The Snort Team
Revision History
-Revision 3.0.2 (Build 2) 2020-07-23 11:20:26 EDT TST
+Revision 3.0.2 (Build 4) 2020-08-06 08:06:49 EDT TST
---------------------------------------------------------------------
* enum hosts[].services[].proto = tcp: IP protocol { tcp | udp }
* port hosts[].services[].port: port number
+Peg counts:
+
+ * hosts.total_hosts: maximum number of entries in the host
+ attribute table (max)
+ * hosts.hosts_pruned: number of LRU hosts pruned due to configured
+ resource limits (sum)
+ * hosts.dynamic_host_adds: number of host additions after initial
+ host file load (sum)
+ * hosts.dynamic_service_adds: number of service additions after
+ initial host file load (sum)
+ * hosts.dynamic_service_updates: number of service updates after
+ initial host file load (sum)
+ * hosts.service_list_overflows: number of service additions that
+ failed due to configured resource limits (sum)
+
2.14. inspection
rules too)
* string ips.uuid = 00000000-0000-0000-0000-000000000000: IPS
policy uuid
+ * string ips.variables.$var: IPS policy variable
2.16. latency
thresholding (usec) { 0:max53 }
* bool latency.packet.fastpath = false: fastpath expensive packets
(max_time exceeded)
- * bool latency.packet.test_timeout = false: timeout on every packet
* int latency.rule.max_time = 500: set timeout for rule evaluation
(usec) { 0:max53 }
* bool latency.rule.suspend = false: temporarily suspend expensive
* int latency.rule.max_suspend_time = 30000: set max time for
suspending a rule (ms, 0 means permanently disable rule) {
0:max32 }
- * bool latency.rule.test_timeout = false: timeout on every rule
- evaluation
Rules:
* bool output.verbose = false: be verbose (same as -v)
* bool output.obfuscate = false: obfuscate the logged IP addresses
(same as -O)
- * bool output.wide_hex_dump = true: output 20 bytes per lines
+ * bool output.wide_hex_dump = false: output 20 bytes per lines
instead of 16 when dumping buffers
* payload_injector.http_injects: total number of http injections
(sum)
+ * payload_injector.http2_injects: total number of http2 injections
+ (sum)
2.23. process
* implied snort.--dirty-pig: don’t flush packets on shutdown
* string snort.--dump-builtin-rules: [<module prefix>] output stub
rules for selected modules { (optional) }
+ * implied snort.--dump-config-text: dump config in text format
* implied snort.--dump-dynamic-rules: output stub rules for all
loaded rules libraries
* string snort.--dump-defaults: [<module prefix>] output module
logdir instead of instance filename prefix
* implied snort.--id-zero: use id prefix / subdirectory even with
one packet thread
- * implied snort.--ignore-warn-flowbits: ignore warnings about
- flowbits that are checked but not set and vice-versa
- * implied snort.--ignore-warn-rules: ignore warnings about
- duplicate rules and rule parsing issues
* string snort.--include-path: <path> where to find Lua and rule
included files; searched before current or config directories
* implied snort.--list-buffers: output available inspection buffers
* implied snort.--nostamps: don’t include timestamps in log file
names
* implied snort.--nolock-pidfile: do not try to lock Snort PID file
+ * implied snort.--no-warn-flowbits: ignore warnings about flowbits
+ that are checked but not set and vice-versa
+ * implied snort.--no-warn-rules: ignore warnings about duplicate
+ rules and rule parsing issues
* implied snort.--pause: wait for resume/quit command before
processing packets/terminating
- * int snort.--pause-after-n: <count> pause after count packets {
- 1:max53 }
* string snort.--pcap-file: <file> file that contains a list of
pcaps to read - read mode is implied
* string snort.--pcap-list: <list> a space separated list of pcaps
* implied snort.--pcap-show: print a line saying what pcap is
currently being read
* implied snort.--pedantic: warnings are fatal
- * implied snort.--piglet: enable piglet test harness mode
* string snort.--plugin-path: <path> a colon separated list of
directories or plugin libraries
* implied snort.--process-all-events: process all action groups
* implied snort.--treat-drop-as-ignore: use drop, block, and reset
rules to ignore session traffic when not inline
* string snort.--tweaks: tune configuration
- * string snort.--catch-test: comma separated list of cat unit test
- tags or all
* implied snort.--version: show version number (same as -V)
* implied snort.--warn-all: enable all warnings
* implied snort.--warn-conf: warn about configuration issues
{ 0x00:0xFF }
* string snort.--x2s: output ASCII string for given byte code (see
also --x2c)
- * implied snort.--trace: turn on main loop debug trace
Commands:
Configuration:
- * int trace.modules.latency.all: enable all trace options { 0:255 }
- * int trace.modules.snort.all: enable all trace options { 0:255 }
- * int trace.modules.snort.main: enable main trace logging { 0:255 }
- * int trace.modules.snort.inspector_manager: enable inspector
- manager trace logging { 0:255 }
+ * int trace.modules.appid.all: enable all trace options { 0:255 }
+ * int trace.modules.dce_smb.all: enable all trace options { 0:255 }
+ * int trace.modules.dce_udp.all: enable all trace options { 0:255 }
+ * int trace.modules.decode.all: enable all trace options { 0:255 }
* int trace.modules.detection.all: enable all trace options { 0:255
}
* int trace.modules.detection.detect_engine: enable detection
logging { 0:255 }
* int trace.modules.detection.tag: enable tag trace logging { 0:255
}
+ * int trace.modules.gtp_inspect.all: enable all trace options {
+ 0:255 }
+ * int trace.modules.latency.all: enable all trace options { 0:255 }
+ * int trace.modules.snort.all: enable all trace options { 0:255 }
+ * int trace.modules.snort.main: enable main trace logging { 0:255 }
+ * int trace.modules.snort.inspector_manager: enable inspector
+ manager trace logging { 0:255 }
+ * int trace.modules.stream.all: enable all trace options { 0:255 }
* int trace.modules.stream_ip.all: enable all trace options { 0:255
}
* int trace.modules.stream_user.all: enable all trace options {
0:255 }
* int trace.modules.wizard.all: enable all trace options { 0:255 }
- * int trace.modules.dce_smb.all: enable all trace options { 0:255 }
- * int trace.modules.dce_udp.all: enable all trace options { 0:255 }
- * int trace.modules.decode.all: enable all trace options { 0:255 }
