From: Mike Stepanek (mstepane) Date: Wed, 7 Nov 2018 20:02:02 +0000 (-0500) Subject: Merge pull request #1422 in SNORT/snort3 from ~MSTEPANE/snort3:build_249 to master X-Git-Tag: 3.0.0-249 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=960a6539bd3d03875475491c84586236a8405246;p=thirdparty%2Fsnort3.git Merge pull request #1422 in SNORT/snort3 from ~MSTEPANE/snort3:build_249 to master Squashed commit of the following: commit f2e69f3d00b67095834902aebbe3914fe88ef89a Author: Mike Stepanek Date: Wed Nov 7 09:32:23 2018 -0500 Build 249 --- diff --git a/ChangeLog b/ChangeLog index 190171821..29991b6c5 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,65 @@ +18/11/07 - build 249 + +-- appid: Fixing profiler data race and registration issues +-- appid: make third party appid stats configurable +-- appid: Remove detector flows from the list for faulty lua detectors +-- build: remove dead code +-- build: support dynamic imap, pop, and smtp +-- comments: additional cleanup +-- comments: delete obsolete comments +-- comments: fixup format, spelling, priority, etc. +-- comments: remove XXX and convert to FIXIT where appropriate +-- connectors: Fix TCP connector unit test compilation on Alpine Linux (musl) +-- cppcheck: cleanup some warnings +-- dcerpc: fixed build warning with struct packing +-- dcerpc: fixed setting endianness on one packet and checking on another +-- detection : add function to clear ips_id from unit tests +-- detectionengine: Only clear inspector data after offloads have completed +-- detection/http_inspect: Save a snapshot HTTP buffers in the IPS context to support offload of HTTP flows +-- doc: Adding performance consideration for developers +-- file_api: revert deleting gid 146 so existing 146 rulesets dont attempt empty rule eval +-- fixits: prioritize for RC +-- flow: fixed build warning +-- flow: track multiple offloads +-- fp_detect: onload before running local to ensure event ordering +-- framework: replace the newly introduced loop to reset the reload_type flags with the existing Inspector::update_policy function +-- framework: set the reload_type flags to RELOAD_TYPE_NONE at the end of reload, in anticipation of future reloads. 
+-- host_tracker: fixed uppcase IP param issue +-- http2_inspect: Change http2 GID from 219 to 121 +-- ips_flowbits: move static structures to snort config +-- main: initialize shell_map and other maps in PolicyMap::clone() +-- main: size analyzer notification ring appropriately +-- manual: fix some typos +-- mime: made the mime hdr info and current search thread local +-- mime: move the decode buffer used by mime attachments to mime context data +-- packet_tracer: can't emplace vector until c++14 +-- parser: bad filename during reload is not a fatal error +-- perfmon: fix issue for report correct stats after passing -n pkts +-- perf_monitor: trackers keep copy of the relevant config items from the inspector +-- reload: fixed smtp seg fault when reload failed +-- reputation: delete old conf before allocating a new one in ReputationModule::begin() if conf not null +-- rule_state: indicate list format +-- search_tool: include bytes searched in pattern match stats +-- search_tool: validate ac_full and ac_bnfa wrt search and search_all +-- snort2lua: Add support for enable/disable iprep logging using suppress mechanism +-- snort2lua: Avoid returning reference of local variable +-- snort2lua: comment out deleted gid 146 rules +-- snort2lua: Enable address_anomaly_detection during snort2lua and fixed missing string sanity checks +-- snort2lua: fixed paf_max to stream_tcp.max_pdu convertion +-- snort2lua: tweak for style consistency +-- snort: add --rule-path to load rules from all files under given dir +-- snort: Code refactoring - replacing push_back/insert by emplace_back/emplace, keeping reputation_id in flow instead of flow_data, and appid code improvements +-- source: fix some typos +-- source: minor refactoring +-- spell: fix typo +-- stream, detection, flow: don't force onloads between pdus unless absolutey necessary +-- stream: fixed build warning +-- stream: only delete flows after all onloads +-- stream tcp: don't delete flow data on rst, let session close 
handle it +-- textlog: removed unused TextLog_Tell function +-- thread_idle: call timeout flows with packet time for pcap replay +-- utils: fixed deprecation build warning on register keyword + 18/09/26 - build 248 -- appid: adding detector builder and fixing stats to recognize custom appid diff --git a/doc/snort_manual.html b/doc/snort_manual.html index 53de3d0b8..1fea7401b 100644 --- a/doc/snort_manual.html +++ b/doc/snort_manual.html @@ -779,7 +779,7 @@ asciidoc.install(2);
 ,,_     -*> Snort++ <*-
-o"  )~   Version 3.0.0 (Build 246) from 2.9.11
+o"  )~   Version 3.0.0 (Build 248) from 2.9.11
  ''''    By Martin Roesch & The Snort Team
          http://snort.org/contact#team
          Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
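Review bot: The regenerated banner line `+o"  )~   Version 3.0.0 (Build 248) from 2.9.11` still says Build 248, while src/main/build.h at the end of this same patch moves `BUILD_NUMBER` from 248 to 249, so the manual that ships with tag 3.0.0-249 identifies itself as one build behind the binary. Regenerate doc/snort_manual.html (and the .text and .pdf copies, which carry the same Build 248 banner) after bumping build.h, or leave the doc bump for the next build and say so in the commit message.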
@@ -3177,7 +3177,7 @@ resetting it.

The page to be sent can be read from a file:

-
react = { page = "custmized_block_page.html", }
+
react = { page = "customized_block_page.html", }

or else the default is used:

@@ -7407,7 +7407,7 @@ int detection.trace: mask for enabling debug traces in module
  • -detection.analyzed: packets sent to detection (sum) +detection.analyzed: packets sent to detection (now)
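Review bot: Changing `detection.analyzed` from `(sum)` to `(now)` changes the peg's semantics, not just its wording: a `now` peg reports the current value rather than a running total, so anything that consumes perf_monitor output and treats detection.analyzed as cumulative will read a different number after this build. The ChangeLog does not mention the peg (the closest entry is "perfmon: fix issue for report correct stats after passing -n pkts"); add a line naming it so people comparing stats across builds know why the counter moved.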

  • @@ -7683,7 +7683,7 @@ int host_cache[].size: size of host cache
    • -addr host_tracker[].IP = 0.0.0.0/32: hosts address / cidr +addr host_tracker[].ip = 0.0.0.0/32: hosts address / cidr
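Review bot: Renaming the parameter from `host_tracker[].IP` to `host_tracker[].ip` is a user-visible config break: an existing snort.lua that writes `IP = ...` inside a host_tracker entry will fail validation after this change, and the ChangeLog line "host_tracker: fixed uppcase IP param issue" does not say that. State the rename in the ChangeLog, and if snort2lua emits this table, update the converter in the same change so converted configs do not regress.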

    • @@ -8346,17 +8346,17 @@ string references[].url: where this reference is defined
      • -int rule_state.gid = 0: rule generator ID { 0: } +int rule_state[].gid = 0: rule generator ID { 0: }

      • -int rule_state.sid = 0: rule signature ID { 0: } +int rule_state[].sid = 0: rule signature ID { 0: }

      • -bool rule_state.enable = true: enable or disable rule in all policies +bool rule_state[].enable = true: enable or disable rule in all policies

      @@ -8919,6 +8919,11 @@ implied snort.--pause: wait for resume/quit command before proc
    • +int snort.--pause-after-n: <count> pause after count packets, to be used with single packet thread only { 1: } +

      +
    • +
    • +

      implied snort.--parsing-follows-files: parse relative paths from the perspective of the current configuration file
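Review bot: The help text for `snort.--pause-after-n` says "to be used with single packet thread only" but nothing in this patch shows what happens when it is combined with more than one packet thread, and no check is visible. Either reject the combination at startup with a clear error or document the real behaviour (ignored, or pauses only one thread). It would also help to say, as the neighbouring `--pause` entry does, that the pause is released by the resume/quit command, so readers understand this is a control-shell feature rather than a timer.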

    • @@ -8984,6 +8989,11 @@ string snort.--rule: <rules> to be added to configuration
    • +string snort.--rule-path: <path> where to find rules files +

      +
    • +
    • +

      implied snort.--rule-to-hex: output so rule header to stdout for text rule on stdin
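Review bot: The description `+string snort.--rule-path: <path> where to find rules files` undersells the option; the ChangeLog entry says it loads rules "from all files under given dir". The help text should say that every file under the directory is loaded, and whether it recurses or filters by extension, because that is an operationally significant difference from `--rule` and `-R`, which name one file: with `--rule-path`, anything placed in that directory becomes part of the active policy, so operators need to know exactly what gets picked up.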

    • @@ -10558,6 +10568,16 @@ string appid.tp_appid_config: path to third party appid configu
    • +bool appid.tp_appid_stats_enable: enable collection of stats and print stats on exit in third party module +

      +
    • +
    • +

      +bool appid.tp_appid_config_dump: print third party configuration on startup +

      +
    • +
    • +

      bool appid.log_all_sessions = false: enable logging of all appid sessions
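Review bot: The two new appid options show no default, while the surrounding entries do (e.g. `bool appid.log_all_sessions = false`); give `tp_appid_stats_enable` and `tp_appid_config_dump` explicit `= false` defaults in the module so the generated docs state them and both behaviours are clearly opt-in. For `tp_appid_config_dump`, the description should also say where the dump is written, since startup output is often collected centrally and a full configuration dump is more than most deployments want in shared logs.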

    • @@ -11030,6 +11050,11 @@ int dce_smb.trace: mask for enabling debug traces in module
    • +133:11 (dce_smb) SMB - remaining NetBIOS data length less than command length +

      +
    • +
    • +

      133:12 (dce_smb) SMB - remaining NetBIOS data length less than command byte count
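Review bot: A new builtin event `133:11 (dce_smb) SMB - remaining NetBIOS data length less than command length` is added (and `133:31` for dce_tcp further down), but the ChangeLog has no dcerpc entry for new events; its only dcerpc lines concern a struct-packing warning and endianness. Add a ChangeLog line for the new SIDs so rule maintainers know to enable or threshold them, and confirm that 133:11 was genuinely unused before, since the documented list previously jumped from 133:10 to 133:12 and a reused SID would silently change meaning for existing suppressions.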

    • @@ -11455,6 +11480,11 @@ enum dce_tcp.policy = WinXP: Target based policy to use { Win2
    • +133:31 (dce_tcp) connection-oriented DCE/RPC - remaining fragment length less than size needed +

      +
    • +
    • +

      133:32 (dce_tcp) connection-oriented DCE/RPC - no context items specified

    • @@ -12929,7 +12959,7 @@ bool http_inspect.show_scan = false: display scanned segments
    • -119:101 (http_inspect) anomalous http server on undefined HTTP port +119:101 (http_inspect) obsolete event—deleted
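Review bot: Retiring `119:101` as an obsolete, deleted event keeps the SID reserved, which is the right call, but the patch gives the analogous gid 146 removal a snort2lua entry ("snort2lua: comment out deleted gid 146 rules") and nothing here does the same for 119:101. If existing configurations can reference 119:101 in suppress or threshold entries, give snort2lua the same treatment and record the deletion in the ChangeLog.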

    • @@ -21523,11 +21553,6 @@ determine verdict. (Conversely, builtin actions don’t have an associated plugin function.)

-

Developers Guide

-

Run doc/dev_guide.sh to generate /tmp/dev_guide.html, an annotated guide to -the source tree.

-
-

Piglet Test Harness

In order to assist with plugin development, an experimental mode called "piglet" mode is provided. With piglet mode, you can call individual methods for a specific plugin. @@ -22417,6 +22442,62 @@ types described above in any order

+
+

Developers Guide

+

Run doc/dev_guide.sh to generate /tmp/dev_guide.html, an annotated guide to +the source tree.

+
+
+

Performance Considerations for Developers

+
    +
  • +

    +Since C compilers evaluate compound conditional expression from left to + right, put the costly condition last. Put the often-false condition first + in && expression. Put the often-true condition first in || expression. +

    +
  • +
  • +

    +Use emplace_back/emplace instead of push_back/insert on STL containers. +

    +
  • +
  • +

    +In general, unordered_map is faster than map for frequent lookups using + integer key on relatively static collection of unsorted elements. Whereas, + map is faster for frequent insertions/deletions/iterations and for + non-integer key such as string or custom objects. Consider the same factors + when deciding ordered vs. unordered multimap and set. +

    +
  • +
  • +

    +Iterate using range-based for loop with reference (i.e., auto&). +

    +
  • +
  • +

    +Be mindful of construction and destruction of temporary objects which can + be wasteful. Consider using std::move, std::swap, lvalue reference (&), + and rvalue reference (&&). +

    +
  • +
  • +

    +Avoid thread-local storage. When unavoidable, minimize frequent TLS access + by caching it to a local variable. +

    +
  • +
  • +

    +When writing inter-library APIs, consider interfaces depending on use cases + to minimize context switching. For example, if two APIs foo() and bar() are + needed to call, combine these into a single API to minimize jumps. +

    +
  • +
+
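Review bot: The first bullet under "Performance Considerations for Developers" attributes left-to-right evaluation of `&&` and `||` to "C compilers", but it is short-circuit evaluation guaranteed by the C and C++ languages, and the text should add that operand order is a correctness property before it is a cost one: a guard such as a null check or a bounds check must stay before the operand it protects, so "put the costly condition last" only applies among conditions that are independent of each other. Two smaller points: the range-for bullet should recommend `const auto&` when the element is not modified, and the `emplace_back` and `unordered_map` bullets state rules of thumb as absolutes; a "measure first" qualifier would stop developers applying them where they do not help.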
@@ -23590,6 +23671,11 @@ these libraries see the Getting Started section of the manual.

  • +--pause-after-n <count> pause after count packets, to be used with single packet thread only (1:) +

    +
  • +
  • +

    --parsing-follows-files parse relative paths from the perspective of the current configuration file

  • @@ -23655,6 +23741,11 @@ these libraries see the Getting Started section of the manual.

  • +--rule-path <path> where to find rules files +

    +
  • +
  • +

    --rule-to-hex output so rule header to stdout for text rule on stdin

  • @@ -24045,6 +24136,11 @@ string appids.~: comma separated list of application names
  • +bool appid.tp_appid_config_dump: print third party configuration on startup +

    +
  • +
  • +

    string appid.tp_appid_config: path to third party appid configuration file

  • @@ -24055,6 +24151,11 @@ string appid.tp_appid_path: path to third party appid dynamic l
  • +bool appid.tp_appid_stats_enable: enable collection of stats and print stats on exit in third party module +

    +
  • +
  • +

    int appid.trace: mask for enabling debug traces in module

  • @@ -25475,7 +25576,7 @@ enum host_tracker[].frag_policy: defragmentation policy { first
  • -addr host_tracker[].IP = 0.0.0.0/32: hosts address / cidr +addr host_tracker[].ip = 0.0.0.0/32: hosts address / cidr

  • @@ -27150,17 +27251,17 @@ string rpc.~ver: version number or * for any
  • -bool rule_state.enable = true: enable or disable rule in all policies +bool rule_state[].enable = true: enable or disable rule in all policies

  • -int rule_state.gid = 0: rule generator ID { 0: } +int rule_state[].gid = 0: rule generator ID { 0: }

  • -int rule_state.sid = 0: rule signature ID { 0: } +int rule_state[].sid = 0: rule signature ID { 0: }

  • @@ -27830,6 +27931,11 @@ implied snort.--parsing-follows-files: parse relative paths fro
  • +int snort.--pause-after-n: <count> pause after count packets, to be used with single packet thread only { 1: } +

    +
  • +
  • +

    implied snort.--pause: wait for resume/quit command before processing packets/terminating

  • @@ -27915,6 +28021,11 @@ string snort.-R: <rules> include this rules file in the d
  • +string snort.--rule-path: <path> where to find rules files +

    +
  • +
  • +

    string snort.--rule: <rules> to be added to configuration; may be repeated

  • @@ -29410,7 +29521,7 @@ interval wscale.~range: check if TCP window scale is in given r
  • -detection.analyzed: packets sent to detection (sum) +detection.analyzed: packets sent to detection (now)

  • @@ -31685,6 +31796,11 @@ interval wscale.~range: check if TCP window scale is in given r
  • +121: http2_inspect +

    +
  • +
  • +

    122: port_scan
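Review bot: Moving http2_inspect from gid 219 to 121 (this hunk and the matching `-219: http2_inspect` removal below) means any existing rule, threshold or suppression keyed on 219 stops matching silently after the upgrade. The ChangeLog records the renumbering, but the manual should carry a migration note, and it is worth confirming that 121 was not previously allocated, since it now sits between 119 (http_inspect) and 122 (port_scan) in the GID table.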

  • @@ -31810,11 +31926,6 @@ interval wscale.~range: check if TCP window scale is in given r
  • -219: http2_inspect -

    -
  • -
  • -

    256: dpx

  • @@ -32865,7 +32976,7 @@ interval wscale.~range: check if TCP window scale is in given r
  • -119:101 (http_inspect) anomalous http server on undefined HTTP port +119:101 (http_inspect) obsolete event—deleted

  • @@ -33695,6 +33806,11 @@ interval wscale.~range: check if TCP window scale is in given r
  • +133:11 (dce_smb) SMB - remaining NetBIOS data length less than command length +

    +
  • +
  • +

    133:12 (dce_smb) SMB - remaining NetBIOS data length less than command byte count

  • @@ -33790,6 +33906,11 @@ interval wscale.~range: check if TCP window scale is in given r
  • +133:31 (dce_tcp) connection-oriented DCE/RPC - remaining fragment length less than size needed +

    +
  • +
  • +

    133:32 (dce_tcp) connection-oriented DCE/RPC - no context items specified

  • @@ -37578,7 +37699,7 @@ Note that on OpenBSD, divert sockets don’t work with bridges!

    diff --git a/doc/snort_manual.pdf b/doc/snort_manual.pdf index 1c35ba2e5..9da387e20 100644 Binary files a/doc/snort_manual.pdf and b/doc/snort_manual.pdf differ diff --git a/doc/snort_manual.text b/doc/snort_manual.text index d466b9597..2ecdac088 100644 --- a/doc/snort_manual.text +++ b/doc/snort_manual.text @@ -346,9 +346,10 @@ Table of Contents 18.3. Inspectors 18.4. Codecs 18.5. IPS Actions - 18.6. Developers Guide - 18.7. Piglet Test Harness - 18.8. Piglet Lua API + 18.6. Piglet Test Harness + 18.7. Piglet Lua API + 18.8. Developers Guide + 18.9. Performance Considerations for Developers 19. Coding Style @@ -383,7 +384,7 @@ Table of Contents Snorty ,,_ -*> Snort++ <*- -o" )~ Version 3.0.0 (Build 246) from 2.9.11 +o" )~ Version 3.0.0 (Build 248) from 2.9.11 '''' By Martin Roesch & The Snort Team http://snort.org/contact#team Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved. @@ -2020,7 +2021,7 @@ resetting it. The page to be sent can be read from a file: -react = { page = "custmized_block_page.html", } +react = { page = "customized_block_page.html", } or else the default is used: @@ -5571,7 +5572,7 @@ Configuration: Peg counts: - * detection.analyzed: packets sent to detection (sum) + * detection.analyzed: packets sent to detection (now) * detection.hard_evals: non-fast pattern rule evaluations (sum) * detection.raw_searches: fast pattern searches in raw packet data (sum) @@ -5716,7 +5717,7 @@ Usage: global Configuration: - * addr host_tracker[].IP = 0.0.0.0/32: hosts address / cidr + * addr host_tracker[].ip = 0.0.0.0/32: hosts address / cidr * enum host_tracker[].frag_policy: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris } * enum host_tracker[].tcp_policy: TCP reassembly policy { first | 
@@ -6099,9 +6100,9 @@ Usage: detect Configuration: - * int rule_state.gid = 0: rule generator ID { 0: } - * int rule_state.sid = 0: rule signature ID { 0: } - * bool rule_state.enable = true: enable or disable rule in all + * int rule_state[].gid = 0: rule generator ID { 0: } + * int rule_state[].sid = 0: rule signature ID { 0: } + * bool rule_state[].enable = true: enable or disable rule in all policies @@ -6324,6 +6325,8 @@ Configuration: * implied snort.--nolock-pidfile: do not try to lock Snort PID file * implied snort.--pause: wait for resume/quit command before processing packets/terminating + * int snort.--pause-after-n: pause after count packets, to + be used with single packet thread only { 1: } * implied snort.--parsing-follows-files: parse relative paths from the perspective of the current configuration file * string snort.--pcap-file: file that contains a list of @@ -6347,6 +6350,7 @@ Configuration: * implied snort.--process-all-events: process all action groups * string snort.--rule: to be added to configuration; may be repeated + * string snort.--rule-path: where to find rules files * implied snort.--rule-to-hex: output so rule header to stdout for text rule on stdin * string snort.--rule-to-text = [SnortFoo]: output plain so rule @@ -7150,6 +7154,10 @@ Configuration: library * string appid.tp_appid_config: path to third party appid configuration file + * bool appid.tp_appid_stats_enable: enable collection of stats and + print stats on exit in third party module + * bool appid.tp_appid_config_dump: print third party configuration + on startup * bool appid.log_all_sessions = false: enable logging of all appid sessions * int appid.trace: mask for enabling debug traces in module 
@@ -7378,6 +7386,8 @@ Rules: * 133:9 (dce_smb) SMB - zero total data count * 133:10 (dce_smb) SMB - NetBIOS data length less than SMB header length + * 133:11 (dce_smb) SMB - remaining NetBIOS data length less than + command length * 133:12 (dce_smb) SMB - remaining NetBIOS data length less than command byte count * 133:13 (dce_smb) SMB - remaining NetBIOS data length less than @@ -7528,6 +7538,8 @@ Rules: * 133:29 (dce_tcp) connection-oriented DCE/RPC - invalid PDU type * 133:30 (dce_tcp) connection-oriented DCE/RPC - fragment length less than header size + * 133:31 (dce_tcp) connection-oriented DCE/RPC - remaining fragment + length less than size needed * 133:32 (dce_tcp) connection-oriented DCE/RPC - no context items specified * 133:33 (dce_tcp) connection-oriented DCE/RPC -no transfer @@ -8157,8 +8169,7 @@ Rules: * 119:32 (http_inspect) simple request * 119:33 (http_inspect) unescaped space in HTTP URI * 119:34 (http_inspect) too many pipelined requests - * 119:101 (http_inspect) anomalous http server on undefined HTTP - port + * 119:101 (http_inspect) obsolete event—deleted * 119:102 (http_inspect) invalid status code in HTTP response * 119:103 (http_inspect) unused event number—should not appear * 119:104 (http_inspect) HTTP response has UTF charset that failed @@ -12983,15 +12994,7 @@ determine verdict. (Conversely, builtin actions don’t have an associated plugin function.) -18.6. Developers Guide - --------------- - -Run doc/dev_guide.sh to generate /tmp/dev_guide.html, an annotated -guide to the source tree. - - -18.7. Piglet Test Harness +18.6. Piglet Test Harness -------------- @@ -13037,7 +13040,7 @@ The test runner will generate a check-like output, indicating the the results of each test script. -18.8. Piglet Lua API +18.7. Piglet Lua API -------------- 
@@ -13050,7 +13053,7 @@ the underlying C\++ member functions. Every effort has been made to keep the mappings consist, but there are still some differences. They are documented below. -18.8.1. Plugin Instances +18.7.1. Plugin Instances For each test, piglet instantiates plugin specified in the name field of the plugin table. The virtual methods of the instance are exposed @@ -13124,7 +13127,7 @@ SoRule Currently, SoRule does not expose any methods. -18.8.1.1. Interface Objects +18.7.1.1. Interface Objects Many of the plugins take C++ classes and structs as arguments. These objects are exposed to the Lua API as Lua userdata. Exposed objects 
@@ -13331,6 +13334,42 @@ Note: StreamSplitter does not have a new() method, it must be created by an inspector via Inspector.get_splitter() +18.8. Developers Guide + +-------------- + +Run doc/dev_guide.sh to generate /tmp/dev_guide.html, an annotated +guide to the source tree. + + +18.9. Performance Considerations for Developers + +-------------- + + * Since C compilers evaluate compound conditional expression from + left to right, put the costly condition last. Put the often-false + condition first in && expression. Put the often-true condition + first in || expression. + * Use emplace_back/emplace instead of push_back/insert on STL + containers. + * In general, unordered_map is faster than map for frequent lookups + using integer key on relatively static collection of unsorted + elements. Whereas, map is faster for frequent insertions/ + deletions/iterations and for non-integer key such as string or + custom objects. Consider the same factors when deciding ordered + vs. unordered multimap and set. + * Iterate using range-based for loop with reference (i.e., auto&). + * Be mindful of construction and destruction of temporary objects + which can be wasteful. Consider using std::move, std::swap, + lvalue reference (&), and rvalue reference (&&). + * Avoid thread-local storage. When unavoidable, minimize frequent + TLS access by caching it to a local variable. + * When writing inter-library APIs, consider interfaces depending on + use cases to minimize context switching. For example, if two APIs + foo() and bar() are needed to call, combine these into a single + API to minimize jumps. + + --------------------------------------------------------------------- 19. Coding Style 
@@ -13875,6 +13914,8 @@ these libraries see the Getting Started section of the manual. * --nolock-pidfile do not try to lock Snort PID file * --pause wait for resume/quit command before processing packets/ terminating + * --pause-after-n pause after count packets, to be used + with single packet thread only (1:) * --parsing-follows-files parse relative paths from the perspective of the current configuration file * --pcap-file file that contains a list of pcaps to read - @@ -13896,6 +13937,7 @@ these libraries see the Getting Started section of the manual. * --plugin-path where to find plugins * --process-all-events process all action groups * --rule to be added to configuration; may be repeated + * --rule-path where to find rules files * --rule-to-hex output so rule header to stdout for text rule on stdin * --rule-to-text output plain so rule header to stdout for text @@ -14044,10 +14086,14 @@ these libraries see the Getting Started section of the manual. * bool appid.log_stats = false: enable logging of appid statistics * int appid.memcap = 0: disregard - not implemented { 0: } * string appids.~: comma separated list of application names + * bool appid.tp_appid_config_dump: print third party configuration + on startup * string appid.tp_appid_config: path to third party appid configuration file * string appid.tp_appid_path: path to third party appid dynamic library + * bool appid.tp_appid_stats_enable: enable collection of stats and + print stats on exit in third party module * int appid.trace: mask for enabling debug traces in module * ip4 arp_spoof.hosts[].ip: host ip address * mac arp_spoof.hosts[].mac: host mac address 
@@ -14490,7 +14536,7 @@ these libraries see the Getting Started section of the manual. hpux10 | windows | win_2003 | vista | proxy } * enum host_tracker[].frag_policy: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris } - * addr host_tracker[].IP = 0.0.0.0/32: hosts address / cidr + * addr host_tracker[].ip = 0.0.0.0/32: hosts address / cidr * string host_tracker[].services[].name: service identifier * port host_tracker[].services[].port: port number * enum host_tracker[].services[].proto = tcp: IP protocol { tcp | @@ -15083,10 +15129,10 @@ these libraries see the Getting Started section of the manual. * int rpc.~app: application number * string rpc.~proc: procedure number or * for any * string rpc.~ver: version number or * for any - * bool rule_state.enable = true: enable or disable rule in all + * bool rule_state[].enable = true: enable or disable rule in all policies - * int rule_state.gid = 0: rule generator ID { 0: } - * int rule_state.sid = 0: rule signature ID { 0: } + * int rule_state[].gid = 0: rule generator ID { 0: } + * int rule_state[].sid = 0: rule signature ID { 0: } * string sd_pattern.~pattern: The pattern to search for * int sd_pattern.threshold: number of matches before alerting { 1 } * int search_engine.bleedover_port_limit = 1024: maximum ports in @@ -15311,6 +15357,8 @@ these libraries see the Getting Started section of the manual. option quick help (same as --help-options) { (optional) } * implied snort.--parsing-follows-files: parse relative paths from the perspective of the current configuration file + * int snort.--pause-after-n: pause after count packets, to + be used with single packet thread only { 1: } * implied snort.--pause: wait for resume/quit command before processing packets/terminating * string snort.--pcap-dir: a directory to recurse to look for 
@@ -15339,6 +15387,7 @@ these libraries see the Getting Started section of the manual. * string snort.-r: … (same as --pcap-list) * string snort.-R: include this rules file in the default policy + * string snort.--rule-path: where to find rules files * string snort.--rule: to be added to configuration; may be repeated * implied snort.--rule-to-hex: output so rule header to stdout for @@ -15809,7 +15858,7 @@ these libraries see the Getting Started section of the manual. * detection.alerts: alerts not including IP reputation (sum) * detection.alt_searches: alt fast pattern searches in packet data (sum) - * detection.analyzed: packets sent to detection (sum) + * detection.analyzed: packets sent to detection (now) * detection.body_searches: fast pattern searches in body buffer (sum) * detection.cooked_searches: fast pattern searches in cooked packet @@ -16379,6 +16428,7 @@ these libraries see the Getting Started section of the manual. * 116: vlan * 116: wlan * 119: http_inspect + * 121: http2_inspect * 122: port_scan * 123: stream_ip * 124: smtp @@ -16404,7 +16454,6 @@ these libraries see the Getting Started section of the manual. * 145: dnp3 * 146: file_id * 175: domain_filter - * 219: http2_inspect * 256: dpx @@ -16647,8 +16696,7 @@ these libraries see the Getting Started section of the manual. * 119:32 (http_inspect) simple request * 119:33 (http_inspect) unescaped space in HTTP URI * 119:34 (http_inspect) too many pipelined requests - * 119:101 (http_inspect) anomalous http server on undefined HTTP - port + * 119:101 (http_inspect) obsolete event—deleted * 119:102 (http_inspect) invalid status code in HTTP response * 119:103 (http_inspect) unused event number—should not appear * 119:104 (http_inspect) HTTP response has UTF charset that failed 
@@ -16846,6 +16894,8 @@ these libraries see the Getting Started section of the manual. * 133:9 (dce_smb) SMB - zero total data count * 133:10 (dce_smb) SMB - NetBIOS data length less than SMB header length + * 133:11 (dce_smb) SMB - remaining NetBIOS data length less than + command length * 133:12 (dce_smb) SMB - remaining NetBIOS data length less than command byte count * 133:13 (dce_smb) SMB - remaining NetBIOS data length less than @@ -16878,6 +16928,8 @@ these libraries see the Getting Started section of the manual. * 133:29 (dce_tcp) connection-oriented DCE/RPC - invalid PDU type * 133:30 (dce_tcp) connection-oriented DCE/RPC - fragment length less than header size + * 133:31 (dce_tcp) connection-oriented DCE/RPC - remaining fragment + length less than size needed * 133:32 (dce_tcp) connection-oriented DCE/RPC - no context items specified * 133:33 (dce_tcp) connection-oriented DCE/RPC -no transfer diff --git a/src/main/build.h b/src/main/build.h index de76a9961..b32c589dd 100644 --- a/src/main/build.h +++ b/src/main/build.h @@ -12,7 +12,7 @@ // // //-----------------------------------------------// -#define BUILD_NUMBER 248 +#define BUILD_NUMBER 249 #ifndef EXTRABUILD #define BUILD STRINGIFY_MX(BUILD_NUMBER)
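Review bot: Spelling in the new ChangeLog block (the run-together hunk at the top of this patch): "uppcase" should be "uppercase", "convertion" should be "conversion", "absolutey" should be "absolutely", "dont" should be "don't", and "detection : add function" has a stray space before the colon where every other entry uses "module: text". Fix these before tagging 3.0.0-249, since the ChangeLog is what ships with the release.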