The Snort Team
Revision History
-Revision 3.1.39.0 2022-08-10 12:15:07 EDT TST
+Revision 3.1.40.0 2022-08-25 09:58:14 EDT TST
---------------------------------------------------------------------
7.50. http_header
7.51. http_header_test
7.52. http_method
- 7.53. http_num_headers
- 7.54. http_num_trailers
- 7.55. http_param
- 7.56. http_raw_body
- 7.57. http_raw_cookie
- 7.58. http_raw_header
- 7.59. http_raw_request
- 7.60. http_raw_status
- 7.61. http_raw_trailer
- 7.62. http_raw_uri
- 7.63. http_stat_code
- 7.64. http_stat_msg
- 7.65. http_trailer
- 7.66. http_trailer_test
- 7.67. http_true_ip
- 7.68. http_uri
- 7.69. http_version
- 7.70. http_version_match
- 7.71. icmp_id
- 7.72. icmp_seq
- 7.73. icode
- 7.74. id
- 7.75. iec104_apci_type
- 7.76. iec104_asdu_func
- 7.77. ip_proto
- 7.78. ipopts
- 7.79. isdataat
- 7.80. itype
- 7.81. js_data
- 7.82. md5
- 7.83. metadata
- 7.84. mms_data
- 7.85. mms_func
- 7.86. modbus_data
- 7.87. modbus_func
- 7.88. modbus_unit
- 7.89. msg
- 7.90. mss
- 7.91. pcre
- 7.92. pkt_data
- 7.93. pkt_num
- 7.94. priority
- 7.95. raw_data
- 7.96. reference
- 7.97. regex
- 7.98. rem
- 7.99. replace
- 7.100. rev
- 7.101. rpc
- 7.102. s7commplus_content
- 7.103. s7commplus_func
- 7.104. s7commplus_opcode
- 7.105. sd_pattern
- 7.106. seq
- 7.107. service
- 7.108. sha256
- 7.109. sha512
- 7.110. sid
- 7.111. sip_body
- 7.112. sip_header
- 7.113. sip_method
- 7.114. sip_stat_code
- 7.115. so
- 7.116. soid
- 7.117. ssl_state
- 7.118. ssl_version
- 7.119. stream_reassemble
- 7.120. stream_size
- 7.121. tag
- 7.122. target
- 7.123. tos
- 7.124. ttl
- 7.125. urg
- 7.126. vba_data
- 7.127. window
- 7.128. wscale
+ 7.53. http_num_cookies
+ 7.54. http_num_headers
+ 7.55. http_num_trailers
+ 7.56. http_param
+ 7.57. http_raw_body
+ 7.58. http_raw_cookie
+ 7.59. http_raw_header
+ 7.60. http_raw_request
+ 7.61. http_raw_status
+ 7.62. http_raw_trailer
+ 7.63. http_raw_uri
+ 7.64. http_stat_code
+ 7.65. http_stat_msg
+ 7.66. http_trailer
+ 7.67. http_trailer_test
+ 7.68. http_true_ip
+ 7.69. http_uri
+ 7.70. http_version
+ 7.71. http_version_match
+ 7.72. icmp_id
+ 7.73. icmp_seq
+ 7.74. icode
+ 7.75. id
+ 7.76. iec104_apci_type
+ 7.77. iec104_asdu_func
+ 7.78. ip_proto
+ 7.79. ipopts
+ 7.80. isdataat
+ 7.81. itype
+ 7.82. js_data
+ 7.83. md5
+ 7.84. metadata
+ 7.85. mms_data
+ 7.86. mms_func
+ 7.87. modbus_data
+ 7.88. modbus_func
+ 7.89. modbus_unit
+ 7.90. msg
+ 7.91. mss
+ 7.92. pcre
+ 7.93. pkt_data
+ 7.94. pkt_num
+ 7.95. priority
+ 7.96. raw_data
+ 7.97. reference
+ 7.98. regex
+ 7.99. rem
+ 7.100. replace
+ 7.101. rev
+ 7.102. rpc
+ 7.103. s7commplus_content
+ 7.104. s7commplus_func
+ 7.105. s7commplus_opcode
+ 7.106. sd_pattern
+ 7.107. seq
+ 7.108. service
+ 7.109. sha256
+ 7.110. sha512
+ 7.111. sid
+ 7.112. sip_body
+ 7.113. sip_header
+ 7.114. sip_method
+ 7.115. sip_stat_code
+ 7.116. so
+ 7.117. soid
+ 7.118. ssl_state
+ 7.119. ssl_version
+ 7.120. stream_reassemble
+ 7.121. stream_size
+ 7.122. tag
+ 7.123. target
+ 7.124. tos
+ 7.125. ttl
+ 7.126. urg
+ 7.127. vba_data
+ 7.128. window
+ 7.129. wscale
8. Search Engine Modules
9. SO Rule Modules
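Review bot: the renumbering from 7.54 (http_num_headers) through 7.129 (wscale) is consistent with a single insertion of http_num_cookies at 7.53, and the alphabetical placement before http_num_headers is right; but only the table of contents and the section headings are shifted in this patch, so any cross-reference in the manual or reference that cites one of these rule options by section number (7.53 to 7.128 in the old numbering) now points one entry off and needs the same shift.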
Configuration:
- * int event_filter[].gid = 1: rule generator ID { 0:max32 }
+ * int event_filter[].gid = 1: rule generator ID { 0:8129 }
* int event_filter[].sid = 1: rule signature ID { 0:max32 }
* enum event_filter[].type: 1st count events | every count events |
once after count events { limit | threshold | both }
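Review bot: the upper bound for event_filter[].gid drops from max32 to 8129, and the same bound is applied to rate_filter[].gid, suppress[].gid and the gid rule option further down in this patch, yet the upgrade-guide hunk in this patch carries no entry for it. Any existing configuration or rule set that uses a generator ID above 8129 will fail validation after this change, so the new limit belongs in the upgrade notes, and the documented `{ 0:8129 }` (an unusual bound compared with the max32 style used elsewhere in this list) should be checked against the constant the parser actually enforces so the documented and enforced limits do not drift.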
Configuration:
- * int rate_filter[].gid = 1: rule generator ID { 0:max32 }
+ * int rate_filter[].gid = 1: rule generator ID { 0:8129 }
* int rate_filter[].sid = 1: rule signature ID { 0:max32 }
* enum rate_filter[].track = by_src: filter only matching source or
destination addresses { by_src | by_dst | by_rule }
Configuration:
- * int suppress[].gid = 0: rule generator ID { 0:max32 }
+ * int suppress[].gid = 0: rule generator ID { 0:8129 }
* int suppress[].sid = 0: rule signature ID { 0:max32 }
* enum suppress[].track: suppress only matching source or
destination addresses { by_src | by_dst }
Usage: context
+Configuration:
+
+ * int_list vlan.extra_tpid_ether_types = 0x9100 0x9200: set
+ non-standard QinQ ether types { 65535 }
+
Rules:
* 116:130 (vlan) bad VLAN frame
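Review bot: the range for the new int_list vlan.extra_tpid_ether_types is written as `{ 65535 }`, while every other bounded option in this reference uses the `{ low:high }` form (for example `{ 0:65535 }`); if the brace is meant as the per-element maximum for the list, make that explicit or use the two-ended form, since a reader cannot tell from `{ 65535 }` whether 0 is accepted. The defaults 0x9100 and 0x9200 are shown in hex while the bound is decimal; one radix would make it obvious that the bound is 0xFFFF, i.e. any 16-bit ether type.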
Configuration:
- * select data_log.key = http_request_header_event : name of the
+ * select data_log.key = 'http_request_header_event ': name of the
event to log { http_request_header_event |
http_response_header_event }
* int data_log.limit = 0: set maximum size in MB before rollover (0
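Review bot: the new quoted default `'http_request_header_event '` has a space before the closing quote, so it no longer matches the enum value `http_request_header_event` listed in the braces on the next line. Quoting the default is the right fix for the old ambiguous `= http_request_header_event :` rendering, but check whether the trailing space is a typo in the generated text or is really present in the default string of the data_log key parameter; in the second case a select default that equals none of the listed values is a module bug rather than a documentation one. The same string with the trailing space appears again in the option-index hunk later in this patch.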
for Host header value (-1 no limit) { -1:max53 }
* int http_inspect.maximum_chunk_length = 4294967295: maximum
allowed length for a message body chunk { 0:4294967295 }
+ * int http_inspect.maximum_header_length = 4096: alert when the
+ length of a header exceeds this value { 0:65535 }
+ * int http_inspect.maximum_headers = 200: alert when the number of
+ headers in a message exceeds this value { 0:65535 }
* bool http_inspect.normalize_utf = true: normalize charset utf
encodings in response bodies
* bool http_inspect.decompress_pdf = false: decompress pdf files in
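Review bot: maximum_header_length and maximum_headers both accept 0 at the bottom of their `{ 0:65535 }` ranges, but the help text does not say what 0 means. Read literally, 0 would raise 119:19 on every header line and 119:20 on every message with at least one header; compare the maximum_host_length entry whose tail `(-1 no limit) { -1:max53 }` is the first context line of this hunk, which reserves and documents an explicit disable value. Either state that 0 is a valid always-alerting setting, or add a disable value and document it the same way.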
maximum_chunk_length
* 119:18 (http_inspect) URI path includes /../ that goes above the
root directory
- * 119:19 (http_inspect) HTTP header line exceeds 4096 bytes
- * 119:20 (http_inspect) HTTP message has more than 200 header
- fields
+ * 119:19 (http_inspect) HTTP header line exceeds
+ maximum_header_length option bytes
+ * 119:20 (http_inspect) HTTP message has more than maximum_headers
+ option header fields
* 119:21 (http_inspect) HTTP message has more than one
Content-Length header value
* 119:24 (http_inspect) Host header field appears more than once or
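Review bot: the new alert messages read "exceeds maximum_header_length option bytes" and "more than maximum_headers option header fields", which is awkward because the option name was dropped into the slot where the number used to be. Since these are fixed strings (which is exactly why the 4096 and 200 had to come out), consider phrasing them around the option instead, e.g. `HTTP header line exceeds the configured maximum_header_length` and `HTTP message has more header fields than the configured maximum_headers`, so the message still reads as a sentence in alert output and logs.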
Help: reputation inspection
-Type: inspector (first)
+Type: inspector (passive)
Usage: context
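Review bot: changing the reputation inspector's type from first to passive alters its position in (or removes it from) the per-packet evaluation order, but the help line is unchanged and neither the upgrade-guide hunk nor anything else in this patch explains the new behaviour. A short note on what now performs the reputation lookup, and whether configuration order or binder entries need changing, belongs with this change so users who relied on reputation running first can verify their setup.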
Configuration:
- * int gid.~: generator id { 1:max32 }
+ * int gid.~: generator id { 1:8129 }
7.45. gtp_info
message trailers
-7.53. http_num_headers
+7.53. http_num_cookies
+
+--------------
+
+Help: rule option to perform range check on number of cookies
+
+Type: ips_option
+
+Usage: detect
+
+Configuration:
+
+ * interval http_num_cookies.~range: check that number of cookies of
+ current header are in given range { 0:65535 }
+ * implied http_num_cookies.request: match against the version from
+ the request message even when examining the response
+
+
+7.54. http_num_headers
--------------
Configuration:
* interval http_num_headers.~range: check that number of headers of
- current buffer are in given range { 0:200 }
+ current buffer are in given range { 0:65535 }
* implied http_num_headers.request: match against the version from
the request message even when examining the response
* implied http_num_headers.with_header: this rule is limited to
HTTP message trailers
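Review bot: the help text for the new http_num_cookies options looks copied from neighbouring entries without being adapted. `http_num_cookies.request` says "match against the version from the request message", which is the http_version wording and should say "number of cookies"; and `http_num_cookies.~range` says "number of cookies of current header", while the manual text added later in this patch counts the cookies in the Cookie header of a request and all Set-Cookie headers of a response, i.e. per message rather than per header. The same "version" wording already sits in http_num_headers.request in the context lines below, so fix all three together.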
-7.54. http_num_trailers
+7.55. http_num_trailers
--------------
Configuration:
* interval http_num_trailers.~range: check that number of headers
- of current buffer are in given range { 0:200 }
+ of current buffer are in given range { 0:65535 }
* implied http_num_trailers.request: match against the version from
the request message even when examining the response
* implied http_num_trailers.with_header: this rule is limited to
examine HTTP message trailers
-7.55. http_param
+7.56. http_param
--------------
* implied http_param.nocase: case insensitive match
-7.56. http_raw_body
+7.57. http_raw_body
--------------
Usage: detect
-7.57. http_raw_cookie
+7.58. http_raw_cookie
--------------
HTTP message trailers
-7.58. http_raw_header
+7.59. http_raw_header
--------------
HTTP message trailers
-7.59. http_raw_request
+7.60. http_raw_request
--------------
HTTP message trailers
-7.60. http_raw_status
+7.61. http_raw_status
--------------
HTTP message trailers
-7.61. http_raw_trailer
+7.62. http_raw_trailer
--------------
HTTP response message body (must be combined with request)
-7.62. http_raw_uri
+7.63. http_raw_uri
--------------
URI only
-7.63. http_stat_code
+7.64. http_stat_code
--------------
HTTP message trailers
-7.64. http_stat_msg
+7.65. http_stat_msg
--------------
HTTP message trailers
-7.65. http_trailer
+7.66. http_trailer
--------------
message body (must be combined with request)
-7.66. http_trailer_test
+7.67. http_trailer_test
--------------
* implied http_trailer_test.absent: trailer is absent
-7.67. http_true_ip
+7.68. http_true_ip
--------------
HTTP message trailers
-7.68. http_uri
+7.69. http_uri
--------------
only
-7.69. http_version
+7.70. http_version
--------------
HTTP message trailers
-7.70. http_version_match
+7.71. http_version_match
--------------
examine HTTP message trailers
-7.71. icmp_id
+7.72. icmp_id
--------------
0:65535 }
-7.72. icmp_seq
+7.73. icmp_seq
--------------
given range { 0:65535 }
-7.73. icode
+7.74. icode
--------------
0:255 }
-7.74. id
+7.75. id
--------------
}
-7.75. iec104_apci_type
+7.76. iec104_apci_type
--------------
* string iec104_apci_type.~: APCI type to match
-7.76. iec104_asdu_func
+7.77. iec104_asdu_func
--------------
* string iec104_asdu_func.~: function code to match
-7.77. ip_proto
+7.78. ip_proto
--------------
* string ip_proto.~proto: [!|>|<] name or number
-7.78. ipopts
+7.79. ipopts
--------------
lsrre|ssrr|satid|any }
-7.79. isdataat
+7.80. isdataat
--------------
buffer
-7.80. itype
+7.81. itype
--------------
0:255 }
-7.81. js_data
+7.82. js_data
--------------
Usage: detect
-7.82. md5
+7.83. md5
--------------
of buffer
-7.83. metadata
+7.84. metadata
--------------
pairs
-7.84. mms_data
+7.85. mms_data
--------------
Usage: detect
-7.85. mms_func
+7.86. mms_func
--------------
* string mms_func.~: func to match
-7.86. modbus_data
+7.87. modbus_data
--------------
Usage: detect
-7.87. modbus_func
+7.88. modbus_func
--------------
* string modbus_func.~: function code to match
-7.88. modbus_unit
+7.89. modbus_unit
--------------
* int modbus_unit.~: Modbus unit ID { 0:255 }
-7.89. msg
+7.90. msg
--------------
* string msg.~: message describing rule
-7.90. mss
+7.91. mss
--------------
}
-7.91. pcre
+7.92. pcre
--------------
* pcre.pcre_negated: total pcre rules using negation syntax (sum)
-7.92. pkt_data
+7.93. pkt_data
--------------
Usage: detect
-7.93. pkt_num
+7.94. pkt_num
--------------
{ 1: }
-7.94. priority
+7.95. priority
--------------
1:max31 }
-7.95. raw_data
+7.96. raw_data
--------------
Usage: detect
-7.96. reference
+7.97. reference
--------------
* string reference.~ref: reference: <scheme>,<id>
-7.97. regex
+7.98. regex
--------------
instead of start of buffer
-7.98. rem
+7.99. rem
--------------
* string rem.~: comment
-7.99. replace
+7.100. replace
--------------
* string replace.~: byte code to replace with
-7.100. rev
+7.101. rev
--------------
* int rev.~: revision { 1:max32 }
-7.101. rpc
+7.102. rpc
--------------
* string rpc.~proc: procedure number or * for any
-7.102. s7commplus_content
+7.103. s7commplus_content
--------------
Usage: detect
-7.103. s7commplus_func
+7.104. s7commplus_func
--------------
* string s7commplus_func.~: function code to match
-7.104. s7commplus_opcode
+7.105. s7commplus_opcode
--------------
* string s7commplus_opcode.~: opcode code to match
-7.105. sd_pattern
+7.106. sd_pattern
--------------
* sd_pattern.terminated: hyperscan terminated (sum)
-7.106. seq
+7.107. seq
--------------
range { 0: }
-7.107. service
+7.108. service
--------------
* string service.*: one or more comma-separated service names
-7.108. sha256
+7.109. sha256
--------------
start of buffer
-7.109. sha512
+7.110. sha512
--------------
start of buffer
-7.110. sid
+7.111. sid
--------------
* int sid.~: signature id { 1:max32 }
-7.111. sip_body
+7.112. sip_body
--------------
Usage: detect
-7.112. sip_header
+7.113. sip_header
--------------
Usage: detect
-7.113. sip_method
+7.114. sip_method
--------------
* string sip_method.*method: sip method
-7.114. sip_stat_code
+7.115. sip_stat_code
--------------
* int sip_stat_code.*code: status code { 1:999 }
-7.115. so
+7.116. so
--------------
buffer
-7.116. soid
+7.117. soid
--------------
like 3_45678_9
-7.117. ssl_state
+7.118. ssl_state
--------------
unknown
-7.118. ssl_version
+7.119. ssl_version
--------------
tls1.2
-7.119. stream_reassemble
+7.120. stream_reassemble
--------------
remainder of the session
-7.120. stream_size
+7.121. stream_size
--------------
direction(s) { either|to_server|to_client|both }
-7.121. tag
+7.122. tag
--------------
* int tag.bytes: tag for this many bytes { 1:max32 }
-7.122. target
+7.123. target
--------------
dst_ip }
-7.123. tos
+7.124. tos
--------------
* interval tos.~range: check if IP TOS is in given range { 0:255 }
-7.124. ttl
+7.125. ttl
--------------
0:255 }
-7.125. urg
+7.126. urg
--------------
{ 0:65535 }
-7.126. vba_data
+7.127. vba_data
--------------
Usage: detect
-7.127. window
+7.128. window
--------------
range { 0:65535 }
-7.128. wscale
+7.129. wscale
--------------
timestamp | tos | ttl | udp_len | vlan }
* int alert_csv.limit = 0: set maximum size in MB before rollover
(0 is unlimited) { 0:maxSZ }
- * string alert_csv.separator = , : separate fields with this
+ * string alert_csv.separator = ', ': separate fields with this
character sequence
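Review bot: quoting the alert_csv.separator default as `', '` finally makes the embedded space visible (the old `= , :` read as a bare comma), so it is worth a sentence in the description: the default separator is two characters, comma and space, and consumers that split on `,` alone will see a leading space on every field after the first. Users who want strict CSV should be told to set `separator = ','` explicitly.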
timestamp | tos | ttl | udp_len | vlan }
* int alert_json.limit = 0: set maximum size in MB before rollover
(0 is unlimited) { 0:maxSZ }
- * string alert_json.separator = , : separate fields with this
+ * string alert_json.separator = ', ': separate fields with this
character sequence
stdout
* int alert_csv.limit = 0: set maximum size in MB before rollover
(0 is unlimited) { 0:maxSZ }
- * string alert_csv.separator = , : separate fields with this
+ * string alert_csv.separator = ', ': separate fields with this
character sequence
* bool alert_ex.upper = false: true/false → convert to upper/lower
case
stdout
* int alert_json.limit = 0: set maximum size in MB before rollover
(0 is unlimited) { 0:maxSZ }
- * string alert_json.separator = , : separate fields with this
+ * string alert_json.separator = ', ': separate fields with this
character sequence
* bool alerts.alert_with_interface_name = false: include interface
in alert info (fast, full, or syslog only)
* string daq.modules[].variables[].variable: DAQ module variable
(foo[=bar])
* int daq.snaplen = 1518: set snap length (same as -s) { 0:65535 }
- * select data_log.key = http_request_header_event : name of the
+ * select data_log.key = 'http_request_header_event ': name of the
event to log { http_request_header_event |
http_response_header_event }
* int data_log.limit = 0: set maximum size in MB before rollover (0
that has authentication but not encryption
* int event_filter[].count = 0: number of events in interval before
tripping; -1 to disable { -1:max31 }
- * int event_filter[].gid = 1: rule generator ID { 0:max32 }
+ * int event_filter[].gid = 1: rule generator ID { 0:8129 }
* string event_filter[].ip: restrict filter to these addresses
according to track
* int event_filter[].seconds = 0: count interval { 0:max32 }
on start up
* bool ftp_server.telnet_cmds = false: detect Telnet escape
sequences of FTP control channel
- * int gid.~: generator id { 1:max32 }
+ * int gid.~: generator id { 1:8129 }
* string gtp_info.~: info element to match
* int gtp_inspect[].infos[].length = 0: information element type
code { 0:255 }
object property to ignore
* int http_inspect.maximum_chunk_length = 4294967295: maximum
allowed length for a message body chunk { 0:4294967295 }
+ * int http_inspect.maximum_header_length = 4096: alert when the
+ length of a header exceeds this value { 0:65535 }
+ * int http_inspect.maximum_headers = 200: alert when the number of
+ headers in a message exceeds this value { 0:65535 }
* int http_inspect.maximum_host_length = -1: maximum allowed length
for Host header value (-1 no limit) { -1:max53 }
* int http_inspect.max_javascript_whitespaces = 200: maximum
examining HTTP message headers
* implied http_method.with_trailer: parts of this rule examine HTTP
message trailers
+ * interval http_num_cookies.~range: check that number of cookies of
+ current header are in given range { 0:65535 }
+ * implied http_num_cookies.request: match against the version from
+ the request message even when examining the response
* interval http_num_headers.~range: check that number of headers of
- current buffer are in given range { 0:200 }
+ current buffer are in given range { 0:65535 }
* implied http_num_headers.request: match against the version from
the request message even when examining the response
* implied http_num_headers.with_body: parts of this rule examine
* implied http_num_headers.with_trailer: parts of this rule examine
HTTP message trailers
* interval http_num_trailers.~range: check that number of headers
- of current buffer are in given range { 0:200 }
+ of current buffer are in given range { 0:65535 }
* implied http_num_trailers.request: match against the version from
the request message even when examining the response
* implied http_num_trailers.with_body: parts of this rule examine
according to track
* int rate_filter[].count = 1: number of events in interval before
tripping { 0:max32 }
- * int rate_filter[].gid = 1: rule generator ID { 0:max32 }
+ * int rate_filter[].gid = 1: rule generator ID { 0:8129 }
* dynamic rate_filter[].new_action = alert: take this action on
future hits until timeout { alert | block | drop | file_id | log
| pass | react | reject | rewrite }
before retiring session tracker { 1:max32 }
* int stream_user.session_timeout = 60: session tracking timeout {
1:max31 }
- * int suppress[].gid = 0: rule generator ID { 0:max32 }
+ * int suppress[].gid = 0: rule generator ID { 0:8129 }
* string suppress[].ip: restrict suppression to these addresses
according to track
* int suppress[].sid = 0: rule signature ID { 0:max32 }
(in Unix Epoch format)
* interval urg.~range: check if tcp urgent offset is in given range
{ 0:65535 }
+ * int_list vlan.extra_tpid_ether_types = 0x9100 0x9200: set
+ non-standard QinQ ether types { 65535 }
* interval window.~range: check if TCP window size is in given
range { 0:65535 }
* multi wizard.curses: enable service identification based on
not under the root directory /. This alert can only be generated if
the simplify_path option is configured.
-119:19 (http_inspect) HTTP header line exceeds 4096 bytes
+119:19 (http_inspect) HTTP header line exceeds maximum_header_length
+option bytes
-HTTP header line exceeds 4096 bytes. This does not apply to the start
-line. Header line length includes both header field name and value.
+HTTP header line exceeds maximum_header_length option bytes. This
+does not apply to the start line. Header line length includes both
+header field name and value.
-119:20 (http_inspect) HTTP message has more than 200 header fields
+119:20 (http_inspect) HTTP message has more than maximum_headers
+option header fields
-HTTP message has more than 200 header fields.
+HTTP message has more than maximum_headers option header fields.
119:21 (http_inspect) HTTP message has more than one Content-Length
header value
* http_inspect (inspector): HTTP inspector
* http_method (ips_option): rule option to set the detection cursor
to the HTTP request method
+ * http_num_cookies (ips_option): rule option to perform range check
+ on number of cookies
* http_num_headers (ips_option): rule option to perform range check
on number of headers
* http_num_trailers (ips_option): rule option to perform range
if the field is absent
* ips_option::http_method: rule option to set the detection cursor
to the HTTP request method
+ * ips_option::http_num_cookies: rule option to perform range check
+ on number of cookies
* ips_option::http_num_headers: rule option to perform range check
on number of headers
* ips_option::http_num_trailers: rule option to perform range check
The Snort Team
Revision History
-Revision 3.1.39.0 2022-08-10 12:14:56 EDT TST
+Revision 3.1.40.0 2022-08-25 09:59:02 EDT TST
---------------------------------------------------------------------
change -> config 'daq_dir' ==> 'daq.module_dirs'
change -> config 'detection_filter' ==> 'alerts.detection_filter_memcap'
change -> config 'enable_deep_teredo_inspection' ==> 'udp.deep_teredo_inspection'
+change -> config 'enable_mpls_overlapping_ip' ==> 'packets.mpls_agnostic'
change -> config 'event_filter' ==> 'alerts.event_filter_memcap'
change -> config 'max_attribute_hosts' ==> 'attribute_table.max_hosts'
change -> config 'max_attribute_services_per_host' ==> 'attribute_table.max_services_per_host'
change -> daq_mode: 'config daq_mode:' ==> 'mode'
change -> daq_var: 'config daq_var:' ==> 'variables'
change -> detection: 'ac' ==> 'ac_full'
-change -> detection: 'ac-banded' ==> 'ac_banded'
+change -> detection: 'ac-banded' ==> 'ac_full'
change -> detection: 'ac-bnfa' ==> 'ac_bnfa'
change -> detection: 'ac-bnfa-nq' ==> 'ac_bnfa'
change -> detection: 'ac-bnfa-q' ==> 'ac_bnfa'
change -> detection: 'ac-nq' ==> 'ac_full'
change -> detection: 'ac-q' ==> 'ac_full'
-change -> detection: 'ac-sparsebands' ==> 'ac_sparse_bands'
+change -> detection: 'ac-sparsebands' ==> 'ac_full'
change -> detection: 'ac-split' ==> 'ac_full'
change -> detection: 'ac-split' ==> 'split_any_any'
-change -> detection: 'ac-std' ==> 'ac_std'
-change -> detection: 'acs' ==> 'ac_sparse'
+change -> detection: 'ac-std' ==> 'ac_full'
+change -> detection: 'acs' ==> 'ac_full'
change -> detection: 'bleedover-port-limit' ==> 'bleedover_port_limit'
change -> detection: 'debug-print-fast-pattern' ==> 'show_fast_patterns'
change -> detection: 'intel-cpm' ==> 'hyperscan'
change -> detection: 'max-pattern-len' ==> 'max_pattern_len'
change -> detection: 'no_stream_inserts' ==> 'detect_raw_tcp'
change -> detection: 'search-method' ==> 'search_method'
-change -> detection: 'search-optimize' ==> 'search_optimize'
change -> detection: 'split-any-any' ==> 'split_any_any = true by default'
change -> detection: 'split-any-any' ==> 'split_any_any'
change -> dnp3: 'ports' ==> 'bindings'
change -> reputation: 'shared_mem' ==> 'list_dir'
change -> sfportscan: 'proto' ==> 'protos'
change -> sfportscan: 'scan_type' ==> 'scan_types'
+change -> sip: 'max_requestName_len' ==> 'max_request_name_len'
change -> sip: 'ports' ==> 'bindings'
change -> smtp: 'ports' ==> 'bindings'
change -> ssh: 'server_ports' ==> 'bindings'
deleted -> config 'disable_inline_init_failopen'
deleted -> config 'disable_ipopt_alerts'
deleted -> config 'disable_ipopt_drops'
+deleted -> config 'disable_replace'
deleted -> config 'disable_tcpopt_alerts'
deleted -> config 'disable_tcpopt_drops'
deleted -> config 'disable_tcpopt_experimental_alerts'
deleted -> config 'enable_decode_oversized_drops'
deleted -> config 'enable_gtp'
deleted -> config 'enable_ipopt_drops'
+deleted -> config 'enable_mpls_multicast'
deleted -> config 'enable_tcpopt_drops'
deleted -> config 'enable_tcpopt_experimental_drops'
deleted -> config 'enable_tcpopt_obsolete_drops'
deleted -> config 'sflog_unified2'
deleted -> config 'sidechannel'
deleted -> config 'so_rule_memcap'
+deleted -> config 'stateful'
deleted -> csv: '<filename> can no longer be specific'
deleted -> csv: 'default'
deleted -> csv: 'trheader'
deleted -> detection: 'mwm'
+deleted -> detection: 'search-optimize is always true'
deleted -> dnp3: 'disabled'
deleted -> dnp3: 'memcap'
deleted -> dns: 'enable_experimental_types'
deleted -> full: '<filename> can no longer be specific'
deleted -> http_inspect: 'detect_anomalous_servers'
deleted -> http_inspect: 'disabled'
+deleted -> http_inspect: 'fast_blocking'
+deleted -> http_inspect: 'normalize_random_nulls_in_text'
deleted -> http_inspect: 'proxy_alert'
deleted -> http_inspect_server: 'allow_proxy_use'
deleted -> http_inspect_server: 'enable_cookie'
deleted -> stream5_tcp: 'log_asymmetric_traffic'
deleted -> stream5_tcp: 'policy noack'
deleted -> stream5_tcp: 'policy unknown'
+deleted -> stream5_tcp: 'use_static_footprint_sizes'
deleted -> stream5_udp: 'ignore_any_rules'
deleted -> tcpdump: '<filename> can no longer be specific'
deleted -> test: 'file'
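Review bot: the search-method mapping now sends ac-banded, ac-sparsebands, ac-std and acs to ac_full instead of ac_banded, ac_sparse_bands, ac_std and ac_sparse, which implies those four Snort 3 search methods are gone, yet nothing under the deleted entries says so; add `deleted -> detection: 'ac_banded'` and the other three so users with existing Snort 3 configurations, not only converted Snort 2 ones, know the values are no longer accepted. Two pre-existing entries deserve attention while this list is open: `'ac-split'` is mapped to both `'ac_full'` and `'split_any_any'`, and `'split-any-any'` is listed twice with different targets. Finally, the new `'search-optimize is always true'` is a remark rather than an option name, unlike every other deleted entry; `deleted -> detection: 'search-optimize' (always true)` or similar keeps the list machine-readable.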
The Snort Team
Revision History
-Revision 3.1.39.0 2022-08-10 12:14:56 EDT TST
+Revision 3.1.40.0 2022-08-25 09:57:58 EDT TST
---------------------------------------------------------------------
./configure_cmake.sh --prefix=$my_path
cd build
- make -j
+ make -j $(nproc)
make install
ln -s $my_path/conf $my_path/etc
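Review bot: replacing the bare `make -j` with `make -j $(nproc)` is a good fix, since an unlimited job count can exhaust memory on a large C++ build, but `nproc` is a GNU coreutils command and is absent on macOS and the BSDs; either mention a portable alternative (for example `sysctl -n hw.ncpu` on macOS) or say that the argument is the number of CPUs and may be replaced. `$my_path` is also unquoted throughout this snippet, so an install prefix containing spaces breaks every one of these commands.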
A lower limit may be configured by setting maximum_chunk_length. Any
chunk longer than maximum chunk length will generate a 119:16 alert.
-5.10.3.20. URI processing
+5.10.3.20. maximum_header_length
+
+http_inspect generates 119:19 when the length of a header exceeds
+maximum_header_length = N {0 : 65535} (default 4096).
+
+5.10.3.21. maximum_headers
+
+http_inspect generates 119:20 when the number of headers exceeds
+maximum_headers = N {0 : 65535} (default 200).
+
+5.10.3.22. URI processing
Normalization and inspection of the URI in the HTTP request message
is a key aspect of what http_inspect does. The best way to normalize
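Review bot: the new 5.10.3.20 text says 119:19 fires "when the length of a header exceeds maximum_header_length", but the alert's own description elsewhere in this patch says the limit applies to the header line, excludes the start line, and counts both the field name and the value; say the same here so a reader sizing the option knows what is measured. The range is written `{0 : 65535}` here and `{ 0:65535 }` in the reference hunk; pick one form. As in the reference, neither paragraph says what a value of 0 means.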
In addition to the headers there are rule options for virtually every
part of the HTTP message.
+Occasionally one needs a rule that looks for the count of some
+variable. For example, to alert when a message has more than 100
+headers use this rule:
+
+alert tcp any any -> any any ( msg:"more that 100 headers";
+http_num_headers: > 100; sid:25; rev:1; )
+
+This is a range-based rule. It is matching when the expression in the
+rule option is true. The general format is "option operator value".
+To compare for equality, use operator "=". This is the default
+operator and may be omitted. Both rules below will alert when the
+message has 100 headers:
+
+alert tcp any any -> any any ( msg:"100 headers";
+http_num_headers: = 100; sid:26; rev:1; )
+
+alert tcp any any -> any any ( msg:"100 headers";
+http_num_headers: 100; sid:27; rev:1; )
+
+Compare for non-equality using operator "!" or "!=", compare for less
+than using operator "<", compare for greater than using operator ">",
+compare for less or equal using operator "⇐", and compare for greater
+or equal using operator ">=".
+
+To alert when a message has strictly more than 100 headers and
+strictly less than 200 headers use this rule:
+
+alert tcp any any -> any any ( msg:"between (100,200) headers";
+http_num_headers: 100<>200; sid:28; rev:1; )
+
+This is a range-based rule with an interval. The general format is
+"option value1 operator value2". Use operator "<>" to match if the
+option is in the interval excluding the endpoints, or operator "<⇒"
+to include the endpoints. This rule will alert when a message has 100
+headers or more and 200 headers or less:
+
+alert tcp any any -> any any ( msg:"between [100,200] headers";
+http_num_headers: 100<=>200; sid:95; rev:1; )
+
5.10.6.1. http_uri and http_raw_uri
These provide the URI of the request message. The raw form is exactly
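Review bot: several problems in the new range-operator text. The first example's msg reads "more that 100 headers" (typo for "more than"). The operators are rendered as "⇐" and "<⇒", which are the typographic substitutions asciidoc applies to `<=` and `=>`; the last example correctly uses `100<=>200`, so the prose should show the same literal operators (escape them in the source), otherwise a reader who copies "⇐" into a rule gets a parse error. "It is matching when the expression in the rule option is true" should be "It matches when ...". The sids run 25, 26, 27, 28 and then jump to 95 in the final example; 29 would keep the sequence.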
5.10.6.16. http_num_headers and http_num_trailers
-These rule options are used to check the number of headers and
-trailers, respectively. Checks available: equal to "=" or just value,
-not "!" or "!=", less than "<", greater than ">", less or equal to
-"⇐", less or greater than ">=", in range "<>", in range or equal to "
-<⇒".
+These are range-based rule options used to check the number of
+headers and trailers, respectively.
+
+5.10.6.17. http_num_cookies
+
+This is a range-based rule option that checks the number of cookies.
+In a request all the individual cookies found in Cookie header are
+counted. For example, in this request there are 2 cookies:
+
+GET /send/in/some/cookies HTTP/1.1
+Host: www.cookie-store.com
+Cookie: SID=31d4d96e407aad42; lang=en-US
+
+In a response Set-Cookie headers are counted. For example, in this
+response there are 2 cookies:
+
+HTTP/1.0 540 Too much sugar
+Content-Length: 5
+Set-Cookie: lang=en-US; Path=/; Domain=example.com
+Set-Cookie: id=a3fWa; Expires=Thu, 21 Oct 2021 07:28:00 GMT; Secure; HttpOnly
-5.10.6.17. http_version_match
+5.10.6.18. http_version_match
Rule option that matches HTTP version to one of the listed version
values. Possible match values: 1.0, 1.1, 2.0, 0.9, other, and
http_version rule option is available to examine the actual bytes in
the version field.
-5.10.6.18. http_header_test and http_trailer_test
+5.10.6.19. http_header_test and http_trailer_test
Rule options that perform various tests against a specific header and
trailer field, respectively. It can perform a range test, check
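Review bot: the new http_num_cookies text says "all the individual cookies found in Cookie header are counted" for a request, but does not say what happens when a request carries more than one Cookie header line (the 119:24 duplicate-header alert touched earlier in this patch shows that repeated fields are a case the inspector already distinguishes): are the counts summed, or is only the first header counted? The reference hunk for this option says "number of cookies of current header", which reads as per header; the two texts should agree. Minor grammar: "found in the Cookie header", "In a response, Set-Cookie headers are counted". The sample response also declares `Content-Length: 5` with no body shown; either drop that header or show a five-byte body so the example is a complete message.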