+19/03/31 - build 251
+
+-- ActionManager: actions are tracked per packet for accurate packet suspension
+-- DetectionEngine: make onload safe for reentrance
+-- DetectionEngine: stall when out of contexts
+-- Flow: is_offloaded is now is_suspended
+-- IpsContext: removed useless SUSPENDED_OFFLOAD state
+-- Mpse: Addition and use of offload search method/engine
+-- Mpse: fixed build warning about constness of get_pattern_count
+-- MpseBatch: refactor into separate files
+-- Packet: fixed thread safety in onload flag checks
+-- RegexOffload: onload whatever is ready
+-- RegexOffload: refactor into mode-specific subclasses
+-- appid: Fix for FTP detection with multiline server response split across multiple packets
+-- appid: add unit test to make sure the AppIdServiceStateKey::operator<() is OK and modify
+ existing service cache memcap test to alternate ipv4 and ipv6 addresses.
+-- appid: change the service queue to store map iterators rather than the actual keys, as
+ (a) map iterators are stable and (b) sizeof(map::iterator)=8 while sizeof(key)=28.
+-- appid: compute the size of the memory used for a service cache entry only once, as it is
+ constant, and make it global.
+-- appid: fix AppIdServiceStateKey::operator<().
+-- appid: fix client discovery to only check on the first data packet.
+-- appid: fix comment in client_discovery.cc.
+-- appid: fix double free in service_state_queue and address reviewers comments.
+-- appid: fixup profiling
+-- appid: get rid of the map::find() in MapList::add(), just try to emplace directly.
+-- appid: implement service cache touch(). Must figure out where to call it from.
+-- appid: implement service discovery state queue to honor memcap.
+-- appid: introduce min memcap of 1024 with a default of 1Mb and refactor
+ AppIdServiceState::remove() to accept a ServiceCache_t::iterator rather than ip, proto,
+ port and decrypted.
+-- appid: introduce the do_touch flag to the add/get functions and call those functions with
+ the appropriate flag.
+-- appid: keep cppcheck happy.
+-- appid: more cppcheck clean-up.
+-- appid: pass HostPortKey by reference in HostPortKey::operator<().
+-- appid: put the service_state_cache and the service_state_queue into a class in its own
+ right and refactor the code.
+-- appid: remove forgotten WhereMacro.
+-- appid: rename some global variables in http_url_patterns_test.cc to suppress cppcheck messages.
+-- appid: replace the custom AppIdServiceCacheKey::operator< with memcmp in both service_state.h
+ and host_port_app_cache.cc.
+-- appid: return void in ClientDiscovery::exec_client_detectors() and set client_disco_state to
+ FINISHED in all cases except when the client validate returns APPID_INPROCESS.
+-- appid: set a range for app_stats_period parameter
+-- appid: skip empty detectors
+-- appid: the service queue should be of type AppIdServiceStateKey.
+-- appid: unit test for service cache and call the touch function.
+-- appid: untabify service_state.h and test/service_state_test.cc.
+-- appid: update unit test file.
+-- binder: Reset flow gadget and protocol ID on failed rebinding
+-- binder: store user set ips policy id from lua
+-- build: Add better support for libiconv on systems with iconv-providing libc
+-- build: fix always true warning
+-- build: fix constness warnings
+-- build: fix cppcheck warnings for file_connector, tcp_connector, ports, snort2lua, and
+ piglet_plugins,
+-- build: fix override warning
+-- catch: Update to Catch v2.7.0
+-- cd_tcp: some light refactoring
+-- conf: remove obscure and slow automatic iface var assignments; use Lua instead
+-- config: Use basename_r() function for FreeBSD versions < 12.0.0
+-- control: Avoid deleting objects on write failures so that they get deleted from main thread
+ during read polling
+-- copyright: update year to 2019
+-- cppcheck: fix some basic warnings
+-- dce_rpc: Added support to handle smb header compounding
+-- dce_rpc: Limiting each signature alert to once per session using 'limit_alerts' config
+-- dce_rpc: fix cppcheck warnings
+-- dce_rpc: fix style warning non-boolean returned
+-- decompress: add zip file decompression
+-- detection, snort2lua: added global rule state options for legacy conversions
+-- detection: Add search batching infrastructure
+-- detection: allow suspension of entire chains of contexts
+-- detection: fixed incorrect log messages
+-- detection: only swap offload configs when they change
+-- detection: split fast pattern processing when using context suspension
+-- doc: add a section for reload limitations
+-- doc: update default manuals
+-- doc: update reload limitations - adding/removing stream_*
+-- file: fixed data race at shutdown
+-- file_api: Added nullptr checking to prevent segfaults when file mempool is not configured
+-- file_api: call FileContext::set_file_name() from FileFlows::set_file_name with
+ fname = nullptr, in order to generate file event.
+-- file_api: fail the reload if max_files_cache is changed or if capture was initially enabled
+ and capture_memcap or capture_block_size change
+-- file_api: fix policy lookup
+-- file_capture: refactor max size handling
+-- filters: call get_ips_policy instead of get_network_policy when building the key for
+ rate filter.
+-- flow: Added a support to store generic objects in a stash
+-- flow: support for flow stash - allows storage of integers and strings
+-- flow_control: remove unused session flag
+-- fp_detect: suspend instead of onload if fp_local can't occur yet
+-- hash: Added lru_cache_shared.h to HASH_INCLUDES
+-- hash: Moved list_iter assignment inside to avoid improper memory access in LruCacheShared
+-- http_inspect: disable reg test assertion until interface with stream_tcp is updated
+-- http_inspect: patch around buffer ownership confusion
+-- ips_context: minimize iterations to clear data
+-- ips_options: implement FileTypeOption::hash() and FileTypeOption::operator==(), inherited
+ from IpsOption, using the types bitset array, in order to distinguish between different
+ file type options.
+-- loggers: add alert_talos, use in talos tweak
+-- loggers: alert_talos: fix copyright, author, unneeded check
+-- loggers: alert_talos: fix copyright, warnings
+-- loggers: alert_talos: fix cppcheck error
+-- loggers: alert_talos: fix include order
+-- loggers: alert_talos: fix memory leak
+-- loggers: workaround for cppcheck's false warning
+-- lua: make RTF file magic more generic
+-- main: log message when all pthreads started (REG_TEST only)
+-- main: shell commands and signals executed only after snort finish startup
+-- memory: Use only one variable to keep track of allocated and deallocated memory
+-- memory: add configurable L3/L4 specific weights for better estimation against cap
+-- memory: add size_of to various FlowData subclasses
+-- memory: apply fudge factor to tracking to better align with RSS
+-- memory: basic flow data allocation tracking
+-- memory: basic flow pruning
+-- memory: beware the perf_monitor, for she stealeth your numbers
+-- memory: do not re-enter the pruner
+-- memory: fix re-entry check
+-- memory: increase default tcp cache cap weight; fix default values
+-- memory: initial preemptive pruning based on flow data
+-- memory: refactor stats
+-- memory: remove overloading manager to make way for new implementation
+-- memory: remove useless thread local
+-- memory: require subclass implementation of FlowData::size_of()
+-- memory: track session allocations
+-- mime: add file decompression
+-- misc: fixed warnings generated from latest gcc
+-- packet tracer: initialize sf_ip structs
+-- policy: allow an empty policy be set explicitly
+ assigned to it.
+-- policy: Rename TRUE/FALSE to ENABLE/DISABLED
+-- port_scan: Fail reload if memcap changed
+-- profile: convert remaining layer 2 or greater profile scopes to the deep, dark underbelly
+-- profiler: add quick exit if not configured to minimize overhead
+-- profiler: add quick exit if not configured to minimize overhead (rule times)
+-- protocols: fix style warning non-boolean value returned
+-- react: sending reset to server only
+-- regex_offload: fix stats for thread
+-- reload: differentiate between restart required and bad config
+-- reload: fail reload if stream is in the original config and stream_* is added/removed
+-- reload: prompt reload failure and require restart when stream cache were changed
+-- reload: send reload completed message to control channel instead of logging it
+-- rule eval: ensure leaf children are properly counted
+-- rule_state: add rtn but disable if block is set on non-inline deployment
+-- rule_state: added default rule state to ips policy
+-- rule_state: added per-ips-policy rule states
+-- rules: do not preallocate actions
+-- safec: Update to work with modern versions of LibSafeC
+-- sfip: add a FIXIT for checking that the current implementation of _is_lesser(), which only
+ compares same-family ips is OK.
+-- sip: update sip options to use has_tcp_data instead of is_tcp
+-- snort2lua: Create dev_notes.txt for sticky buffers
+-- snort2lua: adding when.role for specific inspectors
+-- snort2lua: change the -l short option to --dont-convert-max-sessions.
+-- snort2lua: combining multiple zone in one binder rule
+-- snort2lua: comment gid 147 file rules
+-- snort2lua: convert file_capture config options
+-- snort2lua: do generate the tcp_cache instance even when we don't convert tcp_max to
+ max_sessions.
+-- snort2lua: do not translate max_sessions from snort.conf to snort.lua.
+-- snort2lua: fix pcre option issues
+-- snort2lua: fix sticky buffer duplication
+-- snort2lua: fixed duplication of split_any_any from config: detection
+-- snort2lua: introduce command line option -l to suppress conversion of max_tcp, max_udp,
+ max_icmp and max_ip to max_sessions.
+-- snort2lua: move obfuscate_pii to the ips table from the output table.
+-- snort_config: Add a setter for setting run_flags and set it to TRACK_ON_SYN for hs_timeout
+ config
+-- ssl: Count calls to disable_content for ssl sessions
+-- stream: Change StreamSplitter::scan to take a Packet instead of a Flow.
+-- stream: Pass Packet in flush_pdu_* -> paf_eval -> paf_callback chain.
+-- stream: fixed ignore_flow segfault bug caused by allocating generic flow data instead of
+ inspector specific flow data
+-- stream: log StreamBase::config in StreamBase::show().
+-- stream: purge remaining flows before shutdown counts
+-- stream_tcp: add track_only to disable reassembly
+-- stream_tcp: consolidate segment node and data
+-- stream_tcp: disambiguate seglist trace
+-- stream_tcp: do not purge partially acked segment
+-- stream_tcp: fix up stream order flags
+-- stream_tcp: fixup allocation tracking for overlapped segments
+-- stream_tcp: implement reserve seglist
+-- stream_tcp: initialize priv_ptr for pdus
+-- stream_tcp: patch around premature application of delayed actions that yoink the seglist
+-- stream_tcp: remove seglist node cruft
+-- stream_tcp: reset paf segment when switching splitters
+-- stream_tcp: simplify paf init
+-- stream_tcp: support unidirectional flushing similar to Snort 2
+-- stream_tcp: tweak PAF scanning
+-- stream_tcp: tweak ips mode flushing
+-- stream_udp: ensure all flows are cleared fully
+-- time: Adding timersub_ms function to return timersub in milliseconds
+
18/12/06 - build 250
-- actions: Fix incorrect order of IPS reject unreachable codes and adding forward option
-- build: fix some int type conversion warnings
-- build: reduce variable scope to address warnings
-- detection: enable offloading non-pdu packets
--- detection, stream: fixed assuming packets were offloaded when previous packets on flow have been offloaded
+-- detection, stream: fixed assuming packets were offloaded when previous packets on flow have
+ been offloaded
-- file_api: choose whether to get file config from current config or staged one
-- file: fail the reload if capture is enabled for the first time
-- framework: Clone databus to new config during module reload
-- perf_monitor: Actually allow building perf_monitor as a dynamic plugin
-- perf_monitor: fix benign parameter errors
-- perf_monitor: fixed fbs schema generation when not building with DEBUG
--- protocols: add vlan_idx field to Packet struct and handle multiple vlan type ids; thanks to ymansour for reporting the issue
+-- protocols: add vlan_idx field to Packet struct and handle multiple vlan type ids;
+ thanks to ymansour for reporting the issue
-- regex worker: removed assert that didn't handle locks cleanly
--- reputation: Fix iterations of layers for different nested_ip configs and show the blacklisted IP in events
+-- reputation: Fix iterations of layers for different nested_ip configs and show the
+ blacklisted IP in events
-- sip: Added sanity check for buffer boundary while parsing a sip message
-- snort2lua: add code to output control = forward under the reject module
-- snort2lua: Fix compiler warning for catching exceptions by value
-- snort2lua: Fix pcre H and P option conversions for sip
-- snort: add --help-limits to output max* values
-- snort: Default to a snaplen of 1518
--- snort: fix command line parameters to support setting in Lua; thanks to Meridoff <oagvozd@gmail.com> for reporting the issue
--- snort: remove obsolete and inadequate -W option; thanks to Jaime González <jaimeglz1952@gmail.com> for reporting the issue
--- snort: terminate gracefully upon DAQ start failure; thanks to Jaime González <jaimeglz1952@gmail.com> for reporting the issue
+-- snort: fix command line parameters to support setting in Lua;
+ thanks to Meridoff <oagvozd@gmail.com> for reporting the issue
+-- snort: remove obsolete and inadequate -W option;
+ thanks to Jaime González <jaimeglz1952@gmail.com> for reporting the issue
+-- snort: terminate gracefully upon DAQ start failure;
+ thanks to Jaime González <jaimeglz1952@gmail.com> for reporting the issue
-- so rules: add robust stub parsing
-- stream: fixed stream_base flow peg count sum_stats bug
-- stream tcp: fixed applying post-inspection operations to wrong rebuilt packet
-- stream tcp: fixed sequence overlap handling when working with empty seglist
-- style: clean up comment to reduce spelling exceptions
-- thread: No more breaks for pigs (union busting)
--- tools: Install appid-detector-builder.sh with the other tools; thanks to Jonathan McDowell <noodles-github@earth.li> for reporting the issue
+-- tools: Install appid-detector-builder.sh with the other tools;
+ thanks to Jonathan McDowell <noodles-github@earth.li> for reporting the issue
18/11/07 - build 249
-- dcerpc: fixed setting endianness on one packet and checking on another
-- detection : add function to clear ips_id from unit tests
-- detectionengine: Only clear inspector data after offloads have completed
--- detection/http_inspect: Save a snapshot HTTP buffers in the IPS context to support offload of HTTP flows
+-- detection/http_inspect: Save a snapshot HTTP buffers in the IPS context to support offload
+ of HTTP flows
-- doc: Adding performance consideration for developers
-- file_api: revert deleting gid 146 so existing 146 rulesets dont attempt empty rule eval
-- fixits: prioritize for RC
-- flow: fixed build warning
-- flow: track multiple offloads
-- fp_detect: onload before running local to ensure event ordering
--- framework: replace the newly introduced loop to reset the reload_type flags with the existing Inspector::update_policy function
--- framework: set the reload_type flags to RELOAD_TYPE_NONE at the end of reload, in anticipation of future reloads.
+-- framework: replace the newly introduced loop to reset the reload_type flags with the
+ existing Inspector::update_policy function
+-- framework: set the reload_type flags to RELOAD_TYPE_NONE at the end of reload, in
+ anticipation of future reloads.
-- host_tracker: fixed uppcase IP param issue
-- http2_inspect: Change http2 GID from 219 to 121
-- ips_flowbits: move static structures to snort config
-- perfmon: fix issue for report correct stats after passing -n pkts
-- perf_monitor: trackers keep copy of the relevant config items from the inspector
-- reload: fixed smtp seg fault when reload failed
--- reputation: delete old conf before allocating a new one in ReputationModule::begin() if conf not null
+-- reputation: delete old conf before allocating a new one in ReputationModule::begin() if
+ conf not null
-- rule_state: indicate list format
-- search_tool: include bytes searched in pattern match stats
-- search_tool: validate ac_full and ac_bnfa wrt search and search_all
-- snort2lua: Add support for enable/disable iprep logging using suppress mechanism
-- snort2lua: Avoid returning reference of local variable
-- snort2lua: comment out deleted gid 146 rules
--- snort2lua: Enable address_anomaly_detection during snort2lua and fixed missing string sanity checks
+-- snort2lua: Enable address_anomaly_detection during snort2lua and fixed missing string
+ sanity checks
-- snort2lua: fixed paf_max to stream_tcp.max_pdu convertion
-- snort2lua: tweak for style consistency
-- snort: add --rule-path to load rules from all files under given dir
--- snort: Code refactoring - replacing push_back/insert by emplace_back/emplace, keeping reputation_id in flow instead of flow_data, and appid code improvements
+-- snort: Code refactoring - replacing push_back/insert by emplace_back/emplace, keeping
+ reputation_id in flow instead of flow_data, and appid code improvements
-- source: fix some typos
-- source: minor refactoring
-- spell: fix typo
-- appid: change metadata buffers from std::string to pointers, to avoid extra copying
-- appid: clean-up code for performance and implement is_tp_processing_done()
-- appid: create referer object only for non-null string
--- appid: do not inspect out-of-order flows, ignore zero-payload packets for client/service discovery
+-- appid: do not inspect out-of-order flows, ignore zero-payload packets for client/service
+ discovery
-- appid: fix memory leak in appid_http_event_test and warning in appid_http_session.cc
-- appid: fix segfault due to dereferencing null host pointer.
-- appid: fix tabs and indentation
-- appid: fixed http fields, referer payload and appid debug
-- appid: make tp_attribute_data more localized, so we only allocate/deallocate it if needed.
-- appid: moved HttpFieldIds to appid_http_session
--- appid: peg count / dynamic peg count update. Split peg counts into the ones known at compile time and dynamic ones. Update stats , module manager and module to support dumping dynamic stats.
+-- appid: peg count / dynamic peg count update. Split peg counts into the ones known at
+ compile time and dynamic ones. Update stats , module manager and module to support
+ dumping dynamic stats.
-- appid: report when third party appid is done inspecting
-- appid: sip: moved pattern thread local to class instance
-- base64_decode: moved buffer storage to regular heap
-- byte_jump: fix from_beginning
-- byte_math: allow rvalue == 0 except for division
-- catch: Update to Catch v2.2.1
--- clock: Allow use of ARM64 CNTVCT_EL0 register for timing (#46); thanks to j.mcdowell@titan-ic.com for the patch.
+-- clock: Allow use of ARM64 CNTVCT_EL0 register for timing (#46);
+ thanks to j.mcdowell@titan-ic.com for the patch.
-- clock: use uint64_t with tsc clock instead of std::chrono for performance
-- cmake: Add --enable-appid-third-party to configure_cmake.sh
-- cmake: Add support for building with tcmalloc
-- cmake: update for iconv
-- codecs: add config option to detection to enable check and alert for address anomalies
-- daq_hext: Make IpAddr() static to fix compiler warning
--- dce_co_process_ctx_id needs to update its caller's (DCE2_CoCtxReq) frag_ptr as it is called in a loop in order to parse each dce/rpc ctx item, otherwise it ends up parsing the same ctx item over and over.
+-- dce_co_process_ctx_id needs to update its caller's (DCE2_CoCtxReq) frag_ptr as it is
+ called in a loop in order to parse each dce/rpc ctx item, otherwise it ends up parsing
+ the same ctx item over and over.
-- dce_rpc: fix parsing of dce/rpc ctx items
-- dce_rpc: pass frag_ptr by reference
-- debug: Remove debug messages from appid, arp_spoof, and perf_monitor
-- snort2lua: enable reject action when firewall is enabled
-- snort: -r- will read packets from stdin
-- spell check: fix memeory and indicies typos
--- steam_tcp: change singleton names from linux to new_linux to avoid spurious collisions with defines
+-- steam_tcp: change singleton names from linux to new_linux to avoid spurious collisions
+ with defines
-- stream ip: refactored to use MemoryManager allocators
-- stream: assume gid 135 so those rules are handled as standard builtins
-- stream: be selective about flow creation for scans
-- stream: remove usused ignore_any_rules from tcp and udp
-- stream: respect tcp require_3whs
-- stream: warning: potential memory leaks
--- stream_tcp: refactor tcp normalizer and reassembler to eliminate dynamic heap allocations per flow
+-- stream_tcp: refactor tcp normalizer and reassembler to eliminate dynamic heap allocations
+ per flow
-- stream_tcp: switch to splitter max
-- stream_tcp: tweak seglist cursor handling
-- target_based: 100% coverage on snort_protocols.cc
-- target_based: unit tests for ProtocolReference class
--- tcp codec: count bad ip6 checksums correctly; thanks to j.mcdowell@titan-ic.com for reporting the issue
+-- tcp codec: count bad ip6 checksums correctly; thanks to j.mcdowell@titan-ic.com for reporting
+ the issue
-- tcp: allow data handlding for packet with invalid ack
-- time: initialize Stopwatch::start_time member variable to 0 ticks when TSC clock is enabled
-- trace: add traces for deleted debug messages
-- perf_monitor: query modules for stats only after they have all loaded
-- snort: --rule-to-text [<delim>] raw string output
-- snort: allow colon separated directories for --daq-dir
--- snort: wrap SO_PUBLIC APIs (classes, functions exported public from snort) in the 'snort' namespace
+-- snort: wrap SO_PUBLIC APIs (classes, functions exported public from snort) in the 'snort'
+ namespace
18/02/12 - build 243
-- appid: gracefully handle failed Lua state instantiation
thanks to Noah Dietrich <noah_dietrich@86penny.org> for reporting the issue.
-- appid: only update session flags and discovery state if service id actually set to http
--- appid: patch to update the appid discovery state when an http event results in setting of the service id for a flow
+-- appid: patch to update the appid discovery state when an http event results in setting of the
+ service id for a flow
-- appid: return false from is_third_party_appid_available when no third party module is available.
-- appid: tweak warnings and errors
-- binder: activate profiler support
-- snort2lua: remove when udp from binding to support tcp too
-- snort2lua: tweak const name for clarity (internal)
-- snort2lua: urilen:<> --> bufferlen:<=>
--- snort: do not dlclose plugins at shutdown during REG_TEST to avoid borked backtraces from LeakSanitizer
+-- snort: do not dlclose plugins at shutdown during REG_TEST to avoid borked backtraces
+ from LeakSanitizer
-- soid: allow stub to contain any or all options
-- --rule-to-*: use whole soid arg as suffix to rule and len identifiers; make static
-- stream: change tcp idle timeout to 3600 to match 2.X nominal timeout
-- build: fixed issues on OSX
-- catch: update to Catch v1.10.0
-- cd_icmp6: fix encoded cksum calculation
--- cd_pbb: initial version of codec for 802.1ah; thanks to jan hugo prins <jhp@jhprins.org> for reporting the issue
+-- cd_pbb: initial version of codec for 802.1ah; thanks to jan hugo prins <jhp@jhprins.org> for
+ reporting the issue
-- cd_pflog: fix comments; thanks to Markus Lude <markus.lude@gmx.de> for the 2X patch
-- content: fix relative loop condition
-- control: delete the old binder while reloading inspector
-- doc: add POP, IMAP and SMTP to user manual features
-- doc: add port scan feature
-- flow key: support associating router solicit/reply packets to a single session
--- http_inspect: HTTP headers no longer avoid detection when message unexpectedly ends after status line or headers
+-- http_inspect: HTTP headers no longer avoid detection when message unexpectedly ends after
+ status line or headers
-- http_inspect: add random increment to message body division points
-- http_inspect: added http_raw_buffer rule option
--- http_inspect: create message sections with body data that has been dechunked and unzipped but not otherwise nortmalized
--- http_inspect: handle borked reassembly gracefully; thanks to João Soares <joaopsys@gmail.com> for reporting the issue
+-- http_inspect: create message sections with body data that has been dechunked and unzipped but
+ not otherwise nortmalized
+-- http_inspect: handle borked reassembly gracefully;
+ thanks to João Soares <joaopsys@gmail.com> for reporting the issue
-- http_inspect: support for u2 extra data logging
-- http_inspect: test tool improvements
-- http_inspect: true IP enhancements
+<?xml version="1.0" encoding="UTF-8"?>\r
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"\r
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">\r
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">\r
<head>\r
<meta http-equiv="Content-Type" content="application/xhtml+xml; charset=UTF-8" />\r
-<meta name="generator" content="AsciiDoc 8.6.8" />\r
+<meta name="generator" content="AsciiDoc 8.6.10" />\r
<title>Snort 3 User Manual</title>\r
<style type="text/css">\r
/* Shared CSS for AsciiDoc xhtml11 and html5 backends */\r
padding: 0;\r
margin: 0;\r
}\r
-\r
+pre {\r
+ white-space: pre-wrap;\r
+}\r
\r
#author {\r
color: #527bbd;\r
}\r
\r
div.imageblock div.content { padding-left: 0; }\r
-span.image img { border-style: none; }\r
+span.image img { border-style: none; vertical-align: text-bottom; }\r
a.image:visited { color: white; }\r
\r
dl {\r
<div class="literalblock">\r
<div class="content">\r
<pre><code> ,,_ -*> Snort++ <*-\r
-o" )~ Version 3.0.0 (Build 250) from 2.9.11\r
+o" )~ Version 3.0.0 (Build 251) from 2.9.11\r
'''' By Martin Roesch & The Snort Team\r
http://snort.org/contact#team\r
- Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.\r
+ Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.\r
Copyright (C) 1998-2013 Sourcefire, Inc., et al.</code></pre>\r
</div></div>\r
<div id="toc">\r
</li>\r
<li>\r
<p>\r
-safec from <a href="https://sourceforge.net/projects/safeclib/">https://sourceforge.net/projects/safeclib/</a> for runtime bounds\r
+safec from <a href="https://github.com/rurban/safeclib/">https://github.com/rurban/safeclib/</a> for runtime bounds\r
checks on certain legacy C-library calls\r
</p>\r
</li>\r
<div class="paragraph"><p>Snort uses the C operators for each of these operators. If the &\r
operator is used, then it would be the same as using</p></div>\r
<div class="listingblock">\r
-<div class="content"><!-- Generator: GNU source-highlight 3.1.8\r
+<div class="content"><!-- Generator: GNU source-highlight\r
by Lorenzo Bettini\r
http://www.lorenzobettini.it\r
http://www.gnu.org/software/src-highlite -->\r
<div class="paragraph"><p><em>!</em> operator negates the results from the base check. <em>!<oper></em> is\r
considered as</p></div>\r
<div class="listingblock">\r
-<div class="content"><!-- Generator: GNU source-highlight 3.1.8\r
+<div class="content"><!-- Generator: GNU source-highlight\r
by Lorenzo Bettini\r
http://www.lorenzobettini.it\r
http://www.gnu.org/software/src-highlite -->\r
</li>\r
<li>\r
<p>\r
-bool <strong>alerts.default_rule_state</strong> = true: enable or disable ips rules\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>alerts.detection_filter_memcap</strong> = 1048576: set available MB of memory for detection_filters { 0:max32 }\r
</p>\r
</li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>classifications[].name</strong>: name used with classtype rule option\r
+string <strong><code>classifications[].name</code></strong>: name used with classtype rule option\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>classifications[].priority</strong> = 1: default priority for class { 0:max32 }\r
+int <strong><code>classifications[].priority</code></strong> = 1: default priority for class { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>classifications[].text</strong>: description of class\r
+string <strong><code>classifications[].text</code></strong>: description of class\r
</p>\r
</li>\r
</ul></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>daq.module_dirs[].str</strong>: string parameter\r
+string <strong><code>daq.module_dirs[].str</code></strong>: string parameter\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>daq.variables[].str</strong>: string parameter\r
+string <strong><code>daq.variables[].str</code></strong>: string parameter\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>daq.instances[].id</strong>: instance ID (required) { 0:max32 }\r
+int <strong><code>daq.instances[].id</code></strong>: instance ID (required) { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>daq.instances[].input_spec</strong>: input specification\r
+string <strong><code>daq.instances[].input_spec</code></strong>: input specification\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>daq.instances[].variables[].str</strong>: string parameter\r
+string <strong><code>daq.instances[].variables[].str</code></strong>: string parameter\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>detection.global_default_rule_state</strong> = true: enable or disable rules by default (overridden by ips policy settings)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>detection.global_rule_state</strong> = false: apply rule_state against all policies\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>detection.offload_limit</strong> = 99999: minimum sizeof PDU to offload fast pattern search (defaults to disabled) { 0:max32 }\r
</p>\r
</li>\r
<strong>detection.alert_limit</strong>: events previously triggered on same PDU (sum)\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+<strong>detection.context_stalls</strong>: times processing stalled to wait for an available context (sum)\r
+</p>\r
+</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>event_filter[].gid</strong> = 1: rule generator ID { 0:max32 }\r
+int <strong><code>event_filter[].gid</code></strong> = 1: rule generator ID { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>event_filter[].sid</strong> = 1: rule signature ID { 0:max32 }\r
+int <strong><code>event_filter[].sid</code></strong> = 1: rule signature ID { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>event_filter[].type</strong>: 1st count events | every count events | once after count events { limit | threshold | both }\r
+enum <strong><code>event_filter[].type</code></strong>: 1st count events | every count events | once after count events { limit | threshold | both }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>event_filter[].track</strong>: filter only matching source or destination addresses { by_src | by_dst }\r
+enum <strong><code>event_filter[].track</code></strong>: filter only matching source or destination addresses { by_src | by_dst }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>event_filter[].count</strong> = 0: number of events in interval before tripping; -1 to disable { -1:max31 }\r
+int <strong><code>event_filter[].count</code></strong> = 0: number of events in interval before tripping; -1 to disable { -1:max31 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>event_filter[].seconds</strong> = 0: count interval { 0:max32 }\r
+int <strong><code>event_filter[].seconds</code></strong> = 0: count interval { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>event_filter[].ip</strong>: restrict filter to these addresses according to track\r
+string <strong><code>event_filter[].ip</code></strong>: restrict filter to these addresses according to track\r
</p>\r
</li>\r
</ul></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>host_cache[].size</strong>: size of host cache { 1:max32 }\r
+int <strong><code>host_cache[].size</code></strong>: size of host cache { 1:max32 }\r
</p>\r
</li>\r
</ul></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-addr <strong>host_tracker[].ip</strong> = 0.0.0.0/32: hosts address / cidr\r
+addr <strong><code>host_tracker[].ip</code></strong> = 0.0.0.0/32: hosts address / cidr\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>host_tracker[].frag_policy</strong>: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris }\r
+enum <strong><code>host_tracker[].frag_policy</code></strong>: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>host_tracker[].tcp_policy</strong>: TCP reassembly policy { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }\r
+enum <strong><code>host_tracker[].tcp_policy</code></strong>: TCP reassembly policy { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>host_tracker[].services[].name</strong>: service identifier\r
+string <strong><code>host_tracker[].services[].name</code></strong>: service identifier\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>host_tracker[].services[].proto</strong> = tcp: IP protocol { tcp | udp }\r
+enum <strong><code>host_tracker[].services[].proto</code></strong> = tcp: IP protocol { tcp | udp }\r
</p>\r
</li>\r
<li>\r
<p>\r
-port <strong>host_tracker[].services[].port</strong>: port number\r
+port <strong><code>host_tracker[].services[].port</code></strong>: port number\r
</p>\r
</li>\r
</ul></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-addr <strong>hosts[].ip</strong> = 0.0.0.0/32: hosts address / CIDR\r
+addr <strong><code>hosts[].ip</code></strong> = 0.0.0.0/32: hosts address / CIDR\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>hosts[].frag_policy</strong>: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris }\r
+enum <strong><code>hosts[].frag_policy</code></strong>: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>hosts[].tcp_policy</strong>: TCP reassembly policy { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }\r
+enum <strong><code>hosts[].tcp_policy</code></strong>: TCP reassembly policy { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>hosts[].services[].name</strong>: service identifier\r
+string <strong><code>hosts[].services[].name</code></strong>: service identifier\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>hosts[].services[].proto</strong> = tcp: IP protocol { tcp | udp }\r
+enum <strong><code>hosts[].services[].proto</code></strong> = tcp: IP protocol { tcp | udp }\r
</p>\r
</li>\r
<li>\r
<p>\r
-port <strong>hosts[].services[].port</strong>: port number\r
+port <strong><code>hosts[].services[].port</code></strong>: port number\r
</p>\r
</li>\r
</ul></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
+enum <strong>ips.default_rule_state</strong> = inherit: enable or disable ips rules { false | true | inherit }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
bool <strong>ips.enable_builtin_rules</strong> = false: enable events from builtin rules w/o stubs\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>ips.obfuscate_pii</strong> = false: mask all but the last 4 characters of credit card and social security numbers\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>ips.uuid</strong> = 00000000-0000-0000-0000-000000000000: IPS policy uuid\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>memory.soft</strong> = false: always succeed in allocating memory, even if above the cap\r
+int <strong>memory.threshold</strong> = 0: set the per-packet-thread threshold for preemptive cleanup actions (percent, 0 to disable) { 0:100 }\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+<strong>memory.allocations</strong>: total number of allocations (now)\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>memory.threshold</strong> = 0: set the per-packet-thread threshold for preemptive cleanup actions (percent, 0 to disable) { 0:100 }\r
+<strong>memory.deallocations</strong>: total number of deallocations (now)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>memory.allocated</strong>: total amount of memory allocated (now)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>memory.deallocated</strong>: total amount of memory allocated (now)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>memory.reap_attempts</strong>: attempts to reclaim memory (now)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>memory.reap_failures</strong>: failures to reclaim memory (now)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>memory.max_in_use</strong>: highest allocated - deallocated (max)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>memory.total_fudge</strong>: sum of all adjustments (now)\r
</p>\r
</li>\r
</ul></div>\r
</li>\r
<li>\r
<p>\r
-bool <strong>output.obfuscate</strong> = false: obfuscate the logged IP addresses (same as -O)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>output.obfuscate_pii</strong> = false: mask all but the last 4 characters of credit card and social security numbers\r
+bool <strong>output.show_year</strong> = false: include year in timestamp in the alert and log files (same as -y)\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>output.show_year</strong> = false: include year in timestamp in the alert and log files (same as -y)\r
+int <strong>output.tagged_packet_limit</strong> = 256: maximum number of packets tagged for non-packet metrics { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>output.tagged_packet_limit</strong> = 256: maximum number of packets tagged for non-packet metrics { 0:max32 }\r
+bool <strong>output.verbose</strong> = false: be verbose (same as -v)\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>output.verbose</strong> = false: be verbose (same as -v)\r
+bool <strong>output.obfuscate</strong> = false: obfuscate the logged IP addresses (same as -O)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>process.threads[].cpuset</strong>: pin the associated thread to this cpuset\r
+string <strong><code>process.threads[].cpuset</code></strong>: pin the associated thread to this cpuset\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>process.threads[].thread</strong> = 0: set cpu affinity for the <cur_thread_num> thread that runs { 0:65535 }\r
+int <strong><code>process.threads[].thread</code></strong> = 0: set cpu affinity for the <cur_thread_num> thread that runs { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>rate_filter[].gid</strong> = 1: rule generator ID { 0:max32 }\r
+int <strong><code>rate_filter[].gid</code></strong> = 1: rule generator ID { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>rate_filter[].sid</strong> = 1: rule signature ID { 0:max32 }\r
+int <strong><code>rate_filter[].sid</code></strong> = 1: rule signature ID { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>rate_filter[].track</strong> = by_src: filter only matching source or destination addresses { by_src | by_dst | by_rule }\r
+enum <strong><code>rate_filter[].track</code></strong> = by_src: filter only matching source or destination addresses { by_src | by_dst | by_rule }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>rate_filter[].count</strong> = 1: number of events in interval before tripping { 0:max32 }\r
+int <strong><code>rate_filter[].count</code></strong> = 1: number of events in interval before tripping { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>rate_filter[].seconds</strong> = 1: count interval { 0:max32 }\r
+int <strong><code>rate_filter[].seconds</code></strong> = 1: count interval { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>rate_filter[].new_action</strong> = alert: take this action on future hits until timeout { log | pass | alert | drop | block | reset }\r
+enum <strong><code>rate_filter[].new_action</code></strong> = alert: take this action on future hits until timeout { log | pass | alert | drop | block | reset }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>rate_filter[].timeout</strong> = 1: count interval { 0:max32 }\r
+int <strong><code>rate_filter[].timeout</code></strong> = 1: count interval { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>rate_filter[].apply_to</strong>: restrict filter to these addresses according to track\r
+string <strong><code>rate_filter[].apply_to</code></strong>: restrict filter to these addresses according to track\r
</p>\r
</li>\r
</ul></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>references[].name</strong>: name used with reference rule option\r
+string <strong><code>references[].name</code></strong>: name used with reference rule option\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>references[].url</strong>: where this reference is defined\r
+string <strong><code>references[].url</code></strong>: where this reference is defined\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
<h3 id="_rule_state">rule_state</h3>\r
-<div class="paragraph"><p>What: enable/disable specific IPS rules</p></div>\r
+<div class="paragraph"><p>What: enable/disable and set actions for specific IPS rules</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>rule_state[].gid</strong> = 0: rule generator ID { 0:max32 }\r
+enum <strong><code>rule_state.([0-9]+):([0-9]+).action</code></strong> = inherit: apply action if rule matches or inherit from rule definition { log | pass | alert | drop | block | reset | inherit }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>rule_state[].sid</strong> = 0: rule signature ID { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>rule_state[].enable</strong> = true: enable or disable rule in all policies\r
+enum <strong><code>rule_state.([0-9]+):([0-9]+).enable</code></strong> = inherit: enable or disable rule in current ips policy or use default defined by ips policy { false | true | inherit }\r
</p>\r
</li>\r
</ul></div>\r
</li>\r
<li>\r
<p>\r
+dynamic <strong>search_engine.offload_search_method</strong>: set fast pattern offload algorithm - choose available search engine { ac_banded | ac_bnfa | ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan | lowmem }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
bool <strong>search_engine.search_optimize</strong> = true: tweak state machine construction for better performance\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-string <strong>side_channel.connectors[].connector</strong>: connector handle\r
+string <strong><code>side_channel.connectors[].connector</code></strong>: connector handle\r
</p>\r
</li>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>suppress[].gid</strong> = 0: rule generator ID { 0:max32 }\r
+int <strong><code>suppress[].gid</code></strong> = 0: rule generator ID { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>suppress[].sid</strong> = 0: rule signature ID { 0:max32 }\r
+int <strong><code>suppress[].sid</code></strong> = 0: rule signature ID { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>suppress[].track</strong>: suppress only matching source or destination addresses { by_src | by_dst }\r
+enum <strong><code>suppress[].track</code></strong>: suppress only matching source or destination addresses { by_src | by_dst }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>suppress[].ip</strong>: restrict suppression to these addresses according to track\r
+string <strong><code>suppress[].ip</code></strong>: restrict suppression to these addresses according to track\r
</p>\r
</li>\r
</ul></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>appid.memcap</strong> = 0: disregard - not implemented { 0:maxSZ }\r
+int <strong>appid.memcap</strong> = 1048576: max size of the service cache before we start pruning the cache { 1024:maxSZ }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>appid.app_stats_period</strong> = 300: time period for collecting and logging appid statistics { 0:max32 }\r
+int <strong>appid.app_stats_period</strong> = 300: time period for collecting and logging appid statistics { 1:max32 }\r
</p>\r
</li>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-ip4 <strong>arp_spoof.hosts[].ip</strong>: host ip address\r
+ip4 <strong><code>arp_spoof.hosts[].ip</code></strong>: host ip address\r
</p>\r
</li>\r
<li>\r
<p>\r
-mac <strong>arp_spoof.hosts[].mac</strong>: host mac address\r
+mac <strong><code>arp_spoof.hosts[].mac</code></strong>: host mac address\r
</p>\r
</li>\r
</ul></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>binder[].when.ips_policy_id</strong> = 0: unique ID for selection of this config by external logic { 0:max32 }\r
+int <strong><code>binder[].when.ips_policy_id</code></strong> = 0: unique ID for selection of this config by external logic { 0:max32 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bit_list <strong><code>binder[].when.ifaces</code></strong>: list of interface indices { 255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bit_list <strong>binder[].when.ifaces</strong>: list of interface indices { 255 }\r
+bit_list <strong><code>binder[].when.vlans</code></strong>: list of VLAN IDs { 4095 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bit_list <strong>binder[].when.vlans</strong>: list of VLAN IDs { 4095 }\r
+addr_list <strong><code>binder[].when.nets</code></strong>: list of networks\r
</p>\r
</li>\r
<li>\r
<p>\r
-addr_list <strong>binder[].when.nets</strong>: list of networks\r
+addr_list <strong><code>binder[].when.src_nets</code></strong>: list of source networks\r
</p>\r
</li>\r
<li>\r
<p>\r
-addr_list <strong>binder[].when.src_nets</strong>: list of source networks\r
+addr_list <strong><code>binder[].when.dst_nets</code></strong>: list of destination networks\r
</p>\r
</li>\r
<li>\r
<p>\r
-addr_list <strong>binder[].when.dst_nets</strong>: list of destination networks\r
+enum <strong><code>binder[].when.proto</code></strong>: protocol { any | ip | icmp | tcp | udp | user | file }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>binder[].when.proto</strong>: protocol { any | ip | icmp | tcp | udp | user | file }\r
+bit_list <strong><code>binder[].when.ports</code></strong>: list of ports { 65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bit_list <strong>binder[].when.ports</strong>: list of ports { 65535 }\r
+bit_list <strong><code>binder[].when.src_ports</code></strong>: list of source ports { 65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bit_list <strong>binder[].when.src_ports</strong>: list of source ports { 65535 }\r
+bit_list <strong><code>binder[].when.dst_ports</code></strong>: list of destination ports { 65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bit_list <strong>binder[].when.dst_ports</strong>: list of destination ports { 65535 }\r
+bit_list <strong><code>binder[].when.zones</code></strong>: zones { 63 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>binder[].when.src_zone</strong>: source zone { 0:max31 }\r
+bit_list <strong><code>binder[].when.src_zone</code></strong>: source zone { 63 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>binder[].when.dst_zone</strong>: destination zone { 0:max31 }\r
+bit_list <strong><code>binder[].when.dst_zone</code></strong>: destination zone { 63 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>binder[].when.role</strong> = any: use the given configuration on one or any end of a session { client | server | any }\r
+enum <strong><code>binder[].when.role</code></strong> = any: use the given configuration on one or any end of a session { client | server | any }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>binder[].when.service</strong>: override default configuration\r
+string <strong><code>binder[].when.service</code></strong>: override default configuration\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>binder[].use.action</strong> = inspect: what to do with matching traffic { reset | block | allow | inspect }\r
+enum <strong><code>binder[].use.action</code></strong> = inspect: what to do with matching traffic { reset | block | allow | inspect }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>binder[].use.file</strong>: use configuration in given file\r
+string <strong><code>binder[].use.file</code></strong>: use configuration in given file\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>binder[].use.inspection_policy</strong>: use inspection policy from given file\r
+string <strong><code>binder[].use.inspection_policy</code></strong>: use inspection policy from given file\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>binder[].use.ips_policy</strong>: use ips policy from given file\r
+string <strong><code>binder[].use.ips_policy</code></strong>: use ips policy from given file\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>binder[].use.network_policy</strong>: use network policy from given file\r
+string <strong><code>binder[].use.network_policy</code></strong>: use network policy from given file\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>binder[].use.service</strong>: override automatic service identification\r
+string <strong><code>binder[].use.service</code></strong>: override automatic service identification\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>binder[].use.type</strong>: select module for binding\r
+string <strong><code>binder[].use.type</code></strong>: select module for binding\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>binder[].use.name</strong>: symbol name (defaults to type)\r
+string <strong><code>binder[].use.name</code></strong>: symbol name (defaults to type)\r
</p>\r
</li>\r
</ul></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
+bool <strong>dce_smb.limit_alerts</strong> = true: limit DCE alert to at most one per signature per flow\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
bool <strong>dce_smb.disable_defrag</strong> = false: disable DCE/RPC defragmentation\r
</p>\r
</li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
+bool <strong>dce_tcp.limit_alerts</strong> = true: limit DCE alert to at most one per signature per flow\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
bool <strong>dce_tcp.disable_defrag</strong> = false: disable DCE/RPC defragmentation\r
</p>\r
</li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
+bool <strong>dce_udp.limit_alerts</strong> = true: limit DCE alert to at most one per signature per flow\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
bool <strong>dce_udp.disable_defrag</strong> = false: disable DCE/RPC defragmentation\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>file_id.file_rules[].rev</strong> = 0: rule revision { 0:max32 }\r
+int <strong><code>file_id.file_rules[].rev</code></strong> = 0: rule revision { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>file_id.file_rules[].msg</strong>: information about the file type\r
+string <strong><code>file_id.file_rules[].msg</code></strong>: information about the file type\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>file_id.file_rules[].type</strong>: file type name\r
+string <strong><code>file_id.file_rules[].type</code></strong>: file type name\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>file_id.file_rules[].id</strong> = 0: file type id { 0:max32 }\r
+int <strong><code>file_id.file_rules[].id</code></strong> = 0: file type id { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>file_id.file_rules[].category</strong>: file type category\r
+string <strong><code>file_id.file_rules[].category</code></strong>: file type category\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>file_id.file_rules[].group</strong>: comma separated list of groups associated with file type\r
+string <strong><code>file_id.file_rules[].group</code></strong>: comma separated list of groups associated with file type\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>file_id.file_rules[].version</strong>: file type version\r
+string <strong><code>file_id.file_rules[].version</code></strong>: file type version\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>file_id.file_rules[].magic[].content</strong>: file magic content\r
+string <strong><code>file_id.file_rules[].magic[].content</code></strong>: file magic content\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>file_id.file_rules[].magic[].offset</strong> = 0: file magic offset { 0:max32 }\r
+int <strong><code>file_id.file_rules[].magic[].offset</code></strong> = 0: file magic offset { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>file_id.file_policy[].when.file_type_id</strong> = 0: unique ID for file type in file magic rule { 0:max32 }\r
+int <strong><code>file_id.file_policy[].when.file_type_id</code></strong> = 0: unique ID for file type in file magic rule { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>file_id.file_policy[].when.sha256</strong>: SHA 256\r
+string <strong><code>file_id.file_policy[].when.sha256</code></strong>: SHA 256\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>file_id.file_policy[].use.verdict</strong> = unknown: what to do with matching traffic { unknown | log | stop | block | reset }\r
+enum <strong><code>file_id.file_policy[].use.verdict</code></strong> = unknown: what to do with matching traffic { unknown | log | stop | block | reset }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>file_id.file_policy[].use.enable_file_type</strong> = false: true/false → enable/disable file type identification\r
+bool <strong><code>file_id.file_policy[].use.enable_file_type</code></strong> = false: true/false → enable/disable file type identification\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>file_id.file_policy[].use.enable_file_signature</strong> = false: true/false → enable/disable file signature\r
+bool <strong><code>file_id.file_policy[].use.enable_file_signature</code></strong> = false: true/false → enable/disable file signature\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>file_id.file_policy[].use.enable_file_capture</strong> = false: true/false → enable/disable file capture\r
+bool <strong><code>file_id.file_policy[].use.enable_file_capture</code></strong> = false: true/false → enable/disable file capture\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-addr <strong>ftp_client.bounce_to[].address</strong> = 1.0.0.0/32: allowed IP address in CIDR format\r
+addr <strong><code>ftp_client.bounce_to[].address</code></strong> = 1.0.0.0/32: allowed IP address in CIDR format\r
</p>\r
</li>\r
<li>\r
<p>\r
-port <strong>ftp_client.bounce_to[].port</strong> = 20: allowed port\r
+port <strong><code>ftp_client.bounce_to[].port</code></strong> = 20: allowed port\r
</p>\r
</li>\r
<li>\r
<p>\r
-port <strong>ftp_client.bounce_to[].last_port</strong>: optional allowed range from port to last_port inclusive\r
+port <strong><code>ftp_client.bounce_to[].last_port</code></strong>: optional allowed range from port to last_port inclusive\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>ftp_server.directory_cmds[].dir_cmd</strong>: directory command\r
+string <strong><code>ftp_server.directory_cmds[].dir_cmd</code></strong>: directory command\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>ftp_server.directory_cmds[].rsp_code</strong> = 200: expected successful response code for command { 200:max32 }\r
+int <strong><code>ftp_server.directory_cmds[].rsp_code</code></strong> = 200: expected successful response code for command { 200:max32 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>ftp_server.cmd_validity[].command</strong>: command string\r
+string <strong><code>ftp_server.cmd_validity[].command</code></strong>: command string\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>ftp_server.cmd_validity[].format</strong>: format specification\r
+string <strong><code>ftp_server.cmd_validity[].format</code></strong>: format specification\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>ftp_server.cmd_validity[].length</strong> = 0: specify non-default maximum for command { 0:max32 }\r
+int <strong><code>ftp_server.cmd_validity[].length</code></strong> = 0: specify non-default maximum for command { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>gtp_inspect[].version</strong> = 2: GTP version { 0:2 }\r
+int <strong><code>gtp_inspect[].version</code></strong> = 2: GTP version { 0:2 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>gtp_inspect[].messages[].type</strong> = 0: message type code { 0:255 }\r
+int <strong><code>gtp_inspect[].messages[].type</code></strong> = 0: message type code { 0:255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>gtp_inspect[].messages[].name</strong>: message name\r
+string <strong><code>gtp_inspect[].messages[].name</code></strong>: message name\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>gtp_inspect[].infos[].type</strong> = 0: information element type code { 0:255 }\r
+int <strong><code>gtp_inspect[].infos[].type</code></strong> = 0: information element type code { 0:255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>gtp_inspect[].infos[].name</strong>: information element name\r
+string <strong><code>gtp_inspect[].infos[].name</code></strong>: information element name\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>gtp_inspect[].infos[].length</strong> = 0: information element type code { 0:255 }\r
+int <strong><code>gtp_inspect[].infos[].length</code></strong> = 0: information element type code { 0:255 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>http_inspect.decompress_zip</strong> = false: decompress zip files in response bodies\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
bool <strong>http_inspect.normalize_javascript</strong> = false: normalize javascript in response bodies\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>119:229</strong> (http_inspect) PDF/SWF decompression of server response too big\r
+<strong>119:229</strong> (http_inspect) PDF/SWF/ZIP decompression of server response too big\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>imap.decompress_pdf</strong> = false: decompress pdf files in MIME attachments\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>imap.decompress_swf</strong> = false: decompress swf files in MIME attachments\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>imap.decompress_zip</strong> = false: decompress zip files in MIME attachments\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>imap.qp_decode_depth</strong> = 1460: quoted Printable decoding depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<strong>141:7</strong> (imap) Unix-to-Unix decoding failed\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+<strong>141:8</strong> (imap) file decompression failed\r
+</p>\r
+</li>\r
</ul></div>\r
<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
+<h3 id="_mem_test">mem_test</h3>\r
+<div class="paragraph"><p>What: for testing memory management</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+<strong>mem_test.packets</strong>: total packets (sum)\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
<h3 id="_modbus">modbus</h3>\r
<div class="paragraph"><p>What: modbus inspection</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
</li>\r
<li>\r
<p>\r
-string <strong>perf_monitor.modules[].name</strong>: name of the module\r
+string <strong><code>perf_monitor.modules[].name</code></strong>: name of the module\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>perf_monitor.modules[].pegs</strong>: list of statistics to track or empty for all counters\r
+string <strong><code>perf_monitor.modules[].pegs</code></strong>: list of statistics to track or empty for all counters\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>pop.decompress_pdf</strong> = false: decompress pdf files in MIME attachments\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>pop.decompress_swf</strong> = false: decompress swf files in MIME attachments\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>pop.decompress_zip</strong> = false: decompress zip files in MIME attachments\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>pop.qp_decode_depth</strong> = 1460: Quoted Printable decoding depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<strong>142:7</strong> (pop) Unix-to-Unix decoding failed\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+<strong>142:8</strong> (pop) file decompression failed\r
+</p>\r
+</li>\r
</ul></div>\r
<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>smtp.alt_max_command_line_len[].command</strong>: command string\r
+string <strong><code>smtp.alt_max_command_line_len[].command</code></strong>: command string\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.alt_max_command_line_len[].length</strong> = 0: specify non-default maximum for command { 0:max32 }\r
+int <strong><code>smtp.alt_max_command_line_len[].length</code></strong> = 0: specify non-default maximum for command { 0:max32 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>smtp.decompress_pdf</strong> = false: decompress pdf files in MIME attachments\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>smtp.decompress_swf</strong> = false: decompress swf files in MIME attachments\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>smtp.decompress_zip</strong> = false: decompress zip files in MIME attachments\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>smtp.email_hdrs_log_depth</strong> = 1464: depth for logging email headers { 0:20480 }\r
</p>\r
</li>\r
<strong>124:15</strong> (smtp) attempted authentication command buffer overflow\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+<strong>124:16</strong> (smtp) file decompression failed\r
+</p>\r
+</li>\r
</ul></div>\r
<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
</li>\r
<li>\r
<p>\r
+int <strong>stream.ip_cache.cap_weight</strong> = 64: additional bytes to track per flow for better estimation against cap { 0:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>stream.icmp_cache.max_sessions</strong> = 65536: maximum simultaneous sessions tracked before pruning { 2:max32 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+int <strong>stream.icmp_cache.cap_weight</strong> = 8: additional bytes to track per flow for better estimation against cap { 0:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>stream.tcp_cache.max_sessions</strong> = 262144: maximum simultaneous sessions tracked before pruning { 2:max32 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+int <strong>stream.tcp_cache.cap_weight</strong> = 11500: additional bytes to track per flow for better estimation against cap { 0:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>stream.udp_cache.max_sessions</strong> = 131072: maximum simultaneous sessions tracked before pruning { 2:max32 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+int <strong>stream.udp_cache.cap_weight</strong> = 128: additional bytes to track per flow for better estimation against cap { 0:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>stream.user_cache.max_sessions</strong> = 1024: maximum simultaneous sessions tracked before pruning { 2:max32 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+int <strong>stream.user_cache.cap_weight</strong> = 256: additional bytes to track per flow for better estimation against cap { 0:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>stream.file_cache.max_sessions</strong> = 128: maximum simultaneous sessions tracked before pruning { 2:max32 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+int <strong>stream.file_cache.cap_weight</strong> = 32: additional bytes to track per flow for better estimation against cap { 0:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>stream.trace</strong>: mask for enabling debug traces in module { 0:max53 }\r
</p>\r
</li>\r
int <strong>stream_tcp.session_timeout</strong> = 30: session tracking timeout { 1:max31 }\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+bool <strong>stream_tcp.track_only</strong> = false: disable reassembly if true\r
+</p>\r
+</li>\r
</ul></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>wizard.hexes[].service</strong>: name of service\r
+string <strong><code>wizard.hexes[].service</code></strong>: name of service\r
</p>\r
</li>\r
<li>\r
<p>\r
-select <strong>wizard.hexes[].proto</strong> = tcp: protocol to scan { tcp | udp }\r
+select <strong><code>wizard.hexes[].proto</code></strong> = tcp: protocol to scan { tcp | udp }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>wizard.hexes[].client_first</strong> = true: which end initiates data transfer\r
+bool <strong><code>wizard.hexes[].client_first</code></strong> = true: which end initiates data transfer\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>wizard.hexes[].to_server[].hex</strong>: sequence of data with wild chars (?)\r
+string <strong><code>wizard.hexes[].to_server[].hex</code></strong>: sequence of data with wild chars (?)\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>wizard.hexes[].to_client[].hex</strong>: sequence of data with wild chars (?)\r
+string <strong><code>wizard.hexes[].to_client[].hex</code></strong>: sequence of data with wild chars (?)\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>wizard.spells[].service</strong>: name of service\r
+string <strong><code>wizard.spells[].service</code></strong>: name of service\r
</p>\r
</li>\r
<li>\r
<p>\r
-select <strong>wizard.spells[].proto</strong> = tcp: protocol to scan { tcp | udp }\r
+select <strong><code>wizard.spells[].proto</code></strong> = tcp: protocol to scan { tcp | udp }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>wizard.spells[].client_first</strong> = true: which end initiates data transfer\r
+bool <strong><code>wizard.spells[].client_first</code></strong> = true: which end initiates data transfer\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with wild cards (*)\r
+string <strong><code>wizard.spells[].to_server[].spell</code></strong>: sequence of data with wild cards (*)\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>wizard.spells[].to_client[].spell</strong>: sequence of data with wild cards (*)\r
+string <strong><code>wizard.spells[].to_client[].spell</code></strong>: sequence of data with wild cards (*)\r
</p>\r
</li>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>metadata.</strong>*: comma-separated list of arbitrary name value pairs\r
+string <strong><code>metadata.*</code></strong>: comma-separated list of arbitrary name value pairs\r
</p>\r
</li>\r
</ul></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>service.</strong>*: one or more comma-separated service names\r
+string <strong><code>service.*</code></strong>: one or more comma-separated service names\r
</p>\r
</li>\r
</ul></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>sip_method.*method</strong>: sip method\r
+string <strong><code>sip_method.*method</code></strong>: sip method\r
</p>\r
</li>\r
</ul></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>sip_stat_code.*code</strong>: status code { 1:999 }\r
+int <strong><code>sip_stat_code.*code</code></strong>: status code { 1:999 }\r
</p>\r
</li>\r
</ul></div>\r
</li>\r
<li>\r
<p>\r
-int <strong>alert_sfsocket.rules[].gid</strong> = 1: rule generator ID { 1:max32 }\r
+int <strong><code>alert_sfsocket.rules[].gid</code></strong> = 1: rule generator ID { 1:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>alert_sfsocket.rules[].sid</strong> = 1: rule signature ID { 1:max32 }\r
+int <strong><code>alert_sfsocket.rules[].sid</code></strong> = 1: rule signature ID { 1:max32 }\r
</p>\r
</li>\r
</ul></div>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
+<h3 id="_alert_talos">alert_talos</h3>\r
+<div class="paragraph"><p>What: output event in Talos alert format</p></div>\r
+<div class="paragraph"><p>Type: logger</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
+</div>\r
+<div class="sect2">\r
<h3 id="_alert_unixsock">alert_unixsock</h3>\r
<div class="paragraph"><p>What: output event over unix socket</p></div>\r
<div class="paragraph"><p>Type: logger</p></div>\r
</li>\r
<li>\r
<p>\r
+<strong>--dont-convert-max-sessions</strong>\r
+ do not convert max_tcp, max_udp, max_icmp, max_ip to\r
+ max_session\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>--error-file=<error_file></strong>\r
Same as <em>-e</em>. output all errors to <error_file>\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>alerts.default_rule_state</strong> = true: enable or disable ips rules\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>alerts.detection_filter_memcap</strong> = 1048576: set available MB of memory for detection_filters { 0:max32 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>alert_sfsocket.rules[].gid</strong> = 1: rule generator ID { 1:max32 }\r
+int <strong><code>alert_sfsocket.rules[].gid</code></strong> = 1: rule generator ID { 1:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>alert_sfsocket.rules[].sid</strong> = 1: rule signature ID { 1:max32 }\r
+int <strong><code>alert_sfsocket.rules[].sid</code></strong> = 1: rule signature ID { 1:max32 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>appid.app_stats_period</strong> = 300: time period for collecting and logging appid statistics { 0:max32 }\r
+int <strong>appid.app_stats_period</strong> = 300: time period for collecting and logging appid statistics { 1:max32 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>appid.memcap</strong> = 0: disregard - not implemented { 0:maxSZ }\r
+int <strong>appid.memcap</strong> = 1048576: max size of the service cache before we start pruning the cache { 1024:maxSZ }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-ip4 <strong>arp_spoof.hosts[].ip</strong>: host ip address\r
+ip4 <strong><code>arp_spoof.hosts[].ip</code></strong>: host ip address\r
</p>\r
</li>\r
<li>\r
<p>\r
-mac <strong>arp_spoof.hosts[].mac</strong>: host mac address\r
+mac <strong><code>arp_spoof.hosts[].mac</code></strong>: host mac address\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-enum <strong>binder[].use.action</strong> = inspect: what to do with matching traffic { reset | block | allow | inspect }\r
+enum <strong><code>binder[].use.action</code></strong> = inspect: what to do with matching traffic { reset | block | allow | inspect }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong><code>binder[].use.file</code></strong>: use configuration in given file\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>binder[].use.file</strong>: use configuration in given file\r
+string <strong><code>binder[].use.inspection_policy</code></strong>: use inspection policy from given file\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>binder[].use.inspection_policy</strong>: use inspection policy from given file\r
+string <strong><code>binder[].use.ips_policy</code></strong>: use ips policy from given file\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>binder[].use.ips_policy</strong>: use ips policy from given file\r
+string <strong><code>binder[].use.name</code></strong>: symbol name (defaults to type)\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>binder[].use.name</strong>: symbol name (defaults to type)\r
+string <strong><code>binder[].use.network_policy</code></strong>: use network policy from given file\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>binder[].use.network_policy</strong>: use network policy from given file\r
+string <strong><code>binder[].use.service</code></strong>: override automatic service identification\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>binder[].use.service</strong>: override automatic service identification\r
+string <strong><code>binder[].use.type</code></strong>: select module for binding\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>binder[].use.type</strong>: select module for binding\r
+addr_list <strong><code>binder[].when.dst_nets</code></strong>: list of destination networks\r
</p>\r
</li>\r
<li>\r
<p>\r
-addr_list <strong>binder[].when.dst_nets</strong>: list of destination networks\r
+bit_list <strong><code>binder[].when.dst_ports</code></strong>: list of destination ports { 65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bit_list <strong>binder[].when.dst_ports</strong>: list of destination ports { 65535 }\r
+bit_list <strong><code>binder[].when.dst_zone</code></strong>: destination zone { 63 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>binder[].when.dst_zone</strong>: destination zone { 0:max31 }\r
+bit_list <strong><code>binder[].when.ifaces</code></strong>: list of interface indices { 255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bit_list <strong>binder[].when.ifaces</strong>: list of interface indices { 255 }\r
+int <strong><code>binder[].when.ips_policy_id</code></strong> = 0: unique ID for selection of this config by external logic { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>binder[].when.ips_policy_id</strong> = 0: unique ID for selection of this config by external logic { 0:max32 }\r
+addr_list <strong><code>binder[].when.nets</code></strong>: list of networks\r
</p>\r
</li>\r
<li>\r
<p>\r
-addr_list <strong>binder[].when.nets</strong>: list of networks\r
+bit_list <strong><code>binder[].when.ports</code></strong>: list of ports { 65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bit_list <strong>binder[].when.ports</strong>: list of ports { 65535 }\r
+enum <strong><code>binder[].when.proto</code></strong>: protocol { any | ip | icmp | tcp | udp | user | file }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>binder[].when.proto</strong>: protocol { any | ip | icmp | tcp | udp | user | file }\r
+enum <strong><code>binder[].when.role</code></strong> = any: use the given configuration on one or any end of a session { client | server | any }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>binder[].when.role</strong> = any: use the given configuration on one or any end of a session { client | server | any }\r
+string <strong><code>binder[].when.service</code></strong>: override default configuration\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>binder[].when.service</strong>: override default configuration\r
+addr_list <strong><code>binder[].when.src_nets</code></strong>: list of source networks\r
</p>\r
</li>\r
<li>\r
<p>\r
-addr_list <strong>binder[].when.src_nets</strong>: list of source networks\r
+bit_list <strong><code>binder[].when.src_ports</code></strong>: list of source ports { 65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bit_list <strong>binder[].when.src_ports</strong>: list of source ports { 65535 }\r
+bit_list <strong><code>binder[].when.src_zone</code></strong>: source zone { 63 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>binder[].when.src_zone</strong>: source zone { 0:max31 }\r
+bit_list <strong><code>binder[].when.vlans</code></strong>: list of VLAN IDs { 4095 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bit_list <strong>binder[].when.vlans</strong>: list of VLAN IDs { 4095 }\r
+bit_list <strong><code>binder[].when.zones</code></strong>: zones { 63 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>classifications[].name</strong>: name used with classtype rule option\r
+string <strong><code>classifications[].name</code></strong>: name used with classtype rule option\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>classifications[].priority</strong> = 1: default priority for class { 0:max32 }\r
+int <strong><code>classifications[].priority</code></strong> = 1: default priority for class { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>classifications[].text</strong>: description of class\r
+string <strong><code>classifications[].text</code></strong>: description of class\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>daq.instances[].id</strong>: instance ID (required) { 0:max32 }\r
+int <strong><code>daq.instances[].id</code></strong>: instance ID (required) { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>daq.instances[].input_spec</strong>: input specification\r
+string <strong><code>daq.instances[].input_spec</code></strong>: input specification\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>daq.instances[].variables[].str</strong>: string parameter\r
+string <strong><code>daq.instances[].variables[].str</code></strong>: string parameter\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>daq.module_dirs[].str</strong>: string parameter\r
+string <strong><code>daq.module_dirs[].str</code></strong>: string parameter\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>daq.variables[].str</strong>: string parameter\r
+string <strong><code>daq.variables[].str</code></strong>: string parameter\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>dce_smb.limit_alerts</strong> = true: limit DCE alert to at most one per signature per flow\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>dce_smb.max_frag_len</strong> = 65535: maximum fragment size for defragmentation { 1514:65535 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>dce_tcp.limit_alerts</strong> = true: limit DCE alert to at most one per signature per flow\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>dce_tcp.max_frag_len</strong> = 65535: maximum fragment size for defragmentation { 1514:65535 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>dce_udp.limit_alerts</strong> = true: limit DCE alert to at most one per signature per flow\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>dce_udp.max_frag_len</strong> = 65535: maximum fragment size for defragmentation { 1514:65535 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>detection.global_default_rule_state</strong> = true: enable or disable rules by default (overridden by ips policy settings)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>detection.global_rule_state</strong> = false: apply rule_state against all policies\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>detection.offload_limit</strong> = 99999: minimum sizeof PDU to offload fast pattern search (defaults to disabled) { 0:max32 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>event_filter[].count</strong> = 0: number of events in interval before tripping; -1 to disable { -1:max31 }\r
+int <strong><code>event_filter[].count</code></strong> = 0: number of events in interval before tripping; -1 to disable { -1:max31 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>event_filter[].gid</strong> = 1: rule generator ID { 0:max32 }\r
+int <strong><code>event_filter[].gid</code></strong> = 1: rule generator ID { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>event_filter[].ip</strong>: restrict filter to these addresses according to track\r
+string <strong><code>event_filter[].ip</code></strong>: restrict filter to these addresses according to track\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>event_filter[].seconds</strong> = 0: count interval { 0:max32 }\r
+int <strong><code>event_filter[].seconds</code></strong> = 0: count interval { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>event_filter[].sid</strong> = 1: rule signature ID { 0:max32 }\r
+int <strong><code>event_filter[].sid</code></strong> = 1: rule signature ID { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>event_filter[].track</strong>: filter only matching source or destination addresses { by_src | by_dst }\r
+enum <strong><code>event_filter[].track</code></strong>: filter only matching source or destination addresses { by_src | by_dst }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>event_filter[].type</strong>: 1st count events | every count events | once after count events { limit | threshold | both }\r
+enum <strong><code>event_filter[].type</code></strong>: 1st count events | every count events | once after count events { limit | threshold | both }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>file_id.file_policy[].use.enable_file_capture</strong> = false: true/false → enable/disable file capture\r
+bool <strong><code>file_id.file_policy[].use.enable_file_capture</code></strong> = false: true/false → enable/disable file capture\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>file_id.file_policy[].use.enable_file_signature</strong> = false: true/false → enable/disable file signature\r
+bool <strong><code>file_id.file_policy[].use.enable_file_signature</code></strong> = false: true/false → enable/disable file signature\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>file_id.file_policy[].use.enable_file_type</strong> = false: true/false → enable/disable file type identification\r
+bool <strong><code>file_id.file_policy[].use.enable_file_type</code></strong> = false: true/false → enable/disable file type identification\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>file_id.file_policy[].use.verdict</strong> = unknown: what to do with matching traffic { unknown | log | stop | block | reset }\r
+enum <strong><code>file_id.file_policy[].use.verdict</code></strong> = unknown: what to do with matching traffic { unknown | log | stop | block | reset }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>file_id.file_policy[].when.file_type_id</strong> = 0: unique ID for file type in file magic rule { 0:max32 }\r
+int <strong><code>file_id.file_policy[].when.file_type_id</code></strong> = 0: unique ID for file type in file magic rule { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>file_id.file_policy[].when.sha256</strong>: SHA 256\r
+string <strong><code>file_id.file_policy[].when.sha256</code></strong>: SHA 256\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>file_id.file_rules[].category</strong>: file type category\r
+string <strong><code>file_id.file_rules[].category</code></strong>: file type category\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>file_id.file_rules[].group</strong>: comma separated list of groups associated with file type\r
+string <strong><code>file_id.file_rules[].group</code></strong>: comma separated list of groups associated with file type\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>file_id.file_rules[].id</strong> = 0: file type id { 0:max32 }\r
+int <strong><code>file_id.file_rules[].id</code></strong> = 0: file type id { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>file_id.file_rules[].magic[].content</strong>: file magic content\r
+string <strong><code>file_id.file_rules[].magic[].content</code></strong>: file magic content\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>file_id.file_rules[].magic[].offset</strong> = 0: file magic offset { 0:max32 }\r
+int <strong><code>file_id.file_rules[].magic[].offset</code></strong> = 0: file magic offset { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>file_id.file_rules[].msg</strong>: information about the file type\r
+string <strong><code>file_id.file_rules[].msg</code></strong>: information about the file type\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>file_id.file_rules[].rev</strong> = 0: rule revision { 0:max32 }\r
+int <strong><code>file_id.file_rules[].rev</code></strong> = 0: rule revision { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>file_id.file_rules[].type</strong>: file type name\r
+string <strong><code>file_id.file_rules[].type</code></strong>: file type name\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>file_id.file_rules[].version</strong>: file type version\r
+string <strong><code>file_id.file_rules[].version</code></strong>: file type version\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-addr <strong>ftp_client.bounce_to[].address</strong> = 1.0.0.0/32: allowed IP address in CIDR format\r
+addr <strong><code>ftp_client.bounce_to[].address</code></strong> = 1.0.0.0/32: allowed IP address in CIDR format\r
</p>\r
</li>\r
<li>\r
<p>\r
-port <strong>ftp_client.bounce_to[].last_port</strong>: optional allowed range from port to last_port inclusive\r
+port <strong><code>ftp_client.bounce_to[].last_port</code></strong>: optional allowed range from port to last_port inclusive\r
</p>\r
</li>\r
<li>\r
<p>\r
-port <strong>ftp_client.bounce_to[].port</strong> = 20: allowed port\r
+port <strong><code>ftp_client.bounce_to[].port</code></strong> = 20: allowed port\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>ftp_server.cmd_validity[].command</strong>: command string\r
+string <strong><code>ftp_server.cmd_validity[].command</code></strong>: command string\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>ftp_server.cmd_validity[].format</strong>: format specification\r
+string <strong><code>ftp_server.cmd_validity[].format</code></strong>: format specification\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>ftp_server.cmd_validity[].length</strong> = 0: specify non-default maximum for command { 0:max32 }\r
+int <strong><code>ftp_server.cmd_validity[].length</code></strong> = 0: specify non-default maximum for command { 0:max32 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>ftp_server.directory_cmds[].dir_cmd</strong>: directory command\r
+string <strong><code>ftp_server.directory_cmds[].dir_cmd</code></strong>: directory command\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>ftp_server.directory_cmds[].rsp_code</strong> = 200: expected successful response code for command { 200:max32 }\r
+int <strong><code>ftp_server.directory_cmds[].rsp_code</code></strong> = 200: expected successful response code for command { 200:max32 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>gtp_inspect[].infos[].length</strong> = 0: information element type code { 0:255 }\r
+int <strong><code>gtp_inspect[].infos[].length</code></strong> = 0: information element type code { 0:255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>gtp_inspect[].infos[].name</strong>: information element name\r
+string <strong><code>gtp_inspect[].infos[].name</code></strong>: information element name\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>gtp_inspect[].infos[].type</strong> = 0: information element type code { 0:255 }\r
+int <strong><code>gtp_inspect[].infos[].type</code></strong> = 0: information element type code { 0:255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>gtp_inspect[].messages[].name</strong>: message name\r
+string <strong><code>gtp_inspect[].messages[].name</code></strong>: message name\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>gtp_inspect[].messages[].type</strong> = 0: message type code { 0:255 }\r
+int <strong><code>gtp_inspect[].messages[].type</code></strong> = 0: message type code { 0:255 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>gtp_inspect[].version</strong> = 2: GTP version { 0:2 }\r
+int <strong><code>gtp_inspect[].version</code></strong> = 2: GTP version { 0:2 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>host_cache[].size</strong>: size of host cache { 1:max32 }\r
+int <strong><code>host_cache[].size</code></strong>: size of host cache { 1:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>hosts[].frag_policy</strong>: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris }\r
+enum <strong><code>hosts[].frag_policy</code></strong>: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris }\r
</p>\r
</li>\r
<li>\r
<p>\r
-addr <strong>hosts[].ip</strong> = 0.0.0.0/32: hosts address / CIDR\r
+addr <strong><code>hosts[].ip</code></strong> = 0.0.0.0/32: hosts address / CIDR\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>hosts[].services[].name</strong>: service identifier\r
+string <strong><code>hosts[].services[].name</code></strong>: service identifier\r
</p>\r
</li>\r
<li>\r
<p>\r
-port <strong>hosts[].services[].port</strong>: port number\r
+port <strong><code>hosts[].services[].port</code></strong>: port number\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>hosts[].services[].proto</strong> = tcp: IP protocol { tcp | udp }\r
+enum <strong><code>hosts[].services[].proto</code></strong> = tcp: IP protocol { tcp | udp }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>hosts[].tcp_policy</strong>: TCP reassembly policy { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }\r
+enum <strong><code>hosts[].tcp_policy</code></strong>: TCP reassembly policy { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>host_tracker[].frag_policy</strong>: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris }\r
+enum <strong><code>host_tracker[].frag_policy</code></strong>: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris }\r
</p>\r
</li>\r
<li>\r
<p>\r
-addr <strong>host_tracker[].ip</strong> = 0.0.0.0/32: hosts address / cidr\r
+addr <strong><code>host_tracker[].ip</code></strong> = 0.0.0.0/32: hosts address / cidr\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>host_tracker[].services[].name</strong>: service identifier\r
+string <strong><code>host_tracker[].services[].name</code></strong>: service identifier\r
</p>\r
</li>\r
<li>\r
<p>\r
-port <strong>host_tracker[].services[].port</strong>: port number\r
+port <strong><code>host_tracker[].services[].port</code></strong>: port number\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>host_tracker[].services[].proto</strong> = tcp: IP protocol { tcp | udp }\r
+enum <strong><code>host_tracker[].services[].proto</code></strong> = tcp: IP protocol { tcp | udp }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>host_tracker[].tcp_policy</strong>: TCP reassembly policy { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }\r
+enum <strong><code>host_tracker[].tcp_policy</code></strong>: TCP reassembly policy { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>http_inspect.decompress_zip</strong> = false: decompress zip files in response bodies\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>http_inspect.ignore_unreserved</strong>: do not alert when the specified unreserved characters are percent-encoded in a URI.Unreserved characters are 0-9, a-z, A-Z, period, underscore, tilde, and minus. { (optional) }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>imap.decompress_pdf</strong> = false: decompress pdf files in MIME attachments\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>imap.decompress_swf</strong> = false: decompress swf files in MIME attachments\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>imap.decompress_zip</strong> = false: decompress zip files in MIME attachments\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>imap.qp_decode_depth</strong> = 1460: quoted Printable decoding depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+enum <strong>ips.default_rule_state</strong> = inherit: enable or disable ips rules { false | true | inherit }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
bool <strong>ips.enable_builtin_rules</strong> = false: enable events from builtin rules w/o stubs\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>ips.obfuscate_pii</strong> = false: mask all but the last 4 characters of credit card and social security numbers\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>ips.rules</strong>: snort rules and includes\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>memory.soft</strong> = false: always succeed in allocating memory, even if above the cap\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>memory.threshold</strong> = 0: set the per-packet-thread threshold for preemptive cleanup actions (percent, 0 to disable) { 0:100 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>metadata.</strong>*: comma-separated list of arbitrary name value pairs\r
+string <strong><code>metadata.*</code></strong>: comma-separated list of arbitrary name value pairs\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>output.obfuscate_pii</strong> = false: mask all but the last 4 characters of credit card and social security numbers\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
bool <strong>output.quiet</strong> = false: suppress non-fatal information (still show alerts, same as -q)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-string <strong>perf_monitor.modules[].name</strong>: name of the module\r
+string <strong><code>perf_monitor.modules[].name</code></strong>: name of the module\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>perf_monitor.modules[].pegs</strong>: list of statistics to track or empty for all counters\r
+string <strong><code>perf_monitor.modules[].pegs</code></strong>: list of statistics to track or empty for all counters\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>pop.decompress_pdf</strong> = false: decompress pdf files in MIME attachments\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>pop.decompress_swf</strong> = false: decompress swf files in MIME attachments\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>pop.decompress_zip</strong> = false: decompress zip files in MIME attachments\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>pop.qp_decode_depth</strong> = 1460: Quoted Printable decoding depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-string <strong>process.threads[].cpuset</strong>: pin the associated thread to this cpuset\r
+string <strong><code>process.threads[].cpuset</code></strong>: pin the associated thread to this cpuset\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>process.threads[].thread</strong> = 0: set cpu affinity for the <cur_thread_num> thread that runs { 0:65535 }\r
+int <strong><code>process.threads[].thread</code></strong> = 0: set cpu affinity for the <cur_thread_num> thread that runs { 0:65535 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>rate_filter[].apply_to</strong>: restrict filter to these addresses according to track\r
+string <strong><code>rate_filter[].apply_to</code></strong>: restrict filter to these addresses according to track\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>rate_filter[].count</strong> = 1: number of events in interval before tripping { 0:max32 }\r
+int <strong><code>rate_filter[].count</code></strong> = 1: number of events in interval before tripping { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>rate_filter[].gid</strong> = 1: rule generator ID { 0:max32 }\r
+int <strong><code>rate_filter[].gid</code></strong> = 1: rule generator ID { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>rate_filter[].new_action</strong> = alert: take this action on future hits until timeout { log | pass | alert | drop | block | reset }\r
+enum <strong><code>rate_filter[].new_action</code></strong> = alert: take this action on future hits until timeout { log | pass | alert | drop | block | reset }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>rate_filter[].seconds</strong> = 1: count interval { 0:max32 }\r
+int <strong><code>rate_filter[].seconds</code></strong> = 1: count interval { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>rate_filter[].sid</strong> = 1: rule signature ID { 0:max32 }\r
+int <strong><code>rate_filter[].sid</code></strong> = 1: rule signature ID { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>rate_filter[].timeout</strong> = 1: count interval { 0:max32 }\r
+int <strong><code>rate_filter[].timeout</code></strong> = 1: count interval { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>rate_filter[].track</strong> = by_src: filter only matching source or destination addresses { by_src | by_dst | by_rule }\r
+enum <strong><code>rate_filter[].track</code></strong> = by_src: filter only matching source or destination addresses { by_src | by_dst | by_rule }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>references[].name</strong>: name used with reference rule option\r
+string <strong><code>references[].name</code></strong>: name used with reference rule option\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>references[].url</strong>: where this reference is defined\r
+string <strong><code>references[].url</code></strong>: where this reference is defined\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>rule_state[].enable</strong> = true: enable or disable rule in all policies\r
+enum <strong><code>rule_state.([0-9]+):([0-9]+).action</code></strong> = inherit: apply action if rule matches or inherit from rule definition { log | pass | alert | drop | block | reset | inherit }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>rule_state[].gid</strong> = 0: rule generator ID { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>rule_state[].sid</strong> = 0: rule signature ID { 0:max32 }\r
+enum <strong><code>rule_state.([0-9]+):([0-9]+).enable</code></strong> = inherit: enable or disable rule in current ips policy or use default defined by ips policy { false | true | inherit }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+dynamic <strong>search_engine.offload_search_method</strong>: set fast pattern offload algorithm - choose available search engine { ac_banded | ac_bnfa | ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan | lowmem }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
dynamic <strong>search_engine.search_method</strong> = ac_bnfa: set fast pattern algorithm - choose available search engine { ac_banded | ac_bnfa | ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan | lowmem }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-string <strong>service.</strong>*: one or more comma-separated service names\r
+string <strong><code>service.*</code></strong>: one or more comma-separated service names\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>side_channel.connectors[].connector</strong>: connector handle\r
+string <strong><code>side_channel.connectors[].connector</code></strong>: connector handle\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>sip_method.*method</strong>: sip method\r
+string <strong><code>sip_method.*method</code></strong>: sip method\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>sip_stat_code.*code</strong>: status code { 1:999 }\r
+int <strong><code>sip_stat_code.*code</code></strong>: status code { 1:999 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>smtp.alt_max_command_line_len[].command</strong>: command string\r
+string <strong><code>smtp.alt_max_command_line_len[].command</code></strong>: command string\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.alt_max_command_line_len[].length</strong> = 0: specify non-default maximum for command { 0:max32 }\r
+int <strong><code>smtp.alt_max_command_line_len[].length</code></strong> = 0: specify non-default maximum for command { 0:max32 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>smtp.decompress_pdf</strong> = false: decompress pdf files in MIME attachments\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>smtp.decompress_swf</strong> = false: decompress swf files in MIME attachments\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>smtp.decompress_zip</strong> = false: decompress zip files in MIME attachments\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>smtp.email_hdrs_log_depth</strong> = 1464: depth for logging email headers { 0:20480 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+int <strong>stream.file_cache.cap_weight</strong> = 32: additional bytes to track per flow for better estimation against cap { 0:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>stream.file_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1:max32 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+int <strong>stream.icmp_cache.cap_weight</strong> = 8: additional bytes to track per flow for better estimation against cap { 0:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>stream.icmp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1:max32 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+int <strong>stream.ip_cache.cap_weight</strong> = 64: additional bytes to track per flow for better estimation against cap { 0:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>stream.ip_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1:max32 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+int <strong>stream.tcp_cache.cap_weight</strong> = 11500: additional bytes to track per flow for better estimation against cap { 0:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>stream.tcp_cache.idle_timeout</strong> = 3600: maximum inactive time before retiring session tracker { 1:max32 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>stream_tcp.track_only</strong> = false: disable reassembly if true\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>stream.trace</strong>: mask for enabling debug traces in module { 0:max53 }\r
</p>\r
</li>\r
<li>\r
<p>\r
+int <strong>stream.udp_cache.cap_weight</strong> = 128: additional bytes to track per flow for better estimation against cap { 0:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>stream.udp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1:max32 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+int <strong>stream.user_cache.cap_weight</strong> = 256: additional bytes to track per flow for better estimation against cap { 0:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>stream.user_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1:max32 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>suppress[].gid</strong> = 0: rule generator ID { 0:max32 }\r
+int <strong><code>suppress[].gid</code></strong> = 0: rule generator ID { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>suppress[].ip</strong>: restrict suppression to these addresses according to track\r
+string <strong><code>suppress[].ip</code></strong>: restrict suppression to these addresses according to track\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>suppress[].sid</strong> = 0: rule signature ID { 0:max32 }\r
+int <strong><code>suppress[].sid</code></strong> = 0: rule signature ID { 0:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>suppress[].track</strong>: suppress only matching source or destination addresses { by_src | by_dst }\r
+enum <strong><code>suppress[].track</code></strong>: suppress only matching source or destination addresses { by_src | by_dst }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>wizard.hexes[].client_first</strong> = true: which end initiates data transfer\r
+bool <strong><code>wizard.hexes[].client_first</code></strong> = true: which end initiates data transfer\r
</p>\r
</li>\r
<li>\r
<p>\r
-select <strong>wizard.hexes[].proto</strong> = tcp: protocol to scan { tcp | udp }\r
+select <strong><code>wizard.hexes[].proto</code></strong> = tcp: protocol to scan { tcp | udp }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>wizard.hexes[].service</strong>: name of service\r
+string <strong><code>wizard.hexes[].service</code></strong>: name of service\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>wizard.hexes[].to_client[].hex</strong>: sequence of data with wild chars (?)\r
+string <strong><code>wizard.hexes[].to_client[].hex</code></strong>: sequence of data with wild chars (?)\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>wizard.hexes[].to_server[].hex</strong>: sequence of data with wild chars (?)\r
+string <strong><code>wizard.hexes[].to_server[].hex</code></strong>: sequence of data with wild chars (?)\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>wizard.spells[].client_first</strong> = true: which end initiates data transfer\r
+bool <strong><code>wizard.spells[].client_first</code></strong> = true: which end initiates data transfer\r
</p>\r
</li>\r
<li>\r
<p>\r
-select <strong>wizard.spells[].proto</strong> = tcp: protocol to scan { tcp | udp }\r
+select <strong><code>wizard.spells[].proto</code></strong> = tcp: protocol to scan { tcp | udp }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>wizard.spells[].service</strong>: name of service\r
+string <strong><code>wizard.spells[].service</code></strong>: name of service\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>wizard.spells[].to_client[].spell</strong>: sequence of data with wild cards (*)\r
+string <strong><code>wizard.spells[].to_client[].spell</code></strong>: sequence of data with wild cards (*)\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with wild cards (*)\r
+string <strong><code>wizard.spells[].to_server[].spell</code></strong>: sequence of data with wild cards (*)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>detection.context_stalls</strong>: times processing stalled to wait for an available context (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>detection.cooked_searches</strong>: fast pattern searches in cooked packet data (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>memory.allocated</strong>: total amount of memory allocated (now)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>memory.allocations</strong>: total number of allocations (now)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>memory.deallocated</strong>: total amount of memory allocated (now)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>memory.deallocations</strong>: total number of deallocations (now)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>memory.max_in_use</strong>: highest allocated - deallocated (max)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>memory.reap_attempts</strong>: attempts to reclaim memory (now)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>memory.reap_failures</strong>: failures to reclaim memory (now)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>memory.total_fudge</strong>: sum of all adjustments (now)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>mem_test.packets</strong>: total packets (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>modbus.concurrent_sessions</strong>: total concurrent modbus sessions (now)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>119:229</strong> (http_inspect) PDF/SWF decompression of server response too big\r
+<strong>119:229</strong> (http_inspect) PDF/SWF/ZIP decompression of server response too big\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>124:16</strong> (smtp) file decompression failed\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>125:1</strong> (ftp_server) TELNET cmd on FTP command channel\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>141:8</strong> (imap) file decompression failed\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>142:1</strong> (pop) unknown POP3 command\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>142:8</strong> (pop) file decompression failed\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>143:1</strong> (gtp_inspect) message length is invalid\r
</p>\r
</li>\r
change -> dynamicengine ==> 'snort.--plugin_path=<path>'\r
change -> dynamicpreprocessor ==> 'snort.--plugin_path=<path>'\r
change -> dynamicsidechannel ==> 'snort.--plugin_path=<path>'\r
-change -> alertfile: 'config alertfile:' ==> 'alert_fast.file'\r
-change -> alertfile: 'config alertfile:' ==> 'alert_full.file'\r
change -> attribute_table: 'STREAM_POLICY' ==> 'hosts: tcp_policy'\r
change -> attribute_table: 'filename <file_name>' ==> 'hosts[]'\r
change -> config ' addressspace_agnostic' ==> ' packets. address_space_agnostic'\r
change -> config ' checksum_mode' ==> ' network. checksum_eval'\r
-change -> config ' daq' ==> ' daq. type'\r
-change -> config ' daq_dir' ==> ' daq. dir'\r
-change -> config ' daq_mode' ==> ' daq. mode'\r
-change -> config ' daq_var' ==> ' daq. var'\r
+change -> config ' daq' ==> ' daq. module'\r
+change -> config ' daq_dir' ==> ' daq. module_dirs, true'\r
+change -> config ' daq_var' ==> ' daq. variables, true'\r
change -> config ' detection_filter' ==> ' alerts. detection_filter_memcap'\r
change -> config ' enable_deep_teredo_inspection' ==> ' udp. deep_teredo_inspection'\r
change -> config ' event_filter' ==> ' alerts. event_filter_memcap'\r
change -> config ' rate_filter' ==> ' alerts. rate_filter_memcap'\r
change -> config ' react' ==> ' react. page'\r
change -> config ' threshold' ==> ' alerts. event_filter_memcap'\r
-change -> csv: 'dgmlen' ==> 'dgm_len'\r
+change -> converter: 'gen_id' ==> 'gid'\r
+change -> converter: 'sid_id' ==> 'sid'\r
+change -> csv: 'csv' ==> 'fields'\r
+change -> csv: 'dgmlen' ==> 'pkt_len'\r
change -> csv: 'dst' ==> 'dst_addr'\r
change -> csv: 'dstport' ==> 'dst_port'\r
change -> csv: 'ethdst' ==> 'eth_dst'\r
change -> csv: 'icmpid' ==> 'icmp_id'\r
change -> csv: 'icmpseq' ==> 'icmp_seq'\r
change -> csv: 'icmptype' ==> 'icmp_type'\r
+change -> csv: 'id' ==> 'ip_id'\r
change -> csv: 'iplen' ==> 'ip_len'\r
change -> csv: 'sig_generator' ==> 'gid'\r
change -> csv: 'sig_id' ==> 'sid'\r
change -> csv: 'tcpseq' ==> 'tcp_seq'\r
change -> csv: 'tcpwindow' ==> 'tcp_win'\r
change -> csv: 'udplength' ==> 'udp_len'\r
-change -> detection: 'ac' ==> 'ac_full_q'\r
+change -> detection: 'ac' ==> 'ac_full'\r
change -> detection: 'ac-banded' ==> 'ac_banded'\r
-change -> detection: 'ac-bnfa' ==> 'ac_bnfa_q'\r
+change -> detection: 'ac-bnfa' ==> 'ac_bnfa'\r
change -> detection: 'ac-bnfa-nq' ==> 'ac_bnfa'\r
-change -> detection: 'ac-bnfa-q' ==> 'ac_bnfa_q'\r
+change -> detection: 'ac-bnfa-q' ==> 'ac_bnfa'\r
change -> detection: 'ac-nq' ==> 'ac_full'\r
-change -> detection: 'ac-q' ==> 'ac_full_q'\r
+change -> detection: 'ac-q' ==> 'ac_full'\r
change -> detection: 'ac-sparsebands' ==> 'ac_sparse_bands'\r
-change -> detection: 'ac-split' ==> 'ac_full_q'\r
+change -> detection: 'ac-split' ==> 'ac_full'\r
change -> detection: 'ac-split' ==> 'split_any_any'\r
change -> detection: 'ac-std' ==> 'ac_std'\r
change -> detection: 'acs' ==> 'ac_sparse'\r
change -> detection: 'bleedover-port-limit' ==> 'bleedover_port_limit'\r
-change -> detection: 'intel-cpm' ==> 'intel_cpm'\r
-change -> detection: 'lowmem' ==> 'lowmem_q'\r
+change -> detection: 'debug-print-fast-pattern' ==> 'show_fast_patterns'\r
+change -> detection: 'intel-cpm' ==> 'hyperscan'\r
change -> detection: 'lowmem-nq' ==> 'lowmem'\r
-change -> detection: 'lowmem-q' ==> 'lowmem_q'\r
+change -> detection: 'lowmem-q' ==> 'lowmem'\r
change -> detection: 'max-pattern-len' ==> 'max_pattern_len'\r
+change -> detection: 'no_stream_inserts' ==> 'detect_raw_tcp'\r
change -> detection: 'search-method' ==> 'search_method'\r
change -> detection: 'search-optimize' ==> 'search_optimize'\r
+change -> detection: 'split-any-any' ==> 'split_any_any = true by default'\r
change -> detection: 'split-any-any' ==> 'split_any_any'\r
+change -> dnp3: 'ports' ==> 'bindings'\r
change -> dns: 'ports' ==> 'bindings'\r
change -> event_filter: 'gen_id' ==> 'gid'\r
change -> event_filter: 'sig_id' ==> 'sid'\r
change -> event_filter: 'threshold' ==> 'event_filter'\r
change -> file: 'config file: file_block_timeout' ==> 'block_timeout'\r
+change -> file: 'config file: file_capture_block_size' ==> 'capture_block_size'\r
+change -> file: 'config file: file_capture_max' ==> 'capture_max_size'\r
+change -> file: 'config file: file_capture_memcap' ==> 'capture_memcap'\r
+change -> file: 'config file: file_capture_min' ==> 'capture_min_size'\r
change -> file: 'config file: file_type_depth' ==> 'type_depth'\r
change -> file: 'config file: signature' ==> 'enable_signature'\r
change -> file: 'config file: type_id' ==> 'enable_type'\r
+change -> file: 'ver' ==> 'version'\r
change -> frag3_engine: 'min_fragment_length' ==> 'min_frag_length'\r
change -> frag3_engine: 'overlap_limit' ==> 'max_overlaps'\r
change -> frag3_engine: 'policy bsd-right' ==> 'policy = bsd_right'\r
change -> ftp_telnet_protocol: 'alt_max_param_len' ==> 'cmd_validity'\r
change -> ftp_telnet_protocol: 'data_chan' ==> 'ignore_data_chan'\r
change -> ftp_telnet_protocol: 'ports' ==> 'bindings'\r
-change -> gtp: 'ports' ==> 'gtp_ports'\r
-change -> http_inspect: 'http_inspect' ==> 'http_global'\r
-change -> http_inspect_server: 'apache_whitespace' ==> 'profile.apache_whitespace'\r
-change -> http_inspect_server: 'ascii' ==> 'profile.ascii'\r
-change -> http_inspect_server: 'bare_byte' ==> 'profile.bare_byte'\r
-change -> http_inspect_server: 'chunk_length' ==> 'profile.chunk_length'\r
-change -> http_inspect_server: 'client_flow_depth' ==> 'profile.client_flow_depth'\r
-change -> http_inspect_server: 'directory' ==> 'profile.directory'\r
-change -> http_inspect_server: 'double_decode' ==> 'profile.double_decode'\r
-change -> http_inspect_server: 'enable_cookie' ==> 'enable_cookies'\r
-change -> http_inspect_server: 'flow_depth' ==> 'server_flow_depth'\r
+change -> gtp: 'ports' ==> 'bindings'\r
+change -> http_inspect_server: 'bare_byte' ==> 'utf8_bare_byte'\r
+change -> http_inspect_server: 'client_flow_depth' ==> 'request_depth'\r
+change -> http_inspect_server: 'double_decode' ==> 'iis_double_decode'\r
change -> http_inspect_server: 'http_inspect_server' ==> 'http_inspect'\r
-change -> http_inspect_server: 'iis_backslash' ==> 'profile.iis_backslash'\r
-change -> http_inspect_server: 'iis_delimiter' ==> 'profile.iis_delimiter'\r
-change -> http_inspect_server: 'iis_unicode' ==> 'profile.iis_unicode'\r
-change -> http_inspect_server: 'max_header_length' ==> 'profile.max_header_length'\r
-change -> http_inspect_server: 'max_headers' ==> 'profile.max_headers'\r
-change -> http_inspect_server: 'max_spaces' ==> 'profile.max_spaces'\r
-change -> http_inspect_server: 'multi_slash' ==> 'profile.multi_slash'\r
-change -> http_inspect_server: 'non_rfc_char' ==> 'non_rfc_chars'\r
-change -> http_inspect_server: 'non_strict' ==> 'profile.non_strict'\r
-change -> http_inspect_server: 'normalize_utf' ==> 'profile.normalize_utf'\r
+change -> http_inspect_server: 'iis_backslash' ==> 'backslash_to_slash'\r
+change -> http_inspect_server: 'inspect_gzip' ==> 'unzip'\r
+change -> http_inspect_server: 'non_rfc_char' ==> 'bad_characters'\r
change -> http_inspect_server: 'ports' ==> 'bindings'\r
-change -> http_inspect_server: 'u_encode' ==> 'profile.u_encode'\r
-change -> http_inspect_server: 'utf_8' ==> 'profile.utf_8'\r
-change -> http_inspect_server: 'webroot' ==> 'profile.webroot'\r
-change -> http_inspect_server: 'whitespace_chars' ==> 'profile.whitespace_chars'\r
+change -> http_inspect_server: 'u_encode' ==> 'percent_u'\r
+change -> http_inspect_server: 'utf_8' ==> 'utf8'\r
change -> imap: 'ports' ==> 'bindings'\r
-change -> paf_max: 'paf_max [0:63780]' ==> 'max_pdu [1460:63780]'\r
-change -> perfmonitor: 'accumulate' ==> 'reset = false'\r
-change -> perfmonitor: 'flow-file' ==> 'flow_file = true'\r
+change -> modbus: 'ports' ==> 'bindings'\r
+change -> na_policy_mode: 'na_policy_mode' ==> 'mode'\r
+change -> nap_selector: 'nap rules' ==> 'bindings'\r
+change -> paf_max: 'paf_max [0:63780]' ==> 'max_pdu [1460:32768]'\r
+change -> perfmonitor: 'console' ==> 'format = 'text''\r
+change -> perfmonitor: 'console' ==> 'output = 'console''\r
+change -> perfmonitor: 'file' ==> 'format = 'csv''\r
+change -> perfmonitor: 'file' ==> 'output = 'file''\r
+change -> perfmonitor: 'flow-file' ==> 'format = 'csv''\r
+change -> perfmonitor: 'flow-file' ==> 'output = 'file''\r
change -> perfmonitor: 'flow-ip' ==> 'flow_ip'\r
-change -> perfmonitor: 'flow-ip-file' ==> 'flow_ip_file = true'\r
+change -> perfmonitor: 'flow-ip-file' ==> 'format = 'csv''\r
+change -> perfmonitor: 'flow-ip-file' ==> 'output = 'file''\r
change -> perfmonitor: 'flow-ip-memcap' ==> 'flow_ip_memcap'\r
change -> perfmonitor: 'flow-ports' ==> 'flow_ports'\r
change -> perfmonitor: 'pktcnt' ==> 'packets'\r
-change -> perfmonitor: 'snortfile' ==> 'file = true'\r
+change -> perfmonitor: 'snortfile' ==> 'format = 'csv''\r
+change -> perfmonitor: 'snortfile' ==> 'output = 'file''\r
change -> perfmonitor: 'time' ==> 'seconds'\r
change -> policy_mode: 'inline_test' ==> 'inline-test'\r
change -> pop: 'ports' ==> 'bindings'\r
-change -> ppm: 'max-pkt-time' ==> 'max_pkt_time'\r
-change -> ppm: 'max-rule-time' ==> 'max_rule_time'\r
-change -> ppm: 'pkt-log' ==> 'pkt_log'\r
-change -> ppm: 'rule-log' ==> 'rule_log'\r
-change -> ppm: 'suspend-timeout' ==> 'suspend_timeout'\r
+change -> ppm: ''both'' ==> ''alert_and_log''\r
+change -> ppm: 'fastpath-expensive-packets' ==> 'packet.fastpath'\r
+change -> ppm: 'max-pkt-time' ==> 'packet.max_time'\r
+change -> ppm: 'max-rule-time' ==> 'rule.max_time'\r
+change -> ppm: 'pkt-log' ==> 'packet.action'\r
+change -> ppm: 'ppm' ==> 'latency'\r
+change -> ppm: 'rule-log' ==> 'rule.action'\r
+change -> ppm: 'suspend-expensive-rules' ==> 'rule.suspend'\r
+change -> ppm: 'suspend-timeout' ==> 'max_suspend_time'\r
+change -> ppm: 'threshold' ==> 'rule.suspend_threshold'\r
change -> preprocessor 'normalize_ icmp4' ==> 'normalize. icmp4'\r
change -> preprocessor 'normalize_ icmp6' ==> 'normalize. icmp6'\r
change -> preprocessor 'normalize_ ip6' ==> 'normalize. ip6'\r
change -> profile: 'print' ==> 'count'\r
+change -> profile: 'sort avg_ticks' ==> 'sort = avg_check'\r
+change -> profile: 'sort total_ticks' ==> 'sort = total_time'\r
change -> rate_filter: 'gen_id' ==> 'gid'\r
change -> rate_filter: 'sig_id' ==> 'sid'\r
-change -> rule_state: 'disabled' ==> 'enable'\r
-change -> rule_state: 'enabled' ==> 'enable'\r
+change -> reputation: 'shared_mem' ==> 'list_dir'\r
+change -> rule_state: 'enabled/disabled' ==> 'enable'\r
+change -> rule_state: 'sdrop' ==> 'drop'\r
change -> sfportscan: 'proto' ==> 'protos'\r
change -> sfportscan: 'scan_type' ==> 'scan_types'\r
change -> sip: 'ports' ==> 'bindings'\r
change -> stream5_tcp: 'max_queued_segs' ==> 'queue_limit.max_segments'\r
change -> stream5_tcp: 'policy hpux' ==> 'stream_tcp.policy = hpux11'\r
change -> stream5_tcp: 'timeout' ==> 'session_timeout'\r
-change -> stream5_tcp: 'use_static_footprint_sizes' ==> 'footprint'\r
change -> stream5_udp: 'timeout' ==> 'session_timeout'\r
change -> suppress: 'gen_id' ==> 'gid'\r
change -> suppress: 'sig_id' ==> 'sid'\r
deleted -> attribute_table: '<STREAM_POLICY>noack</STREAM_POLICY>'\r
deleted -> attribute_table: '<STREAM_POLICY>unknown</STREAM_POLICY>'\r
deleted -> config ' cs_dir'\r
+deleted -> config ' daq_mode'\r
+deleted -> config ' decode_data_link'\r
deleted -> config ' disable_attribute_reload_thread'\r
deleted -> config ' disable_decode_alerts'\r
deleted -> config ' disable_decode_drops'\r
+deleted -> config ' disable_inline_init_failopen'\r
deleted -> config ' disable_ipopt_alerts'\r
deleted -> config ' disable_ipopt_drops'\r
deleted -> config ' disable_tcpopt_alerts'\r
deleted -> config ' include_vlan_in_alerts'\r
deleted -> config ' interface'\r
deleted -> config ' layer2resets'\r
-deleted -> config ' policy_version'\r
+deleted -> config ' log_ipv6_extra_data'\r
+deleted -> config ' nolog'\r
+deleted -> config ' protected_content'\r
+deleted -> config ' sidechannel'\r
deleted -> config ' so_rule_memcap'\r
+deleted -> config 'dynamicoutput'\r
+deleted -> config 'sfalert_unified2'\r
+deleted -> config 'sflog_unified2'\r
+deleted -> config 'sidechannel'\r
deleted -> csv: '<filename> can no longer be specific'\r
deleted -> csv: 'default'\r
deleted -> csv: 'trheader'\r
deleted -> detection: 'mwm'\r
+deleted -> dnp3: 'disabled'\r
+deleted -> dnp3: 'memcap'\r
deleted -> dns: 'enable_experimental_types'\r
deleted -> dns: 'enable_obsolete_types'\r
deleted -> dns: 'enable_rdata_overflow'\r
+deleted -> event_trace: 'file'\r
deleted -> fast: '<filename> can no longer be specific'\r
deleted -> frag3_engine: 'detect_anomalies'\r
deleted -> frag3_global: 'disabled'\r
deleted -> ftp_telnet_protocol: 'detect_anomalies'\r
deleted -> full: '<filename> can no longer be specific'\r
+deleted -> http_inspect: 'detect_anomalous_servers'\r
deleted -> http_inspect: 'disabled'\r
+deleted -> http_inspect: 'proxy_alert'\r
+deleted -> http_inspect_server: 'allow_proxy_use'\r
+deleted -> http_inspect_server: 'enable_cookie'\r
+deleted -> http_inspect_server: 'enable_xff'\r
+deleted -> http_inspect_server: 'extended_ascii_uri'\r
+deleted -> http_inspect_server: 'extended_response_inspection'\r
+deleted -> http_inspect_server: 'iis_unicode_map not allowed in sever'\r
+deleted -> http_inspect_server: 'inspect_uri_only'\r
+deleted -> http_inspect_server: 'log_hostname'\r
+deleted -> http_inspect_server: 'log_uri'\r
deleted -> http_inspect_server: 'no_alerts'\r
+deleted -> http_inspect_server: 'no_pipeline_req'\r
+deleted -> http_inspect_server: 'non_strict'\r
+deleted -> http_inspect_server: 'normalize_cookies'\r
+deleted -> http_inspect_server: 'normalize_headers'\r
+deleted -> http_inspect_server: 'small_chunk_length'\r
+deleted -> http_inspect_server: 'tab_uri_delimiter'\r
+deleted -> http_inspect_server: 'unlimited_decompress'\r
deleted -> imap: 'disabled'\r
deleted -> imap: 'max_mime_mem'\r
deleted -> imap: 'memcap'\r
+deleted -> nap_selector: 'fw_required'\r
+deleted -> nap_selector: 'nap_stats_time'\r
+deleted -> perfmonitor: 'accumulate'\r
deleted -> perfmonitor: 'atexitonly'\r
deleted -> perfmonitor: 'atexitonly: base-stats'\r
deleted -> perfmonitor: 'atexitonly: events-stats'\r
deleted -> perfmonitor: 'atexitonly: flow-ip-stats'\r
deleted -> perfmonitor: 'atexitonly: flow-stats'\r
+deleted -> perfmonitor: 'atexitonly: reset'\r
+deleted -> perfmonitor: 'events'\r
+deleted -> perfmonitor: 'max'\r
deleted -> pop: 'disabled'\r
deleted -> pop: 'max_mime_mem'\r
deleted -> pop: 'memcap'\r
deleted -> ppm: 'debug-pkts'\r
deleted -> react: 'block'\r
deleted -> react: 'warn'\r
+deleted -> reputation: 'shared_max_instances'\r
+deleted -> reputation: 'shared_refresh'\r
deleted -> rpc_decode: 'alert_fragments'\r
deleted -> rpc_decode: 'no_alert_incomplete'\r
deleted -> rpc_decode: 'no_alert_large_fragments'\r
deleted -> rpc_decode: 'no_alert_multiple_requests'\r
-deleted -> rule_state: 'action'\r
deleted -> sfportscan: 'detect_ack_scans'\r
deleted -> sfportscan: 'disabled'\r
deleted -> sfportscan: 'logfile'\r
+deleted -> sfportscan: 'sense_level'\r
+deleted -> sfunified2: 'mpls_event_types'\r
+deleted -> sfunified2: 'vlan_event_types'\r
deleted -> sip: 'disabled'\r
+deleted -> sip: 'max_sessions'\r
deleted -> smtp: 'alert_unknown_cmds'\r
deleted -> smtp: 'disabled'\r
deleted -> smtp: 'enable_mime_decoding'\r
deleted -> ssl: 'noinspect_encrypted'\r
deleted -> stream5_global: 'disabled'\r
deleted -> stream5_global: 'flush_on_alert'\r
+deleted -> stream5_global: 'memcap'\r
deleted -> stream5_global: 'no_midstream_drop_alerts'\r
deleted -> stream5_tcp: 'check_session_hijacking'\r
deleted -> stream5_tcp: 'detect_anomalies'\r
deleted -> stream5_tcp: 'dont_store_large_packets'\r
+deleted -> stream5_tcp: 'ignore_any_rules'\r
+deleted -> stream5_tcp: 'log_asymmetric_traffic'\r
deleted -> stream5_tcp: 'policy noack'\r
deleted -> stream5_tcp: 'policy unknown'\r
+deleted -> stream5_udp: 'ignore_any_rules'\r
deleted -> tcpdump: '<filename> can no longer be specific'\r
deleted -> test: 'file'\r
deleted -> test: 'stdout'\r
-deleted -> unified2: 'filename'</code></pre>\r
+deleted -> unified2: 'filename'\r
+deleted -> unified2: 'mpls_event_types'\r
+deleted -> unified2: 'vlan_event_types'</code></pre>\r
</div></div>\r
</div>\r
<div class="sect2">\r
</li>\r
<li>\r
<p>\r
+<strong>alert_talos</strong> (logger): output event in Talos alert format\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>alert_unixsock</strong> (logger): output event over unix socket\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>mem_test</strong> (inspector): for testing memory management\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>memory</strong> (basic): memory management configuration\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>rule_state</strong> (basic): enable/disable specific IPS rules\r
+<strong>rule_state</strong> (basic): enable/disable and set actions for specific IPS rules\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>inspector::mem_test</strong>: for testing memory management\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>inspector::modbus</strong>: modbus inspection\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>logger::alert_talos</strong>: output event in Talos alert format\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>logger::alert_unixsock</strong>: output event over unix socket\r
</p>\r
</li>\r
</ol></div>\r
</div>\r
</div>\r
+<div class="sect2">\r
+<h3 id="_limitations">Limitations</h3>\r
+<div class="sect3">\r
+<h4 id="_reload_limitations">Reload limitations</h4>\r
+<div class="paragraph"><p>The following parameters can’t be changed during reload, and require a restart:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+active.attempts\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+active.device\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+alerts.detection_filter_memcap\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+alerts.event_filter_memcap\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+alerts.rate_filter_memcap\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+attribute_table.max_hosts\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+attribute_table.max_services_per_host\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+daq.snaplen\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+daq.no_promisc\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+detection.asn1\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+file_id.max_files_cached\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+port_scan.memcap\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+process.chroot\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+process.daemon\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+process.set_gid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+process.set_uid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+stream.footprint\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+stream.ip_cache.max_sessions\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+stream.ip_cache.pruning_timeout\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+stream.ip_cache.idle_timeout\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+stream.icmp_cache.max_sessions\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+stream.icmp_cache.pruning_timeout\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+stream.icmp_cache.idle_timeout\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+stream.tcp_cache.max_sessions\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+stream.tcp_cache.pruning_timeout\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+stream.tcp_cache.idle_timeout\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+stream.udp_cache.max_sessions\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+stream.udp_cache.pruning_timeout\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+stream.udp_cache.idle_timeout\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+stream.user_cache.max_sessions\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+stream.user_cache.pruning_timeout\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+stream.user_cache.idle_timeout\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+stream.file_cache.max_sessions\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+stream.file_cache.pruning_timeout\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+stream.file_cache.idle_timeout\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>In addition, the following scenarios require a restart:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+Enabling file capture for the first time\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Changing file_id.capture_memcap if file capture was previously or currently\r
+ enabled\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Changing file_id.capture_block_size if file capture was previously or\r
+ currently enabled\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Adding/removing stream_* inspectors if stream was already configured\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>In all of these cases reload will fail with the following message: "reload\r
+ failed - restart required". The original config will remain in use.</p></div>\r
+</div>\r
+</div>\r
</div>\r
</div>\r
</div>\r
<div id="footnotes"><hr /></div>\r
<div id="footer">\r
<div id="footer-text">\r
-Last updated 2018-12-06 14:30:46 EST\r
+Last updated\r
+ 2019-03-31 01:50:27 EDT\r
</div>\r
</div>\r
</body>\r
9.21. http2_inspect
9.22. http_inspect
9.23. imap
- 9.24. modbus
- 9.25. normalizer
- 9.26. packet_capture
- 9.27. perf_monitor
- 9.28. pop
- 9.29. port_scan
- 9.30. reg_test
- 9.31. reputation
- 9.32. rpc_decode
- 9.33. sip
- 9.34. smtp
- 9.35. ssh
- 9.36. ssl
- 9.37. stream
- 9.38. stream_file
- 9.39. stream_icmp
- 9.40. stream_ip
- 9.41. stream_tcp
- 9.42. stream_udp
- 9.43. stream_user
- 9.44. telnet
- 9.45. wizard
+ 9.24. mem_test
+ 9.25. modbus
+ 9.26. normalizer
+ 9.27. packet_capture
+ 9.28. perf_monitor
+ 9.29. pop
+ 9.30. port_scan
+ 9.31. reg_test
+ 9.32. reputation
+ 9.33. rpc_decode
+ 9.34. sip
+ 9.35. smtp
+ 9.36. ssh
+ 9.37. ssl
+ 9.38. stream
+ 9.39. stream_file
+ 9.40. stream_icmp
+ 9.41. stream_ip
+ 9.42. stream_tcp
+ 9.43. stream_udp
+ 9.44. stream_user
+ 9.45. telnet
+ 9.46. wizard
10. IPS Action Modules
14.5. alert_json
14.6. alert_sfsocket
14.7. alert_syslog
- 14.8. alert_unixsock
- 14.9. log_codecs
- 14.10. log_hext
- 14.11. log_pcap
- 14.12. unified2
+ 14.8. alert_talos
+ 14.9. alert_unixsock
+ 14.10. log_codecs
+ 14.11. log_hext
+ 14.12. log_pcap
+ 14.13. unified2
15. DAQ Configuration and Modules
20.11. Module Listing
20.12. Plugin Listing
20.13. LibDAQ and DAQ Modules
+ 20.14. Limitations
Snorty
,,_ -*> Snort++ <*-
-o" )~ Version 3.0.0 (Build 250) from 2.9.11
+o" )~ Version 3.0.0 (Build 251) from 2.9.11
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
- Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
+ Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
UTF16-LE filenames to UTF8 (usually included in glibc)
* lzma >= 5.1.2 from http://tukaani.org/xz/ for decompression of
SWF and PDF files
- * safec from https://sourceforge.net/projects/safeclib/ for runtime
- bounds checks on certain legacy C-library calls
+ * safec from https://github.com/rurban/safeclib/ for runtime bounds
+ checks on certain legacy C-library calls
* source-highlight from http://www.gnu.org/software/src-highlite/
to generate the dev guide
* w3m from http://sourceforge.net/projects/w3m/ to build the plain
* bool alerts.alert_with_interface_name = false: include interface
in alert info (fast, full, or syslog only)
- * bool alerts.default_rule_state = true: enable or disable ips
- rules
* int alerts.detection_filter_memcap = 1048576: set available MB of
memory for detection_filters { 0:max32 }
* int alerts.event_filter_memcap = 1048576: set available MB of
Configuration:
* int detection.asn1 = 0: maximum decode nodes { 0:65535 }
+ * bool detection.global_default_rule_state = true: enable or
+ disable rules by default (overridden by ips policy settings)
+ * bool detection.global_rule_state = false: apply rule_state
+ against all policies
* int detection.offload_limit = 99999: minimum sizeof PDU to
offload fast pattern search (defaults to disabled) { 0:max32 }
* int detection.offload_threads = 0: maximum number of simultaneous
* detection.event_limit: events filtered (sum)
* detection.alert_limit: events previously triggered on same PDU
(sum)
+ * detection.context_stalls: times processing stalled to wait for an
+ available context (sum)
6.8. event_filter
Configuration:
+ * enum ips.default_rule_state = inherit: enable or disable ips
+ rules { false | true | inherit }
* bool ips.enable_builtin_rules = false: enable events from builtin
rules w/o stubs
* int ips.id = 0: correlate unified2 events with configuration {
* string ips.include: legacy snort rules and includes
* enum ips.mode: set policy mode { tap | inline | inline-test }
* string ips.rules: snort rules and includes
+ * bool ips.obfuscate_pii = false: mask all but the last 4
+ characters of credit card and social security numbers
* string ips.uuid = 00000000-0000-0000-0000-000000000000: IPS
policy uuid
* int memory.cap = 0: set the per-packet-thread cap on memory
(bytes, 0 to disable) { 0:maxSZ }
- * bool memory.soft = false: always succeed in allocating memory,
- even if above the cap
* int memory.threshold = 0: set the per-packet-thread threshold for
preemptive cleanup actions (percent, 0 to disable) { 0:100 }
+Peg counts:
+
+ * memory.allocations: total number of allocations (now)
+ * memory.deallocations: total number of deallocations (now)
+ * memory.allocated: total amount of memory allocated (now)
+ * memory.deallocated: total amount of memory allocated (now)
+ * memory.reap_attempts: attempts to reclaim memory (now)
+ * memory.reap_failures: failures to reclaim memory (now)
+ * memory.max_in_use: highest allocated - deallocated (max)
+ * memory.total_fudge: sum of all adjustments (now)
+
6.18. network
* bool output.quiet = false: suppress non-fatal information (still
show alerts, same as -q)
* string output.logdir = .: where to put log files (same as -l)
- * bool output.obfuscate = false: obfuscate the logged IP addresses
- (same as -O)
- * bool output.obfuscate_pii = false: mask all but the last 4
- characters of credit card and social security numbers
* bool output.show_year = false: include year in timestamp in the
alert and log files (same as -y)
* int output.tagged_packet_limit = 256: maximum number of packets
tagged for non-packet metrics { 0:max32 }
* bool output.verbose = false: be verbose (same as -v)
+ * bool output.obfuscate = false: obfuscate the logged IP addresses
+ (same as -O)
* bool output.wide_hex_dump = false: output 20 bytes per lines
instead of 16 when dumping buffers
--------------
-What: enable/disable specific IPS rules
+What: enable/disable and set actions for specific IPS rules
Type: basic
Configuration:
- * int rule_state[].gid = 0: rule generator ID { 0:max32 }
- * int rule_state[].sid = 0: rule signature ID { 0:max32 }
- * bool rule_state[].enable = true: enable or disable rule in all
- policies
+ * enum rule_state.([0-9]+):([0-9]+).action = inherit: apply action
+ if rule matches or inherit from rule definition { log | pass |
+ alert | drop | block | reset | inherit }
+ * enum rule_state.([0-9]+):([0-9]+).enable = inherit: enable or
+ disable rule in current ips policy or use default defined by ips
+ policy { false | true | inherit }
6.27. search_engine
algorithm - choose available search engine { ac_banded | ac_bnfa
| ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan |
lowmem }
+ * dynamic search_engine.offload_search_method: set fast pattern
+ offload algorithm - choose available search engine { ac_banded |
+ ac_bnfa | ac_full | ac_sparse | ac_sparse_bands | ac_std |
+ hyperscan | lowmem }
* bool search_engine.search_optimize = true: tweak state machine
construction for better performance
* bool search_engine.show_fast_patterns = false: print fast pattern
Configuration:
- * int appid.memcap = 0: disregard - not implemented { 0:maxSZ }
+ * int appid.memcap = 1048576: max size of the service cache before
+ we start pruning the cache { 1024:maxSZ }
* bool appid.log_stats = false: enable logging of appid statistics
* int appid.app_stats_period = 300: time period for collecting and
- logging appid statistics { 0:max32 }
+ logging appid statistics { 1:max32 }
* int appid.app_stats_rollover_size = 20971520: max file size for
appid stats before rolling over the log file { 0:max32 }
* int appid.app_stats_rollover_time = 86400: max time period for
* bit_list binder[].when.src_ports: list of source ports { 65535 }
* bit_list binder[].when.dst_ports: list of destination ports {
65535 }
- * int binder[].when.src_zone: source zone { 0:max31 }
- * int binder[].when.dst_zone: destination zone { 0:max31 }
+ * bit_list binder[].when.zones: zones { 63 }
+ * bit_list binder[].when.src_zone: source zone { 63 }
+ * bit_list binder[].when.dst_zone: destination zone { 63 }
* enum binder[].when.role = any: use the given configuration on one
or any end of a session { client | server | any }
* string binder[].when.service: override default configuration
Configuration:
+ * bool dce_smb.limit_alerts = true: limit DCE alert to at most one
+ per signature per flow
* bool dce_smb.disable_defrag = false: disable DCE/RPC
defragmentation
* int dce_smb.max_frag_len = 65535: maximum fragment size for
Configuration:
+ * bool dce_tcp.limit_alerts = true: limit DCE alert to at most one
+ per signature per flow
* bool dce_tcp.disable_defrag = false: disable DCE/RPC
defragmentation
* int dce_tcp.max_frag_len = 65535: maximum fragment size for
Configuration:
+ * bool dce_udp.limit_alerts = true: limit DCE alert to at most one
+ per signature per flow
* bool dce_udp.disable_defrag = false: disable DCE/RPC
defragmentation
* int dce_udp.max_frag_len = 65535: maximum fragment size for
response bodies
* bool http_inspect.decompress_swf = false: decompress swf files in
response bodies
+ * bool http_inspect.decompress_zip = false: decompress zip files in
+ response bodies
* bool http_inspect.normalize_javascript = false: normalize
javascript in response bodies
* int http_inspect.max_javascript_whitespaces = 200: maximum
* 119:226 (http_inspect) unknown Content-Encoding used
* 119:227 (http_inspect) multiple Content-Encodings applied
* 119:228 (http_inspect) server response before client request
- * 119:229 (http_inspect) PDF/SWF decompression of server response
- too big
+ * 119:229 (http_inspect) PDF/SWF/ZIP decompression of server
+ response too big
* 119:230 (http_inspect) nonprinting character in HTTP message
header name
* 119:231 (http_inspect) bad Content-Length value in HTTP header
limit) { -1:65535 }
* int imap.bitenc_decode_depth = 1460: non-Encoded MIME attachment
extraction depth (-1 no limit) { -1:65535 }
+ * bool imap.decompress_pdf = false: decompress pdf files in MIME
+ attachments
+ * bool imap.decompress_swf = false: decompress swf files in MIME
+ attachments
+ * bool imap.decompress_zip = false: decompress zip files in MIME
+ attachments
* int imap.qp_decode_depth = 1460: quoted Printable decoding depth
(-1 no limit) { -1:65535 }
* int imap.uu_decode_depth = 1460: Unix-to-Unix decoding depth (-1
* 141:4 (imap) base64 decoding failed
* 141:5 (imap) quoted-printable decoding failed
* 141:7 (imap) Unix-to-Unix decoding failed
+ * 141:8 (imap) file decompression failed
Peg counts:
* imap.non_encoded_bytes: total non-encoded extracted bytes (sum)
-9.24. modbus
+9.24. mem_test
+
+--------------
+
+What: for testing memory management
+
+Type: inspector
+
+Usage: inspect
+
+Peg counts:
+
+ * mem_test.packets: total packets (sum)
+
+
+9.25. modbus
--------------
sessions (max)
-9.25. normalizer
+9.26. normalizer
--------------
* normalizer.tcp_block: blocked segments (sum)
-9.26. packet_capture
+9.27. packet_capture
--------------
filter (sum)
-9.27. perf_monitor
+9.28. perf_monitor
--------------
* perf_monitor.packets: total packets (sum)
-9.28. pop
+9.29. pop
--------------
limit) { -1:65535 }
* int pop.bitenc_decode_depth = 1460: Non-Encoded MIME attachment
extraction depth (-1 no limit) { -1:65535 }
+ * bool pop.decompress_pdf = false: decompress pdf files in MIME
+ attachments
+ * bool pop.decompress_swf = false: decompress swf files in MIME
+ attachments
+ * bool pop.decompress_zip = false: decompress zip files in MIME
+ attachments
* int pop.qp_decode_depth = 1460: Quoted Printable decoding depth
(-1 no limit) { -1:65535 }
* int pop.uu_decode_depth = 1460: Unix-to-Unix decoding depth (-1
* 142:4 (pop) base64 decoding failed
* 142:5 (pop) quoted-printable decoding failed
* 142:7 (pop) Unix-to-Unix decoding failed
+ * 142:8 (pop) file decompression failed
Peg counts:
* pop.non_encoded_bytes: total non-encoded extracted bytes (sum)
-9.29. port_scan
+9.30. port_scan
--------------
* port_scan.packets: total packets (sum)
-9.30. reg_test
+9.31. reg_test
--------------
* reg_test.retry_packets: total retried packets received (sum)
-9.31. reputation
+9.32. reputation
--------------
* reputation.memory_allocated: total memory allocated (sum)
-9.32. rpc_decode
+9.33. rpc_decode
--------------
sessions (max)
-9.33. sip
+9.34. sip
--------------
* sip.code_9xx: 9xx (sum)
-9.34. smtp
+9.35. smtp
--------------
non-encoded MIME attachments (-1 no limit) { -1:65535 }
* string smtp.data_cmds: commands that initiate sending of data
with an end of data delimiter
+ * bool smtp.decompress_pdf = false: decompress pdf files in MIME
+ attachments
+ * bool smtp.decompress_swf = false: decompress swf files in MIME
+ attachments
+ * bool smtp.decompress_zip = false: decompress zip files in MIME
+ attachments
* int smtp.email_hdrs_log_depth = 1464: depth for logging email
headers { 0:20480 }
* bool smtp.ignore_data = false: ignore data section of mail
* 124:13 (smtp) Unix-to-Unix decoding failed
* 124:14 (smtp) Cyrus SASL authentication attack
* 124:15 (smtp) attempted authentication command buffer overflow
+ * 124:16 (smtp) file decompression failed
Peg counts:
* smtp.non_encoded_bytes: total non-encoded extracted bytes (sum)
-9.35. ssh
+9.36. ssh
--------------
(max)
-9.36. ssl
+9.37. ssl
--------------
(max)
-9.37. stream
+9.38. stream
--------------
before being eligible for pruning { 1:max32 }
* int stream.ip_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 }
+ * int stream.ip_cache.cap_weight = 64: additional bytes to track
+ per flow for better estimation against cap { 0:65535 }
* int stream.icmp_cache.max_sessions = 65536: maximum simultaneous
sessions tracked before pruning { 2:max32 }
* int stream.icmp_cache.pruning_timeout = 30: minimum inactive time
before being eligible for pruning { 1:max32 }
* int stream.icmp_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 }
+ * int stream.icmp_cache.cap_weight = 8: additional bytes to track
+ per flow for better estimation against cap { 0:65535 }
* int stream.tcp_cache.max_sessions = 262144: maximum simultaneous
sessions tracked before pruning { 2:max32 }
* int stream.tcp_cache.pruning_timeout = 30: minimum inactive time
before being eligible for pruning { 1:max32 }
* int stream.tcp_cache.idle_timeout = 3600: maximum inactive time
before retiring session tracker { 1:max32 }
+ * int stream.tcp_cache.cap_weight = 11500: additional bytes to
+ track per flow for better estimation against cap { 0:65535 }
* int stream.udp_cache.max_sessions = 131072: maximum simultaneous
sessions tracked before pruning { 2:max32 }
* int stream.udp_cache.pruning_timeout = 30: minimum inactive time
before being eligible for pruning { 1:max32 }
* int stream.udp_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 }
+ * int stream.udp_cache.cap_weight = 128: additional bytes to track
+ per flow for better estimation against cap { 0:65535 }
* int stream.user_cache.max_sessions = 1024: maximum simultaneous
sessions tracked before pruning { 2:max32 }
* int stream.user_cache.pruning_timeout = 30: minimum inactive time
before being eligible for pruning { 1:max32 }
* int stream.user_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 }
+ * int stream.user_cache.cap_weight = 256: additional bytes to track
+ per flow for better estimation against cap { 0:65535 }
* int stream.file_cache.max_sessions = 128: maximum simultaneous
sessions tracked before pruning { 2:max32 }
* int stream.file_cache.pruning_timeout = 30: minimum inactive time
before being eligible for pruning { 1:max32 }
* int stream.file_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 }
+ * int stream.file_cache.cap_weight = 32: additional bytes to track
+ per flow for better estimation against cap { 0:65535 }
* int stream.trace: mask for enabling debug traces in module {
0:max53 }
sync (sum)
-9.38. stream_file
+9.39. stream_file
--------------
* bool stream_file.upload = false: indicate file transfer direction
-9.39. stream_icmp
+9.40. stream_icmp
--------------
* stream_icmp.prunes: icmp session prunes (sum)
-9.40. stream_ip
+9.41. stream_ip
--------------
* stream_ip.fragmented_bytes: total fragmented bytes (sum)
-9.41. stream_tcp
+9.42. stream_tcp
--------------
small segments queued { 0:2048 }
* int stream_tcp.session_timeout = 30: session tracking timeout {
1:max31 }
+ * bool stream_tcp.track_only = false: disable reassembly if true
Rules:
* stream_tcp.fins: number of fin packets (sum)
-9.42. stream_udp
+9.43. stream_udp
--------------
* stream_udp.ignored: udp packets ignored (sum)
-9.43. stream_user
+9.44. stream_user
--------------
0:max53 }
-9.44. telnet
+9.45. telnet
--------------
sessions (max)
-9.45. wizard
+9.46. wizard
--------------
cons | ndelay | perror | pid }
-14.8. alert_unixsock
+14.8. alert_talos
+
+--------------
+
+What: output event in Talos alert format
+
+Type: logger
+
+Usage: context
+
+
+14.9. alert_unixsock
--------------
Usage: context
-14.9. log_codecs
+14.10. log_codecs
--------------
* bool log_codecs.msg = false: include alert msg
-14.10. log_hext
+14.11. log_hext
--------------
0:max32 }
-14.11. log_pcap
+14.12. log_pcap
--------------
is unlimited) { 0:maxSZ }
-14.12. unified2
+14.13. unified2
--------------
* --dont-parse-includes Same as -p. if <snort_conf> file contains
any <include_file> or <policy_file> (i.e. include path/to/conf/
other_conf), do NOT parse those files
+ * --dont-convert-max-sessions do not convert max_tcp, max_udp,
+ max_icmp, max_ip to max_session
* --error-file=<error_file> Same as -e. output all errors to
<error_file>
* --help Same as -h. this overview of snort2lua
character sequence
* bool alerts.alert_with_interface_name = false: include interface
in alert info (fast, full, or syslog only)
- * bool alerts.default_rule_state = true: enable or disable ips
- rules
* int alerts.detection_filter_memcap = 1048576: set available MB of
memory for detection_filters { 0:max32 }
* int alerts.event_filter_memcap = 1048576: set available MB of
* string appid.app_detector_dir: directory to load appid detectors
from
* int appid.app_stats_period = 300: time period for collecting and
- logging appid statistics { 0:max32 }
+ logging appid statistics { 1:max32 }
* int appid.app_stats_rollover_size = 20971520: max file size for
appid stats before rolling over the log file { 0:max32 }
* int appid.app_stats_rollover_time = 86400: max time period for
* bool appid.log_all_sessions = false: enable logging of all appid
sessions
* bool appid.log_stats = false: enable logging of appid statistics
- * int appid.memcap = 0: disregard - not implemented { 0:maxSZ }
+ * int appid.memcap = 1048576: max size of the service cache before
+ we start pruning the cache { 1024:maxSZ }
* string appids.~: comma separated list of application names
* bool appid.tp_appid_config_dump: print third party configuration
on startup
* addr_list binder[].when.dst_nets: list of destination networks
* bit_list binder[].when.dst_ports: list of destination ports {
65535 }
- * int binder[].when.dst_zone: destination zone { 0:max31 }
+ * bit_list binder[].when.dst_zone: destination zone { 63 }
* bit_list binder[].when.ifaces: list of interface indices { 255 }
* int binder[].when.ips_policy_id = 0: unique ID for selection of
this config by external logic { 0:max32 }
* string binder[].when.service: override default configuration
* addr_list binder[].when.src_nets: list of source networks
* bit_list binder[].when.src_ports: list of source ports { 65535 }
- * int binder[].when.src_zone: source zone { 0:max31 }
+ * bit_list binder[].when.src_zone: source zone { 63 }
* bit_list binder[].when.vlans: list of VLAN IDs { 4095 }
+ * bit_list binder[].when.zones: zones { 63 }
* interval bufferlen.~range: check that length of current buffer is
in given range { 0:65535 }
* int byte_extract.align = 0: round the number of converted bytes
list
* bool dce_smb.disable_defrag = false: disable DCE/RPC
defragmentation
+ * bool dce_smb.limit_alerts = true: limit DCE alert to at most one
+ per signature per flow
* int dce_smb.max_frag_len = 65535: maximum fragment size for
defragmentation { 1514:65535 }
* enum dce_smb.policy = WinXP: target based policy to use { Win2000
v2 | all }
* bool dce_tcp.disable_defrag = false: disable DCE/RPC
defragmentation
+ * bool dce_tcp.limit_alerts = true: limit DCE alert to at most one
+ per signature per flow
* int dce_tcp.max_frag_len = 65535: maximum fragment size for
defragmentation { 1514:65535 }
* enum dce_tcp.policy = WinXP: target based policy to use { Win2000
before performing reassembly { 0:65535 }
* bool dce_udp.disable_defrag = false: disable DCE/RPC
defragmentation
+ * bool dce_udp.limit_alerts = true: limit DCE alert to at most one
+ per signature per flow
* int dce_udp.max_frag_len = 65535: maximum fragment size for
defragmentation { 1514:65535 }
* int dce_udp.trace: mask for enabling debug traces in module {
1:max32 }
* enum detection_filter.track: track hits by source or destination
IP address { by_src | by_dst }
+ * bool detection.global_default_rule_state = true: enable or
+ disable rules by default (overridden by ips policy settings)
+ * bool detection.global_rule_state = false: apply rule_state
+ against all policies
* int detection.offload_limit = 99999: minimum sizeof PDU to
offload fast pattern search (defaults to disabled) { 0:max32 }
* int detection.offload_threads = 0: maximum number of simultaneous
response bodies
* bool http_inspect.decompress_swf = false: decompress swf files in
response bodies
+ * bool http_inspect.decompress_zip = false: decompress zip files in
+ response bodies
* string http_inspect.ignore_unreserved: do not alert when the
specified unreserved characters are percent-encoded in a
URI.Unreserved characters are 0-9, a-z, A-Z, period, underscore,
limit) { -1:65535 }
* int imap.bitenc_decode_depth = 1460: non-Encoded MIME attachment
extraction depth (-1 no limit) { -1:65535 }
+ * bool imap.decompress_pdf = false: decompress pdf files in MIME
+ attachments
+ * bool imap.decompress_swf = false: decompress swf files in MIME
+ attachments
+ * bool imap.decompress_zip = false: decompress zip files in MIME
+ attachments
* int imap.qp_decode_depth = 1460: quoted Printable decoding depth
(-1 no limit) { -1:65535 }
* int imap.uu_decode_depth = 1460: Unix-to-Unix decoding depth (-1
* select ipopts.~opt: output format { rr|eol|nop|ts|sec|esec|lsrr|
lsrre|ssrr|satid|any }
* string ip_proto.~proto: [!|>|<] name or number
+ * enum ips.default_rule_state = inherit: enable or disable ips
+ rules { false | true | inherit }
* bool ips.enable_builtin_rules = false: enable events from builtin
rules w/o stubs
* int ips.id = 0: correlate unified2 events with configuration {
0:65535 }
* string ips.include: legacy snort rules and includes
* enum ips.mode: set policy mode { tap | inline | inline-test }
+ * bool ips.obfuscate_pii = false: mask all but the last 4
+ characters of credit card and social security numbers
* string ips.rules: snort rules and includes
* string ips.uuid = 00000000-0000-0000-0000-000000000000: IPS
policy uuid
of buffer
* int memory.cap = 0: set the per-packet-thread cap on memory
(bytes, 0 to disable) { 0:maxSZ }
- * bool memory.soft = false: always succeed in allocating memory,
- even if above the cap
* int memory.threshold = 0: set the per-packet-thread threshold for
preemptive cleanup actions (percent, 0 to disable) { 0:100 }
* string metadata.*: comma-separated list of arbitrary name value
* string output.logdir = .: where to put log files (same as -l)
* bool output.obfuscate = false: obfuscate the logged IP addresses
(same as -O)
- * bool output.obfuscate_pii = false: mask all but the last 4
- characters of credit card and social security numbers
* bool output.quiet = false: suppress non-fatal information (still
show alerts, same as -q)
* bool output.show_year = false: include year in timestamp in the
limit) { -1:65535 }
* int pop.bitenc_decode_depth = 1460: Non-Encoded MIME attachment
extraction depth (-1 no limit) { -1:65535 }
+ * bool pop.decompress_pdf = false: decompress pdf files in MIME
+ attachments
+ * bool pop.decompress_swf = false: decompress swf files in MIME
+ attachments
+ * bool pop.decompress_zip = false: decompress zip files in MIME
+ attachments
* int pop.qp_decode_depth = 1460: Quoted Printable decoding depth
(-1 no limit) { -1:65535 }
* int pop.uu_decode_depth = 1460: Unix-to-Unix decoding depth (-1
* int rpc.~app: application number { 0:max32 }
* string rpc.~proc: procedure number or * for any
* string rpc.~ver: version number or * for any
- * bool rule_state[].enable = true: enable or disable rule in all
- policies
- * int rule_state[].gid = 0: rule generator ID { 0:max32 }
- * int rule_state[].sid = 0: rule signature ID { 0:max32 }
+ * enum rule_state.([0-9]+):([0-9]+).action = inherit: apply action
+ if rule matches or inherit from rule definition { log | pass |
+ alert | drop | block | reset | inherit }
+ * enum rule_state.([0-9]+):([0-9]+).enable = inherit: enable or
+ disable rule in current ips policy or use default defined by ips
+ policy { false | true | inherit }
* string sd_pattern.~pattern: The pattern to search for
* int sd_pattern.threshold = 1: number of matches before alerting {
1:max32 }
compiling into state machine (0 means no maximum) { 0:max32 }
* int search_engine.max_queue_events = 5: maximum number of
matching fast pattern states to queue per packet { 2:100 }
+ * dynamic search_engine.offload_search_method: set fast pattern
+ offload algorithm - choose available search engine { ac_banded |
+ ac_bnfa | ac_full | ac_sparse | ac_sparse_bands | ac_std |
+ hyperscan | lowmem }
* dynamic search_engine.search_method = ac_bnfa: set fast pattern
algorithm - choose available search engine { ac_banded | ac_bnfa
| ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan |
non-encoded MIME attachments (-1 no limit) { -1:65535 }
* string smtp.data_cmds: commands that initiate sending of data
with an end of data delimiter
+ * bool smtp.decompress_pdf = false: decompress pdf files in MIME
+ attachments
+ * bool smtp.decompress_swf = false: decompress swf files in MIME
+ attachments
+ * bool smtp.decompress_zip = false: decompress zip files in MIME
+ attachments
* int smtp.email_hdrs_log_depth = 1464: depth for logging email
headers { 0:20480 }
* bool smtp.ignore_data = false: ignore data section of mail
* implied ssl_version.!tls1.2: check for records that are not
tls1.2
* implied ssl_version.tls1.2: check for tls1.2
+ * int stream.file_cache.cap_weight = 32: additional bytes to track
+ per flow for better estimation against cap { 0:65535 }
* int stream.file_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 }
* int stream.file_cache.max_sessions = 128: maximum simultaneous
* bool stream_file.upload = false: indicate file transfer direction
* int stream.footprint = 0: use zero for production, non-zero for
testing at given size (for TCP and user) { 0:max32 }
+ * int stream.icmp_cache.cap_weight = 8: additional bytes to track
+ per flow for better estimation against cap { 0:65535 }
* int stream.icmp_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 }
* int stream.icmp_cache.max_sessions = 65536: maximum simultaneous
before being eligible for pruning { 1:max32 }
* int stream_icmp.session_timeout = 30: session tracking timeout {
1:max31 }
+ * int stream.ip_cache.cap_weight = 64: additional bytes to track
+ per flow for better estimation against cap { 0:65535 }
* int stream.ip_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 }
* int stream.ip_cache.max_sessions = 16384: maximum simultaneous
direction(s) { either|to_server|to_client|both }
* interval stream_size.~range: check if the stream size is in the
given range { 0: }
+ * int stream.tcp_cache.cap_weight = 11500: additional bytes to
+ track per flow for better estimation against cap { 0:65535 }
* int stream.tcp_cache.idle_timeout = 3600: maximum inactive time
before retiring session tracker { 1:max32 }
* int stream.tcp_cache.max_sessions = 262144: maximum simultaneous
segments queued { 0:2048 }
* int stream_tcp.small_segments.maximum_size = 0: limit number of
small segments queued { 0:2048 }
+ * bool stream_tcp.track_only = false: disable reassembly if true
* int stream.trace: mask for enabling debug traces in module {
0:max53 }
+ * int stream.udp_cache.cap_weight = 128: additional bytes to track
+ per flow for better estimation against cap { 0:65535 }
* int stream.udp_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 }
* int stream.udp_cache.max_sessions = 131072: maximum simultaneous
before being eligible for pruning { 1:max32 }
* int stream_udp.session_timeout = 30: session tracking timeout {
1:max31 }
+ * int stream.user_cache.cap_weight = 256: additional bytes to track
+ per flow for better estimation against cap { 0:65535 }
* int stream.user_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 }
* int stream.user_cache.max_sessions = 1024: maximum simultaneous
* detection.analyzed: packets sent to detection (now)
* detection.body_searches: fast pattern searches in body buffer
(sum)
+ * detection.context_stalls: times processing stalled to wait for an
+ available context (sum)
* detection.cooked_searches: fast pattern searches in cooked packet
data (sum)
* detection.event_limit: events filtered (sum)
* latency.total_packets: total packets monitored (sum)
* latency.total_rule_evals: total rule evals monitored (sum)
* latency.total_usecs: total usecs elapsed (sum)
+ * memory.allocated: total amount of memory allocated (now)
+ * memory.allocations: total number of allocations (now)
+ * memory.deallocated: total amount of memory allocated (now)
+ * memory.deallocations: total number of deallocations (now)
+ * memory.max_in_use: highest allocated - deallocated (max)
+ * memory.reap_attempts: attempts to reclaim memory (now)
+ * memory.reap_failures: failures to reclaim memory (now)
+ * memory.total_fudge: sum of all adjustments (now)
+ * mem_test.packets: total packets (sum)
* modbus.concurrent_sessions: total concurrent modbus sessions
(now)
* modbus.frames: total Modbus messages (sum)
* 119:226 (http_inspect) unknown Content-Encoding used
* 119:227 (http_inspect) multiple Content-Encodings applied
* 119:228 (http_inspect) server response before client request
- * 119:229 (http_inspect) PDF/SWF decompression of server response
- too big
+ * 119:229 (http_inspect) PDF/SWF/ZIP decompression of server
+ response too big
* 119:230 (http_inspect) nonprinting character in HTTP message
header name
* 119:231 (http_inspect) bad Content-Length value in HTTP header
* 124:13 (smtp) Unix-to-Unix decoding failed
* 124:14 (smtp) Cyrus SASL authentication attack
* 124:15 (smtp) attempted authentication command buffer overflow
+ * 124:16 (smtp) file decompression failed
* 125:1 (ftp_server) TELNET cmd on FTP command channel
* 125:2 (ftp_server) invalid FTP command
* 125:3 (ftp_server) FTP command parameters were too long
* 141:4 (imap) base64 decoding failed
* 141:5 (imap) quoted-printable decoding failed
* 141:7 (imap) Unix-to-Unix decoding failed
+ * 141:8 (imap) file decompression failed
* 142:1 (pop) unknown POP3 command
* 142:2 (pop) unknown POP3 response
* 142:4 (pop) base64 decoding failed
* 142:5 (pop) quoted-printable decoding failed
* 142:7 (pop) Unix-to-Unix decoding failed
+ * 142:8 (pop) file decompression failed
* 143:1 (gtp_inspect) message length is invalid
* 143:2 (gtp_inspect) information element length is invalid
* 143:3 (gtp_inspect) information elements are out of order
change -> dynamicengine ==> 'snort.--plugin_path=<path>'
change -> dynamicpreprocessor ==> 'snort.--plugin_path=<path>'
change -> dynamicsidechannel ==> 'snort.--plugin_path=<path>'
-change -> alertfile: 'config alertfile:' ==> 'alert_fast.file'
-change -> alertfile: 'config alertfile:' ==> 'alert_full.file'
change -> attribute_table: 'STREAM_POLICY' ==> 'hosts: tcp_policy'
change -> attribute_table: 'filename <file_name>' ==> 'hosts[]'
change -> config ' addressspace_agnostic' ==> ' packets. address_space_agnostic'
change -> config ' checksum_mode' ==> ' network. checksum_eval'
-change -> config ' daq' ==> ' daq. type'
-change -> config ' daq_dir' ==> ' daq. dir'
-change -> config ' daq_mode' ==> ' daq. mode'
-change -> config ' daq_var' ==> ' daq. var'
+change -> config ' daq' ==> ' daq. module'
+change -> config ' daq_dir' ==> ' daq. module_dirs, true'
+change -> config ' daq_var' ==> ' daq. variables, true'
change -> config ' detection_filter' ==> ' alerts. detection_filter_memcap'
change -> config ' enable_deep_teredo_inspection' ==> ' udp. deep_teredo_inspection'
change -> config ' event_filter' ==> ' alerts. event_filter_memcap'
change -> config ' rate_filter' ==> ' alerts. rate_filter_memcap'
change -> config ' react' ==> ' react. page'
change -> config ' threshold' ==> ' alerts. event_filter_memcap'
-change -> csv: 'dgmlen' ==> 'dgm_len'
+change -> converter: 'gen_id' ==> 'gid'
+change -> converter: 'sid_id' ==> 'sid'
+change -> csv: 'csv' ==> 'fields'
+change -> csv: 'dgmlen' ==> 'pkt_len'
change -> csv: 'dst' ==> 'dst_addr'
change -> csv: 'dstport' ==> 'dst_port'
change -> csv: 'ethdst' ==> 'eth_dst'
change -> csv: 'icmpid' ==> 'icmp_id'
change -> csv: 'icmpseq' ==> 'icmp_seq'
change -> csv: 'icmptype' ==> 'icmp_type'
+change -> csv: 'id' ==> 'ip_id'
change -> csv: 'iplen' ==> 'ip_len'
change -> csv: 'sig_generator' ==> 'gid'
change -> csv: 'sig_id' ==> 'sid'
change -> csv: 'tcpseq' ==> 'tcp_seq'
change -> csv: 'tcpwindow' ==> 'tcp_win'
change -> csv: 'udplength' ==> 'udp_len'
-change -> detection: 'ac' ==> 'ac_full_q'
+change -> detection: 'ac' ==> 'ac_full'
change -> detection: 'ac-banded' ==> 'ac_banded'
-change -> detection: 'ac-bnfa' ==> 'ac_bnfa_q'
+change -> detection: 'ac-bnfa' ==> 'ac_bnfa'
change -> detection: 'ac-bnfa-nq' ==> 'ac_bnfa'
-change -> detection: 'ac-bnfa-q' ==> 'ac_bnfa_q'
+change -> detection: 'ac-bnfa-q' ==> 'ac_bnfa'
change -> detection: 'ac-nq' ==> 'ac_full'
-change -> detection: 'ac-q' ==> 'ac_full_q'
+change -> detection: 'ac-q' ==> 'ac_full'
change -> detection: 'ac-sparsebands' ==> 'ac_sparse_bands'
-change -> detection: 'ac-split' ==> 'ac_full_q'
+change -> detection: 'ac-split' ==> 'ac_full'
change -> detection: 'ac-split' ==> 'split_any_any'
change -> detection: 'ac-std' ==> 'ac_std'
change -> detection: 'acs' ==> 'ac_sparse'
change -> detection: 'bleedover-port-limit' ==> 'bleedover_port_limit'
-change -> detection: 'intel-cpm' ==> 'intel_cpm'
-change -> detection: 'lowmem' ==> 'lowmem_q'
+change -> detection: 'debug-print-fast-pattern' ==> 'show_fast_patterns'
+change -> detection: 'intel-cpm' ==> 'hyperscan'
change -> detection: 'lowmem-nq' ==> 'lowmem'
-change -> detection: 'lowmem-q' ==> 'lowmem_q'
+change -> detection: 'lowmem-q' ==> 'lowmem'
change -> detection: 'max-pattern-len' ==> 'max_pattern_len'
+change -> detection: 'no_stream_inserts' ==> 'detect_raw_tcp'
change -> detection: 'search-method' ==> 'search_method'
change -> detection: 'search-optimize' ==> 'search_optimize'
+change -> detection: 'split-any-any' ==> 'split_any_any = true by default'
change -> detection: 'split-any-any' ==> 'split_any_any'
+change -> dnp3: 'ports' ==> 'bindings'
change -> dns: 'ports' ==> 'bindings'
change -> event_filter: 'gen_id' ==> 'gid'
change -> event_filter: 'sig_id' ==> 'sid'
change -> event_filter: 'threshold' ==> 'event_filter'
change -> file: 'config file: file_block_timeout' ==> 'block_timeout'
+change -> file: 'config file: file_capture_block_size' ==> 'capture_block_size'
+change -> file: 'config file: file_capture_max' ==> 'capture_max_size'
+change -> file: 'config file: file_capture_memcap' ==> 'capture_memcap'
+change -> file: 'config file: file_capture_min' ==> 'capture_min_size'
change -> file: 'config file: file_type_depth' ==> 'type_depth'
change -> file: 'config file: signature' ==> 'enable_signature'
change -> file: 'config file: type_id' ==> 'enable_type'
+change -> file: 'ver' ==> 'version'
change -> frag3_engine: 'min_fragment_length' ==> 'min_frag_length'
change -> frag3_engine: 'overlap_limit' ==> 'max_overlaps'
change -> frag3_engine: 'policy bsd-right' ==> 'policy = bsd_right'
change -> ftp_telnet_protocol: 'alt_max_param_len' ==> 'cmd_validity'
change -> ftp_telnet_protocol: 'data_chan' ==> 'ignore_data_chan'
change -> ftp_telnet_protocol: 'ports' ==> 'bindings'
-change -> gtp: 'ports' ==> 'gtp_ports'
-change -> http_inspect: 'http_inspect' ==> 'http_global'
-change -> http_inspect_server: 'apache_whitespace' ==> 'profile.apache_whitespace'
-change -> http_inspect_server: 'ascii' ==> 'profile.ascii'
-change -> http_inspect_server: 'bare_byte' ==> 'profile.bare_byte'
-change -> http_inspect_server: 'chunk_length' ==> 'profile.chunk_length'
-change -> http_inspect_server: 'client_flow_depth' ==> 'profile.client_flow_depth'
-change -> http_inspect_server: 'directory' ==> 'profile.directory'
-change -> http_inspect_server: 'double_decode' ==> 'profile.double_decode'
-change -> http_inspect_server: 'enable_cookie' ==> 'enable_cookies'
-change -> http_inspect_server: 'flow_depth' ==> 'server_flow_depth'
+change -> gtp: 'ports' ==> 'bindings'
+change -> http_inspect_server: 'bare_byte' ==> 'utf8_bare_byte'
+change -> http_inspect_server: 'client_flow_depth' ==> 'request_depth'
+change -> http_inspect_server: 'double_decode' ==> 'iis_double_decode'
change -> http_inspect_server: 'http_inspect_server' ==> 'http_inspect'
-change -> http_inspect_server: 'iis_backslash' ==> 'profile.iis_backslash'
-change -> http_inspect_server: 'iis_delimiter' ==> 'profile.iis_delimiter'
-change -> http_inspect_server: 'iis_unicode' ==> 'profile.iis_unicode'
-change -> http_inspect_server: 'max_header_length' ==> 'profile.max_header_length'
-change -> http_inspect_server: 'max_headers' ==> 'profile.max_headers'
-change -> http_inspect_server: 'max_spaces' ==> 'profile.max_spaces'
-change -> http_inspect_server: 'multi_slash' ==> 'profile.multi_slash'
-change -> http_inspect_server: 'non_rfc_char' ==> 'non_rfc_chars'
-change -> http_inspect_server: 'non_strict' ==> 'profile.non_strict'
-change -> http_inspect_server: 'normalize_utf' ==> 'profile.normalize_utf'
+change -> http_inspect_server: 'iis_backslash' ==> 'backslash_to_slash'
+change -> http_inspect_server: 'inspect_gzip' ==> 'unzip'
+change -> http_inspect_server: 'non_rfc_char' ==> 'bad_characters'
change -> http_inspect_server: 'ports' ==> 'bindings'
-change -> http_inspect_server: 'u_encode' ==> 'profile.u_encode'
-change -> http_inspect_server: 'utf_8' ==> 'profile.utf_8'
-change -> http_inspect_server: 'webroot' ==> 'profile.webroot'
-change -> http_inspect_server: 'whitespace_chars' ==> 'profile.whitespace_chars'
+change -> http_inspect_server: 'u_encode' ==> 'percent_u'
+change -> http_inspect_server: 'utf_8' ==> 'utf8'
change -> imap: 'ports' ==> 'bindings'
-change -> paf_max: 'paf_max [0:63780]' ==> 'max_pdu [1460:63780]'
-change -> perfmonitor: 'accumulate' ==> 'reset = false'
-change -> perfmonitor: 'flow-file' ==> 'flow_file = true'
+change -> modbus: 'ports' ==> 'bindings'
+change -> na_policy_mode: 'na_policy_mode' ==> 'mode'
+change -> nap_selector: 'nap rules' ==> 'bindings'
+change -> paf_max: 'paf_max [0:63780]' ==> 'max_pdu [1460:32768]'
+change -> perfmonitor: 'console' ==> 'format = 'text''
+change -> perfmonitor: 'console' ==> 'output = 'console''
+change -> perfmonitor: 'file' ==> 'format = 'csv''
+change -> perfmonitor: 'file' ==> 'output = 'file''
+change -> perfmonitor: 'flow-file' ==> 'format = 'csv''
+change -> perfmonitor: 'flow-file' ==> 'output = 'file''
change -> perfmonitor: 'flow-ip' ==> 'flow_ip'
-change -> perfmonitor: 'flow-ip-file' ==> 'flow_ip_file = true'
+change -> perfmonitor: 'flow-ip-file' ==> 'format = 'csv''
+change -> perfmonitor: 'flow-ip-file' ==> 'output = 'file''
change -> perfmonitor: 'flow-ip-memcap' ==> 'flow_ip_memcap'
change -> perfmonitor: 'flow-ports' ==> 'flow_ports'
change -> perfmonitor: 'pktcnt' ==> 'packets'
-change -> perfmonitor: 'snortfile' ==> 'file = true'
+change -> perfmonitor: 'snortfile' ==> 'format = 'csv''
+change -> perfmonitor: 'snortfile' ==> 'output = 'file''
change -> perfmonitor: 'time' ==> 'seconds'
change -> policy_mode: 'inline_test' ==> 'inline-test'
change -> pop: 'ports' ==> 'bindings'
-change -> ppm: 'max-pkt-time' ==> 'max_pkt_time'
-change -> ppm: 'max-rule-time' ==> 'max_rule_time'
-change -> ppm: 'pkt-log' ==> 'pkt_log'
-change -> ppm: 'rule-log' ==> 'rule_log'
-change -> ppm: 'suspend-timeout' ==> 'suspend_timeout'
+change -> ppm: ''both'' ==> ''alert_and_log''
+change -> ppm: 'fastpath-expensive-packets' ==> 'packet.fastpath'
+change -> ppm: 'max-pkt-time' ==> 'packet.max_time'
+change -> ppm: 'max-rule-time' ==> 'rule.max_time'
+change -> ppm: 'pkt-log' ==> 'packet.action'
+change -> ppm: 'ppm' ==> 'latency'
+change -> ppm: 'rule-log' ==> 'rule.action'
+change -> ppm: 'suspend-expensive-rules' ==> 'rule.suspend'
+change -> ppm: 'suspend-timeout' ==> 'max_suspend_time'
+change -> ppm: 'threshold' ==> 'rule.suspend_threshold'
change -> preprocessor 'normalize_ icmp4' ==> 'normalize. icmp4'
change -> preprocessor 'normalize_ icmp6' ==> 'normalize. icmp6'
change -> preprocessor 'normalize_ ip6' ==> 'normalize. ip6'
change -> profile: 'print' ==> 'count'
+change -> profile: 'sort avg_ticks' ==> 'sort = avg_check'
+change -> profile: 'sort total_ticks' ==> 'sort = total_time'
change -> rate_filter: 'gen_id' ==> 'gid'
change -> rate_filter: 'sig_id' ==> 'sid'
-change -> rule_state: 'disabled' ==> 'enable'
-change -> rule_state: 'enabled' ==> 'enable'
+change -> reputation: 'shared_mem' ==> 'list_dir'
+change -> rule_state: 'enabled/disabled' ==> 'enable'
+change -> rule_state: 'sdrop' ==> 'drop'
change -> sfportscan: 'proto' ==> 'protos'
change -> sfportscan: 'scan_type' ==> 'scan_types'
change -> sip: 'ports' ==> 'bindings'
change -> stream5_tcp: 'max_queued_segs' ==> 'queue_limit.max_segments'
change -> stream5_tcp: 'policy hpux' ==> 'stream_tcp.policy = hpux11'
change -> stream5_tcp: 'timeout' ==> 'session_timeout'
-change -> stream5_tcp: 'use_static_footprint_sizes' ==> 'footprint'
change -> stream5_udp: 'timeout' ==> 'session_timeout'
change -> suppress: 'gen_id' ==> 'gid'
change -> suppress: 'sig_id' ==> 'sid'
deleted -> attribute_table: '<STREAM_POLICY>noack</STREAM_POLICY>'
deleted -> attribute_table: '<STREAM_POLICY>unknown</STREAM_POLICY>'
deleted -> config ' cs_dir'
+deleted -> config ' daq_mode'
+deleted -> config ' decode_data_link'
deleted -> config ' disable_attribute_reload_thread'
deleted -> config ' disable_decode_alerts'
deleted -> config ' disable_decode_drops'
+deleted -> config ' disable_inline_init_failopen'
deleted -> config ' disable_ipopt_alerts'
deleted -> config ' disable_ipopt_drops'
deleted -> config ' disable_tcpopt_alerts'
deleted -> config ' include_vlan_in_alerts'
deleted -> config ' interface'
deleted -> config ' layer2resets'
-deleted -> config ' policy_version'
+deleted -> config ' log_ipv6_extra_data'
+deleted -> config ' nolog'
+deleted -> config ' protected_content'
+deleted -> config ' sidechannel'
deleted -> config ' so_rule_memcap'
+deleted -> config 'dynamicoutput'
+deleted -> config 'sfalert_unified2'
+deleted -> config 'sflog_unified2'
+deleted -> config 'sidechannel'
deleted -> csv: '<filename> can no longer be specific'
deleted -> csv: 'default'
deleted -> csv: 'trheader'
deleted -> detection: 'mwm'
+deleted -> dnp3: 'disabled'
+deleted -> dnp3: 'memcap'
deleted -> dns: 'enable_experimental_types'
deleted -> dns: 'enable_obsolete_types'
deleted -> dns: 'enable_rdata_overflow'
+deleted -> event_trace: 'file'
deleted -> fast: '<filename> can no longer be specific'
deleted -> frag3_engine: 'detect_anomalies'
deleted -> frag3_global: 'disabled'
deleted -> ftp_telnet_protocol: 'detect_anomalies'
deleted -> full: '<filename> can no longer be specific'
+deleted -> http_inspect: 'detect_anomalous_servers'
deleted -> http_inspect: 'disabled'
+deleted -> http_inspect: 'proxy_alert'
+deleted -> http_inspect_server: 'allow_proxy_use'
+deleted -> http_inspect_server: 'enable_cookie'
+deleted -> http_inspect_server: 'enable_xff'
+deleted -> http_inspect_server: 'extended_ascii_uri'
+deleted -> http_inspect_server: 'extended_response_inspection'
+deleted -> http_inspect_server: 'iis_unicode_map not allowed in sever'
+deleted -> http_inspect_server: 'inspect_uri_only'
+deleted -> http_inspect_server: 'log_hostname'
+deleted -> http_inspect_server: 'log_uri'
deleted -> http_inspect_server: 'no_alerts'
+deleted -> http_inspect_server: 'no_pipeline_req'
+deleted -> http_inspect_server: 'non_strict'
+deleted -> http_inspect_server: 'normalize_cookies'
+deleted -> http_inspect_server: 'normalize_headers'
+deleted -> http_inspect_server: 'small_chunk_length'
+deleted -> http_inspect_server: 'tab_uri_delimiter'
+deleted -> http_inspect_server: 'unlimited_decompress'
deleted -> imap: 'disabled'
deleted -> imap: 'max_mime_mem'
deleted -> imap: 'memcap'
+deleted -> nap_selector: 'fw_required'
+deleted -> nap_selector: 'nap_stats_time'
+deleted -> perfmonitor: 'accumulate'
deleted -> perfmonitor: 'atexitonly'
deleted -> perfmonitor: 'atexitonly: base-stats'
deleted -> perfmonitor: 'atexitonly: events-stats'
deleted -> perfmonitor: 'atexitonly: flow-ip-stats'
deleted -> perfmonitor: 'atexitonly: flow-stats'
+deleted -> perfmonitor: 'atexitonly: reset'
+deleted -> perfmonitor: 'events'
+deleted -> perfmonitor: 'max'
deleted -> pop: 'disabled'
deleted -> pop: 'max_mime_mem'
deleted -> pop: 'memcap'
deleted -> ppm: 'debug-pkts'
deleted -> react: 'block'
deleted -> react: 'warn'
+deleted -> reputation: 'shared_max_instances'
+deleted -> reputation: 'shared_refresh'
deleted -> rpc_decode: 'alert_fragments'
deleted -> rpc_decode: 'no_alert_incomplete'
deleted -> rpc_decode: 'no_alert_large_fragments'
deleted -> rpc_decode: 'no_alert_multiple_requests'
-deleted -> rule_state: 'action'
deleted -> sfportscan: 'detect_ack_scans'
deleted -> sfportscan: 'disabled'
deleted -> sfportscan: 'logfile'
+deleted -> sfportscan: 'sense_level'
+deleted -> sfunified2: 'mpls_event_types'
+deleted -> sfunified2: 'vlan_event_types'
deleted -> sip: 'disabled'
+deleted -> sip: 'max_sessions'
deleted -> smtp: 'alert_unknown_cmds'
deleted -> smtp: 'disabled'
deleted -> smtp: 'enable_mime_decoding'
deleted -> ssl: 'noinspect_encrypted'
deleted -> stream5_global: 'disabled'
deleted -> stream5_global: 'flush_on_alert'
+deleted -> stream5_global: 'memcap'
deleted -> stream5_global: 'no_midstream_drop_alerts'
deleted -> stream5_tcp: 'check_session_hijacking'
deleted -> stream5_tcp: 'detect_anomalies'
deleted -> stream5_tcp: 'dont_store_large_packets'
+deleted -> stream5_tcp: 'ignore_any_rules'
+deleted -> stream5_tcp: 'log_asymmetric_traffic'
deleted -> stream5_tcp: 'policy noack'
deleted -> stream5_tcp: 'policy unknown'
+deleted -> stream5_udp: 'ignore_any_rules'
deleted -> tcpdump: '<filename> can no longer be specific'
deleted -> test: 'file'
deleted -> test: 'stdout'
deleted -> unified2: 'filename'
+deleted -> unified2: 'mpls_event_types'
+deleted -> unified2: 'vlan_event_types'
20.11. Module Listing
* alert_json (logger): output event in json format
* alert_sfsocket (logger): output event over socket
* alert_syslog (logger): output event to syslog
+ * alert_talos (logger): output event in Talos alert format
* alert_unixsock (logger): output event over unix socket
* alerts (basic): configure alerts
* appid (inspector): application and service identification
* log_hext (logger): output payload suitable for daq hext
* log_pcap (logger): log packet in pcap format
* md5 (ips_option): payload rule option for hash matching
+ * mem_test (inspector): for testing memory management
* memory (basic): memory management configuration
* metadata (ips_option): rule option for conveying arbitrary name,
value data within the rule text
* rewrite (ips_action): overwrite packet contents
* rpc (ips_option): rule option to check SUNRPC CALL parameters
* rpc_decode (inspector): RPC inspector
- * rule_state (basic): enable/disable specific IPS rules
+ * rule_state (basic): enable/disable and set actions for specific
+ IPS rules
* sd_pattern (ips_option): rule option for detecting sensitive data
* search_engine (basic): configure fast pattern matcher
* seq (ips_option): rule option to check TCP sequence number
* inspector::http2_inspect: the HTTP/2 inspector
* inspector::http_inspect: the new HTTP inspector!
* inspector::imap: imap inspection
+ * inspector::mem_test: for testing memory management
* inspector::modbus: modbus inspection
* inspector::normalizer: packet scrubbing for inline mode
* inspector::packet_capture: raw packet dumping facility
* logger::alert_json: output event in json format
* logger::alert_sfsocket: output event over socket
* logger::alert_syslog: output event to syslog
+ * logger::alert_talos: output event in Talos alert format
* logger::alert_unixsock: output event over unix socket
* logger::log_codecs: log protocols in packet by layer
* logger::log_hext: output payload suitable for daq hext
+ Note that on OpenBSD, divert sockets don’t work with bridges!
+
+20.14. Limitations
+
+--------------
+
+20.14.1. Reload limitations
+
+The following parameters can’t be changed during reload, and require
+a restart:
+
+ * active.attempts
+ * active.device
+ * alerts.detection_filter_memcap
+ * alerts.event_filter_memcap
+ * alerts.rate_filter_memcap
+ * attribute_table.max_hosts
+ * attribute_table.max_services_per_host
+ * daq.snaplen
+ * daq.no_promisc
+ * detection.asn1
+ * file_id.max_files_cached
+ * port_scan.memcap
+ * process.chroot
+ * process.daemon
+ * process.set_gid
+ * process.set_uid
+ * stream.footprint
+ * stream.ip_cache.max_sessions
+ * stream.ip_cache.pruning_timeout
+ * stream.ip_cache.idle_timeout
+ * stream.icmp_cache.max_sessions
+ * stream.icmp_cache.pruning_timeout
+ * stream.icmp_cache.idle_timeout
+ * stream.tcp_cache.max_sessions
+ * stream.tcp_cache.pruning_timeout
+ * stream.tcp_cache.idle_timeout
+ * stream.udp_cache.max_sessions
+ * stream.udp_cache.pruning_timeout
+ * stream.udp_cache.idle_timeout
+ * stream.user_cache.max_sessions
+ * stream.user_cache.pruning_timeout
+ * stream.user_cache.idle_timeout
+ * stream.file_cache.max_sessions
+ * stream.file_cache.pruning_timeout
+ * stream.file_cache.idle_timeout
+
+In addition, the following scenarios require a restart:
+
+ * Enabling file capture for the first time
+ * Changing file_id.capture_memcap if file capture was previously or
+ currently enabled
+ * Changing file_id.capture_block_size if file capture was
+ previously or currently enabled
+ * Adding/removing stream_* inspectors if stream was already
+ configured
+
+In all of these cases reload will fail with the following message:
+"reload failed - restart required". The original config will remain
+in use.
+
const string& Markup::escape(const char* const c)
{ return escape(string(c)); }
-// FIXIT-L some asciidoc chars need to be escaped.
-// This function should escape all of those characters
const string& Markup::escape(const string& s)
{
static string m;
m = s;
-#if 0
- const char* const asciidoc_chars = "*<>^'";
+ const char* const asciidoc_chars = "+*<>[]^'";
- if (enabled)
+ if ( enabled and (m.find_first_of(asciidoc_chars, 0) != string::npos) )
{
- for (size_t found = m.find_first_of(asciidoc_chars, 0);
- found != string::npos;
- found = m.find_first_of(asciidoc_chars, found))
- {
- m.insert(found, "\\");
- found +=2;
- }
+ m.insert(0, "`");
+ m += "`";
}
-#endif
return m;
}
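Review bot: Markup::escape now quotes rather than escapes, and the name and the surrounding code no longer say so; the new body wraps the string in asciidoc backticks when it contains one of `+*<>[]^'`, while a backtick in the input is neither in asciidoc_chars nor escaped, so a string carrying both would presumably have its literal span cut short at the inner backtick — worth confirming against the renderer, or extending the check to cover the backtick as well. The result is still a reference to the function-local `static string m`, so it is overwritten by the next call and is only safe to use before another Markup::escape call in the same expression. A short comment above the function would replace the removed FIXIT-L note, e.g. `// Wraps s in asciidoc literal backticks when it contains markup-significant characters; the result aliases a function-static buffer and is valid only until the next call.` The second copy of Markup::escape later in this patch makes the identical change and would take the same comment.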
// //
//-----------------------------------------------//
-#define BUILD_NUMBER 250
+#define BUILD_NUMBER 251
#ifndef EXTRABUILD
#define BUILD STRINGIFY_MX(BUILD_NUMBER)
cout << Markup::item();
cout << Markup::emphasis_on();
- cout << Markup::escape(p->name);
+ cout << p->name;
cout << Markup::emphasis_off();
- cout << " " << Markup::escape(p->help);
+ cout << " " << p->help;
if ( const char* r = p->get_range() )
{
static void dump_field_std(const string& key, const Parameter* p)
{
cout << Markup::item();
- cout << Markup::escape(p->get_type());
+ cout << p->get_type();
cout << " " << Markup::emphasis(Markup::escape(key));
if ( p->deflt )
- cout << " = " << Markup::escape(p->deflt);
+ cout << " = " << p->deflt;
cout << ": " << p->help;
if ( const char* r = p->get_range() )
- cout << " { " << Markup::escape(r) << " }";
+ cout << " { " << r << " }";
cout << endl;
}
cout << "\t" << Markup::emphasis(Markup::escape(key));
if ( p->deflt )
- cout << "\t" << Markup::escape(p->deflt);
+ cout << "\t" << p->deflt;
else
cout << "\t";
cout << "\t" << p->help;
if ( const char* r = p->get_range() )
- cout << "\t" << Markup::escape(r);
+ cout << "\t" << r;
else
cout << "\t";
if ( strcmp(m->get_name(), name) )
continue;
- cout << endl << Markup::head(3) << Markup::escape(name) << endl << endl;
+ cout << endl << Markup::head(3) << name << endl << endl;
if ( const char* h = m->get_help() )
- cout << endl << "What: " << Markup::escape(h) << endl;
+ cout << endl << "What: " << h << endl;
cout << endl << "Type: " << mod_type(p->api) << endl;
cout << endl << "Usage: " << mod_use(m->get_usage()) << endl;
{
cout << Markup::item();
cout << Markup::emphasis_on();
- cout << Markup::escape(p->mod->get_name());
- cout << "." << Markup::escape(c->name);
+ cout << p->mod->get_name();
+ cout << "." << c->name;
cout << Markup::emphasis_off();
cout << c->get_arg_list();
- cout << ": " << Markup::escape(c->help);
+ cout << ": " << c->help;
cout << endl;
c++;
}
cout << Markup::emphasis_on();
cout << gid;
cout << Markup::emphasis_off();
- cout << ": " << Markup::escape(m->get_name());
+ cout << ": " << m->get_name();
cout << endl;
}
c++;
{
cout << Markup::item();
cout << Markup::emphasis_on();
- cout << Markup::escape(p->mod->get_name());
- cout << "." << Markup::escape(pegs->name);
+ cout << p->mod->get_name();
+ cout << "." << pegs->name;
cout << Markup::emphasis_off();
- cout << ": " << Markup::escape(pegs->help);
- cout << Markup::escape(peg_op(pegs->type));
+ cout << ": " << pegs->help;
+ cout << peg_op(pegs->type);
cout << endl;
++pegs;
}
cout << gid << ":" << r->sid;
cout << Markup::emphasis_off();
cout << " (" << m->get_name() << ")";
- cout << " " << Markup::escape(r->msg);
+ cout << " " << r->msg;
cout << endl;
r++;
}
{
Plugin& p = it->second;
cout << Markup::item();
- cout << Markup::escape(p.key);
+ cout << p.key;
cout << " v" << p.api->version;
cout << " " << p.source;
cout << endl;
else
std::cout << "\n" << std::setw(name_field_len) << " ";
- std::cout << std::left << Markup::escape(help_str.substr(0, len));
+ std::cout << std::left << help_str.substr(0, len);
if (len < help_str.size())
help_str = help_str.substr(len + 1);
const string& Markup::escape(const char* const c)
{ return escape(string(c)); }
-// FIXIT-L some asciidoc characters need to be escaped.
-// This function should escape all of those characters
const string& Markup::escape(const string& s)
{
static string m;
m = s;
-#if 0
+ const char* const asciidoc_chars = "+*<>[]^'";
- const char* const asciidoc_chars = "*<>^'";
-
- if (enabled)
+ if ( enabled and (m.find_first_of(asciidoc_chars, 0) != string::npos) )
{
- for (size_t found = m.find_first_of(asciidoc_chars, 0);
- found != string::npos;
- found = m.find_first_of(asciidoc_chars, found))
- {
- m.insert(found, "\\");
- found +=2;
- }
+ m.insert(0, "`");
+ m += "`";
}
-#endif
return m;
}