---------------------------------------------------------------------
-Snort 3 User Manual
+Snort 3 Reference Manual
---------------------------------------------------------------------
The Snort Team
----------------------------------------------------------------------
-
-Table of Contents
-
-1. Overview
-
- 1.1. First Steps
- 1.2. Configuration
- 1.3. Output
-
-2. Concepts
-
- 2.1. Terminology
- 2.2. Modules
- 2.3. Parameters
- 2.4. Plugins
- 2.5. Operation
- 2.6. Rules
- 2.7. Pattern Matching
-
-3. Tutorial
-
- 3.1. Dependencies
- 3.2. Building
- 3.3. Running
- 3.4. Tips
- 3.5. Help
- 3.6. Common Errors
- 3.7. Gotchas
- 3.8. Known Issues
-
-4. Usage
-
- 4.1. Help
- 4.2. Sniffing and Logging
- 4.3. Configuration
- 4.4. IDS mode
- 4.5. Plugins
- 4.6. Output Files
- 4.7. DAQ Alternatives
- 4.8. Logger Alternatives
- 4.9. Shell
- 4.10. Signals
-
-5. Features
-
- 5.1. Active Response
- 5.2. AppId
- 5.3. Binder
- 5.4. Byte rule options
- 5.5. DCE Inspectors
- 5.6. File Processing
- 5.7. High Availability
- 5.8. FTP
- 5.9. HTTP Inspector
- 5.10. HTTP/2 Inspector
- 5.11. Performance Monitor
- 5.12. POP and IMAP
- 5.13. Port Scan
- 5.14. Sensitive Data Filtering
- 5.15. SMTP
- 5.16. Telnet
- 5.17. Trace
- 5.18. Wizard
-
-6. Basic Modules
-
- 6.1. active
- 6.2. alerts
- 6.3. attribute_table
- 6.4. classifications
- 6.5. daq
- 6.6. decode
- 6.7. detection
- 6.8. event_filter
- 6.9. event_queue
- 6.10. high_availability
- 6.11. host_cache
- 6.12. host_tracker
- 6.13. hosts
- 6.14. inspection
- 6.15. ips
- 6.16. latency
- 6.17. memory
- 6.18. network
- 6.19. output
- 6.20. packet_tracer
- 6.21. packets
- 6.22. payload_injector
- 6.23. process
- 6.24. profiler
- 6.25. rate_filter
- 6.26. references
- 6.27. rule_state
- 6.28. search_engine
- 6.29. side_channel
- 6.30. snort
- 6.31. suppress
- 6.32. trace
-
-7. Codec Modules
-
- 7.1. arp
- 7.2. auth
- 7.3. ciscometadata
- 7.4. eapol
- 7.5. erspan2
- 7.6. erspan3
- 7.7. esp
- 7.8. eth
- 7.9. fabricpath
- 7.10. gre
- 7.11. gtp
- 7.12. icmp4
- 7.13. icmp6
- 7.14. igmp
- 7.15. ipv4
- 7.16. ipv6
- 7.17. llc
- 7.18. mpls
- 7.19. pbb
- 7.20. pgm
- 7.21. pppoe
- 7.22. tcp
- 7.23. token_ring
- 7.24. udp
- 7.25. vlan
- 7.26. wlan
-
-8. Connector Modules
-
- 8.1. file_connector
- 8.2. tcp_connector
-
-9. Inspector Modules
-
- 9.1. appid
- 9.2. appid_listener
- 9.3. arp_spoof
- 9.4. back_orifice
- 9.5. binder
- 9.6. cip
- 9.7. data_log
- 9.8. dce_http_proxy
- 9.9. dce_http_server
- 9.10. dce_smb
- 9.11. dce_tcp
- 9.12. dce_udp
- 9.13. dnp3
- 9.14. dns
- 9.15. domain_filter
- 9.16. dpx
- 9.17. file_id
- 9.18. file_log
- 9.19. ftp_client
- 9.20. ftp_data
- 9.21. ftp_server
- 9.22. gtp_inspect
- 9.23. http2_inspect
- 9.24. http_inspect
- 9.25. imap
- 9.26. mem_test
- 9.27. modbus
- 9.28. normalizer
- 9.29. packet_capture
- 9.30. perf_monitor
- 9.31. pop
- 9.32. port_scan
- 9.33. reputation
- 9.34. rna
- 9.35. rpc_decode
- 9.36. s7commplus
- 9.37. sip
- 9.38. smtp
- 9.39. so_proxy
- 9.40. ssh
- 9.41. ssl
- 9.42. stream
- 9.43. stream_file
- 9.44. stream_icmp
- 9.45. stream_ip
- 9.46. stream_tcp
- 9.47. stream_udp
- 9.48. stream_user
- 9.49. telnet
- 9.50. wizard
-
-10. IPS Action Modules
-
- 10.1. react
- 10.2. reject
- 10.3. rewrite
-
-11. IPS Option Modules
-
- 11.1. ack
- 11.2. appids
- 11.3. asn1
- 11.4. base64_decode
- 11.5. ber_data
- 11.6. ber_skip
- 11.7. bufferlen
- 11.8. byte_extract
- 11.9. byte_jump
- 11.10. byte_math
- 11.11. byte_test
- 11.12. cip_attribute
- 11.13. cip_class
- 11.14. cip_conn_path_class
- 11.15. cip_instance
- 11.16. cip_req
- 11.17. cip_rsp
- 11.18. cip_service
- 11.19. cip_status
- 11.20. classtype
- 11.21. content
- 11.22. cvs
- 11.23. dce_iface
- 11.24. dce_opnum
- 11.25. dce_stub_data
- 11.26. detection_filter
- 11.27. dnp3_data
- 11.28. dnp3_func
- 11.29. dnp3_ind
- 11.30. dnp3_obj
- 11.31. dsize
- 11.32. enable
- 11.33. enip_command
- 11.34. enip_req
- 11.35. enip_rsp
- 11.36. file_data
- 11.37. file_type
- 11.38. flags
- 11.39. flow
- 11.40. flowbits
- 11.41. fragbits
- 11.42. fragoffset
- 11.43. gid
- 11.44. gtp_info
- 11.45. gtp_type
- 11.46. gtp_version
- 11.47. http2_decoded_header
- 11.48. http2_frame_header
- 11.49. http_client_body
- 11.50. http_cookie
- 11.51. http_header
- 11.52. http_method
- 11.53. http_param
- 11.54. http_raw_body
- 11.55. http_raw_cookie
- 11.56. http_raw_header
- 11.57. http_raw_request
- 11.58. http_raw_status
- 11.59. http_raw_trailer
- 11.60. http_raw_uri
- 11.61. http_stat_code
- 11.62. http_stat_msg
- 11.63. http_trailer
- 11.64. http_true_ip
- 11.65. http_uri
- 11.66. http_version
- 11.67. icmp_id
- 11.68. icmp_seq
- 11.69. icode
- 11.70. id
- 11.71. ip_proto
- 11.72. ipopts
- 11.73. isdataat
- 11.74. itype
- 11.75. md5
- 11.76. metadata
- 11.77. modbus_data
- 11.78. modbus_func
- 11.79. modbus_unit
- 11.80. msg
- 11.81. mss
- 11.82. pcre
- 11.83. pkt_data
- 11.84. pkt_num
- 11.85. priority
- 11.86. raw_data
- 11.87. reference
- 11.88. regex
- 11.89. rem
- 11.90. replace
- 11.91. rev
- 11.92. rpc
- 11.93. s7commplus_content
- 11.94. s7commplus_func
- 11.95. s7commplus_opcode
- 11.96. sd_pattern
- 11.97. seq
- 11.98. service
- 11.99. sha256
- 11.100. sha512
- 11.101. sid
- 11.102. sip_body
- 11.103. sip_header
- 11.104. sip_method
- 11.105. sip_stat_code
- 11.106. so
- 11.107. soid
- 11.108. ssl_state
- 11.109. ssl_version
- 11.110. stream_reassemble
- 11.111. stream_size
- 11.112. tag
- 11.113. target
- 11.114. tos
- 11.115. ttl
- 11.116. urg
- 11.117. window
- 11.118. wscale
-
-12. Search Engine Modules
-13. SO Rule Modules
-14. Logger Modules
-
- 14.1. alert_csv
- 14.2. alert_ex
- 14.3. alert_fast
- 14.4. alert_full
- 14.5. alert_json
- 14.6. alert_sfsocket
- 14.7. alert_syslog
- 14.8. alert_talos
- 14.9. alert_unixsock
- 14.10. log_codecs
- 14.11. log_hext
- 14.12. log_pcap
- 14.13. unified2
-
-15. DAQ Configuration and Modules
-
- 15.1. Building the DAQ Library and Its Bundled DAQ Modules
- 15.2. Configuration
- 15.3. Interaction With Multiple Packet Threads
- 15.4. DAQ Modules Included With Snort 3
-
-16. Snort 3 vs Snort 2
-
- 16.1. Features New to Snort 3
- 16.2. Features Improved over Snort 2
- 16.3. Build Options
- 16.4. Command Line
- 16.5. Conf File
- 16.6. Rules
- 16.7. Output
- 16.8. Sensitive Data
- 16.9. Features Not Yet Supported by Snort 3
-
-17. Snort2Lua
-
- 17.1. Snort2Lua Command Line
- 17.2. Known Problems
- 17.3. Usage
-
-18. Extending Snort
-
- 18.1. Plugins
- 18.2. Modules
- 18.3. Inspectors
- 18.4. Codecs
- 18.5. IPS Actions
- 18.6. Piglet Test Harness
- 18.7. Piglet Lua API
- 18.8. Developers Guide
- 18.9. Performance Considerations for Developers
-
-19. Coding Style
-
- 19.1. General
- 19.2. C++ Specific
- 19.3. Naming
- 19.4. Comments
- 19.5. Logging
- 19.6. Types
- 19.7. Macros (aka defines)
- 19.8. Formatting
- 19.9. Headers
- 19.10. Warnings
- 19.11. Uncrustify
-
-20. Reference
-
- 20.1. Build Options
- 20.2. Environment Variables
- 20.3. Command Line Options
- 20.4. Configuration
- 20.5. Counts
- 20.6. Generators
- 20.7. Builtin Rules
- 20.8. Command Set
- 20.9. Signals
- 20.10. Configuration Changes
- 20.11. Module Listing
- 20.12. Plugin Listing
- 20.13. Limitations
-
-Snorty
-
- ,,_ -*> Snort++ <*-
-o" )~ Version 3.0.2 (Build 2)
- '''' By Martin Roesch & The Snort Team
- http://snort.org/contact#team
- Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
- Copyright (C) 1998-2013 Sourcefire, Inc., et al.
-
-
----------------------------------------------------------------------
-
-1. Overview
-
----------------------------------------------------------------------
-
-Snort 3.0 is an updated version of the Snort Intrusion Prevention
-System (IPS) which features a new design that provides a superset of
-Snort 2.X functionality with better throughput, detection,
-scalability, and usability. Some of the key features of Snort 3.0
-are:
-
- * Support multiple packet processing threads
- * Use a shared configuration and attribute table
- * Autodetect services for portless configuration
- * Modular design
- * Plugin framework with over 200 plugins
- * More scalable memory profile
- * LuaJIT configuration, loggers, and rule options
- * Hyperscan support
- * Rewritten TCP handling
- * New rule parser and syntax
- * Service rules like alert http
- * Rule "sticky" buffers
- * Way better SO rules
- * New HTTP inspector
- * New performance monitor
- * New time and space profiling
- * New latency monitoring and enforcement
- * Piglets to facilitate component testing
- * Inspection Events
- * Automake and Cmake
- * Autogenerate reference documentation
-
-Additional features are on the road map:
-
- * Use a shared network map
- * Support hardware offload for fast pattern acceleration
- * Provide support for DPDK and ODP
- * Support pipelining of packet processing
- * Support proxy mode
- * Multi-tennant support
- * Incremental reload
- * New serialization of perf data and events
- * Enhanced rule processing
- * Windows support
- * Anomaly detection
- * and more!
-
-The remainder of this section provides a high level survey of the
-inputs, processing, and outputs available with Snort 3.0.
-
-Snort++ is the project that is creating Snort 3.0. In this manual
-"Snort" or "Snort 3" refers to the 3.0 version and earlier versions
-will be referred to as "Snort 2" where the distinction is relevant.
-
-
-1.1. First Steps
-
---------------
-
-Snort can be configured to perform complex packet processing and deep
-packet inspection but it is best start simply and work up to more
-interesting tasks. Snort won’t do anything you didn’t specifically
-ask it to do so it is safe to just try things out and see what
-happens. Let’s start by just running Snort with no arguments:
-
-$ snort
-
-That will output usage information including some basic help
-commands. You should run all of these commands now to see what is
-available:
-
-$ snort -V
-$ snort -?
-$ snort --help
-
-Note that Snort has extensive command line help available so if
-anything below isn’t clear, there is probably a way to get the exact
-information you need from the command line.
-
-Now let’s examine the packets in a capture file (pcap):
-
-$ snort -r a.pcap
-
-Snort will decode and count the packets in the file and output some
-statistics. Note that the output excludes non-zero numbers so it is
-easy to see what is there.
-
-You may have noticed that there are command line options to limit the
-number of packets examined or set a filter to select particular
-packets. Now is a good time to experiment with those options.
-
-If you want to see details on each packet, you can dump the packets
-to console like this:
-
-$ snort -r a.pcap -L dump
-
-Add the -d option to see the TCP and UDP payload. Now let’s switch to
-live traffic. Replace eth0 in the below command with an available
-network interface:
-
-$ snort -i eth0 -L dump
-
-Unless the interface is taken down, Snort will just keep running, so
-enter Control-C to terminate or use the -n option to limit the number
-of packets.
-
-Generally it is better to capture the packets for later analysis like
-this:
-
-$ snort -i eth0 -L pcap -n 10
-
-Snort will write 10 packets to log.pcap.# where # is a timestamp
-value. You can read these back with -r and dump to console or pcap
-with -L. You get the idea.
-
-Note that you can do similar things with other tools like tcpdump or
-Wireshark however these commands are very useful when you want to
-check your Snort setup.
-
-The examples above use the default pcap DAQ. Snort supports non-pcap
-interfaces as well via the DAQ (data acquisition) library. Other DAQs
-provide additional functionality such as inline operation and/or
-higher performance. There are even DAQs that support raw file
-processing (ie without packets), socket processing, and plain text
-packets. To load external DAQ libraries and see available DAQs or
-select a particular DAQ use one of these commands:
-
-$ snort --daq-dir <path> --daq-list
-$ snort --daq-dir <path> --daq <type>
-
-Be sure to put the --daq-dir option ahead of the --daq-list option or
-the external DAQs won’t appear in the list.
-
-To leverage intrusion detection features of Snort you will need to
-provide some configuration details. The next section breaks down what
-must be done.
-
-
-1.2. Configuration
-
---------------
-
-Effective configuration of Snort is done via the environment, command
-line, a Lua configuration file, and a set of rules.
-
-Note that backwards compatibility with Snort 2 was sacrificed to
-obtain new and improved functionality. While Snort 3 leverages some
-of the Snort 2 code base, a lot has changed. The configuration of
-Snort 3 is done with Lua, so your old conf won’t work as is. Rules
-are still text based but with syntax tweaks, so your 2.X rules must
-be fixed up. However, snort2lua will help you convert your conf and
-rules to the new format.
-
-1.2.1. Command Line
-
-A simple command line might look like this:
-
-snort -c snort.lua -R cool.rules -r some.pcap -A cmg
-
-To understand what that does, you can start by just running snort
-with no arguments by running snort --help. Help for all configuration
-and rule options is available via a suitable command line. In this
-case:
-
--c snort.lua is the main configuration file. This is a Lua script
-that is executed when loaded.
-
--R cool.rules contains some detection rules. You can write your own
-or obtain them from Talos (native 3.0 rules are not yet available
-from Talos so you must convert them with snort2lua). You can also put
-your rules directly in your configuration file.
-
--r some.pcap tells Snort to read network traffic from the given
-packet capture file. You could instead use -i eth0 to read from a
-live interface. There many other options available too depending on
-the DAQ you use.
-
--A cmg says to output intrusion events in "cmg" format, which has
-basic header details followed by the payload in hex and text.
-
-Note that you add to and/or override anything in your configuration
-file by using the --lua command line option. For example:
-
---lua 'ips = { enable_builtin_rules = true }'
-
-will load the built-in decoder and inspector rules. In this case, ips
-is overwritten with the config you see above. If you just want to
-change the config given in your configuration file you would do it
-like this:
-
---lua 'ips.enable_builtin_rules = true'
-
-1.2.2. Configuration File
-
-The configuration file gives you complete control over how Snort
-processes packets. Start with the default snort.lua included in the
-distribution because that contains some key ingredients. Note that
-most of the configurations look like:
-
-stream = { }
-
-This means enable the stream module using internal defaults. To see
-what those are, you could run:
-
-snort --help-config stream
-
-Snort is organized into a collection of builtin and plugin modules.
-If a module has parameters, it is configured by a Lua table of the
-same name. For example, we can see what the active module has to
-offer with this command:
-
-$ snort --help-module active
-
-What: configure responses
-
-Type: basic
-
-Configuration:
-
-int active.attempts = 0: number of TCP packets sent per response (with
-varying sequence numbers) { 0:20 }
-
-string active.device: use 'ip' for network layer responses or 'eth0' etc
-for link layer
-
-string active.dst_mac: use format '01:23:45:67:89:ab'
-
-int active.max_responses = 0: maximum number of responses { 0: }
-
-int active.min_interval = 255: minimum number of seconds between
-responses { 1: }
-
-This says active is a basic module that has several parameters. For
-each, you will see:
-
-type module.name = default: help { range }
-
-For example, the active module has a max_responses parameter that
-takes non-negative integer values and defaults to zero. We can change
-that in Lua as follows:
-
-active = { max_responses = 1 }
-
-or:
-
-active = { }
-active.max_responses = 1
-
-If we also wanted to limit retries to at least 5 seconds, we could
-do:
-
-active = { max_responses = 1, min_interval = 5 }
-
-1.2.3. Whitelist
-
-When Snort is run with the --warn-conf-strict option, warnings will
-be generated for all Lua tables present in the configuration files
-that do not map to Snort module names. Like with other warnings,
-these will upgraded to errors when Snort is run in pedantic mode.
-
-To dynamically add exceptions that should bypass this strict
-validation, two Lua functions are made available to be called during
-the evaluation of Snort configuration files: snort_whitelist_append()
-and snort_whitelist_add_prefix(). Each function takes a
-whitespace-delimited list, the former a list of exact table names and
-the latter a list of table name prefixes to allow.
-
-Examples: snort_whitelist_append("table1 table2")
-snort_whitelist_add_prefix("local_ foobar_")
-
-The accumulated contents of the whitelist (both exact and prefix)
-will be dumped when Snort is run in verbose mode (-v).
-
-1.2.4. Rules
-
-Rules determine what Snort is looking for. They can be put directly
-in your Lua configuration file with the ips module, on the command
-line with --lua, or in external files. Generally you will have many
-rules obtained from various sources such as Talos and loading
-external files is the way to go so we will summarize that here. Add
-this to your Lua configuration:
-
-ips = { include = 'rules.txt' }
-
-to load the external rules file named rules.txt. You can only specify
-one file this way but rules files can include other rules files with
-the include statement. In addition you can load rules like:
-
-$ sort -c snort.lua -R rules.txt
-
-You can use both approaches together.
-
-1.2.5. Includes
-
-Your configuration file file may include other files, either directly
-via Lua or via various parameters. Snort will find relative includes
-in the following order:
-
- 1. If you specify --include-path, this directory will be tried
- first.
- 2. Snort will try the directory containing the including file.
- 3. Snort will try the directory containing the -c configuration
- file.
-
-Some things to keep in mind:
-
- * If you use the Lua dofile function, then you must specify
- absolute paths or paths relative to your working directory since
- Lua will execute the include before Snort sees the file contents.
- * For best results, use include in place of dofile. This function
- is provided to follow Snort’s include logic.
- * As of now, appid and reputation paths must be absolute or
- relative to the working directory. These will be updated in a
- future release.
-
-1.2.6. Converting Your 2.X Configuration
-
-If you have a working 2.X configuration snort2lua makes it easy to
-get up and running with Snort 3. This tool will convert your
-configuration and/or rules files automatically. You will want to
-clean up the results and double check that it is doing exactly what
-you need.
-
-snort2lua -c snort.conf
-
-The above command will generate snort.lua based on your 2.X
-configuration. For more information and options for more
-sophisticated use cases, see the Snort2Lua section later in the
-manual.
-
-
-1.3. Output
-
---------------
-
-Snort can produce quite a lot of data. In the following we will
-summarize the key aspects of the core output types. Additional data
-such as from appid is covered later.
-
-1.3.1. Basic Statistics
-
-At shutdown, Snort will output various counts depending on
-configuration and the traffic processed. Generally, you may see:
-
- * Packet Statistics - this includes data from the DAQ and decoders
- such as the number of packets received and number of UDP packets.
- * Module Statistics - each module tracks activity via a set of peg
- counts that indicate how many times something was observed or
- performed. This might include the number of HTTP GET requests
- processed and the number of TCP reset packets trimmed.
- * File Statistics - look here for a breakdown of file type, bytes,
- signatures.
- * Summary Statistics - this includes total runtime for packet
- processing and the packets per second. Profiling data will appear
- here as well if configured.
-
-Note that only the non-zero counts are output. Run this to see the
-available counts:
-
-$ snort --help-counts
-
-1.3.2. Alerts
-
-If you configured rules, you will need to configure alerts to see the
-details of detection events. Use the -A option like this:
-
-$ snort -c snort.lua -r a.pcap -A cmg
-
-There are many types of alert outputs possible. Here is a brief list:
-
- * -A cmg is the same as -A fast -d -e and will show information
- about the alert along with packet headers and payload.
- * -A u2 is the same as -A unified2 and will log events and
- triggering packets in a binary file that you can feed to other
- tools for post processing. Note that Snort 3 does not provide the
- raw packets for alerts on PDUs; you will get the actual buffer
- that alerted.
- * -A csv will output various fields in comma separated value
- format. This is entirely customizable and very useful for pcap
- analysis.
-
-To see the available alert types, you can run this command:
-
-$ snort --list-plugins | grep logger
-
-1.3.3. Files and Paths
-
-Note that output is specific to each packet thread. If you run 4
-packet threads with u2 output, you will get 4 different u2 files. The
-basic structure is:
-
-<logdir>/[<run_prefix>][<id#>][<X>]<name>
-
-where:
-
- * logdir is set with -l and defaults to ./
- * run_prefix is set with --run-prefix else not used
- * id# is the packet thread number that writes the file; with one
- packet thread, id# (zero) is omitted without --id-zero
- * X is / if you use --id-subdir, else _ if id# is used
- * name is based on module name that writes the file
-
-Additional considerations:
-
- * There is no way to explicitly configure a full path to avoid
- issues with multiple packet threads.
- * All text mode outputs default to stdout
-
-1.3.4. Performance Statistics
-
-Still more data is available beyond the above.
-
- * By configuring the perf_monitor module you can capture a
- configurable set of peg counts during runtime. This is useful to
- feed to an external program so you can see what is happening
- without stopping Snort.
- * The profiler module allows you to track time and space used by
- module and rules. Use this data to tune your system for best
- performance. The output will show up under Summary Statistics at
- shutdown.
-
-
----------------------------------------------------------------------
-
-2. Concepts
+Revision History
+Revision 3.0.2 (Build 2) 2020-07-23 11:20:26 EDT TST
---------------------------------------------------------------------
-This section provides background on essential aspects of Snort’s
-operation.
-
-
-2.1. Terminology
-
---------------
-
- * basic module: a module integrated into Snort that does not come
- from a plugin.
- * binder: inspector that maps configuration to traffic
- * builtin rules: codec and inspector rules for anomalies detected
- internally.
- * codec: short for coder / decoder. These plugins are used for
- basic protocol decoding, anomaly detection, and construction of
- active responses.
- * data module: an adjunct configuration plugin for use with certain
- inspectors.
- * dynamic rules: plugin rules loaded at runtime. See SO rules.
- * fast pattern: the content in an IPS rule that must be found by
- the search engine in order for a rule to be evaluated.
- * fast pattern matcher: see search engine.
- * hex: a type of protocol magic that the wizard uses to identify
- binary protocols.
- * inspector: plugin that processes packets (similar to the Snort 2
- preprocessor)
- * IPS: intrusion prevention system, like Snort.
- * IPS action: plugin that allows you to perform custom actions when
- events are generated. Unlike loggers, these are invoked before
- thresholding and can be used to control external agents or send
- active responses.
- * IPS option: this plugin is the building blocks of IPS rules.
- * logger: a plugin that performs output of events and packets.
- Events are thresholded before reaching loggers.
- * module: the user facing portion of a Snort component. Modules
- chiefly provide configuration parameters, but may also provide
- commands, builtin rules, profiling statistics, peg counts, etc.
- Note that not all modules are plugins and not all plugins have
- modules.
- * peg count: the number of times a given event or condition occurs.
- * plugin: one of several types of software components that can be
- loaded from a dynamic library when Snort starts up. Some plugins
- are coupled with the main engine in such a way that they must be
- built statically, but a newer version can be loaded dynamically.
- * search engine: a plugin that performs multipattern searching of
- packets and payload to find rules that should be evaluated. There
- are currently no specific modules, although there are several
- search engine plugins. Related configuration is done with the
- basic detection module. Aka fast pattern matcher.
- * SO rule: a IPS rule plugin that performs custom detection that
- can’t be done by a text rule. These rules typically do not have
- associated modules. SO comes from shared object, meaning dynamic
- library.
- * spell: a type of protocol magic that the wizard uses to identify
- ASCII protocols.
- * text rule: a rule loaded from the configuration that has a header
- and body. The header specifies action, protocol, source and
- destination IP addresses and ports, and direction. The body
- specifies detection and non-detection options.
- * wizard: inspector that applies protocol magic to determine which
- inspectors should be bound to traffic absent a port specific
- binding. See hex and spell.
-
-
-2.2. Modules
-
---------------
-
-Modules are the building blocks of Snort. They encapsulate the types
-of data that many components need including parameters, peg counts,
-profiling, builtin rules, and commands. This allows Snort to handle
-them generically and consistently. You can learn quite a lot about
-any given module from the command line. For example, to see what
-stream_tcp is all about, do this:
-
-$ snort --help-config stream_tcp
-
-Modules are configured using Lua tables with the same name. So the
-stream_tcp module is configured with defaults like this:
-
-stream_tcp = { }
-
-The earlier help output showed that the default session tracking
-timeout is 30 seconds. To change that to 60 seconds, you can
-configure it this way:
-
-stream_tcp = { session_timeout = 60 }
-
-Or this way:
-
-stream_tcp = { }
-stream_tcp.session_timeout = 60
-
-More on parameters is given in the next section.
-
-Other things to note about modules:
-
- * Shutdown output will show the non-zero peg counts for all
- modules. For example, if stream_tcp did anything, you would see
- the number of sessions processed among other things.
- * Providing the builtin rules allows the documentation to include
- them automatically and also allows for autogenerating the rules
- at startup.
- * Only a few module provide commands at this point, most notably
- the snort module.
-
-
-2.3. Parameters
-
---------------
-
-Parameters are given with this format:
-
-type name = default: help { range }
-
-The following types are used:
-
- * addr: any valid IP4 or IP6 address or CIDR
- * addr_list: a space separated list of addr values
- * bit_list: a list of consecutive integer values from 1 to the
- range maximum
- * bool: true or false
- * dynamic: a select type determined by loaded plugins
- * enum: a string selected from the given range
- * implied: an IPS rule option that takes no value but means true
- * int: a whole number in the given range
- * interval: a set of ints (see below)
- * ip4: an IP4 address or CIDR
- * mac: an ethernet address with the form 01:02:03:04:05:06
- * multi: one or more space separated strings from the given range
- * port: an int in the range 0:65535 indicating a TCP or UDP port
- number
- * real: a real number in the given range
- * select: a string selected from the given range
- * string: any string with no more than the given length, if any
-
-The parameter name may be adorned in various ways to indicate
-additional information about the type and use of the parameter:
-
- * For Lua configuration (not IPS rules), if the name ends with []
- it is a list item and can be repeated.
- * For IPS rules only, names starting with ~ indicate positional
- parameters. The names of such parameters do not appear in the
- rule.
- * IPS rules may also have a wild card parameter, which is indicated
- by a *. Used for unquoted, comma-separated lists such as service
- and metadata.
- * The snort module has command line options starting with a -.
- * $ denotes variable names, eg rule_state.$gid_sid which would be
- used like rule_state["1:23456"] = { }.
-
-Some additional details to note:
-
- * Table and variable names are case sensitive; use lower case only.
- * String values are case sensitive too; use lower case only.
- * Numeric ranges may be of the form low:high where low and high are
- bounds included in the range. If either is omitted, there is no
- hard bound. E.g. 0: means any x where x >= 0.
- * Strings may have a numeric range indicating a length limit;
- otherwise there is no hard limit.
- * bit_list is typically used to store a set of byte, port, or VLAN
- ID values.
- * interval takes the form [operator]i, j<>k, or j<⇒k where i,j,k
- are integers and operator is one of =, !, != (same as !), <, ⇐,
- >, >=. j<>k means j < int < k and j<⇒k means j ⇐ int ⇐ k.
- * Ranges may use maxXX like { 1:max32 } since max32 is easier to
- read than 4294967295. To get the values of maxXX, use snort
- --help-limits.
-
-
-2.4. Plugins
-
---------------
-
-Snort uses a variety of plugins to accomplish much of its processing
-objectives, including:
-
- * Codec - to decode and encode packets
- * Inspector - like Snort 2 preprocessors, for normalization, etc.
- * IpsOption - for detection in Snort rules
- * IpsAction - for custom actions
- * Logger - for handling events
- * Mpse - for fast pattern matching
- * So - for dynamic rules
-
-The power of plugins is that they have a very focused purpose and can
-be created with relative ease. For example, you can extend the rule
-language by writing your own IpsOption and it will plug in and
-function just like existing options. The extra directory has examples
-of each type of plugin.
-
-Most plugins can be built statically or dynamically. By default they
-are all static. There is no difference in functionality between
-static or dynamic plugins but the dynamic build generates a slightly
-lighter weight binary. Either way you can add dynamic plugins with
---plugin-path and newer versions will replace older versions, even
-when built statically.
-
-A single dynamic library may contain more than one plugin. For
-example, an inspector will typically be packaged together with any
-associated rule options.
-
-
-2.5. Operation
-
---------------
-
-Snort is a signature-based IPS, which means that as it receives
-network packets it reassembles and normalizes the content so that a
-set of rules can be evaluated to detect the presence of any
-significant conditions that merit further action. A rough processing
-flow is as follows:
-
-Snort 2
-
-The steps are:
-
- 1. Decode each packet to determine the basic network characteristics
- such as source and destination addresses and ports. A typical
- packet might have ethernet containing IP containing TCP
- containing HTTP (ie eth:ip:tcp:http). The various encapsulating
- protocols are examined for sanity and anomalies as the packet is
- decoded. This is essentially a stateless effort.
- 2. Preprocess each decoded packet using accumulated state to
- determine the purpose and content of the innermost message. This
- step may involve reordering and reassembling IP fragments and TCP
- segments to produce the original application protocol data unit
- (PDU). Such PDUs are analyzed and normalized as needed to support
- further processing.
- 3. Detection is a two step process. For efficiency, most rules
- contain a specific content pattern that can be searched for such
- that if no match is found no further processing is necessary.
- Upon start up, the rules are compiled into pattern groups such
- that a single, parallel search can be done for all patterns in
- the group. If any match is found, the full rule is examined
- according to the specifics of the signature.
- 4. The logging step is where Snort saves any pertinent information
- resulting from the earlier steps. More generally, this is where
- other actions can be taken as well such as blocking the packet.
-
-2.5.1. Snort 2 Processing
-
-The preprocess step in Snort 2 is highly configurable. Arbitrary
-preprocessors can be loaded dynamically at startup, configured in
-snort.conf, and then executed at runtime. Basically, the
-preprocessors are put into a list which is iterated for each packet.
-Recent versions have tweaked the list handling some, but the same
-basic architecture has allowed Snort 2 to grow from a sniffer, with
-no preprocessing, to a full-fledged IPS, with lots of preprocessing.
-
-While this "list of plugins" approach has considerable flexibility,
-it hampers future development when the flow of data from one
-preprocessor to the next depends on traffic conditions, a common
-situation with advanced features like application identification. In
-this case, a preprocessor like HTTP may be extracting and normalizing
-data that ultimately is not used, or appID may be repeatedly checking
-for data that is just not available.
-
-Callbacks help break out of the preprocess straitjacket. This is
-where one preprocessor supplies another with a function to call when
-certain data is available. Snort has started to take this approach to
-pass some HTTP and SIP preprocessor data to appID. However, it
-remains a peripheral feature and still requires the production of
-data that may not be consumed.
-
-2.5.2. Snort 3 Processing
-
-One of the goals of Snort 3 is to provide a more flexible framework
-for packet processing by implementing an event-driven approach.
-Another is to produce data only when needed to minimize expensive
-normalizations. However, the basic packet processing provides very
-similar functionality.
-
-The basic processing steps Snort 3 takes are similar to Snort 2 as
-seen in the following diagram. The preprocess step employs specific
-inspector types instead of a generalized list, but the basic
-procedure includes stateless packet decoding, TCP stream reassembly,
-and service specific analysis in both cases. (Snort 3 provides hooks
-for arbitrary inspectors, but they are not central to basic flow
-processing and are not shown.)
-
-Snort 3
-
-However, Snort 3 also provides a more flexible mechanism than
-callback functions. By using inspection events, it is possible for an
-inspector to supply data that other inspectors can process. This is
-known as the observer pattern or publish-subscribe pattern.
-
-Note that the data is not actually published. Instead, access to the
-data is published, and that means that subscribers can access the raw
-or normalized version(s) as needed. Normalizations are done only on
-the first access, and subsequent accesses get the previously
-normalized data. This results in just in time (JIT) processing.
-
-A basic example of this in action is provided by the extra data_log
-plugin. It is a passive inspector, ie it does nothing until it
-receives the data it subscribed for (other in the above diagram). By
-adding the following to your snort.lua configuration, you will get a
-simple URI logger.
-
-data_log = { key = 'http_raw_uri' }
-
-Inspection events coupled with pluggable inspectors provide a very
-flexible framework for implementing new features. And JIT buffer
-stuffers allow Snort to work smarter, not harder. These capabilities
-will be leveraged more and more as Snort development continues.
-
-
-2.6. Rules
-
---------------
-
-Rules tell Snort how to detect interesting conditions, such as an
-attack, and what to do when the condition is detected. Here is an
-example rule:
-
-alert tcp any any -> 192.168.1.1 80 ( msg:"A ha!"; content:"attack"; sid:1; )
-
-The structure is:
-
-action proto source dir dest ( body )
-
-Where:
-
-action - tells Snort what to do when a rule "fires", ie when the
-signature matches. In this case Snort will log the event. It can also
-do thing like block the flow when running inline.
-
-proto - tells Snort what protocol applies. This may be ip, icmp, tcp,
-udp, http, etc.
-
-source - specifies the sending IP address and port, either of which
-can be the keyword any, which is a wildcard.
-
-dir - must be either unidirectional as above or bidirectional
-indicated by <>.
-
-dest - similar to source but indicates the receiving end.
-
-body - detection and other information contained in parenthesis.
-
-There are many rule options available to construct as sophisticated a
-signature as needed. In this case we are simply looking for the
-"attack" in any TCP packet. A better rule might look like this:
-
-alert http
-(
- msg:"Gotcha!";
- flow:established, to_server;
- http_uri:"attack";
- sid:2;
-)
-
-Note that these examples have a sid option, which indicates the
-signature ID. In general rules are specified by gid:sid:rev notation,
-where gid is the generator ID and rev is the revision of the rule. By
-default, text rules are gid 1 and shared-object (SO) rules are gid 3.
-The various components within Snort that generate events have 1XX
-gids, for example the decoder is gid 116. You can list the internal
-gids and sids with these commands:
-
-$ snort --list-gids
-$ snort --list-builtin
-
-For details on these and other options, see the reference section.
-
-
-2.7. Pattern Matching
-
---------------
-
-Snort evaluates rules in a two-step process which includes a fast
-pattern search and full evaluation of the signature. More details on
-this process follow.
-
-2.7.1. Rule Groups
-
-When Snort starts or reloads configuration, rules are grouped by
-protocol, port and service. For example, all TCP rules using the
-HTTP_PORTS variable will go in one group and all service HTTP rules
-will go in another group. These rule groups are compiled into
-multipattern search engines (MPSE) which are designed to search for
-all patterns with just a single pass through a given packet or
-buffer. You can select the algorithm to use for fast pattern searches
-with search_engine.search_method which defaults to ac_bnfa, which
-balances speed and memory. For a faster search at the expense of
-significantly more memory, use ac_full. For best performance and
-reasonable memory, download the hyperscan source from Intel.
-
-2.7.2. Fast Patterns
-
-Fast patterns are content strings that have the fast_pattern option
-or which have been selected by Snort automatically to be used as a
-fast pattern. Snort will by default choose the longest pattern in the
-rule since that is likely to be most unique. That is not always the
-case so add fast_pattern to the appropriate content option for best
-performance. The ideal fast pattern is one which, if found, is very
-likely to result in a rule match. Fast patterns that match frequently
-for unrelated traffic will cause Snort to work hard with little to
-show for it.
-
-Certain contents are not eligible to be used as fast patterns.
-Specifically, if a content is negated, then if it is also relative to
-another content, case sensitive, or has non-zero offset or depth,
-then it is not eligible to be used as a fast pattern.
-
-2.7.3. Rule Evaluation
-
-For each fast pattern match, the corresponding rule(s) are evaluated
-left-to-right. Rule evaluation requires checking each detection
-option in a rule and is a fairly costly process which is why fast
-patterns are so important. Rule evaluation aborts on the first
-non-matching option.
-
-When rule evaluation takes place, the fast pattern match will
-automatically be skipped if possible. Note that this differs from
-Snort 2 which provided the fast_pattern:only option to designate such
-cases. This is one less thing for the rule writer to worry about.
-
+Table of Contents
----------------------------------------------------------------------
+1. Help
+2. Basic Modules
+
+ 2.1. active
+ 2.2. alerts
+ 2.3. attribute_table
+ 2.4. classifications
+ 2.5. daq
+ 2.6. decode
+ 2.7. detection
+ 2.8. event_filter
+ 2.9. event_queue
+ 2.10. high_availability
+ 2.11. host_cache
+ 2.12. host_tracker
+ 2.13. hosts
+ 2.14. inspection
+ 2.15. ips
+ 2.16. latency
+ 2.17. memory
+ 2.18. network
+ 2.19. output
+ 2.20. packet_tracer
+ 2.21. packets
+ 2.22. payload_injector
+ 2.23. process
+ 2.24. profiler
+ 2.25. rate_filter
+ 2.26. references
+ 2.27. rule_state
+ 2.28. search_engine
+ 2.29. side_channel
+ 2.30. snort
+ 2.31. suppress
+ 2.32. trace
+
+3. Codec Modules
+
+ 3.1. arp
+ 3.2. auth
+ 3.3. ciscometadata
+ 3.4. eapol
+ 3.5. erspan2
+ 3.6. erspan3
+ 3.7. esp
+ 3.8. eth
+ 3.9. fabricpath
+ 3.10. gre
+ 3.11. gtp
+ 3.12. icmp4
+ 3.13. icmp6
+ 3.14. igmp
+ 3.15. ipv4
+ 3.16. ipv6
+ 3.17. llc
+ 3.18. mpls
+ 3.19. pbb
+ 3.20. pgm
+ 3.21. pppoe
+ 3.22. tcp
+ 3.23. token_ring
+ 3.24. udp
+ 3.25. vlan
+ 3.26. wlan
+
+4. Connector Modules
+
+ 4.1. file_connector
+ 4.2. tcp_connector
+
+5. Inspector Modules
+
+ 5.1. appid
+ 5.2. appid_listener
+ 5.3. arp_spoof
+ 5.4. back_orifice
+ 5.5. binder
+ 5.6. cip
+ 5.7. data_log
+ 5.8. dce_http_proxy
+ 5.9. dce_http_server
+ 5.10. dce_smb
+ 5.11. dce_tcp
+ 5.12. dce_udp
+ 5.13. dnp3
+ 5.14. dns
+ 5.15. domain_filter
+ 5.16. dpx
+ 5.17. file_id
+ 5.18. file_log
+ 5.19. ftp_client
+ 5.20. ftp_data
+ 5.21. ftp_server
+ 5.22. gtp_inspect
+ 5.23. http2_inspect
+ 5.24. http_inspect
+ 5.25. imap
+ 5.26. mem_test
+ 5.27. modbus
+ 5.28. normalizer
+ 5.29. null_trace_logger
+ 5.30. packet_capture
+ 5.31. perf_monitor
+ 5.32. pop
+ 5.33. port_scan
+ 5.34. reputation
+ 5.35. rna
+ 5.36. rpc_decode
+ 5.37. s7commplus
+ 5.38. sip
+ 5.39. smtp
+ 5.40. so_proxy
+ 5.41. ssh
+ 5.42. ssl
+ 5.43. stream
+ 5.44. stream_file
+ 5.45. stream_icmp
+ 5.46. stream_ip
+ 5.47. stream_tcp
+ 5.48. stream_udp
+ 5.49. stream_user
+ 5.50. telnet
+ 5.51. wizard
+
+6. IPS Action Modules
+
+ 6.1. react
+ 6.2. reject
+ 6.3. rewrite
+
+7. IPS Option Modules
+
+ 7.1. ack
+ 7.2. appids
+ 7.3. asn1
+ 7.4. base64_decode
+ 7.5. ber_data
+ 7.6. ber_skip
+ 7.7. bufferlen
+ 7.8. byte_extract
+ 7.9. byte_jump
+ 7.10. byte_math
+ 7.11. byte_test
+ 7.12. cip_attribute
+ 7.13. cip_class
+ 7.14. cip_conn_path_class
+ 7.15. cip_instance
+ 7.16. cip_req
+ 7.17. cip_rsp
+ 7.18. cip_service
+ 7.19. cip_status
+ 7.20. classtype
+ 7.21. content
+ 7.22. cvs
+ 7.23. dce_iface
+ 7.24. dce_opnum
+ 7.25. dce_stub_data
+ 7.26. detection_filter
+ 7.27. dnp3_data
+ 7.28. dnp3_func
+ 7.29. dnp3_ind
+ 7.30. dnp3_obj
+ 7.31. dsize
+ 7.32. enable
+ 7.33. enip_command
+ 7.34. enip_req
+ 7.35. enip_rsp
+ 7.36. file_data
+ 7.37. file_type
+ 7.38. flags
+ 7.39. flow
+ 7.40. flowbits
+ 7.41. fragbits
+ 7.42. fragoffset
+ 7.43. gid
+ 7.44. gtp_info
+ 7.45. gtp_type
+ 7.46. gtp_version
+ 7.47. http2_decoded_header
+ 7.48. http2_frame_header
+ 7.49. http_client_body
+ 7.50. http_cookie
+ 7.51. http_header
+ 7.52. http_method
+ 7.53. http_param
+ 7.54. http_raw_body
+ 7.55. http_raw_cookie
+ 7.56. http_raw_header
+ 7.57. http_raw_request
+ 7.58. http_raw_status
+ 7.59. http_raw_trailer
+ 7.60. http_raw_uri
+ 7.61. http_stat_code
+ 7.62. http_stat_msg
+ 7.63. http_trailer
+ 7.64. http_true_ip
+ 7.65. http_uri
+ 7.66. http_version
+ 7.67. icmp_id
+ 7.68. icmp_seq
+ 7.69. icode
+ 7.70. id
+ 7.71. ip_proto
+ 7.72. ipopts
+ 7.73. isdataat
+ 7.74. itype
+ 7.75. md5
+ 7.76. metadata
+ 7.77. modbus_data
+ 7.78. modbus_func
+ 7.79. modbus_unit
+ 7.80. msg
+ 7.81. mss
+ 7.82. pcre
+ 7.83. pkt_data
+ 7.84. pkt_num
+ 7.85. priority
+ 7.86. raw_data
+ 7.87. reference
+ 7.88. regex
+ 7.89. rem
+ 7.90. replace
+ 7.91. rev
+ 7.92. rpc
+ 7.93. s7commplus_content
+ 7.94. s7commplus_func
+ 7.95. s7commplus_opcode
+ 7.96. sd_pattern
+ 7.97. seq
+ 7.98. service
+ 7.99. sha256
+ 7.100. sha512
+ 7.101. sid
+ 7.102. sip_body
+ 7.103. sip_header
+ 7.104. sip_method
+ 7.105. sip_stat_code
+ 7.106. so
+ 7.107. soid
+ 7.108. ssl_state
+ 7.109. ssl_version
+ 7.110. stream_reassemble
+ 7.111. stream_size
+ 7.112. tag
+ 7.113. target
+ 7.114. tos
+ 7.115. ttl
+ 7.116. urg
+ 7.117. window
+ 7.118. wscale
+
+8. Search Engine Modules
+9. SO Rule Modules
+10. Logger Modules
+
+ 10.1. alert_csv
+ 10.2. alert_ex
+ 10.3. alert_fast
+ 10.4. alert_full
+ 10.5. alert_json
+ 10.6. alert_sfsocket
+ 10.7. alert_syslog
+ 10.8. alert_talos
+ 10.9. alert_unixsock
+ 10.10. log_codecs
+ 10.11. log_hext
+ 10.12. log_pcap
+ 10.13. unified2
+
+11. Appendix
+
+ 11.1. Build Options
+ 11.2. Environment Variables
+ 11.3. Command Line Options
+ 11.4. Configuration
+ 11.5. Counts
+ 11.6. Generators
+ 11.7. Builtin Rules
+ 11.8. Command Set
+ 11.9. Signals
+ 11.10. Module Listing
+ 11.11. Plugin Listing
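Review bot: the inserted table starts at "+Table of Contents" immediately followed by "+1. Help" with no blank line after the heading, while every chapter with sub-entries in the same block is set off by a blank line before its list (e.g. the blank line before "+ 2.1. active"); add a blank line after "+Table of Contents" so the heading is spaced like the rest of the table. More importantly, the surrounding deletions remove "2.5. Operation" through "2.7. Pattern Matching" and "3. Tutorial" through "5.1. Active Response" (Dependencies, Building, Running, Tips, Help, Common Errors, Gotchas, Known Issues, the whole Usage chapter) and nothing in the added lines says where that material now lives; the new top-level "1. Help" entry has no sub-entries and the removed 3.5/3.6/3.7 text was the only troubleshooting guidance in this file, so the commit message or the new "1. Help" chapter should point readers at the document that now carries it. Also note the removed tutorial text had a duplicated bullet ("You can process multiple sources at one time by using the -z or --max-threads option." appears twice under General Use) and "--list-plugins" was described as "list all known modules"; if that text is being moved rather than dropped, carry the fixes over.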
-3. Tutorial
---------------------------------------------------------------------
-The section will walk you through building and running Snort. It is
-not exhaustive but, once you master this material, you should be able
-to figure out more advanced usage.
-
-
-3.1. Dependencies
-
---------------
-
-Required:
-
- * a compiler that supports the C++14 feature set
- * cmake to build from source
- * daq from https://github.com/snort3/libdaq for packet IO
- * dnet from https://github.com/dugsong/libdnet.git for network
- utility functions
- * hwloc from https://www.open-mpi.org/projects/hwloc/ for CPU
- affinity management
- * LuaJIT from http://luajit.org for configuration and scripting
- * OpenSSL from https://www.openssl.org/source/ for SHA and MD5 file
- signatures, the protected_content rule option, and SSL service
- detection
- * pcap from http://www.tcpdump.org for tcpdump style logging
- * pcre from http://www.pcre.org for regular expression pattern
- matching
- * pkgconfig from https://www.freedesktop.org/wiki/Software/
- pkg-config/ to locate build dependencies
- * zlib from http://www.zlib.net for decompression (>= 1.2.8
- recommended)
-
-Optional:
-
- * asciidoc from http://www.methods.co.nz/asciidoc/ to build the
- HTML manual
- * cpputest from http://cpputest.github.io to run additional unit
- tests with make check
- * dblatex from http://dblatex.sourceforge.net to build the pdf
- manual (in addition to asciidoc)
- * flatbuffers from https://google.github.io/flatbuffers/ for
- enabling the flatbuffers serialization format
- * hyperscan >= 4.4.0 from https://github.com/01org/hyperscan to
- build new the regex and sd_pattern rule options and hyperscan
- search engine. Hyperscan is large so it recommended to follow
- their instructions for building it as a shared library.
- * iconv from https://ftp.gnu.org/pub/gnu/libiconv/ for converting
- UTF16-LE filenames to UTF8 (usually included in glibc)
- * libunwind from https://www.nongnu.org/libunwind/ to attempt to
- dump a somewhat readable backtrace when a fatal signal is
- received
- * lzma >= 5.1.2 from http://tukaani.org/xz/ for decompression of
- SWF and PDF files
- * safec >= 3.5 from https://github.com/rurban/safeclib/ for runtime
- bounds checks on certain legacy C-library calls
- * source-highlight from http://www.gnu.org/software/src-highlite/
- to generate the dev guide
- * w3m from http://sourceforge.net/projects/w3m/ to build the plain
- text manual
- * uuid from uuid-dev package for unique identifiers
-
-
-3.2. Building
-
---------------
-
- * Optionally built features are listed in the reference section.
- * Create an install path:
-
- export my_path=/path/to/snorty
- mkdir -p $my_path
-
- * If LibDAQ was installed to a custom, non-system path:
-
- export PKG_CONFIG_PATH=/libdaq/install/path/lib/pkgconfig:$PKG_CONFIG_PATH
-
- * Now do one of the following:
-
- a. To build with cmake and make, run configure_cmake.sh. It will
- automatically create and populate a new subdirectory named
- build.
-
- ./configure_cmake.sh --prefix=$my_path
- cd build
- make -j
- make install
- ln -s $my_path/conf $my_path/etc
-
- b. You can also specify a cmake project generator:
-
- ./configure_cmake.sh --generator=Xcode --prefix=$my_path
-
- c. Or use ccmake directly to configure and generate from an
- arbitrary build directory like one of these:
-
- ccmake -G Xcode /path/to/Snort++/tree
- open snort.xcodeproj
-
- ccmake -G "Eclipse CDT4 - Unix Makefiles" /path/to/Snort++/tree
- run eclipse and do File > Import > Existing Eclipse Project
-
- * To build with g++ on OS X where clang is installed, do this
- first:
-
- export CXX=g++
-
-
-3.3. Running
-
---------------
-
-Examples:
-
- * Get some help:
-
- $my_path/bin/snort --help
- $my_path/bin/snort --help-module suppress
- $my_path/bin/snort --help-config | grep thread
-
- * Examine and dump a pcap:
-
- $my_path/bin/snort -r <pcap>
- $my_path/bin/snort -L dump -d -e -q -r <pcap>
-
- * Verify config, with or w/o rules:
-
- $my_path/bin/snort -c $my_path/etc/snort/snort.lua
- $my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules
-
- * Run IDS mode. To keep it brief, look at the first n packets in
- each file:
-
- $my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
- -r <pcap> -A alert_test -n 100000
-
- * Let’s suppress 1:2123. We could edit the conf or just do this:
-
- $my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
- -r <pcap> -A alert_test -n 100000 --lua "suppress = { { gid = 1, sid = 2123 } }"
-
- * Go whole hog on a directory with multiple packet threads:
-
- $my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
- --pcap-filter \*.pcap --pcap-dir <dir> -A alert_fast -n 1000 --max-packet-threads 8
-
-For more examples, see the usage section.
-
-
-3.4. Tips
-
---------------
-
-One of the goals of Snort 3 is to make it easier to configure your
-sensor. Here is a summary of tips and tricks you may find useful.
-
-General Use
-
- * Snort tries hard not to error out too quickly. It will report
- multiple semantic errors.
- * Snort always assumes the simplest mode of operation. Eg, you can
- omit the -T option to validate the conf if you don’t provide a
- packet source.
- * Warnings are not emitted unless --warn-* is specified. --warn-all
- enables all warnings, and --pedantic makes such warnings fatal.
- * You can process multiple sources at one time by using the -z or
- --max-threads option.
- * To make it easy to find the important data, zero counts are not
- output at shutdown.
- * Load plugins from the command line with --plugin-path /path/to/
- install/lib.
- * You can process multiple sources at one time by using the -z or
- --max-threads option.
- * Unit tests are configured with --enable-unit-tests. They can then
- be run with snort --catch-test [tags]|all.
-
-Lua Configuration
-
- * Configure the wizard and default bindings will be created based
- on configured inspectors. No need to explicitly bind ports in
- this case.
- * You can override or add to your Lua conf with the --lua command
- line option.
- * The Lua conf is a live script that is executed when loaded. You
- can add functions, grab environment variables, compute values,
- etc.
- * You can also rename symbols that you want to disable. For
- example, changing normalizer to Xnormalizer (an unknown symbol)
- will disable the normalizer. This can be easier than commenting
- in some cases.
- * By default, symbols unknown to Snort are silently ignored. You
- can generate warnings for them with --warn-unknown. To ignore
- such symbols, export them in the environment variable
- SNORT_IGNORE.
-
-Writing and Loading Rules
-
-Snort rules allow arbitrary whitespace. Multi-line rules make it
-easier to structure your rule for clarity. There are multiple ways to
-add comments to your rules:
-
- * The # character starts a comment to end of line. In addition, all
- lines between #begin and #end are comments.
- * The rem option allows you to write a comment that is conveyed
- with the rule.
- * C style multi-line comments are allowed, which means you can
- comment out portions of a rule while testing it out by putting
- the options between /* and */.
-
-There are multiple ways to load rules too:
-
- * Set ips.rules or ips.include.
- * include statements can be used in rules files.
- * Use -R to load a rules file.
- * Use --stdin-rules with command line redirection.
- * Use --lua to specify one or more rules as a command line
- argument.
-
-Output Files
-
-To make it simple to configure outputs when you run with multiple
-packet threads, output files are not explicitly configured. Instead,
-you can use the options below to format the paths:
-
-<logdir>/[<run_prefix>][<id#>][<X>]<name>
-
- * logdir is set with -l and defaults to ./
- * run_prefix is set with --run-prefix else not used
- * id# is the packet thread number that writes the file; with one
- packet thread, id# (zero) is omitted without --id-zero
- * X is / if you use --id-subdir, else _ if id# is used
- * name is based on module name that writes the file
- * all text mode outputs default to stdout
-
-
-3.5. Help
-
---------------
-
-Snort has several options to get more help:
-
--? list command line options (same as --help)
---help this overview of help
---help-commands [<module prefix>] output matching commands
---help-config [<module prefix>] output matching config options
---help-counts [<module prefix>] output matching peg counts
---help-limits print the int upper bounds denoted by max*
---help-module <module> output description of given module
---help-modules list all available modules with brief help
---help-plugins list all available plugins with brief help
---help-options [<option prefix>] output matching command line options
---help-signals dump available control signals
---list-buffers output available inspection buffers
---list-builtin [<module prefix>] output matching builtin rules
---list-gids [<module prefix>] output matching generators
---list-modules [<module type>] list all known modules
---list-plugins list all known modules
---show-plugins list module and plugin versions
-
---help* and --list* options preempt other processing so should be last on the
-command line since any following options are ignored. To ensure options like
---markup and --plugin-path take effect, place them ahead of the help or list
-options.
-
-Options that filter output based on a matching prefix, such as --help-config
-won't output anything if there is no match. If no prefix is given, everything
-matches.
-
-Report bugs to bugs@snort.org.
-
-
-3.6. Common Errors
-
---------------
-
-PANIC: unprotected error in call to Lua API (cannot open
-snort_defaults.lua: No such file or directory)
-
- * export SNORT_LUA_PATH to point to any dofiles
-
-ERROR can’t find xyz
-
- * if xyz is the name of a module, make sure you are not assigning a
- scalar where a table is required (e.g. xyz = 2 should be xyz = {
- }).
-
-ERROR can’t find x.y
-
- * module x does not have a parameter named y. check --help-module x
- for available parameters.
-
-ERROR invalid x.y = z
-
- * the value z is out of range for x.y. check --help-config x.y for
- the range allowed.
-
-ERROR: x = { y = z } is in conf but is not being applied
-
- * make sure that x = { } isn’t set later because it will override
- the earlier setting. same for x.y.
-
-FATAL: can’t load lua/errors.lua: lua/errors.lua:68: = expected near
-';'
-
- * this is a syntax error reported by Lua to Snort on line 68 of
- errors.lua.
-
-ERROR: rules(2) unknown rule keyword: find.
-
- * this was due to not including the --script-path.
-
-WARNING: unknown symbol x
-
- * if you any variables, you can squelch such warnings by setting
- them in an environment variable SNORT_IGNORE. to ignore x, y, and
- z:
-
- export SNORT_IGNORE="x y z"
-
-
-3.7. Gotchas
-
---------------
-
- * A nil key in a table will not be caught. Neither will a nil value
- in a table. Neither of the following will cause errors, nor will
- they actually set http_inspect.request_depth:
-
- http_inspect = { request_depth }
- http_inspect = { request_depth = undefined_symbol }
-
- * It is not an error to set a value multiple times. The actual
- value applied may not be the last in the table either. It is best
- to avoid such cases.
-
- http_inspect =
- {
- request_depth = 1234,
- request_depth = 4321
- }
-
- * Snort can’t tell you the exact filename or line number of a
- semantic error but it will tell you the fully qualified name.
-
-
-3.8. Known Issues
-
---------------
-
- * The dump DAQ will not work with multiple threads unless you use
- --daq-var output=none. This will be fixed at some point to use
- the Snort log directory, etc.
- * If you build with hyperscan on OS X and see:
-
- dyld: Library not loaded: @rpath/libhs.4.0.dylib
-
- when you try to run src/snort, export DYLD_LIBRARY_PATH with the path to
- libhs. You can also do:
-
- install_name_tool -change @rpath/libhs.4.0.dylib \
- /path-to/libhs.4.0.dylib src/snort
-
- * Snort built with tcmalloc support (--enable-tcmalloc) on Ubuntu
- 17.04/18.04 crashes immediately.
-
- Workaround:
- Uninstall gperftools 2.5 provided by the distribution and install gperftools
- 2.7 before building Snort.
-
-
----------------------------------------------------------------------
-
-4. Usage
-
----------------------------------------------------------------------
-
-For the following examples "$my_path" is assumed to be the path to
-the Snort install directory. Additionally, it is assumed that
-"$my_path/bin" is in your PATH.
-
-
-4.1. Help
-
---------------
-
-Print the help summary:
-
-snort --help
-
-Get help on a specific module ("stream", for example):
-
-snort --help-module stream
-
-Get help on the "-A" command line option:
-
-snort --help-options A
-
-Grep for help on threads:
-
-snort --help-config | grep thread
-
-Output help on "rule" options in AsciiDoc format:
-
-snort --markup --help-options rule
-
-Note
-
-Snort stops reading command-line options after the "--help-" and
-"--list-" options, so any other options should be placed before them.
-
-
-4.2. Sniffing and Logging
-
---------------
-
-Read a pcap:
-
-snort -r /path/to/my.pcap
-
-Dump the packets to stdout:
-
-snort -r /path/to/my.pcap -L dump
-
-Dump packets with application data and layer 2 headers
-
-snort -r /path/to/my.pcap -L dump -d -e
-
-Note
-
-Command line options must be specified separately. "snort -de" won’t
-work. You can still concatenate options and their arguments, however,
-so "snort -Ldump" will work.
-
-Dump packets from all pcaps in a directory:
-
-snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap' -L dump -d -e
-
-Log packets to a directory:
-
-snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap' -L dump -l /path/to/log/dir
-
-
-4.3. Configuration
-
---------------
-
-Validate a configuration file:
-
-snort -c $my_path/etc/snort/snort.lua
-
-Validate a configuration file and a separate rules file:
-
-snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules
-
-Read rules from stdin and validate:
-
-snort -c $my_path/etc/snort/snort.lua --stdin-rules < $my_path/etc/snort/sample.rules
-
-Enable warnings for Lua configurations and make warnings fatal:
-
-snort -c $my_path/etc/snort/snort.lua --warn-all --pedantic
-
-Tell Snort where to look for additional Lua scripts:
-
-snort --script-path /path/to/script/dir
-
-
-4.4. IDS mode
-
---------------
-
-Run Snort in IDS mode, reading packets from a pcap:
-
-snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap
-
-Log any generated alerts to the console using the "-A" option:
-
-snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A alert_full
-
-Capture separate stdout, stderr, and stdlog files (out has startup
-and shutdown output, err has warnings and errors, and log has
-alerts):
-
-snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A csv \
- 1>out 2>err 3>log
-
-Add or modify a configuration from the command line using the "--lua"
-option:
-
-snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A cmg \
- --lua 'ips = { enable_builtin_rules = true }'
-
-Note
-
-The "--lua" option can be specified multiple times.
-
-Run Snort in IDS mode on an entire directory of pcaps, processing
-each input source on a separate thread:
-
-snort -c $my_path/etc/snort/snort.lua --pcap-dir /path/to/pcap/dir \
- --pcap-filter '*.pcap' --max-packet-threads 8
-
-Run Snort on 2 interfaces, eth0 and eth1:
-
-snort -c $my_path/etc/snort/snort.lua -i "eth0 eth1" -z 2 -A cmg
-
-Run Snort inline with the afpacket DAQ:
-
-snort -c $my_path/etc/snort/snort.lua --daq afpacket -i "eth0:eth1" \
- -A cmg
-
-
-4.5. Plugins
-
---------------
-
-Load external plugins and use the "ex" alert:
-
-snort -c $my_path/etc/snort/snort.lua \
- --plugin-path $my_path/lib/snort_extra \
- -A alert_ex -r /path/to/my.pcap
-
-Test the LuaJIT rule option find loaded from stdin:
-
-snort -c $my_path/etc/snort/snort.lua \
- --script-path $my_path/lib/snort_extra \
- --stdin-rules -A cmg -r /path/to/my.pcap << END
-alert tcp any any -> any 80 (
- sid:3; msg:"found"; content:"GET";
- find:"pat='HTTP/1%.%d'" ; )
-END
-
-
-4.6. Output Files
-
---------------
-
-To make it simple to configure outputs when you run with multiple
-packet threads, output files are not explicitly configured. Instead,
-you can use the options below to format the paths:
-
-<logdir>/[<run_prefix>][<id#>][<X>]<name>
-
-Log to unified in the current directory:
-
-snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A unified2
-
-Log to unified in the current directory with a different prefix:
-
-snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A unified2 \
- --run-prefix take2
-
-Log to unified in /tmp:
-
-snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A unified2 -l /tmp
-
-Run 4 packet threads and log with thread number prefix (0-3):
-
-snort -c $my_path/etc/snort/snort.lua --pcap-dir /path/to/pcap/dir \
- --pcap-filter '*.pcap' -z 4 -A unified2
-
-Run 4 packet threads and log in thread number subdirs (0-3):
-
-snort -c $my_path/etc/snort/snort.lua --pcap-dir /path/to/pcap/dir \
- --pcap-filter '*.pcap' -z 4 -A unified2 --id-subdir
-
-Note
-
-subdirectories are created automatically if required. Log filename is
-based on module name that writes the file. All text mode outputs
-default to stdout. These options can be combined.
-
-
-4.7. DAQ Alternatives
-
---------------
-
-Process hext packets from stdin:
-
-snort -c $my_path/etc/snort/snort.lua \
- --daq-dir $my_path/lib/snort/daqs --daq hext -i tty << END
-$packet 10.1.2.3 48620 -> 10.9.8.7 80
-"GET / HTTP/1.1\r\n"
-"Host: localhost\r\n"
-"\r\n"
-END
-
-Process raw ethernet from hext file:
-
-snort -c $my_path/etc/snort/snort.lua \
- --daq-dir $my_path/lib/snort/daqs --daq hext \
- --daq-var dlt=1 -r <hext-file>
-
-Process a directory of plain files (ie non-pcap) with 4 threads with
-8K buffers:
-
-snort -c $my_path/etc/snort/snort.lua \
- --daq-dir $my_path/lib/snort/daqs --daq file \
- --pcap-dir path/to/files -z 4 -s 8192
-
-Bridge two TCP connections on port 8000 and inspect the traffic:
-
-snort -c $my_path/etc/snort/snort.lua \
- --daq-dir $my_path/lib/snort/daqs --daq socket
-
-
-4.8. Logger Alternatives
-
---------------
-
-Dump TCP stream payload in hext mode:
-
-snort -c $my_path/etc/snort/snort.lua -L hext
-
-Output timestamp, pkt_num, proto, pkt_gen, dgm_len, dir, src_ap,
-dst_ap, rule, action for each alert:
-
-snort -c $my_path/etc/snort/snort.lua -A csv
-
-Output the old test format alerts:
-
-snort -c $my_path/etc/snort/snort.lua \
- --lua "alert_csv = { fields = 'pkt_num gid sid rev', separator = '\t' }"
-
-
-4.9. Shell
-
---------------
-
-You must build with --enable-shell to make the command line shell
-available.
-
-Enable shell mode:
-
-snort --shell <args>
-
-You will see the shell mode command prompt, which looks like this:
-
-o")~
-
-(The prompt can be changed with the SNORT_PROMPT environment
-variable.)
-
-You can pause immediately after loading the configuration and again
-before exiting with:
-
-snort --shell --pause <args>
-
-In that case you must issue the resume() command to continue. Enter
-quit() to terminate Snort or detach() to exit the shell. You can list
-the available commands with help().
-
-To enable local telnet access on port 12345:
-
-snort --shell -j 12345 <args>
-
-The command line interface is still under development. Suggestions
-are welcome.
-
-
-4.10. Signals
-
---------------
-
-Note
-
-The following examples assume that Snort is currently running and has
-a process ID of <pid>.
-
-Modify and Reload Configuration:
-
-echo 'suppress = { { gid = 1, sid = 2215 } }' >> $my_path/etc/snort/snort.lua
-kill -hup <pid>
-
-Dump stats to stdout:
-
-kill -usr1 <pid>
-
-Shutdown normally:
-
-kill -term <pid>
-
-Exit without flushing packets:
-
-kill -quit <pid>
-
-List available signals:
-
-snort --help-signals
-
-Note
-
-The available signals may vary from platform to platform.
-
-
----------------------------------------------------------------------
-
-5. Features
-
----------------------------------------------------------------------
-
-This section explains how to use key features of Snort.
-
-
-5.1. Active Response
-
---------------
-
-Snort can take a more active role in securing a network by sending
-active responses to shut down offending sessions. When active response
-is enabled, Snort sends a TCP RST or an ICMP unreachable when dropping
-a session.
-
-5.1.1. Changes from Snort 2.9
-
- * stream5_global:max_active_responses and min_response_seconds are
- now active.max_responses and active.min_interval.
- * Response actions were moved from the IPS rule body to the rule
- action in the header. This includes react, reject, and rewrite
- (split out of replace, which now only does the detection part).
- These IPS actions are plugins.
- * drop and block are synonymous in Snort 2.9, but in Snort 3.0 drop
- means don’t forward the current packet only, whereas block means
- don’t forward this or any following packet on the flow.
-
-5.1.2. Configure Active
-
-Active response is enabled by configuring one of following IPS action
-plugins:
-
-react = { }
-reject = { }
-rewrite = { }
-
-Active responses will be performed for reject, react or rewrite IPS
-rule actions, and response packets are encoded based on the
-triggering packet. TTL will be set to the value captured at session
-pickup.
-
-The attempts parameter configures the number of attempts to land a TCP
-RST within the session’s current window (so that it is accepted by the
-receiving TCP). This sequence "strafing" is really only useful in
-passive mode. In inline mode the reset is put straight into the stream
-in lieu of the triggering packet, so strafing is not necessary.
-
-Each attempt (sent in rapid succession) has a different sequence
-number, so each active response actually causes this number of TCP
-resets to be sent. TCP data is multiplied similarly. At most 1 ICMP
-unreachable is sent, iff attempts > 0.
-
-Setting device to an IP address performs network layer injection. It
-is probably a better choice to specify an interface and avoid the
-kernel routing tables, etc.
-
-dst_mac overrides the response destination MAC address when device is
-an interface such as eth0, eth1, eth2. Otherwise the response
-destination MAC address is derived from the triggering packet.
-
-Example:
-
-active =
-{
- attempts = 2,
- device = "eth0",
- dst_mac = "00:06:76:DD:5F:E3",
-}
-
-5.1.3. Reject
-
-The reject IPS action performs an active response to shut down a
-hostile network session by injecting TCP resets (for TCP connections)
-or ICMP unreachable packets.
-
-Example:
-
-reject = { reset = "both", control = "all" }
-
-local_rules =
-[[
-reject tcp ( msg:"hostile connection"; flow:established, to_server;
-content:"HACK!"; sid:1; )
-]]
-
-ips =
-{
- rules = local_rules,
-}
-
-5.1.4. React
-
-The react IPS action sends an HTML page on a session and then resets
-it.
-
-The page to be sent can be read from a file:
-
-react = { page = "customized_block_page.html", }
-
-or else the default is used:
-
-<default_page> ::= \
- "HTTP/1.1 403 Forbidden\r\n"
- "Connection: close\r\n"
- "Content-Type: text/html; charset=utf-8\r\n"
- "\r\n"
- "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.1//EN\"\r\n" \
- " \"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd\">\r\n" \
- "<html xmlns=\"http://www.w3.org/1999/xhtml\"
- xml:lang=\"en\">\r\n" \
- "<head>\r\n" \
- "<meta http-equiv=\"Content-Type\" content=\"text/html;
- charset=UTF-8\" />\r\n" \
- "<title>Access Denied</title>\r\n" \
- "</head>\r\n" \
- "<body>\r\n" \
- "<h1>Access Denied</h1>\r\n" \
- "<p>%s</p>\r\n" \
- "</body>\r\n" \
- "</html>\r\n";
-
-Note that the file must contain the entire response, including any
-HTTP headers. In fact, the response isn’t strictly limited to HTTP.
-You could craft a binary payload of arbitrary content.
-
-When the rule is configured, the page is loaded and the %s is
-replaced with the selected message, which defaults to:
-
-"You are attempting to access a forbidden site.<br />" \
-"Consult your system administrator for details."
-
-Formatting operators beyond that single %s are prohibited, including
-%d, %x and a second %s, as well as any URL encodings such as %20
-(space) that may appear within a reference URL.
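As an added check that is not part of Snort or this manual, the following script validates a custom page against the contract just described (one %s at most, no other % sequences) and performs the same substitution Snort does at rule load. The HTTP status line check is an extra sanity test of my own; Snort itself does not require the payload to be HTTP, and the sample pages are constructed for the example.

```python
"""Check a custom react page against the contract described above.

Added example, not Snort code: it mirrors the documented rules for
react.page (the file carries the whole response, one %s placeholder at
most, no other % sequences such as %d, %x or a URL-encoded %20) so a page
can be validated before Snort loads it. The HTTP status line check is an
extra sanity test, since Snort itself does not require HTTP.
"""
import re

DEFAULT_MESSAGE = ("You are attempting to access a forbidden site.<br />"
                   "Consult your system administrator for details.")

# A '%' followed by anything but the single permitted 's' placeholder.
_FORBIDDEN = re.compile(r"%(?!s)")


def check_react_page(page):
    """Return the list of problems found; an empty list means acceptable."""
    problems = []
    if page.count("%s") > 1:
        problems.append("more than one %s placeholder")
    for m in _FORBIDDEN.finditer(page):
        snippet = page[m.start():m.start() + 3]
        problems.append(f"forbidden format operator {snippet!r} at byte {m.start()}")
    if not page.startswith("HTTP/1."):
        problems.append("page does not begin with an HTTP/1.x status line")
    return problems


def render_react_page(page, message=DEFAULT_MESSAGE):
    """Substitute the message into %s as the inspector does at rule load."""
    problems = check_react_page(page)
    if problems:
        raise ValueError("; ".join(problems))
    return page.replace("%s", message)


# Constructed sample pages (not taken from the manual).
GOOD_PAGE = ("HTTP/1.1 403 Forbidden\r\nConnection: close\r\n"
             "Content-Type: text/html; charset=utf-8\r\n\r\n"
             "<html><body><h1>Access Denied</h1><p>%s</p></body></html>\r\n")
BAD_PAGE = ("HTTP/1.1 403 Forbidden\r\n\r\n"
            "<p>%s</p><a href=\"http://example.test/policy%20doc\">why</a>\r\n")

if __name__ == "__main__":
    print(check_react_page(GOOD_PAGE))   # []
    print(check_react_page(BAD_PAGE))    # the %20 in the link is flagged
```

Run it over the page file you intend to reference from react.page before restarting Snort; a page that the checker rejects will also fail to load cleanly.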
-
-Example:
-
-react = { page = "my_block_page.html" }
-
-local_rules =
-[[
-react http ( msg:"Unauthorized Access Prohibited!"; flow:established,
-to_server; http_method; content:"GET"; sid:1; )
-]]
-
-ips =
-{
- rules = local_rules,
-}
-
-5.1.5. Rewrite
-
-The rewrite IPS action overwrites packet contents based on the
-"replace" option in the rules.
-
-For example:
-
-rewrite = { }
-local_rules =
-[[
-rewrite tcp 10.1.1.87 any -> 10.1.1.0/24 80
-(
- sid:1000002;
- msg:"test replace rule";
- content:"index.php", nocase;
- replace:"indax.php";
-)
-]]
-
-ips =
-{
- rules = local_rules,
-}
-
-This rule replaces "index.php" with "indax.php", and the rewrite
-action updates the packet accordingly.
-
-To enable the rewrite action:
-
-rewrite = { }
-
-The replace operation can be disabled by changing the configuration:
-
-rewrite = { disable_replace = true }
-
-
-5.2. AppId
-
---------------
-
-Network administrators need application awareness in order to fine
-tune their management of the ever-growing number of applications
-passing traffic over the network. Application awareness allows an
-administrator to create rules for applications as needed by the
-business. The rules can be used to take action based on the
-application, such as block, allow or alert.
-
-5.2.1. Overview
-
-The AppId inspector provides an application level view when managing
-networks by providing the following features:
-
- * Network control: The inspector works with Snort rules by
- providing a set of application identifiers (AppIds) to Snort rule
- writers.
- * Application usage awareness: The inspector outputs statistics to
- show how many times applications are being used on the network.
- * Custom applications: Administrators can create their own
- application detectors to detect new applications. The detectors
- are written in Lua and interface with Snort using a well-defined
- C-Lua API.
- * Open Detector Package (ODP): A set of pre-defined application
- detectors are provided by the Snort team and can be downloaded
- from snort.org.
-
-5.2.2. Dependency Requirements
-
-For proper functioning of the AppId inspector, at a minimum stream
-flow tracking must be enabled. In addition, to identify TCP-based or
-UDP-based applications the appropriate stream inspector must be
-enabled, e.g. stream_tcp or stream_udp.
-
-In order to identify HTTP-based applications, the HTTP inspector must
-also be enabled. Otherwise, only non-HTTP applications will be
-identified.
-
-AppId subscribes to the inspection events published by other
-inspectors, such as the HTTP and SSL inspectors, to gain access to
-the data needed. It uses that data to help determine the application
-ID.
-
-5.2.3. Configuration
-
-The AppId feature can be enabled via configuration. To enable it with
-the default settings use:
-
-appid = { }
-
-To use an AppId as a matching parameter in an IPS rule, use the
-appids keyword. For example, to block HTTP traffic that contains a
-specific header:
-
-block tcp any any -> 192.168.0.1 any ( msg:"Block Malicious HTTP header";
- appids:"HTTP"; content:"X-Header: malicious"; sid:18000; )
-
-Alternatively, the HTTP application can be specified in place of tcp
-instead of using the appids keyword. The AppId inspector sets the
-service when it is discovered so it can be used in IPS rules like
-this. Note that this rule also does not specify IPs or ports, which
-default to any.
-
-block http ( msg:"Block Malicious HTTP header";
- content:"X-Header: malicious"; sid:18000; )
-
-It’s possible to specify multiple applications (as many as desired)
-with the appids keyword. A rule is considered a match if any of the
-applications on the rule match. Note that this rule does not match
-specific content; without a content match there is no fast pattern to
-prefilter on, which reduces performance.
-
-alert tcp any any -> 192.168.0.1 any ( msg:"Alert ";
- appids:"telnet,ssh,smtp,http"; )
-
-Below is a minimal Snort configuration that is sufficient to block
-flows based on a specific HTTP header:
-
-stream = { }
-
-stream_tcp = { }
-
-binder =
-{
- {
- when =
- {
- proto = 'tcp',
- ports = [[ 80 8080 ]],
- },
- use =
- {
- type = 'http_inspect',
- },
- },
-}
-
-http_inspect = { }
-
-appid = { }
-
-local_rules =
-[[
-block http ( msg:"openAppId: test content match for app http";
-content:"X-Header: malicious"; sid:18760; rev:4; )
-]]
-
-ips =
-{
- rules = local_rules,
-}
-
-5.2.4. Session Application Identifiers
-
-There are up to four AppIds stored in a session as defined below:
-
- * serviceAppId - An AppId associated with the server side of a
- session. Example: http server.
- * clientAppId - An AppId associated with the application on the
- client side of a session. Example: Firefox.
- * payloadAppId - For services like http, this AppId is associated
- with a webserver host. Example: Facebook.
- * miscAppId - For some encapsulated protocols, this is the highest
- encapsulated application.
-
-For packets originating from the client, the session’s payloadAppId is
-matched against all AppIds listed on a rule. Thereafter miscAppId,
-clientAppId and serviceAppId are matched. Since alert events contain
-one AppId, only the first match is reported. If a rule without an
-appids option matches, then the most specific AppId (in order of
-payload, misc, client, service) is reported.
-
-The same logic is followed for packets originating from the server
-with one exception: the order of matching is changed so that
-serviceAppId comes before clientAppId.
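The matching order above, as an added example that models only that ordering and is not AppId inspector code. Case-insensitive comparison of the names is an assumption made because the rules in this section write HTTP and http interchangeably; the session is constructed for the example.

```python
"""Which of a session's four AppIds does an appids rule match on?

Added example, not AppId inspector code: it models only the ordering
described above. Client-originated packets try payload, misc, client,
service; server-originated packets try service before client. The first
match is the one reported, and a rule with no appids option reports the
most specific AppId the session holds.
"""
from dataclasses import dataclass
from typing import Optional

CLIENT_ORDER = ("payload", "misc", "client", "service")
SERVER_ORDER = ("payload", "misc", "service", "client")


@dataclass
class SessionAppIds:
    service: Optional[str] = None   # server side, e.g. "http"
    client: Optional[str] = None    # client application, e.g. "firefox"
    payload: Optional[str] = None   # web host behind http, e.g. "facebook"
    misc: Optional[str] = None      # highest encapsulated application

    def in_order(self, from_client):
        order = CLIENT_ORDER if from_client else SERVER_ORDER
        return [(slot, getattr(self, slot)) for slot in order]


def match_appids(session, rule_appids, from_client=True):
    """Return (slot, appid) for the first session AppId the rule matches.

    rule_appids holds the names from the rule's appids option (compared
    case-insensitively here; an assumption, not documented on the page).
    An empty set models a rule without appids, which matches and reports
    the most specific AppId. Returns None when nothing on the rule matches.
    """
    wanted = {a.lower() for a in rule_appids}
    for slot, appid in session.in_order(from_client):
        if appid is None:
            continue
        if not wanted or appid.lower() in wanted:
            return slot, appid
    return None


# Constructed session: Firefox fetching Facebook over HTTP.
SESSION = SessionAppIds(service="http", client="firefox", payload="facebook")

if __name__ == "__main__":
    print(match_appids(SESSION, {"HTTP", "facebook"}))            # payload wins
    print(match_appids(SESSION, {"http", "firefox"}, False))      # service before client
```

The practical consequence: an alert on a rule listing both http and facebook will report facebook, so dashboards keyed on the reported AppId should expect the most specific name, not the service.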
-
-5.2.5. AppId Usage Statistics
-
-The AppId inspector periodically writes application network usage
-statistics to the Snort log directory in unified2 format. The file
-name, statistics interval and file rollover are controlled by the
-appid inspector configuration.
-
-5.2.6. Open Detector Package (ODP) Installation
-
-Application detectors from Snort team will be delivered in a separate
-package called the Open Detector Package (ODP) that can be downloaded
-from snort.org. ODP is a package that contains the following
-artifacts:
-
- * Application detectors in the Lua language.
- * Port detectors, which are port only application detectors, in
- meta-data in YAML format.
- * appMapping.data file containing application metadata. This file
- should not be modified. The first column contains application
- identifier and second column contains application name. Other
- columns contain internal information.
- * Lua library files DetectorCommon.lua, flowTrackerModule.lua and
- hostServiceTrackerModule.lua
-
-A user can install the ODP package in any directory and configure
-this directory via the app_detector_dir option in the appid inspector
-configuration. Installing ODP will not modify any subdirectory named
-custom, where user-created detectors are located.
-
-When installed, ODP will create following sub-directories:
-
- * odp/port //Cisco port-only detectors
- * odp/lua //Cisco Lua detectors
- * odp/libs //Cisco Lua modules
-
-5.2.7. User Created Application Detectors
-
-Users can detect new applications by adding detectors in the Lua
-language. A document will be posted on the Snort Website with details
-on API. Users can also copy over Snort team provided detectors and
-modify them. Users can also use the detector creation tool described
-in the next section.
-
-Users must organize their Lua detectors and libraries by creating the
-following directory structure, under the ODP installation directory.
-
- * custom/port //port-only detectors
- * custom/lua //Lua detectors
- * custom/libs //Lua modules
-
-The root path is specified by the "app_detector_dir" parameter of the
-appid section of snort.lua:
-
-appid =
-{
- app_detector_dir = '/usr/local/lib/openappid',
-}
-
-So the path to the user-created lua files would be /usr/local/lib/
-openappid/custom/lua/
-
-None of the directories below /usr/local/lib/openappid/ are created
-for you.
-
-5.2.8. Application Detector Creation Tool
-
-For rudimentary Lua detectors, there is a tool provided called
-appid_detector_builder.sh. This is a simple, menu-driven bash script
-which creates .lua files in your current directory, based on your
-choices and on patterns you supply.
-
-When you launch the script, it will prompt for the Application Id
-that you are giving for your detector. This is free-form ASCII with
-minor restrictions. The Lua detector file will be named based on your
-Application Id. If the file name already exists you will be prompted
-to overwrite it.
-
-You will also be prompted for a description of your detector to be
-placed in the comments of the Lua source code. This is optional.
-
-You will then be asked a series of questions designed to construct
-Lua code based on the kind of pattern data, protocol, port(s), etc.
-
-When complete, the Protocol menu will be changed to include the
-option, "Save Detector". Instead of saving the file and exiting the
-script, you are allowed to give additional criteria for another
-pattern which may also be incorporated in the detection scheme. Then
-either pattern, when matched, will be considered a valid detection.
-
-For example, your first choices might create an HTTP detection
-pattern of "example.com", and the next set of choices would add the
-HTTP detection pattern of "example.uk.co" (an equally fictional
-British counterpart). They would then co-exist in the Lua detector,
-and either would cause a detection with the name you give for your
-Application Id.
-
-The resulting .lua file must be placed in the "custom/lua" directory
-described in the previous section, "User Created Application
-Detectors".
-
-
-5.3. Binder
-
---------------
-
-One of the fundamental differences between Snort 2 and Snort 3
-concerns configuration related to networks and ports. Here is a brief
-review of Snort 2 configuration for network and service related
-components:
-
- * Snort’s configuration has a default policy and optional policies
- selected by VLAN or network (with config binding).
- * Each policy contains a user defined set of preprocessor
- configurations.
- * Each preprocessor has a default configuration and some support
- non-default configurations selected by network.
- * Most preprocessors have port configurations.
- * The default policy may also contain a list of ports to ignore.
-
-In Snort 3, the above configurations are done in a single module
-called the binder. Here is an example:
-
-binder =
-{
- -- allow all tcp port 22:
- -- (similar to Snort 2 config ignore_ports)
- { when = { proto = 'tcp', ports = '22' }, use = { action = 'allow' } },
-
--- select a config file by vlan
--- (similar to Snort 2 config binding by vlan)
-{ when = { vlans = '1024' }, use = { file = 'vlan.lua' } },
-
--- use a non-default HTTP inspector for port 8080:
--- (similar to a Snort 2 targeted preprocessor config)
-{ when = { nets = '192.168.0.0/16', proto = 'tcp', ports = '8080' },
- use = { name = 'alt_http', type = 'http_inspect' } },
-
--- use the default inspectors:
--- (similar to a Snort 2 default preprocessor config)
-{ when = { proto = 'tcp' }, use = { type = 'stream_tcp' } },
-{ when = { service = 'http' }, use = { type = 'http_inspect' } },
-
- -- figure out which inspector to run automatically:
- { use = { type = 'wizard' } }
-}
-
-Bindings are evaluated when a session starts and again if and when
-service is identified on the session. Essentially, the bindings are a
-list of when-use rules evaluated from top to bottom. The first
-matching network and service configurations are applied. binder.when
-can contain any combination of criteria and binder.use can specify an
-action, config file, or inspector configuration.
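A model of that evaluation, as an added example that is not Snort's binder code. It encodes the text above (rules read top to bottom, first matching network configuration and first matching service configuration applied, evaluated at flow start and again when a service is identified). Assumptions the page does not state: a use table carrying an action, a file or a stream_* type is treated as the network configuration and anything else, the wizard included, as the service configuration; nets is matched against either endpoint; ports is matched against the server port. The flows are constructed.

```python
"""Model of binder evaluation: when/use rules read top to bottom, with the
first matching network configuration and the first matching service
configuration applied, at flow start and again once a service is known.

Added example, not Snort's binder code. Assumed, not stated on the page:
a use with an action, a file or a stream_* type is the network
configuration, anything else (the wizard included) is the service
configuration; nets matches either endpoint; ports matches the server
port. The six bindings are the ones from the Lua example above.
"""
import ipaddress

BINDINGS = [
    {"when": {"proto": "tcp", "ports": "22"}, "use": {"action": "allow"}},
    {"when": {"vlans": "1024"}, "use": {"file": "vlan.lua"}},
    {"when": {"nets": "192.168.0.0/16", "proto": "tcp", "ports": "8080"},
     "use": {"name": "alt_http", "type": "http_inspect"}},
    {"when": {"proto": "tcp"}, "use": {"type": "stream_tcp"}},
    {"when": {"service": "http"}, "use": {"type": "http_inspect"}},
    {"use": {"type": "wizard"}},
]


def _is_network_use(use):
    return "action" in use or "file" in use or use.get("type", "").startswith("stream_")


def _when_matches(when, flow):
    """True when every criterion in the when table holds for the flow."""
    for key, wanted in when.items():
        if key == "proto":
            ok = flow["proto"] == wanted
        elif key == "ports":
            ok = str(flow["dport"]) in wanted.split()
        elif key == "vlans":
            ok = str(flow.get("vlan")) in wanted.split()
        elif key == "service":
            ok = flow.get("service") == wanted
        elif key == "nets":
            nets = [ipaddress.ip_network(n) for n in wanted.split()]
            ends = (ipaddress.ip_address(flow["src"]), ipaddress.ip_address(flow["dst"]))
            ok = any(a in n for n in nets for a in ends)
        else:
            raise ValueError(f"unsupported binder criterion: {key}")
        if not ok:
            return False
    return True


def bind(flow, bindings=BINDINGS):
    """Return {'network': use, 'service': use}; each is the first match of its kind."""
    chosen = {"network": None, "service": None}
    for binding in bindings:
        if not _when_matches(binding.get("when", {}), flow):
            continue
        kind = "network" if _is_network_use(binding["use"]) else "service"
        if chosen[kind] is None:
            chosen[kind] = binding["use"]
    return chosen


def demo():
    """A tcp/80 flow before and after its service is identified as http."""
    flow = {"proto": "tcp", "src": "10.0.0.5", "dst": "192.168.1.9", "dport": 80}
    at_start = bind(flow)
    flow["service"] = "http"
    return at_start, bind(flow)


if __name__ == "__main__":
    print(demo())
```

Two things the model makes visible: the tcp/80 flow gets the wizard until the service is known and http_inspect only on re-evaluation, while the 8080 binding in 192.168.0.0/16 selects alt_http immediately because it is keyed on port and network rather than service. When debugging "wrong inspector" problems, check the order of your bindings first.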
-
-
-5.4. Byte rule options
-
---------------
-
-5.4.1. byte_test
-
-This rule option tests a byte field against a specific value (with an
-operator). It is capable of testing binary values or converting
-representative byte strings to their binary equivalent and testing
-them.
-
-Snort uses the C operators for each of these operators. If the &
-operator is used, then it would be the same as using
-
-if (data & value) { do_something(); }
-
-The ! operator negates the result of the base check; !<oper> is
-evaluated as
-
-!(data <oper> value)
-
-Note: The bitmask option applies bitwise AND operator on the bytes
-converted. The result will be right-shifted by the number of bits
-equal to the number of trailing zeros in the mask. This applies for
-the other rule options as well.
-
-5.4.1.1. Examples
-
-alert tcp (byte_test:2, =, 568, 0, bitmask 0x3FF0;)
-
-This example extracts 2 bytes at offset 0, performs a bitwise AND with
-bitmask 0x3FF0, shifts the result right by 4 bits (the number of
-trailing zeros in the mask) and compares it to 568.
-
-alert udp (byte_test:4, =, 1234, 0, string, dec;
- msg:"got 1234!";)
-
-alert udp (byte_test:8, =, 0xdeadbeef, 0, string, hex;
- msg:"got DEADBEEF!";)
-
-5.4.2. byte_jump
-
-The byte_jump rule option allows rules to be written for length
-encoded protocols trivially. By having an option that reads the
-length of a portion of data, then skips that far forward in the
-packet, rules can be written that skip over specific portions of
-length-encoded protocols and perform detection in very specific
-locations.
-
-5.4.2.1. Examples
-
-alert tcp (content:"Begin";
- byte_jump:0, 0, from_end, post_offset -6;
- content:"end..", distance 0, within 5;
- msg:"Content match from end of the payload";)
-
-alert tcp (content:"catalog";
- byte_jump:2, 1, relative, post_offset 2, bitmask 0x03f0;
- byte_test:2, =, 968, 0, relative;
- msg:"Bitmask applied on the 2 bytes extracted for byte_jump";)
-
-5.4.3. byte_extract
-
-The byte_extract keyword is another useful option for writing rules
-against length-encoded protocols. It reads in some number of bytes
-from the packet payload and saves it to a variable. These variables
-can be referenced later in the rule, instead of using hard-coded
-values.
-
-5.4.3.1. Other options which use byte_extract variables
-
-A byte_extract rule option detects nothing by itself. Its use is in
-extracting packet data for use in other rule options.
-
-Here is a list of places where byte_extract variables can be used:
-
- * content/uricontent: offset, depth, distance, within
- * byte_test: offset, value
- * byte_jump: offset, post_offset
- * isdataat: offset
-
-5.4.3.2. Examples
-
-alert tcp (byte_extract:1, 0, str_offset;
- byte_extract:1, 1, str_depth;
- content:"bad stuff", offset str_offset, depth str_depth;
- msg:"Bad Stuff detected within field";)
-
-This example uses two variables.
-
-The first variable keeps the offset of a string, read from a byte at
-offset 0. The second variable keeps the depth of a string, read from
-a byte at offset 1. These values are used to constrain a pattern
-match to a smaller area.
-
-alert tcp (content:"START"; byte_extract:1, 0, myvar, relative;
- byte_jump:1, 3, relative, post_offset myvar;
- content:"END", distance 6, within 3;
- msg: "byte_jump - pass variable to post_offset";)
-
-alert tcp (content:"|04 63 34 35|", offset 4, depth 4;
- byte_extract: 2, 0, var_match, relative, bitmask 0x03ff;
- byte_test: 2, =, var_match, 2, relative;
- msg:"Test value match, after applying bitmask on bytes extracted";)
-
-5.4.4. byte_math
-
-Perform a mathematical operation on an extracted value and a
-specified value or existing variable, and store the outcome in a new
-resulting variable. These resulting variables can be referenced later
-in the rule, at the same places as byte_extract variables.
-
-The syntax for this rule option is different from the other byte
-options. For those, the order of the options is critical and can’t be
-changed (for example, the first option is always the number of bytes
-to extract). In byte_math each option is named explicitly, for
-example "bytes 2", so the order is not important.
-
-Note
-
-Byte_math operations are performed on unsigned 32-bit values. When
-writing a rule it should be taken into consideration to avoid wrap
-around.
-
-5.4.4.1. Examples
-
-alert tcp ( byte_math: bytes 2, offset 0, oper *, rvalue 10, result area;
- byte_test:2,>,area,16;)
-
-At offset zero of the payload, extract 2 bytes and multiply the value
-by 10. Store the result in the variable area. The area variable is
-then given as the value option of byte_test.
-
-Suppose the 2 bytes of extracted data hold 5. The rvalue is 10, so the
-result variable area is 50 (5 * 10). The area variable can be used in
-either the offset or the value option of byte_test.
-
-5.4.5. Testing Numerical Values
-
-The rule options byte_test and byte_jump were written to support
-writing rules for protocols that have length encoded data. RPC was
-the protocol that spawned the requirement for these two rule options,
-as RPC uses simple length based encoding for passing data.
-
-In order to understand why byte test and byte jump are useful, let’s
-go through an exploit attempt against the sadmind service.
-
-This is the payload of the exploit:
-
-89 09 9c e2 00 00 00 00 00 00 00 02 00 01 87 88 ................
-00 00 00 0a 00 00 00 01 00 00 00 01 00 00 00 20 ...............
-40 28 3a 10 00 00 00 0a 4d 45 54 41 53 50 4c 4f @(:.....metasplo
-49 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 it..............
-00 00 00 00 00 00 00 00 40 28 3a 14 00 07 45 df ........@(:...e.
-00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
-00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 ................
-00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 04 ................
-7f 00 00 01 00 01 87 88 00 00 00 0a 00 00 00 04 ................
-7f 00 00 01 00 01 87 88 00 00 00 0a 00 00 00 11 ................
-00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 ................
-00 00 00 00 00 00 00 3b 4d 45 54 41 53 50 4c 4f .......;metasplo
-49 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 it..............
-00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
-00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
-00 00 00 00 00 00 00 06 73 79 73 74 65 6d 00 00 ........system..
-00 00 00 15 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f ....../../../../
-2e 2e 2f 62 69 6e 2f 73 68 00 00 00 00 00 04 1e ../bin/sh.......
-
-Let’s break this up, describe each of the fields, and figure out how
-to write a rule to catch this exploit.
-
-There are a few things to note with RPC:
-
-Numbers are written as uint32s, taking four bytes. The number 26
-would show up as 0x0000001a.
-
-Strings are written as a uint32 specifying the length of the string,
-the string, and then null bytes to pad the length of the string to
-end on a 4-byte boundary. The string bob would show up as
-0x00000003626f6200.
-
-89 09 9c e2 - the request id, a random uint32, unique to each request
-00 00 00 00 - rpc type (call = 0, response = 1)
-00 00 00 02 - rpc version (2)
-00 01 87 88 - rpc program (0x00018788 = 100232 = sadmind)
-00 00 00 0a - rpc program version (0x0000000a = 10)
-00 00 00 01 - rpc procedure (0x00000001 = 1)
-00 00 00 01 - credential flavor (1 = auth_unix)
-00 00 00 20 - length of auth_unix data (0x20 = 32)
-
-## the next 32 bytes are the auth_unix data
-40 28 3a 10 - unix timestamp (0x40283a10 = 1076378128 = feb 10 01:55:28 2004 gmt)
-00 00 00 0a - length of the client machine name (0x0a = 10)
-4d 45 54 41 53 50 4c 4f 49 54 00 00 - metasploit
-
-00 00 00 00 - uid of requesting user (0)
-00 00 00 00 - gid of requesting user (0)
-00 00 00 00 - extra group ids (0)
-
-00 00 00 00 - verifier flavor (0 = auth_null, aka none)
-00 00 00 00 - length of verifier (0, aka none)
-
-The rest of the packet is the request that gets passed to procedure 1
-of sadmind.
-
-However, we know the vulnerability is that sadmind trusts the uid
-coming from the client. sadmind runs any request where the client’s
-uid is 0 as root. As such, we have decoded enough of the request to
-write our rule.
-
-First, we need to make sure that our packet is an RPC call.
-
-content:"|00 00 00 00|", offset 4, depth 4;
-
-Then, we need to make sure that our packet is a call to sadmind.
-
-content:"|00 01 87 88|", offset 12, depth 4;
-
-Then, we need to make sure that our packet is a call to the procedure
-1, the vulnerable procedure.
-
-content:"|00 00 00 01|", offset 20, depth 4;
-
-Then, we need to make sure that our packet has auth_unix credentials.
-
-content:"|00 00 00 01|", offset 24, depth 4;
-
-We don’t care about the hostname, but we want to skip over it and
-check a number value after the hostname. This is where byte_jump is
-useful. Starting at the length of the hostname, the data we have is:
-
-00 00 00 0a 4d 45 54 41 53 50 4c 4f 49 54 00 00
-00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-00 00 00 00
-
-We want to read 4 bytes, turn it into a number, and jump that many
-bytes forward, making sure to account for the padding that RPC
-requires on strings. If we do that, we are now at:
-
-00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-00 00 00 00
-
-which happens to be the exact location of the uid, the value we want
-to check.
-
-In English, we want to read 4 bytes, 36 bytes from the beginning of
-the packet, and turn those 4 bytes into an integer and jump that many
-bytes forward, aligning on the 4-byte boundary. To do that in a Snort
-rule, we use:
-
-byte_jump:4,36,align;
-
-then we want to look for the uid of 0.
-
-content:"|00 00 00 00|", within 4;
-
-Now that we have all the detection capabilities for our rule, let’s
-put them all together.
-
-content:"|00 00 00 00|", offset 4, depth 4;
-content:"|00 01 87 88|", offset 12, depth 4;
-content:"|00 00 00 01|", offset 20, depth 4;
-content:"|00 00 00 01|", offset 24, depth 4;
-byte_jump:4,36,align;
-content:"|00 00 00 00|", within 4;
-
-The third and fourth content matches are right next to each other, so
-we should combine those patterns. We end up with:
-
-content:"|00 00 00 00|", offset 4, depth 4;
-content:"|00 01 87 88|", offset 12, depth 4;
-content:"|00 00 00 01 00 00 00 01|", offset 20, depth 8;
-byte_jump:4,36,align;
-content:"|00 00 00 00|", within 4;
-
-If the sadmind service was vulnerable to a buffer overflow when
-reading the client’s hostname, instead of reading the length of the
-hostname and jumping that many bytes forward, we would check the
-length of the hostname to make sure it is not too large.
-
-To do that, we would read 4 bytes, starting 36 bytes into the packet,
-turn it into a number, and then alert if it is too large (let’s say
-bigger than 200 bytes). In Snort, we do:
-
-byte_test:4,>,200,36;
-
-Our full rule would be:
-
-content:"|00 00 00 00|", offset 4, depth 4;
-content:"|00 01 87 88|", offset 12, depth 4;
-content:"|00 00 00 01 00 00 00 01|", offset 20, depth 8;
-byte_test:4,>,200,36;
-
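To make the semantics of sections 5.4.1 through 5.4.5 concrete, here is an added example (not Snort's detection engine) that models byte_test, byte_jump, byte_extract, byte_math and the content modifiers as this section describes them, then runs the two finished sadmind rules over the first 80 bytes of the payload printed above. The bitmask, string and from_end behaviours from the earlier examples are exercised too. Everything beyond the hex copied from the page is constructed for the example.

```python
"""Model of byte_test, byte_jump, byte_extract and byte_math, run against the
sadmind payload from the walkthrough above.

Added example, not Snort's detection engine. It encodes the semantics given
in this section: offsets are absolute or relative to the cursor, bitmask is
AND then a right shift by the mask's trailing zeros, byte_jump moves past
the bytes it read, align rounds the cursor up to a 4-byte boundary, and
byte_math wraps at 32 bits. Only the first 80 bytes of the payload are
embedded; they cover every field the finished rules inspect.
"""
import operator

_OPS = {"<": operator.lt, ">": operator.gt, "=": operator.eq,
        "&": lambda a, b: bool(a & b), "^": lambda a, b: bool(a ^ b)}


def apply_bitmask(value, mask):
    """AND with mask, then shift right by the number of trailing zeros in it."""
    if mask is None:
        return value
    return (value & mask) >> ((mask & -mask).bit_length() - 1)


def read_int(buf, nbytes, offset, cursor=0, relative=False, bitmask=None,
             string=False, base=10, little=False):
    """byte_extract: integer at offset (plus the cursor when relative)."""
    start = offset + (cursor if relative else 0)
    chunk = buf[start:start + nbytes]
    if len(chunk) != nbytes:
        raise IndexError("read past end of payload")
    if string:                                  # 'string, dec' / 'string, hex'
        return apply_bitmask(int(chunk.decode("ascii"), base), bitmask)
    return apply_bitmask(int.from_bytes(chunk, "little" if little else "big"), bitmask)


def byte_test(buf, nbytes, op, value, offset, **kw):
    """byte_test: compare the extracted value; a leading '!' negates the test."""
    negate = op.startswith("!")
    return _OPS[op.lstrip("!")](read_int(buf, nbytes, offset, **kw), value) != negate


def byte_jump(buf, nbytes, offset, cursor=0, relative=False, align=False,
              post_offset=0, from_end=False, bitmask=None):
    """byte_jump: the new cursor, or None if it would leave the payload."""
    new = cursor if relative else 0
    if nbytes:                                  # bytes 0 reads nothing (from_end use)
        jump = read_int(buf, nbytes, offset, cursor, relative, bitmask)
        new = offset + (cursor if relative else 0) + nbytes + jump
        if align:
            new = (new + 3) & ~3
    if from_end:
        new = len(buf)
    new += post_offset
    return new if 0 <= new <= len(buf) else None


def byte_math(buf, nbytes, offset, oper, rvalue, **kw):
    """byte_math: unsigned 32-bit arithmetic on the extracted value."""
    lhs = read_int(buf, nbytes, offset, **kw)
    result = {"+": lhs + rvalue, "-": lhs - rvalue, "*": lhs * rvalue,
              "/": lhs // rvalue, "<<": lhs << rvalue, ">>": lhs >> rvalue}[oper]
    return result & 0xFFFFFFFF


def content(buf, pat, cursor=0, offset=0, depth=None, distance=None, within=None):
    """content: absolute (offset/depth) or relative (distance/within) match.
    Returns the cursor just past the match, or None."""
    if distance is not None or within is not None:
        start = cursor + (distance or 0)
        end = start + within if within is not None else len(buf)
    else:
        start = offset
        end = start + depth if depth is not None else len(buf)
    hit = buf.find(pat, start, end)
    return None if hit < 0 or hit + len(pat) > end else hit + len(pat)


# First 80 bytes of the sadmind request shown above (hex copied from it).
SADMIND = bytes.fromhex(
    "89099ce2 00000000 00000002 00018788 0000000a 00000001 00000001 00000020"
    "40283a10 0000000a 4d455441 53504c4f 49540000 00000000 00000000 00000000"
    "00000000 00000000 40283a14 000745df")


def sadmind_uid0_rule(buf):
    """The finished rule: RPC call to sadmind procedure 1 with auth_unix
    credentials, then uid 0 immediately after the 4-byte-aligned hostname."""
    if content(buf, b"\x00\x00\x00\x00", offset=4, depth=4) is None:
        return False
    if content(buf, b"\x00\x01\x87\x88", offset=12, depth=4) is None:
        return False
    if content(buf, b"\x00\x00\x00\x01\x00\x00\x00\x01", offset=20, depth=8) is None:
        return False
    cur = byte_jump(buf, 4, 36, align=True)     # byte_jump:4,36,align
    return cur is not None and content(buf, b"\x00\x00\x00\x00", cur, within=4) is not None


def sadmind_long_hostname_rule(buf, limit=200):
    """The overflow variant: fire when the hostname length exceeds limit."""
    return (content(buf, b"\x00\x01\x87\x88", offset=12, depth=4) is not None
            and byte_test(buf, 4, ">", limit, 36))       # byte_test:4,>,200,36
```

Tracing the uid rule by hand: the length at offset 36 is 10, the cursor after reading it is 40, 40 + 10 = 50, and align rounds that up to 52, which is exactly where the uid field begins. A hostname length of 256 makes the same jump leave the 80-byte buffer, so the uid rule cannot match, while the overflow variant fires; that is the behaviour a rule writer should verify before deploying either form.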
-
-5.5. DCE Inspectors
-
---------------
-
-The main purpose of these inspectors is to perform SMB desegmentation
-and DCE/RPC defragmentation to avoid rule evasion using these
-techniques.
-
-5.5.1. Overview
-
-The following transports are supported for DCE/RPC: SMB, TCP, and
-UDP. New rule options have been implemented to improve performance,
-reduce false positives and reduce the count and complexity of DCE/RPC
-based rules.
-
-Different from Snort 2, the DCE-RPC preprocessor is split into three
-inspectors - one for each transport: dce_smb, dce_tcp, dce_udp. This
-includes the configuration as well as the inspector modules. The
-Snort 2 server configuration is now split between the inspectors.
-Options that are meaningful to all inspectors, such as policy and
-defragmentation, are copied into each inspector configuration. The
-address/port mapping is handled by the binder. Autodetect
-functionality is replaced by wizard curses.
-
-5.5.2. Quick Guide
-
-A typical DCE/RPC configuration looks like this:
-
-binder =
-{
- {
- when =
- {
- proto = 'tcp',
- ports = '139 445 1025',
- },
- use =
- {
- type = 'dce_smb',
- },
- },
- {
- when =
- {
- proto = 'tcp',
- ports = '135 2103',
- },
- use =
- {
- type = 'dce_tcp',
- },
- },
- {
- when =
- {
- proto = 'udp',
- ports = '1030',
- },
- use =
- {
- type = 'dce_udp',
- },
- }
- }
-
-dce_smb = { }
-
-dce_tcp = { }
-
-dce_udp = { }
-
-This example defines smb, tcp and udp inspectors based on port. All
-the configurations are default.
-
-5.5.3. Target Based
-
-There are enough important differences between Windows and Samba
-versions that a target based approach has been implemented. Some
-important differences:
-
- * Named pipe instance tracking
- * Accepted SMB commands
- * AndX command chaining
- * Transaction tracking
- * Multiple Bind requests
- * DCE/RPC Fragmented requests - Context ID
- * DCE/RPC Fragmented requests - Operation number
- * DCE/RPC Stub data byte order
-
-Because of those differences, each inspector can be configured with a
-different policy. The supported policies are:
-
- * WinXP (default)
- * Win2000
- * WinVista
- * Win2003
- * Win2008
- * Win7
- * Samba
- * Samba-3.0.37
- * Samba-3.0.22
- * Samba-3.0.20
-
-5.5.4. Reassembling
-
-Both the SMB inspector and the TCP inspector support reassembly. The
-reassemble threshold specifies a minimum number of bytes in the
-DCE/RPC desegmentation and defragmentation buffers before creating a
-reassembly packet to send to the detection engine. This option is
-useful in inline mode so as to potentially catch an exploit early,
-before full defragmentation is done. A value of 0 supplied as an
-argument to this option will, in effect, disable it. Default is
-disabled.
-
-5.5.5. SMB
-
-The SMB inspector is one of the most complex inspectors. In addition
-to supporting rule options and lots of inspector rule events, it also
-supports file processing for SMB versions 1, 2 and 3.
-
-5.5.5.1. Finger Print Policy
-
-In the initial phase of an SMB session, the client needs to
-authenticate with a SessionSetupAndX. Both the request and response
-to this command contain OS and version information that can allow the
-inspector to dynamically set the policy for a session which allows
-for better protection against Windows and Samba specific evasions.
-
-5.5.5.2. File Inspection
-
-The SMB inspector supports file inspection. A typical configuration
-looks like this:
-
-binder =
-{
- {
- when =
- {
- proto = 'tcp',
- ports = '139 445',
- },
- use =
- {
- type = 'dce_smb',
- },
- },
-}
-
-dce_smb =
-{
- smb_file_inspection = 'on',
- smb_file_depth = 0,
-}
-
-file_id =
-{
- enable_type = true,
- enable_signature = true,
- enable_capture = true,
- file_rules = magics,
-}
-
-First, define a binder to map tcp ports 139 and 445 to smb. Then,
-enable file inspection in the smb inspector and set the file depth to
-unlimited. Lastly, enable the file inspector to inspect file type,
-calculate file signature, and capture the file. The details of the
-file inspector are explained in the file processing section.
-
-The SMB inspector inspects normal SMB file transfers. This includes
-doing file type and signature identification through the file
-processing API as well as setting a pointer for the "file_data" rule
-option. Note that the "smb_file_depth" option only applies to the
-maximum amount of file data for which it will set the pointer for the
-"file_data" rule option. For file type and signature it uses the
-value configured for the file API. If smb_file_inspection is "only",
-the inspector only does SMB file inspection, i.e. it does not do any
-DCE/RPC tracking or inspection. If "on" is specified without an
-smb_file_depth, the default file depth is 16384 bytes. An
-smb_file_depth of -1 disables setting the pointer for "file_data",
-effectively disabling SMB file inspection in rules. An smb_file_depth
-of 0 means unlimited. The default is "off", i.e. no SMB file
-inspection is done in the inspector.
-
-5.5.6. TCP
-
-dce_tcp inspector supports defragmentation, reassembling, and policy
-that is similar to SMB.
-
-5.5.7. UDP
-
-dce_udp is a very simple inspector that only supports defragmentation
-
-5.5.8. Rule Options
-
-New rule options are supported by enabling the dcerpc2 inspectors:
-
- * dce_iface
- * dce_opnum
- * dce_stub_data
-
-New modifiers to existing byte_test and byte_jump rule options:
-
- * byte_test: dce
- * byte_jump: dce
-
-5.5.8.1. dce_iface
-
-For DCE/RPC based rules it has been necessary to set flow-bits based
-on a client bind to a service to avoid false positives. It is
-necessary for a client to bind to a service before being able to make
-a call to it. When a client sends a bind request to the server, it
-can, however, specify one or more service interfaces to bind to. Each
-interface is represented by a UUID. Each interface UUID is paired
-with a unique index (or context id) that future requests can use to
-reference the service that the client is making a call to. The server
-will respond with the interface UUIDs it accepts as valid and will
-allow the client to make requests to those services. When a client
-makes a request, it will specify the context id so the server knows
-what service the client is making a request to. Instead of using
-flow-bits, a rule can simply ask the inspector, using this rule
-option, whether or not the client has bound to a specific interface
-UUID and whether or not this client request is making a request to
-it. This can eliminate false positives where more than one service is
-bound to successfully since the inspector can correlate the bind UUID
-to the context id used in the request. A DCE/RPC request can specify
-whether numbers are represented as big endian or little endian. The
-representation of the interface UUID is different depending on the
-endianness specified in the DCE/RPC previously requiring two rules -
-one for big endian and one for little endian. The inspector
-eliminates the need for two rules by normalizing the UUID. An
-interface contains a version. Some versions of an interface may not
-be vulnerable to a certain exploit. Also, a DCE/RPC request can be
-broken up into 1 or more fragments. Flags (and a field in the
-connectionless header) are set in the DCE/RPC header to indicate
-whether the fragment is the first, a middle or the last fragment.
-Many checks for data in the DCE/RPC request are only relevant if the
-DCE/RPC request is a first fragment (or full request), since
-subsequent fragments will contain data deeper into the DCE/RPC
-request. A rule which is looking for data, say 5 bytes into the
-request (maybe it’s a length field), will be looking at the wrong
-data on a fragment other than the first, since the beginning of
-subsequent fragments are already offset some length from the
-beginning of the request. This can be a source of false positives in
-fragmented DCE/RPC traffic. By default it is reasonable to only
-evaluate if the request is a first fragment (or full request).
-However, if the "any_frag" option is used to specify evaluating on
-all fragments.
-
-Examples:
-
-dce_iface: 4b324fc8-1670-01d3-1278-5a47bf6ee188;
-dce_iface: 4b324fc8-1670-01d3-1278-5a47bf6ee188,<2;
-dce_iface: 4b324fc8-1670-01d3-1278-5a47bf6ee188,any_frag;
-dce_iface: 4b324fc8-1670-01d3-1278-5a47bf6ee188,=1,any_frag;
-
-This option is used to specify an interface UUID. Optional arguments
-are an interface version and operator to specify that the version be
-less than (<), greater than (>), equal to (=) or not equal to (!) the
-version specified. Also, by default the rule will only be evaluated
-for a first fragment (or full request, i.e. not a fragment) since
-most rules are written to start at the beginning of a request. The
-"any_frag" argument says to evaluate for middle and last fragments as
-well. This option requires tracking client Bind and Alter Context
-requests as well as server Bind Ack and Alter Context responses for
-connection-oriented DCE/RPC in the inspector. For each Bind and Alter
-Context request, the client specifies a list of interface UUIDs along
-with a handle (or context id) for each interface UUID that will be
-used during the DCE/RPC session to reference the interface. The
-server response indicates which interfaces it will allow the client
-to make requests to - it either accepts or rejects the client’s wish
-to bind to a certain interface. This tracking is required so that
-when a request is processed, the context id used in the request can
-be correlated with the interface UUID it is a handle for.
-
-hexlong and hexshort will be specified and interpreted to be in big
-endian order (this is usually the default way an interface UUID will
-be seen and represented). As an example, the following Messenger
-interface UUID as taken off the wire from a little endian Bind
-request:
-
-|f8 91 7b 5a 00 ff d0 11 a9 b2 00 c0 4f b6 e6 fc|
-
-must be written as:
-
-5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc
-
-The same UUID taken off the wire from a big endian Bind request:
-
-|5a 7b 91 f8 ff 00 11 d0 a9 b2 00 c0 4f b6 e6 fc|
-
-must be written the same way:
-
-5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc
-
-This option matches if the specified interface UUID matches the
-interface UUID (as referred to by the context id) of the DCE/RPC
-request and if supplied, the version operation is true. This option
-will not match if the fragment is not a first fragment (or full
-request) unless the "any_frag" option is supplied in which case only
-the interface UUID and version need match. Note that a defragmented
-DCE/RPC request will be considered a full request.
-
-Using this rule option will automatically insert fast pattern
-contents into the fast pattern matcher. For UDP rules, the interface
-UUID, in both big and little endian format will be inserted into the
-fast pattern matcher. For TCP rules, (1) if the rule option
-"flow:to_server|from_client" is used, |05 00 00| will be inserted
-into the fast pattern matcher, (2) if the rule option
-"flow:from_server|to_client" is used, |05 00 02| will be inserted
-into the fast pattern matcher and (3) if the flow isn’t known, |05 00
-| will be inserted into the fast pattern matcher. Note that if the
-rule already has content rule options in it, the best (meaning
-longest) pattern will be used. If a content in the rule uses the
-fast_pattern rule option, it will unequivocally be used over the
-above mentioned patterns.
-
-5.5.8.2. dce_opnum
-
-The opnum represents a specific function call to an interface. After
-is has been determined that a client has bound to a specific
-interface and is making a request to it (see above - dce_iface)
-usually we want to know what function call it is making to that
-service. It is likely that an exploit lies in the particular DCE/RPC
-function call.
-
-Examples:
-
-dce_opnum: 15;
-dce_opnum: 15-18;
-dce_opnum: 15,18-20;
-dce_opnum: 15,17,20-22;
-
-This option is used to specify an opnum (or operation number), opnum
-range or list containing either or both opnum and/or opnum-range. The
-opnum of a DCE/RPC request will be matched against the opnums
-specified with this option. This option matches if any one of the
-opnums specified match the opnum of the DCE/RPC request.
-
-5.5.8.3. dce_stub_data
-
-Since most DCE/RPC based rules had to do protocol decoding only to
-get to the DCE/RPC stub data, i.e. the remote procedure call or
-function call data, this option will alleviate this need and place
-the cursor at the beginning of the DCE/RPC stub data. This reduces
-the number of rule option checks and the complexity of the rule.
-
-This option takes no arguments.
-
-Example:
-
-dce_stub_data;
-
-This option is used to place the cursor (used to walk the packet
-payload in rules processing) at the beginning of the DCE/RPC stub
-data, regardless of preceding rule options. There are no arguments to
-this option. This option matches if there is DCE/RPC stub data.
-
-The cursor is moved to the beginning of the stub data. All ensuing
-rule options will be considered "sticky" to this buffer. The first
-rule option following dce_stub_data should use absolute location
-modifiers if it is position-dependent. Subsequent rule options should
-use a relative modifier if they are meant to be relative to a
-previous rule option match in the stub data buffer. Any rule option
-that does not specify a relative modifier will be evaluated from the
-start of the stub data buffer. To leave the stub data buffer and
-return to the main payload buffer, use the "pkt_data" rule option.
-
-5.5.8.4. byte_test and byte_jump
-
-A DCE/RPC request can specify whether numbers are represented in big
-or little endian. These rule options will take as a new argument
-"dce" and will work basically the same as the normal byte_test/
-byte_jump, but since the DCE/RPC inspector will know the endianness
-of the request, it will be able to do the correct conversion.
-
-Examples:
-
-byte_test: 4,>,35000,0,relative,dce;
-byte_test: 2,!=,2280,-10,relative,dce;
-
-When using the "dce" argument to a byte_test, the following normal
-byte_test arguments will not be allowed: "big", "little", "string",
-"hex", "dec" and "oct".
-
-Examples:
-
-byte_jump:4,-4,relative,align,multiplier 2,post_offset -4,dce;
-
-When using the dce argument to a byte_jump, the following normal
-byte_jump arguments will not be allowed: "big", "little", "string",
-"hex", "dec", "oct" and "from_beginning"
-
-
-5.6. File Processing
-
---------------
-
-With the volume of malware transferred through network increasing,
-network file inspection becomes more and more important. This feature
-will provide file type identification, file signature creation, and
-file capture capabilities to help users deal with those challenges.
-
-5.6.1. Overview
-
-There are two parts of file services: file APIs and file policy. File
-APIs provides all the file inspection functionalities, such as file
-type identification, file signature calculation, and file capture.
-File policy provides users ability to control file services, such as
-enable/disable/configure file type identification, file signature, or
-file capture.
-
-In addition to all capabilities from Snort 2, we support customized
-file policy along with file event log.
-
- * Supported protocols: HTTP, SMTP, IMAP, POP3, FTP, and SMB.
- * Supported file signature calculation: SHA256
-
-5.6.2. Quick Guide
-
-A very simple configuration has been included in lua/snort.lua file.
-A typical file configuration looks like this:
-
-dofile('magic.lua')
-
-my_file_policy =
-{
- { when = { file_type_id = 0 }, use = { verdict = 'log', enable_file_signature = true, enable_file_capture = true } }
- { when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_signature = true } },
- { when = { sha256 = "F74DC976BC8387E7D4FC0716A069017A0C7ED13F309A523CC41A8739CCB7D4B6" }, use = { verdict = 'block'} },
-}
-
-file_id =
-{
- enable_type = true,
- enable_signature = true,
- enable_capture = true,
- file_rules = magics,
- trace_type = true,
- trace_signature = true,
- trace_stream = true,
- file_policy = my_file_policy,
- }
-
-file_log =
-{
- log_pkt_time = true,
- log_sys_time = false,
-}
-
-There are 3 steps to enable file processing:
-
- * First, you need to include the file magic rules.
- * Then, define the file policy and configure the inspector
- * At last, enable file_log to get detailed information about file
- event
-
-5.6.3. Pre-packaged File Magic Rules
-
-A set of file magic rules is packaged with Snort. They can be located
-at "lua/file_magic.lua". To use this feature, it is recommended that
-these pre-packaged rules are used; doing so requires that you include
-the file in your Snort configuration as such (already in snort.lua):
-
-dofile('magic.lua')
-
-Example:
-
-{ type = "GIF", id = 62, category = "Graphics", rev = 1,
- magic = { { content = "| 47 49 46 38 37 61 |",offset = 0 } } },
-
-{ type = "GIF", id = 63, category = "Graphics", rev = 1,
- magic = { { content = "| 47 49 46 38 39 61 |",offset = 0 } } },
-
-The previous two rules define GIF format, because two file magics are
-different. File magics are specified by content and offset, which
-look at content at particular file offset to identify the file type.
-In this case, two magics look at the beginning of the file. You can
-use character if it is printable or hex value in between "|".
-
-5.6.4. File Policy
-
-You can enabled file type, file signature, or file capture by
-configuring file_id. In addition, you can enable trace to see file
-stream data, file type, and file signature information.
-
-Most importantly, you can configure a file policy that can block/
-alert some file type or an individual file based on SHA. This allows
-you build a file blacklist or whitelist.
-
-Example:
-
-file_policy =
-{
- { when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_signature = true } },
- { when = { sha256 = "F74DC976BC8387E7D4FC0716A069017A0C7ED13F309A523CC41A8739CCB7D4B6" }, use = { verdict = 'block'} },
- { when = { file_type_id = 0 }, use = { verdict = 'log', enable_file_signature = true, enable_file_capture = true } }
-}
-
-In this example, it enables this policy:
-
- * For PDF files, they will be logged with signatures.
- * For the file matching this SHA, it will be blocked
- * For all file types identified, they will be logged with
- signature, and also captured onto log folder.
-
-5.6.5. File Capture
-
-File can be captured and stored to log folder. We use SHA as file
-name instead of actual file name to avoid conflicts. You can capture
-either all files, some file type, or a particular file based on SHA.
-
-You can enable file capture through this config:
-
-enable_capture = true,
-
-or enable it for some file or file type in your file policy:
-
-{ when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_capture = true } },
-
-The above rule will enable PDF file capture.
-
-5.6.6. File Events
-
-File inspect preprocessor also works as a dynamic output plugin for
-file events. It logs basic information about file. The log file is in
-the same folder as other log files with name starting with
-"file.log".
-
-Example:
-
-file_log = { log_pkt_time = true, log_sys_time = false }
-
-All file events will be logged in packet time, system time is not
-logged.
-
-File event example:
-
-08/14-19:14:19.100891 10.22.75.72:33734 -> 10.22.75.36:80,
-[Name: "malware.exe"] [Verdict: Block] [Type: MSEXE]
-[SHA: 6F26E721FDB1AAFD29B41BCF90196DEE3A5412550615A856DAE8E3634BCE9F7A]
-[Size: 1039328]
-
-
-5.7. High Availability
-
---------------
-
-High Availability includes the HA flow synchronization and the
-SideChannel messaging subsystems.
-
-5.7.1. HA
-
-HighAvailability (or HA) is a Snort module that provides state
-coherency between two partner snort instances. It uses SideChannel
-for messaging.
-
-There can be multiple types of HA within Snort and Snort plugins. HA
-implements an extensible architecture to enable plugins to subscribe
-to the base flow HA messaging. These plugins can then include their
-own messages along with the flow cache HA messages.
-
-HA produces and consumes two type of messages:
-
- * Update - Update flow status. Plugins may add their own data to
- the messages
- * Delete - A flow has been removed from the cache
-
-The HA module is configured with these items:
-
-high_availability =
-{
- ports = "1",
- enable = true,
- min_age = 0,
- min_sync = 0
-}
-
-The ports item maps to the SideChannel port to use for the HA
-messaging.
-
-The enabled item controls the overall HA operation.
-
-The items min_age and min_sync are used in the stream HA logic.
-min_age is the number of milliseconds that a flow must exist in the
-flow cache before sending HA messages to the partner. min_sync is the
-minimum time between HA status updates. HA messages for a particular
-flow will not be sent faster than min_sync. Both are expressed as a
-number of milliseconds.
-
-HA messages are composed of the base stream information plus any
-content from additional modules. Modules subscribe HA in order to add
-message content. The stream HA content is always present in the
-messages while the ancillary module content is only present when
-requested via a status change request.
-
-5.7.2. Connector
-
-Connectors are a set of modules that are used to exchange
-message-oriented data among Snort threads and the external world. A
-typical use-case is HA (High Availability) message exchange.
-Connectors serve to decouple the message transport from the message
-creation/consumption. Connectors expose a common API for several
-forms of message transport.
-
-Connectors are a Snort plugin type.
-
-5.7.2.1. Connector (parent plugin class)
-
-Connectors may either be a simplex channel and perform unidirectional
-communications. Or may be duplex and perform bidirectional
-communications. The TcpConnector is duplex while the FileConnector is
-simplex.
-
-All subtypes of Connector have a direction configuration element and
-a connector element. The connector string is the key used to identify
-the element for sidechannel configuration. The direction element may
-have a default value, for instance TcpConnector’s are duplex.
-
-There are currently two implementations of Connectors:
-
- * TcpConnector - Exchange messages over a tcp channel.
- * FileConnector - Write messages to files and read messages from
- files.
-
-5.7.2.2. TcpConnector
-
-TcpConnector is a subclass of Connector and implements a DUPLEX type
-Connector, able to send and receive messages over a tcp session.
-
-TcpConnector adds a few session setup configuration elements:
-
- * setup = call or answer - call is used to have TcpConnector
- initiate the connection. answer is used to have TcpConnector
- accept incoming connections.
- * address = <addr> - used for call setup to specify the partner
- * base_port = port - used to contruct the actual port number for
- call and answer modes. Actual port used is (base_port +
- instance_id).
-
-An example segment of TcpConnector configuration:
-
-tcp_connector =
-{
- {
- connector = 'tcp_1',
- address = '127.0.0.1',
- setup = 'call',
- base_port = 11000
- },
-}
-
-5.7.2.3. FileConnector
-
-FileConnector implements a Connector that can either read from files
-or write to files. FileConnector’s are simplex and must be configured
-to be CONN_TRANSMIT or CONN_RECEIVE.
-
-FileConnector configuration adds two additional element:
-
- * name = string - used as part of the message file name
- * format = text or binary - FileConnector supports two file types
-
-The configured name string is used to construct the actual names as
-in:
-
- * file_connector_NAME_transmit and file_connector_NAME_receive
-
-All messages for one Snort invocation are read and written to one
-file.
-
-In the case of a receive FileConnector, all messages are read from
-the file prior to the start of packet processing. This allows the
-messages to establish state information for all processed packets.
-
-Connectors are used solely by SideChannel
-
-An example segment of FileConnector configuration:
-
-file_connector =
-{
- {
- connector = 'file_tx_1',
- direction = 'transmit',
- format = 'text',
- name = 'HA'
- },
- {
- connector = 'file_rx_1',
- direction = 'receive',
- format = 'text',
- name = 'HA'
- },
-}
-
-5.7.3. Side Channel
-
-SideChannel is a Snort module that uses Connectors to implement a
-messaging infrastructure that is used to communicate between Snort
-threads and the outside world.
-
-SideChannel adds functionality onto the Connector as:
-
- * message multiplexing/demultiplexing - An additional protocol
- layer is added to the messages. This port number is used to
- direct message to/from various SideClass instancs.
- * application receive processing - handler for received messages on
- a specific port.
-
-SideChannel’s are always implement a duplex (bidirectional) messaging
-model and can map to separate transmit and receive Connectors.
-
-The message handling model leverages the underlying Connector
-handling. So please refer to the Connector documentation.
-
-SideChannel’s are instantiated by various applications. The
-SideChannel port numbers are the configuration element used to map
-SideChannel’s to applications.
-
-The SideChannel configuration mostly serves to map a port number to a
-Connector or set of connectors. Each port mapping can have at most
-one transmit plus one receive connector or one duplex connector.
-Multiple SideChannel’s may be configured and instantiated to support
-multiple applications.
-
-An example SideChannel configuration along with the corresponding
-Connector configuration:
-
-side_channel =
-{
- {
- ports = '1',
- connectors =
- {
- {
- connector = 'file_rx_1',
- },
- {
- connector = 'file_tx_1',
- }
- },
- },
-}
-
-file_connector =
-{
- {
- connector = 'file_tx_1',
- direction = 'transmit',
- format = 'text',
- name = 'HA'
- },
- {
- connector = 'file_rx_1',
- direction = 'receive',
- format = 'text',
- name = 'HA'
- },
-}
-
-
-5.8. FTP
-
---------------
-
-Given an FTP command channel buffer, FTP will interpret the data,
-identifying FTP commands and parameters, as well as FTP response
-codes and messages. It will enforce correctness of the parameters,
-determine when an FTP command connection is encrypted, and determine
-when an FTP data channel is opened.
-
-5.8.1. Configuring the inspector to block exploits and attacks
-
-5.8.1.1. ftp_server configuration
-
- * ftp_cmds
-
-This specifies additional FTP commands outside of those checked by
-default within the inspector. The inspector may be configured to
-generate an alert when it sees a command it does not recognize.
-
-Aside from the default commands recognized, it may be necessary to
-allow the use of the "X" commands, specified in RFC 775. To do so,
-use the following ftp_cmds option. Since these are rarely used by FTP
-client implementations, they are not included in the defaults.
-
-ftp_cmds = [[ XPWD XCWD XCUP XMKD XRMD ]]
-
- * def_max_param_len
-
-This specifies the default maximum parameter length for all commands
-in bytes. If the parameter for an FTP command exceeds that length,
-and the inspector is configured to do so, an alert will be generated.
-This is used to check for buffer overflow exploits within FTP
-servers.
-
- * cmd_validity
-
-This specifies the valid format and length for parameters of a given
-command.
-
- * cmd_validity[].len
-
-This specifies the maximum parameter length for the specified command
-in bytes, overriding the default. If the parameter for that FTP
-command exceeds that length, and the inspector is configured to do
-so, an alert will be generated. It can be used to restrict specific
-commands to small parameter values. For example the USER
-command — usernames may be no longer than 16 bytes, so the
-appropriate configuration would be:
-
-cmd_validity =
-{
- {
- command = 'USER',
- length = 16,
- }
-}
-
- * cmd_validity[].format
-
-format is as follows:
-
-int Param must be an integer
-number Param must be an integer between 1 and 255
-char <chars> Param must be a single char, and one of <chars>
-date <datefmt> Param follows format specified where
- # = Number, C=Char, []=optional, |=OR, {}=choice,
- anything else=literal (i.e., .+- )
-string Param is string (effectively unrestricted)
-host_port Param must a host port specifier, per RFC 959.
-long_host_port Parameter must be a long host port specified, per RFC 1639
-extended_host_port Parameter must be an extended host port specified, per RFC 2428
-
-Examples of the cmd_validity option are shown below. These examples
-are the default checks (per RFC 959 and others) performed by the
-inspector.
-
-cmd_validity =
-{
- {
- command = 'CWD',
- length = 200,
- },
- {
- command = 'MODE',
- format = '< char SBC >',
- },
- {
- command = 'STRU',
- format = '< char FRP >',
- },
- {
- command = 'ALLO',
- format = '< int [ char R int ] >',
- },
- {
- command = 'TYPE',
- format = [[ < { char AE [ char NTC ] | char I | char L [ number ]
- } > ]],
- },
- {
- command = 'PORT',
- format = '< host_port >',
- },
-}
-
-A cmd_validity entry in the configuration can be used to override
-these defaults and/or add a check for other commands. A few examples
-follow.
-
-This allows additional modes, including mode Z which allows for
-zip-style compression:
-
-cmd_validity =
-{
- {
- command = 'MODE',
- format = '< char ASBCZ >',
- },
-}
-
-Allow for a date in the MDTM command:
-
-cmd_validity =
-{
- {
- command = 'MDTM',
- format = '< [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string >',
- },
-}
-
-MDTM is an odd case that is worth discussing…
-
-While not part of an established standard, certain FTP servers accept
-MDTM commands that set the modification time on a file. The most
-common among servers that do, accept a format using YYYYMMDDHHmmss
-[.uuu]. Some others accept a format using YYYYMMDDHHmmss[+|-]TZ
-format. The example above is for the first case.
-
-To check validity for a server that uses the TZ format, use the
-following:
-
-cmd_validity =
-{
- {
- command = 'MDTM',
- format = '< [ date nnnnnnnnnnnnnn[{+|-}n[n]] ] string >',
- },
-}
-
- * chk_str_fmt
-
-This causes the inspector to check for string format attacks on the
-specified commands.
-
- * telnet_cmds
-
-Detect and alert when telnet cmds are seen on the FTP command
-channel.
-
- * ignore_telnet_erase_cmds
-
-This option allows Snort to ignore telnet escape sequences for erase
-character (TNC EAC) and erase line (TNC EAL) when normalizing FTP
-command channel. Some FTP servers do not process those telnet escape
-sequences.
-
- * ignore_data_chan
-
-When set to true, causes the FTP inspector to force the rest of snort
-to ignore the FTP data channel connections. NO INSPECTION other than
-state (inspector AND rules) will be performed on that data channel.
-It can be turned on to improve performance — especially with respect
-to large file transfers from a trusted source — by ignoring traffic.
-If your rule set includes virus-type rules, it is recommended that
-this option not be used.
-
-5.8.1.2. ftp_client configuration
-
- * max_resp_len
-
-This specifies the maximum length for all response messages in bytes.
-If the message for an FTP response (everything after the 3 digit
-code) exceeds that length, and the inspector is configured to do so,
-an alert will be generated. This is used to check for buffer overflow
-exploits within FTP clients.
-
- * telnet_cmds
-
-Detect and alert when telnet cmds are seen on the FTP command
-channel.
-
- * ignore_telnet_erase_cmds
-
-This option allows Snort to ignore telnet escape sequences for erase
-character (TNC EAC) and erase line (TNC EAL) when normalizing FTP
-command channel. Some FTP clients do not process those telnet escape
-sequences.
-
-5.8.1.3. ftp_data
-
-In order to enable file inspection for ftp, the following should be
-added to the configuration:
-
-ftp_data = {}
-
-
-5.9. HTTP Inspector
-
---------------
-
-One of the major undertakings for Snort 3 is developing a completely
-new HTTP inspector.
-
-5.9.1. Overview
-
-You can configure it by adding:
-
-http_inspect = {}
-
-to your snort.lua configuration file. Or you can read about it in the
-source code under src/service_inspectors/http_inspect.
-
-So why a new HTTP inspector?
-
-For starters it is object-oriented. That’s good for us because we
-maintain this software. But it should also be really nice for
-open-source developers. You can make meaningful changes and additions
-to HTTP processing without having to understand the whole thing. In
-fact much of the new HTTP inspector’s knowledge of HTTP is
-centralized in a series of tables where it can be easily reviewed and
-modified. Many significant changes can be made just by updating these
-tables.
-
-http_inspect is the first inspector written specifically for the new
-Snort 3 architecture. This provides access to one of the very best
-features of Snort 3: purely PDU-based inspection. The classic
-preprocessor processes HTTP messages, but even while doing so it is
-constantly aware of IP packets and how they divide up the TCP data
-stream. The same HTTP message might be processed differently
-depending on how the sender (bad guy) divided it up into IP packets.
-
-http_inspect is free of this burden and can focus exclusively on
-HTTP. This makes it much simpler, easier to test, and less prone to
-false positives. It also greatly reduces the opportunity for
-adversaries to probe the inspector for weak spots by adjusting packet
-boundaries to disguise bad behavior.
-
-Dealing solely with HTTP messages also opens the door for developing
-major new features. The http_inspect design supports true stateful
-processing. Want to ask questions that involve both the client
-request and the server response? Or different requests in the same
-session? These things are possible.
-
-Another new feature on the horizon is HTTP/2 analysis. HTTP/2 derives
-from Google’s SPDY project and is in the process of being
-standardized. Despite the name, it is better to think of HTTP/2 not
-as a newer version of HTTP/1.1, but rather a separate protocol layer
-that runs under HTTP/1.1 and on top of TLS or TCP. It’s a perfect fit
-for the new Snort 3 architecture because a new HTTP/2 inspector would
-naturally output HTTP/1.1 messages but not any underlying packets.
-Exactly what http_inspect wants to input.
-
-http_inspect is taking a very different approach to HTTP header
-fields. The classic preprocessor divides all the HTTP headers
-following the start line into cookies and everything else. It
-normalizes the two pieces using a generic process and puts them in
-buffers that one can write rules against. There is some limited
-support for examining individual headers within the inspector but it
-is very specific.
-
-The new concept is that every header should be normalized in an
-appropriate and specific way and individually made available for the
-user to write rules against it. If for example a header is supposed
-to be a date then normalization means put that date in a standard
-format.
-
-5.9.2. Configuration
-
-Configuration can be as simple as adding:
-
-http_inspect = {}
-
-to your snort.lua file. The default configuration provides a thorough
-inspection and may be all that you need. But there are some options
-that provide extra features, tweak how things are done, or conserve
-resources by doing less.
-
-5.9.2.1. request_depth and response_depth
-
-These replace the flow depth parameters used by the old HTTP
-inspector but they work differently.
-
-The default is to inspect the entire HTTP message body. That’s a very
-sound approach but if your HTTP traffic includes many very large
-files such as videos the load on Snort can become burdensome. Setting
-the request_depth and response_depth parameters will limit the amount
-of body data that is sent to the rule engine. For example:
-
-request_depth = 10000,
-response_depth = 80000,
-
-would examine only the first 10000 bytes of POST, PUT, and other
-message bodies sent by the client. Responses from the server would be
-limited to 80000 bytes.
-
-These limits apply only to the message bodies. HTTP headers are
-always completely inspected.
-
-If you want to only inspect headers and no body, set the depth to 0.
-If you want to inspect the entire body set the depth to -1 or simply
-omit the depth parameter entirely because that is the default.
-
-These limits have no effect on how much data is forwarded to file
-processing.
-
-5.9.2.2. detained_inspection
-
-Detained inspection is an experimental feature currently under
-development. It enables Snort to more quickly detect and block
-response messages containing malicious JavaScript. As this feature
-involves actively blocking traffic it is designed for use with inline
-mode operation (-Q).
-
-This feature is off by default. detained_inspection = true will
-activate it.
-
-5.9.2.3. gzip
-
-http_inspect by default decompresses deflate and gzip message bodies
-before inspecting them. This feature can be turned off by unzip =
-false. Turning off decompression provides a substantial performance
-improvement but at a very high price. It is unlikely that any
-meaningful inspection of message bodies will be possible. Effectively
-HTTP processing would be limited to the headers.
-
-5.9.2.4. normalize_utf
-
-http_inspect will decode utf-8, utf-7, utf-16le, utf-16be, utf-32le,
-and utf-32be in response message bodies based on the Content-Type
-header. This feature is on by default: normalize_utf = false will
-deactivate it.
-
-5.9.2.5. decompress_pdf
-
-decompress_pdf = true will enable decompression of compressed
-portions of PDF files encountered in a response body. http_inspect
-will examine the response body for PDF files that are then parsed to
-locate PDF streams with a single /FlateDecode filter. The compressed
-content is decompressed and made available through the file data rule
-option.
-
-5.9.2.6. decompress_swf
-
-decompress_swf = true will enable decompression of compressed SWF
-(Adobe Flash content) files encountered in a response body. The
-available decompression modes are ’deflate’ and ’lzma’. http_inspect
-will search for the file signatures CWS for Deflate/ZLIB and ZWS for
-LZMA. The compressed content is decompressed and made available
-through the file data rule option. The compressed SWF file signature
-is converted to FWS to indicate an uncompressed file.
-
-5.9.2.7. normalize_javascript
-
-normalize_javascript = true will enable normalization of JavaScript
-within the HTTP response body. http_inspect looks for JavaScript by
-searching for the <script> tag without a type. Obfuscated data within
-the JavaScript functions such as unescape, String.fromCharCode,
-decodeURI, and decodeURIComponent are normalized. The different
-encodings handled within the unescape, decodeURI, or
-decodeURIComponent are %XX, %uXXXX, XX and uXXXXi. http_inspect also
-replaces consecutive whitespaces with a single space and normalizes
-the plus by concatenating the strings.
-
-5.9.2.8. URI processing
-
-Normalization and inspection of the URI in the HTTP request message
-is a key aspect of what http_inspect does. The best way to normalize
-a URI is very dependent on the idiosyncrasies of the HTTP server
-being accessed. The goal is to interpret the URI the same way as the
-server will so that nothing the server will see can be hidden from
-the rule engine.
-
-The default URI inspection parameters are oriented toward following
-the HTTP RFCs—reading the URI the way the standards say it should be
-read. Most servers deviate from this ideal in various ways that can
-be exploited by an attacker. The options provide tools for the user
-to cope with that.
-
-utf8 = true
-plus_to_space = true
-percent_u = false
-utf8_bare_byte = false
-iis_unicode = false
-iis_double_decode = true
-
-The HTTP inspector normalizes percent encodings found in URIs. For
-instance it will convert "%48%69%64%64%65%6e" to "Hidden". All the
-options listed above control how this is done. The options listed as
-true are fairly standard features that are decoded by default. You
-don’t need to list them in snort.lua unless you want to turn them off
-by setting them to false. But that is not recommended unless you know
-what you are doing and have a definite reason.
-
-The other options are primarily for the protection of servers that
-support irregular forms of decoding. These features are off by
-default but you can activate them if you need to by setting them to
-true in snort.lua.
-
-bad_characters = "0x25 0x7e 0x6b 0x80 0x81 0x82 0x83 0x84"
-
-That’s a list of 8-bit Ascii characters that you don’t want present
-in any normalized URI after the percent decoding is done. For example
-0x25 is a hexadecimal number (37 in decimal) which stands for the %
-character. The % character is legitimately used for encoding special
-characters in a URI. But if there is still a percent after
-normalization one might conclude that something is wrong. If you
-choose to configure 0x25 as a bad character there will be an alert
-whenever this happens.
-
-Another example is 0x00 which signifies the null character zero. Null
-characters in a URI are generally wrong and very suspicious.
-
-The default is not to alert on any of the 256 8-bit Ascii characters.
-Add this option to your configuration if you want to define some bad
-characters.
-
-ignore_unreserved = "abc123"
-
-Percent encoding common characters such as letters and numbers that
-have no special meaning in HTTP is suspicious. It’s legal but why
-would you do it unless you have something to hide? http_inspect will
-alert whenever an upper-case or lower-case letter, a digit, period,
-underscore, tilde, or minus is percent-encoded. But if a legitimate
-application in your environment encodes some of these characters for
-some reason this allows you to create exemptions for those
-characters.
-
-In the example, the lower-case letters a, b, and c and the digits 1,
-2, and 3 are exempted. These may be percent-encoded without
-generating an alert.
-
-simplify_path = true
-backslash_to_slash = true
-
-HTTP inspector simplifies directory paths in URIs by eliminating
-extra traversals using ., .., and /.
-
-For example I can take a simple URI such as
-
-/very/easy/example
-
-and complicate it like this:
-
-/very/../very/././././easy//////detour/to/nowhere/../.././../example
-
-which may be very difficult to match with a detection rule.
-simplify_path is on by default and you should not turn it off unless
-you have no interest in URI paths.
-
-backslash_to_slash is a tweak to path simplification for servers that
-allow directories to be separated by backslashes:
-
-/this/is/the/normal/way/to/write/a/path
-
-\this\is\the\other\way\to\write\a\path
-
-backslash_to_slash is turned on by default. It replaces all the
-backslashes with slashes during normalization.
-
-5.9.3. CONNECT processing
-
-The HTTP CONNECT method is used by a client to establish a tunnel to
-a destination via an HTTP proxy server. If the connection is
-successful the server will send a 2XX success response to the client,
-then proceed to blindly forward traffic between the client and
-destination. That traffic belongs to a new session between the client
-and destination and may be of any protocol, so clearly the HTTP
-inspector will be unable to continue processing traffic following the
-CONNECT message as if it were just a continuation of the original
-HTTP/1.1 session.
-
-Therefore upon receiving a success response to a CONNECT request, the
-HTTP inspector will stop inspecting the session. The next packet will
-return to the wizard, which will determine the appropriate inspector
-to continue processing the flow. If the tunneled protocol happens to
-be HTTP/1.1, the HTTP inspector will again start inspecting the flow,
-but as an entirely new session.
-
-There is one scenario where the cutover to the wizard will not occur
-despite a 2XX success response to a CONNECT request. HTTP allows for
-pipelining, or sending multiple requests without waiting for a
-response. If the HTTP inspector sees any further traffic from the
-client after a CONNECT request before it has seen the CONNECT
-response, it is unclear whether this traffic should be interpreted as
-a pipelined HTTP request or tunnel traffic sent in anticipation of a
-success response from the server. Due to this potential evasion
-tactic, the HTTP inspector will not cut over to the wizard if it sees
-any early client-to-server traffic, but will continue normal HTTP
-processing of the flow regardless of the eventual server response.
-
-5.9.4. Detection rules
-
-http_inspect parses HTTP messages into their components and makes
-them available to the detection engine through rule options. Let’s
-start with an example:
-
-alert tcp any any -> any any ( msg:"URI example"; flow:established,
-to_server; http_uri; content:"chocolate"; sid:1; rev:1; )
-
-This rule looks for chocolate in the URI portion of the request
-message. Specifically, the http_uri rule option is the normalized URI
-with all the percent encodings removed. It will find chocolate in
-both:
-
-GET /chocolate/cake HTTP/1.1
-
-and
-
-GET /%63%68$6F%63%6F%6C%61%74%65/%63%61%6B%65 HTTP/1.1
-
-It is also possible to search the unnormalized URI
-
-alert tcp any any -> any any ( msg:"Raw URI example"; flow:established,
-to_server; http_raw_uri; content:"chocolate"; sid:2; rev:1; )
-
-will match the first message but not the second. If you want to
-detect someone who is trying to hide his request for chocolate then
-
-alert tcp any any -> any any ( msg:"Raw URI example"; flow:established,
-to_server; http_raw_uri; content:"%63%68$6F%63%6F%6C%61%74%65";
-sid:3; rev:1; )
-
-will do the trick.
-
-Let’s look at possible ways of writing a rule to match HTTP response
-messages with the Content-Language header set to "da" (Danish). You
-could write:
-
-alert tcp any any -> any any ( msg:"whole header search";
-flow:established, to_client; http_header; content:
-"Content-Language: da", nocase; sid:4; rev:1; )
-
-This rule leaves much to be desired. Modern headers are often
-thousands of bytes and seem to get longer every year. Searching all
-of the headers consumes a lot of resources. Furthermore this rule is
-easily evaded:
-
-HTTP/1.1 ... Content-Language: da ...
-
-the extra space before the "da" throws the rule off. Or how about:
-
-HTTP/1.1 ... Content-Language: xx,da ...
-
-By adding a made up second language the attacker has once again
-thwarted the match.
-
-A better way to write this rule is:
-
-alert tcp any any -> any any ( msg:"individual header search";
-flow:established, to_client; http_header: field content-language;
-content:"da", nocase; sid:4; rev:2; )
-
-The field option improves performance by narrowing the search to the
-Content-Language field of the header. Because it uses the header
-parsing abilities of http_inspect to find the field of interest it
-will not be thrown off by extra spaces or other languages in the
-list.
-
-In addition to the headers there are rule options for virtually every
-part of the HTTP message.
-
-5.9.4.1. http_uri and http_raw_uri
-
-These provide the URI of the request message. The raw form is exactly
-as it appeared in the message and the normalized form is determined
-by the URI normalization options you selected. In addition to
-searching the entire URI there are six components that can be
-searched individually:
-
-alert tcp any any -> any any ( msg:"URI path"; flow:established,
-to_server; http_uri: path; content:"chocolate"; sid:1; rev:2; )
-
-By specifying "path" the search is limited to the path portion of the
-URI. Informally this is the part consisting of the directory path and
-file name. Thus it will match:
-
-GET /chocolate/cake HTTP/1.1
-
-but not:
-
-GET /book/recipes?chocolate+cake HTTP/1.1
-
-The question mark ends the path and begins the query portion of the
-URI. Informally the query is where parameter values are set and often
-contains a search to be performed.
-
-The six components are:
-
- 1. path: directory and file
- 2. query: user parameters
- 3. fragment: part of the file requested, normally found only inside
- a browser and not transmitted over the network
- 4. host: domain name of the server being addressed
- 5. port: TCP port number being addressed
- 6. scheme: normally "http" or "https" but others are possible such
- as "ftp"
-
-Here is an example with all six:
-
-GET https://www.samplehost.com:287/basic/example/of/path?with-query
-#and-fragment HTTP/1.1\r\n
-
-The URI is everything between the first space and the last space.
-"https" is the scheme, "www.samplehost.com" is the host, "287" is the
-port, "/basic/example/of/path" is the path, "with-query" is the
-query, and "and-fragment" is the fragment.
-
-http_uri represents the normalized uri, normalization of components
-depends on uri type. If the uri is of type absolute (contains all six
-components) or absolute path (contains path, query and fragment) then
-the path and query components are normalized. In these cases,
-http_uri represents the normalized path, query, and fragment (/path?
-query#fragment). If the uri is of type authority (host and port), the
-host is normalized and http_uri represents the normalized host with
-the port number. In all other cases http_uri is the same as
-http_raw_uri.
-
-Note: this section uses informal language to explain some things.
-Nothing here is intended to conflict with the technical language of
-the HTTP RFCs and the implementation follows the RFCs.
-
-5.9.4.2. http_header and http_raw_header
-
-These cover all the header lines except the first one. You may
-specify an individual header by name using the field option as shown
-in this earlier example:
-
-alert tcp any any -> any any ( msg:"individual header search";
-flow:established, to_client; http_header: field content-language;
-content:"da", nocase; sid:4; rev:2; )
-
-This rule searches the value of the Content-Language header. Header
-names are not case sensitive and may be written in the rule in any
-mixture of upper and lower case.
-
-With http_header the individual header value is normalized in a way
-that is appropriate for that header.
-
-Specifying an individual header is not available for http_raw_header.
-
-If you don’t specify a header you get all of the headers except for
-the cookie headers Cookie and Set-Cookie. http_raw_header includes
-the unmodified header names and values as they appeared in the
-original message. http_header is the same except percent encodings
-are removed and paths are simplified exactly as if the headers were a
-URI.
-
-In most cases specifying individual headers creates a more efficient
-and accurate rule. It is recommended that new rules be written using
-individual headers whenever possible.
-
-5.9.4.3. http_trailer and http_raw_trailer
-
-HTTP permits header lines to appear after a chunked body ends.
-Typically they contain information about the message content that was
-not available when the headers were created. For convenience we call
-them trailers.
-
-http_trailer and http_raw_trailer are identical to their header
-counterparts except they apply to these end headers. If you want a
-rule to inspect both kinds of headers you need to write two rules,
-one using header and one using trailer.
-
-5.9.4.4. http_cookie and http_raw_cookie
-
-These provide the value of the Cookie header for a request message
-and the Set-Cookie for a response message. If multiple cookies are
-present they will be concatenated into a comma-separated list.
-
-Normalization for http_cookie is the same URI-style normalization
-applied to http_header when no specific header is specified.
-
-5.9.4.5. http_true_ip
-
-This provides the original IP address of the client sending the
-request as it was stored by a proxy in the request message headers.
-Specifically it is the last IP address listed in the X-Forwarded-For
-or True-Client-IP header. If both headers are present the former is
-used.
-
-5.9.4.6. http_client_body
-
-This is the body of a request message such as POST or PUT.
-Normalization for http_client_body is the same URI-like normalization
-applied to http_header when no specific header is specified.
-
-5.9.4.7. http_raw_body
-
-This is the body of a request or response message. It will be
-dechunked and unzipped if applicable but will not be normalized in
-any other way. The difference between http_raw_body and packet data
-is a rule that uses packet data will search and may match an HTTP
-header, but http_raw_body is limited to the message body. Thus the
-latter is more efficient and more accurate for most uses.
-
-5.9.4.8. http_method
-
-The method field of a request message. Common values are "GET",
-"POST", "OPTIONS", "HEAD", "DELETE", "PUT", "TRACE", and "CONNECT".
-
-5.9.4.9. http_stat_code
-
-The status code field of a response message. This is normally a
-3-digit number between 100 and 599. In this example it is 200.
-
-HTTP/1.1 200 OK
-
-5.9.4.10. http_stat_msg
-
-The reason phrase field of a response message. This is the
-human-readable text following the status code. "OK" in the previous
-example.
-
-5.9.4.11. http_version
-
-The protocol version information that appears on the first line of an
-HTTP message. This is usually "HTTP/1.0" or "HTTP/1.1".
-
-5.9.4.12. http_raw_request and http_raw_status
-
-These are the unmodified first header line of the HTTP request and
-response messages respectively. These rule options are a safety valve
-in case you need to do something you cannot otherwise do. In most
-cases it is better to use a rule option for a specific part of the
-first header line. For a request message those are http_method,
-http_raw_uri, and http_version. For a response message those are
-http_version, http_stat_code, and http_stat_msg.
-
-5.9.4.13. file_data and packet data
-
-file_data contains the normalized message body. This is the
-normalization described above under gzip, normalize_utf,
-decompress_pdf, decompress_swf, and normalize_javascript.
-
-The unnormalized message content is available in the packet data. If
-gzip is configured the packet data will be unzipped.
-
-5.9.5. Timing issues and combining rule options
-
-HTTP inspector is stateful. That means it is aware of a bigger
-picture than the packet in front of it. It knows what all the pieces
-of a message are, the dividing lines between one message and the
-next, which request message triggered which response message,
-pipelines, and how many messages have been sent over the current
-connection.
-
-Some rules use a single rule option:
-
-alert tcp any any -> any any ( msg:"URI example"; flow:established,
-to_server; http_uri; content:"chocolate"; sid:1; rev:1; )
-
-Whenever a new URI is available this rule will be evaluated. Nothing
-complicated about that, but suppose we use more than one rule option:
-
-alert tcp any any -> any any ( msg:"combined example"; flow:established,
-to_server; http_uri: with_body; content:"chocolate"; file_data;
-content:"sinister POST data"; sid:5; rev:1; )
-
-The with_body option to http_uri causes the URI to be made available
-with the message body. Use with_body for header-related rule options
-in rules that also examine the message body.
-
-The with_trailer option is analogous and causes an earlier message
-element to be made available at the end of the message when the
-trailers following a chunked body arrive.
-
-alert tcp any any -> any any ( msg:"double content-language";
-flow:established, to_client; http_header: with_trailer, field
-content-language; content:"da", nocase; http_trailer: field
-content-language; content:"en", nocase; sid:6; rev:1; )
-
-This rule will alert if the Content-Language changes from Danish in
-the headers to English in the trailers. The with_trailer option is
-essential to make this rule work.
-
-It is also possible to write rules that examine both the client
-request and the server response to it.
-
-alert tcp any any -> any any ( msg:"request and response example";
-flow:established, to_client; http_uri: with_body; content:"chocolate";
-file_data; content:"white chocolate"; sid:7; rev:1; )
-
-This rule looks for white chocolate in a response message body where
-the URI of the request contained chocolate. Note that this is a
-"to_client" rule that will alert on and potentially block a server
-response containing white chocolate, but only if the client URI
-requested chocolate. If the rule were rewritten "to_server" it would
-be nonsense and not work. Snort cannot block a client request based
-on what the server response will be because that has not happened
-yet.
-
-Another point is "with_body" for http_uri. This ensures the rule
-works on the entire response body. If we were looking for white
-chocolate in the response headers this would not be necessary.
-
-Response messages do not have a URI so there was only one thing
-http_uri could have meant in the previous rule. It had to be
-referring to the request message. Sometimes that is not so clear.
-
-alert tcp any any -> any any ( msg:"header ambiguity example 1";
-flow:established, to_client; http_header: with_body; content:
-"chocolate"; file_data; content:"white chocolate"; sid:8; rev:1; )
-
-alert tcp any any -> any any ( msg:"header ambiguity example 2";
-flow:established, to_client; http_header: with_body, request; content:
-"chocolate"; file_data; content:"white chocolate"; sid:8; rev:2; )
-
-Our search for chocolate has moved from the URI to the message
-headers. Both the request and response messages have headers—which
-one are we asking about? Ambiguity is always resolved in favor of
-looking in the current message which is the response. The first rule
-is looking for a server response containing chocolate in the headers
-and white chocolate in the body.
-
-The second rule uses the "request" option to explicitly say that the
-http_header to be searched is the request header.
-
-Let’s put all of this together. There are six opportunities to do
-detection:
-
- 1. When the the request headers arrive. The request line and all of
- the headers go through detection at the same time.
- 2. When sections of the request message body arrive. If you want to
- combine this with something from the request line or headers you
- must use the with_body option.
- 3. When the request trailers arrive. If you want to combine this
- with something from the request line or headers you must use the
- with_trailer option.
- 4. When the response headers arrive. The status line and all of the
- headers go through detection at the same time. These may be
- combined with elements from the request line, request headers, or
- request trailers. Where ambiguity arises use the request option.
- 5. When sections of the response message body arrive. These may be
- combined with the status line, response headers, request line,
- request headers, or request trailers as described above.
- 6. When the response trailers arrive. Again these may be combined as
- described above.
-
-Message body sections can only go through detection at the time they
-are received. Headers may be combined with later items but the body
-cannot.
-
-
-5.10. HTTP/2 Inspector
-
---------------
-
-Snort 3 is developing an inspector for HTTP/2.
-
-You can configure it by adding:
-
-http2_inspect = {}
-
-to your snort.lua configuration file.
-
-Everything has a beginning and for http2_inspect this is the
-beginning of the beginning.
-
-Currently http2_inspect will divide an HTTP/2 connection into
-individual frames. Two new rule options are available for looking at
-HTTP/2 frames: http2_frame_header provides the 9-octet frame header.
-
-alert tcp any any -> any any (msg:"Frame type"; flow:established,
-to_client; http2_frame_header; content:"|06|", offset 3, depth 1;
-sid:1; rev:1; )
-
-This will match if the Type byte of the frame header is 6 (PING).
-
-To smooth the transition to inspecting HTTP/2, rules that specify
-service:http will be treated as if they also specify service:http2.
-Thus:
-
-alert tcp any any -> any any (flow:established, to_server;
-http_uri; content:"/foo";
-service: http; sid:10; rev:1;)
-
-is understood to mean:
-
-alert tcp any any -> any any (flow:established, to_server;
-http_uri; content:"/foo";
-service: http,http2; sid:10; rev:1;)
-
-Thus it will alert on "/foo" in the URI for both HTTP/1 and HTTP/2
-traffic.
-
-The reverse is not true. "service: http2" without http will match on
-HTTP/2 flows but not HTTP/1 flows.
-
-This feature makes it easy to add HTTP/2 inspection without modifying
-large numbers of existing rules. New rules should explicitly specify
-"service http,http2;" if that is the desired behavior. Eventually
-support for http implies http2 may be deprecated and removed.
-
-In the future, http2_inspect will be fully integrated with
-http_inspect to provide full inspection of the individual HTTP/1.1
-streams.
-
-
-5.11. Performance Monitor
-
---------------
-
-The new and improved performance monitor! Is your sensor being bogged
-down by too many flows? perf_monitor! Why are certain TCP segments
-being dropped without hitting a rule? perf_monitor! Why is a sensor
-leaking water? Not perf_monitor, check with stream…
-
-5.11.1. Overview
-
-The Snort performance monitor is the built-in utility for monitoring
-system and traffic statistics. All statistics are separated by
-processing thread. perf_monitor supports several trackers for
-monitoring such data:
-
-5.11.2. Base Tracker
-
-The base tracker is used to gather running statistics about Snort and
-its running modules. All Snort modules gather, at the very least,
-counters for the number of packets reaching it. Most supplement these
-counts with those for domain specific functions, such as
-http_inspect’s number of GET requests seen.
-
-Statistics are gathered live and can be reported at regular
-intervals. The stats reported correspond only to the interval in
-question and are reset at the beginning of each interval.
-
-These are the same counts displayed when Snort shuts down, only
-sorted amongst the discrete intervals in which they occurred.
-
-Base differs from prior implementations in Snort in that all stats
-gathered are only raw counts, allowing the data to be evaluated as
-needed. Additionally, base is entirely pluggable. Data from new Snort
-plugins can be added to the existing stats either automatically or,
-if specified, by name and function.
-
-All plugins and counters can be enabled or disabled individually,
-allowing for only the data that is actually desired instead of overly
-verbose performance logs.
-
-To enable everything:
-
-perf_monitor = { modules = {} }
-
-To enable everything within a module:
-
-perf_monitor =
-{
- modules =
- {
- {
- name = 'stream_tcp',
- pegs = [[ ]]
- },
- }
-}
-
-To enable specific counts within modules:
-
-perf_monitor =
-{
- modules =
- {
- {
- name = 'stream_tcp',
- pegs = [[ overlaps gaps ]]
- },
- }
-
-Note: Event stats from prior Snorts are now located within base
-statistics.
-
-5.11.3. Flow Tracker
-
-Flow tracks statistics regarding traffic and L3/L4 protocol
-distributions. This data can be used to build a profile of traffic
-for inspector tuning and for identifying where Snort may be stressed.
-
-To enable:
-
-perf_monitor = { flow = true }
-
-5.11.4. FlowIP Tracker
-
-FlowIP provides statistics for individual hosts within a network.
-This data can be used for identifying communication habits, such as
-generating large or small amounts of data, opening a small or large
-number of sessions, and tendency to send smaller or larger IP
-packets.
-
-To enable:
-
-perf_monitor = { flow_ip = true }
-
-5.11.5. CPU Tracker
-
-This tracker monitors the CPU and wall time spent by a given
-processing thread.
-
-To enable:
-
-perf_monitor = { cpu = true }
-
-5.11.6. Formatters
-
-Performance monitor allows statistics to be output in a few formats.
-Along with human readable text (as seen at shutdown) and csv formats,
-a Flatbuffers binary format is also available if Flatbuffers is
-present at build. A utility for accessing the statistics generated in
-this format has been included for convenience (see fbstreamer in
-tools). This tool generates a YAML array of records found, allowing
-the data to be read by humans or passed into other analysis tools.
-For information on working directly with the Flatbuffers file format
-used by Performance monitor, see the developer notes for Performance
-monitor or the code provided for fbstreamer.
-
-
-5.12. POP and IMAP
-
---------------
-
-POP inspector is a service inspector for POP3 protocol and IMAP
-inspector is for IMAP4 protocol.
-
-5.12.1. Overview
-
-POP and IMAP inspectors examine data traffic and find POP and IMAP
-commands and responses. The inspectors also identify the command,
-header, body sections and extract the MIME attachments and decode it
-appropriately. The pop and imap also identify and whitelist the pop
-and imap traffic.
-
-5.12.2. Configuration
-
-POP inspector and IMAP inspector offer same set of configuration
-options for MIME decoding depth. These depths range from 0 to 65535
-bytes. Setting the value to 0 ("do none") turns the feature off.
-Alternatively the value -1 means an unlimited amount of data should
-be decoded. If you do not specify the default value is 1460 bytes.
-
-The depth limits apply per attachment. They are:
-
-5.12.2.1. b64_decode_depth
-
-Set the base64 decoding depth used to decode the base64-encoded MIME
-attachments.
-
-5.12.2.2. qp_decode_depth
-
-Set the Quoted-Printable (QP) decoding depth used to decode
-QP-encoded MIME attachments.
-
-5.12.2.3. bitenc_decode_depth
-
-Set the non-encoded MIME extraction depth used for non-encoded MIME
-attachments.
-
-5.12.2.4. uu_decode_depth
-
-Set the Unix-to-Unix (UU) decoding depth used to decode UU-encoded
-attachments.
-
-5.12.2.5. Examples
-
-stream = { }
-
-stream_tcp = { }
-
-stream_ip = { }
-
-binder =
-{
- {
- {
- when = { proto = 'tcp', ports = '110', },
- use = { type = 'pop', },
- },
- {
- when = { proto = 'tcp', ports = '143', },
- use = { type = 'imap', },
- },
- },
-}
-
-imap =
-{
- qp_decode_depth = 500,
-}
-
-pop =
-{
- qp_decode_depth = -1,
- b64_decode_depth = 3000,
-}
-
-
-5.13. Port Scan
-
---------------
-
-A module to detect port scanning
-
-5.13.1. Overview
-
-This module is designed to detect the first phase in a network
-attack: Reconnaissance. In the Reconnaissance phase, an attacker
-determines what types of network protocols or services a host
-supports. This is the traditional place where a portscan takes place.
-This phase assumes the attacking host has no prior knowledge of what
-protocols or services are supported by the target, otherwise this
-phase would not be necessary.
-
-As the attacker has no beforehand knowledge of its intended target,
-most queries sent by the attacker will be negative (meaning that the
-services are closed). In the nature of legitimate network
-communications, negative responses from hosts are rare, and rarer
-still are multiple negative responses within a given amount of time.
-Our primary objective in detecting portscans is to detect and track
-these negative responses.
-
-One of the most common portscanning tools in use today is Nmap. Nmap
-encompasses many, if not all, of the current portscanning techniques.
-Portscan was designed to be able to detect the different types of
-scans Nmap can produce.
-
-The following are a list of the types of Nmap scans Portscan will
-currently alert for.
-
- * TCP Portscan
- * UDP Portscan
- * IP Portscan
-
-These alerts are for one to one portscans, which are the traditional
-types of scans; one host scans multiple ports on another host. Most
-of the port queries will be negative, since most hosts have
-relatively few services available.
-
- * TCP Decoy Portscan
- * UDP Decoy Portscan
- * IP Decoy Portscan
-
-Decoy portscans are much like regular, only the attacker has spoofed
-source address inter-mixed with the real scanning address. This
-tactic helps hide the true identity of the attacker.
-
- * TCP Distributed Portscan
- * UDP Distributed Portscan
- * IP Distributed Portscan
-
-These are many to one portscans. Distributed portscans occur when
-multiple hosts query one host for open services. This is used to
-evade an IDS and obfuscate command and control hosts.
-
-Note
-
-Negative queries will be distributed among scanning hosts, so we
-track this type of scan through the scanned host.
-
- * TCP Portsweep
- * UDP Portsweep
- * IP Portsweep
- * ICMP Portsweep
-
-These alerts are for one to many portsweeps. One host scans a single
-port on multiple hosts. This usually occurs when a new exploit comes
-out and the attacker is looking for a specific service.
-
-Note
-
-The characteristics of a portsweep scan may not result in many
-negative responses. For example, if an attacker portsweeps a web farm
-for port 80, we will most likely not see many negative responses.
-
- * TCP Filtered Portscan
- * UDP Filtered Portscan
- * IP Filtered Portscan
- * TCP Filtered Decoy Portscan
- * UDP Filtered Decoy Portscan
- * IP Filtered Decoy Portscan
- * TCP Filtered Portsweep
- * UDP Filtered Portsweep
- * IP Filtered Portsweep
- * ICMP Filtered Portsweep
- * TCP Filtered Distributed Portscan
- * UDP Filtered Distributed Portscan
- * IP Filtered Distributed Portscan
-
-"Filtered" alerts indicate that there were no network errors (ICMP
-unreachables or TCP RSTs) or responses on closed ports have been
-suppressed. It’s also a good indicator on whether the alert is just a
-very active legitimate host. Active hosts, such as NATs, can trigger
-these alerts because they can send out many connection attempts
-within a very small amount of time. A filtered alert may go off
-before responses from the remote hosts are received.
-
-Portscan only generates one alert for each host pair in question
-during the time window. On TCP scan alerts, Portscan will also
-display any open ports that were scanned. On TCP sweep alerts
-however, Portscan will only track open ports after the alert has been
-triggered. Open port events are not individual alerts, but tags based
-off the original scan alert.
-
-5.13.2. Scan levels
-
-There are 3 default scan levels that can be set.
-
-1) default_hi_port_scan
-2) default_med_port_scan
-3) default_low_port_scan
-
-Each of these default levels have separate options that can be edited
-to alter the scan sensitivity levels (scans, rejects, nets or ports)
-
-Example:
-
-port_scan = default_low_port_scan
-
-port_scan.tcp_decoy.ports = 1
-port_scan.tcp_decoy.scans = 1
-port_scan.tcp_decoy.rejects = 1
-port_scan.tcp_ports.nets = 1
-
-The example above would change each of the individual settings to 1.
-
-NOTE:The default levels for scans, rejects, nets and ports can be
-seen in the snort_defaults.lua file.
-
-The counts can be seen in the alert outputs (-Acmg shown below):
-
-50 72 69 6F 72 69 74 79 20 43 6F 75 6E 74 3A 20 Priority Count:
-30 0A 43 6F 6E 6E 65 63 74 69 6F 6E 20 43 6F 75 0.Connec tion Cou
-6E 74 3A 20 34 35 0A 49 50 20 43 6F 75 6E 74 3A nt: 45.I P Count:
-20 31 0A 53 63 61 6E 6E 65 72 20 49 50 20 52 61 1.Scann er IP Ra
-6E 67 65 3A 20 31 2E 32 2E 33 2E 34 3A 31 2E 32 nge: 1.2 .3.4:1.2
-2E 33 2E 34 0A 50 6F 72 74 2F 50 72 6F 74 6F 20 .3.4.Por t/Proto
-43 6F 75 6E 74 3A 20 33 37 0A 50 6F 72 74 2F 50 Count: 3 7.Port/P
-72 6F 74 6F 20 52 61 6E 67 65 3A 20 31 3A 39 0A roto Ran ge: 1:9.
-
-"Low" alerts are only generated on error packets sent from the target
-host, and because of the nature of error responses, this setting
-should see very few false positives. However, this setting will never
-trigger a Filtered Scan alert because of a lack of error responses.
-This setting is based on a static time window of 60 seconds, after
-which this window is reset.
-
-"Medium" alerts track Connection Counts, and so will generate
-Filtered Scan alerts. This setting may false positive on active hosts
-(NATs, proxies, DNS caches, etc), so the user may need to deploy the
-use of Ignore directives to properly tune this directive.
-
-"High" alerts continuously track hosts on a network using a time
-window to evaluate portscan statistics for that host. A "High"
-setting will catch some slow scans because of the continuous
-monitoring, but is very sensitive to active hosts. This most
-definitely will require the user to tune Portscan.
-
-5.13.3. Tuning Portscan
-
-The most important aspect in detecting portscans is tuning the
-detection engine for your network(s). Here are some tuning tips:
-
-Use the watch_ip, ignore_scanners, and ignore_scanned options. It’s
-important to correctly set these options. The watch_ip option is easy
-to understand. The analyst should set this option to the list of CIDR
-blocks and IPs that they want to watch. If no watch_ip is defined,
-Portscan will watch all network traffic. The ignore_scanners and
-ignore_scanned options come into play in weeding out legitimate hosts
-that are very active on your network. Some of the most common
-examples are NAT IPs, DNS cache servers, syslog servers, and nfs
-servers. Portscan may not generate false positives for these types of
-hosts, but be aware when first tuning Portscan for these IPs.
-Depending on the type of alert that the host generates, the analyst
-will know which to ignore it as. If the host is generating portsweep
-events, then add it to the ignore_scanners option. If the host is
-generating portscan alerts (and is the host that is being scanned),
-add it to the ignore_scanned option.
-
-Filtered scan alerts are much more prone to false positives. When
-determining false positives, the alert type is very important. Most
-of the false positives that Portscan may generate are of the filtered
-scan alert type. So be much more suspicious of filtered portscans.
-Many times this just indicates that a host was very active during the
-time period in question. If the host continually generates these
-types of alerts, add it to the ignore_scanners list or use a lower
-sensitivity level.
-
-Make use of the Priority Count, Connection Count, IP Count, Port
-Count, IP range, and Port range to determine false positives. The
-portscan alert details are vital in determining the scope of a
-portscan and also the confidence of the portscan. In the future, we
-hope to automate much of this analysis in assigning a scope level and
-confidence level, but for now the user must manually do this. The
-easiest way to determine false positives is through simple ratio
-estimations. The following is a list of ratios to estimate and the
-associated values that indicate a legitimate scan and not a false
-positive.
-
-Connection Count / IP Count: This ratio indicates an estimated
-average of connections per IP. For portscans, this ratio should be
-high, the higher the better. For portsweeps, this ratio should be
-low.
-
-Port Count / IP Count: This ratio indicates an estimated average of
-ports connected to per IP. For portscans, this ratio should be high
-and indicates that the scanned host’s ports were connected to by
-fewer IPs. For portsweeps, this ratio should be low, indicating that
-the scanning host connected to few ports but on many hosts.
-
-Connection Count / Port Count: This ratio indicates an estimated
-average of connections per port. For portscans, this ratio should be
-low. This indicates that each connection was to a different port. For
-portsweeps, this ratio should be high. This indicates that there were
-many connections to the same port.
-
-The reason that Priority Count is not included, is because the
-priority count is included in the connection count and the above
-comparisons take that into consideration. The Priority Count play an
-important role in tuning because the higher the priority count the
-more likely it is a real portscan or portsweep (unless the host is
-firewalled).
-
-If all else fails, lower the sensitivity level. If none of these
-other tuning techniques work or the analyst doesn’t have the time for
-tuning, lower the sensitivity level. You get the best protection the
-higher the sensitivity level, but it’s also important that the
-portscan detection engine generates alerts that the analyst will find
-informative. The low sensitivity level only generates alerts based on
-error responses. These responses indicate a portscan and the alerts
-generated by the low sensitivity level are highly accurate and
-require the least tuning. The low sensitivity level does not catch
-filtered scans, since these are more prone to false positives.
-
-
-5.14. Sensitive Data Filtering
-
---------------
-
-The sd_pattern IPS option provides detection and filtering of
-Personally Identifiable Information (PII). This information includes
-credit card numbers, U.S. Social Security numbers, and email
-addresses. A rich regular expression syntax is available for defining
-your own PII.
-
-5.14.1. Hyperscan
-
-The sd_pattern rule option is powered by the open source Hyperscan
-library from Intel. It provides a regex grammar which is mostly PCRE
-compatible. To learn more about Hyperscan see https://intel.github.io
-/hyperscan/dev-reference/
-
-5.14.2. Syntax
-
-Snort provides sd_pattern as IPS rule option with no additional
-inspector overhead. The Rule option takes the following syntax.
-
-sd_pattern: "<pattern>"[, threshold <count>];
-
-5.14.2.1. Pattern
-
-Pattern is the most important and is the only required parameter to
-sd_pattern. It supports 3 built in patterns which are configured by
-name: "credit_card", "us_social" and "us_social_nodashes", as well as
-user defined regular expressions of the Hyperscan dialect (see https:
-//intel.github.io/hyperscan/dev-reference/compilation.html#
-pattern-support).
-
-sd_pattern:"credit_card";
-
-When configured, Snort will replace the pattern credit_card with the
-built in pattern. In addition to pattern matching, Snort will
-validate that the matched digits will pass the Luhn-check algorithm.
-Currently the only pattern that performs extra verification.
-
-sd_pattern:"us_social";
-sd_pattern:"us_social_nodashes";
-
-These special patterns will also be replaced with a built in pattern.
-Naturally, "us_social" is a pattern of 9 digits separated by -'s in
-the canonical form.
-
-sd_pattern:"\b\w+@ourdomain\.com\b"
-
-This is a user defined pattern which matches what is most likely
-email addresses for the site "ourdomain.com". The pattern is a PCRE
-compatible regex, \b matches a word boundary (whitespace, end of
-line, non-word characters) and \w+ matches one or more word
-characters. \. matches a literal ..
-
-The above pattern would match "a@ourdomain.com", "aa@ourdomain.com"
-but would not match 1@ourdomain.com ab12@ourdomain.com or
-@ourdomain.com.
-
-Note: This is just an example, this pattern is not suitable to detect
-many correctly formatted emails.
-
-5.14.2.2. Threshold
-
-Threshold is an optional parameter allowing you to change built in
-default value (default value is 1). The following two instances are
-identical. The first will assume the default value of 1 the second
-declaration explicitly sets the threshold to 1.
-
-sd_pattern:"This rule requires 1 match";
-sd_pattern:"This rule requires 1 match", threshold 1;
-
-That’s pretty easy, but here is one more example anyway.
-
-sd_pattern:"This is a string literal", threshold 300;
-
-This example requires 300 matches of the pattern "This is a string
-literal" to qualify as a positive match. That is, if the string only
-occurred 299 times in a packet, you will not see an event.
-
-5.14.2.3. Obfuscating Credit Cards and Social Security Numbers
-
-Snort provides discreet logging for the built in patterns
-"credit_card", "us_social" and "us_social_nodashes". Enabling
-output.obfuscate_pii makes Snort obfuscate the suspect packet payload
-which was matched by the patterns. This configuration is disabled by
-default.
-
-output =
-{
- obfuscate_pii = true
-}
-
-5.14.3. Example
-
-A complete Snort IPS rule
-
-alert tcp ( sid:1; msg:"Credit Card"; sd_pattern:"credit_card"; )
-
-Logged output when running Snort in "cmg" alert format.
-
-02/25-21:19:05.125553 [**] [1:1:0] "Credit Card" [**] [Priority: 0] {TCP} 10.1.2.3:48620 -> 10.9.8.7:8
-02:01:02:03:04:05 -> 02:09:08:07:06:05 type:0x800 len:0x46
-10.1.2.3:48620 -> 10.9.8.7:8 TCP TTL:64 TOS:0x0 ID:14 IpLen:20 DgmLen:56
-***A**** Seq: 0xB2 Ack: 0x2 Win: 0x2000 TcpLen: 20
-- - - raw[16] - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-58 58 58 58 58 58 58 58 58 58 58 58 39 32 39 34 XXXXXXXXXXXX9294
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-5.14.4. Caveats
-
- 1. Snort currently requires setting the fast pattern engine to use
- "hyperscan" in order for sd_pattern ips option to function
- correctly.
-
- search_engine = { search_method = 'hyperscan' }
-
- 2. Log obfuscation is only applicable to CMG and Unified2 logging
- formats.
- 3. Log obfuscation doesn’t support user defined PII patterns. It is
- currently only supported for the built in patterns for Credit
- Cards and US Social Security numbers.
- 4. Log obfuscation doesn’t work with stream rebuilt packet payloads.
- (This is a known bug).
-
-
-5.15. SMTP
-
---------------
-
-SMTP inspector is a service inspector for SMTP protocol.
-
-5.15.1. Overview
-
-The SMTP inspector examines SMTP connections looking for commands and
-responses. It also identifies the command, header and body sections,
-TLS data and extracts the MIME attachments. This inspector also
-identifies and whitelists the SMTP traffic.
-
-SMTP inspector logs the filename, email addresses, attachment names
-when configured.
-
-5.15.2. Configuration
-
-SMTP command lines can be normalized to remove extraneous spaces.
-TLS-encrypted traffic can be ignored, which improves performance. In
-addition, plain-text mail data can be ignored for an additional
-performance boost.
-
-The configuration options are described below:
-
-5.15.2.1. normalize and normalize_cmds
-
-Normalization checks for more than one space character after a
-command. Space characters are defined as space (ASCII 0x20) or tab
-(ASCII 0x09). "normalize" provides options all|none|cmds, all checks
-all commands, none turns off normalization for all commands. cmds
-just checks commands listed with the "normalize_cmds" parameter. For
-example:
-
-smtp = { normalize = 'cmds', normalize_cmds = 'RCPT VRFY EXPN' }
-
-5.15.2.2. ignore_data
-
-Set it to true to ignore data section of mail (except for mail
-headers) when processing rules.
-
-5.15.2.3. ignore_tls_data
-
-Set it to true to ignore TLS-encrypted data when processing rules.
-
-5.15.2.4. max_command_line_len
-
-Alert if an SMTP command line is longer than this value. Absence of
-this option or a "0" means never alert on command line length. RFC
-2821 recommends 512 as a maximum command line length.
-
-5.15.2.5. max_header_line_len
-
-Alert if an SMTP DATA header line is longer than this value. Absence
-of this option or a "0" means never alert on data header line length.
-RFC 2821 recommends 1024 as a maximum data header line length.
-
-5.15.2.6. max_response_line_len
-
-Alert if an SMTP response line is longer than this value. Absence of
-this option or a "0" means never alert on response line length. RFC
-2821 recommends 512 as a maximum response line length.
-
-5.15.2.7. alt_max_command_line_len
-
-Overrides max_command_line_len for specific commands For example:
-
-alt_max_command_line_len =
-{
- {
- command = 'MAIL',
- length = 260,
- },
- {
- command = 'RCPT',
- length = 300,
- },
-}
-
-5.15.2.8. invalid_cmds
-
-Alert if this command is sent from client side.
-
-5.15.2.9. valid_cmds
-
-List of valid commands. We do not alert on commands in this list.
-
-DEFAULT empty list, but SMTP inspector has this list hard-coded: [[
-ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN
-HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SIZE
-STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS X-LINK2STATE
-XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR ]]
-
-5.15.2.10. data_cmds
-
-List of commands that initiate sending of data with an end of data
-delimiter the same as that of the DATA command per RFC 5321 - "
-<CRLF>.<CRLF>".
-
-5.15.2.11. binary_data_cmds
-
-List of commands that initiate sending of data and use a length value
-after the command to indicate the amount of data to be sent, similar
-to that of the BDAT command per RFC 3030.
-
-5.15.2.12. auth_cmds
-
-List of commands that initiate an authentication exchange between
-client and server.
-
-5.15.2.13. xlink2state
-
-Enable/disable xlink2state alert, options are {disable | alert |
-drop}. See CVE-2005-0560 for a description of the vulnerability.
-
-5.15.2.14. MIME processing depth parameters
-
-These four MIME processing depth parameters are identical to their
-POP and IMAP counterparts. See that section for further details.
-
-b64_decode_depth qp_decode_depth bitenc_decode_depth uu_decode_depth
-
-5.15.2.15. Log Options
-
-Following log options allow SMTP inspector to log email addresses and
-filenames. Please note, this is logged only with the unified2 output
-and is not logged with the console output (-A cmg). u2spewfoo can be
-used to read this data from the unified2.
-
-log_mailfrom
-
-This option enables SMTP inspector to parse and log the sender’s
-email address extracted from the "MAIL FROM" command along with all
-the generated events for that session. The maximum number of bytes
-logged for this option is 1024.
-
-log_rcptto
-
-This option enables SMTP inspector to parse and log the recipient
-email addresses extracted from the "RCPT TO" command along with all
-the generated events for that session. Multiple recipients are
-appended with commas. The maximum number of bytes logged for this
-option is 1024.
-
-log_filename
-
-This option enables SMTP inspector to parse and log the MIME
-attachment filenames extracted from the Content-Disposition header
-within the MIME body along with all the generated events for that
-session. Multiple filenames are appended with commas. The maximum
-number of bytes logged for this option is 1024.
-
-log_email_hdrs
-
-This option enables SMTP inspector to parse and log the SMTP email
-headers extracted from SMTP data along with all generated events for
-that session. The number of bytes extracted and logged depends upon
-the email_hdrs_log_depth.
-
-email_hdrs_log_depth
-
-This option specifies the depth for logging email headers. The
-allowed range for this option is 0 - 20480. A value of 0 will disable
-email headers logging. The default value for this option is 1464.
-
-5.15.3. Example
-
-smtp =
-{
- normalize = 'cmds',
- normalize_cmds = 'EXPN VRFY RCPT',
- b64_decode_depth = 0,
- qp_decode_depth = 0,
- bitenc_decode_depth = 0,
- uu_decode_depth = 0,
- log_mailfrom = true,
- log_rcptto = true,
- log_filename = true,
- log_email_hdrs = true,
- max_command_line_len = 512,
- max_header_line_len = 1000,
- max_response_line_len = 512,
- max_auth_command_line_len = 50,
- xlink2state = 'alert',
- alt_max_command_line_len =
- {
- {
- command = 'MAIL',
- length = 260,
- },
- {
- command = 'RCPT',
- length = 300,
- },
- {
- command = 'HELP',
- length = 500,
- },
- {
- command = 'HELO',
- length = 500,
- },
- {
- command = 'ETRN',
- length = 500,
- },
- {
- command = 'EXPN',
- length = 255,
- },
- {
- command = 'VRFY',
- length = 255,
- },
- },
-}
-
-
-5.16. Telnet
-
---------------
-
-Given a telnet data buffer, Telnet will normalize the buffer with
-respect to telnet commands and option negotiation, eliminating telnet
-command sequences per RFC 854. It will also determine when a telnet
-connection is encrypted, per the use of the telnet encryption option
-per RFC 2946.
-
-5.16.1. Configuring the inspector to block exploits and attacks
-
-ayt_attack_thresh number
-
-Detect and alert on consecutive are you there [AYT] commands beyond
-the threshold number specified. This addresses a few specific
-vulnerabilities relating to bsd-based implementations of telnet.
-
-
-5.17. Trace
-
---------------
-
-Snort 3 retired the different flavors of debug macros that used to be
-set through the SNORT_DEBUG environment variable. It was replaced by
-per-module trace functionality. Trace is turned on by setting the
-specific trace module configuration in snort.lua. As before, to
-enable debug tracing, Snort must be configured at build time with
---enable-debug-msgs. However, a growing number of modules (such as
-wizard and snort.inspector_manager) are providing non-debug trace
-messages in normal production builds.
-
-5.17.1. Trace module
-
-The trace module is responsible for configuring traces and supports
-the following parameters:
-
-output - configure the output method for trace messages
-modules - trace configuration for specific modules
-constraints - filter traces by the packet constraints
-
-The following lines, added in snort.lua, will enable trace messages
-for detection and codec modules. The messages will be printed to
-syslog if the packet filtering constraints match.
-
-trace =
-{
- output = "syslog",
- modules =
- {
- detection = { detect_engine = 1 },
- decode = { all = 1 }
- },
- constraints =
- {
- ip_proto = 17,
- dst_ip = "10.1.1.2",
- src_port = 100,
- dst_port = 200
- }
-}
-
-The trace module supports config reloading. Also, it’s possible to
-set or clear modules traces and packet filter constraints via the
-control channel command.
-
-5.17.2. Trace module - configuring traces
-
-The trace module has the modules option - a table with trace
-configuration for specific modules. The following lines placed in
-snort.lua will enable trace messages for detection, codec and wizard
-modules:
-
-trace =
-{
- modules =
- {
- detection = { all = 1 },
- decode = { all = 1 },
- wizard = { all = 1 }
- }
-}
-
-The detection and snort modules are currently the only modules to
-support multiple trace options. Others have only the default all
-option, which will enable or disable all traces in a given module.
-It’s available for multi-option modules also and works as a global
-switcher:
-
-trace =
-{
- modules =
- {
- detection = { all = 1 } -- set each detection option to level 1
- }
-}
-
-trace =
-{
- modules =
- {
- detection = { all = 1, tag = 2 } -- set each detection option to level 1 but the 'tag' to level 2
- }
-}
-
-The full list of available trace parameters is placed into the "Basic
-Modules.trace" chapter.
-
-Each option must be assigned an integer value between 0 and 255 to
-specify a level of verbosity for that option:
-
-0 - turn off trace messages printing for the option
-1 - print most significant trace messages for the option
-255 - print all available trace messages for the option
-
-Tracing is disabled by default (verbosity level equals 0). The
-verbosity level is treated as a threshold, so specifying a higher
-value will result in all messages with a lower level being printed as
-well. For example:
-
-trace =
-{
- modules =
- {
- decode = { all = 3 } -- messages with levels 1, 2, and 3 will be printed
- }
-}
-
-5.17.3. Trace module - configuring packet filter constraints for
-packet related trace messages
-
-There is a capability to filter traces by the packet constraints. The
-trace module has the constraints option - a table with filtering
-configuration that will be applied to all trace messages that include
-a packet. Filtering is done on a flow that packet is related. By
-default filtering is disabled.
-
-Available constraints options:
-
-ip_proto - numerical IP protocol ID
-src_ip - match all packets with a flow that has this client IP address (passed as a string)
-src_port - match all packets with a flow that has this source port
-dst_ip - match all packets with a flow that has this server IP address (passed as a string)
-dst_port - match all packets with a flow that has this destination port
-match - boolean flag to enable/disable whether constraints will ever match (enabled by default)
-
-The following lines placed in snort.lua will enable all trace
-messages for detection filtered by ip_proto, dst_ip, src_port and
-dst_port:
-
-trace =
-{
- modules =
- {
- detection = { all = 1 }
- },
- constraints =
- {
- ip_proto = 6, -- tcp
- dst_ip = "10.1.1.10",
- src_port = 150,
- dst_port = 250
- }
-}
-
-To create constraints that will never successfully match, set the
-match parameter to false. This is useful for situations where one is
-relying on external packet filtering from the DAQ module, or for
-preventing all trace messages in the context of a packet. The
-following is an example of such configuration:
-
-trace =
-{
- modules =
- {
- snort = { all = 1 }
- },
- constraints =
- {
- match = false
- }
-}
-
-5.17.4. Trace module - configuring trace output method
-
-There is a capability to configure the output method for trace
-messages. The trace module has the output option with two acceptable
-values:
-
-"stdout" - printing to stdout
-"syslog" - printing to syslog
-
-By default, the output method will be set based on the Snort run
-mode. Normally it will use stdout, but if -D (daemon mode) and/or -M
-(alert-syslog mode) are set, it will instead use syslog.
-
-Example - set output method as syslog:
-
-In snort.lua, the following lines were added:
-
-trace =
-{
- output = "syslog",
- modules =
- {
- detection = { all = 1 }
- }
-}
-
-As a result, each trace message will be printed into syslog (the
-Snort run-mode will be ignored).
-
-5.17.5. Configuring traces via control channel command
-
-There is a capability to configure module trace options and packet
-constraints via the control channel command by using a Snort shell.
-In order to enable shell, Snort has to be configured and built with
---enable-shell.
-
-The trace control channel command is a way how to configure module
-trace options and/or packet filter constraints directly during Snort
-run and without reloading the entire config.
-
-After entering the Snort shell, there are two commands available for
-the trace module:
-
-trace.set({ modules = {...}, constraints = {...} }) - set modules traces and constraints (should pass a valid Lua-entry)
-
-trace.clear() - clear modules traces and constraints
-
-Also, it’s possible to omit tables in the trace.set() command:
-
-trace.set({constraints = {...}}) - set only filtering configuration keeping old modules traces
-
-trace.set({modules = {...}}) - set only module trace options keeping old filtering constraints
-
-trace.set({}) - disable traces and constraints (set to empty)
-
-5.17.6. Trace messages format
-
-Each tracing message has a standard format:
-
-<module_name>:<option_name>:<message_log_level>: <particular_message>
-
-The stdout logger also prints thread type and thread instance ID at
-the beginning of each trace message in a colon-separated manner.
-
-The capital letter at the beginning of the trace message indicates
-the thread type.
-
-Possible thread types: C – main (control) thread P – packet thread O
-– other thread
-
-5.17.7. Example - Debugging rules using detection trace
-
-The detection engine is responsible for rule evaluation. Turning on
-the trace for it can help with debugging new rules.
-
-The relevant options for detection are as follow:
-
-rule_eval - follow rule evaluation
-buffer - print evaluated buffer if it changed (level 1) or at every step (level 5)
-rule_vars - print value of ips rule options vars
-fp_search - print information on fast pattern search
-
-Buffer print is useful, but in case the buffer is very big can be too
-verbose. Choose between verbosity levels 1, 5, or no buffer trace
-accordingly.
-
-rule_vars is useful when the rule is using ips rule options vars.
-
-In snort.lua, the following lines were added:
-
-trace =
-{
- modules =
- {
- detection =
- {
- rule_eval = 1,
- buffer = 1,
- rule_vars = 1,
- fp_search = 1
- }
- }
-}
-
-The pcap has a single packet with payload:
-
-10.AAAAAAAfoobar
-
-Evaluated on rules:
-
-# byte_math + oper with byte extract and content
-# VAL = 1, byte_math = 0 + 10
-alert tcp ( byte_extract: 1, 0, VAL, string, dec;
-byte_math:bytes 1,offset VAL,oper +, rvalue 10, result var1, string dec;
-content:"foo", offset var1; sid:3)
-
-#This rule should not trigger
-alert tcp (content:"AAAAA"; byte_jump:2,0,relative;
-content:"foo", within 3; sid:2)
-
-The output:
-
-detection:rule_eval:1: packet 1 C2S 127.0.0.1:1234 127.0.0.1:5678 (fast-patterns)
-detection:rule_eval:1: Fast pattern search
-detection:fp_search:1: 1 fp packet[16]
-
-snort.raw[16]:
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-31 30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 10.AAAAAAAfoobar
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-detection:rule_eval:1: Processing pattern match #1
-detection:rule_eval:1: Fast pattern packet[5] = 'AAAAA' |41 41 41 41 41 | ( )
-detection:rule_eval:1: Starting tree eval
-detection:rule_eval:1: Evaluating option content, cursor name pkt_data, cursor position 0
-
-snort.raw[16]:
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-31 30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 10.AAAAAAAfoobar
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-detection:rule_vars:1: Rule options variables: var[0]=0 var[1]=0 var[2]=0
-detection:rule_eval:1: Evaluating option byte_jump, cursor name pkt_data, cursor position 8
-
-snort.raw[8]:
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-41 41 66 6F 6F 62 61 72 AAfoobar
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-detection:rule_eval:1: no match
-detection:rule_vars:1: Rule options variables: var[0]=0 var[1]=0 var[2]=0
-detection:rule_eval:1: Evaluating option byte_jump, cursor name pkt_data, cursor position 9
-
-snort.raw[7]:
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-41 66 6F 6F 62 61 72 Afoobar
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-detection:rule_eval:1: no match
-detection:rule_vars:1: Rule options variables: var[0]=0 var[1]=0 var[2]=0
-detection:rule_eval:1: Evaluating option byte_jump, cursor name pkt_data, cursor position 10
-
-snort.raw[6]:
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-66 6F 6F 62 61 72 foobar
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-detection:rule_eval:1: no match
-detection:rule_eval:1: no match
-detection:rule_eval:1: Processing pattern match #2
-detection:rule_eval:1: Fast pattern packet[3] = 'foo' |66 6F 6F | ( )
-detection:rule_eval:1: Starting tree eval
-detection:rule_eval:1: Evaluating option byte_extract, cursor name pkt_data, cursor position 0
-
-snort.raw[16]:
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-31 30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 10.AAAAAAAfoobar
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-detection:rule_vars:1: Rule options variables: var[0]=1 var[1]=0 var[2]=0
-detection:rule_eval:1: Evaluating option byte_math, cursor name pkt_data, cursor position 1
-
-snort.raw[15]:
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 0.AAAAAAAfoobar
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-detection:rule_vars:1: Rule options variables: var[0]=1 var[1]=10 var[2]=0
-detection:rule_eval:1: Evaluating option content, cursor name pkt_data, cursor position 2
-
-snort.raw[14]:
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 .AAAAAAAfoobar
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-detection:rule_vars:1: Rule options variables: var[0]=1 var[1]=10 var[2]=0
-detection:rule_eval:1: Reached leaf, cursor name pkt_data, cursor position 13
-
-snort.raw[3]:
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-62 61 72 bar
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-detection:rule_eval:1: Matched rule gid:sid:rev 1:3:0
-detection:rule_vars:1: Rule options variables: var[0]=1 var[1]=10 var[2]=0
-04/22-20:21:40.905630, 1, TCP, raw, 56, C2S, 127.0.0.1:1234, 127.0.0.1:5678, 1:3:0, allow
-
-5.17.8. Example - Protocols decoding trace
-
-Turning on decode trace will print out information about the packets
-decoded protocols. Can be useful in case of tunneling.
-
-Example for a icmpv4-in-ipv6 packet:
-
-In snort.lua, the following line was added:
-
-trace =
-{
- modules =
- {
- decode = { all = 1 }
- }
-}
-
-The output:
-
-decode:all:1: Codec eth (protocol_id: 34525) ip header starts at: 0x7f70800110f0, length is 14
-decode:all:1: Codec ipv6 (protocol_id: 1) ip header starts at: 0x7f70800110f0, length is 40
-decode:all:1: Codec icmp4 (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 8
-decode:all:1: Codec unknown (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 0
+1. Help
-5.17.9. Example - Track the time packet spends in each inspector
+---------------------------------------------------------------------
-There is a capability to track which inspectors evaluate a packet,
-and how much time the inspector consumes doing so. These trace
-messages could be enabled by the Snort module trace options:
+The detail in this reference manual was generated from the various
+help commands available in Snort. snort --help will output:
-main - command execution traces (main trace logging)
-inspector_manager - inspectors execution and time tracking traces
+Snort has several options to get more help:
-Example for a single packet with payload:
+-? list command line options (same as --help)
+--help this overview of help
+--help-commands [<module prefix>] output matching commands
+--help-config [<module prefix>] output matching config options
+--help-counts [<module prefix>] output matching peg counts
+--help-limits print the int upper bounds denoted by max*
+--help-module <module> output description of given module
+--help-modules list all available modules with brief help
+--help-plugins list all available plugins with brief help
+--help-options [<option prefix>] output matching command line options
+--help-signals dump available control signals
+--list-buffers output available inspection buffers
+--list-builtin [<module prefix>] output matching builtin rules
+--list-gids [<module prefix>] output matching generators
+--list-modules [<module type>] list all known modules
+--list-plugins list all known modules
+--show-plugins list module and plugin versions
-10.AAAAAAAfoobar
+--help* and --list* options preempt other processing so should be last on the
+command line since any following options are ignored. To ensure options like
+--markup and --plugin-path take effect, place them ahead of the help or list
+options.
-In snort.lua, the following lines were added:
+Options that filter output based on a matching prefix, such as --help-config
+won't output anything if there is no match. If no prefix is given, everything
+matches.
-trace =
-{
- modules =
- {
- snort =
- {
- -- could be replaced by 'all = 1'
- main = 1,
- inspector_manager = 1
- }
- }
-}
-
-The output:
-
-snort:main:1: [0] Queuing command START for execution (refcount 1)
-snort:main:1: [0] Queuing command RUN for execution (refcount 1)
-snort:main:1: [0] Destroying completed command START
-snort:inspector_manager:1: start inspection, raw, packet 1, context 1
-snort:inspector_manager:1: enter stream
-snort:inspector_manager:1: exit stream, elapsed time: 2 usec
-snort:inspector_manager:1: stop inspection, raw, packet 1, context 1, total time: 14 usec
-snort:inspector_manager:1: post detection inspection, raw, packet 1, context 1
-snort:inspector_manager:1: end inspection, raw, packet 1, context 1, total time: 0 usec
-snort:main:1: [0] Destroying completed command RUN
-
-5.17.10. Example - trace filtering by packet constraints:
-
-In snort.lua, the following lines were added:
-
-ips =
-{
- rules =
- [[
- alert tcp any any -> any any ( msg: "ALERT_TCP"; gid: 1001; sid: 1001 )
- alert udp any any -> any any ( msg: "ALERT_UDP"; gid: 1002; sid: 1002 )
- ]]
-}
-
-trace =
-{
- modules =
- {
- detection = { rule_eval = 1 }
- },
- constraints =
- {
- ip_proto = 17, -- udp
- dst_ip = "10.1.1.2",
- src_port = 100,
- dst_port = 200
- }
-}
-
-The processed traffic was next:
-
-d ( stack="eth:ip4:udp" )
-
-c ( ip4:a="10.1.1.1", ip4:b="10.1.1.2", udp:a=100, udp:b=200 )
-a ( pay="pass" )
-b ( pay="pass" )
-
-c ( ip4:a="10.2.1.1" )
-a ( pay="pass" )
-b ( pay="pass" )
-
-c ( udp:a=101 )
-a ( pay="block" )
-b ( pay="block" )
-
-The output:
-
-detection:rule_eval:1: packet 1 UNK 10.1.1.1:100 10.1.1.2:200 (fast-patterns)
-detection:rule_eval:1: Fast pattern processing - no matches found
-detection:rule_eval:1: packet 1 UNK 10.1.1.1:100 10.1.1.2:200 (non-fast-patterns)
-detection:rule_eval:1: packet 2 UNK 10.1.1.2:200 10.1.1.1:100 (fast-patterns)
-detection:rule_eval:1: Fast pattern processing - no matches found
-detection:rule_eval:1: packet 2 UNK 10.1.1.2:200 10.1.1.1:100 (non-fast-patterns)
-detection:rule_eval:1: packet 3 UNK 10.2.1.1:100 10.1.1.2:200 (fast-patterns)
-detection:rule_eval:1: Fast pattern processing - no matches found
-detection:rule_eval:1: packet 3 UNK 10.2.1.1:100 10.1.1.2:200 (non-fast-patterns)
-detection:rule_eval:1: packet 4 UNK 10.1.1.2:200 10.2.1.1:100 (fast-patterns)
-detection:rule_eval:1: Fast pattern processing - no matches found
-detection:rule_eval:1: packet 4 UNK 10.1.1.2:200 10.2.1.1:100 (non-fast-patterns)
-
-The trace messages for two last packets (numbers 5 and 6) weren’t
-printed.
-
-5.17.11. Example - configuring traces via trace.set() command
-
-In snort.lua, the following lines were added:
-
-ips =
-{
- rules =
- [[
- alert tcp any any -> any any ( msg: "ALERT_TCP"; gid: 1001; sid: 1001 )
- alert udp any any -> any any ( msg: "ALERT_UDP"; gid: 1002; sid: 1002 )
- ]]
-}
-
-trace =
-{
- constraints =
- {
- ip_proto = 17, -- udp
- dst_ip = "10.1.1.2",
- src_port = 100,
- dst_port = 200
- },
- modules =
- {
- detection = { rule_eval = 1 }
- }
-}
-
-The processed traffic was next:
-
-# Flow 1
-d ( stack="eth:ip4:udp" )
-c ( ip4:a="10.1.1.1", ip4:b="10.1.1.2", udp:a=100, udp:b=200 )
-a ( data="udp packet 1" )
-a ( data="udp packet 2" )
-
-# Flow 2
-d ( stack="eth:ip4:tcp" )
-c ( ip4:a="10.1.1.3", ip4:b="10.1.1.4", tcp:a=5000, tcp:b=6000 )
-a ( syn )
-b ( syn, ack )
-a ( ack )
-a ( ack, data="tcp packet 1" )
-a ( ack, data="tcp packet 2" )
-a ( fin, ack )
-b ( fin, ack )
-
-After 1 packet, entering shell and pass the trace.set() command as
-follows:
-
-trace.set({ constraints = { ip_proto = 6, dst_ip = "10.1.1.4", src_port = 5000, dst_port = 6000 }, modules = { decode = { all = 1 }, detection = { rule_eval = 1 } } })
-
-The output (not full, only descriptive lines):
-
-detection:rule_eval:1: packet 1 UNK 10.1.1.1:100 10.1.1.2:200 (fast-patterns)
-detection:rule_eval:1: packet 1 UNK 10.1.1.1:100 10.1.1.2:200 (non-fast-patterns)
-decode:all:1: Codec udp (protocol_id: 256) ip header starts length is 8
-decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20
-detection:rule_eval:1: packet 3 UNK 10.1.1.3:5000 10.1.1.4:6000 (fast-patterns)
-detection:rule_eval:1: packet 3 UNK 10.1.1.3:5000 10.1.1.4:6000 (non-fast-patterns)
-decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20
-detection:rule_eval:1: packet 4 UNK 10.1.1.4:6000 10.1.1.3:5000 (fast-patterns)
-detection:rule_eval:1: packet 4 UNK 10.1.1.4:6000 10.1.1.3:5000 (non-fast-patterns)
-decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20
-detection:rule_eval:1: packet 5 UNK 10.1.1.3:5000 10.1.1.4:6000 (fast-patterns)
-detection:rule_eval:1: packet 5 UNK 10.1.1.3:5000 10.1.1.4:6000 (non-fast-patterns)
-decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20
-detection:rule_eval:1: packet 6 UNK 10.1.1.3:5000 10.1.1.4:6000 (fast-patterns)
-detection:rule_eval:1: packet 6 UNK 10.1.1.3:5000 10.1.1.4:6000 (non-fast-patterns)
-decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20
-detection:rule_eval:1: packet 7 UNK 10.1.1.3:5000 10.1.1.4:6000 (fast-patterns)
-detection:rule_eval:1: packet 7 UNK 10.1.1.3:5000 10.1.1.4:6000 (non-fast-patterns)
-decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20
-detection:rule_eval:1: packet 8 UNK 10.1.1.3:5000 10.1.1.4:6000 (fast-patterns)
-detection:rule_eval:1: packet 8 UNK 10.1.1.3:5000 10.1.1.4:6000 (non-fast-patterns)
-decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20
-detection:rule_eval:1: packet 9 UNK 10.1.1.4:6000 10.1.1.3:5000 (fast-patterns)
-detection:rule_eval:1: packet 9 UNK 10.1.1.4:6000 10.1.1.3:5000 (non-fast-patterns)
-
-The new configuration was applied. decode:all:1 messages aren’t
-filtered because they don’t include a packet (a packet isn’t
-well-formed at the point when the message is printing).
-
-5.17.12. Other available traces
-
-There are more trace options supported by detection:
-
-detect_engine - prints statistics about the engine
-pkt_detect - prints a message when disabling content detect for packet
-opt_tree - prints option tree data structure
-tag - prints a message when a new tag is added
-
-The rest support only 1 option, and can be turned on by adding all =
-1 to their table in trace lua config.
-
- * stream module trace:
-
-When turned on prints a message in case inspection is stopped on a
-flow. Example for output:
-
-stream:all:1: stop inspection on flow, dir BOTH
-
- * stream_ip, stream_user: trace will output general processing
- messages
-
-Other modules that support trace have messages as seemed fit to the
-developer. Some are for corner cases, others for complex data
-structures.
-
-
-5.18. Wizard
-
---------------
-
-Using the wizard enables port-independent configuration and the
-detection of malware command and control channels. If the wizard is
-bound to a session, it peeks at the initial payload to determine the
-service. For example, GET would indicate HTTP and HELO would indicate
-SMTP. Upon finding a match, the service bindings are reevaluated so
-the session can be handed off to the appropriate inspector. The
-wizard is still under development; if you find you need to tweak the
-defaults please let us know.
-
-Additional Details:
-
- * If the wizard and one or more service inspectors are configured w
- /o explicitly configuring the binder, default bindings will be
- generated which should work for most common cases.
- * Also note that while Snort 2 bindings can only be configured in
- the default policy, each Snort 3 policy can contain a binder
- leading to an arbitrary hierarchy.
- * The entire configuration can be reloaded and hot-swapped during
- run-time via signal or command in both Snort 2 and Snort 3.
- Ultimately, Snort 3 will support commands to update the binder on
- the fly, thus enabling incremental reloads of individual
- inspectors.
- * Both Snort 2 and Snort 3 support server specific configurations
- via a hosts table (XML in Snort 2 and Lua in Snort 3). The table
- allows you to map network, protocol, and port to a service and
- policy. This table can be reloaded and hot-swapped separately
- from the config file.
- * You can find the specifics on the binder, wizard, and hosts
- tables in the manual or command line like this: snort
- --help-module binder, etc.
+Report bugs to bugs@snort.org.
---------------------------------------------------------------------
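Review bot: in the new help overview, --list-plugins is described as "list all known modules", the same wording as --list-modules directly above it; it should read "list all known plugins" (mirroring --help-plugins). This region also drops the 5.17.8 to 5.17.12 trace examples and the 5.18 Wizard text without a replacement; the 5.17.11 example is the only place that documents that decode:all messages bypass trace.constraints because no well-formed packet exists when they are printed, so make sure that caveat survives in whichever document keeps the user-facing trace chapter.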
-6. Basic Modules
+2. Basic Modules
---------------------------------------------------------------------
include configuration for core processing.
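Review bot: the chapter renumbering that starts here (6 to 2, 7 to 3, and so on through 11 to 7) is consistent with the five user-manual chapters being removed from this document, but any cross reference into these chapters elsewhere in the text still needs to be checked against the new numbers, since none of the renumbered headings below carry a matching change to a reference.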
-6.1. active
+2.1. active
--------------
allowed (sum)
-6.2. alerts
+2.2. alerts
--------------
for gtp|teredo|6in4|4in6|4in4|6in6|gre|mpls|vxlan traffic
-6.3. attribute_table
+2.3. attribute_table
--------------
services in rule { 1:255 }
-6.4. classifications
+2.4. classifications
--------------
* string classifications[].text: description of class
-6.5. daq
+2.5. daq
--------------
message type (sum)
-6.6. decode
+2.6. decode
--------------
* 116:473 (decode) ether type out of range
-6.7. detection
+2.7. detection
--------------
(sum)
-6.8. event_filter
+2.8. event_filter
--------------
out of global memory (sum)
-6.9. event_queue
+2.9. event_queue
--------------
action group or all action groups
-6.10. high_availability
+2.10. high_availability
--------------
failure count (sum)
-6.11. host_cache
+2.11. host_cache
--------------
* host_cache.replaced: lru cache found entry and replaced it (sum)
-6.12. host_tracker
+2.12. host_tracker
--------------
* host_tracker.service_finds: host service finds (sum)
-6.13. hosts
+2.13. hosts
--------------
* port hosts[].services[].port: port number
-6.14. inspection
+2.14. inspection
--------------
inline-test }
-6.15. ips
+2.15. ips
--------------
policy uuid
-6.16. latency
+2.16. latency
--------------
thresholding (usec) { 0:max53 }
* bool latency.packet.fastpath = false: fastpath expensive packets
(max_time exceeded)
+ * bool latency.packet.test_timeout = false: timeout on every packet
* int latency.rule.max_time = 500: set timeout for rule evaluation
(usec) { 0:max53 }
* bool latency.rule.suspend = false: temporarily suspend expensive
* int latency.rule.max_suspend_time = 30000: set max time for
suspending a rule (ms, 0 means permanently disable rule) {
0:max32 }
+ * bool latency.rule.test_timeout = false: timeout on every rule
+ evaluation
Rules:
* latency.rule_tree_enables: rule tree re-enables (sum)
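Review bot: the two new latency.packet.test_timeout and latency.rule.test_timeout options are described only as "timeout on every packet" and "timeout on every rule evaluation"; the description should say these are test hooks that force the timeout path (so with latency.packet.fastpath or latency.rule.suspend enabled every packet is fastpathed or every rule suspended) and are not for production, the way stream.footprint below says "use zero for production, non-zero for testing".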
-6.17. memory
+2.17. memory
--------------
* memory.total_fudge: sum of all adjustments (now)
-6.18. network
+2.18. network
--------------
unlimited) { 0:255 }
-6.19. output
+2.19. output
--------------
* bool output.verbose = false: be verbose (same as -v)
* bool output.obfuscate = false: obfuscate the logged IP addresses
(same as -O)
- * bool output.wide_hex_dump = false: output 20 bytes per lines
+ * bool output.wide_hex_dump = true: output 20 bytes per lines
instead of 16 when dumping buffers
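Review bot: the default for output.wide_hex_dump flips from false to true here while the rest of this diff is a restructuring of the manual; confirm the flip reflects an actual change to the code default rather than a regeneration artifact, and call it out in the change description, because it changes the width of every dumped buffer (20 bytes per line instead of 16) and anything that parses hex dumps from the logs will see the difference. Also "output 20 bytes per lines" should be "per line" in both versions.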
-6.20. packet_tracer
+2.20. packet_tracer
--------------
* packet_tracer.disable(): disable packet tracer
-6.21. packets
+2.21. packets
--------------
is used to track fragments and connections
-6.22. payload_injector
+2.22. payload_injector
--------------
(sum)
-6.23. process
+2.23. process
--------------
timestamps
-6.24. profiler
+2.24. profiler
--------------
avg_match | avg_no_match }
-6.25. rate_filter
+2.25. rate_filter
--------------
memory (sum)
-6.26. references
+2.26. references
--------------
* string references[].url: where this reference is defined
-6.27. rule_state
+2.27. rule_state
--------------
no | yes | inherit }
-6.28. search_engine
+2.28. search_engine
--------------
* search_engine.searched_bytes: total bytes searched (sum)
-6.29. side_channel
+2.29. side_channel
--------------
* side_channel.packets: total packets (sum)
-6.30. snort
+2.30. snort
--------------
* implied snort.--nolock-pidfile: do not try to lock Snort PID file
* implied snort.--pause: wait for resume/quit command before
processing packets/terminating
+ * int snort.--pause-after-n: <count> pause after count packets {
+ 1:max53 }
* string snort.--pcap-file: <file> file that contains a list of
pcaps to read - read mode is implied
* string snort.--pcap-list: <list> a space separated list of pcaps
* implied snort.--pcap-show: print a line saying what pcap is
currently being read
* implied snort.--pedantic: warnings are fatal
+ * implied snort.--piglet: enable piglet test harness mode
* string snort.--plugin-path: <path> a colon separated list of
directories or plugin libraries
* implied snort.--process-all-events: process all action groups
* implied snort.--treat-drop-as-ignore: use drop, block, and reset
rules to ignore session traffic when not inline
* string snort.--tweaks: tune configuration
+ * string snort.--catch-test: comma separated list of cat unit test
+ tags or all
* implied snort.--version: show version number (same as -V)
* implied snort.--warn-all: enable all warnings
* implied snort.--warn-conf: warn about configuration issues
failed due to attribute table full (sum)
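Review bot: --catch-test is inserted between --tweaks and --version, breaking the alphabetical order the rest of this list follows (--nolock-pidfile, --pause, --pause-after-n, --pcap-file, --pcap-list, --pcap-show, --pedantic, --piglet, --plugin-path, ...); move it ahead of --nolock-pidfile. --piglet and --catch-test are both test-harness switches and should say so consistently: "enable piglet test harness mode" does, while "comma separated list of cat unit test tags or all" does not and should spell out what "cat" refers to.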
-6.31. suppress
+2.31. suppress
--------------
according to track
-6.32. trace
+2.32. trace
--------------
Configuration:
* int trace.modules.latency.all: enable all trace options { 0:255 }
+ * int trace.modules.snort.all: enable all trace options { 0:255 }
+ * int trace.modules.snort.main: enable main trace logging { 0:255 }
+ * int trace.modules.snort.inspector_manager: enable inspector
+ manager trace logging { 0:255 }
* int trace.modules.detection.all: enable all trace options { 0:255
}
* int trace.modules.detection.detect_engine: enable detection
logging { 0:255 }
* int trace.modules.detection.tag: enable tag trace logging { 0:255
}
- * int trace.modules.stream.all: enable all trace options { 0:255 }
- * int trace.modules.gtp_inspect.all: enable all trace options {
- 0:255 }
+ * int trace.modules.stream_ip.all: enable all trace options { 0:255
+ }
* int trace.modules.stream_user.all: enable all trace options {
0:255 }
+ * int trace.modules.wizard.all: enable all trace options { 0:255 }
* int trace.modules.dce_smb.all: enable all trace options { 0:255 }
- * int trace.modules.decode.all: enable all trace options { 0:255 }
* int trace.modules.dce_udp.all: enable all trace options { 0:255 }
+ * int trace.modules.decode.all: enable all trace options { 0:255 }
+ * int trace.modules.stream.all: enable all trace options { 0:255 }
+ * int trace.modules.gtp_inspect.all: enable all trace options {
+ 0:255 }
* int trace.modules.appid.all: enable all trace options { 0:255 }
- * int trace.modules.snort.all: enable all trace options { 0:255 }
- * int trace.modules.snort.main: enable main trace logging { 0:255 }
- * int trace.modules.snort.inspector_manager: enable inspector
- manager trace logging { 0:255 }
- * int trace.modules.stream_ip.all: enable all trace options { 0:255
- }
- * int trace.modules.wizard.all: enable all trace options { 0:255 }
* int trace.constraints.ip_proto: numerical IP protocol ID filter {
0:255 }
* string trace.constraints.src_ip: source IP address filter
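Review bot: this block only reorders the trace.modules.* entries with no net content change; the resulting order (latency, snort.*, detection.*, stream_ip, stream_user, wizard, dce_smb, dce_udp, decode, stream, gtp_inspect, appid) is no more systematic than the old one, so the reorder adds diff noise without helping a reader find a module. If the list is emitted in plugin registration order, say so above the list; otherwise sort the entries alphabetically by module name so that future regenerations stay stable.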
---------------------------------------------------------------------
-7. Codec Modules
+3. Codec Modules
---------------------------------------------------------------------
responses.
-7.1. arp
+3.1. arp
--------------
* 116:109 (arp) truncated ARP
-7.2. auth
+3.2. auth
--------------
* 116:466 (auth) bad authentication header length
-7.3. ciscometadata
+3.3. ciscometadata
--------------
group tags (sum)
-7.4. eapol
+3.4. eapol
--------------
* 116:112 (eapol) EAP header truncated
-7.5. erspan2
+3.5. erspan2
--------------
* 116:463 (erspan2) captured length < ERSpan type2 header length
-7.6. erspan3
+3.6. erspan3
--------------
* 116:464 (erspan3) captured < ERSpan type3 header length
-7.7. esp
+3.7. esp
--------------
* 116:294 (esp) truncated encapsulated security payload header
-7.8. eth
+3.8. eth
--------------
* 116:424 (eth) truncated ethernet header
-7.9. fabricpath
+3.9. fabricpath
--------------
* 116:467 (fabricpath) truncated FabricPath header
-7.10. gre
+3.10. gre
--------------
* 116:165 (gre) GRE trans header length > payload length
-7.11. gtp
+3.11. gtp
--------------
* 116:298 (gtp) GTP header length is invalid
-7.12. icmp4
+3.12. icmp4
--------------
* icmp4.checksum_bypassed: checksum calculations bypassed (sum)
-7.13. icmp6
+3.13. icmp6
--------------
* icmp6.checksum_bypassed: checksum calculations bypassed (sum)
-7.14. igmp
+3.14. igmp
--------------
* 116:455 (igmp) DOS IGMP IP options validation attempt
-7.15. ipv4
+3.15. ipv4
--------------
* ipv4.checksum_bypassed: checksum calculations bypassed (sum)
-7.16. ipv6
+3.16. ipv6
--------------
the payload protocol field
-7.17. llc
+3.17. llc
--------------
* 116:132 (llc) bad extra LLC info
-7.18. mpls
+3.18. mpls
--------------
* mpls.total_bytes: total mpls labeled bytes processed (sum)
-7.19. pbb
+3.19. pbb
--------------
* 116:424 (pbb) truncated ethernet header
-7.20. pgm
+3.20. pgm
--------------
* 116:454 (pgm) PGM nak list overflow attempt
-7.21. pppoe
+3.21. pppoe
--------------
* 116:120 (pppoe) bad PPPOE frame detected
-7.22. tcp
+3.22. tcp
--------------
* tcp.checksum_bypassed: checksum calculations bypassed (sum)
-7.23. token_ring
+3.23. token_ring
--------------
* 116:143 (token_ring) bad Token Ring MR header
-7.24. udp
+3.24. udp
--------------
* udp.checksum_bypassed: checksum calculations bypassed (sum)
-7.25. vlan
+3.25. vlan
--------------
* 116:130 (vlan) bad VLAN frame
-7.26. wlan
+3.26. wlan
--------------
---------------------------------------------------------------------
-8. Connector Modules
+4. Connector Modules
---------------------------------------------------------------------
Connectors support High Availability communication links.
-8.1. file_connector
+4.1. file_connector
--------------
* file_connector.messages: total messages (sum)
-8.2. tcp_connector
+4.2. tcp_connector
--------------
---------------------------------------------------------------------
-9. Inspector Modules
+5. Inspector Modules
---------------------------------------------------------------------
protocols beyond basic decoding.
-9.1. appid
+5.1. appid
--------------
Configuration:
+ * int appid.first_decrypted_packet_debug = 0: the first packet of
+ an already decrypted SSL flow (debug single session only) {
+ 0:max32 }
* int appid.memcap = 1048576: max size of the service cache before
we start pruning the cache { 1024:maxSZ }
* bool appid.log_stats = false: enable logging of appid statistics
from the service cache (sum)
-9.2. appid_listener
+5.2. appid_listener
--------------
Usage: context
-9.3. arp_spoof
+5.3. arp_spoof
--------------
* arp_spoof.packets: total packets (sum)
-9.4. back_orifice
+5.4. back_orifice
--------------
* back_orifice.packets: total packets (sum)
-9.5. binder
+5.5. binder
--------------
* binder.inspects: inspect bindings (sum)
-9.6. cip
+5.6. cip
--------------
(max)
-9.7. data_log
+5.7. data_log
--------------
* data_log.packets: total packets (sum)
-9.8. dce_http_proxy
+5.8. dce_http_proxy
--------------
sessions (sum)
-9.9. dce_http_server
+5.9. dce_http_server
--------------
sessions (sum)
-9.10. dce_smb
+5.10. dce_smb
--------------
(max)
-9.11. dce_tcp
+5.11. dce_tcp
--------------
(max)
-9.12. dce_udp
+5.12. dce_udp
--------------
(max)
-9.13. dnp3
+5.13. dnp3
--------------
(max)
-9.14. dns
+5.14. dns
--------------
(max)
-9.15. domain_filter
+5.15. domain_filter
--------------
* domain_filter.filtered: domains filtered (sum)
-9.16. dpx
+5.16. dpx
--------------
* dpx.packets: total packets (sum)
-9.17. file_id
+5.17. file_id
--------------
concurrently on a flow (max)
-9.18. file_log
+5.18. file_log
--------------
* file_log.total_events: total file events (sum)
-9.19. ftp_client
+5.19. ftp_client
--------------
sequences on FTP control channel
-9.20. ftp_data
+5.20. ftp_data
--------------
* ftp_data.packets: total packets (sum)
-9.21. ftp_server
+5.21. ftp_server
--------------
sessions (max)
-9.22. gtp_inspect
+5.22. gtp_inspect
--------------
* gtp_inspect.unknown_infos: unknown information elements (sum)
-9.23. http2_inspect
+5.23. http2_inspect
--------------
Usage: inspect
+Configuration:
+
+ * bool http2_inspect.test_input = false: read HTTP/2 messages from
+ text file
+ * bool http2_inspect.test_output = false: print out HTTP section
+ data
+ * int http2_inspect.print_amount = 1200: number of characters to
+ print from a Field { 1:max53 }
+ * bool http2_inspect.print_hex = false: nonprinting characters
+ printed in [HH] format instead of using an asterisk
+ * bool http2_inspect.show_pegs = true: display peg counts with test
+ output
+ * bool http2_inspect.show_scan = false: display scanned segments
+
Rules:
* 121:1 (http2_inspect) error in HPACK integer value
transfers per HTTP/2 connection (max)
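Review bot: the new http2_inspect.test_input, test_output, print_amount, print_hex, show_pegs and show_scan options are test-harness knobs (test_input reads HTTP/2 messages from a text file instead of from traffic), but nothing in the descriptions says they are for testing only; add that, and note that print_amount, print_hex, show_pegs and show_scan only take effect when test_output is on. The identical six options are added under http_inspect further down; a one-line cross reference would avoid maintaining two copies of the same wording.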
-9.24. http_inspect
+5.24. http_inspect
--------------
normalizing URIs
* bool http_inspect.simplify_path = true: reduce URI directory path
to simplest form
+ * bool http_inspect.test_input = false: read HTTP messages from
+ text file
+ * bool http_inspect.test_output = false: print out HTTP section
+ data
+ * int http_inspect.print_amount = 1200: number of characters to
+ print from a Field { 1:max53 }
+ * bool http_inspect.print_hex = false: nonprinting characters
+ printed in [HH] format instead of using an asterisk
+ * bool http_inspect.show_pegs = true: display peg counts with test
+ output
+ * bool http_inspect.show_scan = false: display scanned segments
Rules:
cutovers to wizard (sum)
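Review bot: the http_inspect block inserts the six test_* options directly before "Rules:" with no blank line, whereas the http2_inspect block above wraps the same options in a "Configuration:" heading with a blank line on each side; make the two layouts consistent so the generated manual does not present the same options two different ways.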
-9.25. imap
+5.25. imap
--------------
* imap.non_encoded_bytes: total non-encoded extracted bytes (sum)
-9.26. mem_test
+5.26. mem_test
--------------
* mem_test.packets: total packets (sum)
-9.27. modbus
+5.27. modbus
--------------
sessions (max)
-9.28. normalizer
+5.28. normalizer
--------------
* normalizer.tcp_block: blocked segments (sum)
-9.29. packet_capture
+5.29. null_trace_logger
+
+--------------
+
+What: trace logger with a null printout
+
+Type: inspector
+
+Usage: global
+
+
+5.30. packet_capture
--------------
filter (sum)
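Review bot: the new 5.29 null_trace_logger entry has only "What: trace logger with a null printout", which does not tell the reader what the inspector is for; say what a null printout means in practice (whether trace messages are dropped entirely), when one would select it instead of the default trace output, and that it has no configuration, commands or peg counts, since the section lists none. This insertion also renumbers every following inspector section (packet_capture 9.29 to 5.30 and so on), so the new 5.29 entry needs to be added to the table of contents if the manual has one.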
-9.30. perf_monitor
+5.31. perf_monitor
--------------
by new flows (sum)
-9.31. pop
+5.32. pop
--------------
* pop.non_encoded_bytes: total non-encoded extracted bytes (sum)
-9.32. port_scan
+5.33. port_scan
--------------
to reduced memcap (sum)
-9.33. reputation
+5.34. reputation
--------------
* reputation.memory_allocated: total memory allocated (sum)
-9.34. rna
+5.35. rna
--------------
(sum)
-9.35. rpc_decode
+5.36. rpc_decode
--------------
sessions (max)
-9.36. s7commplus
+5.37. s7commplus
--------------
sessions (max)
-9.37. sip
+5.38. sip
--------------
* sip.code_9xx: 9xx (sum)
-9.38. smtp
+5.39. smtp
--------------
* smtp.non_encoded_bytes: total non-encoded extracted bytes (sum)
-9.39. so_proxy
+5.40. so_proxy
--------------
Usage: global
-9.40. ssh
+5.41. ssh
--------------
(max)
-9.41. ssl
+5.42. ssl
--------------
(max)
-9.42. stream
+5.43. stream
--------------
Configuration:
+ * int stream.footprint = 0: use zero for production, non-zero for
+ testing at given size (for TCP and user) { 0:max32 }
* bool stream.ip_frags_only = false: don’t process non-frag flows
* int stream.max_flows = 476288: maximum simultaneous flows tracked
before pruning { 2:max32 }
deleted by config reloads (sum)
-9.43. stream_file
+5.44. stream_file
--------------
* bool stream_file.upload = false: indicate file transfer direction
-9.44. stream_icmp
+5.45. stream_icmp
--------------
* stream_icmp.prunes: icmp session prunes (sum)
-9.45. stream_ip
+5.46. stream_ip
--------------
* stream_ip.fragmented_bytes: total fragmented bytes (sum)
-9.46. stream_tcp
+5.47. stream_tcp
--------------
service stream splitter (sum)
-9.47. stream_udp
+5.48. stream_udp
--------------
* stream_udp.ignored: udp packets ignored (sum)
-9.48. stream_user
+5.49. stream_user
--------------
1:max31 }
-9.49. telnet
+5.50. telnet
--------------
sessions (max)
-9.50. wizard
+5.51. wizard
--------------
* wizard.tcp_scans: tcp payload scans (sum)
* wizard.tcp_hits: tcp identifications (sum)
+ * wizard.tcp_misses: tcp searches abandoned (sum)
* wizard.udp_scans: udp payload scans (sum)
* wizard.udp_hits: udp identifications (sum)
+ * wizard.udp_misses: udp searches abandoned (sum)
* wizard.user_scans: user payload scans (sum)
* wizard.user_hits: user identifications (sum)
+ * wizard.user_misses: user searches abandoned (sum)
---------------------------------------------------------------------
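Review bot: the new wizard.tcp_misses, udp_misses and user_misses pegs are described only as "searches abandoned"; say what causes a search to be abandoned so an operator can interpret the counters, in particular whether scans is expected to equal hits plus misses once flows close, since an unexplained gap between those counters is the first thing someone tuning wizard coverage will ask about.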
-10. IPS Action Modules
+6. IPS Action Modules
---------------------------------------------------------------------
rule to parse.
-10.1. react
+6.1. react
--------------
body)
-10.2. reject
+6.2. reject
--------------
network|host|port|forward|all }
-10.3. rewrite
+6.3. rewrite
--------------
---------------------------------------------------------------------
-11. IPS Option Modules
+7. IPS Option Modules
---------------------------------------------------------------------
IPS options are the building blocks of IPS rules.
-11.1. ack
+7.1. ack
--------------
<max | >min { 0: }
-11.2. appids
+7.2. appids
--------------
* string appids.~: comma separated list of application names
-11.3. asn1
+7.3. asn1
--------------
-65535:65535 }
-11.4. base64_decode
+7.4. base64_decode
--------------
start of buffer
-11.5. ber_data
+7.5. ber_data
--------------
element type { 0:255 }
-11.6. ber_skip
+7.6. ber_skip
--------------
is not found
-11.7. bufferlen
+7.7. bufferlen
--------------
position) instead of total length
-11.8. byte_extract
+7.8. byte_extract
--------------
value before storage in name { 0x1:0xFFFFFFFF }
-11.9. byte_jump
+7.9. byte_jump
--------------
0x1:0xFFFFFFFF }
-11.10. byte_math
+7.10. byte_math
--------------
value before storage in name { 0x1:0xFFFFFFFF }
-11.11. byte_test
+7.11. byte_test
--------------
0x1:0xFFFFFFFF }
-11.12. cip_attribute
+7.12. cip_attribute
--------------
* interval cip_attribute.~range: match CIP attribute { 0:65535 }
-11.13. cip_class
+7.13. cip_class
--------------
* interval cip_class.~range: match CIP class { 0:65535 }
-11.14. cip_conn_path_class
+7.14. cip_conn_path_class
--------------
Class { 0:65535 }
-11.15. cip_instance
+7.15. cip_instance
--------------
* interval cip_instance.~range: match CIP instance { 0:4294967295 }
-11.16. cip_req
+7.16. cip_req
--------------
Usage: detect
-11.17. cip_rsp
+7.17. cip_rsp
--------------
Usage: detect
-11.18. cip_service
+7.18. cip_service
--------------
* interval cip_service.~range: match CIP service { 0:127 }
-11.19. cip_status
+7.19. cip_status
--------------
* interval cip_status.~range: match CIP response status { 0:255 }
-11.20. classtype
+7.20. classtype
--------------
* string classtype.~: classification for this rule
-11.21. content
+7.21. content
--------------
from cursor
-11.22. cvs
+7.22. cvs
--------------
* implied cvs.invalid-entry: looks for an invalid Entry string
-11.23. dce_iface
+7.23. dce_iface
--------------
* implied dce_iface.any_frag: match on any fragment
-11.24. dce_opnum
+7.24. dce_opnum
--------------
list
-11.25. dce_stub_data
+7.25. dce_stub_data
--------------
Usage: detect
-11.26. detection_filter
+7.26. detection_filter
--------------
1:max32 }
-11.27. dnp3_data
+7.27. dnp3_data
--------------
Usage: detect
-11.28. dnp3_func
+7.28. dnp3_func
--------------
* string dnp3_func.~: match DNP3 function code or name
-11.29. dnp3_ind
+7.29. dnp3_ind
--------------
* string dnp3_ind.~: match given DNP3 indicator flags
-11.30. dnp3_obj
+7.30. dnp3_obj
--------------
}
-11.31. dsize
+7.31. dsize
--------------
given range { 0:65535 }
-11.32. enable
+7.32. enable
--------------
}
-11.33. enip_command
+7.33. enip_command
--------------
* interval enip_command.~range: match CIP Enip Command { 0:65535 }
-11.34. enip_req
+7.34. enip_req
--------------
Usage: detect
-11.35. enip_rsp
+7.35. enip_rsp
--------------
Usage: detect
-11.36. file_data
+7.36. file_data
--------------
Usage: detect
-11.37. file_type
+7.37. file_type
--------------
* string file_type.~: list of file type IDs to match
-11.38. flags
+7.38. flags
--------------
* string flags.~mask_flags: these flags are don’t cares
-11.39. flow
+7.39. flow
--------------
* implied flow.only_frag: match on defragmented packets only
-11.40. flowbits
+7.40. flowbits
--------------
* string flowbits.~bits: bit [|bit]* or bit [&bit]*
-11.41. fragbits
+7.41. fragbits
--------------
* string fragbits.~flags: these flags are tested
-11.42. fragoffset
+7.42. fragoffset
--------------
given range { 0:8192 }
-11.43. gid
+7.43. gid
--------------
* int gid.~: generator id { 1:max32 }
-11.44. gtp_info
+7.44. gtp_info
--------------
* string gtp_info.~: info element to match
-11.45. gtp_type
+7.45. gtp_type
--------------
* string gtp_type.~: list of types to match
-11.46. gtp_version
+7.46. gtp_version
--------------
* int gtp_version.~: version to match { 0:2 }
-11.47. http2_decoded_header
+7.47. http2_decoded_header
--------------
Usage: detect
-11.48. http2_frame_header
+7.48. http2_frame_header
--------------
Usage: detect
-11.49. http_client_body
+7.49. http_client_body
--------------
Usage: detect
-11.50. http_cookie
+7.50. http_cookie
--------------
message trailers
-11.51. http_header
+7.51. http_header
--------------
message trailers
-11.52. http_method
+7.52. http_method
--------------
message trailers
-11.53. http_param
+7.53. http_param
--------------
* implied http_param.nocase: case insensitive match
-11.54. http_raw_body
+7.54. http_raw_body
--------------
Usage: detect
-11.55. http_raw_cookie
+7.55. http_raw_cookie
--------------
HTTP message trailers
-11.56. http_raw_header
+7.56. http_raw_header
--------------
HTTP message trailers
-11.57. http_raw_request
+7.57. http_raw_request
--------------
HTTP message trailers
-11.58. http_raw_status
+7.58. http_raw_status
--------------
HTTP message trailers
-11.59. http_raw_trailer
+7.59. http_raw_trailer
--------------
HTTP response message body (must be combined with request)
-11.60. http_raw_uri
+7.60. http_raw_uri
--------------
URI only
-11.61. http_stat_code
+7.61. http_stat_code
--------------
HTTP message trailers
-11.62. http_stat_msg
+7.62. http_stat_msg
--------------
HTTP message trailers
-11.63. http_trailer
+7.63. http_trailer
--------------
message body (must be combined with request)
-11.64. http_true_ip
+7.64. http_true_ip
--------------
HTTP message trailers
-11.65. http_uri
+7.65. http_uri
--------------
only
-11.66. http_version
+7.66. http_version
--------------
HTTP message trailers
-11.67. icmp_id
+7.67. icmp_id
--------------
0:65535 }
-11.68. icmp_seq
+7.68. icmp_seq
--------------
given range { 0:65535 }
-11.69. icode
+7.69. icode
--------------
0:255 }
-11.70. id
+7.70. id
--------------
}
-11.71. ip_proto
+7.71. ip_proto
--------------
* string ip_proto.~proto: [!|>|<] name or number
-11.72. ipopts
+7.72. ipopts
--------------
lsrre|ssrr|satid|any }
-11.73. isdataat
+7.73. isdataat
--------------
buffer
-11.74. itype
+7.74. itype
--------------
0:255 }
-11.75. md5
+7.75. md5
--------------
of buffer
-11.76. metadata
+7.76. metadata
--------------
pairs
-11.77. modbus_data
+7.77. modbus_data
--------------
Usage: detect
-11.78. modbus_func
+7.78. modbus_func
--------------
* string modbus_func.~: function code to match
-11.79. modbus_unit
+7.79. modbus_unit
--------------
* int modbus_unit.~: Modbus unit ID { 0:255 }
-11.80. msg
+7.80. msg
--------------
* string msg.~: message describing rule
-11.81. mss
+7.81. mss
--------------
}
-11.82. pcre
+7.82. pcre
--------------
* pcre.pcre_negated: total pcre rules using negation syntax (sum)
-11.83. pkt_data
+7.83. pkt_data
--------------
Usage: detect
-11.84. pkt_num
+7.84. pkt_num
--------------
{ 1: }
-11.85. priority
+7.85. priority
--------------
1:max31 }
-11.86. raw_data
+7.86. raw_data
--------------
Usage: detect
-11.87. reference
+7.87. reference
--------------
* string reference.~ref: reference: <scheme>,<id>
-11.88. regex
+7.88. regex
--------------
instead of start of buffer
-11.89. rem
+7.89. rem
--------------
* string rem.~: comment
-11.90. replace
+7.90. replace
--------------
* string replace.~: byte code to replace with
-11.91. rev
+7.91. rev
--------------
* int rev.~: revision { 1:max32 }
-11.92. rpc
+7.92. rpc
--------------
* string rpc.~proc: procedure number or * for any
-11.93. s7commplus_content
+7.93. s7commplus_content
--------------
Usage: detect
-11.94. s7commplus_func
+7.94. s7commplus_func
--------------
* string s7commplus_func.~: function code to match
-11.95. s7commplus_opcode
+7.95. s7commplus_opcode
--------------
* string s7commplus_opcode.~: opcode code to match
-11.96. sd_pattern
+7.96. sd_pattern
--------------
* sd_pattern.terminated: hyperscan terminated (sum)
-11.97. seq
+7.97. seq
--------------
range { 0: }
-11.98. service
+7.98. service
--------------
* string service.*: one or more comma-separated service names
-11.99. sha256
+7.99. sha256
--------------
start of buffer
-11.100. sha512
+7.100. sha512
--------------
start of buffer
-11.101. sid
+7.101. sid
--------------
* int sid.~: signature id { 1:max32 }
-11.102. sip_body
+7.102. sip_body
--------------
Usage: detect
-11.103. sip_header
+7.103. sip_header
--------------
Usage: detect
-11.104. sip_method
+7.104. sip_method
--------------
* string sip_method.*method: sip method
-11.105. sip_stat_code
+7.105. sip_stat_code
--------------
* int sip_stat_code.*code: status code { 1:999 }
-11.106. so
+7.106. so
--------------
buffer
-11.107. soid
+7.107. soid
--------------
like 3_45678_9
-11.108. ssl_state
+7.108. ssl_state
--------------
unknown
-11.109. ssl_version
+7.109. ssl_version
--------------
tls1.2
-11.110. stream_reassemble
+7.110. stream_reassemble
--------------
remainder of the session
-11.111. stream_size
+7.111. stream_size
--------------
direction(s) { either|to_server|to_client|both }
-11.112. tag
+7.112. tag
--------------
* int tag.bytes: tag for this many bytes { 1:max32 }
-11.113. target
+7.113. target
--------------
dst_ip }
-11.114. tos
+7.114. tos
--------------
* interval tos.~range: check if IP TOS is in given range { 0:255 }
-11.115. ttl
+7.115. ttl
--------------
0:255 }
-11.116. urg
+7.116. urg
--------------
{ 0:65535 }
-11.117. window
+7.117. window
--------------
range { 0:65535 }
-11.118. wscale
+7.118. wscale
--------------
---------------------------------------------------------------------
-12. Search Engine Modules
+8. Search Engine Modules
---------------------------------------------------------------------
---------------------------------------------------------------------
-13. SO Rule Modules
+9. SO Rule Modules
---------------------------------------------------------------------
---------------------------------------------------------------------
-14. Logger Modules
+10. Logger Modules
---------------------------------------------------------------------
All output of events and packets is done by Loggers.
-14.1. alert_csv
+10.1. alert_csv
--------------
character sequence
-14.2. alert_ex
+10.2. alert_ex
--------------
case
-14.3. alert_fast
+10.3. alert_fast
--------------
(0 is unlimited) { 0:maxSZ }
-14.4. alert_full
+10.4. alert_full
--------------
(0 is unlimited) { 0:maxSZ }
-14.5. alert_json
+10.5. alert_json
--------------
character sequence
-14.6. alert_sfsocket
+10.6. alert_sfsocket
--------------
* int alert_sfsocket.rules[].sid = 1: rule signature ID { 1:max32 }
-14.7. alert_syslog
+10.7. alert_syslog
--------------
cons | ndelay | perror | pid }
-14.8. alert_talos
+10.8. alert_talos
--------------
Usage: global
-14.9. alert_unixsock
+10.9. alert_unixsock
--------------
Usage: global
-14.10. log_codecs
+10.10. log_codecs
--------------
* bool log_codecs.msg = false: include alert msg
-14.11. log_hext
+10.11. log_hext
--------------
0:max32 }
-14.12. log_pcap
+10.12. log_pcap
--------------
is unlimited) { 0:maxSZ }
-14.13. unified2
+10.13. unified2
--------------
---------------------------------------------------------------------
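Review bot: the heading renumbering in this region is a uniform shift of four (11.x to 7.x, 12 to 8, 13 to 9, 14 to 10) and is internally consistent from `+7.29. dnp3_ind` through `+10.13. unified2`, so the hunks themselves are fine; the concern is process. The unchanged context lines around them (`* string msg.~: message describing rule`, `* int sid.~: signature id { 1:max32 }`) are rendered module help, which means this file is generated output, and hand-patching its section numbers invites drift between the numbers, the table of contents and any "see chapter N" cross-references elsewhere in the text. Regenerate the file from the source that produces these listings, or state in the commit message that it was regenerated, rather than landing a manual renumber. Also check the 69-dash rule kept as unchanged context immediately after `10.13. unified2`: it introduced the chapter 15 heading that the following hunk removes, so unless a later chapter still follows it, it now dangles and should go too.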
-15. DAQ Configuration and Modules
-
----------------------------------------------------------------------
-
-The Data AcQuisition library (DAQ), provides pluggable packet I/O.
-LibDAQ replaces direct calls to libraries like libpcap with an
-abstraction layer that facilitates operation on a variety of hardware
-and software interfaces without requiring changes to Snort. It is
-possible to select the DAQ module and mode when invoking Snort to
-perform pcap readback or inline operation, etc. The DAQ library may
-be useful for other packet processing applications and the modular
-nature allows you to build new modules for other platforms.
-
-The DAQ library exists as a separate repository on the official Snort
-3 GitHub project (https://github.com/snort3/libdaq) and contains a
-number of bundled DAQ modules including AFPacket, Divert, NFQ, PCAP,
-and Netmap implementations. Snort 3 itself contains a few new DAQ
-modules mostly used for testing as described below. Additionally, DAQ
-modules developed by third parties to facilitate the usage of their
-own hardware and software platforms exist.
-
-
-15.1. Building the DAQ Library and Its Bundled DAQ Modules
-
---------------
-
-Refer to the READMEs in the LibDAQ source tarball for instructions on
-how to build the library and modules as well as details on
-configuring and using the bundled DAQ modules.
-
-
-15.2. Configuration
-
---------------
-
-As with a number of features in Snort 3, the LibDAQ and DAQ module
-configuration may be controlled using either the command line options
-or by configuring the daq Snort module in the Lua configuration.
-
-DAQ modules may be statically built into Snort, but the more common
-case is to use DAQ modules that have been built as dynamically
-loadable objects. Because of this, the first thing to take care of is
-informing Snort of any locations it should search for dynamic DAQ
-modules. From the command line, this can be done with one or more
-invocations of the --daq-dir option, which takes a colon-separated
-set of paths to search as its argument. All arguments will be
-collected into a list of locations to be searched. In the Lua
-configuration, the daq.module_dirs[] property is a list of paths for
-the same purpose.
-
-Next, one must select which DAQ modules they wish to use by name. At
-least one base module and zero or more wrapper modules may be
-selected. This is done using the --daq options from the command line
-or the daq.modules[] list-type property. To get a list of the
-available modules, run Snort with the --daq-list option making sure
-to specify any DAQ module search directories beforehand. If no DAQ
-module is specified, Snort will default to attempting to find and use
-a DAQ module named pcap.
-
-Some DAQ modules can be further directly configured using DAQ module
-variables. All DAQ module variables come in the form of either just a
-key or a key and a value separated by an equals sign. For example,
-debug or fanout_type=hash. The command line option for specifying
-these is --daq-var and the configuration file equivalent is the
-daq.modules[].variables[] property. The available variables for each
-module will be shown when listing the available DAQ modules with
---daq-list.
-
-The LibDAQ concept of operational mode (passive, inline, or file
-readback) is automatically configured based on inferring the mode
-from other Snort configuration. The presence of -r or --pcap-*
-options implies read-file, -i without -Q implies passive, and -i with
--Q implies inline. The mode can be overridden on a per-DAQ module
-basis with the --daq-mode option on the command line or the
-daq.modules[].mode property.
-
-The DAQ module receive timeout is always configured to 1 second. The
-packet capture length (snaplen) defaults to 1518 bytes and can be
-overridden by the -s command line option or daq.snaplen property.
-
-Finally, and most importantly, is the input specification for the DAQ
-module. In readback mode, this is simply the file to be read back and
-analyzed. For live traffic processing, this is the name of the
-interface or other necessary input specification as required by the
-DAQ module to understand what to operate upon. From the command line,
-the -r option is used to specify a file to be read back and the -i
-option is used to indicate a live interface input specification. Both
-are covered by the daq.inputs[] property.
-
-For advanced use cases, one additional LibDAQ configuration exists:
-the number of DAQ messages to request per receive call. In Snort,
-this is referred to as the DAQ "batch size" and defaults to 64. The
-default can be overridden with the --daq-batch-size command line
-option or daq.batch_size property. The message pool size requested
-from the DAQ module will be four times this batch size.
-
-15.2.1. Command Line Example
-
- snort --daq-dir /usr/local/lib/daq --daq-dir /opt/lib/daq --daq afpacket
---daq-var debug --daq-var fanout_type=hash -i eth1:eth2 -Q
-
-15.2.2. Configuration File Example
-
-The following is the equivalent of the above command line DAQ
-configuration in Lua form:
-
-daq =
-{
- module_dirs =
- {
- '/usr/local/lib/daq',
- '/opt/lib/daq'
- },
- modules =
- {
- {
- name = 'afpacket',
- mode = 'inline',
- variables =
- {
- 'debug',
- 'fanout_type=hash'
- }
- }
- },
- inputs =
- {
- 'eth1:eth2',
- },
- snaplen = 1518
-}
-
-The daq.snaplen property was included for completeness and may be
-omitted if the default value is acceptable.
-
-15.2.3. DAQ Module Configuration Stacks
-
-Like briefly mentioned above, a DAQ configuration consists of a base
-DAQ module and zero or more wrapper DAQ modules. DAQ wrapper modules
-provide additional functionality layered on top of the base module in
-a decorator pattern. For example, the Dump DAQ module will capture
-all passed or injected packets and save them to a PCAP savefile. This
-can be layered on top of something like the PCAP DAQ module to assess
-which packets are making it through Snort without being dropped and
-what actions Snort has taken that involved sending new or modified
-packets out onto the network (e.g., TCP reset packets and TCP
-normalizations).
-
-To configure a DAQ module stack from the command line, the --daq
-option must be given multiple times with the base module specified
-first followed by the wrapper modules in the desired order (building
-up the stack). Each --daq option changes which module is being
-configured by subsequent --daq-var and --daq mode options.
-
-When configuring the same sort of stack in Lua, everything lives in
-the daq.modules[] property. daq.modules[] is an array of module
-configurations pushed onto the stack from top to bottom. Each module
-configuration must contain the name of the DAQ module. Additionally,
-it may contain an array of variables (daq.modules[].variables[]) and/
-or an operational mode (daq.modules[].mode).
-
-If only wrapper modules were specified, Snort will default to
-implicitly configuring a base module with the name pcap in read-file
-mode. This is a convenience to mimic the previous behavior when
-selecting something like the old Dump DAQ module that may be removed
-in the future.
-
-For any particularly complicated setup, it is recommended that one
-configure via a Lua configuration file rather than using the command
-line options.
-
-
-15.3. Interaction With Multiple Packet Threads
-
---------------
-
-All packet threads will receive the same DAQ instance configuration
-with the potential exception of the input specification.
-
-If Snort is in file readback mode, a full set of files will be
-constructed from the -r/--pcap-file/--pcap-list/--pcap-dir/
---pcap-filter options. A number of packet threads will be started up
-to the configured maximum (-z) to process these files one at a time.
-As a packet thread completes processing of a file, it will be stopped
-and then started again with a different file input to process. If the
-number of packet threads configured exceeds the number of files to
-process, or as the number of remaining input files dwindles below
-that number, Snort will stop spawning new packet threads when it runs
-out of unhandled input files.
-
-When Snort is operating on live interfaces (-i), all packet threads
-up to the configured maximum will always be started. By default, if
-only one input specification is given, all packet threads will
-receive the same input in their configuration. If multiple inputs are
-given, each thread will be given the matching input (ordinally),
-falling back to the first if the number of packet threads exceeds the
-number of inputs.
-
-
-15.4. DAQ Modules Included With Snort 3
-
---------------
-
-15.4.1. Socket Module
-
-The socket module provides provides a stream socket server that will
-accept up to 2 simultaneous connections and bridge them together
-while also passing data to Snort for inspection. The first connection
-accepted is considered the client and the second connection accepted
-is considered the server. If there is only one connection, stream
-data can’t be forwarded but it is still inspected.
-
-Each read from a socket of up to snaplen bytes is passed as a packet
-to Snort along with the ability to retrieve a DAQ_UsrHdr_t structure
-via ioctl. DAQ_UsrHdr_t conveys IP4 address, ports, protocol, and
-direction. Socket packets can be configured to be TCP or UDP. The
-socket DAQ can be operated in inline mode and is able to block
-packets.
-
-Packets from the socket DAQ module are handled by Snort’s stream_user
-module, which must be configured in the Snort configuration.
-
-To use the socket DAQ, start Snort like this:
-
-./snort --daq-dir /path/to/lib/snort_extra/daq \
- --daq socket [--daq-var port=<port>] [--daq-var proto=<proto>] [-Q]
-
-<port> ::= 1..65535; default is 8000
-<proto> ::= tcp | udp
-
- * This module only supports ip4 traffic.
- * This module is only supported by Snort 3. It is not compatible
- with Snort 2.
- * This module is primarily for development and test.
-
-15.4.2. File Module
-
-The file module provides the ability to process files directly
-without having to extract them from pcaps. Use the file module with
-Snort’s stream_file to get file type identification and signature
-services. The usual IPS detection and logging, etc. is also
-available.
-
-You can process all the files in a directory recursively using 8
-threads with these Snort options:
-
---pcap-dir path -z 8
-
- * This module is only supported by Snort 3. It is not compatible
- with Snort 2.
- * This module is primarily for development and test.
-
-15.4.3. Hext Module
-
-The hext module generates packets suitable for processing by Snort
-from hex/plain text. Raw packets include full headers and are
-processed normally. Otherwise the packets contain only payload and
-are accompanied with flow information (4-tuple) suitable for
-processing by stream_user.
-
-The first character of the line determines it’s purpose:
-
-'$' command
-'#' comment
-'"' quoted string packet data
-'x' hex packet data
-' ' empty line separates packets
-
-The available commands are:
-
-$client <ip4> <port>
-$server <ip4> <port>
-
-$packet -> client
-$packet -> server
-
-$packet <addr> <port> -> <addr> <port>
-
-$sof <i32:ingressZone> <i32:egressZone> <i32:ingressIntf> <i32:egressIntf> <s:srcIp> <i16:srcPort> <s:destIp> <i16:dstPort> <u32:opaque> <u64:initiatorPkts> <u64:responderPkts> <u64:initiatorPktsDropped> <u64:responderPktsDropped> <u64:initiatorBytesDropped> <u64:responderBytesDropped> <u8:isQosAppliedOnSrcIntf> <timeval:sof_timestamp> <timeval:eof_timestamp> <u16:vlan> <u16:address_space_id> <u8:protocol>
-$eof <i32:ingressZone> <i32:egressZone> <i32:ingressIntf> <i32:egressIntf> <s:srcIp> <i16:srcPort> <s:destIp> <i16:dstPort> <u32:opaque> <u64:initiatorPkts> <u64:responderPkts> <u64:initiatorPktsDropped> <u64:responderPktsDropped> <u64:initiatorBytesDropped> <u64:responderBytesDropped> <u8:isQosAppliedOnSrcIntf> <timeval:sof_timestamp> <timeval:eof_timestamp> <u16:vlan> <u16:address_space_id> <u8:protocol>
-
-Client and server are determined as follows. $packet → client
-indicates to the client (from server) and $packet → server indicates
-a packet to the server (from client). $packet followed by a 4-tuple
-uses the heuristic that the client is the side with the greater port
-number.
-
-The default client and server are 192.168.1.1 12345 and 10.1.2.3 80
-respectively. $packet commands with a 4-tuple do not change client
-and server set with the other $packet commands.
-
-$packet commands should be followed by packet data, which may contain
-any combination of hex and strings. Data for a packet ends with the
-next command or a blank line. Data after a blank line will start
-another packet with the same tuple as the prior one.
-
-$sof and $eof commands generate Start of Flow and End of Flow
-metapackets respectively. They are followed by a definition of a
-Flow_Stats_t data structure which will be fed into Snort via the
-metadata callback.
-
-Strings may contain the following escape sequences:
-
-\r = 0x0D = carriage return
-\n = 0x0A = new line
-\t = 0x09 = tab
-\\ = 0x5C = \
-
-Format your input carefully; there is minimal error checking and
-little tolerance for arbitrary whitespace. You can use Snort’s -L
-hext option to generate hext input from a pcap.
-
- * This module only supports ip4 traffic.
- * This module is only supported by Snort 3. It is not compatible
- with Snort 2.
- * This module is primarily for development and test.
-
-The hext DAQ also supports a raw mode which is activated by setting
-the data link type. For example, you can input full ethernet packets
-with --daq-var dlt=1 (Data link types are defined in the DAQ include
-sfbpf_dlt.h.) Combine that with the hext logger in raw mode for a
-quick (and dirty) way to edit pcaps. With --lua "log_hext = { raw =
-true }", the hext logger will dump the full packet in a way that can
-be read by the hext DAQ in raw mode. Here is an example:
-
-# 3 [96]
-
-x02 09 08 07 06 05 02 01 02 03 04 05 08 00 45 00 00 52 00 03 # ..............E..R..
-x00 00 40 06 5C 90 0A 01 02 03 0A 09 08 07 BD EC 00 50 00 00 # ..@.\............P..
-x00 02 00 00 00 02 50 10 20 00 8A E1 00 00 47 45 54 20 2F 74 # ......P. .....GET /t
-x72 69 67 67 65 72 2F 31 20 48 54 54 50 2F 31 2E 31 0D 0A 48 # rigger/1 HTTP/1.1..H
-x6F 73 74 3A 20 6C 6F 63 61 6C 68 6F 73 74 0D 0A # ost: localhost..
-
-A comment indicating packet number and size precedes each packet
-dump. Note that the commands are not applicable in raw mode and have
-no effect.
-
-
----------------------------------------------------------------------
-
-16. Snort 3 vs Snort 2
-
----------------------------------------------------------------------
-
-Snort 3 differs from Snort 2 in the following ways:
-
- * command line and conf file syntax made more uniform
- * removed unused and deprecated features
- * remove as many barriers to successful run as possible (e.g.: no
- upper bounds on memcaps)
- * assume the simplest mode of operation (e.g.: never assume input
- from or output to some hardcoded filename)
- * all Snort 2 config options are grouped into Snort 3 modules
-
-
-16.1. Features New to Snort 3
-
---------------
-
-Some things Snort++ can do today that Snort can not do:
-
- * regex fast patterns, not just literals
- * FlatBuffers and JSON perf monitor logs
- * LuaJIT scriptable rule options and loggers
- * pub/sub inspection events (currently used by sip and http_inspect
- to appid)
- * JIT buffer stuffers (notably with new http_inspect)
- * C-style comments in rules
- * #begin … #end comment blocks in rules
- * rule remarks (comment is part of rule, not just in it)
- * process raw files (eg read a PDF and do file processing)
- * process raw payload (eg bridge 2 sockets and do inspection)
- * fast pattern offload to separate thread (experimental)
- * track all memory allocated
- * add or override any config item on command line
- * set CPU affinity
- * pause and resume commands
-
-
-16.2. Features Improved over Snort 2
-
---------------
-
-Some things Snort++ can do today that Snort can not do as well:
-
- * Hyperscan search engine plugin (Intel provides patch for Snort 2)
- * fast pattern sensitive data (Snort 2 requires a slow, extra
- search)
- * multiple packet threads with one config (Snort 2 requires
- multiple processes)
- * wizard automatically detects service for first flow (Snort 2
- appid detects for next flow)
- * nested policy binding (Snort 2 has just one level)
- * decode arbitrary layers (Snort 2 supports only 2 IP layers)
- * process PDU buffers (Snort 2 only processes packets)
- * fully stateful http_inspect with 97 builtin alerts (Snort 2 is
- only partly stateful with 33 builtin alerts)
- * output all semantic errors before quitting (Snort 2 stops at
- first one)
- * alert file rules (Snort 2 must use multiple rules)
- * alert service rules, eg alert http (Snort 2 must use
- metadata:service)
- * automatic fast_pattern only (Snort 2 requires explicit
- fast_pattern:only)
- * elided rule headers omit nets and/or ports (Snort 2 requires
- explicit any)
- * dump builtin rule stubs (Snort 2 can only dump SO stubs)
- * rule sticky buffers (Snort 2 buffers must be repeated)
- * http_header:name supported to restrict to single field (Snort 2
- searches all headers)
- * fully equivalent SO rules (Snort 2 has some limitations with SO
- processing)
- * text-based SO rule implementation (Snort 2 requires tedious,
- nested C structs)
- * extensible module-based tracing (Snort 2 has a fixed set of
- flags)
- * over 200 plugins, no need to change core source code (Snort 2
- only supports preprocessors and outputs)
- * use consistent conf syntax (Snort 2 defines lists different ways
- in different places, etc.)
- * use consistent rule syntax (Snort 2 has semicolon separated
- suboptions, etc.)
- * arbitrary whitespace and comments in conf and rules (Snort 2
- requires newline escapes)
- * properly parse rules (Snort 2 can actually completely ignore
- stuff)
- * optional, expanded warnings output, can be fatal (Snort 2
- warnings limited and are not optional or fatal)
- * define and use arbitrary variables and functions in config with
- Lua (Snort 2 has variables just for rule headers)
- * text-based command line shell (Snort 2 has binary control socket)
- * generate text and HTML user guide in addition to PDF (Snort 2
- just has PDF and Talos provides HTML)
- * generate developer’s guide (Snort 2’s is manually written)
- * extensive command line help, eg every config item, rule option,
- and peg count (Snort 2 only has command line args)
- * cmake builds (Snort 2 only does automake)
- * read rules from separate file or stdin (Snort 2 requires rules
- directly in or included in conf)
- * simple, clean, uniform startup and shutdown output (Snort 2 is
- heavy and inconsistent)
- * port_scan is fully configurable (Snort 2 hard codes most of the
- configuration)
- * port_scan can block scans (Snort 2 can only detect scans)
- * sigquit will cause a --dirty-pig style exit (Snort 2 handles
- sigquit the same as sigterm and sigint)
- * detection trace (Snort 2 has more limited buffer dumping)
- * updated unified2 events with MPLS, VLAN, and IP6 (Snort 2
- requires configuration and extra data)
- * significantly more unit tests, including --catch and make check
- (Snort 2 has very few unit tests)
- * better modularity 346K/1534 = 226 lines/file, max=2700 (Snort 2
- has 440K/1021 = 431 lines/file, max=13K)
-
-
-16.3. Build Options
-
---------------
-
- * configure --with-lib{pcap,pcre}-* → --with-{pcap,pcre}-*
- * control socket, cs_dir, and users were deleted
- * POLICY_BY_ID_ONLY code was deleted
- * hardened --enable-inline-init-failopen / INLINE_FAILOPEN
-
-
-16.4. Command Line
-
---------------
-
- * --pause loads config and waits for resume before processing
- packets
- * --require-rule-sid is hardened
- * --shell enables interactive Lua shell
- * -T is assumed if no input given
- * added --help-config prefix to dump all matching settings
- * added --script-path
- * added -L none|dump|pcap
- * added -z <#> and --max-packet-threads <#>
- * delete --enable-mpls-multicast, --enable-mpls-overlapping-ip,
- --max-mpls-labelchain-len, --mpls-payload-type
- * deleted --pid-path and --no-interface-pidfile
- * deleting command line options which will be available with --lua
- or some such including: -I, -h, -F, -p,
- --disable-inline-init-failopen
- * hardened -n < 0
- * removed --search-method
- * replaced "unknown args are bpf" with --bpf
- * replaced --dynamic-*-lib[-dir] with --plugin-path (with :
- separators)
- * removed -b, -N, -Z and, --perfmon-file options
-
-
-16.5. Conf File
-
---------------
-
- * Snort 3 has a default unicode.map
- * Snort 3 will not enforce an upper bound on memcaps and the like
- within 64 bits
- * Snort 3 will supply a default *_global config if not specified
- (Snort 2 would fatal; e.g. http_inspect_server w/o
- http_inspect_global)
- * address list syntax changes: [[ and ]] must be [ [ and ] ] to
- avoid Lua string parsing errors (unless in quoted string)
- * because the Lua conf is live code, we lose file:line locations in
- app error messages (syntax errors from Lua have file:line)
- * changed search-method names for consistency
- * delete config include_vlan_in_alerts (not used in code)
- * delete config so_rule_memcap (not used in code)
- * deleted --disable-attribute-table-reload-thread
- * deleted config decode_*_{alerts,drops} (use rules only)
- * deleted config dump-dynamic-rules-path
- * deleted config ipv6_frag (not actually used)
- * deleted config threshold and ips rule threshold (→ event_filter)
- * eliminated ac-split; must use ac-full-q split-any-any
- * frag3 → defrag, arpspoof → arp_spoof, sfportscan → port_scan,
- perfmonitor → perf_monitor, bo → back_orifice
- * limits like "1234K" are now "limit = 1234, units = K"
- * lua field names are (lower) case sensitive; snort.conf largely
- wasn’t
- * module filenames are not configurable: always <log-dir>/
- <module-name><suffix> (suffix is determined by module)
- * no positional parameters; all name = value
- * perf_monitor configuration was simplified
- * portscan.detect_ack_scans deleted (exact same as
- include_midstream)
- * removed various run modes - now just one
- * frag3 default policy is Linux not bsd
- * lowmem* search methods are now in snort_examples
- * deleted unused http_inspect stateful mode
- * deleted stateless inspection from ftp and telnet
- * deleted http and ftp alert options (now strictly rule based)
- * preprocessor disabled settings deleted since no longer relevant
- * sessions are always created; snort config stateful checks
- eliminated
- * stream5_tcp: prune_log_max deleted; to be replaced with histogram
- * stream5_tcp: max_active_responses, min_response_seconds moved to
- active.max_responses, min_interval
-
-
-16.6. Rules
-
---------------
-
- * all rules must have a sid
- * sid == 0 not allowed
- * deleted activate / dynamic rules
- * deleted unused rule_state.action
- * deleted metadata engine shared
- * deleted metadata: rule-flushing (with PDU flushing rule flushing
- can cause missed attacks, the opposite of its intent)
- * changed metadata:service one[, service two]; to service:one[,
- two];
- * soid is now a non-metadata option
- * metadata is now truly metadata with no impact on detection (Snort
- doesn’t care about metadata internal structure / syntax)
- * deleted fast_pattern:only; use fast_pattern, nocase (option is
- not added to detection tree if not required)
- * changed fast_pattern:<offset>,<length> to
- fast_pattern,fast_pattern_offset <offset>,fast_pattern_length
- <length>
- * fast pattern sensitive data with sd_pattern using hyperscan
- * hyperscan regex fast patterns with regex:"<regex>", fast_pattern;
- * no ; separated content suboptions
- * offset, depth, distance, and within must use a space separator
- not colon (e.g. offset:5; becomes offset 5;)
- * content suboptions http_* are now full options
- * added sticky buffers: buffer selector options must precede
- contents and remain in effect until changed
- * the following pcre options have been deleted: use sticky buffers
- instead B, U, P, H, M, C, I, D, K, S, Y
- * deleted uricontent option; use sticky buffer uricontent:"foo" -→
- http_uri; content:"foo"
- * deleted urilen raw and norm; must use http_raw_uri and http_uri
- instead
- * deleted unused http_encode option
- * urilen replaced with generic bufferlen which applies to current
- sticky buffer
- * added optional selector to http_header, e.g.
- http_header:User-Agent;
- * the all new http_inspect has new buffers and rule options
- * added alert file and alert service rules (service in body not
- required if there is only one and it is in header; alert service
- / file rules disable fast pattern searching of raw packets)
- * rule option sequence: <stub> soid <hidden>
- * arbitrary whitespace and multiline rules w/o \n
- * #begin … #end comments to easily comment out multiple lines
- * add rule remarks option with rem:"arbitrary comment"
- * nets and/or ports may be omitted from rule headers (matches any)
- * parse all rules and output all errors before quitting
- * read rules from conf, separate rules file, or stdin
- * The symbol =< in a byte test is recognized as a syntax error. The
- correct symbol is <=.
-
-
-16.7. Output
-
---------------
-
- * alert_fast includes packet data by default
- * all text mode outputs default to stdout
- * changed default logging mode to -L none
- * deleted layer2resets and flexresp2_*
- * deleted log_ascii
- * general output guideline: don’t print zero counts
- * Snort 3 queues decoder and inspector events to the main event
- queue before ips policy is selected; since some events may not be
- enabled, the queue needs to be sized larger than with Snort 2
- which used an intermediate queue for decoder events.
- * deleted the intermediate http and ftp_telnet event queues
- * alert_unified2 and log_unified2 have been deleted
-
-
-16.8. Sensitive Data
-
---------------
-
-The Snort 2.X SDF Preprocessor is gone, replaced by ips option
-sd_pattern. The sd_pattern rule option is synonymous with the
-sd_pattern option used for gid:138 rules, but has a different syntax.
-A major difference in syntax is the use of Hyperscan pattern matching
-library which provides a regex language similar to PCRE.
-
-To facilitate continued performance, sd_pattern rule option is
-implemented with Hyperscan pattern matching library. The rule option
-is now also utilized as a "fast pattern" in the Snort engine which
-provides a significant performance improvement over the separate
-detection step of earlier implementations.
-
-The preprocessor alert SDF_COMBO_ALERT (139:1) has been removed and
-has no replacement in Snort 3.X. This is because the rule offered no
-additional value over gid:138 rules and was difficult to interpret
-the result of.
-
-For more information, See Features > Sensitive Data Filtering for
-details.
-
-
-16.9. Features Not Yet Supported by Snort 3
-
---------------
-
- * Support in http_inspect for Original Client IP is limited to the
- X-Forwarded-For and True-Client-IP headers in that order. It is
- not possible to configure additional custom headers to search for
- Original Client IP.
- * The -n option does not work properly when perf_monitor is
- configured. The number of packets processed from the pcap is
- likely to be more than the number specified with the -n option.
- * When a file is transferred via SMB2 it may be allowed even though
- according to file policy it should be blocked. This occurs when
- the create and read requests are sent together and then the read
- and create responses are sent together. Blocking is done
- correctly if the create and read requests are sent separately or
- if the file is large enough to require two read responses.
- * This user manual is incomplete and does not fully cover many
- Snort 2.X features that are also supported by Snort 3.
-
-
----------------------------------------------------------------------
-
-17. Snort2Lua
-
----------------------------------------------------------------------
-
-One of the major differences between Snort 2 and Snort 3 is the
-configuration. Snort 2 configuration files are written in
-Snort-specific syntax while Snort 3 configuration files are written
-in Lua. Snort2Lua is a program specifically designed to convert valid
-Snort 2 configuration files into Lua files that Snort 3 can
-understand.
-
-Snort2Lua reads your legacy Snort conf file(s) and generates Snort 3
-Lua and rules files. When running this program, the only mandatory
-option is to provide Snort2Lua with a Snort 2 configuration file. The
-default output file file is snort.lua, the default error file will be
-snort.rej, and the default rule file is the output file (default is
-snort.lua). When Snort2Lua finishes running, the resulting
-configuration file can be successfully run as the Snort3.0
-configuration file. The sole exception to this rule is when Snort2Lua
-cannot find an included file. If that occurs, the file will still be
-included in the output file and you will need to manually adjust or
-comment the file name. Additionally, if the exit code is not zero,
-some of the information may not be successfully converted. Check the
-error file for all of the conversion problems.
-
-Those errors can occur for a multitude of reasons and are not
-necessarily bad. Snort2Lua expects a valid Snort 2 configuration.
-Therefore, if the configuration is invalid or has questionable
-syntax, Snort2Lua may fail to parse the configuration file or create
-an invalid Snort 3 configuration file.
-
-There are a also few peculiarities of Snort2Lua that may be confusing
-to a first time user:
-
- * Aside from an initial configuration file (which is specified from
- the command line or as the file in ‘config binding’), every file
- that is included into Snort 3 must be either a Lua file or a rule
- file; the file cannot contain both rules and Lua syntax.
- Therefore, when parsing a file specified with the ‘include’
- command, Snort2Lua will output both a Lua file and a rule file.
- * Any line that is a comment in a configuration file will be added
- in to a comments section at the bottom of the main configuration
- file.
- * Rules that contain unsupported options will be converted to the
- best of Snort2Lua’s capability and then printed as a comment in
- the rule file.
- * Files with a .rules suffix are assumed to be Talos 2.X rules
- files and converted line-by-line. In this case, lines starting
- with alert are converted as usual but lines starting with # alert
- are assumed to be commented out rules which are converted to 3.0
- format and remain comments in the output file. All other comments
- are passed through directly. There is no support for other
- commented rule actions since these do not appear in Talos rules
- files.
-
-
-17.1. Snort2Lua Command Line
-
---------------
-
-By default, Snort2Lua will attempt to parse every ‘include’ file and
-every ‘binding’ file. There is an option to change this
-functionality.
-
-When specifying a rule file with one of the command line options,
-Snort2Lua will output all of the converted rules to that specified
-rule file. This is especially useful when you are only interesting in
-converting rules since there is no Lua syntax in rule files. There is
-also an option that tells Snort2Lua to output every rule for a given
-configuration into a single rule file. Similarly, there is an option
-pull all of the Lua syntax from every ‘include’ file into the output
-file.
-
-There are currently three output modes: default, quiet, and
-differences. As expected, quiet mode produces a Snort configuration.
-All errors (aside from Fatal Snort2Lua errors), differences, and
-comments will omitted from the final output file. Default mode will
-print everything. That mean you will be able to see exactly what
-changes have occurred between Snort 2 and Snort 3 in addition to the
-new syntax, the original file’s comments, and all errors that have
-occurred. Finally, differences mode will not actually output a valid
-Snort 3 configuration. Instead, you can see the exact options from
-the input configuration that have changed.
-
-17.1.1. Usage: snort2lua [OPTIONS]… -c <snort_conf> …
-
-Converts the Snort configuration file specified by the -c or
---conf-file options into a Snort++ configuration file
-
-17.1.1.1. Options:
-
- * -? show usage
- * -h this overview of snort2lua
- * -a default option. print all data
- * -c <snort_conf> The Snort <snort_conf> file to convert
- * -d print the differences, and only the differences, between the
- Snort and Snort++ configurations to the <out_file>
- * -e <error_file> output all errors to <error_file>
- * -i if <snort_conf> file contains any <include_file> or
- <policy_file> (i.e. include path/to/conf/other_conf), do NOT
- parse those files
- * -m add a remark to the end of every converted rule
- * -o <out_file> output the new Snort++ lua configuration to
- <out_file>
- * -q quiet mode. Only output valid configuration information to the
- <out_file>
- * -r <rule_file> output any converted rule to <rule_file>
- * -s when parsing <include_file>, write <include_file>'s rules to
- <rule_file>. Meaningless if -i provided
- * -t when parsing <include_file>, write <include_file>'s
- information, excluding rules, to <out_file>. Meaningless if -i
- provided
- * -V Print the current Snort2Lua version
- * --bind-wizard Add default wizard to bindings
- * --bind-port Convert port bindings
- * --conf-file Same as -c. A Snort <snort_conf> file which will be
- converted
- * --dont-parse-includes Same as -p. if <snort_conf> file contains
- any <include_file> or <policy_file> (i.e. include path/to/conf/
- other_conf), do NOT parse those files
- * --dont-convert-max-sessions do not convert max_tcp, max_udp,
- max_icmp, max_ip to max_session
- * --error-file=<error_file> Same as -e. output all errors to
- <error_file>
- * --help Same as -h. this overview of snort2lua
- * --ips-policy-pattern Convert config bindings matching this path
- to ips policy bindings
- * --markup print help in asciidoc compatible format
- * --output-file=<out_file> Same as -o. output the new Snort++ lua
- configuration to <out_file>
- * --print-all Same as -a. default option. print all data
- * --print-differences Same as -d. output the differences, and only
- the differences, between the Snort and Snort++ configurations to
- the <out_file>
- * --quiet Same as -q. quiet mode. Only output valid configuration
- information to the <out_file>
- * --remark same as -m. add a remark to the end of every converted
- rule
- * --rule-file=<rule_file> Same as -r. output any converted rule to
- <rule_file>
- * --single-conf-file Same as -t. when parsing <include_file>, write
- <include_file>'s information, excluding rules, to <out_file>
- * --single-rule-file Same as -s. when parsing <include_file>, write
- <include_file>'s rules to <rule_file>.
- * --version Same as -V. Print the current Snort2Lua version
-
-17.1.1.2. Required option:
-
- * A Snort configuration file to convert. Set with either -c or
- --conf-file
-
-17.1.1.3. Default values:
-
- * <out_file> = snort.lua
- * <rule_file> = <out_file> = snort.lua. Rules are written to the
- local_rules variable in the <out_file>
- * <error_file> = snort.rej. This file will not be created in quiet
- mode.
-
-
-17.2. Known Problems
-
---------------
-
- * Any Snort 2 ‘string’ which is dependent on a variable will no
- longer have that variable in the Lua string.
- * Snort2Lua currently does not handle variables well. First, that
- means variables will not always be parsed correctly. Second,
- sometimes a variables value will be output in the lua file rather
- than a variable For instance, if Snort2Lua attempted to convert
- the line include $RULE_PATH/example.rule, the output may output
- include /etc/rules/example.rule instead.
- * When Snort2Lua parses a ‘binding’ configuration file, the rules
- and configuration will automatically be combined into the same
- file. Also, the new files name will automatically become the old
- file’s name with a .lua extension. There is currently no way to
- specify or change that files name.
- * If a rule’s action is a custom ruletype, that rule action will be
- silently converted to the rultype’s type. No warnings or errors
- are currently emitted. Additionally, the custom ruletypes outputs
- will be silently discarded.
- * If the original configuration contains a binding that points to
- another file and the binding file contains an error, Snort2Lua
- will output the number of rejects for the binding file in
- addition to the number of rejects in the main file. The two
- numbers will eventually be combined into one output.
- * If the original configuration contains a replace rule with alert
- action, Snort2Lua won’t translate the rule from alert to rewrite
- action. It will keep the action as alert, which does not actually
- replace the content in Snort 3. To replace content, the rule
- action needs to be rewrite, which can be added manually or by
- tooling.
-
-
-17.3. Usage
-
---------------
-
-Snort2Lua is included in the Snort 3 distribution. The Snort2Lua
-source code is located in the tools/snort2lua directory. The program
-is automatically built and installed.
-
-Translating your configuration
-
-To run Snort2Lua, the only requirement is a file containing Snort 2
-syntax. Assuming your configuration file is named snort.conf, run the
-command
-
-snort2lua –c snort.conf
-
-Snort2Lua will output a file named snort.lua. Assuming your
-snort.conf file is a valid Snort 2 configuration file, than the
-resulting snort.lua file will always be a valid Snort 3 configuration
-file; any errors that occur are because Snort 3 currently does not
-support all of the Snort 2 options.
-
-Every keyword from the Snort configuration can be found in the output
-file. If the option or keyword has changed, then a comment containing
-both the option or keyword’s old name and new name will be present in
-the output file.
-
-Translating a rule file
-
-Snort2Lua can also accommodate translating individual rule files.
-Assuming the Snort 2 rule file is named snort.rules and you want the
-new rule file to be name updated.rules, run the command
-
-snort2lua –c snort.rules -r updated.rules
-
-Snort2Lua will output a file named updated.rules. That file,
-updated.rules, will always be a valid Snort 3 rule file. Any rule
-that contains unsupported options will be a comment in the output
-file.
-
-Understanding the Output
-
-Although Snort2Lua outputs very little to the console, there are
-several things that occur when Snort2Lua runs. This is a list of
-Snort2Lua outputs.
-
-The console. Every line that Snort2Lua is unable to translate from
-the Snort 2.X format to the Snort 3 format is considered an error.
-Upon exiting, Snort2Lua will print the number of errors that
-occurred. Snort2Lua will also print the name of the error file.
-
-The output file. As previously mentioned, Snort2Lua will create a Lua
-file with valid Snort 3 syntax. The default Lua file is named
-snort.lua. This file is the equivalent of your main Snort 2
-configuration file.
-
-The rule file. By default, all rules will be printed to the Lua file.
-However, if a rule file is specified on the command line, any rules
-found in the Snort 2 configuration will be written to the rule file
-instead
-
-The error file. By default, the error file is snort.rej. It will only
-be created if errors exist. Every error referenced on the command
-line can be found in this file. There are two reasons an error can
-occur.
-
- * The Snort 2 configuration file has invalid syntax. If Snort 2
- cannot parse the configuration file, neither can Snort2Lua. In
- the example below, Snort2Lua could not convert the line config
- bad_option. Since that is not valid Snort 2 syntax, this is a
- syntax error.
- * The Snort 2 configuration file contains preprocessors and rule
- options that are not supported in Snort 3. If Snort 2 can parse a
- line that Snort2Lua cannot parse, than Snort 3 does not support
- something in the line. As Snort 3 begins supporting these
- preprocessors and rule options, Snort2Lua will also begin
- translating these lines. One example of such an error is dcerpc2.
-
-Additional .lua and .rules files. Every time Snort2Lua parses the
-include or binding keyword, the program will attempt to parse the
-file referenced by the keyword. Snort2Lua will then create one or two
-new files. The new files will have a .lua or .rules extension
-appended to the original filename.
-
-
----------------------------------------------------------------------
-
-18. Extending Snort
-
----------------------------------------------------------------------
-
-
-18.1. Plugins
-
---------------
-
-Plugins have an associated API defined for each type, all of which
-share a common header, called the BaseApi. A dynamic library makes
-its plugins available by exporting the snort_plugins symbol, which is
-a null terminated array of BaseApi pointers.
-
-The BaseApi includes type, name, API version, plugin version, and
-function pointers for constructing and destructing a Module. The
-specific API add various other data and functions for their given
-roles.
-
-
-18.2. Modules
-
---------------
-
-If we are defining a new Inspector called, say, gadget, it might be
-configured in snort.lua like this:
-
-gadget =
-{
- brain = true,
- claw = 3
-}
-
-When the gadget table is processed, Snort will look for a module
-called gadget. If that Module has an associated API, it will be used
-to configure a new instance of the plugin. In this case, a
-GadgetModule would be instantiated, brain and claw would be set, and
-the Module instance would be passed to the GadgetInspector
-constructor.
-
-Module has three key virtual methods:
-
- * begin() - called when Snort starts processing the associated Lua
- table. This is a good place to allocate any required data and set
- defaults.
- * set() - called to set each parameter after validation.
- * end() - called when Snort finishes processing the associated Lua
- table. This is where additional integrity checks of related
- parameters should be done.
-
-The configured Module is passed to the plugin constructor which pulls
-the configuration data from the Module. For non-trivial
-configurations, the working paradigm is that Module hands a pointer
-to the configured data to the plugin instance which takes ownership.
-
-Note that there is at most one instance of a given Module, even if
-multiple plugin instances are created which use that Module.
-(Multiple instances require Snort binding configuration.)
-
-
-18.3. Inspectors
-
---------------
-
-There are several types of inspector, which determines which
-inspectors are executed when:
-
- * IT_BINDER - determines which inspectors apply to given flows
- * IT_WIZARD - determines which service inspector to use if none
- explicitly bound
- * IT_PACKET - used to process all packets before session and
- service processing (e.g. normalize)
- * IT_NETWORK - processes packets w/o service (e.g. arp_spoof,
- back_orifice)
- * IT_STREAM - for flow tracking, ip defrag, and tcp reassembly
- * IT_SERVICE - for http, ftp, telnet, etc.
- * IT_PROBE - process all packets after all the above (e.g.
- perf_monitor, port_scan)
-
-
-18.4. Codecs
-
---------------
-
-The Snort Codecs decipher raw packets. These Codecs are now
-completely pluggable; almost every Snort Codec can be built
-dynamically and replaced with an alternative, customized Codec. The
-pluggable nature has also made it easier to build new Codecs for
-protocols without having to touch the Snort code base.
-
-The first step in creating a Codec is defining its class and
-protocol. Every Codec must inherit from the Snort Codec class defined
-in "framework/codec.h". The following is an example Codec named
-"example" and has an associated struct that is 14 bytes long.
-
-#include <cstdint>
-#include <arpa/inet.h>
-#include “framework/codec.h”
-#include "main/snort_types.h"
-
-#define EX_NAME “example”
-#define EX_HELP “example codec help string”
-
-struct Example
-{
- uint8_t dst[6];
- uint8_t src[6];
- uint16_t ethertype;
-
- static inline uint8_t size()
- { return 14; }
-}
-
-class ExCodec : public Codec
-{
-public:
- ExCodec() : Codec(EX_NAME) { }
- ~ExCodec() { }
-
- bool decode(const RawData&, CodecData&, DecodeData&) override;
- void get_protocol_ids(std::vector<uint16_t>&) override;
-};
-
-After defining ExCodec, the next step is adding the Codec’s decode
-functionality. The function below does this by implementing a valid
-decode function. The first parameter, which is the RawData struct,
-provides both a pointer to the raw data that has come from a wire and
-the length of that raw data. The function takes this information and
-validates that there are enough bytes for this protocol. If the raw
-data’s length is less than 14 bytes, the function returns false and
-Snort discards the packet; the packet is neither inspected nor
-processed. If the length is greater than 14 bytes, the function
-populates two fields in the CodecData struct, next_prot_id and
-lyr_len. The lyr_len field tells Snort the number of bytes that this
-layer contains. The next_prot_id field provides Snort the value of
-the next EtherType or IP protocol number.
-
-bool ExCodec::decode(const RawData& raw, CodecData& codec, DecodeData&)
-{
- if ( raw.len < Example::size() )
- return false;
-
- const Example* const ex = reinterpret_cast<const Example*>(raw.data);
- codec.next_prot_id = ntohs(ex->ethertype);
- codec.lyr_len = ex->size();
- return true;
-}
-
-For instance, assume this decode function receives the following raw
-data with a validated length of 32 bytes:
-
-00 11 22 33 44 55 66 77 88 99 aa bb 08 00 45 00
-00 38 00 01 00 00 40 06 5c ac 0a 01 02 03 0a 09
-
-The Example struct’s EtherType field is the 13 and 14 bytes.
-Therefore, this function tells Snort that the next protocol has an
-EtherType of 0x0800. Additionally, since the lyr_len is set to 14,
-Snort knows that the next protocol begins 14 bytes after the
-beginning of this protocol. The Codec with EtherType 0x0800, which
-happens to be the IPv4 Codec, will receive the following data with a
-validated length of 18 ( == 32 – 14):
-
-45 00 00 38 00 01 00 00 40 06 5c ac 0a 01 02 03
-0a 09
-
-How does Snort know that the IPv4 Codec has an EtherType of 0x0800?
-The Codec class has a second virtual function named get_protocol_ids
-(). When implementing the function, a Codec can register for any
-number of values between 0x0000 - 0xFFFF. Then, if the next_proto_id
-is set to a value for which this Codec has registered, this Codec’s
-decode function will be called. As a general note, the protocol ids
-between [0, 0x00FF] are IP protocol numbers, [0x0100, 0x05FF] are
-custom types, and [0x0600, 0xFFFF] are EtherTypes.
-
-For example, in the get_protocol_ids function below, the ExCodec
-registers for the protocols numbers 17, 787, and 2054. 17 happens to
-be the protocol number for UDP while 2054 is ARP’s EtherType.
-Therefore, this Codec will now attempt to decode UDP and ARP data.
-Additionally, if any Codec sets the next_protocol_id to 787,
-ExCodec’s decode function will be called. Some custom protocols are
-already defined in the file "protocols/protocol_ids.h"
-
-void ExCodec::get_protocol_ids(std::vector<uint16_t>&v)
-{
- v.push_back(0x0011); // == 17 == UDP
- v.push_back(0x1313); // == 787 == custom
- v.push_back(0x0806); // == 2054 == ARP
-}
-
-To register a Codec for Data Link Type’s rather than protocols, the
-function get_data_link_type() can be similarly implemented.
-
-The final step to creating a pluggable Codec is the snort_plugins
-array. This array is important because when Snort loads a dynamic
-library, the program only find plugins that are inside the
-snort_plugins array. In other words, if a plugin has not been added
-to the snort_plugins array, that plugin will not be loaded into
-Snort.
-
-Although the details will not be covered in this post, the following
-code snippet is a basic CodecApi that Snort can load. This snippet
-can be copied and used with only three minor changes. First, in the
-function ctor, ExCodec should be replaced with the name of the Codec
-that is being built. Second, EX_NAME must match the Codec’s name or
-Snort will be unable to load this Codec. Third, EX_HELP should be
-replaced with the general description of this Codec. Once this code
-snippet has been added, ExCodec is ready to be compiled and plugged
-into Snort.
-
-static Codec* ctor(Module*)
-{ return new ExCodec; }
-
-static void dtor(Codec *cd)
-{ delete cd; }
-
-static const CodecApi ex_api =
-{
- {
- PT_CODEC,
- EX_NAME,
- EX_HELP,
- CDAPI_PLUGIN_V0,
- 0,
- nullptr,
- nullptr,
- },
- nullptr, // pointer to a function called during Snort's startup.
- nullptr, // pointer to a function called during Snort's exit.
- nullptr, // pointer to a function called during thread's startup.
- nullptr, // pointer to a function called during thread's destruction.
- ctor, // pointer to the codec constructor.
- dtor, // pointer to the codec destructor.
-};
-
-SO_PUBLIC const BaseApi* snort_plugins[] =
-{
- &ex_api.base,
- nullptr
-};
-
-Two example Codecs are available in the extra directory on git and
-the extra tarball on the Snort page. One of those examples is the
-Token Ring Codec while the other example is the PIM Codec.
-
-As a final note, there are four more virtual functions that a Codec
-should implement: encode, format, update, and log. If the functions
-are not implemented Snort will not throw any errors. However, Snort
-may also be unable to accomplish some of its basic functionality.
-
- * encode is called whenever Snort actively responds and needs to
- builds a packet, i.e. whenever a rule using an IPS ACTION like
- react, reject, or rewrite is triggered. This function is used to
- build the response packet protocol by protocol.
- * format is called when Snort is rebuilding a packet. For instance,
- every time Snort reassembles a TCP stream or IP fragment, format
- is called. Generally, this function either swaps any source and
- destination fields in the protocol or does nothing.
- * update is similar to format in that it is called when Snort is
- reassembling a packet. Unlike format, this function only sets
- length fields.
- * log is called when either the log_codecs logger or a custom
- logger that calls PacketManager::log_protocols is used when
- running Snort.
-
-
-18.5. IPS Actions
-
---------------
-
-Action plugins specify a builtin action in the API which is used to
-determine verdict. (Conversely, builtin actions don’t have an
-associated plugin function.)
-
-
-18.6. Piglet Test Harness
-
---------------
-
-In order to assist with plugin development, an experimental mode
-called "piglet" mode is provided. With piglet mode, you can call
-individual methods for a specific plugin. The piglet tests are
-specified as Lua scripts. Each piglet test script defines a test for
-a specific plugin.
-
-Here is a minimal example of a piglet test script for the IPv4 Codec
-plugin:
-
-plugin =
-{
- type = "piglet",
- name = "codec::ipv4",
- use_defaults = true,
- test = function()
- local daq_header = DAQHeader.new()
- local raw_buffer = RawBuffer.new("some data")
- local codec_data = CodecData.new()
- local decode_data = DecodeData.new()
-
- return Codec.decode(
- daq_header,
- raw_buffer,
- codec_data,
- decode_data
- )
- end
-}
-
-To run snort in piglet mode, first build snort with the ENABLE_PIGLET
-option turned on (pass the flag -DENABLE_PIGLET:BOOL=ON in cmake).
-
-Then, run the following command:
-
-snort --script-path $test_scripts --piglet
-
-(where $test_scripts is the directory containing your piglet tests).
-
-The test runner will generate a check-like output, indicating the the
-results of each test script.
-
-
-18.7. Piglet Lua API
-
---------------
-
-This section documents the API that piglet exposes to Lua. Refer to
-the piglet directory in the source tree for examples of usage.
-
-Note: Because of the differences between the Lua and C++ data model
-and type system, not all parameters map directly to the parameters of
-the underlying C\++ member functions. Every effort has been made to
-keep the mappings consist, but there are still some differences. They
-are documented below.
-
-18.7.1. Plugin Instances
-
-For each test, piglet instantiates plugin specified in the name field
-of the plugin table. The virtual methods of the instance are exposed
-in a table unique to each plugin type. The name of the table is the
-CamelCase name of the plugin type.
-
-For example, codec plugins have a virtual method called decode. This
-method is called like this:
-
-Codec.decode(...)
-
-Codec
-
- * Codec.get_data_link_type() → { int, int, … }
- * Codec.get_protocol_ids() → { int, int, … }
- * Codec.decode(DAQHeader, RawBuffer, CodecData, DecodeData) → bool
- * Codec.log(RawBuffer, uint[lyr_len])
- * Codec.encode(RawBuffer, EncState, Buffer) → bool
- * Codec.update(uint[flags_hi], uint[flags_lo], RawBuffer, uint
- [lyr_len] → int
- * Codec.format(bool[reverse], RawBuffer, DecodeData)
-
-Differences:
-
- * In Codec.update(), the (uint64_t) flags parameter has been split
- into flags_hi and flags_lo
-
-Inspector
-
- * Inspector.configure()
- * Inspector.tinit()
- * Inspector.tterm()
- * Inspector.likes(Packet)
- * Inspector.eval(Packet)
- * Inspector.clear(Packet)
- * Inspector.get_buf_from_key(string[key], Packet, RawBuffer) → bool
- * Inspector.get_buf_from_id(uint[id], Packet, RawBuffer) → bool
- * Inspector.get_buf_from_type(uint[type], Packet, RawBuffer) → bool
- * Inspector.get_splitter(bool[to_server]) → StreamSplitter
-
-Differences: * In Inspector.configure(), the SnortConfig* parameter
-is passed implicitly. * the overloaded get_buf() member function has
-been split into three separate methods.
-
-IpsOption
-
- * IpsOption.hash() → int
- * IpsOption.is_relative() → bool
- * IpsOption.fp_research() → bool
- * IpsOption.get_cursor_type() → int
- * IpsOption.eval(Cursor, Packet) → int
- * IpsOption.action(Packet)
-
-IpsAction
-
- * IpsAction.exec(Packet)
-
-Logger
-
- * Logger.open()
- * Logger.close()
- * Logger.reset()
- * Logger.alert(Packet, string[message], Event)
- * Logger.log(Packet, string[message], Event)
-
-SearchEngine
-
-Currently, SearchEngine does not expose any methods.
-
-SoRule
-
-Currently, SoRule does not expose any methods.
-
-18.7.1.1. Interface Objects
-
-Many of the plugins take C++ classes and structs as arguments. These
-objects are exposed to the Lua API as Lua userdata. Exposed objects
-are instantiated by calling the new method from each object’s method
-table.
-
-For example, the DecodeData object can be instantiated and exposed to
-Lua like this:
-
-local decode_data = DecodeData.new(...)
-
-Each object also exposes useful methods for getting and setting
-member variables, and calling the C++ methods contained in the the
-object. These methods can be accessed using the : accessor syntax:
-
-decode_data:set({ sp = 80, dp = 3500 })
-
-Since this is just syntactic sugar for passing the object as the
-first parameter of the function DecodeData.set, an equivalent form
-is:
-
-decode_data.set(decode_data, { sp = 80, dp = 3500 })
-
-or even:
-
-DecodeData.set(decode_data, { sp = 80, dp = 3500 })
-
-Buffer
-
- * Buffer.new(string[data]) → Buffer
- * Buffer.new(uint[length]) → Buffer
- * Buffer.new(RawBuffer) → Buffer
- * Buffer:allocate(uint[length]) → bool
- * Buffer:clear()
-
-CodecData
-
- * CodecData.new() → CodecData
- * CodecData.new(uint[next_prot_id]) → CodecData
- * CodecData.new(fields) → CodecData
- * CodecData:get() → fields
- * CodecData:set(fields)
-
-fields is a table with the following contents:
-
- * next_prot_id
- * lyr_len
- * invalid_bytes
- * proto_bits
- * codec_flags
- * ip_layer_cnt
- * ip6_extension_count
- * curr_ip6_extension
- * ip6_csum_proto
-
-Cursor
-
- * Cursor.new() → Cursor
- * Cursor.new(Packet) → Cursor
- * Cursor.new(string[data]) → Cursor
- * Cursor.new(RawBuffer) → Cursor
- * Cursor:reset()
- * Cursor:reset(Packet)
- * Cursor:reset(string[data])
- * Cursor:reset(RawBuffer)
-
-DAQHeader
-
- * DAQHeader.new() → DAQHeader
- * DAQHeader.new(fields) → DAQHeader
- * DAQHeader:get() → fields
- * DAQHeader:set(fields)
-
-fields is a table with the following contents:
-
- * caplen
- * pktlen
- * ingress_index
- * egress_index
- * ingress_group
- * egress_group
- * flags
- * opaque
-
-DecodeData
-
- * DecodeData.new() → DecodeData
- * DecodeData.new(fields) → DecodeData
- * DecodeData:reset()
- * DecodeData:get() → fields
- * DecodeData:set(fields)
- * DecodeData:set_ipv4_hdr(RawBuffer, uint[offset])
-
-fields is a table with the following contents:
-
- * sp
- * dp
- * decode_flags
- * type
-
-EncState
-
- * EncState.new() → EncState
- * EncState.new(uint[flags_lo]) → EncState
- * EncState.new(uint[flags_lo], uint[flags_hi]) → EncState
- * EncState.new(uint[flags_lo], uint[flags_hi], uint[next_proto]) →
- EncState
- * EncState.new(uint[flags_lo], uint[flags_hi], uint[next_proto],
- uint[ttl]) → EncState
- * EncState.new(uint[flags_lo], uint[flags_hi], uint[next_proto],
- uint[ttl], uint[dsize]) → EncState
-
-Event
-
- * Event.new() → Event
- * Event.new(fields) → Event
- * Event:get() → fields
- * Event:set(fields)
-
-fields is a table with the following contents:
-
- * event_id
- * event_reference
- * sig_info
-
- + generator
- + id
- + rev
- + class_id
- + priority
- + text_rule
- + num_services
-
-Flow
-
- * Flow.new() → Flow
- * Flow:reset()
-
-Packet
-
- * Packet.new() → Packet
- * Packet.new(string[data]) → Packet
- * Packet.new(uint[size]) → Packet
- * Packet.new(fields) → Packet
- * Packet.new(RawBuffer) → Packet
- * Packet.new(DAQHeader) → Packet
- * Packet:set_decode_data(DecodeData)
- * Packet:set_data(uint[offset], uint[length])
- * Packet:set_flow(Flow)
- * Packet:get() → fields
- * Packet:set()
- * Packet:set(string[data])
- * Packet:set(uint[size])
- * Packet:set(fields)
- * Packet:set(RawBuffer)
- * Packet:set(DAQHeader)
-
-fields is a table with the following contents:
-
- * packet_flags
- * xtradata_mask
- * proto_bits
- * application_protocol_ordinal
- * alt_dsize
- * num_layers
- * iplist_id
- * user_policy_id
- * ps_proto
-
-Note: Packet.new() and Packet:set() accept multiple arguments of the
-types described above in any order
-
-RawBuffer
-
- * RawBuffer.new() → RawBuffer
- * RawBuffer.new(uint[size]) → RawBuffer
- * RawBuffer.new(string[data]) → RawBuffer
- * RawBuffer:size() → int
- * RawBuffer:resize(uint[size])
- * RawBuffer:write(string[data])
- * RawBuffer:write(string[data], uint[size])
- * RawBuffer:read() → string
- * RawBuffer:read(uint[end]) → string
- * RawBuffer:read(uint[start], uint[end]) → string
-
-Note: calling RawBuffer.new() with no arguments returns a RawBuffer
-of size 0
-
-StreamSplitter
-
- * StreamSplitter:scan(Flow, RawBuffer) → int, int
- * StreamSplitter:scan(Flow, RawBuffer, uint[len]) → int, int
- * StreamSplitter:scan(Flow, RawBuffer, uint[len], uint[flags]) →
- int, int
- * StreamSplitter:reassemble(Flow, uint[total], uint[offset],
- RawBuffer) → int, RawBuffer
- * StreamSplitter:reassemble(Flow, uint[total], uint[offset],
- RawBuffer, uint[len]) → int, RawBuffer
- * StreamSplitter:reassemble(Flow, uint[total], uint[offset],
- RawBuffer, uint[len], uint[flags]) → int, RawBuffer
- * StreamSplitter:finish(Flow) → bool
-
-Note: StreamSplitter does not have a new() method, it must be created
-by an inspector via Inspector.get_splitter()
-
-
-18.8. Developers Guide
-
---------------
-
-Run doc/dev_guide.sh to generate /tmp/dev_guide.html, an annotated
-guide to the source tree.
-
-
-18.9. Performance Considerations for Developers
-
---------------
-
- * Since C compilers evaluate compound conditional expression from
- left to right, put the costly condition last. Put the often-false
- condition first in && expression. Put the often-true condition
- first in || expression.
- * Use emplace_back/emplace instead of push_back/insert on STL
- containers.
- * In general, unordered_map is faster than map for frequent lookups
- using integer key on relatively static collection of unsorted
- elements. Whereas, map is faster for frequent insertions/
- deletions/iterations and for non-integer key such as string or
- custom objects. Consider the same factors when deciding ordered
- vs. unordered multimap and set.
- * Iterate using range-based for loop with reference (i.e., auto&).
- * Be mindful of construction and destruction of temporary objects
- which can be wasteful. Consider using std::move, std::swap,
- lvalue reference (&), and rvalue reference (&&).
- * Avoid thread-local storage. When unavoidable, minimize frequent
- TLS access by caching it to a local variable.
- * When writing inter-library APIs, consider interfaces depending on
- use cases to minimize context switching. For example, if two APIs
- foo() and bar() are needed to call, combine these into a single
- API to minimize jumps.
-
-
----------------------------------------------------------------------
-
-19. Coding Style
-
----------------------------------------------------------------------
-
-All new code should try to follow these style guidelines. These are
-not yet firm so feedback is welcome to get something we can live
-with.
-
-
-19.1. General
-
---------------
-
- * Generally try to follow https://google.github.io/styleguide/
- cppguide.html, but there are some differences documented here.
- * Each source directory should have a dev_notes.txt file
- summarizing the key points and design decisions for the code in
- that directory. These are built into the developers guide.
- * Makefile.am and CMakeLists.txt should have the same files listed
- in alpha order. This makes it easier to maintain both build
- systems.
- * All new code must come with unit tests providing 95% coverage or
- better.
- * Generally, Catch is preferred for tests in the source file and
- CppUTest is preferred for test executables in a test
- subdirectory.
-
-
-19.2. C++ Specific
-
---------------
-
- * Do not use exceptions. Exception-safe code is non-trivial and we
- have ported legacy code that makes use of exceptions unwise.
- There are a few exceptions to this rule for the memory manager,
- shell, etc. Other code should handle errors as errors.
- * Do not use dynamic_cast or RTTI. Although compilers are getting
- better all the time, there is a time and space cost to this that
- is easily avoided.
- * Use smart pointers judiciously as they aren’t free. If you would
- have to roll your own, then use a smart pointer. If you just need
- a dtor to delete something, write the dtor.
- * Prefer and over && and or over || for new source files.
- * Use nullptr instead of NULL.
- * Use new, delete, and their [] counterparts instead of malloc and
- free except where realloc must be used. But try not to use
- realloc. New and delete can’t return nullptr so no need to check.
- And Snort’s memory manager will ensure that we live within our
- memory budget.
- * Use references in lieu of pointers wherever possible.
- * Use the order public, protected, private top to bottom in a class
- declaration.
- * Keep inline functions in a class declaration very brief,
- preferably just one line. If you need a more complex inline
- function, move the definition below the class declaration.
- * The goal is to have highly readable class declarations. The user
- shouldn’t have to sift through implementation details to see what
- is available to the client.
- * Any using statements in source files should be added only after
- all includes have been declared.
-
-
-19.3. Naming
-
---------------
-
- * Use camel case for namespaces, classes, and types like
- WhizBangPdfChecker.
- * Use lower case identifiers with underscore separators, e.g.
- some_function() and my_var.
- * Do not start or end variable names with an underscore. This has a
- good chance of conflicting with macro and/or system definitions.
- * Use lower case filenames with underscores.
-
-
-19.4. Comments
-
---------------
-
- * Write comments sparingly with a mind towards future proofing.
- Often the comments can be obviated with better code. Clear code
- is better than a comment.
- * Heed Tim Ottinger’s Rules on Comments (https://disqus.com/by/
- tim_ottinger/):
-
- 1. Comments should only say what the code is incapable of
- saying.
- 2. Comments that repeat (or pre-state) what the code is doing
- must be removed.
- 3. If the code CAN say what the comment is saying, it must be
- changed at least until rule #2 is in force.
- * Function comment blocks are generally just noise that quickly
- becomes obsolete. If you absolutely must comment on parameters,
- put each on a separate line along with the comment. That way
- changing the signature may prompt a change to the comments too.
- * Use FIXIT (not FIXTHIS or TODO or whatever) to mark things left
- for a day or even just a minute. That way we can find them easily
- and won’t lose track of them.
- * Presently using FIXIT-X where X is one of the characters below.
- Place A and W comments on the exact warning line so we can match
- up comments and build output. Supporting comments can be added
- above.
- * A = known static analysis issue
- * D = deprecated - code to be removed after users update
- * E = enhancement - next steps for incomplete features (not a bug)
- * H = high priority - urgent deficiency
- * L = low priority - cleanup or similar technical debt (not a bug)
- * M = medium priority - suspected non-urgent deficiency
- * P = performance issue (not a bug)
- * W = warning - known compiler warning
- * Put the copyright(s) and license in a comment block at the top of
- each source file (.h and .cc). Don’t bother with trivial scripts
- and make foo. Some interesting Lua code should get a comment
- block too. Copy and paste exactly from src/main.h (don’t
- reformat).
- * Put author, description, etc. in separate comment(s) following
- the license. Do not put such comments in the middle of the
- license foo. Be sure to put the author line ahead of the header
- guard to exclude them from the developers guide. Use the
- following format, and include a mention to the original author if
- this is derived work:
-
- // ips_dnp3_obj.cc author Maya Dagon <mdagon@cisco.com>
- // based on work by Ryan Jordan
-
- * Each header should have a comment immediately after the header
- guard to give an overview of the file so the reader knows what’s
- going on.
- * Use the following comment on switch cases that intentionally fall
- through to the next case to suppress compiler warning on known
- valid cases:
-
- // fallthrough
-
-
-19.5. Logging
-
---------------
-
- * Messages intended for the user should not look like debug
- messages. Eg, the function name should not be included. It is
- generally unhelpful to include pointers.
- * Most debug messages should just be deleted.
- * Don’t bang your error messages (no !). The user feels bad enough
- about the problem already w/o you shouting at him.
-
-
-19.6. Types
-
---------------
-
- * Use logical types to make the code clearer and to help the
- compiler catch problems. typedef uint16_t Port; bool foo(Port) is
- way better than int foo(int port).
- * Use forward declarations (e.g. struct SnortConfig;) instead of
- void*.
- * Try not to use extern data unless absolutely necessary and then
- put the extern in an appropriate header. Exceptions for things
- used in exactly one place like BaseApi pointers.
- * Use const liberally. In most cases, const char* s = "foo" should
- be const char* const s = "foo". The former goes in the
- initialized data section and the latter in read only data
- section.
- * But use const char s[] = "foo" instead of const char* s = "foo"
- when possible. The latter form allocates a pointer variable and
- the data while the former allocates only the data.
- * Use static wherever possible to minimize public symbols and
- eliminate unneeded relocations.
- * Declare functions virtual only in the parent class introducing
- the function (not in a derived class that is overriding the
- function). This makes it clear which class introduces the
- function.
- * Declare functions as override if they are intended to override a
- function. This makes it possible to find derived implementations
- that didn’t get updated and therefore won’t get called due a
- change in the parent signature.
- * Use bool functions instead of int unless there is truly a need
- for multiple error returns. The C-style use of zero for success
- and -1 for error is less readable and often leads to messy code
- that either ignores the various errors anyway or needlessly and
- ineffectively tries to do something about them. Generally that
- code is not updated if new errors are added.
-
-
-19.7. Macros (aka defines)
-
---------------
-
- * In many cases, even in C++, use #define name "value" instead of a
- const char* const name = "value" because it will eliminate a
- symbol from the binary.
- * Use inline functions instead of macros where possible (pretty
- much all cases except where stringification is necessary).
- Functions offer better typing, avoid re-expansions, and a
- debugger can break there.
- * All macros except simple const values should be wrapped in () and
- all args should be wrapped in () too to avoid surprises upon
- expansion. Example:
-
- #define SEQ_LT(a,b) ((int)((a) - (b)) < 0)
-
- * Multiline macros should be blocked (i.e. inside { }) to avoid
- if-else type surprises.
-
-
-19.8. Formatting
-
---------------
-
- * Try to keep all source files under 2500 lines. 3000 is the max
- allowed. If you need more lines, chances are that the code needs
- to be refactored.
- * Indent 4 space chars … no tabs!
- * If you need to indent many times, something could be rewritten or
- restructured to make it clearer. Fewer indents is generally
- easier to write, easier to read, and overall better code.
- * Braces go on the line immediately following a new scope (function
- signature, if, else, loop, switch, etc.
- * Use consistent spacing and line breaks. Always indent 4 spaces
- from the breaking line. Keep lines less than 100 chars; it
- greatly helps readability.
-
- No:
- calling_a_func_with_a_long_name(arg1,
- arg2,
- arg3);
-
- Yes:
- calling_a_func_with_a_long_name(
- arg1, arg2, arg3);
-
- * Put function signature on one line, except when breaking for the
- arg list:
-
- No:
- inline
- bool foo()
- { // ...
-
- Yes:
- inline bool foo()
- { // ...
-
- * Put conditional code on the line following the if so it is easy
- to break on the conditional block:
-
- No:
- if ( test ) foo();
-
- Yes:
- if ( test )
- foo();
-
-
-19.9. Headers
-
---------------
-
- * Don’t hesitate to create a new header if it is needed. Don’t lump
- unrelated stuff into an header because it is convenient.
- * Write header guards like this (leading underscores are reserved
- for system stuff). In my_header.h:
-
- #ifndef MY_HEADER_H
- #define MY_HEADER_H
- // ...
- #endif
-
- * Includes from a different directory should specify parent
- directory. This makes it clear exactly what is included and
- avoids the primordial soup that results from using -I this -I
- that -I the_other_thing … .
-
- // given:
- src/foo/foo.cc
- src/bar/bar.cc
- src/bar/baz.cc
-
- // in baz.cc
- #include "bar.h"
-
- // in foo.cc
- #include "bar/bar.h"
-
- * Includes within installed headers should specify parent
- directory.
- * Just because it is a #define doesn’t mean it goes in a header.
- Everything should be scoped as tightly as possible. Shared
- implementation declarations should go in a separate header from
- the interface. And so on.
- * All .cc files should include config.h with the standard block
- shown below immediately following the initial comment blocks and
- before anything else. This presents a consistent view of all
- included header files as well as access to any other
- configure-time definitions. No .h files should include config.h
- unless they are guaranteed to be local header files (never
- installed).
-
- #ifdef HAVE_CONFIG_H
- #include "config.h"
- #endif
-
- * A .cc should include its own .h before any others aside from the
- aforementioned config.h (including system headers). This ensures
- that the header stands on its own and can be used by clients
- without include prerequisites and the developer will be the first
- to find a dependency issue.
- * Split headers included from the local directory into a final
- block of headers. For a .cc file, the final order of sets of
- header includes should look like this:
-
- 1. config.h
- 2. its own .h file
- 3. system headers (.h/.hpp/.hxx)
- 4. C++ standard library headers (no file extension)
- 5. Snort headers external to the local directory (path-prefixed)
- 6. Snort headers in the local directory
- * Include required headers, all required headers, and nothing but
- required headers. Don’t just clone a bunch of headers because it
- is convenient.
- * Keep includes in alphabetical order. This makes it easier to
- maintain, avoid duplicates, etc.
- * Do not put using statements in headers unless they are tightly
- scoped.
-
-
-19.10. Warnings
-
---------------
-
- * With g++, use at least these compiler flags:
-
- -Wall -Wextra -pedantic -Wformat -Wformat-security
- -Wunused-but-set-variable -Wno-deprecated-declarations
- -fsanitize=address -fno-omit-frame-pointer
-
- * With clang, use at least these compiler flags:
-
- -Wall -Wextra -pedantic -Wformat -Wformat-security
- -Wno-deprecated-declarations
- -fsanitize=address -fno-omit-frame-pointer
-
- * Two macros (PADDING_GUARD_BEGIN and PADDING_GUARD_END) are
- provided by utils/cpp_macros.h. These should be used to surround
- any structure used as a hash key with a raw comparator or that
- would otherwise suffer from unintentional padding. A compiler
- warning will be generated if any structure definition is
- automatically padded between the macro invocations.
- * Then Fix All Warnings and Aborts. None Allowed.
-
-
-19.11. Uncrustify
-
---------------
-
-Currently using uncrustify from at https://github.com/bengardner/
-uncrustify to reformat legacy code and anything that happens to need
-a makeover at some point.
-
-The working config is crusty.cfg in the top level directory. It does
-well but will munge some things. Specially formatted INDENT-OFF
-comments were added in 2 places to avoid a real mess.
-
-You can use uncrustify something like this:
-
-uncrustify -c crusty.cfg --replace file.cc
-
-
----------------------------------------------------------------------
-
-20. Reference
+11. Appendix
---------------------------------------------------------------------
-20.1. Build Options
+11.1. Build Options
--------------
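Review bot: removing the Piglet Lua object reference (Buffer through StreamSplitter), the Developers Guide, the Performance Considerations and the whole Coding Style chapter leaves no pointer to where that material now lives, and the gap is visible because the same patch adds `--piglet enable piglet test harness mode` to the command line options: a reader of the renamed Reference Manual meets an option whose harness API is documented nowhere in the document. Suggest either a one-line cross reference to the destination document at the point where sections 18.8 and 19 used to start, or at minimum naming the destination in the commit message. The renumbering of `20. Reference` to `11. Appendix` and of 20.x to 11.x also needs the table of contents and any in-text section references updated in the same change, otherwise the numbers drift.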
these libraries see the Getting Started section of the manual.
-20.2. Environment Variables
+11.2. Environment Variables
--------------
be added to the manuals.
-20.3. Command Line Options
+11.3. Command Line Options
--------------
* --nolock-pidfile do not try to lock Snort PID file
* --pause wait for resume/quit command before processing packets/
terminating
+ * --pause-after-n <count> pause after count packets (1:max53)
* --pcap-file <file> file that contains a list of pcaps to read -
read mode is implied
* --pcap-list <list> a space separated list of pcaps to read - read
file or directory
* --pcap-show print a line saying what pcap is currently being read
* --pedantic warnings are fatal
+ * --piglet enable piglet test harness mode
* --plugin-path <path> a colon separated list of directories or
plugin libraries
* --process-all-events process all action groups
* --treat-drop-as-ignore use drop, block, and reset rules to ignore
session traffic when not inline
* --tweaks tune configuration
+ * --catch-test comma separated list of cat unit test tags or all
* --version show version number (same as -V)
* --warn-all enable all warnings
* --warn-conf warn about configuration issues
* --trace turn on main loop debug trace
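Review bot: the help text added for `--catch-test` reads `comma separated list of cat unit test tags or all`; `cat` looks like a truncation of Catch, the unit test framework named in the Coding Style text this patch removes, and since this list is generated from the option help strings the correction belongs in the source string rather than in the manual, so that the duplicate under `string snort.--catch-test` in the Configuration section stays in sync. The `--pause-after-n <count>` entry matches its `{ 1:max53 }` counterpart under `snort.--pause-after-n`, so no change is needed there.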
-20.4. Configuration
+11.4. Configuration
--------------
logging appid statistics { 1:max32 }
* int appid.app_stats_rollover_size = 20971520: max file size for
appid stats before rolling over the log file { 0:max32 }
+ * int appid.first_decrypted_packet_debug = 0: the first packet of
+ an already decrypted SSL flow (debug single session only) {
+ 0:max32 }
* bool appid.list_odp_detectors = false: enable logging of odp
detectors statistics
* bool appid.load_odp_detectors_in_ctrl = false: load odp detectors
* port host_tracker[].services[].port: port number
* enum host_tracker[].services[].proto: IP protocol { ip | tcp |
udp }
+ * int http2_inspect.print_amount = 1200: number of characters to
+ print from a Field { 1:max53 }
+ * bool http2_inspect.print_hex = false: nonprinting characters
+ printed in [HH] format instead of using an asterisk
+ * bool http2_inspect.show_pegs = true: display peg counts with test
+ output
+ * bool http2_inspect.show_scan = false: display scanned segments
+ * bool http2_inspect.test_input = false: read HTTP/2 messages from
+ text file
+ * bool http2_inspect.test_output = false: print out HTTP section
+ data
* implied http_cookie.request: match against the cookie from the
request message even when examining the response
* implied http_cookie.with_body: parts of this rule examine HTTP
encodings
* bool http_inspect.plus_to_space = true: replace + with <sp> when
normalizing URIs
+ * int http_inspect.print_amount = 1200: number of characters to
+ print from a Field { 1:max53 }
+ * bool http_inspect.print_hex = false: nonprinting characters
+ printed in [HH] format instead of using an asterisk
* int http_inspect.request_depth = -1: maximum request message body
bytes to examine (-1 no limit) { -1:max53 }
* int http_inspect.response_depth = -1: maximum response message
body bytes to examine (-1 no limit) { -1:max53 }
+ * bool http_inspect.show_pegs = true: display peg counts with test
+ output
+ * bool http_inspect.show_scan = false: display scanned segments
* bool http_inspect.simplify_path = true: reduce URI directory path
to simplest form
+ * bool http_inspect.test_input = false: read HTTP messages from
+ text file
+ * bool http_inspect.test_output = false: print out HTTP section
+ data
* bool http_inspect.unzip = true: decompress gzip and deflate
message bodies
* bool http_inspect.utf8_bare_byte = false: when doing UTF-8
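Review bot: the http_inspect and http2_inspect parameters added in this region (test_input, test_output, show_pegs, show_scan, print_amount, print_hex) are test harness settings, but their descriptions do not say so, unlike `stream.footprint`, whose text reads `use zero for production, non-zero for testing`. The omission has a concrete cost for `test_input = true`, described as `read HTTP messages from text file`: an administrator who enables it from this reference feeds the inspector a file instead of the traffic it is supposed to inspect. Suggest adding a `(testing only)` qualifier to each of these help strings at the source so the generated text carries it.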
(max_time exceeded)
* int latency.packet.max_time = 500: set timeout for packet latency
thresholding (usec) { 0:max53 }
+ * bool latency.packet.test_timeout = false: timeout on every packet
* int latency.rule.max_suspend_time = 30000: set max time for
suspending a rule (ms, 0 means permanently disable rule) {
0:max32 }
rules
* int latency.rule.suspend_threshold = 5: set threshold for number
of timeouts before suspending a rule { 1:max32 }
+ * bool latency.rule.test_timeout = false: timeout on every rule
+ evaluation
* bool log_codecs.file = false: output to log_codecs.txt instead of
stdout
* bool log_codecs.msg = false: include alert msg
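Review bot: `latency.packet.test_timeout` and `latency.rule.test_timeout` have the same gap as the http_inspect test options: `timeout on every packet` and `timeout on every rule evaluation` describe knobs that, if set in a production policy, make every packet exceed the latency threshold and, with rule suspension enabled, suspend a rule once the adjacent `latency.rule.suspend_threshold` count of timeouts (5 by default) is reached, which amounts to switching detection off. Suggest a `(testing only)` qualifier in both help strings.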
* int output.tagged_packet_limit = 256: maximum number of packets
tagged for non-packet metrics { 0:max32 }
* bool output.verbose = false: be verbose (same as -v)
- * bool output.wide_hex_dump = false: output 20 bytes per lines
+ * bool output.wide_hex_dump = true: output 20 bytes per lines
instead of 16 when dumping buffers
* bool packet_capture.enable = false: initially enable packet
dumping
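Review bot: the default of `output.wide_hex_dump` flips from `false` to `true`, so this hunk documents a behaviour change (buffer dumps go from 16 to 20 bytes per line) rather than a new option; that belongs in the change log or release notes as well, since anything that parses Snort's hex dumps by column position will see different output after upgrade. Minor: the help string reads `20 bytes per lines`, should be `per line`; fix it in the source string so the generated text follows.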
* string snort.--bpf: <filter options> are standard BPF options, as
seen in TCPDump
* string snort.--c2x: output hex for given char (see also --x2c)
+ * string snort.--catch-test: comma separated list of cat unit test
+ tags or all
* string snort.-c: <conf> use this configuration
* string snort.--control-socket: <file> to create unix socket
* implied snort.-C: print out payloads with character data only (no
* implied snort.-O: obfuscate the logged IP addresses
* string snort.-?: <option prefix> output matching command line
option quick help (same as --help-options) { (optional) }
+ * int snort.--pause-after-n: <count> pause after count packets {
+ 1:max53 }
* implied snort.--pause: wait for resume/quit command before
processing packets/terminating
* string snort.--pcap-dir: <dir> a directory to recurse to look for
* implied snort.--pcap-show: print a line saying what pcap is
currently being read
* implied snort.--pedantic: warnings are fatal
+ * implied snort.--piglet: enable piglet test harness mode
* string snort.--plugin-path: <path> a colon separated list of
directories or plugin libraries
* implied snort.--process-all-events: process all action groups
* int stream.file_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 }
* bool stream_file.upload = false: indicate file transfer direction
+ * int stream.footprint = 0: use zero for production, non-zero for
+ testing at given size (for TCP and user) { 0:max32 }
* int stream.held_packet_timeout = 1000: timeout in milliseconds
for held packets { 1:max32 }
* int stream.icmp_cache.cap_weight = 0: additional bytes to track
range { 0:65535 }
-20.5. Counts
+11.5. Counts
--------------
* udp.bad_udp6_checksum: nonzero udp over ipv6 checksums (sum)
* udp.checksum_bypassed: checksum calculations bypassed (sum)
* wizard.tcp_hits: tcp identifications (sum)
+ * wizard.tcp_misses: tcp searches abandoned (sum)
* wizard.tcp_scans: tcp payload scans (sum)
* wizard.udp_hits: udp identifications (sum)
+ * wizard.udp_misses: udp searches abandoned (sum)
* wizard.udp_scans: udp payload scans (sum)
* wizard.user_hits: user identifications (sum)
+ * wizard.user_misses: user searches abandoned (sum)
* wizard.user_scans: user payload scans (sum)
-20.6. Generators
+11.6. Generators
--------------
* 256: dpx
-20.7. Builtin Rules
+11.7. Builtin Rules
--------------
* 256:1 (dpx) too much data sent to port
-20.8. Command Set
+11.8. Command Set
--------------
* trace.clear(): clear modules traces and constraints
-20.9. Signals
+11.9. Signals
--------------
* hosts(23): reload hosts file
-20.10. Configuration Changes
-
---------------
-
-change -> dynamicdetection ==> 'snort.--plugin_path=<path>'
-change -> dynamicengine ==> 'snort.--plugin_path=<path>'
-change -> dynamicpreprocessor ==> 'snort.--plugin_path=<path>'
-change -> dynamicsidechannel ==> 'snort.--plugin_path=<path>'
-change -> attribute_table: 'STREAM_POLICY' ==> 'hosts: tcp_policy'
-change -> attribute_table: 'filename <file_name>' ==> 'hosts[]'
-change -> config ' addressspace_agnostic' ==> ' packets. address_space_agnostic'
-change -> config ' checksum_mode' ==> ' network. checksum_eval'
-change -> config ' daq_dir' ==> ' daq. module_dirs, true'
-change -> config ' detection_filter' ==> ' alerts. detection_filter_memcap'
-change -> config ' enable_deep_teredo_inspection' ==> ' udp. deep_teredo_inspection'
-change -> config ' event_filter' ==> ' alerts. event_filter_memcap'
-change -> config ' max_attribute_hosts' ==> ' attribute_table. max_hosts'
-change -> config ' max_attribute_services_per_host' ==> ' attribute_table. max_services_per_host'
-change -> config ' nopcre' ==> ' detection. pcre_enable'
-change -> config ' pkt_count' ==> ' packets. limit'
-change -> config ' rate_filter' ==> ' alerts. rate_filter_memcap'
-change -> config ' react' ==> ' react. page'
-change -> config ' threshold' ==> ' alerts. event_filter_memcap'
-change -> converter: 'gen_id' ==> 'gid'
-change -> converter: 'sid_id' ==> 'sid'
-change -> csv: 'csv' ==> 'fields'
-change -> csv: 'dgmlen' ==> 'pkt_len'
-change -> csv: 'dst' ==> 'dst_addr'
-change -> csv: 'dstport' ==> 'dst_port'
-change -> csv: 'ethdst' ==> 'eth_dst'
-change -> csv: 'ethlen' ==> 'eth_len'
-change -> csv: 'ethsrc' ==> 'eth_src'
-change -> csv: 'ethtype' ==> 'eth_type'
-change -> csv: 'icmpcode' ==> 'icmp_code'
-change -> csv: 'icmpid' ==> 'icmp_id'
-change -> csv: 'icmpseq' ==> 'icmp_seq'
-change -> csv: 'icmptype' ==> 'icmp_type'
-change -> csv: 'id' ==> 'ip_id'
-change -> csv: 'iplen' ==> 'ip_len'
-change -> csv: 'sig_generator' ==> 'gid'
-change -> csv: 'sig_id' ==> 'sid'
-change -> csv: 'sig_rev' ==> 'rev'
-change -> csv: 'src' ==> 'src_addr'
-change -> csv: 'srcport' ==> 'src_port'
-change -> csv: 'tcpack' ==> 'tcp_ack'
-change -> csv: 'tcpflags' ==> 'tcp_flags'
-change -> csv: 'tcplen' ==> 'tcp_len'
-change -> csv: 'tcpseq' ==> 'tcp_seq'
-change -> csv: 'tcpwindow' ==> 'tcp_win'
-change -> csv: 'udplength' ==> 'udp_len'
-change -> daq: 'config daq:' ==> 'name'
-change -> daq_mode: 'config daq_mode:' ==> 'mode'
-change -> daq_var: 'config daq_var:' ==> 'variables'
-change -> detection: 'ac' ==> 'ac_full'
-change -> detection: 'ac-banded' ==> 'ac_banded'
-change -> detection: 'ac-bnfa' ==> 'ac_bnfa'
-change -> detection: 'ac-bnfa-nq' ==> 'ac_bnfa'
-change -> detection: 'ac-bnfa-q' ==> 'ac_bnfa'
-change -> detection: 'ac-nq' ==> 'ac_full'
-change -> detection: 'ac-q' ==> 'ac_full'
-change -> detection: 'ac-sparsebands' ==> 'ac_sparse_bands'
-change -> detection: 'ac-split' ==> 'ac_full'
-change -> detection: 'ac-split' ==> 'split_any_any'
-change -> detection: 'ac-std' ==> 'ac_std'
-change -> detection: 'acs' ==> 'ac_sparse'
-change -> detection: 'bleedover-port-limit' ==> 'bleedover_port_limit'
-change -> detection: 'debug-print-fast-pattern' ==> 'show_fast_patterns'
-change -> detection: 'intel-cpm' ==> 'hyperscan'
-change -> detection: 'lowmem-nq' ==> 'lowmem'
-change -> detection: 'lowmem-q' ==> 'lowmem'
-change -> detection: 'max-pattern-len' ==> 'max_pattern_len'
-change -> detection: 'no_stream_inserts' ==> 'detect_raw_tcp'
-change -> detection: 'search-method' ==> 'search_method'
-change -> detection: 'search-optimize' ==> 'search_optimize'
-change -> detection: 'split-any-any' ==> 'split_any_any = true by default'
-change -> detection: 'split-any-any' ==> 'split_any_any'
-change -> dnp3: 'ports' ==> 'bindings'
-change -> dns: 'ports' ==> 'bindings'
-change -> event_filter: 'gen_id' ==> 'gid'
-change -> event_filter: 'sig_id' ==> 'sid'
-change -> event_filter: 'threshold' ==> 'event_filter'
-change -> file: 'config file: file_block_timeout' ==> 'block_timeout'
-change -> file: 'config file: file_capture_block_size' ==> 'capture_block_size'
-change -> file: 'config file: file_capture_max' ==> 'capture_max_size'
-change -> file: 'config file: file_capture_memcap' ==> 'capture_memcap'
-change -> file: 'config file: file_capture_min' ==> 'capture_min_size'
-change -> file: 'config file: file_type_depth' ==> 'type_depth'
-change -> file: 'config file: signature' ==> 'enable_signature'
-change -> file: 'config file: type_id' ==> 'enable_type'
-change -> file: 'ver' ==> 'version'
-change -> frag3_engine: 'min_fragment_length' ==> 'min_frag_length'
-change -> frag3_engine: 'overlap_limit' ==> 'max_overlaps'
-change -> frag3_engine: 'policy bsd-right' ==> 'policy = bsd_right'
-change -> frag3_engine: 'timeout' ==> 'session_timeout'
-change -> ftp_telnet_protocol: 'alt_max_param_len' ==> 'cmd_validity'
-change -> ftp_telnet_protocol: 'data_chan' ==> 'ignore_data_chan'
-change -> ftp_telnet_protocol: 'ports' ==> 'bindings'
-change -> gtp: 'ports' ==> 'bindings'
-change -> http_inspect_server: 'bare_byte' ==> 'utf8_bare_byte'
-change -> http_inspect_server: 'client_flow_depth' ==> 'request_depth'
-change -> http_inspect_server: 'double_decode' ==> 'iis_double_decode'
-change -> http_inspect_server: 'http_inspect_server' ==> 'http_inspect'
-change -> http_inspect_server: 'iis_backslash' ==> 'backslash_to_slash'
-change -> http_inspect_server: 'inspect_gzip' ==> 'unzip'
-change -> http_inspect_server: 'non_rfc_char' ==> 'bad_characters'
-change -> http_inspect_server: 'ports' ==> 'bindings'
-change -> http_inspect_server: 'u_encode' ==> 'percent_u'
-change -> http_inspect_server: 'utf_8' ==> 'utf8'
-change -> imap: 'ports' ==> 'bindings'
-change -> modbus: 'ports' ==> 'bindings'
-change -> na_policy_mode: 'na_policy_mode' ==> 'mode'
-change -> nap_selector: 'nap rules' ==> 'bindings'
-change -> paf_max: 'paf_max [0:63780]' ==> 'max_pdu [1460:32768]'
-change -> perfmonitor: 'console' ==> 'format = 'text''
-change -> perfmonitor: 'console' ==> 'output = 'console''
-change -> perfmonitor: 'file' ==> 'format = 'csv''
-change -> perfmonitor: 'file' ==> 'output = 'file''
-change -> perfmonitor: 'flow-file' ==> 'format = 'csv''
-change -> perfmonitor: 'flow-file' ==> 'output = 'file''
-change -> perfmonitor: 'flow-ip' ==> 'flow_ip'
-change -> perfmonitor: 'flow-ip-file' ==> 'format = 'csv''
-change -> perfmonitor: 'flow-ip-file' ==> 'output = 'file''
-change -> perfmonitor: 'flow-ip-memcap' ==> 'flow_ip_memcap'
-change -> perfmonitor: 'flow-ports' ==> 'flow_ports'
-change -> perfmonitor: 'pktcnt' ==> 'packets'
-change -> perfmonitor: 'snortfile' ==> 'format = 'csv''
-change -> perfmonitor: 'snortfile' ==> 'output = 'file''
-change -> perfmonitor: 'time' ==> 'seconds'
-change -> policy_mode: 'inline_test' ==> 'inline-test'
-change -> pop: 'ports' ==> 'bindings'
-change -> ppm: 'fastpath-expensive-packets' ==> 'packet.fastpath'
-change -> ppm: 'max-pkt-time' ==> 'packet.max_time'
-change -> ppm: 'max-rule-time' ==> 'rule.max_time'
-change -> ppm: 'ppm' ==> 'latency'
-change -> ppm: 'suspend-expensive-rules' ==> 'rule.suspend'
-change -> ppm: 'suspend-timeout' ==> 'max_suspend_time'
-change -> ppm: 'threshold' ==> 'rule.suspend_threshold'
-change -> preprocessor 'normalize_ icmp4' ==> 'normalize. icmp4'
-change -> preprocessor 'normalize_ icmp6' ==> 'normalize. icmp6'
-change -> preprocessor 'normalize_ ip6' ==> 'normalize. ip6'
-change -> profile: 'print' ==> 'count'
-change -> profile: 'sort avg_ticks' ==> 'sort = avg_check'
-change -> profile: 'sort total_ticks' ==> 'sort = total_time'
-change -> rate_filter: 'gen_id' ==> 'gid'
-change -> rate_filter: 'sig_id' ==> 'sid'
-change -> reputation: 'shared_mem' ==> 'list_dir'
-change -> rule_state: 'enabled/disabled' ==> 'enable'
-change -> rule_state: 'sdrop' ==> 'drop'
-change -> sfportscan: 'proto' ==> 'protos'
-change -> sfportscan: 'scan_type' ==> 'scan_types'
-change -> sip: 'ports' ==> 'bindings'
-change -> smtp: 'ports' ==> 'bindings'
-change -> ssh: 'server_ports' ==> 'bindings'
-change -> ssl: 'ports' ==> 'bindings'
-change -> stream5_global: 'max_active_responses' ==> 'max_responses'
-change -> stream5_global: 'min_response_seconds' ==> 'min_interval'
-change -> stream5_global: 'tcp_cache_nominal_timeout' ==> 'idle_timeout'
-change -> stream5_global: 'udp_cache_nominal_timeout' ==> 'idle_timeout'
-change -> stream5_ha: 'min_session_lifetime' ==> 'min_age'
-change -> stream5_ha: 'min_sync_interval' ==> 'min_sync'
-change -> stream5_ha: 'stream5_ha' ==> 'high_availability'
-change -> stream5_ha: 'use_daq' ==> 'daq_channel'
-change -> stream5_ip: 'timeout' ==> 'session_timeout'
-change -> stream5_tcp: 'bind_to' ==> 'bindings'
-change -> stream5_tcp: 'dont_reassemble_async' ==> 'reassemble_async'
-change -> stream5_tcp: 'max_queued_bytes' ==> 'queue_limit.max_bytes'
-change -> stream5_tcp: 'max_queued_segs' ==> 'queue_limit.max_segments'
-change -> stream5_tcp: 'policy hpux' ==> 'stream_tcp.policy = hpux11'
-change -> stream5_tcp: 'timeout' ==> 'session_timeout'
-change -> stream5_udp: 'timeout' ==> 'session_timeout'
-change -> suppress: 'gen_id' ==> 'gid'
-change -> suppress: 'sig_id' ==> 'sid'
-change -> syslog: 'log_alert' ==> 'level = alert'
-change -> syslog: 'log_auth' ==> 'facility = auth'
-change -> syslog: 'log_authpriv' ==> 'facility = authpriv'
-change -> syslog: 'log_cons' ==> 'options = cons'
-change -> syslog: 'log_crit' ==> 'level = crit'
-change -> syslog: 'log_daemon' ==> 'facility = daemon'
-change -> syslog: 'log_debug' ==> 'level = debug'
-change -> syslog: 'log_emerg' ==> 'level = emerg'
-change -> syslog: 'log_err' ==> 'level = err'
-change -> syslog: 'log_info' ==> 'level = info'
-change -> syslog: 'log_local0' ==> 'facility = local0'
-change -> syslog: 'log_local1' ==> 'facility = local1'
-change -> syslog: 'log_local2' ==> 'facility = local2'
-change -> syslog: 'log_local3' ==> 'facility = local3'
-change -> syslog: 'log_local4' ==> 'facility = local4'
-change -> syslog: 'log_local5' ==> 'facility = local5'
-change -> syslog: 'log_local6' ==> 'facility = local6'
-change -> syslog: 'log_local7' ==> 'facility = local7'
-change -> syslog: 'log_ndelay' ==> 'options = ndelay'
-change -> syslog: 'log_notice' ==> 'level = notice'
-change -> syslog: 'log_perror' ==> 'options = perror'
-change -> syslog: 'log_pid' ==> 'options = pid'
-change -> syslog: 'log_user' ==> 'facility = user'
-change -> syslog: 'log_warning' ==> 'level = warning'
-change -> threshold: 'ips_option: threshold' ==> 'event_filter'
-change -> unified2: ' alert_unified2' ==> 'unified2'
-change -> unified2: ' log_unified2' ==> 'unified2'
-change -> unified2: ' unified2' ==> 'unified2'
-deleted -> arpspoof: 'unicast'
-deleted -> attribute_table: '<FRAG_POLICY>hpux</FRAG_POLICY>'
-deleted -> attribute_table: '<FRAG_POLICY>irix</FRAG_POLICY>'
-deleted -> attribute_table: '<FRAG_POLICY>old-linux</FRAG_POLICY>'
-deleted -> attribute_table: '<FRAG_POLICY>unknown</FRAG_POLICY>'
-deleted -> attribute_table: '<STREAM_POLICY>noack</STREAM_POLICY>'
-deleted -> attribute_table: '<STREAM_POLICY>unknown</STREAM_POLICY>'
-deleted -> config ' cs_dir'
-deleted -> config ' decode_data_link'
-deleted -> config ' disable_attribute_reload_thread'
-deleted -> config ' disable_decode_alerts'
-deleted -> config ' disable_decode_drops'
-deleted -> config ' disable_inline_init_failopen'
-deleted -> config ' disable_ipopt_alerts'
-deleted -> config ' disable_ipopt_drops'
-deleted -> config ' disable_tcpopt_alerts'
-deleted -> config ' disable_tcpopt_drops'
-deleted -> config ' disable_tcpopt_experimental_alerts'
-deleted -> config ' disable_tcpopt_experimental_drops'
-deleted -> config ' disable_tcpopt_obsolete_alerts'
-deleted -> config ' disable_tcpopt_obsolete_drops'
-deleted -> config ' disable_tcpopt_ttcp_alerts'
-deleted -> config ' disable_ttcp_alerts'
-deleted -> config ' disable_ttcp_drops'
-deleted -> config ' dump_dynamic_rules_path'
-deleted -> config ' enable_decode_drops'
-deleted -> config ' enable_decode_oversized_alerts'
-deleted -> config ' enable_decode_oversized_drops'
-deleted -> config ' enable_gtp'
-deleted -> config ' enable_ipopt_drops'
-deleted -> config ' enable_tcpopt_drops'
-deleted -> config ' enable_tcpopt_experimental_drops'
-deleted -> config ' enable_tcpopt_obsolete_drops'
-deleted -> config ' enable_tcpopt_ttcp_drops'
-deleted -> config ' enable_ttcp_drops'
-deleted -> config ' flexresp2_attempts'
-deleted -> config ' flexresp2_interface'
-deleted -> config ' flexresp2_memcap'
-deleted -> config ' flexresp2_rows'
-deleted -> config ' flowbits_size'
-deleted -> config ' include_vlan_in_alerts'
-deleted -> config ' interface'
-deleted -> config ' layer2resets'
-deleted -> config ' log_ipv6_extra_data'
-deleted -> config ' no_promisc'
-deleted -> config ' nolog'
-deleted -> config ' protected_content'
-deleted -> config ' sidechannel'
-deleted -> config ' so_rule_memcap'
-deleted -> config 'dynamicoutput'
-deleted -> config 'sfalert_unified2'
-deleted -> config 'sflog_unified2'
-deleted -> config 'sidechannel'
-deleted -> csv: '<filename> can no longer be specific'
-deleted -> csv: 'default'
-deleted -> csv: 'trheader'
-deleted -> detection: 'mwm'
-deleted -> dnp3: 'disabled'
-deleted -> dnp3: 'memcap'
-deleted -> dns: 'enable_experimental_types'
-deleted -> dns: 'enable_obsolete_types'
-deleted -> dns: 'enable_rdata_overflow'
-deleted -> event_trace: 'file'
-deleted -> fast: '<filename> can no longer be specific'
-deleted -> frag3_engine: 'detect_anomalies'
-deleted -> frag3_global: 'disabled'
-deleted -> ftp_telnet_protocol: 'detect_anomalies'
-deleted -> full: '<filename> can no longer be specific'
-deleted -> http_inspect: 'detect_anomalous_servers'
-deleted -> http_inspect: 'disabled'
-deleted -> http_inspect: 'proxy_alert'
-deleted -> http_inspect_server: 'allow_proxy_use'
-deleted -> http_inspect_server: 'enable_cookie'
-deleted -> http_inspect_server: 'enable_xff'
-deleted -> http_inspect_server: 'extended_ascii_uri'
-deleted -> http_inspect_server: 'extended_response_inspection'
-deleted -> http_inspect_server: 'iis_unicode_map not allowed in sever'
-deleted -> http_inspect_server: 'inspect_uri_only'
-deleted -> http_inspect_server: 'log_hostname'
-deleted -> http_inspect_server: 'log_uri'
-deleted -> http_inspect_server: 'no_alerts'
-deleted -> http_inspect_server: 'no_pipeline_req'
-deleted -> http_inspect_server: 'non_strict'
-deleted -> http_inspect_server: 'normalize_cookies'
-deleted -> http_inspect_server: 'normalize_headers'
-deleted -> http_inspect_server: 'small_chunk_length'
-deleted -> http_inspect_server: 'tab_uri_delimiter'
-deleted -> http_inspect_server: 'unlimited_decompress'
-deleted -> imap: 'disabled'
-deleted -> imap: 'max_mime_mem'
-deleted -> imap: 'memcap'
-deleted -> nap_selector: 'fw_required'
-deleted -> nap_selector: 'nap_stats_time'
-deleted -> perfmonitor: 'accumulate'
-deleted -> perfmonitor: 'atexitonly'
-deleted -> perfmonitor: 'atexitonly: base-stats'
-deleted -> perfmonitor: 'atexitonly: events-stats'
-deleted -> perfmonitor: 'atexitonly: flow-ip-stats'
-deleted -> perfmonitor: 'atexitonly: flow-stats'
-deleted -> perfmonitor: 'atexitonly: reset'
-deleted -> perfmonitor: 'events'
-deleted -> perfmonitor: 'max'
-deleted -> pop: 'disabled'
-deleted -> pop: 'max_mime_mem'
-deleted -> pop: 'memcap'
-deleted -> ppm: 'debug-pkts'
-deleted -> reputation: 'shared_max_instances'
-deleted -> reputation: 'shared_refresh'
-deleted -> rpc_decode: 'alert_fragments'
-deleted -> rpc_decode: 'no_alert_incomplete'
-deleted -> rpc_decode: 'no_alert_large_fragments'
-deleted -> rpc_decode: 'no_alert_multiple_requests'
-deleted -> sfportscan: 'detect_ack_scans'
-deleted -> sfportscan: 'disabled'
-deleted -> sfportscan: 'logfile'
-deleted -> sfportscan: 'sense_level'
-deleted -> sfunified2: 'mpls_event_types'
-deleted -> sfunified2: 'vlan_event_types'
-deleted -> sip: 'disabled'
-deleted -> sip: 'max_sessions'
-deleted -> smtp: 'alert_unknown_cmds'
-deleted -> smtp: 'disabled'
-deleted -> smtp: 'enable_mime_decoding'
-deleted -> smtp: 'inspection_type'
-deleted -> smtp: 'max_mime_depth'
-deleted -> smtp: 'max_mime_mem'
-deleted -> smtp: 'memcap'
-deleted -> smtp: 'no_alerts'
-deleted -> smtp: 'print_cmds'
-deleted -> ssh: 'autodetect'
-deleted -> ssh: 'enable_badmsgdir'
-deleted -> ssh: 'enable_paysize'
-deleted -> ssh: 'enable_protomismatch'
-deleted -> ssh: 'enable_recognition'
-deleted -> ssh: 'enable_respoverflow'
-deleted -> ssh: 'enable_srvoverflow'
-deleted -> ssh: 'enable_ssh1crc32'
-deleted -> ssl: 'noinspect_encrypted'
-deleted -> stream5_global: 'disabled'
-deleted -> stream5_global: 'flush_on_alert'
-deleted -> stream5_global: 'memcap'
-deleted -> stream5_global: 'no_midstream_drop_alerts'
-deleted -> stream5_tcp: 'check_session_hijacking'
-deleted -> stream5_tcp: 'detect_anomalies'
-deleted -> stream5_tcp: 'dont_store_large_packets'
-deleted -> stream5_tcp: 'ignore_any_rules'
-deleted -> stream5_tcp: 'log_asymmetric_traffic'
-deleted -> stream5_tcp: 'policy noack'
-deleted -> stream5_tcp: 'policy unknown'
-deleted -> stream5_udp: 'ignore_any_rules'
-deleted -> tcpdump: '<filename> can no longer be specific'
-deleted -> test: 'file'
-deleted -> test: 'stdout'
-deleted -> unified2: 'filename'
-deleted -> unified2: 'mpls_event_types'
-deleted -> unified2: 'vlan_event_types'
-
-
-20.11. Module Listing
+11.10. Module Listing
--------------
* mss (ips_option): detection for TCP maximum segment size
* network (basic): configure basic network parameters
* normalizer (inspector): packet scrubbing for inline mode
+ * null_trace_logger (inspector): trace logger with a null printout
* output (basic): configure general output parameters
* packet_capture (inspector): raw packet dumping facility
* packet_tracer (basic): generate debug trace messages for packets
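Review bot: the snort2lua `change ->` / `deleted ->` tables removed at the top of this hunk are the only mapping in this document from Snort 2 option names to their Snort 3 equivalents (e.g. `ppm: 'ppm' ==> 'latency'`, `stream5_ha: 'stream5_ha' ==> 'high_availability'`, `rule_state: 'sdrop' ==> 'drop'`); since the heading moves from `20.11.` to `11.10.`, the chapter is evidently being relocated rather than dropped, so please state the destination in the commit message and confirm these tables land there. If they are moved, also fix the two typos they carry: `'<filename> can no longer be specific'` should read "specified" and `'iis_unicode_map not allowed in sever'` should read "server". Separately, the new entry `null_trace_logger (inspector): trace logger with a null printout` is ambiguous about what it does; a phrasing such as "trace logger that discards all output" would be clearer, and because this listing is generated from the module's help string the wording should be fixed in the module rather than here.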
* wscale (ips_option): detection for TCP window scale
-20.12. Plugin Listing
+11.11. Plugin Listing
--------------
* inspector::mem_test: for testing memory management
* inspector::modbus: modbus inspection
* inspector::normalizer: packet scrubbing for inline mode
+ * inspector::null_trace_logger: trace logger with a null printout
* inspector::packet_capture: raw packet dumping facility
* inspector::perf_monitor: performance monitoring and flow
statistics collection
* logger::log_null: disable logging of packets
* logger::log_pcap: log packet in pcap format
* logger::unified2: output event and packet in unified2 format file
+ * piglet::pp_codec: Codec piglet
+ * piglet::pp_inspector: Inspector piglet
+ * piglet::pp_ips_action: Ips action piglet
+ * piglet::pp_ips_option: Ips option piglet
+ * piglet::pp_logger: Logger piglet
+ * piglet::pp_search_engine: Search engine piglet
+ * piglet::pp_so_rule: SO rule piglet
+ * piglet::pp_test: Test piglet
* search_engine::ac_banded: Aho-Corasick Banded (high memory,
moderate performance)
* search_engine::ac_bnfa: Aho-Corasick Binary NFA (low memory, high
performance) MPSE
* so_rule::3|18758: SO rule example
-
-20.13. Limitations
-
---------------
-
-20.13.1. Reload limitations
-
-The following parameters can’t be changed during reload, and require
-a restart:
-
- * active.attempts
- * active.device
- * alerts.detection_filter_memcap
- * alerts.event_filter_memcap
- * alerts.rate_filter_memcap
- * attribute_table.max_hosts
- * attribute_table.max_services_per_host
- * daq.snaplen
- * detection.asn1
- * file_id.max_files_cached
- * process.chroot
- * process.daemon
- * process.set_gid
- * process.set_uid
- * snort.--bpf
- * snort.-l
-
-In addition, the following scenarios require a restart:
-
- * Enabling file capture for the first time
- * Changing file_id.capture_memcap if file capture was previously or
- currently enabled
- * Changing file_id.capture_block_size if file capture was
- previously or currently enabled
- * Adding/removing stream_* inspectors if stream was already
- configured
-
-In all of these cases reload will fail with the following message:
-"reload failed - restart required". The original config will remain
-in use.
-
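Review bot: the Limitations subsection deleted at the end of this hunk (the list of parameters that cannot be changed on reload, from `active.attempts` through `snort.-l`, the file-capture and `stream_*` scenarios, and the `"reload failed - restart required"` behaviour) is the only place this document tells an operator which changes force a restart; if it is moving with the 20.x to 11.x renumbering, name the destination in the commit, otherwise it should stay. Style: the added `piglet::pp_*` entries capitalize their descriptions (`Codec piglet`, `Ips action piglet`, `SO rule piglet`) while the surrounding entries are lowercase (`inspector::modbus: modbus inspection`, `logger::log_null: disable logging of packets`); these listings are generated from plugin help strings, so fix the casing at the source, and consider whether test-only piglet plugins belong in a user-facing plugin listing at all.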
+++ /dev/null
-<?xml version="1.0" encoding="UTF-8"?>\r
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"\r
- "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">\r
-<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">\r
-<head>\r
-<meta http-equiv="Content-Type" content="application/xhtml+xml; charset=UTF-8" />\r
-<meta name="generator" content="AsciiDoc 8.6.10" />\r
-<title>Snort 3 User Manual</title>\r
-<style type="text/css">\r
-/* Shared CSS for AsciiDoc xhtml11 and html5 backends */\r
-\r
-/* Default font. */\r
-body {\r
- font-family: Georgia,serif;\r
-}\r
-\r
-/* Title font. */\r
-h1, h2, h3, h4, h5, h6,\r
-div.title, caption.title,\r
-thead, p.table.header,\r
-#toctitle,\r
-#author, #revnumber, #revdate, #revremark,\r
-#footer {\r
- font-family: Arial,Helvetica,sans-serif;\r
-}\r
-\r
-body {\r
- margin: 1em 5% 1em 5%;\r
-}\r
-\r
-a {\r
- color: blue;\r
- text-decoration: underline;\r
-}\r
-a:visited {\r
- color: fuchsia;\r
-}\r
-\r
-em {\r
- font-style: italic;\r
- color: navy;\r
-}\r
-\r
-strong {\r
- font-weight: bold;\r
- color: #083194;\r
-}\r
-\r
-h1, h2, h3, h4, h5, h6 {\r
- color: #527bbd;\r
- margin-top: 1.2em;\r
- margin-bottom: 0.5em;\r
- line-height: 1.3;\r
-}\r
-\r
-h1, h2, h3 {\r
- border-bottom: 2px solid silver;\r
-}\r
-h2 {\r
- padding-top: 0.5em;\r
-}\r
-h3 {\r
- float: left;\r
-}\r
-h3 + * {\r
- clear: left;\r
-}\r
-h5 {\r
- font-size: 1.0em;\r
-}\r
-\r
-div.sectionbody {\r
- margin-left: 0;\r
-}\r
-\r
-hr {\r
- border: 1px solid silver;\r
-}\r
-\r
-p {\r
- margin-top: 0.5em;\r
- margin-bottom: 0.5em;\r
-}\r
-\r
-ul, ol, li > p {\r
- margin-top: 0;\r
-}\r
-ul > li { color: #aaa; }\r
-ul > li > * { color: black; }\r
-\r
-.monospaced, code, pre {\r
- font-family: "Courier New", Courier, monospace;\r
- font-size: inherit;\r
- color: navy;\r
- padding: 0;\r
- margin: 0;\r
-}\r
-pre {\r
- white-space: pre-wrap;\r
-}\r
-\r
-#author {\r
- color: #527bbd;\r
- font-weight: bold;\r
- font-size: 1.1em;\r
-}\r
-#email {\r
-}\r
-#revnumber, #revdate, #revremark {\r
-}\r
-\r
-#footer {\r
- font-size: small;\r
- border-top: 2px solid silver;\r
- padding-top: 0.5em;\r
- margin-top: 4.0em;\r
-}\r
-#footer-text {\r
- float: left;\r
- padding-bottom: 0.5em;\r
-}\r
-#footer-badges {\r
- float: right;\r
- padding-bottom: 0.5em;\r
-}\r
-\r
-#preamble {\r
- margin-top: 1.5em;\r
- margin-bottom: 1.5em;\r
-}\r
-div.imageblock, div.exampleblock, div.verseblock,\r
-div.quoteblock, div.literalblock, div.listingblock, div.sidebarblock,\r
-div.admonitionblock {\r
- margin-top: 1.0em;\r
- margin-bottom: 1.5em;\r
-}\r
-div.admonitionblock {\r
- margin-top: 2.0em;\r
- margin-bottom: 2.0em;\r
- margin-right: 10%;\r
- color: #606060;\r
-}\r
-\r
-div.content { /* Block element content. */\r
- padding: 0;\r
-}\r
-\r
-/* Block element titles. */\r
-div.title, caption.title {\r
- color: #527bbd;\r
- font-weight: bold;\r
- text-align: left;\r
- margin-top: 1.0em;\r
- margin-bottom: 0.5em;\r
-}\r
-div.title + * {\r
- margin-top: 0;\r
-}\r
-\r
-td div.title:first-child {\r
- margin-top: 0.0em;\r
-}\r
-div.content div.title:first-child {\r
- margin-top: 0.0em;\r
-}\r
-div.content + div.title {\r
- margin-top: 0.0em;\r
-}\r
-\r
-div.sidebarblock > div.content {\r
- background: #ffffee;\r
- border: 1px solid #dddddd;\r
- border-left: 4px solid #f0f0f0;\r
- padding: 0.5em;\r
-}\r
-\r
-div.listingblock > div.content {\r
- border: 1px solid #dddddd;\r
- border-left: 5px solid #f0f0f0;\r
- background: #f8f8f8;\r
- padding: 0.5em;\r
-}\r
-\r
-div.quoteblock, div.verseblock {\r
- padding-left: 1.0em;\r
- margin-left: 1.0em;\r
- margin-right: 10%;\r
- border-left: 5px solid #f0f0f0;\r
- color: #888;\r
-}\r
-\r
-div.quoteblock > div.attribution {\r
- padding-top: 0.5em;\r
- text-align: right;\r
-}\r
-\r
-div.verseblock > pre.content {\r
- font-family: inherit;\r
- font-size: inherit;\r
-}\r
-div.verseblock > div.attribution {\r
- padding-top: 0.75em;\r
- text-align: left;\r
-}\r
-/* DEPRECATED: Pre version 8.2.7 verse style literal block. */\r
-div.verseblock + div.attribution {\r
- text-align: left;\r
-}\r
-\r
-div.admonitionblock .icon {\r
- vertical-align: top;\r
- font-size: 1.1em;\r
- font-weight: bold;\r
- text-decoration: underline;\r
- color: #527bbd;\r
- padding-right: 0.5em;\r
-}\r
-div.admonitionblock td.content {\r
- padding-left: 0.5em;\r
- border-left: 3px solid #dddddd;\r
-}\r
-\r
-div.exampleblock > div.content {\r
- border-left: 3px solid #dddddd;\r
- padding-left: 0.5em;\r
-}\r
-\r
-div.imageblock div.content { padding-left: 0; }\r
-span.image img { border-style: none; vertical-align: text-bottom; }\r
-a.image:visited { color: white; }\r
-\r
-dl {\r
- margin-top: 0.8em;\r
- margin-bottom: 0.8em;\r
-}\r
-dt {\r
- margin-top: 0.5em;\r
- margin-bottom: 0;\r
- font-style: normal;\r
- color: navy;\r
-}\r
-dd > *:first-child {\r
- margin-top: 0.1em;\r
-}\r
-\r
-ul, ol {\r
- list-style-position: outside;\r
-}\r
-ol.arabic {\r
- list-style-type: decimal;\r
-}\r
-ol.loweralpha {\r
- list-style-type: lower-alpha;\r
-}\r
-ol.upperalpha {\r
- list-style-type: upper-alpha;\r
-}\r
-ol.lowerroman {\r
- list-style-type: lower-roman;\r
-}\r
-ol.upperroman {\r
- list-style-type: upper-roman;\r
-}\r
-\r
-div.compact ul, div.compact ol,\r
-div.compact p, div.compact p,\r
-div.compact div, div.compact div {\r
- margin-top: 0.1em;\r
- margin-bottom: 0.1em;\r
-}\r
-\r
-tfoot {\r
- font-weight: bold;\r
-}\r
-td > div.verse {\r
- white-space: pre;\r
-}\r
-\r
-div.hdlist {\r
- margin-top: 0.8em;\r
- margin-bottom: 0.8em;\r
-}\r
-div.hdlist tr {\r
- padding-bottom: 15px;\r
-}\r
-dt.hdlist1.strong, td.hdlist1.strong {\r
- font-weight: bold;\r
-}\r
-td.hdlist1 {\r
- vertical-align: top;\r
- font-style: normal;\r
- padding-right: 0.8em;\r
- color: navy;\r
-}\r
-td.hdlist2 {\r
- vertical-align: top;\r
-}\r
-div.hdlist.compact tr {\r
- margin: 0;\r
- padding-bottom: 0;\r
-}\r
-\r
-.comment {\r
- background: yellow;\r
-}\r
-\r
-.footnote, .footnoteref {\r
- font-size: 0.8em;\r
-}\r
-\r
-span.footnote, span.footnoteref {\r
- vertical-align: super;\r
-}\r
-\r
-#footnotes {\r
- margin: 20px 0 20px 0;\r
- padding: 7px 0 0 0;\r
-}\r
-\r
-#footnotes div.footnote {\r
- margin: 0 0 5px 0;\r
-}\r
-\r
-#footnotes hr {\r
- border: none;\r
- border-top: 1px solid silver;\r
- height: 1px;\r
- text-align: left;\r
- margin-left: 0;\r
- width: 20%;\r
- min-width: 100px;\r
-}\r
-\r
-div.colist td {\r
- padding-right: 0.5em;\r
- padding-bottom: 0.3em;\r
- vertical-align: top;\r
-}\r
-div.colist td img {\r
- margin-top: 0.3em;\r
-}\r
-\r
-@media print {\r
- #footer-badges { display: none; }\r
-}\r
-\r
-#toc {\r
- margin-bottom: 2.5em;\r
-}\r
-\r
-#toctitle {\r
- color: #527bbd;\r
- font-size: 1.1em;\r
- font-weight: bold;\r
- margin-top: 1.0em;\r
- margin-bottom: 0.1em;\r
-}\r
-\r
-div.toclevel0, div.toclevel1, div.toclevel2, div.toclevel3, div.toclevel4 {\r
- margin-top: 0;\r
- margin-bottom: 0;\r
-}\r
-div.toclevel2 {\r
- margin-left: 2em;\r
- font-size: 0.9em;\r
-}\r
-div.toclevel3 {\r
- margin-left: 4em;\r
- font-size: 0.9em;\r
-}\r
-div.toclevel4 {\r
- margin-left: 6em;\r
- font-size: 0.9em;\r
-}\r
-\r
-span.aqua { color: aqua; }\r
-span.black { color: black; }\r
-span.blue { color: blue; }\r
-span.fuchsia { color: fuchsia; }\r
-span.gray { color: gray; }\r
-span.green { color: green; }\r
-span.lime { color: lime; }\r
-span.maroon { color: maroon; }\r
-span.navy { color: navy; }\r
-span.olive { color: olive; }\r
-span.purple { color: purple; }\r
-span.red { color: red; }\r
-span.silver { color: silver; }\r
-span.teal { color: teal; }\r
-span.white { color: white; }\r
-span.yellow { color: yellow; }\r
-\r
-span.aqua-background { background: aqua; }\r
-span.black-background { background: black; }\r
-span.blue-background { background: blue; }\r
-span.fuchsia-background { background: fuchsia; }\r
-span.gray-background { background: gray; }\r
-span.green-background { background: green; }\r
-span.lime-background { background: lime; }\r
-span.maroon-background { background: maroon; }\r
-span.navy-background { background: navy; }\r
-span.olive-background { background: olive; }\r
-span.purple-background { background: purple; }\r
-span.red-background { background: red; }\r
-span.silver-background { background: silver; }\r
-span.teal-background { background: teal; }\r
-span.white-background { background: white; }\r
-span.yellow-background { background: yellow; }\r
-\r
-span.big { font-size: 2em; }\r
-span.small { font-size: 0.6em; }\r
-\r
-span.underline { text-decoration: underline; }\r
-span.overline { text-decoration: overline; }\r
-span.line-through { text-decoration: line-through; }\r
-\r
-div.unbreakable { page-break-inside: avoid; }\r
-\r
-\r
-/*\r
- * xhtml11 specific\r
- *\r
- * */\r
-\r
-div.tableblock {\r
- margin-top: 1.0em;\r
- margin-bottom: 1.5em;\r
-}\r
-div.tableblock > table {\r
- border: 3px solid #527bbd;\r
-}\r
-thead, p.table.header {\r
- font-weight: bold;\r
- color: #527bbd;\r
-}\r
-p.table {\r
- margin-top: 0;\r
-}\r
-/* Because the table frame attribute is overriden by CSS in most browsers. */\r
-div.tableblock > table[frame="void"] {\r
- border-style: none;\r
-}\r
-div.tableblock > table[frame="hsides"] {\r
- border-left-style: none;\r
- border-right-style: none;\r
-}\r
-div.tableblock > table[frame="vsides"] {\r
- border-top-style: none;\r
- border-bottom-style: none;\r
-}\r
-\r
-\r
-/*\r
- * html5 specific\r
- *\r
- * */\r
-\r
-table.tableblock {\r
- margin-top: 1.0em;\r
- margin-bottom: 1.5em;\r
-}\r
-thead, p.tableblock.header {\r
- font-weight: bold;\r
- color: #527bbd;\r
-}\r
-p.tableblock {\r
- margin-top: 0;\r
-}\r
-table.tableblock {\r
- border-width: 3px;\r
- border-spacing: 0px;\r
- border-style: solid;\r
- border-color: #527bbd;\r
- border-collapse: collapse;\r
-}\r
-th.tableblock, td.tableblock {\r
- border-width: 1px;\r
- padding: 4px;\r
- border-style: solid;\r
- border-color: #527bbd;\r
-}\r
-\r
-table.tableblock.frame-topbot {\r
- border-left-style: hidden;\r
- border-right-style: hidden;\r
-}\r
-table.tableblock.frame-sides {\r
- border-top-style: hidden;\r
- border-bottom-style: hidden;\r
-}\r
-table.tableblock.frame-none {\r
- border-style: hidden;\r
-}\r
-\r
-th.tableblock.halign-left, td.tableblock.halign-left {\r
- text-align: left;\r
-}\r
-th.tableblock.halign-center, td.tableblock.halign-center {\r
- text-align: center;\r
-}\r
-th.tableblock.halign-right, td.tableblock.halign-right {\r
- text-align: right;\r
-}\r
-\r
-th.tableblock.valign-top, td.tableblock.valign-top {\r
- vertical-align: top;\r
-}\r
-th.tableblock.valign-middle, td.tableblock.valign-middle {\r
- vertical-align: middle;\r
-}\r
-th.tableblock.valign-bottom, td.tableblock.valign-bottom {\r
- vertical-align: bottom;\r
-}\r
-\r
-\r
-/*\r
- * manpage specific\r
- *\r
- * */\r
-\r
-body.manpage h1 {\r
- padding-top: 0.5em;\r
- padding-bottom: 0.5em;\r
- border-top: 2px solid silver;\r
- border-bottom: 2px solid silver;\r
-}\r
-body.manpage h2 {\r
- border-style: none;\r
-}\r
-body.manpage div.sectionbody {\r
- margin-left: 3em;\r
-}\r
-\r
-@media print {\r
- body.manpage div#toc { display: none; }\r
-}\r
-\r
-\r
-@media screen {\r
- body {\r
- max-width: 50em; /* approximately 80 characters wide */\r
- margin-left: 16em;\r
- }\r
-\r
- #toc {\r
- position: fixed;\r
- top: 0;\r
- left: 0;\r
- bottom: 0;\r
- width: 13em;\r
- padding: 0.5em;\r
- padding-bottom: 1.5em;\r
- margin: 0;\r
- overflow: auto;\r
- border-right: 3px solid #f8f8f8;\r
- background-color: white;\r
- }\r
-\r
- #toc .toclevel1 {\r
- margin-top: 0.5em;\r
- }\r
-\r
- #toc .toclevel2 {\r
- margin-top: 0.25em;\r
- display: list-item;\r
- color: #aaaaaa;\r
- }\r
-\r
- #toctitle {\r
- margin-top: 0.5em;\r
- }\r
-}\r
-</style>\r
-<script type="text/javascript">\r
-/*<+'])');\r
- // Function that scans the DOM tree for header elements (the DOM2\r
- // nodeIterator API would be a better technique but not supported by all\r
- // browsers).\r
- var iterate = function (el) {\r
- for (var i = el.firstChild; i != null; i = i.nextSibling) {\r
- if (i.nodeType == 1 /* Node.ELEMENT_NODE */) {\r
- var mo = re.exec(i.tagName);\r
- if (mo && (i.getAttribute("class") || i.getAttribute("className")) != "float") {\r
- result[result.length] = new TocEntry(i, getText(i), mo[1]-1);\r
- }\r
- iterate(i);\r
- }\r
- }\r
- }\r
- iterate(el);\r
- return result;\r
- }\r
-\r
- var toc = document.getElementById("toc");\r
- if (!toc) {\r
- return;\r
- }\r
-\r
- // Delete existing TOC entries in case we're reloading the TOC.\r
- var tocEntriesToRemove = [];\r
- var i;\r
- for (i = 0; i < toc.childNodes.length; i++) {\r
- var entry = toc.childNodes[i];\r
- if (entry.nodeName.toLowerCase() == 'div'\r
- && entry.getAttribute("class")\r
- && entry.getAttribute("class").match(/^toclevel/))\r
- tocEntriesToRemove.push(entry);\r
- }\r
- for (i = 0; i < tocEntriesToRemove.length; i++) {\r
- toc.removeChild(tocEntriesToRemove[i]);\r
- }\r
-\r
- // Rebuild TOC entries.\r
- var entries = tocEntries(document.getElementById("content"), toclevels);\r
- for (var i = 0; i < entries.length; ++i) {\r
- var entry = entries[i];\r
- if (entry.element.id == "")\r
- entry.element.id = "_toc_" + i;\r
- var a = document.createElement("a");\r
- a.href = "#" + entry.element.id;\r
- a.appendChild(document.createTextNode(entry.text));\r
- var div = document.createElement("div");\r
- div.appendChild(a);\r
- div.className = "toclevel" + entry.toclevel;\r
- toc.appendChild(div);\r
- }\r
- if (entries.length == 0)\r
- toc.parentNode.removeChild(toc);\r
-},\r
-\r
-\r
-/////////////////////////////////////////////////////////////////////\r
-// Footnotes generator\r
-/////////////////////////////////////////////////////////////////////\r
-\r
-/* Based on footnote generation code from:\r
- * http://www.brandspankingnew.net/archive/2005/07/format_footnote.html\r
- */\r
-\r
-footnotes: function () {\r
- // Delete existing footnote entries in case we're reloading the footnodes.\r
- var i;\r
- var noteholder = document.getElementById("footnotes");\r
- if (!noteholder) {\r
- return;\r
- }\r
- var entriesToRemove = [];\r
- for (i = 0; i < noteholder.childNodes.length; i++) {\r
- var entry = noteholder.childNodes[i];\r
- if (entry.nodeName.toLowerCase() == 'div' && entry.getAttribute("class") == "footnote")\r
- entriesToRemove.push(entry);\r
- }\r
- for (i = 0; i < entriesToRemove.length; i++) {\r
- noteholder.removeChild(entriesToRemove[i]);\r
- }\r
-\r
- // Rebuild footnote entries.\r
- var cont = document.getElementById("content");\r
- var spans = cont.getElementsByTagName("span");\r
- var refs = {};\r
- var n = 0;\r
- for (i=0; i<spans.length; i++) {\r
- if (spans[i].className == "footnote") {\r
- n++;\r
- var note = spans[i].getAttribute("data-note");\r
- if (!note) {\r
- // Use [\s\S] in place of . so multi-line matches work.\r
- // Because JavaScript has no s (dotall) regex flag.\r
- note = spans[i].innerHTML.match(/\s*\[([\s\S]*)]\s*/)[1];\r
- spans[i].innerHTML =\r
- "[<a id='_footnoteref_" + n + "' href='#_footnote_" + n +\r
- "' title='View footnote' class='footnote'>" + n + "</a>]";\r
- spans[i].setAttribute("data-note", note);\r
- }\r
- noteholder.innerHTML +=\r
- "<div class='footnote' id='_footnote_" + n + "'>" +\r
- "<a href='#_footnoteref_" + n + "' title='Return to text'>" +\r
- n + "</a>. " + note + "</div>";\r
- var id =spans[i].getAttribute("id");\r
- if (id != null) refs["#"+id] = n;\r
- }\r
- }\r
- if (n == 0)\r
- noteholder.parentNode.removeChild(noteholder);\r
- else {\r
- // Process footnoterefs.\r
- for (i=0; i<spans.length; i++) {\r
- if (spans[i].className == "footnoteref") {\r
- var href = spans[i].getElementsByTagName("a")[0].getAttribute("href");\r
- href = href.match(/#.*/)[0]; // Because IE return full URL.\r
- n = refs[href];\r
- spans[i].innerHTML =\r
- "[<a href='#_footnote_" + n +\r
- "' title='View footnote' class='footnote'>" + n + "</a>]";\r
- }\r
- }\r
- }\r
-},\r
-\r
-install: function(toclevels) {\r
- var timerId;\r
-\r
- function reinstall() {\r
- asciidoc.footnotes();\r
- if (toclevels) {\r
- asciidoc.toc(toclevels);\r
- }\r
- }\r
-\r
- function reinstallAndRemoveTimer() {\r
- clearInterval(timerId);\r
- reinstall();\r
- }\r
-\r
- timerId = setInterval(reinstall, 500);\r
- if (document.addEventListener)\r
- document.addEventListener("DOMContentLoaded", reinstallAndRemoveTimer, false);\r
- else\r
- window.onload = reinstallAndRemoveTimer;\r
-}\r
-\r
-}\r
-asciidoc.install(2);\r
-/*]]>*/\r
-</script>\r
-</head>\r
-<body class="article">\r
-<div id="header">\r
-<h1>Snort 3 User Manual</h1>\r
-<span id="author">The Snort Team</span><br />\r
-</div>\r
-<div id="content">\r
-<div id="preamble">\r
-<div class="sectionbody">\r
-<div class="imageblock">\r
-<div class="content">\r
-<img src="./snorty.png" alt="Snorty" width="480" />\r
-</div>\r
-</div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code> ,,_ -*> Snort++ <*-\r
-o" )~ Version 3.0.2 (Build 2)\r
- '''' By Martin Roesch & The Snort Team\r
- http://snort.org/contact#team\r
- Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.\r
- Copyright (C) 1998-2013 Sourcefire, Inc., et al.</code></pre>\r
-</div></div>\r
-<div id="toc">\r
- <div id="toctitle">Contents</div>\r
- <noscript><p><b>JavaScript must be enabled in your browser to display the table of contents.</b></p></noscript>\r
-</div>\r
-</div>\r
-</div>\r
-<div class="sect1">\r
-<h2 id="_overview">Overview</h2>\r
-<div class="sectionbody">\r
-<div class="paragraph"><p>Snort 3.0 is an updated version of the Snort Intrusion Prevention System\r
-(IPS) which features a new design that provides a superset of Snort 2.X\r
-functionality with better throughput, detection, scalability, and\r
-usability. Some of the key features of Snort 3.0 are:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-Support multiple packet processing threads\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Use a shared configuration and attribute table\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Autodetect services for portless configuration\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Modular design\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Plugin framework with over 200 plugins\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-More scalable memory profile\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-LuaJIT configuration, loggers, and rule options\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Hyperscan support\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Rewritten TCP handling\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-New rule parser and syntax\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Service rules like alert http\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Rule "sticky" buffers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Way better SO rules\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-New HTTP inspector\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-New performance monitor\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-New time and space profiling\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-New latency monitoring and enforcement\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Piglets to facilitate component testing\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Inspection Events\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Automake and Cmake\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Autogenerate reference documentation\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Additional features are on the road map:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-Use a shared network map\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Support hardware offload for fast pattern acceleration\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Provide support for DPDK and ODP\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Support pipelining of packet processing\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Support proxy mode\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Multi-tennant support\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Incremental reload\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-New serialization of perf data and events\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Enhanced rule processing\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Windows support\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Anomaly detection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-and more!\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>The remainder of this section provides a high level survey of the inputs,\r
-processing, and outputs available with Snort 3.0.</p></div>\r
-<div class="paragraph"><p>Snort++ is the project that is creating Snort 3.0. In this manual "Snort"\r
-or "Snort 3" refers to the 3.0 version and earlier versions will be\r
-referred to as "Snort 2" where the distinction is relevant.</p></div>\r
-<div class="sect2">\r
-<h3 id="_first_steps">First Steps</h3>\r
-<div class="paragraph"><p>Snort can be configured to perform complex packet processing and deep\r
-packet inspection but it is best start simply and work up to more\r
-interesting tasks. Snort won’t do anything you didn’t specifically ask it\r
-to do so it is safe to just try things out and see what happens. Let’s\r
-start by just running Snort with no arguments:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$ snort</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>That will output usage information including some basic help commands. You\r
-should run all of these commands now to see what is available:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$ snort -V\r
-$ snort -?\r
-$ snort --help</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Note that Snort has extensive command line help available so if anything\r
-below isn’t clear, there is probably a way to get the exact information you\r
-need from the command line.</p></div>\r
-<div class="paragraph"><p>Now let’s examine the packets in a capture file (pcap):</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$ snort -r a.pcap</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Snort will decode and count the packets in the file and output some\r
-statistics. Note that the output excludes non-zero numbers so it is easy\r
-to see what is there.</p></div>\r
-<div class="paragraph"><p>You may have noticed that there are command line options to limit the\r
-number of packets examined or set a filter to select particular packets.\r
-Now is a good time to experiment with those options.</p></div>\r
-<div class="paragraph"><p>If you want to see details on each packet, you can dump the packets to\r
-console like this:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$ snort -r a.pcap -L dump</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Add the -d option to see the TCP and UDP payload. Now let’s switch to live\r
-traffic. Replace eth0 in the below command with an available network\r
-interface:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$ snort -i eth0 -L dump</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Unless the interface is taken down, Snort will just keep running, so enter\r
-Control-C to terminate or use the -n option to limit the number of packets.</p></div>\r
-<div class="paragraph"><p>Generally it is better to capture the packets for later analysis like this:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$ snort -i eth0 -L pcap -n 10</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Snort will write 10 packets to log.pcap.# where # is a timestamp value.\r
-You can read these back with -r and dump to console or pcap with -L. You\r
-get the idea.</p></div>\r
-<div class="paragraph"><p>Note that you can do similar things with other tools like tcpdump or\r
-Wireshark however these commands are very useful when you want to check\r
-your Snort setup.</p></div>\r
-<div class="paragraph"><p>The examples above use the default pcap DAQ. Snort supports non-pcap\r
-interfaces as well via the DAQ (data acquisition) library. Other DAQs\r
-provide additional functionality such as inline operation and/or higher\r
-performance. There are even DAQs that support raw file processing (ie\r
-without packets), socket processing, and plain text packets. To load\r
-external DAQ libraries and see available DAQs or select a particular DAQ\r
-use one of these commands:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$ snort --daq-dir <path> --daq-list\r
-$ snort --daq-dir <path> --daq <type></code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Be sure to put the --daq-dir option ahead of the --daq-list option or the\r
-external DAQs won’t appear in the list.</p></div>\r
-<div class="paragraph"><p>To leverage intrusion detection features of Snort you will need to provide\r
-some configuration details. The next section breaks down what must be\r
-done.</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_configuration">Configuration</h3>\r
-<div class="paragraph"><p>Effective configuration of Snort is done via the environment, command\r
-line, a Lua configuration file, and a set of rules.</p></div>\r
-<div class="paragraph"><p>Note that backwards compatibility with Snort 2 was sacrificed to obtain\r
-new and improved functionality. While Snort 3 leverages some of the\r
-Snort 2 code base, a lot has changed. The configuration of Snort 3 is\r
-done with Lua, so your old conf won’t work as is. Rules are still text\r
-based but with syntax tweaks, so your 2.X rules must be fixed up. However,\r
-snort2lua will help you convert your conf and rules to the new format.</p></div>\r
-<div class="sect3">\r
-<h4 id="_command_line">Command Line</h4>\r
-<div class="paragraph"><p>A simple command line might look like this:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c snort.lua -R cool.rules -r some.pcap -A cmg</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>To understand what that does, you can start by just running snort with no\r
-arguments by running snort --help. Help for all configuration and rule\r
-options is available via a suitable command line. In this case:</p></div>\r
-<div class="paragraph"><p>-c snort.lua is the main configuration file. This is a Lua script that is\r
-executed when loaded.</p></div>\r
-<div class="paragraph"><p>-R cool.rules contains some detection rules. You can write your own or\r
-obtain them from Talos (native 3.0 rules are not yet available from Talos\r
-so you must convert them with snort2lua). You can also put your rules\r
-directly in your configuration file.</p></div>\r
-<div class="paragraph"><p>-r some.pcap tells Snort to read network traffic from the given packet\r
-capture file. You could instead use -i eth0 to read from a live interface.\r
-There many other options available too depending on the DAQ you use.</p></div>\r
-<div class="paragraph"><p>-A cmg says to output intrusion events in "cmg" format, which has basic\r
-header details followed by the payload in hex and text.</p></div>\r
-<div class="paragraph"><p>Note that you add to and/or override anything in your configuration file by\r
-using the --lua command line option. For example:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>--lua 'ips = { enable_builtin_rules = true }'</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>will load the built-in decoder and inspector rules. In this case, ips is\r
-overwritten with the config you see above. If you just want to change the\r
-config given in your configuration file you would do it like this:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>--lua 'ips.enable_builtin_rules = true'</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_configuration_file">Configuration File</h4>\r
-<div class="paragraph"><p>The configuration file gives you complete control over how Snort processes\r
-packets. Start with the default snort.lua included in the distribution\r
-because that contains some key ingredients. Note that most of the\r
-configurations look like:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>stream = { }</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>This means enable the stream module using internal defaults. To see what\r
-those are, you could run:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort --help-config stream</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Snort is organized into a collection of builtin and plugin modules.\r
-If a module has parameters, it is configured by a Lua table of the same\r
-name. For example, we can see what the active module has to offer with\r
-this command:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$ snort --help-module active</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>What: configure responses</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>Type: basic</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>Configuration:</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>int active.attempts = 0: number of TCP packets sent per response (with\r
-varying sequence numbers) { 0:20 }</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>string active.device: use 'ip' for network layer responses or 'eth0' etc\r
-for link layer</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>string active.dst_mac: use format '01:23:45:67:89:ab'</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>int active.max_responses = 0: maximum number of responses { 0: }</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>int active.min_interval = 255: minimum number of seconds between\r
-responses { 1: }</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>This says active is a basic module that has several parameters. For each,\r
-you will see:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>type module.name = default: help { range }</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>For example, the active module has a max_responses parameter that takes\r
-non-negative integer values and defaults to zero. We can change that in\r
-Lua as follows:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>active = { max_responses = 1 }</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>or:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>active = { }\r
-active.max_responses = 1</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>If we also wanted to limit retries to at least 5 seconds, we could do:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>active = { max_responses = 1, min_interval = 5 }</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_whitelist">Whitelist</h4>\r
-<div class="paragraph"><p>When Snort is run with the --warn-conf-strict option, warnings will be\r
-generated for all Lua tables present in the configuration files that do\r
-not map to Snort module names. Like with other warnings, these will\r
-upgraded to errors when Snort is run in pedantic mode.</p></div>\r
-<div class="paragraph"><p>To dynamically add exceptions that should bypass this strict validation,\r
-two Lua functions are made available to be called during the evaluation\r
-of Snort configuration files: snort_whitelist_append() and\r
-snort_whitelist_add_prefix(). Each function takes a whitespace-delimited\r
-list, the former a list of exact table names and the latter a list of table\r
-name prefixes to allow.</p></div>\r
-<div class="paragraph"><p>Examples:\r
-snort_whitelist_append("table1 table2")\r
-snort_whitelist_add_prefix("local_ foobar_")</p></div>\r
-<div class="paragraph"><p>The accumulated contents of the whitelist (both exact and prefix) will be\r
-dumped when Snort is run in verbose mode (-v).</p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_rules">Rules</h4>\r
-<div class="paragraph"><p>Rules determine what Snort is looking for. They can be put directly in\r
-your Lua configuration file with the ips module, on the command line with\r
---lua, or in external files. Generally you will have many rules obtained\r
-from various sources such as Talos and loading external files is the way to\r
-go so we will summarize that here. Add this to your Lua configuration:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>ips = { include = 'rules.txt' }</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>to load the external rules file named rules.txt. You can only specify\r
-one file this way but rules files can include other rules files with the\r
-include statement. In addition you can load rules like:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$ sort -c snort.lua -R rules.txt</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>You can use both approaches together.</p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_includes">Includes</h4>\r
-<div class="paragraph"><p>Your configuration file file may include other files, either directly via Lua or via\r
-various parameters. Snort will find relative includes in the following order:</p></div>\r
-<div class="olist arabic"><ol class="arabic">\r
-<li>\r
-<p>\r
-If you specify --include-path, this directory will be tried first.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Snort will try the directory containing the including file.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Snort will try the directory containing the -c configuration file.\r
-</p>\r
-</li>\r
-</ol></div>\r
-<div class="paragraph"><p>Some things to keep in mind:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-If you use the Lua dofile function, then you must specify absolute paths\r
- or paths relative to your working directory since Lua will execute the\r
- include before Snort sees the file contents.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-For best results, use include in place of dofile. This function is\r
- provided to follow Snort’s include logic.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-As of now, appid and reputation paths must be absolute or relative to the\r
- working directory. These will be updated in a future release.\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_converting_your_2_x_configuration">Converting Your 2.X Configuration</h4>\r
-<div class="paragraph"><p>If you have a working 2.X configuration snort2lua makes it easy to get up\r
-and running with Snort 3. This tool will convert your configuration and/or\r
-rules files automatically. You will want to clean up the results and\r
-double check that it is doing exactly what you need.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort2lua -c snort.conf</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The above command will generate snort.lua based on your 2.X configuration.\r
-For more information and options for more sophisticated use cases, see the\r
-Snort2Lua section later in the manual.</p></div>\r
-</div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_output">Output</h3>\r
-<div class="paragraph"><p>Snort can produce quite a lot of data. In the following we will summarize\r
-the key aspects of the core output types. Additional data such as from\r
-appid is covered later.</p></div>\r
-<div class="sect3">\r
-<h4 id="_basic_statistics">Basic Statistics</h4>\r
-<div class="paragraph"><p>At shutdown, Snort will output various counts depending on configuration\r
-and the traffic processed. Generally, you may see:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-Packet Statistics - this includes data from the DAQ and decoders such as\r
- the number of packets received and number of UDP packets.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Module Statistics - each module tracks activity via a set of peg counts\r
- that indicate how many times something was observed or performed. This\r
- might include the number of HTTP GET requests processed and the number of\r
- TCP reset packets trimmed.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-File Statistics - look here for a breakdown of file type, bytes,\r
- signatures.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Summary Statistics - this includes total runtime for packet processing\r
- and the packets per second. Profiling data will appear here as well if\r
- configured.\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Note that only the non-zero counts are output. Run this to see the\r
-available counts:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$ snort --help-counts</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_alerts">Alerts</h4>\r
-<div class="paragraph"><p>If you configured rules, you will need to configure alerts to see the\r
-details of detection events. Use the -A option like this:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$ snort -c snort.lua -r a.pcap -A cmg</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>There are many types of alert outputs possible. Here is a brief list:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
--A cmg is the same as -A fast -d -e and will show information about the\r
- alert along with packet headers and payload.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
--A u2 is the same as -A unified2 and will log events and triggering\r
- packets in a binary file that you can feed to other tools for post\r
- processing. Note that Snort 3 does not provide the raw packets for\r
- alerts on PDUs; you will get the actual buffer that alerted.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
--A csv will output various fields in comma separated value format. This\r
- is entirely customizable and very useful for pcap analysis.\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>To see the available alert types, you can run this command:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$ snort --list-plugins | grep logger</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_files_and_paths">Files and Paths</h4>\r
-<div class="paragraph"><p>Note that output is specific to each packet thread. If you run 4 packet\r
-threads with u2 output, you will get 4 different u2 files. The basic\r
-structure is:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code><logdir>/[<run_prefix>][<id#>][<X>]<name></code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>where:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-logdir is set with -l and defaults to ./\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-run_prefix is set with --run-prefix else not used\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-id# is the packet thread number that writes the file; with one packet\r
- thread, id# (zero) is omitted without --id-zero\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-X is / if you use --id-subdir, else _ if id# is used\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-name is based on module name that writes the file\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Additional considerations:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-There is no way to explicitly configure a full path to avoid issues with\r
- multiple packet threads.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-All text mode outputs default to stdout\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_performance_statistics">Performance Statistics</h4>\r
-<div class="paragraph"><p>Still more data is available beyond the above.</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-By configuring the perf_monitor module you can capture a configurable set\r
- of peg counts during runtime. This is useful to feed to an external\r
- program so you can see what is happening without stopping Snort.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-The profiler module allows you to track time and space used by module and\r
- rules. Use this data to tune your system for best performance. The\r
- output will show up under Summary Statistics at shutdown.\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-</div>\r
-</div>\r
-</div>\r
-<div class="sect1">\r
-<h2 id="_concepts">Concepts</h2>\r
-<div class="sectionbody">\r
-<div class="paragraph"><p>This section provides background on essential aspects of Snort’s operation.</p></div>\r
-<div class="sect2">\r
-<h3 id="_terminology">Terminology</h3>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>basic module</strong>: a module integrated into Snort that does not come from a\r
- plugin.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>binder</strong>: inspector that maps configuration to traffic\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>builtin rules</strong>: codec and inspector rules for anomalies detected\r
- internally.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec</strong>: short for coder / decoder. These plugins are used for basic\r
- protocol decoding, anomaly detection, and construction of active responses.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>data module</strong>: an adjunct configuration plugin for use with certain inspectors.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dynamic rules</strong>: plugin rules loaded at runtime. See SO rules.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>fast pattern</strong>: the content in an IPS rule that must be found by the\r
- search engine in order for a rule to be evaluated.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>fast pattern matcher</strong>: see search engine.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>hex</strong>: a type of protocol magic that the wizard uses to identify binary\r
- protocols.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector</strong>: plugin that processes packets (similar to the Snort 2\r
- preprocessor)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>IPS</strong>: intrusion prevention system, like Snort.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>IPS action</strong>: plugin that allows you to perform custom actions when\r
- events are generated. Unlike loggers, these are invoked before\r
- thresholding and can be used to control external agents or send active\r
- responses.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>IPS option</strong>: this plugin is the building blocks of IPS rules.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>logger</strong>: a plugin that performs output of events and packets. Events\r
- are thresholded before reaching loggers.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>module</strong>: the user facing portion of a Snort component. Modules chiefly\r
- provide configuration parameters, but may also provide commands, builtin\r
- rules, profiling statistics, peg counts, etc. Note that not all modules\r
- are plugins and not all plugins have modules.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>peg count</strong>: the number of times a given event or condition occurs.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>plugin</strong>: one of several types of software components that can be loaded\r
- from a dynamic library when Snort starts up. Some plugins are coupled\r
- with the main engine in such a way that they must be built statically,\r
- but a newer version can be loaded dynamically.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>search engine</strong>: a plugin that performs multipattern searching of packets\r
- and payload to find rules that should be evaluated. There are currently\r
- no specific modules, although there are several search engine plugins.\r
- Related configuration is done with the basic detection module. Aka fast\r
- pattern matcher.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>SO rule</strong>: a IPS rule plugin that performs custom detection that can’t\r
- be done by a text rule. These rules typically do not have associated\r
- modules. SO comes from shared object, meaning dynamic library.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>spell</strong>: a type of protocol magic that the wizard uses to identify ASCII\r
- protocols.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>text rule</strong>: a rule loaded from the configuration that has a header and\r
- body. The header specifies action, protocol, source and destination IP\r
- addresses and ports, and direction. The body specifies detection and\r
- non-detection options.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>wizard</strong>: inspector that applies protocol magic to determine which\r
- inspectors should be bound to traffic absent a port specific binding.\r
- See hex and spell.\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_modules">Modules</h3>\r
-<div class="paragraph"><p>Modules are the building blocks of Snort. They encapsulate the types of\r
-data that many components need including parameters, peg counts, profiling,\r
-builtin rules, and commands. This allows Snort to handle them generically\r
-and consistently. You can learn quite a lot about any given module from\r
-the command line. For example, to see what stream_tcp is all about, do\r
-this:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$ snort --help-config stream_tcp</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Modules are configured using Lua tables with the same name. So the\r
-stream_tcp module is configured with defaults like this:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>stream_tcp = { }</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The earlier help output showed that the default session tracking timeout is\r
-30 seconds. To change that to 60 seconds, you can configure it this way:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>stream_tcp = { session_timeout = 60 }</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Or this way:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>stream_tcp = { }\r
-stream_tcp.session_timeout = 60</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>More on parameters is given in the next section.</p></div>\r
-<div class="paragraph"><p>Other things to note about modules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-Shutdown output will show the non-zero peg counts for all modules. For\r
- example, if stream_tcp did anything, you would see the number of sessions\r
- processed among other things.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Providing the builtin rules allows the documentation to include them\r
- automatically and also allows for autogenerating the rules at startup.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Only a few module provide commands at this point, most notably the snort\r
- module.\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_parameters">Parameters</h3>\r
-<div class="paragraph"><p>Parameters are given with this format:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>type name = default: help { range }</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The following types are used:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>addr</strong>: any valid IP4 or IP6 address or CIDR\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>addr_list</strong>: a space separated list of addr values\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>bit_list</strong>: a list of consecutive integer values from 1 to the range\r
- maximum\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>bool</strong>: true or false\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dynamic</strong>: a select type determined by loaded plugins\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>enum</strong>: a string selected from the given range\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>implied</strong>: an IPS rule option that takes no value but means true\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>int</strong>: a whole number in the given range\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>interval</strong>: a set of ints (see below)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ip4</strong>: an IP4 address or CIDR\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>mac</strong>: an ethernet address with the form 01:02:03:04:05:06\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>multi</strong>: one or more space separated strings from the given range\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>port</strong>: an int in the range 0:65535 indicating a TCP or UDP port number\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>real</strong>: a real number in the given range\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>select</strong>: a string selected from the given range\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>string</strong>: any string with no more than the given length, if any\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>The parameter name may be adorned in various ways to indicate additional\r
-information about the type and use of the parameter:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-For Lua configuration (not IPS rules), if the name ends with [] it is\r
- a list item and can be repeated.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-For IPS rules only, names starting with ~ indicate positional\r
- parameters. The names of such parameters do not appear in the rule.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-IPS rules may also have a wild card parameter, which is indicated by a\r
- *. Used for unquoted, comma-separated lists such as service and metadata.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-The snort module has command line options starting with a -.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-$ denotes variable names, eg rule_state.$gid_sid which would be used\r
- like rule_state["1:23456"] = { }.\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Some additional details to note:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-Table and variable names are case sensitive; use lower case only.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-String values are case sensitive too; use lower case only.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Numeric ranges may be of the form low:high where low and high are\r
- bounds included in the range. If either is omitted, there is no hard\r
- bound. E.g. 0: means any x where x >= 0.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Strings may have a numeric range indicating a length limit; otherwise\r
- there is no hard limit.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bit_list is typically used to store a set of byte, port, or VLAN ID\r
- values.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-interval takes the form [operator]i, j<>k, or j<⇒k where i,j,k are\r
- integers and operator is one of =, !, != (same as !), <, ⇐, >, >=.\r
- j<>k means j < int < k and j<⇒k means j ⇐ int ⇐ k.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Ranges may use maxXX like { 1:max32 } since max32 is easier to read\r
- than 4294967295. To get the values of maxXX, use snort --help-limits.\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_plugins">Plugins</h3>\r
-<div class="paragraph"><p>Snort uses a variety of plugins to accomplish much of its processing\r
-objectives, including:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-Codec - to decode and encode packets\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Inspector - like Snort 2 preprocessors, for normalization, etc.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-IpsOption - for detection in Snort rules\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-IpsAction - for custom actions\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Logger - for handling events\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Mpse - for fast pattern matching\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-So - for dynamic rules\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>The power of plugins is that they have a very focused purpose and can be\r
-created with relative ease. For example, you can extend the rule language\r
-by writing your own IpsOption and it will plug in and function just like\r
-existing options. The extra directory has examples of each type of plugin.</p></div>\r
-<div class="paragraph"><p>Most plugins can be built statically or dynamically. By default they are\r
-all static. There is no difference in functionality between static or\r
-dynamic plugins but the dynamic build generates a slightly lighter weight\r
-binary. Either way you can add dynamic plugins with --plugin-path and\r
-newer versions will replace older versions, even when built statically.</p></div>\r
-<div class="paragraph"><p>A single dynamic library may contain more than one plugin. For example, an\r
-inspector will typically be packaged together with any associated rule\r
-options.</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_operation">Operation</h3>\r
-<div class="paragraph"><p>Snort is a signature-based IPS, which means that as it receives network\r
-packets it reassembles and normalizes the content so that a set of rules\r
-can be evaluated to detect the presence of any significant conditions that\r
-merit further action. A rough processing flow is as follows:</p></div>\r
-<div class="imageblock">\r
-<div class="content">\r
-<img src="./snort2x.png" alt="Snort 2" width="480" />\r
-</div>\r
-</div>\r
-<div class="paragraph"><p>The steps are:</p></div>\r
-<div class="olist arabic"><ol class="arabic">\r
-<li>\r
-<p>\r
-Decode each packet to determine the basic network characteristics such\r
-as source and destination addresses and ports. A typical packet might have\r
-ethernet containing IP containing TCP containing HTTP (ie eth:ip:tcp:http).\r
-The various encapsulating protocols are examined for sanity and anomalies\r
-as the packet is decoded. This is essentially a stateless effort.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Preprocess each decoded packet using accumulated state to determine the\r
-purpose and content of the innermost message. This step may involve\r
-reordering and reassembling IP fragments and TCP segments to produce the\r
-original application protocol data unit (PDU). Such PDUs are analyzed and\r
-normalized as needed to support further processing.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Detection is a two step process. For efficiency, most rules contain a\r
-specific content pattern that can be searched for such that if no match is\r
-found no further processing is necessary. Upon start up, the rules are\r
-compiled into pattern groups such that a single, parallel search can be\r
-done for all patterns in the group. If any match is found, the full rule\r
-is examined according to the specifics of the signature.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-The logging step is where Snort saves any pertinent information\r
-resulting from the earlier steps. More generally, this is where other\r
-actions can be taken as well such as blocking the packet.\r
-</p>\r
-</li>\r
-</ol></div>\r
-<div class="sect3">\r
-<h4 id="_snort_2_processing">Snort 2 Processing</h4>\r
-<div class="paragraph"><p>The preprocess step in Snort 2 is highly configurable. Arbitrary\r
-preprocessors can be loaded dynamically at startup, configured in\r
-snort.conf, and then executed at runtime. Basically, the preprocessors are\r
-put into a list which is iterated for each packet. Recent versions have\r
-tweaked the list handling some, but the same basic architecture has allowed\r
-Snort 2 to grow from a sniffer, with no preprocessing, to a full-fledged\r
-IPS, with lots of preprocessing.</p></div>\r
-<div class="paragraph"><p>While this "list of plugins" approach has considerable flexibility, it\r
-hampers future development when the flow of data from one preprocessor to\r
-the next depends on traffic conditions, a common situation with advanced\r
-features like application identification. In this case, a preprocessor\r
-like HTTP may be extracting and normalizing data that ultimately is not\r
-used, or appID may be repeatedly checking for data that is just not\r
-available.</p></div>\r
-<div class="paragraph"><p>Callbacks help break out of the preprocess straitjacket. This is where one\r
-preprocessor supplies another with a function to call when certain data is\r
-available. Snort has started to take this approach to pass some HTTP and\r
-SIP preprocessor data to appID. However, it remains a peripheral feature\r
-and still requires the production of data that may not be consumed.</p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_snort_3_processing">Snort 3 Processing</h4>\r
-<div class="paragraph"><p>One of the goals of Snort 3 is to provide a more flexible framework for\r
-packet processing by implementing an event-driven approach. Another is to\r
-produce data only when needed to minimize expensive normalizations.\r
-However, the basic packet processing provides very similar functionality.</p></div>\r
-<div class="paragraph"><p>The basic processing steps Snort 3 takes are similar to Snort 2 as seen\r
-in the following diagram. The preprocess step employs specific inspector\r
-types instead of a generalized list, but the basic procedure includes\r
-stateless packet decoding, TCP stream reassembly, and service specific\r
-analysis in both cases. (Snort 3 provides hooks for arbitrary inspectors,\r
-but they are not central to basic flow processing and are not shown.)</p></div>\r
-<div class="imageblock">\r
-<div class="content">\r
-<img src="./snort3x.png" alt="Snort 3" width="480" />\r
-</div>\r
-</div>\r
-<div class="paragraph"><p>However, Snort 3 also provides a more flexible mechanism than callback\r
-functions. By using inspection events, it is possible for an inspector to\r
-supply data that other inspectors can process. This is known as the\r
-observer pattern or publish-subscribe pattern.</p></div>\r
-<div class="paragraph"><p>Note that the data is not actually published. Instead, access to the data\r
-is published, and that means that subscribers can access the raw or\r
-normalized version(s) as needed. Normalizations are done only on the first\r
-access, and subsequent accesses get the previously normalized data. This\r
-results in just in time (JIT) processing.</p></div>\r
-<div class="paragraph"><p>A basic example of this in action is provided by the extra data_log plugin.\r
-It is a passive inspector, ie it does nothing until it receives the data it\r
-subscribed for (<em>other</em> in the above diagram). By adding the following to\r
-your snort.lua configuration, you will get a simple URI logger.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>data_log = { key = 'http_raw_uri' }</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Inspection events coupled with pluggable inspectors provide a very flexible\r
-framework for implementing new features. And JIT buffer stuffers allow\r
-Snort to work smarter, not harder. These capabilities will be leveraged\r
-more and more as Snort development continues.</p></div>\r
-</div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_rules_2">Rules</h3>\r
-<div class="paragraph"><p>Rules tell Snort how to detect interesting conditions, such as an attack,\r
-and what to do when the condition is detected. Here is an example rule:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>alert tcp any any -> 192.168.1.1 80 ( msg:"A ha!"; content:"attack"; sid:1; )</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The structure is:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>action proto source dir dest ( body )</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Where:</p></div>\r
-<div class="paragraph"><p>action - tells Snort what to do when a rule "fires", ie when the signature\r
-matches. In this case Snort will log the event. It can also do thing like\r
-block the flow when running inline.</p></div>\r
-<div class="paragraph"><p>proto - tells Snort what protocol applies. This may be ip, icmp, tcp, udp,\r
-http, etc.</p></div>\r
-<div class="paragraph"><p>source - specifies the sending IP address and port, either of which can be\r
-the keyword any, which is a wildcard.</p></div>\r
-<div class="paragraph"><p>dir - must be either unidirectional as above or bidirectional indicated by\r
-<>.</p></div>\r
-<div class="paragraph"><p>dest - similar to source but indicates the receiving end.</p></div>\r
-<div class="paragraph"><p>body - detection and other information contained in parenthesis.</p></div>\r
-<div class="paragraph"><p>There are many rule options available to construct as sophisticated a\r
-signature as needed. In this case we are simply looking for the "attack"\r
-in any TCP packet. A better rule might look like this:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>alert http\r
-(\r
- msg:"Gotcha!";\r
- flow:established, to_server;\r
- http_uri:"attack";\r
- sid:2;\r
-)</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Note that these examples have a sid option, which indicates the signature\r
-ID. In general rules are specified by gid:sid:rev notation, where gid is\r
-the generator ID and rev is the revision of the rule. By default, text\r
-rules are gid 1 and shared-object (SO) rules are gid 3. The various\r
-components within Snort that generate events have 1XX gids, for example the\r
-decoder is gid 116. You can list the internal gids and sids with these\r
-commands:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$ snort --list-gids\r
-$ snort --list-builtin</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>For details on these and other options, see the reference section.</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_pattern_matching">Pattern Matching</h3>\r
-<div class="paragraph"><p>Snort evaluates rules in a two-step process which includes a fast pattern\r
-search and full evaluation of the signature. More details on this process\r
-follow.</p></div>\r
-<div class="sect3">\r
-<h4 id="_rule_groups">Rule Groups</h4>\r
-<div class="paragraph"><p>When Snort starts or reloads configuration, rules are grouped by protocol,\r
-port and service. For example, all TCP rules using the HTTP_PORTS variable\r
-will go in one group and all service HTTP rules will go in another group.\r
-These rule groups are compiled into multipattern search engines (MPSE)\r
-which are designed to search for all patterns with just a single pass\r
-through a given packet or buffer. You can select the algorithm to use for\r
-fast pattern searches with search_engine.search_method which defaults to\r
-<em>ac_bnfa</em>, which balances speed and memory. For a faster search at the\r
-expense of significantly more memory, use <em>ac_full</em>. For best performance\r
-and reasonable memory, download the hyperscan source from Intel.</p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_fast_patterns">Fast Patterns</h4>\r
-<div class="paragraph"><p>Fast patterns are content strings that have the fast_pattern option or\r
-which have been selected by Snort automatically to be used as a fast\r
-pattern. Snort will by default choose the longest pattern in the rule\r
-since that is likely to be most unique. That is not always the case so add\r
-fast_pattern to the appropriate content option for best performance. The\r
-ideal fast pattern is one which, if found, is very likely to result in a\r
-rule match. Fast patterns that match frequently for unrelated traffic will\r
-cause Snort to work hard with little to show for it.</p></div>\r
-<div class="paragraph"><p>Certain contents are not eligible to be used as fast patterns.\r
-Specifically, if a content is negated, then if it is also relative to\r
-another content, case sensitive, or has non-zero offset or depth, then it\r
-is not eligible to be used as a fast pattern.</p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_rule_evaluation">Rule Evaluation</h4>\r
-<div class="paragraph"><p>For each fast pattern match, the corresponding rule(s) are evaluated\r
-left-to-right. Rule evaluation requires checking each detection option in\r
-a rule and is a fairly costly process which is why fast patterns are so\r
-important. Rule evaluation aborts on the first non-matching option.</p></div>\r
-<div class="paragraph"><p>When rule evaluation takes place, the fast pattern match will automatically\r
-be skipped if possible. Note that this differs from Snort 2 which provided\r
-the fast_pattern:only option to designate such cases. This is one less\r
-thing for the rule writer to worry about.</p></div>\r
-</div>\r
-</div>\r
-</div>\r
-</div>\r
-<div class="sect1">\r
-<h2 id="_tutorial">Tutorial</h2>\r
-<div class="sectionbody">\r
-<div class="paragraph"><p>The section will walk you through building and running Snort. It is not\r
-exhaustive but, once you master this material, you should be able to figure\r
-out more advanced usage.</p></div>\r
-<div class="sect2">\r
-<h3 id="_dependencies">Dependencies</h3>\r
-<div class="paragraph"><p>Required:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-a compiler that supports the C++14 feature set\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-cmake to build from source\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-daq from <a href="https://github.com/snort3/libdaq">https://github.com/snort3/libdaq</a> for packet IO\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-dnet from <a href="https://github.com/dugsong/libdnet.git">https://github.com/dugsong/libdnet.git</a> for network utility\r
- functions\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-hwloc from <a href="https://www.open-mpi.org/projects/hwloc/">https://www.open-mpi.org/projects/hwloc/</a> for CPU affinity\r
- management\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-LuaJIT from <a href="http://luajit.org">http://luajit.org</a> for configuration and scripting\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-OpenSSL from <a href="https://www.openssl.org/source/">https://www.openssl.org/source/</a> for SHA and MD5 file signatures,\r
- the protected_content rule option, and SSL service detection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-pcap from <a href="http://www.tcpdump.org">http://www.tcpdump.org</a> for tcpdump style logging\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-pcre from <a href="http://www.pcre.org">http://www.pcre.org</a> for regular expression pattern matching\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-pkgconfig from <a href="https://www.freedesktop.org/wiki/Software/pkg-config/">https://www.freedesktop.org/wiki/Software/pkg-config/</a> to locate\r
- build dependencies\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-zlib from <a href="http://www.zlib.net">http://www.zlib.net</a> for decompression (>= 1.2.8 recommended)\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Optional:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-asciidoc from <a href="http://www.methods.co.nz/asciidoc/">http://www.methods.co.nz/asciidoc/</a> to build the HTML\r
- manual\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-cpputest from <a href="http://cpputest.github.io">http://cpputest.github.io</a> to run additional unit tests with\r
- make check\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-dblatex from <a href="http://dblatex.sourceforge.net">http://dblatex.sourceforge.net</a> to build the pdf manual (in\r
- addition to asciidoc)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-flatbuffers from <a href="https://google.github.io/flatbuffers/">https://google.github.io/flatbuffers/</a> for enabling the\r
- flatbuffers serialization format\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-hyperscan >= 4.4.0 from <a href="https://github.com/01org/hyperscan">https://github.com/01org/hyperscan</a> to build new\r
- the regex and sd_pattern rule options and hyperscan search engine.\r
- Hyperscan is large so it recommended to follow their instructions for\r
- building it as a shared library.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-iconv from <a href="https://ftp.gnu.org/pub/gnu/libiconv/">https://ftp.gnu.org/pub/gnu/libiconv/</a> for converting\r
- UTF16-LE filenames to UTF8 (usually included in glibc)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-libunwind from <a href="https://www.nongnu.org/libunwind/">https://www.nongnu.org/libunwind/</a> to attempt to dump a\r
- somewhat readable backtrace when a fatal signal is received\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-lzma >= 5.1.2 from <a href="http://tukaani.org/xz/">http://tukaani.org/xz/</a> for decompression of SWF and\r
- PDF files\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-safec >= 3.5 from <a href="https://github.com/rurban/safeclib/">https://github.com/rurban/safeclib/</a> for runtime bounds\r
- checks on certain legacy C-library calls\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-source-highlight from <a href="http://www.gnu.org/software/src-highlite/">http://www.gnu.org/software/src-highlite/</a> to\r
- generate the dev guide\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-w3m from <a href="http://sourceforge.net/projects/w3m/">http://sourceforge.net/projects/w3m/</a> to build the plain text\r
- manual\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-uuid from uuid-dev package for unique identifiers\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_building">Building</h3>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-Optionally built features are listed in the reference section.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Create an install path:\r
-</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>export my_path=/path/to/snorty\r
-mkdir -p $my_path</code></pre>\r
-</div></div>\r
-</li>\r
-<li>\r
-<p>\r
-If LibDAQ was installed to a custom, non-system path:\r
-</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>export PKG_CONFIG_PATH=/libdaq/install/path/lib/pkgconfig:$PKG_CONFIG_PATH</code></pre>\r
-</div></div>\r
-</li>\r
-<li>\r
-<p>\r
-Now do one of the following:\r
-</p>\r
-<div class="olist loweralpha"><ol class="loweralpha">\r
-<li>\r
-<p>\r
-To build with cmake and make, run configure_cmake.sh. It will\r
- automatically create and populate a new subdirectory named <em>build</em>.\r
-</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>./configure_cmake.sh --prefix=$my_path\r
-cd build\r
-make -j\r
-make install\r
-ln -s $my_path/conf $my_path/etc</code></pre>\r
-</div></div>\r
-</li>\r
-<li>\r
-<p>\r
-You can also specify a cmake project generator:\r
-</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>./configure_cmake.sh --generator=Xcode --prefix=$my_path</code></pre>\r
-</div></div>\r
-</li>\r
-<li>\r
-<p>\r
-Or use ccmake directly to configure and generate from an arbitrary build\r
- directory like one of these:\r
-</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>ccmake -G Xcode /path/to/Snort++/tree\r
-open snort.xcodeproj</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>ccmake -G "Eclipse CDT4 - Unix Makefiles" /path/to/Snort++/tree\r
-run eclipse and do File > Import > Existing Eclipse Project</code></pre>\r
-</div></div>\r
-</li>\r
-</ol></div>\r
-</li>\r
-<li>\r
-<p>\r
-To build with g++ on OS X where clang is installed, do this first:\r
-</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>export CXX=g++</code></pre>\r
-</div></div>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_running">Running</h3>\r
-<div class="paragraph"><p>Examples:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-Get some help:\r
-</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$my_path/bin/snort --help\r
-$my_path/bin/snort --help-module suppress\r
-$my_path/bin/snort --help-config | grep thread</code></pre>\r
-</div></div>\r
-</li>\r
-<li>\r
-<p>\r
-Examine and dump a pcap:\r
-</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$my_path/bin/snort -r <pcap>\r
-$my_path/bin/snort -L dump -d -e -q -r <pcap></code></pre>\r
-</div></div>\r
-</li>\r
-<li>\r
-<p>\r
-Verify config, with or w/o rules:\r
-</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$my_path/bin/snort -c $my_path/etc/snort/snort.lua\r
-$my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules</code></pre>\r
-</div></div>\r
-</li>\r
-<li>\r
-<p>\r
-Run IDS mode. To keep it brief, look at the first n packets in each file:\r
-</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \\r
- -r <pcap> -A alert_test -n 100000</code></pre>\r
-</div></div>\r
-</li>\r
-<li>\r
-<p>\r
-Let’s suppress 1:2123. We could edit the conf or just do this:\r
-</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \\r
- -r <pcap> -A alert_test -n 100000 --lua "suppress = { { gid = 1, sid = 2123 } }"</code></pre>\r
-</div></div>\r
-</li>\r
-<li>\r
-<p>\r
-Go whole hog on a directory with multiple packet threads:\r
-</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \\r
- --pcap-filter \*.pcap --pcap-dir <dir> -A alert_fast -n 1000 --max-packet-threads 8</code></pre>\r
-</div></div>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>For more examples, see the usage section.</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_tips">Tips</h3>\r
-<div class="paragraph"><p>One of the goals of Snort 3 is to make it easier to configure your sensor.\r
-Here is a summary of tips and tricks you may find useful.</p></div>\r
-<div class="paragraph"><p>General Use</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-Snort tries hard not to error out too quickly. It will report multiple\r
- semantic errors.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Snort always assumes the simplest mode of operation. Eg, you can omit the -T\r
- option to validate the conf if you don’t provide a packet source.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Warnings are not emitted unless --warn-* is specified. --warn-all enables all\r
- warnings, and --pedantic makes such warnings fatal.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-You can process multiple sources at one time by using the -z or --max-threads\r
- option.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-To make it easy to find the important data, zero counts are not output at\r
- shutdown.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Load plugins from the command line with --plugin-path /path/to/install/lib.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-You can process multiple sources at one time by using the -z or\r
- --max-threads option.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Unit tests are configured with --enable-unit-tests. They can then be run\r
- with snort --catch-test [tags]|all.\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Lua Configuration</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-Configure the wizard and default bindings will be created based on configured\r
- inspectors. No need to explicitly bind ports in this case.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-You can override or add to your Lua conf with the --lua command line option.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-The Lua conf is a live script that is executed when loaded. You can add\r
- functions, grab environment variables, compute values, etc.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-You can also rename symbols that you want to disable. For example,\r
- changing normalizer to Xnormalizer (an unknown symbol) will disable the\r
- normalizer. This can be easier than commenting in some cases.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-By default, symbols unknown to Snort are silently ignored. You can\r
- generate warnings for them with --warn-unknown. To ignore such symbols,\r
- export them in the environment variable SNORT_IGNORE.\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Writing and Loading Rules</p></div>\r
-<div class="paragraph"><p>Snort rules allow arbitrary whitespace. Multi-line rules make it easier to\r
-structure your rule for clarity. There are multiple ways to add comments to\r
-your rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-The # character starts a comment to end of line. In addition, all lines\r
- between #begin and #end are comments.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-The rem option allows you to write a comment that is conveyed with the rule.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-C style multi-line comments are allowed, which means you can comment out\r
- portions of a rule while testing it out by putting the options between /* and\r
- */.\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>There are multiple ways to load rules too:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-Set ips.rules or ips.include.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-include statements can be used in rules files.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Use -R to load a rules file.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Use --stdin-rules with command line redirection.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Use --lua to specify one or more rules as a command line argument.\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Output Files</p></div>\r
-<div class="paragraph"><p>To make it simple to configure outputs when you run with multiple packet\r
-threads, output files are not explicitly configured. Instead, you can use the\r
-options below to format the paths:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code><logdir>/[<run_prefix>][<id#>][<X>]<name></code></pre>\r
-</div></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-logdir is set with -l and defaults to ./\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-run_prefix is set with --run-prefix else not used\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-id# is the packet thread number that writes the file; with one packet thread,\r
- id# (zero) is omitted without --id-zero\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-X is / if you use --id-subdir, else _ if id# is used\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-name is based on module name that writes the file\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-all text mode outputs default to stdout\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_help">Help</h3>\r
-<div class="listingblock">\r
-<div class="content">\r
-<pre><code>Snort has several options to get more help:\r
-\r
--? list command line options (same as --help)\r
---help this overview of help\r
---help-commands [<module prefix>] output matching commands\r
---help-config [<module prefix>] output matching config options\r
---help-counts [<module prefix>] output matching peg counts\r
---help-limits print the int upper bounds denoted by max*\r
---help-module <module> output description of given module\r
---help-modules list all available modules with brief help\r
---help-plugins list all available plugins with brief help\r
---help-options [<option prefix>] output matching command line options\r
---help-signals dump available control signals\r
---list-buffers output available inspection buffers\r
---list-builtin [<module prefix>] output matching builtin rules\r
---list-gids [<module prefix>] output matching generators\r
---list-modules [<module type>] list all known modules\r
---list-plugins list all known modules\r
---show-plugins list module and plugin versions\r
-\r
---help* and --list* options preempt other processing so should be last on the\r
-command line since any following options are ignored. To ensure options like\r
---markup and --plugin-path take effect, place them ahead of the help or list\r
-options.\r
-\r
-Options that filter output based on a matching prefix, such as --help-config\r
-won't output anything if there is no match. If no prefix is given, everything\r
-matches.\r
-\r
-Report bugs to bugs@snort.org.</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_common_errors">Common Errors</h3>\r
-<div class="paragraph"><p><em>PANIC: unprotected error in call to Lua API (cannot open\r
-snort_defaults.lua: No such file or directory)</em></p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-export SNORT_LUA_PATH to point to any dofiles\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p><em>ERROR can’t find xyz</em></p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-if xyz is the name of a module, make sure you are not assigning a scalar\r
- where a table is required (e.g. xyz = 2 should be xyz = { }).\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p><em>ERROR can’t find x.y</em></p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-module x does not have a parameter named y. check --help-module x for\r
- available parameters.\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p><em>ERROR invalid x.y = z</em></p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-the value z is out of range for x.y. check --help-config x.y for the range\r
- allowed.\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p><em>ERROR: x = { y = z } is in conf but is not being applied</em></p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-make sure that x = { } isn’t set later because it will override the\r
- earlier setting. same for x.y.\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p><em>FATAL: can’t load lua/errors.lua: lua/errors.lua:68: <em>=</em> expected near\r
-';'</em></p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-this is a syntax error reported by Lua to Snort on line 68 of errors.lua.\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p><em>ERROR: rules(2) unknown rule keyword: find.</em></p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-this was due to not including the --script-path.\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p><em>WARNING: unknown symbol x</em></p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-if you any variables, you can squelch such warnings by setting them in\r
- an environment variable SNORT_IGNORE. to ignore x, y, and z:\r
-</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>export SNORT_IGNORE="x y z"</code></pre>\r
-</div></div>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_gotchas">Gotchas</h3>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-A nil key in a table will not be caught. Neither will a nil value in a\r
- table. Neither of the following will cause errors, nor will they\r
- actually set http_inspect.request_depth:\r
-</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>http_inspect = { request_depth }\r
-http_inspect = { request_depth = undefined_symbol }</code></pre>\r
-</div></div>\r
-</li>\r
-<li>\r
-<p>\r
-It is not an error to set a value multiple times. The actual value\r
- applied may not be the last in the table either. It is best to avoid\r
- such cases.\r
-</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>http_inspect =\r
-{\r
- request_depth = 1234,\r
- request_depth = 4321\r
-}</code></pre>\r
-</div></div>\r
-</li>\r
-<li>\r
-<p>\r
-Snort can’t tell you the exact filename or line number of a semantic\r
- error but it will tell you the fully qualified name.\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_known_issues">Known Issues</h3>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-The dump DAQ will not work with multiple threads unless you use --daq-var\r
- output=none. This will be fixed at some point to use the Snort log\r
- directory, etc.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-If you build with hyperscan on OS X and see:\r
-</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>dyld: Library not loaded: @rpath/libhs.4.0.dylib</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>when you try to run src/snort, export DYLD_LIBRARY_PATH with the path to\r
-libhs. You can also do:</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>install_name_tool -change @rpath/libhs.4.0.dylib \\r
- /path-to/libhs.4.0.dylib src/snort</code></pre>\r
-</div></div>\r
-</li>\r
-<li>\r
-<p>\r
-Snort built with tcmalloc support (--enable-tcmalloc) on Ubuntu 17.04/18.04\r
- crashes immediately.\r
-</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>Workaround:\r
-Uninstall gperftools 2.5 provided by the distribution and install gperftools\r
-2.7 before building Snort.</code></pre>\r
-</div></div>\r
-</li>\r
-</ul></div>\r
-</div>\r
-</div>\r
-</div>\r
-<div class="sect1">\r
-<h2 id="_usage">Usage</h2>\r
-<div class="sectionbody">\r
-<div class="paragraph"><p>For the following examples "$my_path" is assumed to be the path to the\r
-Snort install directory. Additionally, it is assumed that "$my_path/bin"\r
-is in your PATH.</p></div>\r
-<div class="sect2">\r
-<h3 id="_help_2">Help</h3>\r
-<div class="paragraph"><p>Print the help summary:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort --help</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Get help on a specific module ("stream", for example):</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort --help-module stream</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Get help on the "-A" command line option:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort --help-options A</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Grep for help on threads:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort --help-config | grep thread</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Output help on "rule" options in AsciiDoc format:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort --markup --help-options rule</code></pre>\r
-</div></div>\r
-<div class="admonitionblock">\r
-<table><tr>\r
-<td class="icon">\r
-<img src="./images/icons/note.png" alt="Note" />\r
-</td>\r
-<td class="content">Snort stops reading command-line options after the "--help-<strong>" and\r
-"--list-</strong>" options, so any other options should be placed before them.</td>\r
-</tr></table>\r
-</div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_sniffing_and_logging">Sniffing and Logging</h3>\r
-<div class="paragraph"><p>Read a pcap:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -r /path/to/my.pcap</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Dump the packets to stdout:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -r /path/to/my.pcap -L dump</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Dump packets with application data and layer 2 headers</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -r /path/to/my.pcap -L dump -d -e</code></pre>\r
-</div></div>\r
-<div class="admonitionblock">\r
-<table><tr>\r
-<td class="icon">\r
-<img src="./images/icons/note.png" alt="Note" />\r
-</td>\r
-<td class="content">Command line options must be specified separately. "snort -de" won’t\r
-work. You can still concatenate options and their arguments, however, so\r
-"snort -Ldump" will work.</td>\r
-</tr></table>\r
-</div>\r
-<div class="paragraph"><p>Dump packets from all pcaps in a directory:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap' -L dump -d -e</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Log packets to a directory:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap' -L dump -l /path/to/log/dir</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_configuration_2">Configuration</h3>\r
-<div class="paragraph"><p>Validate a configuration file:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Validate a configuration file and a separate rules file:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Read rules from stdin and validate:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua --stdin-rules < $my_path/etc/snort/sample.rules</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Enable warnings for Lua configurations and make warnings fatal:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua --warn-all --pedantic</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Tell Snort where to look for additional Lua scripts:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort --script-path /path/to/script/dir</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_ids_mode">IDS mode</h3>\r
-<div class="paragraph"><p>Run Snort in IDS mode, reading packets from a pcap:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Log any generated alerts to the console using the "-A" option:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A alert_full</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Capture separate stdout, stderr, and stdlog files (out has startup and\r
-shutdown output, err has warnings and errors, and log has alerts):</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A csv \\r
- 1>out 2>err 3>log</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Add or modify a configuration from the command line using the "--lua" option:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A cmg \\r
- --lua 'ips = { enable_builtin_rules = true }'</code></pre>\r
-</div></div>\r
-<div class="admonitionblock">\r
-<table><tr>\r
-<td class="icon">\r
-<img src="./images/icons/note.png" alt="Note" />\r
-</td>\r
-<td class="content">The "--lua" option can be specified multiple times.</td>\r
-</tr></table>\r
-</div>\r
-<div class="paragraph"><p>Run Snort in IDS mode on an entire directory of pcaps, processing each\r
-input source on a separate thread:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua --pcap-dir /path/to/pcap/dir \\r
- --pcap-filter '*.pcap' --max-packet-threads 8</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Run Snort on 2 interfaces, eth0 and eth1:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua -i "eth0 eth1" -z 2 -A cmg</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Run Snort inline with the afpacket DAQ:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua --daq afpacket -i "eth0:eth1" \\r
- -A cmg</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_plugins_2">Plugins</h3>\r
-<div class="paragraph"><p>Load external plugins and use the "ex" alert:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua \\r
- --plugin-path $my_path/lib/snort_extra \\r
- -A alert_ex -r /path/to/my.pcap</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Test the LuaJIT rule option <em>find</em> loaded from stdin:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua \\r
- --script-path $my_path/lib/snort_extra \\r
- --stdin-rules -A cmg -r /path/to/my.pcap << END\r
-alert tcp any any -> any 80 (\r
- sid:3; msg:"found"; content:"GET";\r
- find:"pat='HTTP/1%.%d'" ; )\r
-END</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_output_files">Output Files</h3>\r
-<div class="paragraph"><p>To make it simple to configure outputs when you run with multiple packet\r
-threads, output files are not explicitly configured. Instead, you can use\r
-the options below to format the paths:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code><logdir>/[<run_prefix>][<id#>][<X>]<name></code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Log to unified in the current directory:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A unified2</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Log to unified in the current directory with a different prefix:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A unified2 \\r
- --run-prefix take2</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Log to unified in /tmp:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A unified2 -l /tmp</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Run 4 packet threads and log with thread number prefix (0-3):</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua --pcap-dir /path/to/pcap/dir \\r
- --pcap-filter '*.pcap' -z 4 -A unified2</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Run 4 packet threads and log in thread number subdirs (0-3):</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua --pcap-dir /path/to/pcap/dir \\r
- --pcap-filter '*.pcap' -z 4 -A unified2 --id-subdir</code></pre>\r
-</div></div>\r
-<div class="admonitionblock">\r
-<table><tr>\r
-<td class="icon">\r
-<img src="./images/icons/note.png" alt="Note" />\r
-</td>\r
-<td class="content">subdirectories are created automatically if required. Log filename\r
-is based on module name that writes the file. All text mode outputs\r
-default to stdout. These options can be combined.</td>\r
-</tr></table>\r
-</div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_daq_alternatives">DAQ Alternatives</h3>\r
-<div class="paragraph"><p>Process hext packets from stdin:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua \\r
- --daq-dir $my_path/lib/snort/daqs --daq hext -i tty << END\r
-$packet 10.1.2.3 48620 -> 10.9.8.7 80\r
-"GET / HTTP/1.1\r\n"\r
-"Host: localhost\r\n"\r
-"\r\n"\r
-END</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Process raw ethernet from hext file:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua \\r
- --daq-dir $my_path/lib/snort/daqs --daq hext \\r
- --daq-var dlt=1 -r <hext-file></code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Process a directory of plain files (ie non-pcap) with 4 threads with 8K\r
-buffers:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua \\r
- --daq-dir $my_path/lib/snort/daqs --daq file \\r
- --pcap-dir path/to/files -z 4 -s 8192</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Bridge two TCP connections on port 8000 and inspect the traffic:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua \\r
- --daq-dir $my_path/lib/snort/daqs --daq socket</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_logger_alternatives">Logger Alternatives</h3>\r
-<div class="paragraph"><p>Dump TCP stream payload in hext mode:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua -L hext</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Output timestamp, pkt_num, proto, pkt_gen, dgm_len, dir, src_ap, dst_ap,\r
-rule, action for each alert:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua -A csv</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Output the old test format alerts:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort -c $my_path/etc/snort/snort.lua \\r
- --lua "alert_csv = { fields = 'pkt_num gid sid rev', separator = '\t' }"</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_shell">Shell</h3>\r
-<div class="paragraph"><p>You must build with --enable-shell to make the command line shell available.</p></div>\r
-<div class="paragraph"><p>Enable shell mode:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort --shell <args></code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>You will see the shell mode command prompt, which looks like this:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>o")~</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>(The prompt can be changed with the SNORT_PROMPT environment variable.)</p></div>\r
-<div class="paragraph"><p>You can pause immediately after loading the configuration and again before\r
-exiting with:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort --shell --pause <args></code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>In that case you must issue the resume() command to continue. Enter quit()\r
-to terminate Snort or detach() to exit the shell. You can list the\r
-available commands with help().</p></div>\r
-<div class="paragraph"><p>To enable local telnet access on port 12345:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort --shell -j 12345 <args></code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The command line interface is still under development. Suggestions are\r
-welcome.</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_signals">Signals</h3>\r
-<div class="admonitionblock">\r
-<table><tr>\r
-<td class="icon">\r
-<img src="./images/icons/note.png" alt="Note" />\r
-</td>\r
-<td class="content">The following examples assume that Snort is currently running and has\r
-a process ID of <pid>.</td>\r
-</tr></table>\r
-</div>\r
-<div class="paragraph"><p>Modify and Reload Configuration:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>echo 'suppress = { { gid = 1, sid = 2215 } }' >> $my_path/etc/snort/snort.lua\r
-kill -hup <pid></code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Dump stats to stdout:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>kill -usr1 <pid></code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Shutdown normally:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>kill -term <pid></code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Exit without flushing packets:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>kill -quit <pid></code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>List available signals:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort --help-signals</code></pre>\r
-</div></div>\r
-<div class="admonitionblock">\r
-<table><tr>\r
-<td class="icon">\r
-<img src="./images/icons/note.png" alt="Note" />\r
-</td>\r
-<td class="content">The available signals may vary from platform to platform.</td>\r
-</tr></table>\r
-</div>\r
-</div>\r
-</div>\r
-</div>\r
-<div class="sect1">\r
-<h2 id="_features">Features</h2>\r
-<div class="sectionbody">\r
-<div class="paragraph"><p>This section explains how to use key features of Snort.</p></div>\r
-<div class="sect2">\r
-<h3 id="_active_response">Active Response</h3>\r
-<div class="paragraph"><p>Snort can take more active role in securing network by sending active\r
-responses to shutdown offending sessions. When active responses is\r
-enabled, snort will send TCP RST or ICMP unreachable when dropping a\r
-session.</p></div>\r
-<div class="sect3">\r
-<h4 id="_changes_from_snort_2_9">Changes from Snort 2.9</h4>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-stream5_global:max_active_responses and min_response_seconds are now\r
-active.max_responses and active.min_interval.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Response actions were removed from IPS rule body to the rule action\r
-in the header. This includes react, reject, and rewrite (split out of\r
-replace which now just does the detection part). These IPS actions are\r
-plugins.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-drop and block are synonymous in Snort 2.9 but in Snort 3.0 drop means\r
-don’t forward the current packet only whereas block means don’t forward\r
-this or any following packet on the flow.\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_configure_active">Configure Active</h4>\r
-<div class="paragraph"><p>Active response is enabled by configuring one of following IPS action\r
-plugins:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>react = { }\r
-reject = { }\r
-rewrite = { }</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Active responses will be performed for reject, react or rewrite IPS rule\r
-actions, and response packets are encoded based on the triggering packet.\r
-TTL will be set to the value captured at session pickup.</p></div>\r
-<div class="paragraph"><p>Configure the number of attempts to land a TCP RST within the session’s\r
-current window (so that it is accepted by the receiving TCP). This\r
-sequence "strafing" is really only useful in passive mode. In inline mode\r
-the reset is put straight into the stream in lieu of the triggering packet\r
-so strafing is not necessary.</p></div>\r
-<div class="paragraph"><p>Each attempt (sent in rapid succession) has a different sequence number.\r
-Each active response will actually cause this number of TCP resets to be\r
-sent. TCP data is multiplied similarly. At most 1 ICMP unreachable is sent,\r
-iff attempts > 0.</p></div>\r
-<div class="paragraph"><p>Device IP will perform network layer injection. It is probably a better\r
-choice to specify an interface and avoid kernel routing tables, etc.</p></div>\r
-<div class="paragraph"><p>dst_mac will change response destination MAC address, if the device is\r
-eth0, eth1, eth2 etc. Otherwise, response destination MAC address is\r
-derived from packet.</p></div>\r
-<div class="paragraph"><p>Example:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>active =\r
-{\r
- attempts = 2,\r
- device = "eth0",\r
- dst_mac = "00:06:76:DD:5F:E3",\r
-}</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_reject">Reject</h4>\r
-<div class="paragraph"><p>IPS action reject perform active response to shutdown hostile network\r
-session by injecting TCP resets (TCP connections) or ICMP unreachable\r
-packets.</p></div>\r
-<div class="paragraph"><p>Example:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>reject = { reset = "both", control = "all" }</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>local_rules =\r
-[[\r
-reject tcp ( msg:"hostile connection"; flow:established, to_server;\r
-content:"HACK!"; sid:1; )\r
-]]</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>ips =\r
-{\r
- rules = local_rules,\r
-}</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_react">React</h4>\r
-<div class="paragraph"><p>IPS action react enables sending an HTML page on a session and then\r
-resetting it.</p></div>\r
-<div class="paragraph"><p>The page to be sent can be read from a file:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>react = { page = "customized_block_page.html", }</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>or else the default is used:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code><default_page> ::= \\r
- "HTTP/1.1 403 Forbidden\r\n"\r
- "Connection: close\r\n"\r
- "Content-Type: text/html; charset=utf-8\r\n"\r
- "\r\n"\r
- "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.1//EN\"\r\n" \\r
- " \"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd\">\r\n" \\r
- "<html xmlns=\"http://www.w3.org/1999/xhtml\"\r
- xml:lang=\"en\">\r\n" \\r
- "<head>\r\n" \\r
- "<meta http-equiv=\"Content-Type\" content=\"text/html;\r
- charset=UTF-8\" />\r\n" \\r
- "<title>Access Denied</title>\r\n" \\r
- "</head>\r\n" \\r
- "<body>\r\n" \\r
- "<h1>Access Denied</h1>\r\n" \\r
- "<p>%s</p>\r\n" \\r
- "</body>\r\n" \\r
- "</html>\r\n";</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Note that the file must contain the entire response, including any HTTP\r
-headers. In fact, the response isn’t strictly limited to HTTP. You could\r
-craft a binary payload of arbitrary content.</p></div>\r
-<div class="paragraph"><p>When the rule is configured, the page is loaded and the %s is replaced\r
-with the selected message, which defaults to:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>"You are attempting to access a forbidden site.<br />" \\r
-"Consult your system administrator for details."</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Additional formatting operators beyond a single %s are prohibited,\r
-including %d, %x, %s, as well as any URL encodings such as as %20 (space)\r
-that may be within a reference URL.</p></div>\r
-<div class="paragraph"><p>Example:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>react = { page = "my_block_page.html" }</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>local_rules =\r
-[[\r
-react http ( msg:"Unauthorized Access Prohibited!"; flow:established,\r
-to_server; http_method; content:"GET"; sid:1; )\r
-]]</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>ips =\r
-{\r
- rules = local_rules,\r
-}</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_rewrite">Rewrite</h4>\r
-<div class="paragraph"><p>IPS action rewrite enables overwrite packet contents based on "replace"\r
-option in the rules.</p></div>\r
-<div class="paragraph"><p>For example:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>rewrite = { }\r
-local_rules =\r
-[[\r
-rewrite tcp 10.1.1.87 any -> 10.1.1.0/24 80\r
-(\r
- sid:1000002;\r
- msg:"test replace rule";\r
- content:"index.php", nocase;\r
- replace:"indax.php";\r
-)\r
-]]</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>ips =\r
-{\r
- rules = local_rules,\r
-}</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>this rule replaces "index.php" with "indax.php", and rewrite action\r
-updates that packet.</p></div>\r
-<div class="paragraph"><p>to enable rewrite action:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>rewrite = { }</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>the replace operation can be disabled by changing the configuration:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>rewrite = { disable_replace = true }</code></pre>\r
-</div></div>\r
-</div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_appid">AppId</h3>\r
-<div class="paragraph"><p>Network administrators need application awareness in order to fine tune\r
-their management of the ever-growing number of applications passing traffic\r
-over the network. Application awareness allows an administrator to create\r
-rules for applications as needed by the business. The rules can be used to\r
-take action based on the application, such as block, allow or alert.</p></div>\r
-<div class="sect3">\r
-<h4 id="_overview_2">Overview</h4>\r
-<div class="paragraph"><p>The AppId inspector provides an application level view when managing\r
-networks by providing the following features:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-Network control: The inspector works with Snort rules by providing a set of\r
- application identifiers (AppIds) to Snort rule writers.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Application usage awareness: The inspector outputs statistics to show\r
- how many times applications are being used on the network.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Custom applications: Administrators can create their own application\r
- detectors to detect new applications. The detectors are written in Lua\r
- and interface with Snort using a well-defined C-Lua API.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Open Detector Package (ODP): A set of pre-defined application detectors are\r
- provided by the Snort team and can be downloaded from snort.org.\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_dependency_requirements">Dependency Requirements</h4>\r
-<div class="paragraph"><p>For proper functioning of the AppId inspector, at a minimum stream flow\r
-tracking must be enabled. In addition, to identify TCP-based or UDP-based\r
-applications then the appropriate stream inspector must be enabled, e.g.\r
-stream_tcp or stream_udp.</p></div>\r
-<div class="paragraph"><p>In addition, in order to identify HTTP-based applications, the HTTP\r
-inspector must be enabled. Otherwise, only non-HTTP applications will be\r
-identified.</p></div>\r
-<div class="paragraph"><p>AppId subscribes to the inspection events published by other inspectors,\r
-such as the HTTP and SSL inspectors, to gain access to the data needed. It\r
-uses that data to help determine the application ID.</p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_configuration_3">Configuration</h4>\r
-<div class="paragraph"><p>The AppId feature can be enabled via configuration. To enable it with the\r
-default settings use:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>appid = { }</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>To use an AppId as a matching parameter in an IPS rule, use the <em>appids</em>\r
-keyword. For example, to block HTTP traffic that contains a specific header:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>block tcp any any -> 192.168.0.1 any ( msg:"Block Malicious HTTP header";\r
- appids:"HTTP"; content:"X-Header: malicious"; sid:18000; )</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Alternatively, the HTTP application can be specified in place of <em>tcp</em> instead\r
-of using the <em>appids</em> keyword. The AppId inspector will set the service when\r
-it is discovered so it can be used in IPS rules like this. Note that this rule\r
-also does not specify the IPs or ports which default to <em>any</em>.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>block http ( msg:"Block Malicious HTTP header";\r
- content:"X-Header: malicious"; sid:18000; )</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>It’s possible to specify multiple applications (as many as desired) with\r
-the appids keyword. A rule is considered a match if any of the applications\r
-on the rule match. Note that this rule does not match specific content which\r
-will reduce performance.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>alert tcp any any -> 192.168.0.1 any ( msg:"Alert ";\r
- appids:"telnet,ssh,smtp,http";</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Below is a minimal Snort configuration that is sufficient to block flows\r
-based on a specific HTTP header:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>stream = { }</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>stream_tcp = { }</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>binder =\r
-{\r
- {\r
- when =\r
- {\r
- proto = 'tcp',\r
- ports = [[ 80 8080 ]],\r
- },\r
- use =\r
- {\r
- type = 'http_inspect',\r
- },\r
- },\r
-}</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>http_inspect = { }</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>appid = { }</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>local_rules =\r
-[[\r
-block http ( msg:"openAppId: test content match for app http";\r
-content:"X-Header: malicious"; sid:18760; rev:4; )\r
-]]</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>ips =\r
-{\r
- rules = local_rules,\r
-}</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_session_application_identifiers">Session Application Identifiers</h4>\r
-<div class="paragraph"><p>There are up to four AppIds stored in a session as defined below:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-serviceAppId - An appId associated with server side of a session. Example:\r
- http server.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-clientAppId - An appId associated with application on client side of a\r
- session. Example: Firefox.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-payloadAppId - For services like http this appId is associated with a\r
- webserver host. Example: Facebook.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-miscAppId - For some encapsulated protocols, this is the highest\r
- encapsulated application.\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>For packets originating from the client, a payloadAppid in a session is\r
-matched with all AppIds listed on a rule. Thereafter miscAppId, clientAppId\r
-and serviceAppId are matched. Since Alert Events contain one AppId, only the\r
-first match is reported. If a rule without an appids option matches, then the\r
-most specific appId (in order of payload, misc, client, server) is reported.</p></div>\r
-<div class="paragraph"><p>The same logic is followed for packets originating from the server with one\r
-exception. The order of matching is changed to make serviceAppId come\r
-before clientAppId.</p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_appid_usage_statistics">AppId Usage Statistics</h4>\r
-<div class="paragraph"><p>The AppId inspector prints application network usage periodically in the snort\r
-log directory in unified2 format. File name, time interval for statistic and\r
-file rollover are controlled by appId inspection configuration.</p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_open_detector_package_odp_installation">Open Detector Package (ODP) Installation</h4>\r
-<div class="paragraph"><p>Application detectors from Snort team will be delivered in a separate package\r
-called the Open Detector Package (ODP) that can be downloaded from snort.org.\r
-ODP is a package that contains the following artifacts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-Application detectors in the Lua language.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Port detectors, which are port only application detectors, in meta-data in\r
- YAML format.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-appMapping.data file containing application metadata. This file should not\r
- be modified. The first column contains application identifier and second\r
- column contains application name. Other columns contain internal\r
- information.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Lua library files DetectorCommon.lua, flowTrackerModule.lua and\r
- hostServiceTrackerModule.lua\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>A user can install the ODP package in any directory and configure this\r
-directory via the app_detector_dir option in the appid preprocessor\r
-configuration. Installing ODP will not modify any subdirectory named\r
-custom, where user-created detectors are located.</p></div>\r
-<div class="paragraph"><p>When installed, ODP will create following sub-directories:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-odp/port //Cisco port-only detectors\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-odp/lua //Cisco Lua detectors\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-odp/libs //Cisco Lua modules\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_user_created_application_detectors">User Created Application Detectors</h4>\r
-<div class="paragraph"><p>Users can detect new applications by adding detectors in the Lua language. A\r
-document will be posted on the Snort Website with details on API. Users can also\r
-copy over Snort team provided detectors and modify them. Users can also use the\r
-detector creation tool described in the next section.</p></div>\r
-<div class="paragraph"><p>Users must organize their Lua detectors and libraries by creating the\r
-following directory structure, under the ODP installation directory.</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-custom/port //port-only detectors\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-custom/lua //Lua detectors\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-custom/libs //Lua modules\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>The root path is specified by the "app_detector_dir" parameter of the appid\r
-section of snort.conf:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>appid =\r
-{\r
- app_detector_dir = '/usr/local/lib/openappid',\r
-}</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>So the path to the user-created lua files would be\r
-/usr/local/lib/openappid/custom/lua/</p></div>\r
-<div class="paragraph"><p>None of the directories below /usr/local/lib/openappid/ would be added for\r
-you.</p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_application_detector_creation_tool">Application Detector Creation Tool</h4>\r
-<div class="paragraph"><p>For rudimentary Lua detectors, there is a tool provided called\r
-appid_detector_builder.sh. This is a simple, menu-driven bash script\r
-which creates .lua files in your current directory, based on your choices\r
-and on patterns you supply.</p></div>\r
-<div class="paragraph"><p>When you launch the script, it will prompt for the Application Id\r
-that you are giving for your detector. This is free-form ASCII with\r
-minor restrictions. The Lua detector file will be named based on your\r
-Application Id. If the file name already exists you will be prompted to\r
-overwrite it.</p></div>\r
-<div class="paragraph"><p>You will also be prompted for a description of your detector to be placed\r
-in the comments of the Lua source code. This is optional.</p></div>\r
-<div class="paragraph"><p>You will then be asked a series of questions designed to construct Lua\r
-code based on the kind of pattern data, protocol, port(s), etc.</p></div>\r
-<div class="paragraph"><p>When complete, the Protocol menu will be changed to include the option,\r
-"Save Detector". Instead of saving the file and exiting the script,\r
-you are allowed to give additional criteria for another pattern which\r
-may also be incorporated in the detection scheme. Then either pattern,\r
-when matched, will be considered a valid detection.</p></div>\r
-<div class="paragraph"><p>For example, your first choices might create an HTTP detection pattern\r
-of "example.com", and the next set of choices would add the HTTP\r
-detection pattern of "example.uk.co" (an equally fictional British\r
-counterpart). They would then co-exist in the Lua detector, and either\r
-would cause a detection with the name you give for your Application Id.</p></div>\r
-<div class="paragraph"><p>The resulting .lua file will need to be placed in the directory,\r
-"custom/lua", described in the previous section of the README above called\r
-"User Created Application Detectors"</p></div>\r
-</div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_binder">Binder</h3>\r
-<div class="paragraph"><p>One of the fundamental differences between Snort 2 and Snort 3 concerns configuration\r
-related to networks and ports. Here is a brief review of Snort 2 configuration for\r
-network and service related components:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-Snort’s configuration has a default policy and optional policies selected by\r
- VLAN or network (with config binding).\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Each policy contains a user defined set of preprocessor configurations.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Each preprocessor has a default configuration and some support non-default\r
- configurations selected by network.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Most preprocessors have port configurations.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-The default policy may also contain a list of ports to ignore.\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>In Snort 3, the above configurations are done in a single module called the\r
-binder. Here is an example:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>binder =\r
-{\r
- -- allow all tcp port 22:\r
- -- (similar to Snort 2 config ignore_ports)\r
- { when = { proto = 'tcp', ports = '22' }, use = { action = 'allow' } },</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>-- select a config file by vlan\r
--- (similar to Snort 2 config binding by vlan)\r
-{ when = { vlans = '1024' }, use = { file = 'vlan.lua' } },</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>-- use a non-default HTTP inspector for port 8080:\r
--- (similar to a Snort 2 targeted preprocessor config)\r
-{ when = { nets = '192.168.0.0/16', proto = 'tcp', ports = '8080' },\r
- use = { name = 'alt_http', type = 'http_inspect' } },</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>-- use the default inspectors:\r
--- (similar to a Snort 2 default preprocessor config)\r
-{ when = { proto = 'tcp' }, use = { type = 'stream_tcp' } },\r
-{ when = { service = 'http' }, use = { type = 'http_inspect' } },</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code> -- figure out which inspector to run automatically:\r
- { use = { type = 'wizard' } }\r
-}</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Bindings are evaluated when a session starts and again if and when service is\r
-identified on the session. Essentially, the bindings are a list of when-use\r
-rules evaluated from top to bottom. The first matching network and service\r
-configurations are applied. binder.when can contain any combination of\r
-criteria and binder.use can specify an action, config file, or inspector\r
-configuration.</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_byte_rule_options">Byte rule options</h3>\r
-<div class="sect3">\r
-<h4 id="_byte_test">byte_test</h4>\r
-<div class="paragraph"><p>This rule option tests a byte field against a specific value (with\r
-operator). Capable of testing binary values or converting\r
-representative byte strings to their binary equivalent and testing them.</p></div>\r
-<div class="paragraph"><p>Snort uses the C operators for each of these operators. If the &\r
-operator is used, then it would be the same as using</p></div>\r
-<div class="listingblock">\r
-<div class="content"><!-- Generator: GNU source-highlight\r
-by Lorenzo Bettini\r
-http://www.lorenzobettini.it\r
-http://www.gnu.org/software/src-highlite -->\r
-<pre><tt><span style="font-weight: bold"><span style="color: #0000FF">if</span></span> <span style="color: #990000">(</span>data <span style="color: #990000">&</span> value<span style="color: #990000">)</span> <span style="color: #FF0000">{</span> <span style="font-weight: bold"><span style="color: #000000">do_something</span></span><span style="color: #990000">();</span> <span style="color: #FF0000">}</span></tt></pre></div></div>\r
-<div class="paragraph"><p><em>!</em> operator negates the results from the base check. <em>!<oper></em> is\r
-considered as</p></div>\r
-<div class="listingblock">\r
-<div class="content"><!-- Generator: GNU source-highlight\r
-by Lorenzo Bettini\r
-http://www.lorenzobettini.it\r
-http://www.gnu.org/software/src-highlite -->\r
-<pre><tt><span style="color: #990000">!(</span>data <span style="color: #990000"><</span>oper<span style="color: #990000">></span> value<span style="color: #990000">)</span></tt></pre></div></div>\r
-<div class="paragraph"><p>Note:\r
-The bitmask option applies bitwise AND operator on the bytes\r
-converted. The result will be right-shifted by the number of bits\r
-equal to the number of trailing zeros in the mask.\r
-This applies for the other rule options as well.</p></div>\r
-<div class="sect4">\r
-<h5 id="_examples">Examples</h5>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>alert tcp (byte_test:2, =, 568, 0, bitmask 0x3FF0;)</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>This example extracts 2 bytes at offset 0, performs bitwise and with\r
-bitmask 0x3FF0, shifts the result by 4 bits and compares to 568.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>alert udp (byte_test:4, =, 1234, 0, string, dec;\r
- msg:"got 1234!";)</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>alert udp (byte_test:8, =, 0xdeadbeef, 0, string, hex;\r
- msg:"got DEADBEEF!";)</code></pre>\r
-</div></div>\r
-</div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_byte_jump">byte_jump</h4>\r
-<div class="paragraph"><p>The byte_jump rule option allows rules to be written for length\r
-encoded protocols trivially. By having an option that reads the\r
-length of a portion of data, then skips that far forward in the\r
-packet, rules can be written that skip over specific portions of\r
-length-encoded protocols and perform detection in very specific\r
-locations.</p></div>\r
-<div class="sect4">\r
-<h5 id="_examples_2">Examples</h5>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>alert tcp (content:"Begin";\r
- byte_jump:0, 0, from_end, post_offset -6;\r
- content:"end..", distance 0, within 5;\r
- msg:"Content match from end of the payload";)</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>alert tcp (content:"catalog";\r
- byte_jump:2, 1, relative, post_offset 2, bitmask 0x03f0;\r
- byte_test:2, =, 968, 0, relative;\r
- msg:"Bitmask applied on the 2 bytes extracted for byte_jump";)</code></pre>\r
-</div></div>\r
-</div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_byte_extract">byte_extract</h4>\r
-<div class="paragraph"><p>The byte_extract keyword is another useful option for writing rules\r
-against length-encoded protocols. It reads in some number of bytes\r
-from the packet payload and saves it to a variable. These variables\r
-can be referenced later in the rule, instead of using hard-coded values.</p></div>\r
-<div class="sect4">\r
-<h5 id="_other_options_which_use_byte_extract_variables">Other options which use byte_extract variables</h5>\r
-<div class="paragraph"><p>A byte_extract rule option detects nothing by itself. Its use is in\r
-extracting packet data for use in other rule options.</p></div>\r
-<div class="paragraph"><p>Here is a list of places where byte_extract variables can be used:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-content/uricontent: offset, depth, distance, within\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-byte_test: offset, value\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-byte_jump: offset, post_offset\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-isdataat: offset\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_examples_3">Examples</h5>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>alert tcp (byte_extract:1, 0, str_offset;\r
- byte_extract:1, 1, str_depth;\r
- content:"bad stuff", offset str_offset, depth str_depth;\r
- msg:"Bad Stuff detected within field";)</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>alert tcp (content:"START"; byte_extract:1, 0, myvar, relative;\r
- byte_jump:1, 3, relative, post_offset myvar;\r
- content:"END", distance 6, within 3;\r
- msg: "byte_jump - pass variable to post_offset";)</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>This example uses two variables.</p></div>\r
-<div class="paragraph"><p>The first variable keeps the offset of a string, read from a byte at offset 0.\r
-The second variable keeps the depth of a string, read from a byte at offset 1.\r
-These values are used to constrain a pattern match to a smaller area.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>alert tcp (content:"|04 63 34 35|", offset 4, depth 4;\r
- byte_extract: 2, 0, var_match, relative, bitmask 0x03ff;\r
- byte_test: 2, =, var_match, 2, relative;\r
- msg:"Test value match, after applying bitmask on bytes extracted";)</code></pre>\r
-</div></div>\r
-</div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_byte_math">byte_math</h4>\r
-<div class="paragraph"><p>Perform a mathematical operation on an extracted value and a specified\r
-value or existing variable, and store the outcome in a new resulting\r
-variable. These resulting variables can be referenced later in the\r
-rule, at the same places as byte_extract variables.</p></div>\r
-<div class="paragraph"><p>The syntax for this rule option is different. The order of the options\r
-is critical for the other rule options and can’t be changed. For\r
-example, the first option is the number of bytes to extract.\r
-Here the name of the option is explicitly written, for example : bytes 2.\r
-The order is not important.</p></div>\r
-<div class="admonitionblock">\r
-<table><tr>\r
-<td class="icon">\r
-<img src="./images/icons/note.png" alt="Note" />\r
-</td>\r
-<td class="content">Byte_math operations are performed on unsigned 32-bit values. When\r
- writing a rule it should be taken into consideration to avoid wrap around.</td>\r
-</tr></table>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_examples_4">Examples</h5>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>alert tcp ( byte_math: bytes 2, offset 0, oper *, rvalue 10, result area;\r
- byte_test:2,>,area,16;)</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>At the zero offset of the payload, extract 2 bytes and apply multiplication operation with\r
-value 10. Store result in variable area. The area variable is given as\r
-input to byte_test value option.</p></div>\r
-<div class="paragraph"><p>Let’s consider 2 bytes of extracted data is 5. The rvalue is 10.\r
-Result variable area is 50 ( 5 * 10 ).\r
-Area variable can be used in either byte_test offset/value options.</p></div>\r
-</div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_testing_numerical_values">Testing Numerical Values</h4>\r
-<div class="paragraph"><p>The rule options byte_test and byte_jump were written to support\r
-writing rules for protocols that have length encoded data. RPC was\r
-the protocol that spawned the requirement for these two rule options,\r
-as RPC uses simple length based encoding for passing data.</p></div>\r
-<div class="paragraph"><p>In order to understand why byte test and byte jump are useful, let’s\r
-go through an exploit attempt against the sadmind service.</p></div>\r
-<div class="paragraph"><p>This is the payload of the exploit:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>89 09 9c e2 00 00 00 00 00 00 00 02 00 01 87 88 ................\r
-00 00 00 0a 00 00 00 01 00 00 00 01 00 00 00 20 ...............\r
-40 28 3a 10 00 00 00 0a 4d 45 54 41 53 50 4c 4f @(:.....metasplo\r
-49 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 it..............\r
-00 00 00 00 00 00 00 00 40 28 3a 14 00 07 45 df ........@(:...e.\r
-00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r
-00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 ................\r
-00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 04 ................\r
-7f 00 00 01 00 01 87 88 00 00 00 0a 00 00 00 04 ................\r
-7f 00 00 01 00 01 87 88 00 00 00 0a 00 00 00 11 ................\r
-00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 ................\r
-00 00 00 00 00 00 00 3b 4d 45 54 41 53 50 4c 4f .......;metasplo\r
-49 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 it..............\r
-00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r
-00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r
-00 00 00 00 00 00 00 06 73 79 73 74 65 6d 00 00 ........system..\r
-00 00 00 15 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f ....../../../../\r
-2e 2e 2f 62 69 6e 2f 73 68 00 00 00 00 00 04 1e ../bin/sh.......</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Let’s break this up, describe each of the fields, and figure out how to write a\r
-rule to catch this exploit.</p></div>\r
-<div class="paragraph"><p>There are a few things to note with RPC:</p></div>\r
-<div class="paragraph"><p>Numbers are written as uint32s, taking four bytes. The number 26 would\r
-show up as 0x0000001a.</p></div>\r
-<div class="paragraph"><p>Strings are written as a uint32 specifying the length of the string, the\r
-string, and then null bytes to pad the length of the string to end on a 4-byte\r
-boundary. The string <em>bob</em> would show up as 0x00000003626f6200.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>89 09 9c e2 - the request id, a random uint32, unique to each request\r
-00 00 00 00 - rpc type (call = 0, response = 1)\r
-00 00 00 02 - rpc version (2)\r
-00 01 87 88 - rpc program (0x00018788 = 100232 = sadmind)\r
-00 00 00 0a - rpc program version (0x0000000a = 10)\r
-00 00 00 01 - rpc procedure (0x00000001 = 1)\r
-00 00 00 01 - credential flavor (1 = auth_unix)\r
-00 00 00 20 - length of auth_unix data (0x20 = 32)</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>## the next 32 bytes are the auth_unix data\r
-40 28 3a 10 - unix timestamp (0x40283a10 = 1076378128 = feb 10 01:55:28 2004 gmt)\r
-00 00 00 0a - length of the client machine name (0x0a = 10)\r
-4d 45 54 41 53 50 4c 4f 49 54 00 00 - metasploit</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>00 00 00 00 - uid of requesting user (0)\r
-00 00 00 00 - gid of requesting user (0)\r
-00 00 00 00 - extra group ids (0)</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>00 00 00 00 - verifier flavor (0 = auth_null, aka none)\r
-00 00 00 00 - length of verifier (0, aka none)</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The rest of the packet is the request that gets passed to procedure 1 of\r
-sadmind.</p></div>\r
-<div class="paragraph"><p>However, we know the vulnerability is that sadmind trusts the uid coming from\r
-the client. sadmind runs any request where the client’s uid is 0 as root. As\r
-such, we have decoded enough of the request to write our rule.</p></div>\r
-<div class="paragraph"><p>First, we need to make sure that our packet is an RPC call.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>content:"|00 00 00 00|", offset 4, depth 4;</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Then, we need to make sure that our packet is a call to sadmind.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>content:"|00 01 87 88|", offset 12, depth 4;</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Then, we need to make sure that our packet is a call to the procedure 1, the\r
-vulnerable procedure.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>content:"|00 00 00 01|", offset 20, depth 4;</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Then, we need to make sure that our packet has auth_unix credentials.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>content:"|00 00 00 01|", offset 24, depth 4;</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>We don’t care about the hostname, but we want to skip over it and check a\r
-number value after the hostname. This is where byte_test is useful. Starting\r
-at the length of the hostname, the data we have is:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>00 00 00 0a 4d 45 54 41 53 50 4c 4f 49 54 00 00\r
-00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r
-00 00 00 00</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>We want to read 4 bytes, turn it into a number, and jump that many bytes\r
-forward, making sure to account for the padding that RPC requires on strings.\r
-If we do that, we are now at:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r
-00 00 00 00</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>which happens to be the exact location of the uid, the value we want to check.</p></div>\r
-<div class="paragraph"><p>In English, we want to read 4 bytes, 36 bytes from the beginning of the packet,\r
-and turn those 4 bytes into an integer and jump that many bytes forward,\r
-aligning on the 4-byte boundary. To do that in a Snort rule, we use:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>byte_jump:4,36,align;</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>then we want to look for the uid of 0.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>content:"|00 00 00 00|", within 4;</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Now that we have all the detection capabilities for our rule, let’s put them\r
-all together.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>content:"|00 00 00 00|", offset 4, depth 4;\r
-content:"|00 01 87 88|", offset 12, depth 4;\r
-content:"|00 00 00 01|", offset 20, depth 4;\r
-content:"|00 00 00 01|", offset 24, depth 4;\r
-byte_jump:4,36,align;\r
-content:"|00 00 00 00|", within 4;</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The 3rd and fourth string match are right next to each other, so we should\r
-combine those patterns. We end up with:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>content:"|00 00 00 00|", offset 4, depth 4;\r
-content:"|00 01 87 88|", offset 12, depth 4;\r
-content:"|00 00 00 01 00 00 00 01|", offset 20, depth 8;\r
-byte_jump:4,36,align;\r
-content:"|00 00 00 00|", within 4;</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>If the sadmind service was vulnerable to a buffer overflow when reading the\r
-client’s hostname, instead of reading the length of the hostname and jumping\r
-that many bytes forward, we would check the length of the hostname to make sure\r
-it is not too large.</p></div>\r
-<div class="paragraph"><p>To do that, we would read 4 bytes, starting 36 bytes into the packet, turn it\r
-into a number, and then make sure it is not too large (let’s say bigger than\r
-200 bytes). In Snort, we do:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>byte_test:4,>,200,36;</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Our full rule would be:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>content:"|00 00 00 00|", offset 4, depth 4;\r
-content:"|00 01 87 88|", offset 12, depth 4;\r
-content:"|00 00 00 01 00 00 00 01|", offset 20, depth 8;\r
-byte_test:4,>,200,36;</code></pre>\r
-</div></div>\r
-</div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_dce_inspectors">DCE Inspectors</h3>\r
-<div class="paragraph"><p>The main purpose of these inspector are to perform SMB desegmentation and\r
-DCE/RPC defragmentation to avoid rule evasion using these techniques.</p></div>\r
-<div class="sect3">\r
-<h4 id="_overview_3">Overview</h4>\r
-<div class="paragraph"><p>The following transports are supported for DCE/RPC: SMB, TCP, and UDP.\r
-New rule options have been implemented to improve performance, reduce false\r
-positives and reduce the count and complexity of DCE/RPC based rules.</p></div>\r
-<div class="paragraph"><p>Different from Snort 2, the DCE-RPC preprocessor is split into three inspectors\r
- - one for each transport: dce_smb, dce_tcp, dce_udp. This includes the\r
-configuration as well as the inspector modules. The Snort 2 server configuration\r
-is now split between the inspectors. Options that are meaningful to all\r
-inspectors, such as policy and defragmentation, are copied into each inspector\r
-configuration. The address/port mapping is handled by the binder. Autodetect\r
-functionality is replaced by wizard curses.</p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_quick_guide">Quick Guide</h4>\r
-<div class="paragraph"><p>A typical dcerpce configuration looks like this:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>binder =\r
-{\r
- {\r
- when =\r
- {\r
- proto = 'tcp',\r
- ports = '139 445 1025',\r
- },\r
- use =\r
- {\r
- type = 'dce_smb',\r
- },\r
- },\r
- {\r
- when =\r
- {\r
- proto = 'tcp',\r
- ports = '135 2103',\r
- },\r
- use =\r
- {\r
- type = 'dce_tcp',\r
- },\r
- },\r
- {\r
- when =\r
- {\r
- proto = 'udp',\r
- ports = '1030',\r
- },\r
- use =\r
- {\r
- type = 'dce_udp',\r
- },\r
- }\r
- }</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>dce_smb = { }</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>dce_tcp = { }</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>dce_udp = { }</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>In this example, it defines smb, tcp and udp inspectors based on port. All the\r
-configurations are default.</p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_target_based">Target Based</h4>\r
-<div class="paragraph"><p>There are enough important differences between Windows and Samba versions that\r
-a target based approach has been implemented. Some important differences:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-Named pipe instance tracking\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Accepted SMB commands\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-AndX command chaining\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Transaction tracking\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Multiple Bind requests\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-DCE/RPC Fragmented requests - Context ID\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-DCE/RPC Fragmented requests - Operation number\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-DCE/RPC Stub data byte order\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Because of those differences, each inspector can be configured to different\r
-policy. Here are the list of policies supported:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-WinXP (default)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Win2000\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-WinVista\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Win2003\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Win2008\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Win7\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Samba\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Samba-3.0.37\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Samba-3.0.22\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Samba-3.0.20\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_reassembling">Reassembling</h4>\r
-<div class="paragraph"><p>Both SMB inspector and TCP inspector support reassemble. Reassemble threshold\r
-specifies a minimum number of bytes in the DCE/RPC desegmentation and\r
-defragmentation buffers before creating a reassembly packet to send to the\r
-detection engine. This option is useful in inline mode so as to potentially\r
-catch an exploit early before full defragmentation is done. A value of 0 s\r
-supplied as an argument to this option will, in effect, disable this option.\r
-Default is disabled.</p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_smb">SMB</h4>\r
-<div class="paragraph"><p>SMB inspector is one of the most complex inspectors. In addition to supporting\r
-rule options and lots of inspector rule events, it also supports file\r
-processing for both SMB version 1, 2, and 3.</p></div>\r
-<div class="sect4">\r
-<h5 id="_finger_print_policy">Finger Print Policy</h5>\r
-<div class="paragraph"><p>In the initial phase of an SMB session, the client needs to authenticate with a\r
-SessionSetupAndX. Both the request and response to this command contain OS and\r
-version information that can allow the inspector to dynamically set the policy\r
-for a session which allows for better protection against Windows and Samba\r
-specific evasions.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_file_inspection">File Inspection</h5>\r
-<div class="paragraph"><p>SMB inspector supports file inspection. A typical configuration looks like this:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>binder =\r
-{\r
- {\r
- when =\r
- {\r
- proto = 'tcp',\r
- ports = '139 445',\r
- },\r
- use =\r
- {\r
- type = 'dce_smb',\r
- },\r
- },\r
-}</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>dce_smb =\r
-{\r
- smb_file_inspection = 'on',\r
- smb_file_depth = 0,\r
- }</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>file_id =\r
-{\r
- enable_type = true,\r
- enable_signature = true,\r
- enable_capture = true,\r
- file_rules = magics,\r
-}</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>First, define a binder to map tcp port 139 and 445 to smb. Then, enable file\r
-inspection in smb inspection and set the file depth as unlimited. Lastly, enable\r
-file inspector to inspect file type, calculate file signature, and capture file.\r
-The details of file inspector are explained in file processing section.</p></div>\r
-<div class="paragraph"><p>SMB inspector does inspection of normal SMB file transfers. This includes doing\r
-file type and signature through the file processing as well as setting a pointer\r
-for the "file_data" rule option. Note that the "file_depth" option only applies\r
-to the maximum amount of file data for which it will set the pointer for the\r
-"file_data" rule option. For file type and signature it will use the value\r
-configured for the file API. If "only" is specified, the inspector will only\r
-do SMB file inspection, i.e. it will not do any DCE/RPC tracking or inspection.\r
-If "on" is specified with no arguments, the default file depth is 16384 bytes.\r
-An argument of -1 to "file-depth" disables setting the pointer for "file_data",\r
-effectively disabling SMB file inspection in rules. An argument of 0 to\r
-"file_depth" means unlimited. Default is "off", i.e. no SMB file inspection is\r
- done in the inspector.</p></div>\r
-</div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_tcp">TCP</h4>\r
-<div class="paragraph"><p>dce_tcp inspector supports defragmentation, reassembling, and policy that is\r
-similar to SMB.</p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_udp">UDP</h4>\r
-<div class="paragraph"><p>dce_udp is a very simple inspector that only supports defragmentation</p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_rule_options">Rule Options</h4>\r
-<div class="paragraph"><p>New rule options are supported by enabling the dcerpc2 inspectors:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-dce_iface\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-dce_opnum\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-dce_stub_data\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>New modifiers to existing byte_test and byte_jump rule options:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-byte_test: dce\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-byte_jump: dce\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="sect4">\r
-<h5 id="_dce_iface">dce_iface</h5>\r
-<div class="paragraph"><p>For DCE/RPC based rules it has been necessary to set flow-bits based on a client\r
-bind to a service to avoid false positives. It is necessary for a client to bind\r
-to a service before being able to make a call to it. When a client sends a bind\r
-request to the server, it can, however, specify one or more service interfaces\r
-to bind to. Each interface is represented by a UUID. Each interface UUID is\r
-paired with a unique index (or context id) that future requests can use to\r
-reference the service that the client is making a call to. The server will\r
-respond with the interface UUIDs it accepts as valid and will allow the client\r
-to make requests to those services. When a client makes a request, it will\r
-specify the context id so the server knows what service the client is making a\r
-request to. Instead of using flow-bits, a rule can simply ask the inspector,\r
-using this rule option, whether or not the client has bound to a specific\r
-interface UUID and whether or not this client request is making a request to it.\r
-This can eliminate false positives where more than one service is bound to\r
-successfully since the inspector can correlate the bind UUID to the context\r
-id used in the request. A DCE/RPC request can specify whether numbers are\r
-represented as big endian or little endian. The representation of the interface\r
-UUID is different depending on the endianness specified in the DCE/RPC\r
-previously requiring two rules - one for big endian and one for little endian.\r
-The inspector eliminates the need for two rules by normalizing the UUID.\r
-An interface contains a version. Some versions of an interface may not be\r
-vulnerable to a certain exploit. Also, a DCE/RPC request can be broken up into\r
-1 or more fragments. Flags (and a field in the connectionless header) are set in\r
-the DCE/RPC header to indicate whether the fragment is the first, a middle or\r
-the last fragment. Many checks for data in the DCE/RPC request are only relevant\r
-if the DCE/RPC request is a first fragment (or full request), since subsequent\r
-fragments will contain data deeper into the DCE/RPC request. A rule which is\r
-looking for data, say 5 bytes into the request (maybe it’s a length field), will\r
-be looking at the wrong data on a fragment other than the first, since the\r
-beginning of subsequent fragments are already offset some length from the\r
-beginning of the request. This can be a source of false positives in fragmented\r
-DCE/RPC traffic. By default it is reasonable to only evaluate if the request is\r
-a first fragment (or full request). However, if the "any_frag" option is used to\r
-specify evaluating on all fragments.</p></div>\r
-<div class="paragraph"><p>Examples:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>dce_iface: 4b324fc8-1670-01d3-1278-5a47bf6ee188;\r
-dce_iface: 4b324fc8-1670-01d3-1278-5a47bf6ee188,<2;\r
-dce_iface: 4b324fc8-1670-01d3-1278-5a47bf6ee188,any_frag;\r
-dce_iface: 4b324fc8-1670-01d3-1278-5a47bf6ee188,=1,any_frag;</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>This option is used to specify an interface UUID. Optional arguments are an\r
-interface version and operator to specify that the version be less than (<em><</em>),\r
-greater than (<em>></em>), equal to (<em>=</em>) or not equal to (<em>!</em>) the version specified.\r
-Also, by default the rule will only be evaluated for a first fragment (or full\r
-request, i.e. not a fragment) since most rules are written to start at the\r
-beginning of a request. The "any_frag" argument says to evaluate for middle and\r
-last fragments as well. This option requires tracking client Bind and\r
-Alter Context requests as well as server Bind Ack and Alter Context responses\r
-for connection-oriented DCE/RPC in the inspector. For each Bind and\r
-Alter Context request, the client specifies a list of interface UUIDs along\r
-with a handle (or context id) for each interface UUID that will be used during\r
-the DCE/RPC session to reference the interface. The server response indicates\r
-which interfaces it will allow the client to make requests to - it either\r
-accepts or rejects the client’s wish to bind to a certain interface. This\r
-tracking is required so that when a request is processed, the context id used\r
-in the request can be correlated with the interface UUID it is a handle for.</p></div>\r
-<div class="paragraph"><p>hexlong and hexshort will be specified and interpreted to be in big endian\r
-order (this is usually the default way an interface UUID will be seen and\r
-represented). As an example, the following Messenger interface UUID as taken\r
-off the wire from a little endian Bind request:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>|f8 91 7b 5a 00 ff d0 11 a9 b2 00 c0 4f b6 e6 fc|</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>must be written as:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The same UUID taken off the wire from a big endian Bind request:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>|5a 7b 91 f8 ff 00 11 d0 a9 b2 00 c0 4f b6 e6 fc|</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>must be written the same way:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>This option matches if the specified interface UUID matches the interface UUID\r
-(as referred to by the context id) of the DCE/RPC request and if supplied, the\r
-version operation is true. This option will not match if the fragment is not a\r
-first fragment (or full request) unless the "any_frag" option is supplied in\r
-which case only the interface UUID and version need match. Note that a\r
-defragmented DCE/RPC request will be considered a full request.</p></div>\r
-<div class="paragraph"><p>Using this rule option will automatically insert fast pattern contents into\r
-the fast pattern matcher. For UDP rules, the interface UUID, in both big and\r
-little endian format will be inserted into the fast pattern matcher. For TCP\r
-rules, (1) if the rule option "flow:to_server|from_client" is used, |05 00 00|\r
-will be inserted into the fast pattern matcher, (2) if the rule option\r
-"flow:from_server|to_client" is used, |05 00 02| will be inserted into the\r
-fast pattern matcher and (3) if the flow isn’t known, |05 00| will be inserted\r
-into the fast pattern matcher. Note that if the rule already has content rule\r
-options in it, the best (meaning longest) pattern will be used. If a content\r
-in the rule uses the fast_pattern rule option, it will unequivocally be used\r
-over the above mentioned patterns.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_dce_opnum">dce_opnum</h5>\r
-<div class="paragraph"><p>The opnum represents a specific function call to an interface. After is has\r
-been determined that a client has bound to a specific interface and is making\r
-a request to it (see above - dce_iface) usually we want to know what function\r
-call it is making to that service. It is likely that an exploit lies in the\r
-particular DCE/RPC function call.</p></div>\r
-<div class="paragraph"><p>Examples:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>dce_opnum: 15;\r
-dce_opnum: 15-18;\r
-dce_opnum: 15,18-20;\r
-dce_opnum: 15,17,20-22;</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>This option is used to specify an opnum (or operation number), opnum range or\r
-list containing either or both opnum and/or opnum-range. The opnum of a\r
-DCE/RPC request will be matched against the opnums specified with this option.\r
-This option matches if any one of the opnums specified match the opnum of the\r
-DCE/RPC request.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_dce_stub_data">dce_stub_data</h5>\r
-<div class="paragraph"><p>Since most DCE/RPC based rules had to do protocol decoding only to get to the\r
-DCE/RPC stub data, i.e. the remote procedure call or function call data, this\r
-option will alleviate this need and place the cursor at the beginning of the\r
-DCE/RPC stub data. This reduces the number of rule option checks and the\r
-complexity of the rule.</p></div>\r
-<div class="paragraph"><p>This option takes no arguments.</p></div>\r
-<div class="paragraph"><p>Example:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>dce_stub_data;</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>This option is used to place the cursor (used to walk the packet payload in\r
-rules processing) at the beginning of the DCE/RPC stub data, regardless of\r
-preceding rule options. There are no arguments to this option. This option\r
-matches if there is DCE/RPC stub data.</p></div>\r
-<div class="paragraph"><p>The cursor is moved to the beginning of the stub data. All ensuing rule\r
-options will be considered "sticky" to this buffer. The first rule option\r
-following dce_stub_data should use absolute location modifiers if it is\r
-position-dependent. Subsequent rule options should use a relative modifier if\r
-they are meant to be relative to a previous rule option match in the stub data\r
-buffer. Any rule option that does not specify a relative modifier will be\r
-evaluated from the start of the stub data buffer. To leave the stub data buffer\r
-and return to the main payload buffer, use the "pkt_data" rule option.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_byte_test_and_byte_jump">byte_test and byte_jump</h5>\r
-<div class="paragraph"><p>A DCE/RPC request can specify whether numbers are represented in big or little\r
-endian. These rule options will take as a new argument "dce" and will work\r
-basically the same as the normal byte_test/byte_jump, but since the DCE/RPC\r
-inspector will know the endianness of the request, it will be able to do\r
-the correct conversion.</p></div>\r
-<div class="paragraph"><p>Examples:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>byte_test: 4,>,35000,0,relative,dce;\r
-byte_test: 2,!=,2280,-10,relative,dce;</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>When using the "dce" argument to a byte_test, the following normal byte_test\r
-arguments will not be allowed: "big", "little", "string", "hex", "dec" and\r
-"oct".</p></div>\r
-<div class="paragraph"><p>Examples:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>byte_jump:4,-4,relative,align,multiplier 2,post_offset -4,dce;</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>When using the dce argument to a byte_jump, the following normal byte_jump\r
-arguments will not be allowed: "big", "little", "string", "hex", "dec", "oct"\r
-and "from_beginning"</p></div>\r
-</div>\r
-</div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_file_processing">File Processing</h3>\r
-<div class="paragraph"><p>With the volume of malware transferred through network increasing,\r
-network file inspection becomes more and more important. This feature\r
-will provide file type identification, file signature creation, and file\r
-capture capabilities to help users deal with those challenges.</p></div>\r
-<div class="sect3">\r
-<h4 id="_overview_4">Overview</h4>\r
-<div class="paragraph"><p>There are two parts of file services: file APIs and file policy.\r
-File APIs provides all the file inspection functionalities, such as file\r
-type identification, file signature calculation, and file capture.\r
-File policy provides users ability to control file services, such\r
-as enable/disable/configure file type identification, file signature, or\r
-file capture.</p></div>\r
-<div class="paragraph"><p>In addition to all capabilities from Snort 2, we support customized file\r
-policy along with file event log.</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-Supported protocols: HTTP, SMTP, IMAP, POP3, FTP, and SMB.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Supported file signature calculation: SHA256\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_quick_guide_2">Quick Guide</h4>\r
-<div class="paragraph"><p>A very simple configuration has been included in lua/snort.lua file.\r
-A typical file configuration looks like this:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>dofile('magic.lua')</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>my_file_policy =\r
-{\r
- { when = { file_type_id = 0 }, use = { verdict = 'log', enable_file_signature = true, enable_file_capture = true } }\r
- { when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_signature = true } },\r
- { when = { sha256 = "F74DC976BC8387E7D4FC0716A069017A0C7ED13F309A523CC41A8739CCB7D4B6" }, use = { verdict = 'block'} },\r
-}</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>file_id =\r
-{\r
- enable_type = true,\r
- enable_signature = true,\r
- enable_capture = true,\r
- file_rules = magics,\r
- trace_type = true,\r
- trace_signature = true,\r
- trace_stream = true,\r
- file_policy = my_file_policy,\r
- }</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>file_log =\r
-{\r
- log_pkt_time = true,\r
- log_sys_time = false,\r
-}</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>There are 3 steps to enable file processing:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-First, you need to include the file magic rules.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Then, define the file policy and configure the inspector\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-At last, enable file_log to get detailed information about file event\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_pre_packaged_file_magic_rules">Pre-packaged File Magic Rules</h4>\r
-<div class="paragraph"><p>A set of file magic rules is packaged with Snort. They can be located at\r
-"lua/file_magic.lua". To use this feature, it is recommended that these\r
-pre-packaged rules are used; doing so requires that you include\r
-the file in your Snort configuration as such (already in snort.lua):</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>dofile('magic.lua')</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Example:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>{ type = "GIF", id = 62, category = "Graphics", rev = 1,\r
- magic = { { content = "| 47 49 46 38 37 61 |",offset = 0 } } },</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>{ type = "GIF", id = 63, category = "Graphics", rev = 1,\r
- magic = { { content = "| 47 49 46 38 39 61 |",offset = 0 } } },</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The previous two rules define GIF format, because two file magics are\r
-different. File magics are specified by content and offset, which look\r
-at content at particular file offset to identify the file type. In this\r
-case, two magics look at the beginning of the file. You can use character\r
-if it is printable or hex value in between "|".</p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_file_policy">File Policy</h4>\r
-<div class="paragraph"><p>You can enabled file type, file signature, or file capture by configuring\r
-file_id. In addition, you can enable trace to see file stream data, file\r
-type, and file signature information.</p></div>\r
-<div class="paragraph"><p>Most importantly, you can configure a file policy that can block/alert\r
-some file type or an individual file based on SHA. This allows you\r
-build a file blacklist or whitelist.</p></div>\r
-<div class="paragraph"><p>Example:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>file_policy =\r
-{\r
- { when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_signature = true } },\r
- { when = { sha256 = "F74DC976BC8387E7D4FC0716A069017A0C7ED13F309A523CC41A8739CCB7D4B6" }, use = { verdict = 'block'} },\r
- { when = { file_type_id = 0 }, use = { verdict = 'log', enable_file_signature = true, enable_file_capture = true } }\r
-}</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>In this example, it enables this policy:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-For PDF files, they will be logged with signatures.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-For the file matching this SHA, it will be blocked\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-For all file types identified, they will be logged with signature, and\r
-also captured onto log folder.\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_file_capture">File Capture</h4>\r
-<div class="paragraph"><p>File can be captured and stored to log folder. We use SHA as file name\r
-instead of actual file name to avoid conflicts. You can capture either\r
-all files, some file type, or a particular file based on SHA.</p></div>\r
-<div class="paragraph"><p>You can enable file capture through this config:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>enable_capture = true,</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>or enable it for some file or file type in your file policy:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>{ when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_capture = true } },</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The above rule will enable PDF file capture.</p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_file_events">File Events</h4>\r
-<div class="paragraph"><p>File inspect preprocessor also works as a dynamic output plugin for file\r
-events. It logs basic information about file. The log file is in the same\r
-folder as other log files with name starting with "file.log".</p></div>\r
-<div class="paragraph"><p>Example:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>file_log = { log_pkt_time = true, log_sys_time = false }</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>All file events will be logged in packet time, system time is not logged.</p></div>\r
-<div class="paragraph"><p>File event example:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>08/14-19:14:19.100891 10.22.75.72:33734 -> 10.22.75.36:80,\r
-[Name: "malware.exe"] [Verdict: Block] [Type: MSEXE]\r
-[SHA: 6F26E721FDB1AAFD29B41BCF90196DEE3A5412550615A856DAE8E3634BCE9F7A]\r
-[Size: 1039328]</code></pre>\r
-</div></div>\r
-</div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_high_availability">High Availability</h3>\r
-<div class="paragraph"><p>High Availability includes the HA flow synchronization and the SideChannel\r
-messaging subsystems.</p></div>\r
-<div class="sect3">\r
-<h4 id="_ha">HA</h4>\r
-<div class="paragraph"><p>HighAvailability (or HA) is a Snort module that provides state coherency\r
-between two partner snort instances. It uses SideChannel for messaging.</p></div>\r
-<div class="paragraph"><p>There can be multiple types of HA within Snort and Snort plugins. HA\r
-implements an extensible architecture to enable plugins to subscribe to the\r
-base flow HA messaging. These plugins can then include their own messages\r
-along with the flow cache HA messages.</p></div>\r
-<div class="paragraph"><p>HA produces and consumes two type of messages:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-Update - Update flow status. Plugins may add their own data to the messages\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Delete - A flow has been removed from the cache\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>The HA module is configured with these items:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>high_availability =\r
-{\r
- ports = "1",\r
- enable = true,\r
- min_age = 0,\r
- min_sync = 0\r
-}</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The <em>ports</em> item maps to the SideChannel port to use for the HA messaging.</p></div>\r
-<div class="paragraph"><p>The <em>enabled</em> item controls the overall HA operation.</p></div>\r
-<div class="paragraph"><p>The items min_age and min_sync are used in the stream HA logic. min_age is\r
-the number of milliseconds that a flow must exist in the flow cache before sending\r
-HA messages to the partner. min_sync is the minimum time between HA status\r
-updates. HA messages for a particular flow will not be sent faster than\r
-min_sync. Both are expressed as a number of milliseconds.</p></div>\r
-<div class="paragraph"><p>HA messages are composed of the base <em>stream</em> information plus any content\r
-from additional modules. Modules subscribe HA in order to add message\r
-content. The <em>stream</em> HA content is always present in the messages while\r
-the ancillary module content is only present when requested via a status\r
-change request.</p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_connector">Connector</h4>\r
-<div class="paragraph"><p>Connectors are a set of modules that are used to exchange message-oriented\r
-data among Snort threads and the external world. A typical use-case is\r
-HA (High Availability) message exchange. Connectors serve to decouple the\r
-message transport from the message creation/consumption. Connectors expose\r
-a common API for several forms of message transport.</p></div>\r
-<div class="paragraph"><p>Connectors are a Snort plugin type.</p></div>\r
-<div class="sect4">\r
-<h5 id="_connector_parent_plugin_class">Connector (parent plugin class)</h5>\r
-<div class="paragraph"><p>Connectors may either be a simplex channel and perform unidirectional\r
-communications. Or may be duplex and perform bidirectional communications.\r
-The TcpConnector is duplex while the FileConnector is simplex.</p></div>\r
-<div class="paragraph"><p>All subtypes of Connector have a <em>direction</em> configuration element and a\r
-<em>connector</em> element. The <em>connector</em> string is the key used to identify the\r
-element for sidechannel configuration. The <em>direction</em> element may have a\r
-default value, for instance TcpConnector’s are <em>duplex</em>.</p></div>\r
-<div class="paragraph"><p>There are currently two implementations of Connectors:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-TcpConnector - Exchange messages over a tcp channel.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-FileConnector - Write messages to files and read messages from files.\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_tcpconnector">TcpConnector</h5>\r
-<div class="paragraph"><p>TcpConnector is a subclass of Connector and implements a DUPLEX type Connector,\r
-able to send and receive messages over a tcp session.</p></div>\r
-<div class="paragraph"><p>TcpConnector adds a few session setup configuration elements:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-setup = <em>call</em> or <em>answer</em> - <em>call</em> is used to have TcpConnector initiate\r
- the connection. <em>answer</em> is used to have TcpConnector accept incoming\r
- connections.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-address = <em><addr></em> - used for <em>call</em> setup to specify the partner\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-base_port = port - used to contruct the actual port number for <em>call</em> and\r
- <em>answer</em> modes. Actual port used is (base_port + instance_id).\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>An example segment of TcpConnector configuration:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>tcp_connector =\r
-{\r
- {\r
- connector = 'tcp_1',\r
- address = '127.0.0.1',\r
- setup = 'call',\r
- base_port = 11000\r
- },\r
-}</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_fileconnector">FileConnector</h5>\r
-<div class="paragraph"><p>FileConnector implements a Connector that can either read from files or write\r
-to files. FileConnector’s are simplex and must be configured to be\r
-CONN_TRANSMIT or CONN_RECEIVE.</p></div>\r
-<div class="paragraph"><p>FileConnector configuration adds two additional element:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-name = string - used as part of the message file name\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-format = <em>text</em> or <em>binary</em> - FileConnector supports two file types\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>The configured <em>name</em> string is used to construct the actual names as in:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-file_connector_NAME_transmit and file_connector_NAME_receive\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>All messages for one Snort invocation are read and written to one file.</p></div>\r
-<div class="paragraph"><p>In the case of a receive FileConnector, all messages are read from the file\r
-prior to the start of packet processing. This allows the messages to\r
-establish state information for all processed packets.</p></div>\r
-<div class="paragraph"><p>Connectors are used solely by SideChannel</p></div>\r
-<div class="paragraph"><p>An example segment of FileConnector configuration:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>file_connector =\r
-{\r
- {\r
- connector = 'file_tx_1',\r
- direction = 'transmit',\r
- format = 'text',\r
- name = 'HA'\r
- },\r
- {\r
- connector = 'file_rx_1',\r
- direction = 'receive',\r
- format = 'text',\r
- name = 'HA'\r
- },\r
-}</code></pre>\r
-</div></div>\r
-</div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_side_channel">Side Channel</h4>\r
-<div class="paragraph"><p>SideChannel is a Snort module that uses Connectors to implement a messaging\r
-infrastructure that is used to communicate between Snort threads and the\r
-outside world.</p></div>\r
-<div class="paragraph"><p>SideChannel adds functionality onto the Connector as:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-message multiplexing/demultiplexing - An additional protocol layer is\r
- added to the messages. This port number is used to direct message to/from\r
- various SideClass instancs.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-application receive processing - handler for received messages on a\r
- specific port.\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>SideChannel’s are always implement a duplex (bidirectional) messaging model\r
-and can map to separate transmit and receive Connectors.</p></div>\r
-<div class="paragraph"><p>The message handling model leverages the underlying Connector handling. So\r
-please refer to the Connector documentation.</p></div>\r
-<div class="paragraph"><p>SideChannel’s are instantiated by various applications. The SideChannel port\r
-numbers are the configuration element used to map SideChannel’s to\r
-applications.</p></div>\r
-<div class="paragraph"><p>The SideChannel configuration mostly serves to map a port number to a Connector\r
-or set of connectors. Each port mapping can have at most one transmit plus\r
-one receive connector or one duplex connector. Multiple SideChannel’s\r
-may be configured and instantiated to support multiple applications.</p></div>\r
-<div class="paragraph"><p>An example SideChannel configuration along with the corresponding Connector\r
-configuration:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>side_channel =\r
-{\r
- {\r
- ports = '1',\r
- connectors =\r
- {\r
- {\r
- connector = 'file_rx_1',\r
- },\r
- {\r
- connector = 'file_tx_1',\r
- }\r
- },\r
- },\r
-}</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>file_connector =\r
-{\r
- {\r
- connector = 'file_tx_1',\r
- direction = 'transmit',\r
- format = 'text',\r
- name = 'HA'\r
- },\r
- {\r
- connector = 'file_rx_1',\r
- direction = 'receive',\r
- format = 'text',\r
- name = 'HA'\r
- },\r
-}</code></pre>\r
-</div></div>\r
-</div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_ftp">FTP</h3>\r
-<div class="paragraph"><p>Given an FTP command channel buffer, FTP will interpret the data,\r
-identifying FTP commands and parameters, as well as FTP response codes\r
-and messages. It will enforce correctness of the parameters, determine\r
-when an FTP command connection is encrypted, and determine when an FTP\r
-data channel is opened.</p></div>\r
-<div class="sect3">\r
-<h4 id="_configuring_the_inspector_to_block_exploits_and_attacks">Configuring the inspector to block exploits and attacks</h4>\r
-<div class="sect4">\r
-<h5 id="_ftp_server_configuration">ftp_server configuration</h5>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-ftp_cmds\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>This specifies additional FTP commands outside of those checked by\r
-default within the inspector. The inspector may be configured\r
-to generate an alert when it sees a command it does not recognize.</p></div>\r
-<div class="paragraph"><p>Aside from the default commands recognized, it may be necessary to\r
-allow the use of the "X" commands, specified in RFC 775. To do so, use\r
-the following ftp_cmds option. Since these are rarely used by FTP\r
-client implementations, they are not included in the defaults.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>ftp_cmds = [[ XPWD XCWD XCUP XMKD XRMD ]]</code></pre>\r
-</div></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-def_max_param_len\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>This specifies the default maximum parameter length for all commands\r
-in bytes. If the parameter for an FTP command exceeds that length,\r
-and the inspector is configured to do so, an alert will be generated.\r
-This is used to check for buffer overflow exploits within FTP servers.</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-cmd_validity\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>This specifies the valid format and length for parameters of a given command.</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-cmd_validity[].len\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>This specifies the maximum parameter length for the specified command\r
-in bytes, overriding the default. If the parameter for that FTP command\r
-exceeds that length, and the inspector is configured to do so, an\r
-alert will be generated. It can be used to restrict specific commands to\r
-small parameter values. For example the USER command — usernames may\r
-be no longer than 16 bytes, so the appropriate configuration would be:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>cmd_validity =\r
-{\r
- {\r
- command = 'USER',\r
- length = 16,\r
- }\r
-}</code></pre>\r
-</div></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-cmd_validity[].format\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>format is as follows:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>int Param must be an integer\r
-number Param must be an integer between 1 and 255\r
-char <chars> Param must be a single char, and one of <chars>\r
-date <datefmt> Param follows format specified where\r
- # = Number, C=Char, []=optional, |=OR, {}=choice,\r
- anything else=literal (i.e., .+- )\r
-string Param is string (effectively unrestricted)\r
-host_port Param must a host port specifier, per RFC 959.\r
-long_host_port Parameter must be a long host port specified, per RFC 1639\r
-extended_host_port Parameter must be an extended host port specified, per RFC 2428</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Examples of the cmd_validity option are shown below. These examples\r
-are the default checks (per RFC 959 and others) performed by the\r
-inspector.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>cmd_validity =\r
-{\r
- {\r
- command = 'CWD',\r
- length = 200,\r
- },\r
- {\r
- command = 'MODE',\r
- format = '< char SBC >',\r
- },\r
- {\r
- command = 'STRU',\r
- format = '< char FRP >',\r
- },\r
- {\r
- command = 'ALLO',\r
- format = '< int [ char R int ] >',\r
- },\r
- {\r
- command = 'TYPE',\r
- format = [[ < { char AE [ char NTC ] | char I | char L [ number ]\r
- } > ]],\r
- },\r
- {\r
- command = 'PORT',\r
- format = '< host_port >',\r
- },\r
-}</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>A cmd_validity entry in the configuration can be used to override these\r
-defaults and/or add a check for other commands. A few examples follow.</p></div>\r
-<div class="paragraph"><p>This allows additional modes, including mode Z which allows for\r
-zip-style compression:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>cmd_validity =\r
-{\r
- {\r
- command = 'MODE',\r
- format = '< char ASBCZ >',\r
- },\r
-}</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Allow for a date in the MDTM command:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>cmd_validity =\r
-{\r
- {\r
- command = 'MDTM',\r
- format = '< [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string >',\r
- },\r
-}</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>MDTM is an odd case that is worth discussing…</p></div>\r
-<div class="paragraph"><p>While not part of an established standard, certain FTP servers accept\r
-MDTM commands that set the modification time on a file. The most common\r
-among servers that do, accept a format using YYYYMMDDHHmmss[.uuu]. Some\r
-others accept a format using YYYYMMDDHHmmss[+|-]TZ format. The example\r
-above is for the first case.</p></div>\r
-<div class="paragraph"><p>To check validity for a server that uses the TZ format, use the following:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>cmd_validity =\r
-{\r
- {\r
- command = 'MDTM',\r
- format = '< [ date nnnnnnnnnnnnnn[{+|-}n[n]] ] string >',\r
- },\r
-}</code></pre>\r
-</div></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-chk_str_fmt\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>This causes the inspector to check for string format attacks on\r
-the specified commands.</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-telnet_cmds\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Detect and alert when telnet cmds are seen on the FTP command channel.</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-ignore_telnet_erase_cmds\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>This option allows Snort to ignore telnet escape sequences for erase character\r
-(TNC EAC) and erase line (TNC EAL) when normalizing FTP command channel. Some\r
-FTP servers do not process those telnet escape sequences.</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-ignore_data_chan\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>When set to true, causes the FTP inspector to force the rest of snort\r
-to ignore the FTP data channel connections. NO INSPECTION other than state\r
-(inspector AND rules) will be performed on that data channel. It can\r
-be turned on to improve performance — especially with respect to large\r
-file transfers from a trusted source — by ignoring traffic. If your rule\r
-set includes virus-type rules, it is recommended that this option not be used.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_ftp_client_configuration">ftp_client configuration</h5>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-max_resp_len\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>This specifies the maximum length for all response messages in bytes.\r
-If the message for an FTP response (everything after the 3 digit code)\r
-exceeds that length, and the inspector is configured to do so, an\r
-alert will be generated. This is used to check for buffer overflow\r
-exploits within FTP clients.</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-telnet_cmds\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Detect and alert when telnet cmds are seen on the FTP command channel.</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-ignore_telnet_erase_cmds\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>This option allows Snort to ignore telnet escape sequences for erase character\r
-(TNC EAC) and erase line (TNC EAL) when normalizing FTP command channel. Some\r
-FTP clients do not process those telnet escape sequences.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_ftp_data">ftp_data</h5>\r
-<div class="paragraph"><p>In order to enable file inspection for ftp, the following should be added to the\r
-configuration:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>ftp_data = {}</code></pre>\r
-</div></div>\r
-</div>\r
-</div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_inspector">HTTP Inspector</h3>\r
-<div class="paragraph"><p>One of the major undertakings for Snort 3 is developing a completely new\r
-HTTP inspector.</p></div>\r
-<div class="sect3">\r
-<h4 id="_overview_5">Overview</h4>\r
-<div class="paragraph"><p>You can configure it by adding:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>http_inspect = {}</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>to your snort.lua configuration file. Or you can read about it in the\r
-source code under src/service_inspectors/http_inspect.</p></div>\r
-<div class="paragraph"><p>So why a new HTTP inspector?</p></div>\r
-<div class="paragraph"><p>For starters it is object-oriented. That’s good for us because we maintain\r
-this software. But it should also be really nice for open-source\r
-developers. You can make meaningful changes and additions to HTTP\r
-processing without having to understand the whole thing. In fact much of\r
-the new HTTP inspector’s knowledge of HTTP is centralized in a series of\r
-tables where it can be easily reviewed and modified. Many significant\r
-changes can be made just by updating these tables.</p></div>\r
-<div class="paragraph"><p>http_inspect is the first inspector written specifically for the new\r
-Snort 3 architecture. This provides access to one of the very best features\r
-of Snort 3: purely PDU-based inspection. The classic preprocessor processes\r
-HTTP messages, but even while doing so it is constantly aware of IP packets\r
-and how they divide up the TCP data stream. The same HTTP message might be\r
-processed differently depending on how the sender (bad guy) divided it up\r
-into IP packets.</p></div>\r
-<div class="paragraph"><p>http_inspect is free of this burden and can focus exclusively on HTTP.\r
-This makes it much simpler, easier to test, and less prone to false\r
-positives. It also greatly reduces the opportunity for adversaries to probe\r
-the inspector for weak spots by adjusting packet boundaries to disguise bad\r
-behavior.</p></div>\r
-<div class="paragraph"><p>Dealing solely with HTTP messages also opens the door for developing major\r
-new features. The http_inspect design supports true stateful processing.\r
-Want to ask questions that involve both the client request and the server\r
-response? Or different requests in the same session? These things are\r
-possible.</p></div>\r
-<div class="paragraph"><p>Another new feature on the horizon is HTTP/2 analysis. HTTP/2 derives from\r
-Google’s SPDY project and is in the process of being standardized. Despite\r
-the name, it is better to think of HTTP/2 not as a newer version of\r
-HTTP/1.1, but rather a separate protocol layer that runs under HTTP/1.1 and\r
-on top of TLS or TCP. It’s a perfect fit for the new Snort 3 architecture\r
-because a new HTTP/2 inspector would naturally output HTTP/1.1 messages but\r
-not any underlying packets. Exactly what http_inspect wants to input.</p></div>\r
-<div class="paragraph"><p>http_inspect is taking a very different approach to HTTP header fields. The\r
-classic preprocessor divides all the HTTP headers following the start line\r
-into cookies and everything else. It normalizes the two pieces using a\r
-generic process and puts them in buffers that one can write rules against.\r
-There is some limited support for examining individual headers within the\r
-inspector but it is very specific.</p></div>\r
-<div class="paragraph"><p>The new concept is that every header should be normalized in an appropriate\r
-and specific way and individually made available for the user to write\r
-rules against it. If for example a header is supposed to be a date then\r
-normalization means put that date in a standard format.</p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_configuration_4">Configuration</h4>\r
-<div class="paragraph"><p>Configuration can be as simple as adding:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>http_inspect = {}</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>to your snort.lua file. The default configuration provides a thorough\r
-inspection and may be all that you need. But there are some options that\r
-provide extra features, tweak how things are done, or conserve resources by\r
-doing less.</p></div>\r
-<div class="sect4">\r
-<h5 id="_request_depth_and_response_depth">request_depth and response_depth</h5>\r
-<div class="paragraph"><p>These replace the flow depth parameters used by the old HTTP inspector but\r
-they work differently.</p></div>\r
-<div class="paragraph"><p>The default is to inspect the entire HTTP message body. That’s a very sound\r
-approach but if your HTTP traffic includes many very large files such as\r
-videos the load on Snort can become burdensome. Setting the request_depth\r
-and response_depth parameters will limit the amount of body data that is\r
-sent to the rule engine. For example:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>request_depth = 10000,\r
-response_depth = 80000,</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>would examine only the first 10000 bytes of POST, PUT, and other message\r
-bodies sent by the client. Responses from the server would be limited to\r
-80000 bytes.</p></div>\r
-<div class="paragraph"><p>These limits apply only to the message bodies. HTTP headers are always\r
-completely inspected.</p></div>\r
-<div class="paragraph"><p>If you want to only inspect headers and no body, set the depth to 0. If\r
-you want to inspect the entire body set the depth to -1 or simply omit the\r
-depth parameter entirely because that is the default.</p></div>\r
-<div class="paragraph"><p>These limits have no effect on how much data is forwarded to file\r
-processing.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_detained_inspection">detained_inspection</h5>\r
-<div class="paragraph"><p>Detained inspection is an experimental feature currently under development.\r
-It enables Snort to more quickly detect and block response messages\r
-containing malicious JavaScript. As this feature involves actively blocking\r
-traffic it is designed for use with inline mode operation (-Q).</p></div>\r
-<div class="paragraph"><p>This feature is off by default. detained_inspection = true will activate\r
-it.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_gzip">gzip</h5>\r
-<div class="paragraph"><p>http_inspect by default decompresses deflate and gzip message bodies\r
-before inspecting them. This feature can be turned off by unzip = false.\r
-Turning off decompression provides a substantial performance improvement\r
-but at a very high price. It is unlikely that any meaningful inspection of\r
-message bodies will be possible. Effectively HTTP processing would be\r
-limited to the headers.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_normalize_utf">normalize_utf</h5>\r
-<div class="paragraph"><p>http_inspect will decode utf-8, utf-7, utf-16le, utf-16be, utf-32le, and\r
-utf-32be in response message bodies based on the Content-Type header. This\r
-feature is on by default: normalize_utf = false will deactivate it.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_decompress_pdf">decompress_pdf</h5>\r
-<div class="paragraph"><p>decompress_pdf = true will enable decompression of compressed portions of\r
-PDF files encountered in a response body. http_inspect will examine the\r
-response body for PDF files that are then parsed to locate PDF streams with\r
-a single /FlateDecode filter. The compressed content is decompressed and\r
-made available through the file data rule option.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_decompress_swf">decompress_swf</h5>\r
-<div class="paragraph"><p>decompress_swf = true will enable decompression of compressed SWF (Adobe\r
-Flash content) files encountered in a response body. The available\r
-decompression modes are ’deflate’ and ’lzma’. http_inspect will search for\r
-the file signatures CWS for Deflate/ZLIB and ZWS for LZMA. The compressed\r
-content is decompressed and made available through the file data rule\r
-option. The compressed SWF file signature is converted to FWS to indicate\r
-an uncompressed file.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_normalize_javascript">normalize_javascript</h5>\r
-<div class="paragraph"><p>normalize_javascript = true will enable normalization of JavaScript within\r
-the HTTP response body. http_inspect looks for JavaScript by searching for\r
-the <script> tag without a type. Obfuscated data within the JavaScript\r
-functions such as unescape, String.fromCharCode, decodeURI, and\r
-decodeURIComponent are normalized. The different encodings handled within\r
-the unescape, decodeURI, or decodeURIComponent are %XX, %uXXXX, XX and\r
-uXXXXi. http_inspect also replaces consecutive whitespaces with a single\r
-space and normalizes the plus by concatenating the strings.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_uri_processing">URI processing</h5>\r
-<div class="paragraph"><p>Normalization and inspection of the URI in the HTTP request message is a\r
-key aspect of what http_inspect does. The best way to normalize a URI is\r
-very dependent on the idiosyncrasies of the HTTP server being accessed.\r
-The goal is to interpret the URI the same way as the server will so that\r
-nothing the server will see can be hidden from the rule engine.</p></div>\r
-<div class="paragraph"><p>The default URI inspection parameters are oriented toward following the\r
-HTTP RFCs—reading the URI the way the standards say it should be read.\r
-Most servers deviate from this ideal in various ways that can be exploited\r
-by an attacker. The options provide tools for the user to cope with that.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>utf8 = true\r
-plus_to_space = true\r
-percent_u = false\r
-utf8_bare_byte = false\r
-iis_unicode = false\r
-iis_double_decode = true</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The HTTP inspector normalizes percent encodings found in URIs. For instance\r
-it will convert "%48%69%64%64%65%6e" to "Hidden". All the options listed\r
-above control how this is done. The options listed as true are fairly\r
-standard features that are decoded by default. You don’t need to list them\r
-in snort.lua unless you want to turn them off by setting them to false. But\r
-that is not recommended unless you know what you are doing and have a\r
-definite reason.</p></div>\r
-<div class="paragraph"><p>The other options are primarily for the protection of servers that support\r
-irregular forms of decoding. These features are off by default but you can\r
-activate them if you need to by setting them to true in snort.lua.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>bad_characters = "0x25 0x7e 0x6b 0x80 0x81 0x82 0x83 0x84"</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>That’s a list of 8-bit Ascii characters that you don’t want present in any\r
-normalized URI after the percent decoding is done. For example 0x25 is a\r
-hexadecimal number (37 in decimal) which stands for the <em>%</em> character. The\r
-% character is legitimately used for encoding special characters in a URI.\r
-But if there is still a percent after normalization one might conclude that\r
-something is wrong. If you choose to configure 0x25 as a bad character\r
-there will be an alert whenever this happens.</p></div>\r
-<div class="paragraph"><p>Another example is 0x00 which signifies the null character zero. Null\r
-characters in a URI are generally wrong and very suspicious.</p></div>\r
-<div class="paragraph"><p>The default is not to alert on any of the 256 8-bit Ascii characters. Add\r
-this option to your configuration if you want to define some bad\r
-characters.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>ignore_unreserved = "abc123"</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Percent encoding common characters such as letters and numbers that have no\r
-special meaning in HTTP is suspicious. It’s legal but why would you do it\r
-unless you have something to hide? http_inspect will alert whenever an\r
-upper-case or lower-case letter, a digit, period, underscore, tilde, or\r
-minus is percent-encoded. But if a legitimate application in your\r
-environment encodes some of these characters for some reason this allows\r
-you to create exemptions for those characters.</p></div>\r
-<div class="paragraph"><p>In the example, the lower-case letters a, b, and c and the digits 1, 2, and\r
-3 are exempted. These may be percent-encoded without generating an alert.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>simplify_path = true\r
-backslash_to_slash = true</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>HTTP inspector simplifies directory paths in URIs by eliminating extra\r
-traversals using ., .., and /.</p></div>\r
-<div class="paragraph"><p>For example I can take a simple URI such as</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>/very/easy/example</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>and complicate it like this:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>/very/../very/././././easy//////detour/to/nowhere/../.././../example</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>which may be very difficult to match with a detection rule. simplify_path\r
-is on by default and you should not turn it off unless you have no interest\r
-in URI paths.</p></div>\r
-<div class="paragraph"><p>backslash_to_slash is a tweak to path simplification for servers that allow\r
-directories to be separated by backslashes:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>/this/is/the/normal/way/to/write/a/path</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>\this\is\the\other\way\to\write\a\path</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>backslash_to_slash is turned on by default. It replaces all the backslashes\r
-with slashes during normalization.</p></div>\r
-</div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_connect_processing">CONNECT processing</h4>\r
-<div class="paragraph"><p>The HTTP CONNECT method is used by a client to establish a tunnel to a destination via an HTTP proxy\r
-server. If the connection is successful the server will send a 2XX success response to the client,\r
-then proceed to blindly forward traffic between the client and destination. That traffic belongs to\r
-a new session between the client and destination and may be of any protocol, so clearly the HTTP\r
-inspector will be unable to continue processing traffic following the CONNECT message as if it were\r
-just a continuation of the original HTTP/1.1 session.</p></div>\r
-<div class="paragraph"><p>Therefore upon receiving a success response to a CONNECT request, the HTTP inspector will stop\r
-inspecting the session. The next packet will return to the wizard, which will determine the\r
-appropriate inspector to continue processing the flow. If the tunneled protocol happens to be\r
-HTTP/1.1, the HTTP inspector will again start inspecting the flow, but as an entirely new session.</p></div>\r
-<div class="paragraph"><p>There is one scenario where the cutover to the wizard will not occur despite a 2XX success response\r
-to a CONNECT request. HTTP allows for pipelining, or sending multiple requests without waiting for a\r
-response. If the HTTP inspector sees any further traffic from the client after a CONNECT request\r
-before it has seen the CONNECT response, it is unclear whether this traffic should be interpreted as\r
-a pipelined HTTP request or tunnel traffic sent in anticipation of a success response from the\r
-server. Due to this potential evasion tactic, the HTTP inspector will not cut over to the wizard if\r
-it sees any early client-to-server traffic, but will continue normal HTTP processing of the flow\r
-regardless of the eventual server response.</p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_detection_rules">Detection rules</h4>\r
-<div class="paragraph"><p>http_inspect parses HTTP messages into their components and makes them\r
-available to the detection engine through rule options. Let’s start with an\r
-example:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>alert tcp any any -> any any ( msg:"URI example"; flow:established,\r
-to_server; http_uri; content:"chocolate"; sid:1; rev:1; )</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>This rule looks for chocolate in the URI portion of the request message.\r
-Specifically, the http_uri rule option is the normalized URI with all the\r
-percent encodings removed. It will find chocolate in both:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>GET /chocolate/cake HTTP/1.1</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>and</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>GET /%63%68$6F%63%6F%6C%61%74%65/%63%61%6B%65 HTTP/1.1</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>It is also possible to search the unnormalized URI</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>alert tcp any any -> any any ( msg:"Raw URI example"; flow:established,\r
-to_server; http_raw_uri; content:"chocolate"; sid:2; rev:1; )</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>will match the first message but not the second. If you want to detect\r
-someone who is trying to hide his request for chocolate then</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>alert tcp any any -> any any ( msg:"Raw URI example"; flow:established,\r
-to_server; http_raw_uri; content:"%63%68$6F%63%6F%6C%61%74%65";\r
-sid:3; rev:1; )</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>will do the trick.</p></div>\r
-<div class="paragraph"><p>Let’s look at possible ways of writing a rule to match HTTP response\r
-messages with the Content-Language header set to "da" (Danish). You could\r
-write:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>alert tcp any any -> any any ( msg:"whole header search";\r
-flow:established, to_client; http_header; content:\r
-"Content-Language: da", nocase; sid:4; rev:1; )</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>This rule leaves much to be desired. Modern headers are often thousands of\r
-bytes and seem to get longer every year. Searching all of the headers\r
-consumes a lot of resources. Furthermore this rule is easily evaded:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>HTTP/1.1 ... Content-Language: da ...</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>the extra space before the "da" throws the rule off. Or how about:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>HTTP/1.1 ... Content-Language: xx,da ...</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>By adding a made up second language the attacker has once again thwarted\r
-the match.</p></div>\r
-<div class="paragraph"><p>A better way to write this rule is:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>alert tcp any any -> any any ( msg:"individual header search";\r
-flow:established, to_client; http_header: field content-language;\r
-content:"da", nocase; sid:4; rev:2; )</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The field option improves performance by narrowing the search to the\r
-Content-Language field of the header. Because it uses the header parsing\r
-abilities of http_inspect to find the field of interest it will not be\r
-thrown off by extra spaces or other languages in the list.</p></div>\r
-<div class="paragraph"><p>In addition to the headers there are rule options for virtually every part\r
-of the HTTP message.</p></div>\r
-<div class="sect4">\r
-<h5 id="_http_uri_and_http_raw_uri">http_uri and http_raw_uri</h5>\r
-<div class="paragraph"><p>These provide the URI of the request message. The raw form is exactly as it\r
-appeared in the message and the normalized form is determined by the URI\r
-normalization options you selected. In addition to searching the entire URI\r
-there are six components that can be searched individually:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>alert tcp any any -> any any ( msg:"URI path"; flow:established,\r
-to_server; http_uri: path; content:"chocolate"; sid:1; rev:2; )</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>By specifying "path" the search is limited to the path portion of the URI.\r
-Informally this is the part consisting of the directory path and file name.\r
-Thus it will match:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>GET /chocolate/cake HTTP/1.1</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>but not:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>GET /book/recipes?chocolate+cake HTTP/1.1</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The question mark ends the path and begins the query portion of the URI.\r
-Informally the query is where parameter values are set and often contains a\r
-search to be performed.</p></div>\r
-<div class="paragraph"><p>The six components are:</p></div>\r
-<div class="olist arabic"><ol class="arabic">\r
-<li>\r
-<p>\r
-path: directory and file\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-query: user parameters\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-fragment: part of the file requested, normally found only inside a\r
- browser and not transmitted over the network\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-host: domain name of the server being addressed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-port: TCP port number being addressed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-scheme: normally "http" or "https" but others are possible such as "ftp"\r
-</p>\r
-</li>\r
-</ol></div>\r
-<div class="paragraph"><p>Here is an example with all six:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>GET https://www.samplehost.com:287/basic/example/of/path?with-query\r
-#and-fragment HTTP/1.1\r\n</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The URI is everything between the first space and the last space. "https"\r
-is the scheme, "www.samplehost.com" is the host, "287" is the port,\r
-"/basic/example/of/path" is the path, "with-query" is the query, and\r
-"and-fragment" is the fragment.</p></div>\r
-<div class="paragraph"><p>http_uri represents the normalized uri, normalization of components depends\r
-on uri type. If the uri is of type absolute (contains all six components) or\r
-absolute path (contains path, query and fragment) then the path and query\r
-components are normalized. In these cases, http_uri represents the normalized\r
-path, query, and fragment (/path?query#fragment). If the uri is of type\r
-authority (host and port), the host is normalized and http_uri represents the\r
-normalized host with the port number. In all other cases http_uri is the same\r
-as http_raw_uri.</p></div>\r
-<div class="paragraph"><p>Note: this section uses informal language to explain some things. Nothing\r
-here is intended to conflict with the technical language of the HTTP RFCs\r
-and the implementation follows the RFCs.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_http_header_and_http_raw_header">http_header and http_raw_header</h5>\r
-<div class="paragraph"><p>These cover all the header lines except the first one. You may specify an\r
-individual header by name using the field option as shown in this earlier\r
-example:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>alert tcp any any -> any any ( msg:"individual header search";\r
-flow:established, to_client; http_header: field content-language;\r
-content:"da", nocase; sid:4; rev:2; )</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>This rule searches the value of the Content-Language header. Header names\r
-are not case sensitive and may be written in the rule in any mixture of\r
-upper and lower case.</p></div>\r
-<div class="paragraph"><p>With http_header the individual header value is normalized in a way that is\r
-appropriate for that header.</p></div>\r
-<div class="paragraph"><p>Specifying an individual header is not available for http_raw_header.</p></div>\r
-<div class="paragraph"><p>If you don’t specify a header you get all of the headers except for the\r
-cookie headers Cookie and Set-Cookie. http_raw_header includes the\r
-unmodified header names and values as they appeared in the original\r
-message. http_header is the same except percent encodings are removed and\r
-paths are simplified exactly as if the headers were a URI.</p></div>\r
-<div class="paragraph"><p>In most cases specifying individual headers creates a more efficient and\r
-accurate rule. It is recommended that new rules be written using individual\r
-headers whenever possible.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_http_trailer_and_http_raw_trailer">http_trailer and http_raw_trailer</h5>\r
-<div class="paragraph"><p>HTTP permits header lines to appear after a chunked body ends. Typically\r
-they contain information about the message content that was not available\r
-when the headers were created. For convenience we call them trailers.</p></div>\r
-<div class="paragraph"><p>http_trailer and http_raw_trailer are identical to their header\r
-counterparts except they apply to these end headers. If you want a rule to\r
-inspect both kinds of headers you need to write two rules, one using header\r
-and one using trailer.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_http_cookie_and_http_raw_cookie">http_cookie and http_raw_cookie</h5>\r
-<div class="paragraph"><p>These provide the value of the Cookie header for a request message and the\r
-Set-Cookie for a response message. If multiple cookies are present they\r
-will be concatenated into a comma-separated list.</p></div>\r
-<div class="paragraph"><p>Normalization for http_cookie is the same URI-style normalization applied\r
-to http_header when no specific header is specified.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_http_true_ip">http_true_ip</h5>\r
-<div class="paragraph"><p>This provides the original IP address of the client sending the request as\r
-it was stored by a proxy in the request message headers. Specifically it\r
-is the last IP address listed in the X-Forwarded-For or True-Client-IP\r
-header. If both headers are present the former is used.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_http_client_body">http_client_body</h5>\r
-<div class="paragraph"><p>This is the body of a request message such as POST or PUT. Normalization\r
-for http_client_body is the same URI-like normalization applied to\r
-http_header when no specific header is specified.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_http_raw_body">http_raw_body</h5>\r
-<div class="paragraph"><p>This is the body of a request or response message. It will be dechunked\r
-and unzipped if applicable but will not be normalized in any other way.\r
-The difference between http_raw_body and packet data is a rule that uses\r
-packet data will search and may match an HTTP header, but http_raw_body\r
-is limited to the message body. Thus the latter is more efficient and\r
-more accurate for most uses.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_http_method">http_method</h5>\r
-<div class="paragraph"><p>The method field of a request message. Common values are "GET", "POST",\r
-"OPTIONS", "HEAD", "DELETE", "PUT", "TRACE", and "CONNECT".</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_http_stat_code">http_stat_code</h5>\r
-<div class="paragraph"><p>The status code field of a response message. This is normally a 3-digit\r
-number between 100 and 599. In this example it is 200.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>HTTP/1.1 200 OK</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_http_stat_msg">http_stat_msg</h5>\r
-<div class="paragraph"><p>The reason phrase field of a response message. This is the human-readable\r
-text following the status code. "OK" in the previous example.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_http_version">http_version</h5>\r
-<div class="paragraph"><p>The protocol version information that appears on the first line of an HTTP\r
-message. This is usually "HTTP/1.0" or "HTTP/1.1".</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_http_raw_request_and_http_raw_status">http_raw_request and http_raw_status</h5>\r
-<div class="paragraph"><p>These are the unmodified first header line of the HTTP request and response\r
-messages respectively. These rule options are a safety valve in case you\r
-need to do something you cannot otherwise do. In most cases it is better to\r
-use a rule option for a specific part of the first header line. For a\r
-request message those are http_method, http_raw_uri, and http_version. For\r
-a response message those are http_version, http_stat_code, and\r
-http_stat_msg.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_file_data_and_packet_data">file_data and packet data</h5>\r
-<div class="paragraph"><p>file_data contains the normalized message body. This is the normalization\r
-described above under gzip, normalize_utf, decompress_pdf, decompress_swf,\r
-and normalize_javascript.</p></div>\r
-<div class="paragraph"><p>The unnormalized message content is available in the packet data. If gzip\r
-is configured the packet data will be unzipped.</p></div>\r
-</div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_timing_issues_and_combining_rule_options">Timing issues and combining rule options</h4>\r
-<div class="paragraph"><p>HTTP inspector is stateful. That means it is aware of a bigger picture than\r
-the packet in front of it. It knows what all the pieces of a message are,\r
-the dividing lines between one message and the next, which request message\r
-triggered which response message, pipelines, and how many messages have\r
-been sent over the current connection.</p></div>\r
-<div class="paragraph"><p>Some rules use a single rule option:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>alert tcp any any -> any any ( msg:"URI example"; flow:established,\r
-to_server; http_uri; content:"chocolate"; sid:1; rev:1; )</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Whenever a new URI is available this rule will be evaluated. Nothing\r
-complicated about that, but suppose we use more than one rule option:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>alert tcp any any -> any any ( msg:"combined example"; flow:established,\r
-to_server; http_uri: with_body; content:"chocolate"; file_data;\r
-content:"sinister POST data"; sid:5; rev:1; )</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The with_body option to http_uri causes the URI to be made available with\r
-the message body. Use with_body for header-related rule options in rules\r
-that also examine the message body.</p></div>\r
-<div class="paragraph"><p>The with_trailer option is analogous and causes an earlier message element\r
-to be made available at the end of the message when the trailers following\r
-a chunked body arrive.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>alert tcp any any -> any any ( msg:"double content-language";\r
-flow:established, to_client; http_header: with_trailer, field\r
-content-language; content:"da", nocase; http_trailer: field\r
-content-language; content:"en", nocase; sid:6; rev:1; )</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>This rule will alert if the Content-Language changes from Danish in the\r
-headers to English in the trailers. The with_trailer option is essential to\r
-make this rule work.</p></div>\r
-<div class="paragraph"><p>It is also possible to write rules that examine both the client request and\r
-the server response to it.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>alert tcp any any -> any any ( msg:"request and response example";\r
-flow:established, to_client; http_uri: with_body; content:"chocolate";\r
-file_data; content:"white chocolate"; sid:7; rev:1; )</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>This rule looks for white chocolate in a response message body where the\r
-URI of the request contained chocolate. Note that this is a "to_client"\r
-rule that will alert on and potentially block a server response containing\r
-white chocolate, but only if the client URI requested chocolate. If the\r
-rule were rewritten "to_server" it would be nonsense and not work. Snort\r
-cannot block a client request based on what the server response will be\r
-because that has not happened yet.</p></div>\r
-<div class="paragraph"><p>Another point is "with_body" for http_uri. This ensures the rule works on\r
-the entire response body. If we were looking for white chocolate in the\r
-response headers this would not be necessary.</p></div>\r
-<div class="paragraph"><p>Response messages do not have a URI so there was only one thing http_uri\r
-could have meant in the previous rule. It had to be referring to the\r
-request message. Sometimes that is not so clear.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>alert tcp any any -> any any ( msg:"header ambiguity example 1";\r
-flow:established, to_client; http_header: with_body; content:\r
-"chocolate"; file_data; content:"white chocolate"; sid:8; rev:1; )</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>alert tcp any any -> any any ( msg:"header ambiguity example 2";\r
-flow:established, to_client; http_header: with_body, request; content:\r
-"chocolate"; file_data; content:"white chocolate"; sid:8; rev:2; )</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Our search for chocolate has moved from the URI to the message headers.\r
-Both the request and response messages have headers—which one are we\r
-asking about? Ambiguity is always resolved in favor of looking in the\r
-current message which is the response. The first rule is looking for a\r
-server response containing chocolate in the headers and white chocolate in\r
-the body.</p></div>\r
-<div class="paragraph"><p>The second rule uses the "request" option to explicitly say that the\r
-http_header to be searched is the request header.</p></div>\r
-<div class="paragraph"><p>Let’s put all of this together. There are six opportunities to do\r
-detection:</p></div>\r
-<div class="olist arabic"><ol class="arabic">\r
-<li>\r
-<p>\r
-When the the request headers arrive. The request line and all of the\r
-headers go through detection at the same time.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-When sections of the request message body arrive. If you want to combine\r
-this with something from the request line or headers you must use the\r
-with_body option.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-When the request trailers arrive. If you want to combine this with\r
-something from the request line or headers you must use the with_trailer\r
-option.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-When the response headers arrive. The status line and all of the headers\r
-go through detection at the same time. These may be combined with elements\r
-from the request line, request headers, or request trailers. Where\r
-ambiguity arises use the request option.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-When sections of the response message body arrive. These may be combined\r
-with the status line, response headers, request line, request headers, or\r
-request trailers as described above.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-When the response trailers arrive. Again these may be combined as\r
-described above.\r
-</p>\r
-</li>\r
-</ol></div>\r
-<div class="paragraph"><p>Message body sections can only go through detection at the time they are\r
-received. Headers may be combined with later items but the body cannot.</p></div>\r
-</div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_2_inspector">HTTP/2 Inspector</h3>\r
-<div class="paragraph"><p>Snort 3 is developing an inspector for HTTP/2.</p></div>\r
-<div class="paragraph"><p>You can configure it by adding:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>http2_inspect = {}</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>to your snort.lua configuration file.</p></div>\r
-<div class="paragraph"><p>Everything has a beginning and for http2_inspect this is the beginning of\r
-the beginning.</p></div>\r
-<div class="paragraph"><p>Currently http2_inspect will divide an HTTP/2 connection into individual\r
-frames. Two new rule options are available for looking at HTTP/2 frames:\r
-http2_frame_header provides the 9-octet frame header.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>alert tcp any any -> any any (msg:"Frame type"; flow:established,\r
-to_client; http2_frame_header; content:"|06|", offset 3, depth 1;\r
-sid:1; rev:1; )</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>This will match if the Type byte of the frame header is 6 (PING).</p></div>\r
-<div class="paragraph"><p>To smooth the transition to inspecting HTTP/2, rules that specify\r
-service:http will be treated as if they also specify service:http2.\r
-Thus:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>alert tcp any any -> any any (flow:established, to_server;\r
-http_uri; content:"/foo";\r
-service: http; sid:10; rev:1;)</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>is understood to mean:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>alert tcp any any -> any any (flow:established, to_server;\r
-http_uri; content:"/foo";\r
-service: http,http2; sid:10; rev:1;)</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Thus it will alert on "/foo" in the URI for both HTTP/1 and HTTP/2 traffic.</p></div>\r
-<div class="paragraph"><p>The reverse is not true. "service: http2" without http will match on HTTP/2\r
-flows but not HTTP/1 flows.</p></div>\r
-<div class="paragraph"><p>This feature makes it easy to add HTTP/2 inspection without modifying\r
-large numbers of existing rules. New rules should explicitly specify\r
-"service http,http2;" if that is the desired behavior. Eventually\r
-support for http implies http2 may be deprecated and removed.</p></div>\r
-<div class="paragraph"><p>In the future, http2_inspect will be fully integrated with http_inspect to\r
-provide full inspection of the individual HTTP/1.1 streams.</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_performance_monitor">Performance Monitor</h3>\r
-<div class="paragraph"><p>The new and improved performance monitor! Is your sensor being bogged down by\r
-too many flows? perf_monitor! Why are certain TCP segments being dropped without\r
-hitting a rule? perf_monitor! Why is a sensor leaking water? Not perf_monitor, check\r
-with stream…</p></div>\r
-<div class="sect3">\r
-<h4 id="_overview_6">Overview</h4>\r
-<div class="paragraph"><p>The Snort performance monitor is the built-in utility for monitoring system\r
-and traffic statistics. All statistics are separated by processing thread.\r
-perf_monitor supports several trackers for monitoring such data:</p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_base_tracker">Base Tracker</h4>\r
-<div class="paragraph"><p>The base tracker is used to gather running statistics about Snort and its\r
-running modules. All Snort modules gather, at the very least, counters for the\r
-number of packets reaching it. Most supplement these counts with those for\r
-domain specific functions, such as http_inspect’s number of GET requests seen.</p></div>\r
-<div class="paragraph"><p>Statistics are gathered live and can be reported at regular intervals. The stats\r
-reported correspond only to the interval in question and are reset at the\r
-beginning of each interval.</p></div>\r
-<div class="paragraph"><p>These are the same counts displayed when Snort shuts down, only sorted amongst\r
-the discrete intervals in which they occurred.</p></div>\r
-<div class="paragraph"><p>Base differs from prior implementations in Snort in that all stats gathered are\r
-only raw counts, allowing the data to be evaluated as needed. Additionally,\r
-base is entirely pluggable. Data from new Snort plugins can be added to the\r
-existing stats either automatically or, if specified, by name and function.</p></div>\r
-<div class="paragraph"><p>All plugins and counters can be enabled or disabled individually, allowing for\r
-only the data that is actually desired instead of overly verbose performance\r
-logs.</p></div>\r
-<div class="paragraph"><p>To enable everything:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>perf_monitor = { modules = {} }</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>To enable everything within a module:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>perf_monitor =\r
-{\r
- modules =\r
- {\r
- {\r
- name = 'stream_tcp',\r
- pegs = [[ ]]\r
- },\r
- }\r
-}</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>To enable specific counts within modules:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>perf_monitor =\r
-{\r
- modules =\r
- {\r
- {\r
- name = 'stream_tcp',\r
- pegs = [[ overlaps gaps ]]\r
- },\r
- }</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Note: Event stats from prior Snorts are now located within base statistics.</p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_flow_tracker">Flow Tracker</h4>\r
-<div class="paragraph"><p>Flow tracks statistics regarding traffic and L3/L4 protocol distributions. This\r
-data can be used to build a profile of traffic for inspector tuning and for\r
-identifying where Snort may be stressed.</p></div>\r
-<div class="paragraph"><p>To enable:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>perf_monitor = { flow = true }</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_flowip_tracker">FlowIP Tracker</h4>\r
-<div class="paragraph"><p>FlowIP provides statistics for individual hosts within a network. This data can\r
-be used for identifying communication habits, such as generating large or small\r
-amounts of data, opening a small or large number of sessions, and tendency to\r
-send smaller or larger IP packets.</p></div>\r
-<div class="paragraph"><p>To enable:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>perf_monitor = { flow_ip = true }</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_cpu_tracker">CPU Tracker</h4>\r
-<div class="paragraph"><p>This tracker monitors the CPU and wall time spent by a given processing thread.</p></div>\r
-<div class="paragraph"><p>To enable:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>perf_monitor = { cpu = true }</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_formatters">Formatters</h4>\r
-<div class="paragraph"><p>Performance monitor allows statistics to be output in a few formats. Along with\r
-human readable text (as seen at shutdown) and csv formats, a Flatbuffers binary\r
-format is also available if Flatbuffers is present at build. A utility for\r
-accessing the statistics generated in this format has been included for\r
-convenience (see fbstreamer in tools). This tool generates a YAML array of\r
-records found, allowing the data to be read by humans or passed into other\r
-analysis tools. For information on working directly with the Flatbuffers file\r
-format used by Performance monitor, see the developer notes for Performance\r
-monitor or the code provided for fbstreamer.</p></div>\r
-</div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_pop_and_imap">POP and IMAP</h3>\r
-<div class="paragraph"><p>POP inspector is a service inspector for POP3 protocol and IMAP inspector\r
-is for IMAP4 protocol.</p></div>\r
-<div class="sect3">\r
-<h4 id="_overview_7">Overview</h4>\r
-<div class="paragraph"><p>POP and IMAP inspectors examine data traffic and find POP and IMAP\r
-commands and responses. The inspectors also identify the command, header,\r
-body sections and extract the MIME attachments and decode it\r
-appropriately. The pop and imap also identify and whitelist the pop and\r
-imap traffic.</p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_configuration_5">Configuration</h4>\r
-<div class="paragraph"><p>POP inspector and IMAP inspector offer same set of configuration options\r
-for MIME decoding depth. These depths range from 0 to 65535 bytes. Setting\r
-the value to 0 ("do none") turns the feature off. Alternatively the value\r
--1 means an unlimited amount of data should be decoded. If you do not\r
-specify the default value is 1460 bytes.</p></div>\r
-<div class="paragraph"><p>The depth limits apply per attachment. They are:</p></div>\r
-<div class="sect4">\r
-<h5 id="_b64_decode_depth">b64_decode_depth</h5>\r
-<div class="paragraph"><p>Set the base64 decoding depth used to decode the base64-encoded MIME\r
-attachments.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_qp_decode_depth">qp_decode_depth</h5>\r
-<div class="paragraph"><p>Set the Quoted-Printable (QP) decoding depth used to decode QP-encoded\r
-MIME attachments.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_bitenc_decode_depth">bitenc_decode_depth</h5>\r
-<div class="paragraph"><p>Set the non-encoded MIME extraction depth used for non-encoded MIME\r
-attachments.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_uu_decode_depth">uu_decode_depth</h5>\r
-<div class="paragraph"><p>Set the Unix-to-Unix (UU) decoding depth used to decode UU-encoded\r
-attachments.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_examples_5">Examples</h5>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>stream = { }</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>stream_tcp = { }</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>stream_ip = { }</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>binder =\r
-{\r
- {\r
- {\r
- when = { proto = 'tcp', ports = '110', },\r
- use = { type = 'pop', },\r
- },\r
- {\r
- when = { proto = 'tcp', ports = '143', },\r
- use = { type = 'imap', },\r
- },\r
- },\r
-}</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>imap =\r
-{\r
- qp_decode_depth = 500,\r
-}</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>pop =\r
-{\r
- qp_decode_depth = -1,\r
- b64_decode_depth = 3000,\r
-}</code></pre>\r
-</div></div>\r
-</div>\r
-</div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_port_scan">Port Scan</h3>\r
-<div class="paragraph"><p>A module to detect port scanning</p></div>\r
-<div class="sect3">\r
-<h4 id="_overview_8">Overview</h4>\r
-<div class="paragraph"><p>This module is designed to detect the first phase in a network attack:\r
-Reconnaissance. In the Reconnaissance phase, an attacker determines\r
-what types of network protocols or services a host supports. This is\r
-the traditional place where a portscan takes place. This phase assumes\r
-the attacking host has no prior knowledge of what protocols or\r
-services are supported by the target, otherwise this phase would not\r
-be necessary.</p></div>\r
-<div class="paragraph"><p>As the attacker has no beforehand knowledge of its intended target,\r
-most queries sent by the attacker will be negative (meaning that the\r
-services are closed). In the nature of legitimate network\r
-communications, negative responses from hosts are rare, and rarer\r
-still are multiple negative responses within a given amount of time.\r
-Our primary objective in detecting portscans is to detect and track\r
-these negative responses.</p></div>\r
-<div class="paragraph"><p>One of the most common portscanning tools in use today is Nmap. Nmap\r
-encompasses many, if not all, of the current portscanning techniques.\r
-Portscan was designed to be able to detect the different types of\r
-scans Nmap can produce.</p></div>\r
-<div class="paragraph"><p>The following are a list of the types of Nmap scans Portscan\r
-will currently alert for.</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-TCP Portscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-UDP Portscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-IP Portscan\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>These alerts are for one to one portscans, which are the traditional\r
-types of scans; one host scans multiple ports on another host. Most of\r
-the port queries will be negative, since most hosts have relatively\r
-few services available.</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-TCP Decoy Portscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-UDP Decoy Portscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-IP Decoy Portscan\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Decoy portscans are much like regular, only the attacker has spoofed\r
-source address inter-mixed with the real scanning address. This tactic\r
-helps hide the true identity of the attacker.</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-TCP Distributed Portscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-UDP Distributed Portscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-IP Distributed Portscan\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>These are many to one portscans. Distributed portscans occur when\r
-multiple hosts query one host for open services. This is used to evade\r
-an IDS and obfuscate command and control hosts.</p></div>\r
-<div class="admonitionblock">\r
-<table><tr>\r
-<td class="icon">\r
-<img src="./images/icons/note.png" alt="Note" />\r
-</td>\r
-<td class="content">Negative queries will be distributed among scanning hosts, so\r
-we track this type of scan through the scanned host.</td>\r
-</tr></table>\r
-</div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-TCP Portsweep\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-UDP Portsweep\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-IP Portsweep\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-ICMP Portsweep\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>These alerts are for one to many portsweeps. One host scans a single\r
-port on multiple hosts. This usually occurs when a new exploit comes out\r
-and the attacker is looking for a specific service.</p></div>\r
-<div class="admonitionblock">\r
-<table><tr>\r
-<td class="icon">\r
-<img src="./images/icons/note.png" alt="Note" />\r
-</td>\r
-<td class="content">The characteristics of a portsweep scan may not result in many\r
-negative responses. For example, if an attacker portsweeps a web farm\r
-for port 80, we will most likely not see many negative responses.</td>\r
-</tr></table>\r
-</div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-TCP Filtered Portscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-UDP Filtered Portscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-IP Filtered Portscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-TCP Filtered Decoy Portscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-UDP Filtered Decoy Portscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-IP Filtered Decoy Portscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-TCP Filtered Portsweep\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-UDP Filtered Portsweep\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-IP Filtered Portsweep\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-ICMP Filtered Portsweep\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-TCP Filtered Distributed Portscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-UDP Filtered Distributed Portscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-IP Filtered Distributed Portscan\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>"Filtered" alerts indicate that there were no network errors (ICMP\r
-unreachables or TCP RSTs) or responses on closed ports have been\r
-suppressed. It’s also a good indicator on whether the alert is just a\r
-very active legitimate host. Active hosts, such as NATs, can trigger\r
-these alerts because they can send out many connection attempts within\r
-a very small amount of time. A filtered alert may go off before\r
-responses from the remote hosts are received.</p></div>\r
-<div class="paragraph"><p>Portscan only generates one alert for each host pair in question\r
-during the time window. On TCP scan alerts, Portscan\r
-will also display any open ports that were scanned. On TCP sweep alerts\r
-however, Portscan will only track open ports after the alert has been\r
-triggered. Open port events are not individual alerts, but tags based\r
-off the original scan alert.</p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_scan_levels">Scan levels</h4>\r
-<div class="paragraph"><p>There are 3 default scan levels that can be set.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>1) default_hi_port_scan\r
-2) default_med_port_scan\r
-3) default_low_port_scan</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Each of these default levels have separate options that can be edited\r
-to alter the scan sensitivity levels (scans, rejects, nets or ports)</p></div>\r
-<div class="paragraph"><p>Example:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>port_scan = default_low_port_scan\r
-\r
-port_scan.tcp_decoy.ports = 1\r
-port_scan.tcp_decoy.scans = 1\r
-port_scan.tcp_decoy.rejects = 1\r
-port_scan.tcp_ports.nets = 1</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The example above would change each of the individual settings to 1.</p></div>\r
-<div class="paragraph"><p>NOTE:The default levels for scans, rejects, nets and ports can be\r
-seen in the snort_defaults.lua file.</p></div>\r
-<div class="paragraph"><p>The counts can be seen in the alert outputs (-Acmg shown below):</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>50 72 69 6F 72 69 74 79 20 43 6F 75 6E 74 3A 20 Priority Count:\r
-30 0A 43 6F 6E 6E 65 63 74 69 6F 6E 20 43 6F 75 0.Connec tion Cou\r
-6E 74 3A 20 34 35 0A 49 50 20 43 6F 75 6E 74 3A nt: 45.I P Count:\r
-20 31 0A 53 63 61 6E 6E 65 72 20 49 50 20 52 61 1.Scann er IP Ra\r
-6E 67 65 3A 20 31 2E 32 2E 33 2E 34 3A 31 2E 32 nge: 1.2 .3.4:1.2\r
-2E 33 2E 34 0A 50 6F 72 74 2F 50 72 6F 74 6F 20 .3.4.Por t/Proto\r
-43 6F 75 6E 74 3A 20 33 37 0A 50 6F 72 74 2F 50 Count: 3 7.Port/P\r
-72 6F 74 6F 20 52 61 6E 67 65 3A 20 31 3A 39 0A roto Ran ge: 1:9.</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>"Low" alerts are only generated on error packets sent from the\r
-target host, and because of the nature of error responses, this\r
-setting should see very few false positives. However, this setting\r
-will never trigger a Filtered Scan alert because of a lack of error\r
-responses. This setting is based on a static time window of 60\r
-seconds, after which this window is reset.</p></div>\r
-<div class="paragraph"><p>"Medium" alerts track Connection Counts, and so will generate\r
-Filtered Scan alerts. This setting may false positive on active\r
-hosts (NATs, proxies, DNS caches, etc), so the user may need to\r
-deploy the use of Ignore directives to properly tune this directive.</p></div>\r
-<div class="paragraph"><p>"High" alerts continuously track hosts on a network using a time\r
-window to evaluate portscan statistics for that host. A "High"\r
-setting will catch some slow scans because of the continuous\r
-monitoring, but is very sensitive to active hosts. This most\r
-definitely will require the user to tune Portscan.</p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_tuning_portscan">Tuning Portscan</h4>\r
-<div class="paragraph"><p>The most important aspect in detecting portscans is tuning the detection\r
-engine for your network(s). Here are some tuning tips:</p></div>\r
-<div class="paragraph"><p>Use the watch_ip, ignore_scanners, and ignore_scanned options.\r
-It’s important to correctly set these options. The watch_ip option\r
-is easy to understand. The analyst should set this option to the\r
-list of CIDR blocks and IPs that they want to watch. If no\r
-watch_ip is defined, Portscan will watch all network traffic.\r
-The ignore_scanners and ignore_scanned options come into play in\r
-weeding out legitimate hosts that are very active on your network.\r
-Some of the most common examples are NAT IPs, DNS cache servers,\r
-syslog servers, and nfs servers. Portscan may not generate false\r
-positives for these types of hosts, but be aware when first tuning\r
-Portscan for these IPs. Depending on the type of alert that the\r
-host generates, the analyst will know which to ignore it as. If\r
-the host is generating portsweep events, then add it to the\r
-ignore_scanners option. If the host is generating portscan alerts\r
-(and is the host that is being scanned), add it to the\r
-ignore_scanned option.</p></div>\r
-<div class="paragraph"><p>Filtered scan alerts are much more prone to false positives.\r
-When determining false positives, the alert type is very important.\r
-Most of the false positives that Portscan may generate are of the\r
-filtered scan alert type. So be much more suspicious of filtered\r
-portscans. Many times this just indicates that a host was very\r
-active during the time period in question. If the host continually\r
-generates these types of alerts, add it to the ignore_scanners list\r
-or use a lower sensitivity level.</p></div>\r
-<div class="paragraph"><p>Make use of the Priority Count, Connection Count, IP Count,\r
-Port Count, IP range, and Port range to determine false positives.\r
-The portscan alert details are vital in determining the scope of a\r
-portscan and also the confidence of the portscan. In the future,\r
-we hope to automate much of this analysis in assigning a scope\r
-level and confidence level, but for now the user must manually do\r
-this. The easiest way to determine false positives is through\r
-simple ratio estimations. The following is a list of ratios to\r
-estimate and the associated values that indicate a legitimate scan\r
-and not a false positive.</p></div>\r
-<div class="paragraph"><p>Connection Count / IP Count: This ratio indicates an estimated\r
-average of connections per IP. For portscans, this ratio should be\r
-high, the higher the better. For portsweeps, this ratio should be\r
-low.</p></div>\r
-<div class="paragraph"><p>Port Count / IP Count: This ratio indicates an estimated average\r
-of ports connected to per IP. For portscans, this ratio should be\r
-high and indicates that the scanned host’s ports were connected to\r
-by fewer IPs. For portsweeps, this ratio should be low, indicating\r
-that the scanning host connected to few ports but on many hosts.</p></div>\r
-<div class="paragraph"><p>Connection Count / Port Count: This ratio indicates an estimated\r
-average of connections per port. For portscans, this ratio should\r
-be low. This indicates that each connection was to a different\r
-port. For portsweeps, this ratio should be high. This indicates\r
-that there were many connections to the same port.</p></div>\r
-<div class="paragraph"><p>The reason that Priority Count is not included, is because the\r
-priority count is included in the connection count and the above\r
-comparisons take that into consideration. The Priority Count play\r
-an important role in tuning because the higher the priority count\r
-the more likely it is a real portscan or portsweep (unless the host\r
-is firewalled).</p></div>\r
-<div class="paragraph"><p>If all else fails, lower the sensitivity level.\r
-If none of these other tuning techniques work or the analyst\r
-doesn’t have the time for tuning, lower the sensitivity level. You\r
-get the best protection the higher the sensitivity level, but it’s\r
-also important that the portscan detection engine generates alerts\r
-that the analyst will find informative. The low sensitivity level\r
-only generates alerts based on error responses. These responses\r
-indicate a portscan and the alerts generated by the low sensitivity\r
-level are highly accurate and require the least tuning. The low\r
-sensitivity level does not catch filtered scans, since these are\r
-more prone to false positives.</p></div>\r
-</div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_sensitive_data_filtering">Sensitive Data Filtering</h3>\r
-<div class="paragraph"><p>The <code>sd_pattern</code> IPS option provides detection and filtering of Personally\r
-Identifiable Information (PII). This information includes credit card\r
-numbers, U.S. Social Security numbers, and email addresses. A rich regular\r
-expression syntax is available for defining your own PII.</p></div>\r
-<div class="sect3">\r
-<h4 id="_hyperscan">Hyperscan</h4>\r
-<div class="paragraph"><p>The <code>sd_pattern</code> rule option is powered by the open source Hyperscan\r
-library from Intel. It provides a regex grammar which is mostly PCRE\r
-compatible. To learn more about Hyperscan see\r
-<a href="https://intel.github.io/hyperscan/dev-reference/">https://intel.github.io/hyperscan/dev-reference/</a></p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_syntax">Syntax</h4>\r
-<div class="paragraph"><p>Snort provides <code>sd_pattern</code> as IPS rule option with no additional inspector\r
-overhead. The Rule option takes the following syntax.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>sd_pattern: "<pattern>"[, threshold <count>];</code></pre>\r
-</div></div>\r
-<div class="sect4">\r
-<h5 id="_pattern">Pattern</h5>\r
-<div class="paragraph"><p>Pattern is the most important and is the only required parameter to\r
-<code>sd_pattern</code>. It supports 3 built in patterns which are configured by name:\r
-"credit_card", "us_social" and "us_social_nodashes", as well as user\r
-defined regular expressions of the Hyperscan dialect (see\r
-<a href="https://intel.github.io/hyperscan/dev-reference/compilation.html#pattern-support">https://intel.github.io/hyperscan/dev-reference/compilation.html#pattern-support</a>).</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>sd_pattern:"credit_card";</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>When configured, Snort will replace the pattern <em>credit_card</em> with the built in\r
-pattern. In addition to pattern matching, Snort will validate that the matched\r
-digits will pass the Luhn-check algorithm. Currently the only pattern that\r
-performs extra verification.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>sd_pattern:"us_social";\r
-sd_pattern:"us_social_nodashes";</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>These special patterns will also be replaced with a built in pattern.\r
-Naturally, "us_social" is a pattern of 9 digits separated by <code>-</code>'s in the\r
-canonical form.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>sd_pattern:"\b\w+@ourdomain\.com\b"</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>This is a user defined pattern which matches what is most likely email\r
-addresses for the site "ourdomain.com". The pattern is a PCRE compatible\r
-regex, <em>\b</em> matches a word boundary (whitespace, end of line, non-word\r
-characters) and <em>\w+</em> matches one or more word characters. <em>\.</em> matches\r
-a literal <em>.</em>.</p></div>\r
-<div class="paragraph"><p>The above pattern would match "a@ourdomain.com", "aa@ourdomain.com" but would\r
-not match <code>1@ourdomain.com</code> <code>ab12@ourdomain.com</code> or <code>@ourdomain.com</code>.</p></div>\r
-<div class="paragraph"><p>Note: This is just an example, this pattern is not suitable to detect many\r
-correctly formatted emails.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_threshold">Threshold</h5>\r
-<div class="paragraph"><p>Threshold is an optional parameter allowing you to change built in default\r
-value (default value is <em>1</em>). The following two instances are identical.\r
-The first will assume the default value of <em>1</em> the second declaration\r
-explicitly sets the threshold to <em>1</em>.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>sd_pattern:"This rule requires 1 match";\r
-sd_pattern:"This rule requires 1 match", threshold 1;</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>That’s pretty easy, but here is one more example anyway.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>sd_pattern:"This is a string literal", threshold 300;</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>This example requires 300 matches of the pattern "This is a string literal"\r
-to qualify as a positive match. That is, if the string only occurred 299 times\r
-in a packet, you will not see an event.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_obfuscating_credit_cards_and_social_security_numbers">Obfuscating Credit Cards and Social Security Numbers</h5>\r
-<div class="paragraph"><p>Snort provides discreet logging for the built in patterns "credit_card",\r
-"us_social" and "us_social_nodashes". Enabling <code>output.obfuscate_pii</code> makes\r
-Snort obfuscate the suspect packet payload which was matched by the\r
-patterns. This configuration is disabled by default.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>output =\r
-{\r
- obfuscate_pii = true\r
-}</code></pre>\r
-</div></div>\r
-</div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_example">Example</h4>\r
-<div class="paragraph"><p>A complete Snort IPS rule</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>alert tcp ( sid:1; msg:"Credit Card"; sd_pattern:"credit_card"; )</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Logged output when running Snort in "cmg" alert format.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>02/25-21:19:05.125553 [**] [1:1:0] "Credit Card" [**] [Priority: 0] {TCP} 10.1.2.3:48620 -> 10.9.8.7:8\r
-02:01:02:03:04:05 -> 02:09:08:07:06:05 type:0x800 len:0x46\r
-10.1.2.3:48620 -> 10.9.8.7:8 TCP TTL:64 TOS:0x0 ID:14 IpLen:20 DgmLen:56\r
-***A**** Seq: 0xB2 Ack: 0x2 Win: 0x2000 TcpLen: 20\r
-- - - raw[16] - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
-58 58 58 58 58 58 58 58 58 58 58 58 39 32 39 34 XXXXXXXXXXXX9294\r
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_caveats">Caveats</h4>\r
-<div class="olist arabic"><ol class="arabic">\r
-<li>\r
-<p>\r
-Snort currently requires setting the fast pattern engine to use\r
-"hyperscan" in order for <code>sd_pattern</code> ips option to function correctly.\r
-</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>search_engine = { search_method = 'hyperscan' }</code></pre>\r
-</div></div>\r
-</li>\r
-<li>\r
-<p>\r
-Log obfuscation is only applicable to CMG and Unified2 logging formats.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Log obfuscation doesn’t support user defined PII patterns. It is\r
-currently only supported for the built in patterns for Credit Cards and US\r
-Social Security numbers.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Log obfuscation doesn’t work with stream rebuilt packet payloads. (This\r
-is a known bug).\r
-</p>\r
-</li>\r
-</ol></div>\r
-</div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_smtp">SMTP</h3>\r
-<div class="paragraph"><p>SMTP inspector is a service inspector for SMTP protocol.</p></div>\r
-<div class="sect3">\r
-<h4 id="_overview_9">Overview</h4>\r
-<div class="paragraph"><p>The SMTP inspector examines SMTP connections looking for commands and\r
-responses. It also identifies the command, header and body sections, TLS\r
-data and extracts the MIME attachments. This inspector also identifies and\r
-whitelists the SMTP traffic.</p></div>\r
-<div class="paragraph"><p>SMTP inspector logs the filename, email addresses, attachment names when\r
-configured.</p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_configuration_6">Configuration</h4>\r
-<div class="paragraph"><p>SMTP command lines can be normalized to remove extraneous spaces.\r
-TLS-encrypted traffic can be ignored, which improves performance. In\r
-addition, plain-text mail data can be ignored for an additional\r
-performance boost.</p></div>\r
-<div class="paragraph"><p>The configuration options are described below:</p></div>\r
-<div class="sect4">\r
-<h5 id="_normalize_and_normalize_cmds">normalize and normalize_cmds</h5>\r
-<div class="paragraph"><p>Normalization checks for more than one space character after a command.\r
-Space characters are defined as space (ASCII 0x20) or tab (ASCII 0x09).\r
-"normalize" provides options all|none|cmds, <em>all</em> checks all commands,\r
-<em>none</em> turns off normalization for all commands. <em>cmds</em> just checks\r
-commands listed with the "normalize_cmds" parameter.\r
-For example:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>smtp = { normalize = 'cmds', normalize_cmds = 'RCPT VRFY EXPN' }</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_ignore_data">ignore_data</h5>\r
-<div class="paragraph"><p>Set it to true to ignore data section of mail (except for mail headers)\r
-when processing rules.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_ignore_tls_data">ignore_tls_data</h5>\r
-<div class="paragraph"><p>Set it to true to ignore TLS-encrypted data when processing rules.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_max_command_line_len">max_command_line_len</h5>\r
-<div class="paragraph"><p>Alert if an SMTP command line is longer than this value. Absence of this\r
-option or a "0" means never alert on command line length. RFC 2821\r
-recommends 512 as a maximum command line length.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_max_header_line_len">max_header_line_len</h5>\r
-<div class="paragraph"><p>Alert if an SMTP DATA header line is longer than this value. Absence of\r
-this option or a "0" means never alert on data header line length. RFC\r
-2821 recommends 1024 as a maximum data header line length.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_max_response_line_len">max_response_line_len</h5>\r
-<div class="paragraph"><p>Alert if an SMTP response line is longer than this value. Absence of this\r
-option or a "0" means never alert on response line length. RFC 2821\r
-recommends 512 as a maximum response line length.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_alt_max_command_line_len">alt_max_command_line_len</h5>\r
-<div class="paragraph"><p>Overrides max_command_line_len for specific commands\r
-For example:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>alt_max_command_line_len =\r
-{\r
- {\r
- command = 'MAIL',\r
- length = 260,\r
- },\r
- {\r
- command = 'RCPT',\r
- length = 300,\r
- },\r
-}</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_invalid_cmds">invalid_cmds</h5>\r
-<div class="paragraph"><p>Alert if this command is sent from client side.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_valid_cmds">valid_cmds</h5>\r
-<div class="paragraph"><p>List of valid commands. We do not alert on commands in this list.</p></div>\r
-<div class="paragraph"><p>DEFAULT empty list, but SMTP inspector has this list hard-coded:\r
-[[ ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN\r
- HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SIZE\r
- STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS X-LINK2STATE\r
- XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR ]]</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_data_cmds">data_cmds</h5>\r
-<div class="paragraph"><p>List of commands that initiate sending of data with an end of data\r
-delimiter the same as that of the DATA command per RFC 5321 -\r
-"<CRLF>.<CRLF>".</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_binary_data_cmds">binary_data_cmds</h5>\r
-<div class="paragraph"><p>List of commands that initiate sending of data and use a length value\r
-after the command to indicate the amount of data to be sent, similar to\r
-that of the BDAT command per RFC 3030.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_auth_cmds">auth_cmds</h5>\r
-<div class="paragraph"><p>List of commands that initiate an authentication exchange between client\r
-and server.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_xlink2state">xlink2state</h5>\r
-<div class="paragraph"><p>Enable/disable xlink2state alert, options are {disable | alert | drop}.\r
-See CVE-2005-0560 for a description of the vulnerability.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_mime_processing_depth_parameters">MIME processing depth parameters</h5>\r
-<div class="paragraph"><p>These four MIME processing depth parameters are identical to their POP and\r
-IMAP counterparts. See that section for further details.</p></div>\r
-<div class="paragraph"><p>b64_decode_depth\r
-qp_decode_depth\r
-bitenc_decode_depth\r
-uu_decode_depth</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_log_options">Log Options</h5>\r
-<div class="paragraph"><p>Following log options allow SMTP inspector to log email addresses and\r
-filenames.\r
-Please note, this is logged only with the unified2 output and is not\r
-logged with the console output (-A cmg). u2spewfoo can be used to read\r
-this data from the unified2.</p></div>\r
-<div class="paragraph"><p><em>log_mailfrom</em></p></div>\r
-<div class="paragraph"><p>This option enables SMTP inspector to parse and log the sender’s email\r
-address extracted from the "MAIL FROM" command along with all the\r
-generated events for that session. The maximum number of bytes logged for\r
-this option is 1024.</p></div>\r
-<div class="paragraph"><p><em>log_rcptto</em></p></div>\r
-<div class="paragraph"><p>This option enables SMTP inspector to parse and log the recipient email\r
-addresses extracted from the "RCPT TO" command along with all the\r
-generated events for that session. Multiple recipients are appended with\r
-commas. The maximum number of bytes logged for this option is 1024.</p></div>\r
-<div class="paragraph"><p><em>log_filename</em></p></div>\r
-<div class="paragraph"><p>This option enables SMTP inspector to parse and log the MIME attachment\r
-filenames extracted from the Content-Disposition header within the MIME\r
-body along with all the generated events for that session. Multiple\r
-filenames are appended with commas. The maximum number of bytes logged for\r
-this option is 1024.</p></div>\r
-<div class="paragraph"><p><em>log_email_hdrs</em></p></div>\r
-<div class="paragraph"><p>This option enables SMTP inspector to parse and log the SMTP email headers\r
-extracted from SMTP data along with all generated events for that session.\r
-The number of bytes extracted and logged depends upon the\r
-email_hdrs_log_depth.</p></div>\r
-<div class="paragraph"><p><em>email_hdrs_log_depth</em></p></div>\r
-<div class="paragraph"><p>This option specifies the depth for logging email headers. The allowed\r
-range for this option is 0 - 20480. A value of 0 will disable email\r
-headers logging. The default value for this option is 1464.</p></div>\r
-</div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_example_2">Example</h4>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>smtp =\r
-{\r
- normalize = 'cmds',\r
- normalize_cmds = 'EXPN VRFY RCPT',\r
- b64_decode_depth = 0,\r
- qp_decode_depth = 0,\r
- bitenc_decode_depth = 0,\r
- uu_decode_depth = 0,\r
- log_mailfrom = true,\r
- log_rcptto = true,\r
- log_filename = true,\r
- log_email_hdrs = true,\r
- max_command_line_len = 512,\r
- max_header_line_len = 1000,\r
- max_response_line_len = 512,\r
- max_auth_command_line_len = 50,\r
- xlink2state = 'alert',\r
- alt_max_command_line_len =\r
- {\r
- {\r
- command = 'MAIL',\r
- length = 260,\r
- },\r
- {\r
- command = 'RCPT',\r
- length = 300,\r
- },\r
- {\r
- command = 'HELP',\r
- length = 500,\r
- },\r
- {\r
- command = 'HELO',\r
- length = 500,\r
- },\r
- {\r
- command = 'ETRN',\r
- length = 500,\r
- },\r
- {\r
- command = 'EXPN',\r
- length = 255,\r
- },\r
- {\r
- command = 'VRFY',\r
- length = 255,\r
- },\r
- },\r
-}</code></pre>\r
-</div></div>\r
-</div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_telnet">Telnet</h3>\r
-<div class="paragraph"><p>Given a telnet data buffer, Telnet will normalize the buffer with\r
-respect to telnet commands and option negotiation, eliminating telnet\r
-command sequences per RFC 854. It will also determine when a\r
-telnet connection is encrypted, per the use of the telnet encryption\r
-option per RFC 2946.</p></div>\r
-<div class="sect3">\r
-<h4 id="_configuring_the_inspector_to_block_exploits_and_attacks_2">Configuring the inspector to block exploits and attacks</h4>\r
-<div class="paragraph"><p>ayt_attack_thresh number</p></div>\r
-<div class="paragraph"><p>Detect and alert on consecutive are you there [AYT] commands beyond the\r
-threshold number specified. This addresses a few specific vulnerabilities\r
-relating to bsd-based implementations of telnet.</p></div>\r
-</div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_trace">Trace</h3>\r
-<div class="paragraph"><p>Snort 3 retired the different flavors of debug macros that used to be set\r
-through the SNORT_DEBUG environment variable. It was replaced by per-module\r
-trace functionality. Trace is turned on by setting the specific trace module\r
-configuration in snort.lua. As before, to enable debug tracing, Snort must be\r
-configured at build time with --enable-debug-msgs. However, a growing number\r
-of modules (such as wizard and snort.inspector_manager) are providing non-debug\r
-trace messages in normal production builds.</p></div>\r
-<div class="sect3">\r
-<h4 id="_trace_module">Trace module</h4>\r
-<div class="paragraph"><p>The trace module is responsible for configuring traces and supports the\r
-following parameters:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>output - configure the output method for trace messages\r
-modules - trace configuration for specific modules\r
-constraints - filter traces by the packet constraints</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The following lines, added in snort.lua, will enable trace messages for\r
-detection and codec modules. The messages will be printed to syslog if\r
-the packet filtering constraints match.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>trace =\r
-{\r
- output = "syslog",\r
- modules =\r
- {\r
- detection = { detect_engine = 1 },\r
- decode = { all = 1 }\r
- },\r
- constraints =\r
- {\r
- ip_proto = 17,\r
- dst_ip = "10.1.1.2",\r
- src_port = 100,\r
- dst_port = 200\r
- }\r
-}</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The trace module supports config reloading. Also, it’s possible to set or clear\r
-modules traces and packet filter constraints via the control channel command.</p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_trace_module_configuring_traces">Trace module - configuring traces</h4>\r
-<div class="paragraph"><p>The trace module has the <strong>modules</strong> option - a table with trace configuration\r
-for specific modules. The following lines placed in snort.lua will enable trace\r
-messages for detection, codec and wizard modules:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>trace =\r
-{\r
- modules =\r
- {\r
- detection = { all = 1 },\r
- decode = { all = 1 },\r
- wizard = { all = 1 }\r
- }\r
-}</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The detection and snort modules are currently the only modules to support\r
-multiple trace options. Others have only the default <strong>all</strong> option, which will\r
-enable or disable all traces in a given module. It’s available for multi-option\r
-modules also and works as a global switcher:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>trace =\r
-{\r
- modules =\r
- {\r
- detection = { all = 1 } -- set each detection option to level 1\r
- }\r
-}</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>trace =\r
-{\r
- modules =\r
- {\r
- detection = { all = 1, tag = 2 } -- set each detection option to level 1 but the 'tag' to level 2\r
- }\r
-}</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The full list of available trace parameters is placed into\r
-the "Basic Modules.trace" chapter.</p></div>\r
-<div class="paragraph"><p>Each option must be assigned an integer value between 0 and 255 to specify\r
-a level of verbosity for that option:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>0 - turn off trace messages printing for the option\r
-1 - print most significant trace messages for the option\r
-255 - print all available trace messages for the option</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Tracing is disabled by default (verbosity level equals 0). The verbosity level\r
-is treated as a threshold, so specifying a higher value will result in all\r
-messages with a lower level being printed as well. For example:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>trace =\r
-{\r
- modules =\r
- {\r
- decode = { all = 3 } -- messages with levels 1, 2, and 3 will be printed\r
- }\r
-}</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_trace_module_configuring_packet_filter_constraints_for_packet_related_trace_messages">Trace module - configuring packet filter constraints for packet related trace messages</h4>\r
-<div class="paragraph"><p>There is a capability to filter traces by the packet constraints. The trace\r
-module has the <strong>constraints</strong> option - a table with filtering configuration that\r
-will be applied to all trace messages that include a packet. Filtering is done\r
-on a flow that packet is related. By default filtering is disabled.</p></div>\r
-<div class="paragraph"><p>Available constraints options:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>ip_proto - numerical IP protocol ID\r
-src_ip - match all packets with a flow that has this client IP address (passed as a string)\r
-src_port - match all packets with a flow that has this source port\r
-dst_ip - match all packets with a flow that has this server IP address (passed as a string)\r
-dst_port - match all packets with a flow that has this destination port\r
-match - boolean flag to enable/disable whether constraints will ever match (enabled by default)</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The following lines placed in snort.lua will enable all trace messages for\r
-detection filtered by ip_proto, dst_ip, src_port and dst_port:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>trace =\r
-{\r
- modules =\r
- {\r
- detection = { all = 1 }\r
- },\r
- constraints =\r
- {\r
- ip_proto = 6, -- tcp\r
- dst_ip = "10.1.1.10",\r
- src_port = 150,\r
- dst_port = 250\r
- }\r
-}</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>To create constraints that will never successfully match, set the <strong>match</strong>\r
-parameter to <em>false</em>. This is useful for situations where one is relying on\r
-external packet filtering from the DAQ module, or for preventing all trace\r
-messages in the context of a packet. The following is an example of such\r
-configuration:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>trace =\r
-{\r
- modules =\r
- {\r
- snort = { all = 1 }\r
- },\r
- constraints =\r
- {\r
- match = false\r
- }\r
-}</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_trace_module_configuring_trace_output_method">Trace module - configuring trace output method</h4>\r
-<div class="paragraph"><p>There is a capability to configure the output method for trace messages.\r
-The trace module has the <strong>output</strong> option with two acceptable values:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>"stdout" - printing to stdout\r
-"syslog" - printing to syslog</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>By default, the output method will be set based on the Snort run mode. Normally\r
-it will use stdout, but if -D (daemon mode) and/or -M (alert-syslog mode)\r
-are set, it will instead use syslog.</p></div>\r
-<div class="paragraph"><p>Example - set output method as syslog:</p></div>\r
-<div class="paragraph"><p>In snort.lua, the following lines were added:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>trace =\r
-{\r
- output = "syslog",\r
- modules =\r
- {\r
- detection = { all = 1 }\r
- }\r
-}</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>As a result, each trace message will be printed into syslog\r
-(the Snort run-mode will be ignored).</p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_configuring_traces_via_control_channel_command">Configuring traces via control channel command</h4>\r
-<div class="paragraph"><p>There is a capability to configure module trace options and packet constraints\r
-via the control channel command by using a Snort shell. In order to enable\r
-shell, Snort has to be configured and built with --enable-shell.</p></div>\r
-<div class="paragraph"><p>The trace control channel command is a way how to configure module trace\r
-options and/or packet filter constraints directly during Snort run and\r
-without reloading the entire config.</p></div>\r
-<div class="paragraph"><p>After entering the Snort shell, there are two commands available for\r
-the trace module:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>trace.set({ modules = {...}, constraints = {...} }) - set modules traces and constraints (should pass a valid Lua-entry)</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>trace.clear() - clear modules traces and constraints</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Also, it’s possible to omit tables in the trace.set() command:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>trace.set({constraints = {...}}) - set only filtering configuration keeping old modules traces</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>trace.set({modules = {...}}) - set only module trace options keeping old filtering constraints</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>trace.set({}) - disable traces and constraints (set to empty)</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_trace_messages_format">Trace messages format</h4>\r
-<div class="paragraph"><p>Each tracing message has a standard format:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code><module_name>:<option_name>:<message_log_level>: <particular_message></code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The stdout logger also prints thread type and thread instance ID at the beginning\r
-of each trace message in a colon-separated manner.</p></div>\r
-<div class="paragraph"><p>The capital letter at the beginning of the trace message indicates the thread type.</p></div>\r
-<div class="paragraph"><p>Possible thread types:\r
-C – main (control) thread\r
-P – packet thread\r
-O – other thread</p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_example_debugging_rules_using_detection_trace">Example - Debugging rules using detection trace</h4>\r
-<div class="paragraph"><p>The detection engine is responsible for rule evaluation. Turning on the\r
-trace for it can help with debugging new rules.</p></div>\r
-<div class="paragraph"><p>The relevant options for detection are as follow:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>rule_eval - follow rule evaluation\r
-buffer - print evaluated buffer if it changed (level 1) or at every step (level 5)\r
-rule_vars - print value of ips rule options vars\r
-fp_search - print information on fast pattern search</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Buffer print is useful, but in case the buffer is very big can be too verbose.\r
-Choose between verbosity levels 1, 5, or no buffer trace accordingly.</p></div>\r
-<div class="paragraph"><p>rule_vars is useful when the rule is using ips rule options vars.</p></div>\r
-<div class="paragraph"><p>In snort.lua, the following lines were added:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>trace =\r
-{\r
- modules =\r
- {\r
- detection =\r
- {\r
- rule_eval = 1,\r
- buffer = 1,\r
- rule_vars = 1,\r
- fp_search = 1\r
- }\r
- }\r
-}</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The pcap has a single packet with payload:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>10.AAAAAAAfoobar</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Evaluated on rules:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code># byte_math + oper with byte extract and content\r
-# VAL = 1, byte_math = 0 + 10\r
-alert tcp ( byte_extract: 1, 0, VAL, string, dec;\r
-byte_math:bytes 1,offset VAL,oper +, rvalue 10, result var1, string dec;\r
-content:"foo", offset var1; sid:3)</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>#This rule should not trigger\r
-alert tcp (content:"AAAAA"; byte_jump:2,0,relative;\r
-content:"foo", within 3; sid:2)</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The output:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>detection:rule_eval:1: packet 1 C2S 127.0.0.1:1234 127.0.0.1:5678 (fast-patterns)\r
-detection:rule_eval:1: Fast pattern search\r
-detection:fp_search:1: 1 fp packet[16]</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort.raw[16]:\r
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
-31 30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 10.AAAAAAAfoobar\r
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
-detection:rule_eval:1: Processing pattern match #1\r
-detection:rule_eval:1: Fast pattern packet[5] = 'AAAAA' |41 41 41 41 41 | ( )\r
-detection:rule_eval:1: Starting tree eval\r
-detection:rule_eval:1: Evaluating option content, cursor name pkt_data, cursor position 0</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort.raw[16]:\r
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
-31 30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 10.AAAAAAAfoobar\r
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
-detection:rule_vars:1: Rule options variables: var[0]=0 var[1]=0 var[2]=0\r
-detection:rule_eval:1: Evaluating option byte_jump, cursor name pkt_data, cursor position 8</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort.raw[8]:\r
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
-41 41 66 6F 6F 62 61 72 AAfoobar\r
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
-detection:rule_eval:1: no match\r
-detection:rule_vars:1: Rule options variables: var[0]=0 var[1]=0 var[2]=0\r
-detection:rule_eval:1: Evaluating option byte_jump, cursor name pkt_data, cursor position 9</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort.raw[7]:\r
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
-41 66 6F 6F 62 61 72 Afoobar\r
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
-detection:rule_eval:1: no match\r
-detection:rule_vars:1: Rule options variables: var[0]=0 var[1]=0 var[2]=0\r
-detection:rule_eval:1: Evaluating option byte_jump, cursor name pkt_data, cursor position 10</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort.raw[6]:\r
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
-66 6F 6F 62 61 72 foobar\r
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
-detection:rule_eval:1: no match\r
-detection:rule_eval:1: no match\r
-detection:rule_eval:1: Processing pattern match #2\r
-detection:rule_eval:1: Fast pattern packet[3] = 'foo' |66 6F 6F | ( )\r
-detection:rule_eval:1: Starting tree eval\r
-detection:rule_eval:1: Evaluating option byte_extract, cursor name pkt_data, cursor position 0</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort.raw[16]:\r
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
-31 30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 10.AAAAAAAfoobar\r
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
-detection:rule_vars:1: Rule options variables: var[0]=1 var[1]=0 var[2]=0\r
-detection:rule_eval:1: Evaluating option byte_math, cursor name pkt_data, cursor position 1</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort.raw[15]:\r
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
-30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 0.AAAAAAAfoobar\r
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
-detection:rule_vars:1: Rule options variables: var[0]=1 var[1]=10 var[2]=0\r
-detection:rule_eval:1: Evaluating option content, cursor name pkt_data, cursor position 2</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort.raw[14]:\r
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
-00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 .AAAAAAAfoobar\r
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
-detection:rule_vars:1: Rule options variables: var[0]=1 var[1]=10 var[2]=0\r
-detection:rule_eval:1: Reached leaf, cursor name pkt_data, cursor position 13</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort.raw[3]:\r
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
-62 61 72 bar\r
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
-detection:rule_eval:1: Matched rule gid:sid:rev 1:3:0\r
-detection:rule_vars:1: Rule options variables: var[0]=1 var[1]=10 var[2]=0\r
-04/22-20:21:40.905630, 1, TCP, raw, 56, C2S, 127.0.0.1:1234, 127.0.0.1:5678, 1:3:0, allow</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_example_protocols_decoding_trace">Example - Protocols decoding trace</h4>\r
-<div class="paragraph"><p>Turning on decode trace will print out information about the packets decoded\r
-protocols. Can be useful in case of tunneling.</p></div>\r
-<div class="paragraph"><p>Example for a icmpv4-in-ipv6 packet:</p></div>\r
-<div class="paragraph"><p>In snort.lua, the following line was added:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>trace =\r
-{\r
- modules =\r
- {\r
- decode = { all = 1 }\r
- }\r
-}</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The output:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>decode:all:1: Codec eth (protocol_id: 34525) ip header starts at: 0x7f70800110f0, length is 14\r
-decode:all:1: Codec ipv6 (protocol_id: 1) ip header starts at: 0x7f70800110f0, length is 40\r
-decode:all:1: Codec icmp4 (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 8\r
-decode:all:1: Codec unknown (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 0</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_example_track_the_time_packet_spends_in_each_inspector">Example - Track the time packet spends in each inspector</h4>\r
-<div class="paragraph"><p>There is a capability to track which inspectors evaluate a packet, and how much\r
-time the inspector consumes doing so. These trace messages could be enabled by\r
-the Snort module trace options:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>main - command execution traces (main trace logging)\r
-inspector_manager - inspectors execution and time tracking traces</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Example for a single packet with payload:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>10.AAAAAAAfoobar</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>In snort.lua, the following lines were added:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>trace =\r
-{\r
- modules =\r
- {\r
- snort =\r
- {\r
- -- could be replaced by 'all = 1'\r
- main = 1,\r
- inspector_manager = 1\r
- }\r
- }\r
-}</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The output:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort:main:1: [0] Queuing command START for execution (refcount 1)\r
-snort:main:1: [0] Queuing command RUN for execution (refcount 1)\r
-snort:main:1: [0] Destroying completed command START\r
-snort:inspector_manager:1: start inspection, raw, packet 1, context 1\r
-snort:inspector_manager:1: enter stream\r
-snort:inspector_manager:1: exit stream, elapsed time: 2 usec\r
-snort:inspector_manager:1: stop inspection, raw, packet 1, context 1, total time: 14 usec\r
-snort:inspector_manager:1: post detection inspection, raw, packet 1, context 1\r
-snort:inspector_manager:1: end inspection, raw, packet 1, context 1, total time: 0 usec\r
-snort:main:1: [0] Destroying completed command RUN</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_example_trace_filtering_by_packet_constraints">Example - trace filtering by packet constraints:</h4>\r
-<div class="paragraph"><p>In snort.lua, the following lines were added:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>ips =\r
-{\r
- rules =\r
- [[\r
- alert tcp any any -> any any ( msg: "ALERT_TCP"; gid: 1001; sid: 1001 )\r
- alert udp any any -> any any ( msg: "ALERT_UDP"; gid: 1002; sid: 1002 )\r
- ]]\r
-}</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>trace =\r
-{\r
- modules =\r
- {\r
- detection = { rule_eval = 1 }\r
- },\r
- constraints =\r
- {\r
- ip_proto = 17, -- udp\r
- dst_ip = "10.1.1.2",\r
- src_port = 100,\r
- dst_port = 200\r
- }\r
-}</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The processed traffic was next:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>d ( stack="eth:ip4:udp" )</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>c ( ip4:a="10.1.1.1", ip4:b="10.1.1.2", udp:a=100, udp:b=200 )\r
-a ( pay="pass" )\r
-b ( pay="pass" )</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>c ( ip4:a="10.2.1.1" )\r
-a ( pay="pass" )\r
-b ( pay="pass" )</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>c ( udp:a=101 )\r
-a ( pay="block" )\r
-b ( pay="block" )</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The output:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>detection:rule_eval:1: packet 1 UNK 10.1.1.1:100 10.1.1.2:200 (fast-patterns)\r
-detection:rule_eval:1: Fast pattern processing - no matches found\r
-detection:rule_eval:1: packet 1 UNK 10.1.1.1:100 10.1.1.2:200 (non-fast-patterns)\r
-detection:rule_eval:1: packet 2 UNK 10.1.1.2:200 10.1.1.1:100 (fast-patterns)\r
-detection:rule_eval:1: Fast pattern processing - no matches found\r
-detection:rule_eval:1: packet 2 UNK 10.1.1.2:200 10.1.1.1:100 (non-fast-patterns)\r
-detection:rule_eval:1: packet 3 UNK 10.2.1.1:100 10.1.1.2:200 (fast-patterns)\r
-detection:rule_eval:1: Fast pattern processing - no matches found\r
-detection:rule_eval:1: packet 3 UNK 10.2.1.1:100 10.1.1.2:200 (non-fast-patterns)\r
-detection:rule_eval:1: packet 4 UNK 10.1.1.2:200 10.2.1.1:100 (fast-patterns)\r
-detection:rule_eval:1: Fast pattern processing - no matches found\r
-detection:rule_eval:1: packet 4 UNK 10.1.1.2:200 10.2.1.1:100 (non-fast-patterns)</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The trace messages for two last packets (numbers 5 and 6) weren’t printed.</p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_example_configuring_traces_via_trace_set_command">Example - configuring traces via trace.set() command</h4>\r
-<div class="paragraph"><p>In snort.lua, the following lines were added:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>ips =\r
-{\r
- rules =\r
- [[\r
- alert tcp any any -> any any ( msg: "ALERT_TCP"; gid: 1001; sid: 1001 )\r
- alert udp any any -> any any ( msg: "ALERT_UDP"; gid: 1002; sid: 1002 )\r
- ]]\r
-}</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>trace =\r
-{\r
- constraints =\r
- {\r
- ip_proto = 17, -- udp\r
- dst_ip = "10.1.1.2",\r
- src_port = 100,\r
- dst_port = 200\r
- },\r
- modules =\r
- {\r
- detection = { rule_eval = 1 }\r
- }\r
-}</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The processed traffic was next:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code># Flow 1\r
-d ( stack="eth:ip4:udp" )\r
-c ( ip4:a="10.1.1.1", ip4:b="10.1.1.2", udp:a=100, udp:b=200 )\r
-a ( data="udp packet 1" )\r
-a ( data="udp packet 2" )</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code># Flow 2\r
-d ( stack="eth:ip4:tcp" )\r
-c ( ip4:a="10.1.1.3", ip4:b="10.1.1.4", tcp:a=5000, tcp:b=6000 )\r
-a ( syn )\r
-b ( syn, ack )\r
-a ( ack )\r
-a ( ack, data="tcp packet 1" )\r
-a ( ack, data="tcp packet 2" )\r
-a ( fin, ack )\r
-b ( fin, ack )</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>After 1 packet, entering shell and pass the trace.set() command as follows:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>trace.set({ constraints = { ip_proto = 6, dst_ip = "10.1.1.4", src_port = 5000, dst_port = 6000 }, modules = { decode = { all = 1 }, detection = { rule_eval = 1 } } })</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The output (not full, only descriptive lines):</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>detection:rule_eval:1: packet 1 UNK 10.1.1.1:100 10.1.1.2:200 (fast-patterns)\r
-detection:rule_eval:1: packet 1 UNK 10.1.1.1:100 10.1.1.2:200 (non-fast-patterns)\r
-decode:all:1: Codec udp (protocol_id: 256) ip header starts length is 8\r
-decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20\r
-detection:rule_eval:1: packet 3 UNK 10.1.1.3:5000 10.1.1.4:6000 (fast-patterns)\r
-detection:rule_eval:1: packet 3 UNK 10.1.1.3:5000 10.1.1.4:6000 (non-fast-patterns)\r
-decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20\r
-detection:rule_eval:1: packet 4 UNK 10.1.1.4:6000 10.1.1.3:5000 (fast-patterns)\r
-detection:rule_eval:1: packet 4 UNK 10.1.1.4:6000 10.1.1.3:5000 (non-fast-patterns)\r
-decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20\r
-detection:rule_eval:1: packet 5 UNK 10.1.1.3:5000 10.1.1.4:6000 (fast-patterns)\r
-detection:rule_eval:1: packet 5 UNK 10.1.1.3:5000 10.1.1.4:6000 (non-fast-patterns)\r
-decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20\r
-detection:rule_eval:1: packet 6 UNK 10.1.1.3:5000 10.1.1.4:6000 (fast-patterns)\r
-detection:rule_eval:1: packet 6 UNK 10.1.1.3:5000 10.1.1.4:6000 (non-fast-patterns)\r
-decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20\r
-detection:rule_eval:1: packet 7 UNK 10.1.1.3:5000 10.1.1.4:6000 (fast-patterns)\r
-detection:rule_eval:1: packet 7 UNK 10.1.1.3:5000 10.1.1.4:6000 (non-fast-patterns)\r
-decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20\r
-detection:rule_eval:1: packet 8 UNK 10.1.1.3:5000 10.1.1.4:6000 (fast-patterns)\r
-detection:rule_eval:1: packet 8 UNK 10.1.1.3:5000 10.1.1.4:6000 (non-fast-patterns)\r
-decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20\r
-detection:rule_eval:1: packet 9 UNK 10.1.1.4:6000 10.1.1.3:5000 (fast-patterns)\r
-detection:rule_eval:1: packet 9 UNK 10.1.1.4:6000 10.1.1.3:5000 (non-fast-patterns)</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The new configuration was applied. <strong>decode:all:1</strong> messages aren’t filtered\r
-because they don’t include a packet (a packet isn’t well-formed at the point\r
-when the message is printing).</p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_other_available_traces">Other available traces</h4>\r
-<div class="paragraph"><p>There are more trace options supported by detection:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>detect_engine - prints statistics about the engine\r
-pkt_detect - prints a message when disabling content detect for packet\r
-opt_tree - prints option tree data structure\r
-tag - prints a message when a new tag is added</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The rest support only 1 option, and can be turned on by adding all = 1 to\r
-their table in trace lua config.</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-stream module trace:\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>When turned on prints a message in case inspection is stopped on a flow.\r
-Example for output:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>stream:all:1: stop inspection on flow, dir BOTH</code></pre>\r
-</div></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-stream_ip, stream_user: trace will output general processing messages\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Other modules that support trace have messages as seemed fit to the developer.\r
-Some are for corner cases, others for complex data structures.</p></div>\r
-</div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_wizard">Wizard</h3>\r
-<div class="paragraph"><p>Using the wizard enables port-independent configuration and the detection of\r
-malware command and control channels. If the wizard is bound to a session, it\r
-peeks at the initial payload to determine the service. For example, <em>GET</em>\r
-would indicate HTTP and <em>HELO</em> would indicate SMTP. Upon finding a match, the\r
-service bindings are reevaluated so the session can be handed off to the\r
-appropriate inspector. The wizard is still under development; if you find you\r
-need to tweak the defaults please let us know.</p></div>\r
-<div class="paragraph"><p>Additional Details:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-If the wizard and one or more service inspectors are configured w/o\r
- explicitly configuring the binder, default bindings will be generated which\r
- should work for most common cases.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Also note that while Snort 2 bindings can only be configured in the\r
- default policy, each Snort 3 policy can contain a binder leading to an\r
- arbitrary hierarchy.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-The entire configuration can be reloaded and hot-swapped during run-time\r
- via signal or command in both Snort 2 and Snort 3. Ultimately, Snort 3\r
- will support commands to update the binder on the fly, thus enabling\r
- incremental reloads of individual inspectors.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Both Snort 2 and Snort 3 support server specific configurations via a hosts\r
- table (XML in Snort 2 and Lua in Snort 3). The table allows you to\r
- map network, protocol, and port to a service and policy. This table can\r
- be reloaded and hot-swapped separately from the config file.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-You can find the specifics on the binder, wizard, and hosts tables in the\r
- manual or command line like this: snort --help-module binder, etc.\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-</div>\r
-</div>\r
-<div class="sect1">\r
-<h2 id="_basic_modules">Basic Modules</h2>\r
-<div class="sectionbody">\r
-<div class="paragraph"><p>Internal modules which are not plugins are termed "basic". These include\r
-configuration for core processing.</p></div>\r
-<div class="sect2">\r
-<h3 id="_active">active</h3>\r
-<div class="paragraph"><p>What: configure responses</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>active.attempts</strong> = 0: number of TCP packets sent per response (with varying sequence numbers) { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>active.device</strong>: use <em>ip</em> for network layer responses or <em>eth0</em> etc for link layer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>active.dst_mac</strong>: use format <em>01:23:45:67:89:ab</em>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>active.max_responses</strong> = 0: maximum number of responses { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>active.min_interval</strong> = 255: minimum number of seconds between responses { 1:255 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>active.injects</strong>: total crafted packets encoded and injected (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>active.failed_injects</strong>: total crafted packet encode + injects that failed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>active.direct_injects</strong>: total crafted packets directly injected (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>active.failed_direct_injects</strong>: total crafted packet direct injects that failed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>active.holds_denied</strong>: total number of packet hold requests denied (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>active.holds_canceled</strong>: total number of packet hold requests canceled (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>active.holds_allowed</strong>: total number of packet hold requests allowed (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_alerts_2">alerts</h3>\r
-<div class="paragraph"><p>What: configure alerts</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-bool <strong>alerts.alert_with_interface_name</strong> = false: include interface in alert info (fast, full, or syslog only)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>alerts.detection_filter_memcap</strong> = 1048576: set available MB of memory for detection_filters { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>alerts.event_filter_memcap</strong> = 1048576: set available MB of memory for event_filters { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>alerts.log_references</strong> = false: include rule references in alert info (full only)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>alerts.order</strong> = pass reset block drop alert log: change the order of rule action application\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>alerts.rate_filter_memcap</strong> = 1048576: set available MB of memory for rate_filters { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>alerts.reference_net</strong>: set the CIDR for homenet (for use with -l or -B, does NOT change $HOME_NET in IDS mode)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>alerts.stateful</strong> = false: don’t alert w/o established session (note: rule action still taken)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>alerts.tunnel_verdicts</strong>: let DAQ handle non-allow verdicts for gtp|teredo|6in4|4in6|4in4|6in6|gre|mpls|vxlan traffic\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_attribute_table">attribute_table</h3>\r
-<div class="paragraph"><p>What: configure hosts loading</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>attribute_table.hosts_file</strong>: filename to load attribute host table from\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>attribute_table.max_hosts</strong> = 1024: maximum number of hosts in attribute table { 32:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>attribute_table.max_services_per_host</strong> = 8: maximum number of services per host entry in attribute table { 1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>attribute_table.max_metadata_services</strong> = 9: maximum number of services in rule { 1:255 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_classifications">classifications</h3>\r
-<div class="paragraph"><p>What: define rule categories with priority</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong><code>classifications[].name</code></strong>: name used with classtype rule option\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>classifications[].priority</code></strong> = 1: default priority for class { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>classifications[].text</code></strong>: description of class\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_daq">daq</h3>\r
-<div class="paragraph"><p>What: configure packet acquisition interface</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong><code>daq.module_dirs[].path</code></strong>: directory path\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>daq.inputs[].input</code></strong>: input source\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>daq.snaplen</strong> = 1518: set snap length (same as -s) { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>daq.batch_size</strong> = 64: set receive batch size (same as --daq-batch-size) { 1: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>daq.modules[].name</code></strong>: DAQ module name (required)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong><code>daq.modules[].mode</code></strong> = passive: DAQ module mode { passive | inline | read-file }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>daq.modules[].variables[].variable</code></strong>: DAQ module variable (foo[=bar])\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>daq.pcaps</strong>: total files and interfaces processed (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.received</strong>: total packets received from DAQ (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.analyzed</strong>: total packets analyzed from DAQ (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.dropped</strong>: packets dropped (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.filtered</strong>: packets filtered out (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.outstanding</strong>: packets unprocessed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.injected</strong>: active responses or replacements (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.allow</strong>: total allow verdicts (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.block</strong>: total block verdicts (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.replace</strong>: total replace verdicts (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.whitelist</strong>: total whitelist verdicts (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.blacklist</strong>: total blacklist verdicts (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.ignore</strong>: total ignore verdicts (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.retry</strong>: total retry verdicts (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.internal_blacklist</strong>: packets blacklisted internally due to lack of DAQ support (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.internal_whitelist</strong>: packets whitelisted internally due to lack of DAQ support (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.skipped</strong>: packets skipped at startup (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.idle</strong>: attempts to acquire from DAQ without available packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.rx_bytes</strong>: total bytes received (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.expected_flows</strong>: expected flows created in DAQ (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.retries_queued</strong>: messages queued for retry (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.retries_dropped</strong>: messages dropped when overrunning the retry queue (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.retries_processed</strong>: messages processed from the retry queue (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.retries_discarded</strong>: messages discarded when purging the retry queue (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.sof_messages</strong>: start of flow messages received from DAQ (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.eof_messages</strong>: end of flow messages received from DAQ (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.other_messages</strong>: messages received from DAQ with unrecognized message type (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_decode">decode</h3>\r
-<div class="paragraph"><p>What: general decoder rules</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>116:150</strong> (decode) loopback IP\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:151</strong> (decode) same src/dst IP\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:293</strong> (decode) two or more IP (v4 and/or v6) encapsulation layers present\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:449</strong> (decode) unassigned/reserved IP protocol\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:450</strong> (decode) bad IP protocol\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:459</strong> (decode) fragment with zero length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:472</strong> (decode) too many protocols present\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:473</strong> (decode) ether type out of range\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_detection">detection</h3>\r
-<div class="paragraph"><p>What: configure general IPS rule processing parameters</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>detection.asn1</strong> = 0: maximum decode nodes { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>detection.global_default_rule_state</strong> = true: enable or disable rules by default (overridden by ips policy settings)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>detection.global_rule_state</strong> = false: apply rule_state against all policies\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>detection.hyperscan_literals</strong> = false: use hyperscan for content literal searches instead of boyer-moore\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>detection.offload_limit</strong> = 99999: minimum sizeof PDU to offload fast pattern search (defaults to disabled) { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>detection.offload_threads</strong> = 0: maximum number of simultaneous offloads (defaults to disabled) { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>detection.pcre_enable</strong> = true: enable pcre pattern matching\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>detection.pcre_match_limit</strong> = 1500: limit pcre backtracking, 0 = off { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>detection.pcre_match_limit_recursion</strong> = 1500: limit pcre stack consumption, 0 = off { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>detection.pcre_override</strong> = true: enable pcre match limit overrides when pattern matching (ie ignore /O)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>detection.pcre_to_regex</strong> = false: enable the use of regex instead of pcre for compatible expressions\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>detection.enable_address_anomaly_checks</strong> = false: enable check and alerting of address anomalies\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>detection.analyzed</strong>: total packets processed (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.hard_evals</strong>: non-fast pattern rule evaluations (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.raw_searches</strong>: fast pattern searches in raw packet data (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.cooked_searches</strong>: fast pattern searches in cooked packet data (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.pkt_searches</strong>: fast pattern searches in packet data (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.alt_searches</strong>: alt fast pattern searches in packet data (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.key_searches</strong>: fast pattern searches in key buffer (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.header_searches</strong>: fast pattern searches in header buffer (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.body_searches</strong>: fast pattern searches in body buffer (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.file_searches</strong>: fast pattern searches in file buffer (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.raw_key_searches</strong>: fast pattern searches in raw key buffer (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.raw_header_searches</strong>: fast pattern searches in raw header buffer (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.method_searches</strong>: fast pattern searches in method buffer (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.stat_code_searches</strong>: fast pattern searches in status code buffer (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.stat_msg_searches</strong>: fast pattern searches in status message buffer (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.cookie_searches</strong>: fast pattern searches in cookie buffer (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.offloads</strong>: fast pattern searches that were offloaded (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.alerts</strong>: alerts not including IP reputation (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.total_alerts</strong>: alerts including IP reputation (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.logged</strong>: logged packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.passed</strong>: passed packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.match_limit</strong>: fast pattern matches not processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.queue_limit</strong>: events not queued because queue full (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.log_limit</strong>: events queued but not logged (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.event_limit</strong>: events filtered (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.alert_limit</strong>: events previously triggered on same PDU (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.context_stalls</strong>: times processing stalled to wait for an available context (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.offload_busy</strong>: times offload was not available (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.onload_waits</strong>: times processing waited for onload to complete (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.offload_fallback</strong>: fast pattern offload search fallback attempts (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.offload_failures</strong>: fast pattern offload search failures (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.offload_suspends</strong>: fast pattern search suspends due to offload context chains (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.pcre_match_limit</strong>: total number of times pcre hit the match limit (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.pcre_recursion_limit</strong>: total number of times pcre hit the recursion limit (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.pcre_error</strong>: total number of times pcre returns error (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_event_filter">event_filter</h3>\r
-<div class="paragraph"><p>What: configure thresholding of events</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong><code>event_filter[].gid</code></strong> = 1: rule generator ID { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>event_filter[].sid</code></strong> = 1: rule signature ID { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong><code>event_filter[].type</code></strong>: 1st count events | every count events | once after count events { limit | threshold | both }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong><code>event_filter[].track</code></strong>: filter only matching source or destination addresses { by_src | by_dst }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>event_filter[].count</code></strong> = 0: number of events in interval before tripping; -1 to disable { -1:max31 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>event_filter[].seconds</code></strong> = 0: count interval { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>event_filter[].ip</code></strong>: restrict filter to these addresses according to track\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>event_filter.no_memory_local</strong>: number of times event filter ran out of local memory (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>event_filter.no_memory_global</strong>: number of times event filter ran out of global memory (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_event_queue">event_queue</h3>\r
-<div class="paragraph"><p>What: configure event queue parameters</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>event_queue.max_queue</strong> = 8: maximum events to queue { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>event_queue.log</strong> = 3: maximum events to log { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>event_queue.order_events</strong> = content_length: criteria for ordering incoming events { priority|content_length }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>event_queue.process_all_events</strong> = false: process just first action group or all action groups\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_high_availability_2">high_availability</h3>\r
-<div class="paragraph"><p>What: implement flow tracking high availability</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-bool <strong>high_availability.enable</strong> = false: enable high availability\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>high_availability.daq_channel</strong> = false: enable use of daq data plane channel\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bit_list <strong>high_availability.ports</strong>: side channel message port list { 65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>high_availability.min_age</strong> = 0: minimum session life in milliseconds before HA updates { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>high_availability.min_sync</strong> = 0: minimum interval in milliseconds between HA updates { 0:max32 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>high_availability.msgs_recv</strong>: total messages received (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>high_availability.update_msgs_recv</strong>: update messages received (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>high_availability.update_msgs_recv_no_flow</strong>: update messages received without a local flow (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>high_availability.update_msgs_consumed</strong>: update messages fully consumed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>high_availability.delete_msgs_consumed</strong>: deletion messages consumed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>high_availability.daq_stores</strong>: states stored via daq (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>high_availability.daq_imports</strong>: states imported via daq (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>high_availability.msg_version_mismatch</strong>: messages received with a version mismatch (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>high_availability.msg_length_mismatch</strong>: messages received with an inconsistent total length (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>high_availability.truncated_msgs</strong>: truncated messages received (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>high_availability.unknown_key_type</strong>: messages received with an unknown flow key type (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>high_availability.unknown_client_idx</strong>: messages received with an unknown client index (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>high_availability.client_consume_errors</strong>: client data consume failure count (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_host_cache">host_cache</h3>\r
-<div class="paragraph"><p>What: global LRU cache of host_tracker data about hosts</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>host_cache.dump_file</strong>: file name to dump host cache on shutdown; won’t dump by default\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>host_cache.memcap</strong> = 8388608: maximum host cache size in bytes { 512:maxSZ }\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Commands:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>host_cache.dump</strong>(file_name): dump host cache\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>host_cache.adds</strong>: lru cache added new entry (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>host_cache.alloc_prunes</strong>: lru cache pruned entry to make space for new entry (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>host_cache.find_hits</strong>: lru cache found entry in cache (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>host_cache.find_misses</strong>: lru cache did not find entry in cache (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>host_cache.reload_prunes</strong>: lru cache pruned entry for lower memcap during reload (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>host_cache.removes</strong>: lru cache found entry and removed it (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>host_cache.replaced</strong>: lru cache found entry and replaced it (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_host_tracker">host_tracker</h3>\r
-<div class="paragraph"><p>What: configure hosts</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-addr <strong><code>host_tracker[].ip</code></strong>: hosts address / cidr\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-port <strong><code>host_tracker[].services[].port</code></strong>: port number\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong><code>host_tracker[].services[].proto</code></strong>: IP protocol { ip | tcp | udp }\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>host_tracker.service_adds</strong>: host service adds (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>host_tracker.service_finds</strong>: host service finds (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_hosts">hosts</h3>\r
-<div class="paragraph"><p>What: configure hosts</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-addr <strong><code>hosts[].ip</code></strong> = 0.0.0.0/32: hosts address / CIDR\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong><code>hosts[].frag_policy</code></strong>: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong><code>hosts[].tcp_policy</code></strong>: TCP reassembly policy { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>hosts[].services[].name</code></strong>: service identifier\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong><code>hosts[].services[].proto</code></strong> = tcp: IP protocol { tcp | udp }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-port <strong><code>hosts[].services[].port</code></strong>: port number\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_inspection">inspection</h3>\r
-<div class="paragraph"><p>What: configure basic inspection policy parameters</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>inspection.id</strong> = 0: correlate policy and events with other items in configuration { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>inspection.uuid</strong>: correlate events by uuid\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>inspection.mode</strong> = inline-test: set policy mode { inline | inline-test }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_ips">ips</h3>\r
-<div class="paragraph"><p>What: configure IPS rule processing</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-enum <strong>ips.default_rule_state</strong> = inherit: enable or disable ips rules { no | yes | inherit }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>ips.enable_builtin_rules</strong> = false: enable events from builtin rules w/o stubs\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>ips.id</strong> = 0: correlate unified2 events with configuration { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>ips.include</strong>: snort rules and includes\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>ips.includer</strong>: for internal use; where includes are included from { (optional) }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>ips.mode</strong>: set policy mode { tap | inline | inline-test }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>ips.obfuscate_pii</strong> = false: mask all but the last 4 characters of credit card and social security numbers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>ips.rules</strong>: snort rules and includes (may contain states too)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>ips.states</strong>: snort rule states and includes (may contain rules too)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>ips.uuid</strong> = 00000000-0000-0000-0000-000000000000: IPS policy uuid\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_latency">latency</h3>\r
-<div class="paragraph"><p>What: packet and rule latency monitoring and control</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>latency.packet.max_time</strong> = 500: set timeout for packet latency thresholding (usec) { 0:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>latency.packet.fastpath</strong> = false: fastpath expensive packets (max_time exceeded)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>latency.rule.max_time</strong> = 500: set timeout for rule evaluation (usec) { 0:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>latency.rule.suspend</strong> = false: temporarily suspend expensive rules\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>latency.rule.suspend_threshold</strong> = 5: set threshold for number of timeouts before suspending a rule { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>latency.rule.max_suspend_time</strong> = 30000: set max time for suspending a rule (ms, 0 means permanently disable rule) { 0:max32 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>134:1</strong> (latency) rule tree suspended due to latency\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>134:2</strong> (latency) rule tree re-enabled after suspend timeout\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>134:3</strong> (latency) packet fastpathed due to latency\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>latency.total_packets</strong>: total packets monitored (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>latency.total_usecs</strong>: total usecs elapsed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>latency.max_usecs</strong>: maximum usecs elapsed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>latency.packet_timeouts</strong>: packets that timed out (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>latency.total_rule_evals</strong>: total rule evals monitored (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>latency.rule_eval_timeouts</strong>: rule evals that timed out (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>latency.rule_tree_enables</strong>: rule tree re-enables (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_memory">memory</h3>\r
-<div class="paragraph"><p>What: memory management configuration</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>memory.cap</strong> = 0: set the per-packet-thread cap on memory (bytes, 0 to disable) { 0:maxSZ }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>memory.threshold</strong> = 0: set the per-packet-thread threshold for preemptive cleanup actions (percent, 0 to disable) { 0:100 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>memory.allocations</strong>: total number of allocations (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>memory.deallocations</strong>: total number of deallocations (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>memory.allocated</strong>: total amount of memory allocated (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>memory.deallocated</strong>: total amount of memory allocated (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>memory.reap_attempts</strong>: attempts to reclaim memory (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>memory.reap_failures</strong>: failures to reclaim memory (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>memory.max_in_use</strong>: highest allocated - deallocated (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>memory.total_fudge</strong>: sum of all adjustments (now)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_network">network</h3>\r
-<div class="paragraph"><p>What: configure basic network parameters</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-multi <strong>network.checksum_drop</strong> = none: drop if checksum is bad { all | ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-multi <strong>network.checksum_eval</strong> = all: checksums to verify { all | ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>network.id</strong> = 0: correlate unified2 events with configuration { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>network.min_ttl</strong> = 1: alert / normalize packets with lower TTL / hop limit (you must enable rules and / or normalization also) { 1:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>network.new_ttl</strong> = 1: use this value for responses and when normalizing { 1:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>network.layers</strong> = 40: the maximum number of protocols that Snort can correctly decode { 3:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>network.max_ip6_extensions</strong> = 0: the maximum number of IP6 options Snort will process for a given IPv6 layer before raising 116:456 (0 = unlimited) { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>network.max_ip_layers</strong> = 0: the maximum number of IP layers Snort will process for a given packet before raising 116:293 (0 = unlimited) { 0:255 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_output_2">output</h3>\r
-<div class="paragraph"><p>What: configure general output parameters</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-bool <strong>output.dump_chars_only</strong> = false: turns on character dumps (same as -C)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>output.dump_payload</strong> = false: dumps application layer (same as -d)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>output.dump_payload_verbose</strong> = false: dumps raw packet starting at link layer (same as -X)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>output.event_trace.max_data</strong> = 0: maximum amount of packet data to capture { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>output.quiet</strong> = false: suppress normal logging on stdout (same as -q)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>output.logdir</strong> = .: where to put log files (same as -l)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>output.show_year</strong> = false: include year in timestamp in the alert and log files (same as -y)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>output.tagged_packet_limit</strong> = 256: maximum number of packets tagged for non-packet metrics { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>output.verbose</strong> = false: be verbose (same as -v)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>output.obfuscate</strong> = false: obfuscate the logged IP addresses (same as -O)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>output.wide_hex_dump</strong> = false: output 20 bytes per lines instead of 16 when dumping buffers\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_packet_tracer">packet_tracer</h3>\r
-<div class="paragraph"><p>What: generate debug trace messages for packets</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-bool <strong>packet_tracer.enable</strong> = false: enable summary output of state that determined packet verdict\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>packet_tracer.output</strong> = console: select where to send packet trace { console | file }\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Commands:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>packet_tracer.enable</strong>(proto, src_ip, src_port, dst_ip, dst_port): enable packet tracer debugging\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>packet_tracer.disable</strong>(): disable packet tracer\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_packets">packets</h3>\r
-<div class="paragraph"><p>What: configure basic packet handling</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-bool <strong>packets.address_space_agnostic</strong> = false: determines whether DAQ address space info is used to track fragments and connections\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>packets.bpf_file</strong>: file with BPF to select traffic for Snort\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>packets.limit</strong> = 0: maximum number of packets to process before stopping (0 is unlimited) { 0:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>packets.skip</strong> = 0: number of packets to skip before before processing { 0:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>packets.vlan_agnostic</strong> = false: determines whether VLAN info is used to track fragments and connections\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_payload_injector">payload_injector</h3>\r
-<div class="paragraph"><p>What: payload injection utility</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>payload_injector.http_injects</strong>: total number of http injections (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_process">process</h3>\r
-<div class="paragraph"><p>What: configure basic process setup</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>process.chroot</strong>: set chroot directory (same as -t)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>process.threads[].cpuset</code></strong>: pin the associated thread to this cpuset\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>process.threads[].thread</code></strong>: set cpu affinity for the <cur_thread_num> thread that runs { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong><code>process.threads[].type</code></strong>: define which threads will have specified affinity, by their type { other|packet|main }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>process.threads[].name</code></strong>: define which threads will have specified affinity, by thread name\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>process.daemon</strong> = false: fork as a daemon (same as -D)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>process.dirty_pig</strong> = false: shutdown without internal cleanup\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>process.set_gid</strong>: set group ID (same as -g)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>process.set_uid</strong>: set user ID (same as -u)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>process.umask</strong>: set process umask (same as -m) { 0x000:0x1FF }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>process.utc</strong> = false: use UTC instead of local time for timestamps\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_profiler">profiler</h3>\r
-<div class="paragraph"><p>What: configure profiling of rules and/or modules</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-bool <strong>profiler.modules.show</strong> = true: show module time profile stats\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>profiler.modules.count</strong> = 0: limit results to count items per level (0 = no limit) { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>profiler.modules.sort</strong> = total_time: sort by given field { none | checks | avg_check | total_time }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>profiler.modules.max_depth</strong> = -1: limit depth to max_depth (-1 = no limit) { -1:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>profiler.memory.show</strong> = true: show module memory profile stats\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>profiler.memory.count</strong> = 0: limit results to count items per level (0 = no limit) { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>profiler.memory.sort</strong> = total_used: sort by given field { none | allocations | total_used | avg_allocation }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>profiler.memory.max_depth</strong> = -1: limit depth to max_depth (-1 = no limit) { -1:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>profiler.rules.show</strong> = true: show rule time profile stats\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>profiler.rules.count</strong> = 0: print results to given level (0 = all) { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>profiler.rules.sort</strong> = total_time: sort by given field { none | checks | avg_check | total_time | matches | no_matches | avg_match | avg_no_match }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_rate_filter">rate_filter</h3>\r
-<div class="paragraph"><p>What: configure rate filters (which change rule actions)</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong><code>rate_filter[].gid</code></strong> = 1: rule generator ID { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>rate_filter[].sid</code></strong> = 1: rule signature ID { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong><code>rate_filter[].track</code></strong> = by_src: filter only matching source or destination addresses { by_src | by_dst | by_rule }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>rate_filter[].count</code></strong> = 1: number of events in interval before tripping { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>rate_filter[].seconds</code></strong> = 1: count interval { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong><code>rate_filter[].new_action</code></strong> = alert: take this action on future hits until timeout { log | pass | alert | drop | block | reset }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>rate_filter[].timeout</code></strong> = 1: count interval { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>rate_filter[].apply_to</code></strong>: restrict filter to these addresses according to track\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>rate_filter.no_memory</strong>: number of times rate filter ran out of memory (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_references">references</h3>\r
-<div class="paragraph"><p>What: define reference systems used in rules</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong><code>references[].name</code></strong>: name used with reference rule option\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>references[].url</code></strong>: where this reference is defined\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_rule_state">rule_state</h3>\r
-<div class="paragraph"><p>What: enable/disable and set actions for specific IPS rules; deprecated, use rule state stubs with enable instead</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-enum <strong><code>rule_state.$gid_sid[].action</code></strong> = alert: apply action if rule matches or inherit from rule definition { log | pass | alert | drop | block | reset }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong><code>rule_state.$gid_sid[].enable</code></strong> = inherit: enable or disable rule in current ips policy or use default defined by ips policy { no | yes | inherit }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_search_engine">search_engine</h3>\r
-<div class="paragraph"><p>What: configure fast pattern matcher</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>search_engine.bleedover_port_limit</strong> = 1024: maximum ports in rule before demotion to any-any port group { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>search_engine.bleedover_warnings_enabled</strong> = false: print warning if a rule is demoted to any-any port group\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>search_engine.enable_single_rule_group</strong> = false: put all rules into one group\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>search_engine.debug</strong> = false: print verbose fast pattern info\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>search_engine.debug_print_nocontent_rule_tests</strong> = false: print rule group info during packet evaluation\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>search_engine.debug_print_rule_group_build_details</strong> = false: print rule group info during compilation\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>search_engine.debug_print_rule_groups_uncompiled</strong> = false: prints uncompiled rule group information\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>search_engine.debug_print_rule_groups_compiled</strong> = false: prints compiled rule group information\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>search_engine.max_pattern_len</strong> = 0: truncate patterns when compiling into state machine (0 means no maximum) { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>search_engine.max_queue_events</strong> = 5: maximum number of matching fast pattern states to queue per packet { 2:100 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>search_engine.detect_raw_tcp</strong> = false: detect on TCP payload before reassembly\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-dynamic <strong>search_engine.search_method</strong> = ac_bnfa: set fast pattern algorithm - choose available search engine { ac_banded | ac_bnfa | ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan | lowmem }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-dynamic <strong>search_engine.offload_search_method</strong>: set fast pattern offload algorithm - choose available search engine { ac_banded | ac_bnfa | ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan | lowmem }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>search_engine.search_optimize</strong> = true: tweak state machine construction for better performance\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>search_engine.show_fast_patterns</strong> = false: print fast pattern info for each rule\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>search_engine.split_any_any</strong> = true: evaluate any-any rules separately to save memory\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>search_engine.queue_limit</strong> = 128: maximum number of fast pattern matches to queue per packet (0 means no maximum) { 0:max32 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>search_engine.max_queued</strong>: maximum fast pattern matches queued for further evaluation (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>search_engine.total_flushed</strong>: total fast pattern matches processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>search_engine.total_inserts</strong>: total fast pattern hits (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>search_engine.total_overruns</strong>: fast pattern matches discarded due to overflow (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>search_engine.total_unique</strong>: total unique fast pattern hits (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>search_engine.non_qualified_events</strong>: total non-qualified events (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>search_engine.qualified_events</strong>: total qualified events (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>search_engine.searched_bytes</strong>: total bytes searched (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_side_channel_2">side_channel</h3>\r
-<div class="paragraph"><p>What: implement the side-channel asynchronous messaging subsystem</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-bit_list <strong>side_channel.ports</strong>: side channel message port list { 65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>side_channel.connectors[].connector</code></strong>: connector handle\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>side_channel.connector</strong>: connector handle\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>side_channel.packets</strong>: total packets (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_snort">snort</h3>\r
-<div class="paragraph"><p>What: command line configuration and shell commands</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>snort.-?</strong>: <option prefix> output matching command line option quick help (same as --help-options) { (optional) }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.-A</strong>: <mode> set alert mode: none, cmg, or alert_*\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-addr <strong>snort.-B</strong> = 255.255.255.255/32: <mask> obfuscated IP addresses in alerts and packet dumps using CIDR mask\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.-C</strong>: print out payloads with character data only (no hex)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.-c</strong>: <conf> use this configuration\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.-D</strong>: run Snort in background (daemon) mode\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.-d</strong>: dump the Application Layer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.-e</strong>: display the second layer header info\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.-f</strong>: turn off fflush() calls after binary log writes\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>snort.-G</strong>: <0xid> (same as --logid) { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.-g</strong>: <gname> run snort gid as <gname> group (or gid) after initialization\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.-H</strong>: make hash tables deterministic\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.-i</strong>: <iface>… list of interfaces\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-port <strong>snort.-j</strong>: <port> to listen for Telnet connections\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>snort.-k</strong> = all: <mode> checksum mode; default is all { all|noip|notcp|noudp|noicmp|none }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.-L</strong>: <mode> logging mode (none, dump, pcap, or log_*)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.-l</strong>: <logdir> log to this directory instead of current directory\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.-M</strong>: log messages to syslog (not alerts)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>snort.-m</strong>: <umask> set the process file mode creation mask { 0x000:0x1FF }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>snort.-n</strong>: <count> stop after count packets { 0:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.-O</strong>: obfuscate the logged IP addresses\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.-Q</strong>: enable inline mode operation\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.-q</strong>: quiet mode - suppress normal logging on stdout\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.-R</strong>: <rules> include this rules file in the default policy\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.-r</strong>: <pcap>… (same as --pcap-list)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.-S</strong>: <x=v> set config variable x equal to value v\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>snort.-s</strong> = 1518: <snap> (same as --snaplen); default is 1518 { 68:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.-T</strong>: test and report on the current Snort configuration\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.-t</strong>: <dir> chroots process to <dir> after initialization\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.-U</strong>: use UTC for timestamps\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.-u</strong>: <uname> run snort as <uname> or <uid> after initialization\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.-V</strong>: (same as --version)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.-v</strong>: be verbose\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.-X</strong>: dump the raw packet data starting at the link layer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.-x</strong>: same as --pedantic\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.-y</strong>: include year in timestamp in the alert and log files\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>snort.-z</strong>: <count> maximum number of packet threads (same as --max-packet-threads); 0 gets the number of CPU cores reported by the system; default is 1 { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--alert-before-pass</strong>: evaluate alert rules before pass rules; default is pass rules first\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--bpf</strong>: <filter options> are standard BPF options, as seen in TCPDump\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--c2x</strong>: output hex for given char (see also --x2c)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--control-socket</strong>: <file> to create unix socket\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--create-pidfile</strong>: create PID file, even when not in Daemon mode\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--daq</strong>: <type> select packet acquisition module (default is pcap)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>snort.--daq-batch-size</strong> = 64: <size> set the DAQ receive batch size { 1: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--daq-dir</strong>: <dir> tell snort where to find desired DAQ\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--daq-list</strong>: list packet acquisition modules available in optional dir, default is static modules only\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>snort.--daq-mode</strong>: <mode> select DAQ module operating mode (overrides automatic selection) { passive | inline | read-file }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--daq-var</strong>: <name=value> specify extra DAQ configuration variable\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--dirty-pig</strong>: don’t flush packets on shutdown\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--dump-builtin-rules</strong>: [<module prefix>] output stub rules for selected modules { (optional) }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--dump-dynamic-rules</strong>: output stub rules for all loaded rules libraries\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--dump-defaults</strong>: [<module prefix>] output module defaults in Lua format { (optional) }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--dump-rule-deps</strong>: dump rule dependencies in json format for use by other tools\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--dump-rule-meta</strong>: dump configured rule info in json format for use by other tools\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--dump-rule-state</strong>: dump configured rule state in json format for use by other tools\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--dump-version</strong>: output the version, the whole version, and only the version\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--enable-inline-test</strong>: enable Inline-Test Mode Operation\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--gen-msg-map</strong>: dump configured rules in gen-msg.map format for use by other tools\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--help</strong>: list command line options\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--help-commands</strong>: [<module prefix>] output matching commands { (optional) }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--help-config</strong>: [<module prefix>] output matching config options { (optional) }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--help-counts</strong>: [<module prefix>] output matching peg counts { (optional) }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--help-limits</strong>: print the int upper bounds denoted by max*\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--help-module</strong>: <module> output description of given module\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--help-modules</strong>: list all available modules with brief help\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--help-options</strong>: [<option prefix>] output matching command line option quick help (same as -?) { (optional) }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--help-plugins</strong>: list all available plugins with brief help\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--help-signals</strong>: dump available control signals\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>snort.--id-offset</strong> = 0: offset to add to instance IDs when logging to files { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--id-subdir</strong>: create/use instance subdirectories in logdir instead of instance filename prefix\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--id-zero</strong>: use id prefix / subdirectory even with one packet thread\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--ignore-warn-flowbits</strong>: ignore warnings about flowbits that are checked but not set and vice-versa\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--ignore-warn-rules</strong>: ignore warnings about duplicate rules and rule parsing issues\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--include-path</strong>: <path> where to find Lua and rule included files; searched before current or config directories\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--list-buffers</strong>: output available inspection buffers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--list-builtin</strong>: [<module prefix>] output matching builtin rules { (optional) }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--list-gids</strong>: [<module prefix>] output matching generators { (optional) }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--list-modules</strong>: [<module type>] list all known modules of given type { (optional) }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--list-plugins</strong>: list all known plugins\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--lua</strong>: <chunk> extend/override conf with chunk; may be repeated\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>snort.--logid</strong>: <0xid> log Identifier to uniquely id events for multiple snorts (same as -G) { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--markup</strong>: output help in asciidoc compatible format\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>snort.--max-packet-threads</strong>: <count> configure maximum number of packet threads (same as -z) { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--mem-check</strong>: like -T but also compile search engines\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--metadata-filter</strong>: <filter> load only rules containing filter string in metadata if set\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--nostamps</strong>: don’t include timestamps in log file names\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--nolock-pidfile</strong>: do not try to lock Snort PID file\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--pause</strong>: wait for resume/quit command before processing packets/terminating\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--pcap-file</strong>: <file> file that contains a list of pcaps to read - read mode is implied\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--pcap-list</strong>: <list> a space separated list of pcaps to read - read mode is implied\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--pcap-dir</strong>: <dir> a directory to recurse to look for pcaps - read mode is implied\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--pcap-filter</strong> = <strong>.*cap</strong>: <filter> filter to apply when getting pcaps from file or directory\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>snort.--pcap-loop</strong>: <count> read all pcaps <count> times; 0 will read until Snort is terminated { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--pcap-no-filter</strong>: reset to use no filter when getting pcaps from file or directory\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--pcap-show</strong>: print a line saying what pcap is currently being read\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--pedantic</strong>: warnings are fatal\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--plugin-path</strong>: <path> a colon separated list of directories or plugin libraries\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--process-all-events</strong>: process all action groups\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--rule</strong>: <rules> to be added to configuration; may be repeated\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--rule-path</strong>: <path> where to find rules files\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--rule-to-hex</strong>: output so rule header to stdout for text rule on stdin\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--rule-to-text</strong>: output plain so rule header to stdout for text rule on stdin (specify delimiter or [Snort_SO_Rule] will be used) { 16 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--run-prefix</strong>: <pfx> prepend this to each output file\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--script-path</strong>: <path> to a luajit script or directory containing luajit scripts\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--shell</strong>: enable the interactive command line\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--show-file-codes</strong>: indicate how files are located: A=absolute and W, F, C which are relative to the working directory, including file, and config file respectively\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--show-plugins</strong>: list module and plugin versions\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>snort.--skip</strong>: <n> skip 1st n packets { 0:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>snort.--snaplen</strong> = 1518: <snap> set snaplen of packet (same as -s) { 68:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--stdin-rules</strong>: read rules from stdin until EOF or a line starting with END is read\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--talos</strong>: enable Talos tweak (same as --tweaks talos)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--treat-drop-as-alert</strong>: converts drop, block, and reset rules into alert rules when loaded\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--treat-drop-as-ignore</strong>: use drop, block, and reset rules to ignore session traffic when not inline\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--tweaks</strong>: tune configuration\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--version</strong>: show version number (same as -V)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--warn-all</strong>: enable all warnings\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--warn-conf</strong>: warn about configuration issues\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--warn-conf-strict</strong>: warn about unrecognized elements in configuration files\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--warn-daq</strong>: warn about DAQ issues, usually related to mode\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--warn-flowbits</strong>: warn about flowbits that are checked but not set and vice-versa\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--warn-hosts</strong>: warn about host table issues\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--warn-plugins</strong>: warn about issues that prevent plugins from loading\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--warn-rules</strong>: warn about duplicate rules and rule parsing issues\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--warn-scripts</strong>: warn about issues discovered while processing Lua scripts\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--warn-symbols</strong>: warn about unknown symbols in your Lua config\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--warn-vars</strong>: warn about variable definition and usage issues\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>snort.--x2c</strong>: output ASCII char for given hex (see also --c2x) { 0x00:0xFF }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--x2s</strong>: output ASCII string for given byte code (see also --x2c)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--trace</strong>: turn on main loop debug trace\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Commands:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>snort.show_plugins</strong>(): show available plugins\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.delete_inspector</strong>(inspector): delete an inspector from the default policy\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.dump_stats</strong>(): show summary statistics\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.rotate_stats</strong>(): roll perfmonitor log files\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.reload_config</strong>(filename): load new configuration\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.reload_policy</strong>(filename): reload part or all of the default policy\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.reload_module</strong>(module): reload module\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.reload_daq</strong>(): reload daq module\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.reload_hosts</strong>(filename): load a new hosts table\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.pause</strong>(): suspend packet processing\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.resume</strong>(pkt_num): continue packet processing. If number of packet is specified, will resume for n packets and pause\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.detach</strong>(): exit shell w/o shutdown\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.quit</strong>(): shutdown and dump-stats\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.help</strong>(): this output\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>snort.local_commands</strong>: total local commands processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.remote_commands</strong>: total remote commands processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.signals</strong>: total signals processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.conf_reloads</strong>: number of times configuration was reloaded (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.policy_reloads</strong>: number of times policies were reloaded (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.inspector_deletions</strong>: number of times inspectors were deleted (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.daq_reloads</strong>: number of times daq configuration was reloaded (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.attribute_table_reloads</strong>: number of times hosts attribute table was reloaded (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.attribute_table_hosts</strong>: number of hosts added to the attribute table (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.attribute_table_overflow</strong>: number of host additions that failed due to attribute table full (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_suppress">suppress</h3>\r
-<div class="paragraph"><p>What: configure event suppressions</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong><code>suppress[].gid</code></strong> = 0: rule generator ID { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>suppress[].sid</code></strong> = 0: rule signature ID { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong><code>suppress[].track</code></strong>: suppress only matching source or destination addresses { by_src | by_dst }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>suppress[].ip</code></strong>: restrict suppression to these addresses according to track\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_trace_2">trace</h3>\r
-<div class="paragraph"><p>What: configure trace log messages</p></div>\r
-<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.latency.all</strong>: enable all trace options { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.detection.all</strong>: enable all trace options { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.detection.detect_engine</strong>: enable detection engine trace logging { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.detection.rule_eval</strong>: enable rule evaluation trace logging { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.detection.buffer</strong>: enable buffer trace logging { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.detection.rule_vars</strong>: enable rule variables trace logging { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.detection.fp_search</strong>: enable fast pattern search trace logging { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.detection.pkt_detect</strong>: enable packet detection trace logging { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.detection.opt_tree</strong>: enable tree option trace logging { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.detection.tag</strong>: enable tag trace logging { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.stream.all</strong>: enable all trace options { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.gtp_inspect.all</strong>: enable all trace options { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.stream_user.all</strong>: enable all trace options { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.dce_smb.all</strong>: enable all trace options { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.decode.all</strong>: enable all trace options { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.dce_udp.all</strong>: enable all trace options { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.appid.all</strong>: enable all trace options { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.snort.all</strong>: enable all trace options { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.snort.main</strong>: enable main trace logging { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.snort.inspector_manager</strong>: enable inspector manager trace logging { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.stream_ip.all</strong>: enable all trace options { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.wizard.all</strong>: enable all trace options { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.constraints.ip_proto</strong>: numerical IP protocol ID filter { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>trace.constraints.src_ip</strong>: source IP address filter\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.constraints.src_port</strong>: source port filter { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>trace.constraints.dst_ip</strong>: destination IP address filter\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.constraints.dst_port</strong>: destination port filter { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>trace.constraints.match</strong> = true: use constraints to filter traces\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>trace.output</strong>: output method for trace log messages { stdout | syslog }\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Commands:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>trace.set</strong>(modules, constraints): set modules traces and constraints\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>trace.clear</strong>(): clear modules traces and constraints\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-</div>\r
-</div>\r
-<div class="sect1">\r
-<h2 id="_codec_modules">Codec Modules</h2>\r
-<div class="sectionbody">\r
-<div class="paragraph"><p>Codec is short for coder / decoder. These modules are used for basic\r
-protocol decoding, anomaly detection, and construction of active responses.</p></div>\r
-<div class="sect2">\r
-<h3 id="_arp">arp</h3>\r
-<div class="paragraph"><p>What: support for address resolution protocol</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>116:109</strong> (arp) truncated ARP\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_auth">auth</h3>\r
-<div class="paragraph"><p>What: support for IP authentication header</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>116:465</strong> (auth) truncated authentication header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:466</strong> (auth) bad authentication header length\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_ciscometadata">ciscometadata</h3>\r
-<div class="paragraph"><p>What: support for cisco metadata</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>116:468</strong> (ciscometadata) truncated Cisco Metadata header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:469</strong> (ciscometadata) invalid Cisco Metadata option length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:470</strong> (ciscometadata) invalid Cisco Metadata option type\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:471</strong> (ciscometadata) invalid Cisco Metadata security group tag\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>ciscometadata.truncated_hdr</strong>: total truncated Cisco Metadata headers (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ciscometadata.invalid_hdr_ver</strong>: total invalid Cisco Metadata header versions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ciscometadata.invalid_hdr_len</strong>: total invalid Cisco Metadata header lengths (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ciscometadata.invalid_opt_len</strong>: total invalid Cisco Metadata option lengths (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ciscometadata.invalid_opt_type</strong>: total invalid Cisco Metadata option types (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ciscometadata.invalid_sgt</strong>: total invalid Cisco Metadata security group tags (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_eapol">eapol</h3>\r
-<div class="paragraph"><p>What: support for extensible authentication protocol over LAN</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>116:110</strong> (eapol) truncated EAP header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:111</strong> (eapol) EAP key truncated\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:112</strong> (eapol) EAP header truncated\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_erspan2">erspan2</h3>\r
-<div class="paragraph"><p>What: support for encapsulated remote switched port analyzer - type 2</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>116:462</strong> (erspan2) ERSpan header version mismatch\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:463</strong> (erspan2) captured length < ERSpan type2 header length\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_erspan3">erspan3</h3>\r
-<div class="paragraph"><p>What: support for encapsulated remote switched port analyzer - type 3</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>116:464</strong> (erspan3) captured < ERSpan type3 header length\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_esp">esp</h3>\r
-<div class="paragraph"><p>What: support for encapsulating security payload</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-bool <strong>esp.decode_esp</strong> = false: enable for inspection of esp traffic that has authentication but not encryption\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>116:294</strong> (esp) truncated encapsulated security payload header\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_eth">eth</h3>\r
-<div class="paragraph"><p>What: support for ethernet protocol (DLT 1) (DLT 51)</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>116:424</strong> (eth) truncated ethernet header\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_fabricpath">fabricpath</h3>\r
-<div class="paragraph"><p>What: support for fabricpath</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>116:467</strong> (fabricpath) truncated FabricPath header\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_gre">gre</h3>\r
-<div class="paragraph"><p>What: support for generic routing encapsulation</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>116:160</strong> (gre) GRE header length > payload length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:161</strong> (gre) multiple encapsulations in packet\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:162</strong> (gre) invalid GRE version\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:163</strong> (gre) invalid GRE header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:164</strong> (gre) invalid GRE v.1 PPTP header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:165</strong> (gre) GRE trans header length > payload length\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_gtp">gtp</h3>\r
-<div class="paragraph"><p>What: support for general-packet-radio-service tunneling protocol</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>116:297</strong> (gtp) two or more GTP encapsulation layers present\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:298</strong> (gtp) GTP header length is invalid\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_icmp4">icmp4</h3>\r
-<div class="paragraph"><p>What: support for Internet control message protocol v4</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>116:105</strong> (icmp4) ICMP header truncated\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:106</strong> (icmp4) ICMP timestamp header truncated\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:107</strong> (icmp4) ICMP address header truncated\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:250</strong> (icmp4) ICMP original IP header truncated\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:251</strong> (icmp4) ICMP version and original IP header versions differ\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:252</strong> (icmp4) ICMP original datagram length < original IP header length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:253</strong> (icmp4) ICMP original IP payload < 64 bits\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:254</strong> (icmp4) ICMP original IP payload > 576 bytes\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:255</strong> (icmp4) ICMP original IP fragmented and offset not 0\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:415</strong> (icmp4) ICMP4 packet to multicast dest address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:416</strong> (icmp4) ICMP4 packet to broadcast dest address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:418</strong> (icmp4) ICMP4 type other\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:426</strong> (icmp4) truncated ICMP4 header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:434</strong> (icmp4) ICMP ping Nmap\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:435</strong> (icmp4) ICMP icmpenum v1.1.1\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:436</strong> (icmp4) ICMP redirect host\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:437</strong> (icmp4) ICMP redirect net\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:438</strong> (icmp4) ICMP traceroute ipopts\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:439</strong> (icmp4) ICMP source quench\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:440</strong> (icmp4) broadscan smurf scanner\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:441</strong> (icmp4) ICMP destination unreachable communication administratively prohibited\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:442</strong> (icmp4) ICMP destination unreachable communication with destination host is administratively prohibited\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:443</strong> (icmp4) ICMP destination unreachable communication with destination network is administratively prohibited\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:451</strong> (icmp4) ICMP path MTU denial of service attempt\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:452</strong> (icmp4) Linux ICMP header DOS attempt\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>icmp4.bad_checksum</strong>: non-zero icmp checksums (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>icmp4.checksum_bypassed</strong>: checksum calculations bypassed (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_icmp6">icmp6</h3>\r
-<div class="paragraph"><p>What: support for Internet control message protocol v6</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>116:285</strong> (icmp6) ICMPv6 packet of type 2 (message too big) with MTU field < 1280\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:286</strong> (icmp6) ICMPv6 packet of type 1 (destination unreachable) with non-RFC 2463 code\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:287</strong> (icmp6) ICMPv6 router solicitation packet with a code not equal to 0\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:288</strong> (icmp6) ICMPv6 router advertisement packet with a code not equal to 0\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:289</strong> (icmp6) ICMPv6 router solicitation packet with the reserved field not equal to 0\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:290</strong> (icmp6) ICMPv6 router advertisement packet with the reachable time field set > 1 hour\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:427</strong> (icmp6) truncated ICMPv6 header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:431</strong> (icmp6) ICMPv6 type not decoded\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:432</strong> (icmp6) ICMPv6 packet to multicast address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:457</strong> (icmp6) ICMPv6 packet of type 1 (destination unreachable) with non-RFC 4443 code\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:460</strong> (icmp6) ICMPv6 node info query/response packet with a code greater than 2\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:474</strong> (icmp6) ICMPv6 not encapsulated in IPv6\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>icmp6.bad_icmp6_checksum</strong>: nonzero icmp6 checksums (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>icmp6.checksum_bypassed</strong>: checksum calculations bypassed (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_igmp">igmp</h3>\r
-<div class="paragraph"><p>What: support for Internet group management protocol</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>116:455</strong> (igmp) DOS IGMP IP options validation attempt\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_ipv4">ipv4</h3>\r
-<div class="paragraph"><p>What: support for Internet protocol v4 (DLT 228)</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>116:1</strong> (ipv4) not IPv4 datagram\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:2</strong> (ipv4) IPv4 header length < minimum\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:3</strong> (ipv4) IPv4 datagram length < header field\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:4</strong> (ipv4) IPv4 options found with bad lengths\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:5</strong> (ipv4) truncated IPv4 options\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:6</strong> (ipv4) IPv4 datagram length > captured length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:404</strong> (ipv4) IPv4 packet with zero TTL\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:405</strong> (ipv4) IPv4 packet with bad frag bits (both MF and DF set)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:407</strong> (ipv4) IPv4 packet frag offset + length exceed maximum\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:408</strong> (ipv4) IPv4 packet from <em>current net</em> source address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:409</strong> (ipv4) IPv4 packet to <em>current net</em> dest address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:410</strong> (ipv4) IPv4 packet from multicast source address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:411</strong> (ipv4) IPv4 packet from reserved source address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:412</strong> (ipv4) IPv4 packet to reserved dest address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:413</strong> (ipv4) IPv4 packet from broadcast source address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:414</strong> (ipv4) IPv4 packet to broadcast dest address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:425</strong> (ipv4) truncated IPv4 header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:428</strong> (ipv4) IPv4 packet below TTL limit\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:430</strong> (ipv4) IPv4 packet both DF and offset set\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:444</strong> (ipv4) IPv4 option set\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:448</strong> (ipv4) IPv4 reserved bit set\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>ipv4.bad_checksum</strong>: nonzero ip checksums (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ipv4.checksum_bypassed</strong>: checksum calculations bypassed (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_ipv6">ipv6</h3>\r
-<div class="paragraph"><p>What: support for Internet protocol v6 (DLT 229)</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>116:270</strong> (ipv6) IPv6 packet below TTL limit\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:271</strong> (ipv6) IPv6 header claims to not be IPv6\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:272</strong> (ipv6) IPv6 truncated extension header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:273</strong> (ipv6) IPv6 truncated header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:274</strong> (ipv6) IPv6 datagram length < header field\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:275</strong> (ipv6) IPv6 datagram length > captured length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:276</strong> (ipv6) IPv6 packet with destination address ::0\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:277</strong> (ipv6) IPv6 packet with multicast source address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:278</strong> (ipv6) IPv6 packet with reserved multicast destination address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:279</strong> (ipv6) IPv6 header includes an undefined option type\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:280</strong> (ipv6) IPv6 address includes an unassigned multicast scope value\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:281</strong> (ipv6) IPv6 header includes an invalid value for the <em>next header</em> field\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:282</strong> (ipv6) IPv6 header includes a routing extension header followed by a hop-by-hop header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:283</strong> (ipv6) IPv6 header includes two routing extension headers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:291</strong> (ipv6) IPV6 tunneled over IPv4, IPv6 header truncated, possible Linux kernel attack\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:292</strong> (ipv6) IPv6 header has destination options followed by a routing header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:295</strong> (ipv6) IPv6 header includes an option which is too big for the containing header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:296</strong> (ipv6) IPv6 packet includes out-of-order extension headers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:429</strong> (ipv6) IPv6 packet has zero hop limit\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:453</strong> (ipv6) ISATAP-addressed IPv6 traffic spoofing attempt\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:456</strong> (ipv6) too many IPv6 extension headers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:458</strong> (ipv6) bogus fragmentation packet, possible BSD attack\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:461</strong> (ipv6) IPv6 routing type 0 extension header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:475</strong> (ipv6) IPv6 mobility header includes an invalid value for the <em>payload protocol</em> field\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_llc">llc</h3>\r
-<div class="paragraph"><p>What: support for logical link control</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>116:131</strong> (llc) bad LLC header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:132</strong> (llc) bad extra LLC info\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_mpls">mpls</h3>\r
-<div class="paragraph"><p>What: support for multiprotocol label switching</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-bool <strong>mpls.enable_mpls_multicast</strong> = false: enables support for MPLS multicast\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>mpls.enable_mpls_overlapping_ip</strong> = false: enable if private network addresses overlap and must be differentiated by MPLS label(s)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>mpls.max_mpls_stack_depth</strong> = -1: set MPLS stack depth { -1:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>mpls.mpls_payload_type</strong> = ip4: set encapsulated payload type { eth | ip4 | ip6 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>116:170</strong> (mpls) bad MPLS frame\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:171</strong> (mpls) MPLS label 0 appears in non-bottom header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:172</strong> (mpls) MPLS label 1 appears in bottom header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:173</strong> (mpls) MPLS label 2 appears in non-bottom header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:174</strong> (mpls) MPLS label 3 appears in header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:175</strong> (mpls) MPLS label 4, 5,.. or 15 appears in header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:176</strong> (mpls) too many MPLS headers\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>mpls.total_packets</strong>: total mpls labeled packets processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>mpls.total_bytes</strong>: total mpls labeled bytes processed (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_pbb">pbb</h3>\r
-<div class="paragraph"><p>What: support for 802.1ah protocol</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>116:424</strong> (pbb) truncated ethernet header\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_pgm">pgm</h3>\r
-<div class="paragraph"><p>What: support for pragmatic general multicast</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>116:454</strong> (pgm) PGM nak list overflow attempt\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_pppoe">pppoe</h3>\r
-<div class="paragraph"><p>What: support for point-to-point protocol over ethernet</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>116:120</strong> (pppoe) bad PPPOE frame detected\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_tcp_2">tcp</h3>\r
-<div class="paragraph"><p>What: support for transmission control protocol</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>116:45</strong> (tcp) TCP packet length is smaller than 20 bytes\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:46</strong> (tcp) TCP data offset is less than 5\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:47</strong> (tcp) TCP header length exceeds packet length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:54</strong> (tcp) TCP options found with bad lengths\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:55</strong> (tcp) truncated TCP options\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:56</strong> (tcp) T/TCP detected\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:57</strong> (tcp) obsolete TCP options found\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:58</strong> (tcp) experimental TCP options found\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:59</strong> (tcp) TCP window scale option found with length > 14\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:400</strong> (tcp) XMAS attack detected\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:401</strong> (tcp) Nmap XMAS attack detected\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:402</strong> (tcp) DOS NAPTHA vulnerability detected\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:403</strong> (tcp) SYN to multicast address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:419</strong> (tcp) TCP urgent pointer exceeds payload length or no payload\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:420</strong> (tcp) TCP SYN with FIN\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:421</strong> (tcp) TCP SYN with RST\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:422</strong> (tcp) TCP PDU missing ack for established session\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:423</strong> (tcp) TCP has no SYN, ACK, or RST\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:433</strong> (tcp) DDOS shaft SYN flood\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:446</strong> (tcp) TCP port 0 traffic\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>tcp.bad_tcp4_checksum</strong>: nonzero tcp over ip checksums (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>tcp.bad_tcp6_checksum</strong>: nonzero tcp over ipv6 checksums (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>tcp.checksum_bypassed</strong>: checksum calculations bypassed (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_token_ring">token_ring</h3>\r
-<div class="paragraph"><p>What: support for token ring decoding</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>116:140</strong> (token_ring) bad Token Ring header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:141</strong> (token_ring) bad Token Ring ETHLLC header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:142</strong> (token_ring) bad Token Ring MRLEN header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:143</strong> (token_ring) bad Token Ring MR header\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_udp_2">udp</h3>\r
-<div class="paragraph"><p>What: support for user datagram protocol</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-bool <strong>udp.deep_teredo_inspection</strong> = false: look for Teredo on all UDP ports (default is only 3544)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bit_list <strong>udp.gtp_ports</strong> = 2152 3386: set GTP ports { 65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bit_list <strong>udp.vxlan_ports</strong> = 4789: set VXLAN ports { 65535 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>116:95</strong> (udp) truncated UDP header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:96</strong> (udp) invalid UDP header, length field < 8\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:97</strong> (udp) short UDP packet, length field > payload length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:98</strong> (udp) long UDP packet, length field < payload length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:406</strong> (udp) invalid IPv6 UDP packet, checksum zero\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:445</strong> (udp) large UDP packet (> 4000 bytes)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:447</strong> (udp) UDP port 0 traffic\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>udp.bad_udp4_checksum</strong>: nonzero udp over ipv4 checksums (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>udp.bad_udp6_checksum</strong>: nonzero udp over ipv6 checksums (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>udp.checksum_bypassed</strong>: checksum calculations bypassed (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_vlan">vlan</h3>\r
-<div class="paragraph"><p>What: support for local area network</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>116:130</strong> (vlan) bad VLAN frame\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_wlan">wlan</h3>\r
-<div class="paragraph"><p>What: support for wireless local area network protocol (DLT 105)</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>116:133</strong> (wlan) bad 802.11 LLC header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:134</strong> (wlan) bad 802.11 extra LLC info\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-</div>\r
-</div>\r
-<div class="sect1">\r
-<h2 id="_connector_modules">Connector Modules</h2>\r
-<div class="sectionbody">\r
-<div class="paragraph"><p>Connectors support High Availability communication links.</p></div>\r
-<div class="sect2">\r
-<h3 id="_file_connector">file_connector</h3>\r
-<div class="paragraph"><p>What: implement the file based connector</p></div>\r
-<div class="paragraph"><p>Type: connector</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>file_connector.connector</strong>: connector name\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>file_connector.name</strong>: channel name\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>file_connector.format</strong>: file format { binary | text }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>file_connector.direction</strong>: usage { receive | transmit | duplex }\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>file_connector.messages</strong>: total messages (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_tcp_connector">tcp_connector</h3>\r
-<div class="paragraph"><p>What: implement the tcp stream connector</p></div>\r
-<div class="paragraph"><p>Type: connector</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>tcp_connector.connector</strong>: connector name\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>tcp_connector.address</strong>: address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-port <strong>tcp_connector.base_port</strong>: base port number\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>tcp_connector.setup</strong>: stream establishment { call | answer }\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>tcp_connector.messages</strong>: total messages (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-</div>\r
-</div>\r
-<div class="sect1">\r
-<h2 id="_inspector_modules">Inspector Modules</h2>\r
-<div class="sectionbody">\r
-<div class="paragraph"><p>These modules perform a variety of functions, including analysis of\r
-protocols beyond basic decoding.</p></div>\r
-<div class="sect2">\r
-<h3 id="_appid_2">appid</h3>\r
-<div class="paragraph"><p>What: application and service identification</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>appid.memcap</strong> = 1048576: max size of the service cache before we start pruning the cache { 1024:maxSZ }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>appid.log_stats</strong> = false: enable logging of appid statistics\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>appid.app_stats_period</strong> = 300: time period for collecting and logging appid statistics { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>appid.app_stats_rollover_size</strong> = 20971520: max file size for appid stats before rolling over the log file { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>appid.app_detector_dir</strong>: directory to load appid detectors from\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>appid.list_odp_detectors</strong> = false: enable logging of odp detectors statistics\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>appid.tp_appid_path</strong>: path to third party appid dynamic library\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>appid.tp_appid_config</strong>: path to third party appid configuration file\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>appid.tp_appid_stats_enable</strong>: enable collection of stats and print stats on exit in third party module\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>appid.tp_appid_config_dump</strong>: print third party configuration on startup\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>appid.log_all_sessions</strong> = false: enable logging of all appid sessions\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>appid.load_odp_detectors_in_ctrl</strong> = false: load odp detectors in control thread\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Commands:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>appid.enable_debug</strong>(proto, src_ip, src_port, dst_ip, dst_port): enable appid debugging\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.disable_debug</strong>(): disable appid debugging\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.reload_third_party</strong>(): reload appid third-party module\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>appid.packets</strong>: count of packets received (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.processed_packets</strong>: count of packets processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.ignored_packets</strong>: count of packets ignored (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.total_sessions</strong>: count of sessions created (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.appid_unknown</strong>: count of sessions where appid could not be determined (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.service_cache_prunes</strong>: number of times the service cache was pruned (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.service_cache_adds</strong>: number of times an entry was added to the service cache (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.service_cache_removes</strong>: number of times an item was removed from the service cache (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_appid_listener">appid_listener</h3>\r
-<div class="paragraph"><p>What: log selected published data to appid_listener.log</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_arp_spoof">arp_spoof</h3>\r
-<div class="paragraph"><p>What: detect ARP attacks and anomalies</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-ip4 <strong><code>arp_spoof.hosts[].ip</code></strong>: host ip address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-mac <strong><code>arp_spoof.hosts[].mac</code></strong>: host mac address\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>112:1</strong> (arp_spoof) unicast ARP request\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>112:2</strong> (arp_spoof) ethernet/ARP mismatch request for source\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>112:3</strong> (arp_spoof) ethernet/ARP mismatch request for destination\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>112:4</strong> (arp_spoof) attempted ARP cache overwrite attack\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>arp_spoof.packets</strong>: total packets (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_back_orifice">back_orifice</h3>\r
-<div class="paragraph"><p>What: back orifice detection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>105:1</strong> (back_orifice) BO traffic detected\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>105:2</strong> (back_orifice) BO client traffic detected\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>105:3</strong> (back_orifice) BO server traffic detected\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>105:4</strong> (back_orifice) BO Snort buffer attack\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>back_orifice.packets</strong>: total packets (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_binder_2">binder</h3>\r
-<div class="paragraph"><p>What: configure processing based on CIDRs, ports, services, etc.</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong><code>binder[].when.ips_policy_id</code></strong> = 0: unique ID for selection of this config by external logic { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bit_list <strong><code>binder[].when.ifaces</code></strong>: list of interface indices { 255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bit_list <strong><code>binder[].when.vlans</code></strong>: list of VLAN IDs { 4095 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-addr_list <strong><code>binder[].when.nets</code></strong>: list of networks\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-addr_list <strong><code>binder[].when.src_nets</code></strong>: list of source networks\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-addr_list <strong><code>binder[].when.dst_nets</code></strong>: list of destination networks\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong><code>binder[].when.proto</code></strong>: protocol { any | ip | icmp | tcp | udp | user | file }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bit_list <strong><code>binder[].when.ports</code></strong>: list of ports { 65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bit_list <strong><code>binder[].when.src_ports</code></strong>: list of source ports { 65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bit_list <strong><code>binder[].when.dst_ports</code></strong>: list of destination ports { 65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bit_list <strong><code>binder[].when.zones</code></strong>: zones { 63 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bit_list <strong><code>binder[].when.src_zone</code></strong>: source zone { 63 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bit_list <strong><code>binder[].when.dst_zone</code></strong>: destination zone { 63 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong><code>binder[].when.role</code></strong> = any: use the given configuration on one or any end of a session { client | server | any }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>binder[].when.service</code></strong>: override default configuration\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong><code>binder[].use.action</code></strong> = inspect: what to do with matching traffic { reset | block | allow | inspect }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>binder[].use.file</code></strong>: use configuration in given file\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>binder[].use.inspection_policy</code></strong>: use inspection policy from given file\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>binder[].use.ips_policy</code></strong>: use ips policy from given file\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>binder[].use.service</code></strong>: override automatic service identification\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>binder[].use.type</code></strong>: select module for binding\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>binder[].use.name</code></strong>: symbol name (defaults to type)\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>binder.packets</strong>: initial bindings (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>binder.resets</strong>: reset bindings (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>binder.blocks</strong>: block bindings (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>binder.allows</strong>: allow bindings (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>binder.inspects</strong>: inspect bindings (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_cip">cip</h3>\r
-<div class="paragraph"><p>What: cip inspection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>cip.embedded_cip_path</strong> = false: check embedded CIP path\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>cip.unconnected_timeout</strong> = 300: unconnected timeout in seconds { 0:360 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>cip.max_cip_connections</strong> = 100: max cip connections { 1:10000 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>cip.max_unconnected_messages</strong> = 100: max unconnected cip messages { 1:10000 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>148:1</strong> (cip) CIP data is malformed.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>148:2</strong> (cip) CIP data is non-conforming to ODVA standard.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>148:3</strong> (cip) CIP connection limit exceeded. Least recently used connection removed.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>148:4</strong> (cip) CIP unconnected request limit exceeded. Oldest request removed.\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>cip.packets</strong>: total packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>cip.session</strong>: total sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>cip.concurrent_sessions</strong>: total concurrent SIP sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>cip.max_concurrent_sessions</strong>: maximum concurrent SIP sessions (max)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_data_log">data_log</h3>\r
-<div class="paragraph"><p>What: log selected published data to data.log</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-select <strong>data_log.key</strong> = http_request_header_event : name of the event to log { http_request_header_event | http_response_header_event }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>data_log.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0:max32 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>data_log.packets</strong>: total packets (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_dce_http_proxy">dce_http_proxy</h3>\r
-<div class="paragraph"><p>What: dce over http inspection - client to/from proxy</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>dce_http_proxy.http_proxy_sessions</strong>: successful http proxy sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_http_proxy.http_proxy_session_failures</strong>: failed http proxy sessions (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_dce_http_server">dce_http_server</h3>\r
-<div class="paragraph"><p>What: dce over http inspection - proxy to/from server</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>dce_http_server.http_server_sessions</strong>: successful http server sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_http_server.http_server_session_failures</strong>: failed http server sessions (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_dce_smb">dce_smb</h3>\r
-<div class="paragraph"><p>What: dce over smb inspection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-bool <strong>dce_smb.limit_alerts</strong> = true: limit DCE alert to at most one per signature per flow\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>dce_smb.disable_defrag</strong> = false: disable DCE/RPC defragmentation\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>dce_smb.max_frag_len</strong> = 65535: maximum fragment size for defragmentation { 1514:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>dce_smb.reassemble_threshold</strong> = 0: minimum bytes received before performing reassembly { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>dce_smb.smb_fingerprint_policy</strong> = none: target based SMB policy to use { none | client | server | both }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>dce_smb.policy</strong> = WinXP: target based policy to use { Win2000 | WinXP | WinVista | Win2003 | Win2008 | Win7 | Samba | Samba-3.0.37 | Samba-3.0.22 | Samba-3.0.20 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>dce_smb.smb_max_chain</strong> = 3: SMB max chain size { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>dce_smb.smb_max_compound</strong> = 3: SMB max compound size { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-multi <strong>dce_smb.valid_smb_versions</strong> = all: valid SMB versions { v1 | v2 | all }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>dce_smb.smb_file_inspection</strong>: deprecated (not used): file inspection controlled by smb_file_depth { off | on | only }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>dce_smb.smb_file_depth</strong> = 16384: SMB file depth for file data (-1 = disabled, 0 = unlimited) { -1:32767 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>dce_smb.smb_invalid_shares</strong>: SMB shares to alert on\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>dce_smb.smb_legacy_mode</strong> = false: inspect only SMBv1\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>dce_smb.smb_max_credit</strong> = 8192: Maximum number of outstanding request { 1:65536 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>dce_smb.memcap</strong> = 8388608: Memory utilization limit on smb { 512:maxSZ }\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>133:2</strong> (dce_smb) SMB - bad NetBIOS session service session type\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:3</strong> (dce_smb) SMB - bad SMB message type\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:4</strong> (dce_smb) SMB - bad SMB Id (not \xffSMB for SMB1 or not \xfeSMB for SMB2)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:5</strong> (dce_smb) SMB - bad word count or structure size\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:6</strong> (dce_smb) SMB - bad byte count\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:7</strong> (dce_smb) SMB - bad format type\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:8</strong> (dce_smb) SMB - bad offset\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:9</strong> (dce_smb) SMB - zero total data count\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:10</strong> (dce_smb) SMB - NetBIOS data length less than SMB header length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:11</strong> (dce_smb) SMB - remaining NetBIOS data length less than command length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:12</strong> (dce_smb) SMB - remaining NetBIOS data length less than command byte count\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:13</strong> (dce_smb) SMB - remaining NetBIOS data length less than command data size\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:14</strong> (dce_smb) SMB - remaining total data count less than this command data size\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:15</strong> (dce_smb) SMB - total data sent (STDu64) greater than command total data expected\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:16</strong> (dce_smb) SMB - byte count less than command data size (STDu64)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:17</strong> (dce_smb) SMB - invalid command data size for byte count\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:18</strong> (dce_smb) SMB - excessive tree connect requests with pending tree connect responses\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:19</strong> (dce_smb) SMB - excessive read requests with pending read responses\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:20</strong> (dce_smb) SMB - excessive command chaining\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:21</strong> (dce_smb) SMB - multiple chained tree connect requests\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:22</strong> (dce_smb) SMB - multiple chained tree connect requests\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:23</strong> (dce_smb) SMB - chained/compounded login followed by logoff\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:24</strong> (dce_smb) SMB - chained/compounded tree connect followed by tree disconnect\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:25</strong> (dce_smb) SMB - chained/compounded open pipe followed by close pipe\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:26</strong> (dce_smb) SMB - invalid share access\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:44</strong> (dce_smb) SMB - invalid SMB version 1 seen\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:45</strong> (dce_smb) SMB - invalid SMB version 2 seen\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:46</strong> (dce_smb) SMB - invalid user, tree connect, file binding\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:47</strong> (dce_smb) SMB - excessive command compounding\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:48</strong> (dce_smb) SMB - zero data count\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:50</strong> (dce_smb) SMB - maximum number of outstanding requests exceeded\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:51</strong> (dce_smb) SMB - outstanding requests with same MID\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:52</strong> (dce_smb) SMB - deprecated dialect negotiated\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:53</strong> (dce_smb) SMB - deprecated command used\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:54</strong> (dce_smb) SMB - unusual command used\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:55</strong> (dce_smb) SMB - invalid setup count for command\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:56</strong> (dce_smb) SMB - client attempted multiple dialect negotiations on session\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:57</strong> (dce_smb) SMB - client attempted to create or set a file’s attributes to readonly/hidden/system\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:58</strong> (dce_smb) SMB - file offset provided is greater than file size specified\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:59</strong> (dce_smb) SMB - next command specified in SMB2 header is beyond payload boundary\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>dce_smb.events</strong>: total events (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.pdus</strong>: total connection-oriented PDUs (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.binds</strong>: total connection-oriented binds (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.bind_acks</strong>: total connection-oriented binds acks (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.alter_contexts</strong>: total connection-oriented alter contexts (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.alter_context_responses</strong>: total connection-oriented alter context responses (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.bind_naks</strong>: total connection-oriented bind naks (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.requests</strong>: total connection-oriented requests (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.responses</strong>: total connection-oriented responses (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.cancels</strong>: total connection-oriented cancels (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.orphaned</strong>: total connection-oriented orphaned (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.faults</strong>: total connection-oriented faults (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.auth3s</strong>: total connection-oriented auth3s (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.shutdowns</strong>: total connection-oriented shutdowns (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.rejects</strong>: total connection-oriented rejects (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.ms_rpc_http_pdus</strong>: total connection-oriented MS requests to send RPC over HTTP (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.other_requests</strong>: total connection-oriented other requests (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.other_responses</strong>: total connection-oriented other responses (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.request_fragments</strong>: total connection-oriented request fragments (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.response_fragments</strong>: total connection-oriented response fragments (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.client_max_fragment_size</strong>: connection-oriented client maximum fragment size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.client_min_fragment_size</strong>: connection-oriented client minimum fragment size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.client_segs_reassembled</strong>: total connection-oriented client segments reassembled (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.client_frags_reassembled</strong>: total connection-oriented client fragments reassembled (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.server_max_fragment_size</strong>: connection-oriented server maximum fragment size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.server_min_fragment_size</strong>: connection-oriented server minimum fragment size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.server_segs_reassembled</strong>: total connection-oriented server segments reassembled (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.server_frags_reassembled</strong>: total connection-oriented server fragments reassembled (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.sessions</strong>: total smb sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.packets</strong>: total smb packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.ignored_bytes</strong>: total ignored bytes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.smb_client_segs_reassembled</strong>: total smb client segments reassembled (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.smb_server_segs_reassembled</strong>: total smb server segments reassembled (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.max_outstanding_requests</strong>: total smb maximum outstanding requests (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.files_processed</strong>: total smb files processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_setup</strong>: total number of SMBv2 setup packets seen (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_setup_err_resp</strong>: total number of SMBv2 setup error response packets seen (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_setup_inv_str_sz</strong>: total number of SMBv2 setup packets seen with invalid structure size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_setup_resp_hdr_err</strong>: total number of SMBv2 setup response packets ignored due to corrupted header (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_tree_cnct</strong>: total number of SMBv2 tree connect packets seen (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_tree_cnct_err_resp</strong>: total number of SMBv2 tree connect error response packets seen (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_tree_cnct_ignored</strong>: total number of SMBv2 setup response packets ignored due to failure in creating tree tracker (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_tree_cnct_inv_str_sz</strong>: total number of SMBv2 tree connect packets seen with invalid structure size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_tree_cnct_resp_hdr_err</strong>: total number of SMBv2 tree connect response packets ignored due to corrupted header (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_crt</strong>: total number of SMBv2 create packets seen (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_crt_err_resp</strong>: total number of SMBv2 create error response packets seen (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_crt_inv_file_data</strong>: total number of SMBv2 create request packets ignored due to error in getting file name (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_crt_inv_str_sz</strong>: total number of SMBv2 create packets seen with invalid structure size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_crt_resp_hdr_err</strong>: total number of SMBv2 create response packets ignored due to corrupted header (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_crt_req_hdr_err</strong>: total number of SMBv2 create request packets ignored due to corrupted header (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_crt_rtrkr_misng</strong>: total number of SMBv2 create response packets ignored due to missing create request tracker (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_crt_req_ipc</strong>: total number of SMBv2 create request packets ignored as share type is IPC (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_crt_tree_trkr_misng</strong>: total number of SMBv2 create response packets ignored due to missing tree tracker (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_wrt</strong>: total number of SMBv2 write packets seen (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_wrt_err_resp</strong>: total number of SMBv2 write error response packets seen (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_wrt_ignored</strong>: total number of SMBv2 write packets ignored due to missing trackers or invalid share type (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_wrt_inv_str_sz</strong>: total number of SMBv2 write packets seen with invalid structure size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_wrt_req_hdr_err</strong>: total number of SMBv2 write request packets ignored due to corrupted header (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_read</strong>: total number of SMBv2 read packets seen (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_read_err_resp</strong>: total number of SMBv2 read error response packets seen (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_read_ignored</strong>: total number of SMBv2 write packets ignored due to missing trackers or invalid share type (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_read_inv_str_sz</strong>: total number of SMBv2 read packets seen with invalid structure size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_read_rtrkr_misng</strong>: total number of SMBv2 read response packets ignored due to missing read request tracker (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_read_resp_hdr_err</strong>: total number of SMBv2 read response packets ignored due to corrupted header (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_read_req_hdr_err</strong>: total number of SMBv2 read request packets ignored due to corrupted header (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_stinf</strong>: total number of SMBv2 set info packets seen (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_stinf_err_resp</strong>: total number of SMBv2 set info error response packets seen (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_stinf_ignored</strong>: total number of SMBv2 set info packets ignored due to missing trackers or invalid share type (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_stinf_inv_str_sz</strong>: total number of SMBv2 set info packets seen with invalid structure size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_stinf_req_ftrkr_misng</strong>: total number of SMBv2 set info request packets ignored due to missing file tracker (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_stinf_req_hdr_err</strong>: total number of SMBv2 set info request packets ignored due to corrupted header (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_cls</strong>: total number of SMBv2 close packets seen (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_cls_err_resp</strong>: total number of SMBv2 close error response packets seen (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_cls_ignored</strong>: total number of SMBv2 close packets ignored due to missing trackers or invalid share type (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_cls_inv_str_sz</strong>: total number of SMBv2 close packets seen with invalid structure size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_cls_req_ftrkr_misng</strong>: total number of SMBv2 close request packets ignored due to missing file tracker (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_cls_req_hdr_err</strong>: total number of SMBv2 close request packets ignored due to corrupted header (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_tree_discn</strong>: total number of SMBv2 tree disconnect packets seen (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_tree_discn_ignored</strong>: total number of SMBv2 tree disconnect packets ignored due to missing trackers or invalid share type (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_tree_discn_inv_str_sz</strong>: total number of SMBv2 tree disconnect packets seen with invalid structure size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_tree_discn_req_hdr_err</strong>: total number of SMBv2 tree disconnect request packets ignored due to corrupted header (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_logoff</strong>: total number of SMBv2 logoff (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_logoff_inv_str_sz</strong>: total number of SMBv2 logoff packets seen with invalid structure size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_hdr_err</strong>: total number of SMBv2 packets seen with corrupted hdr (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_bad_next_cmd_offset</strong>: total number of SMBv2 packets seen with invalid next command offset (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_extra_file_data_err</strong>: total number of SMBv2 packets seen with where file data beyond file size is observed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_inv_file_ctx_err</strong>: total number of times null file context are seen resulting in not being able to set file size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_msgs_uninspected</strong>: total number of SMBv2 packets seen where command is not being inspected (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_cmpnd_req_lt_crossed</strong>: total number of SMBv2 packets seen where compound requests exceed the smb_max_compound limit (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.concurrent_sessions</strong>: total concurrent sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.max_concurrent_sessions</strong>: maximum concurrent sessions (max)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_dce_tcp">dce_tcp</h3>\r
-<div class="paragraph"><p>What: dce over tcp inspection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-bool <strong>dce_tcp.limit_alerts</strong> = true: limit DCE alert to at most one per signature per flow\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>dce_tcp.disable_defrag</strong> = false: disable DCE/RPC defragmentation\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>dce_tcp.max_frag_len</strong> = 65535: maximum fragment size for defragmentation { 1514:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>dce_tcp.reassemble_threshold</strong> = 0: minimum bytes received before performing reassembly { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>dce_tcp.policy</strong> = WinXP: target based policy to use { Win2000 | WinXP | WinVista | Win2003 | Win2008 | Win7 | Samba | Samba-3.0.37 | Samba-3.0.22 | Samba-3.0.20 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>133:27</strong> (dce_tcp) connection oriented DCE/RPC - invalid major version\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:28</strong> (dce_tcp) connection oriented DCE/RPC - invalid minor version\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:29</strong> (dce_tcp) connection-oriented DCE/RPC - invalid PDU type\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:30</strong> (dce_tcp) connection-oriented DCE/RPC - fragment length less than header size\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:31</strong> (dce_tcp) connection-oriented DCE/RPC - remaining fragment length less than size needed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:32</strong> (dce_tcp) connection-oriented DCE/RPC - no context items specified\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:33</strong> (dce_tcp) connection-oriented DCE/RPC -no transfer syntaxes specified\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:34</strong> (dce_tcp) connection-oriented DCE/RPC - fragment length on non-last fragment less than maximum negotiated fragment transmit size for client\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:35</strong> (dce_tcp) connection-oriented DCE/RPC - fragment length greater than maximum negotiated fragment transmit size\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:36</strong> (dce_tcp) connection-oriented DCE/RPC - alter context byte order different from bind\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:37</strong> (dce_tcp) connection-oriented DCE/RPC - call id of non first/last fragment different from call id established for fragmented request\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:38</strong> (dce_tcp) connection-oriented DCE/RPC - opnum of non first/last fragment different from opnum established for fragmented request\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:39</strong> (dce_tcp) connection-oriented DCE/RPC - context id of non first/last fragment different from context id established for fragmented request\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.events</strong>: total events (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.pdus</strong>: total connection-oriented PDUs (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.binds</strong>: total connection-oriented binds (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.bind_acks</strong>: total connection-oriented binds acks (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.alter_contexts</strong>: total connection-oriented alter contexts (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.alter_context_responses</strong>: total connection-oriented alter context responses (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.bind_naks</strong>: total connection-oriented bind naks (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.requests</strong>: total connection-oriented requests (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.responses</strong>: total connection-oriented responses (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.cancels</strong>: total connection-oriented cancels (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.orphaned</strong>: total connection-oriented orphaned (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.faults</strong>: total connection-oriented faults (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.auth3s</strong>: total connection-oriented auth3s (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.shutdowns</strong>: total connection-oriented shutdowns (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.rejects</strong>: total connection-oriented rejects (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.ms_rpc_http_pdus</strong>: total connection-oriented MS requests to send RPC over HTTP (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.other_requests</strong>: total connection-oriented other requests (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.other_responses</strong>: total connection-oriented other responses (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.request_fragments</strong>: total connection-oriented request fragments (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.response_fragments</strong>: total connection-oriented response fragments (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.client_max_fragment_size</strong>: connection-oriented client maximum fragment size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.client_min_fragment_size</strong>: connection-oriented client minimum fragment size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.client_segs_reassembled</strong>: total connection-oriented client segments reassembled (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.client_frags_reassembled</strong>: total connection-oriented client fragments reassembled (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.server_max_fragment_size</strong>: connection-oriented server maximum fragment size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.server_min_fragment_size</strong>: connection-oriented server minimum fragment size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.server_segs_reassembled</strong>: total connection-oriented server segments reassembled (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.server_frags_reassembled</strong>: total connection-oriented server fragments reassembled (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.tcp_sessions</strong>: total tcp sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.tcp_expected_sessions</strong>: total tcp dynamic endpoint expected sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.tcp_expected_realized</strong>: total tcp dynamic endpoint expected realized sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.tcp_packets</strong>: total tcp packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.concurrent_sessions</strong>: total concurrent sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.max_concurrent_sessions</strong>: maximum concurrent sessions (max)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_dce_udp">dce_udp</h3>\r
-<div class="paragraph"><p>What: dce over udp inspection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-bool <strong>dce_udp.limit_alerts</strong> = true: limit DCE alert to at most one per signature per flow\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>dce_udp.disable_defrag</strong> = false: disable DCE/RPC defragmentation\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>dce_udp.max_frag_len</strong> = 65535: maximum fragment size for defragmentation { 1514:65535 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>133:40</strong> (dce_udp) connection-less DCE/RPC - invalid major version\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:41</strong> (dce_udp) connection-less DCE/RPC - invalid PDU type\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:42</strong> (dce_udp) connection-less DCE/RPC - data length less than header size\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:43</strong> (dce_udp) connection-less DCE/RPC - bad sequence number\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>dce_udp.events</strong>: total events (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.udp_sessions</strong>: total udp sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.udp_packets</strong>: total udp packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.requests</strong>: total connection-less requests (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.acks</strong>: total connection-less acks (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.cancels</strong>: total connection-less cancels (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.client_facks</strong>: total connection-less client facks (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.ping</strong>: total connection-less ping (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.responses</strong>: total connection-less responses (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.rejects</strong>: total connection-less rejects (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.cancel_acks</strong>: total connection-less cancel acks (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.server_facks</strong>: total connection-less server facks (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.faults</strong>: total connection-less faults (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.no_calls</strong>: total connection-less no calls (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.working</strong>: total connection-less working (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.other_requests</strong>: total connection-less other requests (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.other_responses</strong>: total connection-less other responses (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.fragments</strong>: total connection-less fragments (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.max_fragment_size</strong>: connection-less maximum fragment size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.frags_reassembled</strong>: total connection-less fragments reassembled (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.max_seqnum</strong>: max connection-less seqnum (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.concurrent_sessions</strong>: total concurrent sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.max_concurrent_sessions</strong>: maximum concurrent sessions (max)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_dnp3">dnp3</h3>\r
-<div class="paragraph"><p>What: dnp3 inspection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-bool <strong>dnp3.check_crc</strong> = false: validate checksums in DNP3 link layer frames\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>145:1</strong> (dnp3) DNP3 link-layer frame contains bad CRC\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>145:2</strong> (dnp3) DNP3 link-layer frame was dropped\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>145:3</strong> (dnp3) DNP3 transport-layer segment was dropped during reassembly\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>145:4</strong> (dnp3) DNP3 reassembly buffer was cleared without reassembling a complete message\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>145:5</strong> (dnp3) DNP3 link-layer frame uses a reserved address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>145:6</strong> (dnp3) DNP3 application-layer fragment uses a reserved function code\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>dnp3.total_packets</strong>: total packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dnp3.udp_packets</strong>: total udp packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dnp3.tcp_pdus</strong>: total tcp pdus (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dnp3.dnp3_link_layer_frames</strong>: total dnp3 link layer frames (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dnp3.dnp3_application_pdus</strong>: total dnp3 application pdus (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dnp3.concurrent_sessions</strong>: total concurrent dnp3 sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dnp3.max_concurrent_sessions</strong>: maximum concurrent dnp3 sessions (max)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_dns">dns</h3>\r
-<div class="paragraph"><p>What: dns inspection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>131:1</strong> (dns) obsolete DNS RR types\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>131:2</strong> (dns) experimental DNS RR types\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>131:3</strong> (dns) DNS client rdata txt overflow\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>dns.packets</strong>: total packets processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dns.requests</strong>: total dns requests (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dns.responses</strong>: total dns responses (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dns.concurrent_sessions</strong>: total concurrent dns sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dns.max_concurrent_sessions</strong>: maximum concurrent dns sessions (max)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_domain_filter">domain_filter</h3>\r
-<div class="paragraph"><p>What: alert on configured HTTP domains</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>domain_filter.file</strong>: file with list of domains identifying hosts to be filtered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>domain_filter.hosts</strong>: list of domains identifying hosts to be filtered\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>175:1</strong> (domain_filter) configured domain detected\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>domain_filter.checked</strong>: domains checked (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>domain_filter.filtered</strong>: domains filtered (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_dpx">dpx</h3>\r
-<div class="paragraph"><p>What: dynamic inspector example</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-port <strong>dpx.port</strong>: port to check\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>dpx.max</strong> = 0: maximum payload before alert { 0:65535 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>256:1</strong> (dpx) too much data sent to port\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>dpx.packets</strong>: total packets (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_file_id">file_id</h3>\r
-<div class="paragraph"><p>What: configure file identification</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>file_id.type_depth</strong> = 1460: stop type ID at this point { 0:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>file_id.signature_depth</strong> = 10485760: stop signature at this point { 0:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>file_id.block_timeout</strong> = 86400: stop blocking after this many seconds { 0:max31 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>file_id.lookup_timeout</strong> = 2: give up on lookup after this many seconds { 0:max31 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>file_id.block_timeout_lookup</strong> = false: block if lookup times out\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>file_id.capture_memcap</strong> = 100: memcap for file capture in megabytes { 0:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>file_id.capture_max_size</strong> = 1048576: stop file capture beyond this point { 0:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>file_id.capture_min_size</strong> = 0: stop file capture if file size less than this { 0:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>file_id.capture_block_size</strong> = 32768: file capture block size in bytes { 8:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>file_id.max_files_cached</strong> = 65536: maximal number of files cached in memory { 8:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>file_id.max_files_per_flow</strong> = 32: maximal number of files able to be concurrently processed per flow { 1:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>file_id.enable_type</strong> = true: enable type ID\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>file_id.enable_signature</strong> = false: enable signature calculation\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>file_id.enable_capture</strong> = false: enable file capture\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>file_id.show_data_depth</strong> = 100: print this many octets { 0:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>file_id.file_rules[].rev</code></strong> = 0: rule revision { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>file_id.file_rules[].msg</code></strong>: information about the file type\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>file_id.file_rules[].type</code></strong>: file type name\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>file_id.file_rules[].id</code></strong> = 0: file type id { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>file_id.file_rules[].category</code></strong>: file type category\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>file_id.file_rules[].group</code></strong>: comma separated list of groups associated with file type\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>file_id.file_rules[].version</code></strong>: file type version\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>file_id.file_rules[].magic[].content</code></strong>: file magic content\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>file_id.file_rules[].magic[].offset</code></strong> = 0: file magic offset { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>file_id.file_policy[].when.file_type_id</code></strong> = 0: unique ID for file type in file magic rule { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>file_id.file_policy[].when.sha256</code></strong>: SHA 256\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong><code>file_id.file_policy[].use.verdict</code></strong> = unknown: what to do with matching traffic { unknown | log | stop | block | reset }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong><code>file_id.file_policy[].use.enable_file_type</code></strong> = false: true/false → enable/disable file type identification\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong><code>file_id.file_policy[].use.enable_file_signature</code></strong> = false: true/false → enable/disable file signature\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong><code>file_id.file_policy[].use.enable_file_capture</code></strong> = false: true/false → enable/disable file capture\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>file_id.trace_type</strong> = false: enable runtime dump of type info\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>file_id.trace_signature</strong> = false: enable runtime dump of signature info\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>file_id.trace_stream</strong> = false: enable runtime dump of file data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>file_id.verdict_delay</strong> = 0: number of queries to return final verdict { 0:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>file_id.b64_decode_depth</strong> = -1: base64 decoding depth (-1 no limit) { -1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>file_id.bitenc_decode_depth</strong> = -1: Non-Encoded MIME attachment extraction depth (-1 no limit) { -1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>file_id.decompress_pdf</strong> = false: decompress pdf files in MIME attachments\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>file_id.decompress_swf</strong> = false: decompress swf files in MIME attachments\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>file_id.decompress_zip</strong> = false: decompress zip files in MIME attachments\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>file_id.qp_decode_depth</strong> = -1: Quoted Printable decoding depth (-1 no limit) { -1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>file_id.uu_decode_depth</strong> = -1: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>150:1</strong> (file_id) file not processed due to per flow limit\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>file_id.total_files</strong>: number of files processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>file_id.total_file_data</strong>: number of file data bytes processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>file_id.cache_failures</strong>: number of file cache add failures (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>file_id.files_not_processed</strong>: number of files not processed due to per-flow limit (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>file_id.max_concurrent_files</strong>: maximum files processed concurrently on a flow (max)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_file_log">file_log</h3>\r
-<div class="paragraph"><p>What: log file event to file.log</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-bool <strong>file_log.log_pkt_time</strong> = true: log the packet time when event generated\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>file_log.log_sys_time</strong> = false: log the system time when event generated\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>file_log.total_events</strong>: total file events (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_ftp_client">ftp_client</h3>\r
-<div class="paragraph"><p>What: FTP client configuration module for use with ftp_server</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-bool <strong>ftp_client.bounce</strong> = false: check for bounces\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-addr <strong><code>ftp_client.bounce_to[].address</code></strong> = 1.0.0.0/32: allowed IP address in CIDR format\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-port <strong><code>ftp_client.bounce_to[].port</code></strong> = 20: allowed port\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-port <strong><code>ftp_client.bounce_to[].last_port</code></strong>: optional allowed range from port to last_port inclusive\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>ftp_client.ignore_telnet_erase_cmds</strong> = false: ignore erase character and erase line commands when normalizing\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>ftp_client.max_resp_len</strong> = 4294967295: maximum FTP response accepted by client { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>ftp_client.telnet_cmds</strong> = false: detect Telnet escape sequences on FTP control channel\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_ftp_data_2">ftp_data</h3>\r
-<div class="paragraph"><p>What: FTP data channel handler</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>ftp_data.packets</strong>: total packets (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_ftp_server">ftp_server</h3>\r
-<div class="paragraph"><p>What: main FTP module; ftp_client should also be configured</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>ftp_server.chk_str_fmt</strong>: check the formatting of the given commands\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>ftp_server.data_chan_cmds</strong>: check the formatting of the given commands\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>ftp_server.data_rest_cmds</strong>: check the formatting of the given commands\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>ftp_server.data_xfer_cmds</strong>: check the formatting of the given commands\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>ftp_server.directory_cmds[].dir_cmd</code></strong>: directory command\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>ftp_server.directory_cmds[].rsp_code</code></strong> = 200: expected successful response code for command { 200:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>ftp_server.file_put_cmds</strong>: check the formatting of the given commands\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>ftp_server.file_get_cmds</strong>: check the formatting of the given commands\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>ftp_server.encr_cmds</strong>: check the formatting of the given commands\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>ftp_server.login_cmds</strong>: check the formatting of the given commands\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>ftp_server.check_encrypted</strong> = false: check for end of encryption\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>ftp_server.cmd_validity[].command</code></strong>: command string\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>ftp_server.cmd_validity[].format</code></strong>: format specification\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>ftp_server.cmd_validity[].length</code></strong> = 0: specify non-default maximum for command { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>ftp_server.def_max_param_len</strong> = 100: default maximum length of commands handled by server; 0 is unlimited { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>ftp_server.encrypted_traffic</strong> = false: check for encrypted Telnet and FTP\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>ftp_server.ftp_cmds</strong>: specify additional commands supported by server beyond RFC 959\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>ftp_server.ignore_data_chan</strong> = false: do not inspect FTP data channels\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>ftp_server.ignore_telnet_erase_cmds</strong> = false: ignore erase character and erase line commands when normalizing\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>ftp_server.print_cmds</strong> = false: print command configurations on start up\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>ftp_server.telnet_cmds</strong> = false: detect Telnet escape sequences of FTP control channel\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>125:1</strong> (ftp_server) TELNET cmd on FTP command channel\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>125:2</strong> (ftp_server) invalid FTP command\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>125:3</strong> (ftp_server) FTP command parameters were too long\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>125:4</strong> (ftp_server) FTP command parameters were malformed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>125:5</strong> (ftp_server) FTP command parameters contained potential string format\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>125:6</strong> (ftp_server) FTP response message was too long\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>125:7</strong> (ftp_server) FTP traffic encrypted\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>125:8</strong> (ftp_server) FTP bounce attempt\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>125:9</strong> (ftp_server) evasive (incomplete) TELNET cmd on FTP command channel\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>ftp_server.total_packets</strong>: total packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ftp_server.total_bytes</strong>: total number of bytes processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ftp_server.concurrent_sessions</strong>: total concurrent FTP sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ftp_server.max_concurrent_sessions</strong>: maximum concurrent FTP sessions (max)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_gtp_inspect">gtp_inspect</h3>\r
-<div class="paragraph"><p>What: gtp control channel inspection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong><code>gtp_inspect[].version</code></strong> = 2: GTP version { 0:2 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>gtp_inspect[].messages[].type</code></strong> = 0: message type code { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>gtp_inspect[].messages[].name</code></strong>: message name\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>gtp_inspect[].infos[].type</code></strong> = 0: information element type code { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>gtp_inspect[].infos[].name</code></strong>: information element name\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>gtp_inspect[].infos[].length</code></strong> = 0: information element type code { 0:255 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>143:1</strong> (gtp_inspect) message length is invalid\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>143:2</strong> (gtp_inspect) information element length is invalid\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>143:3</strong> (gtp_inspect) information elements are out of order\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>143:4</strong> (gtp_inspect) TEID is missing\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>gtp_inspect.sessions</strong>: total sessions processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>gtp_inspect.concurrent_sessions</strong>: total concurrent gtp sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>gtp_inspect.max_concurrent_sessions</strong>: maximum concurrent gtp sessions (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>gtp_inspect.events</strong>: requests (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>gtp_inspect.unknown_types</strong>: unknown message types (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>gtp_inspect.unknown_infos</strong>: unknown information elements (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http2_inspect">http2_inspect</h3>\r
-<div class="paragraph"><p>What: HTTP/2 inspector</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>121:1</strong> (http2_inspect) error in HPACK integer value\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>121:2</strong> (http2_inspect) HPACK integer value has leading zeros\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>121:3</strong> (http2_inspect) error in HPACK string value\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>121:4</strong> (http2_inspect) missing HTTP/2 continuation frame\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>121:5</strong> (http2_inspect) unexpected HTTP/2 continuation frame\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>121:6</strong> (http2_inspect) misformatted HTTP/2 traffic\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>121:7</strong> (http2_inspect) HTTP/2 connection preface does not match\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>121:8</strong> (http2_inspect) HTTP/2 request missing required header field\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>121:9</strong> (http2_inspect) HTTP/2 response has no status code\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>121:10</strong> (http2_inspect) HTTP/2 invalid header field\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>121:11</strong> (http2_inspect) error in HTTP/2 settings frame\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>121:12</strong> (http2_inspect) unknown parameter in HTTP/2 settings frame\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>121:13</strong> (http2_inspect) invalid HTTP/2 frame sequence\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>121:14</strong> (http2_inspect) HTTP/2 dynamic table size limit exceeded\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>121:15</strong> (http2_inspect) invalid HTTP/2 start line\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>121:16</strong> (http2_inspect) HTTP/2 padding length is bigger than frame data size\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>http2_inspect.flows</strong>: HTTP/2 connections inspected (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http2_inspect.concurrent_sessions</strong>: total concurrent HTTP/2 sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http2_inspect.max_concurrent_sessions</strong>: maximum concurrent HTTP/2 sessions (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http2_inspect.max_table_entries</strong>: maximum entries in an HTTP/2 dynamic table (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http2_inspect.max_concurrent_files</strong>: maximum concurrent file transfers per HTTP/2 connection (max)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_inspect">http_inspect</h3>\r
-<div class="paragraph"><p>What: HTTP inspector</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>http_inspect.request_depth</strong> = -1: maximum request message body bytes to examine (-1 no limit) { -1:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>http_inspect.response_depth</strong> = -1: maximum response message body bytes to examine (-1 no limit) { -1:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.unzip</strong> = true: decompress gzip and deflate message bodies\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.normalize_utf</strong> = true: normalize charset utf encodings in response bodies\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.decompress_pdf</strong> = false: decompress pdf files in response bodies\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.decompress_swf</strong> = false: decompress swf files in response bodies\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.decompress_zip</strong> = false: decompress zip files in response bodies\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.detained_inspection</strong> = false: store-and-forward as necessary to effectively block alerting JavaScript\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.normalize_javascript</strong> = false: normalize JavaScript in response bodies\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>http_inspect.max_javascript_whitespaces</strong> = 200: maximum consecutive whitespaces allowed within the JavaScript obfuscated data { 1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bit_list <strong>http_inspect.bad_characters</strong>: alert when any of specified bytes are present in URI after percent decoding { 255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>http_inspect.ignore_unreserved</strong>: do not alert when the specified unreserved characters are percent-encoded in a URI.Unreserved characters are 0-9, a-z, A-Z, period, underscore, tilde, and minus. { (optional) }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.percent_u</strong> = false: normalize %uNNNN and %UNNNN encodings\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.utf8</strong> = true: normalize 2-byte and 3-byte UTF-8 characters to a single byte\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.utf8_bare_byte</strong> = false: when doing UTF-8 character normalization include bytes that were not percent encoded\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.iis_unicode</strong> = false: use IIS unicode code point mapping to normalize characters\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>http_inspect.iis_unicode_map_file</strong>: file containing code points for IIS unicode. { (optional) }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>http_inspect.iis_unicode_code_page</strong> = 1252: code page to use from the IIS unicode map file { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.iis_double_decode</strong> = true: perform double decoding of percent encodings to normalize characters\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>http_inspect.oversize_dir_length</strong> = 300: maximum length for URL directory { 1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.backslash_to_slash</strong> = true: replace \ with / when normalizing URIs\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.plus_to_space</strong> = true: replace + with <sp> when normalizing URIs\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.simplify_path</strong> = true: reduce URI directory path to simplest form\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>119:1</strong> (http_inspect) ascii encoding\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:2</strong> (http_inspect) double decoding attack\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:3</strong> (http_inspect) u encoding\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:4</strong> (http_inspect) bare byte unicode encoding\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:5</strong> (http_inspect) obsolete event—deleted\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:6</strong> (http_inspect) UTF-8 encoding\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:7</strong> (http_inspect) unicode map code point encoding in URI\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:8</strong> (http_inspect) multi_slash encoding\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:9</strong> (http_inspect) backslash used in URI path\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:10</strong> (http_inspect) self directory traversal\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:11</strong> (http_inspect) directory traversal\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:12</strong> (http_inspect) apache whitespace (tab)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:13</strong> (http_inspect) HTTP header line terminated by LF without a CR\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:14</strong> (http_inspect) non-RFC defined char\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:15</strong> (http_inspect) oversize request-uri directory\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:16</strong> (http_inspect) oversize chunk encoding\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:17</strong> (http_inspect) unauthorized proxy use detected\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:18</strong> (http_inspect) webroot directory traversal\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:19</strong> (http_inspect) long header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:20</strong> (http_inspect) max header fields\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:21</strong> (http_inspect) multiple content length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:22</strong> (http_inspect) obsolete event—deleted\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:23</strong> (http_inspect) invalid IP in true-client-IP/XFF header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:24</strong> (http_inspect) multiple host hdrs detected\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:25</strong> (http_inspect) hostname exceeds 255 characters\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:26</strong> (http_inspect) too much whitespace in header (not implemented yet)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:27</strong> (http_inspect) client consecutive small chunk sizes\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:28</strong> (http_inspect) POST or PUT w/o content-length or chunks\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:29</strong> (http_inspect) multiple true ips in a session\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:30</strong> (http_inspect) both true-client-IP and XFF hdrs present\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:31</strong> (http_inspect) unknown method\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:32</strong> (http_inspect) simple request\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:33</strong> (http_inspect) unescaped space in HTTP URI\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:34</strong> (http_inspect) too many pipelined requests\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:101</strong> (http_inspect) obsolete event—deleted\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:102</strong> (http_inspect) invalid status code in HTTP response\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:103</strong> (http_inspect) unused event number—should not appear\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:104</strong> (http_inspect) HTTP response has UTF charset that failed to normalize\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:105</strong> (http_inspect) HTTP response has UTF-7 charset\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:106</strong> (http_inspect) HTTP response gzip decompression failed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:107</strong> (http_inspect) server consecutive small chunk sizes\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:108</strong> (http_inspect) unused event number—should not appear\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:109</strong> (http_inspect) javascript obfuscation levels exceeds 1\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:110</strong> (http_inspect) javascript whitespaces exceeds max allowed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:111</strong> (http_inspect) multiple encodings within javascript obfuscated data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:112</strong> (http_inspect) SWF file zlib decompression failure\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:113</strong> (http_inspect) SWF file LZMA decompression failure\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:114</strong> (http_inspect) PDF file deflate decompression failure\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:115</strong> (http_inspect) PDF file unsupported compression type\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:116</strong> (http_inspect) PDF file cascaded compression\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:117</strong> (http_inspect) PDF file parse failure\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:201</strong> (http_inspect) not HTTP traffic\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:202</strong> (http_inspect) chunk length has excessive leading zeros\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:203</strong> (http_inspect) white space before or between messages\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:204</strong> (http_inspect) request message without URI\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:205</strong> (http_inspect) control character in reason phrase\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:206</strong> (http_inspect) illegal extra whitespace in start line\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:207</strong> (http_inspect) corrupted HTTP version\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:208</strong> (http_inspect) unknown HTTP version\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:209</strong> (http_inspect) format error in HTTP header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:210</strong> (http_inspect) chunk header options present\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:211</strong> (http_inspect) URI badly formatted\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:212</strong> (http_inspect) unrecognized type of percent encoding in URI\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:213</strong> (http_inspect) HTTP chunk misformatted\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:214</strong> (http_inspect) white space adjacent to chunk length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:215</strong> (http_inspect) white space within header name\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:216</strong> (http_inspect) excessive gzip compression\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:217</strong> (http_inspect) gzip decompression failed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:218</strong> (http_inspect) HTTP 0.9 requested followed by another request\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:219</strong> (http_inspect) HTTP 0.9 request following a normal request\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:220</strong> (http_inspect) message has both Content-Length and Transfer-Encoding\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:221</strong> (http_inspect) status code implying no body combined with Transfer-Encoding or nonzero Content-Length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:222</strong> (http_inspect) Transfer-Encoding not ending with chunked\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:223</strong> (http_inspect) Transfer-Encoding with encodings before chunked\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:224</strong> (http_inspect) misformatted HTTP traffic\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:225</strong> (http_inspect) unsupported Content-Encoding used\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:226</strong> (http_inspect) unknown Content-Encoding used\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:227</strong> (http_inspect) multiple Content-Encodings applied\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:228</strong> (http_inspect) server response before client request\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:229</strong> (http_inspect) PDF/SWF/ZIP decompression of server response too big\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:230</strong> (http_inspect) nonprinting character in HTTP message header name\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:231</strong> (http_inspect) bad Content-Length value in HTTP header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:232</strong> (http_inspect) HTTP header line wrapped\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:233</strong> (http_inspect) HTTP header line terminated by CR without a LF\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:234</strong> (http_inspect) chunk terminated by nonstandard separator\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:235</strong> (http_inspect) chunk length terminated by LF without CR\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:236</strong> (http_inspect) more than one response with 100 status code\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:237</strong> (http_inspect) 100 status code not in response to Expect header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:238</strong> (http_inspect) 1XX status code other than 100 or 101\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:239</strong> (http_inspect) Expect header sent without a message body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:240</strong> (http_inspect) HTTP 1.0 message with Transfer-Encoding header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:241</strong> (http_inspect) Content-Transfer-Encoding used as HTTP header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:242</strong> (http_inspect) illegal field in chunked message trailers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:243</strong> (http_inspect) header field inappropriately appears twice or has two values\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:244</strong> (http_inspect) invalid value chunked in Content-Encoding header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:245</strong> (http_inspect) 206 response sent to a request without a Range header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:246</strong> (http_inspect) <em>HTTP</em> in version field not all upper case\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:247</strong> (http_inspect) white space embedded in critical header value\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:248</strong> (http_inspect) gzip compressed data followed by unexpected non-gzip data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:249</strong> (http_inspect) excessive HTTP parameter key repeats\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:250</strong> (http_inspect) HTTP/2 Transfer-Encoding header other than identity\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:251</strong> (http_inspect) HTTP/2 message body overruns Content-Length header value\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:252</strong> (http_inspect) HTTP/2 message body smaller than Content-Length header value\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:253</strong> (http_inspect) HTTP CONNECT request with a message body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:254</strong> (http_inspect) HTTP client-to-server traffic after CONNECT request but before CONNECT response\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:255</strong> (http_inspect) HTTP CONNECT 2XX response with Content-Length header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:256</strong> (http_inspect) HTTP CONNECT 2XX response with Transfer-Encoding header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:257</strong> (http_inspect) HTTP CONNECT response with 1XX status code\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:258</strong> (http_inspect) HTTP CONNECT response before request message completed\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>http_inspect.flows</strong>: HTTP connections inspected (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.scans</strong>: TCP segments scanned looking for HTTP messages (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.reassembles</strong>: TCP segments combined into HTTP messages (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.inspections</strong>: total message sections inspected (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.requests</strong>: HTTP request messages inspected (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.responses</strong>: HTTP response messages inspected (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.get_requests</strong>: GET requests inspected (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.head_requests</strong>: HEAD requests inspected (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.post_requests</strong>: POST requests inspected (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.put_requests</strong>: PUT requests inspected (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.delete_requests</strong>: DELETE requests inspected (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.connect_requests</strong>: CONNECT requests inspected (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.options_requests</strong>: OPTIONS requests inspected (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.trace_requests</strong>: TRACE requests inspected (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.other_requests</strong>: other request methods inspected (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.request_bodies</strong>: POST, PUT, and other requests with message bodies (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.chunked</strong>: chunked message bodies (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.uri_normalizations</strong>: URIs needing to be normalization (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.uri_path</strong>: URIs with path problems (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.uri_coding</strong>: URIs with character coding problems (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.concurrent_sessions</strong>: total concurrent http sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.max_concurrent_sessions</strong>: maximum concurrent http sessions (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.detains_requested</strong>: packet hold requests for detained inspection (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.partial_inspections</strong>: pre-inspections for detained inspection (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.excess_parameters</strong>: repeat parameters exceeding max (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.parameters</strong>: HTTP parameters inspected (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.connect_tunnel_cutovers</strong>: CONNECT tunnel flow cutovers to wizard (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_imap">imap</h3>\r
-<div class="paragraph"><p>What: imap inspection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>imap.b64_decode_depth</strong> = -1: base64 decoding depth (-1 no limit) { -1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>imap.bitenc_decode_depth</strong> = -1: non-Encoded MIME attachment extraction depth (-1 no limit) { -1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>imap.decompress_pdf</strong> = false: decompress pdf files in MIME attachments\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>imap.decompress_swf</strong> = false: decompress swf files in MIME attachments\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>imap.decompress_zip</strong> = false: decompress zip files in MIME attachments\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>imap.qp_decode_depth</strong> = -1: quoted Printable decoding depth (-1 no limit) { -1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>imap.uu_decode_depth</strong> = -1: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>141:1</strong> (imap) unknown IMAP3 command\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>141:2</strong> (imap) unknown IMAP3 response\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>141:4</strong> (imap) base64 decoding failed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>141:5</strong> (imap) quoted-printable decoding failed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>141:7</strong> (imap) Unix-to-Unix decoding failed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>141:8</strong> (imap) file decompression failed\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>imap.packets</strong>: total packets processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>imap.sessions</strong>: total imap sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>imap.concurrent_sessions</strong>: total concurrent imap sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>imap.max_concurrent_sessions</strong>: maximum concurrent imap sessions (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>imap.b64_attachments</strong>: total base64 attachments decoded (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>imap.b64_decoded_bytes</strong>: total base64 decoded bytes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>imap.qp_attachments</strong>: total quoted-printable attachments decoded (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>imap.qp_decoded_bytes</strong>: total quoted-printable decoded bytes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>imap.uu_attachments</strong>: total uu attachments decoded (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>imap.uu_decoded_bytes</strong>: total uu decoded bytes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>imap.non_encoded_attachments</strong>: total non-encoded attachments extracted (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>imap.non_encoded_bytes</strong>: total non-encoded extracted bytes (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_mem_test">mem_test</h3>\r
-<div class="paragraph"><p>What: for testing memory management</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>mem_test.packets</strong>: total packets (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_modbus">modbus</h3>\r
-<div class="paragraph"><p>What: modbus inspection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>144:1</strong> (modbus) length in Modbus MBAP header does not match the length needed for the given function\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>144:2</strong> (modbus) Modbus protocol ID is non-zero\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>144:3</strong> (modbus) reserved Modbus function code in use\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>modbus.sessions</strong>: total sessions processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>modbus.frames</strong>: total Modbus messages (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>modbus.concurrent_sessions</strong>: total concurrent modbus sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>modbus.max_concurrent_sessions</strong>: maximum concurrent modbus sessions (max)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_normalizer">normalizer</h3>\r
-<div class="paragraph"><p>What: packet scrubbing for inline mode</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.ip4.base</strong> = false: clear options\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.ip4.df</strong> = false: clear don’t frag flag\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.ip4.rf</strong> = false: clear reserved flag\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.ip4.tos</strong> = false: clear tos / differentiated services byte\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.ip4.trim</strong> = false: truncate excess payload beyond datagram length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.tcp.base</strong> = false: clear reserved bits and option padding and fix urgent pointer / flags issues\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.tcp.block</strong> = false: allow packet drops during TCP normalization\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.tcp.urp</strong> = false: adjust urgent pointer if beyond segment length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.tcp.ips</strong> = true: ensure consistency in retransmitted data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-select <strong>normalizer.tcp.ecn</strong> = off: clear ecn for all packets | sessions w/o ecn setup { off | packet | stream }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.tcp.pad</strong> = false: clear any option padding bytes\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.tcp.trim_syn</strong> = false: remove data on SYN\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.tcp.trim_rst</strong> = false: remove any data from RST packet\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.tcp.trim_win</strong> = false: trim data to window\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.tcp.trim_mss</strong> = false: trim data to MSS\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.tcp.trim</strong> = false: enable all of the TCP trim options\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.tcp.opts</strong> = false: clear all options except mss, wscale, timestamp, and any explicitly allowed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.tcp.req_urg</strong> = false: clear the urgent pointer if the urgent flag is not set\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.tcp.req_pay</strong> = false: clear the urgent pointer and the urgent flag if there is no payload\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.tcp.rsv</strong> = false: clear the reserved bits in the TCP header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.tcp.req_urp</strong> = false: clear the urgent flag if the urgent pointer is not set\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-multi <strong>normalizer.tcp.allow_names</strong>: don’t clear given option names { sack | echo | partial_order | conn_count | alt_checksum | md5 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>normalizer.tcp.allow_codes</strong>: don’t clear given option codes\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.ip6</strong> = false: clear reserved flag\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.icmp4</strong> = false: clear reserved flag\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.icmp6</strong> = false: clear reserved flag\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_ip4_trim</strong>: test eth packets trimmed to datagram size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.ip4_trim</strong>: eth packets trimmed to datagram size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_ip4_tos</strong>: test type of service normalizations (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.ip4_tos</strong>: type of service normalizations (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_ip4_df</strong>: test don’t frag bit normalizations (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.ip4_df</strong>: don’t frag bit normalizations (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_ip4_rf</strong>: test reserved flag bit clears (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.ip4_rf</strong>: reserved flag bit clears (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_ip4_ttl</strong>: test time-to-live normalizations (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.ip4_ttl</strong>: time-to-live normalizations (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_ip4_opts</strong>: test ip4 options cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.ip4_opts</strong>: ip4 options cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_icmp4_echo</strong>: test icmp4 ping normalizations (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.icmp4_echo</strong>: icmp4 ping normalizations (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_ip6_hops</strong>: test ip6 hop limit normalizations (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.ip6_hops</strong>: ip6 hop limit normalizations (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_ip6_options</strong>: test ip6 options cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.ip6_options</strong>: ip6 options cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_icmp6_echo</strong>: test icmp6 echo normalizations (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.icmp6_echo</strong>: icmp6 echo normalizations (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_tcp_syn_options</strong>: test SYN only options cleared from non-SYN packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.tcp_syn_options</strong>: SYN only options cleared from non-SYN packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_tcp_options</strong>: test packets with options cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.tcp_options</strong>: packets with options cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_tcp_padding</strong>: test packets with padding cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.tcp_padding</strong>: packets with padding cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_tcp_reserved</strong>: test packets with reserved bits cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.tcp_reserved</strong>: packets with reserved bits cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_tcp_nonce</strong>: test packets with nonce bit cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.tcp_nonce</strong>: packets with nonce bit cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_tcp_urgent_ptr</strong>: test packets without data with urgent pointer cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.tcp_urgent_ptr</strong>: packets without data with urgent pointer cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_tcp_ecn_pkt</strong>: test packets with ECN bits cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.tcp_ecn_pkt</strong>: packets with ECN bits cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_tcp_ts_ecr</strong>: test timestamp cleared on non-ACKs (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.tcp_ts_ecr</strong>: timestamp cleared on non-ACKs (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_tcp_req_urg</strong>: test cleared urgent pointer when urgent flag is not set (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.tcp_req_urg</strong>: cleared urgent pointer when urgent flag is not set (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_tcp_req_pay</strong>: test cleared urgent pointer and urgent flag when there is no payload (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.tcp_req_pay</strong>: cleared urgent pointer and urgent flag when there is no payload (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_tcp_req_urp</strong>: test cleared the urgent flag if the urgent pointer is not set (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.tcp_req_urp</strong>: cleared the urgent flag if the urgent pointer is not set (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_tcp_trim_syn</strong>: test tcp segments trimmed on SYN (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.tcp_trim_syn</strong>: tcp segments trimmed on SYN (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_tcp_trim_rst</strong>: test RST packets with data trimmed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.tcp_trim_rst</strong>: RST packets with data trimmed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_tcp_trim_win</strong>: test data trimmed to window (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.tcp_trim_win</strong>: data trimmed to window (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_tcp_trim_mss</strong>: test data trimmed to MSS (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.tcp_trim_mss</strong>: data trimmed to MSS (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_tcp_ecn_session</strong>: test ECN bits cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.tcp_ecn_session</strong>: ECN bits cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_tcp_ts_nop</strong>: test timestamp options cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.tcp_ts_nop</strong>: timestamp options cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_tcp_ips_data</strong>: test normalized segments (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.tcp_ips_data</strong>: normalized segments (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_tcp_block</strong>: test blocked segments (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.tcp_block</strong>: blocked segments (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_packet_capture">packet_capture</h3>\r
-<div class="paragraph"><p>What: raw packet dumping facility</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-bool <strong>packet_capture.enable</strong> = false: initially enable packet dumping\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>packet_capture.filter</strong>: bpf filter to use for packet dump\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Commands:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>packet_capture.enable</strong>(filter): dump raw packets\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>packet_capture.disable</strong>(): stop packet dump\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>packet_capture.processed</strong>: packets processed against filter (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>packet_capture.captured</strong>: packets matching dumped after matching filter (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_perf_monitor">perf_monitor</h3>\r
-<div class="paragraph"><p>What: performance monitoring and flow statistics collection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-bool <strong>perf_monitor.base</strong> = true: enable base statistics\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>perf_monitor.cpu</strong> = false: enable cpu statistics\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>perf_monitor.flow</strong> = false: enable traffic statistics\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>perf_monitor.flow_ip</strong> = false: enable statistics on host pairs\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>perf_monitor.packets</strong> = 10000: minimum packets to report { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>perf_monitor.seconds</strong> = 60: report interval { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>perf_monitor.flow_ip_memcap</strong> = 52428800: maximum memory in bytes for flow tracking { 236:maxSZ }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>perf_monitor.max_file_size</strong> = 1073741824: files will be rolled over if they exceed this size { 4096:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>perf_monitor.flow_ports</strong> = 1023: maximum ports to track { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>perf_monitor.output</strong> = file: output location for stats { file | console }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>perf_monitor.modules[].name</code></strong>: name of the module\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>perf_monitor.modules[].pegs</code></strong>: list of statistics to track or empty for all counters\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>perf_monitor.format</strong> = csv: output format for stats { csv | text | json | flatbuffers }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>perf_monitor.summary</strong> = false: output summary at shutdown\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Commands:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>perf_monitor.enable_flow_ip_profiling</strong>(seconds, packets): enable statistics on host pairs\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>perf_monitor.disable_flow_ip_profiling</strong>(): disable statistics on host pairs\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>perf_monitor.show_flow_ip_profiling</strong>(): show status of statistics on host pairs\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>perf_monitor.packets</strong>: total packets processed by performance monitor (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>perf_monitor.flow_tracker_creates</strong>: total number of flow trackers created (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>perf_monitor.flow_tracker_total_deletes</strong>: flow trackers deleted to stay below memcap limit (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>perf_monitor.flow_tracker_reload_deletes</strong>: flow trackers deleted due to memcap change on config reload (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>perf_monitor.flow_tracker_prunes</strong>: flow trackers pruned for reuse by new flows (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_pop">pop</h3>\r
-<div class="paragraph"><p>What: pop inspection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>pop.b64_decode_depth</strong> = -1: base64 decoding depth (-1 no limit) { -1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>pop.bitenc_decode_depth</strong> = -1: Non-Encoded MIME attachment extraction depth (-1 no limit) { -1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>pop.decompress_pdf</strong> = false: decompress pdf files in MIME attachments\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>pop.decompress_swf</strong> = false: decompress swf files in MIME attachments\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>pop.decompress_zip</strong> = false: decompress zip files in MIME attachments\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>pop.qp_decode_depth</strong> = -1: Quoted Printable decoding depth (-1 no limit) { -1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>pop.uu_decode_depth</strong> = -1: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>142:1</strong> (pop) unknown POP3 command\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>142:2</strong> (pop) unknown POP3 response\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>142:4</strong> (pop) base64 decoding failed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>142:5</strong> (pop) quoted-printable decoding failed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>142:7</strong> (pop) Unix-to-Unix decoding failed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>142:8</strong> (pop) file decompression failed\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>pop.packets</strong>: total packets processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pop.total_bytes</strong>: total number of bytes processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pop.sessions</strong>: total pop sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pop.concurrent_sessions</strong>: total concurrent pop sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pop.max_concurrent_sessions</strong>: maximum concurrent pop sessions (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pop.b64_attachments</strong>: total base64 attachments decoded (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pop.b64_decoded_bytes</strong>: total base64 decoded bytes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pop.qp_attachments</strong>: total quoted-printable attachments decoded (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pop.qp_decoded_bytes</strong>: total quoted-printable decoded bytes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pop.uu_attachments</strong>: total uu attachments decoded (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pop.uu_decoded_bytes</strong>: total uu decoded bytes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pop.non_encoded_attachments</strong>: total non-encoded attachments extracted (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pop.non_encoded_bytes</strong>: total non-encoded extracted bytes (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_port_scan_2">port_scan</h3>\r
-<div class="paragraph"><p>What: detect various ip, icmp, tcp, and udp port or protocol scans</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>port_scan.memcap</strong> = 10485760: maximum tracker memory in bytes { 1024:maxSZ }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-multi <strong>port_scan.protos</strong> = all: choose the protocols to monitor { tcp | udp | icmp | ip | all }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-multi <strong>port_scan.scan_types</strong> = all: choose type of scans to look for { portscan | portsweep | decoy_portscan | distributed_portscan | all }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>port_scan.watch_ip</strong>: list of CIDRs with optional ports to watch\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>port_scan.ignore_scanners</strong>: list of CIDRs with optional ports to ignore if the source of scan alerts\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>port_scan.ignore_scanned</strong>: list of CIDRs with optional ports to ignore if the destination of scan alerts\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>port_scan.alert_all</strong> = false: alert on all events over threshold within window if true; else alert on first only\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>port_scan.include_midstream</strong> = false: list of CIDRs with optional ports\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.tcp_ports.scans</strong> = 100: scan attempts { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.tcp_ports.rejects</strong> = 15: scan attempts with negative response { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.tcp_ports.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.tcp_ports.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.tcp_decoy.scans</strong> = 100: scan attempts { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.tcp_decoy.rejects</strong> = 15: scan attempts with negative response { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.tcp_decoy.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.tcp_decoy.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.tcp_sweep.scans</strong> = 100: scan attempts { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.tcp_sweep.rejects</strong> = 15: scan attempts with negative response { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.tcp_sweep.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.tcp_sweep.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.tcp_dist.scans</strong> = 100: scan attempts { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.tcp_dist.rejects</strong> = 15: scan attempts with negative response { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.tcp_dist.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.tcp_dist.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.udp_ports.scans</strong> = 100: scan attempts { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.udp_ports.rejects</strong> = 15: scan attempts with negative response { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.udp_ports.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.udp_ports.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.udp_decoy.scans</strong> = 100: scan attempts { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.udp_decoy.rejects</strong> = 15: scan attempts with negative response { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.udp_decoy.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.udp_decoy.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.udp_sweep.scans</strong> = 100: scan attempts { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.udp_sweep.rejects</strong> = 15: scan attempts with negative response { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.udp_sweep.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.udp_sweep.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.udp_dist.scans</strong> = 100: scan attempts { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.udp_dist.rejects</strong> = 15: scan attempts with negative response { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.udp_dist.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.udp_dist.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.ip_proto.scans</strong> = 100: scan attempts { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.ip_proto.rejects</strong> = 15: scan attempts with negative response { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.ip_proto.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.ip_proto.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.ip_decoy.scans</strong> = 100: scan attempts { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.ip_decoy.rejects</strong> = 15: scan attempts with negative response { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.ip_decoy.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.ip_decoy.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.ip_sweep.scans</strong> = 100: scan attempts { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.ip_sweep.rejects</strong> = 15: scan attempts with negative response { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.ip_sweep.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.ip_sweep.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.ip_dist.scans</strong> = 100: scan attempts { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.ip_dist.rejects</strong> = 15: scan attempts with negative response { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.ip_dist.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.ip_dist.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.icmp_sweep.scans</strong> = 100: scan attempts { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.icmp_sweep.rejects</strong> = 15: scan attempts with negative response { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.icmp_sweep.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.icmp_sweep.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.tcp_window</strong> = 0: detection interval for all TCP scans { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.udp_window</strong> = 0: detection interval for all UDP scans { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.ip_window</strong> = 0: detection interval for all IP scans { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.icmp_window</strong> = 0: detection interval for all ICMP scans { 0:max32 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>122:1</strong> (port_scan) TCP portscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:2</strong> (port_scan) TCP decoy portscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:3</strong> (port_scan) TCP portsweep\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:4</strong> (port_scan) TCP distributed portscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:5</strong> (port_scan) TCP filtered portscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:6</strong> (port_scan) TCP filtered decoy portscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:7</strong> (port_scan) TCP filtered portsweep\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:8</strong> (port_scan) TCP filtered distributed portscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:9</strong> (port_scan) IP protocol scan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:10</strong> (port_scan) IP decoy protocol scan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:11</strong> (port_scan) IP protocol sweep\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:12</strong> (port_scan) IP distributed protocol scan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:13</strong> (port_scan) IP filtered protocol scan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:14</strong> (port_scan) IP filtered decoy protocol scan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:15</strong> (port_scan) IP filtered protocol sweep\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:16</strong> (port_scan) IP filtered distributed protocol scan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:17</strong> (port_scan) UDP portscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:18</strong> (port_scan) UDP decoy portscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:19</strong> (port_scan) UDP portsweep\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:20</strong> (port_scan) UDP distributed portscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:21</strong> (port_scan) UDP filtered portscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:22</strong> (port_scan) UDP filtered decoy portscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:23</strong> (port_scan) UDP filtered portsweep\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:24</strong> (port_scan) UDP filtered distributed portscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:25</strong> (port_scan) ICMP sweep\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:26</strong> (port_scan) ICMP filtered sweep\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:27</strong> (port_scan) open port\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>port_scan.packets</strong>: number of packets processed by port scan (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>port_scan.trackers</strong>: number of trackers allocated by port scan (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>port_scan.alloc_prunes</strong>: number of trackers pruned on allocation of new tracking (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>port_scan.reload_prunes</strong>: number of trackers pruned on reload due to reduced memcap (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_reputation">reputation</h3>\r
-<div class="paragraph"><p>What: reputation inspection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>reputation.blacklist</strong>: blacklist file name with IP lists\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>reputation.list_dir</strong>: directory for IP lists and manifest file\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>reputation.memcap</strong> = 500: maximum total MB of memory allocated { 1:4095 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>reputation.nested_ip</strong> = inner: IP to use when there is IP encapsulation { inner|outer|all }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>reputation.priority</strong> = whitelist: defines priority when there is a decision conflict during run-time { blacklist|whitelist }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>reputation.scan_local</strong> = false: inspect local address defined in RFC 1918\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>reputation.white</strong> = unblack: specify the meaning of whitelist { unblack|trust }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>reputation.whitelist</strong>: whitelist file name with IP lists\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>136:1</strong> (reputation) packets blacklisted based on source\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>136:2</strong> (reputation) packets whitelisted based on source\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>136:3</strong> (reputation) packets monitored based on source\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>136:4</strong> (reputation) packets blacklisted based on destination\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>136:5</strong> (reputation) packets whitelisted based on destination\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>136:6</strong> (reputation) packets monitored based on destination\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>reputation.packets</strong>: total packets processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>reputation.blacklisted</strong>: number of packets blacklisted (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>reputation.whitelisted</strong>: number of packets whitelisted (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>reputation.monitored</strong>: number of packets monitored (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>reputation.memory_allocated</strong>: total memory allocated (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_rna">rna</h3>\r
-<div class="paragraph"><p>What: Real-time network awareness and OS fingerprinting (experimental)</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>rna.rna_conf_path</strong>: path to rna configuration\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>rna.fingerprint_dir</strong>: directory to fingerprint patterns\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>rna.enable_logger</strong> = true: enable or disable writing discovery events into logger\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>rna.log_when_idle</strong> = false: enable host update logging when snort is idle\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Commands:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>rna.reload_fingerprint</strong>(): reload rna database of fingerprint patterns/signatures\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>rna.icmp_bidirectional</strong>: count of bidirectional ICMP flows received (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>rna.icmp_new</strong>: count of new ICMP flows received (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>rna.ip_bidirectional</strong>: count of bidirectional IP received (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>rna.ip_new</strong>: count of new IP flows received (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>rna.udp_bidirectional</strong>: count of bidirectional UDP flows received (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>rna.udp_new</strong>: count of new UDP flows received (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>rna.tcp_syn</strong>: count of TCP SYN packets received (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>rna.tcp_syn_ack</strong>: count of TCP SYN-ACK packets received (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>rna.tcp_midstream</strong>: count of TCP midstream packets received (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>rna.other_packets</strong>: count of packets received without session tracking (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>rna.change_host_update</strong>: count number of change host update events (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_rpc_decode">rpc_decode</h3>\r
-<div class="paragraph"><p>What: RPC inspector</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>106:1</strong> (rpc_decode) fragmented RPC records\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>106:2</strong> (rpc_decode) multiple RPC records\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>106:3</strong> (rpc_decode) large RPC record fragment\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>106:4</strong> (rpc_decode) incomplete RPC segment\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>106:5</strong> (rpc_decode) zero-length RPC fragment\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>rpc_decode.total_packets</strong>: total packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>rpc_decode.concurrent_sessions</strong>: total concurrent rpc sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>rpc_decode.max_concurrent_sessions</strong>: maximum concurrent rpc sessions (max)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_s7commplus">s7commplus</h3>\r
-<div class="paragraph"><p>What: s7commplus inspection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>149:1</strong> (s7commplus) length in S7commplus MBAP header does not match the length needed for the given S7commplus function\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>149:2</strong> (s7commplus) S7commplus protocol ID is non-zero\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>149:3</strong> (s7commplus) reserved S7commplus function code in use\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>s7commplus.sessions</strong>: total sessions processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>s7commplus.frames</strong>: total S7commplus messages (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>s7commplus.concurrent_sessions</strong>: total concurrent s7commplus sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>s7commplus.max_concurrent_sessions</strong>: maximum concurrent s7commplus sessions (max)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_sip">sip</h3>\r
-<div class="paragraph"><p>What: sip inspection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-bool <strong>sip.ignore_call_channel</strong> = false: enables the support for ignoring audio/video data channel\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>sip.max_call_id_len</strong> = 256: maximum call id field size { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>sip.max_contact_len</strong> = 256: maximum contact field size { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>sip.max_content_len</strong> = 1024: maximum content length of the message body { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>sip.max_dialogs</strong> = 4: maximum number of dialogs within one stream session { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>sip.max_from_len</strong> = 256: maximum from field size { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>sip.max_requestName_len</strong> = 20: maximum request name field size { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>sip.max_to_len</strong> = 256: maximum to field size { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>sip.max_uri_len</strong> = 256: maximum request uri field size { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>sip.max_via_len</strong> = 1024: maximum via field size { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>sip.methods</strong> = invite cancel ack bye register options: list of methods to check in SIP messages\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>140:2</strong> (sip) empty request URI\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:3</strong> (sip) URI is too long\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:4</strong> (sip) empty call-Id\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:5</strong> (sip) Call-Id is too long\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:6</strong> (sip) CSeq number is too large or negative\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:7</strong> (sip) request name in CSeq is too long\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:8</strong> (sip) empty From header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:9</strong> (sip) From header is too long\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:10</strong> (sip) empty To header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:11</strong> (sip) To header is too long\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:12</strong> (sip) empty Via header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:13</strong> (sip) Via header is too long\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:14</strong> (sip) empty Contact\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:15</strong> (sip) contact is too long\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:16</strong> (sip) content length is too large or negative\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:17</strong> (sip) multiple SIP messages in a packet\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:18</strong> (sip) content length mismatch\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:19</strong> (sip) request name is invalid\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:20</strong> (sip) Invite replay attack\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:21</strong> (sip) illegal session information modification\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:22</strong> (sip) response status code is not a 3 digit number\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:23</strong> (sip) empty Content-type header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:24</strong> (sip) SIP version is invalid\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:25</strong> (sip) mismatch in METHOD of request and the CSEQ header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:26</strong> (sip) method is unknown\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:27</strong> (sip) maximum dialogs within a session reached\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>sip.packets</strong>: total packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.sessions</strong>: total sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.concurrent_sessions</strong>: total concurrent SIP sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.max_concurrent_sessions</strong>: maximum concurrent SIP sessions (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.events</strong>: events generated (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.dialogs</strong>: total dialogs (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.ignored_channels</strong>: total channels ignored (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.ignored_sessions</strong>: total sessions ignored (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.total_requests</strong>: total requests (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.invite</strong>: invite (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.cancel</strong>: cancel (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.ack</strong>: ack (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.bye</strong>: bye (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.register</strong>: register (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.options</strong>: options (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.refer</strong>: refer (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.subscribe</strong>: subscribe (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.update</strong>: update (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.join</strong>: join (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.info</strong>: info (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.message</strong>: message (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.notify</strong>: notify (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.prack</strong>: prack (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.total_responses</strong>: total responses (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.code_1xx</strong>: 1xx (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.code_2xx</strong>: 2xx (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.code_3xx</strong>: 3xx (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.code_4xx</strong>: 4xx (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.code_5xx</strong>: 5xx (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.code_6xx</strong>: 6xx (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.code_7xx</strong>: 7xx (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.code_8xx</strong>: 8xx (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.code_9xx</strong>: 9xx (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_smtp_2">smtp</h3>\r
-<div class="paragraph"><p>What: smtp inspection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong><code>smtp.alt_max_command_line_len[].command</code></strong>: command string\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>smtp.alt_max_command_line_len[].length</code></strong> = 0: specify non-default maximum for command { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>smtp.auth_cmds</strong>: commands that initiate an authentication exchange\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>smtp.b64_decode_depth</strong> = -1: depth used to decode the base64 encoded MIME attachments (-1 no limit) { -1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>smtp.binary_data_cmds</strong>: commands that initiate sending of data and use a length value after the command\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>smtp.bitenc_decode_depth</strong> = -1: depth used to extract the non-encoded MIME attachments (-1 no limit) { -1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>smtp.data_cmds</strong>: commands that initiate sending of data with an end of data delimiter\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>smtp.decompress_pdf</strong> = false: decompress pdf files in MIME attachments\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>smtp.decompress_swf</strong> = false: decompress swf files in MIME attachments\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>smtp.decompress_zip</strong> = false: decompress zip files in MIME attachments\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>smtp.email_hdrs_log_depth</strong> = 1464: depth for logging email headers { 0:20480 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>smtp.ignore_data</strong> = false: ignore data section of mail\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>smtp.ignore_tls_data</strong> = false: ignore TLS-encrypted data when processing rules\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>smtp.invalid_cmds</strong>: alert if this command is sent from client side\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>smtp.log_email_hdrs</strong> = false: log the SMTP email headers extracted from SMTP data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>smtp.log_filename</strong> = false: log the MIME attachment filenames extracted from the Content-Disposition header within the MIME body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>smtp.log_mailfrom</strong> = false: log the sender’s email address extracted from the MAIL FROM command\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>smtp.log_rcptto</strong> = false: log the recipient’s email address extracted from the RCPT TO command\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>smtp.max_auth_command_line_len</strong> = 1000: max auth command Line Length { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>smtp.max_command_line_len</strong> = 512: max Command Line Length { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>smtp.max_header_line_len</strong> = 1000: max SMTP DATA header line { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>smtp.max_response_line_len</strong> = 512: max SMTP response line { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>smtp.normalize</strong> = none: turns on/off normalization { none | cmds | all }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>smtp.normalize_cmds</strong>: list of commands to normalize\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>smtp.qp_decode_depth</strong> = -1: quoted-Printable decoding depth (-1 no limit) { -1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>smtp.uu_decode_depth</strong> = -1: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>smtp.valid_cmds</strong>: list of valid commands\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>smtp.xlink2state</strong> = alert: enable/disable xlink2state alert { disable | alert | drop }\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>124:1</strong> (smtp) attempted command buffer overflow\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>124:2</strong> (smtp) attempted data header buffer overflow\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>124:3</strong> (smtp) attempted response buffer overflow\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>124:4</strong> (smtp) attempted specific command buffer overflow\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>124:5</strong> (smtp) unknown command\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>124:6</strong> (smtp) illegal command\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>124:7</strong> (smtp) attempted header name buffer overflow\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>124:8</strong> (smtp) attempted X-Link2State command buffer overflow\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>124:10</strong> (smtp) base64 decoding failed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>124:11</strong> (smtp) quoted-printable decoding failed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>124:13</strong> (smtp) Unix-to-Unix decoding failed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>124:14</strong> (smtp) Cyrus SASL authentication attack\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>124:15</strong> (smtp) attempted authentication command buffer overflow\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>124:16</strong> (smtp) file decompression failed\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>smtp.packets</strong>: total packets processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>smtp.total_bytes</strong>: total number of bytes processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>smtp.sessions</strong>: total smtp sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>smtp.concurrent_sessions</strong>: total concurrent smtp sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>smtp.max_concurrent_sessions</strong>: maximum concurrent smtp sessions (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>smtp.b64_attachments</strong>: total base64 attachments decoded (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>smtp.b64_decoded_bytes</strong>: total base64 decoded bytes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>smtp.qp_attachments</strong>: total quoted-printable attachments decoded (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>smtp.qp_decoded_bytes</strong>: total quoted-printable decoded bytes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>smtp.uu_attachments</strong>: total uu attachments decoded (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>smtp.uu_decoded_bytes</strong>: total uu decoded bytes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>smtp.non_encoded_attachments</strong>: total non-encoded attachments extracted (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>smtp.non_encoded_bytes</strong>: total non-encoded extracted bytes (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_so_proxy">so_proxy</h3>\r
-<div class="paragraph"><p>What: a proxy inspector to track flow data from SO rules (internal use only)</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_ssh">ssh</h3>\r
-<div class="paragraph"><p>What: ssh inspection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>ssh.max_encrypted_packets</strong> = 25: ignore session after this many encrypted packets { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>ssh.max_client_bytes</strong> = 19600: number of unanswered bytes before alerting on challenge-response overflow or CRC32 { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>ssh.max_server_version_len</strong> = 80: limit before alerting on secure CRT server version string overflow { 0:255 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>128:1</strong> (ssh) challenge-response overflow exploit\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>128:2</strong> (ssh) SSH1 CRC32 exploit\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>128:3</strong> (ssh) server version string overflow\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>128:5</strong> (ssh) bad message direction\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>128:6</strong> (ssh) payload size incorrect for the given payload\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>128:7</strong> (ssh) failed to detect SSH version string\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>ssh.packets</strong>: total packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssh.total_bytes</strong>: total number of bytes processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssh.concurrent_sessions</strong>: total concurrent ssh sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssh.max_concurrent_sessions</strong>: maximum concurrent ssh sessions (max)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_ssl">ssl</h3>\r
-<div class="paragraph"><p>What: ssl inspection</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-bool <strong>ssl.trust_servers</strong> = false: disables requirement that application (encrypted) data must be observed on both sides\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>ssl.max_heartbeat_length</strong> = 0: maximum length of heartbeat record allowed { 0:65535 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>137:1</strong> (ssl) invalid client HELLO after server HELLO detected\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>137:2</strong> (ssl) invalid server HELLO without client HELLO detected\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>137:3</strong> (ssl) heartbeat read overrun attempt detected\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>137:4</strong> (ssl) large heartbeat response detected\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>ssl.packets</strong>: total packets processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.decoded</strong>: ssl packets decoded (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.client_hello</strong>: total client hellos (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.server_hello</strong>: total server hellos (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.certificate</strong>: total ssl certificates (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.server_done</strong>: total server done (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.client_key_exchange</strong>: total client key exchanges (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.server_key_exchange</strong>: total server key exchanges (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.change_cipher</strong>: total change cipher records (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.finished</strong>: total handshakes finished (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.client_application</strong>: total client application records (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.server_application</strong>: total server application records (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.alert</strong>: total ssl alert records (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.unrecognized_records</strong>: total unrecognized records (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.handshakes_completed</strong>: total completed ssl handshakes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.bad_handshakes</strong>: total bad handshakes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.sessions_ignored</strong>: total sessions ignore (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.detection_disabled</strong>: total detection disabled (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.concurrent_sessions</strong>: total concurrent ssl sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.max_concurrent_sessions</strong>: maximum concurrent ssl sessions (max)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_stream">stream</h3>\r
-<div class="paragraph"><p>What: common flow tracking</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-bool <strong>stream.ip_frags_only</strong> = false: don’t process non-frag flows\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.max_flows</strong> = 476288: maximum simultaneous flows tracked before pruning { 2:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.held_packet_timeout</strong> = 1000: timeout in milliseconds for held packets { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.ip_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.ip_cache.cap_weight</strong> = 0: additional bytes to track per flow for better estimation against cap { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.icmp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.icmp_cache.cap_weight</strong> = 0: additional bytes to track per flow for better estimation against cap { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.tcp_cache.idle_timeout</strong> = 3600: maximum inactive time before retiring session tracker { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.tcp_cache.cap_weight</strong> = 11000: additional bytes to track per flow for better estimation against cap { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.udp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.udp_cache.cap_weight</strong> = 0: additional bytes to track per flow for better estimation against cap { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.user_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.user_cache.cap_weight</strong> = 0: additional bytes to track per flow for better estimation against cap { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.file_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.file_cache.cap_weight</strong> = 32: additional bytes to track per flow for better estimation against cap { 0:65535 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>135:1</strong> (stream) TCP SYN received\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>135:2</strong> (stream) TCP session established\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>135:3</strong> (stream) TCP session cleared\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>stream.flows</strong>: total sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.total_prunes</strong>: total sessions pruned (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.idle_prunes</strong>: sessions pruned due to timeout (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.excess_prunes</strong>: sessions pruned due to excess (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.uni_prunes</strong>: uni sessions pruned (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.preemptive_prunes</strong>: sessions pruned during preemptive pruning (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.memcap_prunes</strong>: sessions pruned due to memcap (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.ha_prunes</strong>: sessions pruned by high availability sync (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.stale_prunes</strong>: sessions pruned due to stale connection (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.expected_flows</strong>: total expected flows created within snort (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.expected_realized</strong>: number of expected flows realized (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.expected_pruned</strong>: number of expected flows pruned (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.expected_overflows</strong>: number of expected cache overflows (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.reload_tuning_idle</strong>: number of times stream resource tuner called while idle (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.reload_tuning_packets</strong>: number of times stream resource tuner called while processing packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.reload_total_adds</strong>: number of flows added by config reloads (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.reload_total_deletes</strong>: number of flows deleted by config reloads (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.reload_freelist_deletes</strong>: number of flows deleted from the free list by config reloads (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.reload_allowed_deletes</strong>: number of allowed flows deleted by config reloads (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.reload_blocked_deletes</strong>: number of blocked flows deleted by config reloads (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.reload_offloaded_deletes</strong>: number of offloaded flows deleted by config reloads (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_stream_file">stream_file</h3>\r
-<div class="paragraph"><p>What: stream inspector for file flow tracking and processing</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-bool <strong>stream_file.upload</strong> = false: indicate file transfer direction\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_stream_icmp">stream_icmp</h3>\r
-<div class="paragraph"><p>What: stream inspector for ICMP flow tracking</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>stream_icmp.session_timeout</strong> = 30: session tracking timeout { 1:max31 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>stream_icmp.sessions</strong>: total icmp sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_icmp.max</strong>: max icmp sessions (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_icmp.created</strong>: icmp session trackers created (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_icmp.released</strong>: icmp session trackers released (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_icmp.timeouts</strong>: icmp session timeouts (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_icmp.prunes</strong>: icmp session prunes (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_stream_ip">stream_ip</h3>\r
-<div class="paragraph"><p>What: stream inspector for IP flow tracking and defragmentation</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>stream_ip.max_frags</strong> = 8192: maximum number of simultaneous fragments being tracked { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream_ip.max_overlaps</strong> = 0: maximum allowed overlaps per datagram; 0 is unlimited { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream_ip.min_frag_length</strong> = 0: alert if fragment length is below this limit before or after trimming { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream_ip.min_ttl</strong> = 1: discard fragments with TTL below the minimum { 1:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>stream_ip.policy</strong> = linux: fragment reassembly policy { first | linux | bsd | bsd_right | last | windows | solaris }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream_ip.session_timeout</strong> = 30: session tracking timeout { 1:max31 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>123:1</strong> (stream_ip) inconsistent IP options on fragmented packets\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>123:2</strong> (stream_ip) teardrop attack\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>123:3</strong> (stream_ip) short fragment, possible DOS attempt\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>123:4</strong> (stream_ip) fragment packet ends after defragmented packet\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>123:5</strong> (stream_ip) zero-byte fragment packet\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>123:6</strong> (stream_ip) bad fragment size, packet size is negative\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>123:7</strong> (stream_ip) bad fragment size, packet size is greater than 65536\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>123:8</strong> (stream_ip) fragmentation overlap\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>123:11</strong> (stream_ip) TTL value less than configured minimum, not using for reassembly\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>123:12</strong> (stream_ip) excessive fragment overlap\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>123:13</strong> (stream_ip) tiny fragment\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>stream_ip.sessions</strong>: total ip sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.max</strong>: max ip sessions (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.created</strong>: ip session trackers created (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.released</strong>: ip session trackers released (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.timeouts</strong>: ip session timeouts (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.prunes</strong>: ip session prunes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.total_bytes</strong>: total number of bytes processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.total_frags</strong>: total fragments (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.current_frags</strong>: current fragments (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.max_frags</strong>: max fragments (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.reassembled</strong>: reassembled datagrams (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.discards</strong>: fragments discarded (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.frag_timeouts</strong>: datagrams abandoned (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.overlaps</strong>: overlapping fragments (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.anomalies</strong>: anomalies detected (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.alerts</strong>: alerts generated (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.drops</strong>: fragments dropped (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.trackers_added</strong>: datagram trackers created (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.trackers_freed</strong>: datagram trackers released (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.trackers_cleared</strong>: datagram trackers cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.trackers_completed</strong>: datagram trackers completed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.nodes_inserted</strong>: fragments added to tracker (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.nodes_deleted</strong>: fragments deleted from tracker (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.reassembled_bytes</strong>: total reassembled bytes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.fragmented_bytes</strong>: total fragmented bytes (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_stream_tcp">stream_tcp</h3>\r
-<div class="paragraph"><p>What: stream inspector for TCP flow tracking and stream normalization and reassembly</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>stream_tcp.flush_factor</strong> = 0: flush upon seeing a drop in segment size after given number of non-decreasing segments { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream_tcp.max_window</strong> = 0: maximum allowed TCP window { 0:1073725440 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream_tcp.overlap_limit</strong> = 0: maximum number of allowed overlapping segments per session { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream_tcp.max_pdu</strong> = 16384: maximum reassembled PDU size { 1460:32768 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>stream_tcp.no_ack</strong> = false: received data is implicitly acked immediately\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>stream_tcp.policy</strong> = bsd: determines operating system characteristics like reassembly { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>stream_tcp.reassemble_async</strong> = true: queue data for reassembly before traffic is seen in both directions\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream_tcp.require_3whs</strong> = -1: don’t track midstream sessions after given seconds from start up; -1 tracks all { -1:max31 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>stream_tcp.show_rebuilt_packets</strong> = false: enable cmg like output of reassembled packets\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream_tcp.queue_limit.max_bytes</strong> = 1048576: don’t queue more than given bytes per session and direction { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream_tcp.queue_limit.max_segments</strong> = 2621: don’t queue more than given segments per session and direction { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream_tcp.small_segments.count</strong> = 0: number of consecutive TCP small segments considered to be excessive (129:12) { 0:2048 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream_tcp.small_segments.maximum_size</strong> = 0: minimum bytes for a TCP segment not to be considered small (129:12) { 0:2048 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream_tcp.session_timeout</strong> = 30: session tracking timeout { 1:max31 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>stream_tcp.track_only</strong> = false: disable reassembly if true\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>129:1</strong> (stream_tcp) SYN on established session\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:2</strong> (stream_tcp) data on SYN packet\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:3</strong> (stream_tcp) data sent on stream not accepting data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:4</strong> (stream_tcp) TCP timestamp is outside of PAWS window\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:5</strong> (stream_tcp) bad segment, adjusted size ⇐ 0 (deprecated)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:6</strong> (stream_tcp) window size (after scaling) larger than policy allows\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:7</strong> (stream_tcp) limit on number of overlapping TCP packets reached\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:8</strong> (stream_tcp) data sent on stream after TCP reset sent\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:9</strong> (stream_tcp) TCP client possibly hijacked, different ethernet address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:10</strong> (stream_tcp) TCP server possibly hijacked, different ethernet address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:11</strong> (stream_tcp) TCP data with no TCP flags set\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:12</strong> (stream_tcp) consecutive TCP small segments exceeding threshold\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:13</strong> (stream_tcp) 4-way handshake detected\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:14</strong> (stream_tcp) TCP timestamp is missing\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:15</strong> (stream_tcp) reset outside window\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:16</strong> (stream_tcp) FIN number is greater than prior FIN\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:17</strong> (stream_tcp) ACK number is greater than prior FIN\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:18</strong> (stream_tcp) data sent on stream after TCP reset received\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:19</strong> (stream_tcp) TCP window closed before receiving data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:20</strong> (stream_tcp) TCP session without 3-way handshake\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.sessions</strong>: total tcp sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.max</strong>: max tcp sessions (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.created</strong>: tcp session trackers created (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.released</strong>: tcp session trackers released (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.timeouts</strong>: tcp session timeouts (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.prunes</strong>: tcp session prunes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.instantiated</strong>: new sessions instantiated (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.setups</strong>: session initializations (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.restarts</strong>: sessions restarted (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.resyns</strong>: SYN received on established session (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.discards</strong>: tcp packets discarded (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.events</strong>: events generated (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.ignored</strong>: tcp packets ignored (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.untracked</strong>: tcp packets not tracked (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.syn_trackers</strong>: tcp session tracking started on syn (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.syn_ack_trackers</strong>: tcp session tracking started on syn-ack (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.three_way_trackers</strong>: tcp session tracking started on ack (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.data_trackers</strong>: tcp session tracking started on data (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.segs_queued</strong>: total segments queued (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.segs_released</strong>: total segments released (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.segs_split</strong>: tcp segments split when reassembling PDUs (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.segs_used</strong>: queued tcp segments applied to reassembled PDUs (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.rebuilt_packets</strong>: total reassembled PDUs (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.rebuilt_buffers</strong>: rebuilt PDU sections (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.rebuilt_bytes</strong>: total rebuilt bytes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.overlaps</strong>: overlapping segments queued (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.gaps</strong>: missing data between PDUs (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.exceeded_max_segs</strong>: number of times the maximum queued segment limit was reached (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.exceeded_max_bytes</strong>: number of times the maximum queued byte limit was reached (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.internal_events</strong>: 135:X events generated (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.client_cleanups</strong>: number of times data from server was flushed when session released (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.server_cleanups</strong>: number of times data from client was flushed when session released (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.memory</strong>: current memory in use (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.initializing</strong>: number of sessions currently initializing (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.established</strong>: number of sessions currently established (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.closing</strong>: number of sessions currently closing (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.syns</strong>: number of syn packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.syn_acks</strong>: number of syn-ack packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.resets</strong>: number of reset packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.fins</strong>: number of fin packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.meta_acks</strong>: number of meta acks processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.packets_held</strong>: number of packets held (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.held_packet_rexmits</strong>: number of retransmits of held packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.held_packets_dropped</strong>: number of held packets dropped (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.held_packets_passed</strong>: number of held packets passed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.held_packet_timeouts</strong>: number of held packets that timed out (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.held_packet_purges</strong>: number of held packets that were purged without flushing (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.cur_packets_held</strong>: number of packets currently held (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.max_packets_held</strong>: maximum number of packets held simultaneously (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.partial_flushes</strong>: number of partial flushes initiated (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.partial_flush_bytes</strong>: partial flush total bytes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.inspector_fallbacks</strong>: count of fallbacks from assigned service inspector (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.partial_fallbacks</strong>: count of fallbacks from assigned service stream splitter (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_stream_udp">stream_udp</h3>\r
-<div class="paragraph"><p>What: stream inspector for UDP flow tracking</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>stream_udp.session_timeout</strong> = 30: session tracking timeout { 1:max31 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>stream_udp.sessions</strong>: total udp sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_udp.max</strong>: max udp sessions (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_udp.created</strong>: udp session trackers created (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_udp.released</strong>: udp session trackers released (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_udp.timeouts</strong>: udp session timeouts (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_udp.prunes</strong>: udp session prunes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_udp.total_bytes</strong>: total number of bytes processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_udp.ignored</strong>: udp packets ignored (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_stream_user">stream_user</h3>\r
-<div class="paragraph"><p>What: stream inspector for user flow tracking and reassembly</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>stream_user.session_timeout</strong> = 30: session tracking timeout { 1:max31 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_telnet_2">telnet</h3>\r
-<div class="paragraph"><p>What: telnet inspection and normalization</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>telnet.ayt_attack_thresh</strong> = -1: alert on this number of consecutive Telnet AYT commands { -1:max31 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>telnet.check_encrypted</strong> = false: check for end of encryption\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>telnet.encrypted_traffic</strong> = false: check for encrypted Telnet\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>telnet.normalize</strong> = false: eliminate escape sequences\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>126:1</strong> (telnet) consecutive Telnet AYT commands beyond threshold\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>126:2</strong> (telnet) Telnet traffic encrypted\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>126:3</strong> (telnet) Telnet subnegotiation begin command without subnegotiation end\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>telnet.total_packets</strong>: total packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>telnet.concurrent_sessions</strong>: total concurrent Telnet sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>telnet.max_concurrent_sessions</strong>: maximum concurrent Telnet sessions (max)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_wizard_2">wizard</h3>\r
-<div class="paragraph"><p>What: inspector that implements port-independent protocol identification</p></div>\r
-<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong><code>wizard.hexes[].service</code></strong>: name of service\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-select <strong><code>wizard.hexes[].proto</code></strong> = tcp: protocol to scan { tcp | udp }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong><code>wizard.hexes[].client_first</code></strong> = true: which end initiates data transfer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>wizard.hexes[].to_server[].hex</code></strong>: sequence of data with wild chars (?)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>wizard.hexes[].to_client[].hex</code></strong>: sequence of data with wild chars (?)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>wizard.spells[].service</code></strong>: name of service\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-select <strong><code>wizard.spells[].proto</code></strong> = tcp: protocol to scan { tcp | udp }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong><code>wizard.spells[].client_first</code></strong> = true: which end initiates data transfer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>wizard.spells[].to_server[].spell</code></strong>: sequence of data with wild cards (*)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>wizard.spells[].to_client[].spell</code></strong>: sequence of data with wild cards (*)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-multi <strong>wizard.curses</strong>: enable service identification based on internal algorithm { dce_smb | dce_udp | dce_tcp }\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>wizard.tcp_scans</strong>: tcp payload scans (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>wizard.tcp_hits</strong>: tcp identifications (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>wizard.udp_scans</strong>: udp payload scans (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>wizard.udp_hits</strong>: udp identifications (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>wizard.user_scans</strong>: user payload scans (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>wizard.user_hits</strong>: user identifications (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-</div>\r
-</div>\r
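Review bot: two rendering defects in the removed stream_tcp and stream_ip text should be checked against the replacement rather than carried over. Rule 129:5 reads "bad segment, adjusted size ⇐ 0 (deprecated)": the double arrow is the AsciiDoc replacement for a literal "<=" in the source, so the generator should escape it (backslash-prefixed or as `&lt;=`) so the rule text reads "adjusted size <= 0". Separately, the peg count "stream_ip.max_frags: max fragments (sum)" is typed (sum) while every other maximum in these sections, e.g. "stream_ip.max: max ip sessions (max)" and "stream_tcp.max_packets_held: ... (max)", is typed (max); confirm which aggregation the replacement reports, since the type is what a reader uses to interpret the counter.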
-<div class="sect1">\r
-<h2 id="_ips_action_modules">IPS Action Modules</h2>\r
-<div class="sectionbody">\r
-<div class="paragraph"><p>IPS actions allow you to perform custom actions when events are generated.\r
-Unlike loggers, these are invoked before thresholding and can be used to\r
-control external agents.</p></div>\r
-<div class="paragraph"><p>Externally defined actions must be configured to become available to the\r
-parser. For the reject rule, you can set reject = { } to get the rule to\r
-parse.</p></div>\r
-<div class="sect2">\r
-<h3 id="_react_2">react</h3>\r
-<div class="paragraph"><p>What: send response to client and terminate session</p></div>\r
-<div class="paragraph"><p>Type: ips_action</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>react.page</strong>: file containing HTTP response (headers and body)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_reject_2">reject</h3>\r
-<div class="paragraph"><p>What: terminate session with TCP reset or ICMP unreachable</p></div>\r
-<div class="paragraph"><p>Type: ips_action</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-enum <strong>reject.reset</strong> = both: send TCP reset to one or both ends { none|source|dest|both }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>reject.control</strong> = none: send ICMP unreachable(s) { none|network|host|port|forward|all }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_rewrite_2">rewrite</h3>\r
-<div class="paragraph"><p>What: overwrite packet contents</p></div>\r
-<div class="paragraph"><p>Type: ips_action</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-bool <strong>rewrite.disable_replace</strong> = false: disable replace of packet contents with rewrite rules\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-</div>\r
-</div>\r
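Review bot: the enum value lists for reject are formatted inconsistently with the rest of the reference. "reject.reset = both: ... { none|source|dest|both }" and "reject.control = none: ... { none|network|host|port|forward|all }" omit the spaces around "|" that every other enum on the page uses (e.g. stream_ip.policy's "{ first | linux | bsd | ... }"); if the replacement manual is regenerated from the module help strings, these two strings are the place to fix it.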
-<div class="sect1">\r
-<h2 id="_ips_option_modules">IPS Option Modules</h2>\r
-<div class="sectionbody">\r
-<div class="paragraph"><p>IPS options are the building blocks of IPS rules.</p></div>\r
-<div class="sect2">\r
-<h3 id="_ack">ack</h3>\r
-<div class="paragraph"><p>What: rule option to match on TCP ack numbers</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-interval <strong>ack.~range</strong>: check if TCP ack value is <em>value | min<>max | <max | >min</em> { 0: }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
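Review bot: the ack option's range description contains unescaped angle brackets in the HTML: "<em>value | min<>max | <max | >min</em>". A raw "<" followed by text is not well-formed HTML and can be swallowed as a tag start by a strict parser, so the generated output should emit these as "&lt;&gt;", "&lt;" and "&gt;"; the same pattern will apply to any other interval option whose help text spells out the "min<>max | <max | >min" syntax.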
-<div class="sect2">\r
-<h3 id="_appids">appids</h3>\r
-<div class="paragraph"><p>What: detection option for application ids</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>appids.~</strong>: comma separated list of application names\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_asn1">asn1</h3>\r
-<div class="paragraph"><p>What: rule option for asn1 detection</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-implied <strong>asn1.bitstring_overflow</strong>: detects invalid bitstring encodings that are known to be remotely exploitable\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>asn1.double_overflow</strong>: detects a double ASCII encoding that is larger than a standard buffer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>asn1.print</strong>: dump decode data to console; always true\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>asn1.oversize_length</strong>: compares ASN.1 type lengths with the supplied argument { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>asn1.absolute_offset</strong>: absolute offset from the beginning of the packet { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>asn1.relative_offset</strong>: relative offset from the cursor { -65535:65535 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_base64_decode">base64_decode</h3>\r
-<div class="paragraph"><p>What: rule option to decode base64 data - must be used with base64_data option</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>base64_decode.bytes</strong>: number of base64 encoded bytes to decode { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>base64_decode.offset</strong> = 0: bytes past start of buffer to start decoding { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>base64_decode.relative</strong>: apply offset to cursor instead of start of buffer\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_ber_data">ber_data</h3>\r
-<div class="paragraph"><p>What: rule option to move to the data for a specified BER element</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>ber_data.~type</strong>: move to the data for the specified BER element type { 0:255 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_ber_skip">ber_skip</h3>\r
-<div class="paragraph"><p>What: rule option to skip BER element</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>ber_skip.~type</strong>: BER element type to skip { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ber_skip.optional</strong>: match even if the specified BER type is not found\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_bufferlen">bufferlen</h3>\r
-<div class="paragraph"><p>What: rule option to check length of current buffer</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-interval <strong>bufferlen.~range</strong>: check that total length of current buffer is in given range { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>bufferlen.relative</strong>: use remaining length (from current position) instead of total length\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_byte_extract_2">byte_extract</h3>\r
-<div class="paragraph"><p>What: rule option to convert data to an integer variable</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>byte_extract.~count</strong>: number of bytes to pick up from the buffer { 1:10 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>byte_extract.~offset</strong>: number of bytes into the buffer to start processing { -65535:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>byte_extract.~name</strong>: name of the variable that will be used in other rule options\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_extract.relative</strong>: offset from cursor instead of start of buffer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>byte_extract.multiplier</strong> = 1: scale extracted value by given amount { 1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>byte_extract.align</strong> = 0: round the number of converted bytes up to the next 2- or 4-byte boundary { 0:4 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_extract.big</strong>: big endian\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_extract.little</strong>: little endian\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_extract.dce</strong>: dcerpc2 determines endianness\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_extract.string</strong>: convert from string\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_extract.hex</strong>: convert from hex string\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_extract.oct</strong>: convert from octal string\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_extract.dec</strong>: convert from decimal string\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>byte_extract.bitmask</strong>: applies as an AND to the extracted value before storage in <em>name</em> { 0x1:0xFFFFFFFF }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_byte_jump_2">byte_jump</h3>\r
-<div class="paragraph"><p>What: rule option to move the detection cursor</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>byte_jump.~count</strong>: number of bytes to pick up from the buffer { 0:10 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>byte_jump.~offset</strong>: variable name or number of bytes into the buffer to start processing\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_jump.relative</strong>: offset from cursor instead of start of buffer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_jump.from_beginning</strong>: jump from start of buffer instead of cursor\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_jump.from_end</strong>: jump backward from end of buffer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>byte_jump.multiplier</strong> = 1: scale extracted value by given amount { 1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>byte_jump.align</strong> = 0: round the number of converted bytes up to the next 2- or 4-byte boundary { 0:4 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>byte_jump.post_offset</strong>: skip forward or backward (positive or negative value) by variable name or number of bytes after the other jump options have been applied\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_jump.big</strong>: big endian\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_jump.little</strong>: little endian\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_jump.dce</strong>: dcerpc2 determines endianness\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_jump.string</strong>: convert from string\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_jump.hex</strong>: convert from hex string\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_jump.oct</strong>: convert from octal string\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_jump.dec</strong>: convert from decimal string\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>byte_jump.bitmask</strong>: applies as an AND prior to evaluation { 0x1:0xFFFFFFFF }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_byte_math_2">byte_math</h3>\r
-<div class="paragraph"><p>What: rule option to perform mathematical operations on extracted value and a specified value or existing variable</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>byte_math.bytes</strong>: number of bytes to pick up from the buffer { 1:10 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>byte_math.offset</strong>: number of bytes into the buffer to start processing\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>byte_math.oper</strong>: mathematical operation to perform { +|-|*|/|<<|>> }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>byte_math.rvalue</strong>: value to use mathematical operation against\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>byte_math.result</strong>: name of the variable to store the result\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_math.relative</strong>: offset from cursor instead of start of buffer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>byte_math.endian</strong>: specify big/little endian { big|little }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_math.dce</strong>: dcerpc2 determines endianness\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>byte_math.string</strong>: convert extracted string to dec/hex/oct { hex|dec|oct }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>byte_math.bitmask</strong>: applies as bitwise AND to the extracted value before storage in <em>name</em> { 0x1:0xFFFFFFFF }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_byte_test_2">byte_test</h3>\r
-<div class="paragraph"><p>What: rule option to convert data to integer and compare</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>byte_test.~count</strong>: number of bytes to pick up from the buffer { 1:10 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>byte_test.~operator</strong>: operation to perform to test the value\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>byte_test.~compare</strong>: variable name or value to test the converted result against\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>byte_test.~offset</strong>: variable name or number of bytes into the payload to start processing\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_test.relative</strong>: offset from cursor instead of start of buffer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_test.big</strong>: big endian\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_test.little</strong>: little endian\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_test.dce</strong>: dcerpc2 determines endianness\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_test.string</strong>: convert from string\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_test.hex</strong>: convert from hex string\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_test.oct</strong>: convert from octal string\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_test.dec</strong>: convert from decimal string\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>byte_test.bitmask</strong>: applies as an AND prior to evaluation { 0x1:0xFFFFFFFF }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_cip_attribute">cip_attribute</h3>\r
-<div class="paragraph"><p>What: detection option to match CIP attribute</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-interval <strong>cip_attribute.~range</strong>: match CIP attribute { 0:65535 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_cip_class">cip_class</h3>\r
-<div class="paragraph"><p>What: detection option to match CIP class</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-interval <strong>cip_class.~range</strong>: match CIP class { 0:65535 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_cip_conn_path_class">cip_conn_path_class</h3>\r
-<div class="paragraph"><p>What: detection option to match CIP Connection Path Class</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-interval <strong>cip_conn_path_class.~range</strong>: match CIP Connection Path Class { 0:65535 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_cip_instance">cip_instance</h3>\r
-<div class="paragraph"><p>What: detection option to match CIP instance</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-interval <strong>cip_instance.~range</strong>: match CIP instance { 0:4294967295 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_cip_req">cip_req</h3>\r
-<div class="paragraph"><p>What: detection option to match CIP request</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_cip_rsp">cip_rsp</h3>\r
-<div class="paragraph"><p>What: detection option to match CIP response</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_cip_service">cip_service</h3>\r
-<div class="paragraph"><p>What: detection option to match CIP service</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-interval <strong>cip_service.~range</strong>: match CIP service { 0:127 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_cip_status">cip_status</h3>\r
-<div class="paragraph"><p>What: detection option to match CIP response status</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-interval <strong>cip_status.~range</strong>: match CIP response status { 0:255 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_classtype">classtype</h3>\r
-<div class="paragraph"><p>What: general rule option for rule classification</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>classtype.~</strong>: classification for this rule\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_content">content</h3>\r
-<div class="paragraph"><p>What: payload rule option for basic pattern matching</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>content.~data</strong>: data to match\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>content.nocase</strong>: case insensitive match\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>content.fast_pattern</strong>: use this content in the fast pattern matcher instead of the content selected by default\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>content.fast_pattern_offset</strong> = 0: number of leading characters of this content the fast pattern matcher should exclude { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>content.fast_pattern_length</strong>: maximum number of characters from this content the fast pattern matcher should use { 1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>content.offset</strong>: var or number of bytes from start of buffer to start search\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>content.depth</strong>: var or maximum number of bytes to search from beginning of buffer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>content.distance</strong>: var or number of bytes from cursor to start search\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>content.within</strong>: var or maximum number of bytes to search from cursor\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_cvs">cvs</h3>\r
-<div class="paragraph"><p>What: payload rule option for detecting specific attacks</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-implied <strong>cvs.invalid-entry</strong>: looks for an invalid Entry string\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_dce_iface_2">dce_iface</h3>\r
-<div class="paragraph"><p>What: detection option to check dcerpc interface</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>dce_iface.uuid</strong>: match given dcerpc uuid\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-interval <strong>dce_iface.version</strong>: interface version { 0: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>dce_iface.any_frag</strong>: match on any fragment\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_dce_opnum_2">dce_opnum</h3>\r
-<div class="paragraph"><p>What: detection option to check dcerpc operation number</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>dce_opnum.~</strong>: match given dcerpc operation number, range or list\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_dce_stub_data_2">dce_stub_data</h3>\r
-<div class="paragraph"><p>What: sets the cursor to dcerpc stub data</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_detection_filter">detection_filter</h3>\r
-<div class="paragraph"><p>What: rule option to require multiple hits before a rule generates an event</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-enum <strong>detection_filter.track</strong>: track hits by source or destination IP address { by_src | by_dst }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>detection_filter.count</strong>: hits in interval before allowing the rule to fire { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>detection_filter.seconds</strong>: length of interval to count hits { 1:max32 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_dnp3_data">dnp3_data</h3>\r
-<div class="paragraph"><p>What: sets the cursor to dnp3 data</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_dnp3_func">dnp3_func</h3>\r
-<div class="paragraph"><p>What: detection option to check DNP3 function code</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>dnp3_func.~</strong>: match DNP3 function code or name\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_dnp3_ind">dnp3_ind</h3>\r
-<div class="paragraph"><p>What: detection option to check DNP3 indicator flags</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>dnp3_ind.~</strong>: match given DNP3 indicator flags\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_dnp3_obj">dnp3_obj</h3>\r
-<div class="paragraph"><p>What: detection option to check DNP3 object headers</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>dnp3_obj.group</strong> = 0: match given DNP3 object header group { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>dnp3_obj.var</strong> = 0: match given DNP3 object header var { 0:255 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_dsize">dsize</h3>\r
-<div class="paragraph"><p>What: rule option to test payload size</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-interval <strong>dsize.~range</strong>: check if packet payload size is in the given range { 0:65535 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_enable">enable</h3>\r
-<div class="paragraph"><p>What: stub rule option to enable or disable full rule</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-enum <strong>enable.~enable</strong> = yes: enable or disable rule in current ips policy or use default defined by ips policy { no | yes | inherit }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_enip_command">enip_command</h3>\r
-<div class="paragraph"><p>What: detection option to match CIP Enip Command</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-interval <strong>enip_command.~range</strong>: match CIP Enip Command { 0:65535 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_enip_req">enip_req</h3>\r
-<div class="paragraph"><p>What: detection option to match ENIP Request</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_enip_rsp">enip_rsp</h3>\r
-<div class="paragraph"><p>What: detection option to match ENIP response</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_file_data">file_data</h3>\r
-<div class="paragraph"><p>What: rule option to set detection cursor to file data</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_file_type">file_type</h3>\r
-<div class="paragraph"><p>What: rule option to check file type</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>file_type.~</strong>: list of file type IDs to match\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_flags">flags</h3>\r
-<div class="paragraph"><p>What: rule option to test TCP control flags</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>flags.~test_flags</strong>: these flags are tested\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>flags.~mask_flags</strong>: these flags are don’t cares\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_flow">flow</h3>\r
-<div class="paragraph"><p>What: rule option to check session properties</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-implied <strong>flow.to_client</strong>: match on server responses\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>flow.to_server</strong>: match on client requests\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>flow.from_client</strong>: same as to_server\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>flow.from_server</strong>: same as to_client\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>flow.established</strong>: match only during data transfer phase\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>flow.not_established</strong>: match only outside data transfer phase\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>flow.stateless</strong>: match regardless of stream state\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>flow.no_stream</strong>: match on raw packets only\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>flow.only_stream</strong>: match on reassembled packets only\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>flow.no_frag</strong>: match on raw packets only\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>flow.only_frag</strong>: match on defragmented packets only\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_flowbits">flowbits</h3>\r
-<div class="paragraph"><p>What: rule option to set and test arbitrary boolean flags</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-enum <strong>flowbits.~op</strong>: bit operation or noalert (no bits) { set | unset | isset | isnotset | noalert }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>flowbits.~bits</strong>: bit [|bit]* or bit [&bit]*\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_fragbits">fragbits</h3>\r
-<div class="paragraph"><p>What: rule option to test IP frag flags</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>fragbits.~flags</strong>: these flags are tested\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_fragoffset">fragoffset</h3>\r
-<div class="paragraph"><p>What: rule option to test IP frag offset</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-interval <strong>fragoffset.~range</strong>: check if ip fragment offset is in given range { 0:8192 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_gid">gid</h3>\r
-<div class="paragraph"><p>What: rule option specifying rule generator</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>gid.~</strong>: generator id { 1:max32 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_gtp_info">gtp_info</h3>\r
-<div class="paragraph"><p>What: rule option to check gtp info element</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>gtp_info.~</strong>: info element to match\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_gtp_type">gtp_type</h3>\r
-<div class="paragraph"><p>What: rule option to check gtp types</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>gtp_type.~</strong>: list of types to match\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_gtp_version">gtp_version</h3>\r
-<div class="paragraph"><p>What: rule option to check GTP version</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>gtp_version.~</strong>: version to match { 0:2 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http2_decoded_header">http2_decoded_header</h3>\r
-<div class="paragraph"><p>What: rule option to set detection cursor to the decoded HTTP/2 header</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http2_frame_header">http2_frame_header</h3>\r
-<div class="paragraph"><p>What: rule option to set detection cursor to the 9-octet HTTP/2 frame header</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_client_body_2">http_client_body</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the request body</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_cookie">http_cookie</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the HTTP cookie</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-implied <strong>http_cookie.request</strong>: match against the cookie from the request message even when examining the response\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_cookie.with_header</strong>: this rule is limited to examining HTTP message headers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_cookie.with_body</strong>: parts of this rule examine HTTP message body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_cookie.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_header">http_header</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the normalized headers</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>http_header.field</strong>: restrict to given header. Header name is case insensitive.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_header.request</strong>: match against the headers from the request message even when examining the response\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_header.with_header</strong>: this rule is limited to examining HTTP message headers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_header.with_body</strong>: parts of this rule examine HTTP message body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_header.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_method_2">http_method</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the HTTP request method</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-implied <strong>http_method.with_header</strong>: this rule is limited to examining HTTP message headers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_method.with_body</strong>: parts of this rule examine HTTP message body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_method.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_param">http_param</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the value of the specified HTTP parameter key which may be in the query or body</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>http_param.~param</strong>: parameter to match\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_param.nocase</strong>: case insensitive match\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_raw_body_2">http_raw_body</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized message body</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_raw_cookie">http_raw_cookie</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized cookie</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_cookie.request</strong>: match against the cookie from the request message even when examining the response\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_cookie.with_header</strong>: this rule is limited to examining HTTP message headers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_cookie.with_body</strong>: parts of this rule examine HTTP message body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_cookie.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_raw_header">http_raw_header</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized headers</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_header.request</strong>: match against the headers from the request message even when examining the response\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_header.with_header</strong>: this rule is limited to examining HTTP message headers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_header.with_body</strong>: parts of this rule examine HTTP message body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_header.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_raw_request">http_raw_request</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized request line</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_request.with_header</strong>: this rule is limited to examining HTTP message headers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_request.with_body</strong>: parts of this rule examine HTTP message body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_request.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_raw_status">http_raw_status</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized status line</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_status.with_body</strong>: parts of this rule examine HTTP message body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_status.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_raw_trailer">http_raw_trailer</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized trailers</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_trailer.request</strong>: match against the trailers from the request message even when examining the response\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_trailer.with_header</strong>: parts of this rule examine HTTP response message headers (must be combined with request)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_trailer.with_body</strong>: parts of this rule examine HTTP response message body (must be combined with request)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_raw_uri">http_raw_uri</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized URI</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_uri.with_header</strong>: this rule is limited to examining HTTP message headers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_uri.with_body</strong>: parts of this rule examine HTTP message body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_uri.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_uri.scheme</strong>: match against scheme section of URI only\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_uri.host</strong>: match against host section of URI only\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_uri.port</strong>: match against port section of URI only\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_uri.path</strong>: match against path section of URI only\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_uri.query</strong>: match against query section of URI only\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_uri.fragment</strong>: match against fragment section of URI only\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_stat_code_2">http_stat_code</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the HTTP status code</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-implied <strong>http_stat_code.with_body</strong>: parts of this rule examine HTTP message body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_stat_code.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_stat_msg_2">http_stat_msg</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the HTTP status message</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-implied <strong>http_stat_msg.with_body</strong>: parts of this rule examine HTTP message body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_stat_msg.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_trailer">http_trailer</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the normalized trailers</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>http_trailer.field</strong>: restrict to given trailer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_trailer.request</strong>: match against the trailers from the request message even when examining the response\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_trailer.with_header</strong>: parts of this rule examine HTTP response message headers (must be combined with request)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_trailer.with_body</strong>: parts of this rule examine HTTP message body (must be combined with request)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_true_ip_2">http_true_ip</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the final client IP address</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-implied <strong>http_true_ip.with_header</strong>: this rule is limited to examining HTTP message headers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_true_ip.with_body</strong>: parts of this rule examine HTTP message body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_true_ip.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_uri">http_uri</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the normalized URI buffer</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-implied <strong>http_uri.with_header</strong>: this rule is limited to examining HTTP message headers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_uri.with_body</strong>: parts of this rule examine HTTP message body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_uri.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_uri.scheme</strong>: match against scheme section of URI only\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_uri.host</strong>: match against host section of URI only\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_uri.port</strong>: match against port section of URI only\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_uri.path</strong>: match against path section of URI only\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_uri.query</strong>: match against query section of URI only\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_uri.fragment</strong>: match against fragment section of URI only\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_http_version_2">http_version</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the version buffer</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-implied <strong>http_version.request</strong>: match against the version from the request message even when examining the response\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_version.with_header</strong>: this rule is limited to examining HTTP message headers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_version.with_body</strong>: parts of this rule examine HTTP message body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_version.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_icmp_id">icmp_id</h3>\r
-<div class="paragraph"><p>What: rule option to check ICMP ID</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-interval <strong>icmp_id.~range</strong>: check if ICMP ID is in given range { 0:65535 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_icmp_seq">icmp_seq</h3>\r
-<div class="paragraph"><p>What: rule option to check ICMP sequence number</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-interval <strong>icmp_seq.~range</strong>: check if ICMP sequence number is in given range { 0:65535 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_icode">icode</h3>\r
-<div class="paragraph"><p>What: rule option to check ICMP code</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-interval <strong>icode.~range</strong>: check if ICMP code is in given range is { 0:255 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_id">id</h3>\r
-<div class="paragraph"><p>What: rule option to check the IP ID field</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-interval <strong>id.~range</strong>: check if the IP ID is in the given range { 0: }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_ip_proto">ip_proto</h3>\r
-<div class="paragraph"><p>What: rule option to check the IP protocol number</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>ip_proto.~proto</strong>: [!|>|<] name or number\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_ipopts">ipopts</h3>\r
-<div class="paragraph"><p>What: rule option to check for IP options</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-select <strong>ipopts.~opt</strong>: output format { rr|eol|nop|ts|sec|esec|lsrr|lsrre|ssrr|satid|any }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_isdataat">isdataat</h3>\r
-<div class="paragraph"><p>What: rule option to check for the presence of payload data</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>isdataat.~length</strong>: num | !num\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>isdataat.relative</strong>: offset from cursor instead of start of buffer\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_itype">itype</h3>\r
-<div class="paragraph"><p>What: rule option to check ICMP type</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-interval <strong>itype.~range</strong>: check if ICMP type is in given range { 0:255 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_md5">md5</h3>\r
-<div class="paragraph"><p>What: payload rule option for hash matching</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>md5.~hash</strong>: data to match\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>md5.length</strong>: number of octets in plain text { 1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>md5.offset</strong>: var or number of bytes from start of buffer to start search\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>md5.relative</strong> = false: offset from cursor instead of start of buffer\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_metadata">metadata</h3>\r
-<div class="paragraph"><p>What: rule option for conveying arbitrary comma-separated name, value data within the rule text</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong><code>metadata.*</code></strong>: comma-separated list of arbitrary name value pairs\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_modbus_data">modbus_data</h3>\r
-<div class="paragraph"><p>What: rule option to set cursor to modbus data</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_modbus_func">modbus_func</h3>\r
-<div class="paragraph"><p>What: rule option to check modbus function code</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>modbus_func.~</strong>: function code to match\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_modbus_unit">modbus_unit</h3>\r
-<div class="paragraph"><p>What: rule option to check Modbus unit ID</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>modbus_unit.~</strong>: Modbus unit ID { 0:255 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_msg">msg</h3>\r
-<div class="paragraph"><p>What: rule option summarizing rule purpose output with events</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>msg.~</strong>: message describing rule\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_mss">mss</h3>\r
-<div class="paragraph"><p>What: detection for TCP maximum segment size</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-interval <strong>mss.~range</strong>: check if TCP MSS is in given range { 0:65535 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_pcre">pcre</h3>\r
-<div class="paragraph"><p>What: rule option for matching payload data with pcre</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>pcre.~re</strong>: Snort regular expression\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>pcre.pcre_rules</strong>: total rules processed with pcre option (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pcre.pcre_to_hyper</strong>: total pcre rules by hyperscan engine (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pcre.pcre_native</strong>: total pcre rules compiled by pcre engine (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pcre.pcre_negated</strong>: total pcre rules using negation syntax (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_pkt_data">pkt_data</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the normalized packet data</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_pkt_num">pkt_num</h3>\r
-<div class="paragraph"><p>What: alert on raw packet number</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-interval <strong>pkt_num.~range</strong>: check if packet number is in given range { 1: }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_priority">priority</h3>\r
-<div class="paragraph"><p>What: rule option for prioritizing events</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>priority.~</strong>: relative severity level; 1 is highest priority { 1:max31 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_raw_data">raw_data</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the raw packet data</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_reference">reference</h3>\r
-<div class="paragraph"><p>What: rule option to indicate relevant attack identification system</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>reference.~ref</strong>: reference: <scheme>,<id>\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_regex">regex</h3>\r
-<div class="paragraph"><p>What: rule option for matching payload data with hyperscan regex; uses pcre syntax</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>regex.~re</strong>: hyperscan regular expression\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>regex.dotall</strong>: matching a . will not exclude newlines\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>regex.fast_pattern</strong>: use this content in the fast pattern matcher instead of the content selected by default\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>regex.multiline</strong>: ^ and $ anchors match any newlines in data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>regex.nocase</strong>: case insensitive match\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>regex.relative</strong>: start search from end of last match instead of start of buffer\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_rem">rem</h3>\r
-<div class="paragraph"><p>What: rule option to convey an arbitrary comment in the rule body</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>rem.~</strong>: comment\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_replace">replace</h3>\r
-<div class="paragraph"><p>What: rule option to overwrite payload data; use with rewrite action</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>replace.~</strong>: byte code to replace with\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_rev">rev</h3>\r
-<div class="paragraph"><p>What: rule option to indicate current revision of signature</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>rev.~</strong>: revision { 1:max32 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_rpc">rpc</h3>\r
-<div class="paragraph"><p>What: rule option to check SUNRPC CALL parameters</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>rpc.~app</strong>: application number { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>rpc.~ver</strong>: version number or * for any\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>rpc.~proc</strong>: procedure number or * for any\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_s7commplus_content">s7commplus_content</h3>\r
-<div class="paragraph"><p>What: rule option to set cursor to s7commplus content</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_s7commplus_func">s7commplus_func</h3>\r
-<div class="paragraph"><p>What: rule option to check s7commplus function code</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>s7commplus_func.~</strong>: function code to match\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_s7commplus_opcode">s7commplus_opcode</h3>\r
-<div class="paragraph"><p>What: rule option to check s7commplus opcode code</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>s7commplus_opcode.~</strong>: opcode code to match\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_sd_pattern">sd_pattern</h3>\r
-<div class="paragraph"><p>What: rule option for detecting sensitive data</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>sd_pattern.~pattern</strong>: The pattern to search for\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>sd_pattern.threshold</strong> = 1: number of matches before alerting { 1:max32 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>sd_pattern.below_threshold</strong>: sd_pattern matched but missed threshold (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sd_pattern.pattern_not_found</strong>: sd_pattern did not not match (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sd_pattern.terminated</strong>: hyperscan terminated (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_seq">seq</h3>\r
-<div class="paragraph"><p>What: rule option to check TCP sequence number</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-interval <strong>seq.~range</strong>: check if TCP sequence number is in given range { 0: }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_service">service</h3>\r
-<div class="paragraph"><p>What: rule option to specify list of services for grouping rules</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong><code>service.*</code></strong>: one or more comma-separated service names\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_sha256">sha256</h3>\r
-<div class="paragraph"><p>What: payload rule option for hash matching</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>sha256.~hash</strong>: data to match\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>sha256.length</strong>: number of octets in plain text { 1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>sha256.offset</strong>: var or number of bytes from start of buffer to start search\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>sha256.relative</strong> = false: offset from cursor instead of start of buffer\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_sha512">sha512</h3>\r
-<div class="paragraph"><p>What: payload rule option for hash matching</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>sha512.~hash</strong>: data to match\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>sha512.length</strong>: number of octets in plain text { 1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>sha512.offset</strong>: var or number of bytes from start of buffer to start search\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>sha512.relative</strong> = false: offset from cursor instead of start of buffer\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_sid">sid</h3>\r
-<div class="paragraph"><p>What: rule option to indicate signature number</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>sid.~</strong>: signature id { 1:max32 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_sip_body">sip_body</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the request body</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_sip_header">sip_header</h3>\r
-<div class="paragraph"><p>What: rule option to set the detection cursor to the SIP header buffer</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_sip_method">sip_method</h3>\r
-<div class="paragraph"><p>What: detection option for sip stat code</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong><code>sip_method.*method</code></strong>: sip method\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_sip_stat_code">sip_stat_code</h3>\r
-<div class="paragraph"><p>What: detection option for sip stat code</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong><code>sip_stat_code.*code</code></strong>: status code { 1:999 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_so">so</h3>\r
-<div class="paragraph"><p>What: rule option to call custom eval function</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>so.~func</strong>: name of eval function\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>so.relative</strong>: offset from cursor instead of start of buffer\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_soid">soid</h3>\r
-<div class="paragraph"><p>What: rule option to specify a shared object rule ID</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>soid.~</strong>: SO rule ID is unique key, eg <gid>_<sid>_<rev> like 3_45678_9\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_ssl_state">ssl_state</h3>\r
-<div class="paragraph"><p>What: detection option for ssl state</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-implied <strong>ssl_state.client_hello</strong>: check for client hello\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_state.server_hello</strong>: check for server hello\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_state.client_keyx</strong>: check for client keyx\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_state.server_keyx</strong>: check for server keyx\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_state.unknown</strong>: check for unknown record\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_state.!client_hello</strong>: check for records that are not client hello\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_state.!server_hello</strong>: check for records that are not server hello\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_state.!client_keyx</strong>: check for records that are not client keyx\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_state.!server_keyx</strong>: check for records that are not server keyx\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_state.!unknown</strong>: check for records that are not unknown\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_ssl_version">ssl_version</h3>\r
-<div class="paragraph"><p>What: detection option for ssl version</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-implied <strong>ssl_version.sslv2</strong>: check for sslv2\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_version.sslv3</strong>: check for sslv3\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_version.tls1.0</strong>: check for tls1.0\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_version.tls1.1</strong>: check for tls1.1\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_version.tls1.2</strong>: check for tls1.2\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_version.!sslv2</strong>: check for records that are not sslv2\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_version.!sslv3</strong>: check for records that are not sslv3\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_version.!tls1.0</strong>: check for records that are not tls1.0\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_version.!tls1.1</strong>: check for records that are not tls1.1\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_version.!tls1.2</strong>: check for records that are not tls1.2\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_stream_reassemble">stream_reassemble</h3>\r
-<div class="paragraph"><p>What: detection option for stream reassembly control</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-enum <strong>stream_reassemble.action</strong>: stop or start stream reassembly { disable|enable }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>stream_reassemble.direction</strong>: action applies to the given direction(s) { client|server|both }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>stream_reassemble.noalert</strong>: don’t alert when rule matches\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>stream_reassemble.fastpath</strong>: optionally whitelist the remainder of the session\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_stream_size">stream_size</h3>\r
-<div class="paragraph"><p>What: detection option for stream size checking</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-interval <strong>stream_size.~range</strong>: check if the stream size is in the given range { 0: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>stream_size.~direction</strong>: compare applies to the given direction(s) { either|to_server|to_client|both }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_tag">tag</h3>\r
-<div class="paragraph"><p>What: rule option to log additional packets</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-enum <strong>tag.~</strong>: log all packets in session or all packets to or from host { session|host_src|host_dst }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>tag.packets</strong>: tag this many packets { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>tag.seconds</strong>: tag for this many seconds { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>tag.bytes</strong>: tag for this many bytes { 1:max32 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_target">target</h3>\r
-<div class="paragraph"><p>What: rule option to indicate target of attack</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-enum <strong>target.~</strong>: indicate the target of the attack { src_ip | dst_ip }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_tos">tos</h3>\r
-<div class="paragraph"><p>What: rule option to check type of service field</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-interval <strong>tos.~range</strong>: check if IP TOS is in given range { 0:255 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_ttl">ttl</h3>\r
-<div class="paragraph"><p>What: rule option to check time to live field</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-interval <strong>ttl.~range</strong>: check if IP TTL is in the given range { 0:255 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_urg">urg</h3>\r
-<div class="paragraph"><p>What: detection for TCP urgent pointer</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-interval <strong>urg.~range</strong>: check if tcp urgent offset is in given range { 0:65535 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_window">window</h3>\r
-<div class="paragraph"><p>What: rule option to check TCP window field</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-interval <strong>window.~range</strong>: check if TCP window size is in given range { 0:65535 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_wscale">wscale</h3>\r
-<div class="paragraph"><p>What: detection for TCP window scale</p></div>\r
-<div class="paragraph"><p>Type: ips_option</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-interval <strong>wscale.~range</strong>: check if TCP window scale is in given range { 0:65535 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-</div>\r
-</div>\r
-<div class="sect1">\r
-<h2 id="_search_engine_modules">Search Engine Modules</h2>\r
-<div class="sectionbody">\r
-<div class="paragraph"><p>Search engines perform multipattern searching of packets and payload to find\r
-rules that should be evaluated. There are currently no specific modules,\r
-although there are several search engine plugins. Related configuration\r
-is done with the basic detection module.</p></div>\r
-</div>\r
-</div>\r
-<div class="sect1">\r
-<h2 id="_so_rule_modules">SO Rule Modules</h2>\r
-<div class="sectionbody">\r
-<div class="paragraph"><p>SO rules are dynamic rules that require custom coding to perform detection\r
-not possible with the existing rule options. These rules typically do not\r
-have associated modules.</p></div>\r
-</div>\r
-</div>\r
-<div class="sect1">\r
-<h2 id="_logger_modules">Logger Modules</h2>\r
-<div class="sectionbody">\r
-<div class="paragraph"><p>All output of events and packets is done by Loggers.</p></div>\r
-<div class="sect2">\r
-<h3 id="_alert_csv">alert_csv</h3>\r
-<div class="paragraph"><p>What: output event in csv format</p></div>\r
-<div class="paragraph"><p>Type: logger</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-bool <strong>alert_csv.file</strong> = false: output to alert_csv.txt instead of stdout\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-multi <strong>alert_csv.fields</strong> = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | client_bytes | client_pkts | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | flowstart_time | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | seconds | server_bytes | server_pkts | service | sgt| sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>alert_csv.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>alert_csv.separator</strong> = , : separate fields with this character sequence\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_alert_ex">alert_ex</h3>\r
-<div class="paragraph"><p>What: output gid:sid:rev for alerts</p></div>\r
-<div class="paragraph"><p>Type: logger</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-bool <strong>alert_ex.upper</strong> = false: true/false → convert to upper/lower case\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_alert_fast">alert_fast</h3>\r
-<div class="paragraph"><p>What: output event with brief text format</p></div>\r
-<div class="paragraph"><p>Type: logger</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-bool <strong>alert_fast.file</strong> = false: output to alert_fast.txt instead of stdout\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>alert_fast.packet</strong> = false: output packet dump with alert\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>alert_fast.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_alert_full">alert_full</h3>\r
-<div class="paragraph"><p>What: output event with full packet dump</p></div>\r
-<div class="paragraph"><p>Type: logger</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-bool <strong>alert_full.file</strong> = false: output to alert_full.txt instead of stdout\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>alert_full.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_alert_json">alert_json</h3>\r
-<div class="paragraph"><p>What: output event in json format</p></div>\r
-<div class="paragraph"><p>Type: logger</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-bool <strong>alert_json.file</strong> = false: output to alert_json.txt instead of stdout\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-multi <strong>alert_json.fields</strong> = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | client_bytes | client_pkts | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | flowstart_time | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | seconds | server_bytes | server_pkts | service | sgt| sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>alert_json.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>alert_json.separator</strong> = , : separate fields with this character sequence\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_alert_sfsocket">alert_sfsocket</h3>\r
-<div class="paragraph"><p>What: output event over socket</p></div>\r
-<div class="paragraph"><p>Type: logger</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-string <strong>alert_sfsocket.file</strong>: name of unix socket file\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>alert_sfsocket.rules[].gid</code></strong> = 1: rule generator ID { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>alert_sfsocket.rules[].sid</code></strong> = 1: rule signature ID { 1:max32 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_alert_syslog">alert_syslog</h3>\r
-<div class="paragraph"><p>What: output event to syslog</p></div>\r
-<div class="paragraph"><p>Type: logger</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-enum <strong>alert_syslog.facility</strong> = auth: part of priority applied to each message { auth | authpriv | daemon | user | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>alert_syslog.level</strong> = info: part of priority applied to each message { emerg | alert | crit | err | warning | notice | info | debug }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-multi <strong>alert_syslog.options</strong>: used to open the syslog connection { cons | ndelay | perror | pid }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_alert_talos">alert_talos</h3>\r
-<div class="paragraph"><p>What: output event in Talos alert format</p></div>\r
-<div class="paragraph"><p>Type: logger</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_alert_unixsock">alert_unixsock</h3>\r
-<div class="paragraph"><p>What: output event over unix socket</p></div>\r
-<div class="paragraph"><p>Type: logger</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_log_codecs">log_codecs</h3>\r
-<div class="paragraph"><p>What: log protocols in packet by layer</p></div>\r
-<div class="paragraph"><p>Type: logger</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-bool <strong>log_codecs.file</strong> = false: output to log_codecs.txt instead of stdout\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>log_codecs.msg</strong> = false: include alert msg\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_log_hext">log_hext</h3>\r
-<div class="paragraph"><p>What: output payload suitable for daq hext</p></div>\r
-<div class="paragraph"><p>Type: logger</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-bool <strong>log_hext.file</strong> = false: output to log_hext.txt instead of stdout\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>log_hext.raw</strong> = false: output all full packets if true, else just TCP payload\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>log_hext.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>log_hext.width</strong> = 20: set line width (0 is unlimited) { 0:max32 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_log_pcap">log_pcap</h3>\r
-<div class="paragraph"><p>What: log packet in pcap format</p></div>\r
-<div class="paragraph"><p>Type: logger</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>log_pcap.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_unified2">unified2</h3>\r
-<div class="paragraph"><p>What: output event and packet in unified2 format file</p></div>\r
-<div class="paragraph"><p>Type: logger</p></div>\r
-<div class="paragraph"><p>Usage: global</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-bool <strong>unified2.legacy_events</strong> = false: generate Snort 2.X style events for barnyard2 compatibility\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>unified2.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>unified2.nostamp</strong> = true: append file creation time to name (in Unix Epoch format)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-</div>\r
-</div>\r
-<div class="sect1">\r
-<h2 id="_daq_configuration_and_modules">DAQ Configuration and Modules</h2>\r
-<div class="sectionbody">\r
-<div class="paragraph"><p>The Data AcQuisition library (DAQ), provides pluggable packet I/O. LibDAQ\r
-replaces direct calls to libraries like libpcap with an abstraction layer\r
-that facilitates operation on a variety of hardware and software interfaces\r
-without requiring changes to Snort. It is possible to select the DAQ module\r
-and mode when invoking Snort to perform pcap readback or inline operation,\r
-etc. The DAQ library may be useful for other packet processing\r
-applications and the modular nature allows you to build new modules for\r
-other platforms.</p></div>\r
-<div class="paragraph"><p>The DAQ library exists as a separate repository on the official Snort 3 GitHub\r
-project (<a href="https://github.com/snort3/libdaq">https://github.com/snort3/libdaq</a>) and contains a number of bundled DAQ\r
-modules including AFPacket, Divert, NFQ, PCAP, and Netmap implementations.\r
-Snort 3 itself contains a few new DAQ modules mostly used for testing as\r
-described below. Additionally, DAQ modules developed by third parties to\r
-facilitate the usage of their own hardware and software platforms exist.</p></div>\r
-<div class="sect2">\r
-<h3 id="_building_the_daq_library_and_its_bundled_daq_modules">Building the DAQ Library and Its Bundled DAQ Modules</h3>\r
-<div class="paragraph"><p>Refer to the READMEs in the LibDAQ source tarball for instructions on how to\r
-build the library and modules as well as details on configuring and using the\r
-bundled DAQ modules.</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_configuration_7">Configuration</h3>\r
-<div class="paragraph"><p>As with a number of features in Snort 3, the LibDAQ and DAQ module\r
-configuration may be controlled using either the command line options or by\r
-configuring the <em>daq</em> Snort module in the Lua configuration.</p></div>\r
-<div class="paragraph"><p>DAQ modules may be statically built into Snort, but the more common case is to\r
-use DAQ modules that have been built as dynamically loadable objects. Because\r
-of this, the first thing to take care of is informing Snort of any locations it\r
-should search for dynamic DAQ modules. From the command line, this can be done\r
-with one or more invocations of the --daq-dir option, which takes a\r
-colon-separated set of paths to search as its argument. All arguments will be\r
-collected into a list of locations to be searched. In the Lua configuration, the\r
-<em>daq.module_dirs[]</em> property is a list of paths for the same purpose.</p></div>\r
-<div class="paragraph"><p>Next, one must select which DAQ modules they wish to use by name. At least one\r
-base module and zero or more wrapper modules may be selected. This is done\r
-using the --daq options from the command line or the <em>daq.modules[]</em> list-type\r
-property. To get a list of the available modules, run Snort with the --daq-list\r
-option making sure to specify any DAQ module search directories beforehand. If\r
-no DAQ module is specified, Snort will default to attempting to find and use a\r
-DAQ module named <em>pcap</em>.</p></div>\r
-<div class="paragraph"><p>Some DAQ modules can be further directly configured using DAQ module variables.\r
-All DAQ module variables come in the form of either just a key or a key and a\r
-value separated by an equals sign. For example, <em>debug</em> or <em>fanout_type=hash</em>.\r
-The command line option for specifying these is --daq-var and the configuration\r
-file equivalent is the <em>daq.modules[].variables[]</em> property. The available\r
-variables for each module will be shown when listing the available DAQ modules\r
-with --daq-list.</p></div>\r
-<div class="paragraph"><p>The LibDAQ concept of operational mode (passive, inline, or file readback) is\r
-automatically configured based on inferring the mode from other Snort\r
-configuration. The presence of -r or --pcap-* options implies <em>read-file</em>, -i\r
-without -Q implies <em>passive</em>, and -i with -Q implies <em>inline</em>. The mode can be\r
-overridden on a per-DAQ module basis with the --daq-mode option on the command\r
-line or the <em>daq.modules[].mode</em> property.</p></div>\r
-<div class="paragraph"><p>The DAQ module receive timeout is always configured to 1 second. The packet\r
-capture length (snaplen) defaults to 1518 bytes and can be overridden by the -s\r
-command line option or <em>daq.snaplen</em> property.</p></div>\r
-<div class="paragraph"><p>Finally, and most importantly, is the input specification for the DAQ module.\r
-In readback mode, this is simply the file to be read back and analyzed. For\r
-live traffic processing, this is the name of the interface or other necessary\r
-input specification as required by the DAQ module to understand what to operate\r
-upon. From the command line, the -r option is used to specify a file to be\r
-read back and the -i option is used to indicate a live interface input\r
-specification. Both are covered by the <em>daq.inputs[]</em> property.</p></div>\r
-<div class="paragraph"><p>For advanced use cases, one additional LibDAQ configuration exists: the number\r
-of DAQ messages to request per receive call. In Snort, this is referred to as\r
-the DAQ "batch size" and defaults to 64. The default can be overridden with\r
-the --daq-batch-size command line option or <em>daq.batch_size</em> property. The\r
-message pool size requested from the DAQ module will be four times this batch\r
-size.</p></div>\r
-<div class="sect3">\r
-<h4 id="_command_line_example">Command Line Example</h4>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code> snort --daq-dir /usr/local/lib/daq --daq-dir /opt/lib/daq --daq afpacket\r
---daq-var debug --daq-var fanout_type=hash -i eth1:eth2 -Q</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_configuration_file_example">Configuration File Example</h4>\r
-<div class="paragraph"><p>The following is the equivalent of the above command line DAQ configuration in\r
-Lua form:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>daq =\r
-{\r
- module_dirs =\r
- {\r
- '/usr/local/lib/daq',\r
- '/opt/lib/daq'\r
- },\r
- modules =\r
- {\r
- {\r
- name = 'afpacket',\r
- mode = 'inline',\r
- variables =\r
- {\r
- 'debug',\r
- 'fanout_type=hash'\r
- }\r
- }\r
- },\r
- inputs =\r
- {\r
- 'eth1:eth2',\r
- },\r
- snaplen = 1518\r
-}</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The <em>daq.snaplen</em> property was included for completeness and may be omitted if\r
-the default value is acceptable.</p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_daq_module_configuration_stacks">DAQ Module Configuration Stacks</h4>\r
-<div class="paragraph"><p>Like briefly mentioned above, a DAQ configuration consists of a base DAQ module\r
-and zero or more wrapper DAQ modules. DAQ wrapper modules provide additional\r
-functionality layered on top of the base module in a decorator pattern. For\r
-example, the Dump DAQ module will capture all passed or injected packets and\r
-save them to a PCAP savefile. This can be layered on top of something like the\r
-PCAP DAQ module to assess which packets are making it through Snort without\r
-being dropped and what actions Snort has taken that involved sending new or\r
-modified packets out onto the network (e.g., TCP reset packets and TCP\r
-normalizations).</p></div>\r
-<div class="paragraph"><p>To configure a DAQ module stack from the command line, the --daq option must\r
-be given multiple times with the base module specified first followed by the\r
-wrapper modules in the desired order (building up the stack). Each --daq\r
-option changes which module is being configured by subsequent --daq-var and\r
---daq mode options.</p></div>\r
-<div class="paragraph"><p>When configuring the same sort of stack in Lua, everything lives in the\r
-<em>daq.modules[]</em> property. <em>daq.modules[]</em> is an array of module configurations\r
-pushed onto the stack from top to bottom. Each module configuration <strong>must</strong>\r
-contain the name of the DAQ module. Additionally, it may contain an array of\r
-variables (<em>daq.modules[].variables[]</em>) and/or an operational mode\r
-(<em>daq.modules[].mode</em>).</p></div>\r
-<div class="paragraph"><p>If only wrapper modules were specified, Snort will default to implicitly\r
-configuring a base module with the name <em>pcap</em> in <em>read-file</em> mode. This is a\r
-convenience to mimic the previous behavior when selecting something like the\r
-old Dump DAQ module that may be removed in the future.</p></div>\r
-<div class="paragraph"><p>For any particularly complicated setup, it is recommended that one configure\r
-via a Lua configuration file rather than using the command line options.</p></div>\r
-</div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_interaction_with_multiple_packet_threads">Interaction With Multiple Packet Threads</h3>\r
-<div class="paragraph"><p>All packet threads will receive the same DAQ instance configuration with the\r
-potential exception of the input specification.</p></div>\r
-<div class="paragraph"><p>If Snort is in file readback mode, a full set of files will be constructed from\r
-the -r/--pcap-file/--pcap-list/--pcap-dir/--pcap-filter options. A number of\r
-packet threads will be started up to the configured maximum (-z) to process\r
-these files one at a time. As a packet thread completes processing of a file,\r
-it will be stopped and then started again with a different file input to\r
-process. If the number of packet threads configured exceeds the number of\r
-files to process, or as the number of remaining input files dwindles below that\r
-number, Snort will stop spawning new packet threads when it runs out of\r
-unhandled input files.</p></div>\r
-<div class="paragraph"><p>When Snort is operating on live interfaces (-i), all packet threads up to the\r
-configured maximum will always be started. By default, if only one input\r
-specification is given, all packet threads will receive the same input in their\r
-configuration. If multiple inputs are given, each thread will be given the\r
-matching input (ordinally), falling back to the first if the number of packet\r
-threads exceeds the number of inputs.</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_daq_modules_included_with_snort_3">DAQ Modules Included With Snort 3</h3>\r
-<div class="sect3">\r
-<h4 id="_socket_module">Socket Module</h4>\r
-<div class="paragraph"><p>The socket module provides provides a stream socket server that will accept\r
-up to 2 simultaneous connections and bridge them together while also\r
-passing data to Snort for inspection. The first connection accepted is\r
-considered the client and the second connection accepted is considered the\r
-server. If there is only one connection, stream data can’t be forwarded\r
-but it is still inspected.</p></div>\r
-<div class="paragraph"><p>Each read from a socket of up to snaplen bytes is passed as a packet to\r
-Snort along with the ability to retrieve a DAQ_UsrHdr_t structure via ioctl.\r
-DAQ_UsrHdr_t conveys IP4 address, ports, protocol, and direction. Socket\r
-packets can be configured to be TCP or UDP. The socket DAQ can be operated\r
-in inline mode and is able to block packets.</p></div>\r
-<div class="paragraph"><p>Packets from the socket DAQ module are handled by Snort’s stream_user module,\r
-which must be configured in the Snort configuration.</p></div>\r
-<div class="paragraph"><p>To use the socket DAQ, start Snort like this:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>./snort --daq-dir /path/to/lib/snort_extra/daq \\r
- --daq socket [--daq-var port=<port>] [--daq-var proto=<proto>] [-Q]</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code><port> ::= 1..65535; default is 8000\r
-<proto> ::= tcp | udp</code></pre>\r
-</div></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-This module only supports ip4 traffic.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-This module is only supported by Snort 3. It is not compatible with\r
- Snort 2.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-This module is primarily for development and test.\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_file_module">File Module</h4>\r
-<div class="paragraph"><p>The file module provides the ability to process files directly without having\r
-to extract them from pcaps. Use the file module with Snort’s stream_file to\r
-get file type identification and signature services. The usual IPS detection\r
-and logging, etc. is also available.</p></div>\r
-<div class="paragraph"><p>You can process all the files in a directory recursively using 8 threads\r
-with these Snort options:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>--pcap-dir path -z 8</code></pre>\r
-</div></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-This module is only supported by Snort 3. It is not compatible with\r
- Snort 2.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-This module is primarily for development and test.\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_hext_module">Hext Module</h4>\r
-<div class="paragraph"><p>The hext module generates packets suitable for processing by Snort from\r
-hex/plain text. Raw packets include full headers and are processed\r
-normally. Otherwise the packets contain only payload and are accompanied\r
-with flow information (4-tuple) suitable for processing by stream_user.</p></div>\r
-<div class="paragraph"><p>The first character of the line determines it’s purpose:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>'$' command\r
-'#' comment\r
-'"' quoted string packet data\r
-'x' hex packet data\r
-' ' empty line separates packets</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The available commands are:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$client <ip4> <port>\r
-$server <ip4> <port></code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$packet -> client\r
-$packet -> server</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$packet <addr> <port> -> <addr> <port></code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>$sof <i32:ingressZone> <i32:egressZone> <i32:ingressIntf> <i32:egressIntf> <s:srcIp> <i16:srcPort> <s:destIp> <i16:dstPort> <u32:opaque> <u64:initiatorPkts> <u64:responderPkts> <u64:initiatorPktsDropped> <u64:responderPktsDropped> <u64:initiatorBytesDropped> <u64:responderBytesDropped> <u8:isQosAppliedOnSrcIntf> <timeval:sof_timestamp> <timeval:eof_timestamp> <u16:vlan> <u16:address_space_id> <u8:protocol>\r
-$eof <i32:ingressZone> <i32:egressZone> <i32:ingressIntf> <i32:egressIntf> <s:srcIp> <i16:srcPort> <s:destIp> <i16:dstPort> <u32:opaque> <u64:initiatorPkts> <u64:responderPkts> <u64:initiatorPktsDropped> <u64:responderPktsDropped> <u64:initiatorBytesDropped> <u64:responderBytesDropped> <u8:isQosAppliedOnSrcIntf> <timeval:sof_timestamp> <timeval:eof_timestamp> <u16:vlan> <u16:address_space_id> <u8:protocol></code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Client and server are determined as follows. $packet → client indicates\r
-to the client (from server) and $packet → server indicates a packet to the\r
-server (from client). $packet followed by a 4-tuple uses the heuristic\r
-that the client is the side with the greater port number.</p></div>\r
-<div class="paragraph"><p>The default client and server are 192.168.1.1 12345 and 10.1.2.3 80\r
-respectively. $packet commands with a 4-tuple do not change client and\r
-server set with the other $packet commands.</p></div>\r
-<div class="paragraph"><p>$packet commands should be followed by packet data, which may contain any\r
-combination of hex and strings. Data for a packet ends with the next\r
-command or a blank line. Data after a blank line will start another packet\r
-with the same tuple as the prior one.</p></div>\r
-<div class="paragraph"><p>$sof and $eof commands generate Start of Flow and End of Flow metapackets\r
-respectively. They are followed by a definition of a Flow_Stats_t data structure\r
-which will be fed into Snort via the metadata callback.</p></div>\r
-<div class="paragraph"><p>Strings may contain the following escape sequences:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>\r = 0x0D = carriage return\r
-\n = 0x0A = new line\r
-\t = 0x09 = tab\r
-\\ = 0x5C = \</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Format your input carefully; there is minimal error checking and little\r
-tolerance for arbitrary whitespace. You can use Snort’s -L hext option to\r
-generate hext input from a pcap.</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-This module only supports ip4 traffic.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-This module is only supported by Snort 3. It is not compatible with\r
- Snort 2.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-This module is primarily for development and test.\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>The hext DAQ also supports a raw mode which is activated by setting the\r
-data link type. For example, you can input full ethernet packets with\r
---daq-var dlt=1 (Data link types are defined in the DAQ include\r
-sfbpf_dlt.h.) Combine that with the hext logger in raw mode for a quick\r
-(and dirty) way to edit pcaps. With --lua "log_hext = { raw = true }", the\r
-hext logger will dump the full packet in a way that can be read by the hext\r
-DAQ in raw mode. Here is an example:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code># 3 [96]</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>x02 09 08 07 06 05 02 01 02 03 04 05 08 00 45 00 00 52 00 03 # ..............E..R..\r
-x00 00 40 06 5C 90 0A 01 02 03 0A 09 08 07 BD EC 00 50 00 00 # ..@.\............P..\r
-x00 02 00 00 00 02 50 10 20 00 8A E1 00 00 47 45 54 20 2F 74 # ......P. .....GET /t\r
-x72 69 67 67 65 72 2F 31 20 48 54 54 50 2F 31 2E 31 0D 0A 48 # rigger/1 HTTP/1.1..H\r
-x6F 73 74 3A 20 6C 6F 63 61 6C 68 6F 73 74 0D 0A # ost: localhost..</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>A comment indicating packet number and size precedes each packet dump.\r
-Note that the commands are not applicable in raw mode and have no effect.</p></div>\r
-</div>\r
-</div>\r
-</div>\r
-</div>\r
-<div class="sect1">\r
-<h2 id="_snort_3_vs_snort_2">Snort 3 vs Snort 2</h2>\r
-<div class="sectionbody">\r
-<div class="paragraph"><p>Snort 3 differs from Snort 2 in the following ways:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-command line and conf file syntax made more uniform\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-removed unused and deprecated features\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-remove as many barriers to successful run as possible\r
- (e.g.: no upper bounds on memcaps)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-assume the simplest mode of operation\r
- (e.g.: never assume input from or output to some hardcoded filename)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-all Snort 2 config options are grouped into Snort 3 modules\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="sect2">\r
-<h3 id="_features_new_to_snort_3">Features New to Snort 3</h3>\r
-<div class="paragraph"><p>Some things Snort++ can do today that Snort can not do:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-regex fast patterns, not just literals\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-FlatBuffers and JSON perf monitor logs\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-LuaJIT scriptable rule options and loggers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-pub/sub inspection events (currently used by sip and http_inspect to appid)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-JIT buffer stuffers (notably with new http_inspect)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-C-style comments in rules\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-#begin … #end comment blocks in rules\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-rule remarks (comment is part of rule, not just in it)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-process raw files (eg read a PDF and do file processing)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-process raw payload (eg bridge 2 sockets and do inspection)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-fast pattern offload to separate thread (experimental)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-track all memory allocated\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-add or override any config item on command line\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-set CPU affinity\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-pause and resume commands\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_features_improved_over_snort_2">Features Improved over Snort 2</h3>\r
-<div class="paragraph"><p>Some things Snort++ can do today that Snort can not do as well:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-Hyperscan search engine plugin\r
- (Intel provides patch for Snort 2)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-fast pattern sensitive data\r
- (Snort 2 requires a slow, extra search)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-multiple packet threads with one config\r
- (Snort 2 requires multiple processes)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-wizard automatically detects service for first flow\r
- (Snort 2 appid detects for next flow)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-nested policy binding\r
- (Snort 2 has just one level)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-decode arbitrary layers\r
- (Snort 2 supports only 2 IP layers)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-process PDU buffers\r
- (Snort 2 only processes packets)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-fully stateful http_inspect with 97 builtin alerts\r
- (Snort 2 is only partly stateful with 33 builtin alerts)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-output all semantic errors before quitting\r
- (Snort 2 stops at first one)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-alert file rules\r
- (Snort 2 must use multiple rules)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-alert service rules, eg alert http\r
- (Snort 2 must use metadata:service)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-automatic fast_pattern only\r
- (Snort 2 requires explicit fast_pattern:only)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-elided rule headers omit nets and/or ports\r
- (Snort 2 requires explicit <em>any</em>)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-dump builtin rule stubs\r
- (Snort 2 can only dump SO stubs)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-rule sticky buffers\r
- (Snort 2 buffers must be repeated)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-http_header:name supported to restrict to single field\r
- (Snort 2 searches all headers)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-fully equivalent SO rules\r
- (Snort 2 has some limitations with SO processing)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-text-based SO rule implementation\r
- (Snort 2 requires tedious, nested C structs)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-extensible module-based tracing\r
- (Snort 2 has a fixed set of flags)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-over 200 plugins, no need to change core source code\r
- (Snort 2 only supports preprocessors and outputs)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-use consistent conf syntax\r
- (Snort 2 defines lists different ways in different places, etc.)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-use consistent rule syntax\r
- (Snort 2 has semicolon separated suboptions, etc.)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-arbitrary whitespace and comments in conf and rules\r
- (Snort 2 requires newline escapes)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-properly parse rules\r
- (Snort 2 can actually completely ignore stuff)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-optional, expanded warnings output, can be fatal\r
- (Snort 2 warnings limited and are not optional or fatal)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-define and use arbitrary variables and functions in config with Lua\r
- (Snort 2 has variables just for rule headers)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-text-based command line shell\r
- (Snort 2 has binary control socket)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-generate text and HTML user guide in addition to PDF\r
- (Snort 2 just has PDF and Talos provides HTML)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-generate developer’s guide\r
- (Snort 2’s is manually written)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-extensive command line help, eg every config item, rule option, and peg count\r
- (Snort 2 only has command line args)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-cmake builds\r
- (Snort 2 only does automake)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-read rules from separate file or stdin\r
- (Snort 2 requires rules directly in or included in conf)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-simple, clean, uniform startup and shutdown output\r
- (Snort 2 is heavy and inconsistent)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-port_scan is fully configurable\r
- (Snort 2 hard codes most of the configuration)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-port_scan can block scans\r
- (Snort 2 can only detect scans)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-sigquit will cause a --dirty-pig style exit\r
- (Snort 2 handles sigquit the same as sigterm and sigint)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-detection trace\r
- (Snort 2 has more limited buffer dumping)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-updated unified2 events with MPLS, VLAN, and IP6\r
- (Snort 2 requires configuration and extra data)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-significantly more unit tests, including --catch and make check\r
- (Snort 2 has very few unit tests)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-better modularity 346K/1534 = 226 lines/file, max=2700\r
- (Snort 2 has 440K/1021 = 431 lines/file, max=13K)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_build_options">Build Options</h3>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-configure --with-lib{pcap,pcre}-* → --with-{pcap,pcre}-*\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-control socket, cs_dir, and users were deleted\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-POLICY_BY_ID_ONLY code was deleted\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-hardened --enable-inline-init-failopen / INLINE_FAILOPEN\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_command_line_2">Command Line</h3>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
---pause loads config and waits for resume before processing packets\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
---require-rule-sid is hardened\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
---shell enables interactive Lua shell\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
--T is assumed if no input given\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-added --help-config prefix to dump all matching settings\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-added --script-path\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-added -L none|dump|pcap\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-added -z <#> and --max-packet-threads <#>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-delete --enable-mpls-multicast, --enable-mpls-overlapping-ip,\r
- --max-mpls-labelchain-len, --mpls-payload-type\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-deleted --pid-path and --no-interface-pidfile\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-deleting command line options which will be available with --lua or some such including:\r
- -I, -h, -F, -p, --disable-inline-init-failopen\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-hardened -n < 0\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-removed --search-method\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-replaced "unknown args are bpf" with --bpf\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-replaced --dynamic-*-lib[-dir] with --plugin-path (with : separators)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-removed -b, -N, -Z and, --perfmon-file options\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_conf_file">Conf File</h3>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-Snort 3 has a default unicode.map\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Snort 3 will not enforce an upper bound on memcaps and the like within 64 bits\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Snort 3 will supply a default *_global config if not specified\r
- (Snort 2 would fatal; e.g. http_inspect_server w/o http_inspect_global)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-address list syntax changes: [[ and ]] must be [ [ and ] ] to avoid Lua string\r
- parsing errors (unless in quoted string)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-because the Lua conf is live code, we lose file:line locations in app error messages\r
- (syntax errors from Lua have file:line)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-changed search-method names for consistency\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-delete config include_vlan_in_alerts (not used in code)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-delete config so_rule_memcap (not used in code)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-deleted --disable-attribute-table-reload-thread\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-deleted config decode_*_{alerts,drops} (use rules only)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-deleted config dump-dynamic-rules-path\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-deleted config ipv6_frag (not actually used)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-deleted config threshold and ips rule threshold (→ event_filter)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-eliminated ac-split; must use ac-full-q split-any-any\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-frag3 → defrag, arpspoof → arp_spoof, sfportscan → port_scan,\r
- perfmonitor → perf_monitor, bo → back_orifice\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-limits like "1234K" are now "limit = 1234, units = <em>K</em>"\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-lua field names are (lower) case sensitive; snort.conf largely wasn’t\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-module filenames are not configurable: always <log-dir>/<module-name><suffix>\r
- (suffix is determined by module)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-no positional parameters; all name = value\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-perf_monitor configuration was simplified\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-portscan.detect_ack_scans deleted (exact same as include_midstream)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-removed various run modes - now just one\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-frag3 default policy is Linux not bsd\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-lowmem* search methods are now in snort_examples\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-deleted unused http_inspect stateful mode\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-deleted stateless inspection from ftp and telnet\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-deleted http and ftp alert options (now strictly rule based)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-preprocessor disabled settings deleted since no longer relevant\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-sessions are always created; snort config stateful checks eliminated\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-stream5_tcp: prune_log_max deleted; to be replaced with histogram\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-stream5_tcp: max_active_responses, min_response_seconds moved to\r
- active.max_responses, min_interval\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_rules_3">Rules</h3>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-all rules must have a sid\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-sid == 0 not allowed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-deleted activate / dynamic rules\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-deleted unused rule_state.action\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-deleted metadata engine shared\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-deleted metadata: rule-flushing (with PDU flushing rule flushing can cause\r
- missed attacks, the opposite of its intent)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-changed metadata:service one[, service two]; to service:one[, two];\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-soid is now a non-metadata option\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-metadata is now truly metadata with no impact on detection\r
- (Snort doesn’t care about metadata internal structure / syntax)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-deleted fast_pattern:only; use fast_pattern, nocase\r
- (option is not added to detection tree if not required)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-changed fast_pattern:<offset>,<length> to\r
- fast_pattern,fast_pattern_offset <offset>,fast_pattern_length <length>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-fast pattern sensitive data with sd_pattern using hyperscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-hyperscan regex fast patterns with regex:"<regex>", fast_pattern;\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-no ; separated content suboptions\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-offset, depth, distance, and within must use a space separator not colon\r
- (e.g. offset:5; becomes offset 5;)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-content suboptions http_* are now full options\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-added sticky buffers: buffer selector options must precede contents and remain\r
- in effect until changed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-the following pcre options have been deleted: use sticky buffers instead\r
- B, U, P, H, M, C, I, D, K, S, Y\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-deleted uricontent option; use sticky buffer\r
- uricontent:"foo" -→ http_uri; content:"foo"\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-deleted urilen raw and norm; must use http_raw_uri and http_uri instead\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-deleted unused http_encode option\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-urilen replaced with generic bufferlen which applies to current sticky\r
- buffer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-added optional selector to http_header, e.g. http_header:User-Agent;\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-the all new http_inspect has new buffers and rule options\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-added alert file and alert service rules\r
- (service in body not required if there is only one and it is in header;\r
- alert service / file rules disable fast pattern searching of raw packets)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-rule option sequence: <stub> soid <hidden>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-arbitrary whitespace and multiline rules w/o \n\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-#begin … #end comments to easily comment out multiple lines\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-add rule remarks option with rem:"arbitrary comment"\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-nets and/or ports may be omitted from rule headers (matches any)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-parse all rules and output all errors before quitting\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-read rules from conf, separate rules file, or stdin\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-The symbol =< in a byte test is recognized as a syntax error. The correct\r
- symbol is <=.\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_output_3">Output</h3>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-alert_fast includes packet data by default\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-all text mode outputs default to stdout\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-changed default logging mode to -L none\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-deleted layer2resets and flexresp2_*\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-deleted log_ascii\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-general output guideline: don’t print zero counts\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Snort 3 queues decoder and inspector events to the main event queue before ips policy\r
- is selected; since some events may not be enabled, the queue needs to be sized larger\r
- than with Snort 2 which used an intermediate queue for decoder events.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-deleted the intermediate http and ftp_telnet event queues\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-alert_unified2 and log_unified2 have been deleted\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_sensitive_data">Sensitive Data</h3>\r
-<div class="paragraph"><p>The Snort 2.X SDF Preprocessor is gone, replaced by ips option <code>sd_pattern</code>.\r
-The sd_pattern rule option is synonymous with the sd_pattern option used\r
-for gid:138 rules, but has a different syntax. A major difference in syntax\r
-is the use of Hyperscan pattern matching library which provides a regex\r
-language similar to PCRE.</p></div>\r
-<div class="paragraph"><p>To facilitate continued performance, sd_pattern rule option is implemented\r
-with Hyperscan pattern matching library. The rule option is now also utilized\r
-as a "fast pattern" in the Snort engine which provides a significant performance\r
-improvement over the separate detection step of earlier implementations.</p></div>\r
-<div class="paragraph"><p>The preprocessor alert SDF_COMBO_ALERT (139:1) has been removed and has no\r
-replacement in Snort 3.X. This is because the rule offered no additional\r
-value over gid:138 rules and was difficult to interpret the result of.</p></div>\r
-<div class="paragraph"><p>For more information, See Features > Sensitive Data Filtering for details.</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_features_not_yet_supported_by_snort_3">Features Not Yet Supported by Snort 3</h3>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-Support in http_inspect for Original Client IP is limited to the\r
- X-Forwarded-For and True-Client-IP headers in that order. It is not\r
- possible to configure additional custom headers to search for Original\r
- Client IP.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-The -n option does not work properly when perf_monitor is configured. The\r
- number of packets processed from the pcap is likely to be more than the\r
- number specified with the -n option.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-When a file is transferred via SMB2 it may be allowed even though\r
- according to file policy it should be blocked. This occurs when the\r
- create and read requests are sent together and then the read and create\r
- responses are sent together. Blocking is done correctly if the create and\r
- read requests are sent separately or if the file is large enough to\r
- require two read responses.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-This user manual is incomplete and does not fully cover many Snort 2.X\r
- features that are also supported by Snort 3.\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-</div>\r
-</div>\r
-<div class="sect1">\r
-<h2 id="_snort2lua">Snort2Lua</h2>\r
-<div class="sectionbody">\r
-<div class="paragraph"><p>One of the major differences between Snort 2 and Snort 3 is the\r
-configuration. Snort 2 configuration files are written in Snort-specific\r
-syntax while Snort 3 configuration files are written in Lua. Snort2Lua is a\r
-program specifically designed to convert valid Snort 2 configuration files\r
-into Lua files that Snort 3 can understand.</p></div>\r
-<div class="paragraph"><p>Snort2Lua reads your legacy Snort conf file(s) and generates Snort 3 Lua\r
-and rules files. When running this program, the only mandatory option is to\r
-provide Snort2Lua with a Snort 2 configuration file. The default output\r
-file file is snort.lua, the default error file will be snort.rej, and the\r
-default rule file is the output file (default is snort.lua). When\r
-Snort2Lua finishes running, the resulting configuration file can be\r
-successfully run as the Snort3.0 configuration file. The sole exception to\r
-this rule is when Snort2Lua cannot find an included file. If that occurs,\r
-the file will still be included in the output file and you will need to\r
-manually adjust or comment the file name. Additionally, if the exit code is\r
-not zero, some of the information may not be successfully converted. Check\r
-the error file for all of the conversion problems.</p></div>\r
-<div class="paragraph"><p>Those errors can occur for a multitude of reasons and are not necessarily\r
-bad. Snort2Lua expects a valid Snort 2 configuration. Therefore, if the\r
-configuration is invalid or has questionable syntax, Snort2Lua may fail to\r
-parse the configuration file or create an invalid Snort 3 configuration\r
-file.</p></div>\r
-<div class="paragraph"><p>There are a also few peculiarities of Snort2Lua that may be confusing to a\r
-first time user:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-Aside from an initial configuration file (which is specified from the\r
- command line or as the file in ‘config binding’), every file that is\r
- included into Snort 3 must be either a Lua file or a rule file; the file\r
- cannot contain both rules and Lua syntax. Therefore, when parsing a file\r
- specified with the ‘include’ command, Snort2Lua will output both a Lua\r
- file and a rule file.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Any line that is a comment in a configuration file will be added in to a\r
- comments section at the bottom of the main configuration file.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Rules that contain unsupported options will be converted to the best of\r
- Snort2Lua’s capability and then printed as a comment in the rule file.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Files with a <em>.rules</em> suffix are assumed to be Talos 2.X rules files and\r
- converted line-by-line. In this case, lines starting with <em>alert</em> are\r
- converted as usual but lines starting with <em># alert</em> are\r
- assumed to be commented out rules which are converted to 3.0 format and\r
- remain comments in the output file. All other comments are passed\r
- through directly. There is no support for other commented rule actions\r
- since these do not appear in Talos rules files.\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="sect2">\r
-<h3 id="_snort2lua_command_line">Snort2Lua Command Line</h3>\r
-<div class="paragraph"><p>By default, Snort2Lua will attempt to parse every ‘include’ file and every\r
-‘binding’ file. There is an option to change this functionality.</p></div>\r
-<div class="paragraph"><p>When specifying a rule file with one of the command line options, Snort2Lua\r
-will output all of the converted rules to that specified rule file. This\r
-is especially useful when you are only interesting in converting rules\r
-since there is no Lua syntax in rule files. There is also an option that\r
-tells Snort2Lua to output every rule for a given configuration into a\r
-single rule file. Similarly, there is an option pull all of the Lua syntax\r
-from every ‘include’ file into the output file.</p></div>\r
-<div class="paragraph"><p>There are currently three output modes: default, quiet, and differences.\r
-As expected, quiet mode produces a Snort configuration. All errors (aside\r
-from Fatal Snort2Lua errors), differences, and comments will omitted from\r
-the final output file. Default mode will print everything. That mean you\r
-will be able to see exactly what changes have occurred between Snort 2 and\r
-Snort 3 in addition to the new syntax, the original file’s comments, and\r
-all errors that have occurred. Finally, differences mode will not actually\r
-output a valid Snort 3 configuration. Instead, you can see the exact\r
-options from the input configuration that have changed.</p></div>\r
-<div class="sect3">\r
-<h4 id="_usage_snort2lua_options_8230_c_lt_snort_conf_gt_8230">Usage: snort2lua [OPTIONS]… -c <snort_conf> …</h4>\r
-<div class="paragraph"><p>Converts the Snort configuration file specified by the -c or --conf-file\r
-options into a Snort++ configuration file</p></div>\r
-<div class="sect4">\r
-<h5 id="_options">Options:</h5>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>-?</strong> show usage\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-h</strong> this overview of snort2lua\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-a</strong> default option. print all data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-c <snort_conf></strong> The Snort <snort_conf> file to convert\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-d</strong> print the differences, and only the differences, between the\r
- Snort and Snort++ configurations to the <out_file>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-e <error_file></strong> output all errors to <error_file>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-i</strong> if <snort_conf> file contains any <include_file> or\r
- <policy_file> (i.e. <em>include path/to/conf/other_conf</em>), do\r
- NOT parse those files\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-m</strong> add a remark to the end of every converted rule\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-o <out_file></strong> output the new Snort++ lua configuration to <out_file>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-q</strong> quiet mode. Only output valid configuration information to\r
- the <out_file>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-r <rule_file></strong> output any converted rule to <rule_file>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-s</strong> when parsing <include_file>, write <include_file>'s rules to\r
- <rule_file>. Meaningless if <em>-i</em> provided\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-t</strong> when parsing <include_file>, write <include_file>'s\r
- information, excluding rules, to <out_file>. Meaningless if\r
- <em>-i</em> provided\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-V</strong> Print the current Snort2Lua version\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--bind-wizard</strong> Add default wizard to bindings\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--bind-port</strong> Convert port bindings\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--conf-file</strong> Same as <em>-c</em>. A Snort <snort_conf> file which will be\r
- converted\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--dont-parse-includes</strong>\r
- Same as <em>-p</em>. if <snort_conf> file contains any\r
- <include_file> or <policy_file> (i.e. <em>include\r
- path/to/conf/other_conf</em>), do NOT parse those files\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--dont-convert-max-sessions</strong>\r
- do not convert max_tcp, max_udp, max_icmp, max_ip to\r
- max_session\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--error-file=<error_file></strong>\r
- Same as <em>-e</em>. output all errors to <error_file>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--help</strong> Same as <em>-h</em>. this overview of snort2lua\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--ips-policy-pattern</strong> Convert config bindings matching this path to ips policy\r
- bindings\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--markup</strong> print help in asciidoc compatible format\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--output-file=<out_file></strong>\r
- Same as <em>-o</em>. output the new Snort++ lua configuration to\r
- <out_file>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--print-all</strong> Same as <em>-a</em>. default option. print all data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--print-differences</strong> Same as <em>-d</em>. output the differences, and only the\r
- differences, between the Snort and Snort++ configurations to\r
- the <out_file>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--quiet</strong> Same as <em>-q</em>. quiet mode. Only output valid configuration\r
- information to the <out_file>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--remark</strong> same as <em>-m</em>. add a remark to the end of every converted\r
- rule\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--rule-file=<rule_file></strong>\r
- Same as <em>-r</em>. output any converted rule to <rule_file>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--single-conf-file</strong> Same as <em>-t</em>. when parsing <include_file>, write\r
- <include_file>'s information, excluding rules, to\r
- <out_file>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--single-rule-file</strong> Same as <em>-s</em>. when parsing <include_file>, write\r
- <include_file>'s rules to <rule_file>.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--version</strong> Same as <em>-V</em>. Print the current Snort2Lua version\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_required_option">Required option:</h5>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-A Snort configuration file to convert. Set with either <em>-c</em> or <em>--conf-file</em>\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_default_values">Default values:</h5>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<out_file> = snort.lua\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<rule_file> = <out_file> = snort.lua. Rules are written to the <em>local_rules</em> variable in the <out_file>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<error_file> = snort.rej. This file will not be created in quiet mode.\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-</div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_known_problems">Known Problems</h3>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-Any Snort 2 ‘string’ which is dependent on a variable will no longer\r
- have that variable in the Lua string.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Snort2Lua currently does not handle variables well. First, that means\r
- variables will not always be parsed correctly. Second, sometimes a\r
- variables value will be output in the lua file rather than a variable\r
- For instance, if Snort2Lua attempted to convert the line <em>include\r
- $RULE_PATH/example.rule</em>, the output may output <em>include\r
- /etc/rules/example.rule</em> instead.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-When Snort2Lua parses a ‘binding’ configuration file, the rules and\r
- configuration will automatically be combined into the same file. Also,\r
- the new files name will automatically become the old file’s name with a\r
- .lua extension. There is currently no way to specify or change that\r
- files name.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-If a rule’s action is a custom ruletype, that rule action will be\r
- silently converted to the rultype’s <em>type</em>. No warnings or errors are\r
- currently emitted. Additionally, the custom ruletypes outputs will be\r
- silently discarded.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-If the original configuration contains a binding that points to another\r
- file and the binding file contains an error, Snort2Lua will output the\r
- number of rejects for the binding file in addition to the number of\r
- rejects in the main file. The two numbers will eventually be combined\r
- into one output.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-If the original configuration contains a replace rule with alert action,\r
- Snort2Lua won’t translate the rule from alert to rewrite action. It will\r
- keep the action as alert, which does not actually replace the content in\r
- Snort 3. To replace content, the rule action needs to be rewrite, which\r
- can be added manually or by tooling.\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_usage_2">Usage</h3>\r
-<div class="paragraph"><p>Snort2Lua is included in the Snort 3 distribution. The Snort2Lua source\r
-code is located in the tools/snort2lua directory. The program is\r
-automatically built and installed.</p></div>\r
-<div class="paragraph"><p>Translating your configuration</p></div>\r
-<div class="paragraph"><p>To run Snort2Lua, the only requirement is a file containing Snort 2 syntax.\r
-Assuming your configuration file is named snort.conf, run the command</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort2lua –c snort.conf</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Snort2Lua will output a file named snort.lua. Assuming your snort.conf file\r
-is a valid Snort 2 configuration file, than the resulting snort.lua file\r
-will always be a valid Snort 3 configuration file; any errors that occur\r
-are because Snort 3 currently does not support all of the Snort 2 options.</p></div>\r
-<div class="paragraph"><p>Every keyword from the Snort configuration can be found in the output file.\r
-If the option or keyword has changed, then a comment containing both the\r
-option or keyword’s old name and new name will be present in the output\r
-file.</p></div>\r
-<div class="paragraph"><p>Translating a rule file</p></div>\r
-<div class="paragraph"><p>Snort2Lua can also accommodate translating individual rule files. Assuming\r
-the Snort 2 rule file is named snort.rules and you want the new rule file\r
-to be name updated.rules, run the command</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort2lua –c snort.rules -r updated.rules</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Snort2Lua will output a file named updated.rules. That file, updated.rules,\r
-will always be a valid Snort 3 rule file. Any rule that contains\r
-unsupported options will be a comment in the output file.</p></div>\r
-<div class="paragraph"><p>Understanding the Output</p></div>\r
-<div class="paragraph"><p>Although Snort2Lua outputs very little to the console, there are several\r
-things that occur when Snort2Lua runs. This is a list of Snort2Lua\r
-outputs.</p></div>\r
-<div class="paragraph"><p><em>The console</em>. Every line that Snort2Lua is unable to translate from the\r
-Snort 2.X format to the Snort 3 format is considered an error. Upon\r
-exiting, Snort2Lua will print the number of errors that occurred. Snort2Lua\r
-will also print the name of the error file.</p></div>\r
-<div class="paragraph"><p><em>The output file</em>. As previously mentioned, Snort2Lua will create a Lua\r
-file with valid Snort 3 syntax. The default Lua file is named snort.lua.\r
-This file is the equivalent of your main Snort 2 configuration file.</p></div>\r
-<div class="paragraph"><p><em>The rule file</em>. By default, all rules will be printed to the Lua file.\r
-However, if a rule file is specified on the command line, any rules found\r
-in the Snort 2 configuration will be written to the rule file instead</p></div>\r
-<div class="paragraph"><p><em>The error file</em>. By default, the error file is snort.rej. It will only be\r
-created if errors exist. Every error referenced on the command line can be\r
-found in this file. There are two reasons an error can occur.</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-The Snort 2 configuration file has invalid syntax. If Snort 2 cannot\r
- parse the configuration file, neither can Snort2Lua. In the example below,\r
- Snort2Lua could not convert the line <em>config bad_option</em>. Since that is not\r
- valid Snort 2 syntax, this is a syntax error.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-The Snort 2 configuration file contains preprocessors and rule options\r
- that are not supported in Snort 3. If Snort 2 can parse a line that\r
- Snort2Lua cannot parse, than Snort 3 does not support something in the line.\r
- As Snort 3 begins supporting these preprocessors and rule options, Snort2Lua\r
- will also begin translating these lines. One example of such an error is\r
- dcerpc2.\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Additional .lua and .rules files. Every time Snort2Lua parses the include\r
-or binding keyword, the program will attempt to parse the file referenced\r
-by the keyword. Snort2Lua will then create one or two new files. The new\r
-files will have a .lua or .rules extension appended to the original\r
-filename.</p></div>\r
-</div>\r
-</div>\r
-</div>\r
-<div class="sect1">\r
-<h2 id="_extending_snort">Extending Snort</h2>\r
-<div class="sectionbody">\r
-<div class="sect2">\r
-<h3 id="_plugins_3">Plugins</h3>\r
-<div class="paragraph"><p>Plugins have an associated API defined for each type, all of which share a\r
-common <em>header</em>, called the BaseApi. A dynamic library makes its plugins\r
-available by exporting the snort_plugins symbol, which is a null terminated\r
-array of BaseApi pointers.</p></div>\r
-<div class="paragraph"><p>The BaseApi includes type, name, API version, plugin version, and function\r
-pointers for constructing and destructing a Module. The specific API add\r
-various other data and functions for their given roles.</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_modules_2">Modules</h3>\r
-<div class="paragraph"><p>If we are defining a new Inspector called, say, gadget, it might be\r
-configured in snort.lua like this:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>gadget =\r
-{\r
- brain = true,\r
- claw = 3\r
-}</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>When the gadget table is processed, Snort will look for a module called\r
-gadget. If that Module has an associated API, it will be used to configure\r
-a new instance of the plugin. In this case, a GadgetModule would be\r
-instantiated, brain and claw would be set, and the Module instance would be\r
-passed to the GadgetInspector constructor.</p></div>\r
-<div class="paragraph"><p>Module has three key virtual methods:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>begin()</strong> - called when Snort starts processing the associated Lua\r
- table. This is a good place to allocate any required data and set\r
- defaults.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>set()</strong> - called to set each parameter after validation.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>end()</strong> - called when Snort finishes processing the associated Lua\r
- table. This is where additional integrity checks of related parameters\r
- should be done.\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>The configured Module is passed to the plugin constructor which pulls the\r
-configuration data from the Module. For non-trivial configurations, the\r
-working paradigm is that Module hands a pointer to the configured data to\r
-the plugin instance which takes ownership.</p></div>\r
-<div class="paragraph"><p>Note that there is at most one instance of a given Module, even if multiple\r
-plugin instances are created which use that Module. (Multiple instances\r
-require Snort binding configuration.)</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_inspectors">Inspectors</h3>\r
-<div class="paragraph"><p>There are several types of inspector, which determines which inspectors are\r
-executed when:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-IT_BINDER - determines which inspectors apply to given flows\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-IT_WIZARD - determines which service inspector to use if none explicitly\r
- bound\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-IT_PACKET - used to process all packets before session and service processing\r
- (e.g. normalize)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-IT_NETWORK - processes packets w/o service (e.g. arp_spoof, back_orifice)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-IT_STREAM - for flow tracking, ip defrag, and tcp reassembly\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-IT_SERVICE - for http, ftp, telnet, etc.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-IT_PROBE - process all packets after all the above (e.g. perf_monitor,\r
- port_scan)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_codecs">Codecs</h3>\r
-<div class="paragraph"><p>The Snort Codecs decipher raw packets. These Codecs are now completely\r
-pluggable; almost every Snort Codec can be built dynamically and replaced\r
-with an alternative, customized Codec. The pluggable nature has also made\r
-it easier to build new Codecs for protocols without having to touch the\r
-Snort code base.</p></div>\r
-<div class="paragraph"><p>The first step in creating a Codec is defining its class and protocol.\r
-Every Codec must inherit from the Snort Codec class defined in\r
-"framework/codec.h". The following is an example Codec named "example" and\r
-has an associated struct that is 14 bytes long.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>#include <cstdint>\r
-#include <arpa/inet.h>\r
-#include “framework/codec.h”\r
-#include "main/snort_types.h"</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>#define EX_NAME “example”\r
-#define EX_HELP “example codec help string”</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>struct Example\r
-{\r
- uint8_t dst[6];\r
- uint8_t src[6];\r
- uint16_t ethertype;</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code> static inline uint8_t size()\r
- { return 14; }\r
-}</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>class ExCodec : public Codec\r
-{\r
-public:\r
- ExCodec() : Codec(EX_NAME) { }\r
- ~ExCodec() { }</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code> bool decode(const RawData&, CodecData&, DecodeData&) override;\r
- void get_protocol_ids(std::vector<uint16_t>&) override;\r
-};</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>After defining ExCodec, the next step is adding the Codec’s decode\r
-functionality. The function below does this by implementing a valid decode\r
-function. The first parameter, which is the RawData struct, provides both a\r
-pointer to the raw data that has come from a wire and the length of that raw\r
-data. The function takes this information and validates that there are enough\r
-bytes for this protocol. If the raw data’s length is less than 14 bytes, the\r
-function returns false and Snort discards the packet; the packet is neither\r
-inspected nor processed. If the length is greater than 14 bytes, the function\r
-populates two fields in the CodecData struct, next_prot_id and lyr_len. The\r
-lyr_len field tells Snort the number of bytes that this layer contains. The\r
-next_prot_id field provides Snort the value of the next EtherType or IP\r
-protocol number.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>bool ExCodec::decode(const RawData& raw, CodecData& codec, DecodeData&)\r
-{\r
- if ( raw.len < Example::size() )\r
- return false;</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code> const Example* const ex = reinterpret_cast<const Example*>(raw.data);\r
- codec.next_prot_id = ntohs(ex->ethertype);\r
- codec.lyr_len = ex->size();\r
- return true;\r
-}</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>For instance, assume this decode function receives the following raw data with\r
-a validated length of 32 bytes:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>00 11 22 33 44 55 66 77 88 99 aa bb 08 00 45 00\r
-00 38 00 01 00 00 40 06 5c ac 0a 01 02 03 0a 09</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The Example struct’s EtherType field is the 13 and 14 bytes. Therefore, this\r
-function tells Snort that the next protocol has an EtherType of 0x0800.\r
-Additionally, since the lyr_len is set to 14, Snort knows that the next\r
-protocol begins 14 bytes after the beginning of this protocol. The Codec with\r
-EtherType 0x0800, which happens to be the IPv4 Codec, will receive the\r
-following data with a validated length of 18 ( == 32 – 14):</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>45 00 00 38 00 01 00 00 40 06 5c ac 0a 01 02 03\r
-0a 09</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>How does Snort know that the IPv4 Codec has an EtherType of 0x0800? The\r
-Codec class has a second virtual function named get_protocol_ids(). When\r
-implementing the function, a Codec can register for any number of values\r
-between 0x0000 - 0xFFFF. Then, if the next_proto_id is set to a value for which\r
-this Codec has registered, this Codec’s decode function will be called. As a\r
-general note, the protocol ids between [0, 0x00FF] are IP protocol numbers,\r
-[0x0100, 0x05FF] are custom types, and [0x0600, 0xFFFF] are EtherTypes.</p></div>\r
-<div class="paragraph"><p>For example, in the get_protocol_ids function below, the ExCodec registers for\r
-the protocols numbers 17, 787, and 2054. 17 happens to be the protocol number\r
-for UDP while 2054 is ARP’s EtherType. Therefore, this Codec will now attempt\r
-to decode UDP and ARP data. Additionally, if any Codec sets the\r
-next_protocol_id to 787, ExCodec’s decode function will be called. Some custom\r
-protocols are already defined in the file "protocols/protocol_ids.h"</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>void ExCodec::get_protocol_ids(std::vector<uint16_t>&v)\r
-{\r
- v.push_back(0x0011); // == 17 == UDP\r
- v.push_back(0x1313); // == 787 == custom\r
- v.push_back(0x0806); // == 2054 == ARP\r
-}</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>To register a Codec for Data Link Type’s rather than protocols, the function\r
-get_data_link_type() can be similarly implemented.</p></div>\r
-<div class="paragraph"><p>The final step to creating a pluggable Codec is the snort_plugins array. This\r
-array is important because when Snort loads a dynamic library, the program\r
-only find plugins that are inside the snort_plugins array. In other words, if a\r
-plugin has not been added to the snort_plugins array, that plugin will not be\r
-loaded into Snort.</p></div>\r
-<div class="paragraph"><p>Although the details will not be covered in this post, the following code\r
-snippet is a basic CodecApi that Snort can load. This snippet can be copied\r
-and used with only three minor changes. First, in the function ctor, ExCodec\r
-should be replaced with the name of the Codec that is being built. Second,\r
-EX_NAME must match the Codec’s name or Snort will be unable to load this Codec.\r
-Third, EX_HELP should be replaced with the general description of this Codec.\r
-Once this code snippet has been added, ExCodec is ready to be compiled and\r
-plugged into Snort.</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>static Codec* ctor(Module*)\r
-{ return new ExCodec; }</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>static void dtor(Codec *cd)\r
-{ delete cd; }</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>static const CodecApi ex_api =\r
-{\r
- {\r
- PT_CODEC,\r
- EX_NAME,\r
- EX_HELP,\r
- CDAPI_PLUGIN_V0,\r
- 0,\r
- nullptr,\r
- nullptr,\r
- },\r
- nullptr, // pointer to a function called during Snort's startup.\r
- nullptr, // pointer to a function called during Snort's exit.\r
- nullptr, // pointer to a function called during thread's startup.\r
- nullptr, // pointer to a function called during thread's destruction.\r
- ctor, // pointer to the codec constructor.\r
- dtor, // pointer to the codec destructor.\r
-};</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>SO_PUBLIC const BaseApi* snort_plugins[] =\r
-{\r
- &ex_api.base,\r
- nullptr\r
-};</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Two example Codecs are available in the extra directory on git and the extra\r
-tarball on the Snort page. One of those examples is the Token Ring Codec\r
-while the other example is the PIM Codec.</p></div>\r
-<div class="paragraph"><p>As a final note, there are four more virtual functions that a Codec should\r
-implement: encode, format, update, and log. If the functions are not\r
-implemented Snort will not throw any errors. However, Snort may also be unable\r
-to accomplish some of its basic functionality.</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-encode is called whenever Snort actively responds and needs to builds a\r
- packet, i.e. whenever a rule using an IPS ACTION like react, reject, or rewrite\r
- is triggered. This function is used to build the response packet protocol by\r
- protocol.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-format is called when Snort is rebuilding a packet. For instance, every time\r
- Snort reassembles a TCP stream or IP fragment, format is called. Generally,\r
- this function either swaps any source and destination fields in the protocol or\r
- does nothing.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-update is similar to format in that it is called when Snort is reassembling a\r
- packet. Unlike format, this function only sets length fields.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-log is called when either the log_codecs logger or a custom logger that calls\r
- PacketManager::log_protocols is used when running Snort.\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_ips_actions">IPS Actions</h3>\r
-<div class="paragraph"><p>Action plugins specify a builtin action in the API which is used to\r
-determine verdict. (Conversely, builtin actions don’t have an associated\r
-plugin function.)</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_piglet_test_harness">Piglet Test Harness</h3>\r
-<div class="paragraph"><p>In order to assist with plugin development, an experimental mode called "piglet" mode\r
-is provided. With piglet mode, you can call individual methods for a specific plugin.\r
-The piglet tests are specified as Lua scripts. Each piglet test script defines a test\r
-for a specific plugin.</p></div>\r
-<div class="paragraph"><p>Here is a minimal example of a piglet test script for the IPv4 Codec plugin:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>plugin =\r
-{\r
- type = "piglet",\r
- name = "codec::ipv4",\r
- use_defaults = true,\r
- test = function()\r
- local daq_header = DAQHeader.new()\r
- local raw_buffer = RawBuffer.new("some data")\r
- local codec_data = CodecData.new()\r
- local decode_data = DecodeData.new()</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code> return Codec.decode(\r
- daq_header,\r
- raw_buffer,\r
- codec_data,\r
- decode_data\r
- )\r
- end\r
-}</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>To run snort in piglet mode, first build snort with the ENABLE_PIGLET option turned on\r
-(pass the flag -DENABLE_PIGLET:BOOL=ON in cmake).</p></div>\r
-<div class="paragraph"><p>Then, run the following command:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort --script-path $test_scripts --piglet</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>(where $test_scripts is the directory containing your piglet tests).</p></div>\r
-<div class="paragraph"><p>The test runner will generate a check-like output, indicating the\r
-the results of each test script.</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_piglet_lua_api">Piglet Lua API</h3>\r
-<div class="paragraph"><p>This section documents the API that piglet exposes to Lua.\r
-Refer to the piglet directory in the source tree for examples of usage.</p></div>\r
-<div class="paragraph"><p>Note: Because of the differences between the Lua and C++ data model and type\r
-system, not all parameters map directly to the parameters of the underlying\r
-C\++ member functions. Every effort has been made to keep the mappings consist,\r
-but there are still some differences. They are documented below.</p></div>\r
-<div class="sect3">\r
-<h4 id="_plugin_instances">Plugin Instances</h4>\r
-<div class="paragraph"><p>For each test, piglet instantiates plugin specified in the <code>name</code> field of the\r
-<code>plugin</code> table. The virtual methods of the instance are exposed in a table\r
-unique to each plugin type. The name of the table is the CamelCase name of the\r
-plugin type.</p></div>\r
-<div class="paragraph"><p>For example, codec plugins have a virtual method called <code>decode</code>. This method\r
-is called like this:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>Codec.decode(...)</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p><strong>Codec</strong></p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<code>Codec.get_data_link_type() → { int, int, … }</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Codec.get_protocol_ids() → { int, int, … }</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Codec.decode(DAQHeader, RawBuffer, CodecData, DecodeData) → bool</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Codec.log(RawBuffer, uint[lyr_len])</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Codec.encode(RawBuffer, EncState, Buffer) → bool</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Codec.update(uint[flags_hi], uint[flags_lo], RawBuffer, uint[lyr_len] → int</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Codec.format(bool[reverse], RawBuffer, DecodeData)</code>\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Differences:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-In <code>Codec.update()</code>, the <code>(uint64_t) flags</code> parameter has been split into\r
-<code>flags_hi</code> and <code>flags_lo</code>\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p><strong>Inspector</strong></p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<code>Inspector.configure()</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Inspector.tinit()</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Inspector.tterm()</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Inspector.likes(Packet)</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Inspector.eval(Packet)</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Inspector.clear(Packet)</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Inspector.get_buf_from_key(string[key], Packet, RawBuffer) → bool</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Inspector.get_buf_from_id(uint[id], Packet, RawBuffer) → bool</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Inspector.get_buf_from_type(uint[type], Packet, RawBuffer) → bool</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Inspector.get_splitter(bool[to_server]) → StreamSplitter</code>\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Differences:\r
-* In <code>Inspector.configure()</code>, the <code>SnortConfig*</code> parameter is passed implicitly.\r
-* the overloaded <code>get_buf()</code> member function has been split into three separate methods.</p></div>\r
-<div class="paragraph"><p><strong>IpsOption</strong></p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<code>IpsOption.hash() → int</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>IpsOption.is_relative() → bool</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>IpsOption.fp_research() → bool</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>IpsOption.get_cursor_type() → int</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>IpsOption.eval(Cursor, Packet) → int</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>IpsOption.action(Packet)</code>\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p><strong>IpsAction</strong></p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<code>IpsAction.exec(Packet)</code>\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p><strong>Logger</strong></p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<code>Logger.open()</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Logger.close()</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Logger.reset()</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Logger.alert(Packet, string[message], Event)</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Logger.log(Packet, string[message], Event)</code>\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p><strong>SearchEngine</strong></p></div>\r
-<div class="paragraph"><p>Currently, SearchEngine does not expose any methods.</p></div>\r
-<div class="paragraph"><p><strong>SoRule</strong></p></div>\r
-<div class="paragraph"><p>Currently, SoRule does not expose any methods.</p></div>\r
-<div class="sect4">\r
-<h5 id="_interface_objects">Interface Objects</h5>\r
-<div class="paragraph"><p>Many of the plugins take C++ classes and structs as arguments. These objects\r
-are exposed to the Lua API as Lua userdata. Exposed objects are instantiated\r
-by calling the <code>new</code> method from each object’s method table.</p></div>\r
-<div class="paragraph"><p>For example, the DecodeData object can be instantiated and exposed to Lua\r
-like this:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>local decode_data = DecodeData.new(...)</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Each object also exposes useful methods for getting and setting member variables,\r
-and calling the C++ methods contained in the the object. These methods can\r
-be accessed using the <code>:</code> accessor syntax:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>decode_data:set({ sp = 80, dp = 3500 })</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Since this is just syntactic sugar for passing the object as the first parameter\r
-of the function <code>DecodeData.set</code>, an equivalent form is:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>decode_data.set(decode_data, { sp = 80, dp = 3500 })</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>or even:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>DecodeData.set(decode_data, { sp = 80, dp = 3500 })</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p><strong>Buffer</strong></p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<code>Buffer.new(string[data]) → Buffer</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Buffer.new(uint[length]) → Buffer</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Buffer.new(RawBuffer) → Buffer</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Buffer:allocate(uint[length]) → bool</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Buffer:clear()</code>\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p><strong>CodecData</strong></p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<code>CodecData.new() → CodecData</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>CodecData.new(uint[next_prot_id]) → CodecData</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>CodecData.new(fields) → CodecData</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>CodecData:get() → fields</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>CodecData:set(fields)</code>\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p><code>fields</code> is a table with the following contents:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<code>next_prot_id</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>lyr_len</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>invalid_bytes</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>proto_bits</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>codec_flags</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>ip_layer_cnt</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>ip6_extension_count</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>curr_ip6_extension</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>ip6_csum_proto</code>\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p><strong>Cursor</strong></p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<code>Cursor.new() → Cursor</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Cursor.new(Packet) → Cursor</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Cursor.new(string[data]) → Cursor</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Cursor.new(RawBuffer) → Cursor</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Cursor:reset()</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Cursor:reset(Packet)</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Cursor:reset(string[data])</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Cursor:reset(RawBuffer)</code>\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p><strong>DAQHeader</strong></p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<code>DAQHeader.new() → DAQHeader</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>DAQHeader.new(fields) → DAQHeader</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>DAQHeader:get() → fields</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>DAQHeader:set(fields)</code>\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p><code>fields</code> is a table with the following contents:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<code>caplen</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>pktlen</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>ingress_index</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>egress_index</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>ingress_group</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>egress_group</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>flags</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>opaque</code>\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p><strong>DecodeData</strong></p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<code>DecodeData.new() → DecodeData</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>DecodeData.new(fields) → DecodeData</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>DecodeData:reset()</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>DecodeData:get() → fields</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>DecodeData:set(fields)</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>DecodeData:set_ipv4_hdr(RawBuffer, uint[offset])</code>\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p><code>fields</code> is a table with the following contents:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<code>sp</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>dp</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>decode_flags</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>type</code>\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p><strong>EncState</strong></p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<code>EncState.new() → EncState</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>EncState.new(uint[flags_lo]) → EncState</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>EncState.new(uint[flags_lo], uint[flags_hi]) → EncState</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>EncState.new(uint[flags_lo], uint[flags_hi], uint[next_proto]) → EncState</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>EncState.new(uint[flags_lo], uint[flags_hi], uint[next_proto], uint[ttl]) → EncState</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>EncState.new(uint[flags_lo], uint[flags_hi], uint[next_proto], uint[ttl], uint[dsize]) → EncState</code>\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p><strong>Event</strong></p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<code>Event.new() → Event</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Event.new(fields) → Event</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Event:get() → fields</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Event:set(fields)</code>\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p><code>fields</code> is a table with the following contents:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<code>event_id</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>event_reference</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>sig_info</code>\r
-</p>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<code>generator</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>id</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>rev</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>class_id</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>priority</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>text_rule</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>num_services</code>\r
-</p>\r
-</li>\r
-</ul></div>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p><strong>Flow</strong></p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<code>Flow.new() → Flow</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Flow:reset()</code>\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p><strong>Packet</strong></p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<code>Packet.new() → Packet</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Packet.new(string[data]) → Packet</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Packet.new(uint[size]) → Packet</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Packet.new(fields) → Packet</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Packet.new(RawBuffer) → Packet</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Packet.new(DAQHeader) → Packet</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Packet:set_decode_data(DecodeData)</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Packet:set_data(uint[offset], uint[length])</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Packet:set_flow(Flow)</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Packet:get() → fields</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Packet:set() </code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Packet:set(string[data]) </code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Packet:set(uint[size]) </code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Packet:set(fields) </code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Packet:set(RawBuffer) </code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>Packet:set(DAQHeader) </code>\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p><code>fields</code> is a table with the following contents:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<code>packet_flags</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>xtradata_mask</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>proto_bits</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>application_protocol_ordinal</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>alt_dsize</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>num_layers</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>iplist_id</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>user_policy_id</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>ps_proto</code>\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Note: <code>Packet.new()</code> and <code>Packet:set()</code> accept multiple arguments of the\r
-types described above in any order</p></div>\r
-<div class="paragraph"><p><strong>RawBuffer</strong></p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<code>RawBuffer.new() → RawBuffer</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>RawBuffer.new(uint[size]) → RawBuffer</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>RawBuffer.new(string[data]) → RawBuffer</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>RawBuffer:size() → int</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>RawBuffer:resize(uint[size])</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>RawBuffer:write(string[data])</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>RawBuffer:write(string[data], uint[size])</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>RawBuffer:read() → string</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>RawBuffer:read(uint[end]) → string</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>RawBuffer:read(uint[start], uint[end]) → string</code>\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Note: calling <code>RawBuffer.new()</code> with no arguments returns a RawBuffer of size 0</p></div>\r
-<div class="paragraph"><p><strong>StreamSplitter</strong></p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<code>StreamSplitter:scan(Flow, RawBuffer) → int, int</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>StreamSplitter:scan(Flow, RawBuffer, uint[len]) → int, int</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>StreamSplitter:scan(Flow, RawBuffer, uint[len], uint[flags]) → int, int</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>StreamSplitter:reassemble(Flow, uint[total], uint[offset], RawBuffer) → int, RawBuffer</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>StreamSplitter:reassemble(Flow, uint[total], uint[offset], RawBuffer, uint[len]) → int, RawBuffer</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>StreamSplitter:reassemble(Flow, uint[total], uint[offset], RawBuffer, uint[len], uint[flags]) → int, RawBuffer</code>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<code>StreamSplitter:finish(Flow) → bool</code>\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Note: StreamSplitter does not have a <code>new()</code> method, it must be created by an inspector via\r
-<code>Inspector.get_splitter()</code></p></div>\r
-</div>\r
-</div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_developers_guide">Developers Guide</h3>\r
-<div class="paragraph"><p>Run doc/dev_guide.sh to generate /tmp/dev_guide.html, an annotated guide to\r
-the source tree.</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_performance_considerations_for_developers">Performance Considerations for Developers</h3>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-Since C compilers evaluate compound conditional expression from left to\r
- right, put the costly condition last. Put the often-false condition first\r
- in && expression. Put the often-true condition first in || expression.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Use emplace_back/emplace instead of push_back/insert on STL containers.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-In general, unordered_map is faster than map for frequent lookups using\r
- integer key on relatively static collection of unsorted elements. Whereas,\r
- map is faster for frequent insertions/deletions/iterations and for\r
- non-integer key such as string or custom objects. Consider the same factors\r
- when deciding ordered vs. unordered multimap and set.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Iterate using range-based for loop with reference (i.e., auto&).\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Be mindful of construction and destruction of temporary objects which can\r
- be wasteful. Consider using std::move, std::swap, lvalue reference (&),\r
- and rvalue reference (&&).\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Avoid thread-local storage. When unavoidable, minimize frequent TLS access\r
- by caching it to a local variable.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-When writing inter-library APIs, consider interfaces depending on use cases\r
- to minimize context switching. For example, if two APIs foo() and bar() are\r
- needed to call, combine these into a single API to minimize jumps.\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-</div>\r
-</div>\r
-<div class="sect1">\r
-<h2 id="_coding_style">Coding Style</h2>\r
-<div class="sectionbody">\r
-<div class="paragraph"><p>All new code should try to follow these style guidelines. These are not\r
-yet firm so feedback is welcome to get something we can live with.</p></div>\r
-<div class="sect2">\r
-<h3 id="_general">General</h3>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-Generally try to follow\r
- <a href="https://google.github.io/styleguide/cppguide.html">https://google.github.io/styleguide/cppguide.html</a>,\r
- but there are some differences documented here.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Each source directory should have a dev_notes.txt file summarizing the\r
- key points and design decisions for the code in that directory. These\r
- are built into the developers guide.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Makefile.am and CMakeLists.txt should have the same files listed in alpha\r
- order. This makes it easier to maintain both build systems.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-All new code must come with unit tests providing 95% coverage or better.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Generally, Catch is preferred for tests in the source file and CppUTest\r
- is preferred for test executables in a test subdirectory.\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_c_specific">C++ Specific</h3>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-Do not use exceptions. Exception-safe code is non-trivial and we have\r
- ported legacy code that makes use of exceptions unwise. There are a few\r
- exceptions to this rule for the memory manager, shell, etc. Other code\r
- should handle errors as errors.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Do not use dynamic_cast or RTTI. Although compilers are getting better\r
- all the time, there is a time and space cost to this that is easily\r
- avoided.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Use smart pointers judiciously as they aren’t free. If you would have to\r
- roll your own, then use a smart pointer. If you just need a dtor to\r
- delete something, write the dtor.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Prefer <em>and</em> over && and <em>or</em> over || for new source files.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Use nullptr instead of NULL.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Use new, delete, and their [] counterparts instead of malloc and free\r
- except where realloc must be used. But try not to use realloc. New and\r
- delete can’t return nullptr so no need to check. And Snort’s memory\r
- manager will ensure that we live within our memory budget.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Use references in lieu of pointers wherever possible.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Use the order public, protected, private top to bottom in a class\r
- declaration.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Keep inline functions in a class declaration very brief, preferably just\r
- one line. If you need a more complex inline function, move the\r
- definition below the class declaration.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-The goal is to have highly readable class declarations. The user\r
- shouldn’t have to sift through implementation details to see what is\r
- available to the client.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Any using statements in source files should be added only after all\r
- includes have been declared.\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_naming">Naming</h3>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-Use camel case for namespaces, classes, and types like WhizBangPdfChecker.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Use lower case identifiers with underscore separators, e.g. some_function()\r
- and my_var.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Do not start or end variable names with an underscore. This has a good\r
- chance of conflicting with macro and/or system definitions.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Use lower case filenames with underscores.\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_comments">Comments</h3>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-Write comments sparingly with a mind towards future proofing. Often the\r
- comments can be obviated with better code. Clear code is better than a\r
- comment.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Heed Tim Ottinger’s Rules on Comments (<a href="https://disqus.com/by/tim_ottinger/">https://disqus.com/by/tim_ottinger/</a>):\r
-</p>\r
-<div class="olist arabic"><ol class="arabic">\r
-<li>\r
-<p>\r
-Comments should only say what the code is incapable of saying.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Comments that repeat (or pre-state) what the code is doing must be\r
- removed.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-If the code CAN say what the comment is saying, it must be changed at\r
- least until rule #2 is in force.\r
-</p>\r
-</li>\r
-</ol></div>\r
-</li>\r
-<li>\r
-<p>\r
-Function comment blocks are generally just noise that quickly becomes\r
- obsolete. If you absolutely must comment on parameters, put each on a\r
- separate line along with the comment. That way changing the signature\r
- may prompt a change to the comments too.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Use FIXIT (not FIXTHIS or TODO or whatever) to mark things left for a\r
- day or even just a minute. That way we can find them easily and won’t\r
- lose track of them.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Presently using FIXIT-X where X is one of the characters below. Place A\r
- and W comments on the exact warning line so we can match up comments and\r
- build output. Supporting comments can be added above.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-A = known static analysis issue\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-D = deprecated - code to be removed after users update\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-E = enhancement - next steps for incomplete features (not a bug)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-H = high priority - urgent deficiency\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-L = low priority - cleanup or similar technical debt (not a bug)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-M = medium priority - suspected non-urgent deficiency\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-P = performance issue (not a bug)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-W = warning - known compiler warning\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Put the copyright(s) and license in a comment block at the top of each\r
- source file (.h and .cc). Don’t bother with trivial scripts and make\r
- foo. Some interesting Lua code should get a comment block too. Copy and\r
- paste exactly from src/main.h (don’t reformat).\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Put author, description, etc. in separate comment(s) following the\r
- license. Do not put such comments in the middle of the license foo.\r
- Be sure to put the author line ahead of the header guard to exclude them\r
- from the developers guide. Use the following format, and include a\r
- mention to the original author if this is derived work:\r
-</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>// ips_dnp3_obj.cc author Maya Dagon <mdagon@cisco.com>\r
-// based on work by Ryan Jordan</code></pre>\r
-</div></div>\r
-</li>\r
-<li>\r
-<p>\r
-Each header should have a comment immediately after the header guard to\r
- give an overview of the file so the reader knows what’s going on.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Use the following comment on switch cases that intentionally fall through\r
- to the next case to suppress compiler warning on known valid cases:\r
-</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>// fallthrough</code></pre>\r
-</div></div>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_logging">Logging</h3>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-Messages intended for the user should not look like debug messages. Eg,\r
- the function name should not be included. It is generally unhelpful to\r
- include pointers.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Most debug messages should just be deleted.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Don’t bang your error messages (no !). The user feels bad enough about the\r
- problem already w/o you shouting at him.\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_types">Types</h3>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-Use logical types to make the code clearer and to help the compiler catch\r
- problems. typedef uint16_t Port; bool foo(Port) is way better than\r
- int foo(int port).\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Use forward declarations (e.g. struct SnortConfig;) instead of void*.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Try not to use extern data unless absolutely necessary and then put the\r
- extern in an appropriate header. Exceptions for things used in exactly\r
- one place like BaseApi pointers.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Use const liberally. In most cases, const char* s = "foo" should be\r
- const char* const s = "foo". The former goes in the initialized data\r
- section and the latter in read only data section.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-But use const char s[] = "foo" instead of const char* s = "foo" when\r
- possible. The latter form allocates a pointer variable and the data\r
- while the former allocates only the data.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Use static wherever possible to minimize public symbols and eliminate\r
- unneeded relocations.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Declare functions virtual only in the parent class introducing the\r
- function (not in a derived class that is overriding the function).\r
- This makes it clear which class introduces the function.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Declare functions as override if they are intended to override a\r
- function. This makes it possible to find derived implementations that\r
- didn’t get updated and therefore won’t get called due a change in the\r
- parent signature.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Use bool functions instead of int unless there is truly a need for\r
- multiple error returns. The C-style use of zero for success and -1 for\r
- error is less readable and often leads to messy code that either ignores\r
- the various errors anyway or needlessly and ineffectively tries to do\r
- something about them. Generally that code is not updated if new errors\r
- are added.\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_macros_aka_defines">Macros (aka defines)</h3>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-In many cases, even in C++, use #define name "value" instead of a\r
- const char* const name = "value" because it will eliminate a symbol from\r
- the binary.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Use inline functions instead of macros where possible (pretty much all\r
- cases except where stringification is necessary). Functions offer better\r
- typing, avoid re-expansions, and a debugger can break there.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-All macros except simple const values should be wrapped in () and all\r
- args should be wrapped in () too to avoid surprises upon expansion.\r
- Example:\r
-</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>#define SEQ_LT(a,b) ((int)((a) - (b)) < 0)</code></pre>\r
-</div></div>\r
-</li>\r
-<li>\r
-<p>\r
-Multiline macros should be blocked (i.e. inside { }) to avoid if-else type\r
- surprises.\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_formatting">Formatting</h3>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-Try to keep all source files under 2500 lines. 3000 is the max allowed.\r
- If you need more lines, chances are that the code needs to be refactored.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Indent 4 space chars … no tabs!\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-If you need to indent many times, something could be rewritten or\r
- restructured to make it clearer. Fewer indents is generally easier to\r
- write, easier to read, and overall better code.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Braces go on the line immediately following a new scope (function\r
- signature, if, else, loop, switch, etc.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Use consistent spacing and line breaks. Always indent 4 spaces from the\r
- breaking line. Keep lines less than 100 chars; it greatly helps\r
- readability.\r
-</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>No:\r
- calling_a_func_with_a_long_name(arg1,\r
- arg2,\r
- arg3);</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>Yes:\r
- calling_a_func_with_a_long_name(\r
- arg1, arg2, arg3);</code></pre>\r
-</div></div>\r
-</li>\r
-<li>\r
-<p>\r
-Put function signature on one line, except when breaking for the arg\r
- list:\r
-</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>No:\r
- inline\r
- bool foo()\r
- { // ...</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>Yes:\r
- inline bool foo()\r
- { // ...</code></pre>\r
-</div></div>\r
-</li>\r
-<li>\r
-<p>\r
-Put conditional code on the line following the if so it is easy to break\r
- on the conditional block:\r
-</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>No:\r
- if ( test ) foo();</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>Yes:\r
- if ( test )\r
- foo();</code></pre>\r
-</div></div>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_headers">Headers</h3>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-Don’t hesitate to create a new header if it is needed. Don’t lump\r
- unrelated stuff into an header because it is convenient.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Write header guards like this (leading underscores are reserved for\r
- system stuff). In my_header.h:\r
-</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>#ifndef MY_HEADER_H\r
-#define MY_HEADER_H\r
-// ...\r
-#endif</code></pre>\r
-</div></div>\r
-</li>\r
-<li>\r
-<p>\r
-Includes from a different directory should specify parent directory.\r
- This makes it clear exactly what is included and avoids the primordial\r
- soup that results from using -I this -I that -I the_other_thing … .\r
-</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>// given:\r
-src/foo/foo.cc\r
-src/bar/bar.cc\r
-src/bar/baz.cc</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>// in baz.cc\r
-#include "bar.h"</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>// in foo.cc\r
-#include "bar/bar.h"</code></pre>\r
-</div></div>\r
-</li>\r
-<li>\r
-<p>\r
-Includes within installed headers should specify parent directory.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Just because it is a #define doesn’t mean it goes in a header.\r
- Everything should be scoped as tightly as possible. Shared\r
- implementation declarations should go in a separate header from the\r
- interface. And so on.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-All .cc files should include config.h with the standard block shown below\r
- immediately following the initial comment blocks and before anything else.\r
- This presents a consistent view of all included header files as well as\r
- access to any other configure-time definitions. No .h files should include\r
- config.h unless they are guaranteed to be local header files (never\r
- installed).\r
-</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>#ifdef HAVE_CONFIG_H\r
-#include "config.h"\r
-#endif</code></pre>\r
-</div></div>\r
-</li>\r
-<li>\r
-<p>\r
-A .cc should include its own .h before any others aside from the\r
- aforementioned config.h (including system headers). This ensures that the\r
- header stands on its own and can be used by clients without include\r
- prerequisites and the developer will be the first to find a dependency issue.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Split headers included from the local directory into a final block of\r
- headers. For a .cc file, the final order of sets of header includes should\r
- look like this:\r
-</p>\r
-<div class="olist arabic"><ol class="arabic">\r
-<li>\r
-<p>\r
-config.h\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-its own .h file\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-system headers (.h/.hpp/.hxx)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-C++ standard library headers (no file extension)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Snort headers external to the local directory (path-prefixed)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Snort headers in the local directory\r
-</p>\r
-</li>\r
-</ol></div>\r
-</li>\r
-<li>\r
-<p>\r
-Include required headers, all required headers, and nothing but required\r
- headers. Don’t just clone a bunch of headers because it is convenient.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Keep includes in alphabetical order. This makes it easier to maintain, avoid\r
- duplicates, etc.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Do not put using statements in headers unless they are tightly scoped.\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_warnings">Warnings</h3>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-With g++, use at least these compiler flags:\r
-</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>-Wall -Wextra -pedantic -Wformat -Wformat-security\r
--Wunused-but-set-variable -Wno-deprecated-declarations\r
--fsanitize=address -fno-omit-frame-pointer</code></pre>\r
-</div></div>\r
-</li>\r
-<li>\r
-<p>\r
-With clang, use at least these compiler flags:\r
-</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>-Wall -Wextra -pedantic -Wformat -Wformat-security\r
--Wno-deprecated-declarations\r
--fsanitize=address -fno-omit-frame-pointer</code></pre>\r
-</div></div>\r
-</li>\r
-<li>\r
-<p>\r
-Two macros (PADDING_GUARD_BEGIN and PADDING_GUARD_END) are provided by\r
- utils/cpp_macros.h. These should be used to surround any structure used as\r
- a hash key with a raw comparator or that would otherwise suffer from\r
- unintentional padding. A compiler warning will be generated if any structure\r
- definition is automatically padded between the macro invocations.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Then Fix All Warnings and Aborts. None Allowed.\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_uncrustify">Uncrustify</h3>\r
-<div class="paragraph"><p>Currently using uncrustify from at <a href="https://github.com/bengardner/uncrustify">https://github.com/bengardner/uncrustify</a>\r
-to reformat legacy code and anything that happens to need a makeover at\r
-some point.</p></div>\r
-<div class="paragraph"><p>The working config is crusty.cfg in the top level directory. It does well\r
-but will munge some things. Specially formatted INDENT-OFF comments were\r
-added in 2 places to avoid a real mess.</p></div>\r
-<div class="paragraph"><p>You can use uncrustify something like this:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>uncrustify -c crusty.cfg --replace file.cc</code></pre>\r
-</div></div>\r
-</div>\r
-</div>\r
-</div>\r
-<div class="sect1">\r
-<h2 id="_reference_2">Reference</h2>\r
-<div class="sectionbody">\r
-<div class="sect2">\r
-<h3 id="_build_options_2">Build Options</h3>\r
-<div class="paragraph"><p>The options listed below must be explicitly enabled so they are built\r
-into the Snort binary. For a full list of build options, run ./configure\r
---help.</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>--enable-shell</strong>: enable building local and remote command line shell\r
- support.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--enable-tsc-clock</strong>: use the TSC register on x86 systems for improved\r
- performance of latency and profiler features.\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>These options are built only if the required libraries and headers are\r
-present. There is no need to explicitly enable.</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>flatbuffers</strong>: for an alternative perf_monitor logging format.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>hyperscan</strong> >= 4.4.0: for the regex and sd_pattern rule options and the hyperscan\r
- search engine.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>iconv</strong>: for converting UTF16-LE filenames to UTF8 (usually included in glibc)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>libunwind</strong>: for printing a backtrace when a fatal signal is received.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>lzma</strong>: for decompression of SWF and PDF files.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>safec</strong>: for additional runtime error checking of some memory copy operations.\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>If you need to use headers and/or libraries in non-standard locations, you\r
-can use these options:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>--with-pkg-includes</strong>: specify the directory containing the package\r
- headers.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--with-pkg-libraries</strong>: specify the directory containing the package\r
- libraries.\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>These can be used for pcap, luajit, pcre, dnet, daq, lzma, openssl,\r
-flatbuffers, iconv, and hyperscan packages. For more information on\r
-these libraries see the Getting Started section of the manual.</p></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_environment_variables">Environment Variables</h3>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>HOSTTYPE</strong>: optional string that is output with the version at end of\r
- line.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>SNORT_IGNORE</strong>: the list of symbols Snort should ignore when parsing the\r
- Lua conf. Unknown symbols not in SNORT_IGNORE will cause warnings with\r
- --warn-unknown or fatals with --warn-unknown --pedantic.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>SNORT_PROMPT</strong>: the character sequence that is printed at startup,\r
- shutdown, and in the shell. The default is the mini-pig: o")~ .\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>SNORT_PLUGIN_PATH</strong>: an optional path where Snort can find supplemental\r
- shared libraries. This is only used when Snort is building manuals.\r
- Modules in supplemental shared libraries will be added to the manuals.\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_command_line_options">Command Line Options</h3>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>-?</strong> <option prefix> output matching command line option quick help (same as --help-options) (optional)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-A</strong> <mode> set alert mode: none, cmg, or alert_*\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-B</strong> <mask> obfuscated IP addresses in alerts and packet dumps using CIDR mask\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-C</strong> print out payloads with character data only (no hex)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-c</strong> <conf> use this configuration\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-D</strong> run Snort in background (daemon) mode\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-d</strong> dump the Application Layer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-e</strong> display the second layer header info\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-f</strong> turn off fflush() calls after binary log writes\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-G</strong> <0xid> (same as --logid) (0:65535)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-g</strong> <gname> run snort gid as <gname> group (or gid) after initialization\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-H</strong> make hash tables deterministic\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-i</strong> <iface>… list of interfaces\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-j</strong> <port> to listen for Telnet connections\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-k</strong> <mode> checksum mode; default is all (all|noip|notcp|noudp|noicmp|none)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-L</strong> <mode> logging mode (none, dump, pcap, or log_*)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-l</strong> <logdir> log to this directory instead of current directory\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-M</strong> log messages to syslog (not alerts)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-m</strong> <umask> set the process file mode creation mask (0x000:0x1FF)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-n</strong> <count> stop after count packets (0:max53)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-O</strong> obfuscate the logged IP addresses\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-Q</strong> enable inline mode operation\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-q</strong> quiet mode - suppress normal logging on stdout\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-R</strong> <rules> include this rules file in the default policy\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-r</strong> <pcap>… (same as --pcap-list)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-S</strong> <x=v> set config variable x equal to value v\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-s</strong> <snap> (same as --snaplen); default is 1518 (68:65535)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-T</strong> test and report on the current Snort configuration\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-t</strong> <dir> chroots process to <dir> after initialization\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-U</strong> use UTC for timestamps\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-u</strong> <uname> run snort as <uname> or <uid> after initialization\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-V</strong> (same as --version)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-v</strong> be verbose\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-X</strong> dump the raw packet data starting at the link layer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-x</strong> same as --pedantic\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-y</strong> include year in timestamp in the alert and log files\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-z</strong> <count> maximum number of packet threads (same as --max-packet-threads); 0 gets the number of CPU cores reported by the system; default is 1 (0:max32)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--alert-before-pass</strong> evaluate alert rules before pass rules; default is pass rules first\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--bpf</strong> <filter options> are standard BPF options, as seen in TCPDump\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--c2x</strong> output hex for given char (see also --x2c)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--control-socket</strong> <file> to create unix socket\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--create-pidfile</strong> create PID file, even when not in Daemon mode\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--daq</strong> <type> select packet acquisition module (default is pcap)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--daq-batch-size</strong> <size> set the DAQ receive batch size (1:)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--daq-dir</strong> <dir> tell snort where to find desired DAQ\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--daq-list</strong> list packet acquisition modules available in optional dir, default is static modules only\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--daq-mode</strong> <mode> select DAQ module operating mode (overrides automatic selection) (passive | inline | read-file)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--daq-var</strong> <name=value> specify extra DAQ configuration variable\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--dirty-pig</strong> don’t flush packets on shutdown\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--dump-builtin-rules</strong> [<module prefix>] output stub rules for selected modules (optional)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--dump-dynamic-rules</strong> output stub rules for all loaded rules libraries\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--dump-defaults</strong> [<module prefix>] output module defaults in Lua format (optional)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--dump-rule-deps</strong> dump rule dependencies in json format for use by other tools\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--dump-rule-meta</strong> dump configured rule info in json format for use by other tools\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--dump-rule-state</strong> dump configured rule state in json format for use by other tools\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--dump-version</strong> output the version, the whole version, and only the version\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--enable-inline-test</strong> enable Inline-Test Mode Operation\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--gen-msg-map</strong> dump configured rules in gen-msg.map format for use by other tools\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--help</strong> list command line options\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--help-commands</strong> [<module prefix>] output matching commands (optional)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--help-config</strong> [<module prefix>] output matching config options (optional)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--help-counts</strong> [<module prefix>] output matching peg counts (optional)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--help-limits</strong> print the int upper bounds denoted by max*\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--help-module</strong> <module> output description of given module\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--help-modules</strong> list all available modules with brief help\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--help-options</strong> [<option prefix>] output matching command line option quick help (same as -?) (optional)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--help-plugins</strong> list all available plugins with brief help\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--help-signals</strong> dump available control signals\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--id-offset</strong> offset to add to instance IDs when logging to files (0:65535)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--id-subdir</strong> create/use instance subdirectories in logdir instead of instance filename prefix\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--id-zero</strong> use id prefix / subdirectory even with one packet thread\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--ignore-warn-flowbits</strong> ignore warnings about flowbits that are checked but not set and vice-versa\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--ignore-warn-rules</strong> ignore warnings about duplicate rules and rule parsing issues\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--include-path</strong> <path> where to find Lua and rule included files; searched before current or config directories\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--list-buffers</strong> output available inspection buffers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--list-builtin</strong> [<module prefix>] output matching builtin rules (optional)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--list-gids</strong> [<module prefix>] output matching generators (optional)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--list-modules</strong> [<module type>] list all known modules of given type (optional)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--list-plugins</strong> list all known plugins\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--lua</strong> <chunk> extend/override conf with chunk; may be repeated\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--logid</strong> <0xid> log Identifier to uniquely id events for multiple snorts (same as -G) (0:65535)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--markup</strong> output help in asciidoc compatible format\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--max-packet-threads</strong> <count> configure maximum number of packet threads (same as -z) (0:max32)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--mem-check</strong> like -T but also compile search engines\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--metadata-filter</strong> <filter> load only rules containing filter string in metadata if set\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--nostamps</strong> don’t include timestamps in log file names\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--nolock-pidfile</strong> do not try to lock Snort PID file\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--pause</strong> wait for resume/quit command before processing packets/terminating\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--pcap-file</strong> <file> file that contains a list of pcaps to read - read mode is implied\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--pcap-list</strong> <list> a space separated list of pcaps to read - read mode is implied\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--pcap-dir</strong> <dir> a directory to recurse to look for pcaps - read mode is implied\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--pcap-filter</strong> <filter> filter to apply when getting pcaps from file or directory\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--pcap-loop</strong> <count> read all pcaps <count> times; 0 will read until Snort is terminated (0:max32)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--pcap-no-filter</strong> reset to use no filter when getting pcaps from file or directory\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--pcap-show</strong> print a line saying what pcap is currently being read\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--pedantic</strong> warnings are fatal\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--plugin-path</strong> <path> a colon separated list of directories or plugin libraries\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--process-all-events</strong> process all action groups\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--rule</strong> <rules> to be added to configuration; may be repeated\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--rule-path</strong> <path> where to find rules files\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--rule-to-hex</strong> output so rule header to stdout for text rule on stdin\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--rule-to-text</strong> output plain so rule header to stdout for text rule on stdin (specify delimiter or [Snort_SO_Rule] will be used) (16)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--run-prefix</strong> <pfx> prepend this to each output file\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--script-path</strong> <path> to a luajit script or directory containing luajit scripts\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--shell</strong> enable the interactive command line\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--show-file-codes</strong> indicate how files are located: A=absolute and W, F, C which are relative to the working directory, including file, and config file respectively\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--show-plugins</strong> list module and plugin versions\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--skip</strong> <n> skip 1st n packets (0:max53)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--snaplen</strong> <snap> set snaplen of packet (same as -s) (68:65535)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--stdin-rules</strong> read rules from stdin until EOF or a line starting with END is read\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--talos</strong> enable Talos tweak (same as --tweaks talos)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--treat-drop-as-alert</strong> converts drop, block, and reset rules into alert rules when loaded\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--treat-drop-as-ignore</strong> use drop, block, and reset rules to ignore session traffic when not inline\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--tweaks</strong> tune configuration\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--version</strong> show version number (same as -V)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--warn-all</strong> enable all warnings\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--warn-conf</strong> warn about configuration issues\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--warn-conf-strict</strong> warn about unrecognized elements in configuration files\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--warn-daq</strong> warn about DAQ issues, usually related to mode\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--warn-flowbits</strong> warn about flowbits that are checked but not set and vice-versa\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--warn-hosts</strong> warn about host table issues\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--warn-plugins</strong> warn about issues that prevent plugins from loading\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--warn-rules</strong> warn about duplicate rules and rule parsing issues\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--warn-scripts</strong> warn about issues discovered while processing Lua scripts\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--warn-symbols</strong> warn about unknown symbols in your Lua config\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--warn-vars</strong> warn about variable definition and usage issues\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--x2c</strong> output ASCII char for given hex (see also --c2x) (0x00:0xFF)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--x2s</strong> output ASCII string for given byte code (see also --x2c)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>--trace</strong> turn on main loop debug trace\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_configuration_8">Configuration</h3>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-interval <strong>ack.~range</strong>: check if TCP ack value is <em>value | min<>max | <max | >min</em> { 0: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>active.attempts</strong> = 0: number of TCP packets sent per response (with varying sequence numbers) { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>active.device</strong>: use <em>ip</em> for network layer responses or <em>eth0</em> etc for link layer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>active.dst_mac</strong>: use format <em>01:23:45:67:89:ab</em>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>active.max_responses</strong> = 0: maximum number of responses { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>active.min_interval</strong> = 255: minimum number of seconds between responses { 1:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-multi <strong>alert_csv.fields</strong> = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | client_bytes | client_pkts | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | flowstart_time | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | seconds | server_bytes | server_pkts | service | sgt| sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>alert_csv.file</strong> = false: output to alert_csv.txt instead of stdout\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>alert_csv.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>alert_csv.separator</strong> = , : separate fields with this character sequence\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>alert_ex.upper</strong> = false: true/false → convert to upper/lower case\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>alert_fast.file</strong> = false: output to alert_fast.txt instead of stdout\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>alert_fast.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>alert_fast.packet</strong> = false: output packet dump with alert\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>alert_full.file</strong> = false: output to alert_full.txt instead of stdout\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>alert_full.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-multi <strong>alert_json.fields</strong> = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | client_bytes | client_pkts | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | flowstart_time | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | seconds | server_bytes | server_pkts | service | sgt| sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>alert_json.file</strong> = false: output to alert_json.txt instead of stdout\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>alert_json.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>alert_json.separator</strong> = , : separate fields with this character sequence\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>alerts.alert_with_interface_name</strong> = false: include interface in alert info (fast, full, or syslog only)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>alerts.detection_filter_memcap</strong> = 1048576: set available MB of memory for detection_filters { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>alerts.event_filter_memcap</strong> = 1048576: set available MB of memory for event_filters { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>alert_sfsocket.file</strong>: name of unix socket file\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>alert_sfsocket.rules[].gid</code></strong> = 1: rule generator ID { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>alert_sfsocket.rules[].sid</code></strong> = 1: rule signature ID { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>alerts.log_references</strong> = false: include rule references in alert info (full only)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>alerts.order</strong> = pass reset block drop alert log: change the order of rule action application\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>alerts.rate_filter_memcap</strong> = 1048576: set available MB of memory for rate_filters { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>alerts.reference_net</strong>: set the CIDR for homenet (for use with -l or -B, does NOT change $HOME_NET in IDS mode)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>alerts.stateful</strong> = false: don’t alert w/o established session (note: rule action still taken)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>alerts.tunnel_verdicts</strong>: let DAQ handle non-allow verdicts for gtp|teredo|6in4|4in6|4in4|6in6|gre|mpls|vxlan traffic\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>alert_syslog.facility</strong> = auth: part of priority applied to each message { auth | authpriv | daemon | user | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>alert_syslog.level</strong> = info: part of priority applied to each message { emerg | alert | crit | err | warning | notice | info | debug }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-multi <strong>alert_syslog.options</strong>: used to open the syslog connection { cons | ndelay | perror | pid }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>appid.app_detector_dir</strong>: directory to load appid detectors from\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>appid.app_stats_period</strong> = 300: time period for collecting and logging appid statistics { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>appid.app_stats_rollover_size</strong> = 20971520: max file size for appid stats before rolling over the log file { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>appid.list_odp_detectors</strong> = false: enable logging of odp detectors statistics\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>appid.load_odp_detectors_in_ctrl</strong> = false: load odp detectors in control thread\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>appid.log_all_sessions</strong> = false: enable logging of all appid sessions\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>appid.log_stats</strong> = false: enable logging of appid statistics\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>appid.memcap</strong> = 1048576: max size of the service cache before we start pruning the cache { 1024:maxSZ }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>appids.~</strong>: comma separated list of application names\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>appid.tp_appid_config_dump</strong>: print third party configuration on startup\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>appid.tp_appid_config</strong>: path to third party appid configuration file\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>appid.tp_appid_path</strong>: path to third party appid dynamic library\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>appid.tp_appid_stats_enable</strong>: enable collection of stats and print stats on exit in third party module\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-ip4 <strong><code>arp_spoof.hosts[].ip</code></strong>: host ip address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-mac <strong><code>arp_spoof.hosts[].mac</code></strong>: host mac address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>asn1.absolute_offset</strong>: absolute offset from the beginning of the packet { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>asn1.bitstring_overflow</strong>: detects invalid bitstring encodings that are known to be remotely exploitable\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>asn1.double_overflow</strong>: detects a double ASCII encoding that is larger than a standard buffer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>asn1.oversize_length</strong>: compares ASN.1 type lengths with the supplied argument { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>asn1.print</strong>: dump decode data to console; always true\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>asn1.relative_offset</strong>: relative offset from the cursor { -65535:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>attribute_table.hosts_file</strong>: filename to load attribute host table from\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>attribute_table.max_hosts</strong> = 1024: maximum number of hosts in attribute table { 32:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>attribute_table.max_metadata_services</strong> = 9: maximum number of services in rule { 1:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>attribute_table.max_services_per_host</strong> = 8: maximum number of services per host entry in attribute table { 1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>base64_decode.bytes</strong>: number of base64 encoded bytes to decode { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>base64_decode.offset</strong> = 0: bytes past start of buffer to start decoding { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>base64_decode.relative</strong>: apply offset to cursor instead of start of buffer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>ber_data.~type</strong>: move to the data for the specified BER element type { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ber_skip.optional</strong>: match even if the specified BER type is not found\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>ber_skip.~type</strong>: BER element type to skip { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong><code>binder[].use.action</code></strong> = inspect: what to do with matching traffic { reset | block | allow | inspect }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>binder[].use.file</code></strong>: use configuration in given file\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>binder[].use.inspection_policy</code></strong>: use inspection policy from given file\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>binder[].use.ips_policy</code></strong>: use ips policy from given file\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>binder[].use.name</code></strong>: symbol name (defaults to type)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>binder[].use.service</code></strong>: override automatic service identification\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>binder[].use.type</code></strong>: select module for binding\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-addr_list <strong><code>binder[].when.dst_nets</code></strong>: list of destination networks\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bit_list <strong><code>binder[].when.dst_ports</code></strong>: list of destination ports { 65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bit_list <strong><code>binder[].when.dst_zone</code></strong>: destination zone { 63 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bit_list <strong><code>binder[].when.ifaces</code></strong>: list of interface indices { 255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>binder[].when.ips_policy_id</code></strong> = 0: unique ID for selection of this config by external logic { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-addr_list <strong><code>binder[].when.nets</code></strong>: list of networks\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bit_list <strong><code>binder[].when.ports</code></strong>: list of ports { 65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong><code>binder[].when.proto</code></strong>: protocol { any | ip | icmp | tcp | udp | user | file }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong><code>binder[].when.role</code></strong> = any: use the given configuration on one or any end of a session { client | server | any }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>binder[].when.service</code></strong>: override default configuration\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-addr_list <strong><code>binder[].when.src_nets</code></strong>: list of source networks\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bit_list <strong><code>binder[].when.src_ports</code></strong>: list of source ports { 65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bit_list <strong><code>binder[].when.src_zone</code></strong>: source zone { 63 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bit_list <strong><code>binder[].when.vlans</code></strong>: list of VLAN IDs { 4095 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bit_list <strong><code>binder[].when.zones</code></strong>: zones { 63 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-interval <strong>bufferlen.~range</strong>: check that total length of current buffer is in given range { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>bufferlen.relative</strong>: use remaining length (from current position) instead of total length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>byte_extract.align</strong> = 0: round the number of converted bytes up to the next 2- or 4-byte boundary { 0:4 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_extract.big</strong>: big endian\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>byte_extract.bitmask</strong>: applies as an AND to the extracted value before storage in <em>name</em> { 0x1:0xFFFFFFFF }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>byte_extract.~count</strong>: number of bytes to pick up from the buffer { 1:10 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_extract.dce</strong>: dcerpc2 determines endianness\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_extract.dec</strong>: convert from decimal string\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_extract.hex</strong>: convert from hex string\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_extract.little</strong>: little endian\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>byte_extract.multiplier</strong> = 1: scale extracted value by given amount { 1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>byte_extract.~name</strong>: name of the variable that will be used in other rule options\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_extract.oct</strong>: convert from octal string\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>byte_extract.~offset</strong>: number of bytes into the buffer to start processing { -65535:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_extract.relative</strong>: offset from cursor instead of start of buffer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_extract.string</strong>: convert from string\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>byte_jump.align</strong> = 0: round the number of converted bytes up to the next 2- or 4-byte boundary { 0:4 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_jump.big</strong>: big endian\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>byte_jump.bitmask</strong>: applies as an AND prior to evaluation { 0x1:0xFFFFFFFF }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>byte_jump.~count</strong>: number of bytes to pick up from the buffer { 0:10 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_jump.dce</strong>: dcerpc2 determines endianness\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_jump.dec</strong>: convert from decimal string\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_jump.from_beginning</strong>: jump from start of buffer instead of cursor\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_jump.from_end</strong>: jump backward from end of buffer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_jump.hex</strong>: convert from hex string\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_jump.little</strong>: little endian\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>byte_jump.multiplier</strong> = 1: scale extracted value by given amount { 1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_jump.oct</strong>: convert from octal string\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>byte_jump.~offset</strong>: variable name or number of bytes into the buffer to start processing\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>byte_jump.post_offset</strong>: skip forward or backward (positive or negative value) by variable name or number of bytes after the other jump options have been applied\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_jump.relative</strong>: offset from cursor instead of start of buffer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_jump.string</strong>: convert from string\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>byte_math.bitmask</strong>: applies as bitwise AND to the extracted value before storage in <em>name</em> { 0x1:0xFFFFFFFF }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>byte_math.bytes</strong>: number of bytes to pick up from the buffer { 1:10 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_math.dce</strong>: dcerpc2 determines endianness\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>byte_math.endian</strong>: specify big/little endian { big|little }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>byte_math.offset</strong>: number of bytes into the buffer to start processing\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>byte_math.oper</strong>: mathematical operation to perform { +|-|*|/|<<|>> }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_math.relative</strong>: offset from cursor instead of start of buffer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>byte_math.result</strong>: name of the variable to store the result\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>byte_math.rvalue</strong>: value to use mathematical operation against\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>byte_math.string</strong>: convert extracted string to dec/hex/oct { hex|dec|oct }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_test.big</strong>: big endian\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>byte_test.bitmask</strong>: applies as an AND prior to evaluation { 0x1:0xFFFFFFFF }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>byte_test.~compare</strong>: variable name or value to test the converted result against\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>byte_test.~count</strong>: number of bytes to pick up from the buffer { 1:10 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_test.dce</strong>: dcerpc2 determines endianness\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_test.dec</strong>: convert from decimal string\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_test.hex</strong>: convert from hex string\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_test.little</strong>: little endian\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_test.oct</strong>: convert from octal string\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>byte_test.~offset</strong>: variable name or number of bytes into the payload to start processing\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>byte_test.~operator</strong>: operation to perform to test the value\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_test.relative</strong>: offset from cursor instead of start of buffer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_test.string</strong>: convert from string\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-interval <strong>cip_attribute.~range</strong>: match CIP attribute { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-interval <strong>cip_class.~range</strong>: match CIP class { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-interval <strong>cip_conn_path_class.~range</strong>: match CIP Connection Path Class { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>cip.embedded_cip_path</strong> = false: check embedded CIP path\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-interval <strong>cip_instance.~range</strong>: match CIP instance { 0:4294967295 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>cip.max_cip_connections</strong> = 100: max cip connections { 1:10000 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>cip.max_unconnected_messages</strong> = 100: max unconnected cip messages { 1:10000 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-interval <strong>cip_service.~range</strong>: match CIP service { 0:127 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-interval <strong>cip_status.~range</strong>: match CIP response status { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>cip.unconnected_timeout</strong> = 300: unconnected timeout in seconds { 0:360 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>classifications[].name</code></strong>: name used with classtype rule option\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>classifications[].priority</code></strong> = 1: default priority for class { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>classifications[].text</code></strong>: description of class\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>classtype.~</strong>: classification for this rule\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>content.~data</strong>: data to match\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>content.depth</strong>: var or maximum number of bytes to search from beginning of buffer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>content.distance</strong>: var or number of bytes from cursor to start search\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>content.fast_pattern_length</strong>: maximum number of characters from this content the fast pattern matcher should use { 1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>content.fast_pattern_offset</strong> = 0: number of leading characters of this content the fast pattern matcher should exclude { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>content.fast_pattern</strong>: use this content in the fast pattern matcher instead of the content selected by default\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>content.nocase</strong>: case insensitive match\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>content.offset</strong>: var or number of bytes from start of buffer to start search\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>content.within</strong>: var or maximum number of bytes to search from cursor\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>cvs.invalid-entry</strong>: looks for an invalid Entry string\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>daq.batch_size</strong> = 64: set receive batch size (same as --daq-batch-size) { 1: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>daq.inputs[].input</code></strong>: input source\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>daq.module_dirs[].path</code></strong>: directory path\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong><code>daq.modules[].mode</code></strong> = passive: DAQ module mode { passive | inline | read-file }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>daq.modules[].name</code></strong>: DAQ module name (required)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>daq.modules[].variables[].variable</code></strong>: DAQ module variable (foo[=bar])\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>daq.snaplen</strong> = 1518: set snap length (same as -s) { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-select <strong>data_log.key</strong> = http_request_header_event : name of the event to log { http_request_header_event | http_response_header_event }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>data_log.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>dce_iface.any_frag</strong>: match on any fragment\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>dce_iface.uuid</strong>: match given dcerpc uuid\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-interval <strong>dce_iface.version</strong>: interface version { 0: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>dce_opnum.~</strong>: match given dcerpc operation number, range or list\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>dce_smb.disable_defrag</strong> = false: disable DCE/RPC defragmentation\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>dce_smb.limit_alerts</strong> = true: limit DCE alert to at most one per signature per flow\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>dce_smb.max_frag_len</strong> = 65535: maximum fragment size for defragmentation { 1514:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>dce_smb.memcap</strong> = 8388608: Memory utilization limit on smb { 512:maxSZ }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>dce_smb.policy</strong> = WinXP: target based policy to use { Win2000 | WinXP | WinVista | Win2003 | Win2008 | Win7 | Samba | Samba-3.0.37 | Samba-3.0.22 | Samba-3.0.20 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>dce_smb.reassemble_threshold</strong> = 0: minimum bytes received before performing reassembly { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>dce_smb.smb_file_depth</strong> = 16384: SMB file depth for file data (-1 = disabled, 0 = unlimited) { -1:32767 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>dce_smb.smb_file_inspection</strong>: deprecated (not used): file inspection controlled by smb_file_depth { off | on | only }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>dce_smb.smb_fingerprint_policy</strong> = none: target based SMB policy to use { none | client | server | both }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>dce_smb.smb_invalid_shares</strong>: SMB shares to alert on\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>dce_smb.smb_legacy_mode</strong> = false: inspect only SMBv1\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>dce_smb.smb_max_chain</strong> = 3: SMB max chain size { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>dce_smb.smb_max_compound</strong> = 3: SMB max compound size { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>dce_smb.smb_max_credit</strong> = 8192: Maximum number of outstanding request { 1:65536 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-multi <strong>dce_smb.valid_smb_versions</strong> = all: valid SMB versions { v1 | v2 | all }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>dce_tcp.disable_defrag</strong> = false: disable DCE/RPC defragmentation\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>dce_tcp.limit_alerts</strong> = true: limit DCE alert to at most one per signature per flow\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>dce_tcp.max_frag_len</strong> = 65535: maximum fragment size for defragmentation { 1514:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>dce_tcp.policy</strong> = WinXP: target based policy to use { Win2000 | WinXP | WinVista | Win2003 | Win2008 | Win7 | Samba | Samba-3.0.37 | Samba-3.0.22 | Samba-3.0.20 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>dce_tcp.reassemble_threshold</strong> = 0: minimum bytes received before performing reassembly { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>dce_udp.disable_defrag</strong> = false: disable DCE/RPC defragmentation\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>dce_udp.limit_alerts</strong> = true: limit DCE alert to at most one per signature per flow\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>dce_udp.max_frag_len</strong> = 65535: maximum fragment size for defragmentation { 1514:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>detection.asn1</strong> = 0: maximum decode nodes { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>detection.enable_address_anomaly_checks</strong> = false: enable check and alerting of address anomalies\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>detection_filter.count</strong>: hits in interval before allowing the rule to fire { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>detection_filter.seconds</strong>: length of interval to count hits { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>detection_filter.track</strong>: track hits by source or destination IP address { by_src | by_dst }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>detection.global_default_rule_state</strong> = true: enable or disable rules by default (overridden by ips policy settings)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>detection.global_rule_state</strong> = false: apply rule_state against all policies\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>detection.hyperscan_literals</strong> = false: use hyperscan for content literal searches instead of boyer-moore\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>detection.offload_limit</strong> = 99999: minimum sizeof PDU to offload fast pattern search (defaults to disabled) { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>detection.offload_threads</strong> = 0: maximum number of simultaneous offloads (defaults to disabled) { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>detection.pcre_enable</strong> = true: enable pcre pattern matching\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>detection.pcre_match_limit</strong> = 1500: limit pcre backtracking, 0 = off { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>detection.pcre_match_limit_recursion</strong> = 1500: limit pcre stack consumption, 0 = off { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>detection.pcre_override</strong> = true: enable pcre match limit overrides when pattern matching (ie ignore /O)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>detection.pcre_to_regex</strong> = false: enable the use of regex instead of pcre for compatible expressions\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>dnp3.check_crc</strong> = false: validate checksums in DNP3 link layer frames\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>dnp3_func.~</strong>: match DNP3 function code or name\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>dnp3_ind.~</strong>: match given DNP3 indicator flags\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>dnp3_obj.group</strong> = 0: match given DNP3 object header group { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>dnp3_obj.var</strong> = 0: match given DNP3 object header var { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>domain_filter.file</strong>: file with list of domains identifying hosts to be filtered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>domain_filter.hosts</strong>: list of domains identifying hosts to be filtered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>dpx.max</strong> = 0: maximum payload before alert { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-port <strong>dpx.port</strong>: port to check\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-interval <strong>dsize.~range</strong>: check if packet payload size is in the given range { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>enable.~enable</strong> = yes: enable or disable rule in current ips policy or use default defined by ips policy { no | yes | inherit }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-interval <strong>enip_command.~range</strong>: match CIP Enip Command { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>esp.decode_esp</strong> = false: enable for inspection of esp traffic that has authentication but not encryption\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>event_filter[].count</code></strong> = 0: number of events in interval before tripping; -1 to disable { -1:max31 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>event_filter[].gid</code></strong> = 1: rule generator ID { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>event_filter[].ip</code></strong>: restrict filter to these addresses according to track\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>event_filter[].seconds</code></strong> = 0: count interval { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>event_filter[].sid</code></strong> = 1: rule signature ID { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong><code>event_filter[].track</code></strong>: filter only matching source or destination addresses { by_src | by_dst }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong><code>event_filter[].type</code></strong>: 1st count events | every count events | once after count events { limit | threshold | both }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>event_queue.log</strong> = 3: maximum events to log { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>event_queue.max_queue</strong> = 8: maximum events to queue { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>event_queue.order_events</strong> = content_length: criteria for ordering incoming events { priority|content_length }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>event_queue.process_all_events</strong> = false: process just first action group or all action groups\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>file_connector.connector</strong>: connector name\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>file_connector.direction</strong>: usage { receive | transmit | duplex }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>file_connector.format</strong>: file format { binary | text }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>file_connector.name</strong>: channel name\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>file_id.b64_decode_depth</strong> = -1: base64 decoding depth (-1 no limit) { -1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>file_id.bitenc_decode_depth</strong> = -1: Non-Encoded MIME attachment extraction depth (-1 no limit) { -1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>file_id.block_timeout</strong> = 86400: stop blocking after this many seconds { 0:max31 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>file_id.block_timeout_lookup</strong> = false: block if lookup times out\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>file_id.capture_block_size</strong> = 32768: file capture block size in bytes { 8:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>file_id.capture_max_size</strong> = 1048576: stop file capture beyond this point { 0:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>file_id.capture_memcap</strong> = 100: memcap for file capture in megabytes { 0:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>file_id.capture_min_size</strong> = 0: stop file capture if file size less than this { 0:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>file_id.decompress_pdf</strong> = false: decompress pdf files in MIME attachments\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>file_id.decompress_swf</strong> = false: decompress swf files in MIME attachments\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>file_id.decompress_zip</strong> = false: decompress zip files in MIME attachments\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>file_id.enable_capture</strong> = false: enable file capture\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>file_id.enable_signature</strong> = false: enable signature calculation\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>file_id.enable_type</strong> = true: enable type ID\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong><code>file_id.file_policy[].use.enable_file_capture</code></strong> = false: true/false → enable/disable file capture\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong><code>file_id.file_policy[].use.enable_file_signature</code></strong> = false: true/false → enable/disable file signature\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong><code>file_id.file_policy[].use.enable_file_type</code></strong> = false: true/false → enable/disable file type identification\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong><code>file_id.file_policy[].use.verdict</code></strong> = unknown: what to do with matching traffic { unknown | log | stop | block | reset }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>file_id.file_policy[].when.file_type_id</code></strong> = 0: unique ID for file type in file magic rule { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>file_id.file_policy[].when.sha256</code></strong>: SHA 256\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>file_id.file_rules[].category</code></strong>: file type category\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>file_id.file_rules[].group</code></strong>: comma separated list of groups associated with file type\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>file_id.file_rules[].id</code></strong> = 0: file type id { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>file_id.file_rules[].magic[].content</code></strong>: file magic content\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>file_id.file_rules[].magic[].offset</code></strong> = 0: file magic offset { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>file_id.file_rules[].msg</code></strong>: information about the file type\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>file_id.file_rules[].rev</code></strong> = 0: rule revision { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>file_id.file_rules[].type</code></strong>: file type name\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>file_id.file_rules[].version</code></strong>: file type version\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>file_id.lookup_timeout</strong> = 2: give up on lookup after this many seconds { 0:max31 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>file_id.max_files_cached</strong> = 65536: maximal number of files cached in memory { 8:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>file_id.max_files_per_flow</strong> = 32: maximal number of files able to be concurrently processed per flow { 1:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>file_id.qp_decode_depth</strong> = -1: Quoted Printable decoding depth (-1 no limit) { -1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>file_id.show_data_depth</strong> = 100: print this many octets { 0:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>file_id.signature_depth</strong> = 10485760: stop signature at this point { 0:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>file_id.trace_signature</strong> = false: enable runtime dump of signature info\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>file_id.trace_stream</strong> = false: enable runtime dump of file data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>file_id.trace_type</strong> = false: enable runtime dump of type info\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>file_id.type_depth</strong> = 1460: stop type ID at this point { 0:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>file_id.uu_decode_depth</strong> = -1: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>file_id.verdict_delay</strong> = 0: number of queries to return final verdict { 0:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>file_log.log_pkt_time</strong> = true: log the packet time when event generated\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>file_log.log_sys_time</strong> = false: log the system time when event generated\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>file_type.~</strong>: list of file type IDs to match\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>flags.~mask_flags</strong>: these flags are don’t cares\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>flags.~test_flags</strong>: these flags are tested\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>flowbits.~bits</strong>: bit [|bit]* or bit [&bit]*\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>flowbits.~op</strong>: bit operation or noalert (no bits) { set | unset | isset | isnotset | noalert }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>flow.established</strong>: match only during data transfer phase\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>flow.from_client</strong>: same as to_server\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>flow.from_server</strong>: same as to_client\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>flow.no_frag</strong>: match on raw packets only\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>flow.no_stream</strong>: match on raw packets only\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>flow.not_established</strong>: match only outside data transfer phase\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>flow.only_frag</strong>: match on defragmented packets only\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>flow.only_stream</strong>: match on reassembled packets only\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>flow.stateless</strong>: match regardless of stream state\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>flow.to_client</strong>: match on server responses\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>flow.to_server</strong>: match on client requests\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>fragbits.~flags</strong>: these flags are tested\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-interval <strong>fragoffset.~range</strong>: check if ip fragment offset is in given range { 0:8192 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>ftp_client.bounce</strong> = false: check for bounces\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-addr <strong><code>ftp_client.bounce_to[].address</code></strong> = 1.0.0.0/32: allowed IP address in CIDR format\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-port <strong><code>ftp_client.bounce_to[].last_port</code></strong>: optional allowed range from port to last_port inclusive\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-port <strong><code>ftp_client.bounce_to[].port</code></strong> = 20: allowed port\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>ftp_client.ignore_telnet_erase_cmds</strong> = false: ignore erase character and erase line commands when normalizing\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>ftp_client.max_resp_len</strong> = 4294967295: maximum FTP response accepted by client { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>ftp_client.telnet_cmds</strong> = false: detect Telnet escape sequences on FTP control channel\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>ftp_server.check_encrypted</strong> = false: check for end of encryption\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>ftp_server.chk_str_fmt</strong>: check the formatting of the given commands\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>ftp_server.cmd_validity[].command</code></strong>: command string\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>ftp_server.cmd_validity[].format</code></strong>: format specification\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>ftp_server.cmd_validity[].length</code></strong> = 0: specify non-default maximum for command { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>ftp_server.data_chan_cmds</strong>: check the formatting of the given commands\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>ftp_server.data_rest_cmds</strong>: check the formatting of the given commands\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>ftp_server.data_xfer_cmds</strong>: check the formatting of the given commands\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>ftp_server.def_max_param_len</strong> = 100: default maximum length of commands handled by server; 0 is unlimited { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>ftp_server.directory_cmds[].dir_cmd</code></strong>: directory command\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>ftp_server.directory_cmds[].rsp_code</code></strong> = 200: expected successful response code for command { 200:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>ftp_server.encr_cmds</strong>: check the formatting of the given commands\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>ftp_server.encrypted_traffic</strong> = false: check for encrypted Telnet and FTP\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>ftp_server.file_get_cmds</strong>: check the formatting of the given commands\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>ftp_server.file_put_cmds</strong>: check the formatting of the given commands\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>ftp_server.ftp_cmds</strong>: specify additional commands supported by server beyond RFC 959\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>ftp_server.ignore_data_chan</strong> = false: do not inspect FTP data channels\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>ftp_server.ignore_telnet_erase_cmds</strong> = false: ignore erase character and erase line commands when normalizing\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>ftp_server.login_cmds</strong>: check the formatting of the given commands\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>ftp_server.print_cmds</strong> = false: print command configurations on start up\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>ftp_server.telnet_cmds</strong> = false: detect Telnet escape sequences of FTP control channel\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>gid.~</strong>: generator id { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>gtp_info.~</strong>: info element to match\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>gtp_inspect[].infos[].length</code></strong> = 0: information element type code { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>gtp_inspect[].infos[].name</code></strong>: information element name\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>gtp_inspect[].infos[].type</code></strong> = 0: information element type code { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>gtp_inspect[].messages[].name</code></strong>: message name\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>gtp_inspect[].messages[].type</code></strong> = 0: message type code { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>gtp_inspect[].version</code></strong> = 2: GTP version { 0:2 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>gtp_type.~</strong>: list of types to match\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>gtp_version.~</strong>: version to match { 0:2 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>high_availability.daq_channel</strong> = false: enable use of daq data plane channel\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>high_availability.enable</strong> = false: enable high availability\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>high_availability.min_age</strong> = 0: minimum session life in milliseconds before HA updates { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>high_availability.min_sync</strong> = 0: minimum interval in milliseconds between HA updates { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bit_list <strong>high_availability.ports</strong>: side channel message port list { 65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>host_cache.dump_file</strong>: file name to dump host cache on shutdown; won’t dump by default\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>host_cache.memcap</strong> = 8388608: maximum host cache size in bytes { 512:maxSZ }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong><code>hosts[].frag_policy</code></strong>: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-addr <strong><code>hosts[].ip</code></strong> = 0.0.0.0/32: hosts address / CIDR\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>hosts[].services[].name</code></strong>: service identifier\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-port <strong><code>hosts[].services[].port</code></strong>: port number\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong><code>hosts[].services[].proto</code></strong> = tcp: IP protocol { tcp | udp }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong><code>hosts[].tcp_policy</code></strong>: TCP reassembly policy { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-addr <strong><code>host_tracker[].ip</code></strong>: hosts address / cidr\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-port <strong><code>host_tracker[].services[].port</code></strong>: port number\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong><code>host_tracker[].services[].proto</code></strong>: IP protocol { ip | tcp | udp }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_cookie.request</strong>: match against the cookie from the request message even when examining the response\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_cookie.with_body</strong>: parts of this rule examine HTTP message body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_cookie.with_header</strong>: this rule is limited to examining HTTP message headers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_cookie.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>http_header.field</strong>: restrict to given header. Header name is case insensitive.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_header.request</strong>: match against the headers from the request message even when examining the response\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_header.with_body</strong>: parts of this rule examine HTTP message body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_header.with_header</strong>: this rule is limited to examining HTTP message headers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_header.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.backslash_to_slash</strong> = true: replace \ with / when normalizing URIs\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bit_list <strong>http_inspect.bad_characters</strong>: alert when any of specified bytes are present in URI after percent decoding { 255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.decompress_pdf</strong> = false: decompress pdf files in response bodies\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.decompress_swf</strong> = false: decompress swf files in response bodies\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.decompress_zip</strong> = false: decompress zip files in response bodies\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.detained_inspection</strong> = false: store-and-forward as necessary to effectively block alerting JavaScript\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>http_inspect.ignore_unreserved</strong>: do not alert when the specified unreserved characters are percent-encoded in a URI.Unreserved characters are 0-9, a-z, A-Z, period, underscore, tilde, and minus. { (optional) }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.iis_double_decode</strong> = true: perform double decoding of percent encodings to normalize characters\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>http_inspect.iis_unicode_code_page</strong> = 1252: code page to use from the IIS unicode map file { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.iis_unicode</strong> = false: use IIS unicode code point mapping to normalize characters\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>http_inspect.iis_unicode_map_file</strong>: file containing code points for IIS unicode. { (optional) }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>http_inspect.max_javascript_whitespaces</strong> = 200: maximum consecutive whitespaces allowed within the JavaScript obfuscated data { 1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.normalize_javascript</strong> = false: normalize JavaScript in response bodies\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.normalize_utf</strong> = true: normalize charset utf encodings in response bodies\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>http_inspect.oversize_dir_length</strong> = 300: maximum length for URL directory { 1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.percent_u</strong> = false: normalize %uNNNN and %UNNNN encodings\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.plus_to_space</strong> = true: replace + with <sp> when normalizing URIs\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>http_inspect.request_depth</strong> = -1: maximum request message body bytes to examine (-1 no limit) { -1:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>http_inspect.response_depth</strong> = -1: maximum response message body bytes to examine (-1 no limit) { -1:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.simplify_path</strong> = true: reduce URI directory path to simplest form\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.unzip</strong> = true: decompress gzip and deflate message bodies\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.utf8_bare_byte</strong> = false: when doing UTF-8 character normalization include bytes that were not percent encoded\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.utf8</strong> = true: normalize 2-byte and 3-byte UTF-8 characters to a single byte\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_method.with_body</strong>: parts of this rule examine HTTP message body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_method.with_header</strong>: this rule is limited to examining HTTP message headers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_method.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_param.nocase</strong>: case insensitive match\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>http_param.~param</strong>: parameter to match\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_cookie.request</strong>: match against the cookie from the request message even when examining the response\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_cookie.with_body</strong>: parts of this rule examine HTTP message body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_cookie.with_header</strong>: this rule is limited to examining HTTP message headers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_cookie.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_header.request</strong>: match against the headers from the request message even when examining the response\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_header.with_body</strong>: parts of this rule examine HTTP message body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_header.with_header</strong>: this rule is limited to examining HTTP message headers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_header.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_request.with_body</strong>: parts of this rule examine HTTP message body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_request.with_header</strong>: this rule is limited to examining HTTP message headers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_request.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_status.with_body</strong>: parts of this rule examine HTTP message body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_status.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_trailer.request</strong>: match against the trailers from the request message even when examining the response\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_trailer.with_body</strong>: parts of this rule examine HTTP response message body (must be combined with request)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_trailer.with_header</strong>: parts of this rule examine HTTP response message headers (must be combined with request)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_uri.fragment</strong>: match against fragment section of URI only\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_uri.host</strong>: match against host section of URI only\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_uri.path</strong>: match against path section of URI only\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_uri.port</strong>: match against port section of URI only\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_uri.query</strong>: match against query section of URI only\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_uri.scheme</strong>: match against scheme section of URI only\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_uri.with_body</strong>: parts of this rule examine HTTP message body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_uri.with_header</strong>: this rule is limited to examining HTTP message headers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_raw_uri.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_stat_code.with_body</strong>: parts of this rule examine HTTP message body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_stat_code.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_stat_msg.with_body</strong>: parts of this rule examine HTTP message body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_stat_msg.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>http_trailer.field</strong>: restrict to given trailer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_trailer.request</strong>: match against the trailers from the request message even when examining the response\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_trailer.with_body</strong>: parts of this rule examine HTTP message body (must be combined with request)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_trailer.with_header</strong>: parts of this rule examine HTTP response message headers (must be combined with request)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_true_ip.with_body</strong>: parts of this rule examine HTTP message body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_true_ip.with_header</strong>: this rule is limited to examining HTTP message headers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_true_ip.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_uri.fragment</strong>: match against fragment section of URI only\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_uri.host</strong>: match against host section of URI only\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_uri.path</strong>: match against path section of URI only\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_uri.port</strong>: match against port section of URI only\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_uri.query</strong>: match against query section of URI only\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_uri.scheme</strong>: match against scheme section of URI only\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_uri.with_body</strong>: parts of this rule examine HTTP message body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_uri.with_header</strong>: this rule is limited to examining HTTP message headers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_uri.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_version.request</strong>: match against the version from the request message even when examining the response\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_version.with_body</strong>: parts of this rule examine HTTP message body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_version.with_header</strong>: this rule is limited to examining HTTP message headers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>http_version.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-interval <strong>icmp_id.~range</strong>: check if ICMP ID is in given range { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-interval <strong>icmp_seq.~range</strong>: check if ICMP sequence number is in given range { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-interval <strong>icode.~range</strong>: check if ICMP code is in given range is { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-interval <strong>id.~range</strong>: check if the IP ID is in the given range { 0: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>imap.b64_decode_depth</strong> = -1: base64 decoding depth (-1 no limit) { -1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>imap.bitenc_decode_depth</strong> = -1: non-Encoded MIME attachment extraction depth (-1 no limit) { -1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>imap.decompress_pdf</strong> = false: decompress pdf files in MIME attachments\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>imap.decompress_swf</strong> = false: decompress swf files in MIME attachments\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>imap.decompress_zip</strong> = false: decompress zip files in MIME attachments\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>imap.qp_decode_depth</strong> = -1: quoted Printable decoding depth (-1 no limit) { -1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>imap.uu_decode_depth</strong> = -1: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>inspection.id</strong> = 0: correlate policy and events with other items in configuration { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>inspection.mode</strong> = inline-test: set policy mode { inline | inline-test }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>inspection.uuid</strong>: correlate events by uuid\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-select <strong>ipopts.~opt</strong>: output format { rr|eol|nop|ts|sec|esec|lsrr|lsrre|ssrr|satid|any }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>ip_proto.~proto</strong>: [!|>|<] name or number\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>ips.default_rule_state</strong> = inherit: enable or disable ips rules { no | yes | inherit }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>ips.enable_builtin_rules</strong> = false: enable events from builtin rules w/o stubs\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>ips.id</strong> = 0: correlate unified2 events with configuration { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>ips.includer</strong>: for internal use; where includes are included from { (optional) }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>ips.include</strong>: snort rules and includes\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>ips.mode</strong>: set policy mode { tap | inline | inline-test }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>ips.obfuscate_pii</strong> = false: mask all but the last 4 characters of credit card and social security numbers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>ips.rules</strong>: snort rules and includes (may contain states too)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>ips.states</strong>: snort rule states and includes (may contain rules too)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>ips.uuid</strong> = 00000000-0000-0000-0000-000000000000: IPS policy uuid\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>isdataat.~length</strong>: num | !num\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>isdataat.relative</strong>: offset from cursor instead of start of buffer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-interval <strong>itype.~range</strong>: check if ICMP type is in given range { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>latency.packet.fastpath</strong> = false: fastpath expensive packets (max_time exceeded)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>latency.packet.max_time</strong> = 500: set timeout for packet latency thresholding (usec) { 0:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>latency.rule.max_suspend_time</strong> = 30000: set max time for suspending a rule (ms, 0 means permanently disable rule) { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>latency.rule.max_time</strong> = 500: set timeout for rule evaluation (usec) { 0:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>latency.rule.suspend</strong> = false: temporarily suspend expensive rules\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>latency.rule.suspend_threshold</strong> = 5: set threshold for number of timeouts before suspending a rule { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>log_codecs.file</strong> = false: output to log_codecs.txt instead of stdout\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>log_codecs.msg</strong> = false: include alert msg\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>log_hext.file</strong> = false: output to log_hext.txt instead of stdout\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>log_hext.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>log_hext.raw</strong> = false: output all full packets if true, else just TCP payload\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>log_hext.width</strong> = 20: set line width (0 is unlimited) { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>log_pcap.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>md5.~hash</strong>: data to match\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>md5.length</strong>: number of octets in plain text { 1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>md5.offset</strong>: var or number of bytes from start of buffer to start search\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>md5.relative</strong> = false: offset from cursor instead of start of buffer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>memory.cap</strong> = 0: set the per-packet-thread cap on memory (bytes, 0 to disable) { 0:maxSZ }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>memory.threshold</strong> = 0: set the per-packet-thread threshold for preemptive cleanup actions (percent, 0 to disable) { 0:100 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>metadata.*</code></strong>: comma-separated list of arbitrary name value pairs\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>modbus_func.~</strong>: function code to match\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>modbus_unit.~</strong>: Modbus unit ID { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>mpls.enable_mpls_multicast</strong> = false: enables support for MPLS multicast\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>mpls.enable_mpls_overlapping_ip</strong> = false: enable if private network addresses overlap and must be differentiated by MPLS label(s)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>mpls.max_mpls_stack_depth</strong> = -1: set MPLS stack depth { -1:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>mpls.mpls_payload_type</strong> = ip4: set encapsulated payload type { eth | ip4 | ip6 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>msg.~</strong>: message describing rule\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-interval <strong>mss.~range</strong>: check if TCP MSS is in given range { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-multi <strong>network.checksum_drop</strong> = none: drop if checksum is bad { all | ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-multi <strong>network.checksum_eval</strong> = all: checksums to verify { all | ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>network.id</strong> = 0: correlate unified2 events with configuration { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>network.layers</strong> = 40: the maximum number of protocols that Snort can correctly decode { 3:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>network.max_ip6_extensions</strong> = 0: the maximum number of IP6 options Snort will process for a given IPv6 layer before raising 116:456 (0 = unlimited) { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>network.max_ip_layers</strong> = 0: the maximum number of IP layers Snort will process for a given packet before raising 116:293 (0 = unlimited) { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>network.min_ttl</strong> = 1: alert / normalize packets with lower TTL / hop limit (you must enable rules and / or normalization also) { 1:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>network.new_ttl</strong> = 1: use this value for responses and when normalizing { 1:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.icmp4</strong> = false: clear reserved flag\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.icmp6</strong> = false: clear reserved flag\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.ip4.base</strong> = false: clear options\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.ip4.df</strong> = false: clear don’t frag flag\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.ip4.rf</strong> = false: clear reserved flag\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.ip4.tos</strong> = false: clear tos / differentiated services byte\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.ip4.trim</strong> = false: truncate excess payload beyond datagram length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.ip6</strong> = false: clear reserved flag\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>normalizer.tcp.allow_codes</strong>: don’t clear given option codes\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-multi <strong>normalizer.tcp.allow_names</strong>: don’t clear given option names { sack | echo | partial_order | conn_count | alt_checksum | md5 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.tcp.base</strong> = false: clear reserved bits and option padding and fix urgent pointer / flags issues\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.tcp.block</strong> = false: allow packet drops during TCP normalization\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-select <strong>normalizer.tcp.ecn</strong> = off: clear ecn for all packets | sessions w/o ecn setup { off | packet | stream }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.tcp.ips</strong> = true: ensure consistency in retransmitted data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.tcp.opts</strong> = false: clear all options except mss, wscale, timestamp, and any explicitly allowed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.tcp.pad</strong> = false: clear any option padding bytes\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.tcp.req_pay</strong> = false: clear the urgent pointer and the urgent flag if there is no payload\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.tcp.req_urg</strong> = false: clear the urgent pointer if the urgent flag is not set\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.tcp.req_urp</strong> = false: clear the urgent flag if the urgent pointer is not set\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.tcp.rsv</strong> = false: clear the reserved bits in the TCP header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.tcp.trim</strong> = false: enable all of the TCP trim options\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.tcp.trim_mss</strong> = false: trim data to MSS\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.tcp.trim_rst</strong> = false: remove any data from RST packet\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.tcp.trim_syn</strong> = false: remove data on SYN\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.tcp.trim_win</strong> = false: trim data to window\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>normalizer.tcp.urp</strong> = false: adjust urgent pointer if beyond segment length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>output.dump_chars_only</strong> = false: turns on character dumps (same as -C)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>output.dump_payload</strong> = false: dumps application layer (same as -d)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>output.dump_payload_verbose</strong> = false: dumps raw packet starting at link layer (same as -X)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>output.event_trace.max_data</strong> = 0: maximum amount of packet data to capture { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>output.logdir</strong> = .: where to put log files (same as -l)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>output.obfuscate</strong> = false: obfuscate the logged IP addresses (same as -O)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>output.quiet</strong> = false: suppress normal logging on stdout (same as -q)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>output.show_year</strong> = false: include year in timestamp in the alert and log files (same as -y)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>output.tagged_packet_limit</strong> = 256: maximum number of packets tagged for non-packet metrics { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>output.verbose</strong> = false: be verbose (same as -v)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>output.wide_hex_dump</strong> = false: output 20 bytes per lines instead of 16 when dumping buffers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>packet_capture.enable</strong> = false: initially enable packet dumping\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>packet_capture.filter</strong>: bpf filter to use for packet dump\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>packets.address_space_agnostic</strong> = false: determines whether DAQ address space info is used to track fragments and connections\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>packets.bpf_file</strong>: file with BPF to select traffic for Snort\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>packets.limit</strong> = 0: maximum number of packets to process before stopping (0 is unlimited) { 0:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>packets.skip</strong> = 0: number of packets to skip before before processing { 0:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>packets.vlan_agnostic</strong> = false: determines whether VLAN info is used to track fragments and connections\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>packet_tracer.enable</strong> = false: enable summary output of state that determined packet verdict\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>packet_tracer.output</strong> = console: select where to send packet trace { console | file }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>pcre.~re</strong>: Snort regular expression\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>perf_monitor.base</strong> = true: enable base statistics\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>perf_monitor.cpu</strong> = false: enable cpu statistics\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>perf_monitor.flow</strong> = false: enable traffic statistics\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>perf_monitor.flow_ip</strong> = false: enable statistics on host pairs\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>perf_monitor.flow_ip_memcap</strong> = 52428800: maximum memory in bytes for flow tracking { 236:maxSZ }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>perf_monitor.flow_ports</strong> = 1023: maximum ports to track { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>perf_monitor.format</strong> = csv: output format for stats { csv | text | json | flatbuffers }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>perf_monitor.max_file_size</strong> = 1073741824: files will be rolled over if they exceed this size { 4096:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>perf_monitor.modules[].name</code></strong>: name of the module\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>perf_monitor.modules[].pegs</code></strong>: list of statistics to track or empty for all counters\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>perf_monitor.output</strong> = file: output location for stats { file | console }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>perf_monitor.packets</strong> = 10000: minimum packets to report { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>perf_monitor.seconds</strong> = 60: report interval { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>perf_monitor.summary</strong> = false: output summary at shutdown\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-interval <strong>pkt_num.~range</strong>: check if packet number is in given range { 1: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>pop.b64_decode_depth</strong> = -1: base64 decoding depth (-1 no limit) { -1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>pop.bitenc_decode_depth</strong> = -1: Non-Encoded MIME attachment extraction depth (-1 no limit) { -1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>pop.decompress_pdf</strong> = false: decompress pdf files in MIME attachments\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>pop.decompress_swf</strong> = false: decompress swf files in MIME attachments\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>pop.decompress_zip</strong> = false: decompress zip files in MIME attachments\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>pop.qp_decode_depth</strong> = -1: Quoted Printable decoding depth (-1 no limit) { -1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>pop.uu_decode_depth</strong> = -1: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>port_scan.alert_all</strong> = false: alert on all events over threshold within window if true; else alert on first only\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.icmp_sweep.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.icmp_sweep.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.icmp_sweep.rejects</strong> = 15: scan attempts with negative response { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.icmp_sweep.scans</strong> = 100: scan attempts { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.icmp_window</strong> = 0: detection interval for all ICMP scans { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>port_scan.ignore_scanned</strong>: list of CIDRs with optional ports to ignore if the destination of scan alerts\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>port_scan.ignore_scanners</strong>: list of CIDRs with optional ports to ignore if the source of scan alerts\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>port_scan.include_midstream</strong> = false: list of CIDRs with optional ports\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.ip_decoy.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.ip_decoy.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.ip_decoy.rejects</strong> = 15: scan attempts with negative response { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.ip_decoy.scans</strong> = 100: scan attempts { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.ip_dist.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.ip_dist.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.ip_dist.rejects</strong> = 15: scan attempts with negative response { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.ip_dist.scans</strong> = 100: scan attempts { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.ip_proto.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.ip_proto.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.ip_proto.rejects</strong> = 15: scan attempts with negative response { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.ip_proto.scans</strong> = 100: scan attempts { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.ip_sweep.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.ip_sweep.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.ip_sweep.rejects</strong> = 15: scan attempts with negative response { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.ip_sweep.scans</strong> = 100: scan attempts { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.ip_window</strong> = 0: detection interval for all IP scans { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.memcap</strong> = 10485760: maximum tracker memory in bytes { 1024:maxSZ }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-multi <strong>port_scan.protos</strong> = all: choose the protocols to monitor { tcp | udp | icmp | ip | all }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-multi <strong>port_scan.scan_types</strong> = all: choose type of scans to look for { portscan | portsweep | decoy_portscan | distributed_portscan | all }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.tcp_decoy.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.tcp_decoy.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.tcp_decoy.rejects</strong> = 15: scan attempts with negative response { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.tcp_decoy.scans</strong> = 100: scan attempts { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.tcp_dist.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.tcp_dist.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.tcp_dist.rejects</strong> = 15: scan attempts with negative response { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.tcp_dist.scans</strong> = 100: scan attempts { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.tcp_ports.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.tcp_ports.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.tcp_ports.rejects</strong> = 15: scan attempts with negative response { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.tcp_ports.scans</strong> = 100: scan attempts { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.tcp_sweep.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.tcp_sweep.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.tcp_sweep.rejects</strong> = 15: scan attempts with negative response { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.tcp_sweep.scans</strong> = 100: scan attempts { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.tcp_window</strong> = 0: detection interval for all TCP scans { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.udp_decoy.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.udp_decoy.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.udp_decoy.rejects</strong> = 15: scan attempts with negative response { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.udp_decoy.scans</strong> = 100: scan attempts { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.udp_dist.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.udp_dist.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.udp_dist.rejects</strong> = 15: scan attempts with negative response { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.udp_dist.scans</strong> = 100: scan attempts { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.udp_ports.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.udp_ports.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.udp_ports.rejects</strong> = 15: scan attempts with negative response { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.udp_ports.scans</strong> = 100: scan attempts { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.udp_sweep.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.udp_sweep.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.udp_sweep.rejects</strong> = 15: scan attempts with negative response { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.udp_sweep.scans</strong> = 100: scan attempts { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>port_scan.udp_window</strong> = 0: detection interval for all UDP scans { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>port_scan.watch_ip</strong>: list of CIDRs with optional ports to watch\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>priority.~</strong>: relative severity level; 1 is highest priority { 1:max31 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>process.chroot</strong>: set chroot directory (same as -t)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>process.daemon</strong> = false: fork as a daemon (same as -D)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>process.dirty_pig</strong> = false: shutdown without internal cleanup\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>process.set_gid</strong>: set group ID (same as -g)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>process.set_uid</strong>: set user ID (same as -u)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>process.threads[].cpuset</code></strong>: pin the associated thread to this cpuset\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>process.threads[].name</code></strong>: define which threads will have specified affinity, by thread name\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>process.threads[].thread</code></strong>: set cpu affinity for the <cur_thread_num> thread that runs { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong><code>process.threads[].type</code></strong>: define which threads will have specified affinity, by their type { other|packet|main }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>process.umask</strong>: set process umask (same as -m) { 0x000:0x1FF }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>process.utc</strong> = false: use UTC instead of local time for timestamps\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>profiler.memory.count</strong> = 0: limit results to count items per level (0 = no limit) { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>profiler.memory.max_depth</strong> = -1: limit depth to max_depth (-1 = no limit) { -1:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>profiler.memory.show</strong> = true: show module memory profile stats\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>profiler.memory.sort</strong> = total_used: sort by given field { none | allocations | total_used | avg_allocation }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>profiler.modules.count</strong> = 0: limit results to count items per level (0 = no limit) { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>profiler.modules.max_depth</strong> = -1: limit depth to max_depth (-1 = no limit) { -1:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>profiler.modules.show</strong> = true: show module time profile stats\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>profiler.modules.sort</strong> = total_time: sort by given field { none | checks | avg_check | total_time }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>profiler.rules.count</strong> = 0: print results to given level (0 = all) { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>profiler.rules.show</strong> = true: show rule time profile stats\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>profiler.rules.sort</strong> = total_time: sort by given field { none | checks | avg_check | total_time | matches | no_matches | avg_match | avg_no_match }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>rate_filter[].apply_to</code></strong>: restrict filter to these addresses according to track\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>rate_filter[].count</code></strong> = 1: number of events in interval before tripping { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>rate_filter[].gid</code></strong> = 1: rule generator ID { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong><code>rate_filter[].new_action</code></strong> = alert: take this action on future hits until timeout { log | pass | alert | drop | block | reset }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>rate_filter[].seconds</code></strong> = 1: count interval { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>rate_filter[].sid</code></strong> = 1: rule signature ID { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>rate_filter[].timeout</code></strong> = 1: count interval { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong><code>rate_filter[].track</code></strong> = by_src: filter only matching source or destination addresses { by_src | by_dst | by_rule }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>react.page</strong>: file containing HTTP response (headers and body)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>reference.~ref</strong>: reference: <scheme>,<id>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>references[].name</code></strong>: name used with reference rule option\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>references[].url</code></strong>: where this reference is defined\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>regex.dotall</strong>: matching a . will not exclude newlines\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>regex.fast_pattern</strong>: use this content in the fast pattern matcher instead of the content selected by default\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>regex.multiline</strong>: ^ and $ anchors match any newlines in data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>regex.nocase</strong>: case insensitive match\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>regex.~re</strong>: hyperscan regular expression\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>regex.relative</strong>: start search from end of last match instead of start of buffer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>reject.control</strong> = none: send ICMP unreachable(s) { none|network|host|port|forward|all }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>reject.reset</strong> = both: send TCP reset to one or both ends { none|source|dest|both }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>rem.~</strong>: comment\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>replace.~</strong>: byte code to replace with\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>reputation.blacklist</strong>: blacklist file name with IP lists\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>reputation.list_dir</strong>: directory for IP lists and manifest file\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>reputation.memcap</strong> = 500: maximum total MB of memory allocated { 1:4095 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>reputation.nested_ip</strong> = inner: IP to use when there is IP encapsulation { inner|outer|all }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>reputation.priority</strong> = whitelist: defines priority when there is a decision conflict during run-time { blacklist|whitelist }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>reputation.scan_local</strong> = false: inspect local address defined in RFC 1918\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>reputation.whitelist</strong>: whitelist file name with IP lists\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>reputation.white</strong> = unblack: specify the meaning of whitelist { unblack|trust }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>rev.~</strong>: revision { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>rewrite.disable_replace</strong> = false: disable replace of packet contents with rewrite rules\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>rna.enable_logger</strong> = true: enable or disable writing discovery events into logger\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>rna.fingerprint_dir</strong>: directory to fingerprint patterns\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>rna.log_when_idle</strong> = false: enable host update logging when snort is idle\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>rna.rna_conf_path</strong>: path to rna configuration\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>rpc.~app</strong>: application number { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>rpc.~proc</strong>: procedure number or * for any\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>rpc.~ver</strong>: version number or * for any\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong><code>rule_state.$gid_sid[].action</code></strong> = alert: apply action if rule matches or inherit from rule definition { log | pass | alert | drop | block | reset }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong><code>rule_state.$gid_sid[].enable</code></strong> = inherit: enable or disable rule in current ips policy or use default defined by ips policy { no | yes | inherit }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>s7commplus_func.~</strong>: function code to match\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>s7commplus_opcode.~</strong>: opcode code to match\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>sd_pattern.~pattern</strong>: The pattern to search for\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>sd_pattern.threshold</strong> = 1: number of matches before alerting { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>search_engine.bleedover_port_limit</strong> = 1024: maximum ports in rule before demotion to any-any port group { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>search_engine.bleedover_warnings_enabled</strong> = false: print warning if a rule is demoted to any-any port group\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>search_engine.debug</strong> = false: print verbose fast pattern info\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>search_engine.debug_print_nocontent_rule_tests</strong> = false: print rule group info during packet evaluation\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>search_engine.debug_print_rule_group_build_details</strong> = false: print rule group info during compilation\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>search_engine.debug_print_rule_groups_compiled</strong> = false: prints compiled rule group information\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>search_engine.debug_print_rule_groups_uncompiled</strong> = false: prints uncompiled rule group information\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>search_engine.detect_raw_tcp</strong> = false: detect on TCP payload before reassembly\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>search_engine.enable_single_rule_group</strong> = false: put all rules into one group\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>search_engine.max_pattern_len</strong> = 0: truncate patterns when compiling into state machine (0 means no maximum) { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>search_engine.max_queue_events</strong> = 5: maximum number of matching fast pattern states to queue per packet { 2:100 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-dynamic <strong>search_engine.offload_search_method</strong>: set fast pattern offload algorithm - choose available search engine { ac_banded | ac_bnfa | ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan | lowmem }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>search_engine.queue_limit</strong> = 128: maximum number of fast pattern matches to queue per packet (0 means no maximum) { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-dynamic <strong>search_engine.search_method</strong> = ac_bnfa: set fast pattern algorithm - choose available search engine { ac_banded | ac_bnfa | ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan | lowmem }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>search_engine.search_optimize</strong> = true: tweak state machine construction for better performance\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>search_engine.show_fast_patterns</strong> = false: print fast pattern info for each rule\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>search_engine.split_any_any</strong> = true: evaluate any-any rules separately to save memory\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-interval <strong>seq.~range</strong>: check if TCP sequence number is in given range { 0: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>service.*</code></strong>: one or more comma-separated service names\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>sha256.~hash</strong>: data to match\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>sha256.length</strong>: number of octets in plain text { 1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>sha256.offset</strong>: var or number of bytes from start of buffer to start search\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>sha256.relative</strong> = false: offset from cursor instead of start of buffer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>sha512.~hash</strong>: data to match\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>sha512.length</strong>: number of octets in plain text { 1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>sha512.offset</strong>: var or number of bytes from start of buffer to start search\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>sha512.relative</strong> = false: offset from cursor instead of start of buffer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>side_channel.connector</strong>: connector handle\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>side_channel.connectors[].connector</code></strong>: connector handle\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bit_list <strong>side_channel.ports</strong>: side channel message port list { 65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>sid.~</strong>: signature id { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>sip.ignore_call_channel</strong> = false: enables the support for ignoring audio/video data channel\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>sip.max_call_id_len</strong> = 256: maximum call id field size { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>sip.max_contact_len</strong> = 256: maximum contact field size { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>sip.max_content_len</strong> = 1024: maximum content length of the message body { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>sip.max_dialogs</strong> = 4: maximum number of dialogs within one stream session { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>sip.max_from_len</strong> = 256: maximum from field size { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>sip.max_requestName_len</strong> = 20: maximum request name field size { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>sip.max_to_len</strong> = 256: maximum to field size { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>sip.max_uri_len</strong> = 256: maximum request uri field size { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>sip.max_via_len</strong> = 1024: maximum via field size { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>sip_method.*method</code></strong>: sip method\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>sip.methods</strong> = invite cancel ack bye register options: list of methods to check in SIP messages\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>sip_stat_code.*code</code></strong>: status code { 1:999 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>smtp.alt_max_command_line_len[].command</code></strong>: command string\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>smtp.alt_max_command_line_len[].length</code></strong> = 0: specify non-default maximum for command { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>smtp.auth_cmds</strong>: commands that initiate an authentication exchange\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>smtp.b64_decode_depth</strong> = -1: depth used to decode the base64 encoded MIME attachments (-1 no limit) { -1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>smtp.binary_data_cmds</strong>: commands that initiate sending of data and use a length value after the command\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>smtp.bitenc_decode_depth</strong> = -1: depth used to extract the non-encoded MIME attachments (-1 no limit) { -1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>smtp.data_cmds</strong>: commands that initiate sending of data with an end of data delimiter\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>smtp.decompress_pdf</strong> = false: decompress pdf files in MIME attachments\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>smtp.decompress_swf</strong> = false: decompress swf files in MIME attachments\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>smtp.decompress_zip</strong> = false: decompress zip files in MIME attachments\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>smtp.email_hdrs_log_depth</strong> = 1464: depth for logging email headers { 0:20480 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>smtp.ignore_data</strong> = false: ignore data section of mail\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>smtp.ignore_tls_data</strong> = false: ignore TLS-encrypted data when processing rules\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>smtp.invalid_cmds</strong>: alert if this command is sent from client side\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>smtp.log_email_hdrs</strong> = false: log the SMTP email headers extracted from SMTP data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>smtp.log_filename</strong> = false: log the MIME attachment filenames extracted from the Content-Disposition header within the MIME body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>smtp.log_mailfrom</strong> = false: log the sender’s email address extracted from the MAIL FROM command\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>smtp.log_rcptto</strong> = false: log the recipient’s email address extracted from the RCPT TO command\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>smtp.max_auth_command_line_len</strong> = 1000: max auth command Line Length { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>smtp.max_command_line_len</strong> = 512: max Command Line Length { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>smtp.max_header_line_len</strong> = 1000: max SMTP DATA header line { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>smtp.max_response_line_len</strong> = 512: max SMTP response line { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>smtp.normalize_cmds</strong>: list of commands to normalize\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>smtp.normalize</strong> = none: turns on/off normalization { none | cmds | all }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>smtp.qp_decode_depth</strong> = -1: quoted-Printable decoding depth (-1 no limit) { -1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>smtp.uu_decode_depth</strong> = -1: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>smtp.valid_cmds</strong>: list of valid commands\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>smtp.xlink2state</strong> = alert: enable/disable xlink2state alert { disable | alert | drop }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--alert-before-pass</strong>: evaluate alert rules before pass rules; default is pass rules first\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.-A</strong>: <mode> set alert mode: none, cmg, or alert_*\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-addr <strong>snort.-B</strong> = 255.255.255.255/32: <mask> obfuscated IP addresses in alerts and packet dumps using CIDR mask\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--bpf</strong>: <filter options> are standard BPF options, as seen in TCPDump\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--c2x</strong>: output hex for given char (see also --x2c)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.-c</strong>: <conf> use this configuration\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--control-socket</strong>: <file> to create unix socket\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.-C</strong>: print out payloads with character data only (no hex)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--create-pidfile</strong>: create PID file, even when not in Daemon mode\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>snort.--daq-batch-size</strong> = 64: <size> set the DAQ receive batch size { 1: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--daq-dir</strong>: <dir> tell snort where to find desired DAQ\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--daq-list</strong>: list packet acquisition modules available in optional dir, default is static modules only\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>snort.--daq-mode</strong>: <mode> select DAQ module operating mode (overrides automatic selection) { passive | inline | read-file }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--daq</strong>: <type> select packet acquisition module (default is pcap)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--daq-var</strong>: <name=value> specify extra DAQ configuration variable\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.-d</strong>: dump the Application Layer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--dirty-pig</strong>: don’t flush packets on shutdown\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.-D</strong>: run Snort in background (daemon) mode\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--dump-builtin-rules</strong>: [<module prefix>] output stub rules for selected modules { (optional) }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--dump-defaults</strong>: [<module prefix>] output module defaults in Lua format { (optional) }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--dump-dynamic-rules</strong>: output stub rules for all loaded rules libraries\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--dump-rule-deps</strong>: dump rule dependencies in json format for use by other tools\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--dump-rule-meta</strong>: dump configured rule info in json format for use by other tools\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--dump-rule-state</strong>: dump configured rule state in json format for use by other tools\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--dump-version</strong>: output the version, the whole version, and only the version\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.-e</strong>: display the second layer header info\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--enable-inline-test</strong>: enable Inline-Test Mode Operation\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.-f</strong>: turn off fflush() calls after binary log writes\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>snort.-G</strong>: <0xid> (same as --logid) { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--gen-msg-map</strong>: dump configured rules in gen-msg.map format for use by other tools\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.-g</strong>: <gname> run snort gid as <gname> group (or gid) after initialization\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--help-commands</strong>: [<module prefix>] output matching commands { (optional) }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--help-config</strong>: [<module prefix>] output matching config options { (optional) }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--help-counts</strong>: [<module prefix>] output matching peg counts { (optional) }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--help-limits</strong>: print the int upper bounds denoted by max*\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--help</strong>: list command line options\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--help-module</strong>: <module> output description of given module\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--help-modules</strong>: list all available modules with brief help\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--help-options</strong>: [<option prefix>] output matching command line option quick help (same as -?) { (optional) }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--help-plugins</strong>: list all available plugins with brief help\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--help-signals</strong>: dump available control signals\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.-H</strong>: make hash tables deterministic\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>snort.--id-offset</strong> = 0: offset to add to instance IDs when logging to files { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--id-subdir</strong>: create/use instance subdirectories in logdir instead of instance filename prefix\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--id-zero</strong>: use id prefix / subdirectory even with one packet thread\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--ignore-warn-flowbits</strong>: ignore warnings about flowbits that are checked but not set and vice-versa\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--ignore-warn-rules</strong>: ignore warnings about duplicate rules and rule parsing issues\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.-i</strong>: <iface>… list of interfaces\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--include-path</strong>: <path> where to find Lua and rule included files; searched before current or config directories\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-port <strong>snort.-j</strong>: <port> to listen for Telnet connections\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>snort.-k</strong> = all: <mode> checksum mode; default is all { all|noip|notcp|noudp|noicmp|none }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--list-buffers</strong>: output available inspection buffers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--list-builtin</strong>: [<module prefix>] output matching builtin rules { (optional) }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--list-gids</strong>: [<module prefix>] output matching generators { (optional) }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--list-modules</strong>: [<module type>] list all known modules of given type { (optional) }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--list-plugins</strong>: list all known plugins\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.-l</strong>: <logdir> log to this directory instead of current directory\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.-L</strong>: <mode> logging mode (none, dump, pcap, or log_*)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>snort.--logid</strong>: <0xid> log Identifier to uniquely id events for multiple snorts (same as -G) { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--lua</strong>: <chunk> extend/override conf with chunk; may be repeated\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--markup</strong>: output help in asciidoc compatible format\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>snort.--max-packet-threads</strong>: <count> configure maximum number of packet threads (same as -z) { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--mem-check</strong>: like -T but also compile search engines\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--metadata-filter</strong>: <filter> load only rules containing filter string in metadata if set\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.-M</strong>: log messages to syslog (not alerts)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>snort.-m</strong>: <umask> set the process file mode creation mask { 0x000:0x1FF }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>snort.-n</strong>: <count> stop after count packets { 0:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--nolock-pidfile</strong>: do not try to lock Snort PID file\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--nostamps</strong>: don’t include timestamps in log file names\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.-O</strong>: obfuscate the logged IP addresses\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.-?</strong>: <option prefix> output matching command line option quick help (same as --help-options) { (optional) }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--pause</strong>: wait for resume/quit command before processing packets/terminating\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--pcap-dir</strong>: <dir> a directory to recurse to look for pcaps - read mode is implied\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--pcap-file</strong>: <file> file that contains a list of pcaps to read - read mode is implied\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--pcap-filter</strong> = <strong>.*cap</strong>: <filter> filter to apply when getting pcaps from file or directory\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--pcap-list</strong>: <list> a space separated list of pcaps to read - read mode is implied\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>snort.--pcap-loop</strong>: <count> read all pcaps <count> times; 0 will read until Snort is terminated { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--pcap-no-filter</strong>: reset to use no filter when getting pcaps from file or directory\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--pcap-show</strong>: print a line saying what pcap is currently being read\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--pedantic</strong>: warnings are fatal\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--plugin-path</strong>: <path> a colon separated list of directories or plugin libraries\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--process-all-events</strong>: process all action groups\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.-Q</strong>: enable inline mode operation\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.-q</strong>: quiet mode - suppress normal logging on stdout\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.-r</strong>: <pcap>… (same as --pcap-list)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.-R</strong>: <rules> include this rules file in the default policy\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--rule-path</strong>: <path> where to find rules files\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--rule</strong>: <rules> to be added to configuration; may be repeated\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--rule-to-hex</strong>: output so rule header to stdout for text rule on stdin\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--rule-to-text</strong>: output plain so rule header to stdout for text rule on stdin (specify delimiter or [Snort_SO_Rule] will be used) { 16 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--run-prefix</strong>: <pfx> prepend this to each output file\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>snort.-s</strong> = 1518: <snap> (same as --snaplen); default is 1518 { 68:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--script-path</strong>: <path> to a luajit script or directory containing luajit scripts\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--shell</strong>: enable the interactive command line\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--show-file-codes</strong>: indicate how files are located: A=absolute and W, F, C which are relative to the working directory, including file, and config file respectively\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--show-plugins</strong>: list module and plugin versions\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>snort.--skip</strong>: <n> skip 1st n packets { 0:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>snort.--snaplen</strong> = 1518: <snap> set snaplen of packet (same as -s) { 68:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--stdin-rules</strong>: read rules from stdin until EOF or a line starting with END is read\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.-S</strong>: <x=v> set config variable x equal to value v\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--talos</strong>: enable Talos tweak (same as --tweaks talos)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.-t</strong>: <dir> chroots process to <dir> after initialization\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--trace</strong>: turn on main loop debug trace\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--treat-drop-as-alert</strong>: converts drop, block, and reset rules into alert rules when loaded\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--treat-drop-as-ignore</strong>: use drop, block, and reset rules to ignore session traffic when not inline\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.-T</strong>: test and report on the current Snort configuration\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--tweaks</strong>: tune configuration\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.-u</strong>: <uname> run snort as <uname> or <uid> after initialization\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.-U</strong>: use UTC for timestamps\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.-v</strong>: be verbose\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--version</strong>: show version number (same as -V)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.-V</strong>: (same as --version)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--warn-all</strong>: enable all warnings\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--warn-conf-strict</strong>: warn about unrecognized elements in configuration files\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--warn-conf</strong>: warn about configuration issues\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--warn-daq</strong>: warn about DAQ issues, usually related to mode\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--warn-flowbits</strong>: warn about flowbits that are checked but not set and vice-versa\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--warn-hosts</strong>: warn about host table issues\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--warn-plugins</strong>: warn about issues that prevent plugins from loading\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--warn-rules</strong>: warn about duplicate rules and rule parsing issues\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--warn-scripts</strong>: warn about issues discovered while processing Lua scripts\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--warn-symbols</strong>: warn about unknown symbols in your Lua config\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.--warn-vars</strong>: warn about variable definition and usage issues\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>snort.--x2c</strong>: output ASCII char for given hex (see also --c2x) { 0x00:0xFF }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>snort.--x2s</strong>: output ASCII string for given byte code (see also --x2c)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.-X</strong>: dump the raw packet data starting at the link layer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.-x</strong>: same as --pedantic\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>snort.-y</strong>: include year in timestamp in the alert and log files\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>snort.-z</strong>: <count> maximum number of packet threads (same as --max-packet-threads); 0 gets the number of CPU cores reported by the system; default is 1 { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>so.~func</strong>: name of eval function\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>soid.~</strong>: SO rule ID is unique key, eg <gid>_<sid>_<rev> like 3_45678_9\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>so.relative</strong>: offset from cursor instead of start of buffer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>ssh.max_client_bytes</strong> = 19600: number of unanswered bytes before alerting on challenge-response overflow or CRC32 { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>ssh.max_encrypted_packets</strong> = 25: ignore session after this many encrypted packets { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>ssh.max_server_version_len</strong> = 80: limit before alerting on secure CRT server version string overflow { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>ssl.max_heartbeat_length</strong> = 0: maximum length of heartbeat record allowed { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_state.client_hello</strong>: check for client hello\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_state.!client_hello</strong>: check for records that are not client hello\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_state.client_keyx</strong>: check for client keyx\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_state.!client_keyx</strong>: check for records that are not client keyx\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_state.!server_hello</strong>: check for records that are not server hello\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_state.server_hello</strong>: check for server hello\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_state.!server_keyx</strong>: check for records that are not server keyx\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_state.server_keyx</strong>: check for server keyx\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_state.!unknown</strong>: check for records that are not unknown\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_state.unknown</strong>: check for unknown record\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>ssl.trust_servers</strong> = false: disables requirement that application (encrypted) data must be observed on both sides\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_version.!sslv2</strong>: check for records that are not sslv2\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_version.sslv2</strong>: check for sslv2\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_version.!sslv3</strong>: check for records that are not sslv3\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_version.sslv3</strong>: check for sslv3\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_version.!tls1.0</strong>: check for records that are not tls1.0\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_version.tls1.0</strong>: check for tls1.0\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_version.!tls1.1</strong>: check for records that are not tls1.1\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_version.tls1.1</strong>: check for tls1.1\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_version.!tls1.2</strong>: check for records that are not tls1.2\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_version.tls1.2</strong>: check for tls1.2\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.file_cache.cap_weight</strong> = 32: additional bytes to track per flow for better estimation against cap { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.file_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>stream_file.upload</strong> = false: indicate file transfer direction\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.held_packet_timeout</strong> = 1000: timeout in milliseconds for held packets { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.icmp_cache.cap_weight</strong> = 0: additional bytes to track per flow for better estimation against cap { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.icmp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream_icmp.session_timeout</strong> = 30: session tracking timeout { 1:max31 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.ip_cache.cap_weight</strong> = 0: additional bytes to track per flow for better estimation against cap { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.ip_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>stream.ip_frags_only</strong> = false: don’t process non-frag flows\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream_ip.max_frags</strong> = 8192: maximum number of simultaneous fragments being tracked { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream_ip.max_overlaps</strong> = 0: maximum allowed overlaps per datagram; 0 is unlimited { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream_ip.min_frag_length</strong> = 0: alert if fragment length is below this limit before or after trimming { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream_ip.min_ttl</strong> = 1: discard fragments with TTL below the minimum { 1:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>stream_ip.policy</strong> = linux: fragment reassembly policy { first | linux | bsd | bsd_right | last | windows | solaris }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream_ip.session_timeout</strong> = 30: session tracking timeout { 1:max31 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.max_flows</strong> = 476288: maximum simultaneous flows tracked before pruning { 2:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>stream_reassemble.action</strong>: stop or start stream reassembly { disable|enable }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>stream_reassemble.direction</strong>: action applies to the given direction(s) { client|server|both }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>stream_reassemble.fastpath</strong>: optionally whitelist the remainder of the session\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>stream_reassemble.noalert</strong>: don’t alert when rule matches\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>stream_size.~direction</strong>: compare applies to the given direction(s) { either|to_server|to_client|both }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-interval <strong>stream_size.~range</strong>: check if the stream size is in the given range { 0: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.tcp_cache.cap_weight</strong> = 11000: additional bytes to track per flow for better estimation against cap { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.tcp_cache.idle_timeout</strong> = 3600: maximum inactive time before retiring session tracker { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream_tcp.flush_factor</strong> = 0: flush upon seeing a drop in segment size after given number of non-decreasing segments { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream_tcp.max_pdu</strong> = 16384: maximum reassembled PDU size { 1460:32768 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream_tcp.max_window</strong> = 0: maximum allowed TCP window { 0:1073725440 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>stream_tcp.no_ack</strong> = false: received data is implicitly acked immediately\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream_tcp.overlap_limit</strong> = 0: maximum number of allowed overlapping segments per session { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>stream_tcp.policy</strong> = bsd: determines operating system characteristics like reassembly { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream_tcp.queue_limit.max_bytes</strong> = 1048576: don’t queue more than given bytes per session and direction { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream_tcp.queue_limit.max_segments</strong> = 2621: don’t queue more than given segments per session and direction { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>stream_tcp.reassemble_async</strong> = true: queue data for reassembly before traffic is seen in both directions\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream_tcp.require_3whs</strong> = -1: don’t track midstream sessions after given seconds from start up; -1 tracks all { -1:max31 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream_tcp.session_timeout</strong> = 30: session tracking timeout { 1:max31 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>stream_tcp.show_rebuilt_packets</strong> = false: enable cmg like output of reassembled packets\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream_tcp.small_segments.count</strong> = 0: number of consecutive TCP small segments considered to be excessive (129:12) { 0:2048 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream_tcp.small_segments.maximum_size</strong> = 0: minimum bytes for a TCP segment not to be considered small (129:12) { 0:2048 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>stream_tcp.track_only</strong> = false: disable reassembly if true\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.udp_cache.cap_weight</strong> = 0: additional bytes to track per flow for better estimation against cap { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.udp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream_udp.session_timeout</strong> = 30: session tracking timeout { 1:max31 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.user_cache.cap_weight</strong> = 0: additional bytes to track per flow for better estimation against cap { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.user_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream_user.session_timeout</strong> = 30: session tracking timeout { 1:max31 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>suppress[].gid</code></strong> = 0: rule generator ID { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>suppress[].ip</code></strong>: restrict suppression to these addresses according to track\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>suppress[].sid</code></strong> = 0: rule signature ID { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong><code>suppress[].track</code></strong>: suppress only matching source or destination addresses { by_src | by_dst }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>tag.bytes</strong>: tag for this many bytes { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>tag.~</strong>: log all packets in session or all packets to or from host { session|host_src|host_dst }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>tag.packets</strong>: tag this many packets { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>tag.seconds</strong>: tag for this many seconds { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>target.~</strong>: indicate the target of the attack { src_ip | dst_ip }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>tcp_connector.address</strong>: address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-port <strong>tcp_connector.base_port</strong>: base port number\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>tcp_connector.connector</strong>: connector name\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>tcp_connector.setup</strong>: stream establishment { call | answer }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>telnet.ayt_attack_thresh</strong> = -1: alert on this number of consecutive Telnet AYT commands { -1:max31 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>telnet.check_encrypted</strong> = false: check for end of encryption\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>telnet.encrypted_traffic</strong> = false: check for encrypted Telnet\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>telnet.normalize</strong> = false: eliminate escape sequences\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-interval <strong>tos.~range</strong>: check if IP TOS is in given range { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>trace.constraints.dst_ip</strong>: destination IP address filter\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.constraints.dst_port</strong>: destination port filter { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.constraints.ip_proto</strong>: numerical IP protocol ID filter { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>trace.constraints.match</strong> = true: use constraints to filter traces\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>trace.constraints.src_ip</strong>: source IP address filter\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.constraints.src_port</strong>: source port filter { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.appid.all</strong>: enable all trace options { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.dce_smb.all</strong>: enable all trace options { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.dce_udp.all</strong>: enable all trace options { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.decode.all</strong>: enable all trace options { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.detection.all</strong>: enable all trace options { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.detection.buffer</strong>: enable buffer trace logging { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.detection.detect_engine</strong>: enable detection engine trace logging { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.detection.fp_search</strong>: enable fast pattern search trace logging { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.detection.opt_tree</strong>: enable tree option trace logging { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.detection.pkt_detect</strong>: enable packet detection trace logging { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.detection.rule_eval</strong>: enable rule evaluation trace logging { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.detection.rule_vars</strong>: enable rule variables trace logging { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.detection.tag</strong>: enable tag trace logging { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.gtp_inspect.all</strong>: enable all trace options { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.latency.all</strong>: enable all trace options { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.snort.all</strong>: enable all trace options { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.snort.inspector_manager</strong>: enable inspector manager trace logging { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.snort.main</strong>: enable main trace logging { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.stream.all</strong>: enable all trace options { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.stream_ip.all</strong>: enable all trace options { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.stream_user.all</strong>: enable all trace options { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>trace.modules.wizard.all</strong>: enable all trace options { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>trace.output</strong>: output method for trace log messages { stdout | syslog }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-interval <strong>ttl.~range</strong>: check if IP TTL is in the given range { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>udp.deep_teredo_inspection</strong> = false: look for Teredo on all UDP ports (default is only 3544)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bit_list <strong>udp.gtp_ports</strong> = 2152 3386: set GTP ports { 65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bit_list <strong>udp.vxlan_ports</strong> = 4789: set VXLAN ports { 65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>unified2.legacy_events</strong> = false: generate Snort 2.X style events for barnyard2 compatibility\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>unified2.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>unified2.nostamp</strong> = true: append file creation time to name (in Unix Epoch format)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-interval <strong>urg.~range</strong>: check if tcp urgent offset is in given range { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-interval <strong>window.~range</strong>: check if TCP window size is in given range { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-multi <strong>wizard.curses</strong>: enable service identification based on internal algorithm { dce_smb | dce_udp | dce_tcp }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong><code>wizard.hexes[].client_first</code></strong> = true: which end initiates data transfer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-select <strong><code>wizard.hexes[].proto</code></strong> = tcp: protocol to scan { tcp | udp }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>wizard.hexes[].service</code></strong>: name of service\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>wizard.hexes[].to_client[].hex</code></strong>: sequence of data with wild chars (?)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>wizard.hexes[].to_server[].hex</code></strong>: sequence of data with wild chars (?)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong><code>wizard.spells[].client_first</code></strong> = true: which end initiates data transfer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-select <strong><code>wizard.spells[].proto</code></strong> = tcp: protocol to scan { tcp | udp }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>wizard.spells[].service</code></strong>: name of service\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>wizard.spells[].to_client[].spell</code></strong>: sequence of data with wild cards (*)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>wizard.spells[].to_server[].spell</code></strong>: sequence of data with wild cards (*)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-interval <strong>wscale.~range</strong>: check if TCP window scale is in given range { 0:65535 }\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_counts">Counts</h3>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>active.direct_injects</strong>: total crafted packets directly injected (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>active.failed_direct_injects</strong>: total crafted packet direct injects that failed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>active.failed_injects</strong>: total crafted packet encode + injects that failed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>active.holds_allowed</strong>: total number of packet hold requests allowed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>active.holds_canceled</strong>: total number of packet hold requests canceled (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>active.holds_denied</strong>: total number of packet hold requests denied (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>active.injects</strong>: total crafted packets encoded and injected (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.appid_unknown</strong>: count of sessions where appid could not be determined (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.ignored_packets</strong>: count of packets ignored (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.packets</strong>: count of packets received (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.processed_packets</strong>: count of packets processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.service_cache_adds</strong>: number of times an entry was added to the service cache (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.service_cache_prunes</strong>: number of times the service cache was pruned (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.service_cache_removes</strong>: number of times an item was removed from the service cache (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.total_sessions</strong>: count of sessions created (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>arp_spoof.packets</strong>: total packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>back_orifice.packets</strong>: total packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>binder.allows</strong>: allow bindings (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>binder.blocks</strong>: block bindings (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>binder.inspects</strong>: inspect bindings (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>binder.packets</strong>: initial bindings (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>binder.resets</strong>: reset bindings (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>cip.concurrent_sessions</strong>: total concurrent SIP sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>cip.max_concurrent_sessions</strong>: maximum concurrent SIP sessions (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>cip.packets</strong>: total packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>cip.session</strong>: total sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ciscometadata.invalid_hdr_len</strong>: total invalid Cisco Metadata header lengths (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ciscometadata.invalid_hdr_ver</strong>: total invalid Cisco Metadata header versions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ciscometadata.invalid_opt_len</strong>: total invalid Cisco Metadata option lengths (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ciscometadata.invalid_opt_type</strong>: total invalid Cisco Metadata option types (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ciscometadata.invalid_sgt</strong>: total invalid Cisco Metadata security group tags (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ciscometadata.truncated_hdr</strong>: total truncated Cisco Metadata headers (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.allow</strong>: total allow verdicts (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.analyzed</strong>: total packets analyzed from DAQ (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.blacklist</strong>: total blacklist verdicts (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.block</strong>: total block verdicts (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.dropped</strong>: packets dropped (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.eof_messages</strong>: end of flow messages received from DAQ (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.expected_flows</strong>: expected flows created in DAQ (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.filtered</strong>: packets filtered out (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.idle</strong>: attempts to acquire from DAQ without available packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.ignore</strong>: total ignore verdicts (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.injected</strong>: active responses or replacements (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.internal_blacklist</strong>: packets blacklisted internally due to lack of DAQ support (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.internal_whitelist</strong>: packets whitelisted internally due to lack of DAQ support (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.other_messages</strong>: messages received from DAQ with unrecognized message type (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.outstanding</strong>: packets unprocessed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.pcaps</strong>: total files and interfaces processed (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.received</strong>: total packets received from DAQ (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.replace</strong>: total replace verdicts (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.retries_discarded</strong>: messages discarded when purging the retry queue (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.retries_dropped</strong>: messages dropped when overrunning the retry queue (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.retries_processed</strong>: messages processed from the retry queue (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.retries_queued</strong>: messages queued for retry (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.retry</strong>: total retry verdicts (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.rx_bytes</strong>: total bytes received (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.skipped</strong>: packets skipped at startup (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.sof_messages</strong>: start of flow messages received from DAQ (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq.whitelist</strong>: total whitelist verdicts (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>data_log.packets</strong>: total packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_http_proxy.http_proxy_session_failures</strong>: failed http proxy sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_http_proxy.http_proxy_sessions</strong>: successful http proxy sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_http_server.http_server_session_failures</strong>: failed http server sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_http_server.http_server_sessions</strong>: successful http server sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.alter_context_responses</strong>: total connection-oriented alter context responses (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.alter_contexts</strong>: total connection-oriented alter contexts (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.auth3s</strong>: total connection-oriented auth3s (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.bind_acks</strong>: total connection-oriented binds acks (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.bind_naks</strong>: total connection-oriented bind naks (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.binds</strong>: total connection-oriented binds (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.cancels</strong>: total connection-oriented cancels (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.client_frags_reassembled</strong>: total connection-oriented client fragments reassembled (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.client_max_fragment_size</strong>: connection-oriented client maximum fragment size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.client_min_fragment_size</strong>: connection-oriented client minimum fragment size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.client_segs_reassembled</strong>: total connection-oriented client segments reassembled (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.concurrent_sessions</strong>: total concurrent sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.events</strong>: total events (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.faults</strong>: total connection-oriented faults (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.files_processed</strong>: total smb files processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.ignored_bytes</strong>: total ignored bytes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.max_concurrent_sessions</strong>: maximum concurrent sessions (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.max_outstanding_requests</strong>: total smb maximum outstanding requests (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.ms_rpc_http_pdus</strong>: total connection-oriented MS requests to send RPC over HTTP (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.orphaned</strong>: total connection-oriented orphaned (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.other_requests</strong>: total connection-oriented other requests (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.other_responses</strong>: total connection-oriented other responses (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.packets</strong>: total smb packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.pdus</strong>: total connection-oriented PDUs (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.rejects</strong>: total connection-oriented rejects (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.request_fragments</strong>: total connection-oriented request fragments (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.requests</strong>: total connection-oriented requests (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.response_fragments</strong>: total connection-oriented response fragments (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.responses</strong>: total connection-oriented responses (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.server_frags_reassembled</strong>: total connection-oriented server fragments reassembled (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.server_max_fragment_size</strong>: connection-oriented server maximum fragment size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.server_min_fragment_size</strong>: connection-oriented server minimum fragment size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.server_segs_reassembled</strong>: total connection-oriented server segments reassembled (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.sessions</strong>: total smb sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.shutdowns</strong>: total connection-oriented shutdowns (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.smb_client_segs_reassembled</strong>: total smb client segments reassembled (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.smb_server_segs_reassembled</strong>: total smb server segments reassembled (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_bad_next_cmd_offset</strong>: total number of SMBv2 packets seen with invalid next command offset (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_cls_err_resp</strong>: total number of SMBv2 close error response packets seen (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_cls_ignored</strong>: total number of SMBv2 close packets ignored due to missing trackers or invalid share type (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_cls_inv_str_sz</strong>: total number of SMBv2 close packets seen with invalid structure size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_cls_req_ftrkr_misng</strong>: total number of SMBv2 close request packets ignored due to missing file tracker (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_cls_req_hdr_err</strong>: total number of SMBv2 close request packets ignored due to corrupted header (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_cls</strong>: total number of SMBv2 close packets seen (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_cmpnd_req_lt_crossed</strong>: total number of SMBv2 packets seen where compound requests exceed the smb_max_compound limit (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_crt_err_resp</strong>: total number of SMBv2 create error response packets seen (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_crt_inv_file_data</strong>: total number of SMBv2 create request packets ignored due to error in getting file name (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_crt_inv_str_sz</strong>: total number of SMBv2 create packets seen with invalid structure size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_crt_req_hdr_err</strong>: total number of SMBv2 create request packets ignored due to corrupted header (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_crt_req_ipc</strong>: total number of SMBv2 create request packets ignored as share type is IPC (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_crt_resp_hdr_err</strong>: total number of SMBv2 create response packets ignored due to corrupted header (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_crt_rtrkr_misng</strong>: total number of SMBv2 create response packets ignored due to missing create request tracker (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_crt</strong>: total number of SMBv2 create packets seen (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_crt_tree_trkr_misng</strong>: total number of SMBv2 create response packets ignored due to missing tree tracker (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_extra_file_data_err</strong>: total number of SMBv2 packets seen with where file data beyond file size is observed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_hdr_err</strong>: total number of SMBv2 packets seen with corrupted hdr (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_inv_file_ctx_err</strong>: total number of times null file context are seen resulting in not being able to set file size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_logoff_inv_str_sz</strong>: total number of SMBv2 logoff packets seen with invalid structure size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_logoff</strong>: total number of SMBv2 logoff (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_msgs_uninspected</strong>: total number of SMBv2 packets seen where command is not being inspected (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_read_err_resp</strong>: total number of SMBv2 read error response packets seen (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_read_ignored</strong>: total number of SMBv2 write packets ignored due to missing trackers or invalid share type (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_read_inv_str_sz</strong>: total number of SMBv2 read packets seen with invalid structure size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_read_req_hdr_err</strong>: total number of SMBv2 read request packets ignored due to corrupted header (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_read_resp_hdr_err</strong>: total number of SMBv2 read response packets ignored due to corrupted header (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_read_rtrkr_misng</strong>: total number of SMBv2 read response packets ignored due to missing read request tracker (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_read</strong>: total number of SMBv2 read packets seen (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_setup_err_resp</strong>: total number of SMBv2 setup error response packets seen (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_setup_inv_str_sz</strong>: total number of SMBv2 setup packets seen with invalid structure size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_setup_resp_hdr_err</strong>: total number of SMBv2 setup response packets ignored due to corrupted header (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_setup</strong>: total number of SMBv2 setup packets seen (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_stinf_err_resp</strong>: total number of SMBv2 set info error response packets seen (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_stinf_ignored</strong>: total number of SMBv2 set info packets ignored due to missing trackers or invalid share type (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_stinf_inv_str_sz</strong>: total number of SMBv2 set info packets seen with invalid structure size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_stinf_req_ftrkr_misng</strong>: total number of SMBv2 set info request packets ignored due to missing file tracker (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_stinf_req_hdr_err</strong>: total number of SMBv2 set info request packets ignored due to corrupted header (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_stinf</strong>: total number of SMBv2 set info packets seen (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_tree_cnct_err_resp</strong>: total number of SMBv2 tree connect error response packets seen (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_tree_cnct_ignored</strong>: total number of SMBv2 setup response packets ignored due to failure in creating tree tracker (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_tree_cnct_inv_str_sz</strong>: total number of SMBv2 tree connect packets seen with invalid structure size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_tree_cnct_resp_hdr_err</strong>: total number of SMBv2 tree connect response packets ignored due to corrupted header (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_tree_cnct</strong>: total number of SMBv2 tree connect packets seen (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_tree_discn_ignored</strong>: total number of SMBv2 tree disconnect packets ignored due to missing trackers or invalid share type (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_tree_discn_inv_str_sz</strong>: total number of SMBv2 tree disconnect packets seen with invalid structure size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_tree_discn_req_hdr_err</strong>: total number of SMBv2 tree disconnect request packets ignored due to corrupted header (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_tree_discn</strong>: total number of SMBv2 tree disconnect packets seen (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_wrt_err_resp</strong>: total number of SMBv2 write error response packets seen (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_wrt_ignored</strong>: total number of SMBv2 write packets ignored due to missing trackers or invalid share type (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_wrt_inv_str_sz</strong>: total number of SMBv2 write packets seen with invalid structure size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_wrt_req_hdr_err</strong>: total number of SMBv2 write request packets ignored due to corrupted header (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.v2_wrt</strong>: total number of SMBv2 write packets seen (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.alter_context_responses</strong>: total connection-oriented alter context responses (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.alter_contexts</strong>: total connection-oriented alter contexts (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.auth3s</strong>: total connection-oriented auth3s (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.bind_acks</strong>: total connection-oriented binds acks (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.bind_naks</strong>: total connection-oriented bind naks (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.binds</strong>: total connection-oriented binds (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.cancels</strong>: total connection-oriented cancels (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.client_frags_reassembled</strong>: total connection-oriented client fragments reassembled (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.client_max_fragment_size</strong>: connection-oriented client maximum fragment size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.client_min_fragment_size</strong>: connection-oriented client minimum fragment size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.client_segs_reassembled</strong>: total connection-oriented client segments reassembled (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.concurrent_sessions</strong>: total concurrent sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.events</strong>: total events (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.faults</strong>: total connection-oriented faults (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.max_concurrent_sessions</strong>: maximum concurrent sessions (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.ms_rpc_http_pdus</strong>: total connection-oriented MS requests to send RPC over HTTP (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.orphaned</strong>: total connection-oriented orphaned (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.other_requests</strong>: total connection-oriented other requests (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.other_responses</strong>: total connection-oriented other responses (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.pdus</strong>: total connection-oriented PDUs (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.rejects</strong>: total connection-oriented rejects (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.request_fragments</strong>: total connection-oriented request fragments (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.requests</strong>: total connection-oriented requests (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.response_fragments</strong>: total connection-oriented response fragments (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.responses</strong>: total connection-oriented responses (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.server_frags_reassembled</strong>: total connection-oriented server fragments reassembled (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.server_max_fragment_size</strong>: connection-oriented server maximum fragment size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.server_min_fragment_size</strong>: connection-oriented server minimum fragment size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.server_segs_reassembled</strong>: total connection-oriented server segments reassembled (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.shutdowns</strong>: total connection-oriented shutdowns (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.tcp_expected_realized</strong>: total tcp dynamic endpoint expected realized sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.tcp_expected_sessions</strong>: total tcp dynamic endpoint expected sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.tcp_packets</strong>: total tcp packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.tcp_sessions</strong>: total tcp sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.acks</strong>: total connection-less acks (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.cancel_acks</strong>: total connection-less cancel acks (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.cancels</strong>: total connection-less cancels (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.client_facks</strong>: total connection-less client facks (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.concurrent_sessions</strong>: total concurrent sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.events</strong>: total events (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.faults</strong>: total connection-less faults (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.fragments</strong>: total connection-less fragments (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.frags_reassembled</strong>: total connection-less fragments reassembled (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.max_concurrent_sessions</strong>: maximum concurrent sessions (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.max_fragment_size</strong>: connection-less maximum fragment size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.max_seqnum</strong>: max connection-less seqnum (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.no_calls</strong>: total connection-less no calls (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.other_requests</strong>: total connection-less other requests (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.other_responses</strong>: total connection-less other responses (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.ping</strong>: total connection-less ping (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.rejects</strong>: total connection-less rejects (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.requests</strong>: total connection-less requests (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.responses</strong>: total connection-less responses (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.server_facks</strong>: total connection-less server facks (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.udp_packets</strong>: total udp packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.udp_sessions</strong>: total udp sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp.working</strong>: total connection-less working (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.alert_limit</strong>: events previously triggered on same PDU (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.alerts</strong>: alerts not including IP reputation (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.alt_searches</strong>: alt fast pattern searches in packet data (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.analyzed</strong>: total packets processed (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.body_searches</strong>: fast pattern searches in body buffer (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.context_stalls</strong>: times processing stalled to wait for an available context (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.cooked_searches</strong>: fast pattern searches in cooked packet data (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.cookie_searches</strong>: fast pattern searches in cookie buffer (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.event_limit</strong>: events filtered (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.file_searches</strong>: fast pattern searches in file buffer (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.hard_evals</strong>: non-fast pattern rule evaluations (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.header_searches</strong>: fast pattern searches in header buffer (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.key_searches</strong>: fast pattern searches in key buffer (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.logged</strong>: logged packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.log_limit</strong>: events queued but not logged (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.match_limit</strong>: fast pattern matches not processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.method_searches</strong>: fast pattern searches in method buffer (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.offload_busy</strong>: times offload was not available (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.offload_failures</strong>: fast pattern offload search failures (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.offload_fallback</strong>: fast pattern offload search fallback attempts (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.offloads</strong>: fast pattern searches that were offloaded (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.offload_suspends</strong>: fast pattern search suspends due to offload context chains (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.onload_waits</strong>: times processing waited for onload to complete (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.passed</strong>: passed packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.pcre_error</strong>: total number of times pcre returns error (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.pcre_match_limit</strong>: total number of times pcre hit the match limit (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.pcre_recursion_limit</strong>: total number of times pcre hit the recursion limit (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.pkt_searches</strong>: fast pattern searches in packet data (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.queue_limit</strong>: events not queued because queue full (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.raw_header_searches</strong>: fast pattern searches in raw header buffer (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.raw_key_searches</strong>: fast pattern searches in raw key buffer (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.raw_searches</strong>: fast pattern searches in raw packet data (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.stat_code_searches</strong>: fast pattern searches in status code buffer (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.stat_msg_searches</strong>: fast pattern searches in status message buffer (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection.total_alerts</strong>: alerts including IP reputation (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dnp3.concurrent_sessions</strong>: total concurrent dnp3 sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dnp3.dnp3_application_pdus</strong>: total dnp3 application pdus (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dnp3.dnp3_link_layer_frames</strong>: total dnp3 link layer frames (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dnp3.max_concurrent_sessions</strong>: maximum concurrent dnp3 sessions (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dnp3.tcp_pdus</strong>: total tcp pdus (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dnp3.total_packets</strong>: total packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dnp3.udp_packets</strong>: total udp packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dns.concurrent_sessions</strong>: total concurrent dns sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dns.max_concurrent_sessions</strong>: maximum concurrent dns sessions (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dns.packets</strong>: total packets processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dns.requests</strong>: total dns requests (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dns.responses</strong>: total dns responses (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>domain_filter.checked</strong>: domains checked (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>domain_filter.filtered</strong>: domains filtered (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dpx.packets</strong>: total packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>event_filter.no_memory_global</strong>: number of times event filter ran out of global memory (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>event_filter.no_memory_local</strong>: number of times event filter ran out of local memory (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>file_connector.messages</strong>: total messages (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>file_id.cache_failures</strong>: number of file cache add failures (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>file_id.files_not_processed</strong>: number of files not processed due to per-flow limit (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>file_id.max_concurrent_files</strong>: maximum files processed concurrently on a flow (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>file_id.total_file_data</strong>: number of file data bytes processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>file_id.total_files</strong>: number of files processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>file_log.total_events</strong>: total file events (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ftp_data.packets</strong>: total packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ftp_server.concurrent_sessions</strong>: total concurrent FTP sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ftp_server.max_concurrent_sessions</strong>: maximum concurrent FTP sessions (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ftp_server.total_bytes</strong>: total number of bytes processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ftp_server.total_packets</strong>: total packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>gtp_inspect.concurrent_sessions</strong>: total concurrent gtp sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>gtp_inspect.events</strong>: requests (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>gtp_inspect.max_concurrent_sessions</strong>: maximum concurrent gtp sessions (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>gtp_inspect.sessions</strong>: total sessions processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>gtp_inspect.unknown_infos</strong>: unknown information elements (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>gtp_inspect.unknown_types</strong>: unknown message types (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>high_availability.client_consume_errors</strong>: client data consume failure count (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>high_availability.daq_imports</strong>: states imported via daq (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>high_availability.daq_stores</strong>: states stored via daq (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>high_availability.delete_msgs_consumed</strong>: deletion messages consumed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>high_availability.msg_length_mismatch</strong>: messages received with an inconsistent total length (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>high_availability.msgs_recv</strong>: total messages received (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>high_availability.msg_version_mismatch</strong>: messages received with a version mismatch (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>high_availability.truncated_msgs</strong>: truncated messages received (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>high_availability.unknown_client_idx</strong>: messages received with an unknown client index (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>high_availability.unknown_key_type</strong>: messages received with an unknown flow key type (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>high_availability.update_msgs_consumed</strong>: update messages fully consumed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>high_availability.update_msgs_recv_no_flow</strong>: update messages received without a local flow (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>high_availability.update_msgs_recv</strong>: update messages received (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>host_cache.adds</strong>: lru cache added new entry (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>host_cache.alloc_prunes</strong>: lru cache pruned entry to make space for new entry (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>host_cache.find_hits</strong>: lru cache found entry in cache (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>host_cache.find_misses</strong>: lru cache did not find entry in cache (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>host_cache.reload_prunes</strong>: lru cache pruned entry for lower memcap during reload (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>host_cache.removes</strong>: lru cache found entry and removed it (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>host_cache.replaced</strong>: lru cache found entry and replaced it (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>host_tracker.service_adds</strong>: host service adds (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>host_tracker.service_finds</strong>: host service finds (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http2_inspect.concurrent_sessions</strong>: total concurrent HTTP/2 sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http2_inspect.flows</strong>: HTTP/2 connections inspected (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http2_inspect.max_concurrent_files</strong>: maximum concurrent file transfers per HTTP/2 connection (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http2_inspect.max_concurrent_sessions</strong>: maximum concurrent HTTP/2 sessions (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http2_inspect.max_table_entries</strong>: maximum entries in an HTTP/2 dynamic table (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.chunked</strong>: chunked message bodies (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.concurrent_sessions</strong>: total concurrent http sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.connect_requests</strong>: CONNECT requests inspected (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.connect_tunnel_cutovers</strong>: CONNECT tunnel flow cutovers to wizard (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.delete_requests</strong>: DELETE requests inspected (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.detains_requested</strong>: packet hold requests for detained inspection (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.excess_parameters</strong>: repeat parameters exceeding max (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.flows</strong>: HTTP connections inspected (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.get_requests</strong>: GET requests inspected (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.head_requests</strong>: HEAD requests inspected (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.inspections</strong>: total message sections inspected (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.max_concurrent_sessions</strong>: maximum concurrent http sessions (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.options_requests</strong>: OPTIONS requests inspected (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.other_requests</strong>: other request methods inspected (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.parameters</strong>: HTTP parameters inspected (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.partial_inspections</strong>: pre-inspections for detained inspection (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.post_requests</strong>: POST requests inspected (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.put_requests</strong>: PUT requests inspected (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.reassembles</strong>: TCP segments combined into HTTP messages (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.request_bodies</strong>: POST, PUT, and other requests with message bodies (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.requests</strong>: HTTP request messages inspected (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.responses</strong>: HTTP response messages inspected (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.scans</strong>: TCP segments scanned looking for HTTP messages (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.trace_requests</strong>: TRACE requests inspected (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.uri_coding</strong>: URIs with character coding problems (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.uri_normalizations</strong>: URIs needing to be normalization (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect.uri_path</strong>: URIs with path problems (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>icmp4.bad_checksum</strong>: non-zero icmp checksums (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>icmp4.checksum_bypassed</strong>: checksum calculations bypassed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>icmp6.bad_icmp6_checksum</strong>: nonzero icmp6 checksums (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>icmp6.checksum_bypassed</strong>: checksum calculations bypassed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>imap.b64_attachments</strong>: total base64 attachments decoded (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>imap.b64_decoded_bytes</strong>: total base64 decoded bytes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>imap.concurrent_sessions</strong>: total concurrent imap sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>imap.max_concurrent_sessions</strong>: maximum concurrent imap sessions (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>imap.non_encoded_attachments</strong>: total non-encoded attachments extracted (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>imap.non_encoded_bytes</strong>: total non-encoded extracted bytes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>imap.packets</strong>: total packets processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>imap.qp_attachments</strong>: total quoted-printable attachments decoded (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>imap.qp_decoded_bytes</strong>: total quoted-printable decoded bytes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>imap.sessions</strong>: total imap sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>imap.uu_attachments</strong>: total uu attachments decoded (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>imap.uu_decoded_bytes</strong>: total uu decoded bytes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ipv4.bad_checksum</strong>: nonzero ip checksums (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ipv4.checksum_bypassed</strong>: checksum calculations bypassed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>latency.max_usecs</strong>: maximum usecs elapsed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>latency.packet_timeouts</strong>: packets that timed out (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>latency.rule_eval_timeouts</strong>: rule evals that timed out (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>latency.rule_tree_enables</strong>: rule tree re-enables (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>latency.total_packets</strong>: total packets monitored (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>latency.total_rule_evals</strong>: total rule evals monitored (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>latency.total_usecs</strong>: total usecs elapsed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>memory.allocated</strong>: total amount of memory allocated (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>memory.allocations</strong>: total number of allocations (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>memory.deallocated</strong>: total amount of memory allocated (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>memory.deallocations</strong>: total number of deallocations (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>memory.max_in_use</strong>: highest allocated - deallocated (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>memory.reap_attempts</strong>: attempts to reclaim memory (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>memory.reap_failures</strong>: failures to reclaim memory (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>memory.total_fudge</strong>: sum of all adjustments (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>mem_test.packets</strong>: total packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>modbus.concurrent_sessions</strong>: total concurrent modbus sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>modbus.frames</strong>: total Modbus messages (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>modbus.max_concurrent_sessions</strong>: maximum concurrent modbus sessions (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>modbus.sessions</strong>: total sessions processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>mpls.total_bytes</strong>: total mpls labeled bytes processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>mpls.total_packets</strong>: total mpls labeled packets processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.icmp4_echo</strong>: icmp4 ping normalizations (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.icmp6_echo</strong>: icmp6 echo normalizations (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.ip4_df</strong>: don’t frag bit normalizations (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.ip4_opts</strong>: ip4 options cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.ip4_rf</strong>: reserved flag bit clears (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.ip4_tos</strong>: type of service normalizations (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.ip4_trim</strong>: eth packets trimmed to datagram size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.ip4_ttl</strong>: time-to-live normalizations (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.ip6_hops</strong>: ip6 hop limit normalizations (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.ip6_options</strong>: ip6 options cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.tcp_block</strong>: blocked segments (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.tcp_ecn_pkt</strong>: packets with ECN bits cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.tcp_ecn_session</strong>: ECN bits cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.tcp_ips_data</strong>: normalized segments (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.tcp_nonce</strong>: packets with nonce bit cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.tcp_options</strong>: packets with options cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.tcp_padding</strong>: packets with padding cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.tcp_req_pay</strong>: cleared urgent pointer and urgent flag when there is no payload (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.tcp_req_urg</strong>: cleared urgent pointer when urgent flag is not set (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.tcp_req_urp</strong>: cleared the urgent flag if the urgent pointer is not set (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.tcp_reserved</strong>: packets with reserved bits cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.tcp_syn_options</strong>: SYN only options cleared from non-SYN packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.tcp_trim_mss</strong>: data trimmed to MSS (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.tcp_trim_rst</strong>: RST packets with data trimmed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.tcp_trim_syn</strong>: tcp segments trimmed on SYN (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.tcp_trim_win</strong>: data trimmed to window (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.tcp_ts_ecr</strong>: timestamp cleared on non-ACKs (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.tcp_ts_nop</strong>: timestamp options cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.tcp_urgent_ptr</strong>: packets without data with urgent pointer cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_icmp4_echo</strong>: test icmp4 ping normalizations (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_icmp6_echo</strong>: test icmp6 echo normalizations (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_ip4_df</strong>: test don’t frag bit normalizations (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_ip4_opts</strong>: test ip4 options cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_ip4_rf</strong>: test reserved flag bit clears (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_ip4_tos</strong>: test type of service normalizations (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_ip4_trim</strong>: test eth packets trimmed to datagram size (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_ip4_ttl</strong>: test time-to-live normalizations (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_ip6_hops</strong>: test ip6 hop limit normalizations (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_ip6_options</strong>: test ip6 options cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_tcp_block</strong>: test blocked segments (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_tcp_ecn_pkt</strong>: test packets with ECN bits cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_tcp_ecn_session</strong>: test ECN bits cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_tcp_ips_data</strong>: test normalized segments (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_tcp_nonce</strong>: test packets with nonce bit cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_tcp_options</strong>: test packets with options cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_tcp_padding</strong>: test packets with padding cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_tcp_req_pay</strong>: test cleared urgent pointer and urgent flag when there is no payload (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_tcp_req_urg</strong>: test cleared urgent pointer when urgent flag is not set (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_tcp_req_urp</strong>: test cleared the urgent flag if the urgent pointer is not set (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_tcp_reserved</strong>: test packets with reserved bits cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_tcp_syn_options</strong>: test SYN only options cleared from non-SYN packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_tcp_trim_mss</strong>: test data trimmed to MSS (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_tcp_trim_rst</strong>: test RST packets with data trimmed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_tcp_trim_syn</strong>: test tcp segments trimmed on SYN (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_tcp_trim_win</strong>: test data trimmed to window (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_tcp_ts_ecr</strong>: test timestamp cleared on non-ACKs (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_tcp_ts_nop</strong>: test timestamp options cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer.test_tcp_urgent_ptr</strong>: test packets without data with urgent pointer cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>packet_capture.captured</strong>: packets matching dumped after matching filter (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>packet_capture.processed</strong>: packets processed against filter (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>payload_injector.http_injects</strong>: total number of http injections (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pcre.pcre_native</strong>: total pcre rules compiled by pcre engine (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pcre.pcre_negated</strong>: total pcre rules using negation syntax (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pcre.pcre_rules</strong>: total rules processed with pcre option (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pcre.pcre_to_hyper</strong>: total pcre rules by hyperscan engine (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>perf_monitor.flow_tracker_creates</strong>: total number of flow trackers created (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>perf_monitor.flow_tracker_prunes</strong>: flow trackers pruned for reuse by new flows (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>perf_monitor.flow_tracker_reload_deletes</strong>: flow trackers deleted due to memcap change on config reload (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>perf_monitor.flow_tracker_total_deletes</strong>: flow trackers deleted to stay below memcap limit (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>perf_monitor.packets</strong>: total packets processed by performance monitor (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pop.b64_attachments</strong>: total base64 attachments decoded (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pop.b64_decoded_bytes</strong>: total base64 decoded bytes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pop.concurrent_sessions</strong>: total concurrent pop sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pop.max_concurrent_sessions</strong>: maximum concurrent pop sessions (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pop.non_encoded_attachments</strong>: total non-encoded attachments extracted (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pop.non_encoded_bytes</strong>: total non-encoded extracted bytes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pop.packets</strong>: total packets processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pop.qp_attachments</strong>: total quoted-printable attachments decoded (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pop.qp_decoded_bytes</strong>: total quoted-printable decoded bytes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pop.sessions</strong>: total pop sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pop.total_bytes</strong>: total number of bytes processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pop.uu_attachments</strong>: total uu attachments decoded (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pop.uu_decoded_bytes</strong>: total uu decoded bytes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>port_scan.alloc_prunes</strong>: number of trackers pruned on allocation of new tracking (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>port_scan.packets</strong>: number of packets processed by port scan (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>port_scan.reload_prunes</strong>: number of trackers pruned on reload due to reduced memcap (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>port_scan.trackers</strong>: number of trackers allocated by port scan (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>rate_filter.no_memory</strong>: number of times rate filter ran out of memory (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>reputation.blacklisted</strong>: number of packets blacklisted (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>reputation.memory_allocated</strong>: total memory allocated (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>reputation.monitored</strong>: number of packets monitored (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>reputation.packets</strong>: total packets processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>reputation.whitelisted</strong>: number of packets whitelisted (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>rna.change_host_update</strong>: count number of change host update events (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>rna.icmp_bidirectional</strong>: count of bidirectional ICMP flows received (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>rna.icmp_new</strong>: count of new ICMP flows received (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>rna.ip_bidirectional</strong>: count of bidirectional IP received (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>rna.ip_new</strong>: count of new IP flows received (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>rna.other_packets</strong>: count of packets received without session tracking (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>rna.tcp_midstream</strong>: count of TCP midstream packets received (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>rna.tcp_syn_ack</strong>: count of TCP SYN-ACK packets received (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>rna.tcp_syn</strong>: count of TCP SYN packets received (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>rna.udp_bidirectional</strong>: count of bidirectional UDP flows received (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>rna.udp_new</strong>: count of new UDP flows received (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>rpc_decode.concurrent_sessions</strong>: total concurrent rpc sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>rpc_decode.max_concurrent_sessions</strong>: maximum concurrent rpc sessions (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>rpc_decode.total_packets</strong>: total packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>s7commplus.concurrent_sessions</strong>: total concurrent s7commplus sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>s7commplus.frames</strong>: total S7commplus messages (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>s7commplus.max_concurrent_sessions</strong>: maximum concurrent s7commplus sessions (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>s7commplus.sessions</strong>: total sessions processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sd_pattern.below_threshold</strong>: sd_pattern matched but missed threshold (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sd_pattern.pattern_not_found</strong>: sd_pattern did not not match (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sd_pattern.terminated</strong>: hyperscan terminated (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>search_engine.max_queued</strong>: maximum fast pattern matches queued for further evaluation (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>search_engine.non_qualified_events</strong>: total non-qualified events (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>search_engine.qualified_events</strong>: total qualified events (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>search_engine.searched_bytes</strong>: total bytes searched (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>search_engine.total_flushed</strong>: total fast pattern matches processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>search_engine.total_inserts</strong>: total fast pattern hits (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>search_engine.total_overruns</strong>: fast pattern matches discarded due to overflow (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>search_engine.total_unique</strong>: total unique fast pattern hits (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>side_channel.packets</strong>: total packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.ack</strong>: ack (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.bye</strong>: bye (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.cancel</strong>: cancel (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.code_1xx</strong>: 1xx (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.code_2xx</strong>: 2xx (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.code_3xx</strong>: 3xx (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.code_4xx</strong>: 4xx (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.code_5xx</strong>: 5xx (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.code_6xx</strong>: 6xx (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.code_7xx</strong>: 7xx (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.code_8xx</strong>: 8xx (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.code_9xx</strong>: 9xx (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.concurrent_sessions</strong>: total concurrent SIP sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.dialogs</strong>: total dialogs (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.events</strong>: events generated (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.ignored_channels</strong>: total channels ignored (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.ignored_sessions</strong>: total sessions ignored (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.info</strong>: info (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.invite</strong>: invite (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.join</strong>: join (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.max_concurrent_sessions</strong>: maximum concurrent SIP sessions (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.message</strong>: message (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.notify</strong>: notify (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.options</strong>: options (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.packets</strong>: total packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.prack</strong>: prack (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.refer</strong>: refer (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.register</strong>: register (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.sessions</strong>: total sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.subscribe</strong>: subscribe (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.total_requests</strong>: total requests (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.total_responses</strong>: total responses (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip.update</strong>: update (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>smtp.b64_attachments</strong>: total base64 attachments decoded (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>smtp.b64_decoded_bytes</strong>: total base64 decoded bytes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>smtp.concurrent_sessions</strong>: total concurrent smtp sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>smtp.max_concurrent_sessions</strong>: maximum concurrent smtp sessions (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>smtp.non_encoded_attachments</strong>: total non-encoded attachments extracted (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>smtp.non_encoded_bytes</strong>: total non-encoded extracted bytes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>smtp.packets</strong>: total packets processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>smtp.qp_attachments</strong>: total quoted-printable attachments decoded (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>smtp.qp_decoded_bytes</strong>: total quoted-printable decoded bytes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>smtp.sessions</strong>: total smtp sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>smtp.total_bytes</strong>: total number of bytes processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>smtp.uu_attachments</strong>: total uu attachments decoded (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>smtp.uu_decoded_bytes</strong>: total uu decoded bytes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.attribute_table_hosts</strong>: number of hosts added to the attribute table (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.attribute_table_overflow</strong>: number of host additions that failed due to attribute table full (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.attribute_table_reloads</strong>: number of times hosts attribute table was reloaded (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.conf_reloads</strong>: number of times configuration was reloaded (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.daq_reloads</strong>: number of times daq configuration was reloaded (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.inspector_deletions</strong>: number of times inspectors were deleted (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.local_commands</strong>: total local commands processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.policy_reloads</strong>: number of times policies were reloaded (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.remote_commands</strong>: total remote commands processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.signals</strong>: total signals processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssh.concurrent_sessions</strong>: total concurrent ssh sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssh.max_concurrent_sessions</strong>: maximum concurrent ssh sessions (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssh.packets</strong>: total packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssh.total_bytes</strong>: total number of bytes processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.alert</strong>: total ssl alert records (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.bad_handshakes</strong>: total bad handshakes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.certificate</strong>: total ssl certificates (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.change_cipher</strong>: total change cipher records (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.client_application</strong>: total client application records (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.client_hello</strong>: total client hellos (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.client_key_exchange</strong>: total client key exchanges (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.concurrent_sessions</strong>: total concurrent ssl sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.decoded</strong>: ssl packets decoded (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.detection_disabled</strong>: total detection disabled (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.finished</strong>: total handshakes finished (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.handshakes_completed</strong>: total completed ssl handshakes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.max_concurrent_sessions</strong>: maximum concurrent ssl sessions (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.packets</strong>: total packets processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.server_application</strong>: total server application records (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.server_done</strong>: total server done (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.server_hello</strong>: total server hellos (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.server_key_exchange</strong>: total server key exchanges (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.sessions_ignored</strong>: total sessions ignore (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl.unrecognized_records</strong>: total unrecognized records (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.excess_prunes</strong>: sessions pruned due to excess (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.expected_flows</strong>: total expected flows created within snort (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.expected_overflows</strong>: number of expected cache overflows (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.expected_pruned</strong>: number of expected flows pruned (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.expected_realized</strong>: number of expected flows realized (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.flows</strong>: total sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.ha_prunes</strong>: sessions pruned by high availability sync (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_icmp.created</strong>: icmp session trackers created (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_icmp.max</strong>: max icmp sessions (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_icmp.prunes</strong>: icmp session prunes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_icmp.released</strong>: icmp session trackers released (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_icmp.sessions</strong>: total icmp sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_icmp.timeouts</strong>: icmp session timeouts (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.idle_prunes</strong>: sessions pruned due to timeout (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.alerts</strong>: alerts generated (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.anomalies</strong>: anomalies detected (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.created</strong>: ip session trackers created (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.current_frags</strong>: current fragments (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.discards</strong>: fragments discarded (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.drops</strong>: fragments dropped (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.fragmented_bytes</strong>: total fragmented bytes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.frag_timeouts</strong>: datagrams abandoned (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.max_frags</strong>: max fragments (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.max</strong>: max ip sessions (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.nodes_deleted</strong>: fragments deleted from tracker (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.nodes_inserted</strong>: fragments added to tracker (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.overlaps</strong>: overlapping fragments (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.prunes</strong>: ip session prunes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.reassembled_bytes</strong>: total reassembled bytes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.reassembled</strong>: reassembled datagrams (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.released</strong>: ip session trackers released (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.sessions</strong>: total ip sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.timeouts</strong>: ip session timeouts (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.total_bytes</strong>: total number of bytes processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.total_frags</strong>: total fragments (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.trackers_added</strong>: datagram trackers created (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.trackers_cleared</strong>: datagram trackers cleared (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.trackers_completed</strong>: datagram trackers completed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip.trackers_freed</strong>: datagram trackers released (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.memcap_prunes</strong>: sessions pruned due to memcap (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.preemptive_prunes</strong>: sessions pruned during preemptive pruning (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.reload_allowed_deletes</strong>: number of allowed flows deleted by config reloads (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.reload_blocked_deletes</strong>: number of blocked flows deleted by config reloads (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.reload_freelist_deletes</strong>: number of flows deleted from the free list by config reloads (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.reload_offloaded_deletes</strong>: number of offloaded flows deleted by config reloads (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.reload_total_adds</strong>: number of flows added by config reloads (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.reload_total_deletes</strong>: number of flows deleted by config reloads (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.reload_tuning_idle</strong>: number of times stream resource tuner called while idle (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.reload_tuning_packets</strong>: number of times stream resource tuner called while processing packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.stale_prunes</strong>: sessions pruned due to stale connection (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.client_cleanups</strong>: number of times data from server was flushed when session released (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.closing</strong>: number of sessions currently closing (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.created</strong>: tcp session trackers created (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.cur_packets_held</strong>: number of packets currently held (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.data_trackers</strong>: tcp session tracking started on data (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.discards</strong>: tcp packets discarded (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.established</strong>: number of sessions currently established (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.events</strong>: events generated (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.exceeded_max_bytes</strong>: number of times the maximum queued byte limit was reached (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.exceeded_max_segs</strong>: number of times the maximum queued segment limit was reached (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.fins</strong>: number of fin packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.gaps</strong>: missing data between PDUs (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.held_packet_purges</strong>: number of held packets that were purged without flushing (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.held_packet_rexmits</strong>: number of retransmits of held packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.held_packets_dropped</strong>: number of held packets dropped (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.held_packets_passed</strong>: number of held packets passed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.held_packet_timeouts</strong>: number of held packets that timed out (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.ignored</strong>: tcp packets ignored (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.initializing</strong>: number of sessions currently initializing (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.inspector_fallbacks</strong>: count of fallbacks from assigned service inspector (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.instantiated</strong>: new sessions instantiated (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.internal_events</strong>: 135:X events generated (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.max</strong>: max tcp sessions (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.max_packets_held</strong>: maximum number of packets held simultaneously (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.memory</strong>: current memory in use (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.meta_acks</strong>: number of meta acks processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.overlaps</strong>: overlapping segments queued (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.packets_held</strong>: number of packets held (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.partial_fallbacks</strong>: count of fallbacks from assigned service stream splitter (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.partial_flush_bytes</strong>: partial flush total bytes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.partial_flushes</strong>: number of partial flushes initiated (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.prunes</strong>: tcp session prunes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.rebuilt_buffers</strong>: rebuilt PDU sections (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.rebuilt_bytes</strong>: total rebuilt bytes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.rebuilt_packets</strong>: total reassembled PDUs (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.released</strong>: tcp session trackers released (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.resets</strong>: number of reset packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.restarts</strong>: sessions restarted (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.resyns</strong>: SYN received on established session (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.segs_queued</strong>: total segments queued (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.segs_released</strong>: total segments released (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.segs_split</strong>: tcp segments split when reassembling PDUs (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.segs_used</strong>: queued tcp segments applied to reassembled PDUs (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.server_cleanups</strong>: number of times data from client was flushed when session released (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.sessions</strong>: total tcp sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.setups</strong>: session initializations (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.syn_acks</strong>: number of syn-ack packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.syn_ack_trackers</strong>: tcp session tracking started on syn-ack (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.syns</strong>: number of syn packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.syn_trackers</strong>: tcp session tracking started on syn (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.three_way_trackers</strong>: tcp session tracking started on ack (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.timeouts</strong>: tcp session timeouts (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp.untracked</strong>: tcp packets not tracked (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.total_prunes</strong>: total sessions pruned (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_udp.created</strong>: udp session trackers created (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_udp.ignored</strong>: udp packets ignored (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_udp.max</strong>: max udp sessions (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_udp.prunes</strong>: udp session prunes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_udp.released</strong>: udp session trackers released (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_udp.sessions</strong>: total udp sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_udp.timeouts</strong>: udp session timeouts (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_udp.total_bytes</strong>: total number of bytes processed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.uni_prunes</strong>: uni sessions pruned (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>tcp.bad_tcp4_checksum</strong>: nonzero tcp over ip checksums (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>tcp.bad_tcp6_checksum</strong>: nonzero tcp over ipv6 checksums (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>tcp.checksum_bypassed</strong>: checksum calculations bypassed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>tcp_connector.messages</strong>: total messages (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>telnet.concurrent_sessions</strong>: total concurrent Telnet sessions (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>telnet.max_concurrent_sessions</strong>: maximum concurrent Telnet sessions (max)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>telnet.total_packets</strong>: total packets (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>udp.bad_udp4_checksum</strong>: nonzero udp over ipv4 checksums (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>udp.bad_udp6_checksum</strong>: nonzero udp over ipv6 checksums (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>udp.checksum_bypassed</strong>: checksum calculations bypassed (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>wizard.tcp_hits</strong>: tcp identifications (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>wizard.tcp_scans</strong>: tcp payload scans (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>wizard.udp_hits</strong>: udp identifications (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>wizard.udp_scans</strong>: udp payload scans (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>wizard.user_hits</strong>: user identifications (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>wizard.user_scans</strong>: user payload scans (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_generators">Generators</h3>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>105</strong>: back_orifice\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>106</strong>: rpc_decode\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>112</strong>: arp_spoof\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116</strong>: arp\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116</strong>: auth\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116</strong>: ciscometadata\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116</strong>: decode\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116</strong>: eapol\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116</strong>: erspan2\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116</strong>: erspan3\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116</strong>: esp\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116</strong>: eth\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116</strong>: fabricpath\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116</strong>: gre\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116</strong>: gtp\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116</strong>: icmp4\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116</strong>: icmp6\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116</strong>: igmp\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116</strong>: ipv4\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116</strong>: ipv6\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116</strong>: llc\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116</strong>: mpls\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116</strong>: pbb\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116</strong>: pgm\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116</strong>: pppoe\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116</strong>: tcp\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116</strong>: token_ring\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116</strong>: udp\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116</strong>: vlan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116</strong>: wlan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119</strong>: http_inspect\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>121</strong>: http2_inspect\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122</strong>: port_scan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>123</strong>: stream_ip\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>124</strong>: smtp\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>125</strong>: ftp_server\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>126</strong>: telnet\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>128</strong>: ssh\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129</strong>: stream_tcp\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>131</strong>: dns\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133</strong>: dce_http_proxy\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133</strong>: dce_http_server\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133</strong>: dce_smb\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133</strong>: dce_tcp\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133</strong>: dce_udp\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>134</strong>: latency\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>135</strong>: stream\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>136</strong>: reputation\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>137</strong>: ssl\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140</strong>: sip\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>141</strong>: imap\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>142</strong>: pop\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>143</strong>: gtp_inspect\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>144</strong>: modbus\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>145</strong>: dnp3\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>148</strong>: cip\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>149</strong>: s7commplus\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>150</strong>: file_id\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>175</strong>: domain_filter\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>256</strong>: dpx\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_builtin_rules">Builtin Rules</h3>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>105:1</strong> (back_orifice) BO traffic detected\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>105:2</strong> (back_orifice) BO client traffic detected\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>105:3</strong> (back_orifice) BO server traffic detected\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>105:4</strong> (back_orifice) BO Snort buffer attack\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>106:1</strong> (rpc_decode) fragmented RPC records\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>106:2</strong> (rpc_decode) multiple RPC records\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>106:3</strong> (rpc_decode) large RPC record fragment\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>106:4</strong> (rpc_decode) incomplete RPC segment\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>106:5</strong> (rpc_decode) zero-length RPC fragment\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>112:1</strong> (arp_spoof) unicast ARP request\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>112:2</strong> (arp_spoof) ethernet/ARP mismatch request for source\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>112:3</strong> (arp_spoof) ethernet/ARP mismatch request for destination\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>112:4</strong> (arp_spoof) attempted ARP cache overwrite attack\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:1</strong> (ipv4) not IPv4 datagram\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:2</strong> (ipv4) IPv4 header length < minimum\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:3</strong> (ipv4) IPv4 datagram length < header field\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:4</strong> (ipv4) IPv4 options found with bad lengths\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:5</strong> (ipv4) truncated IPv4 options\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:6</strong> (ipv4) IPv4 datagram length > captured length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:45</strong> (tcp) TCP packet length is smaller than 20 bytes\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:46</strong> (tcp) TCP data offset is less than 5\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:47</strong> (tcp) TCP header length exceeds packet length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:54</strong> (tcp) TCP options found with bad lengths\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:55</strong> (tcp) truncated TCP options\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:56</strong> (tcp) T/TCP detected\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:57</strong> (tcp) obsolete TCP options found\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:58</strong> (tcp) experimental TCP options found\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:59</strong> (tcp) TCP window scale option found with length > 14\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:95</strong> (udp) truncated UDP header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:96</strong> (udp) invalid UDP header, length field < 8\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:97</strong> (udp) short UDP packet, length field > payload length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:98</strong> (udp) long UDP packet, length field < payload length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:105</strong> (icmp4) ICMP header truncated\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:106</strong> (icmp4) ICMP timestamp header truncated\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:107</strong> (icmp4) ICMP address header truncated\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:109</strong> (arp) truncated ARP\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:110</strong> (eapol) truncated EAP header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:111</strong> (eapol) EAP key truncated\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:112</strong> (eapol) EAP header truncated\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:120</strong> (pppoe) bad PPPOE frame detected\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:130</strong> (vlan) bad VLAN frame\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:131</strong> (llc) bad LLC header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:132</strong> (llc) bad extra LLC info\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:133</strong> (wlan) bad 802.11 LLC header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:134</strong> (wlan) bad 802.11 extra LLC info\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:140</strong> (token_ring) bad Token Ring header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:141</strong> (token_ring) bad Token Ring ETHLLC header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:142</strong> (token_ring) bad Token Ring MRLEN header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:143</strong> (token_ring) bad Token Ring MR header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:150</strong> (decode) loopback IP\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:151</strong> (decode) same src/dst IP\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:160</strong> (gre) GRE header length > payload length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:161</strong> (gre) multiple encapsulations in packet\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:162</strong> (gre) invalid GRE version\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:163</strong> (gre) invalid GRE header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:164</strong> (gre) invalid GRE v.1 PPTP header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:165</strong> (gre) GRE trans header length > payload length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:170</strong> (mpls) bad MPLS frame\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:171</strong> (mpls) MPLS label 0 appears in non-bottom header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:172</strong> (mpls) MPLS label 1 appears in bottom header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:173</strong> (mpls) MPLS label 2 appears in non-bottom header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:174</strong> (mpls) MPLS label 3 appears in header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:175</strong> (mpls) MPLS label 4, 5,.. or 15 appears in header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:176</strong> (mpls) too many MPLS headers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:250</strong> (icmp4) ICMP original IP header truncated\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:251</strong> (icmp4) ICMP version and original IP header versions differ\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:252</strong> (icmp4) ICMP original datagram length < original IP header length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:253</strong> (icmp4) ICMP original IP payload < 64 bits\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:254</strong> (icmp4) ICMP original IP payload > 576 bytes\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:255</strong> (icmp4) ICMP original IP fragmented and offset not 0\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:270</strong> (ipv6) IPv6 packet below TTL limit\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:271</strong> (ipv6) IPv6 header claims to not be IPv6\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:272</strong> (ipv6) IPv6 truncated extension header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:273</strong> (ipv6) IPv6 truncated header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:274</strong> (ipv6) IPv6 datagram length < header field\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:275</strong> (ipv6) IPv6 datagram length > captured length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:276</strong> (ipv6) IPv6 packet with destination address ::0\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:277</strong> (ipv6) IPv6 packet with multicast source address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:278</strong> (ipv6) IPv6 packet with reserved multicast destination address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:279</strong> (ipv6) IPv6 header includes an undefined option type\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:280</strong> (ipv6) IPv6 address includes an unassigned multicast scope value\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:281</strong> (ipv6) IPv6 header includes an invalid value for the <em>next header</em> field\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:282</strong> (ipv6) IPv6 header includes a routing extension header followed by a hop-by-hop header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:283</strong> (ipv6) IPv6 header includes two routing extension headers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:285</strong> (icmp6) ICMPv6 packet of type 2 (message too big) with MTU field < 1280\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:286</strong> (icmp6) ICMPv6 packet of type 1 (destination unreachable) with non-RFC 2463 code\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:287</strong> (icmp6) ICMPv6 router solicitation packet with a code not equal to 0\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:288</strong> (icmp6) ICMPv6 router advertisement packet with a code not equal to 0\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:289</strong> (icmp6) ICMPv6 router solicitation packet with the reserved field not equal to 0\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:290</strong> (icmp6) ICMPv6 router advertisement packet with the reachable time field set > 1 hour\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:291</strong> (ipv6) IPV6 tunneled over IPv4, IPv6 header truncated, possible Linux kernel attack\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:292</strong> (ipv6) IPv6 header has destination options followed by a routing header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:293</strong> (decode) two or more IP (v4 and/or v6) encapsulation layers present\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:294</strong> (esp) truncated encapsulated security payload header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:295</strong> (ipv6) IPv6 header includes an option which is too big for the containing header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:296</strong> (ipv6) IPv6 packet includes out-of-order extension headers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:297</strong> (gtp) two or more GTP encapsulation layers present\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:298</strong> (gtp) GTP header length is invalid\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:400</strong> (tcp) XMAS attack detected\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:401</strong> (tcp) Nmap XMAS attack detected\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:402</strong> (tcp) DOS NAPTHA vulnerability detected\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:403</strong> (tcp) SYN to multicast address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:404</strong> (ipv4) IPv4 packet with zero TTL\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:405</strong> (ipv4) IPv4 packet with bad frag bits (both MF and DF set)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:406</strong> (udp) invalid IPv6 UDP packet, checksum zero\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:407</strong> (ipv4) IPv4 packet frag offset + length exceed maximum\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:408</strong> (ipv4) IPv4 packet from <em>current net</em> source address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:409</strong> (ipv4) IPv4 packet to <em>current net</em> dest address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:410</strong> (ipv4) IPv4 packet from multicast source address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:411</strong> (ipv4) IPv4 packet from reserved source address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:412</strong> (ipv4) IPv4 packet to reserved dest address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:413</strong> (ipv4) IPv4 packet from broadcast source address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:414</strong> (ipv4) IPv4 packet to broadcast dest address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:415</strong> (icmp4) ICMP4 packet to multicast dest address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:416</strong> (icmp4) ICMP4 packet to broadcast dest address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:418</strong> (icmp4) ICMP4 type other\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:419</strong> (tcp) TCP urgent pointer exceeds payload length or no payload\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:420</strong> (tcp) TCP SYN with FIN\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:421</strong> (tcp) TCP SYN with RST\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:422</strong> (tcp) TCP PDU missing ack for established session\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:423</strong> (tcp) TCP has no SYN, ACK, or RST\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:424</strong> (eth) truncated ethernet header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:424</strong> (pbb) truncated ethernet header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:425</strong> (ipv4) truncated IPv4 header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:426</strong> (icmp4) truncated ICMP4 header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:427</strong> (icmp6) truncated ICMPv6 header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:428</strong> (ipv4) IPv4 packet below TTL limit\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:429</strong> (ipv6) IPv6 packet has zero hop limit\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:430</strong> (ipv4) IPv4 packet both DF and offset set\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:431</strong> (icmp6) ICMPv6 type not decoded\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:432</strong> (icmp6) ICMPv6 packet to multicast address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:433</strong> (tcp) DDOS shaft SYN flood\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:434</strong> (icmp4) ICMP ping Nmap\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:435</strong> (icmp4) ICMP icmpenum v1.1.1\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:436</strong> (icmp4) ICMP redirect host\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:437</strong> (icmp4) ICMP redirect net\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:438</strong> (icmp4) ICMP traceroute ipopts\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:439</strong> (icmp4) ICMP source quench\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:440</strong> (icmp4) broadscan smurf scanner\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:441</strong> (icmp4) ICMP destination unreachable communication administratively prohibited\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:442</strong> (icmp4) ICMP destination unreachable communication with destination host is administratively prohibited\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:443</strong> (icmp4) ICMP destination unreachable communication with destination network is administratively prohibited\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:444</strong> (ipv4) IPv4 option set\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:445</strong> (udp) large UDP packet (> 4000 bytes)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:446</strong> (tcp) TCP port 0 traffic\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:447</strong> (udp) UDP port 0 traffic\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:448</strong> (ipv4) IPv4 reserved bit set\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:449</strong> (decode) unassigned/reserved IP protocol\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:450</strong> (decode) bad IP protocol\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:451</strong> (icmp4) ICMP path MTU denial of service attempt\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:452</strong> (icmp4) Linux ICMP header DOS attempt\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:453</strong> (ipv6) ISATAP-addressed IPv6 traffic spoofing attempt\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:454</strong> (pgm) PGM nak list overflow attempt\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:455</strong> (igmp) DOS IGMP IP options validation attempt\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:456</strong> (ipv6) too many IPv6 extension headers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:457</strong> (icmp6) ICMPv6 packet of type 1 (destination unreachable) with non-RFC 4443 code\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:458</strong> (ipv6) bogus fragmentation packet, possible BSD attack\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:459</strong> (decode) fragment with zero length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:460</strong> (icmp6) ICMPv6 node info query/response packet with a code greater than 2\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:461</strong> (ipv6) IPv6 routing type 0 extension header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:462</strong> (erspan2) ERSpan header version mismatch\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:463</strong> (erspan2) captured length < ERSpan type2 header length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:464</strong> (erspan3) captured < ERSpan type3 header length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:465</strong> (auth) truncated authentication header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:466</strong> (auth) bad authentication header length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:467</strong> (fabricpath) truncated FabricPath header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:468</strong> (ciscometadata) truncated Cisco Metadata header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:469</strong> (ciscometadata) invalid Cisco Metadata option length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:470</strong> (ciscometadata) invalid Cisco Metadata option type\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:471</strong> (ciscometadata) invalid Cisco Metadata security group tag\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:472</strong> (decode) too many protocols present\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:473</strong> (decode) ether type out of range\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:474</strong> (icmp6) ICMPv6 not encapsulated in IPv6\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:475</strong> (ipv6) IPv6 mobility header includes an invalid value for the <em>payload protocol</em> field\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:1</strong> (http_inspect) ascii encoding\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:2</strong> (http_inspect) double decoding attack\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:3</strong> (http_inspect) u encoding\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:4</strong> (http_inspect) bare byte unicode encoding\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:5</strong> (http_inspect) obsolete event—deleted\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:6</strong> (http_inspect) UTF-8 encoding\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:7</strong> (http_inspect) unicode map code point encoding in URI\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:8</strong> (http_inspect) multi_slash encoding\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:9</strong> (http_inspect) backslash used in URI path\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:10</strong> (http_inspect) self directory traversal\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:11</strong> (http_inspect) directory traversal\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:12</strong> (http_inspect) apache whitespace (tab)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:13</strong> (http_inspect) HTTP header line terminated by LF without a CR\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:14</strong> (http_inspect) non-RFC defined char\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:15</strong> (http_inspect) oversize request-uri directory\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:16</strong> (http_inspect) oversize chunk encoding\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:17</strong> (http_inspect) unauthorized proxy use detected\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:18</strong> (http_inspect) webroot directory traversal\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:19</strong> (http_inspect) long header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:20</strong> (http_inspect) max header fields\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:21</strong> (http_inspect) multiple content length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:22</strong> (http_inspect) obsolete event—deleted\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:23</strong> (http_inspect) invalid IP in true-client-IP/XFF header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:24</strong> (http_inspect) multiple host hdrs detected\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:25</strong> (http_inspect) hostname exceeds 255 characters\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:26</strong> (http_inspect) too much whitespace in header (not implemented yet)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:27</strong> (http_inspect) client consecutive small chunk sizes\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:28</strong> (http_inspect) POST or PUT w/o content-length or chunks\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:29</strong> (http_inspect) multiple true ips in a session\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:30</strong> (http_inspect) both true-client-IP and XFF hdrs present\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:31</strong> (http_inspect) unknown method\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:32</strong> (http_inspect) simple request\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:33</strong> (http_inspect) unescaped space in HTTP URI\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:34</strong> (http_inspect) too many pipelined requests\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:101</strong> (http_inspect) obsolete event—deleted\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:102</strong> (http_inspect) invalid status code in HTTP response\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:103</strong> (http_inspect) unused event number—should not appear\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:104</strong> (http_inspect) HTTP response has UTF charset that failed to normalize\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:105</strong> (http_inspect) HTTP response has UTF-7 charset\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:106</strong> (http_inspect) HTTP response gzip decompression failed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:107</strong> (http_inspect) server consecutive small chunk sizes\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:108</strong> (http_inspect) unused event number—should not appear\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:109</strong> (http_inspect) javascript obfuscation levels exceeds 1\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:110</strong> (http_inspect) javascript whitespaces exceeds max allowed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:111</strong> (http_inspect) multiple encodings within javascript obfuscated data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:112</strong> (http_inspect) SWF file zlib decompression failure\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:113</strong> (http_inspect) SWF file LZMA decompression failure\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:114</strong> (http_inspect) PDF file deflate decompression failure\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:115</strong> (http_inspect) PDF file unsupported compression type\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:116</strong> (http_inspect) PDF file cascaded compression\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:117</strong> (http_inspect) PDF file parse failure\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:201</strong> (http_inspect) not HTTP traffic\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:202</strong> (http_inspect) chunk length has excessive leading zeros\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:203</strong> (http_inspect) white space before or between messages\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:204</strong> (http_inspect) request message without URI\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:205</strong> (http_inspect) control character in reason phrase\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:206</strong> (http_inspect) illegal extra whitespace in start line\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:207</strong> (http_inspect) corrupted HTTP version\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:208</strong> (http_inspect) unknown HTTP version\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:209</strong> (http_inspect) format error in HTTP header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:210</strong> (http_inspect) chunk header options present\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:211</strong> (http_inspect) URI badly formatted\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:212</strong> (http_inspect) unrecognized type of percent encoding in URI\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:213</strong> (http_inspect) HTTP chunk misformatted\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:214</strong> (http_inspect) white space adjacent to chunk length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:215</strong> (http_inspect) white space within header name\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:216</strong> (http_inspect) excessive gzip compression\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:217</strong> (http_inspect) gzip decompression failed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:218</strong> (http_inspect) HTTP 0.9 requested followed by another request\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:219</strong> (http_inspect) HTTP 0.9 request following a normal request\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:220</strong> (http_inspect) message has both Content-Length and Transfer-Encoding\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:221</strong> (http_inspect) status code implying no body combined with Transfer-Encoding or nonzero Content-Length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:222</strong> (http_inspect) Transfer-Encoding not ending with chunked\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:223</strong> (http_inspect) Transfer-Encoding with encodings before chunked\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:224</strong> (http_inspect) misformatted HTTP traffic\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:225</strong> (http_inspect) unsupported Content-Encoding used\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:226</strong> (http_inspect) unknown Content-Encoding used\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:227</strong> (http_inspect) multiple Content-Encodings applied\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:228</strong> (http_inspect) server response before client request\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:229</strong> (http_inspect) PDF/SWF/ZIP decompression of server response too big\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:230</strong> (http_inspect) nonprinting character in HTTP message header name\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:231</strong> (http_inspect) bad Content-Length value in HTTP header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:232</strong> (http_inspect) HTTP header line wrapped\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:233</strong> (http_inspect) HTTP header line terminated by CR without a LF\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:234</strong> (http_inspect) chunk terminated by nonstandard separator\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:235</strong> (http_inspect) chunk length terminated by LF without CR\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:236</strong> (http_inspect) more than one response with 100 status code\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:237</strong> (http_inspect) 100 status code not in response to Expect header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:238</strong> (http_inspect) 1XX status code other than 100 or 101\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:239</strong> (http_inspect) Expect header sent without a message body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:240</strong> (http_inspect) HTTP 1.0 message with Transfer-Encoding header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:241</strong> (http_inspect) Content-Transfer-Encoding used as HTTP header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:242</strong> (http_inspect) illegal field in chunked message trailers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:243</strong> (http_inspect) header field inappropriately appears twice or has two values\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:244</strong> (http_inspect) invalid value chunked in Content-Encoding header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:245</strong> (http_inspect) 206 response sent to a request without a Range header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:246</strong> (http_inspect) <em>HTTP</em> in version field not all upper case\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:247</strong> (http_inspect) white space embedded in critical header value\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:248</strong> (http_inspect) gzip compressed data followed by unexpected non-gzip data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:249</strong> (http_inspect) excessive HTTP parameter key repeats\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:250</strong> (http_inspect) HTTP/2 Transfer-Encoding header other than identity\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:251</strong> (http_inspect) HTTP/2 message body overruns Content-Length header value\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:252</strong> (http_inspect) HTTP/2 message body smaller than Content-Length header value\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:253</strong> (http_inspect) HTTP CONNECT request with a message body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:254</strong> (http_inspect) HTTP client-to-server traffic after CONNECT request but before CONNECT response\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:255</strong> (http_inspect) HTTP CONNECT 2XX response with Content-Length header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:256</strong> (http_inspect) HTTP CONNECT 2XX response with Transfer-Encoding header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:257</strong> (http_inspect) HTTP CONNECT response with 1XX status code\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:258</strong> (http_inspect) HTTP CONNECT response before request message completed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>121:1</strong> (http2_inspect) error in HPACK integer value\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>121:2</strong> (http2_inspect) HPACK integer value has leading zeros\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>121:3</strong> (http2_inspect) error in HPACK string value\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>121:4</strong> (http2_inspect) missing HTTP/2 continuation frame\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>121:5</strong> (http2_inspect) unexpected HTTP/2 continuation frame\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>121:6</strong> (http2_inspect) misformatted HTTP/2 traffic\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>121:7</strong> (http2_inspect) HTTP/2 connection preface does not match\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>121:8</strong> (http2_inspect) HTTP/2 request missing required header field\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>121:9</strong> (http2_inspect) HTTP/2 response has no status code\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>121:10</strong> (http2_inspect) HTTP/2 invalid header field\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>121:11</strong> (http2_inspect) error in HTTP/2 settings frame\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>121:12</strong> (http2_inspect) unknown parameter in HTTP/2 settings frame\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>121:13</strong> (http2_inspect) invalid HTTP/2 frame sequence\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>121:14</strong> (http2_inspect) HTTP/2 dynamic table size limit exceeded\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>121:15</strong> (http2_inspect) invalid HTTP/2 start line\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>121:16</strong> (http2_inspect) HTTP/2 padding length is bigger than frame data size\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:1</strong> (port_scan) TCP portscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:2</strong> (port_scan) TCP decoy portscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:3</strong> (port_scan) TCP portsweep\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:4</strong> (port_scan) TCP distributed portscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:5</strong> (port_scan) TCP filtered portscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:6</strong> (port_scan) TCP filtered decoy portscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:7</strong> (port_scan) TCP filtered portsweep\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:8</strong> (port_scan) TCP filtered distributed portscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:9</strong> (port_scan) IP protocol scan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:10</strong> (port_scan) IP decoy protocol scan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:11</strong> (port_scan) IP protocol sweep\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:12</strong> (port_scan) IP distributed protocol scan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:13</strong> (port_scan) IP filtered protocol scan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:14</strong> (port_scan) IP filtered decoy protocol scan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:15</strong> (port_scan) IP filtered protocol sweep\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:16</strong> (port_scan) IP filtered distributed protocol scan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:17</strong> (port_scan) UDP portscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:18</strong> (port_scan) UDP decoy portscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:19</strong> (port_scan) UDP portsweep\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:20</strong> (port_scan) UDP distributed portscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:21</strong> (port_scan) UDP filtered portscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:22</strong> (port_scan) UDP filtered decoy portscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:23</strong> (port_scan) UDP filtered portsweep\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:24</strong> (port_scan) UDP filtered distributed portscan\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:25</strong> (port_scan) ICMP sweep\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:26</strong> (port_scan) ICMP filtered sweep\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>122:27</strong> (port_scan) open port\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>123:1</strong> (stream_ip) inconsistent IP options on fragmented packets\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>123:2</strong> (stream_ip) teardrop attack\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>123:3</strong> (stream_ip) short fragment, possible DOS attempt\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>123:4</strong> (stream_ip) fragment packet ends after defragmented packet\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>123:5</strong> (stream_ip) zero-byte fragment packet\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>123:6</strong> (stream_ip) bad fragment size, packet size is negative\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>123:7</strong> (stream_ip) bad fragment size, packet size is greater than 65536\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>123:8</strong> (stream_ip) fragmentation overlap\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>123:11</strong> (stream_ip) TTL value less than configured minimum, not using for reassembly\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>123:12</strong> (stream_ip) excessive fragment overlap\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>123:13</strong> (stream_ip) tiny fragment\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>124:1</strong> (smtp) attempted command buffer overflow\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>124:2</strong> (smtp) attempted data header buffer overflow\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>124:3</strong> (smtp) attempted response buffer overflow\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>124:4</strong> (smtp) attempted specific command buffer overflow\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>124:5</strong> (smtp) unknown command\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>124:6</strong> (smtp) illegal command\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>124:7</strong> (smtp) attempted header name buffer overflow\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>124:8</strong> (smtp) attempted X-Link2State command buffer overflow\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>124:10</strong> (smtp) base64 decoding failed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>124:11</strong> (smtp) quoted-printable decoding failed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>124:13</strong> (smtp) Unix-to-Unix decoding failed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>124:14</strong> (smtp) Cyrus SASL authentication attack\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>124:15</strong> (smtp) attempted authentication command buffer overflow\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>124:16</strong> (smtp) file decompression failed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>125:1</strong> (ftp_server) TELNET cmd on FTP command channel\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>125:2</strong> (ftp_server) invalid FTP command\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>125:3</strong> (ftp_server) FTP command parameters were too long\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>125:4</strong> (ftp_server) FTP command parameters were malformed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>125:5</strong> (ftp_server) FTP command parameters contained potential string format\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>125:6</strong> (ftp_server) FTP response message was too long\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>125:7</strong> (ftp_server) FTP traffic encrypted\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>125:8</strong> (ftp_server) FTP bounce attempt\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>125:9</strong> (ftp_server) evasive (incomplete) TELNET cmd on FTP command channel\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>126:1</strong> (telnet) consecutive Telnet AYT commands beyond threshold\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>126:2</strong> (telnet) Telnet traffic encrypted\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>126:3</strong> (telnet) Telnet subnegotiation begin command without subnegotiation end\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>128:1</strong> (ssh) challenge-response overflow exploit\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>128:2</strong> (ssh) SSH1 CRC32 exploit\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>128:3</strong> (ssh) server version string overflow\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>128:5</strong> (ssh) bad message direction\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>128:6</strong> (ssh) payload size incorrect for the given payload\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>128:7</strong> (ssh) failed to detect SSH version string\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:1</strong> (stream_tcp) SYN on established session\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:2</strong> (stream_tcp) data on SYN packet\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:3</strong> (stream_tcp) data sent on stream not accepting data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:4</strong> (stream_tcp) TCP timestamp is outside of PAWS window\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:5</strong> (stream_tcp) bad segment, adjusted size ⇐ 0 (deprecated)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:6</strong> (stream_tcp) window size (after scaling) larger than policy allows\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:7</strong> (stream_tcp) limit on number of overlapping TCP packets reached\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:8</strong> (stream_tcp) data sent on stream after TCP reset sent\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:9</strong> (stream_tcp) TCP client possibly hijacked, different ethernet address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:10</strong> (stream_tcp) TCP server possibly hijacked, different ethernet address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:11</strong> (stream_tcp) TCP data with no TCP flags set\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:12</strong> (stream_tcp) consecutive TCP small segments exceeding threshold\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:13</strong> (stream_tcp) 4-way handshake detected\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:14</strong> (stream_tcp) TCP timestamp is missing\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:15</strong> (stream_tcp) reset outside window\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:16</strong> (stream_tcp) FIN number is greater than prior FIN\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:17</strong> (stream_tcp) ACK number is greater than prior FIN\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:18</strong> (stream_tcp) data sent on stream after TCP reset received\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:19</strong> (stream_tcp) TCP window closed before receiving data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>129:20</strong> (stream_tcp) TCP session without 3-way handshake\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>131:1</strong> (dns) obsolete DNS RR types\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>131:2</strong> (dns) experimental DNS RR types\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>131:3</strong> (dns) DNS client rdata txt overflow\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:2</strong> (dce_smb) SMB - bad NetBIOS session service session type\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:3</strong> (dce_smb) SMB - bad SMB message type\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:4</strong> (dce_smb) SMB - bad SMB Id (not \xffSMB for SMB1 or not \xfeSMB for SMB2)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:5</strong> (dce_smb) SMB - bad word count or structure size\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:6</strong> (dce_smb) SMB - bad byte count\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:7</strong> (dce_smb) SMB - bad format type\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:8</strong> (dce_smb) SMB - bad offset\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:9</strong> (dce_smb) SMB - zero total data count\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:10</strong> (dce_smb) SMB - NetBIOS data length less than SMB header length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:11</strong> (dce_smb) SMB - remaining NetBIOS data length less than command length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:12</strong> (dce_smb) SMB - remaining NetBIOS data length less than command byte count\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:13</strong> (dce_smb) SMB - remaining NetBIOS data length less than command data size\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:14</strong> (dce_smb) SMB - remaining total data count less than this command data size\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:15</strong> (dce_smb) SMB - total data sent (STDu64) greater than command total data expected\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:16</strong> (dce_smb) SMB - byte count less than command data size (STDu64)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:17</strong> (dce_smb) SMB - invalid command data size for byte count\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:18</strong> (dce_smb) SMB - excessive tree connect requests with pending tree connect responses\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:19</strong> (dce_smb) SMB - excessive read requests with pending read responses\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:20</strong> (dce_smb) SMB - excessive command chaining\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:21</strong> (dce_smb) SMB - multiple chained tree connect requests\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:22</strong> (dce_smb) SMB - multiple chained tree connect requests\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:23</strong> (dce_smb) SMB - chained/compounded login followed by logoff\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:24</strong> (dce_smb) SMB - chained/compounded tree connect followed by tree disconnect\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:25</strong> (dce_smb) SMB - chained/compounded open pipe followed by close pipe\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:26</strong> (dce_smb) SMB - invalid share access\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:27</strong> (dce_tcp) connection oriented DCE/RPC - invalid major version\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:28</strong> (dce_tcp) connection oriented DCE/RPC - invalid minor version\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:29</strong> (dce_tcp) connection-oriented DCE/RPC - invalid PDU type\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:30</strong> (dce_tcp) connection-oriented DCE/RPC - fragment length less than header size\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:31</strong> (dce_tcp) connection-oriented DCE/RPC - remaining fragment length less than size needed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:32</strong> (dce_tcp) connection-oriented DCE/RPC - no context items specified\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:33</strong> (dce_tcp) connection-oriented DCE/RPC -no transfer syntaxes specified\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:34</strong> (dce_tcp) connection-oriented DCE/RPC - fragment length on non-last fragment less than maximum negotiated fragment transmit size for client\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:35</strong> (dce_tcp) connection-oriented DCE/RPC - fragment length greater than maximum negotiated fragment transmit size\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:36</strong> (dce_tcp) connection-oriented DCE/RPC - alter context byte order different from bind\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:37</strong> (dce_tcp) connection-oriented DCE/RPC - call id of non first/last fragment different from call id established for fragmented request\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:38</strong> (dce_tcp) connection-oriented DCE/RPC - opnum of non first/last fragment different from opnum established for fragmented request\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:39</strong> (dce_tcp) connection-oriented DCE/RPC - context id of non first/last fragment different from context id established for fragmented request\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:40</strong> (dce_udp) connection-less DCE/RPC - invalid major version\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:41</strong> (dce_udp) connection-less DCE/RPC - invalid PDU type\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:42</strong> (dce_udp) connection-less DCE/RPC - data length less than header size\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:43</strong> (dce_udp) connection-less DCE/RPC - bad sequence number\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:44</strong> (dce_smb) SMB - invalid SMB version 1 seen\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:45</strong> (dce_smb) SMB - invalid SMB version 2 seen\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:46</strong> (dce_smb) SMB - invalid user, tree connect, file binding\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:47</strong> (dce_smb) SMB - excessive command compounding\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:48</strong> (dce_smb) SMB - zero data count\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:50</strong> (dce_smb) SMB - maximum number of outstanding requests exceeded\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:51</strong> (dce_smb) SMB - outstanding requests with same MID\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:52</strong> (dce_smb) SMB - deprecated dialect negotiated\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:53</strong> (dce_smb) SMB - deprecated command used\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:54</strong> (dce_smb) SMB - unusual command used\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:55</strong> (dce_smb) SMB - invalid setup count for command\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:56</strong> (dce_smb) SMB - client attempted multiple dialect negotiations on session\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:57</strong> (dce_smb) SMB - client attempted to create or set a file’s attributes to readonly/hidden/system\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:58</strong> (dce_smb) SMB - file offset provided is greater than file size specified\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:59</strong> (dce_smb) SMB - next command specified in SMB2 header is beyond payload boundary\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>134:1</strong> (latency) rule tree suspended due to latency\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>134:2</strong> (latency) rule tree re-enabled after suspend timeout\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>134:3</strong> (latency) packet fastpathed due to latency\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>135:1</strong> (stream) TCP SYN received\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>135:2</strong> (stream) TCP session established\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>135:3</strong> (stream) TCP session cleared\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>136:1</strong> (reputation) packets blacklisted based on source\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>136:2</strong> (reputation) packets whitelisted based on source\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>136:3</strong> (reputation) packets monitored based on source\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>136:4</strong> (reputation) packets blacklisted based on destination\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>136:5</strong> (reputation) packets whitelisted based on destination\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>136:6</strong> (reputation) packets monitored based on destination\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>137:1</strong> (ssl) invalid client HELLO after server HELLO detected\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>137:2</strong> (ssl) invalid server HELLO without client HELLO detected\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>137:3</strong> (ssl) heartbeat read overrun attempt detected\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>137:4</strong> (ssl) large heartbeat response detected\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:2</strong> (sip) empty request URI\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:3</strong> (sip) URI is too long\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:4</strong> (sip) empty call-Id\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:5</strong> (sip) Call-Id is too long\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:6</strong> (sip) CSeq number is too large or negative\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:7</strong> (sip) request name in CSeq is too long\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:8</strong> (sip) empty From header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:9</strong> (sip) From header is too long\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:10</strong> (sip) empty To header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:11</strong> (sip) To header is too long\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:12</strong> (sip) empty Via header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:13</strong> (sip) Via header is too long\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:14</strong> (sip) empty Contact\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:15</strong> (sip) contact is too long\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:16</strong> (sip) content length is too large or negative\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:17</strong> (sip) multiple SIP messages in a packet\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:18</strong> (sip) content length mismatch\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:19</strong> (sip) request name is invalid\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:20</strong> (sip) Invite replay attack\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:21</strong> (sip) illegal session information modification\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:22</strong> (sip) response status code is not a 3 digit number\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:23</strong> (sip) empty Content-type header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:24</strong> (sip) SIP version is invalid\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:25</strong> (sip) mismatch in METHOD of request and the CSEQ header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:26</strong> (sip) method is unknown\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>140:27</strong> (sip) maximum dialogs within a session reached\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>141:1</strong> (imap) unknown IMAP3 command\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>141:2</strong> (imap) unknown IMAP3 response\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>141:4</strong> (imap) base64 decoding failed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>141:5</strong> (imap) quoted-printable decoding failed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>141:7</strong> (imap) Unix-to-Unix decoding failed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>141:8</strong> (imap) file decompression failed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>142:1</strong> (pop) unknown POP3 command\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>142:2</strong> (pop) unknown POP3 response\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>142:4</strong> (pop) base64 decoding failed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>142:5</strong> (pop) quoted-printable decoding failed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>142:7</strong> (pop) Unix-to-Unix decoding failed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>142:8</strong> (pop) file decompression failed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>143:1</strong> (gtp_inspect) message length is invalid\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>143:2</strong> (gtp_inspect) information element length is invalid\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>143:3</strong> (gtp_inspect) information elements are out of order\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>143:4</strong> (gtp_inspect) TEID is missing\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>144:1</strong> (modbus) length in Modbus MBAP header does not match the length needed for the given function\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>144:2</strong> (modbus) Modbus protocol ID is non-zero\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>144:3</strong> (modbus) reserved Modbus function code in use\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>145:1</strong> (dnp3) DNP3 link-layer frame contains bad CRC\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>145:2</strong> (dnp3) DNP3 link-layer frame was dropped\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>145:3</strong> (dnp3) DNP3 transport-layer segment was dropped during reassembly\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>145:4</strong> (dnp3) DNP3 reassembly buffer was cleared without reassembling a complete message\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>145:5</strong> (dnp3) DNP3 link-layer frame uses a reserved address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>145:6</strong> (dnp3) DNP3 application-layer fragment uses a reserved function code\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>148:1</strong> (cip) CIP data is malformed.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>148:2</strong> (cip) CIP data is non-conforming to ODVA standard.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>148:3</strong> (cip) CIP connection limit exceeded. Least recently used connection removed.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>148:4</strong> (cip) CIP unconnected request limit exceeded. Oldest request removed.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>149:1</strong> (s7commplus) length in S7commplus MBAP header does not match the length needed for the given S7commplus function\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>149:2</strong> (s7commplus) S7commplus protocol ID is non-zero\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>149:3</strong> (s7commplus) reserved S7commplus function code in use\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>150:1</strong> (file_id) file not processed due to per flow limit\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>175:1</strong> (domain_filter) configured domain detected\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>256:1</strong> (dpx) too much data sent to port\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_command_set">Command Set</h3>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>appid.enable_debug</strong>(proto, src_ip, src_port, dst_ip, dst_port): enable appid debugging\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.disable_debug</strong>(): disable appid debugging\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.reload_third_party</strong>(): reload appid third-party module\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>host_cache.dump</strong>(file_name): dump host cache\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>packet_capture.enable</strong>(filter): dump raw packets\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>packet_capture.disable</strong>(): stop packet dump\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>packet_tracer.enable</strong>(proto, src_ip, src_port, dst_ip, dst_port): enable packet tracer debugging\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>packet_tracer.disable</strong>(): disable packet tracer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>perf_monitor.enable_flow_ip_profiling</strong>(seconds, packets): enable statistics on host pairs\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>perf_monitor.disable_flow_ip_profiling</strong>(): disable statistics on host pairs\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>perf_monitor.show_flow_ip_profiling</strong>(): show status of statistics on host pairs\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>rna.reload_fingerprint</strong>(): reload rna database of fingerprint patterns/signatures\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.show_plugins</strong>(): show available plugins\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.delete_inspector</strong>(inspector): delete an inspector from the default policy\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.dump_stats</strong>(): show summary statistics\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.rotate_stats</strong>(): roll perfmonitor log files\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.reload_config</strong>(filename): load new configuration\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.reload_policy</strong>(filename): reload part or all of the default policy\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.reload_module</strong>(module): reload module\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.reload_daq</strong>(): reload daq module\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.reload_hosts</strong>(filename): load a new hosts table\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.pause</strong>(): suspend packet processing\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.resume</strong>(pkt_num): continue packet processing. If number of packet is specified, will resume for n packets and pause\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.detach</strong>(): exit shell w/o shutdown\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.quit</strong>(): shutdown and dump-stats\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort.help</strong>(): this output\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>trace.set</strong>(modules, constraints): set modules traces and constraints\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>trace.clear</strong>(): clear modules traces and constraints\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_signals_2">Signals</h3>\r
-<div class="admonitionblock">\r
-<table><tr>\r
-<td class="icon">\r
-<img src="./images/icons/important.png" alt="Important" />\r
-</td>\r
-<td class="content">Signal numbers are for the system that generated this\r
-documentation and are not applicable elsewhere.</td>\r
-</tr></table>\r
-</div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>term</strong>(15): shutdown normally\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>int</strong>(2): shutdown normally\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>quit</strong>(3): shutdown as if started with --dirty-pig\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stats</strong>(10): dump stats to stdout\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>rotate</strong>(12): rotate stats files\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>reload</strong>(1): reload config file\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>hosts</strong>(23): reload hosts file\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_configuration_changes">Configuration Changes</h3>\r
-<div class="listingblock">\r
-<div class="content">\r
-<pre><code>change -> dynamicdetection ==> 'snort.--plugin_path=<path>'\r
-change -> dynamicengine ==> 'snort.--plugin_path=<path>'\r
-change -> dynamicpreprocessor ==> 'snort.--plugin_path=<path>'\r
-change -> dynamicsidechannel ==> 'snort.--plugin_path=<path>'\r
-change -> attribute_table: 'STREAM_POLICY' ==> 'hosts: tcp_policy'\r
-change -> attribute_table: 'filename <file_name>' ==> 'hosts[]'\r
-change -> config ' addressspace_agnostic' ==> ' packets. address_space_agnostic'\r
-change -> config ' checksum_mode' ==> ' network. checksum_eval'\r
-change -> config ' daq_dir' ==> ' daq. module_dirs, true'\r
-change -> config ' detection_filter' ==> ' alerts. detection_filter_memcap'\r
-change -> config ' enable_deep_teredo_inspection' ==> ' udp. deep_teredo_inspection'\r
-change -> config ' event_filter' ==> ' alerts. event_filter_memcap'\r
-change -> config ' max_attribute_hosts' ==> ' attribute_table. max_hosts'\r
-change -> config ' max_attribute_services_per_host' ==> ' attribute_table. max_services_per_host'\r
-change -> config ' nopcre' ==> ' detection. pcre_enable'\r
-change -> config ' pkt_count' ==> ' packets. limit'\r
-change -> config ' rate_filter' ==> ' alerts. rate_filter_memcap'\r
-change -> config ' react' ==> ' react. page'\r
-change -> config ' threshold' ==> ' alerts. event_filter_memcap'\r
-change -> converter: 'gen_id' ==> 'gid'\r
-change -> converter: 'sid_id' ==> 'sid'\r
-change -> csv: 'csv' ==> 'fields'\r
-change -> csv: 'dgmlen' ==> 'pkt_len'\r
-change -> csv: 'dst' ==> 'dst_addr'\r
-change -> csv: 'dstport' ==> 'dst_port'\r
-change -> csv: 'ethdst' ==> 'eth_dst'\r
-change -> csv: 'ethlen' ==> 'eth_len'\r
-change -> csv: 'ethsrc' ==> 'eth_src'\r
-change -> csv: 'ethtype' ==> 'eth_type'\r
-change -> csv: 'icmpcode' ==> 'icmp_code'\r
-change -> csv: 'icmpid' ==> 'icmp_id'\r
-change -> csv: 'icmpseq' ==> 'icmp_seq'\r
-change -> csv: 'icmptype' ==> 'icmp_type'\r
-change -> csv: 'id' ==> 'ip_id'\r
-change -> csv: 'iplen' ==> 'ip_len'\r
-change -> csv: 'sig_generator' ==> 'gid'\r
-change -> csv: 'sig_id' ==> 'sid'\r
-change -> csv: 'sig_rev' ==> 'rev'\r
-change -> csv: 'src' ==> 'src_addr'\r
-change -> csv: 'srcport' ==> 'src_port'\r
-change -> csv: 'tcpack' ==> 'tcp_ack'\r
-change -> csv: 'tcpflags' ==> 'tcp_flags'\r
-change -> csv: 'tcplen' ==> 'tcp_len'\r
-change -> csv: 'tcpseq' ==> 'tcp_seq'\r
-change -> csv: 'tcpwindow' ==> 'tcp_win'\r
-change -> csv: 'udplength' ==> 'udp_len'\r
-change -> daq: 'config daq:' ==> 'name'\r
-change -> daq_mode: 'config daq_mode:' ==> 'mode'\r
-change -> daq_var: 'config daq_var:' ==> 'variables'\r
-change -> detection: 'ac' ==> 'ac_full'\r
-change -> detection: 'ac-banded' ==> 'ac_banded'\r
-change -> detection: 'ac-bnfa' ==> 'ac_bnfa'\r
-change -> detection: 'ac-bnfa-nq' ==> 'ac_bnfa'\r
-change -> detection: 'ac-bnfa-q' ==> 'ac_bnfa'\r
-change -> detection: 'ac-nq' ==> 'ac_full'\r
-change -> detection: 'ac-q' ==> 'ac_full'\r
-change -> detection: 'ac-sparsebands' ==> 'ac_sparse_bands'\r
-change -> detection: 'ac-split' ==> 'ac_full'\r
-change -> detection: 'ac-split' ==> 'split_any_any'\r
-change -> detection: 'ac-std' ==> 'ac_std'\r
-change -> detection: 'acs' ==> 'ac_sparse'\r
-change -> detection: 'bleedover-port-limit' ==> 'bleedover_port_limit'\r
-change -> detection: 'debug-print-fast-pattern' ==> 'show_fast_patterns'\r
-change -> detection: 'intel-cpm' ==> 'hyperscan'\r
-change -> detection: 'lowmem-nq' ==> 'lowmem'\r
-change -> detection: 'lowmem-q' ==> 'lowmem'\r
-change -> detection: 'max-pattern-len' ==> 'max_pattern_len'\r
-change -> detection: 'no_stream_inserts' ==> 'detect_raw_tcp'\r
-change -> detection: 'search-method' ==> 'search_method'\r
-change -> detection: 'search-optimize' ==> 'search_optimize'\r
-change -> detection: 'split-any-any' ==> 'split_any_any = true by default'\r
-change -> detection: 'split-any-any' ==> 'split_any_any'\r
-change -> dnp3: 'ports' ==> 'bindings'\r
-change -> dns: 'ports' ==> 'bindings'\r
-change -> event_filter: 'gen_id' ==> 'gid'\r
-change -> event_filter: 'sig_id' ==> 'sid'\r
-change -> event_filter: 'threshold' ==> 'event_filter'\r
-change -> file: 'config file: file_block_timeout' ==> 'block_timeout'\r
-change -> file: 'config file: file_capture_block_size' ==> 'capture_block_size'\r
-change -> file: 'config file: file_capture_max' ==> 'capture_max_size'\r
-change -> file: 'config file: file_capture_memcap' ==> 'capture_memcap'\r
-change -> file: 'config file: file_capture_min' ==> 'capture_min_size'\r
-change -> file: 'config file: file_type_depth' ==> 'type_depth'\r
-change -> file: 'config file: signature' ==> 'enable_signature'\r
-change -> file: 'config file: type_id' ==> 'enable_type'\r
-change -> file: 'ver' ==> 'version'\r
-change -> frag3_engine: 'min_fragment_length' ==> 'min_frag_length'\r
-change -> frag3_engine: 'overlap_limit' ==> 'max_overlaps'\r
-change -> frag3_engine: 'policy bsd-right' ==> 'policy = bsd_right'\r
-change -> frag3_engine: 'timeout' ==> 'session_timeout'\r
-change -> ftp_telnet_protocol: 'alt_max_param_len' ==> 'cmd_validity'\r
-change -> ftp_telnet_protocol: 'data_chan' ==> 'ignore_data_chan'\r
-change -> ftp_telnet_protocol: 'ports' ==> 'bindings'\r
-change -> gtp: 'ports' ==> 'bindings'\r
-change -> http_inspect_server: 'bare_byte' ==> 'utf8_bare_byte'\r
-change -> http_inspect_server: 'client_flow_depth' ==> 'request_depth'\r
-change -> http_inspect_server: 'double_decode' ==> 'iis_double_decode'\r
-change -> http_inspect_server: 'http_inspect_server' ==> 'http_inspect'\r
-change -> http_inspect_server: 'iis_backslash' ==> 'backslash_to_slash'\r
-change -> http_inspect_server: 'inspect_gzip' ==> 'unzip'\r
-change -> http_inspect_server: 'non_rfc_char' ==> 'bad_characters'\r
-change -> http_inspect_server: 'ports' ==> 'bindings'\r
-change -> http_inspect_server: 'u_encode' ==> 'percent_u'\r
-change -> http_inspect_server: 'utf_8' ==> 'utf8'\r
-change -> imap: 'ports' ==> 'bindings'\r
-change -> modbus: 'ports' ==> 'bindings'\r
-change -> na_policy_mode: 'na_policy_mode' ==> 'mode'\r
-change -> nap_selector: 'nap rules' ==> 'bindings'\r
-change -> paf_max: 'paf_max [0:63780]' ==> 'max_pdu [1460:32768]'\r
-change -> perfmonitor: 'console' ==> 'format = 'text''\r
-change -> perfmonitor: 'console' ==> 'output = 'console''\r
-change -> perfmonitor: 'file' ==> 'format = 'csv''\r
-change -> perfmonitor: 'file' ==> 'output = 'file''\r
-change -> perfmonitor: 'flow-file' ==> 'format = 'csv''\r
-change -> perfmonitor: 'flow-file' ==> 'output = 'file''\r
-change -> perfmonitor: 'flow-ip' ==> 'flow_ip'\r
-change -> perfmonitor: 'flow-ip-file' ==> 'format = 'csv''\r
-change -> perfmonitor: 'flow-ip-file' ==> 'output = 'file''\r
-change -> perfmonitor: 'flow-ip-memcap' ==> 'flow_ip_memcap'\r
-change -> perfmonitor: 'flow-ports' ==> 'flow_ports'\r
-change -> perfmonitor: 'pktcnt' ==> 'packets'\r
-change -> perfmonitor: 'snortfile' ==> 'format = 'csv''\r
-change -> perfmonitor: 'snortfile' ==> 'output = 'file''\r
-change -> perfmonitor: 'time' ==> 'seconds'\r
-change -> policy_mode: 'inline_test' ==> 'inline-test'\r
-change -> pop: 'ports' ==> 'bindings'\r
-change -> ppm: 'fastpath-expensive-packets' ==> 'packet.fastpath'\r
-change -> ppm: 'max-pkt-time' ==> 'packet.max_time'\r
-change -> ppm: 'max-rule-time' ==> 'rule.max_time'\r
-change -> ppm: 'ppm' ==> 'latency'\r
-change -> ppm: 'suspend-expensive-rules' ==> 'rule.suspend'\r
-change -> ppm: 'suspend-timeout' ==> 'max_suspend_time'\r
-change -> ppm: 'threshold' ==> 'rule.suspend_threshold'\r
-change -> preprocessor 'normalize_ icmp4' ==> 'normalize. icmp4'\r
-change -> preprocessor 'normalize_ icmp6' ==> 'normalize. icmp6'\r
-change -> preprocessor 'normalize_ ip6' ==> 'normalize. ip6'\r
-change -> profile: 'print' ==> 'count'\r
-change -> profile: 'sort avg_ticks' ==> 'sort = avg_check'\r
-change -> profile: 'sort total_ticks' ==> 'sort = total_time'\r
-change -> rate_filter: 'gen_id' ==> 'gid'\r
-change -> rate_filter: 'sig_id' ==> 'sid'\r
-change -> reputation: 'shared_mem' ==> 'list_dir'\r
-change -> rule_state: 'enabled/disabled' ==> 'enable'\r
-change -> rule_state: 'sdrop' ==> 'drop'\r
-change -> sfportscan: 'proto' ==> 'protos'\r
-change -> sfportscan: 'scan_type' ==> 'scan_types'\r
-change -> sip: 'ports' ==> 'bindings'\r
-change -> smtp: 'ports' ==> 'bindings'\r
-change -> ssh: 'server_ports' ==> 'bindings'\r
-change -> ssl: 'ports' ==> 'bindings'\r
-change -> stream5_global: 'max_active_responses' ==> 'max_responses'\r
-change -> stream5_global: 'min_response_seconds' ==> 'min_interval'\r
-change -> stream5_global: 'tcp_cache_nominal_timeout' ==> 'idle_timeout'\r
-change -> stream5_global: 'udp_cache_nominal_timeout' ==> 'idle_timeout'\r
-change -> stream5_ha: 'min_session_lifetime' ==> 'min_age'\r
-change -> stream5_ha: 'min_sync_interval' ==> 'min_sync'\r
-change -> stream5_ha: 'stream5_ha' ==> 'high_availability'\r
-change -> stream5_ha: 'use_daq' ==> 'daq_channel'\r
-change -> stream5_ip: 'timeout' ==> 'session_timeout'\r
-change -> stream5_tcp: 'bind_to' ==> 'bindings'\r
-change -> stream5_tcp: 'dont_reassemble_async' ==> 'reassemble_async'\r
-change -> stream5_tcp: 'max_queued_bytes' ==> 'queue_limit.max_bytes'\r
-change -> stream5_tcp: 'max_queued_segs' ==> 'queue_limit.max_segments'\r
-change -> stream5_tcp: 'policy hpux' ==> 'stream_tcp.policy = hpux11'\r
-change -> stream5_tcp: 'timeout' ==> 'session_timeout'\r
-change -> stream5_udp: 'timeout' ==> 'session_timeout'\r
-change -> suppress: 'gen_id' ==> 'gid'\r
-change -> suppress: 'sig_id' ==> 'sid'\r
-change -> syslog: 'log_alert' ==> 'level = alert'\r
-change -> syslog: 'log_auth' ==> 'facility = auth'\r
-change -> syslog: 'log_authpriv' ==> 'facility = authpriv'\r
-change -> syslog: 'log_cons' ==> 'options = cons'\r
-change -> syslog: 'log_crit' ==> 'level = crit'\r
-change -> syslog: 'log_daemon' ==> 'facility = daemon'\r
-change -> syslog: 'log_debug' ==> 'level = debug'\r
-change -> syslog: 'log_emerg' ==> 'level = emerg'\r
-change -> syslog: 'log_err' ==> 'level = err'\r
-change -> syslog: 'log_info' ==> 'level = info'\r
-change -> syslog: 'log_local0' ==> 'facility = local0'\r
-change -> syslog: 'log_local1' ==> 'facility = local1'\r
-change -> syslog: 'log_local2' ==> 'facility = local2'\r
-change -> syslog: 'log_local3' ==> 'facility = local3'\r
-change -> syslog: 'log_local4' ==> 'facility = local4'\r
-change -> syslog: 'log_local5' ==> 'facility = local5'\r
-change -> syslog: 'log_local6' ==> 'facility = local6'\r
-change -> syslog: 'log_local7' ==> 'facility = local7'\r
-change -> syslog: 'log_ndelay' ==> 'options = ndelay'\r
-change -> syslog: 'log_notice' ==> 'level = notice'\r
-change -> syslog: 'log_perror' ==> 'options = perror'\r
-change -> syslog: 'log_pid' ==> 'options = pid'\r
-change -> syslog: 'log_user' ==> 'facility = user'\r
-change -> syslog: 'log_warning' ==> 'level = warning'\r
-change -> threshold: 'ips_option: threshold' ==> 'event_filter'\r
-change -> unified2: ' alert_unified2' ==> 'unified2'\r
-change -> unified2: ' log_unified2' ==> 'unified2'\r
-change -> unified2: ' unified2' ==> 'unified2'\r
-deleted -> arpspoof: 'unicast'\r
-deleted -> attribute_table: '<FRAG_POLICY>hpux</FRAG_POLICY>'\r
-deleted -> attribute_table: '<FRAG_POLICY>irix</FRAG_POLICY>'\r
-deleted -> attribute_table: '<FRAG_POLICY>old-linux</FRAG_POLICY>'\r
-deleted -> attribute_table: '<FRAG_POLICY>unknown</FRAG_POLICY>'\r
-deleted -> attribute_table: '<STREAM_POLICY>noack</STREAM_POLICY>'\r
-deleted -> attribute_table: '<STREAM_POLICY>unknown</STREAM_POLICY>'\r
-deleted -> config ' cs_dir'\r
-deleted -> config ' decode_data_link'\r
-deleted -> config ' disable_attribute_reload_thread'\r
-deleted -> config ' disable_decode_alerts'\r
-deleted -> config ' disable_decode_drops'\r
-deleted -> config ' disable_inline_init_failopen'\r
-deleted -> config ' disable_ipopt_alerts'\r
-deleted -> config ' disable_ipopt_drops'\r
-deleted -> config ' disable_tcpopt_alerts'\r
-deleted -> config ' disable_tcpopt_drops'\r
-deleted -> config ' disable_tcpopt_experimental_alerts'\r
-deleted -> config ' disable_tcpopt_experimental_drops'\r
-deleted -> config ' disable_tcpopt_obsolete_alerts'\r
-deleted -> config ' disable_tcpopt_obsolete_drops'\r
-deleted -> config ' disable_tcpopt_ttcp_alerts'\r
-deleted -> config ' disable_ttcp_alerts'\r
-deleted -> config ' disable_ttcp_drops'\r
-deleted -> config ' dump_dynamic_rules_path'\r
-deleted -> config ' enable_decode_drops'\r
-deleted -> config ' enable_decode_oversized_alerts'\r
-deleted -> config ' enable_decode_oversized_drops'\r
-deleted -> config ' enable_gtp'\r
-deleted -> config ' enable_ipopt_drops'\r
-deleted -> config ' enable_tcpopt_drops'\r
-deleted -> config ' enable_tcpopt_experimental_drops'\r
-deleted -> config ' enable_tcpopt_obsolete_drops'\r
-deleted -> config ' enable_tcpopt_ttcp_drops'\r
-deleted -> config ' enable_ttcp_drops'\r
-deleted -> config ' flexresp2_attempts'\r
-deleted -> config ' flexresp2_interface'\r
-deleted -> config ' flexresp2_memcap'\r
-deleted -> config ' flexresp2_rows'\r
-deleted -> config ' flowbits_size'\r
-deleted -> config ' include_vlan_in_alerts'\r
-deleted -> config ' interface'\r
-deleted -> config ' layer2resets'\r
-deleted -> config ' log_ipv6_extra_data'\r
-deleted -> config ' no_promisc'\r
-deleted -> config ' nolog'\r
-deleted -> config ' protected_content'\r
-deleted -> config ' sidechannel'\r
-deleted -> config ' so_rule_memcap'\r
-deleted -> config 'dynamicoutput'\r
-deleted -> config 'sfalert_unified2'\r
-deleted -> config 'sflog_unified2'\r
-deleted -> config 'sidechannel'\r
-deleted -> csv: '<filename> can no longer be specific'\r
-deleted -> csv: 'default'\r
-deleted -> csv: 'trheader'\r
-deleted -> detection: 'mwm'\r
-deleted -> dnp3: 'disabled'\r
-deleted -> dnp3: 'memcap'\r
-deleted -> dns: 'enable_experimental_types'\r
-deleted -> dns: 'enable_obsolete_types'\r
-deleted -> dns: 'enable_rdata_overflow'\r
-deleted -> event_trace: 'file'\r
-deleted -> fast: '<filename> can no longer be specific'\r
-deleted -> frag3_engine: 'detect_anomalies'\r
-deleted -> frag3_global: 'disabled'\r
-deleted -> ftp_telnet_protocol: 'detect_anomalies'\r
-deleted -> full: '<filename> can no longer be specific'\r
-deleted -> http_inspect: 'detect_anomalous_servers'\r
-deleted -> http_inspect: 'disabled'\r
-deleted -> http_inspect: 'proxy_alert'\r
-deleted -> http_inspect_server: 'allow_proxy_use'\r
-deleted -> http_inspect_server: 'enable_cookie'\r
-deleted -> http_inspect_server: 'enable_xff'\r
-deleted -> http_inspect_server: 'extended_ascii_uri'\r
-deleted -> http_inspect_server: 'extended_response_inspection'\r
-deleted -> http_inspect_server: 'iis_unicode_map not allowed in sever'\r
-deleted -> http_inspect_server: 'inspect_uri_only'\r
-deleted -> http_inspect_server: 'log_hostname'\r
-deleted -> http_inspect_server: 'log_uri'\r
-deleted -> http_inspect_server: 'no_alerts'\r
-deleted -> http_inspect_server: 'no_pipeline_req'\r
-deleted -> http_inspect_server: 'non_strict'\r
-deleted -> http_inspect_server: 'normalize_cookies'\r
-deleted -> http_inspect_server: 'normalize_headers'\r
-deleted -> http_inspect_server: 'small_chunk_length'\r
-deleted -> http_inspect_server: 'tab_uri_delimiter'\r
-deleted -> http_inspect_server: 'unlimited_decompress'\r
-deleted -> imap: 'disabled'\r
-deleted -> imap: 'max_mime_mem'\r
-deleted -> imap: 'memcap'\r
-deleted -> nap_selector: 'fw_required'\r
-deleted -> nap_selector: 'nap_stats_time'\r
-deleted -> perfmonitor: 'accumulate'\r
-deleted -> perfmonitor: 'atexitonly'\r
-deleted -> perfmonitor: 'atexitonly: base-stats'\r
-deleted -> perfmonitor: 'atexitonly: events-stats'\r
-deleted -> perfmonitor: 'atexitonly: flow-ip-stats'\r
-deleted -> perfmonitor: 'atexitonly: flow-stats'\r
-deleted -> perfmonitor: 'atexitonly: reset'\r
-deleted -> perfmonitor: 'events'\r
-deleted -> perfmonitor: 'max'\r
-deleted -> pop: 'disabled'\r
-deleted -> pop: 'max_mime_mem'\r
-deleted -> pop: 'memcap'\r
-deleted -> ppm: 'debug-pkts'\r
-deleted -> reputation: 'shared_max_instances'\r
-deleted -> reputation: 'shared_refresh'\r
-deleted -> rpc_decode: 'alert_fragments'\r
-deleted -> rpc_decode: 'no_alert_incomplete'\r
-deleted -> rpc_decode: 'no_alert_large_fragments'\r
-deleted -> rpc_decode: 'no_alert_multiple_requests'\r
-deleted -> sfportscan: 'detect_ack_scans'\r
-deleted -> sfportscan: 'disabled'\r
-deleted -> sfportscan: 'logfile'\r
-deleted -> sfportscan: 'sense_level'\r
-deleted -> sfunified2: 'mpls_event_types'\r
-deleted -> sfunified2: 'vlan_event_types'\r
-deleted -> sip: 'disabled'\r
-deleted -> sip: 'max_sessions'\r
-deleted -> smtp: 'alert_unknown_cmds'\r
-deleted -> smtp: 'disabled'\r
-deleted -> smtp: 'enable_mime_decoding'\r
-deleted -> smtp: 'inspection_type'\r
-deleted -> smtp: 'max_mime_depth'\r
-deleted -> smtp: 'max_mime_mem'\r
-deleted -> smtp: 'memcap'\r
-deleted -> smtp: 'no_alerts'\r
-deleted -> smtp: 'print_cmds'\r
-deleted -> ssh: 'autodetect'\r
-deleted -> ssh: 'enable_badmsgdir'\r
-deleted -> ssh: 'enable_paysize'\r
-deleted -> ssh: 'enable_protomismatch'\r
-deleted -> ssh: 'enable_recognition'\r
-deleted -> ssh: 'enable_respoverflow'\r
-deleted -> ssh: 'enable_srvoverflow'\r
-deleted -> ssh: 'enable_ssh1crc32'\r
-deleted -> ssl: 'noinspect_encrypted'\r
-deleted -> stream5_global: 'disabled'\r
-deleted -> stream5_global: 'flush_on_alert'\r
-deleted -> stream5_global: 'memcap'\r
-deleted -> stream5_global: 'no_midstream_drop_alerts'\r
-deleted -> stream5_tcp: 'check_session_hijacking'\r
-deleted -> stream5_tcp: 'detect_anomalies'\r
-deleted -> stream5_tcp: 'dont_store_large_packets'\r
-deleted -> stream5_tcp: 'ignore_any_rules'\r
-deleted -> stream5_tcp: 'log_asymmetric_traffic'\r
-deleted -> stream5_tcp: 'policy noack'\r
-deleted -> stream5_tcp: 'policy unknown'\r
-deleted -> stream5_udp: 'ignore_any_rules'\r
-deleted -> tcpdump: '<filename> can no longer be specific'\r
-deleted -> test: 'file'\r
-deleted -> test: 'stdout'\r
-deleted -> unified2: 'filename'\r
-deleted -> unified2: 'mpls_event_types'\r
-deleted -> unified2: 'vlan_event_types'</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_module_listing">Module Listing</h3>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>ack</strong> (ips_option): rule option to match on TCP ack numbers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>active</strong> (basic): configure responses\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>alert_csv</strong> (logger): output event in csv format\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>alert_ex</strong> (logger): output gid:sid:rev for alerts\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>alert_fast</strong> (logger): output event with brief text format\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>alert_full</strong> (logger): output event with full packet dump\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>alert_json</strong> (logger): output event in json format\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>alert_sfsocket</strong> (logger): output event over socket\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>alert_syslog</strong> (logger): output event to syslog\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>alert_talos</strong> (logger): output event in Talos alert format\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>alert_unixsock</strong> (logger): output event over unix socket\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>alerts</strong> (basic): configure alerts\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid</strong> (inspector): application and service identification\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid_listener</strong> (inspector): log selected published data to appid_listener.log\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appids</strong> (ips_option): detection option for application ids\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>arp</strong> (codec): support for address resolution protocol\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>arp_spoof</strong> (inspector): detect ARP attacks and anomalies\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>asn1</strong> (ips_option): rule option for asn1 detection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>attribute_table</strong> (basic): configure hosts loading\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>auth</strong> (codec): support for IP authentication header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>back_orifice</strong> (inspector): back orifice detection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>base64_decode</strong> (ips_option): rule option to decode base64 data - must be used with base64_data option\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ber_data</strong> (ips_option): rule option to move to the data for a specified BER element\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ber_skip</strong> (ips_option): rule option to skip BER element\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>binder</strong> (inspector): configure processing based on CIDRs, ports, services, etc.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>bufferlen</strong> (ips_option): rule option to check length of current buffer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>byte_extract</strong> (ips_option): rule option to convert data to an integer variable\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>byte_jump</strong> (ips_option): rule option to move the detection cursor\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>byte_math</strong> (ips_option): rule option to perform mathematical operations on extracted value and a specified value or existing variable\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>byte_test</strong> (ips_option): rule option to convert data to integer and compare\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>cip</strong> (inspector): cip inspection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>cip_attribute</strong> (ips_option): detection option to match CIP attribute\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>cip_class</strong> (ips_option): detection option to match CIP class\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>cip_conn_path_class</strong> (ips_option): detection option to match CIP Connection Path Class\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>cip_instance</strong> (ips_option): detection option to match CIP instance\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>cip_req</strong> (ips_option): detection option to match CIP request\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>cip_rsp</strong> (ips_option): detection option to match CIP response\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>cip_service</strong> (ips_option): detection option to match CIP service\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>cip_status</strong> (ips_option): detection option to match CIP response status\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ciscometadata</strong> (codec): support for cisco metadata\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>classifications</strong> (basic): define rule categories with priority\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>classtype</strong> (ips_option): general rule option for rule classification\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>content</strong> (ips_option): payload rule option for basic pattern matching\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>cvs</strong> (ips_option): payload rule option for detecting specific attacks\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>daq</strong> (basic): configure packet acquisition interface\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>data_log</strong> (inspector): log selected published data to data.log\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_http_proxy</strong> (inspector): dce over http inspection - client to/from proxy\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_http_server</strong> (inspector): dce over http inspection - proxy to/from server\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_iface</strong> (ips_option): detection option to check dcerpc interface\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_opnum</strong> (ips_option): detection option to check dcerpc operation number\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb</strong> (inspector): dce over smb inspection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_stub_data</strong> (ips_option): sets the cursor to dcerpc stub data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp</strong> (inspector): dce over tcp inspection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_udp</strong> (inspector): dce over udp inspection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>decode</strong> (basic): general decoder rules\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection</strong> (basic): configure general IPS rule processing parameters\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>detection_filter</strong> (ips_option): rule option to require multiple hits before a rule generates an event\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dnp3</strong> (inspector): dnp3 inspection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dnp3_data</strong> (ips_option): sets the cursor to dnp3 data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dnp3_func</strong> (ips_option): detection option to check DNP3 function code\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dnp3_ind</strong> (ips_option): detection option to check DNP3 indicator flags\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dnp3_obj</strong> (ips_option): detection option to check DNP3 object headers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dns</strong> (inspector): dns inspection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>domain_filter</strong> (inspector): alert on configured HTTP domains\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dpx</strong> (inspector): dynamic inspector example\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dsize</strong> (ips_option): rule option to test payload size\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>eapol</strong> (codec): support for extensible authentication protocol over LAN\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>enable</strong> (ips_option): stub rule option to enable or disable full rule\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>enip_command</strong> (ips_option): detection option to match CIP Enip Command\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>enip_req</strong> (ips_option): detection option to match ENIP Request\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>enip_rsp</strong> (ips_option): detection option to match ENIP response\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>erspan2</strong> (codec): support for encapsulated remote switched port analyzer - type 2\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>erspan3</strong> (codec): support for encapsulated remote switched port analyzer - type 3\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>esp</strong> (codec): support for encapsulating security payload\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>eth</strong> (codec): support for ethernet protocol (DLT 1) (DLT 51)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>event_filter</strong> (basic): configure thresholding of events\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>event_queue</strong> (basic): configure event queue parameters\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>fabricpath</strong> (codec): support for fabricpath\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>file_connector</strong> (connector): implement the file based connector\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>file_data</strong> (ips_option): rule option to set detection cursor to file data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>file_id</strong> (inspector): configure file identification\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>file_log</strong> (inspector): log file event to file.log\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>file_type</strong> (ips_option): rule option to check file type\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>flags</strong> (ips_option): rule option to test TCP control flags\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>flow</strong> (ips_option): rule option to check session properties\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>flowbits</strong> (ips_option): rule option to set and test arbitrary boolean flags\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>fragbits</strong> (ips_option): rule option to test IP frag flags\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>fragoffset</strong> (ips_option): rule option to test IP frag offset\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ftp_client</strong> (inspector): FTP client configuration module for use with ftp_server\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ftp_data</strong> (inspector): FTP data channel handler\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ftp_server</strong> (inspector): main FTP module; ftp_client should also be configured\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>gid</strong> (ips_option): rule option specifying rule generator\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>gre</strong> (codec): support for generic routing encapsulation\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>gtp</strong> (codec): support for general-packet-radio-service tunneling protocol\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>gtp_info</strong> (ips_option): rule option to check gtp info element\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>gtp_inspect</strong> (inspector): gtp control channel inspection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>gtp_type</strong> (ips_option): rule option to check gtp types\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>gtp_version</strong> (ips_option): rule option to check GTP version\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>high_availability</strong> (basic): implement flow tracking high availability\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>host_cache</strong> (basic): global LRU cache of host_tracker data about hosts\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>host_tracker</strong> (basic): configure hosts\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>hosts</strong> (basic): configure hosts\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http2_decoded_header</strong> (ips_option): rule option to set detection cursor to the decoded HTTP/2 header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http2_frame_header</strong> (ips_option): rule option to set detection cursor to the 9-octet HTTP/2 frame header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http2_inspect</strong> (inspector): HTTP/2 inspector\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_client_body</strong> (ips_option): rule option to set the detection cursor to the request body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_cookie</strong> (ips_option): rule option to set the detection cursor to the HTTP cookie\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_header</strong> (ips_option): rule option to set the detection cursor to the normalized headers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_inspect</strong> (inspector): HTTP inspector\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_method</strong> (ips_option): rule option to set the detection cursor to the HTTP request method\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_param</strong> (ips_option): rule option to set the detection cursor to the value of the specified HTTP parameter key which may be in the query or body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_raw_body</strong> (ips_option): rule option to set the detection cursor to the unnormalized message body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_raw_cookie</strong> (ips_option): rule option to set the detection cursor to the unnormalized cookie\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_raw_header</strong> (ips_option): rule option to set the detection cursor to the unnormalized headers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_raw_request</strong> (ips_option): rule option to set the detection cursor to the unnormalized request line\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_raw_status</strong> (ips_option): rule option to set the detection cursor to the unnormalized status line\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_raw_trailer</strong> (ips_option): rule option to set the detection cursor to the unnormalized trailers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_raw_uri</strong> (ips_option): rule option to set the detection cursor to the unnormalized URI\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_stat_code</strong> (ips_option): rule option to set the detection cursor to the HTTP status code\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_stat_msg</strong> (ips_option): rule option to set the detection cursor to the HTTP status message\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_trailer</strong> (ips_option): rule option to set the detection cursor to the normalized trailers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_true_ip</strong> (ips_option): rule option to set the detection cursor to the final client IP address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_uri</strong> (ips_option): rule option to set the detection cursor to the normalized URI buffer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>http_version</strong> (ips_option): rule option to set the detection cursor to the version buffer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>hyperscan</strong> (search_engine): intel hyperscan-based mpse with regex support\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>icmp4</strong> (codec): support for Internet control message protocol v4\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>icmp6</strong> (codec): support for Internet control message protocol v6\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>icmp_id</strong> (ips_option): rule option to check ICMP ID\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>icmp_seq</strong> (ips_option): rule option to check ICMP sequence number\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>icode</strong> (ips_option): rule option to check ICMP code\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>id</strong> (ips_option): rule option to check the IP ID field\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>igmp</strong> (codec): support for Internet group management protocol\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>imap</strong> (inspector): imap inspection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspection</strong> (basic): configure basic inspection policy parameters\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ip_proto</strong> (ips_option): rule option to check the IP protocol number\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ipopts</strong> (ips_option): rule option to check for IP options\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips</strong> (basic): configure IPS rule processing\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ipv4</strong> (codec): support for Internet protocol v4 (DLT 228)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ipv6</strong> (codec): support for Internet protocol v6 (DLT 229)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>isdataat</strong> (ips_option): rule option to check for the presence of payload data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>itype</strong> (ips_option): rule option to check ICMP type\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>latency</strong> (basic): packet and rule latency monitoring and control\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>llc</strong> (codec): support for logical link control\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>log_codecs</strong> (logger): log protocols in packet by layer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>log_hext</strong> (logger): output payload suitable for daq hext\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>log_pcap</strong> (logger): log packet in pcap format\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>md5</strong> (ips_option): payload rule option for hash matching\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>mem_test</strong> (inspector): for testing memory management\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>memory</strong> (basic): memory management configuration\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>metadata</strong> (ips_option): rule option for conveying arbitrary comma-separated name, value data within the rule text\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>modbus</strong> (inspector): modbus inspection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>modbus_data</strong> (ips_option): rule option to set cursor to modbus data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>modbus_func</strong> (ips_option): rule option to check modbus function code\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>modbus_unit</strong> (ips_option): rule option to check Modbus unit ID\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>mpls</strong> (codec): support for multiprotocol label switching\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>msg</strong> (ips_option): rule option summarizing rule purpose output with events\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>mss</strong> (ips_option): detection for TCP maximum segment size\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>network</strong> (basic): configure basic network parameters\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>normalizer</strong> (inspector): packet scrubbing for inline mode\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>output</strong> (basic): configure general output parameters\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>packet_capture</strong> (inspector): raw packet dumping facility\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>packet_tracer</strong> (basic): generate debug trace messages for packets\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>packets</strong> (basic): configure basic packet handling\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>payload_injector</strong> (basic): payload injection utility\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pbb</strong> (codec): support for 802.1ah protocol\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pcre</strong> (ips_option): rule option for matching payload data with pcre\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>perf_monitor</strong> (inspector): performance monitoring and flow statistics collection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pgm</strong> (codec): support for pragmatic general multicast\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pkt_data</strong> (ips_option): rule option to set the detection cursor to the normalized packet data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pkt_num</strong> (ips_option): alert on raw packet number\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pop</strong> (inspector): pop inspection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>port_scan</strong> (inspector): detect various ip, icmp, tcp, and udp port or protocol scans\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>pppoe</strong> (codec): support for point-to-point protocol over ethernet\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>priority</strong> (ips_option): rule option for prioritizing events\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>process</strong> (basic): configure basic process setup\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>profiler</strong> (basic): configure profiling of rules and/or modules\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>rate_filter</strong> (basic): configure rate filters (which change rule actions)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>raw_data</strong> (ips_option): rule option to set the detection cursor to the raw packet data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>react</strong> (ips_action): send response to client and terminate session\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>reference</strong> (ips_option): rule option to indicate relevant attack identification system\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>references</strong> (basic): define reference systems used in rules\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>regex</strong> (ips_option): rule option for matching payload data with hyperscan regex; uses pcre syntax\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>reject</strong> (ips_action): terminate session with TCP reset or ICMP unreachable\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>rem</strong> (ips_option): rule option to convey an arbitrary comment in the rule body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>replace</strong> (ips_option): rule option to overwrite payload data; use with rewrite action\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>reputation</strong> (inspector): reputation inspection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>rev</strong> (ips_option): rule option to indicate current revision of signature\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>rewrite</strong> (ips_action): overwrite packet contents\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>rna</strong> (inspector): Real-time network awareness and OS fingerprinting (experimental)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>rpc</strong> (ips_option): rule option to check SUNRPC CALL parameters\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>rpc_decode</strong> (inspector): RPC inspector\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>rule_state</strong> (basic): enable/disable and set actions for specific IPS rules; deprecated, use rule state stubs with enable instead\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>s7commplus</strong> (inspector): s7commplus inspection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>s7commplus_content</strong> (ips_option): rule option to set cursor to s7commplus content\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>s7commplus_func</strong> (ips_option): rule option to check s7commplus function code\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>s7commplus_opcode</strong> (ips_option): rule option to check s7commplus opcode code\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sd_pattern</strong> (ips_option): rule option for detecting sensitive data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>search_engine</strong> (basic): configure fast pattern matcher\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>seq</strong> (ips_option): rule option to check TCP sequence number\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>service</strong> (ips_option): rule option to specify list of services for grouping rules\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sha256</strong> (ips_option): payload rule option for hash matching\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sha512</strong> (ips_option): payload rule option for hash matching\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sid</strong> (ips_option): rule option to indicate signature number\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>side_channel</strong> (basic): implement the side-channel asynchronous messaging subsystem\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip</strong> (inspector): sip inspection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip_body</strong> (ips_option): rule option to set the detection cursor to the request body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip_header</strong> (ips_option): rule option to set the detection cursor to the SIP header buffer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip_method</strong> (ips_option): detection option for sip stat code\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>sip_stat_code</strong> (ips_option): detection option for sip stat code\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>smtp</strong> (inspector): smtp inspection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>snort</strong> (basic): command line configuration and shell commands\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>so</strong> (ips_option): rule option to call custom eval function\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>so_proxy</strong> (inspector): a proxy inspector to track flow data from SO rules (internal use only)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>soid</strong> (ips_option): rule option to specify a shared object rule ID\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssh</strong> (inspector): ssh inspection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl</strong> (inspector): ssl inspection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl_state</strong> (ips_option): detection option for ssl state\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ssl_version</strong> (ips_option): detection option for ssl version\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream</strong> (inspector): common flow tracking\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_file</strong> (inspector): stream inspector for file flow tracking and processing\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_icmp</strong> (inspector): stream inspector for ICMP flow tracking\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_ip</strong> (inspector): stream inspector for IP flow tracking and defragmentation\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_reassemble</strong> (ips_option): detection option for stream reassembly control\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_size</strong> (ips_option): detection option for stream size checking\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_tcp</strong> (inspector): stream inspector for TCP flow tracking and stream normalization and reassembly\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_udp</strong> (inspector): stream inspector for UDP flow tracking\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream_user</strong> (inspector): stream inspector for user flow tracking and reassembly\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>suppress</strong> (basic): configure event suppressions\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>tag</strong> (ips_option): rule option to log additional packets\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>target</strong> (ips_option): rule option to indicate target of attack\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>tcp</strong> (codec): support for transmission control protocol\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>tcp_connector</strong> (connector): implement the tcp stream connector\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>telnet</strong> (inspector): telnet inspection and normalization\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>token_ring</strong> (codec): support for token ring decoding\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>tos</strong> (ips_option): rule option to check type of service field\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>trace</strong> (basic): configure trace log messages\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ttl</strong> (ips_option): rule option to check time to live field\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>udp</strong> (codec): support for user datagram protocol\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>unified2</strong> (logger): output event and packet in unified2 format file\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>urg</strong> (ips_option): detection for TCP urgent pointer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>vlan</strong> (codec): support for local area network\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>window</strong> (ips_option): rule option to check TCP window field\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>wizard</strong> (inspector): inspector that implements port-independent protocol identification\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>wlan</strong> (codec): support for wireless local area network protocol (DLT 105)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>wscale</strong> (ips_option): detection for TCP window scale\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_plugin_listing">Plugin Listing</h3>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>codec::arp</strong>: support for address resolution protocol\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::auth</strong>: support for IP authentication header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::bad_proto</strong>: bad protocol id\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::ciscometadata</strong>: support for cisco metadata\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::eapol</strong>: support for extensible authentication protocol over LAN\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::erspan2</strong>: support for encapsulated remote switched port analyzer - type 2\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::erspan3</strong>: support for encapsulated remote switched port analyzer - type 3\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::esp</strong>: support for encapsulating security payload\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::eth</strong>: support for ethernet protocol (DLT 1) (DLT 51)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::fabricpath</strong>: support for fabricpath\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::gre</strong>: support for generic routing encapsulation\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::gtp</strong>: support for general-packet-radio-service tunneling protocol\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::icmp4</strong>: support for Internet control message protocol v4\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::icmp4_ip</strong>: support for IP in ICMPv4\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::icmp6</strong>: support for Internet control message protocol v6\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::icmp6_ip</strong>: support for IP in ICMPv6\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::igmp</strong>: support for Internet group management protocol\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::ipv4</strong>: support for Internet protocol v4 (DLT 228)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::ipv6</strong>: support for Internet protocol v6 (DLT 229)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::ipv6_dst_opts</strong>: support for ipv6 destination options\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::ipv6_frag</strong>: support for IPv6 fragment decoding\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::ipv6_hop_opts</strong>: support for IPv6 hop options\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::ipv6_mobility</strong>: support for mobility\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::ipv6_no_next</strong>: sentinel codec\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::ipv6_routing</strong>: support for IPv6 routing extension\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::linux_sll</strong>: support for Linux SLL (DLT 113)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::llc</strong>: support for logical link control\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::mpls</strong>: support for multiprotocol label switching\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::null</strong>: support for null encapsulation (DLT 0)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::pbb</strong>: support for 802.1ah protocol\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::pflog</strong>: support for OpenBSD PF log (DLT 117)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::pgm</strong>: support for pragmatic general multicast\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::ppp</strong>: support for point-to-point encapsulation (DLT 9)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::ppp_encap</strong>: support for point-to-point encapsulation\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::pppoe_disc</strong>: support for point-to-point discovery\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::pppoe_sess</strong>: support for point-to-point session\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::raw</strong>: support for raw IP (DLT 12)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::slip</strong>: support for slip protocol (DLT 8)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::tcp</strong>: support for transmission control protocol\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::teredo</strong>: support for teredo\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::token_ring</strong>: support for token ring decoding\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::trans_bridge</strong>: support for trans-bridging\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::udp</strong>: support for user datagram protocol\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::user</strong>: support for user sessions (DLT 230)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::vlan</strong>: support for local area network\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::vxlan</strong>: support for Virtual Extensible LAN\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::wlan</strong>: support for wireless local area network protocol (DLT 105)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>connector::file_connector</strong>: implement the file based connector\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>connector::tcp_connector</strong>: implement the tcp stream connector\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::appid</strong>: application and service identification\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::appid_listener</strong>: log selected published data to appid_listener.log\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::arp_spoof</strong>: detect ARP attacks and anomalies\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::back_orifice</strong>: back orifice detection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::binder</strong>: configure processing based on CIDRs, ports, services, etc.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::cip</strong>: cip inspection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::data_log</strong>: log selected published data to data.log\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::dce_http_proxy</strong>: dce over http inspection - client to/from proxy\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::dce_http_server</strong>: dce over http inspection - proxy to/from server\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::dce_smb</strong>: dce over smb inspection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::dce_tcp</strong>: dce over tcp inspection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::dce_udp</strong>: dce over udp inspection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::dnp3</strong>: dnp3 inspection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::dns</strong>: dns inspection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::domain_filter</strong>: alert on configured HTTP domains\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::dpx</strong>: dynamic inspector example\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::file_id</strong>: configure file identification\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::file_log</strong>: log file event to file.log\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::ftp_client</strong>: FTP inspector client module\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::ftp_data</strong>: FTP data channel handler\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::ftp_server</strong>: FTP inspector server module\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::gtp_inspect</strong>: gtp control channel inspection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::http2_inspect</strong>: the HTTP/2 inspector\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::http_inspect</strong>: the new HTTP inspector!\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::imap</strong>: imap inspection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::mem_test</strong>: for testing memory management\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::modbus</strong>: modbus inspection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::normalizer</strong>: packet scrubbing for inline mode\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::packet_capture</strong>: raw packet dumping facility\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::perf_monitor</strong>: performance monitoring and flow statistics collection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::pop</strong>: pop inspection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::port_scan</strong>: detect various ip, icmp, tcp, and udp port or protocol scans\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::reputation</strong>: reputation inspection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::rna</strong>: Real-time network awareness and OS fingerprinting (experimental)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::rpc_decode</strong>: RPC inspector\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::s7commplus</strong>: s7commplus inspection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::sip</strong>: sip inspection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::smtp</strong>: smtp inspection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::so_proxy</strong>: a proxy inspector to track flow data from SO rules (internal use only)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::ssh</strong>: ssh inspection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::ssl</strong>: ssl inspection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::stream</strong>: common flow tracking\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::stream_file</strong>: stream inspector for file flow tracking and processing\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::stream_icmp</strong>: stream inspector for ICMP flow tracking\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::stream_ip</strong>: stream inspector for IP flow tracking and defragmentation\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::stream_tcp</strong>: stream inspector for TCP flow tracking and stream normalization and reassembly\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::stream_udp</strong>: stream inspector for UDP flow tracking\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::stream_user</strong>: stream inspector for user flow tracking and reassembly\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::telnet</strong>: telnet inspection and normalization\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>inspector::wizard</strong>: inspector that implements port-independent protocol identification\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_action::react</strong>: send response to client and terminate session\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_action::reject</strong>: terminate session with TCP reset or ICMP unreachable\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_action::rewrite</strong>: overwrite packet contents\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::ack</strong>: rule option to match on TCP ack numbers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::appids</strong>: detection option for application ids\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::asn1</strong>: rule option for asn1 detection\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::base64_data</strong>: set detection cursor to decoded Base64 data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::base64_decode</strong>: rule option to decode base64 data - must be used with base64_data option\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::ber_data</strong>: rule option to move to the data for a specified BER element\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::ber_skip</strong>: rule option to skip BER element\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::bufferlen</strong>: rule option to check length of current buffer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::byte_extract</strong>: rule option to convert data to an integer variable\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::byte_jump</strong>: rule option to move the detection cursor\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::byte_math</strong>: rule option to perform mathematical operations on extracted value and a specified value or existing variable\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::byte_test</strong>: rule option to convert data to integer and compare\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::cip_attribute</strong>: detection option to match CIP attribute\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::cip_class</strong>: detection option to match CIP class\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::cip_conn_path_class</strong>: detection option to match CIP Connection Path Class\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::cip_instance</strong>: detection option to match CIP instance\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::cip_req</strong>: detection option to match CIP request\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::cip_rsp</strong>: detection option to match CIP response\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::cip_service</strong>: detection option to match CIP service\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::cip_status</strong>: detection option to match CIP response status\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::classtype</strong>: general rule option for rule classification\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::content</strong>: payload rule option for basic pattern matching\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::cvs</strong>: payload rule option for detecting specific attacks\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::dce_iface</strong>: detection option to check dcerpc interface\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::dce_opnum</strong>: detection option to check dcerpc operation number\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::dce_stub_data</strong>: sets the cursor to dcerpc stub data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::detection_filter</strong>: rule option to require multiple hits before a rule generates an event\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::dnp3_data</strong>: sets the cursor to dnp3 data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::dnp3_func</strong>: detection option to check DNP3 function code\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::dnp3_ind</strong>: detection option to check DNP3 indicator flags\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::dnp3_obj</strong>: detection option to check DNP3 object headers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::dsize</strong>: rule option to test payload size\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::enable</strong>: stub rule option to enable or disable full rule\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::enip_command</strong>: detection option to match CIP Enip Command\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::enip_req</strong>: detection option to match ENIP Request\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::enip_rsp</strong>: detection option to match ENIP response\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::file_data</strong>: rule option to set detection cursor to file data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::file_type</strong>: rule option to check file type\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::flags</strong>: rule option to test TCP control flags\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::flow</strong>: rule option to check session properties\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::flowbits</strong>: rule option to set and test arbitrary boolean flags\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::fragbits</strong>: rule option to test IP frag flags\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::fragoffset</strong>: rule option to test IP frag offset\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::gid</strong>: rule option specifying rule generator\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::gtp_info</strong>: rule option to check gtp info element\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::gtp_type</strong>: rule option to check gtp types\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::gtp_version</strong>: rule option to check GTP version\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::http2_decoded_header</strong>: rule option to set detection cursor to the decoded HTTP/2 header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::http2_frame_header</strong>: rule option to set detection cursor to the 9-octet HTTP/2 frame header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::http_client_body</strong>: rule option to set the detection cursor to the request body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::http_cookie</strong>: rule option to set the detection cursor to the HTTP cookie\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::http_header</strong>: rule option to set the detection cursor to the normalized headers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::http_method</strong>: rule option to set the detection cursor to the HTTP request method\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::http_param</strong>: rule option to set the detection cursor to the value of the specified HTTP parameter key which may be in the query or body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::http_raw_body</strong>: rule option to set the detection cursor to the unnormalized message body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::http_raw_cookie</strong>: rule option to set the detection cursor to the unnormalized cookie\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::http_raw_header</strong>: rule option to set the detection cursor to the unnormalized headers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::http_raw_request</strong>: rule option to set the detection cursor to the unnormalized request line\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::http_raw_status</strong>: rule option to set the detection cursor to the unnormalized status line\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::http_raw_trailer</strong>: rule option to set the detection cursor to the unnormalized trailers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::http_raw_uri</strong>: rule option to set the detection cursor to the unnormalized URI\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::http_stat_code</strong>: rule option to set the detection cursor to the HTTP status code\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::http_stat_msg</strong>: rule option to set the detection cursor to the HTTP status message\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::http_trailer</strong>: rule option to set the detection cursor to the normalized trailers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::http_true_ip</strong>: rule option to set the detection cursor to the final client IP address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::http_uri</strong>: rule option to set the detection cursor to the normalized URI buffer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::http_version</strong>: rule option to set the detection cursor to the version buffer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::icmp_id</strong>: rule option to check ICMP ID\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::icmp_seq</strong>: rule option to check ICMP sequence number\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::icode</strong>: rule option to check ICMP code\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::id</strong>: rule option to check the IP ID field\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::ip_proto</strong>: rule option to check the IP protocol number\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::ipopts</strong>: rule option to check for IP options\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::isdataat</strong>: rule option to check for the presence of payload data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::itype</strong>: rule option to check ICMP type\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::md5</strong>: payload rule option for hash matching\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::metadata</strong>: rule option for conveying arbitrary comma-separated name, value data within the rule text\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::modbus_data</strong>: rule option to set cursor to modbus data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::modbus_func</strong>: rule option to check modbus function code\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::modbus_unit</strong>: rule option to check Modbus unit ID\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::msg</strong>: rule option summarizing rule purpose output with events\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::mss</strong>: detection for TCP maximum segment size\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::pcre</strong>: rule option for matching payload data with pcre\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::pkt_data</strong>: rule option to set the detection cursor to the normalized packet data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::pkt_num</strong>: alert on raw packet number\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::priority</strong>: rule option for prioritizing events\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::raw_data</strong>: rule option to set the detection cursor to the raw packet data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::reference</strong>: rule option to indicate relevant attack identification system\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::regex</strong>: rule option for matching payload data with hyperscan regex; uses pcre syntax\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::rem</strong>: rule option to convey an arbitrary comment in the rule body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::replace</strong>: rule option to overwrite payload data; use with rewrite action\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::rev</strong>: rule option to indicate current revision of signature\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::rpc</strong>: rule option to check SUNRPC CALL parameters\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::s7commplus_content</strong>: rule option to set cursor to s7commplus content\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::s7commplus_func</strong>: rule option to check s7commplus function code\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::s7commplus_opcode</strong>: rule option to check s7commplus opcode code\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::sd_pattern</strong>: rule option for detecting sensitive data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::seq</strong>: rule option to check TCP sequence number\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::service</strong>: rule option to specify list of services for grouping rules\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::sha256</strong>: payload rule option for hash matching\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::sha512</strong>: payload rule option for hash matching\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::sid</strong>: rule option to indicate signature number\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::sip_body</strong>: rule option to set the detection cursor to the request body\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::sip_header</strong>: rule option to set the detection cursor to the SIP header buffer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::sip_method</strong>: detection option for sip stat code\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::sip_stat_code</strong>: detection option for sip stat code\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::so</strong>: rule option to call custom eval function\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::soid</strong>: rule option to specify a shared object rule ID\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::ssl_state</strong>: detection option for ssl state\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::ssl_version</strong>: detection option for ssl version\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::stream_reassemble</strong>: detection option for stream reassembly control\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::stream_size</strong>: detection option for stream size checking\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::tag</strong>: rule option to log additional packets\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::target</strong>: rule option to indicate target of attack\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::tos</strong>: rule option to check type of service field\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::ttl</strong>: rule option to check time to live field\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::urg</strong>: detection for TCP urgent pointer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::window</strong>: rule option to check TCP window field\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>ips_option::wscale</strong>: detection for TCP window scale\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>logger::alert_csv</strong>: output event in csv format\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>logger::alert_ex</strong>: output gid:sid:rev for alerts\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>logger::alert_fast</strong>: output event with brief text format\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>logger::alert_full</strong>: output event with full packet dump\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>logger::alert_json</strong>: output event in json format\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>logger::alert_sfsocket</strong>: output event over socket\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>logger::alert_syslog</strong>: output event to syslog\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>logger::alert_talos</strong>: output event in Talos alert format\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>logger::alert_unixsock</strong>: output event over unix socket\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>logger::log_codecs</strong>: log protocols in packet by layer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>logger::log_hext</strong>: output payload suitable for daq hext\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>logger::log_null</strong>: disable logging of packets\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>logger::log_pcap</strong>: log packet in pcap format\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>logger::unified2</strong>: output event and packet in unified2 format file\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>search_engine::ac_banded</strong>: Aho-Corasick Banded (high memory, moderate performance)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>search_engine::ac_bnfa</strong>: Aho-Corasick Binary NFA (low memory, high performance) MPSE\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>search_engine::ac_full</strong>: Aho-Corasick Full (high memory, best performance), implements search_all()\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>search_engine::ac_sparse</strong>: Aho-Corasick Sparse (high memory, moderate performance) MPSE\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>search_engine::ac_sparse_bands</strong>: Aho-Corasick Sparse-Banded (high memory, moderate performance) MPSE\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>search_engine::ac_std</strong>: Aho-Corasick Full (high memory, best performance) MPSE\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>search_engine::hyperscan</strong>: intel hyperscan-based mpse with regex support\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>search_engine::lowmem</strong>: Keyword Trie (low memory, moderate performance) MPSE\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>so_rule::3|18758</strong>: SO rule example\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
-<h3 id="_limitations">Limitations</h3>\r
-<div class="sect3">\r
-<h4 id="_reload_limitations">Reload limitations</h4>\r
-<div class="paragraph"><p>The following parameters can’t be changed during reload, and require a restart:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-active.attempts\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-active.device\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-alerts.detection_filter_memcap\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-alerts.event_filter_memcap\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-alerts.rate_filter_memcap\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-attribute_table.max_hosts\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-attribute_table.max_services_per_host\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-daq.snaplen\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-detection.asn1\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-file_id.max_files_cached\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-process.chroot\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-process.daemon\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-process.set_gid\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-process.set_uid\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-snort.--bpf\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-snort.-l\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>In addition, the following scenarios require a restart:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-Enabling file capture for the first time\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Changing file_id.capture_memcap if file capture was previously or currently\r
- enabled\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Changing file_id.capture_block_size if file capture was previously or\r
- currently enabled\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Adding/removing stream_* inspectors if stream was already configured\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>In all of these cases reload will fail with the following message: "reload\r
- failed - restart required". The original config will remain in use.</p></div>\r
-</div>\r
-</div>\r
-</div>\r
-</div>\r
-</div>\r
-<div id="footnotes"><hr /></div>\r
-<div id="footer">\r
-<div id="footer-text">\r
-Last updated\r
- 2020-07-15 08:52:02 EDT\r
-</div>\r
-</div>\r
-</body>\r
-</html>\r
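Review bot: two sections deleted here have no visible replacement in this patch, the "Plugin Listing" (`<h3 id="_plugin_listing">`) and the "Reload limitations" subsection under "Limitations", and the table of contents of the new text manual added below lists no module or plugin reference chapters (its chapter 6 is "DAQ Configuration and Modules"), so confirm both sections are carried into whichever document now holds the module reference; otherwise the restart-required parameter list (active.attempts through snort.-l, plus the file_id capture and stream_* cases with the "reload failed - restart required" behaviour) drops out of the documentation. Since the listing is generated from plugin help strings, the copy-paste errors it exposes should be fixed in the plugin sources rather than in any regenerated document: `ips_option::sip_method` is described as "detection option for sip stat code" (same text as `sip_stat_code`), `ips_option::s7commplus_opcode` as "rule option to check s7commplus opcode code", and `codec::vlan` as "support for local area network" with "virtual" missing.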
--- /dev/null
+
+---------------------------------------------------------------------
+
+Snort 3 User Manual
+
+---------------------------------------------------------------------
+
+The Snort Team
+
+Revision History
+Revision 3.0.2 (Build 2) 2020-07-23 11:19:59 EDT TST
+
+---------------------------------------------------------------------
+
+Table of Contents
+
+1. Overview
+
+ 1.1. First Steps
+ 1.2. Configuration
+ 1.3. Output
+
+2. Concepts
+
+ 2.1. Terminology
+ 2.2. Modules
+ 2.3. Parameters
+ 2.4. Plugins
+ 2.5. Operation
+ 2.6. Rules
+ 2.7. Pattern Matching
+
+3. Tutorial
+
+ 3.1. Dependencies
+ 3.2. Building
+ 3.3. Running
+ 3.4. Tips
+ 3.5. Common Errors
+ 3.6. Gotchas
+ 3.7. Known Issues
+
+4. Usage
+
+ 4.1. Help
+ 4.2. Sniffing and Logging
+ 4.3. Configuration
+ 4.4. IDS mode
+ 4.5. Plugins
+ 4.6. Output Files
+ 4.7. DAQ Alternatives
+ 4.8. Logger Alternatives
+ 4.9. Shell
+ 4.10. Signals
+
+5. Features
+
+ 5.1. Active Response
+ 5.2. AppId
+ 5.3. Binder
+ 5.4. Byte rule options
+ 5.5. DCE Inspectors
+ 5.6. File Processing
+ 5.7. High Availability
+ 5.8. FTP
+ 5.9. HTTP Inspector
+ 5.10. HTTP/2 Inspector
+ 5.11. Performance Monitor
+ 5.12. POP and IMAP
+ 5.13. Port Scan
+ 5.14. Sensitive Data Filtering
+ 5.15. SMTP
+ 5.16. Telnet
+ 5.17. Trace
+ 5.18. Wizard
+
+6. DAQ Configuration and Modules
+
+ 6.1. Building the DAQ Library and Its Bundled DAQ Modules
+ 6.2. Configuration
+ 6.3. Interaction With Multiple Packet Threads
+ 6.4. DAQ Modules Included With Snort 3
+
+Snorty
+
+---------------------------------------------------------------------
+
+1. Overview
+
+---------------------------------------------------------------------
+
+Snort 3.0 is an updated version of the Snort Intrusion Prevention
+System (IPS) which features a new design that provides a superset of
+Snort 2.X functionality with better throughput, detection,
+scalability, and usability. Some of the key features of Snort 3.0
+are:
+
+ * Support multiple packet processing threads
+ * Use a shared configuration and attribute table
+ * Autodetect services for portless configuration
+ * Modular design
+ * Plugin framework with over 200 plugins
+ * More scalable memory profile
+ * LuaJIT configuration, loggers, and rule options
+ * Hyperscan support
+ * Rewritten TCP handling
+ * New rule parser and syntax
+ * Service rules like alert http
+ * Rule "sticky" buffers
+ * Way better SO rules
+ * New HTTP inspector
+ * New performance monitor
+ * New time and space profiling
+ * New latency monitoring and enforcement
+ * Piglets to facilitate component testing
+ * Inspection Events
+ * Automake and Cmake
+ * Autogenerate reference documentation
+
+Additional features are on the road map:
+
+ * Use a shared network map
+ * Support hardware offload for fast pattern acceleration
+ * Provide support for DPDK and ODP
+ * Support pipelining of packet processing
+ * Support proxy mode
+ * Multi-tennant support
+ * Incremental reload
+ * New serialization of perf data and events
+ * Enhanced rule processing
+ * Windows support
+ * Anomaly detection
+ * and more!
+
+The remainder of this section provides a high level survey of the
+inputs, processing, and outputs available with Snort 3.0.
+
+Snort++ is the project that is creating Snort 3.0. In this manual
+"Snort" or "Snort 3" refers to the 3.0 version and earlier versions
+will be referred to as "Snort 2" where the distinction is relevant.
+
+
+1.1. First Steps
+
+--------------
+
+Snort can be configured to perform complex packet processing and deep
+packet inspection but it is best start simply and work up to more
+interesting tasks. Snort won’t do anything you didn’t specifically
+ask it to do so it is safe to just try things out and see what
+happens. Let’s start by just running Snort with no arguments:
+
+$ snort
+
+That will output usage information including some basic help
+commands. You should run all of these commands now to see what is
+available:
+
+$ snort -V
+$ snort -?
+$ snort --help
+
+Note that Snort has extensive command line help available so if
+anything below isn’t clear, there is probably a way to get the exact
+information you need from the command line.
+
+Now let’s examine the packets in a capture file (pcap):
+
+$ snort -r a.pcap
+
+Snort will decode and count the packets in the file and output some
+statistics. Note that the output excludes non-zero numbers so it is
+easy to see what is there.
+
+You may have noticed that there are command line options to limit the
+number of packets examined or set a filter to select particular
+packets. Now is a good time to experiment with those options.
+
+If you want to see details on each packet, you can dump the packets
+to console like this:
+
+$ snort -r a.pcap -L dump
+
+Add the -d option to see the TCP and UDP payload. Now let’s switch to
+live traffic. Replace eth0 in the below command with an available
+network interface:
+
+$ snort -i eth0 -L dump
+
+Unless the interface is taken down, Snort will just keep running, so
+enter Control-C to terminate or use the -n option to limit the number
+of packets.
+
+Generally it is better to capture the packets for later analysis like
+this:
+
+$ snort -i eth0 -L pcap -n 10
+
+Snort will write 10 packets to log.pcap.# where # is a timestamp
+value. You can read these back with -r and dump to console or pcap
+with -L. You get the idea.
+
+Note that you can do similar things with other tools like tcpdump or
+Wireshark however these commands are very useful when you want to
+check your Snort setup.
+
+The examples above use the default pcap DAQ. Snort supports non-pcap
+interfaces as well via the DAQ (data acquisition) library. Other DAQs
+provide additional functionality such as inline operation and/or
+higher performance. There are even DAQs that support raw file
+processing (ie without packets), socket processing, and plain text
+packets. To load external DAQ libraries and see available DAQs or
+select a particular DAQ use one of these commands:
+
+$ snort --daq-dir <path> --daq-list
+$ snort --daq-dir <path> --daq <type>
+
+Be sure to put the --daq-dir option ahead of the --daq-list option or
+the external DAQs won’t appear in the list.
+
+To leverage intrusion detection features of Snort you will need to
+provide some configuration details. The next section breaks down what
+must be done.
+
+
+1.2. Configuration
+
+--------------
+
+Effective configuration of Snort is done via the environment, command
+line, a Lua configuration file, and a set of rules.
+
+Note that backwards compatibility with Snort 2 was sacrificed to
+obtain new and improved functionality. While Snort 3 leverages some
+of the Snort 2 code base, a lot has changed. The configuration of
+Snort 3 is done with Lua, so your old conf won’t work as is. Rules
+are still text based but with syntax tweaks, so your 2.X rules must
+be fixed up. However, snort2lua will help you convert your conf and
+rules to the new format.
+
+1.2.1. Command Line
+
+A simple command line might look like this:
+
+snort -c snort.lua -R cool.rules -r some.pcap -A cmg
+
+To understand what that does, you can start by just running snort
+with no arguments by running snort --help. Help for all configuration
+and rule options is available via a suitable command line. In this
+case:
+
+-c snort.lua is the main configuration file. This is a Lua script
+that is executed when loaded.
+
+-R cool.rules contains some detection rules. You can write your own
+or obtain them from Talos (native 3.0 rules are not yet available
+from Talos so you must convert them with snort2lua). You can also put
+your rules directly in your configuration file.
+
+-r some.pcap tells Snort to read network traffic from the given
+packet capture file. You could instead use -i eth0 to read from a
+live interface. There many other options available too depending on
+the DAQ you use.
+
+-A cmg says to output intrusion events in "cmg" format, which has
+basic header details followed by the payload in hex and text.
+
+Note that you add to and/or override anything in your configuration
+file by using the --lua command line option. For example:
+
+--lua 'ips = { enable_builtin_rules = true }'
+
+will load the built-in decoder and inspector rules. In this case, ips
+is overwritten with the config you see above. If you just want to
+change the config given in your configuration file you would do it
+like this:
+
+--lua 'ips.enable_builtin_rules = true'
+
+1.2.2. Configuration File
+
+The configuration file gives you complete control over how Snort
+processes packets. Start with the default snort.lua included in the
+distribution because that contains some key ingredients. Note that
+most of the configurations look like:
+
+stream = { }
+
+This means enable the stream module using internal defaults. To see
+what those are, you could run:
+
+snort --help-config stream
+
+Snort is organized into a collection of builtin and plugin modules.
+If a module has parameters, it is configured by a Lua table of the
+same name. For example, we can see what the active module has to
+offer with this command:
+
+$ snort --help-module active
+
+What: configure responses
+
+Type: basic
+
+Configuration:
+
+int active.attempts = 0: number of TCP packets sent per response (with
+varying sequence numbers) { 0:20 }
+
+string active.device: use 'ip' for network layer responses or 'eth0' etc
+for link layer
+
+string active.dst_mac: use format '01:23:45:67:89:ab'
+
+int active.max_responses = 0: maximum number of responses { 0: }
+
+int active.min_interval = 255: minimum number of seconds between
+responses { 1: }
+
+This says active is a basic module that has several parameters. For
+each, you will see:
+
+type module.name = default: help { range }
+
+For example, the active module has a max_responses parameter that
+takes non-negative integer values and defaults to zero. We can change
+that in Lua as follows:
+
+active = { max_responses = 1 }
+
+or:
+
+active = { }
+active.max_responses = 1
+
+If we also wanted to limit retries to at least 5 seconds, we could
+do:
+
+active = { max_responses = 1, min_interval = 5 }
+
+1.2.3. Whitelist
+
+When Snort is run with the --warn-conf-strict option, warnings will
+be generated for all Lua tables present in the configuration files
+that do not map to Snort module names. Like with other warnings,
+these will upgraded to errors when Snort is run in pedantic mode.
+
+To dynamically add exceptions that should bypass this strict
+validation, two Lua functions are made available to be called during
+the evaluation of Snort configuration files: snort_whitelist_append()
+and snort_whitelist_add_prefix(). Each function takes a
+whitespace-delimited list, the former a list of exact table names and
+the latter a list of table name prefixes to allow.
+
+Examples: snort_whitelist_append("table1 table2")
+snort_whitelist_add_prefix("local_ foobar_")
+
+The accumulated contents of the whitelist (both exact and prefix)
+will be dumped when Snort is run in verbose mode (-v).
+
+1.2.4. Rules
+
+Rules determine what Snort is looking for. They can be put directly
+in your Lua configuration file with the ips module, on the command
+line with --lua, or in external files. Generally you will have many
+rules obtained from various sources such as Talos and loading
+external files is the way to go so we will summarize that here. Add
+this to your Lua configuration:
+
+ips = { include = 'rules.txt' }
+
+to load the external rules file named rules.txt. You can only specify
+one file this way but rules files can include other rules files with
+the include statement. In addition you can load rules like:
+
+$ sort -c snort.lua -R rules.txt
+
+You can use both approaches together.
+
+1.2.5. Includes
+
+Your configuration file file may include other files, either directly
+via Lua or via various parameters. Snort will find relative includes
+in the following order:
+
+ 1. If you specify --include-path, this directory will be tried
+ first.
+ 2. Snort will try the directory containing the including file.
+ 3. Snort will try the directory containing the -c configuration
+ file.
+
+Some things to keep in mind:
+
+ * If you use the Lua dofile function, then you must specify
+ absolute paths or paths relative to your working directory since
+ Lua will execute the include before Snort sees the file contents.
+ * For best results, use include in place of dofile. This function
+ is provided to follow Snort’s include logic.
+ * As of now, appid and reputation paths must be absolute or
+ relative to the working directory. These will be updated in a
+ future release.
+
+1.2.6. Converting Your 2.X Configuration
+
+If you have a working 2.X configuration snort2lua makes it easy to
+get up and running with Snort 3. This tool will convert your
+configuration and/or rules files automatically. You will want to
+clean up the results and double check that it is doing exactly what
+you need.
+
+snort2lua -c snort.conf
+
+The above command will generate snort.lua based on your 2.X
+configuration. For more information and options for more
+sophisticated use cases, see the Snort2Lua section later in the
+manual.
+
+
+1.3. Output
+
+--------------
+
+Snort can produce quite a lot of data. In the following we will
+summarize the key aspects of the core output types. Additional data
+such as from appid is covered later.
+
+1.3.1. Basic Statistics
+
+At shutdown, Snort will output various counts depending on
+configuration and the traffic processed. Generally, you may see:
+
+ * Packet Statistics - this includes data from the DAQ and decoders
+ such as the number of packets received and number of UDP packets.
+ * Module Statistics - each module tracks activity via a set of peg
+ counts that indicate how many times something was observed or
+ performed. This might include the number of HTTP GET requests
+ processed and the number of TCP reset packets trimmed.
+ * File Statistics - look here for a breakdown of file type, bytes,
+ signatures.
+ * Summary Statistics - this includes total runtime for packet
+ processing and the packets per second. Profiling data will appear
+ here as well if configured.
+
+Note that only the non-zero counts are output. Run this to see the
+available counts:
+
+$ snort --help-counts
+
+1.3.2. Alerts
+
+If you configured rules, you will need to configure alerts to see the
+details of detection events. Use the -A option like this:
+
+$ snort -c snort.lua -r a.pcap -A cmg
+
+There are many types of alert outputs possible. Here is a brief list:
+
+ * -A cmg is the same as -A fast -d -e and will show information
+ about the alert along with packet headers and payload.
+ * -A u2 is the same as -A unified2 and will log events and
+ triggering packets in a binary file that you can feed to other
+ tools for post processing. Note that Snort 3 does not provide the
+ raw packets for alerts on PDUs; you will get the actual buffer
+ that alerted.
+ * -A csv will output various fields in comma separated value
+ format. This is entirely customizable and very useful for pcap
+ analysis.
+
+To see the available alert types, you can run this command:
+
+$ snort --list-plugins | grep logger
+
+1.3.3. Files and Paths
+
+Note that output is specific to each packet thread. If you run 4
+packet threads with u2 output, you will get 4 different u2 files. The
+basic structure is:
+
+<logdir>/[<run_prefix>][<id#>][<X>]<name>
+
+where:
+
+ * logdir is set with -l and defaults to ./
+ * run_prefix is set with --run-prefix else not used
+ * id# is the packet thread number that writes the file; with one
+ packet thread, id# (zero) is omitted without --id-zero
+ * X is / if you use --id-subdir, else _ if id# is used
+ * name is based on module name that writes the file
+
+Additional considerations:
+
+ * There is no way to explicitly configure a full path to avoid
+ issues with multiple packet threads.
+ * All text mode outputs default to stdout
+
+1.3.4. Performance Statistics
+
+Still more data is available beyond the above.
+
+ * By configuring the perf_monitor module you can capture a
+ configurable set of peg counts during runtime. This is useful to
+ feed to an external program so you can see what is happening
+ without stopping Snort.
+ * The profiler module allows you to track time and space used by
+ module and rules. Use this data to tune your system for best
+ performance. The output will show up under Summary Statistics at
+ shutdown.
+
+
+---------------------------------------------------------------------
+
+2. Concepts
+
+---------------------------------------------------------------------
+
+This section provides background on essential aspects of Snort’s
+operation.
+
+
+2.1. Terminology
+
+--------------
+
+ * basic module: a module integrated into Snort that does not come
+ from a plugin.
+ * binder: inspector that maps configuration to traffic
+ * builtin rules: codec and inspector rules for anomalies detected
+ internally.
+ * codec: short for coder / decoder. These plugins are used for
+ basic protocol decoding, anomaly detection, and construction of
+ active responses.
+ * data module: an adjunct configuration plugin for use with certain
+ inspectors.
+ * dynamic rules: plugin rules loaded at runtime. See SO rules.
+ * fast pattern: the content in an IPS rule that must be found by
+ the search engine in order for a rule to be evaluated.
+ * fast pattern matcher: see search engine.
+ * hex: a type of protocol magic that the wizard uses to identify
+ binary protocols.
+ * inspector: plugin that processes packets (similar to the Snort 2
+ preprocessor)
+ * IPS: intrusion prevention system, like Snort.
+ * IPS action: plugin that allows you to perform custom actions when
+ events are generated. Unlike loggers, these are invoked before
+ thresholding and can be used to control external agents or send
+ active responses.
+ * IPS option: this plugin is the building blocks of IPS rules.
+ * logger: a plugin that performs output of events and packets.
+ Events are thresholded before reaching loggers.
+ * module: the user facing portion of a Snort component. Modules
+ chiefly provide configuration parameters, but may also provide
+ commands, builtin rules, profiling statistics, peg counts, etc.
+ Note that not all modules are plugins and not all plugins have
+ modules.
+ * peg count: the number of times a given event or condition occurs.
+ * plugin: one of several types of software components that can be
+ loaded from a dynamic library when Snort starts up. Some plugins
+ are coupled with the main engine in such a way that they must be
+ built statically, but a newer version can be loaded dynamically.
+ * search engine: a plugin that performs multipattern searching of
+ packets and payload to find rules that should be evaluated. There
+ are currently no specific modules, although there are several
+ search engine plugins. Related configuration is done with the
+ basic detection module. Aka fast pattern matcher.
+ * SO rule: a IPS rule plugin that performs custom detection that
+ can’t be done by a text rule. These rules typically do not have
+ associated modules. SO comes from shared object, meaning dynamic
+ library.
+ * spell: a type of protocol magic that the wizard uses to identify
+ ASCII protocols.
+ * text rule: a rule loaded from the configuration that has a header
+ and body. The header specifies action, protocol, source and
+ destination IP addresses and ports, and direction. The body
+ specifies detection and non-detection options.
+ * wizard: inspector that applies protocol magic to determine which
+ inspectors should be bound to traffic absent a port specific
+ binding. See hex and spell.
+
+
+2.2. Modules
+
+--------------
+
+Modules are the building blocks of Snort. They encapsulate the types
+of data that many components need including parameters, peg counts,
+profiling, builtin rules, and commands. This allows Snort to handle
+them generically and consistently. You can learn quite a lot about
+any given module from the command line. For example, to see what
+stream_tcp is all about, do this:
+
+$ snort --help-config stream_tcp
+
+Modules are configured using Lua tables with the same name. So the
+stream_tcp module is configured with defaults like this:
+
+stream_tcp = { }
+
+The earlier help output showed that the default session tracking
+timeout is 30 seconds. To change that to 60 seconds, you can
+configure it this way:
+
+stream_tcp = { session_timeout = 60 }
+
+Or this way:
+
+stream_tcp = { }
+stream_tcp.session_timeout = 60
+
+More on parameters is given in the next section.
+
+Other things to note about modules:
+
+ * Shutdown output will show the non-zero peg counts for all
+ modules. For example, if stream_tcp did anything, you would see
+ the number of sessions processed among other things.
+ * Providing the builtin rules allows the documentation to include
+ them automatically and also allows for autogenerating the rules
+ at startup.
+ * Only a few module provide commands at this point, most notably
+ the snort module.
+
+
+2.3. Parameters
+
+--------------
+
+Parameters are given with this format:
+
+type name = default: help { range }
+
+The following types are used:
+
+ * addr: any valid IP4 or IP6 address or CIDR
+ * addr_list: a space separated list of addr values
+ * bit_list: a list of consecutive integer values from 1 to the
+ range maximum
+ * bool: true or false
+ * dynamic: a select type determined by loaded plugins
+ * enum: a string selected from the given range
+ * implied: an IPS rule option that takes no value but means true
+ * int: a whole number in the given range
+ * interval: a set of ints (see below)
+ * ip4: an IP4 address or CIDR
+ * mac: an ethernet address with the form 01:02:03:04:05:06
+ * multi: one or more space separated strings from the given range
+ * port: an int in the range 0:65535 indicating a TCP or UDP port
+ number
+ * real: a real number in the given range
+ * select: a string selected from the given range
+ * string: any string with no more than the given length, if any
+
+The parameter name may be adorned in various ways to indicate
+additional information about the type and use of the parameter:
+
+ * For Lua configuration (not IPS rules), if the name ends with []
+ it is a list item and can be repeated.
+ * For IPS rules only, names starting with ~ indicate positional
+ parameters. The names of such parameters do not appear in the
+ rule.
+ * IPS rules may also have a wild card parameter, which is indicated
+ by a *. Used for unquoted, comma-separated lists such as service
+ and metadata.
+ * The snort module has command line options starting with a -.
+ * $ denotes variable names, eg rule_state.$gid_sid which would be
+ used like rule_state["1:23456"] = { }.
+
+Some additional details to note:
+
+ * Table and variable names are case sensitive; use lower case only.
+ * String values are case sensitive too; use lower case only.
+ * Numeric ranges may be of the form low:high where low and high are
+ bounds included in the range. If either is omitted, there is no
+ hard bound. E.g. 0: means any x where x >= 0.
+ * Strings may have a numeric range indicating a length limit;
+ otherwise there is no hard limit.
+ * bit_list is typically used to store a set of byte, port, or VLAN
+ ID values.
+ * interval takes the form [operator]i, j<>k, or j<⇒k where i,j,k
+ are integers and operator is one of =, !, != (same as !), <, ⇐,
+ >, >=. j<>k means j < int < k and j<⇒k means j ⇐ int ⇐ k.
+ * Ranges may use maxXX like { 1:max32 } since max32 is easier to
+ read than 4294967295. To get the values of maxXX, use snort
+ --help-limits.
+
+Parameter limits:
+
+ * max31 = 2147483647
+ * max32 = 4294967295
+ * max53 = 9007199254740992
+ * maxSZ = 9007199254740992
+
+
+2.4. Plugins
+
+--------------
+
+Snort uses a variety of plugins to accomplish much of its processing
+objectives, including:
+
+ * Codec - to decode and encode packets
+ * Inspector - like Snort 2 preprocessors, for normalization, etc.
+ * IpsOption - for detection in Snort rules
+ * IpsAction - for custom actions
+ * Logger - for handling events
+ * Mpse - for fast pattern matching
+ * So - for dynamic rules
+
+The power of plugins is that they have a very focused purpose and can
+be created with relative ease. For example, you can extend the rule
+language by writing your own IpsOption and it will plug in and
+function just like existing options. The extra directory has examples
+of each type of plugin.
+
+Most plugins can be built statically or dynamically. By default they
+are all static. There is no difference in functionality between
+static or dynamic plugins but the dynamic build generates a slightly
+lighter weight binary. Either way you can add dynamic plugins with
+--plugin-path and newer versions will replace older versions, even
+when built statically.
+
+A single dynamic library may contain more than one plugin. For
+example, an inspector will typically be packaged together with any
+associated rule options.
+
+
+2.5. Operation
+
+--------------
+
+Snort is a signature-based IPS, which means that as it receives
+network packets it reassembles and normalizes the content so that a
+set of rules can be evaluated to detect the presence of any
+significant conditions that merit further action. A rough processing
+flow is as follows:
+
+Snort 2
+
+The steps are:
+
+ 1. Decode each packet to determine the basic network characteristics
+ such as source and destination addresses and ports. A typical
+ packet might have ethernet containing IP containing TCP
+ containing HTTP (ie eth:ip:tcp:http). The various encapsulating
+ protocols are examined for sanity and anomalies as the packet is
+ decoded. This is essentially a stateless effort.
+ 2. Preprocess each decoded packet using accumulated state to
+ determine the purpose and content of the innermost message. This
+ step may involve reordering and reassembling IP fragments and TCP
+ segments to produce the original application protocol data unit
+ (PDU). Such PDUs are analyzed and normalized as needed to support
+ further processing.
+ 3. Detection is a two step process. For efficiency, most rules
+ contain a specific content pattern that can be searched for such
+ that if no match is found no further processing is necessary.
+ Upon start up, the rules are compiled into pattern groups such
+ that a single, parallel search can be done for all patterns in
+ the group. If any match is found, the full rule is examined
+ according to the specifics of the signature.
+ 4. The logging step is where Snort saves any pertinent information
+ resulting from the earlier steps. More generally, this is where
+ other actions can be taken as well such as blocking the packet.
+
+2.5.1. Snort 2 Processing
+
+The preprocess step in Snort 2 is highly configurable. Arbitrary
+preprocessors can be loaded dynamically at startup, configured in
+snort.conf, and then executed at runtime. Basically, the
+preprocessors are put into a list which is iterated for each packet.
+Recent versions have tweaked the list handling some, but the same
+basic architecture has allowed Snort 2 to grow from a sniffer, with
+no preprocessing, to a full-fledged IPS, with lots of preprocessing.
+
+While this "list of plugins" approach has considerable flexibility,
+it hampers future development when the flow of data from one
+preprocessor to the next depends on traffic conditions, a common
+situation with advanced features like application identification. In
+this case, a preprocessor like HTTP may be extracting and normalizing
+data that ultimately is not used, or appID may be repeatedly checking
+for data that is just not available.
+
+Callbacks help break out of the preprocess straitjacket. This is
+where one preprocessor supplies another with a function to call when
+certain data is available. Snort has started to take this approach to
+pass some HTTP and SIP preprocessor data to appID. However, it
+remains a peripheral feature and still requires the production of
+data that may not be consumed.
+
+2.5.2. Snort 3 Processing
+
+One of the goals of Snort 3 is to provide a more flexible framework
+for packet processing by implementing an event-driven approach.
+Another is to produce data only when needed to minimize expensive
+normalizations. However, the basic packet processing provides very
+similar functionality.
+
+The basic processing steps Snort 3 takes are similar to Snort 2 as
+seen in the following diagram. The preprocess step employs specific
+inspector types instead of a generalized list, but the basic
+procedure includes stateless packet decoding, TCP stream reassembly,
+and service specific analysis in both cases. (Snort 3 provides hooks
+for arbitrary inspectors, but they are not central to basic flow
+processing and are not shown.)
+
+Snort 3
+
+However, Snort 3 also provides a more flexible mechanism than
+callback functions. By using inspection events, it is possible for an
+inspector to supply data that other inspectors can process. This is
+known as the observer pattern or publish-subscribe pattern.
+
+Note that the data is not actually published. Instead, access to the
+data is published, and that means that subscribers can access the raw
+or normalized version(s) as needed. Normalizations are done only on
+the first access, and subsequent accesses get the previously
+normalized data. This results in just in time (JIT) processing.
+
+A basic example of this in action is provided by the extra data_log
+plugin. It is a passive inspector, ie it does nothing until it
+receives the data it subscribed for (other in the above diagram). By
+adding the following to your snort.lua configuration, you will get a
+simple URI logger.
+
+data_log = { key = 'http_raw_uri' }
+
+Inspection events coupled with pluggable inspectors provide a very
+flexible framework for implementing new features. And JIT buffer
+stuffers allow Snort to work smarter, not harder. These capabilities
+will be leveraged more and more as Snort development continues.
+
+
+2.6. Rules
+
+--------------
+
+Rules tell Snort how to detect interesting conditions, such as an
+attack, and what to do when the condition is detected. Here is an
+example rule:
+
+alert tcp any any -> 192.168.1.1 80 ( msg:"A ha!"; content:"attack"; sid:1; )
+
+The structure is:
+
+action proto source dir dest ( body )
+
+Where:
+
+action - tells Snort what to do when a rule "fires", ie when the
+signature matches. In this case Snort will log the event. It can also
+do thing like block the flow when running inline.
+
+proto - tells Snort what protocol applies. This may be ip, icmp, tcp,
+udp, http, etc.
+
+source - specifies the sending IP address and port, either of which
+can be the keyword any, which is a wildcard.
+
+dir - must be either unidirectional as above or bidirectional
+indicated by <>.
+
+dest - similar to source but indicates the receiving end.
+
+body - detection and other information contained in parenthesis.
+
+There are many rule options available to construct as sophisticated a
+signature as needed. In this case we are simply looking for the
+"attack" in any TCP packet. A better rule might look like this:
+
+alert http
+(
+ msg:"Gotcha!";
+ flow:established, to_server;
+ http_uri:"attack";
+ sid:2;
+)
+
+Note that these examples have a sid option, which indicates the
+signature ID. In general rules are specified by gid:sid:rev notation,
+where gid is the generator ID and rev is the revision of the rule. By
+default, text rules are gid 1 and shared-object (SO) rules are gid 3.
+The various components within Snort that generate events have 1XX
+gids, for example the decoder is gid 116. You can list the internal
+gids and sids with these commands:
+
+$ snort --list-gids
+$ snort --list-builtin
+
+For details on these and other options, see the reference section.
+
+
+2.7. Pattern Matching
+
+--------------
+
+Snort evaluates rules in a two-step process which includes a fast
+pattern search and full evaluation of the signature. More details on
+this process follow.
+
+2.7.1. Rule Groups
+
+When Snort starts or reloads configuration, rules are grouped by
+protocol, port and service. For example, all TCP rules using the
+HTTP_PORTS variable will go in one group and all service HTTP rules
+will go in another group. These rule groups are compiled into
+multipattern search engines (MPSE) which are designed to search for
+all patterns with just a single pass through a given packet or
+buffer. You can select the algorithm to use for fast pattern searches
+with search_engine.search_method which defaults to ac_bnfa, which
+balances speed and memory. For a faster search at the expense of
+significantly more memory, use ac_full. For best performance and
+reasonable memory, download the hyperscan source from Intel.
+
+2.7.2. Fast Patterns
+
+Fast patterns are content strings that have the fast_pattern option
+or which have been selected by Snort automatically to be used as a
+fast pattern. Snort will by default choose the longest pattern in the
+rule since that is likely to be most unique. That is not always the
+case so add fast_pattern to the appropriate content option for best
+performance. The ideal fast pattern is one which, if found, is very
+likely to result in a rule match. Fast patterns that match frequently
+for unrelated traffic will cause Snort to work hard with little to
+show for it.
+
+Certain contents are not eligible to be used as fast patterns.
+Specifically, if a content is negated, then if it is also relative to
+another content, case sensitive, or has non-zero offset or depth,
+then it is not eligible to be used as a fast pattern.
+
+2.7.3. Rule Evaluation
+
+For each fast pattern match, the corresponding rule(s) are evaluated
+left-to-right. Rule evaluation requires checking each detection
+option in a rule and is a fairly costly process which is why fast
+patterns are so important. Rule evaluation aborts on the first
+non-matching option.
+
+When rule evaluation takes place, the fast pattern match will
+automatically be skipped if possible. Note that this differs from
+Snort 2 which provided the fast_pattern:only option to designate such
+cases. This is one less thing for the rule writer to worry about.
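Review bot: the eligibility rule in 2.7.2 is hard to parse as written ("if a content is negated, then if it is also relative to another content, case sensitive, or has non-zero offset or depth, then it is not eligible") and reads as though every negated content is excluded. State the condition directly: a negated content cannot serve as the fast pattern when it is also relative to another content, case sensitive, or carries a non-zero offset or depth; an un-negated content with none of those modifiers is always eligible. Since the surrounding text tells rule writers to place fast_pattern on the most selective content, it would also help to say here what happens if fast_pattern is put on an ineligible content (is it an error at load, or silently ignored?), because a silently ignored modifier leaves the rule keyed on whatever Snort picked by length.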
+
+
+---------------------------------------------------------------------
+
+3. Tutorial
+
+---------------------------------------------------------------------
+
+The section will walk you through building and running Snort. It is
+not exhaustive but, once you master this material, you should be able
+to figure out more advanced usage.
+
+
+3.1. Dependencies
+
+--------------
+
+Required:
+
+ * a compiler that supports the C++14 feature set
+ * cmake to build from source
+ * daq from https://github.com/snort3/libdaq for packet IO
+ * dnet from https://github.com/dugsong/libdnet.git for network
+ utility functions
+ * hwloc from https://www.open-mpi.org/projects/hwloc/ for CPU
+ affinity management
+ * LuaJIT from http://luajit.org for configuration and scripting
+ * OpenSSL from https://www.openssl.org/source/ for SHA and MD5 file
+ signatures, the protected_content rule option, and SSL service
+ detection
+ * pcap from http://www.tcpdump.org for tcpdump style logging
+ * pcre from http://www.pcre.org for regular expression pattern
+ matching
+ * pkgconfig from https://www.freedesktop.org/wiki/Software/
+ pkg-config/ to locate build dependencies
+ * zlib from http://www.zlib.net for decompression (>= 1.2.8
+ recommended)
+
+Optional:
+
+ * asciidoc from http://www.methods.co.nz/asciidoc/ to build the
+ HTML manual
+ * cpputest from http://cpputest.github.io to run additional unit
+ tests with make check
+ * dblatex from http://dblatex.sourceforge.net to build the pdf
+ manual (in addition to asciidoc)
+ * flatbuffers from https://google.github.io/flatbuffers/ for
+ enabling the flatbuffers serialization format
+ * hyperscan >= 4.4.0 from https://github.com/01org/hyperscan to
+ build new the regex and sd_pattern rule options and hyperscan
+ search engine. Hyperscan is large so it recommended to follow
+ their instructions for building it as a shared library.
+ * iconv from https://ftp.gnu.org/pub/gnu/libiconv/ for converting
+ UTF16-LE filenames to UTF8 (usually included in glibc)
+ * libunwind from https://www.nongnu.org/libunwind/ to attempt to
+ dump a somewhat readable backtrace when a fatal signal is
+ received
+ * lzma >= 5.1.2 from http://tukaani.org/xz/ for decompression of
+ SWF and PDF files
+ * safec >= 3.5 from https://github.com/rurban/safeclib/ for runtime
+ bounds checks on certain legacy C-library calls
+ * source-highlight from http://www.gnu.org/software/src-highlite/
+ to generate the dev guide
+ * w3m from http://sourceforge.net/projects/w3m/ to build the plain
+ text manual
+ * uuid from uuid-dev package for unique identifiers
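Review bot: two typos in the hyperscan bullet of 3.1: "to build new the regex and sd_pattern rule options and hyperscan search engine" should read "to build the new regex and sd_pattern rule options and the hyperscan search engine", and "Hyperscan is large so it recommended" should be "so it is recommended". The same bullet gives the repository as https://github.com/01org/hyperscan while 2.7.1 tells the reader to "download the hyperscan source from Intel"; use one reference in both places so the two sections agree.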
+
+
+3.2. Building
+
+--------------
+
+ * Optionally built features are listed in the reference section.
+ * Create an install path:
+
+ export my_path=/path/to/snorty
+ mkdir -p $my_path
+
+ * If LibDAQ was installed to a custom, non-system path:
+
+ export PKG_CONFIG_PATH=/libdaq/install/path/lib/pkgconfig:$PKG_CONFIG_PATH
+
+ * Now do one of the following:
+
+ a. To build with cmake and make, run configure_cmake.sh. It will
+ automatically create and populate a new subdirectory named
+ build.
+
+ ./configure_cmake.sh --prefix=$my_path
+ cd build
+ make -j
+ make install
+ ln -s $my_path/conf $my_path/etc
+
+ b. You can also specify a cmake project generator:
+
+ ./configure_cmake.sh --generator=Xcode --prefix=$my_path
+
+ c. Or use ccmake directly to configure and generate from an
+ arbitrary build directory like one of these:
+
+ ccmake -G Xcode /path/to/Snort++/tree
+ open snort.xcodeproj
+
+ ccmake -G "Eclipse CDT4 - Unix Makefiles" /path/to/Snort++/tree
+ run eclipse and do File > Import > Existing Eclipse Project
+
+ * To build with g++ on OS X where clang is installed, do this
+ first:
+
+ export CXX=g++
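Review bot: the step "ln -s $my_path/conf $my_path/etc" in 3.2 (a) is not explained, and every later example reads the configuration from $my_path/etc/snort/snort.lua; say what conf contains and why the link is needed, or drop the line if make install already populates etc/snort. Separately, "make -j" with no job count lets make start every target at once, which can exhaust memory on a full Snort build; "make -j$(nproc)" is the usual form and is what most readers will want to copy.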
+
+
+3.3. Running
+
+--------------
+
+Examples:
+
+ * Get some help:
+
+ $my_path/bin/snort --help
+ $my_path/bin/snort --help-module suppress
+ $my_path/bin/snort --help-config | grep thread
+
+ * Examine and dump a pcap:
+
+ $my_path/bin/snort -r <pcap>
+ $my_path/bin/snort -L dump -d -e -q -r <pcap>
+
+ * Verify config, with or w/o rules:
+
+ $my_path/bin/snort -c $my_path/etc/snort/snort.lua
+ $my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules
+
+ * Run IDS mode. To keep it brief, look at the first n packets in
+ each file:
+
+ $my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
+ -r <pcap> -A alert_test -n 100000
+
+ * Let’s suppress 1:2123. We could edit the conf or just do this:
+
+ $my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
+ -r <pcap> -A alert_test -n 100000 --lua "suppress = { { gid = 1, sid = 2123 } }"
+
+ * Go whole hog on a directory with multiple packet threads:
+
+ $my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
+ --pcap-filter \*.pcap --pcap-dir <dir> -A alert_fast -n 1000 --max-packet-threads 8
+
+For more examples, see the usage section.
+
+
+3.4. Tips
+
+--------------
+
+One of the goals of Snort 3 is to make it easier to configure your
+sensor. Here is a summary of tips and tricks you may find useful.
+
+General Use
+
+ * Snort tries hard not to error out too quickly. It will report
+ multiple semantic errors.
+ * Snort always assumes the simplest mode of operation. Eg, you can
+ omit the -T option to validate the conf if you don’t provide a
+ packet source.
+ * Warnings are not emitted unless --warn-* is specified. --warn-all
+ enables all warnings, and --pedantic makes such warnings fatal.
+ * You can process multiple sources at one time by using the -z or
+ --max-threads option.
+ * To make it easy to find the important data, zero counts are not
+ output at shutdown.
+ * Load plugins from the command line with --plugin-path /path/to/
+ install/lib.
+ * You can process multiple sources at one time by using the -z or
+ --max-threads option.
+ * Unit tests are configured with --enable-unit-tests. They can then
+ be run with snort --catch-test [tags]|all.
+
+Lua Configuration
+
+ * Configure the wizard and default bindings will be created based
+ on configured inspectors. No need to explicitly bind ports in
+ this case.
+ * You can override or add to your Lua conf with the --lua command
+ line option.
+ * The Lua conf is a live script that is executed when loaded. You
+ can add functions, grab environment variables, compute values,
+ etc.
+ * You can also rename symbols that you want to disable. For
+ example, changing normalizer to Xnormalizer (an unknown symbol)
+ will disable the normalizer. This can be easier than commenting
+ in some cases.
+ * By default, symbols unknown to Snort are silently ignored. You
+ can generate warnings for them with --warn-unknown. To ignore
+ such symbols, export them in the environment variable
+ SNORT_IGNORE.
+
+Writing and Loading Rules
+
+Snort rules allow arbitrary whitespace. Multi-line rules make it
+easier to structure your rule for clarity. There are multiple ways to
+add comments to your rules:
+
+ * The # character starts a comment to end of line. In addition, all
+ lines between #begin and #end are comments.
+ * The rem option allows you to write a comment that is conveyed
+ with the rule.
+ * C style multi-line comments are allowed, which means you can
+ comment out portions of a rule while testing it out by putting
+ the options between /* and */.
+
+There are multiple ways to load rules too:
+
+ * Set ips.rules or ips.include.
+ * include statements can be used in rules files.
+ * Use -R to load a rules file.
+ * Use --stdin-rules with command line redirection.
+ * Use --lua to specify one or more rules as a command line
+ argument.
+
+Output Files
+
+To make it simple to configure outputs when you run with multiple
+packet threads, output files are not explicitly configured. Instead,
+you can use the options below to format the paths:
+
+<logdir>/[<run_prefix>][<id#>][<X>]<name>
+
+ * logdir is set with -l and defaults to ./
+ * run_prefix is set with --run-prefix else not used
+ * id# is the packet thread number that writes the file; with one
+ packet thread, id# (zero) is omitted without --id-zero
+ * X is / if you use --id-subdir, else _ if id# is used
+ * name is based on module name that writes the file
+ * all text mode outputs default to stdout
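Review bot: the General Use list in 3.4 repeats one bullet verbatim ("You can process multiple sources at one time by using the -z or --max-threads option." appears twice); drop the second copy. The bullet also names the long option --max-threads while the examples in 3.3 and 4.4 use --max-packet-threads; use whichever form snort --help actually reports so that a reader copying the tip gets a valid option. The "Warnings are not emitted unless --warn-* is specified" bullet is worth pairing with the Gotchas in 3.6: since unknown symbols and nil table values are silently ignored by default, --warn-all --pedantic is the only way to have a misspelled parameter fail the load rather than quietly leave an inspector at its default.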
+
+
+3.5. Common Errors
+
+--------------
+
+PANIC: unprotected error in call to Lua API (cannot open
+snort_defaults.lua: No such file or directory)
+
+ * export SNORT_LUA_PATH to point to any dofiles
+
+ERROR can’t find xyz
+
+ * if xyz is the name of a module, make sure you are not assigning a
+ scalar where a table is required (e.g. xyz = 2 should be xyz = {
+ }).
+
+ERROR can’t find x.y
+
+ * module x does not have a parameter named y. check --help-module x
+ for available parameters.
+
+ERROR invalid x.y = z
+
+ * the value z is out of range for x.y. check --help-config x.y for
+ the range allowed.
+
+ERROR: x = { y = z } is in conf but is not being applied
+
+ * make sure that x = { } isn’t set later because it will override
+ the earlier setting. same for x.y.
+
+FATAL: can’t load lua/errors.lua: lua/errors.lua:68: = expected near
+';'
+
+ * this is a syntax error reported by Lua to Snort on line 68 of
+ errors.lua.
+
+ERROR: rules(2) unknown rule keyword: find.
+
+ * this was due to not including the --script-path.
+
+WARNING: unknown symbol x
+
+ * if you any variables, you can squelch such warnings by setting
+ them in an environment variable SNORT_IGNORE. to ignore x, y, and
+ z:
+
+ export SNORT_IGNORE="x y z"
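Review bot: "if you any variables" in the "WARNING: unknown symbol x" entry of 3.5 is missing a verb; "if you use any variables" reads as intended. The entry for "ERROR: rules(2) unknown rule keyword: find." says only "this was due to not including the --script-path"; say what to pass, i.e. --script-path pointing at the directory that holds the Lua rule option plugins, as the example in 4.5 does with $my_path/lib/snort_extra, so the reader does not have to search for the option elsewhere.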
+
+
+3.6. Gotchas
+
+--------------
+
+ * A nil key in a table will not be caught. Neither will a nil value
+ in a table. Neither of the following will cause errors, nor will
+ they actually set http_inspect.request_depth:
+
+ http_inspect = { request_depth }
+ http_inspect = { request_depth = undefined_symbol }
+
+ * It is not an error to set a value multiple times. The actual
+ value applied may not be the last in the table either. It is best
+ to avoid such cases.
+
+ http_inspect =
+ {
+ request_depth = 1234,
+ request_depth = 4321
+ }
+
+ * Snort can’t tell you the exact filename or line number of a
+ semantic error but it will tell you the fully qualified name.
+
+
+3.7. Known Issues
+
+--------------
+
+ * The dump DAQ will not work with multiple threads unless you use
+ --daq-var output=none. This will be fixed at some point to use
+ the Snort log directory, etc.
+ * If you build with hyperscan on OS X and see:
+
+ dyld: Library not loaded: @rpath/libhs.4.0.dylib
+
+ when you try to run src/snort, export DYLD_LIBRARY_PATH with the path to
+ libhs. You can also do:
+
+ install_name_tool -change @rpath/libhs.4.0.dylib \
+ /path-to/libhs.4.0.dylib src/snort
+
+ * Snort built with tcmalloc support (--enable-tcmalloc) on Ubuntu
+ 17.04/18.04 crashes immediately.
+
+ Workaround:
+ Uninstall gperftools 2.5 provided by the distribution and install gperftools
+ 2.7 before building Snort.
+
+3.7.1. Reload Limitations
+
+The following parameters can’t be changed during reload, and require
+a restart:
+
+ * active.attempts
+ * active.device
+ * alerts.detection_filter_memcap
+ * alerts.event_filter_memcap
+ * alerts.rate_filter_memcap
+ * attribute_table.max_hosts
+ * attribute_table.max_services_per_host
+ * daq.snaplen
+ * detection.asn1
+ * file_id.max_files_cached
+ * process.chroot
+ * process.daemon
+ * process.set_gid
+ * process.set_uid
+ * snort.--bpf
+ * snort.-l
+
+In addition, the following scenarios require a restart:
+
+ * Enabling file capture for the first time
+ * Changing file_id.capture_memcap if file capture was previously or
+ currently enabled
+ * Changing file_id.capture_block_size if file capture was
+ previously or currently enabled
+ * Adding/removing stream_* inspectors if stream was already
+ configured
+
+In all of these cases reload will fail with the following message:
+"reload failed - restart required". The original config will remain
+in use.
+
+
+---------------------------------------------------------------------
+
+4. Usage
+
+---------------------------------------------------------------------
+
+For the following examples "$my_path" is assumed to be the path to
+the Snort install directory. Additionally, it is assumed that
+"$my_path/bin" is in your PATH.
+
+
+4.1. Help
+
+--------------
+
+Print the help summary:
+
+snort --help
+
+Get help on a specific module ("stream", for example):
+
+snort --help-module stream
+
+Get help on the "-A" command line option:
+
+snort --help-options A
+
+Grep for help on threads:
+
+snort --help-config | grep thread
+
+Output help on "rule" options in AsciiDoc format:
+
+snort --markup --help-options rule
+
+Note
+
+Snort stops reading command-line options after the "--help-" and
+"--list-" options, so any other options should be placed before them.
+
+
+4.2. Sniffing and Logging
+
+--------------
+
+Read a pcap:
+
+snort -r /path/to/my.pcap
+
+Dump the packets to stdout:
+
+snort -r /path/to/my.pcap -L dump
+
+Dump packets with application data and layer 2 headers
+
+snort -r /path/to/my.pcap -L dump -d -e
+
+Note
+
+Command line options must be specified separately. "snort -de" won’t
+work. You can still concatenate options and their arguments, however,
+so "snort -Ldump" will work.
+
+Dump packets from all pcaps in a directory:
+
+snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap' -L dump -d -e
+
+Log packets to a directory:
+
+snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap' -L dump -l /path/to/log/dir
+
+
+4.3. Configuration
+
+--------------
+
+Validate a configuration file:
+
+snort -c $my_path/etc/snort/snort.lua
+
+Validate a configuration file and a separate rules file:
+
+snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules
+
+Read rules from stdin and validate:
+
+snort -c $my_path/etc/snort/snort.lua --stdin-rules < $my_path/etc/snort/sample.rules
+
+Enable warnings for Lua configurations and make warnings fatal:
+
+snort -c $my_path/etc/snort/snort.lua --warn-all --pedantic
+
+Tell Snort where to look for additional Lua scripts:
+
+snort --script-path /path/to/script/dir
+
+
+4.4. IDS mode
+
+--------------
+
+Run Snort in IDS mode, reading packets from a pcap:
+
+snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap
+
+Log any generated alerts to the console using the "-A" option:
+
+snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A alert_full
+
+Capture separate stdout, stderr, and stdlog files (out has startup
+and shutdown output, err has warnings and errors, and log has
+alerts):
+
+snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A csv \
+ 1>out 2>err 3>log
+
+Add or modify a configuration from the command line using the "--lua"
+option:
+
+snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A cmg \
+ --lua 'ips = { enable_builtin_rules = true }'
+
+Note
+
+The "--lua" option can be specified multiple times.
+
+Run Snort in IDS mode on an entire directory of pcaps, processing
+each input source on a separate thread:
+
+snort -c $my_path/etc/snort/snort.lua --pcap-dir /path/to/pcap/dir \
+ --pcap-filter '*.pcap' --max-packet-threads 8
+
+Run Snort on 2 interfaces, eth0 and eth1:
+
+snort -c $my_path/etc/snort/snort.lua -i "eth0 eth1" -z 2 -A cmg
+
+Run Snort inline with the afpacket DAQ:
+
+snort -c $my_path/etc/snort/snort.lua --daq afpacket -i "eth0:eth1" \
+ -A cmg
+
+
+4.5. Plugins
+
+--------------
+
+Load external plugins and use the "ex" alert:
+
+snort -c $my_path/etc/snort/snort.lua \
+ --plugin-path $my_path/lib/snort_extra \
+ -A alert_ex -r /path/to/my.pcap
+
+Test the LuaJIT rule option find loaded from stdin:
+
+snort -c $my_path/etc/snort/snort.lua \
+ --script-path $my_path/lib/snort_extra \
+ --stdin-rules -A cmg -r /path/to/my.pcap << END
+alert tcp any any -> any 80 (
+ sid:3; msg:"found"; content:"GET";
+ find:"pat='HTTP/1%.%d'" ; )
+END
+
+
+4.6. Output Files
+
+--------------
+
+To make it simple to configure outputs when you run with multiple
+packet threads, output files are not explicitly configured. Instead,
+you can use the options below to format the paths:
+
+<logdir>/[<run_prefix>][<id#>][<X>]<name>
+
+Log to unified in the current directory:
+
+snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A unified2
+
+Log to unified in the current directory with a different prefix:
+
+snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A unified2 \
+ --run-prefix take2
+
+Log to unified in /tmp:
+
+snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A unified2 -l /tmp
+
+Run 4 packet threads and log with thread number prefix (0-3):
+
+snort -c $my_path/etc/snort/snort.lua --pcap-dir /path/to/pcap/dir \
+ --pcap-filter '*.pcap' -z 4 -A unified2
+
+Run 4 packet threads and log in thread number subdirs (0-3):
+
+snort -c $my_path/etc/snort/snort.lua --pcap-dir /path/to/pcap/dir \
+ --pcap-filter '*.pcap' -z 4 -A unified2 --id-subdir
+
+Note
+
+subdirectories are created automatically if required. Log filename is
+based on module name that writes the file. All text mode outputs
+default to stdout. These options can be combined.
+
+
+4.7. DAQ Alternatives
+
+--------------
+
+Process hext packets from stdin:
+
+snort -c $my_path/etc/snort/snort.lua \
+ --daq-dir $my_path/lib/snort/daqs --daq hext -i tty << END
+$packet 10.1.2.3 48620 -> 10.9.8.7 80
+"GET / HTTP/1.1\r\n"
+"Host: localhost\r\n"
+"\r\n"
+END
+
+Process raw ethernet from hext file:
+
+snort -c $my_path/etc/snort/snort.lua \
+ --daq-dir $my_path/lib/snort/daqs --daq hext \
+ --daq-var dlt=1 -r <hext-file>
+
+Process a directory of plain files (ie non-pcap) with 4 threads with
+8K buffers:
+
+snort -c $my_path/etc/snort/snort.lua \
+ --daq-dir $my_path/lib/snort/daqs --daq file \
+ --pcap-dir path/to/files -z 4 -s 8192
+
+Bridge two TCP connections on port 8000 and inspect the traffic:
+
+snort -c $my_path/etc/snort/snort.lua \
+ --daq-dir $my_path/lib/snort/daqs --daq socket
+
+
+4.8. Logger Alternatives
+
+--------------
+
+Dump TCP stream payload in hext mode:
+
+snort -c $my_path/etc/snort/snort.lua -L hext
+
+Output timestamp, pkt_num, proto, pkt_gen, dgm_len, dir, src_ap,
+dst_ap, rule, action for each alert:
+
+snort -c $my_path/etc/snort/snort.lua -A csv
+
+Output the old test format alerts:
+
+snort -c $my_path/etc/snort/snort.lua \
+ --lua "alert_csv = { fields = 'pkt_num gid sid rev', separator = '\t' }"
+
+
+4.9. Shell
+
+--------------
+
+You must build with --enable-shell to make the command line shell
+available.
+
+Enable shell mode:
+
+snort --shell <args>
+
+You will see the shell mode command prompt, which looks like this:
+
+o")~
+
+(The prompt can be changed with the SNORT_PROMPT environment
+variable.)
+
+You can pause immediately after loading the configuration and again
+before exiting with:
+
+snort --shell --pause <args>
+
+In that case you must issue the resume() command to continue. Enter
+quit() to terminate Snort or detach() to exit the shell. You can list
+the available commands with help().
+
+To enable local telnet access on port 12345:
+
+snort --shell -j 12345 <args>
+
+The command line interface is still under development. Suggestions
+are welcome.
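Review bot: the shell section (4.9) says "-j 12345" enables "local telnet access" but does not say whether the listener is bound to the loopback interface or to all addresses, nor whether any authentication applies. The shell executes its commands (quit(), detach(), resume()) as Lua and can alter the running sensor, so an unauthenticated listener on a routable address is a remote control path into the IDS. State the bind address, and recommend leaving -j off on production sensors or restricting the port with a host firewall if it must be enabled.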
+
+
+4.10. Signals
+
+--------------
+
+Note
+
+The following examples assume that Snort is currently running and has
+a process ID of <pid>.
+
+Modify and Reload Configuration:
+
+echo 'suppress = { { gid = 1, sid = 2215 } }' >> $my_path/etc/snort/snort.lua
+kill -hup <pid>
+
+Dump stats to stdout:
+
+kill -usr1 <pid>
+
+Shutdown normally:
+
+kill -term <pid>
+
+Exit without flushing packets:
+
+kill -quit <pid>
+
+List available signals:
+
+snort --help-signals
+
+Note
+
+The available signals may vary from platform to platform.
+
+
+---------------------------------------------------------------------
+
+5. Features
+
+---------------------------------------------------------------------
+
+This section explains how to use key features of Snort.
+
+
+5.1. Active Response
+
+--------------
+
+Snort can take more active role in securing network by sending active
+responses to shutdown offending sessions. When active responses is
+enabled, snort will send TCP RST or ICMP unreachable when dropping a
+session.
+
+5.1.1. Changes from Snort 2.9
+
+ * stream5_global:max_active_responses and min_response_seconds are
+ now active.max_responses and active.min_interval.
+ * Response actions were removed from IPS rule body to the rule
+ action in the header. This includes react, reject, and rewrite
+ (split out of replace which now just does the detection part).
+ These IPS actions are plugins.
+ * drop and block are synonymous in Snort 2.9 but in Snort 3.0 drop
+ means don’t forward the current packet only whereas block means
+ don’t forward this or any following packet on the flow.
+
+5.1.2. Configure Active
+
+Active response is enabled by configuring one of following IPS action
+plugins:
+
+react = { }
+reject = { }
+rewrite = { }
+
+Active responses will be performed for reject, react or rewrite IPS
+rule actions, and response packets are encoded based on the
+triggering packet. TTL will be set to the value captured at session
+pickup.
+
+Configure the number of attempts to land a TCP RST within the
+session’s current window (so that it is accepted by the receiving
+TCP). This sequence "strafing" is really only useful in passive mode.
+In inline mode the reset is put straight into the stream in lieu of
+the triggering packet so strafing is not necessary.
+
+Each attempt (sent in rapid succession) has a different sequence
+number. Each active response will actually cause this number of TCP
+resets to be sent. TCP data is multiplied similarly. At most 1 ICMP
+unreachable is sent, iff attempts > 0.
+
+Device IP will perform network layer injection. It is probably a
+better choice to specify an interface and avoid kernel routing
+tables, etc.
+
+dst_mac will change response destination MAC address, if the device
+is eth0, eth1, eth2 etc. Otherwise, response destination MAC address
+is derived from packet.
+
+Example:
+
+active =
+{
+ attempts = 2,
+ device = "eth0",
+ dst_mac = "00:06:76:DD:5F:E3",
+}
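Review bot: grammar in the 5.1 intro: "Snort can take more active role in securing network by sending active responses to shutdown offending sessions. When active responses is enabled" should read "Snort can take a more active role in securing the network by sending active responses to shut down offending sessions. When active response is enabled". In 5.1.2 the three prose paragraphs describe attempts, device and dst_mac without naming the parameters until the example at the end; lead each paragraph with its key (active.attempts, active.device, active.dst_mac) so that "Device IP will perform network layer injection" can be mapped to the setting it describes. The strafing paragraph would also benefit from one sentence on the consequence of getting the window wrong in passive mode: a reset outside the receiver's window is dropped and the session continues, which is the reason attempts > 1 exists.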
+
+5.1.3. Reject
+
+IPS action reject perform active response to shutdown hostile network
+session by injecting TCP resets (TCP connections) or ICMP unreachable
+packets.
+
+Example:
+
+reject = { reset = "both", control = "all" }
+
+local_rules =
+[[
+reject tcp ( msg:"hostile connection"; flow:established, to_server;
+content:"HACK!"; sid:1; )
+]]
+
+ips =
+{
+ rules = local_rules,
+}
+
+5.1.4. React
+
+IPS action react enables sending an HTML page on a session and then
+resetting it.
+
+The page to be sent can be read from a file:
+
+react = { page = "customized_block_page.html", }
+
+or else the default is used:
+
+<default_page> ::= \
+ "HTTP/1.1 403 Forbidden\r\n"
+ "Connection: close\r\n"
+ "Content-Type: text/html; charset=utf-8\r\n"
+ "\r\n"
+ "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.1//EN\"\r\n" \
+ " \"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd\">\r\n" \
+ "<html xmlns=\"http://www.w3.org/1999/xhtml\"
+ xml:lang=\"en\">\r\n" \
+ "<head>\r\n" \
+ "<meta http-equiv=\"Content-Type\" content=\"text/html;
+ charset=UTF-8\" />\r\n" \
+ "<title>Access Denied</title>\r\n" \
+ "</head>\r\n" \
+ "<body>\r\n" \
+ "<h1>Access Denied</h1>\r\n" \
+ "<p>%s</p>\r\n" \
+ "</body>\r\n" \
+ "</html>\r\n";
+
+Note that the file must contain the entire response, including any
+HTTP headers. In fact, the response isn’t strictly limited to HTTP.
+You could craft a binary payload of arbitrary content.
+
+When the rule is configured, the page is loaded and the %s is
+replaced with the selected message, which defaults to:
+
+"You are attempting to access a forbidden site.<br />" \
+"Consult your system administrator for details."
+
+Additional formatting operators beyond a single %s are prohibited,
+including %d, %x, %s, as well as any URL encodings such as as %20
+(space) that may be within a reference URL.
+
+Example:
+
+react = { page = "my_block_page.html" }
+
+local_rules =
+[[
+react http ( msg:"Unauthorized Access Prohibited!"; flow:established,
+to_server; http_method; content:"GET"; sid:1; )
+]]
+
+ips =
+{
+ rules = local_rules,
+}
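Review bot: the sentence "Additional formatting operators beyond a single %s are prohibited, including %d, %x, %s" in 5.1.4 lists %s among the prohibited operators, which contradicts the single %s it just allowed; write "a second %s" or drop %s from the list. The same paragraph should say what happens when the page file does contain a stray % sequence such as the %20 it mentions: is the configuration rejected at load, or is the page sent as-is? That matters because the page is read from an administrator-controlled file and any substitution error would be served to the client. Also, "which defaults to:" followed by a quoted C string literal with a line continuation is confusing in a user manual; show the default message as plain text.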
+
+5.1.5. Rewrite
+
+IPS action rewrite enables overwrite packet contents based on
+"replace" option in the rules.
+
+For example:
+
+rewrite = { }
+local_rules =
+[[
+rewrite tcp 10.1.1.87 any -> 10.1.1.0/24 80
+(
+ sid:1000002;
+ msg:"test replace rule";
+ content:"index.php", nocase;
+ replace:"indax.php";
+)
+]]
+
+ips =
+{
+ rules = local_rules,
+}
+
+this rule replaces "index.php" with "indax.php", and rewrite action
+updates that packet.
+
+to enable rewrite action:
+
+rewrite = { }
+
+the replace operation can be disabled by changing the configuration:
+
+rewrite = { disable_replace = true }
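Review bot: "IPS action rewrite enables overwrite packet contents based on "replace" option in the rules" in 5.1.5 needs rewording: "The rewrite IPS action overwrites packet contents based on the replace option in the rule." The "to enable rewrite action: rewrite = { }" snippet repeats the first line of the example directly above it and can go. The example replaces "index.php" with the equal-length "indax.php"; state whether the replacement must be the same length as the matched content, since that constraint decides whether the action is usable for a given rule. Finally, a passive sensor cannot modify packets in flight, so say explicitly that rewrite only has an effect in inline mode.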
+
+
+5.2. AppId
+
+--------------
+
+Network administrators need application awareness in order to fine
+tune their management of the ever-growing number of applications
+passing traffic over the network. Application awareness allows an
+administrator to create rules for applications as needed by the
+business. The rules can be used to take action based on the
+application, such as block, allow or alert.
+
+5.2.1. Overview
+
+The AppId inspector provides an application level view when managing
+networks by providing the following features:
+
+ * Network control: The inspector works with Snort rules by
+ providing a set of application identifiers (AppIds) to Snort rule
+ writers.
+ * Application usage awareness: The inspector outputs statistics to
+ show how many times applications are being used on the network.
+ * Custom applications: Administrators can create their own
+ application detectors to detect new applications. The detectors
+ are written in Lua and interface with Snort using a well-defined
+ C-Lua API.
+ * Open Detector Package (ODP): A set of pre-defined application
+ detectors are provided by the Snort team and can be downloaded
+ from snort.org.
+
+5.2.2. Dependency Requirements
+
+For proper functioning of the AppId inspector, at a minimum stream
+flow tracking must be enabled. In addition, to identify TCP-based or
+UDP-based applications then the appropriate stream inspector must be
+enabled, e.g. stream_tcp or stream_udp.
+
+In addition, in order to identify HTTP-based applications, the HTTP
+inspector must be enabled. Otherwise, only non-HTTP applications will
+be identified.
+
+AppId subscribes to the inspection events published by other
+inspectors, such as the HTTP and SSL inspectors, to gain access to
+the data needed. It uses that data to help determine the application
+ID.
+
+5.2.3. Configuration
+
+The AppId feature can be enabled via configuration. To enable it with
+the default settings use:
+
+appid = { }
+
+To use an AppId as a matching parameter in an IPS rule, use the
+appids keyword. For example, to block HTTP traffic that contains a
+specific header:
+
+block tcp any any -> 192.168.0.1 any ( msg:"Block Malicious HTTP header";
+ appids:"HTTP"; content:"X-Header: malicious"; sid:18000; )
+
+Alternatively, the HTTP application can be specified in place of tcp
+instead of using the appids keyword. The AppId inspector will set the
+service when it is discovered so it can be used in IPS rules like
+this. Note that this rule also does not specify the IPs or ports
+which default to any.
+
+block http ( msg:"Block Malicious HTTP header";
+ content:"X-Header: malicious"; sid:18000; )
+
+It’s possible to specify multiple applications (as many as desired)
+with the appids keyword. A rule is considered a match if any of the
+applications on the rule match. Note that this rule does not match
+specific content which will reduce performance.
+
+alert tcp any any -> 192.168.0.1 any ( msg:"Alert ";
+ appids:"telnet,ssh,smtp,http";
+
+Below is a minimal Snort configuration that is sufficient to block
+flows based on a specific HTTP header:
+
+stream = { }
+
+stream_tcp = { }
+
+binder =
+{
+ {
+ when =
+ {
+ proto = 'tcp',
+ ports = [[ 80 8080 ]],
+ },
+ use =
+ {
+ type = 'http_inspect',
+ },
+ },
+}
+
+http_inspect = { }
+
+appid = { }
+
+local_rules =
+[[
+block http ( msg:"openAppId: test content match for app http";
+content:"X-Header: malicious"; sid:18760; rev:4; )
+]]
+
+ips =
+{
+ rules = local_rules,
+}
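Review bot: the multi-application example in 5.2.3 is truncated: "alert tcp any any -> 192.168.0.1 any ( msg:"Alert "; appids:"telnet,ssh,smtp,http";" has no sid and no closing parenthesis, so it will not load as shown; complete it, for example with "sid:18001; )". The minimal configuration below it binds http_inspect to ports 80 and 8080 by hand, while 3.4 says default bindings are created from configured inspectors when the wizard is enabled; say whether the explicit binder entry is required for this example or only shown for clarity, so a reader does not conclude that AppId alone selects the inspector.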
+
+5.2.4. Session Application Identifiers
+
+There are up to four AppIds stored in a session as defined below:
+
+ * serviceAppId - An appId associated with server side of a session.
+ Example: http server.
+ * clientAppId - An appId associated with application on client side
+ of a session. Example: Firefox.
+ * payloadAppId - For services like http this appId is associated
+ with a webserver host. Example: Facebook.
+ * miscAppId - For some encapsulated protocols, this is the highest
+ encapsulated application.
+
+For packets originating from the client, a payloadAppid in a session
+is matched with all AppIds listed on a rule. Thereafter miscAppId,
+clientAppId and serviceAppId are matched. Since Alert Events contain
+one AppId, only the first match is reported. If a rule without an
+appids option matches, then the most specific appId (in order of
+payload, misc, client, server) is reported.
+
+The same logic is followed for packets originating from the server
+with one exception. The order of matching is changed to make
+serviceAppId come before clientAppId.
+
+5.2.5. AppId Usage Statistics
+
+The AppId inspector prints application network usage periodically in
+the snort log directory in unified2 format. File name, time interval
+for statistic and file rollover are controlled by appId inspection
+configuration.
+
+5.2.6. Open Detector Package (ODP) Installation
+
+Application detectors from Snort team will be delivered in a separate
+package called the Open Detector Package (ODP) that can be downloaded
+from snort.org. ODP is a package that contains the following
+artifacts:
+
+ * Application detectors in the Lua language.
+ * Port detectors, which are port only application detectors, in
+ meta-data in YAML format.
+ * appMapping.data file containing application metadata. This file
+ should not be modified. The first column contains application
+ identifier and second column contains application name. Other
+ columns contain internal information.
+ * Lua library files DetectorCommon.lua, flowTrackerModule.lua and
+ hostServiceTrackerModule.lua
+
+A user can install the ODP package in any directory and configure
+this directory via the app_detector_dir option in the appid
+preprocessor configuration. Installing ODP will not modify any
+subdirectory named custom, where user-created detectors are located.
+
+When installed, ODP will create following sub-directories:
+
+ * odp/port //Cisco port-only detectors
+ * odp/lua //Cisco Lua detectors
+ * odp/libs //Cisco Lua modules
+
+5.2.7. User Created Application Detectors
+
+Users can detect new applications by adding detectors in the Lua
+language. A document will be posted on the Snort Website with details
+on API. Users can also copy over Snort team provided detectors and
+modify them. Users can also use the detector creation tool described
+in the next section.
+
+Users must organize their Lua detectors and libraries by creating the
+following directory structure, under the ODP installation directory.
+
+ * custom/port //port-only detectors
+ * custom/lua //Lua detectors
+ * custom/libs //Lua modules
+
+The root path is specified by the "app_detector_dir" parameter of the
+appid section of snort.conf:
+
+appid =
+{
+ app_detector_dir = '/usr/local/lib/openappid',
+}
+
+So the path to the user-created lua files would be /usr/local/lib/
+openappid/custom/lua/
+
+None of the directories below /usr/local/lib/openappid/ would be
+added for you.
+
+5.2.8. Application Detector Creation Tool
+
+For rudimentary Lua detectors, there is a tool provided called
+appid_detector_builder.sh. This is a simple, menu-driven bash script
+which creates .lua files in your current directory, based on your
+choices and on patterns you supply.
+
+When you launch the script, it will prompt for the Application Id
+that you are giving for your detector. This is free-form ASCII with
+minor restrictions. The Lua detector file will be named based on your
+Application Id. If the file name already exists you will be prompted
+to overwrite it.
+
+You will also be prompted for a description of your detector to be
+placed in the comments of the Lua source code. This is optional.
+
+You will then be asked a series of questions designed to construct
+Lua code based on the kind of pattern data, protocol, port(s), etc.
+
+When complete, the Protocol menu will be changed to include the
+option, "Save Detector". Instead of saving the file and exiting the
+script, you are allowed to give additional criteria for another
+pattern which may also be incorporated in the detection scheme. Then
+either pattern, when matched, will be considered a valid detection.
+
+For example, your first choices might create an HTTP detection
+pattern of "example.com", and the next set of choices would add the
+HTTP detection pattern of "example.uk.co" (an equally fictional
+British counterpart). They would then co-exist in the Lua detector,
+and either would cause a detection with the name you give for your
+Application Id.
+
+The resulting .lua file will need to be placed in the directory,
+"custom/lua", described in the previous section of the README above
+called "User Created Application Detectors"
+
+
+5.3. Binder
+
+--------------
+
+One of the fundamental differences between Snort 2 and Snort 3
+concerns configuration related to networks and ports. Here is a brief
+review of Snort 2 configuration for network and service related
+components:
+
+ * Snort’s configuration has a default policy and optional policies
+ selected by VLAN or network (with config binding).
+ * Each policy contains a user defined set of preprocessor
+ configurations.
+ * Each preprocessor has a default configuration and some support
+ non-default configurations selected by network.
+ * Most preprocessors have port configurations.
+ * The default policy may also contain a list of ports to ignore.
+
+In Snort 3, the above configurations are done in a single module
+called the binder. Here is an example:
+
+binder =
+{
+ -- allow all tcp port 22:
+ -- (similar to Snort 2 config ignore_ports)
+ { when = { proto = 'tcp', ports = '22' }, use = { action = 'allow' } },
+
+-- select a config file by vlan
+-- (similar to Snort 2 config binding by vlan)
+{ when = { vlans = '1024' }, use = { file = 'vlan.lua' } },
+
+-- use a non-default HTTP inspector for port 8080:
+-- (similar to a Snort 2 targeted preprocessor config)
+{ when = { nets = '192.168.0.0/16', proto = 'tcp', ports = '8080' },
+ use = { name = 'alt_http', type = 'http_inspect' } },
+
+-- use the default inspectors:
+-- (similar to a Snort 2 default preprocessor config)
+{ when = { proto = 'tcp' }, use = { type = 'stream_tcp' } },
+{ when = { service = 'http' }, use = { type = 'http_inspect' } },
+
+ -- figure out which inspector to run automatically:
+ { use = { type = 'wizard' } }
+}
+
+Bindings are evaluated when a session starts and again if and when
+service is identified on the session. Essentially, the bindings are a
+list of when-use rules evaluated from top to bottom. The first
+matching network and service configurations are applied. binder.when
+can contain any combination of criteria and binder.use can specify an
+action, config file, or inspector configuration.
+
+
+5.4. Byte rule options
+
+--------------
+
+5.4.1. byte_test
+
+This rule option tests a byte field against a specific value (with
+operator). Capable of testing binary values or converting
+representative byte strings to their binary equivalent and testing
+them.
+
+Snort uses the C operators for each of these operators. If the &
+operator is used, then it would be the same as using
+
+if (data & value) { do_something(); }
+
+! operator negates the results from the base check. !<oper> is
+considered as
+
+!(data <oper> value)
+
+Note: The bitmask option applies bitwise AND operator on the bytes
+converted. The result will be right-shifted by the number of bits
+equal to the number of trailing zeros in the mask. This applies for
+the other rule options as well.
+
+5.4.1.1. Examples
+
+alert tcp (byte_test:2, =, 568, 0, bitmask 0x3FF0;)
+
+This example extracts 2 bytes at offset 0, performs bitwise and with
+bitmask 0x3FF0, shifts the result by 4 bits and compares to 568.
+
+alert udp (byte_test:4, =, 1234, 0, string, dec;
+ msg:"got 1234!";)
+
+alert udp (byte_test:8, =, 0xdeadbeef, 0, string, hex;
+ msg:"got DEADBEEF!";)
+
+5.4.2. byte_jump
+
+The byte_jump rule option allows rules to be written for length
+encoded protocols trivially. By having an option that reads the
+length of a portion of data, then skips that far forward in the
+packet, rules can be written that skip over specific portions of
+length-encoded protocols and perform detection in very specific
+locations.
+
+5.4.2.1. Examples
+
+alert tcp (content:"Begin";
+ byte_jump:0, 0, from_end, post_offset -6;
+ content:"end..", distance 0, within 5;
+ msg:"Content match from end of the payload";)
+
+alert tcp (content:"catalog";
+ byte_jump:2, 1, relative, post_offset 2, bitmask 0x03f0;
+ byte_test:2, =, 968, 0, relative;
+ msg:"Bitmask applied on the 2 bytes extracted for byte_jump";)
+
+5.4.3. byte_extract
+
+The byte_extract keyword is another useful option for writing rules
+against length-encoded protocols. It reads in some number of bytes
+from the packet payload and saves it to a variable. These variables
+can be referenced later in the rule, instead of using hard-coded
+values.
+
+5.4.3.1. Other options which use byte_extract variables
+
+A byte_extract rule option detects nothing by itself. Its use is in
+extracting packet data for use in other rule options.
+
+Here is a list of places where byte_extract variables can be used:
+
+ * content/uricontent: offset, depth, distance, within
+ * byte_test: offset, value
+ * byte_jump: offset, post_offset
+ * isdataat: offset
+
+5.4.3.2. Examples
+
+alert tcp (byte_extract:1, 0, str_offset;
+ byte_extract:1, 1, str_depth;
+ content:"bad stuff", offset str_offset, depth str_depth;
+ msg:"Bad Stuff detected within field";)
+
+alert tcp (content:"START"; byte_extract:1, 0, myvar, relative;
+ byte_jump:1, 3, relative, post_offset myvar;
+ content:"END", distance 6, within 3;
+ msg: "byte_jump - pass variable to post_offset";)
+
+This example uses two variables.
+
+The first variable keeps the offset of a string, read from a byte at
+offset 0. The second variable keeps the depth of a string, read from
+a byte at offset 1. These values are used to constrain a pattern
+match to a smaller area.
+
+alert tcp (content:"|04 63 34 35|", offset 4, depth 4;
+ byte_extract: 2, 0, var_match, relative, bitmask 0x03ff;
+ byte_test: 2, =, var_match, 2, relative;
+ msg:"Test value match, after applying bitmask on bytes extracted";)
+
+5.4.4. byte_math
+
+Perform a mathematical operation on an extracted value and a
+specified value or existing variable, and store the outcome in a new
+resulting variable. These resulting variables can be referenced later
+in the rule, at the same places as byte_extract variables.
+
+The syntax for this rule option is different. The order of the
+options is critical for the other rule options and can’t be changed.
+For example, the first option is the number of bytes to extract. Here
+the name of the option is explicitly written, for example : bytes 2.
+The order is not important.
+
+Note
+
+Byte_math operations are performed on unsigned 32-bit values. When
+writing a rule it should be taken into consideration to avoid wrap
+around.
+
+5.4.4.1. Examples
+
+alert tcp ( byte_math: bytes 2, offset 0, oper *, rvalue 10, result area;
+ byte_test:2,>,area,16;)
+
+At the zero offset of the payload, extract 2 bytes and apply
+multiplication operation with value 10. Store result in variable
+area. The area variable is given as input to byte_test value option.
+
+Let’s consider 2 bytes of extracted data is 5. The rvalue is 10.
+Result variable area is 50 ( 5 * 10 ). Area variable can be used in
+either byte_test offset/value options.
+
+5.4.5. Testing Numerical Values
+
+The rule options byte_test and byte_jump were written to support
+writing rules for protocols that have length encoded data. RPC was
+the protocol that spawned the requirement for these two rule options,
+as RPC uses simple length based encoding for passing data.
+
+In order to understand why byte test and byte jump are useful, let’s
+go through an exploit attempt against the sadmind service.
+
+This is the payload of the exploit:
+
+89 09 9c e2 00 00 00 00 00 00 00 02 00 01 87 88 ................
+00 00 00 0a 00 00 00 01 00 00 00 01 00 00 00 20 ...............
+40 28 3a 10 00 00 00 0a 4d 45 54 41 53 50 4c 4f @(:.....metasplo
+49 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 it..............
+00 00 00 00 00 00 00 00 40 28 3a 14 00 07 45 df ........@(:...e.
+00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 ................
+00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 04 ................
+7f 00 00 01 00 01 87 88 00 00 00 0a 00 00 00 04 ................
+7f 00 00 01 00 01 87 88 00 00 00 0a 00 00 00 11 ................
+00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 ................
+00 00 00 00 00 00 00 3b 4d 45 54 41 53 50 4c 4f .......;metasplo
+49 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 it..............
+00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+00 00 00 00 00 00 00 06 73 79 73 74 65 6d 00 00 ........system..
+00 00 00 15 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f ....../../../../
+2e 2e 2f 62 69 6e 2f 73 68 00 00 00 00 00 04 1e ../bin/sh.......
+
+Let’s break this up, describe each of the fields, and figure out how
+to write a rule to catch this exploit.
+
+There are a few things to note with RPC:
+
+Numbers are written as uint32s, taking four bytes. The number 26
+would show up as 0x0000001a.
+
+Strings are written as a uint32 specifying the length of the string,
+the string, and then null bytes to pad the length of the string to
+end on a 4-byte boundary. The string bob would show up as
+0x00000003626f6200.
+
+89 09 9c e2 - the request id, a random uint32, unique to each request
+00 00 00 00 - rpc type (call = 0, response = 1)
+00 00 00 02 - rpc version (2)
+00 01 87 88 - rpc program (0x00018788 = 100232 = sadmind)
+00 00 00 0a - rpc program version (0x0000000a = 10)
+00 00 00 01 - rpc procedure (0x00000001 = 1)
+00 00 00 01 - credential flavor (1 = auth_unix)
+00 00 00 20 - length of auth_unix data (0x20 = 32)
+
+## the next 32 bytes are the auth_unix data
+40 28 3a 10 - unix timestamp (0x40283a10 = 1076378128 = feb 10 01:55:28 2004 gmt)
+00 00 00 0a - length of the client machine name (0x0a = 10)
+4d 45 54 41 53 50 4c 4f 49 54 00 00 - metasploit
+
+00 00 00 00 - uid of requesting user (0)
+00 00 00 00 - gid of requesting user (0)
+00 00 00 00 - extra group ids (0)
+
+00 00 00 00 - verifier flavor (0 = auth_null, aka none)
+00 00 00 00 - length of verifier (0, aka none)
+
+The rest of the packet is the request that gets passed to procedure 1
+of sadmind.
+
+However, we know the vulnerability is that sadmind trusts the uid
+coming from the client. sadmind runs any request where the client’s
+uid is 0 as root. As such, we have decoded enough of the request to
+write our rule.
+
+First, we need to make sure that our packet is an RPC call.
+
+content:"|00 00 00 00|", offset 4, depth 4;
+
+Then, we need to make sure that our packet is a call to sadmind.
+
+content:"|00 01 87 88|", offset 12, depth 4;
+
+Then, we need to make sure that our packet is a call to the procedure
+1, the vulnerable procedure.
+
+content:"|00 00 00 01|", offset 20, depth 4;
+
+Then, we need to make sure that our packet has auth_unix credentials.
+
+content:"|00 00 00 01|", offset 24, depth 4;
+
+We don’t care about the hostname, but we want to skip over it and
+check a number value after the hostname. This is where byte_test is
+useful. Starting at the length of the hostname, the data we have is:
+
+00 00 00 0a 4d 45 54 41 53 50 4c 4f 49 54 00 00
+00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+00 00 00 00
+
+We want to read 4 bytes, turn it into a number, and jump that many
+bytes forward, making sure to account for the padding that RPC
+requires on strings. If we do that, we are now at:
+
+00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+00 00 00 00
+
+which happens to be the exact location of the uid, the value we want
+to check.
+
+In English, we want to read 4 bytes, 36 bytes from the beginning of
+the packet, and turn those 4 bytes into an integer and jump that many
+bytes forward, aligning on the 4-byte boundary. To do that in a Snort
+rule, we use:
+
+byte_jump:4,36,align;
+
+then we want to look for the uid of 0.
+
+content:"|00 00 00 00|", within 4;
+
+Now that we have all the detection capabilities for our rule, let’s
+put them all together.
+
+content:"|00 00 00 00|", offset 4, depth 4;
+content:"|00 01 87 88|", offset 12, depth 4;
+content:"|00 00 00 01|", offset 20, depth 4;
+content:"|00 00 00 01|", offset 24, depth 4;
+byte_jump:4,36,align;
+content:"|00 00 00 00|", within 4;
+
+The 3rd and fourth string match are right next to each other, so we
+should combine those patterns. We end up with:
+
+content:"|00 00 00 00|", offset 4, depth 4;
+content:"|00 01 87 88|", offset 12, depth 4;
+content:"|00 00 00 01 00 00 00 01|", offset 20, depth 8;
+byte_jump:4,36,align;
+content:"|00 00 00 00|", within 4;
+
+If the sadmind service was vulnerable to a buffer overflow when
+reading the client’s hostname, instead of reading the length of the
+hostname and jumping that many bytes forward, we would check the
+length of the hostname to make sure it is not too large.
+
+To do that, we would read 4 bytes, starting 36 bytes into the packet,
+turn it into a number, and then make sure it is not too large (let’s
+say bigger than 200 bytes). In Snort, we do:
+
+byte_test:4,>,200,36;
+
+Our full rule would be:
+
+content:"|00 00 00 00|", offset 4, depth 4;
+content:"|00 01 87 88|", offset 12, depth 4;
+content:"|00 00 00 01 00 00 00 01|", offset 20, depth 8;
+byte_test:4,>,200,36;
+
+
+5.5. DCE Inspectors
+
+--------------
+
+The main purpose of these inspector are to perform SMB desegmentation
+and DCE/RPC defragmentation to avoid rule evasion using these
+techniques.
+
+5.5.1. Overview
+
+The following transports are supported for DCE/RPC: SMB, TCP, and
+UDP. New rule options have been implemented to improve performance,
+reduce false positives and reduce the count and complexity of DCE/RPC
+based rules.
+
+Different from Snort 2, the DCE-RPC preprocessor is split into three
+inspectors - one for each transport: dce_smb, dce_tcp, dce_udp. This
+includes the configuration as well as the inspector modules. The
+Snort 2 server configuration is now split between the inspectors.
+Options that are meaningful to all inspectors, such as policy and
+defragmentation, are copied into each inspector configuration. The
+address/port mapping is handled by the binder. Autodetect
+functionality is replaced by wizard curses.
+
+5.5.2. Quick Guide
+
+A typical dcerpce configuration looks like this:
+
+binder =
+{
+ {
+ when =
+ {
+ proto = 'tcp',
+ ports = '139 445 1025',
+ },
+ use =
+ {
+ type = 'dce_smb',
+ },
+ },
+ {
+ when =
+ {
+ proto = 'tcp',
+ ports = '135 2103',
+ },
+ use =
+ {
+ type = 'dce_tcp',
+ },
+ },
+ {
+ when =
+ {
+ proto = 'udp',
+ ports = '1030',
+ },
+ use =
+ {
+ type = 'dce_udp',
+ },
+ }
+ }
+
+dce_smb = { }
+
+dce_tcp = { }
+
+dce_udp = { }
+
+In this example, it defines smb, tcp and udp inspectors based on
+port. All the configurations are default.
+
+5.5.3. Target Based
+
+There are enough important differences between Windows and Samba
+versions that a target based approach has been implemented. Some
+important differences:
+
+ * Named pipe instance tracking
+ * Accepted SMB commands
+ * AndX command chaining
+ * Transaction tracking
+ * Multiple Bind requests
+ * DCE/RPC Fragmented requests - Context ID
+ * DCE/RPC Fragmented requests - Operation number
+ * DCE/RPC Stub data byte order
+
+Because of those differences, each inspector can be configured to
+different policy. Here are the list of policies supported:
+
+ * WinXP (default)
+ * Win2000
+ * WinVista
+ * Win2003
+ * Win2008
+ * Win7
+ * Samba
+ * Samba-3.0.37
+ * Samba-3.0.22
+ * Samba-3.0.20
+
+5.5.4. Reassembling
+
+Both SMB inspector and TCP inspector support reassemble. Reassemble
+threshold specifies a minimum number of bytes in the DCE/RPC
+desegmentation and defragmentation buffers before creating a
+reassembly packet to send to the detection engine. This option is
+useful in inline mode so as to potentially catch an exploit early
+before full defragmentation is done. A value of 0 s supplied as an
+argument to this option will, in effect, disable this option. Default
+is disabled.
+
+5.5.5. SMB
+
+SMB inspector is one of the most complex inspectors. In addition to
+supporting rule options and lots of inspector rule events, it also
+supports file processing for both SMB version 1, 2, and 3.
+
+5.5.5.1. Finger Print Policy
+
+In the initial phase of an SMB session, the client needs to
+authenticate with a SessionSetupAndX. Both the request and response
+to this command contain OS and version information that can allow the
+inspector to dynamically set the policy for a session which allows
+for better protection against Windows and Samba specific evasions.
+
+5.5.5.2. File Inspection
+
+SMB inspector supports file inspection. A typical configuration looks
+like this:
+
+binder =
+{
+ {
+ when =
+ {
+ proto = 'tcp',
+ ports = '139 445',
+ },
+ use =
+ {
+ type = 'dce_smb',
+ },
+ },
+}
+
+dce_smb =
+{
+ smb_file_inspection = 'on',
+ smb_file_depth = 0,
+ }
+
+file_id =
+{
+ enable_type = true,
+ enable_signature = true,
+ enable_capture = true,
+ file_rules = magics,
+}
+
+First, define a binder to map tcp port 139 and 445 to smb. Then,
+enable file inspection in smb inspection and set the file depth as
+unlimited. Lastly, enable file inspector to inspect file type,
+calculate file signature, and capture file. The details of file
+inspector are explained in file processing section.
+
+SMB inspector does inspection of normal SMB file transfers. This
+includes doing file type and signature through the file processing as
+well as setting a pointer for the "file_data" rule option. Note that
+the "file_depth" option only applies to the maximum amount of file
+data for which it will set the pointer for the "file_data" rule
+option. For file type and signature it will use the value configured
+for the file API. If "only" is specified, the inspector will only do
+SMB file inspection, i.e. it will not do any DCE/RPC tracking or
+inspection. If "on" is specified with no arguments, the default file
+depth is 16384 bytes. An argument of -1 to "file-depth" disables
+setting the pointer for "file_data", effectively disabling SMB file
+inspection in rules. An argument of 0 to "file_depth" means
+unlimited. Default is "off", i.e. no SMB file inspection is done in
+the inspector.
+
+5.5.6. TCP
+
+dce_tcp inspector supports defragmentation, reassembling, and policy
+that is similar to SMB.
+
+5.5.7. UDP
+
+dce_udp is a very simple inspector that only supports defragmentation
+
+5.5.8. Rule Options
+
+New rule options are supported by enabling the dcerpc2 inspectors:
+
+ * dce_iface
+ * dce_opnum
+ * dce_stub_data
+
+New modifiers to existing byte_test and byte_jump rule options:
+
+ * byte_test: dce
+ * byte_jump: dce
+
+5.5.8.1. dce_iface
+
+For DCE/RPC based rules it has been necessary to set flow-bits based
+on a client bind to a service to avoid false positives. It is
+necessary for a client to bind to a service before being able to make
+a call to it. When a client sends a bind request to the server, it
+can, however, specify one or more service interfaces to bind to. Each
+interface is represented by a UUID. Each interface UUID is paired
+with a unique index (or context id) that future requests can use to
+reference the service that the client is making a call to. The server
+will respond with the interface UUIDs it accepts as valid and will
+allow the client to make requests to those services. When a client
+makes a request, it will specify the context id so the server knows
+what service the client is making a request to. Instead of using
+flow-bits, a rule can simply ask the inspector, using this rule
+option, whether or not the client has bound to a specific interface
+UUID and whether or not this client request is making a request to
+it. This can eliminate false positives where more than one service is
+bound to successfully since the inspector can correlate the bind UUID
+to the context id used in the request. A DCE/RPC request can specify
+whether numbers are represented as big endian or little endian. The
+representation of the interface UUID is different depending on the
+endianness specified in the DCE/RPC previously requiring two rules -
+one for big endian and one for little endian. The inspector
+eliminates the need for two rules by normalizing the UUID. An
+interface contains a version. Some versions of an interface may not
+be vulnerable to a certain exploit. Also, a DCE/RPC request can be
+broken up into 1 or more fragments. Flags (and a field in the
+connectionless header) are set in the DCE/RPC header to indicate
+whether the fragment is the first, a middle or the last fragment.
+Many checks for data in the DCE/RPC request are only relevant if the
+DCE/RPC request is a first fragment (or full request), since
+subsequent fragments will contain data deeper into the DCE/RPC
+request. A rule which is looking for data, say 5 bytes into the
+request (maybe it’s a length field), will be looking at the wrong
+data on a fragment other than the first, since the beginning of
+subsequent fragments are already offset some length from the
+beginning of the request. This can be a source of false positives in
+fragmented DCE/RPC traffic. By default it is reasonable to only
+evaluate if the request is a first fragment (or full request).
+However, if the "any_frag" option is used to specify evaluating on
+all fragments.
+
+Examples:
+
+dce_iface: 4b324fc8-1670-01d3-1278-5a47bf6ee188;
+dce_iface: 4b324fc8-1670-01d3-1278-5a47bf6ee188,<2;
+dce_iface: 4b324fc8-1670-01d3-1278-5a47bf6ee188,any_frag;
+dce_iface: 4b324fc8-1670-01d3-1278-5a47bf6ee188,=1,any_frag;
+
+This option is used to specify an interface UUID. Optional arguments
+are an interface version and operator to specify that the version be
+less than (<), greater than (>), equal to (=) or not equal to (!) the
+version specified. Also, by default the rule will only be evaluated
+for a first fragment (or full request, i.e. not a fragment) since
+most rules are written to start at the beginning of a request. The
+"any_frag" argument says to evaluate for middle and last fragments as
+well. This option requires tracking client Bind and Alter Context
+requests as well as server Bind Ack and Alter Context responses for
+connection-oriented DCE/RPC in the inspector. For each Bind and Alter
+Context request, the client specifies a list of interface UUIDs along
+with a handle (or context id) for each interface UUID that will be
+used during the DCE/RPC session to reference the interface. The
+server response indicates which interfaces it will allow the client
+to make requests to - it either accepts or rejects the client’s wish
+to bind to a certain interface. This tracking is required so that
+when a request is processed, the context id used in the request can
+be correlated with the interface UUID it is a handle for.
+
+hexlong and hexshort will be specified and interpreted to be in big
+endian order (this is usually the default way an interface UUID will
+be seen and represented). As an example, the following Messenger
+interface UUID as taken off the wire from a little endian Bind
+request:
+
+|f8 91 7b 5a 00 ff d0 11 a9 b2 00 c0 4f b6 e6 fc|
+
+must be written as:
+
+5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc
+
+The same UUID taken off the wire from a big endian Bind request:
+
+|5a 7b 91 f8 ff 00 11 d0 a9 b2 00 c0 4f b6 e6 fc|
+
+must be written the same way:
+
+5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc
+
+This option matches if the specified interface UUID matches the
+interface UUID (as referred to by the context id) of the DCE/RPC
+request and if supplied, the version operation is true. This option
+will not match if the fragment is not a first fragment (or full
+request) unless the "any_frag" option is supplied in which case only
+the interface UUID and version need match. Note that a defragmented
+DCE/RPC request will be considered a full request.
+
+Using this rule option will automatically insert fast pattern
+contents into the fast pattern matcher. For UDP rules, the interface
+UUID, in both big and little endian format will be inserted into the
+fast pattern matcher. For TCP rules, (1) if the rule option
+"flow:to_server|from_client" is used, |05 00 00| will be inserted
+into the fast pattern matcher, (2) if the rule option
+"flow:from_server|to_client" is used, |05 00 02| will be inserted
+into the fast pattern matcher and (3) if the flow isn’t known, |05 00
+| will be inserted into the fast pattern matcher. Note that if the
+rule already has content rule options in it, the best (meaning
+longest) pattern will be used. If a content in the rule uses the
+fast_pattern rule option, it will unequivocally be used over the
+above mentioned patterns.
+
+5.5.8.2. dce_opnum
+
+The opnum represents a specific function call to an interface. After
+is has been determined that a client has bound to a specific
+interface and is making a request to it (see above - dce_iface)
+usually we want to know what function call it is making to that
+service. It is likely that an exploit lies in the particular DCE/RPC
+function call.
+
+Examples:
+
+dce_opnum: 15;
+dce_opnum: 15-18;
+dce_opnum: 15,18-20;
+dce_opnum: 15,17,20-22;
+
+This option is used to specify an opnum (or operation number), opnum
+range or list containing either or both opnum and/or opnum-range. The
+opnum of a DCE/RPC request will be matched against the opnums
+specified with this option. This option matches if any one of the
+opnums specified match the opnum of the DCE/RPC request.
+
+5.5.8.3. dce_stub_data
+
+Since most DCE/RPC based rules had to do protocol decoding only to
+get to the DCE/RPC stub data, i.e. the remote procedure call or
+function call data, this option will alleviate this need and place
+the cursor at the beginning of the DCE/RPC stub data. This reduces
+the number of rule option checks and the complexity of the rule.
+
+This option takes no arguments.
+
+Example:
+
+dce_stub_data;
+
+This option is used to place the cursor (used to walk the packet
+payload in rules processing) at the beginning of the DCE/RPC stub
+data, regardless of preceding rule options. There are no arguments to
+this option. This option matches if there is DCE/RPC stub data.
+
+The cursor is moved to the beginning of the stub data. All ensuing
+rule options will be considered "sticky" to this buffer. The first
+rule option following dce_stub_data should use absolute location
+modifiers if it is position-dependent. Subsequent rule options should
+use a relative modifier if they are meant to be relative to a
+previous rule option match in the stub data buffer. Any rule option
+that does not specify a relative modifier will be evaluated from the
+start of the stub data buffer. To leave the stub data buffer and
+return to the main payload buffer, use the "pkt_data" rule option.
+
+5.5.8.4. byte_test and byte_jump
+
+A DCE/RPC request can specify whether numbers are represented in big
+or little endian. These rule options will take as a new argument
+"dce" and will work basically the same as the normal byte_test/
+byte_jump, but since the DCE/RPC inspector will know the endianness
+of the request, it will be able to do the correct conversion.
+
+Examples:
+
+byte_test: 4,>,35000,0,relative,dce;
+byte_test: 2,!=,2280,-10,relative,dce;
+
+When using the "dce" argument to a byte_test, the following normal
+byte_test arguments will not be allowed: "big", "little", "string",
+"hex", "dec" and "oct".
+
+Examples:
+
+byte_jump:4,-4,relative,align,multiplier 2,post_offset -4,dce;
+
+When using the dce argument to a byte_jump, the following normal
+byte_jump arguments will not be allowed: "big", "little", "string",
+"hex", "dec", "oct" and "from_beginning"
+
+
+5.6. File Processing
+
+--------------
+
+With the volume of malware transferred through network increasing,
+network file inspection becomes more and more important. This feature
+will provide file type identification, file signature creation, and
+file capture capabilities to help users deal with those challenges.
+
+5.6.1. Overview
+
+There are two parts of file services: file APIs and file policy. File
+APIs provides all the file inspection functionalities, such as file
+type identification, file signature calculation, and file capture.
+File policy provides users ability to control file services, such as
+enable/disable/configure file type identification, file signature, or
+file capture.
+
+In addition to all capabilities from Snort 2, we support customized
+file policy along with file event log.
+
+ * Supported protocols: HTTP, SMTP, IMAP, POP3, FTP, and SMB.
+ * Supported file signature calculation: SHA256
+
+5.6.2. Quick Guide
+
+A very simple configuration has been included in lua/snort.lua file.
+A typical file configuration looks like this:
+
+dofile('magic.lua')
+
+my_file_policy =
+{
+ { when = { file_type_id = 0 }, use = { verdict = 'log', enable_file_signature = true, enable_file_capture = true } }
+ { when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_signature = true } },
+ { when = { sha256 = "F74DC976BC8387E7D4FC0716A069017A0C7ED13F309A523CC41A8739CCB7D4B6" }, use = { verdict = 'block'} },
+}
+
+file_id =
+{
+ enable_type = true,
+ enable_signature = true,
+ enable_capture = true,
+ file_rules = magics,
+ trace_type = true,
+ trace_signature = true,
+ trace_stream = true,
+ file_policy = my_file_policy,
+ }
+
+file_log =
+{
+ log_pkt_time = true,
+ log_sys_time = false,
+}
+
+There are 3 steps to enable file processing:
+
+ * First, you need to include the file magic rules.
+ * Then, define the file policy and configure the inspector
+ * At last, enable file_log to get detailed information about file
+ event
+
+5.6.3. Pre-packaged File Magic Rules
+
+A set of file magic rules is packaged with Snort. They can be located
+at "lua/file_magic.lua". To use this feature, it is recommended that
+these pre-packaged rules are used; doing so requires that you include
+the file in your Snort configuration as such (already in snort.lua):
+
+dofile('magic.lua')
+
+Example:
+
+{ type = "GIF", id = 62, category = "Graphics", rev = 1,
+ magic = { { content = "| 47 49 46 38 37 61 |",offset = 0 } } },
+
+{ type = "GIF", id = 63, category = "Graphics", rev = 1,
+ magic = { { content = "| 47 49 46 38 39 61 |",offset = 0 } } },
+
+The previous two rules define GIF format, because two file magics are
+different. File magics are specified by content and offset, which
+look at content at particular file offset to identify the file type.
+In this case, two magics look at the beginning of the file. You can
+use character if it is printable or hex value in between "|".
+
+5.6.4. File Policy
+
+You can enabled file type, file signature, or file capture by
+configuring file_id. In addition, you can enable trace to see file
+stream data, file type, and file signature information.
+
+Most importantly, you can configure a file policy that can block/
+alert some file type or an individual file based on SHA. This allows
+you build a file blacklist or whitelist.
+
+Example:
+
+file_policy =
+{
+ { when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_signature = true } },
+ { when = { sha256 = "F74DC976BC8387E7D4FC0716A069017A0C7ED13F309A523CC41A8739CCB7D4B6" }, use = { verdict = 'block'} },
+ { when = { file_type_id = 0 }, use = { verdict = 'log', enable_file_signature = true, enable_file_capture = true } }
+}
+
+In this example, it enables this policy:
+
+ * For PDF files, they will be logged with signatures.
+ * For the file matching this SHA, it will be blocked
+ * For all file types identified, they will be logged with
+ signature, and also captured onto log folder.
+
+5.6.5. File Capture
+
+File can be captured and stored to log folder. We use SHA as file
+name instead of actual file name to avoid conflicts. You can capture
+either all files, some file type, or a particular file based on SHA.
+
+You can enable file capture through this config:
+
+enable_capture = true,
+
+or enable it for some file or file type in your file policy:
+
+{ when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_capture = true } },
+
+The above rule will enable PDF file capture.
+
+5.6.6. File Events
+
+File inspect preprocessor also works as a dynamic output plugin for
+file events. It logs basic information about file. The log file is in
+the same folder as other log files with name starting with
+"file.log".
+
+Example:
+
+file_log = { log_pkt_time = true, log_sys_time = false }
+
+All file events will be logged in packet time, system time is not
+logged.
+
+File event example:
+
+08/14-19:14:19.100891 10.22.75.72:33734 -> 10.22.75.36:80,
+[Name: "malware.exe"] [Verdict: Block] [Type: MSEXE]
+[SHA: 6F26E721FDB1AAFD29B41BCF90196DEE3A5412550615A856DAE8E3634BCE9F7A]
+[Size: 1039328]
+
+
+5.7. High Availability
+
+--------------
+
+High Availability includes the HA flow synchronization and the
+SideChannel messaging subsystems.
+
+5.7.1. HA
+
+HighAvailability (or HA) is a Snort module that provides state
+coherency between two partner snort instances. It uses SideChannel
+for messaging.
+
+There can be multiple types of HA within Snort and Snort plugins. HA
+implements an extensible architecture to enable plugins to subscribe
+to the base flow HA messaging. These plugins can then include their
+own messages along with the flow cache HA messages.
+
+HA produces and consumes two type of messages:
+
+ * Update - Update flow status. Plugins may add their own data to
+ the messages
+ * Delete - A flow has been removed from the cache
+
+The HA module is configured with these items:
+
+high_availability =
+{
+ ports = "1",
+ enable = true,
+ min_age = 0,
+ min_sync = 0
+}
+
+The ports item maps to the SideChannel port to use for the HA
+messaging.
+
+The enabled item controls the overall HA operation.
+
+The items min_age and min_sync are used in the stream HA logic.
+min_age is the number of milliseconds that a flow must exist in the
+flow cache before sending HA messages to the partner. min_sync is the
+minimum time between HA status updates. HA messages for a particular
+flow will not be sent faster than min_sync. Both are expressed as a
+number of milliseconds.
+
+HA messages are composed of the base stream information plus any
+content from additional modules. Modules subscribe HA in order to add
+message content. The stream HA content is always present in the
+messages while the ancillary module content is only present when
+requested via a status change request.
+
+5.7.2. Connector
+
+Connectors are a set of modules that are used to exchange
+message-oriented data among Snort threads and the external world. A
+typical use-case is HA (High Availability) message exchange.
+Connectors serve to decouple the message transport from the message
+creation/consumption. Connectors expose a common API for several
+forms of message transport.
+
+Connectors are a Snort plugin type.
+
+5.7.2.1. Connector (parent plugin class)
+
+Connectors may either be a simplex channel and perform unidirectional
+communications. Or may be duplex and perform bidirectional
+communications. The TcpConnector is duplex while the FileConnector is
+simplex.
+
+All subtypes of Connector have a direction configuration element and
+a connector element. The connector string is the key used to identify
+the element for sidechannel configuration. The direction element may
+have a default value, for instance TcpConnector’s are duplex.
+
+There are currently two implementations of Connectors:
+
+ * TcpConnector - Exchange messages over a tcp channel.
+ * FileConnector - Write messages to files and read messages from
+ files.
+
+5.7.2.2. TcpConnector
+
+TcpConnector is a subclass of Connector and implements a DUPLEX type
+Connector, able to send and receive messages over a tcp session.
+
+TcpConnector adds a few session setup configuration elements:
+
+ * setup = call or answer - call is used to have TcpConnector
+ initiate the connection. answer is used to have TcpConnector
+ accept incoming connections.
+ * address = <addr> - used for call setup to specify the partner
+ * base_port = port - used to contruct the actual port number for
+ call and answer modes. Actual port used is (base_port +
+ instance_id).
+
+An example segment of TcpConnector configuration:
+
+tcp_connector =
+{
+ {
+ connector = 'tcp_1',
+ address = '127.0.0.1',
+ setup = 'call',
+ base_port = 11000
+ },
+}
+
+5.7.2.3. FileConnector
+
+FileConnector implements a Connector that can either read from files
+or write to files. FileConnector’s are simplex and must be configured
+to be CONN_TRANSMIT or CONN_RECEIVE.
+
+FileConnector configuration adds two additional element:
+
+ * name = string - used as part of the message file name
+ * format = text or binary - FileConnector supports two file types
+
+The configured name string is used to construct the actual names as
+in:
+
+ * file_connector_NAME_transmit and file_connector_NAME_receive
+
+All messages for one Snort invocation are read and written to one
+file.
+
+In the case of a receive FileConnector, all messages are read from
+the file prior to the start of packet processing. This allows the
+messages to establish state information for all processed packets.
+
+Connectors are used solely by SideChannel
+
+An example segment of FileConnector configuration:
+
+file_connector =
+{
+ {
+ connector = 'file_tx_1',
+ direction = 'transmit',
+ format = 'text',
+ name = 'HA'
+ },
+ {
+ connector = 'file_rx_1',
+ direction = 'receive',
+ format = 'text',
+ name = 'HA'
+ },
+}
+
+5.7.3. Side Channel
+
+SideChannel is a Snort module that uses Connectors to implement a
+messaging infrastructure that is used to communicate between Snort
+threads and the outside world.
+
+SideChannel adds functionality onto the Connector as:
+
+ * message multiplexing/demultiplexing - An additional protocol
+ layer is added to the messages. This port number is used to
+ direct message to/from various SideClass instancs.
+ * application receive processing - handler for received messages on
+ a specific port.
+
+SideChannel’s are always implement a duplex (bidirectional) messaging
+model and can map to separate transmit and receive Connectors.
+
+The message handling model leverages the underlying Connector
+handling. So please refer to the Connector documentation.
+
+SideChannel’s are instantiated by various applications. The
+SideChannel port numbers are the configuration element used to map
+SideChannel’s to applications.
+
+The SideChannel configuration mostly serves to map a port number to a
+Connector or set of connectors. Each port mapping can have at most
+one transmit plus one receive connector or one duplex connector.
+Multiple SideChannel’s may be configured and instantiated to support
+multiple applications.
+
+An example SideChannel configuration along with the corresponding
+Connector configuration:
+
+side_channel =
+{
+ {
+ ports = '1',
+ connectors =
+ {
+ {
+ connector = 'file_rx_1',
+ },
+ {
+ connector = 'file_tx_1',
+ }
+ },
+ },
+}
+
+file_connector =
+{
+ {
+ connector = 'file_tx_1',
+ direction = 'transmit',
+ format = 'text',
+ name = 'HA'
+ },
+ {
+ connector = 'file_rx_1',
+ direction = 'receive',
+ format = 'text',
+ name = 'HA'
+ },
+}
+
+
+5.8. FTP
+
+--------------
+
+Given an FTP command channel buffer, FTP will interpret the data,
+identifying FTP commands and parameters, as well as FTP response
+codes and messages. It will enforce correctness of the parameters,
+determine when an FTP command connection is encrypted, and determine
+when an FTP data channel is opened.
+
+5.8.1. Configuring the inspector to block exploits and attacks
+
+5.8.1.1. ftp_server configuration
+
+ * ftp_cmds
+
+This specifies additional FTP commands outside of those checked by
+default within the inspector. The inspector may be configured to
+generate an alert when it sees a command it does not recognize.
+
+Aside from the default commands recognized, it may be necessary to
+allow the use of the "X" commands, specified in RFC 775. To do so,
+use the following ftp_cmds option. Since these are rarely used by FTP
+client implementations, they are not included in the defaults.
+
+ftp_cmds = [[ XPWD XCWD XCUP XMKD XRMD ]]
+
+ * def_max_param_len
+
+This specifies the default maximum parameter length for all commands
+in bytes. If the parameter for an FTP command exceeds that length,
+and the inspector is configured to do so, an alert will be generated.
+This is used to check for buffer overflow exploits within FTP
+servers.
+
+ * cmd_validity
+
+This specifies the valid format and length for parameters of a given
+command.
+
+ * cmd_validity[].len
+
+This specifies the maximum parameter length for the specified command
+in bytes, overriding the default. If the parameter for that FTP
+command exceeds that length, and the inspector is configured to do
+so, an alert will be generated. It can be used to restrict specific
+commands to small parameter values. For example the USER
+command — usernames may be no longer than 16 bytes, so the
+appropriate configuration would be:
+
+cmd_validity =
+{
+ {
+ command = 'USER',
+ length = 16,
+ }
+}
+
+ * cmd_validity[].format
+
+format is as follows:
+
+int Param must be an integer
+number Param must be an integer between 1 and 255
+char <chars> Param must be a single char, and one of <chars>
+date <datefmt> Param follows format specified where
+ # = Number, C=Char, []=optional, |=OR, {}=choice,
+ anything else=literal (i.e., .+- )
+string Param is string (effectively unrestricted)
+host_port Param must a host port specifier, per RFC 959.
+long_host_port Parameter must be a long host port specified, per RFC 1639
+extended_host_port Parameter must be an extended host port specified, per RFC 2428
+
+Examples of the cmd_validity option are shown below. These examples
+are the default checks (per RFC 959 and others) performed by the
+inspector.
+
+cmd_validity =
+{
+ {
+ command = 'CWD',
+ length = 200,
+ },
+ {
+ command = 'MODE',
+ format = '< char SBC >',
+ },
+ {
+ command = 'STRU',
+ format = '< char FRP >',
+ },
+ {
+ command = 'ALLO',
+ format = '< int [ char R int ] >',
+ },
+ {
+ command = 'TYPE',
+ format = [[ < { char AE [ char NTC ] | char I | char L [ number ]
+ } > ]],
+ },
+ {
+ command = 'PORT',
+ format = '< host_port >',
+ },
+}
+
+A cmd_validity entry in the configuration can be used to override
+these defaults and/or add a check for other commands. A few examples
+follow.
+
+This allows additional modes, including mode Z which allows for
+zip-style compression:
+
+cmd_validity =
+{
+ {
+ command = 'MODE',
+ format = '< char ASBCZ >',
+ },
+}
+
+Allow for a date in the MDTM command:
+
+cmd_validity =
+{
+ {
+ command = 'MDTM',
+ format = '< [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string >',
+ },
+}
+
+MDTM is an odd case that is worth discussing…
+
+While not part of an established standard, certain FTP servers accept
+MDTM commands that set the modification time on a file. The most
+common among servers that do, accept a format using YYYYMMDDHHmmss
+[.uuu]. Some others accept a format using YYYYMMDDHHmmss[+|-]TZ
+format. The example above is for the first case.
+
+To check validity for a server that uses the TZ format, use the
+following:
+
+cmd_validity =
+{
+ {
+ command = 'MDTM',
+ format = '< [ date nnnnnnnnnnnnnn[{+|-}n[n]] ] string >',
+ },
+}
+
+ * chk_str_fmt
+
+This causes the inspector to check for string format attacks on the
+specified commands.
+
+ * telnet_cmds
+
+Detect and alert when telnet cmds are seen on the FTP command
+channel.
+
+ * ignore_telnet_erase_cmds
+
+This option allows Snort to ignore telnet escape sequences for erase
+character (TNC EAC) and erase line (TNC EAL) when normalizing FTP
+command channel. Some FTP servers do not process those telnet escape
+sequences.
+
+ * ignore_data_chan
+
+When set to true, causes the FTP inspector to force the rest of snort
+to ignore the FTP data channel connections. NO INSPECTION other than
+state (inspector AND rules) will be performed on that data channel.
+It can be turned on to improve performance — especially with respect
+to large file transfers from a trusted source — by ignoring traffic.
+If your rule set includes virus-type rules, it is recommended that
+this option not be used.
+
+5.8.1.2. ftp_client configuration
+
+ * max_resp_len
+
+This specifies the maximum length for all response messages in bytes.
+If the message for an FTP response (everything after the 3 digit
+code) exceeds that length, and the inspector is configured to do so,
+an alert will be generated. This is used to check for buffer overflow
+exploits within FTP clients.
+
+ * telnet_cmds
+
+Detect and alert when telnet cmds are seen on the FTP command
+channel.
+
+ * ignore_telnet_erase_cmds
+
+This option allows Snort to ignore telnet escape sequences for erase
+character (TNC EAC) and erase line (TNC EAL) when normalizing FTP
+command channel. Some FTP clients do not process those telnet escape
+sequences.
+
+5.8.1.3. ftp_data
+
+In order to enable file inspection for ftp, the following should be
+added to the configuration:
+
+ftp_data = {}
+
+
+5.9. HTTP Inspector
+
+--------------
+
+One of the major undertakings for Snort 3 is developing a completely
+new HTTP inspector.
+
+5.9.1. Overview
+
+You can configure it by adding:
+
+http_inspect = {}
+
+to your snort.lua configuration file. Or you can read about it in the
+source code under src/service_inspectors/http_inspect.
+
+So why a new HTTP inspector?
+
+For starters it is object-oriented. That’s good for us because we
+maintain this software. But it should also be really nice for
+open-source developers. You can make meaningful changes and additions
+to HTTP processing without having to understand the whole thing. In
+fact much of the new HTTP inspector’s knowledge of HTTP is
+centralized in a series of tables where it can be easily reviewed and
+modified. Many significant changes can be made just by updating these
+tables.
+
+http_inspect is the first inspector written specifically for the new
+Snort 3 architecture. This provides access to one of the very best
+features of Snort 3: purely PDU-based inspection. The classic
+preprocessor processes HTTP messages, but even while doing so it is
+constantly aware of IP packets and how they divide up the TCP data
+stream. The same HTTP message might be processed differently
+depending on how the sender (bad guy) divided it up into IP packets.
+
+http_inspect is free of this burden and can focus exclusively on
+HTTP. This makes it much simpler, easier to test, and less prone to
+false positives. It also greatly reduces the opportunity for
+adversaries to probe the inspector for weak spots by adjusting packet
+boundaries to disguise bad behavior.
+
+Dealing solely with HTTP messages also opens the door for developing
+major new features. The http_inspect design supports true stateful
+processing. Want to ask questions that involve both the client
+request and the server response? Or different requests in the same
+session? These things are possible.
+
+Another new feature on the horizon is HTTP/2 analysis. HTTP/2 derives
+from Google’s SPDY project and is in the process of being
+standardized. Despite the name, it is better to think of HTTP/2 not
+as a newer version of HTTP/1.1, but rather a separate protocol layer
+that runs under HTTP/1.1 and on top of TLS or TCP. It’s a perfect fit
+for the new Snort 3 architecture because a new HTTP/2 inspector would
+naturally output HTTP/1.1 messages but not any underlying packets.
+Exactly what http_inspect wants to input.
+
+http_inspect is taking a very different approach to HTTP header
+fields. The classic preprocessor divides all the HTTP headers
+following the start line into cookies and everything else. It
+normalizes the two pieces using a generic process and puts them in
+buffers that one can write rules against. There is some limited
+support for examining individual headers within the inspector but it
+is very specific.
+
+The new concept is that every header should be normalized in an
+appropriate and specific way and individually made available for the
+user to write rules against it. If for example a header is supposed
+to be a date then normalization means put that date in a standard
+format.
+
+5.9.2. Configuration
+
+Configuration can be as simple as adding:
+
+http_inspect = {}
+
+to your snort.lua file. The default configuration provides a thorough
+inspection and may be all that you need. But there are some options
+that provide extra features, tweak how things are done, or conserve
+resources by doing less.
+
+5.9.2.1. request_depth and response_depth
+
+These replace the flow depth parameters used by the old HTTP
+inspector but they work differently.
+
+The default is to inspect the entire HTTP message body. That’s a very
+sound approach but if your HTTP traffic includes many very large
+files such as videos the load on Snort can become burdensome. Setting
+the request_depth and response_depth parameters will limit the amount
+of body data that is sent to the rule engine. For example:
+
+request_depth = 10000,
+response_depth = 80000,
+
+would examine only the first 10000 bytes of POST, PUT, and other
+message bodies sent by the client. Responses from the server would be
+limited to 80000 bytes.
+
+These limits apply only to the message bodies. HTTP headers are
+always completely inspected.
+
+If you want to only inspect headers and no body, set the depth to 0.
+If you want to inspect the entire body set the depth to -1 or simply
+omit the depth parameter entirely because that is the default.
+
+These limits have no effect on how much data is forwarded to file
+processing.
+
+5.9.2.2. detained_inspection
+
+Detained inspection is an experimental feature currently under
+development. It enables Snort to more quickly detect and block
+response messages containing malicious JavaScript. As this feature
+involves actively blocking traffic it is designed for use with inline
+mode operation (-Q).
+
+This feature is off by default. detained_inspection = true will
+activate it.
+
+5.9.2.3. gzip
+
+http_inspect by default decompresses deflate and gzip message bodies
+before inspecting them. This feature can be turned off by unzip =
+false. Turning off decompression provides a substantial performance
+improvement but at a very high price. It is unlikely that any
+meaningful inspection of message bodies will be possible. Effectively
+HTTP processing would be limited to the headers.
+
+5.9.2.4. normalize_utf
+
+http_inspect will decode utf-8, utf-7, utf-16le, utf-16be, utf-32le,
+and utf-32be in response message bodies based on the Content-Type
+header. This feature is on by default: normalize_utf = false will
+deactivate it.
+
+5.9.2.5. decompress_pdf
+
+decompress_pdf = true will enable decompression of compressed
+portions of PDF files encountered in a response body. http_inspect
+will examine the response body for PDF files that are then parsed to
+locate PDF streams with a single /FlateDecode filter. The compressed
+content is decompressed and made available through the file data rule
+option.
+
+5.9.2.6. decompress_swf
+
+decompress_swf = true will enable decompression of compressed SWF
+(Adobe Flash content) files encountered in a response body. The
+available decompression modes are ’deflate’ and ’lzma’. http_inspect
+will search for the file signatures CWS for Deflate/ZLIB and ZWS for
+LZMA. The compressed content is decompressed and made available
+through the file data rule option. The compressed SWF file signature
+is converted to FWS to indicate an uncompressed file.
+
+5.9.2.7. normalize_javascript
+
+normalize_javascript = true will enable normalization of JavaScript
+within the HTTP response body. http_inspect looks for JavaScript by
+searching for the <script> tag without a type. Obfuscated data within
+the JavaScript functions such as unescape, String.fromCharCode,
+decodeURI, and decodeURIComponent are normalized. The different
+encodings handled within the unescape, decodeURI, or
+decodeURIComponent are %XX, %uXXXX, XX and uXXXXi. http_inspect also
+replaces consecutive whitespaces with a single space and normalizes
+the plus by concatenating the strings.
+
+5.9.2.8. URI processing
+
+Normalization and inspection of the URI in the HTTP request message
+is a key aspect of what http_inspect does. The best way to normalize
+a URI is very dependent on the idiosyncrasies of the HTTP server
+being accessed. The goal is to interpret the URI the same way as the
+server will so that nothing the server will see can be hidden from
+the rule engine.
+
+The default URI inspection parameters are oriented toward following
+the HTTP RFCs—reading the URI the way the standards say it should be
+read. Most servers deviate from this ideal in various ways that can
+be exploited by an attacker. The options provide tools for the user
+to cope with that.
+
+utf8 = true
+plus_to_space = true
+percent_u = false
+utf8_bare_byte = false
+iis_unicode = false
+iis_double_decode = true
+
+The HTTP inspector normalizes percent encodings found in URIs. For
+instance it will convert "%48%69%64%64%65%6e" to "Hidden". All the
+options listed above control how this is done. The options listed as
+true are fairly standard features that are decoded by default. You
+don’t need to list them in snort.lua unless you want to turn them off
+by setting them to false. But that is not recommended unless you know
+what you are doing and have a definite reason.
+
+The other options are primarily for the protection of servers that
+support irregular forms of decoding. These features are off by
+default but you can activate them if you need to by setting them to
+true in snort.lua.
+
+bad_characters = "0x25 0x7e 0x6b 0x80 0x81 0x82 0x83 0x84"
+
+That’s a list of 8-bit Ascii characters that you don’t want present
+in any normalized URI after the percent decoding is done. For example
+0x25 is a hexadecimal number (37 in decimal) which stands for the %
+character. The % character is legitimately used for encoding special
+characters in a URI. But if there is still a percent after
+normalization one might conclude that something is wrong. If you
+choose to configure 0x25 as a bad character there will be an alert
+whenever this happens.
+
+Another example is 0x00 which signifies the null character zero. Null
+characters in a URI are generally wrong and very suspicious.
+
+The default is not to alert on any of the 256 8-bit Ascii characters.
+Add this option to your configuration if you want to define some bad
+characters.
+
+ignore_unreserved = "abc123"
+
+Percent encoding common characters such as letters and numbers that
+have no special meaning in HTTP is suspicious. It’s legal but why
+would you do it unless you have something to hide? http_inspect will
+alert whenever an upper-case or lower-case letter, a digit, period,
+underscore, tilde, or minus is percent-encoded. But if a legitimate
+application in your environment encodes some of these characters for
+some reason this allows you to create exemptions for those
+characters.
+
+In the example, the lower-case letters a, b, and c and the digits 1,
+2, and 3 are exempted. These may be percent-encoded without
+generating an alert.
+
+simplify_path = true
+backslash_to_slash = true
+
+HTTP inspector simplifies directory paths in URIs by eliminating
+extra traversals using ., .., and /.
+
+For example I can take a simple URI such as
+
+/very/easy/example
+
+and complicate it like this:
+
+/very/../very/././././easy//////detour/to/nowhere/../.././../example
+
+which may be very difficult to match with a detection rule.
+simplify_path is on by default and you should not turn it off unless
+you have no interest in URI paths.
+
+backslash_to_slash is a tweak to path simplification for servers that
+allow directories to be separated by backslashes:
+
+/this/is/the/normal/way/to/write/a/path
+
+\this\is\the\other\way\to\write\a\path
+
+backslash_to_slash is turned on by default. It replaces all the
+backslashes with slashes during normalization.
+
+5.9.3. CONNECT processing
+
+The HTTP CONNECT method is used by a client to establish a tunnel to
+a destination via an HTTP proxy server. If the connection is
+successful the server will send a 2XX success response to the client,
+then proceed to blindly forward traffic between the client and
+destination. That traffic belongs to a new session between the client
+and destination and may be of any protocol, so clearly the HTTP
+inspector will be unable to continue processing traffic following the
+CONNECT message as if it were just a continuation of the original
+HTTP/1.1 session.
+
+Therefore upon receiving a success response to a CONNECT request, the
+HTTP inspector will stop inspecting the session. The next packet will
+return to the wizard, which will determine the appropriate inspector
+to continue processing the flow. If the tunneled protocol happens to
+be HTTP/1.1, the HTTP inspector will again start inspecting the flow,
+but as an entirely new session.
+
+There is one scenario where the cutover to the wizard will not occur
+despite a 2XX success response to a CONNECT request. HTTP allows for
+pipelining, or sending multiple requests without waiting for a
+response. If the HTTP inspector sees any further traffic from the
+client after a CONNECT request before it has seen the CONNECT
+response, it is unclear whether this traffic should be interpreted as
+a pipelined HTTP request or tunnel traffic sent in anticipation of a
+success response from the server. Due to this potential evasion
+tactic, the HTTP inspector will not cut over to the wizard if it sees
+any early client-to-server traffic, but will continue normal HTTP
+processing of the flow regardless of the eventual server response.
+
+5.9.4. Detection rules
+
+http_inspect parses HTTP messages into their components and makes
+them available to the detection engine through rule options. Let’s
+start with an example:
+
+alert tcp any any -> any any ( msg:"URI example"; flow:established,
+to_server; http_uri; content:"chocolate"; sid:1; rev:1; )
+
+This rule looks for chocolate in the URI portion of the request
+message. Specifically, the http_uri rule option is the normalized URI
+with all the percent encodings removed. It will find chocolate in
+both:
+
+GET /chocolate/cake HTTP/1.1
+
+and
+
+GET /%63%68$6F%63%6F%6C%61%74%65/%63%61%6B%65 HTTP/1.1
+
+It is also possible to search the unnormalized URI
+
+alert tcp any any -> any any ( msg:"Raw URI example"; flow:established,
+to_server; http_raw_uri; content:"chocolate"; sid:2; rev:1; )
+
+will match the first message but not the second. If you want to
+detect someone who is trying to hide his request for chocolate then
+
+alert tcp any any -> any any ( msg:"Raw URI example"; flow:established,
+to_server; http_raw_uri; content:"%63%68$6F%63%6F%6C%61%74%65";
+sid:3; rev:1; )
+
+will do the trick.
+
+Let’s look at possible ways of writing a rule to match HTTP response
+messages with the Content-Language header set to "da" (Danish). You
+could write:
+
+alert tcp any any -> any any ( msg:"whole header search";
+flow:established, to_client; http_header; content:
+"Content-Language: da", nocase; sid:4; rev:1; )
+
+This rule leaves much to be desired. Modern headers are often
+thousands of bytes and seem to get longer every year. Searching all
+of the headers consumes a lot of resources. Furthermore this rule is
+easily evaded:
+
+HTTP/1.1 ... Content-Language: da ...
+
+the extra space before the "da" throws the rule off. Or how about:
+
+HTTP/1.1 ... Content-Language: xx,da ...
+
+By adding a made up second language the attacker has once again
+thwarted the match.
+
+A better way to write this rule is:
+
+alert tcp any any -> any any ( msg:"individual header search";
+flow:established, to_client; http_header: field content-language;
+content:"da", nocase; sid:4; rev:2; )
+
+The field option improves performance by narrowing the search to the
+Content-Language field of the header. Because it uses the header
+parsing abilities of http_inspect to find the field of interest it
+will not be thrown off by extra spaces or other languages in the
+list.
+
+In addition to the headers there are rule options for virtually every
+part of the HTTP message.
+
+5.9.4.1. http_uri and http_raw_uri
+
+These provide the URI of the request message. The raw form is exactly
+as it appeared in the message and the normalized form is determined
+by the URI normalization options you selected. In addition to
+searching the entire URI there are six components that can be
+searched individually:
+
+alert tcp any any -> any any ( msg:"URI path"; flow:established,
+to_server; http_uri: path; content:"chocolate"; sid:1; rev:2; )
+
+By specifying "path" the search is limited to the path portion of the
+URI. Informally this is the part consisting of the directory path and
+file name. Thus it will match:
+
+GET /chocolate/cake HTTP/1.1
+
+but not:
+
+GET /book/recipes?chocolate+cake HTTP/1.1
+
+The question mark ends the path and begins the query portion of the
+URI. Informally the query is where parameter values are set and often
+contains a search to be performed.
+
+The six components are:
+
+ 1. path: directory and file
+ 2. query: user parameters
+ 3. fragment: part of the file requested, normally found only inside
+ a browser and not transmitted over the network
+ 4. host: domain name of the server being addressed
+ 5. port: TCP port number being addressed
+ 6. scheme: normally "http" or "https" but others are possible such
+ as "ftp"
+
+Here is an example with all six:
+
+GET https://www.samplehost.com:287/basic/example/of/path?with-query
+#and-fragment HTTP/1.1\r\n
+
+The URI is everything between the first space and the last space.
+"https" is the scheme, "www.samplehost.com" is the host, "287" is the
+port, "/basic/example/of/path" is the path, "with-query" is the
+query, and "and-fragment" is the fragment.
+
+http_uri represents the normalized uri, normalization of components
+depends on uri type. If the uri is of type absolute (contains all six
+components) or absolute path (contains path, query and fragment) then
+the path and query components are normalized. In these cases,
+http_uri represents the normalized path, query, and fragment (/path?
+query#fragment). If the uri is of type authority (host and port), the
+host is normalized and http_uri represents the normalized host with
+the port number. In all other cases http_uri is the same as
+http_raw_uri.
+
+Note: this section uses informal language to explain some things.
+Nothing here is intended to conflict with the technical language of
+the HTTP RFCs and the implementation follows the RFCs.
+
+5.9.4.2. http_header and http_raw_header
+
+These cover all the header lines except the first one. You may
+specify an individual header by name using the field option as shown
+in this earlier example:
+
+alert tcp any any -> any any ( msg:"individual header search";
+flow:established, to_client; http_header: field content-language;
+content:"da", nocase; sid:4; rev:2; )
+
+This rule searches the value of the Content-Language header. Header
+names are not case sensitive and may be written in the rule in any
+mixture of upper and lower case.
+
+With http_header the individual header value is normalized in a way
+that is appropriate for that header.
+
+Specifying an individual header is not available for http_raw_header.
+
+If you don’t specify a header you get all of the headers except for
+the cookie headers Cookie and Set-Cookie. http_raw_header includes
+the unmodified header names and values as they appeared in the
+original message. http_header is the same except percent encodings
+are removed and paths are simplified exactly as if the headers were a
+URI.
+
+In most cases specifying individual headers creates a more efficient
+and accurate rule. It is recommended that new rules be written using
+individual headers whenever possible.
+
+5.9.4.3. http_trailer and http_raw_trailer
+
+HTTP permits header lines to appear after a chunked body ends.
+Typically they contain information about the message content that was
+not available when the headers were created. For convenience we call
+them trailers.
+
+http_trailer and http_raw_trailer are identical to their header
+counterparts except they apply to these end headers. If you want a
+rule to inspect both kinds of headers you need to write two rules,
+one using header and one using trailer.
+
+5.9.4.4. http_cookie and http_raw_cookie
+
+These provide the value of the Cookie header for a request message
+and the Set-Cookie for a response message. If multiple cookies are
+present they will be concatenated into a comma-separated list.
+
+Normalization for http_cookie is the same URI-style normalization
+applied to http_header when no specific header is specified.
+
+5.9.4.5. http_true_ip
+
+This provides the original IP address of the client sending the
+request as it was stored by a proxy in the request message headers.
+Specifically it is the last IP address listed in the X-Forwarded-For
+or True-Client-IP header. If both headers are present the former is
+used.
+
+5.9.4.6. http_client_body
+
+This is the body of a request message such as POST or PUT.
+Normalization for http_client_body is the same URI-like normalization
+applied to http_header when no specific header is specified.
+
+5.9.4.7. http_raw_body
+
+This is the body of a request or response message. It will be
+dechunked and unzipped if applicable but will not be normalized in
+any other way. The difference between http_raw_body and packet data
+is a rule that uses packet data will search and may match an HTTP
+header, but http_raw_body is limited to the message body. Thus the
+latter is more efficient and more accurate for most uses.
+
+5.9.4.8. http_method
+
+The method field of a request message. Common values are "GET",
+"POST", "OPTIONS", "HEAD", "DELETE", "PUT", "TRACE", and "CONNECT".
+
+5.9.4.9. http_stat_code
+
+The status code field of a response message. This is normally a
+3-digit number between 100 and 599. In this example it is 200.
+
+HTTP/1.1 200 OK
+
+5.9.4.10. http_stat_msg
+
+The reason phrase field of a response message. This is the
+human-readable text following the status code. "OK" in the previous
+example.
+
+5.9.4.11. http_version
+
+The protocol version information that appears on the first line of an
+HTTP message. This is usually "HTTP/1.0" or "HTTP/1.1".
+
+5.9.4.12. http_raw_request and http_raw_status
+
+These are the unmodified first header line of the HTTP request and
+response messages respectively. These rule options are a safety valve
+in case you need to do something you cannot otherwise do. In most
+cases it is better to use a rule option for a specific part of the
+first header line. For a request message those are http_method,
+http_raw_uri, and http_version. For a response message those are
+http_version, http_stat_code, and http_stat_msg.
+
+5.9.4.13. file_data and packet data
+
+file_data contains the normalized message body. This is the
+normalization described above under gzip, normalize_utf,
+decompress_pdf, decompress_swf, and normalize_javascript.
+
+The unnormalized message content is available in the packet data. If
+gzip is configured the packet data will be unzipped.
+
+5.9.5. Timing issues and combining rule options
+
+HTTP inspector is stateful. That means it is aware of a bigger
+picture than the packet in front of it. It knows what all the pieces
+of a message are, the dividing lines between one message and the
+next, which request message triggered which response message,
+pipelines, and how many messages have been sent over the current
+connection.
+
+Some rules use a single rule option:
+
+alert tcp any any -> any any ( msg:"URI example"; flow:established,
+to_server; http_uri; content:"chocolate"; sid:1; rev:1; )
+
+Whenever a new URI is available this rule will be evaluated. Nothing
+complicated about that, but suppose we use more than one rule option:
+
+alert tcp any any -> any any ( msg:"combined example"; flow:established,
+to_server; http_uri: with_body; content:"chocolate"; file_data;
+content:"sinister POST data"; sid:5; rev:1; )
+
+The with_body option to http_uri causes the URI to be made available
+with the message body. Use with_body for header-related rule options
+in rules that also examine the message body.
+
+The with_trailer option is analogous and causes an earlier message
+element to be made available at the end of the message when the
+trailers following a chunked body arrive.
+
+alert tcp any any -> any any ( msg:"double content-language";
+flow:established, to_client; http_header: with_trailer, field
+content-language; content:"da", nocase; http_trailer: field
+content-language; content:"en", nocase; sid:6; rev:1; )
+
+This rule will alert if the Content-Language changes from Danish in
+the headers to English in the trailers. The with_trailer option is
+essential to make this rule work.
+
+It is also possible to write rules that examine both the client
+request and the server response to it.
+
+alert tcp any any -> any any ( msg:"request and response example";
+flow:established, to_client; http_uri: with_body; content:"chocolate";
+file_data; content:"white chocolate"; sid:7; rev:1; )
+
+This rule looks for white chocolate in a response message body where
+the URI of the request contained chocolate. Note that this is a
+"to_client" rule that will alert on and potentially block a server
+response containing white chocolate, but only if the client URI
+requested chocolate. If the rule were rewritten "to_server" it would
+be nonsense and not work. Snort cannot block a client request based
+on what the server response will be because that has not happened
+yet.
+
+Another point is "with_body" for http_uri. This ensures the rule
+works on the entire response body. If we were looking for white
+chocolate in the response headers this would not be necessary.
+
+Response messages do not have a URI so there was only one thing
+http_uri could have meant in the previous rule. It had to be
+referring to the request message. Sometimes that is not so clear.
+
+alert tcp any any -> any any ( msg:"header ambiguity example 1";
+flow:established, to_client; http_header: with_body; content:
+"chocolate"; file_data; content:"white chocolate"; sid:8; rev:1; )
+
+alert tcp any any -> any any ( msg:"header ambiguity example 2";
+flow:established, to_client; http_header: with_body, request; content:
+"chocolate"; file_data; content:"white chocolate"; sid:8; rev:2; )
+
+Our search for chocolate has moved from the URI to the message
+headers. Both the request and response messages have headers—which
+one are we asking about? Ambiguity is always resolved in favor of
+looking in the current message which is the response. The first rule
+is looking for a server response containing chocolate in the headers
+and white chocolate in the body.
+
+The second rule uses the "request" option to explicitly say that the
+http_header to be searched is the request header.
+
+Let’s put all of this together. There are six opportunities to do
+detection:
+
+ 1. When the the request headers arrive. The request line and all of
+ the headers go through detection at the same time.
+ 2. When sections of the request message body arrive. If you want to
+ combine this with something from the request line or headers you
+ must use the with_body option.
+ 3. When the request trailers arrive. If you want to combine this
+ with something from the request line or headers you must use the
+ with_trailer option.
+ 4. When the response headers arrive. The status line and all of the
+ headers go through detection at the same time. These may be
+ combined with elements from the request line, request headers, or
+ request trailers. Where ambiguity arises use the request option.
+ 5. When sections of the response message body arrive. These may be
+ combined with the status line, response headers, request line,
+ request headers, or request trailers as described above.
+ 6. When the response trailers arrive. Again these may be combined as
+ described above.
+
+Message body sections can only go through detection at the time they
+are received. Headers may be combined with later items but the body
+cannot.
+
+
+5.10. HTTP/2 Inspector
+
+--------------
+
+Snort 3 is developing an inspector for HTTP/2.
+
+You can configure it by adding:
+
+http2_inspect = {}
+
+to your snort.lua configuration file.
+
+Everything has a beginning and for http2_inspect this is the
+beginning of the beginning.
+
+Currently http2_inspect will divide an HTTP/2 connection into
+individual frames. Two new rule options are available for looking at
+HTTP/2 frames: http2_frame_header provides the 9-octet frame header.
+
+alert tcp any any -> any any (msg:"Frame type"; flow:established,
+to_client; http2_frame_header; content:"|06|", offset 3, depth 1;
+sid:1; rev:1; )
+
+This will match if the Type byte of the frame header is 6 (PING).
+
+To smooth the transition to inspecting HTTP/2, rules that specify
+service:http will be treated as if they also specify service:http2.
+Thus:
+
+alert tcp any any -> any any (flow:established, to_server;
+http_uri; content:"/foo";
+service: http; sid:10; rev:1;)
+
+is understood to mean:
+
+alert tcp any any -> any any (flow:established, to_server;
+http_uri; content:"/foo";
+service: http,http2; sid:10; rev:1;)
+
+Thus it will alert on "/foo" in the URI for both HTTP/1 and HTTP/2
+traffic.
+
+The reverse is not true. "service: http2" without http will match on
+HTTP/2 flows but not HTTP/1 flows.
+
+This feature makes it easy to add HTTP/2 inspection without modifying
+large numbers of existing rules. New rules should explicitly specify
+"service http,http2;" if that is the desired behavior. Eventually
+support for http implies http2 may be deprecated and removed.
+
+In the future, http2_inspect will be fully integrated with
+http_inspect to provide full inspection of the individual HTTP/1.1
+streams.
+
+
+5.11. Performance Monitor
+
+--------------
+
+The new and improved performance monitor! Is your sensor being bogged
+down by too many flows? perf_monitor! Why are certain TCP segments
+being dropped without hitting a rule? perf_monitor! Why is a sensor
+leaking water? Not perf_monitor, check with stream…
+
+5.11.1. Overview
+
+The Snort performance monitor is the built-in utility for monitoring
+system and traffic statistics. All statistics are separated by
+processing thread. perf_monitor supports several trackers for
+monitoring such data:
+
+5.11.2. Base Tracker
+
+The base tracker is used to gather running statistics about Snort and
+its running modules. All Snort modules gather, at the very least,
+counters for the number of packets reaching it. Most supplement these
+counts with those for domain specific functions, such as
+http_inspect’s number of GET requests seen.
+
+Statistics are gathered live and can be reported at regular
+intervals. The stats reported correspond only to the interval in
+question and are reset at the beginning of each interval.
+
+These are the same counts displayed when Snort shuts down, only
+sorted amongst the discrete intervals in which they occurred.
+
+Base differs from prior implementations in Snort in that all stats
+gathered are only raw counts, allowing the data to be evaluated as
+needed. Additionally, base is entirely pluggable. Data from new Snort
+plugins can be added to the existing stats either automatically or,
+if specified, by name and function.
+
+All plugins and counters can be enabled or disabled individually,
+allowing for only the data that is actually desired instead of overly
+verbose performance logs.
+
+To enable everything:
+
+perf_monitor = { modules = {} }
+
+To enable everything within a module:
+
+perf_monitor =
+{
+ modules =
+ {
+ {
+ name = 'stream_tcp',
+ pegs = [[ ]]
+ },
+ }
+}
+
+To enable specific counts within modules:
+
+perf_monitor =
+{
+ modules =
+ {
+ {
+ name = 'stream_tcp',
+ pegs = [[ overlaps gaps ]]
+ },
+ }
+
+Note: Event stats from prior Snorts are now located within base
+statistics.
+
+5.11.3. Flow Tracker
+
+Flow tracks statistics regarding traffic and L3/L4 protocol
+distributions. This data can be used to build a profile of traffic
+for inspector tuning and for identifying where Snort may be stressed.
+
+To enable:
+
+perf_monitor = { flow = true }
+
+5.11.4. FlowIP Tracker
+
+FlowIP provides statistics for individual hosts within a network.
+This data can be used for identifying communication habits, such as
+generating large or small amounts of data, opening a small or large
+number of sessions, and tendency to send smaller or larger IP
+packets.
+
+To enable:
+
+perf_monitor = { flow_ip = true }
+
+5.11.5. CPU Tracker
+
+This tracker monitors the CPU and wall time spent by a given
+processing thread.
+
+To enable:
+
+perf_monitor = { cpu = true }
+
+5.11.6. Formatters
+
+Performance monitor allows statistics to be output in a few formats.
+Along with human readable text (as seen at shutdown) and csv formats,
+a Flatbuffers binary format is also available if Flatbuffers is
+present at build. A utility for accessing the statistics generated in
+this format has been included for convenience (see fbstreamer in
+tools). This tool generates a YAML array of records found, allowing
+the data to be read by humans or passed into other analysis tools.
+For information on working directly with the Flatbuffers file format
+used by Performance monitor, see the developer notes for Performance
+monitor or the code provided for fbstreamer.
+
+
+5.12. POP and IMAP
+
+--------------
+
+POP inspector is a service inspector for POP3 protocol and IMAP
+inspector is for IMAP4 protocol.
+
+5.12.1. Overview
+
+POP and IMAP inspectors examine data traffic and find POP and IMAP
+commands and responses. The inspectors also identify the command,
+header, body sections and extract the MIME attachments and decode it
+appropriately. The pop and imap also identify and whitelist the pop
+and imap traffic.
+
+5.12.2. Configuration
+
+POP inspector and IMAP inspector offer same set of configuration
+options for MIME decoding depth. These depths range from 0 to 65535
+bytes. Setting the value to 0 ("do none") turns the feature off.
+Alternatively the value -1 means an unlimited amount of data should
+be decoded. If you do not specify the default value is 1460 bytes.
+
+The depth limits apply per attachment. They are:
+
+5.12.2.1. b64_decode_depth
+
+Set the base64 decoding depth used to decode the base64-encoded MIME
+attachments.
+
+5.12.2.2. qp_decode_depth
+
+Set the Quoted-Printable (QP) decoding depth used to decode
+QP-encoded MIME attachments.
+
+5.12.2.3. bitenc_decode_depth
+
+Set the non-encoded MIME extraction depth used for non-encoded MIME
+attachments.
+
+5.12.2.4. uu_decode_depth
+
+Set the Unix-to-Unix (UU) decoding depth used to decode UU-encoded
+attachments.
+
+5.12.2.5. Examples
+
+stream = { }
+
+stream_tcp = { }
+
+stream_ip = { }
+
+binder =
+{
+ {
+ {
+ when = { proto = 'tcp', ports = '110', },
+ use = { type = 'pop', },
+ },
+ {
+ when = { proto = 'tcp', ports = '143', },
+ use = { type = 'imap', },
+ },
+ },
+}
+
+imap =
+{
+ qp_decode_depth = 500,
+}
+
+pop =
+{
+ qp_decode_depth = -1,
+ b64_decode_depth = 3000,
+}
+
+
+5.13. Port Scan
+
+--------------
+
+A module to detect port scanning
+
+5.13.1. Overview
+
+This module is designed to detect the first phase in a network
+attack: Reconnaissance. In the Reconnaissance phase, an attacker
+determines what types of network protocols or services a host
+supports. This is the traditional place where a portscan takes place.
+This phase assumes the attacking host has no prior knowledge of what
+protocols or services are supported by the target, otherwise this
+phase would not be necessary.
+
+As the attacker has no beforehand knowledge of its intended target,
+most queries sent by the attacker will be negative (meaning that the
+services are closed). In the nature of legitimate network
+communications, negative responses from hosts are rare, and rarer
+still are multiple negative responses within a given amount of time.
+Our primary objective in detecting portscans is to detect and track
+these negative responses.
+
+One of the most common portscanning tools in use today is Nmap. Nmap
+encompasses many, if not all, of the current portscanning techniques.
+Portscan was designed to be able to detect the different types of
+scans Nmap can produce.
+
+The following are a list of the types of Nmap scans Portscan will
+currently alert for.
+
+ * TCP Portscan
+ * UDP Portscan
+ * IP Portscan
+
+These alerts are for one to one portscans, which are the traditional
+types of scans; one host scans multiple ports on another host. Most
+of the port queries will be negative, since most hosts have
+relatively few services available.
+
+ * TCP Decoy Portscan
+ * UDP Decoy Portscan
+ * IP Decoy Portscan
+
+Decoy portscans are much like regular, only the attacker has spoofed
+source address inter-mixed with the real scanning address. This
+tactic helps hide the true identity of the attacker.
+
+ * TCP Distributed Portscan
+ * UDP Distributed Portscan
+ * IP Distributed Portscan
+
+These are many to one portscans. Distributed portscans occur when
+multiple hosts query one host for open services. This is used to
+evade an IDS and obfuscate command and control hosts.
+
+Note
+
+Negative queries will be distributed among scanning hosts, so we
+track this type of scan through the scanned host.
+
+ * TCP Portsweep
+ * UDP Portsweep
+ * IP Portsweep
+ * ICMP Portsweep
+
+These alerts are for one to many portsweeps. One host scans a single
+port on multiple hosts. This usually occurs when a new exploit comes
+out and the attacker is looking for a specific service.
+
+Note
+
+The characteristics of a portsweep scan may not result in many
+negative responses. For example, if an attacker portsweeps a web farm
+for port 80, we will most likely not see many negative responses.
+
+ * TCP Filtered Portscan
+ * UDP Filtered Portscan
+ * IP Filtered Portscan
+ * TCP Filtered Decoy Portscan
+ * UDP Filtered Decoy Portscan
+ * IP Filtered Decoy Portscan
+ * TCP Filtered Portsweep
+ * UDP Filtered Portsweep
+ * IP Filtered Portsweep
+ * ICMP Filtered Portsweep
+ * TCP Filtered Distributed Portscan
+ * UDP Filtered Distributed Portscan
+ * IP Filtered Distributed Portscan
+
+"Filtered" alerts indicate that there were no network errors (ICMP
+unreachables or TCP RSTs) or responses on closed ports have been
+suppressed. It’s also a good indicator on whether the alert is just a
+very active legitimate host. Active hosts, such as NATs, can trigger
+these alerts because they can send out many connection attempts
+within a very small amount of time. A filtered alert may go off
+before responses from the remote hosts are received.
+
+Portscan only generates one alert for each host pair in question
+during the time window. On TCP scan alerts, Portscan will also
+display any open ports that were scanned. On TCP sweep alerts
+however, Portscan will only track open ports after the alert has been
+triggered. Open port events are not individual alerts, but tags based
+off the original scan alert.
+
+5.13.2. Scan levels
+
+There are 3 default scan levels that can be set.
+
+1) default_hi_port_scan
+2) default_med_port_scan
+3) default_low_port_scan
+
+Each of these default levels have separate options that can be edited
+to alter the scan sensitivity levels (scans, rejects, nets or ports)
+
+Example:
+
+port_scan = default_low_port_scan
+
+port_scan.tcp_decoy.ports = 1
+port_scan.tcp_decoy.scans = 1
+port_scan.tcp_decoy.rejects = 1
+port_scan.tcp_ports.nets = 1
+
+The example above would change each of the individual settings to 1.
+
+NOTE:The default levels for scans, rejects, nets and ports can be
+seen in the snort_defaults.lua file.
+
+The counts can be seen in the alert outputs (-Acmg shown below):
+
+50 72 69 6F 72 69 74 79 20 43 6F 75 6E 74 3A 20 Priority Count:
+30 0A 43 6F 6E 6E 65 63 74 69 6F 6E 20 43 6F 75 0.Connec tion Cou
+6E 74 3A 20 34 35 0A 49 50 20 43 6F 75 6E 74 3A nt: 45.I P Count:
+20 31 0A 53 63 61 6E 6E 65 72 20 49 50 20 52 61 1.Scann er IP Ra
+6E 67 65 3A 20 31 2E 32 2E 33 2E 34 3A 31 2E 32 nge: 1.2 .3.4:1.2
+2E 33 2E 34 0A 50 6F 72 74 2F 50 72 6F 74 6F 20 .3.4.Por t/Proto
+43 6F 75 6E 74 3A 20 33 37 0A 50 6F 72 74 2F 50 Count: 3 7.Port/P
+72 6F 74 6F 20 52 61 6E 67 65 3A 20 31 3A 39 0A roto Ran ge: 1:9.
+
+"Low" alerts are only generated on error packets sent from the target
+host, and because of the nature of error responses, this setting
+should see very few false positives. However, this setting will never
+trigger a Filtered Scan alert because of a lack of error responses.
+This setting is based on a static time window of 60 seconds, after
+which this window is reset.
+
+"Medium" alerts track Connection Counts, and so will generate
+Filtered Scan alerts. This setting may false positive on active hosts
+(NATs, proxies, DNS caches, etc), so the user may need to deploy the
+use of Ignore directives to properly tune this directive.
+
+"High" alerts continuously track hosts on a network using a time
+window to evaluate portscan statistics for that host. A "High"
+setting will catch some slow scans because of the continuous
+monitoring, but is very sensitive to active hosts. This most
+definitely will require the user to tune Portscan.
+
+5.13.3. Tuning Portscan
+
+The most important aspect in detecting portscans is tuning the
+detection engine for your network(s). Here are some tuning tips:
+
+Use the watch_ip, ignore_scanners, and ignore_scanned options. It’s
+important to correctly set these options. The watch_ip option is easy
+to understand. The analyst should set this option to the list of CIDR
+blocks and IPs that they want to watch. If no watch_ip is defined,
+Portscan will watch all network traffic. The ignore_scanners and
+ignore_scanned options come into play in weeding out legitimate hosts
+that are very active on your network. Some of the most common
+examples are NAT IPs, DNS cache servers, syslog servers, and nfs
+servers. Portscan may not generate false positives for these types of
+hosts, but be aware when first tuning Portscan for these IPs.
+Depending on the type of alert that the host generates, the analyst
+will know which to ignore it as. If the host is generating portsweep
+events, then add it to the ignore_scanners option. If the host is
+generating portscan alerts (and is the host that is being scanned),
+add it to the ignore_scanned option.
+
+Filtered scan alerts are much more prone to false positives. When
+determining false positives, the alert type is very important. Most
+of the false positives that Portscan may generate are of the filtered
+scan alert type. So be much more suspicious of filtered portscans.
+Many times this just indicates that a host was very active during the
+time period in question. If the host continually generates these
+types of alerts, add it to the ignore_scanners list or use a lower
+sensitivity level.
+
+Make use of the Priority Count, Connection Count, IP Count, Port
+Count, IP range, and Port range to determine false positives. The
+portscan alert details are vital in determining the scope of a
+portscan and also the confidence of the portscan. In the future, we
+hope to automate much of this analysis in assigning a scope level and
+confidence level, but for now the user must manually do this. The
+easiest way to determine false positives is through simple ratio
+estimations. The following is a list of ratios to estimate and the
+associated values that indicate a legitimate scan and not a false
+positive.
+
+Connection Count / IP Count: This ratio indicates an estimated
+average of connections per IP. For portscans, this ratio should be
+high, the higher the better. For portsweeps, this ratio should be
+low.
+
+Port Count / IP Count: This ratio indicates an estimated average of
+ports connected to per IP. For portscans, this ratio should be high
+and indicates that the scanned host’s ports were connected to by
+fewer IPs. For portsweeps, this ratio should be low, indicating that
+the scanning host connected to few ports but on many hosts.
+
+Connection Count / Port Count: This ratio indicates an estimated
+average of connections per port. For portscans, this ratio should be
+low. This indicates that each connection was to a different port. For
+portsweeps, this ratio should be high. This indicates that there were
+many connections to the same port.
+
+The reason that Priority Count is not included, is because the
+priority count is included in the connection count and the above
+comparisons take that into consideration. The Priority Count play an
+important role in tuning because the higher the priority count the
+more likely it is a real portscan or portsweep (unless the host is
+firewalled).
+
+If all else fails, lower the sensitivity level. If none of these
+other tuning techniques work or the analyst doesn’t have the time for
+tuning, lower the sensitivity level. You get the best protection the
+higher the sensitivity level, but it’s also important that the
+portscan detection engine generates alerts that the analyst will find
+informative. The low sensitivity level only generates alerts based on
+error responses. These responses indicate a portscan and the alerts
+generated by the low sensitivity level are highly accurate and
+require the least tuning. The low sensitivity level does not catch
+filtered scans, since these are more prone to false positives.
+
+
+5.14. Sensitive Data Filtering
+
+--------------
+
+The sd_pattern IPS option provides detection and filtering of
+Personally Identifiable Information (PII). This information includes
+credit card numbers, U.S. Social Security numbers, and email
+addresses. A rich regular expression syntax is available for defining
+your own PII.
+
+5.14.1. Hyperscan
+
+The sd_pattern rule option is powered by the open source Hyperscan
+library from Intel. It provides a regex grammar which is mostly PCRE
+compatible. To learn more about Hyperscan see https://intel.github.io
+/hyperscan/dev-reference/
+
+5.14.2. Syntax
+
+Snort provides sd_pattern as IPS rule option with no additional
+inspector overhead. The Rule option takes the following syntax.
+
+sd_pattern: "<pattern>"[, threshold <count>];
+
+5.14.2.1. Pattern
+
+Pattern is the most important and is the only required parameter to
+sd_pattern. It supports 3 built in patterns which are configured by
+name: "credit_card", "us_social" and "us_social_nodashes", as well as
+user defined regular expressions of the Hyperscan dialect (see https:
+//intel.github.io/hyperscan/dev-reference/compilation.html#
+pattern-support).
+
+sd_pattern:"credit_card";
+
+When configured, Snort will replace the pattern credit_card with the
+built in pattern. In addition to pattern matching, Snort will
+validate that the matched digits will pass the Luhn-check algorithm.
+Currently the only pattern that performs extra verification.
+
+sd_pattern:"us_social";
+sd_pattern:"us_social_nodashes";
+
+These special patterns will also be replaced with a built in pattern.
+Naturally, "us_social" is a pattern of 9 digits separated by -'s in
+the canonical form.
+
+sd_pattern:"\b\w+@ourdomain\.com\b"
+
+This is a user defined pattern which matches what is most likely
+email addresses for the site "ourdomain.com". The pattern is a PCRE
+compatible regex, \b matches a word boundary (whitespace, end of
+line, non-word characters) and \w+ matches one or more word
+characters. \. matches a literal ..
+
+The above pattern would match "a@ourdomain.com", "aa@ourdomain.com"
+but would not match 1@ourdomain.com ab12@ourdomain.com or
+@ourdomain.com.
+
+Note: This is just an example, this pattern is not suitable to detect
+many correctly formatted emails.
+
+5.14.2.2. Threshold
+
+Threshold is an optional parameter allowing you to change built in
+default value (default value is 1). The following two instances are
+identical. The first will assume the default value of 1 the second
+declaration explicitly sets the threshold to 1.
+
+sd_pattern:"This rule requires 1 match";
+sd_pattern:"This rule requires 1 match", threshold 1;
+
+That’s pretty easy, but here is one more example anyway.
+
+sd_pattern:"This is a string literal", threshold 300;
+
+This example requires 300 matches of the pattern "This is a string
+literal" to qualify as a positive match. That is, if the string only
+occurred 299 times in a packet, you will not see an event.
+
+5.14.2.3. Obfuscating Credit Cards and Social Security Numbers
+
+Snort provides discreet logging for the built in patterns
+"credit_card", "us_social" and "us_social_nodashes". Enabling
+output.obfuscate_pii makes Snort obfuscate the suspect packet payload
+which was matched by the patterns. This configuration is disabled by
+default.
+
+output =
+{
+ obfuscate_pii = true
+}
+
+5.14.3. Example
+
+A complete Snort IPS rule
+
+alert tcp ( sid:1; msg:"Credit Card"; sd_pattern:"credit_card"; )
+
+Logged output when running Snort in "cmg" alert format.
+
+02/25-21:19:05.125553 [**] [1:1:0] "Credit Card" [**] [Priority: 0] {TCP} 10.1.2.3:48620 -> 10.9.8.7:8
+02:01:02:03:04:05 -> 02:09:08:07:06:05 type:0x800 len:0x46
+10.1.2.3:48620 -> 10.9.8.7:8 TCP TTL:64 TOS:0x0 ID:14 IpLen:20 DgmLen:56
+***A**** Seq: 0xB2 Ack: 0x2 Win: 0x2000 TcpLen: 20
+- - - raw[16] - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+58 58 58 58 58 58 58 58 58 58 58 58 39 32 39 34 XXXXXXXXXXXX9294
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+5.14.4. Caveats
+
+ 1. Snort currently requires setting the fast pattern engine to use
+ "hyperscan" in order for sd_pattern ips option to function
+ correctly.
+
+ search_engine = { search_method = 'hyperscan' }
+
+ 2. Log obfuscation is only applicable to CMG and Unified2 logging
+ formats.
+ 3. Log obfuscation doesn’t support user defined PII patterns. It is
+ currently only supported for the built in patterns for Credit
+ Cards and US Social Security numbers.
+ 4. Log obfuscation doesn’t work with stream rebuilt packet payloads.
+ (This is a known bug).
+
+
+5.15. SMTP
+
+--------------
+
+SMTP inspector is a service inspector for SMTP protocol.
+
+5.15.1. Overview
+
+The SMTP inspector examines SMTP connections looking for commands and
+responses. It also identifies the command, header and body sections,
+TLS data and extracts the MIME attachments. This inspector also
+identifies and whitelists the SMTP traffic.
+
+SMTP inspector logs the filename, email addresses, attachment names
+when configured.
+
+5.15.2. Configuration
+
+SMTP command lines can be normalized to remove extraneous spaces.
+TLS-encrypted traffic can be ignored, which improves performance. In
+addition, plain-text mail data can be ignored for an additional
+performance boost.
+
+The configuration options are described below:
+
+5.15.2.1. normalize and normalize_cmds
+
+Normalization checks for more than one space character after a
+command. Space characters are defined as space (ASCII 0x20) or tab
+(ASCII 0x09). "normalize" provides options all|none|cmds, all checks
+all commands, none turns off normalization for all commands. cmds
+just checks commands listed with the "normalize_cmds" parameter. For
+example:
+
+smtp = { normalize = 'cmds', normalize_cmds = 'RCPT VRFY EXPN' }
+
+5.15.2.2. ignore_data
+
+Set it to true to ignore data section of mail (except for mail
+headers) when processing rules.
+
+5.15.2.3. ignore_tls_data
+
+Set it to true to ignore TLS-encrypted data when processing rules.
+
+5.15.2.4. max_command_line_len
+
+Alert if an SMTP command line is longer than this value. Absence of
+this option or a "0" means never alert on command line length. RFC
+2821 recommends 512 as a maximum command line length.
+
+5.15.2.5. max_header_line_len
+
+Alert if an SMTP DATA header line is longer than this value. Absence
+of this option or a "0" means never alert on data header line length.
+RFC 2821 recommends 1024 as a maximum data header line length.
+
+5.15.2.6. max_response_line_len
+
+Alert if an SMTP response line is longer than this value. Absence of
+this option or a "0" means never alert on response line length. RFC
+2821 recommends 512 as a maximum response line length.
+
+5.15.2.7. alt_max_command_line_len
+
+Overrides max_command_line_len for specific commands For example:
+
+alt_max_command_line_len =
+{
+ {
+ command = 'MAIL',
+ length = 260,
+ },
+ {
+ command = 'RCPT',
+ length = 300,
+ },
+}
+
+5.15.2.8. invalid_cmds
+
+Alert if this command is sent from client side.
+
+5.15.2.9. valid_cmds
+
+List of valid commands. We do not alert on commands in this list.
+
+DEFAULT empty list, but SMTP inspector has this list hard-coded: [[
+ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN
+HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SIZE
+STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS X-LINK2STATE
+XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR ]]
+
+5.15.2.10. data_cmds
+
+List of commands that initiate sending of data with an end of data
+delimiter the same as that of the DATA command per RFC 5321 - "
+<CRLF>.<CRLF>".
+
+5.15.2.11. binary_data_cmds
+
+List of commands that initiate sending of data and use a length value
+after the command to indicate the amount of data to be sent, similar
+to that of the BDAT command per RFC 3030.
+
+5.15.2.12. auth_cmds
+
+List of commands that initiate an authentication exchange between
+client and server.
+
+5.15.2.13. xlink2state
+
+Enable/disable xlink2state alert, options are {disable | alert |
+drop}. See CVE-2005-0560 for a description of the vulnerability.
+
+5.15.2.14. MIME processing depth parameters
+
+These four MIME processing depth parameters are identical to their
+POP and IMAP counterparts. See that section for further details.
+
+b64_decode_depth qp_decode_depth bitenc_decode_depth uu_decode_depth
+
+5.15.2.15. Log Options
+
+Following log options allow SMTP inspector to log email addresses and
+filenames. Please note, this is logged only with the unified2 output
+and is not logged with the console output (-A cmg). u2spewfoo can be
+used to read this data from the unified2.
+
+log_mailfrom
+
+This option enables SMTP inspector to parse and log the sender’s
+email address extracted from the "MAIL FROM" command along with all
+the generated events for that session. The maximum number of bytes
+logged for this option is 1024.
+
+log_rcptto
+
+This option enables SMTP inspector to parse and log the recipient
+email addresses extracted from the "RCPT TO" command along with all
+the generated events for that session. Multiple recipients are
+appended with commas. The maximum number of bytes logged for this
+option is 1024.
+
+log_filename
+
+This option enables SMTP inspector to parse and log the MIME
+attachment filenames extracted from the Content-Disposition header
+within the MIME body along with all the generated events for that
+session. Multiple filenames are appended with commas. The maximum
+number of bytes logged for this option is 1024.
+
+log_email_hdrs
+
+This option enables SMTP inspector to parse and log the SMTP email
+headers extracted from SMTP data along with all generated events for
+that session. The number of bytes extracted and logged depends upon
+the email_hdrs_log_depth.
+
+email_hdrs_log_depth
+
+This option specifies the depth for logging email headers. The
+allowed range for this option is 0 - 20480. A value of 0 will disable
+email headers logging. The default value for this option is 1464.
+
+5.15.3. Example
+
+smtp =
+{
+ normalize = 'cmds',
+ normalize_cmds = 'EXPN VRFY RCPT',
+ b64_decode_depth = 0,
+ qp_decode_depth = 0,
+ bitenc_decode_depth = 0,
+ uu_decode_depth = 0,
+ log_mailfrom = true,
+ log_rcptto = true,
+ log_filename = true,
+ log_email_hdrs = true,
+ max_command_line_len = 512,
+ max_header_line_len = 1000,
+ max_response_line_len = 512,
+ max_auth_command_line_len = 50,
+ xlink2state = 'alert',
+ alt_max_command_line_len =
+ {
+ {
+ command = 'MAIL',
+ length = 260,
+ },
+ {
+ command = 'RCPT',
+ length = 300,
+ },
+ {
+ command = 'HELP',
+ length = 500,
+ },
+ {
+ command = 'HELO',
+ length = 500,
+ },
+ {
+ command = 'ETRN',
+ length = 500,
+ },
+ {
+ command = 'EXPN',
+ length = 255,
+ },
+ {
+ command = 'VRFY',
+ length = 255,
+ },
+ },
+}
+
+
+5.16. Telnet
+
+--------------
+
+Given a telnet data buffer, Telnet will normalize the buffer with
+respect to telnet commands and option negotiation, eliminating telnet
+command sequences per RFC 854. It will also determine when a telnet
+connection is encrypted, per the use of the telnet encryption option
+per RFC 2946.
+
+5.16.1. Configuring the inspector to block exploits and attacks
+
+ayt_attack_thresh number
+
+Detect and alert on consecutive are you there [AYT] commands beyond
+the threshold number specified. This addresses a few specific
+vulnerabilities relating to bsd-based implementations of telnet.
+
+
+5.17. Trace
+
+--------------
+
+Snort 3 retired the different flavors of debug macros that used to be
+set through the SNORT_DEBUG environment variable. It was replaced by
+per-module trace functionality. Trace is turned on by setting the
+specific trace module configuration in snort.lua. As before, to
+enable debug tracing, Snort must be configured at build time with
+--enable-debug-msgs. However, a growing number of modules (such as
+wizard and snort.inspector_manager) are providing non-debug trace
+messages in normal production builds.
+
+5.17.1. Trace module
+
+The trace module is responsible for configuring traces and supports
+the following parameters:
+
+output - configure the output method for trace messages
+modules - trace configuration for specific modules
+constraints - filter traces by the packet constraints
+
+The following lines, added in snort.lua, will enable trace messages
+for detection and codec modules. The messages will be printed to
+syslog if the packet filtering constraints match.
+
+trace =
+{
+ output = "syslog",
+ modules =
+ {
+ detection = { detect_engine = 1 },
+ decode = { all = 1 }
+ },
+ constraints =
+ {
+ ip_proto = 17,
+ dst_ip = "10.1.1.2",
+ src_port = 100,
+ dst_port = 200
+ }
+}
+
+The trace module supports config reloading. Also, it’s possible to
+set or clear modules traces and packet filter constraints via the
+control channel command.
+
+5.17.2. Trace module - configuring traces
+
+The trace module has the modules option - a table with trace
+configuration for specific modules. The following lines placed in
+snort.lua will enable trace messages for detection, codec and wizard
+modules:
+
+trace =
+{
+ modules =
+ {
+ detection = { all = 1 },
+ decode = { all = 1 },
+ wizard = { all = 1 }
+ }
+}
+
+The detection and snort modules are currently the only modules to
+support multiple trace options. Others have only the default all
+option, which will enable or disable all traces in a given module.
+It’s available for multi-option modules also and works as a global
+switcher:
+
+trace =
+{
+ modules =
+ {
+ detection = { all = 1 } -- set each detection option to level 1
+ }
+}
+
+trace =
+{
+ modules =
+ {
+ detection = { all = 1, tag = 2 } -- set each detection option to level 1 but the 'tag' to level 2
+ }
+}
+
+The full list of available trace parameters is placed into the "Basic
+Modules.trace" chapter.
+
+Each option must be assigned an integer value between 0 and 255 to
+specify a level of verbosity for that option:
+
+0 - turn off trace messages printing for the option
+1 - print most significant trace messages for the option
+255 - print all available trace messages for the option
+
+Tracing is disabled by default (verbosity level equals 0). The
+verbosity level is treated as a threshold, so specifying a higher
+value will result in all messages with a lower level being printed as
+well. For example:
+
+trace =
+{
+ modules =
+ {
+ decode = { all = 3 } -- messages with levels 1, 2, and 3 will be printed
+ }
+}
+
+5.17.3. Trace module - configuring packet filter constraints for
+packet related trace messages
+
+There is a capability to filter traces by the packet constraints. The
+trace module has the constraints option - a table with filtering
+configuration that will be applied to all trace messages that include
+a packet. Filtering is done on a flow that packet is related. By
+default filtering is disabled.
+
+Available constraints options:
+
+ip_proto - numerical IP protocol ID
+src_ip - match all packets with a flow that has this client IP address (passed as a string)
+src_port - match all packets with a flow that has this source port
+dst_ip - match all packets with a flow that has this server IP address (passed as a string)
+dst_port - match all packets with a flow that has this destination port
+match - boolean flag to enable/disable whether constraints will ever match (enabled by default)
+
+The following lines placed in snort.lua will enable all trace
+messages for detection filtered by ip_proto, dst_ip, src_port and
+dst_port:
+
+trace =
+{
+ modules =
+ {
+ detection = { all = 1 }
+ },
+ constraints =
+ {
+ ip_proto = 6, -- tcp
+ dst_ip = "10.1.1.10",
+ src_port = 150,
+ dst_port = 250
+ }
+}
+
+To create constraints that will never successfully match, set the
+match parameter to false. This is useful for situations where one is
+relying on external packet filtering from the DAQ module, or for
+preventing all trace messages in the context of a packet. The
+following is an example of such configuration:
+
+trace =
+{
+ modules =
+ {
+ snort = { all = 1 }
+ },
+ constraints =
+ {
+ match = false
+ }
+}
+
+5.17.4. Trace module - configuring trace output method
+
+There is a capability to configure the output method for trace
+messages. The trace module has the output option with two acceptable
+values:
+
+"stdout" - printing to stdout
+"syslog" - printing to syslog
+
+By default, the output method will be set based on the Snort run
+mode. Normally it will use stdout, but if -D (daemon mode) and/or -M
+(alert-syslog mode) are set, it will instead use syslog.
+
+Example - set output method as syslog:
+
+In snort.lua, the following lines were added:
+
+trace =
+{
+ output = "syslog",
+ modules =
+ {
+ detection = { all = 1 }
+ }
+}
+
+As a result, each trace message will be printed into syslog (the
+Snort run-mode will be ignored).
+
+5.17.5. Configuring traces via control channel command
+
+There is a capability to configure module trace options and packet
+constraints via the control channel command by using a Snort shell.
+In order to enable shell, Snort has to be configured and built with
+--enable-shell.
+
+The trace control channel command is a way how to configure module
+trace options and/or packet filter constraints directly during Snort
+run and without reloading the entire config.
+
+After entering the Snort shell, there are two commands available for
+the trace module:
+
+trace.set({ modules = {...}, constraints = {...} }) - set modules traces and constraints (should pass a valid Lua-entry)
+
+trace.clear() - clear modules traces and constraints
+
+Also, it’s possible to omit tables in the trace.set() command:
+
+trace.set({constraints = {...}}) - set only filtering configuration keeping old modules traces
+
+trace.set({modules = {...}}) - set only module trace options keeping old filtering constraints
+
+trace.set({}) - disable traces and constraints (set to empty)
+
+5.17.6. Trace messages format
+
+Each tracing message has a standard format:
+
+<module_name>:<option_name>:<message_log_level>: <particular_message>
+
+The stdout logger also prints thread type and thread instance ID at
+the beginning of each trace message in a colon-separated manner.
+
+The capital letter at the beginning of the trace message indicates
+the thread type.
+
+Possible thread types: C – main (control) thread P – packet thread O
+– other thread
+
+5.17.7. Example - Debugging rules using detection trace
+
+The detection engine is responsible for rule evaluation. Turning on
+the trace for it can help with debugging new rules.
+
+The relevant options for detection are as follow:
+
+rule_eval - follow rule evaluation
+buffer - print evaluated buffer if it changed (level 1) or at every step (level 5)
+rule_vars - print value of ips rule options vars
+fp_search - print information on fast pattern search
+
+Buffer print is useful, but in case the buffer is very big can be too
+verbose. Choose between verbosity levels 1, 5, or no buffer trace
+accordingly.
+
+rule_vars is useful when the rule is using ips rule options vars.
+
+In snort.lua, the following lines were added:
+
+trace =
+{
+ modules =
+ {
+ detection =
+ {
+ rule_eval = 1,
+ buffer = 1,
+ rule_vars = 1,
+ fp_search = 1
+ }
+ }
+}
+
+The pcap has a single packet with payload:
+
+10.AAAAAAAfoobar
+
+Evaluated on rules:
+
+# byte_math + oper with byte extract and content
+# VAL = 1, byte_math = 0 + 10
+alert tcp ( byte_extract: 1, 0, VAL, string, dec;
+byte_math:bytes 1,offset VAL,oper +, rvalue 10, result var1, string dec;
+content:"foo", offset var1; sid:3)
+
+#This rule should not trigger
+alert tcp (content:"AAAAA"; byte_jump:2,0,relative;
+content:"foo", within 3; sid:2)
+
+The output:
+
+detection:rule_eval:1: packet 1 C2S 127.0.0.1:1234 127.0.0.1:5678 (fast-patterns)
+detection:rule_eval:1: Fast pattern search
+detection:fp_search:1: 1 fp packet[16]
+
+snort.raw[16]:
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+31 30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 10.AAAAAAAfoobar
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+detection:rule_eval:1: Processing pattern match #1
+detection:rule_eval:1: Fast pattern packet[5] = 'AAAAA' |41 41 41 41 41 | ( )
+detection:rule_eval:1: Starting tree eval
+detection:rule_eval:1: Evaluating option content, cursor name pkt_data, cursor position 0
+
+snort.raw[16]:
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+31 30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 10.AAAAAAAfoobar
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+detection:rule_vars:1: Rule options variables: var[0]=0 var[1]=0 var[2]=0
+detection:rule_eval:1: Evaluating option byte_jump, cursor name pkt_data, cursor position 8
+
+snort.raw[8]:
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+41 41 66 6F 6F 62 61 72 AAfoobar
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+detection:rule_eval:1: no match
+detection:rule_vars:1: Rule options variables: var[0]=0 var[1]=0 var[2]=0
+detection:rule_eval:1: Evaluating option byte_jump, cursor name pkt_data, cursor position 9
+
+snort.raw[7]:
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+41 66 6F 6F 62 61 72 Afoobar
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+detection:rule_eval:1: no match
+detection:rule_vars:1: Rule options variables: var[0]=0 var[1]=0 var[2]=0
+detection:rule_eval:1: Evaluating option byte_jump, cursor name pkt_data, cursor position 10
+
+snort.raw[6]:
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+66 6F 6F 62 61 72 foobar
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+detection:rule_eval:1: no match
+detection:rule_eval:1: no match
+detection:rule_eval:1: Processing pattern match #2
+detection:rule_eval:1: Fast pattern packet[3] = 'foo' |66 6F 6F | ( )
+detection:rule_eval:1: Starting tree eval
+detection:rule_eval:1: Evaluating option byte_extract, cursor name pkt_data, cursor position 0
+
+snort.raw[16]:
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+31 30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 10.AAAAAAAfoobar
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+detection:rule_vars:1: Rule options variables: var[0]=1 var[1]=0 var[2]=0
+detection:rule_eval:1: Evaluating option byte_math, cursor name pkt_data, cursor position 1
+
+snort.raw[15]:
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 0.AAAAAAAfoobar
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+detection:rule_vars:1: Rule options variables: var[0]=1 var[1]=10 var[2]=0
+detection:rule_eval:1: Evaluating option content, cursor name pkt_data, cursor position 2
+
+snort.raw[14]:
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 .AAAAAAAfoobar
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+detection:rule_vars:1: Rule options variables: var[0]=1 var[1]=10 var[2]=0
+detection:rule_eval:1: Reached leaf, cursor name pkt_data, cursor position 13
+
+snort.raw[3]:
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+62 61 72 bar
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+detection:rule_eval:1: Matched rule gid:sid:rev 1:3:0
+detection:rule_vars:1: Rule options variables: var[0]=1 var[1]=10 var[2]=0
+04/22-20:21:40.905630, 1, TCP, raw, 56, C2S, 127.0.0.1:1234, 127.0.0.1:5678, 1:3:0, allow
+
+5.17.8. Example - Protocols decoding trace
+
+Turning on decode trace will print out information about the packets
+decoded protocols. Can be useful in case of tunneling.
+
+Example for a icmpv4-in-ipv6 packet:
+
+In snort.lua, the following line was added:
+
+trace =
+{
+ modules =
+ {
+ decode = { all = 1 }
+ }
+}
+
+The output:
+
+decode:all:1: Codec eth (protocol_id: 34525) ip header starts at: 0x7f70800110f0, length is 14
+decode:all:1: Codec ipv6 (protocol_id: 1) ip header starts at: 0x7f70800110f0, length is 40
+decode:all:1: Codec icmp4 (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 8
+decode:all:1: Codec unknown (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 0
+
+5.17.9. Example - Track the time packet spends in each inspector
+
+There is a capability to track which inspectors evaluate a packet,
+and how much time the inspector consumes doing so. These trace
+messages could be enabled by the Snort module trace options:
+
+main - command execution traces (main trace logging)
+inspector_manager - inspectors execution and time tracking traces
+
+Example for a single packet with payload:
+
+10.AAAAAAAfoobar
+
+In snort.lua, the following lines were added:
+
+trace =
+{
+ modules =
+ {
+ snort =
+ {
+ -- could be replaced by 'all = 1'
+ main = 1,
+ inspector_manager = 1
+ }
+ }
+}
+
+The output:
+
+snort:main:1: [0] Queuing command START for execution (refcount 1)
+snort:main:1: [0] Queuing command RUN for execution (refcount 1)
+snort:main:1: [0] Destroying completed command START
+snort:inspector_manager:1: start inspection, raw, packet 1, context 1
+snort:inspector_manager:1: enter stream
+snort:inspector_manager:1: exit stream, elapsed time: 2 usec
+snort:inspector_manager:1: stop inspection, raw, packet 1, context 1, total time: 14 usec
+snort:inspector_manager:1: post detection inspection, raw, packet 1, context 1
+snort:inspector_manager:1: end inspection, raw, packet 1, context 1, total time: 0 usec
+snort:main:1: [0] Destroying completed command RUN
+
+5.17.10. Example - trace filtering by packet constraints:
+
+In snort.lua, the following lines were added:
+
+ips =
+{
+ rules =
+ [[
+ alert tcp any any -> any any ( msg: "ALERT_TCP"; gid: 1001; sid: 1001 )
+ alert udp any any -> any any ( msg: "ALERT_UDP"; gid: 1002; sid: 1002 )
+ ]]
+}
+
+trace =
+{
+ modules =
+ {
+ detection = { rule_eval = 1 }
+ },
+ constraints =
+ {
+ ip_proto = 17, -- udp
+ dst_ip = "10.1.1.2",
+ src_port = 100,
+ dst_port = 200
+ }
+}
+
+The processed traffic was next:
+
+d ( stack="eth:ip4:udp" )
+
+c ( ip4:a="10.1.1.1", ip4:b="10.1.1.2", udp:a=100, udp:b=200 )
+a ( pay="pass" )
+b ( pay="pass" )
+
+c ( ip4:a="10.2.1.1" )
+a ( pay="pass" )
+b ( pay="pass" )
+
+c ( udp:a=101 )
+a ( pay="block" )
+b ( pay="block" )
+
+The output:
+
+detection:rule_eval:1: packet 1 UNK 10.1.1.1:100 10.1.1.2:200 (fast-patterns)
+detection:rule_eval:1: Fast pattern processing - no matches found
+detection:rule_eval:1: packet 1 UNK 10.1.1.1:100 10.1.1.2:200 (non-fast-patterns)
+detection:rule_eval:1: packet 2 UNK 10.1.1.2:200 10.1.1.1:100 (fast-patterns)
+detection:rule_eval:1: Fast pattern processing - no matches found
+detection:rule_eval:1: packet 2 UNK 10.1.1.2:200 10.1.1.1:100 (non-fast-patterns)
+detection:rule_eval:1: packet 3 UNK 10.2.1.1:100 10.1.1.2:200 (fast-patterns)
+detection:rule_eval:1: Fast pattern processing - no matches found
+detection:rule_eval:1: packet 3 UNK 10.2.1.1:100 10.1.1.2:200 (non-fast-patterns)
+detection:rule_eval:1: packet 4 UNK 10.1.1.2:200 10.2.1.1:100 (fast-patterns)
+detection:rule_eval:1: Fast pattern processing - no matches found
+detection:rule_eval:1: packet 4 UNK 10.1.1.2:200 10.2.1.1:100 (non-fast-patterns)
+
+The trace messages for two last packets (numbers 5 and 6) weren’t
+printed.
+
+5.17.11. Example - configuring traces via trace.set() command
+
+In snort.lua, the following lines were added:
+
+ips =
+{
+ rules =
+ [[
+ alert tcp any any -> any any ( msg: "ALERT_TCP"; gid: 1001; sid: 1001 )
+ alert udp any any -> any any ( msg: "ALERT_UDP"; gid: 1002; sid: 1002 )
+ ]]
+}
+
+trace =
+{
+ constraints =
+ {
+ ip_proto = 17, -- udp
+ dst_ip = "10.1.1.2",
+ src_port = 100,
+ dst_port = 200
+ },
+ modules =
+ {
+ detection = { rule_eval = 1 }
+ }
+}
+
+The processed traffic was next:
+
+# Flow 1
+d ( stack="eth:ip4:udp" )
+c ( ip4:a="10.1.1.1", ip4:b="10.1.1.2", udp:a=100, udp:b=200 )
+a ( data="udp packet 1" )
+a ( data="udp packet 2" )
+
+# Flow 2
+d ( stack="eth:ip4:tcp" )
+c ( ip4:a="10.1.1.3", ip4:b="10.1.1.4", tcp:a=5000, tcp:b=6000 )
+a ( syn )
+b ( syn, ack )
+a ( ack )
+a ( ack, data="tcp packet 1" )
+a ( ack, data="tcp packet 2" )
+a ( fin, ack )
+b ( fin, ack )
+
+After 1 packet, entering shell and pass the trace.set() command as
+follows:
+
+trace.set({ constraints = { ip_proto = 6, dst_ip = "10.1.1.4", src_port = 5000, dst_port = 6000 }, modules = { decode = { all = 1 }, detection = { rule_eval = 1 } } })
+
+The output (not full, only descriptive lines):
+
+detection:rule_eval:1: packet 1 UNK 10.1.1.1:100 10.1.1.2:200 (fast-patterns)
+detection:rule_eval:1: packet 1 UNK 10.1.1.1:100 10.1.1.2:200 (non-fast-patterns)
+decode:all:1: Codec udp (protocol_id: 256) ip header starts length is 8
+decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20
+detection:rule_eval:1: packet 3 UNK 10.1.1.3:5000 10.1.1.4:6000 (fast-patterns)
+detection:rule_eval:1: packet 3 UNK 10.1.1.3:5000 10.1.1.4:6000 (non-fast-patterns)
+decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20
+detection:rule_eval:1: packet 4 UNK 10.1.1.4:6000 10.1.1.3:5000 (fast-patterns)
+detection:rule_eval:1: packet 4 UNK 10.1.1.4:6000 10.1.1.3:5000 (non-fast-patterns)
+decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20
+detection:rule_eval:1: packet 5 UNK 10.1.1.3:5000 10.1.1.4:6000 (fast-patterns)
+detection:rule_eval:1: packet 5 UNK 10.1.1.3:5000 10.1.1.4:6000 (non-fast-patterns)
+decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20
+detection:rule_eval:1: packet 6 UNK 10.1.1.3:5000 10.1.1.4:6000 (fast-patterns)
+detection:rule_eval:1: packet 6 UNK 10.1.1.3:5000 10.1.1.4:6000 (non-fast-patterns)
+decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20
+detection:rule_eval:1: packet 7 UNK 10.1.1.3:5000 10.1.1.4:6000 (fast-patterns)
+detection:rule_eval:1: packet 7 UNK 10.1.1.3:5000 10.1.1.4:6000 (non-fast-patterns)
+decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20
+detection:rule_eval:1: packet 8 UNK 10.1.1.3:5000 10.1.1.4:6000 (fast-patterns)
+detection:rule_eval:1: packet 8 UNK 10.1.1.3:5000 10.1.1.4:6000 (non-fast-patterns)
+decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20
+detection:rule_eval:1: packet 9 UNK 10.1.1.4:6000 10.1.1.3:5000 (fast-patterns)
+detection:rule_eval:1: packet 9 UNK 10.1.1.4:6000 10.1.1.3:5000 (non-fast-patterns)
+
+The new configuration was applied. decode:all:1 messages aren’t
+filtered because they don’t include a packet (a packet isn’t
+well-formed at the point when the message is printing).
+
+5.17.12. Other available traces
+
+There are more trace options supported by detection:
+
+detect_engine - prints statistics about the engine
+pkt_detect - prints a message when disabling content detect for packet
+opt_tree - prints option tree data structure
+tag - prints a message when a new tag is added
+
+The rest support only 1 option, and can be turned on by adding all =
+1 to their table in trace lua config.
+
+ * stream module trace:
+
+When turned on prints a message in case inspection is stopped on a
+flow. Example for output:
+
+stream:all:1: stop inspection on flow, dir BOTH
+
+ * stream_ip, stream_user: trace will output general processing
+ messages
+
+Other modules that support trace have messages as seemed fit to the
+developer. Some are for corner cases, others for complex data
+structures.
+
+
+5.18. Wizard
+
+--------------
+
+Using the wizard enables port-independent configuration and the
+detection of malware command and control channels. If the wizard is
+bound to a session, it peeks at the initial payload to determine the
+service. For example, GET would indicate HTTP and HELO would indicate
+SMTP. Upon finding a match, the service bindings are reevaluated so
+the session can be handed off to the appropriate inspector. The
+wizard is still under development; if you find you need to tweak the
+defaults please let us know.
+
+Additional Details:
+
+ * If the wizard and one or more service inspectors are configured w
+ /o explicitly configuring the binder, default bindings will be
+ generated which should work for most common cases.
+ * Also note that while Snort 2 bindings can only be configured in
+ the default policy, each Snort 3 policy can contain a binder
+ leading to an arbitrary hierarchy.
+ * The entire configuration can be reloaded and hot-swapped during
+ run-time via signal or command in both Snort 2 and Snort 3.
+ Ultimately, Snort 3 will support commands to update the binder on
+ the fly, thus enabling incremental reloads of individual
+ inspectors.
+ * Both Snort 2 and Snort 3 support server specific configurations
+ via a hosts table (XML in Snort 2 and Lua in Snort 3). The table
+ allows you to map network, protocol, and port to a service and
+ policy. This table can be reloaded and hot-swapped separately
+ from the config file.
+ * You can find the specifics on the binder, wizard, and hosts
+ tables in the manual or command line like this: snort
+ --help-module binder, etc.
+
+
+---------------------------------------------------------------------
+
+6. DAQ Configuration and Modules
+
+---------------------------------------------------------------------
+
+The Data AcQuisition library (DAQ), provides pluggable packet I/O.
+LibDAQ replaces direct calls to libraries like libpcap with an
+abstraction layer that facilitates operation on a variety of hardware
+and software interfaces without requiring changes to Snort. It is
+possible to select the DAQ module and mode when invoking Snort to
+perform pcap readback or inline operation, etc. The DAQ library may
+be useful for other packet processing applications and the modular
+nature allows you to build new modules for other platforms.
+
+The DAQ library exists as a separate repository on the official Snort
+3 GitHub project (https://github.com/snort3/libdaq) and contains a
+number of bundled DAQ modules including AFPacket, Divert, NFQ, PCAP,
+and Netmap implementations. Snort 3 itself contains a few new DAQ
+modules mostly used for testing as described below. Additionally, DAQ
+modules developed by third parties to facilitate the usage of their
+own hardware and software platforms exist.
+
+
+6.1. Building the DAQ Library and Its Bundled DAQ Modules
+
+--------------
+
+Refer to the READMEs in the LibDAQ source tarball for instructions on
+how to build the library and modules as well as details on
+configuring and using the bundled DAQ modules.
+
+
+6.2. Configuration
+
+--------------
+
+As with a number of features in Snort 3, the LibDAQ and DAQ module
+configuration may be controlled using either the command line options
+or by configuring the daq Snort module in the Lua configuration.
+
+DAQ modules may be statically built into Snort, but the more common
+case is to use DAQ modules that have been built as dynamically
+loadable objects. Because of this, the first thing to take care of is
+informing Snort of any locations it should search for dynamic DAQ
+modules. From the command line, this can be done with one or more
+invocations of the --daq-dir option, which takes a colon-separated
+set of paths to search as its argument. All arguments will be
+collected into a list of locations to be searched. In the Lua
+configuration, the daq.module_dirs[] property is a list of paths for
+the same purpose.
+
+Next, one must select which DAQ modules they wish to use by name. At
+least one base module and zero or more wrapper modules may be
+selected. This is done using the --daq options from the command line
+or the daq.modules[] list-type property. To get a list of the
+available modules, run Snort with the --daq-list option making sure
+to specify any DAQ module search directories beforehand. If no DAQ
+module is specified, Snort will default to attempting to find and use
+a DAQ module named pcap.
+
+Some DAQ modules can be further directly configured using DAQ module
+variables. All DAQ module variables come in the form of either just a
+key or a key and a value separated by an equals sign. For example,
+debug or fanout_type=hash. The command line option for specifying
+these is --daq-var and the configuration file equivalent is the
+daq.modules[].variables[] property. The available variables for each
+module will be shown when listing the available DAQ modules with
+--daq-list.
+
+The LibDAQ concept of operational mode (passive, inline, or file
+readback) is automatically configured based on inferring the mode
+from other Snort configuration. The presence of -r or --pcap-*
+options implies read-file, -i without -Q implies passive, and -i with
+-Q implies inline. The mode can be overridden on a per-DAQ module
+basis with the --daq-mode option on the command line or the
+daq.modules[].mode property.
+
+The DAQ module receive timeout is always configured to 1 second. The
+packet capture length (snaplen) defaults to 1518 bytes and can be
+overridden by the -s command line option or daq.snaplen property.
+
+Finally, and most importantly, is the input specification for the DAQ
+module. In readback mode, this is simply the file to be read back and
+analyzed. For live traffic processing, this is the name of the
+interface or other necessary input specification as required by the
+DAQ module to understand what to operate upon. From the command line,
+the -r option is used to specify a file to be read back and the -i
+option is used to indicate a live interface input specification. Both
+are covered by the daq.inputs[] property.
+
+For advanced use cases, one additional LibDAQ configuration exists:
+the number of DAQ messages to request per receive call. In Snort,
+this is referred to as the DAQ "batch size" and defaults to 64. The
+default can be overridden with the --daq-batch-size command line
+option or daq.batch_size property. The message pool size requested
+from the DAQ module will be four times this batch size.
+
+6.2.1. Command Line Example
+
+ snort --daq-dir /usr/local/lib/daq --daq-dir /opt/lib/daq --daq afpacket
+--daq-var debug --daq-var fanout_type=hash -i eth1:eth2 -Q
+
+6.2.2. Configuration File Example
+
+The following is the equivalent of the above command line DAQ
+configuration in Lua form:
+
+daq =
+{
+ module_dirs =
+ {
+ '/usr/local/lib/daq',
+ '/opt/lib/daq'
+ },
+ modules =
+ {
+ {
+ name = 'afpacket',
+ mode = 'inline',
+ variables =
+ {
+ 'debug',
+ 'fanout_type=hash'
+ }
+ }
+ },
+ inputs =
+ {
+ 'eth1:eth2',
+ },
+ snaplen = 1518
+}
+
+The daq.snaplen property was included for completeness and may be
+omitted if the default value is acceptable.
+
+6.2.3. DAQ Module Configuration Stacks
+
+Like briefly mentioned above, a DAQ configuration consists of a base
+DAQ module and zero or more wrapper DAQ modules. DAQ wrapper modules
+provide additional functionality layered on top of the base module in
+a decorator pattern. For example, the Dump DAQ module will capture
+all passed or injected packets and save them to a PCAP savefile. This
+can be layered on top of something like the PCAP DAQ module to assess
+which packets are making it through Snort without being dropped and
+what actions Snort has taken that involved sending new or modified
+packets out onto the network (e.g., TCP reset packets and TCP
+normalizations).
+
+To configure a DAQ module stack from the command line, the --daq
+option must be given multiple times with the base module specified
+first followed by the wrapper modules in the desired order (building
+up the stack). Each --daq option changes which module is being
+configured by subsequent --daq-var and --daq mode options.
+
+When configuring the same sort of stack in Lua, everything lives in
+the daq.modules[] property. daq.modules[] is an array of module
+configurations pushed onto the stack from top to bottom. Each module
+configuration must contain the name of the DAQ module. Additionally,
+it may contain an array of variables (daq.modules[].variables[]) and/
+or an operational mode (daq.modules[].mode).
+
+If only wrapper modules were specified, Snort will default to
+implicitly configuring a base module with the name pcap in read-file
+mode. This is a convenience to mimic the previous behavior when
+selecting something like the old Dump DAQ module that may be removed
+in the future.
+
+For any particularly complicated setup, it is recommended that one
+configure via a Lua configuration file rather than using the command
+line options.
+
+
+6.3. Interaction With Multiple Packet Threads
+
+--------------
+
+All packet threads will receive the same DAQ instance configuration
+with the potential exception of the input specification.
+
+If Snort is in file readback mode, a full set of files will be
+constructed from the -r/--pcap-file/--pcap-list/--pcap-dir/
+--pcap-filter options. A number of packet threads will be started up
+to the configured maximum (-z) to process these files one at a time.
+As a packet thread completes processing of a file, it will be stopped
+and then started again with a different file input to process. If the
+number of packet threads configured exceeds the number of files to
+process, or as the number of remaining input files dwindles below
+that number, Snort will stop spawning new packet threads when it runs
+out of unhandled input files.
+
+When Snort is operating on live interfaces (-i), all packet threads
+up to the configured maximum will always be started. By default, if
+only one input specification is given, all packet threads will
+receive the same input in their configuration. If multiple inputs are
+given, each thread will be given the matching input (ordinally),
+falling back to the first if the number of packet threads exceeds the
+number of inputs.
+
+
+6.4. DAQ Modules Included With Snort 3
+
+--------------
+
+6.4.1. Socket Module
+
+The socket module provides provides a stream socket server that will
+accept up to 2 simultaneous connections and bridge them together
+while also passing data to Snort for inspection. The first connection
+accepted is considered the client and the second connection accepted
+is considered the server. If there is only one connection, stream
+data can’t be forwarded but it is still inspected.
+
+Each read from a socket of up to snaplen bytes is passed as a packet
+to Snort along with the ability to retrieve a DAQ_UsrHdr_t structure
+via ioctl. DAQ_UsrHdr_t conveys IP4 address, ports, protocol, and
+direction. Socket packets can be configured to be TCP or UDP. The
+socket DAQ can be operated in inline mode and is able to block
+packets.
+
+Packets from the socket DAQ module are handled by Snort’s stream_user
+module, which must be configured in the Snort configuration.
+
+To use the socket DAQ, start Snort like this:
+
+./snort --daq-dir /path/to/lib/snort_extra/daq \
+ --daq socket [--daq-var port=<port>] [--daq-var proto=<proto>] [-Q]
+
+<port> ::= 1..65535; default is 8000
+<proto> ::= tcp | udp
+
+ * This module only supports ip4 traffic.
+ * This module is only supported by Snort 3. It is not compatible
+ with Snort 2.
+ * This module is primarily for development and test.
+
+6.4.2. File Module
+
+The file module provides the ability to process files directly
+without having to extract them from pcaps. Use the file module with
+Snort’s stream_file to get file type identification and signature
+services. The usual IPS detection and logging, etc. is also
+available.
+
+You can process all the files in a directory recursively using 8
+threads with these Snort options:
+
+--pcap-dir path -z 8
+
+ * This module is only supported by Snort 3. It is not compatible
+ with Snort 2.
+ * This module is primarily for development and test.
+
+6.4.3. Hext Module
+
+The hext module generates packets suitable for processing by Snort
+from hex/plain text. Raw packets include full headers and are
+processed normally. Otherwise the packets contain only payload and
+are accompanied with flow information (4-tuple) suitable for
+processing by stream_user.
+
+The first character of the line determines it’s purpose:
+
+'$' command
+'#' comment
+'"' quoted string packet data
+'x' hex packet data
+' ' empty line separates packets
+
+The available commands are:
+
+$client <ip4> <port>
+$server <ip4> <port>
+
+$packet -> client
+$packet -> server
+
+$packet <addr> <port> -> <addr> <port>
+
+$sof <i32:ingressZone> <i32:egressZone> <i32:ingressIntf> <i32:egressIntf> <s:srcIp> <i16:srcPort> <s:destIp> <i16:dstPort> <u32:opaque> <u64:initiatorPkts> <u64:responderPkts> <u64:initiatorPktsDropped> <u64:responderPktsDropped> <u64:initiatorBytesDropped> <u64:responderBytesDropped> <u8:isQosAppliedOnSrcIntf> <timeval:sof_timestamp> <timeval:eof_timestamp> <u16:vlan> <u16:address_space_id> <u8:protocol>
+$eof <i32:ingressZone> <i32:egressZone> <i32:ingressIntf> <i32:egressIntf> <s:srcIp> <i16:srcPort> <s:destIp> <i16:dstPort> <u32:opaque> <u64:initiatorPkts> <u64:responderPkts> <u64:initiatorPktsDropped> <u64:responderPktsDropped> <u64:initiatorBytesDropped> <u64:responderBytesDropped> <u8:isQosAppliedOnSrcIntf> <timeval:sof_timestamp> <timeval:eof_timestamp> <u16:vlan> <u16:address_space_id> <u8:protocol>
+
+Client and server are determined as follows. $packet → client
+indicates to the client (from server) and $packet → server indicates
+a packet to the server (from client). $packet followed by a 4-tuple
+uses the heuristic that the client is the side with the greater port
+number.
+
+The default client and server are 192.168.1.1 12345 and 10.1.2.3 80
+respectively. $packet commands with a 4-tuple do not change client
+and server set with the other $packet commands.
+
+$packet commands should be followed by packet data, which may contain
+any combination of hex and strings. Data for a packet ends with the
+next command or a blank line. Data after a blank line will start
+another packet with the same tuple as the prior one.
+
+$sof and $eof commands generate Start of Flow and End of Flow
+metapackets respectively. They are followed by a definition of a
+Flow_Stats_t data structure which will be fed into Snort via the
+metadata callback.
+
+Strings may contain the following escape sequences:
+
+\r = 0x0D = carriage return
+\n = 0x0A = new line
+\t = 0x09 = tab
+\\ = 0x5C = \
+
+Format your input carefully; there is minimal error checking and
+little tolerance for arbitrary whitespace. You can use Snort’s -L
+hext option to generate hext input from a pcap.
+
+ * This module only supports ip4 traffic.
+ * This module is only supported by Snort 3. It is not compatible
+ with Snort 2.
+ * This module is primarily for development and test.
+
+The hext DAQ also supports a raw mode which is activated by setting
+the data link type. For example, you can input full ethernet packets
+with --daq-var dlt=1 (Data link types are defined in the DAQ include
+sfbpf_dlt.h.) Combine that with the hext logger in raw mode for a
+quick (and dirty) way to edit pcaps. With --lua "log_hext = { raw =
+true }", the hext logger will dump the full packet in a way that can
+be read by the hext DAQ in raw mode. Here is an example:
+
+# 3 [96]
+
+x02 09 08 07 06 05 02 01 02 03 04 05 08 00 45 00 00 52 00 03 # ..............E..R..
+x00 00 40 06 5C 90 0A 01 02 03 0A 09 08 07 BD EC 00 50 00 00 # ..@.\............P..
+x00 02 00 00 00 02 50 10 20 00 8A E1 00 00 47 45 54 20 2F 74 # ......P. .....GET /t
+x72 69 67 67 65 72 2F 31 20 48 54 54 50 2F 31 2E 31 0D 0A 48 # rigger/1 HTTP/1.1..H
+x6F 73 74 3A 20 6C 6F 63 61 6C 68 6F 73 74 0D 0A # ost: localhost..
+
+A comment indicating packet number and size precedes each packet
+dump. Note that the commands are not applicable in raw mode and have
+no effect.
+
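Review bot: the option name in the stack-configuration paragraph is wrong: "configured by subsequent --daq-var and --daq mode options" should read "--daq-mode", matching the option introduced earlier in this hunk ("The mode can be overridden on a per-DAQ module basis with the --daq-mode option on the command line"); as written it reads as a second --daq option rather than the mode override. Two smaller text defects in the same hunk: "The socket module provides provides a stream socket server" repeats "provides", and "The first character of the line determines it's purpose" should use "its". Lastly, "daq.modules[] is an array of module configurations pushed onto the stack from top to bottom" leaves the reader to infer that the first array entry is the base module; stating that explicitly, to mirror the command-line description (base module first, then wrapper modules in the desired order), would make the Lua and command-line forms unambiguously equivalent.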