From: Michael Altizer (mialtize) Date: Wed, 4 Dec 2019 17:14:29 +0000 (+0000) Subject: Merge pull request #1876 in SNORT/snort3 from ~MSTEPANE/snort3:build_266 to master X-Git-Tag: 3.0.0-266 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3474d7e29f3aab70dbdd3dcaf4557955b90dfa2d;p=thirdparty%2Fsnort3.git Merge pull request #1876 in SNORT/snort3 from ~MSTEPANE/snort3:build_266 to master Squashed commit of the following: commit aec79dac54f6b8ad5fa28d8c0343de252858564e Author: Mike Stepanek Date: Wed Dec 4 08:34:24 2019 -0500 build: generate and tag build 266 --- diff --git a/ChangeLog b/ChangeLog index 4d6ac2c2b..e167abb6a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,37 @@ +19/12/04 - build 266 + +-- appid: Add new pattern to pop3, don't concatenate ssl certs, use openssl-1.1 compliant APIs +-- appid: Enabling host cache for unknown SSL flows +-- appid: Fix for better classification on pinholed data session and control session for + rshell/rexec +-- appid: Format detected apps stats in columns akin to file stats +-- appid: Handle memcap during reload_config using RRT +-- appid: Minor cleanup +-- cmake: Cache static DAQ module info in FindDAQ +-- file_api: Fixed eventing when FILE_SIG_DEPTH failed when store files enabled +-- flow: Add ability to defer whitelist verdict +-- flow: Clean up unit test compiler warnings +-- flow: Disabling the inspection if the Flow state is BLOCK +-- http2_inspect: Generate status lines for responses and be more lenient on RFC violations +-- http2_inspect: Implement hpack dynamic index lookups +-- http_inspect: Implement show method for verbose config output +-- http_inspect: Update user manual for detained inspection +-- hyperscan: Select max scratch from among all compiler threads +-- ips: Add support for parallel fast-pattern MPSE FSM compilation +-- ips: Only use multiple threads for rule group compilation at startup +-- ips: Support 2 rule vars same as Snort 2 +-- mpse: Only hyperscan currently supports parallel compilation +-- port_scan: Only update scanner for ICMP if we have one +-- profiler: Fix module profile for multithreaded runs +-- search_engine: Ensure configured search_method is applied to search tools +-- search_engine: Process intermediate fast-pattern matches in batches of 32 same as Snort 2 +-- search_engine: Raise an error if any MPSE compilation fails +-- sfip: Replace copy setter with implicit copy constructor +-- stats: Removal of mallinfo as it only support 32bit +-- stream_tcp: Move and update the libtcp source files to the tcp source directory to consolidate + the stream tcp code into one component (libtcp goes away) +-- stream_tcp: Updates from PR review comments + 19/11/22 - build 265 -- analyzer_command: support resource tuning on reload @@ -12,12 +46,15 @@ -- main: Improve performance of control connection polling -- plugin_manager: allow loading individual plugin files in plugin-path -- reject: Setting defaults for reset and control options --- snort: update reload resource tuner to return status indicating if there is work to be done in the packet thread --- stream: register reload resource tuner unconditionally. move checks for config changes to the tuner tinit method +-- snort: update reload resource tuner to return status indicating if there is work to be done in + the packet thread +-- stream: register reload resource tuner unconditionally. move checks for config changes to the + tuner tinit method -- stream_tcp: fix state machine instantiation -- wizard: handle NBSS startup in dce_smb_curse 19/11/06 - build 264 + -- appid: Handle DNS responses with compression pointers at last record -- dce_smb: deprecate config for smb_file_inspection, use smb_file_depth only -- detection: negated fast patterns are last choice @@ -37,6 +74,7 @@ -- telnet: fix check_encrypted help string 19/10/31 - build 263 + -- appid: for ssl sessions, set payload id to unknown after ssl handshake is done if the payload id was not not found -- appid: check inferred services in host cache only if there were updates diff --git a/doc/snort_manual.html b/doc/snort_manual.html index d9c4d8c68..106b4aa74 100644 --- a/doc/snort_manual.html +++ b/doc/snort_manual.html @@ -782,7 +782,7 @@ asciidoc.install(2); 
 ,,_     -*> Snort++ <*-
-o"  )~   Version 3.0.0 (Build 264)
+o"  )~   Version 3.0.0 (Build 266)
  ''''    By Martin Roesch & The Snort Team
          http://snort.org/contact#team
          Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
@@ -5262,15 +5262,14 @@ depth parameter entirely because that is the default.
processing.

