<div class="literalblock">\r
<div class="content">\r
<pre><code> ,,_ -*> Snort++ <*-\r
-o" )~ Version 3.0.1 (Build 4)\r
+o" )~ Version 3.0.1 (Build 5)\r
'''' By Martin Roesch & The Snort Team\r
http://snort.org/contact#team\r
Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.\r
provide full inspection of the individual HTTP/1.1 streams.</p></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_module_trace">Module Trace</h3>\r
-<div class="paragraph"><p>Snort 3 retired the different flavors of debug macros that used to be set\r
-through environment variable SNORT_DEBUG. It was replaced by a module specific\r
-trace. Trace is turned on by setting the module-specific trace bitmask in\r
-snort.lua. As before, in order to enable it, snort has to be configured and\r
-built with --enable-debug-msgs.</p></div>\r
-<div class="sect3">\r
-<h4 id="_debugging_rules_using_detection_trace">Debugging rules using detection trace</h4>\r
-<div class="paragraph"><p>Detection engine is responsible for rule evaluation. Turning on the\r
-trace for it can help with debugging new rules.</p></div>\r
-<div class="paragraph"><p>The relevant options for detection are as follow (represented as hex):</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>0x2 - follow rule evaluation\r
-0x4 - print evaluated buffer if it changed\r
-0x8 - print evaluated buffer at every step\r
-0x10 - print value of ips rule options vars\r
-0x20 - print information on fast pattern search</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Buffer print is useful, but in case the buffer is very big can be too verbose.\r
-Choose between 0x4, 0x8 or no buffer trace accordingly.</p></div>\r
-<div class="paragraph"><p>0x10 is useful when the rule is using ips rule options vars.</p></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_example_rule_evaluation_traces">Example - rule evaluation traces:</h4>\r
-<div class="paragraph"><p>In snort.lua, the following line was added:</p></div>\r
-<div class="paragraph"><p>detection = {trace = 0x20 + 0x10 + 0x2 + 0x4}</p></div>\r
-<div class="paragraph"><p>The pcap has a single packet with payload:\r
-10.AAAAAAAfoobar</p></div>\r
-<div class="paragraph"><p>Evaluated on rules:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code># byte_math + oper with byte extract and content\r
-# VAL = 1, byte_math = 0 + 10\r
-alert tcp ( byte_extract: 1, 0, VAL, string, dec;\r
-byte_math:bytes 1,offset VAL,oper +, rvalue 10, result var1, string dec;\r
-content:"foo", offset var1; sid:3)</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>#This rule should not trigger\r
-alert tcp (content:"AAAAA"; byte_jump:2,0,relative;\r
-content:"foo", within 3; sid:2)</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>The output:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>detection: packet 1 C2S 127.0.0.1:1234 127.0.0.1:5678\r
-detection: Fast pattern search\r
-detection: 1 fp packet[16]</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort.raw[16]:\r
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
-31 30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 10.AAAAAAAfoobar\r
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
-detection: Processing pattern match #1\r
-detection: Fast pattern packet[5] = 'AAAAA' |41 41 41 41 41 | ( )\r
-detection: Starting tree eval\r
-detection: Evaluating option content, cursor name pkt_data, cursor position 0</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort.raw[16]:\r
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
-31 30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 10.AAAAAAAfoobar\r
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
-detection: Rule options variables:\r
-var[0]=0 var[1]=0 var[2]=0\r
-detection: Evaluating option byte_jump, cursor name pkt_data, cursor position 8</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort.raw[8]:\r
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
-41 41 66 6F 6F 62 61 72 AAfoobar\r
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
-detection: no match\r
-detection: Rule options variables:\r
-var[0]=0 var[1]=0 var[2]=0\r
-detection: Evaluating option byte_jump, cursor name pkt_data, cursor position 9</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort.raw[7]:\r
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
-41 66 6F 6F 62 61 72 Afoobar\r
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
-detection: no match\r
-detection: Rule options variables:\r
-var[0]=0 var[1]=0 var[2]=0\r
-detection: Evaluating option byte_jump, cursor name pkt_data, cursor position 10</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort.raw[6]:\r
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
-66 6F 6F 62 61 72 foobar\r
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
-detection: no match\r
-detection: no match\r
-detection: Processing pattern match #2\r
-detection: Fast pattern packet[3] = 'foo' |66 6F 6F | ( )\r
-detection: Starting tree eval\r
-detection: Evaluating option byte_extract, cursor name pkt_data, cursor position 0</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort.raw[16]:\r
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
-31 30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 10.AAAAAAAfoobar\r
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
-detection: Rule options variables:\r
-var[0]=1 var[1]=0 var[2]=0\r
-detection: Evaluating option byte_math, cursor name pkt_data, cursor position 1</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort.raw[15]:\r
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
-30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 0.AAAAAAAfoobar\r
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
-detection: Rule options variables:\r
-var[0]=1 var[1]=10 var[2]=0\r
-detection: Evaluating option content, cursor name pkt_data, cursor position 2</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort.raw[14]:\r
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
-00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 .AAAAAAAfoobar\r
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
-detection: Rule options variables:\r
-var[0]=1 var[1]=10 var[2]=0\r
-detection: Reached leaf, cursor name pkt_data, cursor position 13</code></pre>\r
-</div></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>snort.raw[3]:\r
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
-62 61 72 bar\r
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
-detection: Matched rule gid:sid:rev 1:3:0\r
-detection: Rule options variables:\r
-var[0]=1 var[1]=10 var[2]=0\r
-04/22-20:21:40.905630, 1, TCP, raw, 56, C2S, 127.0.0.1:1234, 127.0.0.1:5678, 1:3:0, allow</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_protocols_decoding_trace">Protocols decoding trace</h4>\r
-<div class="paragraph"><p>Turning on decode trace will print out information about the packets decoded\r
-protocols. Can be useful in case of tunneling.</p></div>\r
-<div class="paragraph"><p>Example for a icmpv4-in-ipv6 packet:</p></div>\r
-<div class="paragraph"><p>In snort.lua, the following line was added:</p></div>\r
-<div class="paragraph"><p>decode = { trace = 1 }</p></div>\r
-<div class="paragraph"><p>The output:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>decode: Codec eth (protocol_id: 34525) ip header starts at: 0x7f70800110f0, length is 14\r
-decode: Codec ipv6 (protocol_id: 1) ip header starts at: 0x7f70800110f0, length is 40\r
-decode: Codec icmp4 (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 8\r
-decode: Codec unknown (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 0</code></pre>\r
-</div></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_other_available_traces">Other available traces</h4>\r
-<div class="paragraph"><p>There are more trace options supported by detection:</p></div>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>0x1 - prints statistics about the engine\r
-0x40 - prints a message when disabling content detect for packet\r
-0x80 - prints option tree data structure\r
-0x100 - prints a message when a new tag is added</code></pre>\r
-</div></div>\r
-<div class="paragraph"><p>Detection is the only module that support multiple options for trace.</p></div>\r
-<div class="paragraph"><p>The rest support only 1 option, and can be turned on by adding trace = 1 to\r
-their lua config.</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-stream module trace:\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>When turned on prints a message in case inspection is stopped on a flow.\r
-Example for output:</p></div>\r
-<div class="paragraph"><p>stream: stop inspection on flow, dir BOTH</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-stream_ip, stream_user: trace will output general processing messages\r
-</p>\r
-</li>\r
-</ul></div>\r
-<div class="paragraph"><p>Other modules that support trace have messages as seemed fit to the developer.\r
-Some are for corner cases, other for complex data structures prints. Current\r
-list of additional modules supporting trace: appid, dce_smb, gtp_inspect and\r
-dce_udp.</p></div>\r
-</div>\r
-</div>\r
-<div class="sect2">\r
<h3 id="_performance_monitor">Performance Monitor</h3>\r
<div class="paragraph"><p>The new and improved performance monitor! Is your sensor being bogged down by\r
too many flows? perf_monitor! Why are certain TCP segments being dropped without\r
</div>\r
</div>\r
<div class="sect2">\r
+<h3 id="_trace">Trace</h3>\r
+<div class="paragraph"><p>Snort 3 retired the different flavors of debug macros that used to be set\r
+through the SNORT_DEBUG environment variable. It was replaced by per-module\r
+trace functionality. Trace is turned on by setting the specific trace module\r
+configuration in snort.lua. As before, to enable debug tracing, Snort must be\r
+configured at build time with --enable-debug-msgs. However, a growing number\r
+of modules (such as wizard and snort.inspector_manager) are providing non-debug\r
+trace messages in normal production builds.</p></div>\r
+<div class="sect3">\r
+<h4 id="_trace_module">Trace module</h4>\r
+<div class="paragraph"><p>The trace module is responsible for configuring traces and supports the\r
+following parameters:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>output - configure the output method for trace messages\r
+modules - trace configuration for specific modules\r
+constraints - filter traces by the packet constraints</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>The following lines, added in snort.lua, will enable trace messages for\r
+detection and codec modules. The messages will be printed to syslog if\r
+the packet filtering constraints match.</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>trace =\r
+{\r
+ output = "syslog",\r
+ modules =\r
+ {\r
+ detection = { detect_engine = 1 },\r
+ decode = { all = 1 }\r
+ },\r
+ constraints =\r
+ {\r
+ ip_proto = 17,\r
+ dst_ip = "10.1.1.2",\r
+ src_port = 100,\r
+ dst_port = 200\r
+ }\r
+}</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>The trace module supports config reloading. Also, it’s possible to set or clear\r
+modules traces and packet filter constraints via the control channel command.</p></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_trace_module_configuring_traces">Trace module - configuring traces</h4>\r
+<div class="paragraph"><p>The trace module has the <strong>modules</strong> option - a table with trace configuration\r
+for specific modules. The following lines placed in snort.lua will enable trace\r
+messages for detection, codec and wizard modules:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>trace =\r
+{\r
+ modules =\r
+ {\r
+ detection = { all = 1 },\r
+ decode = { all = 1 },\r
+ wizard = { all = 1 }\r
+ }\r
+}</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>The detection and snort modules are currently the only modules to support\r
+multiple trace options. Others have only the default <strong>all</strong> option, which will\r
+enable or disable all traces in a given module. It’s available for multi-option\r
+modules also and works as a global switcher:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>trace =\r
+{\r
+ modules =\r
+ {\r
+ detection = { all = 1 } -- set each detection option to level 1\r
+ }\r
+}</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>trace =\r
+{\r
+ modules =\r
+ {\r
+ detection = { all = 1, tag = 2 } -- set each detection option to level 1 but the 'tag' to level 2\r
+ }\r
+}</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>The full list of available trace parameters is placed into\r
+the "Basic Modules.trace" chapter.</p></div>\r
+<div class="paragraph"><p>Each option must be assigned an integer value between 0 and 255 to specify\r
+a level of verbosity for that option:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>0 - turn off trace messages printing for the option\r
+1 - print most significant trace messages for the option\r
+255 - print all available trace messages for the option</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Tracing is disabled by default (verbosity level equals 0). The verbosity level\r
+is treated as a threshold, so specifying a higher value will result in all\r
+messages with a lower level being printed as well. For example:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>trace =\r
+{\r
+ modules =\r
+ {\r
+ decode = { all = 3 } -- messages with levels 1, 2, and 3 will be printed\r
+ }\r
+}</code></pre>\r
+</div></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_trace_module_configuring_packet_filter_constraints_for_packet_related_trace_messages">Trace module - configuring packet filter constraints for packet related trace messages</h4>\r
+<div class="paragraph"><p>There is a capability to filter traces by the packet constraints. The trace\r
+module has the <strong>constraints</strong> option - a table with filtering configuration that\r
+will be applied to all trace messages that include a packet. Filtering is done\r
+on a flow that packet is related. By default filtering is disabled.</p></div>\r
+<div class="paragraph"><p>Available constraints options:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>ip_proto - numerical IP protocol ID\r
+src_ip - match all packets with a flow that has this client IP address (passed as a string)\r
+src_port - match all packets with a flow that has this source port\r
+dst_ip - match all packets with a flow that has this server IP address (passed as a string)\r
+dst_port - match all packets with a flow that has this destination port</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>The following lines placed in snort.lua will enable all trace messages for\r
+detection filtered by ip_proto, dst_ip, src_port and dst_port:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>trace =\r
+{\r
+ modules =\r
+ {\r
+ detection = { all = 1 }\r
+ },\r
+ constraints =\r
+ {\r
+ ip_proto = 6, -- tcp\r
+ dst_ip = "10.1.1.10",\r
+ src_port = 150,\r
+ dst_port = 250\r
+ }\r
+}</code></pre>\r
+</div></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_trace_module_configuring_trace_output_method">Trace module - configuring trace output method</h4>\r
+<div class="paragraph"><p>There is a capability to configure the output method for trace messages.\r
+The trace module has the <strong>output</strong> option with two acceptable values:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>"stdout" - printing to stdout\r
+"syslog" - printing to syslog</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>By default, the output method will be set based on the Snort run mode. Normally\r
+it will use stdout, but if -D (daemon mode) and/or -M (alert-syslog mode)\r
+are set, it will instead use syslog.</p></div>\r
+<div class="paragraph"><p>Example - set output method as syslog:</p></div>\r
+<div class="paragraph"><p>In snort.lua, the following lines were added:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>trace =\r
+{\r
+ output = "syslog",\r
+ modules =\r
+ {\r
+ detection = { all = 1 }\r
+ }\r
+}</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>As a result, each trace message will be printed into syslog\r
+(the Snort run-mode will be ignored).</p></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_configuring_traces_via_control_channel_command">Configuring traces via control channel command</h4>\r
+<div class="paragraph"><p>There is a capability to configure module trace options and packet constraints\r
+via the control channel command by using a Snort shell. In order to enable\r
+shell, Snort has to be configured and built with --enable-shell.</p></div>\r
+<div class="paragraph"><p>The trace control channel command is a way how to configure module trace\r
+options and/or packet filter constraints directly during Snort run and\r
+without reloading the entire config.</p></div>\r
+<div class="paragraph"><p>After entering the Snort shell, there are two commands available for\r
+the trace module:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>trace.set({ modules = {...}, constraints = {...} }) - set modules traces and constraints (should pass a valid Lua-entry)</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>trace.clear() - clear modules traces and constraints</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Also, it’s possible to omit tables in the trace.set() command:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>trace.set({constraints = {...}}) - set only filtering configuration keeping old modules traces</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>trace.set({modules = {...}}) - set only module trace options keeping old filtering constraints</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>trace.set({}) - disable traces and constraints (set to empty)</code></pre>\r
+</div></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_trace_messages_format">Trace messages format</h4>\r
+<div class="paragraph"><p>Each tracing message has a standard format:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code><module_name>:<option_name>:<message_log_level>: <particular_message></code></pre>\r
+</div></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_example_debugging_rules_using_detection_trace">Example - Debugging rules using detection trace</h4>\r
+<div class="paragraph"><p>The detection engine is responsible for rule evaluation. Turning on the\r
+trace for it can help with debugging new rules.</p></div>\r
+<div class="paragraph"><p>The relevant options for detection are as follow:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>rule_eval - follow rule evaluation\r
+buffer - print evaluated buffer if it changed (level 1) or at every step (level 5)\r
+rule_vars - print value of ips rule options vars\r
+fp_search - print information on fast pattern search</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Buffer print is useful, but in case the buffer is very big can be too verbose.\r
+Choose between verbosity levels 1, 5, or no buffer trace accordingly.</p></div>\r
+<div class="paragraph"><p>rule_vars is useful when the rule is using ips rule options vars.</p></div>\r
+<div class="paragraph"><p>In snort.lua, the following lines were added:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>trace =\r
+{\r
+ modules =\r
+ {\r
+ detection =\r
+ {\r
+ rule_eval = 1,\r
+ buffer = 1,\r
+ rule_vars = 1,\r
+ fp_search = 1\r
+ }\r
+ }\r
+}</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>The pcap has a single packet with payload:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>10.AAAAAAAfoobar</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Evaluated on rules:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code># byte_math + oper with byte extract and content\r
+# VAL = 1, byte_math = 0 + 10\r
+alert tcp ( byte_extract: 1, 0, VAL, string, dec;\r
+byte_math:bytes 1,offset VAL,oper +, rvalue 10, result var1, string dec;\r
+content:"foo", offset var1; sid:3)</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>#This rule should not trigger\r
+alert tcp (content:"AAAAA"; byte_jump:2,0,relative;\r
+content:"foo", within 3; sid:2)</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>The output:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>detection:rule_eval:1: packet 1 C2S 127.0.0.1:1234 127.0.0.1:5678 (fast-patterns)\r
+detection:rule_eval:1: Fast pattern search\r
+detection:fp_search:1: 1 fp packet[16]</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort.raw[16]:\r
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
+31 30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 10.AAAAAAAfoobar\r
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
+detection:rule_eval:1: Processing pattern match #1\r
+detection:rule_eval:1: Fast pattern packet[5] = 'AAAAA' |41 41 41 41 41 | ( )\r
+detection:rule_eval:1: Starting tree eval\r
+detection:rule_eval:1: Evaluating option content, cursor name pkt_data, cursor position 0</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort.raw[16]:\r
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
+31 30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 10.AAAAAAAfoobar\r
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
+detection:rule_vars:1: Rule options variables: var[0]=0 var[1]=0 var[2]=0\r
+detection:rule_eval:1: Evaluating option byte_jump, cursor name pkt_data, cursor position 8</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort.raw[8]:\r
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
+41 41 66 6F 6F 62 61 72 AAfoobar\r
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
+detection:rule_eval:1: no match\r
+detection:rule_vars:1: Rule options variables: var[0]=0 var[1]=0 var[2]=0\r
+detection:rule_eval:1: Evaluating option byte_jump, cursor name pkt_data, cursor position 9</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort.raw[7]:\r
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
+41 66 6F 6F 62 61 72 Afoobar\r
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
+detection:rule_eval:1: no match\r
+detection:rule_vars:1: Rule options variables: var[0]=0 var[1]=0 var[2]=0\r
+detection:rule_eval:1: Evaluating option byte_jump, cursor name pkt_data, cursor position 10</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort.raw[6]:\r
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
+66 6F 6F 62 61 72 foobar\r
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
+detection:rule_eval:1: no match\r
+detection:rule_eval:1: no match\r
+detection:rule_eval:1: Processing pattern match #2\r
+detection:rule_eval:1: Fast pattern packet[3] = 'foo' |66 6F 6F | ( )\r
+detection:rule_eval:1: Starting tree eval\r
+detection:rule_eval:1: Evaluating option byte_extract, cursor name pkt_data, cursor position 0</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort.raw[16]:\r
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
+31 30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 10.AAAAAAAfoobar\r
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
+detection:rule_vars:1: Rule options variables: var[0]=1 var[1]=0 var[2]=0\r
+detection:rule_eval:1: Evaluating option byte_math, cursor name pkt_data, cursor position 1</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort.raw[15]:\r
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
+30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 0.AAAAAAAfoobar\r
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
+detection:rule_vars:1: Rule options variables: var[0]=1 var[1]=10 var[2]=0\r
+detection:rule_eval:1: Evaluating option content, cursor name pkt_data, cursor position 2</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort.raw[14]:\r
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
+00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 .AAAAAAAfoobar\r
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
+detection:rule_vars:1: Rule options variables: var[0]=1 var[1]=10 var[2]=0\r
+detection:rule_eval:1: Reached leaf, cursor name pkt_data, cursor position 13</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort.raw[3]:\r
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
+62 61 72 bar\r
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
+detection:rule_eval:1: Matched rule gid:sid:rev 1:3:0\r
+detection:rule_vars:1: Rule options variables: var[0]=1 var[1]=10 var[2]=0\r
+04/22-20:21:40.905630, 1, TCP, raw, 56, C2S, 127.0.0.1:1234, 127.0.0.1:5678, 1:3:0, allow</code></pre>\r
+</div></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_example_protocols_decoding_trace">Example - Protocols decoding trace</h4>\r
+<div class="paragraph"><p>Turning on decode trace will print out information about the packets decoded\r
+protocols. Can be useful in case of tunneling.</p></div>\r
+<div class="paragraph"><p>Example for a icmpv4-in-ipv6 packet:</p></div>\r
+<div class="paragraph"><p>In snort.lua, the following line was added:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>trace =\r
+{\r
+ modules =\r
+ {\r
+ decode = { all = 1 }\r
+ }\r
+}</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>The output:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>decode:all:1: Codec eth (protocol_id: 34525) ip header starts at: 0x7f70800110f0, length is 14\r
+decode:all:1: Codec ipv6 (protocol_id: 1) ip header starts at: 0x7f70800110f0, length is 40\r
+decode:all:1: Codec icmp4 (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 8\r
+decode:all:1: Codec unknown (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 0</code></pre>\r
+</div></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_example_track_the_time_packet_spends_in_each_inspector">Example - Track the time packet spends in each inspector</h4>\r
+<div class="paragraph"><p>There is a capability to track which inspectors evaluate a packet, and how much\r
+time the inspector consumes doing so. These trace messages could be enabled by\r
+the Snort module trace options:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>main - command execution traces (main trace logging)\r
+inspector_manager - inspectors execution and time tracking traces</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Example for a single packet with payload:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>10.AAAAAAAfoobar</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>In snort.lua, the following lines were added:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>trace =\r
+{\r
+ modules =\r
+ {\r
+ snort =\r
+ {\r
+ -- could be replaced by 'all = 1'\r
+ main = 1,\r
+ inspector_manager = 1\r
+ }\r
+ }\r
+}</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>The output:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort:main:1: [0] Queuing command START for execution (refcount 1)\r
+snort:main:1: [0] Queuing command RUN for execution (refcount 1)\r
+snort:main:1: [0] Destroying completed command START\r
+snort:inspector_manager:1: start inspection, raw, packet 1, context 1\r
+snort:inspector_manager:1: enter stream\r
+snort:inspector_manager:1: exit stream, elapsed time: 2 usec\r
+snort:inspector_manager:1: stop inspection, raw, packet 1, context 1, total time: 14 usec\r
+snort:inspector_manager:1: post detection inspection, raw, packet 1, context 1\r
+snort:inspector_manager:1: end inspection, raw, packet 1, context 1, total time: 0 usec\r
+snort:main:1: [0] Destroying completed command RUN</code></pre>\r
+</div></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_example_trace_filtering_by_packet_constraints">Example - trace filtering by packet constraints:</h4>\r
+<div class="paragraph"><p>In snort.lua, the following lines were added:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>ips =\r
+{\r
+ rules =\r
+ [[\r
+ alert tcp any any -> any any ( msg: "ALERT_TCP"; gid: 1001; sid: 1001 )\r
+ alert udp any any -> any any ( msg: "ALERT_UDP"; gid: 1002; sid: 1002 )\r
+ ]]\r
+}</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>trace =\r
+{\r
+ modules =\r
+ {\r
+ detection = { rule_eval = 1 }\r
+ },\r
+ constraints =\r
+ {\r
+ ip_proto = 17, -- udp\r
+ dst_ip = "10.1.1.2",\r
+ src_port = 100,\r
+ dst_port = 200\r
+ }\r
+}</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>The processed traffic was next:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>d ( stack="eth:ip4:udp" )</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>c ( ip4:a="10.1.1.1", ip4:b="10.1.1.2", udp:a=100, udp:b=200 )\r
+a ( pay="pass" )\r
+b ( pay="pass" )</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>c ( ip4:a="10.2.1.1" )\r
+a ( pay="pass" )\r
+b ( pay="pass" )</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>c ( udp:a=101 )\r
+a ( pay="block" )\r
+b ( pay="block" )</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>The output:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>detection:rule_eval:1: packet 1 UNK 10.1.1.1:100 10.1.1.2:200 (fast-patterns)\r
+detection:rule_eval:1: Fast pattern processing - no matches found\r
+detection:rule_eval:1: packet 1 UNK 10.1.1.1:100 10.1.1.2:200 (non-fast-patterns)\r
+detection:rule_eval:1: packet 2 UNK 10.1.1.2:200 10.1.1.1:100 (fast-patterns)\r
+detection:rule_eval:1: Fast pattern processing - no matches found\r
+detection:rule_eval:1: packet 2 UNK 10.1.1.2:200 10.1.1.1:100 (non-fast-patterns)\r
+detection:rule_eval:1: packet 3 UNK 10.2.1.1:100 10.1.1.2:200 (fast-patterns)\r
+detection:rule_eval:1: Fast pattern processing - no matches found\r
+detection:rule_eval:1: packet 3 UNK 10.2.1.1:100 10.1.1.2:200 (non-fast-patterns)\r
+detection:rule_eval:1: packet 4 UNK 10.1.1.2:200 10.2.1.1:100 (fast-patterns)\r
+detection:rule_eval:1: Fast pattern processing - no matches found\r
+detection:rule_eval:1: packet 4 UNK 10.1.1.2:200 10.2.1.1:100 (non-fast-patterns)</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>The trace messages for two last packets (numbers 5 and 6) weren’t printed.</p></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_example_configuring_traces_via_trace_set_command">Example - configuring traces via trace.set() command</h4>\r
+<div class="paragraph"><p>In snort.lua, the following lines were added:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>ips =\r
+{\r
+ rules =\r
+ [[\r
+ alert tcp any any -> any any ( msg: "ALERT_TCP"; gid: 1001; sid: 1001 )\r
+ alert udp any any -> any any ( msg: "ALERT_UDP"; gid: 1002; sid: 1002 )\r
+ ]]\r
+}</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>trace =\r
+{\r
+ constraints =\r
+ {\r
+ ip_proto = 17, -- udp\r
+ dst_ip = "10.1.1.2",\r
+ src_port = 100,\r
+ dst_port = 200\r
+ },\r
+ modules =\r
+ {\r
+ detection = { rule_eval = 1 }\r
+ }\r
+}</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>The processed traffic was next:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code># Flow 1\r
+d ( stack="eth:ip4:udp" )\r
+c ( ip4:a="10.1.1.1", ip4:b="10.1.1.2", udp:a=100, udp:b=200 )\r
+a ( data="udp packet 1" )\r
+a ( data="udp packet 2" )</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code># Flow 2\r
+d ( stack="eth:ip4:tcp" )\r
+c ( ip4:a="10.1.1.3", ip4:b="10.1.1.4", tcp:a=5000, tcp:b=6000 )\r
+a ( syn )\r
+b ( syn, ack )\r
+a ( ack )\r
+a ( ack, data="tcp packet 1" )\r
+a ( ack, data="tcp packet 2" )\r
+a ( fin, ack )\r
+b ( fin, ack )</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>After 1 packet, entering shell and pass the trace.set() command as follows:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>trace.set({ constraints = { ip_proto = 6, dst_ip = "10.1.1.4", src_port = 5000, dst_port = 6000 }, modules = { decode = { all = 1 }, detection = { rule_eval = 1 } } })</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>The output (not full, only descriptive lines):</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>detection:rule_eval:1: packet 1 UNK 10.1.1.1:100 10.1.1.2:200 (fast-patterns)\r
+detection:rule_eval:1: packet 1 UNK 10.1.1.1:100 10.1.1.2:200 (non-fast-patterns)\r
+decode:all:1: Codec udp (protocol_id: 256) ip header starts length is 8\r
+decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20\r
+detection:rule_eval:1: packet 3 UNK 10.1.1.3:5000 10.1.1.4:6000 (fast-patterns)\r
+detection:rule_eval:1: packet 3 UNK 10.1.1.3:5000 10.1.1.4:6000 (non-fast-patterns)\r
+decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20\r
+detection:rule_eval:1: packet 4 UNK 10.1.1.4:6000 10.1.1.3:5000 (fast-patterns)\r
+detection:rule_eval:1: packet 4 UNK 10.1.1.4:6000 10.1.1.3:5000 (non-fast-patterns)\r
+decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20\r
+detection:rule_eval:1: packet 5 UNK 10.1.1.3:5000 10.1.1.4:6000 (fast-patterns)\r
+detection:rule_eval:1: packet 5 UNK 10.1.1.3:5000 10.1.1.4:6000 (non-fast-patterns)\r
+decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20\r
+detection:rule_eval:1: packet 6 UNK 10.1.1.3:5000 10.1.1.4:6000 (fast-patterns)\r
+detection:rule_eval:1: packet 6 UNK 10.1.1.3:5000 10.1.1.4:6000 (non-fast-patterns)\r
+decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20\r
+detection:rule_eval:1: packet 7 UNK 10.1.1.3:5000 10.1.1.4:6000 (fast-patterns)\r
+detection:rule_eval:1: packet 7 UNK 10.1.1.3:5000 10.1.1.4:6000 (non-fast-patterns)\r
+decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20\r
+detection:rule_eval:1: packet 8 UNK 10.1.1.3:5000 10.1.1.4:6000 (fast-patterns)\r
+detection:rule_eval:1: packet 8 UNK 10.1.1.3:5000 10.1.1.4:6000 (non-fast-patterns)\r
+decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20\r
+detection:rule_eval:1: packet 9 UNK 10.1.1.4:6000 10.1.1.3:5000 (fast-patterns)\r
+detection:rule_eval:1: packet 9 UNK 10.1.1.4:6000 10.1.1.3:5000 (non-fast-patterns)</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>The new configuration was applied. <strong>decode:all:1</strong> messages aren’t filtered\r
+because they don’t include a packet (a packet isn’t well-formed at the point\r
+when the message is printing).</p></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_other_available_traces">Other available traces</h4>\r
+<div class="paragraph"><p>There are more trace options supported by detection:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>detect_engine - prints statistics about the engine\r
+pkt_detect - prints a message when disabling content detect for packet\r
+opt_tree - prints option tree data structure\r
+tag - prints a message when a new tag is added</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>The rest support only 1 option, and can be turned on by adding all = 1 to\r
+their table in trace lua config.</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+stream module trace:\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>When turned on prints a message in case inspection is stopped on a flow.\r
+Example for output:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>stream:all:1: stop inspection on flow, dir BOTH</code></pre>\r
+</div></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+stream_ip, stream_user: trace will output general processing messages\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Other modules that support trace have messages as seemed fit to the developer.\r
+Some are for corner cases, others for complex data structures.</p></div>\r
+</div>\r
+</div>\r
+<div class="sect2">\r
<h3 id="_wizard">Wizard</h3>\r
<div class="paragraph"><p>Using the wizard enables port-independent configuration and the detection of\r
malware command and control channels. If the wizard is bound to a session, it\r
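Review bot: the statement in the new "Other available traces" subsection that the rest of the modules "support only 1 option" enabled with all = 1 is contradicted by this same change: the parameter reference below adds trace.modules.snort.main and trace.modules.snort.inspector_manager, and the sample output at the top of this hunk already shows snort:main:1 and snort:inspector_manager:1 messages, so the snort module has multiple options too; reword to something like "Most other modules support a single option, enabled with all = 1; the snort module additionally has main and inspector_manager". Two smaller points in the same hunk: in the packet-constraints example, packet 2 (10.1.1.2:200 -> 10.1.1.1:100) and packet 4 (10.1.1.2:200 -> 10.2.1.1:100) are traced although neither has dst_ip 10.1.1.2 or dst_port 200, so the constraints are evidently matched against both directions of the flow, and the text should say so explicitly rather than only noting that packets 5 and 6 were not printed; and "After 1 packet, entering shell and pass the trace.set() command" should read "After the first packet, enter the shell and issue the trace.set() command", while "as seemed fit to the developer" should read "as the developer saw fit".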
</li>\r
<li>\r
<p>\r
-int <strong>host_cache.memcap</strong> = 8388608: maximum host cache size in bytes { 512:max32 }\r
+int <strong>host_cache.memcap</strong> = 8388608: maximum host cache size in bytes { 512:maxSZ }\r
</p>\r
</li>\r
</ul></div>\r
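Review bot: the upper bound of host_cache.memcap changes from max32 to maxSZ, a range token that appears nowhere else in this reference (the other parameters on the page use max31, max32 and max53). If maxSZ is a new symbolic bound (presumably the platform's size_t maximum), define it next to the existing max* tokens where parameter ranges are explained; otherwise readers cannot tell what value the cap accepts.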
<strong>host_cache.removes</strong>: lru cache found entry and removed it (sum)\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+<strong>host_cache.replaced</strong>: lru cache found entry and replaced it (sum)\r
+</p>\r
+</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_trace">trace</h3>\r
+<h3 id="_trace_2">trace</h3>\r
<div class="paragraph"><p>What: configure trace log messages</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
<div class="paragraph"><p>Usage: global</p></div>\r
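Review bot: renaming the heading id from _trace to _trace_2 silently breaks every existing deep link to #_trace for the trace module reference; presumably the generator reassigned _trace to the new chapter-level "Trace" section (5.17 in the table of contents further down). Since auto-generated ids shift whenever a same-named section is added, give the module reference (or the new chapter) an explicit anchor so the id stays stable across builds.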
</li>\r
<li>\r
<p>\r
+int <strong>trace.modules.snort.all</strong>: enable all trace options { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.snort.main</strong>: enable main trace logging { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.snort.inspector_manager</strong>: enable inspector manager trace logging { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>trace.modules.dce_smb.all</strong>: enable all trace options { 0:255 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+int <strong>trace.constraints.ip_proto</strong>: numerical IP protocol ID filter { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>trace.constraints.src_ip</strong>: source IP address filter\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.constraints.src_port</strong>: source port filter { 0:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>trace.constraints.dst_ip</strong>: destination IP address filter\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.constraints.dst_port</strong>: destination port filter { 0:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
enum <strong>trace.output</strong>: output method for trace log messages { stdout | syslog }\r
</p>\r
</li>\r
</ul></div>\r
+<div class="paragraph"><p>Commands:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+<strong>trace.set</strong>(modules, constraints): set modules traces and constraints\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>trace.clear</strong>(): clear modules traces and constraints\r
+</p>\r
+</li>\r
+</ul></div>\r
</div>\r
</div>\r
</div>\r
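Review bot: the command is documented as trace.set(modules, constraints), i.e. two positional arguments, but the worked example earlier in this change calls it with a single table, trace.set({ constraints = { ... }, modules = { ... } }); one of the two is wrong, and the signature line should match the real calling convention (if it is a single table, document it as trace.set({ modules = ..., constraints = ... })). Also, trace.constraints.src_ip and dst_ip are described only as "IP address filter": say whether a CIDR block or an IPv6 address is accepted and, as the example output shows, that a constraint matches packets in either direction of the flow.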
</ul></div>\r
</div>\r
<div class="sect2">\r
+<h3 id="_appid_listener">appid_listener</h3>\r
+<div class="paragraph"><p>What: log selected published data to appid_listener.log</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
+</div>\r
+<div class="sect2">\r
<h3 id="_arp_spoof">arp_spoof</h3>\r
<div class="paragraph"><p>What: detect ARP attacks and anomalies</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
</li>\r
<li>\r
<p>\r
+<strong>dce_tcp.tcp_expected_sessions</strong>: total tcp dynamic endpoint expected sessions (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_tcp.tcp_expected_realized</strong>: total tcp dynamic endpoint expected realized sessions (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>dce_tcp.tcp_packets</strong>: total tcp packets (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>file_id.enable_signature</strong> = true: enable signature calculation\r
+bool <strong>file_id.enable_signature</strong> = false: enable signature calculation\r
</p>\r
</li>\r
<li>\r
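Review bot: the default of file_id.enable_signature flips from true to false (the same flip appears again in the alphabetical parameter list further down). A generated reference only mirrors a code change, but a default change like this needs a release-note entry: deployments that rely on file signatures being computed without setting the option explicitly will silently stop getting them after upgrading.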
int <strong>file_id.verdict_delay</strong> = 0: number of queries to return final verdict { 0:max53 }\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+int <strong>file_id.b64_decode_depth</strong> = -1: base64 decoding depth (-1 no limit) { -1:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>file_id.bitenc_decode_depth</strong> = -1: Non-Encoded MIME attachment extraction depth (-1 no limit) { -1:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>file_id.decompress_pdf</strong> = false: decompress pdf files in MIME attachments\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>file_id.decompress_swf</strong> = false: decompress swf files in MIME attachments\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>file_id.decompress_zip</strong> = false: decompress zip files in MIME attachments\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>file_id.qp_decode_depth</strong> = -1: Quoted Printable decoding depth (-1 no limit) { -1:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>file_id.uu_decode_depth</strong> = -1: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }\r
+</p>\r
+</li>\r
</ul></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
bool <strong>rt_global.empty_ips</strong> = false: ips policy with no rules\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+bool <strong>rt_global.init_drop_reason</strong> = false: populate drop reason map\r
+</p>\r
+</li>\r
</ul></div>\r
<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
</li>\r
<li>\r
<p>\r
+<strong>stream_tcp.held_packet_purges</strong>: number of held packets that were purged without flushing (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>stream_tcp.cur_packets_held</strong>: number of packets currently held (now)\r
</p>\r
</li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>react.msg</strong> = false: use rule msg in response page instead of default message\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
string <strong>react.page</strong>: file containing HTTP response (headers and body)\r
</p>\r
</li>\r
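Review bot: react.msg is removed from the react parameter list with no deprecation or replacement note anywhere in the visible change, and the appendix hunk further down only deletes the "deleted -> react: 'block'" and "'warn'" entries rather than recording msg. If the option was intentionally dropped, add it to the deleted-options appendix so existing snort.lua files that set react.msg can be migrated.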
</li>\r
<li>\r
<p>\r
+int <strong>file_id.b64_decode_depth</strong> = -1: base64 decoding depth (-1 no limit) { -1:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>file_id.bitenc_decode_depth</strong> = -1: Non-Encoded MIME attachment extraction depth (-1 no limit) { -1:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>file_id.block_timeout</strong> = 86400: stop blocking after this many seconds { 0:max31 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>file_id.decompress_pdf</strong> = false: decompress pdf files in MIME attachments\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>file_id.decompress_swf</strong> = false: decompress swf files in MIME attachments\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bool <strong>file_id.decompress_zip</strong> = false: decompress zip files in MIME attachments\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
bool <strong>file_id.enable_capture</strong> = false: enable file capture\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>file_id.enable_signature</strong> = true: enable signature calculation\r
+bool <strong>file_id.enable_signature</strong> = false: enable signature calculation\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+int <strong>file_id.qp_decode_depth</strong> = -1: Quoted Printable decoding depth (-1 no limit) { -1:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>file_id.show_data_depth</strong> = 100: print this many octets { 0:max53 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+int <strong>file_id.uu_decode_depth</strong> = -1: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>file_id.verdict_delay</strong> = 0: number of queries to return final verdict { 0:max53 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>host_cache.memcap</strong> = 8388608: maximum host cache size in bytes { 512:max32 }\r
+int <strong>host_cache.memcap</strong> = 8388608: maximum host cache size in bytes { 512:maxSZ }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>react.msg</strong> = false: use rule msg in response page instead of default message\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
string <strong>react.page</strong>: file containing HTTP response (headers and body)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>rt_global.init_drop_reason</strong> = false: populate drop reason map\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>rt_global.memcap</strong> = 2048: cap on amount of memory used (0 is disabled) { 0:max53 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+string <strong>trace.constraints.dst_ip</strong>: destination IP address filter\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.constraints.dst_port</strong>: destination port filter { 0:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.constraints.ip_proto</strong>: numerical IP protocol ID filter { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>trace.constraints.src_ip</strong>: source IP address filter\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.constraints.src_port</strong>: source port filter { 0:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>trace.modules.appid.all</strong>: enable all trace options { 0:255 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+int <strong>trace.modules.snort.all</strong>: enable all trace options { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.snort.inspector_manager</strong>: enable inspector manager trace logging { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>trace.modules.snort.main</strong>: enable main trace logging { 0:255 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>trace.modules.stream.all</strong>: enable all trace options { 0:255 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>dce_tcp.tcp_expected_realized</strong>: total tcp dynamic endpoint expected realized sessions (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_tcp.tcp_expected_sessions</strong>: total tcp dynamic endpoint expected sessions (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>dce_tcp.tcp_packets</strong>: total tcp packets (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>host_cache.replaced</strong>: lru cache found entry and replaced it (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>host_tracker.service_adds</strong>: host service adds (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>stream_tcp.held_packet_purges</strong>: number of held packets that were purged without flushing (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>stream_tcp.held_packet_rexmits</strong>: number of retransmits of held packets (sum)\r
</p>\r
</li>\r
<strong>snort.help</strong>(): this output\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+<strong>trace.set</strong>(modules, constraints): set modules traces and constraints\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>trace.clear</strong>(): clear modules traces and constraints\r
+</p>\r
+</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
deleted -> pop: 'max_mime_mem'\r
deleted -> pop: 'memcap'\r
deleted -> ppm: 'debug-pkts'\r
-deleted -> react: 'block'\r
-deleted -> react: 'warn'\r
deleted -> reputation: 'shared_max_instances'\r
deleted -> reputation: 'shared_refresh'\r
deleted -> rpc_decode: 'alert_fragments'\r
</li>\r
<li>\r
<p>\r
+<strong>appid_listener</strong> (inspector): log selected published data to appid_listener.log\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>appids</strong> (ips_option): detection option for application ids\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>inspector::appid_listener</strong>: log selected published data to appid_listener.log\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>inspector::arp_spoof</strong>: detect ARP attacks and anomalies\r
</p>\r
</li>\r
<div id="footer">\r
<div id="footer-text">\r
Last updated\r
- 2020-05-20 08:20:56 EDT\r
+ 2020-06-18 08:11:48 EDT\r
</div>\r
</div>\r
</body>\r
5.8. FTP
5.9. HTTP Inspector
5.10. HTTP/2 Inspector
- 5.11. Module Trace
- 5.12. Performance Monitor
- 5.13. POP and IMAP
- 5.14. Port Scan
- 5.15. Sensitive Data Filtering
- 5.16. SMTP
- 5.17. Telnet
+ 5.11. Performance Monitor
+ 5.12. POP and IMAP
+ 5.13. Port Scan
+ 5.14. Sensitive Data Filtering
+ 5.15. SMTP
+ 5.16. Telnet
+ 5.17. Trace
5.18. Wizard
6. Basic Modules
9. Inspector Modules
9.1. appid
- 9.2. arp_spoof
- 9.3. back_orifice
- 9.4. binder
- 9.5. cip
- 9.6. data_log
- 9.7. dce_http_proxy
- 9.8. dce_http_server
- 9.9. dce_smb
- 9.10. dce_tcp
- 9.11. dce_udp
- 9.12. dnp3
- 9.13. dns
- 9.14. domain_filter
- 9.15. dpx
- 9.16. file_id
- 9.17. file_log
- 9.18. finalize_packet
- 9.19. ftp_client
- 9.20. ftp_data
- 9.21. ftp_server
- 9.22. gtp_inspect
- 9.23. http2_inspect
- 9.24. http_inspect
- 9.25. imap
- 9.26. mem_test
- 9.27. modbus
- 9.28. normalizer
- 9.29. packet_capture
- 9.30. perf_monitor
- 9.31. pop
- 9.32. port_scan
- 9.33. reputation
- 9.34. rna
- 9.35. rpc_decode
- 9.36. rt_global
- 9.37. rt_packet
- 9.38. rt_service
- 9.39. s7commplus
- 9.40. sip
- 9.41. smtp
- 9.42. so_proxy
- 9.43. ssh
- 9.44. ssl
- 9.45. stream
- 9.46. stream_file
- 9.47. stream_icmp
- 9.48. stream_ip
- 9.49. stream_tcp
- 9.50. stream_udp
- 9.51. stream_user
- 9.52. telnet
- 9.53. wizard
+ 9.2. appid_listener
+ 9.3. arp_spoof
+ 9.4. back_orifice
+ 9.5. binder
+ 9.6. cip
+ 9.7. data_log
+ 9.8. dce_http_proxy
+ 9.9. dce_http_server
+ 9.10. dce_smb
+ 9.11. dce_tcp
+ 9.12. dce_udp
+ 9.13. dnp3
+ 9.14. dns
+ 9.15. domain_filter
+ 9.16. dpx
+ 9.17. file_id
+ 9.18. file_log
+ 9.19. finalize_packet
+ 9.20. ftp_client
+ 9.21. ftp_data
+ 9.22. ftp_server
+ 9.23. gtp_inspect
+ 9.24. http2_inspect
+ 9.25. http_inspect
+ 9.26. imap
+ 9.27. mem_test
+ 9.28. modbus
+ 9.29. normalizer
+ 9.30. packet_capture
+ 9.31. perf_monitor
+ 9.32. pop
+ 9.33. port_scan
+ 9.34. reputation
+ 9.35. rna
+ 9.36. rpc_decode
+ 9.37. rt_global
+ 9.38. rt_packet
+ 9.39. rt_service
+ 9.40. s7commplus
+ 9.41. sip
+ 9.42. smtp
+ 9.43. so_proxy
+ 9.44. ssh
+ 9.45. ssl
+ 9.46. stream
+ 9.47. stream_file
+ 9.48. stream_icmp
+ 9.49. stream_ip
+ 9.50. stream_tcp
+ 9.51. stream_udp
+ 9.52. stream_user
+ 9.53. telnet
+ 9.54. wizard
10. IPS Action Modules
Snorty
,,_ -*> Snort++ <*-
-o" )~ Version 3.0.1 (Build 4)
+o" )~ Version 3.0.1 (Build 5)
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
streams.
-5.11. Module Trace
-
---------------
-
-Snort 3 retired the different flavors of debug macros that used to be
-set through environment variable SNORT_DEBUG. It was replaced by a
-module specific trace. Trace is turned on by setting the
-module-specific trace bitmask in snort.lua. As before, in order to
-enable it, snort has to be configured and built with
---enable-debug-msgs.
-
-5.11.1. Debugging rules using detection trace
-
-Detection engine is responsible for rule evaluation. Turning on the
-trace for it can help with debugging new rules.
-
-The relevant options for detection are as follow (represented as
-hex):
-
-0x2 - follow rule evaluation
-0x4 - print evaluated buffer if it changed
-0x8 - print evaluated buffer at every step
-0x10 - print value of ips rule options vars
-0x20 - print information on fast pattern search
-
-Buffer print is useful, but in case the buffer is very big can be too
-verbose. Choose between 0x4, 0x8 or no buffer trace accordingly.
-
-0x10 is useful when the rule is using ips rule options vars.
-
-5.11.2. Example - rule evaluation traces:
-
-In snort.lua, the following line was added:
-
-detection = {trace = 0x20 + 0x10 + 0x2 + 0x4}
-
-The pcap has a single packet with payload: 10.AAAAAAAfoobar
-
-Evaluated on rules:
-
-# byte_math + oper with byte extract and content
-# VAL = 1, byte_math = 0 + 10
-alert tcp ( byte_extract: 1, 0, VAL, string, dec;
-byte_math:bytes 1,offset VAL,oper +, rvalue 10, result var1, string dec;
-content:"foo", offset var1; sid:3)
-
-#This rule should not trigger
-alert tcp (content:"AAAAA"; byte_jump:2,0,relative;
-content:"foo", within 3; sid:2)
-
-The output:
-
-detection: packet 1 C2S 127.0.0.1:1234 127.0.0.1:5678
-detection: Fast pattern search
-detection: 1 fp packet[16]
-
-snort.raw[16]:
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-31 30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 10.AAAAAAAfoobar
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-detection: Processing pattern match #1
-detection: Fast pattern packet[5] = 'AAAAA' |41 41 41 41 41 | ( )
-detection: Starting tree eval
-detection: Evaluating option content, cursor name pkt_data, cursor position 0
-
-snort.raw[16]:
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-31 30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 10.AAAAAAAfoobar
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-detection: Rule options variables:
-var[0]=0 var[1]=0 var[2]=0
-detection: Evaluating option byte_jump, cursor name pkt_data, cursor position 8
-
-snort.raw[8]:
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-41 41 66 6F 6F 62 61 72 AAfoobar
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-detection: no match
-detection: Rule options variables:
-var[0]=0 var[1]=0 var[2]=0
-detection: Evaluating option byte_jump, cursor name pkt_data, cursor position 9
-
-snort.raw[7]:
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-41 66 6F 6F 62 61 72 Afoobar
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-detection: no match
-detection: Rule options variables:
-var[0]=0 var[1]=0 var[2]=0
-detection: Evaluating option byte_jump, cursor name pkt_data, cursor position 10
-
-snort.raw[6]:
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-66 6F 6F 62 61 72 foobar
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-detection: no match
-detection: no match
-detection: Processing pattern match #2
-detection: Fast pattern packet[3] = 'foo' |66 6F 6F | ( )
-detection: Starting tree eval
-detection: Evaluating option byte_extract, cursor name pkt_data, cursor position 0
-
-snort.raw[16]:
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-31 30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 10.AAAAAAAfoobar
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-detection: Rule options variables:
-var[0]=1 var[1]=0 var[2]=0
-detection: Evaluating option byte_math, cursor name pkt_data, cursor position 1
-
-snort.raw[15]:
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 0.AAAAAAAfoobar
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-detection: Rule options variables:
-var[0]=1 var[1]=10 var[2]=0
-detection: Evaluating option content, cursor name pkt_data, cursor position 2
-
-snort.raw[14]:
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 .AAAAAAAfoobar
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-detection: Rule options variables:
-var[0]=1 var[1]=10 var[2]=0
-detection: Reached leaf, cursor name pkt_data, cursor position 13
-
-snort.raw[3]:
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-62 61 72 bar
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-detection: Matched rule gid:sid:rev 1:3:0
-detection: Rule options variables:
-var[0]=1 var[1]=10 var[2]=0
-04/22-20:21:40.905630, 1, TCP, raw, 56, C2S, 127.0.0.1:1234, 127.0.0.1:5678, 1:3:0, allow
-
-5.11.3. Protocols decoding trace
-
-Turning on decode trace will print out information about the packets
-decoded protocols. Can be useful in case of tunneling.
-
-Example for a icmpv4-in-ipv6 packet:
-
-In snort.lua, the following line was added:
-
-decode = { trace = 1 }
-
-The output:
-
-decode: Codec eth (protocol_id: 34525) ip header starts at: 0x7f70800110f0, length is 14
-decode: Codec ipv6 (protocol_id: 1) ip header starts at: 0x7f70800110f0, length is 40
-decode: Codec icmp4 (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 8
-decode: Codec unknown (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 0
-
-5.11.4. Other available traces
-
-There are more trace options supported by detection:
-
-0x1 - prints statistics about the engine
-0x40 - prints a message when disabling content detect for packet
-0x80 - prints option tree data structure
-0x100 - prints a message when a new tag is added
-
-Detection is the only module that support multiple options for trace.
-
-The rest support only 1 option, and can be turned on by adding trace
-= 1 to their lua config.
-
- * stream module trace:
-
-When turned on prints a message in case inspection is stopped on a
-flow. Example for output:
-
-stream: stop inspection on flow, dir BOTH
-
- * stream_ip, stream_user: trace will output general processing
- messages
-
-Other modules that support trace have messages as seemed fit to the
-developer. Some are for corner cases, other for complex data
-structures prints. Current list of additional modules supporting
-trace: appid, dce_smb, gtp_inspect and dce_udp.
-
-
-5.12. Performance Monitor
+5.11. Performance Monitor
--------------
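Review bot: the removed plain-text section ended with a concrete list of the additional modules supporting trace ("appid, dce_smb, gtp_inspect and dce_udp"), while the replacement HTML text earlier in this change closes with only "Other modules that support trace have messages as seemed fit to the developer". Keep an up-to-date list (the new reference shows at least snort, dce_smb, appid and stream under trace.modules) or point the reader at the trace module reference where every module with trace options is enumerated.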
being dropped without hitting a rule? perf_monitor! Why is a sensor
leaking water? Not perf_monitor, check with stream…
-5.12.1. Overview
+5.11.1. Overview
The Snort performance monitor is the built-in utility for monitoring
system and traffic statistics. All statistics are separated by
processing thread. perf_monitor supports several trackers for
monitoring such data:
-5.12.2. Base Tracker
+5.11.2. Base Tracker
The base tracker is used to gather running statistics about Snort and
its running modules. All Snort modules gather, at the very least,
Note: Event stats from prior Snorts are now located within base
statistics.
-5.12.3. Flow Tracker
+5.11.3. Flow Tracker
Flow tracks statistics regarding traffic and L3/L4 protocol
distributions. This data can be used to build a profile of traffic
perf_monitor = { flow = true }
-5.12.4. FlowIP Tracker
+5.11.4. FlowIP Tracker
FlowIP provides statistics for individual hosts within a network.
This data can be used for identifying communication habits, such as
perf_monitor = { flow_ip = true }
-5.12.5. CPU Tracker
+5.11.5. CPU Tracker
This tracker monitors the CPU and wall time spent by a given
processing thread.
perf_monitor = { cpu = true }
-5.12.6. Formatters
+5.11.6. Formatters
Performance monitor allows statistics to be output in a few formats.
Along with human readable text (as seen at shutdown) and csv formats,
monitor or the code provided for fbstreamer.
-5.13. POP and IMAP
+5.12. POP and IMAP
--------------
POP inspector is a service inspector for POP3 protocol and IMAP
inspector is for IMAP4 protocol.
-5.13.1. Overview
+5.12.1. Overview
POP and IMAP inspectors examine data traffic and find POP and IMAP
commands and responses. The inspectors also identify the command,
appropriately. The pop and imap also identify and whitelist the pop
and imap traffic.
-5.13.2. Configuration
+5.12.2. Configuration
POP inspector and IMAP inspector offer same set of configuration
options for MIME decoding depth. These depths range from 0 to 65535
The depth limits apply per attachment. They are:
-5.13.2.1. b64_decode_depth
+5.12.2.1. b64_decode_depth
Set the base64 decoding depth used to decode the base64-encoded MIME
attachments.
-5.13.2.2. qp_decode_depth
+5.12.2.2. qp_decode_depth
Set the Quoted-Printable (QP) decoding depth used to decode
QP-encoded MIME attachments.
-5.13.2.3. bitenc_decode_depth
+5.12.2.3. bitenc_decode_depth
Set the non-encoded MIME extraction depth used for non-encoded MIME
attachments.
-5.13.2.4. uu_decode_depth
+5.12.2.4. uu_decode_depth
Set the Unix-to-Unix (UU) decoding depth used to decode UU-encoded
attachments.
-5.13.2.5. Examples
+5.12.2.5. Examples
stream = { }
}
-5.14. Port Scan
+5.13. Port Scan
--------------
A module to detect port scanning
-5.14.1. Overview
+5.13.1. Overview
This module is designed to detect the first phase in a network
attack: Reconnaissance. In the Reconnaissance phase, an attacker
triggered. Open port events are not individual alerts, but tags based
off the original scan alert.
-5.14.2. Scan levels
+5.13.2. Scan levels
There are 3 default scan levels that can be set.
monitoring, but is very sensitive to active hosts. This most
definitely will require the user to tune Portscan.
-5.14.3. Tuning Portscan
+5.13.3. Tuning Portscan
The most important aspect in detecting portscans is tuning the
detection engine for your network(s). Here are some tuning tips:
filtered scans, since these are more prone to false positives.
-5.15. Sensitive Data Filtering
+5.14. Sensitive Data Filtering
--------------
addresses. A rich regular expression syntax is available for defining
your own PII.
-5.15.1. Hyperscan
+5.14.1. Hyperscan
The sd_pattern rule option is powered by the open source Hyperscan
library from Intel. It provides a regex grammar which is mostly PCRE
compatible. To learn more about Hyperscan see https://intel.github.io
/hyperscan/dev-reference/
-5.15.2. Syntax
+5.14.2. Syntax
Snort provides sd_pattern as IPS rule option with no additional
inspector overhead. The Rule option takes the following syntax.
sd_pattern: "<pattern>"[, threshold <count>];
-5.15.2.1. Pattern
+5.14.2.1. Pattern
Pattern is the most important and is the only required parameter to
sd_pattern. It supports 3 built in patterns which are configured by
Note: This is just an example, this pattern is not suitable to detect
many correctly formatted emails.
-5.15.2.2. Threshold
+5.14.2.2. Threshold
Threshold is an optional parameter allowing you to change built in
default value (default value is 1). The following two instances are
literal" to qualify as a positive match. That is, if the string only
occurred 299 times in a packet, you will not see an event.
-5.15.2.3. Obfuscating Credit Cards and Social Security Numbers
+5.14.2.3. Obfuscating Credit Cards and Social Security Numbers
Snort provides discreet logging for the built in patterns
"credit_card", "us_social" and "us_social_nodashes". Enabling
obfuscate_pii = true
}
-5.15.3. Example
+5.14.3. Example
A complete Snort IPS rule
58 58 58 58 58 58 58 58 58 58 58 58 39 32 39 34 XXXXXXXXXXXX9294
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-5.15.4. Caveats
+5.14.4. Caveats
1. Snort currently requires setting the fast pattern engine to use
"hyperscan" in order for sd_pattern ips option to function
(This is a known bug).
-5.16. SMTP
+5.15. SMTP
--------------
SMTP inspector is a service inspector for SMTP protocol.
-5.16.1. Overview
+5.15.1. Overview
The SMTP inspector examines SMTP connections looking for commands and
responses. It also identifies the command, header and body sections,
SMTP inspector logs the filename, email addresses, attachment names
when configured.
-5.16.2. Configuration
+5.15.2. Configuration
SMTP command lines can be normalized to remove extraneous spaces.
TLS-encrypted traffic can be ignored, which improves performance. In
The configuration options are described below:
-5.16.2.1. normalize and normalize_cmds
+5.15.2.1. normalize and normalize_cmds
Normalization checks for more than one space character after a
command. Space characters are defined as space (ASCII 0x20) or tab
smtp = { normalize = 'cmds', normalize_cmds = 'RCPT VRFY EXPN' }
-5.16.2.2. ignore_data
+5.15.2.2. ignore_data
Set it to true to ignore data section of mail (except for mail
headers) when processing rules.
-5.16.2.3. ignore_tls_data
+5.15.2.3. ignore_tls_data
Set it to true to ignore TLS-encrypted data when processing rules.
-5.16.2.4. max_command_line_len
+5.15.2.4. max_command_line_len
Alert if an SMTP command line is longer than this value. Absence of
this option or a "0" means never alert on command line length. RFC
2821 recommends 512 as a maximum command line length.
-5.16.2.5. max_header_line_len
+5.15.2.5. max_header_line_len
Alert if an SMTP DATA header line is longer than this value. Absence
of this option or a "0" means never alert on data header line length.
RFC 2821 recommends 1024 as a maximum data header line length.
-5.16.2.6. max_response_line_len
+5.15.2.6. max_response_line_len
Alert if an SMTP response line is longer than this value. Absence of
this option or a "0" means never alert on response line length. RFC
2821 recommends 512 as a maximum response line length.
-5.16.2.7. alt_max_command_line_len
+5.15.2.7. alt_max_command_line_len
Overrides max_command_line_len for specific commands For example:
},
}
-5.16.2.8. invalid_cmds
+5.15.2.8. invalid_cmds
Alert if this command is sent from client side.
-5.16.2.9. valid_cmds
+5.15.2.9. valid_cmds
List of valid commands. We do not alert on commands in this list.
STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS X-LINK2STATE
XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR ]]
-5.16.2.10. data_cmds
+5.15.2.10. data_cmds
List of commands that initiate sending of data with an end of data
delimiter the same as that of the DATA command per RFC 5321 - "
<CRLF>.<CRLF>".
-5.16.2.11. binary_data_cmds
+5.15.2.11. binary_data_cmds
List of commands that initiate sending of data and use a length value
after the command to indicate the amount of data to be sent, similar
to that of the BDAT command per RFC 3030.
-5.16.2.12. auth_cmds
+5.15.2.12. auth_cmds
List of commands that initiate an authentication exchange between
client and server.
-5.16.2.13. xlink2state
+5.15.2.13. xlink2state
Enable/disable xlink2state alert, options are {disable | alert |
drop}. See CVE-2005-0560 for a description of the vulnerability.
-5.16.2.14. MIME processing depth parameters
+5.15.2.14. MIME processing depth parameters
These four MIME processing depth parameters are identical to their
POP and IMAP counterparts. See that section for further details.
b64_decode_depth qp_decode_depth bitenc_decode_depth uu_decode_depth
-5.16.2.15. Log Options
+5.15.2.15. Log Options
Following log options allow SMTP inspector to log email addresses and
filenames. Please note, this is logged only with the unified2 output
allowed range for this option is 0 - 20480. A value of 0 will disable
email headers logging. The default value for this option is 1464.
-5.16.3. Example
+5.15.3. Example
smtp =
{
}
-5.17. Telnet
+5.16. Telnet
--------------
connection is encrypted, per the use of the telnet encryption option
per RFC 2946.
-5.17.1. Configuring the inspector to block exploits and attacks
+5.16.1. Configuring the inspector to block exploits and attacks
ayt_attack_thresh number
vulnerabilities relating to bsd-based implementations of telnet.
+5.17. Trace
+
+--------------
+
+Snort 3 retired the different flavors of debug macros that used to be
+set through the SNORT_DEBUG environment variable. It was replaced by
+per-module trace functionality. Trace is turned on by setting the
+specific trace module configuration in snort.lua. As before, to
+enable debug tracing, Snort must be configured at build time with
+--enable-debug-msgs. However, a growing number of modules (such as
+wizard and snort.inspector_manager) are providing non-debug trace
+messages in normal production builds.
+
+5.17.1. Trace module
+
+The trace module is responsible for configuring traces and supports
+the following parameters:
+
+output - configure the output method for trace messages
+modules - trace configuration for specific modules
+constraints - filter traces by the packet constraints
+
+The following lines, added in snort.lua, will enable trace messages
+for detection and codec modules. The messages will be printed to
+syslog if the packet filtering constraints match.
+
+trace =
+{
+ output = "syslog",
+ modules =
+ {
+ detection = { detect_engine = 1 },
+ decode = { all = 1 }
+ },
+ constraints =
+ {
+ ip_proto = 17,
+ dst_ip = "10.1.1.2",
+ src_port = 100,
+ dst_port = 200
+ }
+}
+
+The trace module supports config reloading. Also, it’s possible to
+set or clear modules traces and packet filter constraints via the
+control channel command.
+
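Review bot: the closing sentence of the 5.17.1 example, "The messages will be printed to syslog if the packet filtering constraints match", is contradicted by 5.17.11 below, which states that decode:all messages are never filtered because they are emitted before a packet exists; say here that constraints apply only to packet-related messages and that the decode lines enabled in this very example will print for every packet. Two smaller points in the same region: the example enables `detection = { detect_engine = 1 }`, an option that is not introduced until 5.17.12, so either use `rule_eval` (the option every later example relies on) or add a cross-reference; and the intro's "a growing number of modules (such as wizard and snort.inspector_manager) are providing non-debug trace messages in normal production builds" should say plainly which of the options documented below work without --enable-debug-msgs, since a reader on a production build otherwise cannot tell which examples will produce any output.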
+5.17.2. Trace module - configuring traces
+
+The trace module has the modules option - a table with trace
+configuration for specific modules. The following lines placed in
+snort.lua will enable trace messages for detection, codec and wizard
+modules:
+
+trace =
+{
+ modules =
+ {
+ detection = { all = 1 },
+ decode = { all = 1 },
+ wizard = { all = 1 }
+ }
+}
+
+The detection and snort modules are currently the only modules to
+support multiple trace options. Others have only the default all
+option, which will enable or disable all traces in a given module.
+It’s available for multi-option modules also and works as a global
+switcher:
+
+trace =
+{
+ modules =
+ {
+ detection = { all = 1 } -- set each detection option to level 1
+ }
+}
+
+trace =
+{
+ modules =
+ {
+ detection = { all = 1, tag = 2 } -- set each detection option to level 1 but the 'tag' to level 2
+ }
+}
+
+The full list of available trace parameters is placed into the "Basic
+Modules.trace" chapter.
+
+Each option must be assigned an integer value between 0 and 255 to
+specify a level of verbosity for that option:
+
+0 - turn off trace messages printing for the option
+1 - print most significant trace messages for the option
+255 - print all available trace messages for the option
+
+Tracing is disabled by default (verbosity level equals 0). The
+verbosity level is treated as a threshold, so specifying a higher
+value will result in all messages with a lower level being printed as
+well. For example:
+
+trace =
+{
+ modules =
+ {
+ decode = { all = 3 } -- messages with levels 1, 2, and 3 will be printed
+ }
+}
+
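Review bot: the `detection = { all = 1, tag = 2 }` example depends on a named option overriding `all`, but nothing says whether that holds regardless of key order; Lua tables with string keys have no defined iteration order, so the text should state explicitly that a specific option always takes precedence over `all` in the same table, however the keys are written. "works as a global switcher" is also unclear; "sets a default level for every option of that module" says what the example shows. Minor: "The full list of available trace parameters is placed into the "Basic Modules.trace" chapter" reads better as "The full list of trace parameters is given in the trace entry of the Basic Modules chapter".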
+5.17.3. Trace module - configuring packet filter constraints for
+packet related trace messages
+
+There is a capability to filter traces by the packet constraints. The
+trace module has the constraints option - a table with filtering
+configuration that will be applied to all trace messages that include
+a packet. Filtering is done on a flow that packet is related. By
+default filtering is disabled.
+
+Available constraints options:
+
+ip_proto - numerical IP protocol ID
+src_ip - match all packets with a flow that has this client IP address (passed as a string)
+src_port - match all packets with a flow that has this source port
+dst_ip - match all packets with a flow that has this server IP address (passed as a string)
+dst_port - match all packets with a flow that has this destination port
+
+The following lines placed in snort.lua will enable all trace
+messages for detection filtered by ip_proto, dst_ip, src_port and
+dst_port:
+
+trace =
+{
+ modules =
+ {
+ detection = { all = 1 }
+ },
+ constraints =
+ {
+ ip_proto = 6, -- tcp
+ dst_ip = "10.1.1.10",
+ src_port = 150,
+ dst_port = 250
+ }
+}
+
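Review bot: "Filtering is done on a flow that packet is related. By default filtering is disabled." is ungrammatical and leaves out the key behaviour; say "Filtering is applied to the flow the packet belongs to, so both directions of a matching flow are traced", which is what the 5.17.10 output shows (packets 2 and 4, travelling server to client, are printed even though src_port and dst_port are written from the client's side). Two questions the section should answer: whether src_ip and dst_ip accept IPv6 addresses or CIDR notation (only "passed as a string" is stated), and what happens to packets that have no flow at all once any constraint is set, since "By default filtering is disabled" leaves open whether such packets are still traced or dropped from the trace.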
+5.17.4. Trace module - configuring trace output method
+
+There is a capability to configure the output method for trace
+messages. The trace module has the output option with two acceptable
+values:
+
+"stdout" - printing to stdout
+"syslog" - printing to syslog
+
+By default, the output method will be set based on the Snort run
+mode. Normally it will use stdout, but if -D (daemon mode) and/or -M
+(alert-syslog mode) are set, it will instead use syslog.
+
+Example - set output method as syslog:
+
+In snort.lua, the following lines were added:
+
+trace =
+{
+ output = "syslog",
+ modules =
+ {
+ detection = { all = 1 }
+ }
+}
+
+As a result, each trace message will be printed into syslog (the
+Snort run-mode will be ignored).
+
+5.17.5. Configuring traces via control channel command
+
+There is a capability to configure module trace options and packet
+constraints via the control channel command by using a Snort shell.
+In order to enable shell, Snort has to be configured and built with
+--enable-shell.
+
+The trace control channel command is a way how to configure module
+trace options and/or packet filter constraints directly during Snort
+run and without reloading the entire config.
+
+After entering the Snort shell, there are two commands available for
+the trace module:
+
+trace.set({ modules = {...}, constraints = {...} }) - set modules traces and constraints (should pass a valid Lua-entry)
+
+trace.clear() - clear modules traces and constraints
+
+Also, it’s possible to omit tables in the trace.set() command:
+
+trace.set({constraints = {...}}) - set only filtering configuration keeping old modules traces
+
+trace.set({modules = {...}}) - set only module trace options keeping old filtering constraints
+
+trace.set({}) - disable traces and constraints (set to empty)
+
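Review bot: `trace.set({})` is described as "disable traces and constraints (set to empty)" and `trace.clear()` as "clear modules traces and constraints"; if they are equivalent, say so, and if not, say what differs. The section also only covers the build-time requirement (--enable-shell) and never says how the shell is actually entered at run time (the --shell command line option, if that is the intended path), which the reader needs before "After entering the Snort shell" makes sense. Wording: "The trace control channel command is a way how to configure module trace options and/or packet filter constraints directly during Snort run and without reloading the entire config" should read "The trace control channel commands change module trace options and packet filter constraints while Snort is running, without reloading the configuration", and "(should pass a valid Lua-entry)" should read "(the argument must be a valid Lua table)".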
+5.17.6. Trace messages format
+
+Each tracing message has a standard format:
+
+<module_name>:<option_name>:<message_log_level>: <particular_message>
+
+5.17.7. Example - Debugging rules using detection trace
+
+The detection engine is responsible for rule evaluation. Turning on
+the trace for it can help with debugging new rules.
+
+The relevant options for detection are as follow:
+
+rule_eval - follow rule evaluation
+buffer - print evaluated buffer if it changed (level 1) or at every step (level 5)
+rule_vars - print value of ips rule options vars
+fp_search - print information on fast pattern search
+
+Buffer print is useful, but in case the buffer is very big can be too
+verbose. Choose between verbosity levels 1, 5, or no buffer trace
+accordingly.
+
+rule_vars is useful when the rule is using ips rule options vars.
+
+In snort.lua, the following lines were added:
+
+trace =
+{
+ modules =
+ {
+ detection =
+ {
+ rule_eval = 1,
+ buffer = 1,
+ rule_vars = 1,
+ fp_search = 1
+ }
+ }
+}
+
+The pcap has a single packet with payload:
+
+10.AAAAAAAfoobar
+
+Evaluated on rules:
+
+# byte_math + oper with byte extract and content
+# VAL = 1, byte_math = 0 + 10
+alert tcp ( byte_extract: 1, 0, VAL, string, dec;
+byte_math:bytes 1,offset VAL,oper +, rvalue 10, result var1, string dec;
+content:"foo", offset var1; sid:3)
+
+#This rule should not trigger
+alert tcp (content:"AAAAA"; byte_jump:2,0,relative;
+content:"foo", within 3; sid:2)
+
+The output:
+
+detection:rule_eval:1: packet 1 C2S 127.0.0.1:1234 127.0.0.1:5678 (fast-patterns)
+detection:rule_eval:1: Fast pattern search
+detection:fp_search:1: 1 fp packet[16]
+
+snort.raw[16]:
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+31 30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 10.AAAAAAAfoobar
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+detection:rule_eval:1: Processing pattern match #1
+detection:rule_eval:1: Fast pattern packet[5] = 'AAAAA' |41 41 41 41 41 | ( )
+detection:rule_eval:1: Starting tree eval
+detection:rule_eval:1: Evaluating option content, cursor name pkt_data, cursor position 0
+
+snort.raw[16]:
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+31 30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 10.AAAAAAAfoobar
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+detection:rule_vars:1: Rule options variables: var[0]=0 var[1]=0 var[2]=0
+detection:rule_eval:1: Evaluating option byte_jump, cursor name pkt_data, cursor position 8
+
+snort.raw[8]:
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+41 41 66 6F 6F 62 61 72 AAfoobar
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+detection:rule_eval:1: no match
+detection:rule_vars:1: Rule options variables: var[0]=0 var[1]=0 var[2]=0
+detection:rule_eval:1: Evaluating option byte_jump, cursor name pkt_data, cursor position 9
+
+snort.raw[7]:
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+41 66 6F 6F 62 61 72 Afoobar
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+detection:rule_eval:1: no match
+detection:rule_vars:1: Rule options variables: var[0]=0 var[1]=0 var[2]=0
+detection:rule_eval:1: Evaluating option byte_jump, cursor name pkt_data, cursor position 10
+
+snort.raw[6]:
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+66 6F 6F 62 61 72 foobar
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+detection:rule_eval:1: no match
+detection:rule_eval:1: no match
+detection:rule_eval:1: Processing pattern match #2
+detection:rule_eval:1: Fast pattern packet[3] = 'foo' |66 6F 6F | ( )
+detection:rule_eval:1: Starting tree eval
+detection:rule_eval:1: Evaluating option byte_extract, cursor name pkt_data, cursor position 0
+
+snort.raw[16]:
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+31 30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 10.AAAAAAAfoobar
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+detection:rule_vars:1: Rule options variables: var[0]=1 var[1]=0 var[2]=0
+detection:rule_eval:1: Evaluating option byte_math, cursor name pkt_data, cursor position 1
+
+snort.raw[15]:
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 0.AAAAAAAfoobar
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+detection:rule_vars:1: Rule options variables: var[0]=1 var[1]=10 var[2]=0
+detection:rule_eval:1: Evaluating option content, cursor name pkt_data, cursor position 2
+
+snort.raw[14]:
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 .AAAAAAAfoobar
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+detection:rule_vars:1: Rule options variables: var[0]=1 var[1]=10 var[2]=0
+detection:rule_eval:1: Reached leaf, cursor name pkt_data, cursor position 13
+
+snort.raw[3]:
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+62 61 72 bar
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+detection:rule_eval:1: Matched rule gid:sid:rev 1:3:0
+detection:rule_vars:1: Rule options variables: var[0]=1 var[1]=10 var[2]=0
+04/22-20:21:40.905630, 1, TCP, raw, 56, C2S, 127.0.0.1:1234, 127.0.0.1:5678, 1:3:0, allow
+
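Review bot: the `buffer` description, "print evaluated buffer if it changed (level 1) or at every step (level 5)", combined with the threshold rule in 5.17.2 (a higher level prints every lower-level message too) implies that `buffer = 5` emits both the changed-buffer dump and the every-step dump; say whether that produces duplicate dumps or whether the level-5 message replaces the level-1 one. It is also worth one sentence before the output that the trace names a rule only on match ("Matched rule gid:sid:rev 1:3:0"), so the first "Starting tree eval" block belongs to sid:2 and can only be recognised by its fast pattern 'AAAAA'. Typo: "are as follow" should be "are as follows".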
+5.17.8. Example - Protocols decoding trace
+
+Turning on decode trace will print out information about the packets
+decoded protocols. Can be useful in case of tunneling.
+
+Example for a icmpv4-in-ipv6 packet:
+
+In snort.lua, the following line was added:
+
+trace =
+{
+ modules =
+ {
+ decode = { all = 1 }
+ }
+}
+
+The output:
+
+decode:all:1: Codec eth (protocol_id: 34525) ip header starts at: 0x7f70800110f0, length is 14
+decode:all:1: Codec ipv6 (protocol_id: 1) ip header starts at: 0x7f70800110f0, length is 40
+decode:all:1: Codec icmp4 (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 8
+decode:all:1: Codec unknown (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 0
+
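Review bot: the decode output is shown without explaining its fields, and two of them are easy to misread: the protocol_id on each line is the protocol the codec hands off to next, not the codec's own (34525 is 0x86DD, the IPv6 EtherType, on the eth line; 1 is ICMP on the ipv6 line; 256 on the last two lines appears to mark the end of decoding, consistent with the length of 0 for "Codec unknown"), and "ip header starts at" prints the same pointer on all four lines, so it is not the start of that codec's header. A sentence stating what each field means, or a less misleading message text in the codec trace itself, would stop the reader from inferring the wrong layering from the example. Grammar: "a icmpv4-in-ipv6 packet" should be "an icmpv4-in-ipv6 packet".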
+5.17.9. Example - Track the time packet spends in each inspector
+
+There is a capability to track which inspectors evaluate a packet,
+and how much time the inspector consumes doing so. These trace
+messages could be enabled by the Snort module trace options:
+
+main - command execution traces (main trace logging)
+inspector_manager - inspectors execution and time tracking traces
+
+Example for a single packet with payload:
+
+10.AAAAAAAfoobar
+
+In snort.lua, the following lines were added:
+
+trace =
+{
+ modules =
+ {
+ snort =
+ {
+ -- could be replaced by 'all = 1'
+ main = 1,
+ inspector_manager = 1
+ }
+ }
+}
+
+The output:
+
+snort:main:1: [0] Queuing command START for execution (refcount 1)
+snort:main:1: [0] Queuing command RUN for execution (refcount 1)
+snort:main:1: [0] Destroying completed command START
+snort:inspector_manager:1: start inspection, raw, packet 1, context 1
+snort:inspector_manager:1: enter stream
+snort:inspector_manager:1: exit stream, elapsed time: 2 usec
+snort:inspector_manager:1: stop inspection, raw, packet 1, context 1, total time: 14 usec
+snort:inspector_manager:1: post detection inspection, raw, packet 1, context 1
+snort:inspector_manager:1: end inspection, raw, packet 1, context 1, total time: 0 usec
+snort:main:1: [0] Destroying completed command RUN
+
+5.17.10. Example - trace filtering by packet constraints:
+
+In snort.lua, the following lines were added:
+
+ips =
+{
+ rules =
+ [[
+ alert tcp any any -> any any ( msg: "ALERT_TCP"; gid: 1001; sid: 1001 )
+ alert udp any any -> any any ( msg: "ALERT_UDP"; gid: 1002; sid: 1002 )
+ ]]
+}
+
+trace =
+{
+ modules =
+ {
+ detection = { rule_eval = 1 }
+ },
+ constraints =
+ {
+ ip_proto = 17, -- udp
+ dst_ip = "10.1.1.2",
+ src_port = 100,
+ dst_port = 200
+ }
+}
+
+The processed traffic was next:
+
+d ( stack="eth:ip4:udp" )
+
+c ( ip4:a="10.1.1.1", ip4:b="10.1.1.2", udp:a=100, udp:b=200 )
+a ( pay="pass" )
+b ( pay="pass" )
+
+c ( ip4:a="10.2.1.1" )
+a ( pay="pass" )
+b ( pay="pass" )
+
+c ( udp:a=101 )
+a ( pay="block" )
+b ( pay="block" )
+
+The output:
+
+detection:rule_eval:1: packet 1 UNK 10.1.1.1:100 10.1.1.2:200 (fast-patterns)
+detection:rule_eval:1: Fast pattern processing - no matches found
+detection:rule_eval:1: packet 1 UNK 10.1.1.1:100 10.1.1.2:200 (non-fast-patterns)
+detection:rule_eval:1: packet 2 UNK 10.1.1.2:200 10.1.1.1:100 (fast-patterns)
+detection:rule_eval:1: Fast pattern processing - no matches found
+detection:rule_eval:1: packet 2 UNK 10.1.1.2:200 10.1.1.1:100 (non-fast-patterns)
+detection:rule_eval:1: packet 3 UNK 10.2.1.1:100 10.1.1.2:200 (fast-patterns)
+detection:rule_eval:1: Fast pattern processing - no matches found
+detection:rule_eval:1: packet 3 UNK 10.2.1.1:100 10.1.1.2:200 (non-fast-patterns)
+detection:rule_eval:1: packet 4 UNK 10.1.1.2:200 10.2.1.1:100 (fast-patterns)
+detection:rule_eval:1: Fast pattern processing - no matches found
+detection:rule_eval:1: packet 4 UNK 10.1.1.2:200 10.2.1.1:100 (non-fast-patterns)
+
+The trace messages for two last packets (numbers 5 and 6) weren’t
+printed.
+
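Review bot: the traffic description uses an unexplained notation (`d ( stack="eth:ip4:udp" )`, `c ( ... )`, `a ( pay="pass" )`, `b ( pay="pass" )`); name the tool or syntax this is, or describe the six packets in plain words, otherwise the reader cannot reproduce the run or see that packets 5 and 6 are the ones sent from source port 101. The closing sentence should also say why those two were suppressed (source port 101 does not satisfy the src_port = 100 constraint) rather than only that they were not printed. "The processed traffic was next:" should read "The traffic processed was as follows:".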
+5.17.11. Example - configuring traces via trace.set() command
+
+In snort.lua, the following lines were added:
+
+ips =
+{
+ rules =
+ [[
+ alert tcp any any -> any any ( msg: "ALERT_TCP"; gid: 1001; sid: 1001 )
+ alert udp any any -> any any ( msg: "ALERT_UDP"; gid: 1002; sid: 1002 )
+ ]]
+}
+
+trace =
+{
+ constraints =
+ {
+ ip_proto = 17, -- udp
+ dst_ip = "10.1.1.2",
+ src_port = 100,
+ dst_port = 200
+ },
+ modules =
+ {
+ detection = { rule_eval = 1 }
+ }
+}
+
+The processed traffic was next:
+
+# Flow 1
+d ( stack="eth:ip4:udp" )
+c ( ip4:a="10.1.1.1", ip4:b="10.1.1.2", udp:a=100, udp:b=200 )
+a ( data="udp packet 1" )
+a ( data="udp packet 2" )
+
+# Flow 2
+d ( stack="eth:ip4:tcp" )
+c ( ip4:a="10.1.1.3", ip4:b="10.1.1.4", tcp:a=5000, tcp:b=6000 )
+a ( syn )
+b ( syn, ack )
+a ( ack )
+a ( ack, data="tcp packet 1" )
+a ( ack, data="tcp packet 2" )
+a ( fin, ack )
+b ( fin, ack )
+
+After 1 packet, entering shell and pass the trace.set() command as
+follows:
+
+trace.set({ constraints = { ip_proto = 6, dst_ip = "10.1.1.4", src_port = 5000, dst_port = 6000 }, modules = { decode = { all = 1 }, detection = { rule_eval = 1 } } })
+
+The output (not full, only descriptive lines):
+
+detection:rule_eval:1: packet 1 UNK 10.1.1.1:100 10.1.1.2:200 (fast-patterns)
+detection:rule_eval:1: packet 1 UNK 10.1.1.1:100 10.1.1.2:200 (non-fast-patterns)
+decode:all:1: Codec udp (protocol_id: 256) ip header starts length is 8
+decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20
+detection:rule_eval:1: packet 3 UNK 10.1.1.3:5000 10.1.1.4:6000 (fast-patterns)
+detection:rule_eval:1: packet 3 UNK 10.1.1.3:5000 10.1.1.4:6000 (non-fast-patterns)
+decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20
+detection:rule_eval:1: packet 4 UNK 10.1.1.4:6000 10.1.1.3:5000 (fast-patterns)
+detection:rule_eval:1: packet 4 UNK 10.1.1.4:6000 10.1.1.3:5000 (non-fast-patterns)
+decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20
+detection:rule_eval:1: packet 5 UNK 10.1.1.3:5000 10.1.1.4:6000 (fast-patterns)
+detection:rule_eval:1: packet 5 UNK 10.1.1.3:5000 10.1.1.4:6000 (non-fast-patterns)
+decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20
+detection:rule_eval:1: packet 6 UNK 10.1.1.3:5000 10.1.1.4:6000 (fast-patterns)
+detection:rule_eval:1: packet 6 UNK 10.1.1.3:5000 10.1.1.4:6000 (non-fast-patterns)
+decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20
+detection:rule_eval:1: packet 7 UNK 10.1.1.3:5000 10.1.1.4:6000 (fast-patterns)
+detection:rule_eval:1: packet 7 UNK 10.1.1.3:5000 10.1.1.4:6000 (non-fast-patterns)
+decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20
+detection:rule_eval:1: packet 8 UNK 10.1.1.3:5000 10.1.1.4:6000 (fast-patterns)
+detection:rule_eval:1: packet 8 UNK 10.1.1.3:5000 10.1.1.4:6000 (non-fast-patterns)
+decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20
+detection:rule_eval:1: packet 9 UNK 10.1.1.4:6000 10.1.1.3:5000 (fast-patterns)
+detection:rule_eval:1: packet 9 UNK 10.1.1.4:6000 10.1.1.3:5000 (non-fast-patterns)
+
+The new configuration was applied. decode:all:1 messages aren’t
+filtered because they don’t include a packet (a packet isn’t
+well-formed at the point when the message is printing).
+
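Review bot: the explanation at the end, that decode:all messages "aren't filtered because they don't include a packet", is a real limitation of constraints and belongs in 5.17.3 as well, not only inside this example; a reader who configured constraints from 5.17.3 alone will not expect unfiltered decode lines. The example would also be clearer if it pointed out that the second UDP packet (packet 2) is missing from the detection lines precisely because the new constraints select the TCP flow, which is the effect being demonstrated. Grammar: "After 1 packet, entering shell and pass the trace.set() command as follows" should read "After the first packet, enter the shell and issue the following trace.set() command".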
+5.17.12. Other available traces
+
+There are more trace options supported by detection:
+
+detect_engine - prints statistics about the engine
+pkt_detect - prints a message when disabling content detect for packet
+opt_tree - prints option tree data structure
+tag - prints a message when a new tag is added
+
+The rest support only 1 option, and can be turned on by adding all =
+1 to their table in trace lua config.
+
+ * stream module trace:
+
+When turned on prints a message in case inspection is stopped on a
+flow. Example for output:
+
+stream:all:1: stop inspection on flow, dir BOTH
+
+ * stream_ip, stream_user: trace will output general processing
+ messages
+
+Other modules that support trace have messages as seemed fit to the
+developer. Some are for corner cases, others for complex data
+structures.
+
+
5.18. Wizard
--------------
* string host_cache.dump_file: file name to dump host cache on
shutdown; won’t dump by default
* int host_cache.memcap = 8388608: maximum host cache size in bytes
- { 512:max32 }
+ { 512:maxSZ }
Commands:
* host_cache.reload_prunes: lru cache pruned entry for lower memcap
during reload (sum)
* host_cache.removes: lru cache found entry and removed it (sum)
+ * host_cache.replaced: lru cache found entry and replaced it (sum)
6.12. host_tracker
* int trace.modules.stream_ip.all: enable all trace options { 0:255
}
* int trace.modules.stream.all: enable all trace options { 0:255 }
+ * int trace.modules.snort.all: enable all trace options { 0:255 }
+ * int trace.modules.snort.main: enable main trace logging { 0:255 }
+ * int trace.modules.snort.inspector_manager: enable inspector
+ manager trace logging { 0:255 }
* int trace.modules.dce_smb.all: enable all trace options { 0:255 }
* int trace.modules.dce_udp.all: enable all trace options { 0:255 }
* int trace.modules.latency.all: enable all trace options { 0:255 }
0:255 }
* int trace.modules.appid.all: enable all trace options { 0:255 }
* int trace.modules.decode.all: enable all trace options { 0:255 }
+ * int trace.constraints.ip_proto: numerical IP protocol ID filter {
+ 0:255 }
+ * string trace.constraints.src_ip: source IP address filter
+ * int trace.constraints.src_port: source port filter { 0:65535 }
+ * string trace.constraints.dst_ip: destination IP address filter
+ * int trace.constraints.dst_port: destination port filter { 0:65535
+ }
* enum trace.output: output method for trace log messages { stdout
| syslog }
+Commands:
+
+ * trace.set(modules, constraints): set modules traces and
+ constraints
+ * trace.clear(): clear modules traces and constraints
+
---------------------------------------------------------------------
from the service cache (sum)
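Review bot: the command reference added here, `trace.set(modules, constraints)`, does not match the form documented and exercised in 5.17.5 and 5.17.11, `trace.set({ modules = {...}, constraints = {...} })`, which takes a single table with two optional keys; one of the two must be corrected, and the prose form is the one the example output was produced with. In the same hunk the constraint descriptions say "source IP address filter" and "destination IP address filter", whereas 5.17.3 defines src_ip and dst_ip as the flow's client and server addresses; since filtering is per flow and direction-independent, the reference text should use the client/server wording too.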
-9.2. arp_spoof
+9.2. appid_listener
+
+--------------
+
+What: log selected published data to appid_listener.log
+
+Type: inspector
+
+Usage: context
+
+
+9.3. arp_spoof
--------------
* arp_spoof.packets: total packets (sum)
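Review bot: the new appid_listener entry lists no configuration parameters and no peg counts, and "log selected published data to appid_listener.log" does not say what selects the data or where the file is written (working directory or the configured log directory); either add the parameters or state that the inspector has none, and document the file location, since a plugin that writes a log file whenever it is loaded is something operators need to know about.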
-9.3. back_orifice
+9.4. back_orifice
--------------
* back_orifice.packets: total packets (sum)
-9.4. binder
+9.5. binder
--------------
* binder.inspects: inspect bindings (sum)
-9.5. cip
+9.6. cip
--------------
(max)
-9.6. data_log
+9.7. data_log
--------------
* data_log.packets: total packets (sum)
-9.7. dce_http_proxy
+9.8. dce_http_proxy
--------------
sessions (sum)
-9.8. dce_http_server
+9.9. dce_http_server
--------------
sessions (sum)
-9.9. dce_smb
+9.10. dce_smb
--------------
(max)
-9.10. dce_tcp
+9.11. dce_tcp
--------------
* dce_tcp.server_frags_reassembled: total connection-oriented
server fragments reassembled (sum)
* dce_tcp.tcp_sessions: total tcp sessions (sum)
+ * dce_tcp.tcp_expected_sessions: total tcp dynamic endpoint
+ expected sessions (sum)
+ * dce_tcp.tcp_expected_realized: total tcp dynamic endpoint
+ expected realized sessions (sum)
* dce_tcp.tcp_packets: total tcp packets (sum)
* dce_tcp.concurrent_sessions: total concurrent sessions (now)
* dce_tcp.max_concurrent_sessions: maximum concurrent sessions
(max)
-9.11. dce_udp
+9.12. dce_udp
--------------
(max)
-9.12. dnp3
+9.13. dnp3
--------------
(max)
-9.13. dns
+9.14. dns
--------------
(max)
-9.14. domain_filter
+9.15. domain_filter
--------------
* domain_filter.filtered: domains filtered (sum)
-9.15. dpx
+9.16. dpx
--------------
* dpx.packets: total packets (sum)
-9.16. file_id
+9.17. file_id
--------------
* int file_id.max_files_per_flow = 32: maximal number of files able
to be concurrently processed per flow { 1:max53 }
* bool file_id.enable_type = true: enable type ID
- * bool file_id.enable_signature = true: enable signature
+ * bool file_id.enable_signature = false: enable signature
calculation
* bool file_id.enable_capture = false: enable file capture
* int file_id.show_data_depth = 100: print this many octets {
data
* int file_id.verdict_delay = 0: number of queries to return final
verdict { 0:max53 }
+ * int file_id.b64_decode_depth = -1: base64 decoding depth (-1 no
+ limit) { -1:65535 }
+ * int file_id.bitenc_decode_depth = -1: Non-Encoded MIME attachment
+ extraction depth (-1 no limit) { -1:65535 }
+ * bool file_id.decompress_pdf = false: decompress pdf files in MIME
+ attachments
+ * bool file_id.decompress_swf = false: decompress swf files in MIME
+ attachments
+ * bool file_id.decompress_zip = false: decompress zip files in MIME
+ attachments
+ * int file_id.qp_decode_depth = -1: Quoted Printable decoding depth
+ (-1 no limit) { -1:65535 }
+ * int file_id.uu_decode_depth = -1: Unix-to-Unix decoding depth (-1
+ no limit) { -1:65535 }
Rules:
concurrently on a flow (max)
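Review bot: the default of file_id.enable_signature flips from true to false, which silently turns off file signature calculation for anyone relying on the documented default; confirm this is intentional, make sure the file_id prose section and the ChangeLog call it out, and check that any file policy text that assumes a signature is available is updated. The seven new file_id MIME parameters (b64_decode_depth, bitenc_decode_depth, qp_decode_depth, uu_decode_depth and the three decompress_* flags) also appear here without a prose section; the SMTP text at 5.15.2.14 only points to the POP/IMAP section for the depth parameters, so either add file_id to that cross-reference or explain in the file_id section how its depths interact with the per-inspector ones when both are set.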
-9.17. file_log
+9.18. file_log
--------------
* file_log.total_events: total file events (sum)
-9.18. finalize_packet
+9.19. finalize_packet
--------------
* finalize_packet.other_messages: total other message seen (sum)
-9.19. ftp_client
+9.20. ftp_client
--------------
sequences on FTP control channel
-9.20. ftp_data
+9.21. ftp_data
--------------
* ftp_data.packets: total packets (sum)
-9.21. ftp_server
+9.22. ftp_server
--------------
sessions (max)
-9.22. gtp_inspect
+9.23. gtp_inspect
--------------
* gtp_inspect.unknown_infos: unknown information elements (sum)
-9.23. http2_inspect
+9.24. http2_inspect
--------------
transfers per HTTP/2 connection (max)
-9.24. http_inspect
+9.25. http_inspect
--------------
cutovers to wizard (sum)
-9.25. imap
+9.26. imap
--------------
* imap.non_encoded_bytes: total non-encoded extracted bytes (sum)
-9.26. mem_test
+9.27. mem_test
--------------
* mem_test.packets: total packets (sum)
-9.27. modbus
+9.28. modbus
--------------
sessions (max)
-9.28. normalizer
+9.29. normalizer
--------------
* normalizer.tcp_block: blocked segments (sum)
-9.29. packet_capture
+9.30. packet_capture
--------------
filter (sum)
-9.30. perf_monitor
+9.31. perf_monitor
--------------
by new flows (sum)
-9.31. pop
+9.32. pop
--------------
* pop.non_encoded_bytes: total non-encoded extracted bytes (sum)
-9.32. port_scan
+9.33. port_scan
--------------
to reduced memcap (sum)
-9.33. reputation
+9.34. reputation
--------------
* reputation.memory_allocated: total memory allocated (sum)
-9.34. rna
+9.35. rna
--------------
(sum)
-9.35. rpc_decode
+9.36. rpc_decode
--------------
sessions (max)
-9.36. rt_global
+9.37. rt_global
--------------
* int rt_global.memcap = 2048: cap on amount of memory used (0 is
disabled) { 0:max53 }
* bool rt_global.empty_ips = false: ips policy with no rules
+ * bool rt_global.init_drop_reason = false: populate drop reason map
Peg counts:
* rt_global.packets: total packets (sum)
-9.37. rt_packet
+9.38. rt_packet
--------------
* rt_packet.retry_packets: total retried packets received (sum)
-9.38. rt_service
+9.39. rt_service
--------------
inject requests (sum)
-9.39. s7commplus
+9.40. s7commplus
--------------
sessions (max)
-9.40. sip
+9.41. sip
--------------
* sip.code_9xx: 9xx (sum)
-9.41. smtp
+9.42. smtp
--------------
* smtp.non_encoded_bytes: total non-encoded extracted bytes (sum)
-9.42. so_proxy
+9.43. so_proxy
--------------
Usage: global
-9.43. ssh
+9.44. ssh
--------------
(max)
-9.44. ssl
+9.45. ssl
--------------
(max)
-9.45. stream
+9.46. stream
--------------
deleted by config reloads (sum)
-9.46. stream_file
+9.47. stream_file
--------------
* bool stream_file.upload = false: indicate file transfer direction
-9.47. stream_icmp
+9.48. stream_icmp
--------------
* stream_icmp.prunes: icmp session prunes (sum)
-9.48. stream_ip
+9.49. stream_ip
--------------
* stream_ip.fragmented_bytes: total fragmented bytes (sum)
-9.49. stream_tcp
+9.50. stream_tcp
--------------
(sum)
* stream_tcp.held_packet_timeouts: number of held packets that
timed out (sum)
+ * stream_tcp.held_packet_purges: number of held packets that were
+ purged without flushing (sum)
* stream_tcp.cur_packets_held: number of packets currently held
(now)
* stream_tcp.max_packets_held: maximum number of packets held
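Review bot: stream_tcp.held_packet_purges ("purged without flushing") needs a sentence on what triggers a purge as opposed to the neighbouring held_packet_timeouts and held_packets_dropped counters; without it an analyst cannot tell which of the three indicates that held data left the reassembler without being inspected. Suggest wording along the lines of "held packets released without a reassembly flush, not counted as timeouts or drops".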
service stream splitter (sum)
-9.50. stream_udp
+9.51. stream_udp
--------------
* stream_udp.ignored: udp packets ignored (sum)
-9.51. stream_user
+9.52. stream_user
--------------
1:max31 }
-9.52. telnet
+9.53. telnet
--------------
sessions (max)
-9.53. wizard
+9.54. wizard
--------------
Configuration:
- * bool react.msg = false: use rule msg in response page instead of
- default message
* string react.page: file containing HTTP response (headers and
body)
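Review bot: react.msg is dropped from the configuration listing with no replacement option and no corresponding "deleted -> react: 'msg'" entry in the deleted/renamed options list, so existing snort.lua files that set react.msg get no migration hint; either add that entry or state in the react section what now controls the response text (only react.page remains visible here).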
duplex }
* enum file_connector.format: file format { binary | text }
* string file_connector.name: channel name
+ * int file_id.b64_decode_depth = -1: base64 decoding depth (-1 no
+ limit) { -1:65535 }
+ * int file_id.bitenc_decode_depth = -1: Non-Encoded MIME attachment
+ extraction depth (-1 no limit) { -1:65535 }
* int file_id.block_timeout = 86400: stop blocking after this many
seconds { 0:max31 }
* bool file_id.block_timeout_lookup = false: block if lookup times
megabytes { 0:max53 }
* int file_id.capture_min_size = 0: stop file capture if file size
less than this { 0:max53 }
+ * bool file_id.decompress_pdf = false: decompress pdf files in MIME
+ attachments
+ * bool file_id.decompress_swf = false: decompress swf files in MIME
+ attachments
+ * bool file_id.decompress_zip = false: decompress zip files in MIME
+ attachments
* bool file_id.enable_capture = false: enable file capture
- * bool file_id.enable_signature = true: enable signature
+ * bool file_id.enable_signature = false: enable signature
calculation
* bool file_id.enable_type = true: enable type ID
* bool file_id.file_policy[].use.enable_file_capture = false: true/
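Review bot: the default of file_id.enable_signature flips from true to false in this hunk, which silently disables signature calculation for every deployment that relied on the old default; this is a behaviour change, not a documentation fix, and should be called out in the release notes with a note that file_policy entries depending on signatures now need "enable_signature = true" set explicitly. The surrounding additions (b64/qp/uu/bitenc decode depths, decompress_pdf/swf/zip) are consistent with the existing "-1 no limit" and "{ -1:65535 }" conventions.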
cached in memory { 8:max53 }
* int file_id.max_files_per_flow = 32: maximal number of files able
to be concurrently processed per flow { 1:max53 }
+ * int file_id.qp_decode_depth = -1: Quoted Printable decoding depth
+ (-1 no limit) { -1:65535 }
* int file_id.show_data_depth = 100: print this many octets {
0:max53 }
* int file_id.signature_depth = 10485760: stop signature at this
* bool file_id.trace_type = false: enable runtime dump of type info
* int file_id.type_depth = 1460: stop type ID at this point {
0:max53 }
+ * int file_id.uu_decode_depth = -1: Unix-to-Unix decoding depth (-1
+ no limit) { -1:65535 }
* int file_id.verdict_delay = 0: number of queries to return final
verdict { 0:max53 }
* bool file_log.log_pkt_time = true: log the packet time when event
* string host_cache.dump_file: file name to dump host cache on
shutdown; won’t dump by default
* int host_cache.memcap = 8388608: maximum host cache size in bytes
- { 512:max32 }
+ { 512:maxSZ }
* enum hosts[].frag_policy: defragmentation policy { first | linux
| bsd | bsd_right | last | windows | solaris }
* addr hosts[].ip = 0.0.0.0/32: hosts address / CIDR
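Review bot: host_cache.memcap's upper bound changes from max32 to maxSZ, a range token that appears nowhere else in this listing (the others use max31, max32 and max53); if maxSZ denotes the platform size_t maximum, the range notation section should define it, and the text should say that the effective cap therefore differs between 32-bit and 64-bit builds.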
* int rate_filter[].timeout = 1: count interval { 0:max32 }
* enum rate_filter[].track = by_src: filter only matching source or
destination addresses { by_src | by_dst | by_rule }
- * bool react.msg = false: use rule msg in response page instead of
- default message
* string react.page: file containing HTTP response (headers and
body)
* string reference.~ref: reference: <scheme>,<id>
* int rt_global.downshift_packet = 0: attempt downshift at this
packet on flow (0 is disabled) { 0:max32 }
* bool rt_global.empty_ips = false: ips policy with no rules
+ * bool rt_global.init_drop_reason = false: populate drop reason map
* int rt_global.memcap = 2048: cap on amount of memory used (0 is
disabled) { 0:max53 }
* bool rt_packet.retry_all = false: request retry for all non-retry
* bool telnet.encrypted_traffic = false: check for encrypted Telnet
* bool telnet.normalize = false: eliminate escape sequences
* interval tos.~range: check if IP TOS is in given range { 0:255 }
+ * string trace.constraints.dst_ip: destination IP address filter
+ * int trace.constraints.dst_port: destination port filter { 0:65535
+ }
+ * int trace.constraints.ip_proto: numerical IP protocol ID filter {
+ 0:255 }
+ * string trace.constraints.src_ip: source IP address filter
+ * int trace.constraints.src_port: source port filter { 0:65535 }
* int trace.modules.appid.all: enable all trace options { 0:255 }
* int trace.modules.dce_smb.all: enable all trace options { 0:255 }
* int trace.modules.dce_udp.all: enable all trace options { 0:255 }
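Review bot: trace.constraints.src_ip and dst_ip are typed as string with no statement of the accepted syntax (single address, CIDR, IPv6); elsewhere in this listing address filters use the addr type with "hosts address / CIDR" (hosts[].ip), so either use addr here or document the accepted forms. It would also help to say whether the five constraints are ANDed together and whether an unset constraint matches everything.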
* int trace.modules.gtp_inspect.all: enable all trace options {
0:255 }
* int trace.modules.latency.all: enable all trace options { 0:255 }
+ * int trace.modules.snort.all: enable all trace options { 0:255 }
+ * int trace.modules.snort.inspector_manager: enable inspector
+ manager trace logging { 0:255 }
+ * int trace.modules.snort.main: enable main trace logging { 0:255 }
* int trace.modules.stream.all: enable all trace options { 0:255 }
* int trace.modules.stream_ip.all: enable all trace options { 0:255
}
* dce_tcp.server_segs_reassembled: total connection-oriented server
segments reassembled (sum)
* dce_tcp.shutdowns: total connection-oriented shutdowns (sum)
+ * dce_tcp.tcp_expected_realized: total tcp dynamic endpoint
+ expected realized sessions (sum)
+ * dce_tcp.tcp_expected_sessions: total tcp dynamic endpoint
+ expected sessions (sum)
* dce_tcp.tcp_packets: total tcp packets (sum)
* dce_tcp.tcp_sessions: total tcp sessions (sum)
* dce_udp.acks: total connection-less acks (sum)
* host_cache.reload_prunes: lru cache pruned entry for lower memcap
during reload (sum)
* host_cache.removes: lru cache found entry and removed it (sum)
+ * host_cache.replaced: lru cache found entry and replaced it (sum)
* host_tracker.service_adds: host service adds (sum)
* host_tracker.service_finds: host service finds (sum)
* http2_inspect.concurrent_sessions: total concurrent HTTP/2
segment limit was reached (sum)
* stream_tcp.fins: number of fin packets (sum)
* stream_tcp.gaps: missing data between PDUs (sum)
+ * stream_tcp.held_packet_purges: number of held packets that were
+ purged without flushing (sum)
* stream_tcp.held_packet_rexmits: number of retransmits of held
packets (sum)
* stream_tcp.held_packets_dropped: number of held packets dropped
* snort.detach(): exit shell w/o shutdown
* snort.quit(): shutdown and dump-stats
* snort.help(): this output
+ * trace.set(modules, constraints): set modules traces and
+ constraints
+ * trace.clear(): clear modules traces and constraints
20.9. Signals
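Review bot: trace.set(modules, constraints) does not say whether it replaces or merges with the trace configuration loaded from snort.lua, nor whether the constraints argument may be omitted; since trace.clear() is provided separately, state the replace/merge semantics explicitly and note that the arguments take the same shape as the trace.modules and trace.constraints tables documented earlier in this patch.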
deleted -> pop: 'max_mime_mem'
deleted -> pop: 'memcap'
deleted -> ppm: 'debug-pkts'
-deleted -> react: 'block'
-deleted -> react: 'warn'
deleted -> reputation: 'shared_max_instances'
deleted -> reputation: 'shared_refresh'
deleted -> rpc_decode: 'alert_fragments'
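Review bot: removing the "deleted -> react: 'block'" and "deleted -> react: 'warn'" entries means users converting Snort 2 configs that still carry those react keywords lose the pointer that they no longer exist; unless the options have been reinstated (nothing in this patch shows that), these lines should stay, and a "deleted -> react: 'msg'" entry should be added to match the removal of react.msg from the configuration listing elsewhere in this patch.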
* alert_unixsock (logger): output event over unix socket
* alerts (basic): configure alerts
* appid (inspector): application and service identification
+ * appid_listener (inspector): log selected published data to
+ appid_listener.log
* appids (ips_option): detection option for application ids
* arp (codec): support for address resolution protocol
* arp_spoof (inspector): detect ARP attacks and anomalies
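Review bot: the appid_listener description names a bare file, appid_listener.log, without saying whether it is written relative to the configured log directory or the working directory, and "selected published data" does not say what is selected or whether that is configurable; both matter to anyone pointing log collection at the file. The same wording is repeated under inspector::appid_listener later in this patch and should be fixed in both places.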
* connector::file_connector: implement the file based connector
* connector::tcp_connector: implement the tcp stream connector
* inspector::appid: application and service identification
+ * inspector::appid_listener: log selected published data to
+ appid_listener.log
* inspector::arp_spoof: detect ARP attacks and anomalies
* inspector::back_orifice: back orifice detection
* inspector::binder: configure processing based on CIDRs, ports,