<div class="literalblock">\r
<div class="content">\r
<pre><code> ,,_ -*> Snort++ <*-\r
-o" )~ Version 3.0.0-a4 (Build 206) from 2.9.7-262\r
+o" )~ Version 3.0.0-a4 (Build 217) from 2.9.7-262\r
'''' By Martin Roesch & The Snort Team\r
http://snort.org/contact#team\r
Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.\r
<div class="sect2">\r
<h3 id="_new_http_inspector">New Http Inspector</h3>\r
<div class="paragraph"><p>One of the major undertakings for Snort 3.0 is developing a completely new\r
-HTTP inspector. It is incomplete right now but you can examine the\r
-work-in-progress. You can configure it by adding:</p></div>\r
+HTTP inspector. You can configure it by adding:</p></div>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>new_http_inspect = {}</code></pre>\r
+<pre><code>http_inspect = {}</code></pre>\r
</div></div>\r
<div class="paragraph"><p>to your snort.lua configuration file. Or you can read it in the source code\r
-under src/service_inspectors/nhttp_inspect.</p></div>\r
-<div class="paragraph"><p>The classic HTTP preprocessor is still available in the alpha release as\r
-http_inspect. It’s probably the better choice for now if you just want to\r
-do some work and do not feel like experimenting. Be sure not to configure\r
- both old and new HTTP inspectors at the same time.</p></div>\r
+under src/service_inspectors/http_inspect.</p></div>\r
+<div class="paragraph"><p>The classic HTTP preprocessor is still available in the alpha release under\r
+extra. It has been renamed http_server. Be sure not to configure both old\r
+and new HTTP inspectors at the same time.</p></div>\r
<div class="paragraph"><p>So why a new HTTP inspector?</p></div>\r
<div class="paragraph"><p>For starters it is object-oriented. That’s good for us because we maintain\r
this software. But it should also be really nice for open-source\r
the new HTTP inspector’s knowledge of HTTP is centralized in a series of\r
tables where it can be easily reviewed and modified. Many significant\r
changes can be made just by updating these tables.</p></div>\r
-<div class="paragraph"><p>New_http_inspect is the first inspector written specifically for the new\r
+<div class="paragraph"><p>Http_inspect is the first inspector written specifically for the new\r
Snort 3.0 architecture. That provides access to one of the very best\r
-features of Snort 3.0: purely PDU-based inspection. Classic http_inspect\r
+features of Snort 3.0: purely PDU-based inspection. The classic preprocessor\r
processes HTTP messages, but even while doing so it is constantly aware of\r
IP packets and how they divide up the TCP data stream. The same HTTP\r
message might be processed differently depending on how the sender (bad\r
guy) divided it up into IP packets.</p></div>\r
-<div class="paragraph"><p>New_http_inspect is free of this burden and can focus exclusively on HTTP.\r
-That makes it much more simple, easier to test, and less prone to false\r
+<div class="paragraph"><p>Http_inspect is free of this burden and can focus exclusively on HTTP.\r
+That makes it much simpler, easier to test, and less prone to false\r
positives. It also greatly reduces the opportunity for adversaries to probe\r
the inspector for weak spots by adjusting packet boundaries to disguise bad\r
behavior.</p></div>\r
<div class="paragraph"><p>Dealing solely with HTTP messages also opens the door for developing major\r
-new features. The new_http_inspect design supports true stateful\r
+new features. The http_inspect design supports true stateful\r
processing. Want to ask questions that involve both the client request and\r
the server response? Or different requests in the same session? These\r
things are possible.</p></div>\r
HTTP/1.1, but rather a separate protocol layer that runs under HTTP/1.1 and\r
on top of TLS or TCP. It’s a perfect fit for the new Snort 3.0 architecture\r
because a new HTTP/2 inspector would naturally output HTTP/1.1 messages but\r
-not any underlying packets. Exactly what the new_http_inspect wants to\r
-input.</p></div>\r
-<div class="paragraph"><p>New_http_inspect is taking a very different approach to HTTP header fields.\r
-Classic http_inspect divides all the HTTP headers following the start line\r
+not any underlying packets. Exactly what http_inspect wants to input.</p></div>\r
+<div class="paragraph"><p>Http_inspect is taking a very different approach to HTTP header fields.\r
+The classic preprocessor divides all the HTTP headers following the start line\r
into cookies and everything else. It normalizes the two pieces using a\r
generic process and puts them in buffers that one can write rules against.\r
There is some limited support for examining individual headers within the\r
</div>\r
<div class="sect2">\r
<h3 id="_binder_and_wizard">Binder and Wizard</h3>\r
-<div class="paragraph"><p>One of the fundamental differences between Snort and Snort++ concerns configuration related to networks and ports. Here is a brief review of Snort’s configuration for network and service related components:</p></div>\r
+<div class="paragraph"><p>One of the fundamental differences between Snort and Snort++ concerns configuration\r
+related to networks and ports. Here is a brief review of Snort’s configuration for\r
+network and service related components:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:468</strong> (decode) too many protocols present\r
+<strong>116:472</strong> (decode) too many protocols present\r
</p>\r
</li>\r
</ul></div>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.slow searches</strong>: non-fast pattern rule evaluations\r
+<strong>detection.hard evals</strong>: non-fast pattern rule evaluations\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+int <strong>file_id.max_files_cached</strong> = 65536: maximal number of files cached in memory { 8: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
bool <strong>file_id.enable_type</strong> = false: enable type ID\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-enum <strong>latency.packet.action</strong> = alert_and_log: event action if packet times out and is fastpathed { none | alert | log | alert_and_log }\r
+enum <strong>latency.packet.action</strong> = none: event action if packet times out and is fastpathed { none | alert | log | alert_and_log }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-enum <strong>latency.rule.action</strong> = alert_and_log: event action for rule latency enable and suspend events { none | alert | log | alert_and_log }\r
+enum <strong>latency.rule.action</strong> = none: event action for rule latency enable and suspend events { none | alert | log | alert_and_log }\r
</p>\r
</li>\r
</ul></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>latency.total_packets</strong>: total packets monitored\r
+<strong>latency.total packets</strong>: total packets monitored\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>latency.total usecs</strong>: total usecs elapsed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>latency.packet_timeouts</strong>: packets that timed out\r
+<strong>latency.max usecs</strong>: maximum usecs elapsed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>latency.total_rule_evals</strong>: total rule evals monitored\r
+<strong>latency.packet timeouts</strong>: packets that timed out\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>latency.rule_eval_timeouts</strong>: rule evals that timed out\r
+<strong>latency.total rule evals</strong>: total rule evals monitored\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>latency.rule_tree_enables</strong>: rule tree re-enables\r
+<strong>latency.rule eval timeouts</strong>: rule evals that timed out\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>latency.rule tree enables</strong>: rule tree re-enables\r
</p>\r
</li>\r
</ul></div>\r
</li>\r
<li>\r
<p>\r
-select <strong>rate_filter[].new_action</strong> = alert: take this action on future hits until timeout { alert | drop | log | pass | | reject | sdrop }\r
+enum <strong>rate_filter[].new_action</strong> = alert: take this action on future hits until timeout { log | pass | alert | drop | block | reset }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>search_engine.debug_print_fast_pattern</strong> = false: print fast pattern info for each rule\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>search_engine.max_pattern_len</strong> = 0: truncate patterns when compiling into state machine (0 means no maximum) { 0: }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>search_engine.split_any_any</strong> = false: evaluate any-any rules separately to save memory\r
+bool <strong>search_engine.search_optimize</strong> = true: tweak state machine construction for better performance\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>search_engine.search_optimize</strong> = true: tweak state machine construction for better performance\r
+bool <strong>search_engine.show_fast_patterns</strong> = false: print fast pattern info for each rule\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>search_engine.split_any_any</strong> = false: evaluate any-any rules separately to save memory\r
</p>\r
</li>\r
</ul></div>\r
string <strong>side_channel.connectors[].connector</strong>: connector handle\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+string <strong>side_channel.connector</strong>: connector handle\r
+</p>\r
+</li>\r
</ul></div>\r
<div class="paragraph"><p>Peg counts:</p></div>\r
</div>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.-w</strong>: dump 802.11 management and control frames\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
implied <strong>snort.-X</strong>: dump the raw packet data starting at the link layer\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
+<h3 id="_ciscometadata">ciscometadata</h3>\r
+<div class="paragraph"><p>What: support for cisco metadata</p></div>\r
+<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+<strong>116:468</strong> (ciscometadata) truncated Cisco Metadata header\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>116:469</strong> (ciscometadata) invalid Cisco Metadata option length\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>116:470</strong> (ciscometadata) invalid Cisco Metadata option type\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>116:471</strong> (ciscometadata) invalid Cisco Metadata SGT\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
<h3 id="_erspan2">erspan2</h3>\r
<div class="paragraph"><p>What: support for encapsulated remote switched port analyzer - type 2</p></div>\r
<div class="paragraph"><p>Type: codec</p></div>\r
</li>\r
<li>\r
<p>\r
-string <strong>appid.app_stats_filename</strong>: Filename for logging AppId statistics\r
+bool <strong>appid.log_stats</strong> = false: enable logging of AppId statistics\r
</p>\r
</li>\r
<li>\r
string <strong>appid.thirdparty_appid_dir</strong>: directory to load thirdparty AppId detectors from\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+addr <strong>appid.session_log_filter.src_ip</strong> = 0.0.0.0/32: source ip address in CIDR format\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+addr <strong>appid.session_log_filter.dst_ip</strong> = 0.0.0.0/32: destination ip address in CIDR format\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+port <strong>appid.session_log_filter.src_port</strong>: source port { 1: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+port <strong>appid.session_log_filter.dst_port</strong>: destination port { 1: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>appid.session_log_filter.protocol</strong>: ip protocol\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>appid.session_log_filter.log_all_sessions</strong> = false: enable logging for all appid sessions\r
+</p>\r
+</li>\r
</ul></div>\r
<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>appid.packets</strong>: count of packets processed by appid\r
