From: Mike Stepanek (mstepane) Date: Wed, 15 Dec 2021 14:10:35 +0000 (+0000) Subject: Pull request #3221: build: generate and tag 3.1.19.0 X-Git-Tag: 3.1.19.0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=528cccd443fbaf22544a76b03166ae212ef31e85;p=thirdparty%2Fsnort3.git Pull request #3221: build: generate and tag 3.1.19.0 Merge in SNORT/snort3 from ~MSTEPANE/snort3:build_3.1.19.0 to master Squashed commit of the following: commit e76365d934a248a4053e7e6c0d503f09d87ef6af Author: Mike Stepanek Date: Wed Dec 15 05:37:21 2021 -0500 build: generate and tag 3.1.19.0 --- diff --git a/CMakeLists.txt b/CMakeLists.txt index 073d7e633..3a9886b52 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -3,7 +3,7 @@ project (snort CXX C) set (VERSION_MAJOR 3) set (VERSION_MINOR 1) -set (VERSION_PATCH 18) +set (VERSION_PATCH 19) set (VERSION_SUBLEVEL 0) set (VERSION "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}.${VERSION_SUBLEVEL}") diff --git a/ChangeLog b/ChangeLog index b71e63173..f8dcd0639 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,37 @@ +2021/12/15 - 3.1.19.0 + +appid,ssh: roll AppId's SSH detector into SSH service inspector +appid: remove hard-coded SSH client patterns which are available as part of ODP +build: add cppcheck suppressions for unusedFunctions +build: clean up some cppcheck style issues +build: move flex options to the template file +cmake: fix CMP0115 Warning +daq: sort --daq-list output by module name +dce_smb: add new smb counters +file_api: add null check for user file data +file_api: handle file_data +framework,appid: generate NO_SERVICE event when no inspector can be attached to a flow; wait for the event in appid before declaring service as unknown for the flow +http_inspect,http2_inspect: refuse midstream pickups +http_inspect: add JavaScript builtin de-aliasing +http_inspect: rename js normalization options +http_inspect: use correct detect_length for partial inspection cleanup +loggers: fix truncated alert_syslog messages +lua: configure a list of JS ignored IDs in default_http_inspect table +managers: continue inspectors probe when packet has disable_inspect flag +mime: add the support for vba macro data extraction of MS office files transferred over mime protocols +parser: fix missing-prototypes warning in parse_ports.cc +parser: fix parsing of portsets +rpc: remove RpcSplitter altogether and use LogSplitter instead +snort2lua: fix conversion of variable sets +stream: add PKT_MORE_TO_FLUSH flag and use it in TcpReassembler::scan_data_post_ack() to signal AtomSplitter whether to flush or not +stream: fix issue with atom splitter not returning FLUSH +stream_tcp: remove unnecessary special adjustment methods +utils: (JSTokenizer) fix braces initialization compilation error (gcc5) +utils: fix state adjustment in JS Tokenizer +utils: place init/deinit routine under a single function +utils: update JS normalizer unit tests +vlan: implement vlan encode function + 2021/12/01 - 3.1.18.0 alert_sf_socket: remove obselete logger 
diff --git a/doc/reference/snort_reference.text b/doc/reference/snort_reference.text index d2b507455..d5ca6f2a7 100644 --- a/doc/reference/snort_reference.text +++ b/doc/reference/snort_reference.text @@ -8,7 +8,7 @@ Snort 3 Reference Manual The Snort Team Revision History -Revision 3.1.18.0 2021-12-01 10:40:58 EST TST +Revision 3.1.19.0 2021-12-15 06:07:48 EST TST --------------------------------------------------------------------- @@ -2994,6 +2994,10 @@ Peg counts: * dce_smb.concurrent_sessions: total concurrent sessions (now) * dce_smb.max_concurrent_sessions: maximum concurrent sessions (max) + * dce_smb.total_smb1_sessions: total smb1 sessions (sum) + * dce_smb.total_smb2_sessions: total smb2 sessions (sum) + * dce_smb.total_encrypted_sessions: total encrypted sessions (sum) + * dce_smb.total_mc_sessions: total multichannel sessions (sum) 5.12. dce_tcp @@ -3724,7 +3728,7 @@ Configuration: immediately upon script end * bool http_inspect.normalize_javascript = false: use legacy normalizer to normalize JavaScript in response bodies - * int http_inspect.js_normalization_depth = -1: number of input + * int http_inspect.js_norm_bytes_depth = -1: number of input JavaScript bytes to normalize (-1 unlimited) { -1:max53 } * int http_inspect.js_norm_identifier_depth = 65536: max number of unique JavaScript identifiers to normalize { 0:65536 } @@ -3737,8 +3741,8 @@ Configuration: * int http_inspect.js_norm_max_scope_depth = 256: maximum depth of scope nesting that enhanced JavaScript normalizer will process { 1:65535 } - * string http_inspect.js_norm_built_in_ident[].ident_name: name of - built-in identifier + * string http_inspect.js_norm_ident_ignore[].ident_name: name of + the identifier to ignore * int http_inspect.max_javascript_whitespaces = 200: maximum consecutive whitespaces allowed within the JavaScript obfuscated data { 1:65535 } 
@@ -4174,6 +4178,8 @@ Configuration: attachments * bool imap.decompress_zip = false: decompress zip files in MIME attachments + * bool imap.decompress_vba = false: decompress MS Office Visual + Basic for Applications macro files in MIME attachments * int imap.qp_decode_depth = -1: quoted Printable decoding depth (-1 no limit) { -1:65535 } * int imap.uu_decode_depth = -1: Unix-to-Unix decoding depth (-1 no @@ -4572,6 +4578,8 @@ Configuration: attachments * bool pop.decompress_zip = false: decompress zip files in MIME attachments + * bool pop.decompress_vba = false: decompress MS Office Visual + Basic for Applications macro files in MIME attachments * int pop.qp_decode_depth = -1: Quoted Printable decoding depth (-1 no limit) { -1:65535 } * int pop.uu_decode_depth = -1: Unix-to-Unix decoding depth (-1 no @@ -5172,6 +5180,8 @@ Configuration: attachments * bool smtp.decompress_zip = false: decompress zip files in MIME attachments + * bool smtp.decompress_vba = false: decompress MS Office Visual + Basic for Applications macro files in MIME attachments * int smtp.email_hdrs_log_depth = 1464: depth for logging email headers { 0:20480 } * bool smtp.ignore_data = false: ignore data section of mail 
@@ -9286,12 +9296,12 @@ these libraries see the Getting Started section of the manual. mapping to normalize characters * string http_inspect.iis_unicode_map_file: file containing code points for IIS unicode. { (optional) } - * int http_inspect.js_normalization_depth = -1: number of input + * int http_inspect.js_norm_bytes_depth = -1: number of input JavaScript bytes to normalize (-1 unlimited) { -1:max53 } - * string http_inspect.js_norm_built_in_ident[].ident_name: name of - built-in identifier * int http_inspect.js_norm_identifier_depth = 65536: max number of unique JavaScript identifiers to normalize { 0:65536 } + * string http_inspect.js_norm_ident_ignore[].ident_name: name of + the identifier to ignore * int http_inspect.js_norm_max_bracket_depth = 256: maximum depth of bracket nesting that enhanced JavaScript normalizer will process { 1:65535 } @@ -9458,6 +9468,8 @@ these libraries see the Getting Started section of the manual. attachments * bool imap.decompress_swf = false: decompress swf files in MIME attachments + * bool imap.decompress_vba = false: decompress MS Office Visual + Basic for Applications macro files in MIME attachments * bool imap.decompress_zip = false: decompress zip files in MIME attachments * int imap.qp_decode_depth = -1: quoted Printable decoding depth @@ -9721,6 +9733,8 @@ these libraries see the Getting Started section of the manual. attachments * bool pop.decompress_swf = false: decompress swf files in MIME attachments + * bool pop.decompress_vba = false: decompress MS Office Visual + Basic for Applications macro files in MIME attachments * bool pop.decompress_zip = false: decompress zip files in MIME attachments * int pop.qp_decode_depth = -1: Quoted Printable decoding depth (-1 
@@ -10131,6 +10145,8 @@ these libraries see the Getting Started section of the manual. attachments * bool smtp.decompress_swf = false: decompress swf files in MIME attachments + * bool smtp.decompress_vba = false: decompress MS Office Visual + Basic for Applications macro files in MIME attachments * bool smtp.decompress_zip = false: decompress zip files in MIME attachments * int smtp.email_hdrs_log_depth = 1464: depth for logging email @@ -10794,6 +10810,10 @@ these libraries see the Getting Started section of the manual. reassembled (sum) * dce_smb.smb_server_segs_reassembled: total smb server segments reassembled (sum) + * dce_smb.total_encrypted_sessions: total encrypted sessions (sum) + * dce_smb.total_mc_sessions: total multichannel sessions (sum) + * dce_smb.total_smb1_sessions: total smb1 sessions (sum) + * dce_smb.total_smb2_sessions: total smb2 sessions (sum) * dce_smb.v2_bad_next_cmd_offset: total number of SMBv2 packets seen with invalid next command offset (sum) * dce_smb.v2_cls_err_resp: total number of SMBv2 close error diff --git a/doc/upgrade/snort_upgrade.text b/doc/upgrade/snort_upgrade.text index 908b9e756..1681a8ddb 100644 --- a/doc/upgrade/snort_upgrade.text +++ b/doc/upgrade/snort_upgrade.text @@ -8,7 +8,7 @@ Snort 3 Upgrade Manual The Snort Team Revision History -Revision 3.1.18.0 2021-12-01 10:40:47 EST TST +Revision 3.1.19.0 2021-12-15 06:07:38 EST TST --------------------------------------------------------------------- diff --git a/doc/user/snort_user.text b/doc/user/snort_user.text index 8c5ed8c2f..d3a09535e 100644 --- a/doc/user/snort_user.text +++ b/doc/user/snort_user.text @@ -8,7 +8,7 @@ Snort 3 User Manual The Snort Team Revision History -Revision 3.1.18.0 2021-12-01 10:40:47 EST TST +Revision 3.1.19.0 2021-12-15 06:07:38 EST TST --------------------------------------------------------------------- 
@@ -3870,17 +3870,16 @@ Having ips option js_data in the rules automatically enables Enhanced Normalizer. The Enhanced Normalizer can normalize inline/external scripts. It supports scripts over multiple PDUs. It is a stateful JavaScript whitespace and identifiers normalizer. All JavaScript -identifier names, except those, are from the list of built-in -identifiers, will be substituted to unified names with the following -format: var_0000 → var_ffff. Moreover, Normalizer validates the -syntax concerning ECMA-262 Standard, including scope tracking, and -checks for restrictions for contents of script elements (since it is -HTML-embedded JavaScript). For more information on how additionally -configure Enhanced Normalizer check the following http_inspect -options: js_normalization_depth, js_norm_identifier_depth, -js_norm_max_tmpl_nest, js_norm_max_bracket_depth, -js_norm_max_scope_depth, js_norm_built_in_ident. Eventually Enhanced -Normalizer will completely replace Legacy Normalizer. +identifier names, except those from the ignore list, will be +substituted with unified names in the following format: var_0000 → +var_ffff. Moreover, Normalizer validates the syntax concerning +ECMA-262 Standard, including scope tracking and restrictions for +script elements. For more information on how additionally configure +Enhanced Normalizer check with the following configuration options: +js_norm_bytes_depth, js_norm_identifier_depth, js_norm_max_tmpl_nest, +js_norm_max_bracket_depth, js_norm_max_scope_depth, +js_norm_ident_ignore. Eventually Enhanced Normalizer will completely +replace Legacy Normalizer. 5.10.3. Configuration 
@@ -3991,12 +3990,12 @@ http_inspect also replaces consecutive whitespaces with a single space and normalizes the plus by concatenating the strings. Such normalizations refer to basic JavaScript normalization. -5.10.3.9. js_normalization_depth +5.10.3.9. js_norm_bytes_depth -js_normalization_depth = N {-1 : max53} will set a number of input +js_norm_bytes_depth = N {-1 : max53} will set a number of input JavaScript bytes to normalize. When the depth is reached, normalization will be stopped. It’s implemented per-script. By -default js_normalization_depth = -1, will set unlimited depth. The +default js_norm_bytes_depth = -1, will set unlimited depth. The enhanced normalizer provides more precise whitespace normalization of JavaScript, that removes all redundant whitespaces and line terminators from the JavaScript syntax point of view (between @@ -4047,17 +4046,16 @@ program scope such as the global one, function scope, if block, loops, code block, object scope, etc. This option is present to limit the amount of memory dedicated to this tracking. -5.10.3.14. js_norm_built_in_ident +5.10.3.14. js_norm_ident_ignore -js_norm_built_in_ident = {}. The default list is present in "snort_defaults.lua". +js_norm_ident_ignore = {}. The default +list is present in "snort_defaults.lua". -The built-in JavaScript identifiers will be placed as is, without -substitution. Normalizer tracks built-in identifier expressions based -on the configured list of built-in names. The built-in identifier -expression is the built-in name (function or object) and the chain of -dot and bracket accessors after it, including the function calls. For -example: +The Normalizer does not substitute ignored identifiers, keeping their +name unchanged. Additionally, the Normalizer tracks expressions with +ignored identifiers, so the subsequent identifiers are not +substituted in the chain of dots, bracket accessors and function +calls. For example: console.log("bar") document.getElementById("id").text 
@@ -4066,7 +4064,7 @@ foo["bar"] The list must contain object and function names only. For example: -http_inspect.js_norm_built_in_ident = { 'console', 'document', 'eval', 'foo' } +http_inspect.js_norm_ident_ignore = { 'console', 'document', 'eval', 'foo' } 5.10.3.15. xff_headers @@ -4495,10 +4493,10 @@ decompress_pdf, decompress_swf, and normalize_javascript. The js_data contains normalized JavaScript text collected from the whole PDU (inline or external scripts). It requires the Enhanced -Normalizer enabled: http_inspect = { js_normalization_depth = N }, -js_normalization_depth option is described above. Despite what -js_data has, file_data still contains the whole HTTP body with an -original JavaScript in it. +Normalizer enabled: http_inspect = { js_norm_bytes_depth = N }, +js_norm_bytes_depth option is described above. Despite what js_data +has, file_data still contains the whole HTTP body with an original +JavaScript in it. 5.10.6.15. vba_data
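Review bot: The ChangeLog hunk lists "http_inspect: rename js normalization options" without naming them, and entries such as "file_api: handle file_data" and "utils: place init/deinit routine under a single function" do not say what changed; since the reference-manual hunks show the actual renames (js_normalization_depth to js_norm_bytes_depth, js_norm_built_in_ident[].ident_name to js_norm_ident_ignore[].ident_name), spell them out in the 3.1.19.0 entry so someone scanning the ChangeLog can see that their config needs editing.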
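Review bot: The doc/upgrade/snort_upgrade.text hunk only bumps the revision line, yet this release renames two http_inspect options that are visible in the reference-manual hunks (js_normalization_depth becomes js_norm_bytes_depth and js_norm_built_in_ident becomes js_norm_ident_ignore). An existing snort.lua that sets either old name will fail validation after upgrading, so the upgrade manual should carry a 3.1.19.0 note listing both renames with their new names, and it is worth confirming that snort2lua (touched in this release for variable sets) does not still emit the old names.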
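Review bot: In the snort_user.text hunk at @@ -3870,17 +3870,16 @@ the new sentence "For more information on how additionally configure Enhanced Normalizer check with the following configuration options:" is ungrammatical; suggest "For more information on how to further configure the Enhanced Normalizer, see the following http_inspect options:" (the old text correctly said these are http_inspect options, which the rewrite drops). The rewrite also removes the parenthetical "(since it is HTML-embedded JavaScript)", which explained why the contents of script elements are restricted; consider keeping that clause, and "validates the syntax concerning ECMA-262 Standard" reads better as "validates the syntax against the ECMA-262 standard".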
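Review bot: In the js_norm_ident_ignore hunks (@@ -4047,17 +4046,16 @@ and @@ -4066,7 +4064,7 @@) the section opens with "js_norm_ident_ignore = {}. The default list is present in snort_defaults.lua", which reads as if the default were empty; say instead that the option takes a list and that the default list lives in snort_defaults.lua. The example `http_inspect.js_norm_ident_ignore = { 'console', 'document', 'eval', 'foo' }` also gives a bare list of strings, while the reference manual in the same commit documents the option as `js_norm_ident_ignore[].ident_name`; either show the `{ { ident_name = 'console' }, ... }` form or state in the text that a plain string list is accepted, so the two documents agree. Finally, "so the subsequent identifiers are not substituted in the chain of dots, bracket accessors and function calls" would be clearer as "so identifiers that follow an ignored one in a chain of dot accessors, bracket accessors and function calls are left unchanged as well".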
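Review bot: The js_data hunk at @@ -4495,10 +4493,10 @@ still says the option "requires the Enhanced Normalizer enabled: http_inspect = { js_norm_bytes_depth = N }", but the reference-manual hunk in this same commit shows js_norm_bytes_depth defaulting to -1 (unlimited), so setting it does not switch anything on, and the 5.10.2 text changed earlier in this patch states that having js_data in a rule "automatically enables Enhanced Normalizer". The two statements contradict each other; keep one and, if a config setting really is required, name the one that enables the normalizer. Also "Despite what js_data has, file_data still contains the whole HTTP body with an original JavaScript in it" should read "Regardless of what js_data contains, file_data still holds the whole HTTP body with the original JavaScript in it", and since decompress_vba is now added to imap, pop and smtp, the adjacent 5.10.6.15 vba_data section should say whether macros extracted from MIME attachments are matched by vba_data as well.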