+2021/07/28 - 3.1.9.0
+
+actions: allow session data to stay accessible for loggers for reject rule action
+byte_options: address compiler warnings
+control: add idle expire removal to control channels
+dump_stats: direct output back to command channel
+events: use instance_id to make event_id unique across threads
+file_api: handle file_cache inspection for non-zero offset
+http2_inspect: change xor to or in assert that was failing due to uninitialized variable
+http2_inspect: fix HPACK dynamic table size update management
+http2_inspect: remove unused variables
+http_inspect: add peg count for script bytes processed
+http_inspect: add rule option http_raw_header_complete
+http_inspect: don't allocate 0-length partial inspection buffer
+ips_options: add catch tests for byte_test, byte_jump, byte_math, byte_extract
+ips_options: address compiler warnings
+ips_options: refactor byte_extract, byte_test, byte_math, byte_jump and related tests
+lua: update HTTP/2 default_wizard hex with S2C pattern match
+stats: update file and appid stats to use Log functions provided from stats.cc
+
2021/07/15 - 3.1.8.0
appid: support SSH client detection through lua detector
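Review bot: the entry "http2_inspect: change xor to or in assert that was failing due to uninitialized variable" reads as though the assertion was loosened to stop it firing rather than the root cause removed; an assert that fails because one of its operands is uninitialized is a symptom, and the fix that matters is initializing that operand before the check runs. If the commit initializes the variable as well as correcting the operator, say so in the entry so the log does not look like a silenced check; if it only swaps the operator, the uninitialized read is still present and should be addressed before release.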
The Snort Team
Revision History
-Revision 3.1.8.0 2021-07-15 06:38:22 EDT TST
+Revision 3.1.9.0 2021-07-28 06:22:26 EDT TST
---------------------------------------------------------------------
7.52. http_raw_body
7.53. http_raw_cookie
7.54. http_raw_header
- 7.55. http_raw_request
- 7.56. http_raw_status
- 7.57. http_raw_trailer
- 7.58. http_raw_uri
- 7.59. http_stat_code
- 7.60. http_stat_msg
- 7.61. http_trailer
- 7.62. http_true_ip
- 7.63. http_uri
- 7.64. http_version
- 7.65. icmp_id
- 7.66. icmp_seq
- 7.67. icode
- 7.68. id
- 7.69. iec104_apci_type
- 7.70. iec104_asdu_func
- 7.71. ip_proto
- 7.72. ipopts
- 7.73. isdataat
- 7.74. itype
- 7.75. md5
- 7.76. metadata
- 7.77. modbus_data
- 7.78. modbus_func
- 7.79. modbus_unit
- 7.80. msg
- 7.81. mss
- 7.82. pcre
- 7.83. pkt_data
- 7.84. pkt_num
- 7.85. priority
- 7.86. raw_data
- 7.87. reference
- 7.88. regex
- 7.89. rem
- 7.90. replace
- 7.91. rev
- 7.92. rpc
- 7.93. s7commplus_content
- 7.94. s7commplus_func
- 7.95. s7commplus_opcode
- 7.96. script_data
- 7.97. sd_pattern
- 7.98. seq
- 7.99. service
- 7.100. sha256
- 7.101. sha512
- 7.102. sid
- 7.103. sip_body
- 7.104. sip_header
- 7.105. sip_method
- 7.106. sip_stat_code
- 7.107. so
- 7.108. soid
- 7.109. ssl_state
- 7.110. ssl_version
- 7.111. stream_reassemble
- 7.112. stream_size
- 7.113. tag
- 7.114. target
- 7.115. tos
- 7.116. ttl
- 7.117. urg
- 7.118. window
- 7.119. wscale
+ 7.55. http_raw_header_complete
+ 7.56. http_raw_request
+ 7.57. http_raw_status
+ 7.58. http_raw_trailer
+ 7.59. http_raw_uri
+ 7.60. http_stat_code
+ 7.61. http_stat_msg
+ 7.62. http_trailer
+ 7.63. http_true_ip
+ 7.64. http_uri
+ 7.65. http_version
+ 7.66. icmp_id
+ 7.67. icmp_seq
+ 7.68. icode
+ 7.69. id
+ 7.70. iec104_apci_type
+ 7.71. iec104_asdu_func
+ 7.72. ip_proto
+ 7.73. ipopts
+ 7.74. isdataat
+ 7.75. itype
+ 7.76. md5
+ 7.77. metadata
+ 7.78. modbus_data
+ 7.79. modbus_func
+ 7.80. modbus_unit
+ 7.81. msg
+ 7.82. mss
+ 7.83. pcre
+ 7.84. pkt_data
+ 7.85. pkt_num
+ 7.86. priority
+ 7.87. raw_data
+ 7.88. reference
+ 7.89. regex
+ 7.90. rem
+ 7.91. replace
+ 7.92. rev
+ 7.93. rpc
+ 7.94. s7commplus_content
+ 7.95. s7commplus_func
+ 7.96. s7commplus_opcode
+ 7.97. script_data
+ 7.98. sd_pattern
+ 7.99. seq
+ 7.100. service
+ 7.101. sha256
+ 7.102. sha512
+ 7.103. sid
+ 7.104. sip_body
+ 7.105. sip_header
+ 7.106. sip_method
+ 7.107. sip_stat_code
+ 7.108. so
+ 7.109. soid
+ 7.110. ssl_state
+ 7.111. ssl_version
+ 7.112. stream_reassemble
+ 7.113. stream_size
+ 7.114. tag
+ 7.115. target
+ 7.116. tos
+ 7.117. ttl
+ 7.118. urg
+ 7.119. window
+ 7.120. wscale
8. Search Engine Modules
9. SO Rule Modules
* 121:32 (http2_inspect) HTTP/2 window update frame with zero
increment
* 121:33 (http2_inspect) HTTP/2 request without a method
+ * 121:34 (http2_inspect) HTTP/2 HPACK table size update not at the
+ start of a header block
+ * 121:35 (http2_inspect) More than two HTTP/2 HPACK table size
+ updates in a single header block
+ * 121:36 (http2_inspect) HTTP/2 HPACK table size update exceeds max
+ value set by decoder in SETTINGS frame
Peg counts:
JavaScripts processed (sum)
* http_inspect.js_external_scripts: total number of external
JavaScripts processed (sum)
+ * http_inspect.js_bytes: total number of JavaScript bytes processed
+ (sum)
5.25. iec104
HTTP message trailers
-7.55. http_raw_request
+7.55. http_raw_header_complete
+
+--------------
+
+Help: rule option to set the detection cursor to the unnormalized
+headers including cookies
+
+Type: ips_option
+
+Usage: detect
+
+Configuration:
+
+ * implied http_raw_header_complete.request: match against the
+ headers from the request message even when examining the response
+ * implied http_raw_header_complete.with_header: this rule is
+ limited to examining HTTP message headers
+ * implied http_raw_header_complete.with_body: parts of this rule
+ examine HTTP message body
+ * implied http_raw_header_complete.with_trailer: parts of this rule
+ examine HTTP message trailers
+
+
+7.56. http_raw_request
--------------
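Review bot: the new 7.55 http_raw_header_complete section copies the four option descriptions (request, with_header, with_body, with_trailer) word for word from http_raw_header, so the only thing in the section that distinguishes the option is the phrase "including cookies" in the Help line. Since the option exists specifically to expose the Cookie and Set-Cookie headers that http_raw_header omits, name those two headers in the Help text, and state here that selecting an individual header by name is not supported, as the 5.10.4.2 manual hunk later in this patch does; a rule writer reading the reference alone should not have to infer either point.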
HTTP message trailers
-7.56. http_raw_status
+7.57. http_raw_status
--------------
HTTP message trailers
-7.57. http_raw_trailer
+7.58. http_raw_trailer
--------------
HTTP response message body (must be combined with request)
-7.58. http_raw_uri
+7.59. http_raw_uri
--------------
URI only
-7.59. http_stat_code
+7.60. http_stat_code
--------------
HTTP message trailers
-7.60. http_stat_msg
+7.61. http_stat_msg
--------------
HTTP message trailers
-7.61. http_trailer
+7.62. http_trailer
--------------
message body (must be combined with request)
-7.62. http_true_ip
+7.63. http_true_ip
--------------
HTTP message trailers
-7.63. http_uri
+7.64. http_uri
--------------
only
-7.64. http_version
+7.65. http_version
--------------
HTTP message trailers
-7.65. icmp_id
+7.66. icmp_id
--------------
0:65535 }
-7.66. icmp_seq
+7.67. icmp_seq
--------------
given range { 0:65535 }
-7.67. icode
+7.68. icode
--------------
0:255 }
-7.68. id
+7.69. id
--------------
}
-7.69. iec104_apci_type
+7.70. iec104_apci_type
--------------
* string iec104_apci_type.~: APCI type to match
-7.70. iec104_asdu_func
+7.71. iec104_asdu_func
--------------
* string iec104_asdu_func.~: function code to match
-7.71. ip_proto
+7.72. ip_proto
--------------
* string ip_proto.~proto: [!|>|<] name or number
-7.72. ipopts
+7.73. ipopts
--------------
lsrre|ssrr|satid|any }
-7.73. isdataat
+7.74. isdataat
--------------
buffer
-7.74. itype
+7.75. itype
--------------
0:255 }
-7.75. md5
+7.76. md5
--------------
of buffer
-7.76. metadata
+7.77. metadata
--------------
pairs
-7.77. modbus_data
+7.78. modbus_data
--------------
Usage: detect
-7.78. modbus_func
+7.79. modbus_func
--------------
* string modbus_func.~: function code to match
-7.79. modbus_unit
+7.80. modbus_unit
--------------
* int modbus_unit.~: Modbus unit ID { 0:255 }
-7.80. msg
+7.81. msg
--------------
* string msg.~: message describing rule
-7.81. mss
+7.82. mss
--------------
}
-7.82. pcre
+7.83. pcre
--------------
* pcre.pcre_negated: total pcre rules using negation syntax (sum)
-7.83. pkt_data
+7.84. pkt_data
--------------
Usage: detect
-7.84. pkt_num
+7.85. pkt_num
--------------
{ 1: }
-7.85. priority
+7.86. priority
--------------
1:max31 }
-7.86. raw_data
+7.87. raw_data
--------------
Usage: detect
-7.87. reference
+7.88. reference
--------------
* string reference.~ref: reference: <scheme>,<id>
-7.88. regex
+7.89. regex
--------------
instead of start of buffer
-7.89. rem
+7.90. rem
--------------
* string rem.~: comment
-7.90. replace
+7.91. replace
--------------
* string replace.~: byte code to replace with
-7.91. rev
+7.92. rev
--------------
* int rev.~: revision { 1:max32 }
-7.92. rpc
+7.93. rpc
--------------
* string rpc.~proc: procedure number or * for any
-7.93. s7commplus_content
+7.94. s7commplus_content
--------------
Usage: detect
-7.94. s7commplus_func
+7.95. s7commplus_func
--------------
* string s7commplus_func.~: function code to match
-7.95. s7commplus_opcode
+7.96. s7commplus_opcode
--------------
* string s7commplus_opcode.~: opcode code to match
-7.96. script_data
+7.97. script_data
--------------
Usage: detect
-7.97. sd_pattern
+7.98. sd_pattern
--------------
* sd_pattern.terminated: hyperscan terminated (sum)
-7.98. seq
+7.99. seq
--------------
range { 0: }
-7.99. service
+7.100. service
--------------
* string service.*: one or more comma-separated service names
-7.100. sha256
+7.101. sha256
--------------
start of buffer
-7.101. sha512
+7.102. sha512
--------------
start of buffer
-7.102. sid
+7.103. sid
--------------
* int sid.~: signature id { 1:max32 }
-7.103. sip_body
+7.104. sip_body
--------------
Usage: detect
-7.104. sip_header
+7.105. sip_header
--------------
Usage: detect
-7.105. sip_method
+7.106. sip_method
--------------
* string sip_method.*method: sip method
-7.106. sip_stat_code
+7.107. sip_stat_code
--------------
* int sip_stat_code.*code: status code { 1:999 }
-7.107. so
+7.108. so
--------------
buffer
-7.108. soid
+7.109. soid
--------------
like 3_45678_9
-7.109. ssl_state
+7.110. ssl_state
--------------
unknown
-7.110. ssl_version
+7.111. ssl_version
--------------
tls1.2
-7.111. stream_reassemble
+7.112. stream_reassemble
--------------
remainder of the session
-7.112. stream_size
+7.113. stream_size
--------------
direction(s) { either|to_server|to_client|both }
-7.113. tag
+7.114. tag
--------------
* int tag.bytes: tag for this many bytes { 1:max32 }
-7.114. target
+7.115. target
--------------
dst_ip }
-7.115. tos
+7.116. tos
--------------
* interval tos.~range: check if IP TOS is in given range { 0:255 }
-7.116. ttl
+7.117. ttl
--------------
0:255 }
-7.117. urg
+7.118. urg
--------------
{ 0:65535 }
-7.118. window
+7.119. window
--------------
range { 0:65535 }
-7.119. wscale
+7.120. wscale
--------------
examining HTTP message headers
* implied http_raw_cookie.with_trailer: parts of this rule examine
HTTP message trailers
+ * implied http_raw_header_complete.request: match against the
+ headers from the request message even when examining the response
+ * implied http_raw_header_complete.with_body: parts of this rule
+ examine HTTP message body
+ * implied http_raw_header_complete.with_header: this rule is
+ limited to examining HTTP message headers
+ * implied http_raw_header_complete.with_trailer: parts of this rule
+ examine HTTP message trailers
* implied http_raw_header.request: match against the headers from
the request message even when examining the response
* implied http_raw_header.with_body: parts of this rule examine
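Review bot: ordering in this hunk. The four http_raw_header_complete.* entries are inserted between http_raw_cookie.* and http_raw_header.*, but in the option summaries later in the patch (the "http_raw_header (ips_option)" and "ips_option::http_raw_header" lists) http_raw_header_complete follows http_raw_header, which is also plain byte order of the names ("." sorts before "_", so http_raw_header.request precedes http_raw_header_complete.request). If this list is meant to be sorted, move the new entries after the http_raw_header.* block; if the file is generator output, check the generator's sort key, because the two files in this patch disagree.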
* http_inspect.get_requests: GET requests inspected (sum)
* http_inspect.head_requests: HEAD requests inspected (sum)
* http_inspect.inspections: total message sections inspected (sum)
+ * http_inspect.js_bytes: total number of JavaScript bytes processed
+ (sum)
* http_inspect.js_external_scripts: total number of external
JavaScripts processed (sum)
* http_inspect.js_inline_scripts: total number of inline
* 121:32 (http2_inspect) HTTP/2 window update frame with zero
increment
* 121:33 (http2_inspect) HTTP/2 request without a method
+ * 121:34 (http2_inspect) HTTP/2 HPACK table size update not at the
+ start of a header block
+ * 121:35 (http2_inspect) More than two HTTP/2 HPACK table size
+ updates in a single header block
+ * 121:36 (http2_inspect) HTTP/2 HPACK table size update exceeds max
+ value set by decoder in SETTINGS frame
* 122:1 (port_scan) TCP portscan
* 122:2 (port_scan) TCP decoy portscan
* 122:3 (port_scan) TCP portsweep
cursor to the unnormalized cookie
* http_raw_header (ips_option): rule option to set the detection
cursor to the unnormalized headers
+ * http_raw_header_complete (ips_option): rule option to set the
+ detection cursor to the unnormalized headers including cookies
* http_raw_request (ips_option): rule option to set the detection
cursor to the unnormalized request line
* http_raw_status (ips_option): rule option to set the detection
cursor to the unnormalized cookie
* ips_option::http_raw_header: rule option to set the detection
cursor to the unnormalized headers
+ * ips_option::http_raw_header_complete: rule option to set the
+ detection cursor to the unnormalized headers including cookies
* ips_option::http_raw_request: rule option to set the detection
cursor to the unnormalized request line
* ips_option::http_raw_status: rule option to set the detection
The Snort Team
Revision History
-Revision 3.1.8.0 2021-07-15 06:38:10 EDT TST
+Revision 3.1.9.0 2021-07-28 06:22:15 EDT TST
---------------------------------------------------------------------
Nothing here is intended to conflict with the technical language of
the HTTP RFCs and the implementation follows the RFCs.
-5.10.4.2. http_header and http_raw_header
+5.10.4.2. http_header, http_raw_header, and http_raw_header_complete
These cover all the header lines except the first one. You may
specify an individual header by name using the field option as shown
With http_header the individual header value is normalized in a way
that is appropriate for that header.
-Specifying an individual header is not available for http_raw_header.
+Specifying an individual header is not available for http_raw_header
+and http_raw_header_complete.
-If you don’t specify a header you get all of the headers except for
-the cookie headers Cookie and Set-Cookie. http_raw_header includes
-the unmodified header names and values as they appeared in the
-original message. http_header is the same except percent encodings
-are removed and paths are simplified exactly as if the headers were a
-URI.
+If you don’t specify a header you get all of the headers.
+http_raw_header_complete includes cookie headers Cookie and
+Set-Cookie. http_header and http_raw_header don’t. http_raw_header
+and http_raw_header_complete include the unmodified header names and
+values as they appeared in the original message. http_header is the
+same except percent encodings are removed and paths are simplified
+exactly as if the headers were a URI.
In most cases specifying individual headers creates a more efficient
and accurate rule. It is recommended that new rules be written using
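Review bot: the rewritten paragraph opens with "If you don’t specify a header you get all of the headers." and is then contradicted by the next two sentences for two of the three options, whereas the removed text stated the cookie exclusion in the same sentence. Fold the rule into one statement so it cannot be read in isolation, e.g. "If you don’t specify a header you get all of the headers, except that http_header and http_raw_header omit the cookie headers Cookie and Set-Cookie; http_raw_header_complete includes them." The fragment "http_header and http_raw_header don’t." should also be expanded to say what they don’t do, since it borrows its object from the preceding sentence.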