+2020/03/25 - build 270
+
+-- active: Base hold_packet() decision on DAQ message pool usage
+-- active: Fix direction of RST packet being sent to server
+-- active: Move packet hold realization for Stream detainment to verdict handling
+-- active: Send entire buffer at once when send_data uses ioctl
+-- appid: Adding UT for client_app_aim_test
+-- appid: Fix SMB session data memory leak
+-- appid: Include DNS over TLS port for classification
+-- appid: Restart service detection on start of decryption
+-- appid: Support appid detection for outer protocol service
+-- appid: Support detection for first stream in http/2 session
+-- binder: Ignore the network_policy binding
+-- build: Bump the C++ compiler supported feature set requirement to C++14
+-- build: Don't try to use libuuid headers/libraries when not found.
+ Thanks to James Lay <jlay@slave-tothe-box.net> for reporting the issue.
+-- build: Refactor included headers
+-- codecs: Add new proto bit for udp tunneled traffic
+-- codecs: Add vxlan codec
+-- dce_rpc: Inspect midstream sessions for file inspection
+-- file_api: Reading the new data for the overlapped file_data
+-- filters: Update threshold tracking functions
+-- flow: Allow the ExpectCache to force prune, so that we can always make room when the cache is
+ full
+-- flow: Change the ExpectCache prune logic to only remove a specified number of oldest entries,
+ regardless of node expiration time
+-- flow: Do away altogether with the loop in ExpectCache::prune, just remove one, only when the
+ cache is full
+-- http2_inspect: Refactor data cutter - preparation for multi packet processing
+-- http2_inspect: Support single data frame sent to http, multiple flushes
+-- http2_inspect: Update dev notes with memory calculations
+-- http_inspect: Create http2 message body type
+-- http_inspect: Gzip detained inspection
+-- http_inspect: Refactor print_section for message bodies
+-- loggers: Update usage to GLOBAL for all loggers
+-- lua: Enable a rewrite plugin in a default config
+-- main: Check if flow state is blocked while applying verdicts
+-- main: Setting higher maximum pruning when idle
+-- snort2lua: Convert a replace option to a rewrite plugin/action
+-- snort2lua: Don't print out network_policy binding
+-- stream: Short-circuit stream when handling retry packets in no-ack mode
+-- stream_tcp: Cancel hold requests on the current packet when flushing
+-- stream_tcp: Finalize held packets in TcpSession::clear_session()
+-- stream_tcp: Moved retry check to TcpSession::process
+
2020/03/12 - build 269
-- active: Add ability to inject resets and payload via IOCTLs
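Review bot: the ChangeLog omits two user-visible removals that the manual hunks in this same change show, the `udp.enable_gtp` option (snort2lua now reports `deleted -> config ' enable_gtp'`) and the `stream_tcp.held_packet_limit_exceeded` peg count; add a codecs entry and a stream_tcp entry for them so operators scanning the log for breaking config and stats changes find them. Two smaller points: the three consecutive `flow:` entries record successive rewrites of ExpectCache::prune and only the last one ("just remove one, only when the cache is full") describes the shipped behaviour, so either collapse them into one entry or mark the final one; and the entries mix imperative ("Fix", "Support"), gerund ("Adding UT", "Setting higher") and past tense ("Moved retry check") where the surrounding entries use the imperative.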
<div class="literalblock">\r
<div class="content">\r
<pre><code> ,,_ -*> Snort++ <*-\r
-o" )~ Version 3.0.0 (Build 269)\r
+o" )~ Version 3.0.0 (Build 270)\r
'''' By Martin Roesch & The Snort Team\r
http://snort.org/contact#team\r
Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-cmake to build from source\r
+a compiler that supports the C++14 feature set\r
</p>\r
</li>\r
<li>\r
<p>\r
-daq from <a href="https://github.com/snort3/libdaq">https://github.com/snort3/libdaq</a> for packet IO\r
+cmake to build from source\r
</p>\r
</li>\r
<li>\r
<p>\r
-g++ >= 4.8 or other recent C++11 compiler\r
+daq from <a href="https://github.com/snort3/libdaq">https://github.com/snort3/libdaq</a> for packet IO\r
</p>\r
</li>\r
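Review bot: the replacement line "a compiler that supports the C++14 feature set" drops the concrete minimum the removed line gave (g++ >= 4.8), so a reader can no longer tell which gcc or clang release is known to build the tree; name the oldest compiler versions the build is tested with next to the feature-set statement, and keep it in step with the ChangeLog entry "Bump the C++ compiler supported feature set requirement to C++14".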
<li>\r
<strong>active.failed_direct_injects</strong>: total crafted packet direct injects that failed (sum)\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+<strong>active.holds_denied</strong>: total number of packet hold requests denied (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>active.holds_canceled</strong>: total number of packet hold requests canceled (sum)\r
+</p>\r
+</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
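Review bot: the descriptions of the two new pegs, `active.holds_denied` and `active.holds_canceled`, say only that a hold was denied or canceled, not why, so an operator watching the counters cannot tell what a rising value signals; the ChangeLog ties denials to the DAQ message pool usage check in hold_packet() and cancellations to flushing, and a few words to that effect in each description ("denied because ..." / "canceled when ...") would make the counters actionable.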
</li>\r
<li>\r
<p>\r
-string <strong>alerts.tunnel_verdicts</strong>: let DAQ handle non-allow verdicts for gtp|teredo|6in4|4in6|4in4|6in6|gre|mpls traffic\r
+string <strong>alerts.tunnel_verdicts</strong>: let DAQ handle non-allow verdicts for gtp|teredo|6in4|4in6|4in4|6in6|gre|mpls|vxlan traffic\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_rate_filter">rate_filter</h3>\r
<div class="paragraph"><p>What: configure rate filters (which change rule actions)</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_suppress">suppress</h3>\r
<div class="paragraph"><p>What: configure event suppressions</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
-<div class="paragraph"><p>Usage: detect</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>udp.enable_gtp</strong> = false: decode GTP encapsulations\r
+bit_list <strong>udp.gtp_ports</strong> = 2152 3386: set GTP ports { 65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bit_list <strong>udp.gtp_ports</strong> = 2152 3386: set GTP ports { 65535 }\r
+bit_list <strong>udp.vxlan_ports</strong> = 4789: set VXLAN ports { 65535 }\r
</p>\r
</li>\r
</ul></div>\r
</li>\r
<li>\r
<p>\r
-string <strong><code>binder[].use.network_policy</code></strong>: use network policy from given file\r
+string <strong><code>binder[].use.network_policy</code></strong>: deprecated, ignored by binder\r
</p>\r
</li>\r
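Review bot: marking `binder[].use.network_policy` as "deprecated, ignored by binder" while still accepting it as a string means an existing config that relies on it loads cleanly and silently stops applying the policy; the description should say whether Snort warns when the key is set (and if it does not, consider emitting a deprecation warning at config load) and should point the reader at the setting that replaces it.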
<li>\r
<strong>rt_service.search_requests</strong>: total splitter search requests (sum)\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+<strong>rt_service.send_data_requests</strong>: total send data via daq inject requests (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>rt_service.send_data_direct_requests</strong>: total send data via direct inject requests (sum)\r
+</p>\r
+</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.held_packet_limit_exceeded</strong>: number of times limit of max held packets exceeded (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>stream_tcp.partial_flushes</strong>: number of partial flushes initiated (sum)\r
</p>\r
</li>\r
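Review bot: removing the `stream_tcp.held_packet_limit_exceeded` peg changes the stats output that external tooling parses, and nothing in the visible ChangeLog entries says whether the limit itself is gone or whether those events are now counted by the new `active.holds_denied`; state which, and if it is the latter, say so in the `active.holds_denied` description so dashboards built on the old counter can be remapped rather than just going blank.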
<h3 id="_alert_csv">alert_csv</h3>\r
<div class="paragraph"><p>What: output event in csv format</p></div>\r
<div class="paragraph"><p>Type: logger</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_alert_fast">alert_fast</h3>\r
<div class="paragraph"><p>What: output event with brief text format</p></div>\r
<div class="paragraph"><p>Type: logger</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_alert_full">alert_full</h3>\r
<div class="paragraph"><p>What: output event with full packet dump</p></div>\r
<div class="paragraph"><p>Type: logger</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_alert_json">alert_json</h3>\r
<div class="paragraph"><p>What: output event in json format</p></div>\r
<div class="paragraph"><p>Type: logger</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_alert_sfsocket">alert_sfsocket</h3>\r
<div class="paragraph"><p>What: output event over socket</p></div>\r
<div class="paragraph"><p>Type: logger</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_alert_syslog">alert_syslog</h3>\r
<div class="paragraph"><p>What: output event to syslog</p></div>\r
<div class="paragraph"><p>Type: logger</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_alert_talos">alert_talos</h3>\r
<div class="paragraph"><p>What: output event in Talos alert format</p></div>\r
<div class="paragraph"><p>Type: logger</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
</div>\r
<div class="sect2">\r
<h3 id="_alert_unixsock">alert_unixsock</h3>\r
<div class="paragraph"><p>What: output event over unix socket</p></div>\r
<div class="paragraph"><p>Type: logger</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
</div>\r
<div class="sect2">\r
<h3 id="_log_codecs">log_codecs</h3>\r
<div class="paragraph"><p>What: log protocols in packet by layer</p></div>\r
<div class="paragraph"><p>Type: logger</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_log_hext">log_hext</h3>\r
<div class="paragraph"><p>What: output payload suitable for daq hext</p></div>\r
<div class="paragraph"><p>Type: logger</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_log_pcap">log_pcap</h3>\r
<div class="paragraph"><p>What: log packet in pcap format</p></div>\r
<div class="paragraph"><p>Type: logger</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_unified2">unified2</h3>\r
<div class="paragraph"><p>What: output event and packet in unified2 format file</p></div>\r
<div class="paragraph"><p>Type: logger</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
</li>\r
<li>\r
<p>\r
-Presently using FIXIT-X where X = A | W | P | H | M | L, indicating analysis,\r
- warning, perf, high, med, or low priority. Place A and W comments on the\r
- exact warning line so we can match up comments and build output. Supporting\r
- comments can be added above.\r
+Presently using FIXIT-X where X = A | W | P | H | M | L | D, indicating\r
+ analysis, warning, perf, high, med, low priority, or deprecated. Place A and\r
+ W comments on the exact warning line so we can match up comments and build\r
+ output. Supporting comments can be added above.\r
</p>\r
</li>\r
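Review bot: the new D (deprecated) category gets no placement rule, unlike A and W, which must sit on the exact warning line; state where a FIXIT-D comment goes (for instance on the declaration of the deprecated symbol) and whether it should name the point at which the item is to be removed, otherwise the new tag cannot be searched and matched up the way the text requires for A and W.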
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>alerts.tunnel_verdicts</strong>: let DAQ handle non-allow verdicts for gtp|teredo|6in4|4in6|4in4|6in6|gre|mpls traffic\r
+string <strong>alerts.tunnel_verdicts</strong>: let DAQ handle non-allow verdicts for gtp|teredo|6in4|4in6|4in4|6in6|gre|mpls|vxlan traffic\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong><code>binder[].use.network_policy</code></strong>: use network policy from given file\r
+string <strong><code>binder[].use.network_policy</code></strong>: deprecated, ignored by binder\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>udp.enable_gtp</strong> = false: decode GTP encapsulations\r
+bit_list <strong>udp.gtp_ports</strong> = 2152 3386: set GTP ports { 65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bit_list <strong>udp.gtp_ports</strong> = 2152 3386: set GTP ports { 65535 }\r
+bit_list <strong>udp.vxlan_ports</strong> = 4789: set VXLAN ports { 65535 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>active.holds_canceled</strong>: total number of packet hold requests canceled (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>active.holds_denied</strong>: total number of packet hold requests denied (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>active.injects</strong>: total crafted packets encoded and injected (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>rt_service.send_data_direct_requests</strong>: total send data via direct inject requests (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>rt_service.send_data_requests</strong>: total send data via daq inject requests (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>s7commplus.concurrent_sessions</strong>: total concurrent s7commplus sessions (now)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.held_packet_limit_exceeded</strong>: number of times limit of max held packets exceeded (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>stream_tcp.held_packet_rexmits</strong>: number of retransmits of held packets (sum)\r
</p>\r
</li>\r
deleted -> config ' enable_decode_drops'\r
deleted -> config ' enable_decode_oversized_alerts'\r
deleted -> config ' enable_decode_oversized_drops'\r
+deleted -> config ' enable_gtp'\r
deleted -> config ' enable_ipopt_drops'\r
deleted -> config ' enable_tcpopt_drops'\r
deleted -> config ' enable_tcpopt_experimental_drops'\r
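Review bot: `deleted -> config ' enable_gtp'` tells a Snort 2 user the option is dropped but not that GTP decoding is now driven by `udp.gtp_ports` (the udp hunk above shows `bit_list udp.gtp_ports = 2152 3386` with no remaining on/off switch), so a config that deliberately left GTP decoding disabled may decode it on the default ports after conversion; have snort2lua print the replacement setting or at least add a line to the snort2lua section explaining the behaviour change.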
</li>\r
<li>\r
<p>\r
+<strong>codec::vxlan</strong>: support for Virtual Extensible LAN\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>codec::wlan</strong>: support for wireless local area network protocol (DLT 105)\r
</p>\r
</li>\r
<div id="footer">\r
<div id="footer-text">\r
Last updated\r
- 2020-03-12 10:44:10 EDT\r
+ 2020-03-25 09:21:03 EDT\r
</div>\r
</div>\r
</body>\r
Snorty
,,_ -*> Snort++ <*-
-o" )~ Version 3.0.0 (Build 269)
+o" )~ Version 3.0.0 (Build 270)
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
Required:
+ * a compiler that supports the C++14 feature set
* cmake to build from source
* daq from https://github.com/snort3/libdaq for packet IO
- * g++ >= 4.8 or other recent C++11 compiler
* dnet from https://github.com/dugsong/libdnet.git for network
utility functions
* hwloc from https://www.open-mpi.org/projects/hwloc/ for CPU
(sum)
* active.failed_direct_injects: total crafted packet direct injects
that failed (sum)
+ * active.holds_denied: total number of packet hold requests denied
+ (sum)
+ * active.holds_canceled: total number of packet hold requests
+ canceled (sum)
6.2. alerts
* bool alerts.stateful = false: don’t alert w/o established session
(note: rule action still taken)
* string alerts.tunnel_verdicts: let DAQ handle non-allow verdicts
- for gtp|teredo|6in4|4in6|4in4|6in6|gre|mpls traffic
+ for gtp|teredo|6in4|4in6|4in4|6in6|gre|mpls|vxlan traffic
6.3. attribute_table
Type: basic
-Usage: detect
+Usage: context
Configuration:
Type: basic
-Usage: detect
+Usage: context
Configuration:
* bool udp.deep_teredo_inspection = false: look for Teredo on all
UDP ports (default is only 3544)
- * bool udp.enable_gtp = false: decode GTP encapsulations
* bit_list udp.gtp_ports = 2152 3386: set GTP ports { 65535 }
+ * bit_list udp.vxlan_ports = 4789: set VXLAN ports { 65535 }
Rules:
* string binder[].use.inspection_policy: use inspection policy from
given file
* string binder[].use.ips_policy: use ips policy from given file
- * string binder[].use.network_policy: use network policy from given
- file
+ * string binder[].use.network_policy: deprecated, ignored by binder
* string binder[].use.service: override automatic service
identification
* string binder[].use.type: select module for binding
* rt_service.flush_requests: total splitter flush requests (sum)
* rt_service.hold_requests: total splitter hold requests (sum)
* rt_service.search_requests: total splitter search requests (sum)
+ * rt_service.send_data_requests: total send data via daq inject
+ requests (sum)
+ * rt_service.send_data_direct_requests: total send data via direct
+ inject requests (sum)
9.39. s7commplus
(now)
* stream_tcp.max_packets_held: maximum number of packets held
simultaneously (max)
- * stream_tcp.held_packet_limit_exceeded: number of times limit of
- max held packets exceeded (sum)
* stream_tcp.partial_flushes: number of partial flushes initiated
(sum)
* stream_tcp.partial_flush_bytes: partial flush total bytes (sum)
Type: logger
-Usage: context
+Usage: global
Configuration:
Type: logger
-Usage: context
+Usage: global
Configuration:
Type: logger
-Usage: context
+Usage: global
Configuration:
Type: logger
-Usage: context
+Usage: global
Configuration:
Type: logger
-Usage: context
+Usage: global
Configuration:
Type: logger
-Usage: context
+Usage: global
Configuration:
Type: logger
-Usage: context
+Usage: global
14.9. alert_unixsock
Type: logger
-Usage: context
+Usage: global
14.10. log_codecs
Type: logger
-Usage: context
+Usage: global
Configuration:
Type: logger
-Usage: context
+Usage: global
Configuration:
Type: logger
-Usage: context
+Usage: global
Configuration:
Type: logger
-Usage: context
+Usage: global
Configuration:
* Use FIXIT (not FIXTHIS or TODO or whatever) to mark things left
for a day or even just a minute. That way we can find them easily
and won’t lose track of them.
- * Presently using FIXIT-X where X = A | W | P | H | M | L,
- indicating analysis, warning, perf, high, med, or low priority.
- Place A and W comments on the exact warning line so we can match
- up comments and build output. Supporting comments can be added
- above.
+ * Presently using FIXIT-X where X = A | W | P | H | M | L | D,
+ indicating analysis, warning, perf, high, med, low priority, or
+ deprecated. Place A and W comments on the exact warning line so
+ we can match up comments and build output. Supporting comments
+ can be added above.
* Put the copyright(s) and license in a comment block at the top of
each source file (.h and .cc). Don’t bother with trivial scripts
and make foo. Some interesting Lua code should get a comment
* bool alerts.stateful = false: don’t alert w/o established session
(note: rule action still taken)
* string alerts.tunnel_verdicts: let DAQ handle non-allow verdicts
- for gtp|teredo|6in4|4in6|4in4|6in6|gre|mpls traffic
+ for gtp|teredo|6in4|4in6|4in4|6in6|gre|mpls|vxlan traffic
* enum alert_syslog.facility = auth: part of priority applied to
each message { auth | authpriv | daemon | user | local0 | local1
| local2 | local3 | local4 | local5 | local6 | local7 }
given file
* string binder[].use.ips_policy: use ips policy from given file
* string binder[].use.name: symbol name (defaults to type)
- * string binder[].use.network_policy: use network policy from given
- file
+ * string binder[].use.network_policy: deprecated, ignored by binder
* string binder[].use.service: override automatic service
identification
* string binder[].use.type: select module for binding
0:255 }
* bool udp.deep_teredo_inspection = false: look for Teredo on all
UDP ports (default is only 3544)
- * bool udp.enable_gtp = false: decode GTP encapsulations
* bit_list udp.gtp_ports = 2152 3386: set GTP ports { 65535 }
+ * bit_list udp.vxlan_ports = 4789: set VXLAN ports { 65535 }
* bool unified2.legacy_events = false: generate Snort 2.X style
events for barnyard2 compatibility
* int unified2.limit = 0: set maximum size in MB before rollover (0
that failed (sum)
* active.failed_injects: total crafted packet encode + injects that
failed (sum)
+ * active.holds_canceled: total number of packet hold requests
+ canceled (sum)
+ * active.holds_denied: total number of packet hold requests denied
+ (sum)
* active.injects: total crafted packets encoded and injected (sum)
* appid.appid_unknown: count of sessions where appid could not be
determined (sum)
* rt_service.hold_requests: total splitter hold requests (sum)
* rt_service.packets: total packets (sum)
* rt_service.search_requests: total splitter search requests (sum)
+ * rt_service.send_data_direct_requests: total send data via direct
+ inject requests (sum)
+ * rt_service.send_data_requests: total send data via daq inject
+ requests (sum)
* s7commplus.concurrent_sessions: total concurrent s7commplus
sessions (now)
* s7commplus.frames: total S7commplus messages (sum)
segment limit was reached (sum)
* stream_tcp.fins: number of fin packets (sum)
* stream_tcp.gaps: missing data between PDUs (sum)
- * stream_tcp.held_packet_limit_exceeded: number of times limit of
- max held packets exceeded (sum)
* stream_tcp.held_packet_rexmits: number of retransmits of held
packets (sum)
* stream_tcp.held_packets_dropped: number of held packets dropped
deleted -> config ' enable_decode_drops'
deleted -> config ' enable_decode_oversized_alerts'
deleted -> config ' enable_decode_oversized_drops'
+deleted -> config ' enable_gtp'
deleted -> config ' enable_ipopt_drops'
deleted -> config ' enable_tcpopt_drops'
deleted -> config ' enable_tcpopt_experimental_drops'
* codec::udp: support for user datagram protocol
* codec::user: support for user sessions (DLT 230)
* codec::vlan: support for local area network
+ * codec::vxlan: support for Virtual Extensible LAN
* codec::wlan: support for wireless local area network protocol
(DLT 105)
* connector::file_connector: implement the file based connector