The Snort Team
Revision History
-Revision 3.1.32.0 2022-06-15 10:02:53 EDT TST
+Revision 3.1.33.0 2022-06-30 07:50:31 EDT TST
---------------------------------------------------------------------
7.34. enip_req
7.35. enip_rsp
7.36. file_data
- 7.37. file_type
- 7.38. flags
- 7.39. flow
- 7.40. flowbits
- 7.41. fragbits
- 7.42. fragoffset
- 7.43. gid
- 7.44. gtp_info
- 7.45. gtp_type
- 7.46. gtp_version
- 7.47. http_client_body
- 7.48. http_cookie
- 7.49. http_header
- 7.50. http_header_test
- 7.51. http_method
- 7.52. http_num_headers
- 7.53. http_num_trailers
- 7.54. http_param
- 7.55. http_raw_body
- 7.56. http_raw_cookie
- 7.57. http_raw_header
- 7.58. http_raw_request
- 7.59. http_raw_status
- 7.60. http_raw_trailer
- 7.61. http_raw_uri
- 7.62. http_stat_code
- 7.63. http_stat_msg
- 7.64. http_trailer
- 7.65. http_trailer_test
- 7.66. http_true_ip
- 7.67. http_uri
- 7.68. http_version
- 7.69. http_version_match
- 7.70. icmp_id
- 7.71. icmp_seq
- 7.72. icode
- 7.73. id
- 7.74. iec104_apci_type
- 7.75. iec104_asdu_func
- 7.76. ip_proto
- 7.77. ipopts
- 7.78. isdataat
- 7.79. itype
- 7.80. js_data
- 7.81. md5
- 7.82. metadata
- 7.83. mms_data
- 7.84. mms_func
- 7.85. modbus_data
- 7.86. modbus_func
- 7.87. modbus_unit
- 7.88. msg
- 7.89. mss
- 7.90. pcre
- 7.91. pkt_data
- 7.92. pkt_num
- 7.93. priority
- 7.94. raw_data
- 7.95. reference
- 7.96. regex
- 7.97. rem
- 7.98. replace
- 7.99. rev
- 7.100. rpc
- 7.101. s7commplus_content
- 7.102. s7commplus_func
- 7.103. s7commplus_opcode
- 7.104. sd_pattern
- 7.105. seq
- 7.106. service
- 7.107. sha256
- 7.108. sha512
- 7.109. sid
- 7.110. sip_body
- 7.111. sip_header
- 7.112. sip_method
- 7.113. sip_stat_code
- 7.114. so
- 7.115. soid
- 7.116. ssl_state
- 7.117. ssl_version
- 7.118. stream_reassemble
- 7.119. stream_size
- 7.120. tag
- 7.121. target
- 7.122. tos
- 7.123. ttl
- 7.124. urg
- 7.125. vba_data
- 7.126. window
- 7.127. wscale
+ 7.37. file_meta
+ 7.38. file_type
+ 7.39. flags
+ 7.40. flow
+ 7.41. flowbits
+ 7.42. fragbits
+ 7.43. fragoffset
+ 7.44. gid
+ 7.45. gtp_info
+ 7.46. gtp_type
+ 7.47. gtp_version
+ 7.48. http_client_body
+ 7.49. http_cookie
+ 7.50. http_header
+ 7.51. http_header_test
+ 7.52. http_method
+ 7.53. http_num_headers
+ 7.54. http_num_trailers
+ 7.55. http_param
+ 7.56. http_raw_body
+ 7.57. http_raw_cookie
+ 7.58. http_raw_header
+ 7.59. http_raw_request
+ 7.60. http_raw_status
+ 7.61. http_raw_trailer
+ 7.62. http_raw_uri
+ 7.63. http_stat_code
+ 7.64. http_stat_msg
+ 7.65. http_trailer
+ 7.66. http_trailer_test
+ 7.67. http_true_ip
+ 7.68. http_uri
+ 7.69. http_version
+ 7.70. http_version_match
+ 7.71. icmp_id
+ 7.72. icmp_seq
+ 7.73. icode
+ 7.74. id
+ 7.75. iec104_apci_type
+ 7.76. iec104_asdu_func
+ 7.77. ip_proto
+ 7.78. ipopts
+ 7.79. isdataat
+ 7.80. itype
+ 7.81. js_data
+ 7.82. md5
+ 7.83. metadata
+ 7.84. mms_data
+ 7.85. mms_func
+ 7.86. modbus_data
+ 7.87. modbus_func
+ 7.88. modbus_unit
+ 7.89. msg
+ 7.90. mss
+ 7.91. pcre
+ 7.92. pkt_data
+ 7.93. pkt_num
+ 7.94. priority
+ 7.95. raw_data
+ 7.96. reference
+ 7.97. regex
+ 7.98. rem
+ 7.99. replace
+ 7.100. rev
+ 7.101. rpc
+ 7.102. s7commplus_content
+ 7.103. s7commplus_func
+ 7.104. s7commplus_opcode
+ 7.105. sd_pattern
+ 7.106. seq
+ 7.107. service
+ 7.108. sha256
+ 7.109. sha512
+ 7.110. sid
+ 7.111. sip_body
+ 7.112. sip_header
+ 7.113. sip_method
+ 7.114. sip_stat_code
+ 7.115. so
+ 7.116. soid
+ 7.117. ssl_state
+ 7.118. ssl_version
+ 7.119. stream_reassemble
+ 7.120. stream_size
+ 7.121. tag
+ 7.122. target
+ 7.123. tos
+ 7.124. ttl
+ 7.125. urg
+ 7.126. vba_data
+ 7.127. window
+ 7.128. wscale
8. Search Engine Modules
9. SO Rule Modules
tripping { 0:max32 }
* int rate_filter[].seconds = 1: count interval { 0:max32 }
* dynamic rate_filter[].new_action = alert: take this action on
- future hits until timeout { alert | block | drop | log | pass |
- react | reject | rewrite }
+ future hits until timeout { alert | block | drop | file_id | log
+ | pass | react | reject | rewrite }
* int rate_filter[].timeout = 1: count interval { 0:max32 }
* string rate_filter[].apply_to: restrict filter to these addresses
according to track
able to be concurrently processed per flow { 1:max53 }
* int file_id.show_data_depth = 100: print this many octets {
0:max53 }
- * int file_id.file_rules[].rev = 0: rule revision { 0:max32 }
- * string file_id.file_rules[].msg: information about the file type
- * string file_id.file_rules[].type: file type name
- * int file_id.file_rules[].id = 0: file type id { 0:max32 }
- * string file_id.file_rules[].category: file type category
- * string file_id.file_rules[].group: comma separated list of groups
- associated with file type
- * string file_id.file_rules[].version: file type version
- * string file_id.file_rules[].magic[].content: file magic content
- * int file_id.file_rules[].magic[].offset = 0: file magic offset {
- 0:max32 }
+ * string file_id.rules_file: name of file with IPS rules for file
+ identification
* bool file_id.trace_type = false: enable runtime dump of type info
* bool file_id.trace_signature = false: enable runtime dump of
signature info
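Review bot: removing the whole file_id.file_rules[] table (rev, msg, type, id, category, group, version, magic[].content, magic[].offset) in favour of a single file_id.rules_file string is a breaking configuration change, and the hunk gives no migration hint. Any existing snort.lua that populates file_id.file_rules will fail to load against this release; suggest a sentence after the rules_file entry along the lines of "file type definitions formerly given inline under file_rules are now written as IPS rules carrying the file_meta option". Also note the range change: the old file_rules[].id accepted { 0:max32 }, while the replacement file_meta.id added later in this diff is limited to { 1:1023 }, so ids of 0 or above 1023 have to be renumbered when migrating.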
body not expected
* 121:38 (http2_inspect) HTTP/2 non-Data frame longer than 63780
bytes
+ * 121:39 (http2_inspect) not HTTP/2 traffic or unrecoverable HTTP/2
+ protocol error
Peg counts:
* 119:222 (http_inspect) Transfer-Encoding not ending with chunked
* 119:223 (http_inspect) Transfer-Encoding with encodings before
chunked
- * 119:224 (http_inspect) misformatted HTTP traffic
* 119:225 (http_inspect) unsupported Content-Encoding used
* 119:226 (http_inspect) unknown Content-Encoding used
* 119:227 (http_inspect) multiple Content-Encodings applied
* 119:277 (http_inspect) HTTP version in start line is higher than
1
* 119:278 (http_inspect) HTTP gzip body with the FEXTRA flag set
+ * 119:279 (http_inspect) invalid status line
+ * 119:280 (http_inspect) HTTP message headers longer than 63780
+ bytes
+ * 119:281 (http_inspect) invalid request line
+ * 119:282 (http_inspect) too many white space characters when start
+ line is expected
+ * 119:283 (http_inspect) HTTP message status line longer than 63780
+ bytes
+ * 119:284 (http_inspect) partial start line
+ * 119:285 (http_inspect) HTTP message request line longer than
+ 63780 bytes
+ * 119:286 (http_inspect) HTTP/2 preface received instead of an HTTP
+ /1 method
Peg counts:
Configuration:
* string wizard.hexes[].service: name of service
- * select wizard.hexes[].proto = tcp: protocol to scan { tcp | udp }
+ * select wizard.hexes[].proto = any: protocol to scan { tcp | udp |
+ any }
* bool wizard.hexes[].client_first = true: which end initiates data
transfer
* string wizard.hexes[].to_server[].hex: sequence of data with wild
* string wizard.hexes[].to_client[].hex: sequence of data with wild
chars (?)
* string wizard.spells[].service: name of service
- * select wizard.spells[].proto = tcp: protocol to scan { tcp | udp
- }
+ * select wizard.spells[].proto = any: protocol to scan { tcp | udp
+ | any }
* bool wizard.spells[].client_first = true: which end initiates
data transfer
* string wizard.spells[].to_server[].spell: sequence of data with
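Review bot: changing the default of wizard.hexes[].proto and wizard.spells[].proto from tcp to any is a silent behaviour change for every configuration that omits proto: hexes and spells that were previously evaluated only on TCP flows will now also be tried on UDP. Suggest saying so explicitly, e.g. "the default was tcp before 3.1.33.0; set proto = tcp to keep the old scope", so operators can account for new service identifications and the additional pattern matching on UDP traffic. The same two lines are repeated in the sorted configuration appendix further down and are consistent there.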
Usage: detect
-7.37. file_type
+7.37. file_meta
+
+--------------
+
+Help: rule option to set file metadata (file type and id)
+
+Type: ips_option
+
+Usage: detect
+
+Configuration:
+
+ * string file_meta.type: file type to set
+ * int file_meta.id: file type id { 1:1023 }
+ * string file_meta.category: file type category
+ * string file_meta.group: comma separated list of groups associated
+ with file type
+ * string file_meta.version: file type version
+
+
+7.38. file_type
--------------
* string file_type.~: list of file type IDs to match
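Review bot: the new 7.37 file_meta section does not say where the option may be used or which of its parameters are required. The Help line says it sets "file type and id", which implies file_meta.type and file_meta.id are mandatory and category, group and version are optional, yet all five entries are listed identically; suggest marking the required ones and adding one sentence that these rules are the ones loaded through file_id.rules_file rather than ordinary detection rules. The id range { 1:1023 } should also be cross-referenced from file_type, whose file_type.~ parameter matches on exactly these ids.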
-7.38. flags
+7.39. flags
--------------
* string flags.~mask_flags: these flags are don’t cares
-7.39. flow
+7.40. flow
--------------
* implied flow.only_frag: match on defragmented packets only
-7.40. flowbits
+7.41. flowbits
--------------
* string flowbits.~bits: bit [|bit]* or bit [&bit]*
-7.41. fragbits
+7.42. fragbits
--------------
* string fragbits.~flags: these flags are tested
-7.42. fragoffset
+7.43. fragoffset
--------------
given range { 0:8192 }
-7.43. gid
+7.44. gid
--------------
* int gid.~: generator id { 1:max32 }
-7.44. gtp_info
+7.45. gtp_info
--------------
* string gtp_info.~: info element to match
-7.45. gtp_type
+7.46. gtp_type
--------------
* string gtp_type.~: list of types to match
-7.46. gtp_version
+7.47. gtp_version
--------------
* int gtp_version.~: version to match { 0:2 }
-7.47. http_client_body
+7.48. http_client_body
--------------
Usage: detect
-7.48. http_cookie
+7.49. http_cookie
--------------
message trailers
-7.49. http_header
+7.50. http_header
--------------
message trailers
-7.50. http_header_test
+7.51. http_header_test
--------------
* implied http_header_test.absent: header is absent
-7.51. http_method
+7.52. http_method
--------------
message trailers
-7.52. http_num_headers
+7.53. http_num_headers
--------------
HTTP message trailers
-7.53. http_num_trailers
+7.54. http_num_trailers
--------------
examine HTTP message trailers
-7.54. http_param
+7.55. http_param
--------------
* implied http_param.nocase: case insensitive match
-7.55. http_raw_body
+7.56. http_raw_body
--------------
Usage: detect
-7.56. http_raw_cookie
+7.57. http_raw_cookie
--------------
HTTP message trailers
-7.57. http_raw_header
+7.58. http_raw_header
--------------
HTTP message trailers
-7.58. http_raw_request
+7.59. http_raw_request
--------------
HTTP message trailers
-7.59. http_raw_status
+7.60. http_raw_status
--------------
HTTP message trailers
-7.60. http_raw_trailer
+7.61. http_raw_trailer
--------------
HTTP response message body (must be combined with request)
-7.61. http_raw_uri
+7.62. http_raw_uri
--------------
URI only
-7.62. http_stat_code
+7.63. http_stat_code
--------------
HTTP message trailers
-7.63. http_stat_msg
+7.64. http_stat_msg
--------------
HTTP message trailers
-7.64. http_trailer
+7.65. http_trailer
--------------
message body (must be combined with request)
-7.65. http_trailer_test
+7.66. http_trailer_test
--------------
* implied http_trailer_test.absent: trailer is absent
-7.66. http_true_ip
+7.67. http_true_ip
--------------
HTTP message trailers
-7.67. http_uri
+7.68. http_uri
--------------
only
-7.68. http_version
+7.69. http_version
--------------
HTTP message trailers
-7.69. http_version_match
+7.70. http_version_match
--------------
examine HTTP message trailers
-7.70. icmp_id
+7.71. icmp_id
--------------
0:65535 }
-7.71. icmp_seq
+7.72. icmp_seq
--------------
given range { 0:65535 }
-7.72. icode
+7.73. icode
--------------
0:255 }
-7.73. id
+7.74. id
--------------
}
-7.74. iec104_apci_type
+7.75. iec104_apci_type
--------------
* string iec104_apci_type.~: APCI type to match
-7.75. iec104_asdu_func
+7.76. iec104_asdu_func
--------------
* string iec104_asdu_func.~: function code to match
-7.76. ip_proto
+7.77. ip_proto
--------------
* string ip_proto.~proto: [!|>|<] name or number
-7.77. ipopts
+7.78. ipopts
--------------
lsrre|ssrr|satid|any }
-7.78. isdataat
+7.79. isdataat
--------------
buffer
-7.79. itype
+7.80. itype
--------------
0:255 }
-7.80. js_data
+7.81. js_data
--------------
Usage: detect
-7.81. md5
+7.82. md5
--------------
of buffer
-7.82. metadata
+7.83. metadata
--------------
pairs
-7.83. mms_data
+7.84. mms_data
--------------
Usage: detect
-7.84. mms_func
+7.85. mms_func
--------------
* string mms_func.~: func to match
-7.85. modbus_data
+7.86. modbus_data
--------------
Usage: detect
-7.86. modbus_func
+7.87. modbus_func
--------------
* string modbus_func.~: function code to match
-7.87. modbus_unit
+7.88. modbus_unit
--------------
* int modbus_unit.~: Modbus unit ID { 0:255 }
-7.88. msg
+7.89. msg
--------------
* string msg.~: message describing rule
-7.89. mss
+7.90. mss
--------------
}
-7.90. pcre
+7.91. pcre
--------------
* pcre.pcre_negated: total pcre rules using negation syntax (sum)
-7.91. pkt_data
+7.92. pkt_data
--------------
Usage: detect
-7.92. pkt_num
+7.93. pkt_num
--------------
{ 1: }
-7.93. priority
+7.94. priority
--------------
1:max31 }
-7.94. raw_data
+7.95. raw_data
--------------
Usage: detect
-7.95. reference
+7.96. reference
--------------
* string reference.~ref: reference: <scheme>,<id>
-7.96. regex
+7.97. regex
--------------
instead of start of buffer
-7.97. rem
+7.98. rem
--------------
* string rem.~: comment
-7.98. replace
+7.99. replace
--------------
* string replace.~: byte code to replace with
-7.99. rev
+7.100. rev
--------------
* int rev.~: revision { 1:max32 }
-7.100. rpc
+7.101. rpc
--------------
* string rpc.~proc: procedure number or * for any
-7.101. s7commplus_content
+7.102. s7commplus_content
--------------
Usage: detect
-7.102. s7commplus_func
+7.103. s7commplus_func
--------------
* string s7commplus_func.~: function code to match
-7.103. s7commplus_opcode
+7.104. s7commplus_opcode
--------------
* string s7commplus_opcode.~: opcode code to match
-7.104. sd_pattern
+7.105. sd_pattern
--------------
* sd_pattern.terminated: hyperscan terminated (sum)
-7.105. seq
+7.106. seq
--------------
range { 0: }
-7.106. service
+7.107. service
--------------
* string service.*: one or more comma-separated service names
-7.107. sha256
+7.108. sha256
--------------
start of buffer
-7.108. sha512
+7.109. sha512
--------------
start of buffer
-7.109. sid
+7.110. sid
--------------
* int sid.~: signature id { 1:max32 }
-7.110. sip_body
+7.111. sip_body
--------------
Usage: detect
-7.111. sip_header
+7.112. sip_header
--------------
Usage: detect
-7.112. sip_method
+7.113. sip_method
--------------
* string sip_method.*method: sip method
-7.113. sip_stat_code
+7.114. sip_stat_code
--------------
* int sip_stat_code.*code: status code { 1:999 }
-7.114. so
+7.115. so
--------------
buffer
-7.115. soid
+7.116. soid
--------------
like 3_45678_9
-7.116. ssl_state
+7.117. ssl_state
--------------
unknown
-7.117. ssl_version
+7.118. ssl_version
--------------
tls1.2
-7.118. stream_reassemble
+7.119. stream_reassemble
--------------
remainder of the session
-7.119. stream_size
+7.120. stream_size
--------------
direction(s) { either|to_server|to_client|both }
-7.120. tag
+7.121. tag
--------------
* int tag.bytes: tag for this many bytes { 1:max32 }
-7.121. target
+7.122. target
--------------
dst_ip }
-7.122. tos
+7.123. tos
--------------
* interval tos.~range: check if IP TOS is in given range { 0:255 }
-7.123. ttl
+7.124. ttl
--------------
0:255 }
-7.124. urg
+7.125. urg
--------------
{ 0:65535 }
-7.125. vba_data
+7.126. vba_data
--------------
Usage: detect
-7.126. window
+7.127. window
--------------
range { 0:65535 }
-7.127. wscale
+7.128. wscale
--------------
less than this { 0:max53 }
* int file_id.decompress_buffer_size = 100000: file decompression
buffer size { 1024:max31 }
- * string file_id.file_rules[].category: file type category
- * string file_id.file_rules[].group: comma separated list of groups
- associated with file type
- * int file_id.file_rules[].id = 0: file type id { 0:max32 }
- * string file_id.file_rules[].magic[].content: file magic content
- * int file_id.file_rules[].magic[].offset = 0: file magic offset {
- 0:max32 }
- * string file_id.file_rules[].msg: information about the file type
- * int file_id.file_rules[].rev = 0: rule revision { 0:max32 }
- * string file_id.file_rules[].type: file type name
- * string file_id.file_rules[].version: file type version
* int file_id.lookup_timeout = 2: give up on lookup after this many
seconds { 0:max31 }
* int file_id.max_files_cached = 65536: maximal number of files
cached in memory { 8:max53 }
* int file_id.max_files_per_flow = 128: maximal number of files
able to be concurrently processed per flow { 1:max53 }
+ * string file_id.rules_file: name of file with IPS rules for file
+ identification
* int file_id.show_data_depth = 100: print this many octets {
0:max53 }
* int file_id.signature_depth = 10485760: stop signature at this
generated
* bool file_log.log_sys_time = false: log the system time when
event generated
+ * string file_meta.category: file type category
+ * string file_meta.group: comma separated list of groups associated
+ with file type
+ * int file_meta.id: file type id { 1:1023 }
+ * string file_meta.type: file type to set
+ * string file_meta.version: file type version
* bool file_policy.enable_capture = false: enable file capture
* bool file_policy.enable_signature = false: enable signature
calculation
tripping { 0:max32 }
* int rate_filter[].gid = 1: rule generator ID { 0:max32 }
* dynamic rate_filter[].new_action = alert: take this action on
- future hits until timeout { alert | block | drop | log | pass |
- react | reject | rewrite }
+ future hits until timeout { alert | block | drop | file_id | log
+ | pass | react | reject | rewrite }
* int rate_filter[].seconds = 1: count interval { 0:max32 }
* int rate_filter[].sid = 1: rule signature ID { 0:max32 }
* int rate_filter[].timeout = 1: count interval { 0:max32 }
internal algorithm { dce_smb | dce_udp | dce_tcp | mms | sslv2 }
* bool wizard.hexes[].client_first = true: which end initiates data
transfer
- * select wizard.hexes[].proto = tcp: protocol to scan { tcp | udp }
+ * select wizard.hexes[].proto = any: protocol to scan { tcp | udp |
+ any }
* string wizard.hexes[].service: name of service
* string wizard.hexes[].to_client[].hex: sequence of data with wild
chars (?)
0:65535 }
* bool wizard.spells[].client_first = true: which end initiates
data transfer
- * select wizard.spells[].proto = tcp: protocol to scan { tcp | udp
- }
+ * select wizard.spells[].proto = any: protocol to scan { tcp | udp
+ | any }
* string wizard.spells[].service: name of service
* string wizard.spells[].to_client[].spell: sequence of data with
wild cards (*)
The TCP packet is invalid because it doesn’t have a SYN, ACK, or RST
flag set.
-116:424 (pbb) truncated ethernet header
+116:424 (eth) truncated ethernet header
The packet length is less than the minimum ethernet header size (14
bytes)
-116:424 (pbb) truncated ethernet header
+116:424 (eth) truncated ethernet header
A truncated ethernet header was detected.
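Review bot: relabelling 116:424 from pbb to eth matches the event text (a truncated ethernet header), but the hunk also shows the same rule listed twice with two different descriptions, "The packet length is less than the minimum ethernet header size (14 bytes)" and "A truncated ethernet header was detected." Suggest collapsing them into one entry and keeping the first description, since it is the only one that states the actual threshold.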
An HTTP message includes a Transfer-Encoding header value that
specifies other encodings before "chunked."
-119:224 (http_inspect) misformatted HTTP traffic
-
-The traffic contains an HTTP version, but does not contain a
-recognizable start line. This conclusion applies only to one
-direction of the flow. The opposite direction may be OK.
-
119:225 (http_inspect) unsupported Content-Encoding used
The HTTP Content-Encoding header contains a coding other than gzip
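Review bot: deleting builtin rule 119:224 without a deprecation note will break any existing suppress, threshold or rate_filter entry keyed on gid 119, sid 224, and the text gives no pointer to its replacement. The removed wording ("contains an HTTP version, but does not contain a recognizable start line") overlaps with the new 119:279 invalid status line, 119:281 invalid request line and 119:284 partial start line events added below; suggest a one-line note under 119:223 or in the release notes mapping the old sid to the new ones.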
The HTTP message body is gzip encoded and the FEXTRA flag is set in
the gzip header.
+119:279 (http_inspect) invalid status line
+
+HTTP Status-Line failed validation checks. Checks include minimum
+length, format, characters used, etc.
+
+119:280 (http_inspect) HTTP message headers longer than 63780 bytes
+
+HTTP message headers longer than 63780 bytes
+
+119:281 (http_inspect) invalid request line
+
+HTTP Request-Line failed validation checks. Checks include minimum
+length, format, characters used, etc.
+
+119:282 (http_inspect) too many white space characters when start
+line is expected
+
+Packet with more than 20 white space characters when an HTTP
+Start-Line is required.
+
+119:283 (http_inspect) HTTP message status line longer than 63780
+bytes
+
+HTTP message Status-Line longer than 63780 bytes
+
+119:284 (http_inspect) partial start line
+
+Connection closed in the middle of a Request-Line or Status-Line.
+
+119:285 (http_inspect) HTTP message request line longer than 63780
+bytes
+
+HTTP message Request-Line longer than 63780 bytes
+
+119:286 (http_inspect) HTTP/2 preface received instead of an HTTP/1
+method
+
+HTTP/2 preface received instead of an HTTP/1 method
+
121:1 (http2_inspect) invalid flag set on HTTP/2 frame
Invalid flag set on HTTP/2 frame header
HTTP/2 non-Data frame longer than 63780 bytes
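Review bot: the descriptions for 119:280, 119:283, 119:285 and 119:286 merely repeat their titles ("HTTP message headers longer than 63780 bytes", and so on), so they add nothing for someone triaging the alert. Suggest stating what the inspector does once the limit is hit (is the rest of the message still inspected, or is that direction abandoned as 121:39 describes?) and whether 63780 is a fixed ceiling or tracks a configurable buffer size. 119:282 is the only new entry whose threshold (20 white space characters) appears in the description but not the title; consistent treatment across the set would help.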
+121:39 (http2_inspect) not HTTP/2 traffic or unrecoverable HTTP/2
+protocol error
+
+HTTP/2 inspector is unable to parse this flow. Either the connection
+is not actually using HTTP/2 or some sort of unrecoverable HTTP/2
+protocol error has occurred. This conclusion applies only to one
+direction of the flow. The opposite direction may be OK.
+
122:1 (port_scan) TCP portscan
Basic one host to one host TCP portscan where multiple TCP ports are
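Review bot: the last two sentences of the 121:39 description ("This conclusion applies only to one direction of the flow. The opposite direction may be OK.") are taken verbatim from the deleted 119:224 text, which is fine, but the description should also say what happens to the flow afterwards, i.e. whether http2_inspect stops inspecting that direction, because a direction that is no longer parsed after an unrecoverable error is a blind spot operators need to know about. Suggest one sentence on the post-error behaviour and a pointer to the peg that counts it.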
file data
* file_id (inspector): configure file identification
* file_log (inspector): log file event to file.log
+ * file_meta (ips_option): rule option to set file metadata (file
+ type and id)
* file_policy (basic): configure file policy
* file_type (ips_option): rule option to check file type
* flags (ips_option): rule option to test TCP control flags
* ips_action::block: block current packet and all the subsequent
packets in this flow
* ips_action::drop: drop the current packet
+ * ips_action::file_id: file_id file type id
* ips_action::log: log the current packet
* ips_action::pass: mark the current packet as passed
* ips_action::react: send response to client and terminate session
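Review bot: "ips_action::file_id: file_id file type id" is not a description; every other action in this list says what it does to the packet ("block current packet and all the subsequent packets in this flow", "drop the current packet"). Since file_id is also added as a permitted rate_filter new_action in this release, a reader needs to know what the action actually does when a rule or a rate_filter escalation selects it. Suggest rewording to describe the effect, and keeping the same wording at both places where the action list is printed.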
* ips_option::enip_rsp: detection option to match ENIP response
* ips_option::file_data: rule option to set detection cursor to
file data
+ * ips_option::file_meta: rule option to set file metadata (file
+ type and id)
* ips_option::file_type: rule option to check file type
* ips_option::flags: rule option to test TCP control flags
* ips_option::flow: rule option to check session properties