From: Michael Altizer (mialtize) Date: Thu, 22 Oct 2020 17:48:05 +0000 (+0000) Subject: Merge pull request #2567 in SNORT/snort3 from ~MIALTIZE/snort3:3_0_3_build_3 to master X-Git-Tag: 3.0.3-3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c20abf1f5c44290821c139a8097eaf965c376ebf;p=thirdparty%2Fsnort3.git Merge pull request #2567 in SNORT/snort3 from ~MIALTIZE/snort3:3_0_3_build_3 to master Squashed commit of the following: commit 7831cf47677e9dcc582b749506a3c8ac4511e907 Author: Michael Altizer Date: Thu Oct 22 13:12:40 2020 -0400 build: Generate and tag 3.0.3 build 3 commit 3825914a2ec69fbafc36f821698e98a9f80b9996 Author: Michael Altizer Date: Thu Oct 22 12:58:02 2020 -0400 doc: Tweak the template regex in get_differences.rb commit eb26281082e259f883394785728215eff7217d38 Author: Michael Altizer Date: Thu Oct 22 11:29:11 2020 -0400 style: Clean up accumulated tabs and trailing whitespace --- diff --git a/ChangeLog b/ChangeLog index f039195b3..133889c91 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,49 @@ +2020/10/22 - 3.0.3 build 3 + +-- actions: Update react documentation +-- actions: Use payload_injector for react +-- appid: Add service group and asid in AppIdServiceStateKey +-- appid: Continue appid inspection after third-party identifies an application +-- appid: Do not reset third-party session after third-party reload +-- build: Updates for libdaq changes that introduce significant groups in flow stats +-- codecs: Remove PIM and Mobility from bad protocol lists +-- dce_rpc: Add ingress/egress group and asid in SmbFlowKey and Smb2SidHashKey +-- doc: Tweak the template regex in get_differences.rb +-- dump_config: Don't print names for list elements +-- file_api: Add ingress/egress group and asid in FileHashKey +-- file_magic: Update POSIX tar archive pattern +-- flow: Add source/dest group id in flow key +-- flow: Stale and deleted flows due to EOF should generate would have dropped event +-- ftp_data: Add can_start_tls() support and generate ssl search abandoned event for unencrypted data channels +-- host_cache: Add delete host, network protocol, transport protocol, client, service, tcp fingerprint and user agent fingerprint commands +-- host_tracker: Implement client and server delete commands +-- http2_inspect: Handle stream creation for push promise frames +-- ips_options: Fix retry calculation in IPS content when handling "within" field +-- lua: Use default IPS variables in the default config +-- main: Add lua variables for snort version and build +-- managers: Delete obsolete variable parsing code +-- managers: Skip snort_set lua function for non-table top level keys in finalize.lua +-- meta: Do not dump elided header fields or default message +-- meta: Dump full rule field +-- meta: Dump missing port field +-- packet: Add two new apis to parse ingress/egress group from packet's daq pkt_hdr +-- packet_tracer: Add groups in logging based on significant groups flag +-- port_scan: Add group and asid in PS_HASH_KEY +-- rna: Change ip to client instead of server for login events +-- rna: Change logic for payload discovery, eventing +-- rna: Conditionalize reload tuner registration on get_inspector() +-- rna: Log user-agent device information +-- rna: Move registration of reload tuner to configure() +-- snort2lua: Update comments for deleted rule_state options +-- ssh: Fix code indentation and CI breakage +-- ssh: SSH splitter implementation +-- stream: Initialize flow key's flags.ubits with 0 +-- stream_tcp: Don't attempt to drop 'meta_ack packets', there is no wire packet for these acks +-- style: Clean up accumulated tabs and trailing whitespace +-- trace: Refactor the test code +-- trace: Skip trace reload if no initial config present +-- utils: Add a generic function to get random seeds + 2020/10/07 - 3.0.3 build 2 -- appid: Create events for client user name, id and login success @@ -1167,16 +1213,16 @@ - Update sfdaq unit tests for DAQng - Update snort2lua to convert to new DAQ configuration -- filters: add peg count for when the thd_runtime XHash table gets full. --- filters: make thd_runtime and rf_hash thread local and allocate them from thread init +-- filters: make thd_runtime and rf_hash thread local and allocate them from thread init rather than from Module::end() --- http_inspect: fix status_code_num bug in HttpMsgHeader::update_flow() that leads to +-- http_inspect: fix status_code_num bug in HttpMsgHeader::update_flow() that leads to assert on input.length()>0 in norm_decimal_integer -- main: Fix File Descriptor leaks -- main: Include analyzer.h in snort.c -- packet_io: Refactor the Trough a bit -- perf_mon: Fixed time stamp and memory leak issue - Add real timestamp to empty perf_stats data - - Updated dbus default subscription code and perf_mon event subscirption code + - Updated dbus default subscription code and perf_mon event subscirption code to resolve memory leak and invalid event subscription from reloading - Moved flow_ip_tracker to thread local -- perf_monitor: Fixing heap-use-after-free after reload failure diff --git a/README.md b/README.md index 232a55ce4..045d0fdf9 100644 --- a/README.md +++ b/README.md @@ -88,7 +88,7 @@ Follow these steps: * If you are using a github clone: - ```shell + ```shell cd snort3/ ``` @@ -98,7 +98,7 @@ Follow these steps: tar zxf snort-tarball cd snort-3.0.0* ``` - + 2. Setup install path: ```shell @@ -201,7 +201,7 @@ It also covers new features not demonstrated here: * improved rule parsing - arbitrary whitespace, C style comments, #begin/#end comments * local and remote command line shell -# SQUEAL +# SQUEAL `o")~` We hope you are as excited about Snort++ as we are. Although a lot of work diff --git a/cmake/FindDNET.cmake b/cmake/FindDNET.cmake index ae117f441..c274fbd46 100644 --- a/cmake/FindDNET.cmake +++ b/cmake/FindDNET.cmake @@ -3,16 +3,16 @@ # Find the DUMBNET includes and library # http://code.google.com/p/libdnet/ # -# The environment variable DUMBNETDIR allows to specficy where to find +# The environment variable DUMBNETDIR allows to specficy where to find # libdnet in non standard location. -# +# # DNET_INCLUDE_DIR - where to find dnet.h, etc. # DNET_LIBRARIES - List of libraries when using dnet. # DNET_FOUND - True if dnet found. # HAVE_DUMBNET_H - True if found dumnet rather than dnet set(ERROR_MESSAGE - " + " ERROR! dnet header not found, go get it from http://code.google.com/p/libdnet/ or use the --with-dnet-* options, if you have it installed in an unusual place. @@ -39,7 +39,7 @@ else () endif() include(FindPackageHandleStandardArgs) -find_package_handle_standard_args(DNET +find_package_handle_standard_args(DNET REQUIRED_VARS DNET_INCLUDE_DIR DNET_LIBRARIES FAIL_MESSAGE "${ERROR_MESSAGE}" ) diff --git a/cmake/FindPCRE.cmake b/cmake/FindPCRE.cmake index 742f58baa..0fec76c76 100644 --- a/cmake/FindPCRE.cmake +++ b/cmake/FindPCRE.cmake @@ -27,6 +27,6 @@ find_package_handle_standard_args(PCRE ) mark_as_advanced( - PCRE_LIBRARIES + PCRE_LIBRARIES PCRE_INCLUDE_DIR ) diff --git a/cmake/platforms.cmake b/cmake/platforms.cmake index e8acf4725..e1c4b081f 100644 --- a/cmake/platforms.cmake +++ b/cmake/platforms.cmake @@ -1,7 +1,7 @@ # # # Library containing all of the information regarding specific platforms, and their specific libraries. -# +# # APPLE is defined by Cmake @@ -16,7 +16,7 @@ if(${CMAKE_SYSTEM_NAME} MATCHES "Darwin") if ("${CMAKE_CXX_COMPILER_ID}" STREQUAL "Clang") set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -stdlib=libc++") - find_library(CLANG_CXX_LIBRARY + find_library(CLANG_CXX_LIBRARY NAMES c++ ) endif() diff --git a/cmake/sanity_checks.cmake b/cmake/sanity_checks.cmake index a748be228..78ea3879e 100644 --- a/cmake/sanity_checks.cmake +++ b/cmake/sanity_checks.cmake @@ -28,9 +28,9 @@ check_cxx_source_compiles( int main() { char buffer[1024]; - /* This will not compile if strerror_r does not return a char* */ - check(strerror_r(EACCES, buffer, sizeof(buffer))[0]); - return 0; + /* This will not compile if strerror_r does not return a char* */ + check(strerror_r(EACCES, buffer, sizeof(buffer))[0]); + return 0; } " HAVE_GNU_STRERROR_R) diff --git a/config.cmake.h.in b/config.cmake.h.in index 56b42fe96..94c416ee8 100644 --- a/config.cmake.h.in +++ b/config.cmake.h.in @@ -8,7 +8,7 @@ /** and type `ccmake ${PATH_TO_SOURCE}`". Change your options in the GUI. **/ /** Make sure to compile and regenerate the Makefiles when you are done by **/ /** either exiting the GUI by typing `c` following by `g`, or by typing **/ -/** `cmake ${PATH_TO_SOURCE}` from your build directory. **/ +/** `cmake ${PATH_TO_SOURCE}` from your build directory. **/ /** **/ /*****************************************************************************/ diff --git a/doc/reference/snort_reference.text b/doc/reference/snort_reference.text index 8eea4893f..5d49538d5 100644 --- a/doc/reference/snort_reference.text +++ b/doc/reference/snort_reference.text @@ -8,7 +8,7 @@ Snort 3 Reference Manual The Snort Team Revision History -Revision 3.0.3 (Build 2) 2020-10-07 13:11:06 EDT TST +Revision 3.0.3 (Build 3) 2020-10-22 13:10:50 EDT TST --------------------------------------------------------------------- @@ -765,6 +765,15 @@ Configuration: Commands: * host_cache.dump(file_name): dump host cache + * host_cache.delete_host(host_ip): delete host from host cache + * host_cache.delete_network_proto(host_ip, proto): delete network + protocol from host + * host_cache.delete_transport_proto(host_ip, proto): delete + transport protocol from host + * host_cache.delete_service(host_ip, port, proto): delete service + from host + * host_cache.delete_client(host_ip, id, service, version): delete + client from host Peg counts: @@ -1636,6 +1645,7 @@ Configuration: * int trace.modules.gtp_inspect.all: enable all trace options { 0:255 } * int trace.modules.latency.all: enable all trace options { 0:255 } + * int trace.modules.react.all: enable all trace options { 0:255 } * int trace.modules.rna.all: enable all trace options { 0:255 } * int trace.modules.snort.all: enable all trace options { 0:255 } * int trace.modules.snort.main: enable main trace logging { 0:255 } @@ -3571,6 +3581,19 @@ Rules: type * 121:22 (http2_inspect) padding flag set on HTTP/2 frame with zero length + * 121:23 (http2_inspect) HTTP/2 push promise frame in c2s direction + * 121:24 (http2_inspect) invalid HTTP/2 push promise frame + * 121:25 (http2_inspect) HTTP/2 push promise frame sent at invalid + time + * 121:26 (http2_inspect) invalid parameter value sent in HTTP/2 + settings frame + * 121:27 (http2_inspect) HTTP/2 push promise frame sent when + prohibited by receiver + * 121:28 (http2_inspect) HTTP/2 push promise frame with invalid + promised stream id + * 121:29 (http2_inspect) HTTP/2 stream initiated with invalid + stream id + * 121:30 (http2_inspect) invalid flag set on HTTP/2 frame Peg counts: @@ -5491,8 +5514,7 @@ Usage: detect Configuration: - * string react.page: file containing HTTP response (headers and - body) + * string react.page: file containing HTTP response body 6.2. reject @@ -9360,8 +9382,7 @@ these libraries see the Getting Started section of the manual. * int rate_filter[].timeout = 1: count interval { 0:max32 } * enum rate_filter[].track = by_src: filter only matching source or destination addresses { by_src | by_dst | by_rule } - * string react.page: file containing HTTP response (headers and - body) + * string react.page: file containing HTTP response body * string reference.~ref: reference: , * string references[].name: name used with reference rule option * string references[].url: where this reference is defined @@ -10001,6 +10022,7 @@ these libraries see the Getting Started section of the manual. * int trace.modules.gtp_inspect.all: enable all trace options { 0:255 } * int trace.modules.latency.all: enable all trace options { 0:255 } + * int trace.modules.react.all: enable all trace options { 0:255 } * int trace.modules.rna.all: enable all trace options { 0:255 } * int trace.modules.snort.all: enable all trace options { 0:255 } * int trace.modules.snort.inspector_manager: enable inspector @@ -11564,6 +11586,19 @@ these libraries see the Getting Started section of the manual. type * 121:22 (http2_inspect) padding flag set on HTTP/2 frame with zero length + * 121:23 (http2_inspect) HTTP/2 push promise frame in c2s direction + * 121:24 (http2_inspect) invalid HTTP/2 push promise frame + * 121:25 (http2_inspect) HTTP/2 push promise frame sent at invalid + time + * 121:26 (http2_inspect) invalid parameter value sent in HTTP/2 + settings frame + * 121:27 (http2_inspect) HTTP/2 push promise frame sent when + prohibited by receiver + * 121:28 (http2_inspect) HTTP/2 push promise frame with invalid + promised stream id + * 121:29 (http2_inspect) HTTP/2 stream initiated with invalid + stream id + * 121:30 (http2_inspect) invalid flag set on HTTP/2 frame * 122:1 (port_scan) TCP portscan * 122:2 (port_scan) TCP decoy portscan * 122:3 (port_scan) TCP portsweep @@ -11855,6 +11890,15 @@ these libraries see the Getting Started section of the manual. * appid.reload_third_party(): reload appid third-party module * appid.reload_detectors(): reload appid detectors * host_cache.dump(file_name): dump host cache + * host_cache.delete_host(host_ip): delete host from host cache + * host_cache.delete_network_proto(host_ip, proto): delete network + protocol from host + * host_cache.delete_transport_proto(host_ip, proto): delete + transport protocol from host + * host_cache.delete_service(host_ip, port, proto): delete service + from host + * host_cache.delete_client(host_ip, id, service, version): delete + client from host * packet_capture.enable(filter): dump raw packets * packet_capture.disable(): stop packet dump * packet_tracer.enable(proto, src_ip, src_port, dst_ip, dst_port): diff --git a/doc/upgrade/config_changes.txt b/doc/upgrade/config_changes.txt index b55fb5541..67ba5ed10 100644 --- a/doc/upgrade/config_changes.txt +++ b/doc/upgrade/config_changes.txt @@ -1,28 +1,22 @@ -change -> dynamicdetection ==> 'snort.--plugin_path=' -change -> dynamicengine ==> 'snort.--plugin_path=' -change -> dynamicpreprocessor ==> 'snort.--plugin_path=' -change -> dynamicsidechannel ==> 'snort.--plugin_path=' -change -> alertfile: 'config alertfile:' ==> 'alert_fast.file' -change -> alertfile: 'config alertfile:' ==> 'alert_full.file' change -> attribute_table: 'STREAM_POLICY' ==> 'hosts: tcp_policy' change -> attribute_table: 'filename ' ==> 'hosts[]' -change -> config ' addressspace_agnostic' ==> ' packets. address_space_agnostic' -change -> config ' checksum_mode' ==> ' network. checksum_eval' -change -> config ' daq' ==> ' daq. type' -change -> config ' daq_dir' ==> ' daq. dir' -change -> config ' daq_mode' ==> ' daq. mode' -change -> config ' daq_var' ==> ' daq. var' -change -> config ' detection_filter' ==> ' alerts. detection_filter_memcap' -change -> config ' enable_deep_teredo_inspection' ==> ' udp. deep_teredo_inspection' -change -> config ' event_filter' ==> ' alerts. event_filter_memcap' -change -> config ' max_attribute_hosts' ==> ' attribute_table. max_hosts' -change -> config ' max_attribute_services_per_host' ==> ' attribute_table. max_services_per_host' -change -> config ' nopcre' ==> ' detection. pcre_enable' -change -> config ' pkt_count' ==> ' packets. limit' -change -> config ' rate_filter' ==> ' alerts. rate_filter_memcap' -change -> config ' react' ==> ' react. page' -change -> config ' threshold' ==> ' alerts. event_filter_memcap' -change -> csv: 'dgmlen' ==> 'dgm_len' +change -> config 'addressspace_agnostic' ==> 'packets.address_space_agnostic' +change -> config 'checksum_mode' ==> 'network.checksum_eval' +change -> config 'daq_dir' ==> 'daq.module_dirs' +change -> config 'detection_filter' ==> 'alerts.detection_filter_memcap' +change -> config 'enable_deep_teredo_inspection' ==> 'udp.deep_teredo_inspection' +change -> config 'event_filter' ==> 'alerts.event_filter_memcap' +change -> config 'max_attribute_hosts' ==> 'attribute_table.max_hosts' +change -> config 'max_attribute_services_per_host' ==> 'attribute_table.max_services_per_host' +change -> config 'nopcre' ==> 'detection.pcre_enable' +change -> config 'pkt_count' ==> 'packets.limit' +change -> config 'rate_filter' ==> 'alerts.rate_filter_memcap' +change -> config 'react' ==> 'react.page' +change -> config 'threshold' ==> 'alerts.event_filter_memcap' +change -> converter: 'gen_id' ==> 'gid' +change -> converter: 'sid_id' ==> 'sid' +change -> csv: 'csv' ==> 'fields' +change -> csv: 'dgmlen' ==> 'pkt_len' change -> csv: 'dst' ==> 'dst_addr' change -> csv: 'dstport' ==> 'dst_port' change -> csv: 'ethdst' ==> 'eth_dst' @@ -33,6 +27,7 @@ change -> csv: 'icmpcode' ==> 'icmp_code' change -> csv: 'icmpid' ==> 'icmp_id' change -> csv: 'icmpseq' ==> 'icmp_seq' change -> csv: 'icmptype' ==> 'icmp_type' +change -> csv: 'id' ==> 'ip_id' change -> csv: 'iplen' ==> 'ip_len' change -> csv: 'sig_generator' ==> 'gid' change -> csv: 'sig_id' ==> 'sid' @@ -45,35 +40,50 @@ change -> csv: 'tcplen' ==> 'tcp_len' change -> csv: 'tcpseq' ==> 'tcp_seq' change -> csv: 'tcpwindow' ==> 'tcp_win' change -> csv: 'udplength' ==> 'udp_len' -change -> detection: 'ac' ==> 'ac_full_q' +change -> daq: 'config daq:' ==> 'name' +change -> daq_mode: 'config daq_mode:' ==> 'mode' +change -> daq_var: 'config daq_var:' ==> 'variables' +change -> detection: 'ac' ==> 'ac_full' change -> detection: 'ac-banded' ==> 'ac_banded' -change -> detection: 'ac-bnfa' ==> 'ac_bnfa_q' +change -> detection: 'ac-bnfa' ==> 'ac_bnfa' change -> detection: 'ac-bnfa-nq' ==> 'ac_bnfa' -change -> detection: 'ac-bnfa-q' ==> 'ac_bnfa_q' +change -> detection: 'ac-bnfa-q' ==> 'ac_bnfa' change -> detection: 'ac-nq' ==> 'ac_full' -change -> detection: 'ac-q' ==> 'ac_full_q' +change -> detection: 'ac-q' ==> 'ac_full' change -> detection: 'ac-sparsebands' ==> 'ac_sparse_bands' -change -> detection: 'ac-split' ==> 'ac_full_q' +change -> detection: 'ac-split' ==> 'ac_full' change -> detection: 'ac-split' ==> 'split_any_any' change -> detection: 'ac-std' ==> 'ac_std' change -> detection: 'acs' ==> 'ac_sparse' change -> detection: 'bleedover-port-limit' ==> 'bleedover_port_limit' -change -> detection: 'intel-cpm' ==> 'intel_cpm' -change -> detection: 'lowmem' ==> 'lowmem_q' +change -> detection: 'debug-print-fast-pattern' ==> 'show_fast_patterns' +change -> detection: 'intel-cpm' ==> 'hyperscan' change -> detection: 'lowmem-nq' ==> 'lowmem' -change -> detection: 'lowmem-q' ==> 'lowmem_q' +change -> detection: 'lowmem-q' ==> 'lowmem' change -> detection: 'max-pattern-len' ==> 'max_pattern_len' +change -> detection: 'no_stream_inserts' ==> 'detect_raw_tcp' change -> detection: 'search-method' ==> 'search_method' change -> detection: 'search-optimize' ==> 'search_optimize' +change -> detection: 'split-any-any' ==> 'split_any_any = true by default' change -> detection: 'split-any-any' ==> 'split_any_any' +change -> dnp3: 'ports' ==> 'bindings' change -> dns: 'ports' ==> 'bindings' +change -> dynamicdetection ==> 'snort.