* Autogenerate reference documentation
* Provide better cross platform support
* Facilitate component testing
+* Use a shared network map
Additional features on the roadmap include:
-* Use a shared network map
* Support pipelining of packet processing
* Support hardware offload and data plane integration
* Support proxy mode
# RUN SNORT
-Here are some examples.
+Here are some examples. If you are using Talos rules and/or configs, you
+should first set any needed variables at the top of snort.lua and
+snort_defaults.lua.
* Snort++ provides lots of help from the command line, including:
# SQUEAL
`o")~`
-We hope you are as excited about Snort++ as we are. Although a lot of work
-remains, we wanted to give you a chance to try it out and let us know what
-you think on the snort-users list. In the meantime, we'll keep our snout
-to the grindstone.
+We hope you are as excited about Snort++ as we are. Let us know what you
+think on the snort-users list. In the meantime, we'll keep our snout to
+the grindstone.
option ( ENABLE_COREFILES "Prevent Snort from generating core files" ON )
option ( ENABLE_LARGE_PCAP "Enable support for pcaps larger than 2 GB" OFF )
option ( ENABLE_STDLOG "Use file descriptor 3 instead of stdout for alerts" OFF )
-option ( ENABLE_TSC_CLOCK "Use timestamp counter register clock (x86 only)" OFF )
+option ( ENABLE_TSC_CLOCK "Use timestamp counter register clock (x86 and arm only)" OFF )
# documentation
option ( MAKE_HTML_DOC "Create the HTML documentation" ON )
--enable-shell enable command line shell support
--enable-large-pcap enable support for pcaps larger than 2 GB
--enable-stdlog use file descriptor 3 instead of stdout for alerts
- --enable-tsc-clock use timestamp counter register clock (x86 only)
+ --enable-tsc-clock use timestamp counter register clock (x86 and arm only)
--enable-debug-msgs enable debug printing options (bugreports and
developers only)
--enable-debug enable debugging options (bugreports and developers
reputation =
{
-- configure one or both of these, then uncomment reputation
+ -- (see also related path vars at the top of snort_defaults.lua)
+
--blacklist = 'blacklist file name with ip lists'
--whitelist = 'whitelist file name with ip lists'
}
-- use include for rules files; be sure to set your path
-- note that rules files can include other rules files
- --include = 'snort3-community.rules',
+ -- (see also related path vars at the top of snort_defaults.lua)
variables = default_variables
}
---------------------------------------------------------------------------
-- Snort++ defaults
---
--- include in your snort.lua with a dofile statement
+---------------------------------------------------------------------------
+
+-- this file defines the external defaults for Snort. all simple scalar
+-- types have a builtin default, including those in list items, however
+-- lists defaults are provided here instead of compiling them into the
+-- binary. this makes it easier to copy and paste or edit for your
+-- environment.
+
+-- include in your snort.lua
-- after you set HOME_NET and EXTERNAL_NET
---
+
-- use these by assignment, eg
-- ftp_server = default_ftp_server
----------------------------------------------------------------------------
---------------------------------------------------------------------------
--- Set paths, ports, and nets:
---
--- variables with 'PATH' in the name are vars
--- variables with 'PORT' in the name are portvars
--- variables with 'NET' in the name are ipvars
--- variables with 'SERVER' in the name are ipvars
+-- default paths - used in Talos configs
---------------------------------------------------------------------------
----------------------------------------------------------------------------
--- default paths
----------------------------------------------------------------------------
-- Path to your rules files (this can be a relative path)
-
RULE_PATH = '../rules'
BUILTIN_RULE_PATH = '../builtin_rules'
PLUGIN_RULE_PATH = '../so_rules'
BLACK_LIST_PATH = '../lists'
---------------------------------------------------------------------------
--- default networks
+-- default networks - used in Talos rules
---------------------------------------------------------------------------
+-- define servers on your network you want to protect
--- List of DNS servers on your network
DNS_SERVERS = HOME_NET
-
--- List of ftp servers on your network
FTP_SERVERS = HOME_NET
-
--- List of web servers on your network
HTTP_SERVERS = HOME_NET
-
--- List of sip servers on your network
SIP_SERVERS = HOME_NET
-
--- List of SMTP servers on your network
SMTP_SERVERS = HOME_NET
-
--- List of sql servers on your network
SQL_SERVERS = HOME_NET
-
--- List of ssh servers on your network
SSH_SERVERS = HOME_NET
-
--- List of telnet servers on your network
TELNET_SERVERS = HOME_NET
---------------------------------------------------------------------------
-- default ports - used in Talos rules
---------------------------------------------------------------------------
+-- define ports on your network you want to protect
+-- where possible, use the wizard for inspection instead of explicit port
+-- bindings. this gives you some port independence and allows you find c&c
+-- channels hard port bindings would miss. Talos rules will still use these
+-- ports if there is no match on service.
--- List of ports you run ftp servers on
FTP_PORTS = ' 21 2100 3535'
--- List of ports you run web servers on
HTTP_PORTS =
[[
80 81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128
50002 55555
]]
--- List of ports you run mail servers on
MAIL_PORTS = ' 110 143'
--- List of ports you might see oracle attacks on
ORACLE_PORTS = ' 1024:'
--- List of ports you run SIP servers on
SIP_PORTS = ' 5060 5061 5600'
--- List of ports you want to look for SSH connections on
SSH_PORTS = ' 22'
--- List of ports for file inspection
FILE_DATA_PORTS = HTTP_PORTS .. MAIL_PORTS
---------------------------------------------------------------------------
-- default variables
---------------------------------------------------------------------------
-default_variables = {
- nets = {
+default_variables =
+{
+ nets =
+ {
HOME_NET = HOME_NET,
EXTERNAL_NET = EXTERNAL_NET,
DNS_SERVERS = DNS_SERVERS,
SSH_SERVERS = SSH_SERVERS,
TELNET_SERVERS = TELNET_SERVERS,
},
- paths = {
+ paths =
+ {
RULE_PATH = RULE_PATH,
BUILTIN_RULE_PATH = BUILTIN_RULE_PATH,
PLUGIN_RULE_PATH = PLUGIN_RULE_PATH,
WHITE_LIST_PATH = WHITE_LIST_PATH,
BLACK_LIST_PATH = BLACK_LIST_PATH,
},
- ports = {
+ ports =
+ {
FTP_PORTS = FTP_PORTS,
HTTP_PORTS = HTTP_PORTS,
MAIL_PORTS = MAIL_PORTS,
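Review bot: The new port-section comment drops a word and a relative clause: `-- bindings. this gives you some port independence and allows you find c&c` / `-- channels hard port bindings would miss.` should read `-- bindings. this gives you some port independence and lets you find c&c` / `-- channels that hard port bindings would miss.` The rest of the block (the `-- define servers on your network you want to protect` line and the Talos notes) reads fine. The `default_variables` table that closes this section continues outside the hunk.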
/*
** We return whether we logged events or not. We've add a eventq user
** structure so we can track whether the events logged were rule events
-** or preprocessor/decoder events. The reason being that we don't want
-** to flush a TCP stream for preprocessor/decoder events, and cause
+** or builtin events. The reason being that we don't want
+** to flush a TCP stream for builtin events, and cause
** early flushing of the stream.
*/
int DetectionEngine::log_events(Packet* p)
}
/* If this packet has been passed based on detection rules,
- * check the decoder/preprocessor events (they have been added to Event queue already).
+ * check the builtin events (they have been added to Event queue already).
* If its order is lower than 'pass', it should have been passed.
* This is consistent with other detection rules */
const SnortConfig* sc = p->context->conf;
**
** Notes:
** 11/1/05 Updates to add support for rules for all events in
-** decoders and preprocessors and the detection engine.
+** decoders and inspectors and the detection engine.
** Added support for rule by rule flushing control via
** metadata. Also added code to check for an otn for every
** event (gid,sid pair). This is now required to get events
-** to be logged. The decoders and preprocessors are still
+** to be logged. The decoders and inspectors are still
** configured independently, which allows them to inspect and
** call the alerting functions DetectionEngine::queue_event.
**
** Any event that has no otn associated with it's gid,sid pair
-** will/should not alert, even if the preprocessor or decoder is
+** will/should not alert, even if the inspector or decoder is
** configured to detect an alertable event.
**
** In the future, preporcessor may have an api that gets called
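Review bot: The preprocessor-to-inspector rename this hunk applies stops one line short: the trailing context line still reads `** In the future, preporcessor may have an api that gets called`, which is both the old term and a typo. Suggest `** In the future, inspectors may have an api that gets called`. The comment block continues outside the hunk, so there may be further occurrences below it.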
if ( gid >= SFRF_MAX_GENID )
return status; /* bogus gid */
- // Some events (like 'TCP connection closed' raised by preprocessor may
+ // Some events (like 'TCP connection closed' raised by inspector may
// not have any configured threshold but may impact thresholds for other
// events (like 'TCP connection opened'
_updateDependentThresholds(config, gid, sid, sip, dip, curTime);
/**Either expect or expect future session.
*
- * Preprocessors may add sessions to be expected altogether or to be associated
- * with some data. For example, FTP preprocessor may add data channel that
- * should be expected. Alternatively, FTP preprocessor may add session with
+ * Inspectors may add sessions to be expected altogether or to be associated
+ * with some data. For example, FTP inspector may add data channel that
+ * should be expected. Alternatively, FTP inspector may add session with
* snort protocol ID FTP-DATA.
*
* It is assumed that only one of cliPort or srvPort should be known (!0). This
* therefore acceptable design optimization.
*
* Also, snort_protocol_id is assumed to be consistent between different
- * preprocessors. Each session can be assigned only one snort protocol ID.
+ * inspectors. Each session can be assigned only one snort protocol ID.
* When new snort_protocol_id mismatches existing snort_protocol_id, new
* snort_protocol_id and associated data is not stored.
*
* <value> and skip forward that number of bytes
* ["big"]: process data as big endian (default)
* ["little"]: process data as little endian
- * ["dce"]: let the DCE/RPC 2 preprocessor determine the byte order of the
+ * ["dce"]: let the DCE/RPC 2 inspector determine the byte order of the
* value to be converted
* ["string"]: converted bytes represented as a string needing conversion
* ["hex"]: converted string data is represented in hexadecimal
syslog(LOG_DAEMON | LOG_NOTICE, "%s", buf);
}
-/*
- * Function: LogMessage(const char *, ...)
- *
- * Purpose: Print a message to stdout or with logfacility.
- *
- * Arguments: format => the formatted error string to print out
- * ... => format commands/fillers
- *
- * Returns: void function
- */
+// print an info message to stdout or syslog
void LogMessage(const char* format,...)
{
if ( SnortConfig::log_quiet() )
va_end(ap);
}
-/*
- * Function: WarningMessage(const char *, ...)
- *
- * Purpose: Print a message to stderr or with logfacility.
- *
- * Arguments: format => the formatted error string to print out
- * ... => format commands/fillers
- *
- * Returns: void function
- */
+// print a warning message to stderr or syslog
void WarningMessage(const char* format,...)
{
va_list ap;
va_end(ap);
}
-/*
- * Function: ErrorMessage(const char *, ...)
- *
- * Purpose: Print a message to stderr.
- *
- * Arguments: format => the formatted error string to print out
- * ... => format commands/fillers
- *
- * Returns: void function
- */
+// print a warning message to stderr or syslog
void ErrorMessage(const char* format,...)
{
va_list ap;
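Review bot: The new one-line header on ErrorMessage, `// print a warning message to stderr or syslog`, is a verbatim copy of WarningMessage's and misdescribes the function; it should at least read `// print an error message to stderr or syslog`. Note that the header being removed said "Print a message to stderr." with no log facility, whereas the new text claims syslog as well, so confirm against the body (which continues outside the hunk) whether ErrorMessage actually routes through syslog before keeping that half of the sentence.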
va_end(ap);
}
-/*
- * Function: FatalError(const char *, ...)
- *
- * Purpose: When a fatal error occurs, this function prints the error message
- * and cleanly shuts down the program
- *
- * Arguments: format => the formatted error string to print out
- * ... => format commands/fillers
- *
- * Returns: void function
- */
+// when a fatal error occurs, this function prints the error message
+// and cleanly shuts down the program
[[noreturn]] void FatalError(const char* format,...)
{
char buf[STD_BUF+1];
static std::string get_action_string(Actions::Type);
static Actions::Type get_action_type(const char*);
- static Actions::Type get_max_action_types(void);
+ static Actions::Type get_max_action_types();
static std::string get_action_priorities(bool);
static void thread_init(const snort::SnortConfig*);
if (newAppId <= APP_ID_NONE or newAppId >= SF_APPID_MAX)
return;
- // Certain AppIds are not useful to identifying snort preprocessor choices
+ // Certain AppIds are not useful to identifying snort inspector choices
switch (newAppId)
{
case APP_ID_FTPS:
(Stream::get_snort_protocol_id(p->flow) ==
asd.config.snort_proto_ids[PROTO_INDEX_FTP_DATA]))
{
- // If we see SSL on an FTP data channel set tpAppId back
- // to APP_ID_NONE so the FTP preprocessor picks up the flow.
+ // If we see SSL on an FTP data channel set tpAppId back
+ // to APP_ID_NONE so the FTP inspector picks up the flow.
tp_app_id = APP_ID_NONE;
}
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-/* Snort ARPspoof Preprocessor Plugin
+/* Snort ARPspoof Plugin
* by Jeff Nathan <jeff@snort.org>
* Version 0.1.4
*
* Purpose:
*
- * This preprocessor looks for anomalies in ARP traffic and attempts to
+ * This inspector looks for anomalies in ARP traffic and attempts to
* maliciously overwrite ARP cache information on hosts.
*
* Arguments:
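Review bot: The rewritten purpose line `This inspector looks for anomalies in ARP traffic and attempts to maliciously overwrite ARP cache information on hosts.` reads as if the inspector does the overwriting; since the line is being touched anyway, make it `This inspector looks for anomalies in ARP traffic and for attempts to maliciously overwrite ARP cache information on hosts.` The header comment continues past the hunk.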
// cip_definitions.h author RA/Cisco
-/* Description: Common types for the CIP preprocessor. */
+/* Description: Common types for the CIP inspector. */
#ifndef CIP_DEFINITIONS_H
#define CIP_DEFINITIONS_H
#define MSEC_PER_SEC (1000)
#define USEC_PER_SEC (1000000)
-// CIP preprocessor configuration
+// CIP inspector configuration
struct CipProtoConf
{
// Unconnected timeout, seconds.
// cip_paf.cc author RA/Cisco
-/* Description: Protocol-Aware Flushing (PAF) code for the CIP preprocessor.*/
+/* Description: Protocol-Aware Flushing (PAF) code for the CIP inspector. */
#ifdef HAVE_CONFIG_H
#include "config.h"
// cip_paf.h author RA/Cisco
-/* Description: Protocol-Aware Flushing (PAF) code for the CIP preprocessor. */
+/* Description: Protocol-Aware Flushing (PAF) code for the CIP inspector. */
#ifndef CIP_PAF_H
#define CIP_PAF_H
// ips_cip_attribute.cc author Jian Wu <jiawu2@cisco.com>
-/* Description: Rule options for CIP preprocessor */
+/* Description: Rule options for CIP inspector */
#ifdef HAVE_CONFIG_H
#include "config.h"
// ips_cip_class.cc author Jian Wu <jiawu2@cisco.com>
-/* Description: Rule options for CIP preprocessor */
+/* Description: Rule options for CIP inspector */
#ifdef HAVE_CONFIG_H
#include "config.h"
// ips_cip_connpathclass.cc author Jian Wu <jiawu2@cisco.com>
-/* Description: Rule options for CIP preprocessor */
+/* Description: Rule options for CIP inspector */
#ifdef HAVE_CONFIG_H
#include "config.h"
// ips_cip_enipcommand.cc author Jian Wu <jiawu2@cisco.com>
-/* Description: Rule options for CIP preprocessor */
+/* Description: Rule options for CIP inspector */
#ifdef HAVE_CONFIG_H
#include "config.h"
// ips_cip_enipreq.cc author Jian Wu <jiawu2@cisco.com>
-/* Description: Rule options for CIP preprocessor */
+/* Description: Rule options for CIP inspector */
#ifdef HAVE_CONFIG_H
#include "config.h"
// ips_cip_eniprsp.cc author Jian Wu <jiawu2@cisco.com>
-/* Description: Rule options for CIP preprocessor */
+/* Description: Rule options for CIP inspector */
#ifdef HAVE_CONFIG_H
#include "config.h"
// ips_cip_instance.cc author Jian Wu <jiawu2@cisco.com>
-/* Description: Rule options for CIP preprocessor */
+/* Description: Rule options for CIP inspector */
#ifdef HAVE_CONFIG_H
#include "config.h"
// ips_cip_req.cc author Jian Wu <jiawu2@cisco.com>
-/* Description: Rule options for CIP preprocessor */
+/* Description: Rule options for CIP inspector */
#ifdef HAVE_CONFIG_H
#include "config.h"
// ips_cip_rsp.cc author Jian Wu <jiawu2@cisco.com>
-/* Description: Rule options for CIP preprocessor */
+/* Description: Rule options for CIP inspector */
#ifdef HAVE_CONFIG_H
#include "config.h"
// ips_cip_service.cc author Jian Wu <jiawu2@cisco.com>
-/* Description: Rule options for CIP preprocessor */
+/* Description: Rule options for CIP inspector */
#ifdef HAVE_CONFIG_H
#include "config.h"
// ips_cip_status.cc author Jian Wu <jiawu2@cisco.com>
-/* Description: Rule options for CIP preprocessor */
+/* Description: Rule options for CIP inspector */
#ifdef HAVE_CONFIG_H
#include "config.h"
/****************************************************************************
* Provides list, queue and stack data structures and methods for use
- * with the preprocessor.
+ * with the inspector.
*
* 8/17/2008 - Initial implementation ... Todd Wease <twease@sourcefire.com>
*
/****************************************************************************
* Provides list, queue and stack data structures and methods for use
-* with the preprocessor.
+* with the inspector.
*
* 8/17/2008 - Initial implementation ... Todd Wease <twease@sourcefire.com>
*
memory::MemoryCap::update_allocations(sizeof(*this));
}
-Dce2Smb2SessionData::~Dce2Smb2SessionData(void)
+Dce2Smb2SessionData::~Dce2Smb2SessionData()
{
session_data_mutex.lock();
for (auto it_session : connected_sessions)
return true;
}
-Dce2Smb2FileTracker::~Dce2Smb2FileTracker(void)
+Dce2Smb2FileTracker::~Dce2Smb2FileTracker()
{
if (smb_module_is_up and (is_packet_thread()))
{
}
// Session Tracker is created and destroyed only from session cache
-Dce2Smb2SessionTracker::~Dce2Smb2SessionTracker(void)
+Dce2Smb2SessionTracker::~Dce2Smb2SessionTracker()
{
if (smb_module_is_up and (snort::is_packet_thread()))
{
remove_request(message_id, current_flow_key);
}
-Dce2Smb2TreeTracker::~Dce2Smb2TreeTracker(void)
+Dce2Smb2TreeTracker::~Dce2Smb2TreeTracker()
{
if (smb_module_is_up and (is_packet_thread()))
{
// functionality for tracking sub-sessions or activities within a
// connectionless conversation and for tracking and reassembling fragments
// within each activity. Also sets appropriate data for use with
-// preprocessor rule options.
+// inspector rule options.
#ifdef HAVE_CONFIG_H
#include "config.h"
const char* DCE2_UuidToStr(
const Uuid*, DceRpcBoFlag, char (&buf)[DCE2_UUID_BUF_SIZE]);
-/********************************************************************
- * Function: DCE2_IsSpaceChar()
- *
- * Determines if the character passed in is a character that
- * the preprocessor considers a to be a space character.
- *
- * Arguments:
- * const char
- * The character to make the determination on.
- *
- * Returns:
- * bool
- * true if a valid space character.
- * false if not a valid space character.
- *
- ********************************************************************/
+// Determines if the character passed in is a character that
+// the inspector considers a to be a space character.
+
inline bool DCE2_IsSpaceChar(const char c)
{
if (isspace((int)c))
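Review bot: The trailing context line `if (isspace((int)c))` passes a plain `char` to a ctype function; on platforms where `char` is signed, any byte above 0x7F becomes a negative int, which is undefined behavior for `isspace` (only EOF and unsigned-char values are valid), and this helper is fed text from DCE/RPC configuration/rule parsing. The safe form is `if (isspace((unsigned char)c))`. Separately, the new comment carries over the old stray article in `the inspector considers a to be a space character` (and the next hunk's `considers a to be an end of configuration`); `the inspector considers to be a space character` reads correctly. The function body continues outside the hunk.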
return false;
}
-/********************************************************************
- * Function: DCE2_IsConfigEndChar()
- *
- * Determines if the character passed in is a character that
- * the preprocessor considers a to be an end of configuration
- * character.
- *
- * Arguments:
- * const char
- * The character to make the determination on.
- *
- * Returns:
- * bool
- * true if a valid end of configuration character.
- * false if not a valid end of configuration character.
- *
- ********************************************************************/
+// Determines if the character passed in is a character that
+// the inspector considers a to be an end of configuration
+// character.
+
inline bool DCE2_IsConfigEndChar(const char c)
{
if (c == DCE2_CFG_TOK__END)
return false;
}
-/********************************************************************
- * Function: DCE2_PruneWhiteSpace()
- *
- * Prunes whitespace surrounding string.
- * String must be 0 terminated.
- *
- * Arguments:
- * char *
- * null terminated string to prune.
- * int
- * length of string
- *
- * Returns:
- * char * - Pointer to the pruned string. Note that the pointer
- * still points within the original string.
- *
- * Side effects: Spaces at the end of the string passed in as an
- * argument are replaced by null bytes.
- *
- ********************************************************************/
+// Prunes whitespace surrounding string.
+// String must be 0 terminated.
+
inline char* DCE2_PruneWhiteSpace(char* str)
{
char* end;
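Review bot: The replacement header for DCE2_PruneWhiteSpace drops two contract details the removed one carried: the returned pointer still points inside the caller's buffer, and trailing spaces are overwritten in place with NUL bytes. Both matter to callers (the result must not be freed on its own, and the input is mutated), so keep them, e.g. `// Returns a pointer into the original string; trailing spaces are overwritten with NULs.` The function body continues outside the hunk, so I have not verified the current implementation still behaves exactly as the removed comment described.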
return str;
}
-/********************************************************************
- * Function: DCE2_IsEmptyStr()
- *
- * Checks if string is null, empty or just spaces.
- * String must be 0 terminated.
- *
- * Arguments: None
- * char * - string to check
- *
- * Returns:
- * true if string is null, empty or just spaces
- * false otherwise
- *
- ********************************************************************/
+// Checks if string is null, empty or just spaces.
+// String must be 0 terminated.
+
inline bool DCE2_IsEmptyStr(char* str)
{
char* end;
* Function: DCE2_IsOpnumChar()
*
* Determines if the character passed in is a character that
- * the preprocessor considers a to be a valid character for a
+ * the inspector considers a to be a valid character for a
* DCE/RPC opnum.
*
* Arguments:
* Function: DCE2_SmbInspect()
*
* Purpose:
- * Determines whether the SMB command is something the preprocessor
+ * Determines whether the SMB command is something the inspector
* needs to inspect.
* This function returns a DCE2_SmbRequestTracker which tracks command
* requests / responses.
DCE2_SmbSetValidWordCount((uint8_t)com, SMB_TYPE__REQUEST, 16);
// \PIPE\LANMAN
- // Not something the preprocessor is looking at as it
+ // Not something the inspector is looking at as it
// doesn't carry DCE/RPC but don't want to false positive
- // on the preprocessor event.
+ // on the inspector event.
DCE2_SmbSetValidWordCount((uint8_t)com, SMB_TYPE__REQUEST, 14);
// Word count depends on setup count
else
dnp3_sess->direction = DNP3_SERVER;
- /* Do preprocessor-specific detection stuff here */
if (p->has_tcp_data())
{
++dnp3_stats.tcp_pdus;
if ( !Stream::is_stream_sequenced(p->flow, SSN_DIR_FROM_CLIENT) )
return;
-
- // If we're waiting on stream reassembly, don't process this packet.
- if ( p->packet_flags & PKT_STREAM_INSERT )
- return;
}
// Get the direction of the packet.
#define DNS_RESP_STATE_ADD_RR 0x60
// Per-session data block containing current state
-// of the DNS preprocessor for the session.
+// of the DNS inspector for the session.
struct DNSData
{
uint32_t state; // The current state of the session.
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-/* pp_ftp.c
- *
- * Purpose: FTP sessions contain commands and responses. Certain
- * commands are vectors of attack. This module checks
- * those FTP client commands and their parameter values, as
- * well as the server responses per the configuration.
- *
- * Arguments: None
- *
- * Effect: Alerts may be raised
- *
- * Comments:
- *
- */
-
-/* your preprocessor header file goes here */
+// FTP sessions contain commands and responses. Certain commands are
+// vectors of attack. This module checks those FTP client commands and
+// their parameter values, as well as the server responses per the
+// configuration.
#ifdef HAVE_CONFIG_H
#include "config.h"
#include "ftpp_si.h"
-/* list of function prototypes for this preprocessor */
extern int check_ftp(FTP_SESSION* session, snort::Packet* p, int iMode);
-
extern int initialize_ftp(FTP_SESSION* session, snort::Packet* p, int iMode);
#endif
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-/* Snort Preprocessor for Telnet Negotiation Normalization*/
-
-/* pp_telnet.c
- *
- * Purpose: Telnet sessions can contain telnet negotiation strings
- * that can disrupt pattern matching. This plugin detects
- * negotiation strings in stream and "normalizes" them much like
- * the http_decode preprocessor normalizes encoded URLs
- *
- *
- * official registry of options
- * http://www.iana.org/assignments/telnet-options
- *
- * Arguments: None
- *
- * Effect: The telnet negotiation data is removed from the data
- *
- * Comments:
- *
- */
-/* your preprocessor header file goes here */
+// Telnet sessions can contain telnet negotiation strings that can disrupt
+// pattern matching. This plugin detects negotiation strings in stream and
+// normalizes them much like the http_inspect normalizes encoded URLs.
+//
+// official registry of options
+// http://www.iana.org/assignments/telnet-options
#ifdef HAVE_CONFIG_H
#include "config.h"
return len ? buf.data : nullptr;
}
-/*
- * Function: normalize_telnet(Packet *)
- *
- * Purpose: Perform the preprocessor's intended function. This can be
- * simple (statistics collection) or complex (IP defragmentation)
- * as you like. Try not to destroy the performance of the whole
- * system by trying to do too much....
- *
- * Arguments: p => pointer to the current packet data struct
- *
- * Returns: void function
- *
- */
int normalize_telnet(
TELNET_SESSION* tnssn, Packet* p, DataBuffer& buf,
int iMode, char ignoreEraseCmds, bool on_ftp_channel)
#define FTPP_IGNORE_TNC_ERASE_CMDS 1
struct DataBuffer;
-/* list of function prototypes for this preprocessor */
-extern int normalize_telnet(TELNET_SESSION*, snort::Packet*, DataBuffer&, int iMode, char ignoreEraseCmd, bool on_ftp_channel);
+
+extern int normalize_telnet(
+ TELNET_SESSION*, snort::Packet*, DataBuffer&, int iMode, char ignoreEraseCmd, bool on_ftp_channel);
void reset_telnet_buffer(snort::Packet*);
const uint8_t* get_telnet_buffer(snort::Packet*, unsigned&);
//--------------------------------------------------------------------------
// gtp.cc author Hui Cao <hcao@sourcefire.com>
-// This is the main entry point for this preprocessor
+// This is the main entry point for this inspector
#ifdef HAVE_CONFIG_H
#include "config.h"
return pRopts;
}
-// Main runtime entry point for GTP preprocessor.
+// Main runtime entry point for GTP inspector.
void GTPmain(const GTPConfig& config, Packet* packetp)
{
/* Attempt to get a previously allocated GTP block. */
//--------------------------------------------------------------------------
// gtp_inspect.cc author Russ Combs <rucombs@cisco.com>
-// adapt 2x preprocessor code to 3x inspector
#ifdef HAVE_CONFIG_H
#include "config.h"
// modeled after modbus_paf.cc (author Ryan Jordan)
// modeled after s7comm_paf.cc (author Pradeep Damodharan <prdamodh@cisco.com>)
-// Protocol-Aware Flushing (PAF) code for the IEC104 preprocessor.
+// Protocol-Aware Flushing (PAF) code for the IEC104 inspector.
#ifdef HAVE_CONFIG_H
#include "config.h"
#ifndef IEC104_PAF__H
#define IEC104_PAF__H
-// Protocol-Aware Flushing (PAF) code for the IEC104 preprocessor.
+// Protocol-Aware Flushing (PAF) code for the IEC104 inspector.
#include "stream/stream_splitter.h"
}
}
-/* Main runtime entry point for IMAP preprocessor.
- * Analyzes IMAP packets for anomalies/exploits.
- *
- * PARAMETERS:
- *
- * p: Pointer to current packet to process.
- * contextp: Pointer to context block, not used.
- *
- * RETURNS: Nothing.
- */
+// Analyzes IMAP packets for anomalies/exploits.
+
static void snort_imap(IMAP_PROTO_CONF* config, Packet* p)
{
/* Attempt to get a previously allocated IMAP block. */
/* MEI Type 0x0E is covered under the Modbus spec as
"Read Device Identification". Type 0x0D is defined in
the spec as "CANopen General Reference Request and Response PDU"
- and falls outside the scope of the Modbus preprocessor.
+ and falls outside the scope of the Modbus inspector.
Other values are reserved.
*/
/* MEI Type 0x0E is covered under the Modbus spec as
"Read Device Identification". Type 0x0D is defined in
the spec as "CANopen General Reference Request and Response PDU"
- and falls outside the scope of the Modbus preprocessor.
+ and falls outside the scope of the Modbus inspector.
Other values are reserved.
*/
//--------------------------------------------------------------------------
// modbus_paf.cc author Ryan Jordan
-// Protocol-Aware Flushing (PAF) code for the Modbus preprocessor.
+// Protocol-Aware Flushing (PAF) code for the Modbus inspector.
#ifdef HAVE_CONFIG_H
#include "config.h"
#ifndef MODBUS_PAF__H
#define MODBUS_PAF__H
-// Protocol-Aware Flushing (PAF) code for the Modbus preprocessor.
+// Protocol-Aware Flushing (PAF) code for the Modbus inspector.
#include "stream/stream_splitter.h"
}
}
-/* Main runtime entry point for POP preprocessor.
- * Analyzes POP packets for anomalies/exploits.
- *
- * PARAMETERS:
- *
- * p: Pointer to current packet to process.
- * contextp: Pointer to context block, not used.
- *
- * RETURNS: Nothing.
- */
+// Analyzes POP packets for anomalies/exploits.
+
static void snort_pop(POP_PROTO_CONF* config, Packet* p)
{
/* Attempt to get a previously allocated POP block. */
*
* Purpose:
*
- * This preprocessor normalizes the RPC requests from remote machines by
+ * This inspector normalizes the RPC requests from remote machines by
* converting all fragments into one continuous stream.
* This is very useful for doing things like defeating hostile attackers
* trying to stealth themselves from IDSs by fragmenting the request so the
* The minimum "valid" packet for us is 8 fields * 4 bytes
*
* This decoder is ignorant of TCP state so we'll have to assume
- * that reassembled TCP stuff is reinjected to the preprocessor
+ * that reassembled TCP stuff is reinjected to the inspector
* chain
*
* This decoder is also ignorant of multiple RPC requests in a
// s7comm_paf.cc author Pradeep Damodharan <prdamodh@cisco.com>
// based on work by Jeffrey Gu <jgu@cisco.com>
-// Protocol-Aware Flushing (PAF) code for the S7commplus preprocessor.
+// Protocol-Aware Flushing (PAF) code for the S7commplus inspector.
#ifdef HAVE_CONFIG_H
#include "config.h"
#ifndef S7COMM_PAF__H
#define S7COMM_PAF__H
-// Protocol-Aware Flushing (PAF) code for the S7commplus preprocessor.
+// Protocol-Aware Flushing (PAF) code for the S7commplus inspector.
#include "stream/stream_splitter.h"
return status;
}
-/* Main runtime entry point for SIP preprocessor.
- * Analyzes SIP packets for anomalies/exploits.
- *
- * PARAMETERS:
- *
- * p: Pointer to current packet to process.
- * contextp: Pointer to context block, not used.
- *
- * RETURNS: Nothing.
- */
+// Main runtime entry point for SIP inspector.
+
static void snort_sip(SIP_PROTO_CONF* config, Packet* p)
{
Profile profile(sipPerfStats);
ConfigLogger::log_value("max_content_len", config->maxContentLen);
ConfigLogger::log_value("max_dialogs", config->maxNumDialogsInSession);
ConfigLogger::log_value("max_from_len", config->maxFromLen);
- ConfigLogger::log_value("max_requestName_len", config->maxRequestNameLen);
+ ConfigLogger::log_value("max_request_name_len", config->maxRequestNameLen);
ConfigLogger::log_value("max_to_len", config->maxToLen);
ConfigLogger::log_value("max_uri_len", config->maxUriLen);
ConfigLogger::log_value("max_via_len", config->maxViaLen);
{ "max_from_len", Parameter::PT_INT, "0:65535", "256",
"maximum from field size" },
- { "max_requestName_len", Parameter::PT_INT, "0:65535", "20",
+ { "max_request_name_len", Parameter::PT_INT, "0:65535", "20",
"maximum request name field size" },
+ { "max_requestName_len", Parameter::PT_INT, "0:65535", "20",
+ "deprecated - use max_request_name_len instead" },
+
{ "max_to_len", Parameter::PT_INT, "0:65535", "256",
"maximum to field size" },
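Review bot: The deprecated alias entry `{ "max_requestName_len", Parameter::PT_INT, "0:65535", "20", "deprecated - use max_request_name_len instead" }` keeps a default of "20" alongside the new parameter's default, and the parse branch in the following hunk writes both keys into `conf->maxRequestNameLen`; if the module framework fills in defaults for any parameter the user did not set, a user-supplied `max_request_name_len` could be overwritten by the alias default depending on apply order, which is worth confirming. A config that still uses the old key also gets no visible deprecation warning from what is shown here, so the FIXIT-L in the next hunk has nothing to nudge users toward the new name. If the table format accepts a null default (as other deprecated aliases in the tree may already do, confirm), giving the alias no default avoids the ordering question entirely.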
else if ( v.is("max_from_len") )
conf->maxFromLen = v.get_uint16();
- else if ( v.is("max_requestName_len") )
+ // FIXIT-L max_requestName_len is deprecated - delete
+ else if ( v.is("max_request_name_len") or v.is("max_requestName_len") )
conf->maxRequestNameLen = v.get_uint16();
else if ( v.is("max_to_len") )
}
}
-/*
- * Entry point to snort preprocessor for each packet
- *
- * @param packet standard Packet structure
- *
- * @return none
- */
static void snort_smtp(SmtpProtoConf* config, Packet* p)
{
int pkt_dir;
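Review bot: snort_smtp is the only one of the service entry points in this change left without a header after the old block comment is removed; the sibling hunks give snort_imap, snort_pop, snort_sip, snort_ssh and snort_ssl a one-line replacement. For consistency add `// Main runtime entry point for SMTP inspector.` above `static void snort_smtp(SmtpProtoConf* config, Packet* p)`. The function body continues outside the hunk.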
//--------------------------------------------------------------------------
/*
- * SSH preprocessor
+ * SSH inspector
* Author: Chris Sherwin
* Contributors: Adam Keeton, Ryan Jordan
*/
return ssh_length;
}
-/* Main runtime entry point for SSH preprocessor.
- * Analyzes SSH packets for anomalies/exploits.
- *
- * PARAMETERS:
- *
- * p: Pointer to current packet to process.
- * contextp: Pointer to context block, not used.
- *
- * RETURNS: Nothing.
- */
+// Main runtime entry point for SSH inspector.
+
static void snort_ssh(SSH_PROTO_CONF* config, Packet* p)
{
Profile profile(sshPerfStats);
if (sessp->state_flags & SSH_FLG_MISSED_PACKETS)
return;
- // Make sure this preprocessor should run.
- // check if we're waiting on stream reassembly
- if ( p->packet_flags & PKT_STREAM_INSERT )
- return;
-
// If we picked up mid-stream or missed any packets (midstream pick up
// means we've already missed packets) set missed packets flag and make
// sure we don't do any more reassembly on this session
#define SSH_VERSION_2 (0x2)
// Per-session data block containing current state
-// of the SSH preprocessor for the session.
+// of the SSH inspector for the session.
struct SSHData
{
uint8_t version = SSH_VERSION_UNKNOWN; // Version of SSH detected for this session
}
}
-/* Main runtime entry point for SSL preprocessor.
- * Analyzes SSL packets for anomalies/exploits.
- *
- * PARAMETERS:
- *
- * p: Pointer to current packet to process.
- * contextp: Pointer to context block, not used.
- *
- * RETURNS: Nothing.
- */
+// Analyzes SSL packets for anomalies/exploits.
+
static void snort_ssl(SSL_PROTO_CONF* config, Packet* p)
{
Profile profile(sslPerfStats);
else if (keyword == "max_requestName_len")
{
- tmpval = parse_int_option("max_requestName_len", arg_stream, false);
+ tmpval = parse_int_option("max_request_name_len", arg_stream, false);
+ table_api.add_diff_option_comment("max_requestName_len", "max_request_name_len");
}
else if (keyword == "max_sessions")