</li>\r
<li>\r
<p>\r
-bool <strong>output.wide_hex_dump</strong> = false: output 20 bytes per lines instead of 16 when dumping buffers\r
+bool <strong>output.wide_hex_dump</strong> = true: output 20 bytes per lines instead of 16 when dumping buffers\r
</p>\r
</li>\r
</ul></div>\r
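Review bot: the default for output.wide_hex_dump flips from false to true in this hunk, so anyone relying on the documented 16-byte dump width now gets 20 bytes per line without touching their config; confirm this mirrors an intentional change to the code default rather than a regeneration artifact, and if it is intentional, call it out in the change log because it alters log output that people parse.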
</li>\r
<li>\r
<p>\r
+int <strong>snort.--pause-after-n</strong>: <count> pause after count packets { 1:max53 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>snort.--pcap-file</strong>: <file> file that contains a list of pcaps to read - read mode is implied\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--plugin-path</strong>: <path> where to find plugins\r
+implied <strong>snort.--piglet</strong>: enable piglet test harness mode\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>snort.--plugin-path</strong>: <path> a colon separated list of directories or plugin libraries\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+string <strong>snort.--catch-test</strong>: comma separated list of cat unit test tags or <em>all</em>\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>snort.--version</strong>: show version number (same as -V)\r
</p>\r
</li>\r
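Review bot: "cat unit test tags" in the --catch-test description looks like a typo; if the option is named after the Catch unit test framework, spell it out as "Catch unit test tags" so readers know which tags are meant. The same string is repeated in the usage and plain-text renderings further down, so the fix belongs in the parameter's help string in the source, not in this generated output.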
<div class="ulist"><ul>\r
<li>\r
<p>\r
+int <strong>appid.first_decrypted_packet_debug</strong> = 0: the first packet of an already decrypted SSL flow (debug single session only) { 0:max32 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>appid.memcap</strong> = 1048576: max size of the service cache before we start pruning the cache { 1024:maxSZ }\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
+<h3 id="_cip">cip</h3>\r
+<div class="paragraph"><p>What: cip inspection</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+string <strong>cip.embedded_cip_path</strong> = false: check embedded CIP path\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>cip.unconnected_timeout</strong> = 300: unconnected timeout in seconds { 0:360 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>cip.max_cip_connections</strong> = 100: max cip connections { 1:10000 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>cip.max_unconnected_messages</strong> = 100: max unconnected cip messages { 1:10000 }\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+<strong>148:1</strong> (cip) CIP data is malformed.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>148:2</strong> (cip) CIP data is non-conforming to ODVA standard.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>148:3</strong> (cip) CIP connection limit exceeded. Least recently used connection removed.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>148:4</strong> (cip) CIP unconnected request limit exceeded. Oldest request removed.\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+<strong>cip.packets</strong>: total packets (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>cip.session</strong>: total sessions (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>cip.concurrent_sessions</strong>: total concurrent SIP sessions (now)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>cip.max_concurrent_sessions</strong>: maximum concurrent SIP sessions (max)\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
<h3 id="_data_log">data_log</h3>\r
<div class="paragraph"><p>What: log selected published data to data.log</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
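Review bot: cip.embedded_cip_path is declared as a string but given the default false, which reads as a boolean; "check embedded CIP path" describes an on/off switch, so either the type should be bool or the default should be an actual string value. In the same hunk the peg counts cip.concurrent_sessions and cip.max_concurrent_sessions describe "SIP sessions", which looks copied from the sip module and should say CIP. Also worth a line of documentation: cip.unconnected_timeout accepts 0 in its range { 0:360 }, so say whether 0 disables the timeout or expires unconnected messages immediately.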
<div class="paragraph"><p>What: HTTP/2 inspector</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
<div class="paragraph"><p>Usage: inspect</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+bool <strong>http2_inspect.test_input</strong> = false: read HTTP/2 messages from text file\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>http2_inspect.test_output</strong> = false: print out HTTP section data\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>http2_inspect.print_amount</strong> = 1200: number of characters to print from a Field { 1:max53 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>http2_inspect.print_hex</strong> = false: nonprinting characters printed in [HH] format instead of using an asterisk\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>http2_inspect.show_pegs</strong> = true: display peg counts with test output\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>http2_inspect.show_scan</strong> = false: display scanned segments\r
+</p>\r
+</li>\r
+</ul></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
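Review bot: test_input, test_output, print_amount, print_hex, show_pegs and show_scan are test-harness knobs (reading HTTP/2 messages from a text file, printing section data, showing scanned segments), yet they are listed alongside ordinary inspector settings with no indication that they exist for development and testing; a short note that these are test options, or a separate grouping, would stop an operator from setting test_input = true on a live sensor and silently inspecting a file instead of traffic. show_pegs also defaults to true while every other test option defaults to false, which deserves a second look.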
bool <strong>http_inspect.simplify_path</strong> = true: reduce URI directory path to simplest form\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+bool <strong>http_inspect.test_input</strong> = false: read HTTP messages from text file\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>http_inspect.test_output</strong> = false: print out HTTP section data\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>http_inspect.print_amount</strong> = 1200: number of characters to print from a Field { 1:max53 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>http_inspect.print_hex</strong> = false: nonprinting characters printed in [HH] format instead of using an asterisk\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>http_inspect.show_pegs</strong> = true: display peg counts with test output\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>http_inspect.show_scan</strong> = false: display scanned segments\r
+</p>\r
+</li>\r
</ul></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
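Review bot: the six http_inspect entries added here (test_input, test_output, print_amount, print_hex, show_pegs, show_scan) are test and debug settings, but nothing in their descriptions says so; "read HTTP messages from text file" in particular replaces live traffic with file input, which is not something that should sit unlabelled between simplify_path and unzip. Mark them as test options or move them to their own list, and check whether show_pegs really should default to true when the other five default to false.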
<div class="ulist"><ul>\r
<li>\r
<p>\r
-enum <strong>reject.reset</strong>: send TCP reset to one or both ends { source|dest|both }\r
+enum <strong>reject.reset</strong> = both: send TCP reset to one or both ends { none|source|dest|both }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>reject.control</strong>: send ICMP unreachable(s) { network|host|port|forward|all }\r
+enum <strong>reject.control</strong> = none: send ICMP unreachable(s) { none|network|host|port|forward|all }\r
</p>\r
</li>\r
</ul></div>\r
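Review bot: reject.reset now carries a default of both and both enums gain a none value, so a reject action configured without an explicit reset setting sends TCP resets to both ends where previously the value was unset; confirm that this is the intended behavior change. Since none is now the way to turn resets off, the description "send TCP reset to one or both ends" should mention it, and likewise "send ICMP unreachable(s)" for reject.control should state that none, the default, sends nothing.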
</ul></div>\r
</div>\r
<div class="sect2">\r
+<h3 id="_cip_attribute">cip_attribute</h3>\r
+<div class="paragraph"><p>What: detection option to match CIP attribute</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+interval <strong>cip_attribute.~range</strong>: match CIP attribute { 0:65535 }\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_cip_class">cip_class</h3>\r
+<div class="paragraph"><p>What: detection option to match CIP class</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+interval <strong>cip_class.~range</strong>: match CIP class { 0:65535 }\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_cip_conn_path_class">cip_conn_path_class</h3>\r
+<div class="paragraph"><p>What: detection option to match CIP Connection Path Class</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+interval <strong>cip_conn_path_class.~range</strong>: match CIP Connection Path Class { 0:65535 }\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_cip_instance">cip_instance</h3>\r
+<div class="paragraph"><p>What: detection option to match CIP instance</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+interval <strong>cip_instance.~range</strong>: match CIP instance { 0:4294967295 }\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_cip_req">cip_req</h3>\r
+<div class="paragraph"><p>What: detection option to match CIP request</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_cip_rsp">cip_rsp</h3>\r
+<div class="paragraph"><p>What: detection option to match CIP response</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_cip_service">cip_service</h3>\r
+<div class="paragraph"><p>What: detection option to match CIP service</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+interval <strong>cip_service.~range</strong>: match CIP service { 0:127 }\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_cip_status">cip_status</h3>\r
+<div class="paragraph"><p>What: detection option to match CIP response status</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+interval <strong>cip_status.~range</strong>: match CIP response status { 0:255 }\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
<h3 id="_classtype">classtype</h3>\r
<div class="paragraph"><p>What: general rule option for rule classification</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
+<h3 id="_enip_command">enip_command</h3>\r
+<div class="paragraph"><p>What: detection option to match CIP Enip Command</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+interval <strong>enip_command.~range</strong>: match CIP Enip Command { 0:65535 }\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_enip_req">enip_req</h3>\r
+<div class="paragraph"><p>What: detection option to match ENIP Request</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_enip_rsp">enip_rsp</h3>\r
+<div class="paragraph"><p>What: detection option to match ENIP response</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
+</div>\r
+<div class="sect2">\r
<h3 id="_file_data">file_data</h3>\r
<div class="paragraph"><p>What: rule option to set detection cursor to file data</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
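Review bot: the enip_command description reads "CIP Enip Command" while the neighbouring enip_req and enip_rsp entries write "ENIP Request" and "ENIP response"; use one spelling of ENIP and one capitalization of request/response across all three, and since the option is named enip_command, "match ENIP command" is the clearer wording. The fix belongs in the option's help string so the summary lists further down pick it up as well.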
</li>\r
<li>\r
<p>\r
+<strong>--print-binding-order</strong>\r
+ Print sorting priority used when generating binder table\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>--print-differences</strong> Same as <em>-d</em>. output the differences, and only the\r
differences, between the Snort and Snort++ configurations to\r
the <out_file>\r
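Review bot: the help text for --print-binding-order starts with a capital "Print" while most other entries in this list start lowercase ("file that contains", "enable", "comma separated", "show"); lowercase it for consistency with its neighbours.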
</li>\r
<li>\r
<p>\r
+<strong>--pause-after-n</strong> <count> pause after count packets (1:max53)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>--pcap-file</strong> <file> file that contains a list of pcaps to read - read mode is implied\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>--plugin-path</strong> <path> where to find plugins\r
+<strong>--piglet</strong> enable piglet test harness mode\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>--plugin-path</strong> <path> a colon separated list of directories or plugin libraries\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>--catch-test</strong> comma separated list of cat unit test tags or <em>all</em>\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>--version</strong> show version number (same as -V)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+int <strong>appid.first_decrypted_packet_debug</strong> = 0: the first packet of an already decrypted SSL flow (debug single session only) { 0:max32 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>appid.instance_id</strong> = 0: instance id - ignored { 0:max32 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+interval <strong>cip_attribute.~range</strong>: match CIP attribute { 0:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+interval <strong>cip_class.~range</strong>: match CIP class { 0:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+interval <strong>cip_conn_path_class.~range</strong>: match CIP Connection Path Class { 0:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>cip.embedded_cip_path</strong> = false: check embedded CIP path\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+interval <strong>cip_instance.~range</strong>: match CIP instance { 0:4294967295 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>cip.max_cip_connections</strong> = 100: max cip connections { 1:10000 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>cip.max_unconnected_messages</strong> = 100: max unconnected cip messages { 1:10000 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+interval <strong>cip_service.~range</strong>: match CIP service { 0:127 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+interval <strong>cip_status.~range</strong>: match CIP response status { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>cip.unconnected_timeout</strong> = 300: unconnected timeout in seconds { 0:360 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong><code>classifications[].name</code></strong>: name used with classtype rule option\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+interval <strong>enip_command.~range</strong>: match CIP Enip Command { 0:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
bool <strong>esp.decode_esp</strong> = false: enable for inspection of esp traffic that has authentication but not encryption\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+int <strong>http2_inspect.print_amount</strong> = 1200: number of characters to print from a Field { 1:max53 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>http2_inspect.print_hex</strong> = false: nonprinting characters printed in [HH] format instead of using an asterisk\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>http2_inspect.show_pegs</strong> = true: display peg counts with test output\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>http2_inspect.show_scan</strong> = false: display scanned segments\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>http2_inspect.test_input</strong> = false: read HTTP/2 messages from text file\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>http2_inspect.test_output</strong> = false: print out HTTP section data\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>http_cookie.request</strong>: match against the cookie from the request message even when examining the response\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+int <strong>http_inspect.print_amount</strong> = 1200: number of characters to print from a Field { 1:max53 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>http_inspect.print_hex</strong> = false: nonprinting characters printed in [HH] format instead of using an asterisk\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>http_inspect.request_depth</strong> = -1: maximum request message body bytes to examine (-1 no limit) { -1:max53 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>http_inspect.show_pegs</strong> = true: display peg counts with test output\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>http_inspect.show_scan</strong> = false: display scanned segments\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
bool <strong>http_inspect.simplify_path</strong> = true: reduce URI directory path to simplest form\r
</p>\r
</li>\r
<li>\r
<p>\r
+bool <strong>http_inspect.test_input</strong> = false: read HTTP messages from text file\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>http_inspect.test_output</strong> = false: print out HTTP section data\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
bool <strong>http_inspect.unzip</strong> = true: decompress gzip and deflate message bodies\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>output.wide_hex_dump</strong> = false: output 20 bytes per lines instead of 16 when dumping buffers\r
+bool <strong>output.wide_hex_dump</strong> = true: output 20 bytes per lines instead of 16 when dumping buffers\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-enum <strong>reject.control</strong>: send ICMP unreachable(s) { network|host|port|forward|all }\r
+enum <strong>reject.control</strong> = none: send ICMP unreachable(s) { none|network|host|port|forward|all }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>reject.reset</strong>: send TCP reset to one or both ends { source|dest|both }\r
+enum <strong>reject.reset</strong> = both: send TCP reset to one or both ends { none|source|dest|both }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+string <strong>snort.--catch-test</strong>: comma separated list of cat unit test tags or <em>all</em>\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>snort.-c</strong>: <conf> use this configuration\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+int <strong>snort.--pause-after-n</strong>: <count> pause after count packets { 1:max53 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>snort.--pause</strong>: wait for resume/quit command before processing packets/terminating\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--plugin-path</strong>: <path> where to find plugins\r
+implied <strong>snort.--piglet</strong>: enable piglet test harness mode\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>snort.--plugin-path</strong>: <path> a colon separated list of directories or plugin libraries\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>cip.concurrent_sessions</strong>: total concurrent SIP sessions (now)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>cip.max_concurrent_sessions</strong>: maximum concurrent SIP sessions (max)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>cip.packets</strong>: total packets (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>cip.session</strong>: total sessions (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>daq.allow</strong>: total allow verdicts (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>148</strong>: cip\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>149</strong>: s7commplus\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>148:1</strong> (cip) CIP data is malformed.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>148:2</strong> (cip) CIP data is non-conforming to ODVA standard.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>148:3</strong> (cip) CIP connection limit exceeded. Least recently used connection removed.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>148:4</strong> (cip) CIP unconnected request limit exceeded. Oldest request removed.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>149:1</strong> (s7commplus) length in S7commplus MBAP header does not match the length needed for the given S7commplus function\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>cip</strong> (inspector): cip inspection\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>cip_attribute</strong> (ips_option): detection option to match CIP attribute\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>cip_class</strong> (ips_option): detection option to match CIP class\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>cip_conn_path_class</strong> (ips_option): detection option to match CIP Connection Path Class\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>cip_instance</strong> (ips_option): detection option to match CIP instance\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>cip_req</strong> (ips_option): detection option to match CIP request\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>cip_rsp</strong> (ips_option): detection option to match CIP response\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>cip_service</strong> (ips_option): detection option to match CIP service\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>cip_status</strong> (ips_option): detection option to match CIP response status\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>ciscometadata</strong> (codec): support for cisco metadata\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>enip_command</strong> (ips_option): detection option to match CIP Enip Command\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>enip_req</strong> (ips_option): detection option to match ENIP Request\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>enip_rsp</strong> (ips_option): detection option to match ENIP response\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>erspan2</strong> (codec): support for encapsulated remote switched port analyzer - type 2\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>inspector::cip</strong>: cip inspection\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>inspector::data_log</strong>: log selected published data to data.log\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>ips_option::cip_attribute</strong>: detection option to match CIP attribute\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>ips_option::cip_class</strong>: detection option to match CIP class\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>ips_option::cip_conn_path_class</strong>: detection option to match CIP Connection Path Class\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>ips_option::cip_instance</strong>: detection option to match CIP instance\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>ips_option::cip_req</strong>: detection option to match CIP request\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>ips_option::cip_rsp</strong>: detection option to match CIP response\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>ips_option::cip_service</strong>: detection option to match CIP service\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>ips_option::cip_status</strong>: detection option to match CIP response status\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>ips_option::classtype</strong>: general rule option for rule classification\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>ips_option::enip_command</strong>: detection option to match CIP Enip Command\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>ips_option::enip_req</strong>: detection option to match ENIP Request\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>ips_option::enip_rsp</strong>: detection option to match ENIP response\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>ips_option::file_data</strong>: rule option to set detection cursor to file data\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>piglet::pp_codec</strong>: Codec piglet\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>piglet::pp_inspector</strong>: Inspector piglet\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>piglet::pp_ips_action</strong>: Ips action piglet\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>piglet::pp_ips_option</strong>: Ips option piglet\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>piglet::pp_logger</strong>: Logger piglet\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>piglet::pp_search_engine</strong>: Search engine piglet\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>piglet::pp_so_rule</strong>: SO rule piglet\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>piglet::pp_test</strong>: Test piglet\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>search_engine::ac_banded</strong>: Aho-Corasick Banded (high memory, moderate performance)\r
</p>\r
</li>\r
<div id="footer">\r
<div id="footer-text">\r
Last updated\r
- 2019-11-06 08:35:24 EST\r
+ 2019-11-21 02:51:52 EST\r
</div>\r
</div>\r
</body>\r
9.2. arp_spoof
9.3. back_orifice
9.4. binder
- 9.5. data_log
- 9.6. dce_http_proxy
- 9.7. dce_http_server
- 9.8. dce_smb
- 9.9. dce_tcp
- 9.10. dce_udp
- 9.11. dnp3
- 9.12. dns
- 9.13. domain_filter
- 9.14. dpx
- 9.15. file_id
- 9.16. file_log
- 9.17. finalize_packet
- 9.18. ftp_client
- 9.19. ftp_data
- 9.20. ftp_server
- 9.21. gtp_inspect
- 9.22. http2_inspect
- 9.23. http_inspect
- 9.24. imap
- 9.25. mem_test
- 9.26. modbus
- 9.27. normalizer
- 9.28. packet_capture
- 9.29. perf_monitor
- 9.30. pop
- 9.31. port_scan
- 9.32. reputation
- 9.33. rna
- 9.34. rpc_decode
- 9.35. rt_global
- 9.36. rt_packet
- 9.37. rt_service
- 9.38. s7commplus
- 9.39. sip
- 9.40. smtp
- 9.41. ssh
- 9.42. ssl
- 9.43. stream
- 9.44. stream_file
- 9.45. stream_icmp
- 9.46. stream_ip
- 9.47. stream_tcp
- 9.48. stream_udp
- 9.49. stream_user
- 9.50. telnet
- 9.51. wizard
+ 9.5. cip
+ 9.6. data_log
+ 9.7. dce_http_proxy
+ 9.8. dce_http_server
+ 9.9. dce_smb
+ 9.10. dce_tcp
+ 9.11. dce_udp
+ 9.12. dnp3
+ 9.13. dns
+ 9.14. domain_filter
+ 9.15. dpx
+ 9.16. file_id
+ 9.17. file_log
+ 9.18. finalize_packet
+ 9.19. ftp_client
+ 9.20. ftp_data
+ 9.21. ftp_server
+ 9.22. gtp_inspect
+ 9.23. http2_inspect
+ 9.24. http_inspect
+ 9.25. imap
+ 9.26. mem_test
+ 9.27. modbus
+ 9.28. normalizer
+ 9.29. packet_capture
+ 9.30. perf_monitor
+ 9.31. pop
+ 9.32. port_scan
+ 9.33. reputation
+ 9.34. rna
+ 9.35. rpc_decode
+ 9.36. rt_global
+ 9.37. rt_packet
+ 9.38. rt_service
+ 9.39. s7commplus
+ 9.40. sip
+ 9.41. smtp
+ 9.42. ssh
+ 9.43. ssl
+ 9.44. stream
+ 9.45. stream_file
+ 9.46. stream_icmp
+ 9.47. stream_ip
+ 9.48. stream_tcp
+ 9.49. stream_udp
+ 9.50. stream_user
+ 9.51. telnet
+ 9.52. wizard
10. IPS Action Modules
11.9. byte_jump
11.10. byte_math
11.11. byte_test
- 11.12. classtype
- 11.13. content
- 11.14. cvs
- 11.15. dce_iface
- 11.16. dce_opnum
- 11.17. dce_stub_data
- 11.18. detection_filter
- 11.19. dnp3_data
- 11.20. dnp3_func
- 11.21. dnp3_ind
- 11.22. dnp3_obj
- 11.23. dsize
- 11.24. enable
- 11.25. file_data
- 11.26. file_type
- 11.27. flags
- 11.28. flow
- 11.29. flowbits
- 11.30. fragbits
- 11.31. fragoffset
- 11.32. gid
- 11.33. gtp_info
- 11.34. gtp_type
- 11.35. gtp_version
- 11.36. http2_decoded_header
- 11.37. http2_frame_data
- 11.38. http2_frame_header
- 11.39. http_client_body
- 11.40. http_cookie
- 11.41. http_header
- 11.42. http_method
- 11.43. http_raw_body
- 11.44. http_raw_cookie
- 11.45. http_raw_header
- 11.46. http_raw_request
- 11.47. http_raw_status
- 11.48. http_raw_trailer
- 11.49. http_raw_uri
- 11.50. http_stat_code
- 11.51. http_stat_msg
- 11.52. http_trailer
- 11.53. http_true_ip
- 11.54. http_uri
- 11.55. http_version
- 11.56. icmp_id
- 11.57. icmp_seq
- 11.58. icode
- 11.59. id
- 11.60. ip_proto
- 11.61. ipopts
- 11.62. isdataat
- 11.63. itype
- 11.64. md5
- 11.65. metadata
- 11.66. modbus_data
- 11.67. modbus_func
- 11.68. modbus_unit
- 11.69. msg
- 11.70. mss
- 11.71. pcre
- 11.72. pkt_data
- 11.73. pkt_num
- 11.74. priority
- 11.75. raw_data
- 11.76. reference
- 11.77. regex
- 11.78. rem
- 11.79. replace
- 11.80. rev
- 11.81. rpc
- 11.82. s7commplus_content
- 11.83. s7commplus_func
- 11.84. s7commplus_opcode
- 11.85. sd_pattern
- 11.86. seq
- 11.87. service
- 11.88. session
- 11.89. sha256
- 11.90. sha512
- 11.91. sid
- 11.92. sip_body
- 11.93. sip_header
- 11.94. sip_method
- 11.95. sip_stat_code
- 11.96. so
- 11.97. soid
- 11.98. ssl_state
- 11.99. ssl_version
- 11.100. stream_reassemble
- 11.101. stream_size
- 11.102. tag
- 11.103. target
- 11.104. tos
- 11.105. ttl
- 11.106. urg
- 11.107. window
- 11.108. wscale
+ 11.12. cip_attribute
+ 11.13. cip_class
+ 11.14. cip_conn_path_class
+ 11.15. cip_instance
+ 11.16. cip_req
+ 11.17. cip_rsp
+ 11.18. cip_service
+ 11.19. cip_status
+ 11.20. classtype
+ 11.21. content
+ 11.22. cvs
+ 11.23. dce_iface
+ 11.24. dce_opnum
+ 11.25. dce_stub_data
+ 11.26. detection_filter
+ 11.27. dnp3_data
+ 11.28. dnp3_func
+ 11.29. dnp3_ind
+ 11.30. dnp3_obj
+ 11.31. dsize
+ 11.32. enable
+ 11.33. enip_command
+ 11.34. enip_req
+ 11.35. enip_rsp
+ 11.36. file_data
+ 11.37. file_type
+ 11.38. flags
+ 11.39. flow
+ 11.40. flowbits
+ 11.41. fragbits
+ 11.42. fragoffset
+ 11.43. gid
+ 11.44. gtp_info
+ 11.45. gtp_type
+ 11.46. gtp_version
+ 11.47. http2_decoded_header
+ 11.48. http2_frame_data
+ 11.49. http2_frame_header
+ 11.50. http_client_body
+ 11.51. http_cookie
+ 11.52. http_header
+ 11.53. http_method
+ 11.54. http_raw_body
+ 11.55. http_raw_cookie
+ 11.56. http_raw_header
+ 11.57. http_raw_request
+ 11.58. http_raw_status
+ 11.59. http_raw_trailer
+ 11.60. http_raw_uri
+ 11.61. http_stat_code
+ 11.62. http_stat_msg
+ 11.63. http_trailer
+ 11.64. http_true_ip
+ 11.65. http_uri
+ 11.66. http_version
+ 11.67. icmp_id
+ 11.68. icmp_seq
+ 11.69. icode
+ 11.70. id
+ 11.71. ip_proto
+ 11.72. ipopts
+ 11.73. isdataat
+ 11.74. itype
+ 11.75. md5
+ 11.76. metadata
+ 11.77. modbus_data
+ 11.78. modbus_func
+ 11.79. modbus_unit
+ 11.80. msg
+ 11.81. mss
+ 11.82. pcre
+ 11.83. pkt_data
+ 11.84. pkt_num
+ 11.85. priority
+ 11.86. raw_data
+ 11.87. reference
+ 11.88. regex
+ 11.89. rem
+ 11.90. replace
+ 11.91. rev
+ 11.92. rpc
+ 11.93. s7commplus_content
+ 11.94. s7commplus_func
+ 11.95. s7commplus_opcode
+ 11.96. sd_pattern
+ 11.97. seq
+ 11.98. service
+ 11.99. session
+ 11.100. sha256
+ 11.101. sha512
+ 11.102. sid
+ 11.103. sip_body
+ 11.104. sip_header
+ 11.105. sip_method
+ 11.106. sip_stat_code
+ 11.107. so
+ 11.108. soid
+ 11.109. ssl_state
+ 11.110. ssl_version
+ 11.111. stream_reassemble
+ 11.112. stream_size
+ 11.113. tag
+ 11.114. target
+ 11.115. tos
+ 11.116. ttl
+ 11.117. urg
+ 11.118. window
+ 11.119. wscale
12. Search Engine Modules
13. SO Rule Modules
* bool output.verbose = false: be verbose (same as -v)
* bool output.obfuscate = false: obfuscate the logged IP addresses
(same as -O)
- * bool output.wide_hex_dump = false: output 20 bytes per lines
+ * bool output.wide_hex_dump = true: output 20 bytes per lines
instead of 16 when dumping buffers
* implied snort.--nolock-pidfile: do not try to lock Snort PID file
* implied snort.--pause: wait for resume/quit command before
processing packets/terminating
+ * int snort.--pause-after-n: <count> pause after count packets {
+ 1:max53 }
* string snort.--pcap-file: <file> file that contains a list of
pcaps to read - read mode is implied
* string snort.--pcap-list: <list> a space separated list of pcaps
* implied snort.--pcap-show: print a line saying what pcap is
currently being read
* implied snort.--pedantic: warnings are fatal
- * string snort.--plugin-path: <path> where to find plugins
+ * implied snort.--piglet: enable piglet test harness mode
+ * string snort.--plugin-path: <path> a colon separated list of
+ directories or plugin libraries
* implied snort.--process-all-events: process all action groups
* string snort.--rule: <rules> to be added to configuration; may be
repeated
* implied snort.--treat-drop-as-ignore: use drop, block, and reset
rules to ignore session traffic when not inline
* string snort.--tweaks: tune configuration
+ * string snort.--catch-test: comma separated list of cat unit test
+ tags or all
* implied snort.--version: show version number (same as -V)
* implied snort.--warn-all: enable all warnings
* implied snort.--warn-conf: warn about configuration issues
Configuration:
+ * int appid.first_decrypted_packet_debug = 0: the first packet of
+ an already decrypted SSL flow (debug single session only) {
+ 0:max32 }
* int appid.memcap = 1048576: max size of the service cache before
we start pruning the cache { 1024:maxSZ }
* bool appid.log_stats = false: enable logging of appid statistics
* binder.inspects: inspect bindings (sum)
-9.5. data_log
+9.5. cip
+
+--------------
+
+What: cip inspection
+
+Type: inspector
+
+Usage: inspect
+
+Configuration:
+
+ * string cip.embedded_cip_path = false: check embedded CIP path
+ * int cip.unconnected_timeout = 300: unconnected timeout in seconds
+ { 0:360 }
+ * int cip.max_cip_connections = 100: max cip connections { 1:10000
+ }
+ * int cip.max_unconnected_messages = 100: max unconnected cip
+ messages { 1:10000 }
+
+Rules:
+
+ * 148:1 (cip) CIP data is malformed.
+ * 148:2 (cip) CIP data is non-conforming to ODVA standard.
+ * 148:3 (cip) CIP connection limit exceeded. Least recently used
+ connection removed.
+ * 148:4 (cip) CIP unconnected request limit exceeded. Oldest
+ request removed.
+
+Peg counts:
+
+ * cip.packets: total packets (sum)
+ * cip.session: total sessions (sum)
+ * cip.concurrent_sessions: total concurrent SIP sessions (now)
+ * cip.max_concurrent_sessions: maximum concurrent SIP sessions
+ (max)
+
+
+9.6. data_log
--------------
* data_log.packets: total packets (sum)
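Review bot: in the new cip Configuration list, cip.embedded_cip_path is declared as "string" but its default is "false", which looks like a type/default mismatch (it should be a bool, or the default should be a string); as written, the generated option help is misleading. Two smaller points in the same section: the peg counts cip.concurrent_sessions and cip.max_concurrent_sessions describe "concurrent SIP sessions", a copy-paste from the sip inspector that should say CIP; and the four 148:x rule messages end with a trailing period ("CIP data is malformed.") while the existing rule messages in this manual do not (e.g. "145:6 (dnp3) DNP3 application-layer fragment uses a reserved function code"), so the periods should be dropped. Since this text is generated from the module's help strings, fixing the source strings also fixes the repeated entries in the later index hunks.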
-9.6. dce_http_proxy
+9.7. dce_http_proxy
--------------
sessions (sum)
-9.7. dce_http_server
+9.8. dce_http_server
--------------
sessions (sum)
-9.8. dce_smb
+9.9. dce_smb
--------------
(max)
-9.9. dce_tcp
+9.10. dce_tcp
--------------
(max)
-9.10. dce_udp
+9.11. dce_udp
--------------
(max)
-9.11. dnp3
+9.12. dnp3
--------------
(max)
-9.12. dns
+9.13. dns
--------------
(max)
-9.13. domain_filter
+9.14. domain_filter
--------------
* domain_filter.filtered: domains filtered (sum)
-9.14. dpx
+9.15. dpx
--------------
* dpx.packets: total packets (sum)
-9.15. file_id
+9.16. file_id
--------------
* file_id.cache_failures: number of file cache add failures (sum)
-9.16. file_log
+9.17. file_log
--------------
* file_log.total_events: total file events (sum)
-9.17. finalize_packet
+9.18. finalize_packet
--------------
* finalize_packet.other_messages: total other message seen (sum)
-9.18. ftp_client
+9.19. ftp_client
--------------
sequences on FTP control channel
-9.19. ftp_data
+9.20. ftp_data
--------------
* ftp_data.packets: total packets (sum)
-9.20. ftp_server
+9.21. ftp_server
--------------
sessions (max)
-9.21. gtp_inspect
+9.22. gtp_inspect
--------------
* gtp_inspect.unknown_infos: unknown information elements (sum)
-9.22. http2_inspect
+9.23. http2_inspect
--------------
Usage: inspect
+Configuration:
+
+ * bool http2_inspect.test_input = false: read HTTP/2 messages from
+ text file
+ * bool http2_inspect.test_output = false: print out HTTP section
+ data
+ * int http2_inspect.print_amount = 1200: number of characters to
+ print from a Field { 1:max53 }
+ * bool http2_inspect.print_hex = false: nonprinting characters
+ printed in [HH] format instead of using an asterisk
+ * bool http2_inspect.show_pegs = true: display peg counts with test
+ output
+ * bool http2_inspect.show_scan = false: display scanned segments
+
Rules:
* 121:1 (http2_inspect) error in HPACK integer value
sessions (max)
-9.23. http_inspect
+9.24. http_inspect
--------------
normalizing URIs
* bool http_inspect.simplify_path = true: reduce URI directory path
to simplest form
+ * bool http_inspect.test_input = false: read HTTP messages from
+ text file
+ * bool http_inspect.test_output = false: print out HTTP section
+ data
+ * int http_inspect.print_amount = 1200: number of characters to
+ print from a Field { 1:max53 }
+ * bool http_inspect.print_hex = false: nonprinting characters
+ printed in [HH] format instead of using an asterisk
+ * bool http_inspect.show_pegs = true: display peg counts with test
+ output
+ * bool http_inspect.show_scan = false: display scanned segments
Rules:
inspection (sum)
-9.24. imap
+9.25. imap
--------------
* imap.non_encoded_bytes: total non-encoded extracted bytes (sum)
-9.25. mem_test
+9.26. mem_test
--------------
* mem_test.packets: total packets (sum)
-9.26. modbus
+9.27. modbus
--------------
sessions (max)
-9.27. normalizer
+9.28. normalizer
--------------
* normalizer.tcp_block: blocked segments (sum)
-9.28. packet_capture
+9.29. packet_capture
--------------
filter (sum)
-9.29. perf_monitor
+9.30. perf_monitor
--------------
* perf_monitor.packets: total packets (sum)
-9.30. pop
+9.31. pop
--------------
* pop.non_encoded_bytes: total non-encoded extracted bytes (sum)
-9.31. port_scan
+9.32. port_scan
--------------
* port_scan.packets: total packets (sum)
-9.32. reputation
+9.33. reputation
--------------
* reputation.memory_allocated: total memory allocated (sum)
-9.33. rna
+9.34. rna
--------------
(sum)
-9.34. rpc_decode
+9.35. rpc_decode
--------------
sessions (max)
-9.35. rt_global
+9.36. rt_global
--------------
* rt_global.packets: total packets (sum)
-9.36. rt_packet
+9.37. rt_packet
--------------
* rt_packet.retry_packets: total retried packets received (sum)
-9.37. rt_service
+9.38. rt_service
--------------
* rt_service.search_requests: total splitter search requests (sum)
-9.38. s7commplus
+9.39. s7commplus
--------------
sessions (max)
-9.39. sip
+9.40. sip
--------------
* sip.code_9xx: 9xx (sum)
-9.40. smtp
+9.41. smtp
--------------
* smtp.non_encoded_bytes: total non-encoded extracted bytes (sum)
-9.41. ssh
+9.42. ssh
--------------
(max)
-9.42. ssl
+9.43. ssl
--------------
(max)
-9.43. stream
+9.44. stream
--------------
deleted by config reloads (sum)
-9.44. stream_file
+9.45. stream_file
--------------
* bool stream_file.upload = false: indicate file transfer direction
-9.45. stream_icmp
+9.46. stream_icmp
--------------
* stream_icmp.prunes: icmp session prunes (sum)
-9.46. stream_ip
+9.47. stream_ip
--------------
* stream_ip.fragmented_bytes: total fragmented bytes (sum)
-9.47. stream_tcp
+9.48. stream_tcp
--------------
* stream_tcp.partial_flush_bytes: partial flush total bytes (sum)
-9.48. stream_udp
+9.49. stream_udp
--------------
* stream_udp.ignored: udp packets ignored (sum)
-9.49. stream_user
+9.50. stream_user
--------------
0:max53 }
-9.50. telnet
+9.51. telnet
--------------
sessions (max)
-9.51. wizard
+9.52. wizard
--------------
Configuration:
- * enum reject.reset: send TCP reset to one or both ends { source|
- dest|both }
- * enum reject.control: send ICMP unreachable(s) { network|host|port
- |forward|all }
+ * enum reject.reset = both: send TCP reset to one or both ends {
+ none|source|dest|both }
+ * enum reject.control = none: send ICMP unreachable(s) { none|
+ network|host|port|forward|all }
10.3. rewrite
0x1:0xFFFFFFFF }
-11.12. classtype
+11.12. cip_attribute
+
+--------------
+
+What: detection option to match CIP attribute
+
+Type: ips_option
+
+Usage: detect
+
+Configuration:
+
+ * interval cip_attribute.~range: match CIP attribute { 0:65535 }
+
+
+11.13. cip_class
+
+--------------
+
+What: detection option to match CIP class
+
+Type: ips_option
+
+Usage: detect
+
+Configuration:
+
+ * interval cip_class.~range: match CIP class { 0:65535 }
+
+
+11.14. cip_conn_path_class
+
+--------------
+
+What: detection option to match CIP Connection Path Class
+
+Type: ips_option
+
+Usage: detect
+
+Configuration:
+
+ * interval cip_conn_path_class.~range: match CIP Connection Path
+ Class { 0:65535 }
+
+
+11.15. cip_instance
+
+--------------
+
+What: detection option to match CIP instance
+
+Type: ips_option
+
+Usage: detect
+
+Configuration:
+
+ * interval cip_instance.~range: match CIP instance { 0:4294967295 }
+
+
+11.16. cip_req
+
+--------------
+
+What: detection option to match CIP request
+
+Type: ips_option
+
+Usage: detect
+
+
+11.17. cip_rsp
+
+--------------
+
+What: detection option to match CIP response
+
+Type: ips_option
+
+Usage: detect
+
+
+11.18. cip_service
+
+--------------
+
+What: detection option to match CIP service
+
+Type: ips_option
+
+Usage: detect
+
+Configuration:
+
+ * interval cip_service.~range: match CIP service { 0:127 }
+
+
+11.19. cip_status
+
+--------------
+
+What: detection option to match CIP response status
+
+Type: ips_option
+
+Usage: detect
+
+Configuration:
+
+ * interval cip_status.~range: match CIP response status { 0:255 }
+
+
+11.20. classtype
--------------
* string classtype.~: classification for this rule
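Review bot: the help strings for the new cip_* options are inconsistent in casing: cip_conn_path_class says "match CIP Connection Path Class" (title case) while the others use a lower-case noun ("match CIP attribute", "match CIP instance", "match CIP response status"); "match CIP connection path class" would match the rest. The ranges themselves look right: cip_instance allows { 0:4294967295 } where the other option values are 16-bit or smaller, so it is worth confirming that wider range is intentional rather than a copy of a different option.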
-11.13. content
+11.21. content
--------------
from cursor
-11.14. cvs
+11.22. cvs
--------------
* implied cvs.invalid-entry: looks for an invalid Entry string
-11.15. dce_iface
+11.23. dce_iface
--------------
* implied dce_iface.any_frag: match on any fragment
-11.16. dce_opnum
+11.24. dce_opnum
--------------
list
-11.17. dce_stub_data
+11.25. dce_stub_data
--------------
Usage: detect
-11.18. detection_filter
+11.26. detection_filter
--------------
1:max32 }
-11.19. dnp3_data
+11.27. dnp3_data
--------------
Usage: detect
-11.20. dnp3_func
+11.28. dnp3_func
--------------
* string dnp3_func.~: match DNP3 function code or name
-11.21. dnp3_ind
+11.29. dnp3_ind
--------------
* string dnp3_ind.~: match given DNP3 indicator flags
-11.22. dnp3_obj
+11.30. dnp3_obj
--------------
}
-11.23. dsize
+11.31. dsize
--------------
given range { 0:65535 }
-11.24. enable
+11.32. enable
--------------
}
-11.25. file_data
+11.33. enip_command
+
+--------------
+
+What: detection option to match CIP Enip Command
+
+Type: ips_option
+
+Usage: detect
+
+Configuration:
+
+ * interval enip_command.~range: match CIP Enip Command { 0:65535 }
+
+
+11.34. enip_req
+
+--------------
+
+What: detection option to match ENIP Request
+
+Type: ips_option
+
+Usage: detect
+
+
+11.35. enip_rsp
+
+--------------
+
+What: detection option to match ENIP response
+
+Type: ips_option
+
+Usage: detect
+
+
+11.36. file_data
--------------
Usage: detect
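Review bot: the three enip_* help strings in this hunk disagree on how the protocol name is written: enip_command.~range says "match CIP Enip Command" while enip_req says "match ENIP Request" and enip_rsp says "match ENIP response". Use one form for all three, e.g. "match ENIP command", "match ENIP request", "match ENIP response", which also matches the lower-case style of the cip_* options above ("match CIP service").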
-11.26. file_type
+11.37. file_type
--------------
* string file_type.~: list of file type IDs to match
-11.27. flags
+11.38. flags
--------------
* string flags.~mask_flags: these flags are don’t cares
-11.28. flow
+11.39. flow
--------------
* implied flow.only_frag: match on defragmented packets only
-11.29. flowbits
+11.40. flowbits
--------------
* string flowbits.~arg2: group if arg1 is bits
-11.30. fragbits
+11.41. fragbits
--------------
* string fragbits.~flags: these flags are tested
-11.31. fragoffset
+11.42. fragoffset
--------------
given range { 0:8192 }
-11.32. gid
+11.43. gid
--------------
* int gid.~: generator id { 1:max32 }
-11.33. gtp_info
+11.44. gtp_info
--------------
* string gtp_info.~: info element to match
-11.34. gtp_type
+11.45. gtp_type
--------------
* string gtp_type.~: list of types to match
-11.35. gtp_version
+11.46. gtp_version
--------------
* int gtp_version.~: version to match { 0:2 }
-11.36. http2_decoded_header
+11.47. http2_decoded_header
--------------
Usage: detect
-11.37. http2_frame_data
+11.48. http2_frame_data
--------------
Usage: detect
-11.38. http2_frame_header
+11.49. http2_frame_header
--------------
Usage: detect
-11.39. http_client_body
+11.50. http_client_body
--------------
Usage: detect
-11.40. http_cookie
+11.51. http_cookie
--------------
message trailers
-11.41. http_header
+11.52. http_header
--------------
message trailers
-11.42. http_method
+11.53. http_method
--------------
message trailers
-11.43. http_raw_body
+11.54. http_raw_body
--------------
Usage: detect
-11.44. http_raw_cookie
+11.55. http_raw_cookie
--------------
HTTP message trailers
-11.45. http_raw_header
+11.56. http_raw_header
--------------
HTTP message trailers
-11.46. http_raw_request
+11.57. http_raw_request
--------------
HTTP message trailers
-11.47. http_raw_status
+11.58. http_raw_status
--------------
HTTP message trailers
-11.48. http_raw_trailer
+11.59. http_raw_trailer
--------------
HTTP response message body (must be combined with request)
-11.49. http_raw_uri
+11.60. http_raw_uri
--------------
URI only
-11.50. http_stat_code
+11.61. http_stat_code
--------------
HTTP message trailers
-11.51. http_stat_msg
+11.62. http_stat_msg
--------------
HTTP message trailers
-11.52. http_trailer
+11.63. http_trailer
--------------
message body (must be combined with request)
-11.53. http_true_ip
+11.64. http_true_ip
--------------
HTTP message trailers
-11.54. http_uri
+11.65. http_uri
--------------
only
-11.55. http_version
+11.66. http_version
--------------
HTTP message trailers
-11.56. icmp_id
+11.67. icmp_id
--------------
0:65535 }
-11.57. icmp_seq
+11.68. icmp_seq
--------------
given range { 0:65535 }
-11.58. icode
+11.69. icode
--------------
0:255 }
-11.59. id
+11.70. id
--------------
}
-11.60. ip_proto
+11.71. ip_proto
--------------
* string ip_proto.~proto: [!|>|<] name or number
-11.61. ipopts
+11.72. ipopts
--------------
lsrre|ssrr|satid|any }
-11.62. isdataat
+11.73. isdataat
--------------
buffer
-11.63. itype
+11.74. itype
--------------
0:255 }
-11.64. md5
+11.75. md5
--------------
of buffer
-11.65. metadata
+11.76. metadata
--------------
pairs
-11.66. modbus_data
+11.77. modbus_data
--------------
Usage: detect
-11.67. modbus_func
+11.78. modbus_func
--------------
* string modbus_func.~: function code to match
-11.68. modbus_unit
+11.79. modbus_unit
--------------
* int modbus_unit.~: Modbus unit ID { 0:255 }
-11.69. msg
+11.80. msg
--------------
* string msg.~: message describing rule
-11.70. mss
+11.81. mss
--------------
}
-11.71. pcre
+11.82. pcre
--------------
* string pcre.~re: Snort regular expression
-11.72. pkt_data
+11.83. pkt_data
--------------
Usage: detect
-11.73. pkt_num
+11.84. pkt_num
--------------
{ 1: }
-11.74. priority
+11.85. priority
--------------
1:max31 }
-11.75. raw_data
+11.86. raw_data
--------------
Usage: detect
-11.76. reference
+11.87. reference
--------------
* string reference.~id: reference id
-11.77. regex
+11.88. regex
--------------
instead of start of buffer
-11.78. rem
+11.89. rem
--------------
* string rem.~: comment
-11.79. replace
+11.90. replace
--------------
* string replace.~: byte code to replace with
-11.80. rev
+11.91. rev
--------------
* int rev.~: revision { 1:max32 }
-11.81. rpc
+11.92. rpc
--------------
* string rpc.~proc: procedure number or * for any
-11.82. s7commplus_content
+11.93. s7commplus_content
--------------
Usage: detect
-11.83. s7commplus_func
+11.94. s7commplus_func
--------------
* string s7commplus_func.~: function code to match
-11.84. s7commplus_opcode
+11.95. s7commplus_opcode
--------------
* string s7commplus_opcode.~: opcode code to match
-11.85. sd_pattern
+11.96. sd_pattern
--------------
* sd_pattern.terminated: hyperscan terminated (sum)
-11.86. seq
+11.97. seq
--------------
range { 0: }
-11.87. service
+11.98. service
--------------
* string service.*: one or more comma-separated service names
-11.88. session
+11.99. session
--------------
* enum session.~mode: output format { printable|binary|all }
-11.89. sha256
+11.100. sha256
--------------
start of buffer
-11.90. sha512
+11.101. sha512
--------------
start of buffer
-11.91. sid
+11.102. sid
--------------
* int sid.~: signature id { 1:max32 }
-11.92. sip_body
+11.103. sip_body
--------------
Usage: detect
-11.93. sip_header
+11.104. sip_header
--------------
Usage: detect
-11.94. sip_method
+11.105. sip_method
--------------
* string sip_method.*method: sip method
-11.95. sip_stat_code
+11.106. sip_stat_code
--------------
* int sip_stat_code.*code: status code { 1:999 }
-11.96. so
+11.107. so
--------------
buffer
-11.97. soid
+11.108. soid
--------------
like 3_45678_9
-11.98. ssl_state
+11.109. ssl_state
--------------
unknown
-11.99. ssl_version
+11.110. ssl_version
--------------
tls1.2
-11.100. stream_reassemble
+11.111. stream_reassemble
--------------
remainder of the session
-11.101. stream_size
+11.112. stream_size
--------------
direction(s) { either|to_server|to_client|both }
-11.102. tag
+11.113. tag
--------------
* int tag.bytes: tag for this many bytes { 1:max32 }
-11.103. target
+11.114. target
--------------
dst_ip }
-11.104. tos
+11.115. tos
--------------
* interval tos.~range: check if IP TOS is in given range { 0:255 }
-11.105. ttl
+11.116. ttl
--------------
0:255 }
-11.106. urg
+11.117. urg
--------------
{ 0:65535 }
-11.107. window
+11.118. window
--------------
range { 0:65535 }
-11.108. wscale
+11.119. wscale
--------------
* --output-file=<out_file> Same as -o. output the new Snort++ lua
configuration to <out_file>
* --print-all Same as -a. default option. print all data
+ * --print-binding-order Print sorting priority used when generating
+ binder table
* --print-differences Same as -d. output the differences, and only
the differences, between the Snort and Snort++ configurations to
the <out_file>
* --nolock-pidfile do not try to lock Snort PID file
* --pause wait for resume/quit command before processing packets/
terminating
+ * --pause-after-n <count> pause after count packets (1:max53)
* --pcap-file <file> file that contains a list of pcaps to read -
read mode is implied
* --pcap-list <list> a space separated list of pcaps to read - read
between pcaps
* --pcap-show print a line saying what pcap is currently being read
* --pedantic warnings are fatal
- * --plugin-path <path> where to find plugins
+ * --piglet enable piglet test harness mode
+ * --plugin-path <path> a colon separated list of directories or
+ plugin libraries
* --process-all-events process all action groups
* --rule <rules> to be added to configuration; may be repeated
* --rule-path <path> where to find rules files
* --treat-drop-as-ignore use drop, block, and reset rules to ignore
session traffic when not inline
* --tweaks tune configuration
+ * --catch-test comma separated list of cat unit test tags or all
* --version show version number (same as -V)
* --warn-all enable all warnings
* --warn-conf warn about configuration issues
* bool appid.debug = false: enable appid debug logging
* bool appid.dump_ports = false: enable dump of appid port
information
+ * int appid.first_decrypted_packet_debug = 0: the first packet of
+ an already decrypted SSL flow (debug single session only) {
+ 0:max32 }
* int appid.instance_id = 0: instance id - ignored { 0:max32 }
* bool appid.log_all_sessions = false: enable logging of all appid
sessions
* implied byte_test.relative: offset from cursor instead of start
of buffer
* implied byte_test.string: convert from string
+ * interval cip_attribute.~range: match CIP attribute { 0:65535 }
+ * interval cip_class.~range: match CIP class { 0:65535 }
+ * interval cip_conn_path_class.~range: match CIP Connection Path
+ Class { 0:65535 }
+ * string cip.embedded_cip_path = false: check embedded CIP path
+ * interval cip_instance.~range: match CIP instance { 0:4294967295 }
+ * int cip.max_cip_connections = 100: max cip connections { 1:10000
+ }
+ * int cip.max_unconnected_messages = 100: max unconnected cip
+ messages { 1:10000 }
+ * interval cip_service.~range: match CIP service { 0:127 }
+ * interval cip_status.~range: match CIP response status { 0:255 }
+ * int cip.unconnected_timeout = 300: unconnected timeout in seconds
+ { 0:360 }
* string classifications[].name: name used with classtype rule
option
* int classifications[].priority = 1: default priority for class {
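Review bot: cip.embedded_cip_path = false is typed "string" in this index as well (same help string as in section 9.5); correct the parameter type at the source so the regenerated index is right too.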
* enum enable.~enable = yes: enable or disable rule in current ips
policy or use default defined by ips policy { no | yes | inherit
}
+ * interval enip_command.~range: match CIP Enip Command { 0:65535 }
* bool esp.decode_esp = false: enable for inspection of esp traffic
that has authentication but not encryption
* int event_filter[].count = 0: number of events in interval before
* port host_tracker[].services[].port: port number
* enum host_tracker[].services[].proto: IP protocol { ip | tcp |
udp }
+ * int http2_inspect.print_amount = 1200: number of characters to
+ print from a Field { 1:max53 }
+ * bool http2_inspect.print_hex = false: nonprinting characters
+ printed in [HH] format instead of using an asterisk
+ * bool http2_inspect.show_pegs = true: display peg counts with test
+ output
+ * bool http2_inspect.show_scan = false: display scanned segments
+ * bool http2_inspect.test_input = false: read HTTP/2 messages from
+ text file
+ * bool http2_inspect.test_output = false: print out HTTP section
+ data
* implied http_cookie.request: match against the cookie from the
request message even when examining the response
* implied http_cookie.with_body: parts of this rule examine HTTP
encodings
* bool http_inspect.plus_to_space = true: replace + with <sp> when
normalizing URIs
+ * int http_inspect.print_amount = 1200: number of characters to
+ print from a Field { 1:max53 }
+ * bool http_inspect.print_hex = false: nonprinting characters
+ printed in [HH] format instead of using an asterisk
* int http_inspect.request_depth = -1: maximum request message body
bytes to examine (-1 no limit) { -1:max53 }
* int http_inspect.response_depth = -1: maximum response message
body bytes to examine (-1 no limit) { -1:max53 }
+ * bool http_inspect.show_pegs = true: display peg counts with test
+ output
+ * bool http_inspect.show_scan = false: display scanned segments
* bool http_inspect.simplify_path = true: reduce URI directory path
to simplest form
+ * bool http_inspect.test_input = false: read HTTP messages from
+ text file
+ * bool http_inspect.test_output = false: print out HTTP section
+ data
* bool http_inspect.unzip = true: decompress gzip and deflate
message bodies
* bool http_inspect.utf8_bare_byte = false: when doing UTF-8
* int output.tagged_packet_limit = 256: maximum number of packets
tagged for non-packet metrics { 0:max32 }
* bool output.verbose = false: be verbose (same as -v)
- * bool output.wide_hex_dump = false: output 20 bytes per lines
+ * bool output.wide_hex_dump = true: output 20 bytes per lines
instead of 16 when dumping buffers
* bool packet_capture.enable = false: initially enable packet
dumping
* string regex.~re: hyperscan regular expression
* implied regex.relative: start search from end of last match
instead of start of buffer
- * enum reject.control: send ICMP unreachable(s) { network|host|port
- |forward|all }
- * enum reject.reset: send TCP reset to one or both ends { source|
- dest|both }
+ * enum reject.control = none: send ICMP unreachable(s) { none|
+ network|host|port|forward|all }
+ * enum reject.reset = both: send TCP reset to one or both ends {
+ none|source|dest|both }
* string rem.~: comment
* string replace.~: byte code to replace with
* string reputation.blacklist: blacklist file name with IP lists
* string snort.--bpf: <filter options> are standard BPF options, as
seen in TCPDump
* string snort.--c2x: output hex for given char (see also --x2c)
+ * string snort.--catch-test: comma separated list of cat unit test
+ tags or all
* string snort.-c: <conf> use this configuration
* string snort.--control-socket: <file> to create unix socket
* implied snort.-C: print out payloads with character data only (no
* implied snort.-O: obfuscate the logged IP addresses
* string snort.-?: <option prefix> output matching command line
option quick help (same as --help-options) { (optional) }
+ * int snort.--pause-after-n: <count> pause after count packets {
+ 1:max53 }
* implied snort.--pause: wait for resume/quit command before
processing packets/terminating
* string snort.--pcap-dir: <dir> a directory to recurse to look for
* implied snort.--pcap-show: print a line saying what pcap is
currently being read
* implied snort.--pedantic: warnings are fatal
- * string snort.--plugin-path: <path> where to find plugins
+ * implied snort.--piglet: enable piglet test harness mode
+ * string snort.--plugin-path: <path> a colon separated list of
+ directories or plugin libraries
* implied snort.--process-all-events: process all action groups
* implied snort.-Q: enable inline mode operation
* implied snort.-q: quiet mode - Don’t show banner and status
* binder.inspects: inspect bindings (sum)
* binder.packets: initial bindings (sum)
* binder.resets: reset bindings (sum)
+ * cip.concurrent_sessions: total concurrent SIP sessions (now)
+ * cip.max_concurrent_sessions: maximum concurrent SIP sessions
+ (max)
+ * cip.packets: total packets (sum)
+ * cip.session: total sessions (sum)
* daq.allow: total allow verdicts (sum)
* daq.analyzed: total packets analyzed from DAQ (sum)
* daq.blacklist: total blacklist verdicts (sum)
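Review bot: cip.concurrent_sessions and cip.max_concurrent_sessions say "SIP sessions" in this peg index as well; the descriptions should read "CIP sessions" to match the module they count.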
* 144: modbus
* 145: dnp3
* 146: file_id
+ * 148: cip
* 149: s7commplus
* 175: domain_filter
* 256: dpx
* 145:5 (dnp3) DNP3 link-layer frame uses a reserved address
* 145:6 (dnp3) DNP3 application-layer fragment uses a reserved
function code
+ * 148:1 (cip) CIP data is malformed.
+ * 148:2 (cip) CIP data is non-conforming to ODVA standard.
+ * 148:3 (cip) CIP connection limit exceeded. Least recently used
+ connection removed.
+ * 148:4 (cip) CIP unconnected request limit exceeded. Oldest
+ request removed.
* 149:1 (s7commplus) length in S7commplus MBAP header does not
match the length needed for the given S7commplus function
* 149:2 (s7commplus) S7commplus protocol ID is non-zero
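Review bot: the 148:1 to 148:4 rule messages end with periods while the neighbouring 145:x and 149:x messages do not; drop the trailing periods so the rules index stays consistent.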
variable
* byte_test (ips_option): rule option to convert data to integer
and compare
+ * cip (inspector): cip inspection
+ * cip_attribute (ips_option): detection option to match CIP
+ attribute
+ * cip_class (ips_option): detection option to match CIP class
+ * cip_conn_path_class (ips_option): detection option to match CIP
+ Connection Path Class
+ * cip_instance (ips_option): detection option to match CIP instance
+ * cip_req (ips_option): detection option to match CIP request
+ * cip_rsp (ips_option): detection option to match CIP response
+ * cip_service (ips_option): detection option to match CIP service
+ * cip_status (ips_option): detection option to match CIP response
+ status
* ciscometadata (codec): support for cisco metadata
* classifications (basic): define rule categories with priority
* classtype (ips_option): general rule option for rule
over LAN
* enable (ips_option): stub rule option to enable or disable full
rule
+ * enip_command (ips_option): detection option to match CIP Enip
+ Command
+ * enip_req (ips_option): detection option to match ENIP Request
+ * enip_rsp (ips_option): detection option to match ENIP response
* erspan2 (codec): support for encapsulated remote switched port
analyzer - type 2
* erspan3 (codec): support for encapsulated remote switched port
* inspector::back_orifice: back orifice detection
* inspector::binder: configure processing based on CIDRs, ports,
services, etc.
+ * inspector::cip: cip inspection
* inspector::data_log: log selected published data to data.log
* inspector::dce_http_proxy: dce over http inspection - client to/
from proxy
variable
* ips_option::byte_test: rule option to convert data to integer and
compare
+ * ips_option::cip_attribute: detection option to match CIP
+ attribute
+ * ips_option::cip_class: detection option to match CIP class
+ * ips_option::cip_conn_path_class: detection option to match CIP
+ Connection Path Class
+ * ips_option::cip_instance: detection option to match CIP instance
+ * ips_option::cip_req: detection option to match CIP request
+ * ips_option::cip_rsp: detection option to match CIP response
+ * ips_option::cip_service: detection option to match CIP service
+ * ips_option::cip_status: detection option to match CIP response
+ status
* ips_option::classtype: general rule option for rule
classification
* ips_option::content: payload rule option for basic pattern
* ips_option::dsize: rule option to test payload size
* ips_option::enable: stub rule option to enable or disable full
rule
+ * ips_option::enip_command: detection option to match CIP Enip
+ Command
+ * ips_option::enip_req: detection option to match ENIP Request
+ * ips_option::enip_rsp: detection option to match ENIP response
* ips_option::file_data: rule option to set detection cursor to
file data
* ips_option::file_type: rule option to check file type
* logger::log_null: disable logging of packets
* logger::log_pcap: log packet in pcap format
* logger::unified2: output event and packet in unified2 format file
+ * piglet::pp_codec: Codec piglet
+ * piglet::pp_inspector: Inspector piglet
+ * piglet::pp_ips_action: Ips action piglet
+ * piglet::pp_ips_option: Ips option piglet
+ * piglet::pp_logger: Logger piglet
+ * piglet::pp_search_engine: Search engine piglet
+ * piglet::pp_so_rule: SO rule piglet
+ * piglet::pp_test: Test piglet
* search_engine::ac_banded: Aho-Corasick Banded (high memory,
moderate performance)
* search_engine::ac_bnfa: Aho-Corasick Binary NFA (low memory, high