+2021/08/26 - 3.1.11.0
+
+build: update help for --enable-tsc-clock to include arm. Thanks to liangxwa01 for reporting the issue.
+codec: geneve: fix incorrect parsing of option header length
+data_bus: support ordered call of handlers
+dns, ssh: remove obsolete stream insert checks
+doc: Add js_norm_max_template_nesting description
+flow: introduce bidirectional flag for expected session.
+flow: set the client initiated flag before publishing the flow state setup event
+framework: update base API version to 8
+framework: version rollback
+http_inspect: add builtin rule for consecutive commas in accept-encoding header
+http_inspect: Add JavaScript template literals normalization
+http_inspect: check if Normalizer has consumed input
+http_inspect: hard-code infraction enum numbers
+http_inspect: http_raw_header, http_raw_trailer field support
+http_inspect: refactor NormalizedHeader
+http_inspect: support more infractions and events
+http_inspect: two new built-in rules
+inspection: process wizard matches on defragged packets
+ips: add action_map table to map rule types, eg block -> alert
+ips: add action_override which applies to all rules
+lua: update comments in the default config
+modbus: check record length for write file record command
+normalize: remove tcp.trim config
+payload_injector: check if stream is established on flow rather than the packet flag to handle retries
+policy: put inspection policy accessors in public space
+policy: reorganize for sanity
+README: mention vars in default config
+sip: deprecate max_requestName_len in favor of max_request_name_len
+smb: Invoke SMB debug in destructor when packet thread available
+stream_tcp: update API called by payload_injector to check for unflushed queued TCP segments
+style: remove crufty comments
+style: remove C style (void) arglists
+style: remove or update crufty preprocessor comments
+utils: address compiler warning
+utils: support streamed processing of JS text
+wizard: support more HTTP and SIP methods
+
2021/08/11 - 3.1.10.0
appid: update netbios-ss (SMB) detector to extract SMB domain from SMBv2, and more intelligently handle payload appid detection
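Review bot: the adjacent entries `framework: update base API version to 8` and `framework: version rollback` read as contradictory; state the net base API version that actually ships in 3.1.11.0 (and which of the two commits this tag contains), since plugin authors use the ChangeLog to decide whether their inspectors need a rebuild. In the same list, `normalize: remove tcp.trim config` deletes an option outright while `sip: deprecate max_requestName_len in favor of max_request_name_len` keeps a deprecated alias; the trim entry should say plainly that configs still setting `normalizer.tcp.trim` will fail to load on upgrade.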
The Snort Team
Revision History
-Revision 3.1.10.0 2021-08-11 07:53:39 EDT TST
+Revision 3.1.11.0 2021-08-26 11:41:00 EDT TST
---------------------------------------------------------------------
Configuration:
+ * string ips.action_map[].replace: action you want to change
+ * string ips.action_map[].with: action you want to use instead
+ * string ips.action_override: use this action for all rules
+ (applied before action_map)
* enum ips.default_rule_state = inherit: enable or disable ips
rules { no | yes | inherit }
* bool ips.enable_builtin_rules = false: enable events from builtin
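Review bot: the parenthetical `(applied before action_map)` leaves the precedence of the two new settings ambiguous: if action_override is applied first and action_map then rewrites the resulting action, an entry such as `replace = 'alert', with = 'block'` silently defeats `action_override = 'alert'` and every rule ends up blocking. Spell out which setting has the last word with one worked case, e.g. "action_override = 'alert' together with action_map = { { replace = 'alert', with = 'block' } } yields block for all rules", so an operator running in alert-only mode cannot be surprised by a leftover map entry.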
* 133:19 (dce_smb) SMB - excessive read requests with pending read
responses
* 133:20 (dce_smb) SMB - excessive command chaining
- * 133:21 (dce_smb) SMB - multiple chained tree connect requests
- * 133:22 (dce_smb) SMB - multiple chained tree connect requests
+ * 133:21 (dce_smb) SMB - Multiple chained login requests
+ * 133:22 (dce_smb) SMB - Multiple chained tree connect requests
* 133:23 (dce_smb) SMB - chained/compounded login followed by
logoff
* 133:24 (dce_smb) SMB - chained/compounded tree connect followed
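Review bot: the corrected 133:21 text `Multiple chained login requests` fixes the duplicated message, but the capital M (and the matching change to 133:22) is out of step with every sibling message here (133:19, 133:20, 133:23 and 133:24 all start lowercase); suggest `multiple chained login requests` and `multiple chained tree connect requests` so rule messages stay uniform for downstream parsers and SIEM mappings keyed on the message text.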
body bytes to examine (-1 no limit) { -1:max53 }
* bool http_inspect.unzip = true: decompress gzip and deflate
message bodies
+ * int http_inspect.maximum_host_length = -1: maximum allowed length
+ for Host header value (-1 no limit) { -1:max53 }
+ * int http_inspect.maximum_chunk_length = 4294967295: maximum
+ allowed length for a message body chunk { 0:4294967295 }
* bool http_inspect.normalize_utf = true: normalize charset utf
encodings in response bodies
* bool http_inspect.decompress_pdf = false: decompress pdf files in
normalize (-1 unlimited) (experimental) { -1:max53 }
* int http_inspect.js_norm_identifier_depth = 260000: max number of
unique JavaScript identifiers to normalize { 0:260000 }
+ * int http_inspect.js_norm_max_tmpl_nest = 32: maximum depth of
+ template literal nesting that enhanced javascript normalizer will
+ process (experimental) { 0:255 }
* int http_inspect.max_javascript_whitespaces = 200: maximum
consecutive whitespaces allowed within the JavaScript obfuscated
data { 1:65535 }
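Review bot: `maximum_chunk_length` is declared with range `{ 0:4294967295 }`, so 0 is accepted; because the terminating chunk is the one with length 0, a setting of 0 would raise 119:16 on every data-bearing chunk rather than disable the check. Either raise the lower bound to 1 or document 0 explicitly. The two new limits also use different "off" conventions (`-1` for maximum_host_length, the maximum value for maximum_chunk_length); one sentence saying so would stop operators from setting -1 on the chunk option and hitting a range error at load time.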
CR
* 119:14 (http_inspect) non-RFC defined char
* 119:15 (http_inspect) oversize request-uri directory
+ * 119:16 (http_inspect) oversize chunk encoding
* 119:18 (http_inspect) webroot directory traversal
* 119:19 (http_inspect) long header
* 119:20 (http_inspect) max header fields
* 119:21 (http_inspect) multiple content length
* 119:24 (http_inspect) Host header field appears more than once or
has multiple values
+ * 119:25 (http_inspect) Host header value is too long
* 119:28 (http_inspect) POST or PUT w/o content-length or chunks
* 119:31 (http_inspect) unknown method
* 119:32 (http_inspect) simple request
* 119:269 (http_inspect) script opening tag in a short form
* 119:270 (http_inspect) max number of unique JavaScript
identifiers reached
+ * 119:271 (http_inspect) JavaScript template literal nesting is
+ over capacity
+ * 119:272 (http_inspect) Consecutive commas in HTTP Accept-Encoding
+ header
Peg counts:
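Review bot: 119:272 `Consecutive commas in HTTP Accept-Encoding header` begins with a capital where the surrounding messages (119:14 `non-RFC defined char`, 119:269 `script opening tag in a short form`) are lowercase; please match the existing style. Separately, 119:16 `oversize chunk encoding` is being placed into a gap in the numbering (119:17 and 119:22-23 are absent from this list), so confirm that SID 16 was not previously used for a different condition in an earlier 3.x release, otherwise rule-state overrides and suppressions keyed on 119:16 change meaning without warning.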
packet
* bool normalizer.tcp.trim_win = false: trim data to window
* bool normalizer.tcp.trim_mss = false: trim data to MSS
- * bool normalizer.tcp.trim = false: enable all of the TCP trim
- options
* bool normalizer.tcp.opts = false: clear all options except mss,
wscale, timestamp, and any explicitly allowed
* bool normalizer.tcp.req_urg = false: clear the urgent pointer if
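Review bot: `normalizer.tcp.trim` is removed rather than deprecated, so an existing `normalizer = { tcp = { trim = true } }` stops loading after upgrade, whereas the same change keeps `sip.max_requestName_len` as a deprecated alias. Suggest keeping `trim` as a deprecated alias that enables the individual trim_* options (trim_win, trim_mss, trim_rst are the ones listed here), or at minimum an explicit upgrade note; a normalizer option silently dropped from a config is a policy regression, not just a syntax error.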
* int sip.max_dialogs = 4: maximum number of dialogs within one
stream session { 1:max32 }
* int sip.max_from_len = 256: maximum from field size { 0:65535 }
- * int sip.max_requestName_len = 20: maximum request name field size
- { 0:65535 }
+ * int sip.max_request_name_len = 20: maximum request name field
+ size { 0:65535 }
+ * int sip.max_requestName_len = 20: deprecated - use
+ max_request_name_len instead { 0:65535 }
* int sip.max_to_len = 256: maximum to field size { 0:65535 }
* int sip.max_uri_len = 256: maximum request uri field size {
0:65535 }
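Review bot: `sip.max_request_name_len` and the deprecated `sip.max_requestName_len` both default to 20, but neither entry says which value wins when a config sets both to different numbers; document that the new name takes precedence (or that the deprecated one is ignored with a warning) so a partially migrated config cannot silently keep the old limit. The reference copy of this list further down orders the two entries the other way round; fine if that file is generated alphabetically, but worth confirming the generator does that on purpose.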
Configuration:
+ * string http_raw_header.field: restrict to given header. Header
+ name is case insensitive.
* implied http_raw_header.request: match against the headers from
the request message even when examining the response
* implied http_raw_header.with_header: this rule is limited to
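Review bot: `restrict to given header` does not say whether the http_raw_header buffer then holds only that header's raw value or the whole `Name: value` line, nor what happens when the header is repeated (several Cookie lines, for instance): concatenated, first occurrence only, or each in turn. The http_header text at the end of this diff says its value is normalized per header; describe the raw counterpart in the same terms, since rule writers matching on raw bytes need to know exactly what the buffer contains. The same applies to `http_raw_trailer.field` in the next hunk.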
Configuration:
+ * string http_raw_trailer.field: restrict to given trailer. Trailer
+ name is case insensitive.
* implied http_raw_trailer.request: match against the trailers from
the request message even when examining the response
* implied http_raw_trailer.with_header: parts of this rule examine
normalize (-1 unlimited) (experimental) { -1:max53 }
* int http_inspect.js_norm_identifier_depth = 260000: max number of
unique JavaScript identifiers to normalize { 0:260000 }
+ * int http_inspect.js_norm_max_tmpl_nest = 32: maximum depth of
+ template literal nesting that enhanced javascript normalizer will
+ process (experimental) { 0:255 }
+ * int http_inspect.maximum_chunk_length = 4294967295: maximum
+ allowed length for a message body chunk { 0:4294967295 }
+ * int http_inspect.maximum_host_length = -1: maximum allowed length
+ for Host header value (-1 no limit) { -1:max53 }
* int http_inspect.max_javascript_whitespaces = 200: maximum
consecutive whitespaces allowed within the JavaScript obfuscated
data { 1:65535 }
limited to examining HTTP message headers
* implied http_raw_header_complete.with_trailer: parts of this rule
examine HTTP message trailers
+ * string http_raw_header.field: restrict to given header. Header
+ name is case insensitive.
* implied http_raw_header.request: match against the headers from
the request message even when examining the response
* implied http_raw_header.with_body: parts of this rule examine
HTTP message body
* implied http_raw_status.with_trailer: parts of this rule examine
HTTP message trailers
+ * string http_raw_trailer.field: restrict to given trailer. Trailer
+ name is case insensitive.
* implied http_raw_trailer.request: match against the trailers from
the request message even when examining the response
* implied http_raw_trailer.with_body: parts of this rule examine
* select ipopts.~opt: output format { rr|eol|nop|ts|sec|esec|lsrr|
lsrre|ssrr|satid|any }
* string ip_proto.~proto: [!|>|<] name or number
+ * string ips.action_map[].replace: action you want to change
+ * string ips.action_map[].with: action you want to use instead
+ * string ips.action_override: use this action for all rules
+ (applied before action_map)
* enum ips.default_rule_state = inherit: enable or disable ips
rules { no | yes | inherit }
* bool ips.enable_builtin_rules = false: enable events from builtin
urgent pointer is not set
* bool normalizer.tcp.rsv = false: clear the reserved bits in the
TCP header
- * bool normalizer.tcp.trim = false: enable all of the TCP trim
- options
* bool normalizer.tcp.trim_mss = false: trim data to MSS
* bool normalizer.tcp.trim_rst = false: remove any data from RST
packet
* int sip.max_dialogs = 4: maximum number of dialogs within one
stream session { 1:max32 }
* int sip.max_from_len = 256: maximum from field size { 0:65535 }
- * int sip.max_requestName_len = 20: maximum request name field size
- { 0:65535 }
+ * int sip.max_requestName_len = 20: deprecated - use
+ max_request_name_len instead { 0:65535 }
+ * int sip.max_request_name_len = 20: maximum request name field
+ size { 0:65535 }
* int sip.max_to_len = 256: maximum to field size { 0:65535 }
* int sip.max_uri_len = 256: maximum request uri field size {
0:65535 }
CR
* 119:14 (http_inspect) non-RFC defined char
* 119:15 (http_inspect) oversize request-uri directory
+ * 119:16 (http_inspect) oversize chunk encoding
* 119:18 (http_inspect) webroot directory traversal
* 119:19 (http_inspect) long header
* 119:20 (http_inspect) max header fields
* 119:21 (http_inspect) multiple content length
* 119:24 (http_inspect) Host header field appears more than once or
has multiple values
+ * 119:25 (http_inspect) Host header value is too long
* 119:28 (http_inspect) POST or PUT w/o content-length or chunks
* 119:31 (http_inspect) unknown method
* 119:32 (http_inspect) simple request
* 119:269 (http_inspect) script opening tag in a short form
* 119:270 (http_inspect) max number of unique JavaScript
identifiers reached
+ * 119:271 (http_inspect) JavaScript template literal nesting is
+ over capacity
+ * 119:272 (http_inspect) Consecutive commas in HTTP Accept-Encoding
+ header
* 121:1 (http2_inspect) invalid flag set on HTTP/2 frame
* 121:2 (http2_inspect) HPACK integer value has leading zeros
* 121:3 (http2_inspect) HTTP/2 stream initiated with invalid stream
* 133:19 (dce_smb) SMB - excessive read requests with pending read
responses
* 133:20 (dce_smb) SMB - excessive command chaining
- * 133:21 (dce_smb) SMB - multiple chained tree connect requests
- * 133:22 (dce_smb) SMB - multiple chained tree connect requests
+ * 133:21 (dce_smb) SMB - Multiple chained login requests
+ * 133:22 (dce_smb) SMB - Multiple chained tree connect requests
* 133:23 (dce_smb) SMB - chained/compounded login followed by
logoff
* 133:24 (dce_smb) SMB - chained/compounded tree connect followed
The Snort Team
Revision History
-Revision 3.1.10.0 2021-08-11 07:53:28 EDT TST
+Revision 3.1.11.0 2021-08-26 11:40:49 EDT TST
---------------------------------------------------------------------
enhanced normalizer. This is currently experimental and still under
development.
-5.10.2.10. xff_headers
+5.10.2.10. js_norm_max_tmpl_nest
+
+js_norm_max_tmpl_nest = N {0 : 255} (default 32) is an option of the
+enhanced JavaScript normalizer that determines the deepest level of
+nested template literals to be processed. Introduced in ES6, template
+literals provide syntax to define a literal multiline string, which
+can have arbitrary JavaScript substitutions, that will be evaluated
+and inserted into the string. Such substitutions can be nested, and
+require keeping track of every layer for proper normalization. This
+option is present to limit the amount of memory dedicated to this
+tracking. This option is used only when js_normalization_depth is not
+0. This feature is currently experimental and still under
+development.
+
+5.10.2.11. xff_headers
This configuration supports defining custom x-forwarded-for type
headers. In a multi-vendor world, it is quite possible that the
"true-client-ip" if both headers are present in the stream. The
header names should be delimited by a space.
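Review bot: the new js_norm_max_tmpl_nest section explains why the limit exists but not what happens when it is reached; this change also adds 119:271 `JavaScript template literal nesting is over capacity`, so say here that the alert is raised and whether normalization of the remaining script continues or is abandoned. That answer matters to rule writers: if the normalizer bails at 33 nested `${...}` levels (default 32), that is an evasion an attacker can trigger on purpose. Also, renumbering xff_headers from 5.10.2.10 to 5.10.2.11 shifts every later subsection; check that nothing else in the manual cites these section numbers.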
-5.10.2.11. URI processing
+5.10.2.12. maximum_host_length
+
+Setting maximum_host_length causes http_inspect to generate 119:25 if
+the Host header value including optional white space exceeds the
+specified length. In the abnormal case of multiple Host headers, the
+total length of the combined values is used. The default value is -1,
+meaning do not perform this check.
+
+5.10.2.13. maximum_chunk_length
+
+http_inspect strictly limits individual chunks within a chunked
+message body to be less than four gigabytes.
+
+A lower limit may be configured by setting maximum_chunk_length. Any
+chunk longer than maximum chunk length will generate a 119:16 alert.
+
+5.10.2.14. URI processing
Normalization and inspection of the URI in the HTTP request message
is a key aspect of what http_inspect does. The best way to normalize
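Review bot: `Any chunk longer than maximum chunk length will generate a 119:16 alert` should use the option's actual name `maximum_chunk_length` and, more importantly, state what http_inspect does with the body after the alert (keep inspecting the chunk and the rest of the message, or stop processing it); the maximum_host_length section has the same gap. Without that, a reader cannot tell whether an oversize chunk is merely logged or whether the remainder of the body escapes detection. `less than four gigabytes` next to an option maximum of 4294967295 would also be clearer stated precisely as 2^32 - 1 bytes.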
With http_header the individual header value is normalized in a way
that is appropriate for that header.
-Specifying an individual header is not available for http_raw_header
-and http_raw_header_complete.
+Specifying an individual header is not available for
+http_raw_header_complete, use http_raw_header instead.
If you don’t specify a header you get all of the headers.
http_raw_header_complete includes cookie headers Cookie and
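Review bot: `...not available for http_raw_header_complete, use http_raw_header instead.` is a comma splice; `...http_raw_header_complete; use http_raw_header with the field parameter instead.` reads better and ties the sentence to the `http_raw_header.field` option added earlier in this change. A one-line rule fragment showing the parameter in use (e.g. `http_raw_header: field host;`, if that is the accepted syntax) would make the new capability discoverable from the manual rather than only from the option reference.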