From: Mike Stepanek (mstepane)
Date: Wed, 28 Jul 2021 13:26:35 +0000 (+0000)
Subject: Merge pull request #3000 in SNORT/snort3 from ~MSTEPANE/snort3:build_3.1.9.0 to master
X-Git-Tag: 3.1.9.0
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3823052ba9c20ca95877ec2b6b7ed0279937b54f;p=thirdparty%2Fsnort3.git

Merge pull request #3000 in SNORT/snort3 from ~MSTEPANE/snort3:build_3.1.9.0 to master

Squashed commit of the following:

commit b68d4a2da45b3c27f5ceab8bec0d64d359a27a71
Author: Mike Stepanek
Date: Wed Jul 28 06:18:02 2021 -0400

    build: generate and tag 3.1.9.0
---
diff --git a/CMakeLists.txt b/CMakeLists.txt
index ca5dc010c..542395af8 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -3,7 +3,7 @@ project (snort CXX C)
 set (VERSION_MAJOR 3)
 set (VERSION_MINOR 1)
-set (VERSION_PATCH 8)
+set (VERSION_PATCH 9)
 set (VERSION_SUBLEVEL 0)
 set (VERSION "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}.${VERSION_SUBLEVEL}")
diff --git a/ChangeLog b/ChangeLog
index c5f348deb..160e2198a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,23 @@ +2021/07/28 - 3.1.9.0 + +actions: allow session data to stay accessible for loggers for reject rule action +byte_options: address compiler warnings +control: add idle expire removal to control channels +dump_stats: direct output back to command channel +events: use instance_id to make event_id unique across threads +file_api: handle file_cache inspection for non-zero offset +http2_inspect: change xor to or in assert that was failing due to uninitialized variable +http2_inspect: fix HPACK dynamic table size update management +http2_inspect: remove unused variables +http_inspect: add peg count for script bytes processed +http_inspect: add rule option http_raw_header_complete +http_inspect: don't allocate 0-length partial inspection buffer +ips_options: add catch tests for byte_test, byte_jump, byte_math, byte_extract +ips_options: address compiler warnings +ips_options: refactor byte_extract, byte_test, byte_math, byte_jump and related tests +lua: update HTTP/2 default_wizard hex with S2C pattern match +stats: update file and appid stats to use Log functions provided from stats.cc + 2021/07/15 - 3.1.8.0 appid: support SSH client detection through lua detector diff --git a/doc/reference/snort_reference.text b/doc/reference/snort_reference.text index fa728ae39..9a4d7db3b 100644 --- a/doc/reference/snort_reference.text +++ b/doc/reference/snort_reference.text @@ -8,7 +8,7 @@ Snort 3 Reference Manual The Snort Team Revision History -Revision 3.1.8.0 2021-07-15 06:38:22 EDT TST +Revision 3.1.9.0 2021-07-28 06:22:26 EDT TST --------------------------------------------------------------------- 
@@ -201,71 +201,72 @@ Table of Contents 7.52. http_raw_body 7.53. http_raw_cookie 7.54. http_raw_header - 7.55. http_raw_request - 7.56. http_raw_status - 7.57. http_raw_trailer - 7.58. http_raw_uri - 7.59. http_stat_code - 7.60. http_stat_msg - 7.61. http_trailer - 7.62. http_true_ip - 7.63. http_uri - 7.64. http_version - 7.65. icmp_id - 7.66. icmp_seq - 7.67. icode - 7.68. id - 7.69. iec104_apci_type - 7.70. iec104_asdu_func - 7.71. ip_proto - 7.72. ipopts - 7.73. isdataat - 7.74. itype - 7.75. md5 - 7.76. metadata - 7.77. modbus_data - 7.78. modbus_func - 7.79. modbus_unit - 7.80. msg - 7.81. mss - 7.82. pcre - 7.83. pkt_data - 7.84. pkt_num - 7.85. priority - 7.86. raw_data - 7.87. reference - 7.88. regex - 7.89. rem - 7.90. replace - 7.91. rev - 7.92. rpc - 7.93. s7commplus_content - 7.94. s7commplus_func - 7.95. s7commplus_opcode - 7.96. script_data - 7.97. sd_pattern - 7.98. seq - 7.99. service - 7.100. sha256 - 7.101. sha512 - 7.102. sid - 7.103. sip_body - 7.104. sip_header - 7.105. sip_method - 7.106. sip_stat_code - 7.107. so - 7.108. soid - 7.109. ssl_state - 7.110. ssl_version - 7.111. stream_reassemble - 7.112. stream_size - 7.113. tag - 7.114. target - 7.115. tos - 7.116. ttl - 7.117. urg - 7.118. window - 7.119. wscale + 7.55. http_raw_header_complete + 7.56. http_raw_request + 7.57. http_raw_status + 7.58. http_raw_trailer + 7.59. http_raw_uri + 7.60. http_stat_code + 7.61. http_stat_msg + 7.62. http_trailer + 7.63. http_true_ip + 7.64. http_uri + 7.65. http_version + 7.66. icmp_id + 7.67. icmp_seq + 7.68. icode + 7.69. id + 7.70. iec104_apci_type + 7.71. iec104_asdu_func + 7.72. ip_proto + 7.73. ipopts + 7.74. isdataat + 7.75. itype + 7.76. md5 + 7.77. metadata + 7.78. modbus_data + 7.79. modbus_func + 7.80. modbus_unit + 7.81. msg + 7.82. mss + 7.83. pcre + 7.84. pkt_data + 7.85. pkt_num + 7.86. priority + 7.87. raw_data + 7.88. reference + 7.89. regex + 7.90. rem + 7.91. replace + 7.92. rev + 7.93. rpc + 7.94. s7commplus_content + 7.95. 
s7commplus_func + 7.96. s7commplus_opcode + 7.97. script_data + 7.98. sd_pattern + 7.99. seq + 7.100. service + 7.101. sha256 + 7.102. sha512 + 7.103. sid + 7.104. sip_body + 7.105. sip_header + 7.106. sip_method + 7.107. sip_stat_code + 7.108. so + 7.109. soid + 7.110. ssl_state + 7.111. ssl_version + 7.112. stream_reassemble + 7.113. stream_size + 7.114. tag + 7.115. target + 7.116. tos + 7.117. ttl + 7.118. urg + 7.119. window + 7.120. wscale 8. Search Engine Modules 9. SO Rule Modules @@ -3608,6 +3609,12 @@ Rules: * 121:32 (http2_inspect) HTTP/2 window update frame with zero increment * 121:33 (http2_inspect) HTTP/2 request without a method + * 121:34 (http2_inspect) HTTP/2 HPACK table size update not at the + start of a header block + * 121:35 (http2_inspect) More than two HTTP/2 HPACK table size + updates in a single header block + * 121:36 (http2_inspect) HTTP/2 HPACK table size update exceeds max + value set by decoder in SETTINGS frame Peg counts: @@ -3896,6 +3903,8 @@ Peg counts: JavaScripts processed (sum) * http_inspect.js_external_scripts: total number of external JavaScripts processed (sum) + * http_inspect.js_bytes: total number of JavaScript bytes processed + (sum) 5.25. iec104 @@ -6764,7 +6773,30 @@ Configuration: HTTP message trailers -7.55. http_raw_request +7.55. http_raw_header_complete + +-------------- + +Help: rule option to set the detection cursor to the unnormalized +headers including cookies + +Type: ips_option + +Usage: detect + +Configuration: + + * implied http_raw_header_complete.request: match against the + headers from the request message even when examining the response + * implied http_raw_header_complete.with_header: this rule is + limited to examining HTTP message headers + * implied http_raw_header_complete.with_body: parts of this rule + examine HTTP message body + * implied http_raw_header_complete.with_trailer: parts of this rule + examine HTTP message trailers + + +7.56. http_raw_request -------------- 
@@ -6785,7 +6817,7 @@ Configuration: HTTP message trailers -7.56. http_raw_status +7.57. http_raw_status -------------- @@ -6804,7 +6836,7 @@ Configuration: HTTP message trailers -7.57. http_raw_trailer +7.58. http_raw_trailer -------------- @@ -6825,7 +6857,7 @@ Configuration: HTTP response message body (must be combined with request) -7.58. http_raw_uri +7.59. http_raw_uri -------------- @@ -6854,7 +6886,7 @@ Configuration: URI only -7.59. http_stat_code +7.60. http_stat_code -------------- @@ -6872,7 +6904,7 @@ Configuration: HTTP message trailers -7.60. http_stat_msg +7.61. http_stat_msg -------------- @@ -6891,7 +6923,7 @@ Configuration: HTTP message trailers -7.61. http_trailer +7.62. http_trailer -------------- @@ -6913,7 +6945,7 @@ Configuration: message body (must be combined with request) -7.62. http_true_ip +7.63. http_true_ip -------------- @@ -6934,7 +6966,7 @@ Configuration: HTTP message trailers -7.63. http_uri +7.64. http_uri -------------- @@ -6962,7 +6994,7 @@ Configuration: only -7.64. http_version +7.65. http_version -------------- @@ -6984,7 +7016,7 @@ Configuration: HTTP message trailers -7.65. icmp_id +7.66. icmp_id -------------- @@ -7000,7 +7032,7 @@ Configuration: 0:65535 } -7.66. icmp_seq +7.67. icmp_seq -------------- @@ -7016,7 +7048,7 @@ Configuration: given range { 0:65535 } -7.67. icode +7.68. icode -------------- @@ -7032,7 +7064,7 @@ Configuration: 0:255 } -7.68. id +7.69. id -------------- @@ -7048,7 +7080,7 @@ Configuration: } -7.69. iec104_apci_type +7.70. iec104_apci_type -------------- @@ -7063,7 +7095,7 @@ Configuration: * string iec104_apci_type.