<div class="literalblock">\r
<div class="content">\r
<pre><code> ,,_ -*> Snort++ <*-\r
-o" )~ Version 3.0.0-a3 (Build 186) from 2.9.7-262\r
+o" )~ Version 3.0.0-a4 (Build 206) from 2.9.7-262\r
'''' By Martin Roesch & The Snort Team\r
http://snort.org/contact#team\r
- Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.\r
+ Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.\r
Copyright (C) 1998-2013 Sourcefire, Inc., et al.</code></pre>\r
</div></div>\r
<div id="toc">\r
</li>\r
<li>\r
<p>\r
-g++ >= 4.8 or other recent C++11 compiler\r
+daq from <a href="http://www.snort.org">http://www.snort.org</a> for packet IO\r
</p>\r
</li>\r
<li>\r
<p>\r
-daq from <a href="http://www.snort.org">http://www.snort.org</a> for packet IO\r
+g++ >= 4.8 or other recent C++11 compiler\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+hwloc from <a href="https://www.open-mpi.org/projects/hwloc/">https://www.open-mpi.org/projects/hwloc/</a> for CPU affinity management\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
LuaJIT from <a href="http://luajit.org">http://luajit.org</a> for configuration and scripting\r
</p>\r
</li>\r
<li>\r
<p>\r
+OpenSSL from <a href="https://www.openssl.org/source/">https://www.openssl.org/source/</a> for SHA and MD5 file signatures,\r
+ the protected_content rule option, and SSL service detection\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
pcap from <a href="http://www.tcpdump.org">http://www.tcpdump.org</a> for tcpdump style logging\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-zlib from <a href="http://www.zlib.net">http://www.zlib.net</a> for decompression (>= 1.2.8 recommended)\r
+pkgconfig from <a href="https://www.freedesktop.org/wiki/Software/pkg-config/">https://www.freedesktop.org/wiki/Software/pkg-config/</a> to locate build dependencies\r
</p>\r
</li>\r
<li>\r
<p>\r
-pkgconfig from <a href="http://www.freedesktop.org">http://www.freedesktop.org</a> to build the example plugins\r
+zlib from <a href="http://www.zlib.net">http://www.zlib.net</a> for decompression (>= 1.2.8 recommended)\r
</p>\r
</li>\r
</ul></div>\r
</li>\r
<li>\r
<p>\r
-openssl from <a href="https://www.openssl.org">https://www.openssl.org</a> for SHA and MD5 file signatures and\r
- the protected_content rule option\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
hyperscan from <a href="https://github.com/01org/hyperscan">https://github.com/01org/hyperscan</a> to build new and improved\r
regex and (coming soon) fast pattern support\r
</p>\r
generate the dev guide\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+safec from <a href="https://sourceforge.net/projects/safeclib/">https://sourceforge.net/projects/safeclib/</a> for runtime bounds\r
+ checks on certain legacy C-library calls.\r
+</p>\r
+</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
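Review bot: Punctuation is inconsistent across the dependency list after this reorder: the new safec entry ends with "checks on certain legacy C-library calls." while every other item (hwloc, OpenSSL, pkgconfig, zlib) has no trailing period; drop the period or add one everywhere. The pkgconfig line also changes its stated purpose from "to build the example plugins" to "to locate build dependencies"; if pkg-config is now required for the main build rather than only the example plugins, say so explicitly so packagers know it is no longer optional.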
<li>\r
<p>\r
Enabling large pcap may erroneously affect the number of packets processed\r
- from pcaps\r
+ from pcaps.\r
</p>\r
</li>\r
<li>\r
<p>\r
Enabling debug messages may erroneously affect the number of packets\r
- processed from pcaps\r
+ processed from pcaps.\r
</p>\r
</li>\r
<li>\r
iteration 930u invokes undefined behavior [-Waggressive-loop-optimizations]</code></pre>\r
</div></div>\r
</li>\r
+<li>\r
+<p>\r
+Building with clang and autotools on Linux will show the following\r
+ warning many times. Please ignore.\r
+</p>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>clang: warning: argument unused during compilation: '-pthread'</code></pre>\r
+</div></div>\r
+</li>\r
+<li>\r
+<p>\r
+It is not possible to build dynamic plugins using apple clang due to its\r
+ limited support for thread local variables.\r
+</p>\r
+</li>\r
</ul></div>\r
</div>\r
<div class="sect3">\r
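Review bot: The new apple clang item states that dynamic plugins cannot be built but not how the failure shows up, so a user hitting it has nothing to match against; suggest adding the error or configure message they will see, in the same way the clang/autotools item above quotes its warning verbatim. "Please ignore." on that warning item is also terse for a known-problems list; a short reason why the unused "-pthread" argument is harmless would let readers judge it themselves.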
<li>\r
<p>\r
Parsing issue with IP lists. can’t parse rules with $EXTERNAL_NET\r
- defined as below because or the space between ! and 10.\r
+ defined as below because of the space between ! and 10.\r
</p>\r
<div class="literalblock">\r
<div class="content">\r
Ideally, --lua could be used in lieu of -c.\r
</p>\r
</li>\r
-<li>\r
-<p>\r
-Rule line numbers provided with syntax error messages are off by one. The first rule is\r
- unnumbered, the second rule is one, etc. See nhttp_inspect/detection_buffers/bad_rules/expected\r
- for an example.\r
-</p>\r
-</li>\r
</ul></div>\r
</div>\r
<div class="sect3">\r
</li>\r
<li>\r
<p>\r
-There is a bug in pps_stream_tcp.cc.. when stream_tcp: is\r
- specified without any arguments, snort2lua doesn’t convert it.\r
- Same for stream_udp.\r
+There is a bug in pps_stream_tcp.cc.. when stream_tcp: is specified\r
+ without any arguments, snort2lua doesn’t convert it. Same for\r
+ stream_udp.\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-Stream TCP alert squash mechanism incorrectly squashes alerts for\r
+stream_tcp alert squash mechanism incorrectly squashes alerts for\r
different TCP packets.\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+stream_tcp gap count is broken.\r
+</p>\r
+</li>\r
</ul></div>\r
</div>\r
</div>\r
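Review bot: The reflow of the snort2lua item keeps the doubled period in "pps_stream_tcp.cc.. when stream_tcp: is specified"; since the line is being rewritten anyway, make it "pps_stream_tcp.cc: when stream_tcp: is specified". The new item "stream_tcp gap count is broken." is too thin to act on: name which counter is meant (a peg count, a stat line?) and what "broken" means (wrong value, never incremented) so the bug can be recognized and later verified as fixed.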
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>daq.dir</strong>: directory where to search for DAQ plugins\r
+string <strong>daq.module_dirs[].str</strong>: string parameter\r
</p>\r
</li>\r
<li>\r
<p>\r
-select <strong>daq.mode</strong>: set mode of operation { passive | inline | read-file }\r
+string <strong>daq.input_spec</strong>: input specification\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>daq.no_promisc</strong> = false: whether to put DAQ device into promiscuous mode\r
+string <strong>daq.module</strong>: DAQ module to use\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>daq.variables[].str</strong>: string parameter\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>daq.instances[].id</strong>: instance ID (required) { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>daq.type</strong>: select type of DAQ\r
+string <strong>daq.instances[].input_spec</strong>: input specification\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>daq.vars</strong>: comma separated list of name=value DAQ-specific parameters\r
+string <strong>daq.instances[].variables[].str</strong>: string parameter\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>daq.snaplen</strong> = deflt: set snap length (same as -P) { 0:65535 }\r
+int <strong>daq.snaplen</strong>: set snap length (same as -s) { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>daq.decode_data_link</strong> = false: display the second layer header info\r
+bool <strong>daq.no_promisc</strong> = false: whether to put DAQ device into promiscuous mode\r
</p>\r
</li>\r
</ul></div>\r
</li>\r
<li>\r
<p>\r
-<strong>daq.fail open</strong>: packets passed during initialization\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>daq.idle</strong>: attempts to acquire from DAQ without available packets\r
</p>\r
</li>\r
</li>\r
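Review bot: Three of the new daq parameters, "daq.module_dirs[].str", "daq.variables[].str" and "daq.instances[].variables[].str", are described only as "string parameter", which tells the user nothing; the removed lines already have the right wording ("directory where to search for DAQ plugins", "name=value DAQ-specific parameters"), so carry it over. The removed "daq.mode" (passive | inline | read-file) and "daq.decode_data_link" have no replacement in this hunk; if mode selection moved to another module, add a cross reference, otherwise this reads as a silently dropped option. "daq.snaplen" also loses its "= deflt" default; state what the default is now (for example, the DAQ module's own).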
<li>\r
<p>\r
+int <strong>file_id.capture_memcap</strong> = 100: memcap for file capture in megabytes { 0: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>file_id.capture_max_size</strong> = 1048576: stop file capture beyond this point { 0: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>file_id.capture_min_size</strong> = 0: stop file capture if file size less than this { 0: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>file_id.capture_block_size</strong> = 32768: file capture block size in bytes { 8: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
bool <strong>file_id.enable_type</strong> = false: enable type ID\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
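Review bot: Units are missing on the new "file_id.capture_max_size" and "file_id.capture_min_size" while their siblings spell them out ("capture_memcap ... in megabytes", "capture_block_size in bytes"); append "(bytes)" to both so the 1048576 default is unambiguous. Since memcap is in megabytes and the other three in bytes, consider stating the unit in the parameter description of every item in this group to avoid misconfiguration by an order of magnitude.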
<div class="sect2">\r
-<h3 id="_host_tracker">host_tracker</h3>\r
-<div class="paragraph"><p>What: configure hosts</p></div>\r
+<h3 id="_high_availability">high_availability</h3>\r
+<div class="paragraph"><p>What: implement flow tracking high availability</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-addr <strong>host_tracker[].ip</strong> = 0.0.0.0/32: hosts address / cidr\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>host_tracker[].frag_policy</strong>: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris }\r
+bool <strong>high_availability.enable</strong> = false: enable high availability\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>host_tracker[].tcp_policy</strong>: tcp reassembly policy { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }\r
+bool <strong>high_availability.daq_channel</strong> = false: enable use of daq data plane channel\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>host_tracker[].services[].name</strong>: service identifier\r
+bit_list <strong>high_availability.ports</strong>: side channel message port list { 65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>host_tracker[].services[].proto</strong> = tcp: ip protocol { tcp | udp }\r
+real <strong>high_availability.min_age</strong> = 1.0: minimum session life before HA updates { 0.0:100.0 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-port <strong>host_tracker[].services[].port</strong>: port number\r
+real <strong>high_availability.min_sync</strong> = 1.0: minimum interval between HA updates { 0.0:100.0 }\r
</p>\r
</li>\r
</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
</div>\r
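Review bot: The added "Peg counts:" paragraph at the end of the high_availability section is followed directly by the closing div with no list, so the rendered page shows a heading with nothing under it; either drop the paragraph or list the pegs. "high_availability.min_age" and "high_availability.min_sync" give a range of 0.0:100.0 but no unit; "(seconds)" or whatever applies should be stated, as the latency section does with "(usec)" and "(ms)".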
<div class="sect2">\r
-<h3 id="_hosts">hosts</h3>\r
+<h3 id="_host_cache">host_cache</h3>\r
<div class="paragraph"><p>What: configure hosts</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-addr <strong>hosts[].ip</strong> = 0.0.0.0/32: hosts address / cidr\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>hosts[].frag_policy</strong>: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>hosts[].tcp_policy</strong>: tcp reassembly policy { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>hosts[].services[].name</strong>: service identifier\r
+int <strong>host_cache[].size</strong>: size of host cache\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-enum <strong>hosts[].services[].proto</strong> = tcp: ip protocol { tcp | udp }\r
+<strong>host_cache.lru cache adds</strong>: lru cache added new entry\r
</p>\r
</li>\r
<li>\r
<p>\r
-port <strong>hosts[].services[].port</strong>: port number\r
+<strong>host_cache.lru cache replaces</strong>: lru cache replaced existing entry\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_ips">ips</h3>\r
-<div class="paragraph"><p>What: configure IPS rule processing</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>ips.enable_builtin_rules</strong> = false: enable events from builtin rules w/o stubs\r
+<strong>host_cache.lru cache prunes</strong>: lru cache pruned entry to make space for new entry\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>ips.id</strong> = 0: correlate unified2 events with configuration { 0:65535 }\r
+<strong>host_cache.lru cache find hits</strong>: lru cache found entry in cache\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>ips.include</strong>: legacy snort rules and includes\r
+<strong>host_cache.lru cache find misses</strong>: lru cache did not find entry in cache\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>ips.mode</strong>: set policy mode { tap | inline | inline-test }\r
+<strong>host_cache.lru cache removes</strong>: lru cache found entry and removed it\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>ips.rules</strong>: snort rules and includes\r
+<strong>host_cache.lru cache clears</strong>: lru cache clear API calls\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
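Review bot: The unchanged "What: configure hosts" line under the new host_cache heading is left over from the hosts section this block replaces and no longer describes the module; suggest "What: configure the host cache". "host_cache[].size" is rendered with the "[]" list notation although it is a single scalar, and "size of host cache" should say whether that is entries or bytes. The peg names "lru cache adds", "lru cache replaces" and so on contain spaces, unlike "latency.total_packets" or "host_tracker.service adds" elsewhere in this diff; pick one naming style for pegs.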
<div class="sect2">\r
-<h3 id="_network">network</h3>\r
-<div class="paragraph"><p>What: configure basic network parameters</p></div>\r
+<h3 id="_host_tracker">host_tracker</h3>\r
+<div class="paragraph"><p>What: configure hosts</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-multi <strong>network.checksum_drop</strong> = none: drop if checksum is bad { all | ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }\r
+addr <strong>host_tracker[].ip</strong> = 0.0.0.0/32: hosts address / cidr\r
</p>\r
</li>\r
<li>\r
<p>\r
-multi <strong>network.checksum_eval</strong> = none: checksums to verify { all | ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }\r
+enum <strong>host_tracker[].frag_policy</strong>: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>network.decode_drops</strong> = false: enable dropping of packets by the decoder\r
+enum <strong>host_tracker[].tcp_policy</strong>: tcp reassembly policy { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>network.id</strong> = 0: correlate unified2 events with configuration { 0:65535 }\r
+string <strong>host_tracker[].services[].name</strong>: service identifier\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>network.min_ttl</strong> = 1: alert / normalize packets with lower ttl / hop limit (you must enable rules and / or normalization also) { 1:255 }\r
+enum <strong>host_tracker[].services[].proto</strong> = tcp: ip protocol { tcp | udp }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>network.new_ttl</strong> = 1: use this value for responses and when normalizing { 1:255 }\r
+port <strong>host_tracker[].services[].port</strong>: port number\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>network.layers</strong> = 40: The maximum number of protocols that Snort can correctly decode { 3:255 }\r
+<strong>host_tracker.service adds</strong>: host service adds\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>network.max_ip6_extensions</strong> = 0: The number of IP6 options Snort will process for a given IPv6 layer. If this limit is hit, rule 116:456 may fire. 0 = unlimited { 0:255 }\r
+<strong>host_tracker.service finds</strong>: host service finds\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>network.max_ip_layers</strong> = 0: The maximum number of IP layers Snort will process for a given packet If this limit is hit, rule 116:293 may fire. 0 = unlimited { 0:255 }\r
+<strong>host_tracker.service removes</strong>: host service removes\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
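Review bot: The three new host_tracker pegs are described by repeating their names ("host service adds: host service adds"), which adds nothing; say what is counted, for example services added to a tracked host, lookups that found a service, and services removed.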
<div class="sect2">\r
-<h3 id="_output">output</h3>\r
-<div class="paragraph"><p>What: configure general output parameters</p></div>\r
+<h3 id="_hosts">hosts</h3>\r
+<div class="paragraph"><p>What: configure hosts</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>output.dump_chars_only</strong> = false: turns on character dumps (same as -C)\r
+addr <strong>hosts[].ip</strong> = 0.0.0.0/32: hosts address / cidr\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>output.dump_payload</strong> = false: dumps application layer (same as -d)\r
+enum <strong>hosts[].frag_policy</strong>: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>output.dump_payload_verbose</strong> = false: dumps raw packet starting at link layer (same as -X)\r
+enum <strong>hosts[].tcp_policy</strong>: tcp reassembly policy { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>output.log_ipv6_extra_data</strong> = false: log IPv6 source and destination addresses as unified2 extra data records\r
+string <strong>hosts[].services[].name</strong>: service identifier\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>output.event_trace.max_data</strong> = 0: maximum amount of packet data to capture { 0:65535 }\r
+enum <strong>hosts[].services[].proto</strong> = tcp: ip protocol { tcp | udp }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>output.quiet</strong> = false: suppress non-fatal information (still show alerts, same as -q)\r
+port <strong>hosts[].services[].port</strong>: port number\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_ips">ips</h3>\r
+<div class="paragraph"><p>What: configure IPS rule processing</p></div>\r
+<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>output.logdir</strong> = .: where to put log files (same as -l)\r
+bool <strong>ips.enable_builtin_rules</strong> = false: enable events from builtin rules w/o stubs\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>output.obfuscate</strong> = false: obfuscate the logged IP addresses (same as -O)\r
+int <strong>ips.id</strong> = 0: correlate unified2 events with configuration { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>output.show_year</strong> = false: include year in timestamp in the alert and log files (same as -y)\r
+string <strong>ips.include</strong>: legacy snort rules and includes\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>output.tagged_packet_limit</strong> = 256: maximum number of packets tagged for non-packet metrics { 0: }\r
+enum <strong>ips.mode</strong>: set policy mode { tap | inline | inline-test }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>output.verbose</strong> = false: be verbose (same as -v)\r
+string <strong>ips.rules</strong>: snort rules and includes\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_packets">packets</h3>\r
-<div class="paragraph"><p>What: configure basic packet handling</p></div>\r
+<h3 id="_latency">latency</h3>\r
+<div class="paragraph"><p>What: packet and rule latency monitoring and control</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>packets.address_space_agnostic</strong> = false: determines whether DAQ address space info is used to track fragments and connections\r
+int <strong>latency.packet.max_time</strong> = 500: set timeout for packet latency thresholding (usec) { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>packets.bpf_file</strong>: file with BPF to select traffic for Snort\r
+bool <strong>latency.packet.fastpath</strong> = false: fastpath expensive packets (max_time exceeded)\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>packets.enable_inline_init_failopen</strong> = true: whether to pass traffic during later stage of initialization to avoid drops\r
+enum <strong>latency.packet.action</strong> = alert_and_log: event action if packet times out and is fastpathed { none | alert | log | alert_and_log }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>packets.limit</strong> = 0: maximum number of packets to process before stopping (0 is unlimited) { 0: }\r
+int <strong>latency.rule.max_time</strong> = 500: set timeout for rule evaluation (usec) { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>packets.skip</strong> = 0: number of packets to skip before before processing { 0: }\r
+bool <strong>latency.rule.suspend</strong> = false: temporarily suspend expensive rules\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>packets.vlan_agnostic</strong> = false: determines whether VLAN info is used to track fragments and connections\r
+int <strong>latency.rule.suspend_threshold</strong> = 5: set threshold for number of timeouts before suspending a rule { 1: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>latency.rule.max_suspend_time</strong> = 30000: set max time for suspending a rule (ms, 0 means permanently disable rule) { 0: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+enum <strong>latency.rule.action</strong> = alert_and_log: event action for rule latency enable and suspend events { none | alert | log | alert_and_log }\r
</p>\r
</li>\r
</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_ppm">ppm</h3>\r
-<div class="paragraph"><p>What: packet and rule latency monitoring and control</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>ppm.max_pkt_time</strong> = 0: enable packet latency thresholding (usec), 0 = off { 0: }\r
+<strong>134:1</strong> (latency) rule tree suspended due to latency\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>ppm.fastpath_expensive_packets</strong> = false: stop inspection if the max_pkt_time is exceeded\r
+<strong>134:2</strong> (latency) rule tree re-enabled after suspend timeout\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>ppm.pkt_log</strong> = none: log event if max_pkt_time is exceeded { none | log | alert | both }\r
+<strong>134:3</strong> (latency) packet fastpathed due to latency\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>ppm.max_rule_time</strong> = 0: enable rule latency thresholding (usec), 0 = off { 0: }\r
+<strong>latency.total_packets</strong>: total packets monitored\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>ppm.threshold</strong> = 5: number of times to exceed limit before disabling rule { 1: }\r
+<strong>latency.packet_timeouts</strong>: packets that timed out\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>ppm.suspend_expensive_rules</strong> = false: temporarily disable rule if threshold is reached\r
+<strong>latency.total_rule_evals</strong>: total rule evals monitored\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>ppm.suspend_timeout</strong> = 60: seconds to suspend rule, 0 = permanent { 0: }\r
+<strong>latency.rule_eval_timeouts</strong>: rule evals that timed out\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>ppm.rule_log</strong> = none: enable event logging for suspended rules { none|log|alert|both }\r
+<strong>latency.rule_tree_enables</strong>: rule tree re-enables\r
</p>\r
</li>\r
</ul></div>\r
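Review bot: The ppm to latency rename drops the "0 = off" semantics: the removed "ppm.max_pkt_time = 0" and "ppm.max_rule_time = 0" were off by default, while "latency.packet.max_time = 500" and "latency.rule.max_time = 500" now default to 500 usec with no statement of how to disable monitoring or whether it is active by default; document the off setting and the default behaviour, since this changes what a migrated configuration does. Units also differ within the module ("max_time" in usec, "max_suspend_time" in ms); that is stated, but a one-line remark that the two are deliberately different would prevent a unit mix-up.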
-<div class="paragraph"><p>Rules:</p></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_memory">memory</h3>\r
+<div class="paragraph"><p>What: memory management configuration</p></div>\r
+<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>134:1</strong> (ppm) rule options disabled by rule latency\r
+int <strong>memory.cap</strong> = 0: set the per-packet-thread cap on memory (bytes, 0 to disable) { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>134:2</strong> (ppm) rule options re-enabled by rule latency\r
+bool <strong>memory.soft</strong> = false: always succeed in allocating memory, even if above the cap\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>134:3</strong> (ppm) packet aborted due to latency\r
+int <strong>memory.threshold</strong> = 0: set the per-packet-thread threshold for preemptive cleanup actions (percent, 0 to disable) { 0: }\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
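Review bot: The new memory module does not say what happens when "memory.soft" is false and an allocation would exceed "memory.cap" (allocation fails? packet dropped? process exits?), which is the case operators most need to understand; add one sentence. "memory.threshold" is given as a percent without saying percent of what (presumably of cap) and without a range upper bound ("{ 0: }" where "{ 0:100 }" seems intended).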
<div class="sect2">\r
-<h3 id="_process">process</h3>\r
-<div class="paragraph"><p>What: configure basic process setup</p></div>\r
+<h3 id="_network">network</h3>\r
+<div class="paragraph"><p>What: configure basic network parameters</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>process.chroot</strong>: set chroot directory (same as -t)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>process.threads[].cpu</strong> = 0: pin the associated source/thread to this cpu { 0:127 }\r
+multi <strong>network.checksum_drop</strong> = none: drop if checksum is bad { all | ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>process.threads[].source</strong>: set cpu affinity for this source (either pcap or <iface>\r
+multi <strong>network.checksum_eval</strong> = none: checksums to verify { all | ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>process.threads[].thread</strong> = 0: set cpu affinity for the <cur_thread_num> thread that runs { 0: }\r
+bool <strong>network.decode_drops</strong> = false: enable dropping of packets by the decoder\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>process.daemon</strong> = false: fork as a daemon (same as -D)\r
+int <strong>network.id</strong> = 0: correlate unified2 events with configuration { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>process.dirty_pig</strong> = false: shutdown without internal cleanup\r
+int <strong>network.min_ttl</strong> = 1: alert / normalize packets with lower ttl / hop limit (you must enable rules and / or normalization also) { 1:255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>process.set_gid</strong>: set group ID (same as -g)\r
+int <strong>network.new_ttl</strong> = 1: use this value for responses and when normalizing { 1:255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>process.set_uid</strong>: set user ID (same as -u)\r
+int <strong>network.layers</strong> = 40: The maximum number of protocols that Snort can correctly decode { 3:255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>process.umask</strong>: set process umask (same as -m)\r
+int <strong>network.max_ip6_extensions</strong> = 0: The number of IP6 options Snort will process for a given IPv6 layer. If this limit is hit, rule 116:456 may fire. 0 = unlimited { 0:255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>process.utc</strong> = false: use UTC instead of local time for timestamps\r
+int <strong>network.max_ip_layers</strong> = 0: The maximum number of IP layers Snort will process for a given packet If this limit is hit, rule 116:293 may fire. 0 = unlimited { 0:255 }\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
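Review bot: The moved network lines carry their old typos into the new location: "for a given packet If this limit is hit" is missing a period before "If", and "IP6 options" in the max_ip6_extensions line should read "IPv6" for consistency with "IPv6 layer" in the same sentence.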
<div class="sect2">\r
-<h3 id="_profiler">profiler</h3>\r
-<div class="paragraph"><p>What: configure profiling of rules and/or modules</p></div>\r
+<h3 id="_output">output</h3>\r
+<div class="paragraph"><p>What: configure general output parameters</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>profiler.modules.show</strong> = true: show module time profile stats\r
+bool <strong>output.dump_chars_only</strong> = false: turns on character dumps (same as -C)\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>profiler.modules.count</strong> = 0: limit results to count items per level (0 = no limit) { 0: }\r
+bool <strong>output.dump_payload</strong> = false: dumps application layer (same as -d)\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>profiler.modules.sort</strong> = total_time: sort by given field { none | checks | avg_check | total_time }\r
+bool <strong>output.dump_payload_verbose</strong> = false: dumps raw packet starting at link layer (same as -X)\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>profiler.modules.max_depth</strong> = -1: limit depth to max_depth (-1 = no limit) { -1: }\r
+bool <strong>output.log_ipv6_extra_data</strong> = false: log IPv6 source and destination addresses as unified2 extra data records\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>profiler.memory.show</strong> = true: show module memory profile stats\r
+int <strong>output.event_trace.max_data</strong> = 0: maximum amount of packet data to capture { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>profiler.memory.count</strong> = 0: limit results to count items per level (0 = no limit) { 0: }\r
+bool <strong>output.quiet</strong> = false: suppress non-fatal information (still show alerts, same as -q)\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>profiler.memory.sort</strong> = total_used: sort by given field { none | allocations | total_used | avg_allocation }\r
+string <strong>output.logdir</strong> = .: where to put log files (same as -l)\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>profiler.memory.max_depth</strong> = -1: limit depth to max_depth (-1 = no limit) { -1: }\r
+bool <strong>output.obfuscate</strong> = false: obfuscate the logged IP addresses (same as -O)\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>profiler.rules.show</strong> = true: show rule time profile stats\r
+bool <strong>output.obfuscate_pii</strong> = false: Mask all but the last 4 characters of credit card and social security numbers\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>profiler.rules.count</strong> = 0: print results to given level (0 = all) { 0: }\r
+bool <strong>output.show_year</strong> = false: include year in timestamp in the alert and log files (same as -y)\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>profiler.rules.sort</strong> = total_time: sort by given field { none | checks | avg_check | total_time | matches | no_matches | avg_match | avg_no_match }\r
+int <strong>output.tagged_packet_limit</strong> = 256: maximum number of packets tagged for non-packet metrics { 0: }\r
</p>\r
</li>\r
-</ul></div>\r
+<li>\r
+<p>\r
+bool <strong>output.verbose</strong> = false: be verbose (same as -v)\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_packets">packets</h3>\r
+<div class="paragraph"><p>What: configure basic packet handling</p></div>\r
+<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+bool <strong>packets.address_space_agnostic</strong> = false: determines whether DAQ address space info is used to track fragments and connections\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>packets.bpf_file</strong>: file with BPF to select traffic for Snort\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>packets.limit</strong> = 0: maximum number of packets to process before stopping (0 is unlimited) { 0: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>packets.skip</strong> = 0: number of packets to skip before before processing { 0: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>packets.vlan_agnostic</strong> = false: determines whether VLAN info is used to track fragments and connections\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_process">process</h3>\r
+<div class="paragraph"><p>What: configure basic process setup</p></div>\r
+<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+string <strong>process.chroot</strong>: set chroot directory (same as -t)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>process.threads[].cpuset</strong>: pin the associated thread to this cpuset\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>process.threads[].thread</strong> = 0: set cpu affinity for the <cur_thread_num> thread that runs { 0: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>process.daemon</strong> = false: fork as a daemon (same as -D)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>process.dirty_pig</strong> = false: shutdown without internal cleanup\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>process.set_gid</strong>: set group ID (same as -g)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>process.set_uid</strong>: set user ID (same as -u)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>process.umask</strong>: set process umask (same as -m)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>process.utc</strong> = false: use UTC instead of local time for timestamps\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_profiler">profiler</h3>\r
+<div class="paragraph"><p>What: configure profiling of rules and/or modules</p></div>\r
+<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+bool <strong>profiler.modules.show</strong> = true: show module time profile stats\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>profiler.modules.count</strong> = 0: limit results to count items per level (0 = no limit) { 0: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+enum <strong>profiler.modules.sort</strong> = total_time: sort by given field { none | checks | avg_check | total_time }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>profiler.modules.max_depth</strong> = -1: limit depth to max_depth (-1 = no limit) { -1: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>profiler.memory.show</strong> = true: show module memory profile stats\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>profiler.memory.count</strong> = 0: limit results to count items per level (0 = no limit) { 0: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+enum <strong>profiler.memory.sort</strong> = total_used: sort by given field { none | allocations | total_used | avg_allocation }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>profiler.memory.max_depth</strong> = -1: limit depth to max_depth (-1 = no limit) { -1: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>profiler.rules.show</strong> = true: show rule time profile stats\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>profiler.rules.count</strong> = 0: print results to given level (0 = all) { 0: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+enum <strong>profiler.rules.sort</strong> = total_time: sort by given field { none | checks | avg_check | total_time | matches | no_matches | avg_match | avg_no_match }\r
+</p>\r
+</li>\r
+</ul></div>\r
</div>\r
<div class="sect2">\r
<h3 id="_rate_filter">rate_filter</h3>\r
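Review bot: the help string for packets.skip (`+int <strong>packets.skip</strong> = 0: number of packets to skip before before processing { 0: }`) doubles the word "before"; if this HTML is generated from the module's help strings, fix it at the source so it reads "number of packets to skip before processing". In the same hunk the process.threads[].thread entry still shows the raw `<cur_thread_num>` placeholder ("set cpu affinity for the <cur_thread_num> thread that runs"), which reads as an unexpanded template in rendered docs; state plainly that the value is the 0-based index of the thread being pinned.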
</li>\r
<li>\r
<p>\r
-bool <strong>search_engine.search_optimize</strong> = false: tweak state machine construction for better performance\r
+bool <strong>search_engine.search_optimize</strong> = true: tweak state machine construction for better performance\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+<strong>search_engine.max queued</strong>: maximum fast pattern matches queued for further evaluation\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>search_engine.total flushed</strong>: fast pattern matches discarded due to overflow\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>search_engine.total inserts</strong>: total fast pattern hits\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>search_engine.total unique</strong>: total unique fast pattern hits\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>search_engine.non-qualified events</strong>: total non-qualified events\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>search_engine.qualified events</strong>: total qualified events\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_side_channel">side_channel</h3>\r
+<div class="paragraph"><p>What: implement the side-channel asynchronous messaging subsystem</p></div>\r
+<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+bit_list <strong>side_channel.ports</strong>: side channel message port list { 65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>side_channel.connectors[].connector</strong>: connector handle\r
</p>\r
</li>\r
</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
</div>\r
<div class="sect2">\r
<h3 id="_snort">snort</h3>\r
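Review bot: the added `+<div class="paragraph"><p>Peg counts:</p></div>` for side_channel is followed directly by `</div>`, so the heading introduces no list; either the peg list is missing from the generated output or the heading should be suppressed when a module defines no pegs. Separately, flipping the search_engine.search_optimize default from false to true changes behaviour for every existing configuration that does not set the option explicitly; that deserves a line in the change log alongside this documentation update.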
</li>\r
<li>\r
<p>\r
-string <strong>snort.--daq-mode</strong>: <mode> select the DAQ operating mode\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
string <strong>snort.--daq-var</strong>: <name=value> specify extra DAQ configuration variable\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--dump-version</strong>: output the version, the whole version, and only the version { (optional) }\r
+implied <strong>snort.--dump-version</strong>: output the version, the whole version, and only the version\r
</p>\r
</li>\r
<li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_eapol">eapol</h3>\r
-<div class="paragraph"><p>What: support for extensible authentication protocol over LAN</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>116:110</strong> (eapol) truncated EAP header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:111</strong> (eapol) EAP key truncated\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:112</strong> (eapol) EAP header truncated\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
<h3 id="_erspan2">erspan2</h3>\r
<div class="paragraph"><p>What: support for encapsulated remote switched port analyzer - type 2</p></div>\r
<div class="paragraph"><p>Type: codec</p></div>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_token_ring">token_ring</h3>\r
-<div class="paragraph"><p>What: support for token ring decoding</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>116:140</strong> (token_ring) (token_ring) Bad Token Ring Header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:141</strong> (token_ring) (token_ring) Bad Token Ring ETHLLC Header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:142</strong> (token_ring) (token_ring) Bad Token Ring MRLENHeader\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:143</strong> (token_ring) (token_ring) Bad Token Ring MR Header\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
<h3 id="_udp">udp</h3>\r
<div class="paragraph"><p>What: support for user datagram protocol</p></div>\r
<div class="paragraph"><p>Type: codec</p></div>\r
</li>\r
</ul></div>\r
</div>\r
-<div class="sect2">\r
-<h3 id="_wlan">wlan</h3>\r
-<div class="paragraph"><p>What: support for wireless local area network protocol (DLT 105)</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>116:133</strong> (wlan) bad 802.11 LLC header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:134</strong> (wlan) bad 802.11 extra LLC info\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
</div>\r
</div>\r
<div class="sect1">\r
<div class="paragraph"><p>These modules perform a variety of functions, including analysis of\r
protocols beyond basic decoding.</p></div>\r
<div class="sect2">\r
-<h3 id="_arp_spoof">arp_spoof</h3>\r
-<div class="paragraph"><p>What: detect ARP attacks and anomalies</p></div>\r
+<h3 id="_appid">appid</h3>\r
+<div class="paragraph"><p>What: application and service identification</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+string <strong>appid.conf</strong>: RNA configuration file\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>appid.memcap</strong> = 268435456: time period for collecting and logging AppId statistics { 1048576:3221225472 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>appid.app_stats_filename</strong>: Filename for logging AppId statistics\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>appid.app_stats_period</strong> = 300: time period for collecting and logging AppId statistics { 0: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>appid.app_stats_rollover_size</strong> = 20971520: max file size for AppId stats before rolling over the log file { 0: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>appid.app_stats_rollover_time</strong> = 86400: max time period for collection AppId stats before rolling over the log file { 0: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>appid.app_detector_dir</strong>: directory to load AppId detectors from\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>appid.instance_id</strong> = 0: instance id - need more details for what this is { 0: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>appid.debug</strong> = false: enable AppId debug logging\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>appid.dump_ports</strong> = false: enable dump of AppId port information\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>appid.thirdparty_appid_dir</strong>: directory to load thirdparty AppId detectors from\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+<strong>appid.packets</strong>: count of packets processed by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.battlefield_flows</strong>: count of battle field flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.bgp_flows</strong>: count of bgp flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.bit_clients</strong>: count of bittorrent clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.bit_flows</strong>: count of bittorrent flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.bittracker_clients</strong>: count of bittorrent tracker clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.dcerpc_tcp_flows</strong>: count of dce rpc flows over tcp discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.dcerpc_udp_flows</strong>: count of dce rpc flows over udp discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.dns_tcp_flows</strong>: count of dns flows over tcp discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.dns_udp_flows</strong>: count of dns flows over udp discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.ftp_flows</strong>: count of ftp flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.ftps_flows</strong>: count of ftps flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.imap_flows</strong>: count of imap service flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.imaps_flows</strong>: count of imap TLS service flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.irc_flows</strong>: count of irc service flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.kerberos_clients</strong>: count of kerberos clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.kerberos_flows</strong>: count of kerberos service flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.kerberos_users</strong>: count of kerberos users discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.lpr_flows</strong>: count of lpr service flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.mdns_flows</strong>: count of mdns service flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.mysql_flows</strong>: count of mysql service flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.netbios_flows</strong>: count of netbios service flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.pop_flows</strong>: count of pop service flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.smtp_flows</strong>: count of smtp flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.smtps_flows</strong>: count of smtps flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.ssh_clients</strong>: count of ssh clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.ssh_flows</strong>: count of ssh flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.ssl_flows</strong>: count of ssl flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.telnet_flows</strong>: count of telnet flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.timbuktu_flows</strong>: count of timbuktu flows discovered by appid\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_arp_spoof">arp_spoof</h3>\r
+<div class="paragraph"><p>What: detect ARP attacks and anomalies</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
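Review bot: the appid.memcap help text (`+int <strong>appid.memcap</strong> = 268435456: time period for collecting and logging AppId statistics { 1048576:3221225472 }`) is copied from app_stats_period; the name, default and range describe a memory limit in bytes, so the description should say that instead. Two more strings in this hunk read as unfinished: appid.instance_id ("instance id - need more details for what this is") is a TODO that should not ship in user documentation, and app_stats_rollover_time says "max time period for collection AppId stats" where "collecting" is meant.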
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_data_log">data_log</h3>\r
-<div class="paragraph"><p>What: log selected published data to data.log</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>data_log.key</strong> = http_uri: name of data buffer to log\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>data_log.packets</strong>: total packets\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
<h3 id="_dce_smb">dce_smb</h3>\r
<div class="paragraph"><p>What: dce over smb inspection</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>145:2</strong> (dce_smb) SMB - Bad NetBIOS Session Service session type.\r
+<strong>133:2</strong> (dce_smb) SMB - Bad NetBIOS Session Service session type.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:3</strong> (dce_smb) SMB - Bad SMB message type.\r
+<strong>133:3</strong> (dce_smb) SMB - Bad SMB message type.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:4</strong> (dce_smb) SMB - Bad SMB Id (not \xffSMB for SMB1 or not \xfeSMB for SMB2).\r
+<strong>133:4</strong> (dce_smb) SMB - Bad SMB Id (not \xffSMB for SMB1 or not \xfeSMB for SMB2).\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:5</strong> (dce_smb) SMB - Bad word count or structure size.\r
+<strong>133:5</strong> (dce_smb) SMB - Bad word count or structure size.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:6</strong> (dce_smb) SMB - Bad byte count.\r
+<strong>133:6</strong> (dce_smb) SMB - Bad byte count.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:7</strong> (dce_smb) SMB - Bad format type.\r
+<strong>133:7</strong> (dce_smb) SMB - Bad format type.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:8</strong> (dce_smb) SMB - Bad offset.\r
+<strong>133:8</strong> (dce_smb) SMB - Bad offset.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:9</strong> (dce_smb) SMB - Zero total data count.\r
+<strong>133:9</strong> (dce_smb) SMB - Zero total data count.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:10</strong> (dce_smb) SMB - NetBIOS data length less than SMB header length.\r
+<strong>133:10</strong> (dce_smb) SMB - NetBIOS data length less than SMB header length.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:12</strong> (dce_smb) SMB - Remaining NetBIOS data length less than command byte count.\r
+<strong>133:12</strong> (dce_smb) SMB - Remaining NetBIOS data length less than command byte count.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:13</strong> (dce_smb) SMB - Remaining NetBIOS data length less than command data size.\r
+<strong>133:13</strong> (dce_smb) SMB - Remaining NetBIOS data length less than command data size.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:14</strong> (dce_smb) SMB - Remaining total data count less than this command data size.\r
+<strong>133:14</strong> (dce_smb) SMB - Remaining total data count less than this command data size.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:15</strong> (dce_smb) SMB - Total data sent (STDu64) greater than command total data expected.\r
+<strong>133:15</strong> (dce_smb) SMB - Total data sent (STDu64) greater than command total data expected.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:16</strong> (dce_smb) SMB - Byte count less than command data size (STDu64)\r
+<strong>133:16</strong> (dce_smb) SMB - Byte count less than command data size (STDu64)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:17</strong> (dce_smb) SMB - Invalid command data size for byte count.\r
+<strong>133:17</strong> (dce_smb) SMB - Invalid command data size for byte count.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:18</strong> (dce_smb) SMB - Excessive Tree Connect requests with pending Tree Connect responses.\r
+<strong>133:18</strong> (dce_smb) SMB - Excessive Tree Connect requests with pending Tree Connect responses.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:19</strong> (dce_smb) SMB - Excessive Read requests with pending Read responses.\r
+<strong>133:19</strong> (dce_smb) SMB - Excessive Read requests with pending Read responses.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:20</strong> (dce_smb) SMB - Excessive command chaining.\r
+<strong>133:20</strong> (dce_smb) SMB - Excessive command chaining.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:21</strong> (dce_smb) SMB - Multiple chained tree connect requests.\r
+<strong>133:21</strong> (dce_smb) SMB - Multiple chained tree connect requests.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:22</strong> (dce_smb) SMB - Multiple chained tree connect requests.\r
+<strong>133:22</strong> (dce_smb) SMB - Multiple chained tree connect requests.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:23</strong> (dce_smb) SMB - Chained/Compounded login followed by logoff.\r
+<strong>133:23</strong> (dce_smb) SMB - Chained/Compounded login followed by logoff.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:24</strong> (dce_smb) SMB - Chained/Compounded tree connect followed by tree disconnect.\r
+<strong>133:24</strong> (dce_smb) SMB - Chained/Compounded tree connect followed by tree disconnect.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:25</strong> (dce_smb) SMB - Chained/Compounded open pipe followed by close pipe.\r
+<strong>133:25</strong> (dce_smb) SMB - Chained/Compounded open pipe followed by close pipe.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:26</strong> (dce_smb) SMB - Invalid share access.\r
+<strong>133:26</strong> (dce_smb) SMB - Invalid share access.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:27</strong> (dce_smb) Connection oriented DCE/RPC - Invalid major version.\r
+<strong>133:27</strong> (dce_smb) Connection oriented DCE/RPC - Invalid major version.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:28</strong> (dce_smb) Connection oriented DCE/RPC - Invalid minor version.\r
+<strong>133:28</strong> (dce_smb) Connection oriented DCE/RPC - Invalid minor version.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:29</strong> (dce_smb) Connection-oriented DCE/RPC - Invalid pdu type.\r
+<strong>133:29</strong> (dce_smb) Connection-oriented DCE/RPC - Invalid pdu type.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:30</strong> (dce_smb) Connection-oriented DCE/RPC - Fragment length less than header size.\r
+<strong>133:30</strong> (dce_smb) Connection-oriented DCE/RPC - Fragment length less than header size.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:32</strong> (dce_smb) Connection-oriented DCE/RPC - No context items specified.\r
+<strong>133:32</strong> (dce_smb) Connection-oriented DCE/RPC - No context items specified.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:33</strong> (dce_smb) Connection-oriented DCE/RPC -No transfer syntaxes specified.\r
+<strong>133:33</strong> (dce_smb) Connection-oriented DCE/RPC -No transfer syntaxes specified.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:34</strong> (dce_smb) Connection-oriented DCE/RPC - Fragment length on non-last fragment less than maximum negotiated fragment transmit size for client.\r
+<strong>133:34</strong> (dce_smb) Connection-oriented DCE/RPC - Fragment length on non-last fragment less than maximum negotiated fragment transmit size for client.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:35</strong> (dce_smb) Connection-oriented DCE/RPC - Fragment length greater than maximum negotiated fragment transmit size.\r
+<strong>133:35</strong> (dce_smb) Connection-oriented DCE/RPC - Fragment length greater than maximum negotiated fragment transmit size.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:36</strong> (dce_smb) Connection-oriented DCE/RPC - Alter Context byte order different from Bind\r
+<strong>133:36</strong> (dce_smb) Connection-oriented DCE/RPC - Alter Context byte order different from Bind\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:37</strong> (dce_smb) Connection-oriented DCE/RPC - Call id of non first/last fragment different from call id established for fragmented request.\r
+<strong>133:37</strong> (dce_smb) Connection-oriented DCE/RPC - Call id of non first/last fragment different from call id established for fragmented request.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:38</strong> (dce_smb) Connection-oriented DCE/RPC - Opnum of non first/last fragment different from opnum established for fragmented request.\r
+<strong>133:38</strong> (dce_smb) Connection-oriented DCE/RPC - Opnum of non first/last fragment different from opnum established for fragmented request.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:39</strong> (dce_smb) Connection-oriented DCE/RPC - Context id of non first/last fragment different from context id established for fragmented request.\r
+<strong>133:39</strong> (dce_smb) Connection-oriented DCE/RPC - Context id of non first/last fragment different from context id established for fragmented request.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:44</strong> (dce_smb) SMB - Invalid SMB version 1 seen.\r
+<strong>133:44</strong> (dce_smb) SMB - Invalid SMB version 1 seen.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:45</strong> (dce_smb) SMB - Invalid SMB version 2 seen.\r
+<strong>133:45</strong> (dce_smb) SMB - Invalid SMB version 2 seen.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:46</strong> (dce_smb) SMB - Invalid user, tree connect, file binding.\r
+<strong>133:46</strong> (dce_smb) SMB - Invalid user, tree connect, file binding.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:47</strong> (dce_smb) SMB - Excessive command compounding.\r
+<strong>133:47</strong> (dce_smb) SMB - Excessive command compounding.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:48</strong> (dce_smb) SMB - Zero data count.\r
+<strong>133:48</strong> (dce_smb) SMB - Zero data count.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:50</strong> (dce_smb) SMB - Maximum number of outstanding requests exceeded.\r
+<strong>133:50</strong> (dce_smb) SMB - Maximum number of outstanding requests exceeded.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:51</strong> (dce_smb) SMB - Outstanding requests with same MID.\r
+<strong>133:51</strong> (dce_smb) SMB - Outstanding requests with same MID.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:52</strong> (dce_smb) SMB - Deprecated dialect negotiated.\r
+<strong>133:52</strong> (dce_smb) SMB - Deprecated dialect negotiated.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:53</strong> (dce_smb) SMB - Deprecated command used.\r
+<strong>133:53</strong> (dce_smb) SMB - Deprecated command used.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:54</strong> (dce_smb) SMB - Unusual command used.\r
+<strong>133:54</strong> (dce_smb) SMB - Unusual command used.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:55</strong> (dce_smb) SMB - Invalid setup count for command.\r
+<strong>133:55</strong> (dce_smb) SMB - Invalid setup count for command.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:56</strong> (dce_smb) SMB - Client attempted multiple dialect negotiations on session.\r
+<strong>133:56</strong> (dce_smb) SMB - Client attempted multiple dialect negotiations on session.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:57</strong> (dce_smb) SMB - Client attempted to create or set a file’s attributes to readonly/hidden/system.\r
+<strong>133:57</strong> (dce_smb) SMB - Client attempted to create or set a file’s attributes to readonly/hidden/system.\r
</p>\r
</li>\r
</ul></div>\r
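Review bot: renumbering the dce_smb alerts from GID 145 to 133 will break any existing suppress, threshold or rule references that still use 145; please confirm that dce_tcp and any rule files or tests move in the same change and call the renumbering out in the release notes. While touching these lines: 133:21 and 133:22 carry the identical message "Multiple chained tree connect requests.", so one of them is mislabelled, and 133:33 is missing a space in "DCE/RPC -No transfer syntaxes specified."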
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.smb sessions</strong>: total smb sessions\r
+<strong>dce_smb.PDUs</strong>: total connection-oriented PDUs\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.smb packets</strong>: total smb packets\r
+<strong>dce_smb.Binds</strong>: total connection-oriented binds\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented PDUs</strong>: total connection-oriented PDUs\r
+<strong>dce_smb.Bind acks</strong>: total connection-oriented binds acks\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented binds</strong>: total connection-oriented binds\r
+<strong>dce_smb.Alter contexts</strong>: total connection-oriented alter contexts\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented bind acks</strong>: total connection-oriented binds acks\r
+<strong>dce_smb.Alter context responses</strong>: total connection-oriented alter context responses\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented alter contexts</strong>: total connection-oriented alter contexts\r
+<strong>dce_smb.Bind naks</strong>: total connection-oriented bind naks\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented alter context responses</strong>: total connection-oriented alter context responses\r
+<strong>dce_smb.Requests</strong>: total connection-oriented requests\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented bind naks</strong>: total connection-oriented bind naks\r
+<strong>dce_smb.Responses</strong>: total connection-oriented responses\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented requests</strong>: total connection-oriented requests\r
+<strong>dce_smb.Cancels</strong>: total connection-oriented cancels\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented responses</strong>: total connection-oriented responses\r
+<strong>dce_smb.Orphaned</strong>: total connection-oriented orphaned\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented cancels</strong>: total connection-oriented cancels\r
+<strong>dce_smb.Faults</strong>: total connection-oriented faults\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented orphaned</strong>: total connection-oriented orphaned\r
+<strong>dce_smb.Auth3s</strong>: total connection-oriented auth3s\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented faults</strong>: total connection-oriented faults\r
+<strong>dce_smb.Shutdowns</strong>: total connection-oriented shutdowns\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented auth3s</strong>: total connection-oriented auth3s\r
+<strong>dce_smb.Rejects</strong>: total connection-oriented rejects\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented shutdowns</strong>: total connection-oriented shutdowns\r
+<strong>dce_smb.MS RPC/HTTP PDUs</strong>: total connection-oriented MS requests to send RPC over HTTP\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented rejects</strong>: total connection-oriented rejects\r
+<strong>dce_smb.Other requests</strong>: total connection-oriented other requests\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented other requests</strong>: total connection-oriented other requests\r
+<strong>dce_smb.Other responses</strong>: total connection-oriented other responses\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented other responses</strong>: total connection-oriented other responses\r
+<strong>dce_smb.Request fragments</strong>: total connection-oriented request fragments\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented request fragments</strong>: total connection-oriented request fragments\r
+<strong>dce_smb.Response fragments</strong>: total connection-oriented response fragments\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented response fragments</strong>: total connection-oriented response fragments\r
+<strong>dce_smb.Client max fragment size</strong>: connection-oriented client maximum fragment size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented client maximum fragment size</strong>: connection-oriented client maximum fragment size\r
+<strong>dce_smb.Client min fragment size</strong>: connection-oriented client minimum fragment size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented client minimum fragment size</strong>: connection-oriented client minimum fragment size\r
+<strong>dce_smb.Client segs reassembled</strong>: total connection-oriented client segments reassembled\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented client segments reassembled</strong>: total connection-oriented client segments reassembled\r
+<strong>dce_smb.Client frags reassembled</strong>: total connection-oriented client fragments reassembled\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented client fragments reassembled</strong>: total connection-oriented client fragments reassembled\r
+<strong>dce_smb.Server max fragment size</strong>: connection-oriented server maximum fragment size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented server maximum fragment size</strong>: connection-oriented server maximum fragment size\r
+<strong>dce_smb.Server min fragment size</strong>: connection-oriented server minimum fragment size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented server minimum fragment size</strong>: connection-oriented server minimum fragment size\r
+<strong>dce_smb.Server segs reassembled</strong>: total connection-oriented server segments reassembled\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented server segments reassembled</strong>: total connection-oriented server segments reassembled\r
+<strong>dce_smb.Server frags reassembled</strong>: total connection-oriented server fragments reassembled\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented server fragments reassembled</strong>: total connection-oriented server fragments reassembled\r
+<strong>dce_smb.Sessions</strong>: total smb sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.smb client segments reassembled</strong>: total smb client segments reassembled\r
+<strong>dce_smb.Packets</strong>: total smb packets\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.smb server segments reassembled</strong>: total smb server segments reassembled\r
+<strong>dce_smb.Client segs reassembled</strong>: total smb client segments reassembled\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.smb maximum outstanding requests</strong>: total smb maximum outstanding requests\r
+<strong>dce_smb.Server segs reassembled</strong>: total smb server segments reassembled\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.smb files processed</strong>: total smb files processed\r
+<strong>dce_smb.Max outstanding requests</strong>: total smb maximum outstanding requests\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_smb.Files processed</strong>: total smb files processed\r
</p>\r
</li>\r
</ul></div>\r
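Review bot: the shortened peg names collide. `+<strong>dce_smb.Client segs reassembled</strong>` appears twice in this hunk (once for the connection-oriented counter, once for the SMB counter), as does `dce_smb.Server segs reassembled`, so the two counters can no longer be told apart by name in the stats output; keep a qualifier such as "CO client segs reassembled" / "SMB client segs reassembled". Also the Bind acks entry reads "total connection-oriented binds acks" where "bind acks" is meant.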
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>145:27</strong> (dce_tcp) Connection oriented DCE/RPC - Invalid major version.\r
+<strong>133:27</strong> (dce_tcp) Connection oriented DCE/RPC - Invalid major version.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:28</strong> (dce_tcp) Connection oriented DCE/RPC - Invalid minor version.\r
+<strong>133:28</strong> (dce_tcp) Connection oriented DCE/RPC - Invalid minor version.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:29</strong> (dce_tcp) Connection-oriented DCE/RPC - Invalid pdu type.\r
+<strong>133:29</strong> (dce_tcp) Connection-oriented DCE/RPC - Invalid pdu type.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:30</strong> (dce_tcp) Connection-oriented DCE/RPC - Fragment length less than header size.\r
+<strong>133:30</strong> (dce_tcp) Connection-oriented DCE/RPC - Fragment length less than header size.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:32</strong> (dce_tcp) Connection-oriented DCE/RPC - No context items specified.\r
+<strong>133:32</strong> (dce_tcp) Connection-oriented DCE/RPC - No context items specified.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:33</strong> (dce_tcp) Connection-oriented DCE/RPC -No transfer syntaxes specified.\r
+<strong>133:33</strong> (dce_tcp) Connection-oriented DCE/RPC -No transfer syntaxes specified.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:34</strong> (dce_tcp) Connection-oriented DCE/RPC - Fragment length on non-last fragment less than maximum negotiated fragment transmit size for client.\r
+<strong>133:34</strong> (dce_tcp) Connection-oriented DCE/RPC - Fragment length on non-last fragment less than maximum negotiated fragment transmit size for client.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:35</strong> (dce_tcp) Connection-oriented DCE/RPC - Fragment length greater than maximum negotiated fragment transmit size.\r
+<strong>133:35</strong> (dce_tcp) Connection-oriented DCE/RPC - Fragment length greater than maximum negotiated fragment transmit size.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:36</strong> (dce_tcp) Connection-oriented DCE/RPC - Alter Context byte order different from Bind\r
+<strong>133:36</strong> (dce_tcp) Connection-oriented DCE/RPC - Alter Context byte order different from Bind\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:37</strong> (dce_tcp) Connection-oriented DCE/RPC - Call id of non first/last fragment different from call id established for fragmented request.\r
+<strong>133:37</strong> (dce_tcp) Connection-oriented DCE/RPC - Call id of non first/last fragment different from call id established for fragmented request.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:38</strong> (dce_tcp) Connection-oriented DCE/RPC - Opnum of non first/last fragment different from opnum established for fragmented request.\r
+<strong>133:38</strong> (dce_tcp) Connection-oriented DCE/RPC - Opnum of non first/last fragment different from opnum established for fragmented request.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:39</strong> (dce_tcp) Connection-oriented DCE/RPC - Context id of non first/last fragment different from context id established for fragmented request.\r
+<strong>133:39</strong> (dce_tcp) Connection-oriented DCE/RPC - Context id of non first/last fragment different from context id established for fragmented request.\r
</p>\r
</li>\r
</ul></div>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.tcp sessions</strong>: total tcp sessions\r
+<strong>dce_tcp.PDUs</strong>: total connection-oriented PDUs\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.tcp packets</strong>: total tcp packets\r
+<strong>dce_tcp.Binds</strong>: total connection-oriented binds\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_tcp.Bind acks</strong>: total connection-oriented binds acks\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented PDUs</strong>: total connection-oriented PDUs\r
+<strong>dce_tcp.Alter contexts</strong>: total connection-oriented alter contexts\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented binds</strong>: total connection-oriented binds\r
+<strong>dce_tcp.Alter context responses</strong>: total connection-oriented alter context responses\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented bind acks</strong>: total connection-oriented binds acks\r
+<strong>dce_tcp.Bind naks</strong>: total connection-oriented bind naks\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented alter contexts</strong>: total connection-oriented alter contexts\r
+<strong>dce_tcp.Requests</strong>: total connection-oriented requests\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented alter context responses</strong>: total connection-oriented alter context responses\r
+<strong>dce_tcp.Responses</strong>: total connection-oriented responses\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented bind naks</strong>: total connection-oriented bind naks\r
+<strong>dce_tcp.Cancels</strong>: total connection-oriented cancels\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented requests</strong>: total connection-oriented requests\r
+<strong>dce_tcp.Orphaned</strong>: total connection-oriented orphaned\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented responses</strong>: total connection-oriented responses\r
+<strong>dce_tcp.Faults</strong>: total connection-oriented faults\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented cancels</strong>: total connection-oriented cancels\r
+<strong>dce_tcp.Auth3s</strong>: total connection-oriented auth3s\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented orphaned</strong>: total connection-oriented orphaned\r
+<strong>dce_tcp.Shutdowns</strong>: total connection-oriented shutdowns\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented faults</strong>: total connection-oriented faults\r
+<strong>dce_tcp.Rejects</strong>: total connection-oriented rejects\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented auth3s</strong>: total connection-oriented auth3s\r
+<strong>dce_tcp.MS RPC/HTTP PDUs</strong>: total connection-oriented MS requests to send RPC over HTTP\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented shutdowns</strong>: total connection-oriented shutdowns\r
+<strong>dce_tcp.Other requests</strong>: total connection-oriented other requests\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented rejects</strong>: total connection-oriented rejects\r
+<strong>dce_tcp.Other responses</strong>: total connection-oriented other responses\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented other requests</strong>: total connection-oriented other requests\r
+<strong>dce_tcp.Request fragments</strong>: total connection-oriented request fragments\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented other responses</strong>: total connection-oriented other responses\r
+<strong>dce_tcp.Response fragments</strong>: total connection-oriented response fragments\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented request fragments</strong>: total connection-oriented request fragments\r
+<strong>dce_tcp.Client max fragment size</strong>: connection-oriented client maximum fragment size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented response fragments</strong>: total connection-oriented response fragments\r
+<strong>dce_tcp.Client min fragment size</strong>: connection-oriented client minimum fragment size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented client maximum fragment size</strong>: connection-oriented client maximum fragment size\r
+<strong>dce_tcp.Client segs reassembled</strong>: total connection-oriented client segments reassembled\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented client minimum fragment size</strong>: connection-oriented client minimum fragment size\r
+<strong>dce_tcp.Client frags reassembled</strong>: total connection-oriented client fragments reassembled\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented client segments reassembled</strong>: total connection-oriented client segments reassembled\r
+<strong>dce_tcp.Server max fragment size</strong>: connection-oriented server maximum fragment size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented client fragments reassembled</strong>: total connection-oriented client fragments reassembled\r
+<strong>dce_tcp.Server min fragment size</strong>: connection-oriented server minimum fragment size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented server maximum fragment size</strong>: connection-oriented server maximum fragment size\r
+<strong>dce_tcp.Server segs reassembled</strong>: total connection-oriented server segments reassembled\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented server minimum fragment size</strong>: connection-oriented server minimum fragment size\r
+<strong>dce_tcp.Server frags reassembled</strong>: total connection-oriented server fragments reassembled\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented server segments reassembled</strong>: total connection-oriented server segments reassembled\r
+<strong>dce_tcp.tcp sessions</strong>: total tcp sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented server fragments reassembled</strong>: total connection-oriented server fragments reassembled\r
+<strong>dce_tcp.tcp packets</strong>: total tcp packets\r
</p>\r
</li>\r
</ul></div>\r
</ul></div>\r
</div>\r
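Review bot: the dce_tcp event GIDs change from 145 to 133 in this region (145:27 through 145:39 become 133:27 through 133:39) with no migration note; any existing event filter or suppression keyed on gid 145 silently stops matching, so the section or the release notes should state the renumbering explicitly. Two peg descriptions also need wording fixes: `dce_smb.Max outstanding requests` is described as "total smb maximum outstanding requests", but a maximum is a high-water mark rather than a total, so drop "total"; and `dce_tcp.Bind acks` carries over the "binds acks" typo from the removed `dce_tcp.connection-oriented bind acks` line and should read "total connection-oriented bind acks".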
<div class="sect2">\r
-<h3 id="_dpx">dpx</h3>\r
-<div class="paragraph"><p>What: dynamic inspector example</p></div>\r
+<h3 id="_file_log">file_log</h3>\r
+<div class="paragraph"><p>What: log file event to file.log</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-port <strong>dpx.port</strong>: port to check\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>dpx.max</strong> = 0: maximum payload before alert { 0:65535 }\r
+bool <strong>file_log.log_pkt_time</strong> = true: log the packet time when event generated\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>256:1</strong> (dpx) too much data sent to port\r
+bool <strong>file_log.log_sys_time</strong> = false: log the system time when event generated\r
</p>\r
</li>\r
</ul></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>dpx.packets</strong>: total packets\r
+<strong>file_log.total events</strong>: total file events\r
</p>\r
</li>\r
</ul></div>\r
</ul></div>\r
</div>\r
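Review bot: the file_log peg list has no "Peg counts:" label: the paragraph that introduced the old dpx "Rules:" list is removed and nothing replaces it, so `file_log.total events` follows the configuration list as an unlabeled second list, unlike the http_inspect section below, which keeps its "Peg counts:" paragraph; add the label paragraph before the list. This region also drops the dpx (dynamic inspector example) section outright, including `dpx.port`, `dpx.max`, rule 256:1 and the `dpx.packets` peg; if the example plugin still ships, its documentation should move rather than disappear, and if it was removed, the commit message should say so. Minor: "log file event to file.log" should read "log file events to file.log".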
<div class="sect2">\r
-<h3 id="_http_global">http_global</h3>\r
-<div class="paragraph"><p>What: http inspector global configuration and client rules for use with http_server</p></div>\r
+<h3 id="_http_inspect">http_inspect</h3>\r
+<div class="paragraph"><p>What: HTTP inspector</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>http_global.compress_depth</strong> = 65535: maximum amount of packet payload to decompress { 1:65535 }\r
+int <strong>http_inspect.request_depth</strong> = -1: maximum request message body bytes to examine (-1 no limit) { -1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_global.decode.b64_decode_depth</strong> = 0: single packet decode depth { -1:65535 }\r
+int <strong>http_inspect.response_depth</strong> = -1: maximum response message body bytes to examine (-1 no limit) { -1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_global.decode.bitenc_decode_depth</strong> = 0: single packet decode depth { -1:65535 }\r
+bool <strong>http_inspect.unzip</strong> = true: decompress gzip and deflate message bodies\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_global.decode.max_mime_mem</strong> = 838860: single packet decode depth { 3276: }\r
+bit_list <strong>http_inspect.bad_characters</strong>: alert when any of specified bytes are present in URI after percent decoding { 255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_global.decode.qp_decode_depth</strong> = 0: single packet decode depth { -1:65535 }\r
+string <strong>http_inspect.ignore_unreserved</strong>: do not alert when the specified unreserved characters are percent-encoded in a URI.Unreserved characters are 0-9, a-z, A-Z, period, underscore, tilde, and minus. { (optional) }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_global.decode.uu_decode_depth</strong> = 0: single packet decode depth { -1:65535 }\r
+bool <strong>http_inspect.percent_u</strong> = false: normalize %uNNNN and %UNNNN encodings\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_global.decompress_depth</strong> = 65535: maximum amount of decompressed data to process { 1:65535 }\r
+bool <strong>http_inspect.utf8</strong> = true: normalize 2-byte and 3-byte UTF-8 characters to a single byte\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_global.detect_anomalous_servers</strong> = false: inspect non-configured ports for HTTP - bad idea\r
+bool <strong>http_inspect.utf8_bare_byte</strong> = false: when doing UTF-8 character normalization include bytes that were not percent encoded\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_global.max_gzip_mem</strong> = 838860: total memory used for decompression across all active sessions { 3276: }\r
+bool <strong>http_inspect.iis_unicode</strong> = false: use IIS unicode code point mapping to normalize characters\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_global.memcap</strong> = 150994944: limit of memory used for logging extra data { 2304: }\r
+string <strong>http_inspect.iis_unicode_map_file</strong>: file containing code points for IIS unicode. { (optional) }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_global.proxy_alert</strong> = false: alert on proxy usage for servers without allow_proxy_use\r
+int <strong>http_inspect.iis_unicode_code_page</strong> = 1252: code page to use from the IIS unicode map file { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_global.unicode_map.code_page</strong> = 1252: select code page in map file { 0: }\r
+bool <strong>http_inspect.iis_double_decode</strong> = false: perform double decoding of percent encodings to normalize characters\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>http_global.unicode_map.map_file</strong>: unicode map file\r
+int <strong>http_inspect.oversize_dir_length</strong> = 300: maximum length for URL directory { 1:65535 }\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>119:1</strong> (http_global) ascii encoding\r
+bool <strong>http_inspect.backslash_to_slash</strong> = false: replace \ with / when normalizing URIs\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:2</strong> (http_global) double decoding attack\r
+bool <strong>http_inspect.plus_to_space</strong> = true: replace + with <sp> when normalizing URIs\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:3</strong> (http_global) u encoding\r
+bool <strong>http_inspect.simplify_path</strong> = true: reduce URI directory path to simplest form\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:4</strong> (http_global) bare byte unicode encoding\r
+bool <strong>http_inspect.test_input</strong> = false: read HTTP messages from text file\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:5</strong> (http_global) base36 encoding\r
+bool <strong>http_inspect.test_output</strong> = false: print out HTTP section data\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:6</strong> (http_global) UTF-8 encoding\r
+int <strong>http_inspect.print_amount</strong> = 1200: number of characters to print from a Field { 1:1000000 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:7</strong> (http_global) IIS unicode codepoint encoding\r
+bool <strong>http_inspect.print_hex</strong> = false: nonprinting characters printed in [HH] format instead of using an asterisk\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:8</strong> (http_global) multi_slash encoding\r
+bool <strong>http_inspect.show_pegs</strong> = true: display peg counts with test output\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>119:9</strong> (http_global) IIS backslash evasion\r
+<strong>119:1</strong> (http_inspect) ascii encoding\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:10</strong> (http_global) self directory traversal\r
+<strong>119:2</strong> (http_inspect) double decoding attack\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:11</strong> (http_global) directory traversal\r
+<strong>119:3</strong> (http_inspect) u encoding\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:12</strong> (http_global) apache whitespace (tab)\r
+<strong>119:4</strong> (http_inspect) bare byte unicode encoding\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:13</strong> (http_global) non-RFC http delimiter\r
+<strong>119:5</strong> (http_inspect) obsolete event—should not appear\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:14</strong> (http_global) non-RFC defined char\r
+<strong>119:6</strong> (http_inspect) UTF-8 encoding\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:15</strong> (http_global) oversize request-URI directory\r
+<strong>119:7</strong> (http_inspect) IIS unicode codepoint encoding\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:16</strong> (http_global) oversize chunk encoding\r
+<strong>119:8</strong> (http_inspect) multi_slash encoding\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:17</strong> (http_global) unauthorized proxy use detected\r
+<strong>119:9</strong> (http_inspect) IIS backslash evasion\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:18</strong> (http_global) webroot directory traversal\r
+<strong>119:10</strong> (http_inspect) self directory traversal\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:19</strong> (http_global) long header\r
+<strong>119:11</strong> (http_inspect) directory traversal\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:20</strong> (http_global) max header fields\r
+<strong>119:12</strong> (http_inspect) apache whitespace (tab)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:21</strong> (http_global) multiple content length\r
+<strong>119:13</strong> (http_inspect) non-RFC http delimiter\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:22</strong> (http_global) chunk size mismatch detected\r
+<strong>119:14</strong> (http_inspect) non-RFC defined char\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:23</strong> (http_global) invalid ip in true-client-IP/XFF header\r
+<strong>119:15</strong> (http_inspect) oversize request-uri directory\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:24</strong> (http_global) multiple host hdrs detected\r
+<strong>119:16</strong> (http_inspect) oversize chunk encoding\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:25</strong> (http_global) hostname exceeds 255 characters\r
+<strong>119:17</strong> (http_inspect) unauthorized proxy use detected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:26</strong> (http_global) header parsing space saturation\r
+<strong>119:18</strong> (http_inspect) webroot directory traversal\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:27</strong> (http_global) client consecutive small chunk sizes\r
+<strong>119:19</strong> (http_inspect) long header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:28</strong> (http_global) post w/o content-length or chunks\r
+<strong>119:20</strong> (http_inspect) max header fields\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:29</strong> (http_global) multiple true IPs in a session\r
+<strong>119:21</strong> (http_inspect) multiple content length\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:30</strong> (http_global) both true-client-IP and XFF hdrs present\r
+<strong>119:22</strong> (http_inspect) chunk size mismatch detected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:31</strong> (http_global) unknown method\r
+<strong>119:23</strong> (http_inspect) invalid IP in true-client-IP/XFF header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:32</strong> (http_global) simple request\r
+<strong>119:24</strong> (http_inspect) multiple host hdrs detected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:33</strong> (http_global) unescaped space in http URI\r
+<strong>119:25</strong> (http_inspect) hostname exceeds 255 characters\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:34</strong> (http_global) too many pipelined requests\r
+<strong>119:26</strong> (http_inspect) header parsing space saturation\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>http_global.packets</strong>: total packets processed\r
+<strong>119:27</strong> (http_inspect) client consecutive small chunk sizes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_global.gets</strong>: GET requests\r
+<strong>119:28</strong> (http_inspect) post w/o content-length or chunks\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_global.posts</strong>: POST requests\r
+<strong>119:29</strong> (http_inspect) multiple true ips in a session\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_global.request headers</strong>: total requests\r
+<strong>119:30</strong> (http_inspect) both true-client-IP and XFF hdrs present\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_global.response headers</strong>: total responses\r
+<strong>119:31</strong> (http_inspect) unknown method\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_global.request cookies</strong>: requests with Cookie\r
+<strong>119:32</strong> (http_inspect) simple request\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_global.response cookies</strong>: responses with Set-Cookie\r
+<strong>119:33</strong> (http_inspect) unescaped space in HTTP URI\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_global.post params</strong>: POST parameters extracted\r
+<strong>119:34</strong> (http_inspect) too many pipelined requests\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_global.unicode</strong>: unicode normalizations\r
+<strong>119:35</strong> (http_inspect) anomalous http server on undefined HTTP port\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_global.double unicode</strong>: double unicode normalizations\r
+<strong>119:36</strong> (http_inspect) invalid status code in HTTP response\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_global.non-ascii</strong>: non-ascii normalizations\r
+<strong>119:37</strong> (http_inspect) no content-length or transfer-encoding in HTTP response\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_global.paths with ../</strong>: directory traversal normalizations\r
+<strong>119:38</strong> (http_inspect) HTTP response has UTF charset which failed to normalize\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_global.paths with //</strong>: double slash normalizations\r
+<strong>119:39</strong> (http_inspect) HTTP response has UTF-7 charset\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_global.paths with ./</strong>: relative directory normalizations\r
+<strong>119:40</strong> (http_inspect) HTTP response gzip decompression failed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_global.gzip packets</strong>: packets with gzip compression\r
+<strong>119:41</strong> (http_inspect) server consecutive small chunk sizes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_global.compressed bytes</strong>: total comparessed bytes processed\r
+<strong>119:42</strong> (http_inspect) invalid content-length or chunk size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_global.decompressed bytes</strong>: total bytes decompressed\r
+<strong>119:43</strong> (http_inspect) javascript obfuscation levels exceeds 1\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_inspect">http_inspect</h3>\r
-<div class="paragraph"><p>What: http inspection and server rules; also configure http_inspect</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>http_inspect.allow_proxy_use</strong> = false: don’t alert on proxy use for this server\r
+<strong>119:44</strong> (http_inspect) javascript whitespaces exceeds max allowed\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.decompress_pdf</strong> = false: enable decompression of the compressed portions of PDF files\r
+<strong>119:45</strong> (http_inspect) multiple encodings within javascript obfuscated data\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.decompress_swf</strong> = false: enable decompression of SWF (Adobe Flash content)\r
+<strong>119:46</strong> (http_inspect) SWF file zlib decompression failure\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.enable_cookies</strong> = true: extract cookies\r
+<strong>119:47</strong> (http_inspect) SWF file LZMA decompression failure\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.enable_xff</strong> = false: log True-Client-IP and X-Forwarded-For headers with unified2 alerts as extra data\r
+<strong>119:48</strong> (http_inspect) PDF file deflate decompression failure\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.extended_ascii_uri</strong> = false: allow extended ASCII codes in the request URI\r
+<strong>119:49</strong> (http_inspect) PDF file unsupported compression type\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.extended_response_inspection</strong> = true: extract response headers\r
+<strong>119:50</strong> (http_inspect) PDF file cascaded compression\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>http_inspect.http_methods</strong> = GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA: request methods allowed in addition to GET and POST\r
+<strong>119:51</strong> (http_inspect) PDF file parse failure\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.inspect_gzip</strong> = true: enable gzip decompression of compressed bodies\r
+<strong>119:52</strong> (http_inspect) Not HTTP traffic\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.inspect_uri_only</strong> = false: disable all detection except for uricontent\r
+<strong>119:53</strong> (http_inspect) Chunk length has excessive leading zeros\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.log_hostname</strong> = false: enable logging of Hostname with unified2 alerts as extra data\r
+<strong>119:54</strong> (http_inspect) White space before or between messages\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.log_uri</strong> = false: enable logging of URI with unified2 alerts as extra data\r
+<strong>119:55</strong> (http_inspect) Request message without URI\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.no_pipeline_req</strong> = false: don’t inspect pipelined requests after first (still does general detection)\r
+<strong>119:56</strong> (http_inspect) Control character in reason phrase\r
</p>\r
</li>\r
<li>\r
<p>\r
-bit_list <strong>http_inspect.non_rfc_chars</strong> = 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07: alert on given non-RFC chars being present in the URI { 255 }\r
+<strong>119:57</strong> (http_inspect) Illegal extra whitespace in start line\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.normalize_cookies</strong> = false: normalize cookies similar to URI\r
+<strong>119:58</strong> (http_inspect) Corrupted HTTP version\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.normalize_headers</strong> = false: normalize headers other than cookie similar to URI\r
+<strong>119:59</strong> (http_inspect) Unknown HTTP version\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_inspect.oversize_dir_length</strong> = 500: alert if a URL has a directory longer than this limit { 0: }\r
+<strong>119:60</strong> (http_inspect) Format error in HTTP header\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.profile.apache_whitespace</strong> = false: don’t alert if tab is used in lieu of space characters\r
+<strong>119:61</strong> (http_inspect) Chunk header options present\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.profile.ascii</strong> = false: enable decoding ASCII like %2f to /\r
+<strong>119:62</strong> (http_inspect) URI badly formatted\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.profile.bare_byte</strong> = false: decode non-standard, non-ASCII character encodings\r
+<strong>119:63</strong> (http_inspect) Unrecognized type of percent encoding in URI\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_inspect.profile.chunk_length</strong> = 500000: alert on chunk lengths greater than specified { 1: }\r
+<strong>119:64</strong> (http_inspect) HTTP chunk misformatted\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_inspect.profile.client_flow_depth</strong> = 0: raw request payload to inspect { -1:1460 }\r
+<strong>119:65</strong> (http_inspect) White space following chunk length\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.profile.directory</strong> = false: normalize . and .. sequences out of URI\r
+<strong>119:67</strong> (http_inspect) Excessive gzip compression\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.profile.double_decode</strong> = false: iis specific extra decoding\r
+<strong>119:68</strong> (http_inspect) Gzip decompression failed\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.profile.iis_backslash</strong> = false: normalize directory slashes\r
+<strong>119:69</strong> (http_inspect) HTTP 0.9 requested followed by another request\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.profile.iis_delimiter</strong> = false: allow use of non-standard delimiter\r
+<strong>119:70</strong> (http_inspect) HTTP 0.9 request following a normal request\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.profile.iis_unicode</strong> = false: enable unicode code point mapping using unicode_map settings\r
+<strong>119:71</strong> (http_inspect) Message has both Content-Length and Transfer-Encoding\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_inspect.profile.iis_unicode_map.code_page</strong> = 1252: select code page in map file { 0: }\r
+<strong>119:72</strong> (http_inspect) Status code implying no body combined with Transfer-Encoding or nonzero Content-Length\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>http_inspect.profile.iis_unicode_map.map_file</strong>: unicode map file\r
+<strong>119:73</strong> (http_inspect) Transfer-Encoding did not end with chunked\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_inspect.profile.max_header_length</strong> = 750: maximum allowed client request header field { 0:65535 }\r
+<strong>119:74</strong> (http_inspect) Transfer-Encoding with chunked not at end\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_inspect.profile.max_headers</strong> = 100: maximum allowed client request headers { 0:1024 }\r
+<strong>119:75</strong> (http_inspect) Misformatted HTTP traffic\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>http_inspect.profile.max_spaces</strong> = 200: maximum allowed whitespaces when folding { 0:65535 }\r
+<strong>http_inspect.flows</strong>: HTTP connections inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.profile.multi_slash</strong> = false: normalize out consecutive slashes in URI\r
+<strong>http_inspect.scans</strong>: TCP segments scanned looking for HTTP messages\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.profile.non_strict</strong> = true: allows HTTP 0.9 processing\r
+<strong>http_inspect.reassembles</strong>: TCP segments combined into HTTP messages\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_inspect.profile.max_javascript_whitespaces</strong> = 200: maximum number of consecutive whitespaces { 0: }\r
+<strong>http_inspect.inspections</strong>: total message sections inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.profile.normalize_utf</strong> = true: normalize response bodies with UTF content-types\r
+<strong>http_inspect.requests</strong>: HTTP request messages inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.profile.normalize_javascript</strong> = true: normalize javascript between <script> tags\r
+<strong>http_inspect.responses</strong>: HTTP response messages inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_inspect.profile.post_depth</strong> = 65495: amount of POST data to inspect { -1:65535 }\r
+<strong>http_inspect.GET requests</strong>: GET requests inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>http_inspect.profile.profile_type</strong> = default: set defaults appropriate for selected server { default | apache | iis | iis_40 | iis_50 }\r
+<strong>http_inspect.HEAD requests</strong>: HEAD requests inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_inspect.profile.server_flow_depth</strong> = 0: response payload to inspect; includes headers with extended_response_inspection { -1:65535 }\r
+<strong>http_inspect.POST requests</strong>: POST requests inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.profile.u_encode</strong> = true: decode %uXXXX character sequences\r
+<strong>http_inspect.PUT requests</strong>: PUT requests inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.profile.utf_8</strong> = false: decode UTF-8 unicode sequences in URI\r
+<strong>http_inspect.DELETE requests</strong>: DELETE requests inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.profile.webroot</strong> = false: alert on directory traversals past the top level (web server root)\r
+<strong>http_inspect.CONNECT requests</strong>: CONNECT requests inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-bit_list <strong>http_inspect.profile.whitespace_chars</strong>: allowed white space characters { 255 }\r
+<strong>http_inspect.OPTIONS requests</strong>: OPTIONS requests inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_inspect.small_chunk_count</strong> = 5: alert if more than this limit of consecutive chunks are below small_chunk_length { 0:255 }\r
+<strong>http_inspect.TRACE requests</strong>: TRACE requests inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_inspect.small_chunk_length</strong> = 10: alert if more than small_chunk_count consecutive chunks below this limit { 0:255 }\r
+<strong>http_inspect.other requests</strong>: other request methods inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.tab_uri_delimiter</strong> = false: whether a tab not preceded by a space is considered a delimiter or part of URI\r
+<strong>http_inspect.request bodies</strong>: POST, PUT, and other requests with message bodies\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.unlimited_decompress</strong> = true: decompress across multiple packets\r
+<strong>http_inspect.chunked</strong>: chunked message bodies\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.xff_headers</strong> = false: not implemented\r
+<strong>http_inspect.URI normalizations</strong>: URIs needing to be normalization\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>120:1</strong> (http_inspect) anomalous http server on undefined HTTP port\r
+<strong>http_inspect.URI path</strong>: URIs with path problems\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>120:2</strong> (http_inspect) invalid status code in HTTP response\r
+<strong>http_inspect.URI coding</strong>: URIs with character coding problems\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_imap">imap</h3>\r
+<div class="paragraph"><p>What: imap inspection</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>120:3</strong> (http_inspect) no content-length or transfer-encoding in HTTP response\r
+int <strong>imap.b64_decode_depth</strong> = 1460: base64 decoding depth { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>120:4</strong> (http_inspect) HTTP response has UTF charset which failed to normalize\r
+int <strong>imap.bitenc_decode_depth</strong> = 1460: Non-Encoded MIME attachment extraction depth { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>120:5</strong> (http_inspect) HTTP response has UTF-7 charset\r
+int <strong>imap.qp_decode_depth</strong> = 1460: Quoted Printable decoding depth { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>120:6</strong> (http_inspect) HTTP response gzip decompression failed\r
+int <strong>imap.uu_decode_depth</strong> = 1460: Unix-to-Unix decoding depth { -1:65535 }\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>120:7</strong> (http_inspect) server consecutive small chunk sizes\r
+<strong>141:1</strong> (imap) Unknown IMAP3 command\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>120:8</strong> (http_inspect) invalid content-length or chunk size\r
+<strong>141:2</strong> (imap) Unknown IMAP3 response\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>120:9</strong> (http_inspect) javascript obfuscation levels exceeds 1\r
+<strong>141:4</strong> (imap) Base64 Decoding failed.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>120:10</strong> (http_inspect) javascript whitespaces exceeds max allowed\r
+<strong>141:5</strong> (imap) Quoted-Printable Decoding failed.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>120:11</strong> (http_inspect) multiple encodings within javascript obfuscated data\r
+<strong>141:7</strong> (imap) Unix-to-Unix Decoding failed.\r
</p>\r
</li>\r
-<li>\r
-<p>\r
-<strong>120:12</strong> (http_inspect) HTTP response SWF file zlib decompression failure\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+<strong>imap.packets</strong>: total packets processed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>120:13</strong> (http_inspect) HTTP response SWF file LZMA decompression failure\r
+<strong>imap.sessions</strong>: total imap sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>120:14</strong> (http_inspect) HTTP response PDF file deflate decompression failure\r
+<strong>imap.b64 attachments</strong>: total base64 attachments decoded\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>120:15</strong> (http_inspect) HTTP response PDF file unsupported compression type\r
+<strong>imap.b64 decoded bytes</strong>: total base64 decoded bytes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>120:16</strong> (http_inspect) HTTP response PDF file cascaded compression\r
+<strong>imap.qp attachments</strong>: total quoted-printable attachments decoded\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>120:17</strong> (http_inspect) HTTP response PDF file parse failure\r
+<strong>imap.qp decoded bytes</strong>: total quoted-printable decoded bytes\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_imap">imap</h3>\r
-<div class="paragraph"><p>What: imap inspection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>imap.b64_decode_depth</strong> = 1460: base64 decoding depth { -1:65535 }\r
+<strong>imap.uu attachments</strong>: total uu attachments decoded\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>imap.bitenc_decode_depth</strong> = 1460: Non-Encoded MIME attachment extraction depth { -1:65535 }\r
+<strong>imap.uu decoded bytes</strong>: total uu decoded bytes\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>imap.qp_decode_depth</strong> = 1460: Quoted Printable decoding depth { -1:65535 }\r
+<strong>imap.non-encoded attachments</strong>: total non-encoded attachments extracted\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>imap.uu_decode_depth</strong> = 1460: Unix-to-Unix decoding depth { -1:65535 }\r
+<strong>imap.non-encoded bytes</strong>: total non-encoded extracted bytes\r
</p>\r
</li>\r
</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_modbus">modbus</h3>\r
+<div class="paragraph"><p>What: modbus inspection</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>141:1</strong> (imap) Unknown IMAP3 command\r
+<strong>144:1</strong> (modbus) length in Modbus MBAP header does not match the length needed for the given function\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>141:2</strong> (imap) Unknown IMAP3 response\r
+<strong>144:2</strong> (modbus) Modbus protocol ID is non-zero\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>141:4</strong> (imap) Base64 Decoding failed.\r
+<strong>144:3</strong> (modbus) Reserved Modbus function code in use\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>141:5</strong> (imap) Quoted-Printable Decoding failed.\r
+<strong>modbus.sessions</strong>: total sessions processed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>141:7</strong> (imap) Unix-to-Unix Decoding failed.\r
+<strong>modbus.frames</strong>: total Modbus messages\r
</p>\r
</li>\r
</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_normalizer">normalizer</h3>\r
+<div class="paragraph"><p>What: packet scrubbing for inline mode</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>imap.packets</strong>: total packets processed\r
+bool <strong>normalizer.ip4.base</strong> = true: clear options\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>imap.sessions</strong>: total imap sessions\r
+bool <strong>normalizer.ip4.df</strong> = false: clear don’t frag flag\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>imap.b64 attachments</strong>: total base64 attachments decoded\r
+bool <strong>normalizer.ip4.rf</strong> = false: clear reserved flag\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>imap.b64 decoded bytes</strong>: total base64 decoded bytes\r
+bool <strong>normalizer.ip4.tos</strong> = false: clear tos / differentiated services byte\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>imap.qp attachments</strong>: total quoted-printable attachments decoded\r
+bool <strong>normalizer.ip4.trim</strong> = false: truncate excess payload beyond datagram length\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>imap.qp decoded bytes</strong>: total quoted-printable decoded bytes\r
+bool <strong>normalizer.tcp.base</strong> = true: clear reserved bits and option padding and fix urgent pointer / flags issues\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>imap.uu attachments</strong>: total uu attachments decoded\r
+bool <strong>normalizer.tcp.block</strong> = true: allow packet drops during TCP normalization\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>imap.uu decoded bytes</strong>: total uu decoded bytes\r
+bool <strong>normalizer.tcp.urp</strong> = true: adjust urgent pointer if beyond segment length\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>imap.non-encoded attachments</strong>: total non-encoded attachments extracted\r
+bool <strong>normalizer.tcp.ips</strong> = false: ensure consistency in retransmitted data\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>imap.non-encoded bytes</strong>: total non-encoded extracted bytes\r
+select <strong>normalizer.tcp.ecn</strong> = off: clear ecn for all packets | sessions w/o ecn setup { off | packet | stream }\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_modbus">modbus</h3>\r
-<div class="paragraph"><p>What: modbus inspection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>144:1</strong> (modbus) length in Modbus MBAP header does not match the length needed for the given function\r
+bool <strong>normalizer.tcp.pad</strong> = true: clear any option padding bytes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>144:2</strong> (modbus) Modbus protocol ID is non-zero\r
+bool <strong>normalizer.tcp.trim_syn</strong> = false: remove data on SYN\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>144:3</strong> (modbus) Reserved Modbus function code in use\r
+bool <strong>normalizer.tcp.trim_rst</strong> = false: remove any data from RST packet\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>modbus.sessions</strong>: total sessions processed\r
+bool <strong>normalizer.tcp.trim_win</strong> = false: trim data to window\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>modbus.frames</strong>: total Modbus messages\r
+bool <strong>normalizer.tcp.trim_mss</strong> = false: trim data to MSS\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_new_http_inspect">new_http_inspect</h3>\r
-<div class="paragraph"><p>What: new HTTP inspector</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>new_http_inspect.request_depth</strong> = -1: maximum request message body bytes to examine (-1 no limit) { -1: }\r
+bool <strong>normalizer.tcp.trim</strong> = false: enable all of the TCP trim options\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>new_http_inspect.response_depth</strong> = -1: maximum response message body bytes to examine (-1 no limit) { -1: }\r
+bool <strong>normalizer.tcp.opts</strong> = true: clear all options except mss, wscale, timestamp, and any explicitly allowed\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>new_http_inspect.unzip</strong> = true: decompress gzip and deflate message bodies\r
+bool <strong>normalizer.tcp.req_urg</strong> = true: clear the urgent pointer if the urgent flag is not set\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>new_http_inspect.test_input</strong> = false: read HTTP messages from text file\r
+bool <strong>normalizer.tcp.req_pay</strong> = true: clear the urgent pointer and the urgent flag if there is no payload\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>new_http_inspect.test_output</strong> = false: print out HTTP section data\r
+bool <strong>normalizer.tcp.rsv</strong> = true: clear the reserved bits in the TCP header\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>new_http_inspect.print_amount</strong> = 1200: number of characters to print from a Field { 1:1000000 }\r
+bool <strong>normalizer.tcp.req_urp</strong> = true: clear the urgent flag if the urgent pointer is not set\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>219:1</strong> (new_http_inspect) ascii encoding\r
+multi <strong>normalizer.tcp.allow_names</strong>: don’t clear given option names { sack | echo | partial_order | conn_count | alt_checksum | md5 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:2</strong> (new_http_inspect) double decoding attack\r
+string <strong>normalizer.tcp.allow_codes</strong>: don’t clear given option codes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:3</strong> (new_http_inspect) u encoding\r
+bool <strong>normalizer.ip6</strong> = false: clear reserved flag\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:4</strong> (new_http_inspect) bare byte unicode encoding\r
+bool <strong>normalizer.icmp4</strong> = false: clear reserved flag\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:5</strong> (new_http_inspect) obsolete event—should not appear\r
+bool <strong>normalizer.icmp6</strong> = false: clear reserved flag\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>219:6</strong> (new_http_inspect) UTF-8 encoding\r
+<strong>normalizer.ip4 trim</strong>: eth packets trimmed to datagram size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:7</strong> (new_http_inspect) IIS unicode codepoint encoding\r
+<strong>normalizer.test ip4 trim</strong>: test eth packets trimmed to datagram size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:8</strong> (new_http_inspect) multi_slash encoding\r
+<strong>normalizer.ip4 tos</strong>: type of service normalizations\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:9</strong> (new_http_inspect) IIS backslash evasion\r
+<strong>normalizer.test ip4 tos</strong>: test type of service normalizations\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:10</strong> (new_http_inspect) self directory traversal\r
+<strong>normalizer.ip4 df</strong>: don’t frag bit normalizations\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:11</strong> (new_http_inspect) directory traversal\r
+<strong>normalizer.test ip4 df</strong>: test don’t frag bit normalizations\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:12</strong> (new_http_inspect) apache whitespace (tab)\r
+<strong>normalizer.ip4 rf</strong>: reserved flag bit clears\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:13</strong> (new_http_inspect) non-RFC http delimiter\r
+<strong>normalizer.test ip4 rf</strong>: test reserved flag bit clears\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:14</strong> (new_http_inspect) non-RFC defined char\r
+<strong>normalizer.ip4 ttl</strong>: time-to-live normalizations\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:15</strong> (new_http_inspect) oversize request-uri directory\r
+<strong>normalizer.test ip4 ttl</strong>: test time-to-live normalizations\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:16</strong> (new_http_inspect) oversize chunk encoding\r
+<strong>normalizer.ip4 opts</strong>: ip4 options cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:17</strong> (new_http_inspect) unauthorized proxy use detected\r
+<strong>normalizer.test ip4 opts</strong>: test ip4 options cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:18</strong> (new_http_inspect) webroot directory traversal\r
+<strong>normalizer.icmp4 echo</strong>: icmp4 ping normalizations\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:19</strong> (new_http_inspect) long header\r
+<strong>normalizer.test icmp4 echo</strong>: test icmp4 ping normalizations\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:20</strong> (new_http_inspect) max header fields\r
+<strong>normalizer.ip6 hops</strong>: ip6 hop limit normalizations\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:21</strong> (new_http_inspect) multiple content length\r
+<strong>normalizer.test ip6 hops</strong>: test ip6 hop limit normalizations\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:22</strong> (new_http_inspect) chunk size mismatch detected\r
+<strong>normalizer.ip6 options</strong>: ip6 options cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:23</strong> (new_http_inspect) invalid IP in true-client-IP/XFF header\r
+<strong>normalizer.test ip6 options</strong>: test ip6 options cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:24</strong> (new_http_inspect) multiple host hdrs detected\r
+<strong>normalizer.icmp6 echo</strong>: icmp6 echo normalizations\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:25</strong> (new_http_inspect) hostname exceeds 255 characters\r
+<strong>normalizer.test icmp6 echo</strong>: test icmp6 echo normalizations\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:26</strong> (new_http_inspect) header parsing space saturation\r
+<strong>normalizer.tcp syn options</strong>: SYN only options cleared from non-SYN packets\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:27</strong> (new_http_inspect) client consecutive small chunk sizes\r
+<strong>normalizer.test tcp syn options</strong>: test SYN only options cleared from non-SYN packets\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:28</strong> (new_http_inspect) post w/o content-length or chunks\r
+<strong>normalizer.tcp options</strong>: packets with options cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:29</strong> (new_http_inspect) multiple true ips in a session\r
+<strong>normalizer.test tcp options</strong>: test packets with options cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:30</strong> (new_http_inspect) both true-client-IP and XFF hdrs present\r
+<strong>normalizer.tcp paddding</strong>: packets with padding cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:31</strong> (new_http_inspect) unknown method\r
+<strong>normalizer.test tcp paddding</strong>: test packets with padding cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:32</strong> (new_http_inspect) simple request\r
+<strong>normalizer.tcp reserved</strong>: packets with reserved bits cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:33</strong> (new_http_inspect) unescaped space in HTTP URI\r
+<strong>normalizer.test tcp reserved</strong>: test packets with reserved bits cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:34</strong> (new_http_inspect) too many pipelined requests\r
+<strong>normalizer.tcp nonce</strong>: packets with nonce bit cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:35</strong> (new_http_inspect) anomalous http server on undefined HTTP port\r
+<strong>normalizer.test tcp nonce</strong>: test packets with nonce bit cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:36</strong> (new_http_inspect) invalid status code in HTTP response\r
+<strong>normalizer.tcp urgent ptr</strong>: packets without data with urgent pointer cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:37</strong> (new_http_inspect) no content-length or transfer-encoding in HTTP response\r
+<strong>normalizer.test tcp urgent ptr</strong>: test packets without data with urgent pointer cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:38</strong> (new_http_inspect) HTTP response has UTF charset which failed to normalize\r
+<strong>normalizer.tcp ecn pkt</strong>: packets with ECN bits cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:39</strong> (new_http_inspect) HTTP response has UTF-7 charset\r
+<strong>normalizer.test tcp ecn pkt</strong>: test packets with ECN bits cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:40</strong> (new_http_inspect) HTTP response gzip decompression failed\r
+<strong>normalizer.tcp ts ecr</strong>: timestamp cleared on non-ACKs\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:41</strong> (new_http_inspect) server consecutive small chunk sizes\r
+<strong>normalizer.test tcp ts ecr</strong>: test timestamp cleared on non-ACKs\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:42</strong> (new_http_inspect) invalid content-length or chunk size\r
+<strong>normalizer.tcp req urg</strong>: cleared urgent pointer when urgent flag is not set\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:43</strong> (new_http_inspect) javascript obfuscation levels exceeds 1\r
+<strong>normalizer.test tcp req urg</strong>: test cleared urgent pointer when urgent flag is not set\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:44</strong> (new_http_inspect) javascript whitespaces exceeds max allowed\r
+<strong>normalizer.tcp req pay</strong>: cleared urgent pointer and urgent flag when there is no payload\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:45</strong> (new_http_inspect) multiple encodings within javascript obfuscated data\r
+<strong>normalizer.test tcp req pay</strong>: test cleared urgent pointer and urgent flag when there is no payload\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:46</strong> (new_http_inspect) SWF file zlib decompression failure\r
+<strong>normalizer.tcp req urp</strong>: cleared the urgent flag if the urgent pointer is not set\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:47</strong> (new_http_inspect) SWF file LZMA decompression failure\r
+<strong>normalizer.test tcp req urp</strong>: test cleared the urgent flag if the urgent pointer is not set\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:48</strong> (new_http_inspect) PDF file deflate decompression failure\r
+<strong>normalizer.tcp trim syn</strong>: tcp segments trimmed on SYN\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:49</strong> (new_http_inspect) PDF file unsupported compression type\r
+<strong>normalizer.test tcp trim syn</strong>: test tcp segments trimmed on SYN\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:50</strong> (new_http_inspect) PDF file cascaded compression\r
+<strong>normalizer.tcp trim rst</strong>: RST packets with data trimmed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:51</strong> (new_http_inspect) PDF file parse failure\r
+<strong>normalizer.test tcp trim rst</strong>: test RST packets with data trimmed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:52</strong> (new_http_inspect) HTTP misformatted or not really HTTP\r
+<strong>normalizer.tcp trim win</strong>: data trimed to window\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:53</strong> (new_http_inspect) Chunk length has excessive leading zeros\r
+<strong>normalizer.test tcp trim win</strong>: test data trimed to window\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:54</strong> (new_http_inspect) White space before or between messages\r
+<strong>normalizer.tcp trim mss</strong>: data trimmed to MSS\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:55</strong> (new_http_inspect) Request message without URI\r
+<strong>normalizer.test tcp trim mss</strong>: test data trimmed to MSS\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:56</strong> (new_http_inspect) Control character in reason phrase\r
+<strong>normalizer.tcp ecn session</strong>: ECN bits cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:57</strong> (new_http_inspect) Illegal extra whitespace in start line\r
+<strong>normalizer.test tcp ecn session</strong>: test ECN bits cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:58</strong> (new_http_inspect) Corrupted HTTP version\r
+<strong>normalizer.tcp ts nop</strong>: timestamp options cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:59</strong> (new_http_inspect) Unknown HTTP version\r
+<strong>normalizer.test tcp ts nop</strong>: test timestamp options cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:60</strong> (new_http_inspect) Format error in HTTP header\r
+<strong>normalizer.tcp ips data</strong>: normalized segments\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:61</strong> (new_http_inspect) Chunk header options present\r
+<strong>normalizer.test tcp ips data</strong>: test normalized segments\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:62</strong> (new_http_inspect) URI badly formatted\r
+<strong>normalizer.tcp block</strong>: blocked segments\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:63</strong> (new_http_inspect) Unused\r
+<strong>normalizer.test tcp block</strong>: test blocked segments\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_packet_capture">packet_capture</h3>\r
+<div class="paragraph"><p>What: raw packet dumping facility</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>219:64</strong> (new_http_inspect) HTTP chunk misformatted\r
+bool <strong>packet_capture.enable</strong> = false: initially enable packet dumping\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:65</strong> (new_http_inspect) White space following chunk length\r
+string <strong>packet_capture.filter</strong>: bpf filter to use for packet dump\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Commands:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>219:67</strong> (new_http_inspect) Excessive gzip compression\r
+<strong>packet_capture.enable</strong>(filter): dump raw packets\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:68</strong> (new_http_inspect) Gzip decompression failed\r
+<strong>packet_capture.disable</strong>(): stop packet dump\r
</p>\r
</li>\r
</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_normalizer">normalizer</h3>\r
-<div class="paragraph"><p>What: packet scrubbing for inline mode</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>normalizer.ip4.base</strong> = true: clear options\r
+<strong>packet_capture.processed</strong>: packets processed against filter\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.ip4.df</strong> = false: clear don’t frag flag\r
+<strong>packet_capture.captured</strong>: packets matching dumped after matching filter\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_perf_monitor">perf_monitor</h3>\r
+<div class="paragraph"><p>What: performance monitoring and flow statistics collection</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>normalizer.ip4.rf</strong> = false: clear reserved flag\r
+bool <strong>perf_monitor.base</strong> = true: enable base statistics { nullptr }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.ip4.tos</strong> = false: clear tos / differentiated services byte\r
+bool <strong>perf_monitor.cpu</strong> = false: enable cpu statistics { nullptr }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.ip4.trim</strong> = false: truncate excess payload beyond datagram length\r
+bool <strong>perf_monitor.flow</strong> = false: enable traffic statistics\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.base</strong> = true: clear reserved bits and option padding and fix urgent pointer / flags issues\r
+bool <strong>perf_monitor.flow_ip</strong> = false: enable statistics on host pairs\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.block</strong> = true: allow packet drops during TCP normalization\r
+int <strong>perf_monitor.packets</strong> = 10000: minimum packets to report { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.urp</strong> = true: adjust urgent pointer if beyond segment length\r
+int <strong>perf_monitor.seconds</strong> = 60: report interval { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.ips</strong> = false: ensure consistency in retransmitted data\r
+int <strong>perf_monitor.flow_ip_memcap</strong> = 52428800: maximum memory for flow tracking { 8200: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-select <strong>normalizer.tcp.ecn</strong> = off: clear ecn for all packets | sessions w/o ecn setup { off | packet | stream }\r
+int <strong>perf_monitor.max_file_size</strong> = 1073741824: files will be rolled over if they exceed this size { 4096: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.pad</strong> = true: clear any option padding bytes\r
+int <strong>perf_monitor.flow_ports</strong> = 1023: maximum ports to track { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.trim_syn</strong> = false: remove data on SYN\r
+enum <strong>perf_monitor.output</strong> = file: Output location for stats { file | console }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.trim_rst</strong> = false: remove any data from RST packet\r
+string <strong>perf_monitor.modules[].name</strong>: name of the module\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.trim_win</strong> = false: trim data to window\r
+string <strong>perf_monitor.modules[].pegs</strong>: list of statistics to track or empty for all counters\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.trim_mss</strong> = false: trim data to MSS\r
+enum <strong>perf_monitor.format</strong> = csv: Output format for stats { csv | text }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.trim</strong> = false: enable all of the TCP trim options\r
+bool <strong>perf_monitor.summary</strong> = false: Output summary at shutdown\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.opts</strong> = true: clear all options except mss, wscale, timestamp, and any explicitly allowed\r
+<strong>perf_monitor.packets</strong>: total packets\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_pop">pop</h3>\r
+<div class="paragraph"><p>What: pop inspection</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.req_urg</strong> = true: clear the urgent pointer if the urgent flag is not set\r
+int <strong>pop.b64_decode_depth</strong> = 1460: base64 decoding depth { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.req_pay</strong> = true: clear the urgent pointer and the urgent flag if there is no payload\r
+int <strong>pop.bitenc_decode_depth</strong> = 1460: Non-Encoded MIME attachment extraction depth { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.rsv</strong> = true: clear the reserved bits in the TCP header\r
+int <strong>pop.qp_decode_depth</strong> = 1460: Quoted Printable decoding depth { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.req_urp</strong> = true: clear the urgent flag if the urgent pointer is not set\r
+int <strong>pop.uu_decode_depth</strong> = 1460: Unix-to-Unix decoding depth { -1:65535 }\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-multi <strong>normalizer.tcp.allow_names</strong>: don’t clear given option names { sack | echo | partial_order | conn_count | alt_checksum | md5 }\r
+<strong>142:1</strong> (pop) Unknown POP3 command\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>normalizer.tcp.allow_codes</strong>: don’t clear given option codes\r
+<strong>142:2</strong> (pop) Unknown POP3 response\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.ip6</strong> = false: clear reserved flag\r
+<strong>142:4</strong> (pop) Base64 Decoding failed.\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.icmp4</strong> = false: clear reserved flag\r
+<strong>142:5</strong> (pop) Quoted-Printable Decoding failed.\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.icmp6</strong> = false: clear reserved flag\r
+<strong>142:7</strong> (pop) Unix-to-Unix Decoding failed.\r
</p>\r
</li>\r
</ul></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>normalizer.ip4 trim</strong>: eth packets trimmed to datagram size\r
+<strong>pop.packets</strong>: total packets processed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test ip4 trim</strong>: test eth packets trimmed to datagram size\r
+<strong>pop.sessions</strong>: total pop sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.ip4 tos</strong>: type of service normalizations\r
+<strong>pop.b64 attachments</strong>: total base64 attachments decoded\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test ip4 tos</strong>: test type of service normalizations\r
+<strong>pop.b64 decoded bytes</strong>: total base64 decoded bytes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.ip4 df</strong>: don’t frag bit normalizations\r
+<strong>pop.qp attachments</strong>: total quoted-printable attachments decoded\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test ip4 df</strong>: test don’t frag bit normalizations\r
+<strong>pop.qp decoded bytes</strong>: total quoted-printable decoded bytes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.ip4 rf</strong>: reserved flag bit clears\r
+<strong>pop.uu attachments</strong>: total uu attachments decoded\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test ip4 rf</strong>: test reserved flag bit clears\r
+<strong>pop.uu decoded bytes</strong>: total uu decoded bytes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.ip4 ttl</strong>: time-to-live normalizations\r
+<strong>pop.non-encoded attachments</strong>: total non-encoded attachments extracted\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test ip4 ttl</strong>: test time-to-live normalizations\r
+<strong>pop.non-encoded bytes</strong>: total non-encoded extracted bytes\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
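Review bot: the new pop section drops its `Peg counts:` heading: after `142:7 (pop) Unix-to-Unix Decoding failed.` the rules list closes with `</ul></div>` and `<div class="ulist"><ul>` opens straight into `pop.packets: total packets processed`, so the eight peg counters render as an unlabeled second rules list. The removed copy of this section has `<div class="paragraph"><p>Peg counts:</p></div>` at exactly that spot, and port_scan_global, reputation and rpc_decode further down in this diff keep theirs, so the heading line should be restored between the two lists.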
+<div class="sect2">\r
+<h3 id="_port_scan">port_scan</h3>\r
+<div class="paragraph"><p>What: port scan inspector; also configure port_scan_global</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>normalizer.ip4 opts</strong>: ip4 options cleared\r
+multi <strong>port_scan.protos</strong> = all: choose the protocols to monitor { tcp | udp | icmp | ip | all }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test ip4 opts</strong>: test ip4 options cleared\r
+multi <strong>port_scan.scan_types</strong> = all: choose type of scans to look for { portscan | portsweep | decoy_portscan | distributed_portscan | all }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.icmp4 echo</strong>: icmp4 ping normalizations\r
+enum <strong>port_scan.sense_level</strong> = medium: choose the level of detection { low | medium | high }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test icmp4 echo</strong>: test icmp4 ping normalizations\r
+string <strong>port_scan.watch_ip</strong>: list of CIDRs with optional ports to watch\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.ip6 hops</strong>: ip6 hop limit normalizations\r
+string <strong>port_scan.ignore_scanners</strong>: list of CIDRs with optional ports to ignore if the source of scan alerts\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test ip6 hops</strong>: test ip6 hop limit normalizations\r
+string <strong>port_scan.ignore_scanned</strong>: list of CIDRs with optional ports to ignore if the destination of scan alerts\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.ip6 options</strong>: ip6 options cleared\r
+bool <strong>port_scan.include_midstream</strong> = false: list of CIDRs with optional ports\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test ip6 options</strong>: test ip6 options cleared\r
+bool <strong>port_scan.logfile</strong> = false: write scan events to file\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>normalizer.icmp6 echo</strong>: icmp6 echo normalizations\r
+<strong>122:1</strong> (port_scan) TCP portscan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test icmp6 echo</strong>: test icmp6 echo normalizations\r
+<strong>122:2</strong> (port_scan) TCP decoy portscan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp syn options</strong>: SYN only options cleared from non-SYN packets\r
+<strong>122:3</strong> (port_scan) TCP portsweep\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test tcp syn options</strong>: test SYN only options cleared from non-SYN packets\r
+<strong>122:4</strong> (port_scan) TCP distributed portscan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp options</strong>: packets with options cleared\r
+<strong>122:5</strong> (port_scan) TCP filtered portscan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test tcp options</strong>: test packets with options cleared\r
+<strong>122:6</strong> (port_scan) TCP filtered decoy portscan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp paddding</strong>: packets with padding cleared\r
+<strong>122:7</strong> (port_scan) TCP filtered portsweep\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test tcp paddding</strong>: test packets with padding cleared\r
+<strong>122:8</strong> (port_scan) TCP filtered distributed portscan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp reserved</strong>: packets with reserved bits cleared\r
+<strong>122:9</strong> (port_scan) IP protocol scan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test tcp reserved</strong>: test packets with reserved bits cleared\r
+<strong>122:10</strong> (port_scan) IP decoy protocol scan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp nonce</strong>: packets with nonce bit cleared\r
+<strong>122:11</strong> (port_scan) IP protocol sweep\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test tcp nonce</strong>: test packets with nonce bit cleared\r
+<strong>122:12</strong> (port_scan) IP distributed protocol scan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp urgent ptr</strong>: packets without data with urgent pointer cleared\r
+<strong>122:13</strong> (port_scan) IP filtered protocol scan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test tcp urgent ptr</strong>: test packets without data with urgent pointer cleared\r
+<strong>122:14</strong> (port_scan) IP filtered decoy protocol scan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp ecn pkt</strong>: packets with ECN bits cleared\r
+<strong>122:15</strong> (port_scan) IP filtered protocol sweep\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test tcp ecn pkt</strong>: test packets with ECN bits cleared\r
+<strong>122:16</strong> (port_scan) IP filtered distributed protocol scan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp ts ecr</strong>: timestamp cleared on non-ACKs\r
+<strong>122:17</strong> (port_scan) UDP portscan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test tcp ts ecr</strong>: test timestamp cleared on non-ACKs\r
+<strong>122:18</strong> (port_scan) UDP decoy portscan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp req urg</strong>: cleared urgent pointer when urgent flag is not set\r
+<strong>122:19</strong> (port_scan) UDP portsweep\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test tcp req urg</strong>: test cleared urgent pointer when urgent flag is not set\r
+<strong>122:20</strong> (port_scan) UDP distributed portscan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp req pay</strong>: cleared urgent pointer and urgent flag when there is no payload\r
+<strong>122:21</strong> (port_scan) UDP filtered portscan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test tcp req pay</strong>: test cleared urgent pointer and urgent flag when there is no payload\r
+<strong>122:22</strong> (port_scan) UDP filtered decoy portscan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp req urp</strong>: cleared the urgent flag if the urgent pointer is not set\r
+<strong>122:23</strong> (port_scan) UDP filtered portsweep\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test tcp req urp</strong>: test cleared the urgent flag if the urgent pointer is not set\r
+<strong>122:24</strong> (port_scan) UDP filtered distributed portscan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp trim syn</strong>: tcp segments trimmed on SYN\r
+<strong>122:25</strong> (port_scan) ICMP sweep\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test tcp trim syn</strong>: test tcp segments trimmed on SYN\r
+<strong>122:26</strong> (port_scan) ICMP filtered sweep\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp trim rst</strong>: RST packets with data trimmed\r
+<strong>122:27</strong> (port_scan) open port\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
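Review bot: the help string on `bool port_scan.include_midstream = false: list of CIDRs with optional ports` is a copy of the `watch_ip` description and says nothing about midstream sessions; a boolean cannot hold a CIDR list, and an operator reading this page cannot tell what the flag changes (presumably whether sessions picked up mid-flow are counted toward scan detection, but the page does not say). Replace it with a string that describes the boolean, and keep the CIDR wording on `watch_ip`, `ignore_scanners` and `ignore_scanned` only. Minor: the port_scan `What:` line (`also configure port_scan_global`) and the port_scan_global `What:` line (`shared settings for port_scan inspectors for use with port_scan`) each just point at the other; one sentence saying that port_scan_global carries the memcap shared by all port_scan instances would read better.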
+<div class="sect2">\r
+<h3 id="_port_scan_global">port_scan_global</h3>\r
+<div class="paragraph"><p>What: shared settings for port_scan inspectors for use with port_scan</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>normalizer.test tcp trim rst</strong>: test RST packets with data trimmed\r
+int <strong>port_scan_global.memcap</strong> = 1048576: maximum tracker memory { 1: }\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>normalizer.tcp trim win</strong>: data trimed to window\r
+<strong>port_scan_global.packets</strong>: total packets\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_reputation">reputation</h3>\r
+<div class="paragraph"><p>What: reputation inspection</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>normalizer.test tcp trim win</strong>: test data trimed to window\r
+string <strong>reputation.blacklist</strong>: blacklist file name with ip lists\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp trim mss</strong>: data trimmed to MSS\r
+int <strong>reputation.memcap</strong> = 500: maximum total memory allocated { 1:4095 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test tcp trim mss</strong>: test data trimmed to MSS\r
+enum <strong>reputation.nested_ip</strong> = inner: ip to use when there is IP encapsulation { inner|outer|all }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp ecn session</strong>: ECN bits cleared\r
+enum <strong>reputation.priority</strong> = whitelist: defines priority when there is a decision conflict during run-time { blacklist|whitelist }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test tcp ecn session</strong>: test ECN bits cleared\r
+bool <strong>reputation.scan_local</strong> = false: inspect local address defined in RFC 1918\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp ts nop</strong>: timestamp options cleared\r
+enum <strong>reputation.white</strong> = unblack: specify the meaning of whitelist { unblack|trust }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test tcp ts nop</strong>: test timestamp options cleared\r
+string <strong>reputation.whitelist</strong>: whitelist file name with ip lists\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>normalizer.tcp ips data</strong>: normalized segments\r
+<strong>136:1</strong> (reputation) packets blacklisted\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test tcp ips data</strong>: test normalized segments\r
+<strong>136:2</strong> (reputation) Packets whitelisted\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp block</strong>: blocked segments\r
+<strong>136:3</strong> (reputation) Packets monitored\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>normalizer.test tcp block</strong>: test blocked segments\r
+<strong>reputation.packets</strong>: total packets processed\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_perf_monitor">perf_monitor</h3>\r
-<div class="paragraph"><p>What: performance monitoring and flow statistics collection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>perf_monitor.packets</strong> = 10000: minimum packets to report { 0: }\r
+<strong>reputation.blacklisted</strong>: number of packets blacklisted\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>perf_monitor.seconds</strong> = 60: report interval; 0 means report at exit only { 0: }\r
+<strong>reputation.whitelisted</strong>: number of packets whitelisted\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>perf_monitor.flow_ip_memcap</strong> = 52428800: maximum memory for flow tracking { 8200: }\r
+<strong>reputation.monitored</strong>: number of packets monitored\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>perf_monitor.max_file_size</strong> = 1073741824: files will be rolled over if they exceed this size { 4096: }\r
+<strong>reputation.memory_allocated</strong>: total memory allocated\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
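Review bot: `enum reputation.white = unblack: specify the meaning of whitelist { unblack|trust }` leaves both values undefined, and the difference matters for detection coverage: whether a whitelisted address merely escapes the blacklist or is trusted so that its traffic skips the rest of inspection is exactly what an operator must know before choosing `trust`. Spell out both meanings in the help string, and say how `reputation.priority = whitelist` applies when an address is on both lists. Also state units on the memcaps: `int reputation.memcap = 500 ... { 1:4095 }` and `int port_scan_global.memcap = 1048576 ... { 1: }` read as megabytes and bytes respectively, but neither help string says so, and `reputation.memory_allocated: total memory allocated` is reported in unstated units as well. Trivial: `136:1 (reputation) packets blacklisted` is lower-case while 136:2 and 136:3 start with `Packets`.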
+<div class="sect2">\r
+<h3 id="_rpc_decode">rpc_decode</h3>\r
+<div class="paragraph"><p>What: RPC inspector</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>perf_monitor.flow_ports</strong> = 1023: maximum ports to track { 0: }\r
+<strong>106:1</strong> (rpc_decode) fragmented RPC records\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>perf_monitor.reset</strong> = true: reset (clear) statistics after each reporting interval\r
+<strong>106:2</strong> (rpc_decode) multiple RPC records\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>perf_monitor.max</strong> = false: calculate theoretical maximum performance\r
+<strong>106:3</strong> (rpc_decode) large RPC record fragment\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>perf_monitor.console</strong> = false: output to console\r
+<strong>106:4</strong> (rpc_decode) incomplete RPC segment\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>perf_monitor.events</strong> = false: report on qualified vs non-qualified events\r
+<strong>106:5</strong> (rpc_decode) zero-length RPC fragment\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>perf_monitor.file</strong> = false: output base stats to perf_monitor.csv instead of stdout\r
+<strong>rpc_decode.packets</strong>: total packets\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_sip">sip</h3>\r
+<div class="paragraph"><p>What: sip inspection</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>perf_monitor.flow</strong> = false: enable traffic statistics\r
+bool <strong>sip.ignore_call_channel</strong> = false: enables the support for ignoring audio/video data channel\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>perf_monitor.flow_file</strong> = false: output traffic statistics to a perf_monitor_flow.csv instead of stdout\r
+int <strong>sip.max_call_id_len</strong> = 256: maximum call id field size { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>perf_monitor.flow_ip</strong> = false: enable statistics on host pairs\r
+int <strong>sip.max_contact_len</strong> = 256: maximum contact field size { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>perf_monitor.flow_ip_file</strong> = false: output host pair statistics to perf_monitor_flow_ip.csv instead of stdout\r
+int <strong>sip.max_content_len</strong> = 1024: maximum content length of the message body { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>perf_monitor.modules[].name</strong>: name of the module\r
+int <strong>sip.max_dialogs</strong> = 4: maximum number of dialogs within one stream session { 1:4194303 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>perf_monitor.modules[].pegs[].name</strong>: name of the statistic to track\r
+int <strong>sip.max_from_len</strong> = 256: maximum from field size { 0:65535 }\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>perf_monitor.packets</strong>: total packets\r
+int <strong>sip.max_requestName_len</strong> = 20: maximum request name field size { 0:65535 }\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_pop">pop</h3>\r
-<div class="paragraph"><p>What: pop inspection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>pop.b64_decode_depth</strong> = 1460: base64 decoding depth { -1:65535 }\r
+int <strong>sip.max_sessions</strong> = 10000: maximum number of sessions that can be allocated { 1024:4194303 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>pop.bitenc_decode_depth</strong> = 1460: Non-Encoded MIME attachment extraction depth { -1:65535 }\r
+int <strong>sip.max_to_len</strong> = 256: maximum to field size { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>pop.qp_decode_depth</strong> = 1460: Quoted Printable decoding depth { -1:65535 }\r
+int <strong>sip.max_uri_len</strong> = 256: maximum request uri field size { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>pop.uu_decode_depth</strong> = 1460: Unix-to-Unix decoding depth { -1:65535 }\r
+int <strong>sip.max_via_len</strong> = 1024: maximum via field size { 0:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>sip.methods</strong> = invite cancel ack bye register options: list of methods to check in sip messages\r
</p>\r
</li>\r
</ul></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>142:1</strong> (pop) Unknown POP3 command\r
+<strong>140:1</strong> (sip) Maximum sessions reached\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>142:2</strong> (pop) Unknown POP3 response\r
+<strong>140:2</strong> (sip) Empty request URI\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>142:4</strong> (pop) Base64 Decoding failed.\r
+<strong>140:3</strong> (sip) URI is too long\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>142:5</strong> (pop) Quoted-Printable Decoding failed.\r
+<strong>140:4</strong> (sip) Empty call-Id\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>142:7</strong> (pop) Unix-to-Unix Decoding failed.\r
+<strong>140:5</strong> (sip) Call-Id is too long\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>pop.packets</strong>: total packets processed\r
+<strong>140:6</strong> (sip) CSeq number is too large or negative\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>pop.sessions</strong>: total pop sessions\r
+<strong>140:7</strong> (sip) Request name in CSeq is too long\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>pop.b64 attachments</strong>: total base64 attachments decoded\r
+<strong>140:8</strong> (sip) Empty From header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>pop.b64 decoded bytes</strong>: total base64 decoded bytes\r
+<strong>140:9</strong> (sip) From header is too long\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>pop.qp attachments</strong>: total quoted-printable attachments decoded\r
+<strong>140:10</strong> (sip) Empty To header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>pop.qp decoded bytes</strong>: total quoted-printable decoded bytes\r
+<strong>140:11</strong> (sip) To header is too long\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>pop.uu attachments</strong>: total uu attachments decoded\r
+<strong>140:12</strong> (sip) Empty Via header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>pop.uu decoded bytes</strong>: total uu decoded bytes\r
+<strong>140:13</strong> (sip) Via header is too long\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>pop.non-encoded attachments</strong>: total non-encoded attachments extracted\r
+<strong>140:14</strong> (sip) Empty Contact\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>pop.non-encoded bytes</strong>: total non-encoded extracted bytes\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_port_scan">port_scan</h3>\r
-<div class="paragraph"><p>What: port scan inspector; also configure port_scan_global</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-multi <strong>port_scan.protos</strong> = all: choose the protocols to monitor { tcp | udp | icmp | ip | all }\r
+<strong>140:15</strong> (sip) Contact is too long\r
</p>\r
</li>\r
<li>\r
<p>\r
-multi <strong>port_scan.scan_types</strong> = all: choose type of scans to look for { portscan | portsweep | decoy_portscan | distributed_portscan | all }\r
+<strong>140:16</strong> (sip) Content length is too large or negative\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>port_scan.sense_level</strong> = medium: choose the level of detection { low | medium | high }\r
+<strong>140:17</strong> (sip) Multiple SIP messages in a packet\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>port_scan.watch_ip</strong>: list of CIDRs with optional ports to watch\r
+<strong>140:18</strong> (sip) Content length mismatch\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>port_scan.ignore_scanners</strong>: list of CIDRs with optional ports to ignore if the source of scan alerts\r
+<strong>140:19</strong> (sip) Request name is invalid\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>port_scan.ignore_scanned</strong>: list of CIDRs with optional ports to ignore if the destination of scan alerts\r
+<strong>140:20</strong> (sip) Invite replay attack\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>port_scan.include_midstream</strong> = false: list of CIDRs with optional ports\r
+<strong>140:21</strong> (sip) Illegal session information modification\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>port_scan.logfile</strong> = false: write scan events to file\r
+<strong>140:22</strong> (sip) Response status code is not a 3 digit number\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>122:1</strong> (port_scan) TCP portscan\r
+<strong>140:23</strong> (sip) Empty Content-type header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:2</strong> (port_scan) TCP decoy portscan\r
+<strong>140:24</strong> (sip) SIP version is invalid\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:3</strong> (port_scan) TCP portsweep\r
+<strong>140:25</strong> (sip) Mismatch in METHOD of request and the CSEQ header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:4</strong> (port_scan) TCP distributed portscan\r
+<strong>140:26</strong> (sip) Method is unknown\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:5</strong> (port_scan) TCP filtered portscan\r
+<strong>140:27</strong> (sip) Maximum dialogs within a session reached\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>122:6</strong> (port_scan) TCP filtered decoy portscan\r
+<strong>sip.packets</strong>: total packets\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:7</strong> (port_scan) TCP filtered portsweep\r
+<strong>sip.sessions</strong>: total sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:8</strong> (port_scan) TCP filtered distributed portscan\r
+<strong>sip.events</strong>: events generated\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:9</strong> (port_scan) IP protocol scan\r
+<strong>sip.dialogs</strong>: total dialogs\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:10</strong> (port_scan) IP decoy protocol scan\r
+<strong>sip.ignored channels</strong>: total channels ignored\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:11</strong> (port_scan) IP protocol sweep\r
+<strong>sip.ignored sessions</strong>: total sessions ignored\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:12</strong> (port_scan) IP distributed protocol scan\r
+<strong>sip.total requests</strong>: total requests\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:13</strong> (port_scan) IP filtered protocol scan\r
+<strong>sip.invite</strong>: invite\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:14</strong> (port_scan) IP filtered decoy protocol scan\r
+<strong>sip.cancel</strong>: cancel\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:15</strong> (port_scan) IP filtered protocol sweep\r
+<strong>sip.ack</strong>: ack\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:16</strong> (port_scan) IP filtered distributed protocol scan\r
+<strong>sip.bye</strong>: bye\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:17</strong> (port_scan) UDP portscan\r
+<strong>sip.register</strong>: register\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:18</strong> (port_scan) UDP decoy portscan\r
+<strong>sip.options</strong>: options\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:19</strong> (port_scan) UDP portsweep\r
+<strong>sip.refer</strong>: refer\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:20</strong> (port_scan) UDP distributed portscan\r
+<strong>sip.subscribe</strong>: subscribe\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:21</strong> (port_scan) UDP filtered portscan\r
+<strong>sip.update</strong>: update\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:22</strong> (port_scan) UDP filtered decoy portscan\r
+<strong>sip.join</strong>: join\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:23</strong> (port_scan) UDP filtered portsweep\r
+<strong>sip.info</strong>: info\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:24</strong> (port_scan) UDP filtered distributed portscan\r
+<strong>sip.message</strong>: message\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:25</strong> (port_scan) ICMP sweep\r
+<strong>sip.notify</strong>: notify\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:26</strong> (port_scan) ICMP filtered sweep\r
+<strong>sip.prack</strong>: prack\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:27</strong> (port_scan) open port\r
+<strong>sip.total responses</strong>: total responses\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_port_scan_global">port_scan_global</h3>\r
-<div class="paragraph"><p>What: shared settings for port_scan inspectors for use with port_scan</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>port_scan_global.memcap</strong> = 1048576: maximum tracker memory { 1: }\r
+<strong>sip.1xx</strong>: 1xx\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>port_scan_global.packets</strong>: total packets\r
+<strong>sip.2xx</strong>: 2xx\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_reputation">reputation</h3>\r
-<div class="paragraph"><p>What: reputation inspection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>reputation.blacklist</strong>: blacklist file name with ip lists\r
+<strong>sip.3xx</strong>: 3xx\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>reputation.memcap</strong> = 500: maximum total memory allocated { 1:4095 }\r
+<strong>sip.4xx</strong>: 4xx\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>reputation.nested_ip</strong> = inner: ip to use when there is IP encapsulation { inner|outer|all }\r
+<strong>sip.5xx</strong>: 5xx\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>reputation.priority</strong> = whitelist: defines priority when there is a decision conflict during run-time { blacklist|whitelist }\r
+<strong>sip.6xx</strong>: 6xx\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>reputation.scan_local</strong> = false: inspect local address defined in RFC 1918\r
+<strong>sip.7xx</strong>: 7xx\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>reputation.white</strong> = unblack: specify the meaning of whitelist { unblack|trust }\r
+<strong>sip.8xx</strong>: 8xx\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>reputation.whitelist</strong>: whitelist file name with ip lists\r
+<strong>sip.9xx</strong>: 9xx\r
</p>\r
</li>\r
</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
+</div>\r
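Review bot: the new sip section has no `Rules:` heading: the configuration list ends with `string sip.methods = invite cancel ack bye register options: list of methods to check in sip messages` and `</ul></div>`, and the next `<div class="ulist"><ul>` starts directly with `140:1 (sip) Maximum sessions reached`, so the 27 alerts render as a continuation of the configuration list; port_scan and reputation in this same diff carry `<div class="paragraph"><p>Rules:</p></div>` before their rules and sip should too. Two smaller points in the same section: `int sip.max_requestName_len = 20` is the only camel-cased option name on the page (every other option is snake_case, e.g. `max_call_id_len`, `max_content_len`), and the peg list counts `sip.7xx`, `sip.8xx` and `sip.9xx` although RFC 3261 defines only response classes 1xx through 6xx; if those pegs exist to count out-of-range status codes, a help string saying so would pre-empt the question.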
+<div class="sect2">\r
+<h3 id="_smtp">smtp</h3>\r
+<div class="paragraph"><p>What: smtp inspection</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>136:1</strong> (reputation) packets blacklisted\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>136:2</strong> (reputation) Packets whitelisted\r
+string <strong>smtp.alt_max_command_line_len[].command</strong>: command string\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>136:3</strong> (reputation) Packets monitored\r
+int <strong>smtp.alt_max_command_line_len[].length</strong> = 0: specify non-default maximum for command { 0: }\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>reputation.packets</strong>: total packets processed\r
+string <strong>smtp.auth_cmds</strong>: commands that initiate an authentication exchange\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>reputation.blacklisted</strong>: number of packets blacklisted\r
+string <strong>smtp.binary_data_cmds</strong>: commands that initiate sending of data and use a length value after the command\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>reputation.whitelisted</strong>: number of packets whitelisted\r
+int <strong>smtp.bitenc_decode_depth</strong> = 25: depth used to extract the non-encoded MIME attachments { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>reputation.monitored</strong>: number of packets monitored\r
+int <strong>smtp.b64_decode_depth</strong> = 25: depth used to decode the base64 encoded MIME attachments { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>reputation.memory_allocated</strong>: total memory allocated\r
+string <strong>smtp.data_cmds</strong>: commands that initiate sending of data with an end of data delimiter\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_rpc_decode">rpc_decode</h3>\r
-<div class="paragraph"><p>What: RPC inspector</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>106:1</strong> (rpc_decode) fragmented RPC records\r
+int <strong>smtp.email_hdrs_log_depth</strong> = 1464: depth for logging email headers { 0:20480 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>106:2</strong> (rpc_decode) multiple RPC records\r
+bool <strong>smtp.ignore_data</strong> = false: ignore data section of mail\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>106:3</strong> (rpc_decode) large RPC record fragment\r
+bool <strong>smtp.ignore_tls_data</strong> = false: ignore TLS-encrypted data when processing rules\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>106:4</strong> (rpc_decode) incomplete RPC segment\r
+string <strong>smtp.invalid_cmds</strong>: alert if this command is sent from client side\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>106:5</strong> (rpc_decode) zero-length RPC fragment\r
+bool <strong>smtp.log_email_hdrs</strong> = false: log the SMTP email headers extracted from SMTP data\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>rpc_decode.packets</strong>: total packets\r
+bool <strong>smtp.log_filename</strong> = false: log the MIME attachment filenames extracted from the Content-Disposition header within the MIME body\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_sip">sip</h3>\r
-<div class="paragraph"><p>What: sip inspection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>sip.ignore_call_channel</strong> = false: enables the support for ignoring audio/video data channel\r
+bool <strong>smtp.log_mailfrom</strong> = false: log the sender’s email address extracted from the MAIL FROM command\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>sip.max_call_id_len</strong> = 256: maximum call id field size { 0:65535 }\r
+bool <strong>smtp.log_rcptto</strong> = false: log the recipient’s email address extracted from the RCPT TO command\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>sip.max_contact_len</strong> = 256: maximum contact field size { 0:65535 }\r
+int <strong>smtp.max_auth_command_line_len</strong> = 1000: max auth command Line Length { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>sip.max_content_len</strong> = 1024: maximum content length of the message body { 0:65535 }\r
+int <strong>smtp.max_command_line_len</strong> = 0: max Command Line Length { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>sip.max_dialogs</strong> = 4: maximum number of dialogs within one stream session { 1:4194303 }\r
+int <strong>smtp.max_header_line_len</strong> = 0: max SMTP DATA header line { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>sip.max_from_len</strong> = 256: maximum from field size { 0:65535 }\r
+int <strong>smtp.max_response_line_len</strong> = 0: max SMTP response line { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>sip.max_requestName_len</strong> = 20: maximum request name field size { 0:65535 }\r
+enum <strong>smtp.normalize</strong> = none: turns on/off normalization { none | cmds | all }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>sip.max_sessions</strong> = 10000: maximum number of sessions that can be allocated { 1024:4194303 }\r
+string <strong>smtp.normalize_cmds</strong>: list of commands to normalize\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>sip.max_to_len</strong> = 256: maximum to field size { 0:65535 }\r
+int <strong>smtp.qp_decode_depth</strong> = 25: quoted-Printable decoding depth { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>sip.max_uri_len</strong> = 256: maximum request uri field size { 0:65535 }\r
+int <strong>smtp.uu_decode_depth</strong> = 25: unix-to-Unix decoding depth { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>sip.max_via_len</strong> = 1024: maximum via field size { 0:65535 }\r
+string <strong>smtp.valid_cmds</strong>: list of valid commands\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>sip.methods</strong> = invite cancel ack bye register options: list of methods to check in sip messages\r
+enum <strong>smtp.xlink2state</strong> = alert: enable/disable xlink2state alert { disable | alert | drop }\r
</p>\r
</li>\r
</ul></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>140:1</strong> (sip) Maximum sessions reached\r
+<strong>124:1</strong> (smtp) Attempted command buffer overflow\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:2</strong> (sip) Empty request URI\r
+<strong>124:2</strong> (smtp) Attempted data header buffer overflow\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:3</strong> (sip) URI is too long\r
+<strong>124:3</strong> (smtp) Attempted response buffer overflow\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:4</strong> (sip) Empty call-Id\r
+<strong>124:4</strong> (smtp) Attempted specific command buffer overflow\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:5</strong> (sip) Call-Id is too long\r
+<strong>124:5</strong> (smtp) Unknown command\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:6</strong> (sip) CSeq number is too large or negative\r
+<strong>124:6</strong> (smtp) Illegal command\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:7</strong> (sip) Request name in CSeq is too long\r
+<strong>124:7</strong> (smtp) Attempted header name buffer overflow\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:8</strong> (sip) Empty From header\r
+<strong>124:8</strong> (smtp) Attempted X-Link2State command buffer overflow\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:9</strong> (sip) From header is too long\r
+<strong>124:10</strong> (smtp) Base64 Decoding failed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:10</strong> (sip) Empty To header\r
+<strong>124:11</strong> (smtp) Quoted-Printable Decoding failed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:11</strong> (sip) To header is too long\r
+<strong>124:13</strong> (smtp) Unix-to-Unix Decoding failed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:12</strong> (sip) Empty Via header\r
+<strong>124:14</strong> (smtp) Cyrus SASL authentication attack\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:13</strong> (sip) Via header is too long\r
+<strong>124:15</strong> (smtp) Attempted authentication command buffer overflow\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>140:14</strong> (sip) Empty Contact\r
+<strong>smtp.packets</strong>: total packets processed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:15</strong> (sip) Contact is too long\r
+<strong>smtp.sessions</strong>: total smtp sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:16</strong> (sip) Content length is too large or negative\r
+<strong>smtp.concurrent sessions</strong>: total concurrent smtp sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:17</strong> (sip) Multiple SIP messages in a packet\r
+<strong>smtp.max concurrent sessions</strong>: maximum concurrent smtp sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:18</strong> (sip) Content length mismatch\r
+<strong>smtp.b64 attachments</strong>: total base64 attachments decoded\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:19</strong> (sip) Request name is invalid\r
+<strong>smtp.b64 decoded bytes</strong>: total base64 decoded bytes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:20</strong> (sip) Invite replay attack\r
+<strong>smtp.qp attachments</strong>: total quoted-printable attachments decoded\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:21</strong> (sip) Illegal session information modification\r
+<strong>smtp.qp decoded bytes</strong>: total quoted-printable decoded bytes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:22</strong> (sip) Response status code is not a 3 digit number\r
+<strong>smtp.uu attachments</strong>: total uu attachments decoded\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:23</strong> (sip) Empty Content-type header\r
+<strong>smtp.uu decoded bytes</strong>: total uu decoded bytes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:24</strong> (sip) SIP version is invalid\r
+<strong>smtp.non-encoded attachments</strong>: total non-encoded attachments extracted\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:25</strong> (sip) Mismatch in METHOD of request and the CSEQ header\r
+<strong>smtp.non-encoded bytes</strong>: total non-encoded extracted bytes\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_ssh">ssh</h3>\r
+<div class="paragraph"><p>What: ssh inspection</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>140:26</strong> (sip) Method is unknown\r
+int <strong>ssh.max_encrypted_packets</strong> = 25: ignore session after this many encrypted packets { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:27</strong> (sip) Maximum dialogs within a session reached\r
+int <strong>ssh.max_client_bytes</strong> = 19600: number of unanswered bytes before alerting on challenge-response overflow or CRC32 { 0:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>ssh.max_server_version_len</strong> = 80: limit before alerting on secure CRT server version string overflow { 0:255 }\r
</p>\r
</li>\r
</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>sip.packets</strong>: total packets\r
+<strong>128:1</strong> (ssh) Challenge-Response Overflow exploit\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.sessions</strong>: total sessions\r
+<strong>128:2</strong> (ssh) SSH1 CRC32 exploit\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.events</strong>: events generated\r
+<strong>128:3</strong> (ssh) Server version string overflow\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.dialogs</strong>: total dialogs\r
+<strong>128:5</strong> (ssh) Bad message direction\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.ignored channels</strong>: total channels ignored\r
+<strong>128:6</strong> (ssh) Payload size incorrect for the given payload\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.ignored sessions</strong>: total sessions ignored\r
+<strong>128:7</strong> (ssh) Failed to detect SSH version string\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>sip.total requests</strong>: total requests\r
+<strong>ssh.packets</strong>: total packets\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_ssl">ssl</h3>\r
+<div class="paragraph"><p>What: ssl inspection</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>sip.invite</strong>: invite\r
+bool <strong>ssl.trust_servers</strong> = false: disables requirement that application (encrypted) data must be observed on both sides\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.cancel</strong>: cancel\r
+int <strong>ssl.max_heartbeat_length</strong> = 0: maximum length of heartbeat record allowed { 0:65535 }\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>sip.ack</strong>: ack\r
+<strong>137:1</strong> (ssl) Invalid Client HELLO after Server HELLO Detected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.bye</strong>: bye\r
+<strong>137:2</strong> (ssl) Invalid Server HELLO without Client HELLO Detected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.register</strong>: register\r
+<strong>137:3</strong> (ssl) Heartbeat Read Overrun Attempt Detected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.options</strong>: options\r
+<strong>137:4</strong> (ssl) Large Heartbeat Response Detected\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>sip.refer</strong>: refer\r
+<strong>ssl.packets</strong>: total packets processed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.subscribe</strong>: subscribe\r
+<strong>ssl.decoded</strong>: ssl packets decoded\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.update</strong>: update\r
+<strong>ssl.client hello</strong>: total client hellos\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.join</strong>: join\r
+<strong>ssl.server hello</strong>: total server hellos\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.info</strong>: info\r
+<strong>ssl.certificate</strong>: total ssl certificates\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.message</strong>: message\r
+<strong>ssl.server done</strong>: total server done\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.notify</strong>: notify\r
+<strong>ssl.client key exchange</strong>: total client key exchanges\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.prack</strong>: prack\r
+<strong>ssl.server key exchange</strong>: total server key exchanges\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.total responses</strong>: total responses\r
+<strong>ssl.change cipher</strong>: total change cipher records\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.1xx</strong>: 1xx\r
+<strong>ssl.finished</strong>: total handshakes finished\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.2xx</strong>: 2xx\r
+<strong>ssl.client application</strong>: total client application records\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.3xx</strong>: 3xx\r
+<strong>ssl.server application</strong>: total server application records\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.4xx</strong>: 4xx\r
+<strong>ssl.alert</strong>: total ssl alert records\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.5xx</strong>: 5xx\r
+<strong>ssl.unrecognized records</strong>: total unrecognized records\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.6xx</strong>: 6xx\r
+<strong>ssl.handshakes completed</strong>: total completed ssl handshakes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.7xx</strong>: 7xx\r
+<strong>ssl.bad handshakes</strong>: total bad handshakes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.8xx</strong>: 8xx\r
+<strong>ssl.sessions ignored</strong>: total sessions ignore\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.9xx</strong>: 9xx\r
+<strong>ssl.detection disabled</strong>: total detection disabled\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_smtp">smtp</h3>\r
-<div class="paragraph"><p>What: smtp inspection</p></div>\r
+<h3 id="_stream">stream</h3>\r
+<div class="paragraph"><p>What: common flow tracking</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>smtp.alt_max_command_line_len[].command</strong>: command string\r
+int <strong>stream.ip_cache.max_sessions</strong> = 16384: maximum simultaneous sessions tracked before pruning { 2: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.alt_max_command_line_len[].length</strong> = 0: specify non-default maximum for command { 0: }\r
+int <strong>stream.ip_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>smtp.auth_cmds</strong>: commands that initiate an authentication exchange\r
+int <strong>stream.ip_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>smtp.binary_data_cmds</strong>: commands that initiate sending of data and use a length value after the command\r
+int <strong>stream.ip_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.bitenc_decode_depth</strong> = 25: depth used to extract the non-encoded MIME attachments { -1:65535 }\r
+int <strong>stream.icmp_cache.max_sessions</strong> = 32768: maximum simultaneous sessions tracked before pruning { 2: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.b64_decode_depth</strong> = 25: depth used to decode the base64 encoded MIME attachments { -1:65535 }\r
+int <strong>stream.icmp_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>smtp.data_cmds</strong>: commands that initiate sending of data with an end of data delimiter\r
+int <strong>stream.icmp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.email_hdrs_log_depth</strong> = 1464: depth for logging email headers { 0:20480 }\r
+int <strong>stream.icmp_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>smtp.ignore_data</strong> = false: ignore data section of mail\r
+int <strong>stream.tcp_cache.max_sessions</strong> = 131072: maximum simultaneous sessions tracked before pruning { 2: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>smtp.ignore_tls_data</strong> = false: ignore TLS-encrypted data when processing rules\r
+int <strong>stream.tcp_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>smtp.invalid_cmds</strong>: alert if this command is sent from client side\r
+int <strong>stream.tcp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>smtp.log_email_hdrs</strong> = false: log the SMTP email headers extracted from SMTP data\r
+int <strong>stream.tcp_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>smtp.log_filename</strong> = false: log the MIME attachment filenames extracted from the Content-Disposition header within the MIME body\r
+int <strong>stream.udp_cache.max_sessions</strong> = 65536: maximum simultaneous sessions tracked before pruning { 2: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>smtp.log_mailfrom</strong> = false: log the sender’s email address extracted from the MAIL FROM command\r
+int <strong>stream.udp_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>smtp.log_rcptto</strong> = false: log the recipient’s email address extracted from the RCPT TO command\r
+int <strong>stream.udp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.max_command_line_len</strong> = 0: max Command Line Length { 0:65535 }\r
+int <strong>stream.udp_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.max_header_line_len</strong> = 0: max SMTP DATA header line { 0:65535 }\r
+int <strong>stream.user_cache.max_sessions</strong> = 1024: maximum simultaneous sessions tracked before pruning { 2: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.max_response_line_len</strong> = 0: max SMTP response line { 0:65535 }\r
+int <strong>stream.user_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>smtp.normalize</strong> = none: turns on/off normalization { none | cmds | all }\r
+int <strong>stream.user_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>smtp.normalize_cmds</strong>: list of commands to normalize\r
+int <strong>stream.user_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.qp_decode_depth</strong> = 25: quoted-Printable decoding depth { -1:65535 }\r
+int <strong>stream.file_cache.max_sessions</strong> = 128: maximum simultaneous sessions tracked before pruning { 2: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.uu_decode_depth</strong> = 25: unix-to-Unix decoding depth { -1:65535 }\r
+int <strong>stream.file_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>smtp.valid_cmds</strong>: list of valid commands\r
+int <strong>stream.file_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>smtp.xlink2state</strong> = alert: enable/disable xlink2state alert { disable | alert | drop }\r
+int <strong>stream.file_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }\r
</p>\r
</li>\r
</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>124:1</strong> (smtp) Attempted command buffer overflow\r
+<strong>stream.ip flows</strong>: total ip sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:2</strong> (smtp) Attempted data header buffer overflow\r
+<strong>stream.ip total prunes</strong>: total ip sessions pruned\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:3</strong> (smtp) Attempted response buffer overflow\r
+<strong>stream.ip timeout prunes</strong>: ip sessions pruned due to timeout\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:4</strong> (smtp) Attempted specific command buffer overflow\r
+<strong>stream.ip excess prunes</strong>: ip sessions pruned due to excess\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:5</strong> (smtp) Unknown command\r
+<strong>stream.ip uni prunes</strong>: ip uni sessions pruned\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:6</strong> (smtp) Illegal command\r
+<strong>stream.ip preemptive prunes</strong>: ip sessions pruned during preemptive pruning\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:7</strong> (smtp) Attempted header name buffer overflow\r
+<strong>stream.ip memcap prunes</strong>: ip sessions pruned due to memcap\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:8</strong> (smtp) Attempted X-Link2State command buffer overflow\r
+<strong>stream.ip user prunes</strong>: ip sessions pruned for other reasons\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:10</strong> (smtp) Base64 Decoding failed.\r
+<strong>stream.icmp flows</strong>: total icmp sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:11</strong> (smtp) Quoted-Printable Decoding failed.\r
+<strong>stream.icmp total prunes</strong>: total icmp sessions pruned\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:13</strong> (smtp) Unix-to-Unix Decoding failed.\r
+<strong>stream.icmp timeout prunes</strong>: icmp sessions pruned due to timeout\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:14</strong> (smtp) Cyrus SASL authentication attack.\r
+<strong>stream.icmp excess prunes</strong>: icmp sessions pruned due to excess\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>smtp.packets</strong>: total packets processed\r
+<strong>stream.icmp uni prunes</strong>: icmp uni sessions pruned\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.sessions</strong>: total smtp sessions\r
+<strong>stream.icmp preemptive prunes</strong>: icmp sessions pruned during preemptive pruning\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.concurrent sessions</strong>: total concurrent smtp sessions\r
+<strong>stream.icmp memcap prunes</strong>: icmp sessions pruned due to memcap\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.max concurrent sessions</strong>: maximum concurrent smtp sessions\r
+<strong>stream.icmp user prunes</strong>: icmp sessions pruned for other reasons\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.b64 attachments</strong>: total base64 attachments decoded\r
+<strong>stream.tcp flows</strong>: total tcp sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.b64 decoded bytes</strong>: total base64 decoded bytes\r
+<strong>stream.tcp total prunes</strong>: total tcp sessions pruned\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.qp attachments</strong>: total quoted-printable attachments decoded\r
+<strong>stream.tcp timeout prunes</strong>: tcp sessions pruned due to timeout\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.qp decoded bytes</strong>: total quoted-printable decoded bytes\r
+<strong>stream.tcp excess prunes</strong>: tcp sessions pruned due to excess\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.uu attachments</strong>: total uu attachments decoded\r
+<strong>stream.tcp uni prunes</strong>: tcp uni sessions pruned\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.uu decoded bytes</strong>: total uu decoded bytes\r
+<strong>stream.tcp preemptive prunes</strong>: tcp sessions pruned during preemptive pruning\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.non-encoded attachments</strong>: total non-encoded attachments extracted\r
+<strong>stream.tcp memcap prunes</strong>: tcp sessions pruned due to memcap\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.non-encoded bytes</strong>: total non-encoded extracted bytes\r
+<strong>stream.tcp user prunes</strong>: tcp sessions pruned for other reasons\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_ssh">ssh</h3>\r
-<div class="paragraph"><p>What: ssh inspection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>ssh.max_encrypted_packets</strong> = 25: ignore session after this many encrypted packets { 0:65535 }\r
+<strong>stream.udp flows</strong>: total udp sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>ssh.max_client_bytes</strong> = 19600: number of unanswered bytes before alerting on challenge-response overflow or CRC32 { 0:65535 }\r
+<strong>stream.udp total prunes</strong>: total udp sessions pruned\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>ssh.max_server_version_len</strong> = 80: limit before alerting on secure CRT server version string overflow { 0:255 }\r
+<strong>stream.udp timeout prunes</strong>: udp sessions pruned due to timeout\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>128:1</strong> (ssh) Challenge-Response Overflow exploit\r
+<strong>stream.udp excess prunes</strong>: udp sessions pruned due to excess\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>128:2</strong> (ssh) SSH1 CRC32 exploit\r
+<strong>stream.udp uni prunes</strong>: udp uni sessions pruned\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>128:3</strong> (ssh) Server version string overflow\r
+<strong>stream.udp preemptive prunes</strong>: udp sessions pruned during preemptive pruning\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>128:5</strong> (ssh) Bad message direction\r
+<strong>stream.udp memcap prunes</strong>: udp sessions pruned due to memcap\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>128:6</strong> (ssh) Payload size incorrect for the given payload\r
+<strong>stream.udp user prunes</strong>: udp sessions pruned for other reasons\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>128:7</strong> (ssh) Failed to detect SSH version string\r
+<strong>stream.user flows</strong>: total user sessions\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>ssh.packets</strong>: total packets\r
+<strong>stream.user total prunes</strong>: total user sessions pruned\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_ssl">ssl</h3>\r
-<div class="paragraph"><p>What: ssl inspection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>ssl.trust_servers</strong> = false: disables requirement that application (encrypted) data must be observed on both sides\r
+<strong>stream.user timeout prunes</strong>: user sessions pruned due to timeout\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>ssl.max_heartbeat_length</strong> = 0: maximum length of heartbeat record allowed { 0:65535 }\r
+<strong>stream.user excess prunes</strong>: user sessions pruned due to excess\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>137:1</strong> (ssl) Invalid Client HELLO after Server HELLO Detected\r
+<strong>stream.user uni prunes</strong>: user uni sessions pruned\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>137:2</strong> (ssl) Invalid Server HELLO without Client HELLO Detected\r
+<strong>stream.user preemptive prunes</strong>: user sessions pruned during preemptive pruning\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>137:3</strong> (ssl) Heartbeat Read Overrun Attempt Detected\r
+<strong>stream.user memcap prunes</strong>: user sessions pruned due to memcap\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>137:4</strong> (ssl) Large Heartbeat Response Detected\r
+<strong>stream.user user prunes</strong>: user sessions pruned for other reasons\r
</p>\r
</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>ssl.packets</strong>: total packets processed\r
+<strong>stream.file flows</strong>: total file sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.decoded</strong>: ssl packets decoded\r
+<strong>stream.file total prunes</strong>: total file sessions pruned\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.client hello</strong>: total client hellos\r
+<strong>stream.file timeout prunes</strong>: file sessions pruned due to timeout\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.server hello</strong>: total server hellos\r
+<strong>stream.file excess prunes</strong>: file sessions pruned due to excess\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.certificate</strong>: total ssl certificates\r
+<strong>stream.file uni prunes</strong>: file uni sessions pruned\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.server done</strong>: total server done\r
+<strong>stream.file preemptive prunes</strong>: file sessions pruned during preemptive pruning\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.client key exchange</strong>: total client key exchanges\r
+<strong>stream.file memcap prunes</strong>: file sessions pruned due to memcap\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.server key exchange</strong>: total server key exchanges\r
+<strong>stream.file user prunes</strong>: file sessions pruned for other reasons\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_stream_file">stream_file</h3>\r
+<div class="paragraph"><p>What: stream inspector for file flow tracking and processing</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>ssl.change cipher</strong>: total change cipher records\r
+bool <strong>stream_file.upload</strong> = false: indicate file transfer direction\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_stream_icmp">stream_icmp</h3>\r
+<div class="paragraph"><p>What: stream inspector for ICMP flow tracking</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>ssl.finished</strong>: total handshakes finished\r
+int <strong>stream_icmp.session_timeout</strong> = 30: session tracking timeout { 1:86400 }\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>ssl.client application</strong>: total client application records\r
+<strong>stream_icmp.sessions</strong>: total icmp sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.server application</strong>: total server application records\r
+<strong>stream_icmp.max</strong>: max icmp sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.alert</strong>: total ssl alert records\r
+<strong>stream_icmp.created</strong>: icmp session trackers created\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.unrecognized records</strong>: total unrecognized records\r
+<strong>stream_icmp.released</strong>: icmp session trackers released\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.handshakes completed</strong>: total completed ssl handshakes\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.bad handshakes</strong>: total bad handshakes\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.sessions ignored</strong>: total sessions ignore\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.detection disabled</strong>: total detection disabled\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_stream">stream</h3>\r
-<div class="paragraph"><p>What: common flow tracking</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>stream.ip_cache.max_sessions</strong> = 16384: maximum simultaneous sessions tracked before pruning { 1: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.ip_cache.memcap</strong> = 23920640: maximum cache memory before pruning (0 is unlimited) { 0: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.ip_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.ip_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.icmp_cache.max_sessions</strong> = 32768: maximum simultaneous sessions tracked before pruning { 1: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.icmp_cache.memcap</strong> = 1048576: maximum cache memory before pruning (0 is unlimited) { 0: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.icmp_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.icmp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.tcp_cache.max_sessions</strong> = 131072: maximum simultaneous sessions tracked before pruning { 1: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.tcp_cache.memcap</strong> = 268435456: maximum cache memory before pruning (0 is unlimited) { 0: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.tcp_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.tcp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.udp_cache.max_sessions</strong> = 65536: maximum simultaneous sessions tracked before pruning { 1: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.udp_cache.memcap</strong> = 0: maximum cache memory before pruning (0 is unlimited) { 0: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.udp_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.udp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.user_cache.max_sessions</strong> = 1024: maximum simultaneous sessions tracked before pruning { 1: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.user_cache.memcap</strong> = 1048576: maximum cache memory before pruning (0 is unlimited) { 0: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.user_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.user_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.file_cache.max_sessions</strong> = 128: maximum simultaneous sessions tracked before pruning { 1: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.file_cache.memcap</strong> = 0: maximum cache memory before pruning (0 is unlimited) { 0: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.file_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.file_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>stream.ip flows</strong>: total ip sessions\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.ip prunes</strong>: ip sessions pruned\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.icmp flows</strong>: total icmp sessions\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.icmp prunes</strong>: icmp sessions pruned\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.tcp flows</strong>: total tcp sessions\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.tcp prunes</strong>: tcp sessions pruned\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.udp flows</strong>: total udp sessions\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.udp prunes</strong>: udp sessions pruned\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.user flows</strong>: total user sessions\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.user prunes</strong>: user sessions pruned\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.file flows</strong>: total file sessions\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.file prunes</strong>: file sessions pruned\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_stream_file">stream_file</h3>\r
-<div class="paragraph"><p>What: stream inspector for file flow tracking and processing</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-bool <strong>stream_file.upload</strong> = false: indicate file transfer direction\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_stream_icmp">stream_icmp</h3>\r
-<div class="paragraph"><p>What: stream inspector for ICMP flow tracking</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>stream_icmp.session_timeout</strong> = 30: session tracking timeout { 1:86400 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>stream_icmp.sessions</strong>: total icmp sessions\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_icmp.max</strong>: max icmp sessions\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_icmp.created</strong>: icmp session trackers created\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_icmp.released</strong>: icmp session trackers released\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_icmp.timeouts</strong>: icmp session timeouts\r
+<strong>stream_icmp.timeouts</strong>: icmp session timeouts\r
</p>\r
</li>\r
<li>\r
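Review bot: this hunk drops the whole `stream` inspector section (the ip/icmp/tcp/udp/user/file cache `max_sessions`, `memcap`, `pruning_timeout` and `idle_timeout` entries with their defaults) plus `stream_file.upload` and `stream_icmp.session_timeout`, while the only `+` lines are the `stream_icmp` peg counts that reappear at the top of the hunk and a `stream_icmp.timeouts` line that is identical on both sides. If these sections were moved rather than removed, the hunk should show the destination or the commit message should say so; if the per-protocol cache settings were really dropped from the manual, a replacement section is needed, because the memcaps and pruning timeouts are what bound tracker memory under a session flood and are the first knobs an operator tunes. The `ssl.*` peg counts (`handshakes completed`, `bad handshakes`, `sessions ignored`, `detection disabled`) are likewise deleted with no counterpart in this hunk.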
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.memory faults</strong>: memory faults\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>stream_ip.frag timeouts</strong>: datagrams abandoned\r
</p>\r
</li>\r
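Review bot: `stream_ip.memory faults` is removed without a replacement counter, leaving `stream_ip.frag timeouts` as the only peg visible in this hunk. If the counter was renamed, add the new name here; if memcap-driven pruning is no longer counted for the IP defragmenter, state where that condition is now visible, since silently dropping the fault counter removes the one signal that reassembly hit its memory limit.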
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.faults</strong>: number of times a new segment triggered a prune\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>stream_tcp.memory</strong>: current memory in use\r
</p>\r
</li>\r
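Review bot: same concern for `stream_tcp.faults` ("number of times a new segment triggered a prune"). After this hunk `stream_tcp.memory` still reports the current level, but nothing in the visible list reports how often a prune was forced, so a memcap sized too small becomes hard to diagnose from peg counts alone; either keep a prune counter under its new name or document the replacement.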
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>ack.~range</strong>: check if packet payload size is <em>size | min<>max | <max | >min</em>\r
+string <strong>ack.~range</strong>: check if tcp ack value is <em>value | min<>max | <max | >min</em>\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_asn1">asn1</h3>\r
-<div class="paragraph"><p>What: rule option for asn1 detection</p></div>\r
+<h3 id="_appids">appids</h3>\r
+<div class="paragraph"><p>What: detection option for application ids</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>asn1.bitstring_overflow</strong>: Detects invalid bitstring encodings that are known to be remotely exploitable.\r
+string <strong>appids.~</strong>: appid option\r
</p>\r
</li>\r
-<li>\r
-<p>\r
-implied <strong>asn1.double_overflow</strong>: Detects a double ASCII encoding that is larger than a standard buffer.\r
-</p>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_asn1">asn1</h3>\r
+<div class="paragraph"><p>What: rule option for asn1 detection</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+implied <strong>asn1.bitstring_overflow</strong>: Detects invalid bitstring encodings that are known to be remotely exploitable.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>asn1.double_overflow</strong>: Detects a double ASCII encoding that is larger than a standard buffer.\r
+</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>asn1.print</strong>: <>max | <max | >min\r
+implied <strong>asn1.print</strong>: dump decode data to console; always true\r
</p>\r
</li>\r
<li>\r
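Review bot: the new `appids.~` entry ("appid option") does not say what the argument is, unlike the other `~` options in this file such as `dce_opnum.~` ("match given dcerpc operation number, range or list") or `file_type.~` ("list of file type IDs to match"). Suggest wording that names the accepted form, e.g. "list of application names to match" if that is what the parser accepts, so rule writers know whether names, numeric ids or lists are valid. The `ack.~range` and `asn1.print` description changes in this hunk look right: both replace copy-pasted `dsize` text with what the option actually tests.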
</li>\r
<li>\r
<p>\r
-string <strong>content.depth</strong>: var or maximum number of bytes to search from beginning of buffer\r
+string <strong>content.depth</strong>: var or maximum number of bytes to search from beginning of buffer\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>content.distance</strong>: var or number of bytes from cursor to start search\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>content.within</strong>: var or maximum number of bytes to search from cursor\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_cvs">cvs</h3>\r
+<div class="paragraph"><p>What: payload rule option for detecting specific attacks</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+implied <strong>cvs.invalid-entry</strong>: looks for an invalid Entry string\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_dce_iface">dce_iface</h3>\r
+<div class="paragraph"><p>What: detection option to check dcerpc interface</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+string <strong>dce_iface.uuid</strong>: match given dcerpc uuid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>dce_iface.version</strong>: interface version\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>dce_iface.any_frag</strong>: match on any fragment\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_dce_opnum">dce_opnum</h3>\r
+<div class="paragraph"><p>What: detection option to check dcerpc operation number</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+string <strong>dce_opnum.~</strong>: match given dcerpc operation number, range or list\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_dce_stub_data">dce_stub_data</h3>\r
+<div class="paragraph"><p>What: sets the cursor to dcerpc stub data</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_detection_filter">detection_filter</h3>\r
+<div class="paragraph"><p>What: rule option to require multiple hits before a rule generates an event</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+enum <strong>detection_filter.track</strong>: track hits by source or destination IP address { by_src | by_dst }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>detection_filter.count</strong>: hits in interval before allowing the rule to fire { 1: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>detection_filter.seconds</strong>: length of interval to count hits { 1: }\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_dnp3_data">dnp3_data</h3>\r
+<div class="paragraph"><p>What: sets the cursor to dnp3 data</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_dnp3_func">dnp3_func</h3>\r
+<div class="paragraph"><p>What: detection option to check dnp3 function code</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+string <strong>dnp3_func.~</strong>: match dnp3 function code or name\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_dnp3_ind">dnp3_ind</h3>\r
+<div class="paragraph"><p>What: detection option to check dnp3 indicator flags</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+string <strong>dnp3_ind.~</strong>: match given dnp3 indicator flags\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_dnp3_obj">dnp3_obj</h3>\r
+<div class="paragraph"><p>What: detection option to check dnp3 object headers</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+int <strong>dnp3_obj.group</strong> = 0: match given dnp3 object header group { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>dnp3_obj.var</strong> = 0: match given dnp3 object header var { 0:255 }\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_dsize">dsize</h3>\r
+<div class="paragraph"><p>What: rule option to test payload size</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+string <strong>dsize.~range</strong>: check if packet payload size is <em>size | min<>max | <max | >min</em>\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_file_data">file_data</h3>\r
+<div class="paragraph"><p>What: rule option to set detection cursor to file data</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_file_type">file_type</h3>\r
+<div class="paragraph"><p>What: rule option to check file type</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+string <strong>file_type.~</strong>: list of file type IDs to match\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_flags">flags</h3>\r
+<div class="paragraph"><p>What: rule option to test TCP control flags</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+string <strong>flags.~test_flags</strong>: these flags are tested\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>flags.~mask_flags</strong>: these flags are don’t cares\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_flow">flow</h3>\r
+<div class="paragraph"><p>What: rule option to check session properties</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+implied <strong>flow.to_client</strong>: match on server responses\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>flow.to_server</strong>: match on client requests\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>flow.from_client</strong>: same as to_server\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>flow.from_server</strong>: same as to_client\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>flow.established</strong>: match only during data transfer phase\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>flow.not_established</strong>: match only outside data transfer phase\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>flow.stateless</strong>: match regardless of stream state\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>flow.no_stream</strong>: match on raw packets only\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>flow.only_stream</strong>: match on reassembled packets only\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>flow.no_frag</strong>: match on raw packets only\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>flow.only_frag</strong>: match on defragmented packets only\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_flowbits">flowbits</h3>\r
+<div class="paragraph"><p>What: rule option to set and test arbitrary boolean flags</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+string <strong>flowbits.~command</strong>: set|reset|isset|etc.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>flowbits.~arg1</strong>: bits or group\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>flowbits.~arg2</strong>: group if arg1 is bits\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_fragbits">fragbits</h3>\r
+<div class="paragraph"><p>What: rule option to test IP frag flags</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+string <strong>fragbits.~flags</strong>: these flags are tested\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_fragoffset">fragoffset</h3>\r
+<div class="paragraph"><p>What: rule option to test IP frag offset</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+string <strong>fragoffset.~range</strong>: check if ip fragment offset value is <em>value | min<>max | <max | >min</em>\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_gid">gid</h3>\r
+<div class="paragraph"><p>What: rule option specifying rule generator</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+int <strong>gid.~</strong>: generator id { 1: }\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_gtp_info">gtp_info</h3>\r
+<div class="paragraph"><p>What: rule option to check gtp info element</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+string <strong>gtp_info.~</strong>: info element to match\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_gtp_type">gtp_type</h3>\r
+<div class="paragraph"><p>What: rule option to check gtp types</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+string <strong>gtp_type.~</strong>: list of types to match\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_gtp_version">gtp_version</h3>\r
+<div class="paragraph"><p>What: rule option to check gtp version</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+int <strong>gtp_version.~</strong>: version to match { 0:2 }\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_http_client_body">http_client_body</h3>\r
+<div class="paragraph"><p>What: rule option to set the detection cursor to the request body</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_http_cookie">http_cookie</h3>\r
+<div class="paragraph"><p>What: rule option to set the detection cursor to the HTTP cookie</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+implied <strong>http_cookie.request</strong>: Match against the cookie from the request message even when examining the response\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>http_cookie.with_body</strong>: Parts of this rule examine HTTP message body\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>http_cookie.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_http_header">http_header</h3>\r
+<div class="paragraph"><p>What: rule option to set the detection cursor to the normalized headers</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+string <strong>http_header.field</strong>: Restrict to given header. Header name is case insensitive.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>http_header.request</strong>: Match against the headers from the request message even when examining the response\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>content.distance</strong>: var or number of bytes from cursor to start search\r
+implied <strong>http_header.with_body</strong>: Parts of this rule examine HTTP message body\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>content.within</strong>: var or maximum number of bytes to search from cursor\r
+implied <strong>http_header.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_cvs">cvs</h3>\r
-<div class="paragraph"><p>What: payload rule option for detecting specific attacks</p></div>\r
+<h3 id="_http_method">http_method</h3>\r
+<div class="paragraph"><p>What: rule option to set the detection cursor to the HTTP request method</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>cvs.invalid-entry</strong>: looks for an invalid Entry string\r
+implied <strong>http_method.with_body</strong>: Parts of this rule examine HTTP message body\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>http_method.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_dce_iface">dce_iface</h3>\r
-<div class="paragraph"><p>What: detection option to check dcerpc interface</p></div>\r
+<h3 id="_http_raw_cookie">http_raw_cookie</h3>\r
+<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized cookie</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>dce_iface.uuid</strong>: match given dcerpc uuid\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>dce_iface.version</strong>: interface version\r
+implied <strong>http_raw_cookie.request</strong>: Match against the cookie from the request message even when examining the response\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>dce_iface.any_frag</strong>: match on any fragment\r
+implied <strong>http_raw_cookie.with_body</strong>: Parts of this rule examine HTTP message body\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_dce_opnum">dce_opnum</h3>\r
-<div class="paragraph"><p>What: detection option to check dcerpc operation number</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>dce_opnum.~</strong>: match given dcerpc operation number, range or list\r
+implied <strong>http_raw_cookie.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_dce_stub_data">dce_stub_data</h3>\r
-<div class="paragraph"><p>What: sets the cursor to dcerpc stub data</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_detection_filter">detection_filter</h3>\r
-<div class="paragraph"><p>What: rule option to require multiple hits before a rule generates an event</p></div>\r
+<h3 id="_http_raw_header">http_raw_header</h3>\r
+<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized headers</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-enum <strong>detection_filter.track</strong>: track hits by source or destination IP address { by_src | by_dst }\r
+implied <strong>http_raw_header.request</strong>: Match against the headers from the request message even when examining the response\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>detection_filter.count</strong>: hits in interval before allowing the rule to fire { 1: }\r
+implied <strong>http_raw_header.with_body</strong>: Parts of this rule examine HTTP message body\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>detection_filter.seconds</strong>: length of interval to count hits { 1: }\r
+implied <strong>http_raw_header.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_dnp3_data">dnp3_data</h3>\r
-<div class="paragraph"><p>What: sets the cursor to dnp3 data</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_dnp3_func">dnp3_func</h3>\r
-<div class="paragraph"><p>What: detection option to check dnp3 function code</p></div>\r
+<h3 id="_http_raw_request">http_raw_request</h3>\r
+<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized request line</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>dnp3_func.~</strong>: match dnp3 function code or name\r
+implied <strong>http_raw_request.with_body</strong>: Parts of this rule examine HTTP message body\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_dnp3_ind">dnp3_ind</h3>\r
-<div class="paragraph"><p>What: detection option to check dnp3 indicator flags</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>dnp3_ind.~</strong>: match given dnp3 indicator flags\r
+implied <strong>http_raw_request.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_dnp3_obj">dnp3_obj</h3>\r
-<div class="paragraph"><p>What: detection option to check dnp3 object headers</p></div>\r
+<h3 id="_http_raw_status">http_raw_status</h3>\r
+<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized status line</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>dnp3_obj.group</strong> = 0: match given dnp3 object header group { 0:255 }\r
+implied <strong>http_raw_status.with_body</strong>: Parts of this rule examine HTTP message body\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>dnp3_obj.var</strong> = 0: match given dnp3 object header var { 0:255 }\r
+implied <strong>http_raw_status.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_dsize">dsize</h3>\r
-<div class="paragraph"><p>What: rule option to test payload size</p></div>\r
+<h3 id="_http_raw_trailer">http_raw_trailer</h3>\r
+<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized trailers</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>dsize.~range</strong>: check if packet payload size is <em>size | min<>max | <max | >min</em>\r
+implied <strong>http_raw_trailer.request</strong>: Match against the trailers from the request message even when examining the response\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_file_data">file_data</h3>\r
-<div class="paragraph"><p>What: rule option to set detection cursor to file data</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_flags">flags</h3>\r
-<div class="paragraph"><p>What: rule option to test TCP control flags</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>flags.~test_flags</strong>: these flags are tested\r
+implied <strong>http_raw_trailer.with_header</strong>: Parts of this rule examine HTTP response message headers (must be combined with request)\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>flags.~mask_flags</strong>: these flags are don’t cares\r
+implied <strong>http_raw_trailer.with_body</strong>: Parts of this rule examine HTTP response message body (must be combined with request)\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_flow">flow</h3>\r
-<div class="paragraph"><p>What: rule option to check session properties</p></div>\r
+<h3 id="_http_raw_uri">http_raw_uri</h3>\r
+<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized URI</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>flow.to_client</strong>: match on server responses\r
+implied <strong>http_raw_uri.with_body</strong>: Parts of this rule examine HTTP message body\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>flow.to_server</strong>: match on client requests\r
+implied <strong>http_raw_uri.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>flow.from_client</strong>: same as to_server\r
+implied <strong>http_raw_uri.scheme</strong>: match against scheme section of URI only\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>flow.from_server</strong>: same as to_client\r
+implied <strong>http_raw_uri.host</strong>: match against host section of URI only\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>flow.established</strong>: match only during data transfer phase\r
+implied <strong>http_raw_uri.port</strong>: match against port section of URI only\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>flow.not_established</strong>: match only outside data transfer phase\r
+implied <strong>http_raw_uri.path</strong>: match against path section of URI only\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>flow.stateless</strong>: match regardless of stream state\r
+implied <strong>http_raw_uri.query</strong>: match against query section of URI only\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>flow.no_stream</strong>: match on raw packets only\r
+implied <strong>http_raw_uri.fragment</strong>: match against fragment section of URI only\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_http_stat_code">http_stat_code</h3>\r
+<div class="paragraph"><p>What: rule option to set the detection cursor to the HTTP status code</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+implied <strong>http_stat_code.with_body</strong>: Parts of this rule examine HTTP message body\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>flow.only_stream</strong>: match on reassembled packets only\r
+implied <strong>http_stat_code.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_http_stat_msg">http_stat_msg</h3>\r
+<div class="paragraph"><p>What: rule option to set the detection cursor to the HTTP status message</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-implied <strong>flow.no_frag</strong>: match on raw packets only\r
+implied <strong>http_stat_msg.with_body</strong>: Parts of this rule examine HTTP message body\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>flow.only_frag</strong>: match on defragmented packets only\r
+implied <strong>http_stat_msg.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_flowbits">flowbits</h3>\r
-<div class="paragraph"><p>What: rule option to set and test arbitrary boolean flags</p></div>\r
+<h3 id="_http_trailer">http_trailer</h3>\r
+<div class="paragraph"><p>What: rule option to set the detection cursor to the normalized trailers</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>flowbits.~command</strong>: set|reset|isset|etc.\r
+string <strong>http_trailer.field</strong>: restrict to given trailer\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>flowbits.~arg1</strong>: bits or group\r
+implied <strong>http_trailer.request</strong>: Match against the trailers from the request message even when examining the response\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>flowbits.~arg2</strong>: group if arg1 is bits\r
+implied <strong>http_trailer.with_header</strong>: Parts of this rule examine HTTP response message headers (must be combined with request)\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_fragbits">fragbits</h3>\r
-<div class="paragraph"><p>What: rule option to test IP frag flags</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>fragbits.~flags</strong>: these flags are tested\r
+implied <strong>http_trailer.with_body</strong>: Parts of this rule examine HTTP message body (must be combined with request)\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_fragoffset">fragoffset</h3>\r
-<div class="paragraph"><p>What: rule option to test IP frag offset</p></div>\r
+<h3 id="_http_uri">http_uri</h3>\r
+<div class="paragraph"><p>What: rule option to set the detection cursor to the normalized URI buffer</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>fragoffset.~range</strong>: check if packet payload size is <em>size | min<>max | <max | >min</em>\r
+implied <strong>http_uri.with_body</strong>: Parts of this rule examine HTTP message body\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_gid">gid</h3>\r
-<div class="paragraph"><p>What: rule option specifying rule generator</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>gid.~</strong>: generator id { 1: }\r
+implied <strong>http_uri.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_gtp_info">gtp_info</h3>\r
-<div class="paragraph"><p>What: rule option to check gtp info element</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>gtp_info.~</strong>: info element to match\r
+implied <strong>http_uri.scheme</strong>: match against scheme section of URI only\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_gtp_type">gtp_type</h3>\r
-<div class="paragraph"><p>What: rule option to check gtp types</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>gtp_type.~</strong>: list of types to match\r
+implied <strong>http_uri.host</strong>: match against host section of URI only\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_gtp_version">gtp_version</h3>\r
-<div class="paragraph"><p>What: rule option to check gtp version</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>gtp_version.~</strong>: version to match { 0:2 }\r
+implied <strong>http_uri.port</strong>: match against port section of URI only\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>http_uri.path</strong>: match against path section of URI only\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>http_uri.query</strong>: match against query section of URI only\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>http_uri.fragment</strong>: match against fragment section of URI only\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_http_client_body">http_client_body</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the request body</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_cookie">http_cookie</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the HTTP cookie</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_header">http_header</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the normalized header(s)</p></div>\r
+<h3 id="_http_version">http_version</h3>\r
+<div class="paragraph"><p>What: rule option to set the detection cursor to the version buffer</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>http_header.~name</strong>: restrict to given header\r
+implied <strong>http_version.request</strong>: Match against the version from the request message even when examining the response\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>http_version.with_body</strong>: Parts of this rule examine HTTP message body\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>http_version.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_http_method">http_method</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the HTTP request method</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_raw_cookie">http_raw_cookie</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized cookie</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_raw_header">http_raw_header</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized headers</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_raw_uri">http_raw_uri</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized URI</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_stat_code">http_stat_code</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the HTTP status code</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_stat_msg">http_stat_msg</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the HTTP status message</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_uri">http_uri</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the normalized URI buffer</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-</div>\r
-<div class="sect2">\r
<h3 id="_icmp_id">icmp_id</h3>\r
<div class="paragraph"><p>What: rule option to check ICMP ID</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
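Review bot: the "(must be combined with request)" qualifier on http_trailer.with_header and http_trailer.with_body should name the option it means, http_trailer.request, since a bare "request" reads as the HTTP message rather than the rule option defined two entries earlier. Also, the new descriptions mix capitalised fragments ("Parts of this rule examine HTTP message body") with the lowercase style the rest of the list uses ("match against query section of URI only"); lowercasing them keeps the generated option table consistent.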
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_pcre">pcre</h3>\r
-<div class="paragraph"><p>What: rule option for matching payload data with pcre</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>pcre.~re</strong>: Snort regular expression\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_pkt_data">pkt_data</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the normalized packet data</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_pkt_num">pkt_num</h3>\r
-<div class="paragraph"><p>What: alert on raw packet number</p></div>\r
+<h3 id="_pcre">pcre</h3>\r
+<div class="paragraph"><p>What: rule option for matching payload data with pcre</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>pkt_num.~range</strong>: check if packet number is in given range\r
+string <strong>pcre.~re</strong>: Snort regular expression\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
+<h3 id="_pkt_data">pkt_data</h3>\r
+<div class="paragraph"><p>What: rule option to set the detection cursor to the normalized packet data</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+</div>\r
+<div class="sect2">\r
<h3 id="_priority">priority</h3>\r
<div class="paragraph"><p>What: rule option for prioritizing events</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
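Review bot: the pkt_num section is deleted here while pcre and pkt_data are only moved; if the pkt_num option still exists in the rule language its documentation is lost by this hunk, so either confirm the option was removed or restore the section in its new position.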
</ul></div>\r
</div>\r
<div class="sect2">\r
+<h3 id="_sd_pattern">sd_pattern</h3>\r
+<div class="paragraph"><p>What: rule option for detecting sensitive data</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+string <strong>sd_pattern.~pattern</strong>: The pattern to search for\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>sd_pattern.threshold</strong>: number of matches before alerting { 1 }\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+<strong>sd_pattern.below threshold</strong>: sd_pattern matched but missed threshold\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>sd_pattern.pattern not found</strong>: sd_pattern did not not match\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>sd_pattern.terminated</strong>: hyperscan terminated\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
<h3 id="_seq">seq</h3>\r
<div class="paragraph"><p>What: rule option to check TCP sequence number</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
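Review bot: typo in the sd_pattern peg count description, "sd_pattern did not not match" should read "sd_pattern did not match". The threshold range is written as "{ 1 }" while every other int option in this document uses the "{ 0: }" lower-bound form; if the intent is "at least 1" it should be "{ 1: }". The "hyperscan terminated" peg also names a dependency without saying what termination means for the rule (the scan was aborted and the pattern is not counted as matched), which a rule writer tuning the threshold would need to know.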
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>seq.~range</strong>: check if packet payload size is <em>size | min<>max | <max | >min</em>\r
+string <strong>seq.~range</strong>: check if tcp sequence number value is <em>value | min<>max | <max | >min</em>\r
</p>\r
</li>\r
</ul></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>tos.~range</strong>: check if packet payload size is <em>size | min<>max | <max | >min</em>\r
+string <strong>tos.~range</strong>: check if ip tos value is <em>value | min<>max | <max | >min</em>\r
</p>\r
</li>\r
</ul></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>ttl.~range</strong>: check if packet payload size is <em>size | min<>max | <max | >min</em>\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_urg">urg</h3>\r
-<div class="paragraph"><p>What: detection for TCP urgent pointer</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>urg.~range</strong>: check if urgent offset is min<>max | <max | >min\r
+string <strong>ttl.~range</strong>: check if ip ttl field value is <em>value | min<>max | <max | >min</em>\r
</p>\r
</li>\r
</ul></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>window.~range</strong>: check if packet payload size is <em>size | min<>max | <max | >min</em>\r
+string <strong>window.~range</strong>: check if tcp window field size is <em>size | min<>max | <max | >min</em>\r
</p>\r
</li>\r
</ul></div>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_alert_ex">alert_ex</h3>\r
-<div class="paragraph"><p>What: output gid:sid:rev for alerts</p></div>\r
-<div class="paragraph"><p>Type: logger</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-bool <strong>alert_ex.upper</strong> = false: true/false → convert to upper/lower case\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
<h3 id="_alert_fast">alert_fast</h3>\r
<div class="paragraph"><p>What: output event with brief text format</p></div>\r
<div class="paragraph"><p>Type: logger</p></div>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_alert_unixsock">alert_unixsock</h3>\r
-<div class="paragraph"><p>What: output event over unix socket</p></div>\r
-<div class="paragraph"><p>Type: logger</p></div>\r
-</div>\r
-<div class="sect2">\r
<h3 id="_log_codecs">log_codecs</h3>\r
<div class="paragraph"><p>What: log protocols in packet by layer</p></div>\r
<div class="paragraph"><p>Type: logger</p></div>\r
</li>\r
<li>\r
<p>\r
+<strong>--ohi</strong> Use Old Http Inspect format\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>--output-file=<out_file></strong>\r
Same as <em>-o</em>. output the new Snort++ lua configuration to\r
<out_file>\r
end\r
}</code></pre>\r
</div></div>\r
-<div class="paragraph"><p>To run snort in piglet mode, first build snort with the BUILD_PIGLET option turned on\r
-(pass the flag -DBUILD_PIGLET:BOOL=ON in cmake).</p></div>\r
+<div class="paragraph"><p>To run snort in piglet mode, first build snort with the ENABLE_PIGLET option turned on\r
+(pass the flag -DENABLE_PIGLET:BOOL=ON in cmake).</p></div>\r
<div class="paragraph"><p>Then, run the following command:</p></div>\r
<div class="literalblock">\r
<div class="content">\r
<p>\r
Generally try to follow\r
<a href="http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml">http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml</a>,\r
- but there are a few differences.\r
+ but there are some differences documented here.\r
</p>\r
</li>\r
<li>\r
<p>\r
Each source directory should have a dev_notes.txt file summarizing the\r
- key points for the code in that directory. These are built into the\r
- developers guide.\r
+ key points and design decisions for the code in that directory. These\r
+ are built into the developers guide.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Makefile.am and CMakeLists.txt should have the same files listed in alpha\r
+ order. This makes it easier to maintain both build systems.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+All new code must come with unit tests providing 95% coverage or better.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Generally, Catch is preferred for tests in the source file and CppUTest\r
+ is preferred for test executables in a test subdirectory.\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_c_specific">C++ Specific</h3>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+Do not use exceptions. Exception-safe code is non-trivial and we have\r
+ ported legacy code that makes use of exceptions unwise. There are a few\r
+ exceptions to this rule for the memory manager, shell, etc. Other code\r
+ should handle errors as errors.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Do not use dynamic_cast or RTTI. Although compilers are getting better\r
+ all the time, there is a time and space cost to this that is easily\r
+ avoided.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Use smart pointers judiciously as they aren’t free. If you would have to\r
+ roll your own, then use a smart pointer. If you just need a dtor to\r
+ delete something, write the dtor.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Prefer <em>and</em> over && and <em>or</em> over || for new source files.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Use nullptr instead of NULL.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Use new, delete, and their [] counterparts instead of malloc and free\r
+ except where realloc must be used. But try not to use realloc. New and\r
+ delete can’t return nullptr so no need to check. And Snort’s memory\r
+ manager will ensure that we live within our memory budget.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Use references in lieu of pointers wherever possible.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Use the order public, protected, private top to bottom in a class\r
+ declaration.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Keep inline functions in a class declaration very brief, preferably just\r
+ one line. If you need a more complex inline function, move the\r
+ definition below the class declaration.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+The goal is to have highly readable class declarations. The user\r
+ shouldn’t have to sift through implementation details to see what is\r
+ available to the client.\r
</p>\r
</li>\r
</ul></div>\r
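Review bot: the "Use new, delete" bullet says "New and delete can't return nullptr so no need to check", but plain new reports allocation failure by throwing std::bad_alloc, which conflicts with the "Do not use exceptions" bullet above it; the guideline should state how allocation failure is actually handled in a no-exceptions code base (terminate via the memory manager's budget enforcement, or use new (std::nothrow) and check) rather than implying it cannot happen. Separately, "we have ported legacy code that makes use of exceptions unwise" is ungrammatical; suggest "the legacy code we have ported makes use of exceptions unwise".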
</li>\r
<li>\r
<p>\r
+Heed Tim Ottinger’s Rule on Comments (<a href="https://disqus.com/by/tim_ottinger/">https://disqus.com/by/tim_ottinger/</a>):\r
+</p>\r
+<div class="olist arabic"><ol class="arabic">\r
+<li>\r
+<p>\r
+Comments should only say what the code is incapable of saying.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Comments that repeat (or pre-state) what the code is doing must be\r
+ removed.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+If the code CAN say what the comment is saying, it must be changed at\r
+ least until rule #2 is in force.\r
+</p>\r
+</li>\r
+</ol></div>\r
+</li>\r
+<li>\r
+<p>\r
Function comment blocks are generally just noise that quickly becomes\r
obsolete. If you absolutely must comment on parameters, put each on a\r
separate line along with the comment. That way changing the signature\r
Put author, description, etc. in separate comment(s) following the\r
license. Do not put such comments in the middle of the license foo.\r
Be sure to put the author line ahead of the header guard to exclude them\r
- from the developers guide.\r
+ from the developers guide. Use the following format, and include a\r
+ mention to the original author if this is derived work:\r
</p>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>// ips_dnp3_obj.cc author Maya Dagon <mdagon@cisco.com>\r
+// based on work by Ryan Jordan</code></pre>\r
+</div></div>\r
</li>\r
<li>\r
<p>\r
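Review bot: "include a mention to the original author" should be "a mention of the original author"; the example block that follows already shows the expected "based on work by" line, so the sentence could simply point at it.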
<li>\r
<p>\r
Messages intended for the user should not look like debug messages. Eg,\r
- the function name should not be included.\r
+ the function name should not be included. It is generally unhelpful to\r
+ include pointers.\r
</p>\r
</li>\r
<li>\r
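Review bot: "It is generally unhelpful to include pointers" would benefit from stating why, since the reason is also a security one: raw addresses mean nothing to a user, and in logs they disclose process memory layout to anyone who can read them. Saying that makes the rule easier to apply to related cases such as object ids derived from addresses.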
<li>\r
<p>\r
Try not to use extern data unless absolutely necessary and then put the\r
- extern in an appropriate header.\r
+ extern in an appropriate header. Exceptions for things used in exactly\r
+ one place like BaseApi pointers.\r
</p>\r
</li>\r
<li>\r
multiple error returns. The C-style use of zero for success and -1 for\r
error is less readable and often leads to messy code that either ignores\r
the various errors anyway or needlessly and ineffectively tries to do\r
- something aobut them.\r
+ something aobut them. Generally that code is not updated if new errors\r
+ are added.\r
</p>\r
</li>\r
</ul></div>\r
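Review bot: the typo "aobut" is carried over unchanged into the new + line ("something aobut them. Generally that code..."); since the line is being rewritten anyway, fix it to "about".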
<div class="ulist"><ul>\r
<li>\r
<p>\r
+Try to keep all source files under 2500 lines. 3000 is the max allowed.\r
+ If you need more lines, chances are that the code needs to be refactored.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
Indent 4 space chars … no tabs!\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_classes">Classes</h3>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-Use the order public, protected, private top to bottom in a class\r
- declaration.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Keep inline functions in a class declaration very brief, preferably just\r
- one line. If you need a more complex inline function, move the\r
- definition outside the class declaration.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-The goal is to have highly readable class declarations. The user\r
- shouldn’t have to sift through implementation details to see what is\r
- available to the client.\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
<h3 id="_headers">Headers</h3>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
A .cc should include its own .h before any others (including\r
system headers). This ensures that the header stands on its own and can\r
- be used by clients without include prerequisites.\r
+ be used by clients without include prerequisites and the developer will\r
+ be the first to find a dependency problem.\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-Any file depending of #ifdefs should include config.h as shown below. A\r
+Try to keep includes in alpha order. This makes it easier to maintain,\r
+ avoid duplicates, etc.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Any file depending on #ifdefs should include config.h as shown below. A\r
.h should include it before any other includes, and a .cc should include\r
it immediately after the include of its own .h.\r
</p>\r
</li>\r
<li>\r
<p>\r
-Do not put using statements in headers.\r
+Do not put using statements in headers unless they are tightly scoped.\r
</p>\r
</li>\r
</ul></div>\r
<div class="literalblock">\r
<div class="content">\r
<pre><code>-Wall -Wextra -pedantic -Wformat -Wformat-security\r
--Wunused-but-set-variable -Wno-deprecated-declarations</code></pre>\r
+-Wunused-but-set-variable -Wno-deprecated-declarations\r
+-fsanitize=address -fno-omit-frame-pointer</code></pre>\r
</div></div>\r
</li>\r
<li>\r
<div class="literalblock">\r
<div class="content">\r
<pre><code>-Wall -Wextra -pedantic -Wformat -Wformat-security\r
--Wno-deprecated-declarations</code></pre>\r
+-Wno-deprecated-declarations\r
+-fsanitize=address -fno-omit-frame-pointer</code></pre>\r
</div></div>\r
</li>\r
<li>\r
<p>\r
-Then Fix All Warnings. None Allowed.\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_other">Other</h3>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-Prefer <em>and</em> over && and <em>or</em> over || for new source files.\r
+Then Fix All Warnings and Aborts. None Allowed.\r
</p>\r
</li>\r
</ul></div>\r
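Review bot: in both flag lists, -fsanitize=address and -fno-omit-frame-pointer are runtime instrumentation rather than warning flags, which is why the closing line now says "Warnings and Aborts"; the text should also say that -fsanitize=address has to be passed at link time as well as compile time (otherwise the build fails to link), and that -fno-omit-frame-pointer is there to make the sanitizer's stack traces usable. A one-line caveat that sanitizer builds are for testing, not production packet processing, would save readers from shipping an instrumented binary.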
</li>\r
<li>\r
<p>\r
-<strong>--daq-mode</strong> <mode> select the DAQ operating mode\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>--daq-var</strong> <name=value> specify extra DAQ configuration variable\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>--dump-version</strong> output the version, the whole version, and only the version (optional)\r
+<strong>--dump-version</strong> output the version, the whole version, and only the version\r
</p>\r
</li>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>ack.~range</strong>: check if packet payload size is <em>size | min<>max | <max | >min</em>\r
+string <strong>ack.~range</strong>: check if tcp ack value is <em>value | min<>max | <max | >min</em>\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>alert_ex.upper</strong> = false: true/false → convert to upper/lower case\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
bool <strong>alert_fast.file</strong> = false: output to alert_fast.txt instead of stdout\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>alert_full.limit</strong> = 0: set limit (0 is unlimited) { 0: }\r
+int <strong>alert_full.limit</strong> = 0: set limit (0 is unlimited) { 0: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+enum <strong>alert_full.units</strong> = B: limit is in bytes | KB | MB | GB { B | K | M | G }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+enum <strong>alert_syslog.facility</strong> = auth: part of priority applied to each message { auth | authpriv | daemon | user | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+enum <strong>alert_syslog.level</strong> = info: part of priority applied to each message { emerg | alert | crit | err | warning | notice | info | debug }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+multi <strong>alert_syslog.options</strong>: used to open the syslog connection { cons | ndelay | perror | pid }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>alerts.alert_with_interface_name</strong> = false: include interface in alert info (fast, full, or syslog only)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>alerts.default_rule_state</strong> = true: enable or disable ips rules\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>alerts.detection_filter_memcap</strong> = 1048576: set available memory for filters { 0: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>alerts.event_filter_memcap</strong> = 1048576: set available memory for filters { 0: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>alerts.order</strong> = pass drop alert log: change the order of rule action application\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>alerts.rate_filter_memcap</strong> = 1048576: set available memory for filters { 0: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>alerts.reference_net</strong>: set the CIDR for homenet (for use with -l or -B, does NOT change $HOME_NET in IDS mode)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>alerts.stateful</strong> = false: don’t alert w/o established session (note: rule action still taken)\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>alert_full.units</strong> = B: limit is in bytes | KB | MB | GB { B | K | M | G }\r
+string <strong>alerts.tunnel_verdicts</strong>: let DAQ handle non-allow verdicts for GTP|Teredo|6in4|4in6 traffic\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>alert_syslog.facility</strong> = auth: part of priority applied to each message { auth | authpriv | daemon | user | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 }\r
+string <strong>appid.app_detector_dir</strong>: directory to load AppId detectors from\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>alert_syslog.level</strong> = info: part of priority applied to each message { emerg | alert | crit | err | warning | notice | info | debug }\r
+string <strong>appid.app_stats_filename</strong>: Filename for logging AppId statistics\r
</p>\r
</li>\r
<li>\r
<p>\r
-multi <strong>alert_syslog.options</strong>: used to open the syslog connection { cons | ndelay | perror | pid }\r
+int <strong>appid.app_stats_period</strong> = 300: time period for collecting and logging AppId statistics { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>alerts.alert_with_interface_name</strong> = false: include interface in alert info (fast, full, or syslog only)\r
+int <strong>appid.app_stats_rollover_size</strong> = 20971520: max file size for AppId stats before rolling over the log file { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>alerts.default_rule_state</strong> = true: enable or disable ips rules\r
+int <strong>appid.app_stats_rollover_time</strong> = 86400: max time period for collection AppId stats before rolling over the log file { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>alerts.detection_filter_memcap</strong> = 1048576: set available memory for filters { 0: }\r
+string <strong>appid.conf</strong>: RNA configuration file\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>alerts.event_filter_memcap</strong> = 1048576: set available memory for filters { 0: }\r
+bool <strong>appid.debug</strong> = false: enable AppId debug logging\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>alerts.order</strong> = pass drop alert log: change the order of rule action application\r
+bool <strong>appid.dump_ports</strong> = false: enable dump of AppId port information\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>alerts.rate_filter_memcap</strong> = 1048576: set available memory for filters { 0: }\r
+int <strong>appid.instance_id</strong> = 0: instance id - need more details for what this is { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>alerts.reference_net</strong>: set the CIDR for homenet (for use with -l or -B, does NOT change $HOME_NET in IDS mode)\r
+int <strong>appid.memcap</strong> = 268435456: time period for collecting and logging AppId statistics { 1048576:3221225472 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>alerts.stateful</strong> = false: don’t alert w/o established session (note: rule action still taken)\r
+string <strong>appid.thirdparty_appid_dir</strong>: directory to load thirdparty AppId detectors from\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>alerts.tunnel_verdicts</strong>: let DAQ handle non-allow verdicts for GTP|Teredo|6in4|4in6 traffic\r
+string <strong>appids.~</strong>: appid option\r
</p>\r
</li>\r
<li>\r
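Review bot: the appid.memcap description "time period for collecting and logging AppId statistics" is copied from appid.app_stats_period and is wrong for a memory cap; it should describe the memory limit the { 1048576:3221225472 } range applies to, with the unit. appid.instance_id's description "instance id - need more details for what this is" is an author placeholder that should not ship in the manual. Minor: appid.app_stats_rollover_time reads "max time period for collection AppId stats", should be "collecting".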
</li>\r
<li>\r
<p>\r
-implied <strong>asn1.print</strong>: <>max | <max | >min\r
+implied <strong>asn1.print</strong>: dump decode data to console; always true\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>daq.decode_data_link</strong> = false: display the second layer header info\r
+string <strong>daq.input_spec</strong>: input specification\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>daq.dir</strong>: directory where to search for DAQ plugins\r
+int <strong>daq.instances[].id</strong>: instance ID (required) { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-select <strong>daq.mode</strong>: set mode of operation { passive | inline | read-file }\r
+string <strong>daq.instances[].input_spec</strong>: input specification\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>daq.no_promisc</strong> = false: whether to put DAQ device into promiscuous mode\r
+string <strong>daq.instances[].variables[].str</strong>: string parameter\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>daq.module</strong>: DAQ module to use\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>daq.snaplen</strong> = deflt: set snap length (same as -P) { 0:65535 }\r
+string <strong>daq.module_dirs[].str</strong>: string parameter\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>daq.type</strong>: select type of DAQ\r
+bool <strong>daq.no_promisc</strong> = false: whether to put DAQ device into promiscuous mode\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>daq.vars</strong>: comma separated list of name=value DAQ-specific parameters\r
+int <strong>daq.snaplen</strong>: set snap length (same as -s) { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>data_log.key</strong> = http_uri: name of data buffer to log\r
+string <strong>daq.variables[].str</strong>: string parameter\r
</p>\r
</li>\r
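Review bot: the new daq.instances[].variables[].str, daq.variables[].str and daq.module_dirs[].str entries are all described as "string parameter", which tells the reader nothing; the lines being removed in this same hunk already have the right wording ("comma separated list of name=value DAQ-specific parameters" for daq.vars and "directory where to search for DAQ plugins" for daq.dir), so reuse them. Also the snaplen entry changes the cross-reference from "-P" to "-s"; confirm which short option the command line actually accepts so the two tables agree.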
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>dpx.max</strong> = 0: maximum payload before alert { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-port <strong>dpx.port</strong>: port to check\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
string <strong>dsize.~range</strong>: check if packet payload size is <em>size | min<>max | <max | >min</em>\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+string <strong>file_connector.connector</strong>: connector name\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+enum <strong>file_connector.direction</strong>: usage { receive | transmit | duplex }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+enum <strong>file_connector.format</strong>: file format { binary | text }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>file_connector.name</strong>: channel name\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>file_id.block_timeout</strong> = 86400: stop blocking after this many seconds { 0: }\r
</p>\r
</li>\r
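Review bot: the file_connector.direction description "usage" says nothing about what { receive | transmit | duplex } selects; suggest "direction of data flow for this connector". None of the four file_connector options shows a default, so the doc should state whether they are all required.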
</li>\r
<li>\r
<p>\r
+int <strong>file_id.capture_block_size</strong> = 32768: file capture block size in bytes { 8: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>file_id.capture_max_size</strong> = 1048576: stop file capture beyond this point { 0: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>file_id.capture_memcap</strong> = 100: memcap for file capture in megabytes { 0: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>file_id.capture_min_size</strong> = 0: stop file capture if file size less than this { 0: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
bool <strong>file_id.enable_capture</strong> = false: enable file capture\r
</p>\r
</li>\r
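Review bot: the new file_id capture options mix units without saying so: capture_block_size is "in bytes", capture_memcap is "in megabytes", and capture_max_size and capture_min_size name no unit at all. Since these bound how much captured file data is held in memory, state the unit in every description (and consider one unit for the group) so an operator does not set a 100 MB memcap against a max_size they believe is in megabytes but is in bytes.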
</li>\r
<li>\r
<p>\r
+bool <strong>file_log.log_pkt_time</strong> = true: log the packet time when event generated\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>file_log.log_sys_time</strong> = false: log the system time when event generated\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>file_type.~</strong>: list of file type IDs to match\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>flags.~mask_flags</strong>: these flags are don’t cares\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-string <strong>fragoffset.~range</strong>: check if packet payload size is <em>size | min<>max | <max | >min</em>\r
+string <strong>fragoffset.~range</strong>: check if ip fragment offset value is <em>value | min<>max | <max | >min</em>\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>high_availability.daq_channel</strong> = false: enable use of daq data plane channel\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>high_availability.enable</strong> = false: enable high availability\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+real <strong>high_availability.min_age</strong> = 1.0: minimum session life before HA updates { 0.0:100.0 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+real <strong>high_availability.min_sync</strong> = 1.0: minimum interval between HA updates { 0.0:100.0 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bit_list <strong>high_availability.ports</strong>: side channel message port list { 65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>host_cache[].size</strong>: size of host cache\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
enum <strong>host_tracker[].frag_policy</strong>: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris }\r
</p>\r
</li>\r
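Review bot: high_availability.ports carries exactly the same help text as side_channel.ports later in this diff ("side channel message port list { 65535 }"), so a reader cannot tell whether the HA module keeps its own port list or inherits the side channel's; reword one of them (for example "ports on which HA session updates are exchanged over the side channel") or drop the duplicate. host_cache[].size is also the only numeric option in this hunk printed with neither a default nor a range, while its neighbours get both (min_age = 1.0 { 0.0:100.0 }); give it at least a { 1: } lower bound and a default so the cache cannot be configured to zero by accident.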
</li>\r
<li>\r
<p>\r
-int <strong>http_global.compress_depth</strong> = 65535: maximum amount of packet payload to decompress { 1:65535 }\r
+implied <strong>http_cookie.request</strong>: Match against the cookie from the request message even when examining the response\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>http_cookie.with_body</strong>: Parts of this rule examine HTTP message body\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>http_cookie.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>http_header.field</strong>: Restrict to given header. Header name is case insensitive.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>http_header.request</strong>: Match against the headers from the request message even when examining the response\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>http_header.with_body</strong>: Parts of this rule examine HTTP message body\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>http_header.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>http_inspect.backslash_to_slash</strong> = false: replace \ with / when normalizing URIs\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_global.decode.b64_decode_depth</strong> = 0: single packet decode depth { -1:65535 }\r
+bit_list <strong>http_inspect.bad_characters</strong>: alert when any of specified bytes are present in URI after percent decoding { 255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_global.decode.bitenc_decode_depth</strong> = 0: single packet decode depth { -1:65535 }\r
+string <strong>http_inspect.ignore_unreserved</strong>: do not alert when the specified unreserved characters are percent-encoded in a URI.Unreserved characters are 0-9, a-z, A-Z, period, underscore, tilde, and minus. { (optional) }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_global.decode.max_mime_mem</strong> = 838860: single packet decode depth { 3276: }\r
+bool <strong>http_inspect.iis_double_decode</strong> = false: perform double decoding of percent encodings to normalize characters\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_global.decode.qp_decode_depth</strong> = 0: single packet decode depth { -1:65535 }\r
+bool <strong>http_inspect.iis_unicode</strong> = false: use IIS unicode code point mapping to normalize characters\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_global.decode.uu_decode_depth</strong> = 0: single packet decode depth { -1:65535 }\r
+int <strong>http_inspect.iis_unicode_code_page</strong> = 1252: code page to use from the IIS unicode map file { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_global.decompress_depth</strong> = 65535: maximum amount of decompressed data to process { 1:65535 }\r
+string <strong>http_inspect.iis_unicode_map_file</strong>: file containing code points for IIS unicode. { (optional) }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_global.detect_anomalous_servers</strong> = false: inspect non-configured ports for HTTP - bad idea\r
+int <strong>http_inspect.oversize_dir_length</strong> = 300: maximum length for URL directory { 1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_global.max_gzip_mem</strong> = 838860: total memory used for decompression across all active sessions { 3276: }\r
+bool <strong>http_inspect.percent_u</strong> = false: normalize %uNNNN and %UNNNN encodings\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_global.memcap</strong> = 150994944: limit of memory used for logging extra data { 2304: }\r
+bool <strong>http_inspect.plus_to_space</strong> = true: replace + with <sp> when normalizing URIs\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_global.proxy_alert</strong> = false: alert on proxy usage for servers without allow_proxy_use\r
+int <strong>http_inspect.print_amount</strong> = 1200: number of characters to print from a Field { 1:1000000 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_global.unicode_map.code_page</strong> = 1252: select code page in map file { 0: }\r
+bool <strong>http_inspect.print_hex</strong> = false: nonprinting characters printed in [HH] format instead of using an asterisk\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>http_global.unicode_map.map_file</strong>: unicode map file\r
+int <strong>http_inspect.request_depth</strong> = -1: maximum request message body bytes to examine (-1 no limit) { -1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>http_header.~name</strong>: restrict to given header\r
+int <strong>http_inspect.response_depth</strong> = -1: maximum response message body bytes to examine (-1 no limit) { -1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.allow_proxy_use</strong> = false: don’t alert on proxy use for this server\r
+bool <strong>http_inspect.show_pegs</strong> = true: display peg counts with test output\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.decompress_pdf</strong> = false: enable decompression of the compressed portions of PDF files\r
+bool <strong>http_inspect.simplify_path</strong> = true: reduce URI directory path to simplest form\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.decompress_swf</strong> = false: enable decompression of SWF (Adobe Flash content)\r
+bool <strong>http_inspect.test_input</strong> = false: read HTTP messages from text file\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.enable_cookies</strong> = true: extract cookies\r
+bool <strong>http_inspect.test_output</strong> = false: print out HTTP section data\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.enable_xff</strong> = false: log True-Client-IP and X-Forwarded-For headers with unified2 alerts as extra data\r
+bool <strong>http_inspect.unzip</strong> = true: decompress gzip and deflate message bodies\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.extended_ascii_uri</strong> = false: allow extended ASCII codes in the request URI\r
+bool <strong>http_inspect.utf8</strong> = true: normalize 2-byte and 3-byte UTF-8 characters to a single byte\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.extended_response_inspection</strong> = true: extract response headers\r
+bool <strong>http_inspect.utf8_bare_byte</strong> = false: when doing UTF-8 character normalization include bytes that were not percent encoded\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>http_inspect.http_methods</strong> = GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA: request methods allowed in addition to GET and POST\r
+implied <strong>http_method.with_body</strong>: Parts of this rule examine HTTP message body\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.inspect_gzip</strong> = true: enable gzip decompression of compressed bodies\r
+implied <strong>http_method.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.inspect_uri_only</strong> = false: disable all detection except for uricontent\r
+implied <strong>http_raw_cookie.request</strong>: Match against the cookie from the request message even when examining the response\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.log_hostname</strong> = false: enable logging of Hostname with unified2 alerts as extra data\r
+implied <strong>http_raw_cookie.with_body</strong>: Parts of this rule examine HTTP message body\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.log_uri</strong> = false: enable logging of URI with unified2 alerts as extra data\r
+implied <strong>http_raw_cookie.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.no_pipeline_req</strong> = false: don’t inspect pipelined requests after first (still does general detection)\r
+implied <strong>http_raw_header.request</strong>: Match against the headers from the request message even when examining the response\r
</p>\r
</li>\r
<li>\r
<p>\r
-bit_list <strong>http_inspect.non_rfc_chars</strong> = 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07: alert on given non-RFC chars being present in the URI { 255 }\r
+implied <strong>http_raw_header.with_body</strong>: Parts of this rule examine HTTP message body\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.normalize_cookies</strong> = false: normalize cookies similar to URI\r
+implied <strong>http_raw_header.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.normalize_headers</strong> = false: normalize headers other than cookie similar to URI\r
+implied <strong>http_raw_request.with_body</strong>: Parts of this rule examine HTTP message body\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_inspect.oversize_dir_length</strong> = 500: alert if a URL has a directory longer than this limit { 0: }\r
+implied <strong>http_raw_request.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.profile.apache_whitespace</strong> = false: don’t alert if tab is used in lieu of space characters\r
+implied <strong>http_raw_status.with_body</strong>: Parts of this rule examine HTTP message body\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.profile.ascii</strong> = false: enable decoding ASCII like %2f to /\r
+implied <strong>http_raw_status.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.profile.bare_byte</strong> = false: decode non-standard, non-ASCII character encodings\r
+implied <strong>http_raw_trailer.request</strong>: Match against the trailers from the request message even when examining the response\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_inspect.profile.chunk_length</strong> = 500000: alert on chunk lengths greater than specified { 1: }\r
+implied <strong>http_raw_trailer.with_body</strong>: Parts of this rule examine HTTP response message body (must be combined with request)\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_inspect.profile.client_flow_depth</strong> = 0: raw request payload to inspect { -1:1460 }\r
+implied <strong>http_raw_trailer.with_header</strong>: Parts of this rule examine HTTP response message headers (must be combined with request)\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.profile.directory</strong> = false: normalize . and .. sequences out of URI\r
+implied <strong>http_raw_uri.fragment</strong>: match against fragment section of URI only\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.profile.double_decode</strong> = false: iis specific extra decoding\r
+implied <strong>http_raw_uri.host</strong>: match against host section of URI only\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.profile.iis_backslash</strong> = false: normalize directory slashes\r
+implied <strong>http_raw_uri.path</strong>: match against path section of URI only\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.profile.iis_delimiter</strong> = false: allow use of non-standard delimiter\r
+implied <strong>http_raw_uri.port</strong>: match against port section of URI only\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.profile.iis_unicode</strong> = false: enable unicode code point mapping using unicode_map settings\r
+implied <strong>http_raw_uri.query</strong>: match against query section of URI only\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_inspect.profile.iis_unicode_map.code_page</strong> = 1252: select code page in map file { 0: }\r
+implied <strong>http_raw_uri.scheme</strong>: match against scheme section of URI only\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>http_inspect.profile.iis_unicode_map.map_file</strong>: unicode map file\r
+implied <strong>http_raw_uri.with_body</strong>: Parts of this rule examine HTTP message body\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_inspect.profile.max_header_length</strong> = 750: maximum allowed client request header field { 0:65535 }\r
+implied <strong>http_raw_uri.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_inspect.profile.max_headers</strong> = 100: maximum allowed client request headers { 0:1024 }\r
+implied <strong>http_stat_code.with_body</strong>: Parts of this rule examine HTTP message body\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_inspect.profile.max_javascript_whitespaces</strong> = 200: maximum number of consecutive whitespaces { 0: }\r
+implied <strong>http_stat_code.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_inspect.profile.max_spaces</strong> = 200: maximum allowed whitespaces when folding { 0:65535 }\r
+implied <strong>http_stat_msg.with_body</strong>: Parts of this rule examine HTTP message body\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.profile.multi_slash</strong> = false: normalize out consecutive slashes in URI\r
+implied <strong>http_stat_msg.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.profile.non_strict</strong> = true: allows HTTP 0.9 processing\r
+string <strong>http_trailer.field</strong>: restrict to given trailer\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.profile.normalize_javascript</strong> = true: normalize javascript between <script> tags\r
+implied <strong>http_trailer.request</strong>: Match against the trailers from the request message even when examining the response\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.profile.normalize_utf</strong> = true: normalize response bodies with UTF content-types\r
+implied <strong>http_trailer.with_body</strong>: Parts of this rule examine HTTP message body (must be combined with request)\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_inspect.profile.post_depth</strong> = 65495: amount of POST data to inspect { -1:65535 }\r
+implied <strong>http_trailer.with_header</strong>: Parts of this rule examine HTTP response message headers (must be combined with request)\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>http_inspect.profile.profile_type</strong> = default: set defaults appropriate for selected server { default | apache | iis | iis_40 | iis_50 }\r
+implied <strong>http_uri.fragment</strong>: match against fragment section of URI only\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_inspect.profile.server_flow_depth</strong> = 0: response payload to inspect; includes headers with extended_response_inspection { -1:65535 }\r
+implied <strong>http_uri.host</strong>: match against host section of URI only\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.profile.u_encode</strong> = true: decode %uXXXX character sequences\r
+implied <strong>http_uri.path</strong>: match against path section of URI only\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.profile.utf_8</strong> = false: decode UTF-8 unicode sequences in URI\r
+implied <strong>http_uri.port</strong>: match against port section of URI only\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.profile.webroot</strong> = false: alert on directory traversals past the top level (web server root)\r
+implied <strong>http_uri.query</strong>: match against query section of URI only\r
</p>\r
</li>\r
<li>\r
<p>\r
-bit_list <strong>http_inspect.profile.whitespace_chars</strong>: allowed white space characters { 255 }\r
+implied <strong>http_uri.scheme</strong>: match against scheme section of URI only\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_inspect.small_chunk_count</strong> = 5: alert if more than this limit of consecutive chunks are below small_chunk_length { 0:255 }\r
+implied <strong>http_uri.with_body</strong>: Parts of this rule examine HTTP message body\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_inspect.small_chunk_length</strong> = 10: alert if more than small_chunk_count consecutive chunks below this limit { 0:255 }\r
+implied <strong>http_uri.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.tab_uri_delimiter</strong> = false: whether a tab not preceded by a space is considered a delimiter or part of URI\r
+implied <strong>http_version.request</strong>: Match against the version from the request message even when examining the response\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.unlimited_decompress</strong> = true: decompress across multiple packets\r
+implied <strong>http_version.with_body</strong>: Parts of this rule examine HTTP message body\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.xff_headers</strong> = false: not implemented\r
+implied <strong>http_version.with_trailer</strong>: Parts of this rule examine HTTP message trailers\r
</p>\r
</li>\r
<li>\r
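Review bot: http_trailer.field ("restrict to given trailer") loses the "name is case insensitive" statement that http_header.field carries, although trailers are header fields and the matching should be the same; copy the sentence over or say explicitly if trailer matching differs. Same-hunk consistency points: the help for http_inspect.ignore_unreserved runs two sentences together ("URI.Unreserved"), the implied options mix capitalised ("Match against", "Parts of this rule") and lowercase ("match against fragment section") styles, and http_raw_trailer.with_body says "HTTP response message body (must be combined with request)" while http_trailer.with_body says "HTTP message body (must be combined with request)" for what reads as the same semantics. Finally, http_inspect.test_input, test_output and show_pegs are test-harness switches now exposed as ordinary inspector configuration; if they are meant for developers only, the help should say so, since test_input = true makes the inspector read messages from a text file instead of the wire.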
</li>\r
<li>\r
<p>\r
+enum <strong>latency.packet.action</strong> = alert_and_log: event action if packet times out and is fastpathed { none | alert | log | alert_and_log }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>latency.packet.fastpath</strong> = false: fastpath expensive packets (max_time exceeded)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>latency.packet.max_time</strong> = 500: set timeout for packet latency thresholding (usec) { 0: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+enum <strong>latency.rule.action</strong> = alert_and_log: event action for rule latency enable and suspend events { none | alert | log | alert_and_log }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>latency.rule.max_suspend_time</strong> = 30000: set max time for suspending a rule (ms, 0 means permanently disable rule) { 0: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>latency.rule.max_time</strong> = 500: set timeout for rule evaluation (usec) { 0: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>latency.rule.suspend</strong> = false: temporarily suspend expensive rules\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>latency.rule.suspend_threshold</strong> = 5: set threshold for number of timeouts before suspending a rule { 1: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
bool <strong>log_codecs.file</strong> = false: output to log_codecs.txt instead of stdout\r
</p>\r
</li>\r
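Review bot: latency.packet.max_time and latency.rule.max_time both accept 0 in their { 0: } range but the help no longer says what 0 means, whereas the ppm options they replace documented "0 = off"; state it explicitly ("0 disables packet latency thresholding" or whatever the real behaviour is). The enable semantics are also split across two options without saying so: latency.packet.action only applies "if packet times out and is fastpathed", and latency.packet.fastpath defaults to false, so max_time has no visible effect until fastpath is turned on; the max_time help (and likewise rule.max_time with rule.suspend) should mention that dependency so an operator does not believe a timeout is enforced when it is not.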
</li>\r
<li>\r
<p>\r
+int <strong>memory.cap</strong> = 0: set the per-packet-thread cap on memory (bytes, 0 to disable) { 0: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>memory.soft</strong> = false: always succeed in allocating memory, even if above the cap\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>memory.threshold</strong> = 0: set the per-packet-thread threshold for preemptive cleanup actions (percent, 0 to disable) { 0: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>metadata.</strong>*: additional parameters not used by snort\r
</p>\r
</li>\r
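Review bot: memory.threshold is documented as a percent but its range is { 0: }, so values above 100 are accepted; constrain it to { 0:100 } the way the cleanup_pct options in the stream cache hunks below are. The help for memory.soft describes only the soft case ("always succeed ... even if above the cap"); the default hard case is the one an operator tuning a per-packet-thread cap needs to understand, so add what happens when an allocation exceeds memory.cap with soft = false.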
</li>\r
<li>\r
<p>\r
-int <strong>new_http_inspect.print_amount</strong> = 1200: number of characters to print from a Field { 1:1000000 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>new_http_inspect.request_depth</strong> = -1: maximum request message body bytes to examine (-1 no limit) { -1: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>new_http_inspect.response_depth</strong> = -1: maximum response message body bytes to examine (-1 no limit) { -1: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>new_http_inspect.test_input</strong> = false: read HTTP messages from text file\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>new_http_inspect.test_output</strong> = false: print out HTTP section data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>new_http_inspect.unzip</strong> = true: decompress gzip and deflate message bodies\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
bool <strong>normalizer.icmp4</strong> = false: clear reserved flag\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>output.obfuscate_pii</strong> = false: Mask all but the last 4 characters of credit card and social security numbers\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
bool <strong>output.quiet</strong> = false: suppress non-fatal information (still show alerts, same as -q)\r
</p>\r
</li>\r
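Review bot: output.obfuscate_pii defaults to false, so credit card and social security numbers that the sd_pattern rule option (added later in this diff) is designed to find will be written to alert output unmasked unless the operator discovers this flag; consider defaulting it to true or at least cross-referencing it from the sd_pattern help. The help string also breaks the lowercase convention used by the surrounding options ("Mask all but ...").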
</li>\r
<li>\r
<p>\r
-bool <strong>packets.address_space_agnostic</strong> = false: determines whether DAQ address space info is used to track fragments and connections\r
+bool <strong>packet_capture.enable</strong> = false: initially enable packet dumping\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>packets.bpf_file</strong>: file with BPF to select traffic for Snort\r
+string <strong>packet_capture.filter</strong>: bpf filter to use for packet dump\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>packets.enable_inline_init_failopen</strong> = true: whether to pass traffic during later stage of initialization to avoid drops\r
+bool <strong>packets.address_space_agnostic</strong> = false: determines whether DAQ address space info is used to track fragments and connections\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>packets.limit</strong> = 0: maximum number of packets to process before stopping (0 is unlimited) { 0: }\r
+string <strong>packets.bpf_file</strong>: file with BPF to select traffic for Snort\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>packets.skip</strong> = 0: number of packets to skip before before processing { 0: }\r
+int <strong>packets.limit</strong> = 0: maximum number of packets to process before stopping (0 is unlimited) { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>packets.vlan_agnostic</strong> = false: determines whether VLAN info is used to track fragments and connections\r
+int <strong>packets.skip</strong> = 0: number of packets to skip before before processing { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>pcre.~re</strong>: Snort regular expression\r
+bool <strong>packets.vlan_agnostic</strong> = false: determines whether VLAN info is used to track fragments and connections\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>perf_monitor.console</strong> = false: output to console\r
+string <strong>pcre.~re</strong>: Snort regular expression\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>perf_monitor.events</strong> = false: report on qualified vs non-qualified events\r
+bool <strong>perf_monitor.base</strong> = true: enable base statistics { nullptr }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>perf_monitor.file</strong> = false: output base stats to perf_monitor.csv instead of stdout\r
+bool <strong>perf_monitor.cpu</strong> = false: enable cpu statistics { nullptr }\r
</p>\r
</li>\r
<li>\r
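Review bot: perf_monitor.base and perf_monitor.cpu print "{ nullptr }" where every other bool in this list prints no range at all, which means the range field of their Parameter entries is a null pointer that the document generator is stringifying; fix the table entries rather than shipping the word nullptr in user documentation. Two more points in this hunk: packets.enable_inline_init_failopen (default true, pass traffic during late initialisation) is removed with no replacement among the + lines, and since it decides whether an inline sensor fails open or closed while starting up, the removal and the resulting behaviour need to be documented; and packets.skip still reads "skip before before processing", a typo carried over unchanged from the - line.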
</li>\r
<li>\r
<p>\r
-bool <strong>perf_monitor.flow_file</strong> = false: output traffic statistics to a perf_monitor_flow.csv instead of stdout\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
bool <strong>perf_monitor.flow_ip</strong> = false: enable statistics on host pairs\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>perf_monitor.flow_ip_file</strong> = false: output host pair statistics to perf_monitor_flow_ip.csv instead of stdout\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>perf_monitor.flow_ip_memcap</strong> = 52428800: maximum memory for flow tracking { 8200: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>perf_monitor.flow_ports</strong> = 1023: maximum ports to track { 0: }\r
+int <strong>perf_monitor.flow_ports</strong> = 1023: maximum ports to track { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>perf_monitor.max</strong> = false: calculate theoretical maximum performance\r
+enum <strong>perf_monitor.format</strong> = csv: Output format for stats { csv | text }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>perf_monitor.modules[].pegs[].name</strong>: name of the statistic to track\r
+string <strong>perf_monitor.modules[].pegs</strong>: list of statistics to track or empty for all counters\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>perf_monitor.packets</strong> = 10000: minimum packets to report { 0: }\r
+enum <strong>perf_monitor.output</strong> = file: Output location for stats { file | console }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>perf_monitor.reset</strong> = true: reset (clear) statistics after each reporting interval\r
+int <strong>perf_monitor.packets</strong> = 10000: minimum packets to report { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>perf_monitor.seconds</strong> = 60: report interval; 0 means report at exit only { 0: }\r
+int <strong>perf_monitor.seconds</strong> = 60: report interval { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>pkt_num.~range</strong>: check if packet number is in given range\r
+bool <strong>perf_monitor.summary</strong> = false: Output summary at shutdown\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-enum <strong>port_scan.sense_level</strong> = medium: choose the level of detection { low | medium | high }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>port_scan.watch_ip</strong>: list of CIDRs with optional ports to watch\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan_global.memcap</strong> = 1048576: maximum tracker memory { 1: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>ppm.fastpath_expensive_packets</strong> = false: stop inspection if the max_pkt_time is exceeded\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>ppm.max_pkt_time</strong> = 0: enable packet latency thresholding (usec), 0 = off { 0: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>ppm.max_rule_time</strong> = 0: enable rule latency thresholding (usec), 0 = off { 0: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>ppm.pkt_log</strong> = none: log event if max_pkt_time is exceeded { none | log | alert | both }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>ppm.rule_log</strong> = none: enable event logging for suspended rules { none|log|alert|both }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>ppm.suspend_expensive_rules</strong> = false: temporarily disable rule if threshold is reached\r
+enum <strong>port_scan.sense_level</strong> = medium: choose the level of detection { low | medium | high }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>ppm.suspend_timeout</strong> = 60: seconds to suspend rule, 0 = permanent { 0: }\r
+string <strong>port_scan.watch_ip</strong>: list of CIDRs with optional ports to watch\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>ppm.threshold</strong> = 5: number of times to exceed limit before disabling rule { 1: }\r
+int <strong>port_scan_global.memcap</strong> = 1048576: maximum tracker memory { 1: }\r
</p>\r
</li>\r
<li>\r
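Review bot: this hunk deletes the whole ppm module but nothing in the diff maps it to the latency module added earlier, and the replacements are not like-for-like: ppm.suspend_timeout = 60 (seconds) becomes latency.rule.max_suspend_time = 30000 (ms), halving the default suspension window; ppm.max_pkt_time = 0 (off) becomes latency.packet.max_time = 500 with no off value documented; and the enum values change from { none | log | alert | both } to { none | alert | log | alert_and_log }. An existing snort.lua that still sets ppm.* will fail to load, so a release-notes entry listing old name, new name, default and unit for each option is needed.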
</li>\r
<li>\r
<p>\r
-int <strong>process.threads[].cpu</strong> = 0: pin the associated source/thread to this cpu { 0:127 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>process.threads[].source</strong>: set cpu affinity for this source (either pcap or <iface>\r
+string <strong>process.threads[].cpuset</strong>: pin the associated thread to this cpuset\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+int <strong>sd_pattern.threshold</strong>: number of matches before alerting { 1 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>sd_pattern.~pattern</strong>: The pattern to search for\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>search_engine.bleedover_port_limit</strong> = 1024: maximum ports in rule before demotion to any-any port group { 1: }\r
</p>\r
</li>\r
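Review bot: sd_pattern.threshold prints its range as "{ 1 }" with no colon and no default, which matches no other int option in this list (the form is { min: } or { min:max }, e.g. { 1: } on search_engine.bleedover_port_limit in the same hunk); either the default landed in the range slot of the Parameter entry or the range string is malformed, and the line should read "= 1 ... { 1: }". sd_pattern.~pattern's help ("The pattern to search for") is also capitalised unlike its neighbours.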
</li>\r
<li>\r
<p>\r
-dynamic <strong>search_engine.search_method</strong> = ac_bnfa: set fast pattern algorithm - choose available search engine { ac_banded | ac_bnfa | ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan | lowmem }\r
+dynamic <strong>search_engine.search_method</strong> = ac_bnfa: set fast pattern algorithm - choose available search engine { ac_banded | ac_bnfa | ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>search_engine.search_optimize</strong> = false: tweak state machine construction for better performance\r
+bool <strong>search_engine.search_optimize</strong> = true: tweak state machine construction for better performance\r
</p>\r
</li>\r
<li>\r
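Review bot: search_engine.search_method drops lowmem from its enum, so any existing configuration that selects lowmem will now be rejected at load time, and search_engine.search_optimize flips its default from false to true; neither change is visible anywhere but in these two help strings, and both deserve a release-notes line (for lowmem, with the method to use instead).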
</li>\r
<li>\r
<p>\r
-string <strong>seq.~range</strong>: check if packet payload size is <em>size | min<>max | <max | >min</em>\r
+string <strong>seq.~range</strong>: check if tcp sequence number value is <em>value | min<>max | <max | >min</em>\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+string <strong>side_channel.connectors[].connector</strong>: connector handle\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bit_list <strong>side_channel.ports</strong>: side channel message port list { 65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
bool <strong>sip.ignore_call_channel</strong> = false: enables the support for ignoring audio/video data channel\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+int <strong>smtp.max_auth_command_line_len</strong> = 1000: max auth command Line Length { 0:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>smtp.max_command_line_len</strong> = 0: max Command Line Length { 0:65535 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--daq-mode</strong>: <mode> select the DAQ operating mode\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
string <strong>snort.--daq-var</strong>: <name=value> specify extra DAQ configuration variable\r
</p>\r
</li>\r
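Review bot: snort.--daq-mode ("select the DAQ operating mode") is removed with no replacement in this hunk; the daq.* module options at the top of this diff suggest the mode moved into the daq module, but nothing here confirms it, so either keep the command-line option as an alias or document the new way to choose the operating mode, since --daq-var alone does not cover it.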
</li>\r
<li>\r
<p>\r
-string <strong>snort.--dump-version</strong>: output the version, the whole version, and only the version { (optional) }\r
+implied <strong>snort.--dump-version</strong>: output the version, the whole version, and only the version\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.file_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
+int <strong>stream.file_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.file_cache.max_sessions</strong> = 128: maximum simultaneous sessions tracked before pruning { 1: }\r
+int <strong>stream.file_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.file_cache.memcap</strong> = 0: maximum cache memory before pruning (0 is unlimited) { 0: }\r
+int <strong>stream.file_cache.max_sessions</strong> = 128: maximum simultaneous sessions tracked before pruning { 2: }\r
</p>\r
</li>\r
<li>\r
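Review bot: stream.file_cache.memcap is removed and cleanup_pct is added in its place, so the file cache is now bounded only by a session count (max_sessions) and no longer by bytes; the same substitution is made for icmp_cache, ip_cache and tcp_cache in the hunks that follow. Because per-session memory is not fixed, a count limit is a weaker guard against memory exhaustion from a flood of flows than the byte cap was; if the new memory.cap module is meant to take over that role, the cleanup_pct or max_sessions help should say so. The lower bound of max_sessions also moves from { 1: } to { 2: } without explanation; document why 1 is no longer valid.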
</li>\r
<li>\r
<p>\r
-int <strong>stream.icmp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
+int <strong>stream.icmp_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.icmp_cache.max_sessions</strong> = 32768: maximum simultaneous sessions tracked before pruning { 1: }\r
+int <strong>stream.icmp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.icmp_cache.memcap</strong> = 1048576: maximum cache memory before pruning (0 is unlimited) { 0: }\r
+int <strong>stream.icmp_cache.max_sessions</strong> = 32768: maximum simultaneous sessions tracked before pruning { 2: }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.ip_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
+int <strong>stream.ip_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.ip_cache.max_sessions</strong> = 16384: maximum simultaneous sessions tracked before pruning { 1: }\r
+int <strong>stream.ip_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.ip_cache.memcap</strong> = 23920640: maximum cache memory before pruning (0 is unlimited) { 0: }\r
+int <strong>stream.ip_cache.max_sessions</strong> = 16384: maximum simultaneous sessions tracked before pruning { 2: }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.tcp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
+int <strong>stream.tcp_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.tcp_cache.max_sessions</strong> = 131072: maximum simultaneous sessions tracked before pruning { 1: }\r
+int <strong>stream.tcp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.tcp_cache.memcap</strong> = 268435456: maximum cache memory before pruning (0 is unlimited) { 0: }\r
+int <strong>stream.tcp_cache.max_sessions</strong> = 131072: maximum simultaneous sessions tracked before pruning { 2: }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.udp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
+int <strong>stream.udp_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.udp_cache.max_sessions</strong> = 65536: maximum simultaneous sessions tracked before pruning { 1: }\r
+int <strong>stream.udp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.udp_cache.memcap</strong> = 0: maximum cache memory before pruning (0 is unlimited) { 0: }\r
+int <strong>stream.udp_cache.max_sessions</strong> = 65536: maximum simultaneous sessions tracked before pruning { 2: }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.user_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
+int <strong>stream.user_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.user_cache.max_sessions</strong> = 1024: maximum simultaneous sessions tracked before pruning { 1: }\r
+int <strong>stream.user_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.user_cache.memcap</strong> = 1048576: maximum cache memory before pruning (0 is unlimited) { 0: }\r
+int <strong>stream.user_cache.max_sessions</strong> = 1024: maximum simultaneous sessions tracked before pruning { 2: }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>tos.~range</strong>: check if packet payload size is <em>size | min<>max | <max | >min</em>\r
+string <strong>tos.~range</strong>: check if ip tos value is <em>value | min<>max | <max | >min</em>\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>ttl.~range</strong>: check if packet payload size is <em>size | min<>max | <max | >min</em>\r
+string <strong>ttl.~range</strong>: check if ip ttl field value is <em>value | min<>max | <max | >min</em>\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>urg.~range</strong>: check if urgent offset is min<>max | <max | >min\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>window.~range</strong>: check if packet payload size is <em>size | min<>max | <max | >min</em>\r
+string <strong>window.~range</strong>: check if tcp window field size is <em>size | min<>max | <max | >min</em>\r
</p>\r
</li>\r
<li>\r
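Review bot: `urg.~range` is removed outright here while the adjacent `window.~range` only gets its description corrected. Confirm the `urg` rule option is really gone (or say where its range syntax is now documented), since any rule that still uses it will need to be rewritten, and that is worth a line in the release notes.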
<div class="ulist"><ul>\r
<li>\r
<p>\r
+<strong>appid.battlefield_flows</strong>: count of battle field flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.bgp_flows</strong>: count of bgp flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.bit_clients</strong>: count of bittorrent clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.bit_flows</strong>: count of bittorrent flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.bittracker_clients</strong>: count of bittorrent tracker clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.dcerpc_tcp_flows</strong>: count of dce rpc flows over tcp discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.dcerpc_udp_flows</strong>: count of dce rpc flows over udp discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.dns_tcp_flows</strong>: count of dns flows over tcp discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.dns_udp_flows</strong>: count of dns flows over udp discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.ftp_flows</strong>: count of ftp flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.ftps_flows</strong>: count of ftps flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.imap_flows</strong>: count of imap service flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.imaps_flows</strong>: count of imap TLS service flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.irc_flows</strong>: count of irc service flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.kerberos_clients</strong>: count of kerberos clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.kerberos_flows</strong>: count of kerberos service flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.kerberos_users</strong>: count of kerberos users discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.lpr_flows</strong>: count of lpr service flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.mdns_flows</strong>: count of mdns service flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.mysql_flows</strong>: count of mysql service flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.netbios_flows</strong>: count of netbios service flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.packets</strong>: count of packets processed by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.pop_flows</strong>: count of pop service flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.smtp_flows</strong>: count of smtp flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.smtps_flows</strong>: count of smtps flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.ssh_clients</strong>: count of ssh clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.ssh_flows</strong>: count of ssh flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.ssl_flows</strong>: count of ssl flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.telnet_flows</strong>: count of telnet flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.timbuktu_flows</strong>: count of timbuktu flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>arp_spoof.packets</strong>: total packets\r
</p>\r
</li>\r
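Review bot: in the new appid counter descriptions, "battle field flows" should read "battlefield flows" to match the `appid.battlefield_flows` name. The descriptions also alternate between "flows" and "service flows" (`ftp_flows` vs `imap_flows`, `smtp_flows` vs `pop_flows`) with no evident rule; pick one form. `appid.kerberos_users` is the only counter here that counts users rather than flows or clients, so a word on what is counted (distinct principals seen, or occurrences) would help anyone using it for baselining.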
</li>\r
<li>\r
<p>\r
-<strong>daq.fail open</strong>: packets passed during initialization\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>daq.filtered</strong>: packets filtered out\r
</p>\r
</li>\r
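Review bot: removing `daq.fail open` ("packets passed during initialization") takes away the only counter in this list that shows how many packets were passed uninspected while the engine was starting. If fail-open during initialization still happens, keep a counter for it, or state where it is now reported; that number is exactly what an operator needs to decide whether a restart window created an inspection gap.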
</li>\r
<li>\r
<p>\r
-<strong>data_log.packets</strong>: total packets\r
+<strong>dce_smb.Alter context responses</strong>: total connection-oriented alter context responses\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.aborted sessions</strong>: total aborted sessions\r
+<strong>dce_smb.Alter contexts</strong>: total connection-oriented alter contexts\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.bad autodetects</strong>: total bad autodetects\r
+<strong>dce_smb.Auth3s</strong>: total connection-oriented auth3s\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented PDUs</strong>: total connection-oriented PDUs\r
+<strong>dce_smb.Bind acks</strong>: total connection-oriented binds acks\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented alter context responses</strong>: total connection-oriented alter context responses\r
+<strong>dce_smb.Bind naks</strong>: total connection-oriented bind naks\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented alter contexts</strong>: total connection-oriented alter contexts\r
+<strong>dce_smb.Binds</strong>: total connection-oriented binds\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented auth3s</strong>: total connection-oriented auth3s\r
+<strong>dce_smb.Cancels</strong>: total connection-oriented cancels\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented bind acks</strong>: total connection-oriented binds acks\r
+<strong>dce_smb.Client frags reassembled</strong>: total connection-oriented client fragments reassembled\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented bind naks</strong>: total connection-oriented bind naks\r
+<strong>dce_smb.Client max fragment size</strong>: connection-oriented client maximum fragment size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented binds</strong>: total connection-oriented binds\r
+<strong>dce_smb.Client min fragment size</strong>: connection-oriented client minimum fragment size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented cancels</strong>: total connection-oriented cancels\r
+<strong>dce_smb.Client segs reassembled</strong>: total connection-oriented client segments reassembled\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented client fragments reassembled</strong>: total connection-oriented client fragments reassembled\r
+<strong>dce_smb.Client segs reassembled</strong>: total smb client segments reassembled\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented client maximum fragment size</strong>: connection-oriented client maximum fragment size\r
+<strong>dce_smb.Faults</strong>: total connection-oriented faults\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented client minimum fragment size</strong>: connection-oriented client minimum fragment size\r
+<strong>dce_smb.Files processed</strong>: total smb files processed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented client segments reassembled</strong>: total connection-oriented client segments reassembled\r
+<strong>dce_smb.MS RPC/HTTP PDUs</strong>: total connection-oriented MS requests to send RPC over HTTP\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented faults</strong>: total connection-oriented faults\r
+<strong>dce_smb.Max outstanding requests</strong>: total smb maximum outstanding requests\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented orphaned</strong>: total connection-oriented orphaned\r
+<strong>dce_smb.Orphaned</strong>: total connection-oriented orphaned\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented other requests</strong>: total connection-oriented other requests\r
+<strong>dce_smb.Other requests</strong>: total connection-oriented other requests\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented other responses</strong>: total connection-oriented other responses\r
+<strong>dce_smb.Other responses</strong>: total connection-oriented other responses\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented rejects</strong>: total connection-oriented rejects\r
+<strong>dce_smb.PDUs</strong>: total connection-oriented PDUs\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented request fragments</strong>: total connection-oriented request fragments\r
+<strong>dce_smb.Packets</strong>: total smb packets\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented requests</strong>: total connection-oriented requests\r
+<strong>dce_smb.Rejects</strong>: total connection-oriented rejects\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented response fragments</strong>: total connection-oriented response fragments\r
+<strong>dce_smb.Request fragments</strong>: total connection-oriented request fragments\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented responses</strong>: total connection-oriented responses\r
+<strong>dce_smb.Requests</strong>: total connection-oriented requests\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented server fragments reassembled</strong>: total connection-oriented server fragments reassembled\r
+<strong>dce_smb.Response fragments</strong>: total connection-oriented response fragments\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented server maximum fragment size</strong>: connection-oriented server maximum fragment size\r
+<strong>dce_smb.Responses</strong>: total connection-oriented responses\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented server minimum fragment size</strong>: connection-oriented server minimum fragment size\r
+<strong>dce_smb.Server frags reassembled</strong>: total connection-oriented server fragments reassembled\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented server segments reassembled</strong>: total connection-oriented server segments reassembled\r
+<strong>dce_smb.Server max fragment size</strong>: connection-oriented server maximum fragment size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.connection-oriented shutdowns</strong>: total connection-oriented shutdowns\r
+<strong>dce_smb.Server min fragment size</strong>: connection-oriented server minimum fragment size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.events</strong>: total events\r
+<strong>dce_smb.Server segs reassembled</strong>: total connection-oriented server segments reassembled\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_smb.Server segs reassembled</strong>: total smb server segments reassembled\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.smb client segments reassembled</strong>: total smb client segments reassembled\r
+<strong>dce_smb.Sessions</strong>: total smb sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.smb files processed</strong>: total smb files processed\r
+<strong>dce_smb.Shutdowns</strong>: total connection-oriented shutdowns\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.smb maximum outstanding requests</strong>: total smb maximum outstanding requests\r
+<strong>dce_smb.aborted sessions</strong>: total aborted sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.smb packets</strong>: total smb packets\r
+<strong>dce_smb.bad autodetects</strong>: total bad autodetects\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.smb server segments reassembled</strong>: total smb server segments reassembled\r
+<strong>dce_smb.events</strong>: total events\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.smb sessions</strong>: total smb sessions\r
+<strong>dce_tcp.Alter context responses</strong>: total connection-oriented alter context responses\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.aborted sessions</strong>: total aborted sessions\r
+<strong>dce_tcp.Alter contexts</strong>: total connection-oriented alter contexts\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.bad autodetects</strong>: total bad autodetects\r
+<strong>dce_tcp.Auth3s</strong>: total connection-oriented auth3s\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented PDUs</strong>: total connection-oriented PDUs\r
+<strong>dce_tcp.Bind acks</strong>: total connection-oriented binds acks\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented alter context responses</strong>: total connection-oriented alter context responses\r
+<strong>dce_tcp.Bind naks</strong>: total connection-oriented bind naks\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented alter contexts</strong>: total connection-oriented alter contexts\r
+<strong>dce_tcp.Binds</strong>: total connection-oriented binds\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented auth3s</strong>: total connection-oriented auth3s\r
+<strong>dce_tcp.Cancels</strong>: total connection-oriented cancels\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented bind acks</strong>: total connection-oriented binds acks\r
+<strong>dce_tcp.Client frags reassembled</strong>: total connection-oriented client fragments reassembled\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented bind naks</strong>: total connection-oriented bind naks\r
+<strong>dce_tcp.Client max fragment size</strong>: connection-oriented client maximum fragment size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented binds</strong>: total connection-oriented binds\r
+<strong>dce_tcp.Client min fragment size</strong>: connection-oriented client minimum fragment size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented cancels</strong>: total connection-oriented cancels\r
+<strong>dce_tcp.Client segs reassembled</strong>: total connection-oriented client segments reassembled\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented client fragments reassembled</strong>: total connection-oriented client fragments reassembled\r
+<strong>dce_tcp.Faults</strong>: total connection-oriented faults\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented client maximum fragment size</strong>: connection-oriented client maximum fragment size\r
+<strong>dce_tcp.MS RPC/HTTP PDUs</strong>: total connection-oriented MS requests to send RPC over HTTP\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented client minimum fragment size</strong>: connection-oriented client minimum fragment size\r
+<strong>dce_tcp.Orphaned</strong>: total connection-oriented orphaned\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented client segments reassembled</strong>: total connection-oriented client segments reassembled\r
+<strong>dce_tcp.Other requests</strong>: total connection-oriented other requests\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented faults</strong>: total connection-oriented faults\r
+<strong>dce_tcp.Other responses</strong>: total connection-oriented other responses\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented orphaned</strong>: total connection-oriented orphaned\r
+<strong>dce_tcp.PDUs</strong>: total connection-oriented PDUs\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented other requests</strong>: total connection-oriented other requests\r
+<strong>dce_tcp.Rejects</strong>: total connection-oriented rejects\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented other responses</strong>: total connection-oriented other responses\r
+<strong>dce_tcp.Request fragments</strong>: total connection-oriented request fragments\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented rejects</strong>: total connection-oriented rejects\r
+<strong>dce_tcp.Requests</strong>: total connection-oriented requests\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented request fragments</strong>: total connection-oriented request fragments\r
+<strong>dce_tcp.Response fragments</strong>: total connection-oriented response fragments\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented requests</strong>: total connection-oriented requests\r
+<strong>dce_tcp.Responses</strong>: total connection-oriented responses\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented response fragments</strong>: total connection-oriented response fragments\r
+<strong>dce_tcp.Server frags reassembled</strong>: total connection-oriented server fragments reassembled\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented responses</strong>: total connection-oriented responses\r
+<strong>dce_tcp.Server max fragment size</strong>: connection-oriented server maximum fragment size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented server fragments reassembled</strong>: total connection-oriented server fragments reassembled\r
+<strong>dce_tcp.Server min fragment size</strong>: connection-oriented server minimum fragment size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented server maximum fragment size</strong>: connection-oriented server maximum fragment size\r
+<strong>dce_tcp.Server segs reassembled</strong>: total connection-oriented server segments reassembled\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented server minimum fragment size</strong>: connection-oriented server minimum fragment size\r
+<strong>dce_tcp.Shutdowns</strong>: total connection-oriented shutdowns\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented server segments reassembled</strong>: total connection-oriented server segments reassembled\r
+<strong>dce_tcp.aborted sessions</strong>: total aborted sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.connection-oriented shutdowns</strong>: total connection-oriented shutdowns\r
+<strong>dce_tcp.bad autodetects</strong>: total bad autodetects\r
</p>\r
</li>\r
<li>\r
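Review bot: the renamed dce_smb counters collide: `dce_smb.Client segs reassembled` appears twice (once "connection-oriented client segments reassembled", once "smb client segments reassembled") and so does `dce_smb.Server segs reassembled`. Two counters with the same name in one module cannot be told apart in stats output, so keep a distinguishing prefix for the SMB pair (for example "SMB client segs reassembled"). The typo "binds acks" from the old text is carried into the new `Bind acks` descriptions for both dce_smb and dce_tcp, and the new names mix capitalized (`Alter contexts`, `Faults`) and lower-case (`aborted sessions`, `events`) forms; lower-case throughout would match the rest of the counter list and sort predictably.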
</li>\r
<li>\r
<p>\r
-<strong>detection.cooked searches</strong>: fast pattern searches in cooked packet data\r
+<strong>detection.cooked searches</strong>: fast pattern searches in cooked packet data\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>detection.event limit</strong>: events filtered\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>detection.file searches</strong>: fast pattern searches in file buffer\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>detection.header searches</strong>: fast pattern searches in header buffer\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>detection.key searches</strong>: fast pattern searches in key buffer\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>detection.log limit</strong>: events queued but not logged\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>detection.logged</strong>: logged packets\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>detection.match limit</strong>: fast pattern matches not processed\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>detection.passed</strong>: passed packets\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>detection.pkt searches</strong>: fast pattern searches in packet data\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>detection.queue limit</strong>: events not queued because queue full\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>detection.raw searches</strong>: fast pattern searches in raw packet data\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>detection.slow searches</strong>: non-fast pattern rule evaluations\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>detection.total alerts</strong>: alerts including IP reputation\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dnp3.dnp3 application pdus</strong>: total dnp3 application pdus\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.event limit</strong>: events filtered\r
+<strong>dnp3.dnp3 link layer frames</strong>: total dnp3 link layer frames\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.file searches</strong>: fast pattern searches in file buffer\r
+<strong>dnp3.tcp pdus</strong>: total tcp pdus\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.header searches</strong>: fast pattern searches in header buffer\r
+<strong>dnp3.total packets</strong>: total packets\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.key searches</strong>: fast pattern searches in key buffer\r
+<strong>dnp3.udp packets</strong>: total udp packets\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.log limit</strong>: events queued but not logged\r
+<strong>dns.packets</strong>: total packets processed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.logged</strong>: logged packets\r
+<strong>dns.requests</strong>: total dns requests\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.match limit</strong>: fast pattern matches not processed\r
+<strong>dns.responses</strong>: total dns responses\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.passed</strong>: passed packets\r
+<strong>file_connector.messages</strong>: total messages\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.pkt searches</strong>: fast pattern searches in packet data\r
+<strong>file_log.total events</strong>: total file events\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.queue limit</strong>: events not queued because queue full\r
+<strong>ftp_data.packets</strong>: total packets\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.raw searches</strong>: fast pattern searches in raw packet data\r
+<strong>ftp_server.packets</strong>: total packets\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.slow searches</strong>: non-fast pattern rule evaluations\r
+<strong>gtp_inspect.events</strong>: requests\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.total alerts</strong>: alerts including IP reputation\r
+<strong>gtp_inspect.sessions</strong>: total sessions processed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dnp3.dnp3 application pdus</strong>: total dnp3 application pdus\r
+<strong>gtp_inspect.unknown infos</strong>: unknown information elements\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dnp3.dnp3 link layer frames</strong>: total dnp3 link layer frames\r
+<strong>gtp_inspect.unknown types</strong>: unknown message types\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dnp3.tcp pdus</strong>: total tcp pdus\r
+<strong>host_cache.lru cache adds</strong>: lru cache added new entry\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dnp3.total packets</strong>: total packets\r
+<strong>host_cache.lru cache clears</strong>: lru cache clear API calls\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dnp3.udp packets</strong>: total udp packets\r
+<strong>host_cache.lru cache find hits</strong>: lru cache found entry in cache\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dns.packets</strong>: total packets processed\r
+<strong>host_cache.lru cache find misses</strong>: lru cache did not find entry in cache\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dns.requests</strong>: total dns requests\r
+<strong>host_cache.lru cache prunes</strong>: lru cache pruned entry to make space for new entry\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dns.responses</strong>: total dns responses\r
+<strong>host_cache.lru cache removes</strong>: lru cache found entry and removed it\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dpx.packets</strong>: total packets\r
+<strong>host_cache.lru cache replaces</strong>: lru cache replaced existing entry\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ftp_data.packets</strong>: total packets\r
+<strong>host_tracker.service adds</strong>: host service adds\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ftp_server.packets</strong>: total packets\r
+<strong>host_tracker.service finds</strong>: host service finds\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>gtp_inspect.events</strong>: requests\r
+<strong>host_tracker.service removes</strong>: host service removes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>gtp_inspect.sessions</strong>: total sessions processed\r
+<strong>http_inspect.CONNECT requests</strong>: CONNECT requests inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>gtp_inspect.unknown infos</strong>: unknown information elements\r
+<strong>http_inspect.DELETE requests</strong>: DELETE requests inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>gtp_inspect.unknown types</strong>: unknown message types\r
+<strong>http_inspect.GET requests</strong>: GET requests inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_global.compressed bytes</strong>: total comparessed bytes processed\r
+<strong>http_inspect.HEAD requests</strong>: HEAD requests inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_global.decompressed bytes</strong>: total bytes decompressed\r
+<strong>http_inspect.OPTIONS requests</strong>: OPTIONS requests inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_global.double unicode</strong>: double unicode normalizations\r
+<strong>http_inspect.POST requests</strong>: POST requests inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_global.gets</strong>: GET requests\r
+<strong>http_inspect.PUT requests</strong>: PUT requests inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_global.gzip packets</strong>: packets with gzip compression\r
+<strong>http_inspect.TRACE requests</strong>: TRACE requests inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_global.non-ascii</strong>: non-ascii normalizations\r
+<strong>http_inspect.URI coding</strong>: URIs with character coding problems\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_global.packets</strong>: total packets processed\r
+<strong>http_inspect.URI normalizations</strong>: URIs needing to be normalization\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_global.paths with ../</strong>: directory traversal normalizations\r
+<strong>http_inspect.URI path</strong>: URIs with path problems\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_global.paths with ./</strong>: relative directory normalizations\r
+<strong>http_inspect.chunked</strong>: chunked message bodies\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_global.paths with //</strong>: double slash normalizations\r
+<strong>http_inspect.flows</strong>: HTTP connections inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_global.post params</strong>: POST parameters extracted\r
+<strong>http_inspect.inspections</strong>: total message sections inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_global.posts</strong>: POST requests\r
+<strong>http_inspect.other requests</strong>: other request methods inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_global.request cookies</strong>: requests with Cookie\r
+<strong>http_inspect.reassembles</strong>: TCP segments combined into HTTP messages\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_global.request headers</strong>: total requests\r
+<strong>http_inspect.request bodies</strong>: POST, PUT, and other requests with message bodies\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_global.response cookies</strong>: responses with Set-Cookie\r
+<strong>http_inspect.requests</strong>: HTTP request messages inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_global.response headers</strong>: total responses\r
+<strong>http_inspect.responses</strong>: HTTP response messages inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_global.unicode</strong>: unicode normalizations\r
+<strong>http_inspect.scans</strong>: TCP segments scanned looking for HTTP messages\r
</p>\r
</li>\r
<li>\r
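Review bot: the first pair of lines in this hunk replaces `detection.cooked searches` with an identical line, so the change is whitespace or line-ending only; drop it if it is unintended. In the new http_inspect text, "URIs needing to be normalization" should read "URIs needing normalization". Further down, `dpx.packets` is removed and the `http_global.*` counters (directory traversal, double slash, unicode and double unicode normalizations) disappear in favour of the coarser `http_inspect.URI path`, `URI coding` and `URI normalizations`; the release notes should say that the per-evasion-type breakdown is gone, since people who tracked `paths with ../` as a signal will look for it.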
</li>\r
<li>\r
<p>\r
+<strong>latency.packet_timeouts</strong>: packets that timed out\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>latency.rule_eval_timeouts</strong>: rule evals that timed out\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>latency.rule_tree_enables</strong>: rule tree re-enables\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>latency.total_packets</strong>: total packets monitored\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>latency.total_rule_evals</strong>: total rule evals monitored\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>modbus.frames</strong>: total Modbus messages\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>packet_capture.captured</strong>: packets matching dumped after matching filter\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>packet_capture.processed</strong>: packets processed against filter\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>perf_monitor.packets</strong>: total packets\r
</p>\r
</li>\r
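Review bot: the description of `packet_capture.captured` reads "packets matching dumped after matching filter", which is garbled; "packets dumped after matching the filter" says what the counter tracks and pairs cleanly with `packet_capture.processed` ("packets processed against filter"). Reading the two together is how an operator confirms the capture filter is actually selective before leaving it enabled on a busy sensor, so the wording should make the relationship obvious.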
</li>\r
<li>\r
<p>\r
+<strong>sd_pattern.below threshold</strong>: sd_pattern matched but missed threshold\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>sd_pattern.pattern not found</strong>: sd_pattern did not not match\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>sd_pattern.terminated</strong>: hyperscan terminated\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>search_engine.max queued</strong>: maximum fast pattern matches queued for further evaluation\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>search_engine.non-qualified events</strong>: total non-qualified events\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>search_engine.qualified events</strong>: total qualified events\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>search_engine.total flushed</strong>: fast pattern matches discarded due to overflow\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>search_engine.total inserts</strong>: total fast pattern hits\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>search_engine.total unique</strong>: total unique fast pattern hits\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>sip.1xx</strong>: 1xx\r
</p>\r
</li>\r
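Review bot: `sd_pattern.pattern not found` is described as "sd_pattern did not not match"; drop the duplicated "not". In the same hunk, `sd_pattern.terminated: hyperscan terminated` does not say what terminated or why; if it counts scans that hyperscan stopped early (for example because the match callback requested termination), say so, since an operator watching the counter climb otherwise cannot tell an error from a normal early exit. It would also help to state whether `search_engine.total flushed` (fast pattern matches discarded due to overflow) is bounded by `search_engine.max queued`, because discarded fast-pattern hits are rules that were never evaluated, which is worth monitoring on its own.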
</li>\r
<li>\r
<p>\r
+<strong>stream.file excess prunes</strong>: file sessions pruned due to excess\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>stream.file flows</strong>: total file sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.file prunes</strong>: file sessions pruned\r
+<strong>stream.file memcap prunes</strong>: file sessions pruned due to memcap\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.file preemptive prunes</strong>: file sessions pruned during preemptive pruning\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.file timeout prunes</strong>: file sessions pruned due to timeout\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.file total prunes</strong>: total file sessions pruned\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.file uni prunes</strong>: file uni sessions pruned\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.file user prunes</strong>: file sessions pruned for other reasons\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.icmp excess prunes</strong>: icmp sessions pruned due to excess\r
</p>\r
</li>\r
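Review bot: the `stream.file uni prunes` description, "file uni sessions pruned", leaves "uni" unexpanded; if these are unidirectional sessions (traffic seen in one direction only), spell that out, as the same abbreviation recurs for the icmp, ip, tcp, udp and user variants below. Splitting the old single `stream.file prunes` counter into excess, memcap, preemptive, timeout, uni and user prunes is useful, but the text should say whether `stream.file total prunes` is the sum of the others, since memcap and excess prunes are the ones that tell an operator the sensor is being starved of flow-tracking capacity under load.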
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp prunes</strong>: icmp sessions pruned\r
+<strong>stream.icmp memcap prunes</strong>: icmp sessions pruned due to memcap\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.icmp preemptive prunes</strong>: icmp sessions pruned during preemptive pruning\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.icmp timeout prunes</strong>: icmp sessions pruned due to timeout\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.icmp total prunes</strong>: total icmp sessions pruned\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.icmp uni prunes</strong>: icmp uni sessions pruned\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.icmp user prunes</strong>: icmp sessions pruned for other reasons\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.ip excess prunes</strong>: ip sessions pruned due to excess\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip prunes</strong>: ip sessions pruned\r
+<strong>stream.ip memcap prunes</strong>: ip sessions pruned due to memcap\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.ip preemptive prunes</strong>: ip sessions pruned during preemptive pruning\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.ip timeout prunes</strong>: ip sessions pruned due to timeout\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.ip total prunes</strong>: total ip sessions pruned\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.ip uni prunes</strong>: ip uni sessions pruned\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.ip user prunes</strong>: ip sessions pruned for other reasons\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.tcp excess prunes</strong>: tcp sessions pruned due to excess\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp prunes</strong>: tcp sessions pruned\r
+<strong>stream.tcp memcap prunes</strong>: tcp sessions pruned due to memcap\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.tcp preemptive prunes</strong>: tcp sessions pruned during preemptive pruning\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.tcp timeout prunes</strong>: tcp sessions pruned due to timeout\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.tcp total prunes</strong>: total tcp sessions pruned\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.tcp uni prunes</strong>: tcp uni sessions pruned\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.tcp user prunes</strong>: tcp sessions pruned for other reasons\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.udp excess prunes</strong>: udp sessions pruned due to excess\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp prunes</strong>: udp sessions pruned\r
+<strong>stream.udp memcap prunes</strong>: udp sessions pruned due to memcap\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.udp preemptive prunes</strong>: udp sessions pruned during preemptive pruning\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.udp timeout prunes</strong>: udp sessions pruned due to timeout\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.udp total prunes</strong>: total udp sessions pruned\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.udp uni prunes</strong>: udp uni sessions pruned\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.udp user prunes</strong>: udp sessions pruned for other reasons\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.user excess prunes</strong>: user sessions pruned due to excess\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user prunes</strong>: user sessions pruned\r
+<strong>stream.user memcap prunes</strong>: user sessions pruned due to memcap\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.user preemptive prunes</strong>: user sessions pruned during preemptive pruning\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.user timeout prunes</strong>: user sessions pruned due to timeout\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.user total prunes</strong>: total user sessions pruned\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.user uni prunes</strong>: user uni sessions pruned\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.user user prunes</strong>: user sessions pruned for other reasons\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.max frags</strong>: max fragments\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.max</strong>: max ip sessions\r
+<strong>stream_ip.max frags</strong>: max fragments\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.memory faults</strong>: memory faults\r
+<strong>stream_ip.max</strong>: max ip sessions\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.faults</strong>: number of times a new segment triggered a prune\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>stream_tcp.gaps</strong>: missing data between PDUs\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>116</strong>: eapol\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>116</strong>: erspan2\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>116</strong>: token_ring\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>116</strong>: udp\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>116</strong>: wlan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119</strong>: http_global\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>120</strong>: http_inspect\r
+<strong>119</strong>: http_inspect\r
</p>\r
</li>\r
<li>\r
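Review bot: this hunk renumbers http_inspect from gid 120 to gid 119 while removing the http_global entries that previously used 119 (the sid mapping later in this diff moves the old 120:1 through 120:17 events to 119:35 through 119:51 and reassigns 119:1 through 119:34 to http_inspect). Any event_filter, suppress or threshold keyed on gid 120, or written against the old meaning of a 119:n sid, silently changes behaviour after the upgrade, so the documentation should carry a migration note next to this list rather than leaving the reader to infer it.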
</li>\r
<li>\r
<p>\r
-<strong>134</strong>: ppm\r
+<strong>133</strong>: dce_smb\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>136</strong>: reputation\r
+<strong>133</strong>: dce_tcp\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>137</strong>: ssl\r
+<strong>134</strong>: latency\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140</strong>: sip\r
+<strong>136</strong>: reputation\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>141</strong>: imap\r
+<strong>137</strong>: ssl\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>142</strong>: pop\r
+<strong>140</strong>: sip\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>143</strong>: gtp_inspect\r
+<strong>141</strong>: imap\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>144</strong>: modbus\r
+<strong>142</strong>: pop\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145</strong>: dce_smb\r
+<strong>143</strong>: gtp_inspect\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145</strong>: dce_tcp\r
+<strong>144</strong>: modbus\r
</p>\r
</li>\r
<li>\r
<strong>145</strong>: dnp3\r
</p>\r
</li>\r
-<li>\r
-<p>\r
-<strong>219</strong>: new_http_inspect\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>256</strong>: dpx\r
-</p>\r
-</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
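Review bot: `dce_smb` and `dce_tcp` both move from gid 145 to gid 133, and `latency` takes gid 134, which `ppm` used previously (its 134:1 to 134:3 events are dropped further down in this diff). Two inspectors sharing one gid matches the earlier 145 entries, but the list should state which of them emits which sids, and the reuse of 134 needs the same migration note as the http_inspect renumbering, since a suppression written for ppm events will now apply to latency events. The removal of `219: new_http_inspect` and `256: dpx` from the gid list also goes unmentioned.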
</li>\r
<li>\r
<p>\r
-<strong>116:110</strong> (eapol) truncated EAP header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:111</strong> (eapol) EAP key truncated\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:112</strong> (eapol) EAP header truncated\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>116:120</strong> (pppoe) bad PPPOE frame detected\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>116:133</strong> (wlan) bad 802.11 LLC header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:134</strong> (wlan) bad 802.11 extra LLC info\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:140</strong> (token_ring) (token_ring) Bad Token Ring Header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:141</strong> (token_ring) (token_ring) Bad Token Ring ETHLLC Header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:142</strong> (token_ring) (token_ring) Bad Token Ring MRLENHeader\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:143</strong> (token_ring) (token_ring) Bad Token Ring MR Header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>116:150</strong> (decode) bad traffic loopback IP\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>119:1</strong> (http_global) ascii encoding\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:2</strong> (http_global) double decoding attack\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:3</strong> (http_global) u encoding\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:4</strong> (http_global) bare byte unicode encoding\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:5</strong> (http_global) base36 encoding\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:6</strong> (http_global) UTF-8 encoding\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:7</strong> (http_global) IIS unicode codepoint encoding\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:8</strong> (http_global) multi_slash encoding\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:9</strong> (http_global) IIS backslash evasion\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:10</strong> (http_global) self directory traversal\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:11</strong> (http_global) directory traversal\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:12</strong> (http_global) apache whitespace (tab)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:13</strong> (http_global) non-RFC http delimiter\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:14</strong> (http_global) non-RFC defined char\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:15</strong> (http_global) oversize request-URI directory\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:16</strong> (http_global) oversize chunk encoding\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:17</strong> (http_global) unauthorized proxy use detected\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:18</strong> (http_global) webroot directory traversal\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:19</strong> (http_global) long header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:20</strong> (http_global) max header fields\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:21</strong> (http_global) multiple content length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:22</strong> (http_global) chunk size mismatch detected\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:23</strong> (http_global) invalid ip in true-client-IP/XFF header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:24</strong> (http_global) multiple host hdrs detected\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:25</strong> (http_global) hostname exceeds 255 characters\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:26</strong> (http_global) header parsing space saturation\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:27</strong> (http_global) client consecutive small chunk sizes\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:28</strong> (http_global) post w/o content-length or chunks\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:29</strong> (http_global) multiple true IPs in a session\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:30</strong> (http_global) both true-client-IP and XFF hdrs present\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:31</strong> (http_global) unknown method\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:32</strong> (http_global) simple request\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:33</strong> (http_global) unescaped space in http URI\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:34</strong> (http_global) too many pipelined requests\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>120:1</strong> (http_inspect) anomalous http server on undefined HTTP port\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>120:2</strong> (http_inspect) invalid status code in HTTP response\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>120:3</strong> (http_inspect) no content-length or transfer-encoding in HTTP response\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>120:4</strong> (http_inspect) HTTP response has UTF charset which failed to normalize\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>120:5</strong> (http_inspect) HTTP response has UTF-7 charset\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>120:6</strong> (http_inspect) HTTP response gzip decompression failed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>120:7</strong> (http_inspect) server consecutive small chunk sizes\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>120:8</strong> (http_inspect) invalid content-length or chunk size\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>120:9</strong> (http_inspect) javascript obfuscation levels exceeds 1\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>120:10</strong> (http_inspect) javascript whitespaces exceeds max allowed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>120:11</strong> (http_inspect) multiple encodings within javascript obfuscated data\r
+<strong>119:1</strong> (http_inspect) ascii encoding\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>120:12</strong> (http_inspect) HTTP response SWF file zlib decompression failure\r
+<strong>119:2</strong> (http_inspect) double decoding attack\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>120:13</strong> (http_inspect) HTTP response SWF file LZMA decompression failure\r
+<strong>119:3</strong> (http_inspect) u encoding\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>120:14</strong> (http_inspect) HTTP response PDF file deflate decompression failure\r
+<strong>119:4</strong> (http_inspect) bare byte unicode encoding\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>120:15</strong> (http_inspect) HTTP response PDF file unsupported compression type\r
+<strong>119:5</strong> (http_inspect) obsolete event—should not appear\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>120:16</strong> (http_inspect) HTTP response PDF file cascaded compression\r
+<strong>119:6</strong> (http_inspect) UTF-8 encoding\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>120:17</strong> (http_inspect) HTTP response PDF file parse failure\r
+<strong>119:7</strong> (http_inspect) IIS unicode codepoint encoding\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:1</strong> (port_scan) TCP portscan\r
+<strong>119:8</strong> (http_inspect) multi_slash encoding\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:2</strong> (port_scan) TCP decoy portscan\r
+<strong>119:9</strong> (http_inspect) IIS backslash evasion\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:3</strong> (port_scan) TCP portsweep\r
+<strong>119:10</strong> (http_inspect) self directory traversal\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:4</strong> (port_scan) TCP distributed portscan\r
+<strong>119:11</strong> (http_inspect) directory traversal\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:5</strong> (port_scan) TCP filtered portscan\r
+<strong>119:12</strong> (http_inspect) apache whitespace (tab)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:6</strong> (port_scan) TCP filtered decoy portscan\r
+<strong>119:13</strong> (http_inspect) non-RFC http delimiter\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:7</strong> (port_scan) TCP filtered portsweep\r
+<strong>119:14</strong> (http_inspect) non-RFC defined char\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:8</strong> (port_scan) TCP filtered distributed portscan\r
+<strong>119:15</strong> (http_inspect) oversize request-uri directory\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:9</strong> (port_scan) IP protocol scan\r
+<strong>119:16</strong> (http_inspect) oversize chunk encoding\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:10</strong> (port_scan) IP decoy protocol scan\r
+<strong>119:17</strong> (http_inspect) unauthorized proxy use detected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:11</strong> (port_scan) IP protocol sweep\r
+<strong>119:18</strong> (http_inspect) webroot directory traversal\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:12</strong> (port_scan) IP distributed protocol scan\r
+<strong>119:19</strong> (http_inspect) long header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:13</strong> (port_scan) IP filtered protocol scan\r
+<strong>119:20</strong> (http_inspect) max header fields\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:14</strong> (port_scan) IP filtered decoy protocol scan\r
+<strong>119:21</strong> (http_inspect) multiple content length\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:15</strong> (port_scan) IP filtered protocol sweep\r
+<strong>119:22</strong> (http_inspect) chunk size mismatch detected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:16</strong> (port_scan) IP filtered distributed protocol scan\r
+<strong>119:23</strong> (http_inspect) invalid IP in true-client-IP/XFF header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:17</strong> (port_scan) UDP portscan\r
+<strong>119:24</strong> (http_inspect) multiple host hdrs detected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:18</strong> (port_scan) UDP decoy portscan\r
+<strong>119:25</strong> (http_inspect) hostname exceeds 255 characters\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:19</strong> (port_scan) UDP portsweep\r
+<strong>119:26</strong> (http_inspect) header parsing space saturation\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:20</strong> (port_scan) UDP distributed portscan\r
+<strong>119:27</strong> (http_inspect) client consecutive small chunk sizes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:21</strong> (port_scan) UDP filtered portscan\r
+<strong>119:28</strong> (http_inspect) post w/o content-length or chunks\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:22</strong> (port_scan) UDP filtered decoy portscan\r
+<strong>119:29</strong> (http_inspect) multiple true ips in a session\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:23</strong> (port_scan) UDP filtered portsweep\r
+<strong>119:30</strong> (http_inspect) both true-client-IP and XFF hdrs present\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:24</strong> (port_scan) UDP filtered distributed portscan\r
+<strong>119:31</strong> (http_inspect) unknown method\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:25</strong> (port_scan) ICMP sweep\r
+<strong>119:32</strong> (http_inspect) simple request\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:26</strong> (port_scan) ICMP filtered sweep\r
+<strong>119:33</strong> (http_inspect) unescaped space in HTTP URI\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>122:27</strong> (port_scan) open port\r
+<strong>119:34</strong> (http_inspect) too many pipelined requests\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>123:1</strong> (stream_ip) inconsistent IP options on fragmented packets\r
+<strong>119:35</strong> (http_inspect) anomalous http server on undefined HTTP port\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>123:2</strong> (stream_ip) teardrop attack\r
+<strong>119:36</strong> (http_inspect) invalid status code in HTTP response\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>123:3</strong> (stream_ip) short fragment, possible DOS attempt\r
+<strong>119:37</strong> (http_inspect) no content-length or transfer-encoding in HTTP response\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>123:4</strong> (stream_ip) fragment packet ends after defragmented packet\r
+<strong>119:38</strong> (http_inspect) HTTP response has UTF charset which failed to normalize\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>123:5</strong> (stream_ip) zero-byte fragment packet\r
+<strong>119:39</strong> (http_inspect) HTTP response has UTF-7 charset\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>123:6</strong> (stream_ip) bad fragment size, packet size is negative\r
+<strong>119:40</strong> (http_inspect) HTTP response gzip decompression failed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>123:7</strong> (stream_ip) bad fragment size, packet size is greater than 65536\r
+<strong>119:41</strong> (http_inspect) server consecutive small chunk sizes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>123:8</strong> (stream_ip) fragmentation overlap\r
+<strong>119:42</strong> (http_inspect) invalid content-length or chunk size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>123:11</strong> (stream_ip) TTL value less than configured minimum, not using for reassembly\r
+<strong>119:43</strong> (http_inspect) javascript obfuscation levels exceeds 1\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>123:12</strong> (stream_ip) excessive fragment overlap\r
+<strong>119:44</strong> (http_inspect) javascript whitespaces exceeds max allowed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>123:13</strong> (stream_ip) tiny fragment\r
+<strong>119:45</strong> (http_inspect) multiple encodings within javascript obfuscated data\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:1</strong> (smtp) Attempted command buffer overflow\r
+<strong>119:46</strong> (http_inspect) SWF file zlib decompression failure\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:2</strong> (smtp) Attempted data header buffer overflow\r
+<strong>119:47</strong> (http_inspect) SWF file LZMA decompression failure\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:3</strong> (smtp) Attempted response buffer overflow\r
+<strong>119:48</strong> (http_inspect) PDF file deflate decompression failure\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:4</strong> (smtp) Attempted specific command buffer overflow\r
+<strong>119:49</strong> (http_inspect) PDF file unsupported compression type\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:5</strong> (smtp) Unknown command\r
+<strong>119:50</strong> (http_inspect) PDF file cascaded compression\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:6</strong> (smtp) Illegal command\r
+<strong>119:51</strong> (http_inspect) PDF file parse failure\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:7</strong> (smtp) Attempted header name buffer overflow\r
+<strong>119:52</strong> (http_inspect) Not HTTP traffic\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:8</strong> (smtp) Attempted X-Link2State command buffer overflow\r
+<strong>119:53</strong> (http_inspect) Chunk length has excessive leading zeros\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:10</strong> (smtp) Base64 Decoding failed.\r
+<strong>119:54</strong> (http_inspect) White space before or between messages\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:11</strong> (smtp) Quoted-Printable Decoding failed.\r
+<strong>119:55</strong> (http_inspect) Request message without URI\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:13</strong> (smtp) Unix-to-Unix Decoding failed.\r
+<strong>119:56</strong> (http_inspect) Control character in reason phrase\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>124:14</strong> (smtp) Cyrus SASL authentication attack.\r
+<strong>119:57</strong> (http_inspect) Illegal extra whitespace in start line\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>125:1</strong> (ftp_server) TELNET cmd on FTP command channel\r
+<strong>119:58</strong> (http_inspect) Corrupted HTTP version\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>125:2</strong> (ftp_server) invalid FTP command\r
+<strong>119:59</strong> (http_inspect) Unknown HTTP version\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>125:3</strong> (ftp_server) FTP command parameters were too long\r
+<strong>119:60</strong> (http_inspect) Format error in HTTP header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>125:4</strong> (ftp_server) FTP command parameters were malformed\r
+<strong>119:61</strong> (http_inspect) Chunk header options present\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>125:5</strong> (ftp_server) FTP command parameters contained potential string format\r
+<strong>119:62</strong> (http_inspect) URI badly formatted\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>125:6</strong> (ftp_server) FTP response message was too long\r
+<strong>119:63</strong> (http_inspect) Unrecognized type of percent encoding in URI\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>125:7</strong> (ftp_server) FTP traffic encrypted\r
+<strong>119:64</strong> (http_inspect) HTTP chunk misformatted\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>125:8</strong> (ftp_server) FTP bounce attempt\r
+<strong>119:65</strong> (http_inspect) White space following chunk length\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>125:9</strong> (ftp_server) evasive (incomplete) TELNET cmd on FTP command channel\r
+<strong>119:67</strong> (http_inspect) Excessive gzip compression\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>126:1</strong> (telnet) consecutive telnet AYT commands beyond threshold\r
+<strong>119:68</strong> (http_inspect) Gzip decompression failed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>126:2</strong> (telnet) telnet traffic encrypted\r
+<strong>119:69</strong> (http_inspect) HTTP 0.9 requested followed by another request\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>126:3</strong> (telnet) telnet subnegotiation begin command without subnegotiation end\r
+<strong>119:70</strong> (http_inspect) HTTP 0.9 request following a normal request\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>128:1</strong> (ssh) Challenge-Response Overflow exploit\r
+<strong>119:71</strong> (http_inspect) Message has both Content-Length and Transfer-Encoding\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>128:2</strong> (ssh) SSH1 CRC32 exploit\r
+<strong>119:72</strong> (http_inspect) Status code implying no body combined with Transfer-Encoding or nonzero Content-Length\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>128:3</strong> (ssh) Server version string overflow\r
+<strong>119:73</strong> (http_inspect) Transfer-Encoding did not end with chunked\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>128:5</strong> (ssh) Bad message direction\r
+<strong>119:74</strong> (http_inspect) Transfer-Encoding with chunked not at end\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>128:6</strong> (ssh) Payload size incorrect for the given payload\r
+<strong>119:75</strong> (http_inspect) Misformatted HTTP traffic\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>128:7</strong> (ssh) Failed to detect SSH version string\r
+<strong>122:1</strong> (port_scan) TCP portscan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>129:1</strong> (stream_tcp) SYN on established session\r
+<strong>122:2</strong> (port_scan) TCP decoy portscan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>129:2</strong> (stream_tcp) data on SYN packet\r
+<strong>122:3</strong> (port_scan) TCP portsweep\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>129:3</strong> (stream_tcp) data sent on stream not accepting data\r
+<strong>122:4</strong> (port_scan) TCP distributed portscan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>129:4</strong> (stream_tcp) TCP timestamp is outside of PAWS window\r
+<strong>122:5</strong> (port_scan) TCP filtered portscan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>129:5</strong> (stream_tcp) bad segment, adjusted size ⇐ 0\r
+<strong>122:6</strong> (port_scan) TCP filtered decoy portscan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>129:6</strong> (stream_tcp) window size (after scaling) larger than policy allows\r
+<strong>122:7</strong> (port_scan) TCP filtered portsweep\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>129:7</strong> (stream_tcp) limit on number of overlapping TCP packets reached\r
+<strong>122:8</strong> (port_scan) TCP filtered distributed portscan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>129:8</strong> (stream_tcp) data sent on stream after TCP Reset sent\r
+<strong>122:9</strong> (port_scan) IP protocol scan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>129:9</strong> (stream_tcp) TCP client possibly hijacked, different ethernet address\r
+<strong>122:10</strong> (port_scan) IP decoy protocol scan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>129:10</strong> (stream_tcp) TCP Server possibly hijacked, different ethernet address\r
+<strong>122:11</strong> (port_scan) IP protocol sweep\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>129:11</strong> (stream_tcp) TCP data with no TCP flags set\r
+<strong>122:12</strong> (port_scan) IP distributed protocol scan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>129:12</strong> (stream_tcp) consecutive TCP small segments exceeding threshold\r
+<strong>122:13</strong> (port_scan) IP filtered protocol scan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>129:13</strong> (stream_tcp) 4-way handshake detected\r
+<strong>122:14</strong> (port_scan) IP filtered decoy protocol scan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>129:14</strong> (stream_tcp) TCP timestamp is missing\r
+<strong>122:15</strong> (port_scan) IP filtered protocol sweep\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>129:15</strong> (stream_tcp) reset outside window\r
+<strong>122:16</strong> (port_scan) IP filtered distributed protocol scan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>129:16</strong> (stream_tcp) FIN number is greater than prior FIN\r
+<strong>122:17</strong> (port_scan) UDP portscan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>129:17</strong> (stream_tcp) ACK number is greater than prior FIN\r
+<strong>122:18</strong> (port_scan) UDP decoy portscan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>129:18</strong> (stream_tcp) data sent on stream after TCP Reset received\r
+<strong>122:19</strong> (port_scan) UDP portsweep\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>129:19</strong> (stream_tcp) TCP window closed before receiving data\r
+<strong>122:20</strong> (port_scan) UDP distributed portscan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>129:20</strong> (stream_tcp) TCP session without 3-way handshake\r
+<strong>122:21</strong> (port_scan) UDP filtered portscan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>131:1</strong> (dns) Obsolete DNS RR Types\r
+<strong>122:22</strong> (port_scan) UDP filtered decoy portscan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>131:2</strong> (dns) Experimental DNS RR Types\r
+<strong>122:23</strong> (port_scan) UDP filtered portsweep\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>131:3</strong> (dns) DNS Client rdata txt Overflow\r
+<strong>122:24</strong> (port_scan) UDP filtered distributed portscan\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>134:1</strong> (ppm) rule options disabled by rule latency\r
+<strong>122:25</strong> (port_scan) ICMP sweep\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>134:2</strong> (ppm) rule options re-enabled by rule latency\r
+<strong>122:26</strong> (port_scan) ICMP filtered sweep\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>134:3</strong> (ppm) packet aborted due to latency\r
+<strong>122:27</strong> (port_scan) open port\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>136:1</strong> (reputation) packets blacklisted\r
+<strong>123:1</strong> (stream_ip) inconsistent IP options on fragmented packets\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>136:2</strong> (reputation) Packets whitelisted\r
+<strong>123:2</strong> (stream_ip) teardrop attack\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>136:3</strong> (reputation) Packets monitored\r
+<strong>123:3</strong> (stream_ip) short fragment, possible DOS attempt\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>137:1</strong> (ssl) Invalid Client HELLO after Server HELLO Detected\r
+<strong>123:4</strong> (stream_ip) fragment packet ends after defragmented packet\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>137:2</strong> (ssl) Invalid Server HELLO without Client HELLO Detected\r
+<strong>123:5</strong> (stream_ip) zero-byte fragment packet\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>137:3</strong> (ssl) Heartbeat Read Overrun Attempt Detected\r
+<strong>123:6</strong> (stream_ip) bad fragment size, packet size is negative\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>137:4</strong> (ssl) Large Heartbeat Response Detected\r
+<strong>123:7</strong> (stream_ip) bad fragment size, packet size is greater than 65536\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:1</strong> (sip) Maximum sessions reached\r
+<strong>123:8</strong> (stream_ip) fragmentation overlap\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:2</strong> (sip) Empty request URI\r
+<strong>123:11</strong> (stream_ip) TTL value less than configured minimum, not using for reassembly\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:3</strong> (sip) URI is too long\r
+<strong>123:12</strong> (stream_ip) excessive fragment overlap\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:4</strong> (sip) Empty call-Id\r
+<strong>123:13</strong> (stream_ip) tiny fragment\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:5</strong> (sip) Call-Id is too long\r
+<strong>124:1</strong> (smtp) Attempted command buffer overflow\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:6</strong> (sip) CSeq number is too large or negative\r
+<strong>124:2</strong> (smtp) Attempted data header buffer overflow\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:7</strong> (sip) Request name in CSeq is too long\r
+<strong>124:3</strong> (smtp) Attempted response buffer overflow\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:8</strong> (sip) Empty From header\r
+<strong>124:4</strong> (smtp) Attempted specific command buffer overflow\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:9</strong> (sip) From header is too long\r
+<strong>124:5</strong> (smtp) Unknown command\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:10</strong> (sip) Empty To header\r
+<strong>124:6</strong> (smtp) Illegal command\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:11</strong> (sip) To header is too long\r
+<strong>124:7</strong> (smtp) Attempted header name buffer overflow\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:12</strong> (sip) Empty Via header\r
+<strong>124:8</strong> (smtp) Attempted X-Link2State command buffer overflow\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:13</strong> (sip) Via header is too long\r
+<strong>124:10</strong> (smtp) Base64 Decoding failed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:14</strong> (sip) Empty Contact\r
+<strong>124:11</strong> (smtp) Quoted-Printable Decoding failed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:15</strong> (sip) Contact is too long\r
+<strong>124:13</strong> (smtp) Unix-to-Unix Decoding failed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:16</strong> (sip) Content length is too large or negative\r
+<strong>124:14</strong> (smtp) Cyrus SASL authentication attack\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:17</strong> (sip) Multiple SIP messages in a packet\r
+<strong>124:15</strong> (smtp) Attempted authentication command buffer overflow\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:18</strong> (sip) Content length mismatch\r
+<strong>125:1</strong> (ftp_server) TELNET cmd on FTP command channel\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:19</strong> (sip) Request name is invalid\r
+<strong>125:2</strong> (ftp_server) invalid FTP command\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:20</strong> (sip) Invite replay attack\r
+<strong>125:3</strong> (ftp_server) FTP command parameters were too long\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:21</strong> (sip) Illegal session information modification\r
+<strong>125:4</strong> (ftp_server) FTP command parameters were malformed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:22</strong> (sip) Response status code is not a 3 digit number\r
+<strong>125:5</strong> (ftp_server) FTP command parameters contained potential string format\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:23</strong> (sip) Empty Content-type header\r
+<strong>125:6</strong> (ftp_server) FTP response message was too long\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:24</strong> (sip) SIP version is invalid\r
+<strong>125:7</strong> (ftp_server) FTP traffic encrypted\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:25</strong> (sip) Mismatch in METHOD of request and the CSEQ header\r
+<strong>125:8</strong> (ftp_server) FTP bounce attempt\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:26</strong> (sip) Method is unknown\r
+<strong>125:9</strong> (ftp_server) evasive (incomplete) TELNET cmd on FTP command channel\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>140:27</strong> (sip) Maximum dialogs within a session reached\r
+<strong>126:1</strong> (telnet) consecutive telnet AYT commands beyond threshold\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>141:1</strong> (imap) Unknown IMAP3 command\r
+<strong>126:2</strong> (telnet) telnet traffic encrypted\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>141:2</strong> (imap) Unknown IMAP3 response\r
+<strong>126:3</strong> (telnet) telnet subnegotiation begin command without subnegotiation end\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>141:4</strong> (imap) Base64 Decoding failed.\r
+<strong>128:1</strong> (ssh) Challenge-Response Overflow exploit\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>141:5</strong> (imap) Quoted-Printable Decoding failed.\r
+<strong>128:2</strong> (ssh) SSH1 CRC32 exploit\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>141:7</strong> (imap) Unix-to-Unix Decoding failed.\r
+<strong>128:3</strong> (ssh) Server version string overflow\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>142:1</strong> (pop) Unknown POP3 command\r
+<strong>128:5</strong> (ssh) Bad message direction\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>142:2</strong> (pop) Unknown POP3 response\r
+<strong>128:6</strong> (ssh) Payload size incorrect for the given payload\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>142:4</strong> (pop) Base64 Decoding failed.\r
+<strong>128:7</strong> (ssh) Failed to detect SSH version string\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>142:5</strong> (pop) Quoted-Printable Decoding failed.\r
+<strong>129:1</strong> (stream_tcp) SYN on established session\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>142:7</strong> (pop) Unix-to-Unix Decoding failed.\r
+<strong>129:2</strong> (stream_tcp) data on SYN packet\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>143:1</strong> (gtp_inspect) message length is invalid\r
+<strong>129:3</strong> (stream_tcp) data sent on stream not accepting data\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>143:2</strong> (gtp_inspect) information element length is invalid\r
+<strong>129:4</strong> (stream_tcp) TCP timestamp is outside of PAWS window\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>143:3</strong> (gtp_inspect) information elements are out of order\r
+<strong>129:5</strong> (stream_tcp) bad segment, adjusted size ⇐ 0\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>144:1</strong> (modbus) length in Modbus MBAP header does not match the length needed for the given function\r
+<strong>129:6</strong> (stream_tcp) window size (after scaling) larger than policy allows\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>144:2</strong> (modbus) Modbus protocol ID is non-zero\r
+<strong>129:7</strong> (stream_tcp) limit on number of overlapping TCP packets reached\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>144:3</strong> (modbus) Reserved Modbus function code in use\r
+<strong>129:8</strong> (stream_tcp) data sent on stream after TCP Reset sent\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:1</strong> (dnp3) DNP3 Link-Layer Frame contains bad CRC.\r
+<strong>129:9</strong> (stream_tcp) TCP client possibly hijacked, different ethernet address\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:2</strong> (dce_smb) SMB - Bad NetBIOS Session Service session type.\r
+<strong>129:10</strong> (stream_tcp) TCP Server possibly hijacked, different ethernet address\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:2</strong> (dnp3) DNP3 Link-Layer Frame was dropped.\r
+<strong>129:11</strong> (stream_tcp) TCP data with no TCP flags set\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:3</strong> (dce_smb) SMB - Bad SMB message type.\r
+<strong>129:12</strong> (stream_tcp) consecutive TCP small segments exceeding threshold\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:3</strong> (dnp3) DNP3 Transport-Layer Segment was dropped during reassembly.\r
+<strong>129:13</strong> (stream_tcp) 4-way handshake detected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:4</strong> (dce_smb) SMB - Bad SMB Id (not \xffSMB for SMB1 or not \xfeSMB for SMB2).\r
+<strong>129:14</strong> (stream_tcp) TCP timestamp is missing\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:4</strong> (dnp3) DNP3 Reassembly Buffer was cleared without reassembling a complete message.\r
+<strong>129:15</strong> (stream_tcp) reset outside window\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:5</strong> (dce_smb) SMB - Bad word count or structure size.\r
+<strong>129:16</strong> (stream_tcp) FIN number is greater than prior FIN\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:5</strong> (dnp3) DNP3 Link-Layer Frame uses a reserved address.\r
+<strong>129:17</strong> (stream_tcp) ACK number is greater than prior FIN\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:6</strong> (dce_smb) SMB - Bad byte count.\r
+<strong>129:18</strong> (stream_tcp) data sent on stream after TCP Reset received\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:6</strong> (dnp3) DNP3 Application-Layer Fragment uses a reserved function code.\r
+<strong>129:19</strong> (stream_tcp) TCP window closed before receiving data\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:7</strong> (dce_smb) SMB - Bad format type.\r
+<strong>129:20</strong> (stream_tcp) TCP session without 3-way handshake\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:8</strong> (dce_smb) SMB - Bad offset.\r
+<strong>131:1</strong> (dns) Obsolete DNS RR Types\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:9</strong> (dce_smb) SMB - Zero total data count.\r
+<strong>131:2</strong> (dns) Experimental DNS RR Types\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:10</strong> (dce_smb) SMB - NetBIOS data length less than SMB header length.\r
+<strong>131:3</strong> (dns) DNS Client rdata txt Overflow\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:12</strong> (dce_smb) SMB - Remaining NetBIOS data length less than command byte count.\r
+<strong>133:2</strong> (dce_smb) SMB - Bad NetBIOS Session Service session type.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:13</strong> (dce_smb) SMB - Remaining NetBIOS data length less than command data size.\r
+<strong>133:3</strong> (dce_smb) SMB - Bad SMB message type.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:14</strong> (dce_smb) SMB - Remaining total data count less than this command data size.\r
+<strong>133:4</strong> (dce_smb) SMB - Bad SMB Id (not \xffSMB for SMB1 or not \xfeSMB for SMB2).\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:15</strong> (dce_smb) SMB - Total data sent (STDu64) greater than command total data expected.\r
+<strong>133:5</strong> (dce_smb) SMB - Bad word count or structure size.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:16</strong> (dce_smb) SMB - Byte count less than command data size (STDu64)\r
+<strong>133:6</strong> (dce_smb) SMB - Bad byte count.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:17</strong> (dce_smb) SMB - Invalid command data size for byte count.\r
+<strong>133:7</strong> (dce_smb) SMB - Bad format type.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:18</strong> (dce_smb) SMB - Excessive Tree Connect requests with pending Tree Connect responses.\r
+<strong>133:8</strong> (dce_smb) SMB - Bad offset.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:19</strong> (dce_smb) SMB - Excessive Read requests with pending Read responses.\r
+<strong>133:9</strong> (dce_smb) SMB - Zero total data count.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:20</strong> (dce_smb) SMB - Excessive command chaining.\r
+<strong>133:10</strong> (dce_smb) SMB - NetBIOS data length less than SMB header length.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:21</strong> (dce_smb) SMB - Multiple chained tree connect requests.\r
+<strong>133:12</strong> (dce_smb) SMB - Remaining NetBIOS data length less than command byte count.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:22</strong> (dce_smb) SMB - Multiple chained tree connect requests.\r
+<strong>133:13</strong> (dce_smb) SMB - Remaining NetBIOS data length less than command data size.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:23</strong> (dce_smb) SMB - Chained/Compounded login followed by logoff.\r
+<strong>133:14</strong> (dce_smb) SMB - Remaining total data count less than this command data size.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:24</strong> (dce_smb) SMB - Chained/Compounded tree connect followed by tree disconnect.\r
+<strong>133:15</strong> (dce_smb) SMB - Total data sent (STDu64) greater than command total data expected.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:25</strong> (dce_smb) SMB - Chained/Compounded open pipe followed by close pipe.\r
+<strong>133:16</strong> (dce_smb) SMB - Byte count less than command data size (STDu64)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:26</strong> (dce_smb) SMB - Invalid share access.\r
+<strong>133:17</strong> (dce_smb) SMB - Invalid command data size for byte count.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:27</strong> (dce_smb) Connection oriented DCE/RPC - Invalid major version.\r
+<strong>133:18</strong> (dce_smb) SMB - Excessive Tree Connect requests with pending Tree Connect responses.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:27</strong> (dce_tcp) Connection oriented DCE/RPC - Invalid major version.\r
+<strong>133:19</strong> (dce_smb) SMB - Excessive Read requests with pending Read responses.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:28</strong> (dce_smb) Connection oriented DCE/RPC - Invalid minor version.\r
+<strong>133:20</strong> (dce_smb) SMB - Excessive command chaining.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:28</strong> (dce_tcp) Connection oriented DCE/RPC - Invalid minor version.\r
+<strong>133:21</strong> (dce_smb) SMB - Multiple chained tree connect requests.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:29</strong> (dce_smb) Connection-oriented DCE/RPC - Invalid pdu type.\r
+<strong>133:22</strong> (dce_smb) SMB - Multiple chained tree connect requests.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:29</strong> (dce_tcp) Connection-oriented DCE/RPC - Invalid pdu type.\r
+<strong>133:23</strong> (dce_smb) SMB - Chained/Compounded login followed by logoff.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:30</strong> (dce_smb) Connection-oriented DCE/RPC - Fragment length less than header size.\r
+<strong>133:24</strong> (dce_smb) SMB - Chained/Compounded tree connect followed by tree disconnect.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:30</strong> (dce_tcp) Connection-oriented DCE/RPC - Fragment length less than header size.\r
+<strong>133:25</strong> (dce_smb) SMB - Chained/Compounded open pipe followed by close pipe.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:32</strong> (dce_smb) Connection-oriented DCE/RPC - No context items specified.\r
+<strong>133:26</strong> (dce_smb) SMB - Invalid share access.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:32</strong> (dce_tcp) Connection-oriented DCE/RPC - No context items specified.\r
+<strong>133:27</strong> (dce_smb) Connection oriented DCE/RPC - Invalid major version.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:33</strong> (dce_smb) Connection-oriented DCE/RPC -No transfer syntaxes specified.\r
+<strong>133:27</strong> (dce_tcp) Connection oriented DCE/RPC - Invalid major version.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:33</strong> (dce_tcp) Connection-oriented DCE/RPC -No transfer syntaxes specified.\r
+<strong>133:28</strong> (dce_smb) Connection oriented DCE/RPC - Invalid minor version.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:34</strong> (dce_smb) Connection-oriented DCE/RPC - Fragment length on non-last fragment less than maximum negotiated fragment transmit size for client.\r
+<strong>133:28</strong> (dce_tcp) Connection oriented DCE/RPC - Invalid minor version.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:34</strong> (dce_tcp) Connection-oriented DCE/RPC - Fragment length on non-last fragment less than maximum negotiated fragment transmit size for client.\r
+<strong>133:29</strong> (dce_smb) Connection-oriented DCE/RPC - Invalid pdu type.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:35</strong> (dce_smb) Connection-oriented DCE/RPC - Fragment length greater than maximum negotiated fragment transmit size.\r
+<strong>133:29</strong> (dce_tcp) Connection-oriented DCE/RPC - Invalid pdu type.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:35</strong> (dce_tcp) Connection-oriented DCE/RPC - Fragment length greater than maximum negotiated fragment transmit size.\r
+<strong>133:30</strong> (dce_smb) Connection-oriented DCE/RPC - Fragment length less than header size.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:36</strong> (dce_smb) Connection-oriented DCE/RPC - Alter Context byte order different from Bind\r
+<strong>133:30</strong> (dce_tcp) Connection-oriented DCE/RPC - Fragment length less than header size.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:36</strong> (dce_tcp) Connection-oriented DCE/RPC - Alter Context byte order different from Bind\r
+<strong>133:32</strong> (dce_smb) Connection-oriented DCE/RPC - No context items specified.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:37</strong> (dce_smb) Connection-oriented DCE/RPC - Call id of non first/last fragment different from call id established for fragmented request.\r
+<strong>133:32</strong> (dce_tcp) Connection-oriented DCE/RPC - No context items specified.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:37</strong> (dce_tcp) Connection-oriented DCE/RPC - Call id of non first/last fragment different from call id established for fragmented request.\r
+<strong>133:33</strong> (dce_smb) Connection-oriented DCE/RPC -No transfer syntaxes specified.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:38</strong> (dce_smb) Connection-oriented DCE/RPC - Opnum of non first/last fragment different from opnum established for fragmented request.\r
+<strong>133:33</strong> (dce_tcp) Connection-oriented DCE/RPC -No transfer syntaxes specified.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:38</strong> (dce_tcp) Connection-oriented DCE/RPC - Opnum of non first/last fragment different from opnum established for fragmented request.\r
+<strong>133:34</strong> (dce_smb) Connection-oriented DCE/RPC - Fragment length on non-last fragment less than maximum negotiated fragment transmit size for client.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:39</strong> (dce_smb) Connection-oriented DCE/RPC - Context id of non first/last fragment different from context id established for fragmented request.\r
+<strong>133:34</strong> (dce_tcp) Connection-oriented DCE/RPC - Fragment length on non-last fragment less than maximum negotiated fragment transmit size for client.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:39</strong> (dce_tcp) Connection-oriented DCE/RPC - Context id of non first/last fragment different from context id established for fragmented request.\r
+<strong>133:35</strong> (dce_smb) Connection-oriented DCE/RPC - Fragment length greater than maximum negotiated fragment transmit size.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:44</strong> (dce_smb) SMB - Invalid SMB version 1 seen.\r
+<strong>133:35</strong> (dce_tcp) Connection-oriented DCE/RPC - Fragment length greater than maximum negotiated fragment transmit size.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:45</strong> (dce_smb) SMB - Invalid SMB version 2 seen.\r
+<strong>133:36</strong> (dce_smb) Connection-oriented DCE/RPC - Alter Context byte order different from Bind\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:46</strong> (dce_smb) SMB - Invalid user, tree connect, file binding.\r
+<strong>133:36</strong> (dce_tcp) Connection-oriented DCE/RPC - Alter Context byte order different from Bind\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:47</strong> (dce_smb) SMB - Excessive command compounding.\r
+<strong>133:37</strong> (dce_smb) Connection-oriented DCE/RPC - Call id of non first/last fragment different from call id established for fragmented request.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:48</strong> (dce_smb) SMB - Zero data count.\r
+<strong>133:37</strong> (dce_tcp) Connection-oriented DCE/RPC - Call id of non first/last fragment different from call id established for fragmented request.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:50</strong> (dce_smb) SMB - Maximum number of outstanding requests exceeded.\r
+<strong>133:38</strong> (dce_smb) Connection-oriented DCE/RPC - Opnum of non first/last fragment different from opnum established for fragmented request.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:51</strong> (dce_smb) SMB - Outstanding requests with same MID.\r
+<strong>133:38</strong> (dce_tcp) Connection-oriented DCE/RPC - Opnum of non first/last fragment different from opnum established for fragmented request.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:52</strong> (dce_smb) SMB - Deprecated dialect negotiated.\r
+<strong>133:39</strong> (dce_smb) Connection-oriented DCE/RPC - Context id of non first/last fragment different from context id established for fragmented request.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:53</strong> (dce_smb) SMB - Deprecated command used.\r
+<strong>133:39</strong> (dce_tcp) Connection-oriented DCE/RPC - Context id of non first/last fragment different from context id established for fragmented request.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:54</strong> (dce_smb) SMB - Unusual command used.\r
+<strong>133:44</strong> (dce_smb) SMB - Invalid SMB version 1 seen.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:55</strong> (dce_smb) SMB - Invalid setup count for command.\r
+<strong>133:45</strong> (dce_smb) SMB - Invalid SMB version 2 seen.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:56</strong> (dce_smb) SMB - Client attempted multiple dialect negotiations on session.\r
+<strong>133:46</strong> (dce_smb) SMB - Invalid user, tree connect, file binding.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>145:57</strong> (dce_smb) SMB - Client attempted to create or set a file’s attributes to readonly/hidden/system.\r
+<strong>133:47</strong> (dce_smb) SMB - Excessive command compounding.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:1</strong> (new_http_inspect) ascii encoding\r
+<strong>133:48</strong> (dce_smb) SMB - Zero data count.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:2</strong> (new_http_inspect) double decoding attack\r
+<strong>133:50</strong> (dce_smb) SMB - Maximum number of outstanding requests exceeded.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:3</strong> (new_http_inspect) u encoding\r
+<strong>133:51</strong> (dce_smb) SMB - Outstanding requests with same MID.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:4</strong> (new_http_inspect) bare byte unicode encoding\r
+<strong>133:52</strong> (dce_smb) SMB - Deprecated dialect negotiated.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:5</strong> (new_http_inspect) obsolete event—should not appear\r
+<strong>133:53</strong> (dce_smb) SMB - Deprecated command used.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:6</strong> (new_http_inspect) UTF-8 encoding\r
+<strong>133:54</strong> (dce_smb) SMB - Unusual command used.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:7</strong> (new_http_inspect) IIS unicode codepoint encoding\r
+<strong>133:55</strong> (dce_smb) SMB - Invalid setup count for command.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:8</strong> (new_http_inspect) multi_slash encoding\r
+<strong>133:56</strong> (dce_smb) SMB - Client attempted multiple dialect negotiations on session.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:9</strong> (new_http_inspect) IIS backslash evasion\r
+<strong>133:57</strong> (dce_smb) SMB - Client attempted to create or set a file’s attributes to readonly/hidden/system.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:10</strong> (new_http_inspect) self directory traversal\r
+<strong>134:1</strong> (latency) rule tree suspended due to latency\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:11</strong> (new_http_inspect) directory traversal\r
+<strong>134:2</strong> (latency) rule tree re-enabled after suspend timeout\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:12</strong> (new_http_inspect) apache whitespace (tab)\r
+<strong>134:3</strong> (latency) packet fastpathed due to latency\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:13</strong> (new_http_inspect) non-RFC http delimiter\r
+<strong>136:1</strong> (reputation) packets blacklisted\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:14</strong> (new_http_inspect) non-RFC defined char\r
+<strong>136:2</strong> (reputation) Packets whitelisted\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:15</strong> (new_http_inspect) oversize request-uri directory\r
+<strong>136:3</strong> (reputation) Packets monitored\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:16</strong> (new_http_inspect) oversize chunk encoding\r
+<strong>137:1</strong> (ssl) Invalid Client HELLO after Server HELLO Detected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:17</strong> (new_http_inspect) unauthorized proxy use detected\r
+<strong>137:2</strong> (ssl) Invalid Server HELLO without Client HELLO Detected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:18</strong> (new_http_inspect) webroot directory traversal\r
+<strong>137:3</strong> (ssl) Heartbeat Read Overrun Attempt Detected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:19</strong> (new_http_inspect) long header\r
+<strong>137:4</strong> (ssl) Large Heartbeat Response Detected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:20</strong> (new_http_inspect) max header fields\r
+<strong>140:1</strong> (sip) Maximum sessions reached\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:21</strong> (new_http_inspect) multiple content length\r
+<strong>140:2</strong> (sip) Empty request URI\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:22</strong> (new_http_inspect) chunk size mismatch detected\r
+<strong>140:3</strong> (sip) URI is too long\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:23</strong> (new_http_inspect) invalid IP in true-client-IP/XFF header\r
+<strong>140:4</strong> (sip) Empty call-Id\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:24</strong> (new_http_inspect) multiple host hdrs detected\r
+<strong>140:5</strong> (sip) Call-Id is too long\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:25</strong> (new_http_inspect) hostname exceeds 255 characters\r
+<strong>140:6</strong> (sip) CSeq number is too large or negative\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:26</strong> (new_http_inspect) header parsing space saturation\r
+<strong>140:7</strong> (sip) Request name in CSeq is too long\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:27</strong> (new_http_inspect) client consecutive small chunk sizes\r
+<strong>140:8</strong> (sip) Empty From header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:28</strong> (new_http_inspect) post w/o content-length or chunks\r
+<strong>140:9</strong> (sip) From header is too long\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:29</strong> (new_http_inspect) multiple true ips in a session\r
+<strong>140:10</strong> (sip) Empty To header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:30</strong> (new_http_inspect) both true-client-IP and XFF hdrs present\r
+<strong>140:11</strong> (sip) To header is too long\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:31</strong> (new_http_inspect) unknown method\r
+<strong>140:12</strong> (sip) Empty Via header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:32</strong> (new_http_inspect) simple request\r
+<strong>140:13</strong> (sip) Via header is too long\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:33</strong> (new_http_inspect) unescaped space in HTTP URI\r
+<strong>140:14</strong> (sip) Empty Contact\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:34</strong> (new_http_inspect) too many pipelined requests\r
+<strong>140:15</strong> (sip) Contact is too long\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:35</strong> (new_http_inspect) anomalous http server on undefined HTTP port\r
+<strong>140:16</strong> (sip) Content length is too large or negative\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:36</strong> (new_http_inspect) invalid status code in HTTP response\r
+<strong>140:17</strong> (sip) Multiple SIP messages in a packet\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:37</strong> (new_http_inspect) no content-length or transfer-encoding in HTTP response\r
+<strong>140:18</strong> (sip) Content length mismatch\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:38</strong> (new_http_inspect) HTTP response has UTF charset which failed to normalize\r
+<strong>140:19</strong> (sip) Request name is invalid\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:39</strong> (new_http_inspect) HTTP response has UTF-7 charset\r
+<strong>140:20</strong> (sip) Invite replay attack\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:40</strong> (new_http_inspect) HTTP response gzip decompression failed\r
+<strong>140:21</strong> (sip) Illegal session information modification\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:41</strong> (new_http_inspect) server consecutive small chunk sizes\r
+<strong>140:22</strong> (sip) Response status code is not a 3 digit number\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:42</strong> (new_http_inspect) invalid content-length or chunk size\r
+<strong>140:23</strong> (sip) Empty Content-type header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:43</strong> (new_http_inspect) javascript obfuscation levels exceeds 1\r
+<strong>140:24</strong> (sip) SIP version is invalid\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:44</strong> (new_http_inspect) javascript whitespaces exceeds max allowed\r
+<strong>140:25</strong> (sip) Mismatch in METHOD of request and the CSEQ header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:45</strong> (new_http_inspect) multiple encodings within javascript obfuscated data\r
+<strong>140:26</strong> (sip) Method is unknown\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:46</strong> (new_http_inspect) SWF file zlib decompression failure\r
+<strong>140:27</strong> (sip) Maximum dialogs within a session reached\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:47</strong> (new_http_inspect) SWF file LZMA decompression failure\r
+<strong>141:1</strong> (imap) Unknown IMAP3 command\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:48</strong> (new_http_inspect) PDF file deflate decompression failure\r
+<strong>141:2</strong> (imap) Unknown IMAP3 response\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:49</strong> (new_http_inspect) PDF file unsupported compression type\r
+<strong>141:4</strong> (imap) Base64 Decoding failed.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:50</strong> (new_http_inspect) PDF file cascaded compression\r
+<strong>141:5</strong> (imap) Quoted-Printable Decoding failed.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:51</strong> (new_http_inspect) PDF file parse failure\r
+<strong>141:7</strong> (imap) Unix-to-Unix Decoding failed.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:52</strong> (new_http_inspect) HTTP misformatted or not really HTTP\r
+<strong>142:1</strong> (pop) Unknown POP3 command\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:53</strong> (new_http_inspect) Chunk length has excessive leading zeros\r
+<strong>142:2</strong> (pop) Unknown POP3 response\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:54</strong> (new_http_inspect) White space before or between messages\r
+<strong>142:4</strong> (pop) Base64 Decoding failed.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:55</strong> (new_http_inspect) Request message without URI\r
+<strong>142:5</strong> (pop) Quoted-Printable Decoding failed.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:56</strong> (new_http_inspect) Control character in reason phrase\r
+<strong>142:7</strong> (pop) Unix-to-Unix Decoding failed.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:57</strong> (new_http_inspect) Illegal extra whitespace in start line\r
+<strong>143:1</strong> (gtp_inspect) message length is invalid\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:58</strong> (new_http_inspect) Corrupted HTTP version\r
+<strong>143:2</strong> (gtp_inspect) information element length is invalid\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:59</strong> (new_http_inspect) Unknown HTTP version\r
+<strong>143:3</strong> (gtp_inspect) information elements are out of order\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:60</strong> (new_http_inspect) Format error in HTTP header\r
+<strong>144:1</strong> (modbus) length in Modbus MBAP header does not match the length needed for the given function\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:61</strong> (new_http_inspect) Chunk header options present\r
+<strong>144:2</strong> (modbus) Modbus protocol ID is non-zero\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:62</strong> (new_http_inspect) URI badly formatted\r
+<strong>144:3</strong> (modbus) Reserved Modbus function code in use\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:63</strong> (new_http_inspect) Unused\r
+<strong>145:1</strong> (dnp3) DNP3 Link-Layer Frame contains bad CRC.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:64</strong> (new_http_inspect) HTTP chunk misformatted\r
+<strong>145:2</strong> (dnp3) DNP3 Link-Layer Frame was dropped.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:65</strong> (new_http_inspect) White space following chunk length\r
+<strong>145:3</strong> (dnp3) DNP3 Transport-Layer Segment was dropped during reassembly.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:67</strong> (new_http_inspect) Excessive gzip compression\r
+<strong>145:4</strong> (dnp3) DNP3 Reassembly Buffer was cleared without reassembling a complete message.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>219:68</strong> (new_http_inspect) Gzip decompression failed\r
+<strong>145:5</strong> (dnp3) DNP3 Link-Layer Frame uses a reserved address.\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>256:1</strong> (dpx) too much data sent to port\r
+<strong>145:6</strong> (dnp3) DNP3 Application-Layer Fragment uses a reserved function code.\r
</p>\r
</li>\r
</ul></div>\r
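Review bot: the replacement rule list in this hunk silently skips SIDs (141:3, 141:6, 142:3 and 142:6 are absent between `141:2 (imap) Unknown IMAP3 response` and `141:4 (imap) Base64 Decoding failed.`), whereas the list's own convention records gaps explicitly (see the removed `219:63 (new_http_inspect) Unused`); either list the missing SIDs as unused or state that they are retired. Punctuation is also inconsistent within the hunk: the imap and pop decoding entries and every dnp3 entry end with a period, the sip, gtp_inspect and modbus entries do not. Finally, all 219:45 to 219:68 new_http_inspect entries and the `256:1 (dpx) too much data sent to port` entry drop out here with no http_inspect counterpart visible; since the inspector is renamed rather than removed in this revision, confirm the GID 219 messages are still listed under the new name.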
<div class="ulist"><ul>\r
<li>\r
<p>\r
+<strong>packet_capture.disable</strong>(): stop packet dump\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>packet_capture.enable</strong>(filter): dump raw packets\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>snort.detach</strong>(): exit shell w/o shutdown\r
</p>\r
</li>\r
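Review bot: `packet_capture.enable(filter): dump raw packets` does not say what syntax `filter` takes or where the dump is written, and `packet_capture.disable(): stop packet dump` does not say whether a dump in progress is closed cleanly. Because this facility writes raw, unredacted packets (the module list below calls it a "raw packet dumping facility"), the shell command text should name the filter language, the output file or log directory used, and whether a second `enable` replaces or appends to an existing dump, so operators know what file to protect and rotate.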
</li>\r
<li>\r
<p>\r
-<strong>alert_ex</strong> (logger): output gid:sid:rev for alerts\r
+<strong>alert_fast</strong> (logger): output event with brief text format\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>alert_fast</strong> (logger): output event with brief text format\r
+<strong>alert_full</strong> (logger): output event with full packet dump\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>alert_full</strong> (logger): output event with full packet dump\r
+<strong>alert_syslog</strong> (logger): output event to syslog\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>alert_syslog</strong> (logger): output event to syslog\r
+<strong>alerts</strong> (basic): configure alerts\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>alert_unixsock</strong> (logger): output event over unix socket\r
+<strong>appid</strong> (inspector): application and service identification\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>alerts</strong> (basic): configure alerts\r
+<strong>appids</strong> (ips_option): detection option for application ids\r
</p>\r
</li>\r
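Review bot: two loggers disappear in this hunk (`alert_ex (logger): output gid:sid:rev for alerts` and `alert_unixsock (logger): output event over unix socket`) with no replacement or deprecation note; deployments that feed a SIEM or response tool through the unix socket will break on upgrade, so the manual should say which logger to move to (unified2 is still present in this revision's table of contents) or state that socket output is gone. Separately, the new `appids (ips_option): detection option for application ids` entry should state that it depends on the `appid` inspector added in the same hunk, and say what happens when a rule uses `appids` while that inspector is not configured.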
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>data_log</strong> (inspector): log selected published data to data.log\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>dce_iface</strong> (ips_option): detection option to check dcerpc interface\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>dpx</strong> (inspector): dynamic inspector example\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>dsize</strong> (ips_option): rule option to test payload size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>eapol</strong> (codec): support for extensible authentication protocol over LAN\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>erspan2</strong> (codec): support for encapsulated remote switched port analyzer - type 2\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>file_connector</strong> (connector): implement the file based connector\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>file_data</strong> (ips_option): rule option to set detection cursor to file data\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>file_log</strong> (inspector): log file event to file.log\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>file_type</strong> (ips_option): rule option to check file type\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>flags</strong> (ips_option): rule option to test TCP control flags\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>high_availability</strong> (basic): implement flow tracking high availability\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>host_cache</strong> (basic): configure hosts\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>host_tracker</strong> (basic): configure hosts\r
</p>\r
</li>\r
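Review bot: `host_cache (basic): configure hosts` and the existing `host_tracker (basic): configure hosts` carry the identical help string, so the module list gives the reader no way to tell the two apart; the host_cache description should say what it caches (its own section later in this revision lists only a `size` parameter and LRU peg counts). The same hunk introduces help strings written from the implementer's point of view, `file_connector (connector): implement the file based connector` and `high_availability (basic): implement flow tracking high availability`; rewrite them as user-facing descriptions of what the module does for a deployment (what is carried over the connector, what state HA replicates and to whom).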
</li>\r
<li>\r
<p>\r
-<strong>http_global</strong> (inspector): http inspector global configuration and client rules for use with http_server\r
+<strong>http_header</strong> (ips_option): rule option to set the detection cursor to the normalized headers\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_header</strong> (ips_option): rule option to set the detection cursor to the normalized header(s)\r
+<strong>http_inspect</strong> (inspector): HTTP inspector\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect</strong> (inspector): http inspection and server rules; also configure http_inspect\r
+<strong>http_method</strong> (ips_option): rule option to set the detection cursor to the HTTP request method\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_method</strong> (ips_option): rule option to set the detection cursor to the HTTP request method\r
+<strong>http_raw_cookie</strong> (ips_option): rule option to set the detection cursor to the unnormalized cookie\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_raw_cookie</strong> (ips_option): rule option to set the detection cursor to the unnormalized cookie\r
+<strong>http_raw_header</strong> (ips_option): rule option to set the detection cursor to the unnormalized headers\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_raw_header</strong> (ips_option): rule option to set the detection cursor to the unnormalized headers\r
+<strong>http_raw_request</strong> (ips_option): rule option to set the detection cursor to the unnormalized request line\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>http_raw_status</strong> (ips_option): rule option to set the detection cursor to the unnormalized status line\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>http_raw_trailer</strong> (ips_option): rule option to set the detection cursor to the unnormalized trailers\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>http_trailer</strong> (ips_option): rule option to set the detection cursor to the normalized trailers\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>http_uri</strong> (ips_option): rule option to set the detection cursor to the normalized URI buffer\r
</p>\r
</li>\r
<li>\r
<p>\r
+<strong>http_version</strong> (ips_option): rule option to set the detection cursor to the version buffer\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>icmp4</strong> (codec): support for Internet control message protocol v4\r
</p>\r
</li>\r
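Review bot: `http_global` is removed here and `new_http_inspect` further down, while `http_inspect` is re-described as the HTTP inspector, so a configuration carrying a `http_global` or `new_http_inspect` table stops loading after this upgrade; the rename needs an explicit migration note (old table name, new table name, which parameters did not survive) rather than two changed list entries. Among the new options, `http_version (ips_option): rule option to set the detection cursor to the version buffer` does not say whether the buffer holds the request-line version, the status-line version, or whichever the current direction has; the neighbouring new entries (`http_raw_request`, `http_raw_status`) are explicit about direction, so make this one match.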
</li>\r
<li>\r
<p>\r
+<strong>latency</strong> (basic): packet and rule latency monitoring and control\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>log_codecs</strong> (logger): log protocols in packet by layer\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>memory</strong> (basic): memory management configuration\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>metadata</strong> (ips_option): rule option for conveying arbitrary name, value data within the rule text\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>new_http_inspect</strong> (inspector): new HTTP inspector\r
+<strong>normalizer</strong> (inspector): packet scrubbing for inline mode\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer</strong> (inspector): packet scrubbing for inline mode\r
+<strong>output</strong> (basic): configure general output parameters\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>output</strong> (basic): configure general output parameters\r
+<strong>packet_capture</strong> (inspector): raw packet dumping facility\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>pkt_num</strong> (ips_option): alert on raw packet number\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>pop</strong> (inspector): pop inspection\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>ppm</strong> (basic): packet and rule latency monitoring and control\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>pppoe</strong> (codec): support for point-to-point protocol over ethernet\r
</p>\r
</li>\r
</li>\r
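Review bot: `ppm (basic): packet and rule latency monitoring and control` is removed and the identical description reappears above as `latency (basic): packet and rule latency monitoring and control`, so this is a rename that breaks every existing `ppm` table; record it as such in the Changes section rather than leaving the reader to infer it from two list entries. The removal of `pkt_num (ips_option): alert on raw packet number` here, and of `urg (ips_option): detection for TCP urgent pointer` further down, means rules that use those options no longer load as written; list both as removed rule options with the reason and any substitute.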
<li>\r
<p>\r
+<strong>sd_pattern</strong> (ips_option): rule option for detecting sensitive data\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>search_engine</strong> (basic): configure fast pattern matcher\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>side_channel</strong> (basic): implement the side-channel asynchronous messaging subsystem\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>sip</strong> (inspector): sip inspection\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>token_ring</strong> (codec): support for token ring decoding\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>tos</strong> (ips_option): rule option to check type of service field\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>urg</strong> (ips_option): detection for TCP urgent pointer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>vlan</strong> (codec): support for local area network\r
</p>\r
</li>\r
<li>\r
<p>\r
<strong>wizard</strong> (inspector): inspector that implements port-independent protocol identification\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>wlan</strong> (codec): support for wireless local area network protocol (DLT 105)\r
:leveloffset: 0\r
</p>\r
</li>\r
</li>\r
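Review bot: the context line `:leveloffset: 0` sits inside the `<p>` of the last codec entry, an AsciiDoc attribute leaked into the rendered HTML; it is present in both versions, but this hunk edits the same `<li>`, so fix it here rather than carry it forward. Nearby, the unchanged `vlan (codec): support for local area network` is missing the word that matters, since the plain LAN case is what `eth` covers; suggest "support for virtual local area network (802.1Q) tagging".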
<li>\r
<p>\r
-<strong>codec::eapol</strong>: support for extensible authentication protocol over LAN\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>codec::erspan2</strong>: support for encapsulated remote switched port analyzer - type 2\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>codec::i4l_rawip</strong>: support for I4L IP\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>codec::icmp4</strong>: support for Internet control message protocol v4\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>codec::linux_sll</strong>: support for Linux SLL (DLT 113)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>codec::llc</strong>: support for logical link control\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>codec::null</strong>: support for null encapsulation (DLT 0)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::pflog</strong>: support for OpenBSD PF log (DLT 117)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>codec::pgm</strong>: support for pragmatic general multicast\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>codec::pim</strong>: support for protocol independent multicast\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::ppp</strong>: support for point-to-point encapsulation (DLT DLT_PPP)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>codec::ppp_encap</strong>: support for point-to-point encapsulation\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>codec::raw4</strong>: support for unencapsulated IPv4 (DLT 12) (DLT 228)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::raw6</strong>: support for unencapsulated IPv6 (DLT 229)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::slip</strong>: support for slip protocol (DLT 8)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>codec::sun_nd</strong>: support for Sun ND\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>codec::token_ring</strong>: support for token ring decoding\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>codec::trans_bridge</strong>: support for trans-bridging\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>codec::wlan</strong>: support for wireless local area network protocol (DLT 105)\r
+<strong>connector::file_connector</strong>: implement the file based connector\r
</p>\r
</li>\r
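Review bot: a dozen link-layer codecs leave the plugin list in this hunk (`codec::null: support for null encapsulation (DLT 0)`, `codec::linux_sll: support for Linux SLL (DLT 113)`, `codec::pflog: support for OpenBSD PF log (DLT 117)`, plus eapol, i4l_rawip, pim, ppp, raw4, raw6, slip, token_ring and wlan) without a word on where their decoding went. Those DLTs cover very common pcap sources (loopback captures, Linux `any`-interface captures, pf logs, PPP links), so a reader will conclude such files can no longer be replayed; if decoding moved into the DAQ layer or to an external plugin, say so in the Changes section and the DAQ chapter, and if support was genuinely dropped, list the affected DLTs.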
<li>\r
<p>\r
-<strong>inspector::arp_spoof</strong>: detect ARP attacks and anomalies\r
+<strong>inspector::appid</strong>: application and service identification\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>inspector::back_orifice</strong>: back orifice detection\r
+<strong>inspector::arp_spoof</strong>: detect ARP attacks and anomalies\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>inspector::binder</strong>: configure processing based on CIDRs, ports, services, etc.\r
+<strong>inspector::back_orifice</strong>: back orifice detection\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>inspector::data_log</strong>: log selected published data to data.log\r
+<strong>inspector::binder</strong>: configure processing based on CIDRs, ports, services, etc.\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>inspector::dpx</strong>: dynamic inspector example\r
+<strong>inspector::file_log</strong>: log file event to file.log\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>inspector::http_global</strong>: shared HTTP inspector settings\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::http_inspect</strong>: main HTTP inspector module\r
+<strong>inspector::http_inspect</strong>: the new HTTP inspector!\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>inspector::new_http_inspect</strong>: the new HTTP inspector!\r
+<strong>inspector::normalizer</strong>: packet scrubbing for inline mode\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>inspector::normalizer</strong>: packet scrubbing for inline mode\r
+<strong>inspector::packet_capture</strong>: raw packet dumping facility\r
</p>\r
</li>\r
<li>\r
</li>\r
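Review bot: the same module now has two different help strings in one document: `http_inspect (inspector): HTTP inspector` in the module list above and `inspector::http_inspect: the new HTTP inspector!` here. The generated index should carry the module's single help string, so either the source string or the generator is out of sync, and the exclamation mark does not belong in reference documentation; pick one neutral wording and use it in both places.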
<li>\r
<p>\r
+<strong>ips_option::appids</strong>: detection option for application ids\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>ips_option::asn1</strong>: rule option for asn1 detection\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>ips_option::file_type</strong>: rule option to check file type\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>ips_option::flags</strong>: rule option to test TCP control flags\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>ips_option::http_header</strong>: rule option to set the detection cursor to the normalized header(s)\r
+<strong>ips_option::http_header</strong>: rule option to set the detection cursor to the normalized headers\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>ips_option::http_raw_request</strong>: rule option to set the detection cursor to the unnormalized request line\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>ips_option::http_raw_status</strong>: rule option to set the detection cursor to the unnormalized status line\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>ips_option::http_raw_trailer</strong>: rule option to set the detection cursor to the unnormalized trailers\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>ips_option::http_raw_uri</strong>: rule option to set the detection cursor to the unnormalized URI\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>ips_option::http_trailer</strong>: rule option to set the detection cursor to the normalized trailers\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>ips_option::http_uri</strong>: rule option to set the detection cursor to the normalized URI buffer\r
</p>\r
</li>\r
<li>\r
<p>\r
+<strong>ips_option::http_version</strong>: rule option to set the detection cursor to the version buffer\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>ips_option::icmp_id</strong>: rule option to check ICMP ID\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>ips_option::pkt_num</strong>: alert on raw packet number\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>ips_option::priority</strong>: rule option for prioritizing events\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>ips_option::sd_pattern</strong>: rule option for detecting sensitive data\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>ips_option::seq</strong>: rule option to check TCP sequence number\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>ips_option::urg</strong>: detection for TCP urgent pointer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>ips_option::window</strong>: rule option to check TCP window field\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>logger::alert_ex</strong>: output gid:sid:rev for alerts\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>logger::alert_fast</strong>: output event with brief text format\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>logger::alert_unixsock</strong>: output event over unix socket\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>logger::log_codecs</strong>: log protocols in packet by layer\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>logger::log_null</strong>: disable logging of packets\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>logger::log_pcap</strong>: log packet in pcap format\r
</p>\r
</li>\r
<strong>search_engine::hyperscan</strong>: intel hyperscan-based mpse with regex support\r
</p>\r
</li>\r
-<li>\r
-<p>\r
-<strong>search_engine::lowmem</strong>: Keyword Trie (low memory, moderate performance) MPSE\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>so_rule::3|18758</strong>: SO rule example\r
-</p>\r
-</li>\r
</ul></div>\r
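Review bot: `search_engine::lowmem: Keyword Trie (low memory, moderate performance) MPSE` is removed, so any configuration selecting the lowmem search method fails to load after this upgrade, yet only `search_engine::hyperscan` remains visible in this part of the list; the search_engine section should state the remaining methods and the new default. Removing `so_rule::3|18758: SO rule example` together with the `dpx` example inspector earlier leaves the plugin chapter without a documented reference implementation; if the examples moved to a separate tree, link it.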
</div>\r
</div>\r
<div id="footnotes"><hr /></div>\r
<div id="footer">\r
<div id="footer-text">\r
-Last updated 2016-01-30 08:58:28 EST\r
+Last updated 2016-08-10 17:28:55 EDT\r
</div>\r
</div>\r
</body>\r
3.8. event_filter
3.9. event_queue
3.10. file_id
- 3.11. host_tracker
- 3.12. hosts
- 3.13. ips
- 3.14. network
- 3.15. output
- 3.16. packets
- 3.17. ppm
- 3.18. process
- 3.19. profiler
- 3.20. rate_filter
- 3.21. references
- 3.22. rule_state
- 3.23. search_engine
- 3.24. snort
- 3.25. suppress
+ 3.11. high_availability
+ 3.12. host_cache
+ 3.13. host_tracker
+ 3.14. hosts
+ 3.15. ips
+ 3.16. latency
+ 3.17. memory
+ 3.18. network
+ 3.19. output
+ 3.20. packets
+ 3.21. process
+ 3.22. profiler
+ 3.23. rate_filter
+ 3.24. references
+ 3.25. rule_state
+ 3.26. search_engine
+ 3.27. side_channel
+ 3.28. snort
+ 3.29. suppress
4. Codec Modules
4.1. arp
4.2. auth
- 4.3. eapol
- 4.4. erspan2
- 4.5. erspan3
- 4.6. esp
- 4.7. eth
- 4.8. fabricpath
- 4.9. gre
- 4.10. gtp
- 4.11. icmp4
- 4.12. icmp6
- 4.13. igmp
- 4.14. ipv4
- 4.15. ipv6
- 4.16. mpls
- 4.17. pgm
- 4.18. pppoe
- 4.19. tcp
- 4.20. token_ring
- 4.21. udp
- 4.22. vlan
- 4.23. wlan
+ 4.3. erspan2
+ 4.4. erspan3
+ 4.5. esp
+ 4.6. eth
+ 4.7. fabricpath
+ 4.8. gre
+ 4.9. gtp
+ 4.10. icmp4
+ 4.11. icmp6
+ 4.12. igmp
+ 4.13. ipv4
+ 4.14. ipv6
+ 4.15. mpls
+ 4.16. pgm
+ 4.17. pppoe
+ 4.18. tcp
+ 4.19. udp
+ 4.20. vlan
5. Inspector Modules
- 5.1. arp_spoof
- 5.2. back_orifice
- 5.3. binder
- 5.4. data_log
+ 5.1. appid
+ 5.2. arp_spoof
+ 5.3. back_orifice
+ 5.4. binder
5.5. dce_smb
5.6. dce_tcp
5.7. dnp3
5.8. dns
- 5.9. dpx
+ 5.9. file_log
5.10. ftp_client
5.11. ftp_data
5.12. ftp_server
5.13. gtp_inspect
- 5.14. http_global
- 5.15. http_inspect
- 5.16. imap
- 5.17. modbus
- 5.18. new_http_inspect
- 5.19. normalizer
- 5.20. perf_monitor
- 5.21. pop
- 5.22. port_scan
- 5.23. port_scan_global
- 5.24. reputation
- 5.25. rpc_decode
- 5.26. sip
- 5.27. smtp
- 5.28. ssh
- 5.29. ssl
- 5.30. stream
- 5.31. stream_file
- 5.32. stream_icmp
- 5.33. stream_ip
- 5.34. stream_tcp
- 5.35. stream_udp
- 5.36. stream_user
- 5.37. telnet
- 5.38. wizard
+ 5.14. http_inspect
+ 5.15. imap
+ 5.16. modbus
+ 5.17. normalizer
+ 5.18. packet_capture
+ 5.19. perf_monitor
+ 5.20. pop
+ 5.21. port_scan
+ 5.22. port_scan_global
+ 5.23. reputation
+ 5.24. rpc_decode
+ 5.25. sip
+ 5.26. smtp
+ 5.27. ssh
+ 5.28. ssl
+ 5.29. stream
+ 5.30. stream_file
+ 5.31. stream_icmp
+ 5.32. stream_ip
+ 5.33. stream_tcp
+ 5.34. stream_udp
+ 5.35. stream_user
+ 5.36. telnet
+ 5.37. wizard
6. IPS Action Modules
7. IPS Option Modules
7.1. ack
- 7.2. asn1
- 7.3. base64_decode
- 7.4. bufferlen
- 7.5. byte_extract
- 7.6. byte_jump
- 7.7. byte_test
- 7.8. classtype
- 7.9. content
- 7.10. cvs
- 7.11. dce_iface
- 7.12. dce_opnum
- 7.13. dce_stub_data
- 7.14. detection_filter
- 7.15. dnp3_data
- 7.16. dnp3_func
- 7.17. dnp3_ind
- 7.18. dnp3_obj
- 7.19. dsize
- 7.20. file_data
- 7.21. flags
- 7.22. flow
- 7.23. flowbits
- 7.24. fragbits
- 7.25. fragoffset
- 7.26. gid
- 7.27. gtp_info
- 7.28. gtp_type
- 7.29. gtp_version
- 7.30. http_client_body
- 7.31. http_cookie
- 7.32. http_header
- 7.33. http_method
- 7.34. http_raw_cookie
- 7.35. http_raw_header
- 7.36. http_raw_uri
- 7.37. http_stat_code
- 7.38. http_stat_msg
- 7.39. http_uri
- 7.40. icmp_id
- 7.41. icmp_seq
- 7.42. icode
- 7.43. id
- 7.44. ip_proto
- 7.45. ipopts
- 7.46. isdataat
- 7.47. itype
- 7.48. md5
- 7.49. metadata
- 7.50. modbus_data
- 7.51. modbus_func
- 7.52. modbus_unit
- 7.53. msg
- 7.54. pcre
- 7.55. pkt_data
- 7.56. pkt_num
- 7.57. priority
- 7.58. raw_data
- 7.59. reference
- 7.60. regex
- 7.61. rem
- 7.62. replace
- 7.63. rev
- 7.64. rpc
- 7.65. seq
- 7.66. session
- 7.67. sha256
- 7.68. sha512
- 7.69. sid
- 7.70. sip_body
- 7.71. sip_header
- 7.72. sip_method
- 7.73. sip_stat_code
- 7.74. so
- 7.75. soid
- 7.76. ssl_state
- 7.77. ssl_version
- 7.78. stream_reassemble
- 7.79. stream_size
- 7.80. tag
- 7.81. tos
- 7.82. ttl
- 7.83. urg
- 7.84. window
+ 7.2. appids
+ 7.3. asn1
+ 7.4. base64_decode
+ 7.5. bufferlen
+ 7.6. byte_extract
+ 7.7. byte_jump
+ 7.8. byte_test
+ 7.9. classtype
+ 7.10. content
+ 7.11. cvs
+ 7.12. dce_iface
+ 7.13. dce_opnum
+ 7.14. dce_stub_data
+ 7.15. detection_filter
+ 7.16. dnp3_data
+ 7.17. dnp3_func
+ 7.18. dnp3_ind
+ 7.19. dnp3_obj
+ 7.20. dsize
+ 7.21. file_data
+ 7.22. file_type
+ 7.23. flags
+ 7.24. flow
+ 7.25. flowbits
+ 7.26. fragbits
+ 7.27. fragoffset
+ 7.28. gid
+ 7.29. gtp_info
+ 7.30. gtp_type
+ 7.31. gtp_version
+ 7.32. http_client_body
+ 7.33. http_cookie
+ 7.34. http_header
+ 7.35. http_method
+ 7.36. http_raw_cookie
+ 7.37. http_raw_header
+ 7.38. http_raw_request
+ 7.39. http_raw_status
+ 7.40. http_raw_trailer
+ 7.41. http_raw_uri
+ 7.42. http_stat_code
+ 7.43. http_stat_msg
+ 7.44. http_trailer
+ 7.45. http_uri
+ 7.46. http_version
+ 7.47. icmp_id
+ 7.48. icmp_seq
+ 7.49. icode
+ 7.50. id
+ 7.51. ip_proto
+ 7.52. ipopts
+ 7.53. isdataat
+ 7.54. itype
+ 7.55. md5
+ 7.56. metadata
+ 7.57. modbus_data
+ 7.58. modbus_func
+ 7.59. modbus_unit
+ 7.60. msg
+ 7.61. pcre
+ 7.62. pkt_data
+ 7.63. priority
+ 7.64. raw_data
+ 7.65. reference
+ 7.66. regex
+ 7.67. rem
+ 7.68. replace
+ 7.69. rev
+ 7.70. rpc
+ 7.71. sd_pattern
+ 7.72. seq
+ 7.73. session
+ 7.74. sha256
+ 7.75. sha512
+ 7.76. sid
+ 7.77. sip_body
+ 7.78. sip_header
+ 7.79. sip_method
+ 7.80. sip_stat_code
+ 7.81. so
+ 7.82. soid
+ 7.83. ssl_state
+ 7.84. ssl_version
+ 7.85. stream_reassemble
+ 7.86. stream_size
+ 7.87. tag
+ 7.88. tos
+ 7.89. ttl
+ 7.90. window
8. Search Engine Modules
9. SO Rule Modules
10. Logger Modules
10.1. alert_csv
- 10.2. alert_ex
- 10.3. alert_fast
- 10.4. alert_full
- 10.5. alert_syslog
- 10.6. alert_unixsock
- 10.7. log_codecs
- 10.8. log_hext
- 10.9. log_pcap
- 10.10. unified2
+ 10.2. alert_fast
+ 10.3. alert_full
+ 10.4. alert_syslog
+ 10.5. log_codecs
+ 10.6. log_hext
+ 10.7. log_pcap
+ 10.8. unified2
11. DAQ Modules
15. Coding Style
15.1. General
- 15.2. Naming
- 15.3. Comments
- 15.4. Logging
- 15.5. Types
- 15.6. Macros (aka defines)
- 15.7. Formatting
- 15.8. Classes
+ 15.2. C++ Specific
+ 15.3. Naming
+ 15.4. Comments
+ 15.5. Logging
+ 15.6. Types
+ 15.7. Macros (aka defines)
+ 15.8. Formatting
15.9. Headers
15.10. Warnings
- 15.11. Other
- 15.12. Uncrustify
+ 15.11. Uncrustify
16. Reference
Snorty
,,_ -*> Snort++ <*-
-o" )~ Version 3.0.0-a3 (Build 186) from 2.9.7-262
+o" )~ Version 3.0.0-a4 (Build 206) from 2.9.7-262
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
- Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
+ Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Required:
* autotools or cmake to build from source
- * g++ >= 4.8 or other recent C++11 compiler
* daq from http://www.snort.org for packet IO
+ * g++ >= 4.8 or other recent C++11 compiler
* dnet from https://github.com/dugsong/libdnet.git for network
utility functions
+ * hwloc from https://www.open-mpi.org/projects/hwloc/ for CPU
+ affinity management
* LuaJIT from http://luajit.org for configuration and scripting
+ * OpenSSL from https://www.openssl.org/source/ for SHA and MD5 file
+ signatures, the protected_content rule option, and SSL service
+ detection
* pcap from http://www.tcpdump.org for tcpdump style logging
* pcre from http://www.pcre.org for regular expression pattern
matching
+ * pkgconfig from https://www.freedesktop.org/wiki/Software/
+ pkg-config/ to locate build dependencies
* zlib from http://www.zlib.net for decompression (>= 1.2.8
recommended)
- * pkgconfig from http://www.freedesktop.org to build the example
- plugins
Optional:
* lzma >= 5.1.2 from http://tukaani.org/xz/ for decompression of
SWF and PDF files
- * openssl from https://www.openssl.org for SHA and MD5 file
- signatures and the protected_content rule option
* hyperscan from https://github.com/01org/hyperscan to build new
and improved regex and (coming soon) fast pattern support
* cpputest from http://cpputest.github.io to run additional unit
text manual
* source-highlight from http://www.gnu.org/software/src-highlite/
to generate the dev guide
+ * safec from https://sourceforge.net/projects/safeclib/ for runtime
+ bounds checks on certain legacy C-library calls.
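Review bot: OpenSSL moves from Optional to Required and hwloc becomes a new hard dependency, but the Optional list is only partially refreshed: the unchanged hyperscan bullet still promises `(coming soon) fast pattern support` while the plugin list in this same revision already ships `search_engine::hyperscan`, so update or drop the parenthetical. The new `safec ... for runtime bounds checks on certain legacy C-library calls` bullet should say how the build picks it up (the configure flag or cmake option) and whether it is recommended for production builds; an optional hardening library the docs do not tell you how to enable will not get enabled.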
2.2. Building
* With cmake, make install will rebuild the docs even though when
already built.
* Enabling large pcap may erroneously affect the number of packets
- processed from pcaps
+ processed from pcaps.
* Enabling debug messages may erroneously affect the number of
- packets processed from pcaps
+ packets processed from pcaps.
* g++ 4.9.2 with -O3 reports:
src/service_inspectors/back_orifice/back_orifice.cc:231:25: warning:
iteration 930u invokes undefined behavior [-Waggressive-loop-optimizations]
+ * Building with clang and autotools on Linux will show the
+ following warning many times. Please ignore.
+
+ clang: warning: argument unused during compilation: '-pthread'
+
+ * It is not possible to build dynamic plugins using apple clang due
+ to its limited support for thread local variables.
+
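Review bot: `Please ignore.` after the clang `-pthread` warning should give the reason the warning is harmless, otherwise readers cannot tell it from a real misconfiguration; the apple clang item should name the affected compiler versions or the build option that turns dynamic plugins off, since "not possible" with no version bound will go stale. The unchanged context line two items up, `make install will rebuild the docs even though when already built`, has a stray `when`; fix it while touching this list.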
2.8.2. Config
* Parsing issue with IP lists. can’t parse rules with $EXTERNAL_NET
- defined as below because or the space between ! and 10.
+ defined as below because of the space between ! and 10.
HOME_NET = [[ 10.0.17.0/24 10.0.14.0/24 10.247.0.0/16 10.246.0.0/16 ]]
EXTERNAL_NET = '! ' .. HOME_NET
options.
* --lua can only be used in addition to, not in place of, a -c
config. Ideally, --lua could be used in lieu of -c.
- * Rule line numbers provided with syntax error messages are off by
- one. The first rule is unnumbered, the second rule is one, etc.
- See nhttp_inspect/detection_buffers/bad_rules/expected for an
- example.
2.8.3. Rules
).
* The hext DAQ does not support embedded quotes in text lines (use
hex lines as a workaround).
- * Stream TCP alert squash mechanism incorrectly squashes alerts for
+ * stream_tcp alert squash mechanism incorrectly squashes alerts for
different TCP packets.
+ * stream_tcp gap count is broken.
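Review bot: `stream_tcp gap count is broken.` is too terse for a known-issues entry; say what is observable (which peg or statistic is wrong, and in which direction) and whether the miscount affects only statistics or also reassembly decisions, because someone hardening an inline deployment needs to know if this is cosmetic or a detection gap. The removed off-by-one rule-line-number item presumably reflects a fix; confirm it is recorded in the Changes section so the removal here is not read as a dropped issue.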
---------------------------------------------------------------------
Configuration:
- * string daq.dir: directory where to search for DAQ plugins
- * select daq.mode: set mode of operation { passive | inline |
- read-file }
+ * string daq.module_dirs[].str: string parameter
+ * string daq.input_spec: input specification
+ * string daq.module: DAQ module to use
+ * string daq.variables[].str: string parameter
+ * int daq.instances[].id: instance ID (required) { 0: }
+ * string daq.instances[].input_spec: input specification
+ * string daq.instances[].variables[].str: string parameter
+ * int daq.snaplen: set snap length (same as -s) { 0:65535 }
* bool daq.no_promisc = false: whether to put DAQ device into
promiscuous mode
- * string daq.type: select type of DAQ
- * string daq.vars: comma separated list of name=value DAQ-specific
- parameters
- * int daq.snaplen = deflt: set snap length (same as -P) { 0:65535 }
- * bool daq.decode_data_link = false: display the second layer
- header info
Peg counts:
* daq.internal whitelist: packets whitelisted internally due to
lack of DAQ support
* daq.skipped: packets skipped at startup
- * daq.fail open: packets passed during initialization
* daq.idle: attempts to acquire from DAQ without available packets
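Review bot: the new daq parameters ship with placeholder help text, `string daq.module_dirs[].str: string parameter`, `string daq.variables[].str: string parameter` and the same for `daq.instances[].variables[].str`, while the lines they replace were descriptive (`directory where to search for DAQ plugins`, `comma separated list of name=value DAQ-specific parameters`); carry the old descriptions over. More important, `select daq.mode: set mode of operation { passive | inline | read-file }` is removed with no replacement in this hunk, so the manual no longer tells an operator how to put the engine inline versus passive; say where mode selection now lives. `daq.fail open: packets passed during initialization` also drops out of the peg list: if packets are still passed uninspected during startup, that fail-open behaviour must stay documented and countable, and if it was removed, say so explicitly. Minor: the snaplen help text changes the flag from `-P` to `-s`; make sure the command-line chapter agrees.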
seconds { 0: }
* bool file_id.block_timeout_lookup = false: block if lookup times
out
+ * int file_id.capture_memcap = 100: memcap for file capture in
+ megabytes { 0: }
+ * int file_id.capture_max_size = 1048576: stop file capture beyond
+ this point { 0: }
+ * int file_id.capture_min_size = 0: stop file capture if file size
+ less than this { 0: }
+ * int file_id.capture_block_size = 32768: file capture block size
+ in bytes { 8: }
* bool file_id.enable_type = false: enable type ID
* bool file_id.enable_signature = false: enable signature
calculation
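Review bot: the units of the new capture parameters are inconsistent: `file_id.capture_memcap = 100: memcap for file capture in megabytes` and `capture_block_size = 32768: file capture block size in bytes` are explicit, but `capture_max_size = 1048576` and `capture_min_size = 0` name no unit at all; state bytes (or whatever they are) on both, and say how capture_max_size interacts with the memcap, i.e. whether a file exceeding max_size is truncated, discarded, or still hashed for the signature options.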
data
-3.11. host_tracker
+3.11. high_availability
+
+------------
+
+What: implement flow tracking high availability
+
+Type: basic
+
+Configuration:
+
+ * bool high_availability.enable = false: enable high availability
+ * bool high_availability.daq_channel = false: enable use of daq
+ data plane channel
+ * bit_list high_availability.ports: side channel message port list
+ { 65535 }
+ * real high_availability.min_age = 1.0: minimum session life before
+ HA updates { 0.0:100.0 }
+ * real high_availability.min_sync = 1.0: minimum interval between
+ HA updates { 0.0:100.0 }
+
+Peg counts:
+
+
+3.12. host_cache
+
+------------
+
+What: configure hosts
+
+Type: basic
+
+Configuration:
+
+ * int host_cache[].size: size of host cache
+
+Peg counts:
+
+ * host_cache.lru cache adds: lru cache added new entry
+ * host_cache.lru cache replaces: lru cache replaced existing entry
+ * host_cache.lru cache prunes: lru cache pruned entry to make space
+ for new entry
+ * host_cache.lru cache find hits: lru cache found entry in cache
+ * host_cache.lru cache find misses: lru cache did not find entry in
+ cache
+ * host_cache.lru cache removes: lru cache found entry and removed
+ it
+ * host_cache.lru cache clears: lru cache clear API calls
+
+
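Review bot: the `high_availability` section ends with an empty `Peg counts:` heading, and its numeric parameters `min_age = 1.0` and `min_sync = 1.0 { 0.0:100.0 }` carry no unit (seconds?); fill both in or drop the empty heading. Because this module replicates flow state to a peer over the side channel, the section should also state what, if anything, authenticates or encrypts that channel (the `ports` list alone tells an operator to open a port, not how to protect it), and the range notation `{ 65535 }` on `bit_list high_availability.ports` differs from the `{ 0:65535 }` form used for other port-valued parameters. For host_cache, `int host_cache[].size: size of host cache` gives no default and no unit (entries or bytes), and `What: configure hosts` is the same one-line description as host_tracker; say what the cache holds and how it relates to host_tracker.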
+3.13. host_tracker
------------
udp }
* port host_tracker[].services[].port: port number
+Peg counts:
+
+ * host_tracker.service adds: host service adds
+ * host_tracker.service finds: host service finds
+ * host_tracker.service removes: host service removes
-3.12. hosts
+
+3.14. hosts
------------
* port hosts[].services[].port: port number
-3.13. ips
+3.15. ips
------------
* string ips.rules: snort rules and includes
-3.14. network
+3.16. latency
+
+------------
+
+What: packet and rule latency monitoring and control
+
+Type: basic
+
+Configuration:
+
+ * int latency.packet.max_time = 500: set timeout for packet latency
+ thresholding (usec) { 0: }
+ * bool latency.packet.fastpath = false: fastpath expensive packets
+ (max_time exceeded)
+ * enum latency.packet.action = alert_and_log: event action if
+ packet times out and is fastpathed { none | alert | log |
+ alert_and_log }
+ * int latency.rule.max_time = 500: set timeout for rule evaluation
+ (usec) { 0: }
+ * bool latency.rule.suspend = false: temporarily suspend expensive
+ rules
+ * int latency.rule.suspend_threshold = 5: set threshold for number
+ of timeouts before suspending a rule { 1: }
+ * int latency.rule.max_suspend_time = 30000: set max time for
+ suspending a rule (ms, 0 means permanently disable rule) { 0: }
+ * enum latency.rule.action = alert_and_log: event action for rule
+ latency enable and suspend events { none | alert | log |
+ alert_and_log }
+
+Rules:
+
+ * 134:1 (latency) rule tree suspended due to latency
+ * 134:2 (latency) rule tree re-enabled after suspend timeout
+ * 134:3 (latency) packet fastpathed due to latency
+
+Peg counts:
+
+ * latency.total_packets: total packets monitored
+ * latency.packet_timeouts: packets that timed out
+ * latency.total_rule_evals: total rule evals monitored
+ * latency.rule_eval_timeouts: rule evals that timed out
+ * latency.rule_tree_enables: rule tree re-enables
+
+
+3.17. memory
+
+------------
+
+What: memory management configuration
+
+Type: basic
+
+Configuration:
+
+ * int memory.cap = 0: set the per-packet-thread cap on memory
+ (bytes, 0 to disable) { 0: }
+ * bool memory.soft = false: always succeed in allocating memory,
+ even if above the cap
+ * int memory.threshold = 0: set the per-packet-thread threshold for
+ preemptive cleanup actions (percent, 0 to disable) { 0: }
+
+
+3.18. network
------------
116:293 may fire. 0 = unlimited { 0:255 }
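Review bot: in the memory section above, `memory.threshold` is described as a percent but its range is `{ 0: }`, which admits values above 100; tighten it to `{ 0:100 }` and state that the percentage is relative to `memory.cap`, since a threshold with `cap = 0` (disabled) has no defined meaning as written. The `memory.soft` entry should also say whether the threshold cleanup actions still run when allocations are allowed to exceed the cap, otherwise an operator cannot tell what `soft = true` actually gives up.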
-3.15. output
+3.19. output
------------
* string output.logdir = .: where to put log files (same as -l)
* bool output.obfuscate = false: obfuscate the logged IP addresses
(same as -O)
+ * bool output.obfuscate_pii = false: Mask all but the last 4
+ characters of credit card and social security numbers
* bool output.show_year = false: include year in timestamp in the
alert and log files (same as -y)
* int output.tagged_packet_limit = 256: maximum number of packets
* bool output.verbose = false: be verbose (same as -v)
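Review bot: style: the new `output.obfuscate_pii` description begins with a capital ("Mask all but the last 4 ...") while every neighbouring entry is lowercase. It should also say which outputs the masking applies to (the alert and log files named in the `show_year` entry, or every sink), since a reader deciding whether logs are safe to share needs to know where unmasked numbers can still appear.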
-3.16. packets
+3.20. packets
------------
DAQ address space info is used to track fragments and connections
* string packets.bpf_file: file with BPF to select traffic for
Snort
- * bool packets.enable_inline_init_failopen = true: whether to pass
- traffic during later stage of initialization to avoid drops
* int packets.limit = 0: maximum number of packets to process
before stopping (0 is unlimited) { 0: }
* int packets.skip = 0: number of packets to skip before before
is used to track fragments and connections
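Review bot: dropping `packets.enable_inline_init_failopen` leaves the section silent on what inline deployments now do with traffic during the later stage of initialization, which the removed text described as passing to avoid drops; add a sentence stating the current behaviour (always pass, always drop, or controlled elsewhere), because that decides whether an inline sensor fails open or closed at startup.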
-3.17. ppm
-
-------------
-
-What: packet and rule latency monitoring and control
-
-Type: basic
-
-Configuration:
-
- * int ppm.max_pkt_time = 0: enable packet latency thresholding
- (usec), 0 = off { 0: }
- * bool ppm.fastpath_expensive_packets = false: stop inspection if
- the max_pkt_time is exceeded
- * enum ppm.pkt_log = none: log event if max_pkt_time is exceeded {
- none | log | alert | both }
- * int ppm.max_rule_time = 0: enable rule latency thresholding
- (usec), 0 = off { 0: }
- * int ppm.threshold = 5: number of times to exceed limit before
- disabling rule { 1: }
- * bool ppm.suspend_expensive_rules = false: temporarily disable
- rule if threshold is reached
- * int ppm.suspend_timeout = 60: seconds to suspend rule, 0 =
- permanent { 0: }
- * enum ppm.rule_log = none: enable event logging for suspended
- rules { none|log|alert|both }
-
-Rules:
-
- * 134:1 (ppm) rule options disabled by rule latency
- * 134:2 (ppm) rule options re-enabled by rule latency
- * 134:3 (ppm) packet aborted due to latency
-
-
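Review bot: the removed ppm section and the new latency section above differ in units, defaults and enums without a migration note: `ppm.suspend_timeout = 60` was in seconds while `latency.rule.max_suspend_time = 30000` is in milliseconds (so the default halves from 60 s to 30 s); `ppm.max_pkt_time = 0` meant off, while `latency.packet.max_time = 500` is on by default and its `{ 0: }` range does not say whether 0 still disables thresholding; and the action enums change from `{ none | log | alert | both }` to `{ none | alert | log | alert_and_log }`. One short paragraph mapping the old keys to the new ones would stop operators from carrying a silently changed latency policy across the upgrade; the 134:1 to 134:3 messages also changed wording, so anyone matching on message text should be told.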
-3.18. process
+3.21. process
------------
Configuration:
* string process.chroot: set chroot directory (same as -t)
- * int process.threads[].cpu = 0: pin the associated source/thread
- to this cpu { 0:127 }
- * string process.threads[].source: set cpu affinity for this source
- (either pcap or <iface>
+ * string process.threads[].cpuset: pin the associated thread to
+ this cpuset
* int process.threads[].thread = 0: set cpu affinity for the
<cur_thread_num> thread that runs { 0: }
* bool process.daemon = false: fork as a daemon (same as -D)
timestamps
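Review bot: `process.threads[].cpuset` replaces `cpu`/`source` but the entry does not say what a cpuset value looks like (a CPU list, a range, a mask), and the surviving line `* int process.threads[].thread = 0: set cpu affinity for the <cur_thread_num> thread that runs { 0: }` is ungrammatical and no longer explains whether `thread` selects which packet thread the cpuset applies to; state the expected syntax and reword along the lines of "index of the packet thread this cpuset applies to".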
-3.19. profiler
+3.22. profiler
------------
avg_match | avg_no_match }
-3.20. rate_filter
+3.23. rate_filter
------------
according to track
-3.21. references
+3.24. references
------------
* string references[].url: where this reference is defined
-3.22. rule_state
+3.25. rule_state
------------
policies
-3.23. search_engine
+3.26. search_engine
------------
| ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan }
* bool search_engine.split_any_any = false: evaluate any-any rules
separately to save memory
- * bool search_engine.search_optimize = false: tweak state machine
+ * bool search_engine.search_optimize = true: tweak state machine
construction for better performance
+Peg counts:
+
+ * search_engine.max queued: maximum fast pattern matches queued for
+ further evaluation
+ * search_engine.total flushed: fast pattern matches discarded due
+ to overflow
+ * search_engine.total inserts: total fast pattern hits
+ * search_engine.total unique: total unique fast pattern hits
+ * search_engine.non-qualified events: total non-qualified events
+ * search_engine.qualified events: total qualified events
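Review bot: flipping the `search_engine.search_optimize` default from false to true changes behaviour for every configuration that did not set it explicitly; call the change out in the text rather than leaving it as a silent default edit. Of the new pegs, `search_engine.total flushed` (fast pattern matches discarded due to overflow) is the one a defender must watch, since a non-zero value means candidate matches were never evaluated; say which setting bounds the queue that `max queued` is measured against so the peg can be acted on.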
-3.24. snort
+
+3.27. side_channel
+
+------------
+
+What: implement the side-channel asynchronous messaging subsystem
+
+Type: basic
+
+Configuration:
+
+ * bit_list side_channel.ports: side channel message port list {
+ 65535 }
+ * string side_channel.connectors[].connector: connector handle
+
+Peg counts:
+
+
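Review bot: the side_channel section ends with a `Peg counts:` heading that lists nothing; either add the counts or drop the heading. `side_channel.ports` gives `{ 65535 }` where every other range on the page is written `{ lo:hi }`, so it reads like a default rather than a bound, and `connectors[].connector: connector handle` does not say where a handle comes from; one sentence on what a connector is would make the entry usable.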
+3.28. snort
------------
DAQ
* implied snort.--daq-list: list packet acquisition modules
available in optional dir, default is static modules only
- * string snort.--daq-mode: <mode> select the DAQ operating mode
* string snort.--daq-var: <name=value> specify extra DAQ
configuration variable
* implied snort.--dirty-pig: don’t flush packets on shutdown
loaded rules libraries
* string snort.--dump-defaults: [<module prefix>] output module
defaults in Lua format { (optional) }
- * string snort.--dump-version: output the version, the whole
- version, and only the version { (optional) }
+ * implied snort.--dump-version: output the version, the whole
+ version, and only the version
* implied snort.--enable-inline-test: enable Inline-Test Mode
Operation
* implied snort.--help: list command line options
* snort.attribute table hosts: total number of hosts in table
-3.25. suppress
+3.29. suppress
------------
* 116:466 (auth) bad authentication header length
-4.3. eapol
-
-------------
-
-What: support for extensible authentication protocol over LAN
-
-Type: codec
-
-Rules:
-
- * 116:110 (eapol) truncated EAP header
- * 116:111 (eapol) EAP key truncated
- * 116:112 (eapol) EAP header truncated
-
-
-4.4. erspan2
+4.3. erspan2
------------
* 116:463 (erspan2) captured < ERSpan type2 header length
-4.5. erspan3
+4.4. erspan3
------------
* 116:464 (erspan3) captured < ERSpan type3 header length
-4.6. esp
+4.5. esp
------------
* 116:294 (esp) truncated encapsulated security payload header
-4.7. eth
+4.6. eth
------------
* 116:424 (eth) truncated eth header
-4.8. fabricpath
+4.7. fabricpath
------------
* 116:467 (fabricpath) truncated FabricPath header
-4.9. gre
+4.8. gre
------------
* 116:165 (gre) GRE trans header length > payload length
-4.10. gtp
+4.9. gtp
------------
* 116:298 (gtp) GTP header length is invalid
-4.11. icmp4
+4.10. icmp4
------------
* icmp4.bad checksum: non-zero icmp checksums
-4.12. icmp6
+4.11. icmp6
------------
* icmp6.bad checksum (ip6): nonzero ipcm6 checksums
-4.13. igmp
+4.12. igmp
------------
* 116:455 (igmp) DOS IGMP IP options validation attempt
-4.14. ipv4
+4.13. ipv4
------------
* ipv4.bad checksum: nonzero ip checksums
-4.15. ipv6
+4.14. ipv6
------------
* 116:456 (ipv6) too many IP6 extension headers
-4.16. mpls
+4.15. mpls
------------
* mpls.total bytes: total mpls labeled bytes processed
-4.17. pgm
+4.16. pgm
------------
* 116:454 (pgm) BAD-TRAFFIC PGM nak list overflow attempt
-4.18. pppoe
+4.17. pppoe
------------
* 116:120 (pppoe) bad PPPOE frame detected
-4.19. tcp
+4.18. tcp
------------
* tcp.bad checksum (ip6): nonzero tcp over ipv6 checksums
-4.20. token_ring
-
-------------
-
-What: support for token ring decoding
-
-Type: codec
-
-Rules:
-
- * 116:140 (token_ring) (token_ring) Bad Token Ring Header
- * 116:141 (token_ring) (token_ring) Bad Token Ring ETHLLC Header
- * 116:142 (token_ring) (token_ring) Bad Token Ring MRLENHeader
- * 116:143 (token_ring) (token_ring) Bad Token Ring MR Header
-
-
-4.21. udp
+4.19. udp
------------
* udp.bad checksum (ip6): nonzero udp over ipv6 checksums
-4.22. vlan
+4.20. vlan
------------
* 116:132 (vlan) bad extra LLC info
-4.23. wlan
+---------------------------------------------------------------------
-------------
+5. Inspector Modules
-What: support for wireless local area network protocol (DLT 105)
+---------------------------------------------------------------------
-Type: codec
+These modules perform a variety of functions, including analysis of
+protocols beyond basic decoding.
-Rules:
- * 116:133 (wlan) bad 802.11 LLC header
- * 116:134 (wlan) bad 802.11 extra LLC info
+5.1. appid
+------------
----------------------------------------------------------------------
+What: application and service identification
-5. Inspector Modules
+Type: inspector
----------------------------------------------------------------------
+Configuration:
-These modules perform a variety of functions, including analysis of
-protocols beyond basic decoding.
+ * string appid.conf: RNA configuration file
+ * int appid.memcap = 268435456: time period for collecting and
+ logging AppId statistics { 1048576:3221225472 }
+ * string appid.app_stats_filename: Filename for logging AppId
+ statistics
+ * int appid.app_stats_period = 300: time period for collecting and
+ logging AppId statistics { 0: }
+ * int appid.app_stats_rollover_size = 20971520: max file size for
+ AppId stats before rolling over the log file { 0: }
+ * int appid.app_stats_rollover_time = 86400: max time period for
+ collection AppId stats before rolling over the log file { 0: }
+ * string appid.app_detector_dir: directory to load AppId detectors
+ from
+ * int appid.instance_id = 0: instance id - need more details for
+ what this is { 0: }
+ * bool appid.debug = false: enable AppId debug logging
+ * bool appid.dump_ports = false: enable dump of AppId port
+ information
+ * string appid.thirdparty_appid_dir: directory to load thirdparty
+ AppId detectors from
+Peg counts:
-5.1. arp_spoof
+ * appid.packets: count of packets processed by appid
+ * appid.battlefield_flows: count of battle field flows discovered
+ by appid
+ * appid.bgp_flows: count of bgp flows discovered by appid
+ * appid.bit_clients: count of bittorrent clients discovered by
+ appid
+ * appid.bit_flows: count of bittorrent flows discovered by appid
+ * appid.bittracker_clients: count of bittorrent tracker clients
+ discovered by appid
+ * appid.dcerpc_tcp_flows: count of dce rpc flows over tcp
+ discovered by appid
+ * appid.dcerpc_udp_flows: count of dce rpc flows over udp
+ discovered by appid
+ * appid.dns_tcp_flows: count of dns flows over tcp discovered by
+ appid
+ * appid.dns_udp_flows: count of dns flows over udp discovered by
+ appid
+ * appid.ftp_flows: count of ftp flows discovered by appid
+ * appid.ftps_flows: count of ftps flows discovered by appid
+ * appid.imap_flows: count of imap service flows discovered by appid
+ * appid.imaps_flows: count of imap TLS service flows discovered by
+ appid
+ * appid.irc_flows: count of irc service flows discovered by appid
+ * appid.kerberos_clients: count of kerberos clients discovered by
+ appid
+ * appid.kerberos_flows: count of kerberos service flows discovered
+ by appid
+ * appid.kerberos_users: count of kerberos users discovered by appid
+ * appid.lpr_flows: count of lpr service flows discovered by appid
+ * appid.mdns_flows: count of mdns service flows discovered by appid
+ * appid.mysql_flows: count of mysql service flows discovered by
+ appid
+ * appid.netbios_flows: count of netbios service flows discovered by
+ appid
+ * appid.pop_flows: count of pop service flows discovered by appid
+ * appid.smtp_flows: count of smtp flows discovered by appid
+ * appid.smtps_flows: count of smtps flows discovered by appid
+ * appid.ssh_clients: count of ssh clients discovered by appid
+ * appid.ssh_flows: count of ssh flows discovered by appid
+ * appid.ssl_flows: count of ssl flows discovered by appid
+ * appid.telnet_flows: count of telnet flows discovered by appid
+ * appid.timbuktu_flows: count of timbuktu flows discovered by appid
+
+
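Review bot: `appid.memcap = 268435456: time period for collecting and logging AppId statistics { 1048576:3221225472 }` has its description copied from `app_stats_period`; by its name and byte-sized range it is a memory cap, so write something like "memory cap for AppId (bytes)". `appid.instance_id = 0: instance id - need more details for what this is` is a leftover author note and should not ship in the manual. Minor: `app_stats_rollover_time` says "max time period for collection AppId stats" (collecting), `app_stats_filename` starts with a capital unlike its neighbours, and `appid.conf: RNA configuration file` uses an internal product name without expanding it.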
+5.2. arp_spoof
------------
* arp_spoof.packets: total packets
-5.2. back_orifice
+5.3. back_orifice
------------
* back_orifice.packets: total packets
-5.3. binder
+5.4. binder
------------
* binder.inspects: inspect bindings
-5.4. data_log
-
-------------
-
-What: log selected published data to data.log
-
-Type: inspector
-
-Configuration:
-
- * string data_log.key = http_uri: name of data buffer to log
-
-Peg counts:
-
- * data_log.packets: total packets
-
-
5.5. dce_smb
------------
Rules:
- * 145:2 (dce_smb) SMB - Bad NetBIOS Session Service session type.
- * 145:3 (dce_smb) SMB - Bad SMB message type.
- * 145:4 (dce_smb) SMB - Bad SMB Id (not \xffSMB for SMB1 or not \
+ * 133:2 (dce_smb) SMB - Bad NetBIOS Session Service session type.
+ * 133:3 (dce_smb) SMB - Bad SMB message type.
+ * 133:4 (dce_smb) SMB - Bad SMB Id (not \xffSMB for SMB1 or not \
xfeSMB for SMB2).
- * 145:5 (dce_smb) SMB - Bad word count or structure size.
- * 145:6 (dce_smb) SMB - Bad byte count.
- * 145:7 (dce_smb) SMB - Bad format type.
- * 145:8 (dce_smb) SMB - Bad offset.
- * 145:9 (dce_smb) SMB - Zero total data count.
- * 145:10 (dce_smb) SMB - NetBIOS data length less than SMB header
+ * 133:5 (dce_smb) SMB - Bad word count or structure size.
+ * 133:6 (dce_smb) SMB - Bad byte count.
+ * 133:7 (dce_smb) SMB - Bad format type.
+ * 133:8 (dce_smb) SMB - Bad offset.
+ * 133:9 (dce_smb) SMB - Zero total data count.
+ * 133:10 (dce_smb) SMB - NetBIOS data length less than SMB header
length.
- * 145:12 (dce_smb) SMB - Remaining NetBIOS data length less than
+ * 133:12 (dce_smb) SMB - Remaining NetBIOS data length less than
command byte count.
- * 145:13 (dce_smb) SMB - Remaining NetBIOS data length less than
+ * 133:13 (dce_smb) SMB - Remaining NetBIOS data length less than
command data size.
- * 145:14 (dce_smb) SMB - Remaining total data count less than this
+ * 133:14 (dce_smb) SMB - Remaining total data count less than this
command data size.
- * 145:15 (dce_smb) SMB - Total data sent (STDu64) greater than
+ * 133:15 (dce_smb) SMB - Total data sent (STDu64) greater than
command total data expected.
- * 145:16 (dce_smb) SMB - Byte count less than command data size
+ * 133:16 (dce_smb) SMB - Byte count less than command data size
(STDu64)
- * 145:17 (dce_smb) SMB - Invalid command data size for byte count.
- * 145:18 (dce_smb) SMB - Excessive Tree Connect requests with
+ * 133:17 (dce_smb) SMB - Invalid command data size for byte count.
+ * 133:18 (dce_smb) SMB - Excessive Tree Connect requests with
pending Tree Connect responses.
- * 145:19 (dce_smb) SMB - Excessive Read requests with pending Read
+ * 133:19 (dce_smb) SMB - Excessive Read requests with pending Read
responses.
- * 145:20 (dce_smb) SMB - Excessive command chaining.
- * 145:21 (dce_smb) SMB - Multiple chained tree connect requests.
- * 145:22 (dce_smb) SMB - Multiple chained tree connect requests.
- * 145:23 (dce_smb) SMB - Chained/Compounded login followed by
+ * 133:20 (dce_smb) SMB - Excessive command chaining.
+ * 133:21 (dce_smb) SMB - Multiple chained tree connect requests.
+ * 133:22 (dce_smb) SMB - Multiple chained tree connect requests.
+ * 133:23 (dce_smb) SMB - Chained/Compounded login followed by
logoff.
- * 145:24 (dce_smb) SMB - Chained/Compounded tree connect followed
+ * 133:24 (dce_smb) SMB - Chained/Compounded tree connect followed
by tree disconnect.
- * 145:25 (dce_smb) SMB - Chained/Compounded open pipe followed by
+ * 133:25 (dce_smb) SMB - Chained/Compounded open pipe followed by
close pipe.
- * 145:26 (dce_smb) SMB - Invalid share access.
- * 145:27 (dce_smb) Connection oriented DCE/RPC - Invalid major
+ * 133:26 (dce_smb) SMB - Invalid share access.
+ * 133:27 (dce_smb) Connection oriented DCE/RPC - Invalid major
version.
- * 145:28 (dce_smb) Connection oriented DCE/RPC - Invalid minor
+ * 133:28 (dce_smb) Connection oriented DCE/RPC - Invalid minor
version.
- * 145:29 (dce_smb) Connection-oriented DCE/RPC - Invalid pdu type.
- * 145:30 (dce_smb) Connection-oriented DCE/RPC - Fragment length
+ * 133:29 (dce_smb) Connection-oriented DCE/RPC - Invalid pdu type.
+ * 133:30 (dce_smb) Connection-oriented DCE/RPC - Fragment length
less than header size.
- * 145:32 (dce_smb) Connection-oriented DCE/RPC - No context items
+ * 133:32 (dce_smb) Connection-oriented DCE/RPC - No context items
specified.
- * 145:33 (dce_smb) Connection-oriented DCE/RPC -No transfer
+ * 133:33 (dce_smb) Connection-oriented DCE/RPC -No transfer
syntaxes specified.
- * 145:34 (dce_smb) Connection-oriented DCE/RPC - Fragment length on
+ * 133:34 (dce_smb) Connection-oriented DCE/RPC - Fragment length on
non-last fragment less than maximum negotiated fragment transmit
size for client.
- * 145:35 (dce_smb) Connection-oriented DCE/RPC - Fragment length
+ * 133:35 (dce_smb) Connection-oriented DCE/RPC - Fragment length
greater than maximum negotiated fragment transmit size.
- * 145:36 (dce_smb) Connection-oriented DCE/RPC - Alter Context byte
+ * 133:36 (dce_smb) Connection-oriented DCE/RPC - Alter Context byte
order different from Bind
- * 145:37 (dce_smb) Connection-oriented DCE/RPC - Call id of non
+ * 133:37 (dce_smb) Connection-oriented DCE/RPC - Call id of non
first/last fragment different from call id established for
fragmented request.
- * 145:38 (dce_smb) Connection-oriented DCE/RPC - Opnum of non first
+ * 133:38 (dce_smb) Connection-oriented DCE/RPC - Opnum of non first
/last fragment different from opnum established for fragmented
request.
- * 145:39 (dce_smb) Connection-oriented DCE/RPC - Context id of non
+ * 133:39 (dce_smb) Connection-oriented DCE/RPC - Context id of non
first/last fragment different from context id established for
fragmented request.
- * 145:44 (dce_smb) SMB - Invalid SMB version 1 seen.
- * 145:45 (dce_smb) SMB - Invalid SMB version 2 seen.
- * 145:46 (dce_smb) SMB - Invalid user, tree connect, file binding.
- * 145:47 (dce_smb) SMB - Excessive command compounding.
- * 145:48 (dce_smb) SMB - Zero data count.
- * 145:50 (dce_smb) SMB - Maximum number of outstanding requests
+ * 133:44 (dce_smb) SMB - Invalid SMB version 1 seen.
+ * 133:45 (dce_smb) SMB - Invalid SMB version 2 seen.
+ * 133:46 (dce_smb) SMB - Invalid user, tree connect, file binding.
+ * 133:47 (dce_smb) SMB - Excessive command compounding.
+ * 133:48 (dce_smb) SMB - Zero data count.
+ * 133:50 (dce_smb) SMB - Maximum number of outstanding requests
exceeded.
- * 145:51 (dce_smb) SMB - Outstanding requests with same MID.
- * 145:52 (dce_smb) SMB - Deprecated dialect negotiated.
- * 145:53 (dce_smb) SMB - Deprecated command used.
- * 145:54 (dce_smb) SMB - Unusual command used.
- * 145:55 (dce_smb) SMB - Invalid setup count for command.
- * 145:56 (dce_smb) SMB - Client attempted multiple dialect
+ * 133:51 (dce_smb) SMB - Outstanding requests with same MID.
+ * 133:52 (dce_smb) SMB - Deprecated dialect negotiated.
+ * 133:53 (dce_smb) SMB - Deprecated command used.
+ * 133:54 (dce_smb) SMB - Unusual command used.
+ * 133:55 (dce_smb) SMB - Invalid setup count for command.
+ * 133:56 (dce_smb) SMB - Client attempted multiple dialect
negotiations on session.
- * 145:57 (dce_smb) SMB - Client attempted to create or set a file’s
+ * 133:57 (dce_smb) SMB - Client attempted to create or set a file’s
attributes to readonly/hidden/system.
Peg counts:
* dce_smb.events: total events
* dce_smb.aborted sessions: total aborted sessions
* dce_smb.bad autodetects: total bad autodetects
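Review bot: the gid change from 145 to 133 for every dce_smb rule (and, below, every dce_tcp rule) is a compatibility break for any suppress, rate_filter or rule_state entries keyed on the old gid:sid pairs, which would silently stop matching; a one-line note that 145:* became 133:* is needed. Within the list, `133:21` and `133:22` carry the identical text "Multiple chained tree connect requests." so the two events cannot be told apart in output, and `133:33` still reads "DCE/RPC -No transfer" (missing space).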
- * dce_smb.smb sessions: total smb sessions
- * dce_smb.smb packets: total smb packets
- * dce_smb.connection-oriented PDUs: total connection-oriented PDUs
- * dce_smb.connection-oriented binds: total connection-oriented
- binds
- * dce_smb.connection-oriented bind acks: total connection-oriented
- binds acks
- * dce_smb.connection-oriented alter contexts: total
- connection-oriented alter contexts
- * dce_smb.connection-oriented alter context responses: total
- connection-oriented alter context responses
- * dce_smb.connection-oriented bind naks: total connection-oriented
- bind naks
- * dce_smb.connection-oriented requests: total connection-oriented
- requests
- * dce_smb.connection-oriented responses: total connection-oriented
+ * dce_smb.PDUs: total connection-oriented PDUs
+ * dce_smb.Binds: total connection-oriented binds
+ * dce_smb.Bind acks: total connection-oriented binds acks
+ * dce_smb.Alter contexts: total connection-oriented alter contexts
+ * dce_smb.Alter context responses: total connection-oriented alter
+ context responses
+ * dce_smb.Bind naks: total connection-oriented bind naks
+ * dce_smb.Requests: total connection-oriented requests
+ * dce_smb.Responses: total connection-oriented responses
+ * dce_smb.Cancels: total connection-oriented cancels
+ * dce_smb.Orphaned: total connection-oriented orphaned
+ * dce_smb.Faults: total connection-oriented faults
+ * dce_smb.Auth3s: total connection-oriented auth3s
+ * dce_smb.Shutdowns: total connection-oriented shutdowns
+ * dce_smb.Rejects: total connection-oriented rejects
+ * dce_smb.MS RPC/HTTP PDUs: total connection-oriented MS requests
+ to send RPC over HTTP
+ * dce_smb.Other requests: total connection-oriented other requests
+ * dce_smb.Other responses: total connection-oriented other
responses
- * dce_smb.connection-oriented cancels: total connection-oriented
- cancels
- * dce_smb.connection-oriented orphaned: total connection-oriented
- orphaned
- * dce_smb.connection-oriented faults: total connection-oriented
- faults
- * dce_smb.connection-oriented auth3s: total connection-oriented
- auth3s
- * dce_smb.connection-oriented shutdowns: total connection-oriented
- shutdowns
- * dce_smb.connection-oriented rejects: total connection-oriented
- rejects
- * dce_smb.connection-oriented other requests: total
- connection-oriented other requests
- * dce_smb.connection-oriented other responses: total
- connection-oriented other responses
- * dce_smb.connection-oriented request fragments: total
- connection-oriented request fragments
- * dce_smb.connection-oriented response fragments: total
- connection-oriented response fragments
- * dce_smb.connection-oriented client maximum fragment size:
- connection-oriented client maximum fragment size
- * dce_smb.connection-oriented client minimum fragment size:
- connection-oriented client minimum fragment size
- * dce_smb.connection-oriented client segments reassembled: total
- connection-oriented client segments reassembled
- * dce_smb.connection-oriented client fragments reassembled: total
- connection-oriented client fragments reassembled
- * dce_smb.connection-oriented server maximum fragment size:
- connection-oriented server maximum fragment size
- * dce_smb.connection-oriented server minimum fragment size:
- connection-oriented server minimum fragment size
- * dce_smb.connection-oriented server segments reassembled: total
- connection-oriented server segments reassembled
- * dce_smb.connection-oriented server fragments reassembled: total
- connection-oriented server fragments reassembled
- * dce_smb.smb client segments reassembled: total smb client
+ * dce_smb.Request fragments: total connection-oriented request
+ fragments
+ * dce_smb.Response fragments: total connection-oriented response
+ fragments
+ * dce_smb.Client max fragment size: connection-oriented client
+ maximum fragment size
+ * dce_smb.Client min fragment size: connection-oriented client
+ minimum fragment size
+ * dce_smb.Client segs reassembled: total connection-oriented client
segments reassembled
- * dce_smb.smb server segments reassembled: total smb server
+ * dce_smb.Client frags reassembled: total connection-oriented
+ client fragments reassembled
+ * dce_smb.Server max fragment size: connection-oriented server
+ maximum fragment size
+ * dce_smb.Server min fragment size: connection-oriented server
+ minimum fragment size
+ * dce_smb.Server segs reassembled: total connection-oriented server
segments reassembled
- * dce_smb.smb maximum outstanding requests: total smb maximum
- outstanding requests
- * dce_smb.smb files processed: total smb files processed
+ * dce_smb.Server frags reassembled: total connection-oriented
+ server fragments reassembled
+ * dce_smb.Sessions: total smb sessions
+ * dce_smb.Packets: total smb packets
+ * dce_smb.Client segs reassembled: total smb client segments
+ reassembled
+ * dce_smb.Server segs reassembled: total smb server segments
+ reassembled
+ * dce_smb.Max outstanding requests: total smb maximum outstanding
+ requests
+ * dce_smb.Files processed: total smb files processed
5.6. dce_tcp
Rules:
- * 145:27 (dce_tcp) Connection oriented DCE/RPC - Invalid major
+ * 133:27 (dce_tcp) Connection oriented DCE/RPC - Invalid major
version.
- * 145:28 (dce_tcp) Connection oriented DCE/RPC - Invalid minor
+ * 133:28 (dce_tcp) Connection oriented DCE/RPC - Invalid minor
version.
- * 145:29 (dce_tcp) Connection-oriented DCE/RPC - Invalid pdu type.
- * 145:30 (dce_tcp) Connection-oriented DCE/RPC - Fragment length
+ * 133:29 (dce_tcp) Connection-oriented DCE/RPC - Invalid pdu type.
+ * 133:30 (dce_tcp) Connection-oriented DCE/RPC - Fragment length
less than header size.
- * 145:32 (dce_tcp) Connection-oriented DCE/RPC - No context items
+ * 133:32 (dce_tcp) Connection-oriented DCE/RPC - No context items
specified.
- * 145:33 (dce_tcp) Connection-oriented DCE/RPC -No transfer
+ * 133:33 (dce_tcp) Connection-oriented DCE/RPC -No transfer
syntaxes specified.
- * 145:34 (dce_tcp) Connection-oriented DCE/RPC - Fragment length on
+ * 133:34 (dce_tcp) Connection-oriented DCE/RPC - Fragment length on
non-last fragment less than maximum negotiated fragment transmit
size for client.
- * 145:35 (dce_tcp) Connection-oriented DCE/RPC - Fragment length
+ * 133:35 (dce_tcp) Connection-oriented DCE/RPC - Fragment length
greater than maximum negotiated fragment transmit size.
- * 145:36 (dce_tcp) Connection-oriented DCE/RPC - Alter Context byte
+ * 133:36 (dce_tcp) Connection-oriented DCE/RPC - Alter Context byte
order different from Bind
- * 145:37 (dce_tcp) Connection-oriented DCE/RPC - Call id of non
+ * 133:37 (dce_tcp) Connection-oriented DCE/RPC - Call id of non
first/last fragment different from call id established for
fragmented request.
- * 145:38 (dce_tcp) Connection-oriented DCE/RPC - Opnum of non first
+ * 133:38 (dce_tcp) Connection-oriented DCE/RPC - Opnum of non first
/last fragment different from opnum established for fragmented
request.
- * 145:39 (dce_tcp) Connection-oriented DCE/RPC - Context id of non
+ * 133:39 (dce_tcp) Connection-oriented DCE/RPC - Context id of non
first/last fragment different from context id established for
fragmented request.
* dce_tcp.events: total events
* dce_tcp.aborted sessions: total aborted sessions
* dce_tcp.bad autodetects: total bad autodetects
+ * dce_tcp.PDUs: total connection-oriented PDUs
+ * dce_tcp.Binds: total connection-oriented binds
+ * dce_tcp.Bind acks: total connection-oriented binds acks
+ * dce_tcp.Alter contexts: total connection-oriented alter contexts
+ * dce_tcp.Alter context responses: total connection-oriented alter
+ context responses
+ * dce_tcp.Bind naks: total connection-oriented bind naks
+ * dce_tcp.Requests: total connection-oriented requests
+ * dce_tcp.Responses: total connection-oriented responses
+ * dce_tcp.Cancels: total connection-oriented cancels
+ * dce_tcp.Orphaned: total connection-oriented orphaned
+ * dce_tcp.Faults: total connection-oriented faults
+ * dce_tcp.Auth3s: total connection-oriented auth3s
+ * dce_tcp.Shutdowns: total connection-oriented shutdowns
+ * dce_tcp.Rejects: total connection-oriented rejects
+ * dce_tcp.MS RPC/HTTP PDUs: total connection-oriented MS requests
+ to send RPC over HTTP
+ * dce_tcp.Other requests: total connection-oriented other requests
+ * dce_tcp.Other responses: total connection-oriented other
+ responses
+ * dce_tcp.Request fragments: total connection-oriented request
+ fragments
+ * dce_tcp.Response fragments: total connection-oriented response
+ fragments
+ * dce_tcp.Client max fragment size: connection-oriented client
+ maximum fragment size
+ * dce_tcp.Client min fragment size: connection-oriented client
+ minimum fragment size
+ * dce_tcp.Client segs reassembled: total connection-oriented client
+ segments reassembled
+ * dce_tcp.Client frags reassembled: total connection-oriented
+ client fragments reassembled
+ * dce_tcp.Server max fragment size: connection-oriented server
+ maximum fragment size
+ * dce_tcp.Server min fragment size: connection-oriented server
+ minimum fragment size
+ * dce_tcp.Server segs reassembled: total connection-oriented server
+ segments reassembled
+ * dce_tcp.Server frags reassembled: total connection-oriented
+ server fragments reassembled
* dce_tcp.tcp sessions: total tcp sessions
* dce_tcp.tcp packets: total tcp packets
- * dce_tcp.connection-oriented PDUs: total connection-oriented PDUs
- * dce_tcp.connection-oriented binds: total connection-oriented
- binds
- * dce_tcp.connection-oriented bind acks: total connection-oriented
- binds acks
- * dce_tcp.connection-oriented alter contexts: total
- connection-oriented alter contexts
- * dce_tcp.connection-oriented alter context responses: total
- connection-oriented alter context responses
- * dce_tcp.connection-oriented bind naks: total connection-oriented
- bind naks
- * dce_tcp.connection-oriented requests: total connection-oriented
- requests
- * dce_tcp.connection-oriented responses: total connection-oriented
- responses
- * dce_tcp.connection-oriented cancels: total connection-oriented
- cancels
- * dce_tcp.connection-oriented orphaned: total connection-oriented
- orphaned
- * dce_tcp.connection-oriented faults: total connection-oriented
- faults
- * dce_tcp.connection-oriented auth3s: total connection-oriented
- auth3s
- * dce_tcp.connection-oriented shutdowns: total connection-oriented
- shutdowns
- * dce_tcp.connection-oriented rejects: total connection-oriented
- rejects
- * dce_tcp.connection-oriented other requests: total
- connection-oriented other requests
- * dce_tcp.connection-oriented other responses: total
- connection-oriented other responses
- * dce_tcp.connection-oriented request fragments: total
- connection-oriented request fragments
- * dce_tcp.connection-oriented response fragments: total
- connection-oriented response fragments
- * dce_tcp.connection-oriented client maximum fragment size:
- connection-oriented client maximum fragment size
- * dce_tcp.connection-oriented client minimum fragment size:
- connection-oriented client minimum fragment size
- * dce_tcp.connection-oriented client segments reassembled: total
- connection-oriented client segments reassembled
- * dce_tcp.connection-oriented client fragments reassembled: total
- connection-oriented client fragments reassembled
- * dce_tcp.connection-oriented server maximum fragment size:
- connection-oriented server maximum fragment size
- * dce_tcp.connection-oriented server minimum fragment size:
- connection-oriented server minimum fragment size
- * dce_tcp.connection-oriented server segments reassembled: total
- connection-oriented server segments reassembled
- * dce_tcp.connection-oriented server fragments reassembled: total
- connection-oriented server fragments reassembled
5.7. dnp3
* dns.responses: total dns responses
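Review bot: the renamed dce_smb peg counts now contain two pegs each named `dce_smb.Client segs reassembled` and `dce_smb.Server segs reassembled`, one described as connection-oriented and one as smb; anything that reads peg output by name cannot distinguish them, so give the smb pair distinct names (for example `dce_smb.SMB client segs reassembled`). The rename also leaves naming inconsistent within a module: `dce_smb.events` and `dce_tcp.tcp sessions` stay lowercase while the new entries are capitalised (`dce_tcp.PDUs`, `dce_tcp.Binds`). In dce_tcp the new connection-oriented pegs are inserted before `dce_tcp.tcp sessions` / `dce_tcp.tcp packets` rather than after them as the removed block was; listing the session and packet totals first keeps the two modules parallel.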
-5.9. dpx
+5.9. file_log
------------
-What: dynamic inspector example
+What: log file event to file.log
Type: inspector
Configuration:
- * port dpx.port: port to check
- * int dpx.max = 0: maximum payload before alert { 0:65535 }
-
-Rules:
-
- * 256:1 (dpx) too much data sent to port
+ * bool file_log.log_pkt_time = true: log the packet time when event
+ generated
+ * bool file_log.log_sys_time = false: log the system time when
+ event generated
Peg counts:
- * dpx.packets: total packets
+ * file_log.total events: total file events
5.10. ftp_client
* gtp_inspect.unknown infos: unknown information elements
-5.14. http_global
+5.14. http_inspect
------------
-What: http inspector global configuration and client rules for use
-with http_server
+What: HTTP inspector
Type: inspector
Configuration:
- * int http_global.compress_depth = 65535: maximum amount of packet
- payload to decompress { 1:65535 }
- * int http_global.decode.b64_decode_depth = 0: single packet decode
- depth { -1:65535 }
- * int http_global.decode.bitenc_decode_depth = 0: single packet
- decode depth { -1:65535 }
- * int http_global.decode.max_mime_mem = 838860: single packet
- decode depth { 3276: }
- * int http_global.decode.qp_decode_depth = 0: single packet decode
- depth { -1:65535 }
- * int http_global.decode.uu_decode_depth = 0: single packet decode
- depth { -1:65535 }
- * int http_global.decompress_depth = 65535: maximum amount of
- decompressed data to process { 1:65535 }
- * bool http_global.detect_anomalous_servers = false: inspect
- non-configured ports for HTTP - bad idea
- * int http_global.max_gzip_mem = 838860: total memory used for
- decompression across all active sessions { 3276: }
- * int http_global.memcap = 150994944: limit of memory used for
- logging extra data { 2304: }
- * bool http_global.proxy_alert = false: alert on proxy usage for
- servers without allow_proxy_use
- * int http_global.unicode_map.code_page = 1252: select code page in
- map file { 0: }
- * string http_global.unicode_map.map_file: unicode map file
-
-Rules:
-
- * 119:1 (http_global) ascii encoding
- * 119:2 (http_global) double decoding attack
- * 119:3 (http_global) u encoding
- * 119:4 (http_global) bare byte unicode encoding
- * 119:5 (http_global) base36 encoding
- * 119:6 (http_global) UTF-8 encoding
- * 119:7 (http_global) IIS unicode codepoint encoding
- * 119:8 (http_global) multi_slash encoding
- * 119:9 (http_global) IIS backslash evasion
- * 119:10 (http_global) self directory traversal
- * 119:11 (http_global) directory traversal
- * 119:12 (http_global) apache whitespace (tab)
- * 119:13 (http_global) non-RFC http delimiter
- * 119:14 (http_global) non-RFC defined char
- * 119:15 (http_global) oversize request-URI directory
- * 119:16 (http_global) oversize chunk encoding
- * 119:17 (http_global) unauthorized proxy use detected
- * 119:18 (http_global) webroot directory traversal
- * 119:19 (http_global) long header
- * 119:20 (http_global) max header fields
- * 119:21 (http_global) multiple content length
- * 119:22 (http_global) chunk size mismatch detected
- * 119:23 (http_global) invalid ip in true-client-IP/XFF header
- * 119:24 (http_global) multiple host hdrs detected
- * 119:25 (http_global) hostname exceeds 255 characters
- * 119:26 (http_global) header parsing space saturation
- * 119:27 (http_global) client consecutive small chunk sizes
- * 119:28 (http_global) post w/o content-length or chunks
- * 119:29 (http_global) multiple true IPs in a session
- * 119:30 (http_global) both true-client-IP and XFF hdrs present
- * 119:31 (http_global) unknown method
- * 119:32 (http_global) simple request
- * 119:33 (http_global) unescaped space in http URI
- * 119:34 (http_global) too many pipelined requests
-
-Peg counts:
-
- * http_global.packets: total packets processed
- * http_global.gets: GET requests
- * http_global.posts: POST requests
- * http_global.request headers: total requests
- * http_global.response headers: total responses
- * http_global.request cookies: requests with Cookie
- * http_global.response cookies: responses with Set-Cookie
- * http_global.post params: POST parameters extracted
- * http_global.unicode: unicode normalizations
- * http_global.double unicode: double unicode normalizations
- * http_global.non-ascii: non-ascii normalizations
- * http_global.paths with ../: directory traversal normalizations
- * http_global.paths with //: double slash normalizations
- * http_global.paths with ./: relative directory normalizations
- * http_global.gzip packets: packets with gzip compression
- * http_global.compressed bytes: total comparessed bytes processed
- * http_global.decompressed bytes: total bytes decompressed
-
-
-5.15. http_inspect
-
-------------
-
-What: http inspection and server rules; also configure http_inspect
-
-Type: inspector
-
-Configuration:
-
- * bool http_inspect.allow_proxy_use = false: don’t alert on proxy
- use for this server
- * bool http_inspect.decompress_pdf = false: enable decompression of
- the compressed portions of PDF files
- * bool http_inspect.decompress_swf = false: enable decompression of
- SWF (Adobe Flash content)
- * bool http_inspect.enable_cookies = true: extract cookies
- * bool http_inspect.enable_xff = false: log True-Client-IP and
- X-Forwarded-For headers with unified2 alerts as extra data
- * bool http_inspect.extended_ascii_uri = false: allow extended
- ASCII codes in the request URI
- * bool http_inspect.extended_response_inspection = true: extract
- response headers
- * string http_inspect.http_methods = GET POST PUT SEARCH MKCOL COPY
- MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK
- OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE
- UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT
- PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA
- RPC_OUT_DATA RPC_ECHO_DATA: request methods allowed in addition
- to GET and POST
- * bool http_inspect.inspect_gzip = true: enable gzip decompression
- of compressed bodies
- * bool http_inspect.inspect_uri_only = false: disable all detection
- except for uricontent
- * bool http_inspect.log_hostname = false: enable logging of
- Hostname with unified2 alerts as extra data
- * bool http_inspect.log_uri = false: enable logging of URI with
- unified2 alerts as extra data
- * bool http_inspect.no_pipeline_req = false: don’t inspect
- pipelined requests after first (still does general detection)
- * bit_list http_inspect.non_rfc_chars = 0x00 0x01 0x02 0x03 0x04
- 0x05 0x06 0x07: alert on given non-RFC chars being present in the
- URI { 255 }
- * bool http_inspect.normalize_cookies = false: normalize cookies
- similar to URI
- * bool http_inspect.normalize_headers = false: normalize headers
- other than cookie similar to URI
- * int http_inspect.oversize_dir_length = 500: alert if a URL has a
- directory longer than this limit { 0: }
- * bool http_inspect.profile.apache_whitespace = false: don’t alert
- if tab is used in lieu of space characters
- * bool http_inspect.profile.ascii = false: enable decoding ASCII
- like %2f to /
- * bool http_inspect.profile.bare_byte = false: decode non-standard,
- non-ASCII character encodings
- * int http_inspect.profile.chunk_length = 500000: alert on chunk
- lengths greater than specified { 1: }
- * int http_inspect.profile.client_flow_depth = 0: raw request
- payload to inspect { -1:1460 }
- * bool http_inspect.profile.directory = false: normalize . and ..
- sequences out of URI
- * bool http_inspect.profile.double_decode = false: iis specific
- extra decoding
- * bool http_inspect.profile.iis_backslash = false: normalize
- directory slashes
- * bool http_inspect.profile.iis_delimiter = false: allow use of
- non-standard delimiter
- * bool http_inspect.profile.iis_unicode = false: enable unicode
- code point mapping using unicode_map settings
- * int http_inspect.profile.iis_unicode_map.code_page = 1252: select
- code page in map file { 0: }
- * string http_inspect.profile.iis_unicode_map.map_file: unicode map
- file
- * int http_inspect.profile.max_header_length = 750: maximum allowed
- client request header field { 0:65535 }
- * int http_inspect.profile.max_headers = 100: maximum allowed
- client request headers { 0:1024 }
- * int http_inspect.profile.max_spaces = 200: maximum allowed
- whitespaces when folding { 0:65535 }
- * bool http_inspect.profile.multi_slash = false: normalize out
- consecutive slashes in URI
- * bool http_inspect.profile.non_strict = true: allows HTTP 0.9
- processing
- * int http_inspect.profile.max_javascript_whitespaces = 200:
- maximum number of consecutive whitespaces { 0: }
- * bool http_inspect.profile.normalize_utf = true: normalize
- response bodies with UTF content-types
- * bool http_inspect.profile.normalize_javascript = true: normalize
- javascript between <script> tags
- * int http_inspect.profile.post_depth = 65495: amount of POST data
- to inspect { -1:65535 }
- * enum http_inspect.profile.profile_type = default: set defaults
- appropriate for selected server { default | apache | iis | iis_40
- | iis_50 }
- * int http_inspect.profile.server_flow_depth = 0: response payload
- to inspect; includes headers with extended_response_inspection {
- -1:65535 }
- * bool http_inspect.profile.u_encode = true: decode %uXXXX
- character sequences
- * bool http_inspect.profile.utf_8 = false: decode UTF-8 unicode
- sequences in URI
- * bool http_inspect.profile.webroot = false: alert on directory
- traversals past the top level (web server root)
- * bit_list http_inspect.profile.whitespace_chars: allowed white
- space characters { 255 }
- * int http_inspect.small_chunk_count = 5: alert if more than this
- limit of consecutive chunks are below small_chunk_length { 0:255
- }
- * int http_inspect.small_chunk_length = 10: alert if more than
- small_chunk_count consecutive chunks below this limit { 0:255 }
- * bool http_inspect.tab_uri_delimiter = false: whether a tab not
- preceded by a space is considered a delimiter or part of URI
- * bool http_inspect.unlimited_decompress = true: decompress across
- multiple packets
- * bool http_inspect.xff_headers = false: not implemented
+ * int http_inspect.request_depth = -1: maximum request message body
+ bytes to examine (-1 no limit) { -1: }
+ * int http_inspect.response_depth = -1: maximum response message
+ body bytes to examine (-1 no limit) { -1: }
+ * bool http_inspect.unzip = true: decompress gzip and deflate
+ message bodies
+ * bit_list http_inspect.bad_characters: alert when any of specified
+ bytes are present in URI after percent decoding { 255 }
+ * string http_inspect.ignore_unreserved: do not alert when the
+ specified unreserved characters are percent-encoded in a
+ URI.Unreserved characters are 0-9, a-z, A-Z, period, underscore,
+ tilde, and minus. { (optional) }
+ * bool http_inspect.percent_u = false: normalize %uNNNN and %UNNNN
+ encodings
+ * bool http_inspect.utf8 = true: normalize 2-byte and 3-byte UTF-8
+ characters to a single byte
+ * bool http_inspect.utf8_bare_byte = false: when doing UTF-8
+ character normalization include bytes that were not percent
+ encoded
+ * bool http_inspect.iis_unicode = false: use IIS unicode code point
+ mapping to normalize characters
+ * string http_inspect.iis_unicode_map_file: file containing code
+ points for IIS unicode. { (optional) }
+ * int http_inspect.iis_unicode_code_page = 1252: code page to use
+ from the IIS unicode map file { 0:65535 }
+ * bool http_inspect.iis_double_decode = false: perform double
+ decoding of percent encodings to normalize characters
+ * int http_inspect.oversize_dir_length = 300: maximum length for
+ URL directory { 1:65535 }
+ * bool http_inspect.backslash_to_slash = false: replace \ with /
+ when normalizing URIs
+ * bool http_inspect.plus_to_space = true: replace + with <sp> when
+ normalizing URIs
+ * bool http_inspect.simplify_path = true: reduce URI directory path
+ to simplest form
+ * bool http_inspect.test_input = false: read HTTP messages from
+ text file
+ * bool http_inspect.test_output = false: print out HTTP section
+ data
+ * int http_inspect.print_amount = 1200: number of characters to
+ print from a Field { 1:1000000 }
+ * bool http_inspect.print_hex = false: nonprinting characters
+ printed in [HH] format instead of using an asterisk
+ * bool http_inspect.show_pegs = true: display peg counts with test
+ output
Rules:
- * 120:1 (http_inspect) anomalous http server on undefined HTTP port
- * 120:2 (http_inspect) invalid status code in HTTP response
- * 120:3 (http_inspect) no content-length or transfer-encoding in
+ * 119:1 (http_inspect) ascii encoding
+ * 119:2 (http_inspect) double decoding attack
+ * 119:3 (http_inspect) u encoding
+ * 119:4 (http_inspect) bare byte unicode encoding
+ * 119:5 (http_inspect) obsolete event—should not appear
+ * 119:6 (http_inspect) UTF-8 encoding
+ * 119:7 (http_inspect) IIS unicode codepoint encoding
+ * 119:8 (http_inspect) multi_slash encoding
+ * 119:9 (http_inspect) IIS backslash evasion
+ * 119:10 (http_inspect) self directory traversal
+ * 119:11 (http_inspect) directory traversal
+ * 119:12 (http_inspect) apache whitespace (tab)
+ * 119:13 (http_inspect) non-RFC http delimiter
+ * 119:14 (http_inspect) non-RFC defined char
+ * 119:15 (http_inspect) oversize request-uri directory
+ * 119:16 (http_inspect) oversize chunk encoding
+ * 119:17 (http_inspect) unauthorized proxy use detected
+ * 119:18 (http_inspect) webroot directory traversal
+ * 119:19 (http_inspect) long header
+ * 119:20 (http_inspect) max header fields
+ * 119:21 (http_inspect) multiple content length
+ * 119:22 (http_inspect) chunk size mismatch detected
+ * 119:23 (http_inspect) invalid IP in true-client-IP/XFF header
+ * 119:24 (http_inspect) multiple host hdrs detected
+ * 119:25 (http_inspect) hostname exceeds 255 characters
+ * 119:26 (http_inspect) header parsing space saturation
+ * 119:27 (http_inspect) client consecutive small chunk sizes
+ * 119:28 (http_inspect) post w/o content-length or chunks
+ * 119:29 (http_inspect) multiple true ips in a session
+ * 119:30 (http_inspect) both true-client-IP and XFF hdrs present
+ * 119:31 (http_inspect) unknown method
+ * 119:32 (http_inspect) simple request
+ * 119:33 (http_inspect) unescaped space in HTTP URI
+ * 119:34 (http_inspect) too many pipelined requests
+ * 119:35 (http_inspect) anomalous http server on undefined HTTP
+ port
+ * 119:36 (http_inspect) invalid status code in HTTP response
+ * 119:37 (http_inspect) no content-length or transfer-encoding in
HTTP response
- * 120:4 (http_inspect) HTTP response has UTF charset which failed
+ * 119:38 (http_inspect) HTTP response has UTF charset which failed
to normalize
- * 120:5 (http_inspect) HTTP response has UTF-7 charset
- * 120:6 (http_inspect) HTTP response gzip decompression failed
- * 120:7 (http_inspect) server consecutive small chunk sizes
- * 120:8 (http_inspect) invalid content-length or chunk size
- * 120:9 (http_inspect) javascript obfuscation levels exceeds 1
- * 120:10 (http_inspect) javascript whitespaces exceeds max allowed
- * 120:11 (http_inspect) multiple encodings within javascript
+ * 119:39 (http_inspect) HTTP response has UTF-7 charset
+ * 119:40 (http_inspect) HTTP response gzip decompression failed
+ * 119:41 (http_inspect) server consecutive small chunk sizes
+ * 119:42 (http_inspect) invalid content-length or chunk size
+ * 119:43 (http_inspect) javascript obfuscation levels exceeds 1
+ * 119:44 (http_inspect) javascript whitespaces exceeds max allowed
+ * 119:45 (http_inspect) multiple encodings within javascript
obfuscated data
- * 120:12 (http_inspect) HTTP response SWF file zlib decompression
- failure
- * 120:13 (http_inspect) HTTP response SWF file LZMA decompression
- failure
- * 120:14 (http_inspect) HTTP response PDF file deflate
- decompression failure
- * 120:15 (http_inspect) HTTP response PDF file unsupported
- compression type
- * 120:16 (http_inspect) HTTP response PDF file cascaded compression
- * 120:17 (http_inspect) HTTP response PDF file parse failure
+ * 119:46 (http_inspect) SWF file zlib decompression failure
+ * 119:47 (http_inspect) SWF file LZMA decompression failure
+ * 119:48 (http_inspect) PDF file deflate decompression failure
+ * 119:49 (http_inspect) PDF file unsupported compression type
+ * 119:50 (http_inspect) PDF file cascaded compression
+ * 119:51 (http_inspect) PDF file parse failure
+ * 119:52 (http_inspect) Not HTTP traffic
+ * 119:53 (http_inspect) Chunk length has excessive leading zeros
+ * 119:54 (http_inspect) White space before or between messages
+ * 119:55 (http_inspect) Request message without URI
+ * 119:56 (http_inspect) Control character in reason phrase
+ * 119:57 (http_inspect) Illegal extra whitespace in start line
+ * 119:58 (http_inspect) Corrupted HTTP version
+ * 119:59 (http_inspect) Unknown HTTP version
+ * 119:60 (http_inspect) Format error in HTTP header
+ * 119:61 (http_inspect) Chunk header options present
+ * 119:62 (http_inspect) URI badly formatted
+ * 119:63 (http_inspect) Unrecognized type of percent encoding in
+ URI
+ * 119:64 (http_inspect) HTTP chunk misformatted
+ * 119:65 (http_inspect) White space following chunk length
+ * 119:67 (http_inspect) Excessive gzip compression
+ * 119:68 (http_inspect) Gzip decompression failed
+ * 119:69 (http_inspect) HTTP 0.9 requested followed by another
+ request
+ * 119:70 (http_inspect) HTTP 0.9 request following a normal request
+ * 119:71 (http_inspect) Message has both Content-Length and
+ Transfer-Encoding
+ * 119:72 (http_inspect) Status code implying no body combined with
+ Transfer-Encoding or nonzero Content-Length
+ * 119:73 (http_inspect) Transfer-Encoding did not end with chunked
+ * 119:74 (http_inspect) Transfer-Encoding with chunked not at end
+ * 119:75 (http_inspect) Misformatted HTTP traffic
+Peg counts:
+
+ * http_inspect.flows: HTTP connections inspected
+ * http_inspect.scans: TCP segments scanned looking for HTTP
+ messages
+ * http_inspect.reassembles: TCP segments combined into HTTP
+ messages
+ * http_inspect.inspections: total message sections inspected
+ * http_inspect.requests: HTTP request messages inspected
+ * http_inspect.responses: HTTP response messages inspected
+ * http_inspect.GET requests: GET requests inspected
+ * http_inspect.HEAD requests: HEAD requests inspected
+ * http_inspect.POST requests: POST requests inspected
+ * http_inspect.PUT requests: PUT requests inspected
+ * http_inspect.DELETE requests: DELETE requests inspected
+ * http_inspect.CONNECT requests: CONNECT requests inspected
+ * http_inspect.OPTIONS requests: OPTIONS requests inspected
+ * http_inspect.TRACE requests: TRACE requests inspected
+ * http_inspect.other requests: other request methods inspected
+ * http_inspect.request bodies: POST, PUT, and other requests with
+ message bodies
+ * http_inspect.chunked: chunked message bodies
+ * http_inspect.URI normalizations: URIs needing to be normalization
+ * http_inspect.URI path: URIs with path problems
+ * http_inspect.URI coding: URIs with character coding problems
-5.16. imap
+
+5.15. imap
------------
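Review bot: the event IDs change silently in this hunk: the http_global events 119:1-34 keep their SIDs but move under http_inspect, while the former http_inspect events 120:1-17 are renumbered to 119:35-51, so any rule, threshold or suppression keyed on GID 120 stops matching; the section needs a migration note for GID 120 users. Smaller points in the same hunk: 119:66 is skipped between 119:65 and 119:67 with no explanation, and 119:5 is marked obsolete without saying which event replaced it; "URI.Unreserved characters" needs a space after the period; "HTTP 0.9 requested followed by another request" should read "HTTP 0.9 request followed by another request"; "URIs needing to be normalization" should read "URIs needing normalization". The test_input, test_output, print_amount, print_hex and show_pegs options are development aids and would be better flagged as such instead of being listed beside production settings.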
* imap.non-encoded bytes: total non-encoded extracted bytes
-5.17. modbus
+5.16. modbus
------------
* modbus.frames: total Modbus messages
-5.18. new_http_inspect
-
-------------
-
-What: new HTTP inspector
-
-Type: inspector
-
-Configuration:
-
- * int new_http_inspect.request_depth = -1: maximum request message
- body bytes to examine (-1 no limit) { -1: }
- * int new_http_inspect.response_depth = -1: maximum response
- message body bytes to examine (-1 no limit) { -1: }
- * bool new_http_inspect.unzip = true: decompress gzip and deflate
- message bodies
- * bool new_http_inspect.test_input = false: read HTTP messages from
- text file
- * bool new_http_inspect.test_output = false: print out HTTP section
- data
- * int new_http_inspect.print_amount = 1200: number of characters to
- print from a Field { 1:1000000 }
-
-Rules:
-
- * 219:1 (new_http_inspect) ascii encoding
- * 219:2 (new_http_inspect) double decoding attack
- * 219:3 (new_http_inspect) u encoding
- * 219:4 (new_http_inspect) bare byte unicode encoding
- * 219:5 (new_http_inspect) obsolete event—should not appear
- * 219:6 (new_http_inspect) UTF-8 encoding
- * 219:7 (new_http_inspect) IIS unicode codepoint encoding
- * 219:8 (new_http_inspect) multi_slash encoding
- * 219:9 (new_http_inspect) IIS backslash evasion
- * 219:10 (new_http_inspect) self directory traversal
- * 219:11 (new_http_inspect) directory traversal
- * 219:12 (new_http_inspect) apache whitespace (tab)
- * 219:13 (new_http_inspect) non-RFC http delimiter
- * 219:14 (new_http_inspect) non-RFC defined char
- * 219:15 (new_http_inspect) oversize request-uri directory
- * 219:16 (new_http_inspect) oversize chunk encoding
- * 219:17 (new_http_inspect) unauthorized proxy use detected
- * 219:18 (new_http_inspect) webroot directory traversal
- * 219:19 (new_http_inspect) long header
- * 219:20 (new_http_inspect) max header fields
- * 219:21 (new_http_inspect) multiple content length
- * 219:22 (new_http_inspect) chunk size mismatch detected
- * 219:23 (new_http_inspect) invalid IP in true-client-IP/XFF header
- * 219:24 (new_http_inspect) multiple host hdrs detected
- * 219:25 (new_http_inspect) hostname exceeds 255 characters
- * 219:26 (new_http_inspect) header parsing space saturation
- * 219:27 (new_http_inspect) client consecutive small chunk sizes
- * 219:28 (new_http_inspect) post w/o content-length or chunks
- * 219:29 (new_http_inspect) multiple true ips in a session
- * 219:30 (new_http_inspect) both true-client-IP and XFF hdrs
- present
- * 219:31 (new_http_inspect) unknown method
- * 219:32 (new_http_inspect) simple request
- * 219:33 (new_http_inspect) unescaped space in HTTP URI
- * 219:34 (new_http_inspect) too many pipelined requests
- * 219:35 (new_http_inspect) anomalous http server on undefined HTTP
- port
- * 219:36 (new_http_inspect) invalid status code in HTTP response
- * 219:37 (new_http_inspect) no content-length or transfer-encoding
- in HTTP response
- * 219:38 (new_http_inspect) HTTP response has UTF charset which
- failed to normalize
- * 219:39 (new_http_inspect) HTTP response has UTF-7 charset
- * 219:40 (new_http_inspect) HTTP response gzip decompression failed
- * 219:41 (new_http_inspect) server consecutive small chunk sizes
- * 219:42 (new_http_inspect) invalid content-length or chunk size
- * 219:43 (new_http_inspect) javascript obfuscation levels exceeds 1
- * 219:44 (new_http_inspect) javascript whitespaces exceeds max
- allowed
- * 219:45 (new_http_inspect) multiple encodings within javascript
- obfuscated data
- * 219:46 (new_http_inspect) SWF file zlib decompression failure
- * 219:47 (new_http_inspect) SWF file LZMA decompression failure
- * 219:48 (new_http_inspect) PDF file deflate decompression failure
- * 219:49 (new_http_inspect) PDF file unsupported compression type
- * 219:50 (new_http_inspect) PDF file cascaded compression
- * 219:51 (new_http_inspect) PDF file parse failure
- * 219:52 (new_http_inspect) HTTP misformatted or not really HTTP
- * 219:53 (new_http_inspect) Chunk length has excessive leading
- zeros
- * 219:54 (new_http_inspect) White space before or between messages
- * 219:55 (new_http_inspect) Request message without URI
- * 219:56 (new_http_inspect) Control character in reason phrase
- * 219:57 (new_http_inspect) Illegal extra whitespace in start line
- * 219:58 (new_http_inspect) Corrupted HTTP version
- * 219:59 (new_http_inspect) Unknown HTTP version
- * 219:60 (new_http_inspect) Format error in HTTP header
- * 219:61 (new_http_inspect) Chunk header options present
- * 219:62 (new_http_inspect) URI badly formatted
- * 219:63 (new_http_inspect) Unused
- * 219:64 (new_http_inspect) HTTP chunk misformatted
- * 219:65 (new_http_inspect) White space following chunk length
- * 219:67 (new_http_inspect) Excessive gzip compression
- * 219:68 (new_http_inspect) Gzip decompression failed
-
-
-5.19. normalizer
+5.17. normalizer
------------
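Review bot: deleting the new_http_inspect section outright loses the fact that the module was renamed to http_inspect and that its events moved from GID 219 to GID 119 with the same SIDs; a one-line rename note would save users with 219:x rules a search. Two details of the rename also deserve a change note rather than being implied by the deletion: 219:52 "HTTP misformatted or not really HTTP" is split into 119:52 "Not HTTP traffic" and 119:75 "Misformatted HTTP traffic", and 219:63 "Unused" is now assigned as 119:63 "Unrecognized type of percent encoding in URI".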
* normalizer.test tcp block: test blocked segments
-5.20. perf_monitor
+5.18. packet_capture
+
+------------
+
+What: raw packet dumping facility
+
+Type: inspector
+
+Configuration:
+
+ * bool packet_capture.enable = false: initially enable packet
+ dumping
+ * string packet_capture.filter: bpf filter to use for packet dump
+
+Commands:
+
+ * packet_capture.enable(filter): dump raw packets
+ * packet_capture.disable(): stop packet dump
+
+Peg counts:
+
+ * packet_capture.processed: packets processed against filter
+ * packet_capture.captured: packets matching dumped after matching
+ filter
+
+
+5.19. perf_monitor
------------
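Review bot: the peg description "packets matching dumped after matching filter" is garbled; "packets dumped after matching filter" says it. The section also never states where the raw packets are written or in what format, which matters for a facility that dumps full payloads to disk; document the output file, and state whether the filter argument of packet_capture.enable(filter) replaces the configured packet_capture.filter or combines with it.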
Configuration:
+ * bool perf_monitor.base = true: enable base statistics { nullptr }
+ * bool perf_monitor.cpu = false: enable cpu statistics { nullptr }
+ * bool perf_monitor.flow = false: enable traffic statistics
+ * bool perf_monitor.flow_ip = false: enable statistics on host
+ pairs
* int perf_monitor.packets = 10000: minimum packets to report { 0:
}
- * int perf_monitor.seconds = 60: report interval; 0 means report at
- exit only { 0: }
+ * int perf_monitor.seconds = 60: report interval { 1: }
* int perf_monitor.flow_ip_memcap = 52428800: maximum memory for
flow tracking { 8200: }
* int perf_monitor.max_file_size = 1073741824: files will be rolled
over if they exceed this size { 4096: }
- * int perf_monitor.flow_ports = 1023: maximum ports to track { 0: }
- * bool perf_monitor.reset = true: reset (clear) statistics after
- each reporting interval
- * bool perf_monitor.max = false: calculate theoretical maximum
- performance
- * bool perf_monitor.console = false: output to console
- * bool perf_monitor.events = false: report on qualified vs
- non-qualified events
- * bool perf_monitor.file = false: output base stats to
- perf_monitor.csv instead of stdout
- * bool perf_monitor.flow = false: enable traffic statistics
- * bool perf_monitor.flow_file = false: output traffic statistics to
- a perf_monitor_flow.csv instead of stdout
- * bool perf_monitor.flow_ip = false: enable statistics on host
- pairs
- * bool perf_monitor.flow_ip_file = false: output host pair
- statistics to perf_monitor_flow_ip.csv instead of stdout
+ * int perf_monitor.flow_ports = 1023: maximum ports to track {
+ 0:65535 }
+ * enum perf_monitor.output = file: Output location for stats { file
+ | console }
* string perf_monitor.modules[].name: name of the module
- * string perf_monitor.modules[].pegs[].name: name of the statistic
- to track
+ * string perf_monitor.modules[].pegs: list of statistics to track
+ or empty for all counters
+ * enum perf_monitor.format = csv: Output format for stats { csv |
+ text }
+ * bool perf_monitor.summary = false: Output summary at shutdown
Peg counts:
* perf_monitor.packets: total packets
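Review bot: "{ nullptr }" as the range of perf_monitor.base and perf_monitor.cpu is a doc-generator artifact (a bool has no range) and should be dropped. The rewrite of perf_monitor.seconds also removes the "0 means report at exit only" behaviour and raises the minimum to 1 without saying what replaces it; if perf_monitor.summary = true is the intended substitute, say so next to seconds. Minor: "Output location for stats", "Output format for stats" and "Output summary at shutdown" are capitalized unlike every other description in the list.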
-5.21. pop
+5.20. pop
------------
* pop.non-encoded bytes: total non-encoded extracted bytes
-5.22. port_scan
+5.21. port_scan
------------
* 122:27 (port_scan) open port
-5.23. port_scan_global
+5.22. port_scan_global
------------
* port_scan_global.packets: total packets
-5.24. reputation
+5.23. reputation
------------
* reputation.memory_allocated: total memory allocated
-5.25. rpc_decode
+5.24. rpc_decode
------------
* rpc_decode.packets: total packets
-5.26. sip
+5.25. sip
------------
* sip.9xx: 9xx
-5.27. smtp
+5.26. smtp
------------
extracted from the MAIL FROM command
* bool smtp.log_rcptto = false: log the recipient’s email address
extracted from the RCPT TO command
+ * int smtp.max_auth_command_line_len = 1000: max auth command Line
+ Length { 0:65535 }
* int smtp.max_command_line_len = 0: max Command Line Length {
0:65535 }
* int smtp.max_header_line_len = 0: max SMTP DATA header line {
* 124:6 (smtp) Illegal command
* 124:7 (smtp) Attempted header name buffer overflow
* 124:8 (smtp) Attempted X-Link2State command buffer overflow
- * 124:10 (smtp) Base64 Decoding failed.
- * 124:11 (smtp) Quoted-Printable Decoding failed.
- * 124:13 (smtp) Unix-to-Unix Decoding failed.
- * 124:14 (smtp) Cyrus SASL authentication attack.
+ * 124:10 (smtp) Base64 Decoding failed
+ * 124:11 (smtp) Quoted-Printable Decoding failed
+ * 124:13 (smtp) Unix-to-Unix Decoding failed
+ * 124:14 (smtp) Cyrus SASL authentication attack
+ * 124:15 (smtp) Attempted authentication command buffer overflow
Peg counts:
* smtp.non-encoded bytes: total non-encoded extracted bytes
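Review bot: the new 124:15 "Attempted authentication command buffer overflow" should say that it is driven by the smtp.max_auth_command_line_len option added in the configuration hunk above, so that readers can tune the threshold that fires it. 124:9 and 124:12 are absent from the list, which reads as a gap; state that those SIDs are retired.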
-5.28. ssh
+5.27. ssh
------------
* ssh.packets: total packets
-5.29. ssl
+5.28. ssl
------------
* ssl.detection disabled: total detection disabled
-5.30. stream
+5.29. stream
------------
Configuration:
* int stream.ip_cache.max_sessions = 16384: maximum simultaneous
- sessions tracked before pruning { 1: }
- * int stream.ip_cache.memcap = 23920640: maximum cache memory
- before pruning (0 is unlimited) { 0: }
+ sessions tracked before pruning { 2: }
* int stream.ip_cache.pruning_timeout = 30: minimum inactive time
before being eligible for pruning { 1: }
* int stream.ip_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1: }
+ * int stream.ip_cache.cleanup_pct = 5: percent of cache to clean
+ when max_sessions is reached { 1:100 }
* int stream.icmp_cache.max_sessions = 32768: maximum simultaneous
- sessions tracked before pruning { 1: }
- * int stream.icmp_cache.memcap = 1048576: maximum cache memory
- before pruning (0 is unlimited) { 0: }
+ sessions tracked before pruning { 2: }
* int stream.icmp_cache.pruning_timeout = 30: minimum inactive time
before being eligible for pruning { 1: }
* int stream.icmp_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1: }
+ * int stream.icmp_cache.cleanup_pct = 5: percent of cache to clean
+ when max_sessions is reached { 1:100 }
* int stream.tcp_cache.max_sessions = 131072: maximum simultaneous
- sessions tracked before pruning { 1: }
- * int stream.tcp_cache.memcap = 268435456: maximum cache memory
- before pruning (0 is unlimited) { 0: }
+ sessions tracked before pruning { 2: }
* int stream.tcp_cache.pruning_timeout = 30: minimum inactive time
before being eligible for pruning { 1: }
* int stream.tcp_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1: }
+ * int stream.tcp_cache.cleanup_pct = 5: percent of cache to clean
+ when max_sessions is reached { 1:100 }
* int stream.udp_cache.max_sessions = 65536: maximum simultaneous
- sessions tracked before pruning { 1: }
- * int stream.udp_cache.memcap = 0: maximum cache memory before
- pruning (0 is unlimited) { 0: }
+ sessions tracked before pruning { 2: }
* int stream.udp_cache.pruning_timeout = 30: minimum inactive time
before being eligible for pruning { 1: }
* int stream.udp_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1: }
+ * int stream.udp_cache.cleanup_pct = 5: percent of cache to clean
+ when max_sessions is reached { 1:100 }
* int stream.user_cache.max_sessions = 1024: maximum simultaneous
- sessions tracked before pruning { 1: }
- * int stream.user_cache.memcap = 1048576: maximum cache memory
- before pruning (0 is unlimited) { 0: }
+ sessions tracked before pruning { 2: }
* int stream.user_cache.pruning_timeout = 30: minimum inactive time
before being eligible for pruning { 1: }
* int stream.user_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1: }
+ * int stream.user_cache.cleanup_pct = 5: percent of cache to clean
+ when max_sessions is reached { 1:100 }
* int stream.file_cache.max_sessions = 128: maximum simultaneous
- sessions tracked before pruning { 1: }
- * int stream.file_cache.memcap = 0: maximum cache memory before
- pruning (0 is unlimited) { 0: }
+ sessions tracked before pruning { 2: }
* int stream.file_cache.pruning_timeout = 30: minimum inactive time
before being eligible for pruning { 1: }
* int stream.file_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1: }
+ * int stream.file_cache.cleanup_pct = 5: percent of cache to clean
+ when max_sessions is reached { 1:100 }
Peg counts:
* stream.ip flows: total ip sessions
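Review bot: every *_cache.memcap option is deleted here while the peg counts added below introduce "memcap prunes: sessions pruned due to memcap" for each cache; either those pegs can never increment or the memcap now lives elsewhere, and the section should say which. The max_sessions minimum also moves from 1 to 2 for all six caches with no stated reason; if it is because cleanup_pct must be able to evict at least one session, a short note next to cleanup_pct would prevent confusion.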
- * stream.ip prunes: ip sessions pruned
+ * stream.ip total prunes: total ip sessions pruned
+ * stream.ip timeout prunes: ip sessions pruned due to timeout
+ * stream.ip excess prunes: ip sessions pruned due to excess
+ * stream.ip uni prunes: ip uni sessions pruned
+ * stream.ip preemptive prunes: ip sessions pruned during preemptive
+ pruning
+ * stream.ip memcap prunes: ip sessions pruned due to memcap
+ * stream.ip user prunes: ip sessions pruned for other reasons
* stream.icmp flows: total icmp sessions
- * stream.icmp prunes: icmp sessions pruned
+ * stream.icmp total prunes: total icmp sessions pruned
+ * stream.icmp timeout prunes: icmp sessions pruned due to timeout
+ * stream.icmp excess prunes: icmp sessions pruned due to excess
+ * stream.icmp uni prunes: icmp uni sessions pruned
+ * stream.icmp preemptive prunes: icmp sessions pruned during
+ preemptive pruning
+ * stream.icmp memcap prunes: icmp sessions pruned due to memcap
+ * stream.icmp user prunes: icmp sessions pruned for other reasons
* stream.tcp flows: total tcp sessions
- * stream.tcp prunes: tcp sessions pruned
+ * stream.tcp total prunes: total tcp sessions pruned
+ * stream.tcp timeout prunes: tcp sessions pruned due to timeout
+ * stream.tcp excess prunes: tcp sessions pruned due to excess
+ * stream.tcp uni prunes: tcp uni sessions pruned
+ * stream.tcp preemptive prunes: tcp sessions pruned during
+ preemptive pruning
+ * stream.tcp memcap prunes: tcp sessions pruned due to memcap
+ * stream.tcp user prunes: tcp sessions pruned for other reasons
* stream.udp flows: total udp sessions
- * stream.udp prunes: udp sessions pruned
+ * stream.udp total prunes: total udp sessions pruned
+ * stream.udp timeout prunes: udp sessions pruned due to timeout
+ * stream.udp excess prunes: udp sessions pruned due to excess
+ * stream.udp uni prunes: udp uni sessions pruned
+ * stream.udp preemptive prunes: udp sessions pruned during
+ preemptive pruning
+ * stream.udp memcap prunes: udp sessions pruned due to memcap
+ * stream.udp user prunes: udp sessions pruned for other reasons
* stream.user flows: total user sessions
- * stream.user prunes: user sessions pruned
+ * stream.user total prunes: total user sessions pruned
+ * stream.user timeout prunes: user sessions pruned due to timeout
+ * stream.user excess prunes: user sessions pruned due to excess
+ * stream.user uni prunes: user uni sessions pruned
+ * stream.user preemptive prunes: user sessions pruned during
+ preemptive pruning
+ * stream.user memcap prunes: user sessions pruned due to memcap
+ * stream.user user prunes: user sessions pruned for other reasons
* stream.file flows: total file sessions
- * stream.file prunes: file sessions pruned
+ * stream.file total prunes: total file sessions pruned
+ * stream.file timeout prunes: file sessions pruned due to timeout
+ * stream.file excess prunes: file sessions pruned due to excess
+ * stream.file uni prunes: file uni sessions pruned
+ * stream.file preemptive prunes: file sessions pruned during
+ preemptive pruning
+ * stream.file memcap prunes: file sessions pruned due to memcap
+ * stream.file user prunes: file sessions pruned for other reasons
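Review bot: the per-cache memcap options are removed here (`- * int stream.user_cache.memcap = 1048576: maximum cache memory` / `- before pruning (0 is unlimited) { 0: }`, and the same for file_cache) while the new peg counts add a `stream.<proto> memcap prunes: ... pruned due to memcap` counter for every protocol. If memory pruning is now driven by a limit set elsewhere, the configuration text should name that option so operators know what the peg is counting; if no such limit remains, the peg will always be zero and should go. Separately, the `max_sessions` lower bound changes from `{ 1: }` to `{ 2: }` for the user and file caches with no explanation; a short reason in the description would help anyone who had set it to 1.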
-5.31. stream_file
+5.30. stream_file
------------
* bool stream_file.upload = false: indicate file transfer direction
-5.32. stream_icmp
+5.31. stream_icmp
------------
* stream_icmp.prunes: icmp session prunes
-5.33. stream_ip
+5.32. stream_ip
------------
* stream_ip.max frags: max fragments
* stream_ip.reassembled: reassembled datagrams
* stream_ip.discards: fragments discarded
- * stream_ip.memory faults: memory faults
* stream_ip.frag timeouts: datagrams abandoned
* stream_ip.overlaps: overlapping fragments
* stream_ip.anomalies: anomalies detected
* stream_ip.fragmented bytes: total fragmented bytes
-5.34. stream_tcp
+5.33. stream_tcp
------------
flushed when session released
* stream_tcp.server cleanups: number of times data from client was
flushed when session released
- * stream_tcp.faults: number of times a new segment triggered a
- prune
* stream_tcp.memory: current memory in use
* stream_tcp.initializing: number of sessions currently
initializing
* stream_tcp.closing: number of sessions currently closing
-5.35. stream_udp
+5.34. stream_udp
------------
* stream_udp.prunes: udp session prunes
-5.36. stream_user
+5.35. stream_user
------------
1:86400 }
-5.37. telnet
+5.36. telnet
------------
* telnet.packets: total packets
-5.38. wizard
+5.37. wizard
------------
Configuration:
- * string ack.~range: check if packet payload size is size | min<>
- max | <max | >min
+ * string ack.~range: check if tcp ack value is value | min<>max |
+ <max | >min
-7.2. asn1
+7.2. appids
+
+------------
+
+What: detection option for application ids
+
+Type: ips_option
+
+Configuration:
+
+ * string appids.~: appid option
+
+
+7.3. asn1
------------
encodings that are known to be remotely exploitable.
* implied asn1.double_overflow: Detects a double ASCII encoding
that is larger than a standard buffer.
- * implied asn1.print: <>max | <max | >min
+ * implied asn1.print: dump decode data to console; always true
* int asn1.oversize_length: Compares ASN.1 type lengths with the
supplied argument. { 0: }
* int asn1.absolute_offset: Absolute offset from the beginning of
* int asn1.relative_offset: relative offset from the cursor.
-7.3. base64_decode
+7.4. base64_decode
------------
start of buffer.
-7.4. bufferlen
+7.5. bufferlen
------------
* string bufferlen.~range: len | min<>max | <max | >min
-7.5. byte_extract
+7.6. byte_extract
------------
* implied byte_extract.dec: convert from decimal string
-7.6. byte_jump
+7.7. byte_jump
------------
* implied byte_jump.dec: convert from decimal string
-7.7. byte_test
+7.8. byte_test
------------
* implied byte_test.dec: convert from decimal string
-7.8. classtype
+7.9. classtype
------------
* string classtype.~: classification for this rule
-7.9. content
+7.10. content
------------
from cursor
-7.10. cvs
+7.11. cvs
------------
* implied cvs.invalid-entry: looks for an invalid Entry string
-7.11. dce_iface
+7.12. dce_iface
------------
* implied dce_iface.any_frag: match on any fragment
-7.12. dce_opnum
+7.13. dce_opnum
------------
list
-7.13. dce_stub_data
+7.14. dce_stub_data
------------
Type: ips_option
-7.14. detection_filter
+7.15. detection_filter
------------
1: }
-7.15. dnp3_data
+7.16. dnp3_data
------------
Type: ips_option
-7.16. dnp3_func
+7.17. dnp3_func
------------
* string dnp3_func.~: match dnp3 function code or name
-7.17. dnp3_ind
+7.18. dnp3_ind
------------
* string dnp3_ind.~: match given dnp3 indicator flags
-7.18. dnp3_obj
+7.19. dnp3_obj
------------
}
-7.19. dsize
+7.20. dsize
------------
max | <max | >min
-7.20. file_data
+7.21. file_data
------------
Type: ips_option
-7.21. flags
+7.22. file_type
+
+------------
+
+What: rule option to check file type
+
+Type: ips_option
+
+Configuration:
+
+ * string file_type.~: list of file type IDs to match
+
+
+7.23. flags
------------
* string flags.~mask_flags: these flags are don’t cares
-7.22. flow
+7.24. flow
------------
* implied flow.only_frag: match on defragmented packets only
-7.23. flowbits
+7.25. flowbits
------------
* string flowbits.~arg2: group if arg1 is bits
-7.24. fragbits
+7.26. fragbits
------------
* string fragbits.~flags: these flags are tested
-7.25. fragoffset
+7.27. fragoffset
------------
Configuration:
- * string fragoffset.~range: check if packet payload size is size |
- min<>max | <max | >min
+ * string fragoffset.~range: check if ip fragment offset value is
+ value | min<>max | <max | >min
-7.26. gid
+7.28. gid
------------
* int gid.~: generator id { 1: }
-7.27. gtp_info
+7.29. gtp_info
------------
* string gtp_info.~: info element to match
-7.28. gtp_type
+7.30. gtp_type
------------
* string gtp_type.~: list of types to match
-7.29. gtp_version
+7.31. gtp_version
------------
* int gtp_version.~: version to match { 0:2 }
-7.30. http_client_body
+7.32. http_client_body
------------
Type: ips_option
-7.31. http_cookie
+7.33. http_cookie
------------
Type: ips_option
+Configuration:
+
+ * implied http_cookie.request: Match against the cookie from the
+ request message even when examining the response
+ * implied http_cookie.with_body: Parts of this rule examine HTTP
+ message body
+ * implied http_cookie.with_trailer: Parts of this rule examine HTTP
+ message trailers
-7.32. http_header
+
+7.34. http_header
------------
What: rule option to set the detection cursor to the normalized
-header(s)
+headers
+
+Type: ips_option
+
+Configuration:
+
+ * string http_header.field: Restrict to given header. Header name
+ is case insensitive.
+ * implied http_header.request: Match against the headers from the
+ request message even when examining the response
+ * implied http_header.with_body: Parts of this rule examine HTTP
+ message body
+ * implied http_header.with_trailer: Parts of this rule examine HTTP
+ message trailers
+
+
+7.35. http_method
+
+------------
+
+What: rule option to set the detection cursor to the HTTP request
+method
+
+Type: ips_option
+
+Configuration:
+
+ * implied http_method.with_body: Parts of this rule examine HTTP
+ message body
+ * implied http_method.with_trailer: Parts of this rule examine HTTP
+ message trailers
+
+
+7.36. http_raw_cookie
+
+------------
+
+What: rule option to set the detection cursor to the unnormalized
+cookie
+
+Type: ips_option
+
+Configuration:
+
+ * implied http_raw_cookie.request: Match against the cookie from
+ the request message even when examining the response
+ * implied http_raw_cookie.with_body: Parts of this rule examine
+ HTTP message body
+ * implied http_raw_cookie.with_trailer: Parts of this rule examine
+ HTTP message trailers
+
+
+7.37. http_raw_header
+
+------------
+
+What: rule option to set the detection cursor to the unnormalized
+headers
+
+Type: ips_option
+
+Configuration:
+
+ * implied http_raw_header.request: Match against the headers from
+ the request message even when examining the response
+ * implied http_raw_header.with_body: Parts of this rule examine
+ HTTP message body
+ * implied http_raw_header.with_trailer: Parts of this rule examine
+ HTTP message trailers
+
+
+7.38. http_raw_request
+
+------------
+
+What: rule option to set the detection cursor to the unnormalized
+request line
+
+Type: ips_option
+
+Configuration:
+
+ * implied http_raw_request.with_body: Parts of this rule examine
+ HTTP message body
+ * implied http_raw_request.with_trailer: Parts of this rule examine
+ HTTP message trailers
+
+
+7.39. http_raw_status
+
+------------
+
+What: rule option to set the detection cursor to the unnormalized
+status line
Type: ips_option
Configuration:
- * string http_header.~name: restrict to given header
+ * implied http_raw_status.with_body: Parts of this rule examine
+ HTTP message body
+ * implied http_raw_status.with_trailer: Parts of this rule examine
+ HTTP message trailers
-7.33. http_method
+7.40. http_raw_trailer
------------
-What: rule option to set the detection cursor to the HTTP request
-method
+What: rule option to set the detection cursor to the unnormalized
+trailers
Type: ips_option
+Configuration:
+
+ * implied http_raw_trailer.request: Match against the trailers from
+ the request message even when examining the response
+ * implied http_raw_trailer.with_header: Parts of this rule examine
+ HTTP response message headers (must be combined with request)
+ * implied http_raw_trailer.with_body: Parts of this rule examine
+ HTTP response message body (must be combined with request)
-7.34. http_raw_cookie
+
+7.41. http_raw_uri
------------
-What: rule option to set the detection cursor to the unnormalized
-cookie
+What: rule option to set the detection cursor to the unnormalized URI
Type: ips_option
+Configuration:
+
+ * implied http_raw_uri.with_body: Parts of this rule examine HTTP
+ message body
+ * implied http_raw_uri.with_trailer: Parts of this rule examine
+ HTTP message trailers
+ * implied http_raw_uri.scheme: match against scheme section of URI
+ only
+ * implied http_raw_uri.host: match against host section of URI only
+ * implied http_raw_uri.port: match against port section of URI only
+ * implied http_raw_uri.path: match against path section of URI only
+ * implied http_raw_uri.query: match against query section of URI
+ only
+ * implied http_raw_uri.fragment: match against fragment section of
+ URI only
-7.35. http_raw_header
+
+7.42. http_stat_code
------------
-What: rule option to set the detection cursor to the unnormalized
-headers
+What: rule option to set the detection cursor to the HTTP status code
Type: ips_option
+Configuration:
+
+ * implied http_stat_code.with_body: Parts of this rule examine HTTP
+ message body
+ * implied http_stat_code.with_trailer: Parts of this rule examine
+ HTTP message trailers
-7.36. http_raw_uri
+
+7.43. http_stat_msg
------------
-What: rule option to set the detection cursor to the unnormalized URI
+What: rule option to set the detection cursor to the HTTP status
+message
Type: ips_option
+Configuration:
+
+ * implied http_stat_msg.with_body: Parts of this rule examine HTTP
+ message body
+ * implied http_stat_msg.with_trailer: Parts of this rule examine
+ HTTP message trailers
-7.37. http_stat_code
+
+7.44. http_trailer
------------
-What: rule option to set the detection cursor to the HTTP status code
+What: rule option to set the detection cursor to the normalized
+trailers
Type: ips_option
+Configuration:
+
+ * string http_trailer.field: restrict to given trailer
+ * implied http_trailer.request: Match against the trailers from the
+ request message even when examining the response
+ * implied http_trailer.with_header: Parts of this rule examine HTTP
+ response message headers (must be combined with request)
+ * implied http_trailer.with_body: Parts of this rule examine HTTP
+ message body (must be combined with request)
+
-7.38. http_stat_msg
+7.45. http_uri
------------
-What: rule option to set the detection cursor to the HTTP status
-message
+What: rule option to set the detection cursor to the normalized URI
+buffer
Type: ips_option
+Configuration:
+
+ * implied http_uri.with_body: Parts of this rule examine HTTP
+ message body
+ * implied http_uri.with_trailer: Parts of this rule examine HTTP
+ message trailers
+ * implied http_uri.scheme: match against scheme section of URI only
+ * implied http_uri.host: match against host section of URI only
+ * implied http_uri.port: match against port section of URI only
+ * implied http_uri.path: match against path section of URI only
+ * implied http_uri.query: match against query section of URI only
+ * implied http_uri.fragment: match against fragment section of URI
+ only
-7.39. http_uri
+
+7.46. http_version
------------
-What: rule option to set the detection cursor to the normalized URI
-buffer
+What: rule option to set the detection cursor to the version buffer
Type: ips_option
+Configuration:
+
+ * implied http_version.request: Match against the version from the
+ request message even when examining the response
+ * implied http_version.with_body: Parts of this rule examine HTTP
+ message body
+ * implied http_version.with_trailer: Parts of this rule examine
+ HTTP message trailers
+
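Review bot: `+ * string http_trailer.field: restrict to given trailer` omits the case-insensitivity statement that the parallel `http_header.field` entry carries ("Header name is case insensitive."). Rule writers matching trailer names need the same information, so either state it here as well or, if trailer matching is case sensitive, say so explicitly, since readers will assume the two options behave alike.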
-7.40. icmp_id
+7.47. icmp_id
------------
>min
-7.41. icmp_seq
+7.48. icmp_seq
------------
min<>max | <max | >min
-7.42. icode
+7.49. icode
------------
| >min
-7.43. id
+7.50. id
------------
min
-7.44. ip_proto
+7.51. ip_proto
------------
* string ip_proto.~proto: [!|>|<] name or number
-7.45. ipopts
+7.52. ipopts
------------
lsrre|ssrr|satid|any }
-7.46. isdataat
+7.53. isdataat
------------
buffer
-7.47. itype
+7.54. itype
------------
| >min
-7.48. md5
+7.55. md5
------------
of buffer
-7.49. metadata
+7.56. metadata
------------
* string metadata.*: additional parameters not used by snort
-7.50. modbus_data
+7.57. modbus_data
------------
Type: ips_option
-7.51. modbus_func
+7.58. modbus_func
------------
* string modbus_func.~: function code to match
-7.52. modbus_unit
+7.59. modbus_unit
------------
* int modbus_unit.~: modbus unit ID { 0:255 }
-7.53. msg
+7.60. msg
------------
* string msg.~: message describing rule
-7.54. pcre
+7.61. pcre
------------
* string pcre.~re: Snort regular expression
-7.55. pkt_data
+7.62. pkt_data
------------
Type: ips_option
-7.56. pkt_num
-
-------------
-
-What: alert on raw packet number
-
-Type: ips_option
-
-Configuration:
-
- * string pkt_num.~range: check if packet number is in given range
-
-
-7.57. priority
+7.63. priority
------------
1: }
-7.58. raw_data
+7.64. raw_data
------------
Type: ips_option
-7.59. reference
+7.65. reference
------------
* string reference.~id: reference id
-7.60. regex
+7.66. regex
------------
instead of start of buffer
-7.61. rem
+7.67. rem
------------
* string rem.~: comment
-7.62. replace
+7.68. replace
------------
* string replace.~: byte code to replace with
-7.63. rev
+7.69. rev
------------
* int rev.~: revision { 1: }
-7.64. rpc
+7.70. rpc
------------
* string rpc.~proc: procedure number or * for any
-7.65. seq
+7.71. sd_pattern
+
+------------
+
+What: rule option for detecting sensitive data
+
+Type: ips_option
+
+Configuration:
+
+ * string sd_pattern.~pattern: The pattern to search for
+ * int sd_pattern.threshold: number of matches before alerting { 1 }
+
+Peg counts:
+
+ * sd_pattern.below threshold: sd_pattern matched but missed
+ threshold
+ * sd_pattern.pattern not found: sd_pattern did not not match
+ * sd_pattern.terminated: hyperscan terminated
+
+
+7.72. seq
------------
Configuration:
- * string seq.~range: check if packet payload size is size | min<>
- max | <max | >min
+ * string seq.~range: check if tcp sequence number value is value |
+ min<>max | <max | >min
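Review bot: the range on `+ * int sd_pattern.threshold: number of matches before alerting { 1 }` does not follow the `{ min:max }` notation used by every other int option on this page (`{ 1: }`, `{ 0:255 }`); write it as `{ 1: }` or whatever the actual bound is. Also fix the doubled word in `+ * sd_pattern.pattern not found: sd_pattern did not not match`.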
-7.66. session
+7.73. session
------------
* enum session.~mode: output format { printable|binary|all }
-7.67. sha256
+7.74. sha256
------------
start of buffer
-7.68. sha512
+7.75. sha512
------------
start of buffer
-7.69. sid
+7.76. sid
------------
* int sid.~: signature id { 1: }
-7.70. sip_body
+7.77. sip_body
------------
Type: ips_option
-7.71. sip_header
+7.78. sip_header
------------
Type: ips_option
-7.72. sip_method
+7.79. sip_method
------------
* string sip_method.*method: sip method
-7.73. sip_stat_code
+7.80. sip_stat_code
------------
* int sip_stat_code.*code: stat code { 1:999 }
-7.74. so
+7.81. so
------------
* string so.~func: name of eval function
-7.75. soid
+7.82. soid
------------
* string soid.~: SO rule ID has <gid>|<sid> format, like 3|12345
-7.76. ssl_state
+7.83. ssl_state
------------
unknown
-7.77. ssl_version
+7.84. ssl_version
------------
tls1.2
-7.78. stream_reassemble
+7.85. stream_reassemble
------------
remainder of the session
-7.79. stream_size
+7.86. stream_size
------------
direction(s) { either|to_server|to_client|both }
-7.80. tag
+7.87. tag
------------
* int tag.bytes: tag for this many bytes { 1: }
-7.81. tos
+7.88. tos
------------
Configuration:
- * string tos.~range: check if packet payload size is size | min<>
- max | <max | >min
+ * string tos.~range: check if ip tos value is value | min<>max |
+ <max | >min
-7.82. ttl
+7.89. ttl
------------
Configuration:
- * string ttl.~range: check if packet payload size is size | min<>
+ * string ttl.~range: check if ip ttl field value is value | min<>
max | <max | >min
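Review bot: in the ttl entry only the first line is rewrapped, so the rendered text reads `check if ip ttl field value is value | min<>` followed by the unchanged context line ` max | <max | >min`, splitting the `min<>max` token across the line break. The tos, seq and window entries in this same change rewrap both lines so the token stays intact; do the same here.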
-7.83. urg
-
-------------
-
-What: detection for TCP urgent pointer
-
-Type: ips_option
-
-Configuration:
-
- * string urg.~range: check if urgent offset is min<>max | <max | >
- min
-
-
-7.84. window
+7.90. window
------------
Configuration:
- * string window.~range: check if packet payload size is size | min
- <>max | <max | >min
+ * string window.~range: check if tcp window field size is size |
+ min<>max | <max | >min
---------------------------------------------------------------------
* enum alert_csv.units = B: bytes | KB | MB | GB { B | K | M | G }
-10.2. alert_ex
-
-------------
-
-What: output gid:sid:rev for alerts
-
-Type: logger
-
-Configuration:
-
- * bool alert_ex.upper = false: true/false → convert to upper/lower
- case
-
-
-10.3. alert_fast
+10.2. alert_fast
------------
* enum alert_fast.units = B: bytes | KB | MB | GB { B | K | M | G }
-10.4. alert_full
+10.3. alert_full
------------
K | M | G }
-10.5. alert_syslog
+10.4. alert_syslog
------------
cons | ndelay | perror | pid }
-10.6. alert_unixsock
-
-------------
-
-What: output event over unix socket
-
-Type: logger
-
-
-10.7. log_codecs
+10.5. log_codecs
------------
* bool log_codecs.msg = false: include alert msg
-10.8. log_hext
+10.6. log_hext
------------
* int log_hext.width = 20: set line width (0 is unlimited) { 0: }
-10.9. log_pcap
+10.7. log_pcap
------------
* enum log_pcap.units = B: bytes | KB | MB | GB { B | K | M | G }
-10.10. unified2
+10.8. unified2
------------
<error_file>
* --help Same as -h. this overview of snort2lua
* --markup print help in asciidoc compatible format
+ * --ohi Use Old Http Inspect format
* --output-file=<out_file> Same as -o. output the new Snort++ lua
configuration to <out_file>
* --print-all Same as -a. default option. print all data
end
}
-To run snort in piglet mode, first build snort with the BUILD_PIGLET
-option turned on (pass the flag -DBUILD_PIGLET:BOOL=ON in cmake).
+To run snort in piglet mode, first build snort with the ENABLE_PIGLET
+option turned on (pass the flag -DENABLE_PIGLET:BOOL=ON in cmake).
Then, run the following command:
------------
* Generally try to follow http://google-styleguide.googlecode.com/
- svn/trunk/cppguide.xml, but there are a few differences.
+ svn/trunk/cppguide.xml, but there are some differences documented
+ here.
* Each source directory should have a dev_notes.txt file
- summarizing the key points for the code in that directory. These
- are built into the developers guide.
+ summarizing the key points and design decisions for the code in
+ that directory. These are built into the developers guide.
+ * Makefile.am and CMakeLists.txt should have the same files listed
+ in alpha order. This makes it easier to maintain both build
+ systems.
+ * All new code must come with unit tests providing 95% coverage or
+ better.
+ * Generally, Catch is preferred for tests in the source file and
+ CppUTest is preferred for test executables in a test
+ subdirectory.
+
+
+15.2. C++ Specific
+
+------------
+
+ * Do not use exceptions. Exception-safe code is non-trivial and we
+ have ported legacy code that makes use of exceptions unwise.
+ There are a few exceptions to this rule for the memory manager,
+ shell, etc. Other code should handle errors as errors.
+ * Do not use dynamic_cast or RTTI. Although compilers are getting
+ better all the time, there is a time and space cost to this that
+ is easily avoided.
+ * Use smart pointers judiciously as they aren’t free. If you would
+ have to roll your own, then use a smart pointer. If you just need
+ a dtor to delete something, write the dtor.
+ * Prefer and over && and or over || for new source files.
+ * Use nullptr instead of NULL.
+ * Use new, delete, and their [] counterparts instead of malloc and
+ free except where realloc must be used. But try not to use
+ realloc. New and delete can’t return nullptr so no need to check.
+ And Snort’s memory manager will ensure that we live within our
+ memory budget.
+ * Use references in lieu of pointers wherever possible.
+ * Use the order public, protected, private top to bottom in a class
+ declaration.
+ * Keep inline functions in a class declaration very brief,
+ preferably just one line. If you need a more complex inline
+ function, move the definition below the class declaration.
+ * The goal is to have highly readable class declarations. The user
+ shouldn’t have to sift through implementation details to see what
+ is available to the client.
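Review bot: the statement `+ realloc. New and delete can’t return nullptr so no need to check.` is only true because operator new reports failure by throwing std::bad_alloc, and this same section forbids exceptions, so an allocation failure will terminate the process rather than be handled. Say that plainly (allocation failure is fatal by design, which is why no check is needed) so readers do not take "no need to check" to mean allocation cannot fail. While here, the sentence `+ have ported legacy code that makes use of exceptions unwise.` should read "which makes the use of exceptions unwise."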
-15.2. Naming
+15.3. Naming
------------
* Use lower case filenames with underscores.
-15.3. Comments
+15.4. Comments
------------
* Write comments sparingly with a mind towards future proofing.
Often the comments can be obviated with better code. Clear code
is better than a comment.
+ * Heed Tim Ottinger’s Rule on Comments (https://disqus.com/by/
+ tim_ottinger/):
+
+ 1. Comments should only say what the code is incapable of
+ saying.
+ 2. Comments that repeat (or pre-state) what the code is doing
+ must be removed.
+ 3. If the code CAN say what the comment is saying, it must be
+ changed at least until rule #2 is in force.
* Function comment blocks are generally just noise that quickly
becomes obsolete. If you absolutely must comment on parameters,
put each on a separate line along with the comment. That way
* Put author, description, etc. in separate comment(s) following
the license. Do not put such comments in the middle of the
license foo. Be sure to put the author line ahead of the header
- guard to exclude them from the developers guide.
+ guard to exclude them from the developers guide. Use the
+ following format, and include a mention to the original author if
+ this is derived work:
+
+ // ips_dnp3_obj.cc author Maya Dagon <mdagon@cisco.com>
+ // based on work by Ryan Jordan
+
* Each header should have a comment immediately after the header
guard to give an overview of the file so the user knows what’s
going on.
-15.4. Logging
+15.5. Logging
------------
* Messages intended for the user should not look like debug
- messages. Eg, the function name should not be included.
+ messages. Eg, the function name should not be included. It is
+ generally unhelpful to include pointers.
* Most debug messages should just be deleted.
* Don’t bang your error messages (no !). The user feels bad enough
about the problem already w/o you shouting at him.
-15.5. Types
+15.6. Types
------------
* Use forward declarations (e.g. struct SnortConfig;) instead of
void*.
* Try not to use extern data unless absolutely necessary and then
- put the extern in an appropriate header.
+ put the extern in an appropriate header. Exceptions for things
+ used in exactly one place like BaseApi pointers.
* Use const liberally. In most cases, const char* s = "foo" should
be const char* const s = "foo". The former goes in the
initialized data section and the latter in read only data
for multiple error returns. The C-style use of zero for success
and -1 for error is less readable and often leads to messy code
that either ignores the various errors anyway or needlessly and
- ineffectively tries to do something aobut them.
+ ineffectively tries to do something aobut them. Generally that
+ code is not updated if new errors are added.
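Review bot: this line is being edited anyway, so fix the carried-over typo in `+ ineffectively tries to do something aobut them. Generally that` ("about").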
-15.6. Macros (aka defines)
+15.7. Macros (aka defines)
------------
if-else type surprises.
-15.7. Formatting
+15.8. Formatting
------------
+ * Try to keep all source files under 2500 lines. 3000 is the max
+ allowed. If you need more lines, chances are that the code needs
+ to be refactored.
* Indent 4 space chars … no tabs!
* If you need to indent many times, something could be rewritten or
restructured to make it clearer. Fewer indents is generally
foo();
-15.8. Classes
-
-------------
-
- * Use the order public, protected, private top to bottom in a class
- declaration.
- * Keep inline functions in a class declaration very brief,
- preferably just one line. If you need a more complex inline
- function, move the definition outside the class declaration.
- * The goal is to have highly readable class declarations. The user
- shouldn’t have to sift through implementation details to see what
- is available to the client.
-
-
15.9. Headers
------------
the interface. And so on.
* A .cc should include its own .h before any others (including
system headers). This ensures that the header stands on its own
- and can be used by clients without include prerequisites.
+ and can be used by clients without include prerequisites and the
+ developer will be the first to find a dependency problem.
* Include required headers, all required headers, and nothing but
required headers. Don’t just clone a bunch of headers because it
is convenient.
- * Any file depending of #ifdefs should include config.h as shown
+ * Try to keep includes in alpha order. This makes it easier to
+ maintain, avoid duplicates, etc.
+ * Any file depending on #ifdefs should include config.h as shown
below. A .h should include it before any other includes, and a
.cc should include it immediately after the include of its own
.h.
#include "config.h"
#endif
- * Do not put using statements in headers.
+ * Do not put using statements in headers unless they are tightly
+ scoped.
15.10. Warnings
-Wall -Wextra -pedantic -Wformat -Wformat-security
-Wunused-but-set-variable -Wno-deprecated-declarations
+ -fsanitize=address -fno-omit-frame-pointer
* With clang, use at least these compiler flags:
-Wall -Wextra -pedantic -Wformat -Wformat-security
-Wno-deprecated-declarations
+ -fsanitize=address -fno-omit-frame-pointer
- * Then Fix All Warnings. None Allowed.
+ * Then Fix All Warnings and Aborts. None Allowed.
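Review bot: `-fsanitize=address -fno-omit-frame-pointer` are runtime instrumentation flags, not warning flags, yet they are added to the "use at least these compiler flags" lists under the Warnings heading with no qualification. They must also be passed at link time, and an ASan build should not ship as a release binary, so the text should label them as development and test build flags and explain that the new "and Aborts" in `+ * Then Fix All Warnings and Aborts. None Allowed.` refers to sanitizer reports.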
-15.11. Other
-
-------------
-
- * Prefer and over && and or over || for new source files.
-
-
-15.12. Uncrustify
+15.11. Uncrustify
------------
* --daq-dir <dir> tell snort where to find desired DAQ
* --daq-list list packet acquisition modules available in optional
dir, default is static modules only
- * --daq-mode <mode> select the DAQ operating mode
* --daq-var <name=value> specify extra DAQ configuration variable
* --dirty-pig don’t flush packets on shutdown
* --dump-builtin-rules [<module prefix>] output stub rules for
* --dump-dynamic-rules output stub rules for all loaded rules
libraries
* --dump-version output the version, the whole version, and only
- the version (optional)
+ the version
* --enable-inline-test enable Inline-Test Mode Operation
* --help list command line options
* --help-commands [<module prefix>] output matching commands
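Review bot: removing `- * --daq-mode <mode> select the DAQ operating mode` leaves no visible way in this list to choose between passive, inline and read-file operation. If the mode is now derived from another option or selected elsewhere, the remaining DAQ entries (`--daq-dir`, `--daq-var`) should say so, otherwise readers of the new manual will look for a flag that no longer exists.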
------------
- * string ack.~range: check if packet payload size is size | min<>
- max | <max | >min
+ * string ack.~range: check if tcp ack value is value | min<>max |
+ <max | >min
* int active.attempts = 0: number of TCP packets sent per response
(with varying sequence numbers) { 0:20 }
* string active.device: use ip for network layer responses or eth0
* string alert_csv.separator = , : separate fields with this
character sequence
* enum alert_csv.units = B: bytes | KB | MB | GB { B | K | M | G }
- * bool alert_ex.upper = false: true/false → convert to upper/lower
- case
* bool alert_fast.file = false: output to alert_fast.txt instead of
stdout
* int alert_fast.limit = 0: set limit (0 is unlimited) { 0: }
(note: rule action still taken)
* string alerts.tunnel_verdicts: let DAQ handle non-allow verdicts
for GTP|Teredo|6in4|4in6 traffic
+ * string appid.app_detector_dir: directory to load AppId detectors
+ from
+ * string appid.app_stats_filename: Filename for logging AppId
+ statistics
+ * int appid.app_stats_period = 300: time period for collecting and
+ logging AppId statistics { 0: }
+ * int appid.app_stats_rollover_size = 20971520: max file size for
+ AppId stats before rolling over the log file { 0: }
+ * int appid.app_stats_rollover_time = 86400: max time period for
+ collection AppId stats before rolling over the log file { 0: }
+ * string appid.conf: RNA configuration file
+ * bool appid.debug = false: enable AppId debug logging
+ * bool appid.dump_ports = false: enable dump of AppId port
+ information
+ * int appid.instance_id = 0: instance id - need more details for
+ what this is { 0: }
+ * int appid.memcap = 268435456: time period for collecting and
+ logging AppId statistics { 1048576:3221225472 }
+ * string appid.thirdparty_appid_dir: directory to load thirdparty
+ AppId detectors from
+ * string appids.~: appid option
* ip4 arp_spoof.hosts[].ip: host ip address
* mac arp_spoof.hosts[].mac: host mac address
* int asn1.absolute_offset: Absolute offset from the beginning of
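Review bot: `+ * int appid.memcap = 268435456: time period for collecting and` / `+ logging AppId statistics { 1048576:3221225472 }` carries the description copied from app_stats_period; a memcap with byte-sized bounds is a memory limit, and the text should say what it caps. Likewise `+ * int appid.instance_id = 0: instance id - need more details for` / `+ what this is { 0: }` is an author's TODO, not user documentation, and should be resolved or dropped before release. Minor: "max time period for collection AppId stats" should read "collecting".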
that is larger than a standard buffer.
* int asn1.oversize_length: Compares ASN.1 type lengths with the
supplied argument. { 0: }
- * implied asn1.print: <>max | <max | >min
+ * implied asn1.print: dump decode data to console; always true
* int asn1.relative_offset: relative offset from the cursor.
* int attribute_table.max_hosts = 1024: maximum number of hosts in
attribute table { 32:207551 }
from cursor
* string content.~data: data to match
* implied cvs.invalid-entry: looks for an invalid Entry string
- * bool daq.decode_data_link = false: display the second layer
- header info
- * string daq.dir: directory where to search for DAQ plugins
- * select daq.mode: set mode of operation { passive | inline |
- read-file }
+ * string daq.input_spec: input specification
+ * int daq.instances[].id: instance ID (required) { 0: }
+ * string daq.instances[].input_spec: input specification
+ * string daq.instances[].variables[].str: string parameter
+ * string daq.module: DAQ module to use
+ * string daq.module_dirs[].str: string parameter
* bool daq.no_promisc = false: whether to put DAQ device into
promiscuous mode
- * int daq.snaplen = deflt: set snap length (same as -P) { 0:65535 }
- * string daq.type: select type of DAQ
- * string daq.vars: comma separated list of name=value DAQ-specific
- parameters
- * string data_log.key = http_uri: name of data buffer to log
+ * int daq.snaplen: set snap length (same as -s) { 0:65535 }
+ * string daq.variables[].str: string parameter
* implied dce_iface.any_frag: match on any fragment
* string dce_iface.uuid: match given dcerpc uuid
* string dce_iface.version: interface version
0:255 }
* int dnp3_obj.var = 0: match given dnp3 object header var { 0:255
}
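Review bot: the removal of `- * string data_log.key = http_uri: name of data buffer to log` sits in the middle of the daq rewrite and no replacement data_log option appears anywhere in this hunk; confirm the data_log inspector's option is meant to disappear from the reference rather than being an accidental casualty of the daq changes. The snaplen line also changes the flag reference from -P to -s, which is only right if the command line option was renamed in this release.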
- * int dpx.max = 0: maximum payload before alert { 0:65535 }
- * port dpx.port: port to check
* string dsize.~range: check if packet payload size is size | min<>
max | <max | >min
* bool esp.decode_esp = false: enable for inspection of esp traffic
ordering incoming events { priority|content_length }
* bool event_queue.process_all_events = false: process just first
action group or all action groups
+ * string file_connector.connector: connector name
+ * enum file_connector.direction: usage { receive | transmit |
+ duplex }
+ * enum file_connector.format: file format { binary | text }
+ * string file_connector.name: channel name
* int file_id.block_timeout = 86400: stop blocking after this many
seconds { 0: }
* bool file_id.block_timeout_lookup = false: block if lookup times
out
+ * int file_id.capture_block_size = 32768: file capture block size
+ in bytes { 8: }
+ * int file_id.capture_max_size = 1048576: stop file capture beyond
+ this point { 0: }
+ * int file_id.capture_memcap = 100: memcap for file capture in
+ megabytes { 0: }
+ * int file_id.capture_min_size = 0: stop file capture if file size
+ less than this { 0: }
* bool file_id.enable_capture = false: enable file capture
* bool file_id.enable_signature = false: enable signature
calculation
data
* bool file_id.trace_type = false: enable runtime dump of type info
* int file_id.type_depth = 1460: stop type ID at this point { 0: }
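Review bot: file_id.capture_memcap = 100 is documented in megabytes while every other memcap on this page (appid.memcap, perf_monitor.flow_ip_memcap, the stream *_cache.memcap values being removed) is in bytes; either make the unit consistent or put it in the name, since a byte value pasted here from another memcap would be read as megabytes.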
+ * bool file_log.log_pkt_time = true: log the packet time when event
+ generated
+ * bool file_log.log_sys_time = false: log the system time when
+ event generated
+ * string file_type.~: list of file type IDs to match
* string flags.~mask_flags: these flags are don’t cares
* string flags.~test_flags: these flags are tested
* implied flow.established: match only during data transfer phase
* string flowbits.~arg2: group if arg1 is bits
* string flowbits.~command: set|reset|isset|etc.
* string fragbits.~flags: these flags are tested
- * string fragoffset.~range: check if packet payload size is size |
- min<>max | <max | >min
+ * string fragoffset.~range: check if ip fragment offset value is
+ value | min<>max | <max | >min
* bool ftp_client.bounce = false: check for bounces
* addr ftp_client.bounce_to[].address = 1.0.0.0/32: allowed ip
address in CIDR format
* int gtp_inspect[].version = 2: gtp version { 0:2 }
* string gtp_type.~: list of types to match
* int gtp_version.~: version to match { 0:2 }
+ * bool high_availability.daq_channel = false: enable use of daq
+ data plane channel
+ * bool high_availability.enable = false: enable high availability
+ * real high_availability.min_age = 1.0: minimum session life before
+ HA updates { 0.0:100.0 }
+ * real high_availability.min_sync = 1.0: minimum interval between
+ HA updates { 0.0:100.0 }
+ * bit_list high_availability.ports: side channel message port list
+ { 65535 }
+ * int host_cache[].size: size of host cache
* enum host_tracker[].frag_policy: defragmentation policy { first |
linux | bsd | bsd_right | last | windows | solaris }
* addr host_tracker[].ip = 0.0.0.0/32: hosts address / cidr
* enum hosts[].tcp_policy: tcp reassembly policy { first | last |
linux | old_linux | bsd | macos | solaris | irix | hpux11 |
hpux10 | windows | win_2003 | vista | proxy }
- * int http_global.compress_depth = 65535: maximum amount of packet
- payload to decompress { 1:65535 }
- * int http_global.decode.b64_decode_depth = 0: single packet decode
- depth { -1:65535 }
- * int http_global.decode.bitenc_decode_depth = 0: single packet
- decode depth { -1:65535 }
- * int http_global.decode.max_mime_mem = 838860: single packet
- decode depth { 3276: }
- * int http_global.decode.qp_decode_depth = 0: single packet decode
- depth { -1:65535 }
- * int http_global.decode.uu_decode_depth = 0: single packet decode
- depth { -1:65535 }
- * int http_global.decompress_depth = 65535: maximum amount of
- decompressed data to process { 1:65535 }
- * bool http_global.detect_anomalous_servers = false: inspect
- non-configured ports for HTTP - bad idea
- * int http_global.max_gzip_mem = 838860: total memory used for
- decompression across all active sessions { 3276: }
- * int http_global.memcap = 150994944: limit of memory used for
- logging extra data { 2304: }
- * bool http_global.proxy_alert = false: alert on proxy usage for
- servers without allow_proxy_use
- * int http_global.unicode_map.code_page = 1252: select code page in
- map file { 0: }
- * string http_global.unicode_map.map_file: unicode map file
- * string http_header.~name: restrict to given header
- * bool http_inspect.allow_proxy_use = false: don’t alert on proxy
- use for this server
- * bool http_inspect.decompress_pdf = false: enable decompression of
- the compressed portions of PDF files
- * bool http_inspect.decompress_swf = false: enable decompression of
- SWF (Adobe Flash content)
- * bool http_inspect.enable_cookies = true: extract cookies
- * bool http_inspect.enable_xff = false: log True-Client-IP and
- X-Forwarded-For headers with unified2 alerts as extra data
- * bool http_inspect.extended_ascii_uri = false: allow extended
- ASCII codes in the request URI
- * bool http_inspect.extended_response_inspection = true: extract
- response headers
- * string http_inspect.http_methods = GET POST PUT SEARCH MKCOL COPY
- MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK
- OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE
- UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT
- PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA
- RPC_OUT_DATA RPC_ECHO_DATA: request methods allowed in addition
- to GET and POST
- * bool http_inspect.inspect_gzip = true: enable gzip decompression
- of compressed bodies
- * bool http_inspect.inspect_uri_only = false: disable all detection
- except for uricontent
- * bool http_inspect.log_hostname = false: enable logging of
- Hostname with unified2 alerts as extra data
- * bool http_inspect.log_uri = false: enable logging of URI with
- unified2 alerts as extra data
- * bool http_inspect.no_pipeline_req = false: don’t inspect
- pipelined requests after first (still does general detection)
- * bit_list http_inspect.non_rfc_chars = 0x00 0x01 0x02 0x03 0x04
- 0x05 0x06 0x07: alert on given non-RFC chars being present in the
- URI { 255 }
- * bool http_inspect.normalize_cookies = false: normalize cookies
- similar to URI
- * bool http_inspect.normalize_headers = false: normalize headers
- other than cookie similar to URI
- * int http_inspect.oversize_dir_length = 500: alert if a URL has a
- directory longer than this limit { 0: }
- * bool http_inspect.profile.apache_whitespace = false: don’t alert
- if tab is used in lieu of space characters
- * bool http_inspect.profile.ascii = false: enable decoding ASCII
- like %2f to /
- * bool http_inspect.profile.bare_byte = false: decode non-standard,
- non-ASCII character encodings
- * int http_inspect.profile.chunk_length = 500000: alert on chunk
- lengths greater than specified { 1: }
- * int http_inspect.profile.client_flow_depth = 0: raw request
- payload to inspect { -1:1460 }
- * bool http_inspect.profile.directory = false: normalize . and ..
- sequences out of URI
- * bool http_inspect.profile.double_decode = false: iis specific
- extra decoding
- * bool http_inspect.profile.iis_backslash = false: normalize
- directory slashes
- * bool http_inspect.profile.iis_delimiter = false: allow use of
- non-standard delimiter
- * bool http_inspect.profile.iis_unicode = false: enable unicode
- code point mapping using unicode_map settings
- * int http_inspect.profile.iis_unicode_map.code_page = 1252: select
- code page in map file { 0: }
- * string http_inspect.profile.iis_unicode_map.map_file: unicode map
- file
- * int http_inspect.profile.max_header_length = 750: maximum allowed
- client request header field { 0:65535 }
- * int http_inspect.profile.max_headers = 100: maximum allowed
- client request headers { 0:1024 }
- * int http_inspect.profile.max_javascript_whitespaces = 200:
- maximum number of consecutive whitespaces { 0: }
- * int http_inspect.profile.max_spaces = 200: maximum allowed
- whitespaces when folding { 0:65535 }
- * bool http_inspect.profile.multi_slash = false: normalize out
- consecutive slashes in URI
- * bool http_inspect.profile.non_strict = true: allows HTTP 0.9
- processing
- * bool http_inspect.profile.normalize_javascript = true: normalize
- javascript between <script> tags
- * bool http_inspect.profile.normalize_utf = true: normalize
- response bodies with UTF content-types
- * int http_inspect.profile.post_depth = 65495: amount of POST data
- to inspect { -1:65535 }
- * enum http_inspect.profile.profile_type = default: set defaults
- appropriate for selected server { default | apache | iis | iis_40
- | iis_50 }
- * int http_inspect.profile.server_flow_depth = 0: response payload
- to inspect; includes headers with extended_response_inspection {
- -1:65535 }
- * bool http_inspect.profile.u_encode = true: decode %uXXXX
- character sequences
- * bool http_inspect.profile.utf_8 = false: decode UTF-8 unicode
- sequences in URI
- * bool http_inspect.profile.webroot = false: alert on directory
- traversals past the top level (web server root)
- * bit_list http_inspect.profile.whitespace_chars: allowed white
- space characters { 255 }
- * int http_inspect.small_chunk_count = 5: alert if more than this
- limit of consecutive chunks are below small_chunk_length { 0:255
- }
- * int http_inspect.small_chunk_length = 10: alert if more than
- small_chunk_count consecutive chunks below this limit { 0:255 }
- * bool http_inspect.tab_uri_delimiter = false: whether a tab not
- preceded by a space is considered a delimiter or part of URI
- * bool http_inspect.unlimited_decompress = true: decompress across
- multiple packets
- * bool http_inspect.xff_headers = false: not implemented
+ * implied http_cookie.request: Match against the cookie from the
+ request message even when examining the response
+ * implied http_cookie.with_body: Parts of this rule examine HTTP
+ message body
+ * implied http_cookie.with_trailer: Parts of this rule examine HTTP
+ message trailers
+ * string http_header.field: Restrict to given header. Header name
+ is case insensitive.
+ * implied http_header.request: Match against the headers from the
+ request message even when examining the response
+ * implied http_header.with_body: Parts of this rule examine HTTP
+ message body
+ * implied http_header.with_trailer: Parts of this rule examine HTTP
+ message trailers
+ * bool http_inspect.backslash_to_slash = false: replace \ with /
+ when normalizing URIs
+ * bit_list http_inspect.bad_characters: alert when any of specified
+ bytes are present in URI after percent decoding { 255 }
+ * string http_inspect.ignore_unreserved: do not alert when the
+ specified unreserved characters are percent-encoded in a
+ URI.Unreserved characters are 0-9, a-z, A-Z, period, underscore,
+ tilde, and minus. { (optional) }
+ * bool http_inspect.iis_double_decode = false: perform double
+ decoding of percent encodings to normalize characters
+ * bool http_inspect.iis_unicode = false: use IIS unicode code point
+ mapping to normalize characters
+ * int http_inspect.iis_unicode_code_page = 1252: code page to use
+ from the IIS unicode map file { 0:65535 }
+ * string http_inspect.iis_unicode_map_file: file containing code
+ points for IIS unicode. { (optional) }
+ * int http_inspect.oversize_dir_length = 300: maximum length for
+ URL directory { 1:65535 }
+ * bool http_inspect.percent_u = false: normalize %uNNNN and %UNNNN
+ encodings
+ * bool http_inspect.plus_to_space = true: replace + with <sp> when
+ normalizing URIs
+ * int http_inspect.print_amount = 1200: number of characters to
+ print from a Field { 1:1000000 }
+ * bool http_inspect.print_hex = false: nonprinting characters
+ printed in [HH] format instead of using an asterisk
+ * int http_inspect.request_depth = -1: maximum request message body
+ bytes to examine (-1 no limit) { -1: }
+ * int http_inspect.response_depth = -1: maximum response message
+ body bytes to examine (-1 no limit) { -1: }
+ * bool http_inspect.show_pegs = true: display peg counts with test
+ output
+ * bool http_inspect.simplify_path = true: reduce URI directory path
+ to simplest form
+ * bool http_inspect.test_input = false: read HTTP messages from
+ text file
+ * bool http_inspect.test_output = false: print out HTTP section
+ data
+ * bool http_inspect.unzip = true: decompress gzip and deflate
+ message bodies
+ * bool http_inspect.utf8 = true: normalize 2-byte and 3-byte UTF-8
+ characters to a single byte
+ * bool http_inspect.utf8_bare_byte = false: when doing UTF-8
+ character normalization include bytes that were not percent
+ encoded
+ * implied http_method.with_body: Parts of this rule examine HTTP
+ message body
+ * implied http_method.with_trailer: Parts of this rule examine HTTP
+ message trailers
+ * implied http_raw_cookie.request: Match against the cookie from
+ the request message even when examining the response
+ * implied http_raw_cookie.with_body: Parts of this rule examine
+ HTTP message body
+ * implied http_raw_cookie.with_trailer: Parts of this rule examine
+ HTTP message trailers
+ * implied http_raw_header.request: Match against the headers from
+ the request message even when examining the response
+ * implied http_raw_header.with_body: Parts of this rule examine
+ HTTP message body
+ * implied http_raw_header.with_trailer: Parts of this rule examine
+ HTTP message trailers
+ * implied http_raw_request.with_body: Parts of this rule examine
+ HTTP message body
+ * implied http_raw_request.with_trailer: Parts of this rule examine
+ HTTP message trailers
+ * implied http_raw_status.with_body: Parts of this rule examine
+ HTTP message body
+ * implied http_raw_status.with_trailer: Parts of this rule examine
+ HTTP message trailers
+ * implied http_raw_trailer.request: Match against the trailers from
+ the request message even when examining the response
+ * implied http_raw_trailer.with_body: Parts of this rule examine
+ HTTP response message body (must be combined with request)
+ * implied http_raw_trailer.with_header: Parts of this rule examine
+ HTTP response message headers (must be combined with request)
+ * implied http_raw_uri.fragment: match against fragment section of
+ URI only
+ * implied http_raw_uri.host: match against host section of URI only
+ * implied http_raw_uri.path: match against path section of URI only
+ * implied http_raw_uri.port: match against port section of URI only
+ * implied http_raw_uri.query: match against query section of URI
+ only
+ * implied http_raw_uri.scheme: match against scheme section of URI
+ only
+ * implied http_raw_uri.with_body: Parts of this rule examine HTTP
+ message body
+ * implied http_raw_uri.with_trailer: Parts of this rule examine
+ HTTP message trailers
+ * implied http_stat_code.with_body: Parts of this rule examine HTTP
+ message body
+ * implied http_stat_code.with_trailer: Parts of this rule examine
+ HTTP message trailers
+ * implied http_stat_msg.with_body: Parts of this rule examine HTTP
+ message body
+ * implied http_stat_msg.with_trailer: Parts of this rule examine
+ HTTP message trailers
+ * string http_trailer.field: restrict to given trailer
+ * implied http_trailer.request: Match against the trailers from the
+ request message even when examining the response
+ * implied http_trailer.with_body: Parts of this rule examine HTTP
+ message body (must be combined with request)
+ * implied http_trailer.with_header: Parts of this rule examine HTTP
+ response message headers (must be combined with request)
+ * implied http_uri.fragment: match against fragment section of URI
+ only
+ * implied http_uri.host: match against host section of URI only
+ * implied http_uri.path: match against path section of URI only
+ * implied http_uri.port: match against port section of URI only
+ * implied http_uri.query: match against query section of URI only
+ * implied http_uri.scheme: match against scheme section of URI only
+ * implied http_uri.with_body: Parts of this rule examine HTTP
+ message body
+ * implied http_uri.with_trailer: Parts of this rule examine HTTP
+ message trailers
+ * implied http_version.request: Match against the version from the
+ request message even when examining the response
+ * implied http_version.with_body: Parts of this rule examine HTTP
+ message body
+ * implied http_version.with_trailer: Parts of this rule examine
+ HTTP message trailers
* string icmp_id.~range: check if icmp id is id | min<>max | <max |
>min
* string icmp_seq.~range: check if icmp sequence number is seq |
* string isdataat.~length: num | !num
* string itype.~range: check if icmp type is type | min<>max | <max
| >min
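Review bot: the help text for http_inspect.ignore_unreserved is missing a space after the period ("URI.Unreserved characters"). In the same hunk, test_input, test_output, show_pegs and print_amount are test-harness settings listed alongside production options with nothing marking them as such; a "for testing only" phrase in their help text would keep them out of deployed configs. Also worth calling out in the text: request_depth and response_depth default to -1 (no limit), replacing the old client_flow_depth = 0, server_flow_depth = 0 and post_depth = 65495 limits, so unbounded body inspection is now the default unless these are set.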
+ * enum latency.packet.action = alert_and_log: event action if
+ packet times out and is fastpathed { none | alert | log |
+ alert_and_log }
+ * bool latency.packet.fastpath = false: fastpath expensive packets
+ (max_time exceeded)
+ * int latency.packet.max_time = 500: set timeout for packet latency
+ thresholding (usec) { 0: }
+ * enum latency.rule.action = alert_and_log: event action for rule
+ latency enable and suspend events { none | alert | log |
+ alert_and_log }
+ * int latency.rule.max_suspend_time = 30000: set max time for
+ suspending a rule (ms, 0 means permanently disable rule) { 0: }
+ * int latency.rule.max_time = 500: set timeout for rule evaluation
+ (usec) { 0: }
+ * bool latency.rule.suspend = false: temporarily suspend expensive
+ rules
+ * int latency.rule.suspend_threshold = 5: set threshold for number
+ of timeouts before suspending a rule { 1: }
* bool log_codecs.file = false: output to log_codecs.txt instead of
stdout
* bool log_codecs.msg = false: include alert msg
* implied md5.relative = false: offset from cursor instead of start
of buffer
* string md5.~hash: data to match
+ * int memory.cap = 0: set the per-packet-thread cap on memory
+ (bytes, 0 to disable) { 0: }
+ * bool memory.soft = false: always succeed in allocating memory,
+ even if above the cap
+ * int memory.threshold = 0: set the per-packet-thread threshold for
+ preemptive cleanup actions (percent, 0 to disable) { 0: }
* string metadata.*: additional parameters not used by snort
* string metadata.service: service name
* string modbus_func.~: function code to match
1:255 }
* int network.new_ttl = 1: use this value for responses and when
normalizing { 1:255 }
- * int new_http_inspect.print_amount = 1200: number of characters to
- print from a Field { 1:1000000 }
- * int new_http_inspect.request_depth = -1: maximum request message
- body bytes to examine (-1 no limit) { -1: }
- * int new_http_inspect.response_depth = -1: maximum response
- message body bytes to examine (-1 no limit) { -1: }
- * bool new_http_inspect.test_input = false: read HTTP messages from
- text file
- * bool new_http_inspect.test_output = false: print out HTTP section
- data
- * bool new_http_inspect.unzip = true: decompress gzip and deflate
- message bodies
* bool normalizer.icmp4 = false: clear reserved flag
* bool normalizer.icmp6 = false: clear reserved flag
* bool normalizer.ip4.base = true: clear options
* string output.logdir = .: where to put log files (same as -l)
* bool output.obfuscate = false: obfuscate the logged IP addresses
(same as -O)
+ * bool output.obfuscate_pii = false: Mask all but the last 4
+ characters of credit card and social security numbers
* bool output.quiet = false: suppress non-fatal information (still
show alerts, same as -q)
* bool output.show_year = false: include year in timestamp in the
* int output.tagged_packet_limit = 256: maximum number of packets
tagged for non-packet metrics { 0: }
* bool output.verbose = false: be verbose (same as -v)
+ * bool packet_capture.enable = false: initially enable packet
+ dumping
+ * string packet_capture.filter: bpf filter to use for packet dump
* bool packets.address_space_agnostic = false: determines whether
DAQ address space info is used to track fragments and connections
* string packets.bpf_file: file with BPF to select traffic for
Snort
- * bool packets.enable_inline_init_failopen = true: whether to pass
- traffic during later stage of initialization to avoid drops
* int packets.limit = 0: maximum number of packets to process
before stopping (0 is unlimited) { 0: }
* int packets.skip = 0: number of packets to skip before before
* bool packets.vlan_agnostic = false: determines whether VLAN info
is used to track fragments and connections
* string pcre.~re: Snort regular expression
- * bool perf_monitor.console = false: output to console
- * bool perf_monitor.events = false: report on qualified vs
- non-qualified events
- * bool perf_monitor.file = false: output base stats to
- perf_monitor.csv instead of stdout
+ * bool perf_monitor.base = true: enable base statistics { nullptr }
+ * bool perf_monitor.cpu = false: enable cpu statistics { nullptr }
* bool perf_monitor.flow = false: enable traffic statistics
- * bool perf_monitor.flow_file = false: output traffic statistics to
- a perf_monitor_flow.csv instead of stdout
* bool perf_monitor.flow_ip = false: enable statistics on host
pairs
- * bool perf_monitor.flow_ip_file = false: output host pair
- statistics to perf_monitor_flow_ip.csv instead of stdout
* int perf_monitor.flow_ip_memcap = 52428800: maximum memory for
flow tracking { 8200: }
- * int perf_monitor.flow_ports = 1023: maximum ports to track { 0: }
- * bool perf_monitor.max = false: calculate theoretical maximum
- performance
+ * int perf_monitor.flow_ports = 1023: maximum ports to track {
+ 0:65535 }
+ * enum perf_monitor.format = csv: Output format for stats { csv |
+ text }
* int perf_monitor.max_file_size = 1073741824: files will be rolled
over if they exceed this size { 4096: }
* string perf_monitor.modules[].name: name of the module
- * string perf_monitor.modules[].pegs[].name: name of the statistic
- to track
+ * string perf_monitor.modules[].pegs: list of statistics to track
+ or empty for all counters
+ * enum perf_monitor.output = file: Output location for stats { file
+ | console }
* int perf_monitor.packets = 10000: minimum packets to report { 0:
}
- * bool perf_monitor.reset = true: reset (clear) statistics after
- each reporting interval
- * int perf_monitor.seconds = 60: report interval; 0 means report at
- exit only { 0: }
- * string pkt_num.~range: check if packet number is in given range
+ * int perf_monitor.seconds = 60: report interval { 1: }
+ * bool perf_monitor.summary = false: Output summary at shutdown
* int pop.b64_decode_depth = 1460: base64 decoding depth { -1:65535
}
* int pop.bitenc_decode_depth = 1460: Non-Encoded MIME attachment
watch
* int port_scan_global.memcap = 1048576: maximum tracker memory {
1: }
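Review bot: perf_monitor.base and perf_monitor.cpu show `{ nullptr }` as their range, which is the unset range string leaking into the generated help; bool parameters elsewhere on the page show no braces at all, so these two should drop them. Also, perf_monitor.seconds now has range { 1: } and the "0 means report at exit only" behaviour is gone, with the new summary option covering the shutdown report; a short note that seconds = 0 is no longer accepted would help users migrating old configs.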
- * bool ppm.fastpath_expensive_packets = false: stop inspection if
- the max_pkt_time is exceeded
- * int ppm.max_pkt_time = 0: enable packet latency thresholding
- (usec), 0 = off { 0: }
- * int ppm.max_rule_time = 0: enable rule latency thresholding
- (usec), 0 = off { 0: }
- * enum ppm.pkt_log = none: log event if max_pkt_time is exceeded {
- none | log | alert | both }
- * enum ppm.rule_log = none: enable event logging for suspended
- rules { none|log|alert|both }
- * bool ppm.suspend_expensive_rules = false: temporarily disable
- rule if threshold is reached
- * int ppm.suspend_timeout = 60: seconds to suspend rule, 0 =
- permanent { 0: }
- * int ppm.threshold = 5: number of times to exceed limit before
- disabling rule { 1: }
* int priority.~: relative severity level; 1 is highest priority {
1: }
* string process.chroot: set chroot directory (same as -t)
* bool process.dirty_pig = false: shutdown without internal cleanup
* string process.set_gid: set group ID (same as -g)
* string process.set_uid: set user ID (same as -u)
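Review bot: this hunk drops every ppm.* option without pointing at the latency.* options added earlier in this diff that replace them (ppm.max_pkt_time -> latency.packet.max_time, ppm.fastpath_expensive_packets -> latency.packet.fastpath, ppm.suspend_expensive_rules -> latency.rule.suspend, ppm.threshold -> latency.rule.suspend_threshold, ppm.suspend_timeout -> latency.rule.max_suspend_time); a migration note would help, particularly because the units change: ppm.suspend_timeout was in seconds with 0 = permanent, while latency.rule.max_suspend_time is in ms with 0 meaning permanently disable.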
- * int process.threads[].cpu = 0: pin the associated source/thread
- to this cpu { 0:127 }
- * string process.threads[].source: set cpu affinity for this source
- (either pcap or <iface>
+ * string process.threads[].cpuset: pin the associated thread to
+ this cpuset
* int process.threads[].thread = 0: set cpu affinity for the
<cur_thread_num> thread that runs { 0: }
* string process.umask: set process umask (same as -m)
policies
* int rule_state.gid = 0: rule generator ID { 0: }
* int rule_state.sid = 0: rule signature ID { 0: }
+ * int sd_pattern.threshold: number of matches before alerting { 1 }
+ * string sd_pattern.~pattern: The pattern to search for
* int search_engine.bleedover_port_limit = 1024: maximum ports in
rule before demotion to any-any port group { 1: }
* bool search_engine.bleedover_warnings_enabled = false: print
matching fast pattern states to queue per packet
* dynamic search_engine.search_method = ac_bnfa: set fast pattern
algorithm - choose available search engine { ac_banded | ac_bnfa
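Review bot: sd_pattern.threshold's range is written `{ 1 }` where every other integer on the page uses the `{ min:max }` form (`{ 1: }`), and it shows no default while the comparable int options do; either give it the colon form and a default or note in the help text that it is required.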
- | ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan |
- lowmem }
- * bool search_engine.search_optimize = false: tweak state machine
+ | ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan }
+ * bool search_engine.search_optimize = true: tweak state machine
construction for better performance
* bool search_engine.split_any_any = false: evaluate any-any rules
separately to save memory
- * string seq.~range: check if packet payload size is size | min<>
- max | <max | >min
+ * string seq.~range: check if tcp sequence number value is value |
+ min<>max | <max | >min
* enum session.~mode: output format { printable|binary|all }
* int sha256.length: number of octets in plain text { 1:65535 }
* string sha256.offset: var or number of bytes from start of buffer
start of buffer
* string sha512.~hash: data to match
* int sid.~: signature id { 1: }
+ * string side_channel.connectors[].connector: connector handle
+ * bit_list side_channel.ports: side channel message port list {
+ 65535 }
* bool sip.ignore_call_channel = false: enables the support for
ignoring audio/video data channel
* int sip.max_call_id_len = 256: maximum call id field size {
extracted from the MAIL FROM command
* bool smtp.log_rcptto = false: log the recipient’s email address
extracted from the RCPT TO command
+ * int smtp.max_auth_command_line_len = 1000: max auth command Line
+ Length { 0:65535 }
* int smtp.max_command_line_len = 0: max Command Line Length {
0:65535 }
* int smtp.max_header_line_len = 0: max SMTP DATA header line {
DAQ
* implied snort.--daq-list: list packet acquisition modules
available in optional dir, default is static modules only
- * string snort.--daq-mode: <mode> select the DAQ operating mode
* string snort.--daq-var: <name=value> specify extra DAQ
configuration variable
* implied snort.--dirty-pig: don’t flush packets on shutdown
defaults in Lua format { (optional) }
* implied snort.--dump-dynamic-rules: output stub rules for all
loaded rules libraries
- * string snort.--dump-version: output the version, the whole
- version, and only the version { (optional) }
+ * implied snort.--dump-version: output the version, the whole
+ version, and only the version
* implied snort.--enable-inline-test: enable Inline-Test Mode
Operation
* implied snort.--help: list command line options
* implied ssl_version.tls1.0: check for tls1.0
* implied ssl_version.tls1.1: check for tls1.1
* implied ssl_version.tls1.2: check for tls1.2
+ * int stream.file_cache.cleanup_pct = 5: percent of cache to clean
+ when max_sessions is reached { 1:100 }
* int stream.file_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1: }
* int stream.file_cache.max_sessions = 128: maximum simultaneous
- sessions tracked before pruning { 1: }
- * int stream.file_cache.memcap = 0: maximum cache memory before
- pruning (0 is unlimited) { 0: }
+ sessions tracked before pruning { 2: }
* int stream.file_cache.pruning_timeout = 30: minimum inactive time
before being eligible for pruning { 1: }
+ * int stream.icmp_cache.cleanup_pct = 5: percent of cache to clean
+ when max_sessions is reached { 1:100 }
* int stream.icmp_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1: }
* int stream.icmp_cache.max_sessions = 32768: maximum simultaneous
- sessions tracked before pruning { 1: }
- * int stream.icmp_cache.memcap = 1048576: maximum cache memory
- before pruning (0 is unlimited) { 0: }
+ sessions tracked before pruning { 2: }
* int stream.icmp_cache.pruning_timeout = 30: minimum inactive time
before being eligible for pruning { 1: }
+ * int stream.ip_cache.cleanup_pct = 5: percent of cache to clean
+ when max_sessions is reached { 1:100 }
* int stream.ip_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1: }
* int stream.ip_cache.max_sessions = 16384: maximum simultaneous
- sessions tracked before pruning { 1: }
- * int stream.ip_cache.memcap = 23920640: maximum cache memory
- before pruning (0 is unlimited) { 0: }
+ sessions tracked before pruning { 2: }
* int stream.ip_cache.pruning_timeout = 30: minimum inactive time
before being eligible for pruning { 1: }
+ * int stream.tcp_cache.cleanup_pct = 5: percent of cache to clean
+ when max_sessions is reached { 1:100 }
* int stream.tcp_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1: }
* int stream.tcp_cache.max_sessions = 131072: maximum simultaneous
- sessions tracked before pruning { 1: }
- * int stream.tcp_cache.memcap = 268435456: maximum cache memory
- before pruning (0 is unlimited) { 0: }
+ sessions tracked before pruning { 2: }
* int stream.tcp_cache.pruning_timeout = 30: minimum inactive time
before being eligible for pruning { 1: }
+ * int stream.udp_cache.cleanup_pct = 5: percent of cache to clean
+ when max_sessions is reached { 1:100 }
* int stream.udp_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1: }
* int stream.udp_cache.max_sessions = 65536: maximum simultaneous
- sessions tracked before pruning { 1: }
- * int stream.udp_cache.memcap = 0: maximum cache memory before
- pruning (0 is unlimited) { 0: }
+ sessions tracked before pruning { 2: }
* int stream.udp_cache.pruning_timeout = 30: minimum inactive time
before being eligible for pruning { 1: }
+ * int stream.user_cache.cleanup_pct = 5: percent of cache to clean
+ when max_sessions is reached { 1:100 }
* int stream.user_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1: }
* int stream.user_cache.max_sessions = 1024: maximum simultaneous
- sessions tracked before pruning { 1: }
- * int stream.user_cache.memcap = 1048576: maximum cache memory
- before pruning (0 is unlimited) { 0: }
+ sessions tracked before pruning { 2: }
* int stream.user_cache.pruning_timeout = 30: minimum inactive time
before being eligible for pruning { 1: }
* bool stream_file.upload = false: indicate file transfer direction
* bool telnet.encrypted_traffic = false: check for encrypted telnet
and ftp
* bool telnet.normalize = false: eliminate escape sequences
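Review bot: all six stream.*_cache.memcap options are removed and replaced by cleanup_pct, so max_sessions becomes the only bound on session tracking; the cleanup_pct help text ("percent of cache to clean when max_sessions is reached") should say whether the percentage is of max_sessions or of current entries, and the change of the max_sessions minimum from { 1: } to { 2: } deserves a word, since a configured value of 1 will now be rejected.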
- * string tos.~range: check if packet payload size is size | min<>
- max | <max | >min
- * string ttl.~range: check if packet payload size is size | min<>
+ * string tos.~range: check if ip tos value is value | min<>max |
+ <max | >min
+ * string ttl.~range: check if ip ttl field value is value | min<>
max | <max | >min
* bool udp.deep_teredo_inspection = false: look for Teredo on all
UDP ports (default is only 3544)
* enum unified2.units = B: limit multiplier { B | K | M | G }
* bool unified2.vlan_event_types = false: include vlan IDs in
events
- * string urg.~range: check if urgent offset is min<>max | <max | >
- min
- * string window.~range: check if packet payload size is size | min
- <>max | <max | >min
+ * string window.~range: check if tcp window field size is size |
+ min<>max | <max | >min
* bool wizard.hexes[].client_first = true: which end initiates data
transfer
* select wizard.hexes[].proto = tcp: protocol to scan { tcp | udp }
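Review bot: the three `stream.*_cache.memcap` options are dropped and `cleanup_pct` options added, but nothing in this hunk records that memory-capped pruning is replaced by count-based pruning, so a reader migrating a config that set `stream.tcp_cache.memcap = 268435456` gets no hint that the key is now invalid; add a line stating the replacement. The `urg.~range` rule option is likewise removed while `tos`, `ttl` and `window` keep their `~range` entries with corrected descriptions; confirm the option itself was removed rather than its doc line lost during the description fix, and note the raised `max_sessions` minimum (`{ 1: }` to `{ 2: }`) for the same migrating reader.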
------------
+ * appid.battlefield_flows: count of battle field flows discovered
+ by appid
+ * appid.bgp_flows: count of bgp flows discovered by appid
+ * appid.bit_clients: count of bittorrent clients discovered by
+ appid
+ * appid.bit_flows: count of bittorrent flows discovered by appid
+ * appid.bittracker_clients: count of bittorrent tracker clients
+ discovered by appid
+ * appid.dcerpc_tcp_flows: count of dce rpc flows over tcp
+ discovered by appid
+ * appid.dcerpc_udp_flows: count of dce rpc flows over udp
+ discovered by appid
+ * appid.dns_tcp_flows: count of dns flows over tcp discovered by
+ appid
+ * appid.dns_udp_flows: count of dns flows over udp discovered by
+ appid
+ * appid.ftp_flows: count of ftp flows discovered by appid
+ * appid.ftps_flows: count of ftps flows discovered by appid
+ * appid.imap_flows: count of imap service flows discovered by appid
+ * appid.imaps_flows: count of imap TLS service flows discovered by
+ appid
+ * appid.irc_flows: count of irc service flows discovered by appid
+ * appid.kerberos_clients: count of kerberos clients discovered by
+ appid
+ * appid.kerberos_flows: count of kerberos service flows discovered
+ by appid
+ * appid.kerberos_users: count of kerberos users discovered by appid
+ * appid.lpr_flows: count of lpr service flows discovered by appid
+ * appid.mdns_flows: count of mdns service flows discovered by appid
+ * appid.mysql_flows: count of mysql service flows discovered by
+ appid
+ * appid.netbios_flows: count of netbios service flows discovered by
+ appid
+ * appid.packets: count of packets processed by appid
+ * appid.pop_flows: count of pop service flows discovered by appid
+ * appid.smtp_flows: count of smtp flows discovered by appid
+ * appid.smtps_flows: count of smtps flows discovered by appid
+ * appid.ssh_clients: count of ssh clients discovered by appid
+ * appid.ssh_flows: count of ssh flows discovered by appid
+ * appid.ssl_flows: count of ssl flows discovered by appid
+ * appid.telnet_flows: count of telnet flows discovered by appid
+ * appid.timbuktu_flows: count of timbuktu flows discovered by appid
* arp_spoof.packets: total packets
* back_orifice.packets: total packets
* binder.allows: allow bindings
* daq.blacklist: total blacklist verdicts
* daq.block: total block verdicts
* daq.dropped: packets dropped
- * daq.fail open: packets passed during initialization
* daq.filtered: packets filtered out
* daq.idle: attempts to acquire from DAQ without available packets
* daq.ignore: total ignore verdicts
* daq.replace: total replace verdicts
* daq.skipped: packets skipped at startup
* daq.whitelist: total whitelist verdicts
- * data_log.packets: total packets
- * dce_smb.aborted sessions: total aborted sessions
- * dce_smb.bad autodetects: total bad autodetects
- * dce_smb.connection-oriented PDUs: total connection-oriented PDUs
- * dce_smb.connection-oriented alter context responses: total
- connection-oriented alter context responses
- * dce_smb.connection-oriented alter contexts: total
- connection-oriented alter contexts
- * dce_smb.connection-oriented auth3s: total connection-oriented
- auth3s
- * dce_smb.connection-oriented bind acks: total connection-oriented
- binds acks
- * dce_smb.connection-oriented bind naks: total connection-oriented
- bind naks
- * dce_smb.connection-oriented binds: total connection-oriented
- binds
- * dce_smb.connection-oriented cancels: total connection-oriented
- cancels
- * dce_smb.connection-oriented client fragments reassembled: total
- connection-oriented client fragments reassembled
- * dce_smb.connection-oriented client maximum fragment size:
- connection-oriented client maximum fragment size
- * dce_smb.connection-oriented client minimum fragment size:
- connection-oriented client minimum fragment size
- * dce_smb.connection-oriented client segments reassembled: total
- connection-oriented client segments reassembled
- * dce_smb.connection-oriented faults: total connection-oriented
- faults
- * dce_smb.connection-oriented orphaned: total connection-oriented
- orphaned
- * dce_smb.connection-oriented other requests: total
- connection-oriented other requests
- * dce_smb.connection-oriented other responses: total
- connection-oriented other responses
- * dce_smb.connection-oriented rejects: total connection-oriented
- rejects
- * dce_smb.connection-oriented request fragments: total
- connection-oriented request fragments
- * dce_smb.connection-oriented requests: total connection-oriented
+ * dce_smb.Alter context responses: total connection-oriented alter
+ context responses
+ * dce_smb.Alter contexts: total connection-oriented alter contexts
+ * dce_smb.Auth3s: total connection-oriented auth3s
+ * dce_smb.Bind acks: total connection-oriented binds acks
+ * dce_smb.Bind naks: total connection-oriented bind naks
+ * dce_smb.Binds: total connection-oriented binds
+ * dce_smb.Cancels: total connection-oriented cancels
+ * dce_smb.Client frags reassembled: total connection-oriented
+ client fragments reassembled
+ * dce_smb.Client max fragment size: connection-oriented client
+ maximum fragment size
+ * dce_smb.Client min fragment size: connection-oriented client
+ minimum fragment size
+ * dce_smb.Client segs reassembled: total connection-oriented client
+ segments reassembled
+ * dce_smb.Client segs reassembled: total smb client segments
+ reassembled
+ * dce_smb.Faults: total connection-oriented faults
+ * dce_smb.Files processed: total smb files processed
+ * dce_smb.MS RPC/HTTP PDUs: total connection-oriented MS requests
+ to send RPC over HTTP
+ * dce_smb.Max outstanding requests: total smb maximum outstanding
requests
- * dce_smb.connection-oriented response fragments: total
- connection-oriented response fragments
- * dce_smb.connection-oriented responses: total connection-oriented
+ * dce_smb.Orphaned: total connection-oriented orphaned
+ * dce_smb.Other requests: total connection-oriented other requests
+ * dce_smb.Other responses: total connection-oriented other
responses
- * dce_smb.connection-oriented server fragments reassembled: total
- connection-oriented server fragments reassembled
- * dce_smb.connection-oriented server maximum fragment size:
- connection-oriented server maximum fragment size
- * dce_smb.connection-oriented server minimum fragment size:
- connection-oriented server minimum fragment size
- * dce_smb.connection-oriented server segments reassembled: total
- connection-oriented server segments reassembled
- * dce_smb.connection-oriented shutdowns: total connection-oriented
- shutdowns
+ * dce_smb.PDUs: total connection-oriented PDUs
+ * dce_smb.Packets: total smb packets
+ * dce_smb.Rejects: total connection-oriented rejects
+ * dce_smb.Request fragments: total connection-oriented request
+ fragments
+ * dce_smb.Requests: total connection-oriented requests
+ * dce_smb.Response fragments: total connection-oriented response
+ fragments
+ * dce_smb.Responses: total connection-oriented responses
+ * dce_smb.Server frags reassembled: total connection-oriented
+ server fragments reassembled
+ * dce_smb.Server max fragment size: connection-oriented server
+ maximum fragment size
+ * dce_smb.Server min fragment size: connection-oriented server
+ minimum fragment size
+ * dce_smb.Server segs reassembled: total connection-oriented server
+ segments reassembled
+ * dce_smb.Server segs reassembled: total smb server segments
+ reassembled
+ * dce_smb.Sessions: total smb sessions
+ * dce_smb.Shutdowns: total connection-oriented shutdowns
+ * dce_smb.aborted sessions: total aborted sessions
+ * dce_smb.bad autodetects: total bad autodetects
* dce_smb.events: total events
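Review bot: the dce_smb counter list now defines `Client segs reassembled` twice with different meanings (`total connection-oriented client segments reassembled` and `total smb client segments reassembled`), and `Server segs reassembled` likewise; two counters sharing one name within a module cannot be told apart in the stats output, so the SMB-layer pair needs a distinct name. Also `* dce_smb.Bind acks: total connection-oriented binds acks` carries the old 'binds acks' typo into the renamed entry.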
- * dce_smb.smb client segments reassembled: total smb client
+ * dce_tcp.Alter context responses: total connection-oriented alter
+ context responses
+ * dce_tcp.Alter contexts: total connection-oriented alter contexts
+ * dce_tcp.Auth3s: total connection-oriented auth3s
+ * dce_tcp.Bind acks: total connection-oriented binds acks
+ * dce_tcp.Bind naks: total connection-oriented bind naks
+ * dce_tcp.Binds: total connection-oriented binds
+ * dce_tcp.Cancels: total connection-oriented cancels
+ * dce_tcp.Client frags reassembled: total connection-oriented
+ client fragments reassembled
+ * dce_tcp.Client max fragment size: connection-oriented client
+ maximum fragment size
+ * dce_tcp.Client min fragment size: connection-oriented client
+ minimum fragment size
+ * dce_tcp.Client segs reassembled: total connection-oriented client
segments reassembled
- * dce_smb.smb files processed: total smb files processed
- * dce_smb.smb maximum outstanding requests: total smb maximum
- outstanding requests
- * dce_smb.smb packets: total smb packets
- * dce_smb.smb server segments reassembled: total smb server
+ * dce_tcp.Faults: total connection-oriented faults
+ * dce_tcp.MS RPC/HTTP PDUs: total connection-oriented MS requests
+ to send RPC over HTTP
+ * dce_tcp.Orphaned: total connection-oriented orphaned
+ * dce_tcp.Other requests: total connection-oriented other requests
+ * dce_tcp.Other responses: total connection-oriented other
+ responses
+ * dce_tcp.PDUs: total connection-oriented PDUs
+ * dce_tcp.Rejects: total connection-oriented rejects
+ * dce_tcp.Request fragments: total connection-oriented request
+ fragments
+ * dce_tcp.Requests: total connection-oriented requests
+ * dce_tcp.Response fragments: total connection-oriented response
+ fragments
+ * dce_tcp.Responses: total connection-oriented responses
+ * dce_tcp.Server frags reassembled: total connection-oriented
+ server fragments reassembled
+ * dce_tcp.Server max fragment size: connection-oriented server
+ maximum fragment size
+ * dce_tcp.Server min fragment size: connection-oriented server
+ minimum fragment size
+ * dce_tcp.Server segs reassembled: total connection-oriented server
segments reassembled
- * dce_smb.smb sessions: total smb sessions
+ * dce_tcp.Shutdowns: total connection-oriented shutdowns
* dce_tcp.aborted sessions: total aborted sessions
* dce_tcp.bad autodetects: total bad autodetects
- * dce_tcp.connection-oriented PDUs: total connection-oriented PDUs
- * dce_tcp.connection-oriented alter context responses: total
- connection-oriented alter context responses
- * dce_tcp.connection-oriented alter contexts: total
- connection-oriented alter contexts
- * dce_tcp.connection-oriented auth3s: total connection-oriented
- auth3s
- * dce_tcp.connection-oriented bind acks: total connection-oriented
- binds acks
- * dce_tcp.connection-oriented bind naks: total connection-oriented
- bind naks
- * dce_tcp.connection-oriented binds: total connection-oriented
- binds
- * dce_tcp.connection-oriented cancels: total connection-oriented
- cancels
- * dce_tcp.connection-oriented client fragments reassembled: total
- connection-oriented client fragments reassembled
- * dce_tcp.connection-oriented client maximum fragment size:
- connection-oriented client maximum fragment size
- * dce_tcp.connection-oriented client minimum fragment size:
- connection-oriented client minimum fragment size
- * dce_tcp.connection-oriented client segments reassembled: total
- connection-oriented client segments reassembled
- * dce_tcp.connection-oriented faults: total connection-oriented
- faults
- * dce_tcp.connection-oriented orphaned: total connection-oriented
- orphaned
- * dce_tcp.connection-oriented other requests: total
- connection-oriented other requests
- * dce_tcp.connection-oriented other responses: total
- connection-oriented other responses
- * dce_tcp.connection-oriented rejects: total connection-oriented
- rejects
- * dce_tcp.connection-oriented request fragments: total
- connection-oriented request fragments
- * dce_tcp.connection-oriented requests: total connection-oriented
- requests
- * dce_tcp.connection-oriented response fragments: total
- connection-oriented response fragments
- * dce_tcp.connection-oriented responses: total connection-oriented
- responses
- * dce_tcp.connection-oriented server fragments reassembled: total
- connection-oriented server fragments reassembled
- * dce_tcp.connection-oriented server maximum fragment size:
- connection-oriented server maximum fragment size
- * dce_tcp.connection-oriented server minimum fragment size:
- connection-oriented server minimum fragment size
- * dce_tcp.connection-oriented server segments reassembled: total
- connection-oriented server segments reassembled
- * dce_tcp.connection-oriented shutdowns: total connection-oriented
- shutdowns
* dce_tcp.events: total events
* dce_tcp.tcp packets: total tcp packets
* dce_tcp.tcp sessions: total tcp sessions
* dns.packets: total packets processed
* dns.requests: total dns requests
* dns.responses: total dns responses
- * dpx.packets: total packets
+ * file_connector.messages: total messages
+ * file_log.total events: total file events
* ftp_data.packets: total packets
* ftp_server.packets: total packets
* gtp_inspect.events: requests
* gtp_inspect.sessions: total sessions processed
* gtp_inspect.unknown infos: unknown information elements
* gtp_inspect.unknown types: unknown message types
- * http_global.compressed bytes: total comparessed bytes processed
- * http_global.decompressed bytes: total bytes decompressed
- * http_global.double unicode: double unicode normalizations
- * http_global.gets: GET requests
- * http_global.gzip packets: packets with gzip compression
- * http_global.non-ascii: non-ascii normalizations
- * http_global.packets: total packets processed
- * http_global.paths with ../: directory traversal normalizations
- * http_global.paths with ./: relative directory normalizations
- * http_global.paths with //: double slash normalizations
- * http_global.post params: POST parameters extracted
- * http_global.posts: POST requests
- * http_global.request cookies: requests with Cookie
- * http_global.request headers: total requests
- * http_global.response cookies: responses with Set-Cookie
- * http_global.response headers: total responses
- * http_global.unicode: unicode normalizations
+ * host_cache.lru cache adds: lru cache added new entry
+ * host_cache.lru cache clears: lru cache clear API calls
+ * host_cache.lru cache find hits: lru cache found entry in cache
+ * host_cache.lru cache find misses: lru cache did not find entry in
+ cache
+ * host_cache.lru cache prunes: lru cache pruned entry to make space
+ for new entry
+ * host_cache.lru cache removes: lru cache found entry and removed
+ it
+ * host_cache.lru cache replaces: lru cache replaced existing entry
+ * host_tracker.service adds: host service adds
+ * host_tracker.service finds: host service finds
+ * host_tracker.service removes: host service removes
+ * http_inspect.CONNECT requests: CONNECT requests inspected
+ * http_inspect.DELETE requests: DELETE requests inspected
+ * http_inspect.GET requests: GET requests inspected
+ * http_inspect.HEAD requests: HEAD requests inspected
+ * http_inspect.OPTIONS requests: OPTIONS requests inspected
+ * http_inspect.POST requests: POST requests inspected
+ * http_inspect.PUT requests: PUT requests inspected
+ * http_inspect.TRACE requests: TRACE requests inspected
+ * http_inspect.URI coding: URIs with character coding problems
+ * http_inspect.URI normalizations: URIs needing to be normalization
+ * http_inspect.URI path: URIs with path problems
+ * http_inspect.chunked: chunked message bodies
+ * http_inspect.flows: HTTP connections inspected
+ * http_inspect.inspections: total message sections inspected
+ * http_inspect.other requests: other request methods inspected
+ * http_inspect.reassembles: TCP segments combined into HTTP
+ messages
+ * http_inspect.request bodies: POST, PUT, and other requests with
+ message bodies
+ * http_inspect.requests: HTTP request messages inspected
+ * http_inspect.responses: HTTP response messages inspected
+ * http_inspect.scans: TCP segments scanned looking for HTTP
+ messages
* icmp4.bad checksum: non-zero icmp checksums
* icmp6.bad checksum (ip4): nonzero ipcm4 checksums
* icmp6.bad checksum (ip6): nonzero ipcm6 checksums
* imap.uu attachments: total uu attachments decoded
* imap.uu decoded bytes: total uu decoded bytes
* ipv4.bad checksum: nonzero ip checksums
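Review bot: `* http_inspect.URI normalizations: URIs needing to be normalization` is ungrammatical; 'URIs needing normalization' says what is counted. Note also that the removed http_global counters `paths with ../`, `paths with ./` and `paths with //` have only the coarser `http_inspect.URI path: URIs with path problems` as a successor, so per-normalization traversal counts are no longer available from this list; if that is intended, say so.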
+ * latency.packet_timeouts: packets that timed out
+ * latency.rule_eval_timeouts: rule evals that timed out
+ * latency.rule_tree_enables: rule tree re-enables
+ * latency.total_packets: total packets monitored
+ * latency.total_rule_evals: total rule evals monitored
* modbus.frames: total Modbus messages
* modbus.sessions: total sessions processed
* mpls.total bytes: total mpls labeled bytes processed
* normalizer.test tcp ts nop: test timestamp options cleared
* normalizer.test tcp urgent ptr: test packets without data with
urgent pointer cleared
+ * packet_capture.captured: packets matching dumped after matching
+ filter
+ * packet_capture.processed: packets processed against filter
* perf_monitor.packets: total packets
* pop.b64 attachments: total base64 attachments decoded
* pop.b64 decoded bytes: total base64 decoded bytes
* reputation.packets: total packets processed
* reputation.whitelisted: number of packets whitelisted
* rpc_decode.packets: total packets
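Review bot: `* packet_capture.captured: packets matching dumped after matching filter` is garbled; 'packets dumped after matching the filter' states what the counter counts and pairs cleanly with `packet_capture.processed`.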
+ * sd_pattern.below threshold: sd_pattern matched but missed
+ threshold
+ * sd_pattern.pattern not found: sd_pattern did not not match
+ * sd_pattern.terminated: hyperscan terminated
+ * search_engine.max queued: maximum fast pattern matches queued for
+ further evaluation
+ * search_engine.non-qualified events: total non-qualified events
+ * search_engine.qualified events: total qualified events
+ * search_engine.total flushed: fast pattern matches discarded due
+ to overflow
+ * search_engine.total inserts: total fast pattern hits
+ * search_engine.total unique: total unique fast pattern hits
* sip.1xx: 1xx
* sip.2xx: 2xx
* sip.3xx: 3xx
* ssl.server key exchange: total server key exchanges
* ssl.sessions ignored: total sessions ignore
* ssl.unrecognized records: total unrecognized records
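Review bot: `* sd_pattern.pattern not found: sd_pattern did not not match` has a doubled 'not'.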
+ * stream.file excess prunes: file sessions pruned due to excess
* stream.file flows: total file sessions
- * stream.file prunes: file sessions pruned
+ * stream.file memcap prunes: file sessions pruned due to memcap
+ * stream.file preemptive prunes: file sessions pruned during
+ preemptive pruning
+ * stream.file timeout prunes: file sessions pruned due to timeout
+ * stream.file total prunes: total file sessions pruned
+ * stream.file uni prunes: file uni sessions pruned
+ * stream.file user prunes: file sessions pruned for other reasons
+ * stream.icmp excess prunes: icmp sessions pruned due to excess
* stream.icmp flows: total icmp sessions
- * stream.icmp prunes: icmp sessions pruned
+ * stream.icmp memcap prunes: icmp sessions pruned due to memcap
+ * stream.icmp preemptive prunes: icmp sessions pruned during
+ preemptive pruning
+ * stream.icmp timeout prunes: icmp sessions pruned due to timeout
+ * stream.icmp total prunes: total icmp sessions pruned
+ * stream.icmp uni prunes: icmp uni sessions pruned
+ * stream.icmp user prunes: icmp sessions pruned for other reasons
+ * stream.ip excess prunes: ip sessions pruned due to excess
* stream.ip flows: total ip sessions
- * stream.ip prunes: ip sessions pruned
+ * stream.ip memcap prunes: ip sessions pruned due to memcap
+ * stream.ip preemptive prunes: ip sessions pruned during preemptive
+ pruning
+ * stream.ip timeout prunes: ip sessions pruned due to timeout
+ * stream.ip total prunes: total ip sessions pruned
+ * stream.ip uni prunes: ip uni sessions pruned
+ * stream.ip user prunes: ip sessions pruned for other reasons
+ * stream.tcp excess prunes: tcp sessions pruned due to excess
* stream.tcp flows: total tcp sessions
- * stream.tcp prunes: tcp sessions pruned
+ * stream.tcp memcap prunes: tcp sessions pruned due to memcap
+ * stream.tcp preemptive prunes: tcp sessions pruned during
+ preemptive pruning
+ * stream.tcp timeout prunes: tcp sessions pruned due to timeout
+ * stream.tcp total prunes: total tcp sessions pruned
+ * stream.tcp uni prunes: tcp uni sessions pruned
+ * stream.tcp user prunes: tcp sessions pruned for other reasons
+ * stream.udp excess prunes: udp sessions pruned due to excess
* stream.udp flows: total udp sessions
- * stream.udp prunes: udp sessions pruned
+ * stream.udp memcap prunes: udp sessions pruned due to memcap
+ * stream.udp preemptive prunes: udp sessions pruned during
+ preemptive pruning
+ * stream.udp timeout prunes: udp sessions pruned due to timeout
+ * stream.udp total prunes: total udp sessions pruned
+ * stream.udp uni prunes: udp uni sessions pruned
+ * stream.udp user prunes: udp sessions pruned for other reasons
+ * stream.user excess prunes: user sessions pruned due to excess
* stream.user flows: total user sessions
- * stream.user prunes: user sessions pruned
+ * stream.user memcap prunes: user sessions pruned due to memcap
+ * stream.user preemptive prunes: user sessions pruned during
+ preemptive pruning
+ * stream.user timeout prunes: user sessions pruned due to timeout
+ * stream.user total prunes: total user sessions pruned
+ * stream.user uni prunes: user uni sessions pruned
+ * stream.user user prunes: user sessions pruned for other reasons
* stream_icmp.created: icmp session trackers created
* stream_icmp.max: max icmp sessions
* stream_icmp.prunes: icmp session prunes
* stream_ip.fragmented bytes: total fragmented bytes
* stream_ip.max frags: max fragments
* stream_ip.max: max ip sessions
- * stream_ip.memory faults: memory faults
* stream_ip.memory used: current memory usage in bytes
* stream_ip.nodes deleted: fragments deleted from tracker
* stream_ip.nodes inserted: fragments added to tracker
* stream_tcp.discards: tcp packets discarded
* stream_tcp.established: number of sessions currently established
* stream_tcp.events: events generated
- * stream_tcp.faults: number of times a new segment triggered a
- prune
* stream_tcp.gaps: missing data between PDUs
* stream_tcp.ignored: tcp packets ignored
* stream_tcp.initializing: number of sessions currently
* 116: arp
* 116: auth
* 116: decode
- * 116: eapol
* 116: erspan2
* 116: erspan3
* 116: esp
* 116: pgm
* 116: pppoe
* 116: tcp
- * 116: token_ring
* 116: udp
* 116: vlan
- * 116: wlan
- * 119: http_global
- * 120: http_inspect
+ * 119: http_inspect
* 122: port_scan
* 123: stream_ip
* 124: smtp
* 128: ssh
* 129: stream_tcp
* 131: dns
- * 134: ppm
+ * 133: dce_smb
+ * 133: dce_tcp
+ * 134: latency
* 136: reputation
* 137: ssl
* 140: sip
* 142: pop
* 143: gtp_inspect
* 144: modbus
- * 145: dce_smb
- * 145: dce_tcp
* 145: dnp3
- * 219: new_http_inspect
- * 256: dpx
16.12. Builtin Rules
* 116:106 (icmp4) ICMP timestamp header truncated
* 116:107 (icmp4) ICMP address header truncated
* 116:109 (arp) truncated ARP
- * 116:110 (eapol) truncated EAP header
- * 116:111 (eapol) EAP key truncated
- * 116:112 (eapol) EAP header truncated
* 116:120 (pppoe) bad PPPOE frame detected
* 116:130 (vlan) bad VLAN frame
* 116:131 (vlan) bad LLC header
* 116:132 (vlan) bad extra LLC info
- * 116:133 (wlan) bad 802.11 LLC header
- * 116:134 (wlan) bad 802.11 extra LLC info
- * 116:140 (token_ring) (token_ring) Bad Token Ring Header
- * 116:141 (token_ring) (token_ring) Bad Token Ring ETHLLC Header
- * 116:142 (token_ring) (token_ring) Bad Token Ring MRLENHeader
- * 116:143 (token_ring) (token_ring) Bad Token Ring MR Header
* 116:150 (decode) bad traffic loopback IP
* 116:151 (decode) bad traffic same src/dst IP
* 116:160 (gre) GRE header length > payload length
* 116:466 (auth) bad authentication header length
* 116:467 (fabricpath) truncated FabricPath header
* 116:468 (decode) too many protocols present
- * 119:1 (http_global) ascii encoding
- * 119:2 (http_global) double decoding attack
- * 119:3 (http_global) u encoding
- * 119:4 (http_global) bare byte unicode encoding
- * 119:5 (http_global) base36 encoding
- * 119:6 (http_global) UTF-8 encoding
- * 119:7 (http_global) IIS unicode codepoint encoding
- * 119:8 (http_global) multi_slash encoding
- * 119:9 (http_global) IIS backslash evasion
- * 119:10 (http_global) self directory traversal
- * 119:11 (http_global) directory traversal
- * 119:12 (http_global) apache whitespace (tab)
- * 119:13 (http_global) non-RFC http delimiter
- * 119:14 (http_global) non-RFC defined char
- * 119:15 (http_global) oversize request-URI directory
- * 119:16 (http_global) oversize chunk encoding
- * 119:17 (http_global) unauthorized proxy use detected
- * 119:18 (http_global) webroot directory traversal
- * 119:19 (http_global) long header
- * 119:20 (http_global) max header fields
- * 119:21 (http_global) multiple content length
- * 119:22 (http_global) chunk size mismatch detected
- * 119:23 (http_global) invalid ip in true-client-IP/XFF header
- * 119:24 (http_global) multiple host hdrs detected
- * 119:25 (http_global) hostname exceeds 255 characters
- * 119:26 (http_global) header parsing space saturation
- * 119:27 (http_global) client consecutive small chunk sizes
- * 119:28 (http_global) post w/o content-length or chunks
- * 119:29 (http_global) multiple true IPs in a session
- * 119:30 (http_global) both true-client-IP and XFF hdrs present
- * 119:31 (http_global) unknown method
- * 119:32 (http_global) simple request
- * 119:33 (http_global) unescaped space in http URI
- * 119:34 (http_global) too many pipelined requests
- * 120:1 (http_inspect) anomalous http server on undefined HTTP port
- * 120:2 (http_inspect) invalid status code in HTTP response
- * 120:3 (http_inspect) no content-length or transfer-encoding in
+ * 119:1 (http_inspect) ascii encoding
+ * 119:2 (http_inspect) double decoding attack
+ * 119:3 (http_inspect) u encoding
+ * 119:4 (http_inspect) bare byte unicode encoding
+ * 119:5 (http_inspect) obsolete event—should not appear
+ * 119:6 (http_inspect) UTF-8 encoding
+ * 119:7 (http_inspect) IIS unicode codepoint encoding
+ * 119:8 (http_inspect) multi_slash encoding
+ * 119:9 (http_inspect) IIS backslash evasion
+ * 119:10 (http_inspect) self directory traversal
+ * 119:11 (http_inspect) directory traversal
+ * 119:12 (http_inspect) apache whitespace (tab)
+ * 119:13 (http_inspect) non-RFC http delimiter
+ * 119:14 (http_inspect) non-RFC defined char
+ * 119:15 (http_inspect) oversize request-uri directory
+ * 119:16 (http_inspect) oversize chunk encoding
+ * 119:17 (http_inspect) unauthorized proxy use detected
+ * 119:18 (http_inspect) webroot directory traversal
+ * 119:19 (http_inspect) long header
+ * 119:20 (http_inspect) max header fields
+ * 119:21 (http_inspect) multiple content length
+ * 119:22 (http_inspect) chunk size mismatch detected
+ * 119:23 (http_inspect) invalid IP in true-client-IP/XFF header
+ * 119:24 (http_inspect) multiple host hdrs detected
+ * 119:25 (http_inspect) hostname exceeds 255 characters
+ * 119:26 (http_inspect) header parsing space saturation
+ * 119:27 (http_inspect) client consecutive small chunk sizes
+ * 119:28 (http_inspect) post w/o content-length or chunks
+ * 119:29 (http_inspect) multiple true ips in a session
+ * 119:30 (http_inspect) both true-client-IP and XFF hdrs present
+ * 119:31 (http_inspect) unknown method
+ * 119:32 (http_inspect) simple request
+ * 119:33 (http_inspect) unescaped space in HTTP URI
+ * 119:34 (http_inspect) too many pipelined requests
+ * 119:35 (http_inspect) anomalous http server on undefined HTTP
+ port
+ * 119:36 (http_inspect) invalid status code in HTTP response
+ * 119:37 (http_inspect) no content-length or transfer-encoding in
HTTP response
- * 120:4 (http_inspect) HTTP response has UTF charset which failed
+ * 119:38 (http_inspect) HTTP response has UTF charset which failed
to normalize
- * 120:5 (http_inspect) HTTP response has UTF-7 charset
- * 120:6 (http_inspect) HTTP response gzip decompression failed
- * 120:7 (http_inspect) server consecutive small chunk sizes
- * 120:8 (http_inspect) invalid content-length or chunk size
- * 120:9 (http_inspect) javascript obfuscation levels exceeds 1
- * 120:10 (http_inspect) javascript whitespaces exceeds max allowed
- * 120:11 (http_inspect) multiple encodings within javascript
+ * 119:39 (http_inspect) HTTP response has UTF-7 charset
+ * 119:40 (http_inspect) HTTP response gzip decompression failed
+ * 119:41 (http_inspect) server consecutive small chunk sizes
+ * 119:42 (http_inspect) invalid content-length or chunk size
+ * 119:43 (http_inspect) javascript obfuscation levels exceeds 1
+ * 119:44 (http_inspect) javascript whitespaces exceeds max allowed
+ * 119:45 (http_inspect) multiple encodings within javascript
obfuscated data
- * 120:12 (http_inspect) HTTP response SWF file zlib decompression
- failure
- * 120:13 (http_inspect) HTTP response SWF file LZMA decompression
- failure
- * 120:14 (http_inspect) HTTP response PDF file deflate
- decompression failure
- * 120:15 (http_inspect) HTTP response PDF file unsupported
- compression type
- * 120:16 (http_inspect) HTTP response PDF file cascaded compression
- * 120:17 (http_inspect) HTTP response PDF file parse failure
+ * 119:46 (http_inspect) SWF file zlib decompression failure
+ * 119:47 (http_inspect) SWF file LZMA decompression failure
+ * 119:48 (http_inspect) PDF file deflate decompression failure
+ * 119:49 (http_inspect) PDF file unsupported compression type
+ * 119:50 (http_inspect) PDF file cascaded compression
+ * 119:51 (http_inspect) PDF file parse failure
+ * 119:52 (http_inspect) Not HTTP traffic
+ * 119:53 (http_inspect) Chunk length has excessive leading zeros
+ * 119:54 (http_inspect) White space before or between messages
+ * 119:55 (http_inspect) Request message without URI
+ * 119:56 (http_inspect) Control character in reason phrase
+ * 119:57 (http_inspect) Illegal extra whitespace in start line
+ * 119:58 (http_inspect) Corrupted HTTP version
+ * 119:59 (http_inspect) Unknown HTTP version
+ * 119:60 (http_inspect) Format error in HTTP header
+ * 119:61 (http_inspect) Chunk header options present
+ * 119:62 (http_inspect) URI badly formatted
+ * 119:63 (http_inspect) Unrecognized type of percent encoding in
+ URI
+ * 119:64 (http_inspect) HTTP chunk misformatted
+ * 119:65 (http_inspect) White space following chunk length
+ * 119:67 (http_inspect) Excessive gzip compression
+ * 119:68 (http_inspect) Gzip decompression failed
+ * 119:69 (http_inspect) HTTP 0.9 requested followed by another
+ request
+ * 119:70 (http_inspect) HTTP 0.9 request following a normal request
+ * 119:71 (http_inspect) Message has both Content-Length and
+ Transfer-Encoding
+ * 119:72 (http_inspect) Status code implying no body combined with
+ Transfer-Encoding or nonzero Content-Length
+ * 119:73 (http_inspect) Transfer-Encoding did not end with chunked
+ * 119:74 (http_inspect) Transfer-Encoding with chunked not at end
+ * 119:75 (http_inspect) Misformatted HTTP traffic
* 122:1 (port_scan) TCP portscan
* 122:2 (port_scan) TCP decoy portscan
* 122:3 (port_scan) TCP portsweep
* 124:6 (smtp) Illegal command
* 124:7 (smtp) Attempted header name buffer overflow
* 124:8 (smtp) Attempted X-Link2State command buffer overflow
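Review bot: renumbering the former 120:x http_inspect events into 119:35 through 119:51 (for example `* 120:1 (http_inspect) anomalous http server on undefined HTTP port` becomes `* 119:35 (http_inspect) anomalous http server on undefined HTTP port`) changes the gid:sid of existing events, so any threshold, suppression or SIEM correlation keyed on 120:x silently stops matching; the change log should flag this as a breaking change. The new sequence also jumps from `119:65` to `119:67` with no 119:66 entry, and `* 119:5 (http_inspect) obsolete event—should not appear` documents a placeholder; confirm 119:66 is deliberately reserved rather than an entry lost from the list.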
- * 124:10 (smtp) Base64 Decoding failed.
- * 124:11 (smtp) Quoted-Printable Decoding failed.
- * 124:13 (smtp) Unix-to-Unix Decoding failed.
- * 124:14 (smtp) Cyrus SASL authentication attack.
+ * 124:10 (smtp) Base64 Decoding failed
+ * 124:11 (smtp) Quoted-Printable Decoding failed
+ * 124:13 (smtp) Unix-to-Unix Decoding failed
+ * 124:14 (smtp) Cyrus SASL authentication attack
+ * 124:15 (smtp) Attempted authentication command buffer overflow
* 125:1 (ftp_server) TELNET cmd on FTP command channel
* 125:2 (ftp_server) invalid FTP command
* 125:3 (ftp_server) FTP command parameters were too long
* 131:1 (dns) Obsolete DNS RR Types
* 131:2 (dns) Experimental DNS RR Types
* 131:3 (dns) DNS Client rdata txt Overflow
- * 134:1 (ppm) rule options disabled by rule latency
- * 134:2 (ppm) rule options re-enabled by rule latency
- * 134:3 (ppm) packet aborted due to latency
+ * 133:2 (dce_smb) SMB - Bad NetBIOS Session Service session type.
+ * 133:3 (dce_smb) SMB - Bad SMB message type.
+ * 133:4 (dce_smb) SMB - Bad SMB Id (not \xffSMB for SMB1 or not \
+ xfeSMB for SMB2).
+ * 133:5 (dce_smb) SMB - Bad word count or structure size.
+ * 133:6 (dce_smb) SMB - Bad byte count.
+ * 133:7 (dce_smb) SMB - Bad format type.
+ * 133:8 (dce_smb) SMB - Bad offset.
+ * 133:9 (dce_smb) SMB - Zero total data count.
+ * 133:10 (dce_smb) SMB - NetBIOS data length less than SMB header
+ length.
+ * 133:12 (dce_smb) SMB - Remaining NetBIOS data length less than
+ command byte count.
+ * 133:13 (dce_smb) SMB - Remaining NetBIOS data length less than
+ command data size.
+ * 133:14 (dce_smb) SMB - Remaining total data count less than this
+ command data size.
+ * 133:15 (dce_smb) SMB - Total data sent (STDu64) greater than
+ command total data expected.
+ * 133:16 (dce_smb) SMB - Byte count less than command data size
+ (STDu64)
+ * 133:17 (dce_smb) SMB - Invalid command data size for byte count.
+ * 133:18 (dce_smb) SMB - Excessive Tree Connect requests with
+ pending Tree Connect responses.
+ * 133:19 (dce_smb) SMB - Excessive Read requests with pending Read
+ responses.
+ * 133:20 (dce_smb) SMB - Excessive command chaining.
+ * 133:21 (dce_smb) SMB - Multiple chained tree connect requests.
+ * 133:22 (dce_smb) SMB - Multiple chained tree connect requests.
+ * 133:23 (dce_smb) SMB - Chained/Compounded login followed by
+ logoff.
+ * 133:24 (dce_smb) SMB - Chained/Compounded tree connect followed
+ by tree disconnect.
+ * 133:25 (dce_smb) SMB - Chained/Compounded open pipe followed by
+ close pipe.
+ * 133:26 (dce_smb) SMB - Invalid share access.
+ * 133:27 (dce_smb) Connection oriented DCE/RPC - Invalid major
+ version.
+ * 133:27 (dce_tcp) Connection oriented DCE/RPC - Invalid major
+ version.
+ * 133:28 (dce_smb) Connection oriented DCE/RPC - Invalid minor
+ version.
+ * 133:28 (dce_tcp) Connection oriented DCE/RPC - Invalid minor
+ version.
+ * 133:29 (dce_smb) Connection-oriented DCE/RPC - Invalid pdu type.
+ * 133:29 (dce_tcp) Connection-oriented DCE/RPC - Invalid pdu type.
+ * 133:30 (dce_smb) Connection-oriented DCE/RPC - Fragment length
+ less than header size.
+ * 133:30 (dce_tcp) Connection-oriented DCE/RPC - Fragment length
+ less than header size.
+ * 133:32 (dce_smb) Connection-oriented DCE/RPC - No context items
+ specified.
+ * 133:32 (dce_tcp) Connection-oriented DCE/RPC - No context items
+ specified.
+ * 133:33 (dce_smb) Connection-oriented DCE/RPC -No transfer
+ syntaxes specified.
+ * 133:33 (dce_tcp) Connection-oriented DCE/RPC -No transfer
+ syntaxes specified.
+ * 133:34 (dce_smb) Connection-oriented DCE/RPC - Fragment length on
+ non-last fragment less than maximum negotiated fragment transmit
+ size for client.
+ * 133:34 (dce_tcp) Connection-oriented DCE/RPC - Fragment length on
+ non-last fragment less than maximum negotiated fragment transmit
+ size for client.
+ * 133:35 (dce_smb) Connection-oriented DCE/RPC - Fragment length
+ greater than maximum negotiated fragment transmit size.
+ * 133:35 (dce_tcp) Connection-oriented DCE/RPC - Fragment length
+ greater than maximum negotiated fragment transmit size.
+ * 133:36 (dce_smb) Connection-oriented DCE/RPC - Alter Context byte
+ order different from Bind
+ * 133:36 (dce_tcp) Connection-oriented DCE/RPC - Alter Context byte
+ order different from Bind
+ * 133:37 (dce_smb) Connection-oriented DCE/RPC - Call id of non
+ first/last fragment different from call id established for
+ fragmented request.
+ * 133:37 (dce_tcp) Connection-oriented DCE/RPC - Call id of non
+ first/last fragment different from call id established for
+ fragmented request.
+ * 133:38 (dce_smb) Connection-oriented DCE/RPC - Opnum of non first
+ /last fragment different from opnum established for fragmented
+ request.
+ * 133:38 (dce_tcp) Connection-oriented DCE/RPC - Opnum of non first
+ /last fragment different from opnum established for fragmented
+ request.
+ * 133:39 (dce_smb) Connection-oriented DCE/RPC - Context id of non
+ first/last fragment different from context id established for
+ fragmented request.
+ * 133:39 (dce_tcp) Connection-oriented DCE/RPC - Context id of non
+ first/last fragment different from context id established for
+ fragmented request.
+ * 133:44 (dce_smb) SMB - Invalid SMB version 1 seen.
+ * 133:45 (dce_smb) SMB - Invalid SMB version 2 seen.
+ * 133:46 (dce_smb) SMB - Invalid user, tree connect, file binding.
+ * 133:47 (dce_smb) SMB - Excessive command compounding.
+ * 133:48 (dce_smb) SMB - Zero data count.
+ * 133:50 (dce_smb) SMB - Maximum number of outstanding requests
+ exceeded.
+ * 133:51 (dce_smb) SMB - Outstanding requests with same MID.
+ * 133:52 (dce_smb) SMB - Deprecated dialect negotiated.
+ * 133:53 (dce_smb) SMB - Deprecated command used.
+ * 133:54 (dce_smb) SMB - Unusual command used.
+ * 133:55 (dce_smb) SMB - Invalid setup count for command.
+ * 133:56 (dce_smb) SMB - Client attempted multiple dialect
+ negotiations on session.
+ * 133:57 (dce_smb) SMB - Client attempted to create or set a file’s
+ attributes to readonly/hidden/system.
+ * 134:1 (latency) rule tree suspended due to latency
+ * 134:2 (latency) rule tree re-enabled after suspend timeout
+ * 134:3 (latency) packet fastpathed due to latency
* 136:1 (reputation) packets blacklisted
* 136:2 (reputation) Packets whitelisted
* 136:3 (reputation) Packets monitored
* 144:2 (modbus) Modbus protocol ID is non-zero
* 144:3 (modbus) Reserved Modbus function code in use
* 145:1 (dnp3) DNP3 Link-Layer Frame contains bad CRC.
- * 145:2 (dce_smb) SMB - Bad NetBIOS Session Service session type.
* 145:2 (dnp3) DNP3 Link-Layer Frame was dropped.
- * 145:3 (dce_smb) SMB - Bad SMB message type.
* 145:3 (dnp3) DNP3 Transport-Layer Segment was dropped during
reassembly.
- * 145:4 (dce_smb) SMB - Bad SMB Id (not \xffSMB for SMB1 or not \
- xfeSMB for SMB2).
* 145:4 (dnp3) DNP3 Reassembly Buffer was cleared without
reassembling a complete message.
- * 145:5 (dce_smb) SMB - Bad word count or structure size.
* 145:5 (dnp3) DNP3 Link-Layer Frame uses a reserved address.
- * 145:6 (dce_smb) SMB - Bad byte count.
* 145:6 (dnp3) DNP3 Application-Layer Fragment uses a reserved
function code.
- * 145:7 (dce_smb) SMB - Bad format type.
- * 145:8 (dce_smb) SMB - Bad offset.
- * 145:9 (dce_smb) SMB - Zero total data count.
- * 145:10 (dce_smb) SMB - NetBIOS data length less than SMB header
- length.
- * 145:12 (dce_smb) SMB - Remaining NetBIOS data length less than
- command byte count.
- * 145:13 (dce_smb) SMB - Remaining NetBIOS data length less than
- command data size.
- * 145:14 (dce_smb) SMB - Remaining total data count less than this
- command data size.
- * 145:15 (dce_smb) SMB - Total data sent (STDu64) greater than
- command total data expected.
- * 145:16 (dce_smb) SMB - Byte count less than command data size
- (STDu64)
- * 145:17 (dce_smb) SMB - Invalid command data size for byte count.
- * 145:18 (dce_smb) SMB - Excessive Tree Connect requests with
- pending Tree Connect responses.
- * 145:19 (dce_smb) SMB - Excessive Read requests with pending Read
- responses.
- * 145:20 (dce_smb) SMB - Excessive command chaining.
- * 145:21 (dce_smb) SMB - Multiple chained tree connect requests.
- * 145:22 (dce_smb) SMB - Multiple chained tree connect requests.
- * 145:23 (dce_smb) SMB - Chained/Compounded login followed by
- logoff.
- * 145:24 (dce_smb) SMB - Chained/Compounded tree connect followed
- by tree disconnect.
- * 145:25 (dce_smb) SMB - Chained/Compounded open pipe followed by
- close pipe.
- * 145:26 (dce_smb) SMB - Invalid share access.
- * 145:27 (dce_smb) Connection oriented DCE/RPC - Invalid major
- version.
- * 145:27 (dce_tcp) Connection oriented DCE/RPC - Invalid major
- version.
- * 145:28 (dce_smb) Connection oriented DCE/RPC - Invalid minor
- version.
- * 145:28 (dce_tcp) Connection oriented DCE/RPC - Invalid minor
- version.
- * 145:29 (dce_smb) Connection-oriented DCE/RPC - Invalid pdu type.
- * 145:29 (dce_tcp) Connection-oriented DCE/RPC - Invalid pdu type.
- * 145:30 (dce_smb) Connection-oriented DCE/RPC - Fragment length
- less than header size.
- * 145:30 (dce_tcp) Connection-oriented DCE/RPC - Fragment length
- less than header size.
- * 145:32 (dce_smb) Connection-oriented DCE/RPC - No context items
- specified.
- * 145:32 (dce_tcp) Connection-oriented DCE/RPC - No context items
- specified.
- * 145:33 (dce_smb) Connection-oriented DCE/RPC -No transfer
- syntaxes specified.
- * 145:33 (dce_tcp) Connection-oriented DCE/RPC -No transfer
- syntaxes specified.
- * 145:34 (dce_smb) Connection-oriented DCE/RPC - Fragment length on
- non-last fragment less than maximum negotiated fragment transmit
- size for client.
- * 145:34 (dce_tcp) Connection-oriented DCE/RPC - Fragment length on
- non-last fragment less than maximum negotiated fragment transmit
- size for client.
- * 145:35 (dce_smb) Connection-oriented DCE/RPC - Fragment length
- greater than maximum negotiated fragment transmit size.
- * 145:35 (dce_tcp) Connection-oriented DCE/RPC - Fragment length
- greater than maximum negotiated fragment transmit size.
- * 145:36 (dce_smb) Connection-oriented DCE/RPC - Alter Context byte
- order different from Bind
- * 145:36 (dce_tcp) Connection-oriented DCE/RPC - Alter Context byte
- order different from Bind
- * 145:37 (dce_smb) Connection-oriented DCE/RPC - Call id of non
- first/last fragment different from call id established for
- fragmented request.
- * 145:37 (dce_tcp) Connection-oriented DCE/RPC - Call id of non
- first/last fragment different from call id established for
- fragmented request.
- * 145:38 (dce_smb) Connection-oriented DCE/RPC - Opnum of non first
- /last fragment different from opnum established for fragmented
- request.
- * 145:38 (dce_tcp) Connection-oriented DCE/RPC - Opnum of non first
- /last fragment different from opnum established for fragmented
- request.
- * 145:39 (dce_smb) Connection-oriented DCE/RPC - Context id of non
- first/last fragment different from context id established for
- fragmented request.
- * 145:39 (dce_tcp) Connection-oriented DCE/RPC - Context id of non
- first/last fragment different from context id established for
- fragmented request.
- * 145:44 (dce_smb) SMB - Invalid SMB version 1 seen.
- * 145:45 (dce_smb) SMB - Invalid SMB version 2 seen.
- * 145:46 (dce_smb) SMB - Invalid user, tree connect, file binding.
- * 145:47 (dce_smb) SMB - Excessive command compounding.
- * 145:48 (dce_smb) SMB - Zero data count.
- * 145:50 (dce_smb) SMB - Maximum number of outstanding requests
- exceeded.
- * 145:51 (dce_smb) SMB - Outstanding requests with same MID.
- * 145:52 (dce_smb) SMB - Deprecated dialect negotiated.
- * 145:53 (dce_smb) SMB - Deprecated command used.
- * 145:54 (dce_smb) SMB - Unusual command used.
- * 145:55 (dce_smb) SMB - Invalid setup count for command.
- * 145:56 (dce_smb) SMB - Client attempted multiple dialect
- negotiations on session.
- * 145:57 (dce_smb) SMB - Client attempted to create or set a file’s
- attributes to readonly/hidden/system.
- * 219:1 (new_http_inspect) ascii encoding
- * 219:2 (new_http_inspect) double decoding attack
- * 219:3 (new_http_inspect) u encoding
- * 219:4 (new_http_inspect) bare byte unicode encoding
- * 219:5 (new_http_inspect) obsolete event—should not appear
- * 219:6 (new_http_inspect) UTF-8 encoding
- * 219:7 (new_http_inspect) IIS unicode codepoint encoding
- * 219:8 (new_http_inspect) multi_slash encoding
- * 219:9 (new_http_inspect) IIS backslash evasion
- * 219:10 (new_http_inspect) self directory traversal
- * 219:11 (new_http_inspect) directory traversal
- * 219:12 (new_http_inspect) apache whitespace (tab)
- * 219:13 (new_http_inspect) non-RFC http delimiter
- * 219:14 (new_http_inspect) non-RFC defined char
- * 219:15 (new_http_inspect) oversize request-uri directory
- * 219:16 (new_http_inspect) oversize chunk encoding
- * 219:17 (new_http_inspect) unauthorized proxy use detected
- * 219:18 (new_http_inspect) webroot directory traversal
- * 219:19 (new_http_inspect) long header
- * 219:20 (new_http_inspect) max header fields
- * 219:21 (new_http_inspect) multiple content length
- * 219:22 (new_http_inspect) chunk size mismatch detected
- * 219:23 (new_http_inspect) invalid IP in true-client-IP/XFF header
- * 219:24 (new_http_inspect) multiple host hdrs detected
- * 219:25 (new_http_inspect) hostname exceeds 255 characters
- * 219:26 (new_http_inspect) header parsing space saturation
- * 219:27 (new_http_inspect) client consecutive small chunk sizes
- * 219:28 (new_http_inspect) post w/o content-length or chunks
- * 219:29 (new_http_inspect) multiple true ips in a session
- * 219:30 (new_http_inspect) both true-client-IP and XFF hdrs
- present
- * 219:31 (new_http_inspect) unknown method
- * 219:32 (new_http_inspect) simple request
- * 219:33 (new_http_inspect) unescaped space in HTTP URI
- * 219:34 (new_http_inspect) too many pipelined requests
- * 219:35 (new_http_inspect) anomalous http server on undefined HTTP
- port
- * 219:36 (new_http_inspect) invalid status code in HTTP response
- * 219:37 (new_http_inspect) no content-length or transfer-encoding
- in HTTP response
- * 219:38 (new_http_inspect) HTTP response has UTF charset which
- failed to normalize
- * 219:39 (new_http_inspect) HTTP response has UTF-7 charset
- * 219:40 (new_http_inspect) HTTP response gzip decompression failed
- * 219:41 (new_http_inspect) server consecutive small chunk sizes
- * 219:42 (new_http_inspect) invalid content-length or chunk size
- * 219:43 (new_http_inspect) javascript obfuscation levels exceeds 1
- * 219:44 (new_http_inspect) javascript whitespaces exceeds max
- allowed
- * 219:45 (new_http_inspect) multiple encodings within javascript
- obfuscated data
- * 219:46 (new_http_inspect) SWF file zlib decompression failure
- * 219:47 (new_http_inspect) SWF file LZMA decompression failure
- * 219:48 (new_http_inspect) PDF file deflate decompression failure
- * 219:49 (new_http_inspect) PDF file unsupported compression type
- * 219:50 (new_http_inspect) PDF file cascaded compression
- * 219:51 (new_http_inspect) PDF file parse failure
- * 219:52 (new_http_inspect) HTTP misformatted or not really HTTP
- * 219:53 (new_http_inspect) Chunk length has excessive leading
- zeros
- * 219:54 (new_http_inspect) White space before or between messages
- * 219:55 (new_http_inspect) Request message without URI
- * 219:56 (new_http_inspect) Control character in reason phrase
- * 219:57 (new_http_inspect) Illegal extra whitespace in start line
- * 219:58 (new_http_inspect) Corrupted HTTP version
- * 219:59 (new_http_inspect) Unknown HTTP version
- * 219:60 (new_http_inspect) Format error in HTTP header
- * 219:61 (new_http_inspect) Chunk header options present
- * 219:62 (new_http_inspect) URI badly formatted
- * 219:63 (new_http_inspect) Unused
- * 219:64 (new_http_inspect) HTTP chunk misformatted
- * 219:65 (new_http_inspect) White space following chunk length
- * 219:67 (new_http_inspect) Excessive gzip compression
- * 219:68 (new_http_inspect) Gzip decompression failed
- * 256:1 (dpx) too much data sent to port
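Review bot: SIDs 133:21 and 133:22 carry the identical message "SMB - Multiple chained tree connect requests." (the same duplication existed under 145:21/145:22 in the removed lines), so one of the two entries is not describing its own condition; check the dce_smb event table and give each SID its own text. The dce_smb/dce_tcp events also move from GID 145 to GID 133 and the http_inspect events from GID 219 to GID 119 (with the old new_http_inspect names dropped), while 145 now belongs only to dnp3; any event_filter, suppress or rule_state entries keyed on the old gid:sid pairs will no longer refer to these events, and the list's introduction or the changelog should say so. Smaller consistency points in the added block: the 124:x lines drop their trailing periods while the new 133:x lines keep them (133:16 has none), "Connection oriented" (133:27, 133:28) versus "Connection-oriented" (133:29 onward), and the missing space in "DCE/RPC -No transfer syntaxes" (133:33).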
16.13. Command Set
------------------
+ * packet_capture.disable(): stop packet dump
+ * packet_capture.enable(filter): dump raw packets
* snort.detach(): exit shell w/o shutdown
* snort.dump_stats(): show summary statistics
* snort.help(): this output
* ack (ips_option): rule option to match on TCP ack numbers
* active (basic): configure responses
* alert_csv (logger): output event in csv format
- * alert_ex (logger): output gid:sid:rev for alerts
* alert_fast (logger): output event with brief text format
* alert_full (logger): output event with full packet dump
* alert_syslog (logger): output event to syslog
- * alert_unixsock (logger): output event over unix socket
* alerts (basic): configure alerts
+ * appid (inspector): application and service identification
+ * appids (ips_option): detection option for application ids
* arp (codec): support for address resolution protocol
* arp_spoof (inspector): detect ARP attacks and anomalies
* asn1 (ips_option): rule option for asn1 detection
* cvs (ips_option): payload rule option for detecting specific
attacks
* daq (basic): configure packet acquisition interface
- * data_log (inspector): log selected published data to data.log
* dce_iface (ips_option): detection option to check dcerpc
interface
* dce_opnum (ips_option): detection option to check dcerpc
* dnp3_obj (ips_option): detection option to check dnp3 object
headers
* dns (inspector): dns inspection
- * dpx (inspector): dynamic inspector example
* dsize (ips_option): rule option to test payload size
- * eapol (codec): support for extensible authentication protocol
- over LAN
* erspan2 (codec): support for encapsulated remote switched port
analyzer - type 2
* erspan3 (codec): support for encapsulated remote switched port
* event_filter (basic): configure thresholding of events
* event_queue (basic): configure event queue parameters
* fabricpath (codec): support for fabricpath
+ * file_connector (connector): implement the file based connector
* file_data (ips_option): rule option to set detection cursor to
file data
* file_id (basic): configure file identification
+ * file_log (inspector): log file event to file.log
+ * file_type (ips_option): rule option to check file type
* flags (ips_option): rule option to test TCP control flags
* flow (ips_option): rule option to check session properties
* flowbits (ips_option): rule option to set and test arbitrary
* gtp_inspect (inspector): gtp control channel inspection
* gtp_type (ips_option): rule option to check gtp types
* gtp_version (ips_option): rule option to check gtp version
+ * high_availability (basic): implement flow tracking high
+ availability
+ * host_cache (basic): configure hosts
* host_tracker (basic): configure hosts
* hosts (basic): configure hosts
* http_client_body (ips_option): rule option to set the detection
cursor to the request body
* http_cookie (ips_option): rule option to set the detection cursor
to the HTTP cookie
- * http_global (inspector): http inspector global configuration and
- client rules for use with http_server
* http_header (ips_option): rule option to set the detection cursor
- to the normalized header(s)
- * http_inspect (inspector): http inspection and server rules; also
- configure http_inspect
+ to the normalized headers
+ * http_inspect (inspector): HTTP inspector
* http_method (ips_option): rule option to set the detection cursor
to the HTTP request method
* http_raw_cookie (ips_option): rule option to set the detection
cursor to the unnormalized cookie
* http_raw_header (ips_option): rule option to set the detection
cursor to the unnormalized headers
+ * http_raw_request (ips_option): rule option to set the detection
+ cursor to the unnormalized request line
+ * http_raw_status (ips_option): rule option to set the detection
+ cursor to the unnormalized status line
+ * http_raw_trailer (ips_option): rule option to set the detection
+ cursor to the unnormalized trailers
* http_raw_uri (ips_option): rule option to set the detection
cursor to the unnormalized URI
* http_stat_code (ips_option): rule option to set the detection
cursor to the HTTP status code
* http_stat_msg (ips_option): rule option to set the detection
cursor to the HTTP status message
+ * http_trailer (ips_option): rule option to set the detection
+ cursor to the normalized trailers
* http_uri (ips_option): rule option to set the detection cursor to
the normalized URI buffer
+ * http_version (ips_option): rule option to set the detection
+ cursor to the version buffer
* icmp4 (codec): support for Internet control message protocol v4
* icmp6 (codec): support for Internet control message protocol v6
* icmp_id (ips_option): rule option to check ICMP ID
* isdataat (ips_option): rule option to check for the presence of
payload data
* itype (ips_option): rule option to check ICMP type
+ * latency (basic): packet and rule latency monitoring and control
* log_codecs (logger): log protocols in packet by layer
* log_hext (logger): output payload suitable for daq hext
* log_pcap (logger): log packet in pcap format
* md5 (ips_option): payload rule option for hash matching
+ * memory (basic): memory management configuration
* metadata (ips_option): rule option for conveying arbitrary name,
value data within the rule text
* modbus (inspector): modbus inspection
* msg (ips_option): rule option summarizing rule purpose output
with events
* network (basic): configure basic network parameters
- * new_http_inspect (inspector): new HTTP inspector
* normalizer (inspector): packet scrubbing for inline mode
* output (basic): configure general output parameters
+ * packet_capture (inspector): raw packet dumping facility
* packets (basic): configure basic packet handling
* pcre (ips_option): rule option for matching payload data with
pcre
* pgm (codec): support for pragmatic general multicast
* pkt_data (ips_option): rule option to set the detection cursor to
the normalized packet data
- * pkt_num (ips_option): alert on raw packet number
* pop (inspector): pop inspection
* port_scan (inspector): port scan inspector; also configure
port_scan_global
* port_scan_global (inspector): shared settings for port_scan
inspectors for use with port_scan
- * ppm (basic): packet and rule latency monitoring and control
* pppoe (codec): support for point-to-point protocol over ethernet
* priority (ips_option): rule option for prioritizing events
* process (basic): configure basic process setup
* rpc (ips_option): rule option to check SUNRPC CALL parameters
* rpc_decode (inspector): RPC inspector
* rule_state (basic): enable/disable specific IPS rules
+ * sd_pattern (ips_option): rule option for detecting sensitive data
* search_engine (basic): configure fast pattern matcher
* seq (ips_option): rule option to check TCP sequence number
* session (ips_option): rule option to check user data from TCP
* sha256 (ips_option): payload rule option for hash matching
* sha512 (ips_option): payload rule option for hash matching
* sid (ips_option): rule option to indicate signature number
+ * side_channel (basic): implement the side-channel asynchronous
+ messaging subsystem
* sip (inspector): sip inspection
* sip_body (ips_option): rule option to set the detection cursor to
the request body
* tag (ips_option): rule option to log additional packets
* tcp (codec): support for transmission control protocol
* telnet (inspector): telnet inspection and normalization
- * token_ring (codec): support for token ring decoding
* tos (ips_option): rule option to check type of service field
* ttl (ips_option): rule option to check time to live field
* udp (codec): support for user datagram protocol
* unified2 (logger): output event and packet in unified2 format
file
- * urg (ips_option): detection for TCP urgent pointer
* vlan (codec): support for local area network
* window (ips_option): rule option to check TCP window field
* wizard (inspector): inspector that implements port-independent
- protocol identification
- * wlan (codec): support for wireless local area network protocol
- (DLT 105) :leveloffset: 0
+ protocol identification :leveloffset: 0
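Review bot: the ":leveloffset: 0" attribute entry is glued onto the end of the wizard description ("protocol identification :leveloffset: 0"), so it is emitted as literal text instead of being applied; it has to start its own line after the list, and the same defect was already present in the removed wlan line, so fixing it here rather than carrying it over is the right moment. Three modules now share the help string "configure hosts" (host_cache, host_tracker, hosts), which makes the snort.help() output useless for telling them apart; give host_cache a string that says what it caches. Some new entries are also circular ("file_connector (connector): implement the file based connector"); the help string should say what the connector reads or writes and for which subsystem, since the name alone already says "file connector".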
16.16.1. Plugin Listing
* codec::arp: support for address resolution protocol
* codec::auth: support for IP authentication header
- * codec::eapol: support for extensible authentication protocol over
- LAN
* codec::erspan2: support for encapsulated remote switched port
analyzer - type 2
* codec::erspan3: support for encapsulated remote switched port
* codec::gre: support for generic routing encapsulation
* codec::gtp: support for general-packet-radio-service tunnelling
protocol
- * codec::i4l_rawip: support for I4L IP
* codec::icmp4: support for Internet control message protocol v4
* codec::icmp4_ip: support for IP in ICMPv4
* codec::icmp6: support for Internet control message protocol v6
* codec::ipv6_mobility: support for mobility
* codec::ipv6_no_next: sentinel codec
* codec::ipv6_routing: support for IPv6 routing extension
- * codec::linux_sll: support for Linux SLL (DLT 113)
* codec::llc: support for logical link control
* codec::mpls: support for multiprotocol label switching
- * codec::null: support for null encapsulation (DLT 0)
- * codec::pflog: support for OpenBSD PF log (DLT 117)
* codec::pgm: support for pragmatic general multicast
- * codec::pim: support for protocol independent multicast
- * codec::ppp: support for point-to-point encapsulation (DLT
- DLT_PPP)
* codec::ppp_encap: support for point-to-point encapsulation
* codec::pppoe_disc: support for point-to-point discovery
* codec::pppoe_sess: support for point-to-point session
- * codec::raw4: support for unencapsulated IPv4 (DLT 12) (DLT 228)
- * codec::raw6: support for unencapsulated IPv6 (DLT 229)
- * codec::slip: support for slip protocol (DLT 8)
* codec::sun_nd: support for Sun ND
* codec::swipe: support for Swipe
* codec::tcp: support for transmission control protocol
* codec::teredo: support for teredo
- * codec::token_ring: support for token ring decoding
* codec::trans_bridge: support for trans-bridging
* codec::udp: support for user datagram protocol
* codec::user: support for user sessions (DLT 230)
* codec::vlan: support for local area network
- * codec::wlan: support for wireless local area network protocol
- (DLT 105)
+ * connector::file_connector: implement the file based connector
+ * inspector::appid: application and service identification
* inspector::arp_spoof: detect ARP attacks and anomalies
* inspector::back_orifice: back orifice detection
* inspector::binder: configure processing based on CIDRs, ports,
services, etc.
- * inspector::data_log: log selected published data to data.log
* inspector::dce_smb: dce over smb inspection
* inspector::dce_tcp: dce over tcp inspection
* inspector::dnp3: dnp3 inspection
* inspector::dns: dns inspection
- * inspector::dpx: dynamic inspector example
+ * inspector::file_log: log file event to file.log
* inspector::ftp_client: FTP inspector client module
* inspector::ftp_data: FTP data channel handler
* inspector::ftp_server: FTP inspector server module
* inspector::gtp_inspect: gtp control channel inspection
- * inspector::http_global: shared HTTP inspector settings
- * inspector::http_inspect: main HTTP inspector module
+ * inspector::http_inspect: the new HTTP inspector!
* inspector::imap: imap inspection
* inspector::modbus: modbus inspection
- * inspector::new_http_inspect: the new HTTP inspector!
* inspector::normalizer: packet scrubbing for inline mode
+ * inspector::packet_capture: raw packet dumping facility
* inspector::perf_monitor: performance monitoring and flow
statistics collection
* inspector::pop: pop inspection
unreachable
* ips_action::rewrite: overwrite packet contents
* ips_option::ack: rule option to match on TCP ack numbers
+ * ips_option::appids: detection option for application ids
* ips_option::asn1: rule option for asn1 detection
* ips_option::base64_data: set detection cursor to decoded Base64
data
* ips_option::dsize: rule option to test payload size
* ips_option::file_data: rule option to set detection cursor to
file data
+ * ips_option::file_type: rule option to check file type
* ips_option::flags: rule option to test TCP control flags
* ips_option::flow: rule option to check session properties
* ips_option::flowbits: rule option to set and test arbitrary
* ips_option::http_cookie: rule option to set the detection cursor
to the HTTP cookie
* ips_option::http_header: rule option to set the detection cursor
- to the normalized header(s)
+ to the normalized headers
* ips_option::http_method: rule option to set the detection cursor
to the HTTP request method
* ips_option::http_raw_cookie: rule option to set the detection
cursor to the unnormalized cookie
* ips_option::http_raw_header: rule option to set the detection
cursor to the unnormalized headers
+ * ips_option::http_raw_request: rule option to set the detection
+ cursor to the unnormalized request line
+ * ips_option::http_raw_status: rule option to set the detection
+ cursor to the unnormalized status line
+ * ips_option::http_raw_trailer: rule option to set the detection
+ cursor to the unnormalized trailers
* ips_option::http_raw_uri: rule option to set the detection cursor
to the unnormalized URI
* ips_option::http_stat_code: rule option to set the detection
cursor to the HTTP status code
* ips_option::http_stat_msg: rule option to set the detection
cursor to the HTTP status message
+ * ips_option::http_trailer: rule option to set the detection cursor
+ to the normalized trailers
* ips_option::http_uri: rule option to set the detection cursor to
the normalized URI buffer
+ * ips_option::http_version: rule option to set the detection cursor
+ to the version buffer
* ips_option::icmp_id: rule option to check ICMP ID
* ips_option::icmp_seq: rule option to check ICMP sequence number
* ips_option::icode: rule option to check ICMP code
* ips_option::pcre: rule option for matching payload data with pcre
* ips_option::pkt_data: rule option to set the detection cursor to
the normalized packet data
- * ips_option::pkt_num: alert on raw packet number
* ips_option::priority: rule option for prioritizing events
* ips_option::raw_data: rule option to set the detection cursor to
the raw packet data
* ips_option::rev: rule option to indicate current revision of
signature
* ips_option::rpc: rule option to check SUNRPC CALL parameters
+ * ips_option::sd_pattern: rule option for detecting sensitive data
* ips_option::seq: rule option to check TCP sequence number
* ips_option::session: rule option to check user data from TCP
sessions
* ips_option::tag: rule option to log additional packets
* ips_option::tos: rule option to check type of service field
* ips_option::ttl: rule option to check time to live field
- * ips_option::urg: detection for TCP urgent pointer
* ips_option::window: rule option to check TCP window field
* logger::alert_csv: output event in csv format
- * logger::alert_ex: output gid:sid:rev for alerts
* logger::alert_fast: output event with brief text format
* logger::alert_full: output event with full packet dump
* logger::alert_syslog: output event to syslog
- * logger::alert_unixsock: output event over unix socket
* logger::log_codecs: log protocols in packet by layer
* logger::log_hext: output payload suitable for daq hext
- * logger::log_null: disable logging of packets
* logger::log_pcap: log packet in pcap format
* logger::unified2: output event and packet in unified2 format file
* piglet::pp_codec: Codec piglet
performance) MPSE
* search_engine::hyperscan: intel hyperscan-based mpse with regex
support
- * search_engine::lowmem: Keyword Trie (low memory, moderate
- performance) MPSE
- * so_rule::3|18758: SO rule example
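Review bot: the plugin listing describes http_inspect as "the new HTTP inspector!" while the Command Set above says "http_inspect (inspector): HTTP inspector"; both are presumably generated from the module's help string, so the exclamation-mark version looks like the old new_http_inspect text carried over unchanged, and the two should match. A sizeable set of codecs disappears from the listing with no replacement entry (eapol, i4l_rawip, linux_sll, null, pflog, pim, ppp, raw4, raw6, slip, token_ring, wlan), as do the alert_ex, alert_unixsock and log_null loggers, the lowmem search engine and the so_rule example; if these now build only as optional or example plugins, a sentence saying so belongs in the listing, otherwise the removals read as lost entries.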