doc/snort2lua_cmds.txt
doc/snort_manual.chunked/
doc/snort_manual.chunked.tgz
-doc/snort_manual.html
-doc/snort_manual.pdf
-doc/snort_manual.text
doc/snort_manual.tgz
doc/snort_manual.xml
doc/version.txt
snorty.png
snort2x.png
snort3x.png
+ snort_manual.html
+ snort_manual.pdf
+ snort_manual.text
snort_manual.txt
start.txt
style.txt
usage.txt
)
-if ( MAKE_HTML_DOC OR MAKE_TEXT_DOC OR MAKE_PDF_DOC )
- foreach ( output_file ${HELP_SOURCES} )
- add_help_command (
- "${CMAKE_CURRENT_LIST_DIR}/scripts/generate_help.sh"
- "${output_file}"
- )
- list ( APPEND BUILT_SOURCES "${output_file}" )
- endforeach ()
-
- foreach ( output_file ${LIST_SOURCES} )
- add_help_command (
- "${CMAKE_CURRENT_LIST_DIR}/scripts/generate_list.sh"
- "${output_file}"
- )
- list ( APPEND BUILT_SOURCES "${output_file}" )
- endforeach ()
-
- foreach ( output_file ${MODULE_SOURCES} )
- add_help_command (
- "${CMAKE_CURRENT_LIST_DIR}/scripts/generate_module.sh"
- "${output_file}"
- )
- list ( APPEND BUILT_SOURCES "${output_file}" )
- endforeach ()
-
- add_custom_command (
- OUTPUT version.txt
- COMMAND $<TARGET_FILE:snort> -V 2>&1 | grep -v Using > version.txt
- DEPENDS snort
- COMMENT "Documents: building version.txt"
+foreach ( output_file ${HELP_SOURCES} )
+ add_help_command (
+ "${CMAKE_CURRENT_LIST_DIR}/scripts/generate_help.sh"
+ "${output_file}"
)
- list ( APPEND BUILT_SOURCES version.txt )
+ list ( APPEND BUILT_SOURCES "${output_file}" )
+endforeach ()
- add_custom_command (
- OUTPUT snort2lua_cmds.txt
- COMMAND $<TARGET_FILE:snort2lua> --markup --help > snort2lua_cmds.txt
- DEPENDS snort2lua
- COMMENT "Documents: building snort2lua_cmds.txt"
+foreach ( output_file ${LIST_SOURCES} )
+ add_help_command (
+ "${CMAKE_CURRENT_LIST_DIR}/scripts/generate_list.sh"
+ "${output_file}"
)
- list ( APPEND BUILT_SOURCES snort2lua_cmds.txt )
-
- if ( RUBY_EXECUTABLE )
- add_custom_command (
- OUTPUT config_changes.txt
- COMMAND ${RUBY_EXECUTABLE}
- "${CMAKE_CURRENT_LIST_DIR}/get_differences.rb"
- "${CMAKE_SOURCE_DIR}/tools/snort2lua"
- > "${CMAKE_CURRENT_BINARY_DIR}/config_changes.txt"
- DEPENDS snort2lua get_differences.rb
- COMMENT "Documents: building config_changes.txt"
- )
- list ( APPEND BUILT_SOURCES config_changes.txt )
- elseif ( RUBY_EXECUTABLE )
- list ( APPEND UNBUILT_SOURCES config_changes.txt )
- endif ( RUBY_EXECUTABLE )
+ list ( APPEND BUILT_SOURCES "${output_file}" )
+endforeach ()
- add_custom_target (
- all_built_sources
- DEPENDS ${BUILT_SOURCES}
+foreach ( output_file ${MODULE_SOURCES} )
+ add_help_command (
+ "${CMAKE_CURRENT_LIST_DIR}/scripts/generate_module.sh"
+ "${output_file}"
)
+ list ( APPEND BUILT_SOURCES "${output_file}" )
+endforeach ()
+
+add_custom_command (
+ OUTPUT version.txt
+ COMMAND $<TARGET_FILE:snort> -V 2>&1 | grep -v Using > version.txt
+ DEPENDS snort
+ COMMENT "Documents: building version.txt"
+)
+list ( APPEND BUILT_SOURCES version.txt )
- foreach ( file_name ${BUILT_SOURCES} )
- list (
- APPEND
- BINARY_DIR_BUILT_SOURCES
- "${CMAKE_CURRENT_BINARY_DIR}/${file_name}"
- )
- endforeach ( file_name )
-
- foreach ( file_name ${UNBUILT_SOURCES} )
- list (
- APPEND
- LIST_DIR_SOURCES
- "${CMAKE_CURRENT_LIST_DIR}/${file_name}"
- )
- endforeach ( file_name )
-
- set ( BUILT_DIST ${BINARY_DIR_BUILT_SOURCES} ${BINARY_DIR_UNBUILT_SOURCES} )
-
- if ( MAKE_HTML_DOC )
- set (
- HTML_ASCIIDOC_ARGS
- -b xhtml11 -a toc2 -a icons -a imagesdir=.
- )
+add_custom_command (
+ OUTPUT snort2lua_cmds.txt
+ COMMAND $<TARGET_FILE:snort2lua> --markup --help > snort2lua_cmds.txt
+ DEPENDS snort2lua
+ COMMENT "Documents: building snort2lua_cmds.txt"
+)
+list ( APPEND BUILT_SOURCES snort2lua_cmds.txt )
- set (
- HTML_A2X_ARGS
- --format=chunked
- --attribute=linkcss --attribute=stylesdir --attribute=disable-javascript
- --xsltproc-opts=\"--stringparam chunk.tocs.and.lots 1\"
- --attribute=quirks! --attribute=imagesdir=.
- --resource=.
- )
+if ( RUBY_EXECUTABLE )
+ add_custom_command (
+ OUTPUT config_changes.txt
+ COMMAND ${RUBY_EXECUTABLE}
+ "${CMAKE_CURRENT_LIST_DIR}/get_differences.rb"
+ "${CMAKE_SOURCE_DIR}/tools/snort2lua"
+ > "${CMAKE_CURRENT_BINARY_DIR}/config_changes.txt"
+ DEPENDS snort2lua get_differences.rb
+ COMMENT "Documents: building config_changes.txt"
+ )
+ list ( APPEND BUILT_SOURCES config_changes.txt )
- add_custom_command (
- OUTPUT snort_manual.html
- COMMAND cp ${LIST_DIR_SOURCES} .
- COMMAND ${ASCIIDOC_EXE} ${HTML_ASCIIDOC_ARGS} snort_manual.txt
- DEPENDS all_built_sources
- COMMENT "Documents: building snort_manual.html"
- )
+elseif ( RUBY_EXECUTABLE )
+ list ( APPEND UNBUILT_SOURCES config_changes.txt )
- set ( HTML_DOC_TMP "${CMAKE_CURRENT_BINARY_DIR}/html/" )
+endif ( RUBY_EXECUTABLE )
- add_custom_command (
- OUTPUT "${HTML_DOC_TMP}/"
- COMMAND mkdir -p ${HTML_DOC_TMP}
- )
+foreach ( file_name ${BUILT_SOURCES} )
+ list (
+ APPEND
+ BINARY_DIR_BUILT_SOURCES
+ "${CMAKE_CURRENT_BINARY_DIR}/${file_name}"
+ )
+endforeach ( file_name )
- add_custom_command (
- OUTPUT snort_manual.chunked
- COMMAND cp ${LIST_DIR_SOURCES} ${BINARY_DIR_BUILT_SOURCES} .
- COMMAND ${ASCIIDOC_A2X_EXE} ${HTML_A2X_ARGS} snort_manual.txt
- COMMAND cp -r snort_manual.chunked ..
- DEPENDS all_built_sources "${HTML_DOC_TMP}/"
- WORKING_DIRECTORY ${HTML_DOC_TMP}
- COMMENT "Documents: building snort_manual.chunked"
- )
+foreach ( file_name ${UNBUILT_SOURCES} )
+ list (
+ APPEND
+ LIST_DIR_SOURCES
+ "${CMAKE_CURRENT_LIST_DIR}/${file_name}"
+ )
+endforeach ( file_name )
- add_custom_target (
- snort_manual_html
- COMMAND rm -rf ${HTML_DOC_TMP}
- DEPENDS snort_manual.html snort_manual.chunked
- )
+set ( BUILT_DIST ${BINARY_DIR_BUILT_SOURCES} ${BINARY_DIR_UNBUILT_SOURCES} )
- add_dependencies ( snort_manuals snort_manual_html )
+add_custom_target (
+ all_built_sources
+ DEPENDS ${BUILT_SOURCES}
+)
- list ( APPEND BUILT_DIST "${CMAKE_CURRENT_BINARY_DIR}/snort_manual.html" )
+add_dependencies ( snort_manuals all_built_sources )
- foreach ( file_name ${UNBUILT_SOURCES} )
- list (
- APPEND
- BINARY_DIR_UNBUILT_SOURCES
- "${CMAKE_CURRENT_BINARY_DIR}/${file_name}"
- )
- endforeach ( file_name )
- list (
- APPEND
- EXTRA_CLEAN
- "${CMAKE_CURRENT_BINARY_DIR}/snort_manual.html"
- "${CMAKE_CURRENT_BINARY_DIR}/snort_manual.chunked"
- )
+if ( MAKE_HTML_DOC )
+ set (
+ HTML_ASCIIDOC_ARGS
+ -b xhtml11 -a toc2 -a icons -a imagesdir=.
+ )
- add_custom_target (
- snort_online.html
- COMMAND ${CMAKE_SOURCE_DIR}/doc/online_manual.sh
- DEPENDS all_built_sources
- )
+ set (
+ HTML_A2X_ARGS
+ --format=chunked
+ --attribute=linkcss --attribute=stylesdir --attribute=disable-javascript
+ --xsltproc-opts=\"--stringparam chunk.tocs.and.lots 1\"
+ --attribute=quirks! --attribute=imagesdir=.
+ --resource=.
+ )
- add_custom_target (
- dev_guide.html
- COMMAND ${CMAKE_SOURCE_DIR}/doc/dev_guide.sh ${CMAKE_SOURCE_DIR}
- DEPENDS all_built_sources
- )
+ add_custom_command (
+ OUTPUT snort_manual.html
+ COMMAND cp ${LIST_DIR_SOURCES} .
+ COMMAND ${ASCIIDOC_EXE} ${HTML_ASCIIDOC_ARGS} snort_manual.txt
+ DEPENDS all_built_sources
+ COMMENT "Documents: building snort_manual.html"
+ )
- endif ( MAKE_HTML_DOC )
+ set ( HTML_DOC_TMP "${CMAKE_CURRENT_BINARY_DIR}/html/" )
- if ( MAKE_TEXT_DOC )
- set (
- TEXT_A2X_ARGS
- --format=text
- )
+ add_custom_command (
+ OUTPUT "${HTML_DOC_TMP}/"
+ COMMAND mkdir -p ${HTML_DOC_TMP}
+ )
- set ( TEXT_DOC_TMP "${CMAKE_CURRENT_BINARY_DIR}/text" )
+ add_custom_command (
+ OUTPUT snort_manual.tgz
+ COMMAND cp ${LIST_DIR_SOURCES} ${BINARY_DIR_BUILT_SOURCES} .
+ COMMAND ${ASCIIDOC_A2X_EXE} ${HTML_A2X_ARGS} snort_manual.txt
+ COMMAND cp -r snort_manual.chunked ..
+ COMMAND tar zcf ../snort_manual.tgz -C ../ snort_manual.chunked
+ DEPENDS all_built_sources "${HTML_DOC_TMP}/"
+ WORKING_DIRECTORY ${HTML_DOC_TMP}
+ COMMENT "Documents: building snort_manual.tgz"
+ )
- add_custom_command (
- OUTPUT "${TEXT_DOC_TMP}/"
- COMMAND mkdir -p ${TEXT_DOC_TMP}
- )
+ add_custom_target (
+ html
+ COMMAND rm -rf ${HTML_DOC_TMP}
+ DEPENDS snort_manual.html snort_manual.tgz
+ )
- add_custom_command (
- OUTPUT snort_manual.text
- COMMAND cp ${LIST_DIR_SOURCES} ${BINARY_DIR_BUILT_SOURCES} .
- COMMAND ${ASCIIDOC_A2X_EXE} ${TEXT_A2X_ARGS} snort_manual.txt
- COMMAND cp snort_manual.text ..
- DEPENDS all_built_sources "${TEXT_DOC_TMP}/"
- WORKING_DIRECTORY ${TEXT_DOC_TMP}
- COMMENT "Documents: building snort_manual.text"
+ foreach ( file_name ${UNBUILT_SOURCES} )
+ list (
+ APPEND
+ BINARY_DIR_UNBUILT_SOURCES
+ "${CMAKE_CURRENT_BINARY_DIR}/${file_name}"
)
+ endforeach ( file_name )
- add_custom_target (
- snort_manual_text
- COMMAND rm -rf ${TEXT_DOC_TMP}
- DEPENDS snort_manual.text
- )
+ list (
+ APPEND
+ EXTRA_CLEAN
+ "${CMAKE_CURRENT_BINARY_DIR}/snort_manual.html"
+ "${CMAKE_CURRENT_BINARY_DIR}/snort_manual.chunked"
+ "${CMAKE_CURRENT_BINARY_DIR}/snort_manual.tgz"
+ )
- add_dependencies ( snort_manuals snort_manual_text )
-
- list ( APPEND BUILT_DIST "${CMAKE_CURRENT_BINARY_DIR}/snort_manual.text" )
+ add_custom_target (
+ snort_online.html
+ COMMAND ${CMAKE_SOURCE_DIR}/doc/online_manual.sh
+ DEPENDS all_built_sources
+ )
- list (
- APPEND
- EXTRA_CLEAN
- "${CMAKE_CURRENT_BINARY_DIR}/snort_manual.text"
- )
- endif ( MAKE_TEXT_DOC )
+ add_custom_target (
+ dev_guide.html
+ COMMAND ${CMAKE_SOURCE_DIR}/doc/dev_guide.sh ${CMAKE_SOURCE_DIR}
+ DEPENDS all_built_sources
+ )
+endif ( MAKE_HTML_DOC )
- if ( MAKE_PDF_DOC )
- set (
- PDF_A2X_ARGS
- --format=pdf
- --attribute=imagesdir=.
- )
+if ( MAKE_TEXT_DOC )
+ set (
+ TEXT_A2X_ARGS
+ --format=text
+ )
- set ( PDF_DOC_TMP "${CMAKE_CURRENT_BINARY_DIR}/pdf" )
+ set ( TEXT_DOC_TMP "${CMAKE_CURRENT_BINARY_DIR}/text" )
- add_custom_command (
- OUTPUT "${PDF_DOC_TMP}/"
- COMMAND mkdir -p ${PDF_DOC_TMP}
- )
+ add_custom_command (
+ OUTPUT "${TEXT_DOC_TMP}/"
+ COMMAND mkdir -p ${TEXT_DOC_TMP}
+ )
- add_custom_command (
- OUTPUT snort_manual.pdf
- COMMAND cp ${LIST_DIR_SOURCES} ${BINARY_DIR_BUILT_SOURCES} .
- COMMAND ${ASCIIDOC_A2X_EXE} ${PDF_A2X_ARGS} snort_manual.txt
- COMMAND cp snort_manual.pdf ..
- DEPENDS all_built_sources "${PDF_DOC_TMP}/"
- WORKING_DIRECTORY ${PDF_DOC_TMP}
- COMMENT "Documents: building snort_manual.pdf"
- )
+ add_custom_command (
+ OUTPUT snort_manual.text
+ COMMAND cp ${LIST_DIR_SOURCES} ${BINARY_DIR_BUILT_SOURCES} .
+ COMMAND ${ASCIIDOC_A2X_EXE} ${TEXT_A2X_ARGS} snort_manual.txt
+ COMMAND cp snort_manual.text ..
+ DEPENDS all_built_sources "${TEXT_DOC_TMP}/"
+ WORKING_DIRECTORY ${TEXT_DOC_TMP}
+ COMMENT "Documents: building snort_manual.text"
+ )
- add_custom_target (
- snort_manual_pdf
- COMMAND rm -rf ${PDF_DOC_TMP}
- DEPENDS snort_manual.pdf
- )
+ add_custom_target (
+ text
+ COMMAND rm -rf ${TEXT_DOC_TMP}
+ DEPENDS snort_manual.text
+ )
- add_dependencies ( snort_manuals snort_manual_pdf )
+ list (
+ APPEND
+ EXTRA_CLEAN
+ "${CMAKE_CURRENT_BINARY_DIR}/snort_manual.text"
+ )
+endif ( MAKE_TEXT_DOC )
- list ( APPEND BUILT_DIST "${CMAKE_CURRENT_BINARY_DIR}/snort_manual.pdf" )
+if ( MAKE_PDF_DOC )
+ set (
+ PDF_A2X_ARGS
+ --format=pdf
+ --attribute=imagesdir=.
+ )
- list (
- APPEND
- EXTRA_CLEAN
- "${CMAKE_CURRENT_BINARY_DIR}/snort_manual.pdf"
- )
- endif ( MAKE_PDF_DOC )
+ set ( PDF_DOC_TMP "${CMAKE_CURRENT_BINARY_DIR}/pdf" )
+ add_custom_command (
+ OUTPUT "${PDF_DOC_TMP}/"
+ COMMAND mkdir -p ${PDF_DOC_TMP}
+ )
- if ( MAKE_HTML_DOC )
- install (
- DIRECTORY
- "${CMAKE_CURRENT_BINARY_DIR}/snort_manual.chunked/"
- DESTINATION
- "${SNORT_DATA_DIR}/snort_manual.chunked"
- )
- endif ( MAKE_HTML_DOC )
+ add_custom_command (
+ OUTPUT snort_manual.pdf
+ COMMAND cp ${LIST_DIR_SOURCES} ${BINARY_DIR_BUILT_SOURCES} .
+ COMMAND ${ASCIIDOC_A2X_EXE} ${PDF_A2X_ARGS} snort_manual.txt
+ COMMAND cp snort_manual.pdf ..
+ DEPENDS all_built_sources "${PDF_DOC_TMP}/"
+ WORKING_DIRECTORY ${PDF_DOC_TMP}
+ COMMENT "Documents: building snort_manual.pdf"
+ )
- install (
- FILES
- ${BUILT_DIST}
- DESTINATION
- ${SNORT_DATA_DIR}
+ add_custom_target (
+ pdf
+ COMMAND rm -rf ${PDF_DOC_TMP}
+ DEPENDS snort_manual.pdf
)
- set (
+ list (
+ APPEND
EXTRA_CLEAN
- ${EXTRA_CLEAN}
- ${BINARY_DIR_BUILT_SOURCES}
- ${BINARY_DIR_UNBUILT_SOURCES}
+ "${CMAKE_CURRENT_BINARY_DIR}/snort_manual.pdf"
)
-endif ( MAKE_HTML_DOC OR MAKE_TEXT_DOC OR MAKE_PDF_DOC )
+endif ( MAKE_PDF_DOC )
+
+install (
+ FILES
+ ${BUILT_DIST}
+ ${UNBUILT_SOURCES}
+ DESTINATION
+ ${SNORT_DATA_DIR}
+)
+
+set (
+ EXTRA_CLEAN
+ ${EXTRA_CLEAN}
+ ${BINARY_DIR_BUILT_SOURCES}
+ ${BINARY_DIR_UNBUILT_SOURCES}
+)
if ( EXTRA_CLEAN )
set_property (
ADDITIONAL_MAKE_CLEAN_FILES ${EXTRA_CLEAN}
)
endif ( EXTRA_CLEAN )
+
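Review bot: The `elseif ( RUBY_EXECUTABLE )` at L161 repeats the condition of the `if` at L143, so that branch is dead: when Ruby is not found, config_changes.txt is neither generated nor appended to UNBUILT_SOURCES, and the `cp ${LIST_DIR_SOURCES} …` steps at L243, L262, L358 and L410 will not pick up any checked-in copy; it should read `else ()`. The defect is carried over from the removed block (L82) rather than introduced here, but moving it is the moment to fix it. Also worth confirming: with the `list ( APPEND BUILT_DIST …/snort_manual.* )` lines and the chunked `install ( DIRECTORY … )` gone, the new unconditional `install ( FILES ${BUILT_DIST} ${UNBUILT_SOURCES} … )` at L439 installs the source-tree copies of snort_manual.html/.pdf/.text added at L13-L15 and never the ones the `html`/`text`/`pdf` targets just wrote to the binary dir — fine if the intent is to commit regenerated manuals, surprising otherwise. BUILT_DIST at L197 also reads BINARY_DIR_UNBUILT_SOURCES before L287-L293 populates it, so that half of the list is always empty at that point.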
$(BUILT_SOURCES)
EXTRA_DIST = \
-default_snort_manual.text \
-default_snort_manual.html \
-default_snort_manual.pdf \
+snort_manual.text \
+snort_manual.html \
+snort_manual.pdf \
online_manual.sh \
dev_guide.sh
snort_manual.pdf
dist_doc_DATA = \
-$(all_sources)
+$(unbuilt_sources)
snort = $(top_builddir)/src/snort
snort2lua = $(top_builddir)/tools/snort2lua/snort2lua
# asciidoc.css doesn't seem to work with -a linkcss asciidoc native html
# generation; buggy passthru of base64 data.
if MAKE_HTML_DOC
-snort_manual.html: $(all_sources)
+html: $(all_sources)
a2x -f chunked $(html_args) $(snort_src)
tar zcf snort_manual.tgz snort_manual.chunked
asciidoc -b xhtml11 -a toc2 -a icons -a imagesdir=. $(snort_src)
-else
-snort_manual.html: default_snort_manual.html
- cp $< $@
endif
-# a2x generates an intermediate xml file unconditionally and always places
-# it in this dir even if the output is put elsewhere, which breaks parallel
-# builds. hence we just build all sequentially, which is why dependencies
-# are: text depends on pdf depends on html.
if MAKE_PDF_DOC
-snort_manual.pdf: $(all_sources) snort_manual.html
+pdf: $(all_sources)
a2x -f pdf $(pdf_args) $(snort_src)
-else
-snort_manual.pdf: default_snort_manual.pdf snort_manual.html
- cp $< $@
endif
if MAKE_TEXT_DOC
-snort_manual.text: $(all_sources) snort_manual.pdf
+text: $(all_sources)
a2x -f text $(snort_src)
-else
-snort_manual.text: default_snort_manual.text snort_manual.pdf
- cp $< $@
endif
+if MAKE_HTML_DOC
# autotools makes doesn't seem to like directory targets, especially ones
# with an unspecified set of files. to avoid these issues, we generate
# a tarball and then explode that upon install with a hook. note that
# there is no default for chunked.
-if MAKE_HTML_DOC
-install-data-hook:
- tar zxf $(builddir)/snort_manual.tgz -C $(DESTDIR)$(docdir)/
-
-uninstall-hook:
- rm -rf $(DESTDIR)$(docdir)/snort_manual.chunked
+#
+# after changing the target from all to html, exploding the tarball must
+# be conditional, but install fails with this hook:
+#
+#install-data-hook:
+# [ -e $(builddir)/snort_manual.tgz ] && \
+# tar zxf $(builddir)/snort_manual.tgz -C $(DESTDIR)$(docdir)/
+#
+#uninstall-hook:
+# rm -rf $(DESTDIR)$(docdir)/snort_manual.chunked
snort_online.html: $(all_sources)
$(srcdir)/online_manual.sh
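Review bot: The hook commented out at L518-L527 fails because `[ -e … ] && tar …` exits non-zero when the tarball is absent and make treats that as a recipe failure; written as `if test -e …; then tar …; fi` the status is zero either way, so both hooks can be restored instead of dropped. As the hunk stands, an autotools build with MAKE_HTML_DOC still produces snort_manual.tgz (L481) but never installs snort_manual.chunked, and `make uninstall` no longer removes a previously installed copy. Note too that `html`, `pdf` and `text` (L479, L493, L501) are not files, so they should be declared `.PHONY`; otherwise a stray file of that name in the build dir satisfies the rule and the docs are silently not rebuilt. The `if MAKE_HTML_DOC` opened at L507 closes outside the hunk.
```makefile
.PHONY: html pdf text

install-data-hook:
	if test -e $(builddir)/snort_manual.tgz; then \
	    tar zxf $(builddir)/snort_manual.tgz -C $(DESTDIR)$(docdir)/; \
	fi

uninstall-hook:
	rm -rf $(DESTDIR)$(docdir)/snort_manual.chunked
# … unchanged: snort_online.html rule …
```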
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">\r
<head>\r
<meta http-equiv="Content-Type" content="application/xhtml+xml; charset=UTF-8" />\r
-<meta name="generator" content="AsciiDoc 8.6.9" />\r
+<meta name="generator" content="AsciiDoc 8.6.8" />\r
<title>Snort++ User Manual</title>\r
<style type="text/css">\r
/* Shared CSS for AsciiDoc xhtml11 and html5 backends */\r
padding: 0;\r
margin: 0;\r
}\r
-pre {\r
- white-space: pre-wrap;\r
-}\r
+\r
\r
#author {\r
color: #527bbd;\r
}\r
\r
div.imageblock div.content { padding-left: 0; }\r
-span.image img { border-style: none; vertical-align: text-bottom; }\r
+span.image img { border-style: none; }\r
a.image:visited { color: white; }\r
\r
dl {\r
<div class="sect2">\r
<h3 id="_new_http_inspector">New Http Inspector</h3>\r
<div class="paragraph"><p>One of the major undertakings for Snort 3.0 is developing a completely new\r
-HTTP inspector. You can configure it by adding:</p></div>\r
+HTTP inspector. It is incomplete right now but you can examine the\r
+work-in-progress. You can configure it by adding:</p></div>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>http_inspect = {}</code></pre>\r
+<pre><code>new_http_inspect = {}</code></pre>\r
</div></div>\r
<div class="paragraph"><p>to your snort.lua configuration file. Or you can read it in the source code\r
-under src/service_inspectors/http_inspect.</p></div>\r
-<div class="paragraph"><p>The classic HTTP preprocessor is still available in the alpha release under\r
-extra. It has been renamed http_server. Be sure not to configure both old\r
-and new HTTP inspectors at the same time.</p></div>\r
+under src/service_inspectors/nhttp_inspect.</p></div>\r
+<div class="paragraph"><p>The classic HTTP preprocessor is still available in the alpha release as\r
+http_inspect. It’s probably the better choice for now if you just want to\r
+do some work and do not feel like experimenting. Be sure not to configure\r
+ both old and new HTTP inspectors at the same time.</p></div>\r
<div class="paragraph"><p>So why a new HTTP inspector?</p></div>\r
<div class="paragraph"><p>For starters it is object-oriented. That’s good for us because we maintain\r
this software. But it should also be really nice for open-source\r
the new HTTP inspector’s knowledge of HTTP is centralized in a series of\r
tables where it can be easily reviewed and modified. Many significant\r
changes can be made just by updating these tables.</p></div>\r
-<div class="paragraph"><p>Http_inspect is the first inspector written specifically for the new\r
+<div class="paragraph"><p>New_http_inspect is the first inspector written specifically for the new\r
Snort 3.0 architecture. That provides access to one of the very best\r
-features of Snort 3.0: purely PDU-based inspection. The classic preprocessor\r
+features of Snort 3.0: purely PDU-based inspection. Classic http_inspect\r
processes HTTP messages, but even while doing so it is constantly aware of\r
IP packets and how they divide up the TCP data stream. The same HTTP\r
message might be processed differently depending on how the sender (bad\r
guy) divided it up into IP packets.</p></div>\r
-<div class="paragraph"><p>Http_inspect is free of this burden and can focus exclusively on HTTP.\r
-That makes it much simpler, easier to test, and less prone to false\r
+<div class="paragraph"><p>New_http_inspect is free of this burden and can focus exclusively on HTTP.\r
+That makes it much more simple, easier to test, and less prone to false\r
positives. It also greatly reduces the opportunity for adversaries to probe\r
the inspector for weak spots by adjusting packet boundaries to disguise bad\r
behavior.</p></div>\r
<div class="paragraph"><p>Dealing solely with HTTP messages also opens the door for developing major\r
-new features. The http_inspect design supports true stateful\r
+new features. The new_http_inspect design supports true stateful\r
processing. Want to ask questions that involve both the client request and\r
the server response? Or different requests in the same session? These\r
things are possible.</p></div>\r
HTTP/1.1, but rather a separate protocol layer that runs under HTTP/1.1 and\r
on top of TLS or TCP. It’s a perfect fit for the new Snort 3.0 architecture\r
because a new HTTP/2 inspector would naturally output HTTP/1.1 messages but\r
-not any underlying packets. Exactly what http_inspect wants to input.</p></div>\r
-<div class="paragraph"><p>Http_inspect is taking a very different approach to HTTP header fields.\r
-The classic preprocessor divides all the HTTP headers following the start line\r
+not any underlying packets. Exactly what the new_http_inspect wants to\r
+input.</p></div>\r
+<div class="paragraph"><p>New_http_inspect is taking a very different approach to HTTP header fields.\r
+Classic http_inspect divides all the HTTP headers following the start line\r
into cookies and everything else. It normalizes the two pieces using a\r
generic process and puts them in buffers that one can write rules against.\r
There is some limited support for examining individual headers within the\r
</div>\r
<div class="sect2">\r
<h3 id="_binder_and_wizard">Binder and Wizard</h3>\r
-<div class="paragraph"><p>One of the fundamental differences between Snort and Snort++ concerns configuration\r
-related to networks and ports. Here is a brief review of Snort’s configuration for\r
-network and service related components:</p></div>\r
+<div class="paragraph"><p>One of the fundamental differences between Snort and Snort++ concerns configuration related to networks and ports. Here is a brief review of Snort’s configuration for network and service related components:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:472</strong> (decode) too many protocols present\r
+<strong>116:468</strong> (decode) too many protocols present\r
</p>\r
</li>\r
</ul></div>\r
string <strong>side_channel.connectors[].connector</strong>: connector handle\r
</p>\r
</li>\r
-<li>\r
-<p>\r
-string <strong>side_channel.connector</strong>: connector handle\r
-</p>\r
-</li>\r
</ul></div>\r
<div class="paragraph"><p>Peg counts:</p></div>\r
</div>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_ciscometadata">ciscometadata</h3>\r
-<div class="paragraph"><p>What: support for cisco metadata</p></div>\r
-<div class="paragraph"><p>Type: codec</p></div>\r
-<div class="paragraph"><p>Rules:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>116:468</strong> (ciscometadata) truncated Cisco Metadata header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:469</strong> (ciscometadata) invalid Cisco Metadata option length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:470</strong> (ciscometadata) invalid Cisco Metadata option type\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:471</strong> (ciscometadata) invalid Cisco Metadata SGT\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect2">\r
<h3 id="_erspan2">erspan2</h3>\r
<div class="paragraph"><p>What: support for encapsulated remote switched port analyzer - type 2</p></div>\r
<div class="paragraph"><p>Type: codec</p></div>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.rsync_flows</strong>: count of rsync service flows discovered by appid\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>appid.smtp_flows</strong>: count of smtp flows discovered by appid\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.normalize_utf</strong> = true: normalize charset utf encodings\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
bit_list <strong>http_inspect.bad_characters</strong>: alert when any of specified bytes are present in URI after percent decoding { 255 }\r
</p>\r
</li>\r
<strong>119:75</strong> (http_inspect) Misformatted HTTP traffic\r
</p>\r
</li>\r
-<li>\r
-<p>\r
-<strong>119:76</strong> (http_inspect) Unsupported Transfer-Encoding or Content-Encoding used\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:77</strong> (http_inspect) Unknown Transfer-Encoding or Content-Encoding used\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:78</strong> (http_inspect) Multiple layers of compression encodings applied\r
-</p>\r
-</li>\r
</ul></div>\r
<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>rpc.~app</strong>: application number\r
+string <strong>rpc.~app</strong>: application number\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>rpc.ver</strong>: version number or * for any\r
+string <strong>rpc.~ver</strong>: version number or * for any\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>rpc.proc</strong>: procedure number or * for any\r
+string <strong>rpc.~proc</strong>: procedure number or * for any\r
</p>\r
</li>\r
</ul></div>\r
<div class="content">\r
<pre><code>snort --help-config http_inspect | grep http_inspect.profile</code></pre>\r
</div></div>\r
+<div class="paragraph"><p>The new Http Inspect (new_http_inspect) implementation of config options is\r
+still under development.</p></div>\r
</div>\r
</div>\r
</div>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.normalize_utf</strong> = true: normalize charset utf encodings\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>http_inspect.oversize_dir_length</strong> = 300: maximum length for URL directory { 1:65535 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>rpc.~app</strong>: application number\r
+string <strong>rpc.~app</strong>: application number\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>rpc.proc</strong>: procedure number or * for any\r
+string <strong>rpc.~proc</strong>: procedure number or * for any\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>rpc.ver</strong>: version number or * for any\r
+string <strong>rpc.~ver</strong>: version number or * for any\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>side_channel.connector</strong>: connector handle\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
string <strong>side_channel.connectors[].connector</strong>: connector handle\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-string <strong>tcp_connector.address</strong>: address\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-port <strong>tcp_connector.base_port</strong>: base port number\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>tcp_connector.connector</strong>: connector name\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>tcp_connector.setup</strong>: stream establishment { call | answer }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>telnet.ayt_attack_thresh</strong> = -1: alert on this number of consecutive telnet AYT commands { -1: }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.rsync_flows</strong>: count of rsync service flows discovered by appid\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>appid.smtp_flows</strong>: count of smtp flows discovered by appid\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>tcp_connector.messages</strong>: total messages\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>telnet.packets</strong>: total packets\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>116</strong>: ciscometadata\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>116</strong>: decode\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>116:468</strong> (ciscometadata) truncated Cisco Metadata header\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:469</strong> (ciscometadata) invalid Cisco Metadata option length\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:470</strong> (ciscometadata) invalid Cisco Metadata option type\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:471</strong> (ciscometadata) invalid Cisco Metadata SGT\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>116:472</strong> (decode) too many protocols present\r
+<strong>116:468</strong> (decode) too many protocols present\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>119:76</strong> (http_inspect) Unsupported Transfer-Encoding or Content-Encoding used\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:77</strong> (http_inspect) Unknown Transfer-Encoding or Content-Encoding used\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>119:78</strong> (http_inspect) Multiple layers of compression encodings applied\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>122:1</strong> (port_scan) TCP portscan\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>ciscometadata</strong> (codec): support for cisco metadata\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>classifications</strong> (basic): define rule categories with priority\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>tcp_connector</strong> (connector): implement the tcp stream connector\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>telnet</strong> (inspector): telnet inspection and normalization\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>codec::ciscometadata</strong>: support for cisco metadata\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>codec::erspan2</strong>: support for encapsulated remote switched port analyzer - type 2\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>connector::tcp_connector</strong>: implement the tcp stream connector\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>inspector::appid</strong>: application and service identification\r
</p>\r
</li>\r
<div id="footnotes"><hr /></div>\r
<div id="footer">\r
<div id="footer-text">\r
-Last updated\r
- 2015-08-03 17:17:47 EDT\r
+Last updated 2016-08-11 02:38:58 EDT\r
</div>\r
</div>\r
</body>\r
5.4. binder
5.5. dce_smb
5.6. dce_tcp
- 5.7. dnp3
- 5.8. dns
- 5.9. file_log
- 5.10. ftp_client
- 5.11. ftp_data
- 5.12. ftp_server
- 5.13. gtp_inspect
- 5.14. http_inspect
- 5.15. imap
- 5.16. modbus
- 5.17. normalizer
- 5.18. packet_capture
- 5.19. perf_monitor
- 5.20. pop
- 5.21. port_scan
- 5.22. port_scan_global
- 5.23. reputation
- 5.24. rpc_decode
- 5.25. sip
- 5.26. smtp
- 5.27. ssh
- 5.28. ssl
- 5.29. stream
- 5.30. stream_file
- 5.31. stream_icmp
- 5.32. stream_ip
- 5.33. stream_tcp
- 5.34. stream_udp
- 5.35. stream_user
- 5.36. telnet
- 5.37. wizard
+ 5.7. dce_udp
+ 5.8. dnp3
+ 5.9. dns
+ 5.10. file_log
+ 5.11. ftp_client
+ 5.12. ftp_data
+ 5.13. ftp_server
+ 5.14. gtp_inspect
+ 5.15. http_inspect
+ 5.16. imap
+ 5.17. modbus
+ 5.18. normalizer
+ 5.19. packet_capture
+ 5.20. perf_monitor
+ 5.21. pop
+ 5.22. port_scan
+ 5.23. port_scan_global
+ 5.24. reputation
+ 5.25. rpc_decode
+ 5.26. sip
+ 5.27. smtp
+ 5.28. ssh
+ 5.29. ssl
+ 5.30. stream
+ 5.31. stream_file
+ 5.32. stream_icmp
+ 5.33. stream_ip
+ 5.34. stream_tcp
+ 5.35. stream_udp
+ 5.36. stream_user
+ 5.37. telnet
+ 5.38. wizard
6. IPS Action Modules
Snorty
,,_ -*> Snort++ <*-
-o" )~ Version 3.0.0-a4 (Build 206) from 2.9.7-262
+o" )~ Version 3.0.0-a4 (Build 213) from 2.9.7-262
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.
less than this { 0: }
* int file_id.capture_block_size = 32768: file capture block size
in bytes { 8: }
+ * int file_id.max_files_cached = 65536: maximal number of files
+ cached in memory { 8: }
* bool file_id.enable_type = false: enable type ID
* bool file_id.enable_signature = false: enable signature
calculation
Peg counts:
- * latency.total_packets: total packets monitored
- * latency.packet_timeouts: packets that timed out
- * latency.total_rule_evals: total rule evals monitored
- * latency.rule_eval_timeouts: rule evals that timed out
- * latency.rule_tree_enables: rule tree re-enables
+ * latency.total packets: total packets monitored
+ * latency.total usecs: total usecs elapsed
+ * latency.max usecs: maximum usecs elapsed
+ * latency.packet timeouts: packets that timed out
+ * latency.total rule evals: total rule evals monitored
+ * latency.rule eval timeouts: rule evals that timed out
+ * latency.rule tree enables: rule tree re-enables
3.17. memory
* implied snort.-V: (same as --version)
* implied snort.-v: be verbose
* implied snort.-W: lists available interfaces
- * implied snort.-w: dump 802.11 management and control frames
* implied snort.-X: dump the raw packet data starting at the link
layer
* implied snort.-x: same as --pedantic
Peg counts:
- * appid.packets: count of packets processed by appid
+ * appid.packets: count of packets received by appid inspector
+ * appid.processed packets: count of packets processed by appid
+ inspector
+ * appid.ignored packets: count of packets ignored by appid
+ inspector
* appid.battlefield_flows: count of battle field flows discovered
by appid
* appid.bgp_flows: count of bgp flows discovered by appid
* appid.pop_flows: count of pop service flows discovered by appid
* appid.rsync_flows: count of rsync service flows discovered by
appid
+ * appid.smtp_aol_clients: count of AOL smtp clients discovered by
+ appid
+ * appid.smtp_applemail_clients: count of Apple Mail smtp clients
+ discovered by appid
+ * appid.smtp_eudora_clients: count of Eudora smtp clients
+ discovered by appid
+ * appid.smtp_eudora_pro_clients: count of Eudora Pro smtp clients
+ discovered by appid
+ * appid.smtp_evolution_clients: count of Evolution smtp clients
+ discovered by appid
+ * appid.smtp_kmail_clients: count of KMail smtp clients discovered
+ by appid
+ * appid.smtp_lotus_notes_clients: count of Lotus Notes smtp clients
+ discovered by appid
+ * appid.smtp_microsoft_outlook_clients: count of Microsoft Outlook
+ smtp clients discovered by appid
+ * appid.smtp_microsoft_outlook_express_clients: count of Microsoft
+ Outlook Express smtp clients discovered by appid
+ * appid.smtp_microsoft_outlook_imo_clients: count of Microsoft
+ Outlook IMO smtp clients discovered by appid
+ * appid.smtp_mutt_clients: count of Mutt smtp clients discovered by
+ appid
+ * appid.smtp_thunderbird_clients: count of Thunderbird smtp clients
+ discovered by appid
* appid.smtp_flows: count of smtp flows discovered by appid
* appid.smtps_flows: count of smtps flows discovered by appid
* appid.ssh_clients: count of ssh clients discovered by appid
* int dce_smb.smb_file_depth = 16384: SMB file depth for file data
{ -1: }
* string dce_smb.smb_invalid_shares: SMB shares to alert on
+ * bool dce_smb.smb_legacy_mode = false: inspect only SMBv1
Rules:
negotiations on session.
* 133:57 (dce_smb) SMB - Client attempted to create or set a file’s
attributes to readonly/hidden/system.
+ * 133:58 (dce_smb) SMB - File offset provided is greater than file
+ size specified
+ * 133:59 (dce_smb) SMB - Next command specified in SMB2 header is
+ beyond payload boundary
Peg counts:
server fragments reassembled
* dce_smb.Sessions: total smb sessions
* dce_smb.Packets: total smb packets
+ * dce_smb.Ignored bytes: total ignored bytes
* dce_smb.Client segs reassembled: total smb client segments
reassembled
* dce_smb.Server segs reassembled: total smb server segments
* dce_smb.Max outstanding requests: total smb maximum outstanding
requests
* dce_smb.Files processed: total smb files processed
+ * dce_smb.SMBv2 create: total number of SMBv2 create packets seen
+ * dce_smb.SMBv2 write: total number of SMBv2 write packets seen
+ * dce_smb.SMBv2 read: total number of SMBv2 read packets seen
+ * dce_smb.SMBv2 set info: total number of SMBv2 set info packets
+ seen
+ * dce_smb.SMBv2 tree connect: total number of SMBv2 tree connect
+ packets seen
+ * dce_smb.SMBv2 tree disconnect: total number of SMBv2 tree
+ disconnect packets seen
+ * dce_smb.SMBv2 close: total number of SMBv2 close packets seen
5.6. dce_tcp
* dce_tcp.tcp packets: total tcp packets
-5.7. dnp3
+5.7. dce_udp
+
+--------------
+
+What: dce over udp inspection
+
+Type: inspector
+
+Configuration:
+
+ * bool dce_udp.disable_defrag = false: Disable DCE/RPC
+ defragmentation
+ * int dce_udp.max_frag_len = 65535: Maximum fragment size for
+ defragmentation { 1514:65535 }
+
+Rules:
+
+ * 133:40 (dce_udp) Connection-less DCE/RPC - Invalid major version.
+ * 133:41 (dce_udp) Connection-less DCE/RPC - Invalid pdu type.
+ * 133:42 (dce_udp) Connection-less DCE/RPC - Data length less than
+ header size.
+ * 133:43 (dce_udp) Connection-less DCE/RPC - Bad sequence number.
+
+Peg counts:
+
+ * dce_udp.events: total events
+ * dce_udp.aborted sessions: total aborted sessions
+ * dce_udp.bad autodetects: total bad autodetects
+ * dce_udp.udp sessions: total udp sessions
+ * dce_udp.udp packets: total udp packets
+ * dce_udp.Requests: total connection-less requests
+ * dce_udp.Acks: total connection-less acks
+ * dce_udp.Cancels: total connection-less cancels
+ * dce_udp.Client facks: total connection-less client facks
+ * dce_udp.Ping: total connection-less ping
+ * dce_udp.Responses: total connection-less responses
+ * dce_udp.Rejects: total connection-less rejects
+ * dce_udp.Cancel acks: total connection-less cancel acks
+ * dce_udp.Server facks: total connection-less server facks
+ * dce_udp.Faults: total connection-less faults
+ * dce_udp.No calls: total connection-less no calls
+ * dce_udp.Working: total connection-less working
+ * dce_udp.Other requests: total connection-less other requests
+ * dce_udp.Other responses: total connection-less other responses
+ * dce_udp.Fragments: total connection-less fragments
+ * dce_udp.Max fragment size: connection-less maximum fragment size
+ * dce_udp.Frags reassembled: total connection-less fragments
+ reassembled
+ * dce_udp.Max seqnum: max connection-less seqnum
+
+
+5.8. dnp3
--------------
* dnp3.dnp3 application pdus: total dnp3 application pdus
-5.8. dns
+5.9. dns
--------------
* dns.responses: total dns responses
-5.9. file_log
+5.10. file_log
--------------
* file_log.total events: total file events
-5.10. ftp_client
+5.11. ftp_client
--------------
sequences on ftp control channel
-5.11. ftp_data
+5.12. ftp_data
--------------
* ftp_data.packets: total packets
-5.12. ftp_server
+5.13. ftp_server
--------------
* ftp_server.packets: total packets
-5.13. gtp_inspect
+5.14. gtp_inspect
--------------
* gtp_inspect.unknown infos: unknown information elements
-5.14. http_inspect
+5.15. http_inspect
--------------
* http_inspect.URI coding: URIs with character coding problems
-5.15. imap
+5.16. imap
--------------
* imap.non-encoded bytes: total non-encoded extracted bytes
-5.16. modbus
+5.17. modbus
--------------
* modbus.frames: total Modbus messages
-5.17. normalizer
+5.18. normalizer
--------------
* normalizer.test tcp block: test blocked segments
-5.18. packet_capture
+5.19. packet_capture
--------------
filter
-5.19. perf_monitor
+5.20. perf_monitor
--------------
* perf_monitor.packets: total packets
-5.20. pop
+5.21. pop
--------------
* pop.non-encoded bytes: total non-encoded extracted bytes
-5.21. port_scan
+5.22. port_scan
--------------
* 122:27 (port_scan) open port
-5.22. port_scan_global
+5.23. port_scan_global
--------------
* port_scan_global.packets: total packets
-5.23. reputation
+5.24. reputation
--------------
* reputation.memory_allocated: total memory allocated
-5.24. rpc_decode
+5.25. rpc_decode
--------------
* rpc_decode.packets: total packets
-5.25. sip
+5.26. sip
--------------
* sip.9xx: 9xx
-5.26. smtp
+5.27. smtp
--------------
* smtp.non-encoded bytes: total non-encoded extracted bytes
-5.27. ssh
+5.28. ssh
--------------
* ssh.packets: total packets
-5.28. ssl
+5.29. ssl
--------------
* ssl.detection disabled: total detection disabled
-5.29. stream
+5.30. stream
--------------
Configuration:
+ * bool stream.ip_frags_only = false: don’t process non-frag flows
* int stream.ip_cache.max_sessions = 16384: maximum simultaneous
sessions tracked before pruning { 2: }
* int stream.ip_cache.pruning_timeout = 30: minimum inactive time
before being eligible for pruning { 1: }
* int stream.ip_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1: }
- * int stream.ip_cache.cleanup_pct = 5: percent of cache to clean
- when max_sessions is reached { 1:100 }
- * int stream.icmp_cache.max_sessions = 32768: maximum simultaneous
+ * int stream.icmp_cache.max_sessions = 65536: maximum simultaneous
sessions tracked before pruning { 2: }
* int stream.icmp_cache.pruning_timeout = 30: minimum inactive time
before being eligible for pruning { 1: }
* int stream.icmp_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1: }
- * int stream.icmp_cache.cleanup_pct = 5: percent of cache to clean
- when max_sessions is reached { 1:100 }
- * int stream.tcp_cache.max_sessions = 131072: maximum simultaneous
+ * int stream.tcp_cache.max_sessions = 262144: maximum simultaneous
sessions tracked before pruning { 2: }
* int stream.tcp_cache.pruning_timeout = 30: minimum inactive time
before being eligible for pruning { 1: }
* int stream.tcp_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1: }
- * int stream.tcp_cache.cleanup_pct = 5: percent of cache to clean
- when max_sessions is reached { 1:100 }
- * int stream.udp_cache.max_sessions = 65536: maximum simultaneous
+ * int stream.udp_cache.max_sessions = 131072: maximum simultaneous
sessions tracked before pruning { 2: }
* int stream.udp_cache.pruning_timeout = 30: minimum inactive time
before being eligible for pruning { 1: }
* int stream.udp_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1: }
- * int stream.udp_cache.cleanup_pct = 5: percent of cache to clean
- when max_sessions is reached { 1:100 }
* int stream.user_cache.max_sessions = 1024: maximum simultaneous
sessions tracked before pruning { 2: }
* int stream.user_cache.pruning_timeout = 30: minimum inactive time
before being eligible for pruning { 1: }
* int stream.user_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1: }
- * int stream.user_cache.cleanup_pct = 5: percent of cache to clean
- when max_sessions is reached { 1:100 }
* int stream.file_cache.max_sessions = 128: maximum simultaneous
sessions tracked before pruning { 2: }
* int stream.file_cache.pruning_timeout = 30: minimum inactive time
before being eligible for pruning { 1: }
* int stream.file_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1: }
- * int stream.file_cache.cleanup_pct = 5: percent of cache to clean
- when max_sessions is reached { 1:100 }
Peg counts:
* stream.ip flows: total ip sessions
* stream.ip total prunes: total ip sessions pruned
- * stream.ip timeout prunes: ip sessions pruned due to timeout
+ * stream.ip idle prunes: ip sessions pruned due to timeout
* stream.ip excess prunes: ip sessions pruned due to excess
* stream.ip uni prunes: ip uni sessions pruned
* stream.ip preemptive prunes: ip sessions pruned during preemptive
pruning
* stream.ip memcap prunes: ip sessions pruned due to memcap
- * stream.ip user prunes: ip sessions pruned for other reasons
+ * stream.ip ha prunes: ip sessions pruned by high availability sync
* stream.icmp flows: total icmp sessions
* stream.icmp total prunes: total icmp sessions pruned
- * stream.icmp timeout prunes: icmp sessions pruned due to timeout
+ * stream.icmp idle prunes: icmp sessions pruned due to timeout
* stream.icmp excess prunes: icmp sessions pruned due to excess
* stream.icmp uni prunes: icmp uni sessions pruned
* stream.icmp preemptive prunes: icmp sessions pruned during
preemptive pruning
* stream.icmp memcap prunes: icmp sessions pruned due to memcap
- * stream.icmp user prunes: icmp sessions pruned for other reasons
+ * stream.icmp ha prunes: icmp sessions pruned by high availability
+ sync
* stream.tcp flows: total tcp sessions
* stream.tcp total prunes: total tcp sessions pruned
- * stream.tcp timeout prunes: tcp sessions pruned due to timeout
+ * stream.tcp idle prunes: tcp sessions pruned due to timeout
* stream.tcp excess prunes: tcp sessions pruned due to excess
* stream.tcp uni prunes: tcp uni sessions pruned
* stream.tcp preemptive prunes: tcp sessions pruned during
preemptive pruning
* stream.tcp memcap prunes: tcp sessions pruned due to memcap
- * stream.tcp user prunes: tcp sessions pruned for other reasons
+ * stream.tcp ha prunes: tcp sessions pruned by high availability
+ sync
* stream.udp flows: total udp sessions
* stream.udp total prunes: total udp sessions pruned
- * stream.udp timeout prunes: udp sessions pruned due to timeout
+ * stream.udp idle prunes: udp sessions pruned due to timeout
* stream.udp excess prunes: udp sessions pruned due to excess
* stream.udp uni prunes: udp uni sessions pruned
* stream.udp preemptive prunes: udp sessions pruned during
preemptive pruning
* stream.udp memcap prunes: udp sessions pruned due to memcap
- * stream.udp user prunes: udp sessions pruned for other reasons
+ * stream.udp ha prunes: udp sessions pruned by high availability
+ sync
* stream.user flows: total user sessions
* stream.user total prunes: total user sessions pruned
- * stream.user timeout prunes: user sessions pruned due to timeout
+ * stream.user idle prunes: user sessions pruned due to timeout
* stream.user excess prunes: user sessions pruned due to excess
* stream.user uni prunes: user uni sessions pruned
* stream.user preemptive prunes: user sessions pruned during
preemptive pruning
* stream.user memcap prunes: user sessions pruned due to memcap
- * stream.user user prunes: user sessions pruned for other reasons
+ * stream.user ha prunes: user sessions pruned by high availability
+ sync
* stream.file flows: total file sessions
* stream.file total prunes: total file sessions pruned
- * stream.file timeout prunes: file sessions pruned due to timeout
+ * stream.file idle prunes: file sessions pruned due to timeout
* stream.file excess prunes: file sessions pruned due to excess
* stream.file uni prunes: file uni sessions pruned
* stream.file preemptive prunes: file sessions pruned during
preemptive pruning
* stream.file memcap prunes: file sessions pruned due to memcap
- * stream.file user prunes: file sessions pruned for other reasons
+ * stream.file ha prunes: file sessions pruned by high availability
+ sync
-5.30. stream_file
+5.31. stream_file
--------------
* bool stream_file.upload = false: indicate file transfer direction
-5.31. stream_icmp
+5.32. stream_icmp
--------------
* stream_icmp.prunes: icmp session prunes
-5.32. stream_ip
+5.33. stream_ip
--------------
* stream_ip.released: ip session trackers released
* stream_ip.timeouts: ip session timeouts
* stream_ip.prunes: ip session prunes
- * stream_ip.total: total fragments
- * stream_ip.current: current fragments
+ * stream_ip.total frags: total fragments
+ * stream_ip.current frags: current fragments
* stream_ip.max frags: max fragments
* stream_ip.reassembled: reassembled datagrams
* stream_ip.discards: fragments discarded
* stream_ip.fragmented bytes: total fragmented bytes
-5.33. stream_tcp
+5.34. stream_tcp
--------------
* stream_tcp.closing: number of sessions currently closing
-5.34. stream_udp
+5.35. stream_udp
--------------
* stream_udp.prunes: udp session prunes
-5.35. stream_user
+5.36. stream_user
--------------
1:86400 }
-5.36. telnet
+5.37. telnet
--------------
* telnet.packets: total packets
-5.37. wizard
+5.38. wizard
--------------
* The goal is to have highly readable class declarations. The user
shouldn’t have to sift through implementation details to see what
is available to the client.
+ * Any using statements in source files should be added only after
+ all includes have been declared.
15.3. Naming
WhizBangPdfChecker.
* Use lower case identifiers with underscore separators, e.g.
some_function() and my_var.
+ * Do not start or end variable names with an underscore. This has a
+ good chance of conflicting with macro and/or system definitions.
* Use lower case filenames with underscores.
scripts
* --warn-symbols warn about unknown symbols in your Lua config
* --warn-vars warn about variable definition and usage issues
- * -w dump 802.11 management and control frames
* -W lists available interfaces
* --x2c output ASCII char for given hex (see also --c2x)
* --x2s output ASCII string for given byte code (see also --x2c)
* enum dce_smb.smb_fingerprint_policy = none: Target based SMB
policy to use { none | client | server | both }
* string dce_smb.smb_invalid_shares: SMB shares to alert on
+ * bool dce_smb.smb_legacy_mode = false: inspect only SMBv1
* int dce_smb.smb_max_chain = 3: SMB max chain size { 0:255 }
* int dce_smb.smb_max_compound = 3: SMB max compound size { 0:255 }
* multi dce_smb.valid_smb_versions = all: Valid SMB versions { v1 |
Samba-3.0.37 | Samba-3.0.22 | Samba-3.0.20 }
* int dce_tcp.reassemble_threshold = 0: Minimum bytes received
before performing reassembly { 0:65535 }
+ * bool dce_udp.disable_defrag = false: Disable DCE/RPC
+ defragmentation
+ * int dce_udp.max_frag_len = 65535: Maximum fragment size for
+ defragmentation { 1514:65535 }
* int detection.asn1 = 256: maximum decode nodes { 1: }
* int detection_filter.count: hits in interval before allowing the
rule to fire { 1: }
* string file_id.file_rules[].version: file type version
* int file_id.lookup_timeout = 2: give up on lookup after this many
seconds { 0: }
+ * int file_id.max_files_cached = 65536: maximal number of files
+ cached in memory { 8: }
* int file_id.show_data_depth = 100: print this many octets { 0: }
* int file_id.signature_depth = 10485760: stop signature at this
point { 0: }
Lua config
* implied snort.--warn-vars: warn about variable definition and
usage issues
- * implied snort.-w: dump 802.11 management and control frames
* implied snort.-W: lists available interfaces
* int snort.--x2c: output ASCII char for given hex (see also --c2x)
* string snort.--x2s: output ASCII string for given byte code (see
* implied ssl_version.!tls1.2: check for records that are not
tls1.2
* implied ssl_version.tls1.2: check for tls1.2
- * int stream.file_cache.cleanup_pct = 5: percent of cache to clean
- when max_sessions is reached { 1:100 }
* int stream.file_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1: }
* int stream.file_cache.max_sessions = 128: maximum simultaneous
* int stream.file_cache.pruning_timeout = 30: minimum inactive time
before being eligible for pruning { 1: }
* bool stream_file.upload = false: indicate file transfer direction
- * int stream.icmp_cache.cleanup_pct = 5: percent of cache to clean
- when max_sessions is reached { 1:100 }
* int stream.icmp_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1: }
- * int stream.icmp_cache.max_sessions = 32768: maximum simultaneous
+ * int stream.icmp_cache.max_sessions = 65536: maximum simultaneous
sessions tracked before pruning { 2: }
* int stream.icmp_cache.pruning_timeout = 30: minimum inactive time
before being eligible for pruning { 1: }
* int stream_icmp.session_timeout = 30: session tracking timeout {
1:86400 }
- * int stream.ip_cache.cleanup_pct = 5: percent of cache to clean
- when max_sessions is reached { 1:100 }
* int stream.ip_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1: }
* int stream.ip_cache.max_sessions = 16384: maximum simultaneous
sessions tracked before pruning { 2: }
* int stream.ip_cache.pruning_timeout = 30: minimum inactive time
before being eligible for pruning { 1: }
+ * bool stream.ip_frags_only = false: don’t process non-frag flows
* int stream_ip.max_frags = 8192: maximum number of simultaneous
fragments being tracked { 1: }
* int stream_ip.max_overlaps = 0: maximum allowed overlaps per
* enum stream_size.~direction: compare applies to the given
direction(s) { either|to_server|to_client|both }
* string stream_size.~range: size for comparison
- * int stream.tcp_cache.cleanup_pct = 5: percent of cache to clean
- when max_sessions is reached { 1:100 }
* int stream.tcp_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1: }
- * int stream.tcp_cache.max_sessions = 131072: maximum simultaneous
+ * int stream.tcp_cache.max_sessions = 262144: maximum simultaneous
sessions tracked before pruning { 2: }
* int stream.tcp_cache.pruning_timeout = 30: minimum inactive time
before being eligible for pruning { 1: }
segments queued { 0:2048 }
* int stream_tcp.small_segments.maximum_size = 0: limit number of
small segments queued { 0:2048 }
- * int stream.udp_cache.cleanup_pct = 5: percent of cache to clean
- when max_sessions is reached { 1:100 }
* int stream.udp_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1: }
- * int stream.udp_cache.max_sessions = 65536: maximum simultaneous
+ * int stream.udp_cache.max_sessions = 131072: maximum simultaneous
sessions tracked before pruning { 2: }
* int stream.udp_cache.pruning_timeout = 30: minimum inactive time
before being eligible for pruning { 1: }
rules w/o ports only if rules with ports are present
* int stream_udp.session_timeout = 30: session tracking timeout {
1:86400 }
- * int stream.user_cache.cleanup_pct = 5: percent of cache to clean
- when max_sessions is reached { 1:100 }
* int stream.user_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1: }
* int stream.user_cache.max_sessions = 1024: maximum simultaneous
appid
* appid.ftp_flows: count of ftp flows discovered by appid
* appid.ftps_flows: count of ftps flows discovered by appid
+ * appid.ignored packets: count of packets ignored by appid
+ inspector
* appid.imap_flows: count of imap service flows discovered by appid
* appid.imaps_flows: count of imap TLS service flows discovered by
appid
appid
* appid.netbios_flows: count of netbios service flows discovered by
appid
- * appid.packets: count of packets processed by appid
+ * appid.packets: count of packets received by appid inspector
* appid.pop_flows: count of pop service flows discovered by appid
+ * appid.processed packets: count of packets processed by appid
+ inspector
* appid.rsync_flows: count of rsync service flows discovered by
appid
+ * appid.smtp_aol_clients: count of AOL smtp clients discovered by
+ appid
+ * appid.smtp_applemail_clients: count of Apple Mail smtp clients
+ discovered by appid
+ * appid.smtp_eudora_clients: count of Eudora smtp clients
+ discovered by appid
+ * appid.smtp_eudora_pro_clients: count of Eudora Pro smtp clients
+ discovered by appid
+ * appid.smtp_evolution_clients: count of Evolution smtp clients
+ discovered by appid
* appid.smtp_flows: count of smtp flows discovered by appid
+ * appid.smtp_kmail_clients: count of KMail smtp clients discovered
+ by appid
+ * appid.smtp_lotus_notes_clients: count of Lotus Notes smtp clients
+ discovered by appid
+ * appid.smtp_microsoft_outlook_clients: count of Microsoft Outlook
+ smtp clients discovered by appid
+ * appid.smtp_microsoft_outlook_express_clients: count of Microsoft
+ Outlook Express smtp clients discovered by appid
+ * appid.smtp_microsoft_outlook_imo_clients: count of Microsoft
+ Outlook IMO smtp clients discovered by appid
+ * appid.smtp_mutt_clients: count of Mutt smtp clients discovered by
+ appid
* appid.smtps_flows: count of smtps flows discovered by appid
+ * appid.smtp_thunderbird_clients: count of Thunderbird smtp clients
+ discovered by appid
* appid.ssh_clients: count of ssh clients discovered by appid
* appid.ssh_flows: count of ssh flows discovered by appid
* appid.ssl_flows: count of ssl flows discovered by appid
* dce_smb.events: total events
* dce_smb.Faults: total connection-oriented faults
* dce_smb.Files processed: total smb files processed
+ * dce_smb.Ignored bytes: total ignored bytes
* dce_smb.Max outstanding requests: total smb maximum outstanding
requests
* dce_smb.MS RPC/HTTP PDUs: total connection-oriented MS requests
reassembled
* dce_smb.Sessions: total smb sessions
* dce_smb.Shutdowns: total connection-oriented shutdowns
+ * dce_smb.SMBv2 close: total number of SMBv2 close packets seen
+ * dce_smb.SMBv2 create: total number of SMBv2 create packets seen
+ * dce_smb.SMBv2 read: total number of SMBv2 read packets seen
+ * dce_smb.SMBv2 set info: total number of SMBv2 set info packets
+ seen
+ * dce_smb.SMBv2 tree connect: total number of SMBv2 tree connect
+ packets seen
+ * dce_smb.SMBv2 tree disconnect: total number of SMBv2 tree
+ disconnect packets seen
+ * dce_smb.SMBv2 write: total number of SMBv2 write packets seen
* dce_tcp.aborted sessions: total aborted sessions
* dce_tcp.Alter context responses: total connection-oriented alter
context responses
* dce_tcp.Shutdowns: total connection-oriented shutdowns
* dce_tcp.tcp packets: total tcp packets
* dce_tcp.tcp sessions: total tcp sessions
+ * dce_udp.aborted sessions: total aborted sessions
+ * dce_udp.Acks: total connection-less acks
+ * dce_udp.bad autodetects: total bad autodetects
+ * dce_udp.Cancel acks: total connection-less cancel acks
+ * dce_udp.Cancels: total connection-less cancels
+ * dce_udp.Client facks: total connection-less client facks
+ * dce_udp.events: total events
+ * dce_udp.Faults: total connection-less faults
+ * dce_udp.Fragments: total connection-less fragments
+ * dce_udp.Frags reassembled: total connection-less fragments
+ reassembled
+ * dce_udp.Max fragment size: connection-less maximum fragment size
+ * dce_udp.Max seqnum: max connection-less seqnum
+ * dce_udp.No calls: total connection-less no calls
+ * dce_udp.Other requests: total connection-less other requests
+ * dce_udp.Other responses: total connection-less other responses
+ * dce_udp.Ping: total connection-less ping
+ * dce_udp.Rejects: total connection-less rejects
+ * dce_udp.Requests: total connection-less requests
+ * dce_udp.Responses: total connection-less responses
+ * dce_udp.Server facks: total connection-less server facks
+ * dce_udp.udp packets: total udp packets
+ * dce_udp.udp sessions: total udp sessions
+ * dce_udp.Working: total connection-less working
* detection.alert limit: events previously triggered on same PDU
* detection.alerts: alerts not including IP reputation
* detection.alt searches: alt fast pattern searches in packet data
* imap.uu attachments: total uu attachments decoded
* imap.uu decoded bytes: total uu decoded bytes
* ipv4.bad checksum: nonzero ip checksums
- * latency.packet_timeouts: packets that timed out
- * latency.rule_eval_timeouts: rule evals that timed out
- * latency.rule_tree_enables: rule tree re-enables
- * latency.total_packets: total packets monitored
- * latency.total_rule_evals: total rule evals monitored
+ * latency.max usecs: maximum usecs elapsed
+ * latency.packet timeouts: packets that timed out
+ * latency.rule eval timeouts: rule evals that timed out
+ * latency.rule tree enables: rule tree re-enables
+ * latency.total packets: total packets monitored
+ * latency.total rule evals: total rule evals monitored
+ * latency.total usecs: total usecs elapsed
* modbus.frames: total Modbus messages
* modbus.sessions: total sessions processed
* mpls.total bytes: total mpls labeled bytes processed
* ssl.unrecognized records: total unrecognized records
* stream.file excess prunes: file sessions pruned due to excess
* stream.file flows: total file sessions
+ * stream.file ha prunes: file sessions pruned by high availability
+ sync
+ * stream.file idle prunes: file sessions pruned due to timeout
* stream.file memcap prunes: file sessions pruned due to memcap
* stream.file preemptive prunes: file sessions pruned during
preemptive pruning
- * stream.file timeout prunes: file sessions pruned due to timeout
* stream.file total prunes: total file sessions pruned
* stream.file uni prunes: file uni sessions pruned
- * stream.file user prunes: file sessions pruned for other reasons
* stream_icmp.created: icmp session trackers created
* stream.icmp excess prunes: icmp sessions pruned due to excess
* stream.icmp flows: total icmp sessions
+ * stream.icmp ha prunes: icmp sessions pruned by high availability
+ sync
+ * stream.icmp idle prunes: icmp sessions pruned due to timeout
* stream_icmp.max: max icmp sessions
* stream.icmp memcap prunes: icmp sessions pruned due to memcap
* stream.icmp preemptive prunes: icmp sessions pruned during
* stream_icmp.prunes: icmp session prunes
* stream_icmp.released: icmp session trackers released
* stream_icmp.sessions: total icmp sessions
- * stream.icmp timeout prunes: icmp sessions pruned due to timeout
* stream_icmp.timeouts: icmp session timeouts
* stream.icmp total prunes: total icmp sessions pruned
* stream.icmp uni prunes: icmp uni sessions pruned
- * stream.icmp user prunes: icmp sessions pruned for other reasons
* stream_ip.alerts: alerts generated
* stream_ip.anomalies: anomalies detected
* stream_ip.created: ip session trackers created
- * stream_ip.current: current fragments
+ * stream_ip.current frags: current fragments
* stream_ip.discards: fragments discarded
* stream_ip.drops: fragments dropped
* stream.ip excess prunes: ip sessions pruned due to excess
* stream.ip flows: total ip sessions
* stream_ip.fragmented bytes: total fragmented bytes
* stream_ip.frag timeouts: datagrams abandoned
+ * stream.ip ha prunes: ip sessions pruned by high availability sync
+ * stream.ip idle prunes: ip sessions pruned due to timeout
* stream_ip.max frags: max fragments
* stream_ip.max: max ip sessions
* stream.ip memcap prunes: ip sessions pruned due to memcap
* stream_ip.reassembled: reassembled datagrams
* stream_ip.released: ip session trackers released
* stream_ip.sessions: total ip sessions
- * stream.ip timeout prunes: ip sessions pruned due to timeout
* stream_ip.timeouts: ip session timeouts
+ * stream_ip.total frags: total fragments
* stream.ip total prunes: total ip sessions pruned
- * stream_ip.total: total fragments
* stream_ip.trackers added: datagram trackers created
* stream_ip.trackers cleared: datagram trackers cleared
* stream_ip.trackers completed: datagram trackers completed
* stream_ip.trackers freed: datagram trackers released
* stream.ip uni prunes: ip uni sessions pruned
- * stream.ip user prunes: ip sessions pruned for other reasons
* stream_tcp.3way trackers: tcp session tracking started on ack
* stream_tcp.client cleanups: number of times data from server was
flushed when session released
* stream.tcp excess prunes: tcp sessions pruned due to excess
* stream.tcp flows: total tcp sessions
* stream_tcp.gaps: missing data between PDUs
+ * stream.tcp ha prunes: tcp sessions pruned by high availability
+ sync
+ * stream.tcp idle prunes: tcp sessions pruned due to timeout
* stream_tcp.ignored: tcp packets ignored
* stream_tcp.initializing: number of sessions currently
initializing
* stream_tcp.syn-ack trackers: tcp session tracking started on
syn-ack
* stream_tcp.syn trackers: tcp session tracking started on syn
- * stream.tcp timeout prunes: tcp sessions pruned due to timeout
* stream_tcp.timeouts: tcp session timeouts
* stream.tcp total prunes: total tcp sessions pruned
* stream.tcp uni prunes: tcp uni sessions pruned
* stream_tcp.untracked: tcp packets not tracked
- * stream.tcp user prunes: tcp sessions pruned for other reasons
* stream_udp.created: udp session trackers created
* stream.udp excess prunes: udp sessions pruned due to excess
* stream.udp flows: total udp sessions
+ * stream.udp ha prunes: udp sessions pruned by high availability
+ sync
+ * stream.udp idle prunes: udp sessions pruned due to timeout
* stream_udp.max: max udp sessions
* stream.udp memcap prunes: udp sessions pruned due to memcap
* stream.udp preemptive prunes: udp sessions pruned during
* stream_udp.prunes: udp session prunes
* stream_udp.released: udp session trackers released
* stream_udp.sessions: total udp sessions
- * stream.udp timeout prunes: udp sessions pruned due to timeout
* stream_udp.timeouts: udp session timeouts
* stream.udp total prunes: total udp sessions pruned
* stream.udp uni prunes: udp uni sessions pruned
- * stream.udp user prunes: udp sessions pruned for other reasons
* stream.user excess prunes: user sessions pruned due to excess
* stream.user flows: total user sessions
+ * stream.user ha prunes: user sessions pruned by high availability
+ sync
+ * stream.user idle prunes: user sessions pruned due to timeout
* stream.user memcap prunes: user sessions pruned due to memcap
* stream.user preemptive prunes: user sessions pruned during
preemptive pruning
- * stream.user timeout prunes: user sessions pruned due to timeout
* stream.user total prunes: total user sessions pruned
* stream.user uni prunes: user uni sessions pruned
- * stream.user user prunes: user sessions pruned for other reasons
* tcp.bad checksum (ip4): nonzero tcp over ip checksums
* tcp.bad checksum (ip6): nonzero tcp over ipv6 checksums
* tcp_connector.messages: total messages
* 131: dns
* 133: dce_smb
* 133: dce_tcp
+ * 133: dce_udp
* 134: latency
* 136: reputation
* 137: ssl
* 133:39 (dce_tcp) Connection-oriented DCE/RPC - Context id of non
first/last fragment different from context id established for
fragmented request.
+ * 133:40 (dce_udp) Connection-less DCE/RPC - Invalid major version.
+ * 133:41 (dce_udp) Connection-less DCE/RPC - Invalid pdu type.
+ * 133:42 (dce_udp) Connection-less DCE/RPC - Data length less than
+ header size.
+ * 133:43 (dce_udp) Connection-less DCE/RPC - Bad sequence number.
* 133:44 (dce_smb) SMB - Invalid SMB version 1 seen.
* 133:45 (dce_smb) SMB - Invalid SMB version 2 seen.
* 133:46 (dce_smb) SMB - Invalid user, tree connect, file binding.
negotiations on session.
* 133:57 (dce_smb) SMB - Client attempted to create or set a file’s
attributes to readonly/hidden/system.
+ * 133:58 (dce_smb) SMB - File offset provided is greater than file
+ size specified
+ * 133:59 (dce_smb) SMB - Next command specified in SMB2 header is
+ beyond payload boundary
* 134:1 (latency) rule tree suspended due to latency
* 134:2 (latency) rule tree re-enabled after suspend timeout
* 134:3 (latency) packet fastpathed due to latency
* dce_smb (inspector): dce over smb inspection
* dce_stub_data (ips_option): sets the cursor to dcerpc stub data
* dce_tcp (inspector): dce over tcp inspection
+ * dce_udp (inspector): dce over udp inspection
* decode (basic): general decoder rules
* detection (basic): configure general IPS rule processing
parameters
services, etc.
* inspector::dce_smb: dce over smb inspection
* inspector::dce_tcp: dce over tcp inspection
+ * inspector::dce_udp: dce over udp inspection
* inspector::dnp3: dnp3 inspection
* inspector::dns: dns inspection
* inspector::file_log: log file event to file.log
day or even just a minute. That way we can find them easily and won't
lose track of them.
-* Presently using FIXIT-X where X = A | P | H | M | L, indicating analysis,
- perf, high, med, or low priority. For now, H, M, or L can indicate alpha
- 1, 2, or 3. Perf changes fall between alpha 1 and 2.
+* Presently using FIXIT-X where X = A | W | P | H | M | L, indicating analysis,
+ warning, perf, high, med, or low priority. Place A and W comments on the
+ exact warning line so we can match up comments and build output. Supporting
+ comments can be added above.
* Put the copyright(s) and license in a comment block at the top of each
source file (.h and .cc). Don't bother with trivial scripts and make
// based on work by Ryan Jordan
* Each header should have a comment immediately after the header guard to
- give an overview of the file so the user knows what's going on.
+ give an overview of the file so the reader knows what's going on.
=== Logging
#include "detect.h"
-/****************************************************************************
- *
- * Function: AddOptFuncToList(int (*func)(), OptTreeNode *)
- *
- * Purpose: Links the option detection module to the OTN
- *
- * Arguments: (*func)() => function pointer to the detection module
- * otn => pointer to the current OptTreeNode
- *
- * Returns: void function
- *
- ***************************************************************************/
OptFpList* AddOptFuncToList(RuleOptEvalFunc ro_eval_func, OptTreeNode* otn)
{
OptFpList* ofp = (OptFpList*)snort_calloc(sizeof(OptFpList));
+ ofp->OptTestFunc = ro_eval_func;
- DebugMessage(DEBUG_CONFIGRULES,"Adding new rule to list\n");
-
- /* if there are no nodes on the function list... */
- if (otn->opt_func == NULL)
+ if ( !otn->opt_func )
{
otn->opt_func = ofp;
}
{
OptFpList* tmp = otn->opt_func;
- /* walk to the end of the list */
+ // walk to the end of the list
while ( tmp->next )
tmp = tmp->next;
tmp->next = ofp;
}
-
- DebugFormat(DEBUG_CONFIGRULES,"Set OptTestFunc to %p\n", (void*)ro_eval_func);
-
- ofp->OptTestFunc = ro_eval_func;
-
return ofp;
}
strncat(buf, why, sizeof(buf)-strlen(buf)-1);
strncat(buf, " signal, exiting\n", sizeof(buf)-strlen(buf)-1);
- (void)write(STDOUT_FILENO, buf, strlen(buf));
+ (void)write(STDOUT_FILENO, buf, strlen(buf)); // FIXIT-W ignoring return value
}
static void exit_handler(int signal)
{ "fastpath", Parameter::PT_BOOL, nullptr, "false",
"fastpath expensive packets (max_time exceeded)" },
- { "action", Parameter::PT_ENUM, "none | alert | log | alert_and_log", "alert_and_log",
+ { "action", Parameter::PT_ENUM, "none | alert | log | alert_and_log", "none",
"event action if packet times out and is fastpathed" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
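Review bot: Changing the `action` default from `alert_and_log` to `none` means a packet that is fastpathed past detection no longer produces any event unless an operator opts in, and the same default change is made in the rule-latency table just below (`max_suspend_time`). The help string still reads as if an event is emitted, so a reader of the generated docs will assume the old behaviour; suggest `"event action if packet times out and is fastpathed (default none: no event)"` or a changelog entry stating that latency events must now be enabled explicitly, since operators use them to notice when rule trees are being suspended.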
{ "max_suspend_time", Parameter::PT_INT, "0:", "30000",
"set max time for suspending a rule (ms, 0 means permanently disable rule)" },
- { "action", Parameter::PT_ENUM, "none | alert | log | alert_and_log", "alert_and_log",
+ { "action", Parameter::PT_ENUM, "none | alert | log | alert_and_log", "none",
"event action for rule latency enable and suspend events" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
}
os << clock_usecs(duration_cast<microseconds>(e.elapsed).count()) << " usec, ";
- os << e.root->otn->sigInfo.generator << ":" << e.root->otn->sigInfo.id;
+ os << e.root->otn->sigInfo.generator << ":" << e.root->otn->sigInfo.id << ":"
+ << e.root->otn->sigInfo.rev;
if ( e.root->num_children > 1 )
os << " (of " << e.root->num_children << ")";
// alert_luajit.cc author Russ Combs <rucombs@cisco.com>
#include <assert.h>
-#include <vector> // FIXIT-A Returning null reference (somewhere below)
+#include <vector> // FIXIT-W Returning null reference (somewhere below)
#include <lua.hpp>
#include "main/snort_types.h"
return;
}
// FIXIT-L count errors?
- (void)write(fd, s, strlen(s));
+ (void)write(fd, s, strlen(s)); // FIXIT-W ignoring return value
}
// FIXIT-L would like to flush prompt w/o \n
/* Break out of the DAQ acquire loop so that the command will be processed.
This is explicitly safe to call from another thread. */
- if (daq_instance)
+ if ( state == State::RUNNING and daq_instance )
daq_instance->break_loop(0);
}
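Review bot: The added `state == State::RUNNING` test reads `state` from the thread that issues the command, while the comment above says this is explicitly safe to call from another thread; unless `state` is a `std::atomic` (its declaration is outside the hunk), that read races with the main thread's writes. Either make the member atomic or document why a stale read is acceptable, e.g. `// state is advisory here: a stale read only skips break_loop`. The enclosing function begins outside the hunk.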
void show_stats(PegCount*, const PegInfo*, IndexVec&, const char*, FILE*) { }
void sfvar_free(sfip_var_t*) {}
-int sfvar_ip_in(sfip_var_t*, const sfip_t*) { return 0; }
+bool sfvar_ip_in(sfip_var_t*, const sfip_t*) { return false; }
SO_PUBLIC Inspector* InspectorManager::get_inspector(const char*, bool) { return s_inspector; }
InspectorType InspectorManager::get_type(const char*) { return InspectorType::IT_BINDER; }
Inspector* InspectorManager::get_binder() { return nullptr; }
// base_tracker.cc author Carter Waxman <cwaxman@cisco.com>
-#include "base_tracker.h" // FIXIT-A Returning null reference (from <vector>)
+#include "base_tracker.h" // FIXIT-W Returning null reference (from <vector>)
#include "perf_module.h"
#include "framework/module.h"
if ((*value == '[') && (*(value+1) == ']'))
return 1;
- while (*value == '!' || *value == '[')
+ while ( *value == '!' or *value == '[' or isspace(*value) )
value++;
/* Check for dotted-quad */
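Review bot: `isspace(*value)` is passed a plain `char`; on platforms where `char` is signed, a byte at or above 0x80 in the variable string becomes a negative argument, which is undefined behaviour for the `<ctype.h>` functions. Since this text comes from user-supplied configuration, cast first: `isspace((unsigned char)*value)`. The same applies to the `!`/space loop in the next hunk of this file and to the two new `isspace(*str)` uses in the `any`/negation parsing hunk further down.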
{
int num_brackets = 0;
- while (*value == '!')
+ while ( *value == '!' or isspace(*value) )
value++;
if ((value[0] != '[') || value[strlen(value)-1] != ']')
// 1. Undefined or garbage value returned to caller (rep count())
// 2. The left expression of the compound assignment is an uninitialized value.
// The computed value will also be garbage (duration& operator+=(const duration& __d))
-#include "detection/detection_options.h" // ... FIXIT-A
+#include "detection/detection_options.h" // ... FIXIT-W
#include "detection/treenodes.h"
#include "hash/sfghash.h"
{
/* Treat first bit of flags as the upper byte to length */
// The left operand of '&' is a garbage value
- return ((nb->flags & 0x01) << 16) | ntohs(nb->length); // ... FIXIT-A
+ return ((nb->flags & 0x01) << 16) | ntohs(nb->length); // ... FIXIT-W
}
inline uint8_t NbssType(const NbssHdr* nb)
{
// Access to field 'smb_flg' results in a dereference of a null pointer
// (loaded from variable 'hdr')
- if (hdr->smb_flg & SMB_FLG__TYPE) // ... FIXIT-A
+ if (hdr->smb_flg & SMB_FLG__TYPE) // ... FIXIT-W
return SMB_TYPE__RESPONSE;
return SMB_TYPE__REQUEST;
{
// Clang analyzer is false positive, dlist->head is updated after free
// (Use of memory after it is freed)
- dialog = SIP_addDialog(sipMsg, dList->head, dList); // ... FIXIT-A
+ dialog = SIP_addDialog(sipMsg, dList->head, dList); // ... FIXIT-W
}
methodFlag = sipMsg->methodFlag;
ret->flags |= SFIP_NEGATED;
}
+ while ( isspace(*str) )
+ ++str;
+
/* Check if this is an "any" */
if (!strncasecmp(str, "any", 3))
{
neg_ip = 0;
/* Handle multiple negations */
- for (; *str == '!'; str++)
- neg_ip = !neg_ip;
+ for (; *str == '!' or isspace(*str); str++)
+ {
+ if ( *str == '!' )
+ neg_ip = !neg_ip;
+ }
/* Find end of this token */
for (end = str+1;
}
/* Support function for sfvar_ip_in */
-static inline int _sfvar_ip_in4(sfip_var_t* var, const sfip_t* ip)
+static inline bool sfvar_ip_in4(sfip_var_t* var, const sfip_t* ip)
{
int match;
sfip_node_t* pos_idx, * neg_idx;
continue;
if (sfip_fast_cont4(neg_idx->ip, ip))
- {
- return 0;
- }
+ return false;
}
- return 1;
+ return true;
}
while (pos_idx)
if (sfip_family(neg_idx->ip) == AF_INET &&
sfip_fast_cont4(neg_idx->ip, ip))
{
- return 0;
+ return false;
}
neg_idx = neg_idx->next;
/* No more potential negations. Check if we've already matched. */
else if (match)
{
- return 1;
+ return true;
}
if (!match)
}
}
- return 0;
+ return false;
}
/* Support function for sfvar_ip_in */
-static inline int _sfvar_ip_in6(sfip_var_t* var, const sfip_t* ip)
+static inline bool sfvar_ip_in6(sfip_var_t* var, const sfip_t* ip)
{
int match;
sfip_node_t* pos_idx, * neg_idx;
continue;
if (sfip_fast_cont6(neg_idx->ip, ip))
- {
- return 0;
- }
+ return false;
}
- return 1;
+ return true;
}
while (pos_idx)
if (sfip_family(neg_idx->ip) == AF_INET6 &&
sfip_fast_cont6(neg_idx->ip, ip))
{
- return 0;
+ return false;
}
neg_idx = neg_idx->next;
/* No more potential negations. Check if we've already matched. */
else if (match)
{
- return 1;
+ return true;
}
if (!match)
}
}
- return 0;
+ return false;
}
-// FIXIT-L sfvar_ip_in, _sfvar_ip_in4 and _sfvar_ip_in6 should all return boool
-/* Returns SFIP_SUCCESS if ip is contained in 'var', SFIP_FAILURE otherwise
- If either argument is NULL, SFIP_ARG_ERR is returned. */
-int sfvar_ip_in(sfip_var_t* var, const sfip_t* ip)
+bool sfvar_ip_in(sfip_var_t* var, const sfip_t* ip)
{
if (!var || !ip)
- return 0;
+ return false;
-#if 0
- if (var->mode == SFIP_TABLE)
- {
- // XXX
- }
- else
- {
-#endif
/* Since this is a performance-critical function it uses different
* codepaths for IPv6 and IPv4 traffic, rather than the dual-stack
* functions. */
if (sfip_family(ip) == AF_INET)
{
- return _sfvar_ip_in4(var, ip);
+ return sfvar_ip_in4(var, ip);
}
else
{
- return _sfvar_ip_in6(var, ip);
+ return sfvar_ip_in6(var, ip);
}
-#if 0
-}
-
-#endif
}
-/* XXX The unit tests for this code are performed within sf_vartable.c */
/* Free an allocated variable */
void sfvar_free(sfip_var_t* var);
-/* Returns non-zero if ip is contained in 'var', 0 otherwise
- If either argument is NULL, 0 is returned. */
-int sfvar_ip_in(sfip_var_t* var, const sfip_t* ip);
+// returns true if both args are valid and ip is contained by var
+bool sfvar_ip_in(sfip_var_t* var, const sfip_t* ip);
#endif
puts("Containment checks:");
var = sfvt_lookup(table, "goo");
ip = sfip_alloc("192.168.248.255");
- TEST(sfvar_ip_in(var, ip) == SFIP_SUCCESS);
+ TEST(sfvar_ip_in(var, ip));
/* Check against the 'any' variable */
var = sfvt_lookup_var(table, "moo");
- TEST(sfvar_ip_in(var, ip) == SFIP_SUCCESS);
+ TEST(sfvar_ip_in(var, ip));
/* Verify it's not in this variable */
var = sfvt_lookup_var(table, "foo");
- TEST(sfvar_ip_in(var, ip) == SFIP_FAILURE);
+ TEST(!sfvar_ip_in(var, ip));
/* Check boundary cases */
var = sfvt_lookup_var(table, "goo");
free_ip(ip);
ip = sfip_alloc_str("192.168.0.3");
- TEST(sfvar_ip_in(var, ip) == SFIP_FAILURE);
+ TEST(!sfvar_ip_in(var, ip));
free_ip(ip);
ip = sfip_alloc_str("192.168.0.2");
- TEST(sfvar_ip_in(var, ip) == SFIP_SUCCESS);
+ TEST(sfvar_ip_in(var, ip));
puts("");
puts("********************************************************************");
{
node->next = ft->fraglist;
if (node->next)
- node->next->prev = node; // FIXIT-A Use of memory after it is freed
+ node->next->prev = node; // FIXIT-W Use of memory after it is freed
else
ft->fraglist_tail = node;
ft->fraglist = node;
tel.log_internal_event(INTERNAL_EVENT_SYN_RECEIVED);
}
- #ifdef DEBUG_STREAM_EX
- print_tsd( );
- #endif
+#ifdef DEBUG_STREAM_EX
+ LogMessage("Tcp Segment Descriptor:\n");
+ LogMessage(" seq: 0x%08X\n", seg_seq);
+ LogMessage(" ack: 0x%08X\n", seg_ack);
+ LogMessage(" win: %d\n", seg_wnd);
+ LogMessage(" end: 0x%08X\n", end_seq);
+#endif
}
TcpSegmentDescriptor::~TcpSegmentDescriptor()
return ( init_wscale(&wscale) & TF_WSCALE ) != TF_NONE;
}
-void TcpSegmentDescriptor::print_tsd()
-{
- LogMessage("Tcp Segment Descriptor:\n");
- LogMessage(" seq: 0x%08X\n", seg_seq);
- LogMessage(" ack: 0x%08X\n", seg_ack);
- LogMessage(" win: %d\n", seg_wnd);
- LogMessage(" end: 0x%08X\n", end_seq);
-}
-
pkt->dsize -= offset;
}
- void print_tsd();
-
private:
Flow* flow;
Packet* pkt;
#include "segment_overlap_editor.h"
+#include <assert.h>
+
#include "log/messages.h"
#include "main/snort_debug.h"
#include "protocols/packet.h"
// Don't want to count retransmits as overlaps or do anything
// else with them. Account for retransmits of multiple PDUs
// in one segment.
- if ( right->is_retransmit(rdata, rsize, rseq, right->orig_dsize, ((rseq == tsd->get_seg_seq())?full_retransmit:nullptr)) )
+ bool* pb = (rseq == tsd->get_seg_seq()) ? full_retransmit : nullptr;
+
+ if ( right->is_retransmit(rdata, rsize, rseq, right->orig_dsize, pb) )
{
if ( !(*full_retransmit) )
{
while ( right && SEQ_LT(right->seq, seq_end) )
{
trunc_len = 0;
+
+ assert(SEQ_LEQ(seq, right->seq));
overlap = ( int )( seq_end - right->seq );
DebugFormat(DEBUG_STREAM_STATE, "right overlap(%d): len: %d right->seq: 0x%X seq: 0x%X\n",
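Review bot: `assert(SEQ_LEQ(seq, right->seq))` documents the invariant but enforces nothing in an NDEBUG build, and the value it guards, `overlap = (int)(seq_end - right->seq)`, then drives the right-overlap handlers with values derived from attacker-shaped segments. If the callers establish `seq <= right->seq` by construction this is fine as documentation; if not, a runtime check that leaves the loop when the condition fails would be safer than relying on the assert. The same consideration applies to the new `assert(SEQ_GT(seq, left->seq))` lines in the three `left_overlap_*` functions below. The enclosing loop continues outside the hunk.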
// Treat sequence number overlap as a retransmission, only check right side since
// left side happens rarely
- session->retransmit_handle(tsd->get_pkt() );
+ session->retransmit_handle(tsd->get_pkt());
if ( overlap < right->payload_size )
{
delete_reassembly_segment(drop_seg);
}
-int SegmentOverlapEditor::generate_bad_segment_event()
-{
- DebugFormat(DEBUG_STREAM_STATE, "bad segment: overlap with invalid sequence number"
- "(seq: %X seq_end: %X overlap: %d\n", seq, seq_end, overlap);
- session->tel.set_tcp_event(EVENT_BAD_SEGMENT);
- inc_tcp_discards();
- return STREAM_INSERT_ANOMALY;
-}
-
int SegmentOverlapEditor::left_overlap_keep_first()
{
- int rc = STREAM_INSERT_OK;
-
DebugFormat(DEBUG_STREAM_STATE, "left overlap %d\n", overlap);
+ // NOTE that overlap will always be less than left->size since
+ // seq is always greater than left->seq
+ assert(SEQ_GT(seq, left->seq));
+
len = tsd->get_seg_len();
overlap = left->seq + left->payload_size - seq;
+
+ if ( len < overlap )
+ overlap = len;
+
if ( overlap > 0 )
{
- // NOTE that overlap will always be less than left->size since
- // seq is always greater than left->seq
tcpStats.overlaps++;
overlap_count++;
DebugMessage(DEBUG_STREAM_STATE, "left overlap, honoring old data\n");
- if ( SEQ_LT(left->seq, tsd->get_seg_seq() ) && SEQ_GT(left->seq + left->payload_size,
- tsd->get_seg_seq() + tsd->get_seg_len() ) )
+
+ if ( SEQ_GT(left->seq + left->payload_size, seq_end) )
{
if (tcp_ips_data == NORM_MODE_ON)
{
unsigned offset = tsd->get_seg_seq() - left->seq;
- memcpy((uint8_t*)tsd->get_pkt()->data, left->payload + offset, tsd->get_seg_len());
+ memcpy((uint8_t*)tsd->get_pkt()->data, left->payload()+offset, tsd->get_seg_len());
tsd->get_pkt()->packet_flags |= PKT_MODIFIED;
}
tcp_norm_stats[PC_TCP_IPS_DATA][tcp_ips_data]++;
}
- else if ( SEQ_LT(left->seq, tsd->get_seg_seq() ) )
+ else
{
if ( tcp_ips_data == NORM_MODE_ON )
{
unsigned offset = tsd->get_seg_seq() - left->seq;
unsigned length = left->seq + left->payload_size - tsd->get_seg_seq();
- memcpy((uint8_t*)tsd->get_pkt()->data, left->payload + offset, length);
+ memcpy((uint8_t*)tsd->get_pkt()->data, left->payload()+offset, length);
tsd->get_pkt()->packet_flags |= PKT_MODIFIED;
}
}
seq += overlap;
- if ( SEQ_LEQ(seq_end, seq) )
- return generate_bad_segment_event();
}
- return rc;
+ return STREAM_INSERT_OK;
}
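Review bot: With `generate_bad_segment_event()` deleted, the `EVENT_BAD_SEGMENT` tcp event and the `inc_tcp_discards()` that accompanied it are no longer produced when a segment is fully covered by `left`; `seq += overlap` now leaves `seq == seq_end` and the function returns `STREAM_INSERT_OK`. Unless the event is still raised somewhere outside this diff, operators lose the alert that used to flag these overlaps, which is the kind of signal used to notice reassembly evasion. If that is intended, say so in the commit message; otherwise the zero-size discard path in the insert routine (further down in this diff) is the natural single place for `session->tel.set_tcp_event(EVENT_BAD_SEGMENT);`. `left_overlap_trim_first` and `left_overlap_keep_last` below drop the same call.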
int SegmentOverlapEditor::left_overlap_trim_first()
{
- int rc = STREAM_INSERT_OK;
-
DebugFormat(DEBUG_STREAM_STATE, "left overlap %d\n", overlap);
+ assert(SEQ_GT(seq, left->seq));
len = tsd->get_seg_len();
overlap = left->seq + left->payload_size - seq;
+
if ( overlap > 0 )
{
tcpStats.overlaps++;
overlap_count++;
- if ( SEQ_LT(left->seq, seq) && SEQ_GEQ(left->seq + left->payload_size, seq + len) )
+ if ( SEQ_GEQ(left->seq + left->payload_size, seq + len) )
{
// existing packet overlaps new on both sides. Drop the new data.
DebugMessage(DEBUG_STREAM_STATE, "left overlap, honoring old data\n");
- seq += overlap;
- if ( SEQ_LEQ(seq_end, seq) )
- return generate_bad_segment_event();
+ seq += len;
+ }
+ else
+ {
+ /* Otherwise, trim the old data accordingly */
+ left->payload_size -= ( int16_t )overlap;
+ seg_bytes_logical -= overlap;
+ DebugMessage(DEBUG_STREAM_STATE, "left overlap, honoring new data\n");
}
-
- /* Otherwise, trim the old data accordingly */
- left->payload_size -= ( int16_t )overlap;
- seg_bytes_logical -= overlap;
- DebugMessage(DEBUG_STREAM_STATE, "left overlap, honoring new data\n");
}
- return rc;
+ return STREAM_INSERT_OK;
}
int SegmentOverlapEditor::left_overlap_keep_last()
{
DebugFormat(DEBUG_STREAM_STATE, "left overlap %d\n", overlap);
+ assert(SEQ_GT(seq, left->seq));
len = tsd->get_seg_len();
overlap = left->seq + left->payload_size - seq;
+
if ( overlap > 0 )
{
tcpStats.overlaps++;
overlap_count++;
/* True "Last" policy" */
- if ( SEQ_LT(left->seq, seq) && SEQ_GT(left->seq + left->payload_size, seq + len) )
+ if ( SEQ_GT(left->seq + left->payload_size, seq + len) )
{
/* New data is overlapped on both sides by existing data. Existing data needs to be
* split and the new data inserted in the middle.
right->seq = seq + len;
uint16_t delta = ( int16_t )( right->seq - left->seq );
right->payload_size -= delta;
- right->payload += delta;
+ right->offset += delta;
seg_bytes_logical -= delta;
}
else
{
/* partial overlap */
right->seq += overlap;
- right->payload += overlap;
+ right->offset += overlap;
right->payload_size -= (int16_t)overlap;
seg_bytes_logical -= overlap;
total_bytes_queued -= overlap;
{
unsigned offset = right->seq - tsd->get_seg_seq();
unsigned length = tsd->get_seg_seq() + tsd->get_seg_len() - right->seq;
- memcpy((uint8_t*)tsd->get_pkt()->data + offset, right->payload, length);
+ memcpy((uint8_t*)tsd->get_pkt()->data + offset, right->payload(), length);
tsd->get_pkt()->packet_flags |= PKT_MODIFIED;
}
if ( tcp_ips_data == NORM_MODE_ON )
{
unsigned offset = right->seq - tsd->get_seg_seq();
- memcpy((uint8_t*)tsd->get_pkt()->data + offset, right->payload, right->payload_size);
+ memcpy((uint8_t*)tsd->get_pkt()->data + offset, right->payload(), right->payload_size);
tsd->get_pkt()->packet_flags |= PKT_MODIFIED;
}
/* Adjusted seq is fully overlapped */
if ( SEQ_EQ(seq, seq_end) )
- return generate_bad_segment_event();
+ return STREAM_INSERT_OK;
}
else
{
if ( SEQ_EQ(right->seq, seq) && ( right->payload_size == len )
&& ( left && !SEQ_EQ(left->seq + left->payload_size, seq) ) )
{
- trunc_len += overlap;
- if ( SEQ_LEQ( ( int )( seq_end - trunc_len ), seq) )
- return generate_bad_segment_event();
+ right_overlap_truncate_new();
+
+ rdata += right->payload_size;
+ rsize -= right->payload_size;
+ rseq += right->payload_size;
+ seq += right->payload_size;
+ left = right;
+ right = right->next;
}
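Review bot: After `right_overlap_truncate_new()` the new lines subtract `right->payload_size` from `rsize` and advance `rdata`, `rseq` and `seq` by the same amount without checking `rsize >= right->payload_size`. The guard on the `if` above compares `right->payload_size` with `len`, the original segment length, not with the remaining `rsize`, so if `rsize` is unsigned and can already have been reduced by earlier trimming (its declaration is outside the hunk) the subtraction wraps. A one-line precondition, `assert(rsize >= right->payload_size);` or an explicit check that skips the advance, would make the intent verifiable. The enclosing loop begins and ends outside the hunk.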
else
{
#include "tcp_segment_node.h"
#include "tcp_session.h"
-#define STREAM_INSERT_OK 0
-#define STREAM_INSERT_ANOMALY 1
-#define STREAM_INSERT_TIMEOUT 2
-#define STREAM_INSERT_FAILED 3
+#define STREAM_INSERT_OK 0 // FIXIT-L replace with bool
class SegmentOverlapEditor
{
virtual bool is_segment_retransmit(bool*);
virtual void drop_old_segment();
- virtual int generate_bad_segment_event();
virtual int left_overlap_keep_first();
virtual int left_overlap_trim_first();
if ( newSize <= 0 )
{
+ // FIXIT-L ideally newSize would not go negative
+ //assert(newSize == 0);
+
// zero size data because of trimming. Don't insert it
DebugFormat(DEBUG_STREAM_STATE, "zero size TCP data after left & right trimming "
"(len: %hd slide: %u trunc: %u)\n", len, slide, trunc_len);
+
inc_tcp_discards();
tracker->normalizer->trim_win_payload(tsd);
-#ifdef DEBUG_STREAM_EX
- {
- TcpSegmentNode* idx = seglist.head;
- unsigned long i = 0;
- DebugFormat(DEBUG_STREAM_STATE, "Dumping seglist, %d segments\n", tracker->seg_count);
- while (idx)
- {
- i++;
- DebugFormat(DEBUG_STREAM_STATE,
- "%d ptr: %p seq: 0x%X size: %d nxt: %p prv: %p\n",
- i, idx, idx->seq, idx->payload_size, idx->next, idx->prev);
-
- if (tracker->seg_count < i)
- FatalError("Circular list\n");
-
- idx = idx->next;
- }
- }
-#endif
- return STREAM_INSERT_ANOMALY;
+ return STREAM_INSERT_OK;
}
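Review bot: `//assert(newSize == 0);` is commented-out code left under a FIXIT; a disabled assertion tends to drift from the code it describes. If `newSize` can legitimately be negative here, as the FIXIT implies, replace the two lines with a comment naming the case in which that happens and stating that it is treated the same as zero; if it cannot, enable the assert. The computation of `newSize` is outside the hunk.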
// FIXIT-L don't allocate overlapped part
tsn = TcpSegmentNode::init(tsd);
- tsn->payload = tsn->data + slide;
+ tsn->offset = slide;
tsn->payload_size = (uint16_t)newSize;
tsn->seq = seq;
tsn->ts = tsd.get_ts();
tcpStats.segs_split++;
// twiddle the values for overlaps
- tsn->payload = tsn->data;
tsn->payload_size = left->payload_size;
tsn->seq = left->seq;
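Review bot: The removed `tsn->payload = tsn->data;` reset the payload start before `payload_size` and `seq` are copied from `left`, but no `tsn->offset = 0;` replaces it. If `tsn` here is a freshly created node from `TcpSegmentNode::init` (outside the hunk), `offset` is already zero and this is fine; if it can be a node that was trimmed earlier, `payload()` will start `offset` bytes into `data` while `payload_size` is taken from `left`, so the split reads past the intended range. Adding `tsn->offset = 0;` in place of the removed line keeps the two versions equivalent either way.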
flags |= PKT_PDU_TAIL;
const StreamBuffer* sb = tracker->splitter->reassemble(
- p->flow, total, bytes_flushed, tsn->payload, bytes_to_copy, flags, bytes_copied);
+ p->flow, total, bytes_flushed, tsn->payload(), bytes_to_copy, flags, bytes_copied);
flags = 0;
tsn->payload_size = bytes_to_copy;
sr->seq += bytes_to_copy;
sr->payload_size -= bytes_to_copy;
- sr->payload += bytes_to_copy;
+ sr->offset += bytes_to_copy;
}
tsn->buffered = true;
flush_count++;
footprint = stop_seq - seglist_base_seq;
if (footprint == 0)
- {
- DebugFormat(DEBUG_STREAM_STATE, "Negative footprint, bailing %u (0x%X - 0x%X)\n",
- footprint, stop_seq, seglist_base_seq);
return bytes_processed;
- }
-
-#ifdef DEBUG_STREAM_EX
- if (footprint < tracker->seg_bytes_logical)
- {
- DebugFormat(DEBUG_STREAM_STATE,
- "Footprint less than queued bytes, win_base: 0x%X base_seq: 0x%X\n",
- stop_seq, seglist_base_seq);
- }
-#endif
if (footprint > s5_pkt->max_dsize )
{
}
flush_pt = paf_check(tracker->splitter, &tracker->paf_state, session->flow,
- tsn->payload, size, total, tsn->seq, flags);
+ tsn->payload(), size, total, tsn->seq, flags);
if (flush_pt >= 0)
{
total += size;
flush_pt = paf_check(tracker->splitter, &tracker->paf_state, session->flow,
- tsn->payload, size, total, tsn->seq, flags);
+ tsn->payload(), size, total, tsn->seq, flags);
if ( flush_pt >= 0 )
{
#include "utils/util.h"
#include "tcp_module.h"
+// FIXIT-P this is going to set each member 2X; once here and once in init
+// separate ctors with default initializers would set them only once
TcpSegmentNode::TcpSegmentNode() :
- prev(nullptr), next(nullptr), tv({ 0, 0 }), ts(0), seq(0), orig_dsize(0),
- payload_size(0), urg_offset(0), buffered(false), data(nullptr), payload(nullptr)
+ prev(nullptr), next(nullptr), data(nullptr),
+ tv({ 0, 0 }), ts(0), seq(0), offset(0), orig_dsize(0),
+ payload_size(0), urg_offset(0), buffered(false)
{
}
TcpSegmentNode* TcpSegmentNode::init(TcpSegmentNode& tsn)
{
- return init(tsn.tv, tsn.payload, tsn.payload_size);
+ return init(tsn.tv, tsn.payload(), tsn.payload_size);
}
TcpSegmentNode* TcpSegmentNode::init(const struct timeval& tv, const uint8_t* data, unsigned dsize)
{
TcpSegmentNode* ss = new TcpSegmentNode;
ss->data = ( uint8_t* )snort_alloc(dsize);
- ss->payload = ss->data;
+ memcpy(ss->data, data, dsize);
+ ss->offset = 0;
ss->tv = tv;
- memcpy(ss->payload, data, dsize);
ss->orig_dsize = dsize;
ss->payload_size = ss->orig_dsize;
tcpStats.mem_in_use += dsize;
// ... however, use of padding below is critical, adjust if needed
//-----------------------------------------------------------------
-class TcpSegmentNode
+struct TcpSegmentNode
{
-public:
TcpSegmentNode();
- virtual ~TcpSegmentNode();
+ ~TcpSegmentNode();
static TcpSegmentNode* init(TcpSegmentDescriptor& tsd);
static TcpSegmentNode* init(TcpSegmentNode& tsn);
void term();
bool is_retransmit(const uint8_t*, uint16_t size, uint32_t, uint16_t, bool*);
+ uint8_t* payload()
+ { return data + offset; }
+
TcpSegmentNode* prev;
TcpSegmentNode* next;
+ uint8_t* data;
+
struct timeval tv;
uint32_t ts;
uint32_t seq;
+
+ uint16_t offset;
uint16_t orig_dsize;
uint16_t payload_size;
uint16_t urg_offset;
- bool buffered;
- uint8_t* data;
- uint8_t* payload;
+ bool buffered;
};
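Review bot: `payload()` is the only accessor to the segment bytes and is non-const, so any const-correct reader of a node has to drop const to read data. Add `const uint8_t* payload() const { return data + offset; }` alongside it. It would also help to state next to the fields the relationship the split and trim code in this diff appears to maintain, e.g. `// presumably offset + payload_size <= orig_dsize; payload() is data + offset`, since `offset` is now adjusted in several places.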
class TcpSegmentList