+ * 119:71 (http_inspect) message has both Content-Length and
Transfer-Encoding
- * 119:72 (http_inspect) Status code implying no body combined with
+ * 119:72 (http_inspect) status code implying no body combined with
Transfer-Encoding or nonzero Content-Length
* 119:73 (http_inspect) Transfer-Encoding did not end with chunked
* 119:74 (http_inspect) Transfer-Encoding with chunked not at end
- * 119:75 (http_inspect) Misformatted HTTP traffic
- * 119:76 (http_inspect) Unsupported Transfer-Encoding or
+ * 119:75 (http_inspect) misformatted HTTP traffic
+ * 119:76 (http_inspect) unsupported Transfer-Encoding or
Content-Encoding used
- * 119:77 (http_inspect) Unknown Transfer-Encoding or
+ * 119:77 (http_inspect) unknown Transfer-Encoding or
Content-Encoding used
- * 119:78 (http_inspect) Multiple layers of compression encodings
+ * 119:78 (http_inspect) multiple layers of compression encodings
applied
* 122:1 (port_scan) TCP portscan
* 122:2 (port_scan) TCP decoy portscan
using for reassembly
* 123:12 (stream_ip) excessive fragment overlap
* 123:13 (stream_ip) tiny fragment
- * 124:1 (smtp) Attempted command buffer overflow
- * 124:2 (smtp) Attempted data header buffer overflow
- * 124:3 (smtp) Attempted response buffer overflow
- * 124:4 (smtp) Attempted specific command buffer overflow
- * 124:5 (smtp) Unknown command
- * 124:6 (smtp) Illegal command
- * 124:7 (smtp) Attempted header name buffer overflow
- * 124:8 (smtp) Attempted X-Link2State command buffer overflow
- * 124:10 (smtp) Base64 Decoding failed
- * 124:11 (smtp) Quoted-Printable Decoding failed
- * 124:13 (smtp) Unix-to-Unix Decoding failed
+ * 124:1 (smtp) attempted command buffer overflow
+ * 124:2 (smtp) attempted data header buffer overflow
+ * 124:3 (smtp) attempted response buffer overflow
+ * 124:4 (smtp) attempted specific command buffer overflow
+ * 124:5 (smtp) unknown command
+ * 124:6 (smtp) illegal command
+ * 124:7 (smtp) attempted header name buffer overflow
+ * 124:8 (smtp) attempted X-Link2State command buffer overflow
+ * 124:10 (smtp) base64 decoding failed
+ * 124:11 (smtp) quoted-printable decoding failed
+ * 124:13 (smtp) Unix-to-Unix decoding failed
* 124:14 (smtp) Cyrus SASL authentication attack
- * 124:15 (smtp) Attempted authentication command buffer overflow
+ * 124:15 (smtp) attempted authentication command buffer overflow
* 125:1 (ftp_server) TELNET cmd on FTP command channel
* 125:2 (ftp_server) invalid FTP command
* 125:3 (ftp_server) FTP command parameters were too long
* 126:2 (telnet) telnet traffic encrypted
* 126:3 (telnet) telnet subnegotiation begin command without
subnegotiation end
- * 128:1 (ssh) Challenge-Response Overflow exploit
+ * 128:1 (ssh) challenge-response overflow exploit
* 128:2 (ssh) SSH1 CRC32 exploit
- * 128:3 (ssh) Server version string overflow
- * 128:5 (ssh) Bad message direction
- * 128:6 (ssh) Payload size incorrect for the given payload
- * 128:7 (ssh) Failed to detect SSH version string
+ * 128:3 (ssh) server version string overflow
+ * 128:5 (ssh) bad message direction
+ * 128:6 (ssh) payload size incorrect for the given payload
+ * 128:7 (ssh) failed to detect SSH version string
* 129:1 (stream_tcp) SYN on established session
* 129:2 (stream_tcp) data on SYN packet
* 129:3 (stream_tcp) data sent on stream not accepting data
* 129:4 (stream_tcp) TCP timestamp is outside of PAWS window
- * 129:5 (stream_tcp) bad segment, adjusted size ⇐ 0
+ * 129:5 (stream_tcp) bad segment, adjusted size ⇐ 0 (deprecated)
* 129:6 (stream_tcp) window size (after scaling) larger than policy
allows
* 129:7 (stream_tcp) limit on number of overlapping TCP packets
reached
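Review bot: the 129:5 message shows `⇐` where the rule text is `<=`; AsciiDoc rewrites a literal `<=` into that arrow glyph, so the operator should be escaped (`\<=`) or spelled out (`adjusted size less than or equal to 0`) so the manual matches what the alert actually prints. Tagging the message `(deprecated)` is fine, but the document should also say somewhere in prose why the rule is deprecated rather than leaving it only in the message string.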
- * 129:8 (stream_tcp) data sent on stream after TCP Reset sent
+ * 129:8 (stream_tcp) data sent on stream after TCP reset sent
* 129:9 (stream_tcp) TCP client possibly hijacked, different
ethernet address
- * 129:10 (stream_tcp) TCP Server possibly hijacked, different
+ * 129:10 (stream_tcp) TCP server possibly hijacked, different
ethernet address
* 129:11 (stream_tcp) TCP data with no TCP flags set
* 129:12 (stream_tcp) consecutive TCP small segments exceeding
* 129:15 (stream_tcp) reset outside window
* 129:16 (stream_tcp) FIN number is greater than prior FIN
* 129:17 (stream_tcp) ACK number is greater than prior FIN
- * 129:18 (stream_tcp) data sent on stream after TCP Reset received
+ * 129:18 (stream_tcp) data sent on stream after TCP reset received
* 129:19 (stream_tcp) TCP window closed before receiving data
* 129:20 (stream_tcp) TCP session without 3-way handshake
- * 131:1 (dns) Obsolete DNS RR Types
- * 131:2 (dns) Experimental DNS RR Types
- * 131:3 (dns) DNS Client rdata txt Overflow
- * 133:2 (dce_smb) SMB - Bad NetBIOS Session Service session type.
- * 133:3 (dce_smb) SMB - Bad SMB message type.
- * 133:4 (dce_smb) SMB - Bad SMB Id (not \xffSMB for SMB1 or not \
- xfeSMB for SMB2).
- * 133:5 (dce_smb) SMB - Bad word count or structure size.
- * 133:6 (dce_smb) SMB - Bad byte count.
- * 133:7 (dce_smb) SMB - Bad format type.
- * 133:8 (dce_smb) SMB - Bad offset.
- * 133:9 (dce_smb) SMB - Zero total data count.
+ * 131:1 (dns) obsolete DNS RR types
+ * 131:2 (dns) experimental DNS RR types
+ * 131:3 (dns) DNS client rdata txt overflow
+ * 133:2 (dce_smb) SMB - bad NetBIOS session service session type
+ * 133:3 (dce_smb) SMB - bad SMB message type
+ * 133:4 (dce_smb) SMB - bad SMB Id (not \xffSMB for SMB1 or not \
+ xfeSMB for SMB2)
+ * 133:5 (dce_smb) SMB - bad word count or structure size
+ * 133:6 (dce_smb) SMB - bad byte count
+ * 133:7 (dce_smb) SMB - bad format type
+ * 133:8 (dce_smb) SMB - bad offset
+ * 133:9 (dce_smb) SMB - zero total data count
* 133:10 (dce_smb) SMB - NetBIOS data length less than SMB header
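Review bot: in the 133:4 message the line wrap splits `\xfeSMB` into a bare `\` at the end of one line and `xfeSMB` at the start of the next, so the rendered text shows a stray backslash; keep `\xffSMB` and `\xfeSMB` each on one line (wrap before `not` instead) so the byte escapes read as they appear in the rule.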
- length.
- * 133:12 (dce_smb) SMB - Remaining NetBIOS data length less than
- command byte count.
- * 133:13 (dce_smb) SMB - Remaining NetBIOS data length less than
- command data size.
- * 133:14 (dce_smb) SMB - Remaining total data count less than this
- command data size.
- * 133:15 (dce_smb) SMB - Total data sent (STDu64) greater than
- command total data expected.
- * 133:16 (dce_smb) SMB - Byte count less than command data size
+ length
+ * 133:12 (dce_smb) SMB - remaining NetBIOS data length less than
+ command byte count
+ * 133:13 (dce_smb) SMB - remaining NetBIOS data length less than
+ command data size
+ * 133:14 (dce_smb) SMB - remaining total data count less than this
+ command data size
+ * 133:15 (dce_smb) SMB - total data sent (STDu64) greater than
+ command total data expected
+ * 133:16 (dce_smb) SMB - byte count less than command data size
(STDu64)
- * 133:17 (dce_smb) SMB - Invalid command data size for byte count.
- * 133:18 (dce_smb) SMB - Excessive Tree Connect requests with
- pending Tree Connect responses.
- * 133:19 (dce_smb) SMB - Excessive Read requests with pending Read
- responses.
- * 133:20 (dce_smb) SMB - Excessive command chaining.
- * 133:21 (dce_smb) SMB - Multiple chained tree connect requests.
- * 133:22 (dce_smb) SMB - Multiple chained tree connect requests.
- * 133:23 (dce_smb) SMB - Chained/Compounded login followed by
- logoff.
- * 133:24 (dce_smb) SMB - Chained/Compounded tree connect followed
- by tree disconnect.
- * 133:25 (dce_smb) SMB - Chained/Compounded open pipe followed by
- close pipe.
- * 133:26 (dce_smb) SMB - Invalid share access.
- * 133:27 (dce_smb) Connection oriented DCE/RPC - Invalid major
- version.
- * 133:27 (dce_tcp) Connection oriented DCE/RPC - Invalid major
- version.
- * 133:28 (dce_smb) Connection oriented DCE/RPC - Invalid minor
- version.
- * 133:28 (dce_tcp) Connection oriented DCE/RPC - Invalid minor
- version.
- * 133:29 (dce_smb) Connection-oriented DCE/RPC - Invalid pdu type.
- * 133:29 (dce_tcp) Connection-oriented DCE/RPC - Invalid pdu type.
- * 133:30 (dce_smb) Connection-oriented DCE/RPC - Fragment length
- less than header size.
- * 133:30 (dce_tcp) Connection-oriented DCE/RPC - Fragment length
- less than header size.
- * 133:32 (dce_smb) Connection-oriented DCE/RPC - No context items
- specified.
- * 133:32 (dce_tcp) Connection-oriented DCE/RPC - No context items
- specified.
- * 133:33 (dce_smb) Connection-oriented DCE/RPC -No transfer
- syntaxes specified.
- * 133:33 (dce_tcp) Connection-oriented DCE/RPC -No transfer
- syntaxes specified.
- * 133:34 (dce_smb) Connection-oriented DCE/RPC - Fragment length on
+ * 133:17 (dce_smb) SMB - invalid command data size for byte count
+ * 133:18 (dce_smb) SMB - excessive tree connect requests with
+ pending tree connect responses
+ * 133:19 (dce_smb) SMB - excessive read requests with pending read
+ responses
+ * 133:20 (dce_smb) SMB - excessive command chaining
+ * 133:21 (dce_smb) SMB - multiple chained tree connect requests
+ * 133:22 (dce_smb) SMB - multiple chained tree connect requests
+ * 133:23 (dce_smb) SMB - chained/compounded login followed by
+ logoff
+ * 133:24 (dce_smb) SMB - chained/compounded tree connect followed
+ by tree disconnect
+ * 133:25 (dce_smb) SMB - chained/compounded open pipe followed by
+ close pipe
+ * 133:26 (dce_smb) SMB - invalid share access
+ * 133:27 (dce_smb) connection oriented DCE/RPC - invalid major
+ version
+ * 133:27 (dce_tcp) connection oriented DCE/RPC - invalid major
+ version
+ * 133:28 (dce_smb) connection oriented DCE/RPC - invalid minor
+ version
+ * 133:28 (dce_tcp) connection oriented DCE/RPC - invalid minor
+ version
+ * 133:29 (dce_smb) connection-oriented DCE/RPC - invalid PDU type
+ * 133:29 (dce_tcp) connection-oriented DCE/RPC - invalid PDU type
+ * 133:30 (dce_smb) connection-oriented DCE/RPC - fragment length
+ less than header size
+ * 133:30 (dce_tcp) connection-oriented DCE/RPC - fragment length
+ less than header size
+ * 133:32 (dce_smb) connection-oriented DCE/RPC - no context items
+ specified
+ * 133:32 (dce_tcp) connection-oriented DCE/RPC - no context items
+ specified
+ * 133:33 (dce_smb) connection-oriented DCE/RPC -no transfer
+ syntaxes specified
+ * 133:33 (dce_tcp) connection-oriented DCE/RPC -no transfer
+ syntaxes specified
+ * 133:34 (dce_smb) connection-oriented DCE/RPC - fragment length on
non-last fragment less than maximum negotiated fragment transmit
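Review bot: 133:21 and 133:22 now carry the identical message `multiple chained tree connect requests`, which makes the two SIDs indistinguishable in the listing; check 133:22 against the source and give it its own text. Also, 133:33 for both dce_smb and dce_tcp still reads `DCE/RPC -no transfer syntaxes specified`, missing the space after the dash that every neighbouring entry has.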
- size for client.
- * 133:34 (dce_tcp) Connection-oriented DCE/RPC - Fragment length on
+ size for client
+ * 133:34 (dce_tcp) connection-oriented DCE/RPC - fragment length on
non-last fragment less than maximum negotiated fragment transmit
- size for client.
- * 133:35 (dce_smb) Connection-oriented DCE/RPC - Fragment length
- greater than maximum negotiated fragment transmit size.
- * 133:35 (dce_tcp) Connection-oriented DCE/RPC - Fragment length
- greater than maximum negotiated fragment transmit size.
- * 133:36 (dce_smb) Connection-oriented DCE/RPC - Alter Context byte
- order different from Bind
- * 133:36 (dce_tcp) Connection-oriented DCE/RPC - Alter Context byte
- order different from Bind
- * 133:37 (dce_smb) Connection-oriented DCE/RPC - Call id of non
+ size for client
+ * 133:35 (dce_smb) connection-oriented DCE/RPC - fragment length
+ greater than maximum negotiated fragment transmit size
+ * 133:35 (dce_tcp) connection-oriented DCE/RPC - fragment length
+ greater than maximum negotiated fragment transmit size
+ * 133:36 (dce_smb) connection-oriented DCE/RPC - alter context byte
+ order different from bind
+ * 133:36 (dce_tcp) connection-oriented DCE/RPC - alter context byte
+ order different from bind
+ * 133:37 (dce_smb) connection-oriented DCE/RPC - call id of non
first/last fragment different from call id established for
- fragmented request.
- * 133:37 (dce_tcp) Connection-oriented DCE/RPC - Call id of non
+ fragmented request
+ * 133:37 (dce_tcp) connection-oriented DCE/RPC - call id of non
first/last fragment different from call id established for
- fragmented request.
- * 133:38 (dce_smb) Connection-oriented DCE/RPC - Opnum of non first
+ fragmented request
+ * 133:38 (dce_smb) connection-oriented DCE/RPC - opnum of non first
/last fragment different from opnum established for fragmented
- request.
- * 133:38 (dce_tcp) Connection-oriented DCE/RPC - Opnum of non first
+ request
+ * 133:38 (dce_tcp) connection-oriented DCE/RPC - opnum of non first
/last fragment different from opnum established for fragmented
- request.
- * 133:39 (dce_smb) Connection-oriented DCE/RPC - Context id of non
+ request
+ * 133:39 (dce_smb) connection-oriented DCE/RPC - context id of non
first/last fragment different from context id established for
- fragmented request.
- * 133:39 (dce_tcp) Connection-oriented DCE/RPC - Context id of non
+ fragmented request
+ * 133:39 (dce_tcp) connection-oriented DCE/RPC - context id of non
first/last fragment different from context id established for
- fragmented request.
- * 133:40 (dce_udp) Connection-less DCE/RPC - Invalid major version.
- * 133:41 (dce_udp) Connection-less DCE/RPC - Invalid pdu type.
- * 133:42 (dce_udp) Connection-less DCE/RPC - Data length less than
- header size.
- * 133:43 (dce_udp) Connection-less DCE/RPC - Bad sequence number.
- * 133:44 (dce_smb) SMB - Invalid SMB version 1 seen.
- * 133:45 (dce_smb) SMB - Invalid SMB version 2 seen.
- * 133:46 (dce_smb) SMB - Invalid user, tree connect, file binding.
- * 133:47 (dce_smb) SMB - Excessive command compounding.
- * 133:48 (dce_smb) SMB - Zero data count.
- * 133:50 (dce_smb) SMB - Maximum number of outstanding requests
- exceeded.
- * 133:51 (dce_smb) SMB - Outstanding requests with same MID.
- * 133:52 (dce_smb) SMB - Deprecated dialect negotiated.
- * 133:53 (dce_smb) SMB - Deprecated command used.
- * 133:54 (dce_smb) SMB - Unusual command used.
- * 133:55 (dce_smb) SMB - Invalid setup count for command.
- * 133:56 (dce_smb) SMB - Client attempted multiple dialect
- negotiations on session.
- * 133:57 (dce_smb) SMB - Client attempted to create or set a file’s
- attributes to readonly/hidden/system.
- * 133:58 (dce_smb) SMB - File offset provided is greater than file
+ fragmented request
+ * 133:40 (dce_udp) connection-less DCE/RPC - invalid major version
+ * 133:41 (dce_udp) connection-less DCE/RPC - invalid PDU type
+ * 133:42 (dce_udp) connection-less DCE/RPC - data length less than
+ header size
+ * 133:43 (dce_udp) connection-less DCE/RPC - bad sequence number
+ * 133:44 (dce_smb) SMB - invalid SMB version 1 seen
+ * 133:45 (dce_smb) SMB - invalid SMB version 2 seen
+ * 133:46 (dce_smb) SMB - invalid user, tree connect, file binding
+ * 133:47 (dce_smb) SMB - excessive command compounding
+ * 133:48 (dce_smb) SMB - zero data count
+ * 133:50 (dce_smb) SMB - maximum number of outstanding requests
+ exceeded
+ * 133:51 (dce_smb) SMB - outstanding requests with same MID
+ * 133:52 (dce_smb) SMB - deprecated dialect negotiated
+ * 133:53 (dce_smb) SMB - deprecated command used
+ * 133:54 (dce_smb) SMB - unusual command used
+ * 133:55 (dce_smb) SMB - invalid setup count for command
+ * 133:56 (dce_smb) SMB - client attempted multiple dialect
+ negotiations on session
+ * 133:57 (dce_smb) SMB - client attempted to create or set a file’s
+ attributes to readonly/hidden/system
+ * 133:58 (dce_smb) SMB - file offset provided is greater than file
size specified
- * 133:59 (dce_smb) SMB - Next command specified in SMB2 header is
+ * 133:59 (dce_smb) SMB - next command specified in SMB2 header is
beyond payload boundary
* 134:1 (latency) rule tree suspended due to latency
* 134:2 (latency) rule tree re-enabled after suspend timeout
* 134:3 (latency) packet fastpathed due to latency
* 136:1 (reputation) packets blacklisted
- * 136:2 (reputation) Packets whitelisted
- * 136:3 (reputation) Packets monitored
- * 137:1 (ssl) Invalid Client HELLO after Server HELLO Detected
- * 137:2 (ssl) Invalid Server HELLO without Client HELLO Detected
- * 137:3 (ssl) Heartbeat Read Overrun Attempt Detected
- * 137:4 (ssl) Large Heartbeat Response Detected
- * 140:1 (sip) Maximum sessions reached
- * 140:2 (sip) Empty request URI
+ * 136:2 (reputation) packets whitelisted
+ * 136:3 (reputation) packets monitored
+ * 137:1 (ssl) invalid client HELLO after server HELLO detected
+ * 137:2 (ssl) invalid server HELLO without client HELLO detected
+ * 137:3 (ssl) heartbeat read overrun attempt detected
+ * 137:4 (ssl) large heartbeat response detected
+ * 140:1 (sip) maximum sessions reached
+ * 140:2 (sip) empty request URI
* 140:3 (sip) URI is too long
- * 140:4 (sip) Empty call-Id
+ * 140:4 (sip) empty call-Id
* 140:5 (sip) Call-Id is too long
* 140:6 (sip) CSeq number is too large or negative
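Review bot: lowercasing 140:4 turned the header name into `call-Id`, while the unchanged 140:5 right below keeps `Call-Id`; header names should keep their canonical capitalization, so this should be `empty Call-Id`.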
- * 140:7 (sip) Request name in CSeq is too long
- * 140:8 (sip) Empty From header
+ * 140:7 (sip) request name in CSeq is too long
+ * 140:8 (sip) empty From header
* 140:9 (sip) From header is too long
- * 140:10 (sip) Empty To header
+ * 140:10 (sip) empty To header
* 140:11 (sip) To header is too long
- * 140:12 (sip) Empty Via header
+ * 140:12 (sip) empty Via header
* 140:13 (sip) Via header is too long
- * 140:14 (sip) Empty Contact
- * 140:15 (sip) Contact is too long
- * 140:16 (sip) Content length is too large or negative
- * 140:17 (sip) Multiple SIP messages in a packet
- * 140:18 (sip) Content length mismatch
- * 140:19 (sip) Request name is invalid
+ * 140:14 (sip) empty Contact
+ * 140:15 (sip) contact is too long
+ * 140:16 (sip) content length is too large or negative
+ * 140:17 (sip) multiple SIP messages in a packet
+ * 140:18 (sip) content length mismatch
+ * 140:19 (sip) request name is invalid
* 140:20 (sip) Invite replay attack
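Review bot: 140:14 keeps `empty Contact` but 140:15 was lowercased to `contact is too long`; since `Contact` is a SIP header name (as with From, To and Via in 140:8 through 140:13, which all keep their capitals), 140:15 should remain `Contact is too long`.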
- * 140:21 (sip) Illegal session information modification
- * 140:22 (sip) Response status code is not a 3 digit number
- * 140:23 (sip) Empty Content-type header
+ * 140:21 (sip) illegal session information modification
+ * 140:22 (sip) response status code is not a 3 digit number
+ * 140:23 (sip) empty Content-type header
* 140:24 (sip) SIP version is invalid
- * 140:25 (sip) Mismatch in METHOD of request and the CSEQ header
- * 140:26 (sip) Method is unknown
- * 140:27 (sip) Maximum dialogs within a session reached
- * 141:1 (imap) Unknown IMAP3 command
- * 141:2 (imap) Unknown IMAP3 response
- * 141:4 (imap) Base64 Decoding failed.
- * 141:5 (imap) Quoted-Printable Decoding failed.
- * 141:7 (imap) Unix-to-Unix Decoding failed.
- * 142:1 (pop) Unknown POP3 command
- * 142:2 (pop) Unknown POP3 response
- * 142:4 (pop) Base64 Decoding failed.
- * 142:5 (pop) Quoted-Printable Decoding failed.
- * 142:7 (pop) Unix-to-Unix Decoding failed.
+ * 140:25 (sip) mismatch in METHOD of request and the CSEQ header
+ * 140:26 (sip) method is unknown
+ * 140:27 (sip) maximum dialogs within a session reached
+ * 141:1 (imap) unknown IMAP3 command
+ * 141:2 (imap) unknown IMAP3 response
+ * 141:4 (imap) base64 decoding failed
+ * 141:5 (imap) quoted-printable decoding failed
+ * 141:7 (imap) Unix-to-Unix decoding failed
+ * 142:1 (pop) unknown POP3 command
+ * 142:2 (pop) unknown POP3 response
+ * 142:4 (pop) base64 decoding failed
+ * 142:5 (pop) quoted-printable decoding failed
+ * 142:7 (pop) Unix-to-Unix decoding failed
* 143:1 (gtp_inspect) message length is invalid
* 143:2 (gtp_inspect) information element length is invalid
* 143:3 (gtp_inspect) information elements are out of order
* 144:1 (modbus) length in Modbus MBAP header does not match the
length needed for the given function
* 144:2 (modbus) Modbus protocol ID is non-zero
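Review bot: 140:25 writes the header as `CSEQ` while 140:6 and 140:7 above use `CSeq`; pick one spelling (`CSeq` is the RFC 3261 header name) so the SIP messages are consistent with each other.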
- * 144:3 (modbus) Reserved Modbus function code in use
- * 145:1 (dnp3) DNP3 Link-Layer Frame contains bad CRC.
- * 145:2 (dnp3) DNP3 Link-Layer Frame was dropped.
- * 145:3 (dnp3) DNP3 Transport-Layer Segment was dropped during
- reassembly.
- * 145:4 (dnp3) DNP3 Reassembly Buffer was cleared without
- reassembling a complete message.
- * 145:5 (dnp3) DNP3 Link-Layer Frame uses a reserved address.
- * 145:6 (dnp3) DNP3 Application-Layer Fragment uses a reserved
- function code.
+ * 144:3 (modbus) reserved Modbus function code in use
+ * 145:1 (dnp3) DNP3 link-layer frame contains bad CRC
+ * 145:2 (dnp3) DNP3 link-layer frame was dropped
+ * 145:3 (dnp3) DNP3 transport-layer segment was dropped during
+ reassembly
+ * 145:4 (dnp3) DNP3 reassembly buffer was cleared without
+ reassembling a complete message
+ * 145:5 (dnp3) DNP3 link-layer frame uses a reserved address
+ * 145:6 (dnp3) DNP3 application-layer fragment uses a reserved
+ function code
-17.13. Command Set
+19.8. Command Set
--------------
* snort.show_plugins(): show available plugins
-17.14. Signals
+19.9. Signals
--------------
* term(15): shutdown normally
-17.15. Configuration Changes
+19.10. Configuration Changes
--------------
deleted -> unified2: 'filename'
-17.16. Module Listing
+19.11. Module Listing
--------------
* vlan (codec): support for local area network
* window (ips_option): rule option to check TCP window field
* wizard (inspector): inspector that implements port-independent
- protocol identification :leveloffset: 0
+ protocol identification
+
-17.16.1. Plugin Listing
+19.12. Plugin Listing
+
+--------------
* codec::arp: support for address resolution protocol
* codec::auth: support for IP authentication header
* search_engine::hyperscan: intel hyperscan-based mpse with regex
support
+
+19.13. Bugs
+
+--------------
+
+19.13.1. Build
+
+ * Enabling large pcap may erroneously affect the number of packets
+ processed from pcaps.
+ * Enabling debug messages may erroneously affect the number of
+ packets processed from pcaps.
+ * g++ 4.9.2 with -O3 reports:
+
+ src/service_inspectors/back_orifice/back_orifice.cc:231:25: warning:
+ iteration 930u invokes undefined behavior [-Waggressive-loop-optimizations]
+
+ * Building with clang and autotools on Linux will show the
+ following warning many times. Please ignore.
+
+ clang: warning: argument unused during compilation: '-pthread'
+
+19.13.2. Config
+
+ * Parsing issue with IP lists. can’t parse rules with $EXTERNAL_NET
+ defined as below because of the space between ! and 10.
+
+ HOME_NET = [[ 10.0.17.0/24 10.0.14.0/24 10.247.0.0/16 10.246.0.0/16 ]]
+ EXTERNAL_NET = '! ' .. HOME_NET
+
+ * Multiple versions of luajit scripts are not handled correctly.
+ The first loaded version will always be executed even though
+ plugin manager saves the correct version.
+ * When using -c and -L together, the last on the command line wins
+ (-c -L will dump; -L -c will analyze).
+ * Modules instantiated by command line only will not get default
+ settings unless hard-coded. This notably applies to -A and -L
+ options.
+ * --lua can only be used in addition to, not in place of, a -c
+ config. Ideally, --lua could be used in lieu of -c.
+
+19.13.3. Rules
+
+ * metdata:service foo; metadata:service foo; won’t cause a
+ duplicate service warning as does metadata:service foo, service
+ foo;
+ * ip_proto doesn’t work properly with reassembled packets so it
+ can’t be used to restrict the protocol of service rules.
+
+19.13.4. snort2lua
+
+ * uricontent:"foo"; content:"bar"; → http_uri; content:"foo";
+ content:"bar"; (missing pkt_data)
+ * stream_tcp ports and protocols both go into a single binder.when;
+ this is incorrect as the when fields are logically anded together
+ (ie must all be true). Should create 2 separate bindings.
+ * There is a bug in pps_stream_tcp.cc.. when stream_tcp: is
+ specified without any arguments, snort2lua doesn’t convert it.
+ Same for stream_udp.
+ * Loses the ip list delimiters [ ]; change to ( )
+
+ in snort.conf: var HOME_NET [A,B,C]
+ in snort.lua: HOME_NET = [[A B C]]
+
+ * Won’t convert packet rules (alert tcp etc.) to service rules
+ (alert http etc.).
+ * alert_fast and alert_full: output configuration includes "file =
+ foo.bar", but file is a bool and you cannot specify an output
+ file name in the configuration.
+ * preprocessor ports option: ports <number> not supported.
+
+19.13.5. Runtime
+
+ * -B <mask> feature does not work. It does ordinary IP address
+ obfuscation instead of using the mask.
+ * Obfuscation does not work for csv format.
+ * The hext DAQ will append a newline to text lines (starting with "
+ ).
+ * The hext DAQ does not support embedded quotes in text lines (use
+ hex lines as a workaround).
+ * stream_tcp alert squash mechanism incorrectly squashes alerts for
+ different TCP packets.
+
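Review bot: typos in the new Bugs section: `metdata:service foo;` in 19.13.3 should read `metadata:service foo;` (the contrasting form in the same bullet spells it correctly, so the comparison is currently confusing), `pps_stream_tcp.cc..` in 19.13.4 has a doubled period, and `Parsing issue with IP lists. can’t parse rules` in 19.13.2 starts a sentence in lowercase. The `19.13. Bugs` title is also separated from its `--------------` underline by a blank line, unlike `19.8. Command Set` above; the 19.13.x subsection titles without underlines follow the existing `17.16.1.` style and are fine. In 19.13.4, quoting `binder.when` would keep the trailing semicolon from reading as part of the field name.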