From: Steve Chew (stechew) Date: Thu, 20 Oct 2022 15:21:45 +0000 (+0000) Subject: Pull request #3626: build: generate and tag 3.1.44.0 X-Git-Tag: 3.1.45.0~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=02c049a887e7140e02a398e4e6d27430416faab6;p=thirdparty%2Fsnort3.git Pull request #3626: build: generate and tag 3.1.44.0 Merge in SNORT/snort3 from ~STECHEW/snort3:build_3.1.44.0 to master Squashed commit of the following: commit cc0cda03fe812924cc365ea30aff312e945cb367 Author: Steve Chew Date: Thu Oct 20 09:11:36 2022 -0400 build: generate and tag 3.1.44.0 --- diff --git a/CMakeLists.txt b/CMakeLists.txt index 02f48ea4c..39d755d46 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -3,7 +3,7 @@ project (snort CXX C) set (VERSION_MAJOR 3) set (VERSION_MINOR 1) -set (VERSION_PATCH 43) +set (VERSION_PATCH 44) set (VERSION_SUBLEVEL 0) set (VERSION "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}.${VERSION_SUBLEVEL}") diff --git a/ChangeLog.md b/ChangeLog.md index cf1738815..68210320a 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -1,3 +1,19 @@ +2022-10-20: 3.1.44.0 + +* appid: return APP_ID_NONE only if hsession is not present for http3 +* detection: add stateful signature evaluation +* flow, reputation, protocols: remove reputation information from packet and flow +* http_inspect: inspect multiple MIME attachments per message section +* http_inspect: maximum_pipelined_requests +* http_inspect: MIME partial inspections +* http_inspect: remove rule option timing features +* lua: add sensitive data rules +* reputation: added profiling to the event handlers +* reputation: fix for array indexing error when searching for reputation file entries +* reputation: refactor event generation for matches +* s7commplus: adding wizard support for s7commplus +* utils: add possibility to process keywords as identifiers + 2022-10-05: 3.1.43.0 * actions: fix action logging for suppressed events 
diff --git a/doc/reference/snort_reference.text b/doc/reference/snort_reference.text index c847499fc..b436bd59c 100644 --- a/doc/reference/snort_reference.text +++ b/doc/reference/snort_reference.text @@ -8,7 +8,7 @@ Snort 3 Reference Manual The Snort Team Revision History -Revision 3.1.43.0 2022-10-05 15:21:03 EDT TST +Revision 3.1.44.0 2022-10-20 09:37:25 EDT TST --------------------------------------------------------------------- @@ -644,6 +644,20 @@ Peg counts: the recursion limit (sum) * detection.pcre_error: total number of times pcre returns error (sum) + * detection.cont_creations: total number of continuations created + (sum) + * detection.cont_recalls: total number of continuations recalled + (sum) + * detection.cont_flows: total number of flows using continuation + (sum) + * detection.cont_evals: total number of condition-met continuations + (sum) + * detection.cont_matches: total number of continuations matched + (sum) + * detection.cont_mismatches: total number of continuations + mismatched (sum) + * detection.cont_max_num: peak number of simultaneous continuations + per flow (max) 2.8. event_filter @@ -3722,6 +3736,8 @@ Configuration: length of a header exceeds this value { 0:65535 } * int http_inspect.maximum_headers = 200: alert when the number of headers in a message exceeds this value { 0:65535 } + * int http_inspect.maximum_pipelined_requests = 99: alert when the + number of pipelined requests exceeds this value { 0:99 } * bool http_inspect.normalize_utf = true: normalize charset utf encodings in response bodies * bool http_inspect.decompress_pdf = false: decompress pdf files in 
@@ -3732,6 +3748,9 @@ Configuration: response bodies * bool http_inspect.decompress_vba = false: decompress MS Office Visual Basic for Applications macro files in response bodies + * int http_inspect.max_mime_attach = 5: maximum number of mime + attachments that will be inspected in a section of a request + message { 1:65535 } * bool http_inspect.script_detection = false: inspect JavaScript immediately upon script end * bool http_inspect.normalize_javascript = false: use legacy @@ -3844,8 +3863,9 @@ Rules: known as HTTP/0.9 * 119:33 (http_inspect) HTTP request URI has space character that is not percent-encoded - * 119:34 (http_inspect) HTTP connection has more than 100 - simultaneous pipelined requests that have not been answered + * 119:34 (http_inspect) HTTP connection has more than + maximum_pipelined_requests simultaneous pipelined requests that + have not been answered * 119:102 (http_inspect) invalid status code in HTTP response * 119:104 (http_inspect) HTTP response has UTF character set that failed to normalize @@ -4049,6 +4069,8 @@ Peg counts: identifiers processed (sum) * http_inspect.js_identifier_overflows: total number of unique JavaScript identifier limit overflows (sum) + * http_inspect.skip_mime_attach: total number of HTTP requests with + too many MIME attachments to inspect (sum) 5.26. iec104 @@ -5924,7 +5946,8 @@ Configuration: * string wizard.spells[].to_client[].spell: sequence of data with wild cards (*) * multi wizard.curses: enable service identification based on - internal algorithm { dce_smb | dce_udp | dce_tcp | mms | sslv2 } + internal algorithm { dce_smb | dce_udp | dce_tcp | mms | + s7commplus | sslv2 } * int wizard.max_search_depth = 8192: maximum scan depth per flow { 0:65535 } 
@@ -6854,12 +6877,12 @@ Configuration: * implied http_cookie.request: match against the cookie from the request message even when examining the response - * implied http_cookie.with_header: this rule is limited to - examining HTTP message headers - * implied http_cookie.with_body: parts of this rule examine HTTP - message body - * implied http_cookie.with_trailer: parts of this rule examine HTTP - message trailers + * implied http_cookie.with_header: option is no longer used and + will be removed in a future release + * implied http_cookie.with_body: option is no longer used and will + be removed in a future release + * implied http_cookie.with_trailer: option is no longer used and + will be removed in a future release 7.50. http_header @@ -6879,12 +6902,12 @@ Configuration: is case insensitive. * implied http_header.request: match against the headers from the request message even when examining the response - * implied http_header.with_header: this rule is limited to - examining HTTP message headers - * implied http_header.with_body: parts of this rule examine HTTP - message body - * implied http_header.with_trailer: parts of this rule examine HTTP - message trailers + * implied http_header.with_header: option is no longer used and + will be removed in a future release + * implied http_header.with_body: option is no longer used and will + be removed in a future release + * implied http_header.with_trailer: option is no longer used and + will be removed in a future release 7.51. http_header_test 
@@ -6904,12 +6927,12 @@ Configuration: name is case insensitive. * implied http_header_test.request: match against the headers from the request message even when examining the response - * implied http_header_test.with_header: this rule is limited to - examining HTTP message headers - * implied http_header_test.with_body: parts of this rule examine - HTTP message body - * implied http_header_test.with_trailer: parts of this rule examine - HTTP message trailers + * implied http_header_test.with_header: option is no longer used + and will be removed in a future release + * implied http_header_test.with_body: option is no longer used and + will be removed in a future release + * implied http_header_test.with_trailer: option is no longer used + and will be removed in a future release * interval http_header_test.check: range check to perform on header value { 0:999999999999999999 } * bool http_header_test.numeric: header value is a number @@ -6965,12 +6988,12 @@ Usage: detect Configuration: - * implied http_method.with_header: this rule is limited to - examining HTTP message headers - * implied http_method.with_body: parts of this rule examine HTTP - message body - * implied http_method.with_trailer: parts of this rule examine HTTP - message trailers + * implied http_method.with_header: option is no longer used and + will be removed in a future release + * implied http_method.with_body: option is no longer used and will + be removed in a future release + * implied http_method.with_trailer: option is no longer used and + will be removed in a future release 7.55. http_num_cookies 
@@ -7007,12 +7030,12 @@ Configuration: current buffer are in given range { 0:65535 } * implied http_num_headers.request: match against the version from the request message even when examining the response - * implied http_num_headers.with_header: this rule is limited to - examining HTTP message headers - * implied http_num_headers.with_body: parts of this rule examine - HTTP message body - * implied http_num_headers.with_trailer: parts of this rule examine - HTTP message trailers + * implied http_num_headers.with_header: option is no longer used + and will be removed in a future release + * implied http_num_headers.with_body: option is no longer used and + will be removed in a future release + * implied http_num_headers.with_trailer: option is no longer used + and will be removed in a future release 7.57. http_num_trailers @@ -7031,12 +7054,12 @@ Configuration: of current buffer are in given range { 0:65535 } * implied http_num_trailers.request: match against the version from the request message even when examining the response - * implied http_num_trailers.with_header: this rule is limited to - examining HTTP message headers - * implied http_num_trailers.with_body: parts of this rule examine - HTTP message body - * implied http_num_trailers.with_trailer: parts of this rule - examine HTTP message trailers + * implied http_num_trailers.with_header: option is no longer used + and will be removed in a future release + * implied http_num_trailers.with_body: option is no longer used and + will be removed in a future release + * implied http_num_trailers.with_trailer: option is no longer used + and will be removed in a future release 7.58. http_param 
@@ -7083,12 +7106,12 @@ Configuration: * implied http_raw_cookie.request: match against the cookie from the request message even when examining the response - * implied http_raw_cookie.with_header: this rule is limited to - examining HTTP message headers - * implied http_raw_cookie.with_body: parts of this rule examine - HTTP message body - * implied http_raw_cookie.with_trailer: parts of this rule examine - HTTP message trailers + * implied http_raw_cookie.with_header: option is no longer used and + will be removed in a future release + * implied http_raw_cookie.with_body: option is no longer used and + will be removed in a future release + * implied http_raw_cookie.with_trailer: option is no longer used + and will be removed in a future release 7.61. http_raw_header @@ -7108,12 +7131,12 @@ Configuration: name is case insensitive. * implied http_raw_header.request: match against the headers from the request message even when examining the response - * implied http_raw_header.with_header: this rule is limited to - examining HTTP message headers - * implied http_raw_header.with_body: parts of this rule examine - HTTP message body - * implied http_raw_header.with_trailer: parts of this rule examine - HTTP message trailers + * implied http_raw_header.with_header: option is no longer used and + will be removed in a future release + * implied http_raw_header.with_body: option is no longer used and + will be removed in a future release + * implied http_raw_header.with_trailer: option is no longer used + and will be removed in a future release 7.62. http_raw_request 
@@ -7129,12 +7152,12 @@ Usage: detect Configuration: - * implied http_raw_request.with_header: this rule is limited to - examining HTTP message headers - * implied http_raw_request.with_body: parts of this rule examine - HTTP message body - * implied http_raw_request.with_trailer: parts of this rule examine - HTTP message trailers + * implied http_raw_request.with_header: option is no longer used + and will be removed in a future release + * implied http_raw_request.with_body: option is no longer used and + will be removed in a future release + * implied http_raw_request.with_trailer: option is no longer used + and will be removed in a future release 7.63. http_raw_status @@ -7150,10 +7173,10 @@ Usage: detect Configuration: - * implied http_raw_status.with_body: parts of this rule examine - HTTP message body - * implied http_raw_status.with_trailer: parts of this rule examine - HTTP message trailers + * implied http_raw_status.with_body: option is no longer used and + will be removed in a future release + * implied http_raw_status.with_trailer: option is no longer used + and will be removed in a future release 7.64. http_raw_trailer @@ -7173,10 +7196,10 @@ Configuration: name is case insensitive. * implied http_raw_trailer.request: match against the trailers from the request message even when examining the response - * implied http_raw_trailer.with_header: parts of this rule examine - HTTP response message headers (must be combined with request) - * implied http_raw_trailer.with_body: parts of this rule examine - HTTP response message body (must be combined with request) + * implied http_raw_trailer.with_header: option is no longer used + and will be removed in a future release + * implied http_raw_trailer.with_body: option is no longer used and + will be removed in a future release 7.65. http_raw_uri 
@@ -7191,12 +7214,12 @@ Usage: detect Configuration: - * implied http_raw_uri.with_header: this rule is limited to - examining HTTP message headers - * implied http_raw_uri.with_body: parts of this rule examine HTTP - message body - * implied http_raw_uri.with_trailer: parts of this rule examine - HTTP message trailers + * implied http_raw_uri.with_header: option is no longer used and + will be removed in a future release + * implied http_raw_uri.with_body: option is no longer used and will + be removed in a future release + * implied http_raw_uri.with_trailer: option is no longer used and + will be removed in a future release * implied http_raw_uri.scheme: match against scheme section of URI only * implied http_raw_uri.host: match against host section of URI only @@ -7220,10 +7243,10 @@ Usage: detect Configuration: - * implied http_stat_code.with_body: parts of this rule examine HTTP - message body - * implied http_stat_code.with_trailer: parts of this rule examine - HTTP message trailers + * implied http_stat_code.with_body: option is no longer used and + will be removed in a future release + * implied http_stat_code.with_trailer: option is no longer used and + will be removed in a future release 7.67. http_stat_msg @@ -7239,10 +7262,10 @@ Usage: detect Configuration: - * implied http_stat_msg.with_body: parts of this rule examine HTTP - message body - * implied http_stat_msg.with_trailer: parts of this rule examine - HTTP message trailers + * implied http_stat_msg.with_body: option is no longer used and + will be removed in a future release + * implied http_stat_msg.with_trailer: option is no longer used and + will be removed in a future release 7.68. http_trailer 
@@ -7261,10 +7284,10 @@ Configuration: * string http_trailer.field: restrict to given trailer * implied http_trailer.request: match against the trailers from the request message even when examining the response - * implied http_trailer.with_header: parts of this rule examine HTTP - response message headers (must be combined with request) - * implied http_trailer.with_body: parts of this rule examine HTTP - message body (must be combined with request) + * implied http_trailer.with_header: option is no longer used and + will be removed in a future release + * implied http_trailer.with_body: option is no longer used and will + be removed in a future release 7.69. http_trailer_test @@ -7284,10 +7307,10 @@ Configuration: Trailer name is case insensitive. * implied http_trailer_test.request: match against the trailers from the request message even when examining the response - * implied http_trailer_test.with_header: parts of this rule examine - HTTP headers - * implied http_trailer_test.with_body: parts of this rule examine - HTTP message body + * implied http_trailer_test.with_header: option is no longer used + and will be removed in a future release + * implied http_trailer_test.with_body: option is no longer used and + will be removed in a future release * interval http_trailer_test.check: range check to perform on trailer value { 0:999999999999999999 } * bool http_trailer_test.numeric: trailer value is a number 
@@ -7307,12 +7330,12 @@ Usage: detect Configuration: - * implied http_true_ip.with_header: this rule is limited to - examining HTTP message headers - * implied http_true_ip.with_body: parts of this rule examine HTTP - message body - * implied http_true_ip.with_trailer: parts of this rule examine - HTTP message trailers + * implied http_true_ip.with_header: option is no longer used and + will be removed in a future release + * implied http_true_ip.with_body: option is no longer used and will + be removed in a future release + * implied http_true_ip.with_trailer: option is no longer used and + will be removed in a future release 7.71. http_uri @@ -7328,12 +7351,12 @@ Usage: detect Configuration: - * implied http_uri.with_header: this rule is limited to examining - HTTP message headers - * implied http_uri.with_body: parts of this rule examine HTTP - message body - * implied http_uri.with_trailer: parts of this rule examine HTTP - message trailers + * implied http_uri.with_header: option is no longer used and will + be removed in a future release + * implied http_uri.with_body: option is no longer used and will be + removed in a future release + * implied http_uri.with_trailer: option is no longer used and will + be removed in a future release * implied http_uri.scheme: match against scheme section of URI only * implied http_uri.host: match against host section of URI only * implied http_uri.port: match against port section of URI only 
@@ -7357,12 +7380,12 @@ Configuration: * implied http_version.request: match against the version from the request message even when examining the response - * implied http_version.with_header: this rule is limited to - examining HTTP message headers - * implied http_version.with_body: parts of this rule examine HTTP - message body - * implied http_version.with_trailer: parts of this rule examine - HTTP message trailers + * implied http_version.with_header: option is no longer used and + will be removed in a future release + * implied http_version.with_body: option is no longer used and will + be removed in a future release + * implied http_version.with_trailer: option is no longer used and + will be removed in a future release 7.73. http_version_match @@ -7381,12 +7404,12 @@ Configuration: versions to match * implied http_version_match.request: match against the version from the request message even when examining the response - * implied http_version_match.with_header: this rule is limited to - examining HTTP message headers - * implied http_version_match.with_body: parts of this rule examine - HTTP message body - * implied http_version_match.with_trailer: parts of this rule - examine HTTP message trailers + * implied http_version_match.with_header: option is no longer used + and will be removed in a future release + * implied http_version_match.with_body: option is no longer used + and will be removed in a future release + * implied http_version_match.with_trailer: option is no longer used + and will be removed in a future release 7.74. icmp_id @@ -8051,7 +8074,7 @@ Usage: detect -------------- -Help: detection option for sip stat code +Help: detection option for sip method Type: ips_option 
@@ -9488,12 +9511,12 @@ libraries see the Getting Started section of the manual. } * implied http_cookie.request: match against the cookie from the request message even when examining the response - * implied http_cookie.with_body: parts of this rule examine HTTP - message body - * implied http_cookie.with_header: this rule is limited to - examining HTTP message headers - * implied http_cookie.with_trailer: parts of this rule examine HTTP - message trailers + * implied http_cookie.with_body: option is no longer used and will + be removed in a future release + * implied http_cookie.with_header: option is no longer used and + will be removed in a future release + * implied http_cookie.with_trailer: option is no longer used and + will be removed in a future release * string http_header.field: restrict to given header. Header name is case insensitive. * implied http_header.request: match against the headers from the 
@@ -9506,18 +9529,18 @@ libraries see the Getting Started section of the manual. * bool http_header_test.numeric: header value is a number * implied http_header_test.request: match against the headers from the request message even when examining the response - * implied http_header_test.with_body: parts of this rule examine - HTTP message body - * implied http_header_test.with_header: this rule is limited to - examining HTTP message headers - * implied http_header_test.with_trailer: parts of this rule examine - HTTP message trailers - * implied http_header.with_body: parts of this rule examine HTTP - message body - * implied http_header.with_header: this rule is limited to - examining HTTP message headers - * implied http_header.with_trailer: parts of this rule examine HTTP - message trailers + * implied http_header_test.with_body: option is no longer used and + will be removed in a future release + * implied http_header_test.with_header: option is no longer used + and will be removed in a future release + * implied http_header_test.with_trailer: option is no longer used + and will be removed in a future release + * implied http_header.with_body: option is no longer used and will + be removed in a future release + * implied http_header.with_header: option is no longer used and + will be removed in a future release + * implied http_header.with_trailer: option is no longer used and + will be removed in a future release * string http_inspect.allowed_methods: list of allowed methods * bool http_inspect.backslash_to_slash = true: replace \ with / when normalizing URIs 
@@ -9570,9 +9593,14 @@ libraries see the Getting Started section of the manual. headers in a message exceeds this value { 0:65535 } * int http_inspect.maximum_host_length = -1: maximum allowed length for Host header value (-1 no limit) { -1:max53 } + * int http_inspect.maximum_pipelined_requests = 99: alert when the + number of pipelined requests exceeds this value { 0:99 } * int http_inspect.max_javascript_whitespaces = 200: maximum consecutive whitespaces allowed within the JavaScript obfuscated data { 1:65535 } + * int http_inspect.max_mime_attach = 5: maximum number of mime + attachments that will be inspected in a section of a request + message { 1:65535 } * bool http_inspect.normalize_javascript = false: use legacy normalizer to normalize JavaScript in response bodies * bool http_inspect.normalize_utf = true: normalize charset utf @@ -9612,12 +9640,12 @@ libraries see the Getting Started section of the manual. current trailer is in given range { 0:65535 } * implied http_max_trailer_line.request: match against the version from the request message even when examining the response - * implied http_method.with_body: parts of this rule examine HTTP - message body - * implied http_method.with_header: this rule is limited to - examining HTTP message headers - * implied http_method.with_trailer: parts of this rule examine HTTP - message trailers + * implied http_method.with_body: option is no longer used and will + be removed in a future release + * implied http_method.with_header: option is no longer used and + will be removed in a future release + * implied http_method.with_trailer: option is no longer used and + will be removed in a future release * interval http_num_cookies.~range: check that number of cookies of current header are in given range { 0:65535 } * implied http_num_cookies.request: match against the version from 
@@ -9626,60 +9654,60 @@ libraries see the Getting Started section of the manual. current buffer are in given range { 0:65535 } * implied http_num_headers.request: match against the version from the request message even when examining the response - * implied http_num_headers.with_body: parts of this rule examine - HTTP message body - * implied http_num_headers.with_header: this rule is limited to - examining HTTP message headers - * implied http_num_headers.with_trailer: parts of this rule examine - HTTP message trailers + * implied http_num_headers.with_body: option is no longer used and + will be removed in a future release + * implied http_num_headers.with_header: option is no longer used + and will be removed in a future release + * implied http_num_headers.with_trailer: option is no longer used + and will be removed in a future release * interval http_num_trailers.~range: check that number of headers of current buffer are in given range { 0:65535 } * implied http_num_trailers.request: match against the version from the request message even when examining the response - * implied http_num_trailers.with_body: parts of this rule examine - HTTP message body - * implied http_num_trailers.with_header: this rule is limited to - examining HTTP message headers - * implied http_num_trailers.with_trailer: parts of this rule - examine HTTP message trailers + * implied http_num_trailers.with_body: option is no longer used and + will be removed in a future release + * implied http_num_trailers.with_header: option is no longer used + and will be removed in a future release + * implied http_num_trailers.with_trailer: option is no longer used + and will be removed in a future release * implied http_param.nocase: case insensitive match * string http_param.~param: parameter to match * implied http_raw_cookie.request: match against the cookie from the request message even when examining the response - * implied http_raw_cookie.with_body: parts of this rule examine - HTTP message 
body - * implied http_raw_cookie.with_header: this rule is limited to - examining HTTP message headers - * implied http_raw_cookie.with_trailer: parts of this rule examine - HTTP message trailers + * implied http_raw_cookie.with_body: option is no longer used and + will be removed in a future release + * implied http_raw_cookie.with_header: option is no longer used and + will be removed in a future release + * implied http_raw_cookie.with_trailer: option is no longer used + and will be removed in a future release * string http_raw_header.field: restrict to given header. Header name is case insensitive. * implied http_raw_header.request: match against the headers from the request message even when examining the response - * implied http_raw_header.with_body: parts of this rule examine - HTTP message body - * implied http_raw_header.with_header: this rule is limited to - examining HTTP message headers - * implied http_raw_header.with_trailer: parts of this rule examine - HTTP message trailers - * implied http_raw_request.with_body: parts of this rule examine - HTTP message body - * implied http_raw_request.with_header: this rule is limited to - examining HTTP message headers - * implied http_raw_request.with_trailer: parts of this rule examine - HTTP message trailers - * implied http_raw_status.with_body: parts of this rule examine - HTTP message body - * implied http_raw_status.with_trailer: parts of this rule examine - HTTP message trailers + * implied http_raw_header.with_body: option is no longer used and + will be removed in a future release + * implied http_raw_header.with_header: option is no longer used and + will be removed in a future release + * implied http_raw_header.with_trailer: option is no longer used + and will be removed in a future release + * implied http_raw_request.with_body: option is no longer used and + will be removed in a future release + * implied http_raw_request.with_header: option is no longer used + and will be removed in a future 
release + * implied http_raw_request.with_trailer: option is no longer used + and will be removed in a future release + * implied http_raw_status.with_body: option is no longer used and + will be removed in a future release + * implied http_raw_status.with_trailer: option is no longer used + and will be removed in a future release * string http_raw_trailer.field: restrict to given trailer. Trailer name is case insensitive. * implied http_raw_trailer.request: match against the trailers from the request message even when examining the response - * implied http_raw_trailer.with_body: parts of this rule examine - HTTP response message body (must be combined with request) - * implied http_raw_trailer.with_header: parts of this rule examine - HTTP response message headers (must be combined with request) + * implied http_raw_trailer.with_body: option is no longer used and + will be removed in a future release + * implied http_raw_trailer.with_header: option is no longer used + and will be removed in a future release * implied http_raw_uri.fragment: match against fragment section of URI only * implied http_raw_uri.host: match against host section of URI only 
@@ -9689,20 +9717,20 @@ libraries see the Getting Started section of the manual. only * implied http_raw_uri.scheme: match against scheme section of URI only - * implied http_raw_uri.with_body: parts of this rule examine HTTP - message body - * implied http_raw_uri.with_header: this rule is limited to - examining HTTP message headers - * implied http_raw_uri.with_trailer: parts of this rule examine - HTTP message trailers - * implied http_stat_code.with_body: parts of this rule examine HTTP - message body - * implied http_stat_code.with_trailer: parts of this rule examine - HTTP message trailers - * implied http_stat_msg.with_body: parts of this rule examine HTTP - message body - * implied http_stat_msg.with_trailer: parts of this rule examine - HTTP message trailers + * implied http_raw_uri.with_body: option is no longer used and will + be removed in a future release + * implied http_raw_uri.with_header: option is no longer used and + will be removed in a future release + * implied http_raw_uri.with_trailer: option is no longer used and + will be removed in a future release + * implied http_stat_code.with_body: option is no longer used and + will be removed in a future release + * implied http_stat_code.with_trailer: option is no longer used and + will be removed in a future release + * implied http_stat_msg.with_body: option is no longer used and + will be removed in a future release + * implied http_stat_msg.with_trailer: option is no longer used and + will be removed in a future release * string http_trailer.field: restrict to given trailer * implied http_trailer.request: match against the trailers from the request message even when examining the response 
@@ -9714,20 +9742,20 @@ libraries see the Getting Started section of the manual. * bool http_trailer_test.numeric: trailer value is a number * implied http_trailer_test.request: match against the trailers from the request message even when examining the response - * implied http_trailer_test.with_body: parts of this rule examine - HTTP message body - * implied http_trailer_test.with_header: parts of this rule examine - HTTP headers - * implied http_trailer.with_body: parts of this rule examine HTTP - message body (must be combined with request) - * implied http_trailer.with_header: parts of this rule examine HTTP - response message headers (must be combined with request) - * implied http_true_ip.with_body: parts of this rule examine HTTP - message body - * implied http_true_ip.with_header: this rule is limited to - examining HTTP message headers - * implied http_true_ip.with_trailer: parts of this rule examine - HTTP message trailers + * implied http_trailer_test.with_body: option is no longer used and + will be removed in a future release + * implied http_trailer_test.with_header: option is no longer used + and will be removed in a future release + * implied http_trailer.with_body: option is no longer used and will + be removed in a future release + * implied http_trailer.with_header: option is no longer used and + will be removed in a future release + * implied http_true_ip.with_body: option is no longer used and will + be removed in a future release + * implied http_true_ip.with_header: option is no longer used and + will be removed in a future release + * implied http_true_ip.with_trailer: option is no longer used and + will be removed in a future release * implied http_uri.fragment: match against fragment section of URI only * implied http_uri.host: match against host section of URI only 
@@ -9735,30 +9763,30 @@ libraries see the Getting Started section of the manual. * implied http_uri.port: match against port section of URI only * implied http_uri.query: match against query section of URI only * implied http_uri.scheme: match against scheme section of URI only - * implied http_uri.with_body: parts of this rule examine HTTP - message body - * implied http_uri.with_header: this rule is limited to examining - HTTP message headers - * implied http_uri.with_trailer: parts of this rule examine HTTP - message trailers + * implied http_uri.with_body: option is no longer used and will be + removed in a future release + * implied http_uri.with_header: option is no longer used and will + be removed in a future release + * implied http_uri.with_trailer: option is no longer used and will + be removed in a future release * implied http_version_match.request: match against the version from the request message even when examining the response * string http_version_match.~version_list: space-separated list of versions to match - * implied http_version_match.with_body: parts of this rule examine - HTTP message body - * implied http_version_match.with_header: this rule is limited to - examining HTTP message headers - * implied http_version_match.with_trailer: parts of this rule - examine HTTP message trailers + * implied http_version_match.with_body: option is no longer used + and will be removed in a future release + * implied http_version_match.with_header: option is no longer used + and will be removed in a future release + * implied http_version_match.with_trailer: option is no longer used + and will be removed in a future release * implied http_version.request: match against the version from the request message even when examining the response - * implied http_version.with_body: parts of this rule examine HTTP - message body - * implied http_version.with_header: this rule is limited to - examining HTTP message headers - * implied http_version.with_trailer: 
parts of this rule examine - HTTP message trailers + * implied http_version.with_body: option is no longer used and will + be removed in a future release + * implied http_version.with_header: option is no longer used and + will be removed in a future release + * implied http_version.with_trailer: option is no longer used and + will be removed in a future release * interval icmp_id.~range: check if ICMP ID is in given range { 0:65535 } * interval icmp_seq.~range: check if ICMP sequence number is in @@ -10905,7 +10933,8 @@ libraries see the Getting Started section of the manual. * interval window.~range: check if TCP window size is in given range { 0:65535 } * multi wizard.curses: enable service identification based on - internal algorithm { dce_smb | dce_udp | dce_tcp | mms | sslv2 } + internal algorithm { dce_smb | dce_udp | dce_tcp | mms | + s7commplus | sslv2 } * bool wizard.hexes[].client_first = true: which end initiates data transfer (deprecated) * select wizard.hexes[].proto = any: protocol to scan { tcp | udp | 
@@ -11296,8 +11325,22 @@ libraries see the Getting Started section of the manual. * detection.alt_searches: alt fast pattern searches in packet data (sum) * detection.analyzed: total packets processed (now) + * detection.cont_creations: total number of continuations created + (sum) + * detection.cont_evals: total number of condition-met continuations + (sum) * detection.context_stalls: times processing stalled to wait for an available context (sum) + * detection.cont_flows: total number of flows using continuation + (sum) + * detection.cont_matches: total number of continuations matched + (sum) + * detection.cont_max_num: peak number of simultaneous continuations + per flow (max) + * detection.cont_mismatches: total number of continuations + mismatched (sum) + * detection.cont_recalls: total number of continuations recalled + (sum) * detection.cooked_searches: fast pattern searches in cooked packet data (sum) * detection.event_limit: events filtered (sum) @@ -11501,6 +11544,8 @@ libraries see the Getting Started section of the manual. messages (sum) * http_inspect.script_detections: early inspections of scripts in HTTP responses (sum) + * http_inspect.skip_mime_attach: total number of HTTP requests with + too many MIME attachments to inspect (sum) * http_inspect.ssl_srch_abandoned_early: total SSL search abandoned too soon (sum) * http_inspect.total_bytes: total HTTP data bytes inspected (sum) @@ -12718,12 +12763,12 @@ session. The TCP packet is invalid because it doesn’t have a SYN, ACK, or RST flag set. -116:424 (eth) truncated ethernet header +116:424 (pbb) truncated ethernet header The packet length is less than the minimum ethernet header size (14 bytes) -116:424 (eth) truncated ethernet header +116:424 (pbb) truncated ethernet header A truncated ethernet header was detected. 
@@ -13107,11 +13152,12 @@ not percent-encoded HTTP request URI has space character that is not percent-encoded. -119:34 (http_inspect) HTTP connection has more than 100 simultaneous -pipelined requests that have not been answered +119:34 (http_inspect) HTTP connection has more than +maximum_pipelined_requests simultaneous pipelined requests that have +not been answered -HTTP connection has more than 100 simultaneous pipelined requests -that have not been answered. +HTTP connection has more than maximum_pipelined_requests simultaneous +pipelined requests that have not been answered. 119:102 (http_inspect) invalid status code in HTTP response @@ -15785,7 +15831,7 @@ and are not applicable elsewhere. the request body * sip_header (ips_option): rule option to set the detection cursor to the SIP header buffer - * sip_method (ips_option): detection option for sip stat code + * sip_method (ips_option): detection option for sip method * sip_stat_code (ips_option): detection option for sip stat code * smtp (inspector): smtp inspection * snort (basic): command line configuration and shell commands @@ -16168,7 +16214,7 @@ and are not applicable elsewhere. the request body * ips_option::sip_header: rule option to set the detection cursor to the SIP header buffer - * ips_option::sip_method: detection option for sip stat code + * ips_option::sip_method: detection option for sip method * ips_option::sip_stat_code: detection option for sip stat code * ips_option::so: rule option to call custom eval function * ips_option::soid: rule option to specify a shared object rule ID diff --git a/doc/upgrade/snort_upgrade.text b/doc/upgrade/snort_upgrade.text index 453b5b9ab..476633f4b 100644 --- a/doc/upgrade/snort_upgrade.text +++ b/doc/upgrade/snort_upgrade.text 
@@ -8,7 +8,7 @@ Snort 3 Upgrade Manual The Snort Team Revision History -Revision 3.1.43.0 2022-10-05 15:22:07 EDT TST +Revision 3.1.44.0 2022-10-20 09:37:11 EDT TST --------------------------------------------------------------------- diff --git a/doc/user/snort_user.text b/doc/user/snort_user.text index 0e63f37ad..34f104486 100644 --- a/doc/user/snort_user.text +++ b/doc/user/snort_user.text @@ -8,7 +8,7 @@ Snort 3 User Manual The Snort Team Revision History -Revision 3.1.43.0 2022-10-05 15:21:24 EDT TST +Revision 3.1.44.0 2022-10-20 09:37:11 EDT TST --------------------------------------------------------------------- @@ -972,6 +972,28 @@ automatically be skipped if possible. Note that this differs from Snort 2 which provided the fast_pattern:only option to designate such cases. This is one less thing for the rule writer to worry about. +2.7.3.1. Stateful Evaluation + +When data forms a kind of stream, e.g. contiguous byte flow (like a +file transferred over the network or byte sequence from TCP session +packets), the point of interest may be in a signature which spans +across packets (its parts lies in different data blocks). In this +case, the stateful evaluation becomes handy. + +If rule evaluation starts in a packet and the cursor position is +moved beyond the current packet boundary, then the evaluation gets +paused and will resume later when more data become available to +finish the process. + +Stateful evaluation is supported for the following buffers: + + 1. pkt_data — as a sequence of TCP session bytes with respect to + their direction (client-to-server, server-to-client) + 2. js_data — normalized JavaScript text from the same data transfer + session + 3. file_data — the same file bytes, e.g. flows from different files + do not overlap + --------------------------------------------------------------------- 
@@ -4029,7 +4051,16 @@ Linking and Embedding) file embedded with the files containing RLE compressed vba macro data. The decompressed vba macro data is then made available through the vba_data ips rule option. -5.10.3.10. normalize_javascript +5.10.3.10. max_mime_attach + +HTTP request message bodies may be in MIME format. Each file +attachment is separately incorporated in the file_data rule option. +When a request contains many small file attachments these inspections +may consume a lot of processing power. This parameter limits the +number of files from one message that are inspected. The default +value is 5. + +5.10.3.11. normalize_javascript normalize_javascript = true will enable legacy normalizer of JavaScript within the HTTP response body. http_inspect looks for @@ -4042,7 +4073,7 @@ http_inspect also replaces consecutive whitespaces with a single space and normalizes the plus by concatenating the strings. Such normalizations refer to basic JavaScript normalization. -5.10.3.11. js_norm_bytes_depth +5.10.3.12. js_norm_bytes_depth js_norm_bytes_depth = N {-1 : max53} will set a number of input JavaScript bytes to normalize. When the depth is reached, @@ -4058,7 +4089,7 @@ unique names with unified names representation: var_0000:var_ffff. The identifiers are variables and function names. The normalized data is available through the js_data rule option. -5.10.3.12. js_norm_identifier_depth +5.10.3.13. js_norm_identifier_depth js_norm_identifier_depth = N {0 : 65536} will set a number of unique JavaScript identifiers to normalize. When the depth is reached, a 
@@ -4070,7 +4101,7 @@ response and not a single script. By default, the value is set to 65536, which is the max allowed number of unique identifiers. The generated names are in the range from var_0000 to var_ffff. -5.10.3.13. js_norm_max_tmpl_nest +5.10.3.14. js_norm_max_tmpl_nest js_norm_max_tmpl_nest = N {0 : 255} (default 32) is an option of the enhanced JavaScript normalizer that determines the deepest level of @@ -4082,7 +4113,7 @@ require keeping track of every layer for proper normalization. This option is present to limit the amount of memory dedicated to template nesting tracking. -5.10.3.14. js_norm_max_bracket_depth +5.10.3.15. js_norm_max_bracket_depth js_norm_max_bracket_depth = N {1 : 65535} (default 256) is an option of the enhanced JavaScript normalizer that determines the maximum @@ -4091,7 +4122,7 @@ brackets, nested within a matching pair, in any combination. This option is present to limit the amount of memory dedicated to bracket tracking. -5.10.3.15. js_norm_max_scope_depth +5.10.3.16. js_norm_max_scope_depth js_norm_max_scope_depth = N {1 : 65535} (default 256) is an option of the enhanced JavaScript normalizer that determines the deepest level @@ -4099,7 +4130,7 @@ of nested variable scope, i.e. functions, code blocks, etc. including the global scope. This option is present to limit the amount of memory dedicated to scope tracking. -5.10.3.16. js_norm_ident_ignore +5.10.3.17. js_norm_ident_ignore js_norm_ident_ignore = {} is an option of the enhanced JavaScript normalizer that defines a list of @@ -4149,7 +4180,7 @@ ought to be included in the ignore list. If for some reason the user wants to disable unescape related features, then removing function’s name from the ignore list does the trick. -5.10.3.17. js_norm_prop_ignore +5.10.3.18. js_norm_prop_ignore js_norm_prop_ignore = {} is an option of the enhanced JavaScript normalizer that defines a list of object 
@@ -4172,7 +4203,7 @@ out: "string".var_0000().split("").reverse().join(""); The default list of ignored properties is present in "snort_defaults.lua". -5.10.3.18. xff_headers +5.10.3.19. xff_headers This configuration supports defining custom x-forwarded-for type headers. In a multi-vendor world, it is quite possible that the @@ -4187,7 +4218,7 @@ they are defined, e.g "x-forwarded-for" will be preferred than "true-client-ip" if both headers are present in the stream. The header names should be delimited by a space. -5.10.3.19. maximum_host_length +5.10.3.20. maximum_host_length Setting maximum_host_length causes http_inspect to generate 119:25 if the Host header value including optional white space exceeds the @@ -4195,7 +4226,7 @@ specified length. In the abnormal case of multiple Host headers, the total length of the combined values is used. The default value is -1, meaning do not perform this check. -5.10.3.20. maximum_chunk_length +5.10.3.21. maximum_chunk_length http_inspect strictly limits individual chunks within a chunked message body to be less than four gigabytes. 
@@ -4203,17 +4234,27 @@ message body to be less than four gigabytes. A lower limit may be configured by setting maximum_chunk_length. Any chunk longer than maximum chunk length will generate a 119:16 alert. -5.10.3.21. maximum_header_length +5.10.3.22. maximum_header_length http_inspect generates 119:19 when the length of a header exceeds maximum_header_length = N {0 : 65535} (default 4096). -5.10.3.22. maximum_headers +5.10.3.23. maximum_headers http_inspect generates 119:20 when the number of headers exceeds maximum_headers = N {0 : 65535} (default 200). -5.10.3.23. URI processing +5.10.3.24. maximum_pipelined_requests + +http_inspect generates 119:34 when the number of pipelined requests +exceeds maximum_pipelined_requests = N {0 : 99} (default 99). This +number does not include the first request in a sequence of requests. +Setting maximum_pipelined_requests = 0, will not trigger an alert in +the case of an alternating sequence of requests and responses. It +will trigger the alert once the client issue a request before getting +the response to a previous request. + +5.10.3.25. URI processing Normalization and inspection of the URI in the HTTP request message is a key aspect of what http_inspect does. The best way to normalize @@ -4372,8 +4413,11 @@ http_inspect parses HTTP messages into their components and makes them available to the detection engine through rule options. Let’s start with an example: -alert tcp any any -> any any ( msg:"URI example"; flow:established, -to_server; http_uri; content:"chocolate"; sid:1; rev:1; ) +alert tcp any any -> any any ( + msg:"URI example"; + flow:established, to_server; + http_uri; content:"chocolate"; + sid:1; rev:1; ) This rule looks for chocolate in the URI portion of the request message. Specifically, the http_uri rule option is the normalized URI 
@@ -4388,15 +4432,20 @@ GET /%63%68$6F%63%6F%6C%61%74%65/%63%61%6B%65 HTTP/1.1 It is also possible to search the unnormalized URI -alert tcp any any -> any any ( msg:"Raw URI example"; flow:established, -to_server; http_raw_uri; content:"chocolate"; sid:2; rev:1; ) +alert tcp any any -> any any ( + msg:"Raw URI example"; + flow:established, to_server; + http_raw_uri; content:"chocolate"; + sid:2; rev:1; ) will match the first message but not the second. If you want to detect someone who is trying to hide his request for chocolate then -alert tcp any any -> any any ( msg:"Raw URI example"; flow:established, -to_server; http_raw_uri; content:"%63%68$6F%63%6F%6C%61%74%65"; -sid:3; rev:1; ) +alert tcp any any -> any any ( + msg:"Raw URI example"; + flow:established, to_server; + http_raw_uri; content:"%63%68$6F%63%6F%6C%61%74%65"; + sid:3; rev:1; ) will do the trick. @@ -4404,9 +4453,11 @@ Let’s look at possible ways of writing a rule to match HTTP response messages with the Content-Language header set to "da" (Danish). You could write: -alert tcp any any -> any any ( msg:"whole header search"; -flow:established, to_client; http_header; content: -"Content-Language: da", nocase; sid:4; rev:1; ) +alert tcp any any -> any any ( + msg:"whole header search"; + flow:established, to_client; + http_header; content:"Content-Language: da", nocase; + sid:4; rev:1; ) This rule leaves much to be desired. Modern headers are often thousands of bytes and seem to get longer every year. Searching all 
@@ -4424,9 +4475,11 @@ thwarted the match. A better way to write this rule is: -alert tcp any any -> any any ( msg:"individual header search"; -flow:established, to_client; http_header: field content-language; -content:"da", nocase; sid:4; rev:2; ) +alert tcp any any -> any any ( + msg:"individual header search"; + flow:established, to_client; + http_header: field content-language; content:"da", nocase; + sid:4; rev:2; ) The field option improves performance by narrowing the search to the Content-Language field of the header. Because it uses the header @@ -4484,8 +4537,11 @@ by the URI normalization options you selected. In addition to searching the entire URI there are six components that can be searched individually: -alert tcp any any -> any any ( msg:"URI path"; flow:established, -to_server; http_uri: path; content:"chocolate"; sid:1; rev:2; ) +alert tcp any any -> any any ( + msg:"URI path"; + flow:established, to_server; + http_uri: path; content:"chocolate"; + sid:1; rev:2; ) By specifying "path" the search is limited to the path portion of the URI. Informally this is the part consisting of the directory path and @@ -4542,9 +4598,11 @@ These cover all the header lines except the first one. You may specify an individual header by name using the field option as shown in this earlier example: -alert tcp any any -> any any ( msg:"individual header search"; -flow:established, to_client; http_header: field content-language; -content:"da", nocase; sid:4; rev:2; ) +alert tcp any any -> any any ( + msg:"individual header search"; + flow:established, to_client; + http_header: field content-language; content:"da", nocase; + sid:4; rev:2; ) This rule searches the value of the Content-Language header. Header names are not case sensitive and may be written in the rule in any 
@@ -4720,41 +4778,15 @@ next, which request message triggered which response message, pipelines, and how many messages have been sent over the current connection. -Some rules use a single rule option: - -alert tcp any any -> any any ( msg:"URI example"; flow:established, -to_server; http_uri; content:"chocolate"; sid:1; rev:1; ) - -Whenever a new URI is available this rule will be evaluated. Nothing -complicated about that, but suppose we use more than one rule option: - -alert tcp any any -> any any ( msg:"combined example"; flow:established, -to_server; http_uri: with_body; content:"chocolate"; file_data; -content:"sinister POST data"; sid:5; rev:1; ) - -The with_body option to http_uri causes the URI to be made available -with the message body. Use with_body for header-related rule options -in rules that also examine the message body. - -The with_trailer option is analogous and causes an earlier message -element to be made available at the end of the message when the -trailers following a chunked body arrive. +It is possible to write rules that examine both the client request +and the server response to it. -alert tcp any any -> any any ( msg:"double content-language"; -flow:established, to_client; http_header: with_trailer, field -content-language; content:"da", nocase; http_trailer: field -content-language; content:"en", nocase; sid:6; rev:1; ) - -This rule will alert if the Content-Language changes from Danish in -the headers to English in the trailers. The with_trailer option is -essential to make this rule work. - -It is also possible to write rules that examine both the client -request and the server response to it. 
- -alert tcp any any -> any any ( msg:"request and response example"; -flow:established, to_client; http_uri: with_body; content:"chocolate"; -file_data; content:"white chocolate"; sid:7; rev:1; ) +alert tcp any any -> any any ( + msg:"request and response example"; + flow:established, to_client; + http_uri; content:"chocolate"; + file_data; content:"white chocolate"; + sid:7; rev:1; ) This rule looks for white chocolate in a response message body where the URI of the request contained chocolate. Note that this is a 
@@ -4765,21 +4797,23 @@ be nonsense and not work. Snort cannot block a client request based on what the server response will be because that has not happened yet. -Another point is "with_body" for http_uri. This ensures the rule -works on the entire response body. If we were looking for white -chocolate in the response headers this would not be necessary. - Response messages do not have a URI so there was only one thing http_uri could have meant in the previous rule. It had to be referring to the request message. Sometimes that is not so clear. -alert tcp any any -> any any ( msg:"header ambiguity example 1"; -flow:established, to_client; http_header: with_body; content: -"chocolate"; file_data; content:"white chocolate"; sid:8; rev:1; ) +alert tcp any any -> any any ( + msg:"header ambiguity example 1"; + flow:established, to_client; + http_header; content:"chocolate"; + file_data; content:"white chocolate"; + sid:8; rev:1; ) -alert tcp any any -> any any ( msg:"header ambiguity example 2"; -flow:established, to_client; http_header: with_body, request; content: -"chocolate"; file_data; content:"white chocolate"; sid:8; rev:2; ) +alert tcp any any -> any any ( + msg:"header ambiguity example 2"; + flow:established, to_client; + http_header: request; content:"chocolate"; + file_data; content:"white chocolate"; + sid:8; rev:2; ) Our search for chocolate has moved from the URI to the message headers. Both the request and response messages have headers—which 
@@ -4791,31 +4825,17 @@ and white chocolate in the body. The second rule uses the "request" option to explicitly say that the http_header to be searched is the request header. -Let’s put all of this together. There are six opportunities to do -detection: - - 1. When the the request headers arrive. The request line and all of - the headers go through detection at the same time. - 2. When sections of the request message body arrive. If you want to - combine this with something from the request line or headers you - must use the with_body option. - 3. When the request trailers arrive. If you want to combine this - with something from the request line or headers you must use the - with_trailer option. - 4. When the response headers arrive. The status line and all of the - headers go through detection at the same time. These may be - combined with elements from the request line, request headers, or - request trailers. Where ambiguity arises use the request option. - 5. When sections of the response message body arrive. These may be - combined with the status line, response headers, request line, - request headers, or request trailers as described above. - 6. When the response trailers arrive. Again these may be combined as - described above. +Fast patterns are always searched in the current message. Rule +options using "request" option can’t be used as fast patterns. Message body sections can only go through detection at the time they are received. Headers may be combined with later items but the body cannot. +The sub-options "with_header", "with_body" and "with_trailer" are +deprecated, and no longer required when mixing the different +sections. + 5.11. HTTP/2 Inspector
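Review bot: In the three snort_reference.text hunks at @@ -9689, @@ -9714 and @@ -9735, the new help string "option is no longer used and will be removed in a future release" says nothing about whether a rule that still carries with_body, with_header or with_trailer continues to load. Since the user-manual hunk at @@ -4791 only calls the sub-options "deprecated, and no longer required", the reference text should state explicitly whether the option is accepted and ignored or rejected at parse time, so that administrators can tell from the manual whether existing rule sets need editing before upgrading.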
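Review bot: In the hunk at @@ -12718 the two "116:424" entries are both relabelled from "(eth)" to "(pbb)" but remain as two separate entries with different descriptions ("The packet length is less than the minimum ethernet header size (14 bytes)" and "A truncated ethernet header was detected."). Since this change touches exactly those lines, either merge them into a single entry or confirm that the same GID:SID really is documented twice on purpose; a duplicated SID with two explanations makes it unclear which text an analyst will see in an alert.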
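Review bot: The doc/upgrade/snort_upgrade.text hunk at @@ -8 only bumps the revision line to 3.1.44.0 even though this same patch deprecates the with_body, with_header and with_trailer sub-options across all http_* rule options and removes the rule-option timing examples from the user manual. The upgrade manual is where a rule writer moving from an earlier 3.1.x build would look for that, so add a short entry there naming the deprecated sub-options and stating that mixing header, body and trailer sections no longer needs them.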
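Review bot: The new "2.7.3.1. Stateful Evaluation" section in the snort_user.text hunk at @@ -972 has grammar and wording problems that should be fixed before it ships: "its parts lies in different data blocks" should read "its parts lie in different data blocks", "when more data become available" should read "when more data becomes available", and in list item 3 "the same file bytes, e.g. flows from different files do not overlap" uses "e.g." where "i.e." is meant, since the clause explains rather than exemplifies. The sentence "In this case, the stateful evaluation becomes handy" would also read better as "In this case stateful evaluation is useful."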
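Review bot: The hunk at @@ -4029 adds a "5.10.3.10. max_mime_attach" section that documents a default of 5, but no hunk in this patch adds a corresponding http_inspect.max_mime_attach line to the configuration list in doc/reference/snort_reference.text (the only http_inspect parameter added there is maximum_pipelined_requests). Please confirm the reference entry and its default already exist from an earlier release; otherwise the generated reference and the hand-written user manual will disagree. Separately, this hunk and the following ones renumber 5.10.3.10 through 5.10.3.23 by one; check that any cross-references to those section numbers elsewhere in the manual were updated as well.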
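Review bot: In the hunk at @@ -4203 the new "5.10.3.24. maximum_pipelined_requests" text needs two grammar fixes: drop the stray comma in "Setting maximum_pipelined_requests = 0, will not trigger an alert" and change "once the client issue a request" to "once the client issues a request". The two sentences about the 0 setting would also be clearer merged into one: "Setting maximum_pipelined_requests = 0 does not alert on a strictly alternating sequence of requests and responses; the alert fires as soon as the client issues a request before receiving the response to the previous one."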
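Review bot: In the hunk at @@ -4388 the reflowed sid:3 rule keeps the content "%63%68$6F%63%6F%6C%61%74%65", with a "$" where every other byte uses "%". The same "$6F" appears in the context line "GET /%63%68$6F%63%6F%6C%61%74%65/%63%61%6B%65 HTTP/1.1". The surrounding text says the normalized http_uri search for "chocolate" matches this message, which is only true if the byte is "%6F" (decoding to "o"); with "$6F" the normalized URI would read "ch$6Focolate" and the explanation does not hold. Since the rule is being rewritten anyway, fix the example to "%6F" in both the request line and the rule.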
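Review bot: The hunk at @@ -4720 deletes the "double content-language" example (sid:6) outright instead of rewriting it without with_trailer, so the manual no longer shows any rule that combines an http_header match with an http_trailer match. Since the point of this patch is that the with_* sub-options are no longer needed, keep the example with the deprecated option removed, e.g. "http_header: field content-language; content:"da", nocase; http_trailer: field content-language; content:"en", nocase;", and keep the sentence explaining that it alerts when Content-Language changes between headers and trailers.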
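Review bot: In the hunk at @@ -4791 the replacement text "Rule options using "request" option can't be used as fast patterns." is missing an article ("using the "request" option"), and the removed six-item list was the only place that stated when each message part goes through detection (request headers, request body sections, request trailers, and their response counterparts). The remaining sentence "Message body sections can only go through detection at the time they are received" no longer has that context, so consider keeping the list with just the with_body/with_trailer sentences removed rather than dropping it entirely. Also drop the comma in "are deprecated, and no longer required".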