Merge pull request #1825 in SNORT/snort3 from ~RUCOMBS/snort3:talos_alignment to...
authorRuss Combs (rucombs) <rucombs@cisco.com>
Mon, 4 Nov 2019 15:15:45 +0000 (10:15 -0500)
committerRuss Combs (rucombs) <rucombs@cisco.com>
Mon, 4 Nov 2019 15:15:45 +0000 (10:15 -0500)
Squashed commit of the following:

commit 08d2f79e350a96c4359e7169ff1369e97f86f458
Author: russ <rucombs@cisco.com>
Date:   Fri Nov 1 10:22:36 2019 -0400

    search_engine: stop searching if queue limit is reached

commit 6e23316f0236958c4656610bdc1bad3a164c1a9f
Author: russ <rucombs@cisco.com>
Date:   Tue Oct 29 18:46:47 2019 -0400

    lua: tweak default conf and add tweaks for various scenarios

    Remove perf related configs from default snort.lua.  These depend
    on the specific deployment.

    Add lua files for connectivity, balanced, security, and max detect
    which provide an easy way to start tuning your config.

commit e1bc66e26d8b042153e8c41ba7f05526f4bdab38
Author: russ <rucombs@cisco.com>
Date:   Mon Nov 4 07:42:01 2019 -0500

    imap, pop, smtp: changed default decode depths to unlimited

commit d93e7ec438fec3ecbfd404fb33e0f1e5a8283846
Author: russ <rucombs@cisco.com>
Date:   Fri Nov 1 10:15:42 2019 -0400

    http_inspect: change accelerated_blocking to detained_inspection

commit 8f93239ab64372053cd7c1c1806b03e5b6768e54
Author: russ <rucombs@cisco.com>
Date:   Wed Oct 30 07:57:54 2019 -0400

    ips_option::enable: fix dynamic plugin build

commit d803c6f0c428dfd491733db4f18311157a7247d6
Author: russ <rucombs@cisco.com>
Date:   Tue Oct 29 22:09:28 2019 -0400

    detection: negated fast patterns are last choice

commit 1b9bfcaa59a55b43f17817d6a2ad351aab9ec4af
Author: russ <rucombs@cisco.com>
Date:   Tue Oct 29 13:34:27 2019 -0400

    ips: define a builtin GID range to prevent unloaded SIDs from firing on all packets

    100 <= GID <= 999 defines a builtin rule range such that SIDs from GIDs in this range
    that are configured won't fire unless the module is loaded and configured.  This is
    helpful when a dynamic plugin is not loaded.  It is possible to have builtin GIDs
    outside this range, but they may fire inadvertently.

    Also, note that "builtin" rules don't include just statically linked modules.  Any
    plugin generator (excluding text rules and SO rules) is considered "builtin".

    Exception to the above is granted for the old SDF (138) generator from Snort 2.
    Rules for GID 138 may appear as a result of snort2lua or user porting efforts so
    it is not considered a builtin rule.

commit d6f3553be176e7e916c627a2235546d5b0bf99a3
Author: russ <rucombs@cisco.com>
Date:   Tue Oct 29 11:13:50 2019 -0400

    port_scan: increase default memcap to a more reasonable 10M

commit 1ec6e5825939555a5924de522ae5608a49f98c69
Author: russ <rucombs@cisco.com>
Date:   Tue Oct 29 11:12:07 2019 -0400

    telnet: fix check_encrypted help string

commit b30cebb995019ef83de4d9cd52a9d2f929a006c9
Author: russ <rucombs@cisco.com>
Date:   Sat Oct 26 19:43:19 2019 -0400

    dce_smb: deprecate config for smb_file_inspection, use smb_file_depth only

commit 147827d7a3228ebabf973ff1a188b13d4f50d939
Author: russ <rucombs@cisco.com>
Date:   Tue Oct 22 14:36:07 2019 -0400

    normalizer: make tcp.ips defaults to true

36 files changed:
lua/CMakeLists.txt
lua/balanced.lua [new file with mode: 0644]
lua/connectivity.lua [new file with mode: 0644]
lua/max_detect.lua [new file with mode: 0644]
lua/security.lua [new file with mode: 0644]
lua/snort.lua
lua/talos.lua
src/detection/fp_create.cc
src/detection/fp_detect.cc
src/detection/fp_utils.cc
src/detection/rules.h
src/ips_options/CMakeLists.txt
src/network_inspectors/normalize/norm_module.cc
src/network_inspectors/port_scan/ps_module.cc
src/parser/parse_rule.cc
src/service_inspectors/dce_rpc/dce_smb.cc
src/service_inspectors/dce_rpc/dce_smb2.cc
src/service_inspectors/dce_rpc/dce_smb_module.cc
src/service_inspectors/dce_rpc/dce_smb_module.h
src/service_inspectors/dce_rpc/dce_smb_utils.cc
src/service_inspectors/ftp_telnet/telnet_module.cc
src/service_inspectors/http_inspect/dev_notes.txt
src/service_inspectors/http_inspect/http_cutter.cc
src/service_inspectors/http_inspect/http_cutter.h
src/service_inspectors/http_inspect/http_flow_data.cc
src/service_inspectors/http_inspect/http_flow_data.h
src/service_inspectors/http_inspect/http_module.cc
src/service_inspectors/http_inspect/http_module.h
src/service_inspectors/http_inspect/http_msg_header.cc
src/service_inspectors/http_inspect/http_stream_splitter_scan.cc
src/service_inspectors/http_inspect/http_tables.cc
src/service_inspectors/http_inspect/http_test_input.h
src/service_inspectors/imap/imap_module.cc
src/service_inspectors/pop/pop_module.cc
src/service_inspectors/smtp/smtp_module.cc
tools/snort2lua/preprocessor_states/pps_dcerpc_server.cc

index 4f9fc0343b99957828612fee2e4fb86f3e12e301..b8866ef03f99d955ca3efad2f38e5dcea84ca513 100644 (file)
@@ -1,7 +1,11 @@
 
 set (LUA_SCRIPTS
+    balanced.lua
+    connectivity.lua
     file_magic.lua
     inline.lua
+    max_detect.lua
+    security.lua
     snort.lua
     snort_defaults.lua
     talos.lua
diff --git a/lua/balanced.lua b/lua/balanced.lua
new file mode 100644 (file)
index 0000000..74fbc89
--- /dev/null
@@ -0,0 +1,21 @@
+---------------------------------------------------------------------------
+-- balanced connectivity and security policy
+-- use with -c snort.lua --tweaks balanced
+---------------------------------------------------------------------------
+
+http_inspect.request_depth = 300
+http_inspect.response_depth = 500
+
+normalizer.tcp =
+{
+    ips = false,
+    rsv = false,
+    pad = false,
+    req_urg = false,
+    req_pay = false,
+    req_urp = false,
+    block = false,
+}
+
+port_scan = nil
+
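Review bot: `port_scan = nil` removes the port_scan inspector from this policy, and the same line appears in connectivity.lua, security.lua and max_detect.lua, so even the tweak described as maximum detection turns port scan detection off without saying why. A one-line comment such as `-- port_scan disabled: <reason>` above the assignment in each of the four files would tell an operator tuning from these starting points whether that is a deliberate throughput trade-off or an oversight. The silent removal is more surprising given that this same commit raises port_scan's default memcap in ps_module.cc.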
diff --git a/lua/connectivity.lua b/lua/connectivity.lua
new file mode 100644 (file)
index 0000000..f9447bd
--- /dev/null
@@ -0,0 +1,24 @@
+---------------------------------------------------------------------------
+-- reduced security policy that favors connectivity
+-- use with -c snort.lua --tweaks connectivity
+---------------------------------------------------------------------------
+
+http_inspect.request_depth = 300
+http_inspect.response_depth = 500
+
+http_inspect.unzip = false
+http_inspect.utf8 = false
+
+normalizer.tcp =
+{
+    ips = false,
+    rsv = false,
+    pad = false,
+    req_urg = false,
+    req_pay = false,
+    req_urp = false,
+    block = false,
+}
+
+port_scan = nil
+
diff --git a/lua/max_detect.lua b/lua/max_detect.lua
new file mode 100644 (file)
index 0000000..bd18f15
--- /dev/null
@@ -0,0 +1,43 @@
+---------------------------------------------------------------------------
+-- maximum detection policy
+-- this will yield lowest throughput
+-- use with -c snort.lua --tweaks max_detect
+---------------------------------------------------------------------------
+
+ftp_server.check_encrypted = true
+
+http_inspect.detained_inspection = true
+http_inspect.decompress_pdf = true
+http_inspect.decompress_swf = true
+http_inspect.decompress_zip = true
+http_inspect.percent_u = true
+http_inspect.normalize_javascript = true
+
+imap.decompress_pdf = true
+imap.decompress_swf = true
+imap.decompress_zip = true
+
+pop.decompress_pdf = true
+pop.decompress_swf = true
+pop.decompress_zip = true
+
+port_scan = nil
+
+search_engine.detect_raw_tcp = true
+search_engine.queue_limit = 0
+
+smtp.decompress_pdf = true
+smtp.decompress_swf = true
+smtp.decompress_zip = true
+
+stream_tcp.require_3whs = 0
+
+stream_tcp.small_segments =
+{
+    count = 3,
+    maximum_size = 150,
+}
+
+telnet.check_encrypted = true
+telnet.normalize = true
+
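Review bot: `search_engine.queue_limit = 0` carries no comment on what 0 means; the MpseStash::push change in this commit skips the limit check when `max` is zero, so 0 appears to mean unlimited, but that is not visible from this file and assumes queue_limit is what feeds MpseStash's max. Suggest `-- 0 = unlimited: every fast-pattern match is queued and evaluated` on the line above it. `stream_tcp.require_3whs = 0` would benefit from the same treatment, since security.lua sets it to 180 and the contrast between the two policies is otherwise unexplained.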
diff --git a/lua/security.lua b/lua/security.lua
new file mode 100644 (file)
index 0000000..9945428
--- /dev/null
@@ -0,0 +1,36 @@
+---------------------------------------------------------------------------
+-- enhanced security policy
+-- use with -c snort.lua --tweaks security
+---------------------------------------------------------------------------
+
+ftp_server.check_encrypted = true
+
+http_inspect.decompress_pdf = true
+http_inspect.decompress_swf = true
+http_inspect.decompress_zip = true
+
+imap.decompress_pdf = true
+imap.decompress_swf = true
+imap.decompress_zip = true
+
+pop.decompress_pdf = true
+pop.decompress_swf = true
+pop.decompress_zip = true
+
+port_scan = nil
+
+smtp.decompress_pdf = true
+smtp.decompress_swf = true
+smtp.decompress_zip = true
+
+stream_tcp.require_3whs = 180
+
+stream_tcp.small_segments =
+{
+    count = 3,
+    maximum_size = 150,
+}
+
+telnet.check_encrypted = true
+telnet.normalize = true
+
index 9032ecc462bb9fde41eb9646a0849108fba481d2..f7ac1adc423fdacc8f15ce44771406f92c64c838 100644 (file)
@@ -148,11 +148,7 @@ binder =
 ---------------------------------------------------------------------------
 
 -- use latency to monitor / enforce packet and rule thresholds
-latency =
-{
-    packet = { max_time = 1500 },
-    rule = { max_time = 200 },
-}
+--latency = { }
 
 -- use these to capture perf data for analysis and tuning
 --profiler = { }
index 5a3630c192f09387acb4e8ecfd9cc222014a3893..a165fc4b33a875c21405e564c26d4ea312e99c09 100644 (file)
@@ -29,8 +29,6 @@ daq =
     snaplen = 65535
 }
 
-normalizer = { tcp = { ips = true } }
-
 snort = { }
 snort['-Q'] = true
 
index c4482256be55c32b2fbaa922d2d662d9cdfbde33..bcce9ad5e8a772f3bc369179f00ecd9833e214fc 100644 (file)
@@ -396,7 +396,7 @@ static int fpFinishPortGroupRule(
         pattern_length = pmd->pattern_size;
     }
 
-    if ( fp->get_debug_print_fast_patterns() )
+    if ( fp->get_debug_print_fast_patterns() and !otn->soid )
         print_fp_info(s_group, otn, pmd, pattern, pattern_length);
 
     PMX* pmx = (PMX*)snort_calloc(sizeof(PMX));
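Review bot: The added `and !otn->soid` condition suppresses fast-pattern debug output for SO rules without a comment, and none of the squashed commit messages mentions it, so the intent is left for the reader to guess. A short comment on the line above, e.g. `// fast patterns of SO rules are not printed by debug_print_fast_patterns`, stating the reason for the exclusion would make it read as deliberate rather than accidental. fpFinishPortGroupRule begins and ends outside this hunk.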
index f754a7ded753b9e31090d737c020a6f703946635..1aa2ce4fa2a32b8b4bf717ef522072ad832cf3a1 100644 (file)
@@ -777,6 +777,12 @@ bool MpseStash::push(void* user, void* tree, int index, void* list)
         }
     }
 
+    if ( max and ( count == max ) )
+    {
+        pmqs.tot_inq_overruns++;
+        return true;
+    }
+
     if ( !max or ( count < max ) )
     {
         Node node;
@@ -790,12 +796,6 @@ bool MpseStash::push(void* user, void* tree, int index, void* list)
         count++;
     }
 
-    if ( max and ( count == max ) )
-    {
-        pmqs.tot_inq_overruns++;
-        return true;
-    }
-
     return false;
 }
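Review bot: Once the overrun check returns early, the guard `if ( !max or ( count < max ) )` that follows can only be false when count exceeds max, which cannot happen if this is the only place count grows and max is not lowered mid-search; the insert could be unconditional, or the guard should carry a comment saying it is kept for the max == 0 case. The return value has also changed in practice: rule_tree_queue (the hunk ending at L356) now propagates it as a non-zero result to stop the search, so `push` should document it at its declaration, e.g. `// returns true when the queue limit has been reached and the caller should stop searching`. Because the search now stops, tot_inq_overruns counts one truncated search rather than one increment per excess match as before; confirm that is what the counter is meant to report. push's body begins outside this hunk.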
 
@@ -858,8 +858,7 @@ static int rule_tree_queue(
 {
     MpseStash* stash = ((IpsContext*)context)->stash;
 
-    stash->push(user, tree, index, list);
-    return 0;
+    return stash->push(user, tree, index, list) ? 1 : 0;
 }
 
 static inline int batch_search(
index 59f661fd77684e6c92c538ca8cbf24310a13e224..5fee5d735f8248cfc4bece1719fd71bf6e60b178 100644 (file)
@@ -289,6 +289,9 @@ bool FpSelector::is_better_than(
     if ( !pmd->is_negated() && rhs.pmd->is_negated() )
         return true;
 
+    if ( pmd->is_negated() && !rhs.pmd->is_negated() )
+        return false;
+
     if ( size > rhs.size )
         return true;
 
index 1a65ee1214c3553630ad51d6273843b6e79b9b6c..5e8bad60bc4d3514e45d338682c85aceac1829b2 100644 (file)
 #define GID_DEFAULT          1
 #define GID_SESSION        135
 
+#define GID_BUILTIN_MIN    100
+#define GID_BUILTIN_MAX    999
+
+// should be revoked in the future
+#define GID_EXCEPTION_SDF  138
+
 #define SESSION_EVENT_SYN_RX 1
 #define SESSION_EVENT_SETUP  2
 #define SESSION_EVENT_CLEAR  3
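Review bot: The new GID_BUILTIN_MIN/GID_BUILTIN_MAX macros encode a policy that is only explained in the commit message; a comment above them should carry it into the header, e.g. `// GIDs in [GID_BUILTIN_MIN, GID_BUILTIN_MAX] are reserved for builtin rules: a configured sid in this range will not fire unless its module is loaded and configured`. The `// should be revoked in the future` comment on GID_EXCEPTION_SDF would be more useful if it said why the exception exists: `// Snort 2 SDF gid; snort2lua and ported rules still emit text rules with it, so it is not treated as builtin`. The `@@` header for this file is missing from the page, so the surrounding context is uncertain.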
index affe4d62b3b7a4d83e688e1c3983f0cb946ac0d1..a1d56704f6ccfa9fc9c805402e155fc17d54b44b 100644 (file)
@@ -101,11 +101,12 @@ else (STATIC_IPS_OPTIONS)
     add_dynamic_module(ips_ber_data ips_options ips_ber_data.cc)
     add_dynamic_module(ips_ber_skip ips_options ips_ber_skip.cc)
     add_dynamic_module(ips_bufferlen ips_options ips_bufferlen.cc)
-    add_dynamic_module(ips_byte_test ips_options ips_byte_test.cc)
-    add_dynamic_module(ips_byte_jump ips_options ips_byte_jump.cc)
     add_dynamic_module(ips_byte_extract ips_options ips_byte_extract.cc)
+    add_dynamic_module(ips_byte_jump ips_options ips_byte_jump.cc)
     add_dynamic_module(ips_byte_math ips_options ips_byte_math.cc)
+    add_dynamic_module(ips_byte_test ips_options ips_byte_test.cc)
     add_dynamic_module(ips_cvs ips_options ips_cvs.cc)
+    add_dynamic_module(ips_enable ips_options ips_enable.cc)
     add_dynamic_module(ips_file_type ips_options ips_file_type.cc)
     add_dynamic_module(ips_flags ips_options ips_flags.cc)
     add_dynamic_module(ips_fragbits ips_options ips_fragbits.cc)
index bc55a7f0870911a45a17b50680522ea051a5a5b6..6f170c774f2d2bd5ede6c7e2c453b3c8b84c1816 100644 (file)
@@ -116,7 +116,7 @@ static const Parameter norm_tcp_params[] =
     { "urp", Parameter::PT_BOOL, nullptr, "true",
       "adjust urgent pointer if beyond segment length" },
 
-    { "ips", Parameter::PT_BOOL, nullptr, "false",
+    { "ips", Parameter::PT_BOOL, nullptr, "true",
       "ensure consistency in retransmitted data" },
 
     { "ecn", Parameter::PT_SELECT, "off | packet | stream", "off",
index 85abdd373d98d36fd1fcb2c3f3c2d186bc3d7b5d..b78f9d017f944e0f63905d22dd0a49ed3c6ac1b9 100644 (file)
@@ -59,7 +59,7 @@ static const Parameter scan_params[] =
 
 static const Parameter ps_params[] =
 {
-    { "memcap", Parameter::PT_INT, "1024:maxSZ", "1048576",
+    { "memcap", Parameter::PT_INT, "1024:maxSZ", "10485760",
       "maximum tracker memory in bytes" },
 
     { "protos", Parameter::PT_MULTI, protos, "all",
index f57f2740840c769fa35c00eea6125d369d7011bd..35f0113abb2cd65a0e2db84f358201400511abdc 100644 (file)
@@ -1154,6 +1154,20 @@ static void parse_rule_state(SnortConfig* sc, RuleTreeNode& rtn, OptTreeNode* ot
     OtnFree(otn);
 }
 
+static bool is_builtin(uint32_t gid)
+{
+    if ( ModuleManager::gid_in_use(gid) )
+        return true;
+
+    // the builtin range prevents unloaded sids from firing on every packet
+    if ( gid < GID_BUILTIN_MIN or gid > GID_BUILTIN_MAX )
+        return false;
+
+    // not builtin but may get used and abused by snort2lua
+    // should be deleted at some point
+    return gid != GID_EXCEPTION_SDF;
+}
+
 void parse_rule_close(SnortConfig* sc, RuleTreeNode& rtn, OptTreeNode* otn)
 {
     if ( s_ignore )
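Review bot: `is_builtin` has no header comment, and its two inline comments describe pieces without the policy the function implements; a comment above it would let a reader understand the GID_EXCEPTION_SDF special case without going to the commit log, e.g. `// A gid is builtin if a loaded module claims it, or if it falls in the reserved builtin range (so a rule for an unloaded plugin is not built as a text rule that fires on every packet); GID 138 (Snort 2 SDF) is excepted because snort2lua and ported rules still emit text rules with it.` The comment `// not builtin but may get used and abused by snort2lua` is also misleading as placed: it sits above `return gid != GID_EXCEPTION_SDF`, which returns true (builtin) for every in-range gid except 138, so it should read `// GID_EXCEPTION_SDF is the one in-range gid that is not builtin`.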
@@ -1226,7 +1240,7 @@ void parse_rule_close(SnortConfig* sc, RuleTreeNode& rtn, OptTreeNode* otn)
         otn->sigInfo.builtin = false;
         so_rule_count++;
     }
-    else if ( ModuleManager::gid_in_use(otn->sigInfo.gid) )
+    else if ( is_builtin(otn->sigInfo.gid) )
     {
         if ( otn->num_detection_opts )
             ParseError("%u:%u builtin rules do not support detection options",
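Review bot: With `is_builtin` now returning true for any gid in the reserved range, a text rule whose gid falls in 100..999 but whose module is not loaded reaches this `ParseError` too, and the message `builtin rules do not support detection options` gives that user no hint that the reserved range is why the rule is treated as builtin. Extending the message to name the range, e.g. `"%u:%u builtin rules (gid %u-%u is reserved for builtin modules) do not support detection options"` with GID_BUILTIN_MIN and GID_BUILTIN_MAX appended to the argument list, would make the failure self-explanatory. The ParseError argument list and the rest of parse_rule_close continue outside this hunk.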
index 25d6cfabc27938ebaccd5a80ffad02173dd9390c..bc77c4cea104d8a7ef15fa101d70fe799bb0d693 100644 (file)
@@ -28,7 +28,6 @@
 #include "file_api/file_service.h"
 #include "protocols/packet.h"
 #include "utils/util.h"
-#include "packet_io/active.h"
 
 #include "dce_context_data.h"
 #include "dce_smb_commands.h"
@@ -337,11 +336,6 @@ private:
 Dce2Smb::Dce2Smb(const dce2SmbProtoConf& pc)
 {
     config = pc;
-    if ((config.smb_file_inspection == DCE2_SMB_FILE_INSPECTION_ONLY)
-        || (config.smb_file_inspection == DCE2_SMB_FILE_INSPECTION_ON))
-    {
-        Active::set_enabled();
-    }
 }
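Review bot: The removed `Active::set_enabled()` call has no replacement, while SMB file inspection stays on by default (smb_file_depth defaults to 16384 in dce_smb_module.cc), so whatever that call was arming for this inspector is now left to other components. If SMB file block verdicts depend on active response being enabled and nothing else (for example the file policy) enables it, blocks configured for SMB-carried files would silently degrade to alert-only; please confirm where active response is enabled now, or restore the call under `if ( config.smb_file_depth != -1 )`. The constructor body is fully within the hunk.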
 
 Dce2Smb::~Dce2Smb()
index 2874fbc35f1daed13bb3ab733f96085d4a8ad760..ff0389e093e54c1b2e6610a36a835af955dcf05d 100644 (file)
@@ -65,9 +65,8 @@ static inline void DCE2_Smb2InsertTid(DCE2_SmbSsnData* ssd, const uint32_t tid,
 {
     bool is_ipc = (share_type != SMB2_SHARE_TYPE_DISK);
 
-    if (!is_ipc && (!DCE2_ScSmbFileInspection((dce2SmbProtoConf*)ssd->sd.config)
-        || ((ssd->max_file_depth == -1) && DCE2_ScSmbFileDepth(
-        (dce2SmbProtoConf*)ssd->sd.config) == -1)))
+    if ( !is_ipc and
+        ssd->max_file_depth == -1 and DCE2_ScSmbFileDepth((dce2SmbProtoConf*)ssd->sd.config) == -1 )
     {
         trace_logf(dce_smb, "Not inserting TID (%u) because it's "
             "not IPC and not inspecting normal file data.\n", tid);
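Review bot: The simplified condition `!is_ipc and ssd->max_file_depth == -1 and DCE2_ScSmbFileDepth((dce2SmbProtoConf*)ssd->sd.config) == -1` is duplicated byte-for-byte in DCE2_SmbInsertTid in dce_smb_utils.cc (hunk ending at L642); the two sites differ only in the trace text and tid width, so a small helper such as `static inline bool file_data_inspected(const DCE2_SmbSsnData* ssd)` in a shared header would keep them from drifting apart. The C-style `(dce2SmbProtoConf*)` cast also survives the rewrite although DCE2_ScSmbFileDepth takes a `const dce2SmbProtoConf*`; if `sd.config` is a void pointer (not visible here), `static_cast<const dce2SmbProtoConf*>(ssd->sd.config)` states the intent and is greppable. DCE2_Smb2InsertTid's body continues outside the hunk.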
@@ -303,7 +302,7 @@ static void DCE2_Smb2CreateRequest(DCE2_SmbSsnData* ssd, const Smb2Hdr*,
     const Smb2CreateRequestHdr* smb_create_hdr,const uint8_t* end)
 {
     uint16_t name_offset = alignedNtohs(&(smb_create_hdr->name_offset));
+
     DCE2_Smb2InitFileTracker(&ssd->ftracker, false, 0);
 
     if (name_offset > SMB2_HEADER_LENGTH)
@@ -337,13 +336,13 @@ static void DCE2_Smb2CreateResponse(DCE2_SmbSsnData* ssd, const Smb2Hdr*,
 {
     uint64_t fileId_persistent;
     uint64_t file_size = UNKNOWN_FILE_SIZE;
-  
+
 
     fileId_persistent = alignedNtohq((const uint64_t*)(&(smb_create_hdr->fileId_persistent)));
     ssd->ftracker.fid_v2 = fileId_persistent;
     if (smb_create_hdr->end_of_file)
     {
-        file_size = alignedNtohq((const uint64_t*)(&(smb_create_hdr->end_of_file)));      
+        file_size = alignedNtohq((const uint64_t*)(&(smb_create_hdr->end_of_file)));
         ssd->ftracker.tracker.file.file_size = file_size;
     }
 
@@ -481,7 +480,7 @@ static void DCE2_Smb2ReadRequest(DCE2_SmbSsnData* ssd, const Smb2Hdr* smb_hdr,
 {
     uint64_t message_id, offset;
     uint64_t fileId_persistent;
-  
+
     message_id = alignedNtohq((const uint64_t*)(&(smb_hdr->message_id)));
     offset = alignedNtohq((const uint64_t*)(&(smb_read_hdr->offset)));
     fileId_persistent = alignedNtohq((const uint64_t*)(&(smb_read_hdr->fileId_persistent)));
@@ -566,7 +565,7 @@ static void DCE2_Smb2Read(DCE2_SmbSsnData* ssd, const Smb2Hdr* smb_hdr,
     {
         uint64_t message_id;
         Smb2Request* request;
-    
+
         message_id = alignedNtohq((const uint64_t*)(&(smb_hdr->message_id)));
         request = DCE2_Smb2GetRequest(ssd, message_id);
         if (!request)
index 6a4c062378925fbb0eea0d9f2393fa550fa8d471..ae8e280670d0f1553d9038ea16b20b9463a0b677 100644 (file)
@@ -129,11 +129,11 @@ static const Parameter s_params[] =
     { "valid_smb_versions", Parameter::PT_MULTI, "v1 | v2 | all", "all",
       "valid SMB versions" },
 
-    { "smb_file_inspection", Parameter::PT_ENUM, "off | on | only", "off",
-      "SMB file inspection" },
+    { "smb_file_inspection", Parameter::PT_ENUM, "off | on | only", nullptr,
+      "deprecated (not used): file inspection controlled by smb_file_depth" },
 
     { "smb_file_depth", Parameter::PT_INT, "-1:32767", "16384",
-      "SMB file depth for file data" },
+      "SMB file depth for file data (-1 = disabled, 0 = unlimited)" },
 
     { "smb_invalid_shares", Parameter::PT_STRING, nullptr, nullptr,
       "SMB shares to alert on " },
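Review bot: Deprecating `smb_file_inspection` flips the effective default: before this commit the default `off` made DCE2_ScSmbFileDepth return -1 regardless of smb_file_depth, whereas now the `smb_file_depth` default of 16384 applies unconditionally, so a deployment that set neither option starts inspecting SMB file data, and one that explicitly set `smb_file_inspection = 'off'` gets it turned on with only a deprecation warning. The ParseWarning in the set() hunk (ending at L550) should therefore tell such users how to restore their setting: `ParseWarning(WARN_CONF, "smb_file_inspection is deprecated (not used): set smb_file_depth = -1 to disable file inspection");`. The default change itself deserves a line in the commit message, since it likely affects throughput and memory planning for SMB-heavy deployments.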
@@ -358,7 +358,7 @@ bool Dce2SmbModule::set(const char* fqn, Value& v, SnortConfig* c)
         set_smb_versions_mask(config,v.get_string());
 
     else if ( v.is("smb_file_inspection") )
-        config.smb_file_inspection = (dce2SmbFileInspection)v.get_uint8();
+        ParseWarning(WARN_CONF, "smb_file_inspection is deprecated (not used): use smb_file_depth");
 
     else if ( v.is("smb_file_depth") )
         config.smb_file_depth = v.get_int16();
@@ -403,24 +403,12 @@ void print_dce2_smb_conf(dce2SmbProtoConf& config)
     else
         LogMessage("    Maximum SMB compounded requests: %u\n", config.smb_max_compound);
 
-    if (config.smb_file_inspection == DCE2_SMB_FILE_INSPECTION_OFF)
-    {
-        LogMessage("    SMB file inspection: Disabled\n");
-    }
+    if (config.smb_file_depth == -1)
+        LogMessage("    SMB file depth: Disabled\n");
+    else if (config.smb_file_depth == 0)
+        LogMessage("    SMB file depth: Unlimited\n");
     else
-    {
-        if (config.smb_file_inspection == DCE2_SMB_FILE_INSPECTION_ONLY)
-            LogMessage("    SMB file inspection: Only\n");
-        else
-            LogMessage("    SMB file inspection: Enabled\n");
-
-        if (config.smb_file_depth == -1)
-            LogMessage("    SMB file depth: Disabled\n");
-        else if (config.smb_file_depth == 0)
-            LogMessage("    SMB file depth: Unlimited\n");
-        else
-            LogMessage("    SMB file depth: %d\n",config.smb_file_depth);
-    }
+        LogMessage("    SMB file depth: %d\n",config.smb_file_depth);
 
     if (config.smb_valid_versions_mask  == DCE2_VALID_SMB_VERSION_FLAG_V1)
     {
index 11eb1e237f41657fd7177e59ecb27bac7b8bd095..f64938c75176010c6e21d0a101a7dff3f91a61c7 100644 (file)
@@ -33,13 +33,6 @@ struct SnortConfig;
 #define DCE2_VALID_SMB_VERSION_FLAG_V1 1
 #define DCE2_VALID_SMB_VERSION_FLAG_V2 2
 
-enum dce2SmbFileInspection
-{
-    DCE2_SMB_FILE_INSPECTION_OFF = 0,
-    DCE2_SMB_FILE_INSPECTION_ON,
-    DCE2_SMB_FILE_INSPECTION_ONLY
-};
-
 enum dce2SmbFingerprintPolicy
 {
     DCE2_SMB_FINGERPRINT_POLICY_NONE = 0,
@@ -63,7 +56,6 @@ struct dce2SmbProtoConf
     uint8_t smb_max_chain;
     uint8_t smb_max_compound;
     uint16_t smb_valid_versions_mask;
-    dce2SmbFileInspection smb_file_inspection;
     int16_t smb_file_depth;
     DCE2_List* smb_invalid_shares;
     bool legacy_mode;
@@ -97,25 +89,8 @@ private:
 
 void print_dce2_smb_conf(dce2SmbProtoConf& config);
 
-inline bool DCE2_ScSmbFileInspection(const dce2SmbProtoConf* sc)
-{
-    if (sc == nullptr)
-        return false;
-    return ((sc->smb_file_inspection == DCE2_SMB_FILE_INSPECTION_ON)
-           || (sc->smb_file_inspection == DCE2_SMB_FILE_INSPECTION_ONLY));
-}
-
-inline bool DCE2_ScSmbFileInspectionOnly(const dce2SmbProtoConf* sc)
-{
-    if (sc == nullptr)
-        return false;
-    return sc->smb_file_inspection == DCE2_SMB_FILE_INSPECTION_ONLY;
-}
-
 inline int64_t DCE2_ScSmbFileDepth(const dce2SmbProtoConf* sc)
 {
-    if (!DCE2_ScSmbFileInspection(sc))
-        return -1;
     return sc->smb_file_depth;
 }
 
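Review bot: `DCE2_ScSmbFileDepth` lost its null guard: the removed `DCE2_ScSmbFileInspection(sc)` check returned false for `sc == nullptr`, which made this function return -1, whereas the new body dereferences `sc` unconditionally. The callers changed in this commit pass `ssd->sd.config`, whose nullability is not visible here; unless every caller is known to hold a non-null config, keep the previous contract with `if (sc == nullptr) return -1;` before the return. With the enum and the two inspection helpers deleted, a one-line comment on this function stating the encoding, `// -1 = file inspection disabled, 0 = unlimited depth`, would replace the meaning the removed helpers used to carry.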
index 1e280dc405f325ceafd3d922058d508a27029e71..80087c71e2966992b22b7e26aa6d206050042bd7 100644 (file)
@@ -834,9 +834,8 @@ void DCE2_SmbRemoveTid(DCE2_SmbSsnData* ssd, const uint16_t tid)
 void DCE2_SmbInsertTid(DCE2_SmbSsnData* ssd,
     const uint16_t tid, const bool is_ipc)
 {
-    if (!is_ipc && (!DCE2_ScSmbFileInspection((dce2SmbProtoConf*)ssd->sd.config)
-        || ((ssd->max_file_depth == -1) && DCE2_ScSmbFileDepth(
-        (dce2SmbProtoConf*)ssd->sd.config) == -1)))
+    if ( !is_ipc and
+        ssd->max_file_depth == -1 and DCE2_ScSmbFileDepth((dce2SmbProtoConf*)ssd->sd.config) == -1 )
     {
         trace_logf(dce_smb, "Not inserting TID (%hu) "
             "because it's not IPC and not inspecting normal file "
@@ -844,14 +843,6 @@ void DCE2_SmbInsertTid(DCE2_SmbSsnData* ssd,
         return;
     }
 
-    if (is_ipc && DCE2_ScSmbFileInspectionOnly((dce2SmbProtoConf*)ssd->sd.config))
-    {
-        trace_logf(dce_smb, "Not inserting TID (%hu) "
-            "because it's IPC and only inspecting normal file "
-            "data.\n", tid);
-        return;
-    }
-
     int insert_tid = (int)tid;
     // Set a bit so as to distinguish between IPC and non-IPC TIDs
     if (!is_ipc)
index 330745559a646e2158bb455e76d9c112dbf901fb..cb7e13afbeabe565be9a20254ad2a79733b0e765 100644 (file)
@@ -51,7 +51,7 @@ static const Parameter s_params[] =
       "check for end of encryption" },
 
     { "encrypted_traffic", Parameter::PT_BOOL, nullptr, "false",
-      "check for encrypted Telnet and FTP" },
+      "check for encrypted Telnet" },
 
     { "normalize", Parameter::PT_BOOL, nullptr, "false",
       "eliminate escape sequences" },
index 4a733690c229505e9fbe0636c832013be26d60f4..5f526a20e9cc51a36179a991091c242e3d400988 100644 (file)
@@ -7,7 +7,7 @@ It serves several specialized purposes in cases where the HTTP message is trunca
 unexpectedly).
 
 The nature of splitting allows packets to be forwarded before they are aggregated into a message
-section and inspected. Accelerated blocking is a feature that allows the splitter to designate
+section and inspected. Detained inspection is a feature that allows the splitter to designate
 to Stream packets that are too risky to forward without being inspected. These packets are detained
 until such time as inspection is completed. The design is based on the principle that detaining
 one packet in a TCP stream effectively blocks all subsequent packets from being reassembled and
index fe99162ddb7c5da0b5e715b0b1ae91a810fe6220..a8c01fbf60d0948c99b62dcad3f8ec6d09f728cf 100644 (file)
@@ -282,7 +282,7 @@ ScanResult HttpBodyClCutter::cut(const uint8_t* buffer, uint32_t length, HttpInf
     if (octets_seen + length < flow_target)
     {
         octets_seen += length;
-        return need_accelerated_blocking(buffer, length) ? SCAN_NOT_FOUND_DETAIN : SCAN_NOT_FOUND;
+        return need_detained_inspection(buffer, length) ? SCAN_NOT_FOUND_DETAIN : SCAN_NOT_FOUND;
     }
 
     if (!stretch)
@@ -291,7 +291,7 @@ ScanResult HttpBodyClCutter::cut(const uint8_t* buffer, uint32_t length, HttpInf
         num_flush = flow_target - octets_seen;
         if (remaining > 0)
         {
-            need_accelerated_blocking(buffer, num_flush);
+            need_detained_inspection(buffer, num_flush);
             return SCAN_FOUND_PIECE;
         }
         else
@@ -307,7 +307,7 @@ ScanResult HttpBodyClCutter::cut(const uint8_t* buffer, uint32_t length, HttpInf
         else
             num_flush = flow_target - octets_seen;
         remaining -= octets_seen + num_flush;
-        need_accelerated_blocking(buffer, num_flush);
+        need_detained_inspection(buffer, num_flush);
         return SCAN_FOUND_PIECE;
     }
 
@@ -322,7 +322,7 @@ ScanResult HttpBodyClCutter::cut(const uint8_t* buffer, uint32_t length, HttpInf
     // Cannot stretch to the end of the message body. Cut at the original target.
     num_flush = flow_target - octets_seen;
     remaining -= flow_target;
-    need_accelerated_blocking(buffer, num_flush);
+    need_detained_inspection(buffer, num_flush);
     return SCAN_FOUND_PIECE;
 }
 
@@ -344,13 +344,13 @@ ScanResult HttpBodyOldCutter::cut(const uint8_t* buffer, uint32_t length, HttpIn
     {
         // Not enough data yet to create a message section
         octets_seen += length;
-        return need_accelerated_blocking(buffer, length) ? SCAN_NOT_FOUND_DETAIN : SCAN_NOT_FOUND;
+        return need_detained_inspection(buffer, length) ? SCAN_NOT_FOUND_DETAIN : SCAN_NOT_FOUND;
     }
     else if (stretch && (octets_seen + length <= flow_target + MAX_SECTION_STRETCH))
     {
         // Cut the section at the end of this TCP segment to avoid splitting a packet
         num_flush = length;
-        need_accelerated_blocking(buffer, num_flush);
+        need_detained_inspection(buffer, num_flush);
         return SCAN_FOUND_PIECE;
     }
     else
@@ -358,7 +358,7 @@ ScanResult HttpBodyOldCutter::cut(const uint8_t* buffer, uint32_t length, HttpIn
         // Cut the section at the target length. Either stretching is not allowed or the end of
         // the segment is too far away.
         num_flush = flow_target - octets_seen;
-        need_accelerated_blocking(buffer, num_flush);
+        need_detained_inspection(buffer, num_flush);
         return SCAN_FOUND_PIECE;
     }
 }
@@ -552,7 +552,7 @@ ScanResult HttpBodyChunkCutter::cut(const uint8_t* buffer, uint32_t length,
             }
 
             if (!detain_this_packet)
-                detain_this_packet = need_accelerated_blocking(buffer+k, skip_amount);
+                detain_this_packet = need_detained_inspection(buffer+k, skip_amount);
 
             k += skip_amount - 1;
             if ((expected -= skip_amount) == 0)
@@ -627,7 +627,7 @@ ScanResult HttpBodyChunkCutter::cut(const uint8_t* buffer, uint32_t length,
             skip_amount = (skip_amount <= adjusted_target-data_seen) ? skip_amount :
                 adjusted_target-data_seen;
             if (!detain_this_packet)
-                detain_this_packet = need_accelerated_blocking(buffer+k, skip_amount);
+                detain_this_packet = need_detained_inspection(buffer+k, skip_amount);
             k += skip_amount - 1;
             if ((data_seen += skip_amount) == adjusted_target)
             {
@@ -657,19 +657,19 @@ ScanResult HttpBodyChunkCutter::cut(const uint8_t* buffer, uint32_t length,
 }
 
 // This method searches the input stream looking for the beginning of a script or other dangerous
-// content that requires accelerated blocking. Exactly what we are looking for is encapsulated in
+// content that requires detained inspection. Exactly what we are looking for is encapsulated in
 // dangerous().
 //
 // Return value true indicates a match and enables the packet that completes the matching sequence
 // to be detained.
 //
-// Once accelerated blocking is activated on a message body it never goes away. The first packet
+// Once detained inspection is activated on a message body it never goes away. The first packet
 // of every subsequent message section must be detained (detention_required). Supporting this
 // requirement requires that the calling routine submit all data including buffers that are about
 // to be flushed.
-bool HttpBodyCutter::need_accelerated_blocking(const uint8_t* data, uint32_t length)
+bool HttpBodyCutter::need_detained_inspection(const uint8_t* data, uint32_t length)
 {
-    if (!accelerated_blocking || packet_detained)
+    if (!detained_inspection || packet_detained)
         return false;
     if (detention_required || dangerous(data, length))
     {
@@ -680,7 +680,7 @@ bool HttpBodyCutter::need_accelerated_blocking(const uint8_t* data, uint32_t len
     return false;
 }
 
-// Currently we do accelerated blocking when we see a javascript starting
+// Currently we do detained inspection when we see a javascript starting
 bool HttpBodyCutter::dangerous(const uint8_t* data, uint32_t length)
 {
     static const uint8_t match_string[] = { '<', 's', 'c', 'r', 'i', 'p', 't' };
index dcdba544b17e2739d7d772faa00fed5ae7ae1c49..d7d5d2ce72133f66a872e9cf8ab9c846287ab7bc 100644 (file)
@@ -96,17 +96,17 @@ private:
 class HttpBodyCutter : public HttpCutter
 {
 public:
-    HttpBodyCutter(bool accelerated_blocking_) : accelerated_blocking(accelerated_blocking_) {}
+    HttpBodyCutter(bool detained_inspection_) : detained_inspection(detained_inspection_) {}
     void soft_reset() override { octets_seen = 0; packet_detained = false; }
     void detain_ended() { packet_detained = false; }
 
 protected:
-    bool need_accelerated_blocking(const uint8_t* data, uint32_t length);
+    bool need_detained_inspection(const uint8_t* data, uint32_t length);
 
 private:
     bool dangerous(const uint8_t* data, uint32_t length);
 
-    const bool accelerated_blocking;
+    const bool detained_inspection;
     bool packet_detained = false;
     uint8_t partial_match = 0;
     bool detention_required = false;
@@ -115,8 +115,8 @@ private:
 class HttpBodyClCutter : public HttpBodyCutter
 {
 public:
-    HttpBodyClCutter(int64_t expected_length, bool accelerated_blocking) :
-        HttpBodyCutter(accelerated_blocking), remaining(expected_length)
+    HttpBodyClCutter(int64_t expected_length, bool detained_inspection) :
+        HttpBodyCutter(detained_inspection), remaining(expected_length)
         { assert(remaining > 0); }
     HttpEnums::ScanResult cut(const uint8_t*, uint32_t length, HttpInfractions*, HttpEventGen*,
         uint32_t flow_target, bool stretch) override;
@@ -128,7 +128,7 @@ private:
 class HttpBodyOldCutter : public HttpBodyCutter
 {
 public:
-    explicit HttpBodyOldCutter(bool accelerated_blocking) : HttpBodyCutter(accelerated_blocking) {}
+    explicit HttpBodyOldCutter(bool detained_inspection) : HttpBodyCutter(detained_inspection) {}
     HttpEnums::ScanResult cut(const uint8_t*, uint32_t, HttpInfractions*, HttpEventGen*,
         uint32_t flow_target, bool stretch) override;
 };
@@ -136,7 +136,7 @@ public:
 class HttpBodyChunkCutter : public HttpBodyCutter
 {
 public:
-    explicit HttpBodyChunkCutter(bool accelerated_blocking) : HttpBodyCutter(accelerated_blocking)
+    explicit HttpBodyChunkCutter(bool detained_inspection) : HttpBodyCutter(detained_inspection)
         {}
     HttpEnums::ScanResult cut(const uint8_t* buffer, uint32_t length,
         HttpInfractions* infractions, HttpEventGen* events, uint32_t flow_target, bool stretch)
index a339c948889faaefc6fb2bc6dd306bc54e0fa36a..ed494f2c5b2a47fc4eab2233bc917b952022a594 100644 (file)
@@ -113,7 +113,7 @@ void HttpFlowData::half_reset(SourceId source_id)
     body_octets[source_id] = STAT_NOT_PRESENT;
     section_size_target[source_id] = 0;
     stretch_section_to_packet[source_id] = false;
-    accelerated_blocking[source_id] = false;
+    detained_inspection[source_id] = false;
     file_depth_remaining[source_id] = STAT_NOT_PRESENT;
     detect_depth_remaining[source_id] = STAT_NOT_PRESENT;
     detection_status[source_id] = DET_REACTIVATING;
index f8ffef62f442a4f1bce9ac01a312d2d98e3b93cd..ca2d37d13cde5c5af41a55802dc52d144cf73bfa 100644 (file)
@@ -121,7 +121,7 @@ private:
     HttpEnums::CompressId compression[2] = { HttpEnums::CMP_NONE, HttpEnums::CMP_NONE };
     HttpEnums::DetectionStatus detection_status[2] = { HttpEnums::DET_ON, HttpEnums::DET_ON };
     bool stretch_section_to_packet[2] = { false, false };
-    bool accelerated_blocking[2] = { false, false };
+    bool detained_inspection[2] = { false, false };
 
     // *** Inspector's internal data about the current message
     struct FdCallbackContext
index e388becf75bc0780ac9dba88d93b655e0d195ea4..111410831aebc4bd89b22a8c8195ea6341dd6863 100644 (file)
@@ -55,8 +55,8 @@ const Parameter HttpModule::http_params[] =
     { "decompress_zip", Parameter::PT_BOOL, nullptr, "false",
       "decompress zip files in response bodies" },
 
-    { "accelerated_blocking", Parameter::PT_BOOL, nullptr, "false",
-      "inspect JavaScript in response messages as soon as possible" },
+    { "detained_inspection", Parameter::PT_BOOL, nullptr, "false",
+      "store-and-forward as necessary to effectively block alerting JavaScript" },
 
     { "normalize_javascript", Parameter::PT_BOOL, nullptr, "false",
       "normalize JavaScript in response bodies" },
@@ -171,9 +171,9 @@ bool HttpModule::set(const char*, Value& val, SnortConfig*)
     {
         params->decompress_zip = val.get_bool();
     }
-    else if (val.is("accelerated_blocking"))
+    else if (val.is("detained_inspection"))
     {
-        params->accelerated_blocking = val.get_bool();
+        params->detained_inspection = val.get_bool();
     }
     else if (val.is("normalize_javascript"))
     {
index 65cbeb9866fe406ed0d126f048054d181af6194b..bc0ae1a514fbf47a5c6de15a542d82c77a9fd924 100644 (file)
@@ -42,7 +42,7 @@ public:
     bool decompress_pdf = false;
     bool decompress_swf = false;
     bool decompress_zip = false;
-    bool accelerated_blocking = false;
+    bool detained_inspection = false;
 
     struct JsNormParam
     {
index d7761f2f082de26cb69c00d170db816cf1aa6e85..5ff10d2858be17cd9767f1add4405f764cfc4b00 100644 (file)
@@ -301,8 +301,8 @@ void HttpMsgHeader::prepare_body()
     setup_utf_decoding();
     setup_file_decompression();
     update_depth();
-    // Limitations on accelerated blocking will be lifted as the feature is built out
-    session_data->accelerated_blocking[source_id] = params->accelerated_blocking &&
+    // Limitations on detained inspection will be lifted as the feature is built out
+    session_data->detained_inspection[source_id] = params->detained_inspection &&
         (source_id == SRC_SERVER) && (session_data->compression[source_id] == CMP_NONE) &&
         (params->request_depth == -1);
     if (source_id == SRC_CLIENT)
index 5d286f725ff2fbb13cfc9f6c6e136647e663b748..1860518c3ca92f0e2dc225b723428458c21c38e3 100644 (file)
@@ -73,11 +73,11 @@ HttpCutter* HttpStreamSplitter::get_cutter(SectionType type,
         return (HttpCutter*)new HttpHeaderCutter;
     case SEC_BODY_CL:
         return (HttpCutter*)new HttpBodyClCutter(session_data->data_length[source_id],
-            session_data->accelerated_blocking[source_id]);
+            session_data->detained_inspection[source_id]);
     case SEC_BODY_CHUNK:
-        return (HttpCutter*)new HttpBodyChunkCutter(session_data->accelerated_blocking[source_id]);
+        return (HttpCutter*)new HttpBodyChunkCutter(session_data->detained_inspection[source_id]);
     case SEC_BODY_OLD:
-        return (HttpCutter*)new HttpBodyOldCutter(session_data->accelerated_blocking[source_id]);
+        return (HttpCutter*)new HttpBodyOldCutter(session_data->detained_inspection[source_id]);
     default:
         assert(false);
         return nullptr;
index 92ab812fef7e0338ab9a8eb4690367befefd08dc..b39019e2aa29c14c7dbc32b6cfdba8437286b3f2 100644 (file)
@@ -406,8 +406,8 @@ const PegInfo HttpModule::peg_names[PEG_COUNT_MAX+1] =
     { CountType::SUM, "uri_coding", "URIs with character coding problems" },
     { CountType::NOW, "concurrent_sessions", "total concurrent http sessions" },
     { CountType::MAX, "max_concurrent_sessions", "maximum concurrent http sessions" },
-    { CountType::SUM, "detained_packets", "TCP packets delayed by accelerated blocking" },
-    { CountType::SUM, "partial_inspections", "pre-inspections for accelerated blocking" },
+    { CountType::SUM, "detained_packets", "TCP packets delayed by detained inspection" },
+    { CountType::SUM, "partial_inspections", "pre-inspections for detained inspection" },
     { CountType::END, nullptr, nullptr }
 };
 
index be628f0e69045504f0e2844ff503043dd62a933d..b626cab31aab43605dbd38c01f08562219de28fc 100644 (file)
@@ -64,7 +64,7 @@ private:
     // TCP connection directional close
     bool tcp_closed = false;
 
-    // partial flush requested, useful for testing accelerated blocking
+    // partial flush requested, useful for testing detained inspection
     bool partial = false;
 
     // number of octets that have been flushed and must be sent by reassemble
index a3031a1109bf815131c7ebb9b9e10d8274098c2c..e2595fcb7291fc010a007d9e9e1aecb7b38de542 100644 (file)
@@ -33,10 +33,10 @@ using namespace std;
 
 static const Parameter s_params[] =
 {
-    { "b64_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
+    { "b64_decode_depth", Parameter::PT_INT, "-1:65535", "-1",
       "base64 decoding depth (-1 no limit)" },
 
-    { "bitenc_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
+    { "bitenc_decode_depth", Parameter::PT_INT, "-1:65535", "-1",
       "non-Encoded MIME attachment extraction depth (-1 no limit)" },
 
     { "decompress_pdf", Parameter::PT_BOOL, nullptr, "false",
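Review bot: Changing the `b64_decode_depth` and `bitenc_decode_depth` defaults from 1460 to -1 removes the only bound on how much of a MIME attachment the IMAP decoder processes per message, so every deployment that does not set these keys gets unlimited decoding on upgrade, with whatever CPU and buffer cost that carries on a busy sensor; the hunk adds no note about the trade-off. The commit description says the perf-related settings moved to the connectivity/balanced/security tweak files, which presumably restore a finite depth for throughput-sensitive profiles — confirm those files set all four decode-depth keys for imap. The help string should tell operators what they are choosing, e.g. `"base64 decoding depth (-1 no limit, the default; set a finite depth on throughput-sensitive sensors)"`. Separately, the range `-1:65535` means a bounded depth above 64 KiB cannot be expressed, so the only alternatives are a small cap or none; that is pre-existing but worth a line in the release notes alongside this default change.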
@@ -48,10 +48,10 @@ static const Parameter s_params[] =
     { "decompress_zip", Parameter::PT_BOOL, nullptr, "false",
       "decompress zip files in MIME attachments" },
 
-    { "qp_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
+    { "qp_decode_depth", Parameter::PT_INT, "-1:65535", "-1",
       "quoted Printable decoding depth (-1 no limit)" },
 
-    { "uu_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
+    { "uu_decode_depth", Parameter::PT_INT, "-1:65535", "-1",
       "Unix-to-Unix decoding depth (-1 no limit)" },
 
     { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
index 0f74dc439a6fc2b0ae9e280befda6ebc1f4870b1..8f040a10aad05f242fe7af1b59254a9bfb5c4fcb 100644 (file)
@@ -33,10 +33,10 @@ using namespace std;
 
 static const Parameter s_params[] =
 {
-    { "b64_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
+    { "b64_decode_depth", Parameter::PT_INT, "-1:65535", "-1",
       "base64 decoding depth (-1 no limit)" },
 
-    { "bitenc_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
+    { "bitenc_decode_depth", Parameter::PT_INT, "-1:65535", "-1",
       "Non-Encoded MIME attachment extraction depth (-1 no limit)" },
 
     { "decompress_pdf", Parameter::PT_BOOL, nullptr, "false",
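Review bot: The same silent behavior change applies here as in imap: any POP config that does not set `b64_decode_depth` or `bitenc_decode_depth` moves from a 1460-byte cap to unlimited decoding on upgrade, and nothing in the hunk documents that or the resource cost it may carry. Since this commit already touches the help strings of the three MIME-bearing inspectors, it is a good moment to make them identical; today POP says `"Non-Encoded MIME attachment extraction depth"` while the imap hunk above says `"non-Encoded ..."` and the smtp hunk uses a third wording, which makes grep-based review and documentation harder. A shared phrasing such as `"non-encoded MIME attachment extraction depth (-1 no limit, the default)"` in all three files would do.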
@@ -48,10 +48,10 @@ static const Parameter s_params[] =
     { "decompress_zip", Parameter::PT_BOOL, nullptr, "false",
       "decompress zip files in MIME attachments" },
 
-    { "qp_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
+    { "qp_decode_depth", Parameter::PT_INT, "-1:65535", "-1",
       "Quoted Printable decoding depth (-1 no limit)" },
 
-    { "uu_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
+    { "uu_decode_depth", Parameter::PT_INT, "-1:65535", "-1",
       "Unix-to-Unix decoding depth (-1 no limit)" },
 
     { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
index a7eb4ba60e9fc52260865178375f1188813a2195..6f639057f0b85749c0c03b4bfab6fa37963d1937 100644 (file)
@@ -70,13 +70,13 @@ static const Parameter s_params[] =
     { "auth_cmds", Parameter::PT_STRING, nullptr, nullptr,
       "commands that initiate an authentication exchange" },
 
-    { "b64_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
+    { "b64_decode_depth", Parameter::PT_INT, "-1:65535", "-1",
       "depth used to decode the base64 encoded MIME attachments (-1 no limit)" },
 
     { "binary_data_cmds", Parameter::PT_STRING, nullptr, nullptr,
       "commands that initiate sending of data and use a length value after the command" },
 
-    { "bitenc_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
+    { "bitenc_decode_depth", Parameter::PT_INT, "-1:65535", "-1",
       "depth used to extract the non-encoded MIME attachments (-1 no limit)" },
 
     { "data_cmds", Parameter::PT_STRING, nullptr, nullptr,
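Review bot: For SMTP the attachment being decoded arrives from the sending client, which on an MX-facing sensor is untrusted Internet mail, so moving `b64_decode_depth` and `bitenc_decode_depth` to -1 is the right detection default but also means a single oversized attachment now drives unbounded decode work by default; the hunk does not say so. The change is a behavior change for every config that does not set these keys, so it needs a release-note entry and the help text should state the default explicitly rather than leaving it implicit in the parameter table, e.g. `"depth used to decode the base64 encoded MIME attachments (-1 no limit, the default)"`. The commit description points to the balanced/connectivity tweak files for bounded depths; confirm they cover the smtp keys as well as imap and pop.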
@@ -134,10 +134,10 @@ static const Parameter s_params[] =
     { "normalize_cmds", Parameter::PT_STRING, nullptr, nullptr,
       "list of commands to normalize" },
 
-    { "qp_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
+    { "qp_decode_depth", Parameter::PT_INT, "-1:65535", "-1",
       "quoted-Printable decoding depth (-1 no limit)" },
 
-    { "uu_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
+    { "uu_decode_depth", Parameter::PT_INT, "-1:65535", "-1",
       "Unix-to-Unix decoding depth (-1 no limit)" },
 
     { "valid_cmds", Parameter::PT_STRING, nullptr, nullptr,
index 1856f60c98b2d659d0bbb90b2fc5b31bcba61931..4a893e5a1c0ae8cd46a4c476e4129ed7ce0180d1 100644 (file)
@@ -186,7 +186,8 @@ bool DcerpcServer::parse_smb_file_inspection(std::istringstream& data_stream)
         {
             file_inspect.pop_back();
         }
-        tmpval = table_api.add_option("smb_file_inspection", file_inspect);
+        file_inspect = "smb_file_inspection: " + file_inspect;
+        tmpval = table_api.add_deleted_comment(file_inspect);
     }
     else
     {
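Review bot: The first branch now mutates `file_inspect` in place (`file_inspect = "smb_file_inspection: " + file_inspect;`) before handing it to add_deleted_comment, while the second hunk below builds the comment in a separate `arg` and keeps `file_inspect` intact for the later `find("file-depth")`; if `file_inspect` is read again after this branch (the rest of parse_smb_file_inspection is outside the hunk) the prefix now leaks into it. Building the comment in a temporary avoids that and matches the other branch: `tmpval = table_api.add_deleted_comment("smb_file_inspection: " + file_inspect);`. Since the option is now emitted as a deleted comment rather than converted, the generated comment presumably leaves the user with no SMB file inspection depth in the new config — if snort3 expects this to be configured elsewhere, the comment text should say where, so the drop is not silent.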
@@ -207,7 +208,8 @@ bool DcerpcServer::parse_smb_file_inspection(std::istringstream& data_stream)
         std::string arg = file_inspect.substr(1, pos-1);
         // remove additional whitespaces
         arg.erase(remove_if(arg.begin(), arg.end(), isspace), arg.end());
-        tmpval = table_api.add_option("smb_file_inspection", arg);
+        arg = "smb_file_inspection: " + arg;
+        tmpval = table_api.add_deleted_comment(arg);
 
         pos = file_inspect.find("file-depth");
         if (pos == std::string::npos)