--plugin_path=' +change -> dynamicengine ==> 'snort.--plugin_path=' +change -> dynamicpreprocessor ==> 'snort.--plugin_path=' +change -> dynamicsidechannel ==> 'snort.--plugin_path=' change -> event_filter: 'gen_id' ==> 'gid' change -> event_filter: 'sig_id' ==> 'sid' change -> event_filter: 'threshold' ==> 'event_filter' change -> file: 'config file: file_block_timeout' ==> 'block_timeout' +change -> file: 'config file: file_capture_block_size' ==> 'capture_block_size' +change -> file: 'config file: file_capture_max' ==> 'capture_max_size' +change -> file: 'config file: file_capture_memcap' ==> 'capture_memcap' +change -> file: 'config file: file_capture_min' ==> 'capture_min_size' change -> file: 'config file: file_type_depth' ==> 'type_depth' change -> file: 'config file: signature' ==> 'enable_signature' change -> file: 'config file: type_id' ==> 'enable_type' +change -> file: 'ver' ==> 'version' change -> frag3_engine: 'min_fragment_length' ==> 'min_frag_length' change -> frag3_engine: 'overlap_limit' ==> 'max_overlaps' change -> frag3_engine: 'policy bsd-right' ==> 'policy = bsd_right' @@ -81,59 +91,54 @@ change -> frag3_engine: 'timeout' ==> 'session_timeout' change -> ftp_telnet_protocol: 'alt_max_param_len' ==> 'cmd_validity' change -> ftp_telnet_protocol: 'data_chan' ==> 'ignore_data_chan' change -> ftp_telnet_protocol: 'ports' ==> 'bindings' -change -> gtp: 'ports' ==> 'gtp_ports' -change -> http_inspect: 'http_inspect' ==> 'http_global' -change -> http_inspect_server: 'apache_whitespace' ==> 'profile.apache_whitespace' -change -> http_inspect_server: 'ascii' ==> 'profile.ascii' -change -> http_inspect_server: 'bare_byte' ==> 'profile.bare_byte' -change -> http_inspect_server: 'chunk_length' ==> 'profile.chunk_length' -change -> http_inspect_server: 'client_flow_depth' ==> 'profile.client_flow_depth' -change -> http_inspect_server: 'directory' ==> 'profile.directory' -change -> http_inspect_server: 'double_decode' ==> 'profile.double_decode' -change -> http_inspect_server: 'enable_cookie' ==> 'enable_cookies' -change -> http_inspect_server: 'flow_depth' ==> 'server_flow_depth' +change -> gtp: 'ports' ==> 'bindings' +change -> http_inspect_server: 'bare_byte' ==> 'utf8_bare_byte' +change -> http_inspect_server: 'client_flow_depth' ==> 'request_depth' +change -> http_inspect_server: 'double_decode' ==> 'iis_double_decode' change -> http_inspect_server: 'http_inspect_server' ==> 'http_inspect' -change -> http_inspect_server: 'iis_backslash' ==> 'profile.iis_backslash' -change -> http_inspect_server: 'iis_delimiter' ==> 'profile.iis_delimiter' -change -> http_inspect_server: 'iis_unicode' ==> 'profile.iis_unicode' -change -> http_inspect_server: 'max_header_length' ==> 'profile.max_header_length' -change -> http_inspect_server: 'max_headers' ==> 'profile.max_headers' -change -> http_inspect_server: 'max_spaces' ==> 'profile.max_spaces' -change -> http_inspect_server: 'multi_slash' ==> 'profile.multi_slash' -change -> http_inspect_server: 'non_rfc_char' ==> 'non_rfc_chars' -change -> http_inspect_server: 'non_strict' ==> 'profile.non_strict' -change -> http_inspect_server: 'normalize_utf' ==> 'profile.normalize_utf' +change -> http_inspect_server: 'iis_backslash' ==> 'backslash_to_slash' +change -> http_inspect_server: 'inspect_gzip' ==> 'unzip' +change -> http_inspect_server: 'non_rfc_char' ==> 'bad_characters' change -> http_inspect_server: 'ports' ==> 'bindings' -change -> http_inspect_server: 'u_encode' ==> 'profile.u_encode' -change -> http_inspect_server: 'utf_8' ==> 'profile.utf_8' -change -> http_inspect_server: 'webroot' ==> 'profile.webroot' -change -> http_inspect_server: 'whitespace_chars' ==> 'profile.whitespace_chars' +change -> http_inspect_server: 'u_encode' ==> 'percent_u' +change -> http_inspect_server: 'utf_8' ==> 'utf8' change -> imap: 'ports' ==> 'bindings' -change -> paf_max: 'paf_max [0:63780]' ==> 'max_pdu [1460:63780]' -change -> perfmonitor: 'accumulate' ==> 'reset = false' -change -> perfmonitor: 'flow-file' ==> 'flow_file = true' +change -> modbus: 'ports' ==> 'bindings' +change -> na_policy_mode: 'na_policy_mode' ==> 'mode' +change -> paf_max: 'paf_max [0:63780]' ==> 'max_pdu [1460:32768]' +change -> perfmonitor: 'console' ==> 'format = 'text'' +change -> perfmonitor: 'console' ==> 'output = 'console'' +change -> perfmonitor: 'file' ==> 'format = 'csv'' +change -> perfmonitor: 'file' ==> 'output = 'file'' +change -> perfmonitor: 'flow-file' ==> 'format = 'csv'' +change -> perfmonitor: 'flow-file' ==> 'output = 'file'' change -> perfmonitor: 'flow-ip' ==> 'flow_ip' -change -> perfmonitor: 'flow-ip-file' ==> 'flow_ip_file = true' +change -> perfmonitor: 'flow-ip-file' ==> 'format = 'csv'' +change -> perfmonitor: 'flow-ip-file' ==> 'output = 'file'' change -> perfmonitor: 'flow-ip-memcap' ==> 'flow_ip_memcap' change -> perfmonitor: 'flow-ports' ==> 'flow_ports' change -> perfmonitor: 'pktcnt' ==> 'packets' -change -> perfmonitor: 'snortfile' ==> 'file = true' +change -> perfmonitor: 'snortfile' ==> 'format = 'csv'' +change -> perfmonitor: 'snortfile' ==> 'output = 'file'' change -> perfmonitor: 'time' ==> 'seconds' change -> policy_mode: 'inline_test' ==> 'inline-test' change -> pop: 'ports' ==> 'bindings' -change -> ppm: 'max-pkt-time' ==> 'max_pkt_time' -change -> ppm: 'max-rule-time' ==> 'max_rule_time' -change -> ppm: 'pkt-log' ==> 'pkt_log' -change -> ppm: 'rule-log' ==> 'rule_log' -change -> ppm: 'suspend-timeout' ==> 'suspend_timeout' -change -> preprocessor 'normalize_ icmp4' ==> 'normalize. icmp4' -change -> preprocessor 'normalize_ icmp6' ==> 'normalize. icmp6' -change -> preprocessor 'normalize_ ip6' ==> 'normalize. ip6' +change -> ppm: 'fastpath-expensive-packets' ==> 'packet.fastpath' +change -> ppm: 'max-pkt-time' ==> 'packet.max_time' +change -> ppm: 'max-rule-time' ==> 'rule.max_time' +change -> ppm: 'ppm' ==> 'latency' +change -> ppm: 'suspend-expensive-rules' ==> 'rule.suspend' +change -> ppm: 'suspend-timeout' ==> 'max_suspend_time' +change -> ppm: 'threshold' ==> 'rule.suspend_threshold' +change -> preprocessor 'normalize_icmp4' ==> 'normalize.icmp4' +change -> preprocessor 'normalize_icmp6' ==> 'normalize.icmp6' +change -> preprocessor 'normalize_ip6' ==> 'normalize.ip6' change -> profile: 'print' ==> 'count' +change -> profile: 'sort avg_ticks' ==> 'sort = avg_check' +change -> profile: 'sort total_ticks' ==> 'sort = total_time' change -> rate_filter: 'gen_id' ==> 'gid' change -> rate_filter: 'sig_id' ==> 'sid' -change -> rule_state: 'disabled' ==> 'enable' -change -> rule_state: 'enabled' ==> 'enable' +change -> reputation: 'shared_mem' ==> 'list_dir' change -> sfportscan: 'proto' ==> 'protos' change -> sfportscan: 'scan_type' ==> 'scan_types' change -> sip: 'ports' ==> 'bindings' @@ -141,16 +146,13 @@ change -> smtp: 'ports' ==> 'bindings' change -> ssh: 'server_ports' ==> 'bindings' change -> ssl: 'ports' ==> 'bindings' change -> stream5_global: 'max_active_responses' ==> 'max_responses' -change -> stream5_global: 'max_icmp' ==> 'max_sessions' -change -> stream5_global: 'max_ip' ==> 'max_sessions' -change -> stream5_global: 'max_tcp' ==> 'max_sessions' -change -> stream5_global: 'max_udp' ==> 'max_sessions' change -> stream5_global: 'min_response_seconds' ==> 'min_interval' -change -> stream5_global: 'prune_log_max' ==> 'histogram' -change -> stream5_global: 'tcp_cache_nominal_timeout' ==> 'pruning_timeout' -change -> stream5_global: 'tcp_cache_pruning_timeout' ==> 'idle_timeout' +change -> stream5_global: 'tcp_cache_nominal_timeout' ==> 'idle_timeout' change -> stream5_global: 'udp_cache_nominal_timeout' ==> 'idle_timeout' -change -> stream5_global: 'udp_cache_pruning_timeout' ==> 'pruning_timeout' +change -> stream5_ha: 'min_session_lifetime' ==> 'min_age' +change -> stream5_ha: 'min_sync_interval' ==> 'min_sync' +change -> stream5_ha: 'stream5_ha' ==> 'high_availability' +change -> stream5_ha: 'use_daq' ==> 'daq_channel' change -> stream5_ip: 'timeout' ==> 'session_timeout' change -> stream5_tcp: 'bind_to' ==> 'bindings' change -> stream5_tcp: 'dont_reassemble_async' ==> 'reassemble_async' @@ -158,7 +160,6 @@ change -> stream5_tcp: 'max_queued_bytes' ==> 'queue_limit.max_bytes' change -> stream5_tcp: 'max_queued_segs' ==> 'queue_limit.max_segments' change -> stream5_tcp: 'policy hpux' ==> 'stream_tcp.policy = hpux11' change -> stream5_tcp: 'timeout' ==> 'session_timeout' -change -> stream5_tcp: 'use_static_footprint_sizes' ==> 'footprint' change -> stream5_udp: 'timeout' ==> 'session_timeout' change -> suppress: 'gen_id' ==> 'gid' change -> suppress: 'sig_id' ==> 'sid' @@ -187,9 +188,9 @@ change -> syslog: 'log_pid' ==> 'options = pid' change -> syslog: 'log_user' ==> 'facility = user' change -> syslog: 'log_warning' ==> 'level = warning' change -> threshold: 'ips_option: threshold' ==> 'event_filter' -change -> unified2: ' alert_unified2' ==> 'unified2' -change -> unified2: ' log_unified2' ==> 'unified2' -change -> unified2: ' unified2' ==> 'unified2' +change -> unified2: 'alert_unified2' ==> 'unified2' +change -> unified2: 'log_unified2' ==> 'unified2' +change -> unified2: 'unified2' ==> 'unified2' deleted -> arpspoof: 'unicast' deleted -> attribute_table: 'hpux' deleted -> attribute_table: 'irix' @@ -197,78 +198,116 @@ deleted -> attribute_table: 'old-linux' deleted -> attribute_table: 'unknown' deleted -> attribute_table: 'noack' deleted -> attribute_table: 'unknown' -deleted -> config ' cs_dir' -deleted -> config ' disable_attribute_reload_thread' -deleted -> config ' disable_decode_alerts' -deleted -> config ' disable_decode_drops' -deleted -> config ' disable_ipopt_alerts' -deleted -> config ' disable_ipopt_drops' -deleted -> config ' disable_tcpopt_alerts' -deleted -> config ' disable_tcpopt_drops' -deleted -> config ' disable_tcpopt_experimental_alerts' -deleted -> config ' disable_tcpopt_experimental_drops' -deleted -> config ' disable_tcpopt_obsolete_alerts' -deleted -> config ' disable_tcpopt_obsolete_drops' -deleted -> config ' disable_tcpopt_ttcp_alerts' -deleted -> config ' disable_ttcp_alerts' -deleted -> config ' disable_ttcp_drops' -deleted -> config ' dump_dynamic_rules_path' -deleted -> config ' enable_decode_drops' -deleted -> config ' enable_decode_oversized_alerts' -deleted -> config ' enable_decode_oversized_drops' -deleted -> config ' enable_ipopt_drops' -deleted -> config ' enable_tcpopt_drops' -deleted -> config ' enable_tcpopt_experimental_drops' -deleted -> config ' enable_tcpopt_obsolete_drops' -deleted -> config ' enable_tcpopt_ttcp_drops' -deleted -> config ' enable_ttcp_drops' -deleted -> config ' flexresp2_attempts' -deleted -> config ' flexresp2_interface' -deleted -> config ' flexresp2_memcap' -deleted -> config ' flexresp2_rows' -deleted -> config ' flowbits_size' -deleted -> config ' include_vlan_in_alerts' -deleted -> config ' interface' -deleted -> config ' layer2resets' -deleted -> config ' policy_version' -deleted -> config ' so_rule_memcap' +deleted -> config 'cs_dir' +deleted -> config 'decode_data_link' +deleted -> config 'disable_attribute_reload_thread' +deleted -> config 'disable_decode_alerts' +deleted -> config 'disable_decode_drops' +deleted -> config 'disable_inline_init_failopen' +deleted -> config 'disable_ipopt_alerts' +deleted -> config 'disable_ipopt_drops' +deleted -> config 'disable_tcpopt_alerts' +deleted -> config 'disable_tcpopt_drops' +deleted -> config 'disable_tcpopt_experimental_alerts' +deleted -> config 'disable_tcpopt_experimental_drops' +deleted -> config 'disable_tcpopt_obsolete_alerts' +deleted -> config 'disable_tcpopt_obsolete_drops' +deleted -> config 'disable_tcpopt_ttcp_alerts' +deleted -> config 'disable_ttcp_alerts' +deleted -> config 'disable_ttcp_drops' +deleted -> config 'dump_dynamic_rules_path' +deleted -> config 'dynamicoutput' +deleted -> config 'enable_decode_drops' +deleted -> config 'enable_decode_oversized_alerts' +deleted -> config 'enable_decode_oversized_drops' +deleted -> config 'enable_gtp' +deleted -> config 'enable_ipopt_drops' +deleted -> config 'enable_tcpopt_drops' +deleted -> config 'enable_tcpopt_experimental_drops' +deleted -> config 'enable_tcpopt_obsolete_drops' +deleted -> config 'enable_tcpopt_ttcp_drops' +deleted -> config 'enable_ttcp_drops' +deleted -> config 'flexresp2_attempts' +deleted -> config 'flexresp2_interface' +deleted -> config 'flexresp2_memcap' +deleted -> config 'flexresp2_rows' +deleted -> config 'flowbits_size' +deleted -> config 'include_vlan_in_alerts' +deleted -> config 'interface' +deleted -> config 'layer2resets' +deleted -> config 'log_ipv6_extra_data' +deleted -> config 'no_promisc' +deleted -> config 'nolog' +deleted -> config 'protected_content' +deleted -> config 'sfalert_unified2' +deleted -> config 'sflog_unified2' +deleted -> config 'sidechannel' +deleted -> config 'so_rule_memcap' deleted -> csv: ' can no longer be specific' deleted -> csv: 'default' deleted -> csv: 'trheader' deleted -> detection: 'mwm' +deleted -> dnp3: 'disabled' +deleted -> dnp3: 'memcap' deleted -> dns: 'enable_experimental_types' deleted -> dns: 'enable_obsolete_types' deleted -> dns: 'enable_rdata_overflow' +deleted -> event_trace: 'file' deleted -> fast: ' can no longer be specific' deleted -> frag3_engine: 'detect_anomalies' deleted -> frag3_global: 'disabled' deleted -> ftp_telnet_protocol: 'detect_anomalies' deleted -> full: ' can no longer be specific' +deleted -> http_inspect: 'detect_anomalous_servers' deleted -> http_inspect: 'disabled' +deleted -> http_inspect: 'proxy_alert' +deleted -> http_inspect_server: 'allow_proxy_use' +deleted -> http_inspect_server: 'enable_cookie' +deleted -> http_inspect_server: 'enable_xff' +deleted -> http_inspect_server: 'extended_ascii_uri' +deleted -> http_inspect_server: 'extended_response_inspection' +deleted -> http_inspect_server: 'iis_unicode_map not allowed in sever' +deleted -> http_inspect_server: 'inspect_uri_only' +deleted -> http_inspect_server: 'log_hostname' +deleted -> http_inspect_server: 'log_uri' deleted -> http_inspect_server: 'no_alerts' +deleted -> http_inspect_server: 'no_pipeline_req' +deleted -> http_inspect_server: 'non_strict' +deleted -> http_inspect_server: 'normalize_cookies' +deleted -> http_inspect_server: 'normalize_headers' +deleted -> http_inspect_server: 'small_chunk_length' +deleted -> http_inspect_server: 'tab_uri_delimiter' +deleted -> http_inspect_server: 'unlimited_decompress' deleted -> imap: 'disabled' deleted -> imap: 'max_mime_mem' deleted -> imap: 'memcap' +deleted -> perfmonitor: 'accumulate' deleted -> perfmonitor: 'atexitonly' deleted -> perfmonitor: 'atexitonly: base-stats' deleted -> perfmonitor: 'atexitonly: events-stats' deleted -> perfmonitor: 'atexitonly: flow-ip-stats' deleted -> perfmonitor: 'atexitonly: flow-stats' +deleted -> perfmonitor: 'atexitonly: reset' +deleted -> perfmonitor: 'events' +deleted -> perfmonitor: 'max' deleted -> pop: 'disabled' deleted -> pop: 'max_mime_mem' deleted -> pop: 'memcap' deleted -> ppm: 'debug-pkts' -deleted -> react: 'block' -deleted -> react: 'warn' +deleted -> reputation: 'shared_max_instances' +deleted -> reputation: 'shared_refresh' deleted -> rpc_decode: 'alert_fragments' deleted -> rpc_decode: 'no_alert_incomplete' deleted -> rpc_decode: 'no_alert_large_fragments' deleted -> rpc_decode: 'no_alert_multiple_requests' deleted -> rule_state: 'action' +deleted -> rule_state: 'enable' deleted -> sfportscan: 'detect_ack_scans' deleted -> sfportscan: 'disabled' deleted -> sfportscan: 'logfile' +deleted -> sfportscan: 'sense_level' deleted -> sip: 'disabled' +deleted -> sip: 'max_sessions' deleted -> smtp: 'alert_unknown_cmds' deleted -> smtp: 'disabled' deleted -> smtp: 'enable_mime_decoding' @@ -289,13 +328,19 @@ deleted -> ssh: 'enable_ssh1crc32' deleted -> ssl: 'noinspect_encrypted' deleted -> stream5_global: 'disabled' deleted -> stream5_global: 'flush_on_alert' +deleted -> stream5_global: 'memcap' deleted -> stream5_global: 'no_midstream_drop_alerts' deleted -> stream5_tcp: 'check_session_hijacking' deleted -> stream5_tcp: 'detect_anomalies' deleted -> stream5_tcp: 'dont_store_large_packets' +deleted -> stream5_tcp: 'ignore_any_rules' +deleted -> stream5_tcp: 'log_asymmetric_traffic' deleted -> stream5_tcp: 'policy noack' deleted -> stream5_tcp: 'policy unknown' +deleted -> stream5_udp: 'ignore_any_rules' deleted -> tcpdump: ' can no longer be specific' deleted -> test: 'file' deleted -> test: 'stdout' deleted -> unified2: 'filename' +deleted -> unified2: 'mpls_event_types' +deleted -> unified2: 'vlan_event_types' diff --git a/doc/upgrade/get_differences.rb b/doc/upgrade/get_differences.rb index 30924893c..028d50288 100755 --- a/doc/upgrade/get_differences.rb +++ b/doc/upgrade/get_differences.rb @@ -3,7 +3,7 @@ # CONST REG_EX. DO NOT CHANGE delete_pattern = /add_deleted_comment\(\"(.