From: Steve Chew (stechew) Date: Fri, 9 Sep 2022 06:35:57 +0000 (+0000) Subject: Pull request #3584: build: generate and tag 3.1.41.0 X-Git-Tag: 3.1.41.0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1233e40041525e039fc25b1c91248e767cd0504a;p=thirdparty%2Fsnort3.git Pull request #3584: build: generate and tag 3.1.41.0 Merge in SNORT/snort3 from ~PRBG/snort3:build_3.1.41.0 to master Squashed commit of the following: commit c2679ae40b120ee4d17b04612422d1bcbd5093d1 Author: Priyanka Gurudev Date: Wed Sep 7 15:34:40 2022 -0400 build: generate and tag 3.1.41.0 --- diff --git a/CMakeLists.txt b/CMakeLists.txt index 767615610..308c588c2 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -3,7 +3,7 @@ project (snort CXX C) set (VERSION_MAJOR 3) set (VERSION_MINOR 1) -set (VERSION_PATCH 40) +set (VERSION_PATCH 41) set (VERSION_SUBLEVEL 0) set (VERSION "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}.${VERSION_SUBLEVEL}") diff --git a/ChangeLog.md b/ChangeLog.md index 5c577788b..5440e0022 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -1,3 +1,16 @@ +2022-09-07: 3.1.41.0 + +* appid: send intermediate messages for appid reload commands to the socket +* file_api: corrected the formatting of File Statistics output +* file_id: Update Office Documents rules +* flow: update flow statistics before processing a flow +* framework, rna, pub_sub: make data bus get_packet method a const +* netflow: log even when not all info is present +* sd_pattern: add and improve built-in patterns +* stream: free flow data, if flow is blocked +* stream: use a const packet to populate the flow key +* utils: refactor JS normalizer unit tests + 2022-08-25: 3.1.40.0 * appid: activate appid debug object before printing logs from http event handler diff --git a/doc/reference/snort_reference.text b/doc/reference/snort_reference.text index 4671f5ac0..e017de8f9 100644 --- a/doc/reference/snort_reference.text +++ b/doc/reference/snort_reference.text 
@@ -8,7 +8,7 @@ Snort 3 Reference Manual The Snort Team Revision History -Revision 3.1.40.0 2022-08-25 09:58:14 EDT TST +Revision 3.1.41.0 2022-09-08 16:39:43 EDT TST --------------------------------------------------------------------- diff --git a/doc/upgrade/snort_upgrade.text b/doc/upgrade/snort_upgrade.text index 29250b47a..823966156 100644 --- a/doc/upgrade/snort_upgrade.text +++ b/doc/upgrade/snort_upgrade.text @@ -8,7 +8,7 @@ Snort 3 Upgrade Manual The Snort Team Revision History -Revision 3.1.40.0 2022-08-25 09:59:02 EDT TST +Revision 3.1.41.0 2022-09-08 16:40:51 EDT TST --------------------------------------------------------------------- diff --git a/doc/user/snort_user.text b/doc/user/snort_user.text index 54cc1c5e6..19bf38823 100644 --- a/doc/user/snort_user.text +++ b/doc/user/snort_user.text @@ -8,7 +8,7 @@ Snort 3 User Manual The Snort Team Revision History -Revision 3.1.40.0 2022-08-25 09:57:58 EDT TST +Revision 3.1.41.0 2022-09-08 16:40:05 EDT TST --------------------------------------------------------------------- @@ -5537,9 +5537,9 @@ filtered scans, since these are more prone to false positives. The sd_pattern IPS option provides detection and filtering of Personally Identifiable Information (PII). This information includes -credit card numbers, U.S. Social Security numbers, and email -addresses. A rich regular expression syntax is available for defining -your own PII. +credit card numbers, U.S. Social Security numbers, phone numbers, and +email addresses. A rich regular expression syntax is available for +defining your own PII. 5.17.1. Hyperscan 
@@ -5558,25 +5558,37 @@ sd_pattern: ""[, threshold ]; 5.17.2.1. Pattern Pattern is the most important and is the only required parameter to -sd_pattern. It supports 3 built in patterns which are configured by -name: "credit_card", "us_social" and "us_social_nodashes", as well as -user defined regular expressions of the Hyperscan dialect (see https: -//intel.github.io/hyperscan/dev-reference/compilation.html# -pattern-support). +sd_pattern. It supports 5 built-in patterns which are configured by +name: "credit_card", "us_social", "us_social_nodashes", "email", and +"us_phone" as well as user defined regular expressions of the +Hyperscan dialect (see https://intel.github.io/hyperscan/ +dev-reference/compilation.html#pattern-support). sd_pattern:"credit_card"; When configured, Snort will replace the pattern credit_card with the -built in pattern. In addition to pattern matching, Snort will +built-in pattern. In addition to pattern matching, Snort will validate that the matched digits will pass the Luhn-check algorithm. -Currently the only pattern that performs extra verification. sd_pattern:"us_social"; sd_pattern:"us_social_nodashes"; -These special patterns will also be replaced with a built in pattern. +These special patterns will also be replaced with a built-in pattern. Naturally, "us_social" is a pattern of 9 digits separated by -'s in -the canonical form. +the canonical form. For this pattern, some validation of compliance +with the Social Security Numbers randomization rules is also +performed. + +sd_pattern:"email"; + +This pattern will be replaced with a built-in pattern created to +match email. The regex implements the “preferred” syntax from RFC +1035 which is one of the recommendations in RFC 5322. + +sd_pattern:"us_phone"; + +This pattern will match U.S. phone numbers in different formats with +or without country code. sd_pattern:"\b\w+@ourdomain\.com\b" 
@@ -5595,7 +5607,7 @@ many correctly formatted emails. 5.17.2.2. Threshold -Threshold is an optional parameter allowing you to change built in +Threshold is an optional parameter allowing you to change built-in default value (default value is 1). The following two instances are identical. The first will assume the default value of 1 the second declaration explicitly sets the threshold to 1. @@ -5611,13 +5623,13 @@ This example requires 300 matches of the pattern "This is a string literal" to qualify as a positive match. That is, if the string only occurred 299 times in a packet, you will not see an event. -5.17.2.3. Obfuscating Credit Cards and Social Security Numbers +5.17.2.3. Obfuscating built-in patterns -Snort provides discreet logging for the built in patterns -"credit_card", "us_social" and "us_social_nodashes". Enabling -ips.obfuscate_pii makes Snort obfuscate the suspect packet payload -which was matched by the patterns. This configuration is disabled by -default. +Snort provides discreet logging for the built-in patterns +"credit_card", "us_social", "us_social_nodashes", "us_phone" and +"email". Enabling ips.obfuscate_pii makes Snort obfuscate the suspect +packet payload which was matched by the patterns. This configuration +is disabled by default. ips = { @@ -5651,8 +5663,8 @@ Logged output when running Snort in "cmg" alert format. 2. Log obfuscation is only applicable to CMG and Unified2 logging formats. 3. Log obfuscation doesn’t support user defined PII patterns. It is - currently only supported for the built in patterns for Credit - Cards and US Social Security numbers. + currently only supported for the built-in patterns for Credit + Cards and U.S. Social Security numbers. 4. Log obfuscation doesn’t work with stream rebuilt packet payloads. (This is a known bug).
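Review bot: The overview sentence in the @@ -5537,9 +5537,9 @@ hunk of doc/user/snort_user.text adds "phone numbers" without the U.S. qualifier, while the only phone pattern this patch documents is "us_phone", described as matching U.S. phone numbers. Suggest writing "U.S. phone numbers" here, parallel to "U.S. Social Security numbers", so readers do not expect international formats to be covered.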
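Review bot: The new "email" paragraph in the @@ -5558,25 +5558,37 @@ hunk of doc/user/snort_user.text says the regex implements the "preferred" syntax from RFC 1035, but that syntax describes domain names, so the text leaves open how the local part before the @ is matched. Suggest saying that the RFC 1035 preferred name syntax applies to the domain part, describing what the local part accepts, and changing "created to match email" to "created to match email addresses". The same hunk describes the us_social check only as "some validation of compliance with the Social Security Numbers randomization rules" and us_phone only as "different formats". Since the sentence naming credit_card as the only pattern with extra verification is removed here, listing the concrete checks and accepted formats would help rule writers judge false positives and misses.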
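Review bot: Limitation 3 in the @@ -5651,8 +5663,8 @@ hunk of doc/user/snort_user.text still says log obfuscation is "only supported for the built-in patterns for Credit Cards and U.S. Social Security numbers", which contradicts section 5.17.2.3 as changed by this same patch, where "us_phone" and "email" are listed among the patterns covered by ips.obfuscate_pii. Either extend limitation 3 to name all five built-in patterns or, if phone and email matches are not obfuscated, drop them from 5.17.2.3. As written, an operator cannot tell whether matched email addresses and phone numbers will appear in the clear in CMG and Unified2 logs.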