From: Priyanka Bangalore Gurudev (prbg)
Date: Wed, 13 Mar 2024 14:17:33 +0000 (+0000)
Subject: Pull request #4241: build: generate and tag 3.1.82.0
X-Git-Tag: 3.1.82.0^0
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bd6cbf1bbd3dcad9cd09261786b664d819357d94;p=thirdparty%2Fsnort3.git
Pull request #4241: build: generate and tag 3.1.82.0
Merge in SNORT/snort3 from ~PRBG/snort3:build_3.1.82.0 to master
Squashed commit of the following:
commit d9bb586ef7e5317954321e6ff1934b399014ac6c
Author: Priyanka Gurudev
Date: Tue Mar 12 12:20:50 2024 -0400
build: generate and tag 3.1.82.0
---
diff --git a/CMakeLists.txt b/CMakeLists.txt
index daaeaf74f..37f295ee7 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -3,7 +3,7 @@ project (snort CXX C)
 set (VERSION_MAJOR 3)
 set (VERSION_MINOR 1)
-set (VERSION_PATCH 81)
+set (VERSION_PATCH 82)
 set (VERSION_SUBLEVEL 0)
 set (VERSION "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}.${VERSION_SUBLEVEL}")
diff --git a/ChangeLog.md b/ChangeLog.md
index 0c32a6cb8..6704e05a6 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -1,3 +1,29 @@
+2024-03-12: 3.1.82.0
+
+* appid: broadcast commands with ctrlcon
+* appid: change eve pattern matching logic
+* appid: replaced warning log with logging api for CBD
+* file_api: do not clear the file capture and user file data pointers when updating the verdict from the cache
+* filters: updated dyn array with vector
+* flow: updated flow_data linklist with STL container
+* framework: validate parameter of number type in a string form
+* kaizen: rename to Snort ML
+* main: clear lua stack when registering commands in a shell
+* main: reset main-thread stats from the main thread
+* main: update limits help
+* packet_capture: add packet capturing per tenant
+* sfip: remove references to unused mode feature
+* sfip: zero out var/node pointers after operations to remedy heap-use-after-free on reload
+* smb: fix for improper session cache destruction in tterm during config reload
+* snort2lua: change deprecated use of ptr_fn to lambda
+* stats: fix timing stats
+* stats: perf improvement changes
+* stream: remove splitter from session before inspectors
+* stream_tcp: add reasons for drops due to trims
+* stream_tcp: implement support for proxy mode normalization behavior
+* stream_tcp: update documentation for stream TCP alerts to include the new 129:21 and 129:22 alerts
+* trace: add tenants logging
+
 2024-02-20: 3.1.81.0
 * appid: check tenant_match() if required
diff --git a/doc/reference/snort_reference.text b/doc/reference/snort_reference.text
index 3217e83b2..eb1400481 100644
--- a/doc/reference/snort_reference.text
+++ b/doc/reference/snort_reference.text
@@ -8,7 +8,7 @@ Snort 3 Reference Manual
 The Snort Team
 Revision History
-Revision 3.1.81.0 2024-02-16 22:51:25 UTC TST
+Revision 3.1.82.0 2024-03-12 12:50:44 EDT TST
 ---------------------------------------------------------------------
@@ -16,6 +16,7 @@ Table of Contents
 1. Help
 2. Basic Modules
+
 2.1. active
 2.2. alerts
 2.3. attribute_table
@@ -49,7 +50,9 @@ Table of Contents
 2.31. snort
 2.32. suppress
 2.33. trace
+
 3. Codec Modules
+
 3.1. arp
 3.2. auth
 3.3. ciscometadata
@@ -77,10 +80,14 @@ Table of Contents
 3.25. udp
 3.26. vlan
 3.27. wlan
+
 4. Connector Modules
+
 4.1. file_connector
 4.2. tcp_connector
+
 5. Inspector Modules
+
 5.1. appid
 5.2. appid_listener
 5.3. arp_spoof
@@ -136,10 +143,14 @@ Table of Contents
 5.53. stream_user
 5.54. telnet
 5.55. wizard
+
 6. IPS Action Modules
+
 6.1. react
 6.2. reject
+
 7. IPS Option Modules
+
 7.1. ack
 7.2. appids
 7.3. base64_decode
