<div class="literalblock">\r
<div class="content">\r
<pre><code> ,,_ -*> Snort++ <*-\r
-o" )~ Version 3.0.0 (Build 262)\r
+o" )~ Version 3.0.0 (Build 264)\r
'''' By Martin Roesch & The Snort Team\r
http://snort.org/contact#team\r
Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.\r
</li>\r
<li>\r
<p>\r
-bool <strong>output.wide_hex_dump</strong> = true: output 20 bytes per lines instead of 16 when dumping buffers\r
+bool <strong>output.wide_hex_dump</strong> = false: output 20 bytes per lines instead of 16 when dumping buffers\r
</p>\r
</li>\r
</ul></div>\r
</li>\r
<li>\r
<p>\r
-int <strong>snort.--pause-after-n</strong>: <count> pause after count packets { 1:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
string <strong>snort.--pcap-file</strong>: <file> file that contains a list of pcaps to read - read mode is implied\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--piglet</strong>: enable piglet test harness mode\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
string <strong>snort.--plugin-path</strong>: <path> where to find plugins\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--catch-test</strong>: comma separated list of cat unit test tags or <em>all</em>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
implied <strong>snort.--version</strong>: show version number (same as -V)\r
</p>\r
</li>\r
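Review bot: the `--pause-after-n` removal in this hunk drops an operational option together with two test-harness ones (`--piglet`, `--catch-test`), and nothing here says whether it was replaced or only undocumented. `--pause` (wait for resume/quit command before processing packets/terminating) is still listed, so a reader will assume count-based pausing still exists as well; add a changelog line or a sentence on the `--pause` entry stating that `--pause-after-n` is gone. Dropping `--piglet` and `--catch-test` from the user manual is fine, since they only drove the unit-test harness, but the option parser should reject the removed flags with a clear error rather than silently accepting them.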
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>appid.first_decrypted_packet_debug</strong> = 0: the first packet of an already decrypted SSL flow (debug single session only) { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>appid.memcap</strong> = 1048576: max size of the service cache before we start pruning the cache { 1024:maxSZ }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-enum <strong>dce_smb.smb_file_inspection</strong> = off: SMB file inspection { off | on | only }\r
+enum <strong>dce_smb.smb_file_inspection</strong>: deprecated (not used): file inspection controlled by smb_file_depth { off | on | only }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>dce_smb.smb_file_depth</strong> = 16384: SMB file depth for file data { -1:32767 }\r
+int <strong>dce_smb.smb_file_depth</strong> = 16384: SMB file depth for file data (-1 = disabled, 0 = unlimited) { -1:32767 }\r
</p>\r
</li>\r
<li>\r
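Review bot: the new `smb_file_inspection` entry marks the option `deprecated (not used)` but keeps the `{ off | on | only }` value set and drops the `= off` default, so it is not stated what a config that still sets `smb_file_inspection = 'only'` now does (ignored, warning, or hard error). Say so explicitly. Also, with the old enum defaulting to `off` and the replacement `smb_file_depth` defaulting to `16384` (`-1 = disabled, 0 = unlimited`), SMB file inspection appears to be on by default where it previously was off; if that is intended, document it as a default change and tell migrating users that `smb_file_depth = -1` is the equivalent of the old `off`.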
<div class="paragraph"><p>What: HTTP/2 inspector</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
<div class="paragraph"><p>Usage: inspect</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-bool <strong>http2_inspect.test_input</strong> = false: read HTTP/2 messages from text file\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http2_inspect.test_output</strong> = false: print out HTTP section data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>http2_inspect.print_amount</strong> = 1200: number of characters to print from a Field { 1:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http2_inspect.print_hex</strong> = false: nonprinting characters printed in [HH] format instead of using an asterisk\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http2_inspect.show_pegs</strong> = true: display peg counts with test output\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http2_inspect.show_scan</strong> = false: display scanned segments\r
-</p>\r
-</li>\r
-</ul></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
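Review bot: removing `test_input`, `test_output`, `print_amount`, `print_hex`, `show_pegs` and `show_scan` from the `http2_inspect` table is right for a user manual (reading HTTP/2 messages from a text file and dumping section data is a developer harness, not a deployment knob), but the hunk also deletes the `Configuration:` heading itself, leaving the inspector with no documented parameters at all. If the inspector has no user-facing options, a line saying so is clearer than an absent section; and if the removed keys still exist in the Lua schema, a stale `http2_inspect = { test_output = true }` in a production config should now fail at parse time rather than be silently honoured, which is worth one sentence here.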
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.accelerated_blocking</strong> = false: inspect JavaScript in response messages as soon as possible\r
+bool <strong>http_inspect.detained_inspection</strong> = false: store-and-forward as necessary to effectively block alerting JavaScript\r
</p>\r
</li>\r
<li>\r
bool <strong>http_inspect.simplify_path</strong> = true: reduce URI directory path to simplest form\r
</p>\r
</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.test_input</strong> = false: read HTTP messages from text file\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.test_output</strong> = false: print out HTTP section data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>http_inspect.print_amount</strong> = 1200: number of characters to print from a Field { 1:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.print_hex</strong> = false: nonprinting characters printed in [HH] format instead of using an asterisk\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.show_pegs</strong> = true: display peg counts with test output\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.show_scan</strong> = false: display scanned segments\r
-</p>\r
-</li>\r
</ul></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
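Review bot: `http_inspect.accelerated_blocking` is renamed to `detained_inspection` in this hunk with no alias or migration note, so an existing `http_inspect = { accelerated_blocking = true }` will either fail or be ignored on upgrade; add a deprecation entry and make sure the config validator and snort2lua report the old name clearly. The new description, `store-and-forward as necessary to effectively block alerting JavaScript`, should also say what is being held back (TCP segments of the response, per the `detained_packets` peg below) and that this adds latency to the affected flows, since that is the trade-off an operator enabling it inline needs to see. The same hunk silently drops the `test_input` / `test_output` / `print_*` / `show_*` developer options from `http_inspect`, which is fine, but they should be rejected rather than accepted if still present in a config.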
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.detained_packets</strong>: TCP packets delayed by accelerated blocking (sum)\r
+<strong>http_inspect.detained_packets</strong>: TCP packets delayed by detained inspection (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.partial_inspections</strong>: pre-inspections for accelerated blocking (sum)\r
+<strong>http_inspect.partial_inspections</strong>: pre-inspections for detained inspection (sum)\r
</p>\r
</li>\r
</ul></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>imap.b64_decode_depth</strong> = 1460: base64 decoding depth (-1 no limit) { -1:65535 }\r
+int <strong>imap.b64_decode_depth</strong> = -1: base64 decoding depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>imap.bitenc_decode_depth</strong> = 1460: non-Encoded MIME attachment extraction depth (-1 no limit) { -1:65535 }\r
+int <strong>imap.bitenc_decode_depth</strong> = -1: non-Encoded MIME attachment extraction depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>imap.qp_decode_depth</strong> = 1460: quoted Printable decoding depth (-1 no limit) { -1:65535 }\r
+int <strong>imap.qp_decode_depth</strong> = -1: quoted Printable decoding depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>imap.uu_decode_depth</strong> = 1460: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }\r
+int <strong>imap.uu_decode_depth</strong> = -1: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
</ul></div>\r
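Review bot: the four `imap.*_decode_depth` defaults in this hunk move from `1460` to `-1` (no limit), and the same change is made for `pop` and `smtp` further down. This is a detection-coverage improvement: at 1460 the decoders only touched the first MSS-sized chunk of each attachment, so any payload past that point in a base64, quoted-printable, uuencoded or non-encoded MIME part was never exposed to rules. It is also a resource change, though: decoding every attachment in full is now bounded only by whatever memcap governs these inspectors, and this table does not name one. Either reference that cap in the description or document `1460` as the value to set back on memory-constrained sensors, and call out the new default in the release notes since it changes per-flow memory on mail-heavy links.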
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.ips</strong> = false: ensure consistency in retransmitted data\r
+bool <strong>normalizer.tcp.ips</strong> = true: ensure consistency in retransmitted data\r
</p>\r
</li>\r
<li>\r
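Review bot: flipping `normalizer.tcp.ips` from `false` to `true` is a behaviour change for inline deployments, not a documentation fix. `ensure consistency in retransmitted data` means retransmitted segments that differ from the copy already forwarded are rewritten to match, which closes the retransmission/overlap evasion class but also means Snort modifies traffic by default. Note this in the release notes, and clarify in the description whether the option has any effect when Snort is not inline, so passive readers do not assume it hardens IDS mode.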
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>pop.b64_decode_depth</strong> = 1460: base64 decoding depth (-1 no limit) { -1:65535 }\r
+int <strong>pop.b64_decode_depth</strong> = -1: base64 decoding depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>pop.bitenc_decode_depth</strong> = 1460: Non-Encoded MIME attachment extraction depth (-1 no limit) { -1:65535 }\r
+int <strong>pop.bitenc_decode_depth</strong> = -1: Non-Encoded MIME attachment extraction depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>pop.qp_decode_depth</strong> = 1460: Quoted Printable decoding depth (-1 no limit) { -1:65535 }\r
+int <strong>pop.qp_decode_depth</strong> = -1: Quoted Printable decoding depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>pop.uu_decode_depth</strong> = 1460: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }\r
+int <strong>pop.uu_decode_depth</strong> = -1: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
</ul></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>port_scan.memcap</strong> = 1048576: maximum tracker memory in bytes { 1024:maxSZ }\r
+int <strong>port_scan.memcap</strong> = 10485760: maximum tracker memory in bytes { 1024:maxSZ }\r
</p>\r
</li>\r
<li>\r
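Review bot: `port_scan.memcap` goes from `1048576` to `10485760` in this hunk, a tenfold increase in default tracker memory, with no change to the description. The practical effect is that more scanning sources are tracked before the cap is hit, which is good for detection, but it is a 9 MB per-instance increase that multi-instance deployments will notice. Record the new default in the release notes and state what happens at the cap (oldest trackers evicted vs. new sources not tracked), since that determines whether a noisy scanner can push quieter ones out of view.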
</ul></div>\r
</div>\r
<div class="sect2">\r
+<h3 id="_s7commplus">s7commplus</h3>\r
+<div class="paragraph"><p>What: s7commplus inspection</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+<strong>149:1</strong> (s7commplus) length in S7commplus MBAP header does not match the length needed for the given S7commplus function\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>149:2</strong> (s7commplus) S7commplus protocol ID is non-zero\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>149:3</strong> (s7commplus) reserved S7commplus function code in use\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+<strong>s7commplus.sessions</strong>: total sessions processed (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>s7commplus.frames</strong>: total S7commplus messages (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>s7commplus.concurrent_sessions</strong>: total concurrent s7commplus sessions (now)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>s7commplus.max_concurrent_sessions</strong>: maximum concurrent s7commplus sessions (max)\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
<h3 id="_sip">sip</h3>\r
<div class="paragraph"><p>What: sip inspection</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
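Review bot: the rule messages in the new `s7commplus` section describe the wrong protocol. `149:1` refers to the `length in S7commplus MBAP header` and `149:2` to the `protocol ID is non-zero`; MBAP is the Modbus/TCP application header and a mandatory-zero protocol identifier is a Modbus check, so both read as carried over from the modbus inspector's rule text. An analyst triaging a 149:1 alert will go looking for a header field that S7CommPlus does not have; reword the three messages to name the actual S7CommPlus length and identifier fields being validated. Separately, the section has `Rules:` and `Peg counts:` but no `Configuration:` and no note on how the inspector is bound to traffic (port or service in the binder), so a reader cannot tell how to enable it; add that sentence.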
</li>\r
<li>\r
<p>\r
-int <strong>smtp.b64_decode_depth</strong> = 1460: depth used to decode the base64 encoded MIME attachments (-1 no limit) { -1:65535 }\r
+int <strong>smtp.b64_decode_depth</strong> = -1: depth used to decode the base64 encoded MIME attachments (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.bitenc_decode_depth</strong> = 1460: depth used to extract the non-encoded MIME attachments (-1 no limit) { -1:65535 }\r
+int <strong>smtp.bitenc_decode_depth</strong> = -1: depth used to extract the non-encoded MIME attachments (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.qp_decode_depth</strong> = 1460: quoted-Printable decoding depth (-1 no limit) { -1:65535 }\r
+int <strong>smtp.qp_decode_depth</strong> = -1: quoted-Printable decoding depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.uu_decode_depth</strong> = 1460: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }\r
+int <strong>smtp.uu_decode_depth</strong> = -1: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<strong>stream.expected_overflows</strong>: number of expected cache overflows (sum)\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+<strong>stream.reload_total_adds</strong>: number of flows added by config reloads (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.reload_total_deletes</strong>: number of flows deleted by config reloads (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.reload_freelist_deletes</strong>: number of flows deleted from the free list by config reloads (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.reload_allowed_deletes</strong>: number of allowed flows deleted by config reloads (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.reload_blocked_deletes</strong>: number of blocked flows deleted by config reloads (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.reload_offloaded_deletes</strong>: number of offloaded flows deleted by config reloads (sum)\r
+</p>\r
+</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
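Review bot: the six new `stream.reload_*` pegs list four categorized delete counters (`freelist`, `allowed`, `blocked`, `offloaded`) next to `reload_total_deletes`, but the descriptions do not say whether the total is the sum of the four or whether flows in none of those states are counted only in the total. State the relationship, because an operator who sees `reload_blocked_deletes` rise after a config reload needs to know that blocked flows were torn down, and their block verdict with them, rather than merely re-counted; that is the security-relevant reading of this counter.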
</li>\r
<li>\r
<p>\r
-bool <strong>telnet.encrypted_traffic</strong> = false: check for encrypted Telnet and FTP\r
+bool <strong>telnet.encrypted_traffic</strong> = false: check for encrypted Telnet\r
</p>\r
</li>\r
<li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
+<h3 id="_s7commplus_content">s7commplus_content</h3>\r
+<div class="paragraph"><p>What: rule option to set cursor to s7commplus content</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_s7commplus_func">s7commplus_func</h3>\r
+<div class="paragraph"><p>What: rule option to check s7commplus function code</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+string <strong>s7commplus_func.~</strong>: function code to match\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_s7commplus_opcode">s7commplus_opcode</h3>\r
+<div class="paragraph"><p>What: rule option to check s7commplus opcode code</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+string <strong>s7commplus_opcode.~</strong>: opcode code to match\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
<h3 id="_sd_pattern">sd_pattern</h3>\r
<div class="paragraph"><p>What: rule option for detecting sensitive data</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
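Review bot: `s7commplus_func.~` and `s7commplus_opcode.~` are typed `string` with the descriptions `function code to match` and `opcode code to match`, but nothing says which values are accepted (symbolic names, decimal, hex) or what happens on an unknown value, so a rule author cannot write a valid `s7commplus_func:` option from this page. List the accepted keywords or the numeric range, and fix `opcode code to match` (and `check s7commplus opcode code` in the `What:` line) to `opcode to match`. `s7commplus_content` is fine as a cursor-setting option, but one line on where the cursor lands would show how it combines with `content:` in a rule.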
</li>\r
<li>\r
<p>\r
-<strong>--print-binding-order</strong>\r
- Print sorting priority used when generating binder table\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>--print-differences</strong> Same as <em>-d</em>. output the differences, and only the\r
differences, between the Snort and Snort++ configurations to\r
the <out_file>\r
</li>\r
<li>\r
<p>\r
-<strong>--pause-after-n</strong> <count> pause after count packets (1:max53)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>--pcap-file</strong> <file> file that contains a list of pcaps to read - read mode is implied\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>--piglet</strong> enable piglet test harness mode\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>--plugin-path</strong> <path> where to find plugins\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>--catch-test</strong> comma separated list of cat unit test tags or <em>all</em>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>--version</strong> show version number (same as -V)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>appid.first_decrypted_packet_debug</strong> = 0: the first packet of an already decrypted SSL flow (debug single session only) { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>appid.instance_id</strong> = 0: instance id - ignored { 0:max32 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>dce_smb.smb_file_depth</strong> = 16384: SMB file depth for file data { -1:32767 }\r
+int <strong>dce_smb.smb_file_depth</strong> = 16384: SMB file depth for file data (-1 = disabled, 0 = unlimited) { -1:32767 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>dce_smb.smb_file_inspection</strong> = off: SMB file inspection { off | on | only }\r
+enum <strong>dce_smb.smb_file_inspection</strong>: deprecated (not used): file inspection controlled by smb_file_depth { off | on | only }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>http2_inspect.print_amount</strong> = 1200: number of characters to print from a Field { 1:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http2_inspect.print_hex</strong> = false: nonprinting characters printed in [HH] format instead of using an asterisk\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http2_inspect.show_pegs</strong> = true: display peg counts with test output\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http2_inspect.show_scan</strong> = false: display scanned segments\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http2_inspect.test_input</strong> = false: read HTTP/2 messages from text file\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http2_inspect.test_output</strong> = false: print out HTTP section data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
implied <strong>http_cookie.request</strong>: match against the cookie from the request message even when examining the response\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.accelerated_blocking</strong> = false: inspect JavaScript in response messages as soon as possible\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
bool <strong>http_inspect.backslash_to_slash</strong> = false: replace \ with / when normalizing URIs\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>http_inspect.detained_inspection</strong> = false: store-and-forward as necessary to effectively block alerting JavaScript\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>http_inspect.ignore_unreserved</strong>: do not alert when the specified unreserved characters are percent-encoded in a URI.Unreserved characters are 0-9, a-z, A-Z, period, underscore, tilde, and minus. { (optional) }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_inspect.print_amount</strong> = 1200: number of characters to print from a Field { 1:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.print_hex</strong> = false: nonprinting characters printed in [HH] format instead of using an asterisk\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>http_inspect.request_depth</strong> = -1: maximum request message body bytes to examine (-1 no limit) { -1:max53 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.show_pegs</strong> = true: display peg counts with test output\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.show_scan</strong> = false: display scanned segments\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
bool <strong>http_inspect.simplify_path</strong> = true: reduce URI directory path to simplest form\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.test_input</strong> = false: read HTTP messages from text file\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>http_inspect.test_output</strong> = false: print out HTTP section data\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
bool <strong>http_inspect.unzip</strong> = true: decompress gzip and deflate message bodies\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>imap.b64_decode_depth</strong> = 1460: base64 decoding depth (-1 no limit) { -1:65535 }\r
+int <strong>imap.b64_decode_depth</strong> = -1: base64 decoding depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>imap.bitenc_decode_depth</strong> = 1460: non-Encoded MIME attachment extraction depth (-1 no limit) { -1:65535 }\r
+int <strong>imap.bitenc_decode_depth</strong> = -1: non-Encoded MIME attachment extraction depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>imap.qp_decode_depth</strong> = 1460: quoted Printable decoding depth (-1 no limit) { -1:65535 }\r
+int <strong>imap.qp_decode_depth</strong> = -1: quoted Printable decoding depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>imap.uu_decode_depth</strong> = 1460: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }\r
+int <strong>imap.uu_decode_depth</strong> = -1: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>normalizer.tcp.ips</strong> = false: ensure consistency in retransmitted data\r
+bool <strong>normalizer.tcp.ips</strong> = true: ensure consistency in retransmitted data\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>output.wide_hex_dump</strong> = true: output 20 bytes per lines instead of 16 when dumping buffers\r
+bool <strong>output.wide_hex_dump</strong> = false: output 20 bytes per lines instead of 16 when dumping buffers\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>pop.b64_decode_depth</strong> = 1460: base64 decoding depth (-1 no limit) { -1:65535 }\r
+int <strong>pop.b64_decode_depth</strong> = -1: base64 decoding depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>pop.bitenc_decode_depth</strong> = 1460: Non-Encoded MIME attachment extraction depth (-1 no limit) { -1:65535 }\r
+int <strong>pop.bitenc_decode_depth</strong> = -1: Non-Encoded MIME attachment extraction depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>pop.qp_decode_depth</strong> = 1460: Quoted Printable decoding depth (-1 no limit) { -1:65535 }\r
+int <strong>pop.qp_decode_depth</strong> = -1: Quoted Printable decoding depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>pop.uu_decode_depth</strong> = 1460: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }\r
+int <strong>pop.uu_decode_depth</strong> = -1: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>port_scan.memcap</strong> = 1048576: maximum tracker memory in bytes { 1024:maxSZ }\r
+int <strong>port_scan.memcap</strong> = 10485760: maximum tracker memory in bytes { 1024:maxSZ }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+string <strong>s7commplus_func.~</strong>: function code to match\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>s7commplus_opcode.~</strong>: opcode code to match\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>sd_pattern.~pattern</strong>: The pattern to search for\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.b64_decode_depth</strong> = 1460: depth used to decode the base64 encoded MIME attachments (-1 no limit) { -1:65535 }\r
+int <strong>smtp.b64_decode_depth</strong> = -1: depth used to decode the base64 encoded MIME attachments (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.bitenc_decode_depth</strong> = 1460: depth used to extract the non-encoded MIME attachments (-1 no limit) { -1:65535 }\r
+int <strong>smtp.bitenc_decode_depth</strong> = -1: depth used to extract the non-encoded MIME attachments (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.qp_decode_depth</strong> = 1460: quoted-Printable decoding depth (-1 no limit) { -1:65535 }\r
+int <strong>smtp.qp_decode_depth</strong> = -1: quoted-Printable decoding depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.uu_decode_depth</strong> = 1460: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }\r
+int <strong>smtp.uu_decode_depth</strong> = -1: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--catch-test</strong>: comma separated list of cat unit test tags or <em>all</em>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
string <strong>snort.-c</strong>: <conf> use this configuration\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>snort.--pause-after-n</strong>: <count> pause after count packets { 1:max53 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
implied <strong>snort.--pause</strong>: wait for resume/quit command before processing packets/terminating\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--piglet</strong>: enable piglet test harness mode\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
string <strong>snort.--plugin-path</strong>: <path> where to find plugins\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>telnet.encrypted_traffic</strong> = false: check for encrypted Telnet and FTP\r
+bool <strong>telnet.encrypted_traffic</strong> = false: check for encrypted Telnet\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.detained_packets</strong>: TCP packets delayed by accelerated blocking (sum)\r
+<strong>http_inspect.detained_packets</strong>: TCP packets delayed by detained inspection (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.partial_inspections</strong>: pre-inspections for accelerated blocking (sum)\r
+<strong>http_inspect.partial_inspections</strong>: pre-inspections for detained inspection (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>s7commplus.concurrent_sessions</strong>: total concurrent s7commplus sessions (now)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>s7commplus.frames</strong>: total S7commplus messages (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>s7commplus.max_concurrent_sessions</strong>: maximum concurrent s7commplus sessions (max)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>s7commplus.sessions</strong>: total sessions processed (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>sd_pattern.below_threshold</strong>: sd_pattern matched but missed threshold (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>stream.reload_allowed_deletes</strong>: number of allowed flows deleted by config reloads (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.reload_blocked_deletes</strong>: number of blocked flows deleted by config reloads (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.reload_freelist_deletes</strong>: number of flows deleted from the free list by config reloads (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.reload_offloaded_deletes</strong>: number of offloaded flows deleted by config reloads (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.reload_total_adds</strong>: number of flows added by config reloads (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.reload_total_deletes</strong>: number of flows deleted by config reloads (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>stream_tcp.client_cleanups</strong>: number of times data from server was flushed when session released (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>149</strong>: s7commplus\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>175</strong>: domain_filter\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>149:1</strong> (s7commplus) length in S7commplus MBAP header does not match the length needed for the given S7commplus function\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>149:2</strong> (s7commplus) S7commplus protocol ID is non-zero\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>149:3</strong> (s7commplus) reserved S7commplus function code in use\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>175:1</strong> (domain_filter) configured domain detected\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>s7commplus</strong> (inspector): s7commplus inspection\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>s7commplus_content</strong> (ips_option): rule option to set cursor to s7commplus content\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>s7commplus_func</strong> (ips_option): rule option to check s7commplus function code\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>s7commplus_opcode</strong> (ips_option): rule option to check s7commplus opcode code\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>sd_pattern</strong> (ips_option): rule option for detecting sensitive data\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>inspector::s7commplus</strong>: s7commplus inspection\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>inspector::sip</strong>: sip inspection\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>ips_option::s7commplus_content</strong>: rule option to set cursor to s7commplus content\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>ips_option::s7commplus_func</strong>: rule option to check s7commplus function code\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>ips_option::s7commplus_opcode</strong>: rule option to check s7commplus opcode code\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>ips_option::sd_pattern</strong>: rule option for detecting sensitive data\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>piglet::pp_codec</strong>: Codec piglet\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>piglet::pp_inspector</strong>: Inspector piglet\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>piglet::pp_ips_action</strong>: Ips action piglet\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>piglet::pp_ips_option</strong>: Ips option piglet\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>piglet::pp_logger</strong>: Logger piglet\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>piglet::pp_search_engine</strong>: Search engine piglet\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>piglet::pp_so_rule</strong>: SO rule piglet\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>piglet::pp_test</strong>: Test piglet\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>search_engine::ac_banded</strong>: Aho-Corasick Banded (high memory, moderate performance)\r
</p>\r
</li>\r
<div id="footer">\r
<div id="footer-text">\r
Last updated\r
- 2019-10-31 02:50:11 EDT\r
+ 2019-11-06 08:35:24 EST\r
</div>\r
</div>\r
</body>\r
9.35. rt_global
9.36. rt_packet
9.37. rt_service
- 9.38. sip
- 9.39. smtp
- 9.40. ssh
- 9.41. ssl
- 9.42. stream
- 9.43. stream_file
- 9.44. stream_icmp
- 9.45. stream_ip
- 9.46. stream_tcp
- 9.47. stream_udp
- 9.48. stream_user
- 9.49. telnet
- 9.50. wizard
+ 9.38. s7commplus
+ 9.39. sip
+ 9.40. smtp
+ 9.41. ssh
+ 9.42. ssl
+ 9.43. stream
+ 9.44. stream_file
+ 9.45. stream_icmp
+ 9.46. stream_ip
+ 9.47. stream_tcp
+ 9.48. stream_udp
+ 9.49. stream_user
+ 9.50. telnet
+ 9.51. wizard
10. IPS Action Modules
11.79. replace
11.80. rev
11.81. rpc
- 11.82. sd_pattern
- 11.83. seq
- 11.84. service
- 11.85. session
- 11.86. sha256
- 11.87. sha512
- 11.88. sid
- 11.89. sip_body
- 11.90. sip_header
- 11.91. sip_method
- 11.92. sip_stat_code
- 11.93. so
- 11.94. soid
- 11.95. ssl_state
- 11.96. ssl_version
- 11.97. stream_reassemble
- 11.98. stream_size
- 11.99. tag
- 11.100. target
- 11.101. tos
- 11.102. ttl
- 11.103. urg
- 11.104. window
- 11.105. wscale
+ 11.82. s7commplus_content
+ 11.83. s7commplus_func
+ 11.84. s7commplus_opcode
+ 11.85. sd_pattern
+ 11.86. seq
+ 11.87. service
+ 11.88. session
+ 11.89. sha256
+ 11.90. sha512
+ 11.91. sid
+ 11.92. sip_body
+ 11.93. sip_header
+ 11.94. sip_method
+ 11.95. sip_stat_code
+ 11.96. so
+ 11.97. soid
+ 11.98. ssl_state
+ 11.99. ssl_version
+ 11.100. stream_reassemble
+ 11.101. stream_size
+ 11.102. tag
+ 11.103. target
+ 11.104. tos
+ 11.105. ttl
+ 11.106. urg
+ 11.107. window
+ 11.108. wscale
12. Search Engine Modules
13. SO Rule Modules
Snorty
,,_ -*> Snort++ <*-
-o" )~ Version 3.0.0 (Build 262)
+o" )~ Version 3.0.0 (Build 264)
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
* bool output.verbose = false: be verbose (same as -v)
* bool output.obfuscate = false: obfuscate the logged IP addresses
(same as -O)
- * bool output.wide_hex_dump = true: output 20 bytes per lines
+ * bool output.wide_hex_dump = false: output 20 bytes per lines
instead of 16 when dumping buffers
* implied snort.--nolock-pidfile: do not try to lock Snort PID file
* implied snort.--pause: wait for resume/quit command before
processing packets/terminating
- * int snort.--pause-after-n: <count> pause after count packets {
- 1:max53 }
* string snort.--pcap-file: <file> file that contains a list of
pcaps to read - read mode is implied
* string snort.--pcap-list: <list> a space separated list of pcaps
* implied snort.--pcap-show: print a line saying what pcap is
currently being read
* implied snort.--pedantic: warnings are fatal
- * implied snort.--piglet: enable piglet test harness mode
* string snort.--plugin-path: <path> where to find plugins
* implied snort.--process-all-events: process all action groups
* string snort.--rule: <rules> to be added to configuration; may be
* implied snort.--treat-drop-as-ignore: use drop, block, and reset
rules to ignore session traffic when not inline
* string snort.--tweaks: tune configuration
- * string snort.--catch-test: comma separated list of cat unit test
- tags or all
* implied snort.--version: show version number (same as -V)
* implied snort.--warn-all: enable all warnings
* implied snort.--warn-conf: warn about configuration issues
Configuration:
- * int appid.first_decrypted_packet_debug = 0: the first packet of
- an already decrypted SSL flow (debug single session only) {
- 0:max32 }
* int appid.memcap = 1048576: max size of the service cache before
we start pruning the cache { 1024:maxSZ }
* bool appid.log_stats = false: enable logging of appid statistics
* int dce_smb.smb_max_compound = 3: SMB max compound size { 0:255 }
* multi dce_smb.valid_smb_versions = all: valid SMB versions { v1 |
v2 | all }
- * enum dce_smb.smb_file_inspection = off: SMB file inspection { off
- | on | only }
+ * enum dce_smb.smb_file_inspection: deprecated (not used): file
+ inspection controlled by smb_file_depth { off | on | only }
* int dce_smb.smb_file_depth = 16384: SMB file depth for file data
- { -1:32767 }
+ (-1 = disabled, 0 = unlimited) { -1:32767 }
* string dce_smb.smb_invalid_shares: SMB shares to alert on
* bool dce_smb.smb_legacy_mode = false: inspect only SMBv1
* int dce_smb.trace: mask for enabling debug traces in module {
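Review bot: the new smb_file_depth wording "(-1 = disabled, 0 = unlimited)" is the opposite of the -1 convention used by every decode-depth option elsewhere in this diff (imap, pop and smtp all document "-1 no limit"), so an operator tuning depths across modules can disable SMB file inspection while believing they made it unlimited; spell out that asymmetry in the smb_file_depth text or cross-reference the mail modules. Also, smb_file_inspection is marked deprecated but still lists { off | on | only } as if the values were honoured; state that the value is ignored and whether setting it is silently accepted or warned about, since the range list reads as if it still matters.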
Usage: inspect
-Configuration:
-
- * bool http2_inspect.test_input = false: read HTTP/2 messages from
- text file
- * bool http2_inspect.test_output = false: print out HTTP section
- data
- * int http2_inspect.print_amount = 1200: number of characters to
- print from a Field { 1:max53 }
- * bool http2_inspect.print_hex = false: nonprinting characters
- printed in [HH] format instead of using an asterisk
- * bool http2_inspect.show_pegs = true: display peg counts with test
- output
- * bool http2_inspect.show_scan = false: display scanned segments
-
Rules:
* 121:1 (http2_inspect) error in HPACK integer value
response bodies
* bool http_inspect.decompress_zip = false: decompress zip files in
response bodies
- * bool http_inspect.accelerated_blocking = false: inspect
- JavaScript in response messages as soon as possible
+ * bool http_inspect.detained_inspection = false: store-and-forward
+ as necessary to effectively block alerting JavaScript
* bool http_inspect.normalize_javascript = false: normalize
JavaScript in response bodies
* int http_inspect.max_javascript_whitespaces = 200: maximum
normalizing URIs
* bool http_inspect.simplify_path = true: reduce URI directory path
to simplest form
- * bool http_inspect.test_input = false: read HTTP messages from
- text file
- * bool http_inspect.test_output = false: print out HTTP section
- data
- * int http_inspect.print_amount = 1200: number of characters to
- print from a Field { 1:max53 }
- * bool http_inspect.print_hex = false: nonprinting characters
- printed in [HH] format instead of using an asterisk
- * bool http_inspect.show_pegs = true: display peg counts with test
- output
- * bool http_inspect.show_scan = false: display scanned segments
Rules:
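Review bot: http_inspect.accelerated_blocking is renamed to http_inspect.detained_inspection with no alias or deprecation line, so a policy that still sets accelerated_blocking = true has no documented meaning after this change; keep the old name as a deprecated alias or list it explicitly as removed, since the feature is the one that decides whether alerting JavaScript is actually blocked rather than logged. The test_input, test_output, print_amount, print_hex, show_pegs and show_scan entries are deleted here and for http2_inspect above; if those knobs still exist in code they should be labelled developer-only rather than vanish from the reference, because a config that sets them now has nothing to check against.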
(now)
* http_inspect.max_concurrent_sessions: maximum concurrent http
sessions (max)
- * http_inspect.detained_packets: TCP packets delayed by accelerated
- blocking (sum)
- * http_inspect.partial_inspections: pre-inspections for accelerated
- blocking (sum)
+ * http_inspect.detained_packets: TCP packets delayed by detained
+ inspection (sum)
+ * http_inspect.partial_inspections: pre-inspections for detained
+ inspection (sum)
9.24. imap
Configuration:
- * int imap.b64_decode_depth = 1460: base64 decoding depth (-1 no
+ * int imap.b64_decode_depth = -1: base64 decoding depth (-1 no
limit) { -1:65535 }
- * int imap.bitenc_decode_depth = 1460: non-Encoded MIME attachment
+ * int imap.bitenc_decode_depth = -1: non-Encoded MIME attachment
extraction depth (-1 no limit) { -1:65535 }
* bool imap.decompress_pdf = false: decompress pdf files in MIME
attachments
attachments
* bool imap.decompress_zip = false: decompress zip files in MIME
attachments
- * int imap.qp_decode_depth = 1460: quoted Printable decoding depth
+ * int imap.qp_decode_depth = -1: quoted Printable decoding depth
(-1 no limit) { -1:65535 }
- * int imap.uu_decode_depth = 1460: Unix-to-Unix decoding depth (-1
- no limit) { -1:65535 }
+ * int imap.uu_decode_depth = -1: Unix-to-Unix decoding depth (-1 no
+ limit) { -1:65535 }
Rules:
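Review bot: changing the four imap decode depths (b64, bitenc, qp, uu) from 1460 to -1 moves the default from decoding roughly one TCP segment of each attachment to decoding all of it; that closes a real evasion gap (attachment content beyond byte 1460 was never decoded, so nothing past it could match a rule) but it is also a throughput and memory change on mail-heavy links, and the same flip is made for pop and smtp below. It needs an explicit release-note sentence stating the security rationale and telling operators that setting the depths back to 1460 restores the previous bound if they see CPU regressions, and the wording of the three modules should be changed together so they stay in sync.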
normalization
* bool normalizer.tcp.urp = true: adjust urgent pointer if beyond
segment length
- * bool normalizer.tcp.ips = false: ensure consistency in
+ * bool normalizer.tcp.ips = true: ensure consistency in
retransmitted data
* select normalizer.tcp.ecn = off: clear ecn for all packets |
sessions w/o ecn setup { off | packet | stream }
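Review bot: normalizer.tcp.ips going from false to true is a security-relevant default change (retransmitted segments are made consistent with the data already inspected, which removes the inconsistent-retransmission evasion against inline sensors) and should be called out more prominently than a one-word default flip; the normalizer only acts in inline mode, so note that passive deployments are unaffected and that inline deployments which previously relied on retransmissions being forwarded untouched need to opt out with normalizer.tcp.ips = false.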
Configuration:
- * int pop.b64_decode_depth = 1460: base64 decoding depth (-1 no
+ * int pop.b64_decode_depth = -1: base64 decoding depth (-1 no
limit) { -1:65535 }
- * int pop.bitenc_decode_depth = 1460: Non-Encoded MIME attachment
+ * int pop.bitenc_decode_depth = -1: Non-Encoded MIME attachment
extraction depth (-1 no limit) { -1:65535 }
* bool pop.decompress_pdf = false: decompress pdf files in MIME
attachments
attachments
* bool pop.decompress_zip = false: decompress zip files in MIME
attachments
- * int pop.qp_decode_depth = 1460: Quoted Printable decoding depth
- (-1 no limit) { -1:65535 }
- * int pop.uu_decode_depth = 1460: Unix-to-Unix decoding depth (-1
+ * int pop.qp_decode_depth = -1: Quoted Printable decoding depth (-1
no limit) { -1:65535 }
+ * int pop.uu_decode_depth = -1: Unix-to-Unix decoding depth (-1 no
+ limit) { -1:65535 }
Rules:
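Review bot: the pop decode-depth defaults change from 1460 to -1 exactly as in the imap hunk above, with the same trade-off (whole attachments are now decoded instead of the first 1460 bytes) and the same need for a release-note sentence; the capitalisation of "Quoted Printable" and "Non-Encoded" here differs from imap's "quoted Printable" and "non-Encoded" in otherwise identical strings, which suggests the three mail modules should share one description table rather than three hand-edited copies.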
Configuration:
- * int port_scan.memcap = 1048576: maximum tracker memory in bytes {
- 1024:maxSZ }
+ * int port_scan.memcap = 10485760: maximum tracker memory in bytes
+ { 1024:maxSZ }
* multi port_scan.protos = all: choose the protocols to monitor {
tcp | udp | icmp | ip | all }
* multi port_scan.scan_types = all: choose type of scans to look
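Review bot: port_scan.memcap is raised tenfold (1048576 to 10485760 bytes); more tracker memory is a sensible floor on busy networks, where the old 1 MiB cap silently pruned scan state and let slow scans through, but it is a silent per-deployment memory increase, so the change log should state whether the cap is global or per packet thread and why 10 MiB was chosen.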
* rt_service.search_requests: total splitter search requests (sum)
-9.38. sip
+9.38. s7commplus
+
+--------------
+
+What: s7commplus inspection
+
+Type: inspector
+
+Usage: inspect
+
+Rules:
+
+ * 149:1 (s7commplus) length in S7commplus MBAP header does not
+ match the length needed for the given S7commplus function
+ * 149:2 (s7commplus) S7commplus protocol ID is non-zero
+ * 149:3 (s7commplus) reserved S7commplus function code in use
+
+Peg counts:
+
+ * s7commplus.sessions: total sessions processed (sum)
+ * s7commplus.frames: total S7commplus messages (sum)
+ * s7commplus.concurrent_sessions: total concurrent s7commplus
+ sessions (now)
+ * s7commplus.max_concurrent_sessions: maximum concurrent s7commplus
+ sessions (max)
+
+
+9.39. sip
--------------
* sip.code_9xx: 9xx (sum)
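Review bot: the rule text for 149:1 reads "length in S7commplus MBAP header does not match the length needed for the given S7commplus function", but MBAP is the Modbus Application Protocol header and has no counterpart in S7CommPlus; together with 149:2 "protocol ID is non-zero" and 149:3 "reserved function code in use", the three messages read like the modbus inspector's rule text with the protocol name substituted. Either the s7commplus decoder really checks a length field, a protocol-id field and a reserved function range in the S7CommPlus framing, in which case the messages should name those fields, or the rule set was never adapted; either way the strings need a pass before they ship as rule messages that analysts will search on. "opcode code" in the option and peg descriptions is redundant, and the section has no Configuration block, so it is unclear whether the inspector is bound by port, by wizard detection, or both.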
-9.39. smtp
+9.40. smtp
--------------
non-default maximum for command { 0:max32 }
* string smtp.auth_cmds: commands that initiate an authentication
exchange
- * int smtp.b64_decode_depth = 1460: depth used to decode the base64
+ * int smtp.b64_decode_depth = -1: depth used to decode the base64
encoded MIME attachments (-1 no limit) { -1:65535 }
* string smtp.binary_data_cmds: commands that initiate sending of
data and use a length value after the command
- * int smtp.bitenc_decode_depth = 1460: depth used to extract the
+ * int smtp.bitenc_decode_depth = -1: depth used to extract the
non-encoded MIME attachments (-1 no limit) { -1:65535 }
* string smtp.data_cmds: commands that initiate sending of data
with an end of data delimiter
* enum smtp.normalize = none: turns on/off normalization { none |
cmds | all }
* string smtp.normalize_cmds: list of commands to normalize
- * int smtp.qp_decode_depth = 1460: quoted-Printable decoding depth
+ * int smtp.qp_decode_depth = -1: quoted-Printable decoding depth
(-1 no limit) { -1:65535 }
- * int smtp.uu_decode_depth = 1460: Unix-to-Unix decoding depth (-1
- no limit) { -1:65535 }
+ * int smtp.uu_decode_depth = -1: Unix-to-Unix decoding depth (-1 no
+ limit) { -1:65535 }
* string smtp.valid_cmds: list of valid commands
* enum smtp.xlink2state = alert: enable/disable xlink2state alert {
disable | alert | drop }
* smtp.non_encoded_bytes: total non-encoded extracted bytes (sum)
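Review bot: smtp gets the same 1460 to -1 decode-depth default change as imap and pop; of the three, smtp is the module most likely to sit on the inbound mail path with the highest attachment volume, so this is where the unlimited-decode default will show up first as CPU, and the release notes should name smtp.b64_decode_depth and its siblings explicitly with 1460 given as the value that restores the previous bound.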
-9.40. ssh
+9.41. ssh
--------------
(max)
-9.41. ssl
+9.42. ssl
--------------
(max)
-9.42. stream
+9.43. stream
--------------
* stream.expected_pruned: number of expected flows pruned (sum)
* stream.expected_overflows: number of expected cache overflows
(sum)
+ * stream.reload_total_adds: number of flows added by config reloads
+ (sum)
+ * stream.reload_total_deletes: number of flows deleted by config
+ reloads (sum)
+ * stream.reload_freelist_deletes: number of flows deleted from the
+ free list by config reloads (sum)
+ * stream.reload_allowed_deletes: number of allowed flows deleted by
+ config reloads (sum)
+ * stream.reload_blocked_deletes: number of blocked flows deleted by
+ config reloads (sum)
+ * stream.reload_offloaded_deletes: number of offloaded flows
+ deleted by config reloads (sum)
-9.43. stream_file
+9.44. stream_file
--------------
* bool stream_file.upload = false: indicate file transfer direction
-9.44. stream_icmp
+9.45. stream_icmp
--------------
* stream_icmp.prunes: icmp session prunes (sum)
-9.45. stream_ip
+9.46. stream_ip
--------------
* stream_ip.fragmented_bytes: total fragmented bytes (sum)
-9.46. stream_tcp
+9.47. stream_tcp
--------------
* stream_tcp.partial_flush_bytes: partial flush total bytes (sum)
-9.47. stream_udp
+9.48. stream_udp
--------------
* stream_udp.ignored: udp packets ignored (sum)
-9.48. stream_user
+9.49. stream_user
--------------
0:max53 }
-9.49. telnet
+9.50. telnet
--------------
consecutive Telnet AYT commands { -1:max31 }
* bool telnet.check_encrypted = false: check for end of encryption
* bool telnet.encrypted_traffic = false: check for encrypted Telnet
- and FTP
* bool telnet.normalize = false: eliminate escape sequences
Rules:
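Review bot: dropping "and FTP" from telnet.encrypted_traffic narrows the documented scope of the option; if the encrypted-traffic check for FTP still exists it belongs in the ftp_server reference, and if the phrase was only ever inherited from the combined ftp_telnet wording that is worth a word in the commit message so nobody goes looking for a missing FTP equivalent.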
sessions (max)
-9.50. wizard
+9.51. wizard
--------------
* string rpc.~proc: procedure number or * for any
-11.82. sd_pattern
+11.82. s7commplus_content
+
+--------------
+
+What: rule option to set cursor to s7commplus content
+
+Type: ips_option
+
+Usage: detect
+
+
+11.83. s7commplus_func
+
+--------------
+
+What: rule option to check s7commplus function code
+
+Type: ips_option
+
+Usage: detect
+
+Configuration:
+
+ * string s7commplus_func.~: function code to match
+
+
+11.84. s7commplus_opcode
+
+--------------
+
+What: rule option to check s7commplus opcode code
+
+Type: ips_option
+
+Usage: detect
+
+Configuration:
+
+ * string s7commplus_opcode.~: opcode code to match
+
+
+11.85. sd_pattern
--------------
* sd_pattern.terminated: hyperscan terminated (sum)
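Review bot: s7commplus_func.~ and s7commplus_opcode.~ are typed "string" with no list of accepted names or numeric range, unlike sip_stat_code { 1:999 } or rpc.~proc ("procedure number or * for any") in this same reference; rule writers need to know whether a function or opcode is given by symbolic name, decimal or hex number, and whether an unknown value is a rule-load error or just never matches. s7commplus_content has no Configuration block, which is fine for a cursor-only option, but a note that it only has meaning on flows identified as s7commplus would stop people applying it to raw TCP rules and wondering why nothing fires.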
-11.83. seq
+11.86. seq
--------------
range { 0: }
-11.84. service
+11.87. service
--------------
* string service.*: one or more comma-separated service names
-11.85. session
+11.88. session
--------------
* enum session.~mode: output format { printable|binary|all }
-11.86. sha256
+11.89. sha256
--------------
start of buffer
-11.87. sha512
+11.90. sha512
--------------
start of buffer
-11.88. sid
+11.91. sid
--------------
* int sid.~: signature id { 1:max32 }
-11.89. sip_body
+11.92. sip_body
--------------
Usage: detect
-11.90. sip_header
+11.93. sip_header
--------------
Usage: detect
-11.91. sip_method
+11.94. sip_method
--------------
* string sip_method.*method: sip method
-11.92. sip_stat_code
+11.95. sip_stat_code
--------------
* int sip_stat_code.*code: status code { 1:999 }
-11.93. so
+11.96. so
--------------
buffer
-11.94. soid
+11.97. soid
--------------
like 3_45678_9
-11.95. ssl_state
+11.98. ssl_state
--------------
unknown
-11.96. ssl_version
+11.99. ssl_version
--------------
tls1.2
-11.97. stream_reassemble
+11.100. stream_reassemble
--------------
remainder of the session
-11.98. stream_size
+11.101. stream_size
--------------
direction(s) { either|to_server|to_client|both }
-11.99. tag
+11.102. tag
--------------
* int tag.bytes: tag for this many bytes { 1:max32 }
-11.100. target
+11.103. target
--------------
dst_ip }
-11.101. tos
+11.104. tos
--------------
* interval tos.~range: check if IP TOS is in given range { 0:255 }
-11.102. ttl
+11.105. ttl
--------------
0:255 }
-11.103. urg
+11.106. urg
--------------
{ 0:65535 }
-11.104. window
+11.107. window
--------------
range { 0:65535 }
-11.105. wscale
+11.108. wscale
--------------
* --output-file=<out_file> Same as -o. output the new Snort++ lua
configuration to <out_file>
* --print-all Same as -a. default option. print all data
- * --print-binding-order Print sorting priority used when generating
- binder table
* --print-differences Same as -d. output the differences, and only
the differences, between the Snort and Snort++ configurations to
the <out_file>
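Review bot: --print-binding-order is removed from the snort2lua option list without a note; the binder table order is exactly what people debug when a converted Snort 2 config binds the wrong inspector, so say whether that output moved elsewhere (for example into --print-all) or was dropped, and if dropped what to use instead.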
* --nolock-pidfile do not try to lock Snort PID file
* --pause wait for resume/quit command before processing packets/
terminating
- * --pause-after-n <count> pause after count packets (1:max53)
* --pcap-file <file> file that contains a list of pcaps to read -
read mode is implied
* --pcap-list <list> a space separated list of pcaps to read - read
between pcaps
* --pcap-show print a line saying what pcap is currently being read
* --pedantic warnings are fatal
- * --piglet enable piglet test harness mode
* --plugin-path <path> where to find plugins
* --process-all-events process all action groups
* --rule <rules> to be added to configuration; may be repeated
* --treat-drop-as-ignore use drop, block, and reset rules to ignore
session traffic when not inline
* --tweaks tune configuration
- * --catch-test comma separated list of cat unit test tags or all
* --version show version number (same as -V)
* --warn-all enable all warnings
* --warn-conf warn about configuration issues
* bool appid.debug = false: enable appid debug logging
* bool appid.dump_ports = false: enable dump of appid port
information
- * int appid.first_decrypted_packet_debug = 0: the first packet of
- an already decrypted SSL flow (debug single session only) {
- 0:max32 }
* int appid.instance_id = 0: instance id - ignored { 0:max32 }
* bool appid.log_all_sessions = false: enable logging of all appid
sessions
* int dce_smb.reassemble_threshold = 0: minimum bytes received
before performing reassembly { 0:65535 }
* int dce_smb.smb_file_depth = 16384: SMB file depth for file data
- { -1:32767 }
- * enum dce_smb.smb_file_inspection = off: SMB file inspection { off
- | on | only }
+ (-1 = disabled, 0 = unlimited) { -1:32767 }
+ * enum dce_smb.smb_file_inspection: deprecated (not used): file
+ inspection controlled by smb_file_depth { off | on | only }
* enum dce_smb.smb_fingerprint_policy = none: target based SMB
policy to use { none | client | server | both }
* string dce_smb.smb_invalid_shares: SMB shares to alert on
* port host_tracker[].services[].port: port number
* enum host_tracker[].services[].proto: IP protocol { ip | tcp |
udp }
- * int http2_inspect.print_amount = 1200: number of characters to
- print from a Field { 1:max53 }
- * bool http2_inspect.print_hex = false: nonprinting characters
- printed in [HH] format instead of using an asterisk
- * bool http2_inspect.show_pegs = true: display peg counts with test
- output
- * bool http2_inspect.show_scan = false: display scanned segments
- * bool http2_inspect.test_input = false: read HTTP/2 messages from
- text file
- * bool http2_inspect.test_output = false: print out HTTP section
- data
* implied http_cookie.request: match against the cookie from the
request message even when examining the response
* implied http_cookie.with_body: parts of this rule examine HTTP
examining HTTP message headers
* implied http_header.with_trailer: parts of this rule examine HTTP
message trailers
- * bool http_inspect.accelerated_blocking = false: inspect
- JavaScript in response messages as soon as possible
* bool http_inspect.backslash_to_slash = false: replace \ with /
when normalizing URIs
* bit_list http_inspect.bad_characters: alert when any of specified
response bodies
* bool http_inspect.decompress_zip = false: decompress zip files in
response bodies
+ * bool http_inspect.detained_inspection = false: store-and-forward
+ as necessary to effectively block alerting JavaScript
* string http_inspect.ignore_unreserved: do not alert when the
specified unreserved characters are percent-encoded in a
URI.Unreserved characters are 0-9, a-z, A-Z, period, underscore,
encodings
* bool http_inspect.plus_to_space = true: replace + with <sp> when
normalizing URIs
- * int http_inspect.print_amount = 1200: number of characters to
- print from a Field { 1:max53 }
- * bool http_inspect.print_hex = false: nonprinting characters
- printed in [HH] format instead of using an asterisk
* int http_inspect.request_depth = -1: maximum request message body
bytes to examine (-1 no limit) { -1:max53 }
* int http_inspect.response_depth = -1: maximum response message
body bytes to examine (-1 no limit) { -1:max53 }
- * bool http_inspect.show_pegs = true: display peg counts with test
- output
- * bool http_inspect.show_scan = false: display scanned segments
* bool http_inspect.simplify_path = true: reduce URI directory path
to simplest form
- * bool http_inspect.test_input = false: read HTTP messages from
- text file
- * bool http_inspect.test_output = false: print out HTTP section
- data
* bool http_inspect.unzip = true: decompress gzip and deflate
message bodies
* bool http_inspect.utf8_bare_byte = false: when doing UTF-8
0:255 }
* interval id.~range: check if the IP ID is in the given range { 0:
}
- * int imap.b64_decode_depth = 1460: base64 decoding depth (-1 no
+ * int imap.b64_decode_depth = -1: base64 decoding depth (-1 no
limit) { -1:65535 }
- * int imap.bitenc_decode_depth = 1460: non-Encoded MIME attachment
+ * int imap.bitenc_decode_depth = -1: non-Encoded MIME attachment
extraction depth (-1 no limit) { -1:65535 }
* bool imap.decompress_pdf = false: decompress pdf files in MIME
attachments
attachments
* bool imap.decompress_zip = false: decompress zip files in MIME
attachments
- * int imap.qp_decode_depth = 1460: quoted Printable decoding depth
+ * int imap.qp_decode_depth = -1: quoted Printable decoding depth
(-1 no limit) { -1:65535 }
- * int imap.uu_decode_depth = 1460: Unix-to-Unix decoding depth (-1
- no limit) { -1:65535 }
+ * int imap.uu_decode_depth = -1: Unix-to-Unix decoding depth (-1 no
+ limit) { -1:65535 }
* int inspection.id = 0: correlate policy and events with other
items in configuration { 0:65535 }
* enum inspection.mode = inline-test: set policy mode { inline |
normalization
* select normalizer.tcp.ecn = off: clear ecn for all packets |
sessions w/o ecn setup { off | packet | stream }
- * bool normalizer.tcp.ips = false: ensure consistency in
+ * bool normalizer.tcp.ips = true: ensure consistency in
retransmitted data
* bool normalizer.tcp.opts = true: clear all options except mss,
wscale, timestamp, and any explicitly allowed
* int output.tagged_packet_limit = 256: maximum number of packets
tagged for non-packet metrics { 0:max32 }
* bool output.verbose = false: be verbose (same as -v)
- * bool output.wide_hex_dump = true: output 20 bytes per lines
+ * bool output.wide_hex_dump = false: output 20 bytes per lines
instead of 16 when dumping buffers
* bool packet_capture.enable = false: initially enable packet
dumping
* bool perf_monitor.summary = false: output summary at shutdown
* interval pkt_num.~range: check if packet number is in given range
{ 1: }
- * int pop.b64_decode_depth = 1460: base64 decoding depth (-1 no
+ * int pop.b64_decode_depth = -1: base64 decoding depth (-1 no
limit) { -1:65535 }
- * int pop.bitenc_decode_depth = 1460: Non-Encoded MIME attachment
+ * int pop.bitenc_decode_depth = -1: Non-Encoded MIME attachment
extraction depth (-1 no limit) { -1:65535 }
* bool pop.decompress_pdf = false: decompress pdf files in MIME
attachments
attachments
* bool pop.decompress_zip = false: decompress zip files in MIME
attachments
- * int pop.qp_decode_depth = 1460: Quoted Printable decoding depth
- (-1 no limit) { -1:65535 }
- * int pop.uu_decode_depth = 1460: Unix-to-Unix decoding depth (-1
+ * int pop.qp_decode_depth = -1: Quoted Printable decoding depth (-1
no limit) { -1:65535 }
+ * int pop.uu_decode_depth = -1: Unix-to-Unix decoding depth (-1 no
+ limit) { -1:65535 }
* bool port_scan.alert_all = false: alert on all events over
threshold within window if true; else alert on first only
* int port_scan.icmp_sweep.nets = 25: number of times address
* int port_scan.ip_sweep.scans = 100: scan attempts { 0:65535 }
* int port_scan.ip_window = 0: detection interval for all IP scans
{ 0:max32 }
- * int port_scan.memcap = 1048576: maximum tracker memory in bytes {
- 1024:maxSZ }
+ * int port_scan.memcap = 10485760: maximum tracker memory in bytes
+ { 1024:maxSZ }
* multi port_scan.protos = all: choose the protocols to monitor {
tcp | udp | icmp | ip | all }
* multi port_scan.scan_types = all: choose type of scans to look
* enum rule_state.$gid_sid[].enable = inherit: enable or disable
rule in current ips policy or use default defined by ips policy {
no | yes | inherit }
+ * string s7commplus_func.~: function code to match
+ * string s7commplus_opcode.~: opcode code to match
* string sd_pattern.~pattern: The pattern to search for
* int sd_pattern.threshold = 1: number of matches before alerting {
1:max32 }
non-default maximum for command { 0:max32 }
* string smtp.auth_cmds: commands that initiate an authentication
exchange
- * int smtp.b64_decode_depth = 1460: depth used to decode the base64
+ * int smtp.b64_decode_depth = -1: depth used to decode the base64
encoded MIME attachments (-1 no limit) { -1:65535 }
* string smtp.binary_data_cmds: commands that initiate sending of
data and use a length value after the command
- * int smtp.bitenc_decode_depth = 1460: depth used to extract the
+ * int smtp.bitenc_decode_depth = -1: depth used to extract the
non-encoded MIME attachments (-1 no limit) { -1:65535 }
* string smtp.data_cmds: commands that initiate sending of data
with an end of data delimiter
* string smtp.normalize_cmds: list of commands to normalize
* enum smtp.normalize = none: turns on/off normalization { none |
cmds | all }
- * int smtp.qp_decode_depth = 1460: quoted-Printable decoding depth
+ * int smtp.qp_decode_depth = -1: quoted-Printable decoding depth
(-1 no limit) { -1:65535 }
- * int smtp.uu_decode_depth = 1460: Unix-to-Unix decoding depth (-1
- no limit) { -1:65535 }
+ * int smtp.uu_decode_depth = -1: Unix-to-Unix decoding depth (-1 no
+ limit) { -1:65535 }
* string smtp.valid_cmds: list of valid commands
* enum smtp.xlink2state = alert: enable/disable xlink2state alert {
disable | alert | drop }
* string snort.--bpf: <filter options> are standard BPF options, as
seen in TCPDump
* string snort.--c2x: output hex for given char (see also --x2c)
- * string snort.--catch-test: comma separated list of cat unit test
- tags or all
* string snort.-c: <conf> use this configuration
* string snort.--control-socket: <file> to create unix socket
* implied snort.-C: print out payloads with character data only (no
* implied snort.-O: obfuscate the logged IP addresses
* string snort.-?: <option prefix> output matching command line
option quick help (same as --help-options) { (optional) }
- * int snort.--pause-after-n: <count> pause after count packets {
- 1:max53 }
* implied snort.--pause: wait for resume/quit command before
processing packets/terminating
* string snort.--pcap-dir: <dir> a directory to recurse to look for
* implied snort.--pcap-show: print a line saying what pcap is
currently being read
* implied snort.--pedantic: warnings are fatal
- * implied snort.--piglet: enable piglet test harness mode
* string snort.--plugin-path: <path> where to find plugins
* implied snort.--process-all-events: process all action groups
* implied snort.-Q: enable inline mode operation
consecutive Telnet AYT commands { -1:max31 }
* bool telnet.check_encrypted = false: check for end of encryption
* bool telnet.encrypted_traffic = false: check for encrypted Telnet
- and FTP
* bool telnet.normalize = false: eliminate escape sequences
* interval tos.~range: check if IP TOS is in given range { 0:255 }
* interval ttl.~range: check if IP TTL is in the given range {
(now)
* http_inspect.connect_requests: CONNECT requests inspected (sum)
* http_inspect.delete_requests: DELETE requests inspected (sum)
- * http_inspect.detained_packets: TCP packets delayed by accelerated
- blocking (sum)
+ * http_inspect.detained_packets: TCP packets delayed by detained
+ inspection (sum)
* http_inspect.flows: HTTP connections inspected (sum)
* http_inspect.get_requests: GET requests inspected (sum)
* http_inspect.head_requests: HEAD requests inspected (sum)
* http_inspect.options_requests: OPTIONS requests inspected (sum)
* http_inspect.other_requests: other request methods inspected
(sum)
- * http_inspect.partial_inspections: pre-inspections for accelerated
- blocking (sum)
+ * http_inspect.partial_inspections: pre-inspections for detained
+ inspection (sum)
* http_inspect.post_requests: POST requests inspected (sum)
* http_inspect.put_requests: PUT requests inspected (sum)
* http_inspect.reassembles: TCP segments combined into HTTP
* rt_service.hold_requests: total splitter hold requests (sum)
* rt_service.packets: total packets (sum)
* rt_service.search_requests: total splitter search requests (sum)
+ * s7commplus.concurrent_sessions: total concurrent s7commplus
+ sessions (now)
+ * s7commplus.frames: total S7commplus messages (sum)
+ * s7commplus.max_concurrent_sessions: maximum concurrent s7commplus
+ sessions (max)
+ * s7commplus.sessions: total sessions processed (sum)
* sd_pattern.below_threshold: sd_pattern matched but missed
threshold (sum)
* sd_pattern.pattern_not_found: sd_pattern did not not match (sum)
* stream.memcap_prunes: sessions pruned due to memcap (sum)
* stream.preemptive_prunes: sessions pruned during preemptive
pruning (sum)
+ * stream.reload_allowed_deletes: number of allowed flows deleted by
+ config reloads (sum)
+ * stream.reload_blocked_deletes: number of blocked flows deleted by
+ config reloads (sum)
+ * stream.reload_freelist_deletes: number of flows deleted from the
+ free list by config reloads (sum)
+ * stream.reload_offloaded_deletes: number of offloaded flows
+ deleted by config reloads (sum)
+ * stream.reload_total_adds: number of flows added by config reloads
+ (sum)
+ * stream.reload_total_deletes: number of flows deleted by config
+ reloads (sum)
* stream_tcp.client_cleanups: number of times data from server was
flushed when session released (sum)
* stream_tcp.closing: number of sessions currently closing (now)
* 144: modbus
* 145: dnp3
* 146: file_id
+ * 149: s7commplus
* 175: domain_filter
* 256: dpx
* 145:5 (dnp3) DNP3 link-layer frame uses a reserved address
* 145:6 (dnp3) DNP3 application-layer fragment uses a reserved
function code
+ * 149:1 (s7commplus) length in S7commplus MBAP header does not
+ match the length needed for the given S7commplus function
+ * 149:2 (s7commplus) S7commplus protocol ID is non-zero
+ * 149:3 (s7commplus) reserved S7commplus function code in use
* 175:1 (domain_filter) configured domain detected
* 256:1 (dpx) too much data sent to port
support.
* rule_state (basic): enable/disable and set actions for specific
IPS rules; deprecated, use rule state stubs with enable instead
+ * s7commplus (inspector): s7commplus inspection
+ * s7commplus_content (ips_option): rule option to set cursor to
+ s7commplus content
+ * s7commplus_func (ips_option): rule option to check s7commplus
+ function code
+ * s7commplus_opcode (ips_option): rule option to check s7commplus
+ opcode code
* sd_pattern (ips_option): rule option for detecting sensitive data
* search_engine (basic): configure fast pattern matcher
* seq (ips_option): rule option to check TCP sequence number
* inspector::rt_service: The regression test service inspector is
used by regression tests that require custom service inspector
support.
+ * inspector::s7commplus: s7commplus inspection
* inspector::sip: sip inspection
* inspector::smtp: smtp inspection
* inspector::ssh: ssh inspection
* ips_option::rev: rule option to indicate current revision of
signature
* ips_option::rpc: rule option to check SUNRPC CALL parameters
+ * ips_option::s7commplus_content: rule option to set cursor to
+ s7commplus content
+ * ips_option::s7commplus_func: rule option to check s7commplus
+ function code
+ * ips_option::s7commplus_opcode: rule option to check s7commplus
+ opcode code
* ips_option::sd_pattern: rule option for detecting sensitive data
* ips_option::seq: rule option to check TCP sequence number
* ips_option::service: rule option to specify list of services for
* logger::log_null: disable logging of packets
* logger::log_pcap: log packet in pcap format
* logger::unified2: output event and packet in unified2 format file
- * piglet::pp_codec: Codec piglet
- * piglet::pp_inspector: Inspector piglet
- * piglet::pp_ips_action: Ips action piglet
- * piglet::pp_ips_option: Ips option piglet
- * piglet::pp_logger: Logger piglet
- * piglet::pp_search_engine: Search engine piglet
- * piglet::pp_so_rule: SO rule piglet
- * piglet::pp_test: Test piglet
* search_engine::ac_banded: Aho-Corasick Banded (high memory,
moderate performance)
* search_engine::ac_bnfa: Aho-Corasick Binary NFA (low memory, high
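Review bot: removing the piglet::pp_* plugin entries matches the removal of --piglet and --catch-test from the snort module earlier in the diff, but the three changes are scattered across the reference with nothing tying them together; a single change-log line stating that the piglet test harness and its command-line flags were removed in one go would make the intent clear to anyone scanning the hunks, and would confirm that no user-facing plugin type went away with them.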