From: Mike Stepanek (mstepane)
Date: Wed, 20 May 2020 14:29:30 +0000 (+0000)
Subject: Merge pull request #2222 in SNORT/snort3 from ~MSTEPANE/snort3:3_0_1_build_4 to master
X-Git-Tag: 3.0.1-4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7c415a05705d6ca03f6e64210efdcfe7c1ba52d9;p=thirdparty%2Fsnort3.git

Merge pull request #2222 in SNORT/snort3 from ~MSTEPANE/snort3:3_0_1_build_4 to master

Squashed commit of the following:

commit 238dfa82de8dd72a79574d83fad0e2f9deda3dc2
Author: Mike Stepanek
Date:   Wed May 20 07:55:59 2020 -0400

    generate and tag 3.0.1 build 4
---
diff --git a/ChangeLog b/ChangeLog
index 2e5a5c198..3833ab8bf 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,42 @@ +2020/05/20 - 3.0.1 build 4 + +-- appid: Do not allocate DNS session for non-DNS flows and update memory tracker for HTTP sessions +-- appid: Get inspector for the current snort config during reload +-- binder: print configured bindings in show() method +-- build: fix cppcheck warnings and typos +-- coverity: fixed issues discovered by Coverity tool +-- daq: Configure DAQ instances with total instances and instance IDs +-- dce_rpc: code style cleanups +-- dce_rpc: generate alert when dce splitter aborts due to invalid fragment length +-- flow: If a retry packet does not belong to a flow, block it. +-- ftp_telnet: fix FTP race condition +-- http2_inspect: change partial flush handling +-- log: do not truncate config option names in ConfigLogger +-- loggers: when logging alert only use inspector buffers and name when the inspector's paf + splitter is assigned for the direction of the alert" +-- main: Fixing some issues reported by Coverity +-- managers: print alphabetically sorted verbose inspector config output within an inspection + policy +-- mpse: constify snort config args +-- network_inspectors: Fixing a few minor issues reported by Coverity +-- parser: print enabled rules for each ips policy +-- search_tool: refactor initialization +-- snort_config: constify Inspector::show and remove unnecessary logger args +-- snort_config: make const for packet threads +-- snort_config: minimize thread local access to snort_config +-- snort_config: pseudo packet initialization +-- snort_config: refactor access methods +-- snort_config: use provided conf +-- stream: add a configurable timeout for held packets +-- stream: move held packet timeout to Stream and support changing it on reload +-- stream_tcp: call splitter->finish() before reassemble() when flushing when PAF aborts due to gap + in queued data +-- stream_tcp: change the DAQ verdict from drop to blacklist for held packets that timed out +-- stream_tcp: clear gadget from Flow object once fallback 
has happened in both directions +-- stream_tcp: only clear gadget after both splitters have aborted +-- stream_tcp: when paf aborts due to gap in data set splitter state to ABORT +-- trace: move module trace configuration into the trace module. + 2020/05/06 - 3.0.1 build 3 -- appid: Do not process retry packets but continue processing future packets in AppId diff --git a/doc/snort_manual.html b/doc/snort_manual.html index c21d70608..bf5efe334 100644 --- a/doc/snort_manual.html +++ b/doc/snort_manual.html @@ -782,7 +782,7 @@ asciidoc.install(2);
 ,,_     -*> Snort++ <*-
-o"  )~   Version 3.0.1 (Build 3)
+o"  )~   Version 3.0.1 (Build 4)
  ''''    By Martin Roesch & The Snort Team
          http://snort.org/contact#team
          Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
@@ -7412,14 +7412,6 @@ string daq.modules[].variables[].variable: DAQ mod
 

What: general decoder rules

Type: basic

Usage: context

-

Configuration:

-
    -
  • -

    -int decode.trace.all = 0: enable traces in module { 0:255 } -

    -
  • -

Rules:

  • @@ -7531,51 +7523,6 @@ bool detection.pcre_to_regex = false: enable the use of regex i bool detection.enable_address_anomaly_checks = false: enable check and alerting of address anomalies

  • -
  • -

    -int detection.trace.all = 0: enable detection module trace logging options { 0:255 } -

    -
  • -
  • -

    -int detection.trace.detect_engine = 0: enable detection engine trace logging { 0:255 } -

    -
  • -
  • -

    -int detection.trace.rule_eval = 0: enable rule evaluation trace logging { 0:255 } -

    -
  • -
  • -

    -int detection.trace.buffer = 0: enable buffer trace logging { 0:255 } -

    -
  • -
  • -

    -int detection.trace.rule_vars = 0: enable rule variables trace logging { 0:255 } -

    -
  • -
  • -

    -int detection.trace.fp_search = 0: enable fast pattern search trace logging { 0:255 } -

    -
  • -
  • -

    -int detection.trace.pkt_detect = 0: enable packet detection trace logging { 0:255 } -

    -
  • -
  • -

    -int detection.trace.opt_tree = 0: enable tree option trace logging { 0:255 } -

    -
  • -
  • -

    -int detection.trace.tag = 0: enable tag trace logging { 0:255 } -

    -

Peg counts:

    @@ -8170,11 +8117,6 @@ int latency.rule.suspend_threshold = 5: set threshold for numbe int latency.rule.max_suspend_time = 30000: set max time for suspending a rule (ms, 0 means permanently disable rule) { 0:max32 }

    -
  • -

    -int latency.trace.all = 0: enable traces in module { 0:255 } -

    -

Rules:

    @@ -8314,11 +8256,6 @@ multi network.checksum_eval = all: checksums to verify { all |
  • -bool network.decode_drops = false: enable dropping of packets by the decoder -

    -
  • -
  • -

    int network.id = 0: correlate unified2 events with configuration { 0:65535 }
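Review bot: the removal of `bool network.decode_drops = false: enable dropping of packets by the decoder` in this hunk has no matching ChangeLog line; the ChangeLog hunk above lists stream, trace, appid and other module changes but nothing under network or decode. An operator who has `decode_drops` set in an existing configuration gets no release note saying the option is gone or what now governs dropping by the decoder. Add a ChangeLog entry for the removal and, if decoder drops now follow another setting, name it beside the remaining `network.*` options.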

  • @@ -9503,11 +9440,6 @@ string snort.--x2s: output ASCII string for given byte code (se implied snort.--trace: turn on main loop debug trace

    -
  • -

    -int snort.trace.all = 0: enable traces in module { 0:255 } -

    -

Commands:

    @@ -9674,6 +9606,101 @@ string suppress[].ip: restrict suppression to thes
    • +int trace.modules.detection.all: enable all trace options { 0:255 } +

      +
    • +
    • +

      +int trace.modules.detection.detect_engine: enable detection engine trace logging { 0:255 } +

      +
    • +
    • +

      +int trace.modules.detection.rule_eval: enable rule evaluation trace logging { 0:255 } +

      +
    • +
    • +

      +int trace.modules.detection.buffer: enable buffer trace logging { 0:255 } +

      +
    • +
    • +

      +int trace.modules.detection.rule_vars: enable rule variables trace logging { 0:255 } +

      +
    • +
    • +

      +int trace.modules.detection.fp_search: enable fast pattern search trace logging { 0:255 } +

      +
    • +
    • +

      +int trace.modules.detection.pkt_detect: enable packet detection trace logging { 0:255 } +

      +
    • +
    • +

      +int trace.modules.detection.opt_tree: enable tree option trace logging { 0:255 } +

      +
    • +
    • +

      +int trace.modules.detection.tag: enable tag trace logging { 0:255 } +

      +
    • +
    • +

      +int trace.modules.stream_user.all: enable all trace options { 0:255 } +

      +
    • +
    • +

      +int trace.modules.stream_ip.all: enable all trace options { 0:255 } +

      +
    • +
    • +

      +int trace.modules.stream.all: enable all trace options { 0:255 } +

      +
    • +
    • +

      +int trace.modules.dce_smb.all: enable all trace options { 0:255 } +

      +
    • +
    • +

      +int trace.modules.dce_udp.all: enable all trace options { 0:255 } +

      +
    • +
    • +

      +int trace.modules.latency.all: enable all trace options { 0:255 } +

      +
    • +
    • +

      +int trace.modules.wizard.all: enable all trace options { 0:255 } +

      +
    • +
    • +

      +int trace.modules.gtp_inspect.all: enable all trace options { 0:255 } +

      +
    • +
    • +

      +int trace.modules.appid.all: enable all trace options { 0:255 } +

      +
    • +
    • +

      +int trace.modules.decode.all: enable all trace options { 0:255 } +

      +
    • +
    • +

      enum trace.output: output method for trace log messages { stdout | syslog }
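Review bot: none of the new `trace.modules.*` entries in this hunk shows a default, while every `*.trace.all` and `detection.trace.*` option they replace was documented as `= 0`; either the manual generator is not emitting the default for the relocated options or the default changed, and the page should make clear which. These knobs enable detection-engine, rule-evaluation and packet trace logging, so a reader needs to see that the shipped default is still off. The ChangeLog line "trace: move module trace configuration into the trace module" also does not say that the old per-module keys (`decode.trace.all`, `detection.trace.all`, `latency.trace.all`, `snort.trace.all` and the rest removed in this diff) are gone; a one-line mapping from the old key to the new `trace.modules.<module>.<option>` form would spare operators a failed config load on upgrade.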

    • @@ -11004,11 +11031,6 @@ bool appid.tp_appid_config_dump: print third party configuratio bool appid.log_all_sessions = false: enable logging of all appid sessions

      -
    • -

      -int appid.trace.all = 0: enable traces in module { 0:255 } -

      -

    Commands:

      @@ -11523,11 +11545,6 @@ string dce_smb.smb_invalid_shares: SMB shares to alert on bool dce_smb.smb_legacy_mode = false: inspect only SMBv1

      -
    • -

      -int dce_smb.trace.all = 0: enable traces in module { 0:255 } -

      -

    Rules:

      @@ -12243,11 +12260,6 @@ bool dce_udp.disable_defrag = false: disable DCE/RPC defragment int dce_udp.max_frag_len = 65535: maximum fragment size for defragmentation { 1514:65535 }

      -
    • -

      -int dce_udp.trace.all = 0: enable traces in module { 0:255 } -

      -

    Rules:

      @@ -13192,11 +13204,6 @@ string gtp_inspect[].infos[].name: information ele int gtp_inspect[].infos[].length = 0: information element type code { 0:255 }

      -
    • -

      -int gtp_inspect.trace.all = 0: enable traces in module { 0:255 } -

      -

    Rules:

      @@ -15901,6 +15908,11 @@ int rt_global.downshift_mode = 3: 1 = unconditional, 2 = !ctl a int rt_global.memcap = 2048: cap on amount of memory used (0 is disabled) { 0:max53 }

      +
    • +

      +bool rt_global.empty_ips = false: ips policy with no rules +

      +

    Peg counts:
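Review bot: `bool rt_global.empty_ips = false: ips policy with no rules` states a condition rather than an effect; the other `rt_global.*` entries around it ("cap on amount of memory used", "attempt downshift at this packet") say what the setting does. Reword to describe the behaviour when it is set to true so the option is not read as a general IPS policy switch.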

      @@ -16944,6 +16956,11 @@ int stream.pruning_timeout = 30: minimum inactive time before b
    • +int stream.held_packet_timeout = 1000: timeout in milliseconds for held packets { 1:max32 } +

      +
    • +
    • +

      int stream.ip_cache.idle_timeout = 180: maximum inactive time before retiring session tracker { 1:max32 }
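Review bot: the description of `stream.held_packet_timeout` here, "timeout in milliseconds for held packets", leaves out the two facts the ChangeLog hunk records for this release: held packets that time out now receive the DAQ verdict blacklist instead of drop, and the timeout can be changed on reload. Both belong in this entry, since an operator tuning the value is choosing how long a packet is held before the flow is blacklisted. Suggest: `timeout in milliseconds for held packets; expired packets are released with a blacklist verdict { 1:max32 }`, with the reload behaviour noted where the stream module describes reload.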

    • @@ -17002,11 +17019,6 @@ int stream.file_cache.idle_timeout = 180: maximum inactive time int stream.file_cache.cap_weight = 32: additional bytes to track per flow for better estimation against cap { 0:65535 }

      -
    • -

      -int stream.trace.all = 0: enable traces in module { 0:255 } -

      -

    Rules:

      @@ -17233,11 +17245,6 @@ enum stream_ip.policy = linux: fragment reassembly policy { fir int stream_ip.session_timeout = 30: session tracking timeout { 1:max31 }

      -
    • -

      -int stream_ip.trace.all = 0: enable traces in module { 0:255 } -

      -

    Rules:

      @@ -17836,6 +17843,11 @@ bool stream_tcp.track_only = false: disable reassembly if true
    • +stream_tcp.held_packet_timeouts: number of held packets that timed out (sum) +

      +
    • +
    • +

      stream_tcp.cur_packets_held: number of packets currently held (now)

    • @@ -17854,6 +17866,16 @@ bool stream_tcp.track_only = false: disable reassembly if true stream_tcp.partial_flush_bytes: partial flush total bytes (sum)

      +
    • +

      +stream_tcp.inspector_fallbacks: count of fallbacks from assigned service inspector (sum) +

      +
    • +
    • +

      +stream_tcp.partial_fallbacks: count of fallbacks from assigned service stream splitter (sum) +

      +
@@ -17925,11 +17947,6 @@ int stream_udp.session_timeout = 30: session tracking timeout { int stream_user.session_timeout = 30: session tracking timeout { 1:max31 }

-
  • -

    -int stream_user.trace.all = 0: enable traces in module { 0:255 } -

    -
  • @@ -18059,11 +18076,6 @@ string wizard.spells[].to_client[].spell: sequence multi wizard.curses: enable service identification based on internal algorithm { dce_smb | dce_udp | dce_tcp }

    -
  • -

    -int wizard.trace.all = 0: enable traces in module { 0:255 } -

    -
  • Peg counts:

      @@ -25531,11 +25543,6 @@ bool appid.tp_appid_stats_enable: enable collection of stats an
    • -int appid.trace.all = 0: enable traces in module { 0:255 } -

      -
    • -
    • -

      ip4 arp_spoof.hosts[].ip: host ip address

    • @@ -26261,11 +26268,6 @@ int dce_smb.smb_max_compound = 3: SMB max compound size { 0:255
    • -int dce_smb.trace.all = 0: enable traces in module { 0:255 } -

      -
    • -
    • -

      multi dce_smb.valid_smb_versions = all: valid SMB versions { v1 | v2 | all }

    • @@ -26311,16 +26313,6 @@ int dce_udp.max_frag_len = 65535: maximum fragment size for def
    • -int dce_udp.trace.all = 0: enable traces in module { 0:255 } -

      -
    • -
    • -

      -int decode.trace.all = 0: enable traces in module { 0:255 } -

      -
    • -
    • -

      int detection.asn1 = 0: maximum decode nodes { 0:65535 }

    • @@ -26396,51 +26388,6 @@ bool detection.pcre_to_regex = false: enable the use of regex i
    • -int detection.trace.all = 0: enable detection module trace logging options { 0:255 } -

      -
    • -
    • -

      -int detection.trace.buffer = 0: enable buffer trace logging { 0:255 } -

      -
    • -
    • -

      -int detection.trace.detect_engine = 0: enable detection engine trace logging { 0:255 } -

      -
    • -
    • -

      -int detection.trace.fp_search = 0: enable fast pattern search trace logging { 0:255 } -

      -
    • -
    • -

      -int detection.trace.opt_tree = 0: enable tree option trace logging { 0:255 } -

      -
    • -
    • -

      -int detection.trace.pkt_detect = 0: enable packet detection trace logging { 0:255 } -

      -
    • -
    • -

      -int detection.trace.rule_eval = 0: enable rule evaluation trace logging { 0:255 } -

      -
    • -
    • -

      -int detection.trace.rule_vars = 0: enable rule variables trace logging { 0:255 } -

      -
    • -
    • -

      -int detection.trace.tag = 0: enable tag trace logging { 0:255 } -

      -
    • -
    • -

      bool dnp3.check_crc = false: validate checksums in DNP3 link layer frames

    • @@ -27066,11 +27013,6 @@ int gtp_inspect[].messages[].type = 0: message typ
    • -int gtp_inspect.trace.all = 0: enable traces in module { 0:255 } -

      -
    • -
    • -

      int gtp_inspect[].version = 2: GTP version { 0:2 }

    • @@ -27771,11 +27713,6 @@ int latency.rule.suspend_threshold = 5: set threshold for numbe
    • -int latency.trace.all = 0: enable traces in module { 0:255 } -

      -
    • -
    • -

      bool log_codecs.file = false: output to log_codecs.txt instead of stdout

    • @@ -27896,11 +27833,6 @@ multi network.checksum_eval = all: checksums to verify { all |
    • -bool network.decode_drops = false: enable dropping of packets by the decoder -

      -
    • -
    • -

      int network.id = 0: correlate unified2 events with configuration { 0:65535 }

    • @@ -28921,6 +28853,11 @@ int rt_global.downshift_packet = 0: attempt downshift at this p
    • +bool rt_global.empty_ips = false: ips policy with no rules +

      +
    • +
    • +

      int rt_global.memcap = 2048: cap on amount of memory used (0 is disabled) { 0:max53 }

    • @@ -29826,11 +29763,6 @@ string snort.-t: <dir> chroots process to <dir> aft
    • -int snort.trace.all = 0: enable traces in module { 0:255 } -

      -
    • -
    • -

      implied snort.--trace: turn on main loop debug trace

    • @@ -30121,6 +30053,11 @@ bool stream_file.upload = false: indicate file transfer directi
    • +int stream.held_packet_timeout = 1000: timeout in milliseconds for held packets { 1:max32 } +

      +
    • +
    • +

      int stream.icmp_cache.cap_weight = 0: additional bytes to track per flow for better estimation against cap { 0:65535 }

    • @@ -30181,11 +30118,6 @@ int stream_ip.session_timeout = 30: session tracking timeout {
    • -int stream_ip.trace.all = 0: enable traces in module { 0:255 } -

      -
    • -
    • -

      int stream.max_flows = 476288: maximum simultaneous flows tracked before pruning { 2:max32 }

    • @@ -30311,11 +30243,6 @@ bool stream_tcp.track_only = false: disable reassembly if true
    • -int stream.trace.all = 0: enable traces in module { 0:255 } -

      -
    • -
    • -

      int stream.udp_cache.cap_weight = 0: additional bytes to track per flow for better estimation against cap { 0:65535 }

    • @@ -30346,11 +30273,6 @@ int stream_user.session_timeout = 30: session tracking timeout
    • -int stream_user.trace.all = 0: enable traces in module { 0:255 } -

      -
    • -
    • -

      int suppress[].gid = 0: rule generator ID { 0:max32 }

    • @@ -30441,6 +30363,101 @@ interval tos.~range: check if IP TOS is in given range { 0:255
    • +int trace.modules.appid.all: enable all trace options { 0:255 } +

      +
    • +
    • +

      +int trace.modules.dce_smb.all: enable all trace options { 0:255 } +

      +
    • +
    • +

      +int trace.modules.dce_udp.all: enable all trace options { 0:255 } +

      +
    • +
    • +

      +int trace.modules.decode.all: enable all trace options { 0:255 } +

      +
    • +
    • +

      +int trace.modules.detection.all: enable all trace options { 0:255 } +

      +
    • +
    • +

      +int trace.modules.detection.buffer: enable buffer trace logging { 0:255 } +

      +
    • +
    • +

      +int trace.modules.detection.detect_engine: enable detection engine trace logging { 0:255 } +

      +
    • +
    • +

      +int trace.modules.detection.fp_search: enable fast pattern search trace logging { 0:255 } +

      +
    • +
    • +

      +int trace.modules.detection.opt_tree: enable tree option trace logging { 0:255 } +

      +
    • +
    • +

      +int trace.modules.detection.pkt_detect: enable packet detection trace logging { 0:255 } +

      +
    • +
    • +

      +int trace.modules.detection.rule_eval: enable rule evaluation trace logging { 0:255 } +

      +
    • +
    • +

      +int trace.modules.detection.rule_vars: enable rule variables trace logging { 0:255 } +

      +
    • +
    • +

      +int trace.modules.detection.tag: enable tag trace logging { 0:255 } +

      +
    • +
    • +

      +int trace.modules.gtp_inspect.all: enable all trace options { 0:255 } +

      +
    • +
    • +

      +int trace.modules.latency.all: enable all trace options { 0:255 } +

      +
    • +
    • +

      +int trace.modules.stream.all: enable all trace options { 0:255 } +

      +
    • +
    • +

      +int trace.modules.stream_ip.all: enable all trace options { 0:255 } +

      +
    • +
    • +

      +int trace.modules.stream_user.all: enable all trace options { 0:255 } +

      +
    • +
    • +

      +int trace.modules.wizard.all: enable all trace options { 0:255 } +

      +
    • +
    • +

      enum trace.output: output method for trace log messages { stdout | syslog }

    • @@ -30546,11 +30563,6 @@ string wizard.spells[].to_server[].spell: sequence
    • -int wizard.trace.all = 0: enable traces in module { 0:255 } -

      -
    • -
    • -

      interval wscale.~range: check if TCP window scale is in given range { 0:65535 }

    • @@ -33561,6 +33573,11 @@ interval wscale.~range: check if TCP window scale is in given r
    • +stream_tcp.held_packet_timeouts: number of held packets that timed out (sum) +

      +
    • +
    • +

      stream_tcp.ignored: tcp packets ignored (sum)

    • @@ -33571,6 +33588,11 @@ interval wscale.~range: check if TCP window scale is in given r
    • +stream_tcp.inspector_fallbacks: count of fallbacks from assigned service inspector (sum) +

      +
    • +
    • +

      stream_tcp.instantiated: new sessions instantiated (sum)

    • @@ -33606,6 +33628,11 @@ interval wscale.~range: check if TCP window scale is in given r
    • +stream_tcp.partial_fallbacks: count of fallbacks from assigned service stream splitter (sum) +

      +
    • +
    • +

      stream_tcp.partial_flush_bytes: partial flush total bytes (sum)

    • @@ -39938,7 +39965,7 @@ Adding/removing stream_* inspectors if stream was already configured diff --git a/doc/snort_manual.pdf b/doc/snort_manual.pdf index cbc557c35..42a4cf9ee 100644 Binary files a/doc/snort_manual.pdf and b/doc/snort_manual.pdf differ diff --git a/doc/snort_manual.text b/doc/snort_manual.text index f90e349b0..aa5d80fb3 100644 --- a/doc/snort_manual.text +++ b/doc/snort_manual.text @@ -411,7 +411,7 @@ Table of Contents Snorty ,,_ -*> Snort++ <*- -o" )~ Version 3.0.1 (Build 3) +o" )~ Version 3.0.1 (Build 4) '''' By Martin Roesch & The Snort Team http://snort.org/contact#team Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved. @@ -5614,10 +5614,6 @@ Type: basic Usage: context -Configuration: - - * int decode.trace.all = 0: enable traces in module { 0:255 } - Rules: * 116:150 (decode) loopback IP @@ -5665,23 +5661,6 @@ Configuration: instead of pcre for compatible expressions * bool detection.enable_address_anomaly_checks = false: enable check and alerting of address anomalies - * int detection.trace.all = 0: enable detection module trace - logging options { 0:255 } - * int detection.trace.detect_engine = 0: enable detection engine - trace logging { 0:255 } - * int detection.trace.rule_eval = 0: enable rule evaluation trace - logging { 0:255 } - * int detection.trace.buffer = 0: enable buffer trace logging { - 0:255 } - * int detection.trace.rule_vars = 0: enable rule variables trace - logging { 0:255 } - * int detection.trace.fp_search = 0: enable fast pattern search - trace logging { 0:255 } - * int detection.trace.pkt_detect = 0: enable packet detection trace - logging { 0:255 } - * int detection.trace.opt_tree = 0: enable tree option trace - logging { 0:255 } - * int detection.trace.tag = 0: enable tag trace logging { 0:255 } Peg counts: 
@@ -5991,7 +5970,6 @@ Configuration: * int latency.rule.max_suspend_time = 30000: set max time for suspending a rule (ms, 0 means permanently disable rule) { 0:max32 } - * int latency.trace.all = 0: enable traces in module { 0:255 } Rules: @@ -6055,8 +6033,6 @@ Configuration: | ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none } * multi network.checksum_eval = all: checksums to verify { all | ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none } - * bool network.decode_drops = false: enable dropping of packets by - the decoder * int network.id = 0: correlate unified2 events with configuration { 0:65535 } * int network.min_ttl = 1: alert / normalize packets with lower TTL @@ -6599,7 +6575,6 @@ Configuration: * string snort.--x2s: output ASCII string for given byte code (see also --x2c) * implied snort.--trace: turn on main loop debug trace - * int snort.trace.all = 0: enable traces in module { 0:255 } Commands: 
@@ -6674,6 +6649,37 @@ Usage: global Configuration: + * int trace.modules.detection.all: enable all trace options { 0:255 + } + * int trace.modules.detection.detect_engine: enable detection + engine trace logging { 0:255 } + * int trace.modules.detection.rule_eval: enable rule evaluation + trace logging { 0:255 } + * int trace.modules.detection.buffer: enable buffer trace logging { + 0:255 } + * int trace.modules.detection.rule_vars: enable rule variables + trace logging { 0:255 } + * int trace.modules.detection.fp_search: enable fast pattern search + trace logging { 0:255 } + * int trace.modules.detection.pkt_detect: enable packet detection + trace logging { 0:255 } + * int trace.modules.detection.opt_tree: enable tree option trace + logging { 0:255 } + * int trace.modules.detection.tag: enable tag trace logging { 0:255 + } + * int trace.modules.stream_user.all: enable all trace options { + 0:255 } + * int trace.modules.stream_ip.all: enable all trace options { 0:255 + } + * int trace.modules.stream.all: enable all trace options { 0:255 } + * int trace.modules.dce_smb.all: enable all trace options { 0:255 } + * int trace.modules.dce_udp.all: enable all trace options { 0:255 } + * int trace.modules.latency.all: enable all trace options { 0:255 } + * int trace.modules.wizard.all: enable all trace options { 0:255 } + * int trace.modules.gtp_inspect.all: enable all trace options { + 0:255 } + * int trace.modules.appid.all: enable all trace options { 0:255 } + * int trace.modules.decode.all: enable all trace options { 0:255 } * enum trace.output: output method for trace log messages { stdout | syslog } @@ -7398,7 +7404,6 @@ Configuration: on startup * bool appid.log_all_sessions = false: enable logging of all appid sessions - * int appid.trace.all = 0: enable traces in module { 0:255 } Commands: 
@@ -7656,7 +7661,6 @@ Configuration: (-1 = disabled, 0 = unlimited) { -1:32767 } * string dce_smb.smb_invalid_shares: SMB shares to alert on * bool dce_smb.smb_legacy_mode = false: inspect only SMBv1 - * int dce_smb.trace.all = 0: enable traces in module { 0:255 } Rules: @@ -7918,7 +7922,6 @@ Configuration: defragmentation * int dce_udp.max_frag_len = 65535: maximum fragment size for defragmentation { 1514:65535 } - * int dce_udp.trace.all = 0: enable traces in module { 0:255 } Rules: @@ -8358,7 +8361,6 @@ Configuration: * string gtp_inspect[].infos[].name: information element name * int gtp_inspect[].infos[].length = 0: information element type code { 0:255 } - * int gtp_inspect.trace.all = 0: enable traces in module { 0:255 } Rules: @@ -9349,6 +9351,7 @@ Configuration: !tls, 3 = !ctl and !file { 1:3 } * int rt_global.memcap = 2048: cap on amount of memory used (0 is disabled) { 0:max53 } + * bool rt_global.empty_ips = false: ips policy with no rules Peg counts: @@ -9748,6 +9751,8 @@ Configuration: before pruning { 2:max32 } * int stream.pruning_timeout = 30: minimum inactive time before being eligible for pruning { 1:max32 } + * int stream.held_packet_timeout = 1000: timeout in milliseconds + for held packets { 1:max32 } * int stream.ip_cache.idle_timeout = 180: maximum inactive time before retiring session tracker { 1:max32 } * int stream.ip_cache.cap_weight = 0: additional bytes to track per @@ -9772,7 +9777,6 @@ Configuration: before retiring session tracker { 1:max32 } * int stream.file_cache.cap_weight = 32: additional bytes to track per flow for better estimation against cap { 0:65535 } - * int stream.trace.all = 0: enable traces in module { 0:255 } Rules: @@ -9881,7 +9885,6 @@ Configuration: | linux | bsd | bsd_right | last | windows | solaris } * int stream_ip.session_timeout = 30: session tracking timeout { 1:max31 } - * int stream_ip.trace.all = 0: enable traces in module { 0:255 } Rules: 
@@ -10063,6 +10066,8 @@ Peg counts: (sum) * stream_tcp.held_packets_passed: number of held packets passed (sum) + * stream_tcp.held_packet_timeouts: number of held packets that + timed out (sum) * stream_tcp.cur_packets_held: number of packets currently held (now) * stream_tcp.max_packets_held: maximum number of packets held @@ -10070,6 +10075,10 @@ Peg counts: * stream_tcp.partial_flushes: number of partial flushes initiated (sum) * stream_tcp.partial_flush_bytes: partial flush total bytes (sum) + * stream_tcp.inspector_fallbacks: count of fallbacks from assigned + service inspector (sum) + * stream_tcp.partial_fallbacks: count of fallbacks from assigned + service stream splitter (sum) 9.50. stream_udp @@ -10113,7 +10122,6 @@ Configuration: * int stream_user.session_timeout = 30: session tracking timeout { 1:max31 } - * int stream_user.trace.all = 0: enable traces in module { 0:255 } 9.52. telnet @@ -10182,7 +10190,6 @@ Configuration: wild cards (*) * multi wizard.curses: enable service identification based on internal algorithm { dce_smb | dce_udp | dce_tcp } - * int wizard.trace.all = 0: enable traces in module { 0:255 } Peg counts: @@ -14947,7 +14954,6 @@ these libraries see the Getting Started section of the manual. library * bool appid.tp_appid_stats_enable: enable collection of stats and print stats on exit in third party module - * int appid.trace.all = 0: enable traces in module { 0:255 } * ip4 arp_spoof.hosts[].ip: host ip address * mac arp_spoof.hosts[].mac: host mac address * int asn1.absolute_offset: absolute offset from the beginning of 
@@ -15175,7 +15181,6 @@ these libraries see the Getting Started section of the manual. * bool dce_smb.smb_legacy_mode = false: inspect only SMBv1 * int dce_smb.smb_max_chain = 3: SMB max chain size { 0:255 } * int dce_smb.smb_max_compound = 3: SMB max compound size { 0:255 } - * int dce_smb.trace.all = 0: enable traces in module { 0:255 } * multi dce_smb.valid_smb_versions = all: valid SMB versions { v1 | v2 | all } * bool dce_tcp.disable_defrag = false: disable DCE/RPC @@ -15195,8 +15200,6 @@ these libraries see the Getting Started section of the manual. per signature per flow * int dce_udp.max_frag_len = 65535: maximum fragment size for defragmentation { 1514:65535 } - * int dce_udp.trace.all = 0: enable traces in module { 0:255 } - * int decode.trace.all = 0: enable traces in module { 0:255 } * int detection.asn1 = 0: maximum decode nodes { 0:65535 } * bool detection.enable_address_anomaly_checks = false: enable check and alerting of address anomalies 
@@ -15225,23 +15228,6 @@ these libraries see the Getting Started section of the manual. overrides when pattern matching (ie ignore /O) * bool detection.pcre_to_regex = false: enable the use of regex instead of pcre for compatible expressions - * int detection.trace.all = 0: enable detection module trace - logging options { 0:255 } - * int detection.trace.buffer = 0: enable buffer trace logging { - 0:255 } - * int detection.trace.detect_engine = 0: enable detection engine - trace logging { 0:255 } - * int detection.trace.fp_search = 0: enable fast pattern search - trace logging { 0:255 } - * int detection.trace.opt_tree = 0: enable tree option trace - logging { 0:255 } - * int detection.trace.pkt_detect = 0: enable packet detection trace - logging { 0:255 } - * int detection.trace.rule_eval = 0: enable rule evaluation trace - logging { 0:255 } - * int detection.trace.rule_vars = 0: enable rule variables trace - logging { 0:255 } - * int detection.trace.tag = 0: enable tag trace logging { 0:255 } * bool dnp3.check_crc = false: validate checksums in DNP3 link layer frames * string dnp3_func.~: match DNP3 function code or name @@ -15446,7 +15432,6 @@ these libraries see the Getting Started section of the manual. * string gtp_inspect[].messages[].name: message name * int gtp_inspect[].messages[].type = 0: message type code { 0:255 } - * int gtp_inspect.trace.all = 0: enable traces in module { 0:255 } * int gtp_inspect[].version = 2: GTP version { 0:2 } * string gtp_type.~: list of types to match * int gtp_version.~: version to match { 0:2 } @@ -15707,7 +15692,6 @@ these libraries see the Getting Started section of the manual. rules * int latency.rule.suspend_threshold = 5: set threshold for number of timeouts before suspending a rule { 1:max32 } - * int latency.trace.all = 0: enable traces in module { 0:255 } * bool log_codecs.file = false: output to log_codecs.txt instead of stdout * bool log_codecs.msg = false: include alert msg 
@@ -15751,8 +15735,6 @@ these libraries see the Getting Started section of the manual. | ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none } * multi network.checksum_eval = all: checksums to verify { all | ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none } - * bool network.decode_drops = false: enable dropping of packets by - the decoder * int network.id = 0: correlate unified2 events with configuration { 0:65535 } * int network.layers = 40: the maximum number of protocols that @@ -16104,6 +16086,7 @@ these libraries see the Getting Started section of the manual. !tls, 3 = !ctl and !file { 1:3 } * int rt_global.downshift_packet = 0: attempt downshift at this packet on flow (0 is disabled) { 0:max32 } + * bool rt_global.empty_ips = false: ips policy with no rules * int rt_global.memcap = 2048: cap on amount of memory used (0 is disabled) { 0:max53 } * bool rt_packet.retry_all = false: request retry for all non-retry @@ -16421,7 +16404,6 @@ these libraries see the Getting Started section of the manual. talos) * string snort.-t: chroots process to after initialization - * int snort.trace.all = 0: enable traces in module { 0:255 } * implied snort.--trace: turn on main loop debug trace * implied snort.--treat-drop-as-alert: converts drop, block, and reset rules into alert rules when loaded @@ -16516,6 +16498,8 @@ these libraries see the Getting Started section of the manual. * int stream.file_cache.idle_timeout = 180: maximum inactive time before retiring session tracker { 1:max32 } * bool stream_file.upload = false: indicate file transfer direction + * int stream.held_packet_timeout = 1000: timeout in milliseconds + for held packets { 1:max32 } * int stream.icmp_cache.cap_weight = 0: additional bytes to track per flow for better estimation against cap { 0:65535 } * int stream.icmp_cache.idle_timeout = 180: maximum inactive time 
@@ -16539,7 +16523,6 @@ these libraries see the Getting Started section of the manual. | linux | bsd | bsd_right | last | windows | solaris } * int stream_ip.session_timeout = 30: session tracking timeout { 1:max31 } - * int stream_ip.trace.all = 0: enable traces in module { 0:255 } * int stream.max_flows = 476288: maximum simultaneous flows tracked before pruning { 2:max32 } * int stream.pruning_timeout = 30: minimum inactive time before @@ -16591,7 +16574,6 @@ these libraries see the Getting Started section of the manual. * int stream_tcp.small_segments.maximum_size = 0: minimum bytes for a TCP segment not to be considered small (129:12) { 0:2048 } * bool stream_tcp.track_only = false: disable reassembly if true - * int stream.trace.all = 0: enable traces in module { 0:255 } * int stream.udp_cache.cap_weight = 0: additional bytes to track per flow for better estimation against cap { 0:65535 } * int stream.udp_cache.idle_timeout = 180: maximum inactive time @@ -16604,7 +16586,6 @@ these libraries see the Getting Started section of the manual. before retiring session tracker { 1:max32 } * int stream_user.session_timeout = 30: session tracking timeout { 1:max31 } - * int stream_user.trace.all = 0: enable traces in module { 0:255 } * int suppress[].gid = 0: rule generator ID { 0:max32 } * string suppress[].ip: restrict suppression to these addresses according to track 
@@ -16628,6 +16609,37 @@ these libraries see the Getting Started section of the manual. * bool telnet.encrypted_traffic = false: check for encrypted Telnet * bool telnet.normalize = false: eliminate escape sequences * interval tos.~range: check if IP TOS is in given range { 0:255 } + * int trace.modules.appid.all: enable all trace options { 0:255 } + * int trace.modules.dce_smb.all: enable all trace options { 0:255 } + * int trace.modules.dce_udp.all: enable all trace options { 0:255 } + * int trace.modules.decode.all: enable all trace options { 0:255 } + * int trace.modules.detection.all: enable all trace options { 0:255 + } + * int trace.modules.detection.buffer: enable buffer trace logging { + 0:255 } + * int trace.modules.detection.detect_engine: enable detection + engine trace logging { 0:255 } + * int trace.modules.detection.fp_search: enable fast pattern search + trace logging { 0:255 } + * int trace.modules.detection.opt_tree: enable tree option trace + logging { 0:255 } + * int trace.modules.detection.pkt_detect: enable packet detection + trace logging { 0:255 } + * int trace.modules.detection.rule_eval: enable rule evaluation + trace logging { 0:255 } + * int trace.modules.detection.rule_vars: enable rule variables + trace logging { 0:255 } + * int trace.modules.detection.tag: enable tag trace logging { 0:255 + } + * int trace.modules.gtp_inspect.all: enable all trace options { + 0:255 } + * int trace.modules.latency.all: enable all trace options { 0:255 } + * int trace.modules.stream.all: enable all trace options { 0:255 } + * int trace.modules.stream_ip.all: enable all trace options { 0:255 + } + * int trace.modules.stream_user.all: enable all trace options { + 0:255 } + * int trace.modules.wizard.all: enable all trace options { 0:255 } * enum trace.output: output method for trace log messages { stdout | syslog } * interval ttl.~range: check if IP TTL is in the given range { 
@@ -16665,7 +16677,6 @@ these libraries see the Getting Started section of the manual. wild cards (*) * string wizard.spells[].to_server[].spell: sequence of data with wild cards (*) - * int wizard.trace.all = 0: enable traces in module { 0:255 } * interval wscale.~range: check if TCP window scale is in given range { 0:65535 } @@ -17492,9 +17503,13 @@ these libraries see the Getting Started section of the manual. (sum) * stream_tcp.held_packets_passed: number of held packets passed (sum) + * stream_tcp.held_packet_timeouts: number of held packets that + timed out (sum) * stream_tcp.ignored: tcp packets ignored (sum) * stream_tcp.initializing: number of sessions currently initializing (now) + * stream_tcp.inspector_fallbacks: count of fallbacks from assigned + service inspector (sum) * stream_tcp.instantiated: new sessions instantiated (sum) * stream_tcp.internal_events: 135:X events generated (sum) * stream_tcp.max: max tcp sessions (max) @@ -17503,6 +17518,8 @@ these libraries see the Getting Started section of the manual. * stream_tcp.memory: current memory in use (now) * stream_tcp.overlaps: overlapping segments queued (sum) * stream_tcp.packets_held: number of packets held (sum) + * stream_tcp.partial_fallbacks: count of fallbacks from assigned + service stream splitter (sum) * stream_tcp.partial_flush_bytes: partial flush total bytes (sum) * stream_tcp.partial_flushes: number of partial flushes initiated (sum) diff --git a/src/main/build.h b/src/main/build.h index bc520a46b..58355b176 100644 --- a/src/main/build.h +++ b/src/main/build.h @@ -12,7 +12,7 @@ // // //-----------------------------------------------// -#define BUILD_NUMBER 3 +#define BUILD_NUMBER 4 #ifndef EXTRABUILD #define BUILD STRINGIFY_MX(BUILD_NUMBER)
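Review bot: Deleting the `detection.trace.*` entries in the @@ -15225,23 +15228,6 @@ hunk (from `- * int detection.trace.all = 0: enable detection module trace logging { 0:255 }` through `- * int detection.trace.tag = 0: enable tag trace logging { 0:255 }`) documents a breaking change for any existing snort.lua that sets `detection = { trace = { ... } }`, but the manual text gains no migration sentence. Add a line beside the surviving `detection.pcre_to_regex` entry, or in the trace section, stating that these keys now live under `trace.modules.detection.*`, so a user who hits the removed option can find the replacement without reading the diff.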
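Review bot: The removal of `- * bool network.decode_drops = false: enable dropping of packets by the decoder` in the @@ -15751,8 +15735,6 @@ hunk is the one deletion in this patch that is not a `trace.all` relocation, and nothing in the hunk shows a replacement key. If the decoder-drop setting has genuinely gone away it needs its own ChangeLog or migration entry, because an operator relying on it to drop malformed packets would silently lose that behaviour; if it moved, the new location should be named next to the remaining `network.checksum_eval` entry.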
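Review bot: The added `+ * bool rt_global.empty_ips = false: ips policy with no rules` line in the @@ -16104,6 +16086,7 @@ hunk describes a state rather than what the flag does. Reword it to say what setting it to true causes (for example whether the test module instantiates an IPS policy that contains no rules), in the verb style of the neighbouring entries such as `attempt downshift at this packet on flow` and `cap on amount of memory used`.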
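Review bot: The new `trace.modules.*` entries in the @@ -16628,6 +16609,37 @@ hunk drop the `= 0` default that every removed `<module>.trace.all = 0` line carried, so the manual no longer states that tracing is off unless enabled; restore the default on each line. Two consistency gaps are also visible across this patch: `snort.trace.all` is removed in the @@ -16421,7 +16404,6 @@ hunk but no `trace.modules.snort.*` entry is added here (only `snort.--trace` remains), and `trace.modules.appid.all`, `trace.modules.dce_smb.all`, `trace.modules.dce_udp.all` and `trace.modules.decode.all` are added without a matching removal of an old key anywhere in this diff, so either those keys never existed or their removal lives in another change. A short cross-reference from the trace section would settle both questions for readers of the manual.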
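Review bot: `+ * stream_tcp.held_packet_timeouts: number of held packets that timed out (sum)` in the @@ -17492,9 +17503,13 @@ hunk is the counter an operator would watch when tuning `stream.held_packet_timeout`, yet neither description references the other; add a cross-reference to one of the two entries. A steadily rising count is the signal that packets are being released by the timeout rather than by an inspector verdict, which is precisely the condition the new option exists to bound, so the pairing is worth making explicit in the docs.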