From: Michael Altizer (mialtize)
Date: Fri, 20 Dec 2019 19:39:41 +0000 (+0000)
Subject: Merge pull request #1902 in SNORT/snort3 from ~MIALTIZE/snort3:build_267 to master
X-Git-Tag: 3.0.0-267
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5dd2afc059f215aed5001a540f949d9866fedcae;p=thirdparty%2Fsnort3.git

Merge pull request #1902 in SNORT/snort3 from ~MIALTIZE/snort3:build_267 to master

Squashed commit of the following:

commit 7e4b25ffb40817f3efb272ea62c94f2db92f905b
Author: Michael Altizer
Date: Fri Dec 20 13:09:16 2019 -0500

    build: generate and tag build 267

---
diff --git a/ChangeLog b/ChangeLog
index e167abb6a..2e8be1bcc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,45 @@ +19/12/20 - build 267 + +-- appid: Adding command for third-party reload +-- appid: cleanup unused code +-- binder: assitant gadget support. +-- build: Const-ify reference arguments as suggested by cppcheck +-- catch: Add infrastructure for standalone Catch unit tests +-- catch: Update to Catch v2.11.0 +-- codec: Added GRE::encode method +-- control: Convert IdleProcessing unit tests to standalone Catch +-- dce_rpc: Convert HTTP proxy and server splitter unit tests to standalone Catch +-- file_api: When multiple files are processed simultaneously per flow, store the files on the + flow, not in the cache. Don't cache files until the signature has been computed +-- file_magic: add file magic for .jar, .rar, .alz, .egg, .hwp and .swf files +-- framework: Convert parameter and range unit tests to standalone Catch +-- gtp: alerts should be raised for missing TEID in gtp msg +-- helpers: Convert Base64Encoder unit tests to standalone Catch +-- http2_inspect: add Stream class +-- http2_inspect: parse settings frames +-- http_inspect: support limited response depth +-- ips: do not use includer for any rules file includes +-- ips: fix --show-file-codes for inclusion from -c file +-- lru_cache_shared: added find_else_insert to add user managed objects to the cache +-- lua: Convert LuaStack unit tests to standalone Catch +-- lua: Link lua_stack_test against libdl to handle the static luajit case +-- packet_capture: ignore PDUs and defragged packets, include non-IP packets +-- perf_monitor: Convert CSV, FBS, and JSON formatter unit tests to standalone Catch +-- perf_monitor: tuning for flow_ip_memcap on reload +-- profiler: Convert MemoryContext and ProfilerStatsTable unit tests to standalone Catch +-- reload: fix issue where resource tuning was not being called when in idle context +-- rule_state: allow empty tables +-- search_engine: fix expected count of MPSEs when offloading +-- sfip: Convert SfIp unit tests to standalone Catch +-- sfip: Use REG_TEST-style 
IP stringification for standalone Catch tests +-- stream_tcp: fix TcpState post increment operator to stop increment at max value (and use + correct max value) +-- stream_tcp: refactor stream_tcp initialization to create reassemblers during plugin init +-- stream_tcp: refactor to initialize tcp normalizers during plugin init +-- stream/tcp: Remove some unused Catch includes +-- time: Convert periodic and stopwatch unit tests to standalone Catch +-- utils: Convert bitop unit tests to standalone Catch + 19/12/04 - build 266 -- appid: Add new pattern to pop3, don't concatenate ssl certs, use openssl-1.1 compliant APIs diff --git a/doc/snort_manual.html b/doc/snort_manual.html index 106b4aa74..adf59bb00 100644 --- a/doc/snort_manual.html +++ b/doc/snort_manual.html @@ -782,7 +782,7 @@ asciidoc.install(2);
 ,,_     -*> Snort++ <*-
-o"  )~   Version 3.0.0 (Build 266)
+o"  )~   Version 3.0.0 (Build 267)
  ''''    By Martin Roesch & The Snort Team
          http://snort.org/contact#team
          Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
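Review bot: in the ChangeLog hunk above (build 267 entries), "binder: assitant gadget support." has a typo and should read "binder: assistant gadget support"; it is also the only entry ending in a period, so drop it for consistency. In the same hunk "stream/tcp: Remove some unused Catch includes" uses a different module spelling from the three neighbouring "stream_tcp:" entries; use "stream_tcp:" so the entries sort and grep together.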
@@ -5267,8 +5267,6 @@ processing.

It enables Snort to more quickly detect and block response messages containing malicious JavaScript. As this feature involves actively blocking traffic it is designed for use with inline mode operation (-Q).

-

This feature only functions with response_depth = -1 (unlimited). This -limitation will be removed in a future version.

This feature is off by default. detained_inspection = true will activate it.
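Review bot: this hunk deletes the sentence restricting detained inspection to response_depth = -1 without replacing it, so the manual no longer says how the feature behaves once a finite response_depth is configured (whether response data beyond the depth is still held for JavaScript inspection or is forwarded uninspected). Because detained inspection actively blocks traffic inline, add a sentence after "This feature is off by default. detained_inspection = true will activate it." that states the interaction with response_depth, matching the "http_inspect: support limited response depth" ChangeLog entry.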

@@ -10828,6 +10826,11 @@ int appid.trace: mask for enabling debug traces in module { 0:m appid.disable_debug(): disable appid debugging

+
  • +

    +appid.reload_third_party(): reload appid third-party module +

    +
  • Peg counts:
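Review bot: the new command text "appid.reload_third_party(): reload appid third-party module" does not say what is reloaded (which configured module/path is re-read) or whether the command reports success or failure to the operator, whereas the neighbouring enable_debug()/disable_debug() entries are self-describing. Expand the description so an operator can tell what state changes and how to confirm it.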

      @@ -12463,6 +12466,11 @@ int file_id.max_files_cached = 65536: maximal number of files c
    • +int file_id.max_files_per_flow = 32: maximal number of files able to be concurrently processed per flow { 1:max53 } +

      +
    • +
    • +

      bool file_id.enable_type = true: enable type ID
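Review bot: the description of "int file_id.max_files_per_flow = 32: maximal number of files able to be concurrently processed per flow" stops short of saying what happens to files that exceed the limit. This hunk should cross-reference that such files are skipped, counted in file_id.files_not_processed and flagged by rule 150:1 (all added later in this patch), so whoever tunes the value understands the detection trade-off. The { 1:max53 } range also lets the limit be raised without bound; since the file_api ChangeLog entry now stores these files on the flow rather than in the cache, note the per-flow memory implication next to the parameter.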

    • @@ -12577,6 +12585,14 @@ int file_id.verdict_delay = 0: number of queries to return fina

    +

    Rules:

    +
      +
    • +

      +150:1 (file_id) file not processed due to per flow limit +

      +
    • +

    Peg counts:
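Review bot: rule "150:1 (file_id) file not processed due to per flow limit" describes a detection gap rather than malicious content: once a flow carries more than max_files_per_flow concurrent files, the additional files receive no type or signature processing. The manual should state what verdict an unprocessed file gets (allowed through or blocked), because otherwise a peer that opens many concurrent transfers on one flow can push a later file past inspection and the only trace is this alert. Also hyphenate "per-flow limit" here to match the peg-count wording "number of files not processed due to per-flow limit" in the same section.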

    • @@ -12594,6 +12610,16 @@ int file_id.verdict_delay = 0: number of queries to return fina file_id.cache_failures: number of file cache add failures (sum)

    • +
    • +

      +file_id.files_not_processed: number of files not processed due to per-flow limit (sum) +

      +
    • +
    • +

      +file_id.max_concurrent_files: maximum files processed concurrently on a flow (max) +

      +
    @@ -12973,6 +12999,11 @@ int gtp_inspect.trace: mask for enabling debug traces in module 143:3 (gtp_inspect) information elements are out of order

    +
  • +

    +143:4 (gtp_inspect) TEID is missing +

    +
  • Peg counts:
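Review bot: "143:4 (gtp_inspect) TEID is missing" should say when a TEID is expected; the other 143:* texts name the field and the failing condition (length invalid, elements out of order), while this one leaves open whether it fires for every GTP message lacking a TEID or only where the message header mandates one. Tighten the rule text so operators can judge whether the alert indicates malformed traffic.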

      @@ -13052,17 +13083,27 @@ int gtp_inspect.trace: mask for enabling debug traces in module
    • -121:9 (http2_inspect) HTTP/2 request missing required header field +121:8 (http2_inspect) HTTP/2 request missing required header field +

      +
    • +
    • +

      +121:9 (http2_inspect) HTTP/2 response has no status code +

      +
    • +
    • +

      +121:10 (http2_inspect) invalid HTTP/2 header field

    • -121:10 (http2_inspect) HTTP/2 response has no status code +121:11 (http2_inspect) error in HTTP/2 settings frame

    • -121:11 (http2_inspect) invalid HTTP/2 header field +121:12 (http2_inspect) unknown parameter in HTTP/2 settings frame
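Review bot: this hunk renumbers 121:9, 121:10 and 121:11 to 121:8, 121:9 and 121:10 and then reuses 121:11 for an unrelated alert ("error in HTTP/2 settings frame"). Any existing rule_state, suppress or event_filter entry keyed on 121:9, 121:10 or 121:11 silently changes meaning after upgrade, and the ChangeLog hunk does not mention the renumbering. Either keep the existing SIDs and add the two settings-frame alerts as new SIDs, or add a ChangeLog line under build 267 calling out the renumbering so deployments can update their configs.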

    @@ -14590,7 +14631,22 @@ bool perf_monitor.summary = false: output summary at shutdown
    • -perf_monitor.packets: total packets (sum) +perf_monitor.packets: total packets processed by performance monitor (sum) +

      +
    • +
    • +

      +perf_monitor.total_frees: total flows pruned or freed by performance monitor (sum) +

      +
    • +
    • +

      +perf_monitor.reload_frees: flows freed on reload with changed memcap (sum) +

      +
    • +
    • +

      +perf_monitor.alloc_prunes: flows pruned on allocation of IP flows (sum)

    @@ -16649,6 +16705,16 @@ int stream.trace: mask for enabling debug traces in module { 0:
  • +stream.reload_tuning_idle: number of times stream resource tuner called while idle (sum) +

    +
  • +
  • +

    +stream.reload_tuning_packets: number of times stream resource tuner called while processing packets (sum) +

    +
  • +
  • +

    stream.reload_total_adds: number of flows added by config reloads (sum)

  • @@ -26119,6 +26185,11 @@ int file_id.max_files_cached = 65536: maximal number of files c
  • +int file_id.max_files_per_flow = 32: maximal number of files able to be concurrently processed per flow { 1:max53 } +

    +
  • +
  • +

    int file_id.show_data_depth = 100: print this many octets { 0:max53 }

  • @@ -30919,6 +30990,16 @@ interval wscale.~range: check if TCP window scale is in given r
  • +file_id.files_not_processed: number of files not processed due to per-flow limit (sum) +

    +
  • +
  • +

    +file_id.max_concurrent_files: maximum files processed concurrently on a flow (max) +

    +
  • +
  • +

    file_id.total_file_data: number of file data bytes processed (sum)

  • @@ -31734,7 +31815,22 @@ interval wscale.~range: check if TCP window scale is in given r
  • -perf_monitor.packets: total packets (sum) +perf_monitor.alloc_prunes: flows pruned on allocation of IP flows (sum) +

    +
  • +
  • +

    +perf_monitor.packets: total packets processed by performance monitor (sum) +

    +
  • +
  • +

    +perf_monitor.reload_frees: flows freed on reload with changed memcap (sum) +

    +
  • +
  • +

    +perf_monitor.total_frees: total flows pruned or freed by performance monitor (sum)

  • @@ -32639,6 +32735,16 @@ interval wscale.~range: check if TCP window scale is in given r
  • +stream.reload_tuning_idle: number of times stream resource tuner called while idle (sum) +

    +
  • +
  • +

    +stream.reload_tuning_packets: number of times stream resource tuner called while processing packets (sum) +

    +
  • +
  • +

    stream_tcp.client_cleanups: number of times data from server was flushed when session released (sum)

  • @@ -33289,17 +33395,17 @@ interval wscale.~range: check if TCP window scale is in given r
  • -146: file_id +148: cip

  • -148: cip +149: s7commplus

  • -149: s7commplus +150: file_id
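Review bot: moving file_id from GID 146 to GID 150 has the same compatibility impact as the http2 SID renumbering in this patch: rules, suppressions and rule_state entries written against 146:* stop matching, and 146 joins 147 as an unassigned gap in the GID list. If the move to 150 (after 149: s7commplus) is deliberate, add a ChangeLog line under build 267 noting the GID change and the new 150:1 rule.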

  • @@ -34719,17 +34825,27 @@ interval wscale.~range: check if TCP window scale is in given r
  • -121:9 (http2_inspect) HTTP/2 request missing required header field +121:8 (http2_inspect) HTTP/2 request missing required header field

  • -121:10 (http2_inspect) HTTP/2 response has no status code +121:9 (http2_inspect) HTTP/2 response has no status code

  • -121:11 (http2_inspect) invalid HTTP/2 header field +121:10 (http2_inspect) invalid HTTP/2 header field +

    +
  • +
  • +

    +121:11 (http2_inspect) error in HTTP/2 settings frame +

    +
  • +
  • +

    +121:12 (http2_inspect) unknown parameter in HTTP/2 settings frame

  • @@ -35769,6 +35885,11 @@ interval wscale.~range: check if TCP window scale is in given r
  • +143:4 (gtp_inspect) TEID is missing +

    +
  • +
  • +

    144:1 (modbus) length in Modbus MBAP header does not match the length needed for the given function

  • @@ -35849,6 +35970,11 @@ interval wscale.~range: check if TCP window scale is in given r
  • +150:1 (file_id) file not processed due to per flow limit +

    +
  • +
  • +

    175:1 (domain_filter) configured domain detected

  • @@ -35874,6 +36000,11 @@ interval wscale.~range: check if TCP window scale is in given r
  • +appid.reload_third_party(): reload appid third-party module +

    +
  • +
  • +

    host_cache.dump(file_name): dump host cache

  • @@ -39063,7 +39194,7 @@ Adding/removing stream_* inspectors if stream was already configured diff --git a/doc/snort_manual.pdf b/doc/snort_manual.pdf index 973b3e1e7..f076d26c0 100644 Binary files a/doc/snort_manual.pdf and b/doc/snort_manual.pdf differ diff --git a/doc/snort_manual.text b/doc/snort_manual.text index 731d9a7df..1203383fa 100644 --- a/doc/snort_manual.text +++ b/doc/snort_manual.text @@ -410,7 +410,7 @@ Table of Contents Snorty ,,_ -*> Snort++ <*- -o" )~ Version 3.0.0 (Build 266) +o" )~ Version 3.0.0 (Build 267) '''' By Martin Roesch & The Snort Team http://snort.org/contact#team Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved. @@ -3799,9 +3799,6 @@ response messages containing malicious JavaScript. As this feature involves actively blocking traffic it is designed for use with inline mode operation (-Q). -This feature only functions with response_depth = -1 (unlimited). -This limitation will be removed in a future version. - This feature is off by default. detained_inspection = true will activate it. @@ -7277,6 +7274,7 @@ Commands: * appid.enable_debug(proto, src_ip, src_port, dst_ip, dst_port): enable appid debugging * appid.disable_debug(): disable appid debugging + * appid.reload_third_party(): reload appid third-party module Peg counts: @@ -7982,6 +7980,8 @@ Configuration: in bytes { 8:max53 } * int file_id.max_files_cached = 65536: maximal number of files cached in memory { 8:max53 } + * int file_id.max_files_per_flow = 32: maximal number of files able + to be concurrently processed per flow { 1:max53 } * bool file_id.enable_type = true: enable type ID * bool file_id.enable_signature = true: enable signature calculation 
@@ -8018,12 +8018,20 @@ Configuration: * int file_id.verdict_delay = 0: number of queries to return final verdict { 0:max53 } +Rules: + + * 150:1 (file_id) file not processed due to per flow limit + Peg counts: * file_id.total_files: number of files processed (sum) * file_id.total_file_data: number of file data bytes processed (sum) * file_id.cache_failures: number of file cache add failures (sum) + * file_id.files_not_processed: number of files not processed due to + per-flow limit (sum) + * file_id.max_concurrent_files: maximum files processed + concurrently on a flow (max) 9.17. file_log @@ -8223,6 +8231,7 @@ Rules: * 143:1 (gtp_inspect) message length is invalid * 143:2 (gtp_inspect) information element length is invalid * 143:3 (gtp_inspect) information elements are out of order + * 143:4 (gtp_inspect) TEID is missing Peg counts: @@ -8255,10 +8264,12 @@ Rules: * 121:5 (http2_inspect) unexpected HTTP/2 continuation frame * 121:6 (http2_inspect) misformatted HTTP/2 traffic * 121:7 (http2_inspect) HTTP/2 connection preface does not match - * 121:9 (http2_inspect) HTTP/2 request missing required header + * 121:8 (http2_inspect) HTTP/2 request missing required header field - * 121:10 (http2_inspect) HTTP/2 response has no status code - * 121:11 (http2_inspect) invalid HTTP/2 header field + * 121:9 (http2_inspect) HTTP/2 response has no status code + * 121:10 (http2_inspect) invalid HTTP/2 header field + * 121:11 (http2_inspect) error in HTTP/2 settings frame + * 121:12 (http2_inspect) unknown parameter in HTTP/2 settings frame Peg counts: @@ -8792,7 +8803,14 @@ Configuration: Peg counts: - * perf_monitor.packets: total packets (sum) + * perf_monitor.packets: total packets processed by performance + monitor (sum) + * perf_monitor.total_frees: total flows pruned or freed by + performance monitor (sum) + * perf_monitor.reload_frees: flows freed on reload with changed + memcap (sum) + * perf_monitor.alloc_prunes: flows pruned on allocation of IP flows + (sum) 9.31. pop 
@@ -9576,6 +9594,10 @@ Peg counts: * stream.expected_pruned: number of expected flows pruned (sum) * stream.expected_overflows: number of expected cache overflows (sum) + * stream.reload_tuning_idle: number of times stream resource tuner + called while idle (sum) + * stream.reload_tuning_packets: number of times stream resource + tuner called while processing packets (sum) * stream.reload_total_adds: number of flows added by config reloads (sum) * stream.reload_total_deletes: number of flows deleted by config @@ -15070,6 +15092,8 @@ these libraries see the Getting Started section of the manual. seconds { 0:max31 } * int file_id.max_files_cached = 65536: maximal number of files cached in memory { 8:max53 } + * int file_id.max_files_per_flow = 32: maximal number of files able + to be concurrently processed per flow { 1:max53 } * int file_id.show_data_depth = 100: print this many octets { 0:max53 } * int file_id.signature_depth = 10485760: stop signature at this @@ -16684,6 +16708,10 @@ these libraries see the Getting Started section of the manual. out of local memory (sum) * file_connector.messages: total messages (sum) * file_id.cache_failures: number of file cache add failures (sum) + * file_id.files_not_processed: number of files not processed due to + per-flow limit (sum) + * file_id.max_concurrent_files: maximum files processed + concurrently on a flow (max) * file_id.total_file_data: number of file data bytes processed (sum) * file_id.total_files: number of files processed (sum) 
@@ -16904,7 +16932,14 @@ these libraries see the Getting Started section of the manual. * packet_capture.captured: packets matching dumped after matching filter (sum) * packet_capture.processed: packets processed against filter (sum) - * perf_monitor.packets: total packets (sum) + * perf_monitor.alloc_prunes: flows pruned on allocation of IP flows + (sum) + * perf_monitor.packets: total packets processed by performance + monitor (sum) + * perf_monitor.reload_frees: flows freed on reload with changed + memcap (sum) + * perf_monitor.total_frees: total flows pruned or freed by + performance monitor (sum) * pop.b64_attachments: total base64 attachments decoded (sum) * pop.b64_decoded_bytes: total base64 decoded bytes (sum) * pop.concurrent_sessions: total concurrent pop sessions (now) @@ -17122,6 +17157,10 @@ these libraries see the Getting Started section of the manual. (sum) * stream.reload_total_deletes: number of flows deleted by config reloads (sum) + * stream.reload_tuning_idle: number of times stream resource tuner + called while idle (sum) + * stream.reload_tuning_packets: number of times stream resource + tuner called while processing packets (sum) * stream_tcp.client_cleanups: number of times data from server was flushed when session released (sum) * stream_tcp.closing: number of sessions currently closing (now) @@ -17278,9 +17317,9 @@ these libraries see the Getting Started section of the manual. * 143: gtp_inspect * 144: modbus * 145: dnp3 - * 146: file_id * 148: cip * 149: s7commplus + * 150: file_id * 175: domain_filter * 256: dpx 
@@ -17616,10 +17655,12 @@ these libraries see the Getting Started section of the manual. * 121:5 (http2_inspect) unexpected HTTP/2 continuation frame * 121:6 (http2_inspect) misformatted HTTP/2 traffic * 121:7 (http2_inspect) HTTP/2 connection preface does not match - * 121:9 (http2_inspect) HTTP/2 request missing required header + * 121:8 (http2_inspect) HTTP/2 request missing required header field - * 121:10 (http2_inspect) HTTP/2 response has no status code - * 121:11 (http2_inspect) invalid HTTP/2 header field + * 121:9 (http2_inspect) HTTP/2 response has no status code + * 121:10 (http2_inspect) invalid HTTP/2 header field + * 121:11 (http2_inspect) error in HTTP/2 settings frame + * 121:12 (http2_inspect) unknown parameter in HTTP/2 settings frame * 122:1 (port_scan) TCP portscan * 122:2 (port_scan) TCP decoy portscan * 122:3 (port_scan) TCP portsweep @@ -17872,6 +17913,7 @@ these libraries see the Getting Started section of the manual. * 143:1 (gtp_inspect) message length is invalid * 143:2 (gtp_inspect) information element length is invalid * 143:3 (gtp_inspect) information elements are out of order + * 143:4 (gtp_inspect) TEID is missing * 144:1 (modbus) length in Modbus MBAP header does not match the length needed for the given function * 144:2 (modbus) Modbus protocol ID is non-zero @@ -17895,6 +17937,7 @@ these libraries see the Getting Started section of the manual. match the length needed for the given S7commplus function * 149:2 (s7commplus) S7commplus protocol ID is non-zero * 149:3 (s7commplus) reserved S7commplus function code in use + * 150:1 (file_id) file not processed due to per flow limit * 175:1 (domain_filter) configured domain detected * 256:1 (dpx) too much data sent to port 
@@ -17906,6 +17949,7 @@ these libraries see the Getting Started section of the manual. * appid.enable_debug(proto, src_ip, src_port, dst_ip, dst_port): enable appid debugging * appid.disable_debug(): disable appid debugging + * appid.reload_third_party(): reload appid third-party module * host_cache.dump(file_name): dump host cache * packet_capture.enable(filter): dump raw packets * packet_capture.disable(): stop packet dump diff --git a/src/main/build.h b/src/main/build.h index 3422cb379..f9190e66c 100644 --- a/src/main/build.h +++ b/src/main/build.h @@ -12,7 +12,7 @@ // // //-----------------------------------------------// -#define BUILD_NUMBER 266 +#define BUILD_NUMBER 267 #ifndef EXTRABUILD #define BUILD STRINGIFY_MX(BUILD_NUMBER)