The Snort Team
Revision History
-Revision 3.2.2.0 2024-06-03 00:01:20 EDT TST
+Revision 3.3.0.0 2024-06-19 09:50:09 EDT TST
---------------------------------------------------------------------
5.15. dns
5.16. domain_filter
5.17. dpx
- 5.18. file_id
- 5.19. file_log
- 5.20. ftp_client
- 5.21. ftp_data
- 5.22. ftp_server
- 5.23. gtp_inspect
- 5.24. http2_inspect
- 5.25. http_inspect
- 5.26. iec104
- 5.27. imap
- 5.28. mem_test
- 5.29. mms
- 5.30. modbus
- 5.31. netflow
- 5.32. normalizer
- 5.33. null_trace_logger
- 5.34. packet_capture
- 5.35. perf_monitor
- 5.36. pop
- 5.37. port_scan
- 5.38. reputation
- 5.39. rna
- 5.40. rpc_decode
- 5.41. s7commplus
- 5.42. sip
- 5.43. smtp
- 5.44. so_proxy
- 5.45. ssh
- 5.46. ssl
- 5.47. stream
- 5.48. stream_file
- 5.49. stream_icmp
- 5.50. stream_ip
- 5.51. stream_tcp
- 5.52. stream_udp
- 5.53. stream_user
- 5.54. telnet
- 5.55. wizard
+ 5.18. extractor
+ 5.19. file_id
+ 5.20. file_log
+ 5.21. ftp_client
+ 5.22. ftp_data
+ 5.23. ftp_server
+ 5.24. gtp_inspect
+ 5.25. http2_inspect
+ 5.26. http_inspect
+ 5.27. iec104
+ 5.28. imap
+ 5.29. mem_test
+ 5.30. mms
+ 5.31. modbus
+ 5.32. netflow
+ 5.33. normalizer
+ 5.34. null_trace_logger
+ 5.35. packet_capture
+ 5.36. perf_monitor
+ 5.37. pop
+ 5.38. port_scan
+ 5.39. reputation
+ 5.40. rna
+ 5.41. rpc_decode
+ 5.42. s7commplus
+ 5.43. sip
+ 5.44. smtp
+ 5.45. so_proxy
+ 5.46. ssh
+ 5.47. ssl
+ 5.48. stream
+ 5.49. stream_file
+ 5.50. stream_icmp
+ 5.51. stream_ip
+ 5.52. stream_tcp
+ 5.53. stream_udp
+ 5.54. stream_user
+ 5.55. telnet
+ 5.56. wizard
6. IPS Action Modules
* snort.log_command(command, logging): enable or disable command
logging
* snort.show_config_generation(): show loaded configuration ID
+ * snort.show_snort_cpu(): show snort cpu usage
* snort.pause(): suspend packet processing
* snort.resume(pkt_num): continue packet processing. If number of
packets is specified, will resume for n packets and pause
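Review bot: the new `snort.show_snort_cpu()` entry has the help text "show snort cpu usage", which leaves open what the figure is (a percentage, seconds of CPU time) and whether it is reported per packet thread or for the whole process, and over what window it is measured. Other commands in this list name their argument and effect precisely; suggest extending the help text to say what is printed, e.g. "show CPU usage of each packet thread (percent)" if that is the behaviour.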
* 116:460 (icmp6) ICMPv6 node info query/response packet with a
code greater than 2
* 116:474 (icmp6) ICMPv6 not encapsulated in IPv6
+ * 116:478 (icmp6) ICMPv6 option length field is set to 0
Peg counts:
* appid.reload_third_party(): reload appid third-party module
* appid.reload_detectors(): reload appid detectors
* appid.print_appid_config(): print appid configs
- * appid.show_cpu_profiler_stats(appid): show appid cpu profiling
- stats
+ * appid.show_cpu_profiler_stats(appid, display_rows_limit): show
+ appid cpu profiling stats
* appid.show_cpu_profiler_status(): show appid cpu profiling status
Peg counts:
* dpx.packets: total packets (sum)
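Review bot: `appid.show_cpu_profiler_stats` gains a second argument `display_rows_limit`, but the help text after it is unchanged ("show appid cpu profiling stats"), so a reader cannot tell whether the argument is optional, what happens when it is omitted, or what it limits (presumably the number of rows of the profiler table that are printed). Suggest documenting the argument in the help text alongside the signature, in the style of `snort.resume(pkt_num)` above, which states what the optional count does.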
-5.18. file_id
+5.18. extractor
+
+--------------
+
+Help: extracts protocol specific data
+
+Type: inspector (passive)
+
+Usage: global
+
+Instance Type: global
+
+Configuration:
+
+ * enum extractor.formatting = csv: output format for extractor {
+ csv }
+ * enum extractor.output = stdout: output destination for extractor
+ { stdout }
+ * enum extractor.protocols[].service: service to extract from {
+ http }
+ * int extractor.protocols[].tenant_id = 0: tenant_id of target
+ tenant { 0:max32 }
+ * string extractor.protocols[].on_events: specify events to log
+ * string extractor.protocols[].fields: specify fields to log
+
+Peg counts:
+
+ * extractor.total_events: total extractor events (sum)
+
+
+5.19. file_id
--------------
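Review bot: the two `string` parameters `extractor.protocols[].on_events` and `extractor.protocols[].fields` are described only as "specify events to log" and "specify fields to log"; nothing on this page says which event names and field names are valid for the one supported service (`http`), or how multiple values are separated. Since the output goes to `stdout` as `csv` with no header line documented, a reader also cannot tell in what order the fields appear. Suggest listing the accepted event and field names per service (or pointing to where they are listed) and adding a minimal `extractor = { protocols = { { service = 'http', on_events = ..., fields = ... } } }` configuration example so the syntax is unambiguous. Also worth stating explicitly that `csv` and `stdout` are currently the only accepted values for `formatting` and `output`, since a single-member enum reads as a placeholder.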
concurrently on a flow (max)
-5.19. file_log
+5.20. file_log
--------------
* file_log.total_events: total file events (sum)
-5.20. ftp_client
+5.21. ftp_client
--------------
sequences on FTP control channel
-5.21. ftp_data
+5.22. ftp_data
--------------
* ftp_data.packets: total packets (sum)
-5.22. ftp_server
+5.23. ftp_server
--------------
sessions with segment size change (sum)
-5.23. gtp_inspect
+5.24. gtp_inspect
--------------
* gtp_inspect.unknown_infos: unknown information elements (sum)
-5.24. http2_inspect
+5.25. http2_inspect
--------------
concurrent streams (sum)
-5.25. http_inspect
+5.26. http_inspect
--------------
too many MIME attachments to inspect (sum)
-5.26. iec104
+5.27. iec104
--------------
sessions (max)
-5.27. imap
+5.28. imap
--------------
* imap.js_pdf_scripts: total number of PDF files processed (sum)
-5.28. mem_test
+5.29. mem_test
--------------
* mem_test.packets: total packets (sum)
-5.29. mms
+5.30. mms
--------------
(max)
-5.30. modbus
+5.31. modbus
--------------
sessions (max)
-5.31. netflow
+5.32. netflow
--------------
template cache (now)
-5.32. normalizer
+5.33. normalizer
--------------
* normalizer.tcp_block: blocked segments (sum)
-5.33. null_trace_logger
+5.34. null_trace_logger
--------------
Instance Type: global
-5.34. packet_capture
+5.35. packet_capture
--------------
(sum)
-5.35. perf_monitor
+5.36. perf_monitor
--------------
by new flows (sum)
-5.36. pop
+5.37. pop
--------------
* pop.js_pdf_scripts: total number of PDF files processed (sum)
-5.37. port_scan
+5.38. port_scan
--------------
portscan (now)
-5.38. reputation
+5.39. reputation
--------------
monitored (sum)
-5.39. rna
+5.40. rna
--------------
* rna.total_bytes_in_interval: count of bytes processed (sum)
-5.40. rpc_decode
+5.41. rpc_decode
--------------
sessions (max)
-5.41. s7commplus
+5.42. s7commplus
--------------
sessions (max)
-5.42. sip
+5.43. sip
--------------
* sip.code_9xx: 9xx (sum)
-5.43. smtp
+5.44. smtp
--------------
* smtp.js_pdf_scripts: total number of PDF files processed (sum)
-5.44. so_proxy
+5.45. so_proxy
--------------
Instance Type: global
-5.45. ssh
+5.46. ssh
--------------
(max)
-5.46. ssl
+5.47. ssl
--------------
(max)
-5.47. stream
+5.48. stream
--------------
* stream.uni_ip_flows: number of uni ip flows in cache (now)
-5.48. stream_file
+5.49. stream_file
--------------
* bool stream_file.upload = false: indicate file transfer direction
-5.49. stream_icmp
+5.50. stream_icmp
--------------
* stream_icmp.prunes: icmp session prunes (sum)
-5.50. stream_ip
+5.51. stream_ip
--------------
* stream_ip.fragmented_bytes: total fragmented bytes (sum)
-5.51. stream_tcp
+5.52. stream_tcp
--------------
one-way traffic only (sum)
-5.52. stream_udp
+5.53. stream_udp
--------------
* stream_udp.ignored: udp packets ignored (sum)
-5.53. stream_user
+5.54. stream_user
--------------
1:max31 }
-5.54. telnet
+5.55. telnet
--------------
sessions (max)
-5.55. wizard
+5.56. wizard
--------------
ordering incoming events { priority|content_length }
* bool event_queue.process_all_events = false: process just first
action group or all action groups
+ * enum extractor.formatting = csv: output format for extractor {
+ csv }
+ * enum extractor.output = stdout: output destination for extractor
+ { stdout }
+ * string extractor.protocols[].fields: specify fields to log
+ * string extractor.protocols[].on_events: specify events to log
+ * enum extractor.protocols[].service: service to extract from {
+ http }
+ * int extractor.protocols[].tenant_id = 0: tenant_id of target
+ tenant { 0:max32 }
* string file_connector[].connector: connector name
* enum file_connector[].direction: usage { receive | transmit |
duplex }
out of global memory (sum)
* event_filter.no_memory_local: number of times event filter ran
out of local memory (sum)
+ * extractor.total_events: total extractor events (sum)
* file_connector.messages: total messages (sum)
* file_id.cache_failures: number of file cache add failures (sum)
* file_id.files_not_processed: number of files not processed due to
The IPv6 packet has a reserved destination address.
+116:478 (icmp6) ICMPv6 option length field is set to 0
+
+ICMPv6 option length field is set to 0.
+
119:1 (http_inspect) URI has percent-encoding of an unreserved
character
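Review bot: the description added for 116:478 simply restates the rule title ("ICMPv6 option length field is set to 0"), which gives the reader no idea why the decoder alerts. Suggest saying that ICMPv6 neighbor discovery options use the Type/Length format of RFC 4861 section 4.6, where Length is in units of 8 octets, "the value 0 is invalid", and a node MUST silently discard an ND packet containing such an option; a zero length also makes the option list impossible to walk, so the packet is malformed rather than merely unusual. One sentence of that form matches the level of detail given for the neighbouring 116 entries (for example, the reserved destination address note just above).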
* appid.reload_third_party(): reload appid third-party module
* appid.reload_detectors(): reload appid detectors
* appid.print_appid_config(): print appid configs
- * appid.show_cpu_profiler_stats(appid): show appid cpu profiling
- stats
+ * appid.show_cpu_profiler_stats(appid, display_rows_limit): show
+ appid cpu profiling stats
* appid.show_cpu_profiler_status(): show appid cpu profiling status
* host_cache.dump(file_name): dump host cache
* host_cache.delete_host(host_ip): delete host from host cache
* snort.log_command(command, logging): enable or disable command
logging
* snort.show_config_generation(): show loaded configuration ID
+ * snort.show_snort_cpu(): show snort cpu usage
* snort.pause(): suspend packet processing
* snort.resume(pkt_num): continue packet processing. If number of
packets is specified, will resume for n packets and pause
* eth (codec): support for ethernet protocol (DLT 1) (DLT 51)
* event_filter (basic): configure thresholding of events
* event_queue (basic): configure event queue parameters
+ * extractor (inspector): extracts protocol specific data
* fabricpath (codec): support for fabricpath
* file_connector (connector): implement the file based connector
* file_data (ips_option): rule option to set detection cursor to
* inspector::dns: dns inspection
* inspector::domain_filter: alert on configured HTTP domains
* inspector::dpx: dynamic inspector example
+ * inspector::extractor: extracts protocol specific data
* inspector::file_id: configure file identification
* inspector::file_log: log file event to file.log
* inspector::ftp_client: FTP inspector client module