-
accelerated_blocking
-

Accelerated blocking is an experimental feature currently under -development. It enables Snort to more quickly detect and block response -messages containing malicious JavaScript. As this feature involves -actively blocking traffic it is designed for use with inline mode -operation (-Q).

+
detained_inspection
+

Detained inspection is an experimental feature currently under development. +It enables Snort to more quickly detect and block response messages +containing malicious JavaScript. As this feature involves actively blocking +traffic it is designed for use with inline mode operation (-Q).

This feature only functions with response_depth = -1 (unlimited). This limitation will be removed in a future version.

-

This feature is off by default. accelerated_blocking = true will activate +

This feature is off by default. detained_inspection = true will activate it.

@@ -8272,7 +8271,7 @@ bool output.obfuscate = false: obfuscate the logged IP addresse

  • -bool output.wide_hex_dump = true: output 20 bytes per lines instead of 16 when dumping buffers +bool output.wide_hex_dump = false: output 20 bytes per lines instead of 16 when dumping buffers

    • @@ -9144,11 +9143,6 @@ implied snort.--pause: wait for resume/quit command before proc

  • -int snort.--pause-after-n: <count> pause after count packets { 1:max53 } -

    -
    • -
  • -

    string snort.--pcap-file: <file> file that contains a list of pcaps to read - read mode is implied

    • @@ -9194,11 +9188,6 @@ implied snort.--pedantic: warnings are fatal

  • -implied snort.--piglet: enable piglet test harness mode -

    -
    • -
  • -

    string snort.--plugin-path: <path> a colon separated list of directories or plugin libraries

    • @@ -9289,11 +9278,6 @@ string snort.--tweaks: tune configuration

  • -string snort.--catch-test: comma separated list of cat unit test tags or all -

    -
    • -
  • -

    implied snort.--version: show version number (same as -V)

    • @@ -10758,11 +10742,6 @@ protocols beyond basic decoding.

    • -int appid.first_decrypted_packet_debug = 0: the first packet of an already decrypted SSL flow (debug single session only) { 0:max32 } -

      -
      • -
    • -

      int appid.memcap = 1048576: max size of the service cache before we start pruning the cache { 1024:maxSZ }

      • @@ -10877,6 +10856,21 @@ int appid.trace: mask for enabling debug traces in module { 0:m appid.appid_unknown: count of sessions where appid could not be determined (sum)

      +
    • +

      +appid.service_cache_prunes: number of times the service cache was pruned (sum) +

      +
      • +
    • +

      +appid.service_cache_adds: number of times an entry was added to the service cache (sum) +

      +
      • +
    • +

      +appid.service_cache_removes: number of times an item was removed from the service cache (sum) +

      +
    @@ -13019,74 +13013,56 @@ int gtp_inspect.trace: mask for enabling debug traces in module

    What: HTTP/2 inspector

    Type: inspector

    Usage: inspect

    -

    Configuration:

    +

    Rules:

    • -bool http2_inspect.test_input = false: read HTTP/2 messages from text file -

      -
      • -
    • -

      -bool http2_inspect.test_output = false: print out HTTP section data -

      -
      • -
    • -

      -int http2_inspect.print_amount = 1200: number of characters to print from a Field { 1:max53 } -

      -
      • -
    • -

      -bool http2_inspect.print_hex = false: nonprinting characters printed in [HH] format instead of using an asterisk +121:1 (http2_inspect) error in HPACK integer value

