From: Mike Stepanek (mstepane) Date: Wed, 22 May 2019 20:41:32 +0000 (-0400) Subject: Merge pull request #1615 in SNORT/snort3 from ~NIHDESAI/snort3:build_256 to master X-Git-Tag: 3.0.0-256 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b2976b29108b1248e7ad672443d217735fd25f55;p=thirdparty%2Fsnort3.git Merge pull request #1615 in SNORT/snort3 from ~NIHDESAI/snort3:build_256 to master Squashed commit of the following: commit 68d6c61b35320abc1301d55a0bac95d57e25ec3c Author: Nihal Desai Date: Wed May 22 13:42:31 2019 -0400 build: generate build 256 --- diff --git a/ChangeLog b/ChangeLog index eec8027ff..5f5cd92ad 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,33 @@ +19/05/22 - build 256 + +-- DAQng: Port Snort and its DAQ modules to DAQ3 + - Massive refactoring of the Analyzer thread + - Handle multiple offloaded wire packets + - Port hext and file DAQ modules to DAQng + - Reimplement the RETRY verdict internal to Snort + - Revamp skip-n/exit-after-n/pause-after-n handling + - Update lua tweaks with new DAQ configuration format + - Update sfdaq unit tests for DAQng + - Update snort2lua to convert to new DAQ configuration +-- filters: add peg count for when the thd_runtime XHash table gets full. +-- filters: make thd_runtime and rf_hash thread local and allocate them from thread init + rather than from Module::end() +-- http_inspect: fix status_code_num bug in HttpMsgHeader::update_flow() that leads to + assert on input.length()>0 in norm_decimal_integer +-- main: Fix File Descriptor leaks +-- main: Include analyzer.h in snort.c +-- packet_io: Refactor the Trough a bit +-- perf_mon: Fixed time stamp and memory leak issue + - Add real timestamp to empty perf_stats data + - Updated dbus default subscription code and perf_mon event subscirption code + to resolve memory leak and invalid event subscription from reloading + - Moved flow_ip_tracker to thread local +-- perf_monitor: Fixing heap-use-after-free after reload failure +-- port_scan: Change minimum memcap value to 1024 to avoid divide by zero crash +-- rule_state: change enable values "true" / "false" to "yes" / "no" +-- snort2lua: Remove sticky buffer duplicates +-- stream: disable inspection of flow on reset + 19/05/03 - build 255 -- ips: add includer for better relative path support diff --git a/doc/snort_manual.html b/doc/snort_manual.html index 03414af31..4ffb514c9 100644 --- a/doc/snort_manual.html +++ b/doc/snort_manual.html @@ -782,7 +782,7 @@ asciidoc.install(2);
 ,,_     -*> Snort++ <*-
-o"  )~   Version 3.0.0 (Build 254) from 2.9.11
+o"  )~   Version 3.0.0 (Build 256) from 2.9.11
  ''''    By Martin Roesch & The Snort Team
          http://snort.org/contact#team
          Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
@@ -1203,6 +1203,50 @@ include statement.  In addition you can load rules like:

You can use both approaches together.

+

Includes

+

Your configuration file file may include other files, either directly via Lua or via +various parameters. Snort will find relative includes in the following order:

+
    +
  1. +

    +If you specify --include-path, this directory will be tried first. +

    +
  2. +
  3. +

    +Snort will try the directory containing the including file. +

    +
  4. +
  5. +

    +Snort will try the directory containing the -c configuration file. +

    +
  6. +
+

Some things to keep in mind:

+
    +
  • +

    +If you use the Lua dofile function, then you must specify absolute paths + or paths relative to your working directory since Lua will execute the + include before Snort sees the file contents. +

    +
  • +
  • +

    +For best results, use include in place of dofile. This function is + provided to follow Snort’s include logic. +

    +
  • +
  • +

    +As of now, appid and reputation paths must be absolute or relative to the + working directory. These will be updated in a future release. +

    +
  • +
+
+

Converting Your 2.X Configuration

If you have a working 2.X configuration snort2lua makes it easy to get up and running with Snort 3. This tool will convert your configuration and/or @@ -7110,47 +7154,37 @@ string classifications[].text: description of clas

  • -string daq.module_dirs[].str: string parameter -

    -
  • -
  • -

    -string daq.input_spec: input specification +string daq.module_dirs[].path: directory path

  • -string daq.module: DAQ module to use +string daq.inputs[].input: input source

  • -string daq.variables[].str: string parameter +int daq.snaplen = 1518: set snap length (same as -s) { 0:65535 }

  • -int daq.instances[].id: instance ID (required) { 0:max32 } +int daq.batch_size = 64: set receive batch size (same as --daq-batch-size) { 1: }

  • -string daq.instances[].input_spec: input specification +string daq.modules[].name: DAQ module name (required)

  • -string daq.instances[].variables[].str: string parameter +enum daq.modules[].mode = passive: DAQ module mode { passive | inline | read-file }

  • -int daq.snaplen: set snap length (same as -s) { 0:65535 } -

    -
  • -
  • -

    -bool daq.no_promisc = false: whether to put DAQ device into promiscuous mode +string daq.modules[].variables[].variable: DAQ module variable (foo[=bar])

@@ -7258,6 +7292,14 @@ bool daq.no_promisc = false: whether to put DAQ device into pro

What: general decoder rules

Type: basic

Usage: context

+

Configuration:

+
    +
  • +

    +int decode.trace: mask for enabling debug traces in module { 0:max53 } +

    +
  • +

Rules:

  • @@ -7512,6 +7554,19 @@ string event_filter[].ip: restrict filter to these

+

Peg counts:

+
    +
  • +

    +event_filter.no_memory_local: number of times event filter ran out of local memory (sum) +

    +
  • +
  • +

    +event_filter.no_memory_global: number of times event filter ran out of global memory (sum) +

    +
  • +

event_queue

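Review bot: the ChangeLog entry "filters: add peg count for when the thd_runtime XHash table gets full" is singular, but this hunk adds two counters, `event_filter.no_memory_local` and `event_filter.no_memory_global`, and the rate_filter hunk adds `rate_filter.no_memory`; the entry should list all three and the peg descriptions should say what "local" versus "global" memory refers to (the thread-local thd_runtime introduced in the same build versus the shared table?), since a non-zero value means the filter could not track a new entry, which is a detection-coverage signal operators will want to alert on.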
@@ -7765,7 +7820,7 @@ enum inspection.mode = inline-test: set policy mode { inline |
  • -enum ips.default_rule_state = inherit: enable or disable ips rules { false | true | inherit } +enum ips.default_rule_state = inherit: enable or disable ips rules { no | yes | inherit }

  • @@ -7780,7 +7835,12 @@ int ips.id = 0: correlate unified2 events with configuration {
  • -string ips.include: legacy snort rules and includes +string ips.include: snort rules and includes +

    +
  • +
  • +

    +string ips.includer: for internal use; where includes are included from { (optional) }

  • @@ -8322,6 +8382,14 @@ string rate_filter[].apply_to: restrict filter to

+

Peg counts:

+
    +
  • +

    +rate_filter.no_memory: number of times rate filter ran out of memory (sum) +

    +
  • +

references

@@ -8356,7 +8424,7 @@ enum rule_state.([0-9]+):([0-9]+)[].action = inher
  • -enum rule_state.([0-9]+):([0-9]+)[].enable = inherit: enable or disable rule in current ips policy or use default defined by ips policy { false | true | inherit } +enum rule_state.([0-9]+):([0-9]+)[].enable = inherit: enable or disable rule in current ips policy or use default defined by ips policy { no | yes | inherit }

  • @@ -8744,6 +8812,11 @@ string snort.--daq: <type> select packet acquisition modu
  • +int snort.--daq-batch-size = 64: <size> set the DAQ receive batch size { 1: } +

    +
  • +
  • +

    string snort.--daq-dir: <dir> tell snort where to find desired DAQ

  • @@ -8754,6 +8827,11 @@ implied snort.--daq-list: list packet acquisition modules avail
  • +enum snort.--daq-mode: <mode> select DAQ module operating mode (overrides automatic selection) { passive | inline | read-file } +

    +
  • +
  • +

    string snort.--daq-var: <name=value> specify extra DAQ configuration variable

  • @@ -14296,7 +14374,7 @@ int pop.uu_decode_depth = 1460: Unix-to-Unix decoding depth (-1
    • -int port_scan.memcap = 1048576: maximum tracker memory in bytes { 1:maxSZ } +int port_scan.memcap = 1048576: maximum tracker memory in bytes { 1024:maxSZ }

    • @@ -23576,6 +23654,11 @@ these libraries see the Getting Started section of the manual.

  • +--daq-batch-size <size> set the DAQ receive batch size (1:) +

    +
  • +
  • +

    --daq-dir <dir> tell snort where to find desired DAQ

  • @@ -23586,6 +23669,11 @@ these libraries see the Getting Started section of the manual.

  • +--daq-mode <mode> select DAQ module operating mode (overrides automatic selection) (passive | inline | read-file) +

    +
  • +
  • +

    --daq-var <name=value> specify extra DAQ configuration variable

  • @@ -24751,47 +24839,37 @@ implied cvs.invalid-entry: looks for an invalid Entry string
  • -string daq.input_spec: input specification -

    -
  • -
  • -

    -int daq.instances[].id: instance ID (required) { 0:max32 } -

    -
  • -
  • -

    -string daq.instances[].input_spec: input specification +int daq.batch_size = 64: set receive batch size (same as --daq-batch-size) { 1: }

  • -string daq.instances[].variables[].str: string parameter +string daq.inputs[].input: input source

  • -string daq.module: DAQ module to use +string daq.module_dirs[].path: directory path

  • -string daq.module_dirs[].str: string parameter +enum daq.modules[].mode = passive: DAQ module mode { passive | inline | read-file }

  • -bool daq.no_promisc = false: whether to put DAQ device into promiscuous mode +string daq.modules[].name: DAQ module name (required)

  • -int daq.snaplen: set snap length (same as -s) { 0:65535 } +string daq.modules[].variables[].variable: DAQ module variable (foo[=bar])

  • -string daq.variables[].str: string parameter +int daq.snaplen = 1518: set snap length (same as -s) { 0:65535 }

  • @@ -26141,7 +26219,7 @@ string ip_proto.~proto: [!|>|<] name or number
  • -enum ips.default_rule_state = inherit: enable or disable ips rules { false | true | inherit } +enum ips.default_rule_state = inherit: enable or disable ips rules { no | yes | inherit }

  • @@ -26156,7 +26234,12 @@ int ips.id = 0: correlate unified2 events with configuration {
  • -string ips.include: legacy snort rules and includes +string ips.includer: for internal use; where includes are included from { (optional) } +

    +
  • +
  • +

    +string ips.include: snort rules and includes

  • @@ -26866,7 +26949,7 @@ int port_scan.ip_window = 0: detection interval for all IP scan
  • -int port_scan.memcap = 1048576: maximum tracker memory in bytes { 1:maxSZ } +int port_scan.memcap = 1048576: maximum tracker memory in bytes { 1024:maxSZ }

  • @@ -27356,7 +27439,7 @@ enum rule_state.([0-9]+):([0-9]+)[].action = inher
  • -enum rule_state.([0-9]+):([0-9]+)[].enable = inherit: enable or disable rule in current ips policy or use default defined by ips policy { false | true | inherit } +enum rule_state.([0-9]+):([0-9]+)[].enable = inherit: enable or disable rule in current ips policy or use default defined by ips policy { no | yes | inherit }

  • @@ -27776,6 +27859,11 @@ implied snort.--create-pidfile: create PID file, even when not
  • +int snort.--daq-batch-size = 64: <size> set the DAQ receive batch size { 1: } +

    +
  • +
  • +

    string snort.--daq-dir: <dir> tell snort where to find desired DAQ

  • @@ -27786,6 +27874,11 @@ implied snort.--daq-list: list packet acquisition modules avail
  • +enum snort.--daq-mode: <mode> select DAQ module operating mode (overrides automatic selection) { passive | inline | read-file } +

    +
  • +
  • +

    string snort.--daq: <type> select packet acquisition module (default is pcap)

  • @@ -29831,6 +29924,16 @@ interval wscale.~range: check if TCP window scale is in given r
  • +event_filter.no_memory_global: number of times event filter ran out of global memory (sum) +

    +
  • +
  • +

    +event_filter.no_memory_local: number of times event filter ran out of local memory (sum) +

    +
  • +
  • +

    file_connector.messages: total messages (sum)

  • @@ -30641,6 +30744,11 @@ interval wscale.~range: check if TCP window scale is in given r
  • +rate_filter.no_memory: number of times rate filter ran out of memory (sum) +

    +
  • +
  • +

    reg_test.packets: total packets (sum)

  • @@ -34737,9 +34845,7 @@ change -> attribute_table: 'STREAM_POLICY' ==> 'hosts: tcp_policy' change -> attribute_table: 'filename <file_name>' ==> 'hosts[]' change -> config ' addressspace_agnostic' ==> ' packets. address_space_agnostic' change -> config ' checksum_mode' ==> ' network. checksum_eval' -change -> config ' daq' ==> ' daq. module' change -> config ' daq_dir' ==> ' daq. module_dirs, true' -change -> config ' daq_var' ==> ' daq. variables, true' change -> config ' detection_filter' ==> ' alerts. detection_filter_memcap' change -> config ' enable_deep_teredo_inspection' ==> ' udp. deep_teredo_inspection' change -> config ' event_filter' ==> ' alerts. event_filter_memcap' @@ -34777,6 +34883,9 @@ change -> csv: 'tcplen' ==> 'tcp_len' change -> csv: 'tcpseq' ==> 'tcp_seq' change -> csv: 'tcpwindow' ==> 'tcp_win' change -> csv: 'udplength' ==> 'udp_len' +change -> daq: 'config daq:' ==> 'name' +change -> daq_mode: 'config daq_mode:' ==> 'mode' +change -> daq_var: 'config daq_var:' ==> 'variables' change -> detection: 'ac' ==> 'ac_full' change -> detection: 'ac-banded' ==> 'ac_banded' change -> detection: 'ac-bnfa' ==> 'ac_bnfa' @@ -34937,7 +35046,6 @@ deleted -> attribute_table: '<FRAG_POLICY>unknown</FRAG_POLICY>' deleted -> attribute_table: '<STREAM_POLICY>noack</STREAM_POLICY>' deleted -> attribute_table: '<STREAM_POLICY>unknown</STREAM_POLICY>' deleted -> config ' cs_dir' -deleted -> config ' daq_mode' deleted -> config ' decode_data_link' deleted -> config ' disable_attribute_reload_thread' deleted -> config ' disable_decode_alerts' @@ -34973,6 +35081,7 @@ deleted -> config ' include_vlan_in_alerts' deleted -> config ' interface' deleted -> config ' layer2resets' deleted -> config ' log_ipv6_extra_data' +deleted -> config ' no_promisc' deleted -> config ' nolog' deleted -> config ' protected_content' deleted -> config ' sidechannel' @@ -38157,7 +38266,7 @@ Adding/removing stream_* inspectors if stream was already configured 
diff --git a/doc/snort_manual.pdf b/doc/snort_manual.pdf index e95b45548..891894a72 100644 Binary files a/doc/snort_manual.pdf and b/doc/snort_manual.pdf differ diff --git a/doc/snort_manual.text b/doc/snort_manual.text index 22567f3d1..88a6e7a50 100644 --- a/doc/snort_manual.text +++ b/doc/snort_manual.text @@ -386,7 +386,7 @@ Table of Contents Snorty ,,_ -*> Snort++ <*- -o" )~ Version 3.0.0 (Build 254) from 2.9.11 +o" )~ Version 3.0.0 (Build 256) from 2.9.11 '''' By Martin Roesch & The Snort Team http://snort.org/contact#team Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved. @@ -667,7 +667,30 @@ $ sort -c snort.lua -R rules.txt You can use both approaches together. -1.2.4. Converting Your 2.X Configuration +1.2.4. Includes + +Your configuration file file may include other files, either directly +via Lua or via various parameters. Snort will find relative includes +in the following order: + + 1. If you specify --include-path, this directory will be tried + first. + 2. Snort will try the directory containing the including file. + 3. Snort will try the directory containing the -c configuration + file. + +Some things to keep in mind: + + * If you use the Lua dofile function, then you must specify + absolute paths or paths relative to your working directory since + Lua will execute the include before Snort sees the file contents. + * For best results, use include in place of dofile. This function + is provided to follow Snort’s include logic. + * As of now, appid and reputation paths must be absolute or + relative to the working directory. These will be updated in a + future release. + +1.2.5. Converting Your 2.X Configuration If you have a working 2.X configuration snort2lua makes it easy to get up and running with Snort 3. This tool will convert your 
@@ -5446,16 +5469,16 @@ Usage: global Configuration: - * string daq.module_dirs[].str: string parameter - * string daq.input_spec: input specification - * string daq.module: DAQ module to use - * string daq.variables[].str: string parameter - * int daq.instances[].id: instance ID (required) { 0:max32 } - * string daq.instances[].input_spec: input specification - * string daq.instances[].variables[].str: string parameter - * int daq.snaplen: set snap length (same as -s) { 0:65535 } - * bool daq.no_promisc = false: whether to put DAQ device into - promiscuous mode + * string daq.module_dirs[].path: directory path + * string daq.inputs[].input: input source + * int daq.snaplen = 1518: set snap length (same as -s) { 0:65535 } + * int daq.batch_size = 64: set receive batch size (same as + --daq-batch-size) { 1: } + * string daq.modules[].name: DAQ module name (required) + * enum daq.modules[].mode = passive: DAQ module mode { passive | + inline | read-file } + * string daq.modules[].variables[].variable: DAQ module variable + (foo[=bar]) Peg counts: @@ -5493,6 +5516,11 @@ Type: basic Usage: context +Configuration: + + * int decode.trace: mask for enabling debug traces in module { + 0:max53 } + Rules: * 116:450 (decode) bad IP protocol @@ -5596,6 +5624,13 @@ Configuration: * string event_filter[].ip: restrict filter to these addresses according to track +Peg counts: + + * event_filter.no_memory_local: number of times event filter ran + out of local memory (sum) + * event_filter.no_memory_global: number of times event filter ran + out of global memory (sum) + 6.9. event_queue 
@@ -5760,12 +5795,14 @@ Usage: detect Configuration: * enum ips.default_rule_state = inherit: enable or disable ips - rules { false | true | inherit } + rules { no | yes | inherit } * bool ips.enable_builtin_rules = false: enable events from builtin rules w/o stubs * int ips.id = 0: correlate unified2 events with configuration { 0:65535 } - * string ips.include: legacy snort rules and includes + * string ips.include: snort rules and includes + * string ips.includer: for internal use; where includes are + included from { (optional) } * enum ips.mode: set policy mode { tap | inline | inline-test } * string ips.rules: snort rules and includes * bool ips.obfuscate_pii = false: mask all but the last 4 @@ -6053,6 +6090,11 @@ Configuration: * string rate_filter[].apply_to: restrict filter to these addresses according to track +Peg counts: + + * rate_filter.no_memory: number of times rate filter ran out of + memory (sum) + 6.25. references @@ -6087,7 +6129,7 @@ Configuration: pass | alert | drop | block | reset | inherit } * enum rule_state.([0-9]+):([0-9]+)[].enable = inherit: enable or disable rule in current ips policy or use default defined by ips - policy { false | true | inherit } + policy { no | yes | inherit } 6.27. search_engine @@ -6250,10 +6292,14 @@ Configuration: Daemon mode * string snort.--daq: select packet acquisition module (default is pcap) + * int snort.--daq-batch-size = 64: set the DAQ receive batch + size { 1: } * string snort.--daq-dir: tell snort where to find desired DAQ * implied snort.--daq-list: list packet acquisition modules available in optional dir, default is static modules only + * enum snort.--daq-mode: select DAQ module operating mode + (overrides automatic selection) { passive | inline | read-file } * string snort.--daq-var: specify extra DAQ configuration variable * implied snort.--dirty-pig: don’t flush packets on shutdown 
@@ -8655,7 +8701,7 @@ Usage: global Configuration: * int port_scan.memcap = 1048576: maximum tracker memory in bytes { - 1:maxSZ } + 1024:maxSZ } * multi port_scan.protos = all: choose the protocols to monitor { tcp | udp | icmp | ip | all } * multi port_scan.scan_types = all: choose type of scans to look @@ -13917,9 +13963,12 @@ these libraries see the Getting Started section of the manual. * --control-socket to create unix socket * --create-pidfile create PID file, even when not in Daemon mode * --daq select packet acquisition module (default is pcap) + * --daq-batch-size set the DAQ receive batch size (1:) * --daq-dir tell snort where to find desired DAQ * --daq-list list packet acquisition modules available in optional dir, default is static modules only + * --daq-mode select DAQ module operating mode (overrides + automatic selection) (passive | inline | read-file) * --daq-var specify extra DAQ configuration variable * --dirty-pig don’t flush packets on shutdown * --dump-builtin-rules [] output stub rules for 
@@ -14318,16 +14367,16 @@ these libraries see the Getting Started section of the manual. * string content.within: var or maximum number of bytes to search from cursor * implied cvs.invalid-entry: looks for an invalid Entry string - * string daq.input_spec: input specification - * int daq.instances[].id: instance ID (required) { 0:max32 } - * string daq.instances[].input_spec: input specification - * string daq.instances[].variables[].str: string parameter - * string daq.module: DAQ module to use - * string daq.module_dirs[].str: string parameter - * bool daq.no_promisc = false: whether to put DAQ device into - promiscuous mode - * int daq.snaplen: set snap length (same as -s) { 0:65535 } - * string daq.variables[].str: string parameter + * int daq.batch_size = 64: set receive batch size (same as + --daq-batch-size) { 1: } + * string daq.inputs[].input: input source + * string daq.module_dirs[].path: directory path + * enum daq.modules[].mode = passive: DAQ module mode { passive | + inline | read-file } + * string daq.modules[].name: DAQ module name (required) + * string daq.modules[].variables[].variable: DAQ module variable + (foo[=bar]) + * int daq.snaplen = 1518: set snap length (same as -s) { 0:65535 } * select data_log.key = http_request_header_event : name of the event to log { http_request_header_event | http_response_header_event } 
@@ -14796,12 +14845,14 @@ these libraries see the Getting Started section of the manual. lsrre|ssrr|satid|any } * string ip_proto.~proto: [!|>|<] name or number * enum ips.default_rule_state = inherit: enable or disable ips - rules { false | true | inherit } + rules { no | yes | inherit } * bool ips.enable_builtin_rules = false: enable events from builtin rules w/o stubs * int ips.id = 0: correlate unified2 events with configuration { 0:65535 } - * string ips.include: legacy snort rules and includes + * string ips.includer: for internal use; where includes are + included from { (optional) } + * string ips.include: snort rules and includes * enum ips.mode: set policy mode { tap | inline | inline-test } * bool ips.obfuscate_pii = false: mask all but the last 4 characters of credit card and social security numbers @@ -15055,7 +15106,7 @@ these libraries see the Getting Started section of the manual. * int port_scan.ip_window = 0: detection interval for all IP scans { 0:max32 } * int port_scan.memcap = 1048576: maximum tracker memory in bytes { - 1:maxSZ } + 1024:maxSZ } * multi port_scan.protos = all: choose the protocols to monitor { tcp | udp | icmp | ip | all } * multi port_scan.scan_types = all: choose type of scans to look @@ -15220,7 +15271,7 @@ these libraries see the Getting Started section of the manual. pass | alert | drop | block | reset | inherit } * enum rule_state.([0-9]+):([0-9]+)[].enable = inherit: enable or disable rule in current ips policy or use default defined by ips - policy { false | true | inherit } + policy { no | yes | inherit } * string sd_pattern.~pattern: The pattern to search for * int sd_pattern.threshold = 1: number of matches before alerting { 1:max32 } 
@@ -15368,10 +15419,14 @@ these libraries see the Getting Started section of the manual. hex) * implied snort.--create-pidfile: create PID file, even when not in Daemon mode + * int snort.--daq-batch-size = 64: set the DAQ receive batch + size { 1: } * string snort.--daq-dir: tell snort where to find desired DAQ * implied snort.--daq-list: list packet acquisition modules available in optional dir, default is static modules only + * enum snort.--daq-mode: select DAQ module operating mode + (overrides automatic selection) { passive | inline | read-file } * string snort.--daq: select packet acquisition module (default is pcap) * string snort.--daq-var: specify extra DAQ @@ -16021,6 +16076,10 @@ these libraries see the Getting Started section of the manual. * domain_filter.checked: domains checked (sum) * domain_filter.filtered: domains filtered (sum) * dpx.packets: total packets (sum) + * event_filter.no_memory_global: number of times event filter ran + out of global memory (sum) + * event_filter.no_memory_local: number of times event filter ran + out of local memory (sum) * file_connector.messages: total messages (sum) * file_id.cache_failures: number of file cache add failures (sum) * file_id.total_file_data: number of file data bytes processed @@ -16232,6 +16291,8 @@ these libraries see the Getting Started section of the manual. * pop.uu_attachments: total uu attachments decoded (sum) * pop.uu_decoded_bytes: total uu decoded bytes (sum) * port_scan.packets: total packets (sum) + * rate_filter.no_memory: number of times rate filter ran out of + memory (sum) * reg_test.packets: total packets (sum) * reg_test.retry_packets: total retried packets received (sum) * reg_test.retry_requests: total retry packets requested (sum) 
@@ -17239,9 +17300,7 @@ change -> attribute_table: 'STREAM_POLICY' ==> 'hosts: tcp_policy' change -> attribute_table: 'filename ' ==> 'hosts[]' change -> config ' addressspace_agnostic' ==> ' packets. address_space_agnostic' change -> config ' checksum_mode' ==> ' network. checksum_eval' -change -> config ' daq' ==> ' daq. module' change -> config ' daq_dir' ==> ' daq. module_dirs, true' -change -> config ' daq_var' ==> ' daq. variables, true' change -> config ' detection_filter' ==> ' alerts. detection_filter_memcap' change -> config ' enable_deep_teredo_inspection' ==> ' udp. deep_teredo_inspection' change -> config ' event_filter' ==> ' alerts. event_filter_memcap' @@ -17279,6 +17338,9 @@ change -> csv: 'tcplen' ==> 'tcp_len' change -> csv: 'tcpseq' ==> 'tcp_seq' change -> csv: 'tcpwindow' ==> 'tcp_win' change -> csv: 'udplength' ==> 'udp_len' +change -> daq: 'config daq:' ==> 'name' +change -> daq_mode: 'config daq_mode:' ==> 'mode' +change -> daq_var: 'config daq_var:' ==> 'variables' change -> detection: 'ac' ==> 'ac_full' change -> detection: 'ac-banded' ==> 'ac_banded' change -> detection: 'ac-bnfa' ==> 'ac_bnfa' @@ -17439,7 +17501,6 @@ deleted -> attribute_table: 'unknown' deleted -> attribute_table: 'noack' deleted -> attribute_table: 'unknown' deleted -> config ' cs_dir' -deleted -> config ' daq_mode' deleted -> config ' decode_data_link' deleted -> config ' disable_attribute_reload_thread' deleted -> config ' disable_decode_alerts' @@ -17475,6 +17536,7 @@ deleted -> config ' include_vlan_in_alerts' deleted -> config ' interface' deleted -> config ' layer2resets' deleted -> config ' log_ipv6_extra_data' +deleted -> config ' no_promisc' deleted -> config ' nolog' deleted -> config ' protected_content' deleted -> config ' sidechannel' diff --git a/src/main/build.h b/src/main/build.h index 16d3c7e22..a29f3e7c4 100644 --- a/src/main/build.h +++ b/src/main/build.h 
@@ -12,7 +12,7 @@ // // //-----------------------------------------------// -#define BUILD_NUMBER 255 +#define BUILD_NUMBER 256 #ifndef EXTRABUILD #define BUILD STRINGIFY_MX(BUILD_NUMBER)
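Review bot: the ChangeLog hunk has a typo in the perf_mon entry, "perf_mon event subscirption code" should read "subscription", and the same hunk names one module two ways ("perf_mon: Fixed time stamp and memory leak issue" and "perf_monitor: Fixing heap-use-after-free after reload failure"), so use one name and one tense. Two user-visible changes elsewhere in this build are not mentioned: `daq.no_promisc` disappears from the daq parameter list with no replacement shown, and `ips.default_rule_state` moves from `{ false | true | inherit }` to `{ no | yes | inherit }` while the entry only covers `rule_state`; both deserve a line, since a configuration that still sets `true`/`false` no longer matches the documented enum.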
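Review bot: the new Includes section in the snort_manual.html hunk (`@@ -1203,6 +1203,50 @@`) has a duplicated word, "Your configuration file file may include other files", and the same sentence is repeated in the snort_manual.text hunk, so fix both. The three-step search order is clear, but the section should also state what happens when none of the three directories contains the file (error versus silently skipped), and it is worth making explicit that `--include-path` is consulted before the including file's own directory, so whoever controls that directory controls which copy of a relative include is loaded.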
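Review bot: `int decode.trace: mask for enabling debug traces in module { 0:max53 }` in the decoder hunk shows no default, while the neighbouring integer parameters do (`int daq.snaplen = 1518`, `int daq.batch_size = 64`); if the module defines a default of 0 the generated line will show `= 0` and readers can see that traces are off unless enabled, which matters because this is the general decoder running on every packet.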
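Review bot: the port_scan.memcap hunks only change the documented range from `{ 1:maxSZ }` to `{ 1024:maxSZ }`; the ChangeLog says this is "to avoid divide by zero crash", and a schema bound protects values set through the configuration but not any other path that computes with the memcap, so confirm the division itself is guarded in the tracker code and add a sentence saying why 1024 is the floor so it does not read as a magic number.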
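Review bot: in the snort2lua hunk, `+deleted -> config ' no_promisc'` means a 2.X `config no_promisc` line is dropped during conversion, which restores the default behaviour documented by the removed `bool daq.no_promisc = false` entry (device placed into promiscuous mode) for anyone who had turned it off; the `daq`, `daq_mode` and `daq_var` lines in the same hunk carry their settings over, so `no_promisc` should either be mapped to the equivalent DAQ module variable or snort2lua should emit a visible comment naming the dropped option so the operator notices the change.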