- * int trace.modules.stream.all: enable all trace options { 0:255 }
- * int trace.modules.gtp_inspect.all: enable all trace options {
- 0:255 }
- * int trace.modules.appid.all: enable all trace options { 0:255 }
* int trace.constraints.ip_proto: numerical IP protocol ID filter {
0:255 }
* string trace.constraints.src_ip: source IP address filter
Configuration:
- * int appid.first_decrypted_packet_debug = 0: the first packet of
- an already decrypted SSL flow (debug single session only) {
- 0:max32 }
* int appid.memcap = 1048576: max size of the service cache before
we start pruning the cache { 1024:maxSZ }
* bool appid.log_stats = false: enable logging of appid statistics
on startup
* bool appid.log_all_sessions = false: enable logging of all appid
sessions
- * bool appid.load_odp_detectors_in_ctrl = false: load odp detectors
- in control thread
Commands:
enable appid debugging
* appid.disable_debug(): disable appid debugging
* appid.reload_third_party(): reload appid third-party module
+ * appid.reload_odp(): reload appid open detector package
Peg counts:
the service cache (sum)
* appid.service_cache_removes: number of times an item was removed
from the service cache (sum)
+ * appid.odp_reload_ignored_pkts: count of packets ignored after
+ open detector package is reloaded (sum)
+ * appid.tp_reload_ignored_pkts: count of packets ignored after
+ third-party module is reloaded (sum)
5.2. appid_listener
Usage: inspect
-Configuration:
-
- * bool http2_inspect.test_input = false: read HTTP/2 messages from
- text file
- * bool http2_inspect.test_output = false: print out HTTP section
- data
- * int http2_inspect.print_amount = 1200: number of characters to
- print from a Field { 1:max53 }
- * bool http2_inspect.print_hex = false: nonprinting characters
- printed in [HH] format instead of using an asterisk
- * bool http2_inspect.show_pegs = true: display peg counts with test
- output
- * bool http2_inspect.show_scan = false: display scanned segments
-
Rules:
* 121:1 (http2_inspect) error in HPACK integer value
normalizing URIs
* bool http_inspect.simplify_path = true: reduce URI directory path
to simplest form
- * bool http_inspect.test_input = false: read HTTP messages from
- text file
- * bool http_inspect.test_output = false: print out HTTP section
- data
- * int http_inspect.print_amount = 1200: number of characters to
- print from a Field { 1:max53 }
- * bool http_inspect.print_hex = false: nonprinting characters
- printed in [HH] format instead of using an asterisk
- * bool http_inspect.show_pegs = true: display peg counts with test
- output
- * bool http_inspect.show_scan = false: display scanned segments
Rules:
Configuration:
- * int stream.footprint = 0: use zero for production, non-zero for
- testing at given size (for TCP and user) { 0:max32 }
* bool stream.ip_frags_only = false: don’t process non-frag flows
* int stream.max_flows = 476288: maximum simultaneous flows tracked
before pruning { 2:max32 }
* --dirty-pig don’t flush packets on shutdown
* --dump-builtin-rules [<module prefix>] output stub rules for
selected modules (optional)
+ * --dump-config-text dump config in text format
* --dump-dynamic-rules output stub rules for all loaded rules
libraries
* --dump-defaults [<module prefix>] output module defaults in Lua
of instance filename prefix
* --id-zero use id prefix / subdirectory even with one packet
thread
- * --ignore-warn-flowbits ignore warnings about flowbits that are
- checked but not set and vice-versa
- * --ignore-warn-rules ignore warnings about duplicate rules and
- rule parsing issues
* --include-path <path> where to find Lua and rule included files;
searched before current or config directories
* --list-buffers output available inspection buffers
string in metadata if set
* --nostamps don’t include timestamps in log file names
* --nolock-pidfile do not try to lock Snort PID file
+ * --no-warn-flowbits ignore warnings about flowbits that are
+ checked but not set and vice-versa
+ * --no-warn-rules ignore warnings about duplicate rules and rule
+ parsing issues
* --pause wait for resume/quit command before processing packets/
terminating
- * --pause-after-n <count> pause after count packets (1:max53)
* --pcap-file <file> file that contains a list of pcaps to read -
read mode is implied
* --pcap-list <list> a space separated list of pcaps to read - read
file or directory
* --pcap-show print a line saying what pcap is currently being read
* --pedantic warnings are fatal
- * --piglet enable piglet test harness mode
* --plugin-path <path> a colon separated list of directories or
plugin libraries
* --process-all-events process all action groups
* --treat-drop-as-ignore use drop, block, and reset rules to ignore
session traffic when not inline
* --tweaks tune configuration
- * --catch-test comma separated list of cat unit test tags or all
* --version show version number (same as -V)
* --warn-all enable all warnings
* --warn-conf warn about configuration issues
* --x2c output ASCII char for given hex (see also --c2x)
(0x00:0xFF)
* --x2s output ASCII string for given byte code (see also --x2c)
- * --trace turn on main loop debug trace
11.4. Configuration
logging appid statistics { 1:max32 }
* int appid.app_stats_rollover_size = 20971520: max file size for
appid stats before rolling over the log file { 0:max32 }
- * int appid.first_decrypted_packet_debug = 0: the first packet of
- an already decrypted SSL flow (debug single session only) {
- 0:max32 }
* bool appid.list_odp_detectors = false: enable logging of odp
detectors statistics
- * bool appid.load_odp_detectors_in_ctrl = false: load odp detectors
- in control thread
* bool appid.log_all_sessions = false: enable logging of all appid
sessions
* bool appid.log_stats = false: enable logging of appid statistics
* port host_tracker[].services[].port: port number
* enum host_tracker[].services[].proto: IP protocol { ip | tcp |
udp }
- * int http2_inspect.print_amount = 1200: number of characters to
- print from a Field { 1:max53 }
- * bool http2_inspect.print_hex = false: nonprinting characters
- printed in [HH] format instead of using an asterisk
- * bool http2_inspect.show_pegs = true: display peg counts with test
- output
- * bool http2_inspect.show_scan = false: display scanned segments
- * bool http2_inspect.test_input = false: read HTTP/2 messages from