*)\"\);/ diff_pattern = /add_diff_option_comment\(\"(.*)\",\s?\"(.*)\"\)/ -template_diff = /<\s*&(.*),\s*&(.*),\s*&(.*)>/ +template_diff = /<\s*&(.*),\s*&(.*),\s*&(.*?)(?:, true)?>/ config_delete_template = /deleted_ctor<&(.*)>/ paths_diff = /paths_ctor<\s*&(.*)\s*>/ # check kws_paths.cc normalizers_diff = /norm_sans_options_ctor<\s?&(.*)>/ # check pps_normalizers @@ -37,7 +37,7 @@ Dir.glob("#{dir}/**/*cc").each do |file| File.open(file) do |f| f.each_line do |line| - # gets rid of all lines which dreference pointers + # gets rid of all lines which dereference pointers if line =~ star_reg next end @@ -63,7 +63,7 @@ Dir.glob("#{dir}/**/*cc").each do |file| if line =~ paths_diff arr << "change -> #{$1.strip} ==> 'snort.--plugin_path='" end - + if line =~ normalizers_diff arr << "change -> preprocessor 'normalize_#{$1.strip}' ==> 'normalize.#{$1.strip}'" end diff --git a/doc/upgrade/snort_upgrade.text b/doc/upgrade/snort_upgrade.text index 79eebbb3d..3123d0332 100644 --- a/doc/upgrade/snort_upgrade.text +++ b/doc/upgrade/snort_upgrade.text @@ -8,7 +8,7 @@ Snort 3 Upgrade Manual The Snort Team Revision History -Revision 3.0.3 (Build 1) 2020-09-23 11:56:13 EDT TST +Revision 3.0.3 (Build 3) 2020-10-22 13:10:41 EDT TST --------------------------------------------------------------------- @@ -433,7 +433,6 @@ Some things Snort++ can do today that Snort can not do as well: * all rules must have a sid * sid == 0 not allowed * deleted activate / dynamic rules - * deleted unused rule_state.action * deleted metadata engine shared * deleted metadata: rule-flushing (with PDU flushing rule flushing can cause missed attacks, the opposite of its intent) @@ -821,25 +820,21 @@ appended to the original filename. --------------------------------------------------------------------- -change -> dynamicdetection ==> 'snort.--plugin_path=' -change -> dynamicengine ==> 'snort.--plugin_path=' -change -> dynamicpreprocessor ==> 'snort.--plugin_path=' -change -> dynamicsidechannel ==> 'snort.--plugin_path=' change -> attribute_table: 'STREAM_POLICY' ==> 'hosts: tcp_policy' change -> attribute_table: 'filename ' ==> 'hosts[]' -change -> config ' addressspace_agnostic' ==> ' packets. address_space_agnostic' -change -> config ' checksum_mode' ==> ' network. checksum_eval' -change -> config ' daq_dir' ==> ' daq. module_dirs, true' -change -> config ' detection_filter' ==> ' alerts. detection_filter_memcap' -change -> config ' enable_deep_teredo_inspection' ==> ' udp. deep_teredo_inspection' -change -> config ' event_filter' ==> ' alerts. event_filter_memcap' -change -> config ' max_attribute_hosts' ==> ' attribute_table. max_hosts' -change -> config ' max_attribute_services_per_host' ==> ' attribute_table. max_services_per_host' -change -> config ' nopcre' ==> ' detection. pcre_enable' -change -> config ' pkt_count' ==> ' packets. limit' -change -> config ' rate_filter' ==> ' alerts. rate_filter_memcap' -change -> config ' react' ==> ' react. page' -change -> config ' threshold' ==> ' alerts. event_filter_memcap' +change -> config 'addressspace_agnostic' ==> 'packets.address_space_agnostic' +change -> config 'checksum_mode' ==> 'network.checksum_eval' +change -> config 'daq_dir' ==> 'daq.module_dirs' +change -> config 'detection_filter' ==> 'alerts.detection_filter_memcap' +change -> config 'enable_deep_teredo_inspection' ==> 'udp.deep_teredo_inspection' +change -> config 'event_filter' ==> 'alerts.event_filter_memcap' +change -> config 'max_attribute_hosts' ==> 'attribute_table.max_hosts' +change -> config 'max_attribute_services_per_host' ==> 'attribute_table.max_services_per_host' +change -> config 'nopcre' ==> 'detection.pcre_enable' +change -> config 'pkt_count' ==> 'packets.limit' +change -> config 'rate_filter' ==> 'alerts.rate_filter_memcap' +change -> config 'react' ==> 'react.page' +change -> config 'threshold' ==> 'alerts.event_filter_memcap' change -> converter: 'gen_id' ==> 'gid' change -> converter: 'sid_id' ==> 'sid' change -> csv: 'csv' ==> 'fields' @@ -895,6 +890,10 @@ change -> detection: 'split-any-any' ==> 'split_any_any = true by default' change -> detection: 'split-any-any' ==> 'split_any_any' change -> dnp3: 'ports' ==> 'bindings' change -> dns: 'ports' ==> 'bindings' +change -> dynamicdetection ==> 'snort.--plugin_path=' +change -> dynamicengine ==> 'snort.--plugin_path=' +change -> dynamicpreprocessor ==> 'snort.--plugin_path=' +change -> dynamicsidechannel ==> 'snort.--plugin_path=' change -> event_filter: 'gen_id' ==> 'gid' change -> event_filter: 'sig_id' ==> 'sid' change -> event_filter: 'threshold' ==> 'event_filter' @@ -953,17 +952,15 @@ change -> ppm: 'ppm' ==> 'latency' change -> ppm: 'suspend-expensive-rules' ==> 'rule.suspend' change -> ppm: 'suspend-timeout' ==> 'max_suspend_time' change -> ppm: 'threshold' ==> 'rule.suspend_threshold' -change -> preprocessor 'normalize_ icmp4' ==> 'normalize. icmp4' -change -> preprocessor 'normalize_ icmp6' ==> 'normalize. icmp6' -change -> preprocessor 'normalize_ ip6' ==> 'normalize. ip6' +change -> preprocessor 'normalize_icmp4' ==> 'normalize.icmp4' +change -> preprocessor 'normalize_icmp6' ==> 'normalize.icmp6' +change -> preprocessor 'normalize_ip6' ==> 'normalize.ip6' change -> profile: 'print' ==> 'count' change -> profile: 'sort avg_ticks' ==> 'sort = avg_check' change -> profile: 'sort total_ticks' ==> 'sort = total_time' change -> rate_filter: 'gen_id' ==> 'gid' change -> rate_filter: 'sig_id' ==> 'sid' change -> reputation: 'shared_mem' ==> 'list_dir' -change -> rule_state: 'enabled/disabled' ==> 'enable' -change -> rule_state: 'sdrop' ==> 'drop' change -> sfportscan: 'proto' ==> 'protos' change -> sfportscan: 'scan_type' ==> 'scan_types' change -> sip: 'ports' ==> 'bindings' @@ -1013,9 +1010,9 @@ change -> syslog: 'log_pid' ==> 'options = pid' change -> syslog: 'log_user' ==> 'facility = user' change -> syslog: 'log_warning' ==> 'level = warning' change -> threshold: 'ips_option: threshold' ==> 'event_filter' -change -> unified2: ' alert_unified2' ==> 'unified2' -change -> unified2: ' log_unified2' ==> 'unified2' -change -> unified2: ' unified2' ==> 'unified2' +change -> unified2: 'alert_unified2' ==> 'unified2' +change -> unified2: 'log_unified2' ==> 'unified2' +change -> unified2: 'unified2' ==> 'unified2' deleted -> arpspoof: 'unicast' deleted -> attribute_table: 'hpux' deleted -> attribute_table: 'irix' @@ -1023,52 +1020,51 @@ deleted -> attribute_table: 'old-linux' deleted -> attribute_table: 'unknown' deleted -> attribute_table: 'noack' deleted -> attribute_table: 'unknown' -deleted -> config ' cs_dir' -deleted -> config ' decode_data_link' -deleted -> config ' disable_attribute_reload_thread' -deleted -> config ' disable_decode_alerts' -deleted -> config ' disable_decode_drops' -deleted -> config ' disable_inline_init_failopen' -deleted -> config ' disable_ipopt_alerts' -deleted -> config ' disable_ipopt_drops' -deleted -> config ' disable_tcpopt_alerts' -deleted -> config ' disable_tcpopt_drops' -deleted -> config ' disable_tcpopt_experimental_alerts' -deleted -> config ' disable_tcpopt_experimental_drops' -deleted -> config ' disable_tcpopt_obsolete_alerts' -deleted -> config ' disable_tcpopt_obsolete_drops' -deleted -> config ' disable_tcpopt_ttcp_alerts' -deleted -> config ' disable_ttcp_alerts' -deleted -> config ' disable_ttcp_drops' -deleted -> config ' dump_dynamic_rules_path' -deleted -> config ' enable_decode_drops' -deleted -> config ' enable_decode_oversized_alerts' -deleted -> config ' enable_decode_oversized_drops' -deleted -> config ' enable_gtp' -deleted -> config ' enable_ipopt_drops' -deleted -> config ' enable_tcpopt_drops' -deleted -> config ' enable_tcpopt_experimental_drops' -deleted -> config ' enable_tcpopt_obsolete_drops' -deleted -> config ' enable_tcpopt_ttcp_drops' -deleted -> config ' enable_ttcp_drops' -deleted -> config ' flexresp2_attempts' -deleted -> config ' flexresp2_interface' -deleted -> config ' flexresp2_memcap' -deleted -> config ' flexresp2_rows' -deleted -> config ' flowbits_size' -deleted -> config ' include_vlan_in_alerts' -deleted -> config ' interface' -deleted -> config ' layer2resets' -deleted -> config ' log_ipv6_extra_data' -deleted -> config ' no_promisc' -deleted -> config ' nolog' -deleted -> config ' protected_content' -deleted -> config ' sidechannel' -deleted -> config ' so_rule_memcap' +deleted -> config 'cs_dir' +deleted -> config 'decode_data_link' +deleted -> config 'disable_attribute_reload_thread' +deleted -> config 'disable_decode_alerts' +deleted -> config 'disable_decode_drops' +deleted -> config 'disable_inline_init_failopen' +deleted -> config 'disable_ipopt_alerts' +deleted -> config 'disable_ipopt_drops' +deleted -> config 'disable_tcpopt_alerts' +deleted -> config 'disable_tcpopt_drops' +deleted -> config 'disable_tcpopt_experimental_alerts' +deleted -> config 'disable_tcpopt_experimental_drops' +deleted -> config 'disable_tcpopt_obsolete_alerts' +deleted -> config 'disable_tcpopt_obsolete_drops' +deleted -> config 'disable_tcpopt_ttcp_alerts' +deleted -> config 'disable_ttcp_alerts' +deleted -> config 'disable_ttcp_drops' +deleted -> config 'dump_dynamic_rules_path' deleted -> config 'dynamicoutput' +deleted -> config 'enable_decode_drops' +deleted -> config 'enable_decode_oversized_alerts' +deleted -> config 'enable_decode_oversized_drops' +deleted -> config 'enable_gtp' +deleted -> config 'enable_ipopt_drops' +deleted -> config 'enable_tcpopt_drops' +deleted -> config 'enable_tcpopt_experimental_drops' +deleted -> config 'enable_tcpopt_obsolete_drops' +deleted -> config 'enable_tcpopt_ttcp_drops' +deleted -> config 'enable_ttcp_drops' +deleted -> config 'flexresp2_attempts' +deleted -> config 'flexresp2_interface' +deleted -> config 'flexresp2_memcap' +deleted -> config 'flexresp2_rows' +deleted -> config 'flowbits_size' +deleted -> config 'include_vlan_in_alerts' +deleted -> config 'interface' +deleted -> config 'layer2resets' +deleted -> config 'log_ipv6_extra_data' +deleted -> config 'no_promisc' +deleted -> config 'nolog' +deleted -> config 'protected_content' deleted -> config 'sfalert_unified2' deleted -> config 'sflog_unified2' deleted -> config 'sidechannel' +deleted -> config 'so_rule_memcap' deleted -> csv: ' can no longer be specific' deleted -> csv: 'default' deleted -> csv: 'trheader' @@ -1126,6 +1122,8 @@ deleted -> rpc_decode: 'alert_fragments' deleted -> rpc_decode: 'no_alert_incomplete' deleted -> rpc_decode: 'no_alert_large_fragments' deleted -> rpc_decode: 'no_alert_multiple_requests' +deleted -> rule_state: 'action' +deleted -> rule_state: 'enable' deleted -> sfportscan: 'detect_ack_scans' deleted -> sfportscan: 'disabled' deleted -> sfportscan: 'logfile' diff --git a/doc/user/snort_user.text b/doc/user/snort_user.text index 882b9d330..9cf3ccc75 100644 --- a/doc/user/snort_user.text +++ b/doc/user/snort_user.text @@ -8,7 +8,7 @@ Snort 3 User Manual The Snort Team Revision History -Revision 3.0.3 (Build 2) 2020-10-07 13:10:58 EDT TST +Revision 3.0.3 (Build 3) 2020-10-22 13:10:41 EDT TST --------------------------------------------------------------------- @@ -18,69 +18,76 @@ Table of Contents 1.1. First Steps 1.2. Configuration - 1.3. Output - -2. Concepts - - 2.1. Terminology - 2.2. Modules - 2.3. Parameters - 2.4. Plugins - 2.5. Operation - 2.6. Rules - 2.7. Pattern Matching - -3. Tutorial - - 3.1. Dependencies - 3.2. Building - 3.3. Running - 3.4. Tips - 3.5. Common Errors - 3.6. Gotchas - 3.7. Known Issues - -4. Usage - - 4.1. Help - 4.2. Sniffing and Logging - 4.3. Configuration - 4.4. IDS mode - 4.5. Plugins - 4.6. Output Files - 4.7. DAQ Alternatives - 4.8. Logger Alternatives - 4.9. Shell - 4.10. Signals - -5. Features - - 5.1. Active Response - 5.2. AppId - 5.3. Binder - 5.4. Byte rule options - 5.5. Consolidated Config - 5.6. DCE Inspectors - 5.7. File Processing - 5.8. High Availability - 5.9. FTP - 5.10. HTTP Inspector - 5.11. HTTP/2 Inspector - 5.12. Performance Monitor - 5.13. POP and IMAP - 5.14. Port Scan - 5.15. Sensitive Data Filtering - 5.16. SMTP - 5.17. Telnet - 5.18. Trace - 5.19. Wizard - -6. DAQ Configuration and Modules - - 6.1. Building the DAQ Library and Its Bundled DAQ Modules - 6.2. Configuration - 6.3. Interaction With Multiple Packet Threads - 6.4. DAQ Modules Included With Snort 3 + +2. Lua Variables + + 2.1. Whitelist + 2.2. Rules + 2.3. Includes + 2.4. Converting Your 2.X Configuration + 2.5. Output + +3. Concepts + + 3.1. Terminology + 3.2. Modules + 3.3. Parameters + 3.4. Plugins + 3.5. Operation + 3.6. Rules + 3.7. Pattern Matching + +4. Tutorial + + 4.1. Dependencies + 4.2. Building + 4.3. Running + 4.4. Tips + 4.5. Common Errors + 4.6. Gotchas + 4.7. Known Issues + +5. Usage + + 5.1. Help + 5.2. Sniffing and Logging + 5.3. Configuration + 5.4. IDS mode + 5.5. Plugins + 5.6. Output Files + 5.7. DAQ Alternatives + 5.8. Logger Alternatives + 5.9. Shell + 5.10. Signals + +6. Features + + 6.1. Active Response + 6.2. AppId + 6.3. Binder + 6.4. Byte rule options + 6.5. Consolidated Config + 6.6. DCE Inspectors + 6.7. File Processing + 6.8. High Availability + 6.9. FTP + 6.10. HTTP Inspector + 6.11. HTTP/2 Inspector + 6.12. Performance Monitor + 6.13. POP and IMAP + 6.14. Port Scan + 6.15. Sensitive Data Filtering + 6.16. SMTP + 6.17. Telnet + 6.18. Trace + 6.19. Wizard + +7. DAQ Configuration and Modules + + 7.1. Building the DAQ Library and Its Bundled DAQ Modules + 7.2. Configuration + 7.3. Interaction With Multiple Packet Threads + 7.4. DAQ Modules Included With Snort 3 Snorty @@ -339,7 +346,37 @@ do: active = { max_responses = 1, min_interval = 5 } -1.2.3. Whitelist + +--------------------------------------------------------------------- + +2. Lua Variables + +--------------------------------------------------------------------- + +The following Global Lua Variables are available when Snort is run +with a lua config using -c option. + + * SNORT_VERSION: points to a string containing snort version and + build as follows: + + SNORT_VERSION = "3.0.2-x" + + * SNORT_MAJOR_VERSION: Snort version’s major number. + + SNORT_MAJOR_VERSION = 3 + + * SNORT_MINOR_VERSION: Snort version’s minor number. + + SNORT_MINOR_VERSION = 0 + + * SNORT_PATCH_VERSION: Snort version’s patch number. + + SNORT_PATCH_VERSION = 2 + + +2.1. Whitelist + +-------------- When Snort is run with the --warn-conf-strict option, warnings will be generated for all Lua tables present in the configuration files @@ -359,7 +396,10 @@ snort_whitelist_add_prefix("local_ foobar_") The accumulated contents of the whitelist (both exact and prefix) will be dumped when Snort is run in verbose mode (-v). -1.2.4. Rules + +2.2. Rules + +-------------- Rules determine what Snort is looking for. They can be put directly in your Lua configuration file with the ips module, on the command @@ -378,11 +418,14 @@ $ sort -c snort.lua -R rules.txt You can use both approaches together. -1.2.5. Includes -Your configuration file file may include other files, either directly -via Lua or via various parameters. Snort will find relative includes -in the following order: +2.3. Includes + +-------------- + +Your configuration file may include other files, either directly via +Lua or via various parameters. Snort will find relative includes in +the following order: 1. If you specify --include-path, this directory will be tried first. @@ -401,7 +444,10 @@ Some things to keep in mind: relative to the working directory. These will be updated in a future release. -1.2.6. Converting Your 2.X Configuration + +2.4. Converting Your 2.X Configuration + +-------------- If you have a working 2.X configuration snort2lua makes it easy to get up and running with Snort 3. This tool will convert your @@ -417,7 +463,7 @@ sophisticated use cases, see the Snort2Lua section later in the manual. -1.3. Output +2.5. Output -------------- @@ -425,7 +471,7 @@ Snort can produce quite a lot of data. In the following we will summarize the key aspects of the core output types. Additional data such as from appid is covered later. -1.3.1. Basic Statistics +2.5.1. Basic Statistics At shutdown, Snort will output various counts depending on configuration and the traffic processed. Generally, you may see: @@ -447,7 +493,7 @@ available counts: $ snort --help-counts -1.3.2. Alerts +2.5.2. Alerts If you configured rules, you will need to configure alerts to see the details of detection events. Use the -A option like this: @@ -471,7 +517,7 @@ To see the available alert types, you can run this command: $ snort --list-plugins | grep logger -1.3.3. Files and Paths +2.5.3. Files and Paths Note that output is specific to each packet thread. If you run 4 packet threads with u2 output, you will get 4 different u2 files. The @@ -494,7 +540,7 @@ Additional considerations: issues with multiple packet threads. * All text mode outputs default to stdout -1.3.4. Performance Statistics +2.5.4. Performance Statistics Still more data is available beyond the above. @@ -510,7 +556,7 @@ Still more data is available beyond the above. --------------------------------------------------------------------- -2. Concepts +3. Concepts --------------------------------------------------------------------- @@ -518,7 +564,7 @@ This section provides background on essential aspects of Snort’s operation. -2.1. Terminology +3.1. Terminology -------------- @@ -578,7 +624,7 @@ operation. binding. See hex and spell. -2.2. Modules +3.2. Modules -------------- @@ -621,7 +667,7 @@ Other things to note about modules: the snort module. -2.3. Parameters +3.3. Parameters -------------- @@ -690,7 +736,7 @@ Parameter limits: * maxSZ = 9007199254740992 -2.4. Plugins +3.4. Plugins -------------- @@ -723,7 +769,7 @@ example, an inspector will typically be packaged together with any associated rule options. -2.5. Operation +3.5. Operation -------------- @@ -760,7 +806,7 @@ The steps are: resulting from the earlier steps. More generally, this is where other actions can be taken as well such as blocking the packet. -2.5.1. Snort 2 Processing +3.5.1. Snort 2 Processing The preprocess step in Snort 2 is highly configurable. Arbitrary preprocessors can be loaded dynamically at startup, configured in @@ -785,7 +831,7 @@ pass some HTTP and SIP preprocessor data to appID. However, it remains a peripheral feature and still requires the production of data that may not be consumed. -2.5.2. Snort 3 Processing +3.5.2. Snort 3 Processing One of the goals of Snort 3 is to provide a more flexible framework for packet processing by implementing an event-driven approach. @@ -828,7 +874,7 @@ stuffers allow Snort to work smarter, not harder. These capabilities will be leveraged more and more as Snort development continues. -2.6. Rules +3.6. Rules -------------- @@ -887,7 +933,7 @@ $ snort --list-builtin For details on these and other options, see the reference section. -2.7. Pattern Matching +3.7. Pattern Matching -------------- @@ -895,7 +941,7 @@ Snort evaluates rules in a two-step process which includes a fast pattern search and full evaluation of the signature. More details on this process follow. -2.7.1. Rule Groups +3.7.1. Rule Groups When Snort starts or reloads configuration, rules are grouped by protocol, port and service. For example, all TCP rules using the @@ -909,7 +955,7 @@ balances speed and memory. For a faster search at the expense of significantly more memory, use ac_full. For best performance and reasonable memory, download the hyperscan source from Intel. -2.7.2. Fast Patterns +3.7.2. Fast Patterns Fast patterns are content strings that have the fast_pattern option or which have been selected by Snort automatically to be used as a @@ -926,7 +972,7 @@ Specifically, if a content is negated, then if it is also relative to another content, case sensitive, or has non-zero offset or depth, then it is not eligible to be used as a fast pattern. -2.7.3. Rule Evaluation +3.7.3. Rule Evaluation For each fast pattern match, the corresponding rule(s) are evaluated left-to-right. Rule evaluation requires checking each detection @@ -942,7 +988,7 @@ cases. This is one less thing for the rule writer to worry about. --------------------------------------------------------------------- -3. Tutorial +4. Tutorial --------------------------------------------------------------------- @@ -951,7 +997,7 @@ not exhaustive but, once you master this material, you should be able to figure out more advanced usage. -3.1. Dependencies +4.1. Dependencies -------------- @@ -1006,7 +1052,7 @@ Optional: * uuid from uuid-dev package for unique identifiers -3.2. Building +4.2. Building -------------- @@ -1051,7 +1097,7 @@ Optional: export CXX=g++ -3.3. Running +4.3. Running -------------- @@ -1092,7 +1138,7 @@ Examples: For more examples, see the usage section. -3.4. Tips +4.4. Tips -------------- @@ -1178,7 +1224,7 @@ you can use the options below to format the paths: * all text mode outputs default to stdout -3.5. Common Errors +4.5. Common Errors -------------- @@ -1227,7 +1273,7 @@ WARNING: unknown symbol x export SNORT_IGNORE="x y z" -3.6. Gotchas +4.6. Gotchas -------------- @@ -1252,7 +1298,7 @@ WARNING: unknown symbol x semantic error but it will tell you the fully qualified name. -3.7. Known Issues +4.7. Known Issues -------------- @@ -1276,7 +1322,7 @@ WARNING: unknown symbol x Uninstall gperftools 2.5 provided by the distribution and install gperftools 2.7 before building Snort. -3.7.1. Reload Limitations +4.7.1. Reload Limitations The following parameters can’t be changed during reload, and require a restart: @@ -1315,7 +1361,7 @@ in use. --------------------------------------------------------------------- -4. Usage +5. Usage --------------------------------------------------------------------- @@ -1324,7 +1370,7 @@ the Snort install directory. Additionally, it is assumed that "$my_path/bin" is in your PATH. -4.1. Help +5.1. Help -------------- @@ -1354,7 +1400,7 @@ Snort stops reading command-line options after the "--help-" and "--list-" options, so any other options should be placed before them. -4.2. Sniffing and Logging +5.2. Sniffing and Logging -------------- @@ -1385,7 +1431,7 @@ Log packets to a directory: snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap' -L dump -l /path/to/log/dir -4.3. Configuration +5.3. Configuration -------------- @@ -1410,7 +1456,7 @@ Tell Snort where to look for additional Lua scripts: snort --script-path /path/to/script/dir -4.4. IDS mode +5.4. IDS mode -------------- @@ -1455,7 +1501,7 @@ snort -c $my_path/etc/snort/snort.lua --daq afpacket -i "eth0:eth1" \ -A cmg -4.5. Plugins +5.5. Plugins -------------- @@ -1476,7 +1522,7 @@ alert tcp any any -> any 80 ( END -4.6. Output Files +5.6. Output Files -------------- @@ -1516,7 +1562,7 @@ based on module name that writes the file. All text mode outputs default to stdout. These options can be combined. -4.7. DAQ Alternatives +5.7. DAQ Alternatives -------------- @@ -1549,7 +1595,7 @@ snort -c $my_path/etc/snort/snort.lua \ --daq-dir $my_path/lib/snort/daqs --daq socket -4.8. Logger Alternatives +5.8. Logger Alternatives -------------- @@ -1568,7 +1614,7 @@ snort -c $my_path/etc/snort/snort.lua \ --lua "alert_csv = { fields = 'pkt_num gid sid rev', separator = '\t' }" -4.9. Shell +5.9. Shell -------------- @@ -1603,7 +1649,7 @@ The command line interface is still under development. Suggestions are welcome. -4.10. Signals +5.10. Signals -------------- @@ -1640,14 +1686,14 @@ The available signals may vary from platform to platform. --------------------------------------------------------------------- -5. Features +6. Features --------------------------------------------------------------------- This section explains how to use key features of Snort. -5.1. Active Response +6.1. Active Response -------------- @@ -1656,7 +1702,7 @@ responses to shutdown offending sessions. When active responses is enabled, snort will send TCP RST or ICMP unreachable when dropping a session. -5.1.1. Changes from Snort 2.9 +6.1.1. Changes from Snort 2.9 * stream5_global:max_active_responses and min_response_seconds are now active.max_responses and active.min_interval. @@ -1668,7 +1714,7 @@ session. means don’t forward the current packet only whereas block means don’t forward this or any following packet on the flow. -5.1.2. Configure Active +6.1.2. Configure Active Active response is enabled by configuring one of following IPS action plugins: @@ -1710,7 +1756,7 @@ active = dst_mac = "00:06:76:DD:5F:E3", } -5.1.3. Reject +6.1.3. Reject IPS action reject perform active response to shutdown hostile network session by injecting TCP resets (TCP connections) or ICMP unreachable @@ -1731,54 +1777,47 @@ ips = rules = local_rules, } -5.1.4. React +6.1.4. React IPS action react enables sending an HTML page on a session and then resetting it. +The headers used are: + +"HTTP/1.1 403 Forbidden\r\n" \ +"Connection: close\r\n" \ +"Content-Type: text/html; charset=utf-8\r\n" \ +"Content-Length: 439\r\n" \ +"\r\n" + The page to be sent can be read from a file: react = { page = "customized_block_page.html", } or else the default is used: - ::= \ - "HTTP/1.1 403 Forbidden\r\n" - "Connection: close\r\n" - "Content-Type: text/html; charset=utf-8\r\n" - "\r\n" - "\r\n" \ - "\r\n" \ - "\r\n" \ - "\r\n" \ - "Access Denied\r\n" \ - "\r\n" \ - "\r\n" \ - "

Access Denied

\r\n" \ - "

%s

\r\n" \ - "\r\n" \ - "\r\n"; - -Note that the file must contain the entire response, including any -HTTP headers. In fact, the response isn’t strictly limited to HTTP. -You could craft a binary payload of arbitrary content. - -When the rule is configured, the page is loaded and the %s is -replaced with the selected message, which defaults to: - -"You are attempting to access a forbidden site.
" \ -"Consult your system administrator for details." - -Additional formatting operators beyond a single %s are prohibited, -including %d, %x, %s, as well as any URL encodings such as as %20 -(space) that may be within a reference URL. - +"\r\n" \ +"\r\n" \ +"\r\n" \ +"\r\n" \ +"Access Denied\r\n" \ +"\r\n" \ +"\r\n" \ +"

Access Denied

\r\n" \ +"

You are attempting to access a forbidden site.
" \ +"Consult your system administrator for details.

\r\n" \ +"\r\n" \ +"\r\n" + +Note that the file contains the message body only. The headers will +be added with an updated value for Content-Length. + +When using react, payload injector must be configured as well. Example: react = { page = "my_block_page.html" } +payload_injector = { } local_rules = [[ @@ -1791,7 +1830,15 @@ ips = rules = local_rules, } -5.1.5. Rewrite +React has debug trace functionality. It can be used to get traces in +case injection is not successful. To turn it on: + +trace = +{ + modules = { react = { all = 1 } } +} + +6.1.5. Rewrite IPS action rewrite enables overwrite packet contents based on "replace" option in the rules. @@ -1827,7 +1874,7 @@ the replace operation can be disabled by changing the configuration: rewrite = { disable_replace = true } -5.2. AppId +6.2. AppId -------------- @@ -1838,7 +1885,7 @@ administrator to create rules for applications as needed by the business. The rules can be used to take action based on the application, such as block, allow or alert. -5.2.1. Overview +6.2.1. Overview The AppId inspector provides an application level view when managing networks by providing the following features: @@ -1856,7 +1903,7 @@ networks by providing the following features: detectors are provided by the Snort team and can be downloaded from snort.org. -5.2.2. Dependency Requirements +6.2.2. Dependency Requirements For proper functioning of the AppId inspector, at a minimum stream flow tracking must be enabled. In addition, to identify TCP-based or @@ -1872,7 +1919,7 @@ inspectors, such as the HTTP and SSL inspectors, to gain access to the data needed. It uses that data to help determine the application ID. -5.2.3. Configuration +6.2.3. Configuration The AppId feature can be enabled via configuration. To enable it with the default settings use: @@ -1940,7 +1987,7 @@ ips = rules = local_rules, } -5.2.4. Session Application Identifiers +6.2.4. Session Application Identifiers There are up to four AppIds stored in a session as defined below: @@ -1964,14 +2011,14 @@ The same logic is followed for packets originating from the server with one exception. The order of matching is changed to make serviceAppId come before clientAppId. -5.2.5. AppId Usage Statistics +6.2.5. AppId Usage Statistics The AppId inspector prints application network usage periodically in the snort log directory in unified2 format. File name, time interval for statistic and file rollover are controlled by appId inspection configuration. -5.2.6. Open Detector Package (ODP) Installation +6.2.6. Open Detector Package (ODP) Installation Application detectors from Snort team will be delivered in a separate package called the Open Detector Package (ODP) that can be downloaded @@ -1999,7 +2046,7 @@ When installed, ODP will create following sub-directories: * odp/lua //Cisco Lua detectors * odp/libs //Cisco Lua modules -5.2.7. User Created Application Detectors +6.2.7. User Created Application Detectors Users can detect new applications by adding detectors in the Lua language. A document will be posted on the Snort Website with details @@ -2028,7 +2075,7 @@ openappid/custom/lua/ None of the directories below /usr/local/lib/openappid/ would be added for you. -5.2.8. Application Detector Creation Tool +6.2.8. Application Detector Creation Tool For rudimentary Lua detectors, there is a tool provided called appid_detector_builder.sh. This is a simple, menu-driven bash script @@ -2065,7 +2112,7 @@ The resulting .lua file will need to be placed in the directory, called "User Created Application Detectors" -5.3. Binder +6.3. Binder -------------- @@ -2118,11 +2165,11 @@ can contain any combination of criteria and binder.use can specify an action, config file, or inspector configuration. -5.4. Byte rule options +6.4. Byte rule options -------------- -5.4.1. byte_test +6.4.1. byte_test This rule option tests a byte field against a specific value (with operator). Capable of testing binary values or converting @@ -2144,7 +2191,7 @@ converted. The result will be right-shifted by the number of bits equal to the number of trailing zeros in the mask. This applies for the other rule options as well. -5.4.1.1. Examples +6.4.1.1. Examples alert tcp (byte_test:2, =, 568, 0, bitmask 0x3FF0;) @@ -2157,7 +2204,7 @@ alert udp (byte_test:4, =, 1234, 0, string, dec; alert udp (byte_test:8, =, 0xdeadbeef, 0, string, hex; msg:"got DEADBEEF!";) -5.4.2. byte_jump +6.4.2. byte_jump The byte_jump rule option allows rules to be written for length encoded protocols trivially. By having an option that reads the @@ -2166,7 +2213,7 @@ packet, rules can be written that skip over specific portions of length-encoded protocols and perform detection in very specific locations. -5.4.2.1. Examples +6.4.2.1. Examples alert tcp (content:"Begin"; byte_jump:0, 0, from_end, post_offset -6; @@ -2178,7 +2225,7 @@ alert tcp (content:"catalog"; byte_test:2, =, 968, 0, relative; msg:"Bitmask applied on the 2 bytes extracted for byte_jump";) -5.4.3. byte_extract +6.4.3. byte_extract The byte_extract keyword is another useful option for writing rules against length-encoded protocols. It reads in some number of bytes @@ -2186,7 +2233,7 @@ from the packet payload and saves it to a variable. These variables can be referenced later in the rule, instead of using hard-coded values. -5.4.3.1. Other options which use byte_extract variables +6.4.3.1. Other options which use byte_extract variables A byte_extract rule option detects nothing by itself. Its use is in extracting packet data for use in other rule options. @@ -2198,7 +2245,7 @@ Here is a list of places where byte_extract variables can be used: * byte_jump: offset, post_offset * isdataat: offset -5.4.3.2. Examples +6.4.3.2. Examples alert tcp (byte_extract:1, 0, str_offset; byte_extract:1, 1, str_depth; @@ -2222,7 +2269,7 @@ alert tcp (content:"|04 63 34 35|", offset 4, depth 4; byte_test: 2, =, var_match, 2, relative; msg:"Test value match, after applying bitmask on bytes extracted";) -5.4.4. byte_math +6.4.4. byte_math Perform a mathematical operation on an extracted value and a specified value or existing variable, and store the outcome in a new @@ -2241,7 +2288,7 @@ Byte_math operations are performed on unsigned 32-bit values. When writing a rule it should be taken into consideration to avoid wrap around. -5.4.4.1. Examples +6.4.4.1. Examples alert tcp ( byte_math: bytes 2, offset 0, oper *, rvalue 10, result area; byte_test:2,>,area,16;) @@ -2254,7 +2301,7 @@ Let’s consider 2 bytes of extracted data is 5. The rvalue is 10. Result variable area is 50 ( 5 * 10 ). Area variable can be used in either byte_test offset/value options. -5.4.5. Testing Numerical Values +6.4.5. Testing Numerical Values The rule options byte_test and byte_jump were written to support writing rules for protocols that have length encoded data. RPC was @@ -2411,7 +2458,7 @@ content:"|00 00 00 01 00 00 00 01|", offset 20, depth 8; byte_test:4,>,200,36; -5.5. Consolidated Config +6.5. Consolidated Config -------------- @@ -2469,7 +2516,7 @@ wizard = } } -5.5.1. Text Format +6.5.1. Text Format The --dump-config-text option verifies the configuration and dumps it to stdout in text format. The output contains a config of the main @@ -2518,7 +2565,7 @@ wizard.spells[0].to_server[0].spell="INVITE" For lists, the index next to the option name designates an element parsing order. -5.5.2. JSON Format +6.5.2. JSON Format The --dump-config=all command-line option verifies the configuration and dumps it to stdout in JSON format. The output contains a config @@ -2712,7 +2759,7 @@ Example: snort -c snort.lua --dump-config=top | jq . } -5.6. DCE Inspectors +6.6. DCE Inspectors -------------- @@ -2720,7 +2767,7 @@ The main purpose of these inspector are to perform SMB desegmentation