@@ -270,9 +281,11 @@ Table of Contents
 7.128. vba_data
 7.129. window
 7.130. wscale
+
 8. Search Engine Modules
 9. SO Rule Modules
 10. Logger Modules
+
 10.1. alert_csv
 10.2. alert_ex
 10.3. alert_fast
@@ -285,7 +298,9 @@ Table of Contents
 10.10. log_hext
 10.11. log_pcap
 10.12. unified2
+
 11. Appendix
+
 11.1. Build Options
 11.2. Environment Variables
 11.3. Command Line Options
@@ -1815,6 +1830,7 @@ Configuration:
 }
 * bool trace.constraints.match = true: use constraints to filter traces
+ * string trace.constraints.tenants: tenants filter
 * enum trace.output: output method for trace log messages { stdout | syslog }
 * bool trace.ntuple = false: print packet n-tuple info with trace
@@ -4670,22 +4686,25 @@ Instance Type: global
 Configuration:
- * bool packet_capture.enable = false: initially enable packet
- dumping
- * string packet_capture.filter: bpf filter to use for packet dump
- * int packet_capture.group = -1: group filter to use for the packet
- dump { -1:32767 }
+ * bool packet_capture.enable = false: state of packet capturing
+ * string packet_capture.filter: bpf filter to use for packet
+ capturing
+ * int packet_capture.group = -1: group filter to use for packet
+ capturing { -1:32767 }
+ * string packet_capture.tenants: comma-separated tenants filter to
+ use for packet capturing
 Commands:
- * packet_capture.enable(filter, group): dump raw packets
- * packet_capture.disable(): stop packet dump
+ * packet_capture.enable(filter, group, tenants): capture raw
+ packets
+ * packet_capture.disable(): stop packet capturing
 Peg counts:
 * packet_capture.processed: packets processed against filter (sum)
- * packet_capture.captured: packets matching dumped after matching
- filter (sum)
+ * packet_capture.captured: packets captured after matching filter
+ (sum)
 5.35. perf_monitor
@@ -5982,6 +6001,8 @@ Peg counts:
 (sum)
 * stream_tcp.zero_win_probes: number of tcp zero window probes (sum)
+ * stream_tcp.proxy_mode_flows: number of flows set to proxy
+ normalization policy (sum)
 5.52. stream_udp
@@ -10134,11 +10155,13 @@ libraries see the Getting Started section of the manual.
 * bool output.verbose = false: be verbose (same as -v)
 * bool output.wide_hex_dump = false: output 20 bytes per lines instead of 16 when dumping buffers
- * bool packet_capture.enable = false: initially enable packet
- dumping
- * string packet_capture.filter: bpf filter to use for packet dump
- * int packet_capture.group = -1: group filter to use for the packet
- dump { -1:32767 }
+ * bool packet_capture.enable = false: state of packet capturing
+ * string packet_capture.filter: bpf filter to use for packet
+ capturing
+ * int packet_capture.group = -1: group filter to use for packet
+ capturing { -1:32767 }
+ * string packet_capture.tenants: comma-separated tenants filter to
+ use for packet capturing
 * bool packets.address_space_agnostic = false: determines whether DAQ address space info is used to track fragments and connections
 * string packets.bpf_file: file with BPF to select traffic for
@@ -11034,6 +11057,7 @@ libraries see the Getting Started section of the manual.
 traces
 * string trace.constraints.src_ip: source IP address filter
 * int trace.constraints.src_port: source port filter { 0:65535 }
+ * string trace.constraints.tenants: tenants filter
 * int trace.modules.all: enable trace for all modules { 0:255 }
 * int trace.modules.appid.all: enable all trace options { 0:255 }
 * int trace.modules.dce_smb.all: enable all trace options { 0:255 }
@@ -11904,8 +11928,8 @@ libraries see the Getting Started section of the manual.