- text file
- * bool http2_inspect.test_output = false: print out HTTP section
- data
* implied http_cookie.request: match against the cookie from the
request message even when examining the response
* implied http_cookie.with_body: parts of this rule examine HTTP
encodings
* bool http_inspect.plus_to_space = true: replace + with <sp> when
normalizing URIs
- * int http_inspect.print_amount = 1200: number of characters to
- print from a Field { 1:max53 }
- * bool http_inspect.print_hex = false: nonprinting characters
- printed in [HH] format instead of using an asterisk
* int http_inspect.request_depth = -1: maximum request message body
bytes to examine (-1 no limit) { -1:max53 }
* int http_inspect.response_depth = -1: maximum response message
body bytes to examine (-1 no limit) { -1:max53 }
- * bool http_inspect.show_pegs = true: display peg counts with test
- output
- * bool http_inspect.show_scan = false: display scanned segments
* bool http_inspect.simplify_path = true: reduce URI directory path
to simplest form
- * bool http_inspect.test_input = false: read HTTP messages from
- text file
- * bool http_inspect.test_output = false: print out HTTP section
- data
* bool http_inspect.unzip = true: decompress gzip and deflate
message bodies
* bool http_inspect.utf8_bare_byte = false: when doing UTF-8
rules too)
* string ips.uuid = 00000000-0000-0000-0000-000000000000: IPS
policy uuid
+ * string ips.variables.$var: IPS policy variable
* string isdataat.~length: num | !num
* implied isdataat.relative: offset from cursor instead of start of
buffer
(max_time exceeded)
* int latency.packet.max_time = 500: set timeout for packet latency
thresholding (usec) { 0:max53 }
- * bool latency.packet.test_timeout = false: timeout on every packet
* int latency.rule.max_suspend_time = 30000: set max time for
suspending a rule (ms, 0 means permanently disable rule) {
0:max32 }
rules
* int latency.rule.suspend_threshold = 5: set threshold for number
of timeouts before suspending a rule { 1:max32 }
- * bool latency.rule.test_timeout = false: timeout on every rule
- evaluation
* bool log_codecs.file = false: output to log_codecs.txt instead of
stdout
* bool log_codecs.msg = false: include alert msg
* int output.tagged_packet_limit = 256: maximum number of packets
tagged for non-packet metrics { 0:max32 }
* bool output.verbose = false: be verbose (same as -v)
- * bool output.wide_hex_dump = true: output 20 bytes per lines
+ * bool output.wide_hex_dump = false: output 20 bytes per lines
instead of 16 when dumping buffers
* bool packet_capture.enable = false: initially enable packet
dumping
* string snort.--bpf: <filter options> are standard BPF options, as
seen in TCPDump
* string snort.--c2x: output hex for given char (see also --x2c)
- * string snort.--catch-test: comma separated list of cat unit test
- tags or all
* string snort.-c: <conf> use this configuration
* string snort.--control-socket: <file> to create unix socket
* implied snort.-C: print out payloads with character data only (no
* implied snort.-D: run Snort in background (daemon) mode
* string snort.--dump-builtin-rules: [<module prefix>] output stub
rules for selected modules { (optional) }
+ * implied snort.--dump-config-text: dump config in text format
* string snort.--dump-defaults: [<module prefix>] output module
defaults in Lua format { (optional) }
* implied snort.--dump-dynamic-rules: output stub rules for all
logdir instead of instance filename prefix
* implied snort.--id-zero: use id prefix / subdirectory even with
one packet thread
- * implied snort.--ignore-warn-flowbits: ignore warnings about
- flowbits that are checked but not set and vice-versa
- * implied snort.--ignore-warn-rules: ignore warnings about
- duplicate rules and rule parsing issues
* string snort.-i: <iface>… list of interfaces
* string snort.--include-path: <path> where to find Lua and rule
included files; searched before current or config directories
* implied snort.--nolock-pidfile: do not try to lock Snort PID file
* implied snort.--nostamps: don’t include timestamps in log file
names
+ * implied snort.--no-warn-flowbits: ignore warnings about flowbits
+ that are checked but not set and vice-versa
+ * implied snort.--no-warn-rules: ignore warnings about duplicate
+ rules and rule parsing issues
* implied snort.-O: obfuscate the logged IP addresses
* string snort.-?: <option prefix> output matching command line
option quick help (same as --help-options) { (optional) }
- * int snort.--pause-after-n: <count> pause after count packets {
- 1:max53 }
* implied snort.--pause: wait for resume/quit command before
processing packets/terminating
* string snort.--pcap-dir: <dir> a directory to recurse to look for
* implied snort.--pcap-show: print a line saying what pcap is
currently being read
* implied snort.--pedantic: warnings are fatal
- * implied snort.--piglet: enable piglet test harness mode
* string snort.--plugin-path: <path> a colon separated list of
directories or plugin libraries
* implied snort.--process-all-events: process all action groups
talos)
* string snort.-t: <dir> chroots process to <dir> after
initialization
- * implied snort.--trace: turn on main loop debug trace
* implied snort.--treat-drop-as-alert: converts drop, block, and
reset rules into alert rules when loaded
* implied snort.--treat-drop-as-ignore: use drop, block, and reset
* int stream.file_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 }
* bool stream_file.upload = false: indicate file transfer direction
- * int stream.footprint = 0: use zero for production, non-zero for
- testing at given size (for TCP and user) { 0:max32 }
* int stream.held_packet_timeout = 1000: timeout in milliseconds
for held packets { 1:max32 }
* int stream.icmp_cache.cap_weight = 0: additional bytes to track
* appid.appid_unknown: count of sessions where appid could not be
determined (sum)
* appid.ignored_packets: count of packets ignored (sum)
+ * appid.odp_reload_ignored_pkts: count of packets ignored after
+ open detector package is reloaded (sum)
* appid.packets: count of packets received (sum)
* appid.processed_packets: count of packets processed (sum)
* appid.service_cache_adds: number of times an entry was added to
* appid.service_cache_removes: number of times an item was removed
from the service cache (sum)
