set (VERSION_MAJOR 3)
set (VERSION_MINOR 5)
-set (VERSION_PATCH 0)
+set (VERSION_PATCH 1)
set (VERSION_SUBLEVEL 0)
set (VERSION "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}.${VERSION_SUBLEVEL}")
+2024-11-06: 3.5.1.0
+
+* appid: add new api to check if service is over quic
+* appid: add tls_version capture in appid_session
+* appid: implement an API that allows users to specify values for data items used in lua detectors
+* appid: unit-test added for is_service_over_quic
+* doc: add details regarding RTN evaluation
+* flow: new allowlist LRU
+* http2_inspect: handle multiple cookie header fields
+* js_norm: add cross-PDU PDF token reassembly
+* side_channel: fix compiler warning in side channel formatting test
+* smtp: fixing the processing of SMTP response in case of encrypted traffic
+* stream: add thread instance number to dump_flows control command output
+* stream_tcp: pass tracker and seglist to TcpReassembler\* as refs, define dummy tracker & seglist for use by TcpReassemblerIgnore
+* stream_tcp: when queue limit thresholds are exceeded in IDS mode on asymmetric connections only skip a hole at the beginning of the seglist before flushing
+
2024-10-20: 3.5.0.0
* connectors: fix tsan warning in tcp connector
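Review bot: the 3.5.1.0 entries omit two user-visible changes that the manual hunks in this same patch document: stream_tcp.asymmetric_ids_flush_threshold (default 65535) is removed and replaced by stream_tcp.queue_limit.asymmetric_ids_flush_threshold with a new default of 3145728, and js_data is dropped from the list of non-overlapping buffers. A configuration that still sets the old key will no longer be recognized under the new name, so the rename and the default change deserve their own ChangeLog line next to the existing stream_tcp entry, e.g. "* stream_tcp: move asymmetric_ids_flush_threshold under queue_limit and raise default to 3145728".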
The Snort Team
Revision History
-Revision 3.5.0.0 2024-10-20 23:28:19 EDT TST
+Revision 3.5.1.0 2024-11-06 12:04:16 EST TST
---------------------------------------------------------------------
being eligible for pruning { 1:max32 }
* int stream.require_3whs = -1: don’t track midstream TCP sessions
after given seconds from start up; -1 tracks all { -1:max31 }
+ * bool stream.allowlist_cache.enable = false: enable allowlist
+ cache
* int stream.ip_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 }
* int stream.icmp_cache.idle_timeout = 180: maximum inactive time
memcap (sum)
* stream.pdu_memcap_prunes: number of PDU flows pruned due to
memcap (sum)
+ * stream.allowlist_memcap_prunes: number of allowlist flows pruned
+ due to memcap (sum)
+ * stream.allowlist_flows: number of flows moved to the allow list
+ (now)
* stream.current_flows: current number of flows in cache (now)
* stream.uni_flows: number of uni flows in cache (now)
* stream.uni_ip_flows: number of uni ip flows in cache (now)
* int stream_tcp.queue_limit.max_segments = 3072: don’t queue more
than given segments per session and direction, 0 = unlimited {
0:max32 }
+ * int stream_tcp.queue_limit.asymmetric_ids_flush_threshold =
+ 3145728: max bytes queued on asymmetric flow before flush in IDS
+ mode { 1:max31 }
* int stream_tcp.small_segments.count = 0: number of consecutive
(in the received order) TCP small segments considered to be
excessive (129:12) { 0:2048 }
timeout { 1:max31 }
* int stream_tcp.idle_timeout = 3600: session deletion on idle {
1:max31 }
- * int stream_tcp.asymmetric_ids_flush_threshold = 65535: max bytes
- queued on asymmetric flow before flush in IDS mode { 1:max31 }
Rules:
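Review bot: the new stream.allowlist_memcap_prunes peg ("number of allowlist flows pruned due to memcap") implies the allowlist cache is bounded by a memcap, yet the only option documented for the cache here is stream.allowlist_cache.enable. If the allowlist cache has its own memcap setting, it should be listed beside enable so operators know what limits the LRU; if it is charged against the existing stream memcap, say so in the peg description. Minor: the peg text says "moved to the allow list" while the option and the other peg spell it "allowlist"; pick one spelling.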
* implied ssl_version.!tls1.2: check for records that are not
tls1.2
* implied ssl_version.tls1.2: check for tls1.2
+ * bool stream.allowlist_cache.enable = false: enable allowlist
+ cache
* int stream.file_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 }
* bool stream_file.upload = false: indicate file transfer direction
direction(s) { either|to_server|to_client|both }
* interval stream_size.~range: check if the stream size is in the
given range { 0: }
- * int stream_tcp.asymmetric_ids_flush_threshold = 65535: max bytes
- queued on asymmetric flow before flush in IDS mode { 1:max31 }
* int stream.tcp_cache.idle_timeout = 3600: maximum inactive time
before retiring session tracker { 1:max32 }
* int stream_tcp.embryonic_timeout = 30: Non-established connection
characteristics like reassembly { first | last | linux |
old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 |
windows | win_2003 | vista | proxy | asymmetric }
+ * int stream_tcp.queue_limit.asymmetric_ids_flush_threshold =
+ 3145728: max bytes queued on asymmetric flow before flush in IDS
+ mode { 1:max31 }
* int stream_tcp.queue_limit.max_bytes = 4194304: don’t queue more
than given bytes per session and direction, 0 = unlimited {
0:max32 }
* ssl.server_key_exchange: total server key exchanges (sum)
* ssl.sessions_ignored: total sessions ignore (sum)
* ssl.unrecognized_records: total unrecognized records (sum)
+ * stream.allowlist_flows: number of flows moved to the allow list
+ (now)
+ * stream.allowlist_memcap_prunes: number of allowlist flows pruned
+ due to memcap (sum)
* stream.current_flows: current number of flows in cache (now)
* stream.excess_prunes: sessions pruned due to excess (sum)
* stream.expected_flows: total expected flows created within snort
The Snort Team
Revision History
-Revision 3.5.0.0 2024-10-20 23:28:54 EDT TST
+Revision 3.5.1.0 2024-11-06 12:04:56 EST TST
---------------------------------------------------------------------
The Snort Team
Revision History
-Revision 3.5.0.0 2024-10-20 23:28:30 EDT TST
+Revision 3.5.1.0 2024-11-06 12:04:30 EST TST
---------------------------------------------------------------------
significantly more memory, use ac_full. For best performance and
reasonable memory, download the hyperscan source from Intel.
+Rule group summary is printed at start up under "port rule counts"
+and "service rule counts" sections.
+
2.7.2. Fast Patterns
Fast patterns are content strings that have the fast_pattern option
patterns are so important. Rule evaluation aborts on the first
non-matching option.
+For a port-based rule, all components of the rule header have to
+match before the rule fires. For a service-based rule, evaluation of
+the header is skipped. A rule becomes service-based in the following
+cases:
+
+ * "service" IPS option is present in the rule body
+ * a service specific IPS option is present (like http_param,
+ file_data, dnp3_data)
+ * a service protocol is defined in the rule header
+
+Examples:
+
+# Port group - protocol and ports are evaluated in any case
+alert tcp any 90 -> any 5321 (msg: "Port group rule";)
+
+# "any" port group - protocol and ports are evaluated in any case
+alert tcp (msg: "Port group rule with default header";)
+
+# "service" option puts the rule to SMTP group and port group.
+# If the SMTP service is assigned on flow, "tcp" proto and port "90" have no effect.
+# In other case, header is evaluated - since matched as a part of port group
+alert tcp any 90 -> any any (service: smtp; msg: "SMTP and port group";)
+
+# DNP3 service is detected automatically, DNP3 group only.
+# In a fact, "tcp" proto and port "90" has no effect at all.
+alert tcp any 90 -> any any (dnp3_data; msg: "DNP3 group";)
+
+# Service protocol in the header puts the rule to DNP3 group.
+# In a fact, "tcp" proto and port "90" has no effect at all.
+alert dnp3 any 90 -> any any (msg: "DNP3 group";)
+
+Note that detection module can extend a rule with more services. For
+details, check detection.service_extension option.
+
+In case you need to match the service-based rule with regard to
+specific protocol, take a look at IPS option "ip_proto" - it
+guarantees that specified protocol is used.
+
+Example when such explicit check is required:
+
+# Since the rule is added to both "any" port-group and "igmp" service group,
+# to decrease false-positive due to "any" port-group, ip_proto:2 is used.
+alert ip ( ip_proto:2; content:"foo"; service:igmp; )
+
When rule evaluation takes place, the fast pattern match will
automatically be skipped if possible. Note that this differs from
Snort 2 which provided the fast_pattern:only option to designate such
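Review bot: the sentence "For a service-based rule, evaluation of the header is skipped" is contradicted a few lines later by the SMTP example, whose comment says that when the service is not assigned on the flow the header is still evaluated because the rule also sits in the port group. The accurate statement is that the header is not evaluated when the rule is selected through its service group; a rule that also carries explicit ports remains in the port group and has its header checked there. Reword the paragraph that way, and while here fix the comment grammar: "are evaluated in any case" reads better as "are always evaluated", "In other case" as "Otherwise", and "In a fact, "tcp" proto and port "90" has no effect" as "In fact, the "tcp" proto and port "90" have no effect" (twice). "detection module can extend" needs "the", and "take a look at IPS option "ip_proto" - it guarantees" is clearer as "use the ip_proto IPS option, which guarantees".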
1. pkt_data — as a sequence of TCP session bytes with respect to
their direction (client-to-server, server-to-client)
- 2. js_data — normalized JavaScript text from the same data transfer
- session
- 3. file_data — the same file bytes, e.g. flows from different files
+ 2. file_data — the same file bytes, e.g. flows from different files
do not overlap
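Review bot: js_data is removed from the list of buffers that do not overlap and the remaining item is renumbered, but nothing in the patch explains why. If this follows from the js_norm cross-PDU PDF token reassembly entry in the ChangeLog (normalized JavaScript no longer being confined to a single data transfer session), state that in the commit or ChangeLog so readers of the manual know js_data may now span PDUs; otherwise this looks like an accidental deletion.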