~: APCI type to match -7.70. iec104_asdu_func +7.71. iec104_asdu_func -------------- @@ -7078,7 +7110,7 @@ Configuration: * string iec104_asdu_func.~: function code to match -7.71. ip_proto +7.72. ip_proto -------------- @@ -7093,7 +7125,7 @@ Configuration: * string ip_proto.~proto: [!|>|<] name or number -7.72. ipopts +7.73. ipopts -------------- 
@@ -7109,7 +7141,7 @@ Configuration: lsrre|ssrr|satid|any } -7.73. isdataat +7.74. isdataat -------------- @@ -7126,7 +7158,7 @@ Configuration: buffer -7.74. itype +7.75. itype -------------- @@ -7142,7 +7174,7 @@ Configuration: 0:255 } -7.75. md5 +7.76. md5 -------------- @@ -7162,7 +7194,7 @@ Configuration: of buffer -7.76. metadata +7.77. metadata -------------- @@ -7179,7 +7211,7 @@ Configuration: pairs -7.77. modbus_data +7.78. modbus_data -------------- @@ -7190,7 +7222,7 @@ Type: ips_option Usage: detect -7.78. modbus_func +7.79. modbus_func -------------- @@ -7205,7 +7237,7 @@ Configuration: * string modbus_func.~: function code to match -7.79. modbus_unit +7.80. modbus_unit -------------- @@ -7220,7 +7252,7 @@ Configuration: * int modbus_unit.~: Modbus unit ID { 0:255 } -7.80. msg +7.81. msg -------------- @@ -7235,7 +7267,7 @@ Configuration: * string msg.~: message describing rule -7.81. mss +7.82. mss -------------- @@ -7251,7 +7283,7 @@ Configuration: } -7.82. pcre +7.83. pcre -------------- @@ -7273,7 +7305,7 @@ Peg counts: * pcre.pcre_negated: total pcre rules using negation syntax (sum) -7.83. pkt_data +7.84. pkt_data -------------- @@ -7285,7 +7317,7 @@ Type: ips_option Usage: detect -7.84. pkt_num +7.85. pkt_num -------------- @@ -7301,7 +7333,7 @@ Configuration: { 1: } -7.85. priority +7.86. priority -------------- @@ -7317,7 +7349,7 @@ Configuration: 1:max31 } -7.86. raw_data +7.87. raw_data -------------- @@ -7328,7 +7360,7 @@ Type: ips_option Usage: detect -7.87. reference +7.88. reference -------------- @@ -7343,7 +7375,7 @@ Configuration: * string reference.~ref: reference: , -7.88. regex +7.89. regex -------------- @@ -7367,7 +7399,7 @@ Configuration: instead of start of buffer -7.89. rem +7.90. rem -------------- @@ -7382,7 +7414,7 @@ Configuration: * string rem.~: comment -7.90. replace +7.91. replace -------------- @@ -7397,7 +7429,7 @@ Configuration: * string replace.~: byte code to replace with -7.91. rev +7.92. rev -------------- 
@@ -7412,7 +7444,7 @@ Configuration: * int rev.~: revision { 1:max32 } -7.92. rpc +7.93. rpc -------------- @@ -7429,7 +7461,7 @@ Configuration: * string rpc.~proc: procedure number or * for any -7.93. s7commplus_content +7.94. s7commplus_content -------------- @@ -7440,7 +7472,7 @@ Type: ips_option Usage: detect -7.94. s7commplus_func +7.95. s7commplus_func -------------- @@ -7455,7 +7487,7 @@ Configuration: * string s7commplus_func.~: function code to match -7.95. s7commplus_opcode +7.96. s7commplus_opcode -------------- @@ -7470,7 +7502,7 @@ Configuration: * string s7commplus_opcode.~: opcode code to match -7.96. script_data +7.97. script_data -------------- @@ -7481,7 +7513,7 @@ Type: ips_option Usage: detect -7.97. sd_pattern +7.98. sd_pattern -------------- @@ -7505,7 +7537,7 @@ Peg counts: * sd_pattern.terminated: hyperscan terminated (sum) -7.98. seq +7.99. seq -------------- @@ -7521,7 +7553,7 @@ Configuration: range { 0: } -7.99. service +7.100. service -------------- @@ -7536,7 +7568,7 @@ Configuration: * string service.