From: Tom Peters (thopeter) Date: Tue, 5 Jun 2018 19:21:17 +0000 (-0400) Subject: Merge pull request #1255 in SNORT/snort3 from doc_known_problems to master X-Git-Tag: 3.0.0-246~68 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0a52ef48feea548ba66a9fd8dcbd8f0ce40a13f5;p=thirdparty%2Fsnort3.git Merge pull request #1255 in SNORT/snort3 from doc_known_problems to master Squashed commit of the following: commit 4b570699a3e28b3f61ca5efadfd93d5561e9a590 Author: Tom Peters Date: Mon Jun 4 12:46:55 2018 -0400 snort_manual: known problems --- diff --git a/doc/CMakeLists.txt b/doc/CMakeLists.txt index 3e2967488..774f156c0 100644 --- a/doc/CMakeLists.txt +++ b/doc/CMakeLists.txt @@ -36,7 +36,6 @@ if ( MAKE_DOC ) active.txt appid.txt binder.txt - bugs.txt building.txt byte_extract.txt byte_jump.txt diff --git a/doc/bugs.txt b/doc/bugs.txt deleted file mode 100644 index eef6c3aac..000000000 --- a/doc/bugs.txt +++ /dev/null 
@@ -1,85 +0,0 @@ -==== Build - -* Enabling large pcap may erroneously affect the number of packets processed - from pcaps. - -* Enabling debug messages may erroneously affect the number of packets - processed from pcaps. - -* Building with clang and autotools on Linux will show the following - warning many times. Please ignore. - - clang: warning: argument unused during compilation: '-pthread' - - -==== Config - -* Parsing issue with IP lists. can't parse rules with $EXTERNAL_NET - defined as below because of the space between ! and 10. - - HOME_NET = [[ 10.0.17.0/24 10.0.14.0/24 10.247.0.0/16 10.246.0.0/16 ]] - EXTERNAL_NET = '! ' .. HOME_NET - -* Multiple versions of luajit scripts are not handled correctly. The - first loaded version will always be executed even though plugin manager - saves the correct version. - -* When using -c and -L together, the last on the command line wins (-c -L - will dump; -L -c will analyze). - -* Modules instantiated by command line only will not get default settings - unless hard-coded. This notably applies to -A and -L options. - -* --lua can only be used in addition to, not in place of, a -c config. - Ideally, --lua could be used in lieu of -c. - - -==== Rules - -* metdata:service foo; metadata:service foo; won't cause a duplicate service - warning as does metadata:service foo, service foo; - -* ip_proto doesn't work properly with reassembled packets so it can't be - used to restrict the protocol of service rules. - - -==== snort2lua - -* uricontent:"foo"; content:"bar"; -> http_uri; content:"foo"; content:"bar"; - (missing pkt_data) - -* stream_tcp ports and protocols both go into a single binder.when; this is - incorrect as the when fields are logically anded together (ie must all be - true). Should create 2 separate bindings. - -* There is a bug in pps_stream_tcp.cc.. when stream_tcp: is specified - without any arguments, snort2lua doesn't convert it. Same for - stream_udp. 
- -* Loses the ip list delimiters [ ]; change to ( ) - - in snort.conf: var HOME_NET [A,B,C] - in snort.lua: HOME_NET = [[A B C]] - -* Won't convert packet rules (alert tcp etc.) to service rules (alert http - etc.). - -* alert_fast and alert_full: output configuration includes "file = - 'foo.bar'", but file is a bool and you cannot specify an output file name - in the configuration. - -==== Runtime - -* -B feature does not work. It does ordinary IP address obfuscation - instead of using the mask. - -* Obfuscation does not work for csv format. - -* The hext DAQ will append a newline to text lines (starting with '"'). - -* The hext DAQ does not support embedded quotes in text lines (use hex - lines as a workaround). - -* stream_tcp alert squash mechanism incorrectly squashes alerts for - different TCP packets. - diff --git a/doc/differences.txt b/doc/differences.txt index 1a7e762b1..f8bd47011 100644 --- a/doc/differences.txt +++ b/doc/differences.txt @@ -226,6 +226,8 @@ Some things Snort++ can do today that Snort can not do as well: * nets and/or ports may be omitted from rule headers (matches any) * parse all rules and output all errors before quitting * read rules from conf, separate rules file, or stdin +* The symbol =< in a byte test is recognized as a syntax error. The correct + symbol is \<=. === Output 
@@ -260,3 +262,24 @@ replacement in Snort 3.X. This is because the rule offered no additional value over gid:138 rules and was difficult to interpret the result of. For more information, See Features > Sensitive Data Filtering for details. + +=== Features Not Yet Supported by Snort 3 + +* Support in http_inspect for Original Client IP is limited to the + X-Forwarded-For and True-Client-IP headers in that order. It is not + possible to configure additional custom headers to search for Original + Client IP. + +* The -n option does not work properly when perf_monitor is configured. The + number of packets processed from the pcap is likely to be more than the + number specified with the -n option. + +* When a file is transferred via SMB2 it may be allowed even though + according to file policy it should be blocked. This occurs when the + create and read requests are sent together and then the read and create + responses are sent together. Blocking is done correctly if the create and + read requests are sent separately or if the file is large enough to + require two read responses. + +* This user manual is incomplete and does not fully cover many Snort 2.X + features that are also supported by Snort 3. diff --git a/doc/reference.txt b/doc/reference.txt index 7e2c8ccfd..ff64ed2af 100644 --- a/doc/reference.txt +++ b/doc/reference.txt @@ -51,10 +51,6 @@ include::modules.txt[] include::plugins.txt[] -=== Bugs - -include::bugs.txt[] - === LibDAQ and DAQ Modules include::daq_readme.txt[]
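Review bot: Deleting doc/bugs.txt (hunk @@ -1,85 +0,0) drops known problems that do not reappear anywhere else in this patch: the -B obfuscation using plain IP obfuscation instead of the mask, obfuscation not working for csv output, the hext DAQ newline and embedded-quote limitations, the stream_tcp alert squash hitting different TCP packets, the HOME_NET/EXTERNAL_NET "! " parsing issue, the -c/-L ordering quirk, and all of the snort2lua conversion gaps. Either state in the commit message that each of these has been fixed, or carry the still-open items into the new section in differences.txt; otherwise the manual loses its only record of these behaviours, several of which (obfuscation, alert squashing) directly affect what operators see in their logs.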
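Review bot: In the differences.txt hunk @@ -226,6 +226,8 the new bullet "* The symbol =< in a byte test is recognized as a syntax error. The correct symbol is \<=." is appended to a list headed "Some things Snort++ can do today that Snort can not do as well:", whose other items start lowercase and describe capabilities ("* nets and/or ports may be omitted from rule headers", "* parse all rules and output all errors before quitting"). This item is a rule-syntax gotcha, not a capability, so it reads oddly there. Suggest either rewording to match the list, e.g. "* rejects =< in byte_test as a syntax error (the correct operator is \<=)", or moving it to the rules section of the differences document.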
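Review bot: The heading "=== Features Not Yet Supported by Snort 3" (hunk @@ -260,3 +262,24) does not describe two of its four items: the -n count being exceeded when perf_monitor is configured and the SMB2 file being allowed despite a blocking file policy are defects, not unsupported features. The SMB2 item in particular is an enforcement gap (a file that policy says to block gets through when the create and read requests are pipelined), and a reader scanning for "unsupported features" is likely to miss it. Since the commit title is "known problems", consider naming the section accordingly, or splitting it into known problems and not-yet-supported features so the two reads are not conflated.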
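Review bot: The reference.txt hunk @@ -51,10 +51,6 removes the "=== Bugs / include::bugs.txt[]" section without adding any pointer to where known problems now live. The replacement content is in differences.txt, which this patch does not show being included from reference.txt; please confirm that file is still reachable from the manual's top level, or add a short cross-reference in place of the removed section so readers of the reference can find the known problems list.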