 * normalizer.test_tcp_ts_nop: test timestamp options cleared (sum)
 * normalizer.test_tcp_urgent_ptr: test packets without data with urgent pointer cleared (sum)
- * packet_capture.captured: packets matching dumped after matching
- filter (sum)
+ * packet_capture.captured: packets captured after matching filter
+ (sum)
 * packet_capture.processed: packets processed against filter (sum)
 * payload_injector.http2_injects: total number of http2 injections (sum)
@@ -12267,6 +12291,8 @@ libraries see the Getting Started section of the manual.
 (sum)
 * stream_tcp.payload_fully_trimmed: segments with no data after trimming (sum)
+ * stream_tcp.proxy_mode_flows: number of flows set to proxy
+ normalization policy (sum)
 * stream_tcp.prunes: tcp session prunes (sum)
 * stream_tcp.rebuilt_buffers: rebuilt PDU sections (sum)
 * stream_tcp.rebuilt_bytes: total rebuilt bytes (sum)
@@ -14590,6 +14616,18 @@ TCP window was closed before receiving data.
 The TCP 3-way handshake was not seen for this TCP session.
+129:21 (stream_tcp) TCP max queued reassembly bytes exceeded
+threshold
+
+The maximum bytes allowed to be queued for reassembly for an endpoint
+has been exceeded.
+
+129:22 (stream_tcp) TCP max queued reassembly segments exceeded
+threshold
+
+The maximum number of segments allowed to be queued for reassembly
+for an endpoint has been exceeded.
+
 131:1 (dns) obsolete DNS RR types
 DNS Response Resource Record Type is Obsolete.
@@ -15716,8 +15754,9 @@ alert is raised by the enhanced JavaScript normalizer.
 cache segment(s)
 * network.set_policy(id): set the network policy for commands given the user policy id
- * packet_capture.enable(filter, group): dump raw packets
- * packet_capture.disable(): stop packet dump
+ * packet_capture.enable(filter, group, tenants): capture raw
+ packets
+ * packet_capture.disable(): stop packet capturing
 * packet_tracer.enable(proto, src_ip, src_port, dst_ip, dst_port, tenants): enable packet tracer debugging
 * packet_tracer.disable(): disable packet tracer
diff --git a/doc/upgrade/snort_upgrade.text b/doc/upgrade/snort_upgrade.text
index 1e1578cf0..81d89cdd3 100644
--- a/doc/upgrade/snort_upgrade.text
+++ b/doc/upgrade/snort_upgrade.text
@@ -8,19 +8,22 @@ Snort 3 Upgrade Manual
 The Snort Team
 Revision History
-Revision 3.1.81.0 2024-02-16 22:51:13 UTC TST
+Revision 3.1.82.0 2024-03-12 12:51:51 EDT TST
 ---------------------------------------------------------------------
 Table of Contents
 1. Overview
+
 1.1. Efficacy
 1.2. Performance
 1.3. Scalability
 1.4. Usability
 1.5. Extensibility
+
 2. Snort 3 vs Snort 2
+
 2.1. Features New to Snort 3
 2.2. Features Improved over Snort 2
 2.3. Build Options
@@ -30,10 +33,13 @@ Table of Contents
 2.7. Output
 2.8. Sensitive Data
 2.9. Features Not Yet Supported by Snort 3
+
 3. Snort2Lua
+
 3.1. Snort2Lua Command Line
 3.2. Known Problems
 3.3. Usage
+
 4. Configuration Changes
@@ -820,6 +826,7 @@ change -> config 'checksum_mode' ==> 'network.checksum_eval'
 change -> config 'daq_dir' ==> 'daq.module_dirs'
 change -> config 'detection_filter' ==> 'alerts.detection_filter_memcap'
 change -> config 'enable_deep_teredo_inspection' ==> 'udp.deep_teredo_inspection'
+change -> config 'enable_mpls_overlapping_ip' ==> 'packets.mpls_agnostic'
 change -> config 'event_filter' ==> 'alerts.event_filter_memcap'
 change -> config 'max_attribute_hosts' ==> 'attribute_table.max_hosts'
 change -> config 'max_attribute_services_per_host' ==> 'attribute_table.max_services_per_host'
@@ -859,17 +866,17 @@ change -> daq: 'config daq:' ==> 'name'
 change -> daq_mode: 'config daq_mode:' ==> 'mode'
 change -> daq_var: 'config daq_var:' ==> 'variables'
 change -> detection: 'ac' ==> 'ac_full'
-change -> detection: 'ac-banded' ==> 'ac_banded'
+change -> detection: 'ac-banded' ==> 'ac_full'
 change -> detection: 'ac-bnfa' ==> 'ac_bnfa'
 change -> detection: 'ac-bnfa-nq' ==> 'ac_bnfa'
 change -> detection: 'ac-bnfa-q' ==> 'ac_bnfa'
 change -> detection: 'ac-nq' ==> 'ac_full'
 change -> detection: 'ac-q' ==> 'ac_full'
-change -> detection: 'ac-sparsebands' ==> 'ac_sparse_bands'
+change -> detection: 'ac-sparsebands' ==> 'ac_full'
 change -> detection: 'ac-split' ==> 'ac_full'
 change -> detection: 'ac-split' ==> 'split_any_any'
-change -> detection: 'ac-std' ==> 'ac_std'
-change -> detection: 'acs' ==> 'ac_sparse'
+change -> detection: 'ac-std' ==> 'ac_full'
+change -> detection: 'acs' ==> 'ac_full'
 change -> detection: 'bleedover-port-limit' ==> 'bleedover_port_limit'
 change -> detection: 'debug-print-fast-pattern' ==> 'show_fast_patterns'
 change -> detection: 'intel-cpm' ==> 'hyperscan'
@@ -878,7 +885,6 @@ change -> detection: 'lowmem-q' ==> 'lowmem'
 change -> detection: 'max-pattern-len' ==> 'max_pattern_len'
 change -> detection: 'no_stream_inserts' ==> 'detect_raw_tcp'
 change -> detection: 'search-method' ==> 'search_method'
-change -> detection: 'search-optimize' ==> 'search_optimize'
 change -> detection: 'split-any-any' ==> 'split_any_any = true by default'
 change -> detection: 'split-any-any' ==> 'split_any_any'
 change -> dnp3: 'ports' ==> 'bindings'
@@ -956,6 +962,7 @@ change -> rate_filter: 'sig_id' ==> 'sid'
 change -> reputation: 'shared_mem' ==> 'list_dir'
 change -> sfportscan: 'proto' ==> 'protos'
 change -> sfportscan: 'scan_type' ==> 'scan_types'
+change -> sip: 'max_requestName_len' ==> 'max_request_name_len'
 change -> sip: 'ports' ==> 'bindings'
 change -> smtp: 'ports' ==> 'bindings'
 change -> ssh: 'server_ports' ==> 'bindings'
@@ -1021,6 +1028,7 @@ deleted -> config 'disable_decode_drops'
 deleted -> config 'disable_inline_init_failopen'
 deleted -> config 'disable_ipopt_alerts'
 deleted -> config 'disable_ipopt_drops'
+deleted -> config 'disable_replace'
 deleted -> config 'disable_tcpopt_alerts'
 deleted -> config 'disable_tcpopt_drops'
 deleted -> config 'disable_tcpopt_experimental_alerts'
@@ -1037,6 +1045,7 @@ deleted -> config 'enable_decode_oversized_alerts'
 deleted -> config 'enable_decode_oversized_drops'
 deleted -> config 'enable_gtp'
 deleted -> config 'enable_ipopt_drops'
+deleted -> config 'enable_mpls_multicast'
 deleted -> config 'enable_tcpopt_drops'
 deleted -> config 'enable_tcpopt_experimental_drops'
 deleted -> config 'enable_tcpopt_obsolete_drops'
@@ -1058,10 +1067,12 @@ deleted -> config 'sfalert_unified2'
 deleted -> config 'sflog_unified2'
 deleted -> config 'sidechannel'
 deleted -> config 'so_rule_memcap'
+deleted -> config 'stateful'
 deleted -> csv: ' can no longer be specific'
 deleted -> csv: 'default'
 deleted -> csv: 'trheader'
 deleted -> detection: 'mwm'
+deleted -> detection: 'search-optimize is always true'
 deleted -> dnp3: 'disabled'
 deleted -> dnp3: 'memcap'
 deleted -> dns: 'enable_experimental_types'
@@ -1075,6 +1086,8 @@ deleted -> ftp_telnet_protocol: 'detect_anomalies'
 deleted -> full: ' can no longer be specific'
 deleted -> http_inspect: 'detect_anomalous_servers'
 deleted -> http_inspect: 'disabled'
+deleted -> http_inspect: 'fast_blocking'
+deleted -> http_inspect: 'normalize_random_nulls_in_text'
 deleted -> http_inspect: 'proxy_alert'
 deleted -> http_inspect_server: 'allow_proxy_use'
 deleted -> http_inspect_server: 'enable_cookie'
@@ -1152,6 +1165,7 @@ deleted -> stream5_tcp: 'ignore_any_rules'
 deleted -> stream5_tcp: 'log_asymmetric_traffic'
 deleted -> stream5_tcp: 'policy noack'
 deleted -> stream5_tcp: 'policy unknown'
+deleted -> stream5_tcp: 'use_static_footprint_sizes'
 deleted -> stream5_udp: 'ignore_any_rules'
 deleted -> tcpdump: ' can no longer be specific'
 deleted -> test: 'file'
diff --git a/doc/user/snort_user.text b/doc/user/snort_user.text
index 5d96f45fd..d30f9be76 100644
--- a/doc/user/snort_user.text
+++ b/doc/user/snort_user.text
@@ -8,17 +8,20 @@ Snort 3 User Manual
 The Snort Team
 Revision History
-Revision 3.1.81.0 2024-02-16 22:51:13 UTC TST
+Revision 3.1.82.0 2024-03-12 12:51:07 EDT TST
 ---------------------------------------------------------------------
 Table of Contents
 1. Overview
+
 1.1. First Steps
 1.2. Configuration
 1.3. Output
+
 2. Concepts
+
 2.1. Terminology
 2.2. Modules
 2.3. Parameters
@@ -26,7 +29,9 @@ Table of Contents
 2.5. Operation
 2.6. Rules
 2.7. Pattern Matching
+
 3. Tutorial
+
 3.1. Dependencies
 3.2. Building
 3.3. Running
@@ -34,7 +39,9 @@ Table of Contents
 3.5. Common Errors
 3.6. Gotchas
 3.7. Known Issues
+
 4. Usage
+
 4.1. Help
 4.2. Sniffing and Logging
 4.3. Configuration
@@ -45,7 +52,9 @@ Table of Contents
 4.8. Logger Alternatives
 4.9. Shell
 4.10. Signals
+
 5. Features
+
 5.1. Active Response
 5.2. AppId
 5.3. Binder
@@ -68,7 +77,9 @@ Table of Contents
 5.20. Telnet
 5.21. Trace
 5.22. Wizard
+
 6. DAQ Configuration and Modules
+
 6.1. Building the DAQ Library and Its Bundled DAQ Modules
 6.2. Configuration
 6.3. Interaction With Multiple Packet Threads