* appid.total_sessions: count of sessions created (sum)
+ * appid.tp_reload_ignored_pkts: count of packets ignored after
+ third-party module is reloaded (sum)
* arp_spoof.packets: total packets (sum)
* back_orifice.packets: total packets (sum)
* binder.allows: allow bindings (sum)
during reload (sum)
* host_cache.removes: lru cache found entry and removed it (sum)
* host_cache.replaced: lru cache found entry and replaced it (sum)
+ * hosts.dynamic_host_adds: number of host additions after initial
+ host file load (sum)
+ * hosts.dynamic_service_adds: number of service additions after
+ initial host file load (sum)
+ * hosts.dynamic_service_updates: number of service updates after
+ initial host file load (sum)
+ * hosts.hosts_pruned: number of LRU hosts pruned due to configured
+ resource limits (sum)
+ * hosts.service_list_overflows: number of service additions that
+ failed due to configured resource limits (sum)
+ * hosts.total_hosts: maximum number of entries in the host
+ attribute table (max)
* host_tracker.service_adds: host service adds (sum)
* host_tracker.service_finds: host service finds (sum)
* http2_inspect.concurrent_sessions: total concurrent HTTP/2
* packet_capture.captured: packets matching dumped after matching
filter (sum)
* packet_capture.processed: packets processed against filter (sum)
+ * payload_injector.http2_injects: total number of http2 injections
+ (sum)
* payload_injector.http_injects: total number of http injections
(sum)
* pcre.pcre_native: total pcre rules compiled by pcre engine (sum)
enable appid debugging
* appid.disable_debug(): disable appid debugging
* appid.reload_third_party(): reload appid third-party module
+ * appid.reload_odp(): reload appid open detector package
* host_cache.dump(file_name): dump host cache
* packet_capture.enable(filter): dump raw packets
* packet_capture.disable(): stop packet dump
* logger::log_null: disable logging of packets
* logger::log_pcap: log packet in pcap format
* logger::unified2: output event and packet in unified2 format file
- * piglet::pp_codec: Codec piglet
- * piglet::pp_inspector: Inspector piglet
- * piglet::pp_ips_action: Ips action piglet
- * piglet::pp_ips_option: Ips option piglet
- * piglet::pp_logger: Logger piglet
- * piglet::pp_search_engine: Search engine piglet
- * piglet::pp_so_rule: SO rule piglet
- * piglet::pp_test: Test piglet
* search_engine::ac_banded: Aho-Corasick Banded (high memory,
moderate performance)
* search_engine::ac_bnfa: Aho-Corasick Binary NFA (low memory, high
The Snort Team
Revision History
-Revision 3.0.2 (Build 2) 2020-07-23 11:19:59 EDT TST
+Revision 3.0.2 (Build 4) 2020-08-06 08:06:38 EDT TST
---------------------------------------------------------------------
5.2. AppId
5.3. Binder
5.4. Byte rule options
- 5.5. DCE Inspectors
- 5.6. File Processing
- 5.7. High Availability
- 5.8. FTP
- 5.9. HTTP Inspector
- 5.10. HTTP/2 Inspector
- 5.11. Performance Monitor
- 5.12. POP and IMAP
- 5.13. Port Scan
- 5.14. Sensitive Data Filtering
- 5.15. SMTP
- 5.16. Telnet
- 5.17. Trace
- 5.18. Wizard
+ 5.5. Consolidated Config
+ 5.6. DCE Inspectors
+ 5.7. File Processing
+ 5.8. High Availability
+ 5.9. FTP
+ 5.10. HTTP Inspector
+ 5.11. HTTP/2 Inspector
+ 5.12. Performance Monitor
+ 5.13. POP and IMAP
+ 5.14. Port Scan
+ 5.15. Sensitive Data Filtering
+ 5.16. SMTP
+ 5.17. Telnet
+ 5.18. Trace
+ 5.19. Wizard
6. DAQ Configuration and Modules
byte_test:4,>,200,36;
-5.5. DCE Inspectors
+5.5. Consolidated Config
+
+--------------
+
+Using Consolidated Config output enables troubleshooting of
+configuration issues. The output contains applied configurations (
+defaults and configured ) and is printed for the main config and all
+included policies. So far, Snort supports output in text format.
+
+5.5.1. Text Format
+
+The --dump-config-text option verifies the configuration and dumps it
+to stdout in text format.
+
+Example:
+
+consolidated config for snort.lua
+binder[0].when.ips_policy_id=0
+binder[0].when.role='any'
+binder[0].when.nets='10.1.2.0/24'
+binder[0].use.action='inspect'
+binder[1].when.ips_policy_id=0
+binder[1].when.role='any'
+binder[1].when.nets='192.168.2.0/24'
+binder[1].use.action='inspect'
+host_cache.memcap=8.38861e+06
+network.checksum_drop='none'
+network.checksum_eval='all'
+network.max_ip_layers=0
+process.daemon=false
+process.dirty_pig=false
+process.utc=false
+stream_tcp.flush_factor=0
+stream_tcp.max_window=0
+stream_tcp.overlap_limit=0
+stream_tcp.max_pdu=16384
+stream.footprint=0
+stream.ip_frags_only=false
+trace.modules.appid.all=1
+trace.modules.detection.opt_tree=2
+trace.modules.detection.fp_search=4
+trace.modules.detection.rule_eval=1
+trace.modules.wizard.all=1
+trace.constraints.match=true
+trace.constraints.dst_ip='10.1.1.2'
+trace.constraints.dst_port=200
+trace.constraints.src_port=100
+trace.constraints.ip_proto=17
+trace.output='stdout'
+wizard.spells[0].proto='tcp'
+wizard.spells[0].client_first=true
+wizard.spells[0].service='http'
+wizard.spells[0].to_client[0].spell='HTTP/'
+wizard.spells[0].to_server[0].spell='GET'
+wizard.spells[1].proto='tcp'
+wizard.spells[1].client_first=true
+wizard.spells[1].service='sip'
+wizard.spells[1].to_server[0].spell='INVITE'
+
+For lists, the index next to the option name designates an element
+parsing order.
+
+
+5.6. DCE Inspectors
--------------
and DCE/RPC defragmentation to avoid rule evasion using these
techniques.
-5.5.1. Overview
+5.6.1. Overview
The following transports are supported for DCE/RPC: SMB, TCP, and
UDP. New rule options have been implemented to improve performance,
address/port mapping is handled by the binder. Autodetect
functionality is replaced by wizard curses.
-5.5.2. Quick Guide
+5.6.2. Quick Guide
A typical dcerpce configuration looks like this:
In this example, it defines smb, tcp and udp inspectors based on
port. All the configurations are default.
-5.5.3. Target Based
+5.6.3. Target Based
There are enough important differences between Windows and Samba
versions that a target based approach has been implemented. Some
* Samba-3.0.22
* Samba-3.0.20
-5.5.4. Reassembling
+5.6.4. Reassembling
Both SMB inspector and TCP inspector support reassemble. Reassemble
threshold specifies a minimum number of bytes in the DCE/RPC
argument to this option will, in effect, disable this option. Default
is disabled.