and DCE/RPC defragmentation to avoid rule evasion using these techniques. -5.6.1. Overview +6.6.1. Overview The following transports are supported for DCE/RPC: SMB, TCP, and UDP. New rule options have been implemented to improve performance, @@ -2736,7 +2783,7 @@ defragmentation, are copied into each inspector configuration. The address/port mapping is handled by the binder. Autodetect functionality is replaced by wizard curses. -5.6.2. Quick Guide +6.6.2. Quick Guide A typical dcerpce configuration looks like this: @@ -2786,7 +2833,7 @@ dce_udp = { } In this example, it defines smb, tcp and udp inspectors based on port. All the configurations are default. -5.6.3. Target Based +6.6.3. Target Based There are enough important differences between Windows and Samba versions that a target based approach has been implemented. Some @@ -2815,7 +2862,7 @@ different policy. Here are the list of policies supported: * Samba-3.0.22 * Samba-3.0.20 -5.6.4. Reassembling +6.6.4. Reassembling Both SMB inspector and TCP inspector support reassemble. Reassemble threshold specifies a minimum number of bytes in the DCE/RPC @@ -2826,13 +2873,13 @@ before full defragmentation is done. A value of 0 s supplied as an argument to this option will, in effect, disable this option. Default is disabled. -5.6.5. SMB +6.6.5. SMB SMB inspector is one of the most complex inspectors. In addition to supporting rule options and lots of inspector rule events, it also supports file processing for both SMB version 1, 2, and 3. -5.6.5.1. Finger Print Policy +6.6.5.1. Finger Print Policy In the initial phase of an SMB session, the client needs to authenticate with a SessionSetupAndX. Both the request and response @@ -2840,7 +2887,7 @@ to this command contain OS and version information that can allow the inspector to dynamically set the policy for a session which allows for better protection against Windows and Samba specific evasions. -5.6.5.2. File Inspection +6.6.5.2. File Inspection SMB inspector supports file inspection. A typical configuration looks like this: @@ -2895,16 +2942,16 @@ inspection in rules. An argument of 0 to "file_depth" means unlimited. Default is "off", i.e. no SMB file inspection is done in the inspector. -5.6.6. TCP +6.6.6. TCP dce_tcp inspector supports defragmentation, reassembling, and policy that is similar to SMB. -5.6.7. UDP +6.6.7. UDP dce_udp is a very simple inspector that only supports defragmentation -5.6.8. Rule Options +6.6.8. Rule Options New rule options are supported by enabling the dcerpc2 inspectors: @@ -2917,7 +2964,7 @@ New modifiers to existing byte_test and byte_jump rule options: * byte_test: dce * byte_jump: dce -5.6.8.1. dce_iface +6.6.8.1. dce_iface For DCE/RPC based rules it has been necessary to set flow-bits based on a client bind to a service to avoid false positives. It is @@ -3028,7 +3075,7 @@ longest) pattern will be used. If a content in the rule uses the fast_pattern rule option, it will unequivocally be used over the above mentioned patterns. -5.6.8.2. dce_opnum +6.6.8.2. dce_opnum The opnum represents a specific function call to an interface. After is has been determined that a client has bound to a specific @@ -3050,7 +3097,7 @@ opnum of a DCE/RPC request will be matched against the opnums specified with this option. This option matches if any one of the opnums specified match the opnum of the DCE/RPC request. -5.6.8.3. dce_stub_data +6.6.8.3. dce_stub_data Since most DCE/RPC based rules had to do protocol decoding only to get to the DCE/RPC stub data, i.e. the remote procedure call or @@ -3079,7 +3126,7 @@ that does not specify a relative modifier will be evaluated from the start of the stub data buffer. To leave the stub data buffer and return to the main payload buffer, use the "pkt_data" rule option. -5.6.8.4. byte_test and byte_jump +6.6.8.4. byte_test and byte_jump A DCE/RPC request can specify whether numbers are represented in big or little endian. These rule options will take as a new argument @@ -3105,7 +3152,7 @@ byte_jump arguments will not be allowed: "big", "little", "string", "hex", "dec", "oct" and "from_beginning" -5.7. File Processing +6.7. File Processing -------------- @@ -3114,7 +3161,7 @@ network file inspection becomes more and more important. This feature will provide file type identification, file signature creation, and file capture capabilities to help users deal with those challenges. -5.7.1. Overview +6.7.1. Overview There are two parts of file services: file APIs and file policy. File APIs provides all the file inspection functionalities, such as file @@ -3129,7 +3176,7 @@ file policy along with file event log. * Supported protocols: HTTP, SMTP, IMAP, POP3, FTP, and SMB. * Supported file signature calculation: SHA256 -5.7.2. Quick Guide +6.7.2. Quick Guide A very simple configuration has been included in lua/snort.lua file. A typical file configuration looks like this: @@ -3168,7 +3215,7 @@ There are 3 steps to enable file processing: * At last, enable file_log to get detailed information about file event -5.7.3. Pre-packaged File Magic Rules +6.7.3. Pre-packaged File Magic Rules A set of file magic rules is packaged with Snort. They can be located at "lua/file_magic.lua". To use this feature, it is recommended that @@ -3191,7 +3238,7 @@ look at content at particular file offset to identify the file type. In this case, two magics look at the beginning of the file. You can use character if it is printable or hex value in between "|". -5.7.4. File Policy +6.7.4. File Policy You can enabled file type, file signature, or file capture by configuring file_id. In addition, you can enable trace to see file @@ -3217,7 +3264,7 @@ In this example, it enables this policy: * For all file types identified, they will be logged with signature, and also captured onto log folder. -5.7.5. File Capture +6.7.5. File Capture File can be captured and stored to log folder. We use SHA as file name instead of actual file name to avoid conflicts. You can capture @@ -3233,7 +3280,7 @@ or enable it for some file or file type in your file policy: The above rule will enable PDF file capture. -5.7.6. File Events +6.7.6. File Events File inspect preprocessor also works as a dynamic output plugin for file events. It logs basic information about file. The log file is in @@ -3255,14 +3302,14 @@ File event example: [Size: 1039328] -5.8. High Availability +6.8. High Availability -------------- High Availability includes the HA flow synchronization and the SideChannel messaging subsystems. -5.8.1. HA +6.8.1. HA HighAvailability (or HA) is a Snort module that provides state coherency between two partner snort instances. It uses SideChannel @@ -3307,7 +3354,7 @@ message content. The stream HA content is always present in the messages while the ancillary module content is only present when requested via a status change request. -5.8.2. Connector +6.8.2. Connector Connectors are a set of modules that are used to exchange message-oriented data among Snort threads and the external world. A @@ -3318,7 +3365,7 @@ forms of message transport. Connectors are a Snort plugin type. -5.8.2.1. Connector (parent plugin class) +6.8.2.1. Connector (parent plugin class) Connectors may either be a simplex channel and perform unidirectional communications. Or may be duplex and perform bidirectional @@ -3336,7 +3383,7 @@ There are currently two implementations of Connectors: * FileConnector - Write messages to files and read messages from files. -5.8.2.2. TcpConnector +6.8.2.2. TcpConnector TcpConnector is a subclass of Connector and implements a DUPLEX type Connector, able to send and receive messages over a tcp session. @@ -3363,7 +3410,7 @@ tcp_connector = }, } -5.8.2.3. FileConnector +6.8.2.3. FileConnector FileConnector implements a Connector that can either read from files or write to files. FileConnector’s are simplex and must be configured @@ -3406,7 +3453,7 @@ file_connector = }, } -5.8.3. Side Channel +6.8.3. Side Channel SideChannel is a Snort module that uses Connectors to implement a messaging infrastructure that is used to communicate between Snort @@ -3472,7 +3519,7 @@ file_connector = } -5.9. FTP +6.9. FTP -------------- @@ -3482,9 +3529,9 @@ codes and messages. It will enforce correctness of the parameters, determine when an FTP command connection is encrypted, and determine when an FTP data channel is opened. -5.9.1. Configuring the inspector to block exploits and attacks +6.9.1. Configuring the inspector to block exploits and attacks -5.9.1.1. ftp_server configuration +6.9.1.1. ftp_server configuration * ftp_cmds @@ -3649,7 +3696,7 @@ to large file transfers from a trusted source — by ignoring traffic. If your rule set includes virus-type rules, it is recommended that this option not be used. -5.9.1.2. ftp_client configuration +6.9.1.2. ftp_client configuration * max_resp_len @@ -3671,7 +3718,7 @@ character (TNC EAC) and erase line (TNC EAL) when normalizing FTP command channel. Some FTP clients do not process those telnet escape sequences. -5.9.1.3. ftp_data +6.9.1.3. ftp_data In order to enable file inspection for ftp, the following should be added to the configuration: @@ -3679,14 +3726,14 @@ added to the configuration: ftp_data = {} -5.10. HTTP Inspector +6.10. HTTP Inspector -------------- One of the major undertakings for Snort 3 is developing a completely new HTTP inspector. -5.10.1. Overview +6.10.1. Overview You can configure it by adding: @@ -3749,7 +3796,7 @@ user to write rules against it. If for example a header is supposed to be a date then normalization means put that date in a standard format. -5.10.2. Configuration +6.10.2. Configuration Configuration can be as simple as adding: @@ -3760,7 +3807,7 @@ inspection and may be all that you need. But there are some options that provide extra features, tweak how things are done, or conserve resources by doing less. -5.10.2.1. request_depth and response_depth +6.10.2.1. request_depth and response_depth These replace the flow depth parameters used by the old HTTP inspector but they work differently. @@ -3788,7 +3835,7 @@ omit the depth parameter entirely because that is the default. These limits have no effect on how much data is forwarded to file processing. -5.10.2.2. detained_inspection +6.10.2.2. detained_inspection Detained inspection is an experimental feature currently under development. It enables Snort to more quickly detect and block @@ -3799,7 +3846,7 @@ mode operation (-Q). This feature is off by default. detained_inspection = true will activate it. -5.10.2.3. script_detection +6.10.2.3. script_detection Script detection is an alternative to detained inspection. When http_inspect detects the end of a script it immediately forwards the @@ -3810,7 +3857,7 @@ somewhat more of the sensor’s resources. This feature is off by default. script_detection = true will activate it. -5.10.2.4. gzip +6.10.2.4. gzip http_inspect by default decompresses deflate and gzip message bodies before inspecting them. This feature can be turned off by unzip = @@ -3819,14 +3866,14 @@ improvement but at a very high price. It is unlikely that any meaningful inspection of message bodies will be possible. Effectively HTTP processing would be limited to the headers. -5.10.2.5. normalize_utf +6.10.2.5. normalize_utf http_inspect will decode utf-8, utf-7, utf-16le, utf-16be, utf-32le, and utf-32be in response message bodies based on the Content-Type header. This feature is on by default: normalize_utf = false will deactivate it. -5.10.2.6. decompress_pdf +6.10.2.6. decompress_pdf decompress_pdf = true will enable decompression of compressed portions of PDF files encountered in a response body. http_inspect @@ -3835,7 +3882,7 @@ locate PDF streams with a single /FlateDecode filter. The compressed content is decompressed and made available through the file data rule option. -5.10.2.7. decompress_swf +6.10.2.7. decompress_swf decompress_swf = true will enable decompression of compressed SWF (Adobe Flash content) files encountered in a response body. The @@ -3845,7 +3892,7 @@ LZMA. The compressed content is decompressed and made available through the file data rule option. The compressed SWF file signature is converted to FWS to indicate an uncompressed file. -5.10.2.8. normalize_javascript +6.10.2.8. normalize_javascript normalize_javascript = true will enable normalization of JavaScript within the HTTP response body. http_inspect looks for JavaScript by @@ -3857,7 +3904,7 @@ decodeURIComponent are %XX, %uXXXX, XX and uXXXXi. http_inspect also replaces consecutive whitespaces with a single space and normalizes the plus by concatenating the strings. -5.10.2.9. xff_headers +6.10.2.9. xff_headers This configuration supports defining custom x-forwarded-for type headers. In a multi-vendor world, it is quite possible that the @@ -3872,7 +3919,7 @@ they are defined, e.g "x-forwarded-for" will be preferred than "true-client-ip" if both headers are present in the stream. The header names should be delimited by a space. -5.10.2.10. URI processing +6.10.2.10. URI processing Normalization and inspection of the URI in the HTTP request message is a key aspect of what http_inspect does. The best way to normalize @@ -3968,7 +4015,7 @@ allow directories to be separated by backslashes: backslash_to_slash is turned on by default. It replaces all the backslashes with slashes during normalization. -5.10.3. CONNECT processing +6.10.3. CONNECT processing The HTTP CONNECT method is used by a client to establish a tunnel to a destination via an HTTP proxy server. If the connection is @@ -3999,7 +4046,7 @@ tactic, the HTTP inspector will not cut over to the wizard if it sees any early client-to-server traffic, but will continue normal HTTP processing of the flow regardless of the eventual server response. -5.10.4. Detection rules +6.10.4. Detection rules http_inspect parses HTTP messages into their components and makes them available to the detection engine through rule options. Let’s @@ -4070,7 +4117,7 @@ list. In addition to the headers there are rule options for virtually every part of the HTTP message. -5.10.4.1. http_uri and http_raw_uri +6.10.4.1. http_uri and http_raw_uri These provide the URI of the request message. The raw form is exactly as it appeared in the message and the normalized form is determined @@ -4130,7 +4177,7 @@ Note: this section uses informal language to explain some things. Nothing here is intended to conflict with the technical language of the HTTP RFCs and the implementation follows the RFCs. -5.10.4.2. http_header and http_raw_header +6.10.4.2. http_header and http_raw_header These cover all the header lines except the first one. You may specify an individual header by name using the field option as shown @@ -4160,7 +4207,7 @@ In most cases specifying individual headers creates a more efficient and accurate rule. It is recommended that new rules be written using individual headers whenever possible. -5.10.4.3. http_trailer and http_raw_trailer +6.10.4.3. http_trailer and http_raw_trailer HTTP permits header lines to appear after a chunked body ends. Typically they contain information about the message content that was @@ -4172,7 +4219,7 @@ counterparts except they apply to these end headers. If you want a rule to inspect both kinds of headers you need to write two rules, one using header and one using trailer. -5.10.4.4. http_cookie and http_raw_cookie +6.10.4.4. http_cookie and http_raw_cookie These provide the value of the Cookie header for a request message and the Set-Cookie for a response message. If multiple cookies are @@ -4181,7 +4228,7 @@ present they will be concatenated into a comma-separated list. Normalization for http_cookie is the same URI-style normalization applied to http_header when no specific header is specified. -5.10.4.5. http_true_ip +6.10.4.5. http_true_ip This provides the original IP address of the client sending the request as it was stored by a proxy in the request message headers. @@ -4190,13 +4237,13 @@ True-Client-IP or any other custom x-forwarded-for type header. If multiple headers are present the preference defined in xff_headers configuration is considered. -5.10.4.6. http_client_body +6.10.4.6. http_client_body This is the body of a request message such as POST or PUT. Normalization for http_client_body is the same URI-like normalization applied to http_header when no specific header is specified. -5.10.4.7. http_raw_body +6.10.4.7. http_raw_body This is the body of a request or response message. It will be dechunked and unzipped if applicable but will not be normalized in @@ -4205,30 +4252,30 @@ is a rule that uses packet data will search and may match an HTTP header, but http_raw_body is limited to the message body. Thus the latter is more efficient and more accurate for most uses. -5.10.4.8. http_method +6.10.4.8. http_method The method field of a request message. Common values are "GET", "POST", "OPTIONS", "HEAD", "DELETE", "PUT", "TRACE", and "CONNECT". -5.10.4.9. http_stat_code +6.10.4.9. http_stat_code The status code field of a response message. This is normally a 3-digit number between 100 and 599. In this example it is 200. HTTP/1.1 200 OK -5.10.4.10. http_stat_msg +6.10.4.10. http_stat_msg The reason phrase field of a response message. This is the human-readable text following the status code. "OK" in the previous example. -5.10.4.11. http_version +6.10.4.11. http_version The protocol version information