The Snort Team
Revision History
-Revision 3.3.6.0 2024-09-05 12:57:08 EDT TST
+Revision 3.3.7.0 2024-09-24 21:59:30 EDT TST
---------------------------------------------------------------------
7.44. gtp_info
7.45. gtp_type
7.46. gtp_version
- 7.47. http_client_body
- 7.48. http_cookie
- 7.49. http_header
- 7.50. http_header_test
- 7.51. http_max_header_line
- 7.52. http_max_trailer_line
- 7.53. http_method
- 7.54. http_num_cookies
- 7.55. http_num_headers
- 7.56. http_num_trailers
- 7.57. http_param
- 7.58. http_raw_body
- 7.59. http_raw_cookie
- 7.60. http_raw_header
- 7.61. http_raw_request
- 7.62. http_raw_status
- 7.63. http_raw_trailer
- 7.64. http_raw_uri
- 7.65. http_stat_code
- 7.66. http_stat_msg
- 7.67. http_trailer
- 7.68. http_trailer_test
- 7.69. http_true_ip
- 7.70. http_uri
- 7.71. http_version
- 7.72. http_version_match
- 7.73. icmp_id
- 7.74. icmp_seq
- 7.75. icode
- 7.76. id
- 7.77. iec104_apci_type
- 7.78. iec104_asdu_func
- 7.79. ip_proto
- 7.80. ipopts
- 7.81. isdataat
- 7.82. itype
- 7.83. js_data
- 7.84. md5
- 7.85. metadata
- 7.86. mms_data
- 7.87. mms_func
- 7.88. modbus_data
- 7.89. modbus_func
- 7.90. modbus_unit
- 7.91. msg
- 7.92. mss
- 7.93. pcre
- 7.94. pkt_data
- 7.95. pkt_num
- 7.96. priority
- 7.97. raw_data
- 7.98. reference
- 7.99. regex
- 7.100. rem
- 7.101. replace
- 7.102. rev
- 7.103. rpc
- 7.104. s7commplus_content
- 7.105. s7commplus_func
- 7.106. s7commplus_opcode
- 7.107. sd_pattern
- 7.108. seq
- 7.109. service
- 7.110. sha256
- 7.111. sha512
- 7.112. sid
- 7.113. sip_body
- 7.114. sip_header
- 7.115. sip_method
- 7.116. sip_stat_code
- 7.117. so
- 7.118. soid
- 7.119. ssl_state
- 7.120. ssl_version
- 7.121. stream_reassemble
- 7.122. stream_size
- 7.123. tag
- 7.124. target
- 7.125. tos
- 7.126. ttl
- 7.127. urg
- 7.128. vba_data
- 7.129. window
- 7.130. wscale
+ 7.47. http2_frame_data
+ 7.48. http2_frame_header
+ 7.49. http_client_body
+ 7.50. http_cookie
+ 7.51. http_header
+ 7.52. http_header_test
+ 7.53. http_max_header_line
+ 7.54. http_max_trailer_line
+ 7.55. http_method
+ 7.56. http_num_cookies
+ 7.57. http_num_headers
+ 7.58. http_num_trailers
+ 7.59. http_param
+ 7.60. http_raw_body
+ 7.61. http_raw_cookie
+ 7.62. http_raw_header
+ 7.63. http_raw_request
+ 7.64. http_raw_status
+ 7.65. http_raw_trailer
+ 7.66. http_raw_uri
+ 7.67. http_stat_code
+ 7.68. http_stat_msg
+ 7.69. http_trailer
+ 7.70. http_trailer_test
+ 7.71. http_true_ip
+ 7.72. http_uri
+ 7.73. http_version
+ 7.74. http_version_match
+ 7.75. icmp_id
+ 7.76. icmp_seq
+ 7.77. icode
+ 7.78. id
+ 7.79. iec104_apci_type
+ 7.80. iec104_asdu_func
+ 7.81. ip_proto
+ 7.82. ipopts
+ 7.83. isdataat
+ 7.84. itype
+ 7.85. js_data
+ 7.86. md5
+ 7.87. metadata
+ 7.88. mms_data
+ 7.89. mms_func
+ 7.90. modbus_data
+ 7.91. modbus_func
+ 7.92. modbus_unit
+ 7.93. msg
+ 7.94. mss
+ 7.95. pcre
+ 7.96. pkt_data
+ 7.97. pkt_num
+ 7.98. priority
+ 7.99. raw_data
+ 7.100. reference
+ 7.101. regex
+ 7.102. rem
+ 7.103. replace
+ 7.104. rev
+ 7.105. rpc
+ 7.106. s7commplus_content
+ 7.107. s7commplus_func
+ 7.108. s7commplus_opcode
+ 7.109. sd_pattern
+ 7.110. seq
+ 7.111. service
+ 7.112. sha256
+ 7.113. sha512
+ 7.114. sid
+ 7.115. sip_body
+ 7.116. sip_header
+ 7.117. sip_method
+ 7.118. sip_stat_code
+ 7.119. so
+ 7.120. soid
+ 7.121. ssl_state
+ 7.122. ssl_version
+ 7.123. stream_reassemble
+ 7.124. stream_size
+ 7.125. tag
+ 7.126. target
+ 7.127. tos
+ 7.128. ttl
+ 7.129. urg
+ 7.130. vba_data
+ 7.131. window
+ 7.132. wscale
8. Search Engine Modules
9. SO Rule Modules
default policy
* snort.dump_stats(): show summary statistics
* snort.dump_heap_stats(): show heap statistics
+ * snort.heap_profile(enable, sample_rate): jemalloc memory tracking
+ configuration
+ * snort.dump_heap_profile(): dump jemalloc memory profile
+ * snort.show_heap_profile(): show jemalloc memory profiling
+ configuration
* snort.reset_stats(type): clear summary statistics. Type can be:
daq|module|appid|file_id|snort|ha|all. reset_stats() without a
parameter clears all statistics.
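Review bot: the new `snort.heap_profile(enable, sample_rate): jemalloc memory tracking configuration` entry leaves both parameters undocumented: a reader cannot tell whether enable is a boolean or 0/1, what unit sample_rate is in (bytes between samples, a power-of-two exponent, a ratio), or what the defaults are. The neighbouring reset_stats entry spells out its accepted values (daq|module|appid|file_id|snort|ha|all), so the same should be done here, and since all three new commands are tied to jemalloc the entries should say what they do when Snort is not linked against jemalloc.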
* string binder[].when.tenants: list of tenants
* enum binder[].when.role = any: use the given configuration on one
or any end of a session { client | server | any }
- * string binder[].when.service: space separated list of services
+ * string binder[].when.service: name of service to match
* enum binder[].use.action = inspect: what to do with matching
traffic { reset | block | allow | inspect }
* string binder[].use.file: use configuration in given file
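Review bot: changing the help text for binder[].when.service from "space separated list of services" to "name of service to match" reads as a semantic narrowing rather than a wording fix: a binder entry that previously listed several services would now presumably match only one. If the parser no longer accepts a list, this is a compatibility break for existing binder configurations and should be called out in the release notes together with the migration (one binder entry per service); if lists are still accepted and only the old description was wrong, state that explicitly and say how whitespace in the value is treated.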
* 125:8 (ftp_server) FTP bounce attempt
* 125:9 (ftp_server) evasive (incomplete) TELNET cmd on FTP command
channel
+ * 125:10 (ftp_server) FTP session aborted as server response
+ invalid
Peg counts:
packets with segment size change (sum)
* ftp_server.flow_segment_size_changed: total number of FTP
sessions with segment size change (sum)
+ * ftp_server.total_aborted_sessions: total aborted sessions (sum)
5.24. gtp_inspect
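Review bot: the new alert text `125:10 (ftp_server) FTP session aborted as server response invalid` is ungrammatical and too vague to triage; suggest "FTP session aborted because the server response was invalid" and, as 125:8 and 125:9 do, name the concrete condition that triggers it (what makes the response invalid). The peg count name ftp_server.total_aborted_sessions also disagrees with the ssh.aborted_sessions counter added in the same release; pick one naming convention for both.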
* ssh.concurrent_sessions: total concurrent ssh sessions (now)
* ssh.max_concurrent_sessions: maximum concurrent ssh sessions
(max)
+ * ssh.aborted_sessions: total session aborted (sum)
5.49. ssl
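Review bot: `ssh.aborted_sessions: total session aborted (sum)` should read "total sessions aborted". Unlike ftp_server, which adds alert 125:10 alongside its total_aborted_sessions counter, the ssh hunk adds only the counter, so the documentation gives no way to learn what causes an SSH session to be aborted; either describe the condition in the counter's help string or add the matching event.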
* int gtp_version.~: version to match { 0:2 }
-7.47. http_client_body
+7.47. http2_frame_data
+
+--------------
+
+Help: rule option to set detection cursor to the HTTP/2 frame body
+
+Type: ips_option
+
+Usage: detect
+
+
+7.48. http2_frame_header
+
+--------------
+
+Help: rule option to set detection cursor to the 9-octet HTTP/2 frame
+header
+
+Type: ips_option
+
+Usage: detect
+
+
+7.49. http_client_body
--------------
Usage: detect
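Review bot: the help strings for http2_frame_data and http2_frame_header omit the frame-type restriction that the manual text in this same release documents (http2_frame_header only for data, headers, settings and push promise frames; http2_frame_data only for headers, settings, push promise and continuation frames). The per-option reference is what a rule author consults first, so add a one-line note to each entry, and align the wording with the neighbouring http_client_body entry, which says "set the detection cursor".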
-7.48. http_cookie
+7.50. http_cookie
--------------
will be removed in a future release
-7.49. http_header
+7.51. http_header
--------------
will be removed in a future release
-7.50. http_header_test
+7.52. http_header_test
--------------
* implied http_header_test.absent: header is absent
-7.51. http_max_header_line
+7.53. http_max_header_line
--------------
from the request message even when examining the response
-7.52. http_max_trailer_line
+7.54. http_max_trailer_line
--------------
from the request message even when examining the response
-7.53. http_method
+7.55. http_method
--------------
will be removed in a future release
-7.54. http_num_cookies
+7.56. http_num_cookies
--------------
the request message even when examining the response
-7.55. http_num_headers
+7.57. http_num_headers
--------------
and will be removed in a future release
-7.56. http_num_trailers
+7.58. http_num_trailers
--------------
and will be removed in a future release
-7.57. http_param
+7.59. http_param
--------------
* implied http_param.nocase: case insensitive match
-7.58. http_raw_body
+7.60. http_raw_body
--------------
Usage: detect
-7.59. http_raw_cookie
+7.61. http_raw_cookie
--------------
and will be removed in a future release
-7.60. http_raw_header
+7.62. http_raw_header
--------------
and will be removed in a future release
-7.61. http_raw_request
+7.63. http_raw_request
--------------
and will be removed in a future release
-7.62. http_raw_status
+7.64. http_raw_status
--------------
and will be removed in a future release
-7.63. http_raw_trailer
+7.65. http_raw_trailer
--------------
will be removed in a future release
-7.64. http_raw_uri
+7.66. http_raw_uri
--------------
URI only
-7.65. http_stat_code
+7.67. http_stat_code
--------------
will be removed in a future release
-7.66. http_stat_msg
+7.68. http_stat_msg
--------------
will be removed in a future release
-7.67. http_trailer
+7.69. http_trailer
--------------
be removed in a future release
-7.68. http_trailer_test
+7.70. http_trailer_test
--------------
* implied http_trailer_test.absent: trailer is absent
-7.69. http_true_ip
+7.71. http_true_ip
--------------
will be removed in a future release
-7.70. http_uri
+7.72. http_uri
--------------
only
-7.71. http_version
+7.73. http_version
--------------
will be removed in a future release
-7.72. http_version_match
+7.74. http_version_match
--------------
and will be removed in a future release
-7.73. icmp_id
+7.75. icmp_id
--------------
0:65535 }
-7.74. icmp_seq
+7.76. icmp_seq
--------------
given range { 0:65535 }
-7.75. icode
+7.77. icode
--------------
0:255 }
-7.76. id
+7.78. id
--------------
}
-7.77. iec104_apci_type
+7.79. iec104_apci_type
--------------
* string iec104_apci_type.~: APCI type to match
-7.78. iec104_asdu_func
+7.80. iec104_asdu_func
--------------
* string iec104_asdu_func.~: function code to match
-7.79. ip_proto
+7.81. ip_proto
--------------
* string ip_proto.~proto: [!|>|<] name or number
-7.80. ipopts
+7.82. ipopts
--------------
lsrre|ssrr|satid|any }
-7.81. isdataat
+7.83. isdataat
--------------
buffer
-7.82. itype
+7.84. itype
--------------
0:255 }
-7.83. js_data
+7.85. js_data
--------------
Usage: detect
-7.84. md5
+7.86. md5
--------------
of buffer
-7.85. metadata
+7.87. metadata
--------------
pairs
-7.86. mms_data
+7.88. mms_data
--------------
Usage: detect
-7.87. mms_func
+7.89. mms_func
--------------
* string mms_func.~: func to match
-7.88. modbus_data
+7.90. modbus_data
--------------
Usage: detect
-7.89. modbus_func
+7.91. modbus_func
--------------
* string modbus_func.~: function code to match
-7.90. modbus_unit
+7.92. modbus_unit
--------------
* int modbus_unit.~: Modbus unit ID { 0:255 }
-7.91. msg
+7.93. msg
--------------
* string msg.~: message describing rule
-7.92. mss
+7.94. mss
--------------
}
-7.93. pcre
+7.95. pcre
--------------
* pcre.pcre_error: total number of times pcre returns error (sum)
-7.94. pkt_data
+7.96. pkt_data
--------------
Usage: detect
-7.95. pkt_num
+7.97. pkt_num
--------------
{ 1: }
-7.96. priority
+7.98. priority
--------------
1:max31 }
-7.97. raw_data
+7.99. raw_data
--------------
Usage: detect
-7.98. reference
+7.100. reference
--------------
* string reference.~ref: reference: <scheme>,<id>
-7.99. regex
+7.101. regex
--------------
instead of start of buffer
-7.100. rem
+7.102. rem
--------------
* string rem.~: comment
-7.101. replace
+7.103. replace
--------------
* string replace.~: byte code to replace with
-7.102. rev
+7.104. rev
--------------
* int rev.~: revision { 1:max32 }
-7.103. rpc
+7.105. rpc
--------------
* string rpc.~proc: procedure number or * for any
-7.104. s7commplus_content
+7.106. s7commplus_content
--------------
Usage: detect
-7.105. s7commplus_func
+7.107. s7commplus_func
--------------
* string s7commplus_func.~: function code to match
-7.106. s7commplus_opcode
+7.108. s7commplus_opcode
--------------
* string s7commplus_opcode.~: opcode code to match
-7.107. sd_pattern
+7.109. sd_pattern
--------------
* sd_pattern.terminated: hyperscan terminated (sum)
-7.108. seq
+7.110. seq
--------------
range { 0: }
-7.109. service
+7.111. service
--------------
* string service.*: one or more comma-separated service names
-7.110. sha256
+7.112. sha256
--------------
start of buffer
-7.111. sha512
+7.113. sha512
--------------
start of buffer
-7.112. sid
+7.114. sid
--------------
* int sid.~: signature id { 1:max32 }
-7.113. sip_body
+7.115. sip_body
--------------
Usage: detect
-7.114. sip_header
+7.116. sip_header
--------------
Usage: detect
-7.115. sip_method
+7.117. sip_method
--------------
* string sip_method.*method: sip method
-7.116. sip_stat_code
+7.118. sip_stat_code
--------------
* int sip_stat_code.*code: status code { 1:999 }
-7.117. so
+7.119. so
--------------
buffer
-7.118. soid
+7.120. soid
--------------
like 3_45678_9
-7.119. ssl_state
+7.121. ssl_state
--------------
unknown
-7.120. ssl_version
+7.122. ssl_version
--------------
tls1.2
-7.121. stream_reassemble
+7.123. stream_reassemble
--------------
remainder of the session
-7.122. stream_size
+7.124. stream_size
--------------
direction(s) { either|to_server|to_client|both }
-7.123. tag
+7.125. tag
--------------
* int tag.bytes: tag for this many bytes { 1:max32 }
-7.124. target
+7.126. target
--------------
dst_ip }
-7.125. tos
+7.127. tos
--------------
* interval tos.~range: check if IP TOS is in given range { 0:255 }
-7.126. ttl
+7.128. ttl
--------------
0:255 }
-7.127. urg
+7.129. urg
--------------
{ 0:65535 }
-7.128. vba_data
+7.130. vba_data
--------------
Usage: detect
-7.129. window
+7.131. window
--------------
range { 0:65535 }
-7.130. wscale
+7.132. wscale
--------------
| user | file }
* enum binder[].when.role = any: use the given configuration on one
or any end of a session { client | server | any }
- * string binder[].when.service: space separated list of services
+ * string binder[].when.service: name of service to match
* string binder[].when.src_groups: list of source interface group
IDs
* string binder[].when.src_intfs: list of source interface IDs
* ftp_server.ssl_srch_abandoned_early: total SSL search abandoned
too soon (sum)
* ftp_server.start_tls: total STARTTLS events generated (sum)
+ * ftp_server.total_aborted_sessions: total aborted sessions (sum)
* ftp_server.total_bytes: total number of bytes processed (sum)
* ftp_server.total_packets: total packets (sum)
* gtp_inspect.concurrent_sessions: total concurrent gtp sessions
(sum)
* snort.remote_commands: total remote commands processed (sum)
* snort.signals: total signals processed (sum)
+ * ssh.aborted_sessions: total session aborted (sum)
* ssh.concurrent_sessions: total concurrent ssh sessions (now)
* ssh.max_concurrent_sessions: maximum concurrent ssh sessions
(max)
default policy
* snort.dump_stats(): show summary statistics
* snort.dump_heap_stats(): show heap statistics
+ * snort.heap_profile(enable, sample_rate): jemalloc memory tracking
+ configuration
+ * snort.dump_heap_profile(): dump jemalloc memory profile
+ * snort.show_heap_profile(): show jemalloc memory profiling
+ configuration
* snort.reset_stats(type): clear summary statistics. Type can be:
daq|module|appid|file_id|snort|ha|all. reset_stats() without a
parameter clears all statistics.
hosts
* host_tracker (basic): configure hosts
* hosts (basic): configure hosts
+ * http2_frame_data (ips_option): rule option to set detection
+ cursor to the HTTP/2 frame body
+ * http2_frame_header (ips_option): rule option to set detection
+ cursor to the 9-octet HTTP/2 frame header
* http2_inspect (inspector): HTTP/2 inspector
* http_client_body (ips_option): rule option to set the detection
cursor to the request body
* ips_option::gtp_info: rule option to check gtp info element
* ips_option::gtp_type: rule option to check gtp types
* ips_option::gtp_version: rule option to check GTP version
+ * ips_option::http2_frame_data: rule option to set detection cursor
+ to the HTTP/2 frame body
+ * ips_option::http2_frame_header: rule option to set detection
+ cursor to the 9-octet HTTP/2 frame header
* ips_option::http_client_body: rule option to set the detection
cursor to the request body
* ips_option::http_cookie: rule option to set the detection cursor
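Review bot: the two new entries read "rule option to set detection cursor" while every neighbouring HTTP entry reads "rule option to set the detection cursor" (see the http_client_body lines directly below); add the article for consistency. The same string recurs in the module list, the ips_option:: list and the section help texts, so fix it in the source help string rather than in each rendered copy.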
The Snort Team
Revision History
-Revision 3.3.6.0 2024-09-05 12:57:20 EDT TST
+Revision 3.3.7.0 2024-09-24 21:59:55 EDT TST
---------------------------------------------------------------------
"service http,http2;" if that is the desired behavior. Eventually
support for http implies http2 may be deprecated and removed.
+Occasionally one needs a rule that looks at the content of the raw
+HTTP/2 frame, for example to match some odd value for an identifier
+in a settings frame:
+
+alert http2 (
+ msg:"SETTINGS frame with odd max frame size";
+ flow:to_server,established;
+ http2_frame_header; content:"|04|",offset 3,depth 1;
+ http2_frame_data; content:"|00 05 12 34 56 78|";
+ sid:1;
+)
+
+Here http2_frame_header represents the 9 bytes of the HTTP/2 header
+of the frame, and http2_frame_data represents the data part of the
+same frame after any padding was removed.
+
+Support for http2_frame_header is limited to data, headers, settings
+and push promise frames, while support for http2_frame_data is
+limited to headers, settings, push promise and continuation frames.
+
+For frames that support both http2_frame_header and http2_frame_data
+the rule has to match both on the same frame as in the example above.
+
+When http2_frame_data is matching on a headers or push promise
+continuation frame, http2_frame_header will match on the header of
+the headers or push promise frame. In the example below the header
+string is matched on a continuation of a headers frame.
+
+alert http2 (
+ http2_frame_header; content:"|01|", offset 3, depth 1;
+ http2_frame_data; content:"header";
+ sid:1;
+)
+
+In the example below the header string is matched on a continuation
+of a push promise frame.
+
+alert http2 (
+ http2_frame_header; content:"|05|", offset 3, depth 1;
+ http2_frame_data; content:"header";
+ sid:1;
+)
+
+Matching http2_frame_header on a data frame may be mixed matching on
+its payload, and, as one would expect, the http2_frame_header is the
+one from the data frame that is matching the payload.
+
+alert http2 (
+ http2_frame_header; content:"|00|", offset 3, depth 1;
+ file_data; content:"response";
+ sid:1;
+)
+
+Mixing the two HTTP/2 frame options with HTTP options at the level of
+an HTTP transaction (where the two matches correspond to different
+HTTP/2 frames) is not recommended. This is an example that will not
+work, it tries to match on the header of a data frame and the payload
+of a headers frame.
+
+alert http2 (
+ msg:"DO NOT ATTEMPT - THIS RULE WILL NOT WORK";
+ http2_frame_header; content:"|00|", offset 3, depth 1;
+ http_method; content:"GET";
+ sid:1;
+)
+
5.12. IEC104 Inspector
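Review bot: in the first example, `http2_frame_data; content:"|00 05 12 34 56 78|";` carries no offset or depth, so the 6-octet pattern can match anywhere in the settings payload, including across the boundary between two consecutive 6-octet setting entries; either anchor it (for example `offset 0, depth 6` to check the first setting) or say in the text that the example trades that false-positive risk for brevity. Wording fixes in the same hunk: "match some odd value for an identifier in a settings frame" misdescribes the bytes, since 0x0005 is the setting identifier and 0x12345678 is its value, so "an odd value for a setting"; the content modifiers are written ",offset 3,depth 1" in the first rule but ", offset 3, depth 1" in the others; "after any padding was removed" should be "has been removed"; "may be mixed matching on its payload" is missing "with"; and "This is an example that will not work, it tries to match" is a comma splice. Every example also uses sid:1; distinct sids avoid duplicate-sid errors for readers who paste more than one into a rules file.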