*: one or more comma-separated service names -7.100. sha256 +7.101. sha256 -------------- @@ -7556,7 +7588,7 @@ Configuration: start of buffer -7.101. sha512 +7.102. sha512 -------------- @@ -7576,7 +7608,7 @@ Configuration: start of buffer -7.102. sid +7.103. sid -------------- @@ -7591,7 +7623,7 @@ Configuration: * int sid.~: signature id { 1:max32 } -7.103. sip_body +7.104. sip_body -------------- @@ -7602,7 +7634,7 @@ Type: ips_option Usage: detect -7.104. sip_header +7.105. sip_header -------------- @@ -7614,7 +7646,7 @@ Type: ips_option Usage: detect -7.105. sip_method +7.106. sip_method -------------- @@ -7629,7 +7661,7 @@ Configuration: * string sip_method.*method: sip method -7.106. sip_stat_code +7.107. sip_stat_code -------------- @@ -7644,7 +7676,7 @@ Configuration: * int sip_stat_code.*code: status code { 1:999 } -7.107. so +7.108. so -------------- 
@@ -7661,7 +7693,7 @@ Configuration: buffer -7.108. soid +7.109. soid -------------- @@ -7677,7 +7709,7 @@ Configuration: like 3_45678_9 -7.109. ssl_state +7.110. ssl_state -------------- @@ -7706,7 +7738,7 @@ Configuration: unknown -7.110. ssl_version +7.111. ssl_version -------------- @@ -7733,7 +7765,7 @@ Configuration: tls1.2 -7.111. stream_reassemble +7.112. stream_reassemble -------------- @@ -7754,7 +7786,7 @@ Configuration: remainder of the session -7.112. stream_size +7.113. stream_size -------------- @@ -7772,7 +7804,7 @@ Configuration: direction(s) { either|to_server|to_client|both } -7.113. tag +7.114. tag -------------- @@ -7791,7 +7823,7 @@ Configuration: * int tag.bytes: tag for this many bytes { 1:max32 } -7.114. target +7.115. target -------------- @@ -7807,7 +7839,7 @@ Configuration: dst_ip } -7.115. tos +7.116. tos -------------- @@ -7822,7 +7854,7 @@ Configuration: * interval tos.~range: check if IP TOS is in given range { 0:255 } -7.116. ttl +7.117. ttl -------------- @@ -7838,7 +7870,7 @@ Configuration: 0:255 } -7.117. urg +7.118. urg -------------- @@ -7854,7 +7886,7 @@ Configuration: { 0:65535 } -7.118. window +7.119. window -------------- @@ -7870,7 +7902,7 @@ Configuration: range { 0:65535 } -7.119. wscale +7.120. wscale -------------- 
@@ -9154,6 +9186,14 @@ these libraries see the Getting Started section of the manual. examining HTTP message headers * implied http_raw_cookie.with_trailer: parts of this rule examine HTTP message trailers + * implied http_raw_header_complete.request: match against the + headers from the request message even when examining the response + * implied http_raw_header_complete.with_body: parts of this rule + examine HTTP message body + * implied http_raw_header_complete.with_header: this rule is + limited to examining HTTP message headers + * implied http_raw_header_complete.with_trailer: parts of this rule + examine HTTP message trailers * implied http_raw_header.request: match against the headers from the request message even when examining the response * implied http_raw_header.with_body: parts of this rule examine @@ -10922,6 +10962,8 @@ these libraries see the Getting Started section of the manual. * http_inspect.get_requests: GET requests inspected (sum) * http_inspect.head_requests: HEAD requests inspected (sum) * http_inspect.inspections: total message sections inspected (sum) + * http_inspect.js_bytes: total number of JavaScript bytes processed + (sum) * http_inspect.js_external_scripts: total number of external JavaScripts processed (sum) * http_inspect.js_inline_scripts: total number of inline @@ -11955,6 +11997,12 @@ these libraries see the Getting Started section of the manual. * 121:32 (http2_inspect) HTTP/2 window update frame with zero increment * 121:33 (http2_inspect) HTTP/2 request without a method + * 121:34 (http2_inspect) HTTP/2 HPACK table size update not at the + start of a header block + * 121:35 (http2_inspect) More than two HTTP/2 HPACK table size + updates in a single header block + * 121:36 (http2_inspect) HTTP/2 HPACK table size update exceeds max + value set by decoder in SETTINGS frame * 122:1 (port_scan) TCP portscan * 122:2 (port_scan) TCP decoy portscan * 122:3 (port_scan) TCP portsweep 
