src/service_inspectors/gtp/Makefile \
src/service_inspectors/imap/Makefile \
src/service_inspectors/modbus/Makefile \
-src/service_inspectors/nhttp_inspect/Makefile \
-src/service_inspectors/nhttp_inspect/test/Makefile \
+src/service_inspectors/http_inspect/Makefile \
+src/service_inspectors/http_inspect/test/Makefile \
src/service_inspectors/pop/Makefile \
src/service_inspectors/rpc_decode/Makefile \
src/service_inspectors/sip/Makefile \
</div></div>\r
<div class="paragraph"><p>to your snort.lua configuration file. Or you can read it in the source code\r
under src/service_inspectors/http_inspect.</p></div>\r
-<div class="paragraph"><p>The classic HTTP preprocessor is still available in the alpha release\r
-under extra/src/inspectors/http_server. Be sure not to configure both old and new HTTP inspectors\r
-at the same time.</p></div>\r
+<div class="paragraph"><p>The classic HTTP preprocessor is still available in the alpha release under\r
+extra. It has been renamed http_server. Be sure not to configure both old\r
+and new HTTP inspectors at the same time.</p></div>\r
<div class="paragraph"><p>So why a new HTTP inspector?</p></div>\r
<div class="paragraph"><p>For starters it is object-oriented. That’s good for us because we maintain\r
this software. But it should also be really nice for open-source\r
the new HTTP inspector’s knowledge of HTTP is centralized in a series of\r
tables where it can be easily reviewed and modified. Many significant\r
changes can be made just by updating these tables.</p></div>\r
-<div class="paragraph"><p>The new http_inspect is the first inspector written specifically for the new\r
+<div class="paragraph"><p>Http_inspect is the first inspector written specifically for the new\r
Snort 3.0 architecture. That provides access to one of the very best\r
-features of Snort 3.0: purely PDU-based inspection. Classic http_inspect\r
+features of Snort 3.0: purely PDU-based inspection. The classic preprocessor\r
processes HTTP messages, but even while doing so it is constantly aware of\r
IP packets and how they divide up the TCP data stream. The same HTTP\r
message might be processed differently depending on how the sender (bad\r
guy) divided it up into IP packets.</p></div>\r
-<div class="paragraph"><p>The new http_inspect is free of this burden and can focus exclusively on\r
-HTTP. That makes it much more simple, easier to test, and less prone to false\r
+<div class="paragraph"><p>Http_inspect is free of this burden and can focus exclusively on HTTP.\r
+That makes it much simpler, easier to test, and less prone to false\r
positives. It also greatly reduces the opportunity for adversaries to probe\r
the inspector for weak spots by adjusting packet boundaries to disguise bad\r
behavior.</p></div>\r
<div class="paragraph"><p>Dealing solely with HTTP messages also opens the door for developing major\r
-new features. The new http_inspect design supports true stateful\r
+new features. The http_inspect design supports true stateful\r
processing. Want to ask questions that involve both the client request and\r
the server response? Or different requests in the same session? These\r
things are possible.</p></div>\r
HTTP/1.1, but rather a separate protocol layer that runs under HTTP/1.1 and\r
on top of TLS or TCP. It’s a perfect fit for the new Snort 3.0 architecture\r
because a new HTTP/2 inspector would naturally output HTTP/1.1 messages but\r
-not any underlying packets. Exactly what the new http_inspect wants to input.</p></div>\r
-<div class="paragraph"><p>The new http_inspect is taking a very different approach to HTTP header fields.\r
-Classic http_inspect divides all the HTTP headers following the start line\r
+not any underlying packets. Exactly what http_inspect wants to input.</p></div>\r
+<div class="paragraph"><p>Http_inspect is taking a very different approach to HTTP header fields.\r
+The classic preprocessor divides all the HTTP headers following the start line\r
into cookies and everything else. It normalizes the two pieces using a\r
generic process and puts them in buffers that one can write rules against.\r
There is some limited support for examining individual headers within the\r
</div>\r
<div class="sect2">\r
<h3 id="_binder_and_wizard">Binder and Wizard</h3>\r
-<div class="paragraph"><p>One of the fundamental differences between Snort and Snort++ concerns configuration related to networks and ports. Here is a brief review of Snort’s configuration for network and service related components:</p></div>\r
+<div class="paragraph"><p>One of the fundamental differences between Snort and Snort++ concerns configuration\r
+related to networks and ports. Here is a brief review of Snort’s configuration for\r
+network and service related components:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
</li>\r
<li>\r
<p>\r
-<strong>116:468</strong> (decode) too many protocols present\r
+<strong>116:472</strong> (decode) too many protocols present\r
</p>\r
</li>\r
</ul></div>\r
string <strong>side_channel.connectors[].connector</strong>: connector handle\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+string <strong>side_channel.connector</strong>: connector handle\r
+</p>\r
+</li>\r
</ul></div>\r
<div class="paragraph"><p>Peg counts:</p></div>\r
</div>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
+<h3 id="_ciscometadata">ciscometadata</h3>\r
+<div class="paragraph"><p>What: support for cisco metadata</p></div>\r
+<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+<strong>116:468</strong> (ciscometadata) truncated Cisco Metadata header\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>116:469</strong> (ciscometadata) invalid Cisco Metadata option length\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>116:470</strong> (ciscometadata) invalid Cisco Metadata option type\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>116:471</strong> (ciscometadata) invalid Cisco Metadata SGT\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
<h3 id="_erspan2">erspan2</h3>\r
<div class="paragraph"><p>What: support for encapsulated remote switched port analyzer - type 2</p></div>\r
<div class="paragraph"><p>Type: codec</p></div>\r
</li>\r
<li>\r
<p>\r
+<strong>appid.rsync_flows</strong>: count of rsync service flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>appid.smtp_flows</strong>: count of smtp flows discovered by appid\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>http_inspect.normalize_utf</strong> = true: normalize charset utf encodings\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
bit_list <strong>http_inspect.bad_characters</strong>: alert when any of specified bytes are present in URI after percent decoding { 255 }\r
</p>\r
</li>\r
<strong>119:75</strong> (http_inspect) Misformatted HTTP traffic\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+<strong>119:76</strong> (http_inspect) Unsupported Transfer-Encoding or Content-Encoding used\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>119:77</strong> (http_inspect) Unknown Transfer-Encoding or Content-Encoding used\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>119:78</strong> (http_inspect) Multiple layers of compression encodings applied\r
+</p>\r
+</li>\r
</ul></div>\r
<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>rpc.~app</strong>: application number\r
+int <strong>rpc.~app</strong>: application number\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>rpc.~ver</strong>: version number or * for any\r
+int <strong>rpc.ver</strong>: version number or * for any\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>rpc.~proc</strong>: procedure number or * for any\r
+int <strong>rpc.proc</strong>: procedure number or * for any\r
</p>\r
</li>\r
</ul></div>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
+<h3 id="_alert_sfsocket">alert_sfsocket</h3>\r
+<div class="paragraph"><p>What: output event over socket</p></div>\r
+<div class="paragraph"><p>Type: logger</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+string <strong>alert_sfsocket.file</strong>: name of unix socket file\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>alert_sfsocket.rules[].gid</strong> = 1: rule generator ID { 1: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>alert_sfsocket.rules[].sid</strong> = 1: rule signature ID { 1: }\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
<h3 id="_alert_syslog">alert_syslog</h3>\r
<div class="paragraph"><p>What: output event to syslog</p></div>\r
<div class="paragraph"><p>Type: logger</p></div>\r
</li>\r
<li>\r
<p>\r
+<strong>-A</strong> <mode> set alert mode: none, cmg, or alert_*\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>-B</strong> <mask> obfuscated IP addresses in alerts and packet dumps using CIDR mask\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>--bpf</strong> <filter options> are standard BPF options, as seen in TCPDump\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>--create-pidfile</strong> create PID file, even when not in Daemon mode\r
+<strong>-c</strong> <conf> use this configuration\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--daq</strong> <type> select packet acquisition module (default is pcap)\r
+<strong>-C</strong> print out payloads with character data only (no hex)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>--create-pidfile</strong> create PID file, even when not in Daemon mode\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>--daq</strong> <type> select packet acquisition module (default is pcap)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>--daq-var</strong> <name=value> specify extra DAQ configuration variable\r
</p>\r
</li>\r
<li>\r
<p>\r
+<strong>-d</strong> dump the Application Layer\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>--dirty-pig</strong> don’t flush packets on shutdown\r
</p>\r
</li>\r
<li>\r
<p>\r
+<strong>-D</strong> run Snort in background (daemon) mode\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>--dump-builtin-rules</strong> [<module prefix>] output stub rules for selected modules\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>-e</strong> display the second layer header info\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>--enable-inline-test</strong> enable Inline-Test Mode Operation\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--help</strong> list command line options\r
+<strong>-f</strong> turn off fflush() calls after binary log writes\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>-G</strong> <0xid> (same as --logid) (0:65535)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>-g</strong> <gname> run snort gid as <gname> group (or gid) after initialization\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>--help</strong> list command line options\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>--help-module</strong> <module> output description of given module\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>-H</strong> make hash tables deterministic\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>--id-subdir</strong> create/use instance subdirectories in logdir instead of instance filename prefix\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>-i</strong> <iface>… list of interfaces\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>-j</strong> <port> to listen for telnet connections\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>-k</strong> <mode> checksum mode; default is all (all|noip|notcp|noudp|noicmp|none)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>--list-buffers</strong> output available inspection buffers\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>-l</strong> <logdir> log to this directory instead of current directory\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>-L</strong> <mode> logging mode (none, dump, pcap, or log_*)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>--logid</strong> <0xid> log Identifier to uniquely id events for multiple snorts (same as -G) (0:65535)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>-M</strong> log messages to syslog (not alerts)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>-m</strong> <umask> set umask = <umask> (0:)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>-n</strong> <count> stop after count packets (0:)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>--nolock-pidfile</strong> do not try to lock Snort PID file\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>-O</strong> obfuscate the logged IP addresses\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>-?</strong> <option prefix> output matching command line option quick help (same as --help-options) (optional)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>--pause</strong> wait for resume/quit command before processing packets/terminating\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>-Q</strong> enable inline mode operation\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>-q</strong> quiet mode - Don’t show banner and status report\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>-r</strong> <pcap>… (same as --pcap-list)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>-R</strong> <rules> include this rules file in the default policy\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>--rule</strong> <rules> to be added to configuration; may be repeated\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>--stdin-rules</strong> read rules from stdin until EOF or a line starting with END is read\r
+<strong>-s</strong> <snap> (same as --snaplen); default is 1514 (68:65535)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--treat-drop-as-alert</strong> converts drop, sdrop, and reject rules into alert rules during startup\r
+<strong>--stdin-rules</strong> read rules from stdin until EOF or a line starting with END is read\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--treat-drop-as-ignore</strong> use drop, sdrop, and reject rules to ignore session traffic when not inline\r
+<strong>-S</strong> <x=v> set config variable x equal to value v\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--version</strong> show version number (same as -V)\r
+<strong>-t</strong> <dir> chroots process to <dir> after initialization\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--warn-all</strong> enable all warnings\r
+<strong>--treat-drop-as-alert</strong> converts drop, sdrop, and reject rules into alert rules during startup\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--warn-conf</strong> warn about configuration issues\r
+<strong>--treat-drop-as-ignore</strong> use drop, sdrop, and reject rules to ignore session traffic when not inline\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--warn-daq</strong> warn about DAQ issues, usually related to mode\r
+<strong>-T</strong> test and report on the current Snort configuration\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--warn-flowbits</strong> warn about flowbits that are checked but not set and vice-versa\r
+<strong>-u</strong> <uname> run snort as <uname> or <uid> after initialization\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--warn-hosts</strong> warn about host table issues\r
+<strong>-U</strong> use UTC for timestamps\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--warn-plugins</strong> warn about issues that prevent plugins from loading\r
+<strong>-v</strong> be verbose\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--warn-rules</strong> warn about duplicate rules and rule parsing issues\r
+<strong>--version</strong> show version number (same as -V)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--warn-scripts</strong> warn about issues discovered while processing Lua scripts\r
+<strong>-V</strong> (same as --version)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--warn-symbols</strong> warn about unknown symbols in your Lua config\r
+<strong>--warn-all</strong> enable all warnings\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--warn-vars</strong> warn about variable definition and usage issues\r
+<strong>--warn-conf</strong> warn about configuration issues\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--x2c</strong> output ASCII char for given hex (see also --c2x)\r
+<strong>--warn-daq</strong> warn about DAQ issues, usually related to mode\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--x2s</strong> output ASCII string for given byte code (see also --x2c)\r
+<strong>--warn-flowbits</strong> warn about flowbits that are checked but not set and vice-versa\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-?</strong> <option prefix> output matching command line option quick help (same as --help-options) (optional)\r
+<strong>--warn-hosts</strong> warn about host table issues\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-A</strong> <mode> set alert mode: none, cmg, or alert_*\r
+<strong>--warn-plugins</strong> warn about issues that prevent plugins from loading\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-B</strong> <mask> obfuscated IP addresses in alerts and packet dumps using CIDR mask\r
+<strong>--warn-rules</strong> warn about duplicate rules and rule parsing issues\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-C</strong> print out payloads with character data only (no hex)\r
+<strong>--warn-scripts</strong> warn about issues discovered while processing Lua scripts\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-D</strong> run Snort in background (daemon) mode\r
+<strong>--warn-symbols</strong> warn about unknown symbols in your Lua config\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-G</strong> <0xid> (same as --logid) (0:65535)\r
+<strong>--warn-vars</strong> warn about variable definition and usage issues\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-H</strong> make hash tables deterministic\r
+<strong>-w</strong> dump 802.11 management and control frames\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-L</strong> <mode> logging mode (none, dump, pcap, or log_*)\r
+<strong>-W</strong> lists available interfaces\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-M</strong> log messages to syslog (not alerts)\r
+<strong>--x2c</strong> output ASCII char for given hex (see also --c2x)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-O</strong> obfuscate the logged IP addresses\r
+<strong>--x2s</strong> output ASCII string for given byte code (see also --x2c)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-Q</strong> enable inline mode operation\r
+<strong>-X</strong> dump the raw packet data starting at the link layer\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-R</strong> <rules> include this rules file in the default policy\r
+<strong>-x</strong> same as --pedantic\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-S</strong> <x=v> set config variable x equal to value v\r
+<strong>-y</strong> include year in timestamp in the alert and log files\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-T</strong> test and report on the current Snort configuration\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-U</strong> use UTC for timestamps\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-V</strong> (same as --version)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-W</strong> lists available interfaces\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-X</strong> dump the raw packet data starting at the link layer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-c</strong> <conf> use this configuration\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-d</strong> dump the Application Layer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-e</strong> display the second layer header info\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-f</strong> turn off fflush() calls after binary log writes\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-g</strong> <gname> run snort gid as <gname> group (or gid) after initialization\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-i</strong> <iface>… list of interfaces\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-j</strong> <port> to listen for telnet connections\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-k</strong> <mode> checksum mode; default is all (all|noip|notcp|noudp|noicmp|none)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-l</strong> <logdir> log to this directory instead of current directory\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-m</strong> <umask> set umask = <umask> (0:)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-n</strong> <count> stop after count packets (0:)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-q</strong> quiet mode - Don’t show banner and status report\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-r</strong> <pcap>… (same as --pcap-list)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-s</strong> <snap> (same as --snaplen); default is 1514 (68:65535)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-t</strong> <dir> chroots process to <dir> after initialization\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-u</strong> <uname> run snort as <uname> or <uid> after initialization\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-v</strong> be verbose\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-w</strong> dump 802.11 management and control frames\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-x</strong> same as --pedantic\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-y</strong> include year in timestamp in the alert and log files\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>-z</strong> <count> maximum number of packet threads (same as --max-packet-threads); 0 gets the number of CPU cores reported by the system; default is 1 (0:)\r
+<strong>-z</strong> <count> maximum number of packet threads (same as --max-packet-threads); 0 gets the number of CPU cores reported by the system; default is 1 (0:)\r
</p>\r
</li>\r
</ul></div>\r
</li>\r
<li>\r
<p>\r
-enum <strong>alert_syslog.facility</strong> = auth: part of priority applied to each message { auth | authpriv | daemon | user | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 }\r
+bool <strong>alerts.alert_with_interface_name</strong> = false: include interface in alert info (fast, full, or syslog only)\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>alert_syslog.level</strong> = info: part of priority applied to each message { emerg | alert | crit | err | warning | notice | info | debug }\r
+bool <strong>alerts.default_rule_state</strong> = true: enable or disable ips rules\r
</p>\r
</li>\r
<li>\r
<p>\r
-multi <strong>alert_syslog.options</strong>: used to open the syslog connection { cons | ndelay | perror | pid }\r
+int <strong>alerts.detection_filter_memcap</strong> = 1048576: set available memory for filters { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>alerts.alert_with_interface_name</strong> = false: include interface in alert info (fast, full, or syslog only)\r
+int <strong>alerts.event_filter_memcap</strong> = 1048576: set available memory for filters { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>alerts.default_rule_state</strong> = true: enable or disable ips rules\r
+string <strong>alert_sfsocket.file</strong>: name of unix socket file\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>alerts.detection_filter_memcap</strong> = 1048576: set available memory for filters { 0: }\r
+int <strong>alert_sfsocket.rules[].gid</strong> = 1: rule generator ID { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>alerts.event_filter_memcap</strong> = 1048576: set available memory for filters { 0: }\r
+int <strong>alert_sfsocket.rules[].sid</strong> = 1: rule signature ID { 1: }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+enum <strong>alert_syslog.facility</strong> = auth: part of priority applied to each message { auth | authpriv | daemon | user | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+enum <strong>alert_syslog.level</strong> = info: part of priority applied to each message { emerg | alert | crit | err | warning | notice | info | debug }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+multi <strong>alert_syslog.options</strong>: used to open the syslog connection { cons | ndelay | perror | pid }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>appid.app_detector_dir</strong>: directory to load AppId detectors from\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-string <strong>appid.thirdparty_appid_dir</strong>: directory to load thirdparty AppId detectors from\r
+string <strong>appids.~</strong>: appid option\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>appids.~</strong>: appid option\r
+string <strong>appid.thirdparty_appid_dir</strong>: directory to load thirdparty AppId detectors from\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+int <strong>byte_extract.~count</strong>: number of bytes to pick up from the buffer { 1:10 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>byte_extract.dce</strong>: dcerpc2 determines endianness\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-implied <strong>byte_extract.oct</strong>: convert from octal string\r
+string <strong>byte_extract.~name</strong>: name of the variable that will be used in other rule options\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>byte_extract.relative</strong>: offset from cursor instead of start of buffer\r
+implied <strong>byte_extract.oct</strong>: convert from octal string\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>byte_extract.string</strong>: convert from string\r
+int <strong>byte_extract.~offset</strong>: number of bytes into the buffer to start processing { -65535:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>byte_extract.~count</strong>: number of bytes to pick up from the buffer { 1:10 }\r
+implied <strong>byte_extract.relative</strong>: offset from cursor instead of start of buffer\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>byte_extract.~name</strong>: name of the variable that will be used in other rule options\r
+implied <strong>byte_extract.string</strong>: convert from string\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>byte_extract.~offset</strong>: number of bytes into the buffer to start processing { -65535:65535 }\r
+int <strong>byte_jump.align</strong> = 0: round the number of converted bytes up to the next 2- or 4-byte boundary { 0:4 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>byte_jump.align</strong> = 0: round the number of converted bytes up to the next 2- or 4-byte boundary { 0:4 }\r
+implied <strong>byte_jump.big</strong>: big endian\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>byte_jump.big</strong>: big endian\r
+int <strong>byte_jump.~count</strong>: number of bytes to pick up from the buffer { 1:10 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+string <strong>byte_jump.~offset</strong>: variable name or number of bytes into the buffer to start processing\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>byte_jump.post_offset</strong> = 0: also skip forward or backwards (positive of negative value) this number of bytes { -65535:65535 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>byte_jump.~count</strong>: number of bytes to pick up from the buffer { 1:10 }\r
+implied <strong>byte_test.big</strong>: big endian\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>byte_jump.~offset</strong>: variable name or number of bytes into the buffer to start processing\r
+string <strong>byte_test.~compare</strong>: variable name or value to test the converted result against\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>byte_test.big</strong>: big endian\r
+int <strong>byte_test.~count</strong>: number of bytes to pick up from the buffer { 1:10 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-implied <strong>byte_test.relative</strong>: offset from cursor instead of start of buffer\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>byte_test.string</strong>: convert from string\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>byte_test.~compare</strong>: variable name or value to test the converted result against\r
+string <strong>byte_test.~offset</strong>: variable name or number of bytes into the payload to start processing\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>byte_test.~count</strong>: number of bytes to pick up from the buffer { 1:10 }\r
+string <strong>byte_test.~operator</strong>: variable name or number of bytes into the buffer to start processing\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>byte_test.~offset</strong>: variable name or number of bytes into the payload to start processing\r
+implied <strong>byte_test.relative</strong>: offset from cursor instead of start of buffer\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>byte_test.~operator</strong>: variable name or number of bytes into the buffer to start processing\r
+implied <strong>byte_test.string</strong>: convert from string\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>content.depth</strong>: var or maximum number of bytes to search from beginning of buffer\r
+string <strong>content.~data</strong>: data to match\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>content.distance</strong>: var or number of bytes from cursor to start search\r
+string <strong>content.depth</strong>: var or maximum number of bytes to search from beginning of buffer\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>content.fast_pattern</strong>: use this content in the fast pattern matcher instead of the content selected by default\r
+string <strong>content.distance</strong>: var or number of bytes from cursor to start search\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-implied <strong>content.nocase</strong>: case insensitive match\r
+implied <strong>content.fast_pattern</strong>: use this content in the fast pattern matcher instead of the content selected by default\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>content.offset</strong>: var or number of bytes from start of buffer to start search\r
+implied <strong>content.nocase</strong>: case insensitive match\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>content.within</strong>: var or maximum number of bytes to search from cursor\r
+string <strong>content.offset</strong>: var or number of bytes from start of buffer to start search\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>content.~data</strong>: data to match\r
+string <strong>content.within</strong>: var or maximum number of bytes to search from cursor\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>detection.pcre_enable</strong> = true: disable pcre pattern matching\r
+int <strong>detection_filter.count</strong>: hits in interval before allowing the rule to fire { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>detection.pcre_match_limit</strong> = 1500: limit pcre backtracking, -1 = max, 0 = off { -1:1000000 }\r
+int <strong>detection_filter.seconds</strong>: length of interval to count hits { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>detection.pcre_match_limit_recursion</strong> = 1500: limit pcre stack consumption, -1 = max, 0 = off { -1:10000 }\r
+enum <strong>detection_filter.track</strong>: track hits by source or destination IP address { by_src | by_dst }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>detection_filter.count</strong>: hits in interval before allowing the rule to fire { 1: }\r
+bool <strong>detection.pcre_enable</strong> = true: disable pcre pattern matching\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>detection_filter.seconds</strong>: length of interval to count hits { 1: }\r
+int <strong>detection.pcre_match_limit</strong> = 1500: limit pcre backtracking, -1 = max, 0 = off { -1:1000000 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>detection_filter.track</strong>: track hits by source or destination IP address { by_src | by_dst }\r
+int <strong>detection.pcre_match_limit_recursion</strong> = 1500: limit pcre stack consumption, -1 = max, 0 = off { -1:10000 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+string <strong>flowbits.~arg1</strong>: bits or group\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>flowbits.~arg2</strong>: group if arg1 is bits\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>flowbits.~command</strong>: set|reset|isset|etc.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>flow.established</strong>: match only during data transfer phase\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-string <strong>flowbits.~arg1</strong>: bits or group\r
+string <strong>fragbits.~flags</strong>: these flags are tested\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>flowbits.~arg2</strong>: group if arg1 is bits\r
+string <strong>fragoffset.~range</strong>: check if ip fragment offset value is <em>value | min<>max | <max | >min</em>\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>flowbits.~command</strong>: set|reset|isset|etc.\r
+bool <strong>ftp_client.bounce</strong> = false: check for bounces\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>fragbits.~flags</strong>: these flags are tested\r
+addr <strong>ftp_client.bounce_to[].address</strong> = 1.0.0.0/32: allowed ip address in CIDR format\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>fragoffset.~range</strong>: check if ip fragment offset value is <em>value | min<>max | <max | >min</em>\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>ftp_client.bounce</strong> = false: check for bounces\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-addr <strong>ftp_client.bounce_to[].address</strong> = 1.0.0.0/32: allowed ip address in CIDR format\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-port <strong>ftp_client.bounce_to[].last_port</strong>: optional allowed range from port to last_port inclusive { 0: }\r
+port <strong>ftp_client.bounce_to[].last_port</strong>: optional allowed range from port to last_port inclusive { 0: }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-enum <strong>host_tracker[].frag_policy</strong>: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris }\r
+enum <strong>hosts[].frag_policy</strong>: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris }\r
</p>\r
</li>\r
<li>\r
<p>\r
-addr <strong>host_tracker[].ip</strong> = 0.0.0.0/32: hosts address / cidr\r
+addr <strong>hosts[].ip</strong> = 0.0.0.0/32: hosts address / cidr\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>host_tracker[].services[].name</strong>: service identifier\r
+string <strong>hosts[].services[].name</strong>: service identifier\r
</p>\r
</li>\r
<li>\r
<p>\r
-port <strong>host_tracker[].services[].port</strong>: port number\r
+port <strong>hosts[].services[].port</strong>: port number\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>host_tracker[].services[].proto</strong> = tcp: ip protocol { tcp | udp }\r
+enum <strong>hosts[].services[].proto</strong> = tcp: ip protocol { tcp | udp }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>host_tracker[].tcp_policy</strong>: tcp reassembly policy { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }\r
+enum <strong>hosts[].tcp_policy</strong>: tcp reassembly policy { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>hosts[].frag_policy</strong>: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris }\r
+enum <strong>host_tracker[].frag_policy</strong>: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris }\r
</p>\r
</li>\r
<li>\r
<p>\r
-addr <strong>hosts[].ip</strong> = 0.0.0.0/32: hosts address / cidr\r
+addr <strong>host_tracker[].ip</strong> = 0.0.0.0/32: hosts address / cidr\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>hosts[].services[].name</strong>: service identifier\r
+string <strong>host_tracker[].services[].name</strong>: service identifier\r
</p>\r
</li>\r
<li>\r
<p>\r
-port <strong>hosts[].services[].port</strong>: port number\r
+port <strong>host_tracker[].services[].port</strong>: port number\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>hosts[].services[].proto</strong> = tcp: ip protocol { tcp | udp }\r
+enum <strong>host_tracker[].services[].proto</strong> = tcp: ip protocol { tcp | udp }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>hosts[].tcp_policy</strong>: tcp reassembly policy { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }\r
+enum <strong>host_tracker[].tcp_policy</strong>: tcp reassembly policy { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.iis_unicode</strong> = false: use IIS unicode code point mapping to normalize characters\r
+int <strong>http_inspect.iis_unicode_code_page</strong> = 1252: code page to use from the IIS unicode map file { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>http_inspect.iis_unicode_code_page</strong> = 1252: code page to use from the IIS unicode map file { 0:65535 }\r
+bool <strong>http_inspect.iis_unicode</strong> = false: use IIS unicode code point mapping to normalize characters\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>http_inspect.normalize_utf</strong> = true: normalize charset utf encodings\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>http_inspect.oversize_dir_length</strong> = 300: maximum length for URL directory { 1:65535 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.utf8</strong> = true: normalize 2-byte and 3-byte UTF-8 characters to a single byte\r
+bool <strong>http_inspect.utf8_bare_byte</strong> = false: when doing UTF-8 character normalization include bytes that were not percent encoded\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>http_inspect.utf8_bare_byte</strong> = false: when doing UTF-8 character normalization include bytes that were not percent encoded\r
+bool <strong>http_inspect.utf8</strong> = true: normalize 2-byte and 3-byte UTF-8 characters to a single byte\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>ip_proto.~proto</strong>: [!|>|<] name or number\r
+select <strong>ipopts.~opt</strong>: output format { rr|eol|nop|ts|sec|esec|lsrr|lsrre|ssrr|satid|any }\r
</p>\r
</li>\r
<li>\r
<p>\r
-select <strong>ipopts.~opt</strong>: output format { rr|eol|nop|ts|sec|esec|lsrr|lsrre|ssrr|satid|any }\r
+string <strong>ip_proto.~proto</strong>: [!|>|<] name or number\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-implied <strong>isdataat.relative</strong>: offset from cursor instead of start of buffer\r
+string <strong>isdataat.~length</strong>: num | !num\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>isdataat.~length</strong>: num | !num\r
+implied <strong>isdataat.relative</strong>: offset from cursor instead of start of buffer\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>md5.length</strong>: number of octets in plain text { 1:65535 }\r
+string <strong>md5.~hash</strong>: data to match\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>md5.offset</strong>: var or number of bytes from start of buffer to start search\r
+int <strong>md5.length</strong>: number of octets in plain text { 1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>md5.relative</strong> = false: offset from cursor instead of start of buffer\r
+string <strong>md5.offset</strong>: var or number of bytes from start of buffer to start search\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>md5.~hash</strong>: data to match\r
+implied <strong>md5.relative</strong> = false: offset from cursor instead of start of buffer\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>output.log_ipv6_extra_data</strong> = false: log IPv6 source and destination addresses as unified2 extra data records\r
+string <strong>output.logdir</strong> = .: where to put log files (same as -l)\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>output.logdir</strong> = .: where to put log files (same as -l)\r
+bool <strong>output.log_ipv6_extra_data</strong> = false: log IPv6 source and destination addresses as unified2 extra data records\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+int <strong>port_scan_global.memcap</strong> = 1048576: maximum tracker memory { 1: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>port_scan.ignore_scanned</strong>: list of CIDRs with optional ports to ignore if the destination of scan alerts\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>port_scan_global.memcap</strong> = 1048576: maximum tracker memory { 1: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>priority.~</strong>: relative severity level; 1 is highest priority { 1: }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-implied <strong>regex.relative</strong>: start search from end of last match instead of start of buffer\r
+string <strong>regex.~re</strong>: hyperscan regular expression\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>regex.~re</strong>: hyperscan regular expression\r
+implied <strong>regex.relative</strong>: start search from end of last match instead of start of buffer\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-enum <strong>reputation.white</strong> = unblack: specify the meaning of whitelist { unblack|trust }\r
+string <strong>reputation.whitelist</strong>: whitelist file name with ip lists\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>reputation.whitelist</strong>: whitelist file name with ip lists\r
+enum <strong>reputation.white</strong> = unblack: specify the meaning of whitelist { unblack|trust }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>rpc.~app</strong>: application number\r
+int <strong>rpc.~app</strong>: application number\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>rpc.~proc</strong>: procedure number or * for any\r
+int <strong>rpc.proc</strong>: procedure number or * for any\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>rpc.~ver</strong>: version number or * for any\r
+int <strong>rpc.ver</strong>: version number or * for any\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>sd_pattern.threshold</strong>: number of matches before alerting { 1 }\r
+string <strong>sd_pattern.~pattern</strong>: The pattern to search for\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>sd_pattern.~pattern</strong>: The pattern to search for\r
+int <strong>sd_pattern.threshold</strong>: number of matches before alerting { 1 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+string <strong>sha256.~hash</strong>: data to match\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>sha256.length</strong>: number of octets in plain text { 1:65535 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-string <strong>sha256.~hash</strong>: data to match\r
+string <strong>sha512.~hash</strong>: data to match\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>sha512.~hash</strong>: data to match\r
+string <strong>side_channel.connector</strong>: connector handle\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>sid.~</strong>: signature id { 1: }\r
+string <strong>side_channel.connectors[].connector</strong>: connector handle\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>side_channel.connectors[].connector</strong>: connector handle\r
+bit_list <strong>side_channel.ports</strong>: side channel message port list { 65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bit_list <strong>side_channel.ports</strong>: side channel message port list { 65535 }\r
+int <strong>sid.~</strong>: signature id { 1: }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>sip.methods</strong> = invite cancel ack bye register options: list of methods to check in sip messages\r
+string <strong>sip_method.*method</strong>: sip method\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>sip_method.*method</strong>: sip method\r
+string <strong>sip.methods</strong> = invite cancel ack bye register options: list of methods to check in sip messages\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-enum <strong>smtp.normalize</strong> = none: turns on/off normalization { none | cmds | all }\r
+string <strong>smtp.normalize_cmds</strong>: list of commands to normalize\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>smtp.normalize_cmds</strong>: list of commands to normalize\r
+enum <strong>smtp.normalize</strong> = none: turns on/off normalization { none | cmds | all }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--bpf</strong>: <filter options> are standard BPF options, as seen in TCPDump\r
+string <strong>snort.-A</strong>: <mode> set alert mode: none, cmg, or alert_*\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--c2x</strong>: output hex for given char (see also --x2c)\r
+addr <strong>snort.-B</strong> = 255.255.255.255/32: <mask> obfuscated IP addresses in alerts and packet dumps using CIDR mask\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--catch-test</strong>: comma separated list of cat unit test tags or <em>all</em>\r
+string <strong>snort.--bpf</strong>: <filter options> are standard BPF options, as seen in TCPDump\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--create-pidfile</strong>: create PID file, even when not in Daemon mode\r
+string <strong>snort.--c2x</strong>: output hex for given char (see also --x2c)\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--daq</strong>: <type> select packet acquisition module (default is pcap)\r
+string <strong>snort.--catch-test</strong>: comma separated list of cat unit test tags or <em>all</em>\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--daq-dir</strong>: <dir> tell snort where to find desired DAQ\r
+string <strong>snort.-c</strong>: <conf> use this configuration\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--daq-list</strong>: list packet acquisition modules available in optional dir, default is static modules only\r
+implied <strong>snort.-C</strong>: print out payloads with character data only (no hex)\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--daq-var</strong>: <name=value> specify extra DAQ configuration variable\r
+implied <strong>snort.--create-pidfile</strong>: create PID file, even when not in Daemon mode\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--dirty-pig</strong>: don’t flush packets on shutdown\r
+string <strong>snort.--daq-dir</strong>: <dir> tell snort where to find desired DAQ\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--dump-builtin-rules</strong>: [<module prefix>] output stub rules for selected modules\r
+implied <strong>snort.--daq-list</strong>: list packet acquisition modules available in optional dir, default is static modules only\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--dump-defaults</strong>: [<module prefix>] output module defaults in Lua format { (optional) }\r
+string <strong>snort.--daq</strong>: <type> select packet acquisition module (default is pcap)\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--dump-dynamic-rules</strong>: output stub rules for all loaded rules libraries\r
+string <strong>snort.--daq-var</strong>: <name=value> specify extra DAQ configuration variable\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--dump-version</strong>: output the version, the whole version, and only the version\r
+implied <strong>snort.-d</strong>: dump the Application Layer\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--enable-inline-test</strong>: enable Inline-Test Mode Operation\r
+implied <strong>snort.--dirty-pig</strong>: don’t flush packets on shutdown\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--help</strong>: list command line options\r
+implied <strong>snort.-D</strong>: run Snort in background (daemon) mode\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--help-commands</strong>: [<module prefix>] output matching commands { (optional) }\r
+implied <strong>snort.--dump-builtin-rules</strong>: [<module prefix>] output stub rules for selected modules\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--help-config</strong>: [<module prefix>] output matching config options { (optional) }\r
+string <strong>snort.--dump-defaults</strong>: [<module prefix>] output module defaults in Lua format { (optional) }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--help-counts</strong>: [<module prefix>] output matching peg counts { (optional) }\r
+implied <strong>snort.--dump-dynamic-rules</strong>: output stub rules for all loaded rules libraries\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--help-module</strong>: <module> output description of given module\r
+implied <strong>snort.--dump-version</strong>: output the version, the whole version, and only the version\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--help-modules</strong>: list all available modules with brief help\r
+implied <strong>snort.-e</strong>: display the second layer header info\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--help-options</strong>: <option prefix> output matching command line option quick help (same as -?) { (optional) }\r
+implied <strong>snort.--enable-inline-test</strong>: enable Inline-Test Mode Operation\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--help-plugins</strong>: list all available plugins with brief help\r
+implied <strong>snort.-f</strong>: turn off fflush() calls after binary log writes\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--help-signals</strong>: dump available control signals\r
+int <strong>snort.-G</strong>: <0xid> (same as --logid) { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--id-subdir</strong>: create/use instance subdirectories in logdir instead of instance filename prefix\r
+string <strong>snort.-g</strong>: <gname> run snort gid as <gname> group (or gid) after initialization\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--id-zero</strong>: use id prefix / subdirectory even with one packet thread\r
+string <strong>snort.--help-commands</strong>: [<module prefix>] output matching commands { (optional) }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--list-buffers</strong>: output available inspection buffers\r
+string <strong>snort.--help-config</strong>: [<module prefix>] output matching config options { (optional) }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--list-builtin</strong>: <module prefix> output matching builtin rules { (optional) }\r
+string <strong>snort.--help-counts</strong>: [<module prefix>] output matching peg counts { (optional) }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--list-gids</strong>: [<module prefix>] output matching generators { (optional) }\r
+implied <strong>snort.--help</strong>: list command line options\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--list-modules</strong>: [<module type>] list all known modules of given type { (optional) }\r
+string <strong>snort.--help-module</strong>: <module> output description of given module\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--list-plugins</strong>: list all known plugins\r
+implied <strong>snort.--help-modules</strong>: list all available modules with brief help\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>snort.--logid</strong>: <0xid> log Identifier to uniquely id events for multiple snorts (same as -G) { 0:65535 }\r
+string <strong>snort.--help-options</strong>: <option prefix> output matching command line option quick help (same as -?) { (optional) }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--lua</strong>: <chunk> extend/override conf with chunk; may be repeated\r
+implied <strong>snort.--help-plugins</strong>: list all available plugins with brief help\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--markup</strong>: output help in asciidoc compatible format\r
+implied <strong>snort.--help-signals</strong>: dump available control signals\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>snort.--max-packet-threads</strong> = 1: <count> configure maximum number of packet threads (same as -z) { 0: }\r
+implied <strong>snort.-H</strong>: make hash tables deterministic\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--nolock-pidfile</strong>: do not try to lock Snort PID file\r
+implied <strong>snort.--id-subdir</strong>: create/use instance subdirectories in logdir instead of instance filename prefix\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--nostamps</strong>: don’t include timestamps in log file names\r
+implied <strong>snort.--id-zero</strong>: use id prefix / subdirectory even with one packet thread\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--pause</strong>: wait for resume/quit command before processing packets/terminating\r
+string <strong>snort.-i</strong>: <iface>… list of interfaces\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--pcap-dir</strong>: <dir> a directory to recurse to look for pcaps - read mode is implied\r
+port <strong>snort.-j</strong>: <port> to listen for telnet connections\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--pcap-file</strong>: <file> file that contains a list of pcaps to read - read mode is implied\r
+enum <strong>snort.-k</strong> = all: <mode> checksum mode; default is all { all|noip|notcp|noudp|noicmp|none }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--pcap-filter</strong>: <filter> filter to apply when getting pcaps from file or directory\r
+implied <strong>snort.--list-buffers</strong>: output available inspection buffers\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--pcap-list</strong>: <list> a space separated list of pcaps to read - read mode is implied\r
+string <strong>snort.--list-builtin</strong>: <module prefix> output matching builtin rules { (optional) }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>snort.--pcap-loop</strong>: <count> read all pcaps <count> times; 0 will read until Snort is terminated { -1: }\r
+string <strong>snort.--list-gids</strong>: [<module prefix>] output matching generators { (optional) }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--pcap-no-filter</strong>: reset to use no filter when getting pcaps from file or directory\r
+string <strong>snort.--list-modules</strong>: [<module type>] list all known modules of given type { (optional) }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--pcap-reload</strong>: if reading multiple pcaps, reload snort config between pcaps\r
+implied <strong>snort.--list-plugins</strong>: list all known plugins\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--pcap-show</strong>: print a line saying what pcap is currently being read\r
+string <strong>snort.-l</strong>: <logdir> log to this directory instead of current directory\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--pedantic</strong>: warnings are fatal\r
+string <strong>snort.-L</strong>: <mode> logging mode (none, dump, pcap, or log_*)\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--piglet</strong>: enable piglet test harness mode\r
+int <strong>snort.--logid</strong>: <0xid> log Identifier to uniquely id events for multiple snorts (same as -G) { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--plugin-path</strong>: <path> where to find plugins\r
+string <strong>snort.--lua</strong>: <chunk> extend/override conf with chunk; may be repeated\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--process-all-events</strong>: process all action groups\r
+implied <strong>snort.--markup</strong>: output help in asciidoc compatible format\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--rule</strong>: <rules> to be added to configuration; may be repeated\r
+int <strong>snort.--max-packet-threads</strong> = 1: <count> configure maximum number of packet threads (same as -z) { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--rule-to-hex</strong>: output so rule header to stdout for text rule on stdin\r
+implied <strong>snort.-M</strong>: log messages to syslog (not alerts)\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--rule-to-text</strong>: output plain so rule header to stdout for text rule on stdin\r
+int <strong>snort.-m</strong>: <umask> set umask = <umask> { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--run-prefix</strong>: <pfx> prepend this to each output file\r
+int <strong>snort.-n</strong>: <count> stop after count packets { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--script-path</strong>: <path> to a luajit script or directory containing luajit scripts\r
+implied <strong>snort.--nolock-pidfile</strong>: do not try to lock Snort PID file\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--shell</strong>: enable the interactive command line\r
+implied <strong>snort.--nostamps</strong>: don’t include timestamps in log file names\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--show-plugins</strong>: list module and plugin versions\r
+implied <strong>snort.-O</strong>: obfuscate the logged IP addresses\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>snort.--skip</strong>: <n> skip 1st n packets { 0: }\r
+string <strong>snort.-?</strong>: <option prefix> output matching command line option quick help (same as --help-options) { (optional) }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>snort.--snaplen</strong> = 1514: <snap> set snaplen of packet (same as -s) { 68:65535 }\r
+implied <strong>snort.--pause</strong>: wait for resume/quit command before processing packets/terminating\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--stdin-rules</strong>: read rules from stdin until EOF or a line starting with END is read\r
+string <strong>snort.--pcap-dir</strong>: <dir> a directory to recurse to look for pcaps - read mode is implied\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--treat-drop-as-alert</strong>: converts drop, sdrop, and reject rules into alert rules during startup\r
+string <strong>snort.--pcap-file</strong>: <file> file that contains a list of pcaps to read - read mode is implied\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--treat-drop-as-ignore</strong>: use drop, sdrop, and reject rules to ignore session traffic when not inline\r
+string <strong>snort.--pcap-filter</strong>: <filter> filter to apply when getting pcaps from file or directory\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--version</strong>: show version number (same as -V)\r
+string <strong>snort.--pcap-list</strong>: <list> a space separated list of pcaps to read - read mode is implied\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--warn-all</strong>: enable all warnings\r
+int <strong>snort.--pcap-loop</strong>: <count> read all pcaps <count> times; 0 will read until Snort is terminated { -1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--warn-conf</strong>: warn about configuration issues\r
+implied <strong>snort.--pcap-no-filter</strong>: reset to use no filter when getting pcaps from file or directory\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--warn-daq</strong>: warn about DAQ issues, usually related to mode\r
+implied <strong>snort.--pcap-reload</strong>: if reading multiple pcaps, reload snort config between pcaps\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--warn-flowbits</strong>: warn about flowbits that are checked but not set and vice-versa\r
+implied <strong>snort.--pcap-show</strong>: print a line saying what pcap is currently being read\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--warn-hosts</strong>: warn about host table issues\r
+implied <strong>snort.--pedantic</strong>: warnings are fatal\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--warn-plugins</strong>: warn about issues that prevent plugins from loading\r
+implied <strong>snort.--piglet</strong>: enable piglet test harness mode\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--warn-rules</strong>: warn about duplicate rules and rule parsing issues\r
+string <strong>snort.--plugin-path</strong>: <path> where to find plugins\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--warn-scripts</strong>: warn about issues discovered while processing Lua scripts\r
+implied <strong>snort.--process-all-events</strong>: process all action groups\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--warn-symbols</strong>: warn about unknown symbols in your Lua config\r
+implied <strong>snort.-Q</strong>: enable inline mode operation\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--warn-vars</strong>: warn about variable definition and usage issues\r
+implied <strong>snort.-q</strong>: quiet mode - Don’t show banner and status report\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>snort.--x2c</strong>: output ASCII char for given hex (see also --c2x)\r
+string <strong>snort.-r</strong>: <pcap>… (same as --pcap-list)\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--x2s</strong>: output ASCII string for given byte code (see also --x2c)\r
+string <strong>snort.-R</strong>: <rules> include this rules file in the default policy\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.-?</strong>: <option prefix> output matching command line option quick help (same as --help-options) { (optional) }\r
+string <strong>snort.--rule</strong>: <rules> to be added to configuration; may be repeated\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.-A</strong>: <mode> set alert mode: none, cmg, or alert_*\r
+implied <strong>snort.--rule-to-hex</strong>: output so rule header to stdout for text rule on stdin\r
</p>\r
</li>\r
<li>\r
<p>\r
-addr <strong>snort.-B</strong> = 255.255.255.255/32: <mask> obfuscated IP addresses in alerts and packet dumps using CIDR mask\r
+implied <strong>snort.--rule-to-text</strong>: output plain so rule header to stdout for text rule on stdin\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.-C</strong>: print out payloads with character data only (no hex)\r
+string <strong>snort.--run-prefix</strong>: <pfx> prepend this to each output file\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.-D</strong>: run Snort in background (daemon) mode\r
+int <strong>snort.-s</strong> = 1514: <snap> (same as --snaplen); default is 1514 { 68:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>snort.-G</strong>: <0xid> (same as --logid) { 0:65535 }\r
+string <strong>snort.--script-path</strong>: <path> to a luajit script or directory containing luajit scripts\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.-H</strong>: make hash tables deterministic\r
+implied <strong>snort.--shell</strong>: enable the interactive command line\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.-L</strong>: <mode> logging mode (none, dump, pcap, or log_*)\r
+implied <strong>snort.--show-plugins</strong>: list module and plugin versions\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.-M</strong>: log messages to syslog (not alerts)\r
+int <strong>snort.--skip</strong>: <n> skip 1st n packets { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.-O</strong>: obfuscate the logged IP addresses\r
+int <strong>snort.--snaplen</strong> = 1514: <snap> set snaplen of packet (same as -s) { 68:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.-Q</strong>: enable inline mode operation\r
+implied <strong>snort.--stdin-rules</strong>: read rules from stdin until EOF or a line starting with END is read\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.-R</strong>: <rules> include this rules file in the default policy\r
+string <strong>snort.-S</strong>: <x=v> set config variable x equal to value v\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.-S</strong>: <x=v> set config variable x equal to value v\r
+string <strong>snort.-t</strong>: <dir> chroots process to <dir> after initialization\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.-T</strong>: test and report on the current Snort configuration\r
+implied <strong>snort.--treat-drop-as-alert</strong>: converts drop, sdrop, and reject rules into alert rules during startup\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.-U</strong>: use UTC for timestamps\r
+implied <strong>snort.--treat-drop-as-ignore</strong>: use drop, sdrop, and reject rules to ignore session traffic when not inline\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.-V</strong>: (same as --version)\r
+implied <strong>snort.-T</strong>: test and report on the current Snort configuration\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.-W</strong>: lists available interfaces\r
+string <strong>snort.-u</strong>: <uname> run snort as <uname> or <uid> after initialization\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.-X</strong>: dump the raw packet data starting at the link layer\r
+implied <strong>snort.-U</strong>: use UTC for timestamps\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.-c</strong>: <conf> use this configuration\r
+implied <strong>snort.-v</strong>: be verbose\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.-d</strong>: dump the Application Layer\r
+implied <strong>snort.--version</strong>: show version number (same as -V)\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.-e</strong>: display the second layer header info\r
+implied <strong>snort.-V</strong>: (same as --version)\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.-f</strong>: turn off fflush() calls after binary log writes\r
+implied <strong>snort.--warn-all</strong>: enable all warnings\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.-g</strong>: <gname> run snort gid as <gname> group (or gid) after initialization\r
+implied <strong>snort.--warn-conf</strong>: warn about configuration issues\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.-i</strong>: <iface>… list of interfaces\r
+implied <strong>snort.--warn-daq</strong>: warn about DAQ issues, usually related to mode\r
</p>\r
</li>\r
<li>\r
<p>\r
-port <strong>snort.-j</strong>: <port> to listen for telnet connections\r
+implied <strong>snort.--warn-flowbits</strong>: warn about flowbits that are checked but not set and vice-versa\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>snort.-k</strong> = all: <mode> checksum mode; default is all { all|noip|notcp|noudp|noicmp|none }\r
+implied <strong>snort.--warn-hosts</strong>: warn about host table issues\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.-l</strong>: <logdir> log to this directory instead of current directory\r
+implied <strong>snort.--warn-plugins</strong>: warn about issues that prevent plugins from loading\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>snort.-m</strong>: <umask> set umask = <umask> { 0: }\r
+implied <strong>snort.--warn-rules</strong>: warn about duplicate rules and rule parsing issues\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>snort.-n</strong>: <count> stop after count packets { 0: }\r
+implied <strong>snort.--warn-scripts</strong>: warn about issues discovered while processing Lua scripts\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.-q</strong>: quiet mode - Don’t show banner and status report\r
+implied <strong>snort.--warn-symbols</strong>: warn about unknown symbols in your Lua config\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.-r</strong>: <pcap>… (same as --pcap-list)\r
+implied <strong>snort.--warn-vars</strong>: warn about variable definition and usage issues\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>snort.-s</strong> = 1514: <snap> (same as --snaplen); default is 1514 { 68:65535 }\r
+implied <strong>snort.-w</strong>: dump 802.11 management and control frames\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.-t</strong>: <dir> chroots process to <dir> after initialization\r
+implied <strong>snort.-W</strong>: lists available interfaces\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.-u</strong>: <uname> run snort as <uname> or <uid> after initialization\r
+int <strong>snort.--x2c</strong>: output ASCII char for given hex (see also --c2x)\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.-v</strong>: be verbose\r
+string <strong>snort.--x2s</strong>: output ASCII string for given byte code (see also --x2c)\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.-w</strong>: dump 802.11 management and control frames\r
+implied <strong>snort.-X</strong>: dump the raw packet data starting at the link layer\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>ssl.trust_servers</strong> = false: disables requirement that application (encrypted) data must be observed on both sides\r
+implied <strong>ssl_state.client_hello</strong>: check for client hello\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-implied <strong>ssl_state.!client_keyx</strong>: check for records that are not client keyx\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_state.!server_hello</strong>: check for records that are not server hello\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_state.!server_keyx</strong>: check for records that are not server keyx\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_state.!unknown</strong>: check for records that are not unknown\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_state.client_hello</strong>: check for client hello\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
implied <strong>ssl_state.client_keyx</strong>: check for client keyx\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>ssl_state.server_hello</strong>: check for server hello\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_state.server_keyx</strong>: check for server keyx\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_state.unknown</strong>: check for unknown record\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_version.!sslv2</strong>: check for records that are not sslv2\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_version.!sslv3</strong>: check for records that are not sslv3\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_version.!tls1.0</strong>: check for records that are not tls1.0\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_version.!tls1.1</strong>: check for records that are not tls1.1\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-implied <strong>ssl_version.!tls1.2</strong>: check for records that are not tls1.2\r
+implied <strong>ssl_state.!client_keyx</strong>: check for records that are not client keyx\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>ssl_version.sslv2</strong>: check for sslv2\r
+implied <strong>ssl_state.!server_hello</strong>: check for records that are not server hello\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>ssl_version.sslv3</strong>: check for sslv3\r
+implied <strong>ssl_state.server_hello</strong>: check for server hello\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>ssl_version.tls1.0</strong>: check for tls1.0\r
+implied <strong>ssl_state.!server_keyx</strong>: check for records that are not server keyx\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>ssl_version.tls1.1</strong>: check for tls1.1\r
+implied <strong>ssl_state.server_keyx</strong>: check for server keyx\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>ssl_version.tls1.2</strong>: check for tls1.2\r
+implied <strong>ssl_state.!unknown</strong>: check for records that are not unknown\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.file_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }\r
+implied <strong>ssl_state.unknown</strong>: check for unknown record\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.file_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
+bool <strong>ssl.trust_servers</strong> = false: disables requirement that application (encrypted) data must be observed on both sides\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.file_cache.max_sessions</strong> = 128: maximum simultaneous sessions tracked before pruning { 2: }\r
+implied <strong>ssl_version.!sslv2</strong>: check for records that are not sslv2\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.file_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
+implied <strong>ssl_version.sslv2</strong>: check for sslv2\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.icmp_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }\r
+implied <strong>ssl_version.!sslv3</strong>: check for records that are not sslv3\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.icmp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
+implied <strong>ssl_version.sslv3</strong>: check for sslv3\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.icmp_cache.max_sessions</strong> = 32768: maximum simultaneous sessions tracked before pruning { 2: }\r
+implied <strong>ssl_version.!tls1.0</strong>: check for records that are not tls1.0\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.icmp_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
+implied <strong>ssl_version.tls1.0</strong>: check for tls1.0\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.ip_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }\r
+implied <strong>ssl_version.!tls1.1</strong>: check for records that are not tls1.1\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.ip_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
+implied <strong>ssl_version.tls1.1</strong>: check for tls1.1\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.ip_cache.max_sessions</strong> = 16384: maximum simultaneous sessions tracked before pruning { 2: }\r
+implied <strong>ssl_version.!tls1.2</strong>: check for records that are not tls1.2\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.ip_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
+implied <strong>ssl_version.tls1.2</strong>: check for tls1.2\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.tcp_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }\r
+int <strong>stream.file_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.tcp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
+int <strong>stream.file_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.tcp_cache.max_sessions</strong> = 131072: maximum simultaneous sessions tracked before pruning { 2: }\r
+int <strong>stream.file_cache.max_sessions</strong> = 128: maximum simultaneous sessions tracked before pruning { 2: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.tcp_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
+int <strong>stream.file_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.udp_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }\r
+bool <strong>stream_file.upload</strong> = false: indicate file transfer direction\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.udp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
+int <strong>stream.icmp_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.udp_cache.max_sessions</strong> = 65536: maximum simultaneous sessions tracked before pruning { 2: }\r
+int <strong>stream.icmp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.udp_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
+int <strong>stream.icmp_cache.max_sessions</strong> = 32768: maximum simultaneous sessions tracked before pruning { 2: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.user_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }\r
+int <strong>stream.icmp_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.user_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
+int <strong>stream_icmp.session_timeout</strong> = 30: session tracking timeout { 1:86400 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.user_cache.max_sessions</strong> = 1024: maximum simultaneous sessions tracked before pruning { 2: }\r
+int <strong>stream.ip_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.user_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
+int <strong>stream.ip_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>stream_file.upload</strong> = false: indicate file transfer direction\r
+int <strong>stream.ip_cache.max_sessions</strong> = 16384: maximum simultaneous sessions tracked before pruning { 2: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream_icmp.session_timeout</strong> = 30: session tracking timeout { 1:86400 }\r
+int <strong>stream.ip_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+int <strong>stream.tcp_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>stream.tcp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>stream.tcp_cache.max_sessions</strong> = 131072: maximum simultaneous sessions tracked before pruning { 2: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>stream.tcp_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>stream_tcp.flush_factor</strong> = 0: flush upon seeing a drop in segment size after given number of non-decreasing segments { 0: }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+int <strong>stream.udp_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>stream.udp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>stream.udp_cache.max_sessions</strong> = 65536: maximum simultaneous sessions tracked before pruning { 2: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>stream.udp_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
bool <strong>stream_udp.ignore_any_rules</strong> = false: process udp content rules w/o ports only if rules with ports are present\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+int <strong>stream.user_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>stream.user_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>stream.user_cache.max_sessions</strong> = 1024: maximum simultaneous sessions tracked before pruning { 2: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>stream.user_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>stream_user.session_timeout</strong> = 30: session tracking timeout { 1:86400 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+enum <strong>tag.~</strong>: log all packets in session or all packets to or from host { session|host_src|host_dst }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>tag.packets</strong>: tag this many packets { 1: }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-enum <strong>tag.~</strong>: log all packets in session or all packets to or from host { session|host_src|host_dst }\r
+string <strong>tcp_connector.address</strong>: address\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+port <strong>tcp_connector.base_port</strong>: base port number\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>tcp_connector.connector</strong>: connector name\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+enum <strong>tcp_connector.setup</strong>: stream establishment { call | answer }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>appid.rsync_flows</strong>: count of rsync service flows discovered by appid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>appid.smtp_flows</strong>: count of smtp flows discovered by appid\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>dce_smb.aborted sessions</strong>: total aborted sessions\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>dce_smb.Alter context responses</strong>: total connection-oriented alter context responses\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>dce_smb.bad autodetects</strong>: total bad autodetects\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>dce_smb.Bind acks</strong>: total connection-oriented binds acks\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>dce_smb.events</strong>: total events\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>dce_smb.Faults</strong>: total connection-oriented faults\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.MS RPC/HTTP PDUs</strong>: total connection-oriented MS requests to send RPC over HTTP\r
+<strong>dce_smb.Max outstanding requests</strong>: total smb maximum outstanding requests\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Max outstanding requests</strong>: total smb maximum outstanding requests\r
+<strong>dce_smb.MS RPC/HTTP PDUs</strong>: total connection-oriented MS requests to send RPC over HTTP\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.PDUs</strong>: total connection-oriented PDUs\r
+<strong>dce_smb.Packets</strong>: total smb packets\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.Packets</strong>: total smb packets\r
+<strong>dce_smb.PDUs</strong>: total connection-oriented PDUs\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.aborted sessions</strong>: total aborted sessions\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_smb.bad autodetects</strong>: total bad autodetects\r
+<strong>dce_tcp.aborted sessions</strong>: total aborted sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.events</strong>: total events\r
+<strong>dce_tcp.Alter context responses</strong>: total connection-oriented alter context responses\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Alter context responses</strong>: total connection-oriented alter context responses\r
+<strong>dce_tcp.Alter contexts</strong>: total connection-oriented alter contexts\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Alter contexts</strong>: total connection-oriented alter contexts\r
+<strong>dce_tcp.Auth3s</strong>: total connection-oriented auth3s\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.Auth3s</strong>: total connection-oriented auth3s\r
+<strong>dce_tcp.bad autodetects</strong>: total bad autodetects\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>dce_tcp.events</strong>: total events\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>dce_tcp.Faults</strong>: total connection-oriented faults\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.aborted sessions</strong>: total aborted sessions\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.bad autodetects</strong>: total bad autodetects\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>dce_tcp.events</strong>: total events\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>dce_tcp.tcp packets</strong>: total tcp packets\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.log limit</strong>: events queued but not logged\r
+<strong>detection.logged</strong>: logged packets\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.logged</strong>: logged packets\r
+<strong>detection.log limit</strong>: events queued but not logged\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.CONNECT requests</strong>: CONNECT requests inspected\r
+<strong>http_inspect.chunked</strong>: chunked message bodies\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.DELETE requests</strong>: DELETE requests inspected\r
+<strong>http_inspect.CONNECT requests</strong>: CONNECT requests inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.GET requests</strong>: GET requests inspected\r
+<strong>http_inspect.DELETE requests</strong>: DELETE requests inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.HEAD requests</strong>: HEAD requests inspected\r
+<strong>http_inspect.flows</strong>: HTTP connections inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.OPTIONS requests</strong>: OPTIONS requests inspected\r
+<strong>http_inspect.GET requests</strong>: GET requests inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.POST requests</strong>: POST requests inspected\r
+<strong>http_inspect.HEAD requests</strong>: HEAD requests inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.PUT requests</strong>: PUT requests inspected\r
+<strong>http_inspect.inspections</strong>: total message sections inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.TRACE requests</strong>: TRACE requests inspected\r
+<strong>http_inspect.OPTIONS requests</strong>: OPTIONS requests inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.URI coding</strong>: URIs with character coding problems\r
+<strong>http_inspect.other requests</strong>: other request methods inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.URI normalizations</strong>: URIs needing to be normalization\r
+<strong>http_inspect.POST requests</strong>: POST requests inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.URI path</strong>: URIs with path problems\r
+<strong>http_inspect.PUT requests</strong>: PUT requests inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.chunked</strong>: chunked message bodies\r
+<strong>http_inspect.reassembles</strong>: TCP segments combined into HTTP messages\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.flows</strong>: HTTP connections inspected\r
+<strong>http_inspect.request bodies</strong>: POST, PUT, and other requests with message bodies\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.inspections</strong>: total message sections inspected\r
+<strong>http_inspect.requests</strong>: HTTP request messages inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.other requests</strong>: other request methods inspected\r
+<strong>http_inspect.responses</strong>: HTTP response messages inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.reassembles</strong>: TCP segments combined into HTTP messages\r
+<strong>http_inspect.scans</strong>: TCP segments scanned looking for HTTP messages\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.request bodies</strong>: POST, PUT, and other requests with message bodies\r
+<strong>http_inspect.TRACE requests</strong>: TRACE requests inspected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.requests</strong>: HTTP request messages inspected\r
+<strong>http_inspect.URI coding</strong>: URIs with character coding problems\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.responses</strong>: HTTP response messages inspected\r
+<strong>http_inspect.URI normalizations</strong>: URIs needing to be normalization\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.scans</strong>: TCP segments scanned looking for HTTP messages\r
+<strong>http_inspect.URI path</strong>: URIs with path problems\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp excess prunes</strong>: icmp sessions pruned due to excess\r
+<strong>stream_icmp.created</strong>: icmp session trackers created\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp flows</strong>: total icmp sessions\r
+<strong>stream.icmp excess prunes</strong>: icmp sessions pruned due to excess\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp memcap prunes</strong>: icmp sessions pruned due to memcap\r
+<strong>stream.icmp flows</strong>: total icmp sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp preemptive prunes</strong>: icmp sessions pruned during preemptive pruning\r
+<strong>stream_icmp.max</strong>: max icmp sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp timeout prunes</strong>: icmp sessions pruned due to timeout\r
+<strong>stream.icmp memcap prunes</strong>: icmp sessions pruned due to memcap\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp total prunes</strong>: total icmp sessions pruned\r
+<strong>stream.icmp preemptive prunes</strong>: icmp sessions pruned during preemptive pruning\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp uni prunes</strong>: icmp uni sessions pruned\r
+<strong>stream_icmp.prunes</strong>: icmp session prunes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp user prunes</strong>: icmp sessions pruned for other reasons\r
+<strong>stream_icmp.released</strong>: icmp session trackers released\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip excess prunes</strong>: ip sessions pruned due to excess\r
+<strong>stream_icmp.sessions</strong>: total icmp sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip flows</strong>: total ip sessions\r
+<strong>stream.icmp timeout prunes</strong>: icmp sessions pruned due to timeout\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip memcap prunes</strong>: ip sessions pruned due to memcap\r
+<strong>stream_icmp.timeouts</strong>: icmp session timeouts\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip preemptive prunes</strong>: ip sessions pruned during preemptive pruning\r
+<strong>stream.icmp total prunes</strong>: total icmp sessions pruned\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip timeout prunes</strong>: ip sessions pruned due to timeout\r
+<strong>stream.icmp uni prunes</strong>: icmp uni sessions pruned\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip total prunes</strong>: total ip sessions pruned\r
+<strong>stream.icmp user prunes</strong>: icmp sessions pruned for other reasons\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip uni prunes</strong>: ip uni sessions pruned\r
+<strong>stream_ip.alerts</strong>: alerts generated\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip user prunes</strong>: ip sessions pruned for other reasons\r
+<strong>stream_ip.anomalies</strong>: anomalies detected\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp excess prunes</strong>: tcp sessions pruned due to excess\r
+<strong>stream_ip.created</strong>: ip session trackers created\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp flows</strong>: total tcp sessions\r
+<strong>stream_ip.current</strong>: current fragments\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp memcap prunes</strong>: tcp sessions pruned due to memcap\r
+<strong>stream_ip.discards</strong>: fragments discarded\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp preemptive prunes</strong>: tcp sessions pruned during preemptive pruning\r
+<strong>stream_ip.drops</strong>: fragments dropped\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp timeout prunes</strong>: tcp sessions pruned due to timeout\r
+<strong>stream.ip excess prunes</strong>: ip sessions pruned due to excess\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp total prunes</strong>: total tcp sessions pruned\r
+<strong>stream.ip flows</strong>: total ip sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp uni prunes</strong>: tcp uni sessions pruned\r
+<strong>stream_ip.fragmented bytes</strong>: total fragmented bytes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp user prunes</strong>: tcp sessions pruned for other reasons\r
+<strong>stream_ip.frag timeouts</strong>: datagrams abandoned\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp excess prunes</strong>: udp sessions pruned due to excess\r
+<strong>stream_ip.max frags</strong>: max fragments\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp flows</strong>: total udp sessions\r
+<strong>stream_ip.max</strong>: max ip sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp memcap prunes</strong>: udp sessions pruned due to memcap\r
+<strong>stream.ip memcap prunes</strong>: ip sessions pruned due to memcap\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp preemptive prunes</strong>: udp sessions pruned during preemptive pruning\r
+<strong>stream_ip.memory used</strong>: current memory usage in bytes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp timeout prunes</strong>: udp sessions pruned due to timeout\r
+<strong>stream_ip.nodes deleted</strong>: fragments deleted from tracker\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp total prunes</strong>: total udp sessions pruned\r
+<strong>stream_ip.nodes inserted</strong>: fragments added to tracker\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp uni prunes</strong>: udp uni sessions pruned\r
+<strong>stream_ip.overlaps</strong>: overlapping fragments\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp user prunes</strong>: udp sessions pruned for other reasons\r
+<strong>stream.ip preemptive prunes</strong>: ip sessions pruned during preemptive pruning\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user excess prunes</strong>: user sessions pruned due to excess\r
+<strong>stream_ip.prunes</strong>: ip session prunes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user flows</strong>: total user sessions\r
+<strong>stream_ip.reassembled bytes</strong>: total reassembled bytes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user memcap prunes</strong>: user sessions pruned due to memcap\r
+<strong>stream_ip.reassembled</strong>: reassembled datagrams\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user preemptive prunes</strong>: user sessions pruned during preemptive pruning\r
+<strong>stream_ip.released</strong>: ip session trackers released\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user timeout prunes</strong>: user sessions pruned due to timeout\r
+<strong>stream_ip.sessions</strong>: total ip sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user total prunes</strong>: total user sessions pruned\r
+<strong>stream.ip timeout prunes</strong>: ip sessions pruned due to timeout\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user uni prunes</strong>: user uni sessions pruned\r
+<strong>stream_ip.timeouts</strong>: ip session timeouts\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user user prunes</strong>: user sessions pruned for other reasons\r
+<strong>stream.ip total prunes</strong>: total ip sessions pruned\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_icmp.created</strong>: icmp session trackers created\r
+<strong>stream_ip.total</strong>: total fragments\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_icmp.max</strong>: max icmp sessions\r
+<strong>stream_ip.trackers added</strong>: datagram trackers created\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_icmp.prunes</strong>: icmp session prunes\r
+<strong>stream_ip.trackers cleared</strong>: datagram trackers cleared\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_icmp.released</strong>: icmp session trackers released\r
+<strong>stream_ip.trackers completed</strong>: datagram trackers completed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_icmp.sessions</strong>: total icmp sessions\r
+<strong>stream_ip.trackers freed</strong>: datagram trackers released\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_icmp.timeouts</strong>: icmp session timeouts\r
+<strong>stream.ip uni prunes</strong>: ip uni sessions pruned\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.alerts</strong>: alerts generated\r
+<strong>stream.ip user prunes</strong>: ip sessions pruned for other reasons\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.anomalies</strong>: anomalies detected\r
+<strong>stream_tcp.3way trackers</strong>: tcp session tracking started on ack\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.created</strong>: ip session trackers created\r
+<strong>stream_tcp.client cleanups</strong>: number of times data from server was flushed when session released\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.current</strong>: current fragments\r
+<strong>stream_tcp.closing</strong>: number of sessions currently closing\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.discards</strong>: fragments discarded\r
+<strong>stream_tcp.created</strong>: tcp session trackers created\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.drops</strong>: fragments dropped\r
+<strong>stream_tcp.data trackers</strong>: tcp session tracking started on data\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.frag timeouts</strong>: datagrams abandoned\r
+<strong>stream_tcp.discards</strong>: tcp packets discarded\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.fragmented bytes</strong>: total fragmented bytes\r
+<strong>stream_tcp.established</strong>: number of sessions currently established\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.max frags</strong>: max fragments\r
+<strong>stream_tcp.events</strong>: events generated\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.max</strong>: max ip sessions\r
+<strong>stream.tcp excess prunes</strong>: tcp sessions pruned due to excess\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.memory used</strong>: current memory usage in bytes\r
+<strong>stream.tcp flows</strong>: total tcp sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.nodes deleted</strong>: fragments deleted from tracker\r
+<strong>stream_tcp.gaps</strong>: missing data between PDUs\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.nodes inserted</strong>: fragments added to tracker\r
+<strong>stream_tcp.ignored</strong>: tcp packets ignored\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.overlaps</strong>: overlapping fragments\r
+<strong>stream_tcp.initializing</strong>: number of sessions currently initializing\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.prunes</strong>: ip session prunes\r
+<strong>stream_tcp.internal events</strong>: 135:X events generated\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.reassembled bytes</strong>: total reassembled bytes\r
+<strong>stream_tcp.max bytes</strong>: number of times the maximum queued byte limit was reached\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.reassembled</strong>: reassembled datagrams\r
+<strong>stream_tcp.max</strong>: max tcp sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.released</strong>: ip session trackers released\r
+<strong>stream_tcp.max segs</strong>: number of times the maximum queued segment limit was reached\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.sessions</strong>: total ip sessions\r
+<strong>stream.tcp memcap prunes</strong>: tcp sessions pruned due to memcap\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.timeouts</strong>: ip session timeouts\r
+<strong>stream_tcp.memory</strong>: current memory in use\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.total</strong>: total fragments\r
+<strong>stream_tcp.overlaps</strong>: overlapping segments queued\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.trackers added</strong>: datagram trackers created\r
+<strong>stream.tcp preemptive prunes</strong>: tcp sessions pruned during preemptive pruning\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.trackers cleared</strong>: datagram trackers cleared\r
+<strong>stream_tcp.prunes</strong>: tcp session prunes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.trackers completed</strong>: datagram trackers completed\r
+<strong>stream_tcp.rebuilt buffers</strong>: rebuilt PDU sections\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.trackers freed</strong>: datagram trackers released\r
+<strong>stream_tcp.rebuilt bytes</strong>: total rebuilt bytes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.3way trackers</strong>: tcp session tracking started on ack\r
+<strong>stream_tcp.rebuilt packets</strong>: total reassembled PDUs\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.client cleanups</strong>: number of times data from server was flushed when session released\r
+<strong>stream_tcp.released</strong>: tcp session trackers released\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.closing</strong>: number of sessions currently closing\r
+<strong>stream_tcp.resyns</strong>: SYN received on established session\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.created</strong>: tcp session trackers created\r
+<strong>stream_tcp.segs queued</strong>: total segments queued\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.data trackers</strong>: tcp session tracking started on data\r
+<strong>stream_tcp.segs released</strong>: total segments released\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.discards</strong>: tcp packets discarded\r
+<strong>stream_tcp.segs split</strong>: tcp segments split when reassembling PDUs\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.established</strong>: number of sessions currently established\r
+<strong>stream_tcp.segs used</strong>: queued tcp segments applied to reassembled PDUs\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.events</strong>: events generated\r
+<strong>stream_tcp.server cleanups</strong>: number of times data from client was flushed when session released\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.gaps</strong>: missing data between PDUs\r
+<strong>stream_tcp.sessions</strong>: total tcp sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.ignored</strong>: tcp packets ignored\r
+<strong>stream_tcp.syn-ack trackers</strong>: tcp session tracking started on syn-ack\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.initializing</strong>: number of sessions currently initializing\r
+<strong>stream_tcp.syn trackers</strong>: tcp session tracking started on syn\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.internal events</strong>: 135:X events generated\r
+<strong>stream.tcp timeout prunes</strong>: tcp sessions pruned due to timeout\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.max bytes</strong>: number of times the maximum queued byte limit was reached\r
+<strong>stream_tcp.timeouts</strong>: tcp session timeouts\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.max segs</strong>: number of times the maximum queued segment limit was reached\r
+<strong>stream.tcp total prunes</strong>: total tcp sessions pruned\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.max</strong>: max tcp sessions\r
+<strong>stream.tcp uni prunes</strong>: tcp uni sessions pruned\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.memory</strong>: current memory in use\r
+<strong>stream_tcp.untracked</strong>: tcp packets not tracked\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.overlaps</strong>: overlapping segments queued\r
+<strong>stream.tcp user prunes</strong>: tcp sessions pruned for other reasons\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.prunes</strong>: tcp session prunes\r
+<strong>stream_udp.created</strong>: udp session trackers created\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.rebuilt buffers</strong>: rebuilt PDU sections\r
+<strong>stream.udp excess prunes</strong>: udp sessions pruned due to excess\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.rebuilt bytes</strong>: total rebuilt bytes\r
+<strong>stream.udp flows</strong>: total udp sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.rebuilt packets</strong>: total reassembled PDUs\r
+<strong>stream_udp.max</strong>: max udp sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.released</strong>: tcp session trackers released\r
+<strong>stream.udp memcap prunes</strong>: udp sessions pruned due to memcap\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.resyns</strong>: SYN received on established session\r
+<strong>stream.udp preemptive prunes</strong>: udp sessions pruned during preemptive pruning\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.segs queued</strong>: total segments queued\r
+<strong>stream_udp.prunes</strong>: udp session prunes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.segs released</strong>: total segments released\r
+<strong>stream_udp.released</strong>: udp session trackers released\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.segs split</strong>: tcp segments split when reassembling PDUs\r
+<strong>stream_udp.sessions</strong>: total udp sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.segs used</strong>: queued tcp segments applied to reassembled PDUs\r
+<strong>stream.udp timeout prunes</strong>: udp sessions pruned due to timeout\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.server cleanups</strong>: number of times data from client was flushed when session released\r
+<strong>stream_udp.timeouts</strong>: udp session timeouts\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.sessions</strong>: total tcp sessions\r
+<strong>stream.udp total prunes</strong>: total udp sessions pruned\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.syn trackers</strong>: tcp session tracking started on syn\r
+<strong>stream.udp uni prunes</strong>: udp uni sessions pruned\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.syn-ack trackers</strong>: tcp session tracking started on syn-ack\r
+<strong>stream.udp user prunes</strong>: udp sessions pruned for other reasons\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.timeouts</strong>: tcp session timeouts\r
+<strong>stream.user excess prunes</strong>: user sessions pruned due to excess\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.untracked</strong>: tcp packets not tracked\r
+<strong>stream.user flows</strong>: total user sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_udp.created</strong>: udp session trackers created\r
+<strong>stream.user memcap prunes</strong>: user sessions pruned due to memcap\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_udp.max</strong>: max udp sessions\r
+<strong>stream.user preemptive prunes</strong>: user sessions pruned during preemptive pruning\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_udp.prunes</strong>: udp session prunes\r
+<strong>stream.user timeout prunes</strong>: user sessions pruned due to timeout\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_udp.released</strong>: udp session trackers released\r
+<strong>stream.user total prunes</strong>: total user sessions pruned\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_udp.sessions</strong>: total udp sessions\r
+<strong>stream.user uni prunes</strong>: user uni sessions pruned\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_udp.timeouts</strong>: udp session timeouts\r
+<strong>stream.user user prunes</strong>: user sessions pruned for other reasons\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>tcp_connector.messages</strong>: total messages\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>telnet.packets</strong>: total packets\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>116</strong>: ciscometadata\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>116</strong>: decode\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>116:468</strong> (decode) too many protocols present\r
+<strong>116:468</strong> (ciscometadata) truncated Cisco Metadata header\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>116:469</strong> (ciscometadata) invalid Cisco Metadata option length\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>116:470</strong> (ciscometadata) invalid Cisco Metadata option type\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>116:471</strong> (ciscometadata) invalid Cisco Metadata SGT\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>116:472</strong> (decode) too many protocols present\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>119:76</strong> (http_inspect) Unsupported Transfer-Encoding or Content-Encoding used\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>119:77</strong> (http_inspect) Unknown Transfer-Encoding or Content-Encoding used\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>119:78</strong> (http_inspect) Multiple layers of compression encodings applied\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>122:1</strong> (port_scan) TCP portscan\r
</p>\r
</li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>hosts</strong>(16): reload hosts file\r
+<strong>hosts</strong>(23): reload hosts file\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>rotate</strong>(31): rotate stats files\r
+<strong>rotate</strong>(12): rotate stats files\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stats</strong>(30): dump stats to stdout\r
+<strong>stats</strong>(10): dump stats to stdout\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>alert_sfsocket</strong> (logger): output event over socket\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>alert_syslog</strong> (logger): output event to syslog\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>ciscometadata</strong> (codec): support for cisco metadata\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>classifications</strong> (basic): define rule categories with priority\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>tcp_connector</strong> (connector): implement the tcp stream connector\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>telnet</strong> (inspector): telnet inspection and normalization\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>codec::ciscometadata</strong>: support for cisco metadata\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>codec::erspan2</strong>: support for encapsulated remote switched port analyzer - type 2\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>connector::tcp_connector</strong>: implement the tcp stream connector\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>inspector::appid</strong>: application and service identification\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>logger::alert_sfsocket</strong>: output event over socket\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>logger::alert_syslog</strong>: output event to syslog\r
</p>\r
</li>\r
<div id="footnotes"><hr /></div>\r
<div id="footer">\r
<div id="footer-text">\r
-Last updated 2016-08-10 17:28:55 EDT\r
+Last updated\r
+ 2015-08-03 17:17:47 EDT\r
</div>\r
</div>\r
</body>\r
4.1. arp
4.2. auth
- 4.3. erspan2
- 4.4. erspan3
- 4.5. esp
- 4.6. eth
- 4.7. fabricpath
- 4.8. gre
- 4.9. gtp
- 4.10. icmp4
- 4.11. icmp6
- 4.12. igmp
- 4.13. ipv4
- 4.14. ipv6
- 4.15. mpls
- 4.16. pgm
- 4.17. pppoe
- 4.18. tcp
- 4.19. udp
- 4.20. vlan
+ 4.3. ciscometadata
+ 4.4. erspan2
+ 4.5. erspan3
+ 4.6. esp
+ 4.7. eth
+ 4.8. fabricpath
+ 4.9. gre
+ 4.10. gtp
+ 4.11. icmp4
+ 4.12. icmp6
+ 4.13. igmp
+ 4.14. ipv4
+ 4.15. ipv6
+ 4.16. mpls
+ 4.17. pgm
+ 4.18. pppoe
+ 4.19. tcp
+ 4.20. udp
+ 4.21. vlan
5. Inspector Modules
10.1. alert_csv
10.2. alert_fast
10.3. alert_full
- 10.4. alert_syslog
- 10.5. log_codecs
- 10.6. log_hext
- 10.7. log_pcap
- 10.8. unified2
+ 10.4. alert_sfsocket
+ 10.5. alert_syslog
+ 10.6. log_codecs
+ 10.7. log_hext
+ 10.8. log_pcap
+ 10.9. unified2
11. DAQ Modules
1.1. Configuration
-------------
+--------------
Note that retaining backwards compatibility is not a goal. While
Snort++ leverages some of the Snort code base, a lot has changed. The
1.2. Modules
-------------
+--------------
Snort++ is organized into a collection of builtin and plugin modules.
If a module has parameters, it is configured by a Lua table of the
1.3. Plugins and Scripts
-------------
+--------------
There are several plugin types:
1.4. New Http Inspector
-------------
+--------------
One of the major undertakings for Snort 3.0 is developing a
-completely new HTTP inspector. It is incomplete right now but you can
-examine the work-in-progress. You can configure it by adding:
+completely new HTTP inspector. You can configure it by adding:
-new_http_inspect = {}
+http_inspect = {}
to your snort.lua configuration file. Or you can read it in the
-source code under src/service_inspectors/nhttp_inspect.
+source code under src/service_inspectors/http_inspect.
The classic HTTP preprocessor is still available in the alpha release
-as http_inspect. It’s probably the better choice for now if you just
-want to do some work and do not feel like experimenting. Be sure not
-to configure both old and new HTTP inspectors at the same time.
+under extra. It has been renamed http_server. Be sure not to
+configure both old and new HTTP inspectors at the same time.
So why a new HTTP inspector?
modified. Many significant changes can be made just by updating these
tables.
-New_http_inspect is the first inspector written specifically for the
-new Snort 3.0 architecture. That provides access to one of the very
-best features of Snort 3.0: purely PDU-based inspection. Classic
-http_inspect processes HTTP messages, but even while doing so it is
+Http_inspect is the first inspector written specifically for the new
+Snort 3.0 architecture. That provides access to one of the very best
+features of Snort 3.0: purely PDU-based inspection. The classic
+preprocessor processes HTTP messages, but even while doing so it is
constantly aware of IP packets and how they divide up the TCP data
stream. The same HTTP message might be processed differently
depending on how the sender (bad guy) divided it up into IP packets.
-New_http_inspect is free of this burden and can focus exclusively on
-HTTP. That makes it much more simple, easier to test, and less prone
-to false positives. It also greatly reduces the opportunity for
+Http_inspect is free of this burden and can focus exclusively on
+HTTP. That makes it much simpler, easier to test, and less prone to
+false positives. It also greatly reduces the opportunity for
adversaries to probe the inspector for weak spots by adjusting packet
boundaries to disguise bad behavior.
Dealing solely with HTTP messages also opens the door for developing
-major new features. The new_http_inspect design supports true
-stateful processing. Want to ask questions that involve both the
-client request and the server response? Or different requests in the
-same session? These things are possible.
+major new features. The http_inspect design supports true stateful
+processing. Want to ask questions that involve both the client
+request and the server response? Or different requests in the same
+session? These things are possible.
Another new feature on the horizon is HTTP/2 analysis. HTTP/2 derives
from Google’s SPDY project and is in the process of being
that runs under HTTP/1.1 and on top of TLS or TCP. It’s a perfect fit
for the new Snort 3.0 architecture because a new HTTP/2 inspector
would naturally output HTTP/1.1 messages but not any underlying
-packets. Exactly what the new_http_inspect wants to input.
+packets. Exactly what http_inspect wants to input.
-New_http_inspect is taking a very different approach to HTTP header
-fields. Classic http_inspect divides all the HTTP headers following
-the start line into cookies and everything else. It normalizes the
-two pieces using a generic process and puts them in buffers that one
-can write rules against. There is some limited support for examining
-individual headers within the inspector but it is very specific.
+Http_inspect is taking a very different approach to HTTP header
+fields. The classic preprocessor divides all the HTTP headers
+following the start line into cookies and everything else. It
+normalizes the two pieces using a generic process and puts them in
+buffers that one can write rules against. There is some limited
+support for examining individual headers within the inspector but it
+is very specific.
The new concept is that every header should be normalized in an
appropriate and specific way and individually made available for the
1.5. Binder and Wizard
-------------
+--------------
One of the fundamental differences between Snort and Snort++ concerns
configuration related to networks and ports. Here is a brief review
1.6. Packet Processing
-------------
+--------------
One of the goals of Snort++ is to provide a more flexible framework
for packet processing by implementing an event-driven approach.
2.1. Dependencies
-------------
+--------------
Required:
2.2. Building
-------------
+--------------
* Optionally built features are listed in the reference section.
* Create an install path:
2.3. Run
-------------
+--------------
First set up the environment:
2.4. Tips
-------------
+--------------
One of the goals of Snort++ is to make it easier to configure your
sensor. Here is a summary of tips and tricks you may find useful.
2.5. Help
-------------
+--------------
Snort has several options to get more help:
2.6. Common Errors
-------------
+--------------
FATAL: snort_config is required
2.7. Gotchas
-------------
+--------------
* A nil key in a table will not caught. Neither will a nil value in
a table. Neither of the following will cause errors, nor will
2.8. Bugs
-------------
+--------------
2.8.1. Build
3.1. active
-------------
+--------------
What: configure responses
3.2. alerts
-------------
+--------------
What: configure alerts
3.3. attribute_table
-------------
+--------------
What: configure hosts loading
3.4. classifications
-------------
+--------------
What: define rule categories with priority
3.5. daq
-------------
+--------------
What: configure packet acquisition interface
3.6. decode
-------------
+--------------
What: general decoder rules
* 116:150 (decode) bad traffic loopback IP
* 116:151 (decode) bad traffic same src/dst IP
* 116:449 (decode) BAD-TRAFFIC unassigned/reserved IP protocol
- * 116:468 (decode) too many protocols present
+ * 116:472 (decode) too many protocols present
3.7. detection
-------------
+--------------
What: configure general IPS rule processing parameters
3.8. event_filter
-------------
+--------------
What: configure thresholding of events
3.9. event_queue
-------------
+--------------
What: configure event queue parameters
3.10. file_id
-------------
+--------------
What: configure file identification
3.11. high_availability
-------------
+--------------
What: implement flow tracking high availability
3.12. host_cache
-------------
+--------------
What: configure hosts
3.13. host_tracker
-------------
+--------------
What: configure hosts
3.14. hosts
-------------
+--------------
What: configure hosts
3.15. ips
-------------
+--------------
What: configure IPS rule processing
3.16. latency
-------------
+--------------
What: packet and rule latency monitoring and control
3.17. memory
-------------
+--------------
What: memory management configuration
3.18. network
-------------
+--------------
What: configure basic network parameters
3.19. output
-------------
+--------------
What: configure general output parameters
3.20. packets
-------------
+--------------
What: configure basic packet handling
3.21. process
-------------
+--------------
What: configure basic process setup
3.22. profiler
-------------
+--------------
What: configure profiling of rules and/or modules
3.23. rate_filter
-------------
+--------------
What: configure rate filters (which change rule actions)
3.24. references
-------------
+--------------
What: define reference systems used in rules
3.25. rule_state
-------------
+--------------
What: enable/disable specific IPS rules
3.26. search_engine
-------------
+--------------
What: configure fast pattern matcher
3.27. side_channel
-------------
+--------------
What: implement the side-channel asynchronous messaging subsystem
* bit_list side_channel.ports: side channel message port list {
65535 }
* string side_channel.connectors[].connector: connector handle
+ * string side_channel.connector: connector handle
Peg counts:
3.28. snort
-------------
+--------------
What: command line configuration and shell commands
3.29. suppress
-------------
+--------------
What: configure event suppressions
4.1. arp
-------------
+--------------
What: support for address resolution protocol
4.2. auth
-------------
+--------------
What: support for IP authentication header
* 116:466 (auth) bad authentication header length
-4.3. erspan2
+4.3. ciscometadata
-------------
+--------------
+
+What: support for cisco metadata
+
+Type: codec
+
+Rules:
+
+ * 116:468 (ciscometadata) truncated Cisco Metadata header
+ * 116:469 (ciscometadata) invalid Cisco Metadata option length
+ * 116:470 (ciscometadata) invalid Cisco Metadata option type
+ * 116:471 (ciscometadata) invalid Cisco Metadata SGT
+
+
+4.4. erspan2
+
+--------------
What: support for encapsulated remote switched port analyzer - type 2
* 116:463 (erspan2) captured < ERSpan type2 header length
-4.4. erspan3
+4.5. erspan3
-------------
+--------------
What: support for encapsulated remote switched port analyzer - type 3
* 116:464 (erspan3) captured < ERSpan type3 header length
-4.5. esp
+4.6. esp
-------------
+--------------
What: support for encapsulating security payload
* 116:294 (esp) truncated encapsulated security payload header
-4.6. eth
+4.7. eth
-------------
+--------------
What: support for ethernet protocol (DLT 1) (DLT 51)
* 116:424 (eth) truncated eth header
-4.7. fabricpath
+4.8. fabricpath
-------------
+--------------
What: support for fabricpath
* 116:467 (fabricpath) truncated FabricPath header
-4.8. gre
+4.9. gre
-------------
+--------------
What: support for generic routing encapsulation
* 116:165 (gre) GRE trans header length > payload length
-4.9. gtp
+4.10. gtp
-------------
+--------------
What: support for general-packet-radio-service tunnelling protocol
* 116:298 (gtp) GTP header length is invalid
-4.10. icmp4
+4.11. icmp4
-------------
+--------------
What: support for Internet control message protocol v4
* icmp4.bad checksum: non-zero icmp checksums
-4.11. icmp6
+4.12. icmp6
-------------
+--------------
What: support for Internet control message protocol v6
* icmp6.bad checksum (ip6): nonzero ipcm6 checksums
-4.12. igmp
+4.13. igmp
-------------
+--------------
What: support for Internet group management protocol
* 116:455 (igmp) DOS IGMP IP options validation attempt
-4.13. ipv4
+4.14. ipv4
-------------
+--------------
What: support for Internet protocol v4
* ipv4.bad checksum: nonzero ip checksums
-4.14. ipv6
+4.15. ipv6
-------------
+--------------
What: support for Internet protocol v6
* 116:456 (ipv6) too many IP6 extension headers
-4.15. mpls
+4.16. mpls
-------------
+--------------
What: support for multiprotocol label switching
* mpls.total bytes: total mpls labeled bytes processed
-4.16. pgm
+4.17. pgm
-------------
+--------------
What: support for pragmatic general multicast
* 116:454 (pgm) BAD-TRAFFIC PGM nak list overflow attempt
-4.17. pppoe
+4.18. pppoe
-------------
+--------------
What: support for point-to-point protocol over ethernet
* 116:120 (pppoe) bad PPPOE frame detected
-4.18. tcp
+4.19. tcp
-------------
+--------------
What: support for transmission control protocol
* tcp.bad checksum (ip6): nonzero tcp over ipv6 checksums
-4.19. udp
+4.20. udp
-------------
+--------------
What: support for user datagram protocol
* udp.bad checksum (ip6): nonzero udp over ipv6 checksums
-4.20. vlan
+4.21. vlan
-------------
+--------------
What: support for local area network
5.1. appid
-------------
+--------------
What: application and service identification
* appid.netbios_flows: count of netbios service flows discovered by
appid
* appid.pop_flows: count of pop service flows discovered by appid
+ * appid.rsync_flows: count of rsync service flows discovered by
+ appid
* appid.smtp_flows: count of smtp flows discovered by appid
* appid.smtps_flows: count of smtps flows discovered by appid
* appid.ssh_clients: count of ssh clients discovered by appid
5.2. arp_spoof
-------------
+--------------
What: detect ARP attacks and anomalies
5.3. back_orifice
-------------
+--------------
What: back orifice detection
5.4. binder
-------------
+--------------
What: configure processing based on CIDRs, ports, services, etc.
5.5. dce_smb
-------------
+--------------
What: dce over smb inspection
5.6. dce_tcp
-------------
+--------------
What: dce over tcp inspection
5.7. dnp3
-------------
+--------------
What: dnp3 inspection
5.8. dns
-------------
+--------------
What: dns inspection
5.9. file_log
-------------
+--------------
What: log file event to file.log
5.10. ftp_client
-------------
+--------------
What: FTP client configuration module for use with ftp_server
5.11. ftp_data
-------------
+--------------
What: FTP data channel handler
5.12. ftp_server
-------------
+--------------
What: main FTP module; ftp_client should also be configured
5.13. gtp_inspect
-------------
+--------------
What: gtp control channel inspection
5.14. http_inspect
-------------
+--------------
What: HTTP inspector
body bytes to examine (-1 no limit) { -1: }
* bool http_inspect.unzip = true: decompress gzip and deflate
message bodies
+ * bool http_inspect.normalize_utf = true: normalize charset utf
+ encodings
* bit_list http_inspect.bad_characters: alert when any of specified
bytes are present in URI after percent decoding { 255 }
* string http_inspect.ignore_unreserved: do not alert when the
* 119:73 (http_inspect) Transfer-Encoding did not end with chunked
* 119:74 (http_inspect) Transfer-Encoding with chunked not at end
* 119:75 (http_inspect) Misformatted HTTP traffic
+ * 119:76 (http_inspect) Unsupported Transfer-Encoding or
+ Content-Encoding used
+ * 119:77 (http_inspect) Unknown Transfer-Encoding or
+ Content-Encoding used
+ * 119:78 (http_inspect) Multiple layers of compression encodings
+ applied
Peg counts:
5.15. imap
-------------
+--------------
What: imap inspection
5.16. modbus
-------------
+--------------
What: modbus inspection
5.17. normalizer
-------------
+--------------
What: packet scrubbing for inline mode
5.18. packet_capture
-------------
+--------------
What: raw packet dumping facility
5.19. perf_monitor
-------------
+--------------
What: performance monitoring and flow statistics collection
5.20. pop
-------------
+--------------
What: pop inspection
5.21. port_scan
-------------
+--------------
What: port scan inspector; also configure port_scan_global
5.22. port_scan_global
-------------
+--------------
What: shared settings for port_scan inspectors for use with port_scan
5.23. reputation
-------------
+--------------
What: reputation inspection
5.24. rpc_decode
-------------
+--------------
What: RPC inspector
5.25. sip
-------------
+--------------
What: sip inspection
5.26. smtp
-------------
+--------------
What: smtp inspection
5.27. ssh
-------------
+--------------
What: ssh inspection
5.28. ssl
-------------
+--------------
What: ssl inspection
5.29. stream
-------------
+--------------
What: common flow tracking
5.30. stream_file
-------------
+--------------
What: stream inspector for file flow tracking and processing
5.31. stream_icmp
-------------
+--------------
What: stream inspector for ICMP flow tracking
5.32. stream_ip
-------------
+--------------
What: stream inspector for IP flow tracking and defragmentation
5.33. stream_tcp
-------------
+--------------
What: stream inspector for TCP flow tracking and stream normalization
and reassembly
5.34. stream_udp
-------------
+--------------
What: stream inspector for UDP flow tracking
5.35. stream_user
-------------
+--------------
What: stream inspector for user flow tracking and reassembly
5.36. telnet
-------------
+--------------
What: telnet inspection and normalization
5.37. wizard
-------------
+--------------
What: inspector that implements port-independent protocol
identification
6.1. react
-------------
+--------------
What: send response to client and terminate session
6.2. reject
-------------
+--------------
What: terminate session with TCP reset or ICMP unreachable
6.3. rewrite
-------------
+--------------
What: overwrite packet contents
7.1. ack
-------------
+--------------
What: rule option to match on TCP ack numbers
7.2. appids
-------------
+--------------
What: detection option for application ids
7.3. asn1
-------------
+--------------
What: rule option for asn1 detection
7.4. base64_decode
-------------
+--------------
What: rule option to decode base64 data - must be used with
base64_data option
7.5. bufferlen
-------------
+--------------
What: rule option to check length of current buffer
7.6. byte_extract
-------------
+--------------
What: rule option to convert data to an integer variable
7.7. byte_jump
-------------
+--------------
What: rule option to move the detection cursor
7.8. byte_test
-------------
+--------------
What: rule option to convert data to integer and compare
7.9. classtype
-------------
+--------------
What: general rule option for rule classification
7.10. content
-------------
+--------------
What: payload rule option for basic pattern matching
7.11. cvs
-------------
+--------------
What: payload rule option for detecting specific attacks
7.12. dce_iface
-------------
+--------------
What: detection option to check dcerpc interface
7.13. dce_opnum
-------------
+--------------
What: detection option to check dcerpc operation number
7.14. dce_stub_data
-------------
+--------------
What: sets the cursor to dcerpc stub data
7.15. detection_filter
-------------
+--------------
What: rule option to require multiple hits before a rule generates an
event
7.16. dnp3_data
-------------
+--------------
What: sets the cursor to dnp3 data
7.17. dnp3_func
-------------
+--------------
What: detection option to check dnp3 function code
7.18. dnp3_ind
-------------
+--------------
What: detection option to check dnp3 indicator flags
7.19. dnp3_obj
-------------
+--------------
What: detection option to check dnp3 object headers
7.20. dsize
-------------
+--------------
What: rule option to test payload size
7.21. file_data
-------------
+--------------
What: rule option to set detection cursor to file data
7.22. file_type
-------------
+--------------
What: rule option to check file type
7.23. flags
-------------
+--------------
What: rule option to test TCP control flags
7.24. flow
-------------
+--------------
What: rule option to check session properties
7.25. flowbits
-------------
+--------------
What: rule option to set and test arbitrary boolean flags
7.26. fragbits
-------------
+--------------
What: rule option to test IP frag flags
7.27. fragoffset
-------------
+--------------
What: rule option to test IP frag offset
7.28. gid
-------------
+--------------
What: rule option specifying rule generator
7.29. gtp_info
-------------
+--------------
What: rule option to check gtp info element
7.30. gtp_type
-------------
+--------------
What: rule option to check gtp types
7.31. gtp_version
-------------
+--------------
What: rule option to check gtp version
7.32. http_client_body
-------------
+--------------
What: rule option to set the detection cursor to the request body
7.33. http_cookie
-------------
+--------------
What: rule option to set the detection cursor to the HTTP cookie
7.34. http_header
-------------
+--------------
What: rule option to set the detection cursor to the normalized
headers
7.35. http_method
-------------
+--------------
What: rule option to set the detection cursor to the HTTP request
method
7.36. http_raw_cookie
-------------
+--------------
What: rule option to set the detection cursor to the unnormalized
cookie
7.37. http_raw_header
-------------
+--------------
What: rule option to set the detection cursor to the unnormalized
headers
7.38. http_raw_request
-------------
+--------------
What: rule option to set the detection cursor to the unnormalized
request line
7.39. http_raw_status
-------------
+--------------
What: rule option to set the detection cursor to the unnormalized
status line
7.40. http_raw_trailer
-------------
+--------------
What: rule option to set the detection cursor to the unnormalized
trailers
7.41. http_raw_uri
-------------
+--------------
What: rule option to set the detection cursor to the unnormalized URI
7.42. http_stat_code
-------------
+--------------
What: rule option to set the detection cursor to the HTTP status code
7.43. http_stat_msg
-------------
+--------------
What: rule option to set the detection cursor to the HTTP status
message
7.44. http_trailer
-------------
+--------------
What: rule option to set the detection cursor to the normalized
trailers
7.45. http_uri
-------------
+--------------
What: rule option to set the detection cursor to the normalized URI
buffer
7.46. http_version
-------------
+--------------
What: rule option to set the detection cursor to the version buffer
7.47. icmp_id
-------------
+--------------
What: rule option to check ICMP ID
7.48. icmp_seq
-------------
+--------------
What: rule option to check ICMP sequence number
7.49. icode
-------------
+--------------
What: rule option to check ICMP code
7.50. id
-------------
+--------------
What: rule option to check the IP ID field
7.51. ip_proto
-------------
+--------------
What: rule option to check the IP protocol number
7.52. ipopts
-------------
+--------------
What: rule option to check for IP options
7.53. isdataat
-------------
+--------------
What: rule option to check for the presence of payload data
7.54. itype
-------------
+--------------
What: rule option to check ICMP type
7.55. md5
-------------
+--------------
What: payload rule option for hash matching
7.56. metadata
-------------
+--------------
What: rule option for conveying arbitrary name, value data within the
rule text
7.57. modbus_data
-------------
+--------------
What: rule option to set cursor to modbus data
7.58. modbus_func
-------------
+--------------
What: rule option to check modbus function code
7.59. modbus_unit
-------------
+--------------
What: rule option to check modbus unit ID
7.60. msg
-------------
+--------------
What: rule option summarizing rule purpose output with events
7.61. pcre
-------------
+--------------
What: rule option for matching payload data with pcre
7.62. pkt_data
-------------
+--------------
What: rule option to set the detection cursor to the normalized
packet data
7.63. priority
-------------
+--------------
What: rule option for prioritizing events
7.64. raw_data
-------------
+--------------
What: rule option to set the detection cursor to the raw packet data
7.65. reference
-------------
+--------------
What: rule option to indicate relevant attack identification system
7.66. regex
-------------
+--------------
What: rule option for matching payload data with hyperscan regex
7.67. rem
-------------
+--------------
What: rule option to convey an arbitrary comment in the rule body
7.68. replace
-------------
+--------------
What: rule option to overwrite payload data; use with rewrite action
7.69. rev
-------------
+--------------
What: rule option to indicate current revision of signature
7.70. rpc
-------------
+--------------
What: rule option to check SUNRPC CALL parameters
Configuration:
- * string rpc.~app: application number
- * string rpc.~ver: version number or * for any
- * string rpc.~proc: procedure number or * for any
+ * int rpc.~app: application number
+ * int rpc.ver: version number or * for any
+ * int rpc.proc: procedure number or * for any
7.71. sd_pattern
-------------
+--------------
What: rule option for detecting sensitive data
7.72. seq
-------------
+--------------
What: rule option to check TCP sequence number
7.73. session
-------------
+--------------
What: rule option to check user data from TCP sessions
7.74. sha256
-------------
+--------------
What: payload rule option for hash matching
7.75. sha512
-------------
+--------------
What: payload rule option for hash matching
7.76. sid
-------------
+--------------
What: rule option to indicate signature number
7.77. sip_body
-------------
+--------------
What: rule option to set the detection cursor to the request body
7.78. sip_header
-------------
+--------------
What: rule option to set the detection cursor to the SIP header
buffer
7.79. sip_method
-------------
+--------------
What: detection option for sip stat code
7.80. sip_stat_code
-------------
+--------------
What: detection option for sip stat code
7.81. so
-------------
+--------------
What: rule option to call custom eval function
7.82. soid
-------------
+--------------
What: rule option to specify a shared object rule ID
7.83. ssl_state
-------------
+--------------
What: detection option for ssl state
7.84. ssl_version
-------------
+--------------
What: detection option for ssl version
7.85. stream_reassemble
-------------
+--------------
What: detection option for stream reassembly control
7.86. stream_size
-------------
+--------------
What: detection option for stream size checking
7.87. tag
-------------
+--------------
What: rule option to log additional packets
7.88. tos
-------------
+--------------
What: rule option to check type of service field
7.89. ttl
-------------
+--------------
What: rule option to check time to live field
7.90. window
-------------
+--------------
What: rule option to check TCP window field
10.1. alert_csv
-------------
+--------------
What: output event in csv format
10.2. alert_fast
-------------
+--------------
What: output event with brief text format
10.3. alert_full
-------------
+--------------
What: output event with full packet dump
K | M | G }
-10.4. alert_syslog
+10.4. alert_sfsocket
+
+--------------
+
+What: output event over socket
+
+Type: logger
+
+Configuration:
+
+ * string alert_sfsocket.file: name of unix socket file
+ * int alert_sfsocket.rules[].gid = 1: rule generator ID { 1: }
+ * int alert_sfsocket.rules[].sid = 1: rule signature ID { 1: }
+
+
+10.5. alert_syslog
-------------
+--------------
What: output event to syslog
cons | ndelay | perror | pid }
-10.5. log_codecs
+10.6. log_codecs
-------------
+--------------
What: log protocols in packet by layer
* bool log_codecs.msg = false: include alert msg
-10.6. log_hext
+10.7. log_hext
-------------
+--------------
What: output payload suitable for daq hext
* int log_hext.width = 20: set line width (0 is unlimited) { 0: }
-10.7. log_pcap
+10.8. log_pcap
-------------
+--------------
What: log packet in pcap format
* enum log_pcap.units = B: bytes | KB | MB | GB { B | K | M | G }
-10.8. unified2
+10.9. unified2
-------------
+--------------
What: output event and packet in unified2 format file
11.1. Building the DAQ Library and DAQ Modules
-------------
+--------------
The DAQ is bundled with Snort but must be built first using these
steps:
11.2. PCAP Module
-------------
+--------------
pcap is the default DAQ. If snort is run w/o any DAQ arguments, it
will operate as it always did using this module. These are
11.3. AFPACKET Module
-------------
+--------------
afpacket functions similar to the pcap DAQ but with better
performance:
11.4. NFQ Module
-------------
+--------------
NFQ is the new and improved way to process iptables packets:
11.5. IPQ Module
-------------
+--------------
IPQ is the old way to process iptables packets. It replaces the
inline version available in pre-2.9 versions built with this:
11.6. IPFW Module
-------------
+--------------
IPFW is available for BSD systems. It replaces the inline version
available in pre-2.9 versions built with this:
11.7. Dump Module
-------------
+--------------
The dump DAQ allows you to test the various inline mode features
available in 2.9 Snort like injection and normalization.
11.8. Netmap Module
-------------
+--------------
The netmap project is a framework for very high speed packet I/O. It
is available on both FreeBSD and Linux with varying amounts of
11.9. Notes on iptables
-------------
+--------------
These notes are just a quick reminder that you need to set up
iptables to use the IPQ or NFQ DAQs. Doing so may cause problems with
11.10. Notes on FreeBSD::IPFW
-------------
+--------------
Check the online manual at:
11.11. Notes on OpenBSD::IPFW
-------------
+--------------
OpenBSD supports divert sockets as of 4.7, so we use the ipfw DAQ.
11.12. Socket Module
-------------
+--------------
The socket module provides provides a stream socket server that will
accept up to 2 simultaneous connections and bridge them together
11.13. File Module
-------------
+--------------
The file module provides the ability to process files directly w/o
having to extract them from pcaps. Use the file module with Snort’s
11.14. Hext Module
-------------
+--------------
The hext module generates packets suitable for processing by Snort
from hex/plain text. Raw packets include full headers and are
12.1. Build Options
-------------
+--------------
* configure --with-lib{pcap,pcre}-* → --with-{pcap,pcre}-*
* control socket, cs_dir, and users were deleted
12.2. Command Line
-------------
+--------------
* --pause loads config and waits for resume before processing
packets
12.3. Conf File
-------------
+--------------
* Snort++ has a default unicode.map
* Snort++ will not enforce an upper bound on memcaps and the like
12.4. Rules
-------------
+--------------
* all rules must have a sid
* deleted activate / dynamic rules
12.5. Output
-------------
+--------------
* alert_fast includes packet data by default
* all text mode outputs default to stdout
12.6. HTTP Profiles
-------------
+--------------
This section describes the changes to the Http Inspect config option
"profile".
snort --help-config http_inspect | grep http_inspect.profile
-The new Http Inspect (new_http_inspect) implementation of config
-options is still under development.
-
---------------------------------------------------------------------
13.1. Snort2Lua Command Line
-------------
+--------------
By default, Snort2Lua will attempt to parse every ‘include’ file and
every ‘binding’ file. There is an option to change this
13.2. Known Problems
-------------
+--------------
* Any Snort ‘string’ which is dependent on a variable will no
longer have that variable in the Lua string.
13.3. Usage
-------------
+--------------
Snort2Lua is included in the Snort 3.0 distribution. The Snort2Lua
source code is located in the tools/snort2lua directory. The program
14.1. Plugins
-------------
+--------------
Snort++ uses a variety of plugins to accomplish much of its
processing objectives, including:
14.2. Modules
-------------
+--------------
The Module is pervasive in Snort+. It is how everything, including
plugins, are configured. It also provides access to builtin rules.
14.3. Inspectors
-------------
+--------------
There are several types of inspector, which determines which
inspectors are executed when:
14.4. Codecs
-------------
+--------------
The Snort3.0 Codecs decipher raw packets. These Codecs are now
completely pluggable; almost every Snort3.0 Codec can be built
14.5. IPS Actions
-------------
+--------------
Action plugins specify a builtin action in the API which is used to
determine verdict. (Conversely, builtin actions don’t have an
14.6. Developers Guide
-------------
+--------------
Run doc/dev_guide.sh to generate /tmp/dev_guide.html, an annotated
guide to the source tree.
14.7. Piglet Test Harness
-------------
+--------------
In order to assist with plugin development, an experimental mode
called "piglet" mode is provided. With piglet mode, you can call
14.8. Piglet Lua API
-------------
+--------------
This section documents the API that piglet exposes to Lua. Refer to
the piglet directory in the source tree for examples of usage.
15.1. General
-------------
+--------------
* Generally try to follow http://google-styleguide.googlecode.com/
svn/trunk/cppguide.xml, but there are some differences documented
15.2. C++ Specific
-------------
+--------------
* Do not use exceptions. Exception-safe code is non-trivial and we
have ported legacy code that makes use of exceptions unwise.
15.3. Naming
-------------
+--------------
* Use camel case for namespaces, classes, and types like
WhizBangPdfChecker.
15.4. Comments
-------------
+--------------
* Write comments sparingly with a mind towards future proofing.
Often the comments can be obviated with better code. Clear code
15.5. Logging
-------------
+--------------
* Messages intended for the user should not look like debug
messages. Eg, the function name should not be included. It is
15.6. Types
-------------
+--------------
* Use logical types to make the code clearer and to help the
compiler catch problems. typedef uint16_t Port; bool foo(Port) is
15.7. Macros (aka defines)
-------------
+--------------
* In many cases, even in C++, use #define name "value" instead of a
const char* const name = "value" because it will eliminate a
15.8. Formatting
-------------
+--------------
* Try to keep all source files under 2500 lines. 3000 is the max
allowed. If you need more lines, chances are that the code needs
15.9. Headers
-------------
+--------------
* Don’t hesitate to create a new header if it is needed. Don’t lump
unrelated stuff into an header because it is convenient.
15.10. Warnings
-------------
+--------------
* With g++, use at least these compiler flags:
15.11. Uncrustify
-------------
+--------------
Currently using uncrustify from at https://github.com/bengardner/
uncrustify to reformat legacy code and anything that happens to need
16.1. Terminology
-------------
+--------------
* basic module: a module integrated into Snort that does not come
from a plugin.
16.2. Usage
-------------
+--------------
For the following examples "$my_path" is assumed to be the path to
the Snort++ install directory. Additionally, it is assumed that
16.3. Plugins
-------------
+--------------
Load external plugins and use the "ex" alert:
16.4. Output Files
-------------
+--------------
To make it simple to configure outputs when you run with multiple
packet threads, output files are not explicitly configured. Instead,
16.5. Optional Features
-------------
+--------------
The features listed below must be explicitly enabled so they are
built into the Snort binary. For a full list of build features, run .
16.6. Environment Variables
-------------
+--------------
* HOSTTYPE: optional string that is output with the version at end
of line.
16.7. Command Line Options
-------------
+--------------
* --alert-before-pass process alert, drop, sdrop, or reject before
pass; default is pass before alert, drop,…
+ * -A <mode> set alert mode: none, cmg, or alert_*
+ * -B <mask> obfuscated IP addresses in alerts and packet dumps
+ using CIDR mask
* --bpf <filter options> are standard BPF options, as seen in
TCPDump
* --c2x output hex for given char (see also --x2c)
* --catch-test comma separated list of cat unit test tags or all
+ * -c <conf> use this configuration
+ * -C print out payloads with character data only (no hex)
* --create-pidfile create PID file, even when not in Daemon mode
- * --daq <type> select packet acquisition module (default is pcap)
* --daq-dir <dir> tell snort where to find desired DAQ
* --daq-list list packet acquisition modules available in optional
dir, default is static modules only
+ * --daq <type> select packet acquisition module (default is pcap)
* --daq-var <name=value> specify extra DAQ configuration variable
+ * -d dump the Application Layer
* --dirty-pig don’t flush packets on shutdown
+ * -D run Snort in background (daemon) mode
* --dump-builtin-rules [<module prefix>] output stub rules for
selected modules
* --dump-defaults [<module prefix>] output module defaults in Lua
libraries
* --dump-version output the version, the whole version, and only
the version
+ * -e display the second layer header info
* --enable-inline-test enable Inline-Test Mode Operation
- * --help list command line options
+ * -f turn off fflush() calls after binary log writes
+ * -G <0xid> (same as --logid) (0:65535)
+ * -g <gname> run snort gid as <gname> group (or gid) after
+ initialization
* --help-commands [<module prefix>] output matching commands
(optional)
* --help-config [<module prefix>] output matching config options
(optional)
* --help-counts [<module prefix>] output matching peg counts
(optional)
+ * --help list command line options
* --help-module <module> output description of given module
* --help-modules list all available modules with brief help
* --help-options <option prefix> output matching command line
option quick help (same as -?) (optional)
* --help-plugins list all available plugins with brief help
* --help-signals dump available control signals
+ * -H make hash tables deterministic
* --id-subdir create/use instance subdirectories in logdir instead
of instance filename prefix
* --id-zero use id prefix / subdirectory even with one packet
thread
+ * -i <iface>… list of interfaces
+ * -j <port> to listen for telnet connections
+ * -k <mode> checksum mode; default is all (all|noip|notcp|noudp|
+ noicmp|none)
* --list-buffers output available inspection buffers
* --list-builtin <module prefix> output matching builtin rules
(optional)
* --list-modules [<module type>] list all known modules of given
type (optional)
* --list-plugins list all known plugins
+ * -l <logdir> log to this directory instead of current directory
+ * -L <mode> logging mode (none, dump, pcap, or log_*)
* --logid <0xid> log Identifier to uniquely id events for multiple
snorts (same as -G) (0:65535)
* --lua <chunk> extend/override conf with chunk; may be repeated
* --markup output help in asciidoc compatible format
* --max-packet-threads <count> configure maximum number of packet
threads (same as -z) (0:)
+ * -M log messages to syslog (not alerts)
+ * -m <umask> set umask = <umask> (0:)
+ * -n <count> stop after count packets (0:)
* --nolock-pidfile do not try to lock Snort PID file
* --nostamps don’t include timestamps in log file names
+ * -O obfuscate the logged IP addresses
+ * -? <option prefix> output matching command line option quick help
+ (same as --help-options) (optional)
* --pause wait for resume/quit command before processing packets/
terminating
* --pcap-dir <dir> a directory to recurse to look for pcaps - read
* --piglet enable piglet test harness mode
* --plugin-path <path> where to find plugins
* --process-all-events process all action groups
+ * -Q enable inline mode operation
+ * -q quiet mode - Don’t show banner and status report
+ * -r <pcap>… (same as --pcap-list)
+ * -R <rules> include this rules file in the default policy
* --rule <rules> to be added to configuration; may be repeated
* --rule-to-hex output so rule header to stdout for text rule on
stdin
* --show-plugins list module and plugin versions
* --skip <n> skip 1st n packets (0:)
* --snaplen <snap> set snaplen of packet (same as -s) (68:65535)
+ * -s <snap> (same as --snaplen); default is 1514 (68:65535)
* --stdin-rules read rules from stdin until EOF or a line starting
with END is read
+ * -S <x=v> set config variable x equal to value v
+ * -t <dir> chroots process to <dir> after initialization
* --treat-drop-as-alert converts drop, sdrop, and reject rules into
alert rules during startup
* --treat-drop-as-ignore use drop, sdrop, and reject rules to
ignore session traffic when not inline
+ * -T test and report on the current Snort configuration
+ * -u <uname> run snort as <uname> or <uid> after initialization
+ * -U use UTC for timestamps
+ * -v be verbose
* --version show version number (same as -V)
+ * -V (same as --version)
* --warn-all enable all warnings
* --warn-conf warn about configuration issues
* --warn-daq warn about DAQ issues, usually related to mode
scripts
* --warn-symbols warn about unknown symbols in your Lua config
* --warn-vars warn about variable definition and usage issues
+ * -w dump 802.11 management and control frames
+ * -W lists available interfaces
* --x2c output ASCII char for given hex (see also --c2x)
* --x2s output ASCII string for given byte code (see also --x2c)
- * -? <option prefix> output matching command line option quick help
- (same as --help-options) (optional)
- * -A <mode> set alert mode: none, cmg, or alert_*
- * -B <mask> obfuscated IP addresses in alerts and packet dumps
- using CIDR mask
- * -C print out payloads with character data only (no hex)
- * -D run Snort in background (daemon) mode
- * -G <0xid> (same as --logid) (0:65535)
- * -H make hash tables deterministic
- * -L <mode> logging mode (none, dump, pcap, or log_*)
- * -M log messages to syslog (not alerts)
- * -O obfuscate the logged IP addresses
- * -Q enable inline mode operation
- * -R <rules> include this rules file in the default policy
- * -S <x=v> set config variable x equal to value v
- * -T test and report on the current Snort configuration
- * -U use UTC for timestamps
- * -V (same as --version)
- * -W lists available interfaces
* -X dump the raw packet data starting at the link layer
- * -c <conf> use this configuration
- * -d dump the Application Layer
- * -e display the second layer header info
- * -f turn off fflush() calls after binary log writes
- * -g <gname> run snort gid as <gname> group (or gid) after
- initialization
- * -i <iface>… list of interfaces
- * -j <port> to listen for telnet connections
- * -k <mode> checksum mode; default is all (all|noip|notcp|noudp|
- noicmp|none)
- * -l <logdir> log to this directory instead of current directory
- * -m <umask> set umask = <umask> (0:)
- * -n <count> stop after count packets (0:)
- * -q quiet mode - Don’t show banner and status report
- * -r <pcap>… (same as --pcap-list)
- * -s <snap> (same as --snaplen); default is 1514 (68:65535)
- * -t <dir> chroots process to <dir> after initialization
- * -u <uname> run snort as <uname> or <uid> after initialization
- * -v be verbose
- * -w dump 802.11 management and control frames
* -x same as --pedantic
* -y include year in timestamp in the alert and log files
* -z <count> maximum number of packet threads (same as
16.8. Parameters
-------------
+--------------
Parameters are given with this format:
16.9. Configuration
-------------
+--------------
* string ack.~range: check if tcp ack value is value | min<>max |
<max | >min
* int alert_full.limit = 0: set limit (0 is unlimited) { 0: }
* enum alert_full.units = B: limit is in bytes | KB | MB | GB { B |
K | M | G }
- * enum alert_syslog.facility = auth: part of priority applied to
- each message { auth | authpriv | daemon | user | local0 | local1
- | local2 | local3 | local4 | local5 | local6 | local7 }
- * enum alert_syslog.level = info: part of priority applied to each
- message { emerg | alert | crit | err | warning | notice | info |
- debug }
- * multi alert_syslog.options: used to open the syslog connection {
- cons | ndelay | perror | pid }
* bool alerts.alert_with_interface_name = false: include interface
in alert info (fast, full, or syslog only)
* bool alerts.default_rule_state = true: enable or disable ips
memory for filters { 0: }
* int alerts.event_filter_memcap = 1048576: set available memory
for filters { 0: }
+ * string alert_sfsocket.file: name of unix socket file
+ * int alert_sfsocket.rules[].gid = 1: rule generator ID { 1: }
+ * int alert_sfsocket.rules[].sid = 1: rule signature ID { 1: }
* string alerts.order = pass drop alert log: change the order of
rule action application
* int alerts.rate_filter_memcap = 1048576: set available memory for
(note: rule action still taken)
* string alerts.tunnel_verdicts: let DAQ handle non-allow verdicts
for GTP|Teredo|6in4|4in6 traffic
+ * enum alert_syslog.facility = auth: part of priority applied to
+ each message { auth | authpriv | daemon | user | local0 | local1
+ | local2 | local3 | local4 | local5 | local6 | local7 }
+ * enum alert_syslog.level = info: part of priority applied to each
+ message { emerg | alert | crit | err | warning | notice | info |
+ debug }
+ * multi alert_syslog.options: used to open the syslog connection {
+ cons | ndelay | perror | pid }
* string appid.app_detector_dir: directory to load AppId detectors
from
* string appid.app_stats_filename: Filename for logging AppId
what this is { 0: }
* int appid.memcap = 268435456: time period for collecting and
logging AppId statistics { 1048576:3221225472 }
+ * string appids.~: appid option
* string appid.thirdparty_appid_dir: directory to load thirdparty
AppId detectors from
- * string appids.~: appid option
* ip4 arp_spoof.hosts[].ip: host ip address
* mac arp_spoof.hosts[].mac: host mac address
* int asn1.absolute_offset: Absolute offset from the beginning of
* int byte_extract.align = 0: round the number of converted bytes
up to the next 2- or 4-byte boundary { 0:4 }
* implied byte_extract.big: big endian
+ * int byte_extract.~count: number of bytes to pick up from the
+ buffer { 1:10 }
* implied byte_extract.dce: dcerpc2 determines endianness
* implied byte_extract.dec: convert from decimal string
* implied byte_extract.hex: convert from hex string
* implied byte_extract.little: little endian
* int byte_extract.multiplier = 1: scale extracted value by given
amount { 1:65535 }
- * implied byte_extract.oct: convert from octal string
- * implied byte_extract.relative: offset from cursor instead of
- start of buffer
- * implied byte_extract.string: convert from string
- * int byte_extract.~count: number of bytes to pick up from the
- buffer { 1:10 }
* string byte_extract.~name: name of the variable that will be used
in other rule options
+ * implied byte_extract.oct: convert from octal string
* int byte_extract.~offset: number of bytes into the buffer to
start processing { -65535:65535 }
+ * implied byte_extract.relative: offset from cursor instead of
+ start of buffer
+ * implied byte_extract.string: convert from string
* int byte_jump.align = 0: round the number of converted bytes up
to the next 2- or 4-byte boundary { 0:4 }
* implied byte_jump.big: big endian
+ * int byte_jump.~count: number of bytes to pick up from the buffer
+ { 1:10 }
* implied byte_jump.dce: dcerpc2 determines endianness
* implied byte_jump.dec: convert from decimal string
* implied byte_jump.from_beginning: jump from start of buffer
* int byte_jump.multiplier = 1: scale extracted value by given
amount { 1:65535 }
* implied byte_jump.oct: convert from octal string
+ * string byte_jump.~offset: variable name or number of bytes into
+ the buffer to start processing
* int byte_jump.post_offset = 0: also skip forward or backwards
(positive of negative value) this number of bytes { -65535:65535
}
* implied byte_jump.relative: offset from cursor instead of start
of buffer
* implied byte_jump.string: convert from string
- * int byte_jump.~count: number of bytes to pick up from the buffer
- { 1:10 }
- * string byte_jump.~offset: variable name or number of bytes into
- the buffer to start processing
* implied byte_test.big: big endian
+ * string byte_test.~compare: variable name or value to test the
+ converted result against
+ * int byte_test.~count: number of bytes to pick up from the buffer
+ { 1:10 }
* implied byte_test.dce: dcerpc2 determines endianness
* implied byte_test.dec: convert from decimal string
* implied byte_test.hex: convert from hex string
* implied byte_test.little: little endian
* implied byte_test.oct: convert from octal string
- * implied byte_test.relative: offset from cursor instead of start
- of buffer
- * implied byte_test.string: convert from string
- * string byte_test.~compare: variable name or value to test the
- converted result against
- * int byte_test.~count: number of bytes to pick up from the buffer
- { 1:10 }
* string byte_test.~offset: variable name or number of bytes into
the payload to start processing
* string byte_test.~operator: variable name or number of bytes into
the buffer to start processing
+ * implied byte_test.relative: offset from cursor instead of start
+ of buffer
+ * implied byte_test.string: convert from string
* string classifications[].name: name used with classtype rule
option
* int classifications[].priority = 1: default priority for class {
0: }
* string classifications[].text: description of class
* string classtype.~: classification for this rule
+ * string content.~data: data to match
* string content.depth: var or maximum number of bytes to search
from beginning of buffer
* string content.distance: var or number of bytes from cursor to
start search
- * implied content.fast_pattern: use this content in the fast
- pattern matcher instead of the content selected by default
* int content.fast_pattern_length: maximum number of characters
from this content the fast pattern matcher should use { 1: }
* int content.fast_pattern_offset = 0: number of leading characters
of this content the fast pattern matcher should exclude { 0: }
+ * implied content.fast_pattern: use this content in the fast
+ pattern matcher instead of the content selected by default
* implied content.nocase: case insensitive match
* string content.offset: var or number of bytes from start of
buffer to start search
* string content.within: var or maximum number of bytes to search
from cursor
- * string content.~data: data to match
* implied cvs.invalid-entry: looks for an invalid Entry string
* string daq.input_spec: input specification
* int daq.instances[].id: instance ID (required) { 0: }
* int dce_tcp.reassemble_threshold = 0: Minimum bytes received
before performing reassembly { 0:65535 }
* int detection.asn1 = 256: maximum decode nodes { 1: }
- * bool detection.pcre_enable = true: disable pcre pattern matching
- * int detection.pcre_match_limit = 1500: limit pcre backtracking,
- -1 = max, 0 = off { -1:1000000 }
- * int detection.pcre_match_limit_recursion = 1500: limit pcre stack
- consumption, -1 = max, 0 = off { -1:10000 }
* int detection_filter.count: hits in interval before allowing the
rule to fire { 1: }
* int detection_filter.seconds: length of interval to count hits {
1: }
* enum detection_filter.track: track hits by source or destination
IP address { by_src | by_dst }
+ * bool detection.pcre_enable = true: disable pcre pattern matching
+ * int detection.pcre_match_limit = 1500: limit pcre backtracking,
+ -1 = max, 0 = off { -1:1000000 }
+ * int detection.pcre_match_limit_recursion = 1500: limit pcre stack
+ consumption, -1 = max, 0 = off { -1:10000 }
* bool dnp3.check_crc = false: validate checksums in DNP3 link
layer frames
* string dnp3_func.~: match dnp3 function code or name
* string file_type.~: list of file type IDs to match
* string flags.~mask_flags: these flags are don’t cares
* string flags.~test_flags: these flags are tested
+ * string flowbits.~arg1: bits or group
+ * string flowbits.~arg2: group if arg1 is bits
+ * string flowbits.~command: set|reset|isset|etc.
* implied flow.established: match only during data transfer phase
* implied flow.from_client: same as to_server
* implied flow.from_server: same as to_client
* implied flow.stateless: match regardless of stream state
* implied flow.to_client: match on server responses
* implied flow.to_server: match on client requests
- * string flowbits.~arg1: bits or group
- * string flowbits.~arg2: group if arg1 is bits
- * string flowbits.~command: set|reset|isset|etc.
* string fragbits.~flags: these flags are tested
* string fragoffset.~range: check if ip fragment offset value is
value | min<>max | <max | >min
* bit_list high_availability.ports: side channel message port list
{ 65535 }
* int host_cache[].size: size of host cache
+ * enum hosts[].frag_policy: defragmentation policy { first | linux
+ | bsd | bsd_right | last | windows | solaris }
+ * addr hosts[].ip = 0.0.0.0/32: hosts address / cidr
+ * string hosts[].services[].name: service identifier
+ * port hosts[].services[].port: port number
+ * enum hosts[].services[].proto = tcp: ip protocol { tcp | udp }
+ * enum hosts[].tcp_policy: tcp reassembly policy { first | last |
+ linux | old_linux | bsd | macos | solaris | irix | hpux11 |
+ hpux10 | windows | win_2003 | vista | proxy }
* enum host_tracker[].frag_policy: defragmentation policy { first |
linux | bsd | bsd_right | last | windows | solaris }
* addr host_tracker[].ip = 0.0.0.0/32: hosts address / cidr
* enum host_tracker[].tcp_policy: tcp reassembly policy { first |
last | linux | old_linux | bsd | macos | solaris | irix | hpux11
| hpux10 | windows | win_2003 | vista | proxy }
- * enum hosts[].frag_policy: defragmentation policy { first | linux
- | bsd | bsd_right | last | windows | solaris }
- * addr hosts[].ip = 0.0.0.0/32: hosts address / cidr
- * string hosts[].services[].name: service identifier
- * port hosts[].services[].port: port number
- * enum hosts[].services[].proto = tcp: ip protocol { tcp | udp }
- * enum hosts[].tcp_policy: tcp reassembly policy { first | last |
- linux | old_linux | bsd | macos | solaris | irix | hpux11 |
- hpux10 | windows | win_2003 | vista | proxy }
* implied http_cookie.request: Match against the cookie from the
request message even when examining the response
* implied http_cookie.with_body: Parts of this rule examine HTTP
tilde, and minus. { (optional) }
* bool http_inspect.iis_double_decode = false: perform double
decoding of percent encodings to normalize characters
- * bool http_inspect.iis_unicode = false: use IIS unicode code point
- mapping to normalize characters
* int http_inspect.iis_unicode_code_page = 1252: code page to use
from the IIS unicode map file { 0:65535 }
+ * bool http_inspect.iis_unicode = false: use IIS unicode code point
+ mapping to normalize characters
* string http_inspect.iis_unicode_map_file: file containing code
points for IIS unicode. { (optional) }
+ * bool http_inspect.normalize_utf = true: normalize charset utf
+ encodings
* int http_inspect.oversize_dir_length = 300: maximum length for
URL directory { 1:65535 }
* bool http_inspect.percent_u = false: normalize %uNNNN and %UNNNN
data
* bool http_inspect.unzip = true: decompress gzip and deflate
message bodies
- * bool http_inspect.utf8 = true: normalize 2-byte and 3-byte UTF-8
- characters to a single byte
* bool http_inspect.utf8_bare_byte = false: when doing UTF-8
character normalization include bytes that were not percent
encoded
+ * bool http_inspect.utf8 = true: normalize 2-byte and 3-byte UTF-8
+ characters to a single byte
* implied http_method.with_body: Parts of this rule examine HTTP
message body
* implied http_method.with_trailer: Parts of this rule examine HTTP
{ -1:65535 }
* int imap.uu_decode_depth = 1460: Unix-to-Unix decoding depth {
-1:65535 }
- * string ip_proto.~proto: [!|>|<] name or number
* select ipopts.~opt: output format { rr|eol|nop|ts|sec|esec|lsrr|
lsrre|ssrr|satid|any }
+ * string ip_proto.~proto: [!|>|<] name or number
* bool ips.enable_builtin_rules = false: enable events from builtin
rules w/o stubs
* int ips.id = 0: correlate unified2 events with configuration {
* string ips.include: legacy snort rules and includes
* enum ips.mode: set policy mode { tap | inline | inline-test }
* string ips.rules: snort rules and includes
+ * string isdataat.~length: num | !num
* implied isdataat.relative: offset from cursor instead of start of
buffer
- * string isdataat.~length: num | !num
* string itype.~range: check if icmp type is type | min<>max | <max
| >min
* enum latency.packet.action = alert_and_log: event action if
* int log_hext.width = 20: set line width (0 is unlimited) { 0: }
* int log_pcap.limit = 0: set limit (0 is unlimited) { 0: }
* enum log_pcap.units = B: bytes | KB | MB | GB { B | K | M | G }
+ * string md5.~hash: data to match
* int md5.length: number of octets in plain text { 1:65535 }
* string md5.offset: var or number of bytes from start of buffer to
start search
* implied md5.relative = false: offset from cursor instead of start
of buffer
- * string md5.~hash: data to match
* int memory.cap = 0: set the per-packet-thread cap on memory
(bytes, 0 to disable) { 0: }
* bool memory.soft = false: always succeed in allocating memory,
starting at link layer (same as -X)
* int output.event_trace.max_data = 0: maximum amount of packet
data to capture { 0:65535 }
+ * string output.logdir = .: where to put log files (same as -l)
* bool output.log_ipv6_extra_data = false: log IPv6 source and
destination addresses as unified2 extra data records
- * string output.logdir = .: where to put log files (same as -l)
* bool output.obfuscate = false: obfuscate the logged IP addresses
(same as -O)
* bool output.obfuscate_pii = false: Mask all but the last 4
-1:65535 }
* int pop.uu_decode_depth = 1460: Unix-to-Unix decoding depth {
-1:65535 }
+ * int port_scan_global.memcap = 1048576: maximum tracker memory {
+ 1: }
* string port_scan.ignore_scanned: list of CIDRs with optional
ports to ignore if the destination of scan alerts
* string port_scan.ignore_scanners: list of CIDRs with optional
detection { low | medium | high }
* string port_scan.watch_ip: list of CIDRs with optional ports to
watch
- * int port_scan_global.memcap = 1048576: maximum tracker memory {
- 1: }
* int priority.~: relative severity level; 1 is highest priority {
1: }
* string process.chroot: set chroot directory (same as -t)
* implied regex.multiline: ^ and $ anchors match any newlines in
data
* implied regex.nocase: case insensitive match
+ * string regex.~re: hyperscan regular expression
* implied regex.relative: start search from end of last match
instead of start of buffer
- * string regex.~re: hyperscan regular expression
* enum reject.control: send icmp unreachable(s) { network|host|port
|all }
* enum reject.reset: send tcp reset to one or both ends { source|
is a decision conflict during run-time { blacklist|whitelist }
* bool reputation.scan_local = false: inspect local address defined
in RFC 1918
+ * string reputation.whitelist: whitelist file name with ip lists
* enum reputation.white = unblack: specify the meaning of whitelist
{ unblack|trust }
- * string reputation.whitelist: whitelist file name with ip lists
* int rev.~: revision { 1: }
- * string rpc.~app: application number
- * string rpc.~proc: procedure number or * for any
- * string rpc.~ver: version number or * for any
+ * int rpc.~app: application number
+ * int rpc.proc: procedure number or * for any
+ * int rpc.ver: version number or * for any
* bool rule_state.enable = true: enable or disable rule in all
policies
* int rule_state.gid = 0: rule generator ID { 0: }
* int rule_state.sid = 0: rule signature ID { 0: }
- * int sd_pattern.threshold: number of matches before alerting { 1 }
* string sd_pattern.~pattern: The pattern to search for
+ * int sd_pattern.threshold: number of matches before alerting { 1 }
* int search_engine.bleedover_port_limit = 1024: maximum ports in
rule before demotion to any-any port group { 1: }
* bool search_engine.bleedover_warnings_enabled = false: print
* string seq.~range: check if tcp sequence number value is value |
min<>max | <max | >min
* enum session.~mode: output format { printable|binary|all }
+ * string sha256.~hash: data to match
* int sha256.length: number of octets in plain text { 1:65535 }
* string sha256.offset: var or number of bytes from start of buffer
to start search
* implied sha256.relative = false: offset from cursor instead of
start of buffer
- * string sha256.~hash: data to match
+ * string sha512.~hash: data to match
* int sha512.length: number of octets in plain text { 1:65535 }
* string sha512.offset: var or number of bytes from start of buffer
to start search
* implied sha512.relative = false: offset from cursor instead of
start of buffer
- * string sha512.~hash: data to match
- * int sid.~: signature id { 1: }
+ * string side_channel.connector: connector handle
* string side_channel.connectors[].connector: connector handle
* bit_list side_channel.ports: side channel message port list {
65535 }
+ * int sid.~: signature id { 1: }
* bool sip.ignore_call_channel = false: enables the support for
ignoring audio/video data channel
* int sip.max_call_id_len = 256: maximum call id field size {
* int sip.max_uri_len = 256: maximum request uri field size {
0:65535 }
* int sip.max_via_len = 1024: maximum via field size { 0:65535 }
+ * string sip_method.*method: sip method
* string sip.methods = invite cancel ack bye register options: list
of methods to check in sip messages
- * string sip_method.*method: sip method
* int sip_stat_code.*code: stat code { 1:999 }
* string smtp.alt_max_command_line_len[].command: command string
* int smtp.alt_max_command_line_len[].length = 0: specify
0:65535 }
* int smtp.max_response_line_len = 0: max SMTP response line {
0:65535 }
+ * string smtp.normalize_cmds: list of commands to normalize
* enum smtp.normalize = none: turns on/off normalization { none |
cmds | all }
- * string smtp.normalize_cmds: list of commands to normalize
* int smtp.qp_decode_depth = 25: quoted-Printable decoding depth {
-1:65535 }
* int smtp.uu_decode_depth = 25: unix-to-Unix decoding depth {
disable | alert | drop }
* implied snort.--alert-before-pass: process alert, drop, sdrop, or
reject before pass; default is pass before alert, drop,…
+ * string snort.-A: <mode> set alert mode: none, cmg, or alert_*
+ * addr snort.-B = 255.255.255.255/32: <mask> obfuscated IP
+ addresses in alerts and packet dumps using CIDR mask
* string snort.--bpf: <filter options> are standard BPF options, as
seen in TCPDump
* string snort.--c2x: output hex for given char (see also --x2c)
* string snort.--catch-test: comma separated list of cat unit test
tags or all
+ * string snort.-c: <conf> use this configuration
+ * implied snort.-C: print out payloads with character data only (no
+ hex)
* implied snort.--create-pidfile: create PID file, even when not in
Daemon mode
- * string snort.--daq: <type> select packet acquisition module
- (default is pcap)
* string snort.--daq-dir: <dir> tell snort where to find desired
DAQ
* implied snort.--daq-list: list packet acquisition modules
available in optional dir, default is static modules only
+ * string snort.--daq: <type> select packet acquisition module
+ (default is pcap)
* string snort.--daq-var: <name=value> specify extra DAQ
configuration variable
+ * implied snort.-d: dump the Application Layer
* implied snort.--dirty-pig: don’t flush packets on shutdown
+ * implied snort.-D: run Snort in background (daemon) mode
* implied snort.--dump-builtin-rules: [<module prefix>] output stub
rules for selected modules
* string snort.--dump-defaults: [<module prefix>] output module
loaded rules libraries
* implied snort.--dump-version: output the version, the whole
version, and only the version
+ * implied snort.-e: display the second layer header info
* implied snort.--enable-inline-test: enable Inline-Test Mode
Operation
- * implied snort.--help: list command line options
+ * implied snort.-f: turn off fflush() calls after binary log writes
+ * int snort.-G: <0xid> (same as --logid) { 0:65535 }
+ * string snort.-g: <gname> run snort gid as <gname> group (or gid)
+ after initialization
* string snort.--help-commands: [<module prefix>] output matching
commands { (optional) }
* string snort.--help-config: [<module prefix>] output matching
config options { (optional) }
* string snort.--help-counts: [<module prefix>] output matching peg
counts { (optional) }
+ * implied snort.--help: list command line options
* string snort.--help-module: <module> output description of given
module
* implied snort.--help-modules: list all available modules with
* implied snort.--help-plugins: list all available plugins with
brief help
* implied snort.--help-signals: dump available control signals
+ * implied snort.-H: make hash tables deterministic
* implied snort.--id-subdir: create/use instance subdirectories in
logdir instead of instance filename prefix
* implied snort.--id-zero: use id prefix / subdirectory even with
one packet thread
+ * string snort.-i: <iface>… list of interfaces
+ * port snort.-j: <port> to listen for telnet connections
+ * enum snort.-k = all: <mode> checksum mode; default is all { all|
+ noip|notcp|noudp|noicmp|none }
* implied snort.--list-buffers: output available inspection buffers
* string snort.--list-builtin: <module prefix> output matching
builtin rules { (optional) }
* string snort.--list-modules: [<module type>] list all known
modules of given type { (optional) }
* implied snort.--list-plugins: list all known plugins
+ * string snort.-l: <logdir> log to this directory instead of
+ current directory
+ * string snort.-L: <mode> logging mode (none, dump, pcap, or log_*)
* int snort.--logid: <0xid> log Identifier to uniquely id events
for multiple snorts (same as -G) { 0:65535 }
* string snort.--lua: <chunk> extend/override conf with chunk; may
* implied snort.--markup: output help in asciidoc compatible format
* int snort.--max-packet-threads = 1: <count> configure maximum
number of packet threads (same as -z) { 0: }
+ * implied snort.-M: log messages to syslog (not alerts)
+ * int snort.-m: <umask> set umask = <umask> { 0: }
+ * int snort.-n: <count> stop after count packets { 0: }
* implied snort.--nolock-pidfile: do not try to lock Snort PID file
* implied snort.--nostamps: don’t include timestamps in log file
names
+ * implied snort.-O: obfuscate the logged IP addresses
+ * string snort.-?: <option prefix> output matching command line
+ option quick help (same as --help-options) { (optional) }
* implied snort.--pause: wait for resume/quit command before
processing packets/terminating
* string snort.--pcap-dir: <dir> a directory to recurse to look for
* implied snort.--piglet: enable piglet test harness mode
* string snort.--plugin-path: <path> where to find plugins
* implied snort.--process-all-events: process all action groups
+ * implied snort.-Q: enable inline mode operation
+ * implied snort.-q: quiet mode - Don’t show banner and status
+ report
+ * string snort.-r: <pcap>… (same as --pcap-list)
+ * string snort.-R: <rules> include this rules file in the default
+ policy
* string snort.--rule: <rules> to be added to configuration; may be
repeated
* implied snort.--rule-to-hex: output so rule header to stdout for
* implied snort.--rule-to-text: output plain so rule header to
stdout for text rule on stdin
* string snort.--run-prefix: <pfx> prepend this to each output file
+ * int snort.-s = 1514: <snap> (same as --snaplen); default is 1514
+ { 68:65535 }
* string snort.--script-path: <path> to a luajit script or
directory containing luajit scripts
* implied snort.--shell: enable the interactive command line
-s) { 68:65535 }
* implied snort.--stdin-rules: read rules from stdin until EOF or a
line starting with END is read
+ * string snort.-S: <x=v> set config variable x equal to value v
+ * string snort.-t: <dir> chroots process to <dir> after
+ initialization
* implied snort.--treat-drop-as-alert: converts drop, sdrop, and
reject rules into alert rules during startup
* implied snort.--treat-drop-as-ignore: use drop, sdrop, and reject
rules to ignore session traffic when not inline
+ * implied snort.-T: test and report on the current Snort
+ configuration
+ * string snort.-u: <uname> run snort as <uname> or <uid> after
+ initialization
+ * implied snort.-U: use UTC for timestamps
+ * implied snort.-v: be verbose
* implied snort.--version: show version number (same as -V)
+ * implied snort.-V: (same as --version)
* implied snort.--warn-all: enable all warnings
* implied snort.--warn-conf: warn about configuration issues
* implied snort.--warn-daq: warn about DAQ issues, usually related
Lua config
* implied snort.--warn-vars: warn about variable definition and
usage issues
+ * implied snort.-w: dump 802.11 management and control frames
+ * implied snort.-W: lists available interfaces
* int snort.--x2c: output ASCII char for given hex (see also --c2x)
* string snort.--x2s: output ASCII string for given byte code (see
also --x2c)
- * string snort.-?: <option prefix> output matching command line
- option quick help (same as --help-options) { (optional) }
- * string snort.-A: <mode> set alert mode: none, cmg, or alert_*
- * addr snort.-B = 255.255.255.255/32: <mask> obfuscated IP
- addresses in alerts and packet dumps using CIDR mask
- * implied snort.-C: print out payloads with character data only (no
- hex)
- * implied snort.-D: run Snort in background (daemon) mode
- * int snort.-G: <0xid> (same as --logid) { 0:65535 }
- * implied snort.-H: make hash tables deterministic
- * string snort.-L: <mode> logging mode (none, dump, pcap, or log_*)
- * implied snort.-M: log messages to syslog (not alerts)
- * implied snort.-O: obfuscate the logged IP addresses
- * implied snort.-Q: enable inline mode operation
- * string snort.-R: <rules> include this rules file in the default
- policy
- * string snort.-S: <x=v> set config variable x equal to value v
- * implied snort.-T: test and report on the current Snort
- configuration
- * implied snort.-U: use UTC for timestamps
- * implied snort.-V: (same as --version)
- * implied snort.-W: lists available interfaces
* implied snort.-X: dump the raw packet data starting at the link
layer
- * string snort.-c: <conf> use this configuration
- * implied snort.-d: dump the Application Layer
- * implied snort.-e: display the second layer header info
- * implied snort.-f: turn off fflush() calls after binary log writes
- * string snort.-g: <gname> run snort gid as <gname> group (or gid)
- after initialization
- * string snort.-i: <iface>… list of interfaces
- * port snort.-j: <port> to listen for telnet connections
- * enum snort.-k = all: <mode> checksum mode; default is all { all|
- noip|notcp|noudp|noicmp|none }
- * string snort.-l: <logdir> log to this directory instead of
- current directory
- * int snort.-m: <umask> set umask = <umask> { 0: }
- * int snort.-n: <count> stop after count packets { 0: }
- * implied snort.-q: quiet mode - Don’t show banner and status
- report
- * string snort.-r: <pcap>… (same as --pcap-list)
- * int snort.-s = 1514: <snap> (same as --snaplen); default is 1514
- { 68:65535 }
- * string snort.-t: <dir> chroots process to <dir> after
- initialization
- * string snort.-u: <uname> run snort as <uname> or <uid> after
- initialization
- * implied snort.-v: be verbose
- * implied snort.-w: dump 802.11 management and control frames
* implied snort.-x: same as --pedantic
* implied snort.-y: include year in timestamp in the alert and log
files
secure CRT server version string overflow { 0:255 }
* int ssl.max_heartbeat_length = 0: maximum length of heartbeat
record allowed { 0:65535 }
- * bool ssl.trust_servers = false: disables requirement that
- application (encrypted) data must be observed on both sides
+ * implied ssl_state.client_hello: check for client hello
* implied ssl_state.!client_hello: check for records that are not
client hello
+ * implied ssl_state.client_keyx: check for client keyx
* implied ssl_state.!client_keyx: check for records that are not
client keyx
* implied ssl_state.!server_hello: check for records that are not
server hello
+ * implied ssl_state.server_hello: check for server hello
* implied ssl_state.!server_keyx: check for records that are not
server keyx
+ * implied ssl_state.server_keyx: check for server keyx
* implied ssl_state.!unknown: check for records that are not
unknown
- * implied ssl_state.client_hello: check for client hello
- * implied ssl_state.client_keyx: check for client keyx
- * implied ssl_state.server_hello: check for server hello
- * implied ssl_state.server_keyx: check for server keyx
* implied ssl_state.unknown: check for unknown record
+ * bool ssl.trust_servers = false: disables requirement that
+ application (encrypted) data must be observed on both sides
* implied ssl_version.!sslv2: check for records that are not sslv2
+ * implied ssl_version.sslv2: check for sslv2
* implied ssl_version.!sslv3: check for records that are not sslv3
+ * implied ssl_version.sslv3: check for sslv3
* implied ssl_version.!tls1.0: check for records that are not
tls1.0
+ * implied ssl_version.tls1.0: check for tls1.0
* implied ssl_version.!tls1.1: check for records that are not
tls1.1
+ * implied ssl_version.tls1.1: check for tls1.1
* implied ssl_version.!tls1.2: check for records that are not
tls1.2
- * implied ssl_version.sslv2: check for sslv2
- * implied ssl_version.sslv3: check for sslv3
- * implied ssl_version.tls1.0: check for tls1.0
- * implied ssl_version.tls1.1: check for tls1.1
* implied ssl_version.tls1.2: check for tls1.2
* int stream.file_cache.cleanup_pct = 5: percent of cache to clean
when max_sessions is reached { 1:100 }
sessions tracked before pruning { 2: }
* int stream.file_cache.pruning_timeout = 30: minimum inactive time
before being eligible for pruning { 1: }
+ * bool stream_file.upload = false: indicate file transfer direction
* int stream.icmp_cache.cleanup_pct = 5: percent of cache to clean
when max_sessions is reached { 1:100 }
* int stream.icmp_cache.idle_timeout = 180: maximum inactive time
sessions tracked before pruning { 2: }
* int stream.icmp_cache.pruning_timeout = 30: minimum inactive time
before being eligible for pruning { 1: }
+ * int stream_icmp.session_timeout = 30: session tracking timeout {
+ 1:86400 }
* int stream.ip_cache.cleanup_pct = 5: percent of cache to clean
when max_sessions is reached { 1:100 }
* int stream.ip_cache.idle_timeout = 180: maximum inactive time
sessions tracked before pruning { 2: }
* int stream.ip_cache.pruning_timeout = 30: minimum inactive time
before being eligible for pruning { 1: }
- * int stream.tcp_cache.cleanup_pct = 5: percent of cache to clean
- when max_sessions is reached { 1:100 }
- * int stream.tcp_cache.idle_timeout = 180: maximum inactive time
- before retiring session tracker { 1: }
- * int stream.tcp_cache.max_sessions = 131072: maximum simultaneous
- sessions tracked before pruning { 2: }
- * int stream.tcp_cache.pruning_timeout = 30: minimum inactive time
- before being eligible for pruning { 1: }
- * int stream.udp_cache.cleanup_pct = 5: percent of cache to clean
- when max_sessions is reached { 1:100 }
- * int stream.udp_cache.idle_timeout = 180: maximum inactive time
- before retiring session tracker { 1: }
- * int stream.udp_cache.max_sessions = 65536: maximum simultaneous
- sessions tracked before pruning { 2: }
- * int stream.udp_cache.pruning_timeout = 30: minimum inactive time
- before being eligible for pruning { 1: }
- * int stream.user_cache.cleanup_pct = 5: percent of cache to clean
- when max_sessions is reached { 1:100 }
- * int stream.user_cache.idle_timeout = 180: maximum inactive time
- before retiring session tracker { 1: }
- * int stream.user_cache.max_sessions = 1024: maximum simultaneous
- sessions tracked before pruning { 2: }
- * int stream.user_cache.pruning_timeout = 30: minimum inactive time
- before being eligible for pruning { 1: }
- * bool stream_file.upload = false: indicate file transfer direction
- * int stream_icmp.session_timeout = 30: session tracking timeout {
- 1:86400 }
* int stream_ip.max_frags = 8192: maximum number of simultaneous
fragments being tracked { 1: }
* int stream_ip.max_overlaps = 0: maximum allowed overlaps per
* enum stream_size.~direction: compare applies to the given
direction(s) { either|to_server|to_client|both }
* string stream_size.~range: size for comparison
+ * int stream.tcp_cache.cleanup_pct = 5: percent of cache to clean
+ when max_sessions is reached { 1:100 }
+ * int stream.tcp_cache.idle_timeout = 180: maximum inactive time
+ before retiring session tracker { 1: }
+ * int stream.tcp_cache.max_sessions = 131072: maximum simultaneous
+ sessions tracked before pruning { 2: }
+ * int stream.tcp_cache.pruning_timeout = 30: minimum inactive time
+ before being eligible for pruning { 1: }
* int stream_tcp.flush_factor = 0: flush upon seeing a drop in
segment size after given number of non-decreasing segments { 0: }
* int stream_tcp.footprint = 0: use zero for production, non-zero
segments queued { 0:2048 }
* int stream_tcp.small_segments.maximum_size = 0: limit number of
small segments queued { 0:2048 }
+ * int stream.udp_cache.cleanup_pct = 5: percent of cache to clean
+ when max_sessions is reached { 1:100 }
+ * int stream.udp_cache.idle_timeout = 180: maximum inactive time
+ before retiring session tracker { 1: }
+ * int stream.udp_cache.max_sessions = 65536: maximum simultaneous
+ sessions tracked before pruning { 2: }
+ * int stream.udp_cache.pruning_timeout = 30: minimum inactive time
+ before being eligible for pruning { 1: }
* bool stream_udp.ignore_any_rules = false: process udp content
rules w/o ports only if rules with ports are present
* int stream_udp.session_timeout = 30: session tracking timeout {
1:86400 }
+ * int stream.user_cache.cleanup_pct = 5: percent of cache to clean
+ when max_sessions is reached { 1:100 }
+ * int stream.user_cache.idle_timeout = 180: maximum inactive time
+ before retiring session tracker { 1: }
+ * int stream.user_cache.max_sessions = 1024: maximum simultaneous
+ sessions tracked before pruning { 2: }
+ * int stream.user_cache.pruning_timeout = 30: minimum inactive time
+ before being eligible for pruning { 1: }
* int stream_user.session_timeout = 30: session tracking timeout {
1:86400 }
* int suppress[].gid = 0: rule generator ID { 0: }
* enum suppress[].track: suppress only matching source or
destination addresses { by_src | by_dst }
* int tag.bytes: tag for this many bytes { 1: }
- * int tag.packets: tag this many packets { 1: }
- * int tag.seconds: tag for this many seconds { 1: }
* enum tag.~: log all packets in session or all packets to or from
host { session|host_src|host_dst }
+ * int tag.packets: tag this many packets { 1: }
+ * int tag.seconds: tag for this many seconds { 1: }
+ * string tcp_connector.address: address
+ * port tcp_connector.base_port: base port number
+ * string tcp_connector.connector: connector name
+ * enum tcp_connector.setup: stream establishment { call | answer }
* int telnet.ayt_attack_thresh = -1: alert on this number of
consecutive telnet AYT commands { -1: }
* bool telnet.check_encrypted = false: check for end of encryption
16.10. Counts
-------------
+--------------
* appid.battlefield_flows: count of battle field flows discovered
by appid
appid
* appid.packets: count of packets processed by appid
* appid.pop_flows: count of pop service flows discovered by appid
+ * appid.rsync_flows: count of rsync service flows discovered by
+ appid
* appid.smtp_flows: count of smtp flows discovered by appid
* appid.smtps_flows: count of smtps flows discovered by appid
* appid.ssh_clients: count of ssh clients discovered by appid
* daq.replace: total replace verdicts
* daq.skipped: packets skipped at startup
* daq.whitelist: total whitelist verdicts
+ * dce_smb.aborted sessions: total aborted sessions
* dce_smb.Alter context responses: total connection-oriented alter
context responses
* dce_smb.Alter contexts: total connection-oriented alter contexts
* dce_smb.Auth3s: total connection-oriented auth3s
+ * dce_smb.bad autodetects: total bad autodetects
* dce_smb.Bind acks: total connection-oriented binds acks
* dce_smb.Bind naks: total connection-oriented bind naks
* dce_smb.Binds: total connection-oriented binds
segments reassembled
* dce_smb.Client segs reassembled: total smb client segments
reassembled
+ * dce_smb.events: total events
* dce_smb.Faults: total connection-oriented faults
* dce_smb.Files processed: total smb files processed
- * dce_smb.MS RPC/HTTP PDUs: total connection-oriented MS requests
- to send RPC over HTTP
* dce_smb.Max outstanding requests: total smb maximum outstanding
requests
+ * dce_smb.MS RPC/HTTP PDUs: total connection-oriented MS requests
+ to send RPC over HTTP
* dce_smb.Orphaned: total connection-oriented orphaned
* dce_smb.Other requests: total connection-oriented other requests
* dce_smb.Other responses: total connection-oriented other
responses
- * dce_smb.PDUs: total connection-oriented PDUs
* dce_smb.Packets: total smb packets
+ * dce_smb.PDUs: total connection-oriented PDUs
* dce_smb.Rejects: total connection-oriented rejects
* dce_smb.Request fragments: total connection-oriented request
fragments
reassembled
* dce_smb.Sessions: total smb sessions
* dce_smb.Shutdowns: total connection-oriented shutdowns
- * dce_smb.aborted sessions: total aborted sessions
- * dce_smb.bad autodetects: total bad autodetects
- * dce_smb.events: total events
+ * dce_tcp.aborted sessions: total aborted sessions
* dce_tcp.Alter context responses: total connection-oriented alter
context responses
* dce_tcp.Alter contexts: total connection-oriented alter contexts
* dce_tcp.Auth3s: total connection-oriented auth3s
+ * dce_tcp.bad autodetects: total bad autodetects
* dce_tcp.Bind acks: total connection-oriented binds acks
* dce_tcp.Bind naks: total connection-oriented bind naks
* dce_tcp.Binds: total connection-oriented binds
minimum fragment size
* dce_tcp.Client segs reassembled: total connection-oriented client
segments reassembled
+ * dce_tcp.events: total events
* dce_tcp.Faults: total connection-oriented faults
* dce_tcp.MS RPC/HTTP PDUs: total connection-oriented MS requests
to send RPC over HTTP
* dce_tcp.Server segs reassembled: total connection-oriented server
segments reassembled
* dce_tcp.Shutdowns: total connection-oriented shutdowns
- * dce_tcp.aborted sessions: total aborted sessions
- * dce_tcp.bad autodetects: total bad autodetects
- * dce_tcp.events: total events
* dce_tcp.tcp packets: total tcp packets
* dce_tcp.tcp sessions: total tcp sessions
* detection.alert limit: events previously triggered on same PDU
* detection.file searches: fast pattern searches in file buffer
* detection.header searches: fast pattern searches in header buffer
* detection.key searches: fast pattern searches in key buffer
- * detection.log limit: events queued but not logged
* detection.logged: logged packets
+ * detection.log limit: events queued but not logged
* detection.match limit: fast pattern matches not processed
* detection.passed: passed packets
* detection.pkt searches: fast pattern searches in packet data
* host_tracker.service adds: host service adds
* host_tracker.service finds: host service finds
* host_tracker.service removes: host service removes
+ * http_inspect.chunked: chunked message bodies
* http_inspect.CONNECT requests: CONNECT requests inspected
* http_inspect.DELETE requests: DELETE requests inspected
+ * http_inspect.flows: HTTP connections inspected
* http_inspect.GET requests: GET requests inspected
* http_inspect.HEAD requests: HEAD requests inspected
+ * http_inspect.inspections: total message sections inspected
* http_inspect.OPTIONS requests: OPTIONS requests inspected
+ * http_inspect.other requests: other request methods inspected
* http_inspect.POST requests: POST requests inspected
* http_inspect.PUT requests: PUT requests inspected
- * http_inspect.TRACE requests: TRACE requests inspected
- * http_inspect.URI coding: URIs with character coding problems
- * http_inspect.URI normalizations: URIs needing to be normalization
- * http_inspect.URI path: URIs with path problems
- * http_inspect.chunked: chunked message bodies
- * http_inspect.flows: HTTP connections inspected
- * http_inspect.inspections: total message sections inspected
- * http_inspect.other requests: other request methods inspected
* http_inspect.reassembles: TCP segments combined into HTTP
messages
* http_inspect.request bodies: POST, PUT, and other requests with
* http_inspect.responses: HTTP response messages inspected
* http_inspect.scans: TCP segments scanned looking for HTTP
messages
+ * http_inspect.TRACE requests: TRACE requests inspected
+ * http_inspect.URI coding: URIs with character coding problems
+ * http_inspect.URI normalizations: URIs needing to be normalization
+ * http_inspect.URI path: URIs with path problems
* icmp4.bad checksum: non-zero icmp checksums
* icmp6.bad checksum (ip4): nonzero ipcm4 checksums
* icmp6.bad checksum (ip6): nonzero ipcm6 checksums
* stream.file total prunes: total file sessions pruned
* stream.file uni prunes: file uni sessions pruned
* stream.file user prunes: file sessions pruned for other reasons
+ * stream_icmp.created: icmp session trackers created
* stream.icmp excess prunes: icmp sessions pruned due to excess
* stream.icmp flows: total icmp sessions
+ * stream_icmp.max: max icmp sessions
* stream.icmp memcap prunes: icmp sessions pruned due to memcap
* stream.icmp preemptive prunes: icmp sessions pruned during
preemptive pruning
- * stream.icmp timeout prunes: icmp sessions pruned due to timeout
- * stream.icmp total prunes: total icmp sessions pruned
- * stream.icmp uni prunes: icmp uni sessions pruned
- * stream.icmp user prunes: icmp sessions pruned for other reasons
- * stream.ip excess prunes: ip sessions pruned due to excess
- * stream.ip flows: total ip sessions
- * stream.ip memcap prunes: ip sessions pruned due to memcap
- * stream.ip preemptive prunes: ip sessions pruned during preemptive
- pruning
- * stream.ip timeout prunes: ip sessions pruned due to timeout
- * stream.ip total prunes: total ip sessions pruned
- * stream.ip uni prunes: ip uni sessions pruned
- * stream.ip user prunes: ip sessions pruned for other reasons
- * stream.tcp excess prunes: tcp sessions pruned due to excess
- * stream.tcp flows: total tcp sessions
- * stream.tcp memcap prunes: tcp sessions pruned due to memcap
- * stream.tcp preemptive prunes: tcp sessions pruned during
- preemptive pruning
- * stream.tcp timeout prunes: tcp sessions pruned due to timeout
- * stream.tcp total prunes: total tcp sessions pruned
- * stream.tcp uni prunes: tcp uni sessions pruned
- * stream.tcp user prunes: tcp sessions pruned for other reasons
- * stream.udp excess prunes: udp sessions pruned due to excess
- * stream.udp flows: total udp sessions
- * stream.udp memcap prunes: udp sessions pruned due to memcap
- * stream.udp preemptive prunes: udp sessions pruned during
- preemptive pruning
- * stream.udp timeout prunes: udp sessions pruned due to timeout
- * stream.udp total prunes: total udp sessions pruned
- * stream.udp uni prunes: udp uni sessions pruned
- * stream.udp user prunes: udp sessions pruned for other reasons
- * stream.user excess prunes: user sessions pruned due to excess
- * stream.user flows: total user sessions
- * stream.user memcap prunes: user sessions pruned due to memcap
- * stream.user preemptive prunes: user sessions pruned during
- preemptive pruning
- * stream.user timeout prunes: user sessions pruned due to timeout
- * stream.user total prunes: total user sessions pruned
- * stream.user uni prunes: user uni sessions pruned
- * stream.user user prunes: user sessions pruned for other reasons
- * stream_icmp.created: icmp session trackers created
- * stream_icmp.max: max icmp sessions
* stream_icmp.prunes: icmp session prunes
* stream_icmp.released: icmp session trackers released
* stream_icmp.sessions: total icmp sessions
+ * stream.icmp timeout prunes: icmp sessions pruned due to timeout
* stream_icmp.timeouts: icmp session timeouts
+ * stream.icmp total prunes: total icmp sessions pruned
+ * stream.icmp uni prunes: icmp uni sessions pruned
+ * stream.icmp user prunes: icmp sessions pruned for other reasons
* stream_ip.alerts: alerts generated
* stream_ip.anomalies: anomalies detected
* stream_ip.created: ip session trackers created
* stream_ip.current: current fragments
* stream_ip.discards: fragments discarded
* stream_ip.drops: fragments dropped
- * stream_ip.frag timeouts: datagrams abandoned
+ * stream.ip excess prunes: ip sessions pruned due to excess
+ * stream.ip flows: total ip sessions
* stream_ip.fragmented bytes: total fragmented bytes
+ * stream_ip.frag timeouts: datagrams abandoned
* stream_ip.max frags: max fragments
* stream_ip.max: max ip sessions
+ * stream.ip memcap prunes: ip sessions pruned due to memcap
* stream_ip.memory used: current memory usage in bytes
* stream_ip.nodes deleted: fragments deleted from tracker
* stream_ip.nodes inserted: fragments added to tracker
* stream_ip.overlaps: overlapping fragments
+ * stream.ip preemptive prunes: ip sessions pruned during preemptive
+ pruning
* stream_ip.prunes: ip session prunes
* stream_ip.reassembled bytes: total reassembled bytes
* stream_ip.reassembled: reassembled datagrams
* stream_ip.released: ip session trackers released
* stream_ip.sessions: total ip sessions
+ * stream.ip timeout prunes: ip sessions pruned due to timeout
* stream_ip.timeouts: ip session timeouts
+ * stream.ip total prunes: total ip sessions pruned
* stream_ip.total: total fragments
* stream_ip.trackers added: datagram trackers created
* stream_ip.trackers cleared: datagram trackers cleared
* stream_ip.trackers completed: datagram trackers completed
* stream_ip.trackers freed: datagram trackers released
+ * stream.ip uni prunes: ip uni sessions pruned
+ * stream.ip user prunes: ip sessions pruned for other reasons
* stream_tcp.3way trackers: tcp session tracking started on ack
* stream_tcp.client cleanups: number of times data from server was
flushed when session released
* stream_tcp.discards: tcp packets discarded
* stream_tcp.established: number of sessions currently established
* stream_tcp.events: events generated
+ * stream.tcp excess prunes: tcp sessions pruned due to excess
+ * stream.tcp flows: total tcp sessions
* stream_tcp.gaps: missing data between PDUs
* stream_tcp.ignored: tcp packets ignored
* stream_tcp.initializing: number of sessions currently
* stream_tcp.internal events: 135:X events generated
* stream_tcp.max bytes: number of times the maximum queued byte
limit was reached
+ * stream_tcp.max: max tcp sessions
* stream_tcp.max segs: number of times the maximum queued segment
limit was reached
- * stream_tcp.max: max tcp sessions
+ * stream.tcp memcap prunes: tcp sessions pruned due to memcap
* stream_tcp.memory: current memory in use
* stream_tcp.overlaps: overlapping segments queued
+ * stream.tcp preemptive prunes: tcp sessions pruned during
+ preemptive pruning
* stream_tcp.prunes: tcp session prunes
* stream_tcp.rebuilt buffers: rebuilt PDU sections
* stream_tcp.rebuilt bytes: total rebuilt bytes
* stream_tcp.server cleanups: number of times data from client was
flushed when session released
* stream_tcp.sessions: total tcp sessions
- * stream_tcp.syn trackers: tcp session tracking started on syn
* stream_tcp.syn-ack trackers: tcp session tracking started on
syn-ack
+ * stream_tcp.syn trackers: tcp session tracking started on syn
+ * stream.tcp timeout prunes: tcp sessions pruned due to timeout
* stream_tcp.timeouts: tcp session timeouts
+ * stream.tcp total prunes: total tcp sessions pruned
+ * stream.tcp uni prunes: tcp uni sessions pruned
* stream_tcp.untracked: tcp packets not tracked
+ * stream.tcp user prunes: tcp sessions pruned for other reasons
* stream_udp.created: udp session trackers created
+ * stream.udp excess prunes: udp sessions pruned due to excess
+ * stream.udp flows: total udp sessions
* stream_udp.max: max udp sessions
+ * stream.udp memcap prunes: udp sessions pruned due to memcap
+ * stream.udp preemptive prunes: udp sessions pruned during
+ preemptive pruning
* stream_udp.prunes: udp session prunes
* stream_udp.released: udp session trackers released
* stream_udp.sessions: total udp sessions
+ * stream.udp timeout prunes: udp sessions pruned due to timeout
* stream_udp.timeouts: udp session timeouts
+ * stream.udp total prunes: total udp sessions pruned
+ * stream.udp uni prunes: udp uni sessions pruned
+ * stream.udp user prunes: udp sessions pruned for other reasons
+ * stream.user excess prunes: user sessions pruned due to excess
+ * stream.user flows: total user sessions
+ * stream.user memcap prunes: user sessions pruned due to memcap
+ * stream.user preemptive prunes: user sessions pruned during
+ preemptive pruning
+ * stream.user timeout prunes: user sessions pruned due to timeout
+ * stream.user total prunes: total user sessions pruned
+ * stream.user uni prunes: user uni sessions pruned
+ * stream.user user prunes: user sessions pruned for other reasons
* tcp.bad checksum (ip4): nonzero tcp over ip checksums
* tcp.bad checksum (ip6): nonzero tcp over ipv6 checksums
+ * tcp_connector.messages: total messages
* telnet.packets: total packets
* udp.bad checksum (ip4): nonzero udp over ipv4 checksums
* udp.bad checksum (ip6): nonzero udp over ipv6 checksums
16.11. Generators
-------------
+--------------
* 105: back_orifice
* 106: rpc_decode
* 112: arp_spoof
* 116: arp
* 116: auth
+ * 116: ciscometadata
* 116: decode
* 116: erspan2
* 116: erspan3
16.12. Builtin Rules
-------------
+--------------
* 105:1 (back_orifice) BO traffic detected
* 105:2 (back_orifice) BO client traffic detected
* 116:465 (auth) truncated authentication header
* 116:466 (auth) bad authentication header length
* 116:467 (fabricpath) truncated FabricPath header
- * 116:468 (decode) too many protocols present
+ * 116:468 (ciscometadata) truncated Cisco Metadata header
+ * 116:469 (ciscometadata) invalid Cisco Metadata option length
+ * 116:470 (ciscometadata) invalid Cisco Metadata option type
+ * 116:471 (ciscometadata) invalid Cisco Metadata SGT
+ * 116:472 (decode) too many protocols present
* 119:1 (http_inspect) ascii encoding
* 119:2 (http_inspect) double decoding attack
* 119:3 (http_inspect) u encoding
* 119:73 (http_inspect) Transfer-Encoding did not end with chunked
* 119:74 (http_inspect) Transfer-Encoding with chunked not at end
* 119:75 (http_inspect) Misformatted HTTP traffic
+ * 119:76 (http_inspect) Unsupported Transfer-Encoding or
+ Content-Encoding used
+ * 119:77 (http_inspect) Unknown Transfer-Encoding or
+ Content-Encoding used
+ * 119:78 (http_inspect) Multiple layers of compression encodings
+ applied
* 122:1 (port_scan) TCP portscan
* 122:2 (port_scan) TCP decoy portscan
* 122:3 (port_scan) TCP portsweep
16.13. Command Set
-------------
+--------------
* packet_capture.disable(): stop packet dump
* packet_capture.enable(filter): dump raw packets
16.14. Signals
-------------
+--------------
Important
Signal numbers are for the system that generated this documentation
and are not applicable elsewhere.
- * hosts(16): reload hosts file
+ * hosts(23): reload hosts file
* int(2): shutdown normally
* quit(3): shutdown as if started with --dirty-pig
* reload(1): reload config file
- * rotate(31): rotate stats files
- * stats(30): dump stats to stdout
+ * rotate(12): rotate stats files
+ * stats(10): dump stats to stdout
* term(15): shutdown normally
16.15. Configuration Changes
-------------
+--------------
change -> dynamicdetection ==> 'snort.--plugin_path=<path>'
change -> dynamicengine ==> 'snort.--plugin_path=<path>'
16.16. Module Listing
-------------
+--------------
* ack (ips_option): rule option to match on TCP ack numbers
* active (basic): configure responses
* alert_csv (logger): output event in csv format
* alert_fast (logger): output event with brief text format
* alert_full (logger): output event with full packet dump
+ * alert_sfsocket (logger): output event over socket
* alert_syslog (logger): output event to syslog
* alerts (basic): configure alerts
* appid (inspector): application and service identification
* byte_jump (ips_option): rule option to move the detection cursor
* byte_test (ips_option): rule option to convert data to integer
and compare
+ * ciscometadata (codec): support for cisco metadata
* classifications (basic): define rule categories with priority
* classtype (ips_option): general rule option for rule
classification
* suppress (basic): configure event suppressions
* tag (ips_option): rule option to log additional packets
* tcp (codec): support for transmission control protocol
+ * tcp_connector (connector): implement the tcp stream connector
* telnet (inspector): telnet inspection and normalization
* tos (ips_option): rule option to check type of service field
* ttl (ips_option): rule option to check time to live field
* codec::arp: support for address resolution protocol
* codec::auth: support for IP authentication header
+ * codec::ciscometadata: support for cisco metadata
* codec::erspan2: support for encapsulated remote switched port
analyzer - type 2
* codec::erspan3: support for encapsulated remote switched port
* codec::user: support for user sessions (DLT 230)
* codec::vlan: support for local area network
* connector::file_connector: implement the file based connector
+ * connector::tcp_connector: implement the tcp stream connector
* inspector::appid: application and service identification
* inspector::arp_spoof: detect ARP attacks and anomalies
* inspector::back_orifice: back orifice detection
* logger::alert_csv: output event in csv format
* logger::alert_fast: output event with brief text format
* logger::alert_full: output event with full packet dump
+ * logger::alert_sfsocket: output event over socket
* logger::alert_syslog: output event to syslog
* logger::log_codecs: log protocols in packet by layer
* logger::log_hext: output payload suitable for daq hext
=== New Http Inspector
One of the major undertakings for Snort 3.0 is developing a completely new
-HTTP inspector. It is incomplete right now but you can examine the
-work-in-progress. You can configure it by adding:
+HTTP inspector. You can configure it by adding:
- new_http_inspect = {}
+ http_inspect = {}
to your snort.lua configuration file. Or you can read it in the source code
-under src/service_inspectors/nhttp_inspect.
+under src/service_inspectors/http_inspect.
-The classic HTTP preprocessor is still available in the alpha release as
-http_inspect. It’s probably the better choice for now if you just want to
-do some work and do not feel like experimenting. Be sure not to configure
- both old and new HTTP inspectors at the same time.
+The classic HTTP preprocessor is still available in the alpha release under
+extra. It has been renamed http_server. Be sure not to configure both old
+and new HTTP inspectors at the same time.
So why a new HTTP inspector?
tables where it can be easily reviewed and modified. Many significant
changes can be made just by updating these tables.
-New_http_inspect is the first inspector written specifically for the new
+Http_inspect is the first inspector written specifically for the new
Snort 3.0 architecture. That provides access to one of the very best
-features of Snort 3.0: purely PDU-based inspection. Classic http_inspect
+features of Snort 3.0: purely PDU-based inspection. The classic preprocessor
processes HTTP messages, but even while doing so it is constantly aware of
IP packets and how they divide up the TCP data stream. The same HTTP
message might be processed differently depending on how the sender (bad
guy) divided it up into IP packets.
-New_http_inspect is free of this burden and can focus exclusively on HTTP.
-That makes it much more simple, easier to test, and less prone to false
+Http_inspect is free of this burden and can focus exclusively on HTTP.
+That makes it much simpler, easier to test, and less prone to false
positives. It also greatly reduces the opportunity for adversaries to probe
the inspector for weak spots by adjusting packet boundaries to disguise bad
behavior.
Dealing solely with HTTP messages also opens the door for developing major
-new features. The new_http_inspect design supports true stateful
+new features. The http_inspect design supports true stateful
processing. Want to ask questions that involve both the client request and
the server response? Or different requests in the same session? These
things are possible.
HTTP/1.1, but rather a separate protocol layer that runs under HTTP/1.1 and
on top of TLS or TCP. It’s a perfect fit for the new Snort 3.0 architecture
because a new HTTP/2 inspector would naturally output HTTP/1.1 messages but
-not any underlying packets. Exactly what the new_http_inspect wants to
-input.
+not any underlying packets. Exactly what http_inspect wants to input.
-New_http_inspect is taking a very different approach to HTTP header fields.
-Classic http_inspect divides all the HTTP headers following the start line
+Http_inspect is taking a very different approach to HTTP header fields.
+The classic preprocessor divides all the HTTP headers following the start line
into cookies and everything else. It normalizes the two pieces using a
generic process and puts them in buffers that one can write rules against.
There is some limited support for examining individual headers within the
=== Binder and Wizard
-One of the fundamental differences between Snort and Snort++ concerns configuration related to networks and ports. Here is a brief review of Snort's configuration for network and service related components:
+One of the fundamental differences between Snort and Snort++ concerns configuration
+related to networks and ports. Here is a brief review of Snort's configuration for
+network and service related components:
* Snort's configuration has a default policy and optional policies selected by
VLAN or network (with config binding).
back_orifice
dns
ftp_telnet
- nhttp_inspect
+ http_inspect
rpc_decode
sip
ssh
service_inspectors/ftp_telnet/libftp_telnet.a \
service_inspectors/gtp/libgtp_inspect.a \
service_inspectors/modbus/libmodbus.a \
-service_inspectors/nhttp_inspect/libnhttp_inspect.a \
+service_inspectors/http_inspect/libhttp_inspect.a \
service_inspectors/rpc_decode/librpc_decode.a \
service_inspectors/sip/libsip.a \
service_inspectors/ssh/libssh.a \
SEARCH_SUPPORT_TYPE_UNKNOWN,
};
-// FIXIT-M J probable duplication from nhttp
+// FIXIT-M J probable duplication from new http_inspect
enum HTTP_FIELD_ID
{
REQ_AGENT_FID = 0,
../../../service_inspectors/ftp_telnet/libftp_telnet.a \
../../../service_inspectors/gtp/libgtp_inspect.a \
../../../service_inspectors/modbus/libmodbus.a \
-../../../service_inspectors/nhttp_inspect/libnhttp_inspect.a \
+../../../service_inspectors/http_inspect/libhttp_inspect.a \
../../../service_inspectors/rpc_decode/librpc_decode.a \
../../../service_inspectors/sip/libsip.a \
../../../service_inspectors/ssh/libssh.a \
add_subdirectory(gtp)
add_subdirectory(imap)
add_subdirectory(modbus)
-add_subdirectory(nhttp_inspect)
+add_subdirectory(http_inspect)
add_subdirectory(pop)
add_subdirectory(rpc_decode)
add_subdirectory(sip)
gtp_inspect
imap
modbus
- nhttp_inspect
+ http_inspect
pop
rpc_decode
sip
#libservice_inspectors_a_LIBADD = \
#back_orifice/libback_orifice.a \
#ftp_telnet/libftp_telnet.a \
-#nhttp_inspect/libnhttp_inspect.a \
+#http_inspect/libhttp_inspect.a \
#rpc_decode/librpc_decode.a
#wizard/libwizard.a
gtp \
imap \
modbus \
-nhttp_inspect \
+http_inspect \
pop \
rpc_decode \
sip \
--- /dev/null
+
+set (FILE_LIST
+ ips_http.cc
+ ips_http.h
+ http_inspect.cc
+ http_inspect.h
+ http_msg_section.cc
+ http_msg_section.h
+ http_msg_start.cc
+ http_msg_start.h
+ http_msg_request.cc
+ http_msg_request.h
+ http_msg_status.cc
+ http_msg_status.h
+ http_msg_head_shared.cc
+ http_msg_head_shared_util.cc
+ http_msg_head_shared.h
+ http_msg_header.cc
+ http_msg_header.h
+ http_msg_body.cc
+ http_msg_body.h
+ http_msg_body_chunk.cc
+ http_msg_body_chunk.h
+ http_msg_body_cl.cc
+ http_msg_body_cl.h
+ http_msg_body_old.cc
+ http_msg_body_old.h
+ http_msg_trailer.cc
+ http_msg_trailer.h
+ http_head_norm.cc
+ http_head_norm.h
+ http_uri.cc
+ http_uri.h
+ http_uri_norm.cc
+ http_uri_norm.h
+ http_normalizers.cc
+ http_normalizers.h
+ http_str_to_code.cc
+ http_str_to_code.h
+ http_api.cc
+ http_api.h
+ http_tables.cc
+ http_module.cc
+ http_module.h
+ http_test_input.cc
+ http_test_input.h
+ http_flow_data.cc
+ http_flow_data.h
+ http_transaction.cc
+ http_transaction.h
+ http_test_manager.cc
+ http_test_manager.h
+ http_enum.h
+ http_field.cc
+ http_field.h
+ http_stream_splitter_reassemble.cc
+ http_stream_splitter_scan.cc
+ http_stream_splitter.h
+ http_cutter.cc
+ http_cutter.h
+ http_infractions.h
+ http_event_gen.h
+)
+
+if (STATIC_INSPECTORS)
+ add_library(http_inspect STATIC ${FILE_LIST})
+
+else(STATIC_INSPECTORS)
+ add_shared_library(http_inspect inspectors ${FILE_LIST})
+
+endif(STATIC_INSPECTORS)
+
+add_subdirectory ( test )
+
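Review bot: `add_subdirectory ( test )` at the end of this file is unconditional, whereas the Automake side of the same rename wraps `SUBDIRS = test` in `if BUILD_CPPUTESTS`, so the two build systems disagree on when the unit-test tree is configured; unless `test/CMakeLists.txt` carries its own guard (not visible here), every configure descends into it. Suggest mirroring the Automake condition with the CMake-side unit-test option, e.g. `if (<unit-test option>)` / `add_subdirectory(test)` / `endif()`, using whatever name the top-level CMake build already defines for that switch. As a style point, `else(STATIC_INSPECTORS)` and `endif(STATIC_INSPECTORS)` repeat the condition, which is legacy noise; bare `else()` / `endif()` is the modern form, and `set (FILE_LIST` has a stray space before the parenthesis. Note also that `http_test_input.cc` and `http_test_manager.cc` are listed in `FILE_LIST` and so are compiled into the production inspector library; if that test-input hook is meant to be compiled out of non-test builds, the macro that gates it is not visible in this hunk and is worth confirming.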
--- /dev/null
+file_list = \
+http_inspect.cc http_inspect.h \
+http_msg_section.cc http_msg_section.h \
+http_msg_start.cc http_msg_start.h \
+http_msg_request.cc http_msg_request.h \
+http_msg_status.cc http_msg_status.h \
+http_msg_head_shared.cc http_msg_head_shared_util.cc http_msg_head_shared.h \
+http_msg_header.cc http_msg_header.h \
+http_msg_body.cc http_msg_body.h \
+http_msg_body_cl.cc http_msg_body_cl.h \
+http_msg_body_chunk.cc http_msg_body_chunk.h \
+http_msg_body_old.cc http_msg_body_old.h \
+http_msg_trailer.cc http_msg_trailer.h \
+http_head_norm.cc http_head_norm.h \
+http_uri.cc http_uri.h \
+http_uri_norm.cc http_uri_norm.h \
+http_normalizers.cc http_normalizers.h \
+http_str_to_code.cc http_str_to_code.h \
+http_api.cc http_api.h \
+http_tables.cc \
+http_module.cc http_module.h \
+http_test_input.cc http_test_input.h \
+http_flow_data.cc http_flow_data.h \
+http_transaction.cc http_transaction.h \
+http_stream_splitter_reassemble.cc http_stream_splitter_scan.cc http_stream_splitter.h \
+http_cutter.cc http_cutter.h \
+http_enum.h \
+http_test_manager.cc http_test_manager.h \
+http_field.cc http_field.h \
+http_infractions.h \
+http_event_gen.h \
+ips_http.cc ips_http.h
+
+if STATIC_INSPECTORS
+noinst_LIBRARIES = libhttp_inspect.a
+libhttp_inspect_a_SOURCES = $(file_list)
+
+else
+shlibdir = $(pkglibdir)/inspectors
+shlib_LTLIBRARIES = libhttp_inspect.la
+libhttp_inspect_la_CXXFLAGS = $(AM_CXXFLAGS) -DBUILDING_SO
+libhttp_inspect_la_LDFLAGS = $(AM_LDFLAGS) -export-dynamic -shared
+libhttp_inspect_la_SOURCES = $(file_list)
+
+endif
+
+if BUILD_CPPUTESTS
+SUBDIRS = test
+endif
+
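Review bot: `http_test_input.cc`/`http_test_input.h` and `http_test_manager.cc`/`http_test_manager.h` are part of `file_list` and therefore linked into the shipped `libhttp_inspect.la` (and the static `libhttp_inspect.a`), not only into the `test` subdirectory that this file guards with `if BUILD_CPPUTESTS`. A test-input path in a network inspector is the kind of code a practitioner wants compiled out or hard-disabled in production; whether these sources are gated by a build-type macro cannot be seen from this hunk, so please confirm, and if they are only needed for testing, consider listing them under the same `BUILD_CPPUTESTS` condition or documenting the gate with a comment such as `# test-input hooks: compiled in for all builds, enabled only under <macro>` above `file_list`. Separately, `libhttp_inspect_la_LDFLAGS = $(AM_LDFLAGS) -export-dynamic -shared` exports every symbol from the plugin; if the API is only `snort_plugins`, a linker version script or visibility flags would shrink the exported surface, though that is a broader project-wide choice rather than a defect in this file.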
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_api.cc author Tom Peters <thopeter@cisco.com>
+// http_api.cc author Tom Peters <thopeter@cisco.com>
#include <string.h>
#include <sys/types.h>
-#include "nhttp_enum.h"
-#include "nhttp_inspect.h"
-#include "nhttp_api.h"
+#include "http_enum.h"
+#include "http_inspect.h"
+#include "http_api.h"
-const char* NHttpApi::nhttp_my_name = NHTTP_NAME;
-const char* NHttpApi::nhttp_help = "the new HTTP inspector!";
+const char* HttpApi::http_my_name = HTTP_NAME;
+const char* HttpApi::http_help = "the new HTTP inspector!";
-Inspector* NHttpApi::nhttp_ctor(Module* mod)
+Inspector* HttpApi::http_ctor(Module* mod)
{
- NHttpModule* const nhttp_mod = (NHttpModule*)mod;
- return new NHttpInspect(nhttp_mod->get_once_params());
+ HttpModule* const http_mod = (HttpModule*)mod;
+ return new HttpInspect(http_mod->get_once_params());
}
-const char* NHttpApi::classic_buffer_names[] =
+const char* HttpApi::classic_buffer_names[] =
{
"http_client_body",
"http_cookie",
nullptr
};
-const InspectApi NHttpApi::nhttp_api =
+const InspectApi HttpApi::http_api =
{
{
PT_INSPECTOR,
0,
API_RESERVED,
API_OPTIONS,
- NHttpApi::nhttp_my_name,
- NHttpApi::nhttp_help,
- NHttpApi::nhttp_mod_ctor,
- NHttpApi::nhttp_mod_dtor
+ HttpApi::http_my_name,
+ HttpApi::http_help,
+ HttpApi::http_mod_ctor,
+ HttpApi::http_mod_dtor
},
IT_SERVICE,
(uint16_t)PktType::PDU,
classic_buffer_names,
"http",
- NHttpApi::nhttp_init,
- NHttpApi::nhttp_term,
- NHttpApi::nhttp_tinit,
- NHttpApi::nhttp_tterm,
- NHttpApi::nhttp_ctor,
- NHttpApi::nhttp_dtor,
+ HttpApi::http_init,
+ HttpApi::http_term,
+ HttpApi::http_tinit,
+ HttpApi::http_tterm,
+ HttpApi::http_ctor,
+ HttpApi::http_dtor,
nullptr,
nullptr
};
SO_PUBLIC const BaseApi* snort_plugins[] =
{
- &NHttpApi::nhttp_api.base,
+ &HttpApi::http_api.base,
ips_http_uri,
ips_http_client_body,
ips_http_method,
nullptr
};
#else
-const BaseApi* sin_nhttp = &NHttpApi::nhttp_api.base;
+const BaseApi* sin_http = &HttpApi::http_api.base;
#endif
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_api.h author Tom Peters <thopeter@cisco.com>
+// http_api.h author Tom Peters <thopeter@cisco.com>
-#ifndef NHTTP_API_H
-#define NHTTP_API_H
+#ifndef HTTP_API_H
+#define HTTP_API_H
#include "framework/parameter.h"
#include "framework/module.h"
#include "framework/inspector.h"
-#include "nhttp_module.h"
-#include "nhttp_flow_data.h"
+#include "http_module.h"
+#include "http_flow_data.h"
-class NHttpApi
+class HttpApi
{
public:
- static const InspectApi nhttp_api;
+ static const InspectApi http_api;
static const char* classic_buffer_names[];
private:
- NHttpApi() = delete;
- static Module* nhttp_mod_ctor() { return new NHttpModule; }
- static void nhttp_mod_dtor(Module* m) { delete m; }
- static const char* nhttp_my_name;
- static const char* nhttp_help;
- static void nhttp_init() { NHttpFlowData::init(); }
- static void nhttp_term() { }
- static Inspector* nhttp_ctor(Module* mod);
- static void nhttp_dtor(Inspector* p) { delete p; }
- static void nhttp_tinit() { }
- static void nhttp_tterm() { }
+ HttpApi() = delete;
+ static Module* http_mod_ctor() { return new HttpModule; }
+ static void http_mod_dtor(Module* m) { delete m; }
+ static const char* http_my_name;
+ static const char* http_help;
+ static void http_init() { HttpFlowData::init(); }
+ static void http_term() { }
+ static Inspector* http_ctor(Module* mod);
+ static void http_dtor(Inspector* p) { delete p; }
+ static void http_tinit() { }
+ static void http_tterm() { }
};
#endif
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_cutter.cc author Tom Peters <thopeter@cisco.com>
+// http_cutter.cc author Tom Peters <thopeter@cisco.com>
-#include "nhttp_cutter.h"
+#include "http_cutter.h"
-using namespace NHttpEnums;
+using namespace HttpEnums;
-ScanResult NHttpStartCutter::cut(const uint8_t* buffer, uint32_t length,
- NHttpInfractions& infractions, NHttpEventGen& events, uint32_t, uint32_t)
+ScanResult HttpStartCutter::cut(const uint8_t* buffer, uint32_t length,
+ HttpInfractions& infractions, HttpEventGen& events, uint32_t, uint32_t)
{
for (uint32_t k = 0; k < length; k++)
{
return SCAN_NOTFOUND;
}
-NHttpStartCutter::ValidationResult NHttpRequestCutter::validate(uint8_t octet)
+HttpStartCutter::ValidationResult HttpRequestCutter::validate(uint8_t octet)
{
// Request line must begin with a method. There is no list of all possible methods because
// extension is allowed, so there is no absolute way to tell whether something is a method.
return V_TBD;
}
-NHttpStartCutter::ValidationResult NHttpStatusCutter::validate(uint8_t octet)
+HttpStartCutter::ValidationResult HttpStatusCutter::validate(uint8_t octet)
{
// Status line must begin "HTTP/"
static const int match_size = 5;
return V_TBD;
}
-ScanResult NHttpHeaderCutter::cut(const uint8_t* buffer, uint32_t length,
- NHttpInfractions& infractions, NHttpEventGen& events, uint32_t, uint32_t)
+ScanResult HttpHeaderCutter::cut(const uint8_t* buffer, uint32_t length,
+ HttpInfractions& infractions, HttpEventGen& events, uint32_t, uint32_t)
{
// Header separators: leading \r\n, leading \n, nonleading \r\n\r\n, nonleading \n\r\n,
// nonleading \r\n\n, and nonleading \n\n. The separator itself becomes num_excess which is
return SCAN_NOTFOUND;
}
-ScanResult NHttpBodyClCutter::cut(const uint8_t*, uint32_t length, NHttpInfractions&,
- NHttpEventGen&, uint32_t flow_target, uint32_t flow_max)
+ScanResult HttpBodyClCutter::cut(const uint8_t*, uint32_t length, HttpInfractions&,
+ HttpEventGen&, uint32_t flow_target, uint32_t flow_max)
{
assert(remaining > 0);
}
}
-ScanResult NHttpBodyOldCutter::cut(const uint8_t*, uint32_t, NHttpInfractions&, NHttpEventGen&,
+ScanResult HttpBodyOldCutter::cut(const uint8_t*, uint32_t, HttpInfractions&, HttpEventGen&,
uint32_t flow_target, uint32_t)
{
if (flow_target == 0)
return SCAN_FOUND_PIECE;
}
-ScanResult NHttpBodyChunkCutter::cut(const uint8_t* buffer, uint32_t length,
- NHttpInfractions& infractions, NHttpEventGen& events, uint32_t flow_target, uint32_t)
+ScanResult HttpBodyChunkCutter::cut(const uint8_t* buffer, uint32_t length,
+ HttpInfractions& infractions, HttpEventGen& events, uint32_t flow_target, uint32_t)
{
// Are we skipping through the rest of this chunked body to the trailers and the next message?
const bool discard_mode = (flow_target == 0);
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_cutter.h author Tom Peters <thopeter@cisco.com>
+// http_cutter.h author Tom Peters <thopeter@cisco.com>
-#ifndef NHTTP_CUTTER_H
-#define NHTTP_CUTTER_H
+#ifndef HTTP_CUTTER_H
+#define HTTP_CUTTER_H
#include <assert.h>
-#include "nhttp_enum.h"
-#include "nhttp_infractions.h"
-#include "nhttp_event_gen.h"
+#include "http_enum.h"
+#include "http_infractions.h"
+#include "http_event_gen.h"
//-------------------------------------------------------------------------
-// NHttpCutter class and subclasses
+// HttpCutter class and subclasses
//-------------------------------------------------------------------------
-class NHttpCutter
+class HttpCutter
{
public:
- virtual ~NHttpCutter() = default;
- virtual NHttpEnums::ScanResult cut(const uint8_t* buffer, uint32_t length,
- NHttpInfractions& infractions, NHttpEventGen& events, uint32_t flow_target,
+ virtual ~HttpCutter() = default;
+ virtual HttpEnums::ScanResult cut(const uint8_t* buffer, uint32_t length,
+ HttpInfractions& infractions, HttpEventGen& events, uint32_t flow_target,
uint32_t flow_max) = 0;
uint32_t get_num_flush() const { return num_flush; }
uint32_t get_octets_seen() const { return octets_seen; }
uint32_t num_flush = 0;
};
-class NHttpStartCutter : public NHttpCutter
+class HttpStartCutter : public HttpCutter
{
public:
- NHttpEnums::ScanResult cut(const uint8_t* buffer, uint32_t length,
- NHttpInfractions& infractions, NHttpEventGen& events, uint32_t, uint32_t) override;
+ HttpEnums::ScanResult cut(const uint8_t* buffer, uint32_t length,
+ HttpInfractions& infractions, HttpEventGen& events, uint32_t, uint32_t) override;
uint32_t get_num_excess() const override { return (num_flush > 0) ? num_crlf : 0; }
protected:
bool validated = false;
};
-class NHttpRequestCutter : public NHttpStartCutter
+class HttpRequestCutter : public HttpStartCutter
{
private:
uint32_t octets_checked = 0;
ValidationResult validate(uint8_t octet) override;
};
-class NHttpStatusCutter : public NHttpStartCutter
+class HttpStatusCutter : public HttpStartCutter
{
private:
uint32_t octets_checked = 0;
ValidationResult validate(uint8_t octet) override;
};
-class NHttpHeaderCutter : public NHttpCutter
+class HttpHeaderCutter : public HttpCutter
{
public:
- NHttpEnums::ScanResult cut(const uint8_t* buffer, uint32_t length,
- NHttpInfractions& infractions, NHttpEventGen& events, uint32_t, uint32_t) override;
+ HttpEnums::ScanResult cut(const uint8_t* buffer, uint32_t length,
+ HttpInfractions& infractions, HttpEventGen& events, uint32_t, uint32_t) override;
uint32_t get_num_excess() const override { return (num_flush > 0) ? num_crlf : 0; }
uint32_t get_num_head_lines() const override { return num_head_lines; }
int32_t num_head_lines = 0;
};
-class NHttpBodyClCutter : public NHttpCutter
+class HttpBodyClCutter : public HttpCutter
{
public:
- explicit NHttpBodyClCutter(int64_t expected_length) : remaining(expected_length)
+ explicit HttpBodyClCutter(int64_t expected_length) : remaining(expected_length)
{ assert(remaining > 0); }
- NHttpEnums::ScanResult cut(const uint8_t*, uint32_t length, NHttpInfractions&, NHttpEventGen&,
+ HttpEnums::ScanResult cut(const uint8_t*, uint32_t length, HttpInfractions&, HttpEventGen&,
uint32_t flow_target, uint32_t flow_max) override;
private:
int64_t remaining;
};
-class NHttpBodyOldCutter : public NHttpCutter
+class HttpBodyOldCutter : public HttpCutter
{
public:
- NHttpEnums::ScanResult cut(const uint8_t*, uint32_t, NHttpInfractions&, NHttpEventGen&,
+ HttpEnums::ScanResult cut(const uint8_t*, uint32_t, HttpInfractions&, HttpEventGen&,
uint32_t flow_target, uint32_t) override;
};
-class NHttpBodyChunkCutter : public NHttpCutter
+class HttpBodyChunkCutter : public HttpCutter
{
public:
- NHttpEnums::ScanResult cut(const uint8_t* buffer, uint32_t length,
- NHttpInfractions& infractions, NHttpEventGen& events, uint32_t flow_target, uint32_t)
+ HttpEnums::ScanResult cut(const uint8_t* buffer, uint32_t length,
+ HttpInfractions& infractions, HttpEventGen& events, uint32_t flow_target, uint32_t)
override;
- bool get_is_broken_chunk() const override { return curr_state == NHttpEnums::CHUNK_BAD; }
+ bool get_is_broken_chunk() const override { return curr_state == HttpEnums::CHUNK_BAD; }
uint32_t get_num_good_chunks() const override { return num_good_chunks; }
private:
uint32_t data_seen = 0;
- NHttpEnums::ChunkState curr_state = NHttpEnums::CHUNK_ZEROS;
+ HttpEnums::ChunkState curr_state = HttpEnums::CHUNK_ZEROS;
uint32_t expected = 0;
uint32_t num_zeros = 0;
uint32_t digits_seen = 0;
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_enum.h author Tom Peters <thopeter@cisco.com>
+// http_enum.h author Tom Peters <thopeter@cisco.com>
-#ifndef NHTTP_ENUM_H
-#define NHTTP_ENUM_H
+#ifndef HTTP_ENUM_H
+#define HTTP_ENUM_H
#include <stdint.h>
-namespace NHttpEnums
+namespace HttpEnums
{
static const int MAX_OCTETS = 65535;
static const int DATA_BLOCK_SIZE = 16384;
static const int GZIP_BLOCK_SIZE = 2048;
static const int FINAL_GZIP_BLOCK_SIZE = 2304; // compromise value, too big causes gzip overruns
// too small leaves too many little end sections
-static const uint32_t NHTTP_GID = 119;
+static const uint32_t HTTP_GID = 119;
static const int GZIP_WINDOW_BITS = 31;
static const int DEFLATE_WINDOW_BITS = 15;
static const int MAX_FIELD_NAME_LENGTH = 100;
SEC_BODY_OLD };
// Message buffers available to clients
-// This enum must remain synchronized with NHttpApi::classic_buffer_names[]
-enum NHTTP_BUFFER { NHTTP_BUFFER_CLIENT_BODY = 1, NHTTP_BUFFER_COOKIE, NHTTP_BUFFER_HEADER,
- NHTTP_BUFFER_METHOD, NHTTP_BUFFER_RAW_COOKIE, NHTTP_BUFFER_RAW_HEADER, NHTTP_BUFFER_RAW_URI,
- NHTTP_BUFFER_STAT_CODE, NHTTP_BUFFER_STAT_MSG, NHTTP_BUFFER_URI, NHTTP_BUFFER_VERSION,
- NHTTP_BUFFER_TRAILER, NHTTP_BUFFER_RAW_TRAILER, NHTTP_BUFFER_RAW_REQUEST,
- NHTTP_BUFFER_RAW_STATUS, NHTTP_BUFFER_MAX };
+// This enum must remain synchronized with HttpApi::classic_buffer_names[]
+enum HTTP_BUFFER { HTTP_BUFFER_CLIENT_BODY = 1, HTTP_BUFFER_COOKIE, HTTP_BUFFER_HEADER,
+ HTTP_BUFFER_METHOD, HTTP_BUFFER_RAW_COOKIE, HTTP_BUFFER_RAW_HEADER, HTTP_BUFFER_RAW_URI,
+ HTTP_BUFFER_STAT_CODE, HTTP_BUFFER_STAT_MSG, HTTP_BUFFER_URI, HTTP_BUFFER_VERSION,
+ HTTP_BUFFER_TRAILER, HTTP_BUFFER_RAW_TRAILER, HTTP_BUFFER_RAW_REQUEST,
+ HTTP_BUFFER_RAW_STATUS, HTTP_BUFFER_MAX };
// Peg counts
-// This enum must remain synchronized with NHttpModule::peg_names[] in nhttp_tables.cc
+// This enum must remain synchronized with HttpModule::peg_names[] in http_tables.cc
enum PEG_COUNT { PEG_FLOW = 0, PEG_SCAN, PEG_REASSEMBLE, PEG_INSPECT, PEG_REQUEST, PEG_RESPONSE,
PEG_GET, PEG_HEAD, PEG_POST, PEG_PUT, PEG_DELETE, PEG_CONNECT, PEG_OPTIONS, PEG_TRACE,
PEG_OTHER_METHOD, PEG_REQUEST_BODY, PEG_CHUNKED, PEG_URI_NORM, PEG_URI_PATH, PEG_URI_CODING,
extern const int8_t as_hex[256];
extern const bool token_char[256];
extern const bool is_sp_tab[256];
-} // end namespace NHttpEnums
+} // end namespace HttpEnums
#endif
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_event_gen.h author Tom Peters <thopeter@cisco.com>
+// http_event_gen.h author Tom Peters <thopeter@cisco.com>
-#ifndef NHTTP_EVENT_GEN_H
-#define NHTTP_EVENT_GEN_H
+#ifndef HTTP_EVENT_GEN_H
+#define HTTP_EVENT_GEN_H
#include <assert.h>
#include <bitset>
#include "events/event_queue.h"
-#include "nhttp_enum.h"
+#include "http_enum.h"
#include "utils/util.h"
//-------------------------------------------------------------------------
// Event generator class
//-------------------------------------------------------------------------
-class NHttpEventGen
+class HttpEventGen
{
public:
- virtual ~NHttpEventGen() = default;
+ virtual ~HttpEventGen() = default;
void reset() { events_generated = 0; }
- virtual void create_event(NHttpEnums::EventSid sid)
+ virtual void create_event(HttpEnums::EventSid sid)
{
assert(((int)sid > 0) && ((int)sid <= MAX));
if (!events_generated[sid-1])
{
- SnortEventqAdd(NHttpEnums::NHTTP_GID, (uint32_t)sid);
+ SnortEventqAdd(HttpEnums::HTTP_GID, (uint32_t)sid);
events_generated[sid-1] = true;
}
}
void generate_misformatted_http(const uint8_t* buffer, uint32_t length)
{
if ( SnortStrnStr((const char*)buffer, length, "HTTP/") != nullptr )
- create_event(NHttpEnums::EVENT_MISFORMATTED_HTTP);
+ create_event(HttpEnums::EVENT_MISFORMATTED_HTTP);
else
- create_event(NHttpEnums::EVENT_LOSS_OF_SYNC);
+ create_event(HttpEnums::EVENT_LOSS_OF_SYNC);
}
// The following methods are for convenience of debug and test output only!
((events_generated >> 64) & std::bitset<MAX>(0xFFFFFFFFFFFFFFFF)).to_ulong(); }
private:
- static const int MAX = NHttpEnums::EVENT__MAX_VALUE;
+ static const int MAX = HttpEnums::EVENT__MAX_VALUE;
std::bitset<MAX> events_generated = 0;
};
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_field.cc author Tom Peters <thopeter@cisco.com>
+// http_field.cc author Tom Peters <thopeter@cisco.com>
#include <sys/types.h>
#include <stdio.h>
#include "main/snort_types.h"
-#include "nhttp_enum.h"
-#include "nhttp_test_manager.h"
-#include "nhttp_field.h"
+#include "http_enum.h"
+#include "http_test_manager.h"
+#include "http_field.h"
-using namespace NHttpEnums;
+using namespace HttpEnums;
const Field Field::FIELD_NULL { STAT_NO_SOURCE };
void Field::set(int32_t length_, const uint8_t* start_)
return;
}
// Limit the amount of data printed
- const int32_t print_length = (length <= NHttpTestManager::get_print_amount()) ? length :
- NHttpTestManager::get_print_amount();
+ const int32_t print_length = (length <= HttpTestManager::get_print_amount()) ? length :
+ HttpTestManager::get_print_amount();
for (int32_t k=0; k < print_length; k++)
{
if ((start[k] >= 0x20) && (start[k] <= 0x7E))
fprintf(output, "~");
else if (start[k] == 0xA)
fprintf(output, "^");
- else if (NHttpTestManager::get_print_hex())
+ else if (HttpTestManager::get_print_hex())
fprintf(output, "[%.2x]", (uint8_t)start[k]);
else
fprintf(output, "*");
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_field.h author Tom Peters <thopeter@cisco.com>
+// http_field.h author Tom Peters <thopeter@cisco.com>
-#ifndef NHTTP_FIELD_H
-#define NHTTP_FIELD_H
+#ifndef HTTP_FIELD_H
+#define HTTP_FIELD_H
#include <stdint.h>
#include <stdio.h>
#include <assert.h>
-#include "nhttp_enum.h"
+#include "http_enum.h"
// Individual pieces of the message found during parsing.
// Length values <= 0 are StatusCode values and imply that the start pointer is meaningless.
class Field
{
public:
- int32_t length = NHttpEnums::STAT_NOT_COMPUTE;
+ int32_t length = HttpEnums::STAT_NOT_COMPUTE;
const uint8_t* start = nullptr;
static const Field FIELD_NULL;
Field() = default;
void set(int32_t length_, const uint8_t* start_);
void set(const Field& f);
- void set(NHttpEnums::StatusCode stat_code);
- void set(int32_t length) { set(static_cast<NHttpEnums::StatusCode>(length)); }
+ void set(HttpEnums::StatusCode stat_code);
+ void set(int32_t length) { set(static_cast<HttpEnums::StatusCode>(length)); }
// Only call this method if the field owns the dynamically allocated buffer you are deleting.
// This method is a convenience but you still must know where the buffer came from. Many fields
// refer to static buffers or a subfield of someone else's buffer.
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_flow_data.cc author Tom Peters <thopeter@cisco.com>
+// http_flow_data.cc author Tom Peters <thopeter@cisco.com>
-#include "nhttp_enum.h"
-#include "nhttp_test_manager.h"
-#include "nhttp_flow_data.h"
-#include "nhttp_transaction.h"
+#include "http_enum.h"
+#include "http_test_manager.h"
+#include "http_flow_data.h"
+#include "http_transaction.h"
-using namespace NHttpEnums;
+using namespace HttpEnums;
-unsigned NHttpFlowData::nhttp_flow_id = 0;
+unsigned HttpFlowData::http_flow_id = 0;
#ifdef REG_TEST
-uint64_t NHttpFlowData::instance_count = 0;
+uint64_t HttpFlowData::instance_count = 0;
#endif
-NHttpFlowData::NHttpFlowData() : FlowData(nhttp_flow_id)
+HttpFlowData::HttpFlowData() : FlowData(http_flow_id)
{
#ifdef REG_TEST
- if (NHttpTestManager::use_test_output())
+ if (HttpTestManager::use_test_output())
{
seq_num = ++instance_count;
- if (!NHttpTestManager::use_test_input())
+ if (!HttpTestManager::use_test_input())
{
printf("Flow Data construct %" PRIu64 "\n", seq_num);
fflush(nullptr);
#endif
}
-NHttpFlowData::~NHttpFlowData()
+HttpFlowData::~HttpFlowData()
{
#ifdef REG_TEST
- if (!NHttpTestManager::use_test_input() && NHttpTestManager::use_test_output())
+ if (!HttpTestManager::use_test_input() && HttpTestManager::use_test_output())
{
printf("Flow Data destruct %" PRIu64 "\n", seq_num);
fflush(nullptr);
(section_type[k] != SEC_BODY_OLD))
// Body sections are reassembled in a static buffer
delete[] section_buffer[k];
- NHttpTransaction::delete_transaction(transaction[k]);
+ HttpTransaction::delete_transaction(transaction[k]);
delete cutter[k];
if (compress_stream[k] != nullptr)
{
delete_pipeline();
}
-void NHttpFlowData::half_reset(SourceId source_id)
+void HttpFlowData::half_reset(SourceId source_id)
{
assert((source_id == SRC_CLIENT) || (source_id == SRC_SERVER));
}
}
-void NHttpFlowData::trailer_prep(SourceId source_id)
+void HttpFlowData::trailer_prep(SourceId source_id)
{
type_expected[source_id] = SEC_TRAILER;
compression[source_id] = CMP_NONE;
events[source_id].reset();
}
-bool NHttpFlowData::add_to_pipeline(NHttpTransaction* latest)
+bool HttpFlowData::add_to_pipeline(HttpTransaction* latest)
{
if (pipeline == nullptr)
{
- pipeline = new NHttpTransaction*[MAX_PIPELINE];
+ pipeline = new HttpTransaction*[MAX_PIPELINE];
}
assert(!pipeline_overflow && !pipeline_underflow);
int new_back = (pipeline_back+1) % MAX_PIPELINE;
return true;
}
-NHttpTransaction* NHttpFlowData::take_from_pipeline()
+HttpTransaction* HttpFlowData::take_from_pipeline()
{
assert(!pipeline_underflow);
if (pipeline_back == pipeline_front)
return pipeline[old_front];
}
-void NHttpFlowData::delete_pipeline()
+void HttpFlowData::delete_pipeline()
{
for (int k=pipeline_front; k != pipeline_back; k = (k+1) % MAX_PIPELINE)
{
- NHttpTransaction::delete_transaction(pipeline[k]);
+ HttpTransaction::delete_transaction(pipeline[k]);
}
delete[] pipeline;
}
#ifdef REG_TEST
-void NHttpFlowData::show(FILE* out_file) const
+void HttpFlowData::show(FILE* out_file) const
{
assert(out_file != nullptr);
- fprintf(out_file, "Diagnostic output from NHttpFlowData (Client/Server):\n");
+ fprintf(out_file, "Diagnostic output from HttpFlowData (Client/Server):\n");
fprintf(out_file, "Version ID: %d/%d\n", version_id[0], version_id[1]);
fprintf(out_file, "Method ID: %d\n", method_id);
fprintf(out_file, "Status code: %d\n", status_code_num);
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_flow_data.h author Tom Peters <thopeter@cisco.com>
+// http_flow_data.h author Tom Peters <thopeter@cisco.com>
-#ifndef NHTTP_FLOW_DATA_H
-#define NHTTP_FLOW_DATA_H
+#ifndef HTTP_FLOW_DATA_H
+#define HTTP_FLOW_DATA_H
#include <stdio.h>
#include <zlib.h>
#include "mime/file_mime_process.h"
#include "utils/util_utf.h"
-#include "nhttp_cutter.h"
-#include "nhttp_infractions.h"
-#include "nhttp_event_gen.h"
+#include "http_cutter.h"
+#include "http_infractions.h"
+#include "http_event_gen.h"
-class NHttpTransaction;
+class HttpTransaction;
-class NHttpFlowData : public FlowData
+class HttpFlowData : public FlowData
{
public:
- NHttpFlowData();
- ~NHttpFlowData();
- static unsigned nhttp_flow_id;
- static void init() { nhttp_flow_id = FlowData::get_flow_id(); }
-
- friend class NHttpInspect;
- friend class NHttpMsgSection;
- friend class NHttpMsgStart;
- friend class NHttpMsgRequest;
- friend class NHttpMsgStatus;
- friend class NHttpMsgHeader;
- friend class NHttpMsgHeadShared;
- friend class NHttpMsgTrailer;
- friend class NHttpMsgBody;
- friend class NHttpMsgBodyChunk;
- friend class NHttpMsgBodyCl;
- friend class NHttpMsgBodyOld;
- friend class NHttpStreamSplitter;
- friend class NHttpTransaction;
+ HttpFlowData();
+ ~HttpFlowData();
+ static unsigned http_flow_id;
+ static void init() { http_flow_id = FlowData::get_flow_id(); }
+
+ friend class HttpInspect;
+ friend class HttpMsgSection;
+ friend class HttpMsgStart;
+ friend class HttpMsgRequest;
+ friend class HttpMsgStatus;
+ friend class HttpMsgHeader;
+ friend class HttpMsgHeadShared;
+ friend class HttpMsgTrailer;
+ friend class HttpMsgBody;
+ friend class HttpMsgBodyChunk;
+ friend class HttpMsgBodyCl;
+ friend class HttpMsgBodyOld;
+ friend class HttpStreamSplitter;
+ friend class HttpTransaction;
#ifdef REG_TEST
- friend class NHttpUnitTestSetup;
+ friend class HttpUnitTestSetup;
#endif
private:
// Convenience routines
- void half_reset(NHttpEnums::SourceId source_id);
- void trailer_prep(NHttpEnums::SourceId source_id);
+ void half_reset(HttpEnums::SourceId source_id);
+ void trailer_prep(HttpEnums::SourceId source_id);
// 0 element refers to client request, 1 element refers to server response
// *** StreamSplitter internal data - scan()
- NHttpCutter* cutter[2] = { nullptr, nullptr };
+ HttpCutter* cutter[2] = { nullptr, nullptr };
// *** StreamSplitter internal data - reassemble()
uint8_t* section_buffer[2] = { nullptr, nullptr };
uint32_t section_offset[2] = { 0, 0 };
- NHttpEnums::ChunkState chunk_state[2] = { NHttpEnums::CHUNK_NUMBER, NHttpEnums::CHUNK_NUMBER };
+ HttpEnums::ChunkState chunk_state[2] = { HttpEnums::CHUNK_NUMBER, HttpEnums::CHUNK_NUMBER };
uint32_t chunk_expected_length[2] = { 0, 0 };
// *** StreamSplitter internal data - scan() => reassemble()
uint32_t num_good_chunks[2] = { 0, 0 };
// *** StreamSplitter => Inspector (facts about the most recent message section)
- NHttpEnums::SectionType section_type[2] = { NHttpEnums::SEC__NOT_COMPUTE,
- NHttpEnums::SEC__NOT_COMPUTE };
+ HttpEnums::SectionType section_type[2] = { HttpEnums::SEC__NOT_COMPUTE,
+ HttpEnums::SEC__NOT_COMPUTE };
bool tcp_close[2] = { false, false };
- NHttpInfractions infractions[2];
- NHttpEventGen events[2];
- int32_t num_head_lines[2] = { NHttpEnums::STAT_NOT_PRESENT, NHttpEnums::STAT_NOT_PRESENT };
+ HttpInfractions infractions[2];
+ HttpEventGen events[2];
+ int32_t num_head_lines[2] = { HttpEnums::STAT_NOT_PRESENT, HttpEnums::STAT_NOT_PRESENT };
// *** Inspector => StreamSplitter (facts about the message section that is coming next)
- NHttpEnums::SectionType type_expected[2] = { NHttpEnums::SEC_REQUEST, NHttpEnums::SEC_STATUS };
+ HttpEnums::SectionType type_expected[2] = { HttpEnums::SEC_REQUEST, HttpEnums::SEC_STATUS };
// length of the data from Content-Length field
- int64_t data_length[2] = { NHttpEnums::STAT_NOT_PRESENT, NHttpEnums::STAT_NOT_PRESENT };
+ int64_t data_length[2] = { HttpEnums::STAT_NOT_PRESENT, HttpEnums::STAT_NOT_PRESENT };
uint32_t section_size_target[2] = { 0, 0 };
uint32_t section_size_max[2] = { 0, 0 };
- NHttpEnums::CompressId compression[2] = { NHttpEnums::CMP_NONE, NHttpEnums::CMP_NONE };
+ HttpEnums::CompressId compression[2] = { HttpEnums::CMP_NONE, HttpEnums::CMP_NONE };
z_stream* compress_stream[2] = { nullptr, nullptr };
uint64_t zero_nine_expected = 0;
// *** Inspector's internal data about the current message
- NHttpEnums::VersionId version_id[2] = { NHttpEnums::VERS__NOT_PRESENT,
- NHttpEnums::VERS__NOT_PRESENT };
- NHttpEnums::MethodId method_id = NHttpEnums::METH__NOT_PRESENT;
- int32_t status_code_num = NHttpEnums::STAT_NOT_PRESENT;
- int64_t file_depth_remaining[2] = { NHttpEnums::STAT_NOT_PRESENT,
- NHttpEnums::STAT_NOT_PRESENT };
- int64_t detect_depth_remaining[2] = { NHttpEnums::STAT_NOT_PRESENT,
- NHttpEnums::STAT_NOT_PRESENT };
+ HttpEnums::VersionId version_id[2] = { HttpEnums::VERS__NOT_PRESENT,
+ HttpEnums::VERS__NOT_PRESENT };
+ HttpEnums::MethodId method_id = HttpEnums::METH__NOT_PRESENT;
+ int32_t status_code_num = HttpEnums::STAT_NOT_PRESENT;
+ int64_t file_depth_remaining[2] = { HttpEnums::STAT_NOT_PRESENT,
+ HttpEnums::STAT_NOT_PRESENT };
+ int64_t detect_depth_remaining[2] = { HttpEnums::STAT_NOT_PRESENT,
+ HttpEnums::STAT_NOT_PRESENT };
MimeSession* mime_state = nullptr; // SRC_CLIENT only
UtfDecodeSession* utf_state = nullptr; //SRC_SERVER only
uint64_t expected_trans_num[2] = { 1, 1 };
// number of user data octets seen so far (regular body or chunks)
- int64_t body_octets[2] = { NHttpEnums::STAT_NOT_PRESENT, NHttpEnums::STAT_NOT_PRESENT };
+ int64_t body_octets[2] = { HttpEnums::STAT_NOT_PRESENT, HttpEnums::STAT_NOT_PRESENT };
// Transaction management including pipelining
// FIXIT-L pipeline deserves to be its own class
- NHttpTransaction* transaction[2] = { nullptr, nullptr };
+ HttpTransaction* transaction[2] = { nullptr, nullptr };
static const int MAX_PIPELINE = 100; // requests seen - responses seen <= MAX_PIPELINE
- NHttpTransaction** pipeline = nullptr;
+ HttpTransaction** pipeline = nullptr;
int pipeline_front = 0;
int pipeline_back = 0;
bool pipeline_overflow = false;
bool pipeline_underflow = false;
- bool add_to_pipeline(NHttpTransaction* latest);
- NHttpTransaction* take_from_pipeline();
+ bool add_to_pipeline(HttpTransaction* latest);
+ HttpTransaction* take_from_pipeline();
void delete_pipeline();
#ifdef REG_TEST
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_head_norm.cc author Tom Peters <thopeter@cisco.com>
+// http_head_norm.cc author Tom Peters <thopeter@cisco.com>
#include <assert.h>
#include <string.h>
#include "main/snort_types.h"
-#include "nhttp_enum.h"
-#include "nhttp_str_to_code.h"
-#include "nhttp_head_norm.h"
+#include "http_enum.h"
+#include "http_str_to_code.h"
+#include "http_head_norm.h"
-using namespace NHttpEnums;
+using namespace HttpEnums;
// This derivation removes embedded CRLFs (wrapping), omits leading and trailing linear white
// space, and replaces internal strings of <SP> and <LF> with a single <SP>
// This method normalizes the header field value for headId.
void HeaderNormalizer::normalize(const HeaderId head_id, const int count,
- NHttpInfractions& infractions, NHttpEventGen& events, const HeaderId header_name_id[],
+ HttpInfractions& infractions, HttpEventGen& events, const HeaderId header_name_id[],
const Field header_value[], const int32_t num_headers, Field& result_field) const
{
if (result_field.length != STAT_NOT_COMPUTE)
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_head_norm.h author Tom Peters <thopeter@cisco.com>
+// http_head_norm.h author Tom Peters <thopeter@cisco.com>
-#ifndef NHTTP_HEAD_NORM_H
-#define NHTTP_HEAD_NORM_H
+#ifndef HTTP_HEAD_NORM_H
+#define HTTP_HEAD_NORM_H
-#include "nhttp_field.h"
-#include "nhttp_infractions.h"
-#include "nhttp_normalizers.h"
+#include "http_field.h"
+#include "http_infractions.h"
+#include "http_normalizers.h"
//-------------------------------------------------------------------------
// HeaderNormalizer class
num_normalizers((f1 != nullptr) + (f1 != nullptr)*(f2 != nullptr) + (f1 != nullptr)*(f2 !=
nullptr)*(f3 != nullptr)) { }
- void normalize(const NHttpEnums::HeaderId head_id, const int count,
- NHttpInfractions& infractions, NHttpEventGen& events,
- const NHttpEnums::HeaderId header_name_id[], const Field header_value[],
+ void normalize(const HttpEnums::HeaderId head_id, const int count,
+ HttpInfractions& infractions, HttpEventGen& events,
+ const HttpEnums::HeaderId header_name_id[], const Field header_value[],
const int32_t num_headers, Field& result_field) const;
private:
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_infractions.h author Tom Peters <thopeter@cisco.com>
+// http_infractions.h author Tom Peters <thopeter@cisco.com>
-#ifndef NHTTP_INFRACTIONS_H
-#define NHTTP_INFRACTIONS_H
+#ifndef HTTP_INFRACTIONS_H
+#define HTTP_INFRACTIONS_H
#include <assert.h>
#include <bitset>
-#include "nhttp_enum.h"
+#include "http_enum.h"
//-------------------------------------------------------------------------
// Infractions class
//-------------------------------------------------------------------------
-class NHttpInfractions
+class HttpInfractions
{
public:
- NHttpInfractions() { }
- NHttpInfractions(int inf) { assert((inf >= 0) && (inf < MAX)); infractions[inf] = true; }
+ HttpInfractions() { }
+ HttpInfractions(int inf) { assert((inf >= 0) && (inf < MAX)); infractions[inf] = true; }
void reset() { infractions = 0; }
bool none_found() const { return infractions == 0; }
- NHttpInfractions& operator+=(const NHttpInfractions& rhs)
+ HttpInfractions& operator+=(const HttpInfractions& rhs)
{ infractions |= rhs.infractions; return *this; }
- friend NHttpInfractions operator+(NHttpInfractions lhs, const NHttpInfractions& rhs)
+ friend HttpInfractions operator+(HttpInfractions lhs, const HttpInfractions& rhs)
{ lhs += rhs; return lhs; }
- friend bool operator&(const NHttpInfractions& lhs, const NHttpInfractions& rhs)
+ friend bool operator&(const HttpInfractions& lhs, const HttpInfractions& rhs)
{ return (lhs.infractions & rhs.infractions) != 0; }
// The following methods are for convenience of debug and test output only!
((infractions >> 64) & std::bitset<MAX>(0xFFFFFFFFFFFFFFFF)).to_ulong(); }
private:
- static const int MAX = NHttpEnums::INF__MAX_VALUE;
+ static const int MAX = HttpEnums::INF__MAX_VALUE;
std::bitset<MAX> infractions = 0;
};
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_inspect.cc author Tom Peters <thopeter@cisco.com>
+// http_inspect.cc author Tom Peters <thopeter@cisco.com>
-#include "nhttp_inspect.h"
+#include "http_inspect.h"
#include <assert.h>
#include <stdio.h>
#include "main/snort_types.h"
#include "stream/stream_api.h"
-#include "nhttp_enum.h"
-#include "nhttp_msg_request.h"
-#include "nhttp_msg_status.h"
-#include "nhttp_msg_header.h"
-#include "nhttp_msg_body.h"
-#include "nhttp_msg_body_chunk.h"
-#include "nhttp_msg_body_cl.h"
-#include "nhttp_msg_body_old.h"
-#include "nhttp_msg_trailer.h"
-#include "nhttp_test_manager.h"
-#include "nhttp_field.h"
-
-using namespace NHttpEnums;
-
-NHttpInspect::NHttpInspect(const NHttpParaList* params_) : params(params_)
+#include "http_enum.h"
+#include "http_msg_request.h"
+#include "http_msg_status.h"
+#include "http_msg_header.h"
+#include "http_msg_body.h"
+#include "http_msg_body_chunk.h"
+#include "http_msg_body_cl.h"
+#include "http_msg_body_old.h"
+#include "http_msg_trailer.h"
+#include "http_test_manager.h"
+#include "http_field.h"
+
+using namespace HttpEnums;
+
+HttpInspect::HttpInspect(const HttpParaList* params_) : params(params_)
{
#ifdef REG_TEST
if (params->test_input)
{
- NHttpTestManager::activate_test_input();
+ HttpTestManager::activate_test_input();
}
if (params->test_output)
{
- NHttpTestManager::activate_test_output();
+ HttpTestManager::activate_test_output();
}
- NHttpTestManager::set_print_amount(params->print_amount);
- NHttpTestManager::set_print_hex(params->print_hex);
- NHttpTestManager::set_show_pegs(params->show_pegs);
+ HttpTestManager::set_print_amount(params->print_amount);
+ HttpTestManager::set_print_hex(params->print_hex);
+ HttpTestManager::set_show_pegs(params->show_pegs);
#endif
}
-THREAD_LOCAL uint8_t NHttpInspect::body_buffer[MAX_OCTETS];
+THREAD_LOCAL uint8_t HttpInspect::body_buffer[MAX_OCTETS];
-SO_PUBLIC THREAD_LOCAL NHttpMsgSection* NHttpInspect::latest_section = nullptr;
+THREAD_LOCAL HttpMsgSection* HttpInspect::latest_section = nullptr;
-NHttpEnums::InspectSection NHttpInspect::get_latest_is()
+HttpEnums::InspectSection HttpInspect::get_latest_is()
{
return (latest_section != nullptr) ?
- latest_section->get_inspection_section() : NHttpEnums::IS_NONE;
+ latest_section->get_inspection_section() : HttpEnums::IS_NONE;
}
-bool NHttpInspect::get_buf(InspectionBuffer::Type ibt, Packet*, InspectionBuffer& b)
+bool HttpInspect::get_buf(InspectionBuffer::Type ibt, Packet*, InspectionBuffer& b)
{
switch (ibt)
{
case InspectionBuffer::IBT_KEY:
- return nhttp_get_buf(NHTTP_BUFFER_URI, 0, 0, nullptr, b);
+ return http_get_buf(HTTP_BUFFER_URI, 0, 0, nullptr, b);
case InspectionBuffer::IBT_HEADER:
if (get_latest_is() == IS_TRAILER)
- return nhttp_get_buf(NHTTP_BUFFER_TRAILER, 0, 0, nullptr, b);
+ return http_get_buf(HTTP_BUFFER_TRAILER, 0, 0, nullptr, b);
else
- return nhttp_get_buf(NHTTP_BUFFER_HEADER, 0, 0, nullptr, b);
+ return http_get_buf(HTTP_BUFFER_HEADER, 0, 0, nullptr, b);
case InspectionBuffer::IBT_BODY:
- return nhttp_get_buf(NHTTP_BUFFER_CLIENT_BODY, 0, 0, nullptr, b);
+ return http_get_buf(HTTP_BUFFER_CLIENT_BODY, 0, 0, nullptr, b);
default:
return false;
}
}
-SO_PUBLIC bool NHttpInspect::nhttp_get_buf(unsigned id, uint64_t sub_id, uint64_t form, Packet*,
+bool HttpInspect::http_get_buf(unsigned id, uint64_t sub_id, uint64_t form, Packet*,
InspectionBuffer& b)
{
if (latest_section == nullptr)
return true;
}
-bool NHttpInspect::get_fp_buf(InspectionBuffer::Type ibt, Packet*, InspectionBuffer& b)
+bool HttpInspect::get_fp_buf(InspectionBuffer::Type ibt, Packet*, InspectionBuffer& b)
{
// Fast pattern buffers only supplied at specific times
switch (ibt)
return get_buf(ibt, nullptr, b);
}
-const Field& NHttpInspect::process(const uint8_t* data, const uint16_t dsize, Flow* const flow,
+const Field& HttpInspect::process(const uint8_t* data, const uint16_t dsize, Flow* const flow,
SourceId source_id, bool buf_owner) const
{
- NHttpFlowData* session_data = (NHttpFlowData*)flow->get_application_data(
- NHttpFlowData::nhttp_flow_id);
+ HttpFlowData* session_data = (HttpFlowData*)flow->get_application_data(
+ HttpFlowData::http_flow_id);
assert(session_data != nullptr);
- NHttpModule::increment_peg_counts(PEG_INSPECT);
+ HttpModule::increment_peg_counts(PEG_INSPECT);
switch (session_data->section_type[source_id])
{
case SEC_REQUEST:
- latest_section = new NHttpMsgRequest(
+ latest_section = new HttpMsgRequest(
data, dsize, session_data, source_id, buf_owner, flow, params);
break;
case SEC_STATUS:
- latest_section = new NHttpMsgStatus(
+ latest_section = new HttpMsgStatus(
data, dsize, session_data, source_id, buf_owner, flow, params);
break;
case SEC_HEADER:
- latest_section = new NHttpMsgHeader(
+ latest_section = new HttpMsgHeader(
data, dsize, session_data, source_id, buf_owner, flow, params);
break;
case SEC_BODY_CL:
- latest_section = new NHttpMsgBodyCl(
+ latest_section = new HttpMsgBodyCl(
data, dsize, session_data, source_id, buf_owner, flow, params);
break;
case SEC_BODY_OLD:
- latest_section = new NHttpMsgBodyOld(
+ latest_section = new HttpMsgBodyOld(
data, dsize, session_data, source_id, buf_owner, flow, params);
break;
case SEC_BODY_CHUNK:
- latest_section = new NHttpMsgBodyChunk(
+ latest_section = new HttpMsgBodyChunk(
data, dsize, session_data, source_id, buf_owner, flow, params);
break;
case SEC_TRAILER:
- latest_section = new NHttpMsgTrailer(
+ latest_section = new HttpMsgTrailer(
data, dsize, session_data, source_id, buf_owner, flow, params);
break;
default:
latest_section->update_flow();
#ifdef REG_TEST
- if (NHttpTestManager::use_test_output())
+ if (HttpTestManager::use_test_output())
{
- latest_section->print_section(NHttpTestManager::get_output_file());
- fflush(NHttpTestManager::get_output_file());
- if (NHttpTestManager::use_test_input())
+ latest_section->print_section(HttpTestManager::get_output_file());
+ fflush(HttpTestManager::get_output_file());
+ if (HttpTestManager::use_test_input())
{
printf("Finished processing section from test %" PRIi64 "\n",
- NHttpTestManager::get_test_number());
+ HttpTestManager::get_test_number());
}
fflush(stdout);
}
return latest_section->get_detect_buf();
}
-void NHttpInspect::clear(Packet* p)
+void HttpInspect::clear(Packet* p)
{
latest_section = nullptr;
- NHttpFlowData* session_data =
- (NHttpFlowData*)p->flow->get_application_data(NHttpFlowData::nhttp_flow_id);
+ HttpFlowData* session_data =
+ (HttpFlowData*)p->flow->get_application_data(HttpFlowData::http_flow_id);
if (session_data == nullptr)
return;
clear(session_data, source_id);
}
-void NHttpInspect::clear(NHttpFlowData* session_data, SourceId source_id)
+void HttpInspect::clear(HttpFlowData* session_data, SourceId source_id)
{
latest_section = nullptr;
if ((source_id == SRC_SERVER) && (session_data->type_expected[SRC_SERVER] == SEC_STATUS) &&
session_data->transaction[SRC_SERVER]->final_response())
{
- NHttpTransaction::delete_transaction(session_data->transaction[SRC_SERVER]);
+ HttpTransaction::delete_transaction(session_data->transaction[SRC_SERVER]);
session_data->transaction[SRC_SERVER] = nullptr;
}
else
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_inspect.h author Tom Peters <thopeter@cisco.com>
+// http_inspect.h author Tom Peters <thopeter@cisco.com>
-#ifndef NHTTP_INSPECT_H
-#define NHTTP_INSPECT_H
+#ifndef HTTP_INSPECT_H
+#define HTTP_INSPECT_H
//-------------------------------------------------------------------------
-// NHttpInspect class
+// HttpInspect class
//-------------------------------------------------------------------------
#include "log/messages.h"
-#include "nhttp_enum.h"
-#include "nhttp_field.h"
-#include "nhttp_module.h"
-#include "nhttp_msg_section.h"
-#include "nhttp_stream_splitter.h"
+#include "http_enum.h"
+#include "http_field.h"
+#include "http_module.h"
+#include "http_msg_section.h"
+#include "http_stream_splitter.h"
-class NHttpApi;
+class HttpApi;
-class NHttpInspect : public Inspector
+class HttpInspect : public Inspector
{
public:
- static THREAD_LOCAL uint8_t body_buffer[NHttpEnums::MAX_OCTETS];
+ static THREAD_LOCAL uint8_t body_buffer[HttpEnums::MAX_OCTETS];
- NHttpInspect(const NHttpParaList* params_);
- ~NHttpInspect() { delete params; }
+ HttpInspect(const HttpParaList* params_);
+ ~HttpInspect() { delete params; }
bool get_buf(InspectionBuffer::Type ibt, Packet*, InspectionBuffer& b) override;
- bool nhttp_get_buf(unsigned id, uint64_t sub_id, uint64_t form, Packet*, InspectionBuffer& b);
+ bool http_get_buf(unsigned id, uint64_t sub_id, uint64_t form, Packet*, InspectionBuffer& b);
bool get_fp_buf(InspectionBuffer::Type ibt, Packet*, InspectionBuffer& b) override;
bool configure(SnortConfig*) override { return true; }
- void show(SnortConfig*) override { LogMessage("NHttpInspect\n"); }
+ void show(SnortConfig*) override { LogMessage("HttpInspect\n"); }
void eval(Packet*) override { }
void clear(Packet* p) override;
void tinit() override { }
void tterm() override { }
- NHttpStreamSplitter* get_splitter(bool is_client_to_server) override
+ HttpStreamSplitter* get_splitter(bool is_client_to_server) override
{
- return new NHttpStreamSplitter(is_client_to_server, this);
+ return new HttpStreamSplitter(is_client_to_server, this);
}
- SO_PUBLIC static NHttpEnums::InspectSection get_latest_is();
+ static HttpEnums::InspectSection get_latest_is();
private:
- friend NHttpApi;
- friend NHttpStreamSplitter;
+ friend HttpApi;
+ friend HttpStreamSplitter;
const Field& process(const uint8_t* data, const uint16_t dsize, Flow* const flow,
- NHttpEnums::SourceId source_id_, bool buf_owner) const;
- void clear(NHttpFlowData* session_data, NHttpEnums::SourceId source_id);
- static NHttpEnums::SourceId get_latest_src() { return (latest_section != nullptr) ?
- latest_section->get_source_id() : NHttpEnums::SRC__NOT_COMPUTE; }
+ HttpEnums::SourceId source_id_, bool buf_owner) const;
+ void clear(HttpFlowData* session_data, HttpEnums::SourceId source_id);
+ static HttpEnums::SourceId get_latest_src() { return (latest_section != nullptr) ?
+ latest_section->get_source_id() : HttpEnums::SRC__NOT_COMPUTE; }
- static THREAD_LOCAL NHttpMsgSection* latest_section;
+ static THREAD_LOCAL HttpMsgSection* latest_section;
- const NHttpParaList* const params;
+ const HttpParaList* const params;
};
#endif
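Review bot: The `SO_PUBLIC` qualifier on `get_latest_is()` is dropped along with the rename (`static HttpEnums::InspectSection get_latest_is();`), which is a symbol-visibility change rather than a rename and is not mentioned elsewhere in the diff. If any dynamically loaded plugin or IPS option compiled outside this library resolves that symbol, the load will fail at runtime rather than at build time, so it is worth confirming that every caller is now in-tree. If the removal is intentional, a short comment on the declaration such as `// no longer exported: only used within the inspector library` would document it; otherwise restore `SO_PUBLIC static HttpEnums::InspectSection get_latest_is();`. The remaining changes in this header appear to be a mechanical NHttp→Http rename.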
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_module.cc author Tom Peters <thopeter@cisco.com>
+// http_module.cc author Tom Peters <thopeter@cisco.com>
#include <string.h>
#include <sys/types.h>
#include "log/messages.h"
-#include "nhttp_uri_norm.h"
-#include "nhttp_module.h"
+#include "http_uri_norm.h"
+#include "http_module.h"
-using namespace NHttpEnums;
+using namespace HttpEnums;
-const Parameter NHttpModule::nhttp_params[] =
+const Parameter HttpModule::http_params[] =
{
{ "request_depth", Parameter::PT_INT, "-1:", "-1",
"maximum request message body bytes to examine (-1 no limit)" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
-THREAD_LOCAL PegCount NHttpModule::peg_counts[PEG_COUNT_MAX] = { 0 };
+THREAD_LOCAL PegCount HttpModule::peg_counts[PEG_COUNT_MAX] = { 0 };
-bool NHttpModule::begin(const char*, int, SnortConfig*)
+bool HttpModule::begin(const char*, int, SnortConfig*)
{
delete params;
- params = new NHttpParaList;
+ params = new HttpParaList;
return true;
}
-bool NHttpModule::set(const char*, Value& val, SnortConfig*)
+bool HttpModule::set(const char*, Value& val, SnortConfig*)
{
if (val.is("request_depth"))
{
return true;
}
-bool NHttpModule::end(const char*, int, SnortConfig*)
+bool HttpModule::end(const char*, int, SnortConfig*)
{
if (!params->uri_param.utf8 && params->uri_param.utf8_bare_byte)
{
}
// Some values in these tables may be changed by configuration parameters.
-NHttpParaList::UriParam::UriParam() :
+HttpParaList::UriParam::UriParam() :
// Characters that should not be percent-encoded
// 0-9, a-z, A-Z, tilde, period, underscore, and minus
// Initializer string for std::bitset is in reverse order. The first character is element 255
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_module.h author Tom Peters <thopeter@cisco.com>
+// http_module.h author Tom Peters <thopeter@cisco.com>
-#ifndef NHTTP_MODULE_H
-#define NHTTP_MODULE_H
+#ifndef HTTP_MODULE_H
+#define HTTP_MODULE_H
#include <string>
#include <bitset>
#include "framework/module.h"
-#include "nhttp_enum.h"
+#include "http_enum.h"
-#define NHTTP_NAME "http_inspect"
-#define NHTTP_HELP "HTTP inspector"
+#define HTTP_NAME "http_inspect"
+#define HTTP_HELP "HTTP inspector"
-struct NHttpParaList
+struct HttpParaList
{
public:
long request_depth;
bool simplify_path = true;
std::bitset<256> bad_characters;
std::bitset<256> unreserved_char;
- NHttpEnums::CharAction uri_char[256];
+ HttpEnums::CharAction uri_char[256];
};
UriParam uri_param;
#ifdef REG_TEST
#endif
};
-class NHttpModule : public Module
+class HttpModule : public Module
{
public:
- NHttpModule() : Module(NHTTP_NAME, NHTTP_HELP, nhttp_params) { }
- ~NHttpModule() { delete params; }
+ HttpModule() : Module(HTTP_NAME, HTTP_HELP, http_params) { }
+ ~HttpModule() { delete params; }
bool begin(const char*, int, SnortConfig*) override;
bool end(const char*, int, SnortConfig*) override;
bool set(const char*, Value&, SnortConfig*) override;
- unsigned get_gid() const override { return NHttpEnums::NHTTP_GID; }
- const RuleMap* get_rules() const override { return nhttp_events; }
- const NHttpParaList* get_once_params()
+ unsigned get_gid() const override { return HttpEnums::HTTP_GID; }
+ const RuleMap* get_rules() const override { return http_events; }
+ const HttpParaList* get_once_params()
{
- NHttpParaList* ret_val = params;
+ HttpParaList* ret_val = params;
params = nullptr;
return ret_val;
}
const PegInfo* get_pegs() const override { return peg_names; }
PegCount* get_counts() const override { return peg_counts; }
- static void increment_peg_counts(NHttpEnums::PEG_COUNT counter)
+ static void increment_peg_counts(HttpEnums::PEG_COUNT counter)
{ peg_counts[counter]++; return; }
#ifdef REG_TEST
static const PegCount* get_peg_counts() { return peg_counts; }
static void reset_peg_counts()
{
- for (unsigned k=0; k < NHttpEnums::PEG_COUNT_MAX; peg_counts[k++] = 0);
+ for (unsigned k=0; k < HttpEnums::PEG_COUNT_MAX; peg_counts[k++] = 0);
}
#endif
private:
- static const Parameter nhttp_params[];
- static const RuleMap nhttp_events[];
- NHttpParaList* params = nullptr;
+ static const Parameter http_params[];
+ static const RuleMap http_events[];
+ HttpParaList* params = nullptr;
static const PegInfo peg_names[];
static THREAD_LOCAL PegCount peg_counts[];
};
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_msg_body.cc author Tom Peters <thopeter@cisco.com>
+// http_msg_body.cc author Tom Peters <thopeter@cisco.com>
#include <string.h>
#include <sys/types.h>
#include "file_api/file_flows.h"
#include "mime/file_mime_process.h"
-#include "nhttp_enum.h"
-#include "nhttp_api.h"
-#include "nhttp_msg_request.h"
-#include "nhttp_msg_body.h"
+#include "http_enum.h"
+#include "http_api.h"
+#include "http_msg_request.h"
+#include "http_msg_body.h"
-using namespace NHttpEnums;
+using namespace HttpEnums;
-NHttpMsgBody::NHttpMsgBody(const uint8_t* buffer, const uint16_t buf_size,
- NHttpFlowData* session_data_, SourceId source_id_, bool buf_owner, Flow* flow_,
- const NHttpParaList* params_) :
- NHttpMsgSection(buffer, buf_size, session_data_, source_id_, buf_owner, flow_, params_),
+HttpMsgBody::HttpMsgBody(const uint8_t* buffer, const uint16_t buf_size,
+ HttpFlowData* session_data_, SourceId source_id_, bool buf_owner, Flow* flow_,
+ const HttpParaList* params_) :
+ HttpMsgSection(buffer, buf_size, session_data_, source_id_, buf_owner, flow_, params_),
body_octets(session_data->body_octets[source_id]),
detection_section((body_octets == 0) && (session_data->detect_depth_remaining[source_id] > 0))
{
transaction->set_body(this);
}
-NHttpMsgBody::~NHttpMsgBody()
+HttpMsgBody::~HttpMsgBody()
{
if (classic_client_body_alloc)
classic_client_body.delete_buffer();
decoded_body.delete_buffer();
}
-void NHttpMsgBody::analyze()
+void HttpMsgBody::analyze()
{
do_utf_decoding(msg_text, decoded_body, decoded_body_alloc);
if ( decoded_body_alloc )
body_octets += msg_text.length;
}
-void NHttpMsgBody::do_utf_decoding(const Field& input, Field& output, bool& decoded_alloc)
+void HttpMsgBody::do_utf_decoding(const Field& input, Field& output, bool& decoded_alloc)
{
if (!params->normalize_utf || source_id == SRC_CLIENT )
}
-void NHttpMsgBody::do_file_processing()
+void HttpMsgBody::do_file_processing()
{
// Using the trick that cutter is deleted when regular or chunked body is complete
const bool front = (body_octets == 0);
// With the first piece of the file we must provide the "name" which means URI
if (front)
{
- NHttpMsgRequest* request = transaction->get_request();
+ HttpMsgRequest* request = transaction->get_request();
if (request != nullptr)
{
const Field& tranaction_uri = request->get_uri_norm_classic();
}
}
-const Field& NHttpMsgBody::get_classic_client_body()
+const Field& HttpMsgBody::get_classic_client_body()
{
return classic_normalize(detect_data, classic_client_body, classic_client_body_alloc,
params->uri_param);
#ifdef REG_TEST
// Common elements of print_section() for body sections
-void NHttpMsgBody::print_body_section(FILE* output)
+void HttpMsgBody::print_body_section(FILE* output)
{
detect_data.print(output, "Detect data");
- get_classic_buffer(NHTTP_BUFFER_CLIENT_BODY, 0, 0).print(output,
- NHttpApi::classic_buffer_names[NHTTP_BUFFER_CLIENT_BODY-1]);
+ get_classic_buffer(HTTP_BUFFER_CLIENT_BODY, 0, 0).print(output,
+ HttpApi::classic_buffer_names[HTTP_BUFFER_CLIENT_BODY-1]);
if (g_file_data.len > 0)
{
Field(g_file_data.len, g_file_data.data).print(output, "file_data");
}
- NHttpMsgSection::print_section_wrapup(output);
+ HttpMsgSection::print_section_wrapup(output);
}
#endif
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_msg_body.h author Tom Peters <thopeter@cisco.com>
+// http_msg_body.h author Tom Peters <thopeter@cisco.com>
-#ifndef NHTTP_MSG_BODY_H
-#define NHTTP_MSG_BODY_H
+#ifndef HTTP_MSG_BODY_H
+#define HTTP_MSG_BODY_H
-#include "nhttp_msg_section.h"
-#include "nhttp_field.h"
+#include "http_msg_section.h"
+#include "http_field.h"
//-------------------------------------------------------------------------
-// NHttpMsgBody class
+// HttpMsgBody class
//-------------------------------------------------------------------------
-class NHttpMsgBody : public NHttpMsgSection
+class HttpMsgBody : public HttpMsgSection
{
public:
- virtual ~NHttpMsgBody();
+ virtual ~HttpMsgBody();
void analyze() override;
const Field& get_detect_buf() const override { return detect_data; }
- NHttpEnums::InspectSection get_inspection_section() const override
- { return detection_section ? NHttpEnums::IS_DETECTION : NHttpEnums::IS_BODY; }
+ HttpEnums::InspectSection get_inspection_section() const override
+ { return detection_section ? HttpEnums::IS_DETECTION : HttpEnums::IS_BODY; }
const Field& get_classic_client_body();
protected:
- NHttpMsgBody(const uint8_t* buffer, const uint16_t buf_size, NHttpFlowData* session_data_,
- NHttpEnums::SourceId source_id_, bool buf_owner, Flow* flow_,
- const NHttpParaList* params_);
+ HttpMsgBody(const uint8_t* buffer, const uint16_t buf_size, HttpFlowData* session_data_,
+ HttpEnums::SourceId source_id_, bool buf_owner, Flow* flow_,
+ const HttpParaList* params_);
int64_t body_octets;
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_msg_body_chunk.cc author Tom Peters <thopeter@cisco.com>
+// http_msg_body_chunk.cc author Tom Peters <thopeter@cisco.com>
#include <string.h>
#include <sys/types.h>
#include "mime/file_mime_process.h"
-#include "nhttp_enum.h"
-#include "nhttp_msg_body_chunk.h"
+#include "http_enum.h"
+#include "http_msg_body_chunk.h"
-using namespace NHttpEnums;
+using namespace HttpEnums;
-void NHttpMsgBodyChunk::update_flow()
+void HttpMsgBodyChunk::update_flow()
{
// Cutter deleted when zero-length chunk received
if (session_data->cutter[source_id] == nullptr)
}
#ifdef REG_TEST
-void NHttpMsgBodyChunk::print_section(FILE* output)
+void HttpMsgBodyChunk::print_section(FILE* output)
{
- NHttpMsgSection::print_section_title(output, "chunked body");
+ HttpMsgSection::print_section_title(output, "chunked body");
fprintf(output, "Cumulative octets %" PRIi64 "\n", body_octets);
print_body_section(output);
}
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_msg_body_chunk.h author Tom Peters <thopeter@cisco.com>
+// http_msg_body_chunk.h author Tom Peters <thopeter@cisco.com>
-#ifndef NHTTP_MSG_BODY_CHUNK_H
-#define NHTTP_MSG_BODY_CHUNK_H
+#ifndef HTTP_MSG_BODY_CHUNK_H
+#define HTTP_MSG_BODY_CHUNK_H
-#include "nhttp_msg_body.h"
+#include "http_msg_body.h"
//-------------------------------------------------------------------------
-// NHttpMsgBodyChunk class
+// HttpMsgBodyChunk class
//-------------------------------------------------------------------------
-class NHttpMsgBodyChunk : public NHttpMsgBody
+class HttpMsgBodyChunk : public HttpMsgBody
{
public:
- NHttpMsgBodyChunk(const uint8_t* buffer, const uint16_t buf_size, NHttpFlowData* session_data_,
- NHttpEnums::SourceId source_id_, bool buf_owner, Flow* flow_, const NHttpParaList* params_)
- : NHttpMsgBody(buffer, buf_size, session_data_, source_id_, buf_owner, flow_, params_) {}
+ HttpMsgBodyChunk(const uint8_t* buffer, const uint16_t buf_size, HttpFlowData* session_data_,
+ HttpEnums::SourceId source_id_, bool buf_owner, Flow* flow_, const HttpParaList* params_)
+ : HttpMsgBody(buffer, buf_size, session_data_, source_id_, buf_owner, flow_, params_) {}
void update_flow() override;
#ifdef REG_TEST
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_msg_body_cl.cc author Tom Peters <thopeter@cisco.com>
+// http_msg_body_cl.cc author Tom Peters <thopeter@cisco.com>
#include <string.h>
#include <sys/types.h>
#include "file_api/file_flows.h"
#include "mime/file_mime_process.h"
-#include "nhttp_enum.h"
-#include "nhttp_msg_request.h"
-#include "nhttp_msg_body_cl.h"
+#include "http_enum.h"
+#include "http_msg_request.h"
+#include "http_msg_body_cl.h"
-using namespace NHttpEnums;
+using namespace HttpEnums;
-void NHttpMsgBodyCl::update_flow()
+void HttpMsgBodyCl::update_flow()
{
if (session_data->cutter[source_id] != nullptr)
{
}
#ifdef REG_TEST
-void NHttpMsgBodyCl::print_section(FILE* output)
+void HttpMsgBodyCl::print_section(FILE* output)
{
- NHttpMsgSection::print_section_title(output, "Content-Length body");
+ HttpMsgSection::print_section_title(output, "Content-Length body");
fprintf(output, "Content-Length %" PRIi64 ", octets seen %" PRIi64 "\n", data_length,
body_octets);
print_body_section(output);
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_msg_body_cl.h author Tom Peters <thopeter@cisco.com>
+// http_msg_body_cl.h author Tom Peters <thopeter@cisco.com>
-#ifndef NHTTP_MSG_BODY_CL_H
-#define NHTTP_MSG_BODY_CL_H
+#ifndef HTTP_MSG_BODY_CL_H
+#define HTTP_MSG_BODY_CL_H
-#include "nhttp_msg_section.h"
-#include "nhttp_msg_body.h"
-#include "nhttp_field.h"
+#include "http_msg_section.h"
+#include "http_msg_body.h"
+#include "http_field.h"
//-------------------------------------------------------------------------
-// NHttpMsgBodyCl class
+// HttpMsgBodyCl class
//-------------------------------------------------------------------------
-class NHttpMsgBodyCl : public NHttpMsgBody
+class HttpMsgBodyCl : public HttpMsgBody
{
public:
- NHttpMsgBodyCl(const uint8_t* buffer, const uint16_t buf_size, NHttpFlowData* session_data_,
- NHttpEnums::SourceId source_id_, bool buf_owner, Flow* flow_, const NHttpParaList* params_)
- : NHttpMsgBody(buffer, buf_size, session_data_, source_id_, buf_owner, flow_, params_),
+ HttpMsgBodyCl(const uint8_t* buffer, const uint16_t buf_size, HttpFlowData* session_data_,
+ HttpEnums::SourceId source_id_, bool buf_owner, Flow* flow_, const HttpParaList* params_)
+ : HttpMsgBody(buffer, buf_size, session_data_, source_id_, buf_owner, flow_, params_),
data_length(session_data->data_length[source_id]) {}
void update_flow() override;
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_msg_body_old.cc author Tom Peters <thopeter@cisco.com>
+// http_msg_body_old.cc author Tom Peters <thopeter@cisco.com>
#include <string.h>
#include <sys/types.h>
#include "file_api/file_flows.h"
#include "mime/file_mime_process.h"
-#include "nhttp_enum.h"
-#include "nhttp_msg_request.h"
-#include "nhttp_msg_body_old.h"
+#include "http_enum.h"
+#include "http_msg_request.h"
+#include "http_msg_body_old.h"
-using namespace NHttpEnums;
+using namespace HttpEnums;
-void NHttpMsgBodyOld::update_flow()
+void HttpMsgBodyOld::update_flow()
{
// Always more body expected
session_data->body_octets[source_id] = body_octets;
}
#ifdef REG_TEST
-void NHttpMsgBodyOld::print_section(FILE* output)
+void HttpMsgBodyOld::print_section(FILE* output)
{
- NHttpMsgSection::print_section_title(output, "old-style body");
+ HttpMsgSection::print_section_title(output, "old-style body");
fprintf(output, "octets seen %" PRIi64 "\n", body_octets);
print_body_section(output);
}
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_msg_body_old.h author Tom Peters <thopeter@cisco.com>
+// http_msg_body_old.h author Tom Peters <thopeter@cisco.com>
-#ifndef NHTTP_MSG_BODY_OLD_H
-#define NHTTP_MSG_BODY_OLD_H
+#ifndef HTTP_MSG_BODY_OLD_H
+#define HTTP_MSG_BODY_OLD_H
-#include "nhttp_msg_section.h"
-#include "nhttp_msg_body.h"
-#include "nhttp_field.h"
+#include "http_msg_section.h"
+#include "http_msg_body.h"
+#include "http_field.h"
//-------------------------------------------------------------------------
-// NHttpMsgBodyOld class
+// HttpMsgBodyOld class
//-------------------------------------------------------------------------
-class NHttpMsgBodyOld : public NHttpMsgBody
+class HttpMsgBodyOld : public HttpMsgBody
{
public:
- NHttpMsgBodyOld(const uint8_t* buffer, const uint16_t buf_size, NHttpFlowData* session_data_,
- NHttpEnums::SourceId source_id_, bool buf_owner, Flow* flow_, const NHttpParaList* params_)
- : NHttpMsgBody(buffer, buf_size, session_data_, source_id_, buf_owner, flow_, params_),
+ HttpMsgBodyOld(const uint8_t* buffer, const uint16_t buf_size, HttpFlowData* session_data_,
+ HttpEnums::SourceId source_id_, bool buf_owner, Flow* flow_, const HttpParaList* params_)
+ : HttpMsgBody(buffer, buf_size, session_data_, source_id_, buf_owner, flow_, params_),
data_length(session_data->data_length[source_id]) {}
void update_flow() override;
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_msg_head_shared.cc author Tom Peters <thopeter@cisco.com>
+// http_msg_head_shared.cc author Tom Peters <thopeter@cisco.com>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
-#include "nhttp_enum.h"
-#include "nhttp_normalizers.h"
-#include "nhttp_uri_norm.h"
-#include "nhttp_msg_head_shared.h"
+#include "http_enum.h"
+#include "http_normalizers.h"
+#include "http_uri_norm.h"
+#include "http_msg_head_shared.h"
-using namespace NHttpEnums;
+using namespace HttpEnums;
-NHttpMsgHeadShared::~NHttpMsgHeadShared()
+HttpMsgHeadShared::~HttpMsgHeadShared()
{
delete[] header_line;
delete[] header_name;
}
// All the header processing that is done for every message (i.e. not just-in-time) is done here.
-void NHttpMsgHeadShared::analyze()
+void HttpMsgHeadShared::analyze()
{
parse_header_block();
parse_header_lines();
create_norm_head_list();
}
-void NHttpMsgHeadShared::create_norm_head_list()
+void HttpMsgHeadShared::create_norm_head_list()
{
// This function does not do the actual JIT normalization of header values. It converts the
// header names into numeric IDs and creates a linked list of all the different headers that
}
// Divide up the block of header fields into individual header field lines.
-void NHttpMsgHeadShared::parse_header_block()
+void HttpMsgHeadShared::parse_header_block()
{
int32_t bytes_used = 0;
num_headers = 0;
//
// FIXIT-M Need to generate EVENT_EXCEEDS_SPACES for excessive white space within a header
-uint32_t NHttpMsgHeadShared::find_header_end(const uint8_t* buffer, int32_t length, int& num_seps)
+uint32_t HttpMsgHeadShared::find_header_end(const uint8_t* buffer, int32_t length, int& num_seps)
{
// k=1 because the splitter would not give us a header consisting solely of LF.
for (int32_t k=1; k < length; k++)
}
// Divide header field lines into field name and field value
-void NHttpMsgHeadShared::parse_header_lines()
+void HttpMsgHeadShared::parse_header_lines()
{
header_name = new Field[num_headers];
header_value = new Field[num_headers];
}
}
-void NHttpMsgHeadShared::derive_header_name_id(int index)
+void HttpMsgHeadShared::derive_header_name_id(int index)
{
const int32_t& length = header_name[index].length;
const uint8_t*& buffer = header_name[index].start;
delete[] lower_name;
}
-NHttpMsgHeadShared::NormalizedHeader* NHttpMsgHeadShared::get_header_node(HeaderId header_id) const
+HttpMsgHeadShared::NormalizedHeader* HttpMsgHeadShared::get_header_node(HeaderId header_id) const
{
if (!headers_present[header_id])
return nullptr;
return (list_ptr);
}
-int NHttpMsgHeadShared::get_header_count(HeaderId header_id) const
+int HttpMsgHeadShared::get_header_count(HeaderId header_id) const
{
NormalizedHeader* node = get_header_node(header_id);
return (node != nullptr) ? node->count : 0;
}
-const Field& NHttpMsgHeadShared::get_classic_raw_header()
+const Field& HttpMsgHeadShared::get_classic_raw_header()
{
if (classic_raw_header.length != STAT_NOT_COMPUTE)
return classic_raw_header;
return classic_raw_header;
}
-const Field& NHttpMsgHeadShared::get_classic_norm_header()
+const Field& HttpMsgHeadShared::get_classic_norm_header()
{
return classic_normalize(get_classic_raw_header(), classic_norm_header,
classic_norm_header_alloc, params->uri_param);
}
-const Field& NHttpMsgHeadShared::get_classic_raw_cookie()
+const Field& HttpMsgHeadShared::get_classic_raw_cookie()
{
HeaderId cookie_head = (source_id == SRC_CLIENT) ? HEAD_COOKIE : HEAD_SET_COOKIE;
return get_header_value_norm(cookie_head);
}
-const Field& NHttpMsgHeadShared::get_classic_norm_cookie()
+const Field& HttpMsgHeadShared::get_classic_norm_cookie()
{
return classic_normalize(get_classic_raw_cookie(), classic_norm_cookie,
classic_norm_cookie_alloc, params->uri_param);
}
-const Field& NHttpMsgHeadShared::get_header_value_norm(HeaderId header_id)
+const Field& HttpMsgHeadShared::get_header_value_norm(HeaderId header_id)
{
NormalizedHeader* node = get_header_node(header_id);
if (node == nullptr)
}
#ifdef REG_TEST
-void NHttpMsgHeadShared::print_headers(FILE* output)
+void HttpMsgHeadShared::print_headers(FILE* output)
{
char title_buf[100];
if (num_headers != STAT_NO_SOURCE)
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_msg_head_shared.h author Tom Peters <thopeter@cisco.com>
+// http_msg_head_shared.h author Tom Peters <thopeter@cisco.com>
-#ifndef NHTTP_MSG_HEAD_SHARED_H
-#define NHTTP_MSG_HEAD_SHARED_H
+#ifndef HTTP_MSG_HEAD_SHARED_H
+#define HTTP_MSG_HEAD_SHARED_H
#include <bitset>
-#include "nhttp_str_to_code.h"
-#include "nhttp_head_norm.h"
-#include "nhttp_msg_section.h"
-#include "nhttp_field.h"
+#include "http_str_to_code.h"
+#include "http_head_norm.h"
+#include "http_msg_section.h"
+#include "http_field.h"
//-------------------------------------------------------------------------
-// NHttpMsgHeadShared class
+// HttpMsgHeadShared class
//-------------------------------------------------------------------------
-class NHttpMsgHeadShared : public NHttpMsgSection
+class HttpMsgHeadShared : public HttpMsgSection
{
public:
void analyze() override;
const Field& get_header_line(int k) const { return header_line[k]; }
const Field& get_header_name(int k) const { return header_name[k]; }
const Field& get_header_value(int k) const { return header_value[k]; }
- NHttpEnums::HeaderId get_header_name_id(int k) const { return header_name_id[k]; }
- const Field& get_header_value_norm(NHttpEnums::HeaderId header_id);
- int get_header_count(NHttpEnums::HeaderId header_id) const;
+ HttpEnums::HeaderId get_header_name_id(int k) const { return header_name_id[k]; }
+ const Field& get_header_value_norm(HttpEnums::HeaderId header_id);
+ int get_header_count(HttpEnums::HeaderId header_id) const;
// Tables of header field names and header value names
static const StrCode header_list[];
static const StrCode charset_code_opt_list[];
protected:
- NHttpMsgHeadShared(const uint8_t* buffer, const uint16_t buf_size,
- NHttpFlowData* session_data_, NHttpEnums::SourceId source_id_, bool buf_owner, Flow* flow_,
- const NHttpParaList* params_)
- : NHttpMsgSection(buffer, buf_size, session_data_, source_id_, buf_owner, flow_, params_)
+ HttpMsgHeadShared(const uint8_t* buffer, const uint16_t buf_size,
+ HttpFlowData* session_data_, HttpEnums::SourceId source_id_, bool buf_owner, Flow* flow_,
+ const HttpParaList* params_)
+ : HttpMsgSection(buffer, buf_size, session_data_, source_id_, buf_owner, flow_, params_)
{ }
- ~NHttpMsgHeadShared();
+ ~HttpMsgHeadShared();
// Get the next item in a comma-separated header value and convert it to an enum value
static int32_t get_next_code(const Field& field, int32_t& offset, const StrCode table[]);
#endif
private:
- static const int MAX = NHttpEnums::HEAD__MAX_VALUE;
+ static const int MAX = HttpEnums::HEAD__MAX_VALUE;
// Header normalization strategies. There should be one defined for every different way we can
// process a header field value.
void derive_header_name_id(int index);
std::bitset<MAX> headers_present = 0;
- int32_t num_headers = NHttpEnums::STAT_NOT_COMPUTE;
+ int32_t num_headers = HttpEnums::STAT_NOT_COMPUTE;
Field* header_line = nullptr;
Field* header_name = nullptr;
- NHttpEnums::HeaderId* header_name_id = nullptr;
+ HttpEnums::HeaderId* header_name_id = nullptr;
Field* header_value = nullptr;
Field classic_raw_header; // raw headers with cookies spliced out
struct NormalizedHeader
{
- NHttpEnums::HeaderId id;
+ HttpEnums::HeaderId id;
int count;
Field norm;
NormalizedHeader* next;
};
NormalizedHeader* norm_heads = nullptr;
- NormalizedHeader* get_header_node(NHttpEnums::HeaderId k) const;
+ NormalizedHeader* get_header_node(HttpEnums::HeaderId k) const;
};
#endif
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_msg_head_shared_util.cc author Tom Peters <thopeter@cisco.com>
+// http_msg_head_shared_util.cc author Tom Peters <thopeter@cisco.com>
-#include "nhttp_msg_head_shared.h"
+#include "http_msg_head_shared.h"
-int32_t NHttpMsgHeadShared::get_next_code(const Field& field, int32_t& offset,
+int32_t HttpMsgHeadShared::get_next_code(const Field& field, int32_t& offset,
const StrCode table[])
{
assert(field.length > 0);
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_msg_header.cc author Tom Peters <thopeter@cisco.com>
+// http_msg_header.cc author Tom Peters <thopeter@cisco.com>
#include <cstring>
#include <cstdio>
#include "file_api/file_service.h"
#include "file_api/file_flows.h"
-#include "nhttp_module.h"
-#include "nhttp_api.h"
-#include "nhttp_normalizers.h"
-#include "nhttp_msg_request.h"
-#include "nhttp_msg_header.h"
+#include "http_module.h"
+#include "http_api.h"
+#include "http_normalizers.h"
+#include "http_msg_request.h"
+#include "http_msg_header.h"
-using namespace NHttpEnums;
+using namespace HttpEnums;
-NHttpMsgHeader::NHttpMsgHeader(const uint8_t* buffer, const uint16_t buf_size,
- NHttpFlowData* session_data_, SourceId source_id_, bool buf_owner, Flow* flow_,
- const NHttpParaList* params_) :
- NHttpMsgHeadShared(buffer, buf_size, session_data_, source_id_, buf_owner, flow_, params_)
+HttpMsgHeader::HttpMsgHeader(const uint8_t* buffer, const uint16_t buf_size,
+ HttpFlowData* session_data_, SourceId source_id_, bool buf_owner, Flow* flow_,
+ const HttpParaList* params_) :
+ HttpMsgHeadShared(buffer, buf_size, session_data_, source_id_, buf_owner, flow_, params_)
{
transaction->set_header(this, source_id);
}
-void NHttpMsgHeader::update_flow()
+void HttpMsgHeader::update_flow()
{
session_data->section_type[source_id] = SEC__NOT_COMPUTE;
events.create_event(EVENT_CHUNKED_BEFORE_END);
}
if (norm_last_token_code(get_header_value_norm(HEAD_TRANSFER_ENCODING),
- NHttpMsgHeadShared::trans_code_list) == TRANSCODE_CHUNKED)
+ HttpMsgHeadShared::trans_code_list) == TRANSCODE_CHUNKED)
{
// Chunked body
session_data->type_expected[source_id] = SEC_BODY_CHUNK;
- NHttpModule::increment_peg_counts(PEG_CHUNKED);
+ HttpModule::increment_peg_counts(PEG_CHUNKED);
prepare_body();
return;
}
}
// Common activities of preparing for upcoming regular body or chunked body
-void NHttpMsgHeader::prepare_body()
+void HttpMsgHeader::prepare_body()
{
session_data->body_octets[source_id] = 0;
const int64_t& depth = (source_id == SRC_CLIENT) ? params->request_depth :
session_data->events[source_id].reset();
if (source_id == SRC_CLIENT)
{
- NHttpModule::increment_peg_counts(PEG_REQUEST_BODY);
+ HttpModule::increment_peg_counts(PEG_REQUEST_BODY);
}
}
-void NHttpMsgHeader::setup_file_processing()
+void HttpMsgHeader::setup_file_processing()
{
// FIXIT-M Bidirectional file processing is problematic so we don't do it. When the library
// fully supports it remove the outer if statement that prevents it from being done.
}
}
-void NHttpMsgHeader::setup_decompression()
+void HttpMsgHeader::setup_decompression()
{
if (!params->unzip)
return;
while (norm_content_encoding.length > cont_offset)
{
const Contentcoding content_code = (Contentcoding)get_next_code(norm_content_encoding,
- cont_offset, NHttpMsgHeadShared::content_code_list);
+ cont_offset, HttpMsgHeadShared::content_code_list);
if ((compression != CMP_NONE) && (content_code != CONTENTCODE_IDENTITY))
{
infractions += INF_STACKED_ENCODINGS;
while (norm_transfer_encoding.length > trans_offset)
{
const Transcoding transfer_code = (Transcoding)get_next_code(norm_transfer_encoding,
- trans_offset, NHttpMsgHeadShared::trans_code_list);
+ trans_offset, HttpMsgHeadShared::trans_code_list);
if ((compression != CMP_NONE) &&
!((transfer_code == TRANSCODE_IDENTITY) || (transfer_code == TRANSCODE_CHUNKED)))
{
}
}
-void NHttpMsgHeader::setup_utf_decoding()
+void HttpMsgHeader::setup_utf_decoding()
{
Field last_token;
CharsetCode charset_code;
else
{
- charset_code = (CharsetCode)str_to_code(last_token.start, last_token.length, NHttpMsgHeadShared::charset_code_list);
+ charset_code = (CharsetCode)str_to_code(last_token.start, last_token.length, HttpMsgHeadShared::charset_code_list);
if( charset_code == CHARSET_OTHER )
{
- charset_code = (CharsetCode)substr_to_code(last_token.start, last_token.length, NHttpMsgHeadShared::charset_code_opt_list);
+ charset_code = (CharsetCode)substr_to_code(last_token.start, last_token.length, HttpMsgHeadShared::charset_code_opt_list);
if( charset_code != CHARSET_UNKNOWN )
return;
#ifdef REG_TEST
-void NHttpMsgHeader::print_section(FILE* output)
+void HttpMsgHeader::print_section(FILE* output)
{
- NHttpMsgSection::print_section_title(output, "header");
- NHttpMsgHeadShared::print_headers(output);
- get_classic_buffer(NHTTP_BUFFER_COOKIE, 0, 0).print(output,
- NHttpApi::classic_buffer_names[NHTTP_BUFFER_COOKIE-1]);
- get_classic_buffer(NHTTP_BUFFER_HEADER, 0, 0).print(output,
- NHttpApi::classic_buffer_names[NHTTP_BUFFER_HEADER-1]);
- get_classic_buffer(NHTTP_BUFFER_RAW_COOKIE, 0, 0).print(output,
- NHttpApi::classic_buffer_names[NHTTP_BUFFER_RAW_COOKIE-1]);
- get_classic_buffer(NHTTP_BUFFER_RAW_HEADER, 0, 0).print(output,
- NHttpApi::classic_buffer_names[NHTTP_BUFFER_RAW_HEADER-1]);
- NHttpMsgSection::print_section_wrapup(output);
+ HttpMsgSection::print_section_title(output, "header");
+ HttpMsgHeadShared::print_headers(output);
+ get_classic_buffer(HTTP_BUFFER_COOKIE, 0, 0).print(output,
+ HttpApi::classic_buffer_names[HTTP_BUFFER_COOKIE-1]);
+ get_classic_buffer(HTTP_BUFFER_HEADER, 0, 0).print(output,
+ HttpApi::classic_buffer_names[HTTP_BUFFER_HEADER-1]);
+ get_classic_buffer(HTTP_BUFFER_RAW_COOKIE, 0, 0).print(output,
+ HttpApi::classic_buffer_names[HTTP_BUFFER_RAW_COOKIE-1]);
+ get_classic_buffer(HTTP_BUFFER_RAW_HEADER, 0, 0).print(output,
+ HttpApi::classic_buffer_names[HTTP_BUFFER_RAW_HEADER-1]);
+ HttpMsgSection::print_section_wrapup(output);
}
#endif
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_msg_header.h author Tom Peters <thopeter@cisco.com>
+// http_msg_header.h author Tom Peters <thopeter@cisco.com>
-#ifndef NHTTP_MSG_HEADER_H
-#define NHTTP_MSG_HEADER_H
+#ifndef HTTP_MSG_HEADER_H
+#define HTTP_MSG_HEADER_H
#include "file_api/file_api.h"
-#include "nhttp_enum.h"
-#include "nhttp_msg_head_shared.h"
+#include "http_enum.h"
+#include "http_msg_head_shared.h"
//-------------------------------------------------------------------------
-// NHttpMsgHeader class
+// HttpMsgHeader class
//-------------------------------------------------------------------------
-class NHttpMsgHeader : public NHttpMsgHeadShared
+class HttpMsgHeader : public HttpMsgHeadShared
{
public:
- NHttpMsgHeader(const uint8_t* buffer, const uint16_t buf_size, NHttpFlowData* session_data_,
- NHttpEnums::SourceId source_id_, bool buf_owner, Flow* flow_,
- const NHttpParaList* params_);
- NHttpEnums::InspectSection get_inspection_section() const override
- { return detection_section ? NHttpEnums::IS_DETECTION : NHttpEnums::IS_NONE; }
+ HttpMsgHeader(const uint8_t* buffer, const uint16_t buf_size, HttpFlowData* session_data_,
+ HttpEnums::SourceId source_id_, bool buf_owner, Flow* flow_,
+ const HttpParaList* params_);
+ HttpEnums::InspectSection get_inspection_section() const override
+ { return detection_section ? HttpEnums::IS_DETECTION : HttpEnums::IS_NONE; }
void update_flow() override;
private:
// Dummy configurations to support MIME processing
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_msg_request.cc author Tom Peters <thopeter@cisco.com>
+// http_msg_request.cc author Tom Peters <thopeter@cisco.com>
#include <assert.h>
#include <string.h>
#include "detection/detection_util.h"
-#include "nhttp_enum.h"
-#include "nhttp_api.h"
-#include "nhttp_msg_request.h"
-#include "nhttp_msg_header.h"
+#include "http_enum.h"
+#include "http_api.h"
+#include "http_msg_request.h"
+#include "http_msg_header.h"
-using namespace NHttpEnums;
+using namespace HttpEnums;
-NHttpMsgRequest::NHttpMsgRequest(const uint8_t* buffer, const uint16_t buf_size,
- NHttpFlowData* session_data_, SourceId source_id_, bool buf_owner, Flow* flow_,
- const NHttpParaList* params_) :
- NHttpMsgStart(buffer, buf_size, session_data_, source_id_, buf_owner, flow_, params_)
+HttpMsgRequest::HttpMsgRequest(const uint8_t* buffer, const uint16_t buf_size,
+ HttpFlowData* session_data_, SourceId source_id_, bool buf_owner, Flow* flow_,
+ const HttpParaList* params_) :
+ HttpMsgStart(buffer, buf_size, session_data_, source_id_, buf_owner, flow_, params_)
{
transaction->set_request(this);
}
-void NHttpMsgRequest::parse_start_line()
+void HttpMsgRequest::parse_start_line()
{
// Check the version field
if ((start_line.length < 10) || !is_sp_tab[start_line.start[start_line.length-9]] ||
return;
}
- NHttpModule::increment_peg_counts(PEG_REQUEST);
+ HttpModule::increment_peg_counts(PEG_REQUEST);
// The splitter guarantees there will be a non-whitespace at octet 1 and a whitespace within
// octets 2-81. The following algorithm uses those assumptions.
switch (method_id)
{
- case METH_GET: NHttpModule::increment_peg_counts(PEG_GET); break;
- case METH_HEAD: NHttpModule::increment_peg_counts(PEG_HEAD); break;
- case METH_POST: NHttpModule::increment_peg_counts(PEG_POST); break;
- case METH_PUT: NHttpModule::increment_peg_counts(PEG_PUT); break;
- case METH_DELETE: NHttpModule::increment_peg_counts(PEG_DELETE); break;
- case METH_CONNECT: NHttpModule::increment_peg_counts(PEG_CONNECT); break;
- case METH_OPTIONS: NHttpModule::increment_peg_counts(PEG_OPTIONS); break;
- case METH_TRACE: NHttpModule::increment_peg_counts(PEG_TRACE); break;
- default: NHttpModule::increment_peg_counts(PEG_OTHER_METHOD); break;
+ case METH_GET: HttpModule::increment_peg_counts(PEG_GET); break;
+ case METH_HEAD: HttpModule::increment_peg_counts(PEG_HEAD); break;
+ case METH_POST: HttpModule::increment_peg_counts(PEG_POST); break;
+ case METH_PUT: HttpModule::increment_peg_counts(PEG_PUT); break;
+ case METH_DELETE: HttpModule::increment_peg_counts(PEG_DELETE); break;
+ case METH_CONNECT: HttpModule::increment_peg_counts(PEG_CONNECT); break;
+ case METH_OPTIONS: HttpModule::increment_peg_counts(PEG_OPTIONS); break;
+ case METH_TRACE: HttpModule::increment_peg_counts(PEG_TRACE); break;
+ default: HttpModule::increment_peg_counts(PEG_OTHER_METHOD); break;
}
version.start = start_line.start + (start_line.length - 8);
if (first_end < last_begin)
{
- uri = new NHttpUri(start_line.start + first_end + 1, last_begin - first_end - 1,
+ uri = new HttpUri(start_line.start + first_end + 1, last_begin - first_end - 1,
method_id, params->uri_param, infractions, events);
}
else
}
}
-bool NHttpMsgRequest::handle_zero_nine()
+bool HttpMsgRequest::handle_zero_nine()
{
// 0.9 request line is supposed to be "GET <URI>\r\n"
if ((start_line.length >= 3) &&
{
int32_t uri_end;
for (uri_end = start_line.length - 1; is_sp_tab[start_line.start[uri_end]]; uri_end--);
- uri = new NHttpUri(start_line.start + uri_begin, uri_end - uri_begin + 1, method_id,
+ uri = new HttpUri(start_line.start + uri_begin, uri_end - uri_begin + 1, method_id,
params->uri_param, infractions, events);
}
else
return false;
}
-const Field& NHttpMsgRequest::get_uri()
+const Field& HttpMsgRequest::get_uri()
{
if (uri != nullptr)
{
return Field::FIELD_NULL;
}
-const Field& NHttpMsgRequest::get_uri_norm_classic()
+const Field& HttpMsgRequest::get_uri_norm_classic()
{
if (uri != nullptr)
{
return Field::FIELD_NULL;
}
-void NHttpMsgRequest::gen_events()
+void HttpMsgRequest::gen_events()
{
if (infractions & INF_BAD_REQ_LINE)
return;
}
}
-void NHttpMsgRequest::update_flow()
+void HttpMsgRequest::update_flow()
{
if (infractions & INF_BAD_REQ_LINE)
{
#ifdef REG_TEST
-void NHttpMsgRequest::print_section(FILE* output)
+void HttpMsgRequest::print_section(FILE* output)
{
- NHttpMsgSection::print_section_title(output, "request line");
+ HttpMsgSection::print_section_title(output, "request line");
fprintf(output, "Version Id: %d\n", version_id);
fprintf(output, "Method Id: %d\n", method_id);
if (uri != nullptr)
uri->get_fragment().print(output, "Fragment");
uri->get_norm_fragment().print(output, "Normalized Fragment");
}
- get_classic_buffer(NHTTP_BUFFER_METHOD, 0, 0).print(output,
- NHttpApi::classic_buffer_names[NHTTP_BUFFER_METHOD-1]);
- get_classic_buffer(NHTTP_BUFFER_RAW_URI, 0, 0).print(output,
- NHttpApi::classic_buffer_names[NHTTP_BUFFER_RAW_URI-1]);
- get_classic_buffer(NHTTP_BUFFER_URI, 0, 0).print(output,
- NHttpApi::classic_buffer_names[NHTTP_BUFFER_URI-1]);
- get_classic_buffer(NHTTP_BUFFER_VERSION, 0, 0).print(output,
- NHttpApi::classic_buffer_names[NHTTP_BUFFER_VERSION-1]);
- get_classic_buffer(NHTTP_BUFFER_RAW_REQUEST, 0, 0).print(output,
- NHttpApi::classic_buffer_names[NHTTP_BUFFER_RAW_REQUEST-1]);
- NHttpMsgSection::print_section_wrapup(output);
+ get_classic_buffer(HTTP_BUFFER_METHOD, 0, 0).print(output,
+ HttpApi::classic_buffer_names[HTTP_BUFFER_METHOD-1]);
+ get_classic_buffer(HTTP_BUFFER_RAW_URI, 0, 0).print(output,
+ HttpApi::classic_buffer_names[HTTP_BUFFER_RAW_URI-1]);
+ get_classic_buffer(HTTP_BUFFER_URI, 0, 0).print(output,
+ HttpApi::classic_buffer_names[HTTP_BUFFER_URI-1]);
+ get_classic_buffer(HTTP_BUFFER_VERSION, 0, 0).print(output,
+ HttpApi::classic_buffer_names[HTTP_BUFFER_VERSION-1]);
+ get_classic_buffer(HTTP_BUFFER_RAW_REQUEST, 0, 0).print(output,
+ HttpApi::classic_buffer_names[HTTP_BUFFER_RAW_REQUEST-1]);
+ HttpMsgSection::print_section_wrapup(output);
}
#endif
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_msg_request.h author Tom Peters <thopeter@cisco.com>
+// http_msg_request.h author Tom Peters <thopeter@cisco.com>
-#ifndef NHTTP_MSG_REQUEST_H
-#define NHTTP_MSG_REQUEST_H
+#ifndef HTTP_MSG_REQUEST_H
+#define HTTP_MSG_REQUEST_H
-#include "nhttp_str_to_code.h"
-#include "nhttp_uri.h"
-#include "nhttp_uri_norm.h"
-#include "nhttp_msg_start.h"
-#include "nhttp_field.h"
+#include "http_str_to_code.h"
+#include "http_uri.h"
+#include "http_uri_norm.h"
+#include "http_msg_start.h"
+#include "http_field.h"
//-------------------------------------------------------------------------
-// NHttpMsgRequest class
+// HttpMsgRequest class
//-------------------------------------------------------------------------
-class NHttpMsgRequest : public NHttpMsgStart
+class HttpMsgRequest : public HttpMsgStart
{
public:
- NHttpMsgRequest(const uint8_t* buffer, const uint16_t buf_size, NHttpFlowData* session_data_,
- NHttpEnums::SourceId source_id_, bool buf_owner, Flow* flow_,
- const NHttpParaList* params_);
- ~NHttpMsgRequest() { delete uri; }
+ HttpMsgRequest(const uint8_t* buffer, const uint16_t buf_size, HttpFlowData* session_data_,
+ HttpEnums::SourceId source_id_, bool buf_owner, Flow* flow_,
+ const HttpParaList* params_);
+ ~HttpMsgRequest() { delete uri; }
void gen_events() override;
void update_flow() override;
const Field& get_method() { return method; }
const Field& get_uri();
const Field& get_uri_norm_classic();
- NHttpUri* get_nhttp_uri() { return uri; }
+ HttpUri* get_http_uri() { return uri; }
#ifdef REG_TEST
void print_section(FILE* output) override;
bool handle_zero_nine();
Field method;
- NHttpUri* uri = nullptr;
+ HttpUri* uri = nullptr;
};
#endif
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_msg_section.cc author Tom Peters <thopeter@cisco.com>
+// http_msg_section.cc author Tom Peters <thopeter@cisco.com>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
-#include "nhttp_enum.h"
-#include "nhttp_transaction.h"
-#include "nhttp_test_manager.h"
-#include "nhttp_msg_section.h"
-#include "nhttp_msg_request.h"
-#include "nhttp_msg_status.h"
-#include "nhttp_msg_head_shared.h"
-#include "nhttp_msg_header.h"
-#include "nhttp_msg_trailer.h"
-#include "nhttp_msg_body.h"
-
-using namespace NHttpEnums;
-
-NHttpMsgSection::NHttpMsgSection(const uint8_t* buffer, const uint16_t buf_size,
- NHttpFlowData* session_data_, SourceId source_id_, bool buf_owner, Flow* flow_,
- const NHttpParaList* params_) :
+#include "http_enum.h"
+#include "http_transaction.h"
+#include "http_test_manager.h"
+#include "http_msg_section.h"
+#include "http_msg_request.h"
+#include "http_msg_status.h"
+#include "http_msg_head_shared.h"
+#include "http_msg_header.h"
+#include "http_msg_trailer.h"
+#include "http_msg_body.h"
+
+using namespace HttpEnums;
+
+HttpMsgSection::HttpMsgSection(const uint8_t* buffer, const uint16_t buf_size,
+ HttpFlowData* session_data_, SourceId source_id_, bool buf_owner, Flow* flow_,
+ const HttpParaList* params_) :
msg_text(buf_size, buffer),
session_data(session_data_),
source_id(source_id_),
flow(flow_),
trans_num(session_data->expected_trans_num[source_id]),
params(params_),
- transaction(NHttpTransaction::attach_my_transaction(session_data, source_id)),
+ transaction(HttpTransaction::attach_my_transaction(session_data, source_id)),
tcp_close(session_data->tcp_close[source_id]),
infractions(session_data->infractions[source_id]),
events(session_data->events[source_id]),
delete_msg_on_destruct(buf_owner)
{ }
-void NHttpMsgSection::update_depth() const
+void HttpMsgSection::update_depth() const
{
const int64_t& depth = (session_data->file_depth_remaining[source_id] >=
session_data->detect_depth_remaining[source_id]) ?
}
}
-const Field& NHttpMsgSection::classic_normalize(const Field& raw, Field& norm, bool& norm_alloc,
- const NHttpParaList::UriParam& uri_param)
+const Field& HttpMsgSection::classic_normalize(const Field& raw, Field& norm, bool& norm_alloc,
+ const HttpParaList::UriParam& uri_param)
{
if (norm.length != STAT_NOT_COMPUTE)
return norm;
return norm;
}
-const Field& NHttpMsgSection::get_classic_buffer(unsigned id, uint64_t sub_id, uint64_t form)
+const Field& HttpMsgSection::get_classic_buffer(unsigned id, uint64_t sub_id, uint64_t form)
{
// buffer_side replaces source_id for buffers that support the request option
const SourceId buffer_side = (form & FORM_REQUEST) ? SRC_CLIENT : source_id;
switch (id)
{
- case NHTTP_BUFFER_CLIENT_BODY:
+ case HTTP_BUFFER_CLIENT_BODY:
{
if (source_id != SRC_CLIENT)
return Field::FIELD_NULL;
- NHttpMsgBody* body = transaction->get_body();
+ HttpMsgBody* body = transaction->get_body();
return (body != nullptr) ? body->get_classic_client_body() : Field::FIELD_NULL;
}
- case NHTTP_BUFFER_COOKIE:
- case NHTTP_BUFFER_RAW_COOKIE:
+ case HTTP_BUFFER_COOKIE:
+ case HTTP_BUFFER_RAW_COOKIE:
{
- NHttpMsgHeader* header = transaction->get_header(buffer_side);
+ HttpMsgHeader* header = transaction->get_header(buffer_side);
if (header == nullptr)
return Field::FIELD_NULL;
- return (id == NHTTP_BUFFER_COOKIE) ? header->get_classic_norm_cookie() :
+ return (id == HTTP_BUFFER_COOKIE) ? header->get_classic_norm_cookie() :
header->get_classic_raw_cookie();
}
- case NHTTP_BUFFER_HEADER:
- case NHTTP_BUFFER_TRAILER:
+ case HTTP_BUFFER_HEADER:
+ case HTTP_BUFFER_TRAILER:
{
// FIXIT-L Someday want to be able to return field name or raw field value
- NHttpMsgHeadShared* const header = (id == NHTTP_BUFFER_HEADER) ?
- (NHttpMsgHeadShared*)transaction->get_header(buffer_side) :
- (NHttpMsgHeadShared*)transaction->get_trailer(buffer_side);
+ HttpMsgHeadShared* const header = (id == HTTP_BUFFER_HEADER) ?
+ (HttpMsgHeadShared*)transaction->get_header(buffer_side) :
+ (HttpMsgHeadShared*)transaction->get_trailer(buffer_side);
if (header == nullptr)
return Field::FIELD_NULL;
if (sub_id == 0)
return header->get_classic_norm_header();
return header->get_header_value_norm((HeaderId)sub_id);
}
- case NHTTP_BUFFER_METHOD:
+ case HTTP_BUFFER_METHOD:
{
- NHttpMsgRequest* request = transaction->get_request();
+ HttpMsgRequest* request = transaction->get_request();
return (request != nullptr) ? request->get_method() : Field::FIELD_NULL;
}
- case NHTTP_BUFFER_RAW_HEADER:
+ case HTTP_BUFFER_RAW_HEADER:
{
- NHttpMsgHeader* header = transaction->get_header(buffer_side);
+ HttpMsgHeader* header = transaction->get_header(buffer_side);
return (header != nullptr) ? header->get_classic_raw_header() : Field::FIELD_NULL;
}
- case NHTTP_BUFFER_STAT_CODE:
+ case HTTP_BUFFER_STAT_CODE:
{
- NHttpMsgStatus* status = transaction->get_status();
+ HttpMsgStatus* status = transaction->get_status();
return (status != nullptr) ? status->get_status_code() : Field::FIELD_NULL;
}
- case NHTTP_BUFFER_STAT_MSG:
+ case HTTP_BUFFER_STAT_MSG:
{
- NHttpMsgStatus* status = transaction->get_status();
+ HttpMsgStatus* status = transaction->get_status();
return (status != nullptr) ? status->get_reason_phrase() : Field::FIELD_NULL;
}
- case NHTTP_BUFFER_RAW_URI:
- case NHTTP_BUFFER_URI:
+ case HTTP_BUFFER_RAW_URI:
+ case HTTP_BUFFER_URI:
{
- const bool raw = (id == NHTTP_BUFFER_RAW_URI);
- NHttpMsgRequest* request = transaction->get_request();
+ const bool raw = (id == HTTP_BUFFER_RAW_URI);
+ HttpMsgRequest* request = transaction->get_request();
if (request == nullptr)
return Field::FIELD_NULL;
if (sub_id == 0)
return raw ? request->get_uri() : request->get_uri_norm_classic();
- NHttpUri* const uri = request->get_nhttp_uri();
+ HttpUri* const uri = request->get_http_uri();
if (uri == nullptr)
return Field::FIELD_NULL;
switch ((UriComponent)sub_id)
assert(false);
return Field::FIELD_NULL;
}
- case NHTTP_BUFFER_VERSION:
+ case HTTP_BUFFER_VERSION:
{
- NHttpMsgStart* start = (buffer_side == SRC_CLIENT) ?
- (NHttpMsgStart*)transaction->get_request() : (NHttpMsgStart*)transaction->get_status();
+ HttpMsgStart* start = (buffer_side == SRC_CLIENT) ?
+ (HttpMsgStart*)transaction->get_request() : (HttpMsgStart*)transaction->get_status();
return (start != nullptr) ? start->get_version() : Field::FIELD_NULL;
}
- case NHTTP_BUFFER_RAW_REQUEST:
+ case HTTP_BUFFER_RAW_REQUEST:
{
- NHttpMsgRequest* request = transaction->get_request();
+ HttpMsgRequest* request = transaction->get_request();
return (request != nullptr) ? request->get_detect_buf() : Field::FIELD_NULL;
}
- case NHTTP_BUFFER_RAW_STATUS:
+ case HTTP_BUFFER_RAW_STATUS:
{
- NHttpMsgStatus* status = transaction->get_status();
+ HttpMsgStatus* status = transaction->get_status();
return (status != nullptr) ? status->get_detect_buf() : Field::FIELD_NULL;
}
- case NHTTP_BUFFER_RAW_TRAILER:
+ case HTTP_BUFFER_RAW_TRAILER:
{
- NHttpMsgTrailer* trailer = transaction->get_trailer(buffer_side);
+ HttpMsgTrailer* trailer = transaction->get_trailer(buffer_side);
return (trailer != nullptr) ? trailer->get_classic_raw_header() : Field::FIELD_NULL;
}
default:
#ifdef REG_TEST
-void NHttpMsgSection::print_section_title(FILE* output, const char* title) const
+void HttpMsgSection::print_section_title(FILE* output, const char* title) const
{
fprintf(output, "HTTP message %" PRIu64 " %s:\n", trans_num, title);
msg_text.print(output, "Input");
}
-void NHttpMsgSection::print_section_wrapup(FILE* output) const
+void HttpMsgSection::print_section_wrapup(FILE* output) const
{
fprintf(output, "Infractions: %016" PRIx64 " %016" PRIx64 ", Events: %016" PRIx64 " %016"
PRIx64 ", TCP Close: %s\n\n", infractions.get_raw2(), infractions.get_raw(),
events.get_raw2(), events.get_raw(), tcp_close ? "True" : "False");
- if (NHttpTestManager::get_show_pegs())
+ if (HttpTestManager::get_show_pegs())
{
print_peg_counts(output);
}
fprintf(output, "\n");
}
-void NHttpMsgSection::print_peg_counts(FILE* output) const
+void HttpMsgSection::print_peg_counts(FILE* output) const
{
- const PegInfo* const peg_names = NHttpModule::get_peg_names();
- const PegCount* const peg_counts = NHttpModule::get_peg_counts();
+ const PegInfo* const peg_names = HttpModule::get_peg_names();
+ const PegCount* const peg_counts = HttpModule::get_peg_counts();
fprintf(output, "Peg Counts\n");
for (unsigned k = 0; k < PEG_COUNT_MAX; k++)
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_msg_section.h author Tom Peters <thopeter@cisco.com>
+// http_msg_section.h author Tom Peters <thopeter@cisco.com>
-#ifndef NHTTP_MSG_SECTION_H
-#define NHTTP_MSG_SECTION_H
+#ifndef HTTP_MSG_SECTION_H
+#define HTTP_MSG_SECTION_H
#include "stream/stream_api.h"
#include "detection/detection_util.h"
-#include "nhttp_field.h"
-#include "nhttp_module.h"
-#include "nhttp_flow_data.h"
-#include "nhttp_transaction.h"
-#include "nhttp_infractions.h"
+#include "http_field.h"
+#include "http_module.h"
+#include "http_flow_data.h"
+#include "http_transaction.h"
+#include "http_infractions.h"
//-------------------------------------------------------------------------
-// NHttpMsgSection class
+// HttpMsgSection class
//-------------------------------------------------------------------------
-class NHttpMsgSection
+class HttpMsgSection
{
public:
- virtual ~NHttpMsgSection() { if (delete_msg_on_destruct) delete[] msg_text.start; }
- virtual NHttpEnums::InspectSection get_inspection_section() const
- { return NHttpEnums::IS_NONE; }
- NHttpEnums::SourceId get_source_id() { return source_id; }
+ virtual ~HttpMsgSection() { if (delete_msg_on_destruct) delete[] msg_text.start; }
+ virtual HttpEnums::InspectSection get_inspection_section() const
+ { return HttpEnums::IS_NONE; }
+ HttpEnums::SourceId get_source_id() { return source_id; }
// Minimum necessary processing for every message
virtual void analyze() = 0;
// Provide buffer to be sent to detection
virtual const Field& get_detect_buf() const { return msg_text; }
- NHttpEnums::MethodId get_method_id() const { return method_id; }
+ HttpEnums::MethodId get_method_id() const { return method_id; }
#ifdef REG_TEST
// Test tool prints all derived message parts
#endif
protected:
- NHttpMsgSection(const uint8_t* buffer, const uint16_t buf_size, NHttpFlowData* session_data_,
- NHttpEnums::SourceId source_id_, bool buf_owner, Flow* flow_, const NHttpParaList*
+ HttpMsgSection(const uint8_t* buffer, const uint16_t buf_size, HttpFlowData* session_data_,
+ HttpEnums::SourceId source_id_, bool buf_owner, Flow* flow_, const HttpParaList*
params_);
const Field msg_text;
- NHttpFlowData* const session_data;
- const NHttpEnums::SourceId source_id;
+ HttpFlowData* const session_data;
+ const HttpEnums::SourceId source_id;
Flow* const flow;
uint64_t trans_num;
- const NHttpParaList* const params;
- NHttpTransaction* const transaction;
+ const HttpParaList* const params;
+ HttpTransaction* const transaction;
const bool tcp_close;
- NHttpInfractions infractions;
- NHttpEventGen events;
- NHttpEnums::VersionId version_id;
- NHttpEnums::MethodId method_id;
+ HttpInfractions infractions;
+ HttpEventGen events;
+ HttpEnums::VersionId version_id;
+ HttpEnums::MethodId method_id;
int32_t status_code_num;
// Convenience methods shared by multiple subclasses
void update_depth() const;
static const Field& classic_normalize(const Field& raw, Field& norm, bool& norm_alloc,
- const NHttpParaList::UriParam& uri_param);
+ const HttpParaList::UriParam& uri_param);
#ifdef REG_TEST
void print_section_title(FILE* output, const char* title) const;
void print_section_wrapup(FILE* output) const;
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_msg_start.cc author Tom Peters <thopeter@cisco.com>
+// http_msg_start.cc author Tom Peters <thopeter@cisco.com>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
-#include "nhttp_enum.h"
-#include "nhttp_msg_start.h"
+#include "http_enum.h"
+#include "http_msg_start.h"
-using namespace NHttpEnums;
+using namespace HttpEnums;
-void NHttpMsgStart::analyze()
+void HttpMsgStart::analyze()
{
start_line.start = msg_text.start;
start_line.length = msg_text.length;
gen_events();
}
-void NHttpMsgStart::derive_version_id()
+void HttpMsgStart::derive_version_id()
{
if (version.start[6] != '.')
{
{
// Real 0.9 traffic would never be labeled HTTP/0.9 because 0.9 is older than the version
// system. Aside from the possibility that someone might do this to make trouble,
- // NHttpStreamSplitter::reassemble() converts 0.9 responses to a simple form of 1.0 format
+ // HttpStreamSplitter::reassemble() converts 0.9 responses to a simple form of 1.0 format
// to allow us to process 0.9 without a lot of extra development. Such responses are
// labeled 0.9.
version_id = VERS_0_9;
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_msg_start.h author Tom Peters <thopeter@cisco.com>
+// http_msg_start.h author Tom Peters <thopeter@cisco.com>
-#ifndef NHTTP_MSG_START_H
-#define NHTTP_MSG_START_H
+#ifndef HTTP_MSG_START_H
+#define HTTP_MSG_START_H
-#include "nhttp_msg_section.h"
-#include "nhttp_field.h"
+#include "http_msg_section.h"
+#include "http_field.h"
//-------------------------------------------------------------------------
-// NHttpMsgStart class
+// HttpMsgStart class
//-------------------------------------------------------------------------
-class NHttpMsgStart : public NHttpMsgSection
+class HttpMsgStart : public HttpMsgSection
{
public:
void analyze() override;
const Field& get_version() const { return version; }
protected:
- NHttpMsgStart(const uint8_t* buffer, const uint16_t buf_size, NHttpFlowData* session_data_,
- NHttpEnums::SourceId source_id_, bool buf_owner, Flow* flow_, const NHttpParaList* params_)
- : NHttpMsgSection(buffer, buf_size, session_data_, source_id_, buf_owner, flow_, params_)
+ HttpMsgStart(const uint8_t* buffer, const uint16_t buf_size, HttpFlowData* session_data_,
+ HttpEnums::SourceId source_id_, bool buf_owner, Flow* flow_, const HttpParaList* params_)
+ : HttpMsgSection(buffer, buf_size, session_data_, source_id_, buf_owner, flow_, params_)
{ }
virtual void parse_start_line() = 0;
virtual void gen_events() = 0;
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_msg_status.cc author Tom Peters <thopeter@cisco.com>
+// http_msg_status.cc author Tom Peters <thopeter@cisco.com>
#include <assert.h>
#include <string.h>
#include "detection/detection_util.h"
-#include "nhttp_enum.h"
-#include "nhttp_api.h"
-#include "nhttp_msg_status.h"
-#include "nhttp_msg_header.h"
+#include "http_enum.h"
+#include "http_api.h"
+#include "http_msg_status.h"
+#include "http_msg_header.h"
-using namespace NHttpEnums;
+using namespace HttpEnums;
-NHttpMsgStatus::NHttpMsgStatus(const uint8_t* buffer, const uint16_t buf_size,
- NHttpFlowData* session_data_, SourceId source_id_, bool buf_owner, Flow* flow_,
- const NHttpParaList* params_) :
- NHttpMsgStart(buffer, buf_size, session_data_, source_id_, buf_owner, flow_, params_)
+HttpMsgStatus::HttpMsgStatus(const uint8_t* buffer, const uint16_t buf_size,
+ HttpFlowData* session_data_, SourceId source_id_, bool buf_owner, Flow* flow_,
+ const HttpParaList* params_) :
+ HttpMsgStart(buffer, buf_size, session_data_, source_id_, buf_owner, flow_, params_)
{
transaction->set_status(this);
}
-void NHttpMsgStatus::parse_start_line()
+void HttpMsgStatus::parse_start_line()
{
// Splitter guarantees line begins with "HTTP/"
return;
}
- NHttpModule::increment_peg_counts(PEG_RESPONSE);
+ HttpModule::increment_peg_counts(PEG_RESPONSE);
version.start = start_line.start;
version.length = 8;
}
}
-void NHttpMsgStatus::derive_status_code_num()
+void HttpMsgStatus::derive_status_code_num()
{
if ((status_code.start[0] < '0') || (status_code.start[0] > '9') || (status_code.start[1] <
'0') || (status_code.start[1] > '9') ||
}
}
-void NHttpMsgStatus::gen_events()
+void HttpMsgStatus::gen_events()
{
if (infractions & INF_BAD_STAT_LINE)
return;
}
}
-void NHttpMsgStatus::update_flow()
+void HttpMsgStatus::update_flow()
{
if (infractions & INF_BAD_STAT_LINE)
{
}
#ifdef REG_TEST
-void NHttpMsgStatus::print_section(FILE* output)
+void HttpMsgStatus::print_section(FILE* output)
{
- NHttpMsgSection::print_section_title(output, "status line");
+ HttpMsgSection::print_section_title(output, "status line");
fprintf(output, "Version Id: %d\n", version_id);
fprintf(output, "Status Code Num: %d\n", status_code_num);
reason_phrase.print(output, "Reason Phrase");
- get_classic_buffer(NHTTP_BUFFER_STAT_CODE, 0, 0).print(output,
- NHttpApi::classic_buffer_names[NHTTP_BUFFER_STAT_CODE-1]);
- get_classic_buffer(NHTTP_BUFFER_STAT_MSG, 0, 0).print(output,
- NHttpApi::classic_buffer_names[NHTTP_BUFFER_STAT_MSG-1]);
- get_classic_buffer(NHTTP_BUFFER_VERSION, 0, 0).print(output,
- NHttpApi::classic_buffer_names[NHTTP_BUFFER_VERSION-1]);
- get_classic_buffer(NHTTP_BUFFER_RAW_STATUS, 0, 0).print(output,
- NHttpApi::classic_buffer_names[NHTTP_BUFFER_RAW_STATUS-1]);
- NHttpMsgSection::print_section_wrapup(output);
+ get_classic_buffer(HTTP_BUFFER_STAT_CODE, 0, 0).print(output,
+ HttpApi::classic_buffer_names[HTTP_BUFFER_STAT_CODE-1]);
+ get_classic_buffer(HTTP_BUFFER_STAT_MSG, 0, 0).print(output,
+ HttpApi::classic_buffer_names[HTTP_BUFFER_STAT_MSG-1]);
+ get_classic_buffer(HTTP_BUFFER_VERSION, 0, 0).print(output,
+ HttpApi::classic_buffer_names[HTTP_BUFFER_VERSION-1]);
+ get_classic_buffer(HTTP_BUFFER_RAW_STATUS, 0, 0).print(output,
+ HttpApi::classic_buffer_names[HTTP_BUFFER_RAW_STATUS-1]);
+ HttpMsgSection::print_section_wrapup(output);
}
#endif
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_msg_status.h author Tom Peters <thopeter@cisco.com>
+// http_msg_status.h author Tom Peters <thopeter@cisco.com>
-#ifndef NHTTP_MSG_STATUS_H
-#define NHTTP_MSG_STATUS_H
+#ifndef HTTP_MSG_STATUS_H
+#define HTTP_MSG_STATUS_H
-#include "nhttp_msg_start.h"
-#include "nhttp_field.h"
+#include "http_msg_start.h"
+#include "http_field.h"
//-------------------------------------------------------------------------
-// NHttpMsgStatus class
+// HttpMsgStatus class
//-------------------------------------------------------------------------
-class NHttpMsgStatus : public NHttpMsgStart
+class HttpMsgStatus : public HttpMsgStart
{
public:
- NHttpMsgStatus(const uint8_t* buffer, const uint16_t buf_size, NHttpFlowData* session_data_,
- NHttpEnums::SourceId source_id_, bool buf_owner, Flow* flow_,
- const NHttpParaList* params_);
+ HttpMsgStatus(const uint8_t* buffer, const uint16_t buf_size, HttpFlowData* session_data_,
+ HttpEnums::SourceId source_id_, bool buf_owner, Flow* flow_,
+ const HttpParaList* params_);
void gen_events() override;
void update_flow() override;
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_msg_trailer.cc author Tom Peters <thopeter@cisco.com>
+// http_msg_trailer.cc author Tom Peters <thopeter@cisco.com>
#include <string.h>
#include <sys/types.h>
#include "detection/detection_util.h"
-#include "nhttp_enum.h"
-#include "nhttp_api.h"
-#include "nhttp_msg_trailer.h"
+#include "http_enum.h"
+#include "http_api.h"
+#include "http_msg_trailer.h"
-using namespace NHttpEnums;
+using namespace HttpEnums;
-NHttpMsgTrailer::NHttpMsgTrailer(const uint8_t* buffer, const uint16_t buf_size,
- NHttpFlowData* session_data_, SourceId source_id_, bool buf_owner, Flow* flow_,
- const NHttpParaList* params_) :
- NHttpMsgHeadShared(buffer, buf_size, session_data_, source_id_, buf_owner, flow_, params_)
+HttpMsgTrailer::HttpMsgTrailer(const uint8_t* buffer, const uint16_t buf_size,
+ HttpFlowData* session_data_, SourceId source_id_, bool buf_owner, Flow* flow_,
+ const HttpParaList* params_) :
+ HttpMsgHeadShared(buffer, buf_size, session_data_, source_id_, buf_owner, flow_, params_)
{
transaction->set_trailer(this, source_id);
}
-void NHttpMsgTrailer::update_flow()
+void HttpMsgTrailer::update_flow()
{
session_data->half_reset(source_id);
session_data->section_type[source_id] = SEC__NOT_COMPUTE;
}
#ifdef REG_TEST
-void NHttpMsgTrailer::print_section(FILE* output)
+void HttpMsgTrailer::print_section(FILE* output)
{
- NHttpMsgSection::print_section_title(output, "trailer");
- NHttpMsgHeadShared::print_headers(output);
- get_classic_buffer(NHTTP_BUFFER_TRAILER, 0, 0).print(output,
- NHttpApi::classic_buffer_names[NHTTP_BUFFER_TRAILER-1]);
- get_classic_buffer(NHTTP_BUFFER_RAW_TRAILER, 0, 0).print(output,
- NHttpApi::classic_buffer_names[NHTTP_BUFFER_RAW_TRAILER-1]);
- NHttpMsgSection::print_section_wrapup(output);
+ HttpMsgSection::print_section_title(output, "trailer");
+ HttpMsgHeadShared::print_headers(output);
+ get_classic_buffer(HTTP_BUFFER_TRAILER, 0, 0).print(output,
+ HttpApi::classic_buffer_names[HTTP_BUFFER_TRAILER-1]);
+ get_classic_buffer(HTTP_BUFFER_RAW_TRAILER, 0, 0).print(output,
+ HttpApi::classic_buffer_names[HTTP_BUFFER_RAW_TRAILER-1]);
+ HttpMsgSection::print_section_wrapup(output);
}
#endif
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_msg_trailer.h author Tom Peters <thopeter@cisco.com>
+// http_msg_trailer.h author Tom Peters <thopeter@cisco.com>
-#ifndef NHTTP_MSG_TRAILER_H
-#define NHTTP_MSG_TRAILER_H
+#ifndef HTTP_MSG_TRAILER_H
+#define HTTP_MSG_TRAILER_H
-#include "nhttp_msg_head_shared.h"
+#include "http_msg_head_shared.h"
//-------------------------------------------------------------------------
-// NHttpMsgTrailer class
+// HttpMsgTrailer class
//-------------------------------------------------------------------------
-class NHttpMsgTrailer : public NHttpMsgHeadShared
+class HttpMsgTrailer : public HttpMsgHeadShared
{
public:
- NHttpMsgTrailer(const uint8_t* buffer, const uint16_t buf_size, NHttpFlowData* session_data_,
- NHttpEnums::SourceId source_id_, bool buf_owner, Flow* flow_,
- const NHttpParaList* params_);
- NHttpEnums::InspectSection get_inspection_section() const override
- { return NHttpEnums::IS_TRAILER; }
+ HttpMsgTrailer(const uint8_t* buffer, const uint16_t buf_size, HttpFlowData* session_data_,
+ HttpEnums::SourceId source_id_, bool buf_owner, Flow* flow_,
+ const HttpParaList* params_);
+ HttpEnums::InspectSection get_inspection_section() const override
+ { return HttpEnums::IS_TRAILER; }
void update_flow() override;
#ifdef REG_TEST
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_normalizers.cc author Tom Peters <thopeter@cisco.com>
+// http_normalizers.cc author Tom Peters <thopeter@cisco.com>
#include <string.h>
#include <sys/types.h>
-#include "nhttp_enum.h"
-#include "nhttp_str_to_code.h"
-#include "nhttp_normalizers.h"
+#include "http_enum.h"
+#include "http_str_to_code.h"
+#include "http_normalizers.h"
-using namespace NHttpEnums;
+using namespace HttpEnums;
// Collection of stock normalization functions. This will probably grow throughout the life of the
// software. New functions must follow the standard signature. The void* at the end is for any
// special configuration data the function requires.
int32_t norm_to_lower(const uint8_t* in_buf, int32_t in_length, uint8_t* out_buf,
- NHttpInfractions&, NHttpEventGen&)
+ HttpInfractions&, HttpEventGen&)
{
for (int32_t k=0; k < in_length; k++)
{
// Remove all space and tab characters (known as LWS or linear white space in the RFC)
int32_t norm_remove_lws(const uint8_t* in_buf, int32_t in_length, uint8_t* out_buf,
- NHttpInfractions&, NHttpEventGen&)
+ HttpInfractions&, HttpEventGen&)
{
int32_t length = 0;
for (int32_t k = 0; k < in_length; k++)
}
//FIXIT - norm_remove_lws and norm_remove_quotes_lws could be combined into one function
int32_t norm_remove_quotes_lws(const uint8_t* in_buf, int32_t in_length, uint8_t* out_buf,
- NHttpInfractions&, NHttpEventGen&)
+ HttpInfractions&, HttpEventGen&)
{
int32_t length = 0;
for (int32_t k=0; k < in_length; k++)
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_normalizers.h author Tom Peters <thopeter@cisco.com>
+// http_normalizers.h author Tom Peters <thopeter@cisco.com>
-#ifndef NHTTP_NORMALIZERS_H
-#define NHTTP_NORMALIZERS_H
+#ifndef HTTP_NORMALIZERS_H
+#define HTTP_NORMALIZERS_H
-#include "nhttp_infractions.h"
-#include "nhttp_event_gen.h"
-#include "nhttp_field.h"
-#include "nhttp_str_to_code.h"
+#include "http_infractions.h"
+#include "http_event_gen.h"
+#include "http_field.h"
+#include "http_str_to_code.h"
// There are currently no normalization functions that make header values bigger. Changes are
// required to HeaderNormalizer::normalize() to allocate more space before you can introduce a
//
// Normalization functions must return an output buffer with nonnegative length. Status codes are
// not acceptable.
-typedef int32_t (NormFunc)(const uint8_t*, int32_t, uint8_t*, NHttpInfractions&, NHttpEventGen&);
+typedef int32_t (NormFunc)(const uint8_t*, int32_t, uint8_t*, HttpInfractions&, HttpEventGen&);
NormFunc norm_to_lower;
NormFunc norm_remove_lws;
NormFunc norm_remove_quotes_lws;
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_str_to_code.cc author Tom Peters <thopeter@cisco.com>
+// http_str_to_code.cc author Tom Peters <thopeter@cisco.com>
#include <string.h>
#include "main/snort_types.h"
-#include "nhttp_enum.h"
-#include "nhttp_str_to_code.h"
+#include "http_enum.h"
+#include "http_str_to_code.h"
// Need to replace this simple algorithm for better performance FIXIT-P
-SO_PUBLIC int32_t str_to_code(const uint8_t* text, const int32_t text_len, const StrCode table[])
+int32_t str_to_code(const uint8_t* text, const int32_t text_len, const StrCode table[])
{
for (int32_t k=0; table[k].name != nullptr; k++)
{
return table[k].code;
}
}
- return NHttpEnums::STAT_OTHER;
+ return HttpEnums::STAT_OTHER;
}
-SO_PUBLIC int32_t substr_to_code(const uint8_t* text, const int32_t text_len, const StrCode table[])
+int32_t substr_to_code(const uint8_t* text, const int32_t text_len, const StrCode table[])
{
for (int32_t k=0; table[k].name != nullptr; k++)
{
return table[k].code;
}
}
- return NHttpEnums::STAT_OTHER;
+ return HttpEnums::STAT_OTHER;
}
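Review bot: Removing `SO_PUBLIC` from `str_to_code` and `substr_to_code` (and from `HttpMsgHeadShared::header_list` in the http_tables.cc section below) changes symbol visibility, which is not part of the nhttp-to-http rename; any dynamically loaded code outside this inspector that resolved these symbols will no longer find them at load time. If the export was only ever a leftover of the old layout this is fine, but it deserves a comment at the definition, e.g. `// Not SO_PUBLIC: these lookups are internal to http_inspect.`, and a sentence in the commit message. The bodies of both functions are truncated in the hunk, so the matching loop itself was not reviewed here.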
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_str_to_code.h author Tom Peters <thopeter@cisco.com>
+// http_str_to_code.h author Tom Peters <thopeter@cisco.com>
-#ifndef NHTTP_STR_TO_CODE_H
-#define NHTTP_STR_TO_CODE_H
+#ifndef HTTP_STR_TO_CODE_H
+#define HTTP_STR_TO_CODE_H
struct StrCode
{
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_stream_splitter.h author Tom Peters <thopeter@cisco.com>
+// http_stream_splitter.h author Tom Peters <thopeter@cisco.com>
-#ifndef NHTTP_STREAM_SPLITTER_H
-#define NHTTP_STREAM_SPLITTER_H
+#ifndef HTTP_STREAM_SPLITTER_H
+#define HTTP_STREAM_SPLITTER_H
#include <zlib.h>
#include "stream/stream_splitter.h"
-#include "nhttp_flow_data.h"
-#include "nhttp_test_manager.h"
+#include "http_flow_data.h"
+#include "http_test_manager.h"
-class NHttpInspect;
+class HttpInspect;
-class NHttpStreamSplitter : public StreamSplitter
+class HttpStreamSplitter : public StreamSplitter
{
public:
- NHttpStreamSplitter(bool is_client_to_server, NHttpInspect* my_inspector_) :
+ HttpStreamSplitter(bool is_client_to_server, HttpInspect* my_inspector_) :
StreamSplitter(is_client_to_server),
- source_id(is_client_to_server ? NHttpEnums::SRC_CLIENT : NHttpEnums::SRC_SERVER),
+ source_id(is_client_to_server ? HttpEnums::SRC_CLIENT : HttpEnums::SRC_SERVER),
my_inspector(my_inspector_) { }
Status scan(Flow* flow, const uint8_t* data, uint32_t length, uint32_t not_used,
uint32_t* flush_offset) override;
uint8_t* data, unsigned len, uint32_t flags, unsigned& copied) override;
bool finish(Flow* flow) override;
bool is_paf() override { return true; }
- unsigned max(Flow*) override { return NHttpEnums::MAX_OCTETS; }
+ unsigned max(Flow*) override { return HttpEnums::MAX_OCTETS; }
private:
- void prepare_flush(NHttpFlowData* session_data, uint32_t* flush_offset, NHttpEnums::SectionType
+ void prepare_flush(HttpFlowData* session_data, uint32_t* flush_offset, HttpEnums::SectionType
section_type, uint32_t num_flushed, uint32_t num_excess, int32_t num_head_lines,
bool is_broken_chunk, uint32_t num_good_chunks) const;
- NHttpCutter* get_cutter(NHttpEnums::SectionType type, const NHttpFlowData* session) const;
- void chunk_spray(NHttpFlowData* session_data, uint8_t* buffer, const uint8_t* data,
+ HttpCutter* get_cutter(HttpEnums::SectionType type, const HttpFlowData* session) const;
+ void chunk_spray(HttpFlowData* session_data, uint8_t* buffer, const uint8_t* data,
unsigned length) const;
static void decompress_copy(uint8_t* buffer, uint32_t& offset, const uint8_t* data,
- uint32_t length, NHttpEnums::CompressId& compression, z_stream*& compress_stream,
- bool at_start, NHttpInfractions& infractions, NHttpEventGen& events);
+ uint32_t length, HttpEnums::CompressId& compression, z_stream*& compress_stream,
+ bool at_start, HttpInfractions& infractions, HttpEventGen& events);
- const NHttpEnums::SourceId source_id;
- NHttpInspect* const my_inspector;
+ const HttpEnums::SourceId source_id;
+ HttpInspect* const my_inspector;
};
#endif
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_stream_splitter_reassemble.cc author Tom Peters <thopeter@cisco.com>
+// http_stream_splitter_reassemble.cc author Tom Peters <thopeter@cisco.com>
#include <assert.h>
#include <sys/types.h>
#include "file_api/file_flows.h"
-#include "nhttp_enum.h"
-#include "nhttp_field.h"
-#include "nhttp_test_manager.h"
-#include "nhttp_test_input.h"
-#include "nhttp_inspect.h"
-#include "nhttp_stream_splitter.h"
+#include "http_enum.h"
+#include "http_field.h"
+#include "http_test_manager.h"
+#include "http_test_input.h"
+#include "http_inspect.h"
+#include "http_stream_splitter.h"
-using namespace NHttpEnums;
+using namespace HttpEnums;
-void NHttpStreamSplitter::chunk_spray(NHttpFlowData* session_data, uint8_t* buffer,
+void HttpStreamSplitter::chunk_spray(HttpFlowData* session_data, uint8_t* buffer,
const uint8_t* data, unsigned length) const
{
ChunkState& curr_state = session_data->chunk_state[source_id];
}
}
-void NHttpStreamSplitter::decompress_copy(uint8_t* buffer, uint32_t& offset, const uint8_t* data,
- uint32_t length, NHttpEnums::CompressId& compression, z_stream*& compress_stream,
- bool at_start, NHttpInfractions& infractions, NHttpEventGen& events)
+void HttpStreamSplitter::decompress_copy(uint8_t* buffer, uint32_t& offset, const uint8_t* data,
+ uint32_t length, HttpEnums::CompressId& compression, z_stream*& compress_stream,
+ bool at_start, HttpInfractions& infractions, HttpEventGen& events)
{
if ((compression == CMP_GZIP) || (compression == CMP_DEFLATE))
{
offset += length;
}
-const StreamBuffer* NHttpStreamSplitter::reassemble(Flow* flow, unsigned total, unsigned,
+const StreamBuffer* HttpStreamSplitter::reassemble(Flow* flow, unsigned total, unsigned,
const uint8_t* data, unsigned len, uint32_t flags, unsigned& copied)
{
- static THREAD_LOCAL StreamBuffer nhttp_buf;
+ static THREAD_LOCAL StreamBuffer http_buf;
copied = len;
assert(total <= MAX_OCTETS);
- NHttpFlowData* session_data = (NHttpFlowData*)flow->get_application_data(
- NHttpFlowData::nhttp_flow_id);
+ HttpFlowData* session_data = (HttpFlowData*)flow->get_application_data(
+ HttpFlowData::http_flow_id);
assert(session_data != nullptr);
#ifdef REG_TEST
- if (NHttpTestManager::use_test_output())
+ if (HttpTestManager::use_test_output())
{
- if (NHttpTestManager::use_test_input())
+ if (HttpTestManager::use_test_input())
{
if (!(flags & PKT_PDU_TAIL))
{
}
bool tcp_close;
uint8_t* test_buffer;
- NHttpTestManager::get_test_input_source()->reassemble(&test_buffer, len, source_id,
+ HttpTestManager::get_test_input_source()->reassemble(&test_buffer, len, source_id,
tcp_close);
if (tcp_close)
{
return nullptr;
}
- // FIXIT-P stream should be enhanced to do discarding for us. For now flush-then-discard here
+ // FIXIT-P stream should be ehanced to do discarding for us. For now flush-then-discard here
// is how scan() handles things we don't need to examine.
if (session_data->section_type[source_id] == SEC_DISCARD)
{
#ifdef REG_TEST
- if (NHttpTestManager::use_test_output())
+ if (HttpTestManager::use_test_output())
{
- fprintf(NHttpTestManager::get_output_file(), "Discarded %u octets\n\n", len);
- fflush(NHttpTestManager::get_output_file());
+ fprintf(HttpTestManager::get_output_file(), "Discarded %u octets\n\n", len);
+ fflush(HttpTestManager::get_output_file());
}
#endif
if (flags & PKT_PDU_TAIL)
return nullptr;
}
- NHttpModule::increment_peg_counts(PEG_REASSEMBLE);
+ HttpModule::increment_peg_counts(PEG_REASSEMBLE);
uint8_t*& buffer = session_data->section_buffer[source_id];
{
// The type of buffer used is based on section type. All body sections reuse a single
// static buffer. Other sections use a dynamic buffer that may be saved for a while.
- // Changes here must be mirrored below where the buffer is passed to NHttpInspect::process
- // and in ~NHttpFlowData where the buffer will be deleted if it has not been processed.
+ // Changes here must be mirrored below where the buffer is passed to HttpInspect::process
+ // and in ~HttpFlowData where the buffer will be deleted if it has not been processed.
if (is_body)
{
- buffer = NHttpInspect::body_buffer;
+ buffer = HttpInspect::body_buffer;
}
else
{
const Field& send_to_detection = my_inspector->process(buffer,
session_data->section_offset[source_id] - session_data->num_excess[source_id], flow,
source_id, !is_body);
- // delete[] not necessary because NHttpMsgSection is now responsible.
+ // delete[] not necessary because HttpMsgSection is now responsible.
buffer = nullptr;
session_data->section_offset[source_id] = 0;
// framework and forwarded to detection even if it is empty. Other body sections and the
// trailer section are only forwarded if nonempty. The start line section and header
// sections other than the detection section are never forwarded.
- if (((send_to_detection.length > 0) && (NHttpInspect::get_latest_is() != IS_NONE)) ||
- ((send_to_detection.length == 0) && (NHttpInspect::get_latest_is() == IS_DETECTION)))
+ if (((send_to_detection.length > 0) && (HttpInspect::get_latest_is() != IS_NONE)) ||
+ ((send_to_detection.length == 0) && (HttpInspect::get_latest_is() == IS_DETECTION)))
{
// FIXIT-M kludge until we work out issues with returning an empty buffer
if (send_to_detection.length > 0)
{
- nhttp_buf.data = send_to_detection.start;
- nhttp_buf.length = send_to_detection.length;
+ http_buf.data = send_to_detection.start;
+ http_buf.length = send_to_detection.length;
}
else
{
- nhttp_buf.data = (const uint8_t*)"";
- nhttp_buf.length = 1;
+ http_buf.data = (const uint8_t*)"";
+ http_buf.length = 1;
}
#ifdef REG_TEST
- if (NHttpTestManager::use_test_output())
+ if (HttpTestManager::use_test_output())
{
- fprintf(NHttpTestManager::get_output_file(), "Sent to detection %u octets\n\n",
- nhttp_buf.length);
- fflush(NHttpTestManager::get_output_file());
+ fprintf(HttpTestManager::get_output_file(), "Sent to detection %u octets\n\n",
+ http_buf.length);
+ fflush(HttpTestManager::get_output_file());
}
#endif
- return &nhttp_buf;
+ return &http_buf;
}
my_inspector->clear(session_data, source_id);
}
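Review bot: The comment above the SEC_DISCARD check regresses in this hunk: the old side reads `enhanced` and the new side `ehanced`, so the rename introduces a typo where no code change was intended. Restore it as `// FIXIT-P stream should be enhanced to do discarding for us. For now flush-then-discard here`. The rest of reassemble() differs only by identifier renames; its body extends beyond what the hunk shows.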
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_stream_splitter_scan.cc author Tom Peters <thopeter@cisco.com>
+// http_stream_splitter_scan.cc author Tom Peters <thopeter@cisco.com>
#include <assert.h>
#include <sys/types.h>
#include "file_api/file_flows.h"
-#include "nhttp_enum.h"
-#include "nhttp_field.h"
-#include "nhttp_test_manager.h"
-#include "nhttp_test_input.h"
-#include "nhttp_cutter.h"
-#include "nhttp_inspect.h"
-#include "nhttp_stream_splitter.h"
+#include "http_enum.h"
+#include "http_field.h"
+#include "http_test_manager.h"
+#include "http_test_input.h"
+#include "http_cutter.h"
+#include "http_inspect.h"
+#include "http_stream_splitter.h"
-using namespace NHttpEnums;
+using namespace HttpEnums;
// Convenience function. All housekeeping that must be done before we can return FLUSH to stream.
-void NHttpStreamSplitter::prepare_flush(NHttpFlowData* session_data, uint32_t* flush_offset,
+void HttpStreamSplitter::prepare_flush(HttpFlowData* session_data, uint32_t* flush_offset,
SectionType section_type, uint32_t num_flushed, uint32_t num_excess, int32_t num_head_lines,
bool is_broken_chunk, uint32_t num_good_chunks) const
{
session_data->num_good_chunks[source_id] = num_good_chunks;
#ifdef REG_TEST
- if (NHttpTestManager::use_test_input())
+ if (HttpTestManager::use_test_input())
{
- NHttpTestManager::get_test_input_source()->flush(num_flushed);
+ HttpTestManager::get_test_input_source()->flush(num_flushed);
}
else
#endif
*flush_offset = num_flushed;
}
-NHttpCutter* NHttpStreamSplitter::get_cutter(SectionType type,
- const NHttpFlowData* session_data) const
+HttpCutter* HttpStreamSplitter::get_cutter(SectionType type,
+ const HttpFlowData* session_data) const
{
switch (type)
{
case SEC_REQUEST:
- return (NHttpCutter*)new NHttpRequestCutter;
+ return (HttpCutter*)new HttpRequestCutter;
case SEC_STATUS:
- return (NHttpCutter*)new NHttpStatusCutter;
+ return (HttpCutter*)new HttpStatusCutter;
case SEC_HEADER:
case SEC_TRAILER:
- return (NHttpCutter*)new NHttpHeaderCutter;
+ return (HttpCutter*)new HttpHeaderCutter;
case SEC_BODY_CL:
- return (NHttpCutter*)new NHttpBodyClCutter(session_data->data_length[source_id]);
+ return (HttpCutter*)new HttpBodyClCutter(session_data->data_length[source_id]);
case SEC_BODY_CHUNK:
- return (NHttpCutter*)new NHttpBodyChunkCutter;
+ return (HttpCutter*)new HttpBodyChunkCutter;
case SEC_BODY_OLD:
- return (NHttpCutter*)new NHttpBodyOldCutter;
+ return (HttpCutter*)new HttpBodyOldCutter;
default:
assert(false);
return nullptr;
}
}
-StreamSplitter::Status NHttpStreamSplitter::scan(Flow* flow, const uint8_t* data, uint32_t length,
+StreamSplitter::Status HttpStreamSplitter::scan(Flow* flow, const uint8_t* data, uint32_t length,
uint32_t, uint32_t* flush_offset)
{
assert(length <= MAX_OCTETS);
- // This is the session state information we share with NHttpInspect and store with stream. A
+ // This is the session state information we share with HttpInspect and store with stream. A
// session is defined by a TCP connection. Since scan() is the first to see a new TCP
// connection the new flow data object is created here.
- NHttpFlowData* session_data = (NHttpFlowData*)flow->get_application_data(
- NHttpFlowData::nhttp_flow_id);
+ HttpFlowData* session_data = (HttpFlowData*)flow->get_application_data(
+ HttpFlowData::http_flow_id);
if (session_data == nullptr)
{
- flow->set_application_data(session_data = new NHttpFlowData);
- NHttpModule::increment_peg_counts(PEG_FLOW);
+ flow->set_application_data(session_data = new HttpFlowData);
+ HttpModule::increment_peg_counts(PEG_FLOW);
}
SectionType type = session_data->type_expected[source_id];
return StreamSplitter::ABORT;
#ifdef REG_TEST
- if (NHttpTestManager::use_test_input())
+ if (HttpTestManager::use_test_input())
{
// This block substitutes a completely new data buffer supplied by the test tool in place
// of the "real" data. It also rewrites the buffer length.
*flush_offset = length;
uint8_t* test_data = nullptr;
- NHttpTestManager::get_test_input_source()->scan(test_data, length, source_id,
+ HttpTestManager::get_test_input_source()->scan(test_data, length, source_id,
session_data->seq_num);
if (length == 0)
return StreamSplitter::FLUSH;
data = test_data;
}
- else if (NHttpTestManager::use_test_output())
+ else if (HttpTestManager::use_test_output())
{
printf("Scan from flow data %" PRIu64 " direction %d length %u\n", session_data->seq_num,
source_id, length);
assert(!session_data->tcp_close[source_id]);
- NHttpModule::increment_peg_counts(PEG_SCAN);
+ HttpModule::increment_peg_counts(PEG_SCAN);
// Check for 0.9 response message
if ((type == SEC_STATUS) &&
(session_data->expected_trans_num[SRC_SERVER] == session_data->zero_nine_expected))
{
- // 0.9 response is a body that runs to connection end with no headers. NHttpInspect does
+ // 0.9 response is a body that runs to connection end with no headers. HttpInspect does
// not support no headers. Processing this imaginary status line and empty headers allows
// us to overcome this limitation and reuse the entire HTTP infrastructure.
type = SEC_BODY_OLD;
my_inspector->process((const uint8_t*)"", 0, flow, SRC_SERVER, false);
}
- NHttpCutter*& cutter = session_data->cutter[source_id];
+ HttpCutter*& cutter = session_data->cutter[source_id];
if (cutter == nullptr)
{
cutter = get_cutter(type, session_data);
}
// Incomplete headers wait patiently for more data
#ifdef REG_TEST
- if (NHttpTestManager::use_test_input())
+ if (HttpTestManager::use_test_input())
return StreamSplitter::FLUSH;
else
#endif
}
}
-bool NHttpStreamSplitter::finish(Flow* flow)
+bool HttpStreamSplitter::finish(Flow* flow)
{
- NHttpFlowData* session_data = (NHttpFlowData*)flow->get_application_data(
- NHttpFlowData::nhttp_flow_id);
+ HttpFlowData* session_data = (HttpFlowData*)flow->get_application_data(
+ HttpFlowData::http_flow_id);
assert(session_data != nullptr);
#ifdef REG_TEST
- if (NHttpTestManager::use_test_output() && !NHttpTestManager::use_test_input())
+ if (HttpTestManager::use_test_output() && !HttpTestManager::use_test_input())
{
printf("Finish from flow data %" PRIu64 " direction %d\n", session_data->seq_num,
source_id);
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_tables.cc author Tom Peters <thopeter@cisco.com>
+// http_tables.cc author Tom Peters <thopeter@cisco.com>
#ifdef HAVE_CONFIG_H
#include "config.h"
#include "utils/util_utf.h"
-#include "nhttp_enum.h"
-#include "nhttp_str_to_code.h"
-#include "nhttp_normalizers.h"
-#include "nhttp_head_norm.h"
-#include "nhttp_msg_request.h"
-#include "nhttp_msg_header.h"
-#include "nhttp_module.h"
-#include "nhttp_uri_norm.h"
-#include "nhttp_cutter.h"
+#include "http_enum.h"
+#include "http_str_to_code.h"
+#include "http_normalizers.h"
+#include "http_head_norm.h"
+#include "http_msg_request.h"
+#include "http_msg_header.h"
+#include "http_module.h"
+#include "http_uri_norm.h"
+#include "http_cutter.h"
-using namespace NHttpEnums;
+using namespace HttpEnums;
-const StrCode NHttpMsgRequest::method_list[] =
+const StrCode HttpMsgRequest::method_list[] =
{
{ METH_OPTIONS, "OPTIONS" },
{ METH_GET, "GET" },
{ 0, nullptr }
};
-SO_PUBLIC const StrCode NHttpMsgHeadShared::header_list[] =
+const StrCode HttpMsgHeadShared::header_list[] =
{
{ HEAD_CACHE_CONTROL, "cache-control" },
{ HEAD_CONNECTION, "connection" },
{ 0, nullptr }
};
-const StrCode NHttpMsgHeadShared::trans_code_list[] =
+const StrCode HttpMsgHeadShared::trans_code_list[] =
{
{ TRANSCODE_CHUNKED, "chunked" },
{ TRANSCODE_GZIP, "gzip" },
{ 0, nullptr }
};
-const StrCode NHttpMsgHeadShared::content_code_list[] =
+const StrCode HttpMsgHeadShared::content_code_list[] =
{
{ CONTENTCODE_GZIP, "gzip" },
{ CONTENTCODE_DEFLATE, "deflate" },
{ 0, nullptr }
};
-const StrCode NHttpMsgHeadShared::charset_code_list[] =
+const StrCode HttpMsgHeadShared::charset_code_list[] =
{
{ CHARSET_DEFAULT, "charset=utf-8" },
{ CHARSET_UTF7, "charset=utf-7" },
{ 0, nullptr }
};
-const StrCode NHttpMsgHeadShared::charset_code_opt_list[] =
+const StrCode HttpMsgHeadShared::charset_code_opt_list[] =
{
{ CHARSET_UNKNOWN, "charset=utf-" },
{ CHARSET_IRRELEVANT, "charset=" },
{ 0, nullptr }
};
-const HeaderNormalizer NHttpMsgHeadShared::NORMALIZER_BASIC
+const HeaderNormalizer HttpMsgHeadShared::NORMALIZER_BASIC
{ false, nullptr, nullptr, nullptr };
-const HeaderNormalizer NHttpMsgHeadShared::NORMALIZER_NUMBER
+const HeaderNormalizer HttpMsgHeadShared::NORMALIZER_NUMBER
{ false, norm_remove_lws, nullptr, nullptr };
-const HeaderNormalizer NHttpMsgHeadShared::NORMALIZER_TOKEN_LIST
+const HeaderNormalizer HttpMsgHeadShared::NORMALIZER_TOKEN_LIST
{ true, norm_remove_lws, norm_to_lower, nullptr };
-const HeaderNormalizer NHttpMsgHeadShared::NORMALIZER_CHARSET
+const HeaderNormalizer HttpMsgHeadShared::NORMALIZER_CHARSET
{ true, norm_remove_quotes_lws, norm_to_lower, nullptr };
-const HeaderNormalizer NHttpMsgHeadShared::NORMALIZER_CAT
+const HeaderNormalizer HttpMsgHeadShared::NORMALIZER_CAT
{ true, norm_remove_lws, nullptr, nullptr };
-const HeaderNormalizer NHttpMsgHeadShared::NORMALIZER_COOKIE
+const HeaderNormalizer HttpMsgHeadShared::NORMALIZER_COOKIE
{ true, nullptr, nullptr, nullptr };
#if defined(__clang__)
#endif
/* *INDENT-OFF* */
-const HeaderNormalizer* const NHttpMsgHeadShared::header_norms[HEAD__MAX_VALUE] = {
+const HeaderNormalizer* const HttpMsgHeadShared::header_norms[HEAD__MAX_VALUE] = {
[0] = &NORMALIZER_BASIC,
[HEAD__OTHER] = &NORMALIZER_BASIC,
[HEAD_CACHE_CONTROL] = &NORMALIZER_BASIC,
#pragma clang diagnostic pop
#endif
-const RuleMap NHttpModule::nhttp_events[] =
+const RuleMap HttpModule::http_events[] =
{
{ EVENT_ASCII, "ascii encoding" },
{ EVENT_DOUBLE_DECODE, "double decoding attack" },
{ 0, nullptr }
};
-const PegInfo NHttpModule::peg_names[PEG_COUNT_MAX+1] =
+const PegInfo HttpModule::peg_names[PEG_COUNT_MAX+1] =
{
{ "flows", "HTTP connections inspected" },
{ "scans", "TCP segments scanned looking for HTTP messages" },
{ nullptr, nullptr }
};
-const int8_t NHttpEnums::as_hex[256] =
+const int8_t HttpEnums::as_hex[256] =
{
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1
};
-const bool NHttpEnums::token_char[256] =
+const bool HttpEnums::token_char[256] =
{
false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false,
false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false,
false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false
};
-const bool NHttpEnums::is_sp_tab[256] =
+const bool HttpEnums::is_sp_tab[256] =
{
false, false, false, false, false, false, false, false, false, true, false, false, false, false, false, false,
false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false,
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_test_input.cc author Tom Peters <thopeter@cisco.com>
+// http_test_input.cc author Tom Peters <thopeter@cisco.com>
#ifdef REG_TEST
#include <assert.h>
#include <stdexcept>
-#include "nhttp_module.h"
-#include "nhttp_test_manager.h"
-#include "nhttp_test_input.h"
+#include "http_module.h"
+#include "http_test_manager.h"
+#include "http_test_input.h"
-using namespace NHttpEnums;
+using namespace HttpEnums;
static unsigned convert_num_octets(char buffer[], unsigned length)
{
return amount;
}
-NHttpTestInput::NHttpTestInput(const char* file_name)
+HttpTestInput::HttpTestInput(const char* file_name)
{
if ((test_data_file = fopen(file_name, "r")) == nullptr)
throw std::runtime_error("Cannot open test input file");
}
-void NHttpTestInput::reset()
+void HttpTestInput::reset()
{
flushed = false;
last_source_id = SRC_CLIENT;
}
// Each test needs separate peg counts
- NHttpModule::reset_peg_counts();
+ HttpModule::reset_peg_counts();
}
// Read from the test data file and present to StreamSplitter. In the process we may need to skip
// comments, execute simple commands, and handle escape sequences. The best way to understand this
// function is to read dev_notes.txt.
-void NHttpTestInput::scan(uint8_t*& data, uint32_t& length, SourceId source_id, uint64_t seq_num)
+void HttpTestInput::scan(uint8_t*& data, uint32_t& length, SourceId source_id, uint64_t seq_num)
{
bool skip_to_break = false;
if (seq_num != curr_seq_num)
{
test_number = test_number * 10 + (command_value[j] - '0');
}
- NHttpTestManager::update_test_number(test_number);
+ HttpTestManager::update_test_number(test_number);
}
else
{
return;
}
-void NHttpTestInput::flush(uint32_t num_octets)
+void HttpTestInput::flush(uint32_t num_octets)
{
flush_octets = previous_offset + num_octets;
assert(flush_octets <= MAX_OCTETS);
flushed = true;
}
-void NHttpTestInput::reassemble(uint8_t** buffer, unsigned& length, SourceId source_id,
+void HttpTestInput::reassemble(uint8_t** buffer, unsigned& length, SourceId source_id,
bool& tcp_close)
{
*buffer = nullptr;
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_test_input.h author Tom Peters <thopeter@cisco.com>
+// http_test_input.h author Tom Peters <thopeter@cisco.com>
-#ifndef NHTTP_TEST_INPUT_H
-#define NHTTP_TEST_INPUT_H
+#ifndef HTTP_TEST_INPUT_H
+#define HTTP_TEST_INPUT_H
#ifdef REG_TEST
#include <stdio.h>
-#include "nhttp_enum.h"
-#include "nhttp_flow_data.h"
+#include "http_enum.h"
+#include "http_flow_data.h"
-class NHttpTestInput
+class HttpTestInput
{
public:
- NHttpTestInput(const char* fileName);
- void scan(uint8_t*& data, uint32_t& length, NHttpEnums::SourceId source_id, uint64_t seq_num);
+ HttpTestInput(const char* fileName);
+ void scan(uint8_t*& data, uint32_t& length, HttpEnums::SourceId source_id, uint64_t seq_num);
void flush(uint32_t num_octets);
- void reassemble(uint8_t** buffer, unsigned& length, NHttpEnums::SourceId source_id,
+ void reassemble(uint8_t** buffer, unsigned& length, HttpEnums::SourceId source_id,
bool& tcp_close);
private:
FILE* test_data_file;
- uint8_t msg_buf[2 * NHttpEnums::MAX_OCTETS];
+ uint8_t msg_buf[2 * HttpEnums::MAX_OCTETS];
FILE* include_file = nullptr;
// break command has been read and we are waiting for a new flow to start
bool flushed = false;
// current direction of traffic flow. Toggled by commands in file.
- NHttpEnums::SourceId last_source_id = NHttpEnums::SRC_CLIENT;
+ HttpEnums::SourceId last_source_id = HttpEnums::SRC_CLIENT;
// reassemble() just completed and all flushed octets forwarded, time to resume scan()
bool just_flushed = true;
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_test_manager.cc author Tom Peters <thopeter@cisco.com>
+// http_test_manager.cc author Tom Peters <thopeter@cisco.com>
#ifdef REG_TEST
#include <stdexcept>
-#include "nhttp_test_manager.h"
-#include "nhttp_test_input.h"
+#include "http_test_manager.h"
+#include "http_test_input.h"
-bool NHttpTestManager::test_input = false;
-bool NHttpTestManager::test_output = false;
-NHttpTestInput* NHttpTestManager::test_input_source = nullptr;
-const char* NHttpTestManager::test_output_prefix = "httpresults/testcase";
-int64_t NHttpTestManager::test_number = -1;
-FILE* NHttpTestManager::test_out = nullptr;
-long NHttpTestManager::print_amount = 1200;
-bool NHttpTestManager::print_hex = false;
-bool NHttpTestManager::show_pegs = true;
+bool HttpTestManager::test_input = false;
+bool HttpTestManager::test_output = false;
+HttpTestInput* HttpTestManager::test_input_source = nullptr;
+const char* HttpTestManager::test_output_prefix = "httpresults/testcase";
+int64_t HttpTestManager::test_number = -1;
+FILE* HttpTestManager::test_out = nullptr;
+long HttpTestManager::print_amount = 1200;
+bool HttpTestManager::print_hex = false;
+bool HttpTestManager::show_pegs = true;
-void NHttpTestManager::update_test_number(int64_t new_test_number)
+void HttpTestManager::update_test_number(int64_t new_test_number)
{
if (new_test_number != test_number)
{
}
}
-void NHttpTestManager::activate_test_input()
+void HttpTestManager::activate_test_input()
{
test_input = true;
if (test_input_source == nullptr)
{
- test_input_source = new NHttpTestInput("http_test_msgs.txt");
+ test_input_source = new HttpTestInput("http_test_msgs.txt");
}
}
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_test_manager.h author Tom Peters <thopeter@cisco.com>
+// http_test_manager.h author Tom Peters <thopeter@cisco.com>
-#ifndef NHTTP_TEST_MANAGER_H
-#define NHTTP_TEST_MANAGER_H
+#ifndef HTTP_TEST_MANAGER_H
+#define HTTP_TEST_MANAGER_H
#ifdef REG_TEST
#include <stdio.h>
//-------------------------------------------------------------------------
-// NHttpTestManager class
+// HttpTestManager class
//-------------------------------------------------------------------------
-class NHttpTestInput;
+class HttpTestInput;
-class NHttpTestManager
+class HttpTestManager
{
public:
static bool use_test_input() { return test_input; }
static void activate_test_input();
static void activate_test_output() { test_output = true; }
- static NHttpTestInput* get_test_input_source() { return test_input_source; }
+ static HttpTestInput* get_test_input_source() { return test_input_source; }
static void update_test_number(int64_t new_test_number);
static bool use_test_output() { return test_output || test_input; }
static FILE* get_output_file() { return (test_out != nullptr) ? test_out : stdout; }
static bool get_show_pegs() { return show_pegs; }
private:
- NHttpTestManager() = delete;
+ HttpTestManager() = delete;
static bool test_input;
- static NHttpTestInput* test_input_source;
+ static HttpTestInput* test_input_source;
// Printing results of message processing
static bool test_output;
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_transaction.cc author Tom Peters <thopeter@cisco.com>
+// http_transaction.cc author Tom Peters <thopeter@cisco.com>
#include <sys/types.h>
-#include "nhttp_enum.h"
-#include "nhttp_transaction.h"
-#include "nhttp_msg_request.h"
-#include "nhttp_msg_status.h"
-#include "nhttp_msg_header.h"
-#include "nhttp_msg_trailer.h"
-#include "nhttp_msg_body.h"
+#include "http_enum.h"
+#include "http_transaction.h"
+#include "http_msg_request.h"
+#include "http_msg_status.h"
+#include "http_msg_header.h"
+#include "http_msg_trailer.h"
+#include "http_msg_body.h"
-using namespace NHttpEnums;
+using namespace HttpEnums;
-NHttpTransaction::~NHttpTransaction()
+HttpTransaction::~HttpTransaction()
{
delete request;
delete status;
delete latest_body;
}
-NHttpTransaction* NHttpTransaction::attach_my_transaction(NHttpFlowData* session_data, SourceId
+HttpTransaction* HttpTransaction::attach_my_transaction(HttpFlowData* session_data, SourceId
source_id)
{
// This factory method:
delete_transaction(session_data->transaction[SRC_CLIENT]);
}
}
- session_data->transaction[SRC_CLIENT] = new NHttpTransaction;
+ session_data->transaction[SRC_CLIENT] = new HttpTransaction;
}
// This transaction has more than one response. This is a new response which is replacing the
// interim response. The two responses cannot coexist so we must clean up the interim response.
if (session_data->pipeline_underflow)
{
// A previous underflow separated the two sides forever
- session_data->transaction[SRC_SERVER] = new NHttpTransaction;
+ session_data->transaction[SRC_SERVER] = new HttpTransaction;
}
else if ((session_data->transaction[SRC_SERVER] = session_data->take_from_pipeline()) ==
nullptr)
// Either there is no request at all or there is a request but a previous response
// already took it. Either way we have more responses than requests.
session_data->pipeline_underflow = true;
- session_data->transaction[SRC_SERVER] = new NHttpTransaction;
+ session_data->transaction[SRC_SERVER] = new HttpTransaction;
}
else if (session_data->type_expected[SRC_CLIENT] == SEC_REQUEST)
return session_data->transaction[source_id];
}
-void NHttpTransaction::delete_transaction(NHttpTransaction* transaction)
+void HttpTransaction::delete_transaction(HttpTransaction* transaction)
{
if (transaction != nullptr)
{
}
}
-void NHttpTransaction::set_body(NHttpMsgBody* latest_body_)
+void HttpTransaction::set_body(HttpMsgBody* latest_body_)
{
delete latest_body;
latest_body = latest_body_;
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_transaction.h author Tom Peters <thopeter@cisco.com>
+// http_transaction.h author Tom Peters <thopeter@cisco.com>
#ifndef TRANSACTION_H
#define TRANSACTION_H
-#include "nhttp_enum.h"
-#include "nhttp_flow_data.h"
+#include "http_enum.h"
+#include "http_flow_data.h"
-class NHttpMsgRequest;
-class NHttpMsgStatus;
-class NHttpMsgHeader;
-class NHttpMsgTrailer;
-class NHttpMsgSection;
-class NHttpMsgBody;
-class NHttpMsgHeadShared;
+class HttpMsgRequest;
+class HttpMsgStatus;
+class HttpMsgHeader;
+class HttpMsgTrailer;
+class HttpMsgSection;
+class HttpMsgBody;
+class HttpMsgHeadShared;
-class NHttpTransaction
+class HttpTransaction
{
public:
- static NHttpTransaction* attach_my_transaction(NHttpFlowData* session_data,
- NHttpEnums::SourceId source_id);
- static void delete_transaction(NHttpTransaction* transaction);
+ static HttpTransaction* attach_my_transaction(HttpFlowData* session_data,
+ HttpEnums::SourceId source_id);
+ static void delete_transaction(HttpTransaction* transaction);
- NHttpMsgRequest* get_request() const { return request; }
- void set_request(NHttpMsgRequest* request_) { request = request_; }
+ HttpMsgRequest* get_request() const { return request; }
+ void set_request(HttpMsgRequest* request_) { request = request_; }
- NHttpMsgStatus* get_status() const { return status; }
- void set_status(NHttpMsgStatus* status_) { status = status_; }
+ HttpMsgStatus* get_status() const { return status; }
+ void set_status(HttpMsgStatus* status_) { status = status_; }
- NHttpMsgHeader* get_header(NHttpEnums::SourceId source_id) const { return header[source_id]; }
- void set_header(NHttpMsgHeader* header_, NHttpEnums::SourceId source_id)
+ HttpMsgHeader* get_header(HttpEnums::SourceId source_id) const { return header[source_id]; }
+ void set_header(HttpMsgHeader* header_, HttpEnums::SourceId source_id)
{ header[source_id] = header_; }
- NHttpMsgTrailer* get_trailer(NHttpEnums::SourceId source_id) const
+ HttpMsgTrailer* get_trailer(HttpEnums::SourceId source_id) const
{ return trailer[source_id]; }
- void set_trailer(NHttpMsgTrailer* trailer_, NHttpEnums::SourceId source_id)
+ void set_trailer(HttpMsgTrailer* trailer_, HttpEnums::SourceId source_id)
{ trailer[source_id] = trailer_; }
- NHttpMsgBody* get_body() const { return latest_body; }
- void set_body(NHttpMsgBody* latest_body_);
+ HttpMsgBody* get_body() const { return latest_body; }
+ void set_body(HttpMsgBody* latest_body_);
void second_response_coming() { assert(response_seen); second_response_expected = true; }
bool final_response() const { return !second_response_expected; }
private:
- NHttpTransaction() = default;
- ~NHttpTransaction();
-
- NHttpMsgRequest* request = nullptr;
- NHttpMsgStatus* status = nullptr;
- NHttpMsgHeader* header[2] = { nullptr, nullptr };
- NHttpMsgTrailer* trailer[2] = { nullptr, nullptr };
- NHttpMsgBody* latest_body = nullptr;
+ HttpTransaction() = default;
+ ~HttpTransaction();
+
+ HttpMsgRequest* request = nullptr;
+ HttpMsgStatus* status = nullptr;
+ HttpMsgHeader* header[2] = { nullptr, nullptr };
+ HttpMsgTrailer* trailer[2] = { nullptr, nullptr };
+ HttpMsgBody* latest_body = nullptr;
bool response_seen = false;
bool second_response_expected = false;
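Review bot: The include guard `#ifndef TRANSACTION_H` / `#define TRANSACTION_H` in http_transaction.h is left un-prefixed, while the other headers touched by this change move their guards from `NHTTP_*_H` to `HTTP_*_H` (http_test_input.h, http_test_manager.h, http_uri.h, http_uri_norm.h). A bare `TRANSACTION_H` can collide with any other transaction.h in the tree, and the collision is silent: whichever header is included second is dropped from the translation unit, leaving the `HttpTransaction` declarations missing with a confusing error far from the cause. Suggest `#ifndef HTTP_TRANSACTION_H` / `#define HTTP_TRANSACTION_H` for consistency with the rest of the rename; the matching `#endif` is outside the visible hunk.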
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_uri.cc author Tom Peters <thopeter@cisco.com>
+// http_uri.cc author Tom Peters <thopeter@cisco.com>
#include <assert.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
-#include "nhttp_enum.h"
-#include "nhttp_module.h"
-#include "nhttp_uri.h"
+#include "http_enum.h"
+#include "http_module.h"
+#include "http_uri.h"
-using namespace NHttpEnums;
+using namespace HttpEnums;
-NHttpUri::~NHttpUri()
+HttpUri::~HttpUri()
{
if (classic_norm_allocated)
delete[] classic_norm.start;
}
-void NHttpUri::parse_uri()
+void HttpUri::parse_uri()
{
// Four basic types of HTTP URI
// "*" means request does not apply to any specific resource
}
}
-void NHttpUri::parse_authority()
+void HttpUri::parse_authority()
{
if (authority.length <= 0)
{
port.length = STAT_NOT_PRESENT;
}
-void NHttpUri::parse_abs_path()
+void HttpUri::parse_abs_path()
{
// path?query#fragment
// path is always present in absolute path, while query and fragment are optional
}
}
-void NHttpUri::check_oversize_dir(Field uri_field)
+void HttpUri::check_oversize_dir(Field uri_field)
{
int32_t total_length = 0;
const uint8_t* last_dir = nullptr;
cur++;
}
}
-void NHttpUri::normalize()
+void HttpUri::normalize()
{
// Divide the URI up into its six components: scheme, host, port, path, query, and fragment
parse_uri();
return;
}
- NHttpModule::increment_peg_counts(PEG_URI_NORM);
+ HttpModule::increment_peg_counts(PEG_URI_NORM);
// Create a new buffer containing the normalized URI by normalizing each individual piece.
const uint32_t total_length = uri.length + UriNormalizer::URI_NORM_EXPANSION;
if ((infractions & INF_URI_MULTISLASH) || (infractions & INF_URI_SLASH_DOT) ||
(infractions & INF_URI_SLASH_DOT_DOT))
{
- NHttpModule::increment_peg_counts(PEG_URI_PATH);
+ HttpModule::increment_peg_counts(PEG_URI_PATH);
}
if ((infractions & INF_URI_U_ENCODE) || (infractions & INF_URI_UNKNOWN_PERCENT) ||
(infractions & INF_URI_PERCENT_UNRESERVED) || (infractions & INF_URI_PERCENT_UTF8_2B) ||
(infractions & INF_URI_PERCENT_UTF8_3B) || (infractions & INF_URI_DOUBLE_DECODE))
{
- NHttpModule::increment_peg_counts(PEG_URI_CODING);
+ HttpModule::increment_peg_counts(PEG_URI_CODING);
}
check_oversize_dir(path_norm);
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_uri.h author Tom Peters <thopeter@cisco.com>
+// http_uri.h author Tom Peters <thopeter@cisco.com>
-#ifndef NHTTP_URI_H
-#define NHTTP_URI_H
+#ifndef HTTP_URI_H
+#define HTTP_URI_H
-#include "nhttp_str_to_code.h"
-#include "nhttp_module.h"
-#include "nhttp_uri_norm.h"
-#include "nhttp_field.h"
-#include "nhttp_infractions.h"
-#include "nhttp_event_gen.h"
+#include "http_str_to_code.h"
+#include "http_module.h"
+#include "http_uri_norm.h"
+#include "http_field.h"
+#include "http_infractions.h"
+#include "http_event_gen.h"
//-------------------------------------------------------------------------
-// NHttpUri class
+// HttpUri class
//-------------------------------------------------------------------------
-class NHttpUri
+class HttpUri
{
public:
- NHttpUri(const uint8_t* start, int32_t length, NHttpEnums::MethodId method_id_,
- const NHttpParaList::UriParam& uri_param_, NHttpInfractions& infractions_,
- NHttpEventGen& events_) :
+ HttpUri(const uint8_t* start, int32_t length, HttpEnums::MethodId method_id_,
+ const HttpParaList::UriParam& uri_param_, HttpInfractions& infractions_,
+ HttpEventGen& events_) :
uri(length, start), method_id(method_id_), uri_param(uri_param_),
infractions(infractions_), events(events_)
{ normalize(); }
- ~NHttpUri();
+ ~HttpUri();
const Field& get_uri() const { return uri; }
- NHttpEnums::UriType get_uri_type() { return uri_type; }
+ HttpEnums::UriType get_uri_type() { return uri_type; }
const Field& get_scheme() { return scheme; }
const Field& get_authority() { return authority; }
const Field& get_host() { return host; }
private:
const Field uri;
- const NHttpEnums::MethodId method_id;
- const NHttpParaList::UriParam& uri_param;
- NHttpInfractions& infractions;
- NHttpEventGen& events;
+ const HttpEnums::MethodId method_id;
+ const HttpParaList::UriParam& uri_param;
+ HttpInfractions& infractions;
+ HttpEventGen& events;
Field scheme;
Field authority;
Field query;
Field fragment;
- NHttpEnums::UriType uri_type = NHttpEnums::URI__NOT_COMPUTE;
+ HttpEnums::UriType uri_type = HttpEnums::URI__NOT_COMPUTE;
Field host_norm;
Field path_norm;
Field query_norm;
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_uri_norm.cc author Tom Peters <thopeter@cisco.com>
+// http_uri_norm.cc author Tom Peters <thopeter@cisco.com>
#include <assert.h>
#include <sys/types.h>
#include "log/messages.h"
-#include "nhttp_enum.h"
-#include "nhttp_uri_norm.h"
+#include "http_enum.h"
+#include "http_uri_norm.h"
-using namespace NHttpEnums;
+using namespace HttpEnums;
void UriNormalizer::normalize(const Field& input, Field& result, bool do_path, uint8_t* buffer,
- const NHttpParaList::UriParam& uri_param, NHttpInfractions& infractions, NHttpEventGen& events)
+ const HttpParaList::UriParam& uri_param, HttpInfractions& infractions, HttpEventGen& events)
{
// Normalize percent encodings and similar escape sequences
int32_t data_length = norm_char_clean(input, buffer, uri_param, infractions, events);
}
bool UriNormalizer::need_norm(const Field& uri_component, bool do_path,
- const NHttpParaList::UriParam& uri_param, NHttpInfractions& infractions, NHttpEventGen& events)
+ const HttpParaList::UriParam& uri_param, HttpInfractions& infractions, HttpEventGen& events)
{
bool need_it;
if (do_path && uri_param.simplify_path)
}
bool UriNormalizer::need_norm_no_path(const Field& uri_component,
- const NHttpParaList::UriParam& uri_param)
+ const HttpParaList::UriParam& uri_param)
{
const int32_t& length = uri_component.length;
const uint8_t* const & buf = uri_component.start;
}
bool UriNormalizer::need_norm_path(const Field& uri_component,
- const NHttpParaList::UriParam& uri_param)
+ const HttpParaList::UriParam& uri_param)
{
const int32_t& length = uri_component.length;
const uint8_t* const & buf = uri_component.start;
}
int32_t UriNormalizer::norm_char_clean(const Field& input, uint8_t* out_buf,
- const NHttpParaList::UriParam& uri_param, NHttpInfractions& infractions, NHttpEventGen& events)
+ const HttpParaList::UriParam& uri_param, HttpInfractions& infractions, HttpEventGen& events)
{
bool utf8_needed = false;
bool double_decoding_needed = false;
}
int32_t UriNormalizer::norm_percent_processing(const Field& input, uint8_t* out_buf,
- const NHttpParaList::UriParam& uri_param, bool& utf8_needed,
+ const HttpParaList::UriParam& uri_param, bool& utf8_needed,
std::vector<bool>& percent_encoded, bool& double_decoding_needed,
- NHttpInfractions& infractions, NHttpEventGen& events)
+ HttpInfractions& infractions, HttpEventGen& events)
{
int32_t length = 0;
for (int32_t k = 0; k < input.length; k++)
}
int32_t UriNormalizer::norm_utf8_processing(const Field& input, uint8_t* out_buf,
- const NHttpParaList::UriParam& uri_param, const std::vector<bool>& percent_encoded,
- bool& double_decoding_needed, NHttpInfractions& infractions, NHttpEventGen& events)
+ const HttpParaList::UriParam& uri_param, const std::vector<bool>& percent_encoded,
+ bool& double_decoding_needed, HttpInfractions& infractions, HttpEventGen& events)
{
int32_t length = 0;
for (int32_t k=0; k < input.length; k++)
}
int32_t UriNormalizer::norm_double_decode(const Field& input, uint8_t* out_buf,
- const NHttpParaList::UriParam& uri_param, NHttpInfractions& infractions,
- NHttpEventGen& events)
+ const HttpParaList::UriParam& uri_param, HttpInfractions& infractions,
+ HttpEventGen& events)
{
// Double decoding is limited to %hh and %u encoding cases
int32_t length = 0;
}
uint8_t UriNormalizer::reduce_to_eight_bits(uint16_t value,
- const NHttpParaList::UriParam& uri_param, NHttpInfractions& infractions, NHttpEventGen& events)
+ const HttpParaList::UriParam& uri_param, HttpInfractions& infractions, HttpEventGen& events)
{
// FIXIT-M are values <= 0xFF subject to the unicode map?
if (value <= 0xFF)
}
void UriNormalizer::detect_bad_char(const Field& uri_component,
- const NHttpParaList::UriParam& uri_param, NHttpInfractions& infractions, NHttpEventGen& events)
+ const HttpParaList::UriParam& uri_param, HttpInfractions& infractions, HttpEventGen& events)
{
// If the bad character detection feature is not configured we quit
if (uri_param.bad_characters.count() == 0)
// Replace backslash with slash and plus with space
void UriNormalizer::norm_substitute(uint8_t* buf, int32_t length,
- const NHttpParaList::UriParam& uri_param, NHttpInfractions& infractions, NHttpEventGen& events)
+ const HttpParaList::UriParam& uri_param, HttpInfractions& infractions, HttpEventGen& events)
{
if (uri_param.backslash_to_slash)
{
// Caution: worst case output length is one greater than input length
int32_t UriNormalizer::norm_path_clean(uint8_t* buf, const int32_t in_length,
- NHttpInfractions& infractions, NHttpEventGen& events)
+ HttpInfractions& infractions, HttpEventGen& events)
{
- // This is supposed to be the path portion of a URI. Read NHttpUri::parse_uri() for an
+ // This is supposed to be the path portion of a URI. Read HttpUri::parse_uri() for an
// explanation.
assert(buf[0] == '/');
// Provide traditional URI-style normalization for buffers that usually are not URIs
void UriNormalizer::classic_normalize(const Field& input, Field& result, uint8_t* buffer,
- const NHttpParaList::UriParam& uri_param)
+ const HttpParaList::UriParam& uri_param)
{
// The requirements for generating events related to these normalizations are unclear. It
// definitely doesn't seem right to generate standard URI events. For now we won't generate
// infraction logic with legacy problems. The following centralizes all the messiness here so
// that we can conveniently modify it as requirements are better understood.
- NHttpInfractions unused;
- NHttpDummyEventGen dummy_ev;
+ HttpInfractions unused;
+ HttpDummyEventGen dummy_ev;
// Normalize character escape sequences
int32_t data_length = norm_char_clean(input, buffer, uri_param, unused, dummy_ev);
}
bool UriNormalizer::classic_need_norm(const Field& uri_component, bool do_path,
- const NHttpParaList::UriParam& uri_param)
+ const HttpParaList::UriParam& uri_param)
{
- NHttpInfractions unused;
- NHttpDummyEventGen dummy_ev;
+ HttpInfractions unused;
+ HttpDummyEventGen dummy_ev;
return need_norm(uri_component, do_path, uri_param, unused, dummy_ev);
}
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_uri_norm.h author Tom Peters <thopeter@cisco.com>
+// http_uri_norm.h author Tom Peters <thopeter@cisco.com>
-#ifndef NHTTP_URI_NORM_H
-#define NHTTP_URI_NORM_H
+#ifndef HTTP_URI_NORM_H
+#define HTTP_URI_NORM_H
#include <vector>
#include <string>
-#include "nhttp_enum.h"
-#include "nhttp_field.h"
-#include "nhttp_module.h"
-#include "nhttp_infractions.h"
-#include "nhttp_event_gen.h"
+#include "http_enum.h"
+#include "http_field.h"
+#include "http_module.h"
+#include "http_infractions.h"
+#include "http_event_gen.h"
class UriNormalizer
{
static const unsigned URI_NORM_EXPANSION = 1;
static bool need_norm(const Field& uri_component, bool do_path,
- const NHttpParaList::UriParam& uri_param, NHttpInfractions& infractions,
- NHttpEventGen& events);
+ const HttpParaList::UriParam& uri_param, HttpInfractions& infractions,
+ HttpEventGen& events);
static void normalize(const Field& input, Field& result, bool do_path, uint8_t* buffer,
- const NHttpParaList::UriParam& uri_param, NHttpInfractions& infractions,
- NHttpEventGen& events);
+ const HttpParaList::UriParam& uri_param, HttpInfractions& infractions,
+ HttpEventGen& events);
static bool classic_need_norm(const Field& uri_component, bool do_path,
- const NHttpParaList::UriParam& uri_param);
+ const HttpParaList::UriParam& uri_param);
static void classic_normalize(const Field& input, Field& result, uint8_t* buffer,
- const NHttpParaList::UriParam& uri_param);
+ const HttpParaList::UriParam& uri_param);
static void load_default_unicode_map(uint8_t map[65536]);
static void load_unicode_map(uint8_t map[65536], const char* filename, int code_page);
private:
static bool need_norm_path(const Field& uri_component,
- const NHttpParaList::UriParam& uri_param);
+ const HttpParaList::UriParam& uri_param);
static bool need_norm_no_path(const Field& uri_component,
- const NHttpParaList::UriParam& uri_param);
+ const HttpParaList::UriParam& uri_param);
static int32_t norm_char_clean(const Field& input, uint8_t* out_buf,
- const NHttpParaList::UriParam& uri_param, NHttpInfractions& infractions,
- NHttpEventGen& events);
+ const HttpParaList::UriParam& uri_param, HttpInfractions& infractions,
+ HttpEventGen& events);
static int32_t norm_percent_processing(const Field& input, uint8_t* out_buf,
- const NHttpParaList::UriParam& uri_param, bool& utf8_needed,
+ const HttpParaList::UriParam& uri_param, bool& utf8_needed,
std::vector<bool>& percent_encoded, bool& double_decoding_needed,
- NHttpInfractions& infractions, NHttpEventGen& events);
+ HttpInfractions& infractions, HttpEventGen& events);
static int32_t norm_utf8_processing(const Field& input, uint8_t* out_buf,
- const NHttpParaList::UriParam& uri_param, const std::vector<bool>& percent_encoded,
- bool& double_decoding_needed, NHttpInfractions& infractions, NHttpEventGen& events);
+ const HttpParaList::UriParam& uri_param, const std::vector<bool>& percent_encoded,
+ bool& double_decoding_needed, HttpInfractions& infractions, HttpEventGen& events);
static int32_t norm_double_decode(const Field& input, uint8_t* out_buf,
- const NHttpParaList::UriParam& uri_param, NHttpInfractions& infractions,
- NHttpEventGen& events);
+ const HttpParaList::UriParam& uri_param, HttpInfractions& infractions,
+ HttpEventGen& events);
static void norm_substitute(uint8_t* buf, int32_t length,
- const NHttpParaList::UriParam& uri_param, NHttpInfractions& infractions,
- NHttpEventGen& events);
+ const HttpParaList::UriParam& uri_param, HttpInfractions& infractions,
+ HttpEventGen& events);
static int32_t norm_path_clean(uint8_t* buf, const int32_t in_length,
- NHttpInfractions& infractions, NHttpEventGen& events);
+ HttpInfractions& infractions, HttpEventGen& events);
static void detect_bad_char(const Field& uri_component,
- const NHttpParaList::UriParam& uri_param, NHttpInfractions& infractions,
- NHttpEventGen& events);
- static uint8_t reduce_to_eight_bits(uint16_t value, const NHttpParaList::UriParam& uri_param,
- NHttpInfractions& infractions, NHttpEventGen& events);
+ const HttpParaList::UriParam& uri_param, HttpInfractions& infractions,
+ HttpEventGen& events);
+ static uint8_t reduce_to_eight_bits(uint16_t value, const HttpParaList::UriParam& uri_param,
+ HttpInfractions& infractions, HttpEventGen& events);
static bool advance_to_code_page(FILE* file, int page_to_use);
static bool map_code_points(FILE* file, uint8_t* map);
static inline uint16_t extract_u_encoding(const Field& input, int32_t index);
// An artifice used by the classic normalization methods to disable event generation
- class NHttpDummyEventGen : public NHttpEventGen
+ class HttpDummyEventGen : public HttpEventGen
{
- void create_event(NHttpEnums::EventSid) override {}
+ void create_event(HttpEnums::EventSid) override {}
};
};
bool UriNormalizer::is_percent_encoding(const Field& input, int32_t index)
{
return (index+2 < input.length) &&
- (NHttpEnums::as_hex[input.start[index+1]] != -1) &&
- (NHttpEnums::as_hex[input.start[index+2]] != -1);
+ (HttpEnums::as_hex[input.start[index+1]] != -1) &&
+ (HttpEnums::as_hex[input.start[index+2]] != -1);
}
uint8_t UriNormalizer::extract_percent_encoding(const Field& input, int32_t index)
{
- return NHttpEnums::as_hex[input.start[index+1]] << 4 |
- NHttpEnums::as_hex[input.start[index+2]];
+ return HttpEnums::as_hex[input.start[index+1]] << 4 |
+ HttpEnums::as_hex[input.start[index+2]];
}
bool UriNormalizer::is_u_encoding(const Field& input, int32_t index)
{
return (index+5 < input.length) &&
((input.start[index+1] == 'u') || (input.start[index+1] == 'U')) &&
- (NHttpEnums::as_hex[input.start[index+2]] != -1) &&
- (NHttpEnums::as_hex[input.start[index+3]] != -1) &&
- (NHttpEnums::as_hex[input.start[index+4]] != -1) &&
- (NHttpEnums::as_hex[input.start[index+5]] != -1);
+ (HttpEnums::as_hex[input.start[index+2]] != -1) &&
+ (HttpEnums::as_hex[input.start[index+3]] != -1) &&
+ (HttpEnums::as_hex[input.start[index+4]] != -1) &&
+ (HttpEnums::as_hex[input.start[index+5]] != -1);
}
uint16_t UriNormalizer::extract_u_encoding(const Field& input, int32_t index)
{
- return (NHttpEnums::as_hex[input.start[index+2]] << 12) |
- (NHttpEnums::as_hex[input.start[index+3]] << 8) |
- (NHttpEnums::as_hex[input.start[index+4]] << 4) |
- NHttpEnums::as_hex[input.start[index+5]];
+ return (HttpEnums::as_hex[input.start[index+2]] << 12) |
+ (HttpEnums::as_hex[input.start[index+3]] << 8) |
+ (HttpEnums::as_hex[input.start[index+4]] << 4) |
+ HttpEnums::as_hex[input.start[index+5]];
}
#endif
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// ips_nhttp.cc author Tom Peters <thopeter@cisco.com>
+// ips_http.cc author Tom Peters <thopeter@cisco.com>
#include <array>
#include "hash/sfhashfcn.h"
#include "log/messages.h"
-#include "nhttp_inspect.h"
-#include "nhttp_msg_head_shared.h"
-#include "ips_nhttp.h"
+#include "http_inspect.h"
+#include "http_msg_head_shared.h"
+#include "ips_http.h"
-using namespace NHttpEnums;
+using namespace HttpEnums;
-THREAD_LOCAL std::array<ProfileStats, PSI_MAX> NHttpCursorModule::http_ps;
+THREAD_LOCAL std::array<ProfileStats, PSI_MAX> HttpCursorModule::http_ps;
-bool NHttpCursorModule::begin(const char*, int, SnortConfig*)
+bool HttpCursorModule::begin(const char*, int, SnortConfig*)
{
para_list.reset();
sub_id = 0;
form = 0;
switch (buffer_index)
{
- case NHTTP_BUFFER_URI:
- case NHTTP_BUFFER_RAW_URI:
- case NHTTP_BUFFER_STAT_CODE:
- case NHTTP_BUFFER_STAT_MSG:
- case NHTTP_BUFFER_VERSION:
- case NHTTP_BUFFER_METHOD:
- case NHTTP_BUFFER_HEADER:
- case NHTTP_BUFFER_RAW_HEADER:
- case NHTTP_BUFFER_COOKIE:
- case NHTTP_BUFFER_RAW_COOKIE:
- case NHTTP_BUFFER_RAW_REQUEST:
- case NHTTP_BUFFER_RAW_STATUS:
+ case HTTP_BUFFER_URI:
+ case HTTP_BUFFER_RAW_URI:
+ case HTTP_BUFFER_STAT_CODE:
+ case HTTP_BUFFER_STAT_MSG:
+ case HTTP_BUFFER_VERSION:
+ case HTTP_BUFFER_METHOD:
+ case HTTP_BUFFER_HEADER:
+ case HTTP_BUFFER_RAW_HEADER:
+ case HTTP_BUFFER_COOKIE:
+ case HTTP_BUFFER_RAW_COOKIE:
+ case HTTP_BUFFER_RAW_REQUEST:
+ case HTTP_BUFFER_RAW_STATUS:
inspect_section = IS_DETECTION;
break;
- case NHTTP_BUFFER_CLIENT_BODY:
+ case HTTP_BUFFER_CLIENT_BODY:
inspect_section = IS_BODY;
break;
- case NHTTP_BUFFER_TRAILER:
- case NHTTP_BUFFER_RAW_TRAILER:
+ case HTTP_BUFFER_TRAILER:
+ case HTTP_BUFFER_RAW_TRAILER:
inspect_section = IS_TRAILER;
break;
default:
return true;
}
-bool NHttpCursorModule::set(const char*, Value& v, SnortConfig*)
+bool HttpCursorModule::set(const char*, Value& v, SnortConfig*)
{
if (v.is("field"))
{
lower_name[k] = ((para_list.field[k] < 'A') || (para_list.field[k] > 'Z')) ?
para_list.field[k] : para_list.field[k] - ('A' - 'a');
}
- sub_id = str_to_code(lower_name, name_size, NHttpMsgHeadShared::header_list);
+ sub_id = str_to_code(lower_name, name_size, HttpMsgHeadShared::header_list);
if (sub_id == STAT_OTHER)
ParseError("Unrecognized header field name");
}
return true;
}
-bool NHttpCursorModule::end(const char*, int, SnortConfig*)
+bool HttpCursorModule::end(const char*, int, SnortConfig*)
{
// Check for option conflicts
if (para_list.with_header + para_list.with_body + para_list.with_trailer > 1)
ParseError("Only specify one with_ option. Use the one that happens last.");
- if (((buffer_index == NHTTP_BUFFER_TRAILER) || (buffer_index == NHTTP_BUFFER_RAW_TRAILER)) &&
+ if (((buffer_index == HTTP_BUFFER_TRAILER) || (buffer_index == HTTP_BUFFER_RAW_TRAILER)) &&
(para_list.with_header || para_list.with_body) &&
!para_list.request)
ParseError("Trailers with with_ option must also specify request");
return true;
}
-void NHttpCursorModule::NHttpRuleParaList::reset()
+void HttpCursorModule::HttpRuleParaList::reset()
{
field.clear();
request = false;
fragment = false;
}
-uint32_t NHttpIpsOption::hash() const
+uint32_t HttpIpsOption::hash() const
{
uint32_t a = IpsOption::hash();
uint32_t b = (uint32_t)inspect_section;
return f;
}
-bool NHttpIpsOption::operator==(const IpsOption& ips) const
+bool HttpIpsOption::operator==(const IpsOption& ips) const
{
- const NHttpIpsOption& nhio = static_cast<const NHttpIpsOption&>(ips);
+ const HttpIpsOption& hio = static_cast<const HttpIpsOption&>(ips);
return IpsOption::operator==(ips) &&
- inspect_section == nhio.inspect_section &&
- sub_id == nhio.sub_id &&
- form == nhio.form;
+ inspect_section == hio.inspect_section &&
+ sub_id == hio.sub_id &&
+ form == hio.form;
}
-int NHttpIpsOption::eval(Cursor& c, Packet* p)
+int HttpIpsOption::eval(Cursor& c, Packet* p)
{
- Profile profile(NHttpCursorModule::http_ps[psi]);
+ Profile profile(HttpCursorModule::http_ps[psi]);
if (!p->flow || !p->flow->gadget)
return DETECTION_OPTION_NO_MATCH;
- if (NHttpInspect::get_latest_is() != inspect_section)
+ if (HttpInspect::get_latest_is() != inspect_section)
{
// It is OK to provide a body buffer during the detection section. If there actually is
// a body buffer available then the detection section must also be the first body section.
- if (! ((inspect_section == IS_BODY) && (NHttpInspect::get_latest_is() == IS_DETECTION)) )
+ if (! ((inspect_section == IS_BODY) && (HttpInspect::get_latest_is() == IS_DETECTION)) )
return DETECTION_OPTION_NO_MATCH;
}
InspectionBuffer hb;
- if (! ((NHttpInspect*)(p->flow->gadget))->
- nhttp_get_buf((unsigned)buffer_index, sub_id, form, nullptr, hb))
+ if (! ((HttpInspect*)(p->flow->gadget))->
+ http_get_buf((unsigned)buffer_index, sub_id, form, nullptr, hb))
return DETECTION_OPTION_NO_MATCH;
c.set(key, hb.data, hb.len);
static Module* uri_mod_ctor()
{
- return new NHttpCursorModule(IPS_OPT, IPS_HELP, NHTTP_BUFFER_URI, CAT_SET_KEY, PSI_URI,
+ return new HttpCursorModule(IPS_OPT, IPS_HELP, HTTP_BUFFER_URI, CAT_SET_KEY, PSI_URI,
http_uri_params);
}
IPS_OPT,
IPS_HELP,
uri_mod_ctor,
- NHttpCursorModule::mod_dtor
+ HttpCursorModule::mod_dtor
},
OPT_TYPE_DETECTION,
0, PROTO_BIT__TCP,
nullptr,
nullptr,
nullptr,
- NHttpIpsOption::opt_ctor,
- NHttpIpsOption::opt_dtor,
+ HttpIpsOption::opt_ctor,
+ HttpIpsOption::opt_dtor,
nullptr
};
static Module* client_body_mod_ctor()
{
- return new NHttpCursorModule(IPS_OPT, IPS_HELP, NHTTP_BUFFER_CLIENT_BODY, CAT_SET_BODY,
+ return new HttpCursorModule(IPS_OPT, IPS_HELP, HTTP_BUFFER_CLIENT_BODY, CAT_SET_BODY,
PSI_CLIENT_BODY);
}
IPS_OPT,
IPS_HELP,
client_body_mod_ctor,
- NHttpCursorModule::mod_dtor
+ HttpCursorModule::mod_dtor
},
OPT_TYPE_DETECTION,
0, PROTO_BIT__TCP,
nullptr,
nullptr,
nullptr,
- NHttpIpsOption::opt_ctor,
- NHttpIpsOption::opt_dtor,
+ HttpIpsOption::opt_ctor,
+ HttpIpsOption::opt_dtor,
nullptr
};
static Module* method_mod_ctor()
{
- return new NHttpCursorModule(IPS_OPT, IPS_HELP, NHTTP_BUFFER_METHOD, CAT_SET_OTHER, PSI_METHOD,
+ return new HttpCursorModule(IPS_OPT, IPS_HELP, HTTP_BUFFER_METHOD, CAT_SET_OTHER, PSI_METHOD,
http_method_params);
}
IPS_OPT,
IPS_HELP,
method_mod_ctor,
- NHttpCursorModule::mod_dtor
+ HttpCursorModule::mod_dtor
},
OPT_TYPE_DETECTION,
0, PROTO_BIT__TCP,
nullptr,
nullptr,
nullptr,
- NHttpIpsOption::opt_ctor,
- NHttpIpsOption::opt_dtor,
+ HttpIpsOption::opt_ctor,
+ HttpIpsOption::opt_dtor,
nullptr
};
static Module* cookie_mod_ctor()
{
- return new NHttpCursorModule(IPS_OPT, IPS_HELP, NHTTP_BUFFER_COOKIE, CAT_SET_OTHER, PSI_COOKIE,
+ return new HttpCursorModule(IPS_OPT, IPS_HELP, HTTP_BUFFER_COOKIE, CAT_SET_OTHER, PSI_COOKIE,
http_cookie_params);
}
IPS_OPT,
IPS_HELP,
cookie_mod_ctor,
- NHttpCursorModule::mod_dtor
+ HttpCursorModule::mod_dtor
},
OPT_TYPE_DETECTION,
0, PROTO_BIT__TCP,
nullptr,
nullptr,
nullptr,
- NHttpIpsOption::opt_ctor,
- NHttpIpsOption::opt_dtor,
+ HttpIpsOption::opt_ctor,
+ HttpIpsOption::opt_dtor,
nullptr
};
static Module* stat_code_mod_ctor()
{
- return new NHttpCursorModule(IPS_OPT, IPS_HELP, NHTTP_BUFFER_STAT_CODE, CAT_SET_OTHER,
+ return new HttpCursorModule(IPS_OPT, IPS_HELP, HTTP_BUFFER_STAT_CODE, CAT_SET_OTHER,
PSI_STAT_CODE, http_stat_code_params);
}
IPS_OPT,
IPS_HELP,
stat_code_mod_ctor,
- NHttpCursorModule::mod_dtor
+ HttpCursorModule::mod_dtor
},
OPT_TYPE_DETECTION,
0, PROTO_BIT__TCP,
nullptr,
nullptr,
nullptr,
- NHttpIpsOption::opt_ctor,
- NHttpIpsOption::opt_dtor,
+ HttpIpsOption::opt_ctor,
+ HttpIpsOption::opt_dtor,
nullptr
};
static Module* stat_msg_mod_ctor()
{
- return new NHttpCursorModule(IPS_OPT, IPS_HELP, NHTTP_BUFFER_STAT_MSG, CAT_SET_OTHER,
+ return new HttpCursorModule(IPS_OPT, IPS_HELP, HTTP_BUFFER_STAT_MSG, CAT_SET_OTHER,
PSI_STAT_MSG, http_stat_msg_params);
}
IPS_OPT,
IPS_HELP,
stat_msg_mod_ctor,
- NHttpCursorModule::mod_dtor
+ HttpCursorModule::mod_dtor
},
OPT_TYPE_DETECTION,
0, PROTO_BIT__TCP,
nullptr,
nullptr,
nullptr,
- NHttpIpsOption::opt_ctor,
- NHttpIpsOption::opt_dtor,
+ HttpIpsOption::opt_ctor,
+ HttpIpsOption::opt_dtor,
nullptr
};
static Module* raw_uri_mod_ctor()
{
- return new NHttpCursorModule(IPS_OPT, IPS_HELP, NHTTP_BUFFER_RAW_URI, CAT_SET_OTHER,
+ return new HttpCursorModule(IPS_OPT, IPS_HELP, HTTP_BUFFER_RAW_URI, CAT_SET_OTHER,
PSI_RAW_URI, http_raw_uri_params);
}
IPS_OPT,
IPS_HELP,
raw_uri_mod_ctor,
- NHttpCursorModule::mod_dtor
+ HttpCursorModule::mod_dtor
},
OPT_TYPE_DETECTION,
0, PROTO_BIT__TCP,
nullptr,
nullptr,
nullptr,
- NHttpIpsOption::opt_ctor,
- NHttpIpsOption::opt_dtor,
+ HttpIpsOption::opt_ctor,
+ HttpIpsOption::opt_dtor,
nullptr
};
static Module* raw_header_mod_ctor()
{
- return new NHttpCursorModule(IPS_OPT, IPS_HELP, NHTTP_BUFFER_RAW_HEADER, CAT_SET_OTHER,
+ return new HttpCursorModule(IPS_OPT, IPS_HELP, HTTP_BUFFER_RAW_HEADER, CAT_SET_OTHER,
PSI_RAW_HEADER, http_raw_header_params);
}
IPS_OPT,
IPS_HELP,
raw_header_mod_ctor,
- NHttpCursorModule::mod_dtor
+ HttpCursorModule::mod_dtor
},
OPT_TYPE_DETECTION,
0, PROTO_BIT__TCP,
nullptr,
nullptr,
nullptr,
- NHttpIpsOption::opt_ctor,
- NHttpIpsOption::opt_dtor,
+ HttpIpsOption::opt_ctor,
+ HttpIpsOption::opt_dtor,
nullptr
};
static Module* raw_cookie_mod_ctor()
{
- return new NHttpCursorModule(IPS_OPT, IPS_HELP, NHTTP_BUFFER_RAW_COOKIE, CAT_SET_OTHER,
+ return new HttpCursorModule(IPS_OPT, IPS_HELP, HTTP_BUFFER_RAW_COOKIE, CAT_SET_OTHER,
PSI_RAW_COOKIE, http_raw_cookie_params);
}
IPS_OPT,
IPS_HELP,
raw_cookie_mod_ctor,
- NHttpCursorModule::mod_dtor
+ HttpCursorModule::mod_dtor
},
OPT_TYPE_DETECTION,
0, PROTO_BIT__TCP,
nullptr,
nullptr,
nullptr,
- NHttpIpsOption::opt_ctor,
- NHttpIpsOption::opt_dtor,
+ HttpIpsOption::opt_ctor,
+ HttpIpsOption::opt_dtor,
nullptr
};
static Module* version_mod_ctor()
{
- return new NHttpCursorModule(IPS_OPT, IPS_HELP, NHTTP_BUFFER_VERSION, CAT_SET_OTHER,
+ return new HttpCursorModule(IPS_OPT, IPS_HELP, HTTP_BUFFER_VERSION, CAT_SET_OTHER,
PSI_VERSION, http_version_params);
}
IPS_OPT,
IPS_HELP,
version_mod_ctor,
- NHttpCursorModule::mod_dtor
+ HttpCursorModule::mod_dtor
},
OPT_TYPE_DETECTION,
0, PROTO_BIT__TCP,
nullptr,
nullptr,
nullptr,
- NHttpIpsOption::opt_ctor,
- NHttpIpsOption::opt_dtor,
+ HttpIpsOption::opt_ctor,
+ HttpIpsOption::opt_dtor,
nullptr
};
static Module* header_mod_ctor()
{
- return new NHttpCursorModule(IPS_OPT, IPS_HELP, NHTTP_BUFFER_HEADER, CAT_SET_HEADER,
+ return new HttpCursorModule(IPS_OPT, IPS_HELP, HTTP_BUFFER_HEADER, CAT_SET_HEADER,
PSI_HEADER, http_header_params);
}
IPS_OPT,
IPS_HELP,
header_mod_ctor,
- NHttpCursorModule::mod_dtor
+ HttpCursorModule::mod_dtor
},
OPT_TYPE_DETECTION,
0, PROTO_BIT__TCP,
nullptr,
nullptr,
nullptr,
- NHttpIpsOption::opt_ctor,
- NHttpIpsOption::opt_dtor,
+ HttpIpsOption::opt_ctor,
+ HttpIpsOption::opt_dtor,
nullptr
};
static Module* trailer_mod_ctor()
{
- return new NHttpCursorModule(IPS_OPT, IPS_HELP, NHTTP_BUFFER_TRAILER, CAT_SET_HEADER,
+ return new HttpCursorModule(IPS_OPT, IPS_HELP, HTTP_BUFFER_TRAILER, CAT_SET_HEADER,
PSI_TRAILER, http_trailer_params);
}
IPS_OPT,
IPS_HELP,
trailer_mod_ctor,
- NHttpCursorModule::mod_dtor
+ HttpCursorModule::mod_dtor
},
OPT_TYPE_DETECTION,
0, PROTO_BIT__TCP,
nullptr,
nullptr,
nullptr,
- NHttpIpsOption::opt_ctor,
- NHttpIpsOption::opt_dtor,
+ HttpIpsOption::opt_ctor,
+ HttpIpsOption::opt_dtor,
nullptr
};
static Module* raw_trailer_mod_ctor()
{
- return new NHttpCursorModule(IPS_OPT, IPS_HELP, NHTTP_BUFFER_RAW_TRAILER, CAT_SET_OTHER,
+ return new HttpCursorModule(IPS_OPT, IPS_HELP, HTTP_BUFFER_RAW_TRAILER, CAT_SET_OTHER,
PSI_RAW_TRAILER, http_raw_trailer_params);
}
IPS_OPT,
IPS_HELP,
raw_trailer_mod_ctor,
- NHttpCursorModule::mod_dtor
+ HttpCursorModule::mod_dtor
},
OPT_TYPE_DETECTION,
0, PROTO_BIT__TCP,
nullptr,
nullptr,
nullptr,
- NHttpIpsOption::opt_ctor,
- NHttpIpsOption::opt_dtor,
+ HttpIpsOption::opt_ctor,
+ HttpIpsOption::opt_dtor,
nullptr
};
static Module* raw_request_mod_ctor()
{
- return new NHttpCursorModule(IPS_OPT, IPS_HELP, NHTTP_BUFFER_RAW_REQUEST, CAT_SET_OTHER,
+ return new HttpCursorModule(IPS_OPT, IPS_HELP, HTTP_BUFFER_RAW_REQUEST, CAT_SET_OTHER,
PSI_RAW_REQUEST, http_raw_request_params);
}
IPS_OPT,
IPS_HELP,
raw_request_mod_ctor,
- NHttpCursorModule::mod_dtor
+ HttpCursorModule::mod_dtor
},
OPT_TYPE_DETECTION,
0, PROTO_BIT__TCP,
nullptr,
nullptr,
nullptr,
- NHttpIpsOption::opt_ctor,
- NHttpIpsOption::opt_dtor,
+ HttpIpsOption::opt_ctor,
+ HttpIpsOption::opt_dtor,
nullptr
};
static Module* raw_status_mod_ctor()
{
- return new NHttpCursorModule(IPS_OPT, IPS_HELP, NHTTP_BUFFER_RAW_STATUS, CAT_SET_OTHER,
+ return new HttpCursorModule(IPS_OPT, IPS_HELP, HTTP_BUFFER_RAW_STATUS, CAT_SET_OTHER,
PSI_RAW_STATUS, http_raw_status_params);
}
IPS_OPT,
IPS_HELP,
raw_status_mod_ctor,
- NHttpCursorModule::mod_dtor
+ HttpCursorModule::mod_dtor
},
OPT_TYPE_DETECTION,
0, PROTO_BIT__TCP,
nullptr,
nullptr,
nullptr,
- NHttpIpsOption::opt_ctor,
- NHttpIpsOption::opt_dtor,
+ HttpIpsOption::opt_ctor,
+ HttpIpsOption::opt_dtor,
nullptr
};
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// ips_nhttp.h author Tom Peters <thopeter@cisco.com>
+// ips_http.h author Tom Peters <thopeter@cisco.com>
-#ifndef IPS_NHTTP_H
-#define IPS_NHTTP_H
+#ifndef IPS_HTTP_H
+#define IPS_HTTP_H
#ifdef HAVE_CONFIG_H
#include "config.h"
#include "framework/ips_option.h"
#include "framework/module.h"
-#include "nhttp_enum.h"
+#include "http_enum.h"
enum PsIdx { PSI_URI, PSI_CLIENT_BODY, PSI_METHOD, PSI_COOKIE, PSI_STAT_CODE, PSI_STAT_MSG,
PSI_RAW_URI, PSI_RAW_HEADER, PSI_RAW_COOKIE, PSI_HEADER, PSI_VERSION, PSI_TRAILER,
PSI_RAW_TRAILER, PSI_RAW_REQUEST, PSI_RAW_STATUS, PSI_MAX };
-class NHttpCursorModule : public Module
+class HttpCursorModule : public Module
{
public:
- NHttpCursorModule(const char* key_, const char* help, NHttpEnums::NHTTP_BUFFER buffer_index_,
+ HttpCursorModule(const char* key_, const char* help, HttpEnums::HTTP_BUFFER buffer_index_,
CursorActionType cat_, PsIdx psi_) : Module(key_, help), key(key_),
buffer_index(buffer_index_), cat(cat_), psi(psi_) {}
- NHttpCursorModule(const char* key_, const char* help, NHttpEnums::NHTTP_BUFFER buffer_index_,
+ HttpCursorModule(const char* key_, const char* help, HttpEnums::HTTP_BUFFER buffer_index_,
CursorActionType cat_, PsIdx psi_, const Parameter params[]) : Module(key_, help, params),
key(key_), buffer_index(buffer_index_), cat(cat_), psi(psi_) {}
ProfileStats* get_profile() const override { return &http_ps[psi]; }
bool end(const char*, int, SnortConfig*) override;
private:
- friend class NHttpIpsOption;
+ friend class HttpIpsOption;
static THREAD_LOCAL std::array<ProfileStats, PsIdx::PSI_MAX> http_ps;
- struct NHttpRuleParaList
+ struct HttpRuleParaList
{
public:
std::string field; // provide buffer containing specific header field
};
const char* const key;
- const NHttpEnums::NHTTP_BUFFER buffer_index;
+ const HttpEnums::HTTP_BUFFER buffer_index;
const CursorActionType cat;
const PsIdx psi;
- NHttpRuleParaList para_list;
- NHttpEnums::InspectSection inspect_section;
+ HttpRuleParaList para_list;
+ HttpEnums::InspectSection inspect_section;
uint64_t sub_id;
uint64_t form;
};
-class NHttpIpsOption : public IpsOption
+class HttpIpsOption : public IpsOption
{
public:
- NHttpIpsOption(const NHttpCursorModule* cm) :
+ HttpIpsOption(const HttpCursorModule* cm) :
IpsOption(cm->key, RULE_OPTION_TYPE_BUFFER_SET), key(cm->key),
buffer_index(cm->buffer_index), cat(cm->cat), psi(cm->psi),
inspect_section(cm->inspect_section), sub_id(cm->sub_id), form(cm->form) {}
uint32_t hash() const override;
bool operator==(const IpsOption& ips) const override;
static IpsOption* opt_ctor(Module* m, OptTreeNode*)
- { return new NHttpIpsOption((NHttpCursorModule*)m); }
+ { return new HttpIpsOption((HttpCursorModule*)m); }
static void opt_dtor(IpsOption* p) { delete p; }
private:
const char* const key;
- const NHttpEnums::NHTTP_BUFFER buffer_index;
+ const HttpEnums::HTTP_BUFFER buffer_index;
const CursorActionType cat;
const PsIdx psi;
- const NHttpEnums::InspectSection inspect_section;
+ const HttpEnums::InspectSection inspect_section;
const uint64_t sub_id;
const uint64_t form;
};
--- /dev/null
+add_cpputest(http_uri_norm_test http_inspect framework)
+add_cpputest(http_normalizers_test http_inspect framework)
+add_cpputest(http_module_test http_inspect framework)
+add_cpputest(http_msg_head_shared_util_test http_inspect framework)
+
+# FIXIT-M this doesn't link properly under cmake. Autotools version is working.
+# add_library(depends_on_lib_transaction ../http_transaction.cc ../http_flow_data.cc ../http_test_manager.cc ../http_test_input.cc)
+# add_cpputest(http_transaction_test depends_on_lib_transaction framework -lz)
+
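Review bot: The commented-out `add_cpputest(http_transaction_test ...)` at the end of this file means a CMake build registers four tests while the `Makefile.am` added in the same commit builds and runs five, and nothing in the configure or ctest output reveals that `http_transaction_test` is missing. Until the link problem noted in the FIXIT-M is resolved, surface the gap at configure time so a CMake user knows the transaction test is not being exercised, e.g. `message(WARNING "http_inspect: http_transaction_test is not built under cmake (FIXIT-M); use the autotools build to run it")`. Whether the commented `add_library` of the four listed sources is all that is needed to make it link cannot be confirmed from this hunk.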
--- /dev/null
+
+AM_DEFAULT_SOURCE_EXT = .cc
+
+check_PROGRAMS = \
+http_uri_norm_test \
+http_normalizers_test \
+http_module_test \
+http_transaction_test \
+http_msg_head_shared_util_test
+
+TESTS = $(check_PROGRAMS)
+
+http_uri_norm_test_CPPFLAGS = $(AM_CPPFLAGS) @CPPUTEST_CPPFLAGS@
+http_uri_norm_test_LDADD = \
+../http_uri_norm.o \
+../http_module.o \
+../http_test_manager.o \
+../http_test_input.o \
+../http_normalizers.o \
+../http_str_to_code.o \
+../http_field.o \
+../http_tables.o \
+../../../framework/module.o \
+@CPPUTEST_LDFLAGS@
+
+http_normalizers_test_CPPFLAGS = $(AM_CPPFLAGS) @CPPUTEST_CPPFLAGS@
+http_normalizers_test_LDADD = \
+../http_normalizers.o \
+../http_field.o \
+@CPPUTEST_LDFLAGS@
+
+http_module_test_CPPFLAGS = $(AM_CPPFLAGS) @CPPUTEST_CPPFLAGS@
+http_module_test_LDADD = \
+../http_module.o \
+../http_tables.o \
+../http_normalizers.o \
+../http_uri_norm.o \
+../http_field.o \
+../../../framework/module.o \
+@CPPUTEST_LDFLAGS@
+
+http_transaction_test_CPPFLAGS = $(AM_CPPFLAGS) @CPPUTEST_CPPFLAGS@
+http_transaction_test_LDADD = \
+../http_transaction.o \
+../http_flow_data.o \
+../http_test_manager.o \
+../http_test_input.o \
+@CPPUTEST_LDFLAGS@
+
+http_msg_head_shared_util_test_CPPFLAGS = $(AM_CPPFLAGS) @CPPUTEST_CPPFLAGS@
+http_msg_head_shared_util_test_LDADD = \
+../http_msg_head_shared_util.o \
+../http_field.o \
+../http_str_to_code.o \
+@CPPUTEST_LDFLAGS@
+
+
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_module_test.cc author Tom Peters <thopeter@cisco.com>
+// http_module_test.cc author Tom Peters <thopeter@cisco.com>
// unit test main
#include "log/messages.h"
#include "events/event_queue.h"
-#include "service_inspectors/nhttp_inspect/nhttp_module.h"
-#include "service_inspectors/nhttp_inspect/nhttp_test_manager.h"
-#include "service_inspectors/nhttp_inspect/nhttp_str_to_code.h"
+#include "service_inspectors/http_inspect/http_module.h"
+#include "service_inspectors/http_inspect/http_test_manager.h"
+#include "service_inspectors/http_inspect/http_str_to_code.h"
#include <CppUTest/CommandLineTestRunner.h>
#include <CppUTest/TestHarness.h>
#include <CppUTestExt/MockSupport.h>
-using namespace NHttpEnums;
+using namespace HttpEnums;
// Stubs whose sole purpose is to make the test code link
void ParseWarning(WarningGroup, const char*, ...) {}
int32_t str_to_code(const uint8_t*, const int32_t, const StrCode []) { return 0; }
int32_t substr_to_code(const uint8_t*, const int32_t, const StrCode []) { return 0; }
-long NHttpTestManager::print_amount {};
-bool NHttpTestManager::print_hex {};
+long HttpTestManager::print_amount {};
+bool HttpTestManager::print_hex {};
-TEST_GROUP(nhttp_peg_count_test)
+TEST_GROUP(http_peg_count_test)
{
- NHttpModule mod;
+ HttpModule mod;
void setup()
{
}
};
-TEST(nhttp_peg_count_test, increment)
+TEST(http_peg_count_test, increment)
{
for (unsigned k=0; k < 13; k++)
{
- NHttpModule::increment_peg_counts(PEG_SCAN);
+ HttpModule::increment_peg_counts(PEG_SCAN);
}
for (unsigned k=0; k < 27816; k++)
{
- NHttpModule::increment_peg_counts(PEG_INSPECT);
+ HttpModule::increment_peg_counts(PEG_INSPECT);
}
PegCount* counts = mod.get_counts();
CHECK(counts[PEG_SCAN] == 13);
CHECK(counts[PEG_INSPECT] == 27816);
}
-TEST(nhttp_peg_count_test, zero_out)
+TEST(http_peg_count_test, zero_out)
{
for (unsigned k=0; k < 12; k++)
{
- NHttpModule::increment_peg_counts(PEG_INSPECT);
+ HttpModule::increment_peg_counts(PEG_INSPECT);
}
PegCount* counts = mod.get_counts();
CHECK(counts[PEG_INSPECT] == 12);
counts[PEG_INSPECT] = 0;
- NHttpModule::increment_peg_counts(PEG_INSPECT);
+ HttpModule::increment_peg_counts(PEG_INSPECT);
counts = mod.get_counts();
CHECK(counts[PEG_INSPECT] == 1);
}
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_msg_head_shared_util_test.cc author Tom Peters <thopeter@cisco.com>
+// http_msg_head_shared_util_test.cc author Tom Peters <thopeter@cisco.com>
// unit test main
-#include "service_inspectors/nhttp_inspect/nhttp_msg_head_shared.h"
-#include "service_inspectors/nhttp_inspect/nhttp_field.h"
-#include "service_inspectors/nhttp_inspect/nhttp_str_to_code.h"
-#include "service_inspectors/nhttp_inspect/nhttp_test_manager.h"
+#include "service_inspectors/http_inspect/http_msg_head_shared.h"
+#include "service_inspectors/http_inspect/http_field.h"
+#include "service_inspectors/http_inspect/http_str_to_code.h"
+#include "service_inspectors/http_inspect/http_test_manager.h"
#include <CppUTest/CommandLineTestRunner.h>
#include <CppUTest/TestHarness.h>
#include <CppUTestExt/MockSupport.h>
// Stubs whose sole purpose is to make the test code link
-long NHttpTestManager::print_amount {};
-bool NHttpTestManager::print_hex {};
+long HttpTestManager::print_amount {};
+bool HttpTestManager::print_hex {};
-TEST_GROUP(nhttp_msg_head_shared_util)
+TEST_GROUP(http_msg_head_shared_util)
{
enum Color { COLOR_OTHER=1, COLOR_GREEN, COLOR_BLUE, COLOR_RED, COLOR_YELLOW, COLOR_PURPLE };
int32_t offset = 0;
};
// This allows access to test a protected static member function
- class NHttpMsgHeadTest : public NHttpMsgHeadShared
+ class HttpMsgHeadTest : public HttpMsgHeadShared
{
public:
static int32_t get_next_code_test(const Field& field, int32_t& offset,
const StrCode table[])
{
- return NHttpMsgHeadShared::get_next_code(field, offset, table);
+ return HttpMsgHeadShared::get_next_code(field, offset, table);
}
};
};
-TEST(nhttp_msg_head_shared_util, basic)
+TEST(http_msg_head_shared_util, basic)
{
Field input(10, (const uint8_t*) "green,blue");
- Color color = (Color) NHttpMsgHeadTest::get_next_code_test(input, offset, color_table);
+ Color color = (Color) HttpMsgHeadTest::get_next_code_test(input, offset, color_table);
CHECK(offset == 6);
CHECK(color == COLOR_GREEN);
- color = (Color) NHttpMsgHeadTest::get_next_code_test(input, offset, color_table);
+ color = (Color) HttpMsgHeadTest::get_next_code_test(input, offset, color_table);
CHECK(offset == 11);
CHECK(color == COLOR_BLUE);
}
-TEST(nhttp_msg_head_shared_util, single_token)
+TEST(http_msg_head_shared_util, single_token)
{
Field input(6, (const uint8_t*) "purple");
- Color color = (Color) NHttpMsgHeadTest::get_next_code_test(input, offset, color_table);
+ Color color = (Color) HttpMsgHeadTest::get_next_code_test(input, offset, color_table);
CHECK(offset == 7);
CHECK(color == COLOR_PURPLE);
}
-TEST(nhttp_msg_head_shared_util, unknown_token)
+TEST(http_msg_head_shared_util, unknown_token)
{
Field input(14, (const uint8_t*) "madeup,red,red");
- Color color = (Color) NHttpMsgHeadTest::get_next_code_test(input, offset, color_table);
+ Color color = (Color) HttpMsgHeadTest::get_next_code_test(input, offset, color_table);
CHECK(offset == 7);
CHECK(color == COLOR_OTHER);
}
-TEST(nhttp_msg_head_shared_util, null_token)
+TEST(http_msg_head_shared_util, null_token)
{
Field input(11, (const uint8_t*) "green,,blue");
- Color color = (Color) NHttpMsgHeadTest::get_next_code_test(input, offset, color_table);
+ Color color = (Color) HttpMsgHeadTest::get_next_code_test(input, offset, color_table);
CHECK(offset == 6);
CHECK(color == COLOR_GREEN);
- color = (Color) NHttpMsgHeadTest::get_next_code_test(input, offset, color_table);
+ color = (Color) HttpMsgHeadTest::get_next_code_test(input, offset, color_table);
CHECK(offset == 7);
CHECK(color == COLOR_OTHER);
- color = (Color) NHttpMsgHeadTest::get_next_code_test(input, offset, color_table);
+ color = (Color) HttpMsgHeadTest::get_next_code_test(input, offset, color_table);
CHECK(offset == 12);
CHECK(color == COLOR_BLUE);
}
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_normalizers_test.cc author Tom Peters <thopeter@cisco.com>
+// http_normalizers_test.cc author Tom Peters <thopeter@cisco.com>
// unit test main
-#include "service_inspectors/nhttp_inspect/nhttp_msg_header.h"
-#include "service_inspectors/nhttp_inspect/nhttp_test_manager.h"
+#include "service_inspectors/http_inspect/http_msg_header.h"
+#include "service_inspectors/http_inspect/http_test_manager.h"
#include <CppUTest/CommandLineTestRunner.h>
#include <CppUTest/TestHarness.h>
// Stubs whose sole purpose is to make the test code link
int32_t str_to_code(const uint8_t*, const int32_t, const StrCode []) { return 0; }
int32_t substr_to_code(const uint8_t*, const int32_t, const StrCode []) { return 0; }
-const bool NHttpEnums::is_sp_tab[256] {};
-long NHttpTestManager::print_amount {};
-bool NHttpTestManager::print_hex {};
+const bool HttpEnums::is_sp_tab[256] {};
+long HttpTestManager::print_amount {};
+bool HttpTestManager::print_hex {};
-TEST_GROUP(nhttp_chunked_before_end_test) {};
+TEST_GROUP(http_chunked_before_end_test) {};
-TEST(nhttp_chunked_before_end_test, examples)
+TEST(http_chunked_before_end_test, examples)
{
CHECK(!chunked_before_end(Field(11, (const uint8_t*)"foo,chunked")));
CHECK(chunked_before_end(Field(15, (const uint8_t*)"chunked,chunked")));
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_transaction_test.cc author Tom Peters <thopeter@cisco.com>
+// http_transaction_test.cc author Tom Peters <thopeter@cisco.com>
// unit test main
-#include "service_inspectors/nhttp_inspect/nhttp_transaction.h"
-#include "service_inspectors/nhttp_inspect/nhttp_module.h"
-#include "service_inspectors/nhttp_inspect/nhttp_flow_data.h"
-#include "service_inspectors/nhttp_inspect/nhttp_enum.h"
+#include "service_inspectors/http_inspect/http_transaction.h"
+#include "service_inspectors/http_inspect/http_module.h"
+#include "service_inspectors/http_inspect/http_flow_data.h"
+#include "service_inspectors/http_inspect/http_enum.h"
#include <CppUTest/CommandLineTestRunner.h>
#include <CppUTest/TestHarness.h>
#include <CppUTestExt/MockSupport.h>
-using namespace NHttpEnums;
+using namespace HttpEnums;
// Stubs whose sole purpose is to make the test code link
unsigned FlowData::flow_id = 0;
FlowData::FlowData(unsigned, Inspector*) {}
FlowData::~FlowData() {}
int SnortEventqAdd(unsigned int, unsigned int, RuleType) { return 0; }
-THREAD_LOCAL PegCount NHttpModule::peg_counts[1];
+THREAD_LOCAL PegCount HttpModule::peg_counts[1];
-class NHttpUnitTestSetup
+class HttpUnitTestSetup
{
public:
- static SectionType* get_section_type(NHttpFlowData* flow_data)
+ static SectionType* get_section_type(HttpFlowData* flow_data)
{ assert(flow_data!=nullptr); return flow_data->section_type; }
- static SectionType* get_type_expected(NHttpFlowData* flow_data)
+ static SectionType* get_type_expected(HttpFlowData* flow_data)
{ assert(flow_data!=nullptr); return flow_data->type_expected; }
};
-TEST_GROUP(nhttp_transaction_test)
+TEST_GROUP(http_transaction_test)
{
- NHttpFlowData* const flow_data = new NHttpFlowData;
- SectionType* const section_type = NHttpUnitTestSetup::get_section_type(flow_data);
- SectionType* const type_expected = NHttpUnitTestSetup::get_type_expected(flow_data);
+ HttpFlowData* const flow_data = new HttpFlowData;
+ SectionType* const section_type = HttpUnitTestSetup::get_section_type(flow_data);
+ SectionType* const type_expected = HttpUnitTestSetup::get_type_expected(flow_data);
void teardown()
{
}
};
-TEST(nhttp_transaction_test, simple_transaction)
+TEST(http_transaction_test, simple_transaction)
{
// This test is a request message with a chunked body and trailers followed by a similar
// response message. No overlap in time.
// Request
type_expected[SRC_CLIENT] = SEC_REQUEST;
section_type[SRC_CLIENT] = SEC_REQUEST;
- NHttpTransaction* trans = NHttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT);
+ HttpTransaction* trans = HttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT);
CHECK(trans != nullptr);
type_expected[SRC_CLIENT] = SEC_HEADER;
section_type[SRC_CLIENT] = SEC_HEADER;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
type_expected[SRC_CLIENT] = SEC_BODY_CHUNK;
section_type[SRC_CLIENT] = SEC_BODY_CHUNK;
for (unsigned k=0; k<100; k++)
{
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
}
type_expected[SRC_CLIENT] = SEC_TRAILER;
section_type[SRC_CLIENT] = SEC_TRAILER;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
type_expected[SRC_CLIENT] = SEC_REQUEST;
// Response
section_type[SRC_SERVER] = SEC_STATUS;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
section_type[SRC_SERVER] = SEC_HEADER;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
section_type[SRC_SERVER] = SEC_BODY_CHUNK;
for (unsigned k=0; k<100; k++)
{
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
}
section_type[SRC_SERVER] = SEC_TRAILER;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
}
-TEST(nhttp_transaction_test, orphan_response)
+TEST(http_transaction_test, orphan_response)
{
// Response message without a request
type_expected[SRC_CLIENT] = SEC_REQUEST;
section_type[SRC_SERVER] = SEC_STATUS;
- NHttpTransaction* trans = NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER);
+ HttpTransaction* trans = HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER);
CHECK(trans != nullptr);
section_type[SRC_SERVER] = SEC_HEADER;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
section_type[SRC_SERVER] = SEC_BODY_CHUNK;
for (unsigned k=0; k<10; k++)
{
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
}
section_type[SRC_SERVER] = SEC_TRAILER;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
}
-TEST(nhttp_transaction_test, simple_pipeline)
+TEST(http_transaction_test, simple_pipeline)
{
// Pipeline with four requests followed by four responses
- NHttpTransaction* trans[4];
+ HttpTransaction* trans[4];
for (unsigned k=0; k < 4; k++)
{
type_expected[SRC_CLIENT] = SEC_REQUEST;
section_type[SRC_CLIENT] = SEC_REQUEST;
- trans[k] = NHttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT);
+ trans[k] = HttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT);
CHECK(trans[k] != nullptr);
type_expected[SRC_CLIENT] = SEC_HEADER;
section_type[SRC_CLIENT] = SEC_HEADER;
- CHECK(trans[k] == NHttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
+ CHECK(trans[k] == HttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
for (unsigned j=0; j < k; j++)
{
CHECK(trans[k] != trans[j]);
for (unsigned k=0; k < 4; k++)
{
section_type[SRC_SERVER] = SEC_STATUS;
- CHECK(trans[k] == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans[k] == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
section_type[SRC_SERVER] = SEC_HEADER;
- CHECK(trans[k] == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans[k] == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
section_type[SRC_SERVER] = SEC_BODY_CL;
- CHECK(trans[k] == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans[k] == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
}
}
-TEST(nhttp_transaction_test, concurrent_request_response)
+TEST(http_transaction_test, concurrent_request_response)
{
// Response starts before request completes, request completes first
type_expected[SRC_CLIENT] = SEC_REQUEST;
section_type[SRC_CLIENT] = SEC_REQUEST;
- NHttpTransaction* trans = NHttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT);
+ HttpTransaction* trans = HttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT);
CHECK(trans != nullptr);
type_expected[SRC_CLIENT] = SEC_HEADER;
section_type[SRC_CLIENT] = SEC_HEADER;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
type_expected[SRC_CLIENT] = SEC_BODY_CHUNK;
section_type[SRC_SERVER] = SEC_STATUS;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
section_type[SRC_SERVER] = SEC_HEADER;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
section_type[SRC_CLIENT] = SEC_BODY_CHUNK;
for (unsigned k=0; k<4; k++)
{
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
}
type_expected[SRC_CLIENT] = SEC_TRAILER;
section_type[SRC_CLIENT] = SEC_TRAILER;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
type_expected[SRC_CLIENT] = SEC_REQUEST;
section_type[SRC_SERVER] = SEC_BODY_CHUNK;
for (unsigned k=0; k<6; k++)
{
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
}
section_type[SRC_SERVER] = SEC_TRAILER;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
}
-TEST(nhttp_transaction_test, pipeline_underflow)
+TEST(http_transaction_test, pipeline_underflow)
{
// Underflow scenario with request, two responses, request, response
type_expected[SRC_CLIENT] = SEC_REQUEST;
section_type[SRC_CLIENT] = SEC_REQUEST;
- NHttpTransaction* trans = NHttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT);
+ HttpTransaction* trans = HttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT);
CHECK(trans != nullptr);
type_expected[SRC_CLIENT] = SEC_HEADER;
section_type[SRC_CLIENT] = SEC_HEADER;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
type_expected[SRC_CLIENT] = SEC_REQUEST;
section_type[SRC_SERVER] = SEC_STATUS;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
section_type[SRC_SERVER] = SEC_HEADER;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
section_type[SRC_SERVER] = SEC_STATUS;
- trans = NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER);
+ trans = HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER);
CHECK(trans != nullptr);
section_type[SRC_SERVER] = SEC_HEADER;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
section_type[SRC_CLIENT] = SEC_REQUEST;
- NHttpTransaction* trans2 = NHttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT);
+ HttpTransaction* trans2 = HttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT);
CHECK((trans2 != nullptr) && (trans2 != trans));
type_expected[SRC_CLIENT] = SEC_HEADER;
section_type[SRC_CLIENT] = SEC_HEADER;
- CHECK(trans2 == NHttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
+ CHECK(trans2 == HttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
type_expected[SRC_CLIENT] = SEC_REQUEST;
section_type[SRC_SERVER] = SEC_STATUS;
- trans = NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER);
+ trans = HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER);
CHECK((trans != nullptr) && (trans != trans2));
section_type[SRC_SERVER] = SEC_HEADER;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
}
-TEST(nhttp_transaction_test, concurrent_request_response_underflow)
+TEST(http_transaction_test, concurrent_request_response_underflow)
{
// Response starts before request completes, response completes first, second response
type_expected[SRC_CLIENT] = SEC_REQUEST;
section_type[SRC_CLIENT] = SEC_REQUEST;
- NHttpTransaction* trans = NHttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT);
+ HttpTransaction* trans = HttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT);
CHECK(trans != nullptr);
type_expected[SRC_CLIENT] = SEC_HEADER;
section_type[SRC_CLIENT] = SEC_HEADER;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
type_expected[SRC_CLIENT] = SEC_BODY_CHUNK;
section_type[SRC_SERVER] = SEC_STATUS;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
section_type[SRC_SERVER] = SEC_HEADER;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
section_type[SRC_SERVER] = SEC_BODY_CHUNK;
for (unsigned k=0; k<6; k++)
{
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
}
section_type[SRC_SERVER] = SEC_TRAILER;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
section_type[SRC_CLIENT] = SEC_BODY_CHUNK;
for (unsigned k=0; k<4; k++)
{
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
}
type_expected[SRC_CLIENT] = SEC_TRAILER;
section_type[SRC_CLIENT] = SEC_TRAILER;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
type_expected[SRC_CLIENT] = SEC_REQUEST;
section_type[SRC_SERVER] = SEC_STATUS;
- NHttpTransaction* trans2 = NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER);
+ HttpTransaction* trans2 = HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER);
CHECK((trans2 != nullptr) && (trans2 != trans));
section_type[SRC_SERVER] = SEC_HEADER;
- CHECK(trans2 == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans2 == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
section_type[SRC_SERVER] = SEC_BODY_CHUNK;
for (unsigned k=0; k<6; k++)
{
- CHECK(trans2 == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans2 == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
}
section_type[SRC_SERVER] = SEC_TRAILER;
- CHECK(trans2 == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans2 == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
}
-TEST(nhttp_transaction_test, basic_continue)
+TEST(http_transaction_test, basic_continue)
{
// Request with interim response and final response
// Request headers
type_expected[SRC_CLIENT] = SEC_REQUEST;
section_type[SRC_CLIENT] = SEC_REQUEST;
- NHttpTransaction* trans = NHttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT);
+ HttpTransaction* trans = HttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT);
CHECK(trans != nullptr);
type_expected[SRC_CLIENT] = SEC_HEADER;
section_type[SRC_CLIENT] = SEC_HEADER;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
type_expected[SRC_CLIENT] = SEC_BODY_CHUNK;
// Interim response
section_type[SRC_SERVER] = SEC_STATUS;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
trans->second_response_coming();
section_type[SRC_SERVER] = SEC_HEADER;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
// Request body
section_type[SRC_CLIENT] = SEC_BODY_CHUNK;
for (unsigned k=0; k<4; k++)
{
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
}
type_expected[SRC_CLIENT] = SEC_TRAILER;
section_type[SRC_CLIENT] = SEC_TRAILER;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
type_expected[SRC_CLIENT] = SEC_REQUEST;
// Second response
section_type[SRC_SERVER] = SEC_STATUS;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
section_type[SRC_SERVER] = SEC_HEADER;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
section_type[SRC_SERVER] = SEC_BODY_CHUNK;
for (unsigned k=0; k<6; k++)
{
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
}
section_type[SRC_SERVER] = SEC_TRAILER;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
}
-TEST(nhttp_transaction_test, multiple_continue)
+TEST(http_transaction_test, multiple_continue)
{
// Request with interim response and final response
// Request headers
type_expected[SRC_CLIENT] = SEC_REQUEST;
section_type[SRC_CLIENT] = SEC_REQUEST;
- NHttpTransaction* trans = NHttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT);
+ HttpTransaction* trans = HttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT);
CHECK(trans != nullptr);
type_expected[SRC_CLIENT] = SEC_HEADER;
section_type[SRC_CLIENT] = SEC_HEADER;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
type_expected[SRC_CLIENT] = SEC_BODY_CHUNK;
// Interim responses
for (unsigned k=0; k < 10; k++)
{
section_type[SRC_SERVER] = SEC_STATUS;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
trans->second_response_coming();
section_type[SRC_SERVER] = SEC_HEADER;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
}
// Request body
section_type[SRC_CLIENT] = SEC_BODY_CHUNK;
for (unsigned k=0; k<4; k++)
{
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
}
type_expected[SRC_CLIENT] = SEC_TRAILER;
section_type[SRC_CLIENT] = SEC_TRAILER;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
type_expected[SRC_CLIENT] = SEC_REQUEST;
// Final response
section_type[SRC_SERVER] = SEC_STATUS;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
section_type[SRC_SERVER] = SEC_HEADER;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
section_type[SRC_SERVER] = SEC_BODY_CHUNK;
for (unsigned k=0; k<6; k++)
{
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
}
section_type[SRC_SERVER] = SEC_TRAILER;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
}
-TEST(nhttp_transaction_test, multiple_orphan_continue)
+TEST(http_transaction_test, multiple_orphan_continue)
{
type_expected[SRC_CLIENT] = SEC_REQUEST;
// Repeated interim and final response messages without a request
{
// Interim response
section_type[SRC_SERVER] = SEC_STATUS;
- NHttpTransaction* trans = NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER);
+ HttpTransaction* trans = HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER);
CHECK(trans != nullptr);
trans->second_response_coming();
section_type[SRC_SERVER] = SEC_HEADER;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
section_type[SRC_SERVER] = SEC_BODY_CHUNK;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
section_type[SRC_SERVER] = SEC_TRAILER;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
// Final response
section_type[SRC_SERVER] = SEC_STATUS;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
section_type[SRC_SERVER] = SEC_HEADER;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
section_type[SRC_SERVER] = SEC_BODY_CHUNK;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
section_type[SRC_SERVER] = SEC_TRAILER;
- CHECK(trans == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
}
}
-TEST(nhttp_transaction_test, pipeline_continue_pipeline)
+TEST(http_transaction_test, pipeline_continue_pipeline)
{
// 3.5 requests in pipeline, 3 responses + continue response, body + 3 requests in pipeline,
// final response + 3 responses
- NHttpTransaction* trans[7];
+ HttpTransaction* trans[7];
// Four requests in pipeline, the final one will be continued later
for (unsigned k=0; k < 4; k++)
{
type_expected[SRC_CLIENT] = SEC_REQUEST;
section_type[SRC_CLIENT] = SEC_REQUEST;
- trans[k] = NHttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT);
+ trans[k] = HttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT);
CHECK(trans[k] != nullptr);
type_expected[SRC_CLIENT] = SEC_HEADER;
section_type[SRC_CLIENT] = SEC_HEADER;
- CHECK(trans[k] == NHttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
+ CHECK(trans[k] == HttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
for (unsigned j=0; j < k; j++)
{
CHECK(trans[k] != trans[j]);
for (unsigned k=0; k < 3; k++)
{
section_type[SRC_SERVER] = SEC_STATUS;
- CHECK(trans[k] == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans[k] == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
section_type[SRC_SERVER] = SEC_HEADER;
- CHECK(trans[k] == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans[k] == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
section_type[SRC_SERVER] = SEC_BODY_CL;
- CHECK(trans[k] == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans[k] == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
}
// Interim response to fourth request
section_type[SRC_SERVER] = SEC_STATUS;
- CHECK(trans[3] == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans[3] == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
trans[3]->second_response_coming();
section_type[SRC_SERVER] = SEC_HEADER;
- CHECK(trans[3] == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans[3] == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
// Finish the fourth request
section_type[SRC_CLIENT] = SEC_BODY_CL;
- CHECK(trans[3] == NHttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
+ CHECK(trans[3] == HttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
// Requests 5-7 in pipeline
for (unsigned k=4; k < 7; k++)
{
type_expected[SRC_CLIENT] = SEC_REQUEST;
section_type[SRC_CLIENT] = SEC_REQUEST;
- trans[k] = NHttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT);
+ trans[k] = HttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT);
CHECK(trans[k] != nullptr);
type_expected[SRC_CLIENT] = SEC_HEADER;
section_type[SRC_CLIENT] = SEC_HEADER;
- CHECK(trans[k] == NHttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
+ CHECK(trans[k] == HttpTransaction::attach_my_transaction(flow_data, SRC_CLIENT));
for (unsigned j=5; j < k; j++)
{
CHECK(trans[k] != trans[j]);
for (unsigned k=3; k < 7; k++)
{
section_type[SRC_SERVER] = SEC_STATUS;
- CHECK(trans[k] == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans[k] == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
section_type[SRC_SERVER] = SEC_HEADER;
- CHECK(trans[k] == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans[k] == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
section_type[SRC_SERVER] = SEC_BODY_CL;
- CHECK(trans[k] == NHttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
+ CHECK(trans[k] == HttpTransaction::attach_my_transaction(flow_data, SRC_SERVER));
}
}
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// nhttp_uri_norm_test.cc author Tom Peters <thopeter@cisco.com>
+// http_uri_norm_test.cc author Tom Peters <thopeter@cisco.com>
// unit test main
#include "log/messages.h"
-#include "service_inspectors/nhttp_inspect/nhttp_uri_norm.h"
+#include "service_inspectors/http_inspect/http_uri_norm.h"
#include <CppUTest/CommandLineTestRunner.h>
#include <CppUTest/TestHarness.h>
void Value::get_bits(std::bitset<256ul>&) const {}
int SnortEventqAdd(unsigned int, unsigned int, RuleType) { return 0; }
-TEST_GROUP(nhttp_inspect_uri_norm)
+TEST_GROUP(http_inspect_uri_norm)
{
uint8_t buffer[1000];
- NHttpParaList::UriParam uri_param;
- NHttpInfractions infractions;
- NHttpEventGen events;
+ HttpParaList::UriParam uri_param;
+ HttpInfractions infractions;
+ HttpEventGen events;
};
-TEST(nhttp_inspect_uri_norm, normalize)
+TEST(http_inspect_uri_norm, normalize)
{
Field input(20, (const uint8_t*) "/uri//to/%6eormalize");
Field result;
CHECK(memcmp(result.start, "/uri/to/normalize", 17) == 0);
}
-TEST_GROUP(nhttp_double_decode_test)
+TEST_GROUP(http_double_decode_test)
{
uint8_t buffer[1000];
- NHttpParaList::UriParam uri_param;
- NHttpInfractions infractions;
- NHttpEventGen events;
+ HttpParaList::UriParam uri_param;
+ HttpInfractions infractions;
+ HttpEventGen events;
void setup()
{
}
};
-TEST(nhttp_double_decode_test, single)
+TEST(http_double_decode_test, single)
{
Field input(19, (const uint8_t*) "/uri/to%5Cnormalize");
Field result;
CHECK(memcmp(result.start, "/uri/to/normalize", 17) == 0);
}
-TEST(nhttp_double_decode_test, encoded_percent)
+TEST(http_double_decode_test, encoded_percent)
{
Field input(21, (const uint8_t*) "/uri/to%255Cnormalize");
Field result;
CHECK(memcmp(result.start, "/uri/to/normalize", 17) == 0);
}
-TEST(nhttp_double_decode_test, double_percent)
+TEST(http_double_decode_test, double_percent)
{
Field input(20, (const uint8_t*) "/uri/to%%5Cnormalize");
Field result;
CHECK(memcmp(result.start, "/uri/to/normalize", 17) == 0);
}
-TEST(nhttp_double_decode_test, encoded_all)
+TEST(http_double_decode_test, encoded_all)
{
Field input(25, (const uint8_t*) "/uri/to%25%35%43normalize");
Field result;
CHECK(memcmp(result.start, "/uri/to/normalize", 17) == 0);
}
-TEST(nhttp_double_decode_test, utf8_all)
+TEST(http_double_decode_test, utf8_all)
{
Field input(24, (const uint8_t*) "/uri/to\xE0\x80\xA5\xC0\xB5\xE0\x81\x83normalize");
Field result;
CHECK(memcmp(result.start, "/uri/to/normalize", 17) == 0);
}
-TEST(nhttp_double_decode_test, u_encode_percent)
+TEST(http_double_decode_test, u_encode_percent)
{
Field input(24, (const uint8_t*) "/%%uri/to%u005cnormalize");
Field result;
CHECK(memcmp(result.start, "/%uri/to/normalize", 17) == 0);
}
-TEST(nhttp_double_decode_test, u_encode_all)
+TEST(http_double_decode_test, u_encode_all)
{
Field input(52, (const uint8_t*) "/uri/to%u0025%U0075%u0030%U0030%u0035%U0063normalize");
Field result;
+++ /dev/null
-
-set (FILE_LIST
- ips_nhttp.cc
- ips_nhttp.h
- nhttp_inspect.cc
- nhttp_inspect.h
- nhttp_msg_section.cc
- nhttp_msg_section.h
- nhttp_msg_start.cc
- nhttp_msg_start.h
- nhttp_msg_request.cc
- nhttp_msg_request.h
- nhttp_msg_status.cc
- nhttp_msg_status.h
- nhttp_msg_head_shared.cc
- nhttp_msg_head_shared_util.cc
- nhttp_msg_head_shared.h
- nhttp_msg_header.cc
- nhttp_msg_header.h
- nhttp_msg_body.cc
- nhttp_msg_body.h
- nhttp_msg_body_chunk.cc
- nhttp_msg_body_chunk.h
- nhttp_msg_body_cl.cc
- nhttp_msg_body_cl.h
- nhttp_msg_body_old.cc
- nhttp_msg_body_old.h
- nhttp_msg_trailer.cc
- nhttp_msg_trailer.h
- nhttp_head_norm.cc
- nhttp_head_norm.h
- nhttp_uri.cc
- nhttp_uri.h
- nhttp_uri_norm.cc
- nhttp_uri_norm.h
- nhttp_normalizers.cc
- nhttp_normalizers.h
- nhttp_str_to_code.cc
- nhttp_str_to_code.h
- nhttp_api.cc nhttp_api.h
- nhttp_tables.cc
- nhttp_module.cc
- nhttp_module.h
- nhttp_test_input.cc
- nhttp_test_input.h
- nhttp_flow_data.cc
- nhttp_flow_data.h
- nhttp_transaction.cc
- nhttp_transaction.h
- nhttp_test_manager.cc
- nhttp_test_manager.h
- nhttp_enum.h
- nhttp_field.cc
- nhttp_field.h
- nhttp_stream_splitter_reassemble.cc
- nhttp_stream_splitter_scan.cc
- nhttp_stream_splitter.h
- nhttp_cutter.cc
- nhttp_cutter.h
- nhttp_infractions.h
- nhttp_event_gen.h
-)
-
-if (STATIC_INSPECTORS)
- add_library(nhttp_inspect STATIC ${FILE_LIST})
-
-else(STATIC_INSPECTORS)
- add_shared_library(nhttp_inspect inspectors ${FILE_LIST} ${IPS_FILE_LIST})
-
-endif(STATIC_INSPECTORS)
-
-add_subdirectory ( test )
-
+++ /dev/null
-file_list = \
-nhttp_inspect.cc nhttp_inspect.h \
-nhttp_msg_section.cc nhttp_msg_section.h \
-nhttp_msg_start.cc nhttp_msg_start.h \
-nhttp_msg_request.cc nhttp_msg_request.h \
-nhttp_msg_status.cc nhttp_msg_status.h \
-nhttp_msg_head_shared.cc nhttp_msg_head_shared_util.cc nhttp_msg_head_shared.h \
-nhttp_msg_header.cc nhttp_msg_header.h \
-nhttp_msg_body.cc nhttp_msg_body.h \
-nhttp_msg_body_cl.cc nhttp_msg_body_cl.h \
-nhttp_msg_body_chunk.cc nhttp_msg_body_chunk.h \
-nhttp_msg_body_old.cc nhttp_msg_body_old.h \
-nhttp_msg_trailer.cc nhttp_msg_trailer.h \
-nhttp_head_norm.cc nhttp_head_norm.h \
-nhttp_uri.cc nhttp_uri.h \
-nhttp_uri_norm.cc nhttp_uri_norm.h \
-nhttp_normalizers.cc nhttp_normalizers.h \
-nhttp_str_to_code.cc nhttp_str_to_code.h \
-nhttp_api.cc nhttp_api.h \
-nhttp_tables.cc \
-nhttp_module.cc nhttp_module.h \
-nhttp_test_input.cc nhttp_test_input.h \
-nhttp_flow_data.cc nhttp_flow_data.h \
-nhttp_transaction.cc nhttp_transaction.h \
-nhttp_stream_splitter_reassemble.cc nhttp_stream_splitter_scan.cc nhttp_stream_splitter.h \
-nhttp_cutter.cc nhttp_cutter.h \
-nhttp_enum.h \
-nhttp_test_manager.cc nhttp_test_manager.h \
-nhttp_field.cc nhttp_field.h \
-nhttp_infractions.h \
-nhttp_event_gen.h
-
-# FIXIT-L merge two file lists when OHI retired
-ips_file_list = ips_nhttp.cc ips_nhttp.h
-
-if STATIC_INSPECTORS
-noinst_LIBRARIES = libnhttp_inspect.a
-libnhttp_inspect_a_SOURCES = $(file_list) $(ips_file_list)
-
-else
-shlibdir = $(pkglibdir)/inspectors
-shlib_LTLIBRARIES = libnhttp_inspect.la
-libnhttp_inspect_la_CXXFLAGS = $(AM_CXXFLAGS) -DBUILDING_SO
-libnhttp_inspect_la_LDFLAGS = $(AM_LDFLAGS) -export-dynamic -shared
-libnhttp_inspect_la_SOURCES = $(file_list) $(ips_file_list)
-
-endif
-
-if BUILD_CPPUTESTS
-SUBDIRS = test
-endif
-
+++ /dev/null
-add_cpputest(nhttp_uri_norm_test nhttp_inspect framework)
-add_cpputest(nhttp_normalizers_test nhttp_inspect framework)
-add_cpputest(nhttp_module_test nhttp_inspect framework)
-add_cpputest(nhttp_transaction_test nhttp_inspect framework -lz)
-add_cpputest(nhttp_msg_head_shared_util_test nhttp_inspect framework)
-
+++ /dev/null
-
-AM_DEFAULT_SOURCE_EXT = .cc
-
-check_PROGRAMS = \
-nhttp_uri_norm_test \
-nhttp_normalizers_test \
-nhttp_module_test \
-nhttp_transaction_test \
-nhttp_msg_head_shared_util_test
-
-TESTS = $(check_PROGRAMS)
-
-nhttp_uri_norm_test_CPPFLAGS = $(AM_CPPFLAGS) @CPPUTEST_CPPFLAGS@
-nhttp_uri_norm_test_LDADD = \
-../nhttp_uri_norm.o \
-../nhttp_module.o \
-../nhttp_test_manager.o \
-../nhttp_test_input.o \
-../nhttp_normalizers.o \
-../nhttp_str_to_code.o \
-../nhttp_field.o \
-../nhttp_tables.o \
-../../../framework/module.o \
-@CPPUTEST_LDFLAGS@
-
-nhttp_normalizers_test_CPPFLAGS = $(AM_CPPFLAGS) @CPPUTEST_CPPFLAGS@
-nhttp_normalizers_test_LDADD = \
-../nhttp_normalizers.o \
-../nhttp_field.o \
-@CPPUTEST_LDFLAGS@
-
-nhttp_module_test_CPPFLAGS = $(AM_CPPFLAGS) @CPPUTEST_CPPFLAGS@
-nhttp_module_test_LDADD = \
-../nhttp_module.o \
-../nhttp_tables.o \
-../nhttp_normalizers.o \
-../nhttp_uri_norm.o \
-../nhttp_field.o \
-../../../framework/module.o \
-@CPPUTEST_LDFLAGS@
-
-nhttp_transaction_test_CPPFLAGS = $(AM_CPPFLAGS) @CPPUTEST_CPPFLAGS@
-nhttp_transaction_test_LDADD = \
-../nhttp_transaction.o \
-../nhttp_flow_data.o \
-../nhttp_test_manager.o \
-../nhttp_test_input.o \
-@CPPUTEST_LDFLAGS@
-
-nhttp_msg_head_shared_util_test_CPPFLAGS = $(AM_CPPFLAGS) @CPPUTEST_CPPFLAGS@
-nhttp_msg_head_shared_util_test_LDADD = \
-../nhttp_msg_head_shared_util.o \
-../nhttp_field.o \
-../nhttp_str_to_code.o \
-@CPPUTEST_LDFLAGS@
-
-
extern const BaseApi* sin_ftp_data;
extern const BaseApi* sin_gtp;
extern const BaseApi* sin_modbus;
-extern const BaseApi* sin_nhttp;
+extern const BaseApi* sin_http;
extern const BaseApi* sin_rpc_decode;
extern const BaseApi* sin_sip;
extern const BaseApi* sin_ssh;
sin_ftp_data,
sin_gtp,
sin_modbus,
- sin_nhttp,
+ sin_http,
sin_rpc_decode,
sin_sip,
sin_ssh,