The Snort Team
Revision History
-Revision 3.1.24.0 2022-02-23 09:29:36 EST TST
+Revision 3.1.25.0 2022-03-09 06:31:14 EST TST
---------------------------------------------------------------------
7.47. http_client_body
7.48. http_cookie
7.49. http_header
- 7.50. http_method
- 7.51. http_num_headers
- 7.52. http_num_trailers
- 7.53. http_param
- 7.54. http_raw_body
- 7.55. http_raw_cookie
- 7.56. http_raw_header
- 7.57. http_raw_request
- 7.58. http_raw_status
- 7.59. http_raw_trailer
- 7.60. http_raw_uri
- 7.61. http_stat_code
- 7.62. http_stat_msg
- 7.63. http_trailer
- 7.64. http_true_ip
- 7.65. http_uri
- 7.66. http_version
- 7.67. http_version_match
- 7.68. icmp_id
- 7.69. icmp_seq
- 7.70. icode
- 7.71. id
- 7.72. iec104_apci_type
- 7.73. iec104_asdu_func
- 7.74. ip_proto
- 7.75. ipopts
- 7.76. isdataat
- 7.77. itype
- 7.78. js_data
- 7.79. md5
- 7.80. metadata
- 7.81. modbus_data
- 7.82. modbus_func
- 7.83. modbus_unit
- 7.84. msg
- 7.85. mss
- 7.86. pcre
- 7.87. pkt_data
- 7.88. pkt_num
- 7.89. priority
- 7.90. raw_data
- 7.91. reference
- 7.92. regex
- 7.93. rem
- 7.94. replace
- 7.95. rev
- 7.96. rpc
- 7.97. s7commplus_content
- 7.98. s7commplus_func
- 7.99. s7commplus_opcode
- 7.100. sd_pattern
- 7.101. seq
- 7.102. service
- 7.103. sha256
- 7.104. sha512
- 7.105. sid
- 7.106. sip_body
- 7.107. sip_header
- 7.108. sip_method
- 7.109. sip_stat_code
- 7.110. so
- 7.111. soid
- 7.112. ssl_state
- 7.113. ssl_version
- 7.114. stream_reassemble
- 7.115. stream_size
- 7.116. tag
- 7.117. target
- 7.118. tos
- 7.119. ttl
- 7.120. urg
- 7.121. vba_data
- 7.122. window
- 7.123. wscale
+ 7.50. http_header_test
+ 7.51. http_method
+ 7.52. http_num_headers
+ 7.53. http_num_trailers
+ 7.54. http_param
+ 7.55. http_raw_body
+ 7.56. http_raw_cookie
+ 7.57. http_raw_header
+ 7.58. http_raw_request
+ 7.59. http_raw_status
+ 7.60. http_raw_trailer
+ 7.61. http_raw_uri
+ 7.62. http_stat_code
+ 7.63. http_stat_msg
+ 7.64. http_trailer
+ 7.65. http_trailer_test
+ 7.66. http_true_ip
+ 7.67. http_uri
+ 7.68. http_version
+ 7.69. http_version_match
+ 7.70. icmp_id
+ 7.71. icmp_seq
+ 7.72. icode
+ 7.73. id
+ 7.74. iec104_apci_type
+ 7.75. iec104_asdu_func
+ 7.76. ip_proto
+ 7.77. ipopts
+ 7.78. isdataat
+ 7.79. itype
+ 7.80. js_data
+ 7.81. md5
+ 7.82. metadata
+ 7.83. modbus_data
+ 7.84. modbus_func
+ 7.85. modbus_unit
+ 7.86. msg
+ 7.87. mss
+ 7.88. pcre
+ 7.89. pkt_data
+ 7.90. pkt_num
+ 7.91. priority
+ 7.92. raw_data
+ 7.93. reference
+ 7.94. regex
+ 7.95. rem
+ 7.96. replace
+ 7.97. rev
+ 7.98. rpc
+ 7.99. s7commplus_content
+ 7.100. s7commplus_func
+ 7.101. s7commplus_opcode
+ 7.102. sd_pattern
+ 7.103. seq
+ 7.104. service
+ 7.105. sha256
+ 7.106. sha512
+ 7.107. sid
+ 7.108. sip_body
+ 7.109. sip_header
+ 7.110. sip_method
+ 7.111. sip_stat_code
+ 7.112. so
+ 7.113. soid
+ 7.114. ssl_state
+ 7.115. ssl_version
+ 7.116. stream_reassemble
+ 7.117. stream_size
+ 7.118. tag
+ 7.119. target
+ 7.120. tos
+ 7.121. ttl
+ 7.122. urg
+ 7.123. vba_data
+ 7.124. window
+ 7.125. wscale
8. Search Engine Modules
9. SO Rule Modules
* int process.umask: set process umask (same as -m) { 0x000:0x1FF }
* bool process.utc = false: use UTC instead of local time for
timestamps
+ * int process.watchdog_timer = 0: watchdog timer for packet threads
+ (seconds, 0 to disable) { 0:60 }
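Review bot: the help text for process.watchdog_timer says when the timer fires (a packet thread exceeding N seconds) but not what happens when it does; add a clause stating the action taken on expiry (report, dump state, abort the process, whatever the implementation does), because an operator has to know whether enabling this can take the sensor down. Two more sentences would help: that the default 0 means no watchdog at all on a fresh install, and why the ceiling is 60 seconds, since that rules out using it as a coarse liveness check on deliberately slow inspection paths.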
2.25. profiler
signature info
* bool file_id.trace_stream = false: enable runtime dump of file
data
- * int file_id.b64_decode_depth = -1: base64 decoding depth (-1 no
- limit) { -1:65535 }
- * int file_id.bitenc_decode_depth = -1: Non-Encoded MIME attachment
- extraction depth (-1 no limit) { -1:65535 }
- * bool file_id.decompress_pdf = false: decompress pdf files
- * bool file_id.decompress_swf = false: decompress swf files
- * bool file_id.decompress_zip = false: decompress zip files
* int file_id.decompress_buffer_size = 100000: file decompression
buffer size { 1024:max31 }
- * int file_id.qp_decode_depth = -1: Quoted Printable decoding depth
- (-1 no limit) { -1:65535 }
- * int file_id.uu_decode_depth = -1: Unix-to-Unix decoding depth (-1
- no limit) { -1:65535 }
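Review bot: the removal of file_id.b64_decode_depth, bitenc_decode_depth, qp_decode_depth, uu_decode_depth and decompress_pdf/swf/zip comes with no migration note; anyone with these keys in snort.lua has to discover by trial on upgrade that they are gone and where the equivalent controls now live. This same changelog documents decompress_pdf/swf/zip under http_inspect (5.10.3.5 to 5.10.3.7) and the MIME decoding depths in their own section with a new -1 default, so a one-line "moved to ..." or a deprecation entry next to each removed key would save that lookup and would also make the change of default visible to people who never set these options.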
Rules:
* 119:277 (http_inspect) HTTP version in start line is higher than
1
* 119:278 (http_inspect) HTTP gzip body with the FEXTRA flag set
+ * 119:279 (http_inspect) nested unescape functions in JavaScript
+ code
+ * 119:280 (http_inspect) mixing of escape formats in JavaScript
+ code
Peg counts:
than given segments per session and direction, 0 = unlimited {
0:max32 }
* int stream_tcp.small_segments.count = 0: number of consecutive
- TCP small segments considered to be excessive (129:12) { 0:2048 }
+ (in the received order) TCP small segments considered to be
+ excessive (129:12) { 0:2048 }
* int stream_tcp.small_segments.maximum_size = 0: minimum bytes for
a TCP segment not to be considered small (129:12) { 0:2048 }
* int stream_tcp.session_timeout = 180: session tracking timeout {
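Review bot: "number of consecutive (in the received order) TCP small segments considered to be excessive" reads awkwardly because the parenthetical splits the noun phrase; suggest "number of consecutive TCP small segments, counted in the order received rather than by sequence number, considered to be excessive (129:12)", which matches the wording this same change uses in the 129:12 event description. The next option, "maximum_size ... minimum bytes for a TCP segment not to be considered small", is also confusing (a maximum described as a minimum); "segments shorter than this many bytes are counted as small" says the same thing without the contradiction.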
message trailers
-7.50. http_method
+7.50. http_header_test
+
+--------------
+
+Help: rule option to perform range check on specified header field,
+check whether it is a number, or check if the field is absent
+
+Type: ips_option
+
+Usage: detect
+
+Configuration:
+
+ * string http_header_test.field: Header to perform check on. Header
+ name is case insensitive.
+ * implied http_header_test.request: match against the headers from
+ the request message even when examining the response
+ * implied http_header_test.with_header: this rule is limited to
+ examining HTTP message headers
+ * implied http_header_test.with_body: parts of this rule examine
+ HTTP message body
+ * implied http_header_test.with_trailer: parts of this rule examine
+ HTTP message trailers
+ * interval http_header_test.check: range check to perform on header
+ value { 0:999999999999999999 }
+ * bool http_header_test.numeric: header value is a number
+ * implied http_header_test.absent: header is absent
+
+
+7.51. http_method
--------------
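Review bot: the http_header_test option list does not say how check, numeric and absent interact: whether more than one may appear in a single http_header_test (numeric together with check, for instance), whether absent may be combined with either, and which value is tested when the header occurs more than once in the message. It is also inconsistent that numeric is typed bool while absent is implied; if numeric: false is accepted, say what it matches (a value that is present but non-numeric?), otherwise make it implied like absent. Finally, field is described as case insensitive, but nothing says whether the value used for check is taken after trimming leading whitespace or a sign, which matters when the rule targets Content-Length; the 18-digit limit implied by the range is only stated later in 5.10.6.18 and could be repeated here.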
message trailers
-7.51. http_num_headers
+7.52. http_num_headers
--------------
HTTP message trailers
-7.52. http_num_trailers
+7.53. http_num_trailers
--------------
examine HTTP message trailers
-7.53. http_param
+7.54. http_param
--------------
* implied http_param.nocase: case insensitive match
-7.54. http_raw_body
+7.55. http_raw_body
--------------
Usage: detect
-7.55. http_raw_cookie
+7.56. http_raw_cookie
--------------
HTTP message trailers
-7.56. http_raw_header
+7.57. http_raw_header
--------------
HTTP message trailers
-7.57. http_raw_request
+7.58. http_raw_request
--------------
HTTP message trailers
-7.58. http_raw_status
+7.59. http_raw_status
--------------
HTTP message trailers
-7.59. http_raw_trailer
+7.60. http_raw_trailer
--------------
HTTP response message body (must be combined with request)
-7.60. http_raw_uri
+7.61. http_raw_uri
--------------
URI only
-7.61. http_stat_code
+7.62. http_stat_code
--------------
HTTP message trailers
-7.62. http_stat_msg
+7.63. http_stat_msg
--------------
HTTP message trailers
-7.63. http_trailer
+7.64. http_trailer
--------------
message body (must be combined with request)
-7.64. http_true_ip
+7.65. http_trailer_test
+
+--------------
+
+Help: rule option to perform range check on specified trailer field,
+check whether it is a number, or check if the field is absent
+
+Type: ips_option
+
+Usage: detect
+
+Configuration:
+
+ * string http_trailer_test.field: Trailer to perform check on.
+ Trailer name is case insensitive.
+ * implied http_trailer_test.request: match against the trailers
+ from the request message even when examining the response
+ * implied http_trailer_test.with_header: parts of this rule examine
+ HTTP headers
+ * implied http_trailer_test.with_body: parts of this rule examine
+ HTTP message body
+ * interval http_trailer_test.check: range check to perform on
+ trailer value { 0:999999999999999999 }
+ * bool http_trailer_test.numeric: trailer value is a number
+ * implied http_trailer_test.absent: trailer is absent
+
+
+7.66. http_true_ip
--------------
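Review bot: http_trailer_test.with_body lacks the "(must be combined with request)" qualifier that the existing http_trailer.with_body carries; if the same constraint applies to the new option the help text should say so, and if it does not, that difference deserves a sentence. with_header for this option reads "parts of this rule examine HTTP headers" while the sibling options use "HTTP message headers"/"HTTP message trailers"; align the wording. As with http_header_test, the combination rules for check, numeric and absent, and which trailer value is tested when the field is repeated, are undocumented.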
HTTP message trailers
-7.65. http_uri
+7.67. http_uri
--------------
only
-7.66. http_version
+7.68. http_version
--------------
HTTP message trailers
-7.67. http_version_match
+7.69. http_version_match
--------------
examine HTTP message trailers
-7.68. icmp_id
+7.70. icmp_id
--------------
0:65535 }
-7.69. icmp_seq
+7.71. icmp_seq
--------------
given range { 0:65535 }
-7.70. icode
+7.72. icode
--------------
0:255 }
-7.71. id
+7.73. id
--------------
}
-7.72. iec104_apci_type
+7.74. iec104_apci_type
--------------
* string iec104_apci_type.~: APCI type to match
-7.73. iec104_asdu_func
+7.75. iec104_asdu_func
--------------
* string iec104_asdu_func.~: function code to match
-7.74. ip_proto
+7.76. ip_proto
--------------
* string ip_proto.~proto: [!|>|<] name or number
-7.75. ipopts
+7.77. ipopts
--------------
lsrre|ssrr|satid|any }
-7.76. isdataat
+7.78. isdataat
--------------
buffer
-7.77. itype
+7.79. itype
--------------
0:255 }
-7.78. js_data
+7.80. js_data
--------------
Usage: detect
-7.79. md5
+7.81. md5
--------------
of buffer
-7.80. metadata
+7.82. metadata
--------------
pairs
-7.81. modbus_data
+7.83. modbus_data
--------------
Usage: detect
-7.82. modbus_func
+7.84. modbus_func
--------------
* string modbus_func.~: function code to match
-7.83. modbus_unit
+7.85. modbus_unit
--------------
* int modbus_unit.~: Modbus unit ID { 0:255 }
-7.84. msg
+7.86. msg
--------------
* string msg.~: message describing rule
-7.85. mss
+7.87. mss
--------------
}
-7.86. pcre
+7.88. pcre
--------------
* pcre.pcre_negated: total pcre rules using negation syntax (sum)
-7.87. pkt_data
+7.89. pkt_data
--------------
Usage: detect
-7.88. pkt_num
+7.90. pkt_num
--------------
{ 1: }
-7.89. priority
+7.91. priority
--------------
1:max31 }
-7.90. raw_data
+7.92. raw_data
--------------
Usage: detect
-7.91. reference
+7.93. reference
--------------
* string reference.~ref: reference: <scheme>,<id>
-7.92. regex
+7.94. regex
--------------
instead of start of buffer
-7.93. rem
+7.95. rem
--------------
* string rem.~: comment
-7.94. replace
+7.96. replace
--------------
* string replace.~: byte code to replace with
-7.95. rev
+7.97. rev
--------------
* int rev.~: revision { 1:max32 }
-7.96. rpc
+7.98. rpc
--------------
* string rpc.~proc: procedure number or * for any
-7.97. s7commplus_content
+7.99. s7commplus_content
--------------
Usage: detect
-7.98. s7commplus_func
+7.100. s7commplus_func
--------------
* string s7commplus_func.~: function code to match
-7.99. s7commplus_opcode
+7.101. s7commplus_opcode
--------------
* string s7commplus_opcode.~: opcode code to match
-7.100. sd_pattern
+7.102. sd_pattern
--------------
* sd_pattern.terminated: hyperscan terminated (sum)
-7.101. seq
+7.103. seq
--------------
range { 0: }
-7.102. service
+7.104. service
--------------
* string service.*: one or more comma-separated service names
-7.103. sha256
+7.105. sha256
--------------
start of buffer
-7.104. sha512
+7.106. sha512
--------------
start of buffer
-7.105. sid
+7.107. sid
--------------
* int sid.~: signature id { 1:max32 }
-7.106. sip_body
+7.108. sip_body
--------------
Usage: detect
-7.107. sip_header
+7.109. sip_header
--------------
Usage: detect
-7.108. sip_method
+7.110. sip_method
--------------
* string sip_method.*method: sip method
-7.109. sip_stat_code
+7.111. sip_stat_code
--------------
* int sip_stat_code.*code: status code { 1:999 }
-7.110. so
+7.112. so
--------------
buffer
-7.111. soid
+7.113. soid
--------------
like 3_45678_9
-7.112. ssl_state
+7.114. ssl_state
--------------
unknown
-7.113. ssl_version
+7.115. ssl_version
--------------
tls1.2
-7.114. stream_reassemble
+7.116. stream_reassemble
--------------
remainder of the session
-7.115. stream_size
+7.117. stream_size
--------------
direction(s) { either|to_server|to_client|both }
-7.116. tag
+7.118. tag
--------------
* int tag.bytes: tag for this many bytes { 1:max32 }
-7.117. target
+7.119. target
--------------
dst_ip }
-7.118. tos
+7.120. tos
--------------
* interval tos.~range: check if IP TOS is in given range { 0:255 }
-7.119. ttl
+7.121. ttl
--------------
0:255 }
-7.120. urg
+7.122. urg
--------------
{ 0:65535 }
-7.121. vba_data
+7.123. vba_data
--------------
Usage: detect
-7.122. window
+7.124. window
--------------
range { 0:65535 }
-7.123. wscale
+7.125. wscale
--------------
duplex }
* enum file_connector[].format: file format { binary | text }
* string file_connector[].name: channel name
- * int file_id.b64_decode_depth = -1: base64 decoding depth (-1 no
- limit) { -1:65535 }
- * int file_id.bitenc_decode_depth = -1: Non-Encoded MIME attachment
- extraction depth (-1 no limit) { -1:65535 }
* int file_id.block_timeout = 86400: stop blocking after this many
seconds { 0:max31 }
* bool file_id.block_timeout_lookup = false: block if lookup times
less than this { 0:max53 }
* int file_id.decompress_buffer_size = 100000: file decompression
buffer size { 1024:max31 }
- * bool file_id.decompress_pdf = false: decompress pdf files
- * bool file_id.decompress_swf = false: decompress swf files
- * bool file_id.decompress_zip = false: decompress zip files
* string file_id.file_rules[].category: file type category
* string file_id.file_rules[].group: comma separated list of groups
associated with file type
cached in memory { 8:max53 }
* int file_id.max_files_per_flow = 128: maximal number of files
able to be concurrently processed per flow { 1:max53 }
- * int file_id.qp_decode_depth = -1: Quoted Printable decoding depth
- (-1 no limit) { -1:65535 }
* int file_id.show_data_depth = 100: print this many octets {
0:max53 }
* int file_id.signature_depth = 10485760: stop signature at this
* bool file_id.trace_type = false: enable runtime dump of type info
* int file_id.type_depth = 1460: stop type ID at this point {
0:max53 }
- * int file_id.uu_decode_depth = -1: Unix-to-Unix decoding depth (-1
- no limit) { -1:65535 }
* bool file_log.log_pkt_time = true: log the packet time when event
generated
* bool file_log.log_sys_time = false: log the system time when
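Review bot: file_id.decompress_buffer_size survives this hunk while its siblings decompress_pdf, decompress_swf and decompress_zip are removed, so the reader is left with a "file decompression buffer size" for a module that no longer exposes any decompression switch. Either remove it as well, or state in its help text which decompressor it bounds (the http_inspect decompress_* paths documented in 5.10.3.5 to 5.10.3.7, or something else). If this buffer is what caps decompressed output, it is the knob that limits decompression-bomb exposure, and users need to know it is still in effect after the switches moved.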
is case insensitive.
* implied http_header.request: match against the headers from the
request message even when examining the response
+ * implied http_header_test.absent: header is absent
+ * interval http_header_test.check: range check to perform on header
+ value { 0:999999999999999999 }
+ * string http_header_test.field: Header to perform check on. Header
+ name is case insensitive.
+ * bool http_header_test.numeric: header value is a number
+ * implied http_header_test.request: match against the headers from
+ the request message even when examining the response
+ * implied http_header_test.with_body: parts of this rule examine
+ HTTP message body
+ * implied http_header_test.with_header: this rule is limited to
+ examining HTTP message headers
+ * implied http_header_test.with_trailer: parts of this rule examine
+ HTTP message trailers
* implied http_header.with_body: parts of this rule examine HTTP
message body
* implied http_header.with_header: this rule is limited to
* string http_trailer.field: restrict to given trailer
* implied http_trailer.request: match against the trailers from the
request message even when examining the response
+ * implied http_trailer_test.absent: trailer is absent
+ * interval http_trailer_test.check: range check to perform on
+ trailer value { 0:999999999999999999 }
+ * string http_trailer_test.field: Trailer to perform check on.
+ Trailer name is case insensitive.
+ * bool http_trailer_test.numeric: trailer value is a number
+ * implied http_trailer_test.request: match against the trailers
+ from the request message even when examining the response
+ * implied http_trailer_test.with_body: parts of this rule examine
+ HTTP message body
+ * implied http_trailer_test.with_header: parts of this rule examine
+ HTTP headers
* implied http_trailer.with_body: parts of this rule examine HTTP
message body (must be combined with request)
* implied http_trailer.with_header: parts of this rule examine HTTP
* int process.umask: set process umask (same as -m) { 0x000:0x1FF }
* bool process.utc = false: use UTC instead of local time for
timestamps
+ * int process.watchdog_timer = 0: watchdog timer for packet threads
+ (seconds, 0 to disable) { 0:60 }
* int profiler.memory.count = 0: limit results to count items per
level (0 = no limit) { 0:max32 }
* int profiler.memory.max_depth = -1: limit depth to max_depth (-1
* bool stream_tcp.show_rebuilt_packets = false: enable cmg like
output of reassembled packets
* int stream_tcp.small_segments.count = 0: number of consecutive
- TCP small segments considered to be excessive (129:12) { 0:2048 }
+ (in the received order) TCP small segments considered to be
+ excessive (129:12) { 0:2048 }
* int stream_tcp.small_segments.maximum_size = 0: minimum bytes for
a TCP segment not to be considered small (129:12) { 0:2048 }
* bool stream_tcp.track_only = false: disable reassembly if true
The HTTP message body is gzip encoded and the FEXTRA flag is set in
the gzip header.
+119:279 (http_inspect) nested unescape functions in JavaScript code
+
+Detected nesting of unescape functions(unescape, decodeURI,
+decodeURIComponent) in JavaScript code. Indicates that this code most
+likely has more than one level of obfuscation. This alert is raised
+by the enhanced JavaScript normalizer.
+
+119:280 (http_inspect) mixing of escape formats in JavaScript code
+
+Detected more than one encoding within unescape function call
+arguments in JavaScript code. This alert is raised by the enhanced
+JavaScript normalizer.
+
121:1 (http2_inspect) invalid flag set on HTTP/2 frame
Invalid flag set on HTTP/2 frame header
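Review bot: in the 119:279 description, "unescape functions(unescape, decodeURI, decodeURIComponent)" is missing the space before the parenthesis, and 119:280 says "more than one encoding" without naming which escape formats the normalizer distinguishes; listing them, as 119:279 lists the function names, would let rule writers understand what traffic trips it and tune suppressions. Both descriptions would also benefit from a stated false-positive expectation: legitimately minified code does nest decodeURIComponent(unescape(...)), so say whether these events are meant as informational indicators or as high-confidence obfuscation signals.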
129:12 (stream_tcp) consecutive TCP small segments exceeding
threshold
-Consecutive TCP small segments exceed the configured threshold. The
-size required to be a small segment can be configured via
+Consecutive (in the order of received packets, not the order of
+sequence numbers) TCP small segments exceed the configured threshold.
+The size required to be a small segment can be configured via
stream_tcp.small_segments.maximum_size, and the maximum number of
these small segments can be configured with int
stream_tcp.small_segments.count.
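Review bot: the clarified first sentence is right to spell out received order, but the paragraph still carries a stray type token: "configured with int stream_tcp.small_segments.count" should drop "int". One more sentence on what arrival-order counting means in practice would help: the count reflects segments as the sensor saw them, not as the endpoint reassembles them, so retransmissions and reordering affect whether 129:12 fires, and the sender, who controls segmentation, can trip or avoid the event independently of what the receiving stack ends up with.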
to the HTTP cookie
* http_header (ips_option): rule option to set the detection cursor
to the normalized headers
+ * http_header_test (ips_option): rule option to perform range check
+ on specified header field, check whether it is a number, or check
+ if the field is absent
* http_inspect (inspector): HTTP inspector
* http_method (ips_option): rule option to set the detection cursor
to the HTTP request method
cursor to the HTTP status message
* http_trailer (ips_option): rule option to set the detection
cursor to the normalized trailers
+ * http_trailer_test (ips_option): rule option to perform range
+ check on specified trailer field, check whether it is a number,
+ or check if the field is absent
* http_true_ip (ips_option): rule option to set the detection
cursor to the final client IP address
* http_uri (ips_option): rule option to set the detection cursor to
to the HTTP cookie
* ips_option::http_header: rule option to set the detection cursor
to the normalized headers
+ * ips_option::http_header_test: rule option to perform range check
+ on specified header field, check whether it is a number, or check
+ if the field is absent
* ips_option::http_method: rule option to set the detection cursor
to the HTTP request method
* ips_option::http_num_headers: rule option to perform range check
cursor to the HTTP status message
* ips_option::http_trailer: rule option to set the detection cursor
to the normalized trailers
+ * ips_option::http_trailer_test: rule option to perform range check
+ on specified trailer field, check whether it is a number, or
+ check if the field is absent
* ips_option::http_true_ip: rule option to set the detection cursor
to the final client IP address
* ips_option::http_uri: rule option to set the detection cursor to
The Snort Team
Revision History
-Revision 3.1.24.0 2022-02-23 09:29:22 EST TST
+Revision 3.1.25.0 2022-03-09 06:31:00 EST TST
---------------------------------------------------------------------
5.10.3.5. decompress_pdf
decompress_pdf = true will enable decompression of compressed
-portions of PDF files encountered in a response body. http_inspect
-will examine the response body for PDF files that are then parsed to
+portions of PDF files encountered in a message body. http_inspect
+will examine the message body for PDF files that are then parsed to
locate PDF streams with a single /FlateDecode filter. The compressed
content is decompressed and made available through the file data rule
option.
5.10.3.6. decompress_swf
decompress_swf = true will enable decompression of compressed SWF
-(Adobe Flash content) files encountered in a response body. The
+(Adobe Flash content) files encountered in a message body. The
available decompression modes are ’deflate’ and ’lzma’. http_inspect
will search for the file signatures CWS for Deflate/ZLIB and ZWS for
LZMA. The compressed content is decompressed and made available
through the file data rule option. The compressed SWF file signature
is converted to FWS to indicate an uncompressed file.
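Review bot: changing "response body" to "message body" for decompress_pdf and decompress_swf widens the decompressed scope to request bodies, but neither section says so explicitly or states the resulting limits; a sentence such as "applies to both request and response bodies" plus a pointer to the size bound that applies would make the change, and its added cost for uploads, clear. Note that 5.10.3.9 normalize_javascript still says "within the HTTP response body"; if that is deliberate it is fine, but it now stands out against the widened wording here and should be checked.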
-5.10.3.7. decompress_vba
+5.10.3.7. decompress_zip
+
+decompress_zip = true will enable decompression of compressed zip
+archives encountered in a message body. The compressed content is
+decompressed and made available through the file_data rule option.
+
+5.10.3.8. decompress_vba
decompress_vba = true will enable decompression of RLE (Run Length
Encoding) compressed vba (Visual Basic for Applications) macro data
-of MS Office files. The MS office files are PKZIP compressed which
-are parsed to locate the OLE (Object Linking and Embedding) file
-embedded with the files containing RLE compressed vba macro data. The
-decompressed vba macro data is then made available through the
-vba_data ips rule option.
+of MS Office files encountered in a message body. The MS office files
+are PKZIP compressed which are parsed to locate the OLE (Object
+Linking and Embedding) file embedded with the files containing RLE
+compressed vba macro data. The decompressed vba macro data is then
+made available through the vba_data ips rule option.
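Review bot: the new decompress_zip paragraph is much thinner than its pdf and swf neighbours: it does not say which compression methods are handled (deflate only, or stored entries too), whether nested archives are recursed, whether every member is decompressed or only the first, or what bound stops a small archive that inflates to gigabytes. Those are exactly the questions a rule writer needs answered before matching on file_data from an archive. Also, this paragraph writes "file_data rule option" while the pdf and swf paragraphs write "file data rule option"; the underscored form is the actual option name, so the other two should be updated to match.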
-5.10.3.8. normalize_javascript
+5.10.3.9. normalize_javascript
normalize_javascript = true will enable legacy normalizer of
JavaScript within the HTTP response body. http_inspect looks for
space and normalizes the plus by concatenating the strings. Such
normalizations refer to basic JavaScript normalization.
-5.10.3.9. js_norm_bytes_depth
+5.10.3.10. js_norm_bytes_depth
js_norm_bytes_depth = N {-1 : max53} will set a number of input
JavaScript bytes to normalize. When the depth is reached,
The identifiers are variables and function names. The normalized data
is available through the js_data rule option.
-5.10.3.10. js_norm_identifier_depth
+5.10.3.11. js_norm_identifier_depth
js_norm_identifier_depth = N {0 : 65536} will set a number of unique
JavaScript identifiers to normalize. When the depth is reached, a
65536, which is the max allowed number of unique identifiers. The
generated names are in the range from var_0000 to var_ffff.
-5.10.3.11. js_norm_max_tmpl_nest
+5.10.3.12. js_norm_max_tmpl_nest
js_norm_max_tmpl_nest = N {0 : 255} (default 32) is an option of the
enhanced JavaScript normalizer that determines the deepest level of
option is present to limit the amount of memory dedicated to template
nesting tracking.
-5.10.3.12. js_norm_max_bracket_depth
+5.10.3.13. js_norm_max_bracket_depth
js_norm_max_bracket_depth = N {1 : 65535} (default 256) is an option
of the enhanced JavaScript normalizer that determines the maximum
option is present to limit the amount of memory dedicated to bracket
tracking.
-5.10.3.13. js_norm_max_scope_depth
+5.10.3.14. js_norm_max_scope_depth
js_norm_max_scope_depth = N {1 : 65535} (default 256) is an option of
the enhanced JavaScript normalizer that determines the deepest level
the global scope. This option is present to limit the amount of
memory dedicated to scope tracking.
-5.10.3.14. js_norm_ident_ignore
+5.10.3.15. js_norm_ident_ignore
js_norm_ident_ignore = {<list of ignored identifiers>} is an option
of the enhanced JavaScript normalizer that defines a list of
The default list of ignore-identifiers is present in
"snort_defaults.lua".
-5.10.3.15. xff_headers
+Unescape function names should remain intact in the output. They
+ought to be included in the ignore list. If for some reason the user
+wants to disable unescape related features, then removing function’s
+name from the ignore list does the trick.
+
+5.10.3.16. xff_headers
This configuration supports defining custom x-forwarded-for type
headers. In a multi-vendor world, it is quite possible that the
"true-client-ip" if both headers are present in the stream. The
header names should be delimited by a space.
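Review bot: the js_norm_ident_ignore addition says unescape function names "ought to be included in the ignore list" but does not say whether the default list in snort_defaults.lua already contains them; if it does, say "are included by default", and if it does not, an operator who copies the default list gets no unescape detection without realizing it. "does the trick" is informal for reference text; suggest "removing a function name from the list disables the unescape-related processing for that function, including the 119:279 and 119:280 alerts" if that is indeed the effect, since those alerts are described as raised by the same enhanced normalizer.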
-5.10.3.16. maximum_host_length
+5.10.3.17. maximum_host_length
Setting maximum_host_length causes http_inspect to generate 119:25 if
the Host header value including optional white space exceeds the
total length of the combined values is used. The default value is -1,
meaning do not perform this check.
-5.10.3.17. maximum_chunk_length
+5.10.3.18. maximum_chunk_length
http_inspect strictly limits individual chunks within a chunked
message body to be less than four gigabytes.
A lower limit may be configured by setting maximum_chunk_length. Any
chunk longer than maximum chunk length will generate a 119:16 alert.
-5.10.3.18. URI processing
+5.10.3.19. URI processing
Normalization and inspection of the URI in the HTTP request message
is a key aspect of what http_inspect does. The best way to normalize
http_version rule option is available to examine the actual bytes in
the version field.
+5.10.6.18. http_header_test and http_trailer_test
+
+Rule options that perform various tests against a specific header and
+trailer field, respectively. It can perform a range test, check
+whether the value is numeric or whether it is absent. Negative values
+are considered non-numeric. Values with more than 18 digits are
+considered non-numeric.
+
5.10.7. Timing issues and combining rule options
HTTP inspector is stateful. That means it is aware of a bigger
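Review bot: 5.10.6.18 states the numeric rules (negative values and values longer than 18 digits are non-numeric, consistent with the 0:999999999999999999 range of check) but gives no example rule, so the reader cannot see the syntax for field, check or absent. One line each, a range check on a header value and an assertion that a header is absent, would remove the guesswork. The section should also say what happens when the value has leading whitespace or a plus sign, and which value is tested when the header is repeated, since those are the cases where a comparison against Content-Length can differ from what the server parses.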
options for MIME decoding depth. These depths range from 0 to 65535
bytes. Setting the value to 0 ("do none") turns the feature off.
Alternatively the value -1 means an unlimited amount of data should
-be decoded. If you do not specify the default value is 1460 bytes.
+be decoded. If you do not specify the default value is -1
+(unlimited).
The depth limits apply per attachment. They are:
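Review bot: this hunk silently changes the default MIME decoding depth from a bounded 1460 bytes to -1 (unlimited) and deserves a sentence on the consequence: by default every attachment is now decoded in full, which raises per-flow memory and CPU for large base64 or uuencoded attachments, and anyone who relied on the old cap must now set the *_decode_depth options explicitly. Also add the missing comma: "If you do not specify, the default value is -1 (unlimited)".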