From: Russ Combs (rucombs)
Date: Wed, 24 Nov 2021 16:21:01 +0000 (+0000)
Subject: Pull request #3175: Wizard Updates for Talos
X-Git-Tag: 3.1.18.0~13
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=32271679e7ad7dfb28b0fcf20635786f104efe9b;p=thirdparty%2Fsnort3.git

Pull request #3175: Wizard Updates for Talos

Merge in SNORT/snort3 from ~RUCOMBS/snort3:ff_ff to master

Squashed commit of the following:

commit 472d7f7b3c90c3229ee7f9ef1a4750e1bd26ae06
Author: russ
Date: Sun Nov 21 08:05:51 2021 -0500

    wizard: add patterns to match unknown HTTP and SIP methods

commit 494a587f21fcfbceb8b95bb859082dad8290013e
Author: russ
Date: Fri Nov 19 11:07:32 2021 -0500

    wizard: remove telnet IAC pattern
---

diff --git a/lua/snort_defaults.lua b/lua/snort_defaults.lua
index 547cd3781..e6eacb5ff 100644
--- a/lua/snort_defaults.lua
+++ b/lua/snort_defaults.lua
@@ -315,7 +315,11 @@ default_smtp =
 -- default wizard
 ---------------------------------------------------------------------------
 
-http_methods = -- build from default_http_methods
+-- some HTTP and SIP methods match the whole start line to disambiguate
+-- between them or, in the case of ACK, from another protocol
+-- the * * patterns match unknown methods
+
+http_methods =
 {
     'GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'TRACE', 'CONNECT',
     'VERSION_CONTROL', 'REPORT', 'CHECKOUT', 'CHECKIN', 'UNCHECKOUT',
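Review bot: The new `'* * HTTP/'` spell (and `'* * SIP/'` in the next hunk) makes the wizard claim any payload whose start line has the shape `<token> <token> HTTP/`, a far wider net than the explicit method list, and the three-line comment added above `http_methods` does not say what that implies for data that only matches the catch-all or why misidentifying non-HTTP traffic with that shape is an acceptable trade-off. Suggest extending it with `-- the '* *' catch-alls deliberately claim unknown and malformed methods; any other protocol whose start line has this shape will be claimed too`. The removed trailer `-- build from default_http_methods` is also dropped without a replacement; if that table still exists outside this hunk, a one-line pointer to it would keep the two method lists from drifting apart silently. The `http_methods` table continues past the end of the hunk.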
@@ -325,13 +329,15 @@ http_methods = -- build from default_http_methods
     'UPDATEREDIRECTREF', 'PROPFIND', 'PROPPATCH', 'MKCOL', 'COPY', 'MOVE',
     'LOCK', 'UNLOCK', 'SEARCH', 'BCOPY', 'BDELETE', 'BMOVE', 'BPROPFIND',
     'BPROPPATCH', 'POLL', 'UNSUBSCRIBE', 'X_MS_ENUMATTS',
-    'NOTIFY * HTTP/', 'SUBSCRIBE * HTTP/', 'UPDATE * HTTP/', 'OPTIONS * HTTP/'
+    'NOTIFY * HTTP/', 'OPTIONS * HTTP/', 'SUBSCRIBE * HTTP/', 'UPDATE * HTTP/',
+    '* * HTTP/'
 }
 
 sip_requests =
 {
     'INVITE', 'CANCEL', 'BYE', 'REGISTER', 'PRACK', 'PUBLISH', 'REFER', 'INFO', 'MESSAGE',
-    'ACK * SIP/', 'SUBSCRIBE * SIP/', 'UPDATE * SIP/', 'NOTIFY * SIP/', 'OPTIONS * SIP/'
+    'NOTIFY * SIP/', 'OPTIONS * SIP/', 'SUBSCRIBE * SIP/', 'UPDATE * SIP/',
+    'ACK * SIP/', '* * SIP/'
 }
 
 telnet_commands =
@@ -339,7 +345,7 @@ telnet_commands =
     '|FF F0|', '|FF F1|', '|FF F2|', '|FF F3|',
     '|FF F4|', '|FF F5|', '|FF F6|', '|FF F7|',
     '|FF F8|', '|FF F9|', '|FF FA|', '|FF FB|',
-    '|FF FC|', '|FF FD|', '|FF FE|', '|FF FF|'
+    '|FF FC|', '|FF FD|', '|FF FE|'
 }
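Review bot: Once `'* * HTTP/'` and `'* * SIP/'` are in the lists, the explicit full-line spells kept on the lines above them (`'NOTIFY * HTTP/'`, `'OPTIONS * SIP/'`, and the rest) appear to match a strict subset of what the catch-all matches, assuming the wizard's `*` stands for any run of bytes; if that holds they now only document the known methods, and a comment such as `-- the explicit '<METHOD> * …/' spells are covered by '* * …/' and are kept for readability` would save a later reader from hunting for a behavioural difference. If `*` has a narrower meaning in wizard spells, the comment should state it instead, because the reach of the catch-all is the security-relevant fact here. The placement of `'ACK * SIP/'` after the alphabetised entries is only explained by the comment in the earlier hunk, so a short local note like `-- ACK needs the whole start line to avoid matching another protocol` would help. The `sip_requests` ordering change itself is fine.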