-5.5.5. SMB
+5.6.5. SMB
SMB inspector is one of the most complex inspectors. In addition to
supporting rule options and lots of inspector rule events, it also
supports file processing for both SMB version 1, 2, and 3.
-5.5.5.1. Finger Print Policy
+5.6.5.1. Finger Print Policy
In the initial phase of an SMB session, the client needs to
authenticate with a SessionSetupAndX. Both the request and response
inspector to dynamically set the policy for a session which allows
for better protection against Windows and Samba specific evasions.
-5.5.5.2. File Inspection
+5.6.5.2. File Inspection
SMB inspector supports file inspection. A typical configuration looks
like this:
unlimited. Default is "off", i.e. no SMB file inspection is done in
the inspector.
-5.5.6. TCP
+5.6.6. TCP
dce_tcp inspector supports defragmentation, reassembling, and policy
that is similar to SMB.
-5.5.7. UDP
+5.6.7. UDP
dce_udp is a very simple inspector that only supports defragmentation
-5.5.8. Rule Options
+5.6.8. Rule Options
New rule options are supported by enabling the dcerpc2 inspectors:
* byte_test: dce
* byte_jump: dce
-5.5.8.1. dce_iface
+5.6.8.1. dce_iface
For DCE/RPC based rules it has been necessary to set flow-bits based
on a client bind to a service to avoid false positives. It is
fast_pattern rule option, it will unequivocally be used over the
above mentioned patterns.
-5.5.8.2. dce_opnum
+5.6.8.2. dce_opnum
The opnum represents a specific function call to an interface. After
is has been determined that a client has bound to a specific
specified with this option. This option matches if any one of the
opnums specified match the opnum of the DCE/RPC request.
-5.5.8.3. dce_stub_data
+5.6.8.3. dce_stub_data
Since most DCE/RPC based rules had to do protocol decoding only to
get to the DCE/RPC stub data, i.e. the remote procedure call or
start of the stub data buffer. To leave the stub data buffer and
return to the main payload buffer, use the "pkt_data" rule option.
-5.5.8.4. byte_test and byte_jump
+5.6.8.4. byte_test and byte_jump
A DCE/RPC request can specify whether numbers are represented in big
or little endian. These rule options will take as a new argument
"hex", "dec", "oct" and "from_beginning"
-5.6. File Processing
+5.7. File Processing
--------------
will provide file type identification, file signature creation, and
file capture capabilities to help users deal with those challenges.
-5.6.1. Overview
+5.7.1. Overview
There are two parts of file services: file APIs and file policy. File
APIs provides all the file inspection functionalities, such as file
* Supported protocols: HTTP, SMTP, IMAP, POP3, FTP, and SMB.
* Supported file signature calculation: SHA256
-5.6.2. Quick Guide
+5.7.2. Quick Guide
A very simple configuration has been included in lua/snort.lua file.
A typical file configuration looks like this:
* At last, enable file_log to get detailed information about file
event
-5.6.3. Pre-packaged File Magic Rules
+5.7.3. Pre-packaged File Magic Rules
A set of file magic rules is packaged with Snort. They can be located
at "lua/file_magic.lua". To use this feature, it is recommended that
In this case, two magics look at the beginning of the file. You can
use character if it is printable or hex value in between "|".
-5.6.4. File Policy
+5.7.4. File Policy
You can enabled file type, file signature, or file capture by
configuring file_id. In addition, you can enable trace to see file
* For all file types identified, they will be logged with
signature, and also captured onto log folder.
-5.6.5. File Capture
+5.7.5. File Capture
File can be captured and stored to log folder. We use SHA as file
name instead of actual file name to avoid conflicts. You can capture
The above rule will enable PDF file capture.
-5.6.6. File Events
+5.7.6. File Events
File inspect preprocessor also works as a dynamic output plugin for
file events. It logs basic information about file. The log file is in
[Size: 1039328]
-5.7. High Availability
+5.8. High Availability
--------------
High Availability includes the HA flow synchronization and the
SideChannel messaging subsystems.
-5.7.1. HA
+5.8.1. HA
HighAvailability (or HA) is a Snort module that provides state
coherency between two partner snort instances. It uses SideChannel
messages while the ancillary module content is only present when
requested via a status change request.
-5.7.2. Connector
+5.8.2. Connector
Connectors are a set of modules that are used to exchange
message-oriented data among Snort threads and the external world. A
Connectors are a Snort plugin type.
-5.7.2.1. Connector (parent plugin class)
+5.8.2.1. Connector (parent plugin class)
Connectors may either be a simplex channel and perform unidirectional
communications. Or may be duplex and perform bidirectional
* FileConnector - Write messages to files and read messages from
files.
-5.7.2.2. TcpConnector
+5.8.2.2. TcpConnector
TcpConnector is a subclass of Connector and implements a DUPLEX type
Connector, able to send and receive messages over a tcp session.
},
}
-5.7.2.3. FileConnector
+5.8.2.3. FileConnector
FileConnector implements a Connector that can either read from files
or write to files. FileConnector’s are simplex and must be configured
},
}
-5.7.3. Side Channel
+5.8.3. Side Channel
SideChannel is a Snort module that uses Connectors to implement a
messaging infrastructure that is used to communicate between Snort
}
-5.8. FTP
+5.9. FTP
--------------
determine when an FTP command connection is encrypted, and determine
when an FTP data channel is opened.
-5.8.1. Configuring the inspector to block exploits and attacks
+5.9.1. Configuring the inspector to block exploits and attacks
-5.8.1.1. ftp_server configuration
+5.9.1.1. ftp_server configuration
* ftp_cmds
If your rule set includes virus-type rules, it is recommended that
this option not be used.
-5.8.1.2. ftp_client configuration
+5.9.1.2. ftp_client configuration
* max_resp_len
command channel. Some FTP clients do not process those telnet escape
sequences.
-5.8.1.3. ftp_data
+5.9.1.3. ftp_data
In order to enable file inspection for ftp, the following should be
added to the configuration:
ftp_data = {}
-5.9. HTTP Inspector
+5.10. HTTP Inspector
--------------
One of the major undertakings for Snort 3 is developing a completely
new HTTP inspector.
-5.9.1. Overview
+5.10.1. Overview
You can configure it by adding:
to be a date then normalization means put that date in a standard
format.
