set (VERSION_MAJOR 3)
set (VERSION_MINOR 1)
-set (VERSION_PATCH 18)
+set (VERSION_PATCH 19)
set (VERSION_SUBLEVEL 0)
set (VERSION "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}.${VERSION_SUBLEVEL}")
+2021/12/15 - 3.1.19.0
+
+appid,ssh: roll AppId's SSH detector into SSH service inspector
+appid: remove hard-coded SSH client patterns which are available as part of ODP
+build: add cppcheck suppressions for unusedFunctions
+build: clean up some cppcheck style issues
+build: move flex options to the template file
+cmake: fix CMP0115 Warning
+daq: sort --daq-list output by module name
+dce_smb: add new smb counters
+file_api: add null check for user file data
+file_api: handle file_data
+framework,appid: generate NO_SERVICE event when no inspector can be attached to a flow; wait for the event in appid before declaring service as unknown for the flow
+http_inspect,http2_inspect: refuse midstream pickups
+http_inspect: add JavaScript builtin de-aliasing
+http_inspect: rename js normalization options
+http_inspect: use correct detect_length for partial inspection cleanup
+loggers: fix truncated alert_syslog messages
+lua: configure a list of JS ignored IDs in default_http_inspect table
+managers: continue inspectors probe when packet has disable_inspect flag
+mime: add the support for vba macro data extraction of MS office files transferred over mime protocols
+parser: fix missing-prototypes warning in parse_ports.cc
+parser: fix parsing of portsets
+rpc: remove RpcSplitter altogether and use LogSplitter instead
+snort2lua: fix conversion of variable sets
+stream: add PKT_MORE_TO_FLUSH flag and use it in TcpReassembler::scan_data_post_ack() to signal AtomSplitter whether to flush or not
+stream: fix issue with atom splitter not returning FLUSH
+stream_tcp: remove unnecessary special adjustment methods
+utils: (JSTokenizer) fix braces initialization compilation error (gcc5)
+utils: fix state adjustment in JS Tokenizer
+utils: place init/deinit routine under a single function
+utils: update JS normalizer unit tests
+vlan: implement vlan encode function
+
2021/12/01 - 3.1.18.0
alert_sf_socket: remove obselete logger
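Review bot: the one-line entry "http_inspect: rename js normalization options" hides a configuration-breaking change. The documentation hunks further down in this diff show js_normalization_depth becoming js_norm_bytes_depth and js_norm_built_in_ident becoming js_norm_ident_ignore, so any existing http_inspect table that uses the old keys will fail to load. Spell out the old and new names in the ChangeLog line and say whether snort2lua or a deprecation alias covers the old keys. Likewise "http_inspect,http2_inspect: refuse midstream pickups" is a detection-visible change (flows picked up mid-stream are no longer HTTP-inspected) that deserves a sentence of explanation rather than a bare bullet.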
The Snort Team
Revision History
-Revision 3.1.18.0 2021-12-01 10:40:58 EST TST
+Revision 3.1.19.0 2021-12-15 06:07:48 EST TST
---------------------------------------------------------------------
* dce_smb.concurrent_sessions: total concurrent sessions (now)
* dce_smb.max_concurrent_sessions: maximum concurrent sessions
(max)
+ * dce_smb.total_smb1_sessions: total smb1 sessions (sum)
+ * dce_smb.total_smb2_sessions: total smb2 sessions (sum)
+ * dce_smb.total_encrypted_sessions: total encrypted sessions (sum)
+ * dce_smb.total_mc_sessions: total multichannel sessions (sum)
5.12. dce_tcp
immediately upon script end
* bool http_inspect.normalize_javascript = false: use legacy
normalizer to normalize JavaScript in response bodies
- * int http_inspect.js_normalization_depth = -1: number of input
+ * int http_inspect.js_norm_bytes_depth = -1: number of input
JavaScript bytes to normalize (-1 unlimited) { -1:max53 }
* int http_inspect.js_norm_identifier_depth = 65536: max number of
unique JavaScript identifiers to normalize { 0:65536 }
* int http_inspect.js_norm_max_scope_depth = 256: maximum depth of
scope nesting that enhanced JavaScript normalizer will process {
1:65535 }
- * string http_inspect.js_norm_built_in_ident[].ident_name: name of
- built-in identifier
+ * string http_inspect.js_norm_ident_ignore[].ident_name: name of
+ the identifier to ignore
* int http_inspect.max_javascript_whitespaces = 200: maximum
consecutive whitespaces allowed within the JavaScript obfuscated
data { 1:65535 }
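Review bot: the replacement description "name of the identifier to ignore" for js_norm_ident_ignore[].ident_name drops what "ignore" means. The manual text later in this diff explains that ignored identifiers are left unsubstituted and that the chain of dot and bracket accessors and calls after them is preserved as well; the option table should say at least "identifier (object or function name) left unsubstituted by the normalizer", because rule writers matching on js_data need to know these names survive normalization verbatim.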
attachments
* bool imap.decompress_zip = false: decompress zip files in MIME
attachments
+ * bool imap.decompress_vba = false: decompress MS Office Visual
+ Basic for Applications macro files in MIME attachments
* int imap.qp_decode_depth = -1: quoted Printable decoding depth
(-1 no limit) { -1:65535 }
* int imap.uu_decode_depth = -1: Unix-to-Unix decoding depth (-1 no
attachments
* bool pop.decompress_zip = false: decompress zip files in MIME
attachments
+ * bool pop.decompress_vba = false: decompress MS Office Visual
+ Basic for Applications macro files in MIME attachments
* int pop.qp_decode_depth = -1: Quoted Printable decoding depth (-1
no limit) { -1:65535 }
* int pop.uu_decode_depth = -1: Unix-to-Unix decoding depth (-1 no
attachments
* bool smtp.decompress_zip = false: decompress zip files in MIME
attachments
+ * bool smtp.decompress_vba = false: decompress MS Office Visual
+ Basic for Applications macro files in MIME attachments
* int smtp.email_hdrs_log_depth = 1464: depth for logging email
headers { 0:20480 }
* bool smtp.ignore_data = false: ignore data section of mail
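Review bot: the description "decompress MS Office Visual Basic for Applications macro files in MIME attachments" does not match what the ChangeLog calls the feature ("vba macro data extraction"); the option is named decompress_vba for symmetry with decompress_zip and decompress_swf, but what it does is extract macro source from Office documents. Say that in the description for imap, pop and smtp, and cross-reference the vba_data rule option (section 5.10.6.15) so users understand that enabling this is what makes macro contents available for rule matching.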
mapping to normalize characters
* string http_inspect.iis_unicode_map_file: file containing code
points for IIS unicode. { (optional) }
- * int http_inspect.js_normalization_depth = -1: number of input
+ * int http_inspect.js_norm_bytes_depth = -1: number of input
JavaScript bytes to normalize (-1 unlimited) { -1:max53 }
- * string http_inspect.js_norm_built_in_ident[].ident_name: name of
- built-in identifier
* int http_inspect.js_norm_identifier_depth = 65536: max number of
unique JavaScript identifiers to normalize { 0:65536 }
+ * string http_inspect.js_norm_ident_ignore[].ident_name: name of
+ the identifier to ignore
* int http_inspect.js_norm_max_bracket_depth = 256: maximum depth
of bracket nesting that enhanced JavaScript normalizer will
process { 1:65535 }
attachments
* bool imap.decompress_swf = false: decompress swf files in MIME
attachments
+ * bool imap.decompress_vba = false: decompress MS Office Visual
+ Basic for Applications macro files in MIME attachments
* bool imap.decompress_zip = false: decompress zip files in MIME
attachments
* int imap.qp_decode_depth = -1: quoted Printable decoding depth
attachments
* bool pop.decompress_swf = false: decompress swf files in MIME
attachments
+ * bool pop.decompress_vba = false: decompress MS Office Visual
+ Basic for Applications macro files in MIME attachments
* bool pop.decompress_zip = false: decompress zip files in MIME
attachments
* int pop.qp_decode_depth = -1: Quoted Printable decoding depth (-1
attachments
* bool smtp.decompress_swf = false: decompress swf files in MIME
attachments
+ * bool smtp.decompress_vba = false: decompress MS Office Visual
+ Basic for Applications macro files in MIME attachments
* bool smtp.decompress_zip = false: decompress zip files in MIME
attachments
* int smtp.email_hdrs_log_depth = 1464: depth for logging email
reassembled (sum)
* dce_smb.smb_server_segs_reassembled: total smb server segments
reassembled (sum)
+ * dce_smb.total_encrypted_sessions: total encrypted sessions (sum)
+ * dce_smb.total_mc_sessions: total multichannel sessions (sum)
+ * dce_smb.total_smb1_sessions: total smb1 sessions (sum)
+ * dce_smb.total_smb2_sessions: total smb2 sessions (sum)
* dce_smb.v2_bad_next_cmd_offset: total number of SMBv2 packets
seen with invalid next command offset (sum)
* dce_smb.v2_cls_err_resp: total number of SMBv2 close error
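Review bot: the four new dce_smb counters are inserted here in the order total_encrypted_sessions, total_mc_sessions, total_smb1_sessions, total_smb2_sessions, but in the earlier copy of this list in the diff they appear as total_smb1_sessions, total_smb2_sessions, total_encrypted_sessions, total_mc_sessions. If both lists are generated from the same peg table, one output is stale; regenerate so the manual variants agree. Consider also stating what qualifies a session as "encrypted" or "multichannel" in the counter descriptions, since these counters will be read as an indicator of traffic that SMB inspection cannot see into.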
The Snort Team
Revision History
-Revision 3.1.18.0 2021-12-01 10:40:47 EST TST
+Revision 3.1.19.0 2021-12-15 06:07:38 EST TST
---------------------------------------------------------------------
The Snort Team
Revision History
-Revision 3.1.18.0 2021-12-01 10:40:47 EST TST
+Revision 3.1.19.0 2021-12-15 06:07:38 EST TST
---------------------------------------------------------------------
Normalizer. The Enhanced Normalizer can normalize inline/external
scripts. It supports scripts over multiple PDUs. It is a stateful
JavaScript whitespace and identifiers normalizer. All JavaScript
-identifier names, except those, are from the list of built-in
-identifiers, will be substituted to unified names with the following
-format: var_0000 → var_ffff. Moreover, Normalizer validates the
-syntax concerning ECMA-262 Standard, including scope tracking, and
-checks for restrictions for contents of script elements (since it is
-HTML-embedded JavaScript). For more information on how additionally
-configure Enhanced Normalizer check the following http_inspect
-options: js_normalization_depth, js_norm_identifier_depth,
-js_norm_max_tmpl_nest, js_norm_max_bracket_depth,
-js_norm_max_scope_depth, js_norm_built_in_ident. Eventually Enhanced
-Normalizer will completely replace Legacy Normalizer.
+identifier names, except those from the ignore list, will be
+substituted with unified names in the following format: var_0000 →
+var_ffff. Moreover, Normalizer validates the syntax concerning
+ECMA-262 Standard, including scope tracking and restrictions for
+script elements. For more information on how additionally configure
+Enhanced Normalizer check with the following configuration options:
+js_norm_bytes_depth, js_norm_identifier_depth, js_norm_max_tmpl_nest,
+js_norm_max_bracket_depth, js_norm_max_scope_depth,
+js_norm_ident_ignore. Eventually Enhanced Normalizer will completely
+replace Legacy Normalizer.
5.10.3. Configuration
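Review bot: grammar in the replacement paragraph: "For more information on how additionally configure Enhanced Normalizer check with the following configuration options" should read "For more information on how to further configure the Enhanced Normalizer, see the following configuration options". The rewrite also dropped the justification for the script-element restrictions, "(since it is HTML-embedded JavaScript)", which explains why the normalizer checks them; keep that clause. The renamed options listed in the paragraph (js_norm_bytes_depth, js_norm_ident_ignore) are consistent with the renames elsewhere in the diff.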
space and normalizes the plus by concatenating the strings. Such
normalizations refer to basic JavaScript normalization.
-5.10.3.9. js_normalization_depth
+5.10.3.9. js_norm_bytes_depth
-js_normalization_depth = N {-1 : max53} will set a number of input
+js_norm_bytes_depth = N {-1 : max53} will set a number of input
JavaScript bytes to normalize. When the depth is reached,
normalization will be stopped. It’s implemented per-script. By
-default js_normalization_depth = -1, will set unlimited depth. The
+default js_norm_bytes_depth = -1, will set unlimited depth. The
enhanced normalizer provides more precise whitespace normalization of
JavaScript, that removes all redundant whitespaces and line
terminators from the JavaScript syntax point of view (between
loops, code block, object scope, etc. This option is present to limit
the amount of memory dedicated to this tracking.
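Review bot: "js_norm_bytes_depth = N {-1 : max53} will set a number of input JavaScript bytes to normalize" should be "sets the number of input JavaScript bytes to normalize"; the same phrasing was in the old text and this rename was the moment to fix it. Because the section keeps its number (5.10.3.9) but changes its title, readers following older references will no longer find js_normalization_depth anywhere in the manual; add "(formerly js_normalization_depth)" to the first sentence. The unchanged context just after the hunk also opens a parenthesis, "(between loops, code block, object scope, etc.", that is never closed.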
-5.10.3.14. js_norm_built_in_ident
+5.10.3.14. js_norm_ident_ignore
-js_norm_built_in_ident = {<the list of built-in JavaScript identifier
-names>}. The default list is present in "snort_defaults.lua".
+js_norm_ident_ignore = {<a list of ignored identifiers>}. The default
+list is present in "snort_defaults.lua".
-The built-in JavaScript identifiers will be placed as is, without
-substitution. Normalizer tracks built-in identifier expressions based
-on the configured list of built-in names. The built-in identifier
-expression is the built-in name (function or object) and the chain of
-dot and bracket accessors after it, including the function calls. For
-example:
+The Normalizer does not substitute ignored identifiers, keeping their
+name unchanged. Additionally, the Normalizer tracks expressions with
+ignored identifiers, so the subsequent identifiers are not
+substituted in the chain of dots, bracket accessors and function
+calls. For example:
console.log("bar")
document.getElementById("id").text
The list must contain object and function names only. For example:
-http_inspect.js_norm_built_in_ident = { 'console', 'document', 'eval', 'foo' }
+http_inspect.js_norm_ident_ignore = { 'console', 'document', 'eval', 'foo' }
5.10.3.15. xff_headers
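Review bot: the rewritten text says ignored identifiers keep their names "in the chain of dots, bracket accessors and function calls", but it no longer states that the chain is anchored on the ignored name being the head of the expression, which the old text made explicit ("the built-in name (function or object) and the chain of dot and bracket accessors after it"). Restore that, and clarify whether identifiers appearing as call arguments inside such a chain are still substituted, since rules matching on js_data depend on the answer. In the example list { 'console', 'document', 'eval', 'foo' }, label 'foo' as a placeholder for a user-defined name so it is not copied into production configurations. Finally, confirm that the default list in snort_defaults.lua was renamed in the same change; the ChangeLog entry "lua: configure a list of JS ignored IDs in default_http_inspect table" suggests it was.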
The js_data contains normalized JavaScript text collected from the
whole PDU (inline or external scripts). It requires the Enhanced
-Normalizer enabled: http_inspect = { js_normalization_depth = N },
-js_normalization_depth option is described above. Despite what
-js_data has, file_data still contains the whole HTTP body with an
-original JavaScript in it.
+Normalizer enabled: http_inspect = { js_norm_bytes_depth = N },
+js_norm_bytes_depth option is described above. Despite what js_data
+has, file_data still contains the whole HTTP body with an original
+JavaScript in it.
5.10.6.15. vba_data
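Review bot: the statement that js_data "requires the Enhanced Normalizer enabled: http_inspect = { js_norm_bytes_depth = N }" conflicts with the option table earlier in this diff, where js_norm_bytes_depth defaults to -1 meaning unlimited; a reader cannot tell whether the enhanced normalizer is on by default or which value, if any, turns it off. State the enabling condition explicitly. Also "Despite what js_data has" reads better as "Regardless of what js_data contains".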