    • -bool http2_inspect.show_pegs = true: display peg counts with test output +121:2 (http2_inspect) HPACK integer value has leading zeros

    • -bool http2_inspect.show_scan = false: display scanned segments +121:3 (http2_inspect) error in HPACK string value

      • -
    -

    Rules:

    -

    • -121:1 (http2_inspect) error in HPACK integer value +121:4 (http2_inspect) missing HTTP/2 continuation frame

    • -121:2 (http2_inspect) integer value has leading zeros +121:5 (http2_inspect) unexpected HTTP/2 continuation frame

    • -121:3 (http2_inspect) error in HPACK string value +121:6 (http2_inspect) misformatted HTTP/2 traffic

    • -121:4 (http2_inspect) missing continuation frame +121:7 (http2_inspect) HTTP/2 connection preface does not match

    • -121:5 (http2_inspect) unexpected continuation frame +121:9 (http2_inspect) HTTP/2 request missing required header field

    • -121:6 (http2_inspect) misformatted HTTP/2 traffic +121:10 (http2_inspect) HTTP/2 response has no status code

    • -121:7 (http2_inspect) HTTP/2 connection preface does not match +121:11 (http2_inspect) invalid HTTP/2 header field

    @@ -13231,36 +13207,6 @@ bool http_inspect.plus_to_space = true: replace + with <sp&g bool http_inspect.simplify_path = true: reduce URI directory path to simplest form

    -
  • -

    -bool http_inspect.test_input = false: read HTTP messages from text file -

    -
    • -
  • -

    -bool http_inspect.test_output = false: print out HTTP section data -

    -
    • -
  • -

    -int http_inspect.print_amount = 1200: number of characters to print from a Field { 1:max53 } -

    -
    • -
  • -

    -bool http_inspect.print_hex = false: nonprinting characters printed in [HH] format instead of using an asterisk -

    -
    • -
  • -

    -bool http_inspect.show_pegs = true: display peg counts with test output -

    -
    • -
  • -

    -bool http_inspect.show_scan = false: display scanned segments -

    -

    • Rules:

      @@ -21952,12 +21898,6 @@ options into a Snort++ configuration file

  • ---print-binding-order - Print sorting priority used when generating binder table -

    -
    • -
  • -

    --print-differences Same as -d. output the differences, and only the differences, between the Snort and Snort++ configurations to the <out_file> @@ -24604,11 +24544,6 @@ these libraries see the Getting Started section of the manual.

  • ---pause-after-n <count> pause after count packets (1:max53) -

    -
    • -
  • -

    --pcap-file <file> file that contains a list of pcaps to read - read mode is implied

    • @@ -24654,11 +24589,6 @@ these libraries see the Getting Started section of the manual.

  • ---piglet enable piglet test harness mode -

    -
    • -
  • -

    --plugin-path <path> a colon separated list of directories or plugin libraries

    • @@ -24749,11 +24679,6 @@ these libraries see the Getting Started section of the manual.

  • ---catch-test comma separated list of cat unit test tags or all -

    -
    • -
  • -

    --version show version number (same as -V)

    • @@ -25034,11 +24959,6 @@ bool appid.dump_ports = false: enable dump of appid port inform

  • -int appid.first_decrypted_packet_debug = 0: the first packet of an already decrypted SSL flow (debug single session only) { 0:max32 } -

    -
    • -
  • -

    int appid.instance_id = 0: instance id - ignored { 0:max32 }

    • @@ -26639,36 +26559,6 @@ enum host_tracker[].services[].proto: IP protocol

  • -int http2_inspect.print_amount = 1200: number of characters to print from a Field { 1:max53 } -

    -
    • -
  • -

    -bool http2_inspect.print_hex = false: nonprinting characters printed in [HH] format instead of using an asterisk -

