The Snort Team
Revision History
-Revision 3.1.5.0 2021-05-20 14:02:39 EDT TST
+Revision 3.1.6.0 2021-06-16 07:30:59 EDT TST
---------------------------------------------------------------------
3.7. esp
3.8. eth
3.9. fabricpath
- 3.10. gre
- 3.11. gtp
- 3.12. icmp4
- 3.13. icmp6
- 3.14. igmp
- 3.15. ipv4
- 3.16. ipv6
- 3.17. llc
- 3.18. mpls
- 3.19. pbb
- 3.20. pgm
- 3.21. pppoe
- 3.22. tcp
- 3.23. token_ring
- 3.24. udp
- 3.25. vlan
- 3.26. wlan
+ 3.10. geneve
+ 3.11. gre
+ 3.12. gtp
+ 3.13. icmp4
+ 3.14. icmp6
+ 3.15. igmp
+ 3.16. ipv4
+ 3.17. ipv6
+ 3.18. llc
+ 3.19. mpls
+ 3.20. pbb
+ 3.21. pgm
+ 3.22. pppoe
+ 3.23. tcp
+ 3.24. token_ring
+ 3.25. udp
+ 3.26. vlan
+ 3.27. wlan
4. Connector Modules
7.44. gtp_info
7.45. gtp_type
7.46. gtp_version
- 7.47. http2_decoded_header
- 7.48. http2_frame_header
- 7.49. http_client_body
- 7.50. http_cookie
- 7.51. http_header
- 7.52. http_method
- 7.53. http_param
- 7.54. http_raw_body
- 7.55. http_raw_cookie
- 7.56. http_raw_header
- 7.57. http_raw_request
- 7.58. http_raw_status
- 7.59. http_raw_trailer
- 7.60. http_raw_uri
- 7.61. http_stat_code
- 7.62. http_stat_msg
- 7.63. http_trailer
- 7.64. http_true_ip
- 7.65. http_uri
- 7.66. http_version
- 7.67. icmp_id
- 7.68. icmp_seq
- 7.69. icode
- 7.70. id
- 7.71. iec104_apci_type
- 7.72. iec104_asdu_func
- 7.73. ip_proto
- 7.74. ipopts
- 7.75. isdataat
- 7.76. itype
- 7.77. md5
- 7.78. metadata
- 7.79. modbus_data
- 7.80. modbus_func
- 7.81. modbus_unit
- 7.82. msg
- 7.83. mss
- 7.84. pcre
- 7.85. pkt_data
- 7.86. pkt_num
- 7.87. priority
- 7.88. raw_data
- 7.89. reference
- 7.90. regex
- 7.91. rem
- 7.92. replace
- 7.93. rev
- 7.94. rpc
- 7.95. s7commplus_content
- 7.96. s7commplus_func
- 7.97. s7commplus_opcode
- 7.98. script_data
- 7.99. sd_pattern
- 7.100. seq
- 7.101. service
- 7.102. sha256
- 7.103. sha512
- 7.104. sid
- 7.105. sip_body
- 7.106. sip_header
- 7.107. sip_method
- 7.108. sip_stat_code
- 7.109. so
- 7.110. soid
- 7.111. ssl_state
- 7.112. ssl_version
- 7.113. stream_reassemble
- 7.114. stream_size
- 7.115. tag
- 7.116. target
- 7.117. tos
- 7.118. ttl
- 7.119. urg
- 7.120. window
- 7.121. wscale
+ 7.47. http_client_body
+ 7.48. http_cookie
+ 7.49. http_header
+ 7.50. http_method
+ 7.51. http_param
+ 7.52. http_raw_body
+ 7.53. http_raw_cookie
+ 7.54. http_raw_header
+ 7.55. http_raw_request
+ 7.56. http_raw_status
+ 7.57. http_raw_trailer
+ 7.58. http_raw_uri
+ 7.59. http_stat_code
+ 7.60. http_stat_msg
+ 7.61. http_trailer
+ 7.62. http_true_ip
+ 7.63. http_uri
+ 7.64. http_version
+ 7.65. icmp_id
+ 7.66. icmp_seq
+ 7.67. icode
+ 7.68. id
+ 7.69. iec104_apci_type
+ 7.70. iec104_asdu_func
+ 7.71. ip_proto
+ 7.72. ipopts
+ 7.73. isdataat
+ 7.74. itype
+ 7.75. md5
+ 7.76. metadata
+ 7.77. modbus_data
+ 7.78. modbus_func
+ 7.79. modbus_unit
+ 7.80. msg
+ 7.81. mss
+ 7.82. pcre
+ 7.83. pkt_data
+ 7.84. pkt_num
+ 7.85. priority
+ 7.86. raw_data
+ 7.87. reference
+ 7.88. regex
+ 7.89. rem
+ 7.90. replace
+ 7.91. rev
+ 7.92. rpc
+ 7.93. s7commplus_content
+ 7.94. s7commplus_func
+ 7.95. s7commplus_opcode
+ 7.96. script_data
+ 7.97. sd_pattern
+ 7.98. seq
+ 7.99. service
+ 7.100. sha256
+ 7.101. sha512
+ 7.102. sid
+ 7.103. sip_body
+ 7.104. sip_header
+ 7.105. sip_method
+ 7.106. sip_stat_code
+ 7.107. so
+ 7.108. soid
+ 7.109. ssl_state
+ 7.110. ssl_version
+ 7.111. stream_reassemble
+ 7.112. stream_size
+ 7.113. tag
+ 7.114. target
+ 7.115. tos
+ 7.116. ttl
+ 7.117. urg
+ 7.118. window
+ 7.119. wscale
8. Search Engine Modules
9. SO Rule Modules
* snort.reload_hosts(filename): load a new hosts table
* snort.pause(): suspend packet processing
* snort.resume(pkt_num): continue packet processing. If number of
- packet is specified, will resume for n packets and pause
- * snort.detach(): exit shell w/o shutdown
+ packets is specified, will resume for n packets and pause
+ * snort.detach(): detach from control shell (without shutting down)
* snort.quit(): shutdown and dump-stats
* snort.help(): this output
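Review bot: the parameter name `pkt_num` in `snort.resume(pkt_num)` reads as an absolute packet number, but the description says it resumes "for n packets and pause", i.e. a count, and elsewhere in this manual `pkt_num` (the rule option) is an absolute packet number. Rename the parameter (e.g. `snort.resume(n)`) or make the description say explicitly that the argument is the number of packets to process before pausing again. The `snort.detach()` rewording is an improvement over "exit shell w/o shutdown".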
Configuration:
* int trace.modules.all: enable trace for all modules { 0:255 }
- * int trace.modules.appid.all: enable all trace options { 0:255 }
- * int trace.modules.dce_smb.all: enable all trace options { 0:255 }
- * int trace.modules.dce_udp.all: enable all trace options { 0:255 }
- * int trace.modules.decode.all: enable all trace options { 0:255 }
- * int trace.modules.detection.all: enable all trace options { 0:255
- }
- * int trace.modules.detection.detect_engine: enable detection
- engine trace logging { 0:255 }
- * int trace.modules.detection.rule_eval: enable rule evaluation
- trace logging { 0:255 }
- * int trace.modules.detection.buffer: enable buffer trace logging {
- 0:255 }
- * int trace.modules.detection.rule_vars: enable rule variables
- trace logging { 0:255 }
- * int trace.modules.detection.fp_search: enable fast pattern search
- trace logging { 0:255 }
- * int trace.modules.detection.pkt_detect: enable packet detection
- trace logging { 0:255 }
- * int trace.modules.detection.opt_tree: enable tree option trace
- logging { 0:255 }
- * int trace.modules.detection.tag: enable tag trace logging { 0:255
- }
* int trace.modules.dpx.all: enable all trace options { 0:255 }
- * int trace.modules.gtp_inspect.all: enable all trace options {
- 0:255 }
- * int trace.modules.iec104.all: enable all trace options { 0:255 }
- * int trace.modules.iec104.identification: enable IEC104 APDU
- identification trace logging { 0:255 }
- * int trace.modules.latency.all: enable all trace options { 0:255 }
- * int trace.modules.react.all: enable all trace options { 0:255 }
- * int trace.modules.rna.all: enable all trace options { 0:255 }
* int trace.modules.snort.all: enable all trace options { 0:255 }
- * int trace.modules.snort.main: enable main trace logging { 0:255 }
* int trace.modules.snort.inspector_manager: enable inspector
manager trace logging { 0:255 }
- * int trace.modules.stream.all: enable all trace options { 0:255 }
- * int trace.modules.stream_ip.all: enable all trace options { 0:255
- }
- * int trace.modules.stream_tcp.all: enable all trace options {
- 0:255 }
- * int trace.modules.stream_tcp.segments: enable stream TCP segments
- trace logging { 0:255 }
- * int trace.modules.stream_tcp.state: enable stream TCP state trace
- logging { 0:255 }
- * int trace.modules.stream_user.all: enable all trace options {
- 0:255 }
* int trace.modules.wizard.all: enable all trace options { 0:255 }
* int trace.constraints.ip_proto: numerical IP protocol ID filter {
0:255 }
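Review bot: this hunk drops the per-module trace options (trace.modules.appid.all, dce_smb, dce_udp, decode, detection.*, gtp_inspect, iec104.*, latency, react, rna, snort.main, stream, stream_ip, stream_tcp.*, stream_user) with no replacement lines, leaving only trace.modules.all, dpx, snort.all, snort.inspector_manager and wizard. Confirm that these options were really removed from the modules (or moved into their own module sections) rather than lost by the listing generator; if they are gone, the release notes need a migration note, since an existing snort.lua that sets e.g. `trace.modules.detection.rule_eval` would no longer match a documented option.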
* 116:467 (fabricpath) truncated FabricPath header
-3.10. gre
+3.10. geneve
+
+--------------
+
+Help: support for Geneve: Generic Network Virtualization
+Encapsulation
+
+Type: codec
+
+Usage: context
+
+Rules:
+
+ * 116:180 (geneve) insufficient room for geneve header
+ * 116:181 (geneve) invalid version
+ * 116:182 (geneve) invalid header
+ * 116:183 (geneve) invalid flags
+ * 116:184 (geneve) invalid options
+
+
+3.11. gre
--------------
* 116:165 (gre) GRE trans header length > payload length
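Review bot: the new 116:180 to 116:184 geneve messages are less specific than the sibling codec messages in this section (compare 116:165 "GRE trans header length > payload length"): "invalid header", "invalid flags" and "invalid options" do not say which check failed, and the difference between 116:180 "insufficient room for geneve header" and 116:182 "invalid header" is not apparent from the text. State the violated condition in each message (which flag bits, which length comparison) as the other codecs do. The section also has no Configuration block; since the decoder is selected by `udp.geneve_ports` (default 6081), a pointer to that option from the geneve section would save the reader a search.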
-3.11. gtp
+3.12. gtp
--------------
* 116:298 (gtp) GTP header length is invalid
-3.12. icmp4
+3.13. icmp4
--------------
* icmp4.checksum_bypassed: checksum calculations bypassed (sum)
-3.13. icmp6
+3.14. icmp6
--------------
* icmp6.checksum_bypassed: checksum calculations bypassed (sum)
-3.14. igmp
+3.15. igmp
--------------
* 116:455 (igmp) DOS IGMP IP options validation attempt
-3.15. ipv4
+3.16. ipv4
--------------
* ipv4.checksum_bypassed: checksum calculations bypassed (sum)
-3.16. ipv6
+3.17. ipv6
--------------
the payload protocol field
-3.17. llc
+3.18. llc
--------------
* 116:132 (llc) bad extra LLC info
-3.18. mpls
+3.19. mpls
--------------
* 116:176 (mpls) too many MPLS headers
-3.19. pbb
+3.20. pbb
--------------
* 116:424 (pbb) truncated ethernet header
-3.20. pgm
+3.21. pgm
--------------
* 116:454 (pgm) PGM nak list overflow attempt
-3.21. pppoe
+3.22. pppoe
--------------
* 116:120 (pppoe) bad PPPOE frame detected
-3.22. tcp
+3.23. tcp
--------------
* tcp.checksum_bypassed: checksum calculations bypassed (sum)
-3.23. token_ring
+3.24. token_ring
--------------
* 116:143 (token_ring) bad Token Ring MR header
-3.24. udp
+3.25. udp
--------------
UDP ports (default is only 3544)
* bit_list udp.gtp_ports = 2152 3386: set GTP ports { 65535 }
* bit_list udp.vxlan_ports = 4789: set VXLAN ports { 65535 }
+ * bit_list udp.geneve_ports = 6081: set Geneve ports { 65535 }
Rules:
* udp.checksum_bypassed: checksum calculations bypassed (sum)
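Review bot: `udp.geneve_ports` is appended after `udp.vxlan_ports` here, but the consolidated option listing later in this same change inserts it alphabetically before `udp.gtp_ports`. Use the alphabetical position in both places so the two generated sections agree. The default of 6081 matches the IANA-assigned Geneve port.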
-3.25. vlan
+3.26. vlan
--------------
* 116:130 (vlan) bad VLAN frame
-3.26. wlan
+3.27. wlan
--------------
* 121:31 (http2_inspect) invalid HTTP/2 window update frame
* 121:32 (http2_inspect) HTTP/2 window update frame with zero
increment
+ * 121:33 (http2_inspect) HTTP/2 request without a method
Peg counts:
* string http_inspect.xff_headers = x-forwarded-for true-client-ip:
specifies the xff type headers to parse and consider in the same
order of preference as defined
+ * bool http_inspect.request_body_app_detection = false: make HTTP/2
+ request message bodies available for application detection
+ (detection requires AppId)
Rules:
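Review bot: `http_inspect.request_body_app_detection` is an http_inspect option, but its description speaks only of HTTP/2 request bodies; say whether HTTP/1.x request bodies are also made available to AppId or, if the option is HTTP/2-only, why it is not on http2_inspect. "detection requires AppId" should also be made explicit as a dependency: state whether the flag is a no-op when the appid inspector is not configured.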
* 119:115 (http_inspect) PDF file unsupported compression type
* 119:116 (http_inspect) PDF file cascaded compression
* 119:117 (http_inspect) PDF file parse failure
- * 119:118 (http_inspect) unexpected script tag within inline
- javascript
* 119:201 (http_inspect) not HTTP traffic
* 119:202 (http_inspect) chunk length has excessive leading zeros
* 119:203 (http_inspect) white space before or between messages
* 119:262 (http_inspect) HTTP URI scheme longer than 10 characters
* 119:263 (http_inspect) HTTP/1 client requested HTTP/2 upgrade
* 119:264 (http_inspect) HTTP/1 server granted HTTP/2 upgrade
+ * 119:265 (http_inspect) bad token in JavaScript
+ * 119:266 (http_inspect) unexpected script opening tag in
+ JavaScript
+ * 119:267 (http_inspect) unexpected script closing tag in
+ JavaScript
+ * 119:268 (http_inspect) JavaScript code under the external script
+ tags
Peg counts:
* http_inspect.total_bytes: total HTTP data bytes inspected (sum)
* http_inspect.js_inline_scripts: total number of inline
JavaScripts processed (sum)
+ * http_inspect.js_external_scripts: total number of external
+ JavaScripts processed (sum)
5.25. iec104
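Review bot: 119:118 "unexpected script tag within inline javascript" is retired and replaced by 119:265 to 119:268, so any suppression or threshold keyed on 119:118 stops matching; note the SID change in the release notes. The message for 119:268, "JavaScript code under the external script tags", does not say what condition fires it; rephrase it in the form of 119:266/267 (what was found, and where it is unexpected). The new peg `http_inspect.js_external_scripts` is consistent with the existing `js_inline_scripts` naming.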
* int gtp_version.~: version to match { 0:2 }
-7.47. http2_decoded_header
-
---------------
-
-Help: rule option to set detection cursor to the decoded HTTP/2
-header
-
-Type: ips_option
-
-Usage: detect
-
-
-7.48. http2_frame_header
-
---------------
-
-Help: rule option to set detection cursor to the 9-octet HTTP/2 frame
-header
-
-Type: ips_option
-
-Usage: detect
-
-
-7.49. http_client_body
+7.47. http_client_body
--------------
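Review bot: removing the `http2_decoded_header` and `http2_frame_header` rule options (and renumbering 7.47 onward) is a rule-syntax break: a rule file that uses either keyword will no longer parse on 3.1.6.0, and nothing in this change says what replaces them. Add a removal entry naming the substitute buffer (if `http_header` now serves decoded HTTP/2 headers, say so) rather than deleting the two sections silently.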
Usage: detect
-7.50. http_cookie
+7.48. http_cookie
--------------
message trailers
-7.51. http_header
+7.49. http_header
--------------
message trailers
-7.52. http_method
+7.50. http_method
--------------
message trailers
-7.53. http_param
+7.51. http_param
--------------
* implied http_param.nocase: case insensitive match
-7.54. http_raw_body
+7.52. http_raw_body
--------------
Usage: detect
-7.55. http_raw_cookie
+7.53. http_raw_cookie
--------------
HTTP message trailers
-7.56. http_raw_header
+7.54. http_raw_header
--------------
HTTP message trailers
-7.57. http_raw_request
+7.55. http_raw_request
--------------
HTTP message trailers
-7.58. http_raw_status
+7.56. http_raw_status
--------------
HTTP message trailers
-7.59. http_raw_trailer
+7.57. http_raw_trailer
--------------
HTTP response message body (must be combined with request)
-7.60. http_raw_uri
+7.58. http_raw_uri
--------------
URI only
-7.61. http_stat_code
+7.59. http_stat_code
--------------
HTTP message trailers
-7.62. http_stat_msg
+7.60. http_stat_msg
--------------
HTTP message trailers
-7.63. http_trailer
+7.61. http_trailer
--------------
message body (must be combined with request)
-7.64. http_true_ip
+7.62. http_true_ip
--------------
HTTP message trailers
-7.65. http_uri
+7.63. http_uri
--------------
only
-7.66. http_version
+7.64. http_version
--------------
HTTP message trailers
-7.67. icmp_id
+7.65. icmp_id
--------------
0:65535 }
-7.68. icmp_seq
+7.66. icmp_seq
--------------
given range { 0:65535 }
-7.69. icode
+7.67. icode
--------------
0:255 }
-7.70. id
+7.68. id
--------------
}
-7.71. iec104_apci_type
+7.69. iec104_apci_type
--------------
* string iec104_apci_type.~: APCI type to match
-7.72. iec104_asdu_func
+7.70. iec104_asdu_func
--------------
* string iec104_asdu_func.~: function code to match
-7.73. ip_proto
+7.71. ip_proto
--------------
* string ip_proto.~proto: [!|>|<] name or number
-7.74. ipopts
+7.72. ipopts
--------------
lsrre|ssrr|satid|any }
-7.75. isdataat
+7.73. isdataat
--------------
buffer
-7.76. itype
+7.74. itype
--------------
0:255 }
-7.77. md5
+7.75. md5
--------------
of buffer
-7.78. metadata
+7.76. metadata
--------------
pairs
-7.79. modbus_data
+7.77. modbus_data
--------------
Usage: detect
-7.80. modbus_func
+7.78. modbus_func
--------------
* string modbus_func.~: function code to match
-7.81. modbus_unit
+7.79. modbus_unit
--------------
* int modbus_unit.~: Modbus unit ID { 0:255 }
-7.82. msg
+7.80. msg
--------------
* string msg.~: message describing rule
-7.83. mss
+7.81. mss
--------------
}
-7.84. pcre
+7.82. pcre
--------------
* pcre.pcre_negated: total pcre rules using negation syntax (sum)
-7.85. pkt_data
+7.83. pkt_data
--------------
Usage: detect
-7.86. pkt_num
+7.84. pkt_num
--------------
{ 1: }
-7.87. priority
+7.85. priority
--------------
1:max31 }
-7.88. raw_data
+7.86. raw_data
--------------
Usage: detect
-7.89. reference
+7.87. reference
--------------
* string reference.~ref: reference: <scheme>,<id>
-7.90. regex
+7.88. regex
--------------
instead of start of buffer
-7.91. rem
+7.89. rem
--------------
* string rem.~: comment
-7.92. replace
+7.90. replace
--------------
* string replace.~: byte code to replace with
-7.93. rev
+7.91. rev
--------------
* int rev.~: revision { 1:max32 }
-7.94. rpc
+7.92. rpc
--------------
* string rpc.~proc: procedure number or * for any
-7.95. s7commplus_content
+7.93. s7commplus_content
--------------
Usage: detect
-7.96. s7commplus_func
+7.94. s7commplus_func
--------------
* string s7commplus_func.~: function code to match
-7.97. s7commplus_opcode
+7.95. s7commplus_opcode
--------------
* string s7commplus_opcode.~: opcode code to match
-7.98. script_data
+7.96. script_data
--------------
Usage: detect
-7.99. sd_pattern
+7.97. sd_pattern
--------------
* sd_pattern.terminated: hyperscan terminated (sum)
-7.100. seq
+7.98. seq
--------------
range { 0: }
-7.101. service
+7.99. service
--------------
* string service.*: one or more comma-separated service names
-7.102. sha256
+7.100. sha256
--------------
start of buffer
-7.103. sha512
+7.101. sha512
--------------
start of buffer
-7.104. sid
+7.102. sid
--------------
* int sid.~: signature id { 1:max32 }
-7.105. sip_body
+7.103. sip_body
--------------
Usage: detect
-7.106. sip_header
+7.104. sip_header
--------------
Usage: detect
-7.107. sip_method
+7.105. sip_method
--------------
* string sip_method.*method: sip method
-7.108. sip_stat_code
+7.106. sip_stat_code
--------------
* int sip_stat_code.*code: status code { 1:999 }
-7.109. so
+7.107. so
--------------
buffer
-7.110. soid
+7.108. soid
--------------
like 3_45678_9
-7.111. ssl_state
+7.109. ssl_state
--------------
unknown
-7.112. ssl_version
+7.110. ssl_version
--------------
tls1.2
-7.113. stream_reassemble
+7.111. stream_reassemble
--------------
remainder of the session
-7.114. stream_size
+7.112. stream_size
--------------
direction(s) { either|to_server|to_client|both }
-7.115. tag
+7.113. tag
--------------
* int tag.bytes: tag for this many bytes { 1:max32 }
-7.116. target
+7.114. target
--------------
dst_ip }
-7.117. tos
+7.115. tos
--------------
* interval tos.~range: check if IP TOS is in given range { 0:255 }
-7.118. ttl
+7.116. ttl
--------------
0:255 }
-7.119. urg
+7.117. urg
--------------
{ 0:65535 }
-7.120. window
+7.118. window
--------------
range { 0:65535 }
-7.121. wscale
+7.119. wscale
--------------
dir src_ap dst_ap rule action: selected fields will be output in
given order left to right { action | class | b64_data |
client_bytes | client_pkts | dir | dst_addr | dst_ap | dst_port |
- eth_dst | eth_len | eth_src | eth_type | flowstart_time | gid |
- icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id |
- ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority |
- proto | rev | rule | seconds | server_bytes | server_pkts |
- service | sgt| sid | src_addr | src_ap | src_port | target |
- tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp |
- tos | ttl | udp_len | vlan }
+ eth_dst | eth_len | eth_src | eth_type | flowstart_time |
+ geneve_vni | gid | icmp_code | icmp_id | icmp_seq | icmp_type |
+ iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num
+ | priority | proto | rev | rule | seconds | server_bytes |
+ server_pkts | service | sgt| sid | src_addr | src_ap | src_port |
+ target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win |
+ timestamp | tos | ttl | udp_len | vlan }
* int alert_csv.limit = 0: set maximum size in MB before rollover
(0 is unlimited) { 0:maxSZ }
* string alert_csv.separator = , : separate fields with this
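Review bot: the rewrapped field list still carries the pre-existing typo `sgt| sid` (missing space before the pipe); since these lines are being rewritten to add `geneve_vni` anyway, fix the spacing here and in the three other copies of this list in this change. `geneve_vni` is slotted alphabetically after `flowstart_time`, consistent with the rest of the list.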
dir src_ap dst_ap rule action: selected fields will be output in
given order left to right { action | class | b64_data |
client_bytes | client_pkts | dir | dst_addr | dst_ap | dst_port |
- eth_dst | eth_len | eth_src | eth_type | flowstart_time | gid |
- icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id |
- ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority |
- proto | rev | rule | seconds | server_bytes | server_pkts |
- service | sgt| sid | src_addr | src_ap | src_port | target |
- tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp |
- tos | ttl | udp_len | vlan }
+ eth_dst | eth_len | eth_src | eth_type | flowstart_time |
+ geneve_vni | gid | icmp_code | icmp_id | icmp_seq | icmp_type |
+ iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num
+ | priority | proto | rev | rule | seconds | server_bytes |
+ server_pkts | service | sgt| sid | src_addr | src_ap | src_port |
+ target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win |
+ timestamp | tos | ttl | udp_len | vlan }
* int alert_json.limit = 0: set maximum size in MB before rollover
(0 is unlimited) { 0:maxSZ }
* string alert_json.separator = , : separate fields with this
dir src_ap dst_ap rule action: selected fields will be output in
given order left to right { action | class | b64_data |
client_bytes | client_pkts | dir | dst_addr | dst_ap | dst_port |
- eth_dst | eth_len | eth_src | eth_type | flowstart_time | gid |
- icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id |
- ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority |
- proto | rev | rule | seconds | server_bytes | server_pkts |
- service | sgt| sid | src_addr | src_ap | src_port | target |
- tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp |
- tos | ttl | udp_len | vlan }
+ eth_dst | eth_len | eth_src | eth_type | flowstart_time |
+ geneve_vni | gid | icmp_code | icmp_id | icmp_seq | icmp_type |
+ iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num
+ | priority | proto | rev | rule | seconds | server_bytes |
+ server_pkts | service | sgt| sid | src_addr | src_ap | src_port |
+ target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win |
+ timestamp | tos | ttl | udp_len | vlan }
* bool alert_csv.file = false: output to alert_csv.txt instead of
stdout
* int alert_csv.limit = 0: set maximum size in MB before rollover
dir src_ap dst_ap rule action: selected fields will be output in
given order left to right { action | class | b64_data |
client_bytes | client_pkts | dir | dst_addr | dst_ap | dst_port |
- eth_dst | eth_len | eth_src | eth_type | flowstart_time | gid |
- icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id |
- ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority |
- proto | rev | rule | seconds | server_bytes | server_pkts |
- service | sgt| sid | src_addr | src_ap | src_port | target |
- tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp |
- tos | ttl | udp_len | vlan }
+ eth_dst | eth_len | eth_src | eth_type | flowstart_time |
+ geneve_vni | gid | icmp_code | icmp_id | icmp_seq | icmp_type |
+ iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num
+ | priority | proto | rev | rule | seconds | server_bytes |
+ server_pkts | service | sgt| sid | src_addr | src_ap | src_port |
+ target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win |
+ timestamp | tos | ttl | udp_len | vlan }
* bool alert_json.file = false: output to alert_json.txt instead of
stdout
* int alert_json.limit = 0: set maximum size in MB before rollover
encodings
* bool http_inspect.plus_to_space = true: replace + with <sp> when
normalizing URIs
+ * bool http_inspect.request_body_app_detection = false: make HTTP/2
+ request message bodies available for application detection
+ (detection requires AppId)
* int http_inspect.request_depth = -1: maximum request message body
bytes to examine (-1 no limit) { -1:max53 }
* int http_inspect.response_depth = -1: maximum response message
* string trace.constraints.src_ip: source IP address filter
* int trace.constraints.src_port: source port filter { 0:65535 }
* int trace.modules.all: enable trace for all modules { 0:255 }
- * int trace.modules.appid.all: enable all trace options { 0:255 }
- * int trace.modules.dce_smb.all: enable all trace options { 0:255 }
- * int trace.modules.dce_udp.all: enable all trace options { 0:255 }
- * int trace.modules.decode.all: enable all trace options { 0:255 }
- * int trace.modules.detection.all: enable all trace options { 0:255
- }
- * int trace.modules.detection.buffer: enable buffer trace logging {
- 0:255 }
- * int trace.modules.detection.detect_engine: enable detection
- engine trace logging { 0:255 }
- * int trace.modules.detection.fp_search: enable fast pattern search
- trace logging { 0:255 }
- * int trace.modules.detection.opt_tree: enable tree option trace
- logging { 0:255 }
- * int trace.modules.detection.pkt_detect: enable packet detection
- trace logging { 0:255 }
- * int trace.modules.detection.rule_eval: enable rule evaluation
- trace logging { 0:255 }
- * int trace.modules.detection.rule_vars: enable rule variables
- trace logging { 0:255 }
- * int trace.modules.detection.tag: enable tag trace logging { 0:255
- }
* int trace.modules.dpx.all: enable all trace options { 0:255 }
- * int trace.modules.gtp_inspect.all: enable all trace options {
- 0:255 }
- * int trace.modules.iec104.all: enable all trace options { 0:255 }
- * int trace.modules.iec104.identification: enable IEC104 APDU
- identification trace logging { 0:255 }
- * int trace.modules.latency.all: enable all trace options { 0:255 }
- * int trace.modules.react.all: enable all trace options { 0:255 }
- * int trace.modules.rna.all: enable all trace options { 0:255 }
* int trace.modules.snort.all: enable all trace options { 0:255 }
* int trace.modules.snort.inspector_manager: enable inspector
manager trace logging { 0:255 }
- * int trace.modules.snort.main: enable main trace logging { 0:255 }
- * int trace.modules.stream.all: enable all trace options { 0:255 }
- * int trace.modules.stream_ip.all: enable all trace options { 0:255
- }
- * int trace.modules.stream_tcp.all: enable all trace options {
- 0:255 }
- * int trace.modules.stream_tcp.segments: enable stream TCP segments
- trace logging { 0:255 }
- * int trace.modules.stream_tcp.state: enable stream TCP state trace
- logging { 0:255 }
- * int trace.modules.stream_user.all: enable all trace options {
- 0:255 }
* int trace.modules.wizard.all: enable all trace options { 0:255 }
* bool trace.ntuple = false: print packet n-tuple info with trace
messages
0:255 }
* bool udp.deep_teredo_inspection = false: look for Teredo on all
UDP ports (default is only 3544)
+ * bit_list udp.geneve_ports = 6081: set Geneve ports { 65535 }
* bit_list udp.gtp_ports = 2152 3386: set GTP ports { 65535 }
* bit_list udp.vxlan_ports = 4789: set VXLAN ports { 65535 }
* bool unified2.legacy_events = false: generate Snort 2.X style
* http_inspect.get_requests: GET requests inspected (sum)
* http_inspect.head_requests: HEAD requests inspected (sum)
* http_inspect.inspections: total message sections inspected (sum)
+ * http_inspect.js_external_scripts: total number of external
+ JavaScripts processed (sum)
* http_inspect.js_inline_scripts: total number of inline
JavaScripts processed (sum)
* http_inspect.max_concurrent_sessions: maximum concurrent http
* 116: esp
* 116: eth
* 116: fabricpath
+ * 116: geneve
* 116: gre
* 116: gtp
* 116: icmp4
* 116:174 (mpls) MPLS label 3 appears in header
* 116:175 (mpls) MPLS label 4, 5,.. or 15 appears in header
* 116:176 (mpls) too many MPLS headers
+ * 116:180 (geneve) insufficient room for geneve header
+ * 116:181 (geneve) invalid version
+ * 116:182 (geneve) invalid header
+ * 116:183 (geneve) invalid flags
+ * 116:184 (geneve) invalid options
* 116:250 (icmp4) ICMP original IP header truncated
* 116:251 (icmp4) ICMP version and original IP header versions
differ
* 119:115 (http_inspect) PDF file unsupported compression type
* 119:116 (http_inspect) PDF file cascaded compression
* 119:117 (http_inspect) PDF file parse failure
- * 119:118 (http_inspect) unexpected script tag within inline
- javascript
* 119:201 (http_inspect) not HTTP traffic
* 119:202 (http_inspect) chunk length has excessive leading zeros
* 119:203 (http_inspect) white space before or between messages
* 119:262 (http_inspect) HTTP URI scheme longer than 10 characters
* 119:263 (http_inspect) HTTP/1 client requested HTTP/2 upgrade
* 119:264 (http_inspect) HTTP/1 server granted HTTP/2 upgrade
+ * 119:265 (http_inspect) bad token in JavaScript
+ * 119:266 (http_inspect) unexpected script opening tag in
+ JavaScript
+ * 119:267 (http_inspect) unexpected script closing tag in
+ JavaScript
+ * 119:268 (http_inspect) JavaScript code under the external script
+ tags
* 121:1 (http2_inspect) invalid flag set on HTTP/2 frame
* 121:2 (http2_inspect) HPACK integer value has leading zeros
* 121:3 (http2_inspect) HTTP/2 stream initiated with invalid stream
* 121:31 (http2_inspect) invalid HTTP/2 window update frame
* 121:32 (http2_inspect) HTTP/2 window update frame with zero
increment
+ * 121:33 (http2_inspect) HTTP/2 request without a method
* 122:1 (port_scan) TCP portscan
* 122:2 (port_scan) TCP decoy portscan
* 122:3 (port_scan) TCP portsweep
* snort.reload_hosts(filename): load a new hosts table
* snort.pause(): suspend packet processing
* snort.resume(pkt_num): continue packet processing. If number of
- packet is specified, will resume for n packets and pause
- * snort.detach(): exit shell w/o shutdown
+ packets is specified, will resume for n packets and pause
+ * snort.detach(): detach from control shell (without shutting down)
* snort.quit(): shutdown and dump-stats
* snort.help(): this output
* trace.set(modules, constraints, ntuple, timestamp): set modules
* ftp_data (inspector): FTP data channel handler
* ftp_server (inspector): main FTP module; ftp_client should also
be configured
+ * geneve (codec): support for Geneve: Generic Network
+ Virtualization Encapsulation
* gid (ips_option): rule option specifying rule generator
* gre (codec): support for generic routing encapsulation
* gtp (codec): support for general-packet-radio-service tunneling
hosts
* host_tracker (basic): configure hosts
* hosts (basic): configure hosts
- * http2_decoded_header (ips_option): rule option to set detection
- cursor to the decoded HTTP/2 header
- * http2_frame_header (ips_option): rule option to set detection
- cursor to the 9-octet HTTP/2 frame header
* http2_inspect (inspector): HTTP/2 inspector
* http_client_body (ips_option): rule option to set the detection
cursor to the request body
* codec::esp: support for encapsulating security payload
* codec::eth: support for ethernet protocol (DLT 1) (DLT 51)
* codec::fabricpath: support for fabricpath
+ * codec::geneve: support for Geneve: Generic Network Virtualization
+ Encapsulation
* codec::gre: support for generic routing encapsulation
* codec::gtp: support for general-packet-radio-service tunneling
protocol
* ips_option::gtp_info: rule option to check gtp info element
* ips_option::gtp_type: rule option to check gtp types
* ips_option::gtp_version: rule option to check GTP version
- * ips_option::http2_decoded_header: rule option to set detection
- cursor to the decoded HTTP/2 header
- * ips_option::http2_frame_header: rule option to set detection
- cursor to the 9-octet HTTP/2 frame header
* ips_option::http_client_body: rule option to set the detection
cursor to the request body
* ips_option::http_cookie: rule option to set the detection cursor