+<strong>appid.packets</strong>: count of packets received by appid inspector\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.processed packets</strong>: count of packets processed by appid inspector\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.ignored packets</strong>: count of packets ignored by appid inspector\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.aim_clients</strong>: count of aim clients discovered by appid\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>appid.bootp_flows</strong>: count of bootp flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>appid.dcerpc_tcp_flows</strong>: count of dce rpc flows over tcp discovered by appid\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>appid.direct_connect_flows</strong>: count of direct connect flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>appid.dns_tcp_flows</strong>: count of dns flows over tcp discovered by appid\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>appid.http_flows</strong>: count of http flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>appid.imap_flows</strong>: count of imap service flows discovered by appid\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>appid.msn_clients</strong>: count of msn clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>appid.mysql_flows</strong>: count of mysql service flows discovered by appid\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.netbios_flows</strong>: count of netbios service flows discovered by appid\r
+<strong>appid.netbios_dgm_flows</strong>: count of netbios-dgm service flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.netbios_ns_flows</strong>: count of netbios-ns service flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.netbios_ssn_flows</strong>: count of netbios-ssn service flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.nntp_flows</strong>: count of nntp flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.ntp_flows</strong>: count of ntp flows discovered by appid\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>appid.radius_flows</strong>: count of radius flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.rexec_flows</strong>: count of rexec flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.rfb_flows</strong>: count of rfb flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.rlogin_flows</strong>: count of rlogin flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.rpc_flows</strong>: count of rpc flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.rshell_flows</strong>: count of rshell flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.rsync_flows</strong>: count of rsync service flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.rtmp_flows</strong>: count of rtmp flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.rtp_clients</strong>: count of rtp clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.sip_clients</strong>: count of SIP clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.sip_flows</strong>: count of SIP flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.smtp_aol_clients</strong>: count of AOL smtp clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.smtp_applemail_clients</strong>: count of Apple Mail smtp clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.smtp_eudora_clients</strong>: count of Eudora smtp clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.smtp_eudora_pro_clients</strong>: count of Eudora Pro smtp clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.smtp_evolution_clients</strong>: count of Evolution smtp clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.smtp_kmail_clients</strong>: count of KMail smtp clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.smtp_lotus_notes_clients</strong>: count of Lotus Notes smtp clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.smtp_microsoft_outlook_clients</strong>: count of Microsoft Outlook smtp clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.smtp_microsoft_outlook_express_clients</strong>: count of Microsoft Outlook Express smtp clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.smtp_microsoft_outlook_imo_clients</strong>: count of Microsoft Outlook IMO smtp clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.smtp_mutt_clients</strong>: count of Mutt smtp clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.smtp_thunderbird_clients</strong>: count of Thunderbird smtp clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>appid.smtp_flows</strong>: count of smtp flows discovered by appid\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>appid.snmp_flows</strong>: count of snmp flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>appid.ssh_clients</strong>: count of ssh clients discovered by appid\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>appid.tftp_flows</strong>: count of tftp flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>appid.timbuktu_flows</strong>: count of timbuktu flows discovered by appid\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+<strong>appid.tns_clients</strong>: count of tns clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.tns_flows</strong>: count of tns flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.vnc_clients</strong>: count of vnc clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.yahoo_messenger_clients</strong>: count of Yahoo Messenger clients discovered by appid\r
+</p>\r
+</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
string <strong>dce_smb.smb_invalid_shares</strong>: SMB shares to alert on\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+bool <strong>dce_smb.smb_legacy_mode</strong> = false: inspect only SMBv1\r
+</p>\r
+</li>\r
</ul></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<strong>133:57</strong> (dce_smb) SMB - Client attempted to create or set a file’s attributes to readonly/hidden/system.\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+<strong>133:58</strong> (dce_smb) SMB - File offset provided is greater than file size specified\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>133:59</strong> (dce_smb) SMB - Next command specified in SMB2 header is beyond payload boundary\r
+</p>\r
+</li>\r
</ul></div>\r
<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
</li>\r
<li>\r
<p>\r
+<strong>dce_smb.Ignored bytes</strong>: total ignored bytes\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>dce_smb.Client segs reassembled</strong>: total smb client segments reassembled\r
</p>\r
</li>\r
<strong>dce_smb.Files processed</strong>: total smb files processed\r
</p>\r
</li>\r
-</ul></div>\r
-</div>\r
+<li>\r
+<p>\r
+<strong>dce_smb.SMBv2 create</strong>: total number of SMBv2 create packets seen\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_smb.SMBv2 write</strong>: total number of SMBv2 write packets seen\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_smb.SMBv2 read</strong>: total number of SMBv2 read packets seen\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_smb.SMBv2 set info</strong>: total number of SMBv2 set info packets seen\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_smb.SMBv2 tree connect</strong>: total number of SMBv2 tree connect packets seen\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_smb.SMBv2 tree disconnect</strong>: total number of SMBv2 tree disconnect packets seen\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_smb.SMBv2 close</strong>: total number of SMBv2 close packets seen\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
<div class="sect2">\r
<h3 id="_dce_tcp">dce_tcp</h3>\r
<div class="paragraph"><p>What: dce over tcp inspection</p></div>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
+<h3 id="_dce_udp">dce_udp</h3>\r
+<div class="paragraph"><p>What: dce over udp inspection</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+bool <strong>dce_udp.disable_defrag</strong> = false: Disable DCE/RPC defragmentation\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>dce_udp.max_frag_len</strong> = 65535: Maximum fragment size for defragmentation { 1514:65535 }\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+<strong>133:40</strong> (dce_udp) Connection-less DCE/RPC - Invalid major version.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>133:41</strong> (dce_udp) Connection-less DCE/RPC - Invalid pdu type.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>133:42</strong> (dce_udp) Connection-less DCE/RPC - Data length less than header size.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>133:43</strong> (dce_udp) Connection-less DCE/RPC - Bad sequence number.\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+<strong>dce_udp.events</strong>: total events\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_udp.aborted sessions</strong>: total aborted sessions\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_udp.bad autodetects</strong>: total bad autodetects\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_udp.udp sessions</strong>: total udp sessions\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_udp.udp packets</strong>: total udp packets\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_udp.Requests</strong>: total connection-less requests\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_udp.Acks</strong>: total connection-less acks\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_udp.Cancels</strong>: total connection-less cancels\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_udp.Client facks</strong>: total connection-less client facks\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_udp.Ping</strong>: total connection-less ping\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_udp.Responses</strong>: total connection-less responses\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_udp.Rejects</strong>: total connection-less rejects\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_udp.Cancel acks</strong>: total connection-less cancel acks\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_udp.Server facks</strong>: total connection-less server facks\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_udp.Faults</strong>: total connection-less faults\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_udp.No calls</strong>: total connection-less no calls\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_udp.Working</strong>: total connection-less working\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_udp.Other requests</strong>: total connection-less other requests\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_udp.Other responses</strong>: total connection-less other responses\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_udp.Fragments</strong>: total connection-less fragments\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_udp.Max fragment size</strong>: connection-less maximum fragment size\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_udp.Frags reassembled</strong>: total connection-less fragments reassembled\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_udp.Max seqnum</strong>: max connection-less seqnum\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
<h3 id="_dnp3">dnp3</h3>\r
<div class="paragraph"><p>What: dnp3 inspection</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
</li>\r
<li>\r
<p>\r
+string <strong>ftp_server.data_rest_cmds</strong>: check the formatting of the given commands\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>ftp_server.data_xfer_cmds</strong>: check the formatting of the given commands\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>http_inspect.normalize_utf</strong> = true: normalize charset utf encodings\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
bit_list <strong>http_inspect.bad_characters</strong>: alert when any of specified bytes are present in URI after percent decoding { 255 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>119:66</strong> (http_inspect) White space within header name\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>119:67</strong> (http_inspect) Excessive gzip compression\r
</p>\r
</li>\r
