From: Priyanka Bangalore Gurudev (prbg) Date: Tue, 4 Feb 2025 21:07:47 +0000 (+0000) Subject: Pull request #4599: build: generate and tag 3.6.3.0 X-Git-Tag: 3.6.3.0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=46545be8b3588661a045b7010960146bce304540;p=thirdparty%2Fsnort3.git Pull request #4599: build: generate and tag 3.6.3.0 Merge in SNORT/snort3 from ~PRBG/snort3:build__3.6.3.0 to master Squashed commit of the following: commit 4aaa7b6507d312917138f91ea7df986827240d33 Author: Priyanka Gurudev Date: Mon Feb 3 23:31:51 2025 -0500 build: generate and tag 3.6.3.0 --- diff --git a/CMakeLists.txt b/CMakeLists.txt index a7281960f..fcaab5524 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -3,7 +3,7 @@ project (snort CXX C) set (VERSION_MAJOR 3) set (VERSION_MINOR 6) -set (VERSION_PATCH 2) +set (VERSION_PATCH 3) set (VERSION_SUBLEVEL 0) set (VERSION "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}.${VERSION_SUBLEVEL}") diff --git a/ChangeLog.md b/ChangeLog.md index b237d3e9e..e6f054bae 100644 --- a/ChangeLog.md +++ b/ChangeLog.md 
@@ -1,3 +1,22 @@ +2025-02-03: 3.6.3.0 + +* appid: added check for brute force manager presence +* dump_config: implement dump config generation in a file +* extractor: add handling for connector creation failure +* extractor: support connection logs +* file: malware and file events when action changed from block malware to cloud malware lookup event +* file: retrying the packet when file cache is full +* flow: add command that dumps only flow summaries +* framework: remove inspector slot and use get_instance_id instead +* ftp_telnet: only add expected flows when the daq_msg field in the control packet is not null. +* hosts: added check to verify ip protocol match on hosts lookup +* main: add thread_id in instance_mapping output file +* main: acquire TSC time scale at the startup +* mercury: telemetry file changes for multiprocess snort +* packet_io: check the DAQ_Msg_h parameter on api calls and return an error code when it is a null pointer +* perf_monitor: update structure clearing to C++ method +* perf_monitor: update flow state value reset + 2025-01-19: 3.6.2.0 * appid: adding thresholds to brute-force detection diff --git a/doc/reference/snort_reference.text b/doc/reference/snort_reference.text index 27e0187a9..a75befc68 100644 --- a/doc/reference/snort_reference.text +++ b/doc/reference/snort_reference.text @@ -8,7 +8,7 @@ Snort 3 Reference Manual The Snort Team Revision History -Revision 3.6.2.0 2025-01-19 22:53:58 EST TST +Revision 3.6.3.0 2025-02-04 00:09:48 EST TST --------------------------------------------------------------------- @@ -1636,6 +1636,8 @@ Configuration: Operation * implied snort.--enable-test-features: enable features used in testing + * string snort.--gen-dump-config: dump configuration to + during startup and configuration reload * implied snort.--gen-msg-map: dump configured rules in gen-msg.map format for use by other tools * implied snort.--help: show help overview 
@@ -3590,7 +3592,7 @@ Configuration: csv | json } * string extractor.connector: output destination for extractor * enum extractor.protocols[].service: service to extract from { - http | ftp } + http | ftp | conn } * int extractor.protocols[].tenant_id = 0: tenant_id of target tenant { 0:max32 } * string extractor.protocols[].on_events: specify events to log @@ -5825,6 +5827,7 @@ Configuration: Commands: * stream.dump_flows(): dump the flow table + * stream.dump_flows_summary(): dump the flow summaries Rules: @@ -9302,6 +9305,8 @@ libraries see the Getting Started section of the manual. the version * --enable-inline-test enable Inline-Test Mode Operation * --enable-test-features enable features used in testing + * --gen-dump-config dump configuration to + during startup and configuration reload * --gen-msg-map dump configured rules in gen-msg.map format for use by other tools * --help show help overview @@ -9866,7 +9871,7 @@ libraries see the Getting Started section of the manual. * string extractor.protocols[].fields: specify fields to log * string extractor.protocols[].on_events: specify events to log * enum extractor.protocols[].service: service to extract from { - http | ftp } + http | ftp | conn } * int extractor.protocols[].tenant_id = 0: tenant_id of target tenant { 0:max32 } * string file_connector[].connector: connector name @@ -11120,6 +11125,8 @@ libraries see the Getting Started section of the manual. testing * implied snort.-f: turn off fflush() calls after binary log writes * int snort.-G: <0xid> (same as --logid) { 0:65535 } + * string snort.--gen-dump-config: dump configuration to + during startup and configuration reload * implied snort.--gen-msg-map: dump configured rules in gen-msg.map format for use by other tools * string snort.-g: run snort gid as group (or gid) 
@@ -16325,6 +16332,7 @@ alert is raised by the enhanced JavaScript normalizer. * snort.quit(): shutdown and dump-stats * snort.help(): this output * stream.dump_flows(): dump the flow table + * stream.dump_flows_summary(): dump the flow summaries * trace.set(modules, constraints, ntuple, timestamp): set modules traces, constraints, ntuple and timestamp options * trace.clear(): clear modules traces and constraints diff --git a/doc/upgrade/snort_upgrade.text b/doc/upgrade/snort_upgrade.text index 2f3ec62dc..abe1dbe41 100644 --- a/doc/upgrade/snort_upgrade.text +++ b/doc/upgrade/snort_upgrade.text @@ -8,7 +8,7 @@ Snort 3 Upgrade Manual The Snort Team Revision History -Revision 3.6.2.0 2025-01-19 22:55:16 EST TST +Revision 3.6.3.0 2025-02-04 00:10:40 EST TST --------------------------------------------------------------------- diff --git a/doc/user/snort_user.text b/doc/user/snort_user.text index 4ccc7061a..3a8a777b5 100644 --- a/doc/user/snort_user.text +++ b/doc/user/snort_user.text @@ -8,7 +8,7 @@ Snort 3 User Manual The Snort Team Revision History -Revision 3.6.2.0 2025-01-19 22:54:24 EST TST +Revision 3.6.3.0 2025-02-04 00:10:05 EST TST --------------------------------------------------------------------- @@ -2761,6 +2761,10 @@ The dump mode is activated by the following options: --dump-config-text, --dump-config=all, --dump-config=top. They are described in detail below. +The --gen-dump-config option enables Snort to generate a dump +configuration file with a timestamp and config generation ID during +startup and reload. + The simple configuration is used in examples. The output contains applied configurations (defaults and configured). To simplify the output we show a brief list of default options. 
@@ -3041,6 +3045,18 @@ Example: snort -c snort.lua --dump-config=top | jq . }, } +5.5.3. Configuration Dump Generation During Startup and Reload + +The --gen-dump-config option dumps configuration in a file in +JSON format, similar to the --dump-config=all option. It creates a +file during startup and reload, with the specified name, timestamp +and config generation ID appended. + +Example: snort -c snort.lua --gen-dump-config dump_output + +After execution, the "dump_output__" file +will be generated. + 5.6. DCE Inspectors @@ -5843,7 +5859,8 @@ extractor = { { service = 'http', tenant_id = 1, on_events = 'eot', fields = 'ts, uri, host, method' }, { service = 'ftp', tenant_id = 1, on_events = 'request', fields = 'ts, command, arg' }, - { service = 'http', tenant_id = 2, on_events = 'eot', fields = 'ts, uri' } + { service = 'http', tenant_id = 2, on_events = 'eot', fields = 'ts, uri' }, + { service = 'conn', tenant_id = 1, on_events = 'eof', fields = 'ts, uid, service' } } } @@ -5860,6 +5877,9 @@ Services and their events: + response + eot (a session defined by the following commands: APPE, DELE, RETR, STOR, STOU, ACCT, PORT, PASV, EPRT, EPSV) + * connection (conn) + + + eof (end of flow) Common fields available for every service: @@ -5899,6 +5919,14 @@ Fields supported for FTP: * data_channel.resp_h - IP address of data channel receiving point * data_channel.resp_p - TCP port of data channel receiving point +Fields supported for connection: + + * duration - connection duration in seconds + * proto - transport layer protocol of the connection + * service - connection’s application protocol + * orig_pkts - number of packets originator sent + * resp_pkts - number of packets responder sent + 5.18.3. Example Adding the following lines to a default snort configuration (which
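Review bot: the new ChangeLog.md entries (hunk @@ -1,3 +1,22) are inconsistent in punctuation and one of them does not say what changed. The ftp_telnet bullet ends with a period ("... is not null.") while no other bullet in the list does; drop it to match. The bullet "file: malware and file events when action changed from block malware to cloud malware lookup event" has no verb, so a reader scanning the release cannot tell whether these events are now generated, corrected or suppressed; prefix it with the action taken, for example "file: fix malware and file events when ...", as the neighbouring entries do.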
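Review bot: the --gen-dump-config help text in the snort_reference.text hunk at @@ -1636 reads "dump configuration to during startup and configuration reload", with nothing named between "to" and "during"; the identical text appears in the hunks at @@ -9302 and @@ -11120. The option is declared as taking a string, so if a file-name placeholder was meant to sit there, confirm it survives in the generated reference text rather than being dropped as markup, or use a wording that does not depend on one, such as "dump configuration to the named file during startup and configuration reload".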
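Review bot: in the snort_user.text hunk at @@ -2761 the unchanged sentence just above the new paragraph, "The dump mode is activated by the following options: --dump-config-text, --dump-config=all, --dump-config=top. They are described in detail below.", still presents that list as complete, so --gen-dump-config is introduced right after a list that omits it. Either add --gen-dump-config to that list or state in the new paragraph that it is an additional dump mode that writes to a file instead of standard output.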
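Review bot: in the new section 5.5.3 (hunk @@ -3041) the expected result "dump_output__" shows two underscores with nothing between them, although the sentence above says a timestamp and a config generation ID are appended; confirm the placeholders for those two values render in the manual. The section also does not say which directory the file is created in or whether an existing file of the same name is overwritten; since the dump contains the complete applied configuration, a reader needs to know where it lands.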
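Review bot: the connection field list in the hunk at @@ -5899 uses a typographic apostrophe in "connection’s application protocol" while the rest of this plain-text manual uses ASCII; change it to "connection's". Also, the extractor example added at @@ -5843 selects fields = 'ts, uid, service' for the conn service, but this list names only duration, proto, service, orig_pkts and resp_pkts; confirm that ts and uid are covered by the "Common fields available for every service" list so the example is valid as written.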