From: Russ Combs (rucombs)
Date: Tue, 21 Sep 2021 13:38:42 +0000 (+0000)
Subject: Merge pull request #3063 in SNORT/snort3 from ~RUCOMBS/snort3:builtin_updates to...
X-Git-Tag: 3.1.13.0~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2f1a0364865a60076537985ad2c903684da731e3;p=thirdparty%2Fsnort3.git

Merge pull request #3063 in SNORT/snort3 from ~RUCOMBS/snort3:builtin_updates to master

Squashed commit of the following:

commit 508f5f6fbdfa23164de04e2bb8d3a1b1891fff5f
Author: russ
Date: Thu Sep 16 10:45:23 2021 -0400

doc: update reference for 2:1 and 129:13

commit b8faac492d0600066d96313ab7dc3d311f47c376
Author: russ
Date: Thu Sep 16 09:58:56 2021 -0400

doc: add support for details on builtin rules in the reference

commit bb770ef86631a810a1daf4881a6b076915d04486
Author: russ
Date: Thu Sep 16 06:24:36 2021 -0400

output: adopt the orphaned tag alert (2:1)

commit a513ffe9a47e639314c1e57745ad75f415e6abd1
Author: russ
Date: Fri Sep 10 13:48:22 2021 -0400

builtins: add --dump-builtin-options

The unused, hard-coded rev and priority are removed from the dumped stubs.
This new option provides a way to append arbitrary metadata to the stub.
If used, it must precede --dump-builtin-rules.

commit 96524d4fe55040df783a5119a433bae176de6d46
Author: russ
Date: Fri Sep 10 11:03:33 2021 -0400

cip, iec104: update stub rule messages for consistent format
---
diff --git a/doc/reference/CMakeLists.txt b/doc/reference/CMakeLists.txt
index 6150f26d3..ff26f0172 100644
--- a/doc/reference/CMakeLists.txt
+++ b/doc/reference/CMakeLists.txt
@@ -13,7 +13,6 @@ set (
 set (
 LIST_SOURCES
- builtin.txt
 gids.txt
 )
@@ -33,6 +32,7 @@ set (
 UNBUILT_SOURCES
 appendix.txt
 building.txt
+ builtin_stubs.txt
 enviro.txt
 snort_reference.txt
 )
@@ -84,6 +84,14 @@ add_custom_command (
 )
 list ( APPEND BUILT_SOURCES version.txt )
+add_custom_command (
+ OUTPUT builtin.txt
+ COMMAND ${CMAKE_CURRENT_LIST_DIR}/scripts/generate_builtin.sh $ $ENV{SNORT_PLUGIN_PATH} ${CMAKE_CURRENT_LIST_DIR}/builtin_stubs.txt builtin.txt
+ DEPENDS snort
+ COMMENT "Documents: building builtin.txt"
+)
+list ( APPEND BUILT_SOURCES builtin.txt )
+
 foreach ( file_name ${BUILT_SOURCES} )
 list ( APPEND
diff --git a/doc/reference/builtin_stubs.txt b/doc/reference/builtin_stubs.txt
new file mode 100644
index 000000000..8dfa985b5
--- /dev/null
+++ b/doc/reference/builtin_stubs.txt
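Review bot: The new add_custom_command declares only `DEPENDS snort`, so edits to `builtin_stubs.txt` or to `scripts/generate_builtin.sh` — both inputs named on the COMMAND line — will not regenerate builtin.txt and the reference goes stale until a clean build. Listing the inputs, `DEPENDS snort ${CMAKE_CURRENT_LIST_DIR}/scripts/generate_builtin.sh ${CMAKE_CURRENT_LIST_DIR}/builtin_stubs.txt`, repairs the dependency graph. The command also lacks `VERBATIM`, so argument quoting is generator-dependent. `$ENV{SNORT_PLUGIN_PATH}` is expanded once at configure time and, being unquoted, vanishes from the argument list when unset, which shifts the script's positional parameters by one; since the script's argument handling is not visible here, a configure-time check that the variable is non-empty (or quoting it as `"$ENV{SNORT_PLUGIN_PATH}"`) would make the failure explicit. The bare `$ ` before `$ENV{...}` looks like a generator expression whose angle brackets were lost in this rendering, so that argument should be confirmed against the actual file.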
@@ -0,0 +1,2430 @@ +2:1 + +A tagged packet was logged. + +105:1 + +(back_orifice) BO traffic detected + +105:2 + +(back_orifice) BO client traffic detected + +105:3 + +(back_orifice) BO server traffic detected + +105:4 + +(back_orifice) BO Snort buffer attack + +106:1 + +(rpc_decode) fragmented RPC records + +106:2 + +(rpc_decode) multiple RPC records + +106:3 + +(rpc_decode) large RPC record fragment + +106:4 + +(rpc_decode) incomplete RPC segment + +106:5 + +(rpc_decode) zero-length RPC fragment + +112:1 + +(arp_spoof) unicast ARP request + +112:2 + +(arp_spoof) ethernet/ARP mismatch request for source + +112:3 + +(arp_spoof) ethernet/ARP mismatch request for destination + +112:4 + +(arp_spoof) attempted ARP cache overwrite attack + +116:1 + +(ipv4) not IPv4 datagram + +116:2 + +(ipv4) IPv4 header length < minimum + +116:3 + +(ipv4) IPv4 datagram length < header field + +116:4 + +(ipv4) IPv4 options found with bad lengths + +116:5 + +(ipv4) truncated IPv4 options + +116:6 + +(ipv4) IPv4 datagram length > captured length + +116:45 + +(tcp) TCP packet length is smaller than 20 bytes + +116:46 + +(tcp) TCP data offset is less than 5 + +116:47 + +(tcp) TCP header length exceeds packet length + +116:54 + +(tcp) TCP options found with bad lengths + +116:55 + +(tcp) truncated TCP options + +116:56 + +(tcp) T/TCP detected + +116:57 + +(tcp) obsolete TCP options found + +116:58 + +(tcp) experimental TCP options found + +116:59 + +(tcp) TCP window scale option found with length > 14 + +116:95 + +(udp) truncated UDP header + +116:96 + +(udp) invalid UDP header, length field < 8 + +116:97 + +(udp) short UDP packet, length field > payload length + +116:98 + +(udp) long UDP packet, length field < payload length + +116:105 + +(icmp4) ICMP header truncated + +116:106 + +(icmp4) ICMP timestamp header truncated + +116:107 + +(icmp4) ICMP address header truncated + +116:109 + +(arp) truncated ARP + +116:110 + +(eapol) truncated EAP header + +116:111 + +(eapol) EAP key truncated + 
+116:112 + +(eapol) EAP header truncated + +116:120 + +(pppoe) bad PPPOE frame detected + +116:130 + +(vlan) bad VLAN frame + +116:131 + +(llc) bad LLC header + +116:132 + +(llc) bad extra LLC info + +116:133 + +(wlan) bad 802.11 LLC header + +116:134 + +(wlan) bad 802.11 extra LLC info + +116:140 + +(token_ring) bad Token Ring header + +116:141 + +(token_ring) bad Token Ring ETHLLC header + +116:142 + +(token_ring) bad Token Ring MRLEN header + +116:143 + +(token_ring) bad Token Ring MR header + +116:150 + +(decode) loopback IP + +116:151 + +(decode) same src/dst IP + +116:160 + +(gre) GRE header length > payload length + +116:161 + +(gre) multiple encapsulations in packet + +116:162 + +(gre) invalid GRE version + +116:163 + +(gre) invalid GRE header + +116:164 + +(gre) invalid GRE v.1 PPTP header + +116:165 + +(gre) GRE trans header length > payload length + +116:170 + +(mpls) bad MPLS frame + +116:171 + +(mpls) MPLS label 0 appears in bottom header when not decoding as ip4 + +116:172 + +(mpls) MPLS label 1 appears in bottom header + +116:173 + +(mpls) MPLS label 2 appears in bottom header when not decoding as ip6 + +116:174 + +(mpls) MPLS label 3 appears in header + +116:175 + +(mpls) MPLS label 4, 5,.. 
or 15 appears in header + +116:176 + +(mpls) too many MPLS headers + +116:180 + +(geneve) insufficient room for geneve header + +116:181 + +(geneve) invalid version + +116:182 + +(geneve) invalid header + +116:183 + +(geneve) invalid flags + +116:184 + +(geneve) invalid options + +116:250 + +(icmp4) ICMP original IP header truncated + +116:251 + +(icmp4) ICMP version and original IP header versions differ + +116:252 + +(icmp4) ICMP original datagram length < original IP header length + +116:253 + +(icmp4) ICMP original IP payload < 64 bits + +116:254 + +(icmp4) ICMP original IP payload > 576 bytes + +116:255 + +(icmp4) ICMP original IP fragmented and offset not 0 + +116:270 + +(ipv6) IPv6 packet below TTL limit + +116:271 + +(ipv6) IPv6 header claims to not be IPv6 + +116:272 + +(ipv6) IPv6 truncated extension header + +116:273 + +(ipv6) IPv6 truncated header + +116:274 + +(ipv6) IPv6 datagram length < header field + +116:275 + +(ipv6) IPv6 datagram length > captured length + +116:276 + +(ipv6) IPv6 packet with destination address ::0 + +116:277 + +(ipv6) IPv6 packet with multicast source address + +116:278 + +(ipv6) IPv6 packet with reserved multicast destination address + +116:279 + +(ipv6) IPv6 header includes an undefined option type + +116:280 + +(ipv6) IPv6 address includes an unassigned multicast scope value + +116:281 + +(ipv6) IPv6 header includes an invalid value for the 'next header' field + +116:282 + +(ipv6) IPv6 header includes a routing extension header followed by a hop-by-hop header + +116:283 + +(ipv6) IPv6 header includes two routing extension headers + +116:285 + +(icmp6) ICMPv6 packet of type 2 (message too big) with MTU field < 1280 + +116:286 + +(icmp6) ICMPv6 packet of type 1 (destination unreachable) with non-RFC 2463 code + +116:287 + +(icmp6) ICMPv6 router solicitation packet with a code not equal to 0 + +116:288 + +(icmp6) ICMPv6 router advertisement packet with a code not equal to 0 + +116:289 + +(icmp6) ICMPv6 router solicitation 
packet with the reserved field not equal to 0 + +116:290 + +(icmp6) ICMPv6 router advertisement packet with the reachable time field set > 1 hour + +116:291 + +(ipv6) IPV6 tunneled over IPv4, IPv6 header truncated, possible Linux kernel attack + +116:292 + +(ipv6) IPv6 header has destination options followed by a routing header + +116:293 + +(decode) two or more IP (v4 and/or v6) encapsulation layers present + +116:294 + +(esp) truncated encapsulated security payload header + +116:295 + +(ipv6) IPv6 header includes an option which is too big for the containing header + +116:296 + +(ipv6) IPv6 packet includes out-of-order extension headers + +116:297 + +(gtp) two or more GTP encapsulation layers present + +116:298 + +(gtp) GTP header length is invalid + +116:400 + +(tcp) XMAS attack detected + +116:401 + +(tcp) Nmap XMAS attack detected + +116:402 + +(tcp) DOS NAPTHA vulnerability detected + +116:403 + +(tcp) SYN to multicast address + +116:404 + +(ipv4) IPv4 packet with zero TTL + +116:405 + +(ipv4) IPv4 packet with bad frag bits (both MF and DF set) + +116:406 + +(udp) invalid IPv6 UDP packet, checksum zero + +116:407 + +(ipv4) IPv4 packet frag offset + length exceed maximum + +116:408 + +(ipv4) IPv4 packet from 'current net' source address + +116:409 + +(ipv4) IPv4 packet to 'current net' dest address + +116:410 + +(ipv4) IPv4 packet from multicast source address + +116:411 + +(ipv4) IPv4 packet from reserved source address + +116:412 + +(ipv4) IPv4 packet to reserved dest address + +116:413 + +(ipv4) IPv4 packet from broadcast source address + +116:414 + +(ipv4) IPv4 packet to broadcast dest address + +116:415 + +(icmp4) ICMP4 packet to multicast dest address + +116:416 + +(icmp4) ICMP4 packet to broadcast dest address + +116:418 + +(icmp4) ICMP4 type other + +116:419 + +(tcp) TCP urgent pointer exceeds payload length or no payload + +116:420 + +(tcp) TCP SYN with FIN + +116:421 + +(tcp) TCP SYN with RST + +116:422 + +(tcp) TCP PDU missing ack for established 
session + +116:423 + +(tcp) TCP has no SYN, ACK, or RST + +116:424 + +(eth) truncated ethernet header + +116:424 + +(pbb) truncated ethernet header + +116:425 + +(ipv4) truncated IPv4 header + +116:426 + +(icmp4) truncated ICMP4 header + +116:427 + +(icmp6) truncated ICMPv6 header + +116:428 + +(ipv4) IPv4 packet below TTL limit + +116:429 + +(ipv6) IPv6 packet has zero hop limit + +116:430 + +(ipv4) IPv4 packet both DF and offset set + +116:431 + +(icmp6) ICMPv6 type not decoded + +116:432 + +(icmp6) ICMPv6 packet to multicast address + +116:433 + +(tcp) DDOS shaft SYN flood + +116:434 + +(icmp4) ICMP ping Nmap + +116:435 + +(icmp4) ICMP icmpenum v1.1.1 + +116:436 + +(icmp4) ICMP redirect host + +116:437 + +(icmp4) ICMP redirect net + +116:438 + +(icmp4) ICMP traceroute ipopts + +116:439 + +(icmp4) ICMP source quench + +116:440 + +(icmp4) broadscan smurf scanner + +116:441 + +(icmp4) ICMP destination unreachable communication administratively prohibited + +116:442 + +(icmp4) ICMP destination unreachable communication with destination host is administratively prohibited + +116:443 + +(icmp4) ICMP destination unreachable communication with destination network is administratively prohibited + +116:444 + +(ipv4) IPv4 option set + +116:445 + +(udp) large UDP packet (> 4000 bytes) + +116:446 + +(tcp) TCP port 0 traffic + +116:447 + +(udp) UDP port 0 traffic + +116:448 + +(ipv4) IPv4 reserved bit set + +116:449 + +(decode) unassigned/reserved IP protocol + +116:450 + +(decode) bad IP protocol + +116:451 + +(icmp4) ICMP path MTU denial of service attempt + +116:452 + +(icmp4) Linux ICMP header DOS attempt + +116:453 + +(ipv6) ISATAP-addressed IPv6 traffic spoofing attempt + +116:454 + +(pgm) PGM nak list overflow attempt + +116:455 + +(igmp) DOS IGMP IP options validation attempt + +116:456 + +(ipv6) too many IPv6 extension headers + +116:457 + +(icmp6) ICMPv6 packet of type 1 (destination unreachable) with non-RFC 4443 code + +116:458 + +(ipv6) bogus fragmentation 
packet, possible BSD attack + +116:459 + +(decode) fragment with zero length + +116:460 + +(icmp6) ICMPv6 node info query/response packet with a code greater than 2 + +116:461 + +(ipv6) IPv6 routing type 0 extension header + +116:462 + +(erspan2) ERSpan header version mismatch + +116:463 + +(erspan2) captured length < ERSpan type2 header length + +116:464 + +(erspan3) captured < ERSpan type3 header length + +116:465 + +(auth) truncated authentication header + +116:466 + +(auth) bad authentication header length + +116:467 + +(fabricpath) truncated FabricPath header + +116:468 + +(ciscometadata) truncated Cisco Metadata header + +116:469 + +(ciscometadata) invalid Cisco Metadata option length + +116:470 + +(ciscometadata) invalid Cisco Metadata option type + +116:471 + +(ciscometadata) invalid Cisco Metadata security group tag + +116:472 + +(decode) too many protocols present + +116:473 + +(decode) ether type out of range + +116:474 + +(icmp6) ICMPv6 not encapsulated in IPv6 + +116:475 + +(ipv6) IPv6 mobility header includes an invalid value for the 'payload protocol' field + +119:1 + +(http_inspect) ascii encoding + +119:2 + +(http_inspect) double decoding attack + +119:3 + +(http_inspect) u encoding + +119:4 + +(http_inspect) bare byte unicode encoding + +119:6 + +(http_inspect) UTF-8 encoding + +119:7 + +(http_inspect) unicode map code point encoding in URI + +119:8 + +(http_inspect) multi_slash encoding + +119:9 + +(http_inspect) backslash used in URI path + +119:10 + +(http_inspect) self directory traversal + +119:11 + +(http_inspect) directory traversal + +119:12 + +(http_inspect) apache whitespace (tab) + +119:13 + +(http_inspect) HTTP header line terminated by LF without a CR + +119:14 + +(http_inspect) non-RFC defined char + +119:15 + +(http_inspect) oversize request-uri directory + +119:16 + +(http_inspect) oversize chunk encoding + +119:18 + +(http_inspect) webroot directory traversal + +119:19 + +(http_inspect) long header + +119:20 + +(http_inspect) max 
header fields + +119:21 + +(http_inspect) multiple content length + +119:24 + +(http_inspect) Host header field appears more than once or has multiple values + +119:25 + +(http_inspect) Host header value is too long + +119:28 + +(http_inspect) POST or PUT w/o content-length or chunks + +119:31 + +(http_inspect) unknown method + +119:32 + +(http_inspect) simple request + +119:33 + +(http_inspect) unescaped space in HTTP URI + +119:34 + +(http_inspect) too many pipelined requests + +119:102 + +(http_inspect) invalid status code in HTTP response + +119:104 + +(http_inspect) HTTP response has UTF charset that failed to normalize + +119:105 + +(http_inspect) HTTP response has UTF-7 charset + +119:109 + +(http_inspect) javascript obfuscation levels exceeds 1 + +119:110 + +(http_inspect) javascript whitespaces exceeds max allowed + +119:111 + +(http_inspect) multiple encodings within javascript obfuscated data + +119:112 + +(http_inspect) SWF file zlib decompression failure + +119:113 + +(http_inspect) SWF file LZMA decompression failure + +119:114 + +(http_inspect) PDF file deflate decompression failure + +119:115 + +(http_inspect) PDF file unsupported compression type + +119:116 + +(http_inspect) PDF file cascaded compression + +119:117 + +(http_inspect) PDF file parse failure + +119:201 + +(http_inspect) not HTTP traffic + +119:202 + +(http_inspect) chunk length has excessive leading zeros + +119:203 + +(http_inspect) white space before or between messages + +119:204 + +(http_inspect) request message without URI + +119:205 + +(http_inspect) control character in reason phrase + +119:206 + +(http_inspect) illegal extra whitespace in start line + +119:207 + +(http_inspect) corrupted HTTP version + +119:208 + +(http_inspect) unknown HTTP version + +119:209 + +(http_inspect) format error in HTTP header + +119:210 + +(http_inspect) chunk header options present + +119:211 + +(http_inspect) URI badly formatted + +119:212 + +(http_inspect) unrecognized type of percent encoding 
in URI + +119:213 + +(http_inspect) HTTP chunk misformatted + +119:214 + +(http_inspect) white space adjacent to chunk length + +119:215 + +(http_inspect) white space within header name + +119:216 + +(http_inspect) excessive gzip compression + +119:217 + +(http_inspect) gzip decompression failed + +119:218 + +(http_inspect) HTTP 0.9 requested followed by another request + +119:219 + +(http_inspect) HTTP 0.9 request following a normal request + +119:220 + +(http_inspect) message has both Content-Length and Transfer-Encoding + +119:221 + +(http_inspect) status code implying no body combined with Transfer-Encoding or nonzero Content-Length + +119:222 + +(http_inspect) Transfer-Encoding not ending with chunked + +119:223 + +(http_inspect) Transfer-Encoding with encodings before chunked + +119:224 + +(http_inspect) misformatted HTTP traffic + +119:225 + +(http_inspect) unsupported Content-Encoding used + +119:226 + +(http_inspect) unknown Content-Encoding used + +119:227 + +(http_inspect) multiple Content-Encodings applied + +119:228 + +(http_inspect) server response before client request + +119:229 + +(http_inspect) PDF/SWF/ZIP decompression of server response too big + +119:230 + +(http_inspect) nonprinting character in HTTP message header name + +119:231 + +(http_inspect) bad Content-Length value in HTTP header + +119:232 + +(http_inspect) HTTP header line wrapped + +119:233 + +(http_inspect) HTTP header line terminated by CR without a LF + +119:234 + +(http_inspect) chunk terminated by nonstandard separator + +119:235 + +(http_inspect) chunk length terminated by LF without CR + +119:236 + +(http_inspect) more than one response with 100 status code + +119:237 + +(http_inspect) 100 status code not in response to Expect header + +119:238 + +(http_inspect) 1XX status code other than 100 or 101 + +119:239 + +(http_inspect) Expect header sent without a message body + +119:240 + +(http_inspect) HTTP 1.0 message with Transfer-Encoding header + +119:241 + +(http_inspect) 
Content-Transfer-Encoding used as HTTP header + +119:242 + +(http_inspect) illegal field in chunked message trailers + +119:243 + +(http_inspect) header field inappropriately appears twice or has two values + +119:244 + +(http_inspect) invalid value chunked in Content-Encoding header + +119:245 + +(http_inspect) 206 response sent to a request without a Range header + +119:246 + +(http_inspect) 'HTTP' in version field not all upper case + +119:247 + +(http_inspect) white space embedded in critical header value + +119:248 + +(http_inspect) gzip compressed data followed by unexpected non-gzip data + +119:249 + +(http_inspect) excessive HTTP parameter key repeats + +119:250 + +(http_inspect) HTTP/2 Transfer-Encoding header other than identity + +119:251 + +(http_inspect) HTTP/2 message body overruns Content-Length header value + +119:252 + +(http_inspect) HTTP/2 message body smaller than Content-Length header value + +119:253 + +(http_inspect) HTTP CONNECT request with a message body + +119:254 + +(http_inspect) HTTP client-to-server traffic after CONNECT request but before CONNECT response + +119:255 + +(http_inspect) HTTP CONNECT 2XX response with Content-Length header + +119:256 + +(http_inspect) HTTP CONNECT 2XX response with Transfer-Encoding header + +119:257 + +(http_inspect) HTTP CONNECT response with 1XX status code + +119:258 + +(http_inspect) HTTP CONNECT response before request message completed + +119:259 + +(http_inspect) malformed HTTP Content-Disposition filename parameter + +119:260 + +(http_inspect) HTTP Content-Length message body was truncated + +119:261 + +(http_inspect) HTTP chunked message body was truncated + +119:262 + +(http_inspect) HTTP URI scheme longer than 10 characters + +119:263 + +(http_inspect) HTTP/1 client requested HTTP/2 upgrade + +119:264 + +(http_inspect) HTTP/1 server granted HTTP/2 upgrade + +119:265 + +(http_inspect) bad token in JavaScript + +119:266 + +(http_inspect) unexpected script opening tag in JavaScript + +119:267 + 
+(http_inspect) unexpected script closing tag in JavaScript + +119:268 + +(http_inspect) JavaScript code under the external script tags + +119:269 + +(http_inspect) script opening tag in a short form + +119:270 + +(http_inspect) max number of unique JavaScript identifiers reached + +119:271 + +(http_inspect) JavaScript template literal nesting is over capacity + +119:272 + +(http_inspect) Consecutive commas in HTTP Accept-Encoding header + +121:1 + +(http2_inspect) invalid flag set on HTTP/2 frame + +121:2 + +(http2_inspect) HPACK integer value has leading zeros + +121:3 + +(http2_inspect) HTTP/2 stream initiated with invalid stream id + +121:4 + +(http2_inspect) missing HTTP/2 continuation frame + +121:5 + +(http2_inspect) unexpected HTTP/2 continuation frame + +121:6 + +(http2_inspect) misformatted HTTP/2 traffic + +121:7 + +(http2_inspect) HTTP/2 connection preface does not match + +121:8 + +(http2_inspect) HTTP/2 request missing required header field + +121:9 + +(http2_inspect) HTTP/2 response has no status code + +121:10 + +(http2_inspect) HTTP/2 CONNECT request with scheme or path + +121:11 + +(http2_inspect) error in HTTP/2 settings frame + +121:12 + +(http2_inspect) unknown parameter in HTTP/2 settings frame + +121:13 + +(http2_inspect) invalid HTTP/2 frame sequence + +121:14 + +(http2_inspect) HTTP/2 dynamic table size limit exceeded + +121:15 + +(http2_inspect) HTTP/2 push promise frame with invalid promised stream id + +121:16 + +(http2_inspect) HTTP/2 padding length is bigger than frame data size + +121:17 + +(http2_inspect) HTTP/2 pseudo-header after regular header + +121:18 + +(http2_inspect) HTTP/2 pseudo-header in trailers + +121:19 + +(http2_inspect) invalid HTTP/2 pseudo-header + +121:20 + +(http2_inspect) HTTP/2 trailers without END_STREAM bit + +121:21 + +(http2_inspect) HTTP/2 push promise frame sent when prohibited by receiver + +121:22 + +(http2_inspect) padding flag set on HTTP/2 frame with zero length + +121:23 + +(http2_inspect) HTTP/2 
push promise frame in c2s direction + +121:24 + +(http2_inspect) invalid HTTP/2 push promise frame + +121:25 + +(http2_inspect) HTTP/2 push promise frame sent at invalid time + +121:26 + +(http2_inspect) invalid parameter value sent in HTTP/2 settings frame + +121:27 + +(http2_inspect) excessive concurrent HTTP/2 streams + +121:28 + +(http2_inspect) invalid HTTP/2 rst stream frame + +121:29 + +(http2_inspect) HTTP/2 rst stream frame sent at invalid time + +121:30 + +(http2_inspect) uppercase HTTP/2 header field name + +121:31 + +(http2_inspect) invalid HTTP/2 window update frame + +121:32 + +(http2_inspect) HTTP/2 window update frame with zero increment + +121:33 + +(http2_inspect) HTTP/2 request without a method + +121:34 + +(http2_inspect) HTTP/2 HPACK table size update not at the start of a header block + +121:35 + +(http2_inspect) More than two HTTP/2 HPACK table size updates in a single header block + +121:36 + +(http2_inspect) HTTP/2 HPACK table size update exceeds max value set by decoder in SETTINGS frame + +122:1 + +(port_scan) TCP portscan + +122:2 + +(port_scan) TCP decoy portscan + +122:3 + +(port_scan) TCP portsweep + +122:4 + +(port_scan) TCP distributed portscan + +122:5 + +(port_scan) TCP filtered portscan + +122:6 + +(port_scan) TCP filtered decoy portscan + +122:7 + +(port_scan) TCP filtered portsweep + +122:8 + +(port_scan) TCP filtered distributed portscan + +122:9 + +(port_scan) IP protocol scan + +122:10 + +(port_scan) IP decoy protocol scan + +122:11 + +(port_scan) IP protocol sweep + +122:12 + +(port_scan) IP distributed protocol scan + +122:13 + +(port_scan) IP filtered protocol scan + +122:14 + +(port_scan) IP filtered decoy protocol scan + +122:15 + +(port_scan) IP filtered protocol sweep + +122:16 + +(port_scan) IP filtered distributed protocol scan + +122:17 + +(port_scan) UDP portscan + +122:18 + +(port_scan) UDP decoy portscan + +122:19 + +(port_scan) UDP portsweep + +122:20 + +(port_scan) UDP distributed portscan + +122:21 + 
+(port_scan) UDP filtered portscan + +122:22 + +(port_scan) UDP filtered decoy portscan + +122:23 + +(port_scan) UDP filtered portsweep + +122:24 + +(port_scan) UDP filtered distributed portscan + +122:25 + +(port_scan) ICMP sweep + +122:26 + +(port_scan) ICMP filtered sweep + +122:27 + +(port_scan) open port + +123:1 + +(stream_ip) inconsistent IP options on fragmented packets + +123:2 + +(stream_ip) teardrop attack + +123:3 + +(stream_ip) short fragment, possible DOS attempt + +123:4 + +(stream_ip) fragment packet ends after defragmented packet + +123:5 + +(stream_ip) zero-byte fragment packet + +123:6 + +(stream_ip) bad fragment size, packet size is negative + +123:7 + +(stream_ip) bad fragment size, packet size is greater than 65536 + +123:8 + +(stream_ip) fragmentation overlap + +123:11 + +(stream_ip) TTL value less than configured minimum, not using for reassembly + +123:12 + +(stream_ip) excessive fragment overlap + +123:13 + +(stream_ip) tiny fragment + +124:1 + +(smtp) attempted command buffer overflow + +124:2 + +(smtp) attempted data header buffer overflow + +124:3 + +(smtp) attempted response buffer overflow + +124:4 + +(smtp) attempted specific command buffer overflow + +124:5 + +(smtp) unknown command + +124:6 + +(smtp) illegal command + +124:7 + +(smtp) attempted header name buffer overflow + +124:8 + +(smtp) attempted X-Link2State command buffer overflow + +124:10 + +(smtp) base64 decoding failed + +124:11 + +(smtp) quoted-printable decoding failed + +124:13 + +(smtp) Unix-to-Unix decoding failed + +124:14 + +(smtp) Cyrus SASL authentication attack + +124:15 + +(smtp) attempted authentication command buffer overflow + +124:16 + +(smtp) file decompression failed + +125:1 + +(ftp_server) TELNET cmd on FTP command channel + +125:2 + +(ftp_server) invalid FTP command + +125:3 + +(ftp_server) FTP command parameters were too long + +125:4 + +(ftp_server) FTP command parameters were malformed + +125:5 + +(ftp_server) FTP command parameters contained 
potential string format + +125:6 + +(ftp_server) FTP response message was too long + +125:7 + +(ftp_server) FTP traffic encrypted + +125:8 + +(ftp_server) FTP bounce attempt + +125:9 + +(ftp_server) evasive (incomplete) TELNET cmd on FTP command channel + +126:1 + +(telnet) consecutive Telnet AYT commands beyond threshold + +126:2 + +(telnet) Telnet traffic encrypted + +126:3 + +(telnet) Telnet subnegotiation begin command without subnegotiation end + +128:1 + +(ssh) challenge-response overflow exploit + +128:2 + +(ssh) SSH1 CRC32 exploit + +128:3 + +(ssh) server version string overflow + +128:5 + +(ssh) bad message direction + +128:6 + +(ssh) payload size incorrect for the given payload + +128:7 + +(ssh) failed to detect SSH version string + +129:1 + +(stream_tcp) SYN on established session + +129:2 + +(stream_tcp) data on SYN packet + +129:3 + +(stream_tcp) data sent on stream not accepting data + +129:4 + +(stream_tcp) TCP timestamp is outside of PAWS window + +129:5 + +(stream_tcp) bad segment, adjusted size <= 0 (deprecated) + +129:6 + +(stream_tcp) window size (after scaling) larger than policy allows + +129:7 + +(stream_tcp) limit on number of overlapping TCP packets reached + +129:8 + +(stream_tcp) data sent on stream after TCP reset sent + +129:9 + +(stream_tcp) TCP client possibly hijacked, different ethernet address + +129:10 + +(stream_tcp) TCP server possibly hijacked, different ethernet address + +129:11 + +(stream_tcp) TCP data with no TCP flags set + +129:12 + +(stream_tcp) consecutive TCP small segments exceeding threshold + +129:13 + +stream_tcp detected a 4-way handshake, which includes a TCP SYN (without ACK) in response to +the initiating client SYN. stream_tcp.require_3whs = 0 should be set to ensure this can be +detected in all cases. 
+ +129:14 + +(stream_tcp) TCP timestamp is missing + +129:15 + +(stream_tcp) reset outside window + +129:16 + +(stream_tcp) FIN number is greater than prior FIN + +129:17 + +(stream_tcp) ACK number is greater than prior FIN + +129:18 + +(stream_tcp) data sent on stream after TCP reset received + +129:19 + +(stream_tcp) TCP window closed before receiving data + +129:20 + +(stream_tcp) TCP session without 3-way handshake + +131:1 + +(dns) obsolete DNS RR types + +131:2 + +(dns) experimental DNS RR types + +131:3 + +(dns) DNS client rdata txt overflow + +133:2 + +(dce_smb) SMB - bad NetBIOS session service session type + +133:3 + +(dce_smb) SMB - bad SMB message type + +133:4 + +(dce_smb) SMB - bad SMB Id (not \xffSMB for SMB1 or not \xfeSMB for SMB2) + +133:5 + +(dce_smb) SMB - bad word count or structure size + +133:6 + +(dce_smb) SMB - bad byte count + +133:7 + +(dce_smb) SMB - bad format type + +133:8 + +(dce_smb) SMB - bad offset + +133:9 + +(dce_smb) SMB - zero total data count + +133:10 + +(dce_smb) SMB - NetBIOS data length less than SMB header length + +133:11 + +(dce_smb) SMB - remaining NetBIOS data length less than command length + +133:12 + +(dce_smb) SMB - remaining NetBIOS data length less than command byte count + +133:13 + +(dce_smb) SMB - remaining NetBIOS data length less than command data size + +133:14 + +(dce_smb) SMB - remaining total data count less than this command data size + +133:15 + +(dce_smb) SMB - total data sent (STDu64) greater than command total data expected + +133:16 + +(dce_smb) SMB - byte count less than command data size (STDu64) + +133:17 + +(dce_smb) SMB - invalid command data size for byte count + +133:18 + +(dce_smb) SMB - excessive tree connect requests with pending tree connect responses + +133:19 + +(dce_smb) SMB - excessive read requests with pending read responses + +133:20 + +(dce_smb) SMB - excessive command chaining + +133:21 + +(dce_smb) SMB - Multiple chained login requests + +133:22 + +(dce_smb) SMB - Multiple 
chained tree connect requests + +133:23 + +(dce_smb) SMB - chained/compounded login followed by logoff + +133:24 + +(dce_smb) SMB - chained/compounded tree connect followed by tree disconnect + +133:25 + +(dce_smb) SMB - chained/compounded open pipe followed by close pipe + +133:26 + +(dce_smb) SMB - invalid share access + +133:27 + +(dce_tcp) connection oriented DCE/RPC - invalid major version + +133:28 + +(dce_tcp) connection oriented DCE/RPC - invalid minor version + +133:29 + +(dce_tcp) connection-oriented DCE/RPC - invalid PDU type + +133:30 + +(dce_tcp) connection-oriented DCE/RPC - fragment length less than header size + +133:31 + +(dce_tcp) connection-oriented DCE/RPC - remaining fragment length less than size needed + +133:32 + +(dce_tcp) connection-oriented DCE/RPC - no context items specified + +133:33 + +(dce_tcp) connection-oriented DCE/RPC -no transfer syntaxes specified + +133:34 + +(dce_tcp) connection-oriented DCE/RPC - fragment length on non-last fragment less than maximum negotiated fragment transmit size for client + +133:35 + +(dce_tcp) connection-oriented DCE/RPC - fragment length greater than maximum negotiated fragment transmit size + +133:36 + +(dce_tcp) connection-oriented DCE/RPC - alter context byte order different from bind + +133:37 + +(dce_tcp) connection-oriented DCE/RPC - call id of non first/last fragment different from call id established for fragmented request + +133:38 + +(dce_tcp) connection-oriented DCE/RPC - opnum of non first/last fragment different from opnum established for fragmented request + +133:39 + +(dce_tcp) connection-oriented DCE/RPC - context id of non first/last fragment different from context id established for fragmented request + +133:40 + +(dce_udp) connection-less DCE/RPC - invalid major version + +133:41 + +(dce_udp) connection-less DCE/RPC - invalid PDU type + +133:42 + +(dce_udp) connection-less DCE/RPC - data length less than header size + +133:43 + +(dce_udp) connection-less DCE/RPC - bad sequence 
number + +133:44 + +(dce_smb) SMB - invalid SMB version 1 seen + +133:45 + +(dce_smb) SMB - invalid SMB version 2 seen + +133:46 + +(dce_smb) SMB - invalid user, tree connect, file binding + +133:47 + +(dce_smb) SMB - excessive command compounding + +133:48 + +(dce_smb) SMB - zero data count + +133:50 + +(dce_smb) SMB - maximum number of outstanding requests exceeded + +133:51 + +(dce_smb) SMB - outstanding requests with same MID + +133:52 + +(dce_smb) SMB - deprecated dialect negotiated + +133:53 + +(dce_smb) SMB - deprecated command used + +133:54 + +(dce_smb) SMB - unusual command used + +133:55 + +(dce_smb) SMB - invalid setup count for command + +133:56 + +(dce_smb) SMB - client attempted multiple dialect negotiations on session + +133:57 + +(dce_smb) SMB - client attempted to create or set a file's attributes to readonly/hidden/system + +133:58 + +(dce_smb) SMB - file offset provided is greater than file size specified + +133:59 + +(dce_smb) SMB - next command specified in SMB2 header is beyond payload boundary + +134:1 + +(latency) rule tree suspended due to latency + +134:2 + +(latency) rule tree re-enabled after suspend timeout + +134:3 + +(latency) packet fastpathed due to latency + +135:1 + +(stream) TCP SYN received + +135:2 + +(stream) TCP session established + +135:3 + +(stream) TCP session cleared + +136:1 + +(reputation) packets blocked based on source + +136:2 + +(reputation) packets trusted based on source + +136:3 + +(reputation) packets monitored based on source + +136:4 + +(reputation) packets blocked based on destination + +136:5 + +(reputation) packets trusted based on destination + +136:6 + +(reputation) packets monitored based on destination + +137:1 + +(ssl) invalid client HELLO after server HELLO detected + +137:2 + +(ssl) invalid server HELLO without client HELLO detected + +137:3 + +(ssl) heartbeat read overrun attempt detected + +137:4 + +(ssl) large heartbeat response detected + +140:2 + +(sip) empty request URI + +140:3 + +(sip) URI 
is too long + +140:4 + +(sip) empty call-Id + +140:5 + +(sip) Call-Id is too long + +140:6 + +(sip) CSeq number is too large or negative + +140:7 + +(sip) request name in CSeq is too long + +140:8 + +(sip) empty From header + +140:9 + +(sip) From header is too long + +140:10 + +(sip) empty To header + +140:11 + +(sip) To header is too long + +140:12 + +(sip) empty Via header + +140:13 + +(sip) Via header is too long + +140:14 + +(sip) empty Contact + +140:15 + +(sip) contact is too long + +140:16 + +(sip) content length is too large or negative + +140:17 + +(sip) multiple SIP messages in a packet + +140:18 + +(sip) content length mismatch + +140:19 + +(sip) request name is invalid + +140:20 + +(sip) Invite replay attack + +140:21 + +(sip) illegal session information modification + +140:22 + +(sip) response status code is not a 3 digit number + +140:23 + +(sip) empty Content-type header + +140:24 + +(sip) SIP version is invalid + +140:25 + +(sip) mismatch in METHOD of request and the CSEQ header + +140:26 + +(sip) method is unknown + +140:27 + +(sip) maximum dialogs within a session reached + +141:1 + +(imap) unknown IMAP3 command + +141:2 + +(imap) unknown IMAP3 response + +141:4 + +(imap) base64 decoding failed + +141:5 + +(imap) quoted-printable decoding failed + +141:7 + +(imap) Unix-to-Unix decoding failed + +141:8 + +(imap) file decompression failed + +142:1 + +(pop) unknown POP3 command + +142:2 + +(pop) unknown POP3 response + +142:4 + +(pop) base64 decoding failed + +142:5 + +(pop) quoted-printable decoding failed + +142:7 + +(pop) Unix-to-Unix decoding failed + +142:8 + +(pop) file decompression failed + +143:1 + +(gtp_inspect) message length is invalid + +143:2 + +(gtp_inspect) information element length is invalid + +143:3 + +(gtp_inspect) information elements are out of order + +143:4 + +(gtp_inspect) TEID is missing + +144:1 + +(modbus) length in Modbus MBAP header does not match the length needed for the given function + +144:2 + +(modbus) Modbus 
protocol ID is non-zero + +144:3 + +(modbus) reserved Modbus function code in use + +145:1 + +(dnp3) DNP3 link-layer frame contains bad CRC + +145:2 + +(dnp3) DNP3 link-layer frame was dropped + +145:3 + +(dnp3) DNP3 transport-layer segment was dropped during reassembly + +145:4 + +(dnp3) DNP3 reassembly buffer was cleared without reassembling a complete message + +145:5 + +(dnp3) DNP3 link-layer frame uses a reserved address + +145:6 + +(dnp3) DNP3 application-layer fragment uses a reserved function code + +148:1 + +(cip) CIP data is malformed + +148:2 + +(cip) CIP data is non-conforming to ODVA standard + +148:3 + +(cip) CIP connection limit exceeded. Least recently used connection removed + +148:4 + +(cip) CIP unconnected request limit exceeded. Oldest request removed + +149:1 + +(s7commplus) length in S7commplus MBAP header does not match the length needed for the given S7commplus function + +149:2 + +(s7commplus) S7commplus protocol ID is non-zero + +149:3 + +(s7commplus) reserved S7commplus function code in use + +150:1 + +(file_id) file not processed due to per flow limit + +151:1 + +(iec104) Length in IEC104 APCI header does not match the length needed for the given IEC104 ASDU type id + +151:2 + +(iec104) IEC104 Start byte does not match 0x68 + +151:3 + +(iec104) Reserved IEC104 ASDU type id in use + +151:4 + +(iec104) IEC104 APCI U Reserved field contains a non-default value + +151:5 + +(iec104) IEC104 APCI U message type was set to an invalid value + +151:6 + +(iec104) IEC104 APCI S Reserved field contains a non-default value + +151:7 + +(iec104) IEC104 APCI I number of elements set to zero + +151:8 + +(iec104) IEC104 APCI I SQ bit set on an ASDU that does not support the feature + +151:9 + +(iec104) IEC104 APCI I number of elements set to greater than one on an ASDU that does not support the feature + +151:10 + +(iec104) IEC104 APCI I Cause of Initialization set to a reserved value + +151:11 + +(iec104) IEC104 APCI I Qualifier of Interrogation Command 
set to a reserved value + +151:12 + +(iec104) IEC104 APCI I Qualifier of Counter Interrogation Command request parameter set to a reserved value + +151:13 + +(iec104) IEC104 APCI I Qualifier of Parameter of Measured Values kind of parameter set to a reserved value + +151:14 + +(iec104) IEC104 APCI I Qualifier of Parameter of Measured Values local parameter change set to a technically valid but unused value + +151:15 + +(iec104) IEC104 APCI I Qualifier of Parameter of Measured Values parameter option set to a technically valid but unused value + +151:16 + +(iec104) IEC104 APCI I Qualifier of Parameter Activation set to a reserved value + +151:17 + +(iec104) IEC104 APCI I Qualifier of Command set to a reserved value + +151:18 + +(iec104) IEC104 APCI I Qualifier of Reset Process set to a reserved value + +151:19 + +(iec104) IEC104 APCI I File Ready Qualifier set to a reserved value + +151:20 + +(iec104) IEC104 APCI I Section Ready Qualifier set to a reserved value + +151:21 + +(iec104) IEC104 APCI I Select and Call Qualifier set to a reserved value + +151:22 + +(iec104) IEC104 APCI I Last Section or Segment Qualifier set to a reserved value + +151:23 + +(iec104) IEC104 APCI I Acknowledge File or Section Qualifier set to a reserved value + +151:24 + +(iec104) IEC104 APCI I Structure Qualifier set on a message where it should have no effect + +151:25 + +(iec104) IEC104 APCI I Single Point Information Reserved field contains a non-default value + +151:26 + +(iec104) IEC104 APCI I Double Point Information Reserved field contains a non-default value + +151:27 + +(iec104) IEC104 APCI I Cause of Transmission set to a reserved value + +151:28 + +(iec104) IEC104 APCI I Cause of Transmission set to a value not allowed for the ASDU + +151:29 + +(iec104) IEC104 APCI I invalid two octet common address value detected + +151:30 + +(iec104) IEC104 APCI I Quality Descriptor Structure Reserved field contains a non-default value + +151:31 + +(iec104) IEC104 APCI I Quality Descriptor for 
Events of Protection Equipment Structure Reserved field contains a non-default value + +151:32 + +(iec104) IEC104 APCI I IEEE STD 754 value results in NaN + +151:33 + +(iec104) IEC104 APCI I IEEE STD 754 value results in infinity + +151:34 + +(iec104) IEC104 APCI I Single Event of Protection Equipment Structure Reserved field contains a non-default value + +151:35 + +(iec104) IEC104 APCI I Start Event of Protection Equipment Structure Reserved field contains a non-default value + +151:36 + +(iec104) IEC104 APCI I Output Circuit Information Structure Reserved field contains a non-default value + +151:37 + +(iec104) IEC104 APCI I Abnormal Fixed Test Bit Pattern detected + +151:38 + +(iec104) IEC104 APCI I Single Command Structure Reserved field contains a non-default value + +151:39 + +(iec104) IEC104 APCI I Double Command Structure contains an invalid value + +151:40 + +(iec104) IEC104 APCI I Regulating Step Command Structure Reserved field contains a non-default value + +151:41 + +(iec104) IEC104 APCI I Time2a Millisecond set outside of the allowable range + +151:42 + +(iec104) IEC104 APCI I Time2a Minute set outside of the allowable range + +151:43 + +(iec104) IEC104 APCI I Time2a Minute Reserved field contains a non-default value + +151:44 + +(iec104) IEC104 APCI I Time2a Hours set outside of the allowable range + +151:45 + +(iec104) IEC104 APCI I Time2a Hours Reserved field contains a non-default value + +151:46 + +(iec104) IEC104 APCI I Time2a Day of Month set outside of the allowable range + +151:47 + +(iec104) IEC104 APCI I Time2a Month set outside of the allowable range + +151:48 + +(iec104) IEC104 APCI I Time2a Month Reserved field contains a non-default value + +151:49 + +(iec104) IEC104 APCI I Time2a Year set outside of the allowable range + +151:50 + +(iec104) IEC104 APCI I Time2a Year Reserved field contains a non-default value + +151:51 + +(iec104) IEC104 APCI I a null Length of Segment value has been detected + +151:52 + +(iec104) IEC104 APCI I an 
invalid Length of Segment value has been detected
+
+151:53
+
+(iec104) IEC104 APCI I Status of File set to a reserved value
+
+151:54
+
+(iec104) IEC104 APCI I Qualifier of Set Point Command ql field set to a reserved value
+
+175:1
+
+(domain_filter) configured domain detected
+
+256:1
+
+(dpx) too much data sent to port
+
diff --git a/doc/reference/scripts/generate_builtin.sh b/doc/reference/scripts/generate_builtin.sh
new file mode 100755
index 000000000..ab2281c0a
--- /dev/null
+++ b/doc/reference/scripts/generate_builtin.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+SNORT_BINARY="$1"
+PLUGIN_PATH="$2"
+INPUT_FILE="$3"
+OUTPUT_FILE="$4"
+
+PLUGIN_ARGS=
+
+if [ -n "${PLUGIN_PATH}" ] ; then
+ PLUGIN_ARGS="--plugin-path=${PLUGIN_PATH}"
+fi
+
+cp ${INPUT_FILE} ${OUTPUT_FILE}
+
+${SNORT_BINARY} ${PLUGIN_ARGS} --list-builtin | while read line ; do \
+ gidsid="${line/ *}"; \
+ msg="${line#* }"; \
+ msg="${msg//\//\\/}"; \
+ sed -i -e "s/^$gidsid\$/\*$gidsid $msg\*/" ${OUTPUT_FILE}; \
+done
+
diff --git a/doc/reference/scripts/generate_help.sh b/doc/reference/scripts/generate_help.sh
index b6b704777..68d6d4a92 100755
--- a/doc/reference/scripts/generate_help.sh
+++ b/doc/reference/scripts/generate_help.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/usr/bin/env bash
 
 SNORT_BINARY="$1"
 OUTPUT_FILE="$2"
diff --git a/doc/reference/scripts/generate_list.sh b/doc/reference/scripts/generate_list.sh
index 6cbc62fce..0c0cb3d47 100755
--- a/doc/reference/scripts/generate_list.sh
+++ b/doc/reference/scripts/generate_list.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/usr/bin/env bash
 
 SNORT_BINARY="$1"
 OUTPUT_FILE="$2"
diff --git a/doc/reference/scripts/generate_module.sh b/doc/reference/scripts/generate_module.sh
index 119810421..52ec5c661 100755
--- a/doc/reference/scripts/generate_module.sh
+++ b/doc/reference/scripts/generate_module.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/usr/bin/env bash
 
 SNORT_BINARY="$1"
 OUTPUT_FILE="$2"
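Review bot: The rewrite loop in generate_builtin.sh hands each `--list-builtin` message to sed as a replacement string after escaping only `/`, so a message containing `&` or a backslash would be rewritten into something other than the documented text, and `read line` without `-r` strips backslashes before sed even sees them. The expansions `${SNORT_BINARY}`, `${INPUT_FILE}` and `${OUTPUT_FILE}` are unquoted, so a build or source directory containing spaces breaks the `cp` and `sed` calls, and nothing checks that the snort invocation succeeded: without `set -e`/`set -o pipefail` a failing binary leaves the copied stubs file with bare gid:sid lines while the build reports success. The script also assumes exactly four positional arguments; if a caller drops an empty plugin path rather than passing `""`, `INPUT_FILE` and `OUTPUT_FILE` shift by one, which an argument-count guard would catch. The `\` line continuations inside `do ... done` are unnecessary. Rewritten setup and loop below; `${PLUGIN_ARGS}` stays unquoted deliberately so that an empty value expands to no argument.
```shell
set -eo pipefail
[ $# -eq 4 ] || { echo "usage: $0 SNORT_BINARY PLUGIN_PATH INPUT_FILE OUTPUT_FILE" >&2; exit 1; }
# … unchanged: positional assignments and PLUGIN_ARGS …

cp "${INPUT_FILE}" "${OUTPUT_FILE}"

# PLUGIN_ARGS is intentionally unquoted: when empty it must expand to no argument at all
"${SNORT_BINARY}" ${PLUGIN_ARGS} --list-builtin | while IFS= read -r line ; do
    gidsid="${line/ *}"
    msg="${line#* }"
    # escape backslashes first, then the sed delimiter and the '&' back-reference
    msg="${msg//\\/\\\\}"
    msg="${msg//\//\\/}"
    msg="${msg//&/\\&}"
    sed -i -e "s/^$gidsid\$/\*$gidsid $msg\*/" "${OUTPUT_FILE}"
done
```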
diff --git a/doc/user/online_manual.sh b/doc/user/online_manual.sh
index fe347d0ea..5027c0014 100755
--- a/doc/user/online_manual.sh
+++ b/doc/user/online_manual.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/usr/bin/env bash
 
 # run this from build/doc/ to create an all in one html manual
 # with embedded images in base64 format for use in places where
diff --git a/src/detection/tag.cc b/src/detection/tag.cc
index fa7ed05f3..d8e315dfd 100644
--- a/src/detection/tag.cc
+++ b/src/detection/tag.cc
@@ -54,9 +54,6 @@ using namespace snort;
 #define TAG_PRUNE_QUANTUM 300
 #define TAG_MEMCAP 4194304 /* 4MB */
 
-#define GID_TAG 2
-#define TAG_LOG_PKT 1
-
 /* D A T A S T R U C T U R E S **********************************/
 
 /**Key used for identifying a session or host. */
@@ -543,8 +540,9 @@ int CheckTagList(Packet* p, Event& event, void** log_list)
 
 if ( create_event )
 {
- /* set the event info */
- event.set_event(GID_TAG, TAG_LOG_PKT, 1, 1, 1, returned->event_id, p->context->conf->get_event_log_id(), returned->event_time);
+ event.set_event(GID_TAG, TAG_LOG_PKT, 1, 1, 1, returned->event_id,
+ p->context->conf->get_event_log_id(), returned->event_time);
+
 *log_list = returned->log_list;
 }
 
diff --git a/src/detection/tag.h b/src/detection/tag.h
index fee782e79..bc044ffb3 100644
--- a/src/detection/tag.h
+++ b/src/detection/tag.h
@@ -37,6 +37,9 @@ struct Packet;
 struct OptTreeNode;
 struct Event;
 
+#define GID_TAG 2
+#define TAG_LOG_PKT 1
+
 #define TAG_SESSION 1
 #define TAG_HOST 2
 #define TAG_HOST_SRC 3
diff --git a/src/main/help.cc b/src/main/help.cc
index 2b1461e66..6b6975716 100644
--- a/src/main/help.cc
+++ b/src/main/help.cc
@@ -151,7 +151,8 @@ enum HelpType
 HT_IPS, HT_LST, HT_MOD, HT_PEG, HT_PLG
 };
 
-[[noreturn]] static void show_help(SnortConfig* sc, const char* val, HelpType ht)
+[[noreturn]] static void show_help(
+ SnortConfig* sc, const char* val, HelpType ht, const char* opts = nullptr)
 {
 SnortConfig::set_conf(new SnortConfig);
 ScriptManager::load_scripts(sc->script_paths);
@@ -171,7 +172,7 @@ enum HelpType
 ModuleManager::show_commands(val);
 break;
 case HT_DBR:
- ModuleManager::dump_rules(val);
+ ModuleManager::dump_rules(val, opts);
 break;
 case HT_DDR:
 SoManager::dump_rule_stubs(val, sc);
@@ -308,9 +309,9 @@ void config_markup(SnortConfig*, const char*)
 show_help(sc, val, HT_DFL);
 }
 
-[[noreturn]] void dump_builtin_rules(SnortConfig* sc, const char* val)
+[[noreturn]] void dump_builtin_rules(SnortConfig* sc, const char* val, const char* opts)
 {
- show_help(sc, val, HT_DBR);
+ show_help(sc, val, HT_DBR, opts);
 }
 
 [[noreturn]] void dump_dynamic_rules(SnortConfig* sc, const char* val)
diff --git a/src/main/help.h b/src/main/help.h
index 6d14a9734..e6caf9f3d 100644
--- a/src/main/help.h
+++ b/src/main/help.h
@@ -53,7 +53,7 @@ void help_args(const char* pfx);
 
 [[noreturn]] void list_modules(snort::SnortConfig* sc, const char*);
 [[noreturn]] void list_plugins(snort::SnortConfig* sc, const char*);
-[[noreturn]] void dump_builtin_rules(snort::SnortConfig* sc, const char*);
+[[noreturn]] void dump_builtin_rules(snort::SnortConfig* sc, const char*, const char*);
 [[noreturn]] void dump_defaults(snort::SnortConfig* sc, const char*);
 [[noreturn]] void dump_dynamic_rules(snort::SnortConfig* sc, const char*);
 [[noreturn]] void dump_rule_hex(snort::SnortConfig* sc, const char*);
diff --git a/src/main/modules.cc b/src/main/modules.cc
index d3d8abb82..75edfb4f6 100644
--- a/src/main/modules.cc
+++ b/src/main/modules.cc
@@ -30,6 +30,7 @@
 #include "detection/detection_module.h"
 #include "detection/fp_config.h"
 #include "detection/rules.h"
+#include "detection/tag.h"
 #include "filters/detection_filter.h"
 #include "filters/rate_filter.h"
 #include "filters/sfrf.h"
@@ -749,6 +750,12 @@ static const Parameter output_params[] =
 #define output_help \
 "configure general output parameters"
 
+static const RuleMap output_rules[] =
+{
+ { TAG_LOG_PKT, "tagged packet" },
+ { 0, nullptr }
+};
+
 class OutputModule : public Module
 {
 public:
@@ -757,6 +764,12 @@ public:
 
 Usage get_usage() const override
 { return GLOBAL; }
+
+ unsigned get_gid() const override
+ { return GID_TAG; }
+
+ const RuleMap* get_rules() const override
+ { return output_rules; }
 };
 
 bool OutputModule::set(const char*, Value& v, SnortConfig* sc)
diff --git a/src/main/snort_module.cc b/src/main/snort_module.cc
index 247cfa1d5..724c8a58d 100644
--- a/src/main/snort_module.cc
+++ b/src/main/snort_module.cc
@@ -24,6 +24,8 @@
 
 #include "snort_module.h"
 
+#include
+
 #include "detection/detect.h"
 #include "detection/fp_detect.h"
 #include "framework/module.h"
@@ -347,6 +349,9 @@ static const Parameter s_params[] =
 { "--dirty-pig", Parameter::PT_IMPLIED, nullptr, nullptr,
 "don't flush packets on shutdown" },
 
+ { "--dump-builtin-options", Parameter::PT_STRING, nullptr, nullptr,
+ "additional options to include with --dump-builtin-rules stubs" },
+
 { "--dump-builtin-rules", Parameter::PT_STRING, "(optional)", nullptr,
 "[] output stub rules for selected modules" },
 
@@ -671,6 +676,7 @@ private:
 SFDAQModuleConfig* module_config;
 bool no_warn_flowbits = false;
 bool no_warn_rules = false;
+ std::string stub_opts;
 };
 
 void SnortModule::set_trace(const Trace* trace) const
@@ -875,8 +881,11 @@ bool SnortModule::set(const char*, Value& v, SnortConfig* sc)
 else if ( v.is("--dirty-pig") )
 sc->set_dirty_pig(true);
 
+ else if ( v.is("--dump-builtin-options") )
+ stub_opts = v.get_string();
+
 else if ( v.is("--dump-builtin-rules") )
- dump_builtin_rules(sc, v.get_string());
+ dump_builtin_rules(sc, v.get_string(), stub_opts.c_str());
 
 else if ( v.is("--dump-config") )
 {
diff --git a/src/managers/module_manager.cc b/src/managers/module_manager.cc
index 932c67b69..f8cc24419 100644
--- a/src/managers/module_manager.cc
+++ b/src/managers/module_manager.cc
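Review bot: `--dump-builtin-options` is only stored into `stub_opts` and is consumed when `--dump-builtin-rules` is handled later in `SnortModule::set`; since `dump_builtin_rules` is `[[noreturn]]`, an options value given after the rules flag is silently ignored, and the help text in the `s_params` hunk does not say so. Suggest `"additional options to include with --dump-builtin-rules stubs (must precede it)"` for the help string. The value is passed through verbatim with no syntax check, which is acceptable for an operator-supplied CLI value but should be visible to the reader of the private section: a comment on the new member such as `// raw rule options appended to each --dump-builtin-rules stub; kept until that option is processed` explains why it lives on the module rather than in `set()`.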
@@ -1316,14 +1316,16 @@ void ModuleManager::load_commands(Shell* sh)
 // (but ip winds up in all others)
 // FIXIT-L if msg has C escaped embedded quotes, we break
 //ss << "alert tcp any any -> any any ( ";
-static void make_rule(ostream& os, const Module* m, const RuleMap* r)
+static void make_rule(ostream& os, const Module* m, const RuleMap* r, const char* opts = nullptr)
 {
 os << "alert ( ";
 os << "gid:" << m->get_gid() << "; ";
 os << "sid:" << r->sid << "; ";
- os << "rev:1; priority:3; ";
 os << "msg:\"" << "(" << m->get_name() << ") ";
- os << r->msg << "\"; )";
+ os << r->msg << "\";";
+ if ( opts and *opts )
+ os << " " << opts;
+ os << " )";
 os << endl;
 }
 
@@ -1350,7 +1352,8 @@ void ModuleManager::load_rules(SnortConfig* sc)
 while ( r->msg )
 {
 ss.str("");
- make_rule(ss, m, r);
+ const char* historical_opts = "rev:1; priority:3;";
+ make_rule(ss, m, r, historical_opts);
 
 // note: you can NOT do ss.str().c_str() here
 const string& rule = ss.str();
@@ -1590,12 +1593,12 @@ static std::vector get_rules(const char* pfx, bool exact = false)
 return rule_set;
 }
 
-void ModuleManager::dump_rules(const char* pfx)
+void ModuleManager::dump_rules(const char* pfx, const char* opts)
 {
 std::vector rule_set = get_rules(pfx);
 
 for ( auto rp : rule_set )
- make_rule(cout, rp.mod, rp.rule);
+ make_rule(cout, rp.mod, rp.rule, opts);
 
 if ( !rule_set.size() )
 cout << "no match" << endl;
diff --git a/src/managers/module_manager.h b/src/managers/module_manager.h
index cd35fabe6..4bb78b325 100644
--- a/src/managers/module_manager.h
+++ b/src/managers/module_manager.h
@@ -69,7 +69,7 @@ public:
 
 static void show_pegs(const char* = nullptr, bool exact = false);
 static void show_rules(const char* = nullptr, bool exact = false);
- static void dump_rules(const char* = nullptr);
+ static void dump_rules(const char* = nullptr, const char* opts = nullptr);
 static void dump_defaults(const char* = nullptr);
 
 static void load_params();
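Review bot: `make_rule` appends `opts` verbatim between the `msg` option and the closing `)`, so the caller must terminate every option with `;`; the `historical_opts` literal in `load_rules` does, but a user value reaching `dump_rules` from the command line that omits the final `;` will likely yield stubs that do not parse, and the contract is stated nowhere. Document it on the signature: `// opts: extra rule options appended verbatim after msg; each must end with ';' (nullptr/empty = none)`. In `load_rules` the literal is re-declared on every loop iteration and its purpose is unexplained; hoisting it above the `while` as `static const char* historical_opts = "rev:1; priority:3;";` with a comment that internally loaded builtin rules keep the rev/priority that dumped stubs no longer carry makes the asymmetry with `dump_rules` deliberate for the next reader. The existing FIXIT-L about embedded quotes in `msg` now applies to `opts` as well and could be extended to say so.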
diff --git a/src/service_inspectors/cip/cip_module.cc b/src/service_inspectors/cip/cip_module.cc
index ede280bed..ce4d76dd4 100644
--- a/src/service_inspectors/cip/cip_module.cc
+++ b/src/service_inspectors/cip/cip_module.cc
@@ -31,11 +31,11 @@ using namespace snort;
 using namespace std;
 
-#define CIP_MALFORMED_STR "CIP data is malformed."
-#define CIP_NON_CONFORMING_STR "CIP data is non-conforming to ODVA standard."
+#define CIP_MALFORMED_STR "CIP data is malformed"
+#define CIP_NON_CONFORMING_STR "CIP data is non-conforming to ODVA standard"
 #define CIP_CONNECTION_LIMIT_STR \
- "CIP connection limit exceeded. Least recently used connection removed."
-#define CIP_REQUEST_LIMIT_STR "CIP unconnected request limit exceeded. Oldest request removed."
+ "CIP connection limit exceeded. Least recently used connection removed"
+#define CIP_REQUEST_LIMIT_STR "CIP unconnected request limit exceeded. Oldest request removed"
 
 static const Parameter c_params[] =
 {
diff --git a/src/service_inspectors/iec104/iec104_module.h b/src/service_inspectors/iec104/iec104_module.h
index bf25f598b..8a78a6ea7 100644
--- a/src/service_inspectors/iec104/iec104_module.h
+++ b/src/service_inspectors/iec104/iec104_module.h
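Review bot: Dropping the trailing period from the four `CIP_*_STR` messages here, and the `(spp_iec104): ` prefix plus periods from every `IEC104_*_STR` macro in the iec104_module.h hunk, changes the `msg` text emitted in alert output and in the dumped stubs, so downstream log parsers, SIEM correlations or rule-management tooling keyed on the old exact text will stop matching. The builtin rules carry no `rev` to bump (the stubs no longer include one), so the only signal to operators is release documentation; this deserves a ChangeLog entry naming the affected gid:sid ranges (148:1-4 and the 151 family). The `(iec104)` module prefix is now supplied by `make_rule` from `get_name()`, so a one-line comment above the `IEC104_*_STR` block such as `// message text only: the "(module) " prefix is added by the rule builder` would keep the prefix from being reintroduced.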
@@ -121,60 +121,60 @@ public: #define IEC104_RESERVED_SOF 53 #define IEC104_RESERVED_QOS 54 -#define IEC104_BAD_LENGTH_STR "(spp_iec104): Length in IEC104 APCI header does not match the length needed for the given IEC104 ASDU type id." -#define IEC104_BAD_START_STR "(spp_iec104): IEC104 Start byte does not match 0x68." -#define IEC104_RESERVED_ASDU_TYPE_STR "(spp_iec104): Reserved IEC104 ASDU type id in use." -#define IEC104_APCIU_RESERVED_FIELD_IN_USE_STR "(spp_iec104): IEC104 APCI U Reserved field contains a non-default value." -#define IEC104_APCIU_INVALID_MESSAGE_TYPE_STR "(spp_iec104): IEC104 APCI U message type was set to an invalid value." -#define IEC104_APCIS_RESERVED_FIELD_IN_USE_STR "(spp_iec104): IEC104 APCI S Reserved field contains a non-default value." -#define IEC104_APCII_NUM_ELEMENTS_SET_TO_ZERO_STR "(spp_iec104): IEC104 APCI I number of elements set to zero." -#define IEC104_APCII_INVALID_SQ_VALUE_STR "(spp_iec104): IEC104 APCI I SQ bit set on an ASDU that does not support the feature." -#define IEC104_APCII_INVALID_NUM_ELEMENTS_VALUE_STR "(spp_iec104): IEC104 APCI I number of elements set to greater than one on an ASDU that does not support the feature." -#define IEC104_RESERVED_COI_STR "(spp_iec104): IEC104 APCI I Cause of Initialization set to a reserved value." -#define IEC104_RESERVED_QOI_STR "(spp_iec104): IEC104 APCI I Qualifier of Interrogation Command set to a reserved value." -#define IEC104_RESERVED_QCC_STR "(spp_iec104): IEC104 APCI I Qualifier of Counter Interrogation Command request parameter set to a reserved value." -#define IEC104_RESERVED_QPM_KPA_STR "(spp_iec104): IEC104 APCI I Qualifier of Parameter of Measured Values kind of parameter set to a reserved value." -#define IEC104_ABNORMAL_QPM_LPC_STR "(spp_iec104): IEC104 APCI I Qualifier of Parameter of Measured Values local parameter change set to a technically valid but unused value." 
-#define IEC104_ABNORMAL_QPM_POP_STR "(spp_iec104): IEC104 APCI I Qualifier of Parameter of Measured Values parameter option set to a technically valid but unused value." -#define IEC104_RESERVED_QPA_STR "(spp_iec104): IEC104 APCI I Qualifier of Parameter Activation set to a reserved value." -#define IEC104_RESERVED_QOC_STR "(spp_iec104): IEC104 APCI I Qualifier of Command set to a reserved value." -#define IEC104_RESERVED_QRP_STR "(spp_iec104): IEC104 APCI I Qualifier of Reset Process set to a reserved value." -#define IEC104_RESERVED_FRQ_STR "(spp_iec104): IEC104 APCI I File Ready Qualifier set to a reserved value." -#define IEC104_RESERVED_SRQ_STR "(spp_iec104): IEC104 APCI I Section Ready Qualifier set to a reserved value." -#define IEC104_RESERVED_SCQ_STR "(spp_iec104): IEC104 APCI I Select and Call Qualifier set to a reserved value." -#define IEC104_RESERVED_LSQ_STR "(spp_iec104): IEC104 APCI I Last Section or Segment Qualifier set to a reserved value." -#define IEC104_RESERVED_AFQ_STR "(spp_iec104): IEC104 APCI I Acknowledge File or Section Qualifier set to a reserved value." -#define IEC104_VSQ_ABNORMAL_SQ_STR "(spp_iec104): IEC104 APCI I Structure Qualifier set on a message where it should have no effect." -#define IEC104_RESERVED_CAUSE_TX_STR "(spp_iec104): IEC104 APCI I Cause of Transmission set to a reserved value." -#define IEC104_INVALID_CAUSE_TX_STR "(spp_iec104): IEC104 APCI I Cause of Transmission set to a value not allowed for the ASDU." -#define IEC104_INVALID_COMMON_ADDRESS_STR "(spp_iec104): IEC104 APCI I invalid two octet common address value detected." -#define IEC104_RESERVED_SIQ_STR "(spp_iec104): IEC104 APCI I Single Point Information Reserved field contains a non-default value." -#define IEC104_RESERVED_DIQ_STR "(spp_iec104): IEC104 APCI I Double Point Information Reserved field contains a non-default value." 
-#define IEC104_RESERVED_QDS_STR "(spp_iec104): IEC104 APCI I Quality Descriptor Structure Reserved field contains a non-default value." -#define IEC104_RESERVED_QDP_STR "(spp_iec104): IEC104 APCI I Quality Descriptor for Events of Protection Equipment Structure Reserved field contains a non-default value." -#define IEC104_RESERVED_IEEE_STD_754_NAN_STR "(spp_iec104): IEC104 APCI I IEEE STD 754 value results in NaN." -#define IEC104_RESERVED_IEEE_STD_754_INFINITY_STR "(spp_iec104): IEC104 APCI I IEEE STD 754 value results in infinity." -#define IEC104_RESERVED_SEP_STR "(spp_iec104): IEC104 APCI I Single Event of Protection Equipment Structure Reserved field contains a non-default value." -#define IEC104_RESERVED_SPE_STR "(spp_iec104): IEC104 APCI I Start Event of Protection Equipment Structure Reserved field contains a non-default value." -#define IEC104_RESERVED_OCI_STR "(spp_iec104): IEC104 APCI I Output Circuit Information Structure Reserved field contains a non-default value." -#define IEC104_INVALID_FBP_STR "(spp_iec104): IEC104 APCI I Abnormal Fixed Test Bit Pattern detected." -#define IEC104_RESERVED_SCO_STR "(spp_iec104): IEC104 APCI I Single Command Structure Reserved field contains a non-default value." -#define IEC104_INVALID_DCO_STR "(spp_iec104): IEC104 APCI I Double Command Structure contains an invalid value." -#define IEC104_RESERVED_RCO_STR "(spp_iec104): IEC104 APCI I Regulating Step Command Structure Reserved field contains a non-default value." -#define IEC104_INVALID_MS_IN_MINUTE_STR "(spp_iec104): IEC104 APCI I Time2a Millisecond set outside of the allowable range." -#define IEC104_INVALID_MINS_IN_HOUR_STR "(spp_iec104): IEC104 APCI I Time2a Minute set outside of the allowable range." -#define IEC104_RESERVED_MINS_IN_HOUR_STR "(spp_iec104): IEC104 APCI I Time2a Minute Reserved field contains a non-default value." -#define IEC104_INVALID_HOURS_IN_DAY_STR "(spp_iec104): IEC104 APCI I Time2a Hours set outside of the allowable range." 
-#define IEC104_RESERVED_HOURS_IN_DAY_STR "(spp_iec104): IEC104 APCI I Time2a Hours Reserved field contains a non-default value." -#define IEC104_INVALID_DAY_OF_MONTH_STR "(spp_iec104): IEC104 APCI I Time2a Day of Month set outside of the allowable range." -#define IEC104_INVALID_MONTH_STR "(spp_iec104): IEC104 APCI I Time2a Month set outside of the allowable range." -#define IEC104_RESERVED_MONTH_STR "(spp_iec104): IEC104 APCI I Time2a Month Reserved field contains a non-default value." -#define IEC104_INVALID_YEAR_STR "(spp_iec104): IEC104 APCI I Time2a Year set outside of the allowable range." -#define IEC104_NULL_LOS_VALUE_STR "(spp_iec104): IEC104 APCI I a null Length of Segment value has been detected." -#define IEC104_INVALID_LOS_VALUE_STR "(spp_iec104): IEC104 APCI I an invalid Length of Segment value has been detected." -#define IEC104_RESERVED_YEAR_STR "(spp_iec104): IEC104 APCI I Time2a Year Reserved field contains a non-default value." -#define IEC104_RESERVED_SOF_STR "(spp_iec104): IEC104 APCI I Status of File set to a reserved value." -#define IEC104_RESERVED_QOS_STR "(spp_iec104): IEC104 APCI I Qualifier of Set Point Command ql field set to a reserved value." 
+#define IEC104_BAD_LENGTH_STR "Length in IEC104 APCI header does not match the length needed for the given IEC104 ASDU type id" +#define IEC104_BAD_START_STR "IEC104 Start byte does not match 0x68" +#define IEC104_RESERVED_ASDU_TYPE_STR "Reserved IEC104 ASDU type id in use" +#define IEC104_APCIU_RESERVED_FIELD_IN_USE_STR "IEC104 APCI U Reserved field contains a non-default value" +#define IEC104_APCIU_INVALID_MESSAGE_TYPE_STR "IEC104 APCI U message type was set to an invalid value" +#define IEC104_APCIS_RESERVED_FIELD_IN_USE_STR "IEC104 APCI S Reserved field contains a non-default value" +#define IEC104_APCII_NUM_ELEMENTS_SET_TO_ZERO_STR "IEC104 APCI I number of elements set to zero" +#define IEC104_APCII_INVALID_SQ_VALUE_STR "IEC104 APCI I SQ bit set on an ASDU that does not support the feature" +#define IEC104_APCII_INVALID_NUM_ELEMENTS_VALUE_STR "IEC104 APCI I number of elements set to greater than one on an ASDU that does not support the feature" +#define IEC104_RESERVED_COI_STR "IEC104 APCI I Cause of Initialization set to a reserved value" +#define IEC104_RESERVED_QOI_STR "IEC104 APCI I Qualifier of Interrogation Command set to a reserved value" +#define IEC104_RESERVED_QCC_STR "IEC104 APCI I Qualifier of Counter Interrogation Command request parameter set to a reserved value" +#define IEC104_RESERVED_QPM_KPA_STR "IEC104 APCI I Qualifier of Parameter of Measured Values kind of parameter set to a reserved value" +#define IEC104_ABNORMAL_QPM_LPC_STR "IEC104 APCI I Qualifier of Parameter of Measured Values local parameter change set to a technically valid but unused value" +#define IEC104_ABNORMAL_QPM_POP_STR "IEC104 APCI I Qualifier of Parameter of Measured Values parameter option set to a technically valid but unused value" +#define IEC104_RESERVED_QPA_STR "IEC104 APCI I Qualifier of Parameter Activation set to a reserved value" +#define IEC104_RESERVED_QOC_STR "IEC104 APCI I Qualifier of Command set to a reserved value" +#define IEC104_RESERVED_QRP_STR 
"IEC104 APCI I Qualifier of Reset Process set to a reserved value" +#define IEC104_RESERVED_FRQ_STR "IEC104 APCI I File Ready Qualifier set to a reserved value" +#define IEC104_RESERVED_SRQ_STR "IEC104 APCI I Section Ready Qualifier set to a reserved value" +#define IEC104_RESERVED_SCQ_STR "IEC104 APCI I Select and Call Qualifier set to a reserved value" +#define IEC104_RESERVED_LSQ_STR "IEC104 APCI I Last Section or Segment Qualifier set to a reserved value" +#define IEC104_RESERVED_AFQ_STR "IEC104 APCI I Acknowledge File or Section Qualifier set to a reserved value" +#define IEC104_VSQ_ABNORMAL_SQ_STR "IEC104 APCI I Structure Qualifier set on a message where it should have no effect" +#define IEC104_RESERVED_CAUSE_TX_STR "IEC104 APCI I Cause of Transmission set to a reserved value" +#define IEC104_INVALID_CAUSE_TX_STR "IEC104 APCI I Cause of Transmission set to a value not allowed for the ASDU" +#define IEC104_INVALID_COMMON_ADDRESS_STR "IEC104 APCI I invalid two octet common address value detected" +#define IEC104_RESERVED_SIQ_STR "IEC104 APCI I Single Point Information Reserved field contains a non-default value" +#define IEC104_RESERVED_DIQ_STR "IEC104 APCI I Double Point Information Reserved field contains a non-default value" +#define IEC104_RESERVED_QDS_STR "IEC104 APCI I Quality Descriptor Structure Reserved field contains a non-default value" +#define IEC104_RESERVED_QDP_STR "IEC104 APCI I Quality Descriptor for Events of Protection Equipment Structure Reserved field contains a non-default value" +#define IEC104_RESERVED_IEEE_STD_754_NAN_STR "IEC104 APCI I IEEE STD 754 value results in NaN" +#define IEC104_RESERVED_IEEE_STD_754_INFINITY_STR "IEC104 APCI I IEEE STD 754 value results in infinity" +#define IEC104_RESERVED_SEP_STR "IEC104 APCI I Single Event of Protection Equipment Structure Reserved field contains a non-default value" +#define IEC104_RESERVED_SPE_STR "IEC104 APCI I Start Event of Protection Equipment Structure Reserved field contains a 
non-default value" +#define IEC104_RESERVED_OCI_STR "IEC104 APCI I Output Circuit Information Structure Reserved field contains a non-default value" +#define IEC104_INVALID_FBP_STR "IEC104 APCI I Abnormal Fixed Test Bit Pattern detected" +#define IEC104_RESERVED_SCO_STR "IEC104 APCI I Single Command Structure Reserved field contains a non-default value" +#define IEC104_INVALID_DCO_STR "IEC104 APCI I Double Command Structure contains an invalid value" +#define IEC104_RESERVED_RCO_STR "IEC104 APCI I Regulating Step Command Structure Reserved field contains a non-default value" +#define IEC104_INVALID_MS_IN_MINUTE_STR "IEC104 APCI I Time2a Millisecond set outside of the allowable range" +#define IEC104_INVALID_MINS_IN_HOUR_STR "IEC104 APCI I Time2a Minute set outside of the allowable range" +#define IEC104_RESERVED_MINS_IN_HOUR_STR "IEC104 APCI I Time2a Minute Reserved field contains a non-default value" +#define IEC104_INVALID_HOURS_IN_DAY_STR "IEC104 APCI I Time2a Hours set outside of the allowable range" +#define IEC104_RESERVED_HOURS_IN_DAY_STR "IEC104 APCI I Time2a Hours Reserved field contains a non-default value" +#define IEC104_INVALID_DAY_OF_MONTH_STR "IEC104 APCI I Time2a Day of Month set outside of the allowable range" +#define IEC104_INVALID_MONTH_STR "IEC104 APCI I Time2a Month set outside of the allowable range" +#define IEC104_RESERVED_MONTH_STR "IEC104 APCI I Time2a Month Reserved field contains a non-default value" +#define IEC104_INVALID_YEAR_STR "IEC104 APCI I Time2a Year set outside of the allowable range" +#define IEC104_NULL_LOS_VALUE_STR "IEC104 APCI I a null Length of Segment value has been detected" +#define IEC104_INVALID_LOS_VALUE_STR "IEC104 APCI I an invalid Length of Segment value has been detected" +#define IEC104_RESERVED_YEAR_STR "IEC104 APCI I Time2a Year Reserved field contains a non-default value" +#define IEC104_RESERVED_SOF_STR "IEC104 APCI I Status of File set to a reserved value" +#define IEC104_RESERVED_QOS_STR "IEC104 APCI I 
Qualifier of Set Point Command ql field set to a reserved value" #endif