From: Mike Stepanek (mstepane) Date: Wed, 9 Feb 2022 14:31:27 +0000 (+0000) Subject: Pull request #3265: build: Generate and tag 3.1.23.0 X-Git-Tag: 3.1.23.0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=786000d7b1d1d9e0c0aeefd449af0f82595ce6c6;p=thirdparty%2Fsnort3.git Pull request #3265: build: Generate and tag 3.1.23.0 Merge in SNORT/snort3 from ~MSTEPANE/snort3:build_3.1.23.0 to master Squashed commit of the following: commit 78bbb97046191e8d2bf3fe40b8d87f3c75a747f9 Author: Mike Stepanek Date: Wed Feb 9 05:02:03 2022 -0500 build: Generate and tag 3.1.23.0 --- diff --git a/CMakeLists.txt b/CMakeLists.txt index 9c8607ab0..06eadce29 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -3,7 +3,7 @@ project (snort CXX C) set (VERSION_MAJOR 3) set (VERSION_MINOR 1) -set (VERSION_PATCH 22) +set (VERSION_PATCH 23) set (VERSION_SUBLEVEL 0) set (VERSION "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}.${VERSION_SUBLEVEL}") diff --git a/ChangeLog b/ChangeLog index 5f517b94c..98abff49f 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,22 @@ +2022/02/09 - 3.1.23.0 + +detection: add dir abort check in skip_raw_tcp +doc: add notes about CLI/Lua precedence +doc: fix incorrect http builtin rule sid +event: make apis SO_PUBLIC to access in .so +filters: allow detection filter to sum events across threads +http_inspect: HttpStreamSplitter::reassemble verifies gzip file magic and checks for FEXTRA flag +main: ignore Snort module's option if it duplicates CLI option +main: parse snort module before others +main: remove default values for other-module parameters in snort module +main: stop with error on include(nil) attempt +packet_io: decrease daq module's parameters priority +stream: defer flush_queued_segments() if flow->clouseau +stream_tcp: better place for setting delayed_finish_flag +stream_tcp: fix a bug in which in some cases we did not call splitter finish() in each direction, by calling flush_queued_segments() in perform_fin_recv_flush() on FIN with data packets +stream_tcp: introduce TcpStreamTracker::delayed_finish_flag and call splitter finish from flush_on_data_policy if delayed_finish_flag is true +stream_tcp: wrap flow->clouseau in searching_for_service() + 2022/01/31 - 3.1.22.0 appid: give priority to custom process to app mappings over ODP mappings diff --git a/doc/reference/snort_reference.text b/doc/reference/snort_reference.text index 39d91a86c..3bc4cbe82 100644 --- a/doc/reference/snort_reference.text +++ b/doc/reference/snort_reference.text @@ -8,7 +8,7 @@ Snort 3 Reference Manual The Snort Team Revision History -Revision 3.1.22.0 2022-01-31 06:12:49 EST TST +Revision 3.1.23.0 2022-02-09 05:15:12 EST TST --------------------------------------------------------------------- 
@@ -1420,8 +1420,8 @@ Configuration: * string snort.-R: include this rules file in the default policy * string snort.-r: … (same as --pcap-list) - * int snort.-s = 1518: (same as --snaplen); default is 1518 - { 68:65535 } + * int snort.-s: (same as --snaplen); default is 1518 { + 0:65535 } * implied snort.-T: test and report on the current Snort configuration * string snort.-t: chroots process to after @@ -1449,8 +1449,8 @@ Configuration: Daemon mode * string snort.--daq: select packet acquisition module (default is pcap) - * int snort.--daq-batch-size = 64: set the DAQ receive batch - size { 1: } + * int snort.--daq-batch-size: set the DAQ receive batch + size; default is 64 { 1: } * string snort.--daq-dir: tell snort where to find desired DAQ * implied snort.--daq-list: list packet acquisition modules @@ -1551,8 +1551,8 @@ Configuration: to read - read mode is implied * string snort.--pcap-dir: a directory to recurse to look for pcaps - read mode is implied - * string snort.--pcap-filter = .*cap: filter to apply when - getting pcaps from file or directory + * string snort.--pcap-filter: filter to apply when getting + pcaps from file or directory * int snort.--pcap-loop: read all pcaps times; 0 will read until Snort is terminated { 0:max32 } * implied snort.--pcap-no-filter: reset to use no filter when @@ -1580,8 +1580,8 @@ Configuration: directory, including file, and config file respectively * implied snort.--show-plugins: list module and plugin versions * int snort.--skip: skip 1st n packets { 0:max53 } - * int snort.--snaplen = 1518: set snaplen of packet (same as - -s) { 68:65535 } + * int snort.--snaplen: set snaplen of packet (same as -s) { + 0:65535 } * implied snort.--stdin-rules: read rules from stdin until EOF or a line starting with END is read * implied snort.--talos: enable Talos tweak (same as --tweaks 
@@ -3979,6 +3979,7 @@ Rules: * 119:276 (http_inspect) HTTP version in start line is 0 * 119:277 (http_inspect) HTTP version in start line is higher than 1 + * 119:278 (http_inspect) HTTP gzip body with the FEXTRA flag set Peg counts: @@ -8485,7 +8486,7 @@ these libraries see the Getting Started section of the manual. * -q quiet mode - suppress normal logging on stdout * -R include this rules file in the default policy * -r … (same as --pcap-list) - * -s (same as --snaplen); default is 1518 (68:65535) + * -s (same as --snaplen); default is 1518 (0:65535) * -T test and report on the current Snort configuration * -t chroots process to after initialization * -U use UTC for timestamps @@ -8506,7 +8507,8 @@ these libraries see the Getting Started section of the manual. * --control-socket to create unix socket * --create-pidfile create PID file, even when not in Daemon mode * --daq select packet acquisition module (default is pcap) - * --daq-batch-size set the DAQ receive batch size (1:) + * --daq-batch-size set the DAQ receive batch size; default + is 64 (1:) * --daq-dir tell snort where to find desired DAQ * --daq-list list packet acquisition modules available in optional dir, default is static modules only @@ -8622,7 +8624,7 @@ these libraries see the Getting Started section of the manual. file, and config file respectively * --show-plugins list module and plugin versions * --skip skip 1st n packets (0:max53) - * --snaplen set snaplen of packet (same as -s) (68:65535) + * --snaplen set snaplen of packet (same as -s) (0:65535) * --stdin-rules read rules from stdin until EOF or a line starting with END is read * --talos enable Talos tweak (same as --tweaks talos) 
@@ -10233,8 +10235,8 @@ these libraries see the Getting Started section of the manual. hex) * implied snort.--create-pidfile: create PID file, even when not in Daemon mode - * int snort.--daq-batch-size = 64: set the DAQ receive batch - size { 1: } + * int snort.--daq-batch-size: set the DAQ receive batch + size; default is 64 { 1: } * string snort.--daq-dir: tell snort where to find desired DAQ * implied snort.--daq-list: list packet acquisition modules @@ -10358,8 +10360,8 @@ these libraries see the Getting Started section of the manual. pcaps - read mode is implied * string snort.--pcap-file: file that contains a list of pcaps to read - read mode is implied - * string snort.--pcap-filter = .*cap: filter to apply when - getting pcaps from file or directory + * string snort.--pcap-filter: filter to apply when getting + pcaps from file or directory * string snort.--pcap-list: a space separated list of pcaps to read - read mode is implied * int snort.--pcap-loop: read all pcaps times; 0 @@ -10386,8 +10388,6 @@ these libraries see the Getting Started section of the manual. stdout for text rule on stdin (specify delimiter or [Snort_SO_Rule] will be used) { 16 } * string snort.--run-prefix: prepend this to each output file - * int snort.-s = 1518: (same as --snaplen); default is 1518 - { 68:65535 } * string snort.--script-path: to a luajit script or directory containing luajit scripts * implied snort.--shell: enable the interactive command line 
@@ -10396,8 +10396,10 @@ these libraries see the Getting Started section of the manual. directory, including file, and config file respectively * implied snort.--show-plugins: list module and plugin versions * int snort.--skip: skip 1st n packets { 0:max53 } - * int snort.--snaplen = 1518: set snaplen of packet (same as - -s) { 68:65535 } + * int snort.--snaplen: set snaplen of packet (same as -s) { + 0:65535 } + * int snort.-s: (same as --snaplen); default is 1518 { + 0:65535 } * implied snort.--stdin-rules: read rules from stdin until EOF or a line starting with END is read * implied snort.--talos: enable Talos tweak (same as --tweaks @@ -12467,12 +12469,12 @@ session. The TCP packet is invalid because it doesn’t have a SYN, ACK, or RST flag set. -116:424 (pbb) truncated ethernet header +116:424 (eth) truncated ethernet header The packet length is less than the minimum ethernet header size (14 bytes) -116:424 (pbb) truncated ethernet header +116:424 (eth) truncated ethernet header A truncated ethernet header was detected. @@ -13399,6 +13401,11 @@ The HTTP version in the start line has a valid format but the version is higher than 1. This alert does not apply to HTTP/2 or HTTP/3 traffic. +119:278 (http_inspect) HTTP gzip body with the FEXTRA flag set + +The HTTP message body is gzip encoded and the FEXTRA flag is set in +the gzip header. + 121:1 (http2_inspect) invalid flag set on HTTP/2 frame Invalid flag set on HTTP/2 frame header diff --git a/doc/upgrade/snort_upgrade.text b/doc/upgrade/snort_upgrade.text index 39d016cda..87b6bb783 100644 --- a/doc/upgrade/snort_upgrade.text +++ b/doc/upgrade/snort_upgrade.text @@ -8,7 +8,7 @@ Snort 3 Upgrade Manual The Snort Team Revision History -Revision 3.1.22.0 2022-01-31 06:12:35 EST TST +Revision 3.1.23.0 2022-02-09 05:15:01 EST TST --------------------------------------------------------------------- diff --git a/doc/user/snort_user.text b/doc/user/snort_user.text index 4c5f2d828..2c35d5c59 100644 
--- a/doc/user/snort_user.text +++ b/doc/user/snort_user.text @@ -8,7 +8,7 @@ Snort 3 User Manual The Snort Team Revision History -Revision 3.1.22.0 2022-01-31 06:12:35 EST TST +Revision 3.1.23.0 2022-02-09 05:15:01 EST TST --------------------------------------------------------------------- @@ -266,8 +266,17 @@ the DAQ you use. -A cmg says to output intrusion events in "cmg" format, which has basic header details followed by the payload in hex and text. -Note that you add to and/or override anything in your configuration -file by using the --lua command line option. For example: +Command line options have precedence over Lua configuration files. +This can be used to make a custom run keeping all configuration files +unchanged: + +--daq-batch-size=32 + +will override daq.batch_size value. + +Notably, you can add to and/or override anything in your +configuration file by using the --lua command line option. For +example: --lua 'ips = { enable_builtin_rules = true }' @@ -683,7 +692,9 @@ additional information about the type and use of the parameter: * IPS rules may also have a wild card parameter, which is indicated by a *. Used for unquoted, comma-separated lists such as service and metadata. - * The snort module has command line options starting with a -. + * The snort module has command line options starting with a -. The + options passed from command line override the options configured + via snort module. * $ denotes variable names. Some additional details to note: @@ -1147,6 +1158,10 @@ General Use Lua Configuration + * Some parameters could be configured via a command line option or + snort module. In this case a command line option has the highest + precedence, in turn, snort module configuration has precedence + over other modules. * Configure the wizard and default bindings will be created based on configured inspectors. No need to explicitly bind ports in this case. 
@@ -1331,6 +1346,7 @@ a restart: * process.set_uid * snort.--bpf * snort.-l + * trace.output In addition, the following scenarios require a restart: @@ -6499,7 +6515,8 @@ configuring and using the bundled DAQ modules. As with a number of features in Snort 3, the LibDAQ and DAQ module configuration may be controlled using either the command line options -or by configuring the daq Snort module in the Lua configuration. +or by configuring the daq Snort module in the Lua configuration +(command line option has higher precedence). DAQ modules may be statically built into Snort, but the more common case is to use DAQ modules that have been built as dynamically
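Review bot: in the ChangeLog hunk (`@@ -1,3 +1,22 @@`), the two stream_tcp entries about `delayed_finish_flag` and `flush_queued_segments()` describe one fix from two angles, and the first of them is a ~170-character sentence ("fix a bug in which in some cases we did not call splitter finish() in each direction, by calling flush_queued_segments() in perform_fin_recv_flush() on FIN with data packets"), which breaks the one-line-per-change style of every other entry. Suggest folding them into a single short entry, e.g. "stream_tcp: call splitter finish() in each direction via delayed_finish_flag / flush_queued_segments()", and leaving the narrative to the commit that made the change.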
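Review bot: the -s/--snaplen range changes from `{ 68:65535 }` to `{ 0:65535 }` in the `@@ -1420,8` and `@@ -1580,8` hunks of snort_reference.text (and again at `@@ -8485`, `@@ -8622` and `@@ -10396`), which is a behaviour change, not a doc-only edit, yet no ChangeLog entry mentions it. The closest entry, "main: remove default values for other-module parameters in snort module", explains why `= 1518` moved into the description text ("default is 1518") but not why a snaplen of 0 is now accepted. Either add an entry saying what 0 means (is it "use the DAQ's own default"?), or restore `{ 68:65535 }` if the lower bound was dropped by accident. While at it, since `snort.-s` no longer carries a default of its own, the text should say which module now supplies the 1518 so readers don't expect the snort module to apply it.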
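Review bot: the --pcap-filter hunks (`@@ -1551,8` and `@@ -10358,8` in snort_reference.text) drop the `= .*cap` default from the parameter line without restating it in the description, whereas the sibling -s, --snaplen and --daq-batch-size hunks in the same file add "default is 1518" / "default is 64" to their text. Suggest the same treatment for consistency:

   * string snort.--pcap-filter: filter to apply when getting
     pcaps from file or directory; default is .*cap

Otherwise the only place the default is now visible is the command line help, which a reader of the reference manual won't see.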
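Review bot: in the `@@ -10386,8` / `@@ -10396,8` pair of hunks in snort_reference.text, `snort.-s` is removed from its position after `--run-prefix` and re-inserted after `--snaplen`, so this listing now orders `-s` differently from the `@@ -1420,8` listing in the same file, where `-s` still sits before `-T`. If this text is generated, the sort key apparently changed when the default value was removed from the option; worth checking that the generator's ordering is deterministic and the same for both listings, otherwise every release will shuffle these lines and produce noisy diffs like this one.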
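Review bot: in the `@@ -12467,12` hunk of snort_reference.text, GID:SID 116:424 is still listed twice after the `(pbb)` to `(eth)` rename, with two different explanations ("The packet length is less than the minimum ethernet header size (14 bytes)" and "A truncated ethernet header was detected."). Since this hunk already touches both headings, it is the right place to resolve the duplicate: if two codecs really raise the same rule, merge the two paragraphs into one entry; if not, one of the SIDs is wrong and should be corrected before it ends up in the 3.1.23.0 manual.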
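Review bot: the new 119:278 description in the `@@ -13399,6` hunk of snort_reference.text ("The HTTP message body is gzip encoded and the FEXTRA flag is set in the gzip header.") only restates the rule title and doesn't tell an operator what the alert implies. The ChangeLog entry ("HttpStreamSplitter::reassemble verifies gzip file magic and checks for FEXTRA flag") suggests this is about what http_inspect does with such a body; suggest adding one sentence on the consequence, for example whether the body is still decompressed and inspected or is passed through without inflation, since that is what decides whether this alert should be treated as an evasion attempt or as informational.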
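Review bot: wording in the `@@ -266,8` hunk of snort_user.text: "will override daq.batch_size value" needs an article ("will override the daq.batch_size value"), "This can be used to make a custom run keeping all configuration files unchanged" reads better as "This lets you change a setting for a single run without editing any configuration file", and "Notably, you can add to and/or override anything" uses the wrong connective; the original "Note that you can add to ..." or simply "You can also add to ..." fits the flow from the --daq-batch-size example into the --lua example.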
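Review bot: grammar in the `@@ -683,7` hunk of snort_user.text: "The options passed from command line override the options configured via snort module." should read "Options passed on the command line override the same options configured via the snort module." (articles, and "on the command line" rather than "from command line").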
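Review bot: the new bullet in the `@@ -1147,6` hunk of snort_user.text is a comma splice and uses "could" where "can" is meant. Suggest:

   * Some parameters can be configured either via a command line option
     or via the snort module. In that case the command line option has
     the highest precedence, and the snort module's setting in turn takes
     precedence over the same parameter configured in other modules.

This is also the only place the full three-level order (command line > snort module > other modules) is stated; the `@@ -683` and `@@ -6499` hunks only cover the first two levels, so it would help to cross-reference this bullet from them or repeat the full order there.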
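Review bot: the `@@ -1331,6` hunk of snort_user.text adds `trace.output` to the list of parameters that require a restart, but nothing in the ChangeLog for 3.1.23.0 mentions trace output or reload behaviour, so it isn't clear from this commit whether this documents a new restriction or a pre-existing one that was previously missing from the list. Please add a ChangeLog line (or point at the commit that introduced the restriction) so the upgrade notes and the user manual tell the same story.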
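Review bot: minor wording in the `@@ -6499,7` hunk of snort_user.text: "(command line option has higher precedence)" is missing an article and the comparison target; "(command line options take precedence over the Lua configuration)" says the same thing more clearly and matches the phrasing used in the `@@ -266` hunk.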