    -
    • -
  • -

    -bool http2_inspect.show_pegs = true: display peg counts with test output -

    -
    • -
  • -

    -bool http2_inspect.show_scan = false: display scanned segments -

    -
    • -
  • -

    -bool http2_inspect.test_input = false: read HTTP/2 messages from text file -

    -
    • -
  • -

    -bool http2_inspect.test_output = false: print out HTTP section data -

    -
    • -
  • -

    implied http_cookie.request: match against the cookie from the request message even when examining the response

    • @@ -26799,16 +26689,6 @@ bool http_inspect.plus_to_space = true: replace + with <sp&g

  • -int http_inspect.print_amount = 1200: number of characters to print from a Field { 1:max53 } -

    -
    • -
  • -

    -bool http_inspect.print_hex = false: nonprinting characters printed in [HH] format instead of using an asterisk -

    -
    • -
  • -

    int http_inspect.request_depth = -1: maximum request message body bytes to examine (-1 no limit) { -1:max53 }

    • @@ -26819,31 +26699,11 @@ int http_inspect.response_depth = -1: maximum response message

  • -bool http_inspect.show_pegs = true: display peg counts with test output -

    -
    • -
  • -

    -bool http_inspect.show_scan = false: display scanned segments -

    -
    • -
  • -

    bool http_inspect.simplify_path = true: reduce URI directory path to simplest form

  • -bool http_inspect.test_input = false: read HTTP messages from text file -

    -
    • -
  • -

    -bool http_inspect.test_output = false: print out HTTP section data -

    -
    • -
  • -

    bool http_inspect.unzip = true: decompress gzip and deflate message bodies

    • @@ -27639,7 +27499,7 @@ bool output.verbose = false: be verbose (same as -v)

  • -bool output.wide_hex_dump = true: output 20 bytes per lines instead of 16 when dumping buffers +bool output.wide_hex_dump = false: output 20 bytes per lines instead of 16 when dumping buffers

  • @@ -28879,11 +28739,6 @@ string snort.--c2x: output hex for given char (see also --x2c)

  • -string snort.--catch-test: comma separated list of cat unit test tags or all -

    -
    • -
  • -

    string snort.-c: <conf> use this configuration

    • @@ -29184,11 +29039,6 @@ string snort.-?: <option prefix> output matching command

  • -int snort.--pause-after-n: <count> pause after count packets { 1:max53 } -

    -
    • -
  • -

    implied snort.--pause: wait for resume/quit command before processing packets/terminating

    • @@ -29239,11 +29089,6 @@ implied snort.--pedantic: warnings are fatal

  • -implied snort.--piglet: enable piglet test harness mode -

    -
    • -
  • -

    string snort.--plugin-path: <path> a colon separated list of directories or plugin libraries

    • @@ -30104,6 +29949,21 @@ interval wscale.~range: check if TCP window scale is in given r

  • +appid.service_cache_adds: number of times an entry was added to the service cache (sum) +

    +
    • +
  • +

    +appid.service_cache_prunes: number of times the service cache was pruned (sum) +

    +
    • +
  • +

    +appid.service_cache_removes: number of times an item was removed from the service cache (sum) +

    +
    • +
  • +

    appid.total_sessions: count of sessions created (sum)

    • @@ -34829,7 +34689,7 @@ interval wscale.~range: check if TCP window scale is in given r

  • -121:2 (http2_inspect) integer value has leading zeros +121:2 (http2_inspect) HPACK integer value has leading zeros

  • @@ -34839,12 +34699,12 @@ interval wscale.~range: check if TCP window scale is in given r

  • -121:4 (http2_inspect) missing continuation frame +121:4 (http2_inspect) missing HTTP/2 continuation frame

  • -121:5 (http2_inspect) unexpected continuation frame +121:5 (http2_inspect) unexpected HTTP/2 continuation frame

  • @@ -34859,6 +34719,21 @@ interval wscale.~range: check if TCP window scale is in given r

