The Snort Team
Revision History
-Revision 3.0.2 (Build 4) 2020-08-06 08:06:49 EDT TST
+Revision 3.0.2 (Build 5) 2020-08-12 08:28:30 EDT TST
---------------------------------------------------------------------
--help-limits print the int upper bounds denoted by max*
--help-module <module> output description of given module
--help-modules list all available modules with brief help
+--help-modules-json dump description of all available modules in JSON format
--help-plugins list all available plugins with brief help
--help-options [<option prefix>] output matching command line options
--help-signals dump available control signals
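Review bot: the help text for the new `--help-modules-json` option says only "dump description of all available modules in JSON format"; it should say whether the JSON carries the same fields the per-module sections list (Help, Type, Usage, Instance Type, Configuration, Rules, Peg counts, Commands) or a subset, so that tooling consuming it knows what to expect, and whether output goes to stdout like the other `--help-*` options.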
--------------
-What: configure responses
+Help: configure responses
Type: basic
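Review bot: the `What:` to `Help:` label rename is applied mechanically to every module section in this patch, but the revision history entry at the top only bumps the build number; add a line there (or in the changelog) stating the rename, since anything that parses the `What:` field of the reference text will need updating.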
--------------
-What: configure alerts
+Help: configure alerts
Type: basic
--------------
-What: configure hosts loading
+Help: configure hosts loading
Type: basic
--------------
-What: define rule categories with priority
+Help: define rule categories with priority
Type: basic
--------------
-What: configure packet acquisition interface
+Help: configure packet acquisition interface
Type: basic
--------------
-What: general decoder rules
+Help: general decoder rules
Type: basic
--------------
-What: configure general IPS rule processing parameters
+Help: configure general IPS rule processing parameters
Type: basic
--------------
-What: configure thresholding of events
+Help: configure thresholding of events
Type: basic
--------------
-What: configure event queue parameters
+Help: configure event queue parameters
Type: basic
--------------
-What: implement flow tracking high availability
+Help: implement flow tracking high availability
Type: basic
--------------
-What: global LRU cache of host_tracker data about hosts
+Help: global LRU cache of host_tracker data about hosts
Type: basic
--------------
-What: configure hosts
+Help: configure hosts
Type: basic
--------------
-What: configure hosts
+Help: configure hosts
Type: basic
--------------
-What: configure basic inspection policy parameters
+Help: configure basic inspection policy parameters
Type: basic
--------------
-What: configure IPS rule processing
+Help: configure IPS rule processing
Type: basic
--------------
-What: packet and rule latency monitoring and control
+Help: packet and rule latency monitoring and control
Type: basic
--------------
-What: memory management configuration
+Help: memory management configuration
Type: basic
--------------
-What: configure basic network parameters
+Help: configure basic network parameters
Type: basic
--------------
-What: configure general output parameters
+Help: configure general output parameters
Type: basic
--------------
-What: generate debug trace messages for packets
+Help: generate debug trace messages for packets
Type: basic
--------------
-What: configure basic packet handling
+Help: configure basic packet handling
Type: basic
--------------
-What: payload injection utility
+Help: payload injection utility
Type: basic
--------------
-What: configure basic process setup
+Help: configure basic process setup
Type: basic
--------------
-What: configure profiling of rules and/or modules
+Help: configure profiling of rules and/or modules
Type: basic
--------------
-What: configure rate filters (which change rule actions)
+Help: configure rate filters (which change rule actions)
Type: basic
--------------
-What: define reference systems used in rules
+Help: define reference systems used in rules
Type: basic
--------------
-What: enable/disable and set actions for specific IPS rules;
+Help: enable/disable and set actions for specific IPS rules;
deprecated, use rule state stubs with enable instead
Type: basic
--------------
-What: configure fast pattern matcher
+Help: configure fast pattern matcher
Type: basic
--------------
-What: implement the side-channel asynchronous messaging subsystem
+Help: implement the side-channel asynchronous messaging subsystem
Type: basic
--------------
-What: command line configuration and shell commands
+Help: command line configuration and shell commands
Type: basic
module
* implied snort.--help-modules: list all available modules with
brief help
+ * implied snort.--help-modules-json: dump description of all
+ available modules in JSON format
* string snort.--help-options: [<option prefix>] output matching
command line option quick help (same as -?) { (optional) }
* implied snort.--help-plugins: list all available plugins with
--------------
-What: configure event suppressions
+Help: configure event suppressions
Type: basic
--------------
-What: configure trace log messages
+Help: configure trace log messages
Type: basic
--------------
-What: support for address resolution protocol
+Help: support for address resolution protocol
Type: codec
--------------
-What: support for IP authentication header
+Help: support for IP authentication header
Type: codec
--------------
-What: support for cisco metadata
+Help: support for cisco metadata
Type: codec
--------------
-What: support for extensible authentication protocol over LAN
+Help: support for extensible authentication protocol over LAN
Type: codec
--------------
-What: support for encapsulated remote switched port analyzer - type 2
+Help: support for encapsulated remote switched port analyzer - type 2
Type: codec
--------------
-What: support for encapsulated remote switched port analyzer - type 3
+Help: support for encapsulated remote switched port analyzer - type 3
Type: codec
--------------
-What: support for encapsulating security payload
+Help: support for encapsulating security payload
Type: codec
--------------
-What: support for ethernet protocol (DLT 1) (DLT 51)
+Help: support for ethernet protocol (DLT 1) (DLT 51)
Type: codec
--------------
-What: support for fabricpath
+Help: support for fabricpath
Type: codec
--------------
-What: support for generic routing encapsulation
+Help: support for generic routing encapsulation
Type: codec
--------------
-What: support for general-packet-radio-service tunneling protocol
+Help: support for general-packet-radio-service tunneling protocol
Type: codec
--------------
-What: support for Internet control message protocol v4
+Help: support for Internet control message protocol v4
Type: codec
--------------
-What: support for Internet control message protocol v6
+Help: support for Internet control message protocol v6
Type: codec
--------------
-What: support for Internet group management protocol
+Help: support for Internet group management protocol
Type: codec
--------------
-What: support for Internet protocol v4 (DLT 228)
+Help: support for Internet protocol v4 (DLT 228)
Type: codec
--------------
-What: support for Internet protocol v6 (DLT 229)
+Help: support for Internet protocol v6 (DLT 229)
Type: codec
--------------
-What: support for logical link control
+Help: support for logical link control
Type: codec
--------------
-What: support for multiprotocol label switching
+Help: support for multiprotocol label switching
Type: codec
--------------
-What: support for 802.1ah protocol
+Help: support for 802.1ah protocol
Type: codec
--------------
-What: support for pragmatic general multicast
+Help: support for pragmatic general multicast
Type: codec
--------------
-What: support for point-to-point protocol over ethernet
+Help: support for point-to-point protocol over ethernet
Type: codec
--------------
-What: support for transmission control protocol
+Help: support for transmission control protocol
Type: codec
--------------
-What: support for token ring decoding
+Help: support for token ring decoding
Type: codec
--------------
-What: support for user datagram protocol
+Help: support for user datagram protocol
Type: codec
--------------
-What: support for local area network
+Help: support for local area network
Type: codec
--------------
-What: support for wireless local area network protocol (DLT 105)
+Help: support for wireless local area network protocol (DLT 105)
Type: codec
--------------
-What: implement the file based connector
+Help: implement the file based connector
Type: connector
--------------
-What: implement the tcp stream connector
+Help: implement the tcp stream connector
Type: connector
--------------
-What: application and service identification
+Help: application and service identification
Type: inspector
Usage: context
+Instance Type: global
+
Configuration:
* int appid.memcap = 1048576: max size of the service cache before
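Review bot: `Instance Type:` is introduced here and on every inspector section below with the values global, singleton and multiton, but nothing in the patch defines those three values or explains how they relate to `Usage:` (this section has Usage context and Instance Type global; the inspect-usage sections are singleton or multiton). Add a short definition of the three instance types where the section layout is explained, and state the Usage-to-Instance-Type rule if there is one, so the reader can tell whether a given inspector may be configured more than once per policy.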
--------------
-What: log selected published data to appid_listener.log
+Help: log selected published data to appid_listener.log
Type: inspector
Usage: context
+Instance Type: global
+
5.3. arp_spoof
--------------
-What: detect ARP attacks and anomalies
+Help: detect ARP attacks and anomalies
Type: inspector
Usage: inspect
+Instance Type: singleton
+
Configuration:
* ip4 arp_spoof.hosts[].ip: host ip address
--------------
-What: back orifice detection
+Help: back orifice detection
Type: inspector
Usage: inspect
+Instance Type: multiton
+
Rules:
* 105:1 (back_orifice) BO traffic detected
--------------
-What: configure processing based on CIDRs, ports, services, etc.
+Help: configure processing based on CIDRs, ports, services, etc.
Type: inspector
Usage: inspect
+Instance Type: singleton
+
Configuration:
* int binder[].when.ips_policy_id = 0: unique ID for selection of
--------------
-What: cip inspection
+Help: cip inspection
Type: inspector
Usage: inspect
+Instance Type: multiton
+
Configuration:
* string cip.embedded_cip_path = false: check embedded CIP path
--------------
-What: log selected published data to data.log
+Help: log selected published data to data.log
Type: inspector
Usage: inspect
+Instance Type: singleton
+
Configuration:
* select data_log.key = http_request_header_event : name of the
--------------
-What: dce over http inspection - client to/from proxy
+Help: dce over http inspection - client to/from proxy
Type: inspector
Usage: inspect
+Instance Type: multiton
+
Peg counts:
* dce_http_proxy.http_proxy_sessions: successful http proxy
--------------
-What: dce over http inspection - proxy to/from server
+Help: dce over http inspection - proxy to/from server
Type: inspector
Usage: inspect
+Instance Type: multiton
+
Peg counts:
* dce_http_server.http_server_sessions: successful http server
--------------
-What: dce over smb inspection
+Help: dce over smb inspection
Type: inspector
Usage: inspect
+Instance Type: multiton
+
Configuration:
* bool dce_smb.limit_alerts = true: limit DCE alert to at most one
--------------
-What: dce over tcp inspection
+Help: dce over tcp inspection
Type: inspector
Usage: inspect
+Instance Type: multiton
+
Configuration:
* bool dce_tcp.limit_alerts = true: limit DCE alert to at most one
--------------
-What: dce over udp inspection
+Help: dce over udp inspection
Type: inspector
Usage: inspect
+Instance Type: multiton
+
Configuration:
* bool dce_udp.limit_alerts = true: limit DCE alert to at most one
--------------
-What: dnp3 inspection
+Help: dnp3 inspection
Type: inspector
Usage: inspect
+Instance Type: multiton
+
Configuration:
* bool dnp3.check_crc = false: validate checksums in DNP3 link
--------------
-What: dns inspection
+Help: dns inspection
Type: inspector
Usage: inspect
+Instance Type: multiton
+
Rules:
* 131:1 (dns) obsolete DNS RR types
--------------
-What: alert on configured HTTP domains
+Help: alert on configured HTTP domains
Type: inspector
Usage: inspect
+Instance Type: singleton
+
Configuration:
* string domain_filter.file: file with list of domains identifying
--------------
-What: dynamic inspector example
+Help: dynamic inspector example
Type: inspector
Usage: inspect
+Instance Type: singleton
+
Configuration:
* port dpx.port: port to check
--------------
-What: configure file identification
+Help: configure file identification
Type: inspector
Usage: global
+Instance Type: global
+
Configuration:
* int file_id.type_depth = 1460: stop type ID at this point {
--------------
-What: log file event to file.log
+Help: log file event to file.log
Type: inspector
Usage: inspect
+Instance Type: singleton
+
Configuration:
* bool file_log.log_pkt_time = true: log the packet time when event
--------------
-What: FTP client configuration module for use with ftp_server
+Help: FTP client configuration module for use with ftp_server
Type: inspector
Usage: inspect
+Instance Type: multiton
+
Configuration:
* bool ftp_client.bounce = false: check for bounces
--------------
-What: FTP data channel handler
+Help: FTP data channel handler
Type: inspector
Usage: inspect
+Instance Type: multiton
+
Peg counts:
* ftp_data.packets: total packets (sum)
--------------
-What: main FTP module; ftp_client should also be configured
+Help: main FTP module; ftp_client should also be configured
Type: inspector
Usage: inspect
+Instance Type: multiton
+
Configuration:
* string ftp_server.chk_str_fmt: check the formatting of the given
(now)
* ftp_server.max_concurrent_sessions: maximum concurrent FTP
sessions (max)
+ * ftp_server.start_tls: total STARTTLS events generated (sum)
+ * ftp_server.ssl_search_abandoned: total SSL search abandoned (sum)
+ * ftp_server.ssl_srch_abandoned_early: total SSL search abandoned
+ too soon (sum)
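Review bot: the new peg names are inconsistent: `ftp_server.ssl_search_abandoned` spells out "search" while `ftp_server.ssl_srch_abandoned_early` abbreviates it; settle on one form (e.g. `ssl_search_abandoned_early`) before these ship, since peg names appear in the stats output and are awkward to rename later. The help text "total SSL search abandoned too soon" should also say what "too soon" means (how many packets or bytes into the session), as the line alone does not tell the reader.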
5.22. gtp_inspect
--------------
-What: gtp control channel inspection
+Help: gtp control channel inspection
Type: inspector
Usage: inspect
+Instance Type: multiton
+
Configuration:
* int gtp_inspect[].version = 2: GTP version { 0:2 }
--------------
-What: HTTP/2 inspector
+Help: HTTP/2 inspector
Type: inspector
Usage: inspect
+Instance Type: multiton
+
Rules:
* 121:1 (http2_inspect) error in HPACK integer value
--------------
-What: HTTP inspector
+Help: HTTP inspector
Type: inspector
Usage: inspect
+Instance Type: multiton
+
Configuration:
* int http_inspect.request_depth = -1: maximum request message body
--------------
-What: imap inspection
+Help: imap inspection
Type: inspector
Usage: inspect
+Instance Type: multiton
+
Configuration:
* int imap.b64_decode_depth = -1: base64 decoding depth (-1 no
--------------
-What: for testing memory management
+Help: for testing memory management
Type: inspector
Usage: inspect
+Instance Type: singleton
+
Peg counts:
* mem_test.packets: total packets (sum)
--------------
-What: modbus inspection
+Help: modbus inspection
Type: inspector
Usage: inspect
+Instance Type: multiton
+
Rules:
* 144:1 (modbus) length in Modbus MBAP header does not match the
--------------
-What: packet scrubbing for inline mode
+Help: packet scrubbing for inline mode
Type: inspector
Usage: inspect
+Instance Type: singleton
+
Configuration:
* bool normalizer.ip4.base = false: clear options
--------------
-What: trace logger with a null printout
+Help: trace logger with a null printout
Type: inspector
Usage: global
+Instance Type: global
+
5.30. packet_capture
--------------
-What: raw packet dumping facility
+Help: raw packet dumping facility
Type: inspector
Usage: global
+Instance Type: global
+
Configuration:
* bool packet_capture.enable = false: initially enable packet
--------------
-What: performance monitoring and flow statistics collection
+Help: performance monitoring and flow statistics collection
Type: inspector
Usage: global
+Instance Type: global
+
Configuration:
* bool perf_monitor.base = true: enable base statistics
--------------
-What: pop inspection
+Help: pop inspection
Type: inspector
Usage: inspect
+Instance Type: multiton
+
Configuration:
* int pop.b64_decode_depth = -1: base64 decoding depth (-1 no
--------------
-What: detect various ip, icmp, tcp, and udp port or protocol scans
+Help: detect various ip, icmp, tcp, and udp port or protocol scans
Type: inspector
Usage: global
+Instance Type: global
+
Configuration:
* int port_scan.memcap = 10485760: maximum tracker memory in bytes
--------------
-What: reputation inspection
+Help: reputation inspection
Type: inspector
Usage: global
+Instance Type: global
+
Configuration:
* string reputation.blacklist: blacklist file name with IP lists
--------------
-What: Real-time network awareness and OS fingerprinting
+Help: Real-time network awareness and OS fingerprinting
(experimental)
Type: inspector
Usage: context
+Instance Type: global
+
Configuration:
* string rna.rna_conf_path: path to rna configuration
discovery events into logger
* bool rna.log_when_idle = false: enable host update logging when
snort is idle
+ * string rna.dump_file: file name to dump RNA mac cache on
+ shutdown; won’t dump by default
Commands:
* rna.reload_fingerprint(): reload rna database of fingerprint
patterns/signatures
+ * rna.dump_macs(): dump rna’s internal MAC trackers
Peg counts:
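Review bot: `rna.dump_file` is described as dumping the "mac cache on shutdown" and `rna.dump_macs()` as dumping "rna's internal MAC trackers", but the hunk does not say whether the command writes to `dump_file` or somewhere else, what the output format is, or what happens when the path is not writable at shutdown; the two lines also use "mac cache" and "MAC trackers" for what appears to be the same data. Suggest a single term in both help strings, e.g. `string rna.dump_file: file to which the MAC tracker cache is written on shutdown; no dump by default`, and a note on the command saying where it writes.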
--------------
-What: RPC inspector
+Help: RPC inspector
Type: inspector
Usage: inspect
+Instance Type: multiton
+
Rules:
* 106:1 (rpc_decode) fragmented RPC records
--------------
-What: s7commplus inspection
+Help: s7commplus inspection
Type: inspector
Usage: inspect
+Instance Type: multiton
+
Rules:
* 149:1 (s7commplus) length in S7commplus MBAP header does not
--------------
-What: sip inspection
+Help: sip inspection
Type: inspector
Usage: inspect
+Instance Type: multiton
+
Configuration:
* bool sip.ignore_call_channel = false: enables the support for
--------------
-What: smtp inspection
+Help: smtp inspection
Type: inspector
Usage: inspect
+Instance Type: multiton
+
Configuration:
* string smtp.alt_max_command_line_len[].command: command string
* smtp.concurrent_sessions: total concurrent smtp sessions (now)
* smtp.max_concurrent_sessions: maximum concurrent smtp sessions
(max)
+ * smtp.start_tls: total STARTTLS events generated (sum)
+ * smtp.ssl_search_abandoned: total SSL search abandoned (sum)
+ * smtp.ssl_srch_abandoned_early: total SSL search abandoned too
+ soon (sum)
* smtp.b64_attachments: total base64 attachments decoded (sum)
* smtp.b64_decoded_bytes: total base64 decoded bytes (sum)
* smtp.qp_attachments: total quoted-printable attachments decoded
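Review bot: same naming issue as the ftp_server pegs in this patch: `smtp.ssl_search_abandoned` next to `smtp.ssl_srch_abandoned_early`; pick one spelling and apply it in both inspectors. The three new pegs are also inserted between the session counters and the base64 decoding counters; grouping the STARTTLS and SSL-search counters together at the end of the session block (or with any other TLS-related pegs) would make the list easier to scan.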
--------------
-What: a proxy inspector to track flow data from SO rules (internal
+Help: a proxy inspector to track flow data from SO rules (internal
use only)
Type: inspector
Usage: global
+Instance Type: global
+
5.41. ssh
--------------
-What: ssh inspection
+Help: ssh inspection
Type: inspector
Usage: inspect
+Instance Type: multiton
+
Configuration:
* int ssh.max_encrypted_packets = 25: ignore session after this
--------------
-What: ssl inspection
+Help: ssl inspection
Type: inspector
Usage: inspect
+Instance Type: multiton
+
Configuration:
* bool ssl.trust_servers = false: disables requirement that
--------------
-What: common flow tracking
+Help: common flow tracking
Type: inspector
Usage: global
+Instance Type: global
+
Configuration:
* bool stream.ip_frags_only = false: don’t process non-frag flows
--------------
-What: stream inspector for file flow tracking and processing
+Help: stream inspector for file flow tracking and processing
Type: inspector
Usage: inspect
+Instance Type: multiton
+
Configuration:
* bool stream_file.upload = false: indicate file transfer direction
--------------
-What: stream inspector for ICMP flow tracking
+Help: stream inspector for ICMP flow tracking
Type: inspector
Usage: inspect
+Instance Type: multiton
+
Configuration:
* int stream_icmp.session_timeout = 30: session tracking timeout {
--------------
-What: stream inspector for IP flow tracking and defragmentation
+Help: stream inspector for IP flow tracking and defragmentation
Type: inspector
Usage: inspect
+Instance Type: multiton
+
Configuration:
* int stream_ip.max_frags = 8192: maximum number of simultaneous
--------------
-What: stream inspector for TCP flow tracking and stream normalization
+Help: stream inspector for TCP flow tracking and stream normalization
and reassembly
Type: inspector
Usage: inspect
+Instance Type: multiton
+
Configuration:
* int stream_tcp.flush_factor = 0: flush upon seeing a drop in
--------------
-What: stream inspector for UDP flow tracking
+Help: stream inspector for UDP flow tracking
Type: inspector
Usage: inspect
+Instance Type: multiton
+
Configuration:
* int stream_udp.session_timeout = 30: session tracking timeout {
--------------
-What: stream inspector for user flow tracking and reassembly
+Help: stream inspector for user flow tracking and reassembly
Type: inspector
Usage: inspect
+Instance Type: multiton
+
Configuration:
* int stream_user.session_timeout = 30: session tracking timeout {
--------------
-What: telnet inspection and normalization
+Help: telnet inspection and normalization
Type: inspector
Usage: inspect
+Instance Type: multiton
+
Configuration:
* int telnet.ayt_attack_thresh = -1: alert on this number of
--------------
-What: inspector that implements port-independent protocol
+Help: inspector that implements port-independent protocol
identification
Type: inspector
Usage: inspect
+Instance Type: multiton
+
Configuration:
* string wizard.hexes[].service: name of service
--------------
-What: send response to client and terminate session
+Help: send response to client and terminate session
Type: ips_action
--------------
-What: terminate session with TCP reset or ICMP unreachable
+Help: terminate session with TCP reset or ICMP unreachable
Type: ips_action
--------------
-What: overwrite packet contents
+Help: overwrite packet contents
Type: ips_action
--------------
-What: rule option to match on TCP ack numbers
+Help: rule option to match on TCP ack numbers
Type: ips_option
--------------
-What: detection option for application ids
+Help: detection option for application ids
Type: ips_option
--------------
-What: rule option for asn1 detection
+Help: rule option for asn1 detection
Type: ips_option
--------------
-What: rule option to decode base64 data - must be used with
+Help: rule option to decode base64 data - must be used with
base64_data option
Type: ips_option
--------------
-What: rule option to move to the data for a specified BER element
+Help: rule option to move to the data for a specified BER element
Type: ips_option
--------------
-What: rule option to skip BER element
+Help: rule option to skip BER element
Type: ips_option
--------------
-What: rule option to check length of current buffer
+Help: rule option to check length of current buffer
Type: ips_option
--------------
-What: rule option to convert data to an integer variable
+Help: rule option to convert data to an integer variable
Type: ips_option
--------------
-What: rule option to move the detection cursor
+Help: rule option to move the detection cursor
Type: ips_option
--------------
-What: rule option to perform mathematical operations on extracted
+Help: rule option to perform mathematical operations on extracted
value and a specified value or existing variable
Type: ips_option
--------------
-What: rule option to convert data to integer and compare
+Help: rule option to convert data to integer and compare
Type: ips_option
--------------
-What: detection option to match CIP attribute
+Help: detection option to match CIP attribute
Type: ips_option
--------------
-What: detection option to match CIP class
+Help: detection option to match CIP class
Type: ips_option
--------------
-What: detection option to match CIP Connection Path Class
+Help: detection option to match CIP Connection Path Class
Type: ips_option
--------------
-What: detection option to match CIP instance
+Help: detection option to match CIP instance
Type: ips_option
--------------
-What: detection option to match CIP request
+Help: detection option to match CIP request
Type: ips_option
--------------
-What: detection option to match CIP response
+Help: detection option to match CIP response
Type: ips_option
--------------
-What: detection option to match CIP service
+Help: detection option to match CIP service
Type: ips_option
--------------
-What: detection option to match CIP response status
+Help: detection option to match CIP response status
Type: ips_option
--------------
-What: general rule option for rule classification
+Help: general rule option for rule classification
Type: ips_option
--------------
-What: payload rule option for basic pattern matching
+Help: payload rule option for basic pattern matching
Type: ips_option
--------------
-What: payload rule option for detecting specific attacks
+Help: payload rule option for detecting specific attacks
Type: ips_option
--------------
-What: detection option to check dcerpc interface
+Help: detection option to check dcerpc interface
Type: ips_option
--------------
-What: detection option to check dcerpc operation number
+Help: detection option to check dcerpc operation number
Type: ips_option
--------------
-What: sets the cursor to dcerpc stub data
+Help: sets the cursor to dcerpc stub data
Type: ips_option
--------------
-What: rule option to require multiple hits before a rule generates an
+Help: rule option to require multiple hits before a rule generates an
event
Type: ips_option
--------------
-What: sets the cursor to dnp3 data
+Help: sets the cursor to dnp3 data
Type: ips_option
--------------
-What: detection option to check DNP3 function code
+Help: detection option to check DNP3 function code
Type: ips_option
--------------
-What: detection option to check DNP3 indicator flags
+Help: detection option to check DNP3 indicator flags
Type: ips_option
--------------
-What: detection option to check DNP3 object headers
+Help: detection option to check DNP3 object headers
Type: ips_option
--------------
-What: rule option to test payload size
+Help: rule option to test payload size
Type: ips_option
--------------
-What: stub rule option to enable or disable full rule
+Help: stub rule option to enable or disable full rule
Type: ips_option
--------------
-What: detection option to match CIP Enip Command
+Help: detection option to match CIP Enip Command
Type: ips_option
--------------
-What: detection option to match ENIP Request
+Help: detection option to match ENIP Request
Type: ips_option
--------------
-What: detection option to match ENIP response
+Help: detection option to match ENIP response
Type: ips_option
--------------
-What: rule option to set detection cursor to file data
+Help: rule option to set detection cursor to file data
Type: ips_option
--------------
-What: rule option to check file type
+Help: rule option to check file type
Type: ips_option
--------------
-What: rule option to test TCP control flags
+Help: rule option to test TCP control flags
Type: ips_option
--------------
-What: rule option to check session properties
+Help: rule option to check session properties
Type: ips_option
--------------
-What: rule option to set and test arbitrary boolean flags
+Help: rule option to set and test arbitrary boolean flags
Type: ips_option
--------------
-What: rule option to test IP frag flags
+Help: rule option to test IP frag flags
Type: ips_option
--------------
-What: rule option to test IP frag offset
+Help: rule option to test IP frag offset
Type: ips_option
--------------
-What: rule option specifying rule generator
+Help: rule option specifying rule generator
Type: ips_option
--------------
-What: rule option to check gtp info element
+Help: rule option to check gtp info element
Type: ips_option
--------------
-What: rule option to check gtp types
+Help: rule option to check gtp types
Type: ips_option
--------------
-What: rule option to check GTP version
+Help: rule option to check GTP version
Type: ips_option
--------------
-What: rule option to set detection cursor to the decoded HTTP/2
+Help: rule option to set detection cursor to the decoded HTTP/2
header
Type: ips_option
--------------
-What: rule option to set detection cursor to the 9-octet HTTP/2 frame
+Help: rule option to set detection cursor to the 9-octet HTTP/2 frame
header
Type: ips_option
--------------
-What: rule option to set the detection cursor to the request body
+Help: rule option to set the detection cursor to the request body
Type: ips_option
--------------
-What: rule option to set the detection cursor to the HTTP cookie
+Help: rule option to set the detection cursor to the HTTP cookie
Type: ips_option
--------------
-What: rule option to set the detection cursor to the normalized
+Help: rule option to set the detection cursor to the normalized
headers
Type: ips_option
--------------
-What: rule option to set the detection cursor to the HTTP request
+Help: rule option to set the detection cursor to the HTTP request
method
Type: ips_option
--------------
-What: rule option to set the detection cursor to the value of the
+Help: rule option to set the detection cursor to the value of the
specified HTTP parameter key which may be in the query or body
Type: ips_option
--------------
-What: rule option to set the detection cursor to the unnormalized
+Help: rule option to set the detection cursor to the unnormalized
message body
Type: ips_option
--------------
-What: rule option to set the detection cursor to the unnormalized
+Help: rule option to set the detection cursor to the unnormalized
cookie
Type: ips_option
--------------
-What: rule option to set the detection cursor to the unnormalized
+Help: rule option to set the detection cursor to the unnormalized
headers
Type: ips_option
--------------
-What: rule option to set the detection cursor to the unnormalized
+Help: rule option to set the detection cursor to the unnormalized
request line
Type: ips_option
--------------
-What: rule option to set the detection cursor to the unnormalized
+Help: rule option to set the detection cursor to the unnormalized
status line
Type: ips_option
--------------
-What: rule option to set the detection cursor to the unnormalized
+Help: rule option to set the detection cursor to the unnormalized
trailers
Type: ips_option
--------------
-What: rule option to set the detection cursor to the unnormalized URI
+Help: rule option to set the detection cursor to the unnormalized URI
Type: ips_option
--------------
-What: rule option to set the detection cursor to the HTTP status code
+Help: rule option to set the detection cursor to the HTTP status code
Type: ips_option
--------------
-What: rule option to set the detection cursor to the HTTP status
+Help: rule option to set the detection cursor to the HTTP status
message
Type: ips_option
--------------
-What: rule option to set the detection cursor to the normalized
+Help: rule option to set the detection cursor to the normalized
trailers
Type: ips_option
--------------
-What: rule option to set the detection cursor to the final client IP
+Help: rule option to set the detection cursor to the final client IP
address
Type: ips_option
--------------
-What: rule option to set the detection cursor to the normalized URI
+Help: rule option to set the detection cursor to the normalized URI
buffer
Type: ips_option
--------------
-What: rule option to set the detection cursor to the version buffer
+Help: rule option to set the detection cursor to the version buffer
Type: ips_option
--------------
-What: rule option to check ICMP ID
+Help: rule option to check ICMP ID
Type: ips_option
--------------
-What: rule option to check ICMP sequence number
+Help: rule option to check ICMP sequence number
Type: ips_option
--------------
-What: rule option to check ICMP code
+Help: rule option to check ICMP code
Type: ips_option
--------------
-What: rule option to check the IP ID field
+Help: rule option to check the IP ID field
Type: ips_option
--------------
-What: rule option to check the IP protocol number
+Help: rule option to check the IP protocol number
Type: ips_option
--------------
-What: rule option to check for IP options
+Help: rule option to check for IP options
Type: ips_option
--------------
-What: rule option to check for the presence of payload data
+Help: rule option to check for the presence of payload data
Type: ips_option
--------------
-What: rule option to check ICMP type
+Help: rule option to check ICMP type
Type: ips_option
--------------
-What: payload rule option for hash matching
+Help: payload rule option for hash matching
Type: ips_option
--------------
-What: rule option for conveying arbitrary comma-separated name, value
+Help: rule option for conveying arbitrary comma-separated name, value
data within the rule text
Type: ips_option
--------------
-What: rule option to set cursor to modbus data
+Help: rule option to set cursor to modbus data
Type: ips_option
--------------
-What: rule option to check modbus function code
+Help: rule option to check modbus function code
Type: ips_option
--------------
-What: rule option to check Modbus unit ID
+Help: rule option to check Modbus unit ID
Type: ips_option
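Review bot: the three Modbus entries are inconsistent about the protocol name: "modbus data" and "modbus function code" use lower case while this hunk's "Modbus unit ID" capitalizes it. These strings are what --help-modules and the new --help-modules-json print next to the module name, so settle on one spelling (Modbus, as a proper noun) for all three while the lines are being rewritten anyway.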
--------------
-What: rule option summarizing rule purpose output with events
+Help: rule option summarizing rule purpose output with events
Type: ips_option
--------------
-What: detection for TCP maximum segment size
+Help: detection for TCP maximum segment size
Type: ips_option
--------------
-What: rule option for matching payload data with pcre
+Help: rule option for matching payload data with pcre
Type: ips_option
--------------
-What: rule option to set the detection cursor to the normalized
+Help: rule option to set the detection cursor to the normalized
packet data
Type: ips_option
--------------
-What: alert on raw packet number
+Help: alert on raw packet number
Type: ips_option
--------------
-What: rule option for prioritizing events
+Help: rule option for prioritizing events
Type: ips_option
--------------
-What: rule option to set the detection cursor to the raw packet data
+Help: rule option to set the detection cursor to the raw packet data
Type: ips_option
--------------
-What: rule option to indicate relevant attack identification system
+Help: rule option to indicate relevant attack identification system
Type: ips_option
--------------
-What: rule option for matching payload data with hyperscan regex;
+Help: rule option for matching payload data with hyperscan regex;
uses pcre syntax
Type: ips_option
--------------
-What: rule option to convey an arbitrary comment in the rule body
+Help: rule option to convey an arbitrary comment in the rule body
Type: ips_option
--------------
-What: rule option to overwrite payload data; use with rewrite action
+Help: rule option to overwrite payload data; use with rewrite action
Type: ips_option
--------------
-What: rule option to indicate current revision of signature
+Help: rule option to indicate current revision of signature
Type: ips_option
--------------
-What: rule option to check SUNRPC CALL parameters
+Help: rule option to check SUNRPC CALL parameters
Type: ips_option
--------------
-What: rule option to set cursor to s7commplus content
+Help: rule option to set cursor to s7commplus content
Type: ips_option
--------------
-What: rule option to check s7commplus function code
+Help: rule option to check s7commplus function code
Type: ips_option
--------------
-What: rule option to check s7commplus opcode code
+Help: rule option to check s7commplus opcode code
Type: ips_option
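Review bot: "s7commplus opcode code" is redundant; "rule option to check s7commplus opcode" reads correctly and matches the sibling "rule option to check s7commplus function code". Since this hunk already rewrites the line, fix the wording in the same change rather than carrying it into the renamed field.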
--------------
-What: rule option for detecting sensitive data
+Help: rule option for detecting sensitive data
Type: ips_option
--------------
-What: rule option to check TCP sequence number
+Help: rule option to check TCP sequence number
Type: ips_option
--------------
-What: rule option to specify list of services for grouping rules
+Help: rule option to specify list of services for grouping rules
Type: ips_option
--------------
-What: payload rule option for hash matching
+Help: payload rule option for hash matching
Type: ips_option
--------------
-What: payload rule option for hash matching
+Help: payload rule option for hash matching
Type: ips_option
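Review bot: this is the third ips_option entry whose help reads exactly "payload rule option for hash matching" (the first appears several hunks up, between the ICMP type and the metadata entries). Each entry is a distinct module, and the module listings show only this one-line text beside the module name, so identical help gives a rule writer no way to tell the three apart. State which digest algorithm each one matches, the way the Modbus and s7commplus entries name the field they check.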
--------------
-What: rule option to indicate signature number
+Help: rule option to indicate signature number
Type: ips_option
--------------
-What: rule option to set the detection cursor to the request body
+Help: rule option to set the detection cursor to the request body
Type: ips_option
--------------
-What: rule option to set the detection cursor to the SIP header
+Help: rule option to set the detection cursor to the SIP header
buffer
Type: ips_option
--------------
-What: detection option for sip stat code
+Help: detection option for sip stat code
Type: ips_option
--------------
-What: detection option for sip stat code
+Help: detection option for sip stat code
Type: ips_option
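Review bot: two consecutive entries carry the identical help "detection option for sip stat code". Each entry is a separate module, and the SIP entries just above describe different buffers (request body, SIP header), so one of these two almost certainly describes a different SIP option whose help was copied rather than written; give it its own description. While here, the HTTP entries at the top of this section spell out "status" ("HTTP status message"), so "stat code" should read "status code" for consistency.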
--------------
-What: rule option to call custom eval function
+Help: rule option to call custom eval function
Type: ips_option
--------------
-What: rule option to specify a shared object rule ID
+Help: rule option to specify a shared object rule ID
Type: ips_option
--------------
-What: detection option for ssl state
+Help: detection option for ssl state
Type: ips_option
--------------
-What: detection option for ssl version
+Help: detection option for ssl version
Type: ips_option
--------------
-What: detection option for stream reassembly control
+Help: detection option for stream reassembly control
Type: ips_option
--------------
-What: detection option for stream size checking
+Help: detection option for stream size checking
Type: ips_option
--------------
-What: rule option to log additional packets
+Help: rule option to log additional packets
Type: ips_option
--------------
-What: rule option to indicate target of attack
+Help: rule option to indicate target of attack
Type: ips_option
--------------
-What: rule option to check type of service field
+Help: rule option to check type of service field
Type: ips_option
--------------
-What: rule option to check time to live field
+Help: rule option to check time to live field
Type: ips_option
--------------
-What: detection for TCP urgent pointer
+Help: detection for TCP urgent pointer
Type: ips_option
--------------
-What: rule option to check TCP window field
+Help: rule option to check TCP window field
Type: ips_option
--------------
-What: detection for TCP window scale
+Help: detection for TCP window scale
Type: ips_option
--------------
-What: output event in csv format
+Help: output event in csv format
Type: logger
--------------
-What: output gid:sid:rev for alerts
+Help: output gid:sid:rev for alerts
Type: logger
--------------
-What: output event with brief text format
+Help: output event with brief text format
Type: logger
--------------
-What: output event with full packet dump
+Help: output event with full packet dump
Type: logger
--------------
-What: output event in json format
+Help: output event in json format
Type: logger
--------------
-What: output event over socket
+Help: output event over socket
Type: logger
--------------
-What: output event to syslog
+Help: output event to syslog
Type: logger
--------------
-What: output event in Talos alert format
+Help: output event in Talos alert format
Type: logger
--------------
-What: output event over unix socket
+Help: output event over unix socket
Type: logger
--------------
-What: log protocols in packet by layer
+Help: log protocols in packet by layer
Type: logger
--------------
-What: output payload suitable for daq hext
+Help: output payload suitable for daq hext
Type: logger
--------------
-What: log packet in pcap format
+Help: log packet in pcap format
Type: logger
--------------
-What: output event and packet in unified2 format file
+Help: output event and packet in unified2 format file
Type: logger
* --help-limits print the int upper bounds denoted by max*
* --help-module <module> output description of given module
* --help-modules list all available modules with brief help
+ * --help-modules-json dump description of all available modules in
+ JSON format
* --help-options [<option prefix>] output matching command line
option quick help (same as -?) (optional)
* --help-plugins list all available plugins with brief help
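Review bot: the new --help-modules-json entry gets a one-line description but nothing documents the JSON it emits: the field names, or how the Type, Help and parameter tables shown elsewhere in this manual are represented. Anyone scripting against the output will need that, and without a stated schema the text and JSON listings can drift apart silently. At minimum say that the JSON carries the same fields as --help-modules, and generate both from the same module metadata so they cannot disagree.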
* int rev.~: revision { 1:max32 }
* bool rewrite.disable_replace = false: disable replace of packet
contents with rewrite rules
+ * string rna.dump_file: file name to dump RNA mac cache on
+ shutdown; won’t dump by default
* bool rna.enable_logger = true: enable or disable writing
discovery events into logger
* string rna.fingerprint_dir: directory to fingerprint patterns
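Review bot: rna.dump_file writes the RNA MAC cache to an operator-chosen path at shutdown, but the entry does not say whether an existing file is truncated or appended to, what permissions it is created with, or what the dump contains. The cache is an inventory of observed hosts and their MAC addresses, so the documentation should tell the operator to point it at a directory writable only by the Snort user and not world-readable, and the implementation should create the file with restrictive permissions rather than whatever the process umask allows. The "won't dump by default" wording is fine, but also state what happens when the option is set and the path is not writable at shutdown: that should be logged, not dropped silently.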
* implied snort.--help: list command line options
* string snort.--help-module: <module> output description of given
module
+ * implied snort.--help-modules-json: dump description of all
+ available modules in JSON format
* implied snort.--help-modules: list all available modules with
brief help
* string snort.--help-options: [<option prefix>] output matching
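Review bot: ordering: in this hunk snort.--help-modules-json is inserted before snort.--help-modules, whereas the command line listing earlier in this page puts --help-modules first. The list is otherwise sorted by option name, and "--help-modules" sorts before "--help-modules-json", so move the new entry down one line to keep the sort order.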
(now)
* ftp_server.max_concurrent_sessions: maximum concurrent FTP
sessions (max)
+ * ftp_server.ssl_search_abandoned: total SSL search abandoned (sum)
+ * ftp_server.ssl_srch_abandoned_early: total SSL search abandoned
+ too soon (sum)
+ * ftp_server.start_tls: total STARTTLS events generated (sum)
* ftp_server.total_bytes: total number of bytes processed (sum)
* ftp_server.total_packets: total packets (sum)
* gtp_inspect.concurrent_sessions: total concurrent gtp sessions
(sum)
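Review bot: peg naming is inconsistent within the hunk: ssl_search_abandoned spells out "search" while ssl_srch_abandoned_early abbreviates it, and the smtp hunk below repeats the same pair. Pick one form (ssl_search_abandoned_early) before these names ship; peg counts end up in monitoring dashboards and renaming them later breaks those. The help text should also say what "abandoned" means, presumably that the inspector stopped looking for a TLS handshake after a STARTTLS event, and how "too soon" differs from the plain count, since "total SSL search abandoned" and "total SSL search abandoned too soon" do not explain the distinction on their own.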
* smtp.qp_decoded_bytes: total quoted-printable decoded bytes (sum)
* smtp.sessions: total smtp sessions (sum)
+ * smtp.ssl_search_abandoned: total SSL search abandoned (sum)
+ * smtp.ssl_srch_abandoned_early: total SSL search abandoned too
+ soon (sum)
+ * smtp.start_tls: total STARTTLS events generated (sum)
* smtp.total_bytes: total number of bytes processed (sum)
* smtp.uu_attachments: total uu attachments decoded (sum)
* smtp.uu_decoded_bytes: total uu decoded bytes (sum)
on host pairs
* rna.reload_fingerprint(): reload rna database of fingerprint
patterns/signatures
+ * rna.dump_macs(): dump rna’s internal MAC trackers
* snort.show_plugins(): show available plugins
* snort.delete_inspector(inspector): delete an inspector from the
default policy
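Review bot: "dump rna's internal MAC trackers" does not say where the dump goes. The configuration hunk above adds rna.dump_file for the shutdown dump; state whether this control command writes to that same file, to a path given as an argument (the signature shows none, unlike snort.delete_inspector(inspector)), or back over the control channel, and whether the output format matches the shutdown dump. Since the output is the observed-host inventory, a sentence that it should be handled as such would not hurt.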