From: Steve Chew (stechew) Date: Sun, 4 Feb 2024 18:25:21 +0000 (+0000) Subject: Pull request #4193: build: generate and tag 3.1.79.0 X-Git-Tag: 3.1.79.0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=40d9b8738ea85d7812477b5e2cf4dacac17ec498;p=thirdparty%2Fsnort3.git Pull request #4193: build: generate and tag 3.1.79.0 Merge in SNORT/snort3 from ~STECHEW/snort3:build_3.1.79.0 to master Squashed commit of the following: commit abfb35c9cb81fbaca5f7e99129a0fa548d6adf8b Author: Steve Chew Date: Thu Feb 1 14:57:35 2024 -0500 build: generate and tag 3.1.79.0 --- diff --git a/CMakeLists.txt b/CMakeLists.txt index 525e51113..9550a2771 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -3,7 +3,7 @@ project (snort CXX C) set (VERSION_MAJOR 3) set (VERSION_MINOR 1) -set (VERSION_PATCH 78) +set (VERSION_PATCH 79) set (VERSION_SUBLEVEL 0) set (VERSION "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}.${VERSION_SUBLEVEL}") diff --git a/ChangeLog.md b/ChangeLog.md index d344206bd..0ca91c845 100644 --- a/ChangeLog.md +++ b/ChangeLog.md 
@@ -1,3 +1,27 @@ +2024-02-01: 3.1.79.0 + +appid: add tenants filter for appid debug +appid: process organization unit instead of organization name +appid: return false in is_appid_inspecting_session for quic if not decrypting +appid: update peg counts to be thread safe +coverity: fix for stream and hash +filters: make rate_filter multithreaded + some cleanup +kaizen: add dev_notes.txt +kaizen: change default value of uri_depth to -1 +kaizen: change kaizen gid to 411 +kaizen: extend mock object with simple matching mechanism +kaizen: make kaizen configurable per policy +kaizen: register module only when LibML present or REG_TEST defined +kaizen: update copyright +mercury: updating alpn info without sni in 7.6 +network_inspectors: add kaizen ML based exploit detector +packet_tracer: add tenants to filters +profiler: improve multithread rule percentage calculation +ssl: heap overflow issue when processing handshake records +stream_tcp: correct labeling of in-sequence and out-of-sequence packets +stream_tcp: persist disable_reassembly in Flow +stream_tcp: set packet direction flag based on direction saved in reassembly state + 2024-01-16: 3.1.78.0 * appid: print odp version and odp detector count on startup diff --git a/doc/reference/snort_reference.text b/doc/reference/snort_reference.text index 1f532313d..d9ec71add 100644 --- a/doc/reference/snort_reference.text +++ b/doc/reference/snort_reference.text @@ -8,7 +8,7 @@ Snort 3 Reference Manual The Snort Team Revision History -Revision 3.1.78.0 2024-01-16 01:22:50 EST TST +Revision 3.1.79.0 2024-02-01 19:30:03 UTC TST --------------------------------------------------------------------- @@ -16,7 +16,6 @@ Table of Contents 1. Help 2. Basic Modules - 2.1. active 2.2. alerts 2.3. attribute_table @@ -50,9 +49,7 @@ Table of Contents 2.31. snort 2.32. suppress 2.33. trace - 3. Codec Modules - 3.1. arp 3.2. auth 3.3. ciscometadata 
@@ -80,14 +77,10 @@ Table of Contents 3.25. udp 3.26. vlan 3.27. wlan - 4. Connector Modules - 4.1. file_connector 4.2. tcp_connector - 5. Inspector Modules - 5.1. appid 5.2. appid_listener 5.3. arp_spoof @@ -143,14 +136,10 @@ Table of Contents 5.53. stream_user 5.54. telnet 5.55. wizard - 6. IPS Action Modules - 6.1. react 6.2. reject - 7. IPS Option Modules - 7.1. ack 7.2. appids 7.3. base64_decode @@ -281,11 +270,9 @@ Table of Contents 7.128. vba_data 7.129. window 7.130. wscale - 8. Search Engine Modules 9. SO Rule Modules 10. Logger Modules - 10.1. alert_csv 10.2. alert_ex 10.3. alert_fast @@ -298,9 +285,7 @@ Table of Contents 10.10. log_hext 10.11. log_pcap 10.12. unified2 - 11. Appendix - 11.1. Build Options 11.2. Environment Variables 11.3. Command Line Options @@ -1216,8 +1201,8 @@ Configuration: Commands: - * packet_tracer.enable(proto, src_ip, src_port, dst_ip, dst_port): - enable packet tracer debugging + * packet_tracer.enable(proto, src_ip, src_port, dst_ip, dst_port, + tenants): enable packet tracer debugging * packet_tracer.disable(): disable packet tracer @@ -2593,8 +2578,8 @@ Configuration: Commands: - * appid.enable_debug(proto, src_ip, src_port, dst_ip, dst_port): - enable appid debugging + * appid.enable_debug(proto, src_ip, src_port, dst_ip, dst_port, + tenants): enable appid debugging * appid.disable_debug(): disable appid debugging * appid.reload_third_party(): reload appid third-party module * appid.reload_detectors(): reload appid detectors @@ -13007,12 +12992,12 @@ session. The TCP packet is invalid because it doesn’t have a SYN, ACK, or RST flag set. -116:424 (pbb) truncated ethernet header +116:424 (eth) truncated ethernet header The packet length is less than the minimum ethernet header size (14 bytes) -116:424 (pbb) truncated ethernet header +116:424 (eth) truncated ethernet header A truncated ethernet header was detected. 
@@ -15707,8 +15692,8 @@ alert is raised by the enhanced JavaScript normalizer. -------------- - * appid.enable_debug(proto, src_ip, src_port, dst_ip, dst_port): - enable appid debugging + * appid.enable_debug(proto, src_ip, src_port, dst_ip, dst_port, + tenants): enable appid debugging * appid.disable_debug(): disable appid debugging * appid.reload_third_party(): reload appid third-party module * appid.reload_detectors(): reload appid detectors @@ -15729,8 +15714,8 @@ alert is raised by the enhanced JavaScript normalizer. the user policy id * packet_capture.enable(filter, group): dump raw packets * packet_capture.disable(): stop packet dump - * packet_tracer.enable(proto, src_ip, src_port, dst_ip, dst_port): - enable packet tracer debugging + * packet_tracer.enable(proto, src_ip, src_port, dst_ip, dst_port, + tenants): enable packet tracer debugging * packet_tracer.disable(): disable packet tracer * perf_monitor.enable_flow_ip_profiling(seconds, packets): enable statistics on host pairs diff --git a/doc/upgrade/snort_upgrade.text b/doc/upgrade/snort_upgrade.text index 35d2eec6f..d768fbf07 100644 --- a/doc/upgrade/snort_upgrade.text +++ b/doc/upgrade/snort_upgrade.text @@ -8,22 +8,19 @@ Snort 3 Upgrade Manual The Snort Team Revision History -Revision 3.1.78.0 2024-01-16 01:23:57 EST TST +Revision 3.1.79.0 2024-02-01 19:29:51 UTC TST --------------------------------------------------------------------- Table of Contents 1. Overview - 1.1. Efficacy 1.2. Performance 1.3. Scalability 1.4. Usability 1.5. Extensibility - 2. Snort 3 vs Snort 2 - 2.1. Features New to Snort 3 2.2. Features Improved over Snort 2 2.3. Build Options @@ -33,13 +30,10 @@ Table of Contents 2.7. Output 2.8. Sensitive Data 2.9. Features Not Yet Supported by Snort 3 - 3. Snort2Lua - 3.1. Snort2Lua Command Line 3.2. Known Problems 3.3. Usage - 4. Configuration Changes 
@@ -826,7 +820,6 @@ change -> config 'checksum_mode' ==> 'network.checksum_eval' change -> config 'daq_dir' ==> 'daq.module_dirs' change -> config 'detection_filter' ==> 'alerts.detection_filter_memcap' change -> config 'enable_deep_teredo_inspection' ==> 'udp.deep_teredo_inspection' -change -> config 'enable_mpls_overlapping_ip' ==> 'packets.mpls_agnostic' change -> config 'event_filter' ==> 'alerts.event_filter_memcap' change -> config 'max_attribute_hosts' ==> 'attribute_table.max_hosts' change -> config 'max_attribute_services_per_host' ==> 'attribute_table.max_services_per_host' @@ -866,17 +859,17 @@ change -> daq: 'config daq:' ==> 'name' change -> daq_mode: 'config daq_mode:' ==> 'mode' change -> daq_var: 'config daq_var:' ==> 'variables' change -> detection: 'ac' ==> 'ac_full' -change -> detection: 'ac-banded' ==> 'ac_full' +change -> detection: 'ac-banded' ==> 'ac_banded' change -> detection: 'ac-bnfa' ==> 'ac_bnfa' change -> detection: 'ac-bnfa-nq' ==> 'ac_bnfa' change -> detection: 'ac-bnfa-q' ==> 'ac_bnfa' change -> detection: 'ac-nq' ==> 'ac_full' change -> detection: 'ac-q' ==> 'ac_full' -change -> detection: 'ac-sparsebands' ==> 'ac_full' +change -> detection: 'ac-sparsebands' ==> 'ac_sparse_bands' change -> detection: 'ac-split' ==> 'ac_full' change -> detection: 'ac-split' ==> 'split_any_any' -change -> detection: 'ac-std' ==> 'ac_full' -change -> detection: 'acs' ==> 'ac_full' +change -> detection: 'ac-std' ==> 'ac_std' +change -> detection: 'acs' ==> 'ac_sparse' change -> detection: 'bleedover-port-limit' ==> 'bleedover_port_limit' change -> detection: 'debug-print-fast-pattern' ==> 'show_fast_patterns' change -> detection: 'intel-cpm' ==> 'hyperscan' 
@@ -885,6 +878,7 @@ change -> detection: 'lowmem-q' ==> 'lowmem' change -> detection: 'max-pattern-len' ==> 'max_pattern_len' change -> detection: 'no_stream_inserts' ==> 'detect_raw_tcp' change -> detection: 'search-method' ==> 'search_method' +change -> detection: 'search-optimize' ==> 'search_optimize' change -> detection: 'split-any-any' ==> 'split_any_any = true by default' change -> detection: 'split-any-any' ==> 'split_any_any' change -> dnp3: 'ports' ==> 'bindings' @@ -962,7 +956,6 @@ change -> rate_filter: 'sig_id' ==> 'sid' change -> reputation: 'shared_mem' ==> 'list_dir' change -> sfportscan: 'proto' ==> 'protos' change -> sfportscan: 'scan_type' ==> 'scan_types' -change -> sip: 'max_requestName_len' ==> 'max_request_name_len' change -> sip: 'ports' ==> 'bindings' change -> smtp: 'ports' ==> 'bindings' change -> ssh: 'server_ports' ==> 'bindings' @@ -1028,7 +1021,6 @@ deleted -> config 'disable_decode_drops' deleted -> config 'disable_inline_init_failopen' deleted -> config 'disable_ipopt_alerts' deleted -> config 'disable_ipopt_drops' -deleted -> config 'disable_replace' deleted -> config 'disable_tcpopt_alerts' deleted -> config 'disable_tcpopt_drops' deleted -> config 'disable_tcpopt_experimental_alerts' @@ -1045,7 +1037,6 @@ deleted -> config 'enable_decode_oversized_alerts' deleted -> config 'enable_decode_oversized_drops' deleted -> config 'enable_gtp' deleted -> config 'enable_ipopt_drops' -deleted -> config 'enable_mpls_multicast' deleted -> config 'enable_tcpopt_drops' deleted -> config 'enable_tcpopt_experimental_drops' deleted -> config 'enable_tcpopt_obsolete_drops' 
@@ -1067,12 +1058,10 @@ deleted -> config 'sfalert_unified2' deleted -> config 'sflog_unified2' deleted -> config 'sidechannel' deleted -> config 'so_rule_memcap' -deleted -> config 'stateful' deleted -> csv: ' can no longer be specific' deleted -> csv: 'default' deleted -> csv: 'trheader' deleted -> detection: 'mwm' -deleted -> detection: 'search-optimize is always true' deleted -> dnp3: 'disabled' deleted -> dnp3: 'memcap' deleted -> dns: 'enable_experimental_types' @@ -1086,8 +1075,6 @@ deleted -> ftp_telnet_protocol: 'detect_anomalies' deleted -> full: ' can no longer be specific' deleted -> http_inspect: 'detect_anomalous_servers' deleted -> http_inspect: 'disabled' -deleted -> http_inspect: 'fast_blocking' -deleted -> http_inspect: 'normalize_random_nulls_in_text' deleted -> http_inspect: 'proxy_alert' deleted -> http_inspect_server: 'allow_proxy_use' deleted -> http_inspect_server: 'enable_cookie' @@ -1165,7 +1152,6 @@ deleted -> stream5_tcp: 'ignore_any_rules' deleted -> stream5_tcp: 'log_asymmetric_traffic' deleted -> stream5_tcp: 'policy noack' deleted -> stream5_tcp: 'policy unknown' -deleted -> stream5_tcp: 'use_static_footprint_sizes' deleted -> stream5_udp: 'ignore_any_rules' deleted -> tcpdump: ' can no longer be specific' deleted -> test: 'file' diff --git a/doc/user/snort_user.text b/doc/user/snort_user.text index d289a376f..9f6574338 100644 --- a/doc/user/snort_user.text +++ b/doc/user/snort_user.text @@ -8,20 +8,17 @@ Snort 3 User Manual The Snort Team Revision History -Revision 3.1.78.0 2024-01-16 01:23:12 EST TST +Revision 3.1.79.0 2024-02-01 19:29:51 UTC TST --------------------------------------------------------------------- Table of Contents 1. Overview - 1.1. First Steps 1.2. Configuration 1.3. Output - 2. Concepts - 2.1. Terminology 2.2. Modules 2.3. Parameters @@ -29,9 +26,7 @@ Table of Contents 2.5. Operation 2.6. Rules 2.7. Pattern Matching - 3. Tutorial - 3.1. Dependencies 3.2. Building 3.3. Running 
@@ -39,9 +34,7 @@ Table of Contents 3.5. Common Errors 3.6. Gotchas 3.7. Known Issues - 4. Usage - 4.1. Help 4.2. Sniffing and Logging 4.3. Configuration @@ -52,9 +45,7 @@ Table of Contents 4.8. Logger Alternatives 4.9. Shell 4.10. Signals - 5. Features - 5.1. Active Response 5.2. AppId 5.3. Binder @@ -77,9 +68,7 @@ Table of Contents 5.20. Telnet 5.21. Trace 5.22. Wizard - 6. DAQ Configuration and Modules - 6.1. Building the DAQ Library and Its Bundled DAQ Modules 6.2. Configuration 6.3. Interaction With Multiple Packet Threads
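Review bot: The new 2024-02-01 block in the ChangeLog.md hunk drops the leading `* ` bullet that the existing 2024-01-16 block uses (`* appid: print odp version and odp detector count on startup`), so the 3.1.79.0 entries render as a run-on paragraph instead of a list; prefix each new line with `* `. In the same hunk, `ssl: heap overflow issue when processing handshake records` reads like a bug report rather than a fix: state that the overflow is fixed (e.g. `ssl: fix heap overflow when processing handshake records`) and, if an advisory or CVE identifier exists for it, reference it so operators can see why this release should be prioritized.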
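Review bot: The `@@ -8` hunks in all three manuals change only the Revision line, but the timestamp format flips from `EST` to `UTC` and the following table-of-contents hunks (`@@ -16` through `@@ -298` in snort_reference.text, and the matching ones in snort_upgrade.text and snort_user.text) do nothing except remove blank lines between sections. That is doc-toolchain whitespace churn rather than a content change; the commit message should say the docs were regenerated on a different host or toolchain so reviewers of the generated text know the blank-line removals are not deliberate.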
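Review bot: The `@@ -1216` and `@@ -2593` hunks in snort_reference.text (and their copies at `@@ -15707` and `@@ -15729`) add a `tenants` argument to `packet_tracer.enable(...)` and `appid.enable_debug(...)`, but the help text stays `enable packet tracer debugging` / `enable appid debugging`, so nothing tells the user what `tenants` accepts: a single id or a list, whether it is optional, and how it combines with the existing 5-tuple filter. Update the command description in the generator source so all four copies say the same thing.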
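Review bot: The `@@ -13007` hunk in snort_reference.text relabels `116:424` from `(pbb)` to `(eth)`, but the same GID:SID `116:424` is still listed twice with two different descriptions (`The packet length is less than the minimum ethernet header size (14 bytes)` and `A truncated ethernet header was detected.`). One SID should map to one description; remove the duplicate in the generator's source rather than carrying it forward with the new label, otherwise rule documentation and SIEM mappings keyed on `116:424` stay ambiguous.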
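Review bot: The `@@ -826` hunk in snort_upgrade.text removes the conversion `change -> config 'enable_mpls_overlapping_ip' ==> 'packets.mpls_agnostic'` without adding a matching `deleted -> config 'enable_mpls_overlapping_ip'` line, so the upgrade manual no longer says anything about that Snort 2 option, and the 3.1.79.0 ChangeLog lists no snort2lua change that would explain it. Either the changelog is missing a snort2lua entry or the regenerated manual picked up unrelated state; reconcile the two before tagging so the release notes match what the conversion tool now does.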
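Review bot: The `@@ -866` hunk in snort_upgrade.text changes the snort2lua mapping so `ac-banded`, `ac-sparsebands`, `ac-std` and `acs` now convert to `ac_banded`, `ac_sparse_bands`, `ac_std` and `ac_sparse` instead of `ac_full`. Please confirm those four names are accepted values of `detection.search_method` in this release: a converted config that names a search method the target build does not recognize is rejected at load time rather than falling back, which is a worse outcome for an upgrade tool than the previous conservative `ac_full` mapping. The pre-existing pair `change -> detection: 'ac-split' ==> 'ac_full'` / `change -> detection: 'ac-split' ==> 'split_any_any'` in the same hunk still lists one Snort 2 key under two targets and should be collapsed to a single line.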
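Review bot: The `@@ -1086` hunk in snort_upgrade.text drops `deleted -> http_inspect: 'fast_blocking'` and `deleted -> http_inspect: 'normalize_random_nulls_in_text'`, which were the only record in the upgrade manual that these Snort 2 http_inspect options have no Snort 3 equivalent. If snort2lua now converts them, a corresponding `change -> http_inspect: ...` line is expected in the same file; if it does not, the `deleted ->` entries should stay so users migrating those options are warned rather than silently losing them. The same question applies to the `use_static_footprint_sizes` removal in the `@@ -1165` hunk.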