From: Michael Altizer (mialtize) Date: Tue, 27 Oct 2020 19:55:27 +0000 (+0000) Subject: Merge pull request #2583 in SNORT/snort3 from ~MIALTIZE/snort3:3_0_3_build_4 to master X-Git-Tag: 3.0.3-4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8feb44ee29178472832302ba976fbb59799b7b7c;p=thirdparty%2Fsnort3.git Merge pull request #2583 in SNORT/snort3 from ~MIALTIZE/snort3:3_0_3_build_4 to master Squashed commit of the following: commit 8f13561e286e5c834a75c2ef71c24ff8bdd0058e Author: Michael Altizer Date: Tue Oct 27 14:14:27 2020 -0400 build: Generate and tag 3.0.3 build 4 --- diff --git a/ChangeLog b/ChangeLog index 133889c91..94b6767b7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,20 @@ +2020/10/27 - 3.0.3 build 4 + +-- actions: Add support to react for HTTP/2 +-- appid: Fix -Wunused-private-field Clang warning in service_state.h +-- build: Various build fixes for OS X +-- file_api: Remove deletion of file_mempool +-- framework: Fix ConnectorConfig dtor to be virtual +-- ips: Move IPS variables to sub-tables which designate type +-- lua: Update default_variables with 'nets', 'paths', and 'ports' tables in snort_defaults.lua +-- module: Fix modules that accept their configuration as a list +-- payload_injector: Support pages > 16k +-- rna: Add unit tests for TCP fingerprint methods +-- snort: Remove support for -S option +-- src: Clean up zero-initialization of arrays +-- tools: Update snort2lua to convert custom variables into ips.variables.nets/.paths/.ports tables +-- trace: Add timestamps in trace log messages for stdout logger + 2020/10/22 - 3.0.3 build 3 -- actions: Update react documentation 
@@ -14,8 +31,10 @@ -- file_magic: Update POSIX tar archive pattern -- flow: Add source/dest group id in flow key -- flow: Stale and deleted flows due to EOF should generate would have dropped event --- ftp_data: Add can_start_tls() support and generate ssl search abandoned event for unencrypted data channels --- host_cache: Add delete host, network protocol, transport protocol, client, service, tcp fingerprint and user agent fingerprint commands +-- ftp_data: Add can_start_tls() support and generate ssl search abandoned event for unencrypted + data channels +-- host_cache: Add delete host, network protocol, transport protocol, client, service, tcp + fingerprint and user agent fingerprint commands -- host_tracker: Implement client and server delete commands -- http2_inspect: Handle stream creation for push promise frames -- ips_options: Fix retry calculation in IPS content when handling "within" field diff --git a/doc/reference/snort_reference.text b/doc/reference/snort_reference.text index 5d49538d5..53151f511 100644 --- a/doc/reference/snort_reference.text +++ b/doc/reference/snort_reference.text @@ -8,7 +8,7 @@ Snort 3 Reference Manual The Snort Team Revision History -Revision 3.0.3 (Build 3) 2020-10-22 13:10:50 EDT TST +Revision 3.0.3 (Build 4) 2020-10-27 14:24:13 EDT TST --------------------------------------------------------------------- @@ -899,7 +899,9 @@ Configuration: rules too) * string ips.uuid = 00000000-0000-0000-0000-000000000000: IPS policy uuid - * string ips.variables.$var: IPS policy variable + * string ips.variables.nets.$var: IPS policy variable + * string ips.variables.paths.$var: IPS policy variable + * string ips.variables.ports.$var: IPS policy variable 2.16. latency 
@@ -1301,10 +1303,10 @@ Usage: global Configuration: - * bit_list side_channel.ports: side channel message port list { + * bit_list side_channel[].ports: side channel message port list { 65535 } - * string side_channel.connectors[].connector: connector handle - * string side_channel.connector: connector handle + * string side_channel[].connectors[].connector: connector handle + * string side_channel[].connector: connector handle Peg counts: @@ -1356,7 +1358,6 @@ Configuration: * string snort.-R: include this rules file in the default policy * string snort.-r: … (same as --pcap-list) - * string snort.-S: set config variable x equal to value v * int snort.-s = 1518: (same as --snaplen); default is 1518 { 68:65535 } * implied snort.-T: test and report on the current Snort @@ -1674,13 +1675,15 @@ Configuration: traces * enum trace.output: output method for trace log messages { stdout | syslog } - * bool trace.log_ntuple = false: use extended trace output with - n-tuple packet info + * bool trace.ntuple = false: print packet n-tuple info with trace + messages + * bool trace.timestamp = false: print message timestamps with trace + messages Commands: - * trace.set(modules, constraints, log_ntuple): set modules traces, - constraints and log_ntuple option + * trace.set(modules, constraints, ntuple, timestamp): set modules + traces, constraints, ntuple and timestamp options * trace.clear(): clear modules traces and constraints @@ -2328,10 +2331,10 @@ Usage: global Configuration: - * string file_connector.connector: connector name - * string file_connector.name: channel name - * enum file_connector.format: file format { binary | text } - * enum file_connector.direction: usage { receive | transmit | + * string file_connector[].connector: connector name + * string file_connector[].name: channel name + * enum file_connector[].format: file format { binary | text } + * enum file_connector[].direction: usage { receive | transmit | duplex } Peg counts: 
@@ -2351,10 +2354,11 @@ Usage: global Configuration: - * string tcp_connector.connector: connector name - * string tcp_connector.address: address - * port tcp_connector.base_port: base port number - * enum tcp_connector.setup: stream establishment { call | answer } + * string tcp_connector[].connector: connector name + * string tcp_connector[].address: address + * port tcp_connector[].base_port: base port number + * enum tcp_connector[].setup: stream establishment { call | answer + } Peg counts: @@ -8011,7 +8015,6 @@ these libraries see the Getting Started section of the manual. * -q quiet mode - suppress normal logging on stdout * -R include this rules file in the default policy * -r … (same as --pcap-list) - * -S set config variable x equal to value v * -s (same as --snaplen); default is 1518 (68:65535) * -T test and report on the current Snort configuration * -t chroots process to after initialization @@ -8610,11 +8613,11 @@ these libraries see the Getting Started section of the manual. ordering incoming events { priority|content_length } * bool event_queue.process_all_events = false: process just first action group or all action groups - * string file_connector.connector: connector name - * enum file_connector.direction: usage { receive | transmit | + * string file_connector[].connector: connector name + * enum file_connector[].direction: usage { receive | transmit | duplex } - * enum file_connector.format: file format { binary | text } - * string file_connector.name: channel name + * enum file_connector[].format: file format { binary | text } + * string file_connector[].name: channel name * int file_id.b64_decode_depth = -1: base64 decoding depth (-1 no limit) { -1:65535 } * int file_id.bitenc_decode_depth = -1: Non-Encoded MIME attachment 
@@ -9019,7 +9022,9 @@ these libraries see the Getting Started section of the manual. rules too) * string ips.uuid = 00000000-0000-0000-0000-000000000000: IPS policy uuid - * string ips.variables.$var: IPS policy variable + * string ips.variables.nets.$var: IPS policy variable + * string ips.variables.paths.$var: IPS policy variable + * string ips.variables.ports.$var: IPS policy variable * string isdataat.~length: num | !num * implied isdataat.relative: offset from cursor instead of start of buffer @@ -9524,9 +9529,9 @@ these libraries see the Getting Started section of the manual. to start search * implied sha512.relative = false: offset from cursor instead of start of buffer - * string side_channel.connector: connector handle - * string side_channel.connectors[].connector: connector handle - * bit_list side_channel.ports: side channel message port list { + * string side_channel[].connector: connector handle + * string side_channel[].connectors[].connector: connector handle + * bit_list side_channel[].ports: side channel message port list { 65535 } * int sid.~: signature id { 1:max32 } * bool sip.ignore_call_channel = false: enables the support for @@ -9775,7 +9780,6 @@ these libraries see the Getting Started section of the manual. -s) { 68:65535 } * implied snort.--stdin-rules: read rules from stdin until EOF or a line starting with END is read - * string snort.-S: set config variable x equal to value v * implied snort.--talos: enable Talos tweak (same as --tweaks talos) * string snort.-t: chroots process to after 
@@ -9974,10 +9978,11 @@ these libraries see the Getting Started section of the manual. * int tag.seconds: tag for this many seconds { 1:max32 } * enum target.~: indicate the target of the attack { src_ip | dst_ip } - * string tcp_connector.address: address - * port tcp_connector.base_port: base port number - * string tcp_connector.connector: connector name - * enum tcp_connector.setup: stream establishment { call | answer } + * string tcp_connector[].address: address + * port tcp_connector[].base_port: base port number + * string tcp_connector[].connector: connector name + * enum tcp_connector[].setup: stream establishment { call | answer + } * int telnet.ayt_attack_thresh = -1: alert on this number of consecutive Telnet AYT commands { -1:max31 } * bool telnet.check_encrypted = false: check for end of encryption @@ -9993,8 +9998,6 @@ these libraries see the Getting Started section of the manual. traces * string trace.constraints.src_ip: source IP address filter * int trace.constraints.src_port: source port filter { 0:65535 } - * bool trace.log_ntuple = false: use extended trace output with - n-tuple packet info * int trace.modules.all: enable trace for all modules { 0:255 } * int trace.modules.appid.all: enable all trace options { 0:255 } * int trace.modules.dce_smb.all: enable all trace options { 0:255 } @@ -10040,8 +10043,12 @@ these libraries see the Getting Started section of the manual. * int trace.modules.stream_user.all: enable all trace options { 0:255 } * int trace.modules.wizard.all: enable all trace options { 0:255 } + * bool trace.ntuple = false: print packet n-tuple info with trace + messages * enum trace.output: output method for trace log messages { stdout | syslog } + * bool trace.timestamp = false: print message timestamps with trace + messages * interval ttl.~range: check if IP TTL is in the given range { 0:255 } * bool udp.deep_teredo_inspection = false: look for Teredo on all 
@@ -11928,8 +11935,8 @@ these libraries see the Getting Started section of the manual. * snort.detach(): exit shell w/o shutdown * snort.quit(): shutdown and dump-stats * snort.help(): this output - * trace.set(modules, constraints, log_ntuple): set modules traces, - constraints and log_ntuple option + * trace.set(modules, constraints, ntuple, timestamp): set modules + traces, constraints, ntuple and timestamp options * trace.clear(): clear modules traces and constraints diff --git a/doc/upgrade/snort_upgrade.text b/doc/upgrade/snort_upgrade.text index 3123d0332..7e086b430 100644 --- a/doc/upgrade/snort_upgrade.text +++ b/doc/upgrade/snort_upgrade.text @@ -8,7 +8,7 @@ Snort 3 Upgrade Manual The Snort Team Revision History -Revision 3.0.3 (Build 3) 2020-10-22 13:10:41 EDT TST +Revision 3.0.3 (Build 4) 2020-10-27 14:24:05 EDT TST --------------------------------------------------------------------- @@ -422,8 +422,9 @@ Some things Snort++ can do today that Snort can not do as well: * stream5_tcp: prune_log_max deleted; to be replaced with histogram * stream5_tcp: max_active_responses, min_response_seconds moved to active.max_responses, min_interval - * ips policies support snort variables (_PATH, _PORT, _NET, - _SERVER), ips = { variables = { var1 = expr1, var2 = expr2, … } } + * ips policies support snort variables configured based on type, + ips = { variables = { nets = { var1 = expr1, … }, paths = { var2 + = expr2, … }, ports = { var3 = expr3, … } } } 2.6. Rules diff --git a/doc/user/snort_user.text b/doc/user/snort_user.text index 9cf3ccc75..7d632c30a 100644 --- a/doc/user/snort_user.text +++ b/doc/user/snort_user.text @@ -8,7 +8,7 @@ Snort 3 User Manual The Snort Team Revision History -Revision 3.0.3 (Build 3) 2020-10-22 13:10:41 EDT TST +Revision 3.0.3 (Build 4) 2020-10-27 14:24:05 EDT TST --------------------------------------------------------------------- 
@@ -1787,7 +1787,7 @@ The headers used are: "HTTP/1.1 403 Forbidden\r\n" \ "Connection: close\r\n" \ "Content-Type: text/html; charset=utf-8\r\n" \ -"Content-Length: 439\r\n" \ +"Content-Length: 438\r\n" \ "\r\n" The page to be sent can be read from a file: @@ -1811,13 +1811,25 @@ or else the default is used: "\r\n" Note that the file contains the message body only. The headers will -be added with an updated value for Content-Length. +be added with an updated value for Content-Length. For HTTP/2 traffic +Snort will translate the page to HTTP/2 format. -When using react, payload injector must be configured as well. +Limitations for HTTP/2: + + * Packet will be injected against the last received stream id. + * Injection triggered while server-to-client flow of traffic is in + a middle of a frame is not supported. The traffic will be + blocked, but the page will not be injected/displayed. + +When using react, payload injector must be configured as well. Also +Snort should be in ips mode, so the rule is triggered on the client +packet, and not delayed until the server sends ACK. To achieve this +use the default normalizer. It will set normalizer.tcp.ips = true. Example: react = { page = "my_block_page.html" } payload_injector = { } +normalizer = { } local_rules = [[ 
@@ -5273,13 +5285,14 @@ the following parameters: output - configure the output method for trace messages modules - trace configuration for specific modules constraints - filter traces by the packet constraints -log_ntuple - on/off packet n-tuple info logging +ntuple - on/off packet n-tuple info logging +timestamp - on/off message timestamps logging The following lines, added in snort.lua, will enable trace messages for detection and codec modules. The messages will be printed to syslog if the packet filtering constraints match. Messages will be in -extended format, including n-tuple packet info at the beginning of -each trace message. +extended format, including timestamp and n-tuple packet info at the +beginning of each trace message. trace = { @@ -5296,7 +5309,8 @@ trace = src_port = 100, dst_port = 200 }, - log_ntuple = true + ntuple = true, + timestamp = true } The trace module supports config reloading. Also, it’s possible to @@ -5481,7 +5495,7 @@ trace options and/or packet filter constraints directly during Snort run and without reloading the entire config. Control channel also allow adjusting trace output format by setting -log_ntuple switcher. +ntuple and timestamp switchers. After entering the Snort shell, there are two commands available for the trace module: @@ -5490,7 +5504,9 @@ trace.set({ modules = {...}, constraints = {...} }) - set modules traces and con trace.set({ modules = { all = N } }) - enable traces for all modules with verbosity level N -trace.set({ log_ntuple = true/false }) - on/off packet n-tuple info logging +trace.set({ ntuple = true/false }) - on/off packet n-tuple info logging + +trace.set({ timestamp = true/false }) - on/off timestamp logging trace.clear() - clear modules traces and constraints 
@@ -5517,9 +5533,8 @@ the thread type. Possible thread types: C – main (control) thread P – packet thread O – other thread -Setting the option - log_ntuple allows you to change the trace -message format, expanding it with information about the processed -packet. +Setting the option - ntuple allows you to change the trace message +format, expanding it with information about the processed packet. It will be added at the beginning, right after the thread type and instance ID, in the following format: @@ -5538,6 +5553,20 @@ address_space - unique ID of the address space Those info can be displayed only for IP packets. Port defaults to zero if a packet doesn’t have it. +The timestamp option extends output format by logging the message +time in the next format: + +MM/DD-hh:mm:ss.SSSSSS + +Where: + +M – month +D – day +h – hours +m – minutes +s – seconds +S – milliseconds + 6.18.7. Example - Debugging rules using detection trace The detection engine is responsible for rule evaluation. Turning on diff --git a/src/main/build.h b/src/main/build.h index bc520a46b..58355b176 100644 --- a/src/main/build.h +++ b/src/main/build.h @@ -12,7 +12,7 @@ // // //-----------------------------------------------// -#define BUILD_NUMBER 3 +#define BUILD_NUMBER 4 #ifndef EXTRABUILD #define BUILD STRINGIFY_MX(BUILD_NUMBER)
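Review bot: the doc/upgrade/snort_upgrade.text hunk records only the ips.variables restructuring, but this build also drops the -S option (ChangeLog entry "snort: Remove support for -S option" and the "snort.-S" lines removed from snort_reference.text) and renames trace.log_ntuple to trace.ntuple; both are user-visible changes that will break existing snort.lua files and command lines, so add upgrade-manual entries for them next to the variables change.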
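Review bot: in the react section of snort_user.text the default header literal changes from "Content-Length: 439" to "Content-Length: 438", yet no change to the default page body appears anywhere in this patch; confirm the body in the source actually shrank by one byte (or that 439 was wrong before), because a Content-Length that disagrees with the body leaves clients stalled or truncates the block page, and the new HTTP/2 translation path will inherit whatever length is configured here.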
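Review bot: in the new "Limitations for HTTP/2" list, "is in a middle of a frame" should read "is in the middle of a frame", and "Packet will be injected against the last received stream id" does not say on which side that stream id was received; since the next bullet is about the server-to-client direction, state explicitly which direction's last stream id is used so operators can interpret what a blocked-but-not-displayed response means.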
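Review bot: the new timestamp section in snort_user.text shows the format "MM/DD-hh:mm:ss.SSSSSS" (six fractional digits) but the legend says "S – milliseconds"; six digits are microseconds, so either change the legend to "microseconds" or show three digits. Also "in the next format" should be "in the following format", and the section should say where the timestamp is placed in the message, because the ntuple text above specifies "right after the thread type and instance ID" while nothing says whether the timestamp precedes or follows that.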
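Review bot: the ChangeLog entry "trace: Add timestamps in trace log messages for stdout logger" limits the feature to the stdout logger, yet the snort_user.text example, whose messages "will be printed to syslog", is described as producing output "including timestamp and n-tuple packet info"; if the syslog logger does not emit the timestamp (syslog stamps entries itself), say so in the trace.timestamp description in both manuals and reword the example, otherwise the ChangeLog line should not mention stdout only.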