The Snort Team
Revision History
-Revision 3.1.19.0 2021-12-15 06:07:48 EST TST
+Revision 3.1.20.0 2022-01-12 09:17:34 EST TST
---------------------------------------------------------------------
7.62. http_true_ip
7.63. http_uri
7.64. http_version
- 7.65. icmp_id
- 7.66. icmp_seq
- 7.67. icode
- 7.68. id
- 7.69. iec104_apci_type
- 7.70. iec104_asdu_func
- 7.71. ip_proto
- 7.72. ipopts
- 7.73. isdataat
- 7.74. itype
- 7.75. js_data
- 7.76. md5
- 7.77. metadata
- 7.78. modbus_data
- 7.79. modbus_func
- 7.80. modbus_unit
- 7.81. msg
- 7.82. mss
- 7.83. num_headers
- 7.84. num_trailers
- 7.85. pcre
- 7.86. pkt_data
- 7.87. pkt_num
- 7.88. priority
- 7.89. raw_data
- 7.90. reference
- 7.91. regex
- 7.92. rem
- 7.93. replace
- 7.94. rev
- 7.95. rpc
- 7.96. s7commplus_content
- 7.97. s7commplus_func
- 7.98. s7commplus_opcode
- 7.99. sd_pattern
- 7.100. seq
- 7.101. service
- 7.102. sha256
- 7.103. sha512
- 7.104. sid
- 7.105. sip_body
- 7.106. sip_header
- 7.107. sip_method
- 7.108. sip_stat_code
- 7.109. so
- 7.110. soid
- 7.111. ssl_state
- 7.112. ssl_version
- 7.113. stream_reassemble
- 7.114. stream_size
- 7.115. tag
- 7.116. target
- 7.117. tos
- 7.118. ttl
- 7.119. urg
- 7.120. vba_data
- 7.121. window
- 7.122. wscale
+ 7.65. http_version_match
+ 7.66. icmp_id
+ 7.67. icmp_seq
+ 7.68. icode
+ 7.69. id
+ 7.70. iec104_apci_type
+ 7.71. iec104_asdu_func
+ 7.72. ip_proto
+ 7.73. ipopts
+ 7.74. isdataat
+ 7.75. itype
+ 7.76. js_data
+ 7.77. md5
+ 7.78. metadata
+ 7.79. modbus_data
+ 7.80. modbus_func
+ 7.81. modbus_unit
+ 7.82. msg
+ 7.83. mss
+ 7.84. num_headers
+ 7.85. num_trailers
+ 7.86. pcre
+ 7.87. pkt_data
+ 7.88. pkt_num
+ 7.89. priority
+ 7.90. raw_data
+ 7.91. reference
+ 7.92. regex
+ 7.93. rem
+ 7.94. replace
+ 7.95. rev
+ 7.96. rpc
+ 7.97. s7commplus_content
+ 7.98. s7commplus_func
+ 7.99. s7commplus_opcode
+ 7.100. sd_pattern
+ 7.101. seq
+ 7.102. service
+ 7.103. sha256
+ 7.104. sha512
+ 7.105. sid
+ 7.106. sip_body
+ 7.107. sip_header
+ 7.108. sip_method
+ 7.109. sip_stat_code
+ 7.110. so
+ 7.111. soid
+ 7.112. ssl_state
+ 7.113. ssl_version
+ 7.114. stream_reassemble
+ 7.115. stream_size
+ 7.116. tag
+ 7.117. target
+ 7.118. tos
+ 7.119. ttl
+ 7.120. urg
+ 7.121. vba_data
+ 7.122. window
+ 7.123. wscale
8. Search Engine Modules
9. SO Rule Modules
* appid.processed_packets: count of packets processed (sum)
* appid.ignored_packets: count of packets ignored (sum)
* appid.total_sessions: count of sessions created (sum)
- * appid.appid_unknown: count of sessions where appid could not be
- determined (sum)
* appid.service_cache_prunes: number of times the service cache was
pruned (sum)
* appid.service_cache_adds: number of times an entry was added to
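Review bot: dropping the appid.appid_unknown peg (the removed lines "* appid.appid_unknown: count of sessions where appid could not be determined (sum)", and the same entry again in the consolidated peg list further down) removes a user-visible counter with no explanation anywhere in the surrounding text. If the counter was removed from the appid inspector, say so in the release notes so anyone graphing appid pegs knows why the field vanished; if the counter still exists, the documentation should keep listing it.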
updates in a single header block
* 121:36 (http2_inspect) HTTP/2 HPACK table size update exceeds max
value set by decoder in SETTINGS frame
+ * 121:37 (http2_inspect) Nonempty HTTP/2 Data frame where message
+ body not expected
Peg counts:
phrase
* 119:206 (http_inspect) illegal extra whitespace in start line
* 119:207 (http_inspect) corrupted HTTP version
- * 119:208 (http_inspect) HTTP version in start line is not HTTP/1.0
- or 1.1
* 119:209 (http_inspect) format error in HTTP header
* 119:210 (http_inspect) chunk header options present
* 119:211 (http_inspect) URI badly formatted
* 119:273 (http_inspect) missed PDUs during JavaScript
normalization
* 119:274 (http_inspect) JavaScript scope nesting is over capacity
+ * 119:275 (http_inspect) HTTP/1 version other than 1.0 or 1.1
+ * 119:276 (http_inspect) HTTP version in start line is 0
+ * 119:277 (http_inspect) HTTP version in start line is higher than
+ 1
Peg counts:
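Review bot: retiring 119:208 and introducing 119:275/276/277 in its place is the right way to split the check (the old SID is not reused), but nothing in the hunk tells a reader that 119:208 is gone. Add a one-line retirement note next to the list, e.g. "119:208 retired; see 119:275-277", because any suppress or threshold entry and any SIEM correlation keyed on 119:208 silently stops matching after this change and has to be migrated to the three new SIDs.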
HTTP message trailers
-7.65. icmp_id
+7.65. http_version_match
+
+--------------
+
+Help: rule option to match version to listed values
+
+Type: ips_option
+
+Usage: detect
+
+Configuration:
+
+ * string http_version_match.~version_list: space-separated list of
+ versions to match
+
+
+7.66. icmp_id
--------------
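Review bot: the new 7.65 section for http_version_match documents only "string http_version_match.~version_list: space-separated list of versions to match" and never says which version tokens are valid. The manual text for the same option (5.10.6.17) names them as 1.0, 1.1, 2.0, 0.9, other and malformed; put that set into the parameter help here as well (this reference text is what --help-module prints), otherwise a rule author reading only this section cannot know that "other" and "malformed" are accepted tokens.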
0:65535 }
-7.66. icmp_seq
+7.67. icmp_seq
--------------
given range { 0:65535 }
-7.67. icode
+7.68. icode
--------------
0:255 }
-7.68. id
+7.69. id
--------------
}
-7.69. iec104_apci_type
+7.70. iec104_apci_type
--------------
* string iec104_apci_type.~: APCI type to match
-7.70. iec104_asdu_func
+7.71. iec104_asdu_func
--------------
* string iec104_asdu_func.~: function code to match
-7.71. ip_proto
+7.72. ip_proto
--------------
* string ip_proto.~proto: [!|>|<] name or number
-7.72. ipopts
+7.73. ipopts
--------------
lsrre|ssrr|satid|any }
-7.73. isdataat
+7.74. isdataat
--------------
buffer
-7.74. itype
+7.75. itype
--------------
0:255 }
-7.75. js_data
+7.76. js_data
--------------
Usage: detect
-7.76. md5
+7.77. md5
--------------
of buffer
-7.77. metadata
+7.78. metadata
--------------
pairs
-7.78. modbus_data
+7.79. modbus_data
--------------
Usage: detect
-7.79. modbus_func
+7.80. modbus_func
--------------
* string modbus_func.~: function code to match
-7.80. modbus_unit
+7.81. modbus_unit
--------------
* int modbus_unit.~: Modbus unit ID { 0:255 }
-7.81. msg
+7.82. msg
--------------
* string msg.~: message describing rule
-7.82. mss
+7.83. mss
--------------
}
-7.83. num_headers
+7.84. num_headers
--------------
message trailers
-7.84. num_trailers
+7.85. num_trailers
--------------
HTTP message trailers
-7.85. pcre
+7.86. pcre
--------------
* pcre.pcre_negated: total pcre rules using negation syntax (sum)
-7.86. pkt_data
+7.87. pkt_data
--------------
Usage: detect
-7.87. pkt_num
+7.88. pkt_num
--------------
{ 1: }
-7.88. priority
+7.89. priority
--------------
1:max31 }
-7.89. raw_data
+7.90. raw_data
--------------
Usage: detect
-7.90. reference
+7.91. reference
--------------
* string reference.~ref: reference: <scheme>,<id>
-7.91. regex
+7.92. regex
--------------
instead of start of buffer
-7.92. rem
+7.93. rem
--------------
* string rem.~: comment
-7.93. replace
+7.94. replace
--------------
* string replace.~: byte code to replace with
-7.94. rev
+7.95. rev
--------------
* int rev.~: revision { 1:max32 }
-7.95. rpc
+7.96. rpc
--------------
* string rpc.~proc: procedure number or * for any
-7.96. s7commplus_content
+7.97. s7commplus_content
--------------
Usage: detect
-7.97. s7commplus_func
+7.98. s7commplus_func
--------------
* string s7commplus_func.~: function code to match
-7.98. s7commplus_opcode
+7.99. s7commplus_opcode
--------------
* string s7commplus_opcode.~: opcode code to match
-7.99. sd_pattern
+7.100. sd_pattern
--------------
* sd_pattern.terminated: hyperscan terminated (sum)
-7.100. seq
+7.101. seq
--------------
range { 0: }
-7.101. service
+7.102. service
--------------
* string service.*: one or more comma-separated service names
-7.102. sha256
+7.103. sha256
--------------
start of buffer
-7.103. sha512
+7.104. sha512
--------------
start of buffer
-7.104. sid
+7.105. sid
--------------
* int sid.~: signature id { 1:max32 }
-7.105. sip_body
+7.106. sip_body
--------------
Usage: detect
-7.106. sip_header
+7.107. sip_header
--------------
Usage: detect
-7.107. sip_method
+7.108. sip_method
--------------
* string sip_method.*method: sip method
-7.108. sip_stat_code
+7.109. sip_stat_code
--------------
* int sip_stat_code.*code: status code { 1:999 }
-7.109. so
+7.110. so
--------------
buffer
-7.110. soid
+7.111. soid
--------------
like 3_45678_9
-7.111. ssl_state
+7.112. ssl_state
--------------
unknown
-7.112. ssl_version
+7.113. ssl_version
--------------
tls1.2
-7.113. stream_reassemble
+7.114. stream_reassemble
--------------
remainder of the session
-7.114. stream_size
+7.115. stream_size
--------------
direction(s) { either|to_server|to_client|both }
-7.115. tag
+7.116. tag
--------------
* int tag.bytes: tag for this many bytes { 1:max32 }
-7.116. target
+7.117. target
--------------
dst_ip }
-7.117. tos
+7.118. tos
--------------
* interval tos.~range: check if IP TOS is in given range { 0:255 }
-7.118. ttl
+7.119. ttl
--------------
0:255 }
-7.119. urg
+7.120. urg
--------------
{ 0:65535 }
-7.120. vba_data
+7.121. vba_data
--------------
Usage: detect
-7.121. window
+7.122. window
--------------
range { 0:65535 }
-7.122. wscale
+7.123. wscale
--------------
HTTP message headers
* implied http_uri.with_trailer: parts of this rule examine HTTP
message trailers
+ * string http_version_match.~version_list: space-separated list of
+ versions to match
* implied http_version.request: match against the version from the
request message even when examining the response
* implied http_version.with_body: parts of this rule examine HTTP
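Review bot: the inserted line "+ * string http_version_match.~version_list: space-separated list of versions to match" sits between http_uri.with_trailer and http_version.request, but this consolidated list appears to be sorted by option name and "http_version_match" sorts after every "http_version.*" entry (the ips_option index further down puts http_version_match after http_version for the same reason). Move the line below http_version.with_body so the list stays sorted; if the list is generated, it is the generator's sort key that needs fixing.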
* address_space_selector.no_match: selection evaluations that had
no matches (sum)
* address_space_selector.packets: packets evaluated (sum)
- * appid.appid_unknown: count of sessions where appid could not be
- determined (sum)
* appid.ignored_packets: count of packets ignored (sum)
* appid.odp_reload_ignored_pkts: count of packets ignored after
open detector package is reloaded (sum)
The HTTP version in the start line begins with "HTTP/" but the
remainder is not in the expected <digit>.<digit> format.
-119:208 (http_inspect) HTTP version in start line is not HTTP/1.0 or
-1.1
-
-The HTTP version in the start line has a valid format but is not HTTP
-/1.0 or HTTP/1.1. This alert does not apply to HTTP/2 or HTTP/3
-traffic.
-
119:209 (http_inspect) format error in HTTP header
An HTTP header line contains a format error. A well-formed header
119:265 (http_inspect) bad token in JavaScript
-JavaScript normalizer has encountered a symbol that is not expected
-as a part of a valid JavaScript statement, making further
+Enhanced JavaScript normalizer has encountered a symbol that is not
+expected as a part of a valid JavaScript statement, making further
normalization impossible.
119:266 (http_inspect) unexpected script opening tag in JavaScript
HTML <script> tag must not have a nested <script> tag inside it. If a
-nested tag is encountered, this alert is raised.
+nested tag is encountered, this alert is raised. This alert is raised
+by the enhanced JavaScript normalizer.
119:267 (http_inspect) unexpected script closing tag in JavaScript
This alert is raised when </script> end-tag is encountered inside a
JavaScript comment or literal, which is a syntax error, as the last
-comment or literal is not closed before script end.
+comment or literal is not closed before script end. This alert is
+raised by the enhanced JavaScript normalizer.
119:268 (http_inspect) JavaScript code under the external script tags
When HTML <script> tag contains a reference to an external script, it
must not contain any executable JavaScript code. This alert is raised
if executable (i.e. not comment) code is found inside a script tag
-that has an external reference.
+that has an external reference. This alert is raised by the enhanced
+JavaScript normalizer.
119:269 (http_inspect) script opening tag in a short form
In HTML, a script tag must not be self-closing (written as <script />
without a following end-tag). If a self-closing "short-form" script
-tag is encountered, this alert is raised.
+tag is encountered, this alert is raised. This alert is raised by the
+enhanced JavaScript normalizer.
119:270 (http_inspect) max number of unique JavaScript identifiers
reached
considerations, with http_inspect.js_norm_identifier_depth parameter.
When this threshold is reached, a corresponding alert is raised. This
alert is not expected for typical network traffic and may be an
-indication that an attacker is trying to exhaust resources.
+indication that an attacker is trying to exhaust resources. This
+alert is raised by the enhanced JavaScript normalizer.
119:271 (http_inspect) JavaScript bracket nesting is over capacity
http_inspect.js_norm_max_tmpl_nest or in
http_inspect.js_norm_max_bracket_depth, this alert is raised. This
alert is not expected for typical network traffic and may be an
-indication that an attacker is trying to exhaust resources.
+indication that an attacker is trying to exhaust resources. This
+alert is raised by the enhanced JavaScript normalizer.
119:272 (http_inspect) Consecutive commas in HTTP Accept-Encoding
header
match file_data FP search and JavaScript normalization won’t be
executed for these PDUs. The normalization of the following PDUs for
inline/external scripts will be stopped for current request within
-the flow.
+the flow. This alert is raised by the enhanced JavaScript normalizer.
119:274 (http_inspect) JavaScript scope nesting is over capacity
-In JavaScript, a program is split into several scopes such as a
-global scope, function scope, if block, block of code, object, etc.
-The scope has a nesting nature which requires a stack to track it for
-proper normalization of JavaScript identifiers. When the depth of
-nesting exceeds limit set in http_inspect.js_norm_max_scope_depth,
-this alert is raised. This alert is not expected for typical network
-traffic and may be an indication that an attacker is trying to
-exhaust resources.
+To resolve variable names in JavaScript, a current stack of variable
+scopes has to be tracked. When the depth of nesting exceeds the limit
+set in http_inspect.js_norm_max_scope_depth, this alert is raised.
+This alert is not expected for typical network traffic and may be an
+indication that an attacker is trying to exhaust resources. This
+alert is raised by the enhanced JavaScript normalizer.
+
+119:275 (http_inspect) HTTP/1 version other than 1.0 or 1.1
+
+The HTTP version in the start line has a valid 1.<subversion> format,
+but the subversion is not 0 or 1.
+
+119:276 (http_inspect) HTTP version in start line is 0
+
+The HTTP version in the start line has a valid format but the version
+is 0.
+
+119:277 (http_inspect) HTTP version in start line is higher than 1
+
+The HTTP version in the start line has a valid format but the version
+is higher than 1. This alert does not apply to HTTP/2 or HTTP/3
+traffic.
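Review bot: the three replacement alerts need tighter wording about which part of the version they test. 119:276 says "the version is 0" and 119:277 "higher than 1"; both should say major version, and 119:276 should state that a start line carrying "HTTP/0.9" triggers it (the http_version_match text in the manual treats such a field as falsely claiming 0.9, since real HTTP/0.9 carries no version at all), while 119:277 should give "HTTP/2.0" in an HTTP/1 start line as the expected case, matching the manual's statement that these messages match "other". Separately, the sentence "This alert is raised by the enhanced JavaScript normalizer." is now appended to seven alerts; for 119:265 it duplicates the new opening "Enhanced JavaScript normalizer has encountered", so keep only one of the two there.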
121:1 (http2_inspect) invalid flag set on HTTP/2 frame
HTTP/2 HPACK table size update exceeds max value set by decoder in
SETTINGS frame
+121:37 (http2_inspect) Nonempty HTTP/2 Data frame where message body
+not expected
+
+Nonempty HTTP/2 Data frame where a message body was not expected.
+
122:1 (port_scan) TCP portscan
Basic one host to one host TCP portscan where multiple TCP ports are
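Review bot: the description of 121:37 ("Nonempty HTTP/2 Data frame where a message body was not expected.") restates the alert title and adds nothing. Say which cases the inspector treats as "body not expected" and what it does with the frame payload afterwards (still inspected, or ignored), since that decides whether a rule writer can rely on the HTTP/2 body buffers for such a stream.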
the normalized URI buffer
* http_version (ips_option): rule option to set the detection
cursor to the version buffer
+ * http_version_match (ips_option): rule option to match version to
+ listed values
* hyperscan (search_engine): intel hyperscan-based mpse with regex
support
* icmp4 (codec): support for Internet control message protocol v4
the normalized URI buffer
* ips_option::http_version: rule option to set the detection cursor
to the version buffer
+ * ips_option::http_version_match: rule option to match version to
+ listed values
* ips_option::icmp_id: rule option to check ICMP ID
* ips_option::icmp_seq: rule option to check ICMP sequence number
* ips_option::icode: rule option to check ICMP code
The Snort Team
Revision History
-Revision 3.1.19.0 2021-12-15 06:07:38 EST TST
+Revision 3.1.20.0 2022-01-12 09:17:24 EST TST
---------------------------------------------------------------------
js_norm_identifier_depth = N {0 : 65536} will set a number of unique
JavaScript identifiers to normalize. When the depth is reached, a
-built-in alert is generated. Every HTTP Response has its own
-identifier substitution context. Thus, all scripts from the same
-response will be normalized as if they are a single script.. By
-default, the value is set to 65536, which is the max allowed number
-of unique identifiers. The generated names are in the range from
-var_0000 to var_ffff.
+built-in alert is generated. Every HTTP response has its own
+identifier substitution context, which means that identifier will
+retain same normal form in multiple scripts, if they are a part of
+the same HTTP response, and that this limit is set for a single HTTP
+response and not a single script. By default, the value is set to
+65536, which is the max allowed number of unique identifiers. The
+generated names are in the range from var_0000 to var_ffff.
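Review bot: grammar in the rewritten sentence: "which means that identifier will retain same normal form in multiple scripts, if they are a part of the same HTTP response" should read "which means that an identifier keeps the same normal form across all scripts in one HTTP response". The rewrite also removes the doubled period from the old text, which is good, but it still only mentions responses; state explicitly whether requests get their own substitution context too.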
5.10.3.11. js_norm_max_tmpl_nest
can have arbitrary JavaScript substitutions, that will be evaluated
and inserted into the string. Such substitutions can be nested, and
require keeping track of every layer for proper normalization. This
-option is present to limit the amount of memory dedicated to this
-tracking.
+option is present to limit the amount of memory dedicated to template
+nesting tracking.
5.10.3.12. js_norm_max_bracket_depth
js_norm_max_bracket_depth = N {1 : 65535} (default 256) is an option
-of the enhanced JavaScript normalizer that determines the deepest
-level of nested bracket scope. The scope term includes code sections
-("{}"), parentheses("()") and brackets("[]"). This option is present
-to limit the amount of memory dedicated to this tracking.
+of the enhanced JavaScript normalizer that determines the maximum
+depth of nesting brackets, i.e. parentheses, braces and square
+brackets, nested within a matching pair, in any combination. This
+option is present to limit the amount of memory dedicated to bracket
+tracking.
5.10.3.13. js_norm_max_scope_depth
js_norm_max_scope_depth = N {1 : 65535} (default 256) is an option of
the enhanced JavaScript normalizer that determines the deepest level
-of nested scope. The scope term includes any type of JavaScript
-program scope such as the global one, function scope, if block,
-loops, code block, object scope, etc. This option is present to limit
-the amount of memory dedicated to this tracking.
+of nested variable scope, i.e. functions, code blocks, etc. including
+the global scope. This option is present to limit the amount of
+memory dedicated to scope tracking.
5.10.3.14. js_norm_ident_ignore
-js_norm_ident_ignore = {<a list of ignored identifiers>}. The default
-list is present in "snort_defaults.lua".
+js_norm_ident_ignore = {<list of ignored identifiers>} is an option
+of the enhanced JavaScript normalizer that defines a list of
+identifiers to keep intact.
-The Normalizer does not substitute ignored identifiers, keeping their
-name unchanged. Additionally, the Normalizer tracks expressions with
-ignored identifiers, so the subsequent identifiers are not
-substituted in the chain of dots, bracket accessors and function
-calls. For example:
+Identifiers in this list will not be put into normal form (var_0000).
+Subsequent accessors, after dot, in square brackets or after function
+call, will not be normalized as well.
+
+For example:
console.log("bar")
document.getElementById("id").text
eval("script")
-foo["bar"]
+console["log"]
-The list must contain object and function names only. For example:
+Every entry has to be a simple identifier, i.e. not include dots,
+brackets, etc. For example:
http_inspect.js_norm_ident_ignore = { 'console', 'document', 'eval', 'foo' }
+When a variable assignment that aliases an identifier from the list
+is found, the assignment will be tracked, and subsequent occurrences
+of the variable will be replaced with the stored value. This
+substitution will follow JavaScript variable scope limits.
+
+For example:
+
+var a = console.log
+a("hello") // will be substituted to 'console.log("hello")'
+
+The default list of ignore-identifiers is present in
+"snort_defaults.lua".
+
5.10.3.15. xff_headers
This configuration supports defining custom x-forwarded-for type
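Review bot: the example list "http_inspect.js_norm_ident_ignore = { 'console', 'document', 'eval', 'foo' }" still names 'foo', but this hunk replaced the foo["bar"] example with console["log"], so 'foo' no longer corresponds to anything shown above; either drop 'foo' from the config example or keep the foo["bar"] line. Two smaller points: "will not be normalized as well" should be "will not be normalized either", and the new alias-tracking paragraph (var a = console.log; a("hello") becomes console.log("hello")) should say what happens when the alias is reassigned later or shadowed in an inner scope, because a rule that matches on the substituted console.log( text depends on that behaviour.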
"⇐", less or greater than ">=", in range "<>", in range or equal to "
<⇒".
+5.10.6.17. http_version_match
+
+Rule option that matches HTTP version to one of the listed version
+values. Possible match values: 1.0, 1.1, 2.0, 0.9, other, and
+malformed. When receiving a request line or status line, if the
+version is present it will be used for comparison. If the version
+doesn’t have a format of [0-9].[0-9] it is considered malformed. A
+[0-9].[0-9] that is not 1.0 or 1.1 is considered other. 0.9 refers to
+the original HTTP protocol version that uses simple GET requests
+without headers and includes no version number. 2.0 refers to the
+actual HTTP/2 protocol with framed data. Messages that follow the
+general HTTP/1 format but contain version fields falsely claiming to
+be HTTP/2.0 or HTTP/0.9 will match "other" as described above. The
+http_version rule option is available to examine the actual bytes in
+the version field.
+
5.10.7. Timing issues and combining rule options
HTTP inspector is stateful. That means it is aware of a bigger
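Review bot: the new 5.10.6.17 text would benefit from a rule fragment and cross-references to the builtin alerts it mirrors. The "malformed" value is the same condition as alert 119:207 (version not in <digit>.<digit> form) and "other" covers exactly the start lines that raise the new 119:275/276/277, so cite those SIDs here; and give one example line such as http_version_match:"2.0 other"; (assuming the usual quoted-string option syntax) so the space-separated list form is unambiguous. The value list also omits HTTP/3: since the 119:277 text says it does not apply to HTTP/3 traffic, state whether a real HTTP/3 session matches any token at all.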