<div class="literalblock">\r
<div class="content">\r
<pre><code> ,,_ -*> Snort++ <*-\r
-o" )~ Version 3.0.1 (Build 3)\r
+o" )~ Version 3.0.1 (Build 4)\r
'''' By Martin Roesch & The Snort Team\r
http://snort.org/contact#team\r
Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.\r
<div class="paragraph"><p>What: general decoder rules</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
<div class="paragraph"><p>Usage: context</p></div>\r
-<div class="paragraph"><p>Configuration:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-int <strong>decode.trace.all</strong> = 0: enable traces in module { 0:255 }\r
-</p>\r
-</li>\r
-</ul></div>\r
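Review bot: deleting `decode.trace.all` here takes the decode module's whole "Configuration:" block with it, so the section now shows no configuration at all. Either say explicitly that decode has no module-level options or add a one-line cross-reference to `trace.modules.decode.all`, which the trace module hunk introduces, so a reader looking under decode can still find how to trace it.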
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
bool <strong>detection.enable_address_anomaly_checks</strong> = false: enable check and alerting of address anomalies\r
</p>\r
</li>\r
-<li>\r
-<p>\r
-int <strong>detection.trace.all</strong> = 0: enable detection module trace logging options { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>detection.trace.detect_engine</strong> = 0: enable detection engine trace logging { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>detection.trace.rule_eval</strong> = 0: enable rule evaluation trace logging { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>detection.trace.buffer</strong> = 0: enable buffer trace logging { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>detection.trace.rule_vars</strong> = 0: enable rule variables trace logging { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>detection.trace.fp_search</strong> = 0: enable fast pattern search trace logging { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>detection.trace.pkt_detect</strong> = 0: enable packet detection trace logging { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>detection.trace.opt_tree</strong> = 0: enable tree option trace logging { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>detection.trace.tag</strong> = 0: enable tag trace logging { 0:255 }\r
-</p>\r
-</li>\r
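Review bot: removing all nine `detection.trace.*` options leaves no pointer in the detection section to where tracing is now configured. Operators who grep the manual for `detection.trace.rule_eval` or `detection.trace.fp_search` will find nothing; add a sentence in the detection Configuration text that these moved to `trace.modules.detection.*` (same option names, same `{ 0:255 }` range).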
</ul></div>\r
<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
int <strong>latency.rule.max_suspend_time</strong> = 30000: set max time for suspending a rule (ms, 0 means permanently disable rule) { 0:max32 }\r
</p>\r
</li>\r
-<li>\r
-<p>\r
-int <strong>latency.trace.all</strong> = 0: enable traces in module { 0:255 }\r
-</p>\r
-</li>\r
</ul></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
</li>\r
<li>\r
<p>\r
-bool <strong>network.decode_drops</strong> = false: enable dropping of packets by the decoder\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>network.id</strong> = 0: correlate unified2 events with configuration { 0:65535 }\r
</p>\r
</li>\r
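Review bot: `bool network.decode_drops = false: enable dropping of packets by the decoder` is removed with no replacement and no deprecation text anywhere in this diff. Unlike the `*.trace.all` removals this is an enforcement setting, not a debug knob, so the change in decoder drop behaviour should be spelled out in the release notes together with the migration step for configurations that currently set it.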
implied <strong>snort.--trace</strong>: turn on main loop debug trace\r
</p>\r
</li>\r
-<li>\r
-<p>\r
-int <strong>snort.trace.all</strong> = 0: enable traces in module { 0:255 }\r
-</p>\r
-</li>\r
</ul></div>\r
<div class="paragraph"><p>Commands:</p></div>\r
<div class="ulist"><ul>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
+int <strong>trace.modules.detection.all</strong>: enable all trace options { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.detection.detect_engine</strong>: enable detection engine trace logging { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.detection.rule_eval</strong>: enable rule evaluation trace logging { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.detection.buffer</strong>: enable buffer trace logging { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.detection.rule_vars</strong>: enable rule variables trace logging { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.detection.fp_search</strong>: enable fast pattern search trace logging { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.detection.pkt_detect</strong>: enable packet detection trace logging { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.detection.opt_tree</strong>: enable tree option trace logging { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.detection.tag</strong>: enable tag trace logging { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.stream_user.all</strong>: enable all trace options { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.stream_ip.all</strong>: enable all trace options { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.stream.all</strong>: enable all trace options { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.dce_smb.all</strong>: enable all trace options { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.dce_udp.all</strong>: enable all trace options { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.latency.all</strong>: enable all trace options { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.wizard.all</strong>: enable all trace options { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.gtp_inspect.all</strong>: enable all trace options { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.appid.all</strong>: enable all trace options { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.decode.all</strong>: enable all trace options { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
enum <strong>trace.output</strong>: output method for trace log messages { stdout | syslog }\r
</p>\r
</li>\r
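Review bot: every new `trace.modules.*` entry drops the default that the old entries carried (`int detection.trace.all = 0` became `int trace.modules.detection.all:` with no value). If the default is still 0, the generated help should print `= 0` so the reader can confirm tracing is off unless explicitly enabled; if the default changed, that is a behaviour change worth a release note, since trace output to stdout or syslog at level 255 on a busy sensor is a log-volume and disk-exhaustion concern.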
bool <strong>appid.log_all_sessions</strong> = false: enable logging of all appid sessions\r
</p>\r
</li>\r
-<li>\r
-<p>\r
-int <strong>appid.trace.all</strong> = 0: enable traces in module { 0:255 }\r
-</p>\r
-</li>\r
</ul></div>\r
<div class="paragraph"><p>Commands:</p></div>\r
<div class="ulist"><ul>\r
bool <strong>dce_smb.smb_legacy_mode</strong> = false: inspect only SMBv1\r
</p>\r
</li>\r
-<li>\r
-<p>\r
-int <strong>dce_smb.trace.all</strong> = 0: enable traces in module { 0:255 }\r
-</p>\r
-</li>\r
</ul></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
int <strong>dce_udp.max_frag_len</strong> = 65535: maximum fragment size for defragmentation { 1514:65535 }\r
</p>\r
</li>\r
-<li>\r
-<p>\r
-int <strong>dce_udp.trace.all</strong> = 0: enable traces in module { 0:255 }\r
-</p>\r
-</li>\r
</ul></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
int <strong><code>gtp_inspect[].infos[].length</code></strong> = 0: information element type code { 0:255 }\r
</p>\r
</li>\r
-<li>\r
-<p>\r
-int <strong>gtp_inspect.trace.all</strong> = 0: enable traces in module { 0:255 }\r
-</p>\r
-</li>\r
</ul></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
int <strong>rt_global.memcap</strong> = 2048: cap on amount of memory used (0 is disabled) { 0:max53 }\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+bool <strong>rt_global.empty_ips</strong> = false: ips policy with no rules\r
+</p>\r
+</li>\r
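Review bot: the description `ips policy with no rules` for the new `rt_global.empty_ips` names a condition rather than what the flag does when set to true. Reword it as a behaviour (what the module does differently with an IPS policy that has no rules), matching the style of the neighbouring `rt_global.memcap` text, so an operator can tell from the help alone what enabling it changes.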
</ul></div>\r
<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
</li>\r
<li>\r
<p>\r
+int <strong>stream.held_packet_timeout</strong> = 1000: timeout in milliseconds for held packets { 1:max32 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>stream.ip_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1:max32 }\r
</p>\r
</li>\r
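Review bot: `stream.held_packet_timeout = 1000` uses range `{ 1:max32 }`, so 0 cannot be used to hold packets forever; that is the right bound for a resource limit, since an unbounded hold would let a single flow pin packet memory indefinitely. The description should also state what happens to the packet when the timer fires (passed through or dropped), because the new `stream_tcp.held_packet_timeouts` peg only counts the events and a reader cannot infer the outcome from either entry.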
int <strong>stream.file_cache.cap_weight</strong> = 32: additional bytes to track per flow for better estimation against cap { 0:65535 }\r
</p>\r
</li>\r
-<li>\r
-<p>\r
-int <strong>stream.trace.all</strong> = 0: enable traces in module { 0:255 }\r
-</p>\r
-</li>\r
</ul></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
int <strong>stream_ip.session_timeout</strong> = 30: session tracking timeout { 1:max31 }\r
</p>\r
</li>\r
-<li>\r
-<p>\r
-int <strong>stream_ip.trace.all</strong> = 0: enable traces in module { 0:255 }\r
-</p>\r
-</li>\r
</ul></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
</li>\r
<li>\r
<p>\r
+<strong>stream_tcp.held_packet_timeouts</strong>: number of held packets that timed out (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>stream_tcp.cur_packets_held</strong>: number of packets currently held (now)\r
</p>\r
</li>\r
<strong>stream_tcp.partial_flush_bytes</strong>: partial flush total bytes (sum)\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+<strong>stream_tcp.inspector_fallbacks</strong>: count of fallbacks from assigned service inspector (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream_tcp.partial_fallbacks</strong>: count of fallbacks from assigned service stream splitter (sum)\r
+</p>\r
+</li>\r
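Review bot: `stream_tcp.inspector_fallbacks` and `stream_tcp.partial_fallbacks` say what was fallen back from (the assigned service inspector or stream splitter) but not to what. Since a non-zero count means traffic stopped being handled by the inspector it was assigned, which is a detection-coverage signal operators should watch, name the fallback target in the description and consider documenting that growth in these counters warrants investigation.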
</ul></div>\r
</div>\r
<div class="sect2">\r
int <strong>stream_user.session_timeout</strong> = 30: session tracking timeout { 1:max31 }\r
</p>\r
</li>\r
-<li>\r
-<p>\r
-int <strong>stream_user.trace.all</strong> = 0: enable traces in module { 0:255 }\r
-</p>\r
-</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
multi <strong>wizard.curses</strong>: enable service identification based on internal algorithm { dce_smb | dce_udp | dce_tcp }\r
</p>\r
</li>\r
-<li>\r
-<p>\r
-int <strong>wizard.trace.all</strong> = 0: enable traces in module { 0:255 }\r
-</p>\r
-</li>\r
</ul></div>\r
<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
</li>\r
<li>\r
<p>\r
-int <strong>appid.trace.all</strong> = 0: enable traces in module { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
ip4 <strong><code>arp_spoof.hosts[].ip</code></strong>: host ip address\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>dce_smb.trace.all</strong> = 0: enable traces in module { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
multi <strong>dce_smb.valid_smb_versions</strong> = all: valid SMB versions { v1 | v2 | all }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>dce_udp.trace.all</strong> = 0: enable traces in module { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>decode.trace.all</strong> = 0: enable traces in module { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>detection.asn1</strong> = 0: maximum decode nodes { 0:65535 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>detection.trace.all</strong> = 0: enable detection module trace logging options { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>detection.trace.buffer</strong> = 0: enable buffer trace logging { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>detection.trace.detect_engine</strong> = 0: enable detection engine trace logging { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>detection.trace.fp_search</strong> = 0: enable fast pattern search trace logging { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>detection.trace.opt_tree</strong> = 0: enable tree option trace logging { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>detection.trace.pkt_detect</strong> = 0: enable packet detection trace logging { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>detection.trace.rule_eval</strong> = 0: enable rule evaluation trace logging { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>detection.trace.rule_vars</strong> = 0: enable rule variables trace logging { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>detection.trace.tag</strong> = 0: enable tag trace logging { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
bool <strong>dnp3.check_crc</strong> = false: validate checksums in DNP3 link layer frames\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>gtp_inspect.trace.all</strong> = 0: enable traces in module { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong><code>gtp_inspect[].version</code></strong> = 2: GTP version { 0:2 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>latency.trace.all</strong> = 0: enable traces in module { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
bool <strong>log_codecs.file</strong> = false: output to log_codecs.txt instead of stdout\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>network.decode_drops</strong> = false: enable dropping of packets by the decoder\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>network.id</strong> = 0: correlate unified2 events with configuration { 0:65535 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>rt_global.empty_ips</strong> = false: ips policy with no rules\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>rt_global.memcap</strong> = 2048: cap on amount of memory used (0 is disabled) { 0:max53 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>snort.trace.all</strong> = 0: enable traces in module { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
implied <strong>snort.--trace</strong>: turn on main loop debug trace\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+int <strong>stream.held_packet_timeout</strong> = 1000: timeout in milliseconds for held packets { 1:max32 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>stream.icmp_cache.cap_weight</strong> = 0: additional bytes to track per flow for better estimation against cap { 0:65535 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream_ip.trace.all</strong> = 0: enable traces in module { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>stream.max_flows</strong> = 476288: maximum simultaneous flows tracked before pruning { 2:max32 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.trace.all</strong> = 0: enable traces in module { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>stream.udp_cache.cap_weight</strong> = 0: additional bytes to track per flow for better estimation against cap { 0:65535 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream_user.trace.all</strong> = 0: enable traces in module { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong><code>suppress[].gid</code></strong> = 0: rule generator ID { 0:max32 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+int <strong>trace.modules.appid.all</strong>: enable all trace options { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.dce_smb.all</strong>: enable all trace options { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.dce_udp.all</strong>: enable all trace options { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.decode.all</strong>: enable all trace options { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.detection.all</strong>: enable all trace options { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.detection.buffer</strong>: enable buffer trace logging { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.detection.detect_engine</strong>: enable detection engine trace logging { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.detection.fp_search</strong>: enable fast pattern search trace logging { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.detection.opt_tree</strong>: enable tree option trace logging { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.detection.pkt_detect</strong>: enable packet detection trace logging { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.detection.rule_eval</strong>: enable rule evaluation trace logging { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.detection.rule_vars</strong>: enable rule variables trace logging { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.detection.tag</strong>: enable tag trace logging { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.gtp_inspect.all</strong>: enable all trace options { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.latency.all</strong>: enable all trace options { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.stream.all</strong>: enable all trace options { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.stream_ip.all</strong>: enable all trace options { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.stream_user.all</strong>: enable all trace options { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.wizard.all</strong>: enable all trace options { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
enum <strong>trace.output</strong>: output method for trace log messages { stdout | syslog }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>wizard.trace.all</strong> = 0: enable traces in module { 0:255 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
interval <strong>wscale.~range</strong>: check if TCP window scale is in given range { 0:65535 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>stream_tcp.held_packet_timeouts</strong>: number of held packets that timed out (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>stream_tcp.ignored</strong>: tcp packets ignored (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>stream_tcp.inspector_fallbacks</strong>: count of fallbacks from assigned service inspector (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>stream_tcp.instantiated</strong>: new sessions instantiated (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>stream_tcp.partial_fallbacks</strong>: count of fallbacks from assigned service stream splitter (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>stream_tcp.partial_flush_bytes</strong>: partial flush total bytes (sum)\r
</p>\r
</li>\r
<div id="footer">\r
<div id="footer-text">\r
Last updated\r
- 2020-05-06 12:35:40 EDT\r
+ 2020-05-20 08:20:56 EDT\r
</div>\r
</div>\r
</body>\r
Snorty
,,_ -*> Snort++ <*-
-o" )~ Version 3.0.1 (Build 3)
+o" )~ Version 3.0.1 (Build 4)
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
Usage: context
-Configuration:
-
- * int decode.trace.all = 0: enable traces in module { 0:255 }
-
Rules:
* 116:150 (decode) loopback IP
instead of pcre for compatible expressions
* bool detection.enable_address_anomaly_checks = false: enable
check and alerting of address anomalies
- * int detection.trace.all = 0: enable detection module trace
- logging options { 0:255 }
- * int detection.trace.detect_engine = 0: enable detection engine
- trace logging { 0:255 }
- * int detection.trace.rule_eval = 0: enable rule evaluation trace
- logging { 0:255 }
- * int detection.trace.buffer = 0: enable buffer trace logging {
- 0:255 }
- * int detection.trace.rule_vars = 0: enable rule variables trace
- logging { 0:255 }
- * int detection.trace.fp_search = 0: enable fast pattern search
- trace logging { 0:255 }
- * int detection.trace.pkt_detect = 0: enable packet detection trace
- logging { 0:255 }
- * int detection.trace.opt_tree = 0: enable tree option trace
- logging { 0:255 }
- * int detection.trace.tag = 0: enable tag trace logging { 0:255 }
Peg counts:
* int latency.rule.max_suspend_time = 30000: set max time for
suspending a rule (ms, 0 means permanently disable rule) {
0:max32 }
- * int latency.trace.all = 0: enable traces in module { 0:255 }
Rules:
| ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }
* multi network.checksum_eval = all: checksums to verify { all | ip
| noip | tcp | notcp | udp | noudp | icmp | noicmp | none }
- * bool network.decode_drops = false: enable dropping of packets by
- the decoder
* int network.id = 0: correlate unified2 events with configuration
{ 0:65535 }
* int network.min_ttl = 1: alert / normalize packets with lower TTL
* string snort.--x2s: output ASCII string for given byte code (see
also --x2c)
* implied snort.--trace: turn on main loop debug trace
- * int snort.trace.all = 0: enable traces in module { 0:255 }
Commands:
Configuration:
+ * int trace.modules.detection.all: enable all trace options { 0:255
+ }
+ * int trace.modules.detection.detect_engine: enable detection
+ engine trace logging { 0:255 }
+ * int trace.modules.detection.rule_eval: enable rule evaluation
+ trace logging { 0:255 }
+ * int trace.modules.detection.buffer: enable buffer trace logging {
+ 0:255 }
+ * int trace.modules.detection.rule_vars: enable rule variables
+ trace logging { 0:255 }
+ * int trace.modules.detection.fp_search: enable fast pattern search
+ trace logging { 0:255 }
+ * int trace.modules.detection.pkt_detect: enable packet detection
+ trace logging { 0:255 }
+ * int trace.modules.detection.opt_tree: enable tree option trace
+ logging { 0:255 }
+ * int trace.modules.detection.tag: enable tag trace logging { 0:255
+ }
+ * int trace.modules.stream_user.all: enable all trace options {
+ 0:255 }
+ * int trace.modules.stream_ip.all: enable all trace options { 0:255
+ }
+ * int trace.modules.stream.all: enable all trace options { 0:255 }
+ * int trace.modules.dce_smb.all: enable all trace options { 0:255 }
+ * int trace.modules.dce_udp.all: enable all trace options { 0:255 }
+ * int trace.modules.latency.all: enable all trace options { 0:255 }
+ * int trace.modules.wizard.all: enable all trace options { 0:255 }
+ * int trace.modules.gtp_inspect.all: enable all trace options {
+ 0:255 }
+ * int trace.modules.appid.all: enable all trace options { 0:255 }
+ * int trace.modules.decode.all: enable all trace options { 0:255 }
* enum trace.output: output method for trace log messages { stdout
| syslog }
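Review bot: the text rendering wraps several new entries so that the range brace is split across lines, e.g. `* int trace.modules.detection.all: enable all trace options { 0:255` followed by a lone `}` (also `.detection.tag` and `.stream_ip.all`). The generator's line wrap should keep the `{ ... }` range on one line, otherwise anything that parses this text for option ranges picks up a truncated value.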
on startup
* bool appid.log_all_sessions = false: enable logging of all appid
sessions
- * int appid.trace.all = 0: enable traces in module { 0:255 }
Commands:
(-1 = disabled, 0 = unlimited) { -1:32767 }
* string dce_smb.smb_invalid_shares: SMB shares to alert on
* bool dce_smb.smb_legacy_mode = false: inspect only SMBv1
- * int dce_smb.trace.all = 0: enable traces in module { 0:255 }
Rules:
defragmentation
* int dce_udp.max_frag_len = 65535: maximum fragment size for
defragmentation { 1514:65535 }
- * int dce_udp.trace.all = 0: enable traces in module { 0:255 }
Rules:
* string gtp_inspect[].infos[].name: information element name
* int gtp_inspect[].infos[].length = 0: information element type
code { 0:255 }
- * int gtp_inspect.trace.all = 0: enable traces in module { 0:255 }
Rules:
!tls, 3 = !ctl and !file { 1:3 }
* int rt_global.memcap = 2048: cap on amount of memory used (0 is
disabled) { 0:max53 }
+ * bool rt_global.empty_ips = false: ips policy with no rules
Peg counts:
before pruning { 2:max32 }
* int stream.pruning_timeout = 30: minimum inactive time before
being eligible for pruning { 1:max32 }
+ * int stream.held_packet_timeout = 1000: timeout in milliseconds
+ for held packets { 1:max32 }
* int stream.ip_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 }
* int stream.ip_cache.cap_weight = 0: additional bytes to track per
before retiring session tracker { 1:max32 }
* int stream.file_cache.cap_weight = 32: additional bytes to track
per flow for better estimation against cap { 0:65535 }
- * int stream.trace.all = 0: enable traces in module { 0:255 }
Rules:
| linux | bsd | bsd_right | last | windows | solaris }
* int stream_ip.session_timeout = 30: session tracking timeout {
1:max31 }
- * int stream_ip.trace.all = 0: enable traces in module { 0:255 }
Rules:
(sum)
* stream_tcp.held_packets_passed: number of held packets passed
(sum)
+ * stream_tcp.held_packet_timeouts: number of held packets that
+ timed out (sum)
* stream_tcp.cur_packets_held: number of packets currently held
(now)
* stream_tcp.max_packets_held: maximum number of packets held
* stream_tcp.partial_flushes: number of partial flushes initiated
(sum)
* stream_tcp.partial_flush_bytes: partial flush total bytes (sum)
+ * stream_tcp.inspector_fallbacks: count of fallbacks from assigned
+ service inspector (sum)
+ * stream_tcp.partial_fallbacks: count of fallbacks from assigned
+ service stream splitter (sum)
9.50. stream_udp
* int stream_user.session_timeout = 30: session tracking timeout {
1:max31 }
- * int stream_user.trace.all = 0: enable traces in module { 0:255 }
9.52. telnet
wild cards (*)
* multi wizard.curses: enable service identification based on
internal algorithm { dce_smb | dce_udp | dce_tcp }
- * int wizard.trace.all = 0: enable traces in module { 0:255 }
Peg counts:
library
* bool appid.tp_appid_stats_enable: enable collection of stats and
print stats on exit in third party module
- * int appid.trace.all = 0: enable traces in module { 0:255 }
* ip4 arp_spoof.hosts[].ip: host ip address
* mac arp_spoof.hosts[].mac: host mac address
* int asn1.absolute_offset: absolute offset from the beginning of
* bool dce_smb.smb_legacy_mode = false: inspect only SMBv1
* int dce_smb.smb_max_chain = 3: SMB max chain size { 0:255 }
* int dce_smb.smb_max_compound = 3: SMB max compound size { 0:255 }
- * int dce_smb.trace.all = 0: enable traces in module { 0:255 }
* multi dce_smb.valid_smb_versions = all: valid SMB versions { v1 |
v2 | all }
* bool dce_tcp.disable_defrag = false: disable DCE/RPC
per signature per flow
* int dce_udp.max_frag_len = 65535: maximum fragment size for
defragmentation { 1514:65535 }
- * int dce_udp.trace.all = 0: enable traces in module { 0:255 }
- * int decode.trace.all = 0: enable traces in module { 0:255 }
* int detection.asn1 = 0: maximum decode nodes { 0:65535 }
* bool detection.enable_address_anomaly_checks = false: enable
check and alerting of address anomalies
overrides when pattern matching (ie ignore /O)
* bool detection.pcre_to_regex = false: enable the use of regex
instead of pcre for compatible expressions
- * int detection.trace.all = 0: enable detection module trace
- logging options { 0:255 }
- * int detection.trace.buffer = 0: enable buffer trace logging {
- 0:255 }
- * int detection.trace.detect_engine = 0: enable detection engine
- trace logging { 0:255 }
- * int detection.trace.fp_search = 0: enable fast pattern search
- trace logging { 0:255 }
- * int detection.trace.opt_tree = 0: enable tree option trace
- logging { 0:255 }
- * int detection.trace.pkt_detect = 0: enable packet detection trace
- logging { 0:255 }
- * int detection.trace.rule_eval = 0: enable rule evaluation trace
- logging { 0:255 }
- * int detection.trace.rule_vars = 0: enable rule variables trace
- logging { 0:255 }
- * int detection.trace.tag = 0: enable tag trace logging { 0:255 }
* bool dnp3.check_crc = false: validate checksums in DNP3 link
layer frames
* string dnp3_func.~: match DNP3 function code or name
* string gtp_inspect[].messages[].name: message name
* int gtp_inspect[].messages[].type = 0: message type code { 0:255
}
- * int gtp_inspect.trace.all = 0: enable traces in module { 0:255 }
* int gtp_inspect[].version = 2: GTP version { 0:2 }
* string gtp_type.~: list of types to match
* int gtp_version.~: version to match { 0:2 }
rules
* int latency.rule.suspend_threshold = 5: set threshold for number
of timeouts before suspending a rule { 1:max32 }
- * int latency.trace.all = 0: enable traces in module { 0:255 }
* bool log_codecs.file = false: output to log_codecs.txt instead of
stdout
* bool log_codecs.msg = false: include alert msg
| ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }
* multi network.checksum_eval = all: checksums to verify { all | ip
| noip | tcp | notcp | udp | noudp | icmp | noicmp | none }
- * bool network.decode_drops = false: enable dropping of packets by
- the decoder
* int network.id = 0: correlate unified2 events with configuration
{ 0:65535 }
* int network.layers = 40: the maximum number of protocols that
!tls, 3 = !ctl and !file { 1:3 }
* int rt_global.downshift_packet = 0: attempt downshift at this
packet on flow (0 is disabled) { 0:max32 }
+ * bool rt_global.empty_ips = false: ips policy with no rules
* int rt_global.memcap = 2048: cap on amount of memory used (0 is
disabled) { 0:max53 }
* bool rt_packet.retry_all = false: request retry for all non-retry
talos)
* string snort.-t: <dir> chroots process to <dir> after
initialization
- * int snort.trace.all = 0: enable traces in module { 0:255 }
* implied snort.--trace: turn on main loop debug trace
* implied snort.--treat-drop-as-alert: converts drop, block, and
reset rules into alert rules when loaded
* int stream.file_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 }
* bool stream_file.upload = false: indicate file transfer direction
+ * int stream.held_packet_timeout = 1000: timeout in milliseconds
+ for held packets { 1:max32 }
* int stream.icmp_cache.cap_weight = 0: additional bytes to track
per flow for better estimation against cap { 0:65535 }
* int stream.icmp_cache.idle_timeout = 180: maximum inactive time
| linux | bsd | bsd_right | last | windows | solaris }
* int stream_ip.session_timeout = 30: session tracking timeout {
1:max31 }
- * int stream_ip.trace.all = 0: enable traces in module { 0:255 }
* int stream.max_flows = 476288: maximum simultaneous flows tracked
before pruning { 2:max32 }
* int stream.pruning_timeout = 30: minimum inactive time before
* int stream_tcp.small_segments.maximum_size = 0: minimum bytes for
a TCP segment not to be considered small (129:12) { 0:2048 }
* bool stream_tcp.track_only = false: disable reassembly if true
- * int stream.trace.all = 0: enable traces in module { 0:255 }
* int stream.udp_cache.cap_weight = 0: additional bytes to track
per flow for better estimation against cap { 0:65535 }
* int stream.udp_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 }
* int stream_user.session_timeout = 30: session tracking timeout {
1:max31 }
- * int stream_user.trace.all = 0: enable traces in module { 0:255 }
* int suppress[].gid = 0: rule generator ID { 0:max32 }
* string suppress[].ip: restrict suppression to these addresses
according to track
* bool telnet.encrypted_traffic = false: check for encrypted Telnet
* bool telnet.normalize = false: eliminate escape sequences
* interval tos.~range: check if IP TOS is in given range { 0:255 }
+ * int trace.modules.appid.all: enable all trace options { 0:255 }
+ * int trace.modules.dce_smb.all: enable all trace options { 0:255 }
+ * int trace.modules.dce_udp.all: enable all trace options { 0:255 }
+ * int trace.modules.decode.all: enable all trace options { 0:255 }
+ * int trace.modules.detection.all: enable all trace options { 0:255
+ }
+ * int trace.modules.detection.buffer: enable buffer trace logging {
+ 0:255 }
+ * int trace.modules.detection.detect_engine: enable detection
+ engine trace logging { 0:255 }
+ * int trace.modules.detection.fp_search: enable fast pattern search
+ trace logging { 0:255 }
+ * int trace.modules.detection.opt_tree: enable tree option trace
+ logging { 0:255 }
+ * int trace.modules.detection.pkt_detect: enable packet detection
+ trace logging { 0:255 }
+ * int trace.modules.detection.rule_eval: enable rule evaluation
+ trace logging { 0:255 }
+ * int trace.modules.detection.rule_vars: enable rule variables
+ trace logging { 0:255 }
+ * int trace.modules.detection.tag: enable tag trace logging { 0:255
+ }
+ * int trace.modules.gtp_inspect.all: enable all trace options {
+ 0:255 }
+ * int trace.modules.latency.all: enable all trace options { 0:255 }
+ * int trace.modules.stream.all: enable all trace options { 0:255 }
+ * int trace.modules.stream_ip.all: enable all trace options { 0:255
+ }
+ * int trace.modules.stream_user.all: enable all trace options {
+ 0:255 }
+ * int trace.modules.wizard.all: enable all trace options { 0:255 }
* enum trace.output: output method for trace log messages { stdout
| syslog }
* interval ttl.~range: check if IP TTL is in the given range {
wild cards (*)
* string wizard.spells[].to_server[].spell: sequence of data with
wild cards (*)
- * int wizard.trace.all = 0: enable traces in module { 0:255 }
* interval wscale.~range: check if TCP window scale is in given
range { 0:65535 }
(sum)
* stream_tcp.held_packets_passed: number of held packets passed
(sum)
+ * stream_tcp.held_packet_timeouts: number of held packets that
+ timed out (sum)
* stream_tcp.ignored: tcp packets ignored (sum)
* stream_tcp.initializing: number of sessions currently
initializing (now)
+ * stream_tcp.inspector_fallbacks: count of fallbacks from assigned
+ service inspector (sum)
* stream_tcp.instantiated: new sessions instantiated (sum)
* stream_tcp.internal_events: 135:X events generated (sum)
* stream_tcp.max: max tcp sessions (max)
* stream_tcp.memory: current memory in use (now)
* stream_tcp.overlaps: overlapping segments queued (sum)
* stream_tcp.packets_held: number of packets held (sum)
+ * stream_tcp.partial_fallbacks: count of fallbacks from assigned
+ service stream splitter (sum)
* stream_tcp.partial_flush_bytes: partial flush total bytes (sum)
* stream_tcp.partial_flushes: number of partial flushes initiated
(sum)