The Snort Team
Revision History
-Revision 3.1.48.0 2022-12-01 11:51:55 EST TST
+Revision 3.1.49.0 2022-12-15 16:32:12 EST TST
---------------------------------------------------------------------
JavaScripts processed (sum)
* http_inspect.js_external_scripts: total number of external
JavaScripts processed (sum)
- * http_inspect.js_pdf_scripts: total number of PDF JavaScripts
- processed (sum)
+ * http_inspect.js_pdf_scripts: total number of PDF files processed
+ (sum)
* http_inspect.skip_mime_attach: total number of HTTP requests with
too many MIME attachments to inspect (sum)
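Review bot: the counter name http_inspect.js_pdf_scripts still says "scripts" while its description now says "total number of PDF files processed", so the name and the description disagree about what is counted. State whether the counter increments once per PDF file handed to the normalizer (whether or not it contained JavaScript) or once per script found, e.g. "total number of PDF files scanned for JavaScript (sum)", and keep that wording identical for the new imap, pop and smtp counters added in this change.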
* imap.non_encoded_attachments: total non-encoded attachments
extracted (sum)
* imap.non_encoded_bytes: total non-encoded extracted bytes (sum)
+ * imap.js_pdf_scripts: total number of PDF files processed (sum)
5.28. mem_test
* pop.non_encoded_attachments: total non-encoded attachments
extracted (sum)
* pop.non_encoded_bytes: total non-encoded extracted bytes (sum)
+ * pop.js_pdf_scripts: total number of PDF files processed (sum)
5.37. port_scan
* smtp.non_encoded_attachments: total non-encoded attachments
extracted (sum)
* smtp.non_encoded_bytes: total non-encoded extracted bytes (sum)
+ * smtp.js_pdf_scripts: total number of PDF files processed (sum)
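Review bot: the three new counters imap.js_pdf_scripts, pop.js_pdf_scripts and smtp.js_pdf_scripts are documented without the precondition under which they increment. The overview text later in this same change says JavaScript in PDF files is only normalized when decompress_pdf = true is set on the service inspector, so a counter that stays at zero will look like a bug unless that dependency is mentioned here or cross-referenced.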
5.44. so_proxy
* string wizard.hexes[].service: name of service
* select wizard.hexes[].proto = any: protocol to scan { tcp | udp |
any }
- * bool wizard.hexes[].client_first = true: which end initiates data
- transfer (deprecated)
* string wizard.hexes[].to_server[].hex: sequence of data with wild
chars (?)
* string wizard.hexes[].to_client[].hex: sequence of data with wild
* string wizard.spells[].service: name of service
* select wizard.spells[].proto = any: protocol to scan { tcp | udp
| any }
- * bool wizard.spells[].client_first = true: which end initiates
- data transfer (deprecated)
* string wizard.spells[].to_server[].spell: sequence of data with
wild cards (*)
* string wizard.spells[].to_client[].spell: sequence of data with
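Review bot: removing the deprecated client_first option from the wizard.hexes[] and wizard.spells[] parameter lists drops it without saying what happens to a configuration that still sets it; state whether the key is now rejected or silently ignored. The consolidated-config dumps and the example spells later in this change drop the key as well, which is consistent, but the parameter list is where a user will look first.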
Configuration:
* int byte_extract.~count: number of bytes to pick up from the
- buffer { 1:10 }
+ buffer (string can pick less) { 1:10 }
* int byte_extract.~offset: number of bytes into the buffer to
start processing { -65535:65535 }
* string byte_extract.~name: name of the variable that will be used
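Review bot: "(string can pick less)" in the byte_extract.~count description is too terse to stand on its own; a reader of the reference section will not know it refers to the case where fewer bytes remain in the buffer after the cursor than the configured count. Suggest "(with the string modifier, fewer bytes are extracted if the buffer is shorter)" and the same wording for the parallel byte_jump, byte_math and byte_test hunks. Note also that the range { 1:10 } constrains the configured value, not the number actually extracted, which the new parenthetical could be read as contradicting.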
Configuration:
* int byte_jump.~count: number of bytes to pick up from the buffer
- { 0:10 }
+ (string can pick less) { 0:10 }
* string byte_jump.~offset: variable name or number of bytes into
the buffer to start processing
* implied byte_jump.relative: offset from cursor instead of start
Configuration:
- * int byte_math.bytes: number of bytes to pick up from the buffer {
- 1:10 }
+ * int byte_math.bytes: number of bytes to pick up from the buffer
+ (string can pick less) { 1:10 }
* string byte_math.offset: number of bytes into the buffer to start
processing
* enum byte_math.oper: mathematical operation to perform { +|-|*|/|
Configuration:
* int byte_test.~count: number of bytes to pick up from the buffer
- { 1:10 }
+ (string can pick less) { 1:10 }
* string byte_test.~operator: operation to perform to test the
value
* string byte_test.~compare: variable name or value to test the
* int byte_extract.bitmask: applies as an AND to the extracted
value before storage in name { 0x1:0xFFFFFFFF }
* int byte_extract.~count: number of bytes to pick up from the
- buffer { 1:10 }
+ buffer (string can pick less) { 1:10 }
* implied byte_extract.dce: dcerpc2 determines endianness
* implied byte_extract.dec: convert from decimal string
* implied byte_extract.hex: convert from hex string
* int byte_jump.bitmask: applies as an AND prior to evaluation {
0x1:0xFFFFFFFF }
* int byte_jump.~count: number of bytes to pick up from the buffer
- { 0:10 }
+ (string can pick less) { 0:10 }
* implied byte_jump.dce: dcerpc2 determines endianness
* implied byte_jump.dec: convert from decimal string
* implied byte_jump.from_beginning: jump from start of buffer
* implied byte_jump.string: convert from string
* int byte_math.bitmask: applies as bitwise AND to the extracted
value before storage in name { 0x1:0xFFFFFFFF }
- * int byte_math.bytes: number of bytes to pick up from the buffer {
- 1:10 }
+ * int byte_math.bytes: number of bytes to pick up from the buffer
+ (string can pick less) { 1:10 }
* implied byte_math.dce: dcerpc2 determines endianness
* enum byte_math.endian: specify big/little endian { big|little }
* string byte_math.offset: number of bytes into the buffer to start
* string byte_test.~compare: variable name or value to test the
converted result against
* int byte_test.~count: number of bytes to pick up from the buffer
- { 1:10 }
+ (string can pick less) { 1:10 }
* implied byte_test.dce: dcerpc2 determines endianness
* implied byte_test.dec: convert from decimal string
* implied byte_test.hex: convert from hex string
* multi wizard.curses: enable service identification based on
internal algorithm { dce_smb | dce_udp | dce_tcp | mms |
s7commplus | sslv2 }
- * bool wizard.hexes[].client_first = true: which end initiates data
- transfer (deprecated)
* select wizard.hexes[].proto = any: protocol to scan { tcp | udp |
any }
* string wizard.hexes[].service: name of service
chars (?)
* int wizard.max_search_depth = 8192: maximum scan depth per flow {
0:65535 }
- * bool wizard.spells[].client_first = true: which end initiates
- data transfer (deprecated)
* select wizard.spells[].proto = any: protocol to scan { tcp | udp
| any }
* string wizard.spells[].service: name of service
JavaScripts processed (sum)
* http_inspect.js_inline_scripts: total number of inline
JavaScripts processed (sum)
- * http_inspect.js_pdf_scripts: total number of PDF JavaScripts
- processed (sum)
+ * http_inspect.js_pdf_scripts: total number of PDF files processed
+ (sum)
* http_inspect.max_concurrent_sessions: maximum concurrent http
sessions (max)
* http_inspect.options_requests: OPTIONS requests inspected (sum)
* imap.b64_attachments: total base64 attachments decoded (sum)
* imap.b64_decoded_bytes: total base64 decoded bytes (sum)
* imap.concurrent_sessions: total concurrent imap sessions (now)
+ * imap.js_pdf_scripts: total number of PDF files processed (sum)
* imap.max_concurrent_sessions: maximum concurrent imap sessions
(max)
* imap.non_encoded_attachments: total non-encoded attachments
* pop.b64_attachments: total base64 attachments decoded (sum)
* pop.b64_decoded_bytes: total base64 decoded bytes (sum)
* pop.concurrent_sessions: total concurrent pop sessions (now)
+ * pop.js_pdf_scripts: total number of PDF files processed (sum)
* pop.max_concurrent_sessions: maximum concurrent pop sessions
(max)
* pop.non_encoded_attachments: total non-encoded attachments
* smtp.b64_attachments: total base64 attachments decoded (sum)
* smtp.b64_decoded_bytes: total base64 decoded bytes (sum)
* smtp.concurrent_sessions: total concurrent smtp sessions (now)
+ * smtp.js_pdf_scripts: total number of PDF files processed (sum)
* smtp.max_concurrent_sessions: maximum concurrent smtp sessions
(max)
* smtp.non_encoded_attachments: total non-encoded attachments
The Snort Team
Revision History
-Revision 3.1.48.0 2022-12-01 11:52:17 EST TST
+Revision 3.1.49.0 2022-12-15 16:32:34 EST TST
---------------------------------------------------------------------
content:"|00 00 00 01 00 00 00 01|", offset 20, depth 8;
byte_test:4,>,200,36;
+In case of using any byte_* option with "string" parameter, the
+amount of bytes to be extracted from payload can be less than
+specified by user. This might happen when the buffer has fewer bytes
+(from the cursor position) than specified in the option.
+
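Review bot: the new paragraph says that fewer bytes than requested can be extracted but not what the option then does, which is what a rule writer needs: is byte_test or byte_jump evaluated on the shorter value, or does the option fail to match? Suggested wording: "When any byte_* option is used with the string parameter, the number of bytes extracted from the payload can be less than the number specified: this happens when fewer bytes remain in the buffer from the cursor position than the option requests." The example just above it (byte_test:4,>,200,36;) does not use string, so an example with the string modifier would illustrate the point better.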
5.5. Consolidated Config
{
spells =
{
- { service = 'http', proto = 'tcp', client_first = true, to_server = { 'GET' }, to_client = { 'HTTP/' } },
+ { service = 'http', proto = 'tcp', to_server = { 'GET' }, to_client = { 'HTTP/' } },
}
}
stream_tcp.show_rebuilt_packets=true
consolidated config for http.lua
wizard.spells[0].proto="tcp"
-wizard.spells[0].client_first=true
wizard.spells[0].service="http"
wizard.spells[0].to_client[0].spell="HTTP/"
wizard.spells[0].to_server[0].spell="GET"
consolidated config for sip.lua
wizard.spells[0].proto="tcp"
-wizard.spells[0].client_first=true
wizard.spells[0].service="sip"
wizard.spells[0].to_server[0].spell="INVITE"
"spells": [
{
"proto": "tcp",
- "client_first": true,
"service": "http",
"to_client": [
{
"spells": [
{
"proto": "tcp",
- "client_first": true,
"service": "sip",
"to_server": [
{
One of the improvements in Snort 3 is Enhanced JavaScript Normalizer
which has its own module and can be used with any service inspectors
-where JavaScript code might occur. Currently it is only used by HTTP
-inspector.
+where JavaScript code might occur. Currently it is supported for the
+following inspectors: HTTP, SMTP, IMAP, POP.
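Review bot: the inspector list "HTTP, SMTP, IMAP, POP" here and the protocol list "HTTP/1, HTTP/2, SMTP, IMAP and POP3" in the overview paragraph of the same change should use one naming scheme; HTTP/2 appears only in the second list, so a reader of this sentence will not learn that the HTTP/2 path is covered. Naming the inspector modules as they appear in the configuration (http_inspect, http2_inspect, smtp, imap, pop) would also match the counter names added in this change.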
5.13.1. Overview
The Enhanced Normalizer can normalize JavaScript embedded in HTML
(inline scripts), in separate .js files (external scripts), and
-JavaScript embedded in PDF files sent over HTTP. It supports scripts
-over multiple PDUs. It is a stateful JavaScript whitespace and
-identifiers normalizer. Normalizer concatenates string literals
-whenever it’s possible to do. This also works with any other
-normalizations that result in string literals. All JavaScript
-identifier names, except those from the ignore lists, will be
-substituted with unified names in the following format: var_0000 →
-var_ffff. The Normalizer tries to expand escaped text, so it will
-appear in a readable form in the output. When such text is a
+JavaScript embedded in PDF files sent over HTTP/1, HTTP/2, SMTP, IMAP
+and POP3 protocols. It supports scripts over multiple PDUs. It is a
+stateful JavaScript whitespace and identifiers normalizer. Normalizer
+concatenates string literals whenever it’s possible to do. This also
+works with any other normalizations that result in string literals.
+All JavaScript identifier names, except those from the ignore lists,
+will be substituted with unified names in the following format:
+var_0000 → var_ffff. The Normalizer tries to expand escaped text, so
+it will appear in a readable form in the output. When such text is a
parameter of an unescape function, the entire function call will be
replaced by the unescaped string. Moreover, Normalizer validates the
syntax concerning ECMA-262 Standard, including scope tracking and
-restrictions for script elements.
+restrictions for script elements. JavaScript, embedded in PDF files,
+has to be decompressed before normalization. For that, decompress_pdf
+= true option has to be set in configuration of appropriate service
+inspectors.
Check with the following options for more configurations:
bytes_depth, identifier_depth, max_tmpl_nest, max_bracket_depth,
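Review bot: the sentence introducing decompress_pdf = true does not say which inspectors expose the option or what its default is, and "set in configuration of appropriate service inspectors" leaves the reader to guess. Name the inspectors (the ones this section lists as supported) and point to the option in the reference. Style: drop the commas in "JavaScript, embedded in PDF files, has to be decompressed", which read as a non-restrictive clause and change the meaning.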
Also, there are default lists of ignored identifiers and object
properties provided. To get a complete default configuration, use
-default_js_norm from lua/snort_default.lua by adding:
+default_js_norm from $SNORT_LUA_PATH/snort_defaults.lua by adding:
js_norm = default_js_norm
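Review bot: $SNORT_LUA_PATH is used here without being defined in the surrounding text; say where it comes from so the reader can resolve the path. Correcting the filename from snort_default.lua to snort_defaults.lua is a real fix (the old name did not match the shipped file) and is worth calling out in the change description rather than leaving it folded into the path edit.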
context is detected and 154:8 built-in alert is raised. Further
normalization is not possible for the script. For example:
-alert http (msg:"JavaScript in HTTP"; js_data; content:"var var_0000=1;"; sid:1;)
+alert http (msg:"JS in HTTP"; js_data; content:"var var_0000"; sid:1;)
+alert smtp (msg:"JS in SMTP"; js_data; content:"var var_0000"; sid:2;)
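Review bot: the two example rules now match on content:"var var_0000" without the trailing "=1;", which is a looser pattern than the one they replace. If the intent is to show that normalization renames the first declared identifier to var_0000, say so in the sentence introducing the rules, since the surrounding text is about the 154:8 alert for undetectable context, not about identifier renaming; otherwise the reader cannot tell why the pattern changed.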
5.13.3.1. js_data
* service - name of the service that would be assigned
* proto - protocol to scan
- * client_first - indicator of which end initiates data transfer
- (deprecated)
* to_server - list of text patterns to search in the data sent to
the client
* to_client - list of text patterns to search in the data sent to
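Review bot: while removing the client_first bullet, fix the neighbouring to_server description, which reads "text patterns to search in the data sent to the client"; for to_server the patterns apply to data sent to the server, as the following to_client bullet already implies. Left as-is, the two bullets describe the same direction, and this list is the one the wizard examples below are read against.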
{
service = 'smtp',
proto = 'tcp',
- client_first = true,
to_server = { 'HELO', 'EHLO' },
to_client = { '220*SMTP', '220*MAIL' }
}
{
service = 'dnp3',
proto = 'tcp',
- client_first = true,
to_server = { '|05 64|' },
to_client = { '|05 64|' }
}