From: Russ Combs (rucombs) Date: Thu, 20 May 2021 20:36:00 +0000 (+0000) Subject: Merge pull request #2895 in SNORT/snort3 from ~RUCOMBS/snort3:build_3.1.5.0 to master X-Git-Tag: 3.1.5.0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=039359ee0e1cfe0dccd1db6aa734477e54ccdd88;p=thirdparty%2Fsnort3.git Merge pull request #2895 in SNORT/snort3 from ~RUCOMBS/snort3:build_3.1.5.0 to master Squashed commit of the following: commit b637ab5f94cd7a24fdae969509bb183f3fa2a6c8 Author: Russ Combs Date: Thu May 20 13:55:40 2021 -0400 build: Generate and tag 3.1.5.0 --- diff --git a/CMakeLists.txt b/CMakeLists.txt index 82e949c6a..c63c31efb 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -3,7 +3,7 @@ project (snort CXX C) set (VERSION_MAJOR 3) set (VERSION_MINOR 1) -set (VERSION_PATCH 4) +set (VERSION_PATCH 5) set (VERSION_SUBLEVEL 0) set (VERSION "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}.${VERSION_SUBLEVEL}") diff --git a/ChangeLog b/ChangeLog index 615644c1b..b444c7faa 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,41 @@ +2021/05/20 - 3.1.5.0 + +appid: Publish an event when appid debug command is issued +appid: do memory accounting of api stash object, dns/tls/third-party sessions +appid: mark payload detection as done after either http request or response is inspected +appid: set monitor flags on future flows +dce_rpc: fix expected session protocol id +dce_rpc: update memory tracking for smb session data +dce_rpc: use find_else_insert in smb session cache to avoid deadlock +file_api: fix spell source error +flow: Adding stash API to save auxiliary IP +flow: Enhancing APIs to stash auxiliary IP +flow: memory tracking updates +hash: add new insert method in lru_cache_shared +http2_inspect: add assert in clear +http2_inspect: concurrent streams limit is configurable +http2_inspect: fix non-standard c++ +http2_inspect: handle trailer after reaching flow depth +http2_inspect: implement window_update frame +http2_inspect: optimize processing after reaching flow depth +http2_inspect: track stream memory incrementally instead of all up front +http2_inspect: update discard print +http2_inspect: update state and delete streams after reaching flow depth +http_inspect: IP reputation support +http_inspect: don't disable detection for flow if it's an HTTP/2 flow +ips_options: fix relative base64_decode +memory: free_space cleanup +netflow: additional check before v5/v9 decode +netflow: version 9 decoding and filtering +packet_tracer: IPS daq trace log +packet_tracer: file daq trace log +parser: Remove rule merge in dump mode +parser: reduce RTNs only after states applied +reputation: track monitor ID via flow; minor code cleanup +shell: exit gracefully when sanbox lua is misconfigured +stream_tcp: Deleting session when both talker and listener are closed +stream_tcp: Using window base for reset validation + 2021/04/21 - 3.1.4.0 -- appid: (fix style) Local variable 'version' shadows outer variable 
diff --git a/doc/reference/snort_reference.text b/doc/reference/snort_reference.text index f36b14456..f20a8cca8 100644 --- a/doc/reference/snort_reference.text +++ b/doc/reference/snort_reference.text @@ -8,7 +8,7 @@ Snort 3 Reference Manual The Snort Team Revision History -Revision 3.1.4.0 2021-04-21 12:58:32 EDT TST +Revision 3.1.5.0 2021-05-20 14:02:39 EDT TST --------------------------------------------------------------------- @@ -873,6 +873,9 @@ Configuration: * string inspection.uuid: correlate events by uuid * enum inspection.mode = inline-test: set policy mode { inline | inline-test } + * int inspection.max_aux_ip = 16: maximum number of auxiliary IPs + per flow to detect and save (-1 = disable, 0 = detect but don’t + save, 1+ = save in FIFO manner) { -1:127 } 2.15. ips @@ -3573,6 +3576,12 @@ Usage: inspect Instance Type: multiton +Configuration: + + * int http2_inspect.concurrent_streams_limit = 100: Maximum number + of concurrent streams allowed in a single HTTP/2 flow { 100:1000 + } + Rules: * 121:1 (http2_inspect) invalid flag set on HTTP/2 frame @@ -3614,6 +3623,9 @@ Rules: * 121:29 (http2_inspect) HTTP/2 rst stream frame sent at invalid time * 121:30 (http2_inspect) uppercase HTTP/2 header field name + * 121:31 (http2_inspect) invalid HTTP/2 window update frame + * 121:32 (http2_inspect) HTTP/2 window update frame with zero + increment Peg counts: @@ -3747,6 +3759,8 @@ Rules: * 119:115 (http_inspect) PDF file unsupported compression type * 119:116 (http_inspect) PDF file cascaded compression * 119:117 (http_inspect) PDF file parse failure + * 119:118 (http_inspect) unexpected script tag within inline + javascript * 119:201 (http_inspect) not HTTP traffic * 119:202 (http_inspect) chunk length has excessive leading zeros * 119:203 (http_inspect) white space before or between messages 
@@ -3887,6 +3901,8 @@ Peg counts: * http_inspect.pipelined_requests: total requests placed in a pipeline (sum) * http_inspect.total_bytes: total HTTP data bytes inspected (sum) + * http_inspect.js_inline_scripts: total number of inline + JavaScripts processed (sum) 5.25. iec104 @@ -4169,15 +4185,20 @@ Configuration: Peg counts: + * netflow.invalid_netflow_record: count of invalid netflow records + (sum) * netflow.packets: total packets processed (sum) * netflow.records: total records found in netflow data (sum) + * netflow.unique_flows: count of unique netflow flows (sum) + * netflow.v9_missing_template: count of data records that are + missing templates (sum) + * netflow.v9_options_template: count of options template flowset + (sum) + * netflow.v9_templates: count of total version 9 templates (sum) * netflow.version_5: count of netflow version 5 packets received (sum) * netflow.version_9: count of netflow version 9 packets received (sum) - * netflow.invalid_netflow_pkts: count of invalid netflow packets - (sum) - * netflow.unique_flows: count of unique netflow flows (sum) 5.30. normalizer @@ -4702,6 +4723,12 @@ Peg counts: * reputation.trusted: number of packets trusted (sum) * reputation.monitored: number of packets monitored (sum) * reputation.memory_allocated: total memory allocated (sum) + * reputation.aux_ip_blocked: number of auxiliary ip packets blocked + (sum) + * reputation.aux_ip_trusted: number of auxiliary ip packets trusted + (sum) + * reputation.aux_ip_monitored: number of auxiliary ip packets + monitored (sum) 5.37. rna 
@@ -9061,6 +9088,9 @@ these libraries see the Getting Started section of the manual. * port host_tracker[].services[].port: port number * enum host_tracker[].services[].proto: IP protocol { ip | tcp | udp } + * int http2_inspect.concurrent_streams_limit = 100: Maximum number + of concurrent streams allowed in a single HTTP/2 flow { 100:1000 + } * implied http_cookie.request: match against the cookie from the request message even when examining the response * implied http_cookie.with_body: parts of this rule examine HTTP @@ -9258,6 +9288,9 @@ these libraries see the Getting Started section of the manual. limit) { -1:65535 } * int inspection.id = 0: correlate policy and events with other items in configuration { 0:65535 } + * int inspection.max_aux_ip = 16: maximum number of auxiliary IPs + per flow to detect and save (-1 = disable, 0 = detect but don’t + save, 1+ = save in FIFO manner) { -1:127 } * enum inspection.mode = inline-test: set policy mode { inline | inline-test } * string inspection.uuid: correlate events by uuid @@ -10954,6 +10987,8 @@ these libraries see the Getting Started section of the manual. * http_inspect.get_requests: GET requests inspected (sum) * http_inspect.head_requests: HEAD requests inspected (sum) * http_inspect.inspections: total message sections inspected (sum) + * http_inspect.js_inline_scripts: total number of inline + JavaScripts processed (sum) * http_inspect.max_concurrent_sessions: maximum concurrent http sessions (max) * http_inspect.options_requests: OPTIONS requests inspected (sum) 
@@ -11040,11 +11075,16 @@ these libraries see the Getting Started section of the manual. * modbus.max_concurrent_sessions: maximum concurrent modbus sessions (max) * modbus.sessions: total sessions processed (sum) - * netflow.invalid_netflow_pkts: count of invalid netflow packets + * netflow.invalid_netflow_record: count of invalid netflow records (sum) * netflow.packets: total packets processed (sum) * netflow.records: total records found in netflow data (sum) * netflow.unique_flows: count of unique netflow flows (sum) + * netflow.v9_missing_template: count of data records that are + missing templates (sum) + * netflow.v9_options_template: count of options template flowset + (sum) + * netflow.v9_templates: count of total version 9 templates (sum) * netflow.version_5: count of netflow version 5 packets received (sum) * netflow.version_9: count of netflow version 9 packets received @@ -11181,6 +11221,12 @@ these libraries see the Getting Started section of the manual. (sum) * rate_filter.no_memory: number of times rate filter ran out of memory (sum) + * reputation.aux_ip_blocked: number of auxiliary ip packets blocked + (sum) + * reputation.aux_ip_monitored: number of auxiliary ip packets + monitored (sum) + * reputation.aux_ip_trusted: number of auxiliary ip packets trusted + (sum) * reputation.blocked: number of packets blocked (sum) * reputation.memory_allocated: total memory allocated (sum) * reputation.monitored: number of packets monitored (sum) @@ -11824,6 +11870,8 @@ these libraries see the Getting Started section of the manual. * 119:115 (http_inspect) PDF file unsupported compression type * 119:116 (http_inspect) PDF file cascaded compression * 119:117 (http_inspect) PDF file parse failure + * 119:118 (http_inspect) unexpected script tag within inline + javascript * 119:201 (http_inspect) not HTTP traffic * 119:202 (http_inspect) chunk length has excessive leading zeros * 119:203 (http_inspect) white space before or between messages 
@@ -11954,6 +12002,9 @@ these libraries see the Getting Started section of the manual. * 121:29 (http2_inspect) HTTP/2 rst stream frame sent at invalid time * 121:30 (http2_inspect) uppercase HTTP/2 header field name + * 121:31 (http2_inspect) invalid HTTP/2 window update frame + * 121:32 (http2_inspect) HTTP/2 window update frame with zero + increment * 122:1 (port_scan) TCP portscan * 122:2 (port_scan) TCP decoy portscan * 122:3 (port_scan) TCP portsweep diff --git a/doc/upgrade/snort_upgrade.text b/doc/upgrade/snort_upgrade.text index 2c01c26d4..46ab37de7 100644 --- a/doc/upgrade/snort_upgrade.text +++ b/doc/upgrade/snort_upgrade.text @@ -8,7 +8,7 @@ Snort 3 Upgrade Manual The Snort Team Revision History -Revision 3.1.4.0 2021-04-21 12:58:19 EDT TST +Revision 3.1.5.0 2021-05-20 14:02:30 EDT TST --------------------------------------------------------------------- diff --git a/doc/user/snort_user.text b/doc/user/snort_user.text index e3e799c12..26378ad37 100644 --- a/doc/user/snort_user.text +++ b/doc/user/snort_user.text @@ -8,7 +8,7 @@ Snort 3 User Manual The Snort Team Revision History -Revision 3.1.4.0 2021-04-21 12:58:20 EDT TST +Revision 3.1.5.0 2021-05-20 14:02:00 EDT TST ---------------------------------------------------------------------
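Review bot: the shell entry in the new 3.1.5.0 ChangeLog block (hunk @@ -1,3 +1,41 @@) has a typo, "sanbox" should read "sandbox", and the entries mix capitalised verbs ("appid: Publish ...", "flow: Adding ...", "stream_tcp: Deleting ...", "stream_tcp: Using ...") with the lowercase form used by the rest of the list; please normalise before tagging, since the ChangeLog is frozen with the release. The block also omits the user-visible changes that the docs in this same commit introduce: the new options inspection.max_aux_ip and http2_inspect.concurrent_streams_limit, the new rules 119:118, 121:31 and 121:32, and the rename of the netflow.invalid_netflow_pkts peg to netflow.invalid_netflow_record; one line each (e.g. "netflow: rename invalid_netflow_pkts peg to invalid_netflow_record") would let operators find them.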
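Review bot: the help text for inspection.max_aux_ip (snort_reference.text hunks @@ -873 and @@ -9258) contains a typographic apostrophe in "don’t" inside a plain-text manual; since this file is generated from the module help string, fix the source string to ASCII "don't" so it renders the same in every terminal. The description would also benefit from spelling out what "save in FIFO manner" means for the operator (presumably the oldest stored auxiliary IP is dropped once the limit is reached) and what "0 = detect but don't save" still does, because the default of 16 turns the feature on for every flow and the new reputation.aux_ip_* pegs show that reputation verdicts are applied to those addresses.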
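Review bot: the range on http2_inspect.concurrent_streams_limit, { 100:1000 } (hunks @@ -3573 and @@ -9061), means the limit cannot be tuned below its default of 100. If that floor is deliberate, because RFC 7540 section 6.5.2 recommends that endpoints allow at least 100 concurrent streams and a lower inspector limit would flag legitimate traffic, say so in the help text; and document what the inspector does when a flow exceeds the limit (alert, stop tracking new streams, or both), since no 121:x rule for exceeding it appears anywhere in this diff.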
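Review bot: rule 119:118 (hunks @@ -3747 and @@ -11824) describes "unexpected script tag within inline javascript" while the new peg http_inspect.js_inline_scripts in the following hunk says "JavaScripts processed"; use the product name "JavaScript" consistently in both, and "inline JavaScript blocks processed" reads better than "JavaScripts" for the peg. The rule text alone also does not say whether a nested script tag is treated as a malformed page or as an evasion indicator; one clause in the rule description would save tuning time.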
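Review bot: 121:32 "HTTP/2 window update frame with zero increment" (hunks @@ -3614 and @@ -11954) matches RFC 7540 section 6.9, which makes a window-size increment of 0 a PROTOCOL_ERROR, so that rule text is fine; 121:31 "invalid HTTP/2 window update frame" is vague next to it. Naming the condition in the rule text (wrong frame length, reserved bit set, or an update on an idle or closed stream), as the neighbouring 121:29 does for rst_stream, would help analysts decide whether the alert points at evasion or at a broken client.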
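Review bot: renaming the netflow.invalid_netflow_pkts peg to netflow.invalid_netflow_record (hunks @@ -4169 and @@ -11040) is a user-visible change: any dashboard or script that scrapes peg counts by name will silently read nothing after the upgrade. It should be listed in the ChangeLog and in doc/upgrade/snort_upgrade.text, which this commit touches only to bump the revision line. Minor: "count of options template flowset (sum)" should be "flowsets", and the v9_missing_template description could state what happens to such records (dropped, or decoded once the template arrives), since data records arriving before their template is the usual cause in NetFlow v9.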
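Review bot: the three new reputation.aux_ip_* pegs (hunks @@ -4702 and @@ -11181) use "auxiliary ip" in lowercase while the inspection.max_aux_ip help says "auxiliary IPs"; use "IP" in both. More importantly, these pegs reveal that reputation verdicts (block, trust, monitor) are now applied to auxiliary addresses stashed on a flow, not only to the packet's own addresses; the reputation section should say so explicitly and state that inspection.max_aux_ip = -1 presumably turns that off, because a block attributed to an auxiliary address cannot be explained from the packet headers alone and operators need to know where it came from.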