set (VERSION_MAJOR 3)
set (VERSION_MINOR 1)
-set (VERSION_PATCH 27)
+set (VERSION_PATCH 28)
set (VERSION_SUBLEVEL 0)
set (VERSION "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}.${VERSION_SUBLEVEL}")
+2022/04/25 - 3.1.28.0
+
+appid: add bytes_in_use and items_in_use peg counts
+appid: ssl service detection for segmented server hello done
+binder: add binder actions to flow reassignment. Thanks to Meridoff for the original report of the issue.
+bufferlen: add missing relative override
+conf: add cip and s7commplus to the default snort.lua
+content: auto no-case non-alpha patterns
+dce_rpc: Handling only named ioctls for smb
+detection: add missing fast pattern buffer translations
+detection: make CursorActionType generic
+detection: map buffers to services
+detection: rearrange startup rule counts
+detection: remove now obsolete get buf support
+doc: add clarification on default bindings in developer notes and user notes
+events: add action logging to the event
+flow, managers, binder: only publish flow state reloaded event from internal execute
+flow: only select policies when deleting flow data if there is a policy selector
+flow, snort_config: change service back to a pointer and add a method to return a non-volatile pointer for service
+flow: use a flag instead off shared pointer use count for has service check
+framework: make Cursor SO_PUBLIC
+ftp: fix FTP response parsing
+ftp: flush FTP cmds ending in just carriage return
+host_cache: bytes_in_use and items_in_use peg counts
+host_cache: fix unit test broken on some platforms
+inspectors: add / update api buffer lists
+ips: eliminate direct dependence on get_fp_buf of all ibt (by using rule options)
+ips: eliminate PM_TYPE_* to make fast pattern buffers generic
+ips: further limit port group rules
+ips_options: eliminate obsolete RULE_OPTION_TYPE_BUFFER_*
+ips_options: fix cursor action type overrides
+main: check policy exists instead of index when setting network policy by id
+mime: handle MIME header lines split between inspection sections and improve folded header line processing
+mms: add check that BerElement argument isn't null before calling BerReader::read
+mms: adding manual updates for the new service inspector for the IEC61850 MMS protocol
+mms: adding new service inspector for the IEC61850 MMS protocol
+mms_data: make a fast pattern buffer
+mms: moved creation of TpktFlowData inspector ID to process init
+module_manager: fix memory pegs display issue during packet processing, while also correctly computing the memory pegs in Analyzer::term
+netflow: framework for netflow V5 and V9 events
+packet_io: add rewrite action logging
+parser: update dev notes
+raw_data: only search pkt_data if no alt buffer or raw_data rules included in group
+service inspectors: update fast pattern access
+sfip: improve warning suppression
+smtp: SMTPData initialization changed from memset to constructor
+smtp: STARTTLS command injection event processing
+stream: add can_set_no_ack() api to check if policy allows no-ack mode
+stream: add current_flows, uni_flows and uni_ip_flows peg counts
+utils: limit JS regex stack size
+utils: track groups and escaped symbols in JavaScript regex literals
+
2022/04/07 - 3.1.27.0
ac_full: refactor api access
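Review bot: the new 3.1.28.0 ChangeLog block has a typo and inconsistent entry style. "flow: use a flag instead off shared pointer use count for has service check" should read "instead of"; "dce_rpc: Handling only named ioctls for smb", "mms: adding manual updates ...", "mms: adding new service inspector ...", "mms: moved creation of TpktFlowData inspector ID to process init" and "smtp: SMTPData initialization changed from memset to constructor" use capitalised, progressive or past forms where every other entry is a lower-case imperative, and "host_cache: bytes_in_use and items_in_use peg counts" has no verb at all (compare the parallel "appid: add bytes_in_use and items_in_use peg counts"). Suggest normalising these to "add", "handle", "move", "change" and fixing the typo before tagging, since this block is copied verbatim into the release notes.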
The Snort Team
Revision History
-Revision 3.1.27.0 2022-04-07 13:35:35 EDT TST
+Revision 3.1.28.0 2022-04-25 10:44:49 EDT TST
---------------------------------------------------------------------
5.26. iec104
5.27. imap
5.28. mem_test
- 5.29. modbus
- 5.30. netflow
- 5.31. normalizer
- 5.32. null_trace_logger
- 5.33. packet_capture
- 5.34. perf_monitor
- 5.35. pop
- 5.36. port_scan
- 5.37. reputation
- 5.38. rna
- 5.39. rpc_decode
- 5.40. s7commplus
- 5.41. sip
- 5.42. smtp
- 5.43. so_proxy
- 5.44. ssh
- 5.45. ssl
- 5.46. stream
- 5.47. stream_file
- 5.48. stream_icmp
- 5.49. stream_ip
- 5.50. stream_tcp
- 5.51. stream_udp
- 5.52. stream_user
- 5.53. telnet
- 5.54. wizard
+ 5.29. mms
+ 5.30. modbus
+ 5.31. netflow
+ 5.32. normalizer
+ 5.33. null_trace_logger
+ 5.34. packet_capture
+ 5.35. perf_monitor
+ 5.36. pop
+ 5.37. port_scan
+ 5.38. reputation
+ 5.39. rna
+ 5.40. rpc_decode
+ 5.41. s7commplus
+ 5.42. sip
+ 5.43. smtp
+ 5.44. so_proxy
+ 5.45. ssh
+ 5.46. ssl
+ 5.47. stream
+ 5.48. stream_file
+ 5.49. stream_icmp
+ 5.50. stream_ip
+ 5.51. stream_tcp
+ 5.52. stream_udp
+ 5.53. stream_user
+ 5.54. telnet
+ 5.55. wizard
6. IPS Action Modules
7.80. js_data
7.81. md5
7.82. metadata
- 7.83. modbus_data
- 7.84. modbus_func
- 7.85. modbus_unit
- 7.86. msg
- 7.87. mss
- 7.88. pcre
- 7.89. pkt_data
- 7.90. pkt_num
- 7.91. priority
- 7.92. raw_data
- 7.93. reference
- 7.94. regex
- 7.95. rem
- 7.96. replace
- 7.97. rev
- 7.98. rpc
- 7.99. s7commplus_content
- 7.100. s7commplus_func
- 7.101. s7commplus_opcode
- 7.102. sd_pattern
- 7.103. seq
- 7.104. service
- 7.105. sha256
- 7.106. sha512
- 7.107. sid
- 7.108. sip_body
- 7.109. sip_header
- 7.110. sip_method
- 7.111. sip_stat_code
- 7.112. so
- 7.113. soid
- 7.114. ssl_state
- 7.115. ssl_version
- 7.116. stream_reassemble
- 7.117. stream_size
- 7.118. tag
- 7.119. target
- 7.120. tos
- 7.121. ttl
- 7.122. urg
- 7.123. vba_data
- 7.124. window
- 7.125. wscale
+ 7.83. mms_data
+ 7.84. mms_func
+ 7.85. modbus_data
+ 7.86. modbus_func
+ 7.87. modbus_unit
+ 7.88. msg
+ 7.89. mss
+ 7.90. pcre
+ 7.91. pkt_data
+ 7.92. pkt_num
+ 7.93. priority
+ 7.94. raw_data
+ 7.95. reference
+ 7.96. regex
+ 7.97. rem
+ 7.98. replace
+ 7.99. rev
+ 7.100. rpc
+ 7.101. s7commplus_content
+ 7.102. s7commplus_func
+ 7.103. s7commplus_opcode
+ 7.104. sd_pattern
+ 7.105. seq
+ 7.106. service
+ 7.107. sha256
+ 7.108. sha512
+ 7.109. sid
+ 7.110. sip_body
+ 7.111. sip_header
+ 7.112. sip_method
+ 7.113. sip_stat_code
+ 7.114. so
+ 7.115. soid
+ 7.116. ssl_state
+ 7.117. ssl_version
+ 7.118. stream_reassemble
+ 7.119. stream_size
+ 7.120. tag
+ 7.121. target
+ 7.122. tos
+ 7.123. ttl
+ 7.124. urg
+ 7.125. vba_data
+ 7.126. window
+ 7.127. wscale
8. Search Engine Modules
9. SO Rule Modules
(sum)
* detection.alt_searches: alt fast pattern searches in packet data
(sum)
- * detection.key_searches: fast pattern searches in key buffer (sum)
- * detection.header_searches: fast pattern searches in header buffer
- (sum)
- * detection.body_searches: fast pattern searches in body buffer
+ * detection.pdu_searches: fast pattern searches in service buffers
(sum)
* detection.file_searches: fast pattern searches in file buffer
(sum)
- * detection.raw_key_searches: fast pattern searches in raw key
- buffer (sum)
- * detection.raw_header_searches: fast pattern searches in raw
- header buffer (sum)
- * detection.method_searches: fast pattern searches in method buffer
- (sum)
- * detection.stat_code_searches: fast pattern searches in status
- code buffer (sum)
- * detection.stat_msg_searches: fast pattern searches in status
- message buffer (sum)
- * detection.cookie_searches: fast pattern searches in cookie buffer
- (sum)
- * detection.js_data_searches: fast pattern searches in js_data
- buffer (sum)
- * detection.vba_searches: fast pattern searches in MS Office Visual
- Basic for Applications buffer (sum)
* detection.offloads: fast pattern searches that were offloaded
(sum)
* detection.alerts: alerts not including IP reputation (sum)
* host_cache.adds: lru cache added new entry (sum)
* host_cache.alloc_prunes: lru cache pruned entry to make space for
new entry (sum)
+ * host_cache.bytes_in_use: current number of bytes in use (now)
+ * host_cache.items_in_use: current number of items in the cache
+ (now)
* host_cache.find_hits: lru cache found entry in cache (sum)
* host_cache.find_misses: lru cache did not find entry in cache
(sum)
open detector package is reloaded (sum)
* appid.tp_reload_ignored_pkts: count of packets ignored after
third-party module is reloaded (sum)
+ * appid.bytes_in_use: number of bytes in use in the cache (now)
+ * appid.items_in_use: items in use in the cache (now)
5.2. appid_listener
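Review bot: the removal of the per-buffer search pegs (detection.key_searches, header_searches, body_searches, raw_key_searches, raw_header_searches, method_searches, stat_code_searches, stat_msg_searches, cookie_searches, js_data_searches and vba_searches) in favour of the single detection.pdu_searches is a counter rename that anything consuming these stats will notice, but the ChangeLog entry it belongs to ("detection: map buffers to services") does not mention it; add a line stating that the old per-buffer pegs are folded into detection.pdu_searches. Also, the two new cache pegs are described differently for the same quantity: host_cache says "current number of bytes in use (now)" and "current number of items in the cache (now)" while appid says "number of bytes in use in the cache (now)" and "items in use in the cache (now)"; use one wording for both modules.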
* mem_test.packets: total packets (sum)
-5.29. modbus
+5.29. mms
+
+--------------
+
+Help: mms inspection
+
+Type: inspector (service)
+
+Usage: inspect
+
+Instance Type: multiton
+
+Rules:
+
+no match
+
+Peg counts:
+
+ * mms.sessions: total sessions processed (sum)
+ * mms.frames: total MMS messages (sum)
+ * mms.concurrent_sessions: total concurrent MMS sessions (now)
+ * mms.max_concurrent_sessions: maximum concurrent MMS sessions
+ (max)
+
+
+5.30. modbus
--------------
sessions (max)
-5.30. netflow
+5.31. netflow
--------------
(sum)
-5.31. normalizer
+5.32. normalizer
--------------
* normalizer.tcp_block: blocked segments (sum)
-5.32. null_trace_logger
+5.33. null_trace_logger
--------------
Instance Type: global
-5.33. packet_capture
+5.34. packet_capture
--------------
filter (sum)
-5.34. perf_monitor
+5.35. perf_monitor
--------------
by new flows (sum)
-5.35. pop
+5.36. pop
--------------
* pop.non_encoded_bytes: total non-encoded extracted bytes (sum)
-5.36. port_scan
+5.37. port_scan
--------------
to reduced memcap (sum)
-5.37. reputation
+5.38. reputation
--------------
monitored (sum)
-5.38. rna
+5.39. rna
--------------
* rna.dhcp_data: count of DHCP data events received (sum)
* rna.dhcp_info: count of new DHCP lease events received (sum)
* rna.smb: count of new SMB events received (sum)
+ * rna.netflow_record: count of netflow record events received (sum)
-5.39. rpc_decode
+5.40. rpc_decode
--------------
sessions (max)
-5.40. s7commplus
+5.41. s7commplus
--------------
sessions (max)
-5.41. sip
+5.42. sip
--------------
* sip.code_9xx: 9xx (sum)
-5.42. smtp
+5.43. smtp
--------------
* 124:14 (smtp) Cyrus SASL authentication attack
* 124:15 (smtp) attempted authentication command buffer overflow
* 124:16 (smtp) file decompression failed
+ * 124:17 (smtp) STARTTLS command injection attempt
Peg counts:
* smtp.non_encoded_bytes: total non-encoded extracted bytes (sum)
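Review bot: the new event "124:17 (smtp) STARTTLS command injection attempt" is only listed here, and nothing else in this patch says what condition raises it: the user-manual SMTP chapter is renumbered (5.18) but gets no new text, and the ChangeLog entry "smtp: STARTTLS command injection event processing" is equally terse. Add a sentence to the SMTP chapter describing when the event fires so an operator can decide what action to attach to it.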
-5.43. so_proxy
+5.44. so_proxy
--------------
Instance Type: global
-5.44. ssh
+5.45. ssh
--------------
(max)
-5.45. ssl
+5.46. ssl
--------------
(max)
-5.46. stream
+5.47. stream
--------------
config reloads (sum)
* stream.reload_offloaded_deletes: number of offloaded flows
deleted by config reloads (sum)
+ * stream.current_flows: current number of flows in cache (now)
+ * stream.uni_flows: number of uni flows in cache (now)
+ * stream.uni_ip_flows: number of uni ip flows in cache (now)
-5.47. stream_file
+5.48. stream_file
--------------
* bool stream_file.upload = false: indicate file transfer direction
-5.48. stream_icmp
+5.49. stream_icmp
--------------
* stream_icmp.prunes: icmp session prunes (sum)
-5.49. stream_ip
+5.50. stream_ip
--------------
* stream_ip.fragmented_bytes: total fragmented bytes (sum)
-5.50. stream_tcp
+5.51. stream_tcp
--------------
(sum)
-5.51. stream_udp
+5.52. stream_udp
--------------
* stream_udp.ignored: udp packets ignored (sum)
-5.52. stream_user
+5.53. stream_user
--------------
1:max31 }
-5.53. telnet
+5.54. telnet
--------------
sessions (max)
-5.54. wizard
+5.55. wizard
--------------
* string wizard.spells[].to_client[].spell: sequence of data with
wild cards (*)
* multi wizard.curses: enable service identification based on
- internal algorithm { dce_smb | dce_udp | dce_tcp | sslv2 }
+ internal algorithm { dce_smb | dce_udp | dce_tcp | mms | sslv2 }
* int wizard.max_search_depth = 8192: maximum scan depth per flow {
0:65535 }
pairs
-7.83. modbus_data
+7.83. mms_data
+
+--------------
+
+Help: rule option to set cursor to MMS data
+
+Type: ips_option
+
+Usage: detect
+
+
+7.84. mms_func
+
+--------------
+
+Help: rule option to check MMS function
+
+Type: ips_option
+
+Usage: detect
+
+Configuration:
+
+ * string mms_func.~: func to match
+
+
+7.85. modbus_data
--------------
Usage: detect
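Review bot: the help string "string mms_func.~: func to match" is terser than its neighbours ("string modbus_func.~: function code to match", "string s7commplus_func.~: function code to match") and does not say that both forms are accepted, while the user-manual text added in this patch says mms_func "takes the supplied function name or number"; suggest "function name or number to match" so the reference and the manual agree. The same string appears again in the consolidated configuration list later in the patch.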
-7.84. modbus_func
+7.86. modbus_func
--------------
* string modbus_func.~: function code to match
-7.85. modbus_unit
+7.87. modbus_unit
--------------
* int modbus_unit.~: Modbus unit ID { 0:255 }
-7.86. msg
+7.88. msg
--------------
* string msg.~: message describing rule
-7.87. mss
+7.89. mss
--------------
}
-7.88. pcre
+7.90. pcre
--------------
* pcre.pcre_negated: total pcre rules using negation syntax (sum)
-7.89. pkt_data
+7.91. pkt_data
--------------
Usage: detect
-7.90. pkt_num
+7.92. pkt_num
--------------
{ 1: }
-7.91. priority
+7.93. priority
--------------
1:max31 }
-7.92. raw_data
+7.94. raw_data
--------------
Usage: detect
-7.93. reference
+7.95. reference
--------------
* string reference.~ref: reference: <scheme>,<id>
-7.94. regex
+7.96. regex
--------------
instead of start of buffer
-7.95. rem
+7.97. rem
--------------
* string rem.~: comment
-7.96. replace
+7.98. replace
--------------
* string replace.~: byte code to replace with
-7.97. rev
+7.99. rev
--------------
* int rev.~: revision { 1:max32 }
-7.98. rpc
+7.100. rpc
--------------
* string rpc.~proc: procedure number or * for any
-7.99. s7commplus_content
+7.101. s7commplus_content
--------------
Usage: detect
-7.100. s7commplus_func
+7.102. s7commplus_func
--------------
* string s7commplus_func.~: function code to match
-7.101. s7commplus_opcode
+7.103. s7commplus_opcode
--------------
* string s7commplus_opcode.~: opcode code to match
-7.102. sd_pattern
+7.104. sd_pattern
--------------
* sd_pattern.terminated: hyperscan terminated (sum)
-7.103. seq
+7.105. seq
--------------
range { 0: }
-7.104. service
+7.106. service
--------------
* string service.*: one or more comma-separated service names
-7.105. sha256
+7.107. sha256
--------------
start of buffer
-7.106. sha512
+7.108. sha512
--------------
start of buffer
-7.107. sid
+7.109. sid
--------------
* int sid.~: signature id { 1:max32 }
-7.108. sip_body
+7.110. sip_body
--------------
Usage: detect
-7.109. sip_header
+7.111. sip_header
--------------
Usage: detect
-7.110. sip_method
+7.112. sip_method
--------------
* string sip_method.*method: sip method
-7.111. sip_stat_code
+7.113. sip_stat_code
--------------
* int sip_stat_code.*code: status code { 1:999 }
-7.112. so
+7.114. so
--------------
buffer
-7.113. soid
+7.115. soid
--------------
like 3_45678_9
-7.114. ssl_state
+7.116. ssl_state
--------------
unknown
-7.115. ssl_version
+7.117. ssl_version
--------------
tls1.2
-7.116. stream_reassemble
+7.118. stream_reassemble
--------------
remainder of the session
-7.117. stream_size
+7.119. stream_size
--------------
direction(s) { either|to_server|to_client|both }
-7.118. tag
+7.120. tag
--------------
* int tag.bytes: tag for this many bytes { 1:max32 }
-7.119. target
+7.121. target
--------------
dst_ip }
-7.120. tos
+7.122. tos
--------------
* interval tos.~range: check if IP TOS is in given range { 0:255 }
-7.121. ttl
+7.123. ttl
--------------
0:255 }
-7.122. urg
+7.124. urg
--------------
{ 0:65535 }
-7.123. vba_data
+7.125. vba_data
--------------
Usage: detect
-7.124. window
+7.126. window
--------------
range { 0:65535 }
-7.125. wscale
+7.127. wscale
--------------
overhead { 1:100 }
* string metadata.*: comma-separated list of arbitrary name value
pairs
+ * string mms_func.~: func to match
* string modbus_func.~: function code to match
* int modbus_unit.~: Modbus unit ID { 0:255 }
* int mpls.max_stack_depth = -1: set maximum MPLS stack depth {
* interval window.~range: check if TCP window size is in given
range { 0:65535 }
* multi wizard.curses: enable service identification based on
- internal algorithm { dce_smb | dce_udp | dce_tcp | sslv2 }
+ internal algorithm { dce_smb | dce_udp | dce_tcp | mms | sslv2 }
* bool wizard.hexes[].client_first = true: which end initiates data
transfer
* select wizard.hexes[].proto = tcp: protocol to scan { tcp | udp }
* address_space_selector.no_match: selection evaluations that had
no matches (sum)
* address_space_selector.packets: packets evaluated (sum)
+ * appid.bytes_in_use: number of bytes in use in the cache (now)
* appid.ignored_packets: count of packets ignored (sum)
+ * appid.items_in_use: items in use in the cache (now)
* appid.odp_reload_ignored_pkts: count of packets ignored after
open detector package is reloaded (sum)
* appid.packets: count of packets received (sum)
* detection.alt_searches: alt fast pattern searches in packet data
(sum)
* detection.analyzed: total packets processed (now)
- * detection.body_searches: fast pattern searches in body buffer
- (sum)
* detection.context_stalls: times processing stalled to wait for an
available context (sum)
* detection.cooked_searches: fast pattern searches in cooked packet
data (sum)
- * detection.cookie_searches: fast pattern searches in cookie buffer
- (sum)
* detection.event_limit: events filtered (sum)
* detection.file_searches: fast pattern searches in file buffer
(sum)
* detection.hard_evals: non-fast pattern rule evaluations (sum)
- * detection.header_searches: fast pattern searches in header buffer
- (sum)
- * detection.js_data_searches: fast pattern searches in js_data
- buffer (sum)
- * detection.key_searches: fast pattern searches in key buffer (sum)
* detection.logged: logged packets (sum)
* detection.log_limit: events queued but not logged (sum)
* detection.match_limit: fast pattern matches not processed (sum)
- * detection.method_searches: fast pattern searches in method buffer
- (sum)
* detection.offload_busy: times offload was not available (sum)
* detection.offload_failures: fast pattern offload search failures
(sum)
match limit (sum)
* detection.pcre_recursion_limit: total number of times pcre hit
the recursion limit (sum)
+ * detection.pdu_searches: fast pattern searches in service buffers
+ (sum)
* detection.pkt_searches: fast pattern searches in packet data
(sum)
* detection.queue_limit: events not queued because queue full (sum)
- * detection.raw_header_searches: fast pattern searches in raw
- header buffer (sum)
- * detection.raw_key_searches: fast pattern searches in raw key
- buffer (sum)
* detection.raw_searches: fast pattern searches in raw packet data
(sum)
- * detection.stat_code_searches: fast pattern searches in status
- code buffer (sum)
- * detection.stat_msg_searches: fast pattern searches in status
- message buffer (sum)
* detection.total_alerts: alerts including IP reputation (sum)
- * detection.vba_searches: fast pattern searches in MS Office Visual
- Basic for Applications buffer (sum)
* dnp3.concurrent_sessions: total concurrent dnp3 sessions (now)
* dnp3.dnp3_application_pdus: total dnp3 application pdus (sum)
* dnp3.dnp3_link_layer_frames: total dnp3 link layer frames (sum)
* host_cache.adds: lru cache added new entry (sum)
* host_cache.alloc_prunes: lru cache pruned entry to make space for
new entry (sum)
+ * host_cache.bytes_in_use: current number of bytes in use (now)
* host_cache.find_hits: lru cache found entry in cache (sum)
* host_cache.find_misses: lru cache did not find entry in cache
(sum)
+ * host_cache.items_in_use: current number of items in the cache
+ (now)
* host_cache.reload_prunes: lru cache pruned entry for lower memcap
during reload (sum)
* host_cache.removes: lru cache found entry and removed it (sum)
* memory.reap_attempts: attempts to reclaim memory (now)
* memory.reap_failures: failures to reclaim memory (now)
* mem_test.packets: total packets (sum)
+ * mms.concurrent_sessions: total concurrent MMS sessions (now)
+ * mms.frames: total MMS messages (sum)
+ * mms.max_concurrent_sessions: maximum concurrent MMS sessions
+ (max)
+ * mms.sessions: total sessions processed (sum)
* modbus.concurrent_sessions: total concurrent modbus sessions
(now)
* modbus.frames: total Modbus messages (sum)
* rna.icmp_new: count of new ICMP flows received (sum)
* rna.ip_bidirectional: count of bidirectional IP received (sum)
* rna.ip_new: count of new IP flows received (sum)
+ * rna.netflow_record: count of netflow record events received (sum)
* rna.other_packets: count of packets received without session
tracking (sum)
* rna.smb: count of new SMB events received (sum)
* ssl.server_key_exchange: total server key exchanges (sum)
* ssl.sessions_ignored: total sessions ignore (sum)
* ssl.unrecognized_records: total unrecognized records (sum)
+ * stream.current_flows: current number of flows in cache (now)
* stream.excess_prunes: sessions pruned due to excess (sum)
* stream.expected_flows: total expected flows created within snort
(sum)
* stream_udp.sessions: total udp sessions (sum)
* stream_udp.timeouts: udp session timeouts (sum)
* stream_udp.total_bytes: total number of bytes processed (sum)
+ * stream.uni_flows: number of uni flows in cache (now)
+ * stream.uni_ip_flows: number of uni ip flows in cache (now)
* stream.uni_prunes: uni sessions pruned (sum)
* tcp.bad_tcp4_checksum: nonzero tcp over ip checksums (sum)
* tcp.bad_tcp6_checksum: nonzero tcp over ipv6 checksums (sum)
* 149: s7commplus
* 150: file_id
* 151: iec104
+ * 152: mms
* 175: domain_filter
* 256: dpx
* memory (basic): memory management configuration
* metadata (ips_option): rule option for conveying arbitrary
comma-separated name, value data within the rule text
+ * mms (inspector): mms inspection
+ * mms_data (ips_option): rule option to set cursor to MMS data
+ * mms_func (ips_option): rule option to check MMS function
* modbus (inspector): modbus inspection
* modbus_data (ips_option): rule option to set cursor to modbus
data
* inspector::iec104: iec104 inspection
* inspector::imap: imap inspection
* inspector::mem_test: for testing memory management
+ * inspector::mms: mms inspection
* inspector::modbus: modbus inspection
* inspector::netflow: netflow inspection
* inspector::normalizer: packet scrubbing for inline mode
* ips_option::md5: payload rule option for hash matching
* ips_option::metadata: rule option for conveying arbitrary
comma-separated name, value data within the rule text
+ * ips_option::mms_data: rule option to set cursor to MMS data
+ * ips_option::mms_func: rule option to check MMS function
* ips_option::modbus_data: rule option to set cursor to modbus data
* ips_option::modbus_func: rule option to check modbus function
code
The Snort Team
Revision History
-Revision 3.1.27.0 2022-04-07 13:35:21 EDT TST
+Revision 3.1.28.0 2022-04-25 10:44:39 EDT TST
---------------------------------------------------------------------
change -> config 'daq_dir' ==> 'daq.module_dirs'
change -> config 'detection_filter' ==> 'alerts.detection_filter_memcap'
change -> config 'enable_deep_teredo_inspection' ==> 'udp.deep_teredo_inspection'
-change -> config 'enable_mpls_overlapping_ip' ==> 'packets.mpls_agnostic'
change -> config 'event_filter' ==> 'alerts.event_filter_memcap'
change -> config 'max_attribute_hosts' ==> 'attribute_table.max_hosts'
change -> config 'max_attribute_services_per_host' ==> 'attribute_table.max_services_per_host'
change -> daq_mode: 'config daq_mode:' ==> 'mode'
change -> daq_var: 'config daq_var:' ==> 'variables'
change -> detection: 'ac' ==> 'ac_full'
-change -> detection: 'ac-banded' ==> 'ac_full'
+change -> detection: 'ac-banded' ==> 'ac_banded'
change -> detection: 'ac-bnfa' ==> 'ac_bnfa'
change -> detection: 'ac-bnfa-nq' ==> 'ac_bnfa'
change -> detection: 'ac-bnfa-q' ==> 'ac_bnfa'
change -> detection: 'ac-nq' ==> 'ac_full'
change -> detection: 'ac-q' ==> 'ac_full'
-change -> detection: 'ac-sparsebands' ==> 'ac_full'
+change -> detection: 'ac-sparsebands' ==> 'ac_sparse_bands'
change -> detection: 'ac-split' ==> 'ac_full'
change -> detection: 'ac-split' ==> 'split_any_any'
-change -> detection: 'ac-std' ==> 'ac_full'
-change -> detection: 'acs' ==> 'ac_full'
+change -> detection: 'ac-std' ==> 'ac_std'
+change -> detection: 'acs' ==> 'ac_sparse'
change -> detection: 'bleedover-port-limit' ==> 'bleedover_port_limit'
change -> detection: 'debug-print-fast-pattern' ==> 'show_fast_patterns'
change -> detection: 'intel-cpm' ==> 'hyperscan'
change -> detection: 'max-pattern-len' ==> 'max_pattern_len'
change -> detection: 'no_stream_inserts' ==> 'detect_raw_tcp'
change -> detection: 'search-method' ==> 'search_method'
+change -> detection: 'search-optimize' ==> 'search_optimize'
change -> detection: 'split-any-any' ==> 'split_any_any = true by default'
change -> detection: 'split-any-any' ==> 'split_any_any'
change -> dnp3: 'ports' ==> 'bindings'
change -> reputation: 'shared_mem' ==> 'list_dir'
change -> sfportscan: 'proto' ==> 'protos'
change -> sfportscan: 'scan_type' ==> 'scan_types'
-change -> sip: 'max_requestName_len' ==> 'max_request_name_len'
change -> sip: 'ports' ==> 'bindings'
change -> smtp: 'ports' ==> 'bindings'
change -> ssh: 'server_ports' ==> 'bindings'
deleted -> config 'disable_inline_init_failopen'
deleted -> config 'disable_ipopt_alerts'
deleted -> config 'disable_ipopt_drops'
-deleted -> config 'disable_replace'
deleted -> config 'disable_tcpopt_alerts'
deleted -> config 'disable_tcpopt_drops'
deleted -> config 'disable_tcpopt_experimental_alerts'
deleted -> config 'enable_decode_oversized_drops'
deleted -> config 'enable_gtp'
deleted -> config 'enable_ipopt_drops'
-deleted -> config 'enable_mpls_multicast'
deleted -> config 'enable_tcpopt_drops'
deleted -> config 'enable_tcpopt_experimental_drops'
deleted -> config 'enable_tcpopt_obsolete_drops'
deleted -> config 'sflog_unified2'
deleted -> config 'sidechannel'
deleted -> config 'so_rule_memcap'
-deleted -> config 'stateful'
deleted -> csv: '<filename> can no longer be specific'
deleted -> csv: 'default'
deleted -> csv: 'trheader'
deleted -> detection: 'mwm'
-deleted -> detection: 'search-optimize is always true'
deleted -> dnp3: 'disabled'
deleted -> dnp3: 'memcap'
deleted -> dns: 'enable_experimental_types'
deleted -> full: '<filename> can no longer be specific'
deleted -> http_inspect: 'detect_anomalous_servers'
deleted -> http_inspect: 'disabled'
-deleted -> http_inspect: 'fast_blocking'
-deleted -> http_inspect: 'normalize_random_nulls_in_text'
deleted -> http_inspect: 'proxy_alert'
deleted -> http_inspect_server: 'allow_proxy_use'
deleted -> http_inspect_server: 'enable_cookie'
deleted -> stream5_tcp: 'log_asymmetric_traffic'
deleted -> stream5_tcp: 'policy noack'
deleted -> stream5_tcp: 'policy unknown'
-deleted -> stream5_tcp: 'use_static_footprint_sizes'
deleted -> stream5_udp: 'ignore_any_rules'
deleted -> tcpdump: '<filename> can no longer be specific'
deleted -> test: 'file'
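Review bot: the snort2lua mapping changes in this region have no matching ChangeLog entry in this patch. The conversions for 'ac-banded', 'ac-sparsebands', 'ac-std' and 'acs' change from ac_full to ac_banded, ac_sparse_bands, ac_std and ac_sparse; 'search-optimize' moves from the deleted list ("search-optimize is always true") to a converted option (search_optimize); and the entries for 'enable_mpls_overlapping_ip', 'max_requestName_len', 'disable_replace', 'enable_mpls_multicast', 'stateful', 'fast_blocking', 'normalize_random_nulls_in_text' and 'use_static_footprint_sizes' disappear entirely. Either add a ChangeLog line describing the converter change or, if these differences come from the documentation having been generated from a differently configured build than the 3.1.27.0 copy, confirm that before release: a converted snort.conf that previously got ac_full now gets a search method that must exist in the target install.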
The Snort Team
Revision History
-Revision 3.1.27.0 2022-04-07 13:35:21 EDT TST
+Revision 3.1.28.0 2022-04-25 10:44:39 EDT TST
---------------------------------------------------------------------
5.10. HTTP Inspector
5.11. HTTP/2 Inspector
5.12. IEC104 Inspector
- 5.13. Performance Monitor
- 5.14. POP and IMAP
- 5.15. Port Scan
- 5.16. Sensitive Data Filtering
- 5.17. SMTP
- 5.18. Telnet
- 5.19. Trace
- 5.20. Wizard
+ 5.13. MMS Inspector
+ 5.14. Performance Monitor
+ 5.15. POP and IMAP
+ 5.16. Port Scan
+ 5.17. Sensitive Data Filtering
+ 5.18. SMTP
+ 5.19. Telnet
+ 5.20. Trace
+ 5.21. Wizard
6. DAQ Configuration and Modules
can contain any combination of criteria and binder.use can specify an
action, config file, or inspector configuration.
+If binder is not explicitly configured (via file *.lua or option
+--lua), a default binder will be instantiated in which bindings will
+be created for all service inspectors configured. Some bindings may
+require a configured wizard to detect the service type.
+
5.4. Byte rule options
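Review bot: the added paragraph says "Some bindings may require a configured wizard to detect the service type" without saying which, so a reader cannot tell from this text whether the default binder will pick up their inspector. Suggest stating the condition directly or pointing at the wizard section; the MMS quick guide added in this patch (wizard = { curses = {'mms'}, } plus a when = { service = 'mms' } binding) is the worked case. Minor: "via file *.lua or option --lua" reads better as "via a *.lua file or the --lua option".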
name, or the lowercase function name.
-5.13. Performance Monitor
+5.13. MMS Inspector
+
+--------------
+
+MMS inspector is a service inspector for the MMS protocol within the
+IEC 61850 specification.
+
+5.13.1. Overview
+
+IEC 61850 is a family of protocols, including MMS, distributed by the
+International Electrotechnical Commission (IEC) that provide a
+standardized method of sending service messages between various
+manufacturing and process control devices, typically running on TCP
+port 102.
+
+It is used in combination with various parts of the OSI model, most
+notably the TPKT, COTP, Session, Presentation, and ACSE layers, to
+provide reliable transport via TCP/IP.
+
+The MMS inspector decodes the OSI layers encapsulating the MMS
+protocol and provides rule writers access to certain protocol fields
+and data content through rule options. This allows the user to write
+rules for MMS messages without decoding the protocol.
+
+5.13.2. Configuration
+
+MMS messages can be sent in a variety of ways including multiple PDUs
+within one TCP packet, one PDU split across multiple TCP packets, or
+a combination of the two. It is the aim of the MMS service inspector
+to normalize the traffic such that only complete MMS messages are
+presented to the user. No manual configuration other than enabling
+the MMS service inspector is necessary to leverage this
+functionality.
+
+5.13.3. Quick Guide
+
+A typical MMS configuration looks like this:
+
+wizard = { curses = {'mms'}, }
+mms = { }
+
+binder =
+{
+ { when = { service = 'mms' }, use = { type = 'mms' } },
+ { use = { type = 'wizard' } }
+}
+
+In this example, the mms inspector is defined based on patterns known
+to be consistent with MMS messages.
+
+5.13.4. Rule Options
+
+New rule options are supported by enabling the MMS inspector:
+
+ * mms_data
+ * mms_func
+
+5.13.4.1. mms_data
+
+mms_data moves the cursor to the start of the MMS message, bypassing
+all of the OSI encapsulation layers and allowing subsequent rule
+options to start processing from the MMS PDU field.
+
+This option takes no arguments.
+
+In the following example, the rule is using the mms_data rule option
+to set the cursor position to the beginning of the MMS PDU, and then
+checking the byte at that position for the value indicative of an
+Initiate-Request message.
+
+alert tcp ( \
+ msg: "PROTOCOL-SCADA MMS Initiate-Request"; \
+ flow: to_server, established; \
+ mms_data; \
+ content:"|A8|", depth 1; \
+ sid:1000000; \
+)
+
+5.13.4.2. mms_func
+
+mms_func takes the supplied function name or number and compares it
+with the Confirmed Service Request/Response in the message being
+analyzed.
+
+This option takes one argument.
+
+In the following example the rule is using the mms_func rule option
+with a string argument containing the Confirmed Service Request
+service name on which to alert. This is combined with a content match
+for a Confirmed Service Request message (0xA0) to allow for use of
+the fast pattern matcher.
+
+alert tcp ( \
+ msg: "PROTOCOL-SCADA MMS svc get_name_list"; \
+ flow: to_server, established; \
+ content:"|A0|"; \
+ mms_func: get_name_list; \
+ sid:1000000; \
+)
+
+The following example also uses the mms_func rule option to alert on
+a GetNameList message, but this time an integer argument containing
+the function number is used.
+
+alert tcp ( \
+ msg: "PROTOCOL-SCADA MMS svc get_name_list"; \
+ flow: to_server, established; \
+ content:"|A0|"; \
+ mms_func:1; \
+ sid:1000001; \
+)
+
+
+5.14. Performance Monitor
--------------
being dropped without hitting a rule? perf_monitor! Why is a sensor
leaking water? Not perf_monitor, check with stream…
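Review bot: the first two example rules in 5.13.4 both carry sid:1000000 (the Initiate-Request rule under mms_data and the first get_name_list rule under mms_func) while the third uses sid:1000001; a reader who pastes the examples into one rules file gets a duplicate sid, so give the first rule its own number. Also, "In this example, the mms inspector is defined based on patterns known to be consistent with MMS messages" describes the wizard rather than the inspector: the curses = {'mms'} entry lets the wizard identify the service and the service = 'mms' binding then hands the flow to the mms inspector, and rewording it that way would match the two-line binder shown. Finally, in the mms_func examples the content:"|A0|" match is not preceded by mms_data or limited by depth, so it only acts as the fast-pattern pre-filter the text mentions; a sentence saying that mms_func performs the actual check would stop readers treating the 0xA0 byte match as the detection.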
-5.13.1. Overview
+5.14.1. Overview
The Snort performance monitor is the built-in utility for monitoring
system and traffic statistics. All statistics are separated by
processing thread. perf_monitor supports several trackers for
monitoring such data:
-5.13.2. Base Tracker
+5.14.2. Base Tracker
The base tracker is used to gather running statistics about Snort and
its running modules. All Snort modules gather, at the very least,
Note: Event stats from prior Snorts are now located within base
statistics.
-5.13.3. Flow Tracker
+5.14.3. Flow Tracker
Flow tracks statistics regarding traffic and L3/L4 protocol
distributions. This data can be used to build a profile of traffic
perf_monitor = { flow = true }
-5.13.4. FlowIP Tracker
+5.14.4. FlowIP Tracker
FlowIP provides statistics for individual hosts within a network.
This data can be used for identifying communication habits, such as
perf_monitor = { flow_ip = true }
-5.13.5. CPU Tracker
+5.14.5. CPU Tracker
This tracker monitors the CPU and wall time spent by a given
processing thread.
perf_monitor = { cpu = true }
-5.13.6. Formatters
+5.14.6. Formatters
Performance monitor allows statistics to be output in a few formats.
Along with human readable text (as seen at shutdown) and csv formats,
monitor or the code provided for fbstreamer.
-5.14. POP and IMAP
+5.15. POP and IMAP
--------------
POP inspector is a service inspector for POP3 protocol and IMAP
inspector is for IMAP4 protocol.
-5.14.1. Overview
+5.15.1. Overview
POP and IMAP inspectors examine data traffic and find POP and IMAP
commands and responses. The inspectors also identify the command,
appropriately. The pop and imap also identify and whitelist the pop
and imap traffic.
-5.14.2. Configuration
+5.15.2. Configuration
POP inspector and IMAP inspector offer same set of configuration
options for MIME decoding depth. These depths range from 0 to 65535
The depth limits apply per attachment. They are:
-5.14.2.1. b64_decode_depth
+5.15.2.1. b64_decode_depth
Set the base64 decoding depth used to decode the base64-encoded MIME
attachments.
-5.14.2.2. qp_decode_depth
+5.15.2.2. qp_decode_depth
Set the Quoted-Printable (QP) decoding depth used to decode
QP-encoded MIME attachments.
-5.14.2.3. bitenc_decode_depth
+5.15.2.3. bitenc_decode_depth
Set the non-encoded MIME extraction depth used for non-encoded MIME
attachments.
-5.14.2.4. uu_decode_depth
+5.15.2.4. uu_decode_depth
Set the Unix-to-Unix (UU) decoding depth used to decode UU-encoded
attachments.
-5.14.2.5. Examples
+5.15.2.5. Examples
stream = { }
}
-5.15. Port Scan
+5.16. Port Scan
--------------
A module to detect port scanning
-5.15.1. Overview
+5.16.1. Overview
This module is designed to detect the first phase in a network
attack: Reconnaissance. In the Reconnaissance phase, an attacker
triggered. Open port events are not individual alerts, but tags based
off the original scan alert.
-5.15.2. Scan levels
+5.16.2. Scan levels
There are 3 default scan levels that can be set.
monitoring, but is very sensitive to active hosts. This most
definitely will require the user to tune Portscan.
-5.15.3. Tuning Portscan
+5.16.3. Tuning Portscan
The most important aspect in detecting portscans is tuning the
detection engine for your network(s). Here are some tuning tips:
filtered scans, since these are more prone to false positives.
-5.16. Sensitive Data Filtering
+5.17. Sensitive Data Filtering
--------------
addresses. A rich regular expression syntax is available for defining
your own PII.
-5.16.1. Hyperscan
+5.17.1. Hyperscan
The sd_pattern rule option is powered by the open source Hyperscan
library from Intel. It provides a regex grammar which is mostly PCRE
compatible. To learn more about Hyperscan see https://intel.github.io
/hyperscan/dev-reference/
-5.16.2. Syntax
+5.17.2. Syntax
Snort provides sd_pattern as IPS rule option with no additional
inspector overhead. The Rule option takes the following syntax.
sd_pattern: "<pattern>"[, threshold <count>];
-5.16.2.1. Pattern
+5.17.2.1. Pattern
Pattern is the most important and is the only required parameter to
sd_pattern. It supports 3 built in patterns which are configured by
Note: This is just an example, this pattern is not suitable to detect
many correctly formatted emails.
-5.16.2.2. Threshold
+5.17.2.2. Threshold
Threshold is an optional parameter allowing you to change built in
default value (default value is 1). The following two instances are
literal" to qualify as a positive match. That is, if the string only
occurred 299 times in a packet, you will not see an event.
-5.16.2.3. Obfuscating Credit Cards and Social Security Numbers
+5.17.2.3. Obfuscating Credit Cards and Social Security Numbers
Snort provides discreet logging for the built in patterns
"credit_card", "us_social" and "us_social_nodashes". Enabling
obfuscate_pii = true
}
-5.16.3. Example
+5.17.3. Example
A complete Snort IPS rule
58 58 58 58 58 58 58 58 58 58 58 58 39 32 39 34 XXXXXXXXXXXX9294
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-5.16.4. Caveats
+5.17.4. Caveats
1. Snort currently requires setting the fast pattern engine to use
"hyperscan" in order for sd_pattern ips option to function
(This is a known bug).
-5.17. SMTP
+5.18. SMTP
--------------
SMTP inspector is a service inspector for SMTP protocol.
-5.17.1. Overview
+5.18.1. Overview
The SMTP inspector examines SMTP connections looking for commands and
responses. It also identifies the command, header and body sections,
SMTP inspector logs the filename, email addresses, attachment names
when configured.
-5.17.2. Configuration
+5.18.2. Configuration
SMTP command lines can be normalized to remove extraneous spaces.
TLS-encrypted traffic can be ignored, which improves performance. In
The configuration options are described below:
-5.17.2.1. normalize and normalize_cmds
+5.18.2.1. normalize and normalize_cmds
Normalization checks for more than one space character after a
command. Space characters are defined as space (ASCII 0x20) or tab
smtp = { normalize = 'cmds', normalize_cmds = 'RCPT VRFY EXPN' }
-5.17.2.2. ignore_data
+5.18.2.2. ignore_data
Set it to true to ignore data section of mail (except for mail
headers) when processing rules.
-5.17.2.3. ignore_tls_data
+5.18.2.3. ignore_tls_data
Set it to true to ignore TLS-encrypted data when processing rules.
-5.17.2.4. max_command_line_len
+5.18.2.4. max_command_line_len
Alert if an SMTP command line is longer than this value. Absence of
this option or a "0" means never alert on command line length. RFC
2821 recommends 512 as a maximum command line length.
-5.17.2.5. max_header_line_len
+5.18.2.5. max_header_line_len
Alert if an SMTP DATA header line is longer than this value. Absence
of this option or a "0" means never alert on data header line length.
RFC 2821 recommends 1024 as a maximum data header line length.
-5.17.2.6. max_response_line_len
+5.18.2.6. max_response_line_len
Alert if an SMTP response line is longer than this value. Absence of
this option or a "0" means never alert on response line length. RFC
2821 recommends 512 as a maximum response line length.
-5.17.2.7. alt_max_command_line_len
+5.18.2.7. alt_max_command_line_len
Overrides max_command_line_len for specific commands For example:
},
}
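Review bot: the context line under 5.18.2.7, `Overrides max_command_line_len for specific commands For example:`, is missing a period after "commands"; since the heading is being rewritten anyway, this is a cheap fix to fold into the same edit.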
-5.17.2.8. invalid_cmds
+5.18.2.8. invalid_cmds
Alert if this command is sent from client side.
-5.17.2.9. valid_cmds
+5.18.2.9. valid_cmds
List of valid commands. We do not alert on commands in this list.
STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS X-LINK2STATE
XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR ]]
-5.17.2.10. data_cmds
+5.18.2.10. data_cmds
List of commands that initiate sending of data with an end of data
delimiter the same as that of the DATA command per RFC 5321 - "
<CRLF>.<CRLF>".
-5.17.2.11. binary_data_cmds
+5.18.2.11. binary_data_cmds
List of commands that initiate sending of data and use a length value
after the command to indicate the amount of data to be sent, similar
to that of the BDAT command per RFC 3030.
-5.17.2.12. auth_cmds
+5.18.2.12. auth_cmds
List of commands that initiate an authentication exchange between
client and server.
-5.17.2.13. xlink2state
+5.18.2.13. xlink2state
Enable/disable xlink2state alert, options are {disable | alert |
drop}. See CVE-2005-0560 for a description of the vulnerability.
-5.17.2.14. MIME processing depth parameters
+5.18.2.14. MIME processing depth parameters
These four MIME processing depth parameters are identical to their
POP and IMAP counterparts. See that section for further details.
b64_decode_depth qp_decode_depth bitenc_decode_depth uu_decode_depth
-5.17.2.15. Log Options
+5.18.2.15. Log Options
Following log options allow SMTP inspector to log email addresses and
filenames. Please note, this is logged only with the unified2 output
allowed range for this option is 0 - 20480. A value of 0 will disable
email headers logging. The default value for this option is 1464.
-5.17.3. Example
+5.18.3. Example
smtp =
{
}
-5.18. Telnet
+5.19. Telnet
--------------
connection is encrypted, per the use of the telnet encryption option
per RFC 2946.
-5.18.1. Configuring the inspector to block exploits and attacks
+5.19.1. Configuring the inspector to block exploits and attacks
ayt_attack_thresh number
vulnerabilities relating to bsd-based implementations of telnet.
-5.19. Trace
+5.20. Trace
--------------
wizard and snort.inspector_manager) are providing non-debug trace
messages in normal production builds.
-5.19.1. Trace module
+5.20.1. Trace module
The trace module is responsible for configuring traces and supports
the following parameters:
set or clear modules traces and packet filter constraints via the
control channel command.
-5.19.2. Trace module - configuring traces
+5.20.2. Trace module - configuring traces
The trace module has the modules option - a table with trace
configuration for specific modules. The following lines placed in
}
}
-5.19.3. Trace module - configuring packet filter constraints for
+5.20.3. Trace module - configuring packet filter constraints for
packet related trace messages
There is a capability to filter traces by the packet constraints. The
}
}
-5.19.4. Trace module - configuring trace output method
+5.20.4. Trace module - configuring trace output method
There is a capability to configure the output method for trace
messages. The trace module has the output option with two acceptable
As a result, each trace message will be printed into syslog (the
Snort run-mode will be ignored).
-5.19.5. Configuring traces via control channel command
+5.20.5. Configuring traces via control channel command
There is a capability to configure module trace options and packet
constraints via the control channel command by using a Snort shell.
trace.set({}) - disable traces and constraints (set to empty)
-5.19.6. Trace messages format
+5.20.6. Trace messages format
Each tracing message has a standard format:
s – seconds
S – milliseconds
-5.19.7. Example - Debugging rules using detection trace
+5.20.7. Example - Debugging rules using detection trace
The detection engine is responsible for rule evaluation. Turning on
the trace for it can help with debugging new rules.
detection:rule_vars:1: Rule options variables: var[0]=1 var[1]=10 var[2]=0
04/22-20:21:40.905630, 1, TCP, raw, 56, C2S, 127.0.0.1:1234, 127.0.0.1:5678, 1:3:0, allow
-5.19.8. Example - Protocols decoding trace
+5.20.8. Example - Protocols decoding trace
Turning on decode trace will print out information about the packets
decoded protocols. Can be useful in case of tunneling.
decode:all:1: Codec icmp4 (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 8
decode:all:1: Codec unknown (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 0
-5.19.9. Example - Track the time packet spends in each inspector
+5.20.9. Example - Track the time packet spends in each inspector
There is a capability to track which inspectors evaluate a packet,
and how much time the inspector consumes doing so. These trace
snort:inspector_manager:1: end inspection, raw, packet 1, context 1, total time: 0 usec
snort:main:1: [0] Destroying completed command RUN
-5.19.10. Example - trace filtering by packet constraints:
+5.20.10. Example - trace filtering by packet constraints:
In snort.lua, the following lines were added:
The trace messages for two last packets (numbers 5 and 6) weren’t
printed.
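Review bot: since this heading line is being rewritten, drop the trailing colon in `5.20.10. Example - trace filtering by packet constraints:`; none of the sibling Example headings (5.20.7 to 5.20.9 and 5.20.11) end with one.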
-5.19.11. Example - configuring traces via trace.set() command
+5.20.11. Example - configuring traces via trace.set() command
In snort.lua, the following lines were added:
filtered because they don’t include a packet (a packet isn’t
well-formed at the point when the message is printing).
-5.19.12. Other available traces
+5.20.12. Other available traces
There are more trace options supported by detection:
structures.
-5.20. Wizard
+5.21. Wizard
--------------
wizard is still under development; if you find you need to tweak the
defaults please let us know.
-5.20.1. Wizard patterns
+5.21.1. Wizard patterns
Wizard supports 3 kinds of patterns:
matches that packet or wizard’s max_search_depth is reached, the
meta-flow is abandoned by wizard.
-5.20.2. Wizard patterns - Spells
+5.21.2. Wizard patterns - Spells
Spell is a text based pattern. The best area of usage - text
protocols: http, smtp, sip, etc. Spells are:
to_client = { '220*SMTP', '220*MAIL' }
}
-5.20.3. Wizard patterns - Hexes
+5.21.3. Wizard patterns - Hexes
Hexes can be used to match binary protocols: dnp3, http2, ssl, etc.
Hexes use hexadecimal representation of the data for pattern
to_client = { '|05 64|' }
}
-5.20.4. Wizard patterns - Curses
+5.21.4. Wizard patterns - Curses
Curses are internal algorithms of service identification. They are
implemented as state machines in C++ code and can have their own
A configuration which enables some curses:
curses = {'dce_udp', 'dce_tcp', 'dce_smb', 'sslv2'}
-5.20.5. Additional Details:
+5.21.5. Additional Details:
* Note that usually more specific patterns have higher precedence.
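Review bot: same style point for `5.21.5. Additional Details:`: no other heading in the Wizard section (5.21.1 to 5.21.4) ends with a colon, and it can be removed in the same renumbering edit.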