From: Mike Stepanek (mstepane) Date: Wed, 25 Mar 2020 14:13:20 +0000 (+0000) Subject: Merge pull request #2106 in SNORT/snort3 from ~MSTEPANE/snort3:build_270 to master X-Git-Tag: 3.0.0-270 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=aeafe89107842e35125e7752422d175e5f695dca;p=thirdparty%2Fsnort3.git Merge pull request #2106 in SNORT/snort3 from ~MSTEPANE/snort3:build_270 to master Squashed commit of the following: commit 6155a90e061a401368f4c31c22c36cbae2a85a64 Author: Mike Stepanek Date: Wed Mar 25 09:08:03 2020 -0400 build: generate and tag build 270 --- diff --git a/ChangeLog b/ChangeLog index b100b58b7..ae6a93a8e 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,48 @@ +2020/03/25 - build 270 + +-- active: Base hold_packet() decision on DAQ message pool usage +-- active: Fix direction of RST packet being sent to server +-- active: Move packet hold realization for Stream detainment to verdict handling +-- active: Send entire buffer at once when send_data uses ioctl +-- appid: Adding UT for client_app_aim_test +-- appid: Fix SMB session data memory leak +-- appid: Include DNS over TLS port for classification +-- appid: Restart service detection on start of decryption +-- appid: Support appid detection for outer protocol service +-- appid: Support detection for first stream in http/2 session +-- binder: Ignore the network_policy binding +-- build: Bump the C++ compiler supported feature set requirement to C++14 +-- build: Don't try to use libuuid headers/libraries when not found. + Thanks to James Lay for reporting the issue. +-- build: Refactor included headers +-- codecs: Add new proto bit for udp tunneled traffic +-- codecs: Add vxlan codec +-- dce_rpc: Inspect midstream sessions for file inspection +-- file_api: Reading the new data for the overlapped file_data +-- filters: Update threshold tracking functions +-- flow: Allow the ExpectCache to force prune, so that we can always make room when the cache is + full +-- flow: Change the ExpectCache prune logic to only remove a specified number of oldest entries, + regardless of node expiration time +-- flow: Do away altogether with the loop in ExpectCache::prune, just remove one, only when the + cache is full +-- http2_inspect: Refactor data cutter - preparation for multi packet processing +-- http2_inspect: Support single data frame sent to http, multiple flushes +-- http2_inspect: Update dev notes with memory calculations +-- http_inspect: Create http2 message body type +-- http_inspect: Gzip detained inspection +-- http_inspect: Refactor print_section for message bodies +-- loggers: Update usage to GLOBAL for all loggers +-- lua: Enable a rewrite plugin in a 
default config +-- main: Check if flow state is blocked while applying verdicts +-- main: Setting higher maximum pruning when idle +-- snort2lua: Convert a replace option to a rewrite plugin/action +-- snort2lua: Don't print out network_policy binding +-- stream: Short-circuit stream when handling retry packets in no-ack mode +-- stream_tcp: Cancel hold requests on the current packet when flushing +-- stream_tcp: Finalize held packets in TcpSession::clear_session() +-- stream_tcp: Moved retry check to TcpSession::process + 2020/03/12 - build 269 -- active: Add ability to inject resets and payload via IOCTLs diff --git a/doc/snort_manual.html b/doc/snort_manual.html index 2331aed8e..3d5a53298 100644 --- a/doc/snort_manual.html +++ b/doc/snort_manual.html @@ -782,7 +782,7 @@ asciidoc.install(2);
 ,,_     -*> Snort++ <*-
-o"  )~   Version 3.0.0 (Build 269)
+o"  )~   Version 3.0.0 (Build 270)
  ''''    By Martin Roesch & The Snort Team
          http://snort.org/contact#team
          Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
@@ -2084,17 +2084,17 @@ out more advanced usage.

  • -cmake to build from source +a compiler that supports the C++14 feature set

  • -daq from https://github.com/snort3/libdaq for packet IO +cmake to build from source

  • -g++ >= 4.8 or other recent C++11 compiler +daq from https://github.com/snort3/libdaq for packet IO

  • @@ -7079,6 +7079,16 @@ int active.min_interval = 255: minimum number of seconds betwee active.failed_direct_injects: total crafted packet direct injects that failed (sum)

  • +
  • +

    +active.holds_denied: total number of packet hold requests denied (sum) +

    +
  • +
  • +

    +active.holds_canceled: total number of packet hold requests canceled (sum) +

    +
@@ -7130,7 +7140,7 @@ bool alerts.stateful = false: don’t alert w/o established
  • -string alerts.tunnel_verdicts: let DAQ handle non-allow verdicts for gtp|teredo|6in4|4in6|4in4|6in6|gre|mpls traffic +string alerts.tunnel_verdicts: let DAQ handle non-allow verdicts for gtp|teredo|6in4|4in6|4in4|6in6|gre|mpls|vxlan traffic

  • @@ -8564,7 +8574,7 @@ enum profiler.rules.sort = total_time: sort by given field { no

    rate_filter

    What: configure rate filters (which change rule actions)

    Type: basic

    -

    Usage: detect

    +

    Usage: context

    Configuration:

    • @@ -9588,7 +9598,7 @@ int snort.trace.all = 0: enabling traces in module { 0:max32 }

      suppress

      What: configure event suppressions

      Type: basic

      -

      Usage: detect

      +

      Usage: context

      Configuration:

      • @@ -10657,12 +10667,12 @@ bool udp.deep_teredo_inspection = false: look for Teredo on all
      • -bool udp.enable_gtp = false: decode GTP encapsulations +bit_list udp.gtp_ports = 2152 3386: set GTP ports { 65535 }

      • -bit_list udp.gtp_ports = 2152 3386: set GTP ports { 65535 } +bit_list udp.vxlan_ports = 4789: set VXLAN ports { 65535 }

      @@ -11179,7 +11189,7 @@ string binder[].use.ips_policy: use ips policy fro
    • -string binder[].use.network_policy: use network policy from given file +string binder[].use.network_policy: deprecated, ignored by binder

    • @@ -15808,6 +15818,16 @@ bool rt_packet.retry_all = false: request retry for all non-ret rt_service.search_requests: total splitter search requests (sum)

    • +
    • +

      +rt_service.send_data_requests: total send data via daq inject requests (sum) +

      +
    • +
    • +

      +rt_service.send_data_direct_requests: total send data via direct inject requests (sum) +

      +
    @@ -17663,11 +17683,6 @@ bool stream_tcp.track_only = false: disable reassembly if true
  • -stream_tcp.held_packet_limit_exceeded: number of times limit of max held packets exceeded (sum) -

    -
  • -
  • -

    stream_tcp.partial_flushes: number of partial flushes initiated (sum)

  • @@ -20458,7 +20473,7 @@ have associated modules.

    alert_csv

    What: output event in csv format

    Type: logger

    -

    Usage: context

    +

    Usage: global

    Configuration:

    • @@ -20501,7 +20516,7 @@ bool alert_ex.upper = false: true/false → convert to uppe

      alert_fast

      What: output event with brief text format

      Type: logger

      -

      Usage: context

      +

      Usage: global

      Configuration:

      • @@ -20525,7 +20540,7 @@ int alert_fast.limit = 0: set maximum size in MB before rollove

        alert_full

        What: output event with full packet dump

        Type: logger

        -

        Usage: context

        +

        Usage: global

        Configuration:

        • @@ -20544,7 +20559,7 @@ int alert_full.limit = 0: set maximum size in MB before rollove

          alert_json

          What: output event in json format

          Type: logger

          -

          Usage: context

          +

          Usage: global

          Configuration:

          • @@ -20573,7 +20588,7 @@ string alert_json.separator = , : separate fields with this cha

            alert_sfsocket

            What: output event over socket

            Type: logger

            -

            Usage: context

            +

            Usage: global

            Configuration:

            • @@ -20597,7 +20612,7 @@ int alert_sfsocket.rules[].sid = 1: rule signature

              alert_syslog

              What: output event to syslog

              Type: logger

              -

              Usage: context

              +

              Usage: global

              Configuration:

              • @@ -20621,19 +20636,19 @@ multi alert_syslog.options: used to open the syslog connection

                alert_talos

                What: output event in Talos alert format

                Type: logger

                -

                Usage: context

                +

                Usage: global

              alert_unixsock

              What: output event over unix socket

              Type: logger

              -

              Usage: context

              +

              Usage: global

              log_codecs

              What: log protocols in packet by layer

              Type: logger

              -

              Usage: context

              +

              Usage: global

              Configuration:

              • @@ -20652,7 +20667,7 @@ bool log_codecs.msg = false: include alert msg

                log_hext

                What: output payload suitable for daq hext

                Type: logger

                -

                Usage: context

                +

                Usage: global

                Configuration:

                • @@ -20681,7 +20696,7 @@ int log_hext.width = 20: set line width (0 is unlimited) { 0:ma

                  log_pcap

                  What: log packet in pcap format

                  Type: logger

                  -

                  Usage: context

                  +

                  Usage: global

                  Configuration:

                  • @@ -20695,7 +20710,7 @@ int log_pcap.limit = 0: set maximum size in MB before rollover

                    unified2

                    What: output event and packet in unified2 format file

                    Type: logger

                    -

                    Usage: context

                    +

                    Usage: global

                    Configuration:

                    • @@ -23888,10 +23903,10 @@ Use FIXIT (not FIXTHIS or TODO or whatever) to mark things left for a
                    • -Presently using FIXIT-X where X = A | W | P | H | M | L, indicating analysis, - warning, perf, high, med, or low priority. Place A and W comments on the - exact warning line so we can match up comments and build output. Supporting - comments can be added above. +Presently using FIXIT-X where X = A | W | P | H | M | L | D, indicating + analysis, warning, perf, high, med, low priority, or deprecated. Place A and + W comments on the exact warning line so we can match up comments and build + output. Supporting comments can be added above.

                    • @@ -25238,7 +25253,7 @@ bool alerts.stateful = false: don’t alert w/o established
                    • -string alerts.tunnel_verdicts: let DAQ handle non-allow verdicts for gtp|teredo|6in4|4in6|4in4|6in6|gre|mpls traffic +string alerts.tunnel_verdicts: let DAQ handle non-allow verdicts for gtp|teredo|6in4|4in6|4in4|6in6|gre|mpls|vxlan traffic

                    • @@ -25448,7 +25463,7 @@ string binder[].use.name: symbol name (defaults to
                    • -string binder[].use.network_policy: use network policy from given file +string binder[].use.network_policy: deprecated, ignored by binder

                    • @@ -30243,12 +30258,12 @@ bool udp.deep_teredo_inspection = false: look for Teredo on all
                    • -bool udp.enable_gtp = false: decode GTP encapsulations +bit_list udp.gtp_ports = 2152 3386: set GTP ports { 65535 }

                    • -bit_list udp.gtp_ports = 2152 3386: set GTP ports { 65535 } +bit_list udp.vxlan_ports = 4789: set VXLAN ports { 65535 }

                    • @@ -30358,6 +30373,16 @@ interval wscale.~range: check if TCP window scale is in given r
                    • +active.holds_canceled: total number of packet hold requests canceled (sum) +

                      +
                    • +
                    • +

                      +active.holds_denied: total number of packet hold requests denied (sum) +

                      +
                    • +
                    • +

                      active.injects: total crafted packets encoded and injected (sum)

                    • @@ -32473,6 +32498,16 @@ interval wscale.~range: check if TCP window scale is in given r
                    • +rt_service.send_data_direct_requests: total send data via direct inject requests (sum) +

                      +
                    • +
                    • +

                      +rt_service.send_data_requests: total send data via daq inject requests (sum) +

                      +
                    • +
                    • +

                      s7commplus.concurrent_sessions: total concurrent s7commplus sessions (now)

                    • @@ -33258,11 +33293,6 @@ interval wscale.~range: check if TCP window scale is in given r
                    • -stream_tcp.held_packet_limit_exceeded: number of times limit of max held packets exceeded (sum) -

                      -
                    • -
                    • -

                      stream_tcp.held_packet_rexmits: number of retransmits of held packets (sum)

                    • @@ -36863,6 +36893,7 @@ deleted -> config ' dump_dynamic_rules_path' deleted -> config ' enable_decode_drops' deleted -> config ' enable_decode_oversized_alerts' deleted -> config ' enable_decode_oversized_drops' +deleted -> config ' enable_gtp' deleted -> config ' enable_ipopt_drops' deleted -> config ' enable_tcpopt_drops' deleted -> config ' enable_tcpopt_experimental_drops' @@ -38459,6 +38490,11 @@ deleted -> unified2: 'vlan_event_types'
                    • +codec::vxlan: support for Virtual Extensible LAN +

                      +
                    • +
                    • +

                      codec::wlan: support for wireless local area network protocol (DLT 105)

                    • @@ -39587,7 +39623,7 @@ Adding/removing stream_* inspectors if stream was already configured diff --git a/doc/snort_manual.pdf b/doc/snort_manual.pdf index f8fdabf36..25d075a47 100644 Binary files a/doc/snort_manual.pdf and b/doc/snort_manual.pdf differ diff --git a/doc/snort_manual.text b/doc/snort_manual.text index 4ebbd6c1a..3a796612d 100644 --- a/doc/snort_manual.text +++ b/doc/snort_manual.text @@ -410,7 +410,7 @@ Table of Contents Snorty ,,_ -*> Snort++ <*- -o" )~ Version 3.0.0 (Build 269) +o" )~ Version 3.0.0 (Build 270) '''' By Martin Roesch & The Snort Team http://snort.org/contact#team Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved. @@ -1284,9 +1284,9 @@ to figure out more advanced usage. Required: + * a compiler that supports the C++14 feature set * cmake to build from source * daq from https://github.com/snort3/libdaq for packet IO - * g++ >= 4.8 or other recent C++11 compiler * dnet from https://github.com/dugsong/libdnet.git for network utility functions * hwloc from https://www.open-mpi.org/projects/hwloc/ for CPU @@ -5429,6 +5429,10 @@ Peg counts: (sum) * active.failed_direct_injects: total crafted packet direct injects that failed (sum) + * active.holds_denied: total number of packet hold requests denied + (sum) + * active.holds_canceled: total number of packet hold requests + canceled (sum) 6.2. alerts @@ -5460,7 +5464,7 @@ Configuration: * bool alerts.stateful = false: don’t alert w/o established session (note: rule action still taken) * string alerts.tunnel_verdicts: let DAQ handle non-allow verdicts - for gtp|teredo|6in4|4in6|4in4|6in6|gre|mpls traffic + for gtp|teredo|6in4|4in6|4in4|6in6|gre|mpls|vxlan traffic 6.3. attribute_table @@ -6187,7 +6191,7 @@ What: configure rate filters (which change rule actions) Type: basic -Usage: detect +Usage: context Configuration: @@ -6606,7 +6610,7 @@ What: configure event suppressions Type: basic -Usage: detect +Usage: context Configuration: 
@@ -7175,8 +7179,8 @@ Configuration: * bool udp.deep_teredo_inspection = false: look for Teredo on all UDP ports (default is only 3544) - * bool udp.enable_gtp = false: decode GTP encapsulations * bit_list udp.gtp_ports = 2152 3386: set GTP ports { 65535 } + * bit_list udp.vxlan_ports = 4789: set VXLAN ports { 65535 } Rules: @@ -7439,8 +7443,7 @@ Configuration: * string binder[].use.inspection_policy: use inspection policy from given file * string binder[].use.ips_policy: use ips policy from given file - * string binder[].use.network_policy: use network policy from given - file + * string binder[].use.network_policy: deprecated, ignored by binder * string binder[].use.service: override automatic service identification * string binder[].use.type: select module for binding @@ -9295,6 +9298,10 @@ Peg counts: * rt_service.flush_requests: total splitter flush requests (sum) * rt_service.hold_requests: total splitter hold requests (sum) * rt_service.search_requests: total splitter search requests (sum) + * rt_service.send_data_requests: total send data via daq inject + requests (sum) + * rt_service.send_data_direct_requests: total send data via direct + inject requests (sum) 9.39. s7commplus @@ -9950,8 +9957,6 @@ Peg counts: (now) * stream_tcp.max_packets_held: maximum number of packets held simultaneously (max) - * stream_tcp.held_packet_limit_exceeded: number of times limit of - max held packets exceeded (sum) * stream_tcp.partial_flushes: number of partial flushes initiated (sum) * stream_tcp.partial_flush_bytes: partial flush total bytes (sum) @@ -12279,7 +12284,7 @@ What: output event in csv format Type: logger -Usage: context +Usage: global Configuration: @@ -12326,7 +12331,7 @@ What: output event with brief text format Type: logger -Usage: context +Usage: global Configuration: @@ -12345,7 +12350,7 @@ What: output event with full packet dump Type: logger -Usage: context +Usage: global Configuration: 
@@ -12363,7 +12368,7 @@ What: output event in json format Type: logger -Usage: context +Usage: global Configuration: @@ -12394,7 +12399,7 @@ What: output event over socket Type: logger -Usage: context +Usage: global Configuration: @@ -12411,7 +12416,7 @@ What: output event to syslog Type: logger -Usage: context +Usage: global Configuration: @@ -12433,7 +12438,7 @@ What: output event in Talos alert format Type: logger -Usage: context +Usage: global 14.9. alert_unixsock @@ -12444,7 +12449,7 @@ What: output event over unix socket Type: logger -Usage: context +Usage: global 14.10. log_codecs @@ -12455,7 +12460,7 @@ What: log protocols in packet by layer Type: logger -Usage: context +Usage: global Configuration: @@ -12472,7 +12477,7 @@ What: output payload suitable for daq hext Type: logger -Usage: context +Usage: global Configuration: @@ -12494,7 +12499,7 @@ What: log packet in pcap format Type: logger -Usage: context +Usage: global Configuration: @@ -12510,7 +12515,7 @@ What: output event and packet in unified2 format file Type: logger -Usage: context +Usage: global Configuration: 
@@ -14216,11 +14221,11 @@ with. * Use FIXIT (not FIXTHIS or TODO or whatever) to mark things left for a day or even just a minute. That way we can find them easily and won’t lose track of them. - * Presently using FIXIT-X where X = A | W | P | H | M | L, - indicating analysis, warning, perf, high, med, or low priority. - Place A and W comments on the exact warning line so we can match - up comments and build output. Supporting comments can be added - above. + * Presently using FIXIT-X where X = A | W | P | H | M | L | D, + indicating analysis, warning, perf, high, med, low priority, or + deprecated. Place A and W comments on the exact warning line so + we can match up comments and build output. Supporting comments + can be added above. * Put the copyright(s) and license in a comment block at the top of each source file (.h and .cc). Don’t bother with trivial scripts and make foo. Some interesting Lua code should get a comment @@ -14805,7 +14810,7 @@ these libraries see the Getting Started section of the manual. * bool alerts.stateful = false: don’t alert w/o established session (note: rule action still taken) * string alerts.tunnel_verdicts: let DAQ handle non-allow verdicts - for gtp|teredo|6in4|4in6|4in4|6in6|gre|mpls traffic + for gtp|teredo|6in4|4in6|4in4|6in6|gre|mpls|vxlan traffic * enum alert_syslog.facility = auth: part of priority applied to each message { auth | authpriv | daemon | user | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 } @@ -14879,8 +14884,7 @@ these libraries see the Getting Started section of the manual. given file * string binder[].use.ips_policy: use ips policy from given file * string binder[].use.name: symbol name (defaults to type) - * string binder[].use.network_policy: use network policy from given - file + * string binder[].use.network_policy: deprecated, ignored by binder * string binder[].use.service: override automatic service identification * string binder[].use.type: select module for binding 
@@ -16524,8 +16528,8 @@ these libraries see the Getting Started section of the manual. 0:255 } * bool udp.deep_teredo_inspection = false: look for Teredo on all UDP ports (default is only 3544) - * bool udp.enable_gtp = false: decode GTP encapsulations * bit_list udp.gtp_ports = 2152 3386: set GTP ports { 65535 } + * bit_list udp.vxlan_ports = 4789: set VXLAN ports { 65535 } * bool unified2.legacy_events = false: generate Snort 2.X style events for barnyard2 compatibility * int unified2.limit = 0: set maximum size in MB before rollover (0 @@ -16569,6 +16573,10 @@ these libraries see the Getting Started section of the manual. that failed (sum) * active.failed_injects: total crafted packet encode + injects that failed (sum) + * active.holds_canceled: total number of packet hold requests + canceled (sum) + * active.holds_denied: total number of packet hold requests denied + (sum) * active.injects: total crafted packets encoded and injected (sum) * appid.appid_unknown: count of sessions where appid could not be determined (sum) @@ -17153,6 +17161,10 @@ these libraries see the Getting Started section of the manual. * rt_service.hold_requests: total splitter hold requests (sum) * rt_service.packets: total packets (sum) * rt_service.search_requests: total splitter search requests (sum) + * rt_service.send_data_direct_requests: total send data via direct + inject requests (sum) + * rt_service.send_data_requests: total send data via daq inject + requests (sum) * s7commplus.concurrent_sessions: total concurrent s7commplus sessions (now) * s7commplus.frames: total S7commplus messages (sum) 
@@ -17346,8 +17358,6 @@ these libraries see the Getting Started section of the manual. segment limit was reached (sum) * stream_tcp.fins: number of fin packets (sum) * stream_tcp.gaps: missing data between PDUs (sum) - * stream_tcp.held_packet_limit_exceeded: number of times limit of - max held packets exceeded (sum) * stream_tcp.held_packet_rexmits: number of retransmits of held packets (sum) * stream_tcp.held_packets_dropped: number of held packets dropped @@ -18398,6 +18408,7 @@ deleted -> config ' dump_dynamic_rules_path' deleted -> config ' enable_decode_drops' deleted -> config ' enable_decode_oversized_alerts' deleted -> config ' enable_decode_oversized_drops' +deleted -> config ' enable_gtp' deleted -> config ' enable_ipopt_drops' deleted -> config ' enable_tcpopt_drops' deleted -> config ' enable_tcpopt_experimental_drops' @@ -18932,6 +18943,7 @@ deleted -> unified2: 'vlan_event_types' * codec::udp: support for user datagram protocol * codec::user: support for user sessions (DLT 230) * codec::vlan: support for local area network + * codec::vxlan: support for Virtual Extensible LAN * codec::wlan: support for wireless local area network protocol (DLT 105) * connector::file_connector: implement the file based connector diff --git a/src/main/build.h b/src/main/build.h index b9e6bf8a1..d5e3a7586 100644 --- a/src/main/build.h +++ b/src/main/build.h @@ -12,7 +12,7 @@ // // //-----------------------------------------------// -#define BUILD_NUMBER 269 +#define BUILD_NUMBER 270 #ifndef EXTRABUILD #define BUILD STRINGIFY_MX(BUILD_NUMBER)
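Review bot: the prerequisite change in the doc/snort_manual.text hunk at @@ -1284 (and the matching html hunk at @@ -2084) replaces a checkable minimum, "g++ >= 4.8 or other recent C++11 compiler", with "a compiler that supports the C++14 feature set", which gives packagers and CI nothing concrete to verify. Suggest keeping the "g++ >= N or other recent C++14 compiler" form with N set to whatever minimum the build's compiler check actually enforces, so the manual line and the build requirement stay in step.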
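Review bot: the removal of `bool udp.enable_gtp` in the udp hunks (html @@ -10657 and @@ -30243, text @@ -7175 and @@ -16524) is not mentioned anywhere in the ChangeLog hunk; its only trace is the added snort2lua line "deleted -> config ' enable_gtp'". Existing Snort 3 configurations that set `udp.enable_gtp` will no longer find that parameter, so add a ChangeLog entry, for example "-- codecs: Remove udp.enable_gtp; GTP decoding is controlled by udp.gtp_ports" if that is the intended behaviour, so the change is visible to anyone upgrading rather than only to snort2lua users.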
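Review bot: the new help string "string binder[].use.network_policy: deprecated, ignored by binder" (html @@ -11179 and @@ -25448, text @@ -7439 and @@ -14879) tells the reader the key is ignored but not what to use instead or whether setting it produces a warning. A silently ignored policy binding is the kind of thing an operator wants flagged at config load; suggest the help string and the ChangeLog entry "binder: Ignore the network_policy binding" both name the replacement mechanism and state whether a deprecation warning is emitted.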
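Review bot: the stream_tcp hunks (html @@ -17663 and @@ -33258, text @@ -9950 and @@ -17346) delete the peg `stream_tcp.held_packet_limit_exceeded` while the active hunks add `active.holds_denied` and `active.holds_canceled`, but the ChangeLog hunk does not record the removal or the replacement. Anyone collecting `stream_tcp.held_packet_limit_exceeded` from the stats output loses that counter without notice; add a ChangeLog line stating which new peg supersedes it (from the "active: Base hold_packet() decision on DAQ message pool usage" entry this looks like `active.holds_denied`, but the ChangeLog should say so explicitly).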
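Review bot: the rate_filter and suppress modules change from "Usage: detect" to "Usage: context" (html @@ -8564 and @@ -9588, text @@ -6187 and @@ -6606), yet the ChangeLog hunk only records "loggers: Update usage to GLOBAL for all loggers" for the logger modules. Since Usage determines in which policy scope a module may be configured, this change affects where users can place `rate_filter` and `suppress` in their configuration; suggest a ChangeLog entry alongside the loggers one, for example "-- filters: Update usage of rate_filter and suppress to context".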
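Review bot: the three consecutive "flow:" entries in the ChangeLog hunk describe successive revisions of the same ExpectCache prune change (allow a forced prune; prune a specified number of oldest entries regardless of expiration; remove only one, and only when the cache is full), so a reader cannot tell which describes the shipped behaviour without reading the code. Suggest collapsing them into a single entry that states the final behaviour, for example "-- flow: Prune a single oldest ExpectCache entry, regardless of expiration, only when the cache is full".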