  • +121:9 (http2_inspect) HTTP/2 request missing required header field +

    +
    • +
  • +

    +121:10 (http2_inspect) HTTP/2 response has no status code +

    +
    • +
  • +

    +121:11 (http2_inspect) invalid HTTP/2 header field +

    +
    • +
  • +

    122:1 (port_scan) TCP portscan

    • @@ -38925,46 +38800,6 @@ deleted -> unified2: 'vlan_event_types'

  • -piglet::pp_codec: Codec piglet -

    -
    • -
  • -

    -piglet::pp_inspector: Inspector piglet -

    -
    • -
  • -

    -piglet::pp_ips_action: Ips action piglet -

    -
    • -
  • -

    -piglet::pp_ips_option: Ips option piglet -

    -
    • -
  • -

    -piglet::pp_logger: Logger piglet -

    -
    • -
  • -

    -piglet::pp_search_engine: Search engine piglet -

    -
    • -
  • -

    -piglet::pp_so_rule: SO rule piglet -

    -
    • -
  • -

    -piglet::pp_test: Test piglet -

    -
    • -
  • -

    search_engine::ac_banded: Aho-Corasick Banded (high memory, moderate performance)

    • @@ -39228,7 +39063,7 @@ Adding/removing stream_* inspectors if stream was already configured diff --git a/doc/snort_manual.pdf b/doc/snort_manual.pdf index 370f60269..973b3e1e7 100644 Binary files a/doc/snort_manual.pdf and b/doc/snort_manual.pdf differ diff --git a/doc/snort_manual.text b/doc/snort_manual.text index 578fad4d7..731d9a7df 100644 --- a/doc/snort_manual.text +++ b/doc/snort_manual.text @@ -410,7 +410,7 @@ Table of Contents Snorty ,,_ -*> Snort++ <*- -o" )~ Version 3.0.0 (Build 264) +o" )~ Version 3.0.0 (Build 266) '''' By Martin Roesch & The Snort Team http://snort.org/contact#team Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved. @@ -3791,9 +3791,9 @@ omit the depth parameter entirely because that is the default. These limits have no effect on how much data is forwarded to file processing. -5.9.2.2. accelerated_blocking +5.9.2.2. detained_inspection -Accelerated blocking is an experimental feature currently under +Detained inspection is an experimental feature currently under development. It enables Snort to more quickly detect and block response messages containing malicious JavaScript. As this feature involves actively blocking traffic it is designed for use with inline @@ -3802,7 +3802,7 @@ mode operation (-Q). This feature only functions with response_depth = -1 (unlimited). This limitation will be removed in a future version. -This feature is off by default. accelerated_blocking = true will +This feature is off by default. detained_inspection = true will activate it. 5.9.2.3. gzip @@ -6010,7 +6010,7 @@ Configuration: * bool output.verbose = false: be verbose (same as -v) * bool output.obfuscate = false: obfuscate the logged IP addresses (same as -O) - * bool output.wide_hex_dump = true: output 20 bytes per lines + * bool output.wide_hex_dump = false: output 20 bytes per lines instead of 16 when dumping buffers @@ -6427,8 +6427,6 @@ Configuration: * implied snort.--nolock-pidfile: do not try to lock Snort PID file * implied snort.--pause: wait for resume/quit command before processing packets/terminating - * int snort.--pause-after-n: pause after count packets { - 1:max53 } * string snort.--pcap-file: file that contains a list of pcaps to read - read mode is implied * string snort.--pcap-list: a space separated list of pcaps @@ -6446,7 +6444,6 @@ Configuration: * implied snort.--pcap-show: print a line saying what pcap is currently being read * implied snort.--pedantic: warnings are fatal - * implied snort.--piglet: enable piglet test harness mode * string snort.--plugin-path: a colon separated list of directories or plugin libraries * implied snort.--process-all-events: process all action groups @@ -6478,8 +6475,6 @@ Configuration: * implied snort.--treat-drop-as-ignore: use drop, block, and reset rules to ignore session traffic when not inline * string snort.--tweaks: tune configuration - * string snort.--catch-test: comma separated list of cat unit test - tags or all * implied snort.--version: show version number (same as -V) * implied snort.--warn-all: enable all warnings * implied snort.