<div class="literalblock">\r
<div class="content">\r
<pre><code> ,,_ -*> Snort++ <*-\r
-o" )~ Version 3.0.0 (Build 254) from 2.9.11\r
+o" )~ Version 3.0.0 (Build 256) from 2.9.11\r
'''' By Martin Roesch & The Snort Team\r
http://snort.org/contact#team\r
Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.\r
<div class="paragraph"><p>You can use both approaches together.</p></div>\r
</div>\r
<div class="sect3">\r
+<h4 id="_includes">Includes</h4>\r
+<div class="paragraph"><p>Your configuration file file may include other files, either directly via Lua or via\r
+various parameters. Snort will find relative includes in the following order:</p></div>\r
+<div class="olist arabic"><ol class="arabic">\r
+<li>\r
+<p>\r
+If you specify --include-path, this directory will be tried first.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Snort will try the directory containing the including file.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Snort will try the directory containing the -c configuration file.\r
+</p>\r
+</li>\r
+</ol></div>\r
+<div class="paragraph"><p>Some things to keep in mind:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+If you use the Lua dofile function, then you must specify absolute paths\r
+ or paths relative to your working directory since Lua will execute the\r
+ include before Snort sees the file contents.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+For best results, use include in place of dofile. This function is\r
+ provided to follow Snort’s include logic.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+As of now, appid and reputation paths must be absolute or relative to the\r
+ working directory. These will be updated in a future release.\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect3">\r
<h4 id="_converting_your_2_x_configuration">Converting Your 2.X Configuration</h4>\r
<div class="paragraph"><p>If you have a working 2.X configuration snort2lua makes it easy to get up\r
and running with Snort 3. This tool will convert your configuration and/or\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong><code>daq.module_dirs[].str</code></strong>: string parameter\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>daq.input_spec</strong>: input specification\r
+string <strong><code>daq.module_dirs[].path</code></strong>: directory path\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>daq.module</strong>: DAQ module to use\r
+string <strong><code>daq.inputs[].input</code></strong>: input source\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong><code>daq.variables[].str</code></strong>: string parameter\r
+int <strong>daq.snaplen</strong> = 1518: set snap length (same as -s) { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong><code>daq.instances[].id</code></strong>: instance ID (required) { 0:max32 }\r
+int <strong>daq.batch_size</strong> = 64: set receive batch size (same as --daq-batch-size) { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong><code>daq.instances[].input_spec</code></strong>: input specification\r
+string <strong><code>daq.modules[].name</code></strong>: DAQ module name (required)\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong><code>daq.instances[].variables[].str</code></strong>: string parameter\r
+enum <strong><code>daq.modules[].mode</code></strong> = passive: DAQ module mode { passive | inline | read-file }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>daq.snaplen</strong>: set snap length (same as -s) { 0:65535 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>daq.no_promisc</strong> = false: whether to put DAQ device into promiscuous mode\r
+string <strong><code>daq.modules[].variables[].variable</code></strong>: DAQ module variable (foo[=bar])\r
</p>\r
</li>\r
</ul></div>\r
<div class="paragraph"><p>What: general decoder rules</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
<div class="paragraph"><p>Usage: context</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+int <strong>decode.trace</strong>: mask for enabling debug traces in module { 0:max53 }\r
+</p>\r
+</li>\r
+</ul></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
</p>\r
</li>\r
</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+<strong>event_filter.no_memory_local</strong>: number of times event filter ran out of local memory (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>event_filter.no_memory_global</strong>: number of times event filter ran out of global memory (sum)\r
+</p>\r
+</li>\r
+</ul></div>\r
</div>\r
<div class="sect2">\r
<h3 id="_event_queue">event_queue</h3>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-enum <strong>ips.default_rule_state</strong> = inherit: enable or disable ips rules { false | true | inherit }\r
+enum <strong>ips.default_rule_state</strong> = inherit: enable or disable ips rules { no | yes | inherit }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>ips.include</strong>: legacy snort rules and includes\r
+string <strong>ips.include</strong>: snort rules and includes\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>ips.includer</strong>: for internal use; where includes are included from { (optional) }\r
</p>\r
</li>\r
<li>\r
</p>\r
</li>\r
</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+<strong>rate_filter.no_memory</strong>: number of times rate filter ran out of memory (sum)\r
+</p>\r
+</li>\r
+</ul></div>\r
</div>\r
<div class="sect2">\r
<h3 id="_references">references</h3>\r
</li>\r
<li>\r
<p>\r
-enum <strong><code>rule_state.([0-9]+):([0-9]+)[].enable</code></strong> = inherit: enable or disable rule in current ips policy or use default defined by ips policy { false | true | inherit }\r
+enum <strong><code>rule_state.([0-9]+):([0-9]+)[].enable</code></strong> = inherit: enable or disable rule in current ips policy or use default defined by ips policy { no | yes | inherit }\r
</p>\r
</li>\r
</ul></div>\r
</li>\r
<li>\r
<p>\r
+int <strong>snort.--daq-batch-size</strong> = 64: <size> set the DAQ receive batch size { 1: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>snort.--daq-dir</strong>: <dir> tell snort where to find desired DAQ\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+enum <strong>snort.--daq-mode</strong>: <mode> select DAQ module operating mode (overrides automatic selection) { passive | inline | read-file }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>snort.--daq-var</strong>: <name=value> specify extra DAQ configuration variable\r
</p>\r
</li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>port_scan.memcap</strong> = 1048576: maximum tracker memory in bytes { 1:maxSZ }\r
+int <strong>port_scan.memcap</strong> = 1048576: maximum tracker memory in bytes { 1024:maxSZ }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>--daq-batch-size</strong> <size> set the DAQ receive batch size (1:)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>--daq-dir</strong> <dir> tell snort where to find desired DAQ\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>--daq-mode</strong> <mode> select DAQ module operating mode (overrides automatic selection) (passive | inline | read-file)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>--daq-var</strong> <name=value> specify extra DAQ configuration variable\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-string <strong>daq.input_spec</strong>: input specification\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong><code>daq.instances[].id</code></strong>: instance ID (required) { 0:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>daq.instances[].input_spec</code></strong>: input specification\r
+int <strong>daq.batch_size</strong> = 64: set receive batch size (same as --daq-batch-size) { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong><code>daq.instances[].variables[].str</code></strong>: string parameter\r
+string <strong><code>daq.inputs[].input</code></strong>: input source\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>daq.module</strong>: DAQ module to use\r
+string <strong><code>daq.module_dirs[].path</code></strong>: directory path\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong><code>daq.module_dirs[].str</code></strong>: string parameter\r
+enum <strong><code>daq.modules[].mode</code></strong> = passive: DAQ module mode { passive | inline | read-file }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>daq.no_promisc</strong> = false: whether to put DAQ device into promiscuous mode\r
+string <strong><code>daq.modules[].name</code></strong>: DAQ module name (required)\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>daq.snaplen</strong>: set snap length (same as -s) { 0:65535 }\r
+string <strong><code>daq.modules[].variables[].variable</code></strong>: DAQ module variable (foo[=bar])\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong><code>daq.variables[].str</code></strong>: string parameter\r
+int <strong>daq.snaplen</strong> = 1518: set snap length (same as -s) { 0:65535 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-enum <strong>ips.default_rule_state</strong> = inherit: enable or disable ips rules { false | true | inherit }\r
+enum <strong>ips.default_rule_state</strong> = inherit: enable or disable ips rules { no | yes | inherit }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>ips.include</strong>: legacy snort rules and includes\r
+string <strong>ips.includer</strong>: for internal use; where includes are included from { (optional) }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>ips.include</strong>: snort rules and includes\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>port_scan.memcap</strong> = 1048576: maximum tracker memory in bytes { 1:maxSZ }\r
+int <strong>port_scan.memcap</strong> = 1048576: maximum tracker memory in bytes { 1024:maxSZ }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-enum <strong><code>rule_state.([0-9]+):([0-9]+)[].enable</code></strong> = inherit: enable or disable rule in current ips policy or use default defined by ips policy { false | true | inherit }\r
+enum <strong><code>rule_state.([0-9]+):([0-9]+)[].enable</code></strong> = inherit: enable or disable rule in current ips policy or use default defined by ips policy { no | yes | inherit }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+int <strong>snort.--daq-batch-size</strong> = 64: <size> set the DAQ receive batch size { 1: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>snort.--daq-dir</strong>: <dir> tell snort where to find desired DAQ\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+enum <strong>snort.--daq-mode</strong>: <mode> select DAQ module operating mode (overrides automatic selection) { passive | inline | read-file }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>snort.--daq</strong>: <type> select packet acquisition module (default is pcap)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>event_filter.no_memory_global</strong>: number of times event filter ran out of global memory (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>event_filter.no_memory_local</strong>: number of times event filter ran out of local memory (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>file_connector.messages</strong>: total messages (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>rate_filter.no_memory</strong>: number of times rate filter ran out of memory (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>reg_test.packets</strong>: total packets (sum)\r
</p>\r
</li>\r
change -> attribute_table: 'filename <file_name>' ==> 'hosts[]'\r
change -> config ' addressspace_agnostic' ==> ' packets. address_space_agnostic'\r
change -> config ' checksum_mode' ==> ' network. checksum_eval'\r
-change -> config ' daq' ==> ' daq. module'\r
change -> config ' daq_dir' ==> ' daq. module_dirs, true'\r
-change -> config ' daq_var' ==> ' daq. variables, true'\r
change -> config ' detection_filter' ==> ' alerts. detection_filter_memcap'\r
change -> config ' enable_deep_teredo_inspection' ==> ' udp. deep_teredo_inspection'\r
change -> config ' event_filter' ==> ' alerts. event_filter_memcap'\r
change -> csv: 'tcpseq' ==> 'tcp_seq'\r
change -> csv: 'tcpwindow' ==> 'tcp_win'\r
change -> csv: 'udplength' ==> 'udp_len'\r
+change -> daq: 'config daq:' ==> 'name'\r
+change -> daq_mode: 'config daq_mode:' ==> 'mode'\r
+change -> daq_var: 'config daq_var:' ==> 'variables'\r
change -> detection: 'ac' ==> 'ac_full'\r
change -> detection: 'ac-banded' ==> 'ac_banded'\r
change -> detection: 'ac-bnfa' ==> 'ac_bnfa'\r
deleted -> attribute_table: '<STREAM_POLICY>noack</STREAM_POLICY>'\r
deleted -> attribute_table: '<STREAM_POLICY>unknown</STREAM_POLICY>'\r
deleted -> config ' cs_dir'\r
-deleted -> config ' daq_mode'\r
deleted -> config ' decode_data_link'\r
deleted -> config ' disable_attribute_reload_thread'\r
deleted -> config ' disable_decode_alerts'\r
deleted -> config ' interface'\r
deleted -> config ' layer2resets'\r
deleted -> config ' log_ipv6_extra_data'\r
+deleted -> config ' no_promisc'\r
deleted -> config ' nolog'\r
deleted -> config ' protected_content'\r
deleted -> config ' sidechannel'\r
<div id="footer">\r
<div id="footer-text">\r
Last updated\r
- 2019-04-26 17:06:59 EDT\r
+ 2019-05-22 13:47:52 EDT\r
</div>\r
</div>\r
</body>\r
Snorty
,,_ -*> Snort++ <*-
-o" )~ Version 3.0.0 (Build 254) from 2.9.11
+o" )~ Version 3.0.0 (Build 256) from 2.9.11
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
You can use both approaches together.
-1.2.4. Converting Your 2.X Configuration
+1.2.4. Includes
+
+Your configuration file file may include other files, either directly
+via Lua or via various parameters. Snort will find relative includes
+in the following order:
+
+ 1. If you specify --include-path, this directory will be tried
+ first.
+ 2. Snort will try the directory containing the including file.
+ 3. Snort will try the directory containing the -c configuration
+ file.
+
+Some things to keep in mind:
+
+ * If you use the Lua dofile function, then you must specify
+ absolute paths or paths relative to your working directory since
+ Lua will execute the include before Snort sees the file contents.
+ * For best results, use include in place of dofile. This function
+ is provided to follow Snort’s include logic.
+ * As of now, appid and reputation paths must be absolute or
+ relative to the working directory. These will be updated in a
+ future release.
+
+1.2.5. Converting Your 2.X Configuration
If you have a working 2.X configuration snort2lua makes it easy to
get up and running with Snort 3. This tool will convert your
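Review bot: duplicated word in the first sentence of the new Includes section, "Your configuration file file may include other files" (the HTML rendering has the same typo); drop one "file". The three-step search order is clear, but the section never says what Snort does when a relative include is found in none of those directories, and the point that --include-path only applies to includes that go through Snort's include (not Lua's dofile) is left to be inferred from the later bullet; one sentence on each would make the new section complete.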
Configuration:
- * string daq.module_dirs[].str: string parameter
- * string daq.input_spec: input specification
- * string daq.module: DAQ module to use
- * string daq.variables[].str: string parameter
- * int daq.instances[].id: instance ID (required) { 0:max32 }
- * string daq.instances[].input_spec: input specification
- * string daq.instances[].variables[].str: string parameter
- * int daq.snaplen: set snap length (same as -s) { 0:65535 }
- * bool daq.no_promisc = false: whether to put DAQ device into
- promiscuous mode
+ * string daq.module_dirs[].path: directory path
+ * string daq.inputs[].input: input source
+ * int daq.snaplen = 1518: set snap length (same as -s) { 0:65535 }
+ * int daq.batch_size = 64: set receive batch size (same as
+ --daq-batch-size) { 1: }
+ * string daq.modules[].name: DAQ module name (required)
+ * enum daq.modules[].mode = passive: DAQ module mode { passive |
+ inline | read-file }
+ * string daq.modules[].variables[].variable: DAQ module variable
+ (foo[=bar])
Peg counts:
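Review bot: the daq configuration changes in this hunk (module_dirs[].str renamed to module_dirs[].path, the instances[] table replaced by inputs[] and modules[], snaplen gaining a default of 1518, no_promisc removed) are all incompatible with existing snort.lua files that used the old keys, yet nothing here says so or points to snort2lua; a one-line pointer would save users a confusing config error. In addition, with bool daq.no_promisc gone, the text should state how promiscuous mode is now controlled, since the only remaining knob visible in this hunk is the free-form daq.modules[].variables[].variable (foo[=bar]).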
Usage: context
+Configuration:
+
+ * int decode.trace: mask for enabling debug traces in module {
+ 0:max53 }
+
Rules:
* 116:450 (decode) bad IP protocol
* string event_filter[].ip: restrict filter to these addresses
according to track
+Peg counts:
+
+ * event_filter.no_memory_local: number of times event filter ran
+ out of local memory (sum)
+ * event_filter.no_memory_global: number of times event filter ran
+ out of global memory (sum)
+
6.9. event_queue
Configuration:
* enum ips.default_rule_state = inherit: enable or disable ips
- rules { false | true | inherit }
+ rules { no | yes | inherit }
* bool ips.enable_builtin_rules = false: enable events from builtin
rules w/o stubs
* int ips.id = 0: correlate unified2 events with configuration {
0:65535 }
- * string ips.include: legacy snort rules and includes
+ * string ips.include: snort rules and includes
+ * string ips.includer: for internal use; where includes are
+ included from { (optional) }
* enum ips.mode: set policy mode { tap | inline | inline-test }
* string ips.rules: snort rules and includes
* bool ips.obfuscate_pii = false: mask all but the last 4
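Review bot: ips.includer is documented as "for internal use" yet is listed among the user-settable ips parameters with no statement of what Snort does if a user sets it; either omit it from the user-facing reference or say that it is set by Snort and any user value is ignored. The alphabetical ordering is also inconsistent between the two lists in this diff: here ips.include precedes ips.includer, while the full parameter index further down lists ips.includer before ips.include.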
* string rate_filter[].apply_to: restrict filter to these addresses
according to track
+Peg counts:
+
+ * rate_filter.no_memory: number of times rate filter ran out of
+ memory (sum)
+
6.25. references
pass | alert | drop | block | reset | inherit }
* enum rule_state.([0-9]+):([0-9]+)[].enable = inherit: enable or
disable rule in current ips policy or use default defined by ips
- policy { false | true | inherit }
+ policy { no | yes | inherit }
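Review bot: the enum values for both ips.default_rule_state (previous hunk) and rule_state.([0-9]+):([0-9]+)[].enable change from { false | true | inherit } to { no | yes | inherit }, so an existing configuration that sets either of them to true or false no longer matches the documented values; this deserves a call-out as a behavioural change, and snort2lua's output for these two parameters should be checked to emit yes/no, since the conversion table at the end of this diff does not mention them.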
6.27. search_engine
Daemon mode
* string snort.--daq: <type> select packet acquisition module
(default is pcap)
+ * int snort.--daq-batch-size = 64: <size> set the DAQ receive batch
+ size { 1: }
* string snort.--daq-dir: <dir> tell snort where to find desired
DAQ
* implied snort.--daq-list: list packet acquisition modules
available in optional dir, default is static modules only
+ * enum snort.--daq-mode: <mode> select DAQ module operating mode
+ (overrides automatic selection) { passive | inline | read-file }
* string snort.--daq-var: <name=value> specify extra DAQ
configuration variable
* implied snort.--dirty-pig: don’t flush packets on shutdown
Configuration:
* int port_scan.memcap = 1048576: maximum tracker memory in bytes {
- 1:maxSZ }
+ 1024:maxSZ }
* multi port_scan.protos = all: choose the protocols to monitor {
tcp | udp | icmp | ip | all }
* multi port_scan.scan_types = all: choose type of scans to look
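Review bot: the lower bound of port_scan.memcap moves from 1 to 1024 (the default of 1048576 is unaffected); any configuration that previously set a value below 1024 now falls outside the documented range, so the change is worth a mention in the release notes rather than only in the reference entry.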
* --control-socket <file> to create unix socket
* --create-pidfile create PID file, even when not in Daemon mode
* --daq <type> select packet acquisition module (default is pcap)
+ * --daq-batch-size <size> set the DAQ receive batch size (1:)
* --daq-dir <dir> tell snort where to find desired DAQ
* --daq-list list packet acquisition modules available in optional
dir, default is static modules only
+ * --daq-mode <mode> select DAQ module operating mode (overrides
+ automatic selection) (passive | inline | read-file)
* --daq-var <name=value> specify extra DAQ configuration variable
* --dirty-pig don’t flush packets on shutdown
* --dump-builtin-rules [<module prefix>] output stub rules for
* string content.within: var or maximum number of bytes to search
from cursor
* implied cvs.invalid-entry: looks for an invalid Entry string
- * string daq.input_spec: input specification
- * int daq.instances[].id: instance ID (required) { 0:max32 }
- * string daq.instances[].input_spec: input specification
- * string daq.instances[].variables[].str: string parameter
- * string daq.module: DAQ module to use
- * string daq.module_dirs[].str: string parameter
- * bool daq.no_promisc = false: whether to put DAQ device into
- promiscuous mode
- * int daq.snaplen: set snap length (same as -s) { 0:65535 }
- * string daq.variables[].str: string parameter
+ * int daq.batch_size = 64: set receive batch size (same as
+ --daq-batch-size) { 1: }
+ * string daq.inputs[].input: input source
+ * string daq.module_dirs[].path: directory path
+ * enum daq.modules[].mode = passive: DAQ module mode { passive |
+ inline | read-file }
+ * string daq.modules[].name: DAQ module name (required)
+ * string daq.modules[].variables[].variable: DAQ module variable
+ (foo[=bar])
+ * int daq.snaplen = 1518: set snap length (same as -s) { 0:65535 }
* select data_log.key = http_request_header_event : name of the
event to log { http_request_header_event |
http_response_header_event }
lsrre|ssrr|satid|any }
* string ip_proto.~proto: [!|>|<] name or number
* enum ips.default_rule_state = inherit: enable or disable ips
- rules { false | true | inherit }
+ rules { no | yes | inherit }
* bool ips.enable_builtin_rules = false: enable events from builtin
rules w/o stubs
* int ips.id = 0: correlate unified2 events with configuration {
0:65535 }
- * string ips.include: legacy snort rules and includes
+ * string ips.includer: for internal use; where includes are
+ included from { (optional) }
+ * string ips.include: snort rules and includes
* enum ips.mode: set policy mode { tap | inline | inline-test }
* bool ips.obfuscate_pii = false: mask all but the last 4
characters of credit card and social security numbers
* int port_scan.ip_window = 0: detection interval for all IP scans
{ 0:max32 }
* int port_scan.memcap = 1048576: maximum tracker memory in bytes {
- 1:maxSZ }
+ 1024:maxSZ }
* multi port_scan.protos = all: choose the protocols to monitor {
tcp | udp | icmp | ip | all }
* multi port_scan.scan_types = all: choose type of scans to look
pass | alert | drop | block | reset | inherit }
* enum rule_state.([0-9]+):([0-9]+)[].enable = inherit: enable or
disable rule in current ips policy or use default defined by ips
- policy { false | true | inherit }
+ policy { no | yes | inherit }
* string sd_pattern.~pattern: The pattern to search for
* int sd_pattern.threshold = 1: number of matches before alerting {
1:max32 }
hex)
* implied snort.--create-pidfile: create PID file, even when not in
Daemon mode
+ * int snort.--daq-batch-size = 64: <size> set the DAQ receive batch
+ size { 1: }
* string snort.--daq-dir: <dir> tell snort where to find desired
DAQ
* implied snort.--daq-list: list packet acquisition modules
available in optional dir, default is static modules only
+ * enum snort.--daq-mode: <mode> select DAQ module operating mode
+ (overrides automatic selection) { passive | inline | read-file }
* string snort.--daq: <type> select packet acquisition module
(default is pcap)
* string snort.--daq-var: <name=value> specify extra DAQ
* domain_filter.checked: domains checked (sum)
* domain_filter.filtered: domains filtered (sum)
* dpx.packets: total packets (sum)
+ * event_filter.no_memory_global: number of times event filter ran
+ out of global memory (sum)
+ * event_filter.no_memory_local: number of times event filter ran
+ out of local memory (sum)
* file_connector.messages: total messages (sum)
* file_id.cache_failures: number of file cache add failures (sum)
* file_id.total_file_data: number of file data bytes processed
* pop.uu_attachments: total uu attachments decoded (sum)
* pop.uu_decoded_bytes: total uu decoded bytes (sum)
* port_scan.packets: total packets (sum)
+ * rate_filter.no_memory: number of times rate filter ran out of
+ memory (sum)
* reg_test.packets: total packets (sum)
* reg_test.retry_packets: total retried packets received (sum)
* reg_test.retry_requests: total retry packets requested (sum)
change -> attribute_table: 'filename <file_name>' ==> 'hosts[]'
change -> config ' addressspace_agnostic' ==> ' packets. address_space_agnostic'
change -> config ' checksum_mode' ==> ' network. checksum_eval'
-change -> config ' daq' ==> ' daq. module'
change -> config ' daq_dir' ==> ' daq. module_dirs, true'
-change -> config ' daq_var' ==> ' daq. variables, true'
change -> config ' detection_filter' ==> ' alerts. detection_filter_memcap'
change -> config ' enable_deep_teredo_inspection' ==> ' udp. deep_teredo_inspection'
change -> config ' event_filter' ==> ' alerts. event_filter_memcap'
change -> csv: 'tcpseq' ==> 'tcp_seq'
change -> csv: 'tcpwindow' ==> 'tcp_win'
change -> csv: 'udplength' ==> 'udp_len'
+change -> daq: 'config daq:' ==> 'name'
+change -> daq_mode: 'config daq_mode:' ==> 'mode'
+change -> daq_var: 'config daq_var:' ==> 'variables'
change -> detection: 'ac' ==> 'ac_full'
change -> detection: 'ac-banded' ==> 'ac_banded'
change -> detection: 'ac-bnfa' ==> 'ac_bnfa'
deleted -> attribute_table: '<STREAM_POLICY>noack</STREAM_POLICY>'
deleted -> attribute_table: '<STREAM_POLICY>unknown</STREAM_POLICY>'
deleted -> config ' cs_dir'
-deleted -> config ' daq_mode'
deleted -> config ' decode_data_link'
deleted -> config ' disable_attribute_reload_thread'
deleted -> config ' disable_decode_alerts'
deleted -> config ' interface'
deleted -> config ' layer2resets'
deleted -> config ' log_ipv6_extra_data'
+deleted -> config ' no_promisc'
deleted -> config ' nolog'
deleted -> config ' protected_content'
deleted -> config ' sidechannel'
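Review bot: the snort2lua conversion table marks config no_promisc as deleted with no replacement, whereas daq, daq_mode and daq_var get explicit mappings to name, mode and variables; if promiscuous-mode control survives as a DAQ module variable, map it, otherwise document that the setting is dropped so that users converting a 2.X configuration know their capture behaviour changes. Also, the daq_dir mapping to ' daq. module_dirs, true' is unchanged here while the daq documentation in this same diff renames module_dirs[].str to module_dirs[].path; please confirm the converter emits the new key.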