-5.9.2. Configuration
+5.10.2. Configuration
Configuration can be as simple as adding:
that provide extra features, tweak how things are done, or conserve
resources by doing less.
-5.9.2.1. request_depth and response_depth
+5.10.2.1. request_depth and response_depth
These replace the flow depth parameters used by the old HTTP
inspector but they work differently.
These limits have no effect on how much data is forwarded to file
processing.
-5.9.2.2. detained_inspection
+5.10.2.2. detained_inspection
Detained inspection is an experimental feature currently under
development. It enables Snort to more quickly detect and block
This feature is off by default. detained_inspection = true will
activate it.
-5.9.2.3. gzip
+5.10.2.3. gzip
http_inspect by default decompresses deflate and gzip message bodies
before inspecting them. This feature can be turned off by unzip =
meaningful inspection of message bodies will be possible. Effectively
HTTP processing would be limited to the headers.
-5.9.2.4. normalize_utf
+5.10.2.4. normalize_utf
http_inspect will decode utf-8, utf-7, utf-16le, utf-16be, utf-32le,
and utf-32be in response message bodies based on the Content-Type
header. This feature is on by default: normalize_utf = false will
deactivate it.
-5.9.2.5. decompress_pdf
+5.10.2.5. decompress_pdf
decompress_pdf = true will enable decompression of compressed
portions of PDF files encountered in a response body. http_inspect
content is decompressed and made available through the file data rule
option.
-5.9.2.6. decompress_swf
+5.10.2.6. decompress_swf
decompress_swf = true will enable decompression of compressed SWF
(Adobe Flash content) files encountered in a response body. The
through the file data rule option. The compressed SWF file signature
is converted to FWS to indicate an uncompressed file.
-5.9.2.7. normalize_javascript
+5.10.2.7. normalize_javascript
normalize_javascript = true will enable normalization of JavaScript
within the HTTP response body. http_inspect looks for JavaScript by
replaces consecutive whitespaces with a single space and normalizes
the plus by concatenating the strings.
-5.9.2.8. URI processing
+5.10.2.8. URI processing
Normalization and inspection of the URI in the HTTP request message
is a key aspect of what http_inspect does. The best way to normalize
backslash_to_slash is turned on by default. It replaces all the
backslashes with slashes during normalization.
-5.9.3. CONNECT processing
+5.10.3. CONNECT processing
The HTTP CONNECT method is used by a client to establish a tunnel to
a destination via an HTTP proxy server. If the connection is
any early client-to-server traffic, but will continue normal HTTP
processing of the flow regardless of the eventual server response.
-5.9.4. Detection rules
+5.10.4. Detection rules
http_inspect parses HTTP messages into their components and makes
them available to the detection engine through rule options. Let’s
In addition to the headers there are rule options for virtually every
part of the HTTP message.
-5.9.4.1. http_uri and http_raw_uri
+5.10.4.1. http_uri and http_raw_uri
These provide the URI of the request message. The raw form is exactly
as it appeared in the message and the normalized form is determined
Nothing here is intended to conflict with the technical language of
the HTTP RFCs and the implementation follows the RFCs.
-5.9.4.2. http_header and http_raw_header
+5.10.4.2. http_header and http_raw_header
These cover all the header lines except the first one. You may
specify an individual header by name using the field option as shown
and accurate rule. It is recommended that new rules be written using
individual headers whenever possible.
-5.9.4.3. http_trailer and http_raw_trailer
+5.10.4.3. http_trailer and http_raw_trailer
HTTP permits header lines to appear after a chunked body ends.
Typically they contain information about the message content that was
rule to inspect both kinds of headers you need to write two rules,
one using header and one using trailer.
-5.9.4.4. http_cookie and http_raw_cookie
+5.10.4.4. http_cookie and http_raw_cookie
These provide the value of the Cookie header for a request message
and the Set-Cookie for a response message. If multiple cookies are
Normalization for http_cookie is the same URI-style normalization
applied to http_header when no specific header is specified.
-5.9.4.5. http_true_ip
+5.10.4.5. http_true_ip
This provides the original IP address of the client sending the
request as it was stored by a proxy in the request message headers.
or True-Client-IP header. If both headers are present the former is
used.
-5.9.4.6. http_client_body
+5.10.4.6. http_client_body
This is the body of a request message such as POST or PUT.
Normalization for http_client_body is the same URI-like normalization
applied to http_header when no specific header is specified.
-5.9.4.7. http_raw_body
+5.10.4.7. http_raw_body
This is the body of a request or response message. It will be
dechunked and unzipped if applicable but will not be normalized in
header, but http_raw_body is limited to the message body. Thus the
latter is more efficient and more accurate for most uses.
-5.9.4.8. http_method
+5.10.4.8. http_method
The method field of a request message. Common values are "GET",
"POST", "OPTIONS", "HEAD", "DELETE", "PUT", "TRACE", and "CONNECT".
-5.9.4.9. http_stat_code
+5.10.4.9. http_stat_code
The status code field of a response message. This is normally a
3-digit number between 100 and 599. In this example it is 200.
HTTP/1.1 200 OK
-5.9.4.10. http_stat_msg
+5.10.4.10. http_stat_msg
The reason phrase field of a response message. This is the
human-readable text following the status code. "OK" in the previous
example.
-5.9.4.11. http_version
+5.10.4.11. http_version
The protocol version information that appears on the first line of an
HTTP message. This is usually "HTTP/1.0" or "HTTP/1.1".
-5.9.4.12. http_raw_request and http_raw_status
+5.10.4.12. http_raw_request and http_raw_status
These are the unmodified first header line of the HTTP request and
response messages respectively. These rule options are a safety valve
http_raw_uri, and http_version. For a response message those are
http_version, http_stat_code, and http_stat_msg.
-5.9.4.13. file_data and packet data
+5.10.4.13. file_data and packet data
file_data contains the normalized message body. This is the
normalization described above under gzip, normalize_utf,
The unnormalized message content is available in the packet data. If
gzip is configured the packet data will be unzipped.
-5.9.5. Timing issues and combining rule options
+5.10.5. Timing issues and combining rule options
HTTP inspector is stateful. That means it is aware of a bigger
picture than the packet in front of it. It knows what all the pieces
cannot.
-5.10. HTTP/2 Inspector
+5.11. HTTP/2 Inspector
--------------
streams.