--warn-conf: warn about configuration issues @@ -7248,9 +7243,6 @@ Usage: context Configuration: - * int appid.first_decrypted_packet_debug = 0: the first packet of - an already decrypted SSL flow (debug single session only) { - 0:max32 } * int appid.memcap = 1048576: max size of the service cache before we start pruning the cache { 1024:maxSZ } * bool appid.log_stats = false: enable logging of appid statistics @@ -7294,6 +7286,12 @@ Peg counts: * appid.total_sessions: count of sessions created (sum) * appid.appid_unknown: count of sessions where appid could not be determined (sum) + * appid.service_cache_prunes: number of times the service cache was + pruned (sum) + * appid.service_cache_adds: number of times an entry was added to + the service cache (sum) + * appid.service_cache_removes: number of times an item was removed + from the service cache (sum) 9.2. arp_spoof @@ -8248,29 +8246,19 @@ Type: inspector Usage: inspect -Configuration: - - * bool http2_inspect.test_input = false: read HTTP/2 messages from - text file - * bool http2_inspect.test_output = false: print out HTTP section - data - * int http2_inspect.print_amount = 1200: number of characters to - print from a Field { 1:max53 } - * bool http2_inspect.print_hex = false: nonprinting characters - printed in [HH] format instead of using an asterisk - * bool http2_inspect.show_pegs = true: display peg counts with test - output - * bool http2_inspect.show_scan = false: display scanned segments - Rules: * 121:1 (http2_inspect) error in HPACK integer value - * 121:2 (http2_inspect) integer value has leading zeros + * 121:2 (http2_inspect) HPACK integer value has leading zeros * 121:3 (http2_inspect) error in HPACK string value - * 121:4 (http2_inspect) missing continuation frame - * 121:5 (http2_inspect) unexpected continuation frame + * 121:4 (http2_inspect) missing HTTP/2 continuation frame + * 121:5 (http2_inspect) unexpected HTTP/2 continuation frame * 121:6 (http2_inspect) misformatted HTTP/2 traffic * 121:7 (http2_inspect) HTTP/2 connection preface does not match + * 121:9 (http2_inspect) HTTP/2 request missing required header + field + * 121:10 (http2_inspect) HTTP/2 response has no status code + * 121:11 (http2_inspect) invalid HTTP/2 header field Peg counts: @@ -8343,17 +8331,6 @@ Configuration: normalizing URIs * bool http_inspect.simplify_path = true: reduce URI directory path to simplest form - * bool http_inspect.test_input = false: read HTTP messages from - text file - * bool http_inspect.test_output = false: print out HTTP section - data - * int http_inspect.print_amount = 1200: number of characters to - print from a Field { 1:max53 } - * bool http_inspect.print_hex = false: nonprinting characters - printed in [HH] format instead of using an asterisk - * bool http_inspect.show_pegs = true: display peg counts with test - output - * bool http_inspect.show_scan = false: display scanned segments Rules: @@ -13212,8 +13189,6 @@ Converts the Snort configuration file specified by the -c or * --output-file= Same as -o. output the new Snort++ lua configuration to * --print-all Same as -a. default option. print all data - * --print-binding-order Print sorting priority used when generating - binder table * --print-differences Same as -d. output the differences, and only the differences, between the Snort and Snort++ configurations to the @@ -14555,7 +14530,6 @@ these libraries see the Getting Started section of the manual. * --nolock-pidfile do not try to lock Snort PID file * --pause wait for resume/quit command before processing packets/ terminating - * --pause-after-n pause after count packets (1:max53) * --pcap-file file that contains a list of pcaps to read - read mode is implied * --pcap-list a space separated list of pcaps to read - read @@ -14572,7 +14546,6 @@ these libraries see the Getting Started section of the manual. between pcaps * --pcap-show print a line saying what pcap is currently being read * --pedantic warnings are fatal - * --piglet enable piglet test harness mode * --plugin-path a colon separated list of directories or plugin libraries * --process-all-events