@@ -12590,6 +12638,8 @@ and are not applicable elsewhere. cursor to the unnormalized cookie * http_raw_header (ips_option): rule option to set the detection cursor to the unnormalized headers + * http_raw_header_complete (ips_option): rule option to set the + detection cursor to the unnormalized headers including cookies * http_raw_request (ips_option): rule option to set the detection cursor to the unnormalized request line * http_raw_status (ips_option): rule option to set the detection @@ -13000,6 +13050,8 @@ and are not applicable elsewhere. cursor to the unnormalized cookie * ips_option::http_raw_header: rule option to set the detection cursor to the unnormalized headers + * ips_option::http_raw_header_complete: rule option to set the + detection cursor to the unnormalized headers including cookies * ips_option::http_raw_request: rule option to set the detection cursor to the unnormalized request line * ips_option::http_raw_status: rule option to set the detection diff --git a/doc/upgrade/snort_upgrade.text b/doc/upgrade/snort_upgrade.text index 14fcd540a..a00f298b4 100644 --- a/doc/upgrade/snort_upgrade.text +++ b/doc/upgrade/snort_upgrade.text @@ -8,7 +8,7 @@ Snort 3 Upgrade Manual The Snort Team Revision History -Revision 3.1.8.0 2021-07-15 06:38:10 EDT TST +Revision 3.1.9.0 2021-07-28 06:22:15 EDT TST --------------------------------------------------------------------- diff --git a/doc/user/snort_user.text b/doc/user/snort_user.text index f18615cb2..c6b642ae1 100644 --- a/doc/user/snort_user.text +++ b/doc/user/snort_user.text @@ -8,7 +8,7 @@ Snort 3 User Manual The Snort Team Revision History -Revision 3.1.8.0 2021-07-15 06:38:10 EDT TST +Revision 3.1.9.0 2021-07-28 06:22:15 EDT TST --------------------------------------------------------------------- 
@@ -4172,7 +4172,7 @@ Note: this section uses informal language to explain some things. Nothing here is intended to conflict with the technical language of the HTTP RFCs and the implementation follows the RFCs. -5.10.4.2. http_header and http_raw_header +5.10.4.2. http_header, http_raw_header, and http_raw_header_complete These cover all the header lines except the first one. You may specify an individual header by name using the field option as shown @@ -4189,14 +4189,16 @@ mixture of upper and lower case. With http_header the individual header value is normalized in a way that is appropriate for that header. -Specifying an individual header is not available for http_raw_header. +Specifying an individual header is not available for http_raw_header +and http_raw_header_complete. -If you don’t specify a header you get all of the headers except for -the cookie headers Cookie and Set-Cookie. http_raw_header includes -the unmodified header names and values as they appeared in the -original message. http_header is the same except percent encodings -are removed and paths are simplified exactly as if the headers were a -URI. +If you don’t specify a header you get all of the headers. +http_raw_header_complete includes cookie headers Cookie and +Set-Cookie. http_header and http_raw_header don’t. http_raw_header +and http_raw_header_complete include the unmodified header names and +values as they appeared in the original message. http_header is the +same except percent encodings are removed and paths are simplified +exactly as if the headers were a URI. In most cases specifying individual headers creates a more efficient and accurate rule. It is recommended that new rules be written using