<div class="literalblock">\r
<div class="content">\r
<pre><code> ,,_ -*> Snort++ <*-\r
-o" )~ Version 3.0.0 (Build 258)\r
+o" )~ Version 3.0.0 (Build 259)\r
'''' By Martin Roesch & The Snort Team\r
http://snort.org/contact#team\r
Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.\r
<strong>detection.offload_suspends</strong>: fast pattern search suspends due to offload context chains (sum)\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+<strong>detection.pcre_match_limit</strong>: total number of times pcre hit the match limit (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>detection.pcre_recursion_limit</strong>: total number of times pcre hit the recursion limit (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>detection.pcre_error</strong>: total number of times pcre returns error (sum)\r
+</p>\r
+</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
</li>\r
<li>\r
<p>\r
-<strong>host_cache.lru_cache_replaces</strong>: lru cache replaced existing entry (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>host_cache.lru_cache_prunes</strong>: lru cache pruned entry to make space for new entry (sum)\r
</p>\r
</li>\r
<strong>host_cache.lru_cache_removes</strong>: lru cache found entry and removed it (sum)\r
</p>\r
</li>\r
-<li>\r
-<p>\r
-<strong>host_cache.lru_cache_clears</strong>: lru cache clear API calls (sum)\r
-</p>\r
-</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-addr <strong><code>host_tracker[].ip</code></strong> = 0.0.0.0/32: hosts address / cidr\r
+addr <strong><code>host_tracker[].ip</code></strong>: hosts address / cidr\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong><code>host_tracker[].frag_policy</code></strong>: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong><code>host_tracker[].tcp_policy</code></strong>: TCP reassembly policy { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>host_tracker[].services[].name</code></strong>: service identifier\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong><code>host_tracker[].services[].proto</code></strong> = tcp: IP protocol { tcp | udp }\r
+port <strong><code>host_tracker[].services[].port</code></strong>: port number\r
</p>\r
</li>\r
<li>\r
<p>\r
-port <strong><code>host_tracker[].services[].port</code></strong>: port number\r
+enum <strong><code>host_tracker[].services[].proto</code></strong>: IP protocol { ip | tcp | udp }\r
</p>\r
</li>\r
</ul></div>\r
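Review bot: this hunk removes host_tracker[].frag_policy, host_tracker[].tcp_policy and host_tracker[].services[].name, drops the 0.0.0.0/32 default from host_tracker[].ip, and drops the tcp default from host_tracker[].services[].proto while adding ip to its allowed values. With the default gone, a services[] entry that omitted proto and relied on tcp no longer has a documented value, and a host_tracker block that still sets frag_policy, tcp_policy or a service name now refers to parameters the manual no longer lists. None of this appears in the change or deletion lists below; add entries there, and keep "= tcp" on proto unless removing the default is intentional.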
<strong>host_tracker.service_finds</strong>: host service finds (sum)\r
</p>\r
</li>\r
-<li>\r
-<p>\r
-<strong>host_tracker.service_removes</strong>: host service removes (sum)\r
-</p>\r
-</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
int <strong>finalize_packet.end_pdu</strong> = 0: Deregister for finalize packet events on this PDU { 0:max32 }\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+int <strong>finalize_packet.modify.pdu</strong> = 0: Modify verdict in finalize packet for this PDU { 0:max32 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+enum <strong>finalize_packet.modify.verdict</strong>: output format for stats { pass | block | replace | whitelist | blacklist | ignore | retry }\r
+</p>\r
+</li>\r
</ul></div>\r
<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
<div class="paragraph"><p>What: The regression test service inspector is used by regression tests that require custom service inspector support.</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
<div class="paragraph"><p>Usage: context</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+int <strong>rt_service.memcap</strong>: cap on amount of memory used\r
+</p>\r
+</li>\r
+</ul></div>\r
<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
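Review bot: rt_service.memcap is documented as "int rt_service.memcap: cap on amount of memory used" with neither a default nor a range, whereas the other int parameters in this manual carry "= default" and a "{ lo:hi }" range (compare finalize_packet.modify.pdu = 0 { 0:max32 } just above). Add both and state the unit so the generated documentation and the parameter validator agree, even for a regression-test-only inspector.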
</li>\r
<li>\r
<p>\r
-int <strong>stream.ip_cache.max_sessions</strong> = 16384: maximum simultaneous sessions tracked before pruning { 2:max32 }\r
+int <strong>stream.max_flows</strong> = 476288: maximum simultaneous flows tracked before pruning { 2:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.ip_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1:max32 }\r
+int <strong>stream.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1:max32 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.icmp_cache.max_sessions</strong> = 65536: maximum simultaneous sessions tracked before pruning { 2:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.icmp_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>stream.icmp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1:max32 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.tcp_cache.max_sessions</strong> = 262144: maximum simultaneous sessions tracked before pruning { 2:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.tcp_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>stream.tcp_cache.idle_timeout</strong> = 3600: maximum inactive time before retiring session tracker { 1:max32 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.udp_cache.max_sessions</strong> = 131072: maximum simultaneous sessions tracked before pruning { 2:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.udp_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>stream.udp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1:max32 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.user_cache.max_sessions</strong> = 1024: maximum simultaneous sessions tracked before pruning { 2:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.user_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>stream.user_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1:max32 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.file_cache.max_sessions</strong> = 128: maximum simultaneous sessions tracked before pruning { 2:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.file_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>stream.file_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1:max32 }\r
</p>\r
</li>\r
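Review bot: the six per-cache max_sessions / pruning_timeout pairs removed in the stream hunks above are replaced by a single stream.max_flows = 476288 and stream.pruning_timeout = 30, while the per-cache idle_timeout values (180 for ip, icmp, udp, user and file; 3600 for tcp) stay separate. 476288 is exactly the sum of the removed defaults (16384 + 65536 + 262144 + 131072 + 1024 + 128), so total capacity is unchanged, but the caches are no longer bounded individually: a burst of short-lived flows of one protocol can now displace trackers of another, where before each cache pruned only itself. The description of stream.max_flows should say how pruning picks victims across protocols once the shared cap is reached, and the release notes should say that a single protocol's limit can no longer be tuned on its own.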
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>stream.ip_flows</strong>: total ip sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.ip_total_prunes</strong>: total ip sessions pruned (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.ip_idle_prunes</strong>: ip sessions pruned due to timeout (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.ip_excess_prunes</strong>: ip sessions pruned due to excess (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.ip_uni_prunes</strong>: ip uni sessions pruned (sum)\r
+<strong>stream.flows</strong>: total sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip_preemptive_prunes</strong>: ip sessions pruned during preemptive pruning (sum)\r
+<strong>stream.total_prunes</strong>: total sessions pruned (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip_memcap_prunes</strong>: ip sessions pruned due to memcap (sum)\r
+<strong>stream.idle_prunes</strong>: sessions pruned due to timeout (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip_ha_prunes</strong>: ip sessions pruned by high availability sync (sum)\r
+<strong>stream.excess_prunes</strong>: sessions pruned due to excess (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp_flows</strong>: total icmp sessions (sum)\r
+<strong>stream.uni_prunes</strong>: uni sessions pruned (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp_total_prunes</strong>: total icmp sessions pruned (sum)\r
+<strong>stream.preemptive_prunes</strong>: sessions pruned during preemptive pruning (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp_idle_prunes</strong>: icmp sessions pruned due to timeout (sum)\r
+<strong>stream.memcap_prunes</strong>: sessions pruned due to memcap (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp_excess_prunes</strong>: icmp sessions pruned due to excess (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.icmp_uni_prunes</strong>: icmp uni sessions pruned (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.icmp_preemptive_prunes</strong>: icmp sessions pruned during preemptive pruning (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.icmp_memcap_prunes</strong>: icmp sessions pruned due to memcap (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.icmp_ha_prunes</strong>: icmp sessions pruned by high availability sync (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.tcp_flows</strong>: total tcp sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.tcp_total_prunes</strong>: total tcp sessions pruned (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.tcp_idle_prunes</strong>: tcp sessions pruned due to timeout (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.tcp_excess_prunes</strong>: tcp sessions pruned due to excess (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.tcp_uni_prunes</strong>: tcp uni sessions pruned (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.tcp_preemptive_prunes</strong>: tcp sessions pruned during preemptive pruning (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.tcp_memcap_prunes</strong>: tcp sessions pruned due to memcap (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.tcp_ha_prunes</strong>: tcp sessions pruned by high availability sync (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.udp_flows</strong>: total udp sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.udp_total_prunes</strong>: total udp sessions pruned (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.udp_idle_prunes</strong>: udp sessions pruned due to timeout (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.udp_excess_prunes</strong>: udp sessions pruned due to excess (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.udp_uni_prunes</strong>: udp uni sessions pruned (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.udp_preemptive_prunes</strong>: udp sessions pruned during preemptive pruning (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.udp_memcap_prunes</strong>: udp sessions pruned due to memcap (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.udp_ha_prunes</strong>: udp sessions pruned by high availability sync (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.user_flows</strong>: total user sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.user_total_prunes</strong>: total user sessions pruned (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.user_idle_prunes</strong>: user sessions pruned due to timeout (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.user_excess_prunes</strong>: user sessions pruned due to excess (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.user_uni_prunes</strong>: user uni sessions pruned (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.user_preemptive_prunes</strong>: user sessions pruned during preemptive pruning (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.user_memcap_prunes</strong>: user sessions pruned due to memcap (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.user_ha_prunes</strong>: user sessions pruned by high availability sync (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.file_flows</strong>: total file sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.file_total_prunes</strong>: total file sessions pruned (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.file_idle_prunes</strong>: file sessions pruned due to timeout (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.file_excess_prunes</strong>: file sessions pruned due to excess (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.file_uni_prunes</strong>: file uni sessions pruned (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.file_preemptive_prunes</strong>: file sessions pruned during preemptive pruning (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.file_memcap_prunes</strong>: file sessions pruned due to memcap (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.file_ha_prunes</strong>: file sessions pruned by high availability sync (sum)\r
+<strong>stream.ha_prunes</strong>: sessions pruned by high availability sync (sum)\r
</p>\r
</li>\r
</ul></div>\r
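Review bot: collapsing the per-protocol peg counts (stream.tcp_memcap_prunes, stream.udp_excess_prunes and the rest) into protocol-agnostic stream.flows and stream.*_prunes removes the ability to see which protocol's trackers are being evicted and why; the per-protocol counters that survive elsewhere in this manual (stream_tcp.prunes, stream_udp.prunes, stream_icmp.prunes, stream_ip.prunes) give a count but not the cause (idle, excess, memcap, preemptive, ha). That breakdown is what tells an operator whether a rising prune count is ordinary idle turnover or memory pressure worth investigating, so either keep a cause-tagged per-protocol view or document the loss in the release notes so monitoring can be adjusted.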
</ul></div>\r
</div>\r
<div class="sect2">\r
+<h3 id="_ber_data">ber_data</h3>\r
+<div class="paragraph"><p>What: rule option to move to the data for a specified BER element</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+int <strong>ber_data.~type</strong>: move to the data for the specified BER element type { 0:255 }\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_ber_skip">ber_skip</h3>\r
+<div class="paragraph"><p>What: rule option to skip BER element</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+int <strong>ber_skip.~type</strong>: BER element type to skip { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>ber_skip.optional</strong>: match even if the specified BER type is not found\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
<h3 id="_bufferlen">bufferlen</h3>\r
<div class="paragraph"><p>What: rule option to check length of current buffer</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
</li>\r
<li>\r
<p>\r
+int <strong>ber_data.~type</strong>: move to the data for the specified BER element type { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>ber_skip.optional</strong>: match even if the specified BER type is not found\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>ber_skip.~type</strong>: BER element type to skip { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
enum <strong><code>binder[].use.action</code></strong> = inspect: what to do with matching traffic { reset | block | allow | inspect }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+int <strong>finalize_packet.modify.pdu</strong> = 0: Modify verdict in finalize packet for this PDU { 0:max32 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+enum <strong>finalize_packet.modify.verdict</strong>: output format for stats { pass | block | replace | whitelist | blacklist | ignore | retry }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>finalize_packet.start_pdu</strong> = 0: Register to receive finalize packet event starting on this PDU { 0:max32 }\r
</p>\r
</li>\r
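Review bot: the copy-paste help text "output format for stats" for finalize_packet.modify.verdict appears again here in the alphabetical configuration list; this list is presumably generated from the same help string as the finalize_packet module section earlier in the patch, so a single correction in the module's parameter table fixes both occurrences.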
</li>\r
<li>\r
<p>\r
-enum <strong><code>host_tracker[].frag_policy</code></strong>: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-addr <strong><code>host_tracker[].ip</code></strong> = 0.0.0.0/32: hosts address / cidr\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong><code>host_tracker[].services[].name</code></strong>: service identifier\r
+addr <strong><code>host_tracker[].ip</code></strong>: hosts address / cidr\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-enum <strong><code>host_tracker[].services[].proto</code></strong> = tcp: IP protocol { tcp | udp }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong><code>host_tracker[].tcp_policy</code></strong>: TCP reassembly policy { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }\r
+enum <strong><code>host_tracker[].services[].proto</code></strong>: IP protocol { ip | tcp | udp }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+int <strong>rt_service.memcap</strong>: cap on amount of memory used\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
enum <strong><code>rule_state.([0-9]+):([0-9]+)[].action</code></strong> = inherit: apply action if rule matches or inherit from rule definition { log | pass | alert | drop | block | reset | inherit }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.file_cache.max_sessions</strong> = 128: maximum simultaneous sessions tracked before pruning { 2:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.file_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
bool <strong>stream_file.upload</strong> = false: indicate file transfer direction\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.icmp_cache.max_sessions</strong> = 65536: maximum simultaneous sessions tracked before pruning { 2:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.icmp_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>stream_icmp.session_timeout</strong> = 30: session tracking timeout { 1:max31 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.ip_cache.max_sessions</strong> = 16384: maximum simultaneous sessions tracked before pruning { 2:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.ip_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
bool <strong>stream.ip_frags_only</strong> = false: don’t process non-frag flows\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-enum <strong>stream_reassemble.action</strong>: stop or start stream reassembly { disable|enable }\r
+int <strong>stream.max_flows</strong> = 476288: maximum simultaneous flows tracked before pruning { 2:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>stream_reassemble.direction</strong>: action applies to the given direction(s) { client|server|both }\r
+int <strong>stream.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1:max32 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>stream_reassemble.fastpath</strong>: optionally whitelist the remainder of the session\r
+enum <strong>stream_reassemble.action</strong>: stop or start stream reassembly { disable|enable }\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>stream_reassemble.noalert</strong>: don’t alert when rule matches\r
+enum <strong>stream_reassemble.direction</strong>: action applies to the given direction(s) { client|server|both }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>stream_size.~direction</strong>: compare applies to the given direction(s) { either|to_server|to_client|both }\r
+implied <strong>stream_reassemble.fastpath</strong>: optionally whitelist the remainder of the session\r
</p>\r
</li>\r
<li>\r
<p>\r
-interval <strong>stream_size.~range</strong>: check if the stream size is in the given range { 0: }\r
+implied <strong>stream_reassemble.noalert</strong>: don’t alert when rule matches\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.tcp_cache.cap_weight</strong> = 11500: additional bytes to track per flow for better estimation against cap { 0:65535 }\r
+enum <strong>stream_size.~direction</strong>: compare applies to the given direction(s) { either|to_server|to_client|both }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.tcp_cache.idle_timeout</strong> = 3600: maximum inactive time before retiring session tracker { 1:max32 }\r
+interval <strong>stream_size.~range</strong>: check if the stream size is in the given range { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.tcp_cache.max_sessions</strong> = 262144: maximum simultaneous sessions tracked before pruning { 2:max32 }\r
+int <strong>stream.tcp_cache.cap_weight</strong> = 11500: additional bytes to track per flow for better estimation against cap { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.tcp_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1:max32 }\r
+int <strong>stream.tcp_cache.idle_timeout</strong> = 3600: maximum inactive time before retiring session tracker { 1:max32 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.udp_cache.max_sessions</strong> = 131072: maximum simultaneous sessions tracked before pruning { 2:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.udp_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>stream_udp.session_timeout</strong> = 30: session tracking timeout { 1:max31 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.user_cache.max_sessions</strong> = 1024: maximum simultaneous sessions tracked before pruning { 2:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-int <strong>stream.user_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1:max32 }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>stream_user.session_timeout</strong> = 30: session tracking timeout { 1:max31 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>detection.pcre_error</strong>: total number of times pcre returns error (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>detection.pcre_match_limit</strong>: total number of times pcre hit the match limit (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>detection.pcre_recursion_limit</strong>: total number of times pcre hit the recursion limit (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>detection.pkt_searches</strong>: fast pattern searches in packet data (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>host_cache.lru_cache_clears</strong>: lru cache clear API calls (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>host_cache.lru_cache_find_hits</strong>: lru cache found entry in cache (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>host_cache.lru_cache_replaces</strong>: lru cache replaced existing entry (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>host_tracker.service_adds</strong>: host service adds (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>host_tracker.service_removes</strong>: host service removes (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>http2_inspect.concurrent_sessions</strong>: total concurrent HTTP/2 sessions (now)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.file_excess_prunes</strong>: file sessions pruned due to excess (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.file_flows</strong>: total file sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.file_ha_prunes</strong>: file sessions pruned by high availability sync (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.file_idle_prunes</strong>: file sessions pruned due to timeout (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.file_memcap_prunes</strong>: file sessions pruned due to memcap (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.file_preemptive_prunes</strong>: file sessions pruned during preemptive pruning (sum)\r
+<strong>stream.excess_prunes</strong>: sessions pruned due to excess (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.file_total_prunes</strong>: total file sessions pruned (sum)\r
+<strong>stream.flows</strong>: total sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.file_uni_prunes</strong>: file uni sessions pruned (sum)\r
+<strong>stream.ha_prunes</strong>: sessions pruned by high availability sync (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp_excess_prunes</strong>: icmp sessions pruned due to excess (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.icmp_flows</strong>: total icmp sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.icmp_ha_prunes</strong>: icmp sessions pruned by high availability sync (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.icmp_idle_prunes</strong>: icmp sessions pruned due to timeout (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>stream_icmp.max</strong>: max icmp sessions (max)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp_memcap_prunes</strong>: icmp sessions pruned due to memcap (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.icmp_preemptive_prunes</strong>: icmp sessions pruned during preemptive pruning (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>stream_icmp.prunes</strong>: icmp session prunes (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp_total_prunes</strong>: total icmp sessions pruned (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.icmp_uni_prunes</strong>: icmp uni sessions pruned (sum)\r
+<strong>stream.idle_prunes</strong>: sessions pruned due to timeout (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip_excess_prunes</strong>: ip sessions pruned due to excess (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.ip_flows</strong>: total ip sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>stream_ip.fragmented_bytes</strong>: total fragmented bytes (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip_ha_prunes</strong>: ip sessions pruned by high availability sync (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.ip_idle_prunes</strong>: ip sessions pruned due to timeout (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>stream_ip.max_frags</strong>: max fragments (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip_memcap_prunes</strong>: ip sessions pruned due to memcap (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>stream_ip.nodes_deleted</strong>: fragments deleted from tracker (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip_preemptive_prunes</strong>: ip sessions pruned during preemptive pruning (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>stream_ip.prunes</strong>: ip session prunes (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip_total_prunes</strong>: total ip sessions pruned (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>stream_ip.trackers_added</strong>: datagram trackers created (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip_uni_prunes</strong>: ip uni sessions pruned (sum)\r
+<strong>stream.memcap_prunes</strong>: sessions pruned due to memcap (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.preemptive_prunes</strong>: sessions pruned during preemptive pruning (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp_excess_prunes</strong>: tcp sessions pruned due to excess (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>stream_tcp.fins</strong>: number of fin packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp_flows</strong>: total tcp sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>stream_tcp.gaps</strong>: missing data between PDUs (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp_ha_prunes</strong>: tcp sessions pruned by high availability sync (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>stream_tcp.held_packet_limit_exceeded</strong>: number of times limit of max held packets exceeded (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp_idle_prunes</strong>: tcp sessions pruned due to timeout (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>stream_tcp.ignored</strong>: tcp packets ignored (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp_memcap_prunes</strong>: tcp sessions pruned due to memcap (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>stream_tcp.memory</strong>: current memory in use (now)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp_preemptive_prunes</strong>: tcp sessions pruned during preemptive pruning (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>stream_tcp.prunes</strong>: tcp session prunes (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp_total_prunes</strong>: total tcp sessions pruned (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.tcp_uni_prunes</strong>: tcp uni sessions pruned (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>stream_tcp.untracked</strong>: tcp packets not tracked (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_udp.created</strong>: udp session trackers created (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.udp_excess_prunes</strong>: udp sessions pruned due to excess (sum)\r
+<strong>stream.total_prunes</strong>: total sessions pruned (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp_flows</strong>: total udp sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.udp_ha_prunes</strong>: udp sessions pruned by high availability sync (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.udp_idle_prunes</strong>: udp sessions pruned due to timeout (sum)\r
+<strong>stream_udp.created</strong>: udp session trackers created (sum)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp_memcap_prunes</strong>: udp sessions pruned due to memcap (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.udp_preemptive_prunes</strong>: udp sessions pruned during preemptive pruning (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>stream_udp.prunes</strong>: udp session prunes (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp_total_prunes</strong>: total udp sessions pruned (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.udp_uni_prunes</strong>: udp uni sessions pruned (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.user_excess_prunes</strong>: user sessions pruned due to excess (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.user_flows</strong>: total user sessions (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.user_ha_prunes</strong>: user sessions pruned by high availability sync (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.user_idle_prunes</strong>: user sessions pruned due to timeout (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.user_memcap_prunes</strong>: user sessions pruned due to memcap (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.user_preemptive_prunes</strong>: user sessions pruned during preemptive pruning (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.user_total_prunes</strong>: total user sessions pruned (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>stream.user_uni_prunes</strong>: user uni sessions pruned (sum)\r
+<strong>stream.uni_prunes</strong>: uni sessions pruned (sum)\r
</p>\r
</li>\r
<li>\r
change -> ssh: 'server_ports' ==> 'bindings'\r
change -> ssl: 'ports' ==> 'bindings'\r
change -> stream5_global: 'max_active_responses' ==> 'max_responses'\r
-change -> stream5_global: 'max_icmp' ==> 'max_sessions'\r
-change -> stream5_global: 'max_ip' ==> 'max_sessions'\r
-change -> stream5_global: 'max_tcp' ==> 'max_sessions'\r
-change -> stream5_global: 'max_udp' ==> 'max_sessions'\r
change -> stream5_global: 'min_response_seconds' ==> 'min_interval'\r
-change -> stream5_global: 'tcp_cache_nominal_timeout' ==> 'pruning_timeout'\r
-change -> stream5_global: 'tcp_cache_pruning_timeout' ==> 'idle_timeout'\r
+change -> stream5_global: 'tcp_cache_nominal_timeout' ==> 'idle_timeout'\r
change -> stream5_global: 'udp_cache_nominal_timeout' ==> 'idle_timeout'\r
-change -> stream5_global: 'udp_cache_pruning_timeout' ==> 'pruning_timeout'\r
change -> stream5_ha: 'min_session_lifetime' ==> 'min_age'\r
change -> stream5_ha: 'min_sync_interval' ==> 'min_sync'\r
change -> stream5_ha: 'stream5_ha' ==> 'high_availability'\r
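Review bot: the snort2lua conversion table loses the four stream5_global max_tcp / max_udp / max_icmp / max_ip ==> max_sessions renames and both *_cache_pruning_timeout ==> pruning_timeout renames, yet the new configuration still has stream.max_flows and stream.pruning_timeout, so these legacy keys have obvious targets. If the converter now folds the four max_* values into max_flows (the new default is exactly their sum) and maps the pruning timeouts to stream.pruning_timeout, list those as changes; if it drops them, they belong in the deleted-options list, otherwise a tuned Snort 2 configuration silently falls back to defaults after migration. Changing tcp_cache_nominal_timeout to map to idle_timeout does make it consistent with the udp_cache_nominal_timeout line, which is an improvement.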
</li>\r
<li>\r
<p>\r
+<strong>ber_data</strong> (ips_option): rule option to move to the data for a specified BER element\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>ber_skip</strong> (ips_option): rule option to skip BER element\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>binder</strong> (inspector): configure processing based on CIDRs, ports, services, etc.\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>ips_option::ber_data</strong>: rule option to move to the data for a specified BER element\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>ips_option::ber_skip</strong>: rule option to skip BER element\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>ips_option::bufferlen</strong>: rule option to check length of current buffer\r
</p>\r
</li>\r
<div id="footer">\r
<div id="footer-text">\r
Last updated\r
- 2019-07-17 09:38:43 EDT\r
+ 2019-08-21 14:26:59 EDT\r
</div>\r
</div>\r
</body>\r
11.2. appids
11.3. asn1
11.4. base64_decode
- 11.5. bufferlen
- 11.6. byte_extract
- 11.7. byte_jump
- 11.8. byte_math
- 11.9. byte_test
- 11.10. classtype
- 11.11. content
- 11.12. cvs
- 11.13. dce_iface
- 11.14. dce_opnum
- 11.15. dce_stub_data
- 11.16. detection_filter
- 11.17. dnp3_data
- 11.18. dnp3_func
- 11.19. dnp3_ind
- 11.20. dnp3_obj
- 11.21. dsize
- 11.22. file_data
- 11.23. file_type
- 11.24. flags
- 11.25. flow
- 11.26. flowbits
- 11.27. fragbits
- 11.28. fragoffset
- 11.29. gid
- 11.30. gtp_info
- 11.31. gtp_type
- 11.32. gtp_version
- 11.33. http2_frame_data
- 11.34. http2_frame_header
- 11.35. http_client_body
- 11.36. http_cookie
- 11.37. http_header
- 11.38. http_method
- 11.39. http_raw_body
- 11.40. http_raw_cookie
- 11.41. http_raw_header
- 11.42. http_raw_request
- 11.43. http_raw_status
- 11.44. http_raw_trailer
- 11.45. http_raw_uri
- 11.46. http_stat_code
- 11.47. http_stat_msg
- 11.48. http_trailer
- 11.49. http_true_ip
- 11.50. http_uri
- 11.51. http_version
- 11.52. icmp_id
- 11.53. icmp_seq
- 11.54. icode
- 11.55. id
- 11.56. ip_proto
- 11.57. ipopts
- 11.58. isdataat
- 11.59. itype
- 11.60. md5
- 11.61. metadata
- 11.62. modbus_data
- 11.63. modbus_func
- 11.64. modbus_unit
- 11.65. msg
- 11.66. mss
- 11.67. pcre
- 11.68. pkt_data
- 11.69. pkt_num
- 11.70. priority
- 11.71. raw_data
- 11.72. reference
- 11.73. regex
- 11.74. rem
- 11.75. replace
- 11.76. rev
- 11.77. rpc
- 11.78. sd_pattern
- 11.79. seq
- 11.80. service
- 11.81. session
- 11.82. sha256
- 11.83. sha512
- 11.84. sid
- 11.85. sip_body
- 11.86. sip_header
- 11.87. sip_method
- 11.88. sip_stat_code
- 11.89. so
- 11.90. soid
- 11.91. ssl_state
- 11.92. ssl_version
- 11.93. stream_reassemble
- 11.94. stream_size
- 11.95. tag
- 11.96. target
- 11.97. tos
- 11.98. ttl
- 11.99. urg
- 11.100. window
- 11.101. wscale
+ 11.5. ber_data
+ 11.6. ber_skip
+ 11.7. bufferlen
+ 11.8. byte_extract
+ 11.9. byte_jump
+ 11.10. byte_math
+ 11.11. byte_test
+ 11.12. classtype
+ 11.13. content
+ 11.14. cvs
+ 11.15. dce_iface
+ 11.16. dce_opnum
+ 11.17. dce_stub_data
+ 11.18. detection_filter
+ 11.19. dnp3_data
+ 11.20. dnp3_func
+ 11.21. dnp3_ind
+ 11.22. dnp3_obj
+ 11.23. dsize
+ 11.24. file_data
+ 11.25. file_type
+ 11.26. flags
+ 11.27. flow
+ 11.28. flowbits
+ 11.29. fragbits
+ 11.30. fragoffset
+ 11.31. gid
+ 11.32. gtp_info
+ 11.33. gtp_type
+ 11.34. gtp_version
+ 11.35. http2_frame_data
+ 11.36. http2_frame_header
+ 11.37. http_client_body
+ 11.38. http_cookie
+ 11.39. http_header
+ 11.40. http_method
+ 11.41. http_raw_body
+ 11.42. http_raw_cookie
+ 11.43. http_raw_header
+ 11.44. http_raw_request
+ 11.45. http_raw_status
+ 11.46. http_raw_trailer
+ 11.47. http_raw_uri
+ 11.48. http_stat_code
+ 11.49. http_stat_msg
+ 11.50. http_trailer
+ 11.51. http_true_ip
+ 11.52. http_uri
+ 11.53. http_version
+ 11.54. icmp_id
+ 11.55. icmp_seq
+ 11.56. icode
+ 11.57. id
+ 11.58. ip_proto
+ 11.59. ipopts
+ 11.60. isdataat
+ 11.61. itype
+ 11.62. md5
+ 11.63. metadata
+ 11.64. modbus_data
+ 11.65. modbus_func
+ 11.66. modbus_unit
+ 11.67. msg
+ 11.68. mss
+ 11.69. pcre
+ 11.70. pkt_data
+ 11.71. pkt_num
+ 11.72. priority
+ 11.73. raw_data
+ 11.74. reference
+ 11.75. regex
+ 11.76. rem
+ 11.77. replace
+ 11.78. rev
+ 11.79. rpc
+ 11.80. sd_pattern
+ 11.81. seq
+ 11.82. service
+ 11.83. session
+ 11.84. sha256
+ 11.85. sha512
+ 11.86. sid
+ 11.87. sip_body
+ 11.88. sip_header
+ 11.89. sip_method
+ 11.90. sip_stat_code
+ 11.91. so
+ 11.92. soid
+ 11.93. ssl_state
+ 11.94. ssl_version
+ 11.95. stream_reassemble
+ 11.96. stream_size
+ 11.97. tag
+ 11.98. target
+ 11.99. tos
+ 11.100. ttl
+ 11.101. urg
+ 11.102. window
+ 11.103. wscale
12. Search Engine Modules
13. SO Rule Modules
Snorty
,,_ -*> Snort++ <*-
-o" )~ Version 3.0.0 (Build 258)
+o" )~ Version 3.0.0 (Build 259)
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
(sum)
* detection.offload_suspends: fast pattern search suspends due to
offload context chains (sum)
+ * detection.pcre_match_limit: total number of times pcre hit the
+ match limit (sum)
+ * detection.pcre_recursion_limit: total number of times pcre hit
+ the recursion limit (sum)
+ * detection.pcre_error: total number of times pcre returns error
+ (sum)
6.8. event_filter
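Review bot: The three help strings say a limit was hit but not what happened to the rule being evaluated; please state whether the pcre option is treated as a non-match when the match or recursion limit is reached, and name the configuration the limits come from, because an operator watching detection.pcre_match_limit climb needs to know whether it signals a detection gap that a crafted payload could drive deliberately, or only a performance statistic. 'total number of times pcre returns error' would also be clearer as 'pcre returned an error other than a limit hit' if that is how the three counters partition the failures; as written a reader cannot tell whether a limit hit is counted once or twice.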
Peg counts:
* host_cache.lru_cache_adds: lru cache added new entry (sum)
- * host_cache.lru_cache_replaces: lru cache replaced existing entry
- (sum)
* host_cache.lru_cache_prunes: lru cache pruned entry to make space
for new entry (sum)
* host_cache.lru_cache_find_hits: lru cache found entry in cache
cache (sum)
* host_cache.lru_cache_removes: lru cache found entry and removed
it (sum)
- * host_cache.lru_cache_clears: lru cache clear API calls (sum)
6.12. host_tracker
Configuration:
- * addr host_tracker[].ip = 0.0.0.0/32: hosts address / cidr
- * enum host_tracker[].frag_policy: defragmentation policy { first |
- linux | bsd | bsd_right | last | windows | solaris }
- * enum host_tracker[].tcp_policy: TCP reassembly policy { first |
- last | linux | old_linux | bsd | macos | solaris | irix | hpux11
- | hpux10 | windows | win_2003 | vista | proxy }
- * string host_tracker[].services[].name: service identifier
- * enum host_tracker[].services[].proto = tcp: IP protocol { tcp |
- udp }
+ * addr host_tracker[].ip: hosts address / cidr
* port host_tracker[].services[].port: port number
+ * enum host_tracker[].services[].proto: IP protocol { ip | tcp |
+ udp }
Peg counts:
* host_tracker.service_adds: host service adds (sum)
* host_tracker.service_finds: host service finds (sum)
- * host_tracker.service_removes: host service removes (sum)
6.13. hosts
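Review bot: Three silent behaviour changes in host_tracker need a sentence each: host_tracker[].ip loses its 0.0.0.0/32 default, so say whether ip is now required; host_tracker[].services[].name is gone, so say how a service entry is identified (port plus proto only?); and services[].proto drops its tcp default while gaining ip, so an existing config that omitted proto and relied on tcp now either errors or means something else. The removed frag_policy and tcp_policy entries should be replaced by a pointer to where those policies are configured now rather than simply vanishing from the section. For host_cache, dropping lru_cache_replaces and lru_cache_clears, and host_tracker.service_removes, is fine if the code paths went away, but if an entry can still be replaced or a service still removed, these were the only counters showing it.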
packet event starting on this PDU { 0:max32 }
* int finalize_packet.end_pdu = 0: Deregister for finalize packet
events on this PDU { 0:max32 }
+ * int finalize_packet.modify.pdu = 0: Modify verdict in finalize
+ packet for this PDU { 0:max32 }
+ * enum finalize_packet.modify.verdict: output format for stats {
+ pass | block | replace | whitelist | blacklist | ignore | retry }
Peg counts:
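Review bot: The help string for finalize_packet.modify.verdict, 'output format for stats', is wrong for this parameter: it configures a verdict to apply, not a stats format, so it should read along the lines of 'verdict to set in the finalize packet event for the PDU given by modify.pdu'. The enum has no default while modify.pdu defaults to 0; say what happens when only one of the pair is set, so the test module's behaviour is predictable.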
Usage: context
+Configuration:
+
+ * int rt_service.memcap: cap on amount of memory used
+
Peg counts:
* rt_service.packets: total packets (sum)
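Review bot: rt_service.memcap is the only int in this patch with neither a default nor a range, and 'cap on amount of memory used' gives no unit; every other int here carries `= N` and `{ lo:hi }` (compare finalize_packet.end_pdu = 0 { 0:max32 } above). Please add the unit (bytes?), a default and a range, since a memcap that can be set to 0 or left unbounded behaves very differently under load.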
* int stream.footprint = 0: use zero for production, non-zero for
testing at given size (for TCP and user) { 0:max32 }
* bool stream.ip_frags_only = false: don’t process non-frag flows
- * int stream.ip_cache.max_sessions = 16384: maximum simultaneous
- sessions tracked before pruning { 2:max32 }
- * int stream.ip_cache.pruning_timeout = 30: minimum inactive time
- before being eligible for pruning { 1:max32 }
+ * int stream.max_flows = 476288: maximum simultaneous flows tracked
+ before pruning { 2:max32 }
+ * int stream.pruning_timeout = 30: minimum inactive time before
+ being eligible for pruning { 1:max32 }
* int stream.ip_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 }
* int stream.ip_cache.cap_weight = 64: additional bytes to track
per flow for better estimation against cap { 0:65535 }
- * int stream.icmp_cache.max_sessions = 65536: maximum simultaneous
- sessions tracked before pruning { 2:max32 }
- * int stream.icmp_cache.pruning_timeout = 30: minimum inactive time
- before being eligible for pruning { 1:max32 }
* int stream.icmp_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 }
* int stream.icmp_cache.cap_weight = 8: additional bytes to track
per flow for better estimation against cap { 0:65535 }
- * int stream.tcp_cache.max_sessions = 262144: maximum simultaneous
- sessions tracked before pruning { 2:max32 }
- * int stream.tcp_cache.pruning_timeout = 30: minimum inactive time
- before being eligible for pruning { 1:max32 }
* int stream.tcp_cache.idle_timeout = 3600: maximum inactive time
before retiring session tracker { 1:max32 }
* int stream.tcp_cache.cap_weight = 11500: additional bytes to
track per flow for better estimation against cap { 0:65535 }
- * int stream.udp_cache.max_sessions = 131072: maximum simultaneous
- sessions tracked before pruning { 2:max32 }
- * int stream.udp_cache.pruning_timeout = 30: minimum inactive time
- before being eligible for pruning { 1:max32 }
* int stream.udp_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 }
* int stream.udp_cache.cap_weight = 128: additional bytes to track
per flow for better estimation against cap { 0:65535 }
- * int stream.user_cache.max_sessions = 1024: maximum simultaneous
- sessions tracked before pruning { 2:max32 }
- * int stream.user_cache.pruning_timeout = 30: minimum inactive time
- before being eligible for pruning { 1:max32 }
* int stream.user_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 }
* int stream.user_cache.cap_weight = 256: additional bytes to track
per flow for better estimation against cap { 0:65535 }
- * int stream.file_cache.max_sessions = 128: maximum simultaneous
- sessions tracked before pruning { 2:max32 }
- * int stream.file_cache.pruning_timeout = 30: minimum inactive time
- before being eligible for pruning { 1:max32 }
* int stream.file_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 }
* int stream.file_cache.cap_weight = 32: additional bytes to track
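Review bot: The new stream.max_flows default of 476288 is exactly the sum of the six per-cache maximums removed above (16384 + 65536 + 262144 + 131072 + 1024 + 128), so total capacity is unchanged, but the help text should say that this is now one shared pool: under the old per-cache caps a UDP or ICMP flood could exhaust only its own table, whereas now those flows compete with TCP for the same 476288 slots, and the text should state how pruning picks victims across protocols when the cap is hit. Note also the asymmetry this hunk introduces: pruning_timeout becomes global while idle_timeout stays per cache (ip, icmp, tcp, udp, user, file); if that is intended, one sentence on why the idle value is protocol-specific but the pruning value is not would save tuning mistakes.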
Peg counts:
- * stream.ip_flows: total ip sessions (sum)
- * stream.ip_total_prunes: total ip sessions pruned (sum)
- * stream.ip_idle_prunes: ip sessions pruned due to timeout (sum)
- * stream.ip_excess_prunes: ip sessions pruned due to excess (sum)
- * stream.ip_uni_prunes: ip uni sessions pruned (sum)
- * stream.ip_preemptive_prunes: ip sessions pruned during preemptive
+ * stream.flows: total sessions (sum)
+ * stream.total_prunes: total sessions pruned (sum)
+ * stream.idle_prunes: sessions pruned due to timeout (sum)
+ * stream.excess_prunes: sessions pruned due to excess (sum)
+ * stream.uni_prunes: uni sessions pruned (sum)
+ * stream.preemptive_prunes: sessions pruned during preemptive
pruning (sum)
- * stream.ip_memcap_prunes: ip sessions pruned due to memcap (sum)
- * stream.ip_ha_prunes: ip sessions pruned by high availability sync
- (sum)
- * stream.icmp_flows: total icmp sessions (sum)
- * stream.icmp_total_prunes: total icmp sessions pruned (sum)
- * stream.icmp_idle_prunes: icmp sessions pruned due to timeout
- (sum)
- * stream.icmp_excess_prunes: icmp sessions pruned due to excess
- (sum)
- * stream.icmp_uni_prunes: icmp uni sessions pruned (sum)
- * stream.icmp_preemptive_prunes: icmp sessions pruned during
- preemptive pruning (sum)
- * stream.icmp_memcap_prunes: icmp sessions pruned due to memcap
- (sum)
- * stream.icmp_ha_prunes: icmp sessions pruned by high availability
- sync (sum)
- * stream.tcp_flows: total tcp sessions (sum)
- * stream.tcp_total_prunes: total tcp sessions pruned (sum)
- * stream.tcp_idle_prunes: tcp sessions pruned due to timeout (sum)
- * stream.tcp_excess_prunes: tcp sessions pruned due to excess (sum)
- * stream.tcp_uni_prunes: tcp uni sessions pruned (sum)
- * stream.tcp_preemptive_prunes: tcp sessions pruned during
- preemptive pruning (sum)
- * stream.tcp_memcap_prunes: tcp sessions pruned due to memcap (sum)
- * stream.tcp_ha_prunes: tcp sessions pruned by high availability
- sync (sum)
- * stream.udp_flows: total udp sessions (sum)
- * stream.udp_total_prunes: total udp sessions pruned (sum)
- * stream.udp_idle_prunes: udp sessions pruned due to timeout (sum)
- * stream.udp_excess_prunes: udp sessions pruned due to excess (sum)
- * stream.udp_uni_prunes: udp uni sessions pruned (sum)
- * stream.udp_preemptive_prunes: udp sessions pruned during
- preemptive pruning (sum)
- * stream.udp_memcap_prunes: udp sessions pruned due to memcap (sum)
- * stream.udp_ha_prunes: udp sessions pruned by high availability
- sync (sum)
- * stream.user_flows: total user sessions (sum)
- * stream.user_total_prunes: total user sessions pruned (sum)
- * stream.user_idle_prunes: user sessions pruned due to timeout
- (sum)
- * stream.user_excess_prunes: user sessions pruned due to excess
- (sum)
- * stream.user_uni_prunes: user uni sessions pruned (sum)
- * stream.user_preemptive_prunes: user sessions pruned during
- preemptive pruning (sum)
- * stream.user_memcap_prunes: user sessions pruned due to memcap
- (sum)
- * stream.user_ha_prunes: user sessions pruned by high availability
- sync (sum)
- * stream.file_flows: total file sessions (sum)
- * stream.file_total_prunes: total file sessions pruned (sum)
- * stream.file_idle_prunes: file sessions pruned due to timeout
- (sum)
- * stream.file_excess_prunes: file sessions pruned due to excess
- (sum)
- * stream.file_uni_prunes: file uni sessions pruned (sum)
- * stream.file_preemptive_prunes: file sessions pruned during
- preemptive pruning (sum)
- * stream.file_memcap_prunes: file sessions pruned due to memcap
- (sum)
- * stream.file_ha_prunes: file sessions pruned by high availability
- sync (sum)
+ * stream.memcap_prunes: sessions pruned due to memcap (sum)
+ * stream.ha_prunes: sessions pruned by high availability sync (sum)
9.42. stream_file
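Review bot: Collapsing the per-protocol counters into one set loses the breakdown by prune reason per protocol: after this change an operator who sees stream.excess_prunes or stream.memcap_prunes climbing cannot tell from these pegs whether UDP, ICMP or TCP flows were evicted, which is exactly what distinguishes a flow-table exhaustion attack from a TCP capacity problem. Since the per-module trackers keep their own counts (stream_icmp.prunes and stream_ip.prunes survive elsewhere in this patch), add a sentence here pointing readers to those for per-protocol triage, and state that the reason split (idle, excess, uni, preemptive, memcap, ha) is now aggregate only.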
start of buffer
-11.5. bufferlen
+11.5. ber_data
+
+--------------
+
+What: rule option to move to the data for a specified BER element
+
+Type: ips_option
+
+Usage: detect
+
+Configuration:
+
+ * int ber_data.~type: move to the data for the specified BER
+ element type { 0:255 }
+
+
+11.6. ber_skip
+
+--------------
+
+What: rule option to skip BER element
+
+Type: ips_option
+
+Usage: detect
+
+Configuration:
+
+ * int ber_skip.~type: BER element type to skip { 0:255 }
+ * implied ber_skip.optional: match even if the specified BER type
+ is not found
+
+
+11.7. bufferlen
--------------
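Review bot: Neither new section says what happens when the cursor is not on an element of the requested type or when the element's length runs past the end of the buffer, and for BER that is the case that matters because the tag and length octets are attacker controlled: please state whether ber_data fails to match (so the rule does not fire) on a type mismatch or on a truncated or oversized length, whether long-form (multi-byte) and indefinite lengths are handled, and where the cursor lands afterwards ('move to the data' presumably means just past the tag and length octets, but say so). ber_skip documents an optional flag so a rule can tolerate an absent element while ber_data has none; if that asymmetry is deliberate, a one-line note stops rule writers from looking for it. Both `~type` entries give the range { 0:255 } without saying whether the value is the full identifier octet (class and constructed bits included) or only the tag number, and that decides which number a rule must use.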
in given range { 0:65535 }
-11.6. byte_extract
+11.8. byte_extract
--------------
value before storage in name { 0x1:0xFFFFFFFF }
-11.7. byte_jump
+11.9. byte_jump
--------------
0x1:0xFFFFFFFF }
-11.8. byte_math
+11.10. byte_math
--------------
value before storage in name { 0x1:0xFFFFFFFF }
-11.9. byte_test
+11.11. byte_test
--------------
0x1:0xFFFFFFFF }
-11.10. classtype
+11.12. classtype
--------------
* string classtype.~: classification for this rule
-11.11. content
+11.13. content
--------------
from cursor
-11.12. cvs
+11.14. cvs
--------------
* implied cvs.invalid-entry: looks for an invalid Entry string
-11.13. dce_iface
+11.15. dce_iface
--------------
* implied dce_iface.any_frag: match on any fragment
-11.14. dce_opnum
+11.16. dce_opnum
--------------
list
-11.15. dce_stub_data
+11.17. dce_stub_data
--------------
Usage: detect
-11.16. detection_filter
+11.18. detection_filter
--------------
1:max32 }
-11.17. dnp3_data
+11.19. dnp3_data
--------------
Usage: detect
-11.18. dnp3_func
+11.20. dnp3_func
--------------
* string dnp3_func.~: match DNP3 function code or name
-11.19. dnp3_ind
+11.21. dnp3_ind
--------------
* string dnp3_ind.~: match given DNP3 indicator flags
-11.20. dnp3_obj
+11.22. dnp3_obj
--------------
}
-11.21. dsize
+11.23. dsize
--------------
given range { 0:65535 }
-11.22. file_data
+11.24. file_data
--------------
Usage: detect
-11.23. file_type
+11.25. file_type
--------------
* string file_type.~: list of file type IDs to match
-11.24. flags
+11.26. flags
--------------
* string flags.~mask_flags: these flags are don’t cares
-11.25. flow
+11.27. flow
--------------
* implied flow.only_frag: match on defragmented packets only
-11.26. flowbits
+11.28. flowbits
--------------
* string flowbits.~arg2: group if arg1 is bits
-11.27. fragbits
+11.29. fragbits
--------------
* string fragbits.~flags: these flags are tested
-11.28. fragoffset
+11.30. fragoffset
--------------
given range { 0:8192 }
-11.29. gid
+11.31. gid
--------------
* int gid.~: generator id { 1:max32 }
-11.30. gtp_info
+11.32. gtp_info
--------------
* string gtp_info.~: info element to match
-11.31. gtp_type
+11.33. gtp_type
--------------
* string gtp_type.~: list of types to match
-11.32. gtp_version
+11.34. gtp_version
--------------
* int gtp_version.~: version to match { 0:2 }
-11.33. http2_frame_data
+11.35. http2_frame_data
--------------
Usage: detect
-11.34. http2_frame_header
+11.36. http2_frame_header
--------------
Usage: detect
-11.35. http_client_body
+11.37. http_client_body
--------------
Usage: detect
-11.36. http_cookie
+11.38. http_cookie
--------------
message trailers
-11.37. http_header
+11.39. http_header
--------------
message trailers
-11.38. http_method
+11.40. http_method
--------------
message trailers
-11.39. http_raw_body
+11.41. http_raw_body
--------------
Usage: detect
-11.40. http_raw_cookie
+11.42. http_raw_cookie
--------------
HTTP message trailers
-11.41. http_raw_header
+11.43. http_raw_header
--------------
HTTP message trailers
-11.42. http_raw_request
+11.44. http_raw_request
--------------
HTTP message trailers
-11.43. http_raw_status
+11.45. http_raw_status
--------------
HTTP message trailers
-11.44. http_raw_trailer
+11.46. http_raw_trailer
--------------
HTTP response message body (must be combined with request)
-11.45. http_raw_uri
+11.47. http_raw_uri
--------------
URI only
-11.46. http_stat_code
+11.48. http_stat_code
--------------
HTTP message trailers
-11.47. http_stat_msg
+11.49. http_stat_msg
--------------
HTTP message trailers
-11.48. http_trailer
+11.50. http_trailer
--------------
message body (must be combined with request)
-11.49. http_true_ip
+11.51. http_true_ip
--------------
HTTP message trailers
-11.50. http_uri
+11.52. http_uri
--------------
only
-11.51. http_version
+11.53. http_version
--------------
HTTP message trailers
-11.52. icmp_id
+11.54. icmp_id
--------------
0:65535 }
-11.53. icmp_seq
+11.55. icmp_seq
--------------
given range { 0:65535 }
-11.54. icode
+11.56. icode
--------------
0:255 }
-11.55. id
+11.57. id
--------------
}
-11.56. ip_proto
+11.58. ip_proto
--------------
* string ip_proto.~proto: [!|>|<] name or number
-11.57. ipopts
+11.59. ipopts
--------------
lsrre|ssrr|satid|any }
-11.58. isdataat
+11.60. isdataat
--------------
buffer
-11.59. itype
+11.61. itype
--------------
0:255 }
-11.60. md5
+11.62. md5
--------------
of buffer
-11.61. metadata
+11.63. metadata
--------------
pairs
-11.62. modbus_data
+11.64. modbus_data
--------------
Usage: detect
-11.63. modbus_func
+11.65. modbus_func
--------------
* string modbus_func.~: function code to match
-11.64. modbus_unit
+11.66. modbus_unit
--------------
* int modbus_unit.~: Modbus unit ID { 0:255 }
-11.65. msg
+11.67. msg
--------------
* string msg.~: message describing rule
-11.66. mss
+11.68. mss
--------------
}
-11.67. pcre
+11.69. pcre
--------------
* string pcre.~re: Snort regular expression
-11.68. pkt_data
+11.70. pkt_data
--------------
Usage: detect
-11.69. pkt_num
+11.71. pkt_num
--------------
{ 1: }
-11.70. priority
+11.72. priority
--------------
1:max31 }
-11.71. raw_data
+11.73. raw_data
--------------
Usage: detect
-11.72. reference
+11.74. reference
--------------
* string reference.~id: reference id
-11.73. regex
+11.75. regex
--------------
instead of start of buffer
-11.74. rem
+11.76. rem
--------------
* string rem.~: comment
-11.75. replace
+11.77. replace
--------------
* string replace.~: byte code to replace with
-11.76. rev
+11.78. rev
--------------
* int rev.~: revision { 1:max32 }
-11.77. rpc
+11.79. rpc
--------------
* string rpc.~proc: procedure number or * for any
-11.78. sd_pattern
+11.80. sd_pattern
--------------
* sd_pattern.terminated: hyperscan terminated (sum)
-11.79. seq
+11.81. seq
--------------
range { 0: }
-11.80. service
+11.82. service
--------------
* string service.*: one or more comma-separated service names
-11.81. session
+11.83. session
--------------
* enum session.~mode: output format { printable|binary|all }
-11.82. sha256
+11.84. sha256
--------------
start of buffer
-11.83. sha512
+11.85. sha512
--------------
start of buffer
-11.84. sid
+11.86. sid
--------------
* int sid.~: signature id { 1:max32 }
-11.85. sip_body
+11.87. sip_body
--------------
Usage: detect
-11.86. sip_header
+11.88. sip_header
--------------
Usage: detect
-11.87. sip_method
+11.89. sip_method
--------------
* string sip_method.*method: sip method
-11.88. sip_stat_code
+11.90. sip_stat_code
--------------
* int sip_stat_code.*code: status code { 1:999 }
-11.89. so
+11.91. so
--------------
buffer
-11.90. soid
+11.92. soid
--------------
like 3_45678_9
-11.91. ssl_state
+11.93. ssl_state
--------------
unknown
-11.92. ssl_version
+11.94. ssl_version
--------------
tls1.2
-11.93. stream_reassemble
+11.95. stream_reassemble
--------------
remainder of the session
-11.94. stream_size
+11.96. stream_size
--------------
direction(s) { either|to_server|to_client|both }
-11.95. tag
+11.97. tag
--------------
* int tag.bytes: tag for this many bytes { 1:max32 }
-11.96. target
+11.98. target
--------------
dst_ip }
-11.97. tos
+11.99. tos
--------------
* interval tos.~range: check if IP TOS is in given range { 0:255 }
-11.98. ttl
+11.100. ttl
--------------
0:255 }
-11.99. urg
+11.101. urg
--------------
{ 0:65535 }
-11.100. window
+11.102. window
--------------
range { 0:65535 }
-11.101. wscale
+11.103. wscale
--------------
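Review bot: Nothing to change in the renumbering hunks from 11.8 byte_extract through 11.103 wscale: each heading moves by exactly two, which matches the two new sections inserted at 11.5 and 11.6 and the TOC entries 11.7 bufferlen through 11.103 wscale elsewhere in this patch.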
decoding { 0:max32 }
* implied base64_decode.relative: apply offset to cursor instead of
start of buffer
+ * int ber_data.~type: move to the data for the specified BER
+ element type { 0:255 }
+ * implied ber_skip.optional: match even if the specified BER type
+ is not found
+ * int ber_skip.~type: BER element type to skip { 0:255 }
* enum binder[].use.action = inspect: what to do with matching
traffic { reset | block | allow | inspect }
* string binder[].use.file: use configuration in given file
* string file_type.~: list of file type IDs to match
* int finalize_packet.end_pdu = 0: Deregister for finalize packet
events on this PDU { 0:max32 }
+ * int finalize_packet.modify.pdu = 0: Modify verdict in finalize
+ packet for this PDU { 0:max32 }
+ * enum finalize_packet.modify.verdict: output format for stats {
+ pass | block | replace | whitelist | blacklist | ignore | retry }
* int finalize_packet.start_pdu = 0: Register to receive finalize
packet event starting on this PDU { 0:max32 }
* string flags.~mask_flags: these flags are don’t cares
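Review bot: The same 'output format for stats' help string for finalize_packet.modify.verdict reaches the alphabetical index here, which suggests the index is generated from the module help; fix the string at its source rather than in the index so the module section and this list cannot drift apart, and verify the regenerated entry once the wording is corrected.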
* enum hosts[].tcp_policy: TCP reassembly policy { first | last |
linux | old_linux | bsd | macos | solaris | irix | hpux11 |
hpux10 | windows | win_2003 | vista | proxy }
- * enum host_tracker[].frag_policy: defragmentation policy { first |
- linux | bsd | bsd_right | last | windows | solaris }
- * addr host_tracker[].ip = 0.0.0.0/32: hosts address / cidr
- * string host_tracker[].services[].name: service identifier
+ * addr host_tracker[].ip: hosts address / cidr
* port host_tracker[].services[].port: port number
- * enum host_tracker[].services[].proto = tcp: IP protocol { tcp |
+ * enum host_tracker[].services[].proto: IP protocol { ip | tcp |
udp }
- * enum host_tracker[].tcp_policy: TCP reassembly policy { first |
- last | linux | old_linux | bsd | macos | solaris | irix | hpux11
- | hpux10 | windows | win_2003 | vista | proxy }
* implied http_cookie.request: match against the cookie from the
request message even when examining the response
* implied http_cookie.with_body: parts of this rule examine HTTP
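Review bot: With this hunk the two host tables in the index diverge: hosts[].tcp_policy (the context lines just above) keeps its full policy enum, while host_tracker[] loses both frag_policy and tcp_policy. If the host tracker is now populated from hosts[], the host_tracker section should say so explicitly, otherwise a reader configuring reassembly policy per host will look in the wrong table. And with the `= tcp` default gone from host_tracker[].services[].proto, an index reader can no longer tell whether proto is optional; the entry should carry either a default or a note that it is required.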
* string rpc.~ver: version number or * for any
* bool rt_packet.test_daq_retry = true: test daq packet retry
feature
+ * int rt_service.memcap: cap on amount of memory used
* enum rule_state.([0-9]+):([0-9]+)[].action = inherit: apply
action if rule matches or inherit from rule definition { log |
pass | alert | drop | block | reset | inherit }
per flow for better estimation against cap { 0:65535 }
* int stream.file_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 }
- * int stream.file_cache.max_sessions = 128: maximum simultaneous
- sessions tracked before pruning { 2:max32 }
- * int stream.file_cache.pruning_timeout = 30: minimum inactive time
- before being eligible for pruning { 1:max32 }
* bool stream_file.upload = false: indicate file transfer direction
* int stream.footprint = 0: use zero for production, non-zero for
testing at given size (for TCP and user) { 0:max32 }
per flow for better estimation against cap { 0:65535 }
* int stream.icmp_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 }
- * int stream.icmp_cache.max_sessions = 65536: maximum simultaneous
- sessions tracked before pruning { 2:max32 }
- * int stream.icmp_cache.pruning_timeout = 30: minimum inactive time
- before being eligible for pruning { 1:max32 }
* int stream_icmp.session_timeout = 30: session tracking timeout {
1:max31 }
* int stream.ip_cache.cap_weight = 64: additional bytes to track
per flow for better estimation against cap { 0:65535 }
* int stream.ip_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 }
- * int stream.ip_cache.max_sessions = 16384: maximum simultaneous
- sessions tracked before pruning { 2:max32 }
- * int stream.ip_cache.pruning_timeout = 30: minimum inactive time
- before being eligible for pruning { 1:max32 }
* bool stream.ip_frags_only = false: don’t process non-frag flows
* int stream_ip.max_frags = 8192: maximum number of simultaneous
fragments being tracked { 1:max32 }
1:max31 }
* int stream_ip.trace: mask for enabling debug traces in module {
0:max53 }
+ * int stream.max_flows = 476288: maximum simultaneous flows tracked
+ before pruning { 2:max32 }
+ * int stream.pruning_timeout = 30: minimum inactive time before
+ being eligible for pruning { 1:max32 }
* enum stream_reassemble.action: stop or start stream reassembly {
disable|enable }
* enum stream_reassemble.direction: action applies to the given
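Review bot: Both new entries omit units: stream.pruning_timeout = 30 'minimum inactive time' should say seconds (the surrounding *_cache.idle_timeout entries have the same gap, but these are new lines and can set the example). For stream.max_flows, the help text should mention that the per-cache cap_weight values still apply per flow, since that is what the memcap estimation is built from, so raising max_flows has a memory consequence that is not visible from this entry alone.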
track per flow for better estimation against cap { 0:65535 }
* int stream.tcp_cache.idle_timeout = 3600: maximum inactive time
before retiring session tracker { 1:max32 }
- * int stream.tcp_cache.max_sessions = 262144: maximum simultaneous
- sessions tracked before pruning { 2:max32 }
- * int stream.tcp_cache.pruning_timeout = 30: minimum inactive time
- before being eligible for pruning { 1:max32 }
* int stream_tcp.flush_factor = 0: flush upon seeing a drop in
segment size after given number of non-decreasing segments {
0:65535 }
per flow for better estimation against cap { 0:65535 }
* int stream.udp_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 }
- * int stream.udp_cache.max_sessions = 131072: maximum simultaneous
- sessions tracked before pruning { 2:max32 }
- * int stream.udp_cache.pruning_timeout = 30: minimum inactive time
- before being eligible for pruning { 1:max32 }
* int stream_udp.session_timeout = 30: session tracking timeout {
1:max31 }
* int stream.user_cache.cap_weight = 256: additional bytes to track
per flow for better estimation against cap { 0:65535 }
* int stream.user_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 }
- * int stream.user_cache.max_sessions = 1024: maximum simultaneous
- sessions tracked before pruning { 2:max32 }
- * int stream.user_cache.pruning_timeout = 30: minimum inactive time
- before being eligible for pruning { 1:max32 }
* int stream_user.session_timeout = 30: session tracking timeout {
1:max31 }
* int stream_user.trace: mask for enabling debug traces in module {
* detection.onload_waits: times processing waited for onload to
complete (sum)
* detection.passed: passed packets (sum)
+ * detection.pcre_error: total number of times pcre returns error
+ (sum)
+ * detection.pcre_match_limit: total number of times pcre hit the
+ match limit (sum)
+ * detection.pcre_recursion_limit: total number of times pcre hit
+ the recursion limit (sum)
* detection.pkt_searches: fast pattern searches in packet data
(sum)
* detection.queue_limit: events not queued because queue full (sum)
* high_availability.update_msgs_recv: update messages received
(sum)
* host_cache.lru_cache_adds: lru cache added new entry (sum)
- * host_cache.lru_cache_clears: lru cache clear API calls (sum)
* host_cache.lru_cache_find_hits: lru cache found entry in cache
(sum)
* host_cache.lru_cache_find_misses: lru cache did not find entry in
for new entry (sum)
* host_cache.lru_cache_removes: lru cache found entry and removed
it (sum)
- * host_cache.lru_cache_replaces: lru cache replaced existing entry
- (sum)
* host_tracker.service_adds: host service adds (sum)
* host_tracker.service_finds: host service finds (sum)
- * host_tracker.service_removes: host service removes (sum)
* http2_inspect.concurrent_sessions: total concurrent HTTP/2
sessions (now)
* http2_inspect.flows: HTTP connections inspected (sum)
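Review bot: After this removal the host_cache peg set has adds, find_hits, find_misses, prunes and removes but no counter for a key that is added while already present (the old lru_cache_replaces); please say whether such an add now counts under lru_cache_adds, under nothing, or can no longer happen. Same for host_tracker.service_removes: if services can still be removed from a host, operators lose the only visible signal of it; if they cannot, a note in the host_tracker section that service entries are add-only would make the change self-explanatory.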
* ssl.server_key_exchange: total server key exchanges (sum)
* ssl.sessions_ignored: total sessions ignore (sum)
* ssl.unrecognized_records: total unrecognized records (sum)
- * stream.file_excess_prunes: file sessions pruned due to excess
- (sum)
- * stream.file_flows: total file sessions (sum)
- * stream.file_ha_prunes: file sessions pruned by high availability
- sync (sum)
- * stream.file_idle_prunes: file sessions pruned due to timeout
- (sum)
- * stream.file_memcap_prunes: file sessions pruned due to memcap
- (sum)
- * stream.file_preemptive_prunes: file sessions pruned during
- preemptive pruning (sum)
- * stream.file_total_prunes: total file sessions pruned (sum)
- * stream.file_uni_prunes: file uni sessions pruned (sum)
+ * stream.excess_prunes: sessions pruned due to excess (sum)
+ * stream.flows: total sessions (sum)
+ * stream.ha_prunes: sessions pruned by high availability sync (sum)
* stream_icmp.created: icmp session trackers created (sum)
- * stream.icmp_excess_prunes: icmp sessions pruned due to excess
- (sum)
- * stream.icmp_flows: total icmp sessions (sum)
- * stream.icmp_ha_prunes: icmp sessions pruned by high availability
- sync (sum)
- * stream.icmp_idle_prunes: icmp sessions pruned due to timeout
- (sum)
* stream_icmp.max: max icmp sessions (max)
- * stream.icmp_memcap_prunes: icmp sessions pruned due to memcap
- (sum)
- * stream.icmp_preemptive_prunes: icmp sessions pruned during
- preemptive pruning (sum)
* stream_icmp.prunes: icmp session prunes (sum)
* stream_icmp.released: icmp session trackers released (sum)
* stream_icmp.sessions: total icmp sessions (sum)
* stream_icmp.timeouts: icmp session timeouts (sum)
- * stream.icmp_total_prunes: total icmp sessions pruned (sum)
- * stream.icmp_uni_prunes: icmp uni sessions pruned (sum)
+ * stream.idle_prunes: sessions pruned due to timeout (sum)
* stream_ip.alerts: alerts generated (sum)
* stream_ip.anomalies: anomalies detected (sum)
* stream_ip.created: ip session trackers created (sum)
* stream_ip.current_frags: current fragments (now)
* stream_ip.discards: fragments discarded (sum)
* stream_ip.drops: fragments dropped (sum)
- * stream.ip_excess_prunes: ip sessions pruned due to excess (sum)
- * stream.ip_flows: total ip sessions (sum)
* stream_ip.fragmented_bytes: total fragmented bytes (sum)
* stream_ip.frag_timeouts: datagrams abandoned (sum)
- * stream.ip_ha_prunes: ip sessions pruned by high availability sync
- (sum)
- * stream.ip_idle_prunes: ip sessions pruned due to timeout (sum)
* stream_ip.max_frags: max fragments (sum)
* stream_ip.max: max ip sessions (max)
- * stream.ip_memcap_prunes: ip sessions pruned due to memcap (sum)
* stream_ip.nodes_deleted: fragments deleted from tracker (sum)
* stream_ip.nodes_inserted: fragments added to tracker (sum)
* stream_ip.overlaps: overlapping fragments (sum)
- * stream.ip_preemptive_prunes: ip sessions pruned during preemptive
- pruning (sum)
* stream_ip.prunes: ip session prunes (sum)
* stream_ip.reassembled_bytes: total reassembled bytes (sum)
* stream_ip.reassembled: reassembled datagrams (sum)
* stream_ip.sessions: total ip sessions (sum)
* stream_ip.timeouts: ip session timeouts (sum)
* stream_ip.total_frags: total fragments (sum)
- * stream.ip_total_prunes: total ip sessions pruned (sum)
* stream_ip.trackers_added: datagram trackers created (sum)
* stream_ip.trackers_cleared: datagram trackers cleared (sum)
* stream_ip.trackers_completed: datagram trackers completed (sum)
* stream_ip.trackers_freed: datagram trackers released (sum)
- * stream.ip_uni_prunes: ip uni sessions pruned (sum)
+ * stream.memcap_prunes: sessions pruned due to memcap (sum)
+ * stream.preemptive_prunes: sessions pruned during preemptive
+ pruning (sum)
* stream_tcp.client_cleanups: number of times data from server was
flushed when session released (sum)
* stream_tcp.closing: number of sessions currently closing (now)
byte limit was reached (sum)
* stream_tcp.exceeded_max_segs: number of times the maximum queued
segment limit was reached (sum)
- * stream.tcp_excess_prunes: tcp sessions pruned due to excess (sum)
* stream_tcp.fins: number of fin packets (sum)
- * stream.tcp_flows: total tcp sessions (sum)
* stream_tcp.gaps: missing data between PDUs (sum)
- * stream.tcp_ha_prunes: tcp sessions pruned by high availability
- sync (sum)
* stream_tcp.held_packet_limit_exceeded: number of times limit of
max held packets exceeded (sum)
* stream_tcp.held_packet_rexmits: number of retransmits of held
(sum)
* stream_tcp.held_packets_passed: number of held packets passed
(sum)
- * stream.tcp_idle_prunes: tcp sessions pruned due to timeout (sum)
* stream_tcp.ignored: tcp packets ignored (sum)
* stream_tcp.initializing: number of sessions currently
initializing (now)
* stream_tcp.max: max tcp sessions (max)
* stream_tcp.max_packets_held: maximum number of packets held
simultaneously (max)
- * stream.tcp_memcap_prunes: tcp sessions pruned due to memcap (sum)
* stream_tcp.memory: current memory in use (now)
* stream_tcp.overlaps: overlapping segments queued (sum)
* stream_tcp.packets_held: number of packets held (sum)
* stream_tcp.partial_flush_bytes: partial flush total bytes (sum)
* stream_tcp.partial_flushes: number of partial flushes initiated
(sum)
- * stream.tcp_preemptive_prunes: tcp sessions pruned during
- preemptive pruning (sum)
* stream_tcp.prunes: tcp session prunes (sum)
* stream_tcp.rebuilt_buffers: rebuilt PDU sections (sum)
* stream_tcp.rebuilt_bytes: total rebuilt bytes (sum)
* stream_tcp.three_way_trackers: tcp session tracking started on
ack (sum)
* stream_tcp.timeouts: tcp session timeouts (sum)
- * stream.tcp_total_prunes: total tcp sessions pruned (sum)
- * stream.tcp_uni_prunes: tcp uni sessions pruned (sum)
* stream_tcp.untracked: tcp packets not tracked (sum)
+ * stream.total_prunes: total sessions pruned (sum)
* stream_udp.created: udp session trackers created (sum)
- * stream.udp_excess_prunes: udp sessions pruned due to excess (sum)
- * stream.udp_flows: total udp sessions (sum)
- * stream.udp_ha_prunes: udp sessions pruned by high availability
- sync (sum)
- * stream.udp_idle_prunes: udp sessions pruned due to timeout (sum)
* stream_udp.ignored: udp packets ignored (sum)
* stream_udp.max: max udp sessions (max)
- * stream.udp_memcap_prunes: udp sessions pruned due to memcap (sum)
- * stream.udp_preemptive_prunes: udp sessions pruned during
- preemptive pruning (sum)
* stream_udp.prunes: udp session prunes (sum)
* stream_udp.released: udp session trackers released (sum)
* stream_udp.sessions: total udp sessions (sum)
* stream_udp.timeouts: udp session timeouts (sum)
- * stream.udp_total_prunes: total udp sessions pruned (sum)
- * stream.udp_uni_prunes: udp uni sessions pruned (sum)
- * stream.user_excess_prunes: user sessions pruned due to excess
- (sum)
- * stream.user_flows: total user sessions (sum)
- * stream.user_ha_prunes: user sessions pruned by high availability
- sync (sum)
- * stream.user_idle_prunes: user sessions pruned due to timeout
- (sum)
- * stream.user_memcap_prunes: user sessions pruned due to memcap
- (sum)
- * stream.user_preemptive_prunes: user sessions pruned during
- preemptive pruning (sum)
- * stream.user_total_prunes: total user sessions pruned (sum)
- * stream.user_uni_prunes: user uni sessions pruned (sum)
+ * stream.uni_prunes: uni sessions pruned (sum)
* tcp.bad_tcp4_checksum: nonzero tcp over ip checksums (sum)
* tcp.bad_tcp6_checksum: nonzero tcp over ipv6 checksums (sum)
* tcp_connector.messages: total messages (sum)
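Review bot: the new aggregate counters (stream.excess_prunes, stream.flows, stream.ha_prunes, stream.idle_prunes, stream.memcap_prunes, stream.preemptive_prunes, stream.total_prunes, stream.uni_prunes) replace the per-protocol stream.icmp_*, stream.ip_*, stream.tcp_*, stream.udp_* and stream.user_* variants, but their descriptions do not say they now span all protocols; suggest phrasing such as "sessions pruned due to memcap, all protocols (sum)" so an operator who tracked stream.tcp_memcap_prunes understands the per-reason breakdown by protocol is gone (the per-protocol totals survive only as stream_tcp.prunes, stream_udp.prunes, stream_icmp.prunes and stream_ip.prunes). Separately, the line "byte limit was reached (sum)" between stream_tcp.closing and stream_tcp.exceeded_max_segs has lost its leading counter-name line and reads as a continuation without a head; that entry should be restored to the same two-line shape as stream_tcp.exceeded_max_segs.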
change -> ssh: 'server_ports' ==> 'bindings'
change -> ssl: 'ports' ==> 'bindings'
change -> stream5_global: 'max_active_responses' ==> 'max_responses'
-change -> stream5_global: 'max_icmp' ==> 'max_sessions'
-change -> stream5_global: 'max_ip' ==> 'max_sessions'
-change -> stream5_global: 'max_tcp' ==> 'max_sessions'
-change -> stream5_global: 'max_udp' ==> 'max_sessions'
change -> stream5_global: 'min_response_seconds' ==> 'min_interval'
-change -> stream5_global: 'tcp_cache_nominal_timeout' ==> 'pruning_timeout'
-change -> stream5_global: 'tcp_cache_pruning_timeout' ==> 'idle_timeout'
+change -> stream5_global: 'tcp_cache_nominal_timeout' ==> 'idle_timeout'
change -> stream5_global: 'udp_cache_nominal_timeout' ==> 'idle_timeout'
-change -> stream5_global: 'udp_cache_pruning_timeout' ==> 'pruning_timeout'
change -> stream5_ha: 'min_session_lifetime' ==> 'min_age'
change -> stream5_ha: 'min_sync_interval' ==> 'min_sync'
change -> stream5_ha: 'stream5_ha' ==> 'high_availability'
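Review bot: removing the four mappings 'max_icmp' / 'max_ip' / 'max_tcp' / 'max_udp' ==> 'max_sessions' leaves no stated disposition for those stream5_global settings, so a converted configuration could silently lose its per-protocol session limits; the table should record whether they are now dropped with a warning or folded into a single 'max_sessions'. The timeout changes are also asymmetric and deserve a sentence: 'tcp_cache_nominal_timeout' now maps to 'idle_timeout' (previously 'pruning_timeout') and 'tcp_cache_pruning_timeout' and 'udp_cache_pruning_timeout' lose their mappings entirely, while 'udp_cache_nominal_timeout' ==> 'idle_timeout' is unchanged, which means the old pruning timeouts have no converted equivalent and that should be called out.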
* back_orifice (inspector): back orifice detection
* base64_decode (ips_option): rule option to decode base64 data -
must be used with base64_data option
+ * ber_data (ips_option): rule option to move to the data for a
+ specified BER element
+ * ber_skip (ips_option): rule option to skip BER element
* binder (inspector): configure processing based on CIDRs, ports,
services, etc.
* bufferlen (ips_option): rule option to check length of current
data
* ips_option::base64_decode: rule option to decode base64 data -
must be used with base64_data option
+ * ips_option::ber_data: rule option to move to the data for a
+ specified BER element
+ * ips_option::ber_skip: rule option to skip BER element
* ips_option::bufferlen: rule option to check length of current
buffer
* ips_option::byte_extract: rule option to convert data to an
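Review bot: the two inspector/option listings disagree on bufferlen, which is "rule option to check length of current data" in the first list and "rule option to check length of current buffer" in the second; since the lists mirror each other (base64_decode, ber_data and ber_skip are word-for-word identical in both), pick one wording, "buffer" matches the option name, and apply it to both. The new ber_skip entry, "rule option to skip BER element", is also terser than its sibling ber_data; stating that it advances past the BER element at the current cursor position, in parallel with ber_data's "move to the data for a specified BER element", would make the two options' relationship clear to rule writers.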