<div class="literalblock">\r
<div class="content">\r
<pre><code> ,,_ -*> Snort++ <*-\r
-o" )~ Version 3.0.0 (Build 243) from 2.9.11\r
+o" )~ Version 3.0.0 (Build 246) from 2.9.11\r
'''' By Martin Roesch & The Snort Team\r
http://snort.org/contact#team\r
Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.\r
<li>\r
<p>\r
hyperscan >= 4.4.0 from <a href="https://github.com/01org/hyperscan">https://github.com/01org/hyperscan</a> to build new\r
- the regex and sd_pattern rule options and hyperscan search engine\r
+ the regex and sd_pattern rule options and hyperscan search engine.\r
+ Hyperscan is large so it recommended to follow their instructions for\r
+ building it as a shared library.\r
</p>\r
</li>\r
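Review bot: the added sentence "Hyperscan is large so it recommended to follow their instructions for building it as a shared library" is missing a verb; read "so it is recommended". It would also help the reader to say what "large" means in practice here (a static link pulls the whole library into the snort binary, which is why the shared build is preferred), since the sentence otherwise gives advice without a reason.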
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-A nil key in a table will not caught. Neither will a nil value in a\r
+A nil key in a table will not be caught. Neither will a nil value in a\r
table. Neither of the following will cause errors, nor will they\r
- actually set http_server.post_depth:\r
+ actually set http_inspect.request_depth:\r
</p>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>http_server = { post_depth }\r
-http_server = { post_depth = undefined_symbol }</code></pre>\r
+<pre><code>http_inspect = { request_depth }\r
+http_inspect = { request_depth = undefined_symbol }</code></pre>\r
</div></div>\r
</li>\r
<li>\r
</p>\r
<div class="literalblock">\r
<div class="content">\r
-<pre><code>http_server =\r
+<pre><code>http_inspect =\r
{\r
- post_depth = 1234,\r
- post_depth = 4321\r
+ request_depth = 1234,\r
+ request_depth = 4321\r
}</code></pre>\r
</div></div>\r
</li>\r
error but it will tell you the fully qualified name.\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_known_issues">Known Issues</h3>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
The dump DAQ will not work with multiple threads unless you use --daq-var\r
- file=/dev/null. This will be fixed in at some point to use the Snort log\r
+ output=none. This will be fixed at some point to use the Snort log\r
directory, etc.\r
</p>\r
</li>\r
<li>\r
<p>\r
-configure will use clang<code> by default if it is installed. To compile\r
- with g</code> instead:\r
-</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>export CXX=g++</code></pre>\r
-</div></div>\r
-</li>\r
-<li>\r
-<p>\r
If you build with hyperscan on OS X and see:\r
</p>\r
<div class="literalblock">\r
/path-to/libhs.4.0.dylib src/snort</code></pre>\r
</div></div>\r
</li>\r
+<li>\r
+<p>\r
+Snort built with tcmalloc support (--enable-tcmalloc) on Ubuntu 17.04/18.04\r
+ crashes immediately.\r
+</p>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>Workaround:\r
+Uninstall gperftools 2.5 provided by the distribution and install gperftools\r
+2.7 before building Snort.</code></pre>\r
+</div></div>\r
+</li>\r
</ul></div>\r
</div>\r
</div>\r
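Review bot: the tcmalloc item puts prose ("Workaround: Uninstall gperftools 2.5 provided by the distribution and install gperftools 2.7 before building Snort.") inside a `<pre><code>` literal block, while the other known issues keep instructions in a paragraph and reserve literal blocks for commands or error output; move it to a `<p>`, and if a command is wanted, show the actual one. The same item says the build "crashes immediately" without the symptom (at startup, before any packet, with what message), which is what a user needs to recognise the issue. On the dump DAQ item, the variable changes from `file=/dev/null` to `output=none`; since existing scripts carry the old spelling, say whether `--daq-var file=` is still accepted or is now an error. The clang/g++ item is dropped entirely; if configure no longer prefers clang, a one-line note saying so is more useful than silence, because the removed text is what users searching for CXX will remember.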
<div class="sectionbody">\r
<div class="paragraph"><p>This section explains how to use key features of Snort.</p></div>\r
<div class="sect2">\r
+<h3 id="_active_response">Active Response</h3>\r
+<div class="paragraph"><p>Snort can take more active role in securing network by sending active\r
+responses to shutdown offending sessions. When active responses is\r
+enabled, snort will send TCP RST or ICMP unreachable when dropping a\r
+session.</p></div>\r
+<div class="sect3">\r
+<h4 id="_changes_from_snort_2_9">Changes from Snort 2.9</h4>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+stream5_global:max_active_responses and min_response_seconds are now\r
+active.max_responses and active.min_interval.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+Response actions were removed from IPS rule body to the rule action\r
+in the header. This includes react, reject, and rewrite (split out of\r
+replace which now just does the detection part). These IPS actions are\r
+plugins.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+drop and block are synonymous in Snort 2.9 but in Snort 3.0 drop means\r
+don’t forward the current packet only whereas block means don’t forward\r
+this or any following packet on the flow.\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_configure_active">Configure Active</h4>\r
+<div class="paragraph"><p>Active response is enabled by configuring one of following IPS action\r
+plugins:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>react = { }\r
+reject = { }\r
+rewrite = { }</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Active responses will be performed for reject, react or rewrite IPS rule\r
+actions, and response packets are encoded based on the triggering packet.\r
+TTL will be set to the value captured at session pickup.</p></div>\r
+<div class="paragraph"><p>Configure the number of attempts to land a TCP RST within the session’s\r
+current window (so that it is accepted by the receiving TCP). This\r
+sequence "strafing" is really only useful in passive mode. In inline mode\r
+the reset is put straight into the stream in lieu of the triggering packet\r
+so strafing is not necessary.</p></div>\r
+<div class="paragraph"><p>Each attempt (sent in rapid succession) has a different sequence number.\r
+Each active response will actually cause this number of TCP resets to be\r
+sent. TCP data is multiplied similarly. At most 1 ICMP unreachable is sent,\r
+iff attempts > 0.</p></div>\r
+<div class="paragraph"><p>Device IP will perform network layer injection. It is probably a better\r
+choice to specify an interface and avoid kernel routing tables, etc.</p></div>\r
+<div class="paragraph"><p>dst_mac will change response destination MAC address, if the device is\r
+eth0, eth1, eth2 etc. Otherwise, response destination MAC address is\r
+derived from packet.</p></div>\r
+<div class="paragraph"><p>Example:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>active =\r
+{\r
+ attempts = 2,\r
+ device = "eth0",\r
+ dst_mac = "00:06:76:DD:5F:E3",\r
+}</code></pre>\r
+</div></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_reject">Reject</h4>\r
+<div class="paragraph"><p>IPS action reject perform active response to shutdown hostile network\r
+session by injecting TCP resets (TCP connections) or ICMP unreachable\r
+packets.</p></div>\r
+<div class="paragraph"><p>Example:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>reject = { reset = "both", control = "all" }</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>local_rules =\r
+[[\r
+reject tcp ( msg:"hostile connection"; flow:established, to_server;\r
+content:"HACK!"; sid:1; )\r
+]]</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>ips =\r
+{\r
+ rules = local_rules,\r
+}</code></pre>\r
+</div></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_react">React</h4>\r
+<div class="paragraph"><p>IPS action react enables sending an HTML page on a session and then\r
+resetting it.</p></div>\r
+<div class="paragraph"><p>The page to be sent can be read from a file:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>react = { page = "custmized_block_page.html", }</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>or else the default is used:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code><default_page> ::= \\r
+ "HTTP/1.1 403 Forbidden\r\n"\r
+ "Connection: close\r\n"\r
+ "Content-Type: text/html; charset=utf-8\r\n"\r
+ "\r\n"\r
+ "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.1//EN\"\r\n" \\r
+ " \"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd\">\r\n" \\r
+ "<html xmlns=\"http://www.w3.org/1999/xhtml\"\r
+ xml:lang=\"en\">\r\n" \\r
+ "<head>\r\n" \\r
+ "<meta http-equiv=\"Content-Type\" content=\"text/html;\r
+ charset=UTF-8\" />\r\n" \\r
+ "<title>Access Denied</title>\r\n" \\r
+ "</head>\r\n" \\r
+ "<body>\r\n" \\r
+ "<h1>Access Denied</h1>\r\n" \\r
+ "<p>%s</p>\r\n" \\r
+ "</body>\r\n" \\r
+ "</html>\r\n";</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Note that the file must contain the entire response, including any HTTP\r
+headers. In fact, the response isn’t strictly limited to HTTP. You could\r
+craft a binary payload of arbitrary content.</p></div>\r
+<div class="paragraph"><p>When the rule is configured, the page is loaded and the %s is replaced\r
+with the selected message, which defaults to:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>"You are attempting to access a forbidden site.<br />" \\r
+"Consult your system administrator for details."</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Additional formatting operators beyond a single %s are prohibited,\r
+including %d, %x, %s, as well as any URL encodings such as as %20 (space)\r
+that may be within a reference URL.</p></div>\r
+<div class="paragraph"><p>Example:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>react = { page = "my_block_page.html" }</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>local_rules =\r
+[[\r
+react http ( msg:"Unauthorized Access Prohibited!"; flow:established,\r
+to_server; http_method; content:"GET"; sid:1; )\r
+]]</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>ips =\r
+{\r
+ rules = local_rules,\r
+}</code></pre>\r
+</div></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_rewrite">Rewrite</h4>\r
+<div class="paragraph"><p>IPS action rewrite enables overwrite packet contents based on "replace"\r
+option in the rules.</p></div>\r
+<div class="paragraph"><p>For example:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>rewrite = { }\r
+local_rules =\r
+[[\r
+rewrite tcp 10.1.1.87 any -> 10.1.1.0/24 80\r
+(\r
+ sid:1000002;\r
+ msg:"test replace rule";\r
+ content:"index.php", nocase;\r
+ replace:"indax.php";\r
+)\r
+]]</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>ips =\r
+{\r
+ rules = local_rules,\r
+}</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>this rule replaces "index.php" with "indax.php", and rewrite action\r
+updates that packet.</p></div>\r
+<div class="paragraph"><p>to enable rewrite action:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>rewrite = { }</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>the replace operation can be disabled by changing the configuration:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>rewrite = { disable_replace = true }</code></pre>\r
+</div></div>\r
+</div>\r
+</div>\r
+<div class="sect2">\r
<h3 id="_appid">AppId</h3>\r
<div class="paragraph"><p>Network administrators need application awareness in order to fine tune\r
their management of the ever-growing number of applications passing traffic\r
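Review bot: in the React subsection, "Additional formatting operators beyond a single %s are prohibited, including %d, %x, %s, as well as any URL encodings such as as %20" lists %s among the prohibited operators immediately after allowing one; say "a second %s", and state the reason the prohibition on %d and %x implies: the loaded page is treated as a printf-style format with the message substituted for the one %s, so any other conversion in a user-supplied page would be interpreted as a directive rather than text, which is also why a URL containing %20 is rejected (fix "such as as" while there). Two more things in this region. The default page block spells its markup literally inside `<pre><code>` (`<default_page> ::=`, `<html xmlns=...>`, `<h1>Access Denied</h1>`); confirm the generated HTML emits these as `&lt;`/`&gt;` entities, otherwise the browser parses them as tags and the example disappears from the rendered page. The Rewrite subsection shows `rewrite = { }` twice, once at the top of the example and again under "to enable rewrite action"; keep one. Wording in the added text: "take more active role in securing network" (a more active role in securing the network), "When active responses is enabled" (response is), "removed from IPS rule body to the rule action" (moved from the rule body to), "enables overwrite packet contents" (enables overwriting), "IPS action reject perform" (performs), and "custmized_block_page.html" (customized). The paragraph beginning "Configure the number of attempts to land a TCP RST" never names the option; call it `active.attempts` so it connects to the example below.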
http://www.lorenzobettini.it\r
http://www.gnu.org/software/src-highlite -->\r
<pre><tt><span style="font-weight: bold"><span style="color: #0000FF">if</span></span> <span style="color: #990000">(</span>data <span style="color: #990000">&</span> value<span style="color: #990000">)</span> <span style="color: #FF0000">{</span> <span style="font-weight: bold"><span style="color: #000000">do_something</span></span><span style="color: #990000">();</span> <span style="color: #FF0000">}</span></tt></pre></div></div>\r
+<div class="paragraph"><p><em>!</em> operator negates the results from the base check. <em>!<oper></em> is\r
+considered as</p></div>\r
+<div class="listingblock">\r
+<div class="content"><!-- Generator: GNU source-highlight 3.1.8\r
+by Lorenzo Bettini\r
+http://www.lorenzobettini.it\r
+http://www.gnu.org/software/src-highlite -->\r
+<pre><tt><span style="color: #990000">!(</span>data <span style="color: #990000"><</span>oper<span style="color: #990000">></span> value<span style="color: #990000">)</span></tt></pre></div></div>\r
<div class="paragraph"><p>Note:\r
The bitmask option applies bitwise AND operator on the bytes\r
converted. The result will be right-shifted by the number of bits\r
MDTM commands that set the modification time on a file. The most common\r
among servers that do, accept a format using YYYYMMDDHHmmss[.uuu]. Some\r
others accept a format using YYYYMMDDHHmmss[+|-]TZ format. The example\r
-above is for the first case (time format as specified in\r
-<a href="https://tools.ietf.org/html/draft-ietf-ftpext-mlst-16">https://tools.ietf.org/html/draft-ietf-ftpext-mlst-16</a>)</p></div>\r
+above is for the first case.</p></div>\r
<div class="paragraph"><p>To check validity for a server that uses the TZ format, use the following:</p></div>\r
<div class="literalblock">\r
<div class="content">\r
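Review bot: this hunk deletes the draft-ietf-ftpext-mlst-16 link and leaves "The example above is for the first case" with no source for the YYYYMMDDHHmmss[.uuu] format. If the reason is that the draft URL is stale, point at RFC 3659, the published form of that draft, which is where MDTM's time-val format is defined, rather than dropping the only reference the paragraph had.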
individual HTTP/1.1 streams.</p></div>\r
</div>\r
<div class="sect2">\r
+<h3 id="_module_trace">Module Trace</h3>\r
+<div class="paragraph"><p>Snort 3 retired the different flavors of debug macros that used to be set\r
+through environment variable SNORT_DEBUG. It was replaced by a module specific\r
+trace. Trace is turned on by setting the module-specific trace bitmask in\r
+snort.lua. As before, in order to enable it, snort has to be configured and\r
+built with --enable-debug-msgs.</p></div>\r
+<div class="sect3">\r
+<h4 id="_debugging_rules_using_detection_trace">Debugging rules using detection trace</h4>\r
+<div class="paragraph"><p>Detection engine is responsible for rule evaluation. Turning on the\r
+trace for it can help with debugging new rules.</p></div>\r
+<div class="paragraph"><p>The relevant options for detection are as follow (represented as hex):</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>0x2 - follow rule evaluation\r
+0x4 - print evaluated buffer if it changed\r
+0x8 - print evaluated buffer at every step\r
+0x10 - print value of ips rule options vars\r
+0x20 - print information on fast pattern search</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Buffer print is useful, but in case the buffer is very big can be too verbose.\r
+Choose between 0x4, 0x8 or no buffer trace accordingly.</p></div>\r
+<div class="paragraph"><p>0x10 is useful when the rule is using ips rule options vars.</p></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_example_rule_evaluation_traces">Example - rule evaluation traces:</h4>\r
+<div class="paragraph"><p>In snort.lua, the following line was added:</p></div>\r
+<div class="paragraph"><p>detection = {trace = 0x20 + 0x10 + 0x2 + 0x4}</p></div>\r
+<div class="paragraph"><p>The pcap has a single packet with payload:\r
+10.AAAAAAAfoobar</p></div>\r
+<div class="paragraph"><p>Evaluated on rules:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code># byte_math + oper with byte extract and content\r
+# VAL = 1, byte_math = 0 + 10\r
+alert tcp ( byte_extract: 1, 0, VAL, string, dec;\r
+byte_math:bytes 1,offset VAL,oper +, rvalue 10, result var1, string dec;\r
+content:"foo", offset var1; sid:3)</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>#This rule should not trigger\r
+alert tcp (content:"AAAAA"; byte_jump:2,0,relative;\r
+content:"foo", within 3; sid:2)</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>The output:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>detection: packet 1 C2S 127.0.0.1:1234 127.0.0.1:5678\r
+detection: Fast pattern search\r
+detection: 1 fp packet[16]</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort.raw[16]:\r
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
+31 30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 10.AAAAAAAfoobar\r
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
+detection: Processing pattern match #1\r
+detection: Fast pattern packet[5] = 'AAAAA' |41 41 41 41 41 | ( )\r
+detection: Starting tree eval\r
+detection: Evaluating option content, cursor name pkt_data, cursor position 0</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort.raw[16]:\r
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
+31 30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 10.AAAAAAAfoobar\r
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
+detection: Rule options variables:\r
+var[0]=0 var[1]=0 var[2]=0\r
+detection: Evaluating option byte_jump, cursor name pkt_data, cursor position 8</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort.raw[8]:\r
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
+41 41 66 6F 6F 62 61 72 AAfoobar\r
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
+detection: no match\r
+detection: Rule options variables:\r
+var[0]=0 var[1]=0 var[2]=0\r
+detection: Evaluating option byte_jump, cursor name pkt_data, cursor position 9</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort.raw[7]:\r
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
+41 66 6F 6F 62 61 72 Afoobar\r
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
+detection: no match\r
+detection: Rule options variables:\r
+var[0]=0 var[1]=0 var[2]=0\r
+detection: Evaluating option byte_jump, cursor name pkt_data, cursor position 10</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort.raw[6]:\r
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
+66 6F 6F 62 61 72 foobar\r
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
+detection: no match\r
+detection: no match\r
+detection: Processing pattern match #2\r
+detection: Fast pattern packet[3] = 'foo' |66 6F 6F | ( )\r
+detection: Starting tree eval\r
+detection: Evaluating option byte_extract, cursor name pkt_data, cursor position 0</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort.raw[16]:\r
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
+31 30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 10.AAAAAAAfoobar\r
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
+detection: Rule options variables:\r
+var[0]=1 var[1]=0 var[2]=0\r
+detection: Evaluating option byte_math, cursor name pkt_data, cursor position 1</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort.raw[15]:\r
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
+30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 0.AAAAAAAfoobar\r
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
+detection: Rule options variables:\r
+var[0]=1 var[1]=10 var[2]=0\r
+detection: Evaluating option content, cursor name pkt_data, cursor position 2</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort.raw[14]:\r
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
+00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 .AAAAAAAfoobar\r
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
+detection: Rule options variables:\r
+var[0]=1 var[1]=10 var[2]=0\r
+detection: Reached leaf, cursor name pkt_data, cursor position 13</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort.raw[3]:\r
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
+62 61 72 bar\r
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r
+detection: Matched rule gid:sid:rev 1:3:0\r
+detection: Rule options variables:\r
+var[0]=1 var[1]=10 var[2]=0\r
+04/22-20:21:40.905630, 1, TCP, raw, 56, C2S, 127.0.0.1:1234, 127.0.0.1:5678, 1:3:0, allow</code></pre>\r
+</div></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_protocols_decoding_trace">Protocols decoding trace</h4>\r
+<div class="paragraph"><p>Turning on decode trace will print out information about the packets decoded\r
+protocols. Can be useful in case of tunneling.</p></div>\r
+<div class="paragraph"><p>Example for a icmpv4-in-ipv6 packet:</p></div>\r
+<div class="paragraph"><p>In snort.lua, the following line was added:</p></div>\r
+<div class="paragraph"><p>decode = { trace = 1 }</p></div>\r
+<div class="paragraph"><p>The output:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>decode: Codec eth (protocol_id: 34525) ip header starts at: 0x7f70800110f0, length is 14\r
+decode: Codec ipv6 (protocol_id: 1) ip header starts at: 0x7f70800110f0, length is 40\r
+decode: Codec icmp4 (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 8\r
+decode: Codec unknown (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 0</code></pre>\r
+</div></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_other_available_traces">Other available traces</h4>\r
+<div class="paragraph"><p>There are more trace options supported by detection:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>0x1 - prints statistics about the engine\r
+0x40 - prints a message when disabling content detect for packet\r
+0x80 - prints option tree data structure\r
+0x100 - prints a message when a new tag is added</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Detection is the only module that support multiple options for trace.</p></div>\r
+<div class="paragraph"><p>The rest support only 1 option, and can be turned on by adding trace = 1 to\r
+their lua config.</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+stream module trace:\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>When turned on prints a message in case inspection is stopped on a flow.\r
+Example for output:</p></div>\r
+<div class="paragraph"><p>stream: stop inspection on flow, dir BOTH</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+stream_ip, stream_user: trace will output general processing messages\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Other modules that support trace have messages as seemed fit to the developer.\r
+Some are for corner cases, other for complex data structures prints. Current\r
+list of additional modules supporting trace: appid, dce_smb, gtp_inspect and\r
+dce_udp.</p></div>\r
+</div>\r
+</div>\r
+<div class="sect2">\r
<h3 id="_performance_monitor">Performance Monitor</h3>\r
<div class="paragraph"><p>The new and improved performance monitor! Is your sensor being bogged down by\r
too many flows? perf_monitor! Why are certain TCP segments being dropped without\r
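Review bot: the 0x4 and 0x8 detection trace options dump the evaluated buffer, and the example output shows raw payload bytes ("31 30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 10.AAAAAAAfoobar") going to the log at every evaluation step; the section should say plainly that these bits write packet content to the console or log file, so they belong on a debug build (the text already requires --enable-debug-msgs) used against a test pcap, not on a sensor handling real traffic. Two consistency points: the configuration lines `detection = {trace = 0x20 + 0x10 + 0x2 + 0x4}` and `decode = { trace = 1 }` sit in plain paragraphs while every other snippet in the section uses a literal block, and the heading "Example - rule evaluation traces:" carries a trailing colon unlike the neighbouring sect3 headings. The decode example prints the same "ip header starts at: 0x7f70800110f0" address for eth, ipv6, icmp4 and unknown, which is either a misleading label or a bug in the trace; worth checking before it ships as documentation. Grammar in the added text: "as follow" (as follows), "the packets decoded protocols" (packet's), "Example for a icmpv4-in-ipv6" (an), "the only module that support" (supports), "When turned on prints a message" (it prints), "as seemed fit to the developer" (as the developer saw fit).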
<div class="sect3">\r
<h4 id="_configuration_5">Configuration</h4>\r
<div class="paragraph"><p>POP inspector and IMAP inspector offer same set of configuration options\r
-for MIME decoding depth:</p></div>\r
+for MIME decoding depth. These depths range from 0 to 65535 bytes. Setting\r
+the value to 0 ("do none") turns the feature off. Alternatively the value\r
+-1 means an unlimited amount of data should be decoded. If you do not\r
+specify the default value is 1460 bytes.</p></div>\r
+<div class="paragraph"><p>The depth limits apply per attachment. They are:</p></div>\r
<div class="sect4">\r
<h5 id="_b64_decode_depth">b64_decode_depth</h5>\r
-<div class="paragraph"><p>This config option is used to turn off/on or set the base64 decoding depth\r
-used to decode the base64 encoded MIME attachments. The value ranges from\r
--1 to 65535. A value of -1 turns off the base64 decoding of MIME\r
-attachments. The value of 0 sets the decoding of base64 encoded MIME\r
-attachments to unlimited. A value other than 0 or -1 restricts the\r
-decoding of base64 MIME attachments, and applies per attachment. The\r
-default value is 1460.</p></div>\r
+<div class="paragraph"><p>Set the base64 decoding depth used to decode the base64-encoded MIME\r
+attachments.</p></div>\r
</div>\r
<div class="sect4">\r
<h5 id="_qp_decode_depth">qp_decode_depth</h5>\r
-<div class="paragraph"><p>This config option is used to turn off/on or set the Quoted-Printable\r
-decoding depth used to decode the Quoted-Printable(QP) encoded MIME\r
-attachments. The value ranges from -1 to 65535. A value of -1 turns off\r
-the QP decoding of MIME attachments.\r
-The value of 0 sets the decoding of QP encoded MIME attachments to\r
-unlimited. A value other than 0 or -1 restricts the decoding of QP MIME\r
-attachments, and applies per attachment.</p></div>\r
+<div class="paragraph"><p>Set the Quoted-Printable (QP) decoding depth used to decode QP-encoded\r
+MIME attachments.</p></div>\r
</div>\r
<div class="sect4">\r
<h5 id="_bitenc_decode_depth">bitenc_decode_depth</h5>\r
-<div class="paragraph"><p>This config option is used to turn off/on or set the non-encoded MIME\r
-extraction depth used to extract the non-encoded MIME attachments. The\r
-value ranges from -1 to 65535. A value of -1 turns off the extraction of\r
-these MIME attachments.\r
-The value of 0 sets the extraction of these MIME attachments to unlimited.\r
-A value other than 0 or -1 restricts the extraction of these MIME\r
-attachments, and applies per attachment.</p></div>\r
+<div class="paragraph"><p>Set the non-encoded MIME extraction depth used for non-encoded MIME\r
+attachments.</p></div>\r
</div>\r
<div class="sect4">\r
<h5 id="_uu_decode_depth">uu_decode_depth</h5>\r
-<div class="paragraph"><p>This config option is used to turn off/on or set the Unix-to-Unix decoding\r
-depth used to decode the Unix-to-Unix(UU) encoded attachments. The value\r
-ranges from -1 to 65535. A value of -1 turns off the UU decoding of POP\r
-attachments.\r
-The value of 0 sets the decoding of UU encoded POP attachments to\r
-unlimited. A value other than 0 or -1 restricts the decoding of UU POP\r
-attachments, and applies per attachment.</p></div>\r
+<div class="paragraph"><p>Set the Unix-to-Unix (UU) decoding depth used to decode UU-encoded\r
+attachments.</p></div>\r
</div>\r
<div class="sect4">\r
<h5 id="_examples_5">Examples</h5>\r
<div class="content">\r
<pre><code>imap =\r
{\r
- qp_decode_depth = 15,\r
+ qp_decode_depth = 500,\r
}</code></pre>\r
</div></div>\r
<div class="literalblock">\r
<div class="content">\r
<pre><code>pop =\r
{\r
- qp_decode_depth = 0,\r
- b64_decode_depth = 10,\r
+ qp_decode_depth = -1,\r
+ b64_decode_depth = 3000,\r
}</code></pre>\r
</div></div>\r
</div>\r
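Review bot: the replacement paragraph contradicts itself and inverts the text it replaces. It says the depths "range from 0 to 65535 bytes" and then that "the value -1 means an unlimited amount of data should be decoded", so -1 lies outside the stated range; and where the deleted text had -1 = off and 0 = unlimited, the new text has 0 = off and -1 = unlimited, with a default of 1460 on top. Only one of these can match the code; check `snort --help-module pop` (and imap) for the real range and default, then make the prose and the new example values (`qp_decode_depth = -1`, `b64_decode_depth = 3000`) agree with it. The four per-option subsections now only restate their headings ("Set the base64 decoding depth used to decode the base64-encoded MIME attachments."); either fold them into a list or give each the one detail that distinguishes it.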
See CVE-2005-0560 for a description of the vulnerability.</p></div>\r
</div>\r
<div class="sect4">\r
-<h5 id="_b64_decode_depth_2">b64_decode_depth</h5>\r
-<div class="paragraph"><p>This config option is used to turn off/on or set the base64 decoding depth\r
-used to decode the base64 encoded MIME attachments. The value ranges from\r
--1 to 65535. A value of -1 turns off the base64 decoding of MIME\r
-attachments. The value of 0\r
-sets the decoding of base64 encoded MIME attachments to unlimited. A value\r
-other than 0 or -1 restricts the decoding of base64 MIME attachments, and\r
-applies per attachment.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_qp_decode_depth_2">qp_decode_depth</h5>\r
-<div class="paragraph"><p>This config option is used to turn off/on or set the Quoted-Printable\r
-decoding depth used to decode the Quoted-Printable(QP) encoded MIME\r
-attachments. The value ranges from -1 to 65535. A value of -1 turns off\r
-the QP decoding of MIME attachments.\r
-The value of 0 sets the decoding of QP encoded MIME attachments to\r
-unlimited. A value other than 0 or -1 restricts the decoding of QP MIME\r
-attachments, and applies per attachment.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_bitenc_decode_depth_default_to_25">bitenc_decode_depth * default to 25</h5>\r
-<div class="paragraph"><p>This config option is used to turn off/on or set the non-encoded MIME\r
-extraction depth used to extract the non-encoded MIME attachments. The\r
-value ranges from -1 to 65535. A value of -1 turns off the extraction of\r
-these MIME attachments.\r
-The value of 0 sets the extraction of these MIME attachments to unlimited.\r
-A value other than 0 or -1 restricts the extraction of these MIME\r
-attachments, and applies per attachment.</p></div>\r
-</div>\r
-<div class="sect4">\r
-<h5 id="_uu_decode_depth_2">uu_decode_depth</h5>\r
-<div class="paragraph"><p>This config option is used to turn off/on or set the Unix-to-Unix decoding\r
-depth used to decode the Unix-to-Unix(UU) encoded attachments. The value\r
-ranges from -1 to 65535. A value of -1 turns off the UU decoding of SMTP\r
-attachments.\r
-The value of 0 sets the decoding of UU encoded SMTP attachments to\r
-unlimited. A value other than 0 or -1 restricts the decoding of UU SMTP\r
-attachments, and applies per attachment.</p></div>\r
+<h5 id="_mime_processing_depth_parameters">MIME processing depth parameters</h5>\r
+<div class="paragraph"><p>These four MIME processing depth parameters are identical to their POP and\r
+IMAP counterparts. See that section for further details.</p></div>\r
+<div class="paragraph"><p>b64_decode_depth\r
+qp_decode_depth\r
+bitenc_decode_depth\r
+uu_decode_depth</p></div>\r
</div>\r
<div class="sect4">\r
<h5 id="_log_options">Log Options</h5>\r
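Review bot: the four parameter names in the new "MIME processing depth parameters" block are on separate source lines inside a single `<p>`, which renders as one run-on line ("b64_decode_depth qp_decode_depth bitenc_decode_depth uu_decode_depth"); use the page's `<div class="ulist"><ul>` list. "See that section for further details" should link to the POP/IMAP configuration anchor, `#_configuration_5` on this page, since the reader is several sections away. One detail the consolidation loses: the removed SMTP heading read "bitenc_decode_depth * default to 25"; if that was a real SMTP-specific default it needs to be stated in the new block, and if it was a stray note, say nothing, but decide which.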
</li>\r
<li>\r
<p>\r
-int <strong>active.min_interval</strong> = 255: minimum number of seconds between responses { 1: }\r
+int <strong>active.min_interval</strong> = 255: minimum number of seconds between responses { 1:255 }\r
</p>\r
</li>\r
</ul></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>daq.pcaps</strong>: total files and interfaces processed (sum)\r
+<strong>daq.pcaps</strong>: total files and interfaces processed (max)\r
</p>\r
</li>\r
<li>\r
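Review bot: changing the aggregation of `daq.pcaps` from (sum) to (max) changes what the reported number means in a multi-threaded run, but the description still says "total files and interfaces processed", which reads as a sum; either reword to "files and interfaces processed (per thread)" or add a phrase explaining why max is the right aggregate for this peg.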
</li>\r
<li>\r
<p>\r
+bool <strong>detection.enable_address_anomaly_checks</strong> = false: enable check and alerting of address anomalies\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>detection.trace</strong>: mask for enabling debug traces in module\r
</p>\r
</li>\r
</p>\r
</li>\r
</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>ips.invalid_policy_ids</strong>: Number of times an invalid policy ID was provided (sum)\r
-</p>\r
-</li>\r
-</ul></div>\r
</div>\r
<div class="sect2">\r
<h3 id="_latency">latency</h3>\r
bool <strong>output.wide_hex_dump</strong> = true: output 20 bytes per lines instead of 16 when dumping buffers\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_packet_tracer">packet_tracer</h3>\r
+<div class="paragraph"><p>What: generate debug trace messages for packets</p></div>\r
+<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+bool <strong>packet_tracer.enable</strong> = false: enable summary output of state that determined packet verdict\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+enum <strong>packet_tracer.output</strong> = console: select where to send packet trace { console | file }\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Commands:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>output.enable_packet_trace</strong> = false: enable summary output of state that determined packet verdict\r
+<strong>packet_tracer.enable</strong>(proto, src_ip, src_port, dst_ip, dst_port): enable packet tracer debugging\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>output.packet_trace_output</strong> = console: select where to send packet trace { console | file }\r
+<strong>packet_tracer.disable</strong>(): disable packet tracer\r
</p>\r
</li>\r
</ul></div>\r
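Review bot: `packet_tracer.enable` now appears twice with different meanings, once as a bool config ("enable summary output of state that determined packet verdict") and once as a command taking (proto, src_ip, src_port, dst_ip, dst_port); the command entry should say what `proto` accepts (number or name), whether all five filter arguments are required, and that the config bool traces every packet while the command narrows tracing to one 5-tuple, if that is the intent. The old `output.enable_packet_trace` and `output.packet_trace_output` names are removed without a pointer; a one-line "moved to packet_tracer" in the output section would save existing configs a failed load.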
</li>\r
<li>\r
<p>\r
-bool <strong>search_engine.detect_raw_tcp</strong> = true: detect on TCP payload before reassembly\r
+bool <strong>search_engine.detect_raw_tcp</strong> = false: detect on TCP payload before reassembly\r
</p>\r
</li>\r
<li>\r
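Review bot: flipping the default of `search_engine.detect_raw_tcp` from true to false is a detection-behaviour change, not a documentation fix: content rules that previously matched on raw TCP payload before reassembly will no longer do so unless the option is set explicitly. This should be called out in the changes/release notes rather than changed silently in the reference entry, so operators can decide whether to re-enable it.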
</li>\r
<li>\r
<p>\r
+implied <strong>snort.--talos</strong>: enable Talos inline rule test mode (same as --tweaks talos -Q -q)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>snort.--treat-drop-as-alert</strong>: converts drop, sdrop, and reject rules into alert rules during startup\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+string <strong>snort.--tweaks</strong>: tune configuration\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>snort.--catch-test</strong>: comma separated list of cat unit test tags or <em>all</em>\r
</p>\r
</li>\r
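Review bot: "tune configuration" does not tell the reader what the string given to `snort.--tweaks` is. The `--talos` entry added just above shows it takes a tweak name (`--tweaks talos`); say so here and either list the accepted names or point to where they are defined.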
string <strong>snort.--x2s</strong>: output ASCII string for given byte code (see also --x2c)\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+implied <strong>snort.--trace</strong>: turn on main loop debug trace\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>snort.trace</strong>: mask for enabling debug traces in module\r
+</p>\r
+</li>\r
</ul></div>\r
<div class="paragraph"><p>Commands:</p></div>\r
<div class="ulist"><ul>\r
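Review bot: `snort.trace` is described as a "mask for enabling debug traces in module" and `--trace` as "turn on main loop debug trace", with no statement of which bits mean what or how the two relate. The identical "mask" wording is added in this change for appid, dce_smb, dce_udp, decode, gtp_inspect and stream as well; one definition of the bit layout (or a pointer to it) would make all of these entries usable instead of restating the parameter name.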
</li>\r
<li>\r
<p>\r
+<strong>snort.reload_module</strong>(module): reload module\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>snort.reload_daq</strong>(): reload daq module\r
</p>\r
</li>\r
</div>\r
<div class="sect2">\r
<h3 id="_ipv4">ipv4</h3>\r
-<div class="paragraph"><p>What: support for Internet protocol v4</p></div>\r
+<div class="paragraph"><p>What: support for Internet protocol v4 (DLT 228)</p></div>\r
<div class="paragraph"><p>Type: codec</p></div>\r
<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
</div>\r
<div class="sect2">\r
<h3 id="_ipv6">ipv6</h3>\r
-<div class="paragraph"><p>What: support for Internet protocol v6</p></div>\r
+<div class="paragraph"><p>What: support for Internet protocol v6 (DLT 229)</p></div>\r
<div class="paragraph"><p>Type: codec</p></div>\r
<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
+int <strong>appid.first_decrypted_packet_debug</strong> = 0: the first packet of an already decrypted SSL flow (debug single session only) { 0: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>appid.memcap</strong> = 0: disregard - not implemented { 0: }\r
</p>\r
</li>\r
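Review bot: the description of `appid.first_decrypted_packet_debug` is a noun phrase ("the first packet of an already decrypted SSL flow") rather than a statement of what the integer controls; with range `{ 0: }` and default 0 the reader cannot tell whether the value is a packet number, a count, or effectively a flag. Rewrite it in the form used by the neighbouring entries, i.e. "<what the value is>: <what it does> (debug single session only)".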
</li>\r
<li>\r
<p>\r
-addr <strong>appid.session_log_filter.src_ip</strong> = 0.0.0.0/32: source IP address in CIDR format\r
+string <strong>appid.tp_appid_path</strong>: path to third party appid dynamic library\r
</p>\r
</li>\r
<li>\r
<p>\r
-addr <strong>appid.session_log_filter.dst_ip</strong> = 0.0.0.0/32: destination IP address in CIDR format\r
+string <strong>appid.tp_appid_config</strong>: path to third party appid configuration file\r
</p>\r
</li>\r
<li>\r
<p>\r
-port <strong>appid.session_log_filter.src_port</strong>: source port { 1: }\r
+bool <strong>appid.log_all_sessions</strong> = false: enable logging of all appid sessions\r
</p>\r
</li>\r
<li>\r
<p>\r
-port <strong>appid.session_log_filter.dst_port</strong>: destination port { 1: }\r
+int <strong>appid.trace</strong>: mask for enabling debug traces in module\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Commands:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>appid.session_log_filter.protocol</strong>: IP protocol\r
+<strong>appid.enable_debug</strong>(proto, src_ip, src_port, dst_ip, dst_port): enable appid debugging\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>appid.session_log_filter.log_all_sessions</strong> = false: enable logging for all appid sessions\r
+<strong>appid.disable_debug</strong>(): disable appid debugging\r
</p>\r
</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>appid.log_all_sessions</strong> = false: enable logging of all appid sessions\r
+<strong>appid.packets</strong>: count of packets received (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.processed_packets</strong>: count of packets processed (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.ignored_packets</strong>: count of packets ignored (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.total_sessions</strong>: count of sessions created (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.appid_unknown</strong>: count of sessions where appid could not be determined (sum)\r
</p>\r
</li>\r
</ul></div>\r
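Review bot: the five `appid.session_log_filter.*` parameters (src_ip, dst_ip, src_port, dst_port, protocol) and `session_log_filter.log_all_sessions` are removed, while the same 5-tuple reappears as the arguments of the new `appid.enable_debug` command, so the session filter has effectively moved from Lua configuration to a runtime command. Nothing here tells existing users that a `session_log_filter` table will now be rejected; add a migration line to the changes section, and document the argument formats for `enable_debug` (the removed entries at least said CIDR for the addresses and gave a port range).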
bool <strong>dce_smb.smb_legacy_mode</strong> = false: inspect only SMBv1\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+int <strong>dce_smb.trace</strong>: mask for enabling debug traces in module\r
+</p>\r
+</li>\r
</ul></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
int <strong>dce_udp.max_frag_len</strong> = 65535: Maximum fragment size for defragmentation { 1514:65535 }\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+int <strong>dce_udp.trace</strong>: mask for enabling debug traces in module\r
+</p>\r
+</li>\r
</ul></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
+<h3 id="_domain_filter">domain_filter</h3>\r
+<div class="paragraph"><p>What: alert on configured HTTP domains</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+string <strong>domain_filter.file</strong>: file with list of domains identifying hosts to be filtered\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>domain_filter.hosts</strong>: list of domains identifying hosts to be filtered\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+<strong>175:1</strong> (domain_filter) configured domain detected\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+<strong>domain_filter.checked</strong>: domains checked (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>domain_filter.filtered</strong>: domains filtered (sum)\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
<h3 id="_dpx">dpx</h3>\r
<div class="paragraph"><p>What: dynamic inspector example</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
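Review bot: the new `domain_filter` inspector documents two inputs (`file` and `hosts`) but not the file format (one domain per line, comment syntax), whether a domain matches exactly or as a suffix (does `example.com` match `www.example.com`), which HTTP field is compared, or what happens when both `file` and `hosts` are set. The single rule 175:1 and the `checked`/`filtered` pegs are clear enough, but without the matching semantics an operator cannot predict what this inspector alerts on.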
int <strong>gtp_inspect[].infos[].length</strong> = 0: information element type code { 0:255 }\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+int <strong>gtp_inspect.trace</strong>: mask for enabling debug traces in module\r
+</p>\r
+</li>\r
</ul></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
</li>\r
<li>\r
<p>\r
-<strong>119:35</strong> (http_inspect) anomalous http server on undefined HTTP port\r
+<strong>119:101</strong> (http_inspect) anomalous http server on undefined HTTP port\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>119:102</strong> (http_inspect) invalid status code in HTTP response\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>119:103</strong> (http_inspect) unused event number—should not appear\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:36</strong> (http_inspect) invalid status code in HTTP response\r
+<strong>119:104</strong> (http_inspect) HTTP response has UTF charset that failed to normalize\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:37</strong> (http_inspect) unused event number—should not appear\r
+<strong>119:105</strong> (http_inspect) HTTP response has UTF-7 charset\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:38</strong> (http_inspect) HTTP response has UTF charset that failed to normalize\r
+<strong>119:106</strong> (http_inspect) HTTP response gzip decompression failed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:39</strong> (http_inspect) HTTP response has UTF-7 charset\r
+<strong>119:107</strong> (http_inspect) server consecutive small chunk sizes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:40</strong> (http_inspect) HTTP response gzip decompression failed\r
+<strong>119:108</strong> (http_inspect) unused event number—should not appear\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:41</strong> (http_inspect) server consecutive small chunk sizes\r
+<strong>119:109</strong> (http_inspect) javascript obfuscation levels exceeds 1\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:42</strong> (http_inspect) unused event number—should not appear\r
+<strong>119:110</strong> (http_inspect) javascript whitespaces exceeds max allowed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:43</strong> (http_inspect) javascript obfuscation levels exceeds 1\r
+<strong>119:111</strong> (http_inspect) multiple encodings within javascript obfuscated data\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:44</strong> (http_inspect) javascript whitespaces exceeds max allowed\r
+<strong>119:112</strong> (http_inspect) SWF file zlib decompression failure\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:45</strong> (http_inspect) multiple encodings within javascript obfuscated data\r
+<strong>119:113</strong> (http_inspect) SWF file LZMA decompression failure\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:46</strong> (http_inspect) SWF file zlib decompression failure\r
+<strong>119:114</strong> (http_inspect) PDF file deflate decompression failure\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:47</strong> (http_inspect) SWF file LZMA decompression failure\r
+<strong>119:115</strong> (http_inspect) PDF file unsupported compression type\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:48</strong> (http_inspect) PDF file deflate decompression failure\r
+<strong>119:116</strong> (http_inspect) PDF file cascaded compression\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:49</strong> (http_inspect) PDF file unsupported compression type\r
+<strong>119:117</strong> (http_inspect) PDF file parse failure\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:50</strong> (http_inspect) PDF file cascaded compression\r
+<strong>119:201</strong> (http_inspect) not HTTP traffic\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:51</strong> (http_inspect) PDF file parse failure\r
+<strong>119:202</strong> (http_inspect) chunk length has excessive leading zeros\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:52</strong> (http_inspect) not HTTP traffic\r
+<strong>119:203</strong> (http_inspect) white space before or between messages\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:53</strong> (http_inspect) chunk length has excessive leading zeros\r
+<strong>119:204</strong> (http_inspect) request message without URI\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:54</strong> (http_inspect) white space before or between messages\r
+<strong>119:205</strong> (http_inspect) control character in reason phrase\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:55</strong> (http_inspect) request message without URI\r
+<strong>119:206</strong> (http_inspect) illegal extra whitespace in start line\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:56</strong> (http_inspect) control character in reason phrase\r
+<strong>119:207</strong> (http_inspect) corrupted HTTP version\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:57</strong> (http_inspect) illegal extra whitespace in start line\r
+<strong>119:208</strong> (http_inspect) unknown HTTP version\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:58</strong> (http_inspect) corrupted HTTP version\r
+<strong>119:209</strong> (http_inspect) format error in HTTP header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:59</strong> (http_inspect) unknown HTTP version\r
+<strong>119:210</strong> (http_inspect) chunk header options present\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:60</strong> (http_inspect) format error in HTTP header\r
+<strong>119:211</strong> (http_inspect) URI badly formatted\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:61</strong> (http_inspect) chunk header options present\r
+<strong>119:212</strong> (http_inspect) unrecognized type of percent encoding in URI\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:62</strong> (http_inspect) URI badly formatted\r
+<strong>119:213</strong> (http_inspect) HTTP chunk misformatted\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:63</strong> (http_inspect) unrecognized type of percent encoding in URI\r
+<strong>119:214</strong> (http_inspect) white space adjacent to chunk length\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:64</strong> (http_inspect) HTTP chunk misformatted\r
+<strong>119:215</strong> (http_inspect) white space within header name\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:65</strong> (http_inspect) white space adjacent to chunk length\r
+<strong>119:216</strong> (http_inspect) excessive gzip compression\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:66</strong> (http_inspect) white space within header name\r
+<strong>119:217</strong> (http_inspect) gzip decompression failed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:67</strong> (http_inspect) excessive gzip compression\r
+<strong>119:218</strong> (http_inspect) HTTP 0.9 requested followed by another request\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:68</strong> (http_inspect) gzip decompression failed\r
+<strong>119:219</strong> (http_inspect) HTTP 0.9 request following a normal request\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:69</strong> (http_inspect) HTTP 0.9 requested followed by another request\r
+<strong>119:220</strong> (http_inspect) message has both Content-Length and Transfer-Encoding\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:70</strong> (http_inspect) HTTP 0.9 request following a normal request\r
+<strong>119:221</strong> (http_inspect) status code implying no body combined with Transfer-Encoding or nonzero Content-Length\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:71</strong> (http_inspect) message has both Content-Length and Transfer-Encoding\r
+<strong>119:222</strong> (http_inspect) Transfer-Encoding not ending with chunked\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:72</strong> (http_inspect) status code implying no body combined with Transfer-Encoding or nonzero Content-Length\r
+<strong>119:223</strong> (http_inspect) Transfer-Encoding with encodings before chunked\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:73</strong> (http_inspect) Transfer-Encoding not ending with chunked\r
+<strong>119:224</strong> (http_inspect) misformatted HTTP traffic\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:74</strong> (http_inspect) Transfer-Encoding with encodings before chunked\r
+<strong>119:225</strong> (http_inspect) unsupported Content-Encoding used\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:75</strong> (http_inspect) misformatted HTTP traffic\r
+<strong>119:226</strong> (http_inspect) unknown Content-Encoding used\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:76</strong> (http_inspect) unsupported Content-Encoding used\r
+<strong>119:227</strong> (http_inspect) multiple Content-Encodings applied\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:77</strong> (http_inspect) unknown Content-Encoding used\r
+<strong>119:228</strong> (http_inspect) server response before client request\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:78</strong> (http_inspect) multiple Content-Encodings applied\r
+<strong>119:229</strong> (http_inspect) PDF/SWF decompression of server response too big\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:79</strong> (http_inspect) server response before client request\r
+<strong>119:230</strong> (http_inspect) nonprinting character in HTTP message header name\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:80</strong> (http_inspect) PDF/SWF decompression of server response too big\r
+<strong>119:231</strong> (http_inspect) bad Content-Length value in HTTP header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:81</strong> (http_inspect) nonprinting character in HTTP message header name\r
+<strong>119:232</strong> (http_inspect) HTTP header line wrapped\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:82</strong> (http_inspect) bad Content-Length value in HTTP header\r
+<strong>119:233</strong> (http_inspect) HTTP header line terminated by CR without a LF\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:83</strong> (http_inspect) HTTP header line wrapped\r
+<strong>119:234</strong> (http_inspect) chunk terminated by nonstandard separator\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:84</strong> (http_inspect) HTTP header line terminated by CR without a LF\r
+<strong>119:235</strong> (http_inspect) chunk length terminated by LF without CR\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:85</strong> (http_inspect) chunk terminated by nonstandard separator\r
+<strong>119:236</strong> (http_inspect) more than one response with 100 status code\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:86</strong> (http_inspect) chunk length terminated by LF without CR\r
+<strong>119:237</strong> (http_inspect) 100 status code not in response to Expect header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:87</strong> (http_inspect) more than one response with 100 status code\r
+<strong>119:238</strong> (http_inspect) 1XX status code other than 100 or 101\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:88</strong> (http_inspect) 100 status code not in response to Expect header\r
+<strong>119:239</strong> (http_inspect) Expect header sent without a message body\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:89</strong> (http_inspect) 1XX status code other than 100 or 101\r
+<strong>119:240</strong> (http_inspect) HTTP 1.0 message with Transfer-Encoding header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:90</strong> (http_inspect) Expect header sent without a message body\r
+<strong>119:241</strong> (http_inspect) Content-Transfer-Encoding used as HTTP header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:91</strong> (http_inspect) HTTP 1.0 message with Transfer-Encoding header\r
+<strong>119:242</strong> (http_inspect) illegal field in chunked message trailers\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:92</strong> (http_inspect) Content-Transfer-Encoding used as HTTP header\r
+<strong>119:243</strong> (http_inspect) header field inappropriately appears twice or has two values\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:93</strong> (http_inspect) illegal field in chunked message trailers\r
+<strong>119:244</strong> (http_inspect) invalid value chunked in Content-Encoding header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:94</strong> (http_inspect) header field inappropriately appears twice or has two values\r
+<strong>119:245</strong> (http_inspect) 206 response sent to a request without a Range header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:95</strong> (http_inspect) invalid value chunked in Content-Encoding header\r
+<strong>119:246</strong> (http_inspect) <em>HTTP</em> in version field not all upper case\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:96</strong> (http_inspect) 206 response sent to a request without a Range header\r
+<strong>119:247</strong> (http_inspect) white space embedded in critical header value\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:97</strong> (http_inspect) <em>HTTP</em> in version field not all upper case\r
+<strong>119:248</strong> (http_inspect) gzip compressed data followed by unexpected non-gzip data\r
</p>\r
</li>\r
</ul></div>\r
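Review bot: this hunk renumbers every http_inspect event: 119:35 through 119:51 become 119:101 through 119:117, 119:52 through 119:97 become 119:201 through 119:246, and 119:247 and 119:248 are new events rather than renamed ones. Renumbering SIDs breaks existing suppressions, thresholds, event_filter entries and any SIEM mapping keyed on gid:sid, so the change needs a clearly labelled old-to-new mapping in the changes section, and the two genuinely new events should be marked as new instead of being indistinguishable from the renumbered ones. Separately, 119:103 and 119:108 are "unused event number" placeholders; either omit them from the user manual or state why they are reserved.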
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>imap.b64_decode_depth</strong> = 1460: base64 decoding depth { -1:65535 }\r
+int <strong>imap.b64_decode_depth</strong> = 1460: base64 decoding depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>imap.bitenc_decode_depth</strong> = 1460: non-Encoded MIME attachment extraction depth { -1:65535 }\r
+int <strong>imap.bitenc_decode_depth</strong> = 1460: non-Encoded MIME attachment extraction depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>imap.qp_decode_depth</strong> = 1460: quoted Printable decoding depth { -1:65535 }\r
+int <strong>imap.qp_decode_depth</strong> = 1460: quoted Printable decoding depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>imap.uu_decode_depth</strong> = 1460: Unix-to-Unix decoding depth { -1:65535 }\r
+int <strong>imap.uu_decode_depth</strong> = 1460: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
</ul></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>pop.b64_decode_depth</strong> = 1460: base64 decoding depth { -1:65535 }\r
+int <strong>pop.b64_decode_depth</strong> = 1460: base64 decoding depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>pop.bitenc_decode_depth</strong> = 1460: Non-Encoded MIME attachment extraction depth { -1:65535 }\r
+int <strong>pop.bitenc_decode_depth</strong> = 1460: Non-Encoded MIME attachment extraction depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>pop.qp_decode_depth</strong> = 1460: Quoted Printable decoding depth { -1:65535 }\r
+int <strong>pop.qp_decode_depth</strong> = 1460: Quoted Printable decoding depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>pop.uu_decode_depth</strong> = 1460: Unix-to-Unix decoding depth { -1:65535 }\r
+int <strong>pop.uu_decode_depth</strong> = 1460: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
</ul></div>\r
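Review bot: style: the imap entries say "quoted Printable" and "non-Encoded" while the pop entries directly below say "Quoted Printable" and "Non-Encoded"; since both sets of lines are being touched anyway, pick one spelling (the smtp entries in this same change use "quoted-Printable") and apply it to all three modules.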
</li>\r
<li>\r
<p>\r
+string <strong>reputation.list_dir</strong>: directory for IP lists and manifest file\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>reputation.memcap</strong> = 500: maximum total MB of memory allocated { 1:4095 }\r
</p>\r
</li>\r
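Review bot: `reputation.list_dir` introduces a "manifest file" that is mentioned nowhere else in the hunk; document its expected name and format (or point to the section that describes it), and say whether `list_dir` is used in addition to, or instead of, individually configured list files.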
</li>\r
<li>\r
<p>\r
-string <strong>smtp.binary_data_cmds</strong>: commands that initiate sending of data and use a length value after the command\r
+int <strong>smtp.b64_decode_depth</strong> = 1460: depth used to decode the base64 encoded MIME attachments (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.bitenc_decode_depth</strong> = 25: depth used to extract the non-encoded MIME attachments { -1:65535 }\r
+string <strong>smtp.binary_data_cmds</strong>: commands that initiate sending of data and use a length value after the command\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.b64_decode_depth</strong> = 25: depth used to decode the base64 encoded MIME attachments { -1:65535 }\r
+int <strong>smtp.bitenc_decode_depth</strong> = 1460: depth used to extract the non-encoded MIME attachments (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.qp_decode_depth</strong> = 25: quoted-Printable decoding depth { -1:65535 }\r
+int <strong>smtp.qp_decode_depth</strong> = 1460: quoted-Printable decoding depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.uu_decode_depth</strong> = 25: unix-to-Unix decoding depth { -1:65535 }\r
+int <strong>smtp.uu_decode_depth</strong> = 1460: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
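Review bot: the smtp decode depth defaults change from 25 to 1460 for `b64_decode_depth`, `bitenc_decode_depth`, `qp_decode_depth` and `uu_decode_depth`. That brings smtp in line with the imap and pop defaults above, but it is a behaviour change (far more attachment data is decoded and inspected by default), so it belongs in the changes section rather than only in the reference. The swap of the `b64_decode_depth` and `binary_data_cmds` entries just restores alphabetical order and is fine.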
int <strong>stream.file_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+int <strong>stream.trace</strong>: mask for enabling debug traces in module\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+<strong>135:1</strong> (stream) TCP SYN received\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>135:2</strong> (stream) TCP session established\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>135:3</strong> (stream) TCP session cleared\r
+</p>\r
+</li>\r
</ul></div>\r
<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
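Review bot: 135:1, 135:2 and 135:3 ("TCP SYN received", "TCP session established", "TCP session cleared") describe normal session lifecycle steps rather than anomalies, so a rule that enables them appears to produce an alert for every TCP session. The entries should say what these events are for so that they are not enabled in production by accident, and whether they are disabled by default like other builtin events.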
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.memory_used</strong>: current memory usage in bytes (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>stream_ip.reassembled_bytes</strong>: total reassembled bytes (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>stream_tcp.ignore_any_rules</strong> = false: process TCP content rules w/o ports only if rules with ports are present\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>stream_tcp.max_window</strong> = 0: maximum allowed TCP window { 0:1073725440 }\r
</p>\r
</li>\r
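Review bot: `stream_tcp.ignore_any_rules` is removed without replacement (the `stream_udp` counterpart is removed further down in this change). This option existed in Snort 2 stream configs, so migrating users need a line in the changes section stating that it is gone and whether content rules without ports are now always or never processed; the hunk does not say which.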
</li>\r
<li>\r
<p>\r
+<strong>stream_tcp.instantiated</strong>: new sessions instantiated (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream_tcp.setups</strong>: session initializations (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>stream_tcp.restarts</strong>: sessions restarted (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>stream_tcp.resyns</strong>: SYN received on established session (sum)\r
</p>\r
</li>\r
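Review bot: the new pegs `stream_tcp.instantiated` ("new sessions instantiated") and `stream_tcp.setups` ("session initializations") read as the same quantity; say how they differ (for example, which one counts a tracker being allocated and which counts a handshake being seen) and how `restarts` relates to the existing `resyns` entry, otherwise the numbers cannot be interpreted.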
int <strong>stream_udp.session_timeout</strong> = 30: session tracking timeout { 1:86400 }\r
</p>\r
</li>\r
-<li>\r
-<p>\r
-bool <strong>stream_udp.ignore_any_rules</strong> = false: process UDP content rules w/o ports only if rules with ports are present\r
-</p>\r
-</li>\r
</ul></div>\r
<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
parser. For the reject rule, you can set reject = { } to get the rule to\r
parse.</p></div>\r
<div class="sect2">\r
-<h3 id="_react">react</h3>\r
+<h3 id="_react_2">react</h3>\r
<div class="paragraph"><p>What: send response to client and terminate session</p></div>\r
<div class="paragraph"><p>Type: ips_action</p></div>\r
<div class="paragraph"><p>Usage: detect</p></div>\r
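Review bot: the heading id changes from `_react` to `_react_2` (and likewise `_reject_2`, `_rewrite_2` below) are generator-disambiguated anchors, which means another section with the same title now exists earlier in the manual; any external link to `#_react` will land on that other section instead of this one. If the duplicate titles are unintentional, rename one of the headings rather than accepting the `_2` suffix.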
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_reject">reject</h3>\r
+<h3 id="_reject_2">reject</h3>\r
<div class="paragraph"><p>What: terminate session with TCP reset or ICMP unreachable</p></div>\r
<div class="paragraph"><p>Type: ips_action</p></div>\r
<div class="paragraph"><p>Usage: detect</p></div>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_rewrite">rewrite</h3>\r
+<h3 id="_rewrite_2">rewrite</h3>\r
<div class="paragraph"><p>What: overwrite packet contents</p></div>\r
<div class="paragraph"><p>Type: ips_action</p></div>\r
<div class="paragraph"><p>Usage: detect</p></div>\r
</li>\r
<li>\r
<p>\r
-string <strong>byte_test.~operator</strong>: variable name or number of bytes into the buffer to start processing\r
+string <strong>byte_test.~operator</strong>: operation to perform to test the value\r
</p>\r
</li>\r
<li>\r
<li>\r
<p>\r
changed fast_pattern:<offset>,<length> to\r
- fastpattern_offset: <offset>, fast_pattern_length <length>\r
+ fast_pattern,fast_pattern_offset <offset>,fast_pattern_length <length>\r
</p>\r
</li>\r
<li>\r
read rules from conf, separate rules file, or stdin\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+The symbol =< in a byte test is recognized as a syntax error. The correct\r
+ symbol is <=.\r
+</p>\r
+</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
value over gid:138 rules and was difficult to interpret the result of.</p></div>\r
<div class="paragraph"><p>For more information, See Features > Sensitive Data Filtering for details.</p></div>\r
</div>\r
+<div class="sect2">\r
+<h3 id="_features_not_yet_supported_by_snort_3">Features Not Yet Supported by Snort 3</h3>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+Support in http_inspect for Original Client IP is limited to the\r
+ X-Forwarded-For and True-Client-IP headers in that order. It is not\r
+ possible to configure additional custom headers to search for Original\r
+ Client IP.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+The -n option does not work properly when perf_monitor is configured. The\r
+ number of packets processed from the pcap is likely to be more than the\r
+ number specified with the -n option.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+When a file is transferred via SMB2 it may be allowed even though\r
+ according to file policy it should be blocked. This occurs when the\r
+ create and read requests are sent together and then the read and create\r
+ responses are sent together. Blocking is done correctly if the create and\r
+ read requests are sent separately or if the file is large enough to\r
+ require two read responses.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+This user manual is incomplete and does not fully cover many Snort 2.X\r
+ features that are also supported by Snort 3.\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
</div>\r
</div>\r
<div class="sect1">\r
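Review bot: the second and third items under "Features Not Yet Supported" are bugs, not unsupported features: `-n` processing more packets than requested when perf_monitor is configured, and the SMB2 case where a file that file policy says to block is allowed because the create and read requests arrive together. The SMB2 item in particular is a security-relevant limitation of file blocking and belongs in the Known Issues section, where operators relying on SMB2 file policy will look, with the fail-open outcome stated plainly. Only the first item (no configurable headers for Original Client IP) and the last (manual incompleteness) fit the heading.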
</li>\r
<li>\r
<p>\r
+<strong>--talos</strong> enable Talos inline rule test mode (same as --tweaks talos -Q -q)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>--treat-drop-as-alert</strong> converts drop, sdrop, and reject rules into alert rules during startup\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>--tweaks</strong> tune configuration\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>--catch-test</strong> comma separated list of cat unit test tags or <em>all</em>\r
</p>\r
</li>\r
<strong>--x2s</strong> output ASCII string for given byte code (see also --x2c)\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+<strong>--trace</strong> turn on main loop debug trace\r
+</p>\r
+</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
</li>\r
<li>\r
<p>\r
-int <strong>active.min_interval</strong> = 255: minimum number of seconds between responses { 1: }\r
+int <strong>active.min_interval</strong> = 255: minimum number of seconds between responses { 1:255 }\r
</p>\r
</li>\r
<li>\r
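Review bot: narrowing the range of `active.min_interval` from `{ 1: }` to `{ 1:255 }` turns any existing configuration with a value above 255 into a startup error, and the default (255) now sits exactly at the new upper bound. Call the new limit out in the changes section so the error is not a surprise on upgrade.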
</li>\r
<li>\r
<p>\r
+int <strong>appid.first_decrypted_packet_debug</strong> = 0: the first packet of an already decrypted SSL flow (debug single session only) { 0: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>appid.instance_id</strong> = 0: instance id - ignored { 0: }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-addr <strong>appid.session_log_filter.dst_ip</strong> = 0.0.0.0/32: destination IP address in CIDR format\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-port <strong>appid.session_log_filter.dst_port</strong>: destination port { 1: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>appid.session_log_filter.log_all_sessions</strong> = false: enable logging for all appid sessions\r
+string <strong>appid.tp_appid_config</strong>: path to third party appid configuration file\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>appid.session_log_filter.protocol</strong>: IP protocol\r
+string <strong>appid.tp_appid_path</strong>: path to third party appid dynamic library\r
</p>\r
</li>\r
<li>\r
<p>\r
-addr <strong>appid.session_log_filter.src_ip</strong> = 0.0.0.0/32: source IP address in CIDR format\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-port <strong>appid.session_log_filter.src_port</strong>: source port { 1: }\r
+int <strong>appid.trace</strong>: mask for enabling debug traces in module\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>byte_test.~operator</strong>: variable name or number of bytes into the buffer to start processing\r
+string <strong>byte_test.~operator</strong>: operation to perform to test the value\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+int <strong>dce_smb.trace</strong>: mask for enabling debug traces in module\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
multi <strong>dce_smb.valid_smb_versions</strong> = all: Valid SMB versions { v1 | v2 | all }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+int <strong>dce_udp.trace</strong>: mask for enabling debug traces in module\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>decode.trace</strong>: mask for enabling debug traces in module\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>detection.asn1</strong> = 256: maximum decode nodes { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
+bool <strong>detection.enable_address_anomaly_checks</strong> = false: enable check and alerting of address anomalies\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>detection_filter.count</strong>: hits in interval before allowing the rule to fire { 1: }\r
</p>\r
</li>\r
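Review bot: "enable check and alerting of address anomalies" does not say which anomalies `detection.enable_address_anomaly_checks` covers, which gid:sid events it gates, or why the check is off by default; point to the rule entries this option controls so a reader can judge whether to turn it on.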
</li>\r
<li>\r
<p>\r
+string <strong>domain_filter.file</strong>: file with list of domains identifying hosts to be filtered\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>domain_filter.hosts</strong>: list of domains identifying hosts to be filtered\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>dpx.max</strong> = 0: maximum payload before alert { 0:65535 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+int <strong>gtp_inspect.trace</strong>: mask for enabling debug traces in module\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>gtp_inspect[].version</strong> = 2: GTP version { 0:2 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>imap.b64_decode_depth</strong> = 1460: base64 decoding depth { -1:65535 }\r
+int <strong>imap.b64_decode_depth</strong> = 1460: base64 decoding depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>imap.bitenc_decode_depth</strong> = 1460: non-Encoded MIME attachment extraction depth { -1:65535 }\r
+int <strong>imap.bitenc_decode_depth</strong> = 1460: non-Encoded MIME attachment extraction depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>imap.qp_decode_depth</strong> = 1460: quoted Printable decoding depth { -1:65535 }\r
+int <strong>imap.qp_decode_depth</strong> = 1460: quoted Printable decoding depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>imap.uu_decode_depth</strong> = 1460: Unix-to-Unix decoding depth { -1:65535 }\r
+int <strong>imap.uu_decode_depth</strong> = 1460: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>output.enable_packet_trace</strong> = false: enable summary output of state that determined packet verdict\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>output.event_trace.max_data</strong> = 0: maximum amount of packet data to capture { 0:65535 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-enum <strong>output.packet_trace_output</strong> = console: select where to send packet trace { console | file }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
bool <strong>output.quiet</strong> = false: suppress non-fatal information (still show alerts, same as -q)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>packet_tracer.enable</strong> = false: enable summary output of state that determined packet verdict\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+enum <strong>packet_tracer.output</strong> = console: select where to send packet trace { console | file }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>pcre.~re</strong>: Snort regular expression\r
</p>\r
</li>\r
</li>\r
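Review bot: the packet trace options move from `output.enable_packet_trace` / `output.packet_trace_output` to `packet_tracer.enable` / `packet_tracer.output` with identical defaults and help text, which is a config key rename, but nothing in the diff tells existing users that `output = { enable_packet_trace = true }` must become `packet_tracer = { enable = true }`. A one-line migration note (and a snort2lua mapping, if one exists) would keep existing configs from breaking.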
<li>\r
<p>\r
-int <strong>pop.b64_decode_depth</strong> = 1460: base64 decoding depth { -1:65535 }\r
+int <strong>pop.b64_decode_depth</strong> = 1460: base64 decoding depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>pop.bitenc_decode_depth</strong> = 1460: Non-Encoded MIME attachment extraction depth { -1:65535 }\r
+int <strong>pop.bitenc_decode_depth</strong> = 1460: Non-Encoded MIME attachment extraction depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>pop.qp_decode_depth</strong> = 1460: Quoted Printable decoding depth { -1:65535 }\r
+int <strong>pop.qp_decode_depth</strong> = 1460: Quoted Printable decoding depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>pop.uu_decode_depth</strong> = 1460: Unix-to-Unix decoding depth { -1:65535 }\r
+int <strong>pop.uu_decode_depth</strong> = 1460: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+string <strong>reputation.list_dir</strong>: directory for IP lists and manifest file\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
int <strong>reputation.memcap</strong> = 500: maximum total MB of memory allocated { 1:4095 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>search_engine.detect_raw_tcp</strong> = true: detect on TCP payload before reassembly\r
+bool <strong>search_engine.detect_raw_tcp</strong> = false: detect on TCP payload before reassembly\r
</p>\r
</li>\r
<li>\r
</li>\r
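Review bot: the `search_engine.detect_raw_tcp` default flips from `true` to `false` with no explanation. If this documents a real default change it is security relevant (content rules are no longer evaluated against raw TCP segments before reassembly unless the option is set explicitly) and deserves a changes entry; if the code default was always false and only the documentation was wrong, the commit should say so.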
<li>\r
<p>\r
-int <strong>smtp.b64_decode_depth</strong> = 25: depth used to decode the base64 encoded MIME attachments { -1:65535 }\r
+int <strong>smtp.b64_decode_depth</strong> = 1460: depth used to decode the base64 encoded MIME attachments (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.bitenc_decode_depth</strong> = 25: depth used to extract the non-encoded MIME attachments { -1:65535 }\r
+int <strong>smtp.bitenc_decode_depth</strong> = 1460: depth used to extract the non-encoded MIME attachments (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.qp_decode_depth</strong> = 25: quoted-Printable decoding depth { -1:65535 }\r
+int <strong>smtp.qp_decode_depth</strong> = 1460: quoted-Printable decoding depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>smtp.uu_decode_depth</strong> = 25: unix-to-Unix decoding depth { -1:65535 }\r
+int <strong>smtp.uu_decode_depth</strong> = 1460: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }\r
</p>\r
</li>\r
<li>\r
</li>\r
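Review bot: the four smtp decode depth defaults change from `25` to `1460`, which aligns them with the imap and pop entries above, and the help text gains "(-1 no limit)". As with detect_raw_tcp, the diff does not say whether the code default changed or the documentation was wrong; please state which, since 25 versus 1460 bytes of base64, quoted-printable and UU decoding is a large difference in how much attachment content rules can see. The `unix-to-Unix` capitalization fix on uu_decode_depth is fine.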
<li>\r
<p>\r
+implied <strong>snort.--talos</strong>: enable Talos inline rule test mode (same as --tweaks talos -Q -q)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>snort.-t</strong>: <dir> chroots process to <dir> after initialization\r
</p>\r
</li>\r
<li>\r
<p>\r
+int <strong>snort.trace</strong>: mask for enabling debug traces in module\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>snort.--trace</strong>: turn on main loop debug trace\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>snort.--treat-drop-as-alert</strong>: converts drop, sdrop, and reject rules into alert rules during startup\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+string <strong>snort.--tweaks</strong>: tune configuration\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>snort.-u</strong>: <uname> run snort as <uname> or <uid> after initialization\r
</p>\r
</li>\r
</li>\r
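Review bot: the new `snort.--trace` ("turn on main loop debug trace") and `snort.trace` ("mask for enabling debug traces in module") read as two spellings of the same facility, and `--talos` is defined as "same as --tweaks talos -Q -q" while `--tweaks` is described only as "tune configuration" with no indication of what tweak names exist. Suggest stating how `--trace` relates to the `snort.trace` mask and listing the recognised tweaks, or pointing to where they are listed.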
<li>\r
<p>\r
-bool <strong>stream_tcp.ignore_any_rules</strong> = false: process TCP content rules w/o ports only if rules with ports are present\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>stream_tcp.max_pdu</strong> = 16384: maximum reassembled PDU size { 1460:32768 }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.udp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
+int <strong>stream.trace</strong>: mask for enabling debug traces in module\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.udp_cache.max_sessions</strong> = 131072: maximum simultaneous sessions tracked before pruning { 2: }\r
+int <strong>stream.udp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>stream.udp_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
+int <strong>stream.udp_cache.max_sessions</strong> = 131072: maximum simultaneous sessions tracked before pruning { 2: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>stream_udp.ignore_any_rules</strong> = false: process UDP content rules w/o ports only if rules with ports are present\r
+int <strong>stream.udp_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }\r
</p>\r
</li>\r
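Review bot: `stream_tcp.ignore_any_rules` and `stream_udp.ignore_any_rules` are removed from the option list, and the `+` lines beside them are only the `stream.udp_cache.*` entries shifting up, so the two options are gone outright rather than renamed. Configurations that set them need to change, and the behaviour they controlled (processing port-less content rules only when rules with ports are present) should be described as always on, always off, or moved to another option.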
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
+<strong>appid.appid_unknown</strong>: count of sessions where appid could not be determined (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.ignored_packets</strong>: count of packets ignored (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.packets</strong>: count of packets received (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.processed_packets</strong>: count of packets processed (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.total_sessions</strong>: count of sessions created (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>arp_spoof.packets</strong>: total packets (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>daq.pcaps</strong>: total files and interfaces processed (sum)\r
+<strong>daq.pcaps</strong>: total files and interfaces processed (max)\r
</p>\r
</li>\r
<li>\r
</li>\r
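Review bot: `daq.pcaps` changes its aggregation from `(sum)` to `(max)` while keeping the help text "total files and interfaces processed". If several packet threads each process their own file from a pcap list, the per-thread counts differ and `max` would report only the busiest thread, not the total; please confirm the aggregation matches the description or adjust the text to match the aggregation.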
<li>\r
<p>\r
+<strong>domain_filter.checked</strong>: domains checked (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>domain_filter.filtered</strong>: domains filtered (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>dpx.packets</strong>: total packets (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>ips.invalid_policy_ids</strong>: Number of times an invalid policy ID was provided (sum)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>ipv4.bad_checksum</strong>: nonzero ip checksums (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.memory_used</strong>: current memory usage in bytes (now)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>stream_ip.nodes_deleted</strong>: fragments deleted from tracker (sum)\r
</p>\r
</li>\r
</li>\r
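Review bot: `ips.invalid_policy_ids` and `stream_ip.memory_used` are dropped from the counter list with no replacement shown in this diff. `stream_ip.memory_used` is the only memory gauge for the IP fragment tracker listed here, and a count of invalid policy IDs is the obvious way to spot misconfigured policy bindings; if they were removed from the code the changes should say why, and if they were renamed the new names should appear.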
<li>\r
<p>\r
+<strong>stream_tcp.instantiated</strong>: new sessions instantiated (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>stream_tcp.internal_events</strong>: 135:X events generated (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>stream_tcp.restarts</strong>: sessions restarted (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>stream_tcp.resyns</strong>: SYN received on established session (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>stream_tcp.setups</strong>: session initializations (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>stream_tcp.syn_acks</strong>: number of syn-ack packets (sum)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>135</strong>: stream\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>136</strong>: reputation\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>146</strong>: file_id\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>175</strong>: domain_filter\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>219</strong>: http2_inspect\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>119:35</strong> (http_inspect) anomalous http server on undefined HTTP port\r
+<strong>119:101</strong> (http_inspect) anomalous http server on undefined HTTP port\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>119:102</strong> (http_inspect) invalid status code in HTTP response\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>119:103</strong> (http_inspect) unused event number—should not appear\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:36</strong> (http_inspect) invalid status code in HTTP response\r
+<strong>119:104</strong> (http_inspect) HTTP response has UTF charset that failed to normalize\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:37</strong> (http_inspect) unused event number—should not appear\r
+<strong>119:105</strong> (http_inspect) HTTP response has UTF-7 charset\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:38</strong> (http_inspect) HTTP response has UTF charset that failed to normalize\r
+<strong>119:106</strong> (http_inspect) HTTP response gzip decompression failed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:39</strong> (http_inspect) HTTP response has UTF-7 charset\r
+<strong>119:107</strong> (http_inspect) server consecutive small chunk sizes\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:40</strong> (http_inspect) HTTP response gzip decompression failed\r
+<strong>119:108</strong> (http_inspect) unused event number—should not appear\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:41</strong> (http_inspect) server consecutive small chunk sizes\r
+<strong>119:109</strong> (http_inspect) javascript obfuscation levels exceeds 1\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:42</strong> (http_inspect) unused event number—should not appear\r
+<strong>119:110</strong> (http_inspect) javascript whitespaces exceeds max allowed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:43</strong> (http_inspect) javascript obfuscation levels exceeds 1\r
+<strong>119:111</strong> (http_inspect) multiple encodings within javascript obfuscated data\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:44</strong> (http_inspect) javascript whitespaces exceeds max allowed\r
+<strong>119:112</strong> (http_inspect) SWF file zlib decompression failure\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:45</strong> (http_inspect) multiple encodings within javascript obfuscated data\r
+<strong>119:113</strong> (http_inspect) SWF file LZMA decompression failure\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:46</strong> (http_inspect) SWF file zlib decompression failure\r
+<strong>119:114</strong> (http_inspect) PDF file deflate decompression failure\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:47</strong> (http_inspect) SWF file LZMA decompression failure\r
+<strong>119:115</strong> (http_inspect) PDF file unsupported compression type\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:48</strong> (http_inspect) PDF file deflate decompression failure\r
+<strong>119:116</strong> (http_inspect) PDF file cascaded compression\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:49</strong> (http_inspect) PDF file unsupported compression type\r
+<strong>119:117</strong> (http_inspect) PDF file parse failure\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:50</strong> (http_inspect) PDF file cascaded compression\r
+<strong>119:201</strong> (http_inspect) not HTTP traffic\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:51</strong> (http_inspect) PDF file parse failure\r
+<strong>119:202</strong> (http_inspect) chunk length has excessive leading zeros\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:52</strong> (http_inspect) not HTTP traffic\r
+<strong>119:203</strong> (http_inspect) white space before or between messages\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:53</strong> (http_inspect) chunk length has excessive leading zeros\r
+<strong>119:204</strong> (http_inspect) request message without URI\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:54</strong> (http_inspect) white space before or between messages\r
+<strong>119:205</strong> (http_inspect) control character in reason phrase\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:55</strong> (http_inspect) request message without URI\r
+<strong>119:206</strong> (http_inspect) illegal extra whitespace in start line\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:56</strong> (http_inspect) control character in reason phrase\r
+<strong>119:207</strong> (http_inspect) corrupted HTTP version\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:57</strong> (http_inspect) illegal extra whitespace in start line\r
+<strong>119:208</strong> (http_inspect) unknown HTTP version\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:58</strong> (http_inspect) corrupted HTTP version\r
+<strong>119:209</strong> (http_inspect) format error in HTTP header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:59</strong> (http_inspect) unknown HTTP version\r
+<strong>119:210</strong> (http_inspect) chunk header options present\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:60</strong> (http_inspect) format error in HTTP header\r
+<strong>119:211</strong> (http_inspect) URI badly formatted\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:61</strong> (http_inspect) chunk header options present\r
+<strong>119:212</strong> (http_inspect) unrecognized type of percent encoding in URI\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:62</strong> (http_inspect) URI badly formatted\r
+<strong>119:213</strong> (http_inspect) HTTP chunk misformatted\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:63</strong> (http_inspect) unrecognized type of percent encoding in URI\r
+<strong>119:214</strong> (http_inspect) white space adjacent to chunk length\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:64</strong> (http_inspect) HTTP chunk misformatted\r
+<strong>119:215</strong> (http_inspect) white space within header name\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:65</strong> (http_inspect) white space adjacent to chunk length\r
+<strong>119:216</strong> (http_inspect) excessive gzip compression\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:66</strong> (http_inspect) white space within header name\r
+<strong>119:217</strong> (http_inspect) gzip decompression failed\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:67</strong> (http_inspect) excessive gzip compression\r
+<strong>119:218</strong> (http_inspect) HTTP 0.9 requested followed by another request\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:68</strong> (http_inspect) gzip decompression failed\r
+<strong>119:219</strong> (http_inspect) HTTP 0.9 request following a normal request\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:69</strong> (http_inspect) HTTP 0.9 requested followed by another request\r
+<strong>119:220</strong> (http_inspect) message has both Content-Length and Transfer-Encoding\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:70</strong> (http_inspect) HTTP 0.9 request following a normal request\r
+<strong>119:221</strong> (http_inspect) status code implying no body combined with Transfer-Encoding or nonzero Content-Length\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:71</strong> (http_inspect) message has both Content-Length and Transfer-Encoding\r
+<strong>119:222</strong> (http_inspect) Transfer-Encoding not ending with chunked\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:72</strong> (http_inspect) status code implying no body combined with Transfer-Encoding or nonzero Content-Length\r
+<strong>119:223</strong> (http_inspect) Transfer-Encoding with encodings before chunked\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:73</strong> (http_inspect) Transfer-Encoding not ending with chunked\r
+<strong>119:224</strong> (http_inspect) misformatted HTTP traffic\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:74</strong> (http_inspect) Transfer-Encoding with encodings before chunked\r
+<strong>119:225</strong> (http_inspect) unsupported Content-Encoding used\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:75</strong> (http_inspect) misformatted HTTP traffic\r
+<strong>119:226</strong> (http_inspect) unknown Content-Encoding used\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:76</strong> (http_inspect) unsupported Content-Encoding used\r
+<strong>119:227</strong> (http_inspect) multiple Content-Encodings applied\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:77</strong> (http_inspect) unknown Content-Encoding used\r
+<strong>119:228</strong> (http_inspect) server response before client request\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:78</strong> (http_inspect) multiple Content-Encodings applied\r
+<strong>119:229</strong> (http_inspect) PDF/SWF decompression of server response too big\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:79</strong> (http_inspect) server response before client request\r
+<strong>119:230</strong> (http_inspect) nonprinting character in HTTP message header name\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:80</strong> (http_inspect) PDF/SWF decompression of server response too big\r
+<strong>119:231</strong> (http_inspect) bad Content-Length value in HTTP header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:81</strong> (http_inspect) nonprinting character in HTTP message header name\r
+<strong>119:232</strong> (http_inspect) HTTP header line wrapped\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:82</strong> (http_inspect) bad Content-Length value in HTTP header\r
+<strong>119:233</strong> (http_inspect) HTTP header line terminated by CR without a LF\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:83</strong> (http_inspect) HTTP header line wrapped\r
+<strong>119:234</strong> (http_inspect) chunk terminated by nonstandard separator\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:84</strong> (http_inspect) HTTP header line terminated by CR without a LF\r
+<strong>119:235</strong> (http_inspect) chunk length terminated by LF without CR\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:85</strong> (http_inspect) chunk terminated by nonstandard separator\r
+<strong>119:236</strong> (http_inspect) more than one response with 100 status code\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:86</strong> (http_inspect) chunk length terminated by LF without CR\r
+<strong>119:237</strong> (http_inspect) 100 status code not in response to Expect header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:87</strong> (http_inspect) more than one response with 100 status code\r
+<strong>119:238</strong> (http_inspect) 1XX status code other than 100 or 101\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:88</strong> (http_inspect) 100 status code not in response to Expect header\r
+<strong>119:239</strong> (http_inspect) Expect header sent without a message body\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:89</strong> (http_inspect) 1XX status code other than 100 or 101\r
+<strong>119:240</strong> (http_inspect) HTTP 1.0 message with Transfer-Encoding header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:90</strong> (http_inspect) Expect header sent without a message body\r
+<strong>119:241</strong> (http_inspect) Content-Transfer-Encoding used as HTTP header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:91</strong> (http_inspect) HTTP 1.0 message with Transfer-Encoding header\r
+<strong>119:242</strong> (http_inspect) illegal field in chunked message trailers\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:92</strong> (http_inspect) Content-Transfer-Encoding used as HTTP header\r
+<strong>119:243</strong> (http_inspect) header field inappropriately appears twice or has two values\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:93</strong> (http_inspect) illegal field in chunked message trailers\r
+<strong>119:244</strong> (http_inspect) invalid value chunked in Content-Encoding header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:94</strong> (http_inspect) header field inappropriately appears twice or has two values\r
+<strong>119:245</strong> (http_inspect) 206 response sent to a request without a Range header\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:95</strong> (http_inspect) invalid value chunked in Content-Encoding header\r
+<strong>119:246</strong> (http_inspect) <em>HTTP</em> in version field not all upper case\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:96</strong> (http_inspect) 206 response sent to a request without a Range header\r
+<strong>119:247</strong> (http_inspect) white space embedded in critical header value\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>119:97</strong> (http_inspect) <em>HTTP</em> in version field not all upper case\r
+<strong>119:248</strong> (http_inspect) gzip compressed data followed by unexpected non-gzip data\r
</p>\r
</li>\r
<li>\r
</li>\r
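Review bot: the http_inspect events are renumbered, not changed: 119:35 through 119:51 become 119:101 through 119:117 (+66) and 119:52 through 119:97 become 119:201 through 119:246 (+149), with 119:247 (white space embedded in critical header value) and 119:248 (gzip compressed data followed by unexpected non-gzip data) the only genuinely new events. The line-by-line diff pairs each old ID with an unrelated new description, which hides this, and every rule, `suppress`, `event_filter` or `rule_state` entry that references 119:35 to 119:97 is now stale; a mapping table in the changes would serve readers far better than the diff. Note also that 119:103 and 119:108 are documented as unused yet occupy IDs in the new range.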
<li>\r
<p>\r
+<strong>135:1</strong> (stream) TCP SYN received\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>135:2</strong> (stream) TCP session established\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>135:3</strong> (stream) TCP session cleared\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>136:1</strong> (reputation) packets blacklisted\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>175:1</strong> (domain_filter) configured domain detected\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>256:1</strong> (dpx) too much data sent to port\r
</p>\r
</li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
+<strong>appid.enable_debug</strong>(proto, src_ip, src_port, dst_ip, dst_port): enable appid debugging\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>appid.disable_debug</strong>(): disable appid debugging\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>packet_capture.enable</strong>(filter): dump raw packets\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>packet_tracer.enable</strong>(proto, src_ip, src_port, dst_ip, dst_port): enable packet tracer debugging\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>packet_tracer.disable</strong>(): disable packet tracer\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>snort.show_plugins</strong>(): show available plugins\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>snort.reload_module</strong>(module): reload module\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>snort.reload_daq</strong>(): reload daq module\r
</p>\r
</li>\r
</li>\r
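Review bot: the new control commands `appid.enable_debug(proto, src_ip, src_port, dst_ip, dst_port)` and `packet_tracer.enable(proto, src_ip, src_port, dst_ip, dst_port)` take a five-tuple but the entries do not say how `proto` is written (number or name), which address formats are accepted, or whether a field can be left as a wildcard; `snort.reload_module(module)` likewise does not say which modules are reloadable or what happens to in-flight sessions. A short argument description on each would make these usable from the shell without reading source.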
<li>\r
<p>\r
+<strong>domain_filter</strong> (inspector): alert on configured HTTP domains\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>dpx</strong> (inspector): dynamic inspector example\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>ipv4</strong> (codec): support for Internet protocol v4\r
+<strong>ipv4</strong> (codec): support for Internet protocol v4 (DLT 228)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ipv6</strong> (codec): support for Internet protocol v6\r
+<strong>ipv6</strong> (codec): support for Internet protocol v6 (DLT 229)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>packet_tracer</strong> (basic): generate debug trace messages for packets\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>packets</strong> (basic): configure basic packet handling\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>codec::ipv4</strong>: support for Internet protocol v4\r
+<strong>codec::ipv4</strong>: support for Internet protocol v4 (DLT 228)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>codec::ipv6</strong>: support for Internet protocol v6\r
+<strong>codec::ipv6</strong>: support for Internet protocol v6 (DLT 229)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>codec::raw4</strong>: support for unencapsulated IPv4 (DLT 12) (DLT 228)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>codec::raw6</strong>: support for unencapsulated IPv6 (DLT 229)\r
+<strong>codec::raw</strong>: support for raw IP (DLT 12)\r
</p>\r
</li>\r
<li>\r
</li>\r
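Review bot: the DLT annotations move from the raw codecs to the IP codecs: `codec::raw4` was listed with both DLT 12 and DLT 228 (a duplicate) and `codec::raw6` with DLT 229, and now `ipv4` carries DLT 228, `ipv6` carries DLT 229 and a single `codec::raw` carries DLT 12. That is consistent, but the module and plugin listings should both reflect that raw4 and raw6 no longer exist as names, and the changes should mention the merge since anything that selects codecs by name will not find them.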
<li>\r
<p>\r
+<strong>inspector::domain_filter</strong>: alert on configured HTTP domains\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>inspector::dpx</strong>: dynamic inspector example\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_bugs">Bugs</h3>\r
-<div class="sect3">\r
-<h4 id="_build">Build</h4>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-Enabling large pcap may erroneously affect the number of packets processed\r
- from pcaps.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Enabling debug messages may erroneously affect the number of packets\r
- processed from pcaps.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Building with clang and autotools on Linux will show the following\r
- warning many times. Please ignore.\r
-</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>clang: warning: argument unused during compilation: '-pthread'</code></pre>\r
-</div></div>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_config">Config</h4>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-Parsing issue with IP lists. can’t parse rules with $EXTERNAL_NET\r
- defined as below because of the space between ! and 10.\r
-</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>HOME_NET = [[ 10.0.17.0/24 10.0.14.0/24 10.247.0.0/16 10.246.0.0/16 ]]\r
-EXTERNAL_NET = '! ' .. HOME_NET</code></pre>\r
-</div></div>\r
-</li>\r
-<li>\r
-<p>\r
-Multiple versions of luajit scripts are not handled correctly. The\r
- first loaded version will always be executed even though plugin manager\r
- saves the correct version.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-When using -c and -L together, the last on the command line wins (-c -L\r
- will dump; -L -c will analyze).\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Modules instantiated by command line only will not get default settings\r
- unless hard-coded. This notably applies to -A and -L options.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
---lua can only be used in addition to, not in place of, a -c config.\r
- Ideally, --lua could be used in lieu of -c.\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_rules_4">Rules</h4>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-metdata:service foo; metadata:service foo; won’t cause a duplicate service\r
- warning as does metadata:service foo, service foo;\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-ip_proto doesn’t work properly with reassembled packets so it can’t be\r
- used to restrict the protocol of service rules.\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_snort2lua_2">snort2lua</h4>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-uricontent:"foo"; content:"bar"; → http_uri; content:"foo"; content:"bar";\r
- (missing pkt_data)\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-stream_tcp ports and protocols both go into a single binder.when; this is\r
- incorrect as the when fields are logically anded together (ie must all be\r
- true). Should create 2 separate bindings.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-There is a bug in pps_stream_tcp.cc.. when stream_tcp: is specified\r
- without any arguments, snort2lua doesn’t convert it. Same for\r
- stream_udp.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Loses the ip list delimiters [ ]; change to ( )\r
-</p>\r
-<div class="literalblock">\r
-<div class="content">\r
-<pre><code>in snort.conf: var HOME_NET [A,B,C]\r
-in snort.lua: HOME_NET = [[A B C]]</code></pre>\r
-</div></div>\r
-</li>\r
-<li>\r
-<p>\r
-Won’t convert packet rules (alert tcp etc.) to service rules (alert http\r
- etc.).\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-alert_fast and alert_full: output configuration includes "file =\r
- <em>foo.bar</em>", but file is a bool and you cannot specify an output file name\r
- in the configuration.\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-<div class="sect3">\r
-<h4 id="_runtime">Runtime</h4>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
--B <mask> feature does not work. It does ordinary IP address obfuscation\r
- instead of using the mask.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-Obfuscation does not work for csv format.\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-The hext DAQ will append a newline to text lines (starting with <em>"</em>).\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-The hext DAQ does not support embedded quotes in text lines (use hex\r
- lines as a workaround).\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-stream_tcp alert squash mechanism incorrectly squashes alerts for\r
- different TCP packets.\r
-</p>\r
-</li>\r
-</ul></div>\r
-</div>\r
-</div>\r
-<div class="sect2">\r
<h3 id="_libdaq_and_daq_modules">LibDAQ and DAQ Modules</h3>\r
<div class="paragraph"><p>Snort 2.9 introduces the DAQ, or Data Acquisition library, for packet I/O. The\r
DAQ replaces direct calls to libpcap functions with an abstraction layer that\r
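Review bot: the whole Bugs section (Build, Config, Rules, snort2lua, Runtime) is deleted, yet only the dump DAQ item reappears under the new Known Issues heading. Items such as `-B <mask>` doing ordinary address obfuscation instead of using the mask, obfuscation not working for csv output, the stream_tcp alert squash merging alerts for different packets, ip_proto not restricting service rules on reassembled packets, and the snort2lua conversion defects listed here are either fixed (then the changes should say so) or still open (then they belong under Known Issues). The two obfuscation items in particular affect what leaks into shared logs, so dropping them without comment is the wrong default.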
<div id="footnotes"><hr /></div>\r
<div id="footer">\r
<div id="footer-text">\r
-Last updated 2018-03-15 02:27:21 EDT\r
+Last updated 2018-08-19 02:32:12 EDT\r
</div>\r
</div>\r
</body>\r
3.5. Help
3.6. Common Errors
3.7. Gotchas
+ 3.8. Known Issues
4. Usage
5. Features
- 5.1. AppId
- 5.2. Binder
- 5.3. Byte rule options
- 5.4. DCE Inspectors
- 5.5. File Processing
- 5.6. High Availability
- 5.7. FTP
- 5.8. HTTP Inspector
- 5.9. HTTP/2 Inspector
- 5.10. Performance Monitor
- 5.11. POP and IMAP
- 5.12. Port Scan
- 5.13. Sensitive Data Filtering
- 5.14. SMTP
- 5.15. Telnet
- 5.16. Wizard
+ 5.1. Active Response
+ 5.2. AppId
+ 5.3. Binder
+ 5.4. Byte rule options
+ 5.5. DCE Inspectors
+ 5.6. File Processing
+ 5.7. High Availability
+ 5.8. FTP
+ 5.9. HTTP Inspector
+ 5.10. HTTP/2 Inspector
+ 5.11. Module Trace
+ 5.12. Performance Monitor
+ 5.13. POP and IMAP
+ 5.14. Port Scan
+ 5.15. Sensitive Data Filtering
+ 5.16. SMTP
+ 5.17. Telnet
+ 5.18. Wizard
6. Basic Modules
6.17. memory
6.18. network
6.19. output
- 6.20. packets
- 6.21. process
- 6.22. profiler
- 6.23. rate_filter
- 6.24. references
- 6.25. rule_state
- 6.26. search_engine
- 6.27. side_channel
- 6.28. snort
- 6.29. suppress
+ 6.20. packet_tracer
+ 6.21. packets
+ 6.22. process
+ 6.23. profiler
+ 6.24. rate_filter
+ 6.25. references
+ 6.26. rule_state
+ 6.27. search_engine
+ 6.28. side_channel
+ 6.29. snort
+ 6.30. suppress
7. Codec Modules
9.10. dce_udp
9.11. dnp3
9.12. dns
- 9.13. dpx
- 9.14. file_id
- 9.15. file_log
- 9.16. ftp_client
- 9.17. ftp_data
- 9.18. ftp_server
- 9.19. gtp_inspect
- 9.20. http2_inspect
- 9.21. http_inspect
- 9.22. imap
- 9.23. modbus
- 9.24. normalizer
- 9.25. packet_capture
- 9.26. perf_monitor
- 9.27. pop
- 9.28. port_scan
- 9.29. reg_test
- 9.30. reputation
- 9.31. rpc_decode
- 9.32. sip
- 9.33. smtp
- 9.34. ssh
- 9.35. ssl
- 9.36. stream
- 9.37. stream_file
- 9.38. stream_icmp
- 9.39. stream_ip
- 9.40. stream_tcp
- 9.41. stream_udp
- 9.42. stream_user
- 9.43. telnet
- 9.44. wizard
+ 9.13. domain_filter
+ 9.14. dpx
+ 9.15. file_id
+ 9.16. file_log
+ 9.17. ftp_client
+ 9.18. ftp_data
+ 9.19. ftp_server
+ 9.20. gtp_inspect
+ 9.21. http2_inspect
+ 9.22. http_inspect
+ 9.23. imap
+ 9.24. modbus
+ 9.25. normalizer
+ 9.26. packet_capture
+ 9.27. perf_monitor
+ 9.28. pop
+ 9.29. port_scan
+ 9.30. reg_test
+ 9.31. reputation
+ 9.32. rpc_decode
+ 9.33. sip
+ 9.34. smtp
+ 9.35. ssh
+ 9.36. ssl
+ 9.37. stream
+ 9.38. stream_file
+ 9.39. stream_icmp
+ 9.40. stream_ip
+ 9.41. stream_tcp
+ 9.42. stream_udp
+ 9.43. stream_user
+ 9.44. telnet
+ 9.45. wizard
10. IPS Action Modules
16.6. Rules
16.7. Output
16.8. Sensitive Data
+ 16.9. Features Not Yet Supported by Snort 3
17. Snort2Lua
20.10. Configuration Changes
20.11. Module Listing
20.12. Plugin Listing
- 20.13. Bugs
- 20.14. LibDAQ and DAQ Modules
+ 20.13. LibDAQ and DAQ Modules
Snorty
,,_ -*> Snort++ <*-
-o" )~ Version 3.0.0 (Build 243) from 2.9.11
+o" )~ Version 3.0.0 (Build 246) from 2.9.11
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
enabling the flatbuffers serialization format
* hyperscan >= 4.4.0 from https://github.com/01org/hyperscan to
build new the regex and sd_pattern rule options and hyperscan
- search engine
+ search engine. Hyperscan is large so it recommended to follow
+ their instructions for building it as a shared library.
* iconv from https://ftp.gnu.org/pub/gnu/libiconv/ for converting
UTF16-LE filenames to UTF8 (usually included in glibc)
* lzma >= 5.1.2 from http://tukaani.org/xz/ for decompression of
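Review bot: missing verb in the added sentence `+ search engine. Hyperscan is large so it recommended to follow`; it should read "so it is recommended to follow their instructions for building it as a shared library". While this bullet is being touched, the unchanged line above it, "build new the regex and sd_pattern rule options", is a transposition and should read "build the new regex and sd_pattern rule options".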
--------------
- * A nil key in a table will not caught. Neither will a nil value in
- a table. Neither of the following will cause errors, nor will
- they actually set http_server.post_depth:
+ * A nil key in a table will not be caught. Neither will a nil value
+ in a table. Neither of the following will cause errors, nor will
+ they actually set http_inspect.request_depth:
- http_server = { post_depth }
- http_server = { post_depth = undefined_symbol }
+ http_inspect = { request_depth }
+ http_inspect = { request_depth = undefined_symbol }
* It is not an error to set a value multiple times. The actual
value applied may not be the last in the table either. It is best
to avoid such cases.
- http_server =
+ http_inspect =
{
- post_depth = 1234,
- post_depth = 4321
+ request_depth = 1234,
+ request_depth = 4321
}
* Snort can’t tell you the exact filename or line number of a
semantic error but it will tell you the fully qualified name.
- * The dump DAQ will not work with multiple threads unless you use
- --daq-var file=/dev/null. This will be fixed in at some point to
- use the Snort log directory, etc.
- * configure will use clang by default if it is installed. To
- compile with g instead:
- export CXX=g++
+3.8. Known Issues
+
+--------------
+
+ * The dump DAQ will not work with multiple threads unless you use
+ --daq-var output=none. This will be fixed at some point to use
+ the Snort log directory, etc.
* If you build with hyperscan on OS X and see:
dyld: Library not loaded: @rpath/libhs.4.0.dylib
install_name_tool -change @rpath/libhs.4.0.dylib \
/path-to/libhs.4.0.dylib src/snort
+ * Snort built with tcmalloc support (--enable-tcmalloc) on Ubuntu
+ 17.04/18.04 crashes immediately.
+
+ Workaround:
+ Uninstall gperftools 2.5 provided by the distribution and install gperftools
+ 2.7 before building Snort.
+
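Review bot: the removed bullet `- * configure will use clang by default if it is installed. To` / `- compile with g instead:` / `- export CXX=g++` is dropped without a replacement; if the default-compiler behaviour still holds it belongs in the new Known Issues section (with "g++" spelled out, since the old text said "g"), and if it no longer applies the commit message should say so. The dump DAQ fix (`--daq-var output=none` replacing `file=/dev/null`, and "fixed in at some point" corrected) reads well. In the tcmalloc bullet, "crashes immediately" should say at what point (at startup, before any traffic is processed?), and the `Workaround:` lines are indented differently from the bullet text, so they will render as a paragraph outside the list item rather than as part of it.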
---------------------------------------------------------------------
This section explains how to use key features of Snort.
-5.1. AppId
+5.1. Active Response
+
+--------------
+
+Snort can take more active role in securing network by sending active
+responses to shutdown offending sessions. When active responses is
+enabled, snort will send TCP RST or ICMP unreachable when dropping a
+session.
+
+5.1.1. Changes from Snort 2.9
+
+ * stream5_global:max_active_responses and min_response_seconds are
+ now active.max_responses and active.min_interval.
+ * Response actions were removed from IPS rule body to the rule
+ action in the header. This includes react, reject, and rewrite
+ (split out of replace which now just does the detection part).
+ These IPS actions are plugins.
+ * drop and block are synonymous in Snort 2.9 but in Snort 3.0 drop
+ means don’t forward the current packet only whereas block means
+ don’t forward this or any following packet on the flow.
+
+5.1.2. Configure Active
+
+Active response is enabled by configuring one of following IPS action
+plugins:
+
+react = { }
+reject = { }
+rewrite = { }
+
+Active responses will be performed for reject, react or rewrite IPS
+rule actions, and response packets are encoded based on the
+triggering packet. TTL will be set to the value captured at session
+pickup.
+
+Configure the number of attempts to land a TCP RST within the
+session’s current window (so that it is accepted by the receiving
+TCP). This sequence "strafing" is really only useful in passive mode.
+In inline mode the reset is put straight into the stream in lieu of
+the triggering packet so strafing is not necessary.
+
+Each attempt (sent in rapid succession) has a different sequence
+number. Each active response will actually cause this number of TCP
+resets to be sent. TCP data is multiplied similarly. At most 1 ICMP
+unreachable is sent, iff attempts > 0.
+
+Device IP will perform network layer injection. It is probably a
+better choice to specify an interface and avoid kernel routing
+tables, etc.
+
+dst_mac will change response destination MAC address, if the device
+is eth0, eth1, eth2 etc. Otherwise, response destination MAC address
+is derived from packet.
+
+Example:
+
+active =
+{
+ attempts = 2,
+ device = "eth0",
+ dst_mac = "00:06:76:DD:5F:E3",
+}
+
+5.1.3. Reject
+
+IPS action reject perform active response to shutdown hostile network
+session by injecting TCP resets (TCP connections) or ICMP unreachable
+packets.
+
+Example:
+
+reject = { reset = "both", control = "all" }
+
+local_rules =
+[[
+reject tcp ( msg:"hostile connection"; flow:established, to_server;
+content:"HACK!"; sid:1; )
+]]
+
+ips =
+{
+ rules = local_rules,
+}
+
+5.1.4. React
+
+IPS action react enables sending an HTML page on a session and then
+resetting it.
+
+The page to be sent can be read from a file:
+
+react = { page = "custmized_block_page.html", }
+
+or else the default is used:
+
+<default_page> ::= \
+ "HTTP/1.1 403 Forbidden\r\n"
+ "Connection: close\r\n"
+ "Content-Type: text/html; charset=utf-8\r\n"
+ "\r\n"
+ "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.1//EN\"\r\n" \
+ " \"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd\">\r\n" \
+ "<html xmlns=\"http://www.w3.org/1999/xhtml\"
+ xml:lang=\"en\">\r\n" \
+ "<head>\r\n" \
+ "<meta http-equiv=\"Content-Type\" content=\"text/html;
+ charset=UTF-8\" />\r\n" \
+ "<title>Access Denied</title>\r\n" \
+ "</head>\r\n" \
+ "<body>\r\n" \
+ "<h1>Access Denied</h1>\r\n" \
+ "<p>%s</p>\r\n" \
+ "</body>\r\n" \
+ "</html>\r\n";
+
+Note that the file must contain the entire response, including any
+HTTP headers. In fact, the response isn’t strictly limited to HTTP.
+You could craft a binary payload of arbitrary content.
+
+When the rule is configured, the page is loaded and the %s is
+replaced with the selected message, which defaults to:
+
+"You are attempting to access a forbidden site.<br />" \
+"Consult your system administrator for details."
+
+Additional formatting operators beyond a single %s are prohibited,
+including %d, %x, %s, as well as any URL encodings such as as %20
+(space) that may be within a reference URL.
+
+Example:
+
+react = { page = "my_block_page.html" }
+
+local_rules =
+[[
+react http ( msg:"Unauthorized Access Prohibited!"; flow:established,
+to_server; http_method; content:"GET"; sid:1; )
+]]
+
+ips =
+{
+ rules = local_rules,
+}
+
+5.1.5. Rewrite
+
+IPS action rewrite enables overwrite packet contents based on
+"replace" option in the rules.
+
+For example:
+
+rewrite = { }
+local_rules =
+[[
+rewrite tcp 10.1.1.87 any -> 10.1.1.0/24 80
+(
+ sid:1000002;
+ msg:"test replace rule";
+ content:"index.php", nocase;
+ replace:"indax.php";
+)
+]]
+
+ips =
+{
+ rules = local_rules,
+}
+
+this rule replaces "index.php" with "indax.php", and rewrite action
+updates that packet.
+
+to enable rewrite action:
+
+rewrite = { }
+
+the replace operation can be disabled by changing the configuration:
+
+rewrite = { disable_replace = true }
+
+
+5.2. AppId
--------------
business. The rules can be used to take action based on the
application, such as block, allow or alert.
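Review bot: the introductory paragraph of the new 5.1 section needs a grammar pass: `+Snort can take more active role in securing network by sending active` / `+responses to shutdown offending sessions. When active responses is` should read "Snort can take a more active role in securing the network by sending active responses to shut down offending sessions. When active response is enabled, Snort will send a TCP RST or ICMP unreachable when dropping a session." Further points in the same hunk: the 5.1.2 paragraph beginning "Configure the number of attempts" never names the parameter, so lead with `active.attempts` (the example below uses `attempts = 2`); the page name in 5.1.4 is misspelled (`custmized_block_page.html`); the default page listing has no `\` continuation on its first four lines but does on the rest, and two string literals are broken across lines (`"<html xmlns=\"http://www.w3.org/1999/xhtml\"` / `xml:lang=\"en\">\r\n" \` and the `<meta ...>` line), so the listing is not valid as shown; "such as as %20" has a doubled word, and listing `%s` among the prohibited operators right after permitting a single `%s` is confusing (say "a second %s"); in 5.1.5 "enables overwrite packet contents" should be "enables overwriting packet contents", the sentences "this rule replaces ..." and "to enable rewrite action:" start lowercase, and the `rewrite = { }` enabling snippet repeats the one at the top of the example; finally, the example works because "indax.php" is the same length as "index.php", so state the length constraint on replace explicitly if one exists.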
-5.1.1. Overview
+5.2.1. Overview
The AppId inspector provides an application level view when managing
networks by providing the following features:
detectors are provided by the Snort team and can be downloaded
from snort.org.
-5.1.2. Dependency Requirements
+5.2.2. Dependency Requirements
For proper functioning of the AppId inspector, at a minimum stream
flow tracking must be enabled. In addition, to identify TCP-based or
the data needed. It uses that data to help determine the application
ID.
-5.1.3. Configuration
+5.2.3. Configuration
The AppId feature can be enabled via configuration. To enable it with
the default settings use:
rules = local_rules,
}
-5.1.4. Session Application Identifiers
+5.2.4. Session Application Identifiers
There are up to four AppIds stored in a session as defined below:
with one exception. The order of matching is changed to make
serviceAppId come before clientAppId.
-5.1.5. AppId Usage Statistics
+5.2.5. AppId Usage Statistics
The AppId inspector prints application network usage periodically in
the snort log directory in unified2 format. File name, time interval
for statistic and file rollover are controlled by appId inspection
configuration.
-5.1.6. Open Detector Package (ODP) Installation
+5.2.6. Open Detector Package (ODP) Installation
Application detectors from Snort team will be delivered in a separate
package called the Open Detector Package (ODP) that can be downloaded
* odp/lua //Cisco Lua detectors
* odp/libs //Cisco Lua modules
-5.1.7. User Created Application Detectors
+5.2.7. User Created Application Detectors
Users can detect new applications by adding detectors in the Lua
language. A document will be posted on the Snort Website with details
None of the directories below /usr/local/lib/openappid/ would be
added for you.
-5.1.8. Application Detector Creation Tool
+5.2.8. Application Detector Creation Tool
For rudimentary Lua detectors, there is a tool provided called
appid_detector_builder.sh. This is a simple, menu-driven bash script
called "User Created Application Detectors"
-5.2. Binder
+5.3. Binder
--------------
action, config file, or inspector configuration.
-5.3. Byte rule options
+5.4. Byte rule options
--------------
-5.3.1. byte_test
+5.4.1. byte_test
This rule option tests a byte field against a specific value (with
operator). Capable of testing binary values or converting
if (data & value) { do_something(); }
+! operator negates the results from the base check. !<oper> is
+considered as
+
+!(data <oper> value)
+
Note: The bitmask option applies bitwise AND operator on the bytes
converted. The result will be right-shifted by the number of bits
equal to the number of trailing zeros in the mask. This applies for
the other rule options as well.
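Review bot: the added `!` operator text has no matching example; the Examples block that follows (`alert tcp (byte_test:2, =, 568, 0, bitmask 0x3FF0;)`) only shows `=`, so add one negated form such as `byte_test:2, !=, 568, 0;` so readers see where `!` goes relative to the operator. Also the line break in `+! operator negates the results from the base check. !<oper> is` / `+considered as` leaves "considered as" dangling before a blank line; joining the lines and writing "is interpreted as `!(data <oper> value)`" reads better.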
-5.3.1.1. Examples
+5.4.1.1. Examples
alert tcp (byte_test:2, =, 568, 0, bitmask 0x3FF0;)
alert udp (byte_test:8, =, 0xdeadbeef, 0, string, hex;
msg:"got DEADBEEF!";)
-5.3.2. byte_jump
+5.4.2. byte_jump
The byte_jump rule option allows rules to be written for length
encoded protocols trivially. By having an option that reads the
length-encoded protocols and perform detection in very specific
locations.
-5.3.2.1. Examples
+5.4.2.1. Examples
alert tcp (content:"Begin";
byte_jump:0, 0, from_end, post_offset -6;
byte_test:2, =, 968, 0, relative;
msg:"Bitmask applied on the 2 bytes extracted for byte_jump";)
-5.3.3. byte_extract
+5.4.3. byte_extract
The byte_extract keyword is another useful option for writing rules
against length-encoded protocols. It reads in some number of bytes
can be referenced later in the rule, instead of using hard-coded
values.
-5.3.3.1. Other options which use byte_extract variables
+5.4.3.1. Other options which use byte_extract variables
A byte_extract rule option detects nothing by itself. Its use is in
extracting packet data for use in other rule options.
* byte_jump: offset, post_offset
* isdataat: offset
-5.3.3.2. Examples
+5.4.3.2. Examples
alert tcp (byte_extract:1, 0, str_offset;
byte_extract:1, 1, str_depth;
byte_test: 2, =, var_match, 2, relative;
msg:"Test value match, after applying bitmask on bytes extracted";)
-5.3.4. byte_math
+5.4.4. byte_math
Perform a mathematical operation on an extracted value and a
specified value or existing variable, and store the outcome in a new
writing a rule it should be taken into consideration to avoid wrap
around.
-5.3.4.1. Examples
+5.4.4.1. Examples
alert tcp ( byte_math: bytes 2, offset 0, oper *, rvalue 10, result area;
byte_test:2,>,area,16;)
Result variable area is 50 ( 5 * 10 ). Area variable can be used in
either byte_test offset/value options.
-5.3.5. Testing Numerical Values
+5.4.5. Testing Numerical Values
The rule options byte_test and byte_jump were written to support
writing rules for protocols that have length encoded data. RPC was
byte_test:4,>,200,36;
-5.4. DCE Inspectors
+5.5. DCE Inspectors
--------------
and DCE/RPC defragmentation to avoid rule evasion using these
techniques.
-5.4.1. Overview
+5.5.1. Overview
The following transports are supported for DCE/RPC: SMB, TCP, and
UDP. New rule options have been implemented to improve performance,
address/port mapping is handled by the binder. Autodetect
functionality is replaced by wizard curses.
-5.4.2. Quick Guide
+5.5.2. Quick Guide
A typical dcerpce configuration looks like this:
In this example, it defines smb, tcp and udp inspectors based on
port. All the configurations are default.
-5.4.3. Target Based
+5.5.3. Target Based
There are enough important differences between Windows and Samba
versions that a target based approach has been implemented. Some
* Samba-3.0.22
* Samba-3.0.20
-5.4.4. Reassembling
+5.5.4. Reassembling
Both SMB inspector and TCP inspector support reassemble. Reassemble
threshold specifies a minimum number of bytes in the DCE/RPC
argument to this option will, in effect, disable this option. Default
is disabled.
-5.4.5. SMB
+5.5.5. SMB
SMB inspector is one of the most complex inspectors. In addition to
supporting rule options and lots of inspector rule events, it also
supports file processing for both SMB version 1, 2, and 3.
-5.4.5.1. Finger Print Policy
+5.5.5.1. Finger Print Policy
In the initial phase of an SMB session, the client needs to
authenticate with a SessionSetupAndX. Both the request and response
inspector to dynamically set the policy for a session which allows
for better protection against Windows and Samba specific evasions.
-5.4.5.2. File Inspection
+5.5.5.2. File Inspection
SMB inspector supports file inspection. A typical configuration looks
like this:
unlimited. Default is "off", i.e. no SMB file inspection is done in
the inspector.
-5.4.6. TCP
+5.5.6. TCP
dce_tcp inspector supports defragmentation, reassembling, and policy
that is similar to SMB.
-5.4.7. UDP
+5.5.7. UDP
dce_udp is a very simple inspector that only supports defragmentation
-5.4.8. Rule Options
+5.5.8. Rule Options
New rule options are supported by enabling the dcerpc2 inspectors:
* byte_test: dce
* byte_jump: dce
-5.4.8.1. dce_iface
+5.5.8.1. dce_iface
For DCE/RPC based rules it has been necessary to set flow-bits based
on a client bind to a service to avoid false positives. It is
fast_pattern rule option, it will unequivocally be used over the
above mentioned patterns.
-5.4.8.2. dce_opnum
+5.5.8.2. dce_opnum
The opnum represents a specific function call to an interface. After
is has been determined that a client has bound to a specific
specified with this option. This option matches if any one of the
opnums specified match the opnum of the DCE/RPC request.
-5.4.8.3. dce_stub_data
+5.5.8.3. dce_stub_data
Since most DCE/RPC based rules had to do protocol decoding only to
get to the DCE/RPC stub data, i.e. the remote procedure call or
start of the stub data buffer. To leave the stub data buffer and
return to the main payload buffer, use the "pkt_data" rule option.
-5.4.8.4. byte_test and byte_jump
+5.5.8.4. byte_test and byte_jump
A DCE/RPC request can specify whether numbers are represented in big
or little endian. These rule options will take as a new argument
"hex", "dec", "oct" and "from_beginning"
-5.5. File Processing
+5.6. File Processing
--------------
will provide file type identification, file signature creation, and
file capture capabilities to help users deal with those challenges.
-5.5.1. Overview
+5.6.1. Overview
There are two parts of file services: file APIs and file policy. File
APIs provides all the file inspection functionalities, such as file
* Supported protocols: HTTP, SMTP, IMAP, POP3, FTP, and SMB.
* Supported file signature calculation: SHA256
-5.5.2. Quick Guide
+5.6.2. Quick Guide
A very simple configuration has been included in lua/snort.lua file.
A typical file configuration looks like this:
* At last, enable file_log to get detailed information about file
event
-5.5.3. Pre-packaged File Magic Rules
+5.6.3. Pre-packaged File Magic Rules
A set of file magic rules is packaged with Snort. They can be located
at "lua/file_magic.lua". To use this feature, it is recommended that
In this case, two magics look at the beginning of the file. You can
use character if it is printable or hex value in between "|".
-5.5.4. File Policy
+5.6.4. File Policy
You can enabled file type, file signature, or file capture by
configuring file_id. In addition, you can enable trace to see file
* For all file types identified, they will be logged with
signature, and also captured onto log folder.
-5.5.5. File Capture
+5.6.5. File Capture
File can be captured and stored to log folder. We use SHA as file
name instead of actual file name to avoid conflicts. You can capture
The above rule will enable PDF file capture.
-5.5.6. File Events
+5.6.6. File Events
File inspect preprocessor also works as a dynamic output plugin for
file events. It logs basic information about file. The log file is in
[Size: 1039328]
-5.6. High Availability
+5.7. High Availability
--------------
High Availability includes the HA flow synchronization and the
SideChannel messaging subsystems.
-5.6.1. HA
+5.7.1. HA
HighAvailability (or HA) is a Snort module that provides state
coherency between two partner snort instances. It uses SideChannel
messages while the ancillary module content is only present when
requested via a status change request.
-5.6.2. Connector
+5.7.2. Connector
Connectors are a set of modules that are used to exchange
message-oriented data among Snort threads and the external world. A
Connectors are a Snort plugin type.
-5.6.2.1. Connector (parent plugin class)
+5.7.2.1. Connector (parent plugin class)
Connectors may either be a simplex channel and perform unidirectional
communications. Or may be duplex and perform bidirectional
* FileConnector - Write messages to files and read messages from
files.
-5.6.2.2. TcpConnector
+5.7.2.2. TcpConnector
TcpConnector is a subclass of Connector and implements a DUPLEX type
Connector, able to send and receive messages over a tcp session.
},
}
-5.6.2.3. FileConnector
+5.7.2.3. FileConnector
FileConnector implements a Connector that can either read from files
or write to files. FileConnector’s are simplex and must be configured
},
}
-5.6.3. Side Channel
+5.7.3. Side Channel
SideChannel is a Snort module that uses Connectors to implement a
messaging infrastructure that is used to communicate between Snort
}
-5.7. FTP
+5.8. FTP
--------------
determine when an FTP command connection is encrypted, and determine
when an FTP data channel is opened.
-5.7.1. Configuring the inspector to block exploits and attacks
+5.8.1. Configuring the inspector to block exploits and attacks
-5.7.1.1. ftp_server configuration
+5.8.1.1. ftp_server configuration
* ftp_cmds
MDTM commands that set the modification time on a file. The most
common among servers that do, accept a format using YYYYMMDDHHmmss
[.uuu]. Some others accept a format using YYYYMMDDHHmmss[+|-]TZ
-format. The example above is for the first case (time format as
-specified in https://tools.ietf.org/html/draft-ietf-ftpext-mlst-16)
+format. The example above is for the first case.
To check validity for a server that uses the TZ format, use the
following:
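Review bot: `-specified in https://tools.ietf.org/html/draft-ietf-ftpext-mlst-16)` removes the only citation for the YYYYMMDDHHmmss[.uuu] time format; if the draft URL is the problem, point at the published RFC instead (draft-ietf-ftpext-mlst became RFC 3659) rather than dropping the reference, otherwise readers have nothing to check the format against.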
If your rule set includes virus-type rules, it is recommended that
this option not be used.
-5.7.1.2. ftp_client configuration
+5.8.1.2. ftp_client configuration
* max_resp_len
command channel. Some FTP clients do not process those telnet escape
sequences.
-5.7.1.3. ftp_data
+5.8.1.3. ftp_data
In order to enable file inspection for ftp, the following should be
added to the configuration:
ftp_data = {}
-5.8. HTTP Inspector
+5.9. HTTP Inspector
--------------
One of the major undertakings for Snort 3 is developing a completely
new HTTP inspector.
-5.8.1. Overview
+5.9.1. Overview
You can configure it by adding:
to be a date then normalization means put that date in a standard
format.
-5.8.2. Configuration
+5.9.2. Configuration
Configuration can be as simple as adding:
that provide extra features, tweak how things are done, or conserve
resources by doing less.
-5.8.2.1. request_depth and response_depth
+5.9.2.1. request_depth and response_depth
These replace the flow depth parameters used by the old HTTP
inspector but they work differently.
These limits have no effect on how much data is forwarded to file
processing.
-5.8.2.2. gzip
+5.9.2.2. gzip
http_inspect by default decompresses deflate and gzip message bodies
before inspecting them. This feature can be turned off by unzip =
meaningful inspection of message bodies will be possible. Effectively
HTTP processing would be limited to the headers.
-5.8.2.3. normalize_utf
+5.9.2.3. normalize_utf
http_inspect will decode utf-8, utf-7, utf-16le, utf-16be, utf-32le,
and utf-32be in response message bodies based on the Content-Type
header. This feature is on by default: normalize_utf = false will
deactivate it.
-5.8.2.4. decompress_pdf
+5.9.2.4. decompress_pdf
decompress_pdf = true will enable decompression of compressed
portions of PDF files encountered in a response body. http_inspect
content is decompressed and made available through the file data rule
option.
-5.8.2.5. decompress_swf
+5.9.2.5. decompress_swf
decompress_swf = true will enable decompression of compressed SWF
(Adobe Flash content) files encountered in a response body. The
through the file data rule option. The compressed SWF file signature
is converted to FWS to indicate an uncompressed file.
-5.8.2.6. normalize_javascript
+5.9.2.6. normalize_javascript
normalize_javascript = true will enable normalization of JavaScript
within the HTTP response body. http_inspect looks for JavaScript by
replaces consecutive whitespaces with a single space and normalizes
the plus by concatenating the strings.
-5.8.2.7. URI processing
+5.9.2.7. URI processing
Normalization and inspection of the URI in the HTTP request message
is a key aspect of what http_inspect does. The best way to normalize
such a server then set backslash_to_slash = true and all the
backslashes will be replaced with slashes during normalization.
-5.8.3. Detection rules
+5.9.3. Detection rules
http_inspect parses HTTP messages into their components and makes
them available to the detection engine through rule options. Let’s
In addition to the headers there are rule options for virtually every
part of the HTTP message.
-5.8.3.1. http_uri and http_raw_uri
+5.9.3.1. http_uri and http_raw_uri
These provide the URI of the request message. The raw form is exactly
as it appeared in the message and the normalized form is determined
Nothing here is intended to conflict with the technical language of
the HTTP RFCs and the implementation follows the RFCs.
-5.8.3.2. http_header and http_raw_header
+5.9.3.2. http_header and http_raw_header
These cover all the header lines except the first one. You may
specify an individual header by name using the field option as shown
and accurate rule. It is recommended that new rules be written using
individual headers whenever possible.
-5.8.3.3. http_trailer and http_raw_trailer
+5.9.3.3. http_trailer and http_raw_trailer
HTTP permits header lines to appear after a chunked body ends.
Typically they contain information about the message content that was
rule to inspect both kinds of headers you need to write two rules,
one using header and one using trailer.
-5.8.3.4. http_cookie and http_raw_cookie
+5.9.3.4. http_cookie and http_raw_cookie
These provide the value of the Cookie header for a request message
and the Set-Cookie for a response message. If multiple cookies are
Normalization for http_cookie is the same URI-style normalization
applied to http_header when no specific header is specified.
-5.8.3.5. http_true_ip
+5.9.3.5. http_true_ip
This provides the original IP address of the client sending the
request as it was stored by a proxy in the request message headers.
or True-Client-IP header. If both headers are present the former is
used.
-5.8.3.6. http_client_body
+5.9.3.6. http_client_body
This is the body of a request message such as POST or PUT.
Normalization for http_client_body is the same URI-like normalization
applied to http_header when no specific header is specified.
-5.8.3.7. http_raw_body
+5.9.3.7. http_raw_body
This is the body of a request or response message. It will be
dechunked and unzipped if applicable but will not be normalized in
header, but http_raw_body is limited to the message body. Thus the
latter is more efficient and more accurate for most uses.
-5.8.3.8. http_method
+5.9.3.8. http_method
The method field of a request message. Common values are "GET",
"POST", "OPTIONS", "HEAD", "DELETE", "PUT", "TRACE", and "CONNECT".
-5.8.3.9. http_stat_code
+5.9.3.9. http_stat_code
The status code field of a response message. This is normally a
3-digit number between 100 and 599. In this example it is 200.
HTTP/1.1 200 OK
-5.8.3.10. http_stat_msg
+5.9.3.10. http_stat_msg
The reason phrase field of a response message. This is the
human-readable text following the status code. "OK" in the previous
example.
-5.8.3.11. http_version
+5.9.3.11. http_version
The protocol version information that appears on the first line of an
HTTP message. This is usually "HTTP/1.0" or "HTTP/1.1".
-5.8.3.12. http_raw_request and http_raw_status
+5.9.3.12. http_raw_request and http_raw_status
These are the unmodified first header line of the HTTP request and
response messages respectively. These rule options are a safety valve
http_raw_uri, and http_version. For a response message those are
http_version, http_stat_code, and http_stat_msg.
-5.8.3.13. file_data and packet data
+5.9.3.13. file_data and packet data
file_data contains the normalized message body. This is the
normalization described above under gzip, normalize_utf,
The unnormalized message content is available in the packet data. If
gzip is configured the packet data will be unzipped.
-5.8.4. Timing issues and combining rule options
+5.9.4. Timing issues and combining rule options
HTTP inspector is stateful. That means it is aware of a bigger
picture than the packet in front of it. It knows what all the pieces
cannot.
-5.9. HTTP/2 Inspector
+5.10. HTTP/2 Inspector
--------------
of the individual HTTP/1.1 streams.
-5.10. Performance Monitor
+5.11. Module Trace
+
+--------------
+
+Snort 3 retired the different flavors of debug macros that used to be
+set through environment variable SNORT_DEBUG. It was replaced by a
+module specific trace. Trace is turned on by setting the
+module-specific trace bitmask in snort.lua. As before, in order to
+enable it, snort has to be configured and built with
+--enable-debug-msgs.
+
+5.11.1. Debugging rules using detection trace
+
+Detection engine is responsible for rule evaluation. Turning on the
+trace for it can help with debugging new rules.
+
+The relevant options for detection are as follow (represented as
+hex):
+
+0x2 - follow rule evaluation
+0x4 - print evaluated buffer if it changed
+0x8 - print evaluated buffer at every step
+0x10 - print value of ips rule options vars
+0x20 - print information on fast pattern search
+
+Buffer print is useful, but in case the buffer is very big can be too
+verbose. Choose between 0x4, 0x8 or no buffer trace accordingly.
+
+0x10 is useful when the rule is using ips rule options vars.
+
+5.11.2. Example - rule evaluation traces:
+
+In snort.lua, the following line was added:
+
+detection = {trace = 0x20 + 0x10 + 0x2 + 0x4}
+
+The pcap has a single packet with payload: 10.AAAAAAAfoobar
+
+Evaluated on rules:
+
+# byte_math + oper with byte extract and content
+# VAL = 1, byte_math = 0 + 10
+alert tcp ( byte_extract: 1, 0, VAL, string, dec;
+byte_math:bytes 1,offset VAL,oper +, rvalue 10, result var1, string dec;
+content:"foo", offset var1; sid:3)
+
+#This rule should not trigger
+alert tcp (content:"AAAAA"; byte_jump:2,0,relative;
+content:"foo", within 3; sid:2)
+
+The output:
+
+detection: packet 1 C2S 127.0.0.1:1234 127.0.0.1:5678
+detection: Fast pattern search
+detection: 1 fp packet[16]
+
+snort.raw[16]:
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+31 30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 10.AAAAAAAfoobar
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+detection: Processing pattern match #1
+detection: Fast pattern packet[5] = 'AAAAA' |41 41 41 41 41 | ( )
+detection: Starting tree eval
+detection: Evaluating option content, cursor name pkt_data, cursor position 0
+
+snort.raw[16]:
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+31 30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 10.AAAAAAAfoobar
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+detection: Rule options variables:
+var[0]=0 var[1]=0 var[2]=0
+detection: Evaluating option byte_jump, cursor name pkt_data, cursor position 8
+
+snort.raw[8]:
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+41 41 66 6F 6F 62 61 72 AAfoobar
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+detection: no match
+detection: Rule options variables:
+var[0]=0 var[1]=0 var[2]=0
+detection: Evaluating option byte_jump, cursor name pkt_data, cursor position 9
+
+snort.raw[7]:
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+41 66 6F 6F 62 61 72 Afoobar
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+detection: no match
+detection: Rule options variables:
+var[0]=0 var[1]=0 var[2]=0
+detection: Evaluating option byte_jump, cursor name pkt_data, cursor position 10
+
+snort.raw[6]:
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+66 6F 6F 62 61 72 foobar
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+detection: no match
+detection: no match
+detection: Processing pattern match #2
+detection: Fast pattern packet[3] = 'foo' |66 6F 6F | ( )
+detection: Starting tree eval
+detection: Evaluating option byte_extract, cursor name pkt_data, cursor position 0
+
+snort.raw[16]:
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+31 30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 10.AAAAAAAfoobar
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+detection: Rule options variables:
+var[0]=1 var[1]=0 var[2]=0
+detection: Evaluating option byte_math, cursor name pkt_data, cursor position 1
+
+snort.raw[15]:
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 0.AAAAAAAfoobar
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+detection: Rule options variables:
+var[0]=1 var[1]=10 var[2]=0
+detection: Evaluating option content, cursor name pkt_data, cursor position 2
+
+snort.raw[14]:
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 .AAAAAAAfoobar
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+detection: Rule options variables:
+var[0]=1 var[1]=10 var[2]=0
+detection: Reached leaf, cursor name pkt_data, cursor position 13
+
+snort.raw[3]:
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+62 61 72 bar
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+detection: Matched rule gid:sid:rev 1:3:0
+detection: Rule options variables:
+var[0]=1 var[1]=10 var[2]=0
+04/22-20:21:40.905630, 1, TCP, raw, 56, C2S, 127.0.0.1:1234, 127.0.0.1:5678, 1:3:0, allow
+
+5.11.3. Protocols decoding trace
+
+Turning on decode trace will print out information about the packets
+decoded protocols. Can be useful in case of tunneling.
+
+Example for a icmpv4-in-ipv6 packet:
+
+In snort.lua, the following line was added:
+
+decode = { trace = 1 }
+
+The output:
+
+decode: Codec eth (protocol_id: 34525) ip header starts at: 0x7f70800110f0, length is 14
+decode: Codec ipv6 (protocol_id: 1) ip header starts at: 0x7f70800110f0, length is 40
+decode: Codec icmp4 (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 8
+decode: Codec unknown (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 0
+
+5.11.4. Other available traces
+
+There are more trace options supported by detection:
+
+0x1 - prints statistics about the engine
+0x40 - prints a message when disabling content detect for packet
+0x80 - prints option tree data structure
+0x100 - prints a message when a new tag is added
+
+Detection is the only module that support multiple options for trace.
+
+The rest support only 1 option, and can be turned on by adding trace
+= 1 to their lua config.
+
+ * stream module trace:
+
+When turned on prints a message in case inspection is stopped on a
+flow. Example for output:
+
+stream: stop inspection on flow, dir BOTH
+
+ * stream_ip, stream_user: trace will output general processing
+ messages
+
+Other modules that support trace have messages as seemed fit to the
+developer. Some are for corner cases, other for complex data
+structures prints. Current list of additional modules supporting
+trace: appid, dce_smb, gtp_inspect and dce_udp.
+
+
+5.12. Performance Monitor
--------------
being dropped without hitting a rule? perf_monitor! Why is a sensor
leaking water? Not perf_monitor, check with stream…
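Review bot: In the new 5.11.3 decode trace example (the four `decode:` lines), the `protocol_id` and `ip header starts at` fields are left unexplained and look inconsistent: 34525 is 0x86DD, the IPv6 EtherType, so `protocol_id` evidently names the next-layer protocol rather than the codec's own; 256 is outside the 8-bit protocol range and reads as a "none" sentinel; and all four codecs print the same `0x7f70800110f0` address under the label "ip header starts at", which cannot hold for the eth codec whose length is 14. Add a sentence defining the fields (or regenerate the capture) so readers can interpret the output. Separately, 5.11.4 states that detection is the only module accepting a multi-option trace mask and that the rest take only `trace = 1`, yet the module reference entries added in this same change for appid, dce_smb, dce_udp and gtp_inspect all describe `trace` as a "mask for enabling debug traces in module"; one of the two needs correcting. Minor grammar: "the only module that support" should be "that supports", and "messages as seemed fit to the developer" should be "messages as the developer saw fit".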
-5.10.1. Overview
+5.12.1. Overview
The Snort performance monitor is the built-in utility for monitoring
system and traffic statistics. All statistics are separated by
processing thread. perf_monitor supports several trackers for
monitoring such data:
-5.10.2. Base Tracker
+5.12.2. Base Tracker
The base tracker is used to gather running statistics about Snort and
its running modules. All Snort modules gather, at the very least,
Note: Event stats from prior Snorts are now located within base
statistics.
-5.10.3. Flow Tracker
+5.12.3. Flow Tracker
Flow tracks statistics regarding traffic and L3/L4 protocol
distributions. This data can be used to build a profile of traffic
perf_monitor = { flow = true }
-5.10.4. FlowIP Tracker
+5.12.4. FlowIP Tracker
FlowIP provides statistics for individual hosts within a network.
This data can be used for identifying communication habits, such as
perf_monitor = { flow_ip = true }
-5.10.5. CPU Tracker
+5.12.5. CPU Tracker
This tracker monitors the CPU and wall time spent by a given
processing thread.
perf_monitor = { cpu = true }
-5.10.6. Formatters
+5.12.6. Formatters
Performance monitor allows statistics to be output in a few formats.
Along with human readable text (as seen at shutdown) and csv formats,
monitor or the code provided for fbstreamer.
-5.11. POP and IMAP
+5.13. POP and IMAP
--------------
POP inspector is a service inspector for POP3 protocol and IMAP
inspector is for IMAP4 protocol.
-5.11.1. Overview
+5.13.1. Overview
POP and IMAP inspectors examine data traffic and find POP and IMAP
commands and responses. The inspectors also identify the command,
appropriately. The pop and imap also identify and whitelist the pop
and imap traffic.
-5.11.2. Configuration
+5.13.2. Configuration
POP inspector and IMAP inspector offer same set of configuration
-options for MIME decoding depth:
-
-5.11.2.1. b64_decode_depth
-
-This config option is used to turn off/on or set the base64 decoding
-depth used to decode the base64 encoded MIME attachments. The value
-ranges from -1 to 65535. A value of -1 turns off the base64 decoding
-of MIME attachments. The value of 0 sets the decoding of base64
-encoded MIME attachments to unlimited. A value other than 0 or -1
-restricts the decoding of base64 MIME attachments, and applies per
-attachment. The default value is 1460.
-
-5.11.2.2. qp_decode_depth
-
-This config option is used to turn off/on or set the Quoted-Printable
-decoding depth used to decode the Quoted-Printable(QP) encoded MIME
-attachments. The value ranges from -1 to 65535. A value of -1 turns
-off the QP decoding of MIME attachments. The value of 0 sets the
-decoding of QP encoded MIME attachments to unlimited. A value other
-than 0 or -1 restricts the decoding of QP MIME attachments, and
-applies per attachment.
-
-5.11.2.3. bitenc_decode_depth
-
-This config option is used to turn off/on or set the non-encoded MIME
-extraction depth used to extract the non-encoded MIME attachments.
-The value ranges from -1 to 65535. A value of -1 turns off the
-extraction of these MIME attachments. The value of 0 sets the
-extraction of these MIME attachments to unlimited. A value other than
-0 or -1 restricts the extraction of these MIME attachments, and
-applies per attachment.
-
-5.11.2.4. uu_decode_depth
-
-This config option is used to turn off/on or set the Unix-to-Unix
-decoding depth used to decode the Unix-to-Unix(UU) encoded
-attachments. The value ranges from -1 to 65535. A value of -1 turns
-off the UU decoding of POP attachments. The value of 0 sets the
-decoding of UU encoded POP attachments to unlimited. A value other
-than 0 or -1 restricts the decoding of UU POP attachments, and
-applies per attachment.
-
-5.11.2.5. Examples
+options for MIME decoding depth. These depths range from 0 to 65535
+bytes. Setting the value to 0 ("do none") turns the feature off.
+Alternatively the value -1 means an unlimited amount of data should
+be decoded. If you do not specify the default value is 1460 bytes.
+
+The depth limits apply per attachment. They are:
+
+5.13.2.1. b64_decode_depth
+
+Set the base64 decoding depth used to decode the base64-encoded MIME
+attachments.
+
+5.13.2.2. qp_decode_depth
+
+Set the Quoted-Printable (QP) decoding depth used to decode
+QP-encoded MIME attachments.
+
+5.13.2.3. bitenc_decode_depth
+
+Set the non-encoded MIME extraction depth used for non-encoded MIME
+attachments.
+
+5.13.2.4. uu_decode_depth
+
+Set the Unix-to-Unix (UU) decoding depth used to decode UU-encoded
+attachments.
+
+5.13.2.5. Examples
stream = { }
imap =
{
- qp_decode_depth = 15,
+ qp_decode_depth = 500,
}
pop =
{
- qp_decode_depth = 0,
- b64_decode_depth = 10,
+ qp_decode_depth = -1,
+ b64_decode_depth = 3000,
}
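Review bot: The rewritten range statement in 5.13.2 is wrong: "These depths range from 0 to 65535 bytes" contradicts the option's own definition later in this patch (`{ -1:65535 }`, "-1 no limit" for imap and pop) and the very next sentence, which assigns a meaning to -1; it should read "from -1 to 65535". The rewrite also inverts the old prose (previously -1 = off and 0 = unlimited; now 0 = off and -1 = unlimited). Since the module reference agrees with the new meaning that is fine, but a change of meaning for the same numeric values deserves a change-log line, because an existing config with `b64_decode_depth = 0` silently flips from unlimited to disabled. The updated examples (`qp_decode_depth = -1`, `b64_decode_depth = 3000`) are consistent with the new text.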
-5.12. Port Scan
+5.14. Port Scan
--------------
A module to detect port scanning
-5.12.1. Overview
+5.14.1. Overview
This module is designed to detect the first phase in a network
attack: Reconnaissance. In the Reconnaissance phase, an attacker
triggered. Open port events are not individual alerts, but tags based
off the original scan alert.
-5.12.2. Scan levels
+5.14.2. Scan levels
There are 3 default scan levels that can be set.
monitoring, but is very sensitive to active hosts. This most
definitely will require the user to tune Portscan.
-5.12.3. Tuning Portscan
+5.14.3. Tuning Portscan
The most important aspect in detecting portscans is tuning the
detection engine for your network(s). Here are some tuning tips:
filtered scans, since these are more prone to false positives.
-5.13. Sensitive Data Filtering
+5.15. Sensitive Data Filtering
--------------
addresses. A rich regular expression syntax is available for defining
your own PII.
-5.13.1. Hyperscan
+5.15.1. Hyperscan
The sd_pattern rule option is powered by the open source Hyperscan
library from Intel. It provides a regex grammar which is mostly PCRE
-compatible. To learn more about Hyperscan see http://01org.github.io/
-hyperscan/dev-reference/
+compatible. To learn more about Hyperscan see https://intel.github.io
+/hyperscan/dev-reference/
-5.13.2. Syntax
+5.15.2. Syntax
Snort provides sd_pattern as IPS rule option with no additional
inspector overhead. The Rule option takes the following syntax.
sd_pattern: "<pattern>"[, threshold <count>];
-5.13.2.1. Pattern
+5.15.2.1. Pattern
Pattern is the most important and is the only required parameter to
sd_pattern. It supports 3 built in patterns which are configured by
name: "credit_card", "us_social" and "us_social_nodashes", as well as
-user defined regular expressions of the Hyperscan dialect (see http:/
-/01org.github.io/hyperscan/dev-reference/compilation.html#
+user defined regular expressions of the Hyperscan dialect (see https:
+//intel.github.io/hyperscan/dev-reference/compilation.html#
pattern-support).
sd_pattern:"credit_card";
Note: This is just an example, this pattern is not suitable to detect
many correctly formatted emails.
-5.13.2.2. Threshold
+5.15.2.2. Threshold
Threshold is an optional parameter allowing you to change built in
default value (default value is 1). The following two instances are
literal" to qualify as a positive match. That is, if the string only
occurred 299 times in a packet, you will not see an event.
-5.13.2.3. Obfuscating Credit Cards and Social Security Numbers
+5.15.2.3. Obfuscating Credit Cards and Social Security Numbers
Snort provides discreet logging for the built in patterns
"credit_card", "us_social" and "us_social_nodashes". Enabling
obfuscate_pii = true
}
-5.13.3. Example
+5.15.3. Example
A complete Snort IPS rule
58 58 58 58 58 58 58 58 58 58 58 58 39 32 39 34 XXXXXXXXXXXX9294
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-5.13.4. Caveats
+5.15.4. Caveats
1. Snort currently requires setting the fast pattern engine to use
"hyperscan" in order for sd_pattern ips option to function
(This is a known bug).
-5.14. SMTP
+5.16. SMTP
--------------
SMTP inspector is a service inspector for SMTP protocol.
-5.14.1. Overview
+5.16.1. Overview
The SMTP inspector examines SMTP connections looking for commands and
responses. It also identifies the command, header and body sections,
SMTP inspector logs the filename, email addresses, attachment names
when configured.
-5.14.2. Configuration
+5.16.2. Configuration
SMTP command lines can be normalized to remove extraneous spaces.
TLS-encrypted traffic can be ignored, which improves performance. In
The configuration options are described below:
-5.14.2.1. normalize and normalize_cmds
+5.16.2.1. normalize and normalize_cmds
Normalization checks for more than one space character after a
command. Space characters are defined as space (ASCII 0x20) or tab
smtp = { normalize = 'cmds', normalize_cmds = 'RCPT VRFY EXPN' }
-5.14.2.2. ignore_data
+5.16.2.2. ignore_data
Set it to true to ignore data section of mail (except for mail
headers) when processing rules.
-5.14.2.3. ignore_tls_data
+5.16.2.3. ignore_tls_data
Set it to true to ignore TLS-encrypted data when processing rules.
-5.14.2.4. max_command_line_len
+5.16.2.4. max_command_line_len
Alert if an SMTP command line is longer than this value. Absence of
this option or a "0" means never alert on command line length. RFC
2821 recommends 512 as a maximum command line length.
-5.14.2.5. max_header_line_len
+5.16.2.5. max_header_line_len
Alert if an SMTP DATA header line is longer than this value. Absence
of this option or a "0" means never alert on data header line length.
RFC 2821 recommends 1024 as a maximum data header line length.
-5.14.2.6. max_response_line_len
+5.16.2.6. max_response_line_len
Alert if an SMTP response line is longer than this value. Absence of
this option or a "0" means never alert on response line length. RFC
2821 recommends 512 as a maximum response line length.
-5.14.2.7. alt_max_command_line_len
+5.16.2.7. alt_max_command_line_len
Overrides max_command_line_len for specific commands For example:
},
}
-5.14.2.8. invalid_cmds
+5.16.2.8. invalid_cmds
Alert if this command is sent from client side.
-5.14.2.9. valid_cmds
+5.16.2.9. valid_cmds
List of valid commands. We do not alert on commands in this list.
STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS X-LINK2STATE
XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR ]]
-5.14.2.10. data_cmds
+5.16.2.10. data_cmds
List of commands that initiate sending of data with an end of data
delimiter the same as that of the DATA command per RFC 5321 - "
<CRLF>.<CRLF>".
-5.14.2.11. binary_data_cmds
+5.16.2.11. binary_data_cmds
List of commands that initiate sending of data and use a length value
after the command to indicate the amount of data to be sent, similar
to that of the BDAT command per RFC 3030.
-5.14.2.12. auth_cmds
+5.16.2.12. auth_cmds
List of commands that initiate an authentication exchange between
client and server.
-5.14.2.13. xlink2state
+5.16.2.13. xlink2state
Enable/disable xlink2state alert, options are {disable | alert |
drop}. See CVE-2005-0560 for a description of the vulnerability.
-5.14.2.14. b64_decode_depth
-
-This config option is used to turn off/on or set the base64 decoding
-depth used to decode the base64 encoded MIME attachments. The value
-ranges from -1 to 65535. A value of -1 turns off the base64 decoding
-of MIME attachments. The value of 0 sets the decoding of base64
-encoded MIME attachments to unlimited. A value other than 0 or -1
-restricts the decoding of base64 MIME attachments, and applies per
-attachment.
-
-5.14.2.15. qp_decode_depth
-
-This config option is used to turn off/on or set the Quoted-Printable
-decoding depth used to decode the Quoted-Printable(QP) encoded MIME
-attachments. The value ranges from -1 to 65535. A value of -1 turns
-off the QP decoding of MIME attachments. The value of 0 sets the
-decoding of QP encoded MIME attachments to unlimited. A value other
-than 0 or -1 restricts the decoding of QP MIME attachments, and
-applies per attachment.
-
-5.14.2.16. bitenc_decode_depth * default to 25
+5.16.2.14. MIME processing depth parameters
-This config option is used to turn off/on or set the non-encoded MIME
-extraction depth used to extract the non-encoded MIME attachments.
-The value ranges from -1 to 65535. A value of -1 turns off the
-extraction of these MIME attachments. The value of 0 sets the
-extraction of these MIME attachments to unlimited. A value other than
-0 or -1 restricts the extraction of these MIME attachments, and
-applies per attachment.
+These four MIME processing depth parameters are identical to their
+POP and IMAP counterparts. See that section for further details.
-5.14.2.17. uu_decode_depth
+b64_decode_depth qp_decode_depth bitenc_decode_depth uu_decode_depth
-This config option is used to turn off/on or set the Unix-to-Unix
-decoding depth used to decode the Unix-to-Unix(UU) encoded
-attachments. The value ranges from -1 to 65535. A value of -1 turns
-off the UU decoding of SMTP attachments. The value of 0 sets the
-decoding of UU encoded SMTP attachments to unlimited. A value other
-than 0 or -1 restricts the decoding of UU SMTP attachments, and
-applies per attachment.
-
-5.14.2.18. Log Options
+5.16.2.15. Log Options
Following log options allow SMTP inspector to log email addresses and
filenames. Please note, this is logged only with the unified2 output
allowed range for this option is 0 - 20480. A value of 0 will disable
email headers logging. The default value for this option is 1464.
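Review bot: The consolidated 5.16.2.14 text should point to the section by number ("See section 5.13.2") rather than "that section", and the four parameter names on one unformatted line (`b64_decode_depth qp_decode_depth bitenc_decode_depth uu_decode_depth`) should be a bullet list like the rest of the option listings. The removed heading "5.14.2.16. bitenc_decode_depth * default to 25" carried a stray default that differs from the 1460 stated for POP/IMAP; if SMTP's defaults really are identical, stating the default explicitly here would settle it.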
-5.14.3. Example
+5.16.3. Example
smtp =
{
}
-5.15. Telnet
+5.17. Telnet
--------------
connection is encrypted, per the use of the telnet encryption option
per RFC 2946.
-5.15.1. Configuring the inspector to block exploits and attacks
+5.17.1. Configuring the inspector to block exploits and attacks
ayt_attack_thresh number
vulnerabilities relating to bsd-based implementations of telnet.
-5.16. Wizard
+5.18. Wizard
--------------
* string active.dst_mac: use format 01:23:45:67:89:ab
* int active.max_responses = 0: maximum number of responses { 0: }
* int active.min_interval = 255: minimum number of seconds between
- responses { 1: }
+ responses { 1:255 }
6.2. alerts
Peg counts:
- * daq.pcaps: total files and interfaces processed (sum)
+ * daq.pcaps: total files and interfaces processed (max)
* daq.received: total packets received from DAQ (sum)
* daq.analyzed: total packets analyzed from DAQ (sum)
* daq.dropped: packets dropped (sum)
-1 = max, 0 = off { -1:1000000 }
* int detection.pcre_match_limit_recursion = 1500: limit pcre stack
consumption, -1 = max, 0 = off { -1:10000 }
+ * bool detection.enable_address_anomaly_checks = false: enable
+ check and alerting of address anomalies
* int detection.trace: mask for enabling debug traces in module
Peg counts:
* string ips.uuid = 00000000-0000-0000-0000-000000000000: IPS
policy uuid
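Review bot: `detection.enable_address_anomaly_checks` is described only as "enable check and alerting of address anomalies". Say which anomalies are checked and which GID:SID events they raise, and, since the default is false, whether leaving them off is a performance measure or a false-positive measure.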
-Peg counts:
-
- * ips.invalid_policy_ids: Number of times an invalid policy ID was
- provided (sum)
-
6.16. latency
* bool output.verbose = false: be verbose (same as -v)
* bool output.wide_hex_dump = true: output 20 bytes per lines
instead of 16 when dumping buffers
- * bool output.enable_packet_trace = false: enable summary output of
- state that determined packet verdict
- * enum output.packet_trace_output = console: select where to send
- packet trace { console | file }
-6.20. packets
+6.20. packet_tracer
+
+--------------
+
+What: generate debug trace messages for packets
+
+Type: basic
+
+Usage: global
+
+Configuration:
+
+ * bool packet_tracer.enable = false: enable summary output of state
+ that determined packet verdict
+ * enum packet_tracer.output = console: select where to send packet
+ trace { console | file }
+
+Commands:
+
+ * packet_tracer.enable(proto, src_ip, src_port, dst_ip, dst_port):
+ enable packet tracer debugging
+ * packet_tracer.disable(): disable packet tracer
+
+
+6.21. packets
--------------
is used to track fragments and connections
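Review bot: In the new 6.20 packet_tracer section, `packet_tracer.enable` is used both as a bool configuration parameter and as a command taking `(proto, src_ip, src_port, dst_ip, dst_port)`. The text should say what the command's arguments do (presumably restrict tracing to a matching 5-tuple) and how the command interacts with the config flag, and should note the rename from `output.enable_packet_trace` / `output.packet_trace_output` so existing configurations can be updated (a snort2lua mapping or a change-log entry).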
-6.21. process
+6.22. process
--------------
timestamps
-6.22. profiler
+6.23. profiler
--------------
avg_match | avg_no_match }
-6.23. rate_filter
+6.24. rate_filter
--------------
according to track
-6.24. references
+6.25. references
--------------
* string references[].url: where this reference is defined
-6.25. rule_state
+6.26. rule_state
--------------
policies
-6.26. search_engine
+6.27. search_engine
--------------
compiling into state machine (0 means no maximum) { 0: }
* int search_engine.max_queue_events = 5: maximum number of
matching fast pattern states to queue per packet { 2:100 }
- * bool search_engine.detect_raw_tcp = true: detect on TCP payload
+ * bool search_engine.detect_raw_tcp = false: detect on TCP payload
before reassembly
* dynamic search_engine.search_method = ac_bnfa: set fast pattern
algorithm - choose available search engine { ac_banded | ac_bnfa
* search_engine.searched_bytes: total bytes searched (sum)
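Review bot: `search_engine.detect_raw_tcp` flips its default from true to false in this hunk with no accompanying explanation. That silently changes detection behaviour for every deployment running defaults: fast-pattern matching on unreassembled TCP segments stops unless the option is set explicitly, so rules that previously fired on raw payload before stream reassembly completed may go quiet. Please add a change-log entry and a sentence in the option description on when to re-enable it.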
-6.27. side_channel
+6.28. side_channel
--------------
* side_channel.packets: total packets (sum)
-6.28. snort
+6.29. snort
--------------
-s) { 68:65535 }
* implied snort.--stdin-rules: read rules from stdin until EOF or a
line starting with END is read
+ * implied snort.--talos: enable Talos inline rule test mode (same
+ as --tweaks talos -Q -q)
* implied snort.--treat-drop-as-alert: converts drop, sdrop, and
reject rules into alert rules during startup
* implied snort.--treat-drop-as-ignore: use drop, sdrop, and reject
rules to ignore session traffic when not inline
+ * string snort.--tweaks: tune configuration
* string snort.--catch-test: comma separated list of cat unit test
tags or all
* implied snort.--version: show version number (same as -V)
* int snort.--x2c: output ASCII char for given hex (see also --c2x)
* string snort.--x2s: output ASCII string for given byte code (see
also --x2c)
+ * implied snort.--trace: turn on main loop debug trace
+ * int snort.trace: mask for enabling debug traces in module
Commands:
* snort.reload_config(filename): load new configuration
* snort.reload_policy(filename): reload part or all of the default
policy
+ * snort.reload_module(module): reload module
* snort.reload_daq(): reload daq module
* snort.reload_hosts(filename): load a new hosts table
* snort.pause(): suspend packet processing
* snort.attribute_table_hosts: total number of hosts in table (sum)
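Review bot: `--talos` is defined as "same as --tweaks talos -Q -q", but the new `--tweaks` option is documented only as "tune configuration" with no list of accepted values or where they are looked up; document the tweak names (or the path searched) so `--tweaks talos` is meaningful on its own. Likewise `snort.--trace` ("turn on main loop debug trace") and `snort.trace` (a mask) are introduced together; say how they relate.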
-6.29. suppress
+6.30. suppress
--------------
--------------
-What: support for Internet protocol v4
+What: support for Internet protocol v4 (DLT 228)
Type: codec
--------------
-What: support for Internet protocol v6
+What: support for Internet protocol v6 (DLT 229)
Type: codec
Configuration:
+ * int appid.first_decrypted_packet_debug = 0: the first packet of
+ an already decrypted SSL flow (debug single session only) { 0: }
* int appid.memcap = 0: disregard - not implemented { 0: }
* bool appid.log_stats = false: enable logging of appid statistics
* int appid.app_stats_period = 300: time period for collecting and
* bool appid.debug = false: enable appid debug logging
* bool appid.dump_ports = false: enable dump of appid port
information
- * addr appid.session_log_filter.src_ip = 0.0.0.0/32: source IP
- address in CIDR format
- * addr appid.session_log_filter.dst_ip = 0.0.0.0/32: destination IP
- address in CIDR format
- * port appid.session_log_filter.src_port: source port { 1: }
- * port appid.session_log_filter.dst_port: destination port { 1: }
- * string appid.session_log_filter.protocol: IP protocol
- * bool appid.session_log_filter.log_all_sessions = false: enable
- logging for all appid sessions
+ * string appid.tp_appid_path: path to third party appid dynamic
+ library
+ * string appid.tp_appid_config: path to third party appid
+ configuration file
* bool appid.log_all_sessions = false: enable logging of all appid
sessions
+ * int appid.trace: mask for enabling debug traces in module
+
+Commands:
+
+ * appid.enable_debug(proto, src_ip, src_port, dst_ip, dst_port):
+ enable appid debugging
+ * appid.disable_debug(): disable appid debugging
+
+Peg counts:
+
+ * appid.packets: count of packets received (sum)
+ * appid.processed_packets: count of packets processed (sum)
+ * appid.ignored_packets: count of packets ignored (sum)
+ * appid.total_sessions: count of sessions created (sum)
+ * appid.appid_unknown: count of sessions where appid could not be
+ determined (sum)
9.2. arp_spoof
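Review bot: The appid hunk drops the whole `appid.session_log_filter.*` parameter set (src_ip, dst_ip, src_port, dst_port, protocol, log_all_sessions) in favour of the new `appid.enable_debug(proto, src_ip, src_port, dst_ip, dst_port)` command. That is a breaking configuration change and should be called out for snort2lua and the change log. Two leftovers: `appid.memcap = 0: disregard - not implemented` is still listed (remove it or mark it reserved), and `first_decrypted_packet_debug` says "(debug single session only)" without saying how the session is selected; if it relies on `enable_debug`, say so.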
{ -1: }
* string dce_smb.smb_invalid_shares: SMB shares to alert on
* bool dce_smb.smb_legacy_mode = false: inspect only SMBv1
+ * int dce_smb.trace: mask for enabling debug traces in module
Rules:
defragmentation
* int dce_udp.max_frag_len = 65535: Maximum fragment size for
defragmentation { 1514:65535 }
+ * int dce_udp.trace: mask for enabling debug traces in module
Rules:
(max)
-9.13. dpx
+9.13. domain_filter
+
+--------------
+
+What: alert on configured HTTP domains
+
+Type: inspector
+
+Usage: inspect
+
+Configuration:
+
+ * string domain_filter.file: file with list of domains identifying
+ hosts to be filtered
+ * string domain_filter.hosts: list of domains identifying hosts to
+ be filtered
+
+Rules:
+
+ * 175:1 (domain_filter) configured domain detected
+
+Peg counts:
+
+ * domain_filter.checked: domains checked (sum)
+ * domain_filter.filtered: domains filtered (sum)
+
+
+9.14. dpx
--------------
* dpx.packets: total packets (sum)
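Review bot: The new domain_filter inspector (9.13) documents `file` and `hosts` but not how they combine when both are set, nor the match semantics of a listed domain (exact Host header match, or suffix match so that `example.com` also covers `www.example.com`); the latter matters for anyone using rule 175:1 in a block policy. Also state which HTTP header is compared and whether the comparison is case-insensitive.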
-9.14. file_id
+9.15. file_id
--------------
* file_id.cache_failures: number of file cache add failures (sum)
-9.15. file_log
+9.16. file_log
--------------
* file_log.total_events: total file events (sum)
-9.16. ftp_client
+9.17. ftp_client
--------------
sequences on FTP control channel
-9.17. ftp_data
+9.18. ftp_data
--------------
* ftp_data.packets: total packets (sum)
-9.18. ftp_server
+9.19. ftp_server
--------------
sessions (max)
-9.19. gtp_inspect
+9.20. gtp_inspect
--------------
* string gtp_inspect[].infos[].name: information element name
* int gtp_inspect[].infos[].length = 0: information element type
code { 0:255 }
+ * int gtp_inspect.trace: mask for enabling debug traces in module
Rules:
* gtp_inspect.unknown_infos: unknown information elements (sum)
-9.20. http2_inspect
+9.21. http2_inspect
--------------
sessions (max)
-9.21. http_inspect
+9.22. http_inspect
--------------
* 119:32 (http_inspect) simple request
* 119:33 (http_inspect) unescaped space in HTTP URI
* 119:34 (http_inspect) too many pipelined requests
- * 119:35 (http_inspect) anomalous http server on undefined HTTP
+ * 119:101 (http_inspect) anomalous http server on undefined HTTP
port
- * 119:36 (http_inspect) invalid status code in HTTP response
- * 119:37 (http_inspect) unused event number—should not appear
- * 119:38 (http_inspect) HTTP response has UTF charset that failed
+ * 119:102 (http_inspect) invalid status code in HTTP response
+ * 119:103 (http_inspect) unused event number—should not appear
+ * 119:104 (http_inspect) HTTP response has UTF charset that failed
to normalize
- * 119:39 (http_inspect) HTTP response has UTF-7 charset
- * 119:40 (http_inspect) HTTP response gzip decompression failed
- * 119:41 (http_inspect) server consecutive small chunk sizes
- * 119:42 (http_inspect) unused event number—should not appear
- * 119:43 (http_inspect) javascript obfuscation levels exceeds 1
- * 119:44 (http_inspect) javascript whitespaces exceeds max allowed
- * 119:45 (http_inspect) multiple encodings within javascript
+ * 119:105 (http_inspect) HTTP response has UTF-7 charset
+ * 119:106 (http_inspect) HTTP response gzip decompression failed
+ * 119:107 (http_inspect) server consecutive small chunk sizes
+ * 119:108 (http_inspect) unused event number—should not appear
+ * 119:109 (http_inspect) javascript obfuscation levels exceeds 1
+ * 119:110 (http_inspect) javascript whitespaces exceeds max allowed
+ * 119:111 (http_inspect) multiple encodings within javascript
obfuscated data
- * 119:46 (http_inspect) SWF file zlib decompression failure
- * 119:47 (http_inspect) SWF file LZMA decompression failure
- * 119:48 (http_inspect) PDF file deflate decompression failure
- * 119:49 (http_inspect) PDF file unsupported compression type
- * 119:50 (http_inspect) PDF file cascaded compression
- * 119:51 (http_inspect) PDF file parse failure
- * 119:52 (http_inspect) not HTTP traffic
- * 119:53 (http_inspect) chunk length has excessive leading zeros
- * 119:54 (http_inspect) white space before or between messages
- * 119:55 (http_inspect) request message without URI
- * 119:56 (http_inspect) control character in reason phrase
- * 119:57 (http_inspect) illegal extra whitespace in start line
- * 119:58 (http_inspect) corrupted HTTP version
- * 119:59 (http_inspect) unknown HTTP version
- * 119:60 (http_inspect) format error in HTTP header
- * 119:61 (http_inspect) chunk header options present
- * 119:62 (http_inspect) URI badly formatted
- * 119:63 (http_inspect) unrecognized type of percent encoding in
+ * 119:112 (http_inspect) SWF file zlib decompression failure
+ * 119:113 (http_inspect) SWF file LZMA decompression failure
+ * 119:114 (http_inspect) PDF file deflate decompression failure
+ * 119:115 (http_inspect) PDF file unsupported compression type
+ * 119:116 (http_inspect) PDF file cascaded compression
+ * 119:117 (http_inspect) PDF file parse failure
+ * 119:201 (http_inspect) not HTTP traffic
+ * 119:202 (http_inspect) chunk length has excessive leading zeros
+ * 119:203 (http_inspect) white space before or between messages
+ * 119:204 (http_inspect) request message without URI
+ * 119:205 (http_inspect) control character in reason phrase
+ * 119:206 (http_inspect) illegal extra whitespace in start line
+ * 119:207 (http_inspect) corrupted HTTP version
+ * 119:208 (http_inspect) unknown HTTP version
+ * 119:209 (http_inspect) format error in HTTP header
+ * 119:210 (http_inspect) chunk header options present
+ * 119:211 (http_inspect) URI badly formatted
+ * 119:212 (http_inspect) unrecognized type of percent encoding in
URI
- * 119:64 (http_inspect) HTTP chunk misformatted
- * 119:65 (http_inspect) white space adjacent to chunk length
- * 119:66 (http_inspect) white space within header name
- * 119:67 (http_inspect) excessive gzip compression
- * 119:68 (http_inspect) gzip decompression failed
- * 119:69 (http_inspect) HTTP 0.9 requested followed by another
+ * 119:213 (http_inspect) HTTP chunk misformatted
+ * 119:214 (http_inspect) white space adjacent to chunk length
+ * 119:215 (http_inspect) white space within header name
+ * 119:216 (http_inspect) excessive gzip compression
+ * 119:217 (http_inspect) gzip decompression failed
+ * 119:218 (http_inspect) HTTP 0.9 requested followed by another
request
- * 119:70 (http_inspect) HTTP 0.9 request following a normal request
- * 119:71 (http_inspect) message has both Content-Length and
+ * 119:219 (http_inspect) HTTP 0.9 request following a normal
+ request
+ * 119:220 (http_inspect) message has both Content-Length and
Transfer-Encoding
- * 119:72 (http_inspect) status code implying no body combined with
+ * 119:221 (http_inspect) status code implying no body combined with
Transfer-Encoding or nonzero Content-Length
- * 119:73 (http_inspect) Transfer-Encoding not ending with chunked
- * 119:74 (http_inspect) Transfer-Encoding with encodings before
+ * 119:222 (http_inspect) Transfer-Encoding not ending with chunked
+ * 119:223 (http_inspect) Transfer-Encoding with encodings before
chunked
- * 119:75 (http_inspect) misformatted HTTP traffic
- * 119:76 (http_inspect) unsupported Content-Encoding used
- * 119:77 (http_inspect) unknown Content-Encoding used
- * 119:78 (http_inspect) multiple Content-Encodings applied
- * 119:79 (http_inspect) server response before client request
- * 119:80 (http_inspect) PDF/SWF decompression of server response
+ * 119:224 (http_inspect) misformatted HTTP traffic
+ * 119:225 (http_inspect) unsupported Content-Encoding used
+ * 119:226 (http_inspect) unknown Content-Encoding used
+ * 119:227 (http_inspect) multiple Content-Encodings applied
+ * 119:228 (http_inspect) server response before client request
+ * 119:229 (http_inspect) PDF/SWF decompression of server response
too big
- * 119:81 (http_inspect) nonprinting character in HTTP message
+ * 119:230 (http_inspect) nonprinting character in HTTP message
header name
- * 119:82 (http_inspect) bad Content-Length value in HTTP header
- * 119:83 (http_inspect) HTTP header line wrapped
- * 119:84 (http_inspect) HTTP header line terminated by CR without a
- LF
- * 119:85 (http_inspect) chunk terminated by nonstandard separator
- * 119:86 (http_inspect) chunk length terminated by LF without CR
- * 119:87 (http_inspect) more than one response with 100 status code
- * 119:88 (http_inspect) 100 status code not in response to Expect
+ * 119:231 (http_inspect) bad Content-Length value in HTTP header
+ * 119:232 (http_inspect) HTTP header line wrapped
+ * 119:233 (http_inspect) HTTP header line terminated by CR without
+ a LF
+ * 119:234 (http_inspect) chunk terminated by nonstandard separator
+ * 119:235 (http_inspect) chunk length terminated by LF without CR
+ * 119:236 (http_inspect) more than one response with 100 status
+ code
+ * 119:237 (http_inspect) 100 status code not in response to Expect
header
- * 119:89 (http_inspect) 1XX status code other than 100 or 101
- * 119:90 (http_inspect) Expect header sent without a message body
- * 119:91 (http_inspect) HTTP 1.0 message with Transfer-Encoding
+ * 119:238 (http_inspect) 1XX status code other than 100 or 101
+ * 119:239 (http_inspect) Expect header sent without a message body
+ * 119:240 (http_inspect) HTTP 1.0 message with Transfer-Encoding
header
- * 119:92 (http_inspect) Content-Transfer-Encoding used as HTTP
+ * 119:241 (http_inspect) Content-Transfer-Encoding used as HTTP
header
- * 119:93 (http_inspect) illegal field in chunked message trailers
- * 119:94 (http_inspect) header field inappropriately appears twice
+ * 119:242 (http_inspect) illegal field in chunked message trailers
+ * 119:243 (http_inspect) header field inappropriately appears twice
or has two values
- * 119:95 (http_inspect) invalid value chunked in Content-Encoding
+ * 119:244 (http_inspect) invalid value chunked in Content-Encoding
header
- * 119:96 (http_inspect) 206 response sent to a request without a
+ * 119:245 (http_inspect) 206 response sent to a request without a
Range header
- * 119:97 (http_inspect) HTTP in version field not all upper case
+ * 119:246 (http_inspect) HTTP in version field not all upper case
+ * 119:247 (http_inspect) white space embedded in critical header
+ value
+ * 119:248 (http_inspect) gzip compressed data followed by
+ unexpected non-gzip data
Peg counts:
sessions (max)
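Review bot: the http_inspect builtin SIDs are renumbered rather than extended in this hunk (119:82 through 119:97 become 119:231 through 119:248, and the later hunk shows 119:35 through 119:51 becoming 119:101 through 119:117 while 119:52 onward jumps to 119:201), so any deployment with event_filter, suppress or threshold entries keyed on the old gid:sid pairs silently stops matching; the changes section should carry an old-to-new SID mapping table and state that the 119:1xx and 119:2xx ranges replace the old numbers. The two new events 119:247 (white space embedded in critical header value) and 119:248 (gzip compressed data followed by unexpected non-gzip data) should also be marked as new so they are not mistaken for renumbered ones.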
-9.22. imap
+9.23. imap
--------------
Configuration:
- * int imap.b64_decode_depth = 1460: base64 decoding depth {
- -1:65535 }
+ * int imap.b64_decode_depth = 1460: base64 decoding depth (-1 no
+ limit) { -1:65535 }
* int imap.bitenc_decode_depth = 1460: non-Encoded MIME attachment
- extraction depth { -1:65535 }
+ extraction depth (-1 no limit) { -1:65535 }
* int imap.qp_decode_depth = 1460: quoted Printable decoding depth
- { -1:65535 }
- * int imap.uu_decode_depth = 1460: Unix-to-Unix decoding depth {
- -1:65535 }
+ (-1 no limit) { -1:65535 }
+ * int imap.uu_decode_depth = 1460: Unix-to-Unix decoding depth (-1
+ no limit) { -1:65535 }
Rules:
* imap.non_encoded_bytes: total non-encoded extracted bytes (sum)
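Review bot: the added "(-1 no limit)" wording on the four imap decode depths explains one end of the { -1:65535 } range but not the other; 0 is also a legal value and readers will want to know whether it disables decoding of that encoding or decodes nothing but still tracks the attachment. The same gap applies to the pop and smtp entries that receive the identical wording further down, so one sentence on the meaning of 0 next to the first occurrence would cover all three modules.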
-9.23. modbus
+9.24. modbus
--------------
sessions (max)
-9.24. normalizer
+9.25. normalizer
--------------
* normalizer.tcp_block: blocked segments (sum)
-9.25. packet_capture
+9.26. packet_capture
--------------
filter (sum)
-9.26. perf_monitor
+9.27. perf_monitor
--------------
* perf_monitor.packets: total packets (sum)
-9.27. pop
+9.28. pop
--------------
Configuration:
- * int pop.b64_decode_depth = 1460: base64 decoding depth { -1:65535
- }
+ * int pop.b64_decode_depth = 1460: base64 decoding depth (-1 no
+ limit) { -1:65535 }
* int pop.bitenc_decode_depth = 1460: Non-Encoded MIME attachment
- extraction depth { -1:65535 }
- * int pop.qp_decode_depth = 1460: Quoted Printable decoding depth {
- -1:65535 }
- * int pop.uu_decode_depth = 1460: Unix-to-Unix decoding depth {
- -1:65535 }
+ extraction depth (-1 no limit) { -1:65535 }
+ * int pop.qp_decode_depth = 1460: Quoted Printable decoding depth
+ (-1 no limit) { -1:65535 }
+ * int pop.uu_decode_depth = 1460: Unix-to-Unix decoding depth (-1
+ no limit) { -1:65535 }
Rules:
* pop.non_encoded_bytes: total non-encoded extracted bytes (sum)
-9.28. port_scan
+9.29. port_scan
--------------
* port_scan.packets: total packets (sum)
-9.29. reg_test
+9.30. reg_test
--------------
* reg_test.retry_packets: total retried packets received (sum)
-9.30. reputation
+9.31. reputation
--------------
Configuration:
* string reputation.blacklist: blacklist file name with IP lists
+ * string reputation.list_dir: directory for IP lists and manifest
+ file
* int reputation.memcap = 500: maximum total MB of memory allocated
{ 1:4095 }
* enum reputation.nested_ip = inner: IP to use when there is IP
* reputation.memory_allocated: total memory allocated (sum)
-9.31. rpc_decode
+9.32. rpc_decode
--------------
sessions (max)
-9.32. sip
+9.33. sip
--------------
* sip.code_9xx: 9xx (sum)
-9.33. smtp
+9.34. smtp
--------------
non-default maximum for command { 0: }
* string smtp.auth_cmds: commands that initiate an authentication
exchange
+ * int smtp.b64_decode_depth = 1460: depth used to decode the base64
+ encoded MIME attachments (-1 no limit) { -1:65535 }
* string smtp.binary_data_cmds: commands that initiate sending of
data and use a length value after the command
- * int smtp.bitenc_decode_depth = 25: depth used to extract the
- non-encoded MIME attachments { -1:65535 }
- * int smtp.b64_decode_depth = 25: depth used to decode the base64
- encoded MIME attachments { -1:65535 }
+ * int smtp.bitenc_decode_depth = 1460: depth used to extract the
+ non-encoded MIME attachments (-1 no limit) { -1:65535 }
* string smtp.data_cmds: commands that initiate sending of data
with an end of data delimiter
* int smtp.email_hdrs_log_depth = 1464: depth for logging email
* enum smtp.normalize = none: turns on/off normalization { none |
cmds | all }
* string smtp.normalize_cmds: list of commands to normalize
- * int smtp.qp_decode_depth = 25: quoted-Printable decoding depth {
- -1:65535 }
- * int smtp.uu_decode_depth = 25: unix-to-Unix decoding depth {
- -1:65535 }
+ * int smtp.qp_decode_depth = 1460: quoted-Printable decoding depth
+ (-1 no limit) { -1:65535 }
+ * int smtp.uu_decode_depth = 1460: Unix-to-Unix decoding depth (-1
+ no limit) { -1:65535 }
* string smtp.valid_cmds: list of valid commands
* enum smtp.xlink2state = alert: enable/disable xlink2state alert {
disable | alert | drop }
* smtp.non_encoded_bytes: total non-encoded extracted bytes (sum)
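Review bot: this hunk changes the defaults of smtp.b64_decode_depth, smtp.bitenc_decode_depth, smtp.qp_decode_depth and smtp.uu_decode_depth from 25 to 1460, which is a behavioural change (more attachment bytes decoded per message, with the corresponding memory and CPU cost) that only surfaces here in the reference text; it should be listed explicitly in the changes section alongside the text fix. The reordering that moves smtp.b64_decode_depth above smtp.binary_data_cmds restores alphabetical order and is fine, and the "unix-to-Unix" capitalisation fix now matches the imap and pop entries.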
-9.34. ssh
+9.35. ssh
--------------
(max)
-9.35. ssl
+9.36. ssl
--------------
(max)
-9.36. stream
+9.37. stream
--------------
before being eligible for pruning { 1: }
* int stream.file_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1: }
+ * int stream.trace: mask for enabling debug traces in module
+
+Rules:
+
+ * 135:1 (stream) TCP SYN received
+ * 135:2 (stream) TCP session established
+ * 135:3 (stream) TCP session cleared
Peg counts:
sync (sum)
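Review bot: the new stream builtin rules 135:1 (TCP SYN received), 135:2 (TCP session established) and 135:3 (TCP session cleared) describe per-session lifecycle events, so the text should say whether they are raised by default or only when a rule references them; the peg stream_tcp.internal_events is described in the consolidated list as "135:X events generated", which suggests they are internal signals rather than alerts, and the builtin rules list should make that explicit so nobody expects, or is surprised by, one alert per TCP session.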
-9.37. stream_file
+9.38. stream_file
--------------
* bool stream_file.upload = false: indicate file transfer direction
-9.38. stream_icmp
+9.39. stream_icmp
--------------
* stream_icmp.prunes: icmp session prunes (sum)
-9.39. stream_ip
+9.40. stream_ip
--------------
* stream_ip.trackers_completed: datagram trackers completed (sum)
* stream_ip.nodes_inserted: fragments added to tracker (sum)
* stream_ip.nodes_deleted: fragments deleted from tracker (sum)
- * stream_ip.memory_used: current memory usage in bytes (now)
* stream_ip.reassembled_bytes: total reassembled bytes (sum)
* stream_ip.fragmented_bytes: total fragmented bytes (sum)
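Review bot: the stream_ip.memory_used peg ("current memory usage in bytes (now)") is dropped here and again in the consolidated peg list without a named replacement; stream.ip_memcap_prunes only reports prune events, not usage, so anyone monitoring IP reassembly memory against the memcap loses that signal. If usage is still exposed elsewhere the doc should say where, otherwise the peg should appear under removed counters in the changes section.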
-9.40. stream_tcp
+9.41. stream_tcp
--------------
* int stream_tcp.flush_factor = 0: flush upon seeing a drop in
segment size after given number of non-decreasing segments { 0: }
- * bool stream_tcp.ignore_any_rules = false: process TCP content
- rules w/o ports only if rules with ports are present
* int stream_tcp.max_window = 0: maximum allowed TCP window {
0:1073725440 }
* int stream_tcp.overlap_limit = 0: maximum number of allowed
* stream_tcp.released: tcp session trackers released (sum)
* stream_tcp.timeouts: tcp session timeouts (sum)
* stream_tcp.prunes: tcp session prunes (sum)
+ * stream_tcp.instantiated: new sessions instantiated (sum)
+ * stream_tcp.setups: session initializations (sum)
+ * stream_tcp.restarts: sessions restarted (sum)
* stream_tcp.resyns: SYN received on established session (sum)
* stream_tcp.discards: tcp packets discarded (sum)
* stream_tcp.events: events generated (sum)
* stream_tcp.fins: number of fin packets (sum)
-9.41. stream_udp
+9.42. stream_udp
--------------
* int stream_udp.session_timeout = 30: session tracking timeout {
1:86400 }
- * bool stream_udp.ignore_any_rules = false: process UDP content
- rules w/o ports only if rules with ports are present
Peg counts:
* stream_udp.ignored: udp packets ignored (sum)
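Review bot: stream_tcp.ignore_any_rules and stream_udp.ignore_any_rules are removed (here and in the consolidated list) with no replacement named, so an existing snort.lua that sets either key will fail configuration validation on this build; the removal should be called out in the changes section and handled by snort2lua (section 17) so converted Snort 2 configurations do not carry the option forward.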
-9.42. stream_user
+9.43. stream_user
--------------
* int stream_user.trace: mask for enabling debug traces in module
-9.43. telnet
+9.44. telnet
--------------
sessions (max)
-9.44. wizard
+9.45. wizard
--------------
* int byte_test.~count: number of bytes to pick up from the buffer
{ 1:10 }
- * string byte_test.~operator: variable name or number of bytes into
- the buffer to start processing
+ * string byte_test.~operator: operation to perform to test the
+ value
* string byte_test.~compare: variable name or value to test the
converted result against
* string byte_test.~offset: variable name or number of bytes into
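Review bot: the old byte_test.~operator description was a copy of the ~offset text, so the fix is right, but "operation to perform to test the value" still does not enumerate the accepted operators; given that the same diff adds a note that "=<" is rejected and "<=" is the correct symbol, listing the valid operator tokens here (and in the duplicate entry in the alphabetical configuration list) would prevent that class of rule syntax error.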
doesn’t care about metadata internal structure / syntax)
* deleted fast_pattern:only; use fast_pattern, nocase (option is
not added to detection tree if not required)
- * changed fast_pattern:<offset>,<length> to fastpattern_offset:
- <offset>, fast_pattern_length <length>
+ * changed fast_pattern:<offset>,<length> to
+ fast_pattern,fast_pattern_offset <offset>,fast_pattern_length
+ <length>
* fast pattern sensitive data with sd_pattern using hyperscan
* hyperscan regex fast patterns with regex:"<regex>", fast_pattern;
* no ; separated content suboptions
* nets and/or ports may be omitted from rule headers (matches any)
* parse all rules and output all errors before quitting
* read rules from conf, separate rules file, or stdin
+ * The symbol =< in a byte test is recognized as a syntax error. The
+ correct symbol is <=.
16.7. Output
details.
+16.9. Features Not Yet Supported by Snort 3
+
+--------------
+
+ * Support in http_inspect for Original Client IP is limited to the
+ X-Forwarded-For and True-Client-IP headers in that order. It is
+ not possible to configure additional custom headers to search for
+ Original Client IP.
+ * The -n option does not work properly when perf_monitor is
+ configured. The number of packets processed from the pcap is
+ likely to be more than the number specified with the -n option.
+ * When a file is transferred via SMB2 it may be allowed even though
+ according to file policy it should be blocked. This occurs when
+ the create and read requests are sent together and then the read
+ and create responses are sent together. Blocking is done
+ correctly if the create and read requests are sent separately or
+ if the file is large enough to require two read responses.
+ * This user manual is incomplete and does not fully cover many
+ Snort 2.X features that are also supported by Snort 3.
+
+
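Review bot: the new section 16.9 heading is separated from its "--------------" underline by a blank line, unlike every other heading in this diff where the underline follows the title directly; move the underline up so the section renders consistently. The third item documents a file policy enforcement gap for SMB2 (a file that should be blocked is allowed when the create and read requests, and then the responses, are coalesced); because readers configuring file blocking will look in the dce_smb and file policy sections rather than a "not yet supported" list, cross-reference it from there.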
---------------------------------------------------------------------
17. Snort2Lua
* --snaplen <snap> set snaplen of packet (same as -s) (68:65535)
* --stdin-rules read rules from stdin until EOF or a line starting
with END is read
+ * --talos enable Talos inline rule test mode (same as --tweaks
+ talos -Q -q)
* --treat-drop-as-alert converts drop, sdrop, and reject rules into
alert rules during startup
* --treat-drop-as-ignore use drop, sdrop, and reject rules to
ignore session traffic when not inline
+ * --tweaks tune configuration
* --catch-test comma separated list of cat unit test tags or all
* --version show version number (same as -V)
* --warn-all enable all warnings
* --warn-vars warn about variable definition and usage issues
* --x2c output ASCII char for given hex (see also --c2x)
* --x2s output ASCII string for given byte code (see also --x2c)
+ * --trace turn on main loop debug trace
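Review bot: the --tweaks entry reads "tune configuration" with no argument placeholder, yet the --talos entry two lines above expands to "--tweaks talos -Q -q", which shows --tweaks takes a value; write it as "--tweaks <name>" in the style of "--snaplen <snap>" and say what the name selects. Also, --trace is appended after --x2s, breaking the alphabetical order the rest of the option list follows; it belongs between --treat-drop-as-ignore and --tweaks.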
20.4. Configuration
* string active.dst_mac: use format 01:23:45:67:89:ab
* int active.max_responses = 0: maximum number of responses { 0: }
* int active.min_interval = 255: minimum number of seconds between
- responses { 1: }
+ responses { 1:255 }
* multi alert_csv.fields = timestamp pkt_num proto pkt_gen pkt_len
dir src_ap dst_ap rule action: selected fields will be output in
given order left to right { action | class | b64_data | dir |
* bool appid.debug = false: enable appid debug logging
* bool appid.dump_ports = false: enable dump of appid port
information
+ * int appid.first_decrypted_packet_debug = 0: the first packet of
+ an already decrypted SSL flow (debug single session only) { 0: }
* int appid.instance_id = 0: instance id - ignored { 0: }
* bool appid.log_all_sessions = false: enable logging of all appid
sessions
* bool appid.log_stats = false: enable logging of appid statistics
* int appid.memcap = 0: disregard - not implemented { 0: }
* string appids.~: comma separated list of application names
- * addr appid.session_log_filter.dst_ip = 0.0.0.0/32: destination IP
- address in CIDR format
- * port appid.session_log_filter.dst_port: destination port { 1: }
- * bool appid.session_log_filter.log_all_sessions = false: enable
- logging for all appid sessions
- * string appid.session_log_filter.protocol: IP protocol
- * addr appid.session_log_filter.src_ip = 0.0.0.0/32: source IP
- address in CIDR format
- * port appid.session_log_filter.src_port: source port { 1: }
+ * string appid.tp_appid_config: path to third party appid
+ configuration file
+ * string appid.tp_appid_path: path to third party appid dynamic
+ library
+ * int appid.trace: mask for enabling debug traces in module
* ip4 arp_spoof.hosts[].ip: host ip address
* mac arp_spoof.hosts[].mac: host mac address
* int asn1.absolute_offset: absolute offset from the beginning of
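Review bot: the eight appid.session_log_filter.* options are removed here and the only replacement visible in this diff is the appid.enable_debug(proto, src_ip, src_port, dst_ip, dst_port) command added at the very end; the configuration section should point readers at that command, and the command entry should state the parameter formats (protocol name or number, whether CIDR is accepted for the IP arguments) since the removed options documented those. For the new appid.tp_appid_path option, "path to third party appid dynamic library" should say whether the path is absolute or resolved relative to the config or plugin directory.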
* implied byte_test.oct: convert from octal string
* string byte_test.~offset: variable name or number of bytes into
the payload to start processing
- * string byte_test.~operator: variable name or number of bytes into
- the buffer to start processing
+ * string byte_test.~operator: operation to perform to test the
+ value
* implied byte_test.relative: offset from cursor instead of start
of buffer
* implied byte_test.string: convert from string
* bool dce_smb.smb_legacy_mode = false: inspect only SMBv1
* int dce_smb.smb_max_chain = 3: SMB max chain size { 0:255 }
* int dce_smb.smb_max_compound = 3: SMB max compound size { 0:255 }
+ * int dce_smb.trace: mask for enabling debug traces in module
* multi dce_smb.valid_smb_versions = all: Valid SMB versions { v1 |
v2 | all }
* bool dce_tcp.disable_defrag = false: Disable DCE/RPC
defragmentation
* int dce_udp.max_frag_len = 65535: Maximum fragment size for
defragmentation { 1514:65535 }
+ * int dce_udp.trace: mask for enabling debug traces in module
+ * int decode.trace: mask for enabling debug traces in module
* int detection.asn1 = 256: maximum decode nodes { 1: }
+ * bool detection.enable_address_anomaly_checks = false: enable
+ check and alerting of address anomalies
* int detection_filter.count: hits in interval before allowing the
rule to fire { 1: }
* int detection_filter.seconds: length of interval to count hits {
0:255 }
* int dnp3_obj.var = 0: match given DNP3 object header var { 0:255
}
+ * string domain_filter.file: file with list of domains identifying
+ hosts to be filtered
+ * string domain_filter.hosts: list of domains identifying hosts to
+ be filtered
* int dpx.max = 0: maximum payload before alert { 0:65535 }
* port dpx.port: port to check
* interval dsize.~range: check if packet payload size is in the
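Review bot: "enable check and alerting of address anomalies" on detection.enable_address_anomaly_checks does not say which anomalies are checked or which builtin events they raise, so an operator cannot judge the false positive cost of turning it on; name the conditions and their gid:sid. For domain_filter, both domain_filter.file and domain_filter.hosts supply "domains identifying hosts to be filtered" and the text should state how the two combine (union, or one overriding the other) and whether matching is exact or suffix based, since that decides what 175:1 fires on.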
* string gtp_inspect[].messages[].name: message name
* int gtp_inspect[].messages[].type = 0: message type code { 0:255
}
+ * int gtp_inspect.trace: mask for enabling debug traces in module
* int gtp_inspect[].version = 2: GTP version { 0:2 }
* string gtp_type.~: list of types to match
* int gtp_version.~: version to match { 0:2 }
0:255 }
* interval id.~range: check if the IP ID is in the given range { 0:
}
- * int imap.b64_decode_depth = 1460: base64 decoding depth {
- -1:65535 }
+ * int imap.b64_decode_depth = 1460: base64 decoding depth (-1 no
+ limit) { -1:65535 }
* int imap.bitenc_decode_depth = 1460: non-Encoded MIME attachment
- extraction depth { -1:65535 }
+ extraction depth (-1 no limit) { -1:65535 }
* int imap.qp_decode_depth = 1460: quoted Printable decoding depth
- { -1:65535 }
- * int imap.uu_decode_depth = 1460: Unix-to-Unix decoding depth {
- -1:65535 }
+ (-1 no limit) { -1:65535 }
+ * int imap.uu_decode_depth = 1460: Unix-to-Unix decoding depth (-1
+ no limit) { -1:65535 }
* int inspection.id = 0: correlate policy and events with other
items in configuration { 0:65535 }
* enum inspection.mode = inline-test: set policy mode { inline |
as -d)
* bool output.dump_payload_verbose = false: dumps raw packet
starting at link layer (same as -X)
- * bool output.enable_packet_trace = false: enable summary output of
- state that determined packet verdict
* int output.event_trace.max_data = 0: maximum amount of packet
data to capture { 0:65535 }
* string output.logdir = .: where to put log files (same as -l)
(same as -O)
* bool output.obfuscate_pii = false: mask all but the last 4
characters of credit card and social security numbers
- * enum output.packet_trace_output = console: select where to send
- packet trace { console | file }
* bool output.quiet = false: suppress non-fatal information (still
show alerts, same as -q)
* bool output.show_year = false: include year in timestamp in the
processing { 0: }
* bool packets.vlan_agnostic = false: determines whether VLAN info
is used to track fragments and connections
+ * bool packet_tracer.enable = false: enable summary output of state
+ that determined packet verdict
+ * enum packet_tracer.output = console: select where to send packet
+ trace { console | file }
* string pcre.~re: Snort regular expression
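Review bot: output.enable_packet_trace and output.packet_trace_output are removed and reappear as packet_tracer.enable and packet_tracer.output with identical descriptions, so this is a rename that breaks existing configurations; the changes section should record the old and new keys together, and snort2lua (section 17) should translate the old names.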
* bool perf_monitor.base = true: enable base statistics { nullptr }
* bool perf_monitor.cpu = false: enable cpu statistics { nullptr }
* bool perf_monitor.summary = false: output summary at shutdown
* interval pkt_num.~range: check if packet number is in given range
{ 1: }
- * int pop.b64_decode_depth = 1460: base64 decoding depth { -1:65535
- }
+ * int pop.b64_decode_depth = 1460: base64 decoding depth (-1 no
+ limit) { -1:65535 }
* int pop.bitenc_decode_depth = 1460: Non-Encoded MIME attachment
- extraction depth { -1:65535 }
- * int pop.qp_decode_depth = 1460: Quoted Printable decoding depth {
- -1:65535 }
- * int pop.uu_decode_depth = 1460: Unix-to-Unix decoding depth {
- -1:65535 }
+ extraction depth (-1 no limit) { -1:65535 }
+ * int pop.qp_decode_depth = 1460: Quoted Printable decoding depth
+ (-1 no limit) { -1:65535 }
+ * int pop.uu_decode_depth = 1460: Unix-to-Unix decoding depth (-1
+ no limit) { -1:65535 }
* bool port_scan.alert_all = false: alert on all events over
threshold within window if true; else alert on first only
* int port_scan.icmp_sweep.nets = 25: number of times address
* string rem.~: comment
* string replace.~: byte code to replace with
* string reputation.blacklist: blacklist file name with IP lists
+ * string reputation.list_dir: directory for IP lists and manifest
+ file
* int reputation.memcap = 500: maximum total MB of memory allocated
{ 1:4095 }
* enum reputation.nested_ip = inner: IP to use when there is IP
prints compiled rule group information
* bool search_engine.debug_print_rule_groups_uncompiled = false:
prints uncompiled rule group information
- * bool search_engine.detect_raw_tcp = true: detect on TCP payload
+ * bool search_engine.detect_raw_tcp = false: detect on TCP payload
before reassembly
* bool search_engine.enable_single_rule_group = false: put all
rules into one group
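Review bot: flipping the default of search_engine.detect_raw_tcp from true to false changes detection behaviour out of the box (TCP payload is no longer inspected before reassembly), and the diff records it only as a one-word change in the reference list; call it out in the changes section and add a sentence on which rules are affected, so operators who relied on pre-reassembly matching know to set it back explicitly.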
non-default maximum for command { 0: }
* string smtp.auth_cmds: commands that initiate an authentication
exchange
- * int smtp.b64_decode_depth = 25: depth used to decode the base64
- encoded MIME attachments { -1:65535 }
+ * int smtp.b64_decode_depth = 1460: depth used to decode the base64
+ encoded MIME attachments (-1 no limit) { -1:65535 }
* string smtp.binary_data_cmds: commands that initiate sending of
data and use a length value after the command
- * int smtp.bitenc_decode_depth = 25: depth used to extract the
- non-encoded MIME attachments { -1:65535 }
+ * int smtp.bitenc_decode_depth = 1460: depth used to extract the
+ non-encoded MIME attachments (-1 no limit) { -1:65535 }
* string smtp.data_cmds: commands that initiate sending of data
with an end of data delimiter
* int smtp.email_hdrs_log_depth = 1464: depth for logging email
* string smtp.normalize_cmds: list of commands to normalize
* enum smtp.normalize = none: turns on/off normalization { none |
cmds | all }
- * int smtp.qp_decode_depth = 25: quoted-Printable decoding depth {
- -1:65535 }
- * int smtp.uu_decode_depth = 25: unix-to-Unix decoding depth {
- -1:65535 }
+ * int smtp.qp_decode_depth = 1460: quoted-Printable decoding depth
+ (-1 no limit) { -1:65535 }
+ * int smtp.uu_decode_depth = 1460: Unix-to-Unix decoding depth (-1
+ no limit) { -1:65535 }
* string smtp.valid_cmds: list of valid commands
* enum smtp.xlink2state = alert: enable/disable xlink2state alert {
disable | alert | drop }
* implied snort.--stdin-rules: read rules from stdin until EOF or a
line starting with END is read
* string snort.-S: <x=v> set config variable x equal to value v
+ * implied snort.--talos: enable Talos inline rule test mode (same
+ as --tweaks talos -Q -q)
* string snort.-t: <dir> chroots process to <dir> after
initialization
+ * int snort.trace: mask for enabling debug traces in module
+ * implied snort.--trace: turn on main loop debug trace
* implied snort.--treat-drop-as-alert: converts drop, sdrop, and
reject rules into alert rules during startup
* implied snort.--treat-drop-as-ignore: use drop, sdrop, and reject
rules to ignore session traffic when not inline
* implied snort.-T: test and report on the current Snort
configuration
+ * string snort.--tweaks: tune configuration
* string snort.-u: <uname> run snort as <uname> or <uid> after
initialization
* implied snort.-U: use UTC for timestamps
before being eligible for pruning { 1: }
* int stream_tcp.flush_factor = 0: flush upon seeing a drop in
segment size after given number of non-decreasing segments { 0: }
- * bool stream_tcp.ignore_any_rules = false: process TCP content
- rules w/o ports only if rules with ports are present
* int stream_tcp.max_pdu = 16384: maximum reassembled PDU size {
1460:32768 }
* int stream_tcp.max_window = 0: maximum allowed TCP window {
segments queued { 0:2048 }
* int stream_tcp.small_segments.maximum_size = 0: limit number of
small segments queued { 0:2048 }
+ * int stream.trace: mask for enabling debug traces in module
* int stream.udp_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1: }
* int stream.udp_cache.max_sessions = 131072: maximum simultaneous
sessions tracked before pruning { 2: }
* int stream.udp_cache.pruning_timeout = 30: minimum inactive time
before being eligible for pruning { 1: }
- * bool stream_udp.ignore_any_rules = false: process UDP content
- rules w/o ports only if rules with ports are present
* int stream_udp.session_timeout = 30: session tracking timeout {
1:86400 }
* int stream.user_cache.idle_timeout = 180: maximum inactive time
--------------
+ * appid.appid_unknown: count of sessions where appid could not be
+ determined (sum)
+ * appid.ignored_packets: count of packets ignored (sum)
+ * appid.packets: count of packets received (sum)
+ * appid.processed_packets: count of packets processed (sum)
+ * appid.total_sessions: count of sessions created (sum)
* arp_spoof.packets: total packets (sum)
* back_orifice.packets: total packets (sum)
* binder.allows: allow bindings (sum)
* daq.internal_whitelist: packets whitelisted internally due to
lack of DAQ support (sum)
* daq.outstanding: packets unprocessed (sum)
- * daq.pcaps: total files and interfaces processed (sum)
+ * daq.pcaps: total files and interfaces processed (max)
* daq.received: total packets received from DAQ (sum)
* daq.replace: total replace verdicts (sum)
* daq.retry: total retry verdicts (sum)
* dns.packets: total packets processed (sum)
* dns.requests: total dns requests (sum)
* dns.responses: total dns responses (sum)
+ * domain_filter.checked: domains checked (sum)
+ * domain_filter.filtered: domains filtered (sum)
* dpx.packets: total packets (sum)
* file_connector.messages: total messages (sum)
* file_id.cache_failures: number of file cache add failures (sum)
* imap.sessions: total imap sessions (sum)
* imap.uu_attachments: total uu attachments decoded (sum)
* imap.uu_decoded_bytes: total uu decoded bytes (sum)
- * ips.invalid_policy_ids: Number of times an invalid policy ID was
- provided (sum)
* ipv4.bad_checksum: nonzero ip checksums (sum)
* latency.max_usecs: maximum usecs elapsed (sum)
* latency.packet_timeouts: packets that timed out (sum)
* stream_ip.max_frags: max fragments (sum)
* stream_ip.max: max ip sessions (max)
* stream.ip_memcap_prunes: ip sessions pruned due to memcap (sum)
- * stream_ip.memory_used: current memory usage in bytes (now)
* stream_ip.nodes_deleted: fragments deleted from tracker (sum)
* stream_ip.nodes_inserted: fragments added to tracker (sum)
* stream_ip.overlaps: overlapping fragments (sum)
* stream_tcp.ignored: tcp packets ignored (sum)
* stream_tcp.initializing: number of sessions currently
initializing (now)
+ * stream_tcp.instantiated: new sessions instantiated (sum)
* stream_tcp.internal_events: 135:X events generated (sum)
* stream_tcp.max: max tcp sessions (max)
* stream.tcp_memcap_prunes: tcp sessions pruned due to memcap (sum)
* stream_tcp.rebuilt_packets: total reassembled PDUs (sum)
* stream_tcp.released: tcp session trackers released (sum)
* stream_tcp.resets: number of reset packets (sum)
+ * stream_tcp.restarts: sessions restarted (sum)
* stream_tcp.resyns: SYN received on established session (sum)
* stream_tcp.segs_queued: total segments queued (sum)
* stream_tcp.segs_released: total segments released (sum)
* stream_tcp.server_cleanups: number of times data from client was
flushed when session released (sum)
* stream_tcp.sessions: total tcp sessions (sum)
+ * stream_tcp.setups: session initializations (sum)
* stream_tcp.syn_acks: number of syn-ack packets (sum)
* stream_tcp.syn_ack_trackers: tcp session tracking started on
syn-ack (sum)
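Review bot: daq.pcaps changes its aggregation from (sum) to (max), which alters the reported value in multi-threaded runs even though the description is unchanged; flag it for anyone graphing that counter. The ips.invalid_policy_ids peg is removed without a replacement, and stream_ip.memory_used is removed here as well as in the stream_ip section; both belong in a removed-counters entry in the changes section.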
* 133: dce_tcp
* 133: dce_udp
* 134: latency
+ * 135: stream
* 136: reputation
* 137: ssl
* 140: sip
* 143: gtp_inspect
* 144: modbus
* 145: dnp3
+ * 146: file_id
+ * 175: domain_filter
* 219: http2_inspect
* 256: dpx
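Review bot: 146: file_id is added to the GID list, but no 146:N entries appear among the added builtin rules in this diff (135 and 175 both gain rule entries further down); either the file_id events are missing from the builtin rules section or the GID entry is premature, so confirm one or the other before release.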
* 119:32 (http_inspect) simple request
* 119:33 (http_inspect) unescaped space in HTTP URI
* 119:34 (http_inspect) too many pipelined requests
- * 119:35 (http_inspect) anomalous http server on undefined HTTP
+ * 119:101 (http_inspect) anomalous http server on undefined HTTP
port
- * 119:36 (http_inspect) invalid status code in HTTP response
- * 119:37 (http_inspect) unused event number—should not appear
- * 119:38 (http_inspect) HTTP response has UTF charset that failed
+ * 119:102 (http_inspect) invalid status code in HTTP response
+ * 119:103 (http_inspect) unused event number—should not appear
+ * 119:104 (http_inspect) HTTP response has UTF charset that failed
to normalize
- * 119:39 (http_inspect) HTTP response has UTF-7 charset
- * 119:40 (http_inspect) HTTP response gzip decompression failed
- * 119:41 (http_inspect) server consecutive small chunk sizes
- * 119:42 (http_inspect) unused event number—should not appear
- * 119:43 (http_inspect) javascript obfuscation levels exceeds 1
- * 119:44 (http_inspect) javascript whitespaces exceeds max allowed
- * 119:45 (http_inspect) multiple encodings within javascript
+ * 119:105 (http_inspect) HTTP response has UTF-7 charset
+ * 119:106 (http_inspect) HTTP response gzip decompression failed
+ * 119:107 (http_inspect) server consecutive small chunk sizes
+ * 119:108 (http_inspect) unused event number—should not appear
+ * 119:109 (http_inspect) javascript obfuscation levels exceeds 1
+ * 119:110 (http_inspect) javascript whitespaces exceeds max allowed
+ * 119:111 (http_inspect) multiple encodings within javascript
obfuscated data
- * 119:46 (http_inspect) SWF file zlib decompression failure
- * 119:47 (http_inspect) SWF file LZMA decompression failure
- * 119:48 (http_inspect) PDF file deflate decompression failure
- * 119:49 (http_inspect) PDF file unsupported compression type
- * 119:50 (http_inspect) PDF file cascaded compression
- * 119:51 (http_inspect) PDF file parse failure
- * 119:52 (http_inspect) not HTTP traffic
- * 119:53 (http_inspect) chunk length has excessive leading zeros
- * 119:54 (http_inspect) white space before or between messages
- * 119:55 (http_inspect) request message without URI
- * 119:56 (http_inspect) control character in reason phrase
- * 119:57 (http_inspect) illegal extra whitespace in start line
- * 119:58 (http_inspect) corrupted HTTP version
- * 119:59 (http_inspect) unknown HTTP version
- * 119:60 (http_inspect) format error in HTTP header
- * 119:61 (http_inspect) chunk header options present
- * 119:62 (http_inspect) URI badly formatted
- * 119:63 (http_inspect) unrecognized type of percent encoding in
+ * 119:112 (http_inspect) SWF file zlib decompression failure
+ * 119:113 (http_inspect) SWF file LZMA decompression failure
+ * 119:114 (http_inspect) PDF file deflate decompression failure
+ * 119:115 (http_inspect) PDF file unsupported compression type
+ * 119:116 (http_inspect) PDF file cascaded compression
+ * 119:117 (http_inspect) PDF file parse failure
+ * 119:201 (http_inspect) not HTTP traffic
+ * 119:202 (http_inspect) chunk length has excessive leading zeros
+ * 119:203 (http_inspect) white space before or between messages
+ * 119:204 (http_inspect) request message without URI
+ * 119:205 (http_inspect) control character in reason phrase
+ * 119:206 (http_inspect) illegal extra whitespace in start line
+ * 119:207 (http_inspect) corrupted HTTP version
+ * 119:208 (http_inspect) unknown HTTP version
+ * 119:209 (http_inspect) format error in HTTP header
+ * 119:210 (http_inspect) chunk header options present
+ * 119:211 (http_inspect) URI badly formatted
+ * 119:212 (http_inspect) unrecognized type of percent encoding in
URI
- * 119:64 (http_inspect) HTTP chunk misformatted
- * 119:65 (http_inspect) white space adjacent to chunk length
- * 119:66 (http_inspect) white space within header name
- * 119:67 (http_inspect) excessive gzip compression
- * 119:68 (http_inspect) gzip decompression failed
- * 119:69 (http_inspect) HTTP 0.9 requested followed by another
+ * 119:213 (http_inspect) HTTP chunk misformatted
+ * 119:214 (http_inspect) white space adjacent to chunk length
+ * 119:215 (http_inspect) white space within header name
+ * 119:216 (http_inspect) excessive gzip compression
+ * 119:217 (http_inspect) gzip decompression failed
+ * 119:218 (http_inspect) HTTP 0.9 requested followed by another
+ request
+ * 119:219 (http_inspect) HTTP 0.9 request following a normal
request
- * 119:70 (http_inspect) HTTP 0.9 request following a normal request
- * 119:71 (http_inspect) message has both Content-Length and
+ * 119:220 (http_inspect) message has both Content-Length and
Transfer-Encoding
- * 119:72 (http_inspect) status code implying no body combined with
+ * 119:221 (http_inspect) status code implying no body combined with
Transfer-Encoding or nonzero Content-Length
- * 119:73 (http_inspect) Transfer-Encoding not ending with chunked
- * 119:74 (http_inspect) Transfer-Encoding with encodings before
+ * 119:222 (http_inspect) Transfer-Encoding not ending with chunked
+ * 119:223 (http_inspect) Transfer-Encoding with encodings before
chunked
- * 119:75 (http_inspect) misformatted HTTP traffic
- * 119:76 (http_inspect) unsupported Content-Encoding used
- * 119:77 (http_inspect) unknown Content-Encoding used
- * 119:78 (http_inspect) multiple Content-Encodings applied
- * 119:79 (http_inspect) server response before client request
- * 119:80 (http_inspect) PDF/SWF decompression of server response
+ * 119:224 (http_inspect) misformatted HTTP traffic
+ * 119:225 (http_inspect) unsupported Content-Encoding used
+ * 119:226 (http_inspect) unknown Content-Encoding used
+ * 119:227 (http_inspect) multiple Content-Encodings applied
+ * 119:228 (http_inspect) server response before client request
+ * 119:229 (http_inspect) PDF/SWF decompression of server response
too big
- * 119:81 (http_inspect) nonprinting character in HTTP message
+ * 119:230 (http_inspect) nonprinting character in HTTP message
header name
- * 119:82 (http_inspect) bad Content-Length value in HTTP header
- * 119:83 (http_inspect) HTTP header line wrapped
- * 119:84 (http_inspect) HTTP header line terminated by CR without a
- LF
- * 119:85 (http_inspect) chunk terminated by nonstandard separator
- * 119:86 (http_inspect) chunk length terminated by LF without CR
- * 119:87 (http_inspect) more than one response with 100 status code
- * 119:88 (http_inspect) 100 status code not in response to Expect
+ * 119:231 (http_inspect) bad Content-Length value in HTTP header
+ * 119:232 (http_inspect) HTTP header line wrapped
+ * 119:233 (http_inspect) HTTP header line terminated by CR without
+ a LF
+ * 119:234 (http_inspect) chunk terminated by nonstandard separator
+ * 119:235 (http_inspect) chunk length terminated by LF without CR
+ * 119:236 (http_inspect) more than one response with 100 status
+ code
+ * 119:237 (http_inspect) 100 status code not in response to Expect
header
- * 119:89 (http_inspect) 1XX status code other than 100 or 101
- * 119:90 (http_inspect) Expect header sent without a message body
- * 119:91 (http_inspect) HTTP 1.0 message with Transfer-Encoding
+ * 119:238 (http_inspect) 1XX status code other than 100 or 101
+ * 119:239 (http_inspect) Expect header sent without a message body
+ * 119:240 (http_inspect) HTTP 1.0 message with Transfer-Encoding
header
- * 119:92 (http_inspect) Content-Transfer-Encoding used as HTTP
+ * 119:241 (http_inspect) Content-Transfer-Encoding used as HTTP
header
- * 119:93 (http_inspect) illegal field in chunked message trailers
- * 119:94 (http_inspect) header field inappropriately appears twice
+ * 119:242 (http_inspect) illegal field in chunked message trailers
+ * 119:243 (http_inspect) header field inappropriately appears twice
or has two values
- * 119:95 (http_inspect) invalid value chunked in Content-Encoding
+ * 119:244 (http_inspect) invalid value chunked in Content-Encoding
header
- * 119:96 (http_inspect) 206 response sent to a request without a
+ * 119:245 (http_inspect) 206 response sent to a request without a
Range header
- * 119:97 (http_inspect) HTTP in version field not all upper case
+ * 119:246 (http_inspect) HTTP in version field not all upper case
+ * 119:247 (http_inspect) white space embedded in critical header
+ value
+ * 119:248 (http_inspect) gzip compressed data followed by
+ unexpected non-gzip data
* 122:1 (port_scan) TCP portscan
* 122:2 (port_scan) TCP decoy portscan
* 122:3 (port_scan) TCP portsweep
* 134:1 (latency) rule tree suspended due to latency
* 134:2 (latency) rule tree re-enabled after suspend timeout
* 134:3 (latency) packet fastpathed due to latency
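Review bot: existing event_filter, suppress or rule-management entries keyed on 119:76 through 119:97 will silently stop matching after this renumbering, because every old SID moves by a constant +149 (119:76 becomes 119:225, 119:97 becomes 119:246) while 119:224, 119:247 and 119:248 are new with no predecessor; suggest the changelog carry an explicit old-to-new table rather than leaving operators to diff the list. Minor wording: the wrapped "without a LF" in 119:233 (as in the old 119:84) should read "without an LF".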
+ * 135:1 (stream) TCP SYN received
+ * 135:2 (stream) TCP session established
+ * 135:3 (stream) TCP session cleared
* 136:1 (reputation) packets blacklisted
* 136:2 (reputation) packets whitelisted
* 136:3 (reputation) packets monitored
* 145:5 (dnp3) DNP3 link-layer frame uses a reserved address
* 145:6 (dnp3) DNP3 application-layer fragment uses a reserved
function code
+ * 175:1 (domain_filter) configured domain detected
* 256:1 (dpx) too much data sent to port
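Review bot: the new 135:1 "TCP SYN received", 135:2 "TCP session established" and 135:3 "TCP session cleared" entries describe normal session lifecycle rather than anomalies, so the list should say whether they are disabled by default and what enabling them costs; as named, they would raise one event per TCP session, which a deployer needs to know before turning them on. For 175:1 "configured domain detected", suggest stating which part of the HTTP request is compared against the configured domains, since the matching domain_filter inspector entry added later in this change only says "alert on configured HTTP domains".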
--------------
+ * appid.enable_debug(proto, src_ip, src_port, dst_ip, dst_port):
+ enable appid debugging
+ * appid.disable_debug(): disable appid debugging
* packet_capture.enable(filter): dump raw packets
* packet_capture.disable(): stop packet dump
+ * packet_tracer.enable(proto, src_ip, src_port, dst_ip, dst_port):
+ enable packet tracer debugging
+ * packet_tracer.disable(): disable packet tracer
* snort.show_plugins(): show available plugins
* snort.delete_inspector(inspector): delete an inspector from the
default policy
* snort.reload_config(filename): load new configuration
* snort.reload_policy(filename): reload part or all of the default
policy
+ * snort.reload_module(module): reload module
* snort.reload_daq(): reload daq module
* snort.reload_hosts(filename): load a new hosts table
* snort.pause(): suspend packet processing
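Review bot: appid.enable_debug and packet_tracer.enable both take (proto, src_ip, src_port, dst_ip, dst_port), but neither entry documents the argument format: whether proto is a name or a number, whether addresses are strings, and whether a field can be left unset to act as a wildcard so one side of a flow can be selected without knowing all five values. Suggest one example invocation per command showing the expected types, and a sentence for snort.reload_module(module) saying whether it re-reads that module's configuration or only reloads the plugin, since "reload module" alongside reload_config and reload_policy is ambiguous.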
* dnp3_obj (ips_option): detection option to check DNP3 object
headers
* dns (inspector): dns inspection
+ * domain_filter (inspector): alert on configured HTTP domains
* dpx (inspector): dynamic inspector example
* dsize (ips_option): rule option to test payload size
* eapol (codec): support for extensible authentication protocol
number
* ipopts (ips_option): rule option to check for IP options
* ips (basic): configure IPS rule processing
- * ipv4 (codec): support for Internet protocol v4
- * ipv6 (codec): support for Internet protocol v6
+ * ipv4 (codec): support for Internet protocol v4 (DLT 228)
+ * ipv6 (codec): support for Internet protocol v6 (DLT 229)
* isdataat (ips_option): rule option to check for the presence of
payload data
* itype (ips_option): rule option to check ICMP type
* normalizer (inspector): packet scrubbing for inline mode
* output (basic): configure general output parameters
* packet_capture (inspector): raw packet dumping facility
+ * packet_tracer (basic): generate debug trace messages for packets
* packets (basic): configure basic packet handling
* pbb (codec): support for 802.1ah protocol
* pcre (ips_option): rule option for matching payload data with
* codec::icmp6: support for Internet control message protocol v6
* codec::icmp6_ip: support for IP in ICMPv6
* codec::igmp: support for Internet group management protocol
- * codec::ipv4: support for Internet protocol v4
- * codec::ipv6: support for Internet protocol v6
+ * codec::ipv4: support for Internet protocol v4 (DLT 228)
+ * codec::ipv6: support for Internet protocol v6 (DLT 229)
* codec::ipv6_dst_opts: support for ipv6 destination options
* codec::ipv6_frag: support for IPv6 fragment decoding
* codec::ipv6_hop_opts: support for IPv6 hop options
* codec::ppp_encap: support for point-to-point encapsulation
* codec::pppoe_disc: support for point-to-point discovery
* codec::pppoe_sess: support for point-to-point session
- * codec::raw4: support for unencapsulated IPv4 (DLT 12) (DLT 228)
- * codec::raw6: support for unencapsulated IPv6 (DLT 229)
+ * codec::raw: support for raw IP (DLT 12)
* codec::slip: support for slip protocol (DLT 8)
* codec::tcp: support for transmission control protocol
* codec::teredo: support for teredo
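Review bot: collapsing codec::raw4 (DLT 12, DLT 228) and codec::raw6 (DLT 229) into a single codec::raw described as "support for raw IP (DLT 12)" drops the statement that both address families are decoded behind DLT 12; suggest "support for raw IPv4 and IPv6 (DLT 12)" so a reader does not conclude IPv6 on DLT 12 is no longer handled. Moving DLT 228 and 229 onto the ipv4 and ipv6 codec entries is done consistently in both the module list and the plugin list, but it should be called out in the changelog for anyone whose DAQ reports those DLTs.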
* inspector::dce_udp: dce over udp inspection
* inspector::dnp3: dnp3 inspection
* inspector::dns: dns inspection
+ * inspector::domain_filter: alert on configured HTTP domains
* inspector::dpx: dynamic inspector example
* inspector::file_id: configure file identification
* inspector::file_log: log file event to file.log
* so_rule::3|18758: SO rule example
-20.13. Bugs
-
---------------
-
-20.13.1. Build
-
- * Enabling large pcap may erroneously affect the number of packets
- processed from pcaps.
- * Enabling debug messages may erroneously affect the number of
- packets processed from pcaps.
- * Building with clang and autotools on Linux will show the
- following warning many times. Please ignore.
-
- clang: warning: argument unused during compilation: '-pthread'
-
-20.13.2. Config
-
- * Parsing issue with IP lists. can’t parse rules with $EXTERNAL_NET
- defined as below because of the space between ! and 10.
-
- HOME_NET = [[ 10.0.17.0/24 10.0.14.0/24 10.247.0.0/16 10.246.0.0/16 ]]
- EXTERNAL_NET = '! ' .. HOME_NET
-
- * Multiple versions of luajit scripts are not handled correctly.
- The first loaded version will always be executed even though
- plugin manager saves the correct version.
- * When using -c and -L together, the last on the command line wins
- (-c -L will dump; -L -c will analyze).
- * Modules instantiated by command line only will not get default
- settings unless hard-coded. This notably applies to -A and -L
- options.
- * --lua can only be used in addition to, not in place of, a -c
- config. Ideally, --lua could be used in lieu of -c.
-
-20.13.3. Rules
-
- * metdata:service foo; metadata:service foo; won’t cause a
- duplicate service warning as does metadata:service foo, service
- foo;
- * ip_proto doesn’t work properly with reassembled packets so it
- can’t be used to restrict the protocol of service rules.
-
-20.13.4. snort2lua
-
- * uricontent:"foo"; content:"bar"; → http_uri; content:"foo";
- content:"bar"; (missing pkt_data)
- * stream_tcp ports and protocols both go into a single binder.when;
- this is incorrect as the when fields are logically anded together
- (ie must all be true). Should create 2 separate bindings.
- * There is a bug in pps_stream_tcp.cc.. when stream_tcp: is
- specified without any arguments, snort2lua doesn’t convert it.
- Same for stream_udp.
- * Loses the ip list delimiters [ ]; change to ( )
-
- in snort.conf: var HOME_NET [A,B,C]
- in snort.lua: HOME_NET = [[A B C]]
-
- * Won’t convert packet rules (alert tcp etc.) to service rules
- (alert http etc.).
- * alert_fast and alert_full: output configuration includes "file =
- foo.bar", but file is a bool and you cannot specify an output
- file name in the configuration.
-
-20.13.5. Runtime
-
- * -B <mask> feature does not work. It does ordinary IP address
- obfuscation instead of using the mask.
- * Obfuscation does not work for csv format.
- * The hext DAQ will append a newline to text lines (starting with "
- ).
- * The hext DAQ does not support embedded quotes in text lines (use
- hex lines as a workaround).
- * stream_tcp alert squash mechanism incorrectly squashes alerts for
- different TCP packets.
-
-
-20.14. LibDAQ and DAQ Modules
+20.13. LibDAQ and DAQ Modules
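Review bot: this hunk deletes the entire 20.13 Bugs section (Build, Config, Rules, snort2lua and Runtime) without saying which of the listed items are fixed; entries such as "-B <mask> feature does not work", "Obfuscation does not work for csv format", the hext DAQ newline and embedded-quote limits, "stream_tcp alert squash mechanism incorrectly squashes alerts for different TCP packets" and "ip_proto doesn't work properly with reassembled packets" are operationally relevant, and an operator who relied on this list cannot tell resolution from omission. Suggest listing resolved items in the changelog and keeping any still-open ones under a known-issues heading. The deletion also renumbers 20.14 "LibDAQ and DAQ Modules" to 20.13, which ripples through every subsection below it.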
--------------
This README summarizes the important things you need to know to use
the DAQ.
-20.14.1. Building the DAQ Library and DAQ Modules
+20.13.1. Building the DAQ Library and DAQ Modules
The DAQ is bundled with Snort but must be built first using these
steps:
./configure --help
-20.14.2. PCAP Module
+20.13.2. PCAP Module
pcap is the default DAQ. If snort is run w/o any DAQ arguments, it
will operate as it always did using this module. These are
* The pcap DAQ does not count filtered packets. *
-20.14.3. AFPACKET Module
+20.13.3. AFPACKET Module
afpacket functions similar to the pcap DAQ but with better
performance:
DAQ module due to its dependency on both TPACKET v2 and
PACKET_TX_RING support.
-20.14.3.1. Fanout (Kernel Loadbalancing)
+20.13.3.1. Fanout (Kernel Loadbalancing)
More recent Linux kernel versions (3.1+) support various kernel-space
loadbalancing methods within AFPacket configured using the
kernel source for more details on the different fanout types and
modifier flags.
-20.14.4. NFQ Module
+20.13.4. NFQ Module
NFQ is the new and improved way to process iptables packets:
Notes on iptables are given below.
-20.14.5. IPQ Module
+20.13.5. IPQ Module
IPQ is the old way to process iptables packets. It replaces the
inline version available in pre-2.9 versions built with this:
Notes on iptables are given below.
-20.14.6. IPFW Module
+20.13.6. IPFW Module
IPFW is available for BSD systems. It replaces the inline version
available in pre-2.9 versions built with this:
Notes on FreeBSD and OpenBSD are given below.
-20.14.7. Dump Module
+20.13.7. Dump Module
The dump DAQ allows you to test the various inline mode features
available in 2.9 Snort like injection and normalization.
./snort -r <pcap> -Q --daq dump --daq-var load-mode=read-file
./snort -i <device> -Q --daq dump --daq-var load-mode=passive
-20.14.8. Netmap Module
+20.13.8. Netmap Module
The netmap project is a framework for very high speed packet I/O. It
is available on both FreeBSD and Linux with varying amounts of
function (ifconfig em1 up promisc). The DAQ module does not currently
do either of these configuration steps for itself.
-20.14.8.1. FreeBSD
+20.13.8.1. FreeBSD
In FreeBSD 10.0, netmap has been integrated into the core OS. In
order to use it, you must recompile your kernel with the line
added to your kernel config.
-20.14.8.2. Linux
+20.13.8.2. Linux
You will need to download the netmap source code from the project’s
repository:
TODO: - Support for attaching to only a single ring (queue) on a
network adapter. - Support for VALE and netmap pipes.
-20.14.9. Notes on iptables
+20.13.9. Notes on iptables
These notes are just a quick reminder that you need to set up
iptables to use the IPQ or NFQ DAQs. Doing so may cause problems with
These DAQs should be run with a snaplen of 65535 since the kernel
defrags the packets before queuing. Also, no need to configure frag3.
-20.14.10. Notes on FreeBSD::IPFW
+20.13.10. Notes on FreeBSD::IPFW
Check the online manual at:
# after the TCP "established" rule.
${fwcmd} add divert 8000 all from any to any in via ${oif}
-20.14.11. Notes on OpenBSD::IPFW
+20.13.11. Notes on OpenBSD::IPFW
OpenBSD supports divert sockets as of 4.7, so we use the ipfw DAQ.
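Review bot: renumbering 20.14.1 through 20.14.11 to 20.13.x means every in-text cross-reference and generated anchor id for these subsections must be checked, or links into the DAQ notes will break silently. While this section is being touched, the retained text still uses Snort 2 terminology ("inline version available in pre-2.9 versions", "no need to configure frag3"); frag3 is the Snort 2 preprocessor name, so suggest updating those sentences to the Snort 3 equivalents or marking them as historical.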