<div class="literalblock">\r
<div class="content">\r
<pre><code> ,,_ -*> Snort++ <*-\r
-o" )~ Version 3.0.0 (Build 242) from 2.9.11\r
+o" )~ Version 3.0.0 (Build 243) from 2.9.11\r
'''' By Martin Roesch & The Snort Team\r
http://snort.org/contact#team\r
- Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.\r
+ Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.\r
Copyright (C) 1998-2013 Sourcefire, Inc., et al.</code></pre>\r
</div></div>\r
<div id="toc">\r
<div class="olist loweralpha"><ol class="loweralpha">\r
<li>\r
<p>\r
-To build with autotools, simply do the usual from the top level directory:\r
-</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>./configure --prefix=$my_path\r
-make -j 8\r
-make install</code></pre>\r
-</div></div>\r
-</li>\r
-<li>\r
-<p>\r
To build with cmake and make, run configure_cmake.sh. It will\r
automatically create and populate a new subdirectory named <em>build</em>.\r
</p>\r
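Review bot: dropping the autotools steps (./configure --prefix=$my_path, make -j 8, make install) leaves cmake as the only build method in this loweralpha list, yet the surviving item still reads as one alternative among several ("To build with cmake and make, run configure_cmake.sh"). Reword it to stand alone, and check that no other part of the manual still tells readers to run ./configure and make install, since anyone following stale instructions will end up with no build at all.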
</li>\r
<li>\r
<p>\r
-byte_jump: offset\r
+byte_jump: offset, post_offset\r
</p>\r
</li>\r
<li>\r
content:"bad stuff", offset str_offset, depth str_depth;\r
msg:"Bad Stuff detected within field";)</code></pre>\r
</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>alert tcp (content:"START"; byte_extract:1, 0, myvar, relative;\r
+ byte_jump:1, 3, relative, post_offset myvar;\r
+ content:"END", distance 6, within 3;\r
+ msg: "byte_jump - pass variable to post_offset";)</code></pre>\r
+</div></div>\r
<div class="paragraph"><p>This example uses two variables.</p></div>\r
<div class="paragraph"><p>The first variable keeps the offset of a string, read from a byte at offset 0.\r
The second variable keeps the depth of a string, read from a byte at offset 1.\r
</div>\r
</div>\r
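Review bot: the new byte_jump example (content:"START"; byte_extract:1, 0, myvar, relative; byte_jump:1, 3, relative, post_offset myvar; …) is inserted between the previous example and its explanation, so "This example uses two variables" and "The first variable keeps the offset of a string, read from a byte at offset 0" now appear to describe the byte_jump rule, which uses a single variable. Move the new literalblock after that explanation, or give it its own sentence saying that myvar, the one-byte value read at offset 0 after START, is what post_offset consumes. The byte_jump rule also omits sid:, unlike the HTTP/2 examples added elsewhere in this change; aligning the examples would keep them copy-pasteable.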
<div class="sect2">\r
+<h3 id="_ftp">FTP</h3>\r
+<div class="paragraph"><p>Given an FTP command channel buffer, FTP will interpret the data,\r
+identifying FTP commands and parameters, as well as FTP response codes\r
+and messages. It will enforce correctness of the parameters, determine\r
+when an FTP command connection is encrypted, and determine when an FTP\r
+data channel is opened.</p></div>\r
+<div class="sect3">\r
+<h4 id="_configuring_the_inspector_to_block_exploits_and_attacks">Configuring the inspector to block exploits and attacks</h4>\r
+<div class="sect4">\r
+<h5 id="_ftp_server_configuration">ftp_server configuration</h5>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+ftp_cmds\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>This specifies additional FTP commands outside of those checked by\r
+default within the inspector. The inspector may be configured\r
+to generate an alert when it sees a command it does not recognize.</p></div>\r
+<div class="paragraph"><p>Aside from the default commands recognized, it may be necessary to\r
+allow the use of the "X" commands, specified in RFC 775. To do so, use\r
+the following ftp_cmds option. Since these are rarely used by FTP\r
+client implementations, they are not included in the defaults.</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>ftp_cmds = [[ XPWD XCWD XCUP XMKD XRMD ]]</code></pre>\r
+</div></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+def_max_param_len\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>This specifies the default maximum parameter length for all commands\r
+in bytes. If the parameter for an FTP command exceeds that length,\r
+and the inspector is configured to do so, an alert will be generated.\r
+This is used to check for buffer overflow exploits within FTP servers.</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+cmd_validity\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>This specifies the valid format and length for parameters of a given command.</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+cmd_validity[].len\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>This specifies the maximum parameter length for the specified command\r
+in bytes, overriding the default. If the parameter for that FTP command\r
+exceeds that length, and the inspector is configured to do so, an\r
+alert will be generated. It can be used to restrict specific commands to\r
+small parameter values. For example the USER command — usernames may\r
+be no longer than 16 bytes, so the appropriate configuration would be:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>cmd_validity =\r
+{\r
+ {\r
+ command = 'USER',\r
+ length = 16,\r
+ }\r
+}</code></pre>\r
+</div></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+cmd_validity[].format\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>format is as follows:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>int Param must be an integer\r
+number Param must be an integer between 1 and 255\r
+char <chars> Param must be a single char, and one of <chars>\r
+date <datefmt> Param follows format specified where\r
+ # = Number, C=Char, []=optional, |=OR, {}=choice,\r
+ anything else=literal (i.e., .+- )\r
+string Param is string (effectively unrestricted)\r
+host_port Param must a host port specifier, per RFC 959.\r
+long_host_port Parameter must be a long host port specified, per RFC 1639\r
+extended_host_port Parameter must be an extended host port specified, per RFC 2428</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Examples of the cmd_validity option are shown below. These examples\r
+are the default checks (per RFC 959 and others) performed by the\r
+inspector.</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>cmd_validity =\r
+{\r
+ {\r
+ command = 'CWD',\r
+ length = 200,\r
+ },\r
+ {\r
+ command = 'MODE',\r
+ format = '< char SBC >',\r
+ },\r
+ {\r
+ command = 'STRU',\r
+ format = '< char FRP >',\r
+ },\r
+ {\r
+ command = 'ALLO',\r
+ format = '< int [ char R int ] >',\r
+ },\r
+ {\r
+ command = 'TYPE',\r
+ format = [[ < { char AE [ char NTC ] | char I | char L [ number ]\r
+ } > ]],\r
+ },\r
+ {\r
+ command = 'PORT',\r
+ format = '< host_port >',\r
+ },\r
+}</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>A cmd_validity entry in the configuration can be used to override these\r
+defaults and/or add a check for other commands. A few examples follow.</p></div>\r
+<div class="paragraph"><p>This allows additional modes, including mode Z which allows for\r
+zip-style compression:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>cmd_validity =\r
+{\r
+ {\r
+ command = 'MODE',\r
+ format = '< char ASBCZ >',\r
+ },\r
+}</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Allow for a date in the MDTM command:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>cmd_validity =\r
+{\r
+ {\r
+ command = 'MDTM',\r
+ format = '< [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string >',\r
+ },\r
+}</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>MDTM is an odd case that is worth discussing…</p></div>\r
+<div class="paragraph"><p>While not part of an established standard, certain FTP servers accept\r
+MDTM commands that set the modification time on a file. The most common\r
+among servers that do, accept a format using YYYYMMDDHHmmss[.uuu]. Some\r
+others accept a format using YYYYMMDDHHmmss[+|-]TZ format. The example\r
+above is for the first case (time format as specified in\r
+<a href="https://tools.ietf.org/html/draft-ietf-ftpext-mlst-16">https://tools.ietf.org/html/draft-ietf-ftpext-mlst-16</a>)</p></div>\r
+<div class="paragraph"><p>To check validity for a server that uses the TZ format, use the following:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>cmd_validity =\r
+{\r
+ {\r
+ command = 'MDTM',\r
+ format = '< [ date nnnnnnnnnnnnnn[{+|-}n[n]] ] string >',\r
+ },\r
+}</code></pre>\r
+</div></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+chk_str_fmt\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>This causes the inspector to check for string format attacks on\r
+the specified commands.</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+telnet_cmds\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Detect and alert when telnet cmds are seen on the FTP command channel.</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+ignore_telnet_erase_cmds\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>This option allows Snort to ignore telnet escape sequences for erase character\r
+(TNC EAC) and erase line (TNC EAL) when normalizing FTP command channel. Some\r
+FTP servers do not process those telnet escape sequences.</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+ignore_data_chan\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>When set to true, causes the FTP inspector to force the rest of snort\r
+to ignore the FTP data channel connections. NO INSPECTION other than state\r
+(inspector AND rules) will be performed on that data channel. It can\r
+be turned on to improve performance — especially with respect to large\r
+file transfers from a trusted source — by ignoring traffic. If your rule\r
+set includes virus-type rules, it is recommended that this option not be used.</p></div>\r
+</div>\r
+<div class="sect4">\r
+<h5 id="_ftp_client_configuration">ftp_client configuration</h5>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+max_resp_len\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>This specifies the maximum length for all response messages in bytes.\r
+If the message for an FTP response (everything after the 3 digit code)\r
+exceeds that length, and the inspector is configured to do so, an\r
+alert will be generated. This is used to check for buffer overflow\r
+exploits within FTP clients.</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+telnet_cmds\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Detect and alert when telnet cmds are seen on the FTP command channel.</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+ignore_telnet_erase_cmds\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>This option allows Snort to ignore telnet escape sequences for erase character\r
+(TNC EAC) and erase line (TNC EAL) when normalizing FTP command channel. Some\r
+FTP clients do not process those telnet escape sequences.</p></div>\r
+</div>\r
+<div class="sect4">\r
+<h5 id="_ftp_data">ftp_data</h5>\r
+<div class="paragraph"><p>In order to enable file inspection for ftp, the following should be added to the\r
+configuration:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>ftp_data = {}</code></pre>\r
+</div></div>\r
+</div>\r
+</div>\r
+</div>\r
+<div class="sect2">\r
<h3 id="_http_inspector">HTTP Inspector</h3>\r
<div class="paragraph"><p>One of the major undertakings for Snort 3 is developing a completely new\r
HTTP inspector.</p></div>\r
</div></div>\r
<div class="paragraph"><p>to your snort.lua configuration file. Or you can read about it in the\r
source code under src/service_inspectors/http_inspect.</p></div>\r
-<div class="paragraph"><p>The classic HTTP preprocessor is still available in the alpha release\r
-under extra. It has been renamed http_server. Be sure not to configure\r
-both old and new HTTP inspectors at the same time.</p></div>\r
<div class="paragraph"><p>So why a new HTTP inspector?</p></div>\r
<div class="paragraph"><p>For starters it is object-oriented. That’s good for us because we maintain\r
this software. But it should also be really nice for open-source\r
</div>\r
</div>\r
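Review bot: removing the paragraph about the classic preprocessor (renamed http_server under extra) also removes the only warning against configuring both the old and new HTTP inspectors at the same time. If http_server is still shipped in extra, that warning should stay; if it has been dropped, the removal is fine but the release notes should say so, because users who still have both configured would otherwise only discover the problem from runtime behaviour.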
<div class="sect2">\r
+<h3 id="_http_2_inspector">HTTP/2 Inspector</h3>\r
+<div class="paragraph"><p>Snort 3 is developing an inspector for HTTP/2.</p></div>\r
+<div class="paragraph"><p>You can configure it by adding:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>http2_inspect = {}</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>to your snort.lua configuration file.</p></div>\r
+<div class="paragraph"><p>Everything has a beginning and for http2_inspect this is the beginning of\r
+the beginning. Most of the protocol including HPACK decompression is not\r
+implemented yet.</p></div>\r
+<div class="paragraph"><p>Currently http2_inspect will divide an HTTP/2 connection into individual\r
+frames and make them available for detection. Two new rule options are\r
+available for looking at HTTP/2 frames: http2_frame_header provides the\r
+9-octet frame header and http2_frame_data provides the frame content.</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>alert tcp any any -> any any (msg:"Frame type"; flow:established,\r
+to_client; http2_frame_header; content:"|06|", offset 3, depth 1;\r
+sid:1; rev:1; )</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>This will match if the Type byte of the frame header is 6 (PING).</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>alert tcp any any -> any any ( msg:"Content of HTTP/2 frame";\r
+flow:established, to_client; http2_frame_data; content:"peppermint";\r
+sid:2; rev:1; )</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>This will look for peppermint in the frame data but not the frame header.</p></div>\r
+<div class="paragraph"><p>These can be combined:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>alert tcp any any -> any any ( msg:"Search in message bodies";\r
+flow:established, to_client;\r
+http2_frame_header; content:"|00|", offset 3, depth 1;\r
+http2_frame_data; content:"MaLwArE"; sid:3; rev:1; )</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Frame type 0 is DATA which carries the HTTP message body. This rule will\r
+search for MaLwArE inside an HTTP message body.</p></div>\r
+<div class="paragraph"><p>In the future, http2_inspect will support HPACK header decompression and\r
+be fully integrated with http_inspect to provide full inspection of the\r
+individual HTTP/1.1 streams.</p></div>\r
+</div>\r
+<div class="sect2">\r
<h3 id="_performance_monitor">Performance Monitor</h3>\r
<div class="paragraph"><p>The new and improved performance monitor! Is your sensor being bogged down by\r
too many flows? perf_monitor! Why are certain TCP segments being dropped without\r
</div>\r
</div>\r
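Review bot: all three http2_inspect rule examples use flow:established, to_client, so the sentence "This rule will search for MaLwArE inside an HTTP message body" is only true for bodies sent to the client; either say so or add a to_server variant, since request bodies are where a defender usually looks for uploads. The content:"|00|", offset 3, depth 1 match on http2_frame_header is the right position for the Type octet of the 9-octet header, and because the text above states that HPACK decompression is not implemented yet, it would help to add next to the examples that HEADERS frames still carry compressed header blocks, so content: cannot yet match on header names or values.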
<div class="sect2">\r
+<h3 id="_telnet">Telnet</h3>\r
+<div class="paragraph"><p>Given a telnet data buffer, Telnet will normalize the buffer with\r
+respect to telnet commands and option negotiation, eliminating telnet\r
+command sequences per RFC 854. It will also determine when a\r
+telnet connection is encrypted, per the use of the telnet encryption\r
+option per RFC 2946.</p></div>\r
+<div class="sect3">\r
+<h4 id="_configuring_the_inspector_to_block_exploits_and_attacks_2">Configuring the inspector to block exploits and attacks</h4>\r
+<div class="paragraph"><p>ayt_attack_thresh number</p></div>\r
+<div class="paragraph"><p>Detect and alert on consecutive are you there [AYT] commands beyond the\r
+threshold number specified. This addresses a few specific vulnerabilities\r
+relating to bsd-based implementations of telnet.</p></div>\r
+</div>\r
+</div>\r
+<div class="sect2">\r
<h3 id="_wizard">Wizard</h3>\r
<div class="paragraph"><p>Using the wizard enables port-independent configuration and the detection of\r
malware command and control channels. If the wizard is bound to a session, it\r
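Review bot: "ayt_attack_thresh number" is rendered as a plain paragraph, whereas the FTP section added in the same change lists each option (ftp_cmds, def_max_param_len, cmd_validity, …) as a ulist item followed by its description; use the same list markup here so the option name is distinguishable from prose. The description should also state the default threshold and make clear that the action is detect-and-alert on consecutive AYT commands beyond the threshold, since the subsection heading promises "block exploits and attacks".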
bool <strong>output.enable_packet_trace</strong> = false: enable summary output of state that determined packet verdict\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+enum <strong>output.packet_trace_output</strong> = console: select where to send packet trace { console | file }\r
+</p>\r
+</li>\r
</ul></div>\r
</div>\r
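Review bot: the new output.packet_trace_output option offers { console | file } but the help text does not say where the file is written or how it is named, and the preceding output.enable_packet_trace = false still has to be set to true before either destination produces anything; a sentence tying the two options together, plus the file location, would save operators a search.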
<div class="sect2">\r
</li>\r
<li>\r
<p>\r
-dynamic <strong>search_engine.search_method</strong> = ac_bnfa: set fast pattern algorithm - choose available search engine { ac_banded | ac_bnfa | ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan }\r
+dynamic <strong>search_engine.search_method</strong> = ac_bnfa: set fast pattern algorithm - choose available search engine { ac_banded | ac_bnfa | ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan | lowmem }\r
</p>\r
</li>\r
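Review bot: lowmem is added to the search_engine.search_method choices with no change to the help string, which still only says "choose available search engine"; a word on what lowmem gives up for its smaller footprint (the name implies memory over speed) would help operators decide, because the fast-pattern matcher is the setting that most directly governs sensor throughput.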
<li>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--rule-to-text</strong>: output plain so rule header to stdout for text rule on stdin\r
+string <strong>snort.--rule-to-text</strong> = [SnortFoo]: output plain so rule header to stdout for text rule on stdin { 16 }\r
</p>\r
</li>\r
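Review bot: snort.--rule-to-text changes from an implied flag to a string with default [SnortFoo] and the constraint { 16 }, but the help text ("output plain so rule header to stdout for text rule on stdin") is unchanged and does not say what the string argument is used for (a delimiter, judging by the [SnortFoo] default) or what { 16 } constrains; spell out the argument's role and that 16 is its maximum length.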
<li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_ftp_data">ftp_data</h3>\r
+<h3 id="_ftp_data_2">ftp_data</h3>\r
<div class="paragraph"><p>What: FTP data channel handler</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
<div class="paragraph"><p>Usage: inspect</p></div>\r
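Review bot: the heading id for the ftp_data module reference changes from _ftp_data to _ftp_data_2 because the new FTP section introduces its own ftp_data subsection with id _ftp_data; existing bookmarks and external links to #_ftp_data will now land on the short overview note rather than on the module reference (What/Type/Usage). The same happens to #_telnet further down in this change. If stable anchors matter, give the new overview subsections the suffixed ids instead and keep the reference entries at their old ids.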
</ul></div>\r
</div>\r
<div class="sect2">\r
+<h3 id="_http2_inspect">http2_inspect</h3>\r
+<div class="paragraph"><p>What: HTTP/2 inspector</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+<strong>http2_inspect.flows</strong>: HTTP connections inspected (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>http2_inspect.concurrent_sessions</strong>: total concurrent HTTP/2 sessions (now)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>http2_inspect.max_concurrent_sessions</strong>: maximum concurrent HTTP/2 sessions (max)\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
<h3 id="_http_inspect">http_inspect</h3>\r
<div class="paragraph"><p>What: HTTP inspector</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
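Review bot: in the new http2_inspect module entry, "Rules:" is followed by nothing, and the first peg count http2_inspect.flows is described as "HTTP connections inspected" while the other two say HTTP/2; either drop the empty Rules: line or list the builtin rules the inspector raises, and change the flows description to "HTTP/2 connections inspected".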
</li>\r
<li>\r
<p>\r
-<strong>119:65</strong> (http_inspect) white space following chunk length\r
+<strong>119:65</strong> (http_inspect) white space adjacent to chunk length\r
</p>\r
</li>\r
<li>\r
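Review bot: the 119:65 message changes from "white space following chunk length" to "white space adjacent to chunk length", which broadens its meaning to leading as well as trailing whitespace; if the detection logic changed with it, that is a behavioural change worth a release note, and operators who filter or suppress on the old message text should be told the text moved.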
<h3 id="_packet_capture">packet_capture</h3>\r
<div class="paragraph"><p>What: raw packet dumping facility</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
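Review bot: packet_capture (and perf_monitor and port_scan in the following entries) change Usage from context to global, which in this manual's terms moves them from per-policy to once-per-configuration scope; the change should be mentioned in the release notes, because existing configurations that set these modules inside a policy-scoped block no longer match the documented usage and may silently be ignored or rejected.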
<h3 id="_perf_monitor">perf_monitor</h3>\r
<div class="paragraph"><p>What: performance monitoring and flow statistics collection</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_port_scan_2">port_scan</h3>\r
<div class="paragraph"><p>What: detect various ip, icmp, tcp, and udp port or protocol scans</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
-<div class="paragraph"><p>Usage: context</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_telnet">telnet</h3>\r
+<h3 id="_telnet_2">telnet</h3>\r
<div class="paragraph"><p>What: telnet inspection and normalization</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
<div class="paragraph"><p>Usage: inspect</p></div>\r
</li>\r
<li>\r
<p>\r
-int <strong>byte_jump.post_offset</strong> = 0: also skip forward or backwards (positive of negative value) this number of bytes { -65535:65535 }\r
+string <strong>byte_jump.post_offset</strong>: skip forward or backward (positive or negative value) by variable name or number of bytes after the other jump options have been applied\r
</p>\r
</li>\r
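Review bot: byte_jump.post_offset changes from an int bounded to { -65535:65535 } to an unbounded string that may name a variable, so the help text no longer states any range; say whether a numeric post_offset is still limited to that range, and what happens when a variable's value would move the detection cursor outside the buffer, since rule writers relied on the previous bound. The wording fix from "positive of negative value" to "positive or negative value" is good.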
<li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
+<h3 id="_http2_frame_data">http2_frame_data</h3>\r
+<div class="paragraph"><p>What: rule option to see HTTP/2 frame body</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_http2_frame_header">http2_frame_header</h3>\r
+<div class="paragraph"><p>What: rule option to see 9-octet HTTP/2 frame header</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
+</div>\r
+<div class="sect2">\r
<h3 id="_http_client_body_2">http_client_body</h3>\r
<div class="paragraph"><p>What: rule option to set the detection cursor to the request body</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
<div class="content">\r
<pre><code>$packet <addr> <port> -> <addr> <port></code></pre>\r
</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>$sof <i32:ingressZone> <i32:egressZone> <i32:ingressIntf> <i32:egressIntf> <s:srcIp> <i16:srcPort> <s:destIp> <i16:dstPort> <u32:opaque> <u64:initiatorPkts> <u64:responderPkts> <u64:initiatorPktsDropped> <u64:responderPktsDropped> <u64:initiatorBytesDropped> <u64:responderBytesDropped> <u8:isQosAppliedOnSrcIntf> <timeval:sof_timestamp> <timeval:eof_timestamp> <u16:vlan> <u16:address_space_id> <u8:protocol>\r
+$eof <i32:ingressZone> <i32:egressZone> <i32:ingressIntf> <i32:egressIntf> <s:srcIp> <i16:srcPort> <s:destIp> <i16:dstPort> <u32:opaque> <u64:initiatorPkts> <u64:responderPkts> <u64:initiatorPktsDropped> <u64:responderPktsDropped> <u64:initiatorBytesDropped> <u64:responderBytesDropped> <u8:isQosAppliedOnSrcIntf> <timeval:sof_timestamp> <timeval:eof_timestamp> <u16:vlan> <u16:address_space_id> <u8:protocol></code></pre>\r
+</div></div>\r
<div class="paragraph"><p>Client and server are determined as follows. $packet → client indicates\r
to the client (from server) and $packet → server indicates a packet to the\r
server (from client). $packet followed by a 4-tuple uses the heuristic\r
-that the client is the side with the lower port number.</p></div>\r
+that the client is the side with the greater port number.</p></div>\r
<div class="paragraph"><p>The default client and server are 192.168.1.1 12345 and 10.1.2.3 80\r
respectively. $packet commands with a 4-tuple do not change client and\r
server set with the other $packet commands.</p></div>\r
combination of hex and strings. Data for a packet ends with the next\r
command or a blank line. Data after a blank line will start another packet\r
with the same tuple as the prior one.</p></div>\r
+<div class="paragraph"><p>$sof and $eof commands generate Start of Flow and End of Flow metapackets\r
+respectively. They are followed by a definition of a Flow_Stats_t data structure\r
+which will be fed into Snort via the metadata callback.</p></div>\r
<div class="paragraph"><p>Strings may contain the following escape sequences:</p></div>\r
<div class="literalblock">\r
<div class="content">\r
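Review bot: the heuristic for $packet with a 4-tuple is inverted from "lower port number" to "greater port number" as the client; that flips client and server for every existing test input written under the old rule, so it needs a changelog entry, and the doc should give the rationale (the side holding the ephemeral, higher-numbered port is normally the client). In the new $sof and $eof formats the port fields are typed <i16:srcPort> and <i16:dstPort>: a signed 16-bit field cannot represent ports 32768 to 65535, so either the type is really u16 or the text should say how high ports are entered; srcIp/destIp and srcPort/dstPort also use different abbreviations for the same side, which is easy to mistype in a test file.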
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>--alert-before-pass</strong> process alert, drop, sdrop, or reject before pass; default is pass before alert, drop,…\r
+<strong>-?</strong> <option prefix> output matching command line option quick help (same as --help-options) (optional)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>--bpf</strong> <filter options> are standard BPF options, as seen in TCPDump\r
+<strong>-C</strong> print out payloads with character data only (no hex)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--c2x</strong> output hex for given char (see also --x2c)\r
+<strong>-c</strong> <conf> use this configuration\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--catch-test</strong> comma separated list of cat unit test tags or <em>all</em>\r
+<strong>-D</strong> run Snort in background (daemon) mode\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-c</strong> <conf> use this configuration\r
+<strong>-d</strong> dump the Application Layer\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--control-socket</strong> <file> to create unix socket\r
+<strong>-e</strong> display the second layer header info\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-C</strong> print out payloads with character data only (no hex)\r
+<strong>-f</strong> turn off fflush() calls after binary log writes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--create-pidfile</strong> create PID file, even when not in Daemon mode\r
+<strong>-G</strong> <0xid> (same as --logid) (0:65535)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--daq-dir</strong> <dir> tell snort where to find desired DAQ\r
+<strong>-g</strong> <gname> run snort gid as <gname> group (or gid) after initialization\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--daq-list</strong> list packet acquisition modules available in optional dir, default is static modules only\r
+<strong>-H</strong> make hash tables deterministic\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--daq</strong> <type> select packet acquisition module (default is pcap)\r
+<strong>-i</strong> <iface>… list of interfaces\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--daq-var</strong> <name=value> specify extra DAQ configuration variable\r
+<strong>-j</strong> <port> to listen for Telnet connections\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-d</strong> dump the Application Layer\r
+<strong>-k</strong> <mode> checksum mode; default is all (all|noip|notcp|noudp|noicmp|none)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--dirty-pig</strong> don’t flush packets on shutdown\r
+<strong>-L</strong> <mode> logging mode (none, dump, pcap, or log_*)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-D</strong> run Snort in background (daemon) mode\r
+<strong>-l</strong> <logdir> log to this directory instead of current directory\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--dump-builtin-rules</strong> [<module prefix>] output stub rules for selected modules (optional)\r
+<strong>-M</strong> log messages to syslog (not alerts)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--dump-defaults</strong> [<module prefix>] output module defaults in Lua format (optional)\r
+<strong>-m</strong> <umask> set umask = <umask> (0:)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--dump-dynamic-rules</strong> output stub rules for all loaded rules libraries\r
+<strong>-n</strong> <count> stop after count packets (0:)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--dump-version</strong> output the version, the whole version, and only the version\r
+<strong>-O</strong> obfuscate the logged IP addresses\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-e</strong> display the second layer header info\r
+<strong>-Q</strong> enable inline mode operation\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--enable-inline-test</strong> enable Inline-Test Mode Operation\r
+<strong>-q</strong> quiet mode - Don’t show banner and status report\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-f</strong> turn off fflush() calls after binary log writes\r
+<strong>-R</strong> <rules> include this rules file in the default policy\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-G</strong> <0xid> (same as --logid) (0:65535)\r
+<strong>-r</strong> <pcap>… (same as --pcap-list)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--gen-msg-map</strong> dump builtin rules in gen-msg.map format for use by other tools\r
+<strong>-S</strong> <x=v> set config variable x equal to value v\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-g</strong> <gname> run snort gid as <gname> group (or gid) after initialization\r
+<strong>-s</strong> <snap> (same as --snaplen); default is 1514 (68:65535)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--help-commands</strong> [<module prefix>] output matching commands (optional)\r
+<strong>-T</strong> test and report on the current Snort configuration\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--help-config</strong> [<module prefix>] output matching config options (optional)\r
+<strong>-t</strong> <dir> chroots process to <dir> after initialization\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--help-counts</strong> [<module prefix>] output matching peg counts (optional)\r
+<strong>-U</strong> use UTC for timestamps\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--help</strong> list command line options\r
+<strong>-u</strong> <uname> run snort as <uname> or <uid> after initialization\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--help-module</strong> <module> output description of given module\r
+<strong>-V</strong> (same as --version)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--help-modules</strong> list all available modules with brief help\r
+<strong>-v</strong> be verbose\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--help-options</strong> [<option prefix>] output matching command line option quick help (same as -?) (optional)\r
+<strong>-W</strong> lists available interfaces\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--help-plugins</strong> list all available plugins with brief help\r
+<strong>-X</strong> dump the raw packet data starting at the link layer\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--help-signals</strong> dump available control signals\r
+<strong>-x</strong> same as --pedantic\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-H</strong> make hash tables deterministic\r
+<strong>-y</strong> include year in timestamp in the alert and log files\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--id-offset</strong> offset to add to instance IDs when logging to files (0:65535)\r
+<strong>-z</strong> <count> maximum number of packet threads (same as --max-packet-threads); 0 gets the number of CPU cores reported by the system; default is 1 (0:)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--id-subdir</strong> create/use instance subdirectories in logdir instead of instance filename prefix\r
+<strong>--alert-before-pass</strong> process alert, drop, sdrop, or reject before pass; default is pass before alert, drop,…\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--id-zero</strong> use id prefix / subdirectory even with one packet thread\r
+<strong>--bpf</strong> <filter options> are standard BPF options, as seen in TCPDump\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-i</strong> <iface>… list of interfaces\r
+<strong>--c2x</strong> output hex for given char (see also --x2c)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-j</strong> <port> to listen for Telnet connections\r
+<strong>--control-socket</strong> <file> to create unix socket\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-k</strong> <mode> checksum mode; default is all (all|noip|notcp|noudp|noicmp|none)\r
+<strong>--create-pidfile</strong> create PID file, even when not in Daemon mode\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--list-buffers</strong> output available inspection buffers\r
+<strong>--daq</strong> <type> select packet acquisition module (default is pcap)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--list-builtin</strong> [<module prefix>] output matching builtin rules (optional)\r
+<strong>--daq-dir</strong> <dir> tell snort where to find desired DAQ\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--list-gids</strong> [<module prefix>] output matching generators (optional)\r
+<strong>--daq-list</strong> list packet acquisition modules available in optional dir, default is static modules only\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--list-modules</strong> [<module type>] list all known modules of given type (optional)\r
+<strong>--daq-var</strong> <name=value> specify extra DAQ configuration variable\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--list-plugins</strong> list all known plugins\r
+<strong>--dirty-pig</strong> don’t flush packets on shutdown\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-l</strong> <logdir> log to this directory instead of current directory\r
+<strong>--dump-builtin-rules</strong> [<module prefix>] output stub rules for selected modules (optional)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-L</strong> <mode> logging mode (none, dump, pcap, or log_*)\r
+<strong>--dump-dynamic-rules</strong> output stub rules for all loaded rules libraries\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--logid</strong> <0xid> log Identifier to uniquely id events for multiple snorts (same as -G) (0:65535)\r
+<strong>--dump-defaults</strong> [<module prefix>] output module defaults in Lua format (optional)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--lua</strong> <chunk> extend/override conf with chunk; may be repeated\r
+<strong>--dump-version</strong> output the version, the whole version, and only the version\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--markup</strong> output help in asciidoc compatible format\r
+<strong>--enable-inline-test</strong> enable Inline-Test Mode Operation\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--max-packet-threads</strong> <count> configure maximum number of packet threads (same as -z) (0:)\r
+<strong>--gen-msg-map</strong> dump builtin rules in gen-msg.map format for use by other tools\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--mem-check</strong> like -T but also compile search engines\r
+<strong>--help</strong> list command line options\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-M</strong> log messages to syslog (not alerts)\r
+<strong>--help-commands</strong> [<module prefix>] output matching commands (optional)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-m</strong> <umask> set umask = <umask> (0:)\r
+<strong>--help-config</strong> [<module prefix>] output matching config options (optional)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-n</strong> <count> stop after count packets (0:)\r
+<strong>--help-counts</strong> [<module prefix>] output matching peg counts (optional)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--nolock-pidfile</strong> do not try to lock Snort PID file\r
+<strong>--help-module</strong> <module> output description of given module\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--nostamps</strong> don’t include timestamps in log file names\r
+<strong>--help-modules</strong> list all available modules with brief help\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-O</strong> obfuscate the logged IP addresses\r
+<strong>--help-options</strong> [<option prefix>] output matching command line option quick help (same as -?) (optional)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-?</strong> <option prefix> output matching command line option quick help (same as --help-options) (optional)\r
+<strong>--help-plugins</strong> list all available plugins with brief help\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--parsing-follows-files</strong> parse relative paths from the perspective of the current configuration file\r
+<strong>--help-signals</strong> dump available control signals\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--pause</strong> wait for resume/quit command before processing packets/terminating\r
+<strong>--id-offset</strong> offset to add to instance IDs when logging to files (0:65535)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--pcap-dir</strong> <dir> a directory to recurse to look for pcaps - read mode is implied\r
+<strong>--id-subdir</strong> create/use instance subdirectories in logdir instead of instance filename prefix\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--pcap-file</strong> <file> file that contains a list of pcaps to read - read mode is implied\r
+<strong>--id-zero</strong> use id prefix / subdirectory even with one packet thread\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--pcap-filter</strong> <filter> filter to apply when getting pcaps from file or directory\r
+<strong>--list-buffers</strong> output available inspection buffers\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--pcap-list</strong> <list> a space separated list of pcaps to read - read mode is implied\r
+<strong>--list-builtin</strong> [<module prefix>] output matching builtin rules (optional)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--pcap-loop</strong> <count> read all pcaps <count> times; 0 will read until Snort is terminated (-1:)\r
+<strong>--list-gids</strong> [<module prefix>] output matching generators (optional)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--pcap-no-filter</strong> reset to use no filter when getting pcaps from file or directory\r
+<strong>--list-modules</strong> [<module type>] list all known modules of given type (optional)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--pcap-reload</strong> if reading multiple pcaps, reload snort config between pcaps\r
+<strong>--list-plugins</strong> list all known plugins\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--pcap-show</strong> print a line saying what pcap is currently being read\r
+<strong>--lua</strong> <chunk> extend/override conf with chunk; may be repeated\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--pedantic</strong> warnings are fatal\r
+<strong>--logid</strong> <0xid> log Identifier to uniquely id events for multiple snorts (same as -G) (0:65535)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--piglet</strong> enable piglet test harness mode\r
+<strong>--markup</strong> output help in asciidoc compatible format\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--plugin-path</strong> <path> where to find plugins\r
+<strong>--max-packet-threads</strong> <count> configure maximum number of packet threads (same as -z) (0:)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--process-all-events</strong> process all action groups\r
+<strong>--mem-check</strong> like -T but also compile search engines\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-Q</strong> enable inline mode operation\r
+<strong>--nostamps</strong> don’t include timestamps in log file names\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-q</strong> quiet mode - Don’t show banner and status report\r
+<strong>--nolock-pidfile</strong> do not try to lock Snort PID file\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-r</strong> <pcap>… (same as --pcap-list)\r
+<strong>--pause</strong> wait for resume/quit command before processing packets/terminating\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-R</strong> <rules> include this rules file in the default policy\r
+<strong>--parsing-follows-files</strong> parse relative paths from the perspective of the current configuration file\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--rule</strong> <rules> to be added to configuration; may be repeated\r
+<strong>--pcap-file</strong> <file> file that contains a list of pcaps to read - read mode is implied\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--rule-to-hex</strong> output so rule header to stdout for text rule on stdin\r
+<strong>--pcap-list</strong> <list> a space separated list of pcaps to read - read mode is implied\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--rule-to-text</strong> output plain so rule header to stdout for text rule on stdin\r
+<strong>--pcap-dir</strong> <dir> a directory to recurse to look for pcaps - read mode is implied\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--run-prefix</strong> <pfx> prepend this to each output file\r
+<strong>--pcap-filter</strong> <filter> filter to apply when getting pcaps from file or directory\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--script-path</strong> <path> to a luajit script or directory containing luajit scripts\r
+<strong>--pcap-loop</strong> <count> read all pcaps <count> times; 0 will read until Snort is terminated (-1:)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--shell</strong> enable the interactive command line\r
+<strong>--pcap-no-filter</strong> reset to use no filter when getting pcaps from file or directory\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--show-plugins</strong> list module and plugin versions\r
+<strong>--pcap-reload</strong> if reading multiple pcaps, reload snort config between pcaps\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--skip</strong> <n> skip 1st n packets (0:)\r
+<strong>--pcap-show</strong> print a line saying what pcap is currently being read\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--snaplen</strong> <snap> set snaplen of packet (same as -s) (68:65535)\r
+<strong>--pedantic</strong> warnings are fatal\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-s</strong> <snap> (same as --snaplen); default is 1514 (68:65535)\r
+<strong>--plugin-path</strong> <path> where to find plugins\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--stdin-rules</strong> read rules from stdin until EOF or a line starting with END is read\r
+<strong>--process-all-events</strong> process all action groups\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-S</strong> <x=v> set config variable x equal to value v\r
+<strong>--rule</strong> <rules> to be added to configuration; may be repeated\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-t</strong> <dir> chroots process to <dir> after initialization\r
+<strong>--rule-to-hex</strong> output so rule header to stdout for text rule on stdin\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--treat-drop-as-alert</strong> converts drop, sdrop, and reject rules into alert rules during startup\r
+<strong>--rule-to-text</strong> output plain so rule header to stdout for text rule on stdin (16)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--treat-drop-as-ignore</strong> use drop, sdrop, and reject rules to ignore session traffic when not inline\r
+<strong>--run-prefix</strong> <pfx> prepend this to each output file\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-T</strong> test and report on the current Snort configuration\r
+<strong>--script-path</strong> <path> to a luajit script or directory containing luajit scripts\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-u</strong> <uname> run snort as <uname> or <uid> after initialization\r
+<strong>--shell</strong> enable the interactive command line\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-U</strong> use UTC for timestamps\r
+<strong>--piglet</strong> enable piglet test harness mode\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-v</strong> be verbose\r
+<strong>--show-plugins</strong> list module and plugin versions\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--version</strong> show version number (same as -V)\r
+<strong>--skip</strong> <n> skip 1st n packets (0:)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-V</strong> (same as --version)\r
+<strong>--snaplen</strong> <snap> set snaplen of packet (same as -s) (68:65535)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--warn-all</strong> enable all warnings\r
+<strong>--stdin-rules</strong> read rules from stdin until EOF or a line starting with END is read\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--warn-conf</strong> warn about configuration issues\r
+<strong>--treat-drop-as-alert</strong> converts drop, sdrop, and reject rules into alert rules during startup\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--warn-daq</strong> warn about DAQ issues, usually related to mode\r
+<strong>--treat-drop-as-ignore</strong> use drop, sdrop, and reject rules to ignore session traffic when not inline\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--warn-flowbits</strong> warn about flowbits that are checked but not set and vice-versa\r
+<strong>--catch-test</strong> comma separated list of cat unit test tags or <em>all</em>\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--warn-hosts</strong> warn about host table issues\r
+<strong>--version</strong> show version number (same as -V)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--warn-plugins</strong> warn about issues that prevent plugins from loading\r
+<strong>--warn-all</strong> enable all warnings\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--warn-rules</strong> warn about duplicate rules and rule parsing issues\r
+<strong>--warn-conf</strong> warn about configuration issues\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--warn-scripts</strong> warn about issues discovered while processing Lua scripts\r
+<strong>--warn-daq</strong> warn about DAQ issues, usually related to mode\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--warn-symbols</strong> warn about unknown symbols in your Lua config\r
+<strong>--warn-flowbits</strong> warn about flowbits that are checked but not set and vice-versa\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--warn-vars</strong> warn about variable definition and usage issues\r
+<strong>--warn-hosts</strong> warn about host table issues\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-W</strong> lists available interfaces\r
+<strong>--warn-plugins</strong> warn about issues that prevent plugins from loading\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--x2c</strong> output ASCII char for given hex (see also --c2x)\r
+<strong>--warn-rules</strong> warn about duplicate rules and rule parsing issues\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>--x2s</strong> output ASCII string for given byte code (see also --x2c)\r
+<strong>--warn-scripts</strong> warn about issues discovered while processing Lua scripts\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-X</strong> dump the raw packet data starting at the link layer\r
+<strong>--warn-symbols</strong> warn about unknown symbols in your Lua config\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-x</strong> same as --pedantic\r
+<strong>--warn-vars</strong> warn about variable definition and usage issues\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-y</strong> include year in timestamp in the alert and log files\r
+<strong>--x2c</strong> output ASCII char for given hex (see also --c2x)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>-z</strong> <count> maximum number of packet threads (same as --max-packet-threads); 0 gets the number of CPU cores reported by the system; default is 1 (0:)\r
+<strong>--x2s</strong> output ASCII string for given byte code (see also --x2c)\r
</p>\r
</li>\r
</ul></div>\r
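Review bot: the rewritten option list in this hunk is no longer alphabetical, which is the one property a reader scanning a flat list of roughly a hundred flags relies on: --lua now precedes --logid, --nostamps precedes --nolock-pidfile, --pause precedes --parsing-follows-files, --pcap-file and --pcap-list precede --pcap-dir, --piglet sits between --shell and --show-plugins, and --catch-test is wedged between --treat-drop-as-ignore and --version. If this text is generated from module registration order, sort it at generation time; otherwise restore the old order. Two smaller points in the same hunk: the short options deleted here (-k, -l, -L, -M, -m, -n, -O, -?, -Q, -q, -r, -R, -s, -S, -t, -T, -u, -U, -v, -V, -W, -X, -x, -y, -z) have no matching + lines in this region, so confirm they are re-added elsewhere in the list rather than dropped from the manual; and --catch-test is described as a list of unit test tags, which reads like a test-build-only flag and should be omitted from the user-facing list unless it is present in a normal build.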
</li>\r
<li>\r
<p>\r
-int <strong>byte_jump.post_offset</strong> = 0: also skip forward or backwards (positive of negative value) this number of bytes { -65535:65535 }\r
+string <strong>byte_jump.post_offset</strong>: skip forward or backward (positive or negative value) by variable name or number of bytes after the other jump options have been applied\r
</p>\r
</li>\r
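Review bot: changing byte_jump.post_offset from int to string drops the range the old entry stated ({ -65535:65535 }) without saying whether a literal number is still bounded. If the numeric form is still range-checked, keep the bound in the help text; if the check disappeared with the type change, that is a behaviour change the release notes should mention. The phrase "skip forward or backward (positive or negative value) by variable name or number of bytes" would also be clearer as "by a literal number of bytes or by the value of a byte_extract variable".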
<li>\r
</li>\r
<li>\r
<p>\r
+enum <strong>output.packet_trace_output</strong> = console: select where to send packet trace { console | file }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
bool <strong>output.quiet</strong> = false: suppress non-fatal information (still show alerts, same as -q)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--rule-to-text</strong>: output plain so rule header to stdout for text rule on stdin\r
+string <strong>snort.--rule-to-text</strong> = [SnortFoo]: output plain so rule header to stdout for text rule on stdin { 16 }\r
</p>\r
</li>\r
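Review bot: --rule-to-text changes here from implied to a string with default [SnortFoo] and constraint { 16 }, but neither this line nor the quick-help line earlier in the diff ("output plain so rule header to stdout for text rule on stdin (16)") says what the string is or what the 16 means; compare --rule <rules>, which shows its argument. If the string is a delimiter wrapped around the emitted rule and 16 is its maximum length, state that in both places, e.g. "--rule-to-text [<delim>] ... ; delim is at most 16 characters", and either explain or drop the bare "(16)" suffix.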
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>http2_inspect.concurrent_sessions</strong>: total concurrent HTTP/2 sessions (now)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>http2_inspect.flows</strong>: HTTP connections inspected (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>http2_inspect.max_concurrent_sessions</strong>: maximum concurrent HTTP/2 sessions (max)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>http_inspect.chunked</strong>: chunked message bodies (sum)\r
</p>\r
</li>\r
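Review bot: the new http2_inspect.flows peg is described as "HTTP connections inspected (sum)" while its two sibling pegs say "HTTP/2 sessions"; the text looks copied from the http_inspect peg. Say "HTTP/2 connections inspected (sum)" so the counter is not mistaken for the HTTP/1 flow count when both inspectors are loaded.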
</li>\r
<li>\r
<p>\r
+<strong>219</strong>: http2_inspect\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>256</strong>: dpx\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>119:65</strong> (http_inspect) white space following chunk length\r
+<strong>119:65</strong> (http_inspect) white space adjacent to chunk length\r
</p>\r
</li>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>packet_capture.disable</strong>(): stop packet dump\r
+<strong>packet_capture.enable</strong>(filter): dump raw packets\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>packet_capture.enable</strong>(filter): dump raw packets\r
+<strong>packet_capture.disable</strong>(): stop packet dump\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.delete_inspector</strong>(inspector): delete an inspector from the default policy\r
+<strong>snort.show_plugins</strong>(): show available plugins\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.detach</strong>(): exit shell w/o shutdown\r
+<strong>snort.delete_inspector</strong>(inspector): delete an inspector from the default policy\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.help</strong>(): this output\r
+<strong>snort.rotate_stats</strong>(): roll perfmonitor log files\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.pause</strong>(): suspend packet processing\r
+<strong>snort.reload_config</strong>(filename): load new configuration\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.quit</strong>(): shutdown and dump-stats\r
+<strong>snort.reload_policy</strong>(filename): reload part or all of the default policy\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.reload_config</strong>(filename): load new configuration\r
+<strong>snort.reload_daq</strong>(): reload daq module\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.reload_daq</strong>(): reload daq module\r
+<strong>snort.reload_hosts</strong>(filename): load a new hosts table\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.reload_hosts</strong>(filename): load a new hosts table\r
+<strong>snort.pause</strong>(): suspend packet processing\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.reload_policy</strong>(filename): reload part or all of the default policy\r
+<strong>snort.resume</strong>(): continue packet processing\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.resume</strong>(): continue packet processing\r
+<strong>snort.detach</strong>(): exit shell w/o shutdown\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.rotate_stats</strong>(): roll perfmonitor log files\r
+<strong>snort.quit</strong>(): shutdown and dump-stats\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.show_plugins</strong>(): show available plugins\r
+<strong>snort.help</strong>(): this output\r
</p>\r
</li>\r
</ul></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>hosts</strong>(23): reload hosts file\r
+<strong>term</strong>(15): shutdown normally\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>reload</strong>(1): reload config file\r
+<strong>stats</strong>(10): dump stats to stdout\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>stats</strong>(10): dump stats to stdout\r
+<strong>reload</strong>(1): reload config file\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>term</strong>(15): shutdown normally\r
+<strong>hosts</strong>(23): reload hosts file\r
</p>\r
</li>\r
</ul></div>\r
</li>\r
<li>\r
<p>\r
+<strong>http2_frame_data</strong> (ips_option): rule option to see HTTP/2 frame body\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>http2_frame_header</strong> (ips_option): rule option to see 9-octet HTTP/2 frame header\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>http2_inspect</strong> (inspector): HTTP/2 inspector\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>http_client_body</strong> (ips_option): rule option to set the detection cursor to the request body\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>inspector::http2_inspect</strong>: the HTTP/2 inspector\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>inspector::http_inspect</strong>: the new HTTP inspector!\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>ips_option::http2_frame_data</strong>: rule option to see HTTP/2 frame body\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>ips_option::http2_frame_header</strong>: rule option to see 9-octet HTTP/2 frame header\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>ips_option::http_client_body</strong>: rule option to set the detection cursor to the request body\r
</p>\r
</li>\r
<div id="footnotes"><hr /></div>\r
<div id="footer">\r
<div id="footer-text">\r
-Last updated 2018-02-10 00:01:09 EST\r
+Last updated 2018-03-15 02:27:21 EDT\r
</div>\r
</div>\r
</body>\r
5.4. DCE Inspectors
5.5. File Processing
5.6. High Availability
- 5.7. HTTP Inspector
- 5.8. Performance Monitor
- 5.9. POP and IMAP
- 5.10. Port Scan
- 5.11. Sensitive Data Filtering
- 5.12. SMTP
- 5.13. Wizard
+ 5.7. FTP
+ 5.8. HTTP Inspector
+ 5.9. HTTP/2 Inspector
+ 5.10. Performance Monitor
+ 5.11. POP and IMAP
+ 5.12. Port Scan
+ 5.13. Sensitive Data Filtering
+ 5.14. SMTP
+ 5.15. Telnet
+ 5.16. Wizard
6. Basic Modules
9.17. ftp_data
9.18. ftp_server
9.19. gtp_inspect
- 9.20. http_inspect
- 9.21. imap
- 9.22. modbus
- 9.23. normalizer
- 9.24. packet_capture
- 9.25. perf_monitor
- 9.26. pop
- 9.27. port_scan
- 9.28. reg_test
- 9.29. reputation
- 9.30. rpc_decode
- 9.31. sip
- 9.32. smtp
- 9.33. ssh
- 9.34. ssl
- 9.35. stream
- 9.36. stream_file
- 9.37. stream_icmp
- 9.38. stream_ip
- 9.39. stream_tcp
- 9.40. stream_udp
- 9.41. stream_user
- 9.42. telnet
- 9.43. wizard
+ 9.20. http2_inspect
+ 9.21. http_inspect
+ 9.22. imap
+ 9.23. modbus
+ 9.24. normalizer
+ 9.25. packet_capture
+ 9.26. perf_monitor
+ 9.27. pop
+ 9.28. port_scan
+ 9.29. reg_test
+ 9.30. reputation
+ 9.31. rpc_decode
+ 9.32. sip
+ 9.33. smtp
+ 9.34. ssh
+ 9.35. ssl
+ 9.36. stream
+ 9.37. stream_file
+ 9.38. stream_icmp
+ 9.39. stream_ip
+ 9.40. stream_tcp
+ 9.41. stream_udp
+ 9.42. stream_user
+ 9.43. telnet
+ 9.44. wizard
10. IPS Action Modules
11.30. gtp_info
11.31. gtp_type
11.32. gtp_version
- 11.33. http_client_body
- 11.34. http_cookie
- 11.35. http_header
- 11.36. http_method
- 11.37. http_raw_body
- 11.38. http_raw_cookie
- 11.39. http_raw_header
- 11.40. http_raw_request
- 11.41. http_raw_status
- 11.42. http_raw_trailer
- 11.43. http_raw_uri
- 11.44. http_stat_code
- 11.45. http_stat_msg
- 11.46. http_trailer
- 11.47. http_true_ip
- 11.48. http_uri
- 11.49. http_version
- 11.50. icmp_id
- 11.51. icmp_seq
- 11.52. icode
- 11.53. id
- 11.54. ip_proto
- 11.55. ipopts
- 11.56. isdataat
- 11.57. itype
- 11.58. md5
- 11.59. metadata
- 11.60. modbus_data
- 11.61. modbus_func
- 11.62. modbus_unit
- 11.63. msg
- 11.64. mss
- 11.65. pcre
- 11.66. pkt_data
- 11.67. pkt_num
- 11.68. priority
- 11.69. raw_data
- 11.70. reference
- 11.71. regex
- 11.72. rem
- 11.73. replace
- 11.74. rev
- 11.75. rpc
- 11.76. sd_pattern
- 11.77. seq
- 11.78. service
- 11.79. session
- 11.80. sha256
- 11.81. sha512
- 11.82. sid
- 11.83. sip_body
- 11.84. sip_header
- 11.85. sip_method
- 11.86. sip_stat_code
- 11.87. so
- 11.88. soid
- 11.89. ssl_state
- 11.90. ssl_version
- 11.91. stream_reassemble
- 11.92. stream_size
- 11.93. tag
- 11.94. target
- 11.95. tos
- 11.96. ttl
- 11.97. urg
- 11.98. window
- 11.99. wscale
+ 11.33. http2_frame_data
+ 11.34. http2_frame_header
+ 11.35. http_client_body
+ 11.36. http_cookie
+ 11.37. http_header
+ 11.38. http_method
+ 11.39. http_raw_body
+ 11.40. http_raw_cookie
+ 11.41. http_raw_header
+ 11.42. http_raw_request
+ 11.43. http_raw_status
+ 11.44. http_raw_trailer
+ 11.45. http_raw_uri
+ 11.46. http_stat_code
+ 11.47. http_stat_msg
+ 11.48. http_trailer
+ 11.49. http_true_ip
+ 11.50. http_uri
+ 11.51. http_version
+ 11.52. icmp_id
+ 11.53. icmp_seq
+ 11.54. icode
+ 11.55. id
+ 11.56. ip_proto
+ 11.57. ipopts
+ 11.58. isdataat
+ 11.59. itype
+ 11.60. md5
+ 11.61. metadata
+ 11.62. modbus_data
+ 11.63. modbus_func
+ 11.64. modbus_unit
+ 11.65. msg
+ 11.66. mss
+ 11.67. pcre
+ 11.68. pkt_data
+ 11.69. pkt_num
+ 11.70. priority
+ 11.71. raw_data
+ 11.72. reference
+ 11.73. regex
+ 11.74. rem
+ 11.75. replace
+ 11.76. rev
+ 11.77. rpc
+ 11.78. sd_pattern
+ 11.79. seq
+ 11.80. service
+ 11.81. session
+ 11.82. sha256
+ 11.83. sha512
+ 11.84. sid
+ 11.85. sip_body
+ 11.86. sip_header
+ 11.87. sip_method
+ 11.88. sip_stat_code
+ 11.89. so
+ 11.90. soid
+ 11.91. ssl_state
+ 11.92. ssl_version
+ 11.93. stream_reassemble
+ 11.94. stream_size
+ 11.95. tag
+ 11.96. target
+ 11.97. tos
+ 11.98. ttl
+ 11.99. urg
+ 11.100. window
+ 11.101. wscale
12. Search Engine Modules
13. SO Rule Modules
Snorty
,,_ -*> Snort++ <*-
-o" )~ Version 3.0.0 (Build 242) from 2.9.11
+o" )~ Version 3.0.0 (Build 243) from 2.9.11
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
- Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.
+ Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
* Now do one of the following:
- a. To build with autotools, simply do the usual from the top
- level directory:
-
- ./configure --prefix=$my_path
- make -j 8
- make install
-
- b. To build with cmake and make, run configure_cmake.sh. It will
+ a. To build with cmake and make, run configure_cmake.sh. It will
automatically create and populate a new subdirectory named
build.
make install
ln -s $my_path/conf $my_path/etc
- c. You can also specify a cmake project generator:
+ b. You can also specify a cmake project generator:
./configure_cmake.sh --generator=Xcode --prefix=$my_path
- d. Or use ccmake directly to configure and generate from an
+ c. Or use ccmake directly to configure and generate from an
arbitrary build directory like one of these:
ccmake -G Xcode /path/to/Snort++/tree
* content/uricontent: offset, depth, distance, within
* byte_test: offset, value
- * byte_jump: offset
+ * byte_jump: offset, post_offset
* isdataat: offset
5.3.3.2. Examples
content:"bad stuff", offset str_offset, depth str_depth;
msg:"Bad Stuff detected within field";)
+alert tcp (content:"START"; byte_extract:1, 0, myvar, relative;
+ byte_jump:1, 3, relative, post_offset myvar;
+ content:"END", distance 6, within 3;
+ msg: "byte_jump - pass variable to post_offset";)
+
This example uses two variables.
The first variable keeps the offset of a string, read from a byte at
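Review bot: the new byte_jump/post_offset rule is inserted between the existing example and the explanation that follows it ("This example uses two variables. The first variable keeps the offset of a string..."), so that explanation now reads as if it describes the new rule, which uses a single variable and no offset/depth pair. Either move the new rule below the existing explanation or give it its own sentence, e.g. "This example extracts one byte at offset 0 into myvar and then passes it as the post_offset of the byte_jump."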
}
-5.7. HTTP Inspector
+5.7. FTP
+
+--------------
+
+Given an FTP command channel buffer, FTP will interpret the data,
+identifying FTP commands and parameters, as well as FTP response
+codes and messages. It will enforce correctness of the parameters,
+determine when an FTP command connection is encrypted, and determine
+when an FTP data channel is opened.
+
+5.7.1. Configuring the inspector to block exploits and attacks
+
+5.7.1.1. ftp_server configuration
+
+ * ftp_cmds
+
+This specifies additional FTP commands outside of those checked by
+default within the inspector. The inspector may be configured to
+generate an alert when it sees a command it does not recognize.
+
+Aside from the default commands recognized, it may be necessary to
+allow the use of the "X" commands, specified in RFC 775. To do so,
+use the following ftp_cmds option. Since these are rarely used by FTP
+client implementations, they are not included in the defaults.
+
+ftp_cmds = [[ XPWD XCWD XCUP XMKD XRMD ]]
+
+ * def_max_param_len
+
+This specifies the default maximum parameter length for all commands
+in bytes. If the parameter for an FTP command exceeds that length,
+and the inspector is configured to do so, an alert will be generated.
+This is used to check for buffer overflow exploits within FTP
+servers.
+
+ * cmd_validity
+
+This specifies the valid format and length for parameters of a given
+command.
+
+ * cmd_validity[].len
+
+This specifies the maximum parameter length for the specified command
+in bytes, overriding the default. If the parameter for that FTP
+command exceeds that length, and the inspector is configured to do
+so, an alert will be generated. It can be used to restrict specific
+commands to small parameter values. For example the USER
+command — usernames may be no longer than 16 bytes, so the
+appropriate configuration would be:
+
+cmd_validity =
+{
+ {
+ command = 'USER',
+ length = 16,
+ }
+}
+
+ * cmd_validity[].format
+
+format is as follows:
+
+int Param must be an integer
+number Param must be an integer between 1 and 255
+char <chars> Param must be a single char, and one of <chars>
+date <datefmt> Param follows format specified where
+ # = Number, C=Char, []=optional, |=OR, {}=choice,
+ anything else=literal (i.e., .+- )
+string Param is string (effectively unrestricted)
+host_port Param must a host port specifier, per RFC 959.
+long_host_port Parameter must be a long host port specified, per RFC 1639
+extended_host_port Parameter must be an extended host port specified, per RFC 2428
+
+Examples of the cmd_validity option are shown below. These examples
+are the default checks (per RFC 959 and others) performed by the
+inspector.
+
+cmd_validity =
+{
+ {
+ command = 'CWD',
+ length = 200,
+ },
+ {
+ command = 'MODE',
+ format = '< char SBC >',
+ },
+ {
+ command = 'STRU',
+ format = '< char FRP >',
+ },
+ {
+ command = 'ALLO',
+ format = '< int [ char R int ] >',
+ },
+ {
+ command = 'TYPE',
+ format = [[ < { char AE [ char NTC ] | char I | char L [ number ]
+ } > ]],
+ },
+ {
+ command = 'PORT',
+ format = '< host_port >',
+ },
+}
+
+A cmd_validity entry in the configuration can be used to override
+these defaults and/or add a check for other commands. A few examples
+follow.
+
+This allows additional modes, including mode Z which allows for
+zip-style compression:
+
+cmd_validity =
+{
+ {
+ command = 'MODE',
+ format = '< char ASBCZ >',
+ },
+}
+
+Allow for a date in the MDTM command:
+
+cmd_validity =
+{
+ {
+ command = 'MDTM',
+ format = '< [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string >',
+ },
+}
+
+MDTM is an odd case that is worth discussing…
+
+While not part of an established standard, certain FTP servers accept
+MDTM commands that set the modification time on a file. The most
+common among servers that do, accept a format using YYYYMMDDHHmmss
+[.uuu]. Some others accept a format using YYYYMMDDHHmmss[+|-]TZ
+format. The example above is for the first case (time format as
+specified in https://tools.ietf.org/html/draft-ietf-ftpext-mlst-16)
+
+To check validity for a server that uses the TZ format, use the
+following:
+
+cmd_validity =
+{
+ {
+ command = 'MDTM',
+ format = '< [ date nnnnnnnnnnnnnn[{+|-}n[n]] ] string >',
+ },
+}
+
+ * chk_str_fmt
+
+This causes the inspector to check for string format attacks on the
+specified commands.
+
+ * telnet_cmds
+
+Detect and alert when telnet cmds are seen on the FTP command
+channel.
+
+ * ignore_telnet_erase_cmds
+
+This option allows Snort to ignore telnet escape sequences for erase
+character (TNC EAC) and erase line (TNC EAL) when normalizing FTP
+command channel. Some FTP servers do not process those telnet escape
+sequences.
+
+ * ignore_data_chan
+
+When set to true, causes the FTP inspector to force the rest of snort
+to ignore the FTP data channel connections. NO INSPECTION other than
+state (inspector AND rules) will be performed on that data channel.
+It can be turned on to improve performance — especially with respect
+to large file transfers from a trusted source — by ignoring traffic.
+If your rule set includes virus-type rules, it is recommended that
+this option not be used.
+
+5.7.1.2. ftp_client configuration
+
+ * max_resp_len
+
+This specifies the maximum length for all response messages in bytes.
+If the message for an FTP response (everything after the 3 digit
+code) exceeds that length, and the inspector is configured to do so,
+an alert will be generated. This is used to check for buffer overflow
+exploits within FTP clients.
+
+ * telnet_cmds
+
+Detect and alert when telnet cmds are seen on the FTP command
+channel.
+
+ * ignore_telnet_erase_cmds
+
+This option allows Snort to ignore telnet escape sequences for erase
+character (TNC EAC) and erase line (TNC EAL) when normalizing FTP
+command channel. Some FTP clients do not process those telnet escape
+sequences.
+
+5.7.1.3. ftp_data
+
+In order to enable file inspection for ftp, the following should be
+added to the configuration:
+
+ftp_data = {}
+
+
+5.8. HTTP Inspector
--------------
One of the major undertakings for Snort 3 is developing a completely
new HTTP inspector.
-5.7.1. Overview
+5.8.1. Overview
You can configure it by adding:
to your snort.lua configuration file. Or you can read about it in the
source code under src/service_inspectors/http_inspect.
-The classic HTTP preprocessor is still available in the alpha release
-under extra. It has been renamed http_server. Be sure not to
-configure both old and new HTTP inspectors at the same time.
-
So why a new HTTP inspector?
For starters it is object-oriented. That’s good for us because we
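Review bot: the cmd_validity examples in the new FTP section use a key named length (command = 'USER', length = 16, and again command = 'CWD', length = 200 in the defaults listing), but the option documented a few lines earlier is cmd_validity[].len. One of the two is wrong; the Lua snippets must use the key the ftp_server module actually registers, otherwise a reader who copies them gets a configuration that is either rejected or silently loses the length check. Second, the format legend says "# = Number, C=Char" while every date example uses n for a digit (nnnnnnnnnnnnnn[.n[n[n]]] and nnnnnnnnnnnnnn[{+|-}n[n]]); reconcile the legend with the examples so the reader knows which character the parser expects. Minor: the TYPE format is split across two lines inside a [[ ]] long string, so the newline and indentation become part of the format; confirm the format parser tolerates that or keep it on one line like the other entries. Wording: "Param must a host port specifier" is missing "be", and "long host port specified" / "extended host port specified" should read "specifier".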
to be a date then normalization means put that date in a standard
format.
-5.7.2. Configuration
+5.8.2. Configuration
Configuration can be as simple as adding:
that provide extra features, tweak how things are done, or conserve
resources by doing less.
-5.7.2.1. request_depth and response_depth
+5.8.2.1. request_depth and response_depth
These replace the flow depth parameters used by the old HTTP
inspector but they work differently.
These limits have no effect on how much data is forwarded to file
processing.
-5.7.2.2. gzip
+5.8.2.2. gzip
http_inspect by default decompresses deflate and gzip message bodies
before inspecting them. This feature can be turned off by unzip =
meaningful inspection of message bodies will be possible. Effectively
HTTP processing would be limited to the headers.
-5.7.2.3. normalize_utf
+5.8.2.3. normalize_utf
http_inspect will decode utf-8, utf-7, utf-16le, utf-16be, utf-32le,
and utf-32be in response message bodies based on the Content-Type
header. This feature is on by default: normalize_utf = false will
deactivate it.
-5.7.2.4. decompress_pdf
+5.8.2.4. decompress_pdf
decompress_pdf = true will enable decompression of compressed
portions of PDF files encountered in a response body. http_inspect
content is decompressed and made available through the file data rule
option.
-5.7.2.5. decompress_swf
+5.8.2.5. decompress_swf
decompress_swf = true will enable decompression of compressed SWF
(Adobe Flash content) files encountered in a response body. The
through the file data rule option. The compressed SWF file signature
is converted to FWS to indicate an uncompressed file.
-5.7.2.6. normalize_javascript
+5.8.2.6. normalize_javascript
normalize_javascript = true will enable normalization of JavaScript
within the HTTP response body. http_inspect looks for JavaScript by
replaces consecutive whitespaces with a single space and normalizes
the plus by concatenating the strings.
-5.7.2.7. URI processing
+5.8.2.7. URI processing
Normalization and inspection of the URI in the HTTP request message
is a key aspect of what http_inspect does. The best way to normalize
such a server then set backslash_to_slash = true and all the
backslashes will be replaced with slashes during normalization.
-5.7.3. Detection rules
+5.8.3. Detection rules
http_inspect parses HTTP messages into their components and makes
them available to the detection engine through rule options. Let’s
In addition to the headers there are rule options for virtually every
part of the HTTP message.
-5.7.3.1. http_uri and http_raw_uri
+5.8.3.1. http_uri and http_raw_uri
These provide the URI of the request message. The raw form is exactly
as it appeared in the message and the normalized form is determined
Nothing here is intended to conflict with the technical language of
the HTTP RFCs and the implementation follows the RFCs.
-5.7.3.2. http_header and http_raw_header
+5.8.3.2. http_header and http_raw_header
These cover all the header lines except the first one. You may
specify an individual header by name using the field option as shown
and accurate rule. It is recommended that new rules be written using
individual headers whenever possible.
-5.7.3.3. http_trailer and http_raw_trailer
+5.8.3.3. http_trailer and http_raw_trailer
HTTP permits header lines to appear after a chunked body ends.
Typically they contain information about the message content that was
rule to inspect both kinds of headers you need to write two rules,
one using header and one using trailer.
-5.7.3.4. http_cookie and http_raw_cookie
+5.8.3.4. http_cookie and http_raw_cookie
These provide the value of the Cookie header for a request message
and the Set-Cookie for a response message. If multiple cookies are
Normalization for http_cookie is the same URI-style normalization
applied to http_header when no specific header is specified.
-5.7.3.5. http_true_ip
+5.8.3.5. http_true_ip
This provides the original IP address of the client sending the
request as it was stored by a proxy in the request message headers.
or True-Client-IP header. If both headers are present the former is
used.
-5.7.3.6. http_client_body
+5.8.3.6. http_client_body
This is the body of a request message such as POST or PUT.
Normalization for http_client_body is the same URI-like normalization
applied to http_header when no specific header is specified.
-5.7.3.7. http_raw_body
+5.8.3.7. http_raw_body
This is the body of a request or response message. It will be
dechunked and unzipped if applicable but will not be normalized in
header, but http_raw_body is limited to the message body. Thus the
latter is more efficient and more accurate for most uses.
-5.7.3.8. http_method
+5.8.3.8. http_method
The method field of a request message. Common values are "GET",
"POST", "OPTIONS", "HEAD", "DELETE", "PUT", "TRACE", and "CONNECT".
-5.7.3.9. http_stat_code
+5.8.3.9. http_stat_code
The status code field of a response message. This is normally a
3-digit number between 100 and 599. In this example it is 200.
HTTP/1.1 200 OK
-5.7.3.10. http_stat_msg
+5.8.3.10. http_stat_msg
The reason phrase field of a response message. This is the
human-readable text following the status code. "OK" in the previous
example.
-5.7.3.11. http_version
+5.8.3.11. http_version
The protocol version information that appears on the first line of an
HTTP message. This is usually "HTTP/1.0" or "HTTP/1.1".
-5.7.3.12. http_raw_request and http_raw_status
+5.8.3.12. http_raw_request and http_raw_status
These are the unmodified first header line of the HTTP request and
response messages respectively. These rule options are a safety valve
http_raw_uri, and http_version. For a response message those are
http_version, http_stat_code, and http_stat_msg.
-5.7.3.13. file_data and packet data
+5.8.3.13. file_data and packet data
file_data contains the normalized message body. This is the
normalization described above under gzip, normalize_utf,
The unnormalized message content is available in the packet data. If
gzip is configured the packet data will be unzipped.
-5.7.4. Timing issues and combining rule options
+5.8.4. Timing issues and combining rule options
HTTP inspector is stateful. That means it is aware of a bigger
picture than the packet in front of it. It knows what all the pieces
cannot.
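Review bot: the deletion of the http_server paragraph in 5.8.1 (the three `-` lines after "source code under src/service_inspectors/http_inspect") also removes the only warning against configuring the old and new HTTP inspectors at the same time. If http_server is still shipped under extra, keep a one-line caution; if it has been dropped, the renumbered section should state that http_inspect is now the only HTTP inspector so readers of the previous manual know why the note vanished. The 5.7.x to 5.8.x renumbering itself is consistent with the new 5.9 HTTP/2 chapter.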
-5.8. Performance Monitor
+5.9. HTTP/2 Inspector
+
+--------------
+
+Snort 3 is developing an inspector for HTTP/2.
+
+You can configure it by adding:
+
+http2_inspect = {}
+
+to your snort.lua configuration file.
+
+Everything has a beginning and for http2_inspect this is the
+beginning of the beginning. Most of the protocol including HPACK
+decompression is not implemented yet.
+
+Currently http2_inspect will divide an HTTP/2 connection into
+individual frames and make them available for detection. Two new rule
+options are available for looking at HTTP/2 frames:
+http2_frame_header provides the 9-octet frame header and
+http2_frame_data provides the frame content.
+
+alert tcp any any -> any any (msg:"Frame type"; flow:established,
+to_client; http2_frame_header; content:"|06|", offset 3, depth 1;
+sid:1; rev:1; )
+
+This will match if the Type byte of the frame header is 6 (PING).
+
+alert tcp any any -> any any ( msg:"Content of HTTP/2 frame";
+flow:established, to_client; http2_frame_data; content:"peppermint";
+sid:2; rev:1; )
+
+This will look for peppermint in the frame data but not the frame
+header.
+
+These can be combined:
+
+alert tcp any any -> any any ( msg:"Search in message bodies";
+flow:established, to_client;
+http2_frame_header; content:"|00|", offset 3, depth 1;
+http2_frame_data; content:"MaLwArE"; sid:3; rev:1; )
+
+Frame type 0 is DATA which carries the HTTP message body. This rule
+will search for MaLwArE inside an HTTP message body.
+
+In the future, http2_inspect will support HPACK header decompression
+and be fully integrated with http_inspect to provide full inspection
+of the individual HTTP/1.1 streams.
+
+
+5.10. Performance Monitor
--------------
being dropped without hitting a rule? perf_monitor! Why is a sensor
leaking water? Not perf_monitor, check with stream…
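Review bot: the new 5.9 HTTP/2 section should state that http2_frame_header and http2_frame_data expose one frame at a time, so a content match cannot span two DATA frames and a body split across frames will not be caught by the `MaLwArE` rule (sid:3); it should also note that the content of a DATA frame includes the pad-length octet and the padding when the PADDED flag is set, so an offset into http2_frame_data is not an offset into the message body. The closing sentence, "full inspection of the individual HTTP/1.1 streams", reads oddly for HTTP/2; presumably each HTTP/2 stream will be handed to http_inspect as an HTTP/1.1-style message, and saying that would be clearer. Minor: the first rule writes `(msg:"Frame type";` while the other two write `( msg:`; pick one spacing.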
-5.8.1. Overview
+5.10.1. Overview
The Snort performance monitor is the built-in utility for monitoring
system and traffic statistics. All statistics are separated by
processing thread. perf_monitor supports several trackers for
monitoring such data:
-5.8.2. Base Tracker
+5.10.2. Base Tracker
The base tracker is used to gather running statistics about Snort and
its running modules. All Snort modules gather, at the very least,
Note: Event stats from prior Snorts are now located within base
statistics.
-5.8.3. Flow Tracker
+5.10.3. Flow Tracker
Flow tracks statistics regarding traffic and L3/L4 protocol
distributions. This data can be used to build a profile of traffic
perf_monitor = { flow = true }
-5.8.4. FlowIP Tracker
+5.10.4. FlowIP Tracker
FlowIP provides statistics for individual hosts within a network.
This data can be used for identifying communication habits, such as
perf_monitor = { flow_ip = true }
-5.8.5. CPU Tracker
+5.10.5. CPU Tracker
This tracker monitors the CPU and wall time spent by a given
processing thread.
perf_monitor = { cpu = true }
-5.8.6. Formatters
+5.10.6. Formatters
Performance monitor allows statistics to be output in a few formats.
Along with human readable text (as seen at shutdown) and csv formats,
monitor or the code provided for fbstreamer.
-5.9. POP and IMAP
+5.11. POP and IMAP
--------------
POP inspector is a service inspector for POP3 protocol and IMAP
inspector is for IMAP4 protocol.
-5.9.1. Overview
+5.11.1. Overview
POP and IMAP inspectors examine data traffic and find POP and IMAP
commands and responses. The inspectors also identify the command,
appropriately. The pop and imap also identify and whitelist the pop
and imap traffic.
-5.9.2. Configuration
+5.11.2. Configuration
POP inspector and IMAP inspector offer same set of configuration
options for MIME decoding depth:
-5.9.2.1. b64_decode_depth
+5.11.2.1. b64_decode_depth
This config option is used to turn off/on or set the base64 decoding
depth used to decode the base64 encoded MIME attachments. The value
restricts the decoding of base64 MIME attachments, and applies per
attachment. The default value is 1460.
-5.9.2.2. qp_decode_depth
+5.11.2.2. qp_decode_depth
This config option is used to turn off/on or set the Quoted-Printable
decoding depth used to decode the Quoted-Printable(QP) encoded MIME
than 0 or -1 restricts the decoding of QP MIME attachments, and
applies per attachment.
-5.9.2.3. bitenc_decode_depth
+5.11.2.3. bitenc_decode_depth
This config option is used to turn off/on or set the non-encoded MIME
extraction depth used to extract the non-encoded MIME attachments.
0 or -1 restricts the extraction of these MIME attachments, and
applies per attachment.
-5.9.2.4. uu_decode_depth
+5.11.2.4. uu_decode_depth
This config option is used to turn off/on or set the Unix-to-Unix
decoding depth used to decode the Unix-to-Unix(UU) encoded
than 0 or -1 restricts the decoding of UU POP attachments, and
applies per attachment.
-5.9.2.5. Examples
+5.11.2.5. Examples
stream = { }
}
-5.10. Port Scan
+5.12. Port Scan
--------------
A module to detect port scanning
-5.10.1. Overview
+5.12.1. Overview
This module is designed to detect the first phase in a network
attack: Reconnaissance. In the Reconnaissance phase, an attacker
triggered. Open port events are not individual alerts, but tags based
off the original scan alert.
-5.10.2. Scan levels
+5.12.2. Scan levels
There are 3 default scan levels that can be set.
monitoring, but is very sensitive to active hosts. This most
definitely will require the user to tune Portscan.
-5.10.3. Tuning Portscan
+5.12.3. Tuning Portscan
The most important aspect in detecting portscans is tuning the
detection engine for your network(s). Here are some tuning tips:
filtered scans, since these are more prone to false positives.
-5.11. Sensitive Data Filtering
+5.13. Sensitive Data Filtering
--------------
addresses. A rich regular expression syntax is available for defining
your own PII.
-5.11.1. Hyperscan
+5.13.1. Hyperscan
The sd_pattern rule option is powered by the open source Hyperscan
library from Intel. It provides a regex grammar which is mostly PCRE
compatible. To learn more about Hyperscan see http://01org.github.io/
hyperscan/dev-reference/
-5.11.2. Syntax
+5.13.2. Syntax
Snort provides sd_pattern as IPS rule option with no additional
inspector overhead. The Rule option takes the following syntax.
sd_pattern: "<pattern>"[, threshold <count>];
-5.11.2.1. Pattern
+5.13.2.1. Pattern
Pattern is the most important and is the only required parameter to
sd_pattern. It supports 3 built in patterns which are configured by
Note: This is just an example, this pattern is not suitable to detect
many correctly formatted emails.
-5.11.2.2. Threshold
+5.13.2.2. Threshold
Threshold is an optional parameter allowing you to change built in
default value (default value is 1). The following two instances are
literal" to qualify as a positive match. That is, if the string only
occurred 299 times in a packet, you will not see an event.
-5.11.2.3. Obfuscating Credit Cards and Social Security Numbers
+5.13.2.3. Obfuscating Credit Cards and Social Security Numbers
Snort provides discreet logging for the built in patterns
"credit_card", "us_social" and "us_social_nodashes". Enabling
obfuscate_pii = true
}
-5.11.3. Example
+5.13.3. Example
A complete Snort IPS rule
58 58 58 58 58 58 58 58 58 58 58 58 39 32 39 34 XXXXXXXXXXXX9294
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-5.11.4. Caveats
+5.13.4. Caveats
1. Snort currently requires setting the fast pattern engine to use
"hyperscan" in order for sd_pattern ips option to function
(This is a known bug).
-5.12. SMTP
+5.14. SMTP
--------------
SMTP inspector is a service inspector for SMTP protocol.
-5.12.1. Overview
+5.14.1. Overview
The SMTP inspector examines SMTP connections looking for commands and
responses. It also identifies the command, header and body sections,
SMTP inspector logs the filename, email addresses, attachment names
when configured.
-5.12.2. Configuration
+5.14.2. Configuration
SMTP command lines can be normalized to remove extraneous spaces.
TLS-encrypted traffic can be ignored, which improves performance. In
The configuration options are described below:
-5.12.2.1. normalize and normalize_cmds
+5.14.2.1. normalize and normalize_cmds
Normalization checks for more than one space character after a
command. Space characters are defined as space (ASCII 0x20) or tab
smtp = { normalize = 'cmds', normalize_cmds = 'RCPT VRFY EXPN' }
-5.12.2.2. ignore_data
+5.14.2.2. ignore_data
Set it to true to ignore data section of mail (except for mail
headers) when processing rules.
-5.12.2.3. ignore_tls_data
+5.14.2.3. ignore_tls_data
Set it to true to ignore TLS-encrypted data when processing rules.
-5.12.2.4. max_command_line_len
+5.14.2.4. max_command_line_len
Alert if an SMTP command line is longer than this value. Absence of
this option or a "0" means never alert on command line length. RFC
2821 recommends 512 as a maximum command line length.
-5.12.2.5. max_header_line_len
+5.14.2.5. max_header_line_len
Alert if an SMTP DATA header line is longer than this value. Absence
of this option or a "0" means never alert on data header line length.
RFC 2821 recommends 1024 as a maximum data header line length.
-5.12.2.6. max_response_line_len
+5.14.2.6. max_response_line_len
Alert if an SMTP response line is longer than this value. Absence of
this option or a "0" means never alert on response line length. RFC
2821 recommends 512 as a maximum response line length.
-5.12.2.7. alt_max_command_line_len
+5.14.2.7. alt_max_command_line_len
Overrides max_command_line_len for specific commands For example:
},
}
-5.12.2.8. invalid_cmds
+5.14.2.8. invalid_cmds
Alert if this command is sent from client side.
-5.12.2.9. valid_cmds
+5.14.2.9. valid_cmds
List of valid commands. We do not alert on commands in this list.
STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS X-LINK2STATE
XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR ]]
-5.12.2.10. data_cmds
+5.14.2.10. data_cmds
List of commands that initiate sending of data with an end of data
delimiter the same as that of the DATA command per RFC 5321 - "
<CRLF>.<CRLF>".
-5.12.2.11. binary_data_cmds
+5.14.2.11. binary_data_cmds
List of commands that initiate sending of data and use a length value
after the command to indicate the amount of data to be sent, similar
to that of the BDAT command per RFC 3030.
-5.12.2.12. auth_cmds
+5.14.2.12. auth_cmds
List of commands that initiate an authentication exchange between
client and server.
-5.12.2.13. xlink2state
+5.14.2.13. xlink2state
Enable/disable xlink2state alert, options are {disable | alert |
drop}. See CVE-2005-0560 for a description of the vulnerability.
-5.12.2.14. b64_decode_depth
+5.14.2.14. b64_decode_depth
This config option is used to turn off/on or set the base64 decoding
depth used to decode the base64 encoded MIME attachments. The value
restricts the decoding of base64 MIME attachments, and applies per
attachment.
-5.12.2.15. qp_decode_depth
+5.14.2.15. qp_decode_depth
This config option is used to turn off/on or set the Quoted-Printable
decoding depth used to decode the Quoted-Printable(QP) encoded MIME
than 0 or -1 restricts the decoding of QP MIME attachments, and
applies per attachment.
-5.12.2.16. bitenc_decode_depth * default to 25
+5.14.2.16. bitenc_decode_depth * default to 25
This config option is used to turn off/on or set the non-encoded MIME
extraction depth used to extract the non-encoded MIME attachments.
0 or -1 restricts the extraction of these MIME attachments, and
applies per attachment.
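Review bot: the renumbered heading `+5.14.2.16. bitenc_decode_depth * default to 25` still carries the stray `* default to 25` fragment from the old heading; since the patch touches this line anyway, move the default into the body sentence (the other depth options state it in prose, e.g. 5.11.2.1 ends with "The default value is 1460") and leave the heading as `bitenc_decode_depth`. The POP/IMAP copy of the same option at 5.11.2.3 has no such fragment, so the two sections now document the option inconsistently.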
-5.12.2.17. uu_decode_depth
+5.14.2.17. uu_decode_depth
This config option is used to turn off/on or set the Unix-to-Unix
decoding depth used to decode the Unix-to-Unix(UU) encoded
than 0 or -1 restricts the decoding of UU SMTP attachments, and
applies per attachment.
-5.12.2.18. Log Options
+5.14.2.18. Log Options
Following log options allow SMTP inspector to log email addresses and
filenames. Please note, this is logged only with the unified2 output
allowed range for this option is 0 - 20480. A value of 0 will disable
email headers logging. The default value for this option is 1464.
-5.12.3. Example
+5.14.3. Example
smtp =
{
}
-5.13. Wizard
+5.15. Telnet
+
+--------------
+
+Given a telnet data buffer, Telnet will normalize the buffer with
+respect to telnet commands and option negotiation, eliminating telnet
+command sequences per RFC 854. It will also determine when a telnet
+connection is encrypted, per the use of the telnet encryption option
+per RFC 2946.
+
+5.15.1. Configuring the inspector to block exploits and attacks
+
+ayt_attack_thresh number
+
+Detect and alert on consecutive are you there [AYT] commands beyond
+the threshold number specified. This addresses a few specific
+vulnerabilities relating to bsd-based implementations of telnet.
+
+
+5.16. Wizard
--------------
instead of 16 when dumping buffers
* bool output.enable_packet_trace = false: enable summary output of
state that determined packet verdict
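Review bot: the new 5.15 Telnet section promises in its intro that the inspector determines when a connection becomes encrypted (RFC 2946), but 5.15.1 documents only `ayt_attack_thresh`, so the encrypted-traffic behaviour and whatever option controls it are left undocumented; either add those options or drop the sentence from the intro. The option is also shown as a bare `ayt_attack_thresh number` with no Lua example, whereas neighbouring sections show the stanza (e.g. `perf_monitor = { flow = true }`); a line such as `telnet = { ayt_attack_thresh = 5 }`, with the value marked as an example, would match the rest of the chapter. "a few specific vulnerabilities relating to bsd-based implementations of telnet" should cite the reference those vulnerabilities are known by, as the SMTP section does for xlink2state.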
+ * enum output.packet_trace_output = console: select where to send
+ packet trace { console | file }
6.20. packets
before reassembly
* dynamic search_engine.search_method = ac_bnfa: set fast pattern
algorithm - choose available search engine { ac_banded | ac_bnfa
- | ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan }
+ | ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan |
+ lowmem }
* bool search_engine.search_optimize = true: tweak state machine
construction for better performance
* bool search_engine.show_fast_patterns = false: print fast pattern
repeated
* implied snort.--rule-to-hex: output so rule header to stdout for
text rule on stdin
- * implied snort.--rule-to-text: output plain so rule header to
- stdout for text rule on stdin
+ * string snort.--rule-to-text = [SnortFoo]: output plain so rule
+ header to stdout for text rule on stdin { 16 }
* string snort.--run-prefix: <pfx> prepend this to each output file
* string snort.--script-path: <path> to a luajit script or
directory containing luajit scripts
* gtp_inspect.unknown_infos: unknown information elements (sum)
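Review bot: `+ * string snort.--rule-to-text = [SnortFoo]: ... { 16 }` turns --rule-to-text from an implied flag into a string option but does not say what the string is (a delimiter or prefix placed around the generated rule header?) or what the `{ 16 }` constraint means (a maximum length?); both need a few words, otherwise `[SnortFoo]` looks like a placeholder that leaked from a test. Likewise `lowmem` is added to the search_engine.search_method enum without a line saying what it trades for the lower memory use; the other entries at least have names that suggest their structure.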
-9.20. http_inspect
+9.20. http2_inspect
+
+--------------
+
+What: HTTP/2 inspector
+
+Type: inspector
+
+Usage: inspect
+
+Rules:
+
+Peg counts:
+
+ * http2_inspect.flows: HTTP connections inspected (sum)
+ * http2_inspect.concurrent_sessions: total concurrent HTTP/2
+ sessions (now)
+ * http2_inspect.max_concurrent_sessions: maximum concurrent HTTP/2
+ sessions (max)
+
+
+9.21. http_inspect
--------------
* 119:63 (http_inspect) unrecognized type of percent encoding in
URI
* 119:64 (http_inspect) HTTP chunk misformatted
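Review bot: in the new 9.20 http2_inspect reference the peg `http2_inspect.flows: HTTP connections inspected (sum)` should say HTTP/2 connections, matching the two sibling pegs; and the `Rules:` heading is followed by nothing, so either list the builtin rules the inspector raises or omit the empty heading rather than implying there are none.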
- * 119:65 (http_inspect) white space following chunk length
+ * 119:65 (http_inspect) white space adjacent to chunk length
* 119:66 (http_inspect) white space within header name
* 119:67 (http_inspect) excessive gzip compression
* 119:68 (http_inspect) gzip decompression failed
sessions (max)
-9.21. imap
+9.22. imap
--------------
* imap.non_encoded_bytes: total non-encoded extracted bytes (sum)
-9.22. modbus
+9.23. modbus
--------------
sessions (max)
-9.23. normalizer
+9.24. normalizer
--------------
* normalizer.tcp_block: blocked segments (sum)
-9.24. packet_capture
+9.25. packet_capture
--------------
Type: inspector
-Usage: context
+Usage: global
Configuration:
filter (sum)
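Review bot: changing packet_capture from `Usage: context` to `Usage: global` (the same change is made for perf_monitor and port_scan further down) means these modules are now configured once for the whole configuration rather than per policy; the change log or the module chapters should say so, since anyone with a per-policy port_scan or perf_monitor block will have to move it.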
-9.25. perf_monitor
+9.26. perf_monitor
--------------
Type: inspector
-Usage: context
+Usage: global
Configuration:
* perf_monitor.packets: total packets (sum)
-9.26. pop
+9.27. pop
--------------
* pop.non_encoded_bytes: total non-encoded extracted bytes (sum)
-9.27. port_scan
+9.28. port_scan
--------------
Type: inspector
-Usage: context
+Usage: global
Configuration:
* port_scan.packets: total packets (sum)
-9.28. reg_test
+9.29. reg_test
--------------
* reg_test.retry_packets: total retried packets received (sum)
-9.29. reputation
+9.30. reputation
--------------
* reputation.memory_allocated: total memory allocated (sum)
-9.30. rpc_decode
+9.31. rpc_decode
--------------
sessions (max)
-9.31. sip
+9.32. sip
--------------
* sip.code_9xx: 9xx (sum)
-9.32. smtp
+9.33. smtp
--------------
* smtp.non_encoded_bytes: total non-encoded extracted bytes (sum)
-9.33. ssh
+9.34. ssh
--------------
(max)
-9.34. ssl
+9.35. ssl
--------------
(max)
-9.35. stream
+9.36. stream
--------------
sync (sum)
-9.36. stream_file
+9.37. stream_file
--------------
* bool stream_file.upload = false: indicate file transfer direction
-9.37. stream_icmp
+9.38. stream_icmp
--------------
* stream_icmp.prunes: icmp session prunes (sum)
-9.38. stream_ip
+9.39. stream_ip
--------------
* stream_ip.fragmented_bytes: total fragmented bytes (sum)
-9.39. stream_tcp
+9.40. stream_tcp
--------------
* stream_tcp.fins: number of fin packets (sum)
-9.40. stream_udp
+9.41. stream_udp
--------------
* stream_udp.ignored: udp packets ignored (sum)
-9.41. stream_user
+9.42. stream_user
--------------
* int stream_user.trace: mask for enabling debug traces in module
-9.42. telnet
+9.43. telnet
--------------
sessions (max)
-9.43. wizard
+9.44. wizard
--------------
amount { 1:65535 }
* int byte_jump.align = 0: round the number of converted bytes up
to the next 2- or 4-byte boundary { 0:4 }
- * int byte_jump.post_offset = 0: also skip forward or backwards
- (positive of negative value) this number of bytes { -65535:65535
- }
+ * string byte_jump.post_offset: skip forward or backward (positive
+ or negative value) by variable name or number of bytes after the
+ other jump options have been applied
* implied byte_jump.big: big endian
* implied byte_jump.little: little endian
* implied byte_jump.dce: dcerpc2 determines endianness
* int gtp_version.~: version to match { 0:2 }
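Review bot: the byte_jump.post_offset change from `int ... { -65535:65535 }` to `string` drops the documented numeric bounds; since a plain number is still accepted ("by variable name or number of bytes"), state the range that applies when a number is given and what happens when the named variable's value falls outside it, otherwise the validation the old entry described is no longer documented anywhere.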
-11.33. http_client_body
+11.33. http2_frame_data
+
+--------------
+
+What: rule option to see HTTP/2 frame body
+
+Type: ips_option
+
+Usage: detect
+
+
+11.34. http2_frame_header
+
+--------------
+
+What: rule option to see 9-octet HTTP/2 frame header
+
+Type: ips_option
+
+Usage: detect
+
+
+11.35. http_client_body
--------------
Usage: detect
-11.34. http_cookie
+11.36. http_cookie
--------------
message trailers
-11.35. http_header
+11.37. http_header
--------------
message trailers
-11.36. http_method
+11.38. http_method
--------------
message trailers
-11.37. http_raw_body
+11.39. http_raw_body
--------------
Usage: detect
-11.38. http_raw_cookie
+11.40. http_raw_cookie
--------------
HTTP message trailers
-11.39. http_raw_header
+11.41. http_raw_header
--------------
HTTP message trailers
-11.40. http_raw_request
+11.42. http_raw_request
--------------
HTTP message trailers
-11.41. http_raw_status
+11.43. http_raw_status
--------------
HTTP message trailers
-11.42. http_raw_trailer
+11.44. http_raw_trailer
--------------
HTTP response message body (must be combined with request)
-11.43. http_raw_uri
+11.45. http_raw_uri
--------------
URI only
-11.44. http_stat_code
+11.46. http_stat_code
--------------
HTTP message trailers
-11.45. http_stat_msg
+11.47. http_stat_msg
--------------
HTTP message trailers
-11.46. http_trailer
+11.48. http_trailer
--------------
message body (must be combined with request)
-11.47. http_true_ip
+11.49. http_true_ip
--------------
HTTP message trailers
-11.48. http_uri
+11.50. http_uri
--------------
only
-11.49. http_version
+11.51. http_version
--------------
HTTP message trailers
-11.50. icmp_id
+11.52. icmp_id
--------------
0:65535 }
-11.51. icmp_seq
+11.53. icmp_seq
--------------
given range { 0:65535 }
-11.52. icode
+11.54. icode
--------------
0:255 }
-11.53. id
+11.55. id
--------------
}
-11.54. ip_proto
+11.56. ip_proto
--------------
* string ip_proto.~proto: [!|>|<] name or number
-11.55. ipopts
+11.57. ipopts
--------------
lsrre|ssrr|satid|any }
-11.56. isdataat
+11.58. isdataat
--------------
buffer
-11.57. itype
+11.59. itype
--------------
0:255 }
-11.58. md5
+11.60. md5
--------------
of buffer
-11.59. metadata
+11.61. metadata
--------------
pairs
-11.60. modbus_data
+11.62. modbus_data
--------------
Usage: detect
-11.61. modbus_func
+11.63. modbus_func
--------------
* string modbus_func.~: function code to match
-11.62. modbus_unit
+11.64. modbus_unit
--------------
* int modbus_unit.~: Modbus unit ID { 0:255 }
-11.63. msg
+11.65. msg
--------------
* string msg.~: message describing rule
-11.64. mss
+11.66. mss
--------------
}
-11.65. pcre
+11.67. pcre
--------------
* string pcre.~re: Snort regular expression
-11.66. pkt_data
+11.68. pkt_data
--------------
Usage: detect
-11.67. pkt_num
+11.69. pkt_num
--------------
{ 1: }
-11.68. priority
+11.70. priority
--------------
1: }
-11.69. raw_data
+11.71. raw_data
--------------
Usage: detect
-11.70. reference
+11.72. reference
--------------
* string reference.~id: reference id
-11.71. regex
+11.73. regex
--------------
instead of start of buffer
-11.72. rem
+11.74. rem
--------------
* string rem.~: comment
-11.73. replace
+11.75. replace
--------------
* string replace.~: byte code to replace with
-11.74. rev
+11.76. rev
--------------
* int rev.~: revision { 1: }
-11.75. rpc
+11.77. rpc
--------------
* string rpc.~proc: procedure number or * for any
-11.76. sd_pattern
+11.78. sd_pattern
--------------
* sd_pattern.terminated: hyperscan terminated (sum)
-11.77. seq
+11.79. seq
--------------
range { 0: }
-11.78. service
+11.80. service
--------------
* string service.*: one or more comma-separated service names
-11.79. session
+11.81. session
--------------
* enum session.~mode: output format { printable|binary|all }
-11.80. sha256
+11.82. sha256
--------------
start of buffer
-11.81. sha512
+11.83. sha512
--------------
start of buffer
-11.82. sid
+11.84. sid
--------------
* int sid.~: signature id { 1: }
-11.83. sip_body
+11.85. sip_body
--------------
Usage: detect
-11.84. sip_header
+11.86. sip_header
--------------
Usage: detect
-11.85. sip_method
+11.87. sip_method
--------------
* string sip_method.*method: sip method
-11.86. sip_stat_code
+11.88. sip_stat_code
--------------
* int sip_stat_code.*code: stat code { 1:999 }
-11.87. so
+11.89. so
--------------
* string so.~func: name of eval function
-11.88. soid
+11.90. soid
--------------
like 3_45678_9
-11.89. ssl_state
+11.91. ssl_state
--------------
unknown
-11.90. ssl_version
+11.92. ssl_version
--------------
tls1.2
-11.91. stream_reassemble
+11.93. stream_reassemble
--------------
remainder of the session
-11.92. stream_size
+11.94. stream_size
--------------
direction(s) { either|to_server|to_client|both }
-11.93. tag
+11.95. tag
--------------
* int tag.bytes: tag for this many bytes { 1: }
-11.94. target
+11.96. target
--------------
dst_ip }
-11.95. tos
+11.97. tos
--------------
* interval tos.~range: check if IP TOS is in given range { 0:255 }
-11.96. ttl
+11.98. ttl
--------------
0:255 }
-11.97. urg
+11.99. urg
--------------
{ 0:65535 }
-11.98. window
+11.100. window
--------------
range { 0:65535 }
-11.99. wscale
+11.101. wscale
--------------
$packet <addr> <port> -> <addr> <port>
+$sof <i32:ingressZone> <i32:egressZone> <i32:ingressIntf> <i32:egressIntf> <s:srcIp> <i16:srcPort> <s:destIp> <i16:dstPort> <u32:opaque> <u64:initiatorPkts> <u64:responderPkts> <u64:initiatorPktsDropped> <u64:responderPktsDropped> <u64:initiatorBytesDropped> <u64:responderBytesDropped> <u8:isQosAppliedOnSrcIntf> <timeval:sof_timestamp> <timeval:eof_timestamp> <u16:vlan> <u16:address_space_id> <u8:protocol>
+$eof <i32:ingressZone> <i32:egressZone> <i32:ingressIntf> <i32:egressIntf> <s:srcIp> <i16:srcPort> <s:destIp> <i16:dstPort> <u32:opaque> <u64:initiatorPkts> <u64:responderPkts> <u64:initiatorPktsDropped> <u64:responderPktsDropped> <u64:initiatorBytesDropped> <u64:responderBytesDropped> <u8:isQosAppliedOnSrcIntf> <timeval:sof_timestamp> <timeval:eof_timestamp> <u16:vlan> <u16:address_space_id> <u8:protocol>
+
Client and server are determined as follows. $packet → client
indicates to the client (from server) and $packet → server indicates
a packet to the server (from client). $packet followed by a 4-tuple
-uses the heuristic that the client is the side with the lower port
+uses the heuristic that the client is the side with the greater port
number.
The default client and server are 192.168.1.1 12345 and 10.1.2.3 80
next command or a blank line. Data after a blank line will start
another packet with the same tuple as the prior one.
+$sof and $eof commands generate Start of Flow and End of Flow
+metapackets respectively. They are followed by a definition of a
+Flow_Stats_t data structure which will be fed into Snort via the
+metadata callback.
+
Strings may contain the following escape sequences:
\r = 0x0D = carriage return
--------------
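Review bot: in the new `$sof` and `$eof` field lists, `<i16:srcPort>` and `<i16:dstPort>` declare ports as signed 16-bit, which cannot represent ports 32768 to 65535; either they should be u16 like `<u16:vlan>`, or the text should say the value is cast. The field names are also inconsistent (`destIp` beside `dstPort`). The heuristic correction from "lower port" to "greater port" is right and now agrees with the default tuple (client 192.168.1.1 12345, server 10.1.2.3 80). The added paragraph says only that the definition "will be fed into Snort via the metadata callback"; one example `$sof` line with the 21 values filled in would spare the reader counting fields in that very long format line.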
- * --alert-before-pass process alert, drop, sdrop, or reject before
- pass; default is pass before alert, drop,…
+ * -? <option prefix> output matching command line option quick help
+ (same as --help-options) (optional)
* -A <mode> set alert mode: none, cmg, or alert_*
* -B <mask> obfuscated IP addresses in alerts and packet dumps
using CIDR mask
+ * -C print out payloads with character data only (no hex)
+ * -c <conf> use this configuration
+ * -D run Snort in background (daemon) mode
+ * -d dump the Application Layer
+ * -e display the second layer header info
+ * -f turn off fflush() calls after binary log writes
+ * -G <0xid> (same as --logid) (0:65535)
+ * -g <gname> run snort gid as <gname> group (or gid) after
+ initialization
+ * -H make hash tables deterministic
+ * -i <iface>… list of interfaces
+ * -j <port> to listen for Telnet connections
+ * -k <mode> checksum mode; default is all (all|noip|notcp|noudp|
+ noicmp|none)
+ * -L <mode> logging mode (none, dump, pcap, or log_*)
+ * -l <logdir> log to this directory instead of current directory
+ * -M log messages to syslog (not alerts)
+ * -m <umask> set umask = <umask> (0:)
+ * -n <count> stop after count packets (0:)
+ * -O obfuscate the logged IP addresses
+ * -Q enable inline mode operation
+ * -q quiet mode - Don’t show banner and status report
+ * -R <rules> include this rules file in the default policy
+ * -r <pcap>… (same as --pcap-list)
+ * -S <x=v> set config variable x equal to value v
+ * -s <snap> (same as --snaplen); default is 1514 (68:65535)
+ * -T test and report on the current Snort configuration
+ * -t <dir> chroots process to <dir> after initialization
+ * -U use UTC for timestamps
+ * -u <uname> run snort as <uname> or <uid> after initialization
+ * -V (same as --version)
+ * -v be verbose
+ * -W lists available interfaces
+ * -X dump the raw packet data starting at the link layer
+ * -x same as --pedantic
+ * -y include year in timestamp in the alert and log files
+ * -z <count> maximum number of packet threads (same as
+ --max-packet-threads); 0 gets the number of CPU cores reported by
+ the system; default is 1 (0:)
+ * --alert-before-pass process alert, drop, sdrop, or reject before
+ pass; default is pass before alert, drop,…
* --bpf <filter options> are standard BPF options, as seen in
TCPDump
* --c2x output hex for given char (see also --x2c)
- * --catch-test comma separated list of cat unit test tags or all
- * -c <conf> use this configuration
* --control-socket <file> to create unix socket
- * -C print out payloads with character data only (no hex)
* --create-pidfile create PID file, even when not in Daemon mode
+ * --daq <type> select packet acquisition module (default is pcap)
* --daq-dir <dir> tell snort where to find desired DAQ
* --daq-list list packet acquisition modules available in optional
dir, default is static modules only
- * --daq <type> select packet acquisition module (default is pcap)
* --daq-var <name=value> specify extra DAQ configuration variable
- * -d dump the Application Layer
* --dirty-pig don’t flush packets on shutdown
- * -D run Snort in background (daemon) mode
* --dump-builtin-rules [<module prefix>] output stub rules for
selected modules (optional)
- * --dump-defaults [<module prefix>] output module defaults in Lua
- format (optional)
* --dump-dynamic-rules output stub rules for all loaded rules
libraries
+ * --dump-defaults [<module prefix>] output module defaults in Lua
+ format (optional)
* --dump-version output the version, the whole version, and only
the version
- * -e display the second layer header info
* --enable-inline-test enable Inline-Test Mode Operation
- * -f turn off fflush() calls after binary log writes
- * -G <0xid> (same as --logid) (0:65535)
* --gen-msg-map dump builtin rules in gen-msg.map format for use by
other tools
- * -g <gname> run snort gid as <gname> group (or gid) after
- initialization
+ * --help list command line options
* --help-commands [<module prefix>] output matching commands
(optional)
* --help-config [<module prefix>] output matching config options
(optional)
* --help-counts [<module prefix>] output matching peg counts
(optional)
- * --help list command line options
* --help-module <module> output description of given module
* --help-modules list all available modules with brief help
* --help-options [<option prefix>] output matching command line
option quick help (same as -?) (optional)
* --help-plugins list all available plugins with brief help
* --help-signals dump available control signals
- * -H make hash tables deterministic
* --id-offset offset to add to instance IDs when logging to files
(0:65535)
* --id-subdir create/use instance subdirectories in logdir instead
of instance filename prefix
* --id-zero use id prefix / subdirectory even with one packet
thread
- * -i <iface>… list of interfaces
- * -j <port> to listen for Telnet connections
- * -k <mode> checksum mode; default is all (all|noip|notcp|noudp|
- noicmp|none)
* --list-buffers output available inspection buffers
* --list-builtin [<module prefix>] output matching builtin rules
(optional)
* --list-modules [<module type>] list all known modules of given
type (optional)
* --list-plugins list all known plugins
- * -l <logdir> log to this directory instead of current directory
- * -L <mode> logging mode (none, dump, pcap, or log_*)
+ * --lua <chunk> extend/override conf with chunk; may be repeated
* --logid <0xid> log Identifier to uniquely id events for multiple
snorts (same as -G) (0:65535)
- * --lua <chunk> extend/override conf with chunk; may be repeated
* --markup output help in asciidoc compatible format
* --max-packet-threads <count> configure maximum number of packet
threads (same as -z) (0:)
* --mem-check like -T but also compile search engines
- * -M log messages to syslog (not alerts)
- * -m <umask> set umask = <umask> (0:)
- * -n <count> stop after count packets (0:)
- * --nolock-pidfile do not try to lock Snort PID file
* --nostamps don’t include timestamps in log file names
- * -O obfuscate the logged IP addresses
- * -? <option prefix> output matching command line option quick help
- (same as --help-options) (optional)
- * --parsing-follows-files parse relative paths from the perspective
- of the current configuration file
+ * --nolock-pidfile do not try to lock Snort PID file
* --pause wait for resume/quit command before processing packets/
terminating
- * --pcap-dir <dir> a directory to recurse to look for pcaps - read
- mode is implied
+ * --parsing-follows-files parse relative paths from the perspective
+ of the current configuration file
* --pcap-file <file> file that contains a list of pcaps to read -
read mode is implied
- * --pcap-filter <filter> filter to apply when getting pcaps from
- file or directory
* --pcap-list <list> a space separated list of pcaps to read - read
mode is implied
+ * --pcap-dir <dir> a directory to recurse to look for pcaps - read
+ mode is implied
+ * --pcap-filter <filter> filter to apply when getting pcaps from
+ file or directory
* --pcap-loop <count> read all pcaps <count> times; 0 will read
until Snort is terminated (-1:)
* --pcap-no-filter reset to use no filter when getting pcaps from
between pcaps
* --pcap-show print a line saying what pcap is currently being read
* --pedantic warnings are fatal
- * --piglet enable piglet test harness mode
* --plugin-path <path> where to find plugins
* --process-all-events process all action groups
- * -Q enable inline mode operation
- * -q quiet mode - Don’t show banner and status report
- * -r <pcap>… (same as --pcap-list)
- * -R <rules> include this rules file in the default policy
* --rule <rules> to be added to configuration; may be repeated
* --rule-to-hex output so rule header to stdout for text rule on
stdin
* --rule-to-text output plain so rule header to stdout for text
- rule on stdin
+ rule on stdin (16)
* --run-prefix <pfx> prepend this to each output file
* --script-path <path> to a luajit script or directory containing
luajit scripts
* --shell enable the interactive command line
+ * --piglet enable piglet test harness mode
* --show-plugins list module and plugin versions
* --skip <n> skip 1st n packets (0:)
* --snaplen <snap> set snaplen of packet (same as -s) (68:65535)
- * -s <snap> (same as --snaplen); default is 1514 (68:65535)
* --stdin-rules read rules from stdin until EOF or a line starting
with END is read
- * -S <x=v> set config variable x equal to value v
- * -t <dir> chroots process to <dir> after initialization
* --treat-drop-as-alert converts drop, sdrop, and reject rules into
alert rules during startup
* --treat-drop-as-ignore use drop, sdrop, and reject rules to
ignore session traffic when not inline
- * -T test and report on the current Snort configuration
- * -u <uname> run snort as <uname> or <uid> after initialization
- * -U use UTC for timestamps
- * -v be verbose
+ * --catch-test comma separated list of cat unit test tags or all
* --version show version number (same as -V)
- * -V (same as --version)
* --warn-all enable all warnings
* --warn-conf warn about configuration issues
* --warn-daq warn about DAQ issues, usually related to mode
scripts
* --warn-symbols warn about unknown symbols in your Lua config
* --warn-vars warn about variable definition and usage issues
- * -W lists available interfaces
* --x2c output ASCII char for given hex (see also --c2x)
* --x2s output ASCII string for given byte code (see also --x2c)
- * -X dump the raw packet data starting at the link layer
- * -x same as --pedantic
- * -y include year in timestamp in the alert and log files
- * -z <count> maximum number of packet threads (same as
- --max-packet-threads); 0 gets the number of CPU cores reported by
- the system; default is 1 (0:)
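Review bot: the reordered long options no longer sort alphabetically: `--dump-defaults` now lands after `--dump-dynamic-rules`, `--lua` before `--logid`, `--nolock-pidfile` after `--nostamps`, `--parsing-follows-files` after `--pause`, `--pcap-dir` and `--pcap-filter` after `--pcap-list`, `--piglet` after `--shell`, and `--catch-test` between `--treat-drop-as-ignore` and `--version`. Moving the short options (`-?` through `-z`) ahead of the long ones is consistent, but since this list is what `--help-options` prints, either sort the long options once more or state the grouping rule if the new placement is deliberate. The one wording change in the hunk, `* --rule-to-text output plain so rule header to stdout for text rule on stdin (16)`, appends a bare `(16)` with no explanation; the quick help should name the argument the option now takes and say what 16 limits.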
20.4. Configuration
* implied byte_jump.oct: convert from octal string
* string byte_jump.~offset: variable name or number of bytes into
the buffer to start processing
- * int byte_jump.post_offset = 0: also skip forward or backwards
- (positive of negative value) this number of bytes { -65535:65535
- }
+ * string byte_jump.post_offset: skip forward or backward (positive
+ or negative value) by variable name or number of bytes after the
+ other jump options have been applied
* implied byte_jump.relative: offset from cursor instead of start
of buffer
* implied byte_jump.string: convert from string
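Review bot: the rewritten `byte_jump.post_offset` entry drops both the `{ -65535:65535 }` range and the `= 0` default that the old `int` entry carried. If a numeric value is still bounded and still defaults to 0 when omitted, keep that in the entry, in the same form as `string byte_jump.~offset: variable name or number of bytes into the buffer`; if the bound no longer applies now that the parameter is a string, say so explicitly so rule writers know what a numeric post_offset may be.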
(same as -O)
* bool output.obfuscate_pii = false: mask all but the last 4
characters of credit card and social security numbers
+ * enum output.packet_trace_output = console: select where to send
+ packet trace { console | file }
* bool output.quiet = false: suppress non-fatal information (still
show alerts, same as -q)
* bool output.show_year = false: include year in timestamp in the
repeated
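Review bot: the new `enum output.packet_trace_output = console: select where to send packet trace { console | file }` entry offers a `file` target but does not say which file is written or where it is placed (log directory, naming). Add that to the description or cross-reference the option that controls it.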
* implied snort.--rule-to-hex: output so rule header to stdout for
text rule on stdin
- * implied snort.--rule-to-text: output plain so rule header to
- stdout for text rule on stdin
+ * string snort.--rule-to-text = [SnortFoo]: output plain so rule
+ header to stdout for text rule on stdin { 16 }
* string snort.--run-prefix: <pfx> prepend this to each output file
* int snort.-s = 1514: <snap> (same as --snaplen); default is 1514
{ 68:65535 }
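Review bot: `snort.--rule-to-text` changes from an implied (no-argument) option to a `string` with default `[SnortFoo]` and constraint `{ 16 }`. The default reads like a test placeholder, so confirm it is the intended value, and state what `{ 16 }` bounds, because elsewhere in this list braces denote a numeric range (for example `{ 68:65535 }` on `snort.-s`) rather than a length. The description should also say what the string is used for in the output so the option is usable without reading the source.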
* host_tracker.service_adds: host service adds (sum)
* host_tracker.service_finds: host service finds (sum)
* host_tracker.service_removes: host service removes (sum)
+ * http2_inspect.concurrent_sessions: total concurrent HTTP/2
+ sessions (now)
+ * http2_inspect.flows: HTTP connections inspected (sum)
+ * http2_inspect.max_concurrent_sessions: maximum concurrent HTTP/2
+ sessions (max)
* http_inspect.chunked: chunked message bodies (sum)
* http_inspect.concurrent_sessions: total concurrent http sessions
(now)
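Review bot: `http2_inspect.flows: HTTP connections inspected (sum)` should read HTTP/2 connections, matching its two siblings `http2_inspect.concurrent_sessions` and `http2_inspect.max_concurrent_sessions`, which both say HTTP/2; as written the peg is easily confused with the `http_inspect` counters when both inspectors are loaded.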
* 143: gtp_inspect
* 144: modbus
* 145: dnp3
+ * 219: http2_inspect
* 256: dpx
* 119:63 (http_inspect) unrecognized type of percent encoding in
URI
* 119:64 (http_inspect) HTTP chunk misformatted
- * 119:65 (http_inspect) white space following chunk length
+ * 119:65 (http_inspect) white space adjacent to chunk length
* 119:66 (http_inspect) white space within header name
* 119:67 (http_inspect) excessive gzip compression
* 119:68 (http_inspect) gzip decompression failed
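Review bot: changing the 119:65 message from `white space following chunk length` to `white space adjacent to chunk length` reads as a widening of what the rule covers (leading as well as trailing white space). If the detection itself changed, that belongs wherever the rule's behaviour is described; if only the text changed, anyone matching alerts on the old msg string has to update, so call the rename out in the change notes.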
--------------
- * packet_capture.disable(): stop packet dump
* packet_capture.enable(filter): dump raw packets
+ * packet_capture.disable(): stop packet dump
+ * snort.show_plugins(): show available plugins
* snort.delete_inspector(inspector): delete an inspector from the
default policy
- * snort.detach(): exit shell w/o shutdown
* snort.dump_stats(): show summary statistics
- * snort.help(): this output
- * snort.pause(): suspend packet processing
- * snort.quit(): shutdown and dump-stats
+ * snort.rotate_stats(): roll perfmonitor log files
* snort.reload_config(filename): load new configuration
- * snort.reload_daq(): reload daq module
- * snort.reload_hosts(filename): load a new hosts table
* snort.reload_policy(filename): reload part or all of the default
policy
+ * snort.reload_daq(): reload daq module
+ * snort.reload_hosts(filename): load a new hosts table
+ * snort.pause(): suspend packet processing
* snort.resume(): continue packet processing
- * snort.rotate_stats(): roll perfmonitor log files
- * snort.show_plugins(): show available plugins
+ * snort.detach(): exit shell w/o shutdown
+ * snort.quit(): shutdown and dump-stats
+ * snort.help(): this output
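Review bot: the shell command list moves away from the alphabetical order the other module lists in this document use, apparently toward functional grouping (`packet_capture.enable` then `disable`, the `reload_*` commands together, `pause` then `resume`, and `detach`/`quit`/`help` last), yet `snort.show_plugins()` now sits between `packet_capture.disable()` and `snort.delete_inspector()`, and `snort.rotate_stats()` is placed between `snort.dump_stats()` and `snort.reload_config()`. If the grouping is intentional, add a sentence saying the list follows `snort.help()` output order or mark the groups; otherwise restore sorting.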
20.9. Signals
Signal numbers are for the system that generated this documentation
and are not applicable elsewhere.
- * hosts(23): reload hosts file
+ * term(15): shutdown normally
* int(2): shutdown normally
* quit(3): shutdown as if started with --dirty-pig
- * reload(1): reload config file
- * rotate(12): rotate stats files
* stats(10): dump stats to stdout
- * term(15): shutdown normally
+ * rotate(12): rotate stats files
+ * reload(1): reload config file
+ * hosts(23): reload hosts file
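Review bot: the signal list is reordered neither by name nor by number (term(15), int(2), quit(3), stats(10), rotate(12), reload(1), hosts(23)). Given the preceding sentence that the numbers are specific to the system that generated the documentation, sorting by name is the stable choice; if the new order mirrors `--help-signals` output, say so.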
20.10. Configuration Changes
* host_cache (basic): configure hosts
* host_tracker (basic): configure hosts
* hosts (basic): configure hosts
+ * http2_frame_data (ips_option): rule option to see HTTP/2 frame
+ body
+ * http2_frame_header (ips_option): rule option to see 9-octet HTTP/
+ 2 frame header
+ * http2_inspect (inspector): HTTP/2 inspector
* http_client_body (ips_option): rule option to set the detection
cursor to the request body
* http_cookie (ips_option): rule option to set the detection cursor
* inspector::ftp_data: FTP data channel handler
* inspector::ftp_server: FTP inspector server module
* inspector::gtp_inspect: gtp control channel inspection
+ * inspector::http2_inspect: the HTTP/2 inspector
* inspector::http_inspect: the new HTTP inspector!
* inspector::imap: imap inspection
* inspector::modbus: modbus inspection
* ips_option::gtp_info: rule option to check gtp info element
* ips_option::gtp_type: rule option to check gtp types
* ips_option::gtp_version: rule option to check GTP version
+ * ips_option::http2_frame_data: rule option to see HTTP/2 frame
+ body
+ * ips_option::http2_frame_header: rule option to see 9-octet HTTP/2
+ frame header
* ips_option::http_client_body: rule option to set the detection
cursor to the request body
* ips_option::http_cookie: rule option to set the detection cursor