+2020/10/27 - 3.0.3 build 4
+
+-- actions: Add support to react for HTTP/2
+-- appid: Fix -Wunused-private-field Clang warning in service_state.h
+-- build: Various build fixes for OS X
+-- file_api: Remove deletion of file_mempool
+-- framework: Fix ConnectorConfig dtor to be virtual
+-- ips: Move IPS variables to sub-tables which designate type
+-- lua: Update default_variables with 'nets', 'paths', and 'ports' tables in snort_defaults.lua
+-- module: Fix modules that accept their configuration as a list
+-- payload_injector: Support pages > 16k
+-- rna: Add unit tests for TCP fingerprint methods
+-- snort: Remove support for -S option
+-- src: Clean up zero-initialization of arrays
+-- tools: Update snort2lua to convert custom variables into ips.variables.nets/.paths/.ports tables
+-- trace: Add timestamps in trace log messages for stdout logger
+
2020/10/22 - 3.0.3 build 3
-- actions: Update react documentation
-- file_magic: Update POSIX tar archive pattern
-- flow: Add source/dest group id in flow key
-- flow: Stale and deleted flows due to EOF should generate would have dropped event
--- ftp_data: Add can_start_tls() support and generate ssl search abandoned event for unencrypted data channels
--- host_cache: Add delete host, network protocol, transport protocol, client, service, tcp fingerprint and user agent fingerprint commands
+-- ftp_data: Add can_start_tls() support and generate ssl search abandoned event for unencrypted
+ data channels
+-- host_cache: Add delete host, network protocol, transport protocol, client, service, tcp
+ fingerprint and user agent fingerprint commands
-- host_tracker: Implement client and server delete commands
-- http2_inspect: Handle stream creation for push promise frames
-- ips_options: Fix retry calculation in IPS content when handling "within" field
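Review bot: the two build-3 entries for ftp_data and host_cache are re-wrapped onto continuation lines while every other entry in this file, including the new build-4 tools entry that is at least as long, stays on a single line; pick one convention (one entry per line, or a hard wrap at a fixed width) and apply it to the new entries as well. Two wording points on the build-4 block: "actions: Add support to react for HTTP/2" reads more naturally as "actions: Add HTTP/2 support to react", and the trace entry mentions only the new timestamps, although this release also renames the trace.log_ntuple option to trace.ntuple (see the manual changes below); a rename of a user-facing config option is exactly what a reader of the ChangeLog needs to be told about.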
The Snort Team
Revision History
-Revision 3.0.3 (Build 3) 2020-10-22 13:10:50 EDT TST
+Revision 3.0.3 (Build 4) 2020-10-27 14:24:13 EDT TST
---------------------------------------------------------------------
rules too)
* string ips.uuid = 00000000-0000-0000-0000-000000000000: IPS
policy uuid
- * string ips.variables.$var: IPS policy variable
+ * string ips.variables.nets.$var: IPS policy variable
+ * string ips.variables.paths.$var: IPS policy variable
+ * string ips.variables.ports.$var: IPS policy variable
2.16. latency
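Review bot: the three new ips.variables sub-table entries carry the identical help text "IPS policy variable", so the reference no longer tells the reader what distinguishes nets, paths and ports; give each its own description (network variable, path variable, port variable) in the module help string this list is produced from. The same three lines recur in the sorted parameter list further down and would pick up the fix along with this one.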
Configuration:
- * bit_list side_channel.ports: side channel message port list {
+ * bit_list side_channel[].ports: side channel message port list {
65535 }
- * string side_channel.connectors[].connector: connector handle
- * string side_channel.connector: connector handle
+ * string side_channel[].connectors[].connector: connector handle
+ * string side_channel[].connector: connector handle
Peg counts:
* string snort.-R: <rules> include this rules file in the default
policy
* string snort.-r: <pcap>… (same as --pcap-list)
- * string snort.-S: <x=v> set config variable x equal to value v
* int snort.-s = 1518: <snap> (same as --snaplen); default is 1518
{ 68:65535 }
* implied snort.-T: test and report on the current Snort
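Review bot: the -S help line is deleted outright here, in the CLI summary and in the sorted parameter list below, with no deprecation step, so an existing invocation that still passes -S <x=v> will now fail at startup; the error the binary prints should point users to setting the value in the Lua config instead, and the ChangeLog entry "Remove support for -S option" should say the same. Since these are generated reference hunks, the thing to verify is that the usage text printed by the binary no longer lists -S either.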
traces
* enum trace.output: output method for trace log messages { stdout
| syslog }
- * bool trace.log_ntuple = false: use extended trace output with
- n-tuple packet info
+ * bool trace.ntuple = false: print packet n-tuple info with trace
+ messages
+ * bool trace.timestamp = false: print message timestamps with trace
+ messages
Commands:
- * trace.set(modules, constraints, log_ntuple): set modules traces,
- constraints and log_ntuple option
+ * trace.set(modules, constraints, ntuple, timestamp): set modules
+ traces, constraints, ntuple and timestamp options
* trace.clear(): clear modules traces and constraints
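Review bot: trace.log_ntuple is renamed to trace.ntuple without a deprecated alias, so any snort.lua that sets trace = { log_ntuple = true } will be rejected at config load after this change; either keep log_ntuple as a deprecated alias for one release or call the rename out explicitly in the ChangeLog, whose build-4 trace entry mentions only timestamps. The trace.set command also gains a fourth positional parameter; the control-channel examples further down call it with a table and omit keys, so a short note on whether trailing positional parameters may be omitted in the positional form trace.set(modules, constraints, ntuple, timestamp) would avoid confusion.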
Configuration:
- * string file_connector.connector: connector name
- * string file_connector.name: channel name
- * enum file_connector.format: file format { binary | text }
- * enum file_connector.direction: usage { receive | transmit |
+ * string file_connector[].connector: connector name
+ * string file_connector[].name: channel name
+ * enum file_connector[].format: file format { binary | text }
+ * enum file_connector[].direction: usage { receive | transmit |
duplex }
Peg counts:
Configuration:
- * string tcp_connector.connector: connector name
- * string tcp_connector.address: address
- * port tcp_connector.base_port: base port number
- * enum tcp_connector.setup: stream establishment { call | answer }
+ * string tcp_connector[].connector: connector name
+ * string tcp_connector[].address: address
+ * port tcp_connector[].base_port: base port number
+ * enum tcp_connector[].setup: stream establishment { call | answer
+ }
Peg counts:
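Review bot: the tcp_connector[].setup line is now wrapped with the closing brace alone on the continuation line ("{ call | answer" followed by "}"), which reads as a stray character; the added "[]" pushed the line past the wrap width, so either shorten the help string (for example "stream setup") or have the generator keep the enum set on one line. The same wrap appears on the second copy of this line in the sorted parameter list.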
* -q quiet mode - suppress normal logging on stdout
* -R <rules> include this rules file in the default policy
* -r <pcap>… (same as --pcap-list)
- * -S <x=v> set config variable x equal to value v
* -s <snap> (same as --snaplen); default is 1518 (68:65535)
* -T test and report on the current Snort configuration
* -t <dir> chroots process to <dir> after initialization
ordering incoming events { priority|content_length }
* bool event_queue.process_all_events = false: process just first
action group or all action groups
- * string file_connector.connector: connector name
- * enum file_connector.direction: usage { receive | transmit |
+ * string file_connector[].connector: connector name
+ * enum file_connector[].direction: usage { receive | transmit |
duplex }
- * enum file_connector.format: file format { binary | text }
- * string file_connector.name: channel name
+ * enum file_connector[].format: file format { binary | text }
+ * string file_connector[].name: channel name
* int file_id.b64_decode_depth = -1: base64 decoding depth (-1 no
limit) { -1:65535 }
* int file_id.bitenc_decode_depth = -1: Non-Encoded MIME attachment
rules too)
* string ips.uuid = 00000000-0000-0000-0000-000000000000: IPS
policy uuid
- * string ips.variables.$var: IPS policy variable
+ * string ips.variables.nets.$var: IPS policy variable
+ * string ips.variables.paths.$var: IPS policy variable
+ * string ips.variables.ports.$var: IPS policy variable
* string isdataat.~length: num | !num
* implied isdataat.relative: offset from cursor instead of start of
buffer
to start search
* implied sha512.relative = false: offset from cursor instead of
start of buffer
- * string side_channel.connector: connector handle
- * string side_channel.connectors[].connector: connector handle
- * bit_list side_channel.ports: side channel message port list {
+ * string side_channel[].connector: connector handle
+ * string side_channel[].connectors[].connector: connector handle
+ * bit_list side_channel[].ports: side channel message port list {
65535 }
* int sid.~: signature id { 1:max32 }
* bool sip.ignore_call_channel = false: enables the support for
-s) { 68:65535 }
* implied snort.--stdin-rules: read rules from stdin until EOF or a
line starting with END is read
- * string snort.-S: <x=v> set config variable x equal to value v
* implied snort.--talos: enable Talos tweak (same as --tweaks
talos)
* string snort.-t: <dir> chroots process to <dir> after
* int tag.seconds: tag for this many seconds { 1:max32 }
* enum target.~: indicate the target of the attack { src_ip |
dst_ip }
- * string tcp_connector.address: address
- * port tcp_connector.base_port: base port number
- * string tcp_connector.connector: connector name
- * enum tcp_connector.setup: stream establishment { call | answer }
+ * string tcp_connector[].address: address
+ * port tcp_connector[].base_port: base port number
+ * string tcp_connector[].connector: connector name
+ * enum tcp_connector[].setup: stream establishment { call | answer
+ }
* int telnet.ayt_attack_thresh = -1: alert on this number of
consecutive Telnet AYT commands { -1:max31 }
* bool telnet.check_encrypted = false: check for end of encryption
traces
* string trace.constraints.src_ip: source IP address filter
* int trace.constraints.src_port: source port filter { 0:65535 }
- * bool trace.log_ntuple = false: use extended trace output with
- n-tuple packet info
* int trace.modules.all: enable trace for all modules { 0:255 }
* int trace.modules.appid.all: enable all trace options { 0:255 }
* int trace.modules.dce_smb.all: enable all trace options { 0:255 }
* int trace.modules.stream_user.all: enable all trace options {
0:255 }
* int trace.modules.wizard.all: enable all trace options { 0:255 }
+ * bool trace.ntuple = false: print packet n-tuple info with trace
+ messages
* enum trace.output: output method for trace log messages { stdout
| syslog }
+ * bool trace.timestamp = false: print message timestamps with trace
+ messages
* interval ttl.~range: check if IP TTL is in the given range {
0:255 }
* bool udp.deep_teredo_inspection = false: look for Teredo on all
* snort.detach(): exit shell w/o shutdown
* snort.quit(): shutdown and dump-stats
* snort.help(): this output
- * trace.set(modules, constraints, log_ntuple): set modules traces,
- constraints and log_ntuple option
+ * trace.set(modules, constraints, ntuple, timestamp): set modules
+ traces, constraints, ntuple and timestamp options
* trace.clear(): clear modules traces and constraints
The Snort Team
Revision History
-Revision 3.0.3 (Build 3) 2020-10-22 13:10:41 EDT TST
+Revision 3.0.3 (Build 4) 2020-10-27 14:24:05 EDT TST
---------------------------------------------------------------------
"HTTP/1.1 403 Forbidden\r\n" \
"Connection: close\r\n" \
"Content-Type: text/html; charset=utf-8\r\n" \
-"Content-Length: 439\r\n" \
+"Content-Length: 438\r\n" \
"\r\n"
The page to be sent can be read from a file:
"</html>\r\n"
Note that the file contains the message body only. The headers will
-be added with an updated value for Content-Length.
+be added with an updated value for Content-Length. For HTTP/2 traffic
+Snort will translate the page to HTTP/2 format.
-When using react, payload injector must be configured as well.
+Limitations for HTTP/2:
+
+ * Packet will be injected against the last received stream id.
+ * Injection triggered while server-to-client flow of traffic is in
+ a middle of a frame is not supported. The traffic will be
+ blocked, but the page will not be injected/displayed.
+
+When using react, payload injector must be configured as well. Also
+Snort should be in ips mode, so the rule is triggered on the client
+packet, and not delayed until the server sends ACK. To achieve this
+use the default normalizer. It will set normalizer.tcp.ips = true.
Example:
react = { page = "my_block_page.html" }
payload_injector = { }
+normalizer = { }
local_rules =
[[
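Review bot: the Content-Length in the sample react headers drops from 439 to 438, but no change to the page body appears in this hunk, so the commit should state whether the default page changed by one byte elsewhere in the patch or whether the documented value was simply wrong; the header must equal the exact byte length of the body Snort sends, and a mismatch in the example misleads anyone building a custom page from it. In the new HTTP/2 text, "Packet will be injected against the last received stream id" should read "The page will be injected on the last received stream id", and "is in a middle of a frame" should be "is in the middle of a frame". The second limitation (traffic is blocked but the page is not injected) is the one operators need, because the client then sees a dropped connection rather than a block page; keep it and state that outcome plainly. The sentence "use the default normalizer. It will set normalizer.tcp.ips = true" is ambiguous about whether normalizer = { } alone enables TCP IPS mode or whether the user has to set it; if the intent is that the option must be true, showing it explicitly in the example (normalizer = { tcp = { ips = true } }) removes the doubt.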
output - configure the output method for trace messages
modules - trace configuration for specific modules
constraints - filter traces by the packet constraints
-log_ntuple - on/off packet n-tuple info logging
+ntuple - on/off packet n-tuple info logging
+timestamp - on/off message timestamps logging
The following lines, added in snort.lua, will enable trace messages
for detection and codec modules. The messages will be printed to
syslog if the packet filtering constraints match. Messages will be in
-extended format, including n-tuple packet info at the beginning of
-each trace message.
+extended format, including timestamp and n-tuple packet info at the
+beginning of each trace message.
trace =
{
src_port = 100,
dst_port = 200
},
- log_ntuple = true
+ ntuple = true,
+ timestamp = true
}
The trace module supports config reloading. Also, it’s possible to
run and without reloading the entire config.
Control channel also allow adjusting trace output format by setting
-log_ntuple switcher.
+ntuple and timestamp switchers.
After entering the Snort shell, there are two commands available for
the trace module:
trace.set({ modules = { all = N } }) - enable traces for all modules with verbosity level N
-trace.set({ log_ntuple = true/false }) - on/off packet n-tuple info logging
+trace.set({ ntuple = true/false }) - on/off packet n-tuple info logging
+
+trace.set({ timestamp = true/false }) - on/off timestamp logging
trace.clear() - clear modules traces and constraints
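Review bot: the context sentence "Control channel also allow adjusting trace output format" is part of the paragraph this hunk edits and should read "The control channel also allows adjusting the trace output format"; fix it while the paragraph is being touched. Also a blank line is inserted between the two trace.set examples but not between the other commands in the list, so either separate every command with a blank line or none of them.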
Possible thread types: C – main (control) thread P – packet thread O
– other thread
-Setting the option - log_ntuple allows you to change the trace
-message format, expanding it with information about the processed
-packet.
+Setting the option - ntuple allows you to change the trace message
+format, expanding it with information about the processed packet.
It will be added at the beginning, right after the thread type and
instance ID, in the following format:
Those info can be displayed only for IP packets. Port defaults to
zero if a packet doesn’t have it.
+The timestamp option extends output format by logging the message
+time in the next format:
+
+MM/DD-hh:mm:ss.SSSSSS
+
+Where:
+
+M – month
+D – day
+h – hours
+m – minutes
+s – seconds
+S – milliseconds
+
6.18.7. Example - Debugging rules using detection trace
The detection engine is responsible for rule evaluation. Turning on
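Review bot: the legend for the new timestamp format does not match the format string: MM/DD-hh:mm:ss.SSSSSS has six fractional digits, which is microseconds, while the legend says "S – milliseconds"; correct whichever one disagrees with what the logger actually prints. Also "in the next format" should be "in the following format", and since the year is omitted it is worth stating whether the timestamp is local time or UTC, because correlating trace lines with other logs depends on it.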