<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>116:450</strong> (decode) bad IP protocol\r
+<strong>116:150</strong> (decode) loopback IP\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:293</strong> (decode) two or more IP (v4 and/or v6) encapsulation layers present\r
+<strong>116:151</strong> (decode) same src/dst IP\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:459</strong> (decode) fragment with zero length\r
+<strong>116:293</strong> (decode) two or more IP (v4 and/or v6) encapsulation layers present\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:150</strong> (decode) loopback IP\r
+<strong>116:449</strong> (decode) unassigned/reserved IP protocol\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:151</strong> (decode) same src/dst IP\r
+<strong>116:450</strong> (decode) bad IP protocol\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:449</strong> (decode) unassigned/reserved IP protocol\r
+<strong>116:459</strong> (decode) fragment with zero length\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>ips.rules</strong>: snort rules and includes\r
+bool <strong>ips.obfuscate_pii</strong> = false: mask all but the last 4 characters of credit card and social security numbers\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>ips.obfuscate_pii</strong> = false: mask all but the last 4 characters of credit card and social security numbers\r
+string <strong>ips.rules</strong>: snort rules and includes (may contain states too)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>ips.states</strong>: snort rule states and includes (may contain rules too)\r
</p>\r
</li>\r
<li>\r
</li>\r
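Review bot: the revised `ips.rules` text ("may contain states too") and the new `ips.states` text ("may contain rules too") each say the other's content is accepted, which leaves unclear what distinguishes the two parameters and which one wins when a rule appears in `ips.rules` and also receives a state stub in `ips.states`. Suggest one sentence on intended use (rules in one, state stubs in the other) and one on precedence when both define the same gid:sid.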
<li>\r
<p>\r
-bool <strong>output.wide_hex_dump</strong> = false: output 20 bytes per lines instead of 16 when dumping buffers\r
+bool <strong>output.wide_hex_dump</strong> = true: output 20 bytes per lines instead of 16 when dumping buffers\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
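Review bot: the default of `output.wide_hex_dump` flips from false to true while the description is unchanged, so every existing hex dump goes from 16 to 20 bytes per line and anything that parses dumped buffers (log tooling, test fixtures) will see a different layout. If the flip is intentional, call it out in the change notes rather than only in the reference; if not, revert the default.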
<div class="sect2">\r
<h3 id="_rule_state">rule_state</h3>\r
-<div class="paragraph"><p>What: enable/disable and set actions for specific IPS rules</p></div>\r
+<div class="paragraph"><p>What: enable/disable and set actions for specific IPS rules; deprecated, use rule state stubs with enable instead</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-enum <strong><code>rule_state.$gid_sid[].action</code></strong> = inherit: apply action if rule matches or inherit from rule definition { log | pass | alert | drop | block | reset | react | reject | rewrite | inherit }\r
+enum <strong><code>rule_state.$gid_sid[].action</code></strong> = alert: apply action if rule matches or inherit from rule definition { log | pass | alert | drop | block | reset }\r
</p>\r
</li>\r
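Review bot: the help text for `rule_state.$gid_sid[].action` still reads "apply action if rule matches or inherit from rule definition", but `inherit` (together with `react`, `reject` and `rewrite`) has been removed from the enum and the default is now `alert`. Either drop the inherit wording or restore the value; as written, an existing `rule_state` entry that omitted `action` previously inherited the rule's own action and would now default to `alert`, which downgrades a rule whose own action was `drop` or `block`. Since the module is marked deprecated in the same hunk, a sentence on what happens to existing entries during the deprecation period would help.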
<li>\r
bool <strong>search_engine.split_any_any</strong> = true: evaluate any-any rules separately to save memory\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+int <strong>search_engine.queue_limit</strong> = 128: maximum number of fast pattern matches to queue per packet (0 means no maximum) { 0:max32 }\r
+</p>\r
+</li>\r
</ul></div>\r
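Review bot: `search_engine.queue_limit` introduces a per-packet cap of 128 fast pattern matches, but the text does not say what happens to matches beyond the cap; the new `search_engine.total_overruns` peg ("fast pattern matches discarded due to overflow") indicates they are discarded. Suggest saying so here, and that operators who see `total_overruns` climbing on packets with many candidate rules should raise the limit or set 0 (no maximum) rather than assume every fast pattern hit was evaluated.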
<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
</li>\r
<li>\r
<p>\r
-<strong>search_engine.total_flushed</strong>: fast pattern matches discarded due to overflow (sum)\r
+<strong>search_engine.total_flushed</strong>: total fast pattern matches processed (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>search_engine.total_overruns</strong>: fast pattern matches discarded due to overflow (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>search_engine.total_unique</strong>: total unique fast pattern hits (sum)\r
</p>\r
</li>\r
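Review bot: `search_engine.total_flushed` keeps its name but changes meaning from "fast pattern matches discarded due to overflow" to "total fast pattern matches processed", with the old meaning moving to the new `search_engine.total_overruns`. Reusing an existing peg name for a different quantity breaks any dashboard or alert built on the old counter without producing an error; suggest noting the semantic change in the release notes, or retiring the old name instead of redefining it.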
</li>\r
<li>\r
<p>\r
+int <strong>snort.--pause-after-n</strong>: <count> pause after count packets { 1:max53 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>snort.--pcap-file</strong>: <file> file that contains a list of pcaps to read - read mode is implied\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+implied <strong>snort.--piglet</strong>: enable piglet test harness mode\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>snort.--plugin-path</strong>: <path> where to find plugins\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+string <strong>snort.--catch-test</strong>: comma separated list of cat unit test tags or <em>all</em>\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>snort.--version</strong>: show version number (same as -V)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>116:426</strong> (icmp4) truncated ICMP4 header\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>116:434</strong> (icmp4) ICMP ping Nmap\r
</p>\r
</li>\r
<strong>116:452</strong> (icmp4) Linux ICMP header DOS attempt\r
</p>\r
</li>\r
-<li>\r
-<p>\r
-<strong>116:426</strong> (icmp4) truncated ICMP4 header\r
-</p>\r
-</li>\r
</ul></div>\r
<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>116:427</strong> (icmp6) truncated ICMPv6 header\r
+<strong>116:285</strong> (icmp6) ICMPv6 packet of type 2 (message too big) with MTU field < 1280\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:431</strong> (icmp6) ICMPv6 type not decoded\r
+<strong>116:286</strong> (icmp6) ICMPv6 packet of type 1 (destination unreachable) with non-RFC 2463 code\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:432</strong> (icmp6) ICMPv6 packet to multicast address\r
+<strong>116:287</strong> (icmp6) ICMPv6 router solicitation packet with a code not equal to 0\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:285</strong> (icmp6) ICMPv6 packet of type 2 (message too big) with MTU field < 1280\r
+<strong>116:288</strong> (icmp6) ICMPv6 router advertisement packet with a code not equal to 0\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:286</strong> (icmp6) ICMPv6 packet of type 1 (destination unreachable) with non-RFC 2463 code\r
+<strong>116:289</strong> (icmp6) ICMPv6 router solicitation packet with the reserved field not equal to 0\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:287</strong> (icmp6) ICMPv6 router solicitation packet with a code not equal to 0\r
+<strong>116:290</strong> (icmp6) ICMPv6 router advertisement packet with the reachable time field set > 1 hour\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:288</strong> (icmp6) ICMPv6 router advertisement packet with a code not equal to 0\r
+<strong>116:427</strong> (icmp6) truncated ICMPv6 header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:289</strong> (icmp6) ICMPv6 router solicitation packet with the reserved field not equal to 0\r
+<strong>116:431</strong> (icmp6) ICMPv6 type not decoded\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:290</strong> (icmp6) ICMPv6 router advertisement packet with the reachable time field set > 1 hour\r
+<strong>116:432</strong> (icmp6) ICMPv6 packet to multicast address\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>116:428</strong> (ipv4) IPv4 packet below TTL limit\r
+<strong>116:425</strong> (ipv4) truncated IPv4 header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:430</strong> (ipv4) IPv4 packet both DF and offset set\r
+<strong>116:428</strong> (ipv4) IPv4 packet below TTL limit\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:448</strong> (ipv4) IPv4 reserved bit set\r
+<strong>116:430</strong> (ipv4) IPv4 packet both DF and offset set\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>116:425</strong> (ipv4) truncated IPv4 header\r
+<strong>116:448</strong> (ipv4) IPv4 reserved bit set\r
</p>\r
</li>\r
</ul></div>\r
</li>\r
<li>\r
<p>\r
-<strong>116:292</strong> (ipv6) IPv6 header has destination options followed by a routing header\r
+<strong>116:291</strong> (ipv6) IPV6 tunneled over IPv4, IPv6 header truncated, possible Linux kernel attack\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:291</strong> (ipv6) IPV6 tunneled over IPv4, IPv6 header truncated, possible Linux kernel attack\r
+<strong>116:292</strong> (ipv6) IPv6 header has destination options followed by a routing header\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>116:458</strong> (ipv6) bogus fragmentation packet, possible BSD attack\r
+<strong>116:456</strong> (ipv6) too many IPv6 extension headers\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:461</strong> (ipv6) IPv6 routing type 0 extension header\r
+<strong>116:458</strong> (ipv6) bogus fragmentation packet, possible BSD attack\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:456</strong> (ipv6) too many IPv6 extension headers\r
+<strong>116:461</strong> (ipv6) IPv6 routing type 0 extension header\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>116:419</strong> (tcp) TCP urgent pointer exceeds payload length or no payload\r
+<strong>116:402</strong> (tcp) DOS NAPTHA vulnerability detected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:420</strong> (tcp) TCP SYN with FIN\r
+<strong>116:403</strong> (tcp) SYN to multicast address\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:421</strong> (tcp) TCP SYN with RST\r
+<strong>116:419</strong> (tcp) TCP urgent pointer exceeds payload length or no payload\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:422</strong> (tcp) TCP PDU missing ack for established session\r
+<strong>116:420</strong> (tcp) TCP SYN with FIN\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:423</strong> (tcp) TCP has no SYN, ACK, or RST\r
+<strong>116:421</strong> (tcp) TCP SYN with RST\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:433</strong> (tcp) DDOS shaft SYN flood\r
+<strong>116:422</strong> (tcp) TCP PDU missing ack for established session\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:446</strong> (tcp) TCP port 0 traffic\r
+<strong>116:423</strong> (tcp) TCP has no SYN, ACK, or RST\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:402</strong> (tcp) DOS NAPTHA vulnerability detected\r
+<strong>116:433</strong> (tcp) DDOS shaft SYN flood\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:403</strong> (tcp) SYN to multicast address\r
+<strong>116:446</strong> (tcp) TCP port 0 traffic\r
</p>\r
</li>\r
</ul></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
+int <strong>appid.first_decrypted_packet_debug</strong> = 0: the first packet of an already decrypted SSL flow (debug single session only) { 0:max32 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>appid.memcap</strong> = 1048576: max size of the service cache before we start pruning the cache { 1024:maxSZ }\r
</p>\r
</li>\r
<div class="paragraph"><p>What: HTTP/2 inspector</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
<div class="paragraph"><p>Usage: inspect</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+bool <strong>http2_inspect.test_input</strong> = false: read HTTP/2 messages from text file\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>http2_inspect.test_output</strong> = false: print out HTTP section data\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>http2_inspect.print_amount</strong> = 1200: number of characters to print from a Field { 1:max53 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>http2_inspect.print_hex</strong> = false: nonprinting characters printed in [HH] format instead of using an asterisk\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>http2_inspect.show_pegs</strong> = true: display peg counts with test output\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>http2_inspect.show_scan</strong> = false: display scanned segments\r
+</p>\r
+</li>\r
+</ul></div>\r
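Review bot: the new http2_inspect Configuration block consists only of test and debug knobs (`test_input`, `test_output`, `print_amount`, `print_hex`, `show_pegs`, `show_scan`); the `show_pegs` text ("display peg counts with test output") implies that `show_pegs`, `show_scan` and the `print_*` options do nothing unless `test_output` is set, and `test_input` reading HTTP/2 messages from a text file is not a setting for a sensor inspecting live traffic. Suggest a lead sentence marking these as developer/test options and stating the dependency on `test_output`, so they are not mistaken for inspection tuning.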
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
bool <strong>http_inspect.simplify_path</strong> = true: reduce URI directory path to simplest form\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+bool <strong>http_inspect.test_input</strong> = false: read HTTP messages from text file\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>http_inspect.test_output</strong> = false: print out HTTP section data\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>http_inspect.print_amount</strong> = 1200: number of characters to print from a Field { 1:max53 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>http_inspect.print_hex</strong> = false: nonprinting characters printed in [HH] format instead of using an asterisk\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>http_inspect.show_pegs</strong> = true: display peg counts with test output\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>http_inspect.show_scan</strong> = false: display scanned segments\r
+</p>\r
+</li>\r
</ul></div>\r
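Review bot: the `http_inspect.test_input`/`test_output`/`print_*`/`show_*` additions are the same test-harness options as in the http2_inspect block and are appended directly after a production setting (`simplify_path`) with nothing to distinguish them; suggest the same developer-only marking. In addition, `print_amount = 1200 { 1:max53 }` says it limits "characters to print from a Field" without saying which fields are meant, which is opaque to a reader of the reference.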
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
+<h3 id="_enable">enable</h3>\r
+<div class="paragraph"><p>What: stub rule option to enable or disable full rule</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+enum <strong>enable.~enable</strong> = yes: enable or disable rule in current ips policy or use default defined by ips policy { no | yes | inherit }\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
<h3 id="_file_data">file_data</h3>\r
<div class="paragraph"><p>What: rule option to set detection cursor to file data</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
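Review bot: the new `enable` section is what the deprecated `rule_state` module now points to ("use rule state stubs with enable instead"), yet it neither shows what a state stub looks like nor says how `enable.~enable` interacts with the still-present `rule_state.$gid_sid[].enable = inherit` when both are configured for the same gid:sid during the deprecation period. Suggest an example stub and a precedence statement; also note that `enable.~enable` defaults to `yes` while the rule_state counterpart defaults to `inherit`, so the two mechanisms differ when the value is omitted.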
</li>\r
<li>\r
<p>\r
+<strong>--print-binding-order</strong>\r
+ Print sorting priority used when generating binder table\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>--print-differences</strong> Same as <em>-d</em>. output the differences, and only the\r
differences, between the Snort and Snort++ configurations to\r
the <out_file>\r
</li>\r
<li>\r
<p>\r
+<strong>--pause-after-n</strong> <count> pause after count packets (1:max53)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>--pcap-file</strong> <file> file that contains a list of pcaps to read - read mode is implied\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>--piglet</strong> enable piglet test harness mode\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>--plugin-path</strong> <path> where to find plugins\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>--catch-test</strong> comma separated list of cat unit test tags or <em>all</em>\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>--version</strong> show version number (same as -V)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+int <strong>appid.first_decrypted_packet_debug</strong> = 0: the first packet of an already decrypted SSL flow (debug single session only) { 0:max32 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>appid.instance_id</strong> = 0: instance id - ignored { 0:max32 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+enum <strong>enable.~enable</strong> = yes: enable or disable rule in current ips policy or use default defined by ips policy { no | yes | inherit }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
bool <strong>esp.decode_esp</strong> = false: enable for inspection of esp traffic that has authentication but not encryption\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+int <strong>http2_inspect.print_amount</strong> = 1200: number of characters to print from a Field { 1:max53 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>http2_inspect.print_hex</strong> = false: nonprinting characters printed in [HH] format instead of using an asterisk\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>http2_inspect.show_pegs</strong> = true: display peg counts with test output\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>http2_inspect.show_scan</strong> = false: display scanned segments\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>http2_inspect.test_input</strong> = false: read HTTP/2 messages from text file\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>http2_inspect.test_output</strong> = false: print out HTTP section data\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>http_cookie.request</strong>: match against the cookie from the request message even when examining the response\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+int <strong>http_inspect.print_amount</strong> = 1200: number of characters to print from a Field { 1:max53 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>http_inspect.print_hex</strong> = false: nonprinting characters printed in [HH] format instead of using an asterisk\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>http_inspect.request_depth</strong> = -1: maximum request message body bytes to examine (-1 no limit) { -1:max53 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>http_inspect.show_pegs</strong> = true: display peg counts with test output\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>http_inspect.show_scan</strong> = false: display scanned segments\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
bool <strong>http_inspect.simplify_path</strong> = true: reduce URI directory path to simplest form\r
</p>\r
</li>\r
<li>\r
<p>\r
+bool <strong>http_inspect.test_input</strong> = false: read HTTP messages from text file\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>http_inspect.test_output</strong> = false: print out HTTP section data\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
bool <strong>http_inspect.unzip</strong> = true: decompress gzip and deflate message bodies\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-string <strong>ips.rules</strong>: snort rules and includes\r
+string <strong>ips.rules</strong>: snort rules and includes (may contain states too)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>ips.states</strong>: snort rule states and includes (may contain rules too)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>output.wide_hex_dump</strong> = false: output 20 bytes per lines instead of 16 when dumping buffers\r
+bool <strong>output.wide_hex_dump</strong> = true: output 20 bytes per lines instead of 16 when dumping buffers\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-enum <strong><code>rule_state.$gid_sid[].action</code></strong> = inherit: apply action if rule matches or inherit from rule definition { log | pass | alert | drop | block | reset | react | reject | rewrite | inherit }\r
+enum <strong><code>rule_state.$gid_sid[].action</code></strong> = alert: apply action if rule matches or inherit from rule definition { log | pass | alert | drop | block | reset }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+int <strong>search_engine.queue_limit</strong> = 128: maximum number of fast pattern matches to queue per packet (0 means no maximum) { 0:max32 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
dynamic <strong>search_engine.search_method</strong> = ac_bnfa: set fast pattern algorithm - choose available search engine { ac_banded | ac_bnfa | ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan | lowmem }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+string <strong>snort.--catch-test</strong>: comma separated list of cat unit test tags or <em>all</em>\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>snort.-c</strong>: <conf> use this configuration\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+int <strong>snort.--pause-after-n</strong>: <count> pause after count packets { 1:max53 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>snort.--pause</strong>: wait for resume/quit command before processing packets/terminating\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+implied <strong>snort.--piglet</strong>: enable piglet test harness mode\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>snort.--plugin-path</strong>: <path> where to find plugins\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>search_engine.total_flushed</strong>: fast pattern matches discarded due to overflow (sum)\r
+<strong>search_engine.total_flushed</strong>: total fast pattern matches processed (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>search_engine.total_overruns</strong>: fast pattern matches discarded due to overflow (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>search_engine.total_unique</strong>: total unique fast pattern hits (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>enable</strong> (ips_option): stub rule option to enable or disable full rule\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>erspan2</strong> (codec): support for encapsulated remote switched port analyzer - type 2\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>rule_state</strong> (basic): enable/disable and set actions for specific IPS rules\r
+<strong>rule_state</strong> (basic): enable/disable and set actions for specific IPS rules; deprecated, use rule state stubs with enable instead\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>ips_option::enable</strong>: stub rule option to enable or disable full rule\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>ips_option::file_data</strong>: rule option to set detection cursor to file data\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>piglet::pp_codec</strong>: Codec piglet\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>piglet::pp_inspector</strong>: Inspector piglet\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>piglet::pp_ips_action</strong>: Ips action piglet\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>piglet::pp_ips_option</strong>: Ips option piglet\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>piglet::pp_logger</strong>: Logger piglet\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>piglet::pp_search_engine</strong>: Search engine piglet\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>piglet::pp_so_rule</strong>: SO rule piglet\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>piglet::pp_test</strong>: Test piglet\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>search_engine::ac_banded</strong>: Aho-Corasick Banded (high memory, moderate performance)\r
</p>\r
</li>\r
<div id="footer">\r
<div id="footer-text">\r
Last updated\r
- 2019-10-09 08:46:08 EDT\r
+ 2019-10-31 02:50:11 EDT\r
</div>\r
</div>\r
</body>\r
11.21. dnp3_ind
11.22. dnp3_obj
11.23. dsize
- 11.24. file_data
- 11.25. file_type
- 11.26. flags
- 11.27. flow
- 11.28. flowbits
- 11.29. fragbits
- 11.30. fragoffset
- 11.31. gid
- 11.32. gtp_info
- 11.33. gtp_type
- 11.34. gtp_version
- 11.35. http2_decoded_header
- 11.36. http2_frame_data
- 11.37. http2_frame_header
- 11.38. http_client_body
- 11.39. http_cookie
- 11.40. http_header
- 11.41. http_method
- 11.42. http_raw_body
- 11.43. http_raw_cookie
- 11.44. http_raw_header
- 11.45. http_raw_request
- 11.46. http_raw_status
- 11.47. http_raw_trailer
- 11.48. http_raw_uri
- 11.49. http_stat_code
- 11.50. http_stat_msg
- 11.51. http_trailer
- 11.52. http_true_ip
- 11.53. http_uri
- 11.54. http_version
- 11.55. icmp_id
- 11.56. icmp_seq
- 11.57. icode
- 11.58. id
- 11.59. ip_proto
- 11.60. ipopts
- 11.61. isdataat
- 11.62. itype
- 11.63. md5
- 11.64. metadata
- 11.65. modbus_data
- 11.66. modbus_func
- 11.67. modbus_unit
- 11.68. msg
- 11.69. mss
- 11.70. pcre
- 11.71. pkt_data
- 11.72. pkt_num
- 11.73. priority
- 11.74. raw_data
- 11.75. reference
- 11.76. regex
- 11.77. rem
- 11.78. replace
- 11.79. rev
- 11.80. rpc
- 11.81. sd_pattern
- 11.82. seq
- 11.83. service
- 11.84. session
- 11.85. sha256
- 11.86. sha512
- 11.87. sid
- 11.88. sip_body
- 11.89. sip_header
- 11.90. sip_method
- 11.91. sip_stat_code
- 11.92. so
- 11.93. soid
- 11.94. ssl_state
- 11.95. ssl_version
- 11.96. stream_reassemble
- 11.97. stream_size
- 11.98. tag
- 11.99. target
- 11.100. tos
- 11.101. ttl
- 11.102. urg
- 11.103. window
- 11.104. wscale
+ 11.24. enable
+ 11.25. file_data
+ 11.26. file_type
+ 11.27. flags
+ 11.28. flow
+ 11.29. flowbits
+ 11.30. fragbits
+ 11.31. fragoffset
+ 11.32. gid
+ 11.33. gtp_info
+ 11.34. gtp_type
+ 11.35. gtp_version
+ 11.36. http2_decoded_header
+ 11.37. http2_frame_data
+ 11.38. http2_frame_header
+ 11.39. http_client_body
+ 11.40. http_cookie
+ 11.41. http_header
+ 11.42. http_method
+ 11.43. http_raw_body
+ 11.44. http_raw_cookie
+ 11.45. http_raw_header
+ 11.46. http_raw_request
+ 11.47. http_raw_status
+ 11.48. http_raw_trailer
+ 11.49. http_raw_uri
+ 11.50. http_stat_code
+ 11.51. http_stat_msg
+ 11.52. http_trailer
+ 11.53. http_true_ip
+ 11.54. http_uri
+ 11.55. http_version
+ 11.56. icmp_id
+ 11.57. icmp_seq
+ 11.58. icode
+ 11.59. id
+ 11.60. ip_proto
+ 11.61. ipopts
+ 11.62. isdataat
+ 11.63. itype
+ 11.64. md5
+ 11.65. metadata
+ 11.66. modbus_data
+ 11.67. modbus_func
+ 11.68. modbus_unit
+ 11.69. msg
+ 11.70. mss
+ 11.71. pcre
+ 11.72. pkt_data
+ 11.73. pkt_num
+ 11.74. priority
+ 11.75. raw_data
+ 11.76. reference
+ 11.77. regex
+ 11.78. rem
+ 11.79. replace
+ 11.80. rev
+ 11.81. rpc
+ 11.82. sd_pattern
+ 11.83. seq
+ 11.84. service
+ 11.85. session
+ 11.86. sha256
+ 11.87. sha512
+ 11.88. sid
+ 11.89. sip_body
+ 11.90. sip_header
+ 11.91. sip_method
+ 11.92. sip_stat_code
+ 11.93. so
+ 11.94. soid
+ 11.95. ssl_state
+ 11.96. ssl_version
+ 11.97. stream_reassemble
+ 11.98. stream_size
+ 11.99. tag
+ 11.100. target
+ 11.101. tos
+ 11.102. ttl
+ 11.103. urg
+ 11.104. window
+ 11.105. wscale
12. Search Engine Modules
13. SO Rule Modules
Rules:
- * 116:450 (decode) bad IP protocol
- * 116:293 (decode) two or more IP (v4 and/or v6) encapsulation
- layers present
- * 116:459 (decode) fragment with zero length
* 116:150 (decode) loopback IP
* 116:151 (decode) same src/dst IP
+ * 116:293 (decode) two or more IP (v4 and/or v6) encapsulation
+ layers present
* 116:449 (decode) unassigned/reserved IP protocol
+ * 116:450 (decode) bad IP protocol
+ * 116:459 (decode) fragment with zero length
* 116:472 (decode) too many protocols present
* 116:473 (decode) ether type out of range
* string ips.includer: for internal use; where includes are
included from { (optional) }
* enum ips.mode: set policy mode { tap | inline | inline-test }
- * string ips.rules: snort rules and includes
* bool ips.obfuscate_pii = false: mask all but the last 4
characters of credit card and social security numbers
+ * string ips.rules: snort rules and includes (may contain states
+ too)
+ * string ips.states: snort rule states and includes (may contain
+ rules too)
* string ips.uuid = 00000000-0000-0000-0000-000000000000: IPS
policy uuid
* bool output.verbose = false: be verbose (same as -v)
* bool output.obfuscate = false: obfuscate the logged IP addresses
(same as -O)
- * bool output.wide_hex_dump = false: output 20 bytes per lines
+ * bool output.wide_hex_dump = true: output 20 bytes per lines
instead of 16 when dumping buffers
--------------
-What: enable/disable and set actions for specific IPS rules
+What: enable/disable and set actions for specific IPS rules;
+deprecated, use rule state stubs with enable instead
Type: basic
Configuration:
- * enum rule_state.$gid_sid[].action = inherit: apply action if rule
+ * enum rule_state.$gid_sid[].action = alert: apply action if rule
matches or inherit from rule definition { log | pass | alert |
- drop | block | reset | react | reject | rewrite | inherit }
+ drop | block | reset }
* enum rule_state.$gid_sid[].enable = inherit: enable or disable
rule in current ips policy or use default defined by ips policy {
no | yes | inherit }
info for each rule
* bool search_engine.split_any_any = true: evaluate any-any rules
separately to save memory
+ * int search_engine.queue_limit = 128: maximum number of fast
+ pattern matches to queue per packet (0 means no maximum) {
+ 0:max32 }
Peg counts:
* search_engine.max_queued: maximum fast pattern matches queued for
further evaluation (sum)
- * search_engine.total_flushed: fast pattern matches discarded due
- to overflow (sum)
+ * search_engine.total_flushed: total fast pattern matches processed
+ (sum)
* search_engine.total_inserts: total fast pattern hits (sum)
+ * search_engine.total_overruns: fast pattern matches discarded due
+ to overflow (sum)
* search_engine.total_unique: total unique fast pattern hits (sum)
* search_engine.non_qualified_events: total non-qualified events
(sum)
* implied snort.--nolock-pidfile: do not try to lock Snort PID file
* implied snort.--pause: wait for resume/quit command before
processing packets/terminating
+ * int snort.--pause-after-n: <count> pause after count packets {
+ 1:max53 }
* string snort.--pcap-file: <file> file that contains a list of
pcaps to read - read mode is implied
* string snort.--pcap-list: <list> a space separated list of pcaps
* implied snort.--pcap-show: print a line saying what pcap is
currently being read
* implied snort.--pedantic: warnings are fatal
+ * implied snort.--piglet: enable piglet test harness mode
* string snort.--plugin-path: <path> where to find plugins
* implied snort.--process-all-events: process all action groups
* string snort.--rule: <rules> to be added to configuration; may be
* implied snort.--treat-drop-as-ignore: use drop, block, and reset
rules to ignore session traffic when not inline
* string snort.--tweaks: tune configuration
+ * string snort.--catch-test: comma separated list of cat unit test
+ tags or all
* implied snort.--version: show version number (same as -V)
* implied snort.--warn-all: enable all warnings
* implied snort.--warn-conf: warn about configuration issues
* 116:415 (icmp4) ICMP4 packet to multicast dest address
* 116:416 (icmp4) ICMP4 packet to broadcast dest address
* 116:418 (icmp4) ICMP4 type other
+ * 116:426 (icmp4) truncated ICMP4 header
* 116:434 (icmp4) ICMP ping Nmap
* 116:435 (icmp4) ICMP icmpenum v1.1.1
* 116:436 (icmp4) ICMP redirect host
destination network is administratively prohibited
* 116:451 (icmp4) ICMP path MTU denial of service attempt
* 116:452 (icmp4) Linux ICMP header DOS attempt
- * 116:426 (icmp4) truncated ICMP4 header
Peg counts:
Rules:
- * 116:427 (icmp6) truncated ICMPv6 header
- * 116:431 (icmp6) ICMPv6 type not decoded
- * 116:432 (icmp6) ICMPv6 packet to multicast address
* 116:285 (icmp6) ICMPv6 packet of type 2 (message too big) with
MTU field < 1280
* 116:286 (icmp6) ICMPv6 packet of type 1 (destination unreachable)
reserved field not equal to 0
* 116:290 (icmp6) ICMPv6 router advertisement packet with the
reachable time field set > 1 hour
+ * 116:427 (icmp6) truncated ICMPv6 header
+ * 116:431 (icmp6) ICMPv6 type not decoded
+ * 116:432 (icmp6) ICMPv6 packet to multicast address
* 116:457 (icmp6) ICMPv6 packet of type 1 (destination unreachable)
with non-RFC 4443 code
* 116:460 (icmp6) ICMPv6 node info query/response packet with a
* 116:412 (ipv4) IPv4 packet to reserved dest address
* 116:413 (ipv4) IPv4 packet from broadcast source address
* 116:414 (ipv4) IPv4 packet to broadcast dest address
+ * 116:425 (ipv4) truncated IPv4 header
* 116:428 (ipv4) IPv4 packet below TTL limit
* 116:430 (ipv4) IPv4 packet both DF and offset set
- * 116:448 (ipv4) IPv4 reserved bit set
* 116:444 (ipv4) IPv4 option set
- * 116:425 (ipv4) truncated IPv4 header
+ * 116:448 (ipv4) IPv4 reserved bit set
Peg counts:
* 116:282 (ipv6) IPv6 header includes a routing extension header
followed by a hop-by-hop header
* 116:283 (ipv6) IPv6 header includes two routing extension headers
- * 116:292 (ipv6) IPv6 header has destination options followed by a
- routing header
* 116:291 (ipv6) IPV6 tunneled over IPv4, IPv6 header truncated,
possible Linux kernel attack
+ * 116:292 (ipv6) IPv6 header has destination options followed by a
+ routing header
* 116:295 (ipv6) IPv6 header includes an option which is too big
for the containing header
* 116:296 (ipv6) IPv6 packet includes out-of-order extension
headers
* 116:429 (ipv6) IPv6 packet has zero hop limit
* 116:453 (ipv6) ISATAP-addressed IPv6 traffic spoofing attempt
+ * 116:456 (ipv6) too many IPv6 extension headers
* 116:458 (ipv6) bogus fragmentation packet, possible BSD attack
* 116:461 (ipv6) IPv6 routing type 0 extension header
- * 116:456 (ipv6) too many IPv6 extension headers
* 116:475 (ipv6) IPv6 mobility header includes an invalid value for
the payload protocol field
* 116:59 (tcp) TCP window scale option found with length > 14
* 116:400 (tcp) XMAS attack detected
* 116:401 (tcp) Nmap XMAS attack detected
+ * 116:402 (tcp) DOS NAPTHA vulnerability detected
+ * 116:403 (tcp) SYN to multicast address
* 116:419 (tcp) TCP urgent pointer exceeds payload length or no
payload
* 116:420 (tcp) TCP SYN with FIN
* 116:423 (tcp) TCP has no SYN, ACK, or RST
* 116:433 (tcp) DDOS shaft SYN flood
* 116:446 (tcp) TCP port 0 traffic
- * 116:402 (tcp) DOS NAPTHA vulnerability detected
- * 116:403 (tcp) SYN to multicast address
Peg counts:
Configuration:
+ * int appid.first_decrypted_packet_debug = 0: the first packet of
+ an already decrypted SSL flow (debug single session only) {
+ 0:max32 }
* int appid.memcap = 1048576: max size of the service cache before
we start pruning the cache { 1024:maxSZ }
* bool appid.log_stats = false: enable logging of appid statistics
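Review bot: the new appid.first_decrypted_packet_debug entry never says what the integer denotes or what the default of 0 does. The range is { 0:max32 } and the text says "(debug single session only)", so a reader cannot tell whether the value is a packet number within the flow and whether 0 turns the debug off; the description should state both, and since this is a single-session debugging knob it would be worth saying so explicitly rather than leaving it to sit between memcap and log_stats as if it were a tuning parameter.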
Usage: inspect
+Configuration:
+
+ * bool http2_inspect.test_input = false: read HTTP/2 messages from
+ text file
+ * bool http2_inspect.test_output = false: print out HTTP section
+ data
+ * int http2_inspect.print_amount = 1200: number of characters to
+ print from a Field { 1:max53 }
+ * bool http2_inspect.print_hex = false: nonprinting characters
+ printed in [HH] format instead of using an asterisk
+ * bool http2_inspect.show_pegs = true: display peg counts with test
+ output
+ * bool http2_inspect.show_scan = false: display scanned segments
+
Rules:
* 121:1 (http2_inspect) error in HPACK integer value
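Review bot: the added http2_inspect Configuration block is not in alphabetical order (test_input and test_output come first, then print_amount, print_hex, show_pegs, show_scan), whereas the parallel http_inspect block and the option index later in this diff list the same six parameters alphabetically; reorder to match. Also, show_pegs defaults to true but is described only as "display peg counts with test output", so the description should make clear that it has no effect unless test_output is also enabled.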
normalizing URIs
* bool http_inspect.simplify_path = true: reduce URI directory path
to simplest form
+ * bool http_inspect.test_input = false: read HTTP messages from
+ text file
+ * bool http_inspect.test_output = false: print out HTTP section
+ data
+ * int http_inspect.print_amount = 1200: number of characters to
+ print from a Field { 1:max53 }
+ * bool http_inspect.print_hex = false: nonprinting characters
+ printed in [HH] format instead of using an asterisk
+ * bool http_inspect.show_pegs = true: display peg counts with test
+ output
+ * bool http_inspect.show_scan = false: display scanned segments
Rules:
given range { 0:65535 }
-11.24. file_data
+11.24. enable
+
+--------------
+
+What: stub rule option to enable or disable full rule
+
+Type: ips_option
+
+Usage: detect
+
+Configuration:
+
+ * enum enable.~enable = yes: enable or disable rule in current ips
+ policy or use default defined by ips policy { no | yes | inherit
+ }
+
+
+11.25. file_data
--------------
Usage: detect
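Review bot: the new 11.24 enable section describes the option as a "stub rule option to enable or disable full rule" but nowhere defines what a stub rule is or where it lives; since ips.states elsewhere in this diff is described as "snort rule states and includes", a sentence here saying that a stub is a rule in ips.states that names an existing full rule by gid:sid and carries only enable would save readers a search. Minor style point: there are two blank lines before "11.25. file_data" where the other sections use one.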
-11.25. file_type
+11.26. file_type
--------------
* string file_type.~: list of file type IDs to match
-11.26. flags
+11.27. flags
--------------
* string flags.~mask_flags: these flags are don’t cares
-11.27. flow
+11.28. flow
--------------
* implied flow.only_frag: match on defragmented packets only
-11.28. flowbits
+11.29. flowbits
--------------
* string flowbits.~arg2: group if arg1 is bits
-11.29. fragbits
+11.30. fragbits
--------------
* string fragbits.~flags: these flags are tested
-11.30. fragoffset
+11.31. fragoffset
--------------
given range { 0:8192 }
-11.31. gid
+11.32. gid
--------------
* int gid.~: generator id { 1:max32 }
-11.32. gtp_info
+11.33. gtp_info
--------------
* string gtp_info.~: info element to match
-11.33. gtp_type
+11.34. gtp_type
--------------
* string gtp_type.~: list of types to match
-11.34. gtp_version
+11.35. gtp_version
--------------
* int gtp_version.~: version to match { 0:2 }
-11.35. http2_decoded_header
+11.36. http2_decoded_header
--------------
Usage: detect
-11.36. http2_frame_data
+11.37. http2_frame_data
--------------
Usage: detect
-11.37. http2_frame_header
+11.38. http2_frame_header
--------------
Usage: detect
-11.38. http_client_body
+11.39. http_client_body
--------------
Usage: detect
-11.39. http_cookie
+11.40. http_cookie
--------------
message trailers
-11.40. http_header
+11.41. http_header
--------------
message trailers
-11.41. http_method
+11.42. http_method
--------------
message trailers
-11.42. http_raw_body
+11.43. http_raw_body
--------------
Usage: detect
-11.43. http_raw_cookie
+11.44. http_raw_cookie
--------------
HTTP message trailers
-11.44. http_raw_header
+11.45. http_raw_header
--------------
HTTP message trailers
-11.45. http_raw_request
+11.46. http_raw_request
--------------
HTTP message trailers
-11.46. http_raw_status
+11.47. http_raw_status
--------------
HTTP message trailers
-11.47. http_raw_trailer
+11.48. http_raw_trailer
--------------
HTTP response message body (must be combined with request)
-11.48. http_raw_uri
+11.49. http_raw_uri
--------------
URI only
-11.49. http_stat_code
+11.50. http_stat_code
--------------
HTTP message trailers
-11.50. http_stat_msg
+11.51. http_stat_msg
--------------
HTTP message trailers
-11.51. http_trailer
+11.52. http_trailer
--------------
message body (must be combined with request)
-11.52. http_true_ip
+11.53. http_true_ip
--------------
HTTP message trailers
-11.53. http_uri
+11.54. http_uri
--------------
only
-11.54. http_version
+11.55. http_version
--------------
HTTP message trailers
-11.55. icmp_id
+11.56. icmp_id
--------------
0:65535 }
-11.56. icmp_seq
+11.57. icmp_seq
--------------
given range { 0:65535 }
-11.57. icode
+11.58. icode
--------------
0:255 }
-11.58. id
+11.59. id
--------------
}
-11.59. ip_proto
+11.60. ip_proto
--------------
* string ip_proto.~proto: [!|>|<] name or number
-11.60. ipopts
+11.61. ipopts
--------------
lsrre|ssrr|satid|any }
-11.61. isdataat
+11.62. isdataat
--------------
buffer
-11.62. itype
+11.63. itype
--------------
0:255 }
-11.63. md5
+11.64. md5
--------------
of buffer
-11.64. metadata
+11.65. metadata
--------------
pairs
-11.65. modbus_data
+11.66. modbus_data
--------------
Usage: detect
-11.66. modbus_func
+11.67. modbus_func
--------------
* string modbus_func.~: function code to match
-11.67. modbus_unit
+11.68. modbus_unit
--------------
* int modbus_unit.~: Modbus unit ID { 0:255 }
-11.68. msg
+11.69. msg
--------------
* string msg.~: message describing rule
-11.69. mss
+11.70. mss
--------------
}
-11.70. pcre
+11.71. pcre
--------------
* string pcre.~re: Snort regular expression
-11.71. pkt_data
+11.72. pkt_data
--------------
Usage: detect
-11.72. pkt_num
+11.73. pkt_num
--------------
{ 1: }
-11.73. priority
+11.74. priority
--------------
1:max31 }
-11.74. raw_data
+11.75. raw_data
--------------
Usage: detect
-11.75. reference
+11.76. reference
--------------
* string reference.~id: reference id
-11.76. regex
+11.77. regex
--------------
instead of start of buffer
-11.77. rem
+11.78. rem
--------------
* string rem.~: comment
-11.78. replace
+11.79. replace
--------------
* string replace.~: byte code to replace with
-11.79. rev
+11.80. rev
--------------
* int rev.~: revision { 1:max32 }
-11.80. rpc
+11.81. rpc
--------------
* string rpc.~proc: procedure number or * for any
-11.81. sd_pattern
+11.82. sd_pattern
--------------
* sd_pattern.terminated: hyperscan terminated (sum)
-11.82. seq
+11.83. seq
--------------
range { 0: }
-11.83. service
+11.84. service
--------------
* string service.*: one or more comma-separated service names
-11.84. session
+11.85. session
--------------
* enum session.~mode: output format { printable|binary|all }
-11.85. sha256
+11.86. sha256
--------------
start of buffer
-11.86. sha512
+11.87. sha512
--------------
start of buffer
-11.87. sid
+11.88. sid
--------------
* int sid.~: signature id { 1:max32 }
-11.88. sip_body
+11.89. sip_body
--------------
Usage: detect
-11.89. sip_header
+11.90. sip_header
--------------
Usage: detect
-11.90. sip_method
+11.91. sip_method
--------------
* string sip_method.*method: sip method
-11.91. sip_stat_code
+11.92. sip_stat_code
--------------
* int sip_stat_code.*code: status code { 1:999 }
-11.92. so
+11.93. so
--------------
buffer
-11.93. soid
+11.94. soid
--------------
like 3_45678_9
-11.94. ssl_state
+11.95. ssl_state
--------------
unknown
-11.95. ssl_version
+11.96. ssl_version
--------------
tls1.2
-11.96. stream_reassemble
+11.97. stream_reassemble
--------------
remainder of the session
-11.97. stream_size
+11.98. stream_size
--------------
direction(s) { either|to_server|to_client|both }
-11.98. tag
+11.99. tag
--------------
* int tag.bytes: tag for this many bytes { 1:max32 }
-11.99. target
+11.100. target
--------------
dst_ip }
-11.100. tos
+11.101. tos
--------------
* interval tos.~range: check if IP TOS is in given range { 0:255 }
-11.101. ttl
+11.102. ttl
--------------
0:255 }
-11.102. urg
+11.103. urg
--------------
{ 0:65535 }
-11.103. window
+11.104. window
--------------
range { 0:65535 }
-11.104. wscale
+11.105. wscale
--------------
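Review bot: inserting 11.24 renumbers every following section from file_data (now 11.25) through wscale (now 11.105); that is a mechanical consequence of the insert, but please confirm that any cross-references or anchors elsewhere in the manual that cite these sections by number were regenerated in the same change, otherwise they now point one section off.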
* --output-file=<out_file> Same as -o. output the new Snort++ lua
configuration to <out_file>
* --print-all Same as -a. default option. print all data
+ * --print-binding-order Print sorting priority used when generating
+ binder table
* --print-differences Same as -d. output the differences, and only
the differences, between the Snort and Snort++ configurations to
the <out_file>
* --nolock-pidfile do not try to lock Snort PID file
* --pause wait for resume/quit command before processing packets/
terminating
+ * --pause-after-n <count> pause after count packets (1:max53)
* --pcap-file <file> file that contains a list of pcaps to read -
read mode is implied
* --pcap-list <list> a space separated list of pcaps to read - read
between pcaps
* --pcap-show print a line saying what pcap is currently being read
* --pedantic warnings are fatal
+ * --piglet enable piglet test harness mode
* --plugin-path <path> where to find plugins
* --process-all-events process all action groups
* --rule <rules> to be added to configuration; may be repeated
* --treat-drop-as-ignore use drop, block, and reset rules to ignore
session traffic when not inline
* --tweaks tune configuration
+ * --catch-test comma separated list of cat unit test tags or all
* --version show version number (same as -V)
* --warn-all enable all warnings
* --warn-conf warn about configuration issues
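Review bot: --catch-test is inserted between --tweaks and --version, which breaks the alphabetical ordering of the option list (it belongs after --c2x, which is where the index entry snort.--catch-test later in this diff places it). The wording "cat unit test tags" also reads like a truncation of the Catch unit test framework's name; spelling it out as "Catch unit test tags" would avoid readers looking for a tool called cat.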
* bool appid.debug = false: enable appid debug logging
* bool appid.dump_ports = false: enable dump of appid port
information
+ * int appid.first_decrypted_packet_debug = 0: the first packet of
+ an already decrypted SSL flow (debug single session only) {
+ 0:max32 }
* int appid.instance_id = 0: instance id - ignored { 0:max32 }
* bool appid.log_all_sessions = false: enable logging of all appid
sessions
* port dpx.port: port to check
* interval dsize.~range: check if packet payload size is in the
given range { 0:65535 }
+ * enum enable.~enable = yes: enable or disable rule in current ips
+ policy or use default defined by ips policy { no | yes | inherit
+ }
* bool esp.decode_esp = false: enable for inspection of esp traffic
that has authentication but not encryption
* int event_filter[].count = 0: number of events in interval before
* port host_tracker[].services[].port: port number
* enum host_tracker[].services[].proto: IP protocol { ip | tcp |
udp }
+ * int http2_inspect.print_amount = 1200: number of characters to
+ print from a Field { 1:max53 }
+ * bool http2_inspect.print_hex = false: nonprinting characters
+ printed in [HH] format instead of using an asterisk
+ * bool http2_inspect.show_pegs = true: display peg counts with test
+ output
+ * bool http2_inspect.show_scan = false: display scanned segments
+ * bool http2_inspect.test_input = false: read HTTP/2 messages from
+ text file
+ * bool http2_inspect.test_output = false: print out HTTP section
+ data
* implied http_cookie.request: match against the cookie from the
request message even when examining the response
* implied http_cookie.with_body: parts of this rule examine HTTP
encodings
* bool http_inspect.plus_to_space = true: replace + with <sp> when
normalizing URIs
+ * int http_inspect.print_amount = 1200: number of characters to
+ print from a Field { 1:max53 }
+ * bool http_inspect.print_hex = false: nonprinting characters
+ printed in [HH] format instead of using an asterisk
* int http_inspect.request_depth = -1: maximum request message body
bytes to examine (-1 no limit) { -1:max53 }
* int http_inspect.response_depth = -1: maximum response message
body bytes to examine (-1 no limit) { -1:max53 }
+ * bool http_inspect.show_pegs = true: display peg counts with test
+ output
+ * bool http_inspect.show_scan = false: display scanned segments
* bool http_inspect.simplify_path = true: reduce URI directory path
to simplest form
+ * bool http_inspect.test_input = false: read HTTP messages from
+ text file
+ * bool http_inspect.test_output = false: print out HTTP section
+ data
* bool http_inspect.unzip = true: decompress gzip and deflate
message bodies
* bool http_inspect.utf8_bare_byte = false: when doing UTF-8
* enum ips.mode: set policy mode { tap | inline | inline-test }
* bool ips.obfuscate_pii = false: mask all but the last 4
characters of credit card and social security numbers
- * string ips.rules: snort rules and includes
+ * string ips.rules: snort rules and includes (may contain states
+ too)
+ * string ips.states: snort rule states and includes (may contain
+ rules too)
* string ips.uuid = 00000000-0000-0000-0000-000000000000: IPS
policy uuid
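Review bot: with ips.rules now allowed to "contain states too" and ips.states to "contain rules too", the documentation should state which wins when the same gid:sid is enabled in one and disabled in the other, and whether a state in ips.states overrides an enable setting in the rule's own definition; as written, the two parentheticals describe what each string may hold but not the precedence between them.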
* string isdataat.~length: num | !num
* int output.tagged_packet_limit = 256: maximum number of packets
tagged for non-packet metrics { 0:max32 }
* bool output.verbose = false: be verbose (same as -v)
- * bool output.wide_hex_dump = false: output 20 bytes per lines
+ * bool output.wide_hex_dump = true: output 20 bytes per lines
instead of 16 when dumping buffers
* bool packet_capture.enable = false: initially enable packet
dumping
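Review bot: flipping the default of output.wide_hex_dump from false to true changes the width of every hex dump for deployments that never set the option, so anything that parses that output (tests, log scrapers) will see 20-byte rows instead of 16; this should be called out in the release notes rather than only in the reference table. While touching the line, "20 bytes per lines" should read "20 bytes per line".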
packets
* bool rt_packet.retry_targeted = false: request retry for packets
whose data starts with A
- * enum rule_state.$gid_sid[].action = inherit: apply action if rule
+ * enum rule_state.$gid_sid[].action = alert: apply action if rule
matches or inherit from rule definition { log | pass | alert |
- drop | block | reset | react | reject | rewrite | inherit }
+ drop | block | reset }
* enum rule_state.$gid_sid[].enable = inherit: enable or disable
rule in current ips policy or use default defined by ips policy {
no | yes | inherit }
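Review bot: the rule_state.$gid_sid[].action enum drops inherit (along with react, reject and rewrite) and the default changes from inherit to alert, but the unchanged description on the preceding line still says "apply action if rule matches or inherit from rule definition", which is no longer possible. Either restore inherit or rewrite the description. Note also the behaviour change: an existing rule_state entry that set only enable and relied on the inherited action will now force alert, and rule_state.$gid_sid[].enable still offers inherit, so the two sibling fields are now asymmetric.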
offload algorithm - choose available search engine { ac_banded |
ac_bnfa | ac_full | ac_sparse | ac_sparse_bands | ac_std |
hyperscan | lowmem }
+ * int search_engine.queue_limit = 128: maximum number of fast
+ pattern matches to queue per packet (0 means no maximum) {
+ 0:max32 }
* dynamic search_engine.search_method = ac_bnfa: set fast pattern
algorithm - choose available search engine { ac_banded | ac_bnfa
| ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan |
* string snort.--bpf: <filter options> are standard BPF options, as
seen in TCPDump
* string snort.--c2x: output hex for given char (see also --x2c)
+ * string snort.--catch-test: comma separated list of cat unit test
+ tags or all
* string snort.-c: <conf> use this configuration
* string snort.--control-socket: <file> to create unix socket
* implied snort.-C: print out payloads with character data only (no
* implied snort.-O: obfuscate the logged IP addresses
* string snort.-?: <option prefix> output matching command line
option quick help (same as --help-options) { (optional) }
+ * int snort.--pause-after-n: <count> pause after count packets {
+ 1:max53 }
* implied snort.--pause: wait for resume/quit command before
processing packets/terminating
* string snort.--pcap-dir: <dir> a directory to recurse to look for
* implied snort.--pcap-show: print a line saying what pcap is
currently being read
* implied snort.--pedantic: warnings are fatal
+ * implied snort.--piglet: enable piglet test harness mode
* string snort.--plugin-path: <path> where to find plugins
* implied snort.--process-all-events: process all action groups
* implied snort.-Q: enable inline mode operation
(sum)
* search_engine.qualified_events: total qualified events (sum)
* search_engine.searched_bytes: total bytes searched (sum)
- * search_engine.total_flushed: fast pattern matches discarded due
- to overflow (sum)
+ * search_engine.total_flushed: total fast pattern matches processed
+ (sum)
* search_engine.total_inserts: total fast pattern hits (sum)
+ * search_engine.total_overruns: fast pattern matches discarded due
+ to overflow (sum)
* search_engine.total_unique: total unique fast pattern hits (sum)
* side_channel.packets: total packets (sum)
* sip.ack: ack (sum)
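Review bot: search_engine.total_flushed keeps its name but changes meaning from "fast pattern matches discarded due to overflow" to "total fast pattern matches processed", with the old meaning moving to the new search_engine.total_overruns; anyone graphing or alerting on total_flushed will see a silent semantic change. Prefer documenting this explicitly (and, in the new search_engine.queue_limit description earlier in this diff, stating that matches beyond the limit are the ones counted in total_overruns) so the relationship between the knob and the counter is clear.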
* dsize (ips_option): rule option to test payload size
* eapol (codec): support for extensible authentication protocol
over LAN
+ * enable (ips_option): stub rule option to enable or disable full
+ rule
* erspan2 (codec): support for encapsulated remote switched port
analyzer - type 2
* erspan3 (codec): support for encapsulated remote switched port
used by regression tests that require custom service inspector
support.
* rule_state (basic): enable/disable and set actions for specific
- IPS rules
+ IPS rules; deprecated, use rule state stubs with enable instead
* sd_pattern (ips_option): rule option for detecting sensitive data
* search_engine (basic): configure fast pattern matcher
* seq (ips_option): rule option to check TCP sequence number
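Review bot: the deprecation of rule_state ("use rule state stubs with enable instead") appears only in this module summary line; the rule_state.$gid_sid[] parameter entries earlier in this diff carry no deprecation note, so a reader who lands on those entries first will not learn that the module is on its way out. Add the same notice there.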
* ips_option::dnp3_obj: detection option to check DNP3 object
headers
* ips_option::dsize: rule option to test payload size
+ * ips_option::enable: stub rule option to enable or disable full
+ rule
* ips_option::file_data: rule option to set detection cursor to
file data
* ips_option::file_type: rule option to check file type
* logger::log_null: disable logging of packets
* logger::log_pcap: log packet in pcap format
* logger::unified2: output event and packet in unified2 format file
+ * piglet::pp_codec: Codec piglet
+ * piglet::pp_inspector: Inspector piglet
+ * piglet::pp_ips_action: Ips action piglet
+ * piglet::pp_ips_option: Ips option piglet
+ * piglet::pp_logger: Logger piglet
+ * piglet::pp_search_engine: Search engine piglet
+ * piglet::pp_so_rule: SO rule piglet
+ * piglet::pp_test: Test piglet
* search_engine::ac_banded: Aho-Corasick Banded (high memory,
moderate performance)
* search_engine::ac_bnfa: Aho-Corasick Binary NFA (low memory, high
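Review bot: the eight piglet::pp_* entries are test-harness plugins (the --piglet flag added in the same diff is described as "enable piglet test harness mode"), yet they are listed alongside user-facing codecs, loggers and search engines with one-word descriptions like "Codec piglet"; consider either marking them as test-only in the description or keeping them out of the end-user plugin index.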