From: Steve Chew (stechew) Date: Wed, 22 Sep 2021 18:19:00 +0000 (+0000) Subject: Merge pull request #3071 in SNORT/snort3 from ~STECHEW/snort3:build_3.1.13.0 to master X-Git-Tag: 3.1.13.0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=47f81b7a7abaa382ecdd54a159d0fa6bc32c0425;p=thirdparty%2Fsnort3.git Merge pull request #3071 in SNORT/snort3 from ~STECHEW/snort3:build_3.1.13.0 to master Squashed commit of the following: commit 074c6b13a6ce3dc156013a217a934ef402e95b0a Author: Steve Chew Date: Wed Sep 22 08:57:19 2021 -0400 build: generate and tag 3.1.13.0 --- diff --git a/CMakeLists.txt b/CMakeLists.txt index d4673fad1..8a6036a94 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -3,7 +3,7 @@ project (snort CXX C) set (VERSION_MAJOR 3) set (VERSION_MINOR 1) -set (VERSION_PATCH 12) +set (VERSION_PATCH 13) set (VERSION_SUBLEVEL 0) set (VERSION "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}.${VERSION_SUBLEVEL}") diff --git a/ChangeLog b/ChangeLog index 1a559c42f..7a2441474 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,38 @@ +2021/09/22 - 3.1.13.0 + +appid: prioritize appid's client detection over third-party +appid: stay in success state after RPC is detected. +builtins: add --dump-builtin-options +catch: enable benchmarking +cip, iec104: update stub rule messages for consistent format +control: explicitly include ctime header in control.h +detection: add fast patterns only once per service group +doc: add support for details on builtin rules in the reference +doc: update reference for 2:1 and 129:13 +doc: update the documentation of "replace" option and "rewrite" action +doc: update user tutorial with '--enable-benchmark-tests' option +file_api: new api added for url +file_api: revert store processing flow in context +flow: don't do memcap pruning if pruning is in progress +host_cache: Avoid data race in cache size access +host_tracker: Removing unused methods +http_inspect: http_raw_trailer fast pattern +http_inspect: pass file_api the uri with the filename and extract the filename from the uri path +http_inspect: remove memrchr for portability +netflow: use device ip and template id to ensure that the template cache keys are unique +output: adopt the orphaned tag alert (2:1) +rna: Avoid data races in vlan and mac address +rna: Avoid infinite loop in ICMPv6 options +smb: added a null check when current_flow is not present +snort2lua: Fixed version output (issue #213). Thanks to A-Pisani for the fix. +stream: change session_timeout default for tcp, ip, icmp and user +stream: fix session timeout of expired flows +trough: Avoid data race in file count +utils: add benchmark tests for JSNormalizer +utils: add reference and description for ClamAV test cases +utils: avoid using pubsetbuf which is STL implementation dependent +utils: fix typo in js_normalizer_test + 2021/09/08 - 3.1.12.0 decoder: icmp6 - use source and destination addresses from packet to compute icmp6 checksum when NAT is in effect 
diff --git a/doc/reference/snort_reference.text b/doc/reference/snort_reference.text index dfdad4630..476f40358 100644 --- a/doc/reference/snort_reference.text +++ b/doc/reference/snort_reference.text @@ -8,7 +8,7 @@ Snort 3 Reference Manual The Snort Team Revision History -Revision 3.1.12.0 2021-09-08 07:41:47 EDT TST +Revision 3.1.13.0 2021-09-22 09:11:00 EDT TST --------------------------------------------------------------------- @@ -1054,6 +1054,10 @@ Configuration: * bool output.wide_hex_dump = false: output 20 bytes per lines instead of 16 when dumping buffers +Rules: + + * 2:1 (output) tagged packet + 2.20. packet_tracer @@ -1414,6 +1418,8 @@ Configuration: * string snort.--daq-var: specify extra DAQ configuration variable * implied snort.--dirty-pig: don’t flush packets on shutdown + * string snort.--dump-builtin-options: additional options to + include with --dump-builtin-rules stubs * string snort.--dump-builtin-rules: [] output stub rules for selected modules { (optional) } * select snort.--dump-config: dump config in json format { all | @@ -2602,12 +2608,12 @@ Configuration: Rules: - * 148:1 (cip) CIP data is malformed. - * 148:2 (cip) CIP data is non-conforming to ODVA standard. + * 148:1 (cip) CIP data is malformed + * 148:2 (cip) CIP data is non-conforming to ODVA standard * 148:3 (cip) CIP connection limit exceeded. Least recently used - connection removed. + connection removed * 148:4 (cip) CIP unconnected request limit exceeded. Oldest - request removed. + request removed Peg counts: 
@@ -3952,120 +3958,113 @@ Instance Type: multiton Rules: - * 151:1 (iec104) (spp_iec104): Length in IEC104 APCI header does - not match the length needed for the given IEC104 ASDU type id. - * 151:2 (iec104) (spp_iec104): IEC104 Start byte does not match - 0x68. - * 151:3 (iec104) (spp_iec104): Reserved IEC104 ASDU type id in use. - * 151:4 (iec104) (spp_iec104): IEC104 APCI U Reserved field - contains a non-default value. - * 151:5 (iec104) (spp_iec104): IEC104 APCI U message type was set - to an invalid value. - * 151:6 (iec104) (spp_iec104): IEC104 APCI S Reserved field - contains a non-default value. - * 151:7 (iec104) (spp_iec104): IEC104 APCI I number of elements set - to zero. - * 151:8 (iec104) (spp_iec104): IEC104 APCI I SQ bit set on an ASDU - that does not support the feature. - * 151:9 (iec104) (spp_iec104): IEC104 APCI I number of elements set - to greater than one on an ASDU that does not support the feature. - * 151:10 (iec104) (spp_iec104): IEC104 APCI I Cause of - Initialization set to a reserved value. - * 151:11 (iec104) (spp_iec104): IEC104 APCI I Qualifier of - Interrogation Command set to a reserved value. - * 151:12 (iec104) (spp_iec104): IEC104 APCI I Qualifier of Counter - Interrogation Command request parameter set to a reserved value. - * 151:13 (iec104) (spp_iec104): IEC104 APCI I Qualifier of - Parameter of Measured Values kind of parameter set to a reserved - value. - * 151:14 (iec104) (spp_iec104): IEC104 APCI I Qualifier of - Parameter of Measured Values local parameter change set to a - technically valid but unused value. - * 151:15 (iec104) (spp_iec104): IEC104 APCI I Qualifier of - Parameter of Measured Values parameter option set to a - technically valid but unused value. - * 151:16 (iec104) (spp_iec104): IEC104 APCI I Qualifier of - Parameter Activation set to a reserved value. - * 151:17 (iec104) (spp_iec104): IEC104 APCI I Qualifier of Command - set to a reserved value. 
- * 151:18 (iec104) (spp_iec104): IEC104 APCI I Qualifier of Reset - Process set to a reserved value. - * 151:19 (iec104) (spp_iec104): IEC104 APCI I File Ready Qualifier - set to a reserved value. - * 151:20 (iec104) (spp_iec104): IEC104 APCI I Section Ready - Qualifier set to a reserved value. - * 151:21 (iec104) (spp_iec104): IEC104 APCI I Select and Call - Qualifier set to a reserved value. - * 151:22 (iec104) (spp_iec104): IEC104 APCI I Last Section or - Segment Qualifier set to a reserved value. - * 151:23 (iec104) (spp_iec104): IEC104 APCI I Acknowledge File or - Section Qualifier set to a reserved value. - * 151:24 (iec104) (spp_iec104): IEC104 APCI I Structure Qualifier - set on a message where it should have no effect. - * 151:25 (iec104) (spp_iec104): IEC104 APCI I Single Point - Information Reserved field contains a non-default value. - * 151:26 (iec104) (spp_iec104): IEC104 APCI I Double Point - Information Reserved field contains a non-default value. - * 151:27 (iec104) (spp_iec104): IEC104 APCI I Cause of Transmission - set to a reserved value. - * 151:28 (iec104) (spp_iec104): IEC104 APCI I Cause of Transmission - set to a value not allowed for the ASDU. - * 151:29 (iec104) (spp_iec104): IEC104 APCI I invalid two octet - common address value detected. - * 151:30 (iec104) (spp_iec104): IEC104 APCI I Quality Descriptor - Structure Reserved field contains a non-default value. - * 151:31 (iec104) (spp_iec104): IEC104 APCI I Quality Descriptor - for Events of Protection Equipment Structure Reserved field - contains a non-default value. - * 151:32 (iec104) (spp_iec104): IEC104 APCI I IEEE STD 754 value - results in NaN. - * 151:33 (iec104) (spp_iec104): IEC104 APCI I IEEE STD 754 value - results in infinity. - * 151:34 (iec104) (spp_iec104): IEC104 APCI I Single Event of - Protection Equipment Structure Reserved field contains a - non-default value. 
- * 151:35 (iec104) (spp_iec104): IEC104 APCI I Start Event of + * 151:1 (iec104) Length in IEC104 APCI header does not match the + length needed for the given IEC104 ASDU type id + * 151:2 (iec104) IEC104 Start byte does not match 0x68 + * 151:3 (iec104) Reserved IEC104 ASDU type id in use + * 151:4 (iec104) IEC104 APCI U Reserved field contains a + non-default value + * 151:5 (iec104) IEC104 APCI U message type was set to an invalid + value + * 151:6 (iec104) IEC104 APCI S Reserved field contains a + non-default value + * 151:7 (iec104) IEC104 APCI I number of elements set to zero + * 151:8 (iec104) IEC104 APCI I SQ bit set on an ASDU that does not + support the feature + * 151:9 (iec104) IEC104 APCI I number of elements set to greater + than one on an ASDU that does not support the feature + * 151:10 (iec104) IEC104 APCI I Cause of Initialization set to a + reserved value + * 151:11 (iec104) IEC104 APCI I Qualifier of Interrogation Command + set to a reserved value + * 151:12 (iec104) IEC104 APCI I Qualifier of Counter Interrogation + Command request parameter set to a reserved value + * 151:13 (iec104) IEC104 APCI I Qualifier of Parameter of Measured + Values kind of parameter set to a reserved value + * 151:14 (iec104) IEC104 APCI I Qualifier of Parameter of Measured + Values local parameter change set to a technically valid but + unused value + * 151:15 (iec104) IEC104 APCI I Qualifier of Parameter of Measured + Values parameter option set to a technically valid but unused + value + * 151:16 (iec104) IEC104 APCI I Qualifier of Parameter Activation + set to a reserved value + * 151:17 (iec104) IEC104 APCI I Qualifier of Command set to a + reserved value + * 151:18 (iec104) IEC104 APCI I Qualifier of Reset Process set to a + reserved value + * 151:19 (iec104) IEC104 APCI I File Ready Qualifier set to a + reserved value + * 151:20 (iec104) IEC104 APCI I Section Ready Qualifier set to a + reserved value + * 151:21 (iec104) IEC104 APCI I Select and Call Qualifier 
set to a + reserved value + * 151:22 (iec104) IEC104 APCI I Last Section or Segment Qualifier + set to a reserved value + * 151:23 (iec104) IEC104 APCI I Acknowledge File or Section + Qualifier set to a reserved value + * 151:24 (iec104) IEC104 APCI I Structure Qualifier set on a + message where it should have no effect + * 151:25 (iec104) IEC104 APCI I Single Point Information Reserved + field contains a non-default value + * 151:26 (iec104) IEC104 APCI I Double Point Information Reserved + field contains a non-default value + * 151:27 (iec104) IEC104 APCI I Cause of Transmission set to a + reserved value + * 151:28 (iec104) IEC104 APCI I Cause of Transmission set to a + value not allowed for the ASDU + * 151:29 (iec104) IEC104 APCI I invalid two octet common address + value detected + * 151:30 (iec104) IEC104 APCI I Quality Descriptor Structure + Reserved field contains a non-default value + * 151:31 (iec104) IEC104 APCI I Quality Descriptor for Events of Protection Equipment Structure Reserved field contains a - non-default value. - * 151:36 (iec104) (spp_iec104): IEC104 APCI I Output Circuit - Information Structure Reserved field contains a non-default - value. - * 151:37 (iec104) (spp_iec104): IEC104 APCI I Abnormal Fixed Test - Bit Pattern detected. - * 151:38 (iec104) (spp_iec104): IEC104 APCI I Single Command - Structure Reserved field contains a non-default value. - * 151:39 (iec104) (spp_iec104): IEC104 APCI I Double Command - Structure contains an invalid value. - * 151:40 (iec104) (spp_iec104): IEC104 APCI I Regulating Step - Command Structure Reserved field contains a non-default value. - * 151:41 (iec104) (spp_iec104): IEC104 APCI I Time2a Millisecond - set outside of the allowable range. - * 151:42 (iec104) (spp_iec104): IEC104 APCI I Time2a Minute set - outside of the allowable range. - * 151:43 (iec104) (spp_iec104): IEC104 APCI I Time2a Minute - Reserved field contains a non-default value. 
- * 151:44 (iec104) (spp_iec104): IEC104 APCI I Time2a Hours set - outside of the allowable range. - * 151:45 (iec104) (spp_iec104): IEC104 APCI I Time2a Hours Reserved - field contains a non-default value. - * 151:46 (iec104) (spp_iec104): IEC104 APCI I Time2a Day of Month - set outside of the allowable range. - * 151:47 (iec104) (spp_iec104): IEC104 APCI I Time2a Month set - outside of the allowable range. - * 151:48 (iec104) (spp_iec104): IEC104 APCI I Time2a Month Reserved - field contains a non-default value. - * 151:49 (iec104) (spp_iec104): IEC104 APCI I Time2a Year set - outside of the allowable range. - * 151:50 (iec104) (spp_iec104): IEC104 APCI I Time2a Year Reserved - field contains a non-default value. - * 151:51 (iec104) (spp_iec104): IEC104 APCI I a null Length of - Segment value has been detected. - * 151:52 (iec104) (spp_iec104): IEC104 APCI I an invalid Length of - Segment value has been detected. - * 151:53 (iec104) (spp_iec104): IEC104 APCI I Status of File set to - a reserved value. - * 151:54 (iec104) (spp_iec104): IEC104 APCI I Qualifier of Set - Point Command ql field set to a reserved value. 
+ non-default value + * 151:32 (iec104) IEC104 APCI I IEEE STD 754 value results in NaN + * 151:33 (iec104) IEC104 APCI I IEEE STD 754 value results in + infinity + * 151:34 (iec104) IEC104 APCI I Single Event of Protection + Equipment Structure Reserved field contains a non-default value + * 151:35 (iec104) IEC104 APCI I Start Event of Protection Equipment + Structure Reserved field contains a non-default value + * 151:36 (iec104) IEC104 APCI I Output Circuit Information + Structure Reserved field contains a non-default value + * 151:37 (iec104) IEC104 APCI I Abnormal Fixed Test Bit Pattern + detected + * 151:38 (iec104) IEC104 APCI I Single Command Structure Reserved + field contains a non-default value + * 151:39 (iec104) IEC104 APCI I Double Command Structure contains + an invalid value + * 151:40 (iec104) IEC104 APCI I Regulating Step Command Structure + Reserved field contains a non-default value + * 151:41 (iec104) IEC104 APCI I Time2a Millisecond set outside of + the allowable range + * 151:42 (iec104) IEC104 APCI I Time2a Minute set outside of the + allowable range + * 151:43 (iec104) IEC104 APCI I Time2a Minute Reserved field + contains a non-default value + * 151:44 (iec104) IEC104 APCI I Time2a Hours set outside of the + allowable range + * 151:45 (iec104) IEC104 APCI I Time2a Hours Reserved field + contains a non-default value + * 151:46 (iec104) IEC104 APCI I Time2a Day of Month set outside of + the allowable range + * 151:47 (iec104) IEC104 APCI I Time2a Month set outside of the + allowable range + * 151:48 (iec104) IEC104 APCI I Time2a Month Reserved field + contains a non-default value + * 151:49 (iec104) IEC104 APCI I Time2a Year set outside of the + allowable range + * 151:50 (iec104) IEC104 APCI I Time2a Year Reserved field contains + a non-default value + * 151:51 (iec104) IEC104 APCI I a null Length of Segment value has + been detected + * 151:52 (iec104) IEC104 APCI I an invalid Length of Segment value + has been detected + * 151:53 (iec104) 
IEC104 APCI I Status of File set to a reserved + value + * 151:54 (iec104) IEC104 APCI I Qualifier of Set Point Command ql + field set to a reserved value Peg counts: @@ -5399,7 +5398,7 @@ Instance Type: multiton Configuration: - * int stream_icmp.session_timeout = 30: session tracking timeout { + * int stream_icmp.session_timeout = 60: session tracking timeout { 1:max31 } Peg counts: @@ -5436,7 +5435,7 @@ Configuration: minimum { 1:255 } * enum stream_ip.policy = linux: fragment reassembly policy { first | linux | bsd | bsd_right | last | windows | solaris } - * int stream_ip.session_timeout = 30: session tracking timeout { + * int stream_ip.session_timeout = 60: session tracking timeout { 1:max31 } Rules: @@ -5530,7 +5529,7 @@ Configuration: TCP small segments considered to be excessive (129:12) { 0:2048 } * int stream_tcp.small_segments.maximum_size = 0: minimum bytes for a TCP segment not to be considered small (129:12) { 0:2048 } - * int stream_tcp.session_timeout = 30: session tracking timeout { + * int stream_tcp.session_timeout = 180: session tracking timeout { 1:max31 } * bool stream_tcp.track_only = false: disable reassembly if true @@ -5700,7 +5699,7 @@ Instance Type: multiton Configuration: - * int stream_user.session_timeout = 30: session tracking timeout { + * int stream_user.session_timeout = 60: session tracking timeout { 1:max31 } @@ -7438,7 +7437,8 @@ Configuration: -------------- -Help: rule option to overwrite payload data; use with rewrite action +Help: rule option to overwrite payload data; use with "rewrite" +action; works for raw packets only Type: ips_option 
@@ -8349,6 +8349,8 @@ these libraries see the Getting Started section of the manual. automatic selection) (passive | inline | read-file) * --daq-var specify extra DAQ configuration variable * --dirty-pig don’t flush packets on shutdown + * --dump-builtin-options additional options to include with + --dump-builtin-rules stubs * --dump-builtin-rules [] output stub rules for selected modules (optional) * --dump-config dump config in json format (all | top) @@ -10034,6 +10036,8 @@ these libraries see the Getting Started section of the manual. * implied snort.-d: dump the Application Layer * implied snort.--dirty-pig: don’t flush packets on shutdown * implied snort.-D: run Snort in background (daemon) mode + * string snort.--dump-builtin-options: additional options to + include with --dump-builtin-rules stubs * string snort.--dump-builtin-rules: [] output stub rules for selected modules { (optional) } * select snort.--dump-config: dump config in json format { all | @@ -10281,7 +10285,7 @@ these libraries see the Getting Started section of the manual. per flow for better estimation against cap { 0:65535 } * int stream.icmp_cache.idle_timeout = 180: maximum inactive time before retiring session tracker { 1:max32 } - * int stream_icmp.session_timeout = 30: session tracking timeout { + * int stream_icmp.session_timeout = 60: session tracking timeout { 1:max31 } * int stream.ip_cache.cap_weight = 0: additional bytes to track per flow for better estimation against cap { 0:65535 } @@ -10298,7 +10302,7 @@ these libraries see the Getting Started section of the manual. minimum { 1:255 } * enum stream_ip.policy = linux: fragment reassembly policy { first | linux | bsd | bsd_right | last | windows | solaris } - * int stream_ip.session_timeout = 30: session tracking timeout { + * int stream_ip.session_timeout = 60: session tracking timeout { 1:max31 } * int stream.max_flows = 476288: maximum simultaneous flows tracked before pruning { 2:max32 } 
@@ -10344,7 +10348,7 @@ these libraries see the Getting Started section of the manual. reassembly before traffic is seen in both directions * int stream_tcp.require_3whs = -1: don’t track midstream sessions after given seconds from start up; -1 tracks all { -1:max31 } - * int stream_tcp.session_timeout = 30: session tracking timeout { + * int stream_tcp.session_timeout = 180: session tracking timeout { 1:max31 } * bool stream_tcp.show_rebuilt_packets = false: enable cmg like output of reassembled packets @@ -10363,7 +10367,7 @@ these libraries see the Getting Started section of the manual. per flow for better estimation against cap { 0:65535 } * int stream.user_cache.idle_timeout = 180: maximum inactive time before retiring session tracker { 1:max32 } - * int stream_user.session_timeout = 30: session tracking timeout { + * int stream_user.session_timeout = 60: session tracking timeout { 1:max31 } * int suppress[].gid = 0: rule generator ID { 0:max32 } * string suppress[].ip: restrict suppression to these addresses @@ -11589,6 +11593,7 @@ these libraries see the Getting Started section of the manual. -------------- + * 2: output * 105: back_orifice * 106: rpc_decode * 112: arp_spoof 
@@ -11657,801 +11662,2682 @@ these libraries see the Getting Started section of the manual. -------------- - * 105:1 (back_orifice) BO traffic detected - * 105:2 (back_orifice) BO client traffic detected - * 105:3 (back_orifice) BO server traffic detected - * 105:4 (back_orifice) BO Snort buffer attack - * 106:1 (rpc_decode) fragmented RPC records - * 106:2 (rpc_decode) multiple RPC records - * 106:3 (rpc_decode) large RPC record fragment - * 106:4 (rpc_decode) incomplete RPC segment - * 106:5 (rpc_decode) zero-length RPC fragment - * 112:1 (arp_spoof) unicast ARP request - * 112:2 (arp_spoof) ethernet/ARP mismatch request for source - * 112:3 (arp_spoof) ethernet/ARP mismatch request for destination - * 112:4 (arp_spoof) attempted ARP cache overwrite attack - * 116:1 (ipv4) not IPv4 datagram - * 116:2 (ipv4) IPv4 header length < minimum - * 116:3 (ipv4) IPv4 datagram length < header field - * 116:4 (ipv4) IPv4 options found with bad lengths - * 116:5 (ipv4) truncated IPv4 options - * 116:6 (ipv4) IPv4 datagram length > captured length - * 116:45 (tcp) TCP packet length is smaller than 20 bytes - * 116:46 (tcp) TCP data offset is less than 5 - * 116:47 (tcp) TCP header length exceeds packet length - * 116:54 (tcp) TCP options found with bad lengths - * 116:55 (tcp) truncated TCP options - * 116:56 (tcp) T/TCP detected - * 116:57 (tcp) obsolete TCP options found - * 116:58 (tcp) experimental TCP options found - * 116:59 (tcp) TCP window scale option found with length > 14 - * 116:95 (udp) truncated UDP header - * 116:96 (udp) invalid UDP header, length field < 8 - * 116:97 (udp) short UDP packet, length field > payload length - * 116:98 (udp) long UDP packet, length field < payload length - * 116:105 (icmp4) ICMP header truncated - * 116:106 (icmp4) ICMP timestamp header truncated - * 116:107 (icmp4) ICMP address header truncated - * 116:109 (arp) truncated ARP - * 116:110 (eapol) truncated EAP header - * 116:111 (eapol) EAP key truncated - * 116:112 (eapol) EAP 
header truncated - * 116:120 (pppoe) bad PPPOE frame detected - * 116:130 (vlan) bad VLAN frame - * 116:131 (llc) bad LLC header - * 116:132 (llc) bad extra LLC info - * 116:133 (wlan) bad 802.11 LLC header - * 116:134 (wlan) bad 802.11 extra LLC info - * 116:140 (token_ring) bad Token Ring header - * 116:141 (token_ring) bad Token Ring ETHLLC header - * 116:142 (token_ring) bad Token Ring MRLEN header - * 116:143 (token_ring) bad Token Ring MR header - * 116:150 (decode) loopback IP - * 116:151 (decode) same src/dst IP - * 116:160 (gre) GRE header length > payload length - * 116:161 (gre) multiple encapsulations in packet - * 116:162 (gre) invalid GRE version - * 116:163 (gre) invalid GRE header - * 116:164 (gre) invalid GRE v.1 PPTP header - * 116:165 (gre) GRE trans header length > payload length - * 116:170 (mpls) bad MPLS frame - * 116:171 (mpls) MPLS label 0 appears in bottom header when not - decoding as ip4 - * 116:172 (mpls) MPLS label 1 appears in bottom header - * 116:173 (mpls) MPLS label 2 appears in bottom header when not - decoding as ip6 - * 116:174 (mpls) MPLS label 3 appears in header - * 116:175 (mpls) MPLS label 4, 5,.. 
or 15 appears in header - * 116:176 (mpls) too many MPLS headers - * 116:180 (geneve) insufficient room for geneve header - * 116:181 (geneve) invalid version - * 116:182 (geneve) invalid header - * 116:183 (geneve) invalid flags - * 116:184 (geneve) invalid options - * 116:250 (icmp4) ICMP original IP header truncated - * 116:251 (icmp4) ICMP version and original IP header versions - differ - * 116:252 (icmp4) ICMP original datagram length < original IP - header length - * 116:253 (icmp4) ICMP original IP payload < 64 bits - * 116:254 (icmp4) ICMP original IP payload > 576 bytes - * 116:255 (icmp4) ICMP original IP fragmented and offset not 0 - * 116:270 (ipv6) IPv6 packet below TTL limit - * 116:271 (ipv6) IPv6 header claims to not be IPv6 - * 116:272 (ipv6) IPv6 truncated extension header - * 116:273 (ipv6) IPv6 truncated header - * 116:274 (ipv6) IPv6 datagram length < header field - * 116:275 (ipv6) IPv6 datagram length > captured length - * 116:276 (ipv6) IPv6 packet with destination address ::0 - * 116:277 (ipv6) IPv6 packet with multicast source address - * 116:278 (ipv6) IPv6 packet with reserved multicast destination - address - * 116:279 (ipv6) IPv6 header includes an undefined option type - * 116:280 (ipv6) IPv6 address includes an unassigned multicast - scope value - * 116:281 (ipv6) IPv6 header includes an invalid value for the next - header field - * 116:282 (ipv6) IPv6 header includes a routing extension header - followed by a hop-by-hop header - * 116:283 (ipv6) IPv6 header includes two routing extension headers - * 116:285 (icmp6) ICMPv6 packet of type 2 (message too big) with - MTU field < 1280 - * 116:286 (icmp6) ICMPv6 packet of type 1 (destination unreachable) - with non-RFC 2463 code - * 116:287 (icmp6) ICMPv6 router solicitation packet with a code not - equal to 0 - * 116:288 (icmp6) ICMPv6 router advertisement packet with a code - not equal to 0 - * 116:289 (icmp6) ICMPv6 router solicitation packet with the - reserved field not equal to 0 - 
* 116:290 (icmp6) ICMPv6 router advertisement packet with the - reachable time field set > 1 hour - * 116:291 (ipv6) IPV6 tunneled over IPv4, IPv6 header truncated, - possible Linux kernel attack - * 116:292 (ipv6) IPv6 header has destination options followed by a - routing header - * 116:293 (decode) two or more IP (v4 and/or v6) encapsulation - layers present - * 116:294 (esp) truncated encapsulated security payload header - * 116:295 (ipv6) IPv6 header includes an option which is too big - for the containing header - * 116:296 (ipv6) IPv6 packet includes out-of-order extension - headers - * 116:297 (gtp) two or more GTP encapsulation layers present - * 116:298 (gtp) GTP header length is invalid - * 116:400 (tcp) XMAS attack detected - * 116:401 (tcp) Nmap XMAS attack detected - * 116:402 (tcp) DOS NAPTHA vulnerability detected - * 116:403 (tcp) SYN to multicast address - * 116:404 (ipv4) IPv4 packet with zero TTL - * 116:405 (ipv4) IPv4 packet with bad frag bits (both MF and DF - set) - * 116:406 (udp) invalid IPv6 UDP packet, checksum zero - * 116:407 (ipv4) IPv4 packet frag offset + length exceed maximum - * 116:408 (ipv4) IPv4 packet from current net source address - * 116:409 (ipv4) IPv4 packet to current net dest address - * 116:410 (ipv4) IPv4 packet from multicast source address - * 116:411 (ipv4) IPv4 packet from reserved source address - * 116:412 (ipv4) IPv4 packet to reserved dest address - * 116:413 (ipv4) IPv4 packet from broadcast source address - * 116:414 (ipv4) IPv4 packet to broadcast dest address - * 116:415 (icmp4) ICMP4 packet to multicast dest address - * 116:416 (icmp4) ICMP4 packet to broadcast dest address - * 116:418 (icmp4) ICMP4 type other - * 116:419 (tcp) TCP urgent pointer exceeds payload length or no - payload - * 116:420 (tcp) TCP SYN with FIN - * 116:421 (tcp) TCP SYN with RST - * 116:422 (tcp) TCP PDU missing ack for established session - * 116:423 (tcp) TCP has no SYN, ACK, or RST - * 116:424 (eth) truncated ethernet header - 
* 116:424 (pbb) truncated ethernet header - * 116:425 (ipv4) truncated IPv4 header - * 116:426 (icmp4) truncated ICMP4 header - * 116:427 (icmp6) truncated ICMPv6 header - * 116:428 (ipv4) IPv4 packet below TTL limit - * 116:429 (ipv6) IPv6 packet has zero hop limit - * 116:430 (ipv4) IPv4 packet both DF and offset set - * 116:431 (icmp6) ICMPv6 type not decoded - * 116:432 (icmp6) ICMPv6 packet to multicast address - * 116:433 (tcp) DDOS shaft SYN flood - * 116:434 (icmp4) ICMP ping Nmap - * 116:435 (icmp4) ICMP icmpenum v1.1.1 - * 116:436 (icmp4) ICMP redirect host - * 116:437 (icmp4) ICMP redirect net - * 116:438 (icmp4) ICMP traceroute ipopts - * 116:439 (icmp4) ICMP source quench - * 116:440 (icmp4) broadscan smurf scanner - * 116:441 (icmp4) ICMP destination unreachable communication - administratively prohibited - * 116:442 (icmp4) ICMP destination unreachable communication with - destination host is administratively prohibited - * 116:443 (icmp4) ICMP destination unreachable communication with - destination network is administratively prohibited - * 116:444 (ipv4) IPv4 option set - * 116:445 (udp) large UDP packet (> 4000 bytes) - * 116:446 (tcp) TCP port 0 traffic - * 116:447 (udp) UDP port 0 traffic - * 116:448 (ipv4) IPv4 reserved bit set - * 116:449 (decode) unassigned/reserved IP protocol - * 116:450 (decode) bad IP protocol - * 116:451 (icmp4) ICMP path MTU denial of service attempt - * 116:452 (icmp4) Linux ICMP header DOS attempt - * 116:453 (ipv6) ISATAP-addressed IPv6 traffic spoofing attempt - * 116:454 (pgm) PGM nak list overflow attempt - * 116:455 (igmp) DOS IGMP IP options validation attempt - * 116:456 (ipv6) too many IPv6 extension headers - * 116:457 (icmp6) ICMPv6 packet of type 1 (destination unreachable) - with non-RFC 4443 code - * 116:458 (ipv6) bogus fragmentation packet, possible BSD attack - * 116:459 (decode) fragment with zero length - * 116:460 (icmp6) ICMPv6 node info query/response packet with a - code greater than 2 - * 
116:461 (ipv6) IPv6 routing type 0 extension header - * 116:462 (erspan2) ERSpan header version mismatch - * 116:463 (erspan2) captured length < ERSpan type2 header length - * 116:464 (erspan3) captured < ERSpan type3 header length - * 116:465 (auth) truncated authentication header - * 116:466 (auth) bad authentication header length - * 116:467 (fabricpath) truncated FabricPath header - * 116:468 (ciscometadata) truncated Cisco Metadata header - * 116:469 (ciscometadata) invalid Cisco Metadata option length - * 116:470 (ciscometadata) invalid Cisco Metadata option type - * 116:471 (ciscometadata) invalid Cisco Metadata security group tag - * 116:472 (decode) too many protocols present - * 116:473 (decode) ether type out of range - * 116:474 (icmp6) ICMPv6 not encapsulated in IPv6 - * 116:475 (ipv6) IPv6 mobility header includes an invalid value for - the payload protocol field - * 119:1 (http_inspect) ascii encoding - * 119:2 (http_inspect) double decoding attack - * 119:3 (http_inspect) u encoding - * 119:4 (http_inspect) bare byte unicode encoding - * 119:6 (http_inspect) UTF-8 encoding - * 119:7 (http_inspect) unicode map code point encoding in URI - * 119:8 (http_inspect) multi_slash encoding - * 119:9 (http_inspect) backslash used in URI path - * 119:10 (http_inspect) self directory traversal - * 119:11 (http_inspect) directory traversal - * 119:12 (http_inspect) apache whitespace (tab) - * 119:13 (http_inspect) HTTP header line terminated by LF without a - CR - * 119:14 (http_inspect) non-RFC defined char - * 119:15 (http_inspect) oversize request-uri directory - * 119:16 (http_inspect) oversize chunk encoding - * 119:18 (http_inspect) webroot directory traversal - * 119:19 (http_inspect) long header - * 119:20 (http_inspect) max header fields - * 119:21 (http_inspect) multiple content length - * 119:24 (http_inspect) Host header field appears more than once or - has multiple values - * 119:25 (http_inspect) Host header value is too long - * 119:28 
(http_inspect) POST or PUT w/o content-length or chunks - * 119:31 (http_inspect) unknown method - * 119:32 (http_inspect) simple request - * 119:33 (http_inspect) unescaped space in HTTP URI - * 119:34 (http_inspect) too many pipelined requests - * 119:102 (http_inspect) invalid status code in HTTP response - * 119:104 (http_inspect) HTTP response has UTF charset that failed - to normalize - * 119:105 (http_inspect) HTTP response has UTF-7 charset - * 119:109 (http_inspect) javascript obfuscation levels exceeds 1 - * 119:110 (http_inspect) javascript whitespaces exceeds max allowed - * 119:111 (http_inspect) multiple encodings within javascript - obfuscated data - * 119:112 (http_inspect) SWF file zlib decompression failure - * 119:113 (http_inspect) SWF file LZMA decompression failure - * 119:114 (http_inspect) PDF file deflate decompression failure - * 119:115 (http_inspect) PDF file unsupported compression type - * 119:116 (http_inspect) PDF file cascaded compression - * 119:117 (http_inspect) PDF file parse failure - * 119:201 (http_inspect) not HTTP traffic - * 119:202 (http_inspect) chunk length has excessive leading zeros - * 119:203 (http_inspect) white space before or between messages - * 119:204 (http_inspect) request message without URI - * 119:205 (http_inspect) control character in reason phrase - * 119:206 (http_inspect) illegal extra whitespace in start line - * 119:207 (http_inspect) corrupted HTTP version - * 119:208 (http_inspect) unknown HTTP version - * 119:209 (http_inspect) format error in HTTP header - * 119:210 (http_inspect) chunk header options present - * 119:211 (http_inspect) URI badly formatted - * 119:212 (http_inspect) unrecognized type of percent encoding in - URI - * 119:213 (http_inspect) HTTP chunk misformatted - * 119:214 (http_inspect) white space adjacent to chunk length - * 119:215 (http_inspect) white space within header name - * 119:216 (http_inspect) excessive gzip compression - * 119:217 (http_inspect) gzip decompression 
failed - * 119:218 (http_inspect) HTTP 0.9 requested followed by another - request - * 119:219 (http_inspect) HTTP 0.9 request following a normal - request - * 119:220 (http_inspect) message has both Content-Length and - Transfer-Encoding - * 119:221 (http_inspect) status code implying no body combined with - Transfer-Encoding or nonzero Content-Length - * 119:222 (http_inspect) Transfer-Encoding not ending with chunked - * 119:223 (http_inspect) Transfer-Encoding with encodings before - chunked - * 119:224 (http_inspect) misformatted HTTP traffic - * 119:225 (http_inspect) unsupported Content-Encoding used - * 119:226 (http_inspect) unknown Content-Encoding used - * 119:227 (http_inspect) multiple Content-Encodings applied - * 119:228 (http_inspect) server response before client request - * 119:229 (http_inspect) PDF/SWF/ZIP decompression of server - response too big - * 119:230 (http_inspect) nonprinting character in HTTP message - header name - * 119:231 (http_inspect) bad Content-Length value in HTTP header - * 119:232 (http_inspect) HTTP header line wrapped - * 119:233 (http_inspect) HTTP header line terminated by CR without - a LF - * 119:234 (http_inspect) chunk terminated by nonstandard separator - * 119:235 (http_inspect) chunk length terminated by LF without CR - * 119:236 (http_inspect) more than one response with 100 status - code - * 119:237 (http_inspect) 100 status code not in response to Expect - header - * 119:238 (http_inspect) 1XX status code other than 100 or 101 - * 119:239 (http_inspect) Expect header sent without a message body - * 119:240 (http_inspect) HTTP 1.0 message with Transfer-Encoding - header - * 119:241 (http_inspect) Content-Transfer-Encoding used as HTTP - header - * 119:242 (http_inspect) illegal field in chunked message trailers - * 119:243 (http_inspect) header field inappropriately appears twice - or has two values - * 119:244 (http_inspect) invalid value chunked in Content-Encoding - header - * 119:245 (http_inspect) 206 
response sent to a request without a - Range header - * 119:246 (http_inspect) HTTP in version field not all upper case - * 119:247 (http_inspect) white space embedded in critical header - value - * 119:248 (http_inspect) gzip compressed data followed by - unexpected non-gzip data - * 119:249 (http_inspect) excessive HTTP parameter key repeats - * 119:250 (http_inspect) HTTP/2 Transfer-Encoding header other than - identity - * 119:251 (http_inspect) HTTP/2 message body overruns - Content-Length header value - * 119:252 (http_inspect) HTTP/2 message body smaller than - Content-Length header value - * 119:253 (http_inspect) HTTP CONNECT request with a message body - * 119:254 (http_inspect) HTTP client-to-server traffic after - CONNECT request but before CONNECT response - * 119:255 (http_inspect) HTTP CONNECT 2XX response with - Content-Length header - * 119:256 (http_inspect) HTTP CONNECT 2XX response with - Transfer-Encoding header - * 119:257 (http_inspect) HTTP CONNECT response with 1XX status code - * 119:258 (http_inspect) HTTP CONNECT response before request - message completed - * 119:259 (http_inspect) malformed HTTP Content-Disposition - filename parameter - * 119:260 (http_inspect) HTTP Content-Length message body was - truncated - * 119:261 (http_inspect) HTTP chunked message body was truncated - * 119:262 (http_inspect) HTTP URI scheme longer than 10 characters - * 119:263 (http_inspect) HTTP/1 client requested HTTP/2 upgrade - * 119:264 (http_inspect) HTTP/1 server granted HTTP/2 upgrade - * 119:265 (http_inspect) bad token in JavaScript - * 119:266 (http_inspect) unexpected script opening tag in - JavaScript - * 119:267 (http_inspect) unexpected script closing tag in - JavaScript - * 119:268 (http_inspect) JavaScript code under the external script - tags - * 119:269 (http_inspect) script opening tag in a short form - * 119:270 (http_inspect) max number of unique JavaScript - identifiers reached - * 119:271 (http_inspect) JavaScript template literal 
nesting is - over capacity - * 119:272 (http_inspect) Consecutive commas in HTTP Accept-Encoding - header - * 121:1 (http2_inspect) invalid flag set on HTTP/2 frame - * 121:2 (http2_inspect) HPACK integer value has leading zeros - * 121:3 (http2_inspect) HTTP/2 stream initiated with invalid stream - id - * 121:4 (http2_inspect) missing HTTP/2 continuation frame - * 121:5 (http2_inspect) unexpected HTTP/2 continuation frame - * 121:6 (http2_inspect) misformatted HTTP/2 traffic - * 121:7 (http2_inspect) HTTP/2 connection preface does not match - * 121:8 (http2_inspect) HTTP/2 request missing required header - field - * 121:9 (http2_inspect) HTTP/2 response has no status code - * 121:10 (http2_inspect) HTTP/2 CONNECT request with scheme or path - * 121:11 (http2_inspect) error in HTTP/2 settings frame - * 121:12 (http2_inspect) unknown parameter in HTTP/2 settings frame - * 121:13 (http2_inspect) invalid HTTP/2 frame sequence - * 121:14 (http2_inspect) HTTP/2 dynamic table size limit exceeded - * 121:15 (http2_inspect) HTTP/2 push promise frame with invalid - promised stream id - * 121:16 (http2_inspect) HTTP/2 padding length is bigger than frame - data size - * 121:17 (http2_inspect) HTTP/2 pseudo-header after regular header - * 121:18 (http2_inspect) HTTP/2 pseudo-header in trailers - * 121:19 (http2_inspect) invalid HTTP/2 pseudo-header - * 121:20 (http2_inspect) HTTP/2 trailers without END_STREAM bit - * 121:21 (http2_inspect) HTTP/2 push promise frame sent when - prohibited by receiver - * 121:22 (http2_inspect) padding flag set on HTTP/2 frame with zero - length - * 121:23 (http2_inspect) HTTP/2 push promise frame in c2s direction - * 121:24 (http2_inspect) invalid HTTP/2 push promise frame - * 121:25 (http2_inspect) HTTP/2 push promise frame sent at invalid - time - * 121:26 (http2_inspect) invalid parameter value sent in HTTP/2 - settings frame - * 121:27 (http2_inspect) excessive concurrent HTTP/2 streams - * 121:28 (http2_inspect) invalid HTTP/2 rst stream 
frame - * 121:29 (http2_inspect) HTTP/2 rst stream frame sent at invalid - time - * 121:30 (http2_inspect) uppercase HTTP/2 header field name - * 121:31 (http2_inspect) invalid HTTP/2 window update frame - * 121:32 (http2_inspect) HTTP/2 window update frame with zero - increment - * 121:33 (http2_inspect) HTTP/2 request without a method - * 121:34 (http2_inspect) HTTP/2 HPACK table size update not at the - start of a header block - * 121:35 (http2_inspect) More than two HTTP/2 HPACK table size - updates in a single header block - * 121:36 (http2_inspect) HTTP/2 HPACK table size update exceeds max - value set by decoder in SETTINGS frame - * 122:1 (port_scan) TCP portscan - * 122:2 (port_scan) TCP decoy portscan - * 122:3 (port_scan) TCP portsweep - * 122:4 (port_scan) TCP distributed portscan - * 122:5 (port_scan) TCP filtered portscan - * 122:6 (port_scan) TCP filtered decoy portscan - * 122:7 (port_scan) TCP filtered portsweep - * 122:8 (port_scan) TCP filtered distributed portscan - * 122:9 (port_scan) IP protocol scan - * 122:10 (port_scan) IP decoy protocol scan - * 122:11 (port_scan) IP protocol sweep - * 122:12 (port_scan) IP distributed protocol scan - * 122:13 (port_scan) IP filtered protocol scan - * 122:14 (port_scan) IP filtered decoy protocol scan - * 122:15 (port_scan) IP filtered protocol sweep - * 122:16 (port_scan) IP filtered distributed protocol scan - * 122:17 (port_scan) UDP portscan - * 122:18 (port_scan) UDP decoy portscan - * 122:19 (port_scan) UDP portsweep - * 122:20 (port_scan) UDP distributed portscan - * 122:21 (port_scan) UDP filtered portscan - * 122:22 (port_scan) UDP filtered decoy portscan - * 122:23 (port_scan) UDP filtered portsweep - * 122:24 (port_scan) UDP filtered distributed portscan - * 122:25 (port_scan) ICMP sweep - * 122:26 (port_scan) ICMP filtered sweep - * 122:27 (port_scan) open port - * 123:1 (stream_ip) inconsistent IP options on fragmented packets - * 123:2 (stream_ip) teardrop attack - * 123:3 (stream_ip) short 
fragment, possible DOS attempt - * 123:4 (stream_ip) fragment packet ends after defragmented packet - * 123:5 (stream_ip) zero-byte fragment packet - * 123:6 (stream_ip) bad fragment size, packet size is negative - * 123:7 (stream_ip) bad fragment size, packet size is greater than - 65536 - * 123:8 (stream_ip) fragmentation overlap - * 123:11 (stream_ip) TTL value less than configured minimum, not - using for reassembly - * 123:12 (stream_ip) excessive fragment overlap - * 123:13 (stream_ip) tiny fragment - * 124:1 (smtp) attempted command buffer overflow - * 124:2 (smtp) attempted data header buffer overflow - * 124:3 (smtp) attempted response buffer overflow - * 124:4 (smtp) attempted specific command buffer overflow - * 124:5 (smtp) unknown command - * 124:6 (smtp) illegal command - * 124:7 (smtp) attempted header name buffer overflow - * 124:8 (smtp) attempted X-Link2State command buffer overflow - * 124:10 (smtp) base64 decoding failed - * 124:11 (smtp) quoted-printable decoding failed - * 124:13 (smtp) Unix-to-Unix decoding failed - * 124:14 (smtp) Cyrus SASL authentication attack - * 124:15 (smtp) attempted authentication command buffer overflow - * 124:16 (smtp) file decompression failed - * 125:1 (ftp_server) TELNET cmd on FTP command channel - * 125:2 (ftp_server) invalid FTP command - * 125:3 (ftp_server) FTP command parameters were too long - * 125:4 (ftp_server) FTP command parameters were malformed - * 125:5 (ftp_server) FTP command parameters contained potential - string format - * 125:6 (ftp_server) FTP response message was too long - * 125:7 (ftp_server) FTP traffic encrypted - * 125:8 (ftp_server) FTP bounce attempt - * 125:9 (ftp_server) evasive (incomplete) TELNET cmd on FTP command - channel - * 126:1 (telnet) consecutive Telnet AYT commands beyond threshold - * 126:2 (telnet) Telnet traffic encrypted - * 126:3 (telnet) Telnet subnegotiation begin command without - subnegotiation end - * 128:1 (ssh) challenge-response overflow exploit - * 128:2 
(ssh) SSH1 CRC32 exploit - * 128:3 (ssh) server version string overflow - * 128:5 (ssh) bad message direction - * 128:6 (ssh) payload size incorrect for the given payload - * 128:7 (ssh) failed to detect SSH version string - * 129:1 (stream_tcp) SYN on established session - * 129:2 (stream_tcp) data on SYN packet - * 129:3 (stream_tcp) data sent on stream not accepting data - * 129:4 (stream_tcp) TCP timestamp is outside of PAWS window - * 129:5 (stream_tcp) bad segment, adjusted size ⇐ 0 (deprecated) - * 129:6 (stream_tcp) window size (after scaling) larger than policy - allows - * 129:7 (stream_tcp) limit on number of overlapping TCP packets - reached - * 129:8 (stream_tcp) data sent on stream after TCP reset sent - * 129:9 (stream_tcp) TCP client possibly hijacked, different - ethernet address - * 129:10 (stream_tcp) TCP server possibly hijacked, different - ethernet address - * 129:11 (stream_tcp) TCP data with no TCP flags set - * 129:12 (stream_tcp) consecutive TCP small segments exceeding - threshold - * 129:13 (stream_tcp) 4-way handshake detected - * 129:14 (stream_tcp) TCP timestamp is missing - * 129:15 (stream_tcp) reset outside window - * 129:16 (stream_tcp) FIN number is greater than prior FIN - * 129:17 (stream_tcp) ACK number is greater than prior FIN - * 129:18 (stream_tcp) data sent on stream after TCP reset received - * 129:19 (stream_tcp) TCP window closed before receiving data - * 129:20 (stream_tcp) TCP session without 3-way handshake - * 131:1 (dns) obsolete DNS RR types - * 131:2 (dns) experimental DNS RR types - * 131:3 (dns) DNS client rdata txt overflow - * 133:2 (dce_smb) SMB - bad NetBIOS session service session type - * 133:3 (dce_smb) SMB - bad SMB message type - * 133:4 (dce_smb) SMB - bad SMB Id (not \xffSMB for SMB1 or not \ - xfeSMB for SMB2) - * 133:5 (dce_smb) SMB - bad word count or structure size - * 133:6 (dce_smb) SMB - bad byte count - * 133:7 (dce_smb) SMB - bad format type - * 133:8 (dce_smb) SMB - bad offset - * 133:9 
(dce_smb) SMB - zero total data count - * 133:10 (dce_smb) SMB - NetBIOS data length less than SMB header - length - * 133:11 (dce_smb) SMB - remaining NetBIOS data length less than - command length - * 133:12 (dce_smb) SMB - remaining NetBIOS data length less than - command byte count - * 133:13 (dce_smb) SMB - remaining NetBIOS data length less than - command data size - * 133:14 (dce_smb) SMB - remaining total data count less than this - command data size - * 133:15 (dce_smb) SMB - total data sent (STDu64) greater than - command total data expected - * 133:16 (dce_smb) SMB - byte count less than command data size - (STDu64) - * 133:17 (dce_smb) SMB - invalid command data size for byte count - * 133:18 (dce_smb) SMB - excessive tree connect requests with - pending tree connect responses - * 133:19 (dce_smb) SMB - excessive read requests with pending read - responses - * 133:20 (dce_smb) SMB - excessive command chaining - * 133:21 (dce_smb) SMB - Multiple chained login requests - * 133:22 (dce_smb) SMB - Multiple chained tree connect requests - * 133:23 (dce_smb) SMB - chained/compounded login followed by - logoff - * 133:24 (dce_smb) SMB - chained/compounded tree connect followed - by tree disconnect - * 133:25 (dce_smb) SMB - chained/compounded open pipe followed by - close pipe - * 133:26 (dce_smb) SMB - invalid share access - * 133:27 (dce_tcp) connection oriented DCE/RPC - invalid major - version - * 133:28 (dce_tcp) connection oriented DCE/RPC - invalid minor - version - * 133:29 (dce_tcp) connection-oriented DCE/RPC - invalid PDU type - * 133:30 (dce_tcp) connection-oriented DCE/RPC - fragment length - less than header size - * 133:31 (dce_tcp) connection-oriented DCE/RPC - remaining fragment - length less than size needed - * 133:32 (dce_tcp) connection-oriented DCE/RPC - no context items - specified - * 133:33 (dce_tcp) connection-oriented DCE/RPC -no transfer - syntaxes specified - * 133:34 (dce_tcp) connection-oriented DCE/RPC - fragment length on - 
non-last fragment less than maximum negotiated fragment transmit - size for client - * 133:35 (dce_tcp) connection-oriented DCE/RPC - fragment length - greater than maximum negotiated fragment transmit size - * 133:36 (dce_tcp) connection-oriented DCE/RPC - alter context byte - order different from bind - * 133:37 (dce_tcp) connection-oriented DCE/RPC - call id of non - first/last fragment different from call id established for - fragmented request - * 133:38 (dce_tcp) connection-oriented DCE/RPC - opnum of non first - /last fragment different from opnum established for fragmented - request - * 133:39 (dce_tcp) connection-oriented DCE/RPC - context id of non - first/last fragment different from context id established for - fragmented request - * 133:40 (dce_udp) connection-less DCE/RPC - invalid major version - * 133:41 (dce_udp) connection-less DCE/RPC - invalid PDU type - * 133:42 (dce_udp) connection-less DCE/RPC - data length less than - header size - * 133:43 (dce_udp) connection-less DCE/RPC - bad sequence number - * 133:44 (dce_smb) SMB - invalid SMB version 1 seen - * 133:45 (dce_smb) SMB - invalid SMB version 2 seen - * 133:46 (dce_smb) SMB - invalid user, tree connect, file binding - * 133:47 (dce_smb) SMB - excessive command compounding - * 133:48 (dce_smb) SMB - zero data count - * 133:50 (dce_smb) SMB - maximum number of outstanding requests - exceeded - * 133:51 (dce_smb) SMB - outstanding requests with same MID - * 133:52 (dce_smb) SMB - deprecated dialect negotiated - * 133:53 (dce_smb) SMB - deprecated command used - * 133:54 (dce_smb) SMB - unusual command used - * 133:55 (dce_smb) SMB - invalid setup count for command - * 133:56 (dce_smb) SMB - client attempted multiple dialect - negotiations on session - * 133:57 (dce_smb) SMB - client attempted to create or set a file’s - attributes to readonly/hidden/system - * 133:58 (dce_smb) SMB - file offset provided is greater than file - size specified - * 133:59 (dce_smb) SMB - next command specified in 
SMB2 header is - beyond payload boundary - * 134:1 (latency) rule tree suspended due to latency - * 134:2 (latency) rule tree re-enabled after suspend timeout - * 134:3 (latency) packet fastpathed due to latency - * 135:1 (stream) TCP SYN received - * 135:2 (stream) TCP session established - * 135:3 (stream) TCP session cleared - * 136:1 (reputation) packets blocked based on source - * 136:2 (reputation) packets trusted based on source - * 136:3 (reputation) packets monitored based on source - * 136:4 (reputation) packets blocked based on destination - * 136:5 (reputation) packets trusted based on destination - * 136:6 (reputation) packets monitored based on destination - * 137:1 (ssl) invalid client HELLO after server HELLO detected - * 137:2 (ssl) invalid server HELLO without client HELLO detected - * 137:3 (ssl) heartbeat read overrun attempt detected - * 137:4 (ssl) large heartbeat response detected - * 140:2 (sip) empty request URI - * 140:3 (sip) URI is too long - * 140:4 (sip) empty call-Id - * 140:5 (sip) Call-Id is too long - * 140:6 (sip) CSeq number is too large or negative - * 140:7 (sip) request name in CSeq is too long - * 140:8 (sip) empty From header - * 140:9 (sip) From header is too long - * 140:10 (sip) empty To header - * 140:11 (sip) To header is too long - * 140:12 (sip) empty Via header - * 140:13 (sip) Via header is too long - * 140:14 (sip) empty Contact - * 140:15 (sip) contact is too long - * 140:16 (sip) content length is too large or negative - * 140:17 (sip) multiple SIP messages in a packet - * 140:18 (sip) content length mismatch - * 140:19 (sip) request name is invalid - * 140:20 (sip) Invite replay attack - * 140:21 (sip) illegal session information modification - * 140:22 (sip) response status code is not a 3 digit number - * 140:23 (sip) empty Content-type header - * 140:24 (sip) SIP version is invalid - * 140:25 (sip) mismatch in METHOD of request and the CSEQ header - * 140:26 (sip) method is unknown - * 140:27 (sip) maximum 
dialogs within a session reached - * 141:1 (imap) unknown IMAP3 command - * 141:2 (imap) unknown IMAP3 response - * 141:4 (imap) base64 decoding failed - * 141:5 (imap) quoted-printable decoding failed - * 141:7 (imap) Unix-to-Unix decoding failed - * 141:8 (imap) file decompression failed - * 142:1 (pop) unknown POP3 command - * 142:2 (pop) unknown POP3 response - * 142:4 (pop) base64 decoding failed - * 142:5 (pop) quoted-printable decoding failed - * 142:7 (pop) Unix-to-Unix decoding failed - * 142:8 (pop) file decompression failed - * 143:1 (gtp_inspect) message length is invalid - * 143:2 (gtp_inspect) information element length is invalid - * 143:3 (gtp_inspect) information elements are out of order - * 143:4 (gtp_inspect) TEID is missing - * 144:1 (modbus) length in Modbus MBAP header does not match the - length needed for the given function - * 144:2 (modbus) Modbus protocol ID is non-zero - * 144:3 (modbus) reserved Modbus function code in use - * 145:1 (dnp3) DNP3 link-layer frame contains bad CRC - * 145:2 (dnp3) DNP3 link-layer frame was dropped - * 145:3 (dnp3) DNP3 transport-layer segment was dropped during - reassembly - * 145:4 (dnp3) DNP3 reassembly buffer was cleared without - reassembling a complete message - * 145:5 (dnp3) DNP3 link-layer frame uses a reserved address - * 145:6 (dnp3) DNP3 application-layer fragment uses a reserved - function code - * 148:1 (cip) CIP data is malformed. - * 148:2 (cip) CIP data is non-conforming to ODVA standard. - * 148:3 (cip) CIP connection limit exceeded. Least recently used - connection removed. - * 148:4 (cip) CIP unconnected request limit exceeded. Oldest - request removed. 
- * 149:1 (s7commplus) length in S7commplus MBAP header does not - match the length needed for the given S7commplus function - * 149:2 (s7commplus) S7commplus protocol ID is non-zero - * 149:3 (s7commplus) reserved S7commplus function code in use - * 150:1 (file_id) file not processed due to per flow limit - * 151:1 (iec104) (spp_iec104): Length in IEC104 APCI header does - not match the length needed for the given IEC104 ASDU type id. - * 151:2 (iec104) (spp_iec104): IEC104 Start byte does not match - 0x68. - * 151:3 (iec104) (spp_iec104): Reserved IEC104 ASDU type id in use. - * 151:4 (iec104) (spp_iec104): IEC104 APCI U Reserved field - contains a non-default value. - * 151:5 (iec104) (spp_iec104): IEC104 APCI U message type was set - to an invalid value. - * 151:6 (iec104) (spp_iec104): IEC104 APCI S Reserved field - contains a non-default value. - * 151:7 (iec104) (spp_iec104): IEC104 APCI I number of elements set - to zero. - * 151:8 (iec104) (spp_iec104): IEC104 APCI I SQ bit set on an ASDU - that does not support the feature. - * 151:9 (iec104) (spp_iec104): IEC104 APCI I number of elements set - to greater than one on an ASDU that does not support the feature. - * 151:10 (iec104) (spp_iec104): IEC104 APCI I Cause of - Initialization set to a reserved value. - * 151:11 (iec104) (spp_iec104): IEC104 APCI I Qualifier of - Interrogation Command set to a reserved value. - * 151:12 (iec104) (spp_iec104): IEC104 APCI I Qualifier of Counter - Interrogation Command request parameter set to a reserved value. - * 151:13 (iec104) (spp_iec104): IEC104 APCI I Qualifier of - Parameter of Measured Values kind of parameter set to a reserved - value. - * 151:14 (iec104) (spp_iec104): IEC104 APCI I Qualifier of - Parameter of Measured Values local parameter change set to a - technically valid but unused value. - * 151:15 (iec104) (spp_iec104): IEC104 APCI I Qualifier of - Parameter of Measured Values parameter option set to a - technically valid but unused value. 
- * 151:16 (iec104) (spp_iec104): IEC104 APCI I Qualifier of - Parameter Activation set to a reserved value. - * 151:17 (iec104) (spp_iec104): IEC104 APCI I Qualifier of Command - set to a reserved value. - * 151:18 (iec104) (spp_iec104): IEC104 APCI I Qualifier of Reset - Process set to a reserved value. - * 151:19 (iec104) (spp_iec104): IEC104 APCI I File Ready Qualifier - set to a reserved value. - * 151:20 (iec104) (spp_iec104): IEC104 APCI I Section Ready - Qualifier set to a reserved value. - * 151:21 (iec104) (spp_iec104): IEC104 APCI I Select and Call - Qualifier set to a reserved value. - * 151:22 (iec104) (spp_iec104): IEC104 APCI I Last Section or - Segment Qualifier set to a reserved value. - * 151:23 (iec104) (spp_iec104): IEC104 APCI I Acknowledge File or - Section Qualifier set to a reserved value. - * 151:24 (iec104) (spp_iec104): IEC104 APCI I Structure Qualifier - set on a message where it should have no effect. - * 151:25 (iec104) (spp_iec104): IEC104 APCI I Single Point - Information Reserved field contains a non-default value. - * 151:26 (iec104) (spp_iec104): IEC104 APCI I Double Point - Information Reserved field contains a non-default value. - * 151:27 (iec104) (spp_iec104): IEC104 APCI I Cause of Transmission - set to a reserved value. - * 151:28 (iec104) (spp_iec104): IEC104 APCI I Cause of Transmission - set to a value not allowed for the ASDU. - * 151:29 (iec104) (spp_iec104): IEC104 APCI I invalid two octet - common address value detected. - * 151:30 (iec104) (spp_iec104): IEC104 APCI I Quality Descriptor - Structure Reserved field contains a non-default value. - * 151:31 (iec104) (spp_iec104): IEC104 APCI I Quality Descriptor - for Events of Protection Equipment Structure Reserved field - contains a non-default value. - * 151:32 (iec104) (spp_iec104): IEC104 APCI I IEEE STD 754 value - results in NaN. - * 151:33 (iec104) (spp_iec104): IEC104 APCI I IEEE STD 754 value - results in infinity. 
- * 151:34 (iec104) (spp_iec104): IEC104 APCI I Single Event of - Protection Equipment Structure Reserved field contains a - non-default value. - * 151:35 (iec104) (spp_iec104): IEC104 APCI I Start Event of - Protection Equipment Structure Reserved field contains a - non-default value. - * 151:36 (iec104) (spp_iec104): IEC104 APCI I Output Circuit - Information Structure Reserved field contains a non-default - value. - * 151:37 (iec104) (spp_iec104): IEC104 APCI I Abnormal Fixed Test - Bit Pattern detected. - * 151:38 (iec104) (spp_iec104): IEC104 APCI I Single Command - Structure Reserved field contains a non-default value. - * 151:39 (iec104) (spp_iec104): IEC104 APCI I Double Command - Structure contains an invalid value. - * 151:40 (iec104) (spp_iec104): IEC104 APCI I Regulating Step - Command Structure Reserved field contains a non-default value. - * 151:41 (iec104) (spp_iec104): IEC104 APCI I Time2a Millisecond - set outside of the allowable range. - * 151:42 (iec104) (spp_iec104): IEC104 APCI I Time2a Minute set - outside of the allowable range. - * 151:43 (iec104) (spp_iec104): IEC104 APCI I Time2a Minute - Reserved field contains a non-default value. - * 151:44 (iec104) (spp_iec104): IEC104 APCI I Time2a Hours set - outside of the allowable range. - * 151:45 (iec104) (spp_iec104): IEC104 APCI I Time2a Hours Reserved - field contains a non-default value. - * 151:46 (iec104) (spp_iec104): IEC104 APCI I Time2a Day of Month - set outside of the allowable range. - * 151:47 (iec104) (spp_iec104): IEC104 APCI I Time2a Month set - outside of the allowable range. - * 151:48 (iec104) (spp_iec104): IEC104 APCI I Time2a Month Reserved - field contains a non-default value. - * 151:49 (iec104) (spp_iec104): IEC104 APCI I Time2a Year set - outside of the allowable range. - * 151:50 (iec104) (spp_iec104): IEC104 APCI I Time2a Year Reserved - field contains a non-default value. 
- * 151:51 (iec104) (spp_iec104): IEC104 APCI I a null Length of - Segment value has been detected. - * 151:52 (iec104) (spp_iec104): IEC104 APCI I an invalid Length of - Segment value has been detected. - * 151:53 (iec104) (spp_iec104): IEC104 APCI I Status of File set to - a reserved value. - * 151:54 (iec104) (spp_iec104): IEC104 APCI I Qualifier of Set - Point Command ql field set to a reserved value. - * 175:1 (domain_filter) configured domain detected - * 256:1 (dpx) too much data sent to port +2:1 (output) tagged packet + +A tagged packet was logged. + +105:1 (back_orifice) BO traffic detected + +(back_orifice) BO traffic detected + +105:2 (back_orifice) BO client traffic detected + +(back_orifice) BO client traffic detected + +105:3 (back_orifice) BO server traffic detected + +(back_orifice) BO server traffic detected + +105:4 (back_orifice) BO Snort buffer attack + +(back_orifice) BO Snort buffer attack + +106:1 (rpc_decode) fragmented RPC records + +(rpc_decode) fragmented RPC records + +106:2 (rpc_decode) multiple RPC records + +(rpc_decode) multiple RPC records + +106:3 (rpc_decode) large RPC record fragment + +(rpc_decode) large RPC record fragment + +106:4 (rpc_decode) incomplete RPC segment + +(rpc_decode) incomplete RPC segment + +106:5 (rpc_decode) zero-length RPC fragment + +(rpc_decode) zero-length RPC fragment + +112:1 (arp_spoof) unicast ARP request + +(arp_spoof) unicast ARP request + +112:2 (arp_spoof) ethernet/ARP mismatch request for source + +(arp_spoof) ethernet/ARP mismatch request for source + +112:3 (arp_spoof) ethernet/ARP mismatch request for destination + +(arp_spoof) ethernet/ARP mismatch request for destination + +112:4 (arp_spoof) attempted ARP cache overwrite attack + +(arp_spoof) attempted ARP cache overwrite attack + +116:1 (ipv4) not IPv4 datagram + +(ipv4) not IPv4 datagram + +116:2 (ipv4) IPv4 header length < minimum + +(ipv4) IPv4 header length < minimum + +116:3 (ipv4) IPv4 datagram length < header field + +(ipv4) IPv4 
datagram length < header field + +116:4 (ipv4) IPv4 options found with bad lengths + +(ipv4) IPv4 options found with bad lengths + +116:5 (ipv4) truncated IPv4 options + +(ipv4) truncated IPv4 options + +116:6 (ipv4) IPv4 datagram length > captured length + +(ipv4) IPv4 datagram length > captured length + +116:45 (tcp) TCP packet length is smaller than 20 bytes + +(tcp) TCP packet length is smaller than 20 bytes + +116:46 (tcp) TCP data offset is less than 5 + +(tcp) TCP data offset is less than 5 + +116:47 (tcp) TCP header length exceeds packet length + +(tcp) TCP header length exceeds packet length + +116:54 (tcp) TCP options found with bad lengths + +(tcp) TCP options found with bad lengths + +116:55 (tcp) truncated TCP options + +(tcp) truncated TCP options + +116:56 (tcp) T/TCP detected + +(tcp) T/TCP detected + +116:57 (tcp) obsolete TCP options found + +(tcp) obsolete TCP options found + +116:58 (tcp) experimental TCP options found + +(tcp) experimental TCP options found + +116:59 (tcp) TCP window scale option found with length > 14 + +(tcp) TCP window scale option found with length > 14 + +116:95 (udp) truncated UDP header + +(udp) truncated UDP header + +116:96 (udp) invalid UDP header, length field < 8 + +(udp) invalid UDP header, length field < 8 + +116:97 (udp) short UDP packet, length field > payload length + +(udp) short UDP packet, length field > payload length + +116:98 (udp) long UDP packet, length field < payload length + +(udp) long UDP packet, length field < payload length + +116:105 (icmp4) ICMP header truncated + +(icmp4) ICMP header truncated + +116:106 (icmp4) ICMP timestamp header truncated + +(icmp4) ICMP timestamp header truncated + +116:107 (icmp4) ICMP address header truncated + +(icmp4) ICMP address header truncated + +116:109 (arp) truncated ARP + +(arp) truncated ARP + +116:110 (eapol) truncated EAP header + +(eapol) truncated EAP header + +116:111 (eapol) EAP key truncated + +(eapol) EAP key truncated + +116:112 (eapol) EAP header 
truncated + +(eapol) EAP header truncated + +116:120 (pppoe) bad PPPOE frame detected + +(pppoe) bad PPPOE frame detected + +116:130 (vlan) bad VLAN frame + +(vlan) bad VLAN frame + +116:131 (llc) bad LLC header + +(llc) bad LLC header + +116:132 (llc) bad extra LLC info + +(llc) bad extra LLC info + +116:133 (wlan) bad 802.11 LLC header + +(wlan) bad 802.11 LLC header + +116:134 (wlan) bad 802.11 extra LLC info + +(wlan) bad 802.11 extra LLC info + +116:140 (token_ring) bad Token Ring header + +(token_ring) bad Token Ring header + +116:141 (token_ring) bad Token Ring ETHLLC header + +(token_ring) bad Token Ring ETHLLC header + +116:142 (token_ring) bad Token Ring MRLEN header + +(token_ring) bad Token Ring MRLEN header + +116:143 (token_ring) bad Token Ring MR header + +(token_ring) bad Token Ring MR header + +116:150 (decode) loopback IP + +(decode) loopback IP + +116:151 (decode) same src/dst IP + +(decode) same src/dst IP + +116:160 (gre) GRE header length > payload length + +(gre) GRE header length > payload length + +116:161 (gre) multiple encapsulations in packet + +(gre) multiple encapsulations in packet + +116:162 (gre) invalid GRE version + +(gre) invalid GRE version + +116:163 (gre) invalid GRE header + +(gre) invalid GRE header + +116:164 (gre) invalid GRE v.1 PPTP header + +(gre) invalid GRE v.1 PPTP header + +116:165 (gre) GRE trans header length > payload length + +(gre) GRE trans header length > payload length + +116:170 (mpls) bad MPLS frame + +(mpls) bad MPLS frame + +116:171 (mpls) MPLS label 0 appears in bottom header when not +decoding as ip4 + +(mpls) MPLS label 0 appears in bottom header when not decoding as ip4 + +116:172 (mpls) MPLS label 1 appears in bottom header + +(mpls) MPLS label 1 appears in bottom header + +116:173 (mpls) MPLS label 2 appears in bottom header when not +decoding as ip6 + +(mpls) MPLS label 2 appears in bottom header when not decoding as ip6 + +116:174 (mpls) MPLS label 3 appears in header + +(mpls) MPLS label 3 
appears in header + +116:175 (mpls) MPLS label 4, 5,.. or 15 appears in header + +(mpls) MPLS label 4, 5,.. or 15 appears in header + +116:176 (mpls) too many MPLS headers + +(mpls) too many MPLS headers + +116:180 (geneve) insufficient room for geneve header + +(geneve) insufficient room for geneve header + +116:181 (geneve) invalid version + +(geneve) invalid version + +116:182 (geneve) invalid header + +(geneve) invalid header + +116:183 (geneve) invalid flags + +(geneve) invalid flags + +116:184 (geneve) invalid options + +(geneve) invalid options + +116:250 (icmp4) ICMP original IP header truncated + +(icmp4) ICMP original IP header truncated + +116:251 (icmp4) ICMP version and original IP header versions differ + +(icmp4) ICMP version and original IP header versions differ + +116:252 (icmp4) ICMP original datagram length < original IP header +length + +(icmp4) ICMP original datagram length < original IP header length + +116:253 (icmp4) ICMP original IP payload < 64 bits + +(icmp4) ICMP original IP payload < 64 bits + +116:254 (icmp4) ICMP original IP payload > 576 bytes + +(icmp4) ICMP original IP payload > 576 bytes + +116:255 (icmp4) ICMP original IP fragmented and offset not 0 + +(icmp4) ICMP original IP fragmented and offset not 0 + +116:270 (ipv6) IPv6 packet below TTL limit + +(ipv6) IPv6 packet below TTL limit + +116:271 (ipv6) IPv6 header claims to not be IPv6 + +(ipv6) IPv6 header claims to not be IPv6 + +116:272 (ipv6) IPv6 truncated extension header + +(ipv6) IPv6 truncated extension header + +116:273 (ipv6) IPv6 truncated header + +(ipv6) IPv6 truncated header + +116:274 (ipv6) IPv6 datagram length < header field + +(ipv6) IPv6 datagram length < header field + +116:275 (ipv6) IPv6 datagram length > captured length + +(ipv6) IPv6 datagram length > captured length + +116:276 (ipv6) IPv6 packet with destination address ::0 + +(ipv6) IPv6 packet with destination address ::0 + +116:277 (ipv6) IPv6 packet with multicast source address + +(ipv6) IPv6 
packet with multicast source address + +116:278 (ipv6) IPv6 packet with reserved multicast destination +address + +(ipv6) IPv6 packet with reserved multicast destination address + +116:279 (ipv6) IPv6 header includes an undefined option type + +(ipv6) IPv6 header includes an undefined option type + +116:280 (ipv6) IPv6 address includes an unassigned multicast scope +value + +(ipv6) IPv6 address includes an unassigned multicast scope value + +116:281 (ipv6) IPv6 header includes an invalid value for the next +header field + +(ipv6) IPv6 header includes an invalid value for the next header +field + +116:282 (ipv6) IPv6 header includes a routing extension header +followed by a hop-by-hop header + +(ipv6) IPv6 header includes a routing extension header followed by a +hop-by-hop header + +116:283 (ipv6) IPv6 header includes two routing extension headers + +(ipv6) IPv6 header includes two routing extension headers + +116:285 (icmp6) ICMPv6 packet of type 2 (message too big) with MTU +field < 1280 + +(icmp6) ICMPv6 packet of type 2 (message too big) with MTU field < +1280 + +116:286 (icmp6) ICMPv6 packet of type 1 (destination unreachable) +with non-RFC 2463 code + +(icmp6) ICMPv6 packet of type 1 (destination unreachable) with +non-RFC 2463 code + +116:287 (icmp6) ICMPv6 router solicitation packet with a code not +equal to 0 + +(icmp6) ICMPv6 router solicitation packet with a code not equal to 0 + +116:288 (icmp6) ICMPv6 router advertisement packet with a code not +equal to 0 + +(icmp6) ICMPv6 router advertisement packet with a code not equal to 0 + +116:289 (icmp6) ICMPv6 router solicitation packet with the reserved +field not equal to 0 + +(icmp6) ICMPv6 router solicitation packet with the reserved field not +equal to 0 + +116:290 (icmp6) ICMPv6 router advertisement packet with the reachable +time field set > 1 hour + +(icmp6) ICMPv6 router advertisement packet with the reachable time +field set > 1 hour + +116:291 (ipv6) IPV6 tunneled over IPv4, IPv6 header truncated, 
+possible Linux kernel attack + +(ipv6) IPV6 tunneled over IPv4, IPv6 header truncated, possible Linux +kernel attack + +116:292 (ipv6) IPv6 header has destination options followed by a +routing header + +(ipv6) IPv6 header has destination options followed by a routing +header + +116:293 (decode) two or more IP (v4 and/or v6) encapsulation layers +present + +(decode) two or more IP (v4 and/or v6) encapsulation layers present + +116:294 (esp) truncated encapsulated security payload header + +(esp) truncated encapsulated security payload header + +116:295 (ipv6) IPv6 header includes an option which is too big for +the containing header + +(ipv6) IPv6 header includes an option which is too big for the +containing header + +116:296 (ipv6) IPv6 packet includes out-of-order extension headers + +(ipv6) IPv6 packet includes out-of-order extension headers + +116:297 (gtp) two or more GTP encapsulation layers present + +(gtp) two or more GTP encapsulation layers present + +116:298 (gtp) GTP header length is invalid + +(gtp) GTP header length is invalid + +116:400 (tcp) XMAS attack detected + +(tcp) XMAS attack detected + +116:401 (tcp) Nmap XMAS attack detected + +(tcp) Nmap XMAS attack detected + +116:402 (tcp) DOS NAPTHA vulnerability detected + +(tcp) DOS NAPTHA vulnerability detected + +116:403 (tcp) SYN to multicast address + +(tcp) SYN to multicast address + +116:404 (ipv4) IPv4 packet with zero TTL + +(ipv4) IPv4 packet with zero TTL + +116:405 (ipv4) IPv4 packet with bad frag bits (both MF and DF set) + +(ipv4) IPv4 packet with bad frag bits (both MF and DF set) + +116:406 (udp) invalid IPv6 UDP packet, checksum zero + +(udp) invalid IPv6 UDP packet, checksum zero + +116:407 (ipv4) IPv4 packet frag offset + length exceed maximum + +(ipv4) IPv4 packet frag offset + length exceed maximum + +116:408 (ipv4) IPv4 packet from current net source address + +(ipv4) IPv4 packet from current net source address + +116:409 (ipv4) IPv4 packet to current net dest address + +(ipv4) 
IPv4 packet to current net dest address + +116:410 (ipv4) IPv4 packet from multicast source address + +(ipv4) IPv4 packet from multicast source address + +116:411 (ipv4) IPv4 packet from reserved source address + +(ipv4) IPv4 packet from reserved source address + +116:412 (ipv4) IPv4 packet to reserved dest address + +(ipv4) IPv4 packet to reserved dest address + +116:413 (ipv4) IPv4 packet from broadcast source address + +(ipv4) IPv4 packet from broadcast source address + +116:414 (ipv4) IPv4 packet to broadcast dest address + +(ipv4) IPv4 packet to broadcast dest address + +116:415 (icmp4) ICMP4 packet to multicast dest address + +(icmp4) ICMP4 packet to multicast dest address + +116:416 (icmp4) ICMP4 packet to broadcast dest address + +(icmp4) ICMP4 packet to broadcast dest address + +116:418 (icmp4) ICMP4 type other + +(icmp4) ICMP4 type other + +116:419 (tcp) TCP urgent pointer exceeds payload length or no payload + +(tcp) TCP urgent pointer exceeds payload length or no payload + +116:420 (tcp) TCP SYN with FIN + +(tcp) TCP SYN with FIN + +116:421 (tcp) TCP SYN with RST + +(tcp) TCP SYN with RST + +116:422 (tcp) TCP PDU missing ack for established session + +(tcp) TCP PDU missing ack for established session + +116:423 (tcp) TCP has no SYN, ACK, or RST + +(tcp) TCP has no SYN, ACK, or RST + +116:424 (pbb) truncated ethernet header + +(eth) truncated ethernet header + +116:424 (pbb) truncated ethernet header + +(pbb) truncated ethernet header + +116:425 (ipv4) truncated IPv4 header + +(ipv4) truncated IPv4 header + +116:426 (icmp4) truncated ICMP4 header + +(icmp4) truncated ICMP4 header + +116:427 (icmp6) truncated ICMPv6 header + +(icmp6) truncated ICMPv6 header + +116:428 (ipv4) IPv4 packet below TTL limit + +(ipv4) IPv4 packet below TTL limit + +116:429 (ipv6) IPv6 packet has zero hop limit + +(ipv6) IPv6 packet has zero hop limit + +116:430 (ipv4) IPv4 packet both DF and offset set + +(ipv4) IPv4 packet both DF and offset set + +116:431 (icmp6) ICMPv6 type 
not decoded + +(icmp6) ICMPv6 type not decoded + +116:432 (icmp6) ICMPv6 packet to multicast address + +(icmp6) ICMPv6 packet to multicast address + +116:433 (tcp) DDOS shaft SYN flood + +(tcp) DDOS shaft SYN flood + +116:434 (icmp4) ICMP ping Nmap + +(icmp4) ICMP ping Nmap + +116:435 (icmp4) ICMP icmpenum v1.1.1 + +(icmp4) ICMP icmpenum v1.1.1 + +116:436 (icmp4) ICMP redirect host + +(icmp4) ICMP redirect host + +116:437 (icmp4) ICMP redirect net + +(icmp4) ICMP redirect net + +116:438 (icmp4) ICMP traceroute ipopts + +(icmp4) ICMP traceroute ipopts + +116:439 (icmp4) ICMP source quench + +(icmp4) ICMP source quench + +116:440 (icmp4) broadscan smurf scanner + +(icmp4) broadscan smurf scanner + +116:441 (icmp4) ICMP destination unreachable communication +administratively prohibited + +(icmp4) ICMP destination unreachable communication administratively +prohibited + +116:442 (icmp4) ICMP destination unreachable communication with +destination host is administratively prohibited + +(icmp4) ICMP destination unreachable communication with destination +host is administratively prohibited + +116:443 (icmp4) ICMP destination unreachable communication with +destination network is administratively prohibited + +(icmp4) ICMP destination unreachable communication with destination +network is administratively prohibited + +116:444 (ipv4) IPv4 option set + +(ipv4) IPv4 option set + +116:445 (udp) large UDP packet (> 4000 bytes) + +(udp) large UDP packet (> 4000 bytes) + +116:446 (tcp) TCP port 0 traffic + +(tcp) TCP port 0 traffic + +116:447 (udp) UDP port 0 traffic + +(udp) UDP port 0 traffic + +116:448 (ipv4) IPv4 reserved bit set + +(ipv4) IPv4 reserved bit set + +116:449 (decode) unassigned/reserved IP protocol + +(decode) unassigned/reserved IP protocol + +116:450 (decode) bad IP protocol + +(decode) bad IP protocol + +116:451 (icmp4) ICMP path MTU denial of service attempt + +(icmp4) ICMP path MTU denial of service attempt + +116:452 (icmp4) Linux ICMP header DOS attempt 
+ +(icmp4) Linux ICMP header DOS attempt + +116:453 (ipv6) ISATAP-addressed IPv6 traffic spoofing attempt + +(ipv6) ISATAP-addressed IPv6 traffic spoofing attempt + +116:454 (pgm) PGM nak list overflow attempt + +(pgm) PGM nak list overflow attempt + +116:455 (igmp) DOS IGMP IP options validation attempt + +(igmp) DOS IGMP IP options validation attempt + +116:456 (ipv6) too many IPv6 extension headers + +(ipv6) too many IPv6 extension headers + +116:457 (icmp6) ICMPv6 packet of type 1 (destination unreachable) +with non-RFC 4443 code + +(icmp6) ICMPv6 packet of type 1 (destination unreachable) with +non-RFC 4443 code + +116:458 (ipv6) bogus fragmentation packet, possible BSD attack + +(ipv6) bogus fragmentation packet, possible BSD attack + +116:459 (decode) fragment with zero length + +(decode) fragment with zero length + +116:460 (icmp6) ICMPv6 node info query/response packet with a code +greater than 2 + +(icmp6) ICMPv6 node info query/response packet with a code greater +than 2 + +116:461 (ipv6) IPv6 routing type 0 extension header + +(ipv6) IPv6 routing type 0 extension header + +116:462 (erspan2) ERSpan header version mismatch + +(erspan2) ERSpan header version mismatch + +116:463 (erspan2) captured length < ERSpan type2 header length + +(erspan2) captured length < ERSpan type2 header length + +116:464 (erspan3) captured < ERSpan type3 header length + +(erspan3) captured < ERSpan type3 header length + +116:465 (auth) truncated authentication header + +(auth) truncated authentication header + +116:466 (auth) bad authentication header length + +(auth) bad authentication header length + +116:467 (fabricpath) truncated FabricPath header + +(fabricpath) truncated FabricPath header + +116:468 (ciscometadata) truncated Cisco Metadata header + +(ciscometadata) truncated Cisco Metadata header + +116:469 (ciscometadata) invalid Cisco Metadata option length + +(ciscometadata) invalid Cisco Metadata option length + +116:470 (ciscometadata) invalid Cisco Metadata option 
type + +(ciscometadata) invalid Cisco Metadata option type + +116:471 (ciscometadata) invalid Cisco Metadata security group tag + +(ciscometadata) invalid Cisco Metadata security group tag + +116:472 (decode) too many protocols present + +(decode) too many protocols present + +116:473 (decode) ether type out of range + +(decode) ether type out of range + +116:474 (icmp6) ICMPv6 not encapsulated in IPv6 + +(icmp6) ICMPv6 not encapsulated in IPv6 + +116:475 (ipv6) IPv6 mobility header includes an invalid value for the +payload protocol field + +(ipv6) IPv6 mobility header includes an invalid value for the payload +protocol field + +119:1 (http_inspect) ascii encoding + +(http_inspect) ascii encoding + +119:2 (http_inspect) double decoding attack + +(http_inspect) double decoding attack + +119:3 (http_inspect) u encoding + +(http_inspect) u encoding + +119:4 (http_inspect) bare byte unicode encoding + +(http_inspect) bare byte unicode encoding + +119:6 (http_inspect) UTF-8 encoding + +(http_inspect) UTF-8 encoding + +119:7 (http_inspect) unicode map code point encoding in URI + +(http_inspect) unicode map code point encoding in URI + +119:8 (http_inspect) multi_slash encoding + +(http_inspect) multi_slash encoding + +119:9 (http_inspect) backslash used in URI path + +(http_inspect) backslash used in URI path + +119:10 (http_inspect) self directory traversal + +(http_inspect) self directory traversal + +119:11 (http_inspect) directory traversal + +(http_inspect) directory traversal + +119:12 (http_inspect) apache whitespace (tab) + +(http_inspect) apache whitespace (tab) + +119:13 (http_inspect) HTTP header line terminated by LF without a CR + +(http_inspect) HTTP header line terminated by LF without a CR + +119:14 (http_inspect) non-RFC defined char + +(http_inspect) non-RFC defined char + +119:15 (http_inspect) oversize request-uri directory + +(http_inspect) oversize request-uri directory + +119:16 (http_inspect) oversize chunk encoding + +(http_inspect) oversize 
chunk encoding + +119:18 (http_inspect) webroot directory traversal + +(http_inspect) webroot directory traversal + +119:19 (http_inspect) long header + +(http_inspect) long header + +119:20 (http_inspect) max header fields + +(http_inspect) max header fields + +119:21 (http_inspect) multiple content length + +(http_inspect) multiple content length + +119:24 (http_inspect) Host header field appears more than once or has +multiple values + +(http_inspect) Host header field appears more than once or has +multiple values + +119:25 (http_inspect) Host header value is too long + +(http_inspect) Host header value is too long + +119:28 (http_inspect) POST or PUT w/o content-length or chunks + +(http_inspect) POST or PUT w/o content-length or chunks + +119:31 (http_inspect) unknown method + +(http_inspect) unknown method + +119:32 (http_inspect) simple request + +(http_inspect) simple request + +119:33 (http_inspect) unescaped space in HTTP URI + +(http_inspect) unescaped space in HTTP URI + +119:34 (http_inspect) too many pipelined requests + +(http_inspect) too many pipelined requests + +119:102 (http_inspect) invalid status code in HTTP response + +(http_inspect) invalid status code in HTTP response + +119:104 (http_inspect) HTTP response has UTF charset that failed to +normalize + +(http_inspect) HTTP response has UTF charset that failed to normalize + +119:105 (http_inspect) HTTP response has UTF-7 charset + +(http_inspect) HTTP response has UTF-7 charset + +119:109 (http_inspect) javascript obfuscation levels exceeds 1 + +(http_inspect) javascript obfuscation levels exceeds 1 + +119:110 (http_inspect) javascript whitespaces exceeds max allowed + +(http_inspect) javascript whitespaces exceeds max allowed + +119:111 (http_inspect) multiple encodings within javascript +obfuscated data + +(http_inspect) multiple encodings within javascript obfuscated data + +119:112 (http_inspect) SWF file zlib decompression failure + +(http_inspect) SWF file zlib decompression failure + 
+119:113 (http_inspect) SWF file LZMA decompression failure + +(http_inspect) SWF file LZMA decompression failure + +119:114 (http_inspect) PDF file deflate decompression failure + +(http_inspect) PDF file deflate decompression failure + +119:115 (http_inspect) PDF file unsupported compression type + +(http_inspect) PDF file unsupported compression type + +119:116 (http_inspect) PDF file cascaded compression + +(http_inspect) PDF file cascaded compression + +119:117 (http_inspect) PDF file parse failure + +(http_inspect) PDF file parse failure + +119:201 (http_inspect) not HTTP traffic + +(http_inspect) not HTTP traffic + +119:202 (http_inspect) chunk length has excessive leading zeros + +(http_inspect) chunk length has excessive leading zeros + +119:203 (http_inspect) white space before or between messages + +(http_inspect) white space before or between messages + +119:204 (http_inspect) request message without URI + +(http_inspect) request message without URI + +119:205 (http_inspect) control character in reason phrase + +(http_inspect) control character in reason phrase + +119:206 (http_inspect) illegal extra whitespace in start line + +(http_inspect) illegal extra whitespace in start line + +119:207 (http_inspect) corrupted HTTP version + +(http_inspect) corrupted HTTP version + +119:208 (http_inspect) unknown HTTP version + +(http_inspect) unknown HTTP version + +119:209 (http_inspect) format error in HTTP header + +(http_inspect) format error in HTTP header + +119:210 (http_inspect) chunk header options present + +(http_inspect) chunk header options present + +119:211 (http_inspect) URI badly formatted + +(http_inspect) URI badly formatted + +119:212 (http_inspect) unrecognized type of percent encoding in URI + +(http_inspect) unrecognized type of percent encoding in URI + +119:213 (http_inspect) HTTP chunk misformatted + +(http_inspect) HTTP chunk misformatted + +119:214 (http_inspect) white space adjacent to chunk length + +(http_inspect) white space 
adjacent to chunk length + +119:215 (http_inspect) white space within header name + +(http_inspect) white space within header name + +119:216 (http_inspect) excessive gzip compression + +(http_inspect) excessive gzip compression + +119:217 (http_inspect) gzip decompression failed + +(http_inspect) gzip decompression failed + +119:218 (http_inspect) HTTP 0.9 requested followed by another request + +(http_inspect) HTTP 0.9 requested followed by another request + +119:219 (http_inspect) HTTP 0.9 request following a normal request + +(http_inspect) HTTP 0.9 request following a normal request + +119:220 (http_inspect) message has both Content-Length and +Transfer-Encoding + +(http_inspect) message has both Content-Length and Transfer-Encoding + +119:221 (http_inspect) status code implying no body combined with +Transfer-Encoding or nonzero Content-Length + +(http_inspect) status code implying no body combined with +Transfer-Encoding or nonzero Content-Length + +119:222 (http_inspect) Transfer-Encoding not ending with chunked + +(http_inspect) Transfer-Encoding not ending with chunked + +119:223 (http_inspect) Transfer-Encoding with encodings before +chunked + +(http_inspect) Transfer-Encoding with encodings before chunked + +119:224 (http_inspect) misformatted HTTP traffic + +(http_inspect) misformatted HTTP traffic + +119:225 (http_inspect) unsupported Content-Encoding used + +(http_inspect) unsupported Content-Encoding used + +119:226 (http_inspect) unknown Content-Encoding used + +(http_inspect) unknown Content-Encoding used + +119:227 (http_inspect) multiple Content-Encodings applied + +(http_inspect) multiple Content-Encodings applied + +119:228 (http_inspect) server response before client request + +(http_inspect) server response before client request + +119:229 (http_inspect) PDF/SWF/ZIP decompression of server response +too big + +(http_inspect) PDF/SWF/ZIP decompression of server response too big + +119:230 (http_inspect) nonprinting character in HTTP message 
header +name + +(http_inspect) nonprinting character in HTTP message header name + +119:231 (http_inspect) bad Content-Length value in HTTP header + +(http_inspect) bad Content-Length value in HTTP header + +119:232 (http_inspect) HTTP header line wrapped + +(http_inspect) HTTP header line wrapped + +119:233 (http_inspect) HTTP header line terminated by CR without a LF + +(http_inspect) HTTP header line terminated by CR without a LF + +119:234 (http_inspect) chunk terminated by nonstandard separator + +(http_inspect) chunk terminated by nonstandard separator + +119:235 (http_inspect) chunk length terminated by LF without CR + +(http_inspect) chunk length terminated by LF without CR + +119:236 (http_inspect) more than one response with 100 status code + +(http_inspect) more than one response with 100 status code + +119:237 (http_inspect) 100 status code not in response to Expect +header + +(http_inspect) 100 status code not in response to Expect header + +119:238 (http_inspect) 1XX status code other than 100 or 101 + +(http_inspect) 1XX status code other than 100 or 101 + +119:239 (http_inspect) Expect header sent without a message body + +(http_inspect) Expect header sent without a message body + +119:240 (http_inspect) HTTP 1.0 message with Transfer-Encoding header + +(http_inspect) HTTP 1.0 message with Transfer-Encoding header + +119:241 (http_inspect) Content-Transfer-Encoding used as HTTP header + +(http_inspect) Content-Transfer-Encoding used as HTTP header + +119:242 (http_inspect) illegal field in chunked message trailers + +(http_inspect) illegal field in chunked message trailers + +119:243 (http_inspect) header field inappropriately appears twice or +has two values + +(http_inspect) header field inappropriately appears twice or has two +values + +119:244 (http_inspect) invalid value chunked in Content-Encoding +header + +(http_inspect) invalid value chunked in Content-Encoding header + +119:245 (http_inspect) 206 response sent to a request without a Range 
+header + +(http_inspect) 206 response sent to a request without a Range header + +119:246 (http_inspect) HTTP in version field not all upper case + +(http_inspect) HTTP in version field not all upper case + +119:247 (http_inspect) white space embedded in critical header value + +(http_inspect) white space embedded in critical header value + +119:248 (http_inspect) gzip compressed data followed by unexpected +non-gzip data + +(http_inspect) gzip compressed data followed by unexpected non-gzip +data + +119:249 (http_inspect) excessive HTTP parameter key repeats + +(http_inspect) excessive HTTP parameter key repeats + +119:250 (http_inspect) HTTP/2 Transfer-Encoding header other than +identity + +(http_inspect) HTTP/2 Transfer-Encoding header other than identity + +119:251 (http_inspect) HTTP/2 message body overruns Content-Length +header value + +(http_inspect) HTTP/2 message body overruns Content-Length header +value + +119:252 (http_inspect) HTTP/2 message body smaller than +Content-Length header value + +(http_inspect) HTTP/2 message body smaller than Content-Length header +value + +119:253 (http_inspect) HTTP CONNECT request with a message body + +(http_inspect) HTTP CONNECT request with a message body + +119:254 (http_inspect) HTTP client-to-server traffic after CONNECT +request but before CONNECT response + +(http_inspect) HTTP client-to-server traffic after CONNECT request +but before CONNECT response + +119:255 (http_inspect) HTTP CONNECT 2XX response with Content-Length +header + +(http_inspect) HTTP CONNECT 2XX response with Content-Length header + +119:256 (http_inspect) HTTP CONNECT 2XX response with +Transfer-Encoding header + +(http_inspect) HTTP CONNECT 2XX response with Transfer-Encoding +header + +119:257 (http_inspect) HTTP CONNECT response with 1XX status code + +(http_inspect) HTTP CONNECT response with 1XX status code + +119:258 (http_inspect) HTTP CONNECT response before request message +completed + +(http_inspect) HTTP CONNECT response before 
request message completed + +119:259 (http_inspect) malformed HTTP Content-Disposition filename +parameter + +(http_inspect) malformed HTTP Content-Disposition filename parameter + +119:260 (http_inspect) HTTP Content-Length message body was truncated + +(http_inspect) HTTP Content-Length message body was truncated + +119:261 (http_inspect) HTTP chunked message body was truncated + +(http_inspect) HTTP chunked message body was truncated + +119:262 (http_inspect) HTTP URI scheme longer than 10 characters + +(http_inspect) HTTP URI scheme longer than 10 characters + +119:263 (http_inspect) HTTP/1 client requested HTTP/2 upgrade + +(http_inspect) HTTP/1 client requested HTTP/2 upgrade + +119:264 (http_inspect) HTTP/1 server granted HTTP/2 upgrade + +(http_inspect) HTTP/1 server granted HTTP/2 upgrade + +119:265 (http_inspect) bad token in JavaScript + +(http_inspect) bad token in JavaScript + +119:266 (http_inspect) unexpected script opening tag in JavaScript + +(http_inspect) unexpected script opening tag in JavaScript + +119:267 (http_inspect) unexpected script closing tag in JavaScript + +(http_inspect) unexpected script closing tag in JavaScript + +119:268 (http_inspect) JavaScript code under the external script tags + +(http_inspect) JavaScript code under the external script tags + +119:269 (http_inspect) script opening tag in a short form + +(http_inspect) script opening tag in a short form + +119:270 (http_inspect) max number of unique JavaScript identifiers +reached + +(http_inspect) max number of unique JavaScript identifiers reached + +119:271 (http_inspect) JavaScript template literal nesting is over +capacity + +(http_inspect) JavaScript template literal nesting is over capacity + +119:272 (http_inspect) Consecutive commas in HTTP Accept-Encoding +header + +(http_inspect) Consecutive commas in HTTP Accept-Encoding header + +121:1 (http2_inspect) invalid flag set on HTTP/2 frame + +(http2_inspect) invalid flag set on HTTP/2 frame + +121:2 (http2_inspect) 
HPACK integer value has leading zeros + +(http2_inspect) HPACK integer value has leading zeros + +121:3 (http2_inspect) HTTP/2 stream initiated with invalid stream id + +(http2_inspect) HTTP/2 stream initiated with invalid stream id + +121:4 (http2_inspect) missing HTTP/2 continuation frame + +(http2_inspect) missing HTTP/2 continuation frame + +121:5 (http2_inspect) unexpected HTTP/2 continuation frame + +(http2_inspect) unexpected HTTP/2 continuation frame + +121:6 (http2_inspect) misformatted HTTP/2 traffic + +(http2_inspect) misformatted HTTP/2 traffic + +121:7 (http2_inspect) HTTP/2 connection preface does not match + +(http2_inspect) HTTP/2 connection preface does not match + +121:8 (http2_inspect) HTTP/2 request missing required header field + +(http2_inspect) HTTP/2 request missing required header field + +121:9 (http2_inspect) HTTP/2 response has no status code + +(http2_inspect) HTTP/2 response has no status code + +121:10 (http2_inspect) HTTP/2 CONNECT request with scheme or path + +(http2_inspect) HTTP/2 CONNECT request with scheme or path + +121:11 (http2_inspect) error in HTTP/2 settings frame + +(http2_inspect) error in HTTP/2 settings frame + +121:12 (http2_inspect) unknown parameter in HTTP/2 settings frame + +(http2_inspect) unknown parameter in HTTP/2 settings frame + +121:13 (http2_inspect) invalid HTTP/2 frame sequence + +(http2_inspect) invalid HTTP/2 frame sequence + +121:14 (http2_inspect) HTTP/2 dynamic table size limit exceeded + +(http2_inspect) HTTP/2 dynamic table size limit exceeded + +121:15 (http2_inspect) HTTP/2 push promise frame with invalid +promised stream id + +(http2_inspect) HTTP/2 push promise frame with invalid promised +stream id + +121:16 (http2_inspect) HTTP/2 padding length is bigger than frame +data size + +(http2_inspect) HTTP/2 padding length is bigger than frame data size + +121:17 (http2_inspect) HTTP/2 pseudo-header after regular header + +(http2_inspect) HTTP/2 pseudo-header after regular header + +121:18 
(http2_inspect) HTTP/2 pseudo-header in trailers + +(http2_inspect) HTTP/2 pseudo-header in trailers + +121:19 (http2_inspect) invalid HTTP/2 pseudo-header + +(http2_inspect) invalid HTTP/2 pseudo-header + +121:20 (http2_inspect) HTTP/2 trailers without END_STREAM bit + +(http2_inspect) HTTP/2 trailers without END_STREAM bit + +121:21 (http2_inspect) HTTP/2 push promise frame sent when prohibited +by receiver + +(http2_inspect) HTTP/2 push promise frame sent when prohibited by +receiver + +121:22 (http2_inspect) padding flag set on HTTP/2 frame with zero +length + +(http2_inspect) padding flag set on HTTP/2 frame with zero length + +121:23 (http2_inspect) HTTP/2 push promise frame in c2s direction + +(http2_inspect) HTTP/2 push promise frame in c2s direction + +121:24 (http2_inspect) invalid HTTP/2 push promise frame + +(http2_inspect) invalid HTTP/2 push promise frame + +121:25 (http2_inspect) HTTP/2 push promise frame sent at invalid time + +(http2_inspect) HTTP/2 push promise frame sent at invalid time + +121:26 (http2_inspect) invalid parameter value sent in HTTP/2 +settings frame + +(http2_inspect) invalid parameter value sent in HTTP/2 settings frame + +121:27 (http2_inspect) excessive concurrent HTTP/2 streams + +(http2_inspect) excessive concurrent HTTP/2 streams + +121:28 (http2_inspect) invalid HTTP/2 rst stream frame + +(http2_inspect) invalid HTTP/2 rst stream frame + +121:29 (http2_inspect) HTTP/2 rst stream frame sent at invalid time + +(http2_inspect) HTTP/2 rst stream frame sent at invalid time + +121:30 (http2_inspect) uppercase HTTP/2 header field name + +(http2_inspect) uppercase HTTP/2 header field name + +121:31 (http2_inspect) invalid HTTP/2 window update frame + +(http2_inspect) invalid HTTP/2 window update frame + +121:32 (http2_inspect) HTTP/2 window update frame with zero increment + +(http2_inspect) HTTP/2 window update frame with zero increment + +121:33 (http2_inspect) HTTP/2 request without a method + +(http2_inspect) HTTP/2 request 
without a method + +121:34 (http2_inspect) HTTP/2 HPACK table size update not at the +start of a header block + +(http2_inspect) HTTP/2 HPACK table size update not at the start of a +header block + +121:35 (http2_inspect) More than two HTTP/2 HPACK table size updates +in a single header block + +(http2_inspect) More than two HTTP/2 HPACK table size updates in a +single header block + +121:36 (http2_inspect) HTTP/2 HPACK table size update exceeds max +value set by decoder in SETTINGS frame + +(http2_inspect) HTTP/2 HPACK table size update exceeds max value set +by decoder in SETTINGS frame + +122:1 (port_scan) TCP portscan + +(port_scan) TCP portscan + +122:2 (port_scan) TCP decoy portscan + +(port_scan) TCP decoy portscan + +122:3 (port_scan) TCP portsweep + +(port_scan) TCP portsweep + +122:4 (port_scan) TCP distributed portscan + +(port_scan) TCP distributed portscan + +122:5 (port_scan) TCP filtered portscan + +(port_scan) TCP filtered portscan + +122:6 (port_scan) TCP filtered decoy portscan + +(port_scan) TCP filtered decoy portscan + +122:7 (port_scan) TCP filtered portsweep + +(port_scan) TCP filtered portsweep + +122:8 (port_scan) TCP filtered distributed portscan + +(port_scan) TCP filtered distributed portscan + +122:9 (port_scan) IP protocol scan + +(port_scan) IP protocol scan + +122:10 (port_scan) IP decoy protocol scan + +(port_scan) IP decoy protocol scan + +122:11 (port_scan) IP protocol sweep + +(port_scan) IP protocol sweep + +122:12 (port_scan) IP distributed protocol scan + +(port_scan) IP distributed protocol scan + +122:13 (port_scan) IP filtered protocol scan + +(port_scan) IP filtered protocol scan + +122:14 (port_scan) IP filtered decoy protocol scan + +(port_scan) IP filtered decoy protocol scan + +122:15 (port_scan) IP filtered protocol sweep + +(port_scan) IP filtered protocol sweep + +122:16 (port_scan) IP filtered distributed protocol scan + +(port_scan) IP filtered distributed protocol scan + +122:17 (port_scan) UDP portscan + 
+(port_scan) UDP portscan + +122:18 (port_scan) UDP decoy portscan + +(port_scan) UDP decoy portscan + +122:19 (port_scan) UDP portsweep + +(port_scan) UDP portsweep + +122:20 (port_scan) UDP distributed portscan + +(port_scan) UDP distributed portscan + +122:21 (port_scan) UDP filtered portscan + +(port_scan) UDP filtered portscan + +122:22 (port_scan) UDP filtered decoy portscan + +(port_scan) UDP filtered decoy portscan + +122:23 (port_scan) UDP filtered portsweep + +(port_scan) UDP filtered portsweep + +122:24 (port_scan) UDP filtered distributed portscan + +(port_scan) UDP filtered distributed portscan + +122:25 (port_scan) ICMP sweep + +(port_scan) ICMP sweep + +122:26 (port_scan) ICMP filtered sweep + +(port_scan) ICMP filtered sweep + +122:27 (port_scan) open port + +(port_scan) open port + +123:1 (stream_ip) inconsistent IP options on fragmented packets + +(stream_ip) inconsistent IP options on fragmented packets + +123:2 (stream_ip) teardrop attack + +(stream_ip) teardrop attack + +123:3 (stream_ip) short fragment, possible DOS attempt + +(stream_ip) short fragment, possible DOS attempt + +123:4 (stream_ip) fragment packet ends after defragmented packet + +(stream_ip) fragment packet ends after defragmented packet + +123:5 (stream_ip) zero-byte fragment packet + +(stream_ip) zero-byte fragment packet + +123:6 (stream_ip) bad fragment size, packet size is negative + +(stream_ip) bad fragment size, packet size is negative + +123:7 (stream_ip) bad fragment size, packet size is greater than +65536 + +(stream_ip) bad fragment size, packet size is greater than 65536 + +123:8 (stream_ip) fragmentation overlap + +(stream_ip) fragmentation overlap + +123:11 (stream_ip) TTL value less than configured minimum, not using +for reassembly + +(stream_ip) TTL value less than configured minimum, not using for +reassembly + +123:12 (stream_ip) excessive fragment overlap + +(stream_ip) excessive fragment overlap + +123:13 (stream_ip) tiny fragment + +(stream_ip) tiny 
fragment + +124:1 (smtp) attempted command buffer overflow + +(smtp) attempted command buffer overflow + +124:2 (smtp) attempted data header buffer overflow + +(smtp) attempted data header buffer overflow + +124:3 (smtp) attempted response buffer overflow + +(smtp) attempted response buffer overflow + +124:4 (smtp) attempted specific command buffer overflow + +(smtp) attempted specific command buffer overflow + +124:5 (smtp) unknown command + +(smtp) unknown command + +124:6 (smtp) illegal command + +(smtp) illegal command + +124:7 (smtp) attempted header name buffer overflow + +(smtp) attempted header name buffer overflow + +124:8 (smtp) attempted X-Link2State command buffer overflow + +(smtp) attempted X-Link2State command buffer overflow + +124:10 (smtp) base64 decoding failed + +(smtp) base64 decoding failed + +124:11 (smtp) quoted-printable decoding failed + +(smtp) quoted-printable decoding failed + +124:13 (smtp) Unix-to-Unix decoding failed + +(smtp) Unix-to-Unix decoding failed + +124:14 (smtp) Cyrus SASL authentication attack + +(smtp) Cyrus SASL authentication attack + +124:15 (smtp) attempted authentication command buffer overflow + +(smtp) attempted authentication command buffer overflow + +124:16 (smtp) file decompression failed + +(smtp) file decompression failed + +125:1 (ftp_server) TELNET cmd on FTP command channel + +(ftp_server) TELNET cmd on FTP command channel + +125:2 (ftp_server) invalid FTP command + +(ftp_server) invalid FTP command + +125:3 (ftp_server) FTP command parameters were too long + +(ftp_server) FTP command parameters were too long + +125:4 (ftp_server) FTP command parameters were malformed + +(ftp_server) FTP command parameters were malformed + +125:5 (ftp_server) FTP command parameters contained potential string +format + +(ftp_server) FTP command parameters contained potential string format + +125:6 (ftp_server) FTP response message was too long + +(ftp_server) FTP response message was too long + +125:7 (ftp_server) FTP 
traffic encrypted + +(ftp_server) FTP traffic encrypted + +125:8 (ftp_server) FTP bounce attempt + +(ftp_server) FTP bounce attempt + +125:9 (ftp_server) evasive (incomplete) TELNET cmd on FTP command +channel + +(ftp_server) evasive (incomplete) TELNET cmd on FTP command channel + +126:1 (telnet) consecutive Telnet AYT commands beyond threshold + +(telnet) consecutive Telnet AYT commands beyond threshold + +126:2 (telnet) Telnet traffic encrypted + +(telnet) Telnet traffic encrypted + +126:3 (telnet) Telnet subnegotiation begin command without +subnegotiation end + +(telnet) Telnet subnegotiation begin command without subnegotiation +end + +128:1 (ssh) challenge-response overflow exploit + +(ssh) challenge-response overflow exploit + +128:2 (ssh) SSH1 CRC32 exploit + +(ssh) SSH1 CRC32 exploit + +128:3 (ssh) server version string overflow + +(ssh) server version string overflow + +128:5 (ssh) bad message direction + +(ssh) bad message direction + +128:6 (ssh) payload size incorrect for the given payload + +(ssh) payload size incorrect for the given payload + +128:7 (ssh) failed to detect SSH version string + +(ssh) failed to detect SSH version string + +129:1 (stream_tcp) SYN on established session + +(stream_tcp) SYN on established session + +129:2 (stream_tcp) data on SYN packet + +(stream_tcp) data on SYN packet + +129:3 (stream_tcp) data sent on stream not accepting data + +(stream_tcp) data sent on stream not accepting data + +129:4 (stream_tcp) TCP timestamp is outside of PAWS window + +(stream_tcp) TCP timestamp is outside of PAWS window + +129:5 (stream_tcp) bad segment, adjusted size ⇐ 0 (deprecated) + +(stream_tcp) bad segment, adjusted size ⇐ 0 (deprecated) + +129:6 (stream_tcp) window size (after scaling) larger than policy +allows + +(stream_tcp) window size (after scaling) larger than policy allows + +129:7 (stream_tcp) limit on number of overlapping TCP packets reached + +(stream_tcp) limit on number of overlapping TCP packets reached + +129:8 
(stream_tcp) data sent on stream after TCP reset sent + +(stream_tcp) data sent on stream after TCP reset sent + +129:9 (stream_tcp) TCP client possibly hijacked, different ethernet +address + +(stream_tcp) TCP client possibly hijacked, different ethernet address + +129:10 (stream_tcp) TCP server possibly hijacked, different ethernet +address + +(stream_tcp) TCP server possibly hijacked, different ethernet address + +129:11 (stream_tcp) TCP data with no TCP flags set + +(stream_tcp) TCP data with no TCP flags set + +129:12 (stream_tcp) consecutive TCP small segments exceeding +threshold + +(stream_tcp) consecutive TCP small segments exceeding threshold + +129:13 (stream_tcp) 4-way handshake detected + +stream_tcp detected a 4-way handshake, which includes a TCP SYN +(without ACK) in response to the initiating client SYN. +stream_tcp.require_3whs = 0 should be set to ensure this can be +detected in all cases. + +129:14 (stream_tcp) TCP timestamp is missing + +(stream_tcp) TCP timestamp is missing + +129:15 (stream_tcp) reset outside window + +(stream_tcp) reset outside window + +129:16 (stream_tcp) FIN number is greater than prior FIN + +(stream_tcp) FIN number is greater than prior FIN + +129:17 (stream_tcp) ACK number is greater than prior FIN + +(stream_tcp) ACK number is greater than prior FIN + +129:18 (stream_tcp) data sent on stream after TCP reset received + +(stream_tcp) data sent on stream after TCP reset received + +129:19 (stream_tcp) TCP window closed before receiving data + +(stream_tcp) TCP window closed before receiving data + +129:20 (stream_tcp) TCP session without 3-way handshake + +(stream_tcp) TCP session without 3-way handshake + +131:1 (dns) obsolete DNS RR types + +(dns) obsolete DNS RR types + +131:2 (dns) experimental DNS RR types + +(dns) experimental DNS RR types + +131:3 (dns) DNS client rdata txt overflow + +(dns) DNS client rdata txt overflow + +133:2 (dce_smb) SMB - bad NetBIOS session service session type + +(dce_smb) SMB - bad 
NetBIOS session service session type + +133:3 (dce_smb) SMB - bad SMB message type + +(dce_smb) SMB - bad SMB message type + +133:4 (dce_smb) SMB - bad SMB Id (not xffSMB for SMB1 or not xfeSMB +for SMB2) + +(dce_smb) SMB - bad SMB Id (not \xffSMB for SMB1 or not \xfeSMB for +SMB2) + +133:5 (dce_smb) SMB - bad word count or structure size + +(dce_smb) SMB - bad word count or structure size + +133:6 (dce_smb) SMB - bad byte count + +(dce_smb) SMB - bad byte count + +133:7 (dce_smb) SMB - bad format type + +(dce_smb) SMB - bad format type + +133:8 (dce_smb) SMB - bad offset + +(dce_smb) SMB - bad offset + +133:9 (dce_smb) SMB - zero total data count + +(dce_smb) SMB - zero total data count + +133:10 (dce_smb) SMB - NetBIOS data length less than SMB header +length + +(dce_smb) SMB - NetBIOS data length less than SMB header length + +133:11 (dce_smb) SMB - remaining NetBIOS data length less than +command length + +(dce_smb) SMB - remaining NetBIOS data length less than command +length + +133:12 (dce_smb) SMB - remaining NetBIOS data length less than +command byte count + +(dce_smb) SMB - remaining NetBIOS data length less than command byte +count + +133:13 (dce_smb) SMB - remaining NetBIOS data length less than +command data size + +(dce_smb) SMB - remaining NetBIOS data length less than command data +size + +133:14 (dce_smb) SMB - remaining total data count less than this +command data size + +(dce_smb) SMB - remaining total data count less than this command +data size + +133:15 (dce_smb) SMB - total data sent (STDu64) greater than command +total data expected + +(dce_smb) SMB - total data sent (STDu64) greater than command total +data expected + +133:16 (dce_smb) SMB - byte count less than command data size +(STDu64) + +(dce_smb) SMB - byte count less than command data size (STDu64) + +133:17 (dce_smb) SMB - invalid command data size for byte count + +(dce_smb) SMB - invalid command data size for byte count + +133:18 (dce_smb) SMB - excessive tree connect requests 
with pending +tree connect responses + +(dce_smb) SMB - excessive tree connect requests with pending tree +connect responses + +133:19 (dce_smb) SMB - excessive read requests with pending read +responses + +(dce_smb) SMB - excessive read requests with pending read responses + +133:20 (dce_smb) SMB - excessive command chaining + +(dce_smb) SMB - excessive command chaining + +133:21 (dce_smb) SMB - Multiple chained login requests + +(dce_smb) SMB - Multiple chained login requests + +133:22 (dce_smb) SMB - Multiple chained tree connect requests + +(dce_smb) SMB - Multiple chained tree connect requests + +133:23 (dce_smb) SMB - chained/compounded login followed by logoff + +(dce_smb) SMB - chained/compounded login followed by logoff + +133:24 (dce_smb) SMB - chained/compounded tree connect followed by +tree disconnect + +(dce_smb) SMB - chained/compounded tree connect followed by tree +disconnect + +133:25 (dce_smb) SMB - chained/compounded open pipe followed by close +pipe + +(dce_smb) SMB - chained/compounded open pipe followed by close pipe + +133:26 (dce_smb) SMB - invalid share access + +(dce_smb) SMB - invalid share access + +133:27 (dce_tcp) connection oriented DCE/RPC - invalid major version + +(dce_tcp) connection oriented DCE/RPC - invalid major version + +133:28 (dce_tcp) connection oriented DCE/RPC - invalid minor version + +(dce_tcp) connection oriented DCE/RPC - invalid minor version + +133:29 (dce_tcp) connection-oriented DCE/RPC - invalid PDU type + +(dce_tcp) connection-oriented DCE/RPC - invalid PDU type + +133:30 (dce_tcp) connection-oriented DCE/RPC - fragment length less +than header size + +(dce_tcp) connection-oriented DCE/RPC - fragment length less than +header size + +133:31 (dce_tcp) connection-oriented DCE/RPC - remaining fragment +length less than size needed + +(dce_tcp) connection-oriented DCE/RPC - remaining fragment length +less than size needed + +133:32 (dce_tcp) connection-oriented DCE/RPC - no context items +specified + +(dce_tcp) 
connection-oriented DCE/RPC - no context items specified + +133:33 (dce_tcp) connection-oriented DCE/RPC -no transfer syntaxes +specified + +(dce_tcp) connection-oriented DCE/RPC -no transfer syntaxes specified + +133:34 (dce_tcp) connection-oriented DCE/RPC - fragment length on +non-last fragment less than maximum negotiated fragment transmit size +for client + +(dce_tcp) connection-oriented DCE/RPC - fragment length on non-last +fragment less than maximum negotiated fragment transmit size for +client + +133:35 (dce_tcp) connection-oriented DCE/RPC - fragment length +greater than maximum negotiated fragment transmit size + +(dce_tcp) connection-oriented DCE/RPC - fragment length greater than +maximum negotiated fragment transmit size + +133:36 (dce_tcp) connection-oriented DCE/RPC - alter context byte +order different from bind + +(dce_tcp) connection-oriented DCE/RPC - alter context byte order +different from bind + +133:37 (dce_tcp) connection-oriented DCE/RPC - call id of non first/ +last fragment different from call id established for fragmented +request + +(dce_tcp) connection-oriented DCE/RPC - call id of non first/last +fragment different from call id established for fragmented request + +133:38 (dce_tcp) connection-oriented DCE/RPC - opnum of non first/ +last fragment different from opnum established for fragmented request + +(dce_tcp) connection-oriented DCE/RPC - opnum of non first/last +fragment different from opnum established for fragmented request + +133:39 (dce_tcp) connection-oriented DCE/RPC - context id of non +first/last fragment different from context id established for +fragmented request + +(dce_tcp) connection-oriented DCE/RPC - context id of non first/last +fragment different from context id established for fragmented request + +133:40 (dce_udp) connection-less DCE/RPC - invalid major version + +(dce_udp) connection-less DCE/RPC - invalid major version + +133:41 (dce_udp) connection-less DCE/RPC - invalid PDU type + +(dce_udp) 
connection-less DCE/RPC - invalid PDU type + +133:42 (dce_udp) connection-less DCE/RPC - data length less than +header size + +(dce_udp) connection-less DCE/RPC - data length less than header size + +133:43 (dce_udp) connection-less DCE/RPC - bad sequence number + +(dce_udp) connection-less DCE/RPC - bad sequence number + +133:44 (dce_smb) SMB - invalid SMB version 1 seen + +(dce_smb) SMB - invalid SMB version 1 seen + +133:45 (dce_smb) SMB - invalid SMB version 2 seen + +(dce_smb) SMB - invalid SMB version 2 seen + +133:46 (dce_smb) SMB - invalid user, tree connect, file binding + +(dce_smb) SMB - invalid user, tree connect, file binding + +133:47 (dce_smb) SMB - excessive command compounding + +(dce_smb) SMB - excessive command compounding + +133:48 (dce_smb) SMB - zero data count + +(dce_smb) SMB - zero data count + +133:50 (dce_smb) SMB - maximum number of outstanding requests +exceeded + +(dce_smb) SMB - maximum number of outstanding requests exceeded + +133:51 (dce_smb) SMB - outstanding requests with same MID + +(dce_smb) SMB - outstanding requests with same MID + +133:52 (dce_smb) SMB - deprecated dialect negotiated + +(dce_smb) SMB - deprecated dialect negotiated + +133:53 (dce_smb) SMB - deprecated command used + +(dce_smb) SMB - deprecated command used + +133:54 (dce_smb) SMB - unusual command used + +(dce_smb) SMB - unusual command used + +133:55 (dce_smb) SMB - invalid setup count for command + +(dce_smb) SMB - invalid setup count for command + +133:56 (dce_smb) SMB - client attempted multiple dialect negotiations +on session + +(dce_smb) SMB - client attempted multiple dialect negotiations on +session + +133:57 (dce_smb) SMB - client attempted to create or set a file’s +attributes to readonly/hidden/system + +(dce_smb) SMB - client attempted to create or set a file’s attributes +to readonly/hidden/system + +133:58 (dce_smb) SMB - file offset provided is greater than file size +specified + +(dce_smb) SMB - file offset provided is greater than file size 
+specified + +133:59 (dce_smb) SMB - next command specified in SMB2 header is +beyond payload boundary + +(dce_smb) SMB - next command specified in SMB2 header is beyond +payload boundary + +134:1 (latency) rule tree suspended due to latency + +(latency) rule tree suspended due to latency + +134:2 (latency) rule tree re-enabled after suspend timeout + +(latency) rule tree re-enabled after suspend timeout + +134:3 (latency) packet fastpathed due to latency + +(latency) packet fastpathed due to latency + +135:1 (stream) TCP SYN received + +(stream) TCP SYN received + +135:2 (stream) TCP session established + +(stream) TCP session established + +135:3 (stream) TCP session cleared + +(stream) TCP session cleared + +136:1 (reputation) packets blocked based on source + +(reputation) packets blocked based on source + +136:2 (reputation) packets trusted based on source + +(reputation) packets trusted based on source + +136:3 (reputation) packets monitored based on source + +(reputation) packets monitored based on source + +136:4 (reputation) packets blocked based on destination + +(reputation) packets blocked based on destination + +136:5 (reputation) packets trusted based on destination + +(reputation) packets trusted based on destination + +136:6 (reputation) packets monitored based on destination + +(reputation) packets monitored based on destination + +137:1 (ssl) invalid client HELLO after server HELLO detected + +(ssl) invalid client HELLO after server HELLO detected + +137:2 (ssl) invalid server HELLO without client HELLO detected + +(ssl) invalid server HELLO without client HELLO detected + +137:3 (ssl) heartbeat read overrun attempt detected + +(ssl) heartbeat read overrun attempt detected + +137:4 (ssl) large heartbeat response detected + +(ssl) large heartbeat response detected + +140:2 (sip) empty request URI + +(sip) empty request URI + +140:3 (sip) URI is too long + +(sip) URI is too long + +140:4 (sip) empty call-Id + +(sip) empty call-Id + +140:5 (sip) 
Call-Id is too long + +(sip) Call-Id is too long + +140:6 (sip) CSeq number is too large or negative + +(sip) CSeq number is too large or negative + +140:7 (sip) request name in CSeq is too long + +(sip) request name in CSeq is too long + +140:8 (sip) empty From header + +(sip) empty From header + +140:9 (sip) From header is too long + +(sip) From header is too long + +140:10 (sip) empty To header + +(sip) empty To header + +140:11 (sip) To header is too long + +(sip) To header is too long + +140:12 (sip) empty Via header + +(sip) empty Via header + +140:13 (sip) Via header is too long + +(sip) Via header is too long + +140:14 (sip) empty Contact + +(sip) empty Contact + +140:15 (sip) contact is too long + +(sip) contact is too long + +140:16 (sip) content length is too large or negative + +(sip) content length is too large or negative + +140:17 (sip) multiple SIP messages in a packet + +(sip) multiple SIP messages in a packet + +140:18 (sip) content length mismatch + +(sip) content length mismatch + +140:19 (sip) request name is invalid + +(sip) request name is invalid + +140:20 (sip) Invite replay attack + +(sip) Invite replay attack + +140:21 (sip) illegal session information modification + +(sip) illegal session information modification + +140:22 (sip) response status code is not a 3 digit number + +(sip) response status code is not a 3 digit number + +140:23 (sip) empty Content-type header + +(sip) empty Content-type header + +140:24 (sip) SIP version is invalid + +(sip) SIP version is invalid + +140:25 (sip) mismatch in METHOD of request and the CSEQ header + +(sip) mismatch in METHOD of request and the CSEQ header + +140:26 (sip) method is unknown + +(sip) method is unknown + +140:27 (sip) maximum dialogs within a session reached + +(sip) maximum dialogs within a session reached + +141:1 (imap) unknown IMAP3 command + +(imap) unknown IMAP3 command + +141:2 (imap) unknown IMAP3 response + +(imap) unknown IMAP3 response + +141:4 (imap) base64 decoding failed + 
+(imap) base64 decoding failed + +141:5 (imap) quoted-printable decoding failed + +(imap) quoted-printable decoding failed + +141:7 (imap) Unix-to-Unix decoding failed + +(imap) Unix-to-Unix decoding failed + +141:8 (imap) file decompression failed + +(imap) file decompression failed + +142:1 (pop) unknown POP3 command + +(pop) unknown POP3 command + +142:2 (pop) unknown POP3 response + +(pop) unknown POP3 response + +142:4 (pop) base64 decoding failed + +(pop) base64 decoding failed + +142:5 (pop) quoted-printable decoding failed + +(pop) quoted-printable decoding failed + +142:7 (pop) Unix-to-Unix decoding failed + +(pop) Unix-to-Unix decoding failed + +142:8 (pop) file decompression failed + +(pop) file decompression failed + +143:1 (gtp_inspect) message length is invalid + +(gtp_inspect) message length is invalid + +143:2 (gtp_inspect) information element length is invalid + +(gtp_inspect) information element length is invalid + +143:3 (gtp_inspect) information elements are out of order + +(gtp_inspect) information elements are out of order + +143:4 (gtp_inspect) TEID is missing + +(gtp_inspect) TEID is missing + +144:1 (modbus) length in Modbus MBAP header does not match the length +needed for the given function + +(modbus) length in Modbus MBAP header does not match the length +needed for the given function + +144:2 (modbus) Modbus protocol ID is non-zero + +(modbus) Modbus protocol ID is non-zero + +144:3 (modbus) reserved Modbus function code in use + +(modbus) reserved Modbus function code in use + +145:1 (dnp3) DNP3 link-layer frame contains bad CRC + +(dnp3) DNP3 link-layer frame contains bad CRC + +145:2 (dnp3) DNP3 link-layer frame was dropped + +(dnp3) DNP3 link-layer frame was dropped + +145:3 (dnp3) DNP3 transport-layer segment was dropped during +reassembly + +(dnp3) DNP3 transport-layer segment was dropped during reassembly + +145:4 (dnp3) DNP3 reassembly buffer was cleared without reassembling +a complete message + +(dnp3) DNP3 reassembly buffer 
was cleared without reassembling a +complete message + +145:5 (dnp3) DNP3 link-layer frame uses a reserved address + +(dnp3) DNP3 link-layer frame uses a reserved address + +145:6 (dnp3) DNP3 application-layer fragment uses a reserved function +code + +(dnp3) DNP3 application-layer fragment uses a reserved function code + +148:1 (cip) CIP data is malformed + +(cip) CIP data is malformed + +148:2 (cip) CIP data is non-conforming to ODVA standard + +(cip) CIP data is non-conforming to ODVA standard + +148:3 (cip) CIP connection limit exceeded. Least recently used +connection removed + +(cip) CIP connection limit exceeded. Least recently used connection +removed + +148:4 (cip) CIP unconnected request limit exceeded. Oldest request +removed + +(cip) CIP unconnected request limit exceeded. Oldest request removed + +149:1 (s7commplus) length in S7commplus MBAP header does not match +the length needed for the given S7commplus function + +(s7commplus) length in S7commplus MBAP header does not match the +length needed for the given S7commplus function + +149:2 (s7commplus) S7commplus protocol ID is non-zero + +(s7commplus) S7commplus protocol ID is non-zero + +149:3 (s7commplus) reserved S7commplus function code in use + +(s7commplus) reserved S7commplus function code in use + +150:1 (file_id) file not processed due to per flow limit + +(file_id) file not processed due to per flow limit + +151:1 (iec104) Length in IEC104 APCI header does not match the length +needed for the given IEC104 ASDU type id + +(iec104) Length in IEC104 APCI header does not match the length +needed for the given IEC104 ASDU type id + +151:2 (iec104) IEC104 Start byte does not match 0x68 + +(iec104) IEC104 Start byte does not match 0x68 + +151:3 (iec104) Reserved IEC104 ASDU type id in use + +(iec104) Reserved IEC104 ASDU type id in use + +151:4 (iec104) IEC104 APCI U Reserved field contains a non-default +value + +(iec104) IEC104 APCI U Reserved field contains a non-default value + +151:5 (iec104) 
IEC104 APCI U message type was set to an invalid value + +(iec104) IEC104 APCI U message type was set to an invalid value + +151:6 (iec104) IEC104 APCI S Reserved field contains a non-default +value + +(iec104) IEC104 APCI S Reserved field contains a non-default value + +151:7 (iec104) IEC104 APCI I number of elements set to zero + +(iec104) IEC104 APCI I number of elements set to zero + +151:8 (iec104) IEC104 APCI I SQ bit set on an ASDU that does not +support the feature + +(iec104) IEC104 APCI I SQ bit set on an ASDU that does not support +the feature + +151:9 (iec104) IEC104 APCI I number of elements set to greater than +one on an ASDU that does not support the feature + +(iec104) IEC104 APCI I number of elements set to greater than one on +an ASDU that does not support the feature + +151:10 (iec104) IEC104 APCI I Cause of Initialization set to a +reserved value + +(iec104) IEC104 APCI I Cause of Initialization set to a reserved +value + +151:11 (iec104) IEC104 APCI I Qualifier of Interrogation Command set +to a reserved value + +(iec104) IEC104 APCI I Qualifier of Interrogation Command set to a +reserved value + +151:12 (iec104) IEC104 APCI I Qualifier of Counter Interrogation +Command request parameter set to a reserved value + +(iec104) IEC104 APCI I Qualifier of Counter Interrogation Command +request parameter set to a reserved value + +151:13 (iec104) IEC104 APCI I Qualifier of Parameter of Measured +Values kind of parameter set to a reserved value + +(iec104) IEC104 APCI I Qualifier of Parameter of Measured Values kind +of parameter set to a reserved value + +151:14 (iec104) IEC104 APCI I Qualifier of Parameter of Measured +Values local parameter change set to a technically valid but unused +value + +(iec104) IEC104 APCI I Qualifier of Parameter of Measured Values +local parameter change set to a technically valid but unused value + +151:15 (iec104) IEC104 APCI I Qualifier of Parameter of Measured +Values parameter option set to a technically valid but 
unused value + +(iec104) IEC104 APCI I Qualifier of Parameter of Measured Values +parameter option set to a technically valid but unused value + +151:16 (iec104) IEC104 APCI I Qualifier of Parameter Activation set +to a reserved value + +(iec104) IEC104 APCI I Qualifier of Parameter Activation set to a +reserved value + +151:17 (iec104) IEC104 APCI I Qualifier of Command set to a reserved +value + +(iec104) IEC104 APCI I Qualifier of Command set to a reserved value + +151:18 (iec104) IEC104 APCI I Qualifier of Reset Process set to a +reserved value + +(iec104) IEC104 APCI I Qualifier of Reset Process set to a reserved +value + +151:19 (iec104) IEC104 APCI I File Ready Qualifier set to a reserved +value + +(iec104) IEC104 APCI I File Ready Qualifier set to a reserved value + +151:20 (iec104) IEC104 APCI I Section Ready Qualifier set to a +reserved value + +(iec104) IEC104 APCI I Section Ready Qualifier set to a reserved +value + +151:21 (iec104) IEC104 APCI I Select and Call Qualifier set to a +reserved value + +(iec104) IEC104 APCI I Select and Call Qualifier set to a reserved +value + +151:22 (iec104) IEC104 APCI I Last Section or Segment Qualifier set +to a reserved value + +(iec104) IEC104 APCI I Last Section or Segment Qualifier set to a +reserved value + +151:23 (iec104) IEC104 APCI I Acknowledge File or Section Qualifier +set to a reserved value + +(iec104) IEC104 APCI I Acknowledge File or Section Qualifier set to a +reserved value + +151:24 (iec104) IEC104 APCI I Structure Qualifier set on a message +where it should have no effect + +(iec104) IEC104 APCI I Structure Qualifier set on a message where it +should have no effect + +151:25 (iec104) IEC104 APCI I Single Point Information Reserved field +contains a non-default value + +(iec104) IEC104 APCI I Single Point Information Reserved field +contains a non-default value + +151:26 (iec104) IEC104 APCI I Double Point Information Reserved field +contains a non-default value + +(iec104) IEC104 APCI I Double 
Point Information Reserved field +contains a non-default value + +151:27 (iec104) IEC104 APCI I Cause of Transmission set to a reserved +value + +(iec104) IEC104 APCI I Cause of Transmission set to a reserved value + +151:28 (iec104) IEC104 APCI I Cause of Transmission set to a value +not allowed for the ASDU + +(iec104) IEC104 APCI I Cause of Transmission set to a value not +allowed for the ASDU + +151:29 (iec104) IEC104 APCI I invalid two octet common address value +detected + +(iec104) IEC104 APCI I invalid two octet common address value +detected + +151:30 (iec104) IEC104 APCI I Quality Descriptor Structure Reserved +field contains a non-default value + +(iec104) IEC104 APCI I Quality Descriptor Structure Reserved field +contains a non-default value + +151:31 (iec104) IEC104 APCI I Quality Descriptor for Events of +Protection Equipment Structure Reserved field contains a non-default +value + +(iec104) IEC104 APCI I Quality Descriptor for Events of Protection +Equipment Structure Reserved field contains a non-default value + +151:32 (iec104) IEC104 APCI I IEEE STD 754 value results in NaN + +(iec104) IEC104 APCI I IEEE STD 754 value results in NaN + +151:33 (iec104) IEC104 APCI I IEEE STD 754 value results in infinity + +(iec104) IEC104 APCI I IEEE STD 754 value results in infinity + +151:34 (iec104) IEC104 APCI I Single Event of Protection Equipment +Structure Reserved field contains a non-default value + +(iec104) IEC104 APCI I Single Event of Protection Equipment Structure +Reserved field contains a non-default value + +151:35 (iec104) IEC104 APCI I Start Event of Protection Equipment +Structure Reserved field contains a non-default value + +(iec104) IEC104 APCI I Start Event of Protection Equipment Structure +Reserved field contains a non-default value + +151:36 (iec104) IEC104 APCI I Output Circuit Information Structure +Reserved field contains a non-default value + +(iec104) IEC104 APCI I Output Circuit Information Structure Reserved +field contains a 
non-default value + +151:37 (iec104) IEC104 APCI I Abnormal Fixed Test Bit Pattern +detected + +(iec104) IEC104 APCI I Abnormal Fixed Test Bit Pattern detected + +151:38 (iec104) IEC104 APCI I Single Command Structure Reserved field +contains a non-default value + +(iec104) IEC104 APCI I Single Command Structure Reserved field +contains a non-default value + +151:39 (iec104) IEC104 APCI I Double Command Structure contains an +invalid value + +(iec104) IEC104 APCI I Double Command Structure contains an invalid +value + +151:40 (iec104) IEC104 APCI I Regulating Step Command Structure +Reserved field contains a non-default value + +(iec104) IEC104 APCI I Regulating Step Command Structure Reserved +field contains a non-default value + +151:41 (iec104) IEC104 APCI I Time2a Millisecond set outside of the +allowable range + +(iec104) IEC104 APCI I Time2a Millisecond set outside of the +allowable range + +151:42 (iec104) IEC104 APCI I Time2a Minute set outside of the +allowable range + +(iec104) IEC104 APCI I Time2a Minute set outside of the allowable +range + +151:43 (iec104) IEC104 APCI I Time2a Minute Reserved field contains a +non-default value + +(iec104) IEC104 APCI I Time2a Minute Reserved field contains a +non-default value + +151:44 (iec104) IEC104 APCI I Time2a Hours set outside of the +allowable range + +(iec104) IEC104 APCI I Time2a Hours set outside of the allowable +range + +151:45 (iec104) IEC104 APCI I Time2a Hours Reserved field contains a +non-default value + +(iec104) IEC104 APCI I Time2a Hours Reserved field contains a +non-default value + +151:46 (iec104) IEC104 APCI I Time2a Day of Month set outside of the +allowable range + +(iec104) IEC104 APCI I Time2a Day of Month set outside of the +allowable range + +151:47 (iec104) IEC104 APCI I Time2a Month set outside of the +allowable range + +(iec104) IEC104 APCI I Time2a Month set outside of the allowable +range + +151:48 (iec104) IEC104 APCI I Time2a Month Reserved field contains a +non-default value + 
+(iec104) IEC104 APCI I Time2a Month Reserved field contains a +non-default value + +151:49 (iec104) IEC104 APCI I Time2a Year set outside of the +allowable range + +(iec104) IEC104 APCI I Time2a Year set outside of the allowable range + +151:50 (iec104) IEC104 APCI I Time2a Year Reserved field contains a +non-default value + +(iec104) IEC104 APCI I Time2a Year Reserved field contains a +non-default value + +151:51 (iec104) IEC104 APCI I a null Length of Segment value has been +detected + +(iec104) IEC104 APCI I a null Length of Segment value has been +detected + +151:52 (iec104) IEC104 APCI I an invalid Length of Segment value has +been detected + +(iec104) IEC104 APCI I an invalid Length of Segment value has been +detected + +151:53 (iec104) IEC104 APCI I Status of File set to a reserved value + +(iec104) IEC104 APCI I Status of File set to a reserved value + +151:54 (iec104) IEC104 APCI I Qualifier of Set Point Command ql field +set to a reserved value + +(iec104) IEC104 APCI I Qualifier of Set Point Command ql field set to +a reserved value + +175:1 (domain_filter) configured domain detected + +(domain_filter) configured domain detected + +256:1 (dpx) too much data sent to port + +(dpx) too much data sent to port 11.8. Command Set @@ -12799,7 +14685,7 @@ and are not applicable elsewhere. * rem (ips_option): rule option to convey an arbitrary comment in the rule body * replace (ips_option): rule option to overwrite payload data; use - with rewrite action + with "rewrite" action; works for raw packets only * reputation (inspector): reputation inspection * rev (ips_option): rule option to indicate current revision of signature 
@@ -13016,7 +14902,8 @@ and are not applicable elsewhere. * ips_action::react: send response to client and terminate session * ips_action::reject: terminate session with TCP reset or ICMP unreachable - * ips_action::rewrite: overwrite packet contents + * ips_action::rewrite: overwrite packet contents with the "replace" + option content * ips_option::ack: rule option to match on TCP ack numbers * ips_option::appids: detection option for application ids * ips_option::asn1: rule option for asn1 detection @@ -13161,7 +15048,7 @@ and are not applicable elsewhere. * ips_option::rem: rule option to convey an arbitrary comment in the rule body * ips_option::replace: rule option to overwrite payload data; use - with rewrite action + with "rewrite" action; works for raw packets only * ips_option::rev: rule option to indicate current revision of signature * ips_option::rpc: rule option to check SUNRPC CALL parameters diff --git a/doc/upgrade/snort_upgrade.text b/doc/upgrade/snort_upgrade.text index 32df68939..b46b11be1 100644 --- a/doc/upgrade/snort_upgrade.text +++ b/doc/upgrade/snort_upgrade.text @@ -8,7 +8,7 @@ Snort 3 Upgrade Manual The Snort Team Revision History -Revision 3.1.12.0 2021-09-08 07:41:38 EDT TST +Revision 3.1.13.0 2021-09-22 09:10:49 EDT TST --------------------------------------------------------------------- diff --git a/doc/user/snort_user.text b/doc/user/snort_user.text index 5ab2855f4..ce6b614f6 100644 --- a/doc/user/snort_user.text +++ b/doc/user/snort_user.text @@ -8,7 +8,7 @@ Snort 3 User Manual The Snort Team Revision History -Revision 3.1.12.0 2021-09-08 07:41:38 EDT TST +Revision 3.1.13.0 2021-09-22 09:10:49 EDT TST --------------------------------------------------------------------- 
@@ -1141,6 +1141,10 @@ General Use --max-threads option. * Unit tests are configured with --enable-unit-tests. They can then be run with snort --catch-test [tags]|all. + * Benchmark tests are configured with --enable-benchmark-tests. + They can then be run with snort --catch-test [tags]|all or built + as a separate executable. It is also preferred to configure a + non-debug build with optimizations enabled. Lua Configuration @@ -1839,8 +1843,10 @@ trace = 5.1.5. Rewrite -IPS action rewrite enables overwrite packet contents based on -"replace" option in the rules. +IPS action "rewrite" enables overwrite packet contents based on +"replace" option in the rules. Note that using "rewrite" action +without "replace" option will raise corresponding rule alert, but +will not overwrite the packet payload. For example: 
@@ -1860,8 +1866,65 @@ ips = rules = local_rules, } -this rule replaces "index.php" with "indax.php", and rewrite action -updates that packet. +this rule replaces the first occurrence of "index.php" with +"indax.php", and "rewrite" action updates that packet. + +Content and replacement are aligned to the right side of the matching +content and are limited not by the size of the matching content, but +by the boundaries of the packet. + +Example: + +rewrite http any any -> any any +( + msg:"Small replace"; + content:"content"; + replace:"text"; + sid:1000002; +) + +this rule replaces "malicious content" to "malicious context". + +Example: + +rewrite http any any -> any any +( + msg:"Big replace"; + content:"content"; + replace:"y favorite page!"; + sid:1000002; +) + +this rule replaces "malicious content" to "my favorite page!". + +Be aware that after the match there should be enough room left for +the "replace" content in the matched packet. If there is not enough +space for the "replace" content the rule will not match. + +"replace" works for raw packets only. So, TCP data must either fit +under the "pkt_data" buffer requirements or one should enable +detection on TCP payload before reassembly: +search_engine.detect_raw_tcp=true. For example: + +Rule that does not require search_engine.detect_raw_tcp=true: + +rewrite udp any any -> any any +( + msg:"TEST 1"; + sid:1000002; + content:"attack"; + replace:"abc123"; +) + +Rule that does require search_engine.detect_raw_tcp=true: + +rewrite http any any -> any any +( + msg:"TEST 2"; + content:"/content.html"; + replace:"/replace.html"; + sid:1000002; +) 5.2. AppId
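Review bot: in the builtin-rule reference hunk, the 149:1 message "length in S7commplus MBAP header does not match the length needed for the given S7commplus function" carries the Modbus wording over from 144:1 ("length in Modbus MBAP header ..."); MBAP is the Modbus application-protocol header name, so the s7commplus stub message, and the description generated from it, should refer to the S7commplus header instead. Two smaller points in the same block come from the rule messages rather than the generator and are best fixed at the source: 129:5 renders as "adjusted size ⇐ 0", where "<=" has been turned into an arrow, and 133:33 reads "DCE/RPC -no transfer syntaxes specified", missing the space after the dash. Likewise 133:4 shows "not xffSMB" in the title line but "not \xffSMB" in the description, so the backslash is escaped differently in the two generated forms.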
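Review bot: the benchmark paragraph added to the General Use section (hunk @@ -1141,6 +1141,10 @@) says the tests can be "built as a separate executable" without naming the target or option that does so, and "It is also preferred to configure a non-debug build with optimizations enabled" leaves the reason implicit. Either name the target or drop that clause, and state the build requirement plainly, e.g. "Run benchmarks from a non-debug build with optimizations enabled; timings from a debug build are not representative."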
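Review bot: the rewritten opening of section 5.1.5 (hunk @@ -1839,8 +1843,10 @@) keeps the grammatical slip of the old line, "enables overwrite packet contents", and adds "will raise corresponding rule alert" without an article. Suggest: "IPS action "rewrite" overwrites packet contents based on the "replace" option in the rule. Using the "rewrite" action without a "replace" option raises the rule's alert but does not modify the packet payload."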
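Review bot: all four example rules in the expanded 5.1.5 text (hunk @@ -1860,8 +1866,65 @@) use sid:1000002, so a reader who pastes more than one of them into local_rules ends up with duplicate gid:sid pairs; give each example its own sid. The sentence "If there is not enough space for the "replace" content the rule will not match" deserves a stronger statement of its consequence, since a rule that no longer matches also no longer alerts: adding "replace" to an existing rule can silently suppress its alert on packets where the replacement does not fit, which is worth saying explicitly right there. Minor wording: "replaces "malicious content" to "malicious context"" should be "with", in both examples.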