+2020/12/20 - 3.0.3 build 6
+
+-- active: Fix falling back on using raw IP for active responses when no device is specified
+-- appid: Add support for apps, http host, url and tls host in HA
+-- appid: Allow checking appid availability for a given http/2 stream
+-- appid: Change terms used in code, logs and peg counts
+-- appid: Do not override http fields with empty values
+-- appid: Dump userappid configurations upon reloading third-party
+-- appid: For http2 flow, return service id as http2 when no streams are yet created
+-- appid: Mark reload third-party complete after unloading old library and creating new third-party
+ context
+-- appid: Print more descriptive error message when lua detector registers invalid pattern
+-- binder: Pass service to get_bindings on flow service change
+-- binder: Specify service inspector type when getting a gadget instance
+-- build: Clean up various cppcheck warnings
+-- catch: Avoid using INTERNAL_CATCH_UNIQUE_NAME in our headers
+-- catch: Update to Catch v2.13.3
+-- dce_rpc: Fixed incorrect access of FileFlows while pruning the flow
+-- file_api: Fixed stats which weren't cleared when there were no stats for signature processing
+-- file_api: Handle resume block when multiple file rules are configured with store option enabled
+-- flow: Pause logging during timeout processing
+-- helpers: Handle SIGILL and SIGFPE with the oops handler
+-- high_availability: Add check for packet key equals HA key before consume
+-- host_attributes: Better error handling for reload to eliminate double free and memory leaks
+-- http2_inspect: Check for invalid flags
+-- http2_inspect: Fix bug with exceeding inspection depth
+-- http2_inspect: Fix empty queue access and some bookkeeping
+-- http2_inspect: Handle connection close during headers frames
+-- http2_inspect: Handle discard
+-- http2_inspect: HI error handling improvements
+-- http2_inspect: Improve error handling
+-- http2_inspect: Remove 0 length scan for most cases
+-- http_inspect: Explicit memory allocation for transactions and partial inspections
+-- http_inspect: Script detection for HTTP/2
+-- inspector_manager: Remove unused inspector_exists_in_any_policy() function
+-- inspector: Remove obsolete metapacket processing functionality
+-- main: Convert Request to shared_ptr to avoid memory problems
+-- main: Fix memory leak in reload_config() caused by incorrect code merge
+-- managers: Add inspector type in the help module output
+-- managers: Don't allow a referenced inspector to stall emptying the trash
+-- managers: Track removed inspectors during reload and call tear_down and tterm to release
+ resources
+-- packet_io: Export forwarding_packet() function
+-- packet_tracer: Fix the debug session information for non-ip packets
+-- parser: Add escaping for double quotes and special chars in a rule body
+-- parser: Fix escape logic for --dump-rule-meta output
+-- reload: Reset default policies after failed reload
+-- request: Expose methods to be used in plugins
+-- rna: Do null check in the Inspector rather than the Module in the control commands
+-- rna: Generate new host event for CDP traffic
+-- rna: Make the mac cache persist over reload config
+-- rna: Reduce host cache lock usage to improve performance
+-- rna: Remove unused function
+-- rna: Replace some tabs with spaces as per style guidelines
+-- rna: Support data purge command
+-- rna: Support DHCP fingerprint matching and event generation
+-- rna: Use service ip and port provided by appid for DHCP discovery events
+-- shell: Change terms used in code, logs and peg counts
+-- shell: Support for loading configuration in lua sandbox
+-- snort: Add OopsHandlerSuspend for suspending Snort's crash handler
+-- stream: Fix stream clean up when going from enabled to disabled
+-- stream_ha: Only flush on HA deactivate if not in STANDBY, set HA state to STANDBY when new Flow
+ is created
+-- stream_tcp: Initialize the alerts array to empty when a TcpReassembler instance is initialized
+ or reset
+-- stream_tcp: Set interfaces in both directions
+
2020/11/16 - 3.0.3 build 5
-- appid: Add unit test to verify HA data for flow unmonitored by appid
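Review bot: the build 6 entries never record that http2_inspect builtin rule identifiers were repurposed, yet the documentation hunks in this same change show 121:1, 121:3, 121:10, 121:15 and 121:21 receiving new messages and 121:27 through 121:30 being deleted; that is a user-visible change to alert identifiers and needs its own line next to "http2_inspect: Check for invalid flags", something like "-- http2_inspect: Reassign SIDs 121:1/3/10/15/21 and remove 121:27-30". Two smaller points: the dce_rpc and file_api entries are written in past tense ("Fixed incorrect access...", "Fixed stats which weren't cleared...") while every other entry is imperative, and the two "Change terms used in code, logs and peg counts" entries (appid, shell) name no terms, so anyone parsing Snort logs or scraping peg names cannot tell from the ChangeLog which strings changed under them.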
The Snort Team
Revision History
-Revision 3.0.3 (Build 5) 2020-11-16 12:11:59 EST TST
+Revision 3.0.3 (Build 6) 2020-12-20 13:38:32 EST TST
---------------------------------------------------------------------
consumed (sum)
* high_availability.daq_stores: states stored via daq (sum)
* high_availability.daq_imports: states imported via daq (sum)
+ * high_availability.key_mismatch: messages received with a flow key
+ mismatch (sum)
* high_availability.msg_version_mismatch: messages received with a
version mismatch (sum)
* high_availability.msg_length_mismatch: messages received with an
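Review bot: the new "high_availability.key_mismatch" description says what was received but not what was done with it; the matching ChangeLog entry ("Add check for packet key equals HA key before consume") implies the message is not consumed, and the peg text should say so, e.g. "messages whose flow key did not match the packet key and were not consumed (sum)", so an operator watching this counter climb understands it as HA state being rejected rather than a neutral statistic. Stating which key is the reference (the packet's, per the ChangeLog) also removes the ambiguity in "a flow key mismatch".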
* implied snort.--list-plugins: list all known plugins
* string snort.--lua: <chunk> extend/override conf with chunk; may
be repeated
+ * string snort.--lua-sandbox: <file> file that contains the lua
+ sandbox environment in which config will be loaded
* int snort.--logid: <0xid> log Identifier to uniquely id events
for multiple snorts (same as -G) { 0:65535 }
* implied snort.--markup: output help in asciidoc compatible format
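Review bot: the "--lua-sandbox" help says only that the file "contains the lua sandbox environment in which config will be loaded"; it should state what the file is expected to define (the environment the configuration chunk runs in) and what the config is consequently prevented from reaching when the option is given, presumably the Lua "os", "io" and similar libraries, since otherwise a user cannot tell whether running without the option is a security regression or simply the default. It should also say how the option composes with "--lua" on the adjacent line: are chunks passed with "--lua" evaluated inside the same sandbox or outside it? That distinction decides whether the sandbox can be bypassed from the command line.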
Help: application and service identification
-Type: inspector
+Type: inspector (control)
Usage: context
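Review bot: the help output now carries a parenthesised inspector type (control, passive, network, service, packet, probe, stream and wizard all appear in this change), but no visible text defines those types, their ordering, or which of them a plugin author is allowed to return. Since other entries in this build key on the type ("binder: Specify service inspector type when getting a gadget instance", "managers: Add inspector type in the help module output"), the manual should get one table defining each type before this per-module annotation is useful; a reader of "appid ... (control)" versus "reputation ... (network)" currently has no way to learn what the difference means for evaluation order.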
Help: log selected published data to appid_listener.log
-Type: inspector
+Type: inspector (passive)
Usage: context
Help: detect ARP attacks and anomalies
-Type: inspector
+Type: inspector (network)
Usage: inspect
Help: back orifice detection
-Type: inspector
+Type: inspector (network)
Usage: inspect
Help: configure processing based on CIDRs, ports, services, etc.
-Type: inspector
+Type: inspector (passive)
Usage: inspect
Help: cip inspection
-Type: inspector
+Type: inspector (service)
Usage: inspect
Help: log selected published data to data.log
-Type: inspector
+Type: inspector (passive)
Usage: inspect
Help: dce over http inspection - client to/from proxy
-Type: inspector
+Type: inspector (service)
Usage: inspect
Help: dce over http inspection - proxy to/from server
-Type: inspector
+Type: inspector (service)
Usage: inspect
Help: dce over smb inspection
-Type: inspector
+Type: inspector (service)
Usage: inspect
Help: dce over tcp inspection
-Type: inspector
+Type: inspector (service)
Usage: inspect
Help: dce over udp inspection
-Type: inspector
+Type: inspector (service)
Usage: inspect
Help: dnp3 inspection
-Type: inspector
+Type: inspector (service)
Usage: inspect
Help: dns inspection
-Type: inspector
+Type: inspector (service)
Usage: inspect
Help: alert on configured HTTP domains
-Type: inspector
+Type: inspector (passive)
Usage: inspect
Help: dynamic inspector example
-Type: inspector
+Type: inspector (network)
Usage: inspect
Help: configure file identification
-Type: inspector
+Type: inspector (passive)
Usage: global
Help: log file event to file.log
-Type: inspector
+Type: inspector (passive)
Usage: inspect
Help: FTP client configuration module for use with ftp_server
-Type: inspector
+Type: inspector (passive)
Usage: inspect
Help: FTP data channel handler
-Type: inspector
+Type: inspector (service)
Usage: inspect
Help: main FTP module; ftp_client should also be configured
-Type: inspector
+Type: inspector (service)
Usage: inspect
Help: gtp control channel inspection
-Type: inspector
+Type: inspector (service)
Usage: inspect
Help: HTTP/2 inspector
-Type: inspector
+Type: inspector (service)
Usage: inspect
Rules:
- * 121:1 (http2_inspect) error in HPACK integer value
+ * 121:1 (http2_inspect) invalid flag set on HTTP/2 frame
* 121:2 (http2_inspect) HPACK integer value has leading zeros
- * 121:3 (http2_inspect) error in HPACK string value
+ * 121:3 (http2_inspect) HTTP/2 stream initiated with invalid stream
+ id
* 121:4 (http2_inspect) missing HTTP/2 continuation frame
* 121:5 (http2_inspect) unexpected HTTP/2 continuation frame
* 121:6 (http2_inspect) misformatted HTTP/2 traffic
* 121:8 (http2_inspect) HTTP/2 request missing required header
field
* 121:9 (http2_inspect) HTTP/2 response has no status code
- * 121:10 (http2_inspect) HTTP/2 invalid header field
+ * 121:10 (http2_inspect) HTTP/2 CONNECT request with scheme or path
* 121:11 (http2_inspect) error in HTTP/2 settings frame
* 121:12 (http2_inspect) unknown parameter in HTTP/2 settings frame
* 121:13 (http2_inspect) invalid HTTP/2 frame sequence
* 121:14 (http2_inspect) HTTP/2 dynamic table size limit exceeded
- * 121:15 (http2_inspect) invalid HTTP/2 start line
+ * 121:15 (http2_inspect) HTTP/2 push promise frame with invalid
+ promised stream id
* 121:16 (http2_inspect) HTTP/2 padding length is bigger than frame
data size
* 121:17 (http2_inspect) HTTP/2 pseudo-header after regular header
* 121:18 (http2_inspect) HTTP/2 pseudo-header in trailers
* 121:19 (http2_inspect) invalid HTTP/2 pseudo-header
* 121:20 (http2_inspect) HTTP/2 trailers without END_STREAM bit
- * 121:21 (http2_inspect) padding flag set on invalid HTTP/2 frame
- type
+ * 121:21 (http2_inspect) HTTP/2 push promise frame sent when
+ prohibited by receiver
* 121:22 (http2_inspect) padding flag set on HTTP/2 frame with zero
length
* 121:23 (http2_inspect) HTTP/2 push promise frame in c2s direction
time
* 121:26 (http2_inspect) invalid parameter value sent in HTTP/2
settings frame
- * 121:27 (http2_inspect) HTTP/2 push promise frame sent when
- prohibited by receiver
- * 121:28 (http2_inspect) HTTP/2 push promise frame with invalid
- promised stream id
- * 121:29 (http2_inspect) HTTP/2 stream initiated with invalid
- stream id
- * 121:30 (http2_inspect) invalid flag set on HTTP/2 frame
Peg counts:
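Review bot: this hunk changes the meaning of existing rule identifiers instead of retiring them: 121:1 goes from "error in HPACK integer value" to "invalid flag set on HTTP/2 frame", 121:3 from "error in HPACK string value" to "HTTP/2 stream initiated with invalid stream id", and 121:10, 121:15 and 121:21 likewise, while 121:27 through 121:30, whose messages are the ones now reassigned, are deleted. Any suppress, threshold, rule_state entry or SIEM mapping keyed on gid:sid from build 5 will silently apply to a different condition; a "suppress = { { gid = 121, sid = 1 } }" written to quiet HPACK integer noise now hides invalid-flag alerts. If the old HPACK integer and string alerts are really gone, leave their SIDs unused and keep 27 through 30 where they were; if the intent is to compact the range, the release notes need an explicit old-to-new SID mapping, and the ChangeLog entry for this build should name the change.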
Help: HTTP inspector
-Type: inspector
+Type: inspector (service)
Usage: inspect
cutovers to wizard (sum)
* http_inspect.ssl_srch_abandoned_early: total SSL search abandoned
too soon (sum)
+ * http_inspect.pipelined_flows: total HTTP connections containing
+ pipelined requests (sum)
+ * http_inspect.pipelined_requests: total requests placed in a
+ pipeline (sum)
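Review bot: "http_inspect.pipelined_flows" and "http_inspect.pipelined_requests" are new peg counts, but the build 6 ChangeLog in this same change has no http_inspect entry about pipelining (only "Explicit memory allocation for transactions and partial inspections" and "Script detection for HTTP/2"), so either the ChangeLog is missing an entry or these pegs come from a different change that was swept in when the docs were regenerated; please reconcile. The second description should also say whether "requests placed in a pipeline" counts the first request of a pipelined sequence or only those queued behind an outstanding response, since the two readings differ by exactly pipelined_flows.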
5.25. imap
Help: imap inspection
-Type: inspector
+Type: inspector (service)
Usage: inspect
Help: for testing memory management
-Type: inspector
+Type: inspector (service)
Usage: inspect
Help: modbus inspection
-Type: inspector
+Type: inspector (service)
Usage: inspect
Help: netflow inspection
-Type: inspector
+Type: inspector (service)
Usage: inspect
Help: packet scrubbing for inline mode
-Type: inspector
+Type: inspector (packet)
Usage: inspect
Help: trace logger with a null printout
-Type: inspector
+Type: inspector (passive)
Usage: global
Help: raw packet dumping facility
-Type: inspector
+Type: inspector (probe)
Usage: global
Help: performance monitoring and flow statistics collection
-Type: inspector
+Type: inspector (probe)
Usage: global
Help: pop inspection
-Type: inspector
+Type: inspector (service)
Usage: inspect
Help: detect various ip, icmp, tcp, and udp port or protocol scans
-Type: inspector
+Type: inspector (probe)
Usage: global
Help: reputation inspection
-Type: inspector
+Type: inspector (network)
Usage: global
Help: Real-time network awareness and OS fingerprinting
(experimental)
-Type: inspector
+Type: inspector (control)
Usage: context
of user agent string
* string rna.tcp_fingerprints[].host_name: host name information
* string rna.tcp_fingerprints[].device: device information
+ * string rna.tcp_fingerprints[].dhcp55: dhcp option 55 values
+ * string rna.tcp_fingerprints[].dhcp60: dhcp option 60 values
* int rna.ua_fingerprints[].fpid = 0: fingerprint id { 0:max32 }
* int rna.ua_fingerprints[].type = 0: fingerprint type { 0:max32 }
* string rna.ua_fingerprints[].uuid: fingerprint uuid
of user agent string
* string rna.ua_fingerprints[].host_name: host name information
* string rna.ua_fingerprints[].device: device information
+ * string rna.ua_fingerprints[].dhcp55: dhcp option 55 values
+ * string rna.ua_fingerprints[].dhcp60: dhcp option 60 values
+ * int rna.udp_fingerprints[].fpid = 0: fingerprint id { 0:max32 }
+ * int rna.udp_fingerprints[].type = 0: fingerprint type { 0:max32 }
+ * string rna.udp_fingerprints[].uuid: fingerprint uuid
+ * int rna.udp_fingerprints[].ttl = 0: fingerprint ttl { 0:256 }
+ * string rna.udp_fingerprints[].tcp_window: fingerprint tcp window
+ * string rna.udp_fingerprints[].mss = X: fingerprint mss
+ * string rna.udp_fingerprints[].id = X: id
+ * string rna.udp_fingerprints[].topts: fingerprint tcp options
+ * string rna.udp_fingerprints[].ws = X: fingerprint window size
+ * bool rna.udp_fingerprints[].df = false: fingerprint don’t
+ fragment flag
+ * enum rna.udp_fingerprints[].ua_type = os: type of user agent
+ fingerprints { os | device | jail-broken | jail-broken-host }
+ * string rna.udp_fingerprints[].user_agent[].substring: a substring
+ of user agent string
+ * string rna.udp_fingerprints[].host_name: host name information
+ * string rna.udp_fingerprints[].device: device information
+ * string rna.udp_fingerprints[].dhcp55: dhcp option 55 values
+ * string rna.udp_fingerprints[].dhcp60: dhcp option 60 values
Commands:
* rna.delete_mac_host(mac): delete a MAC from rna’s MAC cache
* rna.delete_mac_host_proto(mac, proto): delete a protocol
associated with a MAC host
+ * rna.purge_data(): purge all host cache and mac cache data
Peg counts:
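Review bot: "rna.udp_fingerprints[].ttl = 0: fingerprint ttl { 0:256 }" admits 256, which no IP TTL can hold (the field is 8 bits, maximum 255); the bound should be { 0:255 } unless 256 is deliberately a "not set" sentinel, in which case the help text should say so. More broadly, the new udp_fingerprints list carries every field of the TCP and user-agent lists (tcp_window, mss, topts, ws, df, ua_type, user_agent[].substring) although the only UDP fingerprint this build adds is DHCP ("rna: Support DHCP fingerprint matching and event generation") and is keyed on option 55 and 60 values; conversely dhcp55 and dhcp60 have been added to tcp_fingerprints and ua_fingerprints. One parameter table appears to be shared by all three lists; if that is intentional, document which fields each list honours, otherwise split the table so a "topts" value under a UDP fingerprint is rejected instead of accepted. On the command in the same hunk, "rna.purge_data(): purge all host cache and mac cache data" gives an operator no warning that the action is not undoable and that all discovery state, including the DHCP leases this build starts tracking, must be rebuilt from subsequent traffic; since delete_mac_host and delete_mac_host_proto are scoped to one MAC, say explicitly that purge_data is the whole-cache operation, and, given "rna: Make the mac cache persist over reload config", say whether purge_data is now the only way to clear that cache short of a restart.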
tracking (sum)
* rna.change_host_update: count number of change host update events
(sum)
+ * rna.dhcp_data: count of DHCP data events received (sum)
+ * rna.dhcp_info: count of new DHCP lease events received (sum)
5.37. rpc_decode
Help: RPC inspector
-Type: inspector
+Type: inspector (service)
Usage: inspect
Help: s7commplus inspection
-Type: inspector
+Type: inspector (service)
Usage: inspect
Help: sip inspection
-Type: inspector
+Type: inspector (service)
Usage: inspect
Help: smtp inspection
-Type: inspector
+Type: inspector (service)
Usage: inspect
Help: a proxy inspector to track flow data from SO rules (internal
use only)
-Type: inspector
+Type: inspector (passive)
Usage: global
Help: ssh inspection
-Type: inspector
+Type: inspector (service)
Usage: inspect
Help: ssl inspection
-Type: inspector
+Type: inspector (service)
Usage: inspect
Help: common flow tracking
-Type: inspector
+Type: inspector (stream)
Usage: global
Help: stream inspector for file flow tracking and processing
-Type: inspector
+Type: inspector (stream)
Usage: inspect
Help: stream inspector for ICMP flow tracking
-Type: inspector
+Type: inspector (stream)
Usage: inspect
Help: stream inspector for IP flow tracking and defragmentation
-Type: inspector
+Type: inspector (stream)
Usage: inspect
Help: stream inspector for TCP flow tracking and stream normalization
and reassembly
-Type: inspector
+Type: inspector (stream)
Usage: inspect
Help: stream inspector for UDP flow tracking
-Type: inspector
+Type: inspector (stream)
Usage: inspect
Help: stream inspector for user flow tracking and reassembly
-Type: inspector
+Type: inspector (stream)
Usage: inspect
Help: telnet inspection and normalization
-Type: inspector
+Type: inspector (service)
Usage: inspect
Help: inspector that implements port-independent protocol
identification
-Type: inspector
+Type: inspector (wizard)
Usage: inspect
type (optional)
* --list-plugins list all known plugins
* --lua <chunk> extend/override conf with chunk; may be repeated
+ * --lua-sandbox <file> file that contains the lua sandbox
+ environment in which config will be loaded
* --logid <0xid> log Identifier to uniquely id events for multiple
snorts (same as -G) (0:65535)
* --markup output help in asciidoc compatible format
* string rna.tcp_fingerprints[].device: device information
* bool rna.tcp_fingerprints[].df = false: fingerprint don’t
fragment flag
+ * string rna.tcp_fingerprints[].dhcp55: dhcp option 55 values
+ * string rna.tcp_fingerprints[].dhcp60: dhcp option 60 values
* int rna.tcp_fingerprints[].fpid = 0: fingerprint id { 0:max32 }
* string rna.tcp_fingerprints[].host_name: host name information
* string rna.tcp_fingerprints[].id = X: id
* string rna.ua_fingerprints[].device: device information
* bool rna.ua_fingerprints[].df = false: fingerprint don’t fragment
flag
+ * string rna.ua_fingerprints[].dhcp55: dhcp option 55 values
+ * string rna.ua_fingerprints[].dhcp60: dhcp option 60 values
* int rna.ua_fingerprints[].fpid = 0: fingerprint id { 0:max32 }
* string rna.ua_fingerprints[].host_name: host name information
* string rna.ua_fingerprints[].id = X: id
of user agent string
* string rna.ua_fingerprints[].uuid: fingerprint uuid
* string rna.ua_fingerprints[].ws = X: fingerprint window size
+ * string rna.udp_fingerprints[].device: device information
+ * bool rna.udp_fingerprints[].df = false: fingerprint don’t
+ fragment flag
+ * string rna.udp_fingerprints[].dhcp55: dhcp option 55 values
+ * string rna.udp_fingerprints[].dhcp60: dhcp option 60 values
+ * int rna.udp_fingerprints[].fpid = 0: fingerprint id { 0:max32 }
+ * string rna.udp_fingerprints[].host_name: host name information
+ * string rna.udp_fingerprints[].id = X: id
+ * string rna.udp_fingerprints[].mss = X: fingerprint mss
+ * string rna.udp_fingerprints[].tcp_window: fingerprint tcp window
+ * string rna.udp_fingerprints[].topts: fingerprint tcp options
+ * int rna.udp_fingerprints[].ttl = 0: fingerprint ttl { 0:256 }
+ * int rna.udp_fingerprints[].type = 0: fingerprint type { 0:max32 }
+ * enum rna.udp_fingerprints[].ua_type = os: type of user agent
+ fingerprints { os | device | jail-broken | jail-broken-host }
+ * string rna.udp_fingerprints[].user_agent[].substring: a substring
+ of user agent string
+ * string rna.udp_fingerprints[].uuid: fingerprint uuid
+ * string rna.udp_fingerprints[].ws = X: fingerprint window size
* int rpc.~app: application number { 0:max32 }
* string rpc.~proc: procedure number or * for any
* string rpc.~ver: version number or * for any
for multiple snorts (same as -G) { 0:65535 }
* string snort.--lua: <chunk> extend/override conf with chunk; may
be repeated
+ * string snort.--lua-sandbox: <file> file that contains the lua
+ sandbox environment in which config will be loaded
* implied snort.--markup: output help in asciidoc compatible format
* int snort.--max-packet-threads: <count> configure maximum number
of packet threads (same as -z) { 0:max32 }
* high_availability.daq_stores: states stored via daq (sum)
* high_availability.delete_msgs_consumed: deletion messages
consumed (sum)
+ * high_availability.key_mismatch: messages received with a flow key
+ mismatch (sum)
* high_availability.msg_length_mismatch: messages received with an
inconsistent total length (sum)
* high_availability.msgs_recv: total messages received (sum)
* http_inspect.parameters: HTTP parameters inspected (sum)
* http_inspect.partial_inspections: pre-inspections for detained
inspection (sum)
+ * http_inspect.pipelined_flows: total HTTP connections containing
+ pipelined requests (sum)
+ * http_inspect.pipelined_requests: total requests placed in a
+ pipeline (sum)
* http_inspect.post_requests: POST requests inspected (sum)
* http_inspect.put_requests: PUT requests inspected (sum)
* http_inspect.reassembles: TCP segments combined into HTTP
* rna.appid_change: count of appid change events received (sum)
* rna.change_host_update: count number of change host update events
(sum)
+ * rna.dhcp_data: count of DHCP data events received (sum)
+ * rna.dhcp_info: count of new DHCP lease events received (sum)
* rna.icmp_bidirectional: count of bidirectional ICMP flows
received (sum)
* rna.icmp_new: count of new ICMP flows received (sum)
message completed
* 119:259 (http_inspect) malformed HTTP Content-Disposition
filename parameter
- * 121:1 (http2_inspect) error in HPACK integer value
+ * 121:1 (http2_inspect) invalid flag set on HTTP/2 frame
* 121:2 (http2_inspect) HPACK integer value has leading zeros
- * 121:3 (http2_inspect) error in HPACK string value
+ * 121:3 (http2_inspect) HTTP/2 stream initiated with invalid stream
+ id
* 121:4 (http2_inspect) missing HTTP/2 continuation frame
* 121:5 (http2_inspect) unexpected HTTP/2 continuation frame
* 121:6 (http2_inspect) misformatted HTTP/2 traffic
* 121:8 (http2_inspect) HTTP/2 request missing required header
field
* 121:9 (http2_inspect) HTTP/2 response has no status code
- * 121:10 (http2_inspect) HTTP/2 invalid header field
+ * 121:10 (http2_inspect) HTTP/2 CONNECT request with scheme or path
* 121:11 (http2_inspect) error in HTTP/2 settings frame
* 121:12 (http2_inspect) unknown parameter in HTTP/2 settings frame
* 121:13 (http2_inspect) invalid HTTP/2 frame sequence
* 121:14 (http2_inspect) HTTP/2 dynamic table size limit exceeded
- * 121:15 (http2_inspect) invalid HTTP/2 start line
+ * 121:15 (http2_inspect) HTTP/2 push promise frame with invalid
+ promised stream id
* 121:16 (http2_inspect) HTTP/2 padding length is bigger than frame
data size
* 121:17 (http2_inspect) HTTP/2 pseudo-header after regular header
* 121:18 (http2_inspect) HTTP/2 pseudo-header in trailers
* 121:19 (http2_inspect) invalid HTTP/2 pseudo-header
* 121:20 (http2_inspect) HTTP/2 trailers without END_STREAM bit
- * 121:21 (http2_inspect) padding flag set on invalid HTTP/2 frame
- type
+ * 121:21 (http2_inspect) HTTP/2 push promise frame sent when
+ prohibited by receiver
* 121:22 (http2_inspect) padding flag set on HTTP/2 frame with zero
length
* 121:23 (http2_inspect) HTTP/2 push promise frame in c2s direction
time
* 121:26 (http2_inspect) invalid parameter value sent in HTTP/2
settings frame
- * 121:27 (http2_inspect) HTTP/2 push promise frame sent when
- prohibited by receiver
- * 121:28 (http2_inspect) HTTP/2 push promise frame with invalid
- promised stream id
- * 121:29 (http2_inspect) HTTP/2 stream initiated with invalid
- stream id
- * 121:30 (http2_inspect) invalid flag set on HTTP/2 frame
* 122:1 (port_scan) TCP portscan
* 122:2 (port_scan) TCP decoy portscan
* 122:3 (port_scan) TCP portsweep
* rna.delete_mac_host(mac): delete a MAC from rna’s MAC cache
* rna.delete_mac_host_proto(mac, proto): delete a protocol
associated with a MAC host
+ * rna.purge_data(): purge all host cache and mac cache data
* snort.show_plugins(): show available plugins
* snort.delete_inspector(inspector): delete an inspector from the
default policy