From: Michael Altizer (mialtize) Date: Thu, 12 Mar 2020 18:28:08 +0000 (+0000) Subject: Merge pull request #2074 in SNORT/snort3 from ~MIALTIZE/snort3:build_269 to master X-Git-Tag: 3.0.0-269 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=13580ef9f6aa047b24d9cd8fac940d3a4d963f73;p=thirdparty%2Fsnort3.git Merge pull request #2074 in SNORT/snort3 from ~MIALTIZE/snort3:build_269 to master Squashed commit of the following: commit 08d5b15a1d4a8eedc4628bbed0a36f2e0bb8ed9d Author: Michael Altizer Date: Thu Mar 12 10:40:14 2020 -0400 build: generate and tag build 269 --- diff --git a/ChangeLog b/ChangeLog index 58c232bed..b100b58b7 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,4 +1,78 @@ -20/02/21 - build 268 +2020/03/12 - build 269 + +-- active: Add ability to inject resets and payload via IOCTLs +-- appid: Add support for third-party reload on midstream session +-- appid: detect apps using x-working-with http field in response header +-- appid: Enhance ssl appid lookup api to store SNI and CN provided by SSL for app detection +-- appid: fix thread-safety issues in mdns detector +-- appid: handle CERTIFICATE STATUS handshake type in SSL detector +-- appid: move client/service pattern detectors and service discovery manager to odp context +-- appid: Support third-party reload when snort is running with multiple packet threads +-- base64_decode: use standard detection context data buffer +-- build: fix build on big-endian systems +-- build: Fix LibUUID detection on OS X +-- build: Fix various build issues on FreeBSD and OS X +-- build: refactor trace logs +-- build: tweak includes +-- build: use const and auto references where possible +-- byte_math: Snort2 bug fix port of integer over and under flow detection +-- classifications: update implementation with unordered map +-- classifications: use consistent variable names +-- cmake: Fix building without lzma library +-- detection: added support for trace config option to take a list of strings with verbosity level + instead of bitmask +-- detection: refactoring updates to detection, moved DetectionModule into a separate file +-- flow: added initiator bytes/packets onto flow +-- flow: Add missing time.h include for struct timeval +-- flow: free the flow data before deleting the actual flow +-- flow: turn off deferred whitelist on DONE if no whitelist was seen +-- flow_cache: fix memory deallocation bug due to inverted return value from hash release node +-- framework: add generic conversion of trace strings to bitmaks +-- ftp: Whitelist ftp session after max sig depth reached +-- ghash: fix thread race condition with GHash member variables when a GHash instance is global +-- hash: add 
unit tests for new HashLruCache class +-- hash: delete unused sfmemcap.[h|cc] and remove unnecessary includes +-- http2_inspect: abort for nhi errors +-- http2_inspect: send data frames to http - full frames only in a single flush +-- http_inspect: change http_uri to only include path and query for absolute and absolute path uris +-- http_inspect: improve precautions for stream interactions +-- http_inspect: Properly mock HttpModule::peg_counts in http_transaction_test +-- main: do FileService::post_init after inspectors are configured +-- parser: remove legacy parsing code +-- plugin_manager: add support for reload so_rule plugins +-- pub_sub: add http2 info to http pub messages +-- reference: update implementation with unordered map +-- reload: add description of reload error to the response message of the reload_config command +-- reputation: remove reputation monitor flag from packet, track verdict on flow +-- rules: add constructors for references and classifications +-- rules: fix warnings and startup counts for duplicates +-- rules: remove cruft +-- rules: simplify implementation of services, classifications, and references by using std::string +-- rules: update --gen-msg-map to include all configured rules with references +-- service_inspectors: added counters to track total number of data bytes processed in SMTP, POP, + SSH and FTP +-- service: update implementation to vector +-- sfdaq: convert parsing related error messages in DAQ init to ParseErrors +-- sfdaq: Made get_stats public for plugins +-- smb: Fix malware over size 131kb not being detected in SMBv2/SMBv3 +-- snort_config: footprint REG_TEST, no check for stream inspector add/rm, etc. 
+-- stats: update shutdown timing stats +-- stream: Addressing inconsistent stream stats and some data races +-- stream_ip: added counters to track total number of data bytes processed +-- stream_tcp: no_ack applies only to ips mode +-- stream_udp: added counters to track total number of data bytes processed +-- style: remove tabs and too long lines +-- utils: add unit tests for MemCapAllocator class +-- utils: create memory allocation class based on sfmemcap functionality +-- utils: handle out-of-range time +-- xhash: refactor XHash and HashFnc to eliminate c-style callbacks and simplify ctor options +-- xhash: rename hashfcn.[cc|h] to hash_keys.[cc|h] +-- xhash/zhash: refactor duplicated code into a common base class, xhash/zhash will subclass this + new base class +-- zhash: make zhash a subclass of xhash, eliminate duplicate code +-- zhash: refactor to use hash_lru_cache and hash_key_operations classes + +2020/02/21 - build 268 -- appid: Adding support for appid detection on decrypted SSL sessions -- appid: Adding support for wildcard ports in static host port cache @@ -113,7 +187,7 @@ -- tweaks: update per new normalizer defaults -- tweaks: update policy configs to better align with Snort 2 -19/12/20 - build 267 +2019/12/20 - build 267 -- appid: Adding command for third-party reload -- appid: cleanup unused code @@ -155,7 +229,7 @@ -- time: Convert periodic and stopwatch unit tests to standalone Catch -- utils: Convert bitop unit tests to standalone Catch -19/12/04 - build 266 +2019/12/04 - build 266 -- appid: Add new pattern to pop3, don't concatenate ssl certs, use openssl-1.1 compliant APIs -- appid: Enabling host cache for unknown SSL flows @@ -189,7 +263,7 @@ the stream tcp code into one component (libtcp goes away) -- stream_tcp: Updates from PR review comments -19/11/22 - build 265 +2019/11/22 - build 265 -- analyzer_command: support resource tuning on reload -- appid: Adding Lua-C API to handle midstream traffic 
@@ -210,7 +284,7 @@ -- stream_tcp: fix state machine instantiation -- wizard: handle NBSS startup in dce_smb_curse -19/11/06 - build 264 +2019/11/06 - build 264 -- appid: Handle DNS responses with compression pointers at last record -- dce_smb: deprecate config for smb_file_inspection, use smb_file_depth only @@ -230,7 +304,7 @@ needed when the stream 'max_flows' configuration option changes -- telnet: fix check_encrypted help string -19/10/31 - build 263 +2019/10/31 - build 263 -- appid: for ssl sessions, set payload id to unknown after ssl handshake is done if the payload id was not not found @@ -268,7 +342,7 @@ -- stream_tcp: fix stability issues -- stream_tcp: If no-ack is on, rewrite ACK value to be the expected ACK. -19/10/09 - build 262 +2019/10/09 - build 262 -- analyzer: move setting pkth to nullptr to after publishing finalize event -- analyzer: publish other message event for unknown DAQ messages @@ -325,7 +399,7 @@ -- unit-tests: fix compiler warnings that snuck into CppUTest unit tests -- utils: prevent integer overflow/underflow when reading BER elements -19/09/12 - build 261 +2019/09/12 - build 261 -- analyzer: Process retry queue and onloads when no DAQ messages are received -- appid: Enabled API for SSL to lookup appid @@ -347,7 +421,7 @@ -- stream: fix problem with accelerated blocking partial inspection -- style: update link for google c++ style guide -19/08/28 - build 260 +2019/08/28 - build 260 -- appid: handle 'change cipher spec' in 'server hello' to allow some app detection for tls 1.3 traffic @@ -360,7 +434,7 @@ -- rna: Support for rna unified2 logging -- stream_tcp: clear consecutive small segs count upon non-small segs only -19/08/21 - build 259 +2019/08/21 - build 259 -- analyzer_command: Import into snort namespace and add the ability to retrieve the DAQ instance from an Analyzer 
@@ -409,7 +483,7 @@ -- wizard: Avoid host cache service insertion since we are using flow service -- xhash: Ported sfxhash_change_memcap() from snort2 to snort3 -19/07/17 - build 258 +2019/07/17 - build 258 -- analyzer: 1024 contexts max is a better default until configurable -- appid: fix header order in appid_session @@ -448,7 +522,7 @@ -- stream_tcp: fix non-deep detect profile exclusion -- talos.lua: various fixes for command line usage -19/06/19 - build 257 +2019/06/19 - build 257 -- analyzer: publish finalize packet event before calling finalize_message. -- appid: Protocol based detection for non-TCP non-UDP traffic. @@ -480,7 +554,7 @@ -- stream: Do not validate timestamp until peer timestamp is set -- stream_ip: Checking null inspector while updating session -19/05/22 - build 256 +2019/05/22 - build 256 -- DAQng: Port Snort and its DAQ modules to DAQ3 - Massive refactoring of the Analyzer thread @@ -510,12 +584,12 @@ -- snort2lua: Remove sticky buffer duplicates -- stream: disable inspection of flow on reset -19/05/03 - build 255 +2019/05/03 - build 255 -- ips: add includer for better relative path support -- module_manager: Fix potential null deref in module parameter dumping -19/04/26 - build 254 +2019/04/26 - build 254 -- analyzer: Print pause indicator from analyzer threads -- appid: remove inspector reference from detectors @@ -533,7 +607,7 @@ -- stream_tcp: Try to work with a cleaner Packet when purging at shutdown -- test: remove cruft -19/04/17 - build 253 +2019/04/17 - build 253 -- build: delete unused code called out by cppcheck -- doc: remove mention of obsolete LUA_PATH, SNORT_LUA_PATH, and required snort_config library @@ -548,7 +622,7 @@ -- parser: update include file handling -- parser: fix defaults for alerts.order and network.checksum_eval -19/04/10 - build 252 +2019/04/10 - build 252 -- appid: Fix NetworkSet compilation on big-endian systems -- appid: Reduce variable scope in service_mdns 
@@ -614,7 +688,7 @@ -- stream_tcp: Fix shadowed variable when profiling deeply -- u2spewfoo: update due to re-ording of retry action. -19/03/31 - build 251 +2019/03/31 - build 251 -- ActionManager: actions are tracked per packet for accurate packet suspension -- DetectionEngine: make onload safe for reentrance @@ -810,7 +884,7 @@ -- stream_udp: ensure all flows are cleared fully -- time: Adding timersub_ms function to return timersub in milliseconds -18/12/06 - build 250 +2018/12/06 - build 250 -- actions: Fix incorrect order of IPS reject unreachable codes and adding forward option -- active: added peg count for injects @@ -872,7 +946,7 @@ -- tools: Install appid-detector-builder.sh with the other tools; thanks to Jonathan McDowell for reporting the issue -18/11/07 - build 249 +2018/11/07 - build 249 -- appid: Fixing profiler data race and registration issues -- appid: make third party appid stats configurable @@ -940,7 +1014,7 @@ -- thread_idle: call timeout flows with packet time for pcap replay -- utils: fixed deprecation build warning on register keyword -18/09/26 - build 248 +2018/09/26 - build 248 -- appid: adding detector builder and fixing stats to recognize custom appid thanks to Wang Jun for reporting the issue @@ -972,7 +1046,7 @@ -- reputation: early return on parsing error causing uninitialized id -- reputation: fix SI doesn't block traffic if Any Zone is specified -18/08/27 - build 247 - Beta +2018/08/27 - build 247 - Beta -- appid: change map to unordered map -- appid: declare SMTPS early in STARTTLS state on success response code @@ -984,7 +1058,7 @@ -- stream_tcp: avoid duplicating split sement data -- build: removing use of u_char and u_short macros (github #53) -18/08/13 - build 246 +2018/08/13 - build 246 -- active: Add an upper limit of 255 to min_interval -- appid: Avoid snort crash upon lua file errors 
@@ -1056,7 +1130,7 @@ -- stream_tcp: back out fin handling changes for bug not relevant to snort3 -- tcp_connector_test: fixed version-sensitive build problem -18/05/21 - build 245 +2018/05/21 - build 245 -- CodecManager: removed unused code -- DataBus: fixed creating DataHandler when one doesn't exist @@ -1218,7 +1292,7 @@ -- wizard: Fix UBSAN out-of-bounds access runtime error -- zhash: cleanup cruftiness -18/03/15 - build 244 +2018/03/15 - build 244 -- appid: unit-tests for http detector plugins -- build: address compiler warnings, spell check and static analyzer issues @@ -1244,7 +1318,7 @@ -- snort: wrap SO_PUBLIC APIs (classes, functions exported public from snort) in the 'snort' namespace -18/02/12 - build 243 +2018/02/12 - build 243 -- build: enable gdb debugging info by default -- build: fix cppcheck warnings @@ -1267,7 +1341,7 @@ when service groups are present -- wizard: count user scans and hits separate from tcp -18/01/29 - build 242 +2018/01/29 - build 242 -- build: add STATIC to add_library call of port_scan to build it statically otherwise link will fail (Makefile.am already build only the static version) @@ -1292,7 +1366,7 @@ -- unit tests: added ability to run Catch tests from dynamic modules -- utils, flatbuffers: added a uniform interface for 64-bit endian swaps -17/12/15 - build 241 +2017/12/15 - build 241 -- add back the ref count for file config -- alert_csv: various fixes to match alert_json @@ -1389,7 +1463,7 @@ -- wizard: activate profiler support -- wizard: usage is inspect -17/10/31 - build 240 +2017/10/31 - build 240 -- active: fix packet modify vs resize handling -- alert_csv: rename dgm_len to pkt_len @@ -1504,7 +1578,7 @@ -- unified2: log buffers as cooked packets with legacy events -- wscale: add extra rule option to check tcp window scaling -17/07/25 - build 239 +2017/07/25 - build 239 -- rules: remove sample.rules; Talos will publish Snort 3 rules on snort.org -- logging: fix handling of out of range timeval 
@@ -1512,7 +1586,7 @@ -- wizard: fix direction issue -- wizard: fix imap spell -17/07/24 - build 238 +2017/07/24 - build 238 -- check: update hyperscan and regex tests -- cpputests: clean up some header include issues @@ -1549,7 +1623,7 @@ -- u2: remove obsolete configurations -- u2: support mixed IP versions -17/07/13 - build 237 +2017/07/13 - build 237 -- build: add support for appending EXTRABUILD to the BUILD string -- build: Clean up some ICC 2017 warnings @@ -1583,7 +1657,7 @@ -- snort2lua: fix heap-use-after-free for preprocessors and configs with no arguments -- snort2lua: update for port_scan -17/06/15 - build 236 +2017/06/15 - build 236 -- appid: clean up shutdown stats -- appid: fix memory leak @@ -1601,7 +1675,7 @@ -- ssl: use stop-and-wait splitter (protocol aware splitter is next) -- stream_ip: fix 123:7 -17/06/01 - build 235 +2017/06/01 - build 235 -- http_inspect: improve handling of improper bare \r separator -- appid: fix bug where TNS detector corrupted the flow data object @@ -1616,7 +1690,7 @@ -- doc: update differences section -- doc: update README -17/05/21 - build 234 +2017/05/21 - build 234 -- byte_math: port rule option from 2X and add feature documentation -- pgm: don't calculate checksum if header length is not divisible by 4 @@ -1627,7 +1701,7 @@ -- cmg: revamp hex buffer dump format with 16 or 20 bytes per line -- rules: reject positional parameters containing spaces -17/05/11 - build 233 +2017/05/11 - build 233 -- packet manager: ensure ether type proto ids don't masquerade as ip proto ids thanks to Bhargava Shastry for reporting the issue @@ -1645,7 +1719,7 @@ -- cleanup: fix typos in source code string literals and comments -- doc: fix typos -17/04/28 - build 232 +2017/04/28 - build 232 -- build: clean up Intel compiler warnings and remarks -- build: fix FreeBSD compilation issues 
@@ -1664,13 +1738,13 @@ -- flatbuffers: add version to banner if present -- loggers: build alert_sf_socket on all platforms -17/04/07 - build 231 +2017/04/07 - build 231 -- add decode of MPLS in IP -- add 116:171 and 116:173 cases (label 0 or 2 in non-bottom of stack) -- cleanup: remove dead code -17/03/27 - build 230 +2017/03/27 - build 230 -- require hyperscan >= 4.4.0, check runtime support thanks to justin.viiret@intel.com for submitting the patch @@ -1686,7 +1760,7 @@ -- add regex.fast_pattern; do not use for fast pattern unless explicitly indicated -- update copyrights to 2017 -17/03/17 - build 229 +2017/03/17 - build 229 -- fixed mpse to ensure all search methods return consistent results -- updated search tool to use fast pattern config's search method @@ -1696,7 +1770,7 @@ -- http_inspect: added alert 119:82 for bad Content-Length value -- http_inspect: added alert 119:83 for header wrapping; CR and LF parsed as whitespace -17/03/02 - build 228 - Alpha 4 +2017/03/02 - build 228 - Alpha 4 -- update hypercsan mpse: print error message and erroneous pattern when compilation fails -- update rule parser: add multiple byte orders warning @@ -1709,14 +1783,14 @@ -- doc: move LibDAQ README to Reference, update, and fix typos -- doc: update default manuals -17/02/24 - build 227 +2017/02/24 - build 227 -- allow arbitrary / unused gids in text rules -- support DAQs w/o explicit sources (nfq, ipfw) -- fix up peg help (remove _) -- fix u2 logging of PDUs -17/02/16 - build 226 +2017/02/16 - build 226 -- add PDF/SWF decompression to http_inspect -- add connectors to generated reference parts of manual @@ -1740,7 +1814,7 @@ -- snort2lua - changes to add file_id when smb file inspection is on -- snort2lua - add deprecated option stream5_tcp: log_asymmetric_traffic -17/02/01 - build 225 +2017/02/01 - build 225 -- implement RPC over HTTP by adding dce_http_server and dce_http_proxy -- port disable_replace option from snort 2.x and add snort2lua support 
@@ -1765,7 +1839,7 @@ -- normalize peg names to lower snake_case -- update default manuals -17/01/17 - build 224 +2017/01/17 - build 224 -- fix various stream_tcp flush issues -- fix various cmake issues @@ -1784,7 +1858,7 @@ -- added CPP flags used to build Snort to snort.pc for extras and other plugins to use -16/21/16 - build 223 +2016/21/16 - build 223 -- port 2983 smb active response updates -- fix reload crash with file inspector @@ -1804,7 +1878,7 @@ -- improve http_inspect Field class -- refactor plugin loading -16/12/16 - build 222 +2016/12/16 - build 222 -- add JavaScript Normalization to http_inspect -- fix appid service check dispatch list @@ -1819,7 +1893,7 @@ -- refactor user manual for clarity -- update default user manuals -16/12/09 - build 221 +2016/12/09 - build 221 -- fix appid handling of sip inspection events -- fix wizard to prevent use-after-free of service name @@ -1830,7 +1904,7 @@ -- update manual for dce_* inspectors -- refactor IP address handling -16/12/01 - build 220 +2016/12/01 - build 220 -- fixed uu and qp decode issue -- fixed file signature calculation for ftp @@ -1848,7 +1922,7 @@ -- document sensitive data use -- user manual refactoring and updates -16/11/21 - build 219 +2016/11/21 - build 219 -- add dce auto detect to wizard -- add MIME file processing to new http_inspect @@ -1868,7 +1942,7 @@ -- create pid file after dropping privileges -- improve detection and use of CppUTest in non-standard locations -16/11/04 - build 218 +2016/11/04 - build 218 -- fix shutdown stats -- fix misc appid issues @@ -1876,7 +1950,7 @@ -- add sip inspector events for appid -- update default manuals -16/10/28 - build 217 +2016/10/28 - build 217 -- update appid to 2983 -- add inspector events from http_inspect to appid @@ -1885,7 +1959,7 @@ -- fix release of blocked flow -- fix 129:16 false positive -16/10/21 - build 216 +2016/10/21 - build 216 -- add build configuration for thread sanitizer -- port dce_udp fragments 
@@ -1894,7 +1968,7 @@ -- fix -Wmaybe-uninitialized issues -- fix related to appid name with space and SSL position -16/10/13 - build 215 +2016/10/13 - build 215 -- added module trace facility -- port block malware over ftp for clients/servers that support REST command @@ -1906,7 +1980,7 @@ -- fix file hash pruning issue -- fix rate_filter action config and apply_to clean up -16/10/07 - build 214 +2016/10/07 - build 214 -- updated DAQ - you *must* use DAQ 2.2.1 -- add libDAQ version to snort -V output @@ -1939,14 +2013,14 @@ -- change default latency actions to none -- deleted non-functional extra decoder for i4l_rawip -16/09/27 - build 213 +2016/09/27 - build 213 -- ported full retransmit changes from snort 2X -- fixed carved smb2 filenames -- fixed multithread hyperscan mpse -- fixed sd_pattern iterative validation -16/09/24 - build 212 +2016/09/24 - build 212 -- add dce udp snort2lua -- add file detection when they are transferred in segments in SMB2 @@ -1967,14 +2041,14 @@ -- build: remove SPARC support -- build: clean up some DAQ header inclusion creep. -16/09/22 - build 211 +2016/09/22 - build 211 -- fix hyperscan detection with nocase -- fix shutdown sequence -- fix --dirty-pig -- fix FreeBSD build re appid / service_rpc -16/09/20 - build 210 +2016/09/20 - build 210 -- started dce_udp porting -- added HA details to stream/* dev_notes @@ -1985,7 +2059,7 @@ -- fixed double counting of ip and udp timeouts and prunes -- fixed clearing of SYN - RST flows -16/09/14 - build 209 +2016/09/14 - build 209 -- add dce iface fast pattern for tcp -- add --enable-tsc-clock to build/use TSC register (on x86) @@ -1996,7 +2070,7 @@ -- fix most bogus gap counts -- unit test fixes for high availability, hyperscan, and regex -16/09/09 - build 208 +2016/09/09 - build 208 -- fixed for TCP high availability -- fixed install of file_decomp.h for consistency between Snort and extras 
@@ -2005,7 +2079,7 @@ -- ported mpls encode fixes from 2983 -- cleaned up compiler warnings -16/09/02 - build 207 +2016/09/02 - build 207 -- ported smb file processing -- ported the 2.9.8 ciscometadata decoder @@ -2023,7 +2097,7 @@ -- fixed http_inspect and tcp valgrind errors -- fixed extra auto build from dist -16/08/10 - build 206 +2016/08/10 - build 206 -- ported appid rule option as "appids" -- moved http_inspect (old) to http_server (in extras) @@ -2033,7 +2107,7 @@ -- fixed event queue buffer log size -- fixed make distcheck; thanks to jack jackson for reporting the issue -16/08/05 - build 205 +2016/08/05 - build 205 -- ported smb segmentation support -- converted sd_pattern to use hyperscan @@ -2041,21 +2115,21 @@ -- fixed endianness issues with rule options seq and win -- fixed rule option session binary vs all -16/07/29 - build 204 +2016/07/29 - build 204 -- fixed issue with icmp_seq and icmp_id field matching -- fixed off-by-1 line number in rule parsing errors -- fix cmake make check issue with new_http_inspect -- added new_http_inspect unbounded POST alert -16/07/22 - build 203 +2016/07/22 - build 203 -- add oversize directory alert to new_http_inspect -- add appid counts for mdns, timbuktu, battlefield, bgp, and netbios services -- continue smb port - write and close command, deprecated dialect check, smb fingerprint -- fix outstanding strndup calls -16/07/15 - build 202 +2016/07/15 - build 202 -- fix dynamic build of new_http_inspect -- fix static analysis issues @@ -2065,7 +2139,7 @@ -- snort2lua updates for new_http_inspect -- code refactoring and cleanup -16/06/22 - build 201 +2016/06/22 - build 201 -- initial appid port - in progress -- add configure --enable-hardened-build @@ -2085,7 +2159,7 @@ -- miscellaneous cmake and auto tools build fixes -- openssl is now a mandatory dependency -16/06/10 - build 200 +2016/06/10 - build 200 -- continued porting of dce_rpc - smb transaction processing -- tweaked autotools build foo 
@@ -2095,7 +2169,7 @@ -- fix static analysis issues -- fix handling of bpf file failures -16/06/03 - build 199 +2016/06/03 - build 199 -- add new http_inspect alerts abusive content-length and transfer-encodings -- add \b matching to sensitive data @@ -2104,7 +2178,7 @@ -- fix link with dynamic DAQ -- convert legacy allocations to memory manager for better memory profiling -16/05/27 - build 198 +2016/05/27 - build 198 -- add double-decoding to new_http_inspect -- add obfuscation support for cmg and unified2 @@ -2115,12 +2189,12 @@ -- additional unit tests for high availability -- fix multi-DAQ instance configuration -16/05/02 - build 197 +2016/05/02 - build 197 -- fix build of extras -- fix unit tests -16/04/29 - build 196 +2016/04/29 - build 196 -- overhaul cmake foo -- update extras to better serve as examples @@ -2129,7 +2203,7 @@ -- continued dce2 port -- more static analysis memory leak fixes -16/04/22 - build 195 +2016/04/22 - build 195 -- added packet_capture module -- initial high availability for UDP @@ -2143,7 +2217,7 @@ -- perf_monitor refactoring -- unicode map file for new_http_inspect -16/04/08 - build 194 +2016/04/08 - build 194 -- added iterative pruning for out of memory condition -- added preemptive pruning to memory manager @@ -2161,7 +2235,7 @@ -- fixed memory leaks (more to go) -- clean up hyperscan pkg-config and cmake logic -16/03/28 - build 193 +2016/03/28 - build 193 -- fix session parsing abort handling -- fix shutdown memory leaks @@ -2178,7 +2252,7 @@ -- add configure --enable-code-coverage -- memory manager updates -16/03/18 - build 192 +2016/03/18 - build 192 -- use hwloc for CPU affinity -- fix process stats output 
@@ -2192,13 +2266,13 @@ -- miscellaneous warning and lint cleanup -- snort2Lua updates for preproc sensitive_data and sd_pattern option -16/03/07 - build 191 +2016/03/07 - build 191 -- fix perf_monitor stats output at shutdown -- initial port of sensitive data as a rule option -- fix doc/online_manual.sh for linux -16/03/04 - build 190 +2016/03/04 - build 190 -- fix console close and remote control disconnect issues -- added per-thread memcap calculation @@ -2207,7 +2281,7 @@ -- format string cleanup for parser logging -- fix conf reload by signal -16/02/26 - build 189 +2016/02/26 - build 189 -- snort2lua for dce2 port (in progress) -- replace ppm with latency @@ -2219,7 +2293,7 @@ -- fix linux + clang build errors -- trough rewrite -16/02/22 - build 188 +2016/02/22 - build 188 -- added delete/delete[] replacements for nothrow overload thanks to Ramya Potluri for reporting the issue @@ -2232,7 +2306,7 @@ -- packet latency updates -- perfmon updates -16/02/12 - build 187 +2016/02/12 - build 187 -- file capture added - initial version writes from packet thread -- added support for http 0.9 to new_http_inspect @@ -2248,7 +2322,7 @@ -- refactoring updates to tcp session -- refactoring updates to profiler -16/02/02 - build 186 +2016/02/02 - build 186 -- update copyright to 2016, add missing license blocks -- fix xcode builds @@ -2259,7 +2333,7 @@ -- start dce2 port - 1st of many updates -- remove --enable-ppm - always enabled -16/01/25 - build 185 +2016/01/25 - build 185 -- initial host_tracker for new integrated netmap -- new_http_inspect refactoring for time and space considerations 
@@ -2267,18 +2341,18 @@ -- fatal on failed IP rep segment allocation - thanks to Bill Parker -- tweaked style guide wrt class declarations -16/01/08 - build 184 +2016/01/08 - build 184 -- added new_http_inpsect rule options -- fixed build issue with Clang and thread_local -- continued tcp session refactoring -- fixed rule option string unescape issue -15/12/11 - build 183 +2015/12/11 - build 183 -- circumvent asymmetric flow handling issue -15/12/11 - build 182 - Alpha 3 +2015/12/11 - build 182 - Alpha 3 -- added memory profiling feature -- added regex fast pattern support @@ -2288,14 +2362,14 @@ -- removed PPM_TEST -- build and memory leak fixes -15/12/04 - build 181 +2015/12/04 - build 181 -- perf profiling enhancements -- fixed build issues and memory leaks -- continued pattern match refactoring -- fix spurious sip_method matching -15/11/25 - build 180 +2015/11/25 - build 180 -- ported dnp3 preprocessor and rule options from 2.X -- fixed various valgrind issues with stats from sip, imap, pop, and smtp @@ -2306,7 +2380,7 @@ -- squelch repeated ip6 ooo extensions and bad options per packet -- fixed arp inspection bug -15/11/20 - build 179 +2015/11/20 - build 179 -- user manaul updates -- fix perf_monitor.max_file_size default to work on 32-bit systems, thanks @@ -2321,7 +2395,7 @@ -- fix arp inspection -- search engine refactoring -15/11/13 - build 178 +2015/11/13 - build 178 -- document runtime link issue with hyperscan on osx -- fix pathname generation for event trace file @@ -2329,7 +2403,7 @@ -- remove --enable-ppm-test -- sync up auto tools and cmake build options -15/11/05 - build 177 +2015/11/05 - build 177 -- idle processing cleanup -- fixed teredo payload detection 
@@ -2341,14 +2415,14 @@ -- fix ppm config -- miscellanous code cleanup -15/10/30 - build 176 +2015/10/30 - build 176 -- tcp reassembly refactoring -- profiler rewrite -- added gzip support to new_http_inspect -- added regex rule option based on hyperscan -15/10/23 - build 175 +2015/10/23 - build 175 -- ported gtp preprocessor and rule options from 2.X -- ported modbus preprocessor and rule options from 2.X @@ -2356,7 +2430,7 @@ -- added unit test build for cmake (already in autotools builds) -- fixed dynamic builds (187 plugins, 138 dynamic) -15/10/16 - build 174 +2015/10/16 - build 174 -- legacy daemonization cleanup -- decouple -D, -M, -q @@ -2370,7 +2444,7 @@ -- perfmonitor fixes -- ssl stats updates -15/10/09 - build 173 +2015/10/09 - build 173 -- added pkt_num rule option to extras -- fix final -> finalize changes for extras @@ -2387,7 +2461,7 @@ packets may have ip6 next proto -- update default manuals -15/10/01 - build 172 +2015/10/01 - build 172 -- check for bool value before setting fastpath config option in PPM -- update manual related to liblzma @@ -2397,7 +2471,7 @@ -- enable active response without flow -- update bug list -15/09/25 - build 171 +2015/09/25 - build 171 -- fix metadata:service to work like 2x -- fixed issues when building with LINUX_SMP @@ -2408,7 +2482,7 @@ -- add cpputest for unit testing -- don't apply cooked verdicts to raw packets -15/09/17 - build 170 +2015/09/17 - build 170 -- removed unused control socket defines from cmake -- fixed build error with valgrind build option @@ -2422,7 +2496,7 @@ -- fix detection of stream_user and stream_file data -- log innermost proto for type of broken packets -15/09/10 - build 169 +2015/09/10 - build 169 -- fix chunked manual install -- add event direction bug @@ -2431,7 +2505,7 @@ -- code cleanup -- fix dev guide builds from top_srcdir -15/09/04 - build 168 +2015/09/04 - build 168 -- fixed build of chunked manual (thanks to Bill Parker for reporting the issue) -- const cleanup 
@@ -2446,11 +2520,11 @@ -- DNS bug fix for TCP -- added --catch-tags [footag],[bartag] for unit test selection -15/08/31 - build 167 +2015/08/31 - build 167 -- fix xcode warnings -15/08/21 - build 166 +2015/08/21 - build 166 -- fix link error with g++ 4.8.3 -- support multiple script-path args and single files @@ -2461,7 +2535,7 @@ -- fixed rpc_decode sequence number handling and buffer setup -- perf_monitor fixes for file output -15/08/14 - build 165 +2015/08/14 - build 165 -- flow depth support for new_http_inspect -- TCP session refactoring and create libtcp @@ -2473,7 +2547,7 @@ -- run catch unit tests after check unit tests -- fix documentation errors in users manual -15/08/07 - build 164 +2015/08/07 - build 164 -- add range and default to command line args -- fix unit test build on osx @@ -2484,7 +2558,7 @@ thanks to Siti Farhana Binti Lokman for reporting the issue -15/07/30 - build 163 +2015/07/30 - build 163 -- numerous piglet fixes and enhancements -- BitOp rewrite @@ -2493,7 +2567,7 @@ -- fixed endianness in private IP address check -- fix build of dynamic plugins -15/07/22 - build 162 +2015/07/22 - build 162 -- enable build dependency tracking -- cleanup automake and cmake foo @@ -2504,7 +2578,7 @@ -- dev guide - convert snort includes into links -- fixup includes -15/07/15 - build 161 +2015/07/15 - build 161 -- added piglet plugin test harness -- added piglet_scripts with codec and inspector examples @@ -2512,7 +2586,7 @@ -- added dev_notes.txt in each src/ subdir -- scrubbed headers -15/07/06 - build 160 - Alpha 2 +2015/07/06 - build 160 - Alpha 2 -- fixed duplicate patterns in file_magic.lua -- warn about rules with no fast pattern @@ -2527,7 +2601,7 @@ -- fix valgrind issues -- fix xcode analyzer issues -15/07/02 - build 159 +2015/07/02 - build 159 -- added file processing to new_http_inspect -- ported sip preprocessor 
@@ -2537,7 +2611,7 @@ -- tweak style guide -- fix hosts table parsing -15/06/19 - build 158 +2015/06/19 - build 158 -- nhttp splitter updates -- nhttp handle white space after chunk length @@ -2548,7 +2622,7 @@ -- fix ssl assertion -- cleanup cache config -15/06/11 - build 157 +2015/06/11 - build 157 -- port ssl from snort -- fix stream_tcp so call splitter finish only if scan was called @@ -2559,14 +2633,14 @@ -- refactored active module -- updated snort2lua -15/06/04 - build 156 +2015/06/04 - build 156 -- new_http_inspect switch to bitset for event tracking -- fixed stream tcp handling of paf abort -- fixed stream tcp cleanup on reset -- fixed sequence of flush and flow data cleanup for new http inspect -15/05/31 - build 155 +2015/05/31 - build 155 -- update default manuals -- fix autotools build of manual wrt plugins @@ -2575,7 +2649,7 @@ -- add file magic lua -- xcode analyzer cleanup -15/05/28 - build 154 +2015/05/28 - build 154 -- new_http_inspect parsing and event handling updates -- initial port of file capture from Snort @@ -2592,7 +2666,7 @@ -- cleanup logging -- stream_tcp refactoring and cleanup -15/05/22 - build 153 +2015/05/22 - build 153 -- new_http_inspect parsing updates -- use buckets for user seglist @@ -2603,19 +2677,19 @@ -- added stream_user for payload processing -- added stream_file for file processing -15/05/15 - build 152 +2015/05/15 - build 152 -- fixed config error for inspection of rebuilt packets -- ported smtp inspector from Snort -- static analysis fix for new_http_inspect -15/05/08 - build 151 +2015/05/08 - build 151 -- doc tweaks -- new_http_inspect message parsing updates -- misc bug fixes -15/04/30 - build 150 +2015/04/30 - build 150 -- fixed xcode static analysis issues -- updated default manuals 
@@ -2628,11 +2702,11 @@ -- ensure unknown sources are analyzed -- pop and imap inspectors ported -15/04/28 - build 149 +2015/04/28 - build 149 -- fixed build issue with extras -15/04/28 - build 148 +2015/04/28 - build 148 -- fixed default validation issue reported by Sancho Panza -- refactored snort and snort_config modules @@ -2640,17 +2714,17 @@ -- added publish-subscribe handling of data events -- added data_log plugin example for pub-sub -15/04/23 - build 147 +2015/04/23 - build 147 -- change PT_DATA to IT_PASSIVE; supports named instances, reload, and consumers -15/04/16 - build 146 +2015/04/16 - build 146 -- added build of snort_manual.text if w3m is installed -- added default_snort_manual.text w/o w3m -- add Flow pointer to StreamSplitter::finish() -15/04/10 - build 145 +2015/04/10 - build 145 -- nhttp clear() and related changes -- abort PAF in current direction only @@ -2661,13 +2735,13 @@ -- new http changes - events from splitter -- fix dns assertion; remove unused variables -15/03/31 - build 144 +2015/03/31 - build 144 -- reworked autotools generation of api_options.h -- updated default manuals -- ported dns inspector -15/03/26 - build 143 +2015/03/26 - build 143 -- ported ssh inspector -- apply service from hosts when inspector already bound to flow @@ -2677,7 +2751,7 @@ -- eliminate dedicated nhttp chunk buffer -- minor nhttp cleanup in StreamSplitter -15/03/18 - build 142 +2015/03/18 - build 142 -- fixed host lookup issue -- folded classification.lua and reference.lua into snort_defaults.lua 
@@ -2689,28 +2763,28 @@ -- fix ip and icmp flow client/server ip init -- added logging examples to usage -15/03/11 - build 141 +2015/03/11 - build 141 -- added build foo for lzma; refactored configure.ac -- enhancements for checking compatibility of external plugins -- added doc/usage.txt -15/02/27 - build 140 +2015/02/27 - build 140 -- uncrustify, see crusty.cfg -- updated documentation on new HTTP inspector, binder, and wizard -15/02/26 - build 139 +2015/02/26 - build 139 -- additional http_inspect cleanup -- documented gotcha regarding rule variable definitions in Lua -- sync 297 http xff, swf, and pdf updates -15/02/20 - build 138 +2015/02/20 - build 138 -- sync ftp with 297; replace stream event callbacks with FlowData virtuals -15/02/12 - build 137 +2015/02/12 - build 137 -- updated manual from blog posts and emails -- normalization refactoring, renaming @@ -2719,20 +2793,20 @@ Codec methods -- 297 sync of active and codecs -15/02/05 - build 136 +2015/02/05 - build 136 -- fix up encoders -- sync stream with 297 -- fix encoder check for ip6 extensions -- sync normalizations with 297 -15/01/29 - build 135 +2015/01/29 - build 135 -- fixed freebsd build error -- fix default hi profile name -- updated default snort manuals -15/01/26 - build 134 +2015/01/26 - build 134 -- sync Mpse to 297, add SearchTool -- 297 sync for sfghash, sfxhash, tag, u2spewfoo, profiler and target based @@ -2742,7 +2816,7 @@ -- added md5, sha256, and sha512 rule options based on Snort 2.X protected_content -15/01/20 - build 133 +2015/01/20 - build 133 -- fixes for large file support on 32-bit Linux systems (reported by Y M) -- changed u2 base file name to unified2.log @@ -2755,7 +2829,7 @@ -- added pflog codecs -- fixed stream_size rule option -15/01/05 - build 132 +2015/01/05 - build 132 -- added this change log -- initial partial sync with Snort 297 including bug fixes and variable 
@@ -2764,7 +2838,7 @@ -- updated source copyrights for 2015 and reformatted license foo for consistency -14/12/16 - build 131 +2014/12/16 - build 131 -- fix asciidoc formatting and update default manuals -- updates to doc to better explain github builds @@ -2776,7 +2850,7 @@ -- add missing sanity checks reported by bill parker -- tweak READMEs -14/12/11 - build 130 +2014/12/11 - build 130 -- alpha 1 release diff --git a/doc/snort_manual.html b/doc/snort_manual.html index 7712cf40d..2331aed8e 100644 --- a/doc/snort_manual.html +++ b/doc/snort_manual.html @@ -782,7 +782,7 @@ asciidoc.install(2);
 ,,_     -*> Snort++ <*-
-o"  )~   Version 3.0.0 (Build 268)
+o"  )~   Version 3.0.0 (Build 269)
  ''''    By Martin Roesch & The Snort Team
          http://snort.org/contact#team
          Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
@@ -5568,6 +5568,13 @@ scheme: normally "http" or "https" but others are possible such as "ftp"
 is the scheme, "www.samplehost.com" is the host, "287" is the port,
 "/basic/example/of/path" is the path, "with-query" is the query, and
 "and-fragment" is the fragment.

+

http_uri represents the normalized uri, normalization of components depends +on uri type. If the uri is of type absolute (contains all six components) or +absolute path (contains path, query and fragment) then the path and query +components are normalized. In these cases, http_uri represents the normalized +path and query (/path?query). If the uri is of type authority (host and port), +the host is normalized and http_uri represents the normalized host with the port +number. In all other cases http_uri is the same as http_raw_uri.

Note: this section uses informal language to explain some things. Nothing here is intended to conflict with the technical language of the HTTP RFCs and the implementation follows the RFCs.
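Review bot: The first sentence of the added http_uri paragraph is a comma splice and should be split: "http_uri represents the normalized URI; which components are normalized depends on the URI type." The paragraph also leaves the fragment unaddressed: it says the absolute and absolute-path forms contain a fragment, then that http_uri is "/path?query" in those cases, so state explicitly that the fragment is not part of http_uri and that a rule that needs to match on it must use http_raw_uri.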

@@ -5818,12 +5825,10 @@ received. Headers may be combined with later items but the body cannot.

to your snort.lua configuration file.

Everything has a beginning and for http2_inspect this is the beginning of -the beginning. Most of the protocol including HPACK decompression is not -implemented yet.

+the beginning.

Currently http2_inspect will divide an HTTP/2 connection into individual -frames and make them available for detection. Two new rule options are -available for looking at HTTP/2 frames: http2_frame_header provides the -9-octet frame header and http2_frame_data provides the frame content.

+frames. Two new rule options are available for looking at HTTP/2 frames: +http2_frame_header provides the 9-octet frame header.

alert tcp any any -> any any (msg:"Frame type"; flow:established,
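Review bot: "Two new rule options are available for looking at HTTP/2 frames: http2_frame_header provides the 9-octet frame header." now names only one option, because the http2_frame_data clause was dropped. Either change it to "One rule option is available ..." or name the second option (the table-of-contents hunk for snort_manual.text below lists http2_decoded_header next to http2_frame_header). Dropping "and make them available for detection" from the previous sentence also loses the point that the frames are exposed to rules; consider keeping it.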
@@ -5831,23 +5836,6 @@ to_client; http2_frame_header; content:"|06|", offset 3, depth 1;
 sid:1; rev:1; )

This will match if the Type byte of the frame header is 6 (PING).

-
-
-
alert tcp any any -> any any ( msg:"Content of HTTP/2 frame";
-flow:established, to_client; http2_frame_data; content:"peppermint";
-sid:2; rev:1; )
-
-

This will look for peppermint in the frame data but not the frame header.

-

These can be combined:

-
-
-
alert tcp any any -> any any ( msg:"Search in message bodies";
-flow:established, to_client;
-http2_frame_header; content:"|00|", offset 3, depth 1;
-http2_frame_data; content:"MaLwArE"; sid:3; rev:1; )
-
-

Frame type 0 is DATA which carries the HTTP message body. This rule will -search for MaLwArE inside an HTTP message body.

To smooth the transition to inspecting HTTP/2, rules that specify service:http will be treated as if they also specify service:http2. Thus:
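Review bot: Removing the two http2_frame_data example rules leaves three unchanged lines that describe rules no longer on the page: "This will look for peppermint in the frame data but not the frame header.", "These can be combined:" and "Frame type 0 is DATA which carries the HTTP message body. This rule will search for MaLwArE inside an HTTP message body." Delete those lines together with the examples (or rewrite them around http2_frame_header only); as the hunk stands the section reads as if text went missing.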

@@ -5871,9 +5859,8 @@ flows but not HTTP/1 flows.

large numbers of existing rules. New rules should explicitly specify "service http,http2;" if that is the desired behavior. Eventually support for http implies http2 may be deprecated and removed.

-

In the future, http2_inspect will support HPACK header decompression and -be fully integrated with http_inspect to provide full inspection of the -individual HTTP/1.1 streams.

+

In the future, http2_inspect will be fully integrated with http_inspect to +provide full inspection of the individual HTTP/1.1 streams.

Module Trace

@@ -7074,7 +7061,22 @@ int active.min_interval = 255: minimum number of seconds betwee
  • -active.injects: total crafted packets injected (sum) +active.injects: total crafted packets encoded and injected (sum) +

    +
  • +
  • +

    +active.failed_injects: total crafted packet encode + injects that failed (sum) +

    +
  • +
  • +

    +active.direct_injects: total crafted packets directly injected (sum) +

    +
  • +
  • +

    +active.failed_direct_injects: total crafted packet direct injects that failed (sum)
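Review bot: The description "total crafted packet encode + injects that failed" is hard to parse; suggest "total crafted packets whose encode or inject failed", mirroring "total crafted packet direct injects that failed". Keeping separate success and failure counters for the encoded path and the direct (ioctl) path is the right call: a non-zero failed_direct_injects is the signal an operator watches after enabling finalize_packet.use_direct_inject, so the wording should make the two paths unambiguous.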

@@ -7372,7 +7374,7 @@ string daq.modules[].variables[].variable: DAQ mod
  • -int decode.trace: mask for enabling debug traces in module { 0:max53 } +int decode.trace.all = 0: enabling traces in module { 0:max32 }
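Review bot: The new description "enabling traces in module" is a sentence fragment; suggest "enable all traces in module". The same string appears in the snort, appid, dce_smb, dce_udp, gtp_inspect, stream, stream_ip and stream_user trace.all hunks below, so fix it once in the shared help text rather than per module.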

@@ -7489,7 +7491,47 @@ bool detection.enable_address_anomaly_checks = false: enable ch
  • -int detection.trace: mask for enabling debug traces in module { 0:max53 } +int detection.trace.detect_engine = 0: enable detection engine trace logging { 0:max53 } +

    +
  • +
  • +

    +int detection.trace.rule_eval = 0: enable rule evaluation trace logging { 0:max53 } +

    +
  • +
  • +

    +int detection.trace.buf_min = 0: enable min buffer trace logging { 0:max53 } +

    +
  • +
  • +

    +int detection.trace.buf_verbose = 0: enable verbose buffer trace logging { 0:max53 } +

    +
  • +
  • +

    +int detection.trace.rule_vars = 0: enable rule variables trace logging { 0:max53 } +

    +
  • +
  • +

    +int detection.trace.fp_search = 0: enable fast pattern search trace logging { 0:max53 } +

    +
  • +
  • +

    +int detection.trace.pkt_detect = 0: enable packet detection trace logging { 0:max53 } +

    +
  • +
  • +

    +int detection.trace.opt_tree = 0: enable tree option trace logging { 0:max53 } +

    +
  • +
  • +

    +int detection.trace.tag = 0: enable tag trace logging { 0:max53 }
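Review bot: The detection.trace.* options keep the range { 0:max53 } while the new *.trace.all options in the same patch use { 0:max32 } (see decode.trace.all above); if these now take a verbosity level rather than a bitmask, both ranges look like leftovers and should at least agree. Also "enable tree option trace logging" for opt_tree should read "enable option tree trace logging".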

  • @@ -9061,7 +9103,7 @@ implied snort.--enable-inline-test: enable Inline-Test Mode Ope
  • -implied snort.--gen-msg-map: dump builtin rules in gen-msg.map format for use by other tools +implied snort.--gen-msg-map: dump configured rules in gen-msg.map format for use by other tools

  • @@ -9416,7 +9458,7 @@ implied snort.--trace: turn on main loop debug trace
  • -int snort.trace: mask for enabling debug traces in module { 0:max53 } +int snort.trace.all = 0: enabling traces in module { 0:max32 }

  • @@ -10880,7 +10922,7 @@ bool appid.log_all_sessions = false: enable logging of all appi
  • -int appid.trace: mask for enabling debug traces in module { 0:max53 } +int appid.trace.all = 0: enabling traces in module { 0:max32 }

  • @@ -11399,7 +11441,7 @@ bool dce_smb.smb_legacy_mode = false: inspect only SMBv1
  • -int dce_smb.trace: mask for enabling debug traces in module { 0:max53 } +int dce_smb.trace.all = 0: enabling traces in module { 0:max32 }

  • @@ -12119,7 +12161,7 @@ int dce_udp.max_frag_len = 65535: maximum fragment size for def
  • -int dce_udp.trace: mask for enabling debug traces in module { 0:max53 } +int dce_udp.trace.all = 0: enabling traces in module { 0:max32 }

  • @@ -12748,7 +12790,22 @@ enum finalize_packet.modify.verdict: output format for stats {
  • -bool finalize_packet.switch_to_wizard = false: switch to wizard on first finalize event +bool finalize_packet.switch_to_wizard = false: Switch to wizard on first finalize event +

    +
  • +
  • +

    +bool finalize_packet.use_direct_inject = false: Use ioctl to do payload and reset injects +

    +
  • +
  • +

    +bool finalize_packet.defer_whitelist = false: Turn on defer whitelist until we switch to wizard +

    +
  • +
  • +

    +bool finalize_packet.force_whitelist = false: Set ignore direction to both so that flow will be whitelisted
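Review bot: The three new finalize_packet descriptions are capitalized ("Use ioctl ...", "Turn on ...", "Set ignore direction ...") and switch_to_wizard was capitalized to match, which diverges from the lowercase style of every other module's options in this manual; keep lowercase. "Turn on defer whitelist until we switch to wizard" also reads as an internal note; suggest "defer whitelisting the flow until the inspector switches to the wizard". Since force_whitelist makes the flow whitelisted in both directions, i.e. no longer inspected, say that plainly so nobody enables it expecting a detection feature.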

  • @@ -12999,6 +13056,11 @@ bool ftp_server.telnet_cmds = false: detect Telnet escape seque
  • +ftp_server.total_bytes: total number of bytes processed (sum) +

    +
  • +
  • +

    ftp_server.concurrent_sessions: total concurrent FTP sessions (now)

  • @@ -13048,7 +13110,7 @@ int gtp_inspect[].infos[].length = 0: information
  • -int gtp_inspect.trace: mask for enabling debug traces in module { 0:max53 } +int gtp_inspect.trace.all = 0: enabling traces in module { 0:max32 }

  • @@ -13186,6 +13248,16 @@ int gtp_inspect.trace: mask for enabling debug traces in module 121:14 (http2_inspect) HTTP/2 dynamic table size limit exceeded

    +
  • +

    +121:15 (http2_inspect) invalid HTTP/2 start line +

    +
  • +
  • +

    +121:16 (http2_inspect) HTTP/2 padding length is bigger than frame data size +

    +
  • Peg counts:
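Review bot: 121:15 "invalid HTTP/2 start line" needs clarification: HTTP/2 carries no start line on the wire, so if this refers to the request or status line http2_inspect reconstructs from the pseudo-headers, the description should say so. For 121:16, "is bigger than" should be "exceeds"; a padding length equal to or greater than the frame payload length is a PROTOCOL_ERROR under RFC 7540 section 6.1, so state whether the alert also fires on equality.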

      @@ -14736,17 +14808,22 @@ bool perf_monitor.summary = false: output summary at shutdown
    • -perf_monitor.total_frees: total flows pruned or freed by performance monitor (sum) +perf_monitor.flow_tracker_creates: total number of flow trackers created (sum)

    • -perf_monitor.reload_frees: flows freed on reload with changed memcap (sum) +perf_monitor.flow_tracker_total_deletes: flow trackers deleted to stay below memcap limit (sum)

    • -perf_monitor.alloc_prunes: flows pruned on allocation of IP flows (sum) +perf_monitor.flow_tracker_reload_deletes: flow trackers deleted due to memcap change on config reload (sum) +

      +
    • +
    • +

      +perf_monitor.flow_tracker_prunes: flow trackers pruned for reuse by new flows (sum)
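Review bot: Renaming perf_monitor.total_frees, reload_frees and alloc_prunes to flow_tracker_total_deletes, flow_tracker_reload_deletes and flow_tracker_prunes drops the old peg names with no alias, so anything parsing perf_monitor output by name breaks silently (a missing peg is simply absent from the stats). Call out the rename and the old-to-new mapping in the ChangeLog, and state whether flow_tracker_total_deletes includes the reload and prune counts, which "total" suggests but "deleted to stay below memcap limit" does not.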

    @@ -14836,6 +14913,11 @@ int pop.uu_decode_depth = -1: Unix-to-Unix decoding depth (-1 n
  • +pop.total_bytes: total number of bytes processed (sum) +

    +
  • +
  • +

    pop.sessions: total pop sessions (sum)

  • @@ -16370,6 +16452,11 @@ enum smtp.xlink2state = alert: enable/disable xlink2state alert
  • +smtp.total_bytes: total number of bytes processed (sum) +

    +
  • +
  • +

    smtp.sessions: total smtp sessions (sum)

  • @@ -16490,6 +16577,11 @@ int ssh.max_server_version_len = 80: limit before alerting on s
  • +ssh.total_bytes: total number of bytes processed (sum) +

    +
  • +
  • +

    ssh.concurrent_sessions: total concurrent ssh sessions (now)

  • @@ -16654,11 +16746,6 @@ int ssl.max_heartbeat_length = 0: maximum length of heartbeat r
    • -int stream.footprint = 0: use zero for production, non-zero for testing at given size (for TCP and user) { 0:max32 } -

      -
    • -
    • -

      bool stream.ip_frags_only = false: don’t process non-frag flows
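Review bot: stream.footprint is removed outright, so any existing snort.lua that sets it will now fail to load; this needs a "deleted" entry in the configuration change list (the one that contains "deleted -> unified2: 'vlan_event_types'" further down) and a ChangeLog line. If the testing use the description mentions is still needed, note the replacement.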

    • @@ -16734,7 +16821,7 @@ int stream.file_cache.cap_weight = 32: additional bytes to trac
    • -int stream.trace: mask for enabling debug traces in module { 0:max53 } +int stream.trace.all = 0: enabling traces in module { 0:max32 }

    @@ -16800,6 +16887,11 @@ int stream.trace: mask for enabling debug traces in module { 0:
  • +stream.stale_prunes: sessions pruned due to stale connection (sum) +

    +
  • +
  • +

    stream.expected_flows: total expected flows created within snort (sum)

  • @@ -16960,7 +17052,7 @@ int stream_ip.session_timeout = 30: session tracking timeout {
  • -int stream_ip.trace: mask for enabling debug traces in module { 0:max53 } +int stream_ip.trace.all = 0: enabling traces in module { 0:max32 }

  • @@ -17056,6 +17148,11 @@ int stream_ip.trace: mask for enabling debug traces in module {
  • +stream_ip.total_bytes: total number of bytes processed (sum) +

    +
  • +
  • +

    stream_ip.total_frags: total fragments (sum)

  • @@ -17628,6 +17725,11 @@ int stream_udp.session_timeout = 30: session tracking timeout {
  • +stream_udp.total_bytes: total number of bytes processed (sum) +

    +
  • +
  • +

    stream_udp.ignored: udp packets ignored (sum)

  • @@ -17647,7 +17749,7 @@ int stream_user.session_timeout = 30: session tracking timeout
  • -int stream_user.trace: mask for enabling debug traces in module { 0:max53 } +int stream_user.trace.all = 0: enabling traces in module { 0:max32 }

  • @@ -18792,17 +18894,17 @@ implied flow.only_frag: match on defragmented packets only
    • -string flowbits.~command: set|reset|isset|etc. +string flowbits.~op: set|reset|isset|etc.

    • -string flowbits.~arg1: bits or group +string flowbits.~bits: bits or group

    • -string flowbits.~arg2: group if arg1 is bits +string flowbits.~group: group if arg1 is bits
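Review bot: The ~group description still says "group if arg1 is bits" after the parameter was renamed from ~arg1 to ~bits; change it to "group if bits is given" or similar. The same stale text is in the alphabetical flowbits hunk further down.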

    @@ -18898,12 +19000,6 @@ int gtp_version.~: version to match { 0:2 }

    Usage: detect

    -

    http2_frame_data

    -

    What: rule option to set detection cursor to the HTTP/2 frame body

    -

    Type: ips_option

    -

    Usage: detect

    -
    -

    http2_frame_header

    What: rule option to set detection cursor to the 9-octet HTTP/2 frame header

    Type: ips_option
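Review bot: Deleting the http2_frame_data section removes a rule option without a deprecation note, so rules that use it (including the examples removed from the http2_inspect section above) will now fail to parse. Add the removal to the ChangeLog and the deleted-options list, and if http2_decoded_header or http2_frame_header is the intended replacement, say so here.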

    @@ -19688,12 +19784,7 @@ int priority.~: relative severity level; 1 is highest priority
    • -string reference.~scheme: reference scheme -

      -
    • -
    • -

      -string reference.~id: reference id +string reference.~ref: reference: <scheme>,<id>
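Review bot: The new description "reference: <scheme>,<id>" repeats the option name; suggest "<scheme>,<id> pair". Merging ~scheme and ~id into the single ~ref string changes how the option is parsed, so confirm in the rule-option text that the existing "reference:<scheme>,<id>;" syntax is unchanged and that a value without a comma is rejected rather than silently accepted.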

    @@ -20377,7 +20468,7 @@ bool alert_csv.file = false: output to alert_csv.txt instead of
  • -multi alert_csv.fields = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | seconds | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan } +multi alert_csv.fields = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | client_bytes | client_pkts | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | flowstart_time | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | seconds | server_bytes | server_pkts | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }
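Review bot: The new alert_csv fields client_bytes, client_pkts, server_bytes, server_pkts and flowstart_time are added to the allowed set without changing the default field list, so existing consumers are unaffected. Document the format of flowstart_time (whether it matches timestamp or seconds) and whether the byte and packet counts are the flow totals at the moment the alert is logged, since correlation tooling will key on them. The same applies to the alert_json hunk that follows and to the duplicate entries further down.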

  • @@ -20463,7 +20554,7 @@ bool alert_json.file = false: output to alert_json.txt instead
  • -multi alert_json.fields = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | seconds | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan } +multi alert_json.fields = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | client_bytes | client_pkts | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | flowstart_time | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | seconds | server_bytes | server_pkts | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }

  • @@ -24632,7 +24723,7 @@ these libraries see the Getting Started section of the manual.

  • ---gen-msg-map dump builtin rules in gen-msg.map format for use by other tools +--gen-msg-map dump configured rules in gen-msg.map format for use by other tools

  • @@ -25022,7 +25113,7 @@ int active.min_interval = 255: minimum number of seconds betwee
  • -multi alert_csv.fields = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | seconds | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan } +multi alert_csv.fields = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | client_bytes | client_pkts | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | flowstart_time | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | seconds | server_bytes | server_pkts | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }

  • @@ -25072,7 +25163,7 @@ int alert_full.limit = 0: set maximum size in MB before rollove
  • -multi alert_json.fields = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | seconds | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan } +multi alert_json.fields = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | client_bytes | client_pkts | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | flowstart_time | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | seconds | server_bytes | server_pkts | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }

  • @@ -25242,7 +25333,7 @@ bool appid.tp_appid_stats_enable: enable collection of stats an
  • -int appid.trace: mask for enabling debug traces in module { 0:max53 } +int appid.trace.all = 0: enabling traces in module { 0:max32 }

  • @@ -25967,7 +26058,7 @@ int dce_smb.smb_max_compound = 3: SMB max compound size { 0:255
  • -int dce_smb.trace: mask for enabling debug traces in module { 0:max53 } +int dce_smb.trace.all = 0: enabling traces in module { 0:max32 }

  • @@ -26017,12 +26108,12 @@ int dce_udp.max_frag_len = 65535: maximum fragment size for def
  • -int dce_udp.trace: mask for enabling debug traces in module { 0:max53 } +int dce_udp.trace.all = 0: enabling traces in module { 0:max32 }

  • -int decode.trace: mask for enabling debug traces in module { 0:max53 } +int decode.trace.all = 0: enabling traces in module { 0:max32 }

  • @@ -26102,7 +26193,47 @@ bool detection.pcre_to_regex = false: enable the use of regex i
  • -int detection.trace: mask for enabling debug traces in module { 0:max53 } +int detection.trace.buf_min = 0: enable min buffer trace logging { 0:max53 } +

    +
  • +
  • +

    +int detection.trace.buf_verbose = 0: enable verbose buffer trace logging { 0:max53 } +

    +
  • +
  • +

    +int detection.trace.detect_engine = 0: enable detection engine trace logging { 0:max53 } +

    +
  • +
  • +

    +int detection.trace.fp_search = 0: enable fast pattern search trace logging { 0:max53 } +

    +
  • +
  • +

    +int detection.trace.opt_tree = 0: enable tree option trace logging { 0:max53 } +

    +
  • +
  • +

    +int detection.trace.pkt_detect = 0: enable packet detection trace logging { 0:max53 } +

    +
  • +
  • +

    +int detection.trace.rule_eval = 0: enable rule evaluation trace logging { 0:max53 } +

    +
  • +
  • +

    +int detection.trace.rule_vars = 0: enable rule variables trace logging { 0:max53 } +

    +
  • +
  • +

    +int detection.trace.tag = 0: enable tag trace logging { 0:max53 }

  • @@ -26432,11 +26563,21 @@ string file_type.~: list of file type IDs to match
  • +bool finalize_packet.defer_whitelist = false: Turn on defer whitelist until we switch to wizard +

    +
  • +
  • +

    int finalize_packet.end_pdu = 0: Deregister for finalize packet events on this PDU { 0:max32 }

  • +bool finalize_packet.force_whitelist = false: Set ignore direction to both so that flow will be whitelisted +

    +
  • +
  • +

    int finalize_packet.modify.pdu = 0: Modify verdict in finalize packet for this PDU { 0:max32 }

  • @@ -26452,7 +26593,12 @@ int finalize_packet.start_pdu = 0: Register to receive finalize
  • -bool finalize_packet.switch_to_wizard = false: switch to wizard on first finalize event +bool finalize_packet.switch_to_wizard = false: Switch to wizard on first finalize event +

    +
  • +
  • +

    +bool finalize_packet.use_direct_inject = false: Use ioctl to do payload and reset injects

  • @@ -26467,17 +26613,17 @@ string flags.~test_flags: these flags are tested
  • -string flowbits.~arg1: bits or group +string flowbits.~bits: bits or group

  • -string flowbits.~arg2: group if arg1 is bits +string flowbits.~group: group if arg1 is bits

  • -string flowbits.~command: set|reset|isset|etc. +string flowbits.~op: set|reset|isset|etc.

  • @@ -26722,7 +26868,7 @@ int gtp_inspect[].messages[].type = 0: message typ
  • -int gtp_inspect.trace: mask for enabling debug traces in module { 0:max53 } +int gtp_inspect.trace.all = 0: enabling traces in module { 0:max32 }

  • @@ -28412,12 +28558,7 @@ string react.page: file containing HTTP response (headers and b
  • -string reference.~id: reference id -

    -
  • -
  • -

    -string reference.~scheme: reference scheme +string reference.~ref: reference: <scheme>,<id>

  • @@ -29117,7 +29258,7 @@ int snort.-G: <0xid> (same as --logid) { 0:65535 }
  • -implied snort.--gen-msg-map: dump builtin rules in gen-msg.map format for use by other tools +implied snort.--gen-msg-map: dump configured rules in gen-msg.map format for use by other tools

  • @@ -29477,7 +29618,7 @@ string snort.-t: <dir> chroots process to <dir> aft
  • -int snort.trace: mask for enabling debug traces in module { 0:max53 } +int snort.trace.all = 0: enabling traces in module { 0:max32 }

  • @@ -29772,11 +29913,6 @@ bool stream_file.upload = false: indicate file transfer directi
  • -int stream.footprint = 0: use zero for production, non-zero for testing at given size (for TCP and user) { 0:max32 } -

    -
  • -
  • -

    int stream.icmp_cache.cap_weight = 8: additional bytes to track per flow for better estimation against cap { 0:65535 }

  • @@ -29837,7 +29973,7 @@ int stream_ip.session_timeout = 30: session tracking timeout {
  • -int stream_ip.trace: mask for enabling debug traces in module { 0:max53 } +int stream_ip.trace.all = 0: enabling traces in module { 0:max32 }

  • @@ -29967,7 +30103,7 @@ bool stream_tcp.track_only = false: disable reassembly if true
  • -int stream.trace: mask for enabling debug traces in module { 0:max53 } +int stream.trace.all = 0: enabling traces in module { 0:max32 }

  • @@ -30002,7 +30138,7 @@ int stream_user.session_timeout = 30: session tracking timeout
  • -int stream_user.trace: mask for enabling debug traces in module { 0:max53 } +int stream_user.trace.all = 0: enabling traces in module { 0:max32 }

  • @@ -30207,7 +30343,22 @@ interval wscale.~range: check if TCP window scale is in given r
    • -active.injects: total crafted packets injected (sum) +active.direct_injects: total crafted packets directly injected (sum) +

      +
    • +
    • +

      +active.failed_direct_injects: total crafted packet direct injects that failed (sum) +

      +
    • +
    • +

      +active.failed_injects: total crafted packet encode + injects that failed (sum) +

      +
    • +
    • +

      +active.injects: total crafted packets encoded and injected (sum)

    • @@ -31257,6 +31408,11 @@ interval wscale.~range: check if TCP window scale is in given r
    • +ftp_server.total_bytes: total number of bytes processed (sum) +

      +
    • +
    • +

      ftp_server.total_packets: total packets (sum)

    • @@ -32067,22 +32223,27 @@ interval wscale.~range: check if TCP window scale is in given r
    • -perf_monitor.alloc_prunes: flows pruned on allocation of IP flows (sum) +perf_monitor.flow_tracker_creates: total number of flow trackers created (sum)

    • -perf_monitor.packets: total packets processed by performance monitor (sum) +perf_monitor.flow_tracker_prunes: flow trackers pruned for reuse by new flows (sum)

    • -perf_monitor.reload_frees: flows freed on reload with changed memcap (sum) +perf_monitor.flow_tracker_reload_deletes: flow trackers deleted due to memcap change on config reload (sum)

    • -perf_monitor.total_frees: total flows pruned or freed by performance monitor (sum) +perf_monitor.flow_tracker_total_deletes: flow trackers deleted to stay below memcap limit (sum) +

      +
    • +
    • +

      +perf_monitor.packets: total packets processed by performance monitor (sum)

    • @@ -32137,6 +32298,11 @@ interval wscale.~range: check if TCP window scale is in given r
    • +pop.total_bytes: total number of bytes processed (sum) +

      +
    • +
    • +

      pop.uu_attachments: total uu attachments decoded (sum)

    • @@ -32602,6 +32768,11 @@ interval wscale.~range: check if TCP window scale is in given r
    • +smtp.total_bytes: total number of bytes processed (sum) +

      +
    • +
    • +

      smtp.uu_attachments: total uu attachments decoded (sum)

    • @@ -32672,6 +32843,11 @@ interval wscale.~range: check if TCP window scale is in given r
    • +ssh.total_bytes: total number of bytes processed (sum) +

      +
    • +
    • +

      ssl.alert: total ssl alert records (sum)

    • @@ -32937,6 +33113,11 @@ interval wscale.~range: check if TCP window scale is in given r
    • +stream_ip.total_bytes: total number of bytes processed (sum) +

      +
    • +
    • +

      stream_ip.total_frags: total fragments (sum)

    • @@ -33012,6 +33193,11 @@ interval wscale.~range: check if TCP window scale is in given r
    • +stream.stale_prunes: sessions pruned due to stale connection (sum) +

      +
    • +
    • +

      stream_tcp.client_cleanups: number of times data from server was flushed when session released (sum)

    • @@ -33297,6 +33483,11 @@ interval wscale.~range: check if TCP window scale is in given r
    • +stream_udp.total_bytes: total number of bytes processed (sum) +

      +
    • +
    • +

      stream.uni_prunes: uni sessions pruned (sum)

    • @@ -35132,6 +35323,16 @@ interval wscale.~range: check if TCP window scale is in given r
    • +121:15 (http2_inspect) invalid HTTP/2 start line +

      +
    • +
    • +

      +121:16 (http2_inspect) HTTP/2 padding length is bigger than frame data size +

      +
    • +
    • +

      122:1 (port_scan) TCP portscan
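Review bot: the new 121:16 text "HTTP/2 padding length is bigger than frame data size" describes a strictly-greater check, but a padding length equal to the frame payload length is also malformed (there would be no room for the Pad Length octet itself), so please confirm the inspector alerts on the equal case too and, if it does, word the message as "padding length exceeds or equals frame data size" so the documentation matches the check. For 121:15 "invalid HTTP/2 start line" a short note on which condition triggers it (missing pseudo-headers, bad method or status) would help rule writers, since the other 121:x entries name the specific frame or field.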

    • @@ -37313,11 +37514,6 @@ deleted -> unified2: 'vlan_event_types'
    • -http2_frame_data (ips_option): rule option to set detection cursor to the HTTP/2 frame body -

      -
    • -
    • -

      http2_frame_header (ips_option): rule option to set detection cursor to the 9-octet HTTP/2 frame header
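Review bot: removing the http2_frame_data rule option outright means any rule file that still references it will fail to load on upgrade, and the hunk gives no deprecation path (no ignored-with-warning stub, no snort2lua mapping); if dropping it is intended, list it under deleted options in the ChangeLog and make sure the http2_inspect section of snort_manual.text that documented it (the "peppermint" and "MaLwArE" example rules) is removed in the same change so the manual does not advertise an option that no longer parses.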

    • @@ -38793,11 +38989,6 @@ deleted -> unified2: 'vlan_event_types'
    • -ips_option::http2_frame_data: rule option to set detection cursor to the HTTP/2 frame body -

      -
    • -
    • -

      ips_option::http2_frame_header: rule option to set detection cursor to the 9-octet HTTP/2 frame header

    • @@ -39396,7 +39587,7 @@ Adding/removing stream_* inspectors if stream was already configured diff --git a/doc/snort_manual.pdf b/doc/snort_manual.pdf index fb22e0c9c..f8fdabf36 100644 Binary files a/doc/snort_manual.pdf and b/doc/snort_manual.pdf differ diff --git a/doc/snort_manual.text b/doc/snort_manual.text index a815de0da..4ebbd6c1a 100644 --- a/doc/snort_manual.text +++ b/doc/snort_manual.text 
@@ -249,79 +249,78 @@ Table of Contents 11.45. gtp_type 11.46. gtp_version 11.47. http2_decoded_header - 11.48. http2_frame_data - 11.49. http2_frame_header - 11.50. http_client_body - 11.51. http_cookie - 11.52. http_header - 11.53. http_method - 11.54. http_param - 11.55. http_raw_body - 11.56. http_raw_cookie - 11.57. http_raw_header - 11.58. http_raw_request - 11.59. http_raw_status - 11.60. http_raw_trailer - 11.61. http_raw_uri - 11.62. http_stat_code - 11.63. http_stat_msg - 11.64. http_trailer - 11.65. http_true_ip - 11.66. http_uri - 11.67. http_version - 11.68. icmp_id - 11.69. icmp_seq - 11.70. icode - 11.71. id - 11.72. ip_proto - 11.73. ipopts - 11.74. isdataat - 11.75. itype - 11.76. md5 - 11.77. metadata - 11.78. modbus_data - 11.79. modbus_func - 11.80. modbus_unit - 11.81. msg - 11.82. mss - 11.83. pcre - 11.84. pkt_data - 11.85. pkt_num - 11.86. priority - 11.87. raw_data - 11.88. reference - 11.89. regex - 11.90. rem - 11.91. replace - 11.92. rev - 11.93. rpc - 11.94. s7commplus_content - 11.95. s7commplus_func - 11.96. s7commplus_opcode - 11.97. sd_pattern - 11.98. seq - 11.99. service - 11.100. session - 11.101. sha256 - 11.102. sha512 - 11.103. sid - 11.104. sip_body - 11.105. sip_header - 11.106. sip_method - 11.107. sip_stat_code - 11.108. so - 11.109. soid - 11.110. ssl_state - 11.111. ssl_version - 11.112. stream_reassemble - 11.113. stream_size - 11.114. tag - 11.115. target - 11.116. tos - 11.117. ttl - 11.118. urg - 11.119. window - 11.120. wscale + 11.48. http2_frame_header + 11.49. http_client_body + 11.50. http_cookie + 11.51. http_header + 11.52. http_method + 11.53. http_param + 11.54. http_raw_body + 11.55. http_raw_cookie + 11.56. http_raw_header + 11.57. http_raw_request + 11.58. http_raw_status + 11.59. http_raw_trailer + 11.60. http_raw_uri + 11.61. http_stat_code + 11.62. http_stat_msg + 11.63. http_trailer + 11.64. http_true_ip + 11.65. http_uri + 11.66. http_version + 11.67. icmp_id + 11.68. icmp_seq + 11.69. icode + 11.70. 
id + 11.71. ip_proto + 11.72. ipopts + 11.73. isdataat + 11.74. itype + 11.75. md5 + 11.76. metadata + 11.77. modbus_data + 11.78. modbus_func + 11.79. modbus_unit + 11.80. msg + 11.81. mss + 11.82. pcre + 11.83. pkt_data + 11.84. pkt_num + 11.85. priority + 11.86. raw_data + 11.87. reference + 11.88. regex + 11.89. rem + 11.90. replace + 11.91. rev + 11.92. rpc + 11.93. s7commplus_content + 11.94. s7commplus_func + 11.95. s7commplus_opcode + 11.96. sd_pattern + 11.97. seq + 11.98. service + 11.99. session + 11.100. sha256 + 11.101. sha512 + 11.102. sid + 11.103. sip_body + 11.104. sip_header + 11.105. sip_method + 11.106. sip_stat_code + 11.107. so + 11.108. soid + 11.109. ssl_state + 11.110. ssl_version + 11.111. stream_reassemble + 11.112. stream_size + 11.113. tag + 11.114. target + 11.115. tos + 11.116. ttl + 11.117. urg + 11.118. window + 11.119. wscale 12. Search Engine Modules 13. SO Rule Modules @@ -411,7 +410,7 @@ Table of Contents Snorty ,,_ -*> Snort++ <*- -o" )~ Version 3.0.0 (Build 268) +o" )~ Version 3.0.0 (Build 269) '''' By Martin Roesch & The Snort Team http://snort.org/contact#team Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved. 
@@ -4083,6 +4082,15 @@ The URI is everything between the first space and the last space. port, "/basic/example/of/path" is the path, "with-query" is the query, and "and-fragment" is the fragment. +http_uri represents the normalized uri, normalization of components +depends on uri type. If the uri is of type absolute (contains all six +components) or absolute path (contains path, query and fragment) then +the path and query components are normalized. In these cases, +http_uri represents the normalized path and query (/path?query). If +the uri is of type authority (host and port), the host is normalized +and http_uri represents the normalized host with the port number. In +all other cases http_uri is the same as http_raw_uri. + Note: this section uses informal language to explain some things. Nothing here is intended to conflict with the technical language of the HTTP RFCs and the implementation follows the RFCs. @@ -4322,14 +4330,11 @@ http2_inspect = {} to your snort.lua configuration file. Everything has a beginning and for http2_inspect this is the -beginning of the beginning. Most of the protocol including HPACK -decompression is not implemented yet. +beginning of the beginning. Currently http2_inspect will divide an HTTP/2 connection into -individual frames and make them available for detection. Two new rule -options are available for looking at HTTP/2 frames: -http2_frame_header provides the 9-octet frame header and -http2_frame_data provides the frame content. +individual frames. Two new rule options are available for looking at +HTTP/2 frames: http2_frame_header provides the 9-octet frame header. alert tcp any any -> any any (msg:"Frame type"; flow:established, to_client; http2_frame_header; content:"|06|", offset 3, depth 1; 
@@ -4337,23 +4342,6 @@ sid:1; rev:1; ) This will match if the Type byte of the frame header is 6 (PING). -alert tcp any any -> any any ( msg:"Content of HTTP/2 frame"; -flow:established, to_client; http2_frame_data; content:"peppermint"; -sid:2; rev:1; ) - -This will look for peppermint in the frame data but not the frame -header. - -These can be combined: - -alert tcp any any -> any any ( msg:"Search in message bodies"; -flow:established, to_client; -http2_frame_header; content:"|00|", offset 3, depth 1; -http2_frame_data; content:"MaLwArE"; sid:3; rev:1; ) - -Frame type 0 is DATA which carries the HTTP message body. This rule -will search for MaLwArE inside an HTTP message body. - To smooth the transition to inspecting HTTP/2, rules that specify service:http will be treated as if they also specify service:http2. Thus: @@ -4379,9 +4367,9 @@ large numbers of existing rules. New rules should explicitly specify "service http,http2;" if that is the desired behavior. Eventually support for http implies http2 may be deprecated and removed. -In the future, http2_inspect will support HPACK header decompression -and be fully integrated with http_inspect to provide full inspection -of the individual HTTP/1.1 streams. +In the future, http2_inspect will be fully integrated with +http_inspect to provide full inspection of the individual HTTP/1.1 +streams. 5.11. Module Trace @@ -5434,7 +5422,13 @@ Configuration: Peg counts: - * active.injects: total crafted packets injected (sum) + * active.injects: total crafted packets encoded and injected (sum) + * active.failed_injects: total crafted packet encode + injects that + failed (sum) + * active.direct_injects: total crafted packets directly injected + (sum) + * active.failed_direct_injects: total crafted packet direct injects + that failed (sum) 6.2. alerts 
@@ -5581,8 +5575,7 @@ Usage: context Configuration: - * int decode.trace: mask for enabling debug traces in module { - 0:max53 } + * int decode.trace.all = 0: enabling traces in module { 0:max32 } Rules: @@ -5631,8 +5624,23 @@ Configuration: instead of pcre for compatible expressions * bool detection.enable_address_anomaly_checks = false: enable check and alerting of address anomalies - * int detection.trace: mask for enabling debug traces in module { - 0:max53 } + * int detection.trace.detect_engine = 0: enable detection engine + trace logging { 0:max53 } + * int detection.trace.rule_eval = 0: enable rule evaluation trace + logging { 0:max53 } + * int detection.trace.buf_min = 0: enable min buffer trace logging + { 0:max53 } + * int detection.trace.buf_verbose = 0: enable verbose buffer trace + logging { 0:max53 } + * int detection.trace.rule_vars = 0: enable rule variables trace + logging { 0:max53 } + * int detection.trace.fp_search = 0: enable fast pattern search + trace logging { 0:max53 } + * int detection.trace.pkt_detect = 0: enable packet detection trace + logging { 0:max53 } + * int detection.trace.opt_tree = 0: enable tree option trace + logging { 0:max53 } + * int detection.trace.tag = 0: enable tag trace logging { 0:max53 } Peg counts: @@ -6425,7 +6433,7 @@ Configuration: version, and only the version * implied snort.--enable-inline-test: enable Inline-Test Mode Operation - * implied snort.--gen-msg-map: dump builtin rules in gen-msg.map + * implied snort.--gen-msg-map: dump configured rules in gen-msg.map format for use by other tools * implied snort.--help: list command line options * string snort.--help-commands: [] output matching @@ -6550,8 +6558,7 @@ Configuration: * string snort.--x2s: output ASCII string for given byte code (see also --x2c) * implied snort.--trace: turn on main loop debug trace - * int snort.trace: mask for enabling debug traces in module { - 0:max53 } + * int snort.trace.all = 0: enabling traces in module { 0:max32 } Commands: 
@@ -7321,8 +7328,7 @@ Configuration: on startup * bool appid.log_all_sessions = false: enable logging of all appid sessions - * int appid.trace: mask for enabling debug traces in module { - 0:max53 } + * int appid.trace.all = 0: enabling traces in module { 0:max32 } Commands: @@ -7581,8 +7587,7 @@ Configuration: (-1 = disabled, 0 = unlimited) { -1:32767 } * string dce_smb.smb_invalid_shares: SMB shares to alert on * bool dce_smb.smb_legacy_mode = false: inspect only SMBv1 - * int dce_smb.trace: mask for enabling debug traces in module { - 0:max53 } + * int dce_smb.trace.all = 0: enabling traces in module { 0:max32 } Rules: @@ -7844,8 +7849,7 @@ Configuration: defragmentation * int dce_udp.max_frag_len = 65535: maximum fragment size for defragmentation { 1514:65535 } - * int dce_udp.trace: mask for enabling debug traces in module { - 0:max53 } + * int dce_udp.trace.all = 0: enabling traces in module { 0:max32 } Rules: @@ -8131,8 +8135,14 @@ Configuration: packet for this PDU { 0:max32 } * enum finalize_packet.modify.verdict: output format for stats { pass | block | replace | whitelist | blacklist | ignore | retry } - * bool finalize_packet.switch_to_wizard = false: switch to wizard + * bool finalize_packet.switch_to_wizard = false: Switch to wizard on first finalize event + * bool finalize_packet.use_direct_inject = false: Use ioctl to do + payload and reset injects + * bool finalize_packet.defer_whitelist = false: Turn on defer + whitelist until we switch to wizard + * bool finalize_packet.force_whitelist = false: Set ignore + direction to both so that flow will be whitelisted Peg counts: @@ -8251,6 +8261,7 @@ Rules: Peg counts: * ftp_server.total_packets: total packets (sum) + * ftp_server.total_bytes: total number of bytes processed (sum) * ftp_server.concurrent_sessions: total concurrent FTP sessions (now) * ftp_server.max_concurrent_sessions: maximum concurrent FTP 
@@ -8278,8 +8289,8 @@ Configuration: * string gtp_inspect[].infos[].name: information element name * int gtp_inspect[].infos[].length = 0: information element type code { 0:255 } - * int gtp_inspect.trace: mask for enabling debug traces in module { - 0:max53 } + * int gtp_inspect.trace.all = 0: enabling traces in module { + 0:max32 } Rules: @@ -8327,6 +8338,9 @@ Rules: * 121:12 (http2_inspect) unknown parameter in HTTP/2 settings frame * 121:13 (http2_inspect) invalid HTTP/2 frame sequence * 121:14 (http2_inspect) HTTP/2 dynamic table size limit exceeded + * 121:15 (http2_inspect) invalid HTTP/2 start line + * 121:16 (http2_inspect) HTTP/2 padding length is bigger than frame + data size Peg counts: @@ -8868,12 +8882,14 @@ Peg counts: * perf_monitor.packets: total packets processed by performance monitor (sum) - * perf_monitor.total_frees: total flows pruned or freed by - performance monitor (sum) - * perf_monitor.reload_frees: flows freed on reload with changed - memcap (sum) - * perf_monitor.alloc_prunes: flows pruned on allocation of IP flows - (sum) + * perf_monitor.flow_tracker_creates: total number of flow trackers + created (sum) + * perf_monitor.flow_tracker_total_deletes: flow trackers deleted to + stay below memcap limit (sum) + * perf_monitor.flow_tracker_reload_deletes: flow trackers deleted + due to memcap change on config reload (sum) + * perf_monitor.flow_tracker_prunes: flow trackers pruned for reuse + by new flows (sum) 9.31. pop @@ -8915,6 +8931,7 @@ Rules: Peg counts: * pop.packets: total packets processed (sum) + * pop.total_bytes: total number of bytes processed (sum) * pop.sessions: total pop sessions (sum) * pop.concurrent_sessions: total concurrent pop sessions (now) * pop.max_concurrent_sessions: maximum concurrent pop sessions 
@@ -9492,6 +9509,7 @@ Rules: Peg counts: * smtp.packets: total packets processed (sum) + * smtp.total_bytes: total number of bytes processed (sum) * smtp.sessions: total smtp sessions (sum) * smtp.concurrent_sessions: total concurrent smtp sessions (now) * smtp.max_concurrent_sessions: maximum concurrent smtp sessions @@ -9540,6 +9558,7 @@ Rules: Peg counts: * ssh.packets: total packets (sum) + * ssh.total_bytes: total number of bytes processed (sum) * ssh.concurrent_sessions: total concurrent ssh sessions (now) * ssh.max_concurrent_sessions: maximum concurrent ssh sessions (max) @@ -9606,8 +9625,6 @@ Usage: global Configuration: - * int stream.footprint = 0: use zero for production, non-zero for - testing at given size (for TCP and user) { 0:max32 } * bool stream.ip_frags_only = false: don’t process non-frag flows * int stream.max_flows = 476288: maximum simultaneous flows tracked before pruning { 2:max32 } @@ -9637,8 +9654,7 @@ Configuration: before retiring session tracker { 1:max32 } * int stream.file_cache.cap_weight = 32: additional bytes to track per flow for better estimation against cap { 0:65535 } - * int stream.trace: mask for enabling debug traces in module { - 0:max53 } + * int stream.trace.all = 0: enabling traces in module { 0:max32 } Rules: @@ -9657,6 +9673,8 @@ Peg counts: pruning (sum) * stream.memcap_prunes: sessions pruned due to memcap (sum) * stream.ha_prunes: sessions pruned by high availability sync (sum) + * stream.stale_prunes: sessions pruned due to stale connection + (sum) * stream.expected_flows: total expected flows created within snort (sum) * stream.expected_realized: number of expected flows realized (sum) @@ -9745,8 +9763,8 @@ Configuration: | linux | bsd | bsd_right | last | windows | solaris } * int stream_ip.session_timeout = 30: session tracking timeout { 1:max31 } - * int stream_ip.trace: mask for enabling debug traces in module { - 0:max53 } + * int stream_ip.trace.all = 0: enabling traces in module { 0:max32 + } Rules: 
@@ -9772,6 +9790,7 @@ Peg counts: * stream_ip.released: ip session trackers released (sum) * stream_ip.timeouts: ip session timeouts (sum) * stream_ip.prunes: ip session prunes (sum) + * stream_ip.total_bytes: total number of bytes processed (sum) * stream_ip.total_frags: total fragments (sum) * stream_ip.current_frags: current fragments (now) * stream_ip.max_frags: max fragments (sum) @@ -9961,6 +9980,7 @@ Peg counts: * stream_udp.released: udp session trackers released (sum) * stream_udp.timeouts: udp session timeouts (sum) * stream_udp.prunes: udp session prunes (sum) + * stream_udp.total_bytes: total number of bytes processed (sum) * stream_udp.ignored: udp packets ignored (sum) @@ -9978,8 +9998,8 @@ Configuration: * int stream_user.session_timeout = 30: session tracking timeout { 1:max31 } - * int stream_user.trace: mask for enabling debug traces in module { - 0:max53 } + * int stream_user.trace.all = 0: enabling traces in module { + 0:max32 } 9.51. telnet @@ -10850,9 +10870,9 @@ Usage: detect Configuration: - * string flowbits.~command: set|reset|isset|etc. - * string flowbits.~arg1: bits or group - * string flowbits.~arg2: group if arg1 is bits + * string flowbits.~op: set|reset|isset|etc. + * string flowbits.~bits: bits or group + * string flowbits.~group: group if arg1 is bits 11.41. fragbits @@ -10958,18 +10978,7 @@ Type: ips_option Usage: detect -11.48. http2_frame_data - --------------- - -What: rule option to set detection cursor to the HTTP/2 frame body - -Type: ips_option - -Usage: detect - - -11.49. http2_frame_header +11.48. http2_frame_header -------------- @@ -10981,7 +10990,7 @@ Type: ips_option Usage: detect -11.50. http_client_body +11.49. http_client_body -------------- @@ -10992,7 +11001,7 @@ Type: ips_option Usage: detect -11.51. http_cookie +11.50. http_cookie -------------- @@ -11014,7 +11023,7 @@ Configuration: message trailers -11.52. http_header +11.51. http_header -------------- 
@@ -11039,7 +11048,7 @@ Configuration: message trailers -11.53. http_method +11.52. http_method -------------- @@ -11060,7 +11069,7 @@ Configuration: message trailers -11.54. http_param +11.53. http_param -------------- @@ -11077,7 +11086,7 @@ Configuration: * implied http_param.nocase: case insensitive match -11.55. http_raw_body +11.54. http_raw_body -------------- @@ -11089,7 +11098,7 @@ Type: ips_option Usage: detect -11.56. http_raw_cookie +11.55. http_raw_cookie -------------- @@ -11112,7 +11121,7 @@ Configuration: HTTP message trailers -11.57. http_raw_header +11.56. http_raw_header -------------- @@ -11135,7 +11144,7 @@ Configuration: HTTP message trailers -11.58. http_raw_request +11.57. http_raw_request -------------- @@ -11156,7 +11165,7 @@ Configuration: HTTP message trailers -11.59. http_raw_status +11.58. http_raw_status -------------- @@ -11175,7 +11184,7 @@ Configuration: HTTP message trailers -11.60. http_raw_trailer +11.59. http_raw_trailer -------------- @@ -11196,7 +11205,7 @@ Configuration: HTTP response message body (must be combined with request) -11.61. http_raw_uri +11.60. http_raw_uri -------------- @@ -11225,7 +11234,7 @@ Configuration: URI only -11.62. http_stat_code +11.61. http_stat_code -------------- @@ -11243,7 +11252,7 @@ Configuration: HTTP message trailers -11.63. http_stat_msg +11.62. http_stat_msg -------------- @@ -11262,7 +11271,7 @@ Configuration: HTTP message trailers -11.64. http_trailer +11.63. http_trailer -------------- @@ -11284,7 +11293,7 @@ Configuration: message body (must be combined with request) -11.65. http_true_ip +11.64. http_true_ip -------------- @@ -11305,7 +11314,7 @@ Configuration: HTTP message trailers -11.66. http_uri +11.65. http_uri -------------- @@ -11333,7 +11342,7 @@ Configuration: only -11.67. http_version +11.66. http_version -------------- @@ -11355,7 +11364,7 @@ Configuration: HTTP message trailers -11.68. icmp_id +11.67. icmp_id -------------- 
@@ -11371,7 +11380,7 @@ Configuration: 0:65535 } -11.69. icmp_seq +11.68. icmp_seq -------------- @@ -11387,7 +11396,7 @@ Configuration: given range { 0:65535 } -11.70. icode +11.69. icode -------------- @@ -11403,7 +11412,7 @@ Configuration: 0:255 } -11.71. id +11.70. id -------------- @@ -11419,7 +11428,7 @@ Configuration: } -11.72. ip_proto +11.71. ip_proto -------------- @@ -11434,7 +11443,7 @@ Configuration: * string ip_proto.~proto: [!|>|<] name or number -11.73. ipopts +11.72. ipopts -------------- @@ -11450,7 +11459,7 @@ Configuration: lsrre|ssrr|satid|any } -11.74. isdataat +11.73. isdataat -------------- @@ -11467,7 +11476,7 @@ Configuration: buffer -11.75. itype +11.74. itype -------------- @@ -11483,7 +11492,7 @@ Configuration: 0:255 } -11.76. md5 +11.75. md5 -------------- @@ -11503,7 +11512,7 @@ Configuration: of buffer -11.77. metadata +11.76. metadata -------------- @@ -11520,7 +11529,7 @@ Configuration: pairs -11.78. modbus_data +11.77. modbus_data -------------- @@ -11531,7 +11540,7 @@ Type: ips_option Usage: detect -11.79. modbus_func +11.78. modbus_func -------------- @@ -11546,7 +11555,7 @@ Configuration: * string modbus_func.~: function code to match -11.80. modbus_unit +11.79. modbus_unit -------------- @@ -11561,7 +11570,7 @@ Configuration: * int modbus_unit.~: Modbus unit ID { 0:255 } -11.81. msg +11.80. msg -------------- @@ -11576,7 +11585,7 @@ Configuration: * string msg.~: message describing rule -11.82. mss +11.81. mss -------------- @@ -11592,7 +11601,7 @@ Configuration: } -11.83. pcre +11.82. pcre -------------- @@ -11614,7 +11623,7 @@ Peg counts: * pcre.pcre_negated: total pcre rules using negation syntax (sum) -11.84. pkt_data +11.83. pkt_data -------------- @@ -11626,7 +11635,7 @@ Type: ips_option Usage: detect -11.85. pkt_num +11.84. pkt_num -------------- @@ -11642,7 +11651,7 @@ Configuration: { 1: } -11.86. priority +11.85. priority -------------- 
@@ -11658,7 +11667,7 @@ Configuration: 1:max31 } -11.87. raw_data +11.86. raw_data -------------- @@ -11669,7 +11678,7 @@ Type: ips_option Usage: detect -11.88. reference +11.87. reference -------------- @@ -11681,11 +11690,10 @@ Usage: detect Configuration: - * string reference.~scheme: reference scheme - * string reference.~id: reference id + * string reference.~ref: reference: , -11.89. regex +11.88. regex -------------- @@ -11708,7 +11716,7 @@ Configuration: instead of start of buffer -11.90. rem +11.89. rem -------------- @@ -11723,7 +11731,7 @@ Configuration: * string rem.~: comment -11.91. replace +11.90. replace -------------- @@ -11738,7 +11746,7 @@ Configuration: * string replace.~: byte code to replace with -11.92. rev +11.91. rev -------------- @@ -11753,7 +11761,7 @@ Configuration: * int rev.~: revision { 1:max32 } -11.93. rpc +11.92. rpc -------------- @@ -11770,7 +11778,7 @@ Configuration: * string rpc.~proc: procedure number or * for any -11.94. s7commplus_content +11.93. s7commplus_content -------------- @@ -11781,7 +11789,7 @@ Type: ips_option Usage: detect -11.95. s7commplus_func +11.94. s7commplus_func -------------- @@ -11796,7 +11804,7 @@ Configuration: * string s7commplus_func.~: function code to match -11.96. s7commplus_opcode +11.95. s7commplus_opcode -------------- @@ -11811,7 +11819,7 @@ Configuration: * string s7commplus_opcode.~: opcode code to match -11.97. sd_pattern +11.96. sd_pattern -------------- @@ -11835,7 +11843,7 @@ Peg counts: * sd_pattern.terminated: hyperscan terminated (sum) -11.98. seq +11.97. seq -------------- @@ -11851,7 +11859,7 @@ Configuration: range { 0: } -11.99. service +11.98. service -------------- @@ -11866,7 +11874,7 @@ Configuration: * string service.*: one or more comma-separated service names -11.100. session +11.99. session -------------- @@ -11881,7 +11889,7 @@ Configuration: * enum session.~mode: output format { printable|binary|all } -11.101. sha256 +11.100. sha256 -------------- 
@@ -11901,7 +11909,7 @@ Configuration: start of buffer -11.102. sha512 +11.101. sha512 -------------- @@ -11921,7 +11929,7 @@ Configuration: start of buffer -11.103. sid +11.102. sid -------------- @@ -11936,7 +11944,7 @@ Configuration: * int sid.~: signature id { 1:max32 } -11.104. sip_body +11.103. sip_body -------------- @@ -11947,7 +11955,7 @@ Type: ips_option Usage: detect -11.105. sip_header +11.104. sip_header -------------- @@ -11959,7 +11967,7 @@ Type: ips_option Usage: detect -11.106. sip_method +11.105. sip_method -------------- @@ -11974,7 +11982,7 @@ Configuration: * string sip_method.*method: sip method -11.107. sip_stat_code +11.106. sip_stat_code -------------- @@ -11989,7 +11997,7 @@ Configuration: * int sip_stat_code.*code: status code { 1:999 } -11.108. so +11.107. so -------------- @@ -12006,7 +12014,7 @@ Configuration: buffer -11.109. soid +11.108. soid -------------- @@ -12022,7 +12030,7 @@ Configuration: like 3_45678_9 -11.110. ssl_state +11.109. ssl_state -------------- @@ -12051,7 +12059,7 @@ Configuration: unknown -11.111. ssl_version +11.110. ssl_version -------------- @@ -12078,7 +12086,7 @@ Configuration: tls1.2 -11.112. stream_reassemble +11.111. stream_reassemble -------------- @@ -12099,7 +12107,7 @@ Configuration: remainder of the session -11.113. stream_size +11.112. stream_size -------------- @@ -12117,7 +12125,7 @@ Configuration: direction(s) { either|to_server|to_client|both } -11.114. tag +11.113. tag -------------- @@ -12136,7 +12144,7 @@ Configuration: * int tag.bytes: tag for this many bytes { 1:max32 } -11.115. target +11.114. target -------------- @@ -12152,7 +12160,7 @@ Configuration: dst_ip } -11.116. tos +11.115. tos -------------- @@ -12167,7 +12175,7 @@ Configuration: * interval tos.~range: check if IP TOS is in given range { 0:255 } -11.117. ttl +11.116. ttl -------------- @@ -12183,7 +12191,7 @@ Configuration: 0:255 } -11.118. urg +11.117. urg -------------- 
@@ -12199,7 +12207,7 @@ Configuration: { 0:65535 } -11.119. window +11.118. window -------------- @@ -12215,7 +12223,7 @@ Configuration: range { 0:65535 } -11.120. wscale +11.119. wscale -------------- @@ -12279,14 +12287,15 @@ Configuration: stdout * multi alert_csv.fields = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in - given order left to right { action | class | b64_data | dir | - dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | - eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | - iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num - | priority | proto | rev | rule | seconds | service | sid | - src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | - tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | - vlan } + given order left to right { action | class | b64_data | + client_bytes | client_pkts | dir | dst_addr | dst_ap | dst_port | + eth_dst | eth_len | eth_src | eth_type | flowstart_time | gid | + icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | + ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | + proto | rev | rule | seconds | server_bytes | server_pkts | + service | sid | src_addr | src_ap | src_port | target | tcp_ack | + tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | + udp_len | vlan } * int alert_csv.limit = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ } * string alert_csv.separator = , : separate fields with this 
@@ -12362,14 +12371,15 @@ Configuration: stdout * multi alert_json.fields = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in - given order left to right { action | class | b64_data | dir | - dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | - eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | - iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num - | priority | proto | rev | rule | seconds | service | sid | - src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | - tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | - vlan } + given order left to right { action | class | b64_data | + client_bytes | client_pkts | dir | dst_addr | dst_ap | dst_port | + eth_dst | eth_len | eth_src | eth_type | flowstart_time | gid | + icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | + ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | + proto | rev | rule | seconds | server_bytes | server_pkts | + service | sid | src_addr | src_ap | src_port | target | tcp_ack | + tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | + udp_len | vlan } * int alert_json.limit = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ } * string alert_json.separator = , : separate fields with this @@ -14604,8 +14614,8 @@ these libraries see the Getting Started section of the manual. * --dump-version output the version, the whole version, and only the version * --enable-inline-test enable Inline-Test Mode Operation - * --gen-msg-map dump builtin rules in gen-msg.map format for use by - other tools + * --gen-msg-map dump configured rules in gen-msg.map format for use + by other tools * --help list command line options * --help-commands [] output matching commands (optional) 
@@ -14732,14 +14742,15 @@ these libraries see the Getting Started section of the manual. responses { 1:255 } * multi alert_csv.fields = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in - given order left to right { action | class | b64_data | dir | - dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | - eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | - iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num - | priority | proto | rev | rule | seconds | service | sid | - src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | - tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | - vlan } + given order left to right { action | class | b64_data | + client_bytes | client_pkts | dir | dst_addr | dst_ap | dst_port | + eth_dst | eth_len | eth_src | eth_type | flowstart_time | gid | + icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | + ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | + proto | rev | rule | seconds | server_bytes | server_pkts | + service | sid | src_addr | src_ap | src_port | target | tcp_ack | + tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | + udp_len | vlan } * bool alert_csv.file = false: output to alert_csv.txt instead of stdout * int alert_csv.limit = 0: set maximum size in MB before rollover 
@@ -14759,14 +14770,15 @@ these libraries see the Getting Started section of the manual. (0 is unlimited) { 0:maxSZ } * multi alert_json.fields = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in - given order left to right { action | class | b64_data | dir | - dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | - eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | - iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num - | priority | proto | rev | rule | seconds | service | sid | - src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | - tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | - vlan } + given order left to right { action | class | b64_data | + client_bytes | client_pkts | dir | dst_addr | dst_ap | dst_port | + eth_dst | eth_len | eth_src | eth_type | flowstart_time | gid | + icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | + ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | + proto | rev | rule | seconds | server_bytes | server_pkts | + service | sid | src_addr | src_ap | src_port | target | tcp_ack | + tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | + udp_len | vlan } * bool alert_json.file = false: output to alert_json.txt instead of stdout * int alert_json.limit = 0: set maximum size in MB before rollover @@ -14829,8 +14841,7 @@ these libraries see the Getting Started section of the manual. library * bool appid.tp_appid_stats_enable: enable collection of stats and print stats on exit in third party module - * int appid.trace: mask for enabling debug traces in module { - 0:max53 } + * int appid.trace.all = 0: enabling traces in module { 0:max32 } * ip4 arp_spoof.hosts[].ip: host ip address * mac arp_spoof.hosts[].mac: host mac address * int asn1.absolute_offset: absolute offset from the beginning of 
@@ -15057,8 +15068,7 @@ these libraries see the Getting Started section of the manual. * bool dce_smb.smb_legacy_mode = false: inspect only SMBv1 * int dce_smb.smb_max_chain = 3: SMB max chain size { 0:255 } * int dce_smb.smb_max_compound = 3: SMB max compound size { 0:255 } - * int dce_smb.trace: mask for enabling debug traces in module { - 0:max53 } + * int dce_smb.trace.all = 0: enabling traces in module { 0:max32 } * multi dce_smb.valid_smb_versions = all: valid SMB versions { v1 | v2 | all } * bool dce_tcp.disable_defrag = false: disable DCE/RPC @@ -15078,10 +15088,8 @@ these libraries see the Getting Started section of the manual. per signature per flow * int dce_udp.max_frag_len = 65535: maximum fragment size for defragmentation { 1514:65535 } - * int dce_udp.trace: mask for enabling debug traces in module { - 0:max53 } - * int decode.trace: mask for enabling debug traces in module { - 0:max53 } + * int dce_udp.trace.all = 0: enabling traces in module { 0:max32 } + * int decode.trace.all = 0: enabling traces in module { 0:max32 } * int detection.asn1 = 0: maximum decode nodes { 0:65535 } * bool detection.enable_address_anomaly_checks = false: enable check and alerting of address anomalies 
@@ -15110,8 +15118,23 @@ these libraries see the Getting Started section of the manual. overrides when pattern matching (ie ignore /O) * bool detection.pcre_to_regex = false: enable the use of regex instead of pcre for compatible expressions - * int detection.trace: mask for enabling debug traces in module { - 0:max53 } + * int detection.trace.buf_min = 0: enable min buffer trace logging + { 0:max53 } + * int detection.trace.buf_verbose = 0: enable verbose buffer trace + logging { 0:max53 } + * int detection.trace.detect_engine = 0: enable detection engine + trace logging { 0:max53 } + * int detection.trace.fp_search = 0: enable fast pattern search + trace logging { 0:max53 } + * int detection.trace.opt_tree = 0: enable tree option trace + logging { 0:max53 } + * int detection.trace.pkt_detect = 0: enable packet detection trace + logging { 0:max53 } + * int detection.trace.rule_eval = 0: enable rule evaluation trace + logging { 0:max53 } + * int detection.trace.rule_vars = 0: enable rule variables trace + logging { 0:max53 } + * int detection.trace.tag = 0: enable tag trace logging { 0:max53 } * bool dnp3.check_crc = false: validate checksums in DNP3 link layer frames * string dnp3_func.~: match DNP3 function code or name 
@@ -15219,21 +15242,27 @@ these libraries see the Getting Started section of the manual. * bool file_log.log_sys_time = false: log the system time when event generated * string file_type.~: list of file type IDs to match + * bool finalize_packet.defer_whitelist = false: Turn on defer + whitelist until we switch to wizard * int finalize_packet.end_pdu = 0: Deregister for finalize packet events on this PDU { 0:max32 } + * bool finalize_packet.force_whitelist = false: Set ignore + direction to both so that flow will be whitelisted * int finalize_packet.modify.pdu = 0: Modify verdict in finalize packet for this PDU { 0:max32 } * enum finalize_packet.modify.verdict: output format for stats { pass | block | replace | whitelist | blacklist | ignore | retry } * int finalize_packet.start_pdu = 0: Register to receive finalize packet event starting on this PDU { 0:max32 } - * bool finalize_packet.switch_to_wizard = false: switch to wizard + * bool finalize_packet.switch_to_wizard = false: Switch to wizard on first finalize event + * bool finalize_packet.use_direct_inject = false: Use ioctl to do + payload and reset injects * string flags.~mask_flags: these flags are don’t cares * string flags.~test_flags: these flags are tested - * string flowbits.~arg1: bits or group - * string flowbits.~arg2: group if arg1 is bits - * string flowbits.~command: set|reset|isset|etc. + * string flowbits.~bits: bits or group + * string flowbits.~group: group if arg1 is bits + * string flowbits.~op: set|reset|isset|etc. * implied flow.established: match only during data transfer phase * implied flow.from_client: same as to_server * implied flow.from_server: same as to_client 
@@ -15310,8 +15339,8 @@ these libraries see the Getting Started section of the manual. * string gtp_inspect[].messages[].name: message name * int gtp_inspect[].messages[].type = 0: message type code { 0:255 } - * int gtp_inspect.trace: mask for enabling debug traces in module { - 0:max53 } + * int gtp_inspect.trace.all = 0: enabling traces in module { + 0:max32 } * int gtp_inspect[].version = 2: GTP version { 0:2 } * string gtp_type.~: list of types to match * int gtp_version.~: version to match { 0:2 } @@ -15920,8 +15949,7 @@ these libraries see the Getting Started section of the manual. default message * string react.page: file containing HTTP response (headers and body) - * string reference.~id: reference id - * string reference.~scheme: reference scheme + * string reference.~ref: reference: , * string references[].name: name used with reference rule option * string references[].url: where this reference is defined * implied regex.dotall: matching a . will not exclude newlines @@ -16160,7 +16188,7 @@ these libraries see the Getting Started section of the manual. Operation * implied snort.-f: turn off fflush() calls after binary log writes * int snort.-G: <0xid> (same as --logid) { 0:65535 } - * implied snort.--gen-msg-map: dump builtin rules in gen-msg.map + * implied snort.--gen-msg-map: dump configured rules in gen-msg.map format for use by other tools * string snort.-g: run snort gid as group (or gid) after initialization @@ -16283,8 +16311,7 @@ these libraries see the Getting Started section of the manual. talos) * string snort.-t: chroots process to after initialization - * int snort.trace: mask for enabling debug traces in module { - 0:max53 } + * int snort.trace.all = 0: enabling traces in module { 0:max32 } * implied snort.--trace: turn on main loop debug trace * implied snort.--treat-drop-as-alert: converts drop, block, and reset rules into alert rules when loaded 
@@ -16379,8 +16406,6 @@ these libraries see the Getting Started section of the manual. * int stream.file_cache.idle_timeout = 180: maximum inactive time before retiring session tracker { 1:max32 } * bool stream_file.upload = false: indicate file transfer direction - * int stream.footprint = 0: use zero for production, non-zero for - testing at given size (for TCP and user) { 0:max32 } * int stream.icmp_cache.cap_weight = 8: additional bytes to track per flow for better estimation against cap { 0:65535 } * int stream.icmp_cache.idle_timeout = 180: maximum inactive time @@ -16404,8 +16429,8 @@ these libraries see the Getting Started section of the manual. | linux | bsd | bsd_right | last | windows | solaris } * int stream_ip.session_timeout = 30: session tracking timeout { 1:max31 } - * int stream_ip.trace: mask for enabling debug traces in module { - 0:max53 } + * int stream_ip.trace.all = 0: enabling traces in module { 0:max32 + } * int stream.max_flows = 476288: maximum simultaneous flows tracked before pruning { 2:max32 } * int stream.pruning_timeout = 30: minimum inactive time before @@ -16457,8 +16482,7 @@ these libraries see the Getting Started section of the manual. * int stream_tcp.small_segments.maximum_size = 0: minimum bytes for a TCP segment not to be considered small (129:12) { 0:2048 } * bool stream_tcp.track_only = false: disable reassembly if true - * int stream.trace: mask for enabling debug traces in module { - 0:max53 } + * int stream.trace.all = 0: enabling traces in module { 0:max32 } * int stream.udp_cache.cap_weight = 128: additional bytes to track per flow for better estimation against cap { 0:65535 } * int stream.udp_cache.idle_timeout = 180: maximum inactive time 
@@ -16471,8 +16495,8 @@ these libraries see the Getting Started section of the manual. before retiring session tracker { 1:max32 } * int stream_user.session_timeout = 30: session tracking timeout { 1:max31 } - * int stream_user.trace: mask for enabling debug traces in module { - 0:max53 } + * int stream_user.trace.all = 0: enabling traces in module { + 0:max32 } * int suppress[].gid = 0: rule generator ID { 0:max32 } * string suppress[].ip: restrict suppression to these addresses according to track @@ -16539,7 +16563,13 @@ these libraries see the Getting Started section of the manual. -------------- - * active.injects: total crafted packets injected (sum) + * active.direct_injects: total crafted packets directly injected + (sum) + * active.failed_direct_injects: total crafted packet direct injects + that failed (sum) + * active.failed_injects: total crafted packet encode + injects that + failed (sum) + * active.injects: total crafted packets encoded and injected (sum) * appid.appid_unknown: count of sessions where appid could not be determined (sum) * appid.ignored_packets: count of packets ignored (sum) @@ -16837,6 +16867,7 @@ these libraries see the Getting Started section of the manual. (now) * ftp_server.max_concurrent_sessions: maximum concurrent FTP sessions (max) + * ftp_server.total_bytes: total number of bytes processed (sum) * ftp_server.total_packets: total packets (sum) * gtp_inspect.concurrent_sessions: total concurrent gtp sessions (now) 
@@ -17054,14 +17085,16 @@ these libraries see the Getting Started section of the manual. * pcre.pcre_negated: total pcre rules using negation syntax (sum) * pcre.pcre_rules: total rules processed with pcre option (sum) * pcre.pcre_to_hyper: total pcre rules by hyperscan engine (sum) - * perf_monitor.alloc_prunes: flows pruned on allocation of IP flows - (sum) + * perf_monitor.flow_tracker_creates: total number of flow trackers + created (sum) + * perf_monitor.flow_tracker_prunes: flow trackers pruned for reuse + by new flows (sum) + * perf_monitor.flow_tracker_reload_deletes: flow trackers deleted + due to memcap change on config reload (sum) + * perf_monitor.flow_tracker_total_deletes: flow trackers deleted to + stay below memcap limit (sum) * perf_monitor.packets: total packets processed by performance monitor (sum) - * perf_monitor.reload_frees: flows freed on reload with changed - memcap (sum) - * perf_monitor.total_frees: total flows pruned or freed by - performance monitor (sum) * pop.b64_attachments: total base64 attachments decoded (sum) * pop.b64_decoded_bytes: total base64 decoded bytes (sum) * pop.concurrent_sessions: total concurrent pop sessions (now) @@ -17075,6 +17108,7 @@ these libraries see the Getting Started section of the manual. (sum) * pop.qp_decoded_bytes: total quoted-printable decoded bytes (sum) * pop.sessions: total pop sessions (sum) + * pop.total_bytes: total number of bytes processed (sum) * pop.uu_attachments: total uu attachments decoded (sum) * pop.uu_decoded_bytes: total uu decoded bytes (sum) * port_scan.alloc_prunes: number of trackers pruned on allocation 
@@ -17189,6 +17223,7 @@ these libraries see the Getting Started section of the manual. (sum) * smtp.qp_decoded_bytes: total quoted-printable decoded bytes (sum) * smtp.sessions: total smtp sessions (sum) + * smtp.total_bytes: total number of bytes processed (sum) * smtp.uu_attachments: total uu attachments decoded (sum) * smtp.uu_decoded_bytes: total uu decoded bytes (sum) * snort.attribute_table_hosts: total number of hosts in table (sum) @@ -17209,6 +17244,7 @@ these libraries see the Getting Started section of the manual. * ssh.max_concurrent_sessions: maximum concurrent ssh sessions (max) * ssh.packets: total packets (sum) + * ssh.total_bytes: total number of bytes processed (sum) * ssl.alert: total ssl alert records (sum) * ssl.bad_handshakes: total bad handshakes (sum) * ssl.certificate: total ssl certificates (sum) @@ -17265,6 +17301,7 @@ these libraries see the Getting Started section of the manual. * stream_ip.released: ip session trackers released (sum) * stream_ip.sessions: total ip sessions (sum) * stream_ip.timeouts: ip session timeouts (sum) + * stream_ip.total_bytes: total number of bytes processed (sum) * stream_ip.total_frags: total fragments (sum) * stream_ip.trackers_added: datagram trackers created (sum) * stream_ip.trackers_cleared: datagram trackers cleared (sum) @@ -17289,6 +17326,8 @@ these libraries see the Getting Started section of the manual. called while idle (sum) * stream.reload_tuning_packets: number of times stream resource tuner called while processing packets (sum) + * stream.stale_prunes: sessions pruned due to stale connection + (sum) * stream_tcp.client_cleanups: number of times data from server was flushed when session released (sum) * stream_tcp.closing: number of sessions currently closing (now) 
@@ -17365,6 +17404,7 @@ these libraries see the Getting Started section of the manual. * stream_udp.released: udp session trackers released (sum) * stream_udp.sessions: total udp sessions (sum) * stream_udp.timeouts: udp session timeouts (sum) + * stream_udp.total_bytes: total number of bytes processed (sum) * stream.uni_prunes: uni sessions pruned (sum) * tcp.bad_tcp4_checksum: nonzero tcp over ip checksums (sum) * tcp.bad_tcp6_checksum: nonzero tcp over ipv6 checksums (sum) @@ -17792,6 +17832,9 @@ these libraries see the Getting Started section of the manual. * 121:12 (http2_inspect) unknown parameter in HTTP/2 settings frame * 121:13 (http2_inspect) invalid HTTP/2 frame sequence * 121:14 (http2_inspect) HTTP/2 dynamic table size limit exceeded + * 121:15 (http2_inspect) invalid HTTP/2 start line + * 121:16 (http2_inspect) HTTP/2 padding length is bigger than frame + data size * 122:1 (port_scan) TCP portscan * 122:2 (port_scan) TCP decoy portscan * 122:3 (port_scan) TCP portsweep @@ -18629,8 +18672,6 @@ deleted -> unified2: 'vlan_event_types' * hosts (basic): configure hosts * http2_decoded_header (ips_option): rule option to set detection cursor to the decoded HTTP/2 header - * http2_frame_data (ips_option): rule option to set detection - cursor to the HTTP/2 frame body * http2_frame_header (ips_option): rule option to set detection cursor to the 9-octet HTTP/2 frame header * http2_inspect (inspector): HTTP/2 inspector @@ -19038,8 +19079,6 @@ deleted -> unified2: 'vlan_event_types' * ips_option::gtp_version: rule option to check GTP version * ips_option::http2_decoded_header: rule option to set detection cursor to the decoded HTTP/2 header - * ips_option::http2_frame_data: rule option to set detection cursor - to the HTTP/2 frame body * ips_option::http2_frame_header: rule option to set detection cursor to the 9-octet HTTP/2 frame header * ips_option::http_client_body: rule option to set the detection 
diff --git a/src/main/build.h b/src/main/build.h index 6bb172a27..b9e6bf8a1 100644 --- a/src/main/build.h +++ b/src/main/build.h @@ -12,7 +12,7 @@ // // //-----------------------------------------------// -#define BUILD_NUMBER 268 +#define BUILD_NUMBER 269 #ifndef EXTRABUILD #define BUILD STRINGIFY_MX(BUILD_NUMBER)
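Review bot: In the alert_csv.fields and alert_json.fields hunks (@@ -14732 and @@ -14759), the new selectable fields client_bytes, client_pkts, server_bytes, server_pkts and flowstart_time are added to the enumeration without any description of their units or of what is emitted when the alerting packet has no associated flow. Since these values are read from the flow rather than the packet, the manual text should say so and state what appears (for example an empty column) for flowless packets; the same wording can be shared by both outputs, as the two lists are otherwise identical.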
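Review bot: The replacement parameters of the form `<module>.trace.all = 0: enabling traces in module { 0:max32 }` (hunks @@ -14829, @@ -15057, @@ -15078, @@ -15310, @@ -16283, @@ -16404, @@ -16457 and @@ -16471) carry a help string that is not a sentence; "enable all traces in module" matches the imperative style used by the neighbouring entries. The same hunks also shrink the range from { 0:max53 } to { 0:max32 }, while the per-area options in @@ -15110 (detection.trace.buf_min through detection.trace.tag) keep { 0:max53 }; if the verbosity level is one type throughout, the two ranges should agree, and if it is not, the difference deserves a sentence in the manual.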
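Review bot: In hunk @@ -15219 the flowbits parameters are renamed from ~arg1/~arg2/~command to ~bits/~group/~op, but the help text for flowbits.~group still reads "group if arg1 is bits", referring to a name that no longer exists; it should read "group if bits is a group" or similar, describing the new ~bits parameter. In the same hunk, finalize_packet.defer_whitelist's help "Turn on defer whitelist until we switch to wizard" is written in the first person, unlike every other entry; "defer whitelisting until the switch to wizard" would fit the manual's voice.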
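Review bot: In hunk @@ -15920 the merged reference.~ref parameter's help string renders as "reference: ,", which tells the reader nothing about the expected value; the two removed entries documented a scheme and an id separately. If the source help string contained an angle-bracketed placeholder such as a scheme and id separated by a comma, it is being dropped when the manual is rendered (the unchanged context line "snort.-t: chroots process to after initialization" shows the same symptom), so the placeholder should be spelled out in a form that survives rendering.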
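Review bot: Hunk @@ -16539 introduces active.failed_injects with the help "total crafted packet encode + injects that failed (sum)"; the "encode + injects" phrasing is hard to parse next to the other three counters. Something like "total crafted packets that failed to encode or inject (sum)" reads more clearly and makes the distinction from active.failed_direct_injects explicit.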
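Review bot: Hunk @@ -16379 removes the stream.footprint parameter from the manual, and hunk @@ -17054 drops the perf_monitor.alloc_prunes, perf_monitor.reload_frees and perf_monitor.total_frees counters in favour of the new perf_monitor.flow_tracker_* names. Both are user-visible breaking changes (an existing configuration that sets stream.footprint will fail to load, and dashboards keyed on the old counter names will go silent), so the ChangeLog should list the removal and the counter renames explicitly rather than leaving them to be discovered from the reference text.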
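Review bot: Hunks @@ -18629 and @@ -19038 delete the http2_frame_data rule option from the module and ips_option listings, but nothing in the ChangeLog portion of this diff records that the option was removed. Rules that reference http2_frame_data will no longer parse, so the removal should be called out in the ChangeLog together with the intended replacement buffer, if any.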