The Snort Team
Revision History
-Revision 3.1.1.0 2021-01-28 10:50:42 EST TST
+Revision 3.1.2.0 2021-03-11 14:57:04 EST TST
---------------------------------------------------------------------
5.22. gtp_inspect
5.23. http2_inspect
5.24. http_inspect
- 5.25. imap
- 5.26. mem_test
- 5.27. modbus
- 5.28. netflow
- 5.29. normalizer
- 5.30. null_trace_logger
- 5.31. packet_capture
- 5.32. perf_monitor
- 5.33. pop
- 5.34. port_scan
- 5.35. reputation
- 5.36. rna
- 5.37. rpc_decode
- 5.38. s7commplus
- 5.39. sip
- 5.40. smtp
- 5.41. so_proxy
- 5.42. ssh
- 5.43. ssl
- 5.44. stream
- 5.45. stream_file
- 5.46. stream_icmp
- 5.47. stream_ip
- 5.48. stream_tcp
- 5.49. stream_udp
- 5.50. stream_user
- 5.51. telnet
- 5.52. wizard
+ 5.25. iec104
+ 5.26. imap
+ 5.27. mem_test
+ 5.28. modbus
+ 5.29. netflow
+ 5.30. normalizer
+ 5.31. null_trace_logger
+ 5.32. packet_capture
+ 5.33. perf_monitor
+ 5.34. pop
+ 5.35. port_scan
+ 5.36. reputation
+ 5.37. rna
+ 5.38. rpc_decode
+ 5.39. s7commplus
+ 5.40. sip
+ 5.41. smtp
+ 5.42. so_proxy
+ 5.43. ssh
+ 5.44. ssl
+ 5.45. stream
+ 5.46. stream_file
+ 5.47. stream_icmp
+ 5.48. stream_ip
+ 5.49. stream_tcp
+ 5.50. stream_udp
+ 5.51. stream_user
+ 5.52. telnet
+ 5.53. wizard
6. IPS Action Modules
7.68. icmp_seq
7.69. icode
7.70. id
- 7.71. ip_proto
- 7.72. ipopts
- 7.73. isdataat
- 7.74. itype
- 7.75. md5
- 7.76. metadata
- 7.77. modbus_data
- 7.78. modbus_func
- 7.79. modbus_unit
- 7.80. msg
- 7.81. mss
- 7.82. pcre
- 7.83. pkt_data
- 7.84. pkt_num
- 7.85. priority
- 7.86. raw_data
- 7.87. reference
- 7.88. regex
- 7.89. rem
- 7.90. replace
- 7.91. rev
- 7.92. rpc
- 7.93. s7commplus_content
- 7.94. s7commplus_func
- 7.95. s7commplus_opcode
- 7.96. sd_pattern
- 7.97. seq
- 7.98. service
- 7.99. sha256
- 7.100. sha512
- 7.101. sid
- 7.102. sip_body
- 7.103. sip_header
- 7.104. sip_method
- 7.105. sip_stat_code
- 7.106. so
- 7.107. soid
- 7.108. ssl_state
- 7.109. ssl_version
- 7.110. stream_reassemble
- 7.111. stream_size
- 7.112. tag
- 7.113. target
- 7.114. tos
- 7.115. ttl
- 7.116. urg
- 7.117. window
- 7.118. wscale
+ 7.71. iec104_apci_type
+ 7.72. iec104_asdu_func
+ 7.73. ip_proto
+ 7.74. ipopts
+ 7.75. isdataat
+ 7.76. itype
+ 7.77. md5
+ 7.78. metadata
+ 7.79. modbus_data
+ 7.80. modbus_func
+ 7.81. modbus_unit
+ 7.82. msg
+ 7.83. mss
+ 7.84. pcre
+ 7.85. pkt_data
+ 7.86. pkt_num
+ 7.87. priority
+ 7.88. raw_data
+ 7.89. reference
+ 7.90. regex
+ 7.91. rem
+ 7.92. replace
+ 7.93. rev
+ 7.94. rpc
+ 7.95. s7commplus_content
+ 7.96. s7commplus_func
+ 7.97. s7commplus_opcode
+ 7.98. sd_pattern
+ 7.99. seq
+ 7.100. service
+ 7.101. sha256
+ 7.102. sha512
+ 7.103. sid
+ 7.104. sip_body
+ 7.105. sip_header
+ 7.106. sip_method
+ 7.107. sip_stat_code
+ 7.108. so
+ 7.109. soid
+ 7.110. ssl_state
+ 7.111. ssl_version
+ 7.112. stream_reassemble
+ 7.113. stream_size
+ 7.114. tag
+ 7.115. target
+ 7.116. tos
+ 7.117. ttl
+ 7.118. urg
+ 7.119. window
+ 7.120. wscale
8. Search Engine Modules
9. SO Rule Modules
before stopping (0 is unlimited) { 0:max53 }
* int packets.skip = 0: number of packets to skip before before
processing { 0:max53 }
- * bool packets.vlan_agnostic = false: determines whether VLAN info
- is used to track fragments and connections
+ * bool packets.mpls_agnostic = true: determines whether MPLS labels
+ are used to track fragments and connections
+ * bool packets.vlan_agnostic = false: determines whether VLAN tags
+ are used to track fragments and connections
2.22. payload_injector
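Review bot: the two tracking switches in this hunk ship with opposite defaults (packets.mpls_agnostic = true, packets.vlan_agnostic = false) and neither description says why; one sentence stating that MPLS labels are ignored for fragment and connection tracking by default while VLAN tags are honoured, and what changes when an operator flips either on a tagged or label-switched monitoring link, would prevent misconfiguration. The unchanged context line "number of packets to skip before before processing" also repeats "before" and could be fixed in the same pass.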
line starting with END is read
* implied snort.--talos: enable Talos tweak (same as --tweaks
talos)
- * implied snort.--treat-drop-as-alert: converts drop, block, and
- reset rules into alert rules when loaded
- * implied snort.--treat-drop-as-ignore: use drop, block, and reset
- rules to ignore session traffic when not inline
* string snort.--tweaks: tune configuration
* implied snort.--version: show version number (same as -V)
* implied snort.--warn-all: enable all warnings
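Review bot: the removal of snort.--treat-drop-as-alert and snort.--treat-drop-as-ignore carries no deprecation note and names no replacement; passive, non-inline deployments used these switches to turn drop, block and reset rules into alerts or ignores, so the entry (or the release notes) should say whether the options are retired outright or whether another mechanism now covers that case, and what a command line that still passes them will do.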
* snort.delete_inspector(inspector): delete an inspector from the
default policy
* snort.dump_stats(): show summary statistics
+ * snort.reset_stats(): clear summary statistics
* snort.rotate_stats(): roll perfmonitor log files
* snort.reload_config(filename): load new configuration
* snort.reload_policy(filename): reload part or all of the default
* int trace.modules.dpx.all: enable all trace options { 0:255 }
* int trace.modules.gtp_inspect.all: enable all trace options {
0:255 }
+ * int trace.modules.iec104.all: enable all trace options { 0:255 }
+ * int trace.modules.iec104.identification: enable IEC104 APDU
+ identification trace logging { 0:255 }
* int trace.modules.latency.all: enable all trace options { 0:255 }
* int trace.modules.react.all: enable all trace options { 0:255 }
* int trace.modules.rna.all: enable all trace options { 0:255 }
Configuration:
- * bool mpls.enable_mpls_multicast = false: enables support for MPLS
- multicast
- * bool mpls.enable_mpls_overlapping_ip = false: enable if private
- network addresses overlap and must be differentiated by MPLS
- label(s)
- * int mpls.max_mpls_stack_depth = -1: set MPLS stack depth { -1:255
- }
- * enum mpls.mpls_payload_type = ip4: set encapsulated payload type
- { eth | ip4 | ip6 }
+ * int mpls.max_stack_depth = -1: set maximum MPLS stack depth {
+ -1:255 }
+ * enum mpls.payload_type = auto: force encapsulated payload type {
+ auto | eth | ip4 | ip6 }
Rules:
* 116:170 (mpls) bad MPLS frame
- * 116:171 (mpls) MPLS label 0 appears in non-bottom header
+ * 116:171 (mpls) MPLS label 0 appears in bottom header when not
+ decoding as ip4
* 116:172 (mpls) MPLS label 1 appears in bottom header
- * 116:173 (mpls) MPLS label 2 appears in non-bottom header
+ * 116:173 (mpls) MPLS label 2 appears in bottom header when not
+ decoding as ip6
* 116:174 (mpls) MPLS label 3 appears in header
* 116:175 (mpls) MPLS label 4, 5,.. or 15 appears in header
* 116:176 (mpls) too many MPLS headers
-Peg counts:
-
- * mpls.total_packets: total mpls labeled packets processed (sum)
- * mpls.total_bytes: total mpls labeled bytes processed (sum)
-
3.19. pbb
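Review bot: this hunk makes three compatibility-relevant changes that the text does not flag. First, the mpls configuration keys are renamed (mpls.max_mpls_stack_depth becomes mpls.max_stack_depth, mpls.mpls_payload_type becomes mpls.payload_type with the default moving from ip4 to auto) and enable_mpls_multicast and enable_mpls_overlapping_ip are dropped; a snort.lua that still sets the old keys needs updating, and the text should state the new names and whether the packets.mpls_agnostic switch added elsewhere in this diff now covers the overlapping-IP case. Second, events 116:171 and 116:173 keep their GID:SID but change their condition ("appears in non-bottom header" becomes "appears in bottom header when not decoding as ip4" / "as ip6"), so any threshold or suppression keyed on those SIDs now applies to a different condition and the release notes should say so. Third, the mpls.total_packets and mpls.total_bytes peg counts are removed with no successor named, which silently breaks statistics consumers that read them.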
time
* 121:26 (http2_inspect) invalid parameter value sent in HTTP/2
settings frame
+ * 121:27 (http2_inspect) excessive concurrent HTTP/2 streams
+ * 121:28 (http2_inspect) invalid HTTP/2 rst stream frame
+ * 121:29 (http2_inspect) HTTP/2 rst stream frame sent at invalid
+ time
Peg counts:
transfers per HTTP/2 connection (max)
* http2_inspect.total_bytes: total HTTP/2 data bytes inspected
(sum)
+ * http2_inspect.max_concurrent_streams: maximum concurrent streams
+ per HTTP/2 connection (max)
+ * http2_inspect.flows_over_stream_limit: HTTP/2 flows exceeding 100
+ concurrent streams (sum)
5.24. http_inspect
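Review bot: the new event 121:27 (excessive concurrent HTTP/2 streams) and the peg http2_inspect.flows_over_stream_limit hard-code the threshold as 100 in the peg description, yet no http2_inspect configuration parameter for that limit appears in this diff; the manual should state whether 100 is fixed or tunable, and the event text should name the limit so analysts can correlate the alert with the peg. Likewise 121:29 ("rst stream frame sent at invalid time") would be clearer with a phrase saying what counts as an invalid time, since the inspector is the only place that definition lives.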
response bodies
* bool http_inspect.decompress_zip = false: decompress zip files in
response bodies
- * bool http_inspect.detained_inspection = false: store-and-forward
- as necessary to effectively block alerting JavaScript
+ * bool http_inspect.detained_inspection = false: obsolete, do not
+ configure
* bool http_inspect.script_detection = false: inspect JavaScript
immediately upon script end
* bool http_inspect.normalize_javascript = false: normalize
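Review bot: http_inspect.detained_inspection is kept but relabelled "obsolete, do not configure" rather than removed, which is the right call for backwards compatibility, but the entry should say what happens when it is still set (ignored, warned about, or rejected) and point to http_inspect.script_detection, which the surrounding lines and the redescribed partial_inspections peg ("early inspections done for script detection") present as the live mechanism. The matching peg changes later in this diff (http_inspect.detains_requested removed, partial_inspections reworded) belong in the same note so readers do not go looking for the old counter.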
* 119:2 (http_inspect) double decoding attack
* 119:3 (http_inspect) u encoding
* 119:4 (http_inspect) bare byte unicode encoding
- * 119:5 (http_inspect) obsolete event—deleted
* 119:6 (http_inspect) UTF-8 encoding
* 119:7 (http_inspect) unicode map code point encoding in URI
* 119:8 (http_inspect) multi_slash encoding
CR
* 119:14 (http_inspect) non-RFC defined char
* 119:15 (http_inspect) oversize request-uri directory
- * 119:16 (http_inspect) oversize chunk encoding
- * 119:17 (http_inspect) unauthorized proxy use detected
* 119:18 (http_inspect) webroot directory traversal
* 119:19 (http_inspect) long header
* 119:20 (http_inspect) max header fields
* 119:21 (http_inspect) multiple content length
- * 119:22 (http_inspect) obsolete event—deleted
- * 119:23 (http_inspect) invalid IP in true-client-IP/XFF header
- * 119:24 (http_inspect) multiple host hdrs detected
- * 119:25 (http_inspect) hostname exceeds 255 characters
- * 119:26 (http_inspect) too much whitespace in header (not
- implemented yet)
- * 119:27 (http_inspect) client consecutive small chunk sizes
+ * 119:24 (http_inspect) Host header field appears more than once or
+ has multiple values
* 119:28 (http_inspect) POST or PUT w/o content-length or chunks
- * 119:29 (http_inspect) multiple true ips in a session
- * 119:30 (http_inspect) both true-client-IP and XFF hdrs present
* 119:31 (http_inspect) unknown method
* 119:32 (http_inspect) simple request
* 119:33 (http_inspect) unescaped space in HTTP URI
* 119:34 (http_inspect) too many pipelined requests
- * 119:101 (http_inspect) obsolete event—deleted
* 119:102 (http_inspect) invalid status code in HTTP response
- * 119:103 (http_inspect) unused event number—should not appear
* 119:104 (http_inspect) HTTP response has UTF charset that failed
to normalize
* 119:105 (http_inspect) HTTP response has UTF-7 charset
- * 119:106 (http_inspect) HTTP response gzip decompression failed
- * 119:107 (http_inspect) server consecutive small chunk sizes
- * 119:108 (http_inspect) unused event number—should not appear
* 119:109 (http_inspect) javascript obfuscation levels exceeds 1
* 119:110 (http_inspect) javascript whitespaces exceeds max allowed
* 119:111 (http_inspect) multiple encodings within javascript
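Review bot: this hunk and the one above drop fifteen documented http_inspect events (119:5, 119:16, 119:17, 119:22, 119:23, 119:25, 119:26, 119:27, 119:29, 119:30, 119:101, 119:103, 119:106, 119:107, 119:108) and reword 119:24. Two things to settle: the previous convention for retired numbers was to keep a placeholder line marked obsolete, as 119:5 and 119:22 had, so either apply that consistently or state in the section that unlisted SIDs in GID 119 are no longer generated; and 119:23, 119:29 and 119:30 covered true-client-IP / XFF handling while 119:106 covered gzip decompression failure, so if those checks moved to other event ids the new ids belong here, and if they were dropped, local rule sets that suppress or escalate on them need a migration note.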
(now)
* http_inspect.max_concurrent_sessions: maximum concurrent http
sessions (max)
- * http_inspect.detains_requested: packet hold requests for detained
- inspection (sum)
* http_inspect.script_detections: early inspections of scripts in
HTTP responses (sum)
- * http_inspect.partial_inspections: pre-inspections for detained
- inspection (sum)
+ * http_inspect.partial_inspections: early inspections done for
+ script detection (sum)
* http_inspect.excess_parameters: repeat parameters exceeding max
(sum)
* http_inspect.parameters: HTTP parameters inspected (sum)
* http_inspect.total_bytes: total HTTP data bytes inspected (sum)
-5.25. imap
+5.25. iec104
+
+--------------
+
+Help: iec104 inspection
+
+Type: inspector (service)
+
+Usage: inspect
+
+Instance Type: multiton
+
+Rules:
+
+ * 151:1 (iec104) (spp_iec104): Length in IEC104 APCI header does
+ not match the length needed for the given IEC104 ASDU type id.
+ * 151:2 (iec104) (spp_iec104): IEC104 Start byte does not match
+ 0x68.
+ * 151:3 (iec104) (spp_iec104): Reserved IEC104 ASDU type id in use.
+ * 151:4 (iec104) (spp_iec104): IEC104 APCI U Reserved field
+ contains a non-default value.
+ * 151:5 (iec104) (spp_iec104): IEC104 APCI U message type was set
+ to an invalid value.
+ * 151:6 (iec104) (spp_iec104): IEC104 APCI S Reserved field
+ contains a non-default value.
+ * 151:7 (iec104) (spp_iec104): IEC104 APCI I number of elements set
+ to zero.
+ * 151:8 (iec104) (spp_iec104): IEC104 APCI I SQ bit set on an ASDU
+ that does not support the feature.
+ * 151:9 (iec104) (spp_iec104): IEC104 APCI I number of elements set
+ to greater than one on an ASDU that does not support the feature.
+ * 151:10 (iec104) (spp_iec104): IEC104 APCI I Cause of
+ Initialization set to a reserved value.
+ * 151:11 (iec104) (spp_iec104): IEC104 APCI I Qualifier of
+ Interrogation Command set to a reserved value.
+ * 151:12 (iec104) (spp_iec104): IEC104 APCI I Qualifier of Counter
+ Interrogation Command request parameter set to a reserved value.
+ * 151:13 (iec104) (spp_iec104): IEC104 APCI I Qualifier of
+ Parameter of Measured Values kind of parameter set to a reserved
+ value.
+ * 151:14 (iec104) (spp_iec104): IEC104 APCI I Qualifier of
+ Parameter of Measured Values local parameter change set to a
+ technically valid but unused value.
+ * 151:15 (iec104) (spp_iec104): IEC104 APCI I Qualifier of
+ Parameter of Measured Values parameter option set to a
+ technically valid but unused value.
+ * 151:16 (iec104) (spp_iec104): IEC104 APCI I Qualifier of
+ Parameter Activation set to a reserved value.
+ * 151:17 (iec104) (spp_iec104): IEC104 APCI I Qualifier of Command
+ set to a reserved value.
+ * 151:18 (iec104) (spp_iec104): IEC104 APCI I Qualifier of Reset
+ Process set to a reserved value.
+ * 151:19 (iec104) (spp_iec104): IEC104 APCI I File Ready Qualifier
+ set to a reserved value.
+ * 151:20 (iec104) (spp_iec104): IEC104 APCI I Section Ready
+ Qualifier set to a reserved value.
+ * 151:21 (iec104) (spp_iec104): IEC104 APCI I Select and Call
+ Qualifier set to a reserved value.
+ * 151:22 (iec104) (spp_iec104): IEC104 APCI I Last Section or
+ Segment Qualifier set to a reserved value.
+ * 151:23 (iec104) (spp_iec104): IEC104 APCI I Acknowledge File or
+ Section Qualifier set to a reserved value.
+ * 151:24 (iec104) (spp_iec104): IEC104 APCI I Structure Qualifier
+ set on a message where it should have no effect.
+ * 151:25 (iec104) (spp_iec104): IEC104 APCI I Single Point
+ Information Reserved field contains a non-default value.
+ * 151:26 (iec104) (spp_iec104): IEC104 APCI I Double Point
+ Information Reserved field contains a non-default value.
+ * 151:27 (iec104) (spp_iec104): IEC104 APCI I Cause of Transmission
+ set to a reserved value.
+ * 151:28 (iec104) (spp_iec104): IEC104 APCI I Cause of Transmission
+ set to a value not allowed for the ASDU.
+ * 151:29 (iec104) (spp_iec104): IEC104 APCI I invalid two octet
+ common address value detected.
+ * 151:30 (iec104) (spp_iec104): IEC104 APCI I Quality Descriptor
+ Structure Reserved field contains a non-default value.
+ * 151:31 (iec104) (spp_iec104): IEC104 APCI I Quality Descriptor
+ for Events of Protection Equipment Structure Reserved field
+ contains a non-default value.
+ * 151:32 (iec104) (spp_iec104): IEC104 APCI I IEEE STD 754 value
+ results in NaN.
+ * 151:33 (iec104) (spp_iec104): IEC104 APCI I IEEE STD 754 value
+ results in infinity.
+ * 151:34 (iec104) (spp_iec104): IEC104 APCI I Single Event of
+ Protection Equipment Structure Reserved field contains a
+ non-default value.
+ * 151:35 (iec104) (spp_iec104): IEC104 APCI I Start Event of
+ Protection Equipment Structure Reserved field contains a
+ non-default value.
+ * 151:36 (iec104) (spp_iec104): IEC104 APCI I Output Circuit
+ Information Structure Reserved field contains a non-default
+ value.
+ * 151:37 (iec104) (spp_iec104): IEC104 APCI I Abnormal Fixed Test
+ Bit Pattern detected.
+ * 151:38 (iec104) (spp_iec104): IEC104 APCI I Single Command
+ Structure Reserved field contains a non-default value.
+ * 151:39 (iec104) (spp_iec104): IEC104 APCI I Double Command
+ Structure contains an invalid value.
+ * 151:40 (iec104) (spp_iec104): IEC104 APCI I Regulating Step
+ Command Structure Reserved field contains a non-default value.
+ * 151:41 (iec104) (spp_iec104): IEC104 APCI I Time2a Millisecond
+ set outside of the allowable range.
+ * 151:42 (iec104) (spp_iec104): IEC104 APCI I Time2a Minute set
+ outside of the allowable range.
+ * 151:43 (iec104) (spp_iec104): IEC104 APCI I Time2a Minute
+ Reserved field contains a non-default value.
+ * 151:44 (iec104) (spp_iec104): IEC104 APCI I Time2a Hours set
+ outside of the allowable range.
+ * 151:45 (iec104) (spp_iec104): IEC104 APCI I Time2a Hours Reserved
+ field contains a non-default value.
+ * 151:46 (iec104) (spp_iec104): IEC104 APCI I Time2a Day of Month
+ set outside of the allowable range.
+ * 151:47 (iec104) (spp_iec104): IEC104 APCI I Time2a Month set
+ outside of the allowable range.
+ * 151:48 (iec104) (spp_iec104): IEC104 APCI I Time2a Month Reserved
+ field contains a non-default value.
+ * 151:49 (iec104) (spp_iec104): IEC104 APCI I Time2a Year set
+ outside of the allowable range.
+ * 151:50 (iec104) (spp_iec104): IEC104 APCI I Time2a Year Reserved
+ field contains a non-default value.
+ * 151:51 (iec104) (spp_iec104): IEC104 APCI I a null Length of
+ Segment value has been detected.
+ * 151:52 (iec104) (spp_iec104): IEC104 APCI I an invalid Length of
+ Segment value has been detected.
+ * 151:53 (iec104) (spp_iec104): IEC104 APCI I Status of File set to
+ a reserved value.
+ * 151:54 (iec104) (spp_iec104): IEC104 APCI I Qualifier of Set
+ Point Command ql field set to a reserved value.
+
+Peg counts:
+
+ * iec104.sessions: total sessions processed (sum)
+ * iec104.frames: total IEC104 messages (sum)
+ * iec104.concurrent_sessions: total concurrent IEC104 sessions
+ (now)
+ * iec104.max_concurrent_sessions: maximum concurrent IEC104
+ sessions (max)
+
+
+5.26. imap
--------------
* imap.non_encoded_bytes: total non-encoded extracted bytes (sum)
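Review bot: every iec104 rule message carries the legacy "(spp_iec104):" prefix after the module tag, for example "151:1 (iec104) (spp_iec104): Length in IEC104 APCI header does not match the length needed for the given IEC104 ASDU type id."; that is the Snort 2 preprocessor name and no other module on this page uses such a prefix (compare "121:27 (http2_inspect) excessive concurrent HTTP/2 streams"), so drop it to keep alert output and the manual consistent. The new section also has no Configuration block, unlike the neighbouring inspectors, so a one-line statement that the inspector has no tunable parameters (or a list of them) would stop readers from assuming the block was omitted by mistake.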
-5.26. mem_test
+5.27. mem_test
--------------
* mem_test.packets: total packets (sum)
-5.27. modbus
+5.28. modbus
--------------
sessions (max)
-5.28. netflow
+5.29. netflow
--------------
* netflow.unique_flows: count of unique netflow flows (sum)
-5.29. normalizer
+5.30. normalizer
--------------
* normalizer.tcp_block: blocked segments (sum)
-5.30. null_trace_logger
+5.31. null_trace_logger
--------------
Instance Type: global
-5.31. packet_capture
+5.32. packet_capture
--------------
* bool packet_capture.enable = false: initially enable packet
dumping
* string packet_capture.filter: bpf filter to use for packet dump
+ * int packet_capture.group = -1: group filter to use for the packet
+ dump { -1:32767 }
Commands:
- * packet_capture.enable(filter): dump raw packets
+ * packet_capture.enable(filter, group): dump raw packets
* packet_capture.disable(): stop packet dump
Peg counts:
filter (sum)
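Review bot: the new packet_capture.group = -1 { -1:32767 } parameter and the enable(filter, group) command signature never say what a "group" is (a DAQ interface group id, a policy id, or something else) or what -1 selects, presumably no group filtering; spell that out, and state whether the old one-argument enable(filter) form keeps working so existing automation that drives the capture command does not break.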
-5.32. perf_monitor
+5.33. perf_monitor
--------------
by new flows (sum)
-5.33. pop
+5.34. pop
--------------
* pop.non_encoded_bytes: total non-encoded extracted bytes (sum)
-5.34. port_scan
+5.35. port_scan
--------------
to reduced memcap (sum)
-5.35. reputation
+5.36. reputation
--------------
Configuration:
* string reputation.blocklist: blocklist file name with IP lists
- * string reputation.blacklist: blacklist file name with IP lists
* string reputation.list_dir: directory for IP lists and manifest
file
* int reputation.memcap = 500: maximum total MB of memory allocated
* enum reputation.nested_ip = inner: IP to use when there is IP
encapsulation { inner|outer|all }
* enum reputation.priority = allowlist: defines priority when there
- is a decision conflict during run-time { blocklist|allowlist|
- blacklist|whitelist }
+ is a decision conflict during run-time { blocklist|allowlist }
* bool reputation.scan_local = false: inspect local address defined
in RFC 1918
* enum reputation.allow = do_not_block: specify the meaning of
- allowlist { do_not_block|trust|unblack }
- * enum reputation.white = do_not_block: specify the meaning of
- whitelist { do_not_block|trust|unblack }
+ allowlist { do_not_block|trust }
* string reputation.allowlist: allowlist file name with IP lists
- * string reputation.whitelist: whitelist file name with IP lists
Rules:
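Review bot: removing reputation.blacklist, reputation.whitelist, reputation.white and the blacklist / whitelist / unblack enum values is a hard break for any snort.lua still using the pre-rename spellings, and nothing in the entry says so; add a line mapping the old keys to their surviving counterparts (the descriptions show blacklist pairs with reputation.blocklist, whitelist with reputation.allowlist, and white with reputation.allow), and note that "unblack" has no equivalent in the new { do_not_block|trust } set, so a configuration that used it needs a decision rather than a rename.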
* reputation.trusted: number of packets trusted (sum)
* reputation.monitored: number of packets monitored (sum)
* reputation.memory_allocated: total memory allocated (sum)
+ * reputation.total_alerts: total alerts triggered (sum)
-5.36. rna
+5.37. rna
--------------
* rna.dhcp_info: count of new DHCP lease events received (sum)
-5.37. rpc_decode
+5.38. rpc_decode
--------------
sessions (max)
-5.38. s7commplus
+5.39. s7commplus
--------------
sessions (max)
-5.39. sip
+5.40. sip
--------------
* sip.code_9xx: 9xx (sum)
-5.40. smtp
+5.41. smtp
--------------
* smtp.non_encoded_bytes: total non-encoded extracted bytes (sum)
-5.41. so_proxy
+5.42. so_proxy
--------------
Instance Type: global
-5.42. ssh
+5.43. ssh
--------------
(max)
-5.43. ssl
+5.44. ssl
--------------
(max)
-5.44. stream
+5.45. stream
--------------
deleted by config reloads (sum)
-5.45. stream_file
+5.46. stream_file
--------------
* bool stream_file.upload = false: indicate file transfer direction
-5.46. stream_icmp
+5.47. stream_icmp
--------------
* stream_icmp.prunes: icmp session prunes (sum)
-5.47. stream_ip
+5.48. stream_ip
--------------
* stream_ip.fragmented_bytes: total fragmented bytes (sum)
-5.48. stream_tcp
+5.49. stream_tcp
--------------
service stream splitter (sum)
-5.49. stream_udp
+5.50. stream_udp
--------------
* stream_udp.ignored: udp packets ignored (sum)
-5.50. stream_user
+5.51. stream_user
--------------
1:max31 }
-5.51. telnet
+5.52. telnet
--------------
sessions (max)
-5.52. wizard
+5.53. wizard
--------------
* string wizard.spells[].to_client[].spell: sequence of data with
wild cards (*)
* multi wizard.curses: enable service identification based on
- internal algorithm { dce_smb | dce_udp | dce_tcp }
+ internal algorithm { dce_smb | dce_udp | dce_tcp | sslv2 }
Peg counts:
}
-7.71. ip_proto
+7.71. iec104_apci_type
+
+--------------
+
+Help: rule option to check iec104 apci type
+
+Type: ips_option
+
+Usage: detect
+
+Configuration:
+
+ * string iec104_apci_type.~: APCI type to match
+
+
+7.72. iec104_asdu_func
+
+--------------
+
+Help: rule option to check iec104 function code
+
+Type: ips_option
+
+Usage: detect
+
+Configuration:
+
+ * string iec104_asdu_func.~: function code to match
+
+
+7.73. ip_proto
--------------
* string ip_proto.~proto: [!|>|<] name or number
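Review bot: the two new rule options iec104_apci_type and iec104_asdu_func document their argument only as "APCI type to match" and "function code to match", with no list of accepted names and no statement of whether numeric values are allowed alongside names; modbus_func.~ and s7commplus_func.~ on this page have the same gap, but for a new option the accepted value set should be spelled out so rule authors do not have to read the inspector source to write a matching rule.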
-7.72. ipopts
+7.74. ipopts
--------------
lsrre|ssrr|satid|any }
-7.73. isdataat
+7.75. isdataat
--------------
buffer
-7.74. itype
+7.76. itype
--------------
0:255 }
-7.75. md5
+7.77. md5
--------------
of buffer
-7.76. metadata
+7.78. metadata
--------------
pairs
-7.77. modbus_data
+7.79. modbus_data
--------------
Usage: detect
-7.78. modbus_func
+7.80. modbus_func
--------------
* string modbus_func.~: function code to match
-7.79. modbus_unit
+7.81. modbus_unit
--------------
* int modbus_unit.~: Modbus unit ID { 0:255 }
-7.80. msg
+7.82. msg
--------------
* string msg.~: message describing rule
-7.81. mss
+7.83. mss
--------------
}
-7.82. pcre
+7.84. pcre
--------------
* pcre.pcre_negated: total pcre rules using negation syntax (sum)
-7.83. pkt_data
+7.85. pkt_data
--------------
Usage: detect
-7.84. pkt_num
+7.86. pkt_num
--------------
{ 1: }
-7.85. priority
+7.87. priority
--------------
1:max31 }
-7.86. raw_data
+7.88. raw_data
--------------
Usage: detect
-7.87. reference
+7.89. reference
--------------
* string reference.~ref: reference: <scheme>,<id>
-7.88. regex
+7.90. regex
--------------
instead of start of buffer
-7.89. rem
+7.91. rem
--------------
* string rem.~: comment
-7.90. replace
+7.92. replace
--------------
* string replace.~: byte code to replace with
-7.91. rev
+7.93. rev
--------------
* int rev.~: revision { 1:max32 }
-7.92. rpc
+7.94. rpc
--------------
* string rpc.~proc: procedure number or * for any
-7.93. s7commplus_content
+7.95. s7commplus_content
--------------
Usage: detect
-7.94. s7commplus_func
+7.96. s7commplus_func
--------------
* string s7commplus_func.~: function code to match
-7.95. s7commplus_opcode
+7.97. s7commplus_opcode
--------------
* string s7commplus_opcode.~: opcode code to match
-7.96. sd_pattern
+7.98. sd_pattern
--------------
* sd_pattern.terminated: hyperscan terminated (sum)
-7.97. seq
+7.99. seq
--------------
range { 0: }
-7.98. service
+7.100. service
--------------
* string service.*: one or more comma-separated service names
-7.99. sha256
+7.101. sha256
--------------
start of buffer
-7.100. sha512
+7.102. sha512
--------------
start of buffer
-7.101. sid
+7.103. sid
--------------
* int sid.~: signature id { 1:max32 }
-7.102. sip_body
+7.104. sip_body
--------------
Usage: detect
-7.103. sip_header
+7.105. sip_header
--------------
Usage: detect
-7.104. sip_method
+7.106. sip_method
--------------
* string sip_method.*method: sip method
-7.105. sip_stat_code
+7.107. sip_stat_code
--------------
* int sip_stat_code.*code: status code { 1:999 }
-7.106. so
+7.108. so
--------------
buffer
-7.107. soid
+7.109. soid
--------------
like 3_45678_9
-7.108. ssl_state
+7.110. ssl_state
--------------
unknown
-7.109. ssl_version
+7.111. ssl_version
--------------
tls1.2
-7.110. stream_reassemble
+7.112. stream_reassemble
--------------
remainder of the session
-7.111. stream_size
+7.113. stream_size
--------------
direction(s) { either|to_server|to_client|both }
-7.112. tag
+7.114. tag
--------------
* int tag.bytes: tag for this many bytes { 1:max32 }
-7.113. target
+7.115. target
--------------
dst_ip }
-7.114. tos
+7.116. tos
--------------
* interval tos.~range: check if IP TOS is in given range { 0:255 }
-7.115. ttl
+7.117. ttl
--------------
0:255 }
-7.116. urg
+7.118. urg
--------------
{ 0:65535 }
-7.117. window
+7.119. window
--------------
range { 0:65535 }
-7.118. wscale
+7.120. wscale
--------------
* --stdin-rules read rules from stdin until EOF or a line starting
with END is read
* --talos enable Talos tweak (same as --tweaks talos)
- * --treat-drop-as-alert converts drop, block, and reset rules into
- alert rules when loaded
- * --treat-drop-as-ignore use drop, block, and reset rules to ignore
- session traffic when not inline
* --tweaks tune configuration
* --version show version number (same as -V)
* --warn-all enable all warnings
response bodies
* bool http_inspect.decompress_zip = false: decompress zip files in
response bodies
- * bool http_inspect.detained_inspection = false: store-and-forward
- as necessary to effectively block alerting JavaScript
+ * bool http_inspect.detained_inspection = false: obsolete, do not
+ configure
* string http_inspect.ignore_unreserved: do not alert when the
specified unreserved characters are percent-encoded in a
URI.Unreserved characters are 0-9, a-z, A-Z, period, underscore,
0:255 }
* interval id.~range: check if the IP ID is in the given range { 0:
}
+ * string iec104_apci_type.~: APCI type to match
+ * string iec104_asdu_func.~: function code to match
* int imap.b64_decode_depth = -1: base64 decoding depth (-1 no
limit) { -1:65535 }
* int imap.bitenc_decode_depth = -1: non-Encoded MIME attachment
pairs
* string modbus_func.~: function code to match
* int modbus_unit.~: Modbus unit ID { 0:255 }
- * bool mpls.enable_mpls_multicast = false: enables support for MPLS
- multicast
- * bool mpls.enable_mpls_overlapping_ip = false: enable if private
- network addresses overlap and must be differentiated by MPLS
- label(s)
- * int mpls.max_mpls_stack_depth = -1: set MPLS stack depth { -1:255
- }
- * enum mpls.mpls_payload_type = ip4: set encapsulated payload type
- { eth | ip4 | ip6 }
+ * int mpls.max_stack_depth = -1: set maximum MPLS stack depth {
+ -1:255 }
+ * enum mpls.payload_type = auto: force encapsulated payload type {
+ auto | eth | ip4 | ip6 }
* string msg.~: message describing rule
* interval mss.~range: check if TCP MSS is in given range { 0:65535
}
* bool packet_capture.enable = false: initially enable packet
dumping
* string packet_capture.filter: bpf filter to use for packet dump
+ * int packet_capture.group = -1: group filter to use for the packet
+ dump { -1:32767 }
* bool packets.address_space_agnostic = false: determines whether
DAQ address space info is used to track fragments and connections
* string packets.bpf_file: file with BPF to select traffic for
Snort
* int packets.limit = 0: maximum number of packets to process
before stopping (0 is unlimited) { 0:max53 }
+ * bool packets.mpls_agnostic = true: determines whether MPLS labels
+ are used to track fragments and connections
* int packets.skip = 0: number of packets to skip before before
processing { 0:max53 }
- * bool packets.vlan_agnostic = false: determines whether VLAN info
- is used to track fragments and connections
+ * bool packets.vlan_agnostic = false: determines whether VLAN tags
+ are used to track fragments and connections
* bool packet_tracer.enable = false: enable summary output of state
that determined packet verdict
* enum packet_tracer.output = console: select where to send packet
* string rem.~: comment
* string replace.~: byte code to replace with
* enum reputation.allow = do_not_block: specify the meaning of
- allowlist { do_not_block|trust|unblack }
+ allowlist { do_not_block|trust }
* string reputation.allowlist: allowlist file name with IP lists
- * string reputation.blacklist: blacklist file name with IP lists
* string reputation.blocklist: blocklist file name with IP lists
* string reputation.list_dir: directory for IP lists and manifest
file
* enum reputation.nested_ip = inner: IP to use when there is IP
encapsulation { inner|outer|all }
* enum reputation.priority = allowlist: defines priority when there
- is a decision conflict during run-time { blocklist|allowlist|
- blacklist|whitelist }
+ is a decision conflict during run-time { blocklist|allowlist }
* bool reputation.scan_local = false: inspect local address defined
in RFC 1918
- * enum reputation.white = do_not_block: specify the meaning of
- whitelist { do_not_block|trust|unblack }
- * string reputation.whitelist: whitelist file name with IP lists
* int rev.~: revision { 1:max32 }
* bool rewrite.disable_replace = false: disable replace of packet
contents with rewrite rules
talos)
* string snort.-t: <dir> chroots process to <dir> after
initialization
- * implied snort.--treat-drop-as-alert: converts drop, block, and
- reset rules into alert rules when loaded
- * implied snort.--treat-drop-as-ignore: use drop, block, and reset
- rules to ignore session traffic when not inline
* implied snort.-T: test and report on the current Snort
configuration
* string snort.--tweaks: tune configuration
* int trace.modules.dpx.all: enable all trace options { 0:255 }
* int trace.modules.gtp_inspect.all: enable all trace options {
0:255 }
+ * int trace.modules.iec104.all: enable all trace options { 0:255 }
+ * int trace.modules.iec104.identification: enable IEC104 APDU
+ identification trace logging { 0:255 }
* int trace.modules.latency.all: enable all trace options { 0:255 }
* int trace.modules.react.all: enable all trace options { 0:255 }
* int trace.modules.rna.all: enable all trace options { 0:255 }
* interval window.~range: check if TCP window size is in given
range { 0:65535 }
* multi wizard.curses: enable service identification based on
- internal algorithm { dce_smb | dce_udp | dce_tcp }
+ internal algorithm { dce_smb | dce_udp | dce_tcp | sslv2 }
* bool wizard.hexes[].client_first = true: which end initiates data
transfer
* select wizard.hexes[].proto = tcp: protocol to scan { tcp | udp }
* http2_inspect.concurrent_sessions: total concurrent HTTP/2
sessions (now)
* http2_inspect.flows: HTTP/2 connections inspected (sum)
+ * http2_inspect.flows_over_stream_limit: HTTP/2 flows exceeding 100
+ concurrent streams (sum)
* http2_inspect.max_concurrent_files: maximum concurrent file
transfers per HTTP/2 connection (max)
* http2_inspect.max_concurrent_sessions: maximum concurrent HTTP/2
sessions (max)
+ * http2_inspect.max_concurrent_streams: maximum concurrent streams
+ per HTTP/2 connection (max)
* http2_inspect.max_table_entries: maximum entries in an HTTP/2
dynamic table (max)
* http2_inspect.total_bytes: total HTTP/2 data bytes inspected
* http_inspect.connect_tunnel_cutovers: CONNECT tunnel flow
cutovers to wizard (sum)
* http_inspect.delete_requests: DELETE requests inspected (sum)
- * http_inspect.detains_requested: packet hold requests for detained
- inspection (sum)
* http_inspect.excess_parameters: repeat parameters exceeding max
(sum)
* http_inspect.flows: HTTP connections inspected (sum)
* http_inspect.other_requests: other request methods inspected
(sum)
* http_inspect.parameters: HTTP parameters inspected (sum)
- * http_inspect.partial_inspections: pre-inspections for detained
- inspection (sum)
+ * http_inspect.partial_inspections: early inspections done for
+ script detection (sum)
* http_inspect.pipelined_flows: total HTTP connections containing
pipelined requests (sum)
* http_inspect.pipelined_requests: total requests placed in a
* icmp4.checksum_bypassed: checksum calculations bypassed (sum)
* icmp6.bad_icmp6_checksum: nonzero icmp6 checksums (sum)
* icmp6.checksum_bypassed: checksum calculations bypassed (sum)
+ * iec104.concurrent_sessions: total concurrent IEC104 sessions
+ (now)
+ * iec104.frames: total IEC104 messages (sum)
+ * iec104.max_concurrent_sessions: maximum concurrent IEC104
+ sessions (max)
+ * iec104.sessions: total sessions processed (sum)
* imap.b64_attachments: total base64 attachments decoded (sum)
* imap.b64_decoded_bytes: total base64 decoded bytes (sum)
* imap.concurrent_sessions: total concurrent imap sessions (now)
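Review bot: `iec104.frames: total IEC104 messages (sum)` uses "frames" in the name and "messages" in the description, and the new inspector section in this same patch says a message can span several frames or a frame can carry several messages, so the two are not interchangeable here; state which unit this counter actually counts (APDUs after reassembly, or raw frames) and align the name with it.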
* modbus.max_concurrent_sessions: maximum concurrent modbus
sessions (max)
* modbus.sessions: total sessions processed (sum)
- * mpls.total_bytes: total mpls labeled bytes processed (sum)
- * mpls.total_packets: total mpls labeled packets processed (sum)
* netflow.invalid_netflow_pkts: count of invalid netflow packets
(sum)
* netflow.packets: total packets processed (sum)
* reputation.memory_allocated: total memory allocated (sum)
* reputation.monitored: number of packets monitored (sum)
* reputation.packets: total packets processed (sum)
+ * reputation.total_alerts: total alerts triggered (sum)
* reputation.trusted: number of packets trusted (sum)
* rna.appid_change: count of appid change events received (sum)
* rna.change_host_update: count number of change host update events
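Review bot: `mpls.total_bytes` and `mpls.total_packets` are removed with nothing added in their place, and the same patch rewords the 116:171/116:173 MPLS events, which suggests the MPLS decoder was reworked; if these counts moved to another module's pegs, point readers there, and if they are simply gone, say so, since perf_monitor consumers will otherwise just lose the columns without explanation.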
* 148: cip
* 149: s7commplus
* 150: file_id
+ * 151: iec104
* 175: domain_filter
* 256: dpx
* 116:164 (gre) invalid GRE v.1 PPTP header
* 116:165 (gre) GRE trans header length > payload length
* 116:170 (mpls) bad MPLS frame
- * 116:171 (mpls) MPLS label 0 appears in non-bottom header
+ * 116:171 (mpls) MPLS label 0 appears in bottom header when not
+ decoding as ip4
* 116:172 (mpls) MPLS label 1 appears in bottom header
- * 116:173 (mpls) MPLS label 2 appears in non-bottom header
+ * 116:173 (mpls) MPLS label 2 appears in bottom header when not
+ decoding as ip6
* 116:174 (mpls) MPLS label 3 appears in header
* 116:175 (mpls) MPLS label 4, 5,.. or 15 appears in header
* 116:176 (mpls) too many MPLS headers
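Review bot: the new text for 116:171 and 116:173 changes the condition, not just the wording: "label 0 appears in non-bottom header" becomes "label 0 appears in bottom header when not decoding as ip4" (and likewise label 2 / ip6). Since labels 0 and 2 are the IPv4 and IPv6 explicit-null labels that are only legitimate at the bottom of the stack, the new description is the sensible one, but existing suppressions or thresholds keyed to these two SIDs now cover a different event; a short changelog line saying the semantics of 116:171 and 116:173 changed would save users a surprise.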
* 119:2 (http_inspect) double decoding attack
* 119:3 (http_inspect) u encoding
* 119:4 (http_inspect) bare byte unicode encoding
- * 119:5 (http_inspect) obsolete event—deleted
* 119:6 (http_inspect) UTF-8 encoding
* 119:7 (http_inspect) unicode map code point encoding in URI
* 119:8 (http_inspect) multi_slash encoding
CR
* 119:14 (http_inspect) non-RFC defined char
* 119:15 (http_inspect) oversize request-uri directory
- * 119:16 (http_inspect) oversize chunk encoding
- * 119:17 (http_inspect) unauthorized proxy use detected
* 119:18 (http_inspect) webroot directory traversal
* 119:19 (http_inspect) long header
* 119:20 (http_inspect) max header fields
* 119:21 (http_inspect) multiple content length
- * 119:22 (http_inspect) obsolete event—deleted
- * 119:23 (http_inspect) invalid IP in true-client-IP/XFF header
- * 119:24 (http_inspect) multiple host hdrs detected
- * 119:25 (http_inspect) hostname exceeds 255 characters
- * 119:26 (http_inspect) too much whitespace in header (not
- implemented yet)
- * 119:27 (http_inspect) client consecutive small chunk sizes
+ * 119:24 (http_inspect) Host header field appears more than once or
+ has multiple values
* 119:28 (http_inspect) POST or PUT w/o content-length or chunks
- * 119:29 (http_inspect) multiple true ips in a session
- * 119:30 (http_inspect) both true-client-IP and XFF hdrs present
* 119:31 (http_inspect) unknown method
* 119:32 (http_inspect) simple request
* 119:33 (http_inspect) unescaped space in HTTP URI
* 119:34 (http_inspect) too many pipelined requests
- * 119:101 (http_inspect) obsolete event—deleted
* 119:102 (http_inspect) invalid status code in HTTP response
- * 119:103 (http_inspect) unused event number—should not appear
* 119:104 (http_inspect) HTTP response has UTF charset that failed
to normalize
* 119:105 (http_inspect) HTTP response has UTF-7 charset
- * 119:106 (http_inspect) HTTP response gzip decompression failed
- * 119:107 (http_inspect) server consecutive small chunk sizes
- * 119:108 (http_inspect) unused event number—should not appear
* 119:109 (http_inspect) javascript obfuscation levels exceeds 1
* 119:110 (http_inspect) javascript whitespaces exceeds max allowed
* 119:111 (http_inspect) multiple encodings within javascript
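Review bot: dropping the "obsolete event" and "unused event number" placeholders (119:5, 119:22, 119:101, 119:103, 119:108) is fine, but the hunk also deletes real events (119:16, 119:17, 119:23, 119:25, 119:26, 119:27, 119:29, 119:30, 119:106, 119:107) without stating whether they are retired, renumbered, or still emitted and merely undocumented. Two of them still have live prose in the manual: 6.10.2.8 xff_headers still discusses "true-client-ip" when both headers are present, yet 119:30 "both true-client-IP and XFF hdrs present" is gone, and 6.10.2.3 gzip still describes decompression but 119:106 "HTTP response gzip decompression failed" is gone. Either restore the entries or add a sentence in the manual saying these SIDs no longer fire.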
time
* 121:26 (http2_inspect) invalid parameter value sent in HTTP/2
settings frame
+ * 121:27 (http2_inspect) excessive concurrent HTTP/2 streams
+ * 121:28 (http2_inspect) invalid HTTP/2 rst stream frame
+ * 121:29 (http2_inspect) HTTP/2 rst stream frame sent at invalid
+ time
* 122:1 (port_scan) TCP portscan
* 122:2 (port_scan) TCP decoy portscan
* 122:3 (port_scan) TCP portsweep
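Review bot: 121:27 "excessive concurrent HTTP/2 streams" does not say what "excessive" means, while the matching peg added in this patch (`http2_inspect.flows_over_stream_limit`) pins it at 100 concurrent streams; put the threshold (and whether it is configurable) in the event text or in the http2_inspect section so the two stay consistent and a rule writer knows when to expect the alert.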
* 149:2 (s7commplus) S7commplus protocol ID is non-zero
* 149:3 (s7commplus) reserved S7commplus function code in use
* 150:1 (file_id) file not processed due to per flow limit
+ * 151:1 (iec104) (spp_iec104): Length in IEC104 APCI header does
+ not match the length needed for the given IEC104 ASDU type id.
+ * 151:2 (iec104) (spp_iec104): IEC104 Start byte does not match
+ 0x68.
+ * 151:3 (iec104) (spp_iec104): Reserved IEC104 ASDU type id in use.
+ * 151:4 (iec104) (spp_iec104): IEC104 APCI U Reserved field
+ contains a non-default value.
+ * 151:5 (iec104) (spp_iec104): IEC104 APCI U message type was set
+ to an invalid value.
+ * 151:6 (iec104) (spp_iec104): IEC104 APCI S Reserved field
+ contains a non-default value.
+ * 151:7 (iec104) (spp_iec104): IEC104 APCI I number of elements set
+ to zero.
+ * 151:8 (iec104) (spp_iec104): IEC104 APCI I SQ bit set on an ASDU
+ that does not support the feature.
+ * 151:9 (iec104) (spp_iec104): IEC104 APCI I number of elements set
+ to greater than one on an ASDU that does not support the feature.
+ * 151:10 (iec104) (spp_iec104): IEC104 APCI I Cause of
+ Initialization set to a reserved value.
+ * 151:11 (iec104) (spp_iec104): IEC104 APCI I Qualifier of
+ Interrogation Command set to a reserved value.
+ * 151:12 (iec104) (spp_iec104): IEC104 APCI I Qualifier of Counter
+ Interrogation Command request parameter set to a reserved value.
+ * 151:13 (iec104) (spp_iec104): IEC104 APCI I Qualifier of
+ Parameter of Measured Values kind of parameter set to a reserved
+ value.
+ * 151:14 (iec104) (spp_iec104): IEC104 APCI I Qualifier of
+ Parameter of Measured Values local parameter change set to a
+ technically valid but unused value.
+ * 151:15 (iec104) (spp_iec104): IEC104 APCI I Qualifier of
+ Parameter of Measured Values parameter option set to a
+ technically valid but unused value.
+ * 151:16 (iec104) (spp_iec104): IEC104 APCI I Qualifier of
+ Parameter Activation set to a reserved value.
+ * 151:17 (iec104) (spp_iec104): IEC104 APCI I Qualifier of Command
+ set to a reserved value.
+ * 151:18 (iec104) (spp_iec104): IEC104 APCI I Qualifier of Reset
+ Process set to a reserved value.
+ * 151:19 (iec104) (spp_iec104): IEC104 APCI I File Ready Qualifier
+ set to a reserved value.
+ * 151:20 (iec104) (spp_iec104): IEC104 APCI I Section Ready
+ Qualifier set to a reserved value.
+ * 151:21 (iec104) (spp_iec104): IEC104 APCI I Select and Call
+ Qualifier set to a reserved value.
+ * 151:22 (iec104) (spp_iec104): IEC104 APCI I Last Section or
+ Segment Qualifier set to a reserved value.
+ * 151:23 (iec104) (spp_iec104): IEC104 APCI I Acknowledge File or
+ Section Qualifier set to a reserved value.
+ * 151:24 (iec104) (spp_iec104): IEC104 APCI I Structure Qualifier
+ set on a message where it should have no effect.
+ * 151:25 (iec104) (spp_iec104): IEC104 APCI I Single Point
+ Information Reserved field contains a non-default value.
+ * 151:26 (iec104) (spp_iec104): IEC104 APCI I Double Point
+ Information Reserved field contains a non-default value.
+ * 151:27 (iec104) (spp_iec104): IEC104 APCI I Cause of Transmission
+ set to a reserved value.
+ * 151:28 (iec104) (spp_iec104): IEC104 APCI I Cause of Transmission
+ set to a value not allowed for the ASDU.
+ * 151:29 (iec104) (spp_iec104): IEC104 APCI I invalid two octet
+ common address value detected.
+ * 151:30 (iec104) (spp_iec104): IEC104 APCI I Quality Descriptor
+ Structure Reserved field contains a non-default value.
+ * 151:31 (iec104) (spp_iec104): IEC104 APCI I Quality Descriptor
+ for Events of Protection Equipment Structure Reserved field
+ contains a non-default value.
+ * 151:32 (iec104) (spp_iec104): IEC104 APCI I IEEE STD 754 value
+ results in NaN.
+ * 151:33 (iec104) (spp_iec104): IEC104 APCI I IEEE STD 754 value
+ results in infinity.
+ * 151:34 (iec104) (spp_iec104): IEC104 APCI I Single Event of
+ Protection Equipment Structure Reserved field contains a
+ non-default value.
+ * 151:35 (iec104) (spp_iec104): IEC104 APCI I Start Event of
+ Protection Equipment Structure Reserved field contains a
+ non-default value.
+ * 151:36 (iec104) (spp_iec104): IEC104 APCI I Output Circuit
+ Information Structure Reserved field contains a non-default
+ value.
+ * 151:37 (iec104) (spp_iec104): IEC104 APCI I Abnormal Fixed Test
+ Bit Pattern detected.
+ * 151:38 (iec104) (spp_iec104): IEC104 APCI I Single Command
+ Structure Reserved field contains a non-default value.
+ * 151:39 (iec104) (spp_iec104): IEC104 APCI I Double Command
+ Structure contains an invalid value.
+ * 151:40 (iec104) (spp_iec104): IEC104 APCI I Regulating Step
+ Command Structure Reserved field contains a non-default value.
+ * 151:41 (iec104) (spp_iec104): IEC104 APCI I Time2a Millisecond
+ set outside of the allowable range.
+ * 151:42 (iec104) (spp_iec104): IEC104 APCI I Time2a Minute set
+ outside of the allowable range.
+ * 151:43 (iec104) (spp_iec104): IEC104 APCI I Time2a Minute
+ Reserved field contains a non-default value.
+ * 151:44 (iec104) (spp_iec104): IEC104 APCI I Time2a Hours set
+ outside of the allowable range.
+ * 151:45 (iec104) (spp_iec104): IEC104 APCI I Time2a Hours Reserved
+ field contains a non-default value.
+ * 151:46 (iec104) (spp_iec104): IEC104 APCI I Time2a Day of Month
+ set outside of the allowable range.
+ * 151:47 (iec104) (spp_iec104): IEC104 APCI I Time2a Month set
+ outside of the allowable range.
+ * 151:48 (iec104) (spp_iec104): IEC104 APCI I Time2a Month Reserved
+ field contains a non-default value.
+ * 151:49 (iec104) (spp_iec104): IEC104 APCI I Time2a Year set
+ outside of the allowable range.
+ * 151:50 (iec104) (spp_iec104): IEC104 APCI I Time2a Year Reserved
+ field contains a non-default value.
+ * 151:51 (iec104) (spp_iec104): IEC104 APCI I a null Length of
+ Segment value has been detected.
+ * 151:52 (iec104) (spp_iec104): IEC104 APCI I an invalid Length of
+ Segment value has been detected.
+ * 151:53 (iec104) (spp_iec104): IEC104 APCI I Status of File set to
+ a reserved value.
+ * 151:54 (iec104) (spp_iec104): IEC104 APCI I Qualifier of Set
+ Point Command ql field set to a reserved value.
* 175:1 (domain_filter) configured domain detected
* 256:1 (dpx) too much data sent to port
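Review bot: every 151:x entry carries a "(spp_iec104):" prefix, which is Snort 2 preprocessor naming and appears in none of the neighbouring Snort 3 entries (compare 149:2, 150:1, 175:1); the module tag "(iec104)" already identifies the source, so drop the prefix and the trailing full stops for consistency with the rest of the list. Also, 151:1 refers to the "ASDU type id" while the rule option `iec104_asdu_func` added in the same patch calls the same byte a "function code"; pick one term for the reference.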
* host_cache.delete_client(host_ip, id, service, version): delete
client from host
* host_cache.get_stats(): get current host cache usage and pegs
- * packet_capture.enable(filter): dump raw packets
+ * packet_capture.enable(filter, group): dump raw packets
* packet_capture.disable(): stop packet dump
* packet_tracer.enable(proto, src_ip, src_port, dst_ip, dst_port):
enable packet tracer debugging
* snort.delete_inspector(inspector): delete an inspector from the
default policy
* snort.dump_stats(): show summary statistics
+ * snort.reset_stats(): clear summary statistics
* snort.rotate_stats(): roll perfmonitor log files
* snort.reload_config(filename): load new configuration
* snort.reload_policy(filename): reload part or all of the default
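Review bot: `packet_capture.enable(filter, group)` gains a `group` argument with no description of what it selects, what type it is, or whether it is optional; in particular it should say whether the existing one-argument form `packet_capture.enable(filter)` still works, since that is what scripts written against 3.1.1.0 call.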
* icmp_seq (ips_option): rule option to check ICMP sequence number
* icode (ips_option): rule option to check ICMP code
* id (ips_option): rule option to check the IP ID field
+ * iec104 (inspector): iec104 inspection
+ * iec104_apci_type (ips_option): rule option to check iec104 apci
+ type
+ * iec104_asdu_func (ips_option): rule option to check iec104
+ function code
* igmp (codec): support for Internet group management protocol
* imap (inspector): imap inspection
* inspection (basic): configure basic inspection policy parameters
* inspector::gtp_inspect: gtp control channel inspection
* inspector::http2_inspect: the HTTP/2 inspector
* inspector::http_inspect: the new HTTP inspector!
+ * inspector::iec104: iec104 inspection
* inspector::imap: imap inspection
* inspector::mem_test: for testing memory management
* inspector::modbus: modbus inspection
* ips_option::icmp_seq: rule option to check ICMP sequence number
* ips_option::icode: rule option to check ICMP code
* ips_option::id: rule option to check the IP ID field
+ * ips_option::iec104_apci_type: rule option to check iec104 apci
+ type
+ * ips_option::iec104_asdu_func: rule option to check iec104
+ function code
* ips_option::ip_proto: rule option to check the IP protocol number
* ips_option::ipopts: rule option to check for IP options
* ips_option::isdataat: rule option to check for the presence of
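Review bot: `iec104_asdu_func` is described as "rule option to check iec104 function code", but the protocol field it matches is the ASDU type identification (the examples in the manual use type-id mnemonics such as `M_SP_NA_1`, and the new 151:x events say "ASDU type id"); describe it as checking the ASDU type id, or state explicitly that "function" is being used as a synonym, so readers can map the option to the field in the packet.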
The Snort Team
Revision History
-Revision 3.1.1.0 2021-01-28 10:50:32 EST TST
+Revision 3.1.2.0 2021-03-11 14:56:53 EST TST
---------------------------------------------------------------------
6.9. FTP
6.10. HTTP Inspector
6.11. HTTP/2 Inspector
- 6.12. Performance Monitor
- 6.13. POP and IMAP
- 6.14. Port Scan
- 6.15. Sensitive Data Filtering
- 6.16. SMTP
- 6.17. Telnet
- 6.18. Trace
- 6.19. Wizard
+ 6.12. IEC104 Inspector
+ 6.13. Performance Monitor
+ 6.14. POP and IMAP
+ 6.15. Port Scan
+ 6.16. Sensitive Data Filtering
+ 6.17. SMTP
+ 6.18. Telnet
+ 6.19. Trace
+ 6.20. Wizard
7. DAQ Configuration and Modules
* Use --lua to specify one or more rules as a command line
argument.
+Ips states are similar to ips rules, except that they are parsed
+after the rules. That way rules can be overwritten in custom
+policies.
+
+States without the enable option are loaded as stub rules with
+default gid:0, sid:0. A user should specify gid, sid, enable options
+to avoid dummy rules.
+
Output Files
To make it simple to configure outputs when you run with multiple
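Review bot: in the new IPS states paragraph, "rules can be overwritten in custom policies" should read "overridden" (the rule text is not replaced, its state is), and "to avoid dummy rules" leaves the reader guessing what a gid:0, sid:0 stub rule does or why it is undesirable; say plainly that a state without gid and sid cannot be matched to any rule and is therefore useless. An example state line showing the gid, sid and enable options would make the paragraph actionable, since none is given.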
These limits have no effect on how much data is forwarded to file
processing.
-6.10.2.2. detained_inspection
-
-Detained inspection is an experimental feature currently under
-development. It enables Snort to more quickly detect and block
-response messages containing malicious JavaScript. As this feature
-involves actively blocking traffic it is designed for use with inline
-mode operation (-Q).
-
-This feature is off by default. detained_inspection = true will
-activate it.
-
-6.10.2.3. script_detection
+6.10.2.2. script_detection
-Script detection is an alternative to detained inspection. When
-http_inspect detects the end of a script it immediately forwards the
-available part of the message body for early detection. This enables
-malicious Javascripts to be detected more quickly but consumes
-somewhat more of the sensor’s resources.
+Script detection is a feature that enables Snort to more quickly
+detect and block response messages containing malicious JavaScript.
+When http_inspect detects the end of a script it immediately forwards
+the available part of the message body for early detection. This
+enables malicious Javascripts to be detected more quickly but
+consumes somewhat more of the sensor’s resources.
This feature is off by default. script_detection = true will activate
it.
-6.10.2.4. gzip
+6.10.2.3. gzip
http_inspect by default decompresses deflate and gzip message bodies
before inspecting them. This feature can be turned off by unzip =
meaningful inspection of message bodies will be possible. Effectively
HTTP processing would be limited to the headers.
-6.10.2.5. normalize_utf
+6.10.2.4. normalize_utf
http_inspect will decode utf-8, utf-7, utf-16le, utf-16be, utf-32le,
and utf-32be in response message bodies based on the Content-Type
header. This feature is on by default: normalize_utf = false will
deactivate it.
-6.10.2.6. decompress_pdf
+6.10.2.5. decompress_pdf
decompress_pdf = true will enable decompression of compressed
portions of PDF files encountered in a response body. http_inspect
content is decompressed and made available through the file data rule
option.
-6.10.2.7. decompress_swf
+6.10.2.6. decompress_swf
decompress_swf = true will enable decompression of compressed SWF
(Adobe Flash content) files encountered in a response body. The
through the file data rule option. The compressed SWF file signature
is converted to FWS to indicate an uncompressed file.
-6.10.2.8. normalize_javascript
+6.10.2.7. normalize_javascript
normalize_javascript = true will enable normalization of JavaScript
within the HTTP response body. http_inspect looks for JavaScript by
replaces consecutive whitespaces with a single space and normalizes
the plus by concatenating the strings.
-6.10.2.9. xff_headers
+6.10.2.8. xff_headers
This configuration supports defining custom x-forwarded-for type
headers. In a multi-vendor world, it is quite possible that the
"true-client-ip" if both headers are present in the stream. The
header names should be delimited by a space.
-6.10.2.10. URI processing
+6.10.2.9. URI processing
Normalization and inspection of the URI in the HTTP request message
is a key aspect of what http_inspect does. The best way to normalize
streams.
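Review bot: the rewritten 6.10.2.2 script_detection text inherits "detect and block response messages" from the removed detained_inspection section but drops that section's caveat that blocking only applies in inline mode (-Q); either restore the caveat or reword to "detect (and, inline, block)". The hunk also removes the `detained_inspection` parameter without telling existing users what happens to a `detained_inspection = true` still present in their snort.lua; one sentence stating that the option is removed would prevent confusion on upgrade.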
-6.12. Performance Monitor
+6.12. IEC104 Inspector
+
+--------------
+
+iec104 inspector is a service inspector for the IEC 60870-5-104
+protocol.
+
+6.12.1. Overview
+
+IEC 60870-5-104 (iec104) is a protocol distributed by the
+International Electrotechnical Commission (IEC) that provides a
+standardized method of sending telecontrol messages between central
+stations and outstations, typically running on TCP port 2404.
+
+It is used in combination with the companion specifications in the
+IEC 60870-5 family, most notably IEC 60870-5-101, to provide reliable
+transport via TCP/IP.
+
+An iec104 Application Protocol Data Unit (APDU) consists of one of
+three Application Protocol Control Information (APCI) structures,
+each beginning with the start byte 0x68. In the case of an
+Information Transfer APCI, an Application Service Data Unit (ASDU)
+follows the APCI.
+
+The iec104 inspector decodes the iec104 protocol and provides rule
+options to access certain protocol fields and data content. This
+allows the user to write rules for iec104 packets without decoding
+the protocol.
+
+6.12.2. Configuration
+
+iec104 messages can be normalized to either combine a message spread
+across multiple frames, or to split apart multiple messages within
+one frame. No manual configuration is necessary to leverage this
+functionality.
+
+6.12.3. Quick Guide
+
+A typical iec104 configuration looks like this:
+
+binder =
+{
+ {
+ when =
+ {
+ proto = 'tcp',
+ ports = '2404'
+ },
+ use =
+ {
+ type = 'iec104'
+ },
+ },
+}
+
+iec104 = { }
+
+In this example, the tcp inspector is defined based on port. All
+configurations are default.
+
+Debug logging can be enabled with the following additional
+configuration:
+
+trace =
+{
+ modules =
+ {
+ iec104 =
+ {
+ all = 1
+ }
+ }
+}
+
+6.12.4. Rule Options
+
+New rule options are supported by enabling the iec104 inspector:
+
+ * iec104_apci_type
+ * iec104_asdu_func
+
+6.12.4.1. iec104_apci_type
+
+Determining the APCI type of an iec104 message involves checking the
+state of one to two bits in the message’s first control field octet.
+This can be completed with a byte_test in a plaintext rule, however
+it adds unnecessary complexity to the rule. Since most rules
+inspecting iec104 traffic will target APCI Type I messages, this
+option was created to alleviate the need to manually check the type
+and subsequently reduce the complexity of the rule.
+
+This option takes one argument with three acceptable configurations.
+
+Examples:
+
+iec104_apci_type:unnumbered_control_function;
+iec104_apci_type:S;
+iec104_apci_type:i;
+
+This option is used to verify that the message being processed is of
+the specified type. The argument passed to this rule option can be
+specified in one of three ways: the full type name, the lowercase
+type abbreviation, or the uppercase type abbreviation.
+
+6.12.4.2. iec104_asdu_func
+
+Determining the ASDU function of an iec104 message can be completed
+with a plaintext rule that checks a single byte in the message,
+however it also requires verifying that the message’s APCI is of Type
+I. Since a rule writer may not necessarily know that this additional
+check must be made, this option was created to simplify the process
+of verifying the function type and subsequently reduce the complexity
+of the rule.
+
+This option takes one argument with two acceptable configurations.
+
+Examples:
+
+iec104_asdu_func:M_SP_NA_1;
+iec104_asdu_func:m_ps_na_1;
+
+This option is used to verify that the message being processed is
+using the specified ASDU function. The argument passed to this rule
+option can be specified in one of two ways: the uppercase function
+name, or the lowercase function name.
+
+
+6.13. Performance Monitor
--------------
being dropped without hitting a rule? perf_monitor! Why is a sensor
leaking water? Not perf_monitor, check with stream…
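Review bot: the second example in 6.12.4.2, `iec104_asdu_func:m_ps_na_1;`, transposes the mnemonic; the lowercase form of `M_SP_NA_1` is `m_sp_na_1`, and as written the example contradicts the sentence that follows it. In 6.12.3, "In this example, the tcp inspector is defined based on port" is wrong: the binder shown assigns the iec104 inspector to TCP port 2404, so it should read "the iec104 inspector is bound by port". In 6.12.4.1, "one argument with three acceptable configurations" conflates the three APCI types (I, S, U) with the three spellings; the examples `unnumbered_control_function`, `S` and `i` show one type in each spelling, so say that any of the three types may be given as the full name or as the upper- or lowercase letter. Finally, the overview's "used in combination with ... IEC 60870-5-101 to provide reliable transport via TCP/IP" reads backwards; IEC 60870-5-104 is the TCP/IP transport profile that carries the IEC 60870-5-101 application layer.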
-6.12.1. Overview
+6.13.1. Overview
The Snort performance monitor is the built-in utility for monitoring
system and traffic statistics. All statistics are separated by
processing thread. perf_monitor supports several trackers for
monitoring such data:
-6.12.2. Base Tracker
+6.13.2. Base Tracker
The base tracker is used to gather running statistics about Snort and
its running modules. All Snort modules gather, at the very least,
Note: Event stats from prior Snorts are now located within base
statistics.
-6.12.3. Flow Tracker
+6.13.3. Flow Tracker
Flow tracks statistics regarding traffic and L3/L4 protocol
distributions. This data can be used to build a profile of traffic
perf_monitor = { flow = true }
-6.12.4. FlowIP Tracker
+6.13.4. FlowIP Tracker
FlowIP provides statistics for individual hosts within a network.
This data can be used for identifying communication habits, such as
perf_monitor = { flow_ip = true }
-6.12.5. CPU Tracker
+6.13.5. CPU Tracker
This tracker monitors the CPU and wall time spent by a given
processing thread.
perf_monitor = { cpu = true }
-6.12.6. Formatters
+6.13.6. Formatters
Performance monitor allows statistics to be output in a few formats.
Along with human readable text (as seen at shutdown) and csv formats,
monitor or the code provided for fbstreamer.
-6.13. POP and IMAP
+6.14. POP and IMAP
--------------
POP inspector is a service inspector for POP3 protocol and IMAP
inspector is for IMAP4 protocol.
-6.13.1. Overview
+6.14.1. Overview
POP and IMAP inspectors examine data traffic and find POP and IMAP
commands and responses. The inspectors also identify the command,
appropriately. The pop and imap also identify and whitelist the pop
and imap traffic.
-6.13.2. Configuration
+6.14.2. Configuration
POP inspector and IMAP inspector offer same set of configuration
options for MIME decoding depth. These depths range from 0 to 65535
The depth limits apply per attachment. They are:
-6.13.2.1. b64_decode_depth
+6.14.2.1. b64_decode_depth
Set the base64 decoding depth used to decode the base64-encoded MIME
attachments.
-6.13.2.2. qp_decode_depth
+6.14.2.2. qp_decode_depth
Set the Quoted-Printable (QP) decoding depth used to decode
QP-encoded MIME attachments.
-6.13.2.3. bitenc_decode_depth
+6.14.2.3. bitenc_decode_depth
Set the non-encoded MIME extraction depth used for non-encoded MIME
attachments.
-6.13.2.4. uu_decode_depth
+6.14.2.4. uu_decode_depth
Set the Unix-to-Unix (UU) decoding depth used to decode UU-encoded
attachments.
-6.13.2.5. Examples
+6.14.2.5. Examples
stream = { }
}
-6.14. Port Scan
+6.15. Port Scan
--------------
A module to detect port scanning
-6.14.1. Overview
+6.15.1. Overview
This module is designed to detect the first phase in a network
attack: Reconnaissance. In the Reconnaissance phase, an attacker
triggered. Open port events are not individual alerts, but tags based
off the original scan alert.
-6.14.2. Scan levels
+6.15.2. Scan levels
There are 3 default scan levels that can be set.
monitoring, but is very sensitive to active hosts. This most
definitely will require the user to tune Portscan.
-6.14.3. Tuning Portscan
+6.15.3. Tuning Portscan
The most important aspect in detecting portscans is tuning the
detection engine for your network(s). Here are some tuning tips:
filtered scans, since these are more prone to false positives.
-6.15. Sensitive Data Filtering
+6.16. Sensitive Data Filtering
--------------
addresses. A rich regular expression syntax is available for defining
your own PII.
-6.15.1. Hyperscan
+6.16.1. Hyperscan
The sd_pattern rule option is powered by the open source Hyperscan
library from Intel. It provides a regex grammar which is mostly PCRE
compatible. To learn more about Hyperscan see https://intel.github.io
/hyperscan/dev-reference/
-6.15.2. Syntax
+6.16.2. Syntax
Snort provides sd_pattern as IPS rule option with no additional
inspector overhead. The Rule option takes the following syntax.
sd_pattern: "<pattern>"[, threshold <count>];
-6.15.2.1. Pattern
+6.16.2.1. Pattern
Pattern is the most important and is the only required parameter to
sd_pattern. It supports 3 built in patterns which are configured by
Note: This is just an example, this pattern is not suitable to detect
many correctly formatted emails.
-6.15.2.2. Threshold
+6.16.2.2. Threshold
Threshold is an optional parameter allowing you to change built in
default value (default value is 1). The following two instances are
literal" to qualify as a positive match. That is, if the string only
occurred 299 times in a packet, you will not see an event.
-6.15.2.3. Obfuscating Credit Cards and Social Security Numbers
+6.16.2.3. Obfuscating Credit Cards and Social Security Numbers
Snort provides discreet logging for the built in patterns
"credit_card", "us_social" and "us_social_nodashes". Enabling
obfuscate_pii = true
}
-6.15.3. Example
+6.16.3. Example
A complete Snort IPS rule
58 58 58 58 58 58 58 58 58 58 58 58 39 32 39 34 XXXXXXXXXXXX9294
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-6.15.4. Caveats
+6.16.4. Caveats
1. Snort currently requires setting the fast pattern engine to use
"hyperscan" in order for sd_pattern ips option to function
(This is a known bug).
-6.16. SMTP
+6.17. SMTP
--------------
SMTP inspector is a service inspector for SMTP protocol.
-6.16.1. Overview
+6.17.1. Overview
The SMTP inspector examines SMTP connections looking for commands and
responses. It also identifies the command, header and body sections,
SMTP inspector logs the filename, email addresses, attachment names
when configured.
-6.16.2. Configuration
+6.17.2. Configuration
SMTP command lines can be normalized to remove extraneous spaces.
TLS-encrypted traffic can be ignored, which improves performance. In
The configuration options are described below:
-6.16.2.1. normalize and normalize_cmds
+6.17.2.1. normalize and normalize_cmds
Normalization checks for more than one space character after a
command. Space characters are defined as space (ASCII 0x20) or tab
smtp = { normalize = 'cmds', normalize_cmds = 'RCPT VRFY EXPN' }
-6.16.2.2. ignore_data
+6.17.2.2. ignore_data
Set it to true to ignore data section of mail (except for mail
headers) when processing rules.
-6.16.2.3. ignore_tls_data
+6.17.2.3. ignore_tls_data
Set it to true to ignore TLS-encrypted data when processing rules.
-6.16.2.4. max_command_line_len
+6.17.2.4. max_command_line_len
Alert if an SMTP command line is longer than this value. Absence of
this option or a "0" means never alert on command line length. RFC
2821 recommends 512 as a maximum command line length.
-6.16.2.5. max_header_line_len
+6.17.2.5. max_header_line_len
Alert if an SMTP DATA header line is longer than this value. Absence
of this option or a "0" means never alert on data header line length.
RFC 2821 recommends 1024 as a maximum data header line length.
-6.16.2.6. max_response_line_len
+6.17.2.6. max_response_line_len
Alert if an SMTP response line is longer than this value. Absence of
this option or a "0" means never alert on response line length. RFC
2821 recommends 512 as a maximum response line length.
-6.16.2.7. alt_max_command_line_len
+6.17.2.7. alt_max_command_line_len
Overrides max_command_line_len for specific commands For example:
},
}
-6.16.2.8. invalid_cmds
+6.17.2.8. invalid_cmds
Alert if this command is sent from client side.
-6.16.2.9. valid_cmds
+6.17.2.9. valid_cmds
List of valid commands. We do not alert on commands in this list.
STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS X-LINK2STATE
XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR ]]
-6.16.2.10. data_cmds
+6.17.2.10. data_cmds
List of commands that initiate sending of data with an end of data
delimiter the same as that of the DATA command per RFC 5321 - "
<CRLF>.<CRLF>".
-6.16.2.11. binary_data_cmds
+6.17.2.11. binary_data_cmds
List of commands that initiate sending of data and use a length value
after the command to indicate the amount of data to be sent, similar
to that of the BDAT command per RFC 3030.
-6.16.2.12. auth_cmds
+6.17.2.12. auth_cmds
List of commands that initiate an authentication exchange between
client and server.
-6.16.2.13. xlink2state
+6.17.2.13. xlink2state
Enable/disable xlink2state alert, options are {disable | alert |
drop}. See CVE-2005-0560 for a description of the vulnerability.
-6.16.2.14. MIME processing depth parameters
+6.17.2.14. MIME processing depth parameters
These four MIME processing depth parameters are identical to their
POP and IMAP counterparts. See that section for further details.
b64_decode_depth qp_decode_depth bitenc_decode_depth uu_decode_depth
-6.16.2.15. Log Options
+6.17.2.15. Log Options
Following log options allow SMTP inspector to log email addresses and
filenames. Please note, this is logged only with the unified2 output
allowed range for this option is 0 - 20480. A value of 0 will disable
email headers logging. The default value for this option is 1464.
-6.16.3. Example
+6.17.3. Example
smtp =
{
}
-6.17. Telnet
+6.18. Telnet
--------------
connection is encrypted, per the use of the telnet encryption option
per RFC 2946.
-6.17.1. Configuring the inspector to block exploits and attacks
+6.18.1. Configuring the inspector to block exploits and attacks
ayt_attack_thresh number
vulnerabilities relating to bsd-based implementations of telnet.
-6.18. Trace
+6.19. Trace
--------------
wizard and snort.inspector_manager) are providing non-debug trace
messages in normal production builds.
-6.18.1. Trace module
+6.19.1. Trace module
The trace module is responsible for configuring traces and supports
the following parameters:
set or clear modules traces and packet filter constraints via the
control channel command.
-6.18.2. Trace module - configuring traces
+6.19.2. Trace module - configuring traces
The trace module has the modules option - a table with trace
configuration for specific modules. The following lines placed in
}
}
-6.18.3. Trace module - configuring packet filter constraints for
+6.19.3. Trace module - configuring packet filter constraints for
packet related trace messages
There is a capability to filter traces by the packet constraints. The
}
}
-6.18.4. Trace module - configuring trace output method
+6.19.4. Trace module - configuring trace output method
There is a capability to configure the output method for trace
messages. The trace module has the output option with two acceptable
As a result, each trace message will be printed into syslog (the
Snort run-mode will be ignored).
-6.18.5. Configuring traces via control channel command
+6.19.5. Configuring traces via control channel command
There is a capability to configure module trace options and packet
constraints via the control channel command by using a Snort shell.
trace.set({}) - disable traces and constraints (set to empty)
-6.18.6. Trace messages format
+6.19.6. Trace messages format
Each tracing message has a standard format:
s – seconds
S – milliseconds
-6.18.7. Example - Debugging rules using detection trace
+6.19.7. Example - Debugging rules using detection trace
The detection engine is responsible for rule evaluation. Turning on
the trace for it can help with debugging new rules.
detection:rule_vars:1: Rule options variables: var[0]=1 var[1]=10 var[2]=0
04/22-20:21:40.905630, 1, TCP, raw, 56, C2S, 127.0.0.1:1234, 127.0.0.1:5678, 1:3:0, allow
-6.18.8. Example - Protocols decoding trace
+6.19.8. Example - Protocols decoding trace
Turning on decode trace will print out information about the packets
decoded protocols. Can be useful in case of tunneling.
decode:all:1: Codec icmp4 (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 8
decode:all:1: Codec unknown (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 0
-6.18.9. Example - Track the time packet spends in each inspector
+6.19.9. Example - Track the time packet spends in each inspector
There is a capability to track which inspectors evaluate a packet,
and how much time the inspector consumes doing so. These trace
snort:inspector_manager:1: end inspection, raw, packet 1, context 1, total time: 0 usec
snort:main:1: [0] Destroying completed command RUN
-6.18.10. Example - trace filtering by packet constraints:
+6.19.10. Example - trace filtering by packet constraints:
In snort.lua, the following lines were added:
The trace messages for two last packets (numbers 5 and 6) weren’t
printed.
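Review bot: the renumbered heading "6.19.10. Example - trace filtering by packet constraints:" keeps a trailing colon that none of the sibling headings in this Trace section carry (compare "6.19.9. Example - Track the time packet spends in each inspector" and "6.19.11. Example - configuring traces via trace.set() command"); since the heading line is already being touched for the renumber, drop the colon so the section titles stay consistent.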
-6.18.11. Example - configuring traces via trace.set() command
+6.19.11. Example - configuring traces via trace.set() command
In snort.lua, the following lines were added:
filtered because they don’t include a packet (a packet isn’t
well-formed at the point when the message is printing).
-6.18.12. Other available traces
+6.19.12. Other available traces
There are more trace options supported by detection:
structures.
-6.19. Wizard
+6.20. Wizard
--------------
$sof and $eof commands generate Start of Flow and End of Flow
metapackets respectively. They are followed by a definition of a
-Flow_Stats_t data structure which will be fed into Snort via the
+DAQ_FlowStats_t data structure which will be fed into Snort via the
metadata callback.
Strings may contain the following escape sequences:
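Review bot: the structure name in the $sof/$eof description changes from Flow_Stats_t to DAQ_FlowStats_t in this hunk only; the surrounding Wizard text that describes the metadata callback should be cross-checked so that the old Flow_Stats_t spelling does not survive anywhere else and both names do not end up in the same section.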