that appears on the first line of an HTTP message. This is usually "HTTP/1.0" or "HTTP/1.1". -5.10.4.12. http_raw_request and http_raw_status +6.10.4.12. http_raw_request and http_raw_status These are the unmodified first header line of the HTTP request and response messages respectively. These rule options are a safety valve @@ -4238,7 +4285,7 @@ first header line. For a request message those are http_method, http_raw_uri, and http_version. For a response message those are http_version, http_stat_code, and http_stat_msg. -5.10.4.13. file_data and packet data +6.10.4.13. file_data and packet data file_data contains the normalized message body. This is the normalization described above under gzip, normalize_utf, @@ -4247,7 +4294,7 @@ decompress_pdf, decompress_swf, and normalize_javascript. The unnormalized message content is available in the packet data. If gzip is configured the packet data will be unzipped. -5.10.5. Timing issues and combining rule options +6.10.5. Timing issues and combining rule options HTTP inspector is stateful. That means it is aware of a bigger picture than the packet in front of it. It knows what all the pieces @@ -4353,7 +4400,7 @@ are received. Headers may be combined with later items but the body cannot. -5.11. HTTP/2 Inspector +6.11. HTTP/2 Inspector -------------- @@ -4408,7 +4455,7 @@ http_inspect to provide full inspection of the individual HTTP/1.1 streams. -5.12. Performance Monitor +6.12. Performance Monitor -------------- @@ -4417,14 +4464,14 @@ down by too many flows? perf_monitor! Why are certain TCP segments being dropped without hitting a rule? perf_monitor! Why is a sensor leaking water? Not perf_monitor, check with stream… -5.12.1. Overview +6.12.1. Overview The Snort performance monitor is the built-in utility for monitoring system and traffic statistics. All statistics are separated by processing thread. perf_monitor supports several trackers for monitoring such data: -5.12.2. Base Tracker +6.12.2. Base Tracker The base tracker is used to gather running statistics about Snort and its running modules. All Snort modules gather, at the very least, @@ -4481,7 +4528,7 @@ perf_monitor = Note: Event stats from prior Snorts are now located within base statistics. -5.12.3. Flow Tracker +6.12.3. Flow Tracker Flow tracks statistics regarding traffic and L3/L4 protocol distributions. This data can be used to build a profile of traffic @@ -4491,7 +4538,7 @@ To enable: perf_monitor = { flow = true } -5.12.4. FlowIP Tracker +6.12.4. FlowIP Tracker FlowIP provides statistics for individual hosts within a network. This data can be used for identifying communication habits, such as @@ -4503,7 +4550,7 @@ To enable: perf_monitor = { flow_ip = true } -5.12.5. CPU Tracker +6.12.5. CPU Tracker This tracker monitors the CPU and wall time spent by a given processing thread. @@ -4512,7 +4559,7 @@ To enable: perf_monitor = { cpu = true } -5.12.6. Formatters +6.12.6. Formatters Performance monitor allows statistics to be output in a few formats. Along with human readable text (as seen at shutdown) and csv formats, @@ -4526,14 +4573,14 @@ used by Performance monitor, see the developer notes for Performance monitor or the code provided for fbstreamer. -5.13. POP and IMAP +6.13. POP and IMAP -------------- POP inspector is a service inspector for POP3 protocol and IMAP inspector is for IMAP4 protocol. -5.13.1. Overview +6.13.1. Overview POP and IMAP inspectors examine data traffic and find POP and IMAP commands and responses. The inspectors also identify the command, @@ -4541,7 +4588,7 @@ header, body sections and extract the MIME attachments and decode it appropriately. The pop and imap also identify and whitelist the pop and imap traffic. -5.13.2. Configuration +6.13.2. Configuration POP inspector and IMAP inspector offer same set of configuration options for MIME decoding depth. These depths range from 0 to 65535 @@ -4551,27 +4598,27 @@ be decoded. If you do not specify the default value is 1460 bytes. The depth limits apply per attachment. They are: -5.13.2.1. b64_decode_depth +6.13.2.1. b64_decode_depth Set the base64 decoding depth used to decode the base64-encoded MIME attachments. -5.13.2.2. qp_decode_depth +6.13.2.2. qp_decode_depth Set the Quoted-Printable (QP) decoding depth used to decode QP-encoded MIME attachments. -5.13.2.3. bitenc_decode_depth +6.13.2.3. bitenc_decode_depth Set the non-encoded MIME extraction depth used for non-encoded MIME attachments. -5.13.2.4. uu_decode_depth +6.13.2.4. uu_decode_depth Set the Unix-to-Unix (UU) decoding depth used to decode UU-encoded attachments. -5.13.2.5. Examples +6.13.2.5. Examples stream = { } @@ -4605,13 +4652,13 @@ pop = } -5.14. Port Scan +6.14. Port Scan -------------- A module to detect port scanning -5.14.1. Overview +6.14.1. Overview This module is designed to detect the first phase in a network attack: Reconnaissance. In the Reconnaissance phase, an attacker @@ -4711,7 +4758,7 @@ however, Portscan will only track open ports after the alert has been triggered. Open port events are not individual alerts, but tags based off the original scan alert. -5.14.2. Scan levels +6.14.2. Scan levels There are 3 default scan levels that can be set. @@ -4765,7 +4812,7 @@ setting will catch some slow scans because of the continuous monitoring, but is very sensitive to active hosts. This most definitely will require the user to tune Portscan. -5.14.3. Tuning Portscan +6.14.3. Tuning Portscan The most important aspect in detecting portscans is tuning the detection engine for your network(s). Here are some tuning tips: @@ -4842,7 +4889,7 @@ require the least tuning. The low sensitivity level does not catch filtered scans, since these are more prone to false positives. -5.15. Sensitive Data Filtering +6.15. Sensitive Data Filtering -------------- @@ -4852,21 +4899,21 @@ credit card numbers, U.S. Social Security numbers, and email addresses. A rich regular expression syntax is available for defining your own PII. -5.15.1. Hyperscan +6.15.1. Hyperscan The sd_pattern rule option is powered by the open source Hyperscan library from Intel. It provides a regex grammar which is mostly PCRE compatible. To learn more about Hyperscan see https://intel.github.io /hyperscan/dev-reference/ -5.15.2. Syntax +6.15.2. Syntax Snort provides sd_pattern as IPS rule option with no additional inspector overhead. The Rule option takes the following syntax. sd_pattern: ""[, threshold ]; -5.15.2.1. Pattern +6.15.2.1. Pattern Pattern is the most important and is the only required parameter to sd_pattern. It supports 3 built in patterns which are configured by @@ -4904,7 +4951,7 @@ but would not match 1@ourdomain.com ab12@ourdomain.com or Note: This is just an example, this pattern is not suitable to detect many correctly formatted emails. -5.15.2.2. Threshold +6.15.2.2. Threshold Threshold is an optional parameter allowing you to change built in default value (default value is 1). The following two instances are @@ -4922,7 +4969,7 @@ This example requires 300 matches of the pattern "This is a string literal" to qualify as a positive match. That is, if the string only occurred 299 times in a packet, you will not see an event. -5.15.2.3. Obfuscating Credit Cards and Social Security Numbers +6.15.2.3. Obfuscating Credit Cards and Social Security Numbers Snort provides discreet logging for the built in patterns "credit_card", "us_social" and "us_social_nodashes". Enabling @@ -4935,7 +4982,7 @@ output = obfuscate_pii = true } -5.15.3. Example +6.15.3. Example A complete Snort IPS rule @@ -4951,7 +4998,7 @@ Logged output when running Snort in "cmg" alert format. 58 58 58 58 58 58 58 58 58 58 58 58 39 32 39 34 XXXXXXXXXXXX9294 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -5.15.4. Caveats +6.15.4. Caveats 1. Snort currently requires setting the fast pattern engine to use "hyperscan" in order for sd_pattern ips option to function @@ -4968,13 +5015,13 @@ Logged output when running Snort in "cmg" alert format. (This is a known bug). -5.16. SMTP +6.16. SMTP -------------- SMTP inspector is a service inspector for SMTP protocol. -5.16.1. Overview +6.16.1. Overview The SMTP inspector examines SMTP connections looking for commands and responses. It also identifies the command, header and body sections, @@ -4984,7 +5031,7 @@ identifies and whitelists the SMTP traffic. SMTP inspector logs the filename, email addresses, attachment names when configured. -5.16.2. Configuration +6.16.2. Configuration SMTP command lines can be normalized to remove extraneous spaces. TLS-encrypted traffic can be ignored, which improves performance. In @@ -4993,7 +5040,7 @@ performance boost. The configuration options are described below: -5.16.2.1. normalize and normalize_cmds +6.16.2.1. normalize and normalize_cmds Normalization checks for more than one space character after a command. Space characters are defined as space (ASCII 0x20) or tab @@ -5004,34 +5051,34 @@ example: smtp = { normalize = 'cmds', normalize_cmds = 'RCPT VRFY EXPN' } -5.16.2.2. ignore_data +6.16.2.2. ignore_data Set it to true to ignore data section of mail (except for mail headers) when processing rules. -5.16.2.3. ignore_tls_data +6.16.2.3. ignore_tls_data Set it to true to ignore TLS-encrypted data when processing rules. -5.16.2.4. max_command_line_len +6.16.2.4. max_command_line_len Alert if an SMTP command line is longer than this value. Absence of this option or a "0" means never alert on command line length. RFC 2821 recommends 512 as a maximum command line length. -5.16.2.5. max_header_line_len +6.16.2.5. max_header_line_len Alert if an SMTP DATA header line is longer than this value. Absence of this option or a "0" means never alert on data header line length. RFC 2821 recommends 1024 as a maximum data header line length. -5.16.2.6. max_response_line_len +6.16.2.6. max_response_line_len Alert if an SMTP response line is longer than this value. Absence of this option or a "0" means never alert on response line length. RFC 2821 recommends 512 as a maximum response line length. -5.16.2.7. alt_max_command_line_len +6.16.2.7. alt_max_command_line_len Overrides max_command_line_len for specific commands For example: @@ -5047,11 +5094,11 @@ alt_max_command_line_len = }, } -5.16.2.8. invalid_cmds +6.16.2.8. invalid_cmds Alert if this command is sent from client side. -5.16.2.9. valid_cmds +6.16.2.9. valid_cmds List of valid commands. We do not alert on commands in this list. @@ -5061,36 +5108,36 @@ HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SIZE STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR ]] -5.16.2.10. data_cmds +6.16.2.10. data_cmds List of commands that initiate sending of data with an end of data delimiter the same as that of the DATA command per RFC 5321 - " .". -5.16.2.11. binary_data_cmds +6.16.2.11. binary_data_cmds List of commands that initiate sending of data and use a length value after the command to indicate the amount of data to be sent, similar to that of the BDAT command per RFC 3030. -5.16.2.12. auth_cmds +6.16.2.12. auth_cmds List of commands that initiate an authentication exchange between client and server. -5.16.2.13. xlink2state +6.16.2.13. xlink2state Enable/disable xlink2state alert, options are {disable | alert | drop}. See CVE-2005-0560 for a description of the vulnerability. -5.16.2.14. MIME processing depth parameters +6.16.2.14. MIME processing depth parameters These four MIME processing depth parameters are identical to their POP and IMAP counterparts. See that section for further details. b64_decode_depth qp_decode_depth bitenc_decode_depth uu_decode_depth -5.16.2.15. Log Options +6.16.2.15. Log Options Following log options allow SMTP inspector to log email addresses and filenames. Please note, this is logged only with the unified2 output @@ -5133,7 +5180,7 @@ This option specifies the depth for logging email headers. The allowed range for this option is 0 - 20480. A value of 0 will disable email headers logging. The default value for this option is 1464. -5.16.3. Example +6.16.3. Example smtp = { @@ -5186,7 +5233,7 @@ smtp = } -5.17. Telnet +6.17. Telnet -------------- @@ -5196,7 +5243,7 @@ command sequences per RFC 854. It will also determine when a telnet connection is encrypted, per the use of the telnet encryption option per RFC 2946. -5.17.1. Configuring the inspector to block exploits and attacks +6.17.1. Configuring the inspector to block exploits and attacks ayt_attack_thresh number @@ -5205,7 +5252,7 @@ the threshold number specified. This addresses a few specific vulnerabilities relating to bsd-based implementations of telnet. -5.18. Trace +6.18. Trace -------------- @@ -5218,7 +5265,7 @@ enable debug tracing, Snort must be configured at build time with wizard and snort.inspector_manager) are providing non-debug trace messages in normal production builds. -5.18.1. Trace module +6.18.1. Trace module The trace module is responsible for configuring traces and supports the following parameters: @@ -5256,7 +5303,7 @@ The trace module supports config reloading. Also, it’s possible to set or clear modules traces and packet filter constraints via the control channel command. -5.18.2. Trace module - configuring traces +6.18.2. Trace module - configuring traces The trace module has the modules option - a table with trace configuration for specific modules. The following lines placed in @@ -5338,7 +5385,7 @@ trace = } } -5.18.3. Trace module - configuring packet filter constraints for +6.18.3. Trace module - configuring packet filter constraints for packet related trace messages There is a capability to filter traces by the packet constraints. The @@ -5393,7 +5440,7 @@ trace = } } -5.18.4. Trace module - configuring trace output method +6.18.4. Trace module - configuring trace output method There is a capability to configure the output method for trace messages. The trace module has the output option with two acceptable @@ -5422,7 +5469,7 @@ trace = As a result, each trace message will be printed into syslog (the Snort run-mode will be ignored). -5.18.5. Configuring traces via control channel command +6.18.5. Configuring traces via control channel command There is a capability to configure module trace options and packet constraints via the control channel command by using a Snort shell. @@ -5455,7 +5502,7 @@ trace.set({modules = {...}}) - set only module trace options keeping old filteri trace.set({}) - disable traces and constraints (set to empty) -5.18.6. Trace messages format +6.18.6. Trace messages format Each tracing message has a standard format: @@ -5491,7 +5538,7 @@ address_space - unique ID of the address space Those info can be displayed only for IP packets. Port defaults to zero if a packet doesn’t have it. -5.18.7. Example - Debugging rules using detection trace +6.18.7. Example - Debugging rules using detection trace The detection engine is responsible for rule evaluation. Turning on the trace for it can help with debugging new rules. @@ -5619,7 +5666,7 @@ detection:rule_eval:1: Matched rule gid:sid:rev 1:3:0 detection:rule_vars:1: Rule options variables: var[0]=1 var[1]=10 var[2]=0 04/22-20:21:40.905630, 1, TCP, raw, 56, C2S, 127.0.0.1:1234, 127.0.0.1:5678, 1:3:0, allow -5.18.8. Example - Protocols decoding trace +6.18.8. Example - Protocols decoding trace Turning on decode trace will print out information about the packets decoded protocols. Can be useful in case of tunneling. @@ -5643,7 +5690,7 @@ decode:all:1: Codec ipv6 (protocol_id: 1) ip header starts at: 0x7f70800110f0, l decode:all:1: Codec icmp4 (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 8 decode:all:1: Codec unknown (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 0 -5.18.9. Example - Track the time packet spends in each inspector +6.18.9. Example - Track the time packet spends in each inspector There is a capability to track which inspectors evaluate a packet, and how much time the inspector consumes doing so. These trace @@ -5684,7 +5731,7 @@ snort:inspector_manager:1: post detection inspection, raw, packet 1, context 1 snort:inspector_manager:1: end inspection, raw, packet 1, context 1, total time: 0 usec snort:main:1: [0] Destroying completed command RUN -5.18.10. Example - trace filtering by packet constraints: +6.18.10. Example - trace filtering by packet constraints: In snort.lua, the following lines were added: @@ -5746,7 +5793,7 @@ detection:rule_eval:1: packet 4 UNK 10.1.1.2:200 10.2.1.1:100 (non-fast-patterns The trace messages for two last packets (numbers 5 and 6) weren’t printed. -5.18.11. Example - configuring traces via trace.set() command +6.18.11. Example - configuring traces via trace.set() command In snort.lua, the following lines were added: @@ -5829,7 +5876,7 @@ The new configuration was applied. decode:all:1 messages aren’t filtered because they don’t include a packet (a packet isn’t well-formed at the point when the message is printing). -5.18.12. Other available traces +6.18.12. Other available traces There are more trace options supported by detection: @@ -5856,7 +5903,7 @@ developer. Some are for corner cases, others for complex data structures. -5.19. Wizard +6.19. Wizard -------------- @@ -5894,7 +5941,7 @@ Additional Details: --------------------------------------------------------------------- -6. DAQ Configuration and Modules +7. DAQ Configuration and Modules --------------------------------------------------------------------- @@ -5916,7 +5963,7 @@ modules developed by third parties to facilitate the usage of their own hardware and software platforms exist. -6.1. Building the DAQ Library and Its Bundled DAQ Modules +7.1. Building the DAQ Library and Its Bundled DAQ Modules -------------- @@ -5925,7 +5972,7 @@ how to build the library and modules as well as details on configuring and using the bundled DAQ modules. -6.2. Configuration +7.2. Configuration -------------- @@ -5990,12 +6037,12 @@ default can be overridden with the --daq-batch-size command line option or daq.batch_size property. The message pool size requested from the DAQ module will be four times this batch size. -6.2.1. Command Line Example +7.2.1. Command Line Example snort --daq-dir /usr/local/lib/daq --daq-dir /opt/lib/daq --daq afpacket --daq-var debug --daq-var fanout_type=hash -i eth1:eth2 -Q -6.2.2. Configuration File Example +7.2.2. Configuration File Example The following is the equivalent of the above command line DAQ configuration in Lua form: @@ -6029,7 +6076,7 @@ daq = The daq.snaplen property was included for completeness and may be omitted if the default value is acceptable. -6.2.3. DAQ Module Configuration Stacks +7.2.3. DAQ Module Configuration Stacks Like briefly mentioned above, a DAQ configuration consists of a base DAQ module and zero or more wrapper DAQ modules. DAQ wrapper modules @@ -6066,7 +6113,7 @@ configure via a Lua configuration file rather than using the command line options. -6.3. Interaction With Multiple Packet Threads +7.3. Interaction With Multiple Packet Threads -------------- @@ -6093,11 +6140,11 @@ falling back to the first if the number of packet threads exceeds the number of inputs. -6.4. DAQ Modules Included With Snort 3 +7.4. DAQ Modules Included With Snort 3 -------------- -6.4.1. Socket Module +7.4.1. Socket Module The socket module provides provides a stream socket server that will accept up to 2 simultaneous connections and bridge them together @@ -6129,7 +6176,7 @@ To use the socket DAQ, start Snort like this: with Snort 2. * This module is primarily for development and test. -6.4.2. File Module +7.4.2. File Module The file module provides the ability to process files directly without having to extract them from pcaps. Use the file module with @@ -6146,7 +6193,7 @@ threads with these Snort options: with Snort 2. * This module is primarily for development and test. -6.4.3. Hext Module +7.4.3. Hext Module The hext module generates packets suitable for processing by Snort from hex/plain text. Raw packets include full headers and are diff --git a/lua/file_magic.lua b/lua/file_magic.lua index e67e7830f..4160c2ef9 100644 --- a/lua/file_magic.lua +++ b/lua/file_magic.lua @@ -184,7 +184,7 @@ file_magic = { type = 'IntelHEX', id = 302, category = 'System files', msg = 'Binary files for Microcontroller/Other Chip based applications', rev = 1, magic = { { content = '| 3A 32 |', offset = 0, }, { content = '| 30 33 |', offset = 7, }, }, }, { type = 'IntelHEX', id = 303, category = 'System files', msg = 'Binary files for Microcontroller/Other Chip based applications', rev = 1, magic = { { content = '| 3A 32 |', offset = 0, }, { content = '| 30 34 |', offset = 7, }, }, }, { type = 'IntelHEX', id = 304, category = 'System files', msg = 'Binary files for Microcontroller/Other Chip based applications', rev = 1, magic = { { content = '| 3A 32 |', offset = 0, }, { content = '| 30 35 |', offset = 7, }, }, }, - { type = 'IntelHEX', id = 305, category = 'System files', msg = 'Binary files for Microcontroller/Other Chip based applications', rev = 1, magic = { { content = '| 3A 32 |', offset = 0, }, { content = '| 32 30 |', offset = 7, }, }, }, + { type = 'IntelHEX', id = 305, category = 'System files', msg = 'Binary files for Microcontroller/Other Chip based applications', rev = 1, magic = { { content = '| 3A 32 |', offset = 0, }, { content = '| 32 30 |', offset = 7, }, }, }, { type = 'IntelHEX', id = 306, category = 'System files', msg = 'Binary files for Microcontroller/Other Chip based applications', rev = 1, magic = { { content = '| 3A 32 |', offset = 0, }, { content = '| 32 32 |', offset = 7, }, }, }, { type = 'REG', id = 307, category = 'System files', msg = 'Windows Registry and Registry Undo files (REG)', rev = 1, magic = { { content = '| FF FE |', offset = 0, }, }, }, { type = 'MSHTML', id = 308, category = 'Office Documents', msg = 'Proprietary layout engine for Microsoft Internet Explorer', rev = 1, magic = { { content = '| 3D 22 2D 2D 2D 2D 3D 5F |', offset = 60, }, }, }, diff --git a/lua/snort.lua b/lua/snort.lua index 29283e9f7..30a55c4ea 100644 --- a/lua/snort.lua +++ b/lua/snort.lua @@ -171,7 +171,7 @@ ips = -- use include for rules files; be sure to set your path -- note that rules files can include other rules files --include = 'snort3-community.rules', - + variables = default_variables } diff --git a/piglet/tests/instance/logger.lua b/piglet/tests/instance/logger.lua index 177f46385..de19c4ae6 100644 --- a/piglet/tests/instance/logger.lua +++ b/piglet/tests/instance/logger.lua @@ -41,7 +41,7 @@ tests = Logger.alert(p, "foo", e) end, - + log = function() local p = packet.construct_ip4(IP4:encode_hex(), DATA) local e = Event.new() diff --git a/piglet/tests/instance/logger_csv.lua b/piglet/tests/instance/logger_csv.lua index 177f46385..de19c4ae6 100644 --- a/piglet/tests/instance/logger_csv.lua +++ b/piglet/tests/instance/logger_csv.lua @@ -41,7 +41,7 @@ tests = Logger.alert(p, "foo", e) end, - + log = function() local p = packet.construct_ip4(IP4:encode_hex(), DATA) local e = Event.new() diff --git a/piglet/tests/instance/logger_fast.lua b/piglet/tests/instance/logger_fast.lua index 204117bf6..91402aff6 100644 --- a/piglet/tests/instance/logger_fast.lua +++ b/piglet/tests/instance/logger_fast.lua @@ -41,7 +41,7 @@ tests = Logger.alert(p, "foo", e) end, - + log = function() local p = packet.construct_ip4(IP4:encode_hex(), DATA) local e = Event.new() diff --git a/piglet/tests/instance/logger_full.lua b/piglet/tests/instance/logger_full.lua index 5fbe9a179..dbd3f02c0 100644 --- a/piglet/tests/instance/logger_full.lua +++ b/piglet/tests/instance/logger_full.lua @@ -41,7 +41,7 @@ tests = Logger.alert(p, "foo", e) end, - + log = function() local p = packet.construct_ip4(IP4:encode_hex(), DATA) local e = Event.new() diff --git a/piglet/tests/interface/raw_buffer.lua b/piglet/tests/interface/raw_buffer.lua index aada788f6..4b19a1381 100644 --- a/piglet/tests/interface/raw_buffer.lua +++ b/piglet/tests/interface/raw_buffer.lua @@ -119,7 +119,7 @@ tests = check.raises(function() rb:read(-1, rb:size()) end) check.raises(function() rb:read(0, rb:size() + 1) end) end, - + resize = function() local rb = RawBuffer.new() -- resize diff --git a/src/codecs/ip/cd_udp.cc b/src/codecs/ip/cd_udp.cc index 50125b644..f9187ec2c 100644 --- a/src/codecs/ip/cd_udp.cc +++ b/src/codecs/ip/cd_udp.cc @@ -172,7 +172,7 @@ public: config = nullptr; return tmp; } - + private: UdpCodecConfig* config; }; diff --git a/src/dump_config/config_data.cc b/src/dump_config/config_data.cc index a7e71e179..cd838ea41 100644 --- a/src/dump_config/config_data.cc +++ b/src/dump_config/config_data.cc @@ -97,7 +97,7 @@ void ValueConfigNode::set_value(const snort::Value& v) BaseConfigNode* ValueConfigNode::get_node(const std::string& name) { if ( !custom_name.empty() ) - return ((custom_name == name) and value.has_default()) ? this : nullptr; + return ((custom_name == name) and value.has_default()) ? this : nullptr; else return value.is(name.c_str()) and value.has_default() ? this : nullptr; } @@ -231,7 +231,7 @@ TEST_CASE("value_config_node", "[ValueConfigNode]") { BaseConfigNode* parent_node = new TreeConfigNode(nullptr, "parent_node", Parameter::Type::PT_TABLE); - + const Parameter p_string("param_str", Parameter::PT_STRING, nullptr, nullptr, "test param PT_STRING type"); @@ -333,7 +333,7 @@ TEST_CASE("value_config_node", "[ValueConfigNode]") Value new_val3_multi("test3"); value_node_multi->set_value(new_val3_multi); - + SECTION("get_value_after_update") { CHECK(value_node_str->get_value()->get_origin_string() == "new_value"); diff --git a/src/events/CMakeLists.txt b/src/events/CMakeLists.txt index 08aeaa2f7..c690af09f 100644 --- a/src/events/CMakeLists.txt +++ b/src/events/CMakeLists.txt @@ -6,8 +6,8 @@ set (INCLUDES add_library (events OBJECT event.cc - event_queue.cc - sfeventq.cc + event_queue.cc + sfeventq.cc sfeventq.h ${INCLUDES} ) diff --git a/src/file_api/CMakeLists.txt b/src/file_api/CMakeLists.txt index dadac33b0..2eddff699 100644 --- a/src/file_api/CMakeLists.txt +++ b/src/file_api/CMakeLists.txt @@ -4,33 +4,33 @@ set( FILE_API_INCLUDES file_capture.h file_config.h file_flows.h - file_identifier.h + file_identifier.h file_lib.h - file_module.h + file_module.h file_policy.h file_segment.h - file_service.h + file_service.h ) add_library ( file_api OBJECT ${FILE_API_INCLUDES} - circular_buffer.cc + circular_buffer.cc circular_buffer.h file_capture.cc file_cache.cc file_cache.h - file_config.cc - file_flows.cc + file_config.cc + file_flows.cc file_identifier.cc - file_lib.cc - file_log.cc + file_lib.cc + file_log.cc file_mempool.cc file_mempool.h file_module.cc file_policy.cc file_segment.cc - file_service.cc - file_stats.cc + file_service.cc + file_stats.cc file_stats.h ) diff --git a/src/file_api/file_service.cc b/src/file_api/file_service.cc index 715be9a92..1abc997f0 100644 --- a/src/file_api/file_service.cc +++ b/src/file_api/file_service.cc @@ -183,7 +183,7 @@ int64_t FileService::get_max_file_depth() void FileService::reset_depths() { FileConfig* file_config = get_file_config(); - + if (file_config) file_config->file_depth = 0; diff --git a/src/flow/flow_key.cc b/src/flow/flow_key.cc index 3251a7392..a655bf988 100644 --- a/src/flow/flow_key.cc +++ b/src/flow/flow_key.cc @@ -495,7 +495,7 @@ unsigned FlowHashKeyOps::do_hash(const unsigned char* k, int) c += d[11]; // addressSpaceId, vlan mix(a, b, c); - + a += d[12]; // ip_proto, pkt_type, version, 8 bits of zeroed pad finalize(a, b, c); diff --git a/src/flow/flow_key.h b/src/flow/flow_key.h index 1db84829e..3295f7d9b 100644 --- a/src/flow/flow_key.h +++ b/src/flow/flow_key.h @@ -80,7 +80,7 @@ struct SO_PUBLIC FlowKey const snort::SfIp *dstIP, uint16_t dstPort, uint16_t vlanId, uint32_t mplsId, uint16_t addrSpaceId, int16_t group_h = DAQ_PKTHDR_UNKNOWN, int16_t group_l = DAQ_PKTHDR_UNKNOWN); - + bool init( const SnortConfig*, PktType, IpProtocol, const snort::SfIp *srcIP, const snort::SfIp *dstIP, @@ -93,11 +93,11 @@ struct SO_PUBLIC FlowKey const snort::SfIp *srcIP, uint16_t srcPort, const snort::SfIp *dstIP, uint16_t dstPort, uint16_t vlanId, uint32_t mplsId, const DAQ_PktHdr_t&); - + bool init( const SnortConfig*, PktType, IpProtocol, const snort::SfIp *srcIP, const snort::SfIp *dstIP, - uint32_t id, uint16_t vlanId, uint32_t mplsId, const DAQ_PktHdr_t&); + uint32_t id, uint16_t vlanId, uint32_t mplsId, const DAQ_PktHdr_t&); void init_mpls(const SnortConfig*, uint32_t); void init_vlan(const SnortConfig*, uint16_t); diff --git a/src/flow/test/flow_control_test.cc b/src/flow/test/flow_control_test.cc index 0fcd8eff2..09cdb7de7 100644 --- a/src/flow/test/flow_control_test.cc +++ b/src/flow/test/flow_control_test.cc @@ -153,7 +153,7 @@ bool FlowKey::init( PktType, IpProtocol, const SfIp*, const SfIp*, uint32_t, uint16_t, - uint32_t, const DAQ_PktHdr_t&) + uint32_t, const DAQ_PktHdr_t&) { return true; } diff --git a/src/framework/api_options.h.in b/src/framework/api_options.h.in index ab4688930..92cc42558 100644 --- a/src/framework/api_options.h.in +++ b/src/framework/api_options.h.in @@ -12,7 +12,7 @@ // loading (that should be true for virtuals as well). // for example, suppose we had this: -// +// // struct SnortConfig // { // // some member data @@ -23,7 +23,7 @@ // }; // and then we did this: -// +// // 1. build and install snort with build option set A. // 2. build and install external plugins. These use A and are compatible. // 3. build and install snort with build option set B (changing FOO). diff --git a/src/hash/lru_cache_shared.h b/src/hash/lru_cache_shared.h index e772548de..4bdc10742 100644 --- a/src/hash/lru_cache_shared.h +++ b/src/hash/lru_cache_shared.h @@ -285,7 +285,7 @@ find_else_insert(const Key& key, std::shared_ptr& data, bool replace) { // Explicitly calling the reset so its more clear that destructor could be called for the object map_iter->second->second.reset(); - map_iter->second->second = data; + map_iter->second->second = data; stats.replaced++; } list.splice(list.begin(), list, map_iter->second); // update LRU diff --git a/src/helpers/discovery_filter.cc b/src/helpers/discovery_filter.cc index 20fceb68b..a3e3a3602 100644 --- a/src/helpers/discovery_filter.cc +++ b/src/helpers/discovery_filter.cc @@ -244,7 +244,7 @@ bool DiscoveryFilter::is_monitored(const Packet* p, FilterType type, const SfIp* if ( is_port_excluded(p) ) return false; - // check interface + // check interface if (intf_ip_list[type].empty()) return false; // the configuration did not have this type of rule @@ -382,7 +382,7 @@ TEST_CASE("Discovery Filter", "[is_monitored]") ofstream out_stream(conf.c_str()); out_stream << "config Error\n"; // invalid out_stream << "config AnalyzeUser ::/0 0\n"; // any ipv6, interface 0 - out_stream << "config AnalyzeApplication 1.1.1.0/24 -1\n"; // targeted ipv4, any interface + out_stream << "config AnalyzeApplication 1.1.1.0/24 -1\n"; // targeted ipv4, any interface out_stream.close(); Packet p; diff --git a/src/lua/test/CMakeLists.txt b/src/lua/test/CMakeLists.txt index 0edbdd0ce..a0d3237a6 100644 --- a/src/lua/test/CMakeLists.txt +++ b/src/lua/test/CMakeLists.txt @@ -1,5 +1,5 @@ add_catch_test( lua_stack_test - LIBS + LIBS ${LUAJIT_LIBRARIES} ${CMAKE_DL_LIBS} ) diff --git a/src/main/build.h b/src/main/build.h index ac84188a7..bc520a46b 100644 --- a/src/main/build.h +++ b/src/main/build.h @@ -12,7 +12,7 @@ // // //-----------------------------------------------// -#define BUILD_NUMBER 2 +#define BUILD_NUMBER 3 #ifndef EXTRABUILD #define BUILD STRINGIFY_MX(BUILD_NUMBER) diff --git a/src/main/snort_debug.cc b/src/main/snort_debug.cc index 6207658ea..362df68a9 100644 --- a/src/main/snort_debug.cc +++ b/src/main/snort_debug.cc @@ -191,7 +191,7 @@ TEST_CASE("debug_log, debug_logf", "[trace]") CHECK( (strlen(testing_dump) == 0) ); testing_dump[0] = '\0'; - debug_log(&test_trace, nullptr, "my message"); + debug_log(&test_trace, nullptr, "my message"); CHECK( !strcmp(testing_dump, "test_module:all:1: my message") ); testing_dump[0] = '\0'; diff --git a/src/mime/CMakeLists.txt b/src/mime/CMakeLists.txt index 713be80a8..31f0f119b 100644 --- a/src/mime/CMakeLists.txt +++ b/src/mime/CMakeLists.txt @@ -4,21 +4,21 @@ set( MIME_INCLUDES decode_base.h file_mime_config.h file_mime_context_data.h - file_mime_decode.h - file_mime_log.h - file_mime_paf.h - file_mime_process.h + file_mime_decode.h + file_mime_log.h + file_mime_paf.h + file_mime_process.h ) add_library ( mime OBJECT ${MIME_INCLUDES} - file_mime_config.cc - file_mime_context_data.cc - file_mime_decode.cc - file_mime_log.cc - file_mime_paf.cc - file_mime_process.cc - decode_base.cc + file_mime_config.cc + file_mime_context_data.cc + file_mime_decode.cc + file_mime_log.cc + file_mime_paf.cc + file_mime_process.cc + decode_base.cc decode_b64.cc decode_bit.cc decode_bit.h diff --git a/src/network_inspectors/appid/appid_http_session.cc b/src/network_inspectors/appid/appid_http_session.cc index 816d605dc..50efedae9 100644 --- a/src/network_inspectors/appid/appid_http_session.cc +++ b/src/network_inspectors/appid/appid_http_session.cc @@ -674,7 +674,7 @@ int AppIdHttpSession::process_http_packet(AppidSessionDirection direction, set_referred_payload(referredPayloadAppId, change_bits); } - is_payload_processed = true; + is_payload_processed = true; asd.scan_flags &= ~SCAN_HTTP_HOST_URL_FLAG; if ( version ) snort_free(version); diff --git a/src/network_inspectors/appid/appid_session.h b/src/network_inspectors/appid/appid_session.h index 8603937da..20307e0a7 100644 --- a/src/network_inspectors/appid/appid_session.h +++ b/src/network_inspectors/appid/appid_session.h @@ -577,7 +577,7 @@ public: { return std::make_tuple(&service_ip, service_port, service_group); } - + uint16_t get_service_port() const { return service_port; diff --git a/src/network_inspectors/appid/service_plugins/service_detector.cc b/src/network_inspectors/appid/service_plugins/service_detector.cc index 7bd7c8f06..b697c8cd8 100644 --- a/src/network_inspectors/appid/service_plugins/service_detector.cc +++ b/src/network_inspectors/appid/service_plugins/service_detector.cc @@ -112,7 +112,7 @@ int ServiceDetector::update_service_data(AppIdSession& asd, const Packet* pkt, port = pkt->ptrs.sp; group = pkt->get_ingress_group(); } - if (asd.get_service_port()) + if (asd.get_service_port()) port = asd.get_service_port(); } else diff --git a/src/network_inspectors/appid/service_state.cc b/src/network_inspectors/appid/service_state.cc index 419acc5a0..7d4179bb6 100644 --- a/src/network_inspectors/appid/service_state.cc +++ b/src/network_inspectors/appid/service_state.cc @@ -226,7 +226,7 @@ ServiceDiscoveryState* AppIdServiceState::get(const SfIp* ip, IpProtocol proto, asid, decrypted), do_touch); } -void AppIdServiceState::remove(const SfIp* ip, IpProtocol proto, uint16_t port, +void AppIdServiceState::remove(const SfIp* ip, IpProtocol proto, uint16_t port, int16_t group, uint16_t asid, bool