+18/11/07 - build 249
+
+-- appid: Fixing profiler data race and registration issues
+-- appid: make third party appid stats configurable
+-- appid: Remove detector flows from the list for faulty lua detectors
+-- build: remove dead code
+-- build: support dynamic imap, pop, and smtp
+-- comments: additional cleanup
+-- comments: delete obsolete comments
+-- comments: fixup format, spelling, priority, etc.
+-- comments: remove XXX and convert to FIXIT where appropriate
+-- connectors: Fix TCP connector unit test compilation on Alpine Linux (musl)
+-- cppcheck: cleanup some warnings
+-- dcerpc: fixed build warning with struct packing
+-- dcerpc: fixed setting endianness on one packet and checking on another
+-- detection : add function to clear ips_id from unit tests
+-- detectionengine: Only clear inspector data after offloads have completed
+-- detection/http_inspect: Save a snapshot HTTP buffers in the IPS context to support offload of HTTP flows
+-- doc: Adding performance consideration for developers
+-- file_api: revert deleting gid 146 so existing 146 rulesets dont attempt empty rule eval
+-- fixits: prioritize for RC
+-- flow: fixed build warning
+-- flow: track multiple offloads
+-- fp_detect: onload before running local to ensure event ordering
+-- framework: replace the newly introduced loop to reset the reload_type flags with the existing Inspector::update_policy function
+-- framework: set the reload_type flags to RELOAD_TYPE_NONE at the end of reload, in anticipation of future reloads.
+-- host_tracker: fixed uppcase IP param issue
+-- http2_inspect: Change http2 GID from 219 to 121
+-- ips_flowbits: move static structures to snort config
+-- main: initialize shell_map and other maps in PolicyMap::clone()
+-- main: size analyzer notification ring appropriately
+-- manual: fix some typos
+-- mime: made the mime hdr info and current search thread local
+-- mime: move the decode buffer used by mime attachments to mime context data
+-- packet_tracer: can't emplace vector<bool> until c++14
+-- parser: bad filename during reload is not a fatal error
+-- perfmon: fix issue for report correct stats after passing -n pkts
+-- perf_monitor: trackers keep copy of the relevant config items from the inspector
+-- reload: fixed smtp seg fault when reload failed
+-- reputation: delete old conf before allocating a new one in ReputationModule::begin() if conf not null
+-- rule_state: indicate list format
+-- search_tool: include bytes searched in pattern match stats
+-- search_tool: validate ac_full and ac_bnfa wrt search and search_all
+-- snort2lua: Add support for enable/disable iprep logging using suppress mechanism
+-- snort2lua: Avoid returning reference of local variable
+-- snort2lua: comment out deleted gid 146 rules
+-- snort2lua: Enable address_anomaly_detection during snort2lua and fixed missing string sanity checks
+-- snort2lua: fixed paf_max to stream_tcp.max_pdu convertion
+-- snort2lua: tweak for style consistency
+-- snort: add --rule-path to load rules from all files under given dir
+-- snort: Code refactoring - replacing push_back/insert by emplace_back/emplace, keeping reputation_id in flow instead of flow_data, and appid code improvements
+-- source: fix some typos
+-- source: minor refactoring
+-- spell: fix typo
+-- stream, detection, flow: don't force onloads between pdus unless absolutey necessary
+-- stream: fixed build warning
+-- stream: only delete flows after all onloads
+-- stream tcp: don't delete flow data on rst, let session close handle it
+-- textlog: removed unused TextLog_Tell function
+-- thread_idle: call timeout flows with packet time for pcap replay
+-- utils: fixed deprecation build warning on register keyword
+
18/09/26 - build 248
-- appid: adding detector builder and fixing stats to recognize custom appid
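Review bot: several of the new changelog entries carry typos that will ship verbatim in the release notes: "dont" in the file_api entry, "uppcase" in the host_tracker entry, "convertion" in the snort2lua paf_max entry, "absolutey" in the stream/detection/flow entry, and a stray space in "detection : add function". Module prefixes are also inconsistent for the same component ("perfmon" vs "perf_monitor", "stream tcp" vs "stream"). More substantively, "http2_inspect: Change http2 GID from 219 to 121" is a user-visible break: any deployed suppress, event_filter or rule_state entries keyed on gid 219 will stop matching without any error, so the entry (or the manual's builtin GID table) should state that 219 is retired and 121 replaces it.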
<div class="literalblock">\r
<div class="content">\r
<pre><code> ,,_ -*> Snort++ <*-\r
-o" )~ Version 3.0.0 (Build 246) from 2.9.11\r
+o" )~ Version 3.0.0 (Build 248) from 2.9.11\r
'''' By Martin Roesch & The Snort Team\r
http://snort.org/contact#team\r
Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.\r
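Review bot: the banner in this hunk is bumped only to "Build 248" while the changelog at the top of this same patch adds the "18/11/07 - build 249" section and the footer later in the patch is regenerated to 2018-11-07; the manual will therefore advertise the previous build. Regenerate the banner (and the matching one in the text manual) so it reads Build 249, or drop the changelog section if this is in fact the 248 release.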
<div class="paragraph"><p>The page to be sent can be read from a file:</p></div>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>react = { page = "custmized_block_page.html", }</code></pre>\r
+<pre><code>react = { page = "customized_block_page.html", }</code></pre>\r
</div></div>\r
<div class="paragraph"><p>or else the default is used:</p></div>\r
<div class="literalblock">\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>detection.analyzed</strong>: packets sent to detection (sum)\r
+<strong>detection.analyzed</strong>: packets sent to detection (now)\r
</p>\r
</li>\r
<li>\r
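Review bot: changing detection.analyzed from "(sum)" to "(now)" changes the peg's type, not just its description: a "now" peg is reported as the current value and is not accumulated across reporting intervals, so anything that compared detection.analyzed against detection.alerts or the *_searches counters (which remain "(sum)" on the neighbouring lines) will see different numbers. Confirm the PegInfo count type in the detection module was actually changed to match this text, and call the semantic change out in the changelog; the closest existing entry is the perfmon fix for stats after -n, which does not mention it.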
<div class="ulist"><ul>\r
<li>\r
<p>\r
-addr <strong>host_tracker[].IP</strong> = 0.0.0.0/32: hosts address / cidr\r
+addr <strong>host_tracker[].ip</strong> = 0.0.0.0/32: hosts address / cidr\r
</p>\r
</li>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>rule_state.gid</strong> = 0: rule generator ID { 0: }\r
+int <strong>rule_state[].gid</strong> = 0: rule generator ID { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>rule_state.sid</strong> = 0: rule signature ID { 0: }\r
+int <strong>rule_state[].sid</strong> = 0: rule signature ID { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>rule_state.enable</strong> = true: enable or disable rule in all policies\r
+bool <strong>rule_state[].enable</strong> = true: enable or disable rule in all policies\r
</p>\r
</li>\r
</ul></div>\r
</li>\r
<li>\r
<p>\r
+int <strong>snort.--pause-after-n</strong>: <count> pause after count packets, to be used with single packet thread only { 1: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>snort.--parsing-follows-files</strong>: parse relative paths from the perspective of the current configuration file\r
</p>\r
</li>\r
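Review bot: the help text "to be used with single packet thread only" states a precondition but says nothing about what happens when it is violated; unless startup rejects --pause-after-n when more than one packet thread is configured, the packet count is per thread and the pause point is undefined. Either enforce the restriction with a fatal configuration error and say so here, or document the actual multi-thread behaviour. The range is also written as "{ 1: }" in this section but as "(1:)" in the command-line listing later in this patch; the generated docs should use one notation.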
</li>\r
<li>\r
<p>\r
+string <strong>snort.--rule-path</strong>: <path> where to find rules files\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>snort.--rule-to-hex</strong>: output so rule header to stdout for text rule on stdin\r
</p>\r
</li>\r
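Review bot: "--rule-path <path> where to find rules files" under-specifies behaviour that the changelog describes as "load rules from all files under given dir": the help should say whether the walk is recursive and whether every file is treated as rules or only files with a rules extension. Treating every file in a directory as rule input means editor backups, .swp files or anything else written there become rules, which is both a parse-failure risk and a quiet injection path if the directory is writable by anyone but the administrator. Suggest documenting (or adding) the filename filter, and stating whether an unreadable or non-directory path is fatal at startup, given that this build also makes a bad filename non-fatal during reload.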
</li>\r
<li>\r
<p>\r
+bool <strong>appid.tp_appid_stats_enable</strong>: enable collection of stats and print stats on exit in third party module\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>appid.tp_appid_config_dump</strong>: print third party configuration on startup\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
bool <strong>appid.log_all_sessions</strong> = false: enable logging of all appid sessions\r
</p>\r
</li>\r
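Review bot: the two new bool parameters appid.tp_appid_stats_enable and appid.tp_appid_config_dump are listed without a default value, while appid.log_all_sessions immediately below shows "= false"; the generated help only omits the default when the Parameter entry has none, so either add explicit false defaults or confirm the omission is intended. The two also appear here with stats_enable before config_dump, whereas the other listings in this patch sort them alphabetically (config_dump first); the ordering in this section looks off.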
</li>\r
<li>\r
<p>\r
+<strong>133:11</strong> (dce_smb) SMB - remaining NetBIOS data length less than command length\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>133:12</strong> (dce_smb) SMB - remaining NetBIOS data length less than command byte count\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>133:31</strong> (dce_tcp) connection-oriented DCE/RPC - remaining fragment length less than size needed\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>133:32</strong> (dce_tcp) connection-oriented DCE/RPC - no context items specified\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>119:101</strong> (http_inspect) anomalous http server on undefined HTTP port\r
+<strong>119:101</strong> (http_inspect) obsolete event—deleted\r
</p>\r
</li>\r
<li>\r
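Review bot: retiring 119:101 as an "obsolete event" while keeping the SID listed is the right call, since it prevents the number being reused, but nothing in this patch addresses deployed configurations that still reference 119:101 in rule_state, suppress or event_filter entries. The changelog handles the analogous gid 146 case with "snort2lua: comment out deleted gid 146 rules"; a matching snort2lua or documentation note for 119:101 would avoid silently dead entries. The wording also differs from 119:103 ("unused event number") a few lines down; pick one phrasing for retired SIDs.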
plugin function.)</p></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_developers_guide">Developers Guide</h3>\r
-<div class="paragraph"><p>Run doc/dev_guide.sh to generate /tmp/dev_guide.html, an annotated guide to\r
-the source tree.</p></div>\r
-</div>\r
-<div class="sect2">\r
<h3 id="_piglet_test_harness">Piglet Test Harness</h3>\r
<div class="paragraph"><p>In order to assist with plugin development, an experimental mode called "piglet" mode\r
is provided. With piglet mode, you can call individual methods for a specific plugin.\r
</div>\r
</div>\r
</div>\r
+<div class="sect2">\r
+<h3 id="_developers_guide">Developers Guide</h3>\r
+<div class="paragraph"><p>Run doc/dev_guide.sh to generate /tmp/dev_guide.html, an annotated guide to\r
+the source tree.</p></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_performance_considerations_for_developers">Performance Considerations for Developers</h3>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+Since C compilers evaluate compound conditional expression from left to\r
+ right, put the costly condition last. Put the often-false condition first\r
+ in && expression. Put the often-true condition first in || expression.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Use emplace_back/emplace instead of push_back/insert on STL containers.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+In general, unordered_map is faster than map for frequent lookups using\r
+ integer key on relatively static collection of unsorted elements. Whereas,\r
+ map is faster for frequent insertions/deletions/iterations and for\r
+ non-integer key such as string or custom objects. Consider the same factors\r
+ when deciding ordered vs. unordered multimap and set.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Iterate using range-based for loop with reference (i.e., auto&).\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Be mindful of construction and destruction of temporary objects which can\r
+ be wasteful. Consider using std::move, std::swap, lvalue reference (&),\r
+ and rvalue reference (&&).\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Avoid thread-local storage. When unavoidable, minimize frequent TLS access\r
+ by caching it to a local variable.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+When writing inter-library APIs, consider interfaces depending on use cases\r
+ to minimize context switching. For example, if two APIs foo() and bar() are\r
+ needed to call, combine these into a single API to minimize jumps.\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
</div>\r
</div>\r
<div class="sect1">\r
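Review bot: the first bullet attributes left-to-right evaluation to "C compilers", but it is the short-circuit guarantee of && and || in the language (C and C++, and this is a C++ tree), not a compiler property, and the guidance needs a correctness caveat: ordering by cost must never move a guard (null check, length or bounds check) after the operation it protects on the right-hand side, because that is exactly how a cheap-first rewrite turns into an out-of-bounds read. Second, "Avoid thread-local storage" sits in the same patch as the changelog entries "mime: made the mime hdr info and current search thread local" and "move the decode buffer used by mime attachments to mime context data"; either qualify the rule (per-thread state is acceptable when no per-flow context exists) or explain why mime is the exception. Third, "minimize context switching" is the wrong term for the inter-library API point: a call from one shared library into another is an indirect call through the PLT, not a context switch, so say "cross-library call overhead". Fourth, the unordered_map recommendation for integer keys should note that the default std::hash for integers is the identity, so keys taken from the wire (ports, IDs, fragment offsets) let the sender choose the bucket distribution; use map or a salted hash where the key is attacker-influenced. Finally, emplace_back is not a free performance win: it forwards its arguments to the constructor, including explicit ones, so it accepts conversions push_back rejects, and for trivially copyable element types there is no speed difference; present it as a style rule with that caveat, and prefer const auto& in the range-for bullet when the loop does not mutate.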
</li>\r
<li>\r
<p>\r
+<strong>--pause-after-n</strong> <count> pause after count packets, to be used with single packet thread only (1:)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>--parsing-follows-files</strong> parse relative paths from the perspective of the current configuration file\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>--rule-path</strong> <path> where to find rules files\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>--rule-to-hex</strong> output so rule header to stdout for text rule on stdin\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>appid.tp_appid_config_dump</strong>: print third party configuration on startup\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>appid.tp_appid_config</strong>: path to third party appid configuration file\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>appid.tp_appid_stats_enable</strong>: enable collection of stats and print stats on exit in third party module\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>appid.trace</strong>: mask for enabling debug traces in module\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-addr <strong>host_tracker[].IP</strong> = 0.0.0.0/32: hosts address / cidr\r
+addr <strong>host_tracker[].ip</strong> = 0.0.0.0/32: hosts address / cidr\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>rule_state.enable</strong> = true: enable or disable rule in all policies\r
+bool <strong>rule_state[].enable</strong> = true: enable or disable rule in all policies\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>rule_state.gid</strong> = 0: rule generator ID { 0: }\r
+int <strong>rule_state[].gid</strong> = 0: rule generator ID { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>rule_state.sid</strong> = 0: rule signature ID { 0: }\r
+int <strong>rule_state[].sid</strong> = 0: rule signature ID { 0: }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+int <strong>snort.--pause-after-n</strong>: <count> pause after count packets, to be used with single packet thread only { 1: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>snort.--pause</strong>: wait for resume/quit command before processing packets/terminating\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+string <strong>snort.--rule-path</strong>: <path> where to find rules files\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>snort.--rule</strong>: <rules> to be added to configuration; may be repeated\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.analyzed</strong>: packets sent to detection (sum)\r
+<strong>detection.analyzed</strong>: packets sent to detection (now)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>121</strong>: http2_inspect\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>122</strong>: port_scan\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>219</strong>: http2_inspect\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>256</strong>: dpx\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>119:101</strong> (http_inspect) anomalous http server on undefined HTTP port\r
+<strong>119:101</strong> (http_inspect) obsolete event—deleted\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>133:11</strong> (dce_smb) SMB - remaining NetBIOS data length less than command length\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>133:12</strong> (dce_smb) SMB - remaining NetBIOS data length less than command byte count\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>133:31</strong> (dce_tcp) connection-oriented DCE/RPC - remaining fragment length less than size needed\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>133:32</strong> (dce_tcp) connection-oriented DCE/RPC - no context items specified\r
</p>\r
</li>\r
<div id="footnotes"><hr /></div>\r
<div id="footer">\r
<div id="footer-text">\r
-Last updated 2018-08-19 02:32:12 EDT\r
+Last updated 2018-11-07 02:34:08 EST\r
</div>\r
</div>\r
</body>\r
18.3. Inspectors
18.4. Codecs
18.5. IPS Actions
- 18.6. Developers Guide
- 18.7. Piglet Test Harness
- 18.8. Piglet Lua API
+ 18.6. Piglet Test Harness
+ 18.7. Piglet Lua API
+ 18.8. Developers Guide
+ 18.9. Performance Considerations for Developers
19. Coding Style
Snorty
,,_ -*> Snort++ <*-
-o" )~ Version 3.0.0 (Build 246) from 2.9.11
+o" )~ Version 3.0.0 (Build 248) from 2.9.11
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
The page to be sent can be read from a file:
-react = { page = "custmized_block_page.html", }
+react = { page = "customized_block_page.html", }
or else the default is used:
Peg counts:
- * detection.analyzed: packets sent to detection (sum)
+ * detection.analyzed: packets sent to detection (now)
* detection.hard_evals: non-fast pattern rule evaluations (sum)
* detection.raw_searches: fast pattern searches in raw packet data
(sum)
Configuration:
- * addr host_tracker[].IP = 0.0.0.0/32: hosts address / cidr
+ * addr host_tracker[].ip = 0.0.0.0/32: hosts address / cidr
* enum host_tracker[].frag_policy: defragmentation policy { first |
linux | bsd | bsd_right | last | windows | solaris }
* enum host_tracker[].tcp_policy: TCP reassembly policy { first |
Configuration:
- * int rule_state.gid = 0: rule generator ID { 0: }
- * int rule_state.sid = 0: rule signature ID { 0: }
- * bool rule_state.enable = true: enable or disable rule in all
+ * int rule_state[].gid = 0: rule generator ID { 0: }
+ * int rule_state[].sid = 0: rule signature ID { 0: }
+ * bool rule_state[].enable = true: enable or disable rule in all
policies
* implied snort.--nolock-pidfile: do not try to lock Snort PID file
* implied snort.--pause: wait for resume/quit command before
processing packets/terminating
+ * int snort.--pause-after-n: <count> pause after count packets, to
+ be used with single packet thread only { 1: }
* implied snort.--parsing-follows-files: parse relative paths from
the perspective of the current configuration file
* string snort.--pcap-file: <file> file that contains a list of
* implied snort.--process-all-events: process all action groups
* string snort.--rule: <rules> to be added to configuration; may be
repeated
+ * string snort.--rule-path: <path> where to find rules files
* implied snort.--rule-to-hex: output so rule header to stdout for
text rule on stdin
* string snort.--rule-to-text = [SnortFoo]: output plain so rule
library
* string appid.tp_appid_config: path to third party appid
configuration file
+ * bool appid.tp_appid_stats_enable: enable collection of stats and
+ print stats on exit in third party module
+ * bool appid.tp_appid_config_dump: print third party configuration
+ on startup
* bool appid.log_all_sessions = false: enable logging of all appid
sessions
* int appid.trace: mask for enabling debug traces in module
* 133:9 (dce_smb) SMB - zero total data count
* 133:10 (dce_smb) SMB - NetBIOS data length less than SMB header
length
+ * 133:11 (dce_smb) SMB - remaining NetBIOS data length less than
+ command length
* 133:12 (dce_smb) SMB - remaining NetBIOS data length less than
command byte count
* 133:13 (dce_smb) SMB - remaining NetBIOS data length less than
* 133:29 (dce_tcp) connection-oriented DCE/RPC - invalid PDU type
* 133:30 (dce_tcp) connection-oriented DCE/RPC - fragment length
less than header size
+ * 133:31 (dce_tcp) connection-oriented DCE/RPC - remaining fragment
+ length less than size needed
* 133:32 (dce_tcp) connection-oriented DCE/RPC - no context items
specified
* 133:33 (dce_tcp) connection-oriented DCE/RPC -no transfer
* 119:32 (http_inspect) simple request
* 119:33 (http_inspect) unescaped space in HTTP URI
* 119:34 (http_inspect) too many pipelined requests
- * 119:101 (http_inspect) anomalous http server on undefined HTTP
- port
+ * 119:101 (http_inspect) obsolete event—deleted
* 119:102 (http_inspect) invalid status code in HTTP response
* 119:103 (http_inspect) unused event number—should not appear
* 119:104 (http_inspect) HTTP response has UTF charset that failed
associated plugin function.)
-18.6. Developers Guide
-
---------------
-
-Run doc/dev_guide.sh to generate /tmp/dev_guide.html, an annotated
-guide to the source tree.
-
-
-18.7. Piglet Test Harness
+18.6. Piglet Test Harness
--------------
results of each test script.
-18.8. Piglet Lua API
+18.7. Piglet Lua API
--------------
keep the mappings consist, but there are still some differences. They
are documented below.
-18.8.1. Plugin Instances
+18.7.1. Plugin Instances
For each test, piglet instantiates plugin specified in the name field
of the plugin table. The virtual methods of the instance are exposed
Currently, SoRule does not expose any methods.
-18.8.1.1. Interface Objects
+18.7.1.1. Interface Objects
Many of the plugins take C++ classes and structs as arguments. These
objects are exposed to the Lua API as Lua userdata. Exposed objects
by an inspector via Inspector.get_splitter()
+18.8. Developers Guide
+
+--------------
+
+Run doc/dev_guide.sh to generate /tmp/dev_guide.html, an annotated
+guide to the source tree.
+
+
+18.9. Performance Considerations for Developers
+
+--------------
+
+ * Since C compilers evaluate compound conditional expression from
+ left to right, put the costly condition last. Put the often-false
+ condition first in && expression. Put the often-true condition
+ first in || expression.
+ * Use emplace_back/emplace instead of push_back/insert on STL
+ containers.
+ * In general, unordered_map is faster than map for frequent lookups
+ using integer key on relatively static collection of unsorted
+ elements. Whereas, map is faster for frequent insertions/
+ deletions/iterations and for non-integer key such as string or
+ custom objects. Consider the same factors when deciding ordered
+ vs. unordered multimap and set.
+ * Iterate using range-based for loop with reference (i.e., auto&).
+ * Be mindful of construction and destruction of temporary objects
+ which can be wasteful. Consider using std::move, std::swap,
+ lvalue reference (&), and rvalue reference (&&).
+ * Avoid thread-local storage. When unavoidable, minimize frequent
+ TLS access by caching it to a local variable.
+ * When writing inter-library APIs, consider interfaces depending on
+ use cases to minimize context switching. For example, if two APIs
+ foo() and bar() are needed to call, combine these into a single
+ API to minimize jumps.
+
+
---------------------------------------------------------------------
19. Coding Style
* --nolock-pidfile do not try to lock Snort PID file
* --pause wait for resume/quit command before processing packets/
terminating
+ * --pause-after-n <count> pause after count packets, to be used
+ with single packet thread only (1:)
* --parsing-follows-files parse relative paths from the perspective
of the current configuration file
* --pcap-file <file> file that contains a list of pcaps to read -
* --plugin-path <path> where to find plugins
* --process-all-events process all action groups
* --rule <rules> to be added to configuration; may be repeated
+ * --rule-path <path> where to find rules files
* --rule-to-hex output so rule header to stdout for text rule on
stdin
* --rule-to-text output plain so rule header to stdout for text
* bool appid.log_stats = false: enable logging of appid statistics
* int appid.memcap = 0: disregard - not implemented { 0: }
* string appids.~: comma separated list of application names
+ * bool appid.tp_appid_config_dump: print third party configuration
+ on startup
* string appid.tp_appid_config: path to third party appid
configuration file
* string appid.tp_appid_path: path to third party appid dynamic
library
+ * bool appid.tp_appid_stats_enable: enable collection of stats and
+ print stats on exit in third party module
* int appid.trace: mask for enabling debug traces in module
* ip4 arp_spoof.hosts[].ip: host ip address
* mac arp_spoof.hosts[].mac: host mac address
hpux10 | windows | win_2003 | vista | proxy }
* enum host_tracker[].frag_policy: defragmentation policy { first |
linux | bsd | bsd_right | last | windows | solaris }
- * addr host_tracker[].IP = 0.0.0.0/32: hosts address / cidr
+ * addr host_tracker[].ip = 0.0.0.0/32: hosts address / cidr
* string host_tracker[].services[].name: service identifier
* port host_tracker[].services[].port: port number
* enum host_tracker[].services[].proto = tcp: IP protocol { tcp |
* int rpc.~app: application number
* string rpc.~proc: procedure number or * for any
* string rpc.~ver: version number or * for any
- * bool rule_state.enable = true: enable or disable rule in all
+ * bool rule_state[].enable = true: enable or disable rule in all
policies
- * int rule_state.gid = 0: rule generator ID { 0: }
- * int rule_state.sid = 0: rule signature ID { 0: }
+ * int rule_state[].gid = 0: rule generator ID { 0: }
+ * int rule_state[].sid = 0: rule signature ID { 0: }
* string sd_pattern.~pattern: The pattern to search for
* int sd_pattern.threshold: number of matches before alerting { 1 }
* int search_engine.bleedover_port_limit = 1024: maximum ports in
option quick help (same as --help-options) { (optional) }
* implied snort.--parsing-follows-files: parse relative paths from
the perspective of the current configuration file
+ * int snort.--pause-after-n: <count> pause after count packets, to
+ be used with single packet thread only { 1: }
* implied snort.--pause: wait for resume/quit command before
processing packets/terminating
* string snort.--pcap-dir: <dir> a directory to recurse to look for
* string snort.-r: <pcap>… (same as --pcap-list)
* string snort.-R: <rules> include this rules file in the default
policy
+ * string snort.--rule-path: <path> where to find rules files
* string snort.--rule: <rules> to be added to configuration; may be
repeated
* implied snort.--rule-to-hex: output so rule header to stdout for
* detection.alerts: alerts not including IP reputation (sum)
* detection.alt_searches: alt fast pattern searches in packet data
(sum)
- * detection.analyzed: packets sent to detection (sum)
+ * detection.analyzed: packets sent to detection (now)
* detection.body_searches: fast pattern searches in body buffer
(sum)
* detection.cooked_searches: fast pattern searches in cooked packet
* 116: vlan
* 116: wlan
* 119: http_inspect
+ * 121: http2_inspect
* 122: port_scan
* 123: stream_ip
* 124: smtp
* 145: dnp3
* 146: file_id
* 175: domain_filter
- * 219: http2_inspect
* 256: dpx
* 119:32 (http_inspect) simple request
* 119:33 (http_inspect) unescaped space in HTTP URI
* 119:34 (http_inspect) too many pipelined requests
- * 119:101 (http_inspect) anomalous http server on undefined HTTP
- port
+ * 119:101 (http_inspect) obsolete event—deleted
* 119:102 (http_inspect) invalid status code in HTTP response
* 119:103 (http_inspect) unused event number—should not appear
* 119:104 (http_inspect) HTTP response has UTF charset that failed
* 133:9 (dce_smb) SMB - zero total data count
* 133:10 (dce_smb) SMB - NetBIOS data length less than SMB header
length
+ * 133:11 (dce_smb) SMB - remaining NetBIOS data length less than
+ command length
* 133:12 (dce_smb) SMB - remaining NetBIOS data length less than
command byte count
* 133:13 (dce_smb) SMB - remaining NetBIOS data length less than
* 133:29 (dce_tcp) connection-oriented DCE/RPC - invalid PDU type
* 133:30 (dce_tcp) connection-oriented DCE/RPC - fragment length
less than header size
+ * 133:31 (dce_tcp) connection-oriented DCE/RPC - remaining fragment
+ length less than size needed
* 133:32 (dce_tcp) connection-oriented DCE/RPC - no context items
specified
* 133:33 (dce_tcp) connection-oriented DCE/RPC -no transfer