+2021/04/21 - 3.1.4.0
+
+-- appid: (fix style) Local variable 'version' shadows outer variable
+-- appid: Delete third-party connections with context only if third-party reload is not in progress
+-- appid: clean up lua stack on C->lua function exit
+-- appid: clean-up parameters in service_bootp
+-- appid: detect payload based on dns host
+-- appid: in continue state for ftp traffic, do not change service to unknown on validation failure
+-- appid: monitor only the networks specified in rna configuration
+-- appid: refactor to set http scan flags in one place
+-- appid: remove detectors which are available in odp
+-- appid: remove duplicate rtmp code
+-- binder: update flow data inspector on a service change
+-- build: add better support for flex lexer; Thanks to Özkan KIRIK and Moin for reporting the issue.
+-- codecs: use held packet SYN in Tcp header creation
+-- copyright: Update year to 2021
+-- dce_rpc: Added a cleanup condition for DCERPC in close request
+-- dce_rpc: DCERPC Support over SMBv2
+-- dce_rpc: Fixed prototype mismatch. Smb2Tid doesn't need to be inline.
+-- doc: add documentation for script_data ips option
+-- doc: revert documentation related to script_data ips option
+-- framework: Adding IT_FIRST inspector type to analyze the first packet of a flow
+-- hash: prepond object creation in LRU cache find_else_create
+-- host_tracker: fix bug in set_visibility
+-- http2_inspect: fix possible read-after-free in hpack decoder
+-- http2_inspect: free streams in completed/error state
+-- http_inspect: fix end of script match after reload
+-- http_inspect: remove detained inspection config
+-- ips: allow null detection trees with negated lists
+-- ips_options: add sticky buffer script_data ips option within normalized javascripts payload
+-- main: Adding reload id to track config/module/policy reloads
+-- main: Log holding verdict only if packet was actually held.
+-- main: Update memcap for detained packets.
+-- netflow: add device list configuration
+-- netflow: add filter matching for v5 decoder
+-- netflow: get correct zone info from packet
+-- packet_io: If packet has no daq_instance, use thread-local daq_instance.
+-- packet_tracer: Appid daq trace log
+-- packet_tracer: fix trace condition for setting IP_PROTO
+-- payload_injector: send go away frame
+-- pcre: revert change that disabled jit
+-- reputation: Registering inspector to the IT_FIRST type
+-- rna: add the smb fingerprint processor to the get_or_create / set processor api
+-- ssl: refactoring SSLData out so it can be reused
+-- stream: Add held packet to retry queue when requested.
+-- stream: Add partial_flush. Flush one side of flow immediately.
+-- stream: IP frag packets won't have a flow so do not try to hold them.
+-- stream: fetch held packet SYN
+-- stream: fix race condition in HPQReloadTuner
+-- stream: store held packet SYN
+-- utils: enable Flex C++ mode via its option
+
2021/03/27 - 3.1.3.0
-- actions: Dynamically construct the default eval order for all the loaded IPS actions
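Review bot: the two doc entries for script_data in this ChangeLog block ("doc: add documentation for script_data ips option" followed by "doc: revert documentation related to script_data ips option") read as if the documentation was withdrawn, yet the same release adds section 6.10.4.14 script_data and the script_data TOC entry further down in this diff. Either collapse the pair into one entry that reflects the shipped state, or keep only the "add" line, so the release notes do not contradict the manual. Minor: the "(fix style)" prefix on the first appid entry and the mixed capitalisation of summaries ("Added", "Update", "Adding" beside "add", "fix") break the lowercase "module: summary" convention the rest of the list follows.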
The Snort Team
Revision History
-Revision 3.1.3.0 2021-03-27 11:49:00 EDT TST
+Revision 3.1.4.0 2021-04-21 12:58:32 EDT TST
---------------------------------------------------------------------
7.95. s7commplus_content
7.96. s7commplus_func
7.97. s7commplus_opcode
- 7.98. sd_pattern
- 7.99. seq
- 7.100. service
- 7.101. sha256
- 7.102. sha512
- 7.103. sid
- 7.104. sip_body
- 7.105. sip_header
- 7.106. sip_method
- 7.107. sip_stat_code
- 7.108. so
- 7.109. soid
- 7.110. ssl_state
- 7.111. ssl_version
- 7.112. stream_reassemble
- 7.113. stream_size
- 7.114. tag
- 7.115. target
- 7.116. tos
- 7.117. ttl
- 7.118. urg
- 7.119. window
- 7.120. wscale
+ 7.98. script_data
+ 7.99. sd_pattern
+ 7.100. seq
+ 7.101. service
+ 7.102. sha256
+ 7.103. sha512
+ 7.104. sid
+ 7.105. sip_body
+ 7.106. sip_header
+ 7.107. sip_method
+ 7.108. sip_stat_code
+ 7.109. so
+ 7.110. soid
+ 7.111. ssl_state
+ 7.112. ssl_version
+ 7.113. stream_reassemble
+ 7.114. stream_size
+ 7.115. tag
+ 7.116. target
+ 7.117. tos
+ 7.118. ttl
+ 7.119. urg
+ 7.120. window
+ 7.121. wscale
8. Search Engine Modules
9. SO Rule Modules
header buffer (sum)
* detection.method_searches: fast pattern searches in method buffer
(sum)
+ * detection.script_searches: fast pattern searches in script buffer
+ (sum)
* detection.stat_code_searches: fast pattern searches in status
code buffer (sum)
* detection.stat_msg_searches: fast pattern searches in status
on startup
* bool appid.log_all_sessions = false: enable logging of all appid
sessions
+ * bool appid.enable_rna_filter = false: monitor only the networks
+ specified in rna configuration
+ * string appid.rna_conf_path: path to rna configuration file
Commands:
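Review bot: the help text for appid.enable_rna_filter and appid.rna_conf_path does not say how the two interact when only one is set: with enable_rna_filter = true and rna_conf_path unset (or pointing at a missing file), does appid monitor everything, nothing, or refuse to load? A phrase such as "required when enable_rna_filter = true" in the rna_conf_path help, plus the failure behaviour, would save users from discovering the answer only when appid stops classifying traffic.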
missing tree tracker (sum)
* dce_smb.v2_session_ignored: total number of packets ignored due
to missing session tracker (sum)
+ * dce_smb.v2_ioctl: total number of ioctl calls (sum)
+ * dce_smb.v2_ioctl_err_resp: total number of ioctl errors responses
+ (sum)
+ * dce_smb.v2_ioctl_inv_str_sz: total number of ioctl invalid
+ structure size (sum)
+ * dce_smb.v2_ioctl_req_hdr_err: total number of ioctl request
+ header errors (sum)
+ * dce_smb.v2_ioctl_resp_hdr_err: total number of ioctl response
+ header errors (sum)
* dce_smb.concurrent_sessions: total concurrent sessions (now)
* dce_smb.max_concurrent_sessions: maximum concurrent sessions
(max)
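Review bot: the help string for dce_smb.v2_ioctl_err_resp reads "total number of ioctl errors responses"; it should be "ioctl error responses". The same wording recurs in the sorted peg list later in this diff, so fix the source string rather than the generated text. While here, v2_ioctl_inv_str_sz ("total number of ioctl invalid structure size") would read better in the form already used for v2_logoff_inv_str_sz ("packets seen with invalid structure size").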
response bodies
* bool http_inspect.decompress_zip = false: decompress zip files in
response bodies
- * bool http_inspect.detained_inspection = false: obsolete, do not
- configure
* bool http_inspect.script_detection = false: inspect JavaScript
immediately upon script end
- * bool http_inspect.normalize_javascript = false: normalize
- JavaScript in response bodies
- * int http_inspect.normalization_depth = 0: number of input
- JavaScript bytes to normalize { -1:65535 }
+ * bool http_inspect.normalize_javascript = false: use legacy
+ normalizer to normalize JavaScript in response bodies
+ * int http_inspect.js_normalization_depth = 0: number of input
+ JavaScript bytes to normalize with enhanced normalizer (-1 max
+ allowed value) (experimental) { -1:max53 }
* int http_inspect.max_javascript_whitespaces = 200: maximum
consecutive whitespaces allowed within the JavaScript obfuscated
data { 1:65535 }
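Review bot: the help text for http_inspect.js_normalization_depth, "(-1 max allowed value)", is ambiguous: it can be read as "-1 is the maximum allowed value" when the intent (per the manual text later in this diff) is that -1 selects the maximum depth. Something like "number of input JavaScript bytes to normalize with the enhanced normalizer; -1 selects the maximum depth" removes the ambiguity. Also, http_inspect.detained_inspection is removed outright rather than left as the "obsolete, do not configure" stub, so a snort.lua that still sets it no longer parses against a known parameter; that is fine for an option already marked obsolete, but the ChangeLog entry "http_inspect: remove detained inspection config" should say so.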
* string netflow.dump_file: file name to dump netflow cache on
shutdown; won’t dump by default
+ * int netflow.update_timeout = 3600: the interval at which the
+ system updates host cache information { 0:max32 }
+ * addr netflow.rules[].device_ip: restrict the NetFlow devices from
+ which Snort will analyze packets
+ * bool netflow.rules[].exclude = false: exclude the NetFlow records
+ that match this rule
+ * string netflow.rules[].zones: generate events only for NetFlow
+ packets that originate from these zones
+ * string netflow.rules[].networks: generate events for NetFlow
+ records that contain an initiator or responder IP from these
+ networks
+ * bool netflow.rules[].create_host = false: generate a new host
+ event
+ * bool netflow.rules[].create_service = false: generate a new or
+ changed service event
Peg counts:
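Review bot: netflow.update_timeout = 3600 has no unit in its help text ("the interval at which the system updates host cache information { 0:max32 }"); say "in seconds" if that is what 3600 is, and state what 0 means, since the range permits it. The rules[] entries also leave the combination of exclude = true with create_host or create_service = true undefined; one sentence saying that exclude takes precedence (or that the combination is rejected) would make the filter semantics unambiguous. Finally, netflow.rules[].zones and .networks are typed string while device_ip is addr; if zones and networks accept comma-separated lists, the help text should say so and give the accepted format.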
Help: reputation inspection
-Type: inspector (network)
+Type: inspector (first)
Usage: global
timed out (sum)
* stream_tcp.held_packet_purges: number of held packets that were
purged without flushing (sum)
+ * stream_tcp.held_packet_retries: number of held packets that were
+ added to the retry queue (sum)
* stream_tcp.cur_packets_held: number of packets currently held
(now)
* stream_tcp.max_packets_held: maximum number of packets held
* string s7commplus_opcode.~: opcode code to match
-7.98. sd_pattern
+7.98. script_data
+
+--------------
+
+Help: rule option to set detection cursor to normalized script data
+
+Type: ips_option
+
+Usage: detect
+
+
+7.99. sd_pattern
--------------
* sd_pattern.terminated: hyperscan terminated (sum)
-7.99. seq
+7.100. seq
--------------
range { 0: }
-7.100. service
+7.101. service
--------------
* string service.*: one or more comma-separated service names
-7.101. sha256
+7.102. sha256
--------------
start of buffer
-7.102. sha512
+7.103. sha512
--------------
start of buffer
-7.103. sid
+7.104. sid
--------------
* int sid.~: signature id { 1:max32 }
-7.104. sip_body
+7.105. sip_body
--------------
Usage: detect
-7.105. sip_header
+7.106. sip_header
--------------
Usage: detect
-7.106. sip_method
+7.107. sip_method
--------------
* string sip_method.*method: sip method
-7.107. sip_stat_code
+7.108. sip_stat_code
--------------
* int sip_stat_code.*code: status code { 1:999 }
-7.108. so
+7.109. so
--------------
buffer
-7.109. soid
+7.110. soid
--------------
like 3_45678_9
-7.110. ssl_state
+7.111. ssl_state
--------------
unknown
-7.111. ssl_version
+7.112. ssl_version
--------------
tls1.2
-7.112. stream_reassemble
+7.113. stream_reassemble
--------------
remainder of the session
-7.113. stream_size
+7.114. stream_size
--------------
direction(s) { either|to_server|to_client|both }
-7.114. tag
+7.115. tag
--------------
* int tag.bytes: tag for this many bytes { 1:max32 }
-7.115. target
+7.116. target
--------------
dst_ip }
-7.116. tos
+7.117. tos
--------------
* interval tos.~range: check if IP TOS is in given range { 0:255 }
-7.117. ttl
+7.118. ttl
--------------
0:255 }
-7.118. urg
+7.119. urg
--------------
{ 0:65535 }
-7.119. window
+7.120. window
--------------
range { 0:65535 }
-7.120. wscale
+7.121. wscale
--------------
logging appid statistics { 1:max32 }
* int appid.app_stats_rollover_size = 20971520: max file size for
appid stats before rolling over the log file { 0:max32 }
+ * bool appid.enable_rna_filter = false: monitor only the networks
+ specified in rna configuration
* string appid_listener.file: output data to given file
* bool appid_listener.json_logging = false: log appid data in json
format
* bool appid.log_stats = false: enable logging of appid statistics
* int appid.memcap = 1048576: max size of the service cache before
we start pruning the cache { 1024:maxSZ }
+ * string appid.rna_conf_path: path to rna configuration file
* string appids.~: comma separated list of application names
* bool appid.tp_appid_config_dump: print third party configuration
on startup
response bodies
* bool http_inspect.decompress_zip = false: decompress zip files in
response bodies
- * bool http_inspect.detained_inspection = false: obsolete, do not
- configure
* string http_inspect.ignore_unreserved: do not alert when the
specified unreserved characters are percent-encoded in a
URI.Unreserved characters are 0-9, a-z, A-Z, period, underscore,
mapping to normalize characters
* string http_inspect.iis_unicode_map_file: file containing code
points for IIS unicode. { (optional) }
+ * int http_inspect.js_normalization_depth = 0: number of input
+ JavaScript bytes to normalize with enhanced normalizer (-1 max
+ allowed value) (experimental) { -1:max53 }
* int http_inspect.max_javascript_whitespaces = 200: maximum
consecutive whitespaces allowed within the JavaScript obfuscated
data { 1:65535 }
- * int http_inspect.normalization_depth = 0: number of input
- JavaScript bytes to normalize { -1:65535 }
- * bool http_inspect.normalize_javascript = false: normalize
- JavaScript in response bodies
+ * bool http_inspect.normalize_javascript = false: use legacy
+ normalizer to normalize JavaScript in response bodies
* bool http_inspect.normalize_utf = true: normalize charset utf
encodings in response bodies
* int http_inspect.oversize_dir_length = 300: maximum length for
}
* string netflow.dump_file: file name to dump netflow cache on
shutdown; won’t dump by default
+ * bool netflow.rules[].create_host = false: generate a new host
+ event
+ * bool netflow.rules[].create_service = false: generate a new or
+ changed service event
+ * addr netflow.rules[].device_ip: restrict the NetFlow devices from
+ which Snort will analyze packets
+ * bool netflow.rules[].exclude = false: exclude the NetFlow records
+ that match this rule
+ * string netflow.rules[].networks: generate events for NetFlow
+ records that contain an initiator or responder IP from these
+ networks
+ * string netflow.rules[].zones: generate events only for NetFlow
+ packets that originate from these zones
+ * int netflow.update_timeout = 3600: the interval at which the
+ system updates host cache information { 0:max32 }
* multi network.checksum_drop = none: drop if checksum is bad { all
| ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }
* multi network.checksum_eval = all: checksums to verify { all | ip
* dce_smb.v2_inv_file_ctx_err: total number of times null file
context are seen resulting in not being able to set file size
(sum)
+ * dce_smb.v2_ioctl_err_resp: total number of ioctl errors responses
+ (sum)
+ * dce_smb.v2_ioctl_inv_str_sz: total number of ioctl invalid
+ structure size (sum)
+ * dce_smb.v2_ioctl_req_hdr_err: total number of ioctl request
+ header errors (sum)
+ * dce_smb.v2_ioctl_resp_hdr_err: total number of ioctl response
+ header errors (sum)
+ * dce_smb.v2_ioctl: total number of ioctl calls (sum)
* dce_smb.v2_logoff_inv_str_sz: total number of SMBv2 logoff
packets seen with invalid structure size (sum)
* dce_smb.v2_logoff: total number of SMBv2 logoff (sum)
buffer (sum)
* detection.raw_searches: fast pattern searches in raw packet data
(sum)
+ * detection.script_searches: fast pattern searches in script buffer
+ (sum)
* detection.stat_code_searches: fast pattern searches in status
code buffer (sum)
* detection.stat_msg_searches: fast pattern searches in status
* stream_tcp.gaps: missing data between PDUs (sum)
* stream_tcp.held_packet_purges: number of held packets that were
purged without flushing (sum)
+ * stream_tcp.held_packet_retries: number of held packets that were
+ added to the retry queue (sum)
* stream_tcp.held_packet_rexmits: number of retransmits of held
packets (sum)
* stream_tcp.held_packets_dropped: number of held packets dropped
function code
* s7commplus_opcode (ips_option): rule option to check s7commplus
opcode code
+ * script_data (ips_option): rule option to set detection cursor to
+ normalized script data
* sd_pattern (ips_option): rule option for detecting sensitive data
* search_engine (basic): configure fast pattern matcher
* seq (ips_option): rule option to check TCP sequence number
function code
* ips_option::s7commplus_opcode: rule option to check s7commplus
opcode code
+ * ips_option::script_data: rule option to set detection cursor to
+ normalized script data
* ips_option::sd_pattern: rule option for detecting sensitive data
* ips_option::seq: rule option to check TCP sequence number
* ips_option::service: rule option to specify list of services for
The Snort Team
Revision History
-Revision 3.1.3.0 2021-03-27 11:48:49 EDT TST
+Revision 3.1.4.0 2021-04-21 12:58:20 EDT TST
---------------------------------------------------------------------
6.10.2.7. normalize_javascript
-normalize_javascript = true will enable normalization of JavaScript
-within the HTTP response body. http_inspect looks for JavaScript by
-searching for the <script> tag without a type. Obfuscated data within
-the JavaScript functions such as unescape, String.fromCharCode,
-decodeURI, and decodeURIComponent are normalized. The different
-encodings handled within the unescape, decodeURI, or
-decodeURIComponent are %XX, %uXXXX, XX and uXXXXi. http_inspect also
-replaces consecutive whitespaces with a single space and normalizes
-the plus by concatenating the strings. Such normalizations refer to
-basic JavaScript normalization.
-
-6.10.2.8. normalization_depth
-
-normalization_depth = N {-1 : 65535} will set a number of input
-JavaScript bytes to normalize and enable the whitespace normalizer
-instead of the basic one. Meanwhile, normalize_javascript = true must
-be configured as well. When the depth is reached, normalization will
-be stopped. It’s implemented per-script. normalization_depth = -1
-will configure max depth value. By default, the value is set to 0.
-Configure this option to enable more precise whitespace normalization
-of JavaScript, that removes all redundant whitespaces and line
-terminators from the JavaScript syntax point of view (between
-identifier and punctuator, between identifier and operator, etc.)
-according to ECMAScript 5.1 standard.
+normalize_javascript = true will enable legacy normalizer of
+JavaScript within the HTTP response body. http_inspect looks for
+JavaScript by searching for the <script> tag without a type.
+Obfuscated data within the JavaScript functions such as unescape,
+String.fromCharCode, decodeURI, and decodeURIComponent are
+normalized. The different encodings handled within the unescape,
+decodeURI, or decodeURIComponent are %XX, %uXXXX, XX and uXXXXi.
+http_inspect also replaces consecutive whitespaces with a single
+space and normalizes the plus by concatenating the strings. Such
+normalizations refer to basic JavaScript normalization. Cannot be
+used together with js_normalization_depth (doing so will cause Snort
+to fail to load). This is planned to be deprecated at some point.
+
+6.10.2.8. js_normalization_depth
+
+js_normalization_depth = N {-1 : max53} will set a number of input
+JavaScript bytes to normalize and enable the enhanced normalizer. The
+enhanced and legacy normalizers have mutual exclusion behaviour, so
+you cannot enable both at the same time (doing so will cause Snort to
+fail to load). When the depth is reached, normalization will be
+stopped. It’s implemented per-script. js_normalization_depth = -1,
+will set the max allowed depth value. By default, the value is set to
+0 which means that normalizer is disabled. The enhanced normalizer
+provides more precise whitespace normalization of JavaScript, that
+removes all redundant whitespaces and line terminators from the
+JavaScript syntax point of view (between identifier and punctuator,
+between identifier and operator, etc.) according to ECMAScript 5.1
+standard. This is currently experimental and still under development.
6.10.2.9. xff_headers
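Review bot: the mutual-exclusion rule stated in both 6.10.2.7 and 6.10.2.8 is ambiguous given the documented default: js_normalization_depth defaults to 0, "which means that normalizer is disabled", so it is unclear whether normalize_javascript = true conflicts with any explicit js_normalization_depth setting (including 0) or only with a nonzero depth. State it once, precisely, e.g. "normalize_javascript = true together with js_normalization_depth != 0 is a configuration error and Snort will fail to load", and drop the duplicated sentence from the other section. Two smaller points: "will enable legacy normalizer of JavaScript" should read "enables the legacy JavaScript normalizer", and 6.10.2.8 should say that -1 selects the maximum (max53) depth, using the same wording as the help string in the options list so the two do not drift.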
6.10.4.13. file_data
-file_data contains the normalized message body. This is the
+The file_data contains the normalized message body. This is the
normalization described above under gzip, normalize_utf,
decompress_pdf, decompress_swf, and normalize_javascript.
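Review bot: the only change in 6.10.4.13 is adding "The" in front of "file_data contains the normalized message body", which reads worse, since file_data is an option name, not a noun; either keep the original sentence or, if the point is to name the buffer, write "The file_data buffer contains the normalized message body". It is also worth stating here whether file_data reflects the enhanced normalizer (js_normalization_depth) or only the legacy one (normalize_javascript), since the next section introduces script_data for the enhanced output and a reader will want to know which buffer to match on.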
+6.10.4.14. script_data
+
+The script_data ips option is used as sticky buffer and contains only
+the normalized JavaScript HTTP response body without script tags. In
+scope of rules the script_data option takes place with enabled new
+enhanced normalizer, so it is used in combination with http_inspect =
+{ js_normalization_depth = N }. The js_normalization_depth option is
+described above. In rules the script_data can be used with file_data
+option where file_data would contain the whole HTTP response body for
+content matching.
+
6.10.5. Timing issues and combining rule options
HTTP inspector is stateful. That means it is aware of a bigger
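Review bot: 6.10.4.14 says script_data "takes place with enabled new enhanced normalizer" but never states what the buffer holds when js_normalization_depth is left at its default 0 (empty, so the rule cannot match?), and the sentence itself needs rewording, e.g. "script_data is a sticky buffer that holds the normalized JavaScript from the HTTP response body, without the script tags. It is only populated when the enhanced normalizer is enabled (http_inspect = { js_normalization_depth = N })". A minimal rule example would also help, since this is the first sticky buffer in the manual tied to a specific normalizer, e.g. alert http ( msg:"js eval in script"; script_data; content:"eval("; sid:1000001; ) and the last sentence should say plainly whether one rule may set both file_data and script_data cursors, because "can be used with file_data option" does not make clear that it means within the same rule.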