From: Steve Chew (stechew)
Date: Wed, 25 Jan 2023 20:05:46 +0000 (+0000)
Subject: Pull request #3749: build: generate and tag 3.1.53.0
X-Git-Tag: 3.1.53.0^0
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b81d74d7397850bbdfd6fb50e1625e88f868d2ce;p=thirdparty%2Fsnort3.git

Pull request #3749: build: generate and tag 3.1.53.0

Merge in SNORT/snort3 from ~PRBG/snort3:build_3.1.53.0 to master

Squashed commit of the following:

commit cd3d7e926d0e257f69663229a6316f36c7956ff4
Author: Priyanka Gurudev
Date:   Wed Jan 25 11:37:17 2023 -0500

    build: generate and tag 3.1.53.0
---
diff --git a/CMakeLists.txt b/CMakeLists.txt index 2a86e7b79..1b419b97f 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -3,7 +3,7 @@ project (snort CXX C) set (VERSION_MAJOR 3) set (VERSION_MINOR 1) -set (VERSION_PATCH 52) +set (VERSION_PATCH 53) set (VERSION_SUBLEVEL 0) set (VERSION "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}.${VERSION_SUBLEVEL}") diff --git a/ChangeLog.md b/ChangeLog.md index b541205be..132f7c4b7 100644 --- a/ChangeLog.md +++ b/ChangeLog.md 
@@ -1,17 +1,26 @@ +2023-01-25: 3.1.53.0 + +* appid: publish tls host set in eve process event handler only when appid discovery is complete +* detection: show search algorithm configured +* file_api: handling filedata in multithreading context +* flow: add stream interface to get parent flow from child flow +* memory: added memusage pegs +* memory: fix unit test build w/o reg test + 2023-01-18: 3.1.52.0 -dce_rpc: add errno resets during uuid parsing -dce_rpc: handling dcerpc over smbv2 -flow: update flow creation to exclude non-syn packets with no payload -framework: change range check types to int64_t to fix ILP32 bit issues -main: Fix missing include file that caused build error on some platforms. -memory: add final epoch to capture stats -memory: add regression test hooks -memory: fix init sequence; thanks to amishmm and Xiche for reporting and debugging the problem -netflow: grab the proto off of the netflow record - not the wire packet -rna: reset host_tracker type when visibility changes -stream: fix iss and irs and mid-stream sent post processing -stream: refactor tcp state machine to handle mid-stream flow and more established cases +* dce_rpc: add errno resets during uuid parsing +* dce_rpc: handling dcerpc over smbv2 +* flow: update flow creation to exclude non-syn packets with no payload +* framework: change range check types to int64_t to fix ILP32 bit issues +* main: Fix missing include file that caused build error on some platforms. +* memory: add final epoch to capture stats +* memory: add regression test hooks +* memory: fix init sequence; thanks to amishmm and Xiche for reporting and debugging the problem +* netflow: grab the proto off of the netflow record - not the wire packet +* rna: reset host_tracker type when visibility changes +* stream: fix iss and irs and mid-stream sent post processing +* stream: refactor tcp state machine to handle mid-stream flow and more established cases 2023-01-11: 3.1.51.0 
diff --git a/doc/reference/snort_reference.text b/doc/reference/snort_reference.text index 3849e7091..567e5466b 100644 --- a/doc/reference/snort_reference.text +++ b/doc/reference/snort_reference.text @@ -8,7 +8,7 @@ Snort 3 Reference Manual The Snort Team Revision History -Revision 3.1.52.0 2023-01-18 06:06:29 EST TST +Revision 3.1.53.0 2023-01-25 11:22:45 EST TST --------------------------------------------------------------------- @@ -16,6 +16,7 @@ Table of Contents 1. Help 2. Basic Modules + 2.1. active 2.2. alerts 2.3. attribute_table @@ -49,7 +50,9 @@ Table of Contents 2.31. snort 2.32. suppress 2.33. trace + 3. Codec Modules + 3.1. arp 3.2. auth 3.3. ciscometadata @@ -77,10 +80,14 @@ Table of Contents 3.25. udp 3.26. vlan 3.27. wlan + 4. Connector Modules + 4.1. file_connector 4.2. tcp_connector + 5. Inspector Modules + 5.1. appid 5.2. appid_listener 5.3. arp_spoof @@ -136,10 +143,14 @@ Table of Contents 5.53. stream_user 5.54. telnet 5.55. wizard + 6. IPS Action Modules + 6.1. react 6.2. reject + 7. IPS Option Modules + 7.1. ack 7.2. appids 7.3. asn1 @@ -271,9 +282,11 @@ Table of Contents 7.129. vba_data 7.130. window 7.131. wscale + 8. Search Engine Modules 9. SO Rule Modules 10. Logger Modules + 10.1. alert_csv 10.2. alert_ex 10.3. alert_fast @@ -286,7 +299,9 @@ Table of Contents 10.10. log_hext 10.11. log_pcap 10.12. unified2 + 11. Appendix + 11.1. Build Options 11.2. Environment Variables 11.3. Command Line Options @@ -4422,6 +4437,10 @@ Peg counts: (sum) * netflow.version_9: count of netflow version 9 packets received (sum) + * netflow.netflow_cache_bytes_in_use: number of bytes used in + netflow cache (now) + * netflow.template_cache_bytes_in_use: number of bytes used in + template cache (now) 5.32. normalizer @@ -4900,6 +4919,8 @@ Peg counts: of new tracking (sum) * port_scan.reload_prunes: number of trackers pruned on reload due to reduced memcap (sum) + * port_scan.bytes_in_use: number of bytes currently used by + portscan (now) 5.38. reputation 
@@ -11651,8 +11672,12 @@ libraries see the Getting Started section of the manual. its value (sum) * netflow.invalid_netflow_record: count of invalid netflow records (sum) + * netflow.netflow_cache_bytes_in_use: number of bytes used in + netflow cache (now) * netflow.packets: total packets processed (sum) * netflow.records: total records found in netflow data (sum) + * netflow.template_cache_bytes_in_use: number of bytes used in + template cache (now) * netflow.unique_flows: count of unique netflow flows (sum) * netflow.v9_missing_template: count of data records that are missing templates (sum) @@ -11789,6 +11814,8 @@ libraries see the Getting Started section of the manual. * pop.uu_decoded_bytes: total uu decoded bytes (sum) * port_scan.alloc_prunes: number of trackers pruned on allocation of new tracking (sum) + * port_scan.bytes_in_use: number of bytes currently used by + portscan (now) * port_scan.packets: number of packets processed by port scan (sum) * port_scan.reload_prunes: number of trackers pruned on reload due to reduced memcap (sum) @@ -12795,12 +12822,12 @@ session. The TCP packet is invalid because it doesn’t have a SYN, ACK, or RST flag set. -116:424 (pbb) truncated ethernet header +116:424 (eth) truncated ethernet header The packet length is less than the minimum ethernet header size (14 bytes) -116:424 (pbb) truncated ethernet header +116:424 (eth) truncated ethernet header A truncated ethernet header was detected. diff --git a/doc/upgrade/snort_upgrade.text b/doc/upgrade/snort_upgrade.text index 3ef73c406..f690c2023 100644 --- a/doc/upgrade/snort_upgrade.text +++ b/doc/upgrade/snort_upgrade.text 
@@ -8,19 +8,22 @@ Snort 3 Upgrade Manual The Snort Team Revision History -Revision 3.1.52.0 2023-01-18 06:06:50 EST TST +Revision 3.1.53.0 2023-01-25 11:23:51 EST TST --------------------------------------------------------------------- Table of Contents 1. Overview + 1.1. Efficacy 1.2. Performance 1.3. Scalability 1.4. Usability 1.5. Extensibility + 2. Snort 3 vs Snort 2 + 2.1. Features New to Snort 3 2.2. Features Improved over Snort 2 2.3. Build Options @@ -30,10 +33,13 @@ Table of Contents 2.7. Output 2.8. Sensitive Data 2.9. Features Not Yet Supported by Snort 3 + 3. Snort2Lua + 3.1. Snort2Lua Command Line 3.2. Known Problems 3.3. Usage + 4. Configuration Changes @@ -820,6 +826,7 @@ change -> config 'checksum_mode' ==> 'network.checksum_eval' change -> config 'daq_dir' ==> 'daq.module_dirs' change -> config 'detection_filter' ==> 'alerts.detection_filter_memcap' change -> config 'enable_deep_teredo_inspection' ==> 'udp.deep_teredo_inspection' +change -> config 'enable_mpls_overlapping_ip' ==> 'packets.mpls_agnostic' change -> config 'event_filter' ==> 'alerts.event_filter_memcap' change -> config 'max_attribute_hosts' ==> 'attribute_table.max_hosts' change -> config 'max_attribute_services_per_host' ==> 'attribute_table.max_services_per_host' 
@@ -859,17 +866,17 @@ change -> daq: 'config daq:' ==> 'name' change -> daq_mode: 'config daq_mode:' ==> 'mode' change -> daq_var: 'config daq_var:' ==> 'variables' change -> detection: 'ac' ==> 'ac_full' -change -> detection: 'ac-banded' ==> 'ac_banded' +change -> detection: 'ac-banded' ==> 'ac_full' change -> detection: 'ac-bnfa' ==> 'ac_bnfa' change -> detection: 'ac-bnfa-nq' ==> 'ac_bnfa' change -> detection: 'ac-bnfa-q' ==> 'ac_bnfa' change -> detection: 'ac-nq' ==> 'ac_full' change -> detection: 'ac-q' ==> 'ac_full' -change -> detection: 'ac-sparsebands' ==> 'ac_sparse_bands' +change -> detection: 'ac-sparsebands' ==> 'ac_full' change -> detection: 'ac-split' ==> 'ac_full' change -> detection: 'ac-split' ==> 'split_any_any' -change -> detection: 'ac-std' ==> 'ac_std' -change -> detection: 'acs' ==> 'ac_sparse' +change -> detection: 'ac-std' ==> 'ac_full' +change -> detection: 'acs' ==> 'ac_full' change -> detection: 'bleedover-port-limit' ==> 'bleedover_port_limit' change -> detection: 'debug-print-fast-pattern' ==> 'show_fast_patterns' change -> detection: 'intel-cpm' ==> 'hyperscan' @@ -878,7 +885,6 @@ change -> detection: 'lowmem-q' ==> 'lowmem' change -> detection: 'max-pattern-len' ==> 'max_pattern_len' change -> detection: 'no_stream_inserts' ==> 'detect_raw_tcp' change -> detection: 'search-method' ==> 'search_method' -change -> detection: 'search-optimize' ==> 'search_optimize' change -> detection: 'split-any-any' ==> 'split_any_any = true by default' change -> detection: 'split-any-any' ==> 'split_any_any' change -> dnp3: 'ports' ==> 'bindings' @@ -956,6 +962,7 @@ change -> rate_filter: 'sig_id' ==> 'sid' change -> reputation: 'shared_mem' ==> 'list_dir' change -> sfportscan: 'proto' ==> 'protos' change -> sfportscan: 'scan_type' ==> 'scan_types' +change -> sip: 'max_requestName_len' ==> 'max_request_name_len' change -> sip: 'ports' ==> 'bindings' change -> smtp: 'ports' ==> 'bindings' change -> ssh: 'server_ports' ==> 'bindings' 
@@ -1021,6 +1028,7 @@ deleted -> config 'disable_decode_drops' deleted -> config 'disable_inline_init_failopen' deleted -> config 'disable_ipopt_alerts' deleted -> config 'disable_ipopt_drops' +deleted -> config 'disable_replace' deleted -> config 'disable_tcpopt_alerts' deleted -> config 'disable_tcpopt_drops' deleted -> config 'disable_tcpopt_experimental_alerts' @@ -1037,6 +1045,7 @@ deleted -> config 'enable_decode_oversized_alerts' deleted -> config 'enable_decode_oversized_drops' deleted -> config 'enable_gtp' deleted -> config 'enable_ipopt_drops' +deleted -> config 'enable_mpls_multicast' deleted -> config 'enable_tcpopt_drops' deleted -> config 'enable_tcpopt_experimental_drops' deleted -> config 'enable_tcpopt_obsolete_drops' @@ -1058,10 +1067,12 @@ deleted -> config 'sfalert_unified2' deleted -> config 'sflog_unified2' deleted -> config 'sidechannel' deleted -> config 'so_rule_memcap' +deleted -> config 'stateful' deleted -> csv: ' can no longer be specific' deleted -> csv: 'default' deleted -> csv: 'trheader' deleted -> detection: 'mwm' +deleted -> detection: 'search-optimize is always true' deleted -> dnp3: 'disabled' deleted -> dnp3: 'memcap' deleted -> dns: 'enable_experimental_types' @@ -1075,6 +1086,8 @@ deleted -> ftp_telnet_protocol: 'detect_anomalies' deleted -> full: ' can no longer be specific' deleted -> http_inspect: 'detect_anomalous_servers' deleted -> http_inspect: 'disabled' +deleted -> http_inspect: 'fast_blocking' +deleted -> http_inspect: 'normalize_random_nulls_in_text' deleted -> http_inspect: 'proxy_alert' deleted -> http_inspect_server: 'allow_proxy_use' deleted -> http_inspect_server: 'enable_cookie' 
@@ -1152,6 +1165,7 @@ deleted -> stream5_tcp: 'ignore_any_rules' deleted -> stream5_tcp: 'log_asymmetric_traffic' deleted -> stream5_tcp: 'policy noack' deleted -> stream5_tcp: 'policy unknown' +deleted -> stream5_tcp: 'use_static_footprint_sizes' deleted -> stream5_udp: 'ignore_any_rules' deleted -> tcpdump: ' can no longer be specific' deleted -> test: 'file' diff --git a/doc/user/snort_user.text b/doc/user/snort_user.text index 65c5b476c..bf9b7f3d4 100644 --- a/doc/user/snort_user.text +++ b/doc/user/snort_user.text @@ -8,17 +8,20 @@ Snort 3 User Manual The Snort Team Revision History -Revision 3.1.52.0 2023-01-18 06:05:36 EST TST +Revision 3.1.53.0 2023-01-25 11:23:07 EST TST --------------------------------------------------------------------- Table of Contents 1. Overview + 1.1. First Steps 1.2. Configuration 1.3. Output + 2. Concepts + 2.1. Terminology 2.2. Modules 2.3. Parameters @@ -26,7 +29,9 @@ Table of Contents 2.5. Operation 2.6. Rules 2.7. Pattern Matching + 3. Tutorial + 3.1. Dependencies 3.2. Building 3.3. Running @@ -34,7 +39,9 @@ Table of Contents 3.5. Common Errors 3.6. Gotchas 3.7. Known Issues + 4. Usage + 4.1. Help 4.2. Sniffing and Logging 4.3. Configuration @@ -45,7 +52,9 @@ Table of Contents 4.8. Logger Alternatives 4.9. Shell 4.10. Signals + 5. Features + 5.1. Active Response 5.2. AppId 5.3. Binder @@ -68,7 +77,9 @@ Table of Contents 5.20. Telnet 5.21. Trace 5.22. Wizard + 6. DAQ Configuration and Modules + 6.1. Building the DAQ Library and Its Bundled DAQ Modules 6.2. Configuration 6.3. Interaction With Multiple Packet Threads
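Review bot: The ChangeLog.md hunk (@@ -1,17 +1,26 @@) lists six 3.1.53.0 entries, but the regenerated upgrade manual in the same commit records snort2lua behaviour that none of them covers: four Snort 2 search methods now map to 'ac_full' and the 'search-optimize' mapping is dropped (doc/upgrade/snort_upgrade.text @@ -859,17 +866,17 @@ and @@ -878,7 +885,6 @@), 'enable_mpls_overlapping_ip' maps to 'packets.mpls_agnostic' (@@ -820,6 +826,7 @@), 'max_requestName_len' is renamed (@@ -956,6 +962,7 @@), and 'disable_replace', 'enable_mpls_multicast', 'stateful', the two http_inspect options and stream5_tcp 'use_static_footprint_sizes' are deleted (@@ -1021 through @@ -1152). Either add "detection:" / "snort2lua:" lines for these or confirm in the PR that they were logged under an earlier release and only the docs lagged. Separately, rewriting the 3.1.52.0 entries from bare lines to "* " bullets is unrelated to the version bump and would be cleaner as its own commit so the tag diff shows only the new release.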
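Review bot: In doc/reference/snort_reference.text @@ -12795,12 +12822,12 @@ the codec tag is corrected from (pbb) to (eth) on both lines, but that leaves 116:424 listed twice under the same title "truncated ethernet header" with two different descriptions ("The packet length is less than the minimum ethernet header size (14 bytes)" and "A truncated ethernet header was detected."). A single GID:SID should have one description; keep the first, which states the actual condition, and drop the duplicate at whatever source the reference is generated from rather than in the generated text.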
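Review bot: In doc/upgrade/snort_upgrade.text @@ -859,17 +866,17 @@ the 'ac-banded', 'ac-sparsebands', 'ac-std' and 'acs' mappings are changed from their like-named Snort 3 values to 'ac_full', which the table presents as a plain rename; these were distinct Snort 2 search methods with different memory footprints, so the manual should state that they are no longer supported and that snort2lua substitutes ac_full, with a pointer to re-check memory use after conversion. The hunk also leaves 'ac-split' mapped to both 'ac_full' and 'split_any_any' on adjacent lines (pre-existing, but now more visible), and the new "deleted -> detection: 'search-optimize is always true'" entry in @@ -1058,10 +1067,12 @@ puts an explanatory sentence in the option-name column, like the existing ' can no longer be specific' entries; a consistent form such as "deleted -> detection: 'search-optimize' (always true)" would keep the table machine-readable.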
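Review bot: The new memory pegs in doc/reference/snort_reference.text (@@ -4422,6 +4437,10 @@, @@ -4900,6 +4919,8 @@, @@ -11651,8 +11672,12 @@, @@ -11789,6 +11814,8 @@) are consistently tagged (now) and appear in both the module sections and the appendix, which matches the "memory: added memusage pegs" ChangeLog entry, but the descriptions use two phrasings for the same kind of gauge: "number of bytes used in netflow cache" / "number of bytes used in template cache" versus "number of bytes currently used by portscan". Pick one wording, and since these are (now) snapshots rather than (sum) counters it is worth saying in the description that the value is what the module is holding at the time of the stats dump, because that is the number operators will compare against the module memcap.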
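Review bot: Every table-of-contents hunk in the three manuals (for example doc/reference/snort_reference.text @@ -16,6 +17,7 @@ through @@ -286,7 +299,9 @@, doc/upgrade/snort_upgrade.text @@ -8,19 +8,22 @@ and @@ -30,10 +33,13 @@, doc/user/snort_user.text @@ -8,17 +8,20 @@ through @@ -68,7 +77,9 @@) is a whitespace-only insertion of blank lines between chapters, which means 3.1.53.0 was rendered with a different documentation toolchain than 3.1.52.0. Pin the generator version used by the release build so that tag commits only show substantive doc changes; as it stands the noise hides the real edits in these files (the 116:424 fix, the new pegs, and the snort2lua table changes).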