<strong>119:75</strong> (http_inspect) Misformatted HTTP traffic\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+<strong>119:76</strong> (http_inspect) Unsupported Transfer-Encoding or Content-Encoding used\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>119:77</strong> (http_inspect) Unknown Transfer-Encoding or Content-Encoding used\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>119:78</strong> (http_inspect) Multiple layers of compression encodings applied\r
+</p>\r
+</li>\r
</ul></div>\r
<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>stream.ip_cache.max_sessions</strong> = 16384: maximum simultaneous sessions tracked before pruning { 2: }\r
+bool <strong>stream.ip_frags_only</strong> = false: don’t process non-frag flows\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.ip_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
+int <strong>stream.ip_cache.max_sessions</strong> = 16384: maximum simultaneous sessions tracked before pruning { 2: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.ip_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
+int <strong>stream.ip_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.ip_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }\r
+int <strong>stream.ip_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.icmp_cache.max_sessions</strong> = 32768: maximum simultaneous sessions tracked before pruning { 2: }\r
+int <strong>stream.icmp_cache.max_sessions</strong> = 65536: maximum simultaneous sessions tracked before pruning { 2: }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.icmp_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.tcp_cache.max_sessions</strong> = 131072: maximum simultaneous sessions tracked before pruning { 2: }\r
+int <strong>stream.tcp_cache.max_sessions</strong> = 262144: maximum simultaneous sessions tracked before pruning { 2: }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.tcp_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.udp_cache.max_sessions</strong> = 65536: maximum simultaneous sessions tracked before pruning { 2: }\r
+int <strong>stream.udp_cache.max_sessions</strong> = 131072: maximum simultaneous sessions tracked before pruning { 2: }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.udp_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>stream.user_cache.max_sessions</strong> = 1024: maximum simultaneous sessions tracked before pruning { 2: }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.user_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>stream.file_cache.max_sessions</strong> = 128: maximum simultaneous sessions tracked before pruning { 2: }\r
</p>\r
</li>\r
int <strong>stream.file_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
</p>\r
</li>\r
-<li>\r
-<p>\r
-int <strong>stream.file_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }\r
-</p>\r
-</li>\r
</ul></div>\r
<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip timeout prunes</strong>: ip sessions pruned due to timeout\r
+<strong>stream.ip idle prunes</strong>: ip sessions pruned due to timeout\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip user prunes</strong>: ip sessions pruned for other reasons\r
+<strong>stream.ip ha prunes</strong>: ip sessions pruned by high availability sync\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp timeout prunes</strong>: icmp sessions pruned due to timeout\r
+<strong>stream.icmp idle prunes</strong>: icmp sessions pruned due to timeout\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp user prunes</strong>: icmp sessions pruned for other reasons\r
+<strong>stream.icmp ha prunes</strong>: icmp sessions pruned by high availability sync\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp timeout prunes</strong>: tcp sessions pruned due to timeout\r
+<strong>stream.tcp idle prunes</strong>: tcp sessions pruned due to timeout\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp user prunes</strong>: tcp sessions pruned for other reasons\r
+<strong>stream.tcp ha prunes</strong>: tcp sessions pruned by high availability sync\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp timeout prunes</strong>: udp sessions pruned due to timeout\r
+<strong>stream.udp idle prunes</strong>: udp sessions pruned due to timeout\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp user prunes</strong>: udp sessions pruned for other reasons\r
+<strong>stream.udp ha prunes</strong>: udp sessions pruned by high availability sync\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user timeout prunes</strong>: user sessions pruned due to timeout\r
+<strong>stream.user idle prunes</strong>: user sessions pruned due to timeout\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user user prunes</strong>: user sessions pruned for other reasons\r
+<strong>stream.user ha prunes</strong>: user sessions pruned by high availability sync\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.file timeout prunes</strong>: file sessions pruned due to timeout\r
+<strong>stream.file idle prunes</strong>: file sessions pruned due to timeout\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.file user prunes</strong>: file sessions pruned for other reasons\r
+<strong>stream.file ha prunes</strong>: file sessions pruned by high availability sync\r
</p>\r
</li>\r
</ul></div>\r
int <strong>stream_ip.session_timeout</strong> = 30: session tracking timeout { 1:86400 }\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+int <strong>stream_ip.trace</strong>: mask for enabling debug traces in module\r
+</p>\r
+</li>\r
</ul></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.total</strong>: total fragments\r
+<strong>stream_ip.total frags</strong>: total fragments\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.current</strong>: current fragments\r
+<strong>stream_ip.current frags</strong>: current fragments\r
</p>\r
</li>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>rpc.~app</strong>: application number\r
+int <strong>rpc.~app</strong>: application number\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>rpc.~ver</strong>: version number or * for any\r
+int <strong>rpc.ver</strong>: version number or * for any\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>rpc.~proc</strong>: procedure number or * for any\r
+int <strong>rpc.proc</strong>: procedure number or * for any\r
</p>\r
</li>\r
</ul></div>\r
<div class="content">\r
<pre><code>snort --help-config http_inspect | grep http_inspect.profile</code></pre>\r
</div></div>\r
-<div class="paragraph"><p>The new Http Inspect (new_http_inspect) implementation of config options is\r
-still under development.</p></div>\r
</div>\r
</div>\r
</div>\r
available to the client.\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+Any using statements in source files should be added only after all\r
+ includes have been declared.\r
+</p>\r
+</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
</li>\r
<li>\r
<p>\r
+Do not start or end variable names with an underscore. This has a good\r
+ chance of conflicting with macro and/or system definitions.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
Use lower case filenames with underscores.\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-Presently using FIXIT-X where X = P | H | M | L, indicating perf, high,\r
- med, or low priority. For now, H, M, or L can indicate alpha 1, 2, or 3.\r
- Perf changes fall between alpha 1 and 2.\r
+Presently using FIXIT-X where X = A | W | P | H | M | L, indicating analysis,\r
+ warning, perf, high, med, or low priority. Place A and W comments on the\r
+ exact warning line so we can match up comments and build output. Supporting\r
+ comments can be added above.\r
</p>\r
</li>\r
<li>\r
<li>\r
<p>\r
Each header should have a comment immediately after the header guard to\r
- give an overview of the file so the user knows what’s going on.\r
+ give an overview of the file so the reader knows what’s going on.\r
</p>\r
</li>\r
</ul></div>\r
</li>\r
<li>\r
<p>\r
-<strong>-w</strong> dump 802.11 management and control frames\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>-W</strong> lists available interfaces\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-string <strong>appid.app_stats_filename</strong>: Filename for logging AppId statistics\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>appid.app_stats_period</strong> = 300: time period for collecting and logging AppId statistics { 0: }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>appid.log_stats</strong> = false: enable logging of AppId statistics\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>appid.memcap</strong> = 268435456: time period for collecting and logging AppId statistics { 1048576:3221225472 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+addr <strong>appid.session_log_filter.dst_ip</strong> = 0.0.0.0/32: destination ip address in CIDR format\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+port <strong>appid.session_log_filter.dst_port</strong>: destination port { 1: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>appid.session_log_filter.log_all_sessions</strong> = false: enable logging for all appid sessions\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>appid.session_log_filter.protocol</strong>: ip protocol\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+addr <strong>appid.session_log_filter.src_ip</strong> = 0.0.0.0/32: source ip address in CIDR format\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+port <strong>appid.session_log_filter.src_port</strong>: source port { 1: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>appid.thirdparty_appid_dir</strong>: directory to load thirdparty AppId detectors from\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>dce_smb.smb_legacy_mode</strong> = false: inspect only SMBv1\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>dce_smb.smb_max_chain</strong> = 3: SMB max chain size { 0:255 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>dce_udp.disable_defrag</strong> = false: Disable DCE/RPC defragmentation\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>dce_udp.max_frag_len</strong> = 65535: Maximum fragment size for defragmentation { 1514:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>detection.asn1</strong> = 256: maximum decode nodes { 1: }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+int <strong>file_id.max_files_cached</strong> = 65536: maximal number of files cached in memory { 8: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>file_id.show_data_depth</strong> = 100: print this many octets { 0: }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+string <strong>ftp_server.data_rest_cmds</strong>: check the formatting of the given commands\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>ftp_server.data_xfer_cmds</strong>: check the formatting of the given commands\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>http_inspect.normalize_utf</strong> = true: normalize charset utf encodings\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>http_inspect.oversize_dir_length</strong> = 300: maximum length for URL directory { 1:65535 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-enum <strong>latency.packet.action</strong> = alert_and_log: event action if packet times out and is fastpathed { none | alert | log | alert_and_log }\r
+enum <strong>latency.packet.action</strong> = none: event action if packet times out and is fastpathed { none | alert | log | alert_and_log }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-enum <strong>latency.rule.action</strong> = alert_and_log: event action for rule latency enable and suspend events { none | alert | log | alert_and_log }\r
+enum <strong>latency.rule.action</strong> = none: event action for rule latency enable and suspend events { none | alert | log | alert_and_log }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-select <strong>rate_filter[].new_action</strong> = alert: take this action on future hits until timeout { alert | drop | log | pass | | reject | sdrop }\r