-5.11. Performance Monitor
+5.12. Performance Monitor
--------------
being dropped without hitting a rule? perf_monitor! Why is a sensor
leaking water? Not perf_monitor, check with stream…
-5.11.1. Overview
+5.12.1. Overview
The Snort performance monitor is the built-in utility for monitoring
system and traffic statistics. All statistics are separated by
processing thread. perf_monitor supports several trackers for
monitoring such data:
-5.11.2. Base Tracker
+5.12.2. Base Tracker
The base tracker is used to gather running statistics about Snort and
its running modules. All Snort modules gather, at the very least,
Note: Event stats from prior Snorts are now located within base
statistics.
-5.11.3. Flow Tracker
+5.12.3. Flow Tracker
Flow tracks statistics regarding traffic and L3/L4 protocol
distributions. This data can be used to build a profile of traffic
perf_monitor = { flow = true }
-5.11.4. FlowIP Tracker
+5.12.4. FlowIP Tracker
FlowIP provides statistics for individual hosts within a network.
This data can be used for identifying communication habits, such as
perf_monitor = { flow_ip = true }
-5.11.5. CPU Tracker
+5.12.5. CPU Tracker
This tracker monitors the CPU and wall time spent by a given
processing thread.
perf_monitor = { cpu = true }
-5.11.6. Formatters
+5.12.6. Formatters
Performance monitor allows statistics to be output in a few formats.
Along with human readable text (as seen at shutdown) and csv formats,
monitor or the code provided for fbstreamer.
-5.12. POP and IMAP
+5.13. POP and IMAP
--------------
POP inspector is a service inspector for POP3 protocol and IMAP
inspector is for IMAP4 protocol.
-5.12.1. Overview
+5.13.1. Overview
POP and IMAP inspectors examine data traffic and find POP and IMAP
commands and responses. The inspectors also identify the command,
appropriately. The pop and imap also identify and whitelist the pop
and imap traffic.
-5.12.2. Configuration
+5.13.2. Configuration
POP inspector and IMAP inspector offer same set of configuration
options for MIME decoding depth. These depths range from 0 to 65535
The depth limits apply per attachment. They are:
-5.12.2.1. b64_decode_depth
+5.13.2.1. b64_decode_depth
Set the base64 decoding depth used to decode the base64-encoded MIME
attachments.
-5.12.2.2. qp_decode_depth
+5.13.2.2. qp_decode_depth
Set the Quoted-Printable (QP) decoding depth used to decode
QP-encoded MIME attachments.
-5.12.2.3. bitenc_decode_depth
+5.13.2.3. bitenc_decode_depth
Set the non-encoded MIME extraction depth used for non-encoded MIME
attachments.
-5.12.2.4. uu_decode_depth
+5.13.2.4. uu_decode_depth
Set the Unix-to-Unix (UU) decoding depth used to decode UU-encoded
attachments.
-5.12.2.5. Examples
+5.13.2.5. Examples
stream = { }
}
-5.13. Port Scan
+5.14. Port Scan
--------------
A module to detect port scanning
-5.13.1. Overview
+5.14.1. Overview
This module is designed to detect the first phase in a network
attack: Reconnaissance. In the Reconnaissance phase, an attacker
triggered. Open port events are not individual alerts, but tags based
off the original scan alert.
-5.13.2. Scan levels
+5.14.2. Scan levels
There are 3 default scan levels that can be set.
monitoring, but is very sensitive to active hosts. This most
definitely will require the user to tune Portscan.
-5.13.3. Tuning Portscan
+5.14.3. Tuning Portscan
The most important aspect in detecting portscans is tuning the
detection engine for your network(s). Here are some tuning tips:
filtered scans, since these are more prone to false positives.
-5.14. Sensitive Data Filtering
+5.15. Sensitive Data Filtering
--------------
addresses. A rich regular expression syntax is available for defining
your own PII.
-5.14.1. Hyperscan
+5.15.1. Hyperscan
The sd_pattern rule option is powered by the open source Hyperscan
library from Intel. It provides a regex grammar which is mostly PCRE
compatible. To learn more about Hyperscan see https://intel.github.io
/hyperscan/dev-reference/
-5.14.2. Syntax
+5.15.2. Syntax
Snort provides sd_pattern as IPS rule option with no additional
inspector overhead. The Rule option takes the following syntax.
sd_pattern: "<pattern>"[, threshold <count>];
-5.14.2.1. Pattern
+5.15.2.1. Pattern
Pattern is the most important and is the only required parameter to
sd_pattern. It supports 3 built in patterns which are configured by
Note: This is just an example, this pattern is not suitable to detect
many correctly formatted emails.
-5.14.2.2. Threshold
+5.15.2.2. Threshold
Threshold is an optional parameter allowing you to change built in
default value (default value is 1). The following two instances are
literal" to qualify as a positive match. That is, if the string only
occurred 299 times in a packet, you will not see an event.
-5.14.2.3. Obfuscating Credit Cards and Social Security Numbers
+5.15.2.3. Obfuscating Credit Cards and Social Security Numbers
Snort provides discreet logging for the built in patterns
"credit_card", "us_social" and "us_social_nodashes". Enabling
obfuscate_pii = true
}
-5.14.3. Example
+5.15.3. Example
A complete Snort IPS rule
58 58 58 58 58 58 58 58 58 58 58 58 39 32 39 34 XXXXXXXXXXXX9294
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-5.14.4. Caveats
+5.15.4. Caveats
1. Snort currently requires setting the fast pattern engine to use
"hyperscan" in order for sd_pattern ips option to function
(This is a known bug).
-5.15. SMTP
+5.16. SMTP
--------------
SMTP inspector is a service inspector for SMTP protocol.
-5.15.1. Overview
+5.16.1. Overview
The SMTP inspector examines SMTP connections looking for commands and
responses. It also identifies the command, header and body sections,
SMTP inspector logs the filename, email addresses, attachment names
when configured.
-5.15.2. Configuration
+5.16.2. Configuration
SMTP command lines can be normalized to remove extraneous spaces.
TLS-encrypted traffic can be ignored, which improves performance. In
The configuration options are described below:
-5.15.2.1. normalize and normalize_cmds
+5.16.2.1. normalize and normalize_cmds
Normalization checks for more than one space character after a
command. Space characters are defined as space (ASCII 0x20) or tab
smtp = { normalize = 'cmds', normalize_cmds = 'RCPT VRFY EXPN' }
-5.15.2.2. ignore_data
+5.16.2.2. ignore_data
Set it to true to ignore data section of mail (except for mail
headers) when processing rules.
-5.15.2.3. ignore_tls_data
+5.16.2.3. ignore_tls_data
Set it to true to ignore TLS-encrypted data when processing rules.
-5.15.2.4. max_command_line_len
+5.16.2.4. max_command_line_len
Alert if an SMTP command line is longer than this value. Absence of
this option or a "0" means never alert on command line length. RFC
2821 recommends 512 as a maximum command line length.
-5.15.2.5. max_header_line_len
+5.16.2.5. max_header_line_len
Alert if an SMTP DATA header line is longer than this value. Absence
of this option or a "0" means never alert on data header line length.
RFC 2821 recommends 1024 as a maximum data header line length.
-5.15.2.6. max_response_line_len
+5.16.2.6. max_response_line_len
Alert if an SMTP response line is longer than this value. Absence of
this option or a "0" means never alert on response line length. RFC
2821 recommends 512 as a maximum response line length.
-5.15.2.7. alt_max_command_line_len
+5.16.2.7. alt_max_command_line_len
Overrides max_command_line_len for specific commands For example:
},
}
-5.15.2.8. invalid_cmds
+5.16.2.8. invalid_cmds
Alert if this command is sent from client side.
-5.15.2.9. valid_cmds
+5.16.2.9. valid_cmds
List of valid commands. We do not alert on commands in this list.
STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS X-LINK2STATE
XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR ]]
-5.15.2.10. data_cmds
+5.16.2.10. data_cmds
List of commands that initiate sending of data with an end of data
delimiter the same as that of the DATA command per RFC 5321 - "
<CRLF>.<CRLF>".
-5.15.2.11. binary_data_cmds
+5.16.2.11. binary_data_cmds
List of commands that initiate sending of data and use a length value
after the command to indicate the amount of data to be sent, similar
to that of the BDAT command per RFC 3030.
-5.15.2.12. auth_cmds
+5.16.2.12. auth_cmds
List of commands that initiate an authentication exchange between
client and server.
-5.15.2.13. xlink2state
+5.16.2.13. xlink2state
Enable/disable xlink2state alert, options are {disable | alert |
drop}. See CVE-2005-0560 for a description of the vulnerability.
-5.15.2.14. MIME processing depth parameters
+5.16.2.14. MIME processing depth parameters
These four MIME processing depth parameters are identical to their
POP and IMAP counterparts. See that section for further details.
b64_decode_depth qp_decode_depth bitenc_decode_depth uu_decode_depth
-5.15.2.15. Log Options
+5.16.2.15. Log Options
Following log options allow SMTP inspector to log email addresses and
filenames. Please note, this is logged only with the unified2 output
allowed range for this option is 0 - 20480. A value of 0 will disable
email headers logging. The default value for this option is 1464.
-5.15.3. Example
+5.16.3. Example
smtp =
{
}
-5.16. Telnet
+5.17. Telnet
--------------
connection is encrypted, per the use of the telnet encryption option
per RFC 2946.
-5.16.1. Configuring the inspector to block exploits and attacks
+5.17.1. Configuring the inspector to block exploits and attacks
ayt_attack_thresh number
vulnerabilities relating to bsd-based implementations of telnet.
-5.17. Trace
+5.18. Trace
--------------
wizard and snort.inspector_manager) are providing non-debug trace
messages in normal production builds.
-5.17.1. Trace module
+5.18.1. Trace module
The trace module is responsible for configuring traces and supports
the following parameters:
set or clear modules traces and packet filter constraints via the
control channel command.
-5.17.2. Trace module - configuring traces
+5.18.2. Trace module - configuring traces
The trace module has the modules option - a table with trace
configuration for specific modules. The following lines placed in
}
}
-5.17.3. Trace module - configuring packet filter constraints for
+5.18.3. Trace module - configuring packet filter constraints for
packet related trace messages
There is a capability to filter traces by the packet constraints. The
}
}
-5.17.4. Trace module - configuring trace output method
+5.18.4. Trace module - configuring trace output method
There is a capability to configure the output method for trace
messages. The trace module has the output option with two acceptable
As a result, each trace message will be printed into syslog (the
Snort run-mode will be ignored).
-5.17.5. Configuring traces via control channel command
+5.18.5. Configuring traces via control channel command
There is a capability to configure module trace options and packet
constraints via the control channel command by using a Snort shell.
trace.set({}) - disable traces and constraints (set to empty)
-5.17.6. Trace messages format
+5.18.6. Trace messages format
Each tracing message has a standard format:
Possible thread types: C – main (control) thread P – packet thread O
– other thread
-5.17.7. Example - Debugging rules using detection trace
+5.18.7. Example - Debugging rules using detection trace
The detection engine is responsible for rule evaluation. Turning on
the trace for it can help with debugging new rules.
detection:rule_vars:1: Rule options variables: var[0]=1 var[1]=10 var[2]=0
04/22-20:21:40.905630, 1, TCP, raw, 56, C2S, 127.0.0.1:1234, 127.0.0.1:5678, 1:3:0, allow
-5.17.8. Example - Protocols decoding trace
+5.18.8. Example - Protocols decoding trace
Turning on decode trace will print out information about the packets
decoded protocols. Can be useful in case of tunneling.
decode:all:1: Codec icmp4 (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 8
decode:all:1: Codec unknown (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 0
-5.17.9. Example - Track the time packet spends in each inspector
+5.18.9. Example - Track the time packet spends in each inspector
There is a capability to track which inspectors evaluate a packet,
and how much time the inspector consumes doing so. These trace
snort:inspector_manager:1: end inspection, raw, packet 1, context 1, total time: 0 usec
snort:main:1: [0] Destroying completed command RUN
-5.17.10. Example - trace filtering by packet constraints:
+5.18.10. Example - trace filtering by packet constraints:
In snort.lua, the following lines were added:
The trace messages for two last packets (numbers 5 and 6) weren’t
printed.
-5.17.11. Example - configuring traces via trace.set() command
+5.18.11. Example - configuring traces via trace.set() command
In snort.lua, the following lines were added:
filtered because they don’t include a packet (a packet isn’t
well-formed at the point when the message is printing).
-5.17.12. Other available traces
+5.18.12. Other available traces
There are more trace options supported by detection:
structures.
-5.18. Wizard
+5.19. Wizard
--------------
projects / thirdparty / snort3.git / commitdiff
