<div class="literalblock">\r
<div class="content">\r
<pre><code> ,,_ -*> Snort++ <*-\r
-o" )~ Version 3.0.0 (Build 260)\r
+o" )~ Version 3.0.0 (Build 261)\r
'''' By Martin Roesch & The Snort Team\r
http://snort.org/contact#team\r
Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.\r
The snort module has command line options starting with a -.\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+$ denotes variable names, eg rule_state.$gid_sid which would be used\r
+ like rule_state["1:23456"] = { }.\r
+</p>\r
+</li>\r
</ul></div>\r
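Review bot: "eg" in the new $gid_sid bullet should be "e.g.", and the example assignment rule_state["1:23456"] = { } is an empty table; showing one of the keys this document lists for rule_state (action or enable) inside the braces would make the variable-name convention concrete for a reader who lands here without having seen the rule_state section.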
<div class="paragraph"><p>Some additional details to note:</p></div>\r
<div class="ulist"><ul>\r
j<>k means j < int < k and j<⇒k means j ⇐ int ⇐ k.\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+Ranges may use maxXX like { 1:max32 } since max32 is easier to read\r
+ than 4294967295. To get the values of maxXX, use snort --help-limits.\r
+</p>\r
+</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
</li>\r
<li>\r
<p>\r
-safec from <a href="https://github.com/rurban/safeclib/">https://github.com/rurban/safeclib/</a> for runtime bounds\r
+safec >= 3.5 from <a href="https://github.com/rurban/safeclib/">https://github.com/rurban/safeclib/</a> for runtime bounds\r
checks on certain legacy C-library calls\r
</p>\r
</li>\r
<strong>daq.rx_bytes</strong>: total bytes received (sum)\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+<strong>daq.retries_queued</strong>: messages queued for retry (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>daq.retries_dropped</strong>: messages dropped when overrunning the retry queue (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>daq.retries_processed</strong>: messages processed from the retry queue (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>daq.retries_discarded</strong>: messages discarded when purging the retry queue (sum)\r
+</p>\r
+</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>detection.analyzed</strong>: packets sent to detection (now)\r
+<strong>detection.analyzed</strong>: total packets processed (now)\r
</p>\r
</li>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-enum <strong><code>rule_state.([0-9]+):([0-9]+)[].action</code></strong> = inherit: apply action if rule matches or inherit from rule definition { log | pass | alert | drop | block | reset | inherit }\r
+enum <strong><code>rule_state.$gid_sid[].action</code></strong> = inherit: apply action if rule matches or inherit from rule definition { log | pass | alert | drop | block | reset | inherit }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong><code>rule_state.([0-9]+):([0-9]+)[].enable</code></strong> = inherit: enable or disable rule in current ips policy or use default defined by ips policy { no | yes | inherit }\r
+enum <strong><code>rule_state.$gid_sid[].enable</code></strong> = inherit: enable or disable rule in current ips policy or use default defined by ips policy { no | yes | inherit }\r
</p>\r
</li>\r
</ul></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>121:1</strong> (http2_inspect) Error in HPACK integer value\r
+<strong>121:1</strong> (http2_inspect) error in HPACK integer value\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>121:2</strong> (http2_inspect) integer value has leading zeros\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>121:3</strong> (http2_inspect) error in HPACK string value\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>121:2</strong> (http2_inspect) Integer value has leading zeros\r
+<strong>121:4</strong> (http2_inspect) missing continuation frame\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>121:3</strong> (http2_inspect) Error in HPACK string value\r
+<strong>121:5</strong> (http2_inspect) unexpected continuation frame\r
</p>\r
</li>\r
</ul></div>\r
bool <strong>rna.enable_logger</strong> = true: enable or disable writing discovery events into logger\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+bool <strong>rna.log_when_idle</strong> = false: enable host update logging when snort is idle\r
+</p>\r
+</li>\r
</ul></div>\r
<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>rna.icmp</strong>: count of ICMP packets received (sum)\r
+<strong>rna.icmp_bidirectional</strong>: count of bidirectional ICMP flows received (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>rna.icmp_new</strong>: count of new ICMP flows received (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>rna.ip_bidirectional</strong>: count of bidirectional IP received (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>rna.ip</strong>: count of IP packets received (sum)\r
+<strong>rna.ip_new</strong>: count of new IP flows received (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>rna.udp</strong>: count of UDP packets received (sum)\r
+<strong>rna.udp_bidirectional</strong>: count of bidirectional UDP flows received (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>rna.udp_new</strong>: count of new UDP flows received (sum)\r
</p>\r
</li>\r
<li>\r
<strong>rna.other_packets</strong>: count of packets received without session tracking (sum)\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+<strong>rna.change_host_update</strong>: count number of change host update events (sum)\r
+</p>\r
+</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>rt_packet.test_daq_retry</strong> = true: test daq packet retry feature\r
+bool <strong>rt_packet.retry_targeted</strong> = false: request retry for packets whose data starts with <em>A</em>\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>rt_packet.retry_all</strong> = false: request retry for all non-retry packets\r
</p>\r
</li>\r
</ul></div>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
+<h3 id="_http2_decoded_header">http2_decoded_header</h3>\r
+<div class="paragraph"><p>What: rule option to set detection cursor to the decoded HTTP/2 header</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
+</div>\r
+<div class="sect2">\r
<h3 id="_http2_frame_data">http2_frame_data</h3>\r
-<div class="paragraph"><p>What: rule option to see HTTP/2 frame body</p></div>\r
+<div class="paragraph"><p>What: rule option to set detection cursor to the HTTP/2 frame body</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Usage: detect</p></div>\r
</div>\r
<div class="sect2">\r
<h3 id="_http2_frame_header">http2_frame_header</h3>\r
-<div class="paragraph"><p>What: rule option to see 9-octet HTTP/2 frame header</p></div>\r
+<div class="paragraph"><p>What: rule option to set detection cursor to the 9-octet HTTP/2 frame header</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="paragraph"><p>Usage: detect</p></div>\r
</div>\r
<li>\r
<p>\r
Generally try to follow\r
- <a href="http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml">http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml</a>,\r
+ <a href="https://google.github.io/styleguide/cppguide.html">https://google.github.io/styleguide/cppguide.html</a>,\r
but there are some differences documented here.\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>rna.log_when_idle</strong> = false: enable host update logging when snort is idle\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>rna.rna_conf_path</strong>: path to RNA configuration\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>rt_packet.test_daq_retry</strong> = true: test daq packet retry feature\r
+bool <strong>rt_packet.retry_all</strong> = false: request retry for all non-retry packets\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong><code>rule_state.([0-9]+):([0-9]+)[].action</code></strong> = inherit: apply action if rule matches or inherit from rule definition { log | pass | alert | drop | block | reset | inherit }\r
+bool <strong>rt_packet.retry_targeted</strong> = false: request retry for packets whose data starts with <em>A</em>\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong><code>rule_state.([0-9]+):([0-9]+)[].enable</code></strong> = inherit: enable or disable rule in current ips policy or use default defined by ips policy { no | yes | inherit }\r
+enum <strong><code>rule_state.$gid_sid[].action</code></strong> = inherit: apply action if rule matches or inherit from rule definition { log | pass | alert | drop | block | reset | inherit }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+enum <strong><code>rule_state.$gid_sid[].enable</code></strong> = inherit: enable or disable rule in current ips policy or use default defined by ips policy { no | yes | inherit }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>daq.retries_discarded</strong>: messages discarded when purging the retry queue (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>daq.retries_dropped</strong>: messages dropped when overrunning the retry queue (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>daq.retries_processed</strong>: messages processed from the retry queue (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>daq.retries_queued</strong>: messages queued for retry (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>daq.retry</strong>: total retry verdicts (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.analyzed</strong>: packets sent to detection (now)\r
+<strong>detection.analyzed</strong>: total packets processed (now)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>rna.icmp</strong>: count of ICMP packets received (sum)\r
+<strong>rna.change_host_update</strong>: count number of change host update events (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>rna.icmp_bidirectional</strong>: count of bidirectional ICMP flows received (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>rna.icmp_new</strong>: count of new ICMP flows received (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>rna.ip</strong>: count of IP packets received (sum)\r
+<strong>rna.ip_bidirectional</strong>: count of bidirectional IP received (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>rna.ip_new</strong>: count of new IP flows received (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>rna.udp</strong>: count of UDP packets received (sum)\r
+<strong>rna.udp_bidirectional</strong>: count of bidirectional UDP flows received (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>rna.udp_new</strong>: count of new UDP flows received (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>121:1</strong> (http2_inspect) Error in HPACK integer value\r
+<strong>121:1</strong> (http2_inspect) error in HPACK integer value\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>121:2</strong> (http2_inspect) Integer value has leading zeros\r
+<strong>121:2</strong> (http2_inspect) integer value has leading zeros\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>121:3</strong> (http2_inspect) Error in HPACK string value\r
+<strong>121:3</strong> (http2_inspect) error in HPACK string value\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>121:4</strong> (http2_inspect) missing continuation frame\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>121:5</strong> (http2_inspect) unexpected continuation frame\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>http2_frame_data</strong> (ips_option): rule option to see HTTP/2 frame body\r
+<strong>http2_decoded_header</strong> (ips_option): rule option to set detection cursor to the decoded HTTP/2 header\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>http2_frame_data</strong> (ips_option): rule option to set detection cursor to the HTTP/2 frame body\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http2_frame_header</strong> (ips_option): rule option to see 9-octet HTTP/2 frame header\r
+<strong>http2_frame_header</strong> (ips_option): rule option to set detection cursor to the 9-octet HTTP/2 frame header\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>ips_option::http2_frame_data</strong>: rule option to see HTTP/2 frame body\r
+<strong>ips_option::http2_decoded_header</strong>: rule option to set detection cursor to the decoded HTTP/2 header\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>ips_option::http2_frame_data</strong>: rule option to set detection cursor to the HTTP/2 frame body\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ips_option::http2_frame_header</strong>: rule option to see 9-octet HTTP/2 frame header\r
+<strong>ips_option::http2_frame_header</strong>: rule option to set detection cursor to the 9-octet HTTP/2 frame header\r
</p>\r
</li>\r
<li>\r
<div id="footer">\r
<div id="footer-text">\r
Last updated\r
- 2019-08-28 09:32:47 EDT\r
+ 2019-09-12 19:44:55 EDT\r
</div>\r
</div>\r
</body>\r
11.32. gtp_info
11.33. gtp_type
11.34. gtp_version
- 11.35. http2_frame_data
- 11.36. http2_frame_header
- 11.37. http_client_body
- 11.38. http_cookie
- 11.39. http_header
- 11.40. http_method
- 11.41. http_raw_body
- 11.42. http_raw_cookie
- 11.43. http_raw_header
- 11.44. http_raw_request
- 11.45. http_raw_status
- 11.46. http_raw_trailer
- 11.47. http_raw_uri
- 11.48. http_stat_code
- 11.49. http_stat_msg
- 11.50. http_trailer
- 11.51. http_true_ip
- 11.52. http_uri
- 11.53. http_version
- 11.54. icmp_id
- 11.55. icmp_seq
- 11.56. icode
- 11.57. id
- 11.58. ip_proto
- 11.59. ipopts
- 11.60. isdataat
- 11.61. itype
- 11.62. md5
- 11.63. metadata
- 11.64. modbus_data
- 11.65. modbus_func
- 11.66. modbus_unit
- 11.67. msg
- 11.68. mss
- 11.69. pcre
- 11.70. pkt_data
- 11.71. pkt_num
- 11.72. priority
- 11.73. raw_data
- 11.74. reference
- 11.75. regex
- 11.76. rem
- 11.77. replace
- 11.78. rev
- 11.79. rpc
- 11.80. sd_pattern
- 11.81. seq
- 11.82. service
- 11.83. session
- 11.84. sha256
- 11.85. sha512
- 11.86. sid
- 11.87. sip_body
- 11.88. sip_header
- 11.89. sip_method
- 11.90. sip_stat_code
- 11.91. so
- 11.92. soid
- 11.93. ssl_state
- 11.94. ssl_version
- 11.95. stream_reassemble
- 11.96. stream_size
- 11.97. tag
- 11.98. target
- 11.99. tos
- 11.100. ttl
- 11.101. urg
- 11.102. window
- 11.103. wscale
+ 11.35. http2_decoded_header
+ 11.36. http2_frame_data
+ 11.37. http2_frame_header
+ 11.38. http_client_body
+ 11.39. http_cookie
+ 11.40. http_header
+ 11.41. http_method
+ 11.42. http_raw_body
+ 11.43. http_raw_cookie
+ 11.44. http_raw_header
+ 11.45. http_raw_request
+ 11.46. http_raw_status
+ 11.47. http_raw_trailer
+ 11.48. http_raw_uri
+ 11.49. http_stat_code
+ 11.50. http_stat_msg
+ 11.51. http_trailer
+ 11.52. http_true_ip
+ 11.53. http_uri
+ 11.54. http_version
+ 11.55. icmp_id
+ 11.56. icmp_seq
+ 11.57. icode
+ 11.58. id
+ 11.59. ip_proto
+ 11.60. ipopts
+ 11.61. isdataat
+ 11.62. itype
+ 11.63. md5
+ 11.64. metadata
+ 11.65. modbus_data
+ 11.66. modbus_func
+ 11.67. modbus_unit
+ 11.68. msg
+ 11.69. mss
+ 11.70. pcre
+ 11.71. pkt_data
+ 11.72. pkt_num
+ 11.73. priority
+ 11.74. raw_data
+ 11.75. reference
+ 11.76. regex
+ 11.77. rem
+ 11.78. replace
+ 11.79. rev
+ 11.80. rpc
+ 11.81. sd_pattern
+ 11.82. seq
+ 11.83. service
+ 11.84. session
+ 11.85. sha256
+ 11.86. sha512
+ 11.87. sid
+ 11.88. sip_body
+ 11.89. sip_header
+ 11.90. sip_method
+ 11.91. sip_stat_code
+ 11.92. so
+ 11.93. soid
+ 11.94. ssl_state
+ 11.95. ssl_version
+ 11.96. stream_reassemble
+ 11.97. stream_size
+ 11.98. tag
+ 11.99. target
+ 11.100. tos
+ 11.101. ttl
+ 11.102. urg
+ 11.103. window
+ 11.104. wscale
12. Search Engine Modules
13. SO Rule Modules
Snorty
,,_ -*> Snort++ <*-
-o" )~ Version 3.0.0 (Build 260)
+o" )~ Version 3.0.0 (Build 261)
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
by a *. Used for unquoted, comma-separated lists such as service
and metadata.
* The snort module has command line options starting with a -.
+ * $ denotes variable names, eg rule_state.$gid_sid which would be
+ used like rule_state["1:23456"] = { }.
Some additional details to note:
* interval takes the form [operator]i, j<>k, or j<⇒k where i,j,k
are integers and operator is one of =, !, != (same as !), <, ⇐,
>, >=. j<>k means j < int < k and j<⇒k means j ⇐ int ⇐ k.
+ * Ranges may use maxXX like { 1:max32 } since max32 is easier to
+ read than 4294967295. To get the values of maxXX, use snort
+ --help-limits.
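Review bot: in the interval bullet directly above the new Ranges item, the <= operator renders as ⇐ and j<=>k as j<⇒k in both the text and the HTML output (AsciiDoc replaces <= with an arrow), so the definition reads "j ⇐ int ⇐ k" instead of a comparison; escape the operators in the source so the comparison signs survive, since the new item now sits in the same list and readers will read both together.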
2.4. Plugins
UTF16-LE filenames to UTF8 (usually included in glibc)
* lzma >= 5.1.2 from http://tukaani.org/xz/ for decompression of
SWF and PDF files
- * safec from https://github.com/rurban/safeclib/ for runtime bounds
- checks on certain legacy C-library calls
+ * safec >= 3.5 from https://github.com/rurban/safeclib/ for runtime
+ bounds checks on certain legacy C-library calls
* source-highlight from http://www.gnu.org/software/src-highlite/
to generate the dev guide
* w3m from http://sourceforge.net/projects/w3m/ to build the plain
* daq.idle: attempts to acquire from DAQ without available packets
(sum)
* daq.rx_bytes: total bytes received (sum)
+ * daq.retries_queued: messages queued for retry (sum)
+ * daq.retries_dropped: messages dropped when overrunning the retry
+ queue (sum)
+ * daq.retries_processed: messages processed from the retry queue
+ (sum)
+ * daq.retries_discarded: messages discarded when purging the retry
+ queue (sum)
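Review bot: the descriptions of daq.retries_dropped ("dropped when overrunning the retry queue") and daq.retries_discarded ("discarded when purging the retry queue") are close enough that a reader cannot tell which condition increments which counter; say what a purge is as opposed to an overrun, or add a sentence distinguishing the two. The new pegs also count "messages" while the neighbouring pegs (daq.rx_bytes, daq.received) count "packets"; use one term unless the difference is deliberate, and if it is, say so once.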
6.6. decode
Peg counts:
- * detection.analyzed: packets sent to detection (now)
+ * detection.analyzed: total packets processed (now)
* detection.hard_evals: non-fast pattern rule evaluations (sum)
* detection.raw_searches: fast pattern searches in raw packet data
(sum)
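Review bot: the new wording "total packets processed (now)" is internally inconsistent: the (now) suffix marks an instantaneous value, while "total ... processed" reads as a cumulative count, which everywhere else on this page carries (sum) (daq.received: "total packets received from DAQ (sum)", reputation.packets: "total packets processed (sum)"). It is also now word-for-word identical to the reputation.packets description. Either the peg type should become (sum), or the text should keep describing the instantaneous quantity as the previous "packets sent to detection (now)" did.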
Configuration:
- * enum rule_state.([0-9]+):([0-9]+)[].action = inherit: apply
- action if rule matches or inherit from rule definition { log |
- pass | alert | drop | block | reset | inherit }
- * enum rule_state.([0-9]+):([0-9]+)[].enable = inherit: enable or
- disable rule in current ips policy or use default defined by ips
- policy { no | yes | inherit }
+ * enum rule_state.$gid_sid[].action = inherit: apply action if rule
+ matches or inherit from rule definition { log | pass | alert |
+ drop | block | reset | inherit }
+ * enum rule_state.$gid_sid[].enable = inherit: enable or disable
+ rule in current ips policy or use default defined by ips policy {
+ no | yes | inherit }
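Review bot: the new $gid_sid notation relies on the "$ denotes variable names" bullet added in the overview; this section has no pointer to it, so a reader who arrives via the alphabetical index (where rule_state.$gid_sid[].action appears on its own) has to guess what $gid_sid stands for. Repeating the one-line example (rule_state["1:23456"] = { }) here, or cross-referencing the convention, would close that gap.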
6.27. search_engine
Rules:
- * 121:1 (http2_inspect) Error in HPACK integer value
- * 121:2 (http2_inspect) Integer value has leading zeros
- * 121:3 (http2_inspect) Error in HPACK string value
+ * 121:1 (http2_inspect) error in HPACK integer value
+ * 121:2 (http2_inspect) integer value has leading zeros
+ * 121:3 (http2_inspect) error in HPACK string value
+ * 121:4 (http2_inspect) missing continuation frame
+ * 121:5 (http2_inspect) unexpected continuation frame
Peg counts:
fingerprint patterns
* bool rna.enable_logger = true: enable or disable writing
discovery events into logger
+ * bool rna.log_when_idle = false: enable host update logging when
+ snort is idle
Peg counts:
- * rna.icmp: count of ICMP packets received (sum)
- * rna.ip: count of IP packets received (sum)
- * rna.udp: count of UDP packets received (sum)
+ * rna.icmp_bidirectional: count of bidirectional ICMP flows
+ received (sum)
+ * rna.icmp_new: count of new ICMP flows received (sum)
+ * rna.ip_bidirectional: count of bidirectional IP received (sum)
+ * rna.ip_new: count of new IP flows received (sum)
+ * rna.udp_bidirectional: count of bidirectional UDP flows received
+ (sum)
+ * rna.udp_new: count of new UDP flows received (sum)
* rna.tcp_syn: count of TCP SYN packets received (sum)
* rna.tcp_syn_ack: count of TCP SYN-ACK packets received (sum)
* rna.tcp_midstream: count of TCP midstream packets received (sum)
* rna.other_packets: count of packets received without session
tracking (sum)
+ * rna.change_host_update: count number of change host update events
+ (sum)
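Review bot: rna.ip_bidirectional reads "count of bidirectional IP received (sum)", dropping the word "flows" that its siblings rna.icmp_bidirectional and rna.udp_bidirectional use; make it "bidirectional IP flows received". "count number of change host update events" for rna.change_host_update is redundant; "count of change host update events" matches the other entries. Also, rna.icmp, rna.ip and rna.udp are removed rather than kept alongside the new _new/_bidirectional pegs, so anything that reads those peg names stops receiving data; that rename deserves a line in the change notes.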
9.34. rpc_decode
Configuration:
- * bool rt_packet.test_daq_retry = true: test daq packet retry
- feature
+ * bool rt_packet.retry_targeted = false: request retry for packets
+ whose data starts with A
+ * bool rt_packet.retry_all = false: request retry for all non-retry
+ packets
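Review bot: "request retry for packets whose data starts with A" loses the emphasis on the letter in the text rendering (the HTML has <em>A</em>), so it reads as an unfinished sentence; quote the literal or give it in monospace so the matching byte is unambiguous. Replacing test_daq_retry = true with two options that both default to false also turns the retry test off by default, which is a behaviour change for anyone who relied on the old default and should be called out.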
Peg counts:
* int gtp_version.~: version to match { 0:2 }
-11.35. http2_frame_data
+11.35. http2_decoded_header
--------------
-What: rule option to see HTTP/2 frame body
+What: rule option to set detection cursor to the decoded HTTP/2
+header
Type: ips_option
Usage: detect
-11.36. http2_frame_header
+11.36. http2_frame_data
--------------
-What: rule option to see 9-octet HTTP/2 frame header
+What: rule option to set detection cursor to the HTTP/2 frame body
Type: ips_option
Usage: detect
-11.37. http_client_body
+11.37. http2_frame_header
+
+--------------
+
+What: rule option to set detection cursor to the 9-octet HTTP/2 frame
+header
+
+Type: ips_option
+
+Usage: detect
+
+
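Review bot: the three http2 "What" lines say "rule option to set detection cursor to ..." while the existing http_* options in the same chapter say "rule option to set the detection cursor to ..." (http_client_body: "set the detection cursor to the request body"); add the article for consistency, since these strings are also what appear in the module index and the ips_option listing at the end of the document.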
+11.38. http_client_body
--------------
Usage: detect
-11.38. http_cookie
+11.39. http_cookie
--------------
message trailers
-11.39. http_header
+11.40. http_header
--------------
message trailers
-11.40. http_method
+11.41. http_method
--------------
message trailers
-11.41. http_raw_body
+11.42. http_raw_body
--------------
Usage: detect
-11.42. http_raw_cookie
+11.43. http_raw_cookie
--------------
HTTP message trailers
-11.43. http_raw_header
+11.44. http_raw_header
--------------
HTTP message trailers
-11.44. http_raw_request
+11.45. http_raw_request
--------------
HTTP message trailers
-11.45. http_raw_status
+11.46. http_raw_status
--------------
HTTP message trailers
-11.46. http_raw_trailer
+11.47. http_raw_trailer
--------------
HTTP response message body (must be combined with request)
-11.47. http_raw_uri
+11.48. http_raw_uri
--------------
URI only
-11.48. http_stat_code
+11.49. http_stat_code
--------------
HTTP message trailers
-11.49. http_stat_msg
+11.50. http_stat_msg
--------------
HTTP message trailers
-11.50. http_trailer
+11.51. http_trailer
--------------
message body (must be combined with request)
-11.51. http_true_ip
+11.52. http_true_ip
--------------
HTTP message trailers
-11.52. http_uri
+11.53. http_uri
--------------
only
-11.53. http_version
+11.54. http_version
--------------
HTTP message trailers
-11.54. icmp_id
+11.55. icmp_id
--------------
0:65535 }
-11.55. icmp_seq
+11.56. icmp_seq
--------------
given range { 0:65535 }
-11.56. icode
+11.57. icode
--------------
0:255 }
-11.57. id
+11.58. id
--------------
}
-11.58. ip_proto
+11.59. ip_proto
--------------
* string ip_proto.~proto: [!|>|<] name or number
-11.59. ipopts
+11.60. ipopts
--------------
lsrre|ssrr|satid|any }
-11.60. isdataat
+11.61. isdataat
--------------
buffer
-11.61. itype
+11.62. itype
--------------
0:255 }
-11.62. md5
+11.63. md5
--------------
of buffer
-11.63. metadata
+11.64. metadata
--------------
pairs
-11.64. modbus_data
+11.65. modbus_data
--------------
Usage: detect
-11.65. modbus_func
+11.66. modbus_func
--------------
* string modbus_func.~: function code to match
-11.66. modbus_unit
+11.67. modbus_unit
--------------
* int modbus_unit.~: Modbus unit ID { 0:255 }
-11.67. msg
+11.68. msg
--------------
* string msg.~: message describing rule
-11.68. mss
+11.69. mss
--------------
}
-11.69. pcre
+11.70. pcre
--------------
* string pcre.~re: Snort regular expression
-11.70. pkt_data
+11.71. pkt_data
--------------
Usage: detect
-11.71. pkt_num
+11.72. pkt_num
--------------
{ 1: }
-11.72. priority
+11.73. priority
--------------
1:max31 }
-11.73. raw_data
+11.74. raw_data
--------------
Usage: detect
-11.74. reference
+11.75. reference
--------------
* string reference.~id: reference id
-11.75. regex
+11.76. regex
--------------
instead of start of buffer
-11.76. rem
+11.77. rem
--------------
* string rem.~: comment
-11.77. replace
+11.78. replace
--------------
* string replace.~: byte code to replace with
-11.78. rev
+11.79. rev
--------------
* int rev.~: revision { 1:max32 }
-11.79. rpc
+11.80. rpc
--------------
* string rpc.~proc: procedure number or * for any
-11.80. sd_pattern
+11.81. sd_pattern
--------------
* sd_pattern.terminated: hyperscan terminated (sum)
-11.81. seq
+11.82. seq
--------------
range { 0: }
-11.82. service
+11.83. service
--------------
* string service.*: one or more comma-separated service names
-11.83. session
+11.84. session
--------------
* enum session.~mode: output format { printable|binary|all }
-11.84. sha256
+11.85. sha256
--------------
start of buffer
-11.85. sha512
+11.86. sha512
--------------
start of buffer
-11.86. sid
+11.87. sid
--------------
* int sid.~: signature id { 1:max32 }
-11.87. sip_body
+11.88. sip_body
--------------
Usage: detect
-11.88. sip_header
+11.89. sip_header
--------------
Usage: detect
-11.89. sip_method
+11.90. sip_method
--------------
* string sip_method.*method: sip method
-11.90. sip_stat_code
+11.91. sip_stat_code
--------------
* int sip_stat_code.*code: status code { 1:999 }
-11.91. so
+11.92. so
--------------
buffer
-11.92. soid
+11.93. soid
--------------
like 3_45678_9
-11.93. ssl_state
+11.94. ssl_state
--------------
unknown
-11.94. ssl_version
+11.95. ssl_version
--------------
tls1.2
-11.95. stream_reassemble
+11.96. stream_reassemble
--------------
remainder of the session
-11.96. stream_size
+11.97. stream_size
--------------
direction(s) { either|to_server|to_client|both }
-11.97. tag
+11.98. tag
--------------
* int tag.bytes: tag for this many bytes { 1:max32 }
-11.98. target
+11.99. target
--------------
dst_ip }
-11.99. tos
+11.100. tos
--------------
* interval tos.~range: check if IP TOS is in given range { 0:255 }
-11.100. ttl
+11.101. ttl
--------------
0:255 }
-11.101. urg
+11.102. urg
--------------
{ 0:65535 }
-11.102. window
+11.103. window
--------------
range { 0:65535 }
-11.103. wscale
+11.104. wscale
--------------
--------------
- * Generally try to follow http://google-styleguide.googlecode.com/
- svn/trunk/cppguide.xml, but there are some differences documented
- here.
+ * Generally try to follow https://google.github.io/styleguide/
+ cppguide.html, but there are some differences documented here.
* Each source directory should have a dev_notes.txt file
summarizing the key points and design decisions for the code in
that directory. These are built into the developers guide.
* bool rna.enable_logger = true: enable or disable writing
discovery events into logger
* string rna.fingerprint_dir: directory to fingerprint patterns
+ * bool rna.log_when_idle = false: enable host update logging when
+ snort is idle
* string rna.rna_conf_path: path to RNA configuration
* string rna.rna_util_lib_path: path to library for utilities such
as fingerprint decoder
* string rpc.~proc: procedure number or * for any
* string rpc.~ver: version number or * for any
* int rt_global.memcap = 2048: cap on amount of memory used
- * bool rt_packet.test_daq_retry = true: test daq packet retry
- feature
- * enum rule_state.([0-9]+):([0-9]+)[].action = inherit: apply
- action if rule matches or inherit from rule definition { log |
- pass | alert | drop | block | reset | inherit }
- * enum rule_state.([0-9]+):([0-9]+)[].enable = inherit: enable or
- disable rule in current ips policy or use default defined by ips
- policy { no | yes | inherit }
+ * bool rt_packet.retry_all = false: request retry for all non-retry
+ packets
+ * bool rt_packet.retry_targeted = false: request retry for packets
+ whose data starts with A
+ * enum rule_state.$gid_sid[].action = inherit: apply action if rule
+ matches or inherit from rule definition { log | pass | alert |
+ drop | block | reset | inherit }
+ * enum rule_state.$gid_sid[].enable = inherit: enable or disable
+ rule in current ips policy or use default defined by ips policy {
+ no | yes | inherit }
* string sd_pattern.~pattern: The pattern to search for
* int sd_pattern.threshold = 1: number of matches before alerting {
1:max32 }
* daq.pcaps: total files and interfaces processed (max)
* daq.received: total packets received from DAQ (sum)
* daq.replace: total replace verdicts (sum)
+ * daq.retries_discarded: messages discarded when purging the retry
+ queue (sum)
+ * daq.retries_dropped: messages dropped when overrunning the retry
+ queue (sum)
+ * daq.retries_processed: messages processed from the retry queue
+ (sum)
+ * daq.retries_queued: messages queued for retry (sum)
* daq.retry: total retry verdicts (sum)
* daq.rx_bytes: total bytes received (sum)
* daq.skipped: packets skipped at startup (sum)
* detection.alerts: alerts not including IP reputation (sum)
* detection.alt_searches: alt fast pattern searches in packet data
(sum)
- * detection.analyzed: packets sent to detection (now)
+ * detection.analyzed: total packets processed (now)
* detection.body_searches: fast pattern searches in body buffer
(sum)
* detection.context_stalls: times processing stalled to wait for an
* reputation.monitored: number of packets monitored (sum)
* reputation.packets: total packets processed (sum)
* reputation.whitelisted: number of packets whitelisted (sum)
- * rna.icmp: count of ICMP packets received (sum)
- * rna.ip: count of IP packets received (sum)
+ * rna.change_host_update: count number of change host update events
+ (sum)
+ * rna.icmp_bidirectional: count of bidirectional ICMP flows
+ received (sum)
+ * rna.icmp_new: count of new ICMP flows received (sum)
+ * rna.ip_bidirectional: count of bidirectional IP received (sum)
+ * rna.ip_new: count of new IP flows received (sum)
* rna.other_packets: count of packets received without session
tracking (sum)
* rna.tcp_midstream: count of TCP midstream packets received (sum)
* rna.tcp_syn_ack: count of TCP SYN-ACK packets received (sum)
* rna.tcp_syn: count of TCP SYN packets received (sum)
- * rna.udp: count of UDP packets received (sum)
+ * rna.udp_bidirectional: count of bidirectional UDP flows received
+ (sum)
+ * rna.udp_new: count of new UDP flows received (sum)
* rpc_decode.concurrent_sessions: total concurrent rpc sessions
(now)
* rpc_decode.max_concurrent_sessions: maximum concurrent rpc
value
* 119:248 (http_inspect) gzip compressed data followed by
unexpected non-gzip data
- * 121:1 (http2_inspect) Error in HPACK integer value
- * 121:2 (http2_inspect) Integer value has leading zeros
- * 121:3 (http2_inspect) Error in HPACK string value
+ * 121:1 (http2_inspect) error in HPACK integer value
+ * 121:2 (http2_inspect) integer value has leading zeros
+ * 121:3 (http2_inspect) error in HPACK string value
+ * 121:4 (http2_inspect) missing continuation frame
+ * 121:5 (http2_inspect) unexpected continuation frame
* 122:1 (port_scan) TCP portscan
* 122:2 (port_scan) TCP decoy portscan
* 122:3 (port_scan) TCP portsweep
hosts
* host_tracker (basic): configure hosts
* hosts (basic): configure hosts
- * http2_frame_data (ips_option): rule option to see HTTP/2 frame
- body
- * http2_frame_header (ips_option): rule option to see 9-octet HTTP/
- 2 frame header
+ * http2_decoded_header (ips_option): rule option to set detection
+ cursor to the decoded HTTP/2 header
+ * http2_frame_data (ips_option): rule option to set detection
+ cursor to the HTTP/2 frame body
+ * http2_frame_header (ips_option): rule option to set detection
+ cursor to the 9-octet HTTP/2 frame header
* http2_inspect (inspector): HTTP/2 inspector
* http_client_body (ips_option): rule option to set the detection
cursor to the request body
* ips_option::gtp_info: rule option to check gtp info element
* ips_option::gtp_type: rule option to check gtp types
* ips_option::gtp_version: rule option to check GTP version
- * ips_option::http2_frame_data: rule option to see HTTP/2 frame
- body
- * ips_option::http2_frame_header: rule option to see 9-octet HTTP/2
- frame header
+ * ips_option::http2_decoded_header: rule option to set detection
+ cursor to the decoded HTTP/2 header
+ * ips_option::http2_frame_data: rule option to set detection cursor
+ to the HTTP/2 frame body
+ * ips_option::http2_frame_header: rule option to set detection
+ cursor to the 9-octet HTTP/2 frame header
* ips_option::http_client_body: rule option to set the detection
cursor to the request body
* ips_option::http_cookie: rule option to set the detection cursor