+19/10/09 - build 262
+
+-- analyzer: move setting pkth to nullptr to after publishing finalize event
+-- analyzer: publish other message event for unknown DAQ messages
+-- appid: add support for bittorrent detection over standard ports
+-- appid: add support for Lua detector callback mechanism
+-- appid: add support for wildcard ports in host tracker
+-- appid: extract forward ip from http tunneled traffic and use it for dynamic host cache lookup
+-- appid: fix populating dns_query for DNS traffic
+-- binder: allow binder to support global level service inspectors
+-- binder: remove global check for stream inspectors and revert module_map changes
+-- codecs: fix checksumming a single byte of unaligned data
+-- codecs: use checksum validation from DAQ packet decode data when available
+-- detection: consistently prefer service rules over port rules
+-- detection: do not split service groups by ip proto to avoid extra searches
+-- detection: map file rules to services
+-- detection: non-service rules must match on rule header proto
+-- detection: remove cruft from match accumulator
+-- detection: remove more cruft from match tracker
+-- detection: remove the inappropriate match tracker from mpse batch setup
+-- detection: remove unnecessary match data from eval context
+-- detection: support alert file rules w/o optional services
+-- detection: update trace to indicate eval task
+-- detection: use reference for signature eval data
+-- doc: add Snort2Lua note on ips rule action rewrite
+-- flow: check if control packet has a valid daq instance before setting up daq expected flow and
+ add pegcounts for expected flows
+-- flow: patch to allocate Flow objects individually on demand. Once allocated the Flow objects are
+ reused until snort exits or reload changes the max_flows setting
+-- flow: when walking uni_list stop before reaching head
+-- helpers: discovery filter support for zone matching
+-- helpers: implement port exclusion in discovery filter
+-- http2_inspect: cut headers from frame_data buffer
+-- http2_inspect: parse hpack header representations and decode string literals
+-- http2_inspect: validate connection preface
+-- ips_options: minor code style changes
+-- libtcp: turn off no-ack mode if packet is out of order
+-- lua: added move constructor and move assignment operator to Lua::State to fix segv
+-- lua: fixed whitespace to match style guidelines
+-- managers: add null check in reload_module to prevent crash when trying to reload module that has
+ not been configured
+-- profiler: increase width of checks and alloc fields so values don't run together
+-- protocols: remove reference to obsolete DAQ_PKT_FLAG_HW_TCP_CS_GOOD flag
+-- pub_sub: replace DaqMetaEvent and OtherMessageEvent with DaqMessageEvent
+-- reputation: prevent reload module crash when reputation is not configured in lua at startup
+-- reputation: SIDs for source and destination-triggered events added
+-- snort2lua: convert snort2 port bindings into snort3 service bindings for inspectors configured
+ in wizard and add --bind-port option to enable port bindings conversion
+-- snort2lua: remove identity related options from firewall
+-- snort2lua: reset the sticky buffer name while converting unchanged sticky rule options and
+ file_data
+-- stream: clean up cppcheck warnings
+-- stream: clean up update_direction
+-- stream: code cleanup and dead-code removal
+-- unit-tests: fix compiler warnings that snuck into CppUTest unit tests
+-- utils: prevent integer overflow/underflow when reading BER elements
+
19/09/12 - build 261
-- analyzer: Process retry queue and onloads when no DAQ messages are received
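Review bot: the "utils: prevent integer overflow/underflow when reading BER elements" entry near the end of this hunk is the one security-relevant fix in the list, yet it says nothing about impact; a reader deciding whether to prioritise this build needs to know which decoders consume BER and what a malformed element could cause before the fix (a wrapped length, an out-of-bounds read, a crash), so a short clause such as "(malformed lengths could previously wrap and read past the buffer)" or a pointer to the commit would help, if that is what was fixed. Separately, the entries are not in one voice: most are imperative ("add", "fix", "remove") but the two "lua:" entries say "added"/"fixed" and the "reputation:" entry is passive ("SIDs for source and destination-triggered events added"); rewriting them as "lua: add move constructor ...", "lua: fix whitespace ..." and "reputation: add SIDs for source- and destination-triggered events" keeps the list consistent.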
<div class="literalblock">\r
<div class="content">\r
<pre><code> ,,_ -*> Snort++ <*-\r
-o" )~ Version 3.0.0 (Build 261)\r
+o" )~ Version 3.0.0 (Build 262)\r
'''' By Martin Roesch & The Snort Team\r
http://snort.org/contact#team\r
Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.\r
</li>\r
<li>\r
<p>\r
+<strong>daq.expected_flows</strong>: expected flows created in DAQ (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>daq.retries_queued</strong>: messages queued for retry (sum)\r
</p>\r
</li>\r
<strong>daq.retries_discarded</strong>: messages discarded when purging the retry queue (sum)\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+<strong>daq.sof_messages</strong>: start of flow messages received from DAQ (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>daq.eof_messages</strong>: end of flow messages received from DAQ (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>daq.other_messages</strong>: messages received from DAQ with unrecognized message type (sum)\r
+</p>\r
+</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-enum <strong><code>rule_state.$gid_sid[].action</code></strong> = inherit: apply action if rule matches or inherit from rule definition { log | pass | alert | drop | block | reset | inherit }\r
+enum <strong><code>rule_state.$gid_sid[].action</code></strong> = inherit: apply action if rule matches or inherit from rule definition { log | pass | alert | drop | block | reset | react | reject | rewrite | inherit }\r
</p>\r
</li>\r
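Review bot: the enum in this hunk gains three new rule_state.$gid_sid[].action values (react, reject, rewrite), but nothing in the ChangeLog hunk above records that change; the only related entry is "doc: add Snort2Lua note on ips rule action rewrite". Since rule_state overrides the action a rule takes, operators reading the release notes should be able to find that react, reject and rewrite are now accepted overrides; add a ChangeLog line along the lines of "ips: allow react, reject and rewrite in rule_state action".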
<li>\r
<strong>icmp4.bad_checksum</strong>: non-zero icmp checksums (sum)\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+<strong>icmp4.checksum_bypassed</strong>: checksum calculations bypassed (sum)\r
+</p>\r
+</li>\r
</ul></div>\r
</div>\r
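Review bot: the new icmp4.checksum_bypassed peg in this hunk (and the identical icmp6, ipv4, tcp and udp pegs in the hunks that follow) is described only as "checksum calculations bypassed (sum)", which reads as though validation was skipped; per the ChangeLog entry "codecs: use checksum validation from DAQ packet decode data when available", these count packets whose checksum result came from the DAQ decode data instead of being recomputed. Saying so, e.g. "checksum calculations bypassed because DAQ decode data supplied the result (sum)", tells an operator that a high count is expected with a DAQ that validates checksums rather than a sign that bad-checksum packets are going unchecked.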
<div class="sect2">\r
<strong>icmp6.bad_icmp6_checksum</strong>: nonzero icmp6 checksums (sum)\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+<strong>icmp6.checksum_bypassed</strong>: checksum calculations bypassed (sum)\r
+</p>\r
+</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
<strong>ipv4.bad_checksum</strong>: nonzero ip checksums (sum)\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+<strong>ipv4.checksum_bypassed</strong>: checksum calculations bypassed (sum)\r
+</p>\r
+</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
<strong>tcp.bad_tcp6_checksum</strong>: nonzero tcp over ipv6 checksums (sum)\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+<strong>tcp.checksum_bypassed</strong>: checksum calculations bypassed (sum)\r
+</p>\r
+</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
<strong>udp.bad_udp6_checksum</strong>: nonzero udp over ipv6 checksums (sum)\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+<strong>udp.checksum_bypassed</strong>: checksum calculations bypassed (sum)\r
+</p>\r
+</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
<strong>finalize_packet.events</strong>: total events seen (sum)\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+<strong>finalize_packet.other_messages</strong>: total other message seen (sum)\r
+</p>\r
+</li>\r
</ul></div>\r
</div>\r
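Review bot: the description of the new finalize_packet.other_messages peg, "total other message seen", is missing a plural; the sibling pegs in this section read "total PDUs seen" and "total events seen", so this should be "total other messages seen (sum)". The same text is repeated in the combined peg reference and in the text manual further down and should be fixed in all three places.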
<div class="sect2">\r
<strong>121:5</strong> (http2_inspect) unexpected continuation frame\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+<strong>121:6</strong> (http2_inspect) misformatted HTTP/2 traffic\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>121:7</strong> (http2_inspect) HTTP/2 connection preface does not match\r
+</p>\r
+</li>\r
</ul></div>\r
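Review bot: 121:6 in this hunk uses "misformatted HTTP/2 traffic"; "malformed" is the conventional term for protocol-level violations and is what analysts will search for, so "malformed HTTP/2 traffic" is the better message. For 121:7, "HTTP/2 connection preface does not match" could say what was compared (the fixed client connection preface that the ChangeLog entry "http2_inspect: validate connection preface" refers to) so the alert is actionable without reading the source.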
<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>136:1</strong> (reputation) packets blacklisted\r
+<strong>136:1</strong> (reputation) packets blacklisted based on source\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>136:2</strong> (reputation) packets whitelisted based on source\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>136:3</strong> (reputation) packets monitored based on source\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>136:4</strong> (reputation) packets blacklisted based on destination\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>136:2</strong> (reputation) packets whitelisted\r
+<strong>136:5</strong> (reputation) packets whitelisted based on destination\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>136:3</strong> (reputation) packets monitored\r
+<strong>136:6</strong> (reputation) packets monitored based on destination\r
</p>\r
</li>\r
</ul></div>\r
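Review bot: this hunk changes the meaning of existing rules rather than only adding new ones: 136:1, 136:2 and 136:3 now fire only for source-address matches, and destination-address matches move to the new 136:4, 136:5 and 136:6. Any existing suppression, threshold or SIEM correlation keyed on 136:1 to 136:3 will silently stop seeing destination-based blacklist, whitelist and monitor events after the upgrade until it is extended to 136:4 to 136:6; the ChangeLog entry "reputation: SIDs for source and destination-triggered events added" should flag this as a behaviour change for existing configurations rather than a pure addition.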
<strong>stream.ha_prunes</strong>: sessions pruned by high availability sync (sum)\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+<strong>stream.expected_flows</strong>: total expected flows created within snort (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.expected_realized</strong>: number of expected flows realized (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.expected_pruned</strong>: number of expected flows pruned (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.expected_overflows</strong>: number of expected cache overflows (sum)\r
+</p>\r
+</li>\r
</ul></div>\r
</div>\r
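Review bot: the new stream.expected_overflows peg is described as "number of expected cache overflows", which reads as overflows that were anticipated; given its siblings (expected_flows, expected_realized, expected_pruned) and the ChangeLog entry about adding pegcounts for expected flows, it counts overflows of the expected-flow cache, so "expected flow cache overflows (sum)" is clearer. The same wording is repeated in the combined peg reference and the text manual below.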
<div class="sect2">\r
</li>\r
<li>\r
<p>\r
-int <strong>stream_tcp.small_segments.count</strong> = 0: limit number of small segments queued { 0:2048 }\r
+int <strong>stream_tcp.small_segments.count</strong> = 0: number of consecutive TCP small segments considered to be excessive (129:12) { 0:2048 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream_tcp.small_segments.maximum_size</strong> = 0: limit number of small segments queued { 0:2048 }\r
+int <strong>stream_tcp.small_segments.maximum_size</strong> = 0: minimum bytes for a TCP segment not to be considered small (129:12) { 0:2048 }\r
</p>\r
</li>\r
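Review bot: the new descriptions for stream_tcp.small_segments.count and stream_tcp.small_segments.maximum_size fix the copy-pasted "limit number of small segments queued" text, but neither says what the default of 0 means; since both default to 0 and both point at alert 129:12, the text should state whether 0 disables the check (e.g. "0 disables") so that "minimum bytes for a TCP segment not to be considered small" is not read as "every segment is small" at the default. Minor wording: "consecutive TCP small segments" reads better as "consecutive small TCP segments".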
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>--bind-port</strong> Convert port bindings\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>--conf-file</strong> Same as <em>-c</em>. A Snort <snort_conf> file which will be\r
converted\r
</p>\r
into one output.\r
</p>\r
</li>\r
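Review bot: the help text for the new --bind-port option, "Convert port bindings", does not tell the user what happens without it; per the ChangeLog entry "snort2lua: convert snort2 port bindings into snort3 service bindings for inspectors configured in wizard and add --bind-port option to enable port bindings conversion", the default output is now service bindings, so the help should read e.g. "Convert snort2 port bindings to port bindings instead of service bindings", and the usage section should mention the changed default, since an existing conversion script will now produce different binder output.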
+<li>\r
+<p>\r
+If the original configuration contains a replace rule with alert action,\r
+ Snort2Lua won’t translate the rule from alert to rewrite action. It will\r
+ keep the action as alert, which does not actually replace the content in\r
+ Snort 3. To replace content, the rule action needs to be rewrite, which\r
+ can be added manually or by tooling.\r
+</p>\r
+</li>\r
</ul></div>\r
</div>\r
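Review bot: the new paragraph in this hunk warns that a replace rule with alert action keeps the alert action and therefore does not replace content in Snort 3, but "can be added manually or by tooling" leaves the reader without the actual fix; stating the target form (change the rule action to rewrite) and having Snort2Lua print a warning when it encounters such a rule would make the limitation actionable rather than only documented.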
<div class="sect2">\r
</li>\r
<li>\r
<p>\r
-enum <strong><code>rule_state.$gid_sid[].action</code></strong> = inherit: apply action if rule matches or inherit from rule definition { log | pass | alert | drop | block | reset | inherit }\r
+enum <strong><code>rule_state.$gid_sid[].action</code></strong> = inherit: apply action if rule matches or inherit from rule definition { log | pass | alert | drop | block | reset | react | reject | rewrite | inherit }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream_tcp.small_segments.count</strong> = 0: limit number of small segments queued { 0:2048 }\r
+int <strong>stream_tcp.small_segments.count</strong> = 0: number of consecutive TCP small segments considered to be excessive (129:12) { 0:2048 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream_tcp.small_segments.maximum_size</strong> = 0: limit number of small segments queued { 0:2048 }\r
+int <strong>stream_tcp.small_segments.maximum_size</strong> = 0: minimum bytes for a TCP segment not to be considered small (129:12) { 0:2048 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>daq.eof_messages</strong>: end of flow messages received from DAQ (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>daq.expected_flows</strong>: expected flows created in DAQ (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>daq.filtered</strong>: packets filtered out (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>daq.other_messages</strong>: messages received from DAQ with unrecognized message type (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>daq.outstanding</strong>: packets unprocessed (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>daq.sof_messages</strong>: start of flow messages received from DAQ (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>daq.whitelist</strong>: total whitelist verdicts (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>finalize_packet.other_messages</strong>: total other message seen (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>finalize_packet.pdus</strong>: total PDUs seen (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>icmp4.checksum_bypassed</strong>: checksum calculations bypassed (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>icmp6.bad_icmp6_checksum</strong>: nonzero icmp6 checksums (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
+<strong>icmp6.checksum_bypassed</strong>: checksum calculations bypassed (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>imap.b64_attachments</strong>: total base64 attachments decoded (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>ipv4.checksum_bypassed</strong>: checksum calculations bypassed (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>latency.max_usecs</strong>: maximum usecs elapsed (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>stream.expected_flows</strong>: total expected flows created within snort (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.expected_overflows</strong>: number of expected cache overflows (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.expected_pruned</strong>: number of expected flows pruned (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream.expected_realized</strong>: number of expected flows realized (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>stream.flows</strong>: total sessions (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>tcp.checksum_bypassed</strong>: checksum calculations bypassed (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>tcp_connector.messages</strong>: total messages (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>udp.checksum_bypassed</strong>: checksum calculations bypassed (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>wizard.tcp_hits</strong>: tcp identifications (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>121:6</strong> (http2_inspect) misformatted HTTP/2 traffic\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>121:7</strong> (http2_inspect) HTTP/2 connection preface does not match\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>122:1</strong> (port_scan) TCP portscan\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>136:1</strong> (reputation) packets blacklisted\r
+<strong>136:1</strong> (reputation) packets blacklisted based on source\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>136:2</strong> (reputation) packets whitelisted based on source\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>136:3</strong> (reputation) packets monitored based on source\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>136:4</strong> (reputation) packets blacklisted based on destination\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>136:2</strong> (reputation) packets whitelisted\r
+<strong>136:5</strong> (reputation) packets whitelisted based on destination\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>136:3</strong> (reputation) packets monitored\r
+<strong>136:6</strong> (reputation) packets monitored based on destination\r
</p>\r
</li>\r
<li>\r
<div id="footer">\r
<div id="footer-text">\r
Last updated\r
- 2019-09-12 19:44:55 EDT\r
+ 2019-10-09 08:46:08 EDT\r
</div>\r
</div>\r
</body>\r
Snorty
,,_ -*> Snort++ <*-
-o" )~ Version 3.0.0 (Build 261)
+o" )~ Version 3.0.0 (Build 262)
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
* daq.idle: attempts to acquire from DAQ without available packets
(sum)
* daq.rx_bytes: total bytes received (sum)
+ * daq.expected_flows: expected flows created in DAQ (sum)
* daq.retries_queued: messages queued for retry (sum)
* daq.retries_dropped: messages dropped when overrunning the retry
queue (sum)
(sum)
* daq.retries_discarded: messages discarded when purging the retry
queue (sum)
+ * daq.sof_messages: start of flow messages received from DAQ (sum)
+ * daq.eof_messages: end of flow messages received from DAQ (sum)
+ * daq.other_messages: messages received from DAQ with unrecognized
+ message type (sum)
6.6. decode
* enum rule_state.$gid_sid[].action = inherit: apply action if rule
matches or inherit from rule definition { log | pass | alert |
- drop | block | reset | inherit }
+ drop | block | reset | react | reject | rewrite | inherit }
* enum rule_state.$gid_sid[].enable = inherit: enable or disable
rule in current ips policy or use default defined by ips policy {
no | yes | inherit }
Peg counts:
* icmp4.bad_checksum: non-zero icmp checksums (sum)
+ * icmp4.checksum_bypassed: checksum calculations bypassed (sum)
7.13. icmp6
Peg counts:
* icmp6.bad_icmp6_checksum: nonzero icmp6 checksums (sum)
+ * icmp6.checksum_bypassed: checksum calculations bypassed (sum)
7.14. igmp
Peg counts:
* ipv4.bad_checksum: nonzero ip checksums (sum)
+ * ipv4.checksum_bypassed: checksum calculations bypassed (sum)
7.16. ipv6
* tcp.bad_tcp4_checksum: nonzero tcp over ip checksums (sum)
* tcp.bad_tcp6_checksum: nonzero tcp over ipv6 checksums (sum)
+ * tcp.checksum_bypassed: checksum calculations bypassed (sum)
7.23. token_ring
* udp.bad_udp4_checksum: nonzero udp over ipv4 checksums (sum)
* udp.bad_udp6_checksum: nonzero udp over ipv6 checksums (sum)
+ * udp.checksum_bypassed: checksum calculations bypassed (sum)
7.25. vlan
* finalize_packet.pdus: total PDUs seen (sum)
* finalize_packet.events: total events seen (sum)
+ * finalize_packet.other_messages: total other message seen (sum)
9.18. ftp_client
* 121:3 (http2_inspect) error in HPACK string value
* 121:4 (http2_inspect) missing continuation frame
* 121:5 (http2_inspect) unexpected continuation frame
+ * 121:6 (http2_inspect) misformatted HTTP/2 traffic
+ * 121:7 (http2_inspect) HTTP/2 connection preface does not match
Peg counts:
Rules:
- * 136:1 (reputation) packets blacklisted
- * 136:2 (reputation) packets whitelisted
- * 136:3 (reputation) packets monitored
+ * 136:1 (reputation) packets blacklisted based on source
+ * 136:2 (reputation) packets whitelisted based on source
+ * 136:3 (reputation) packets monitored based on source
+ * 136:4 (reputation) packets blacklisted based on destination
+ * 136:5 (reputation) packets whitelisted based on destination
+ * 136:6 (reputation) packets monitored based on destination
Peg counts:
pruning (sum)
* stream.memcap_prunes: sessions pruned due to memcap (sum)
* stream.ha_prunes: sessions pruned by high availability sync (sum)
+ * stream.expected_flows: total expected flows created within snort
+ (sum)
+ * stream.expected_realized: number of expected flows realized (sum)
+ * stream.expected_pruned: number of expected flows pruned (sum)
+ * stream.expected_overflows: number of expected cache overflows
+ (sum)
9.43. stream_file
than given bytes per session and direction { 0:max32 }
* int stream_tcp.queue_limit.max_segments = 2621: don’t queue more
than given segments per session and direction { 0:max32 }
- * int stream_tcp.small_segments.count = 0: limit number of small
- segments queued { 0:2048 }
- * int stream_tcp.small_segments.maximum_size = 0: limit number of
- small segments queued { 0:2048 }
+ * int stream_tcp.small_segments.count = 0: number of consecutive
+ TCP small segments considered to be excessive (129:12) { 0:2048 }
+ * int stream_tcp.small_segments.maximum_size = 0: minimum bytes for
+ a TCP segment not to be considered small (129:12) { 0:2048 }
* int stream_tcp.session_timeout = 30: session tracking timeout {
1:max31 }
* bool stream_tcp.track_only = false: disable reassembly if true
provided
* -V Print the current Snort2Lua version
* --bind-wizard Add default wizard to bindings
+ * --bind-port Convert port bindings
* --conf-file Same as -c. A Snort <snort_conf> file which will be
converted
* --dont-parse-includes Same as -p. if <snort_conf> file contains
will output the number of rejects for the binding file in
addition to the number of rejects in the main file. The two
numbers will eventually be combined into one output.
+ * If the original configuration contains a replace rule with alert
+ action, Snort2Lua won’t translate the rule from alert to rewrite
+ action. It will keep the action as alert, which does not actually
+ replace the content in Snort 3. To replace content, the rule
+ action needs to be rewrite, which can be added manually or by
+ tooling.
17.3. Usage
whose data starts with A
* enum rule_state.$gid_sid[].action = inherit: apply action if rule
matches or inherit from rule definition { log | pass | alert |
- drop | block | reset | inherit }
+ drop | block | reset | react | reject | rewrite | inherit }
* enum rule_state.$gid_sid[].enable = inherit: enable or disable
rule in current ips policy or use default defined by ips policy {
no | yes | inherit }
1:max31 }
* bool stream_tcp.show_rebuilt_packets = false: enable cmg like
output of reassembled packets
- * int stream_tcp.small_segments.count = 0: limit number of small
- segments queued { 0:2048 }
- * int stream_tcp.small_segments.maximum_size = 0: limit number of
- small segments queued { 0:2048 }
+ * int stream_tcp.small_segments.count = 0: number of consecutive
+ TCP small segments considered to be excessive (129:12) { 0:2048 }
+ * int stream_tcp.small_segments.maximum_size = 0: minimum bytes for
+ a TCP segment not to be considered small (129:12) { 0:2048 }
* bool stream_tcp.track_only = false: disable reassembly if true
* int stream.trace: mask for enabling debug traces in module {
0:max53 }
* daq.blacklist: total blacklist verdicts (sum)
* daq.block: total block verdicts (sum)
* daq.dropped: packets dropped (sum)
+ * daq.eof_messages: end of flow messages received from DAQ (sum)
+ * daq.expected_flows: expected flows created in DAQ (sum)
* daq.filtered: packets filtered out (sum)
* daq.idle: attempts to acquire from DAQ without available packets
(sum)
lack of DAQ support (sum)
* daq.internal_whitelist: packets whitelisted internally due to
lack of DAQ support (sum)
+ * daq.other_messages: messages received from DAQ with unrecognized
+ message type (sum)
* daq.outstanding: packets unprocessed (sum)
* daq.pcaps: total files and interfaces processed (max)
* daq.received: total packets received from DAQ (sum)
* daq.retry: total retry verdicts (sum)
* daq.rx_bytes: total bytes received (sum)
* daq.skipped: packets skipped at startup (sum)
+ * daq.sof_messages: start of flow messages received from DAQ (sum)
* daq.whitelist: total whitelist verdicts (sum)
* data_log.packets: total packets (sum)
* dce_http_proxy.http_proxy_session_failures: failed http proxy
* file_id.total_files: number of files processed (sum)
* file_log.total_events: total file events (sum)
* finalize_packet.events: total events seen (sum)
+ * finalize_packet.other_messages: total other message seen (sum)
* finalize_packet.pdus: total PDUs seen (sum)
* ftp_data.packets: total packets (sum)
* ftp_server.concurrent_sessions: total concurrent FTP sessions
(sum)
* http_inspect.uri_path: URIs with path problems (sum)
* icmp4.bad_checksum: non-zero icmp checksums (sum)
+ * icmp4.checksum_bypassed: checksum calculations bypassed (sum)
* icmp6.bad_icmp6_checksum: nonzero icmp6 checksums (sum)
+ * icmp6.checksum_bypassed: checksum calculations bypassed (sum)
* imap.b64_attachments: total base64 attachments decoded (sum)
* imap.b64_decoded_bytes: total base64 decoded bytes (sum)
* imap.concurrent_sessions: total concurrent imap sessions (now)
* imap.uu_attachments: total uu attachments decoded (sum)
* imap.uu_decoded_bytes: total uu decoded bytes (sum)
* ipv4.bad_checksum: nonzero ip checksums (sum)
+ * ipv4.checksum_bypassed: checksum calculations bypassed (sum)
* latency.max_usecs: maximum usecs elapsed (sum)
* latency.packet_timeouts: packets that timed out (sum)
* latency.rule_eval_timeouts: rule evals that timed out (sum)
* ssl.sessions_ignored: total sessions ignore (sum)
* ssl.unrecognized_records: total unrecognized records (sum)
* stream.excess_prunes: sessions pruned due to excess (sum)
+ * stream.expected_flows: total expected flows created within snort
+ (sum)
+ * stream.expected_overflows: number of expected cache overflows
+ (sum)
+ * stream.expected_pruned: number of expected flows pruned (sum)
+ * stream.expected_realized: number of expected flows realized (sum)
* stream.flows: total sessions (sum)
* stream.ha_prunes: sessions pruned by high availability sync (sum)
* stream_icmp.created: icmp session trackers created (sum)
* stream.uni_prunes: uni sessions pruned (sum)
* tcp.bad_tcp4_checksum: nonzero tcp over ip checksums (sum)
* tcp.bad_tcp6_checksum: nonzero tcp over ipv6 checksums (sum)
+ * tcp.checksum_bypassed: checksum calculations bypassed (sum)
* tcp_connector.messages: total messages (sum)
* telnet.concurrent_sessions: total concurrent Telnet sessions
(now)
* telnet.total_packets: total packets (sum)
* udp.bad_udp4_checksum: nonzero udp over ipv4 checksums (sum)
* udp.bad_udp6_checksum: nonzero udp over ipv6 checksums (sum)
+ * udp.checksum_bypassed: checksum calculations bypassed (sum)
* wizard.tcp_hits: tcp identifications (sum)
* wizard.tcp_scans: tcp payload scans (sum)
* wizard.udp_hits: udp identifications (sum)
* 121:3 (http2_inspect) error in HPACK string value
* 121:4 (http2_inspect) missing continuation frame
* 121:5 (http2_inspect) unexpected continuation frame
+ * 121:6 (http2_inspect) misformatted HTTP/2 traffic
+ * 121:7 (http2_inspect) HTTP/2 connection preface does not match
* 122:1 (port_scan) TCP portscan
* 122:2 (port_scan) TCP decoy portscan
* 122:3 (port_scan) TCP portsweep
* 135:1 (stream) TCP SYN received
* 135:2 (stream) TCP session established
* 135:3 (stream) TCP session cleared
- * 136:1 (reputation) packets blacklisted
- * 136:2 (reputation) packets whitelisted
- * 136:3 (reputation) packets monitored
+ * 136:1 (reputation) packets blacklisted based on source
+ * 136:2 (reputation) packets whitelisted based on source
+ * 136:3 (reputation) packets monitored based on source
+ * 136:4 (reputation) packets blacklisted based on destination
+ * 136:5 (reputation) packets whitelisted based on destination
+ * 136:6 (reputation) packets monitored based on destination
* 137:1 (ssl) invalid client HELLO after server HELLO detected
* 137:2 (ssl) invalid server HELLO without client HELLO detected
* 137:3 (ssl) heartbeat read overrun attempt detected