+enum <strong>rate_filter[].new_action</strong> = alert: take this action on future hits until timeout { log | pass | alert | drop | block | reset }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>rpc.~app</strong>: application number\r
+int <strong>rpc.~app</strong>: application number\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>rpc.~proc</strong>: procedure number or * for any\r
+int <strong>rpc.proc</strong>: procedure number or * for any\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>rpc.~ver</strong>: version number or * for any\r
+int <strong>rpc.ver</strong>: version number or * for any\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>search_engine.debug_print_fast_pattern</strong> = false: print fast pattern info for each rule\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
bool <strong>search_engine.debug_print_nocontent_rule_tests</strong> = false: print rule group info during packet evaluation\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>search_engine.show_fast_patterns</strong> = false: print fast pattern info for each rule\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
bool <strong>search_engine.split_any_any</strong> = false: evaluate any-any rules separately to save memory\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+string <strong>side_channel.connector</strong>: connector handle\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>side_channel.connectors[].connector</strong>: connector handle\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.-w</strong>: dump 802.11 management and control frames\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
implied <strong>snort.-W</strong>: lists available interfaces\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.file_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>stream.file_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.icmp_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>stream.icmp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.icmp_cache.max_sessions</strong> = 32768: maximum simultaneous sessions tracked before pruning { 2: }\r
+int <strong>stream.icmp_cache.max_sessions</strong> = 65536: maximum simultaneous sessions tracked before pruning { 2: }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.ip_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }\r
+int <strong>stream.ip_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.ip_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
+int <strong>stream.ip_cache.max_sessions</strong> = 16384: maximum simultaneous sessions tracked before pruning { 2: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.ip_cache.max_sessions</strong> = 16384: maximum simultaneous sessions tracked before pruning { 2: }\r
+int <strong>stream.ip_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.ip_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
+bool <strong>stream.ip_frags_only</strong> = false: don’t process non-frag flows\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+int <strong>stream_ip.trace</strong>: mask for enabling debug traces in module\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
enum <strong>stream_reassemble.action</strong>: stop or start stream reassembly { disable|enable }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.tcp_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>stream.tcp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.tcp_cache.max_sessions</strong> = 131072: maximum simultaneous sessions tracked before pruning { 2: }\r
+int <strong>stream.tcp_cache.max_sessions</strong> = 262144: maximum simultaneous sessions tracked before pruning { 2: }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.udp_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>stream.udp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.udp_cache.max_sessions</strong> = 65536: maximum simultaneous sessions tracked before pruning { 2: }\r
+int <strong>stream.udp_cache.max_sessions</strong> = 131072: maximum simultaneous sessions tracked before pruning { 2: }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.user_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>stream.user_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+string <strong>tcp_connector.address</strong>: address\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+port <strong>tcp_connector.base_port</strong>: base port number\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>tcp_connector.connector</strong>: connector name\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+enum <strong>tcp_connector.setup</strong>: stream establishment { call | answer }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>telnet.ayt_attack_thresh</strong> = -1: alert on this number of consecutive telnet AYT commands { -1: }\r
</p>\r
</li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
+<strong>appid.aim_clients</strong>: count of aim clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>appid.battlefield_flows</strong>: count of battle field flows discovered by appid\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>appid.bootp_flows</strong>: count of bootp flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>appid.dcerpc_tcp_flows</strong>: count of dce rpc flows over tcp discovered by appid\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>appid.direct_connect_flows</strong>: count of direct connect flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>appid.dns_tcp_flows</strong>: count of dns flows over tcp discovered by appid\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>appid.http_flows</strong>: count of http flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.ignored packets</strong>: count of packets ignored by appid inspector\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>appid.imap_flows</strong>: count of imap service flows discovered by appid\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>appid.msn_clients</strong>: count of msn clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>appid.mysql_flows</strong>: count of mysql service flows discovered by appid\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.netbios_flows</strong>: count of netbios service flows discovered by appid\r
+<strong>appid.netbios_dgm_flows</strong>: count of netbios-dgm service flows discovered by appid\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.packets</strong>: count of packets processed by appid\r
+<strong>appid.netbios_ns_flows</strong>: count of netbios-ns service flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.netbios_ssn_flows</strong>: count of netbios-ssn service flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.nntp_flows</strong>: count of nntp flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.ntp_flows</strong>: count of ntp flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.packets</strong>: count of packets received by appid inspector\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>appid.processed packets</strong>: count of packets processed by appid inspector\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.radius_flows</strong>: count of radius flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.rexec_flows</strong>: count of rexec flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.rfb_flows</strong>: count of rfb flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.rlogin_flows</strong>: count of rlogin flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.rpc_flows</strong>: count of rpc flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.rshell_flows</strong>: count of rshell flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.rsync_flows</strong>: count of rsync service flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.rtmp_flows</strong>: count of rtmp flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.rtp_clients</strong>: count of rtp clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.sip_clients</strong>: count of SIP clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.sip_flows</strong>: count of SIP flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.smtp_aol_clients</strong>: count of AOL smtp clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.smtp_applemail_clients</strong>: count of Apple Mail smtp clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.smtp_eudora_clients</strong>: count of Eudora smtp clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.smtp_eudora_pro_clients</strong>: count of Eudora Pro smtp clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.smtp_evolution_clients</strong>: count of Evolution smtp clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>appid.smtp_flows</strong>: count of smtp flows discovered by appid\r
</p>\r
</li>\r
<li>\r
<p>\r
+<strong>appid.smtp_kmail_clients</strong>: count of KMail smtp clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.smtp_lotus_notes_clients</strong>: count of Lotus Notes smtp clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.smtp_microsoft_outlook_clients</strong>: count of Microsoft Outlook smtp clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.smtp_microsoft_outlook_express_clients</strong>: count of Microsoft Outlook Express smtp clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.smtp_microsoft_outlook_imo_clients</strong>: count of Microsoft Outlook IMO smtp clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.smtp_mutt_clients</strong>: count of Mutt smtp clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>appid.smtps_flows</strong>: count of smtps flows discovered by appid\r
</p>\r
</li>\r
<li>\r
<p>\r
+<strong>appid.smtp_thunderbird_clients</strong>: count of Thunderbird smtp clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.snmp_flows</strong>: count of snmp flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>appid.ssh_clients</strong>: count of ssh clients discovered by appid\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>appid.tftp_flows</strong>: count of tftp flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>appid.timbuktu_flows</strong>: count of timbuktu flows discovered by appid\r
</p>\r
</li>\r
<li>\r
<p>\r
+<strong>appid.tns_clients</strong>: count of tns clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.tns_flows</strong>: count of tns flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.vnc_clients</strong>: count of vnc clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.yahoo_messenger_clients</strong>: count of Yahoo Messenger clients discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>arp_spoof.packets</strong>: total packets\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>dce_smb.Ignored bytes</strong>: total ignored bytes\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>dce_smb.Max outstanding requests</strong>: total smb maximum outstanding requests\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Other responses</strong>: total connection-oriented other responses\r
+<strong>dce_smb.Other responses</strong>: total connection-oriented other responses\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_smb.Packets</strong>: total smb packets\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_smb.PDUs</strong>: total connection-oriented PDUs\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_smb.Rejects</strong>: total connection-oriented rejects\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_smb.Request fragments</strong>: total connection-oriented request fragments\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_smb.Requests</strong>: total connection-oriented requests\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_smb.Response fragments</strong>: total connection-oriented response fragments\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_smb.Responses</strong>: total connection-oriented responses\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_smb.Server frags reassembled</strong>: total connection-oriented server fragments reassembled\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_smb.Server max fragment size</strong>: connection-oriented server maximum fragment size\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_smb.Server min fragment size</strong>: connection-oriented server minimum fragment size\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_smb.Server segs reassembled</strong>: total connection-oriented server segments reassembled\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_smb.Server segs reassembled</strong>: total smb server segments reassembled\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_smb.Sessions</strong>: total smb sessions\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_smb.Shutdowns</strong>: total connection-oriented shutdowns\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_smb.SMBv2 close</strong>: total number of SMBv2 close packets seen\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_smb.SMBv2 create</strong>: total number of SMBv2 create packets seen\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_smb.SMBv2 read</strong>: total number of SMBv2 read packets seen\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_smb.SMBv2 set info</strong>: total number of SMBv2 set info packets seen\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_smb.SMBv2 tree connect</strong>: total number of SMBv2 tree connect packets seen\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_smb.SMBv2 tree disconnect</strong>: total number of SMBv2 tree disconnect packets seen\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_smb.SMBv2 write</strong>: total number of SMBv2 write packets seen\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_tcp.aborted sessions</strong>: total aborted sessions\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_tcp.Alter context responses</strong>: total connection-oriented alter context responses\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_tcp.Alter contexts</strong>: total connection-oriented alter contexts\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_tcp.Auth3s</strong>: total connection-oriented auth3s\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_tcp.bad autodetects</strong>: total bad autodetects\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_tcp.Bind acks</strong>: total connection-oriented binds acks\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_tcp.Bind naks</strong>: total connection-oriented bind naks\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_tcp.Binds</strong>: total connection-oriented binds\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_tcp.Cancels</strong>: total connection-oriented cancels\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Packets</strong>: total smb packets\r
+<strong>dce_tcp.Client frags reassembled</strong>: total connection-oriented client fragments reassembled\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.PDUs</strong>: total connection-oriented PDUs\r
+<strong>dce_tcp.Client max fragment size</strong>: connection-oriented client maximum fragment size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Rejects</strong>: total connection-oriented rejects\r
+<strong>dce_tcp.Client min fragment size</strong>: connection-oriented client minimum fragment size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Request fragments</strong>: total connection-oriented request fragments\r
+<strong>dce_tcp.Client segs reassembled</strong>: total connection-oriented client segments reassembled\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Requests</strong>: total connection-oriented requests\r
+<strong>dce_tcp.events</strong>: total events\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Response fragments</strong>: total connection-oriented response fragments\r
+<strong>dce_tcp.Faults</strong>: total connection-oriented faults\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Responses</strong>: total connection-oriented responses\r
+<strong>dce_tcp.MS RPC/HTTP PDUs</strong>: total connection-oriented MS requests to send RPC over HTTP\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Server frags reassembled</strong>: total connection-oriented server fragments reassembled\r
+<strong>dce_tcp.Orphaned</strong>: total connection-oriented orphaned\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Server max fragment size</strong>: connection-oriented server maximum fragment size\r
+<strong>dce_tcp.Other requests</strong>: total connection-oriented other requests\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Server min fragment size</strong>: connection-oriented server minimum fragment size\r
+<strong>dce_tcp.Other responses</strong>: total connection-oriented other responses\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Server segs reassembled</strong>: total connection-oriented server segments reassembled\r
+<strong>dce_tcp.PDUs</strong>: total connection-oriented PDUs\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Server segs reassembled</strong>: total smb server segments reassembled\r
+<strong>dce_tcp.Rejects</strong>: total connection-oriented rejects\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Sessions</strong>: total smb sessions\r
+<strong>dce_tcp.Request fragments</strong>: total connection-oriented request fragments\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Shutdowns</strong>: total connection-oriented shutdowns\r
+<strong>dce_tcp.Requests</strong>: total connection-oriented requests\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.aborted sessions</strong>: total aborted sessions\r
+<strong>dce_tcp.Response fragments</strong>: total connection-oriented response fragments\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Alter context responses</strong>: total connection-oriented alter context responses\r
+<strong>dce_tcp.Responses</strong>: total connection-oriented responses\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Alter contexts</strong>: total connection-oriented alter contexts\r
+<strong>dce_tcp.Server frags reassembled</strong>: total connection-oriented server fragments reassembled\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Auth3s</strong>: total connection-oriented auth3s\r
+<strong>dce_tcp.Server max fragment size</strong>: connection-oriented server maximum fragment size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.bad autodetects</strong>: total bad autodetects\r
+<strong>dce_tcp.Server min fragment size</strong>: connection-oriented server minimum fragment size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Bind acks</strong>: total connection-oriented binds acks\r
+<strong>dce_tcp.Server segs reassembled</strong>: total connection-oriented server segments reassembled\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Bind naks</strong>: total connection-oriented bind naks\r
+<strong>dce_tcp.Shutdowns</strong>: total connection-oriented shutdowns\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Binds</strong>: total connection-oriented binds\r
+<strong>dce_tcp.tcp packets</strong>: total tcp packets\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Cancels</strong>: total connection-oriented cancels\r
+<strong>dce_tcp.tcp sessions</strong>: total tcp sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Client frags reassembled</strong>: total connection-oriented client fragments reassembled\r
+<strong>dce_udp.aborted sessions</strong>: total aborted sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Client max fragment size</strong>: connection-oriented client maximum fragment size\r
+<strong>dce_udp.Acks</strong>: total connection-less acks\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Client min fragment size</strong>: connection-oriented client minimum fragment size\r
+<strong>dce_udp.bad autodetects</strong>: total bad autodetects\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Client segs reassembled</strong>: total connection-oriented client segments reassembled\r
+<strong>dce_udp.Cancel acks</strong>: total connection-less cancel acks\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.events</strong>: total events\r
+<strong>dce_udp.Cancels</strong>: total connection-less cancels\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Faults</strong>: total connection-oriented faults\r
+<strong>dce_udp.Client facks</strong>: total connection-less client facks\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.MS RPC/HTTP PDUs</strong>: total connection-oriented MS requests to send RPC over HTTP\r
+<strong>dce_udp.events</strong>: total events\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Orphaned</strong>: total connection-oriented orphaned\r
+<strong>dce_udp.Faults</strong>: total connection-less faults\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Other requests</strong>: total connection-oriented other requests\r
+<strong>dce_udp.Fragments</strong>: total connection-less fragments\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Other responses</strong>: total connection-oriented other responses\r
+<strong>dce_udp.Frags reassembled</strong>: total connection-less fragments reassembled\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.PDUs</strong>: total connection-oriented PDUs\r
+<strong>dce_udp.Max fragment size</strong>: connection-less maximum fragment size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Rejects</strong>: total connection-oriented rejects\r
+<strong>dce_udp.Max seqnum</strong>: max connection-less seqnum\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Request fragments</strong>: total connection-oriented request fragments\r
+<strong>dce_udp.No calls</strong>: total connection-less no calls\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Requests</strong>: total connection-oriented requests\r
+<strong>dce_udp.Other requests</strong>: total connection-less other requests\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Response fragments</strong>: total connection-oriented response fragments\r
+<strong>dce_udp.Other responses</strong>: total connection-less other responses\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Responses</strong>: total connection-oriented responses\r
+<strong>dce_udp.Ping</strong>: total connection-less ping\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Server frags reassembled</strong>: total connection-oriented server fragments reassembled\r
+<strong>dce_udp.Rejects</strong>: total connection-less rejects\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Server max fragment size</strong>: connection-oriented server maximum fragment size\r
+<strong>dce_udp.Requests</strong>: total connection-less requests\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Server min fragment size</strong>: connection-oriented server minimum fragment size\r
+<strong>dce_udp.Responses</strong>: total connection-less responses\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Server segs reassembled</strong>: total connection-oriented server segments reassembled\r
+<strong>dce_udp.Server facks</strong>: total connection-less server facks\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Shutdowns</strong>: total connection-oriented shutdowns\r
+<strong>dce_udp.udp packets</strong>: total udp packets\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.tcp packets</strong>: total tcp packets\r
+<strong>dce_udp.udp sessions</strong>: total udp sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.tcp sessions</strong>: total tcp sessions\r
+<strong>dce_udp.Working</strong>: total connection-less working\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>detection.hard evals</strong>: non-fast pattern rule evaluations\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>detection.header searches</strong>: fast pattern searches in header buffer\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.slow searches</strong>: non-fast pattern rule evaluations\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>detection.total alerts</strong>: alerts including IP reputation\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>latency.packet_timeouts</strong>: packets that timed out\r
+<strong>latency.max usecs</strong>: maximum usecs elapsed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>latency.rule_eval_timeouts</strong>: rule evals that timed out\r
+<strong>latency.packet timeouts</strong>: packets that timed out\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>latency.rule_tree_enables</strong>: rule tree re-enables\r
+<strong>latency.rule eval timeouts</strong>: rule evals that timed out\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>latency.total_packets</strong>: total packets monitored\r
+<strong>latency.rule tree enables</strong>: rule tree re-enables\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>latency.total_rule_evals</strong>: total rule evals monitored\r
+<strong>latency.total packets</strong>: total packets monitored\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>latency.total rule evals</strong>: total rule evals monitored\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>latency.total usecs</strong>: total usecs elapsed\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.file memcap prunes</strong>: file sessions pruned due to memcap\r
+<strong>stream.file ha prunes</strong>: file sessions pruned by high availability sync\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.file preemptive prunes</strong>: file sessions pruned during preemptive pruning\r
+<strong>stream.file idle prunes</strong>: file sessions pruned due to timeout\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.file timeout prunes</strong>: file sessions pruned due to timeout\r
+<strong>stream.file memcap prunes</strong>: file sessions pruned due to memcap\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.file total prunes</strong>: total file sessions pruned\r
+<strong>stream.file preemptive prunes</strong>: file sessions pruned during preemptive pruning\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.file uni prunes</strong>: file uni sessions pruned\r
+<strong>stream.file total prunes</strong>: total file sessions pruned\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.file user prunes</strong>: file sessions pruned for other reasons\r
+<strong>stream.file uni prunes</strong>: file uni sessions pruned\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>stream.icmp ha prunes</strong>: icmp sessions pruned by high availability sync\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.icmp idle prunes</strong>: icmp sessions pruned due to timeout\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>stream_icmp.max</strong>: max icmp sessions\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp timeout prunes</strong>: icmp sessions pruned due to timeout\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>stream_icmp.timeouts</strong>: icmp session timeouts\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp user prunes</strong>: icmp sessions pruned for other reasons\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>stream_ip.alerts</strong>: alerts generated\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.current</strong>: current fragments\r
+<strong>stream_ip.current frags</strong>: current fragments\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>stream.ip ha prunes</strong>: ip sessions pruned by high availability sync\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.ip idle prunes</strong>: ip sessions pruned due to timeout\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>stream_ip.max frags</strong>: max fragments\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip timeout prunes</strong>: ip sessions pruned due to timeout\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>stream_ip.timeouts</strong>: ip session timeouts\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip total prunes</strong>: total ip sessions pruned\r
+<strong>stream_ip.total frags</strong>: total fragments\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.total</strong>: total fragments\r
+<strong>stream.ip total prunes</strong>: total ip sessions pruned\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip user prunes</strong>: ip sessions pruned for other reasons\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>stream_tcp.3way trackers</strong>: tcp session tracking started on ack\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>stream.tcp ha prunes</strong>: tcp sessions pruned by high availability sync\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.tcp idle prunes</strong>: tcp sessions pruned due to timeout\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>stream_tcp.ignored</strong>: tcp packets ignored\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp timeout prunes</strong>: tcp sessions pruned due to timeout\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>stream_tcp.timeouts</strong>: tcp session timeouts\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp user prunes</strong>: tcp sessions pruned for other reasons\r
+<strong>stream_udp.created</strong>: udp session trackers created\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_udp.created</strong>: udp session trackers created\r
+<strong>stream.udp excess prunes</strong>: udp sessions pruned due to excess\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp excess prunes</strong>: udp sessions pruned due to excess\r
+<strong>stream.udp flows</strong>: total udp sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp flows</strong>: total udp sessions\r
+<strong>stream.udp ha prunes</strong>: udp sessions pruned by high availability sync\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.udp idle prunes</strong>: udp sessions pruned due to timeout\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp timeout prunes</strong>: udp sessions pruned due to timeout\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>stream_udp.timeouts</strong>: udp session timeouts\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp user prunes</strong>: udp sessions pruned for other reasons\r
+<strong>stream.user excess prunes</strong>: user sessions pruned due to excess\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user excess prunes</strong>: user sessions pruned due to excess\r
+<strong>stream.user flows</strong>: total user sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user flows</strong>: total user sessions\r
+<strong>stream.user ha prunes</strong>: user sessions pruned by high availability sync\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user memcap prunes</strong>: user sessions pruned due to memcap\r
+<strong>stream.user idle prunes</strong>: user sessions pruned due to timeout\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user preemptive prunes</strong>: user sessions pruned during preemptive pruning\r
+<strong>stream.user memcap prunes</strong>: user sessions pruned due to memcap\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user timeout prunes</strong>: user sessions pruned due to timeout\r
+<strong>stream.user preemptive prunes</strong>: user sessions pruned during preemptive pruning\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user user prunes</strong>: user sessions pruned for other reasons\r
+<strong>tcp.bad checksum (ip4)</strong>: nonzero tcp over ip checksums\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>tcp.bad checksum (ip4)</strong>: nonzero tcp over ip checksums\r
+<strong>tcp.bad checksum (ip6)</strong>: nonzero tcp over ipv6 checksums\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>tcp.bad checksum (ip6)</strong>: nonzero tcp over ipv6 checksums\r
+<strong>tcp_connector.messages</strong>: total messages\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>116</strong>: ciscometadata\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>116</strong>: decode\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>133</strong>: dce_udp\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>134</strong>: latency\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>116:468</strong> (decode) too many protocols present\r
+<strong>116:468</strong> (ciscometadata) truncated Cisco Metadata header\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>116:469</strong> (ciscometadata) invalid Cisco Metadata option length\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>116:470</strong> (ciscometadata) invalid Cisco Metadata option type\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>116:471</strong> (ciscometadata) invalid Cisco Metadata SGT\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>116:472</strong> (decode) too many protocols present\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>119:66</strong> (http_inspect) White space within header name\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>119:67</strong> (http_inspect) Excessive gzip compression\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>119:76</strong> (http_inspect) Unsupported Transfer-Encoding or Content-Encoding used\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>119:77</strong> (http_inspect) Unknown Transfer-Encoding or Content-Encoding used\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>119:78</strong> (http_inspect) Multiple layers of compression encodings applied\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>122:1</strong> (port_scan) TCP portscan\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>133:40</strong> (dce_udp) Connection-less DCE/RPC - Invalid major version.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>133:41</strong> (dce_udp) Connection-less DCE/RPC - Invalid pdu type.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>133:42</strong> (dce_udp) Connection-less DCE/RPC - Data length less than header size.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>133:43</strong> (dce_udp) Connection-less DCE/RPC - Bad sequence number.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>133:44</strong> (dce_smb) SMB - Invalid SMB version 1 seen.\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>133:58</strong> (dce_smb) SMB - File offset provided is greater than file size specified\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>133:59</strong> (dce_smb) SMB - Next command specified in SMB2 header is beyond payload boundary\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>134:1</strong> (latency) rule tree suspended due to latency\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>ciscometadata</strong> (codec): support for cisco metadata\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>classifications</strong> (basic): define rule categories with priority\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>dce_udp</strong> (inspector): dce over udp inspection\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>decode</strong> (basic): general decoder rules\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>tcp_connector</strong> (connector): implement the tcp stream connector\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>telnet</strong> (inspector): telnet inspection and normalization\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>codec::ciscometadata</strong>: support for cisco metadata\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>codec::erspan2</strong>: support for encapsulated remote switched port analyzer - type 2\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>connector::tcp_connector</strong>: implement the tcp stream connector\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>inspector::appid</strong>: application and service identification\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>inspector::dce_udp</strong>: dce over udp inspection\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>inspector::dnp3</strong>: dnp3 inspection\r
</p>\r
</li>\r
<div id="footnotes"><hr /></div>\r
<div id="footer">\r
<div id="footer-text">\r
-Last updated 2016-08-11 02:38:58 EDT\r
+Last updated 2016-11-03 23:18:47 EDT\r
</div>\r
</div>\r
</body>\r
Snorty
,,_ -*> Snort++ <*-
-o" )~ Version 3.0.0-a4 (Build 213) from 2.9.7-262
+o" )~ Version 3.0.0-a4 (Build 217) from 2.9.7-262
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.
Peg counts:
* detection.analyzed: packets sent to detection
- * detection.slow searches: non-fast pattern rule evaluations
+ * detection.hard evals: non-fast pattern rule evaluations
* detection.raw searches: fast pattern searches in raw packet data
* detection.cooked searches: fast pattern searches in cooked packet
data
thresholding (usec) { 0: }
* bool latency.packet.fastpath = false: fastpath expensive packets
(max_time exceeded)
- * enum latency.packet.action = alert_and_log: event action if
- packet times out and is fastpathed { none | alert | log |
- alert_and_log }
+ * enum latency.packet.action = none: event action if packet times
+ out and is fastpathed { none | alert | log | alert_and_log }
* int latency.rule.max_time = 500: set timeout for rule evaluation
(usec) { 0: }
* bool latency.rule.suspend = false: temporarily suspend expensive
of timeouts before suspending a rule { 1: }
* int latency.rule.max_suspend_time = 30000: set max time for
suspending a rule (ms, 0 means permanently disable rule) { 0: }
- * enum latency.rule.action = alert_and_log: event action for rule
- latency enable and suspend events { none | alert | log |
- alert_and_log }
+ * enum latency.rule.action = none: event action for rule latency
+ enable and suspend events { none | alert | log | alert_and_log }
Rules:
* int rate_filter[].count = 1: number of events in interval before
tripping { 0: }
* int rate_filter[].seconds = 1: count interval { 0: }
- * select rate_filter[].new_action = alert: take this action on
- future hits until timeout { alert | drop | log | pass | | reject
- | sdrop }
+ * enum rate_filter[].new_action = alert: take this action on future
+ hits until timeout { log | pass | alert | drop | block | reset }
* int rate_filter[].timeout = 1: count interval { 0: }
* string rate_filter[].apply_to: restrict filter to these addresses
according to track
prints uncompiled rule group information
* bool search_engine.debug_print_rule_groups_compiled = false:
prints compiled rule group information
- * bool search_engine.debug_print_fast_pattern = false: print fast
- pattern info for each rule
* int search_engine.max_pattern_len = 0: truncate patterns when
compiling into state machine (0 means no maximum) { 0: }
* int search_engine.max_queue_events = 5: maximum number of
* dynamic search_engine.search_method = ac_bnfa: set fast pattern
algorithm - choose available search engine { ac_banded | ac_bnfa
| ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan }
- * bool search_engine.split_any_any = false: evaluate any-any rules
- separately to save memory
* bool search_engine.search_optimize = true: tweak state machine
construction for better performance
+ * bool search_engine.show_fast_patterns = false: print fast pattern
+ info for each rule
+ * bool search_engine.split_any_any = false: evaluate any-any rules
+ separately to save memory
Peg counts:
* string appid.conf: RNA configuration file
* int appid.memcap = 268435456: time period for collecting and
logging AppId statistics { 1048576:3221225472 }
- * string appid.app_stats_filename: Filename for logging AppId
- statistics
+ * bool appid.log_stats = false: enable logging of AppId statistics
* int appid.app_stats_period = 300: time period for collecting and
logging AppId statistics { 0: }
* int appid.app_stats_rollover_size = 20971520: max file size for
information
* string appid.thirdparty_appid_dir: directory to load thirdparty
AppId detectors from
+ * addr appid.session_log_filter.src_ip = 0.0.0.0/32: source ip
+ address in CIDR format
+ * addr appid.session_log_filter.dst_ip = 0.0.0.0/32: destination ip
+ address in CIDR format
+ * port appid.session_log_filter.src_port: source port { 1: }
+ * port appid.session_log_filter.dst_port: destination port { 1: }
+ * string appid.session_log_filter.protocol: ip protocol
+ * bool appid.session_log_filter.log_all_sessions = false: enable
+ logging for all appid sessions
Peg counts:
inspector
* appid.ignored packets: count of packets ignored by appid
inspector
+ * appid.aim_clients: count of aim clients discovered by appid
* appid.battlefield_flows: count of battle field flows discovered
by appid
* appid.bgp_flows: count of bgp flows discovered by appid
* appid.bit_flows: count of bittorrent flows discovered by appid
* appid.bittracker_clients: count of bittorrent tracker clients
discovered by appid
+ * appid.bootp_flows: count of bootp flows discovered by appid
* appid.dcerpc_tcp_flows: count of dce rpc flows over tcp
discovered by appid
* appid.dcerpc_udp_flows: count of dce rpc flows over udp
discovered by appid
+ * appid.direct_connect_flows: count of direct connect flows
+ discovered by appid
* appid.dns_tcp_flows: count of dns flows over tcp discovered by
appid
* appid.dns_udp_flows: count of dns flows over udp discovered by
appid
* appid.ftp_flows: count of ftp flows discovered by appid
* appid.ftps_flows: count of ftps flows discovered by appid
+ * appid.http_flows: count of http flows discovered by appid
* appid.imap_flows: count of imap service flows discovered by appid
* appid.imaps_flows: count of imap TLS service flows discovered by
appid
* appid.kerberos_users: count of kerberos users discovered by appid
* appid.lpr_flows: count of lpr service flows discovered by appid
* appid.mdns_flows: count of mdns service flows discovered by appid
+ * appid.msn_clients: count of msn clients discovered by appid
* appid.mysql_flows: count of mysql service flows discovered by
appid
- * appid.netbios_flows: count of netbios service flows discovered by
- appid
+ * appid.netbios_dgm_flows: count of netbios-dgm service flows
+ discovered by appid
+ * appid.netbios_ns_flows: count of netbios-ns service flows
+ discovered by appid
+ * appid.netbios_ssn_flows: count of netbios-ssn service flows
+ discovered by appid
+ * appid.nntp_flows: count of nntp flows discovered by appid
+ * appid.ntp_flows: count of ntp flows discovered by appid
* appid.pop_flows: count of pop service flows discovered by appid
+ * appid.radius_flows: count of radius flows discovered by appid
+ * appid.rexec_flows: count of rexec flows discovered by appid
+ * appid.rfb_flows: count of rfb flows discovered by appid
+ * appid.rlogin_flows: count of rlogin flows discovered by appid
+ * appid.rpc_flows: count of rpc flows discovered by appid
+ * appid.rshell_flows: count of rshell flows discovered by appid
* appid.rsync_flows: count of rsync service flows discovered by
appid
+ * appid.rtmp_flows: count of rtmp flows discovered by appid
+ * appid.rtp_clients: count of rtp clients discovered by appid
+ * appid.sip_clients: count of SIP clients discovered by appid
+ * appid.sip_flows: count of SIP flows discovered by appid
* appid.smtp_aol_clients: count of AOL smtp clients discovered by
appid
* appid.smtp_applemail_clients: count of Apple Mail smtp clients
discovered by appid
* appid.smtp_flows: count of smtp flows discovered by appid
* appid.smtps_flows: count of smtps flows discovered by appid
+ * appid.snmp_flows: count of snmp flows discovered by appid
* appid.ssh_clients: count of ssh clients discovered by appid
* appid.ssh_flows: count of ssh flows discovered by appid
* appid.ssl_flows: count of ssl flows discovered by appid
* appid.telnet_flows: count of telnet flows discovered by appid
+ * appid.tftp_flows: count of tftp flows discovered by appid
* appid.timbuktu_flows: count of timbuktu flows discovered by appid
+ * appid.tns_clients: count of tns clients discovered by appid
+ * appid.tns_flows: count of tns flows discovered by appid
+ * appid.vnc_clients: count of vnc clients discovered by appid
+ * appid.yahoo_messenger_clients: count of Yahoo Messenger clients
+ discovered by appid
5.2. arp_spoof
commands
* string ftp_server.data_chan_cmds: check the formatting of the
given commands
+ * string ftp_server.data_rest_cmds: check the formatting of the
+ given commands
* string ftp_server.data_xfer_cmds: check the formatting of the
given commands
* string ftp_server.directory_cmds[].dir_cmd: directory command
URI
* 119:64 (http_inspect) HTTP chunk misformatted
* 119:65 (http_inspect) White space following chunk length
+ * 119:66 (http_inspect) White space within header name
* 119:67 (http_inspect) Excessive gzip compression
* 119:68 (http_inspect) Gzip decompression failed
* 119:69 (http_inspect) HTTP 0.9 requested followed by another
| linux | bsd | bsd_right | last | windows | solaris }
* int stream_ip.session_timeout = 30: session tracking timeout {
1:86400 }
+ * int stream_ip.trace: mask for enabling debug traces in module
Rules:
* Use FIXIT (not FIXTHIS or TODO or whatever) to mark things left
for a day or even just a minute. That way we can find them easily
and won’t lose track of them.
- * Presently using FIXIT-X where X = P | H | M | L, indicating perf,
- high, med, or low priority. For now, H, M, or L can indicate
- alpha 1, 2, or 3. Perf changes fall between alpha 1 and 2.
+ * Presently using FIXIT-X where X = A | W | P | H | M | L,
+ indicating analysis, warning, perf, high, med, or low priority.
+ Place A and W comments on the exact warning line so we can match
+ up comments and build output. Supporting comments can be added
+ above.
* Put the copyright(s) and license in a comment block at the top of
each source file (.h and .cc). Don’t bother with trivial scripts
and make foo. Some interesting Lua code should get a comment
// based on work by Ryan Jordan
* Each header should have a comment immediately after the header
- guard to give an overview of the file so the user knows what’s
+ guard to give an overview of the file so the reader knows what’s
going on.
cons | ndelay | perror | pid }
* string appid.app_detector_dir: directory to load AppId detectors
from
- * string appid.app_stats_filename: Filename for logging AppId
- statistics
* int appid.app_stats_period = 300: time period for collecting and
logging AppId statistics { 0: }
* int appid.app_stats_rollover_size = 20971520: max file size for
information
* int appid.instance_id = 0: instance id - need more details for
what this is { 0: }
+ * bool appid.log_stats = false: enable logging of AppId statistics
* int appid.memcap = 268435456: time period for collecting and
logging AppId statistics { 1048576:3221225472 }
* string appids.~: appid option
+ * addr appid.session_log_filter.dst_ip = 0.0.0.0/32: destination ip
+ address in CIDR format
+ * port appid.session_log_filter.dst_port: destination port { 1: }
+ * bool appid.session_log_filter.log_all_sessions = false: enable
+ logging for all appid sessions
+ * string appid.session_log_filter.protocol: ip protocol
+ * addr appid.session_log_filter.src_ip = 0.0.0.0/32: source ip
+ address in CIDR format
+ * port appid.session_log_filter.src_port: source port { 1: }
* string appid.thirdparty_appid_dir: directory to load thirdparty
AppId detectors from
* ip4 arp_spoof.hosts[].ip: host ip address
maximum for command { 0: }
* string ftp_server.data_chan_cmds: check the formatting of the
given commands
+ * string ftp_server.data_rest_cmds: check the formatting of the
+ given commands
* string ftp_server.data_xfer_cmds: check the formatting of the
given commands
* int ftp_server.def_max_param_len = 100: default maximum length of
buffer
* string itype.~range: check if icmp type is type | min<>max | <max
| >min
- * enum latency.packet.action = alert_and_log: event action if
- packet times out and is fastpathed { none | alert | log |
- alert_and_log }
+ * enum latency.packet.action = none: event action if packet times
+ out and is fastpathed { none | alert | log | alert_and_log }
* bool latency.packet.fastpath = false: fastpath expensive packets
(max_time exceeded)
* int latency.packet.max_time = 500: set timeout for packet latency
thresholding (usec) { 0: }
- * enum latency.rule.action = alert_and_log: event action for rule
- latency enable and suspend events { none | alert | log |
- alert_and_log }
+ * enum latency.rule.action = none: event action for rule latency
+ enable and suspend events { none | alert | log | alert_and_log }
* int latency.rule.max_suspend_time = 30000: set max time for
suspending a rule (ms, 0 means permanently disable rule) { 0: }
* int latency.rule.max_time = 500: set timeout for rule evaluation
* int rate_filter[].count = 1: number of events in interval before
tripping { 0: }
* int rate_filter[].gid = 1: rule generator ID { 0: }
- * select rate_filter[].new_action = alert: take this action on
- future hits until timeout { alert | drop | log | pass | | reject
- | sdrop }
+ * enum rate_filter[].new_action = alert: take this action on future
+ hits until timeout { log | pass | alert | drop | block | reset }
* int rate_filter[].seconds = 1: count interval { 0: }
* int rate_filter[].sid = 1: rule signature ID { 0: }
* int rate_filter[].timeout = 1: count interval { 0: }
* bool search_engine.bleedover_warnings_enabled = false: print
warning if a rule is demoted to any-any port group
* bool search_engine.debug = false: print verbose fast pattern info
- * bool search_engine.debug_print_fast_pattern = false: print fast
- pattern info for each rule
* bool search_engine.debug_print_nocontent_rule_tests = false:
print rule group info during packet evaluation
* bool search_engine.debug_print_rule_group_build_details = false:
| ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan }
* bool search_engine.search_optimize = true: tweak state machine
construction for better performance
+ * bool search_engine.show_fast_patterns = false: print fast pattern
+ info for each rule
* bool search_engine.split_any_any = false: evaluate any-any rules
separately to save memory
* string seq.~range: check if tcp sequence number value is value |
| linux | bsd | bsd_right | last | windows | solaris }
* int stream_ip.session_timeout = 30: session tracking timeout {
1:86400 }
+ * int stream_ip.trace: mask for enabling debug traces in module
* enum stream_reassemble.action: stop or start stream reassembly {
disable|enable }
* enum stream_reassemble.direction: action applies to the given
--------------
+ * appid.aim_clients: count of aim clients discovered by appid
* appid.battlefield_flows: count of battle field flows discovered
by appid
* appid.bgp_flows: count of bgp flows discovered by appid
* appid.bit_flows: count of bittorrent flows discovered by appid
* appid.bittracker_clients: count of bittorrent tracker clients
discovered by appid
+ * appid.bootp_flows: count of bootp flows discovered by appid
* appid.dcerpc_tcp_flows: count of dce rpc flows over tcp
discovered by appid
* appid.dcerpc_udp_flows: count of dce rpc flows over udp
discovered by appid
+ * appid.direct_connect_flows: count of direct connect flows
+ discovered by appid
* appid.dns_tcp_flows: count of dns flows over tcp discovered by
appid
* appid.dns_udp_flows: count of dns flows over udp discovered by
appid
* appid.ftp_flows: count of ftp flows discovered by appid
* appid.ftps_flows: count of ftps flows discovered by appid
+ * appid.http_flows: count of http flows discovered by appid
* appid.ignored packets: count of packets ignored by appid
inspector
* appid.imap_flows: count of imap service flows discovered by appid
* appid.kerberos_users: count of kerberos users discovered by appid
* appid.lpr_flows: count of lpr service flows discovered by appid
* appid.mdns_flows: count of mdns service flows discovered by appid
+ * appid.msn_clients: count of msn clients discovered by appid
* appid.mysql_flows: count of mysql service flows discovered by
appid
- * appid.netbios_flows: count of netbios service flows discovered by
- appid
+ * appid.netbios_dgm_flows: count of netbios-dgm service flows
+ discovered by appid
+ * appid.netbios_ns_flows: count of netbios-ns service flows
+ discovered by appid
+ * appid.netbios_ssn_flows: count of netbios-ssn service flows
+ discovered by appid
+ * appid.nntp_flows: count of nntp flows discovered by appid
+ * appid.ntp_flows: count of ntp flows discovered by appid
* appid.packets: count of packets received by appid inspector
* appid.pop_flows: count of pop service flows discovered by appid
* appid.processed packets: count of packets processed by appid
inspector
+ * appid.radius_flows: count of radius flows discovered by appid
+ * appid.rexec_flows: count of rexec flows discovered by appid
+ * appid.rfb_flows: count of rfb flows discovered by appid
+ * appid.rlogin_flows: count of rlogin flows discovered by appid
+ * appid.rpc_flows: count of rpc flows discovered by appid
+ * appid.rshell_flows: count of rshell flows discovered by appid
* appid.rsync_flows: count of rsync service flows discovered by
appid
+ * appid.rtmp_flows: count of rtmp flows discovered by appid
+ * appid.rtp_clients: count of rtp clients discovered by appid
+ * appid.sip_clients: count of SIP clients discovered by appid
+ * appid.sip_flows: count of SIP flows discovered by appid
* appid.smtp_aol_clients: count of AOL smtp clients discovered by
appid
* appid.smtp_applemail_clients: count of Apple Mail smtp clients
* appid.smtps_flows: count of smtps flows discovered by appid
* appid.smtp_thunderbird_clients: count of Thunderbird smtp clients
discovered by appid
+ * appid.snmp_flows: count of snmp flows discovered by appid
* appid.ssh_clients: count of ssh clients discovered by appid
* appid.ssh_flows: count of ssh flows discovered by appid
* appid.ssl_flows: count of ssl flows discovered by appid
* appid.telnet_flows: count of telnet flows discovered by appid
+ * appid.tftp_flows: count of tftp flows discovered by appid
* appid.timbuktu_flows: count of timbuktu flows discovered by appid
+ * appid.tns_clients: count of tns clients discovered by appid
+ * appid.tns_flows: count of tns flows discovered by appid
+ * appid.vnc_clients: count of vnc clients discovered by appid
+ * appid.yahoo_messenger_clients: count of Yahoo Messenger clients
+ discovered by appid
* arp_spoof.packets: total packets
* back_orifice.packets: total packets
* binder.allows: allow bindings
data
* detection.event limit: events filtered
* detection.file searches: fast pattern searches in file buffer
+ * detection.hard evals: non-fast pattern rule evaluations
* detection.header searches: fast pattern searches in header buffer
* detection.key searches: fast pattern searches in key buffer
* detection.logged: logged packets
* detection.pkt searches: fast pattern searches in packet data
* detection.queue limit: events not queued because queue full
* detection.raw searches: fast pattern searches in raw packet data
- * detection.slow searches: non-fast pattern rule evaluations
* detection.total alerts: alerts including IP reputation
* dnp3.dnp3 application pdus: total dnp3 application pdus
* dnp3.dnp3 link layer frames: total dnp3 link layer frames
URI
* 119:64 (http_inspect) HTTP chunk misformatted
* 119:65 (http_inspect) White space following chunk length
+ * 119:66 (http_inspect) White space within header name
* 119:67 (http_inspect) Excessive gzip compression
* 119:68 (http_inspect) Gzip decompression failed
* 119:69 (http_inspect) HTTP 0.9 requested followed by another
projects / thirdparty / snort3.git / commitdiff