process all action groups @@ -14601,7 +14574,6 @@ these libraries see the Getting Started section of the manual. * --treat-drop-as-ignore use drop, block, and reset rules to ignore session traffic when not inline * --tweaks tune configuration - * --catch-test comma separated list of cat unit test tags or all * --version show version number (same as -V) * --warn-all enable all warnings * --warn-conf warn about configuration issues @@ -14721,9 +14693,6 @@ these libraries see the Getting Started section of the manual. * bool appid.debug = false: enable appid debug logging * bool appid.dump_ports = false: enable dump of appid port information - * int appid.first_decrypted_packet_debug = 0: the first packet of - an already decrypted SSL flow (debug single session only) { - 0:max32 } * int appid.instance_id = 0: instance id - ignored { 0:max32 } * bool appid.log_all_sessions = false: enable logging of all appid sessions @@ -15241,17 +15210,6 @@ these libraries see the Getting Started section of the manual. * port host_tracker[].services[].port: port number * enum host_tracker[].services[].proto: IP protocol { ip | tcp | udp } - * int http2_inspect.print_amount = 1200: number of characters to - print from a Field { 1:max53 } - * bool http2_inspect.print_hex = false: nonprinting characters - printed in [HH] format instead of using an asterisk - * bool http2_inspect.show_pegs = true: display peg counts with test - output - * bool http2_inspect.show_scan = false: display scanned segments - * bool http2_inspect.test_input = false: read HTTP/2 messages from - text file - * bool http2_inspect.test_output = false: print out HTTP section - data * implied http_cookie.request: match against the cookie from the request message even when examining the response * implied http_cookie.with_body: parts of this rule examine HTTP @@ -15307,23 +15265,12 @@ these libraries see the Getting Started section of the manual. encodings * bool http_inspect.plus_to_space = true: replace + with when normalizing URIs - * int http_inspect.print_amount = 1200: number of characters to - print from a Field { 1:max53 } - * bool http_inspect.print_hex = false: nonprinting characters - printed in [HH] format instead of using an asterisk * int http_inspect.request_depth = -1: maximum request message body bytes to examine (-1 no limit) { -1:max53 } * int http_inspect.response_depth = -1: maximum response message body bytes to examine (-1 no limit) { -1:max53 } - * bool http_inspect.show_pegs = true: display peg counts with test - output - * bool http_inspect.show_scan = false: display scanned segments * bool http_inspect.simplify_path = true: reduce URI directory path to simplest form - * bool http_inspect.test_input = false: read HTTP messages from - text file - * bool http_inspect.test_output = false: print out HTTP section - data * bool http_inspect.unzip = true: decompress gzip and deflate message bodies * bool http_inspect.utf8_bare_byte = false: when doing UTF-8 @@ -15615,7 +15562,7 @@ these libraries see the Getting Started section of the manual. * int output.tagged_packet_limit = 256: maximum number of packets tagged for non-packet metrics { 0:max32 } * bool output.verbose = false: be verbose (same as -v) - * bool output.wide_hex_dump = true: output 20 bytes per lines + * bool output.wide_hex_dump = false: output 20 bytes per lines instead of 16 when dumping buffers * bool packet_capture.enable = false: initially enable packet dumping @@ -16046,8 +15993,6 @@ these libraries see the Getting Started section of the manual. * string snort.--bpf: are standard BPF options, as seen in TCPDump * string snort.--c2x: output hex for given char (see also --x2c) - * string snort.--catch-test: comma separated list of cat unit test - tags or all * string snort.-c: use this configuration * string snort.--control-socket: to create unix socket * implied snort.-C: print out payloads with character data only (no @@ -16147,8 +16092,6 @@ these libraries see the Getting Started section of the manual. * implied snort.-O: obfuscate the logged IP addresses * string snort.-?: