-- use with -c snort.lua --tweaks balanced
---------------------------------------------------------------------------
+arp_spoof = nil
+
http_inspect.request_depth = 300
http_inspect.response_depth = 500
-normalizer.tcp =
-{
- ips = false,
- rsv = false,
- pad = false,
- req_urg = false,
- req_pay = false,
- req_urp = false,
- block = false,
-}
-
port_scan = nil
+stream_ip.min_frag_length = 16
+
-- use with -c snort.lua --tweaks connectivity
---------------------------------------------------------------------------
+arp_spoof = nil
+
http_inspect.request_depth = 300
http_inspect.response_depth = 500
http_inspect.unzip = false
http_inspect.utf8 = false
-normalizer.tcp =
-{
- ips = false,
- rsv = false,
- pad = false,
- req_urg = false,
- req_pay = false,
- req_urp = false,
- block = false,
-}
-
port_scan = nil
+stream_ip.min_frag_length = 16
+
},
}
-normalizer = { tcp = { ips = true } }
-
-- use with -c snort.lua --tweaks max_detect
---------------------------------------------------------------------------
+arp_spoof = nil
+
ftp_server.check_encrypted = true
+detection =
+{
+ pcre_match_limit = 3500,
+ pcre_match_limit_recursion = 3500
+}
+
http_inspect.detained_inspection = true
http_inspect.decompress_pdf = true
http_inspect.decompress_swf = true
smtp.decompress_swf = true
smtp.decompress_zip = true
+stream_ip.min_frag_length = 100
+
stream_tcp.require_3whs = 0
stream_tcp.small_segments =
-- use with -c snort.lua --tweaks security
---------------------------------------------------------------------------
+arp_spoof = nil
+
ftp_server.check_encrypted = true
+detection =
+{
+ pcre_match_limit = 3500,
+ pcre_match_limit_recursion = 3500
+}
+
http_inspect.decompress_pdf = true
http_inspect.decompress_swf = true
http_inspect.decompress_zip = true
smtp.decompress_swf = true
smtp.decompress_zip = true
+stream_ip.min_frag_length = 100
+
stream_tcp.require_3whs = 180
stream_tcp.small_segments =
{ command = 'PORT', length = 400, format = '< host_port >' },
{ command = 'PROT', format = '< char CSEP >' },
{ command = 'STRU', format = '< char FRPO [ string ] >' },
- { command = 'TYPE',
- format = '< { char AE [ char NTC ] | char I | char L [ number ] } >' }
+ { command = 'TYPE', format = '< { char AE [ char NTC ] | char I | char L [ number ] } >' }
}
default_ftp_server =
smtp_default_normalize_cmds =
[[
- RCPT VRFY EXPN
+ ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN
+ HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML STARTTLS
+ TICK TIME TURN TURNME VERB VRFY X-ADAT XADR XAUTH XCIR X-DRCP X-ERCP XEXCH50
+ X-EXCH50 X-EXPS XGEN XLICENSE X-LINK2STATE XQUE XSTA XTRN XUSR
]]
-smtp_default_valid_cmds =
-[[
- ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN HELO
- HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SIZE SOML
- STARTTLS TICK TIME TURN TURNME VERB VRFY X-EXPS X-LINK2STATE XADR XAUTH
- XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR
-]]
+smtp_default_valid_cmds = smtp_default_normalize_cmds
+
+smtp_default_alt_max_command_lines =
+{
+ { command = 'ATRN', length = 255, },
+ { command = 'AUTH', length = 246, },
+ { command = 'BDAT', length = 255, },
+ { command = 'DATA', length = 246, },
+ { command = 'DEBUG', length = 255, },
+ { command = 'EHLO', length = 500, },
+ { command = 'EMAL', length = 255, },
+ { command = 'ESAM', length = 255, },
+ { command = 'ESND', length = 255, },
+ { command = 'ESOM', length = 255, },
+ { command = 'ETRN', length = 500, },
+ { command = 'EVFY', length = 255, },
+ { command = 'EXPN', length = 255, },
+ { command = 'HELO', length = 500, },
+ { command = 'HELP', length = 500, },
+ { command = 'IDENT', length = 255, },
+ { command = 'MAIL', length = 260, },
+ { command = 'NOOP', length = 255, },
+ { command = 'ONEX', length = 246, },
+ { command = 'QUEU', length = 246, },
+ { command = 'QUIT', length = 246, },
+ { command = 'RCPT', length = 300, },
+ { command = 'RSET', length = 255, },
+ { command = 'SAML', length = 246, },
+ { command = 'SEND', length = 246, },
+ { command = 'SIZE', length = 255, },
+ { command = 'SOML', length = 246, },
+ { command = 'STARTTLS', length = 246, },
+ { command = 'TICK', length = 246, },
+ { command = 'TIME', length = 246, },
+ { command = 'TURN', length = 246, },
+ { command = 'TURNME', length = 246, },
+ { command = 'VERB', length = 246, },
+ { command = 'VRFY', length = 255, },
+ { command = 'XADR', length = 246, },
+ { command = 'XAUTH', length = 246, },
+ { command = 'XCIR', length = 246, },
+ { command = 'XEXCH50', length = 246, },
+ { command = 'X-EXPS', length = 246, },
+ { command = 'XGEN', length = 246, },
+ { command = 'XLICENSE', length = 246, },
+ { command = 'X-LINK2STATE', length = 246, },
+ { command = 'XQUE', length = 246, },
+ { command = 'XSTA', length = 246, },
+ { command = 'XTRN', length = 246, },
+ { command = 'XUSR', length = 246, }
+}
default_smtp =
{
-- params not specified here get internal defaults
+ alt_max_command_line_len = default_smtp_alt_max_command_lines,
auth_cmds = smtp_default_auth_cmds,
binary_data_cmds = smtp_default_binary_data_cmds,
data_cmds = smtp_default_data_cmds,
case tcp::TcpOptCode::MAXSEG:
code = validate_option(opt, end_ptr, TCPOLEN_MAXSEG);
+ if (code == 0)
+ snort.decode_flags |= DECODE_TCP_MSS;
break;
case tcp::TcpOptCode::SACKOK:
/* LOG INVALID WINDOWSCALE alert */
codec_event(codec, DECODE_TCPOPT_WSCALE_INVALID);
}
- snort.decode_flags |= DECODE_WSCALE;
+ snort.decode_flags |= DECODE_TCP_WS;
}
break;
case tcp::TcpOptCode::TIMESTAMP:
code = validate_option(opt, end_ptr, TCPOLEN_TIMESTAMP);
+ if (code == 0)
+ snort.decode_flags |= DECODE_TCP_TS;
break;
case tcp::TcpOptCode::SKEETER:
// guessing direction based on ports is misleading
return false;
- if ( !p->ptrs.tcph->is_syn_only() or SnortConfig::get_conf()->track_on_syn() or
- (p->ptrs.decode_flags & DECODE_WSCALE) )
+ if ( !p->ptrs.tcph->is_syn_only() or SnortConfig::get_conf()->track_on_syn() )
+ return true;
+
+ const unsigned DECODE_TCP_HS = DECODE_TCP_MSS | DECODE_TCP_TS | DECODE_TCP_WS;
+
+ if ( (p->ptrs.decode_flags & DECODE_TCP_HS) or p->dsize )
return true;
p->packet_flags |= PKT_FROM_CLIENT;
DECODE_EOF = 0x0400, // user - end of flow
DECODE_GTP = 0x0800,
- DECODE_WSCALE = 0x1000,
+ DECODE_TCP_MSS = 0x1000,
+ DECODE_TCP_TS = 0x2000,
+ DECODE_TCP_WS = 0x4000,
};
struct DecodeData
{
#ifdef HAVE_HYPERSCAN
HyperSearch::cleanup(h);
+#else
+ UNUSED(h);
#endif
}
struct PcreStats
{
PegCount pcre_rules;
+#ifdef HAVE_HYPERSCAN
PegCount pcre_to_hyper;
+#endif
PegCount pcre_native;
PegCount pcre_negated;
};
const PegInfo pcre_pegs[] =
{
{ CountType::SUM, "pcre_rules", "total rules processed with pcre option" },
+#ifdef HAVE_HYPERSCAN
{ CountType::SUM, "pcre_to_hyper", "total pcre rules by hyperscan engine" },
+#endif
{ CountType::SUM, "pcre_native", "total pcre rules compiled by pcre engine" },
{ CountType::SUM, "pcre_negated", "total pcre rules using negation syntax" },
{ CountType::END, nullptr, nullptr }
delete scratcher;
}
+#ifdef HAVE_HYPERSCAN
bool begin(const char*, int, SnortConfig*) override;
+#endif
bool set(const char*, Value&, SnortConfig*) override;
bool end(const char*, int, SnortConfig*) override;
Usage get_usage() const override
{ return DETECT; }
- void get_mod_regex_instance(const char* name, int v, SnortConfig* sc);
Module* get_mod_regex() const
{ return mod_regex; }
PegCount* PcreModule::get_counts() const
{ return (PegCount*)&pcre_stats; }
-void PcreModule::get_mod_regex_instance(const char* name, int v, SnortConfig* sc)
+#ifdef HAVE_HYPERSCAN
+bool PcreModule::begin(const char* name, int v, SnortConfig* sc)
{
if ( sc->pcre_to_regex )
{
if( mod_regex )
mod_regex = mod_regex->begin(name, v, sc) ? mod_regex : nullptr;
}
-}
-
-bool PcreModule::begin(const char* name, int v, SnortConfig* sc)
-{
- get_mod_regex_instance(name, v, sc);
return true;
}
+#endif
bool PcreModule::set(const char* name, Value& v, SnortConfig* sc)
{
pcre_stats.pcre_rules++;
PcreModule* m = (PcreModule*)p;
+#ifdef HAVE_HYPERSCAN
Module* mod_regex = m->get_mod_regex();
if ( mod_regex )
{
return opt_api->ctor(mod_regex, otn);
}
else
+#else
+ UNUSED(otn);
+#endif
{
pcre_stats.pcre_native++;
PcreData* d = m->get_data();
{ "pcre_override", Parameter::PT_BOOL, nullptr, "true",
"enable pcre match limit overrides when pattern matching (ie ignore /O)" },
+#ifdef HAVE_HYPERSCAN
{ "pcre_to_regex", Parameter::PT_BOOL, nullptr, "false",
- "disable pcre pattern matching" },
+ "enable the use of regex instead of pcre for compatible expressions" },
+#endif
{ "enable_address_anomaly_checks", Parameter::PT_BOOL, nullptr, "false",
"enable check and alerting of address anomalies" },
else if ( v.is("pcre_override") )
sc->pcre_override = v.get_bool();
-
+
+#ifdef HAVE_HYPERSCAN
else if ( v.is("pcre_to_regex") )
sc->pcre_to_regex = v.get_bool();
+#endif
else if ( v.is("enable_address_anomaly_checks") )
sc->address_anomaly_check_enabled = v.get_bool();
#ifdef HAVE_HYPERSCAN
bool hyperscan_literals = false;
+ bool pcre_to_regex = false;
#endif
bool global_rule_state = false;
bool global_default_rule_state = true;
- bool pcre_to_regex = false;
//------------------------------------------------------
// process stuff
DceContextData* DceContextData::get_current_data(const Packet* p)
{
- IpsContext* context = p ? p->context : nullptr;
+ assert(p);
+
+ if ( !p->flow )
+ return nullptr;
+
unsigned ips_id = get_ips_id(get_dce2_trans_type(p));
if ( !ips_id )
return nullptr;
- DceContextData* dcd = (DceContextData*)DetectionEngine::get_data(ips_id, context);
+ DceContextData* dcd = (DceContextData*)DetectionEngine::get_data(ips_id, p->context);
if ( !dcd )
return nullptr;
{ "max_auth_command_line_len", Parameter::PT_INT, "0:65535", "1000",
"max auth command Line Length" },
- { "max_command_line_len", Parameter::PT_INT, "0:65535", "0",
+ { "max_command_line_len", Parameter::PT_INT, "0:65535", "512",
"max Command Line Length" },
- { "max_header_line_len", Parameter::PT_INT, "0:65535", "0",
+ { "max_header_line_len", Parameter::PT_INT, "0:65535", "1000",
"max SMTP DATA header line" },
- { "max_response_line_len", Parameter::PT_INT, "0:65535", "0",
+ { "max_response_line_len", Parameter::PT_INT, "0:65535", "512",
"max SMTP response line" },
{ "normalize", Parameter::PT_ENUM, "none | cmds | all", "none",
uint32_t TcpNormalizer::get_tcp_timestamp(
TcpNormalizerState& tns, TcpSegmentDescriptor& tsd, bool strip)
{
- tcp::TcpOptIterator iter(tsd.get_tcph(), tsd.get_pkt() );
-
- // using const because non-const is not supported
- for ( const tcp::TcpOption& opt : iter )
+ if ( tsd.get_pkt()->ptrs.decode_flags & DECODE_TCP_TS )
{
- if ( opt.code == tcp::TcpOptCode::TIMESTAMP )
+ tcp::TcpOptIterator iter(tsd.get_tcph(), tsd.get_pkt() );
+
+ // using const because non-const is not supported
+ for ( const tcp::TcpOption& opt : iter )
{
- bool stripped = false;
+ if ( opt.code == tcp::TcpOptCode::TIMESTAMP )
+ {
+ bool stripped = false;
- if (strip)
- stripped = strip_tcp_timestamp(tns, tsd, &opt, (NormMode)tns.opt_block);
+ if (strip)
+ stripped = strip_tcp_timestamp(tns, tsd, &opt, (NormMode)tns.opt_block);
- if (!stripped)
- {
- tsd.set_ts(extract_32bits(opt.data) );
- return TF_TSTAMP;
+ if (!stripped)
+ {
+ tsd.set_ts(extract_32bits(opt.data) );
+ return TF_TSTAMP;
+ }
}
}
}
tsd.set_ts(0);
-
return TF_NONE;
}
uint32_t TcpSegmentDescriptor::init_mss(uint16_t* value)
{
- tcp::TcpOptIterator iter(tcph, pkt);
- for ( const tcp::TcpOption& opt : iter )
+ if ( pkt->ptrs.decode_flags & DECODE_TCP_MSS )
{
- if ( opt.code == tcp::TcpOptCode::MAXSEG )
+ tcp::TcpOptIterator iter(tcph, pkt);
+
+ for ( const tcp::TcpOption& opt : iter )
{
- *value = extract_16bits(opt.data);
- return TF_MSS;
+ if ( opt.code == tcp::TcpOptCode::MAXSEG )
+ {
+ *value = extract_16bits(opt.data);
+ return TF_MSS;
+ }
}
}
-
*value = 0;
-
return TF_NONE;
}
{
uint16_t wscale;
- if ( !(pkt->ptrs.decode_flags & DECODE_WSCALE) )
+ if ( !(pkt->ptrs.decode_flags & DECODE_TCP_WS) )
return false;
return ( init_wscale(&wscale) & TF_WSCALE ) != TF_NONE;
projects / thirdparty / snort3.git / commitdiff