decrypted) { AppIdServiceStateKey ssk(ip, proto, port, group, asid, decrypted); diff --git a/src/network_inspectors/appid/test/appid_session_api_test.cc b/src/network_inspectors/appid/test/appid_session_api_test.cc index a0f7b2ee5..b7796aa6e 100644 --- a/src/network_inspectors/appid/test/appid_session_api_test.cc +++ b/src/network_inspectors/appid/test/appid_session_api_test.cc @@ -133,8 +133,8 @@ TEST(appid_session_api, get_tls_host) change_bits.set(APPID_TLSHOST_BIT); mock_session->tsession->set_tls_host(nullptr, 0, change_bits); mock_session->set_tls_host(change_bits); - const char* val = mock_session->get_api().get_tls_host(); - STRCMP_EQUAL(val, nullptr); + const char* val = mock_session->get_api().get_tls_host(); + STRCMP_EQUAL(val, nullptr); char* host = snort_strdup(APPID_UT_TLS_HOST); mock_session->tsession->set_tls_host(host, 0, change_bits); mock_session->set_tls_host(change_bits); diff --git a/src/network_inspectors/arp_spoof/CMakeLists.txt b/src/network_inspectors/arp_spoof/CMakeLists.txt index 93b9c83d1..26100c17a 100644 --- a/src/network_inspectors/arp_spoof/CMakeLists.txt +++ b/src/network_inspectors/arp_spoof/CMakeLists.txt @@ -12,5 +12,5 @@ if (STATIC_INSPECTORS) else (STATIC_INSPECTORS) add_dynamic_module(arp_spoof inspectors ${FILE_LIST}) - + endif (STATIC_INSPECTORS) diff --git a/src/network_inspectors/binder/CMakeLists.txt b/src/network_inspectors/binder/CMakeLists.txt index d74028fad..ec93bbfde 100644 --- a/src/network_inspectors/binder/CMakeLists.txt +++ b/src/network_inspectors/binder/CMakeLists.txt @@ -12,6 +12,6 @@ add_library(binder OBJECT ${FILE_LIST}) #else (STATIC_INSPECTORS) # add_dynamic_module(binder inspectors ${FILE_LIST}) -# +# #endif (STATIC_INSPECTORS) diff --git a/src/network_inspectors/packet_tracer/packet_tracer.cc b/src/network_inspectors/packet_tracer/packet_tracer.cc index 9e0f46f9e..273a7b5e7 100644 --- a/src/network_inspectors/packet_tracer/packet_tracer.cc +++ b/src/network_inspectors/packet_tracer/packet_tracer.cc @@ -279,7 +279,7 @@ void PacketTracer::add_ip_header_info(const Packet& p) actual_dip->ntop(dipstr, sizeof(dipstr)); char gr_buf[32] = {0}; - if (p.is_inter_group_flow()) + if (p.is_inter_group_flow()) snprintf(gr_buf, sizeof(gr_buf), " GR=%hd-%hd", p.pkth->ingress_group, p.pkth->egress_group); @@ -396,8 +396,7 @@ void PacketTracer::open_file() void PacketTracer::dump_to_daq(Packet* p) { assert(p); - p->daq_instance->set_packet_trace_data(p->daq_msg, - (uint8_t *)buffer, buff_len + 1); + p->daq_instance->set_packet_trace_data(p->daq_msg, (uint8_t *)buffer, buff_len + 1); } void PacketTracer::reset() diff --git a/src/network_inspectors/reputation/reputation_module.cc b/src/network_inspectors/reputation/reputation_module.cc index 611f61526..ba0693d27 100644 --- a/src/network_inspectors/reputation/reputation_module.cc +++ b/src/network_inspectors/reputation/reputation_module.cc @@ -147,7 +147,7 @@ bool ReputationModule::set(const char*, Value& v, SnortConfig*) if (priority == 3) // blacklist priority = 1; - + else if (priority == 4) // whitelist priority = 2; diff --git a/src/network_inspectors/rna/rna_app_discovery.cc b/src/network_inspectors/rna/rna_app_discovery.cc index f7cf148e8..c83995aa1 100644 --- a/src/network_inspectors/rna/rna_app_discovery.cc +++ b/src/network_inspectors/rna/rna_app_discovery.cc @@ -199,12 +199,12 @@ void RnaAppDiscovery::discover_payload(const Packet* p, IpProtocol proto, RnaTra if ( new_pld ) { - if ( proto == IpProtocol::TCP ) - logger.log(RNA_EVENT_CHANGE, CHANGE_TCP_SERVICE_INFO, p, &rt, - (const struct in6_addr*) src_ip, src_mac, &local_ha); - else - logger.log(RNA_EVENT_CHANGE, CHANGE_UDP_SERVICE_INFO, p, &rt, - (const struct in6_addr*) src_ip, src_mac, &local_ha); + if ( proto == IpProtocol::TCP ) + logger.log(RNA_EVENT_CHANGE, CHANGE_TCP_SERVICE_INFO, p, &rt, + (const struct in6_addr*) src_ip, src_mac, &local_ha); + else + logger.log(RNA_EVENT_CHANGE, CHANGE_UDP_SERVICE_INFO, p, &rt, + (const struct in6_addr*) src_ip, src_mac, &local_ha); } } diff --git a/src/network_inspectors/rna/rna_logger.h b/src/network_inspectors/rna/rna_logger.h index 4deb0a5ba..76d2eed93 100644 --- a/src/network_inspectors/rna/rna_logger.h +++ b/src/network_inspectors/rna/rna_logger.h @@ -105,7 +105,7 @@ public: const uint8_t* src_mac, RnaTracker* ht, const snort::Packet* p = nullptr, uint32_t event_time = 0, uint16_t proto = 0, const snort::HostMac* hm = nullptr, const snort::HostApplication* ha = nullptr, const snort::FpFingerprint* fp = nullptr, - void* cond_var = nullptr, const snort::HostClient* hc = nullptr, + void* cond_var = nullptr, const snort::HostClient* hc = nullptr, const char* user = nullptr, AppId appid = APP_ID_NONE, const char* device_info = nullptr, bool jail_broken = false); diff --git a/src/network_inspectors/rna/test/rna_module_mock.h b/src/network_inspectors/rna/test/rna_module_mock.h index d32d8dba1..d35393c3b 100644 --- a/src/network_inspectors/rna/test/rna_module_mock.h +++ b/src/network_inspectors/rna/test/rna_module_mock.h @@ -83,10 +83,10 @@ RnaInspector(RnaModule* mod) { if (mod_conf) { - delete mod_conf->tcp_processor; - delete mod_conf->ua_processor; - delete mod_conf; - } + delete mod_conf->tcp_processor; + delete mod_conf->ua_processor; + delete mod_conf; + } } TcpFpProcessor* get_fp_processor() diff --git a/src/parser/parse_rule.cc b/src/parser/parse_rule.cc index ef94c65c3..2905fcfe0 100644 --- a/src/parser/parse_rule.cc +++ b/src/parser/parse_rule.cc @@ -1331,7 +1331,7 @@ void parse_rule_close(SnortConfig* sc, RuleTreeNode& rtn, OptTreeNode* otn) if ( is_service_protocol(otn->snort_protocol_id) ) { - // copy required because the call to add_service_to_otn can + // copy required because the call to add_service_to_otn can // invalidate the service name pointer std::string service = sc->proto_ref->get_name(otn->snort_protocol_id); add_service_to_otn(sc, otn, service.c_str()); diff --git a/src/payload_injector/payload_injector_module.h b/src/payload_injector/payload_injector_module.h index 3e874a3ae..069ff2d04 100644 --- a/src/payload_injector/payload_injector_module.h +++ b/src/payload_injector/payload_injector_module.h @@ -77,7 +77,7 @@ public: InjectionControl& control); static const char* get_err_string(InjectionReturnStatus status); - + #ifdef UNIT_TEST void set_configured(bool val) { configured = val; } #endif @@ -96,8 +96,7 @@ public: }; #ifdef UNIT_TEST -InjectionReturnStatus write_7_bit_prefix_int(uint32_t val, uint8_t*& out, - uint32_t& out_free_space); +InjectionReturnStatus write_7_bit_prefix_int(uint32_t val, uint8_t*& out, uint32_t& out_free_space); #endif #endif diff --git a/src/payload_injector/test/payload_injector_test.cc b/src/payload_injector/test/payload_injector_test.cc index 42608fe62..322399aaa 100644 --- a/src/payload_injector/test/payload_injector_test.cc +++ b/src/payload_injector/test/payload_injector_test.cc @@ -118,7 +118,7 @@ Http2FlowData::Http2FlowData(snort::Flow*) : hpack_decoder { Http2HpackDecoder(this, SRC_CLIENT, events[SRC_CLIENT], infractions[SRC_CLIENT]), - Http2HpackDecoder(this, SRC_SERVER, events[SRC_SERVER], infractions[SRC_SERVER]) + Http2HpackDecoder(this, SRC_SERVER, events[SRC_SERVER], infractions[SRC_SERVER]) } { } Http2FlowData::~Http2FlowData() { } diff --git a/src/payload_injector/test/payload_injector_translate_test.cc b/src/payload_injector/test/payload_injector_translate_test.cc index df9af32f0..b62006889 100644 --- a/src/payload_injector/test/payload_injector_translate_test.cc +++ b/src/payload_injector/test/payload_injector_translate_test.cc @@ -311,7 +311,7 @@ TEST(payload_injector_translate_test, val_len1) 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x0, 0x0, 0x4, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x0, 0x0, 0x4, 0x0, 0x1, 0x0, 0x0, 0x0, 0x1, 0x62, 0x6f, 0x64, 0x79 }; CHECK(payload_len == sizeof(out)); @@ -343,10 +343,10 @@ TEST(payload_injector_translate_test, val_len2) 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x0, 0x0, 0x4, 0x0, 0x1, 0x0, 0x0, 0x0, 0x1, 0x62, 0x6f, 0x64, 0x79 }; @@ -382,35 +382,35 @@ TEST(payload_injector_translate_test, val_len3) 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, - 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, + 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x0, 0x0, 0x4, 0x0, 0x1, 0x0, 0x0, 0x0, 0x1, 0x62, 0x6f, 0x64, 0x79 diff --git a/src/protocols/packet.cc b/src/protocols/packet.cc index 787efa58a..8d043cea2 100644 --- a/src/protocols/packet.cc +++ b/src/protocols/packet.cc @@ -265,7 +265,7 @@ uint16_t Packet::get_flow_vlan_id() const } bool Packet::is_from_application_client() const -{ +{ if (flow) return flow->flags.app_direction_swapped ? is_from_server() : is_from_client(); else @@ -273,7 +273,7 @@ bool Packet::is_from_application_client() const } bool Packet::is_from_application_server() const -{ +{ if (flow) return flow->flags.app_direction_swapped ? is_from_client() : is_from_server(); else diff --git a/src/protocols/packet_manager.cc b/src/protocols/packet_manager.cc index ff9c6efa6..f5450bfb1 100644 --- a/src/protocols/packet_manager.cc +++ b/src/protocols/packet_manager.cc @@ -120,7 +120,7 @@ static inline bool payload_offset_from_daq_mismatch(const uint8_t* pkt, const Ra (const DAQ_PktDecodeData_t*) daq_msg_get_meta(raw.daq_msg, DAQ_PKT_META_DECODE_DATA); if ( !pdd || (pdd->payload_offset == DAQ_PKT_DECODE_OFFSET_INVALID) ) return false; - // compare payload offset from DAQ with decoded data offset + // compare payload offset from DAQ with decoded data offset if ( raw.data - pkt != pdd->payload_offset ) return true; return false; diff --git a/src/pub_sub/dcerpc_events.h b/src/pub_sub/dcerpc_events.h index 3b28ff800..d2267e59e 100644 --- a/src/pub_sub/dcerpc_events.h +++ b/src/pub_sub/dcerpc_events.h @@ -29,22 +29,22 @@ public: const snort::Packet* get_packet() override { return p; } - const snort::SfIp* get_src_ip() const + const snort::SfIp* get_src_ip() const { return src_ip; } - - const snort::SfIp* get_dst_ip() const + + const snort::SfIp* get_dst_ip() const { return dst_ip; } - - uint16_t get_src_port() const + + uint16_t get_src_port() const { return src_port; } - - uint16_t get_dst_port() const + + uint16_t get_dst_port() const { return dst_port; } - SnortProtocolId get_proto_id() const + SnortProtocolId get_proto_id() const { return protocol_id; } - IpProtocol get_ip_proto() const + IpProtocol get_ip_proto() const { return proto; } private: diff --git a/src/search_engines/CMakeLists.txt b/src/search_engines/CMakeLists.txt index 05b9ede43..e3f3f8aa4 100644 --- a/src/search_engines/CMakeLists.txt +++ b/src/search_engines/CMakeLists.txt @@ -5,7 +5,7 @@ set (SEARCH_ENGINE_INCLUDES ) set (ACSMX_SOURCES - ac_std.cc + ac_std.cc acsmx.cc acsmx.h ) diff --git a/src/service_inspectors/cip/CMakeLists.txt b/src/service_inspectors/cip/CMakeLists.txt index 1ac317fbb..a02896687 100644 --- a/src/service_inspectors/cip/CMakeLists.txt +++ b/src/service_inspectors/cip/CMakeLists.txt @@ -12,10 +12,10 @@ set( FILE_LIST cip_session.h ips_cip_attribute.cc ips_cip_class.cc - ips_cip_connpathclass.cc + ips_cip_connpathclass.cc ips_cip_enipcommand.cc ips_cip_enipreq.cc - ips_cip_eniprsp.cc + ips_cip_eniprsp.cc ips_cip_instance.cc ips_cip_req.cc ips_cip_rsp.cc diff --git a/src/service_inspectors/dce_rpc/dce_co.cc b/src/service_inspectors/dce_rpc/dce_co.cc index cb8a87cec..ac8b121fe 100644 --- a/src/service_inspectors/dce_rpc/dce_co.cc +++ b/src/service_inspectors/dce_rpc/dce_co.cc @@ -146,7 +146,7 @@ static void DCE2_CoEptMapResponse(DCE2_SsnData* sd, const DceRpcCoHdr* co_hdr, * 2 * +-------------+---------+---------+---------+---------+ * | floor count | floor 1 | floor 2 | ... | floor n | - * +-------------+---------+---------+---------+---------+ + * +-------------+---------+---------+---------+---------+ * The target is 4th & 5th floors */ if (ndr_flen > dlen) @@ -172,12 +172,11 @@ static void DCE2_CoEptMapResponse(DCE2_SsnData* sd, const DceRpcCoHdr* co_hdr, dce2_move(stub_data, dlen, fc_offset); /* No needed data for the pinhole creation */ - if (floor_count < 5) + if (floor_count < 5) continue; - floor3_start = 2 * DCE2_CO_MAP_TWR_FLOOR12_OFS + - DCE2_CO_MAP_FLR_COUNT_OFS; - + floor3_start = 2 * DCE2_CO_MAP_TWR_FLOOR12_OFS + DCE2_CO_MAP_FLR_COUNT_OFS; + /* Skipping 1st & 2nd floors up to 3rd floor protocol id */ proto_offset = floor3_start + DCE2_CO_MAP_FLR_LHS_RHS_OFS; @@ -815,7 +814,7 @@ static void dce_co_process_ctx_result(DCE2_SsnData*, DCE2_CoTracker* cot, if (DceRpcCoPduType(co_hdr) == DCERPC_PDU_TYPE__BIND_ACK) cot->got_bind = 1; - /* Need to check accepted transfer syntax + /* Need to check accepted transfer syntax * for further EPT_MAP response parsing */ if (!DCE2_UuidCompare(transport, &uuid_ndr64)) { @@ -1872,11 +1871,11 @@ static void DCE2_CoResponse(DCE2_SsnData* sd, DCE2_CoTracker* cot, (uint16_t)(frag_len - (uint16_t)auth_len)); } } - + /* If this is the last fragment, we can proceed with stub data processing */ if (DceRpcCoLastFrag(co_hdr)) { - const uint8_t* stub_data; + const uint8_t* stub_data; uint16_t stub_data_len; if (DCE2_BufferIsEmpty(cot->frag_tracker.srv_stub_buf)) { diff --git a/src/service_inspectors/dce_rpc/dce_co.h b/src/service_inspectors/dce_rpc/dce_co.h index 78671c632..9a50f5524 100644 --- a/src/service_inspectors/dce_rpc/dce_co.h +++ b/src/service_inspectors/dce_rpc/dce_co.h @@ -286,7 +286,7 @@ struct DCE2_CoCtxIdNode /* Whether or not the server accepted or rejected the client bind/alter context * request. Initially set to pending until server response */ DCE2_CoCtxState state; - DCE2_CoCtxTransport transport; + DCE2_CoCtxTransport transport; }; enum DceRpcCoAuthLevelType @@ -456,7 +456,7 @@ inline int DCE2_GetNdrUint32(const uint8_t* data_ptr, uint32_t& data, int align_offset = 0; /* Alignment */ - if (offset % 4) + if (offset % 4) { align_offset = 4 - (offset % 4); } @@ -474,7 +474,7 @@ inline int DCE2_GetNdrUint64(const uint8_t* data_ptr, uint64_t& data, int align_offset = 0; /* Alignment */ - if (offset % 8) + if (offset % 8) { align_offset = 8 - (offset % 8); } diff --git a/src/service_inspectors/dce_rpc/dce_expected_session.cc b/src/service_inspectors/dce_rpc/dce_expected_session.cc index a4c61eef9..f4b41557b 100644 --- a/src/service_inspectors/dce_rpc/dce_expected_session.cc +++ b/src/service_inspectors/dce_rpc/dce_expected_session.cc @@ -33,7 +33,7 @@ using namespace snort; DceExpSsnManager::DceExpSsnManager(const char* protocol, - IpProtocol proto, PktType type): proto(proto), type(type) + IpProtocol proto, PktType type): proto(proto), type(type) { protocol_id = SnortConfig::get_conf()->proto_ref->add(protocol); } diff --git a/src/service_inspectors/dce_rpc/dce_smb.cc b/src/service_inspectors/dce_rpc/dce_smb.cc index 904f6a215..2768f6710 100644 --- a/src/service_inspectors/dce_rpc/dce_smb.cc +++ b/src/service_inspectors/dce_rpc/dce_smb.cc @@ -393,7 +393,7 @@ void Dce2Smb::eval(Packet* p) { //smb_version is DCE2_SMB_VERSION_NULL //This means there is no flow data and this is not an SMB packet - //if it is a TCP packet for smb data, the flow must have been + //if it is a TCP packet for smb data, the flow must have been //already identified with version. debug_logf(dce_smb_trace, nullptr, "non-smb packet detected\n"); return; diff --git a/src/service_inspectors/dce_rpc/dce_smb2.cc b/src/service_inspectors/dce_rpc/dce_smb2.cc index e9218b75a..3f55341b7 100644 --- a/src/service_inspectors/dce_rpc/dce_smb2.cc +++ b/src/service_inspectors/dce_rpc/dce_smb2.cc @@ -104,7 +104,7 @@ DCE2_Smb2RequestTracker::~DCE2_Smb2RequestTracker() DCE2_Smb2FileTracker::DCE2_Smb2FileTracker(uint64_t file_id_v, DCE2_Smb2TreeTracker* ttr_v, DCE2_Smb2SessionTracker* str_v) : file_id(file_id_v), ttr(ttr_v), str(str_v) -{ +{ debug_logf(dce_smb_trace, nullptr, "file tracker %" PRIu64 " created\n", file_id); memory::MemoryCap::update_allocations(sizeof(*this)); } @@ -145,8 +145,8 @@ DCE2_Smb2TreeTracker::~DCE2_Smb2TreeTracker(void) { debug_logf(dce_smb_trace, nullptr, "mid %" PRIu64 "\n", h.first); removeRtracker(h.first); - } - } + } + } memory::MemoryCap::update_deallocations(sizeof(*this)); } diff --git a/src/service_inspectors/ftp_telnet/pp_ftp.cc b/src/service_inspectors/ftp_telnet/pp_ftp.cc index a96300af8..ae760df9a 100644 --- a/src/service_inspectors/ftp_telnet/pp_ftp.cc +++ b/src/service_inspectors/ftp_telnet/pp_ftp.cc @@ -1029,7 +1029,6 @@ static int do_stateful_checks(FTP_SESSION* session, Packet* p, session->flags &= ~FTP_PROTP_CMD_ISSUED; session->flags |= FTP_PROTP_CMD_ACCEPT; } - } else if (session->data_chan_state & DATA_CHAN_PASV_CMD_ISSUED) { diff --git a/src/service_inspectors/http2_inspect/http2_data_cutter.cc b/src/service_inspectors/http2_inspect/http2_data_cutter.cc index 61b4a1940..5ea64fa58 100644 --- a/src/service_inspectors/http2_inspect/http2_data_cutter.cc +++ b/src/service_inspectors/http2_inspect/http2_data_cutter.cc @@ -99,7 +99,7 @@ bool Http2DataCutter::http2_scan(uint32_t length, uint32_t* flush_offset, uint32 } if (data_state == FULL_FRAME) - session_data->reading_frame[source_id] = false; + session_data->reading_frame[source_id] = false; //FIXIT-E shouldn't need both scan_remaining_frame_octets and frame_bytes_seen frame_bytes_seen += (cur_pos - leftover_bytes - data_offset - leftover_padding); diff --git a/src/service_inspectors/http2_inspect/http2_headers_frame_header.h b/src/service_inspectors/http2_inspect/http2_headers_frame_header.h index 13b5e3ab0..a4af8f04e 100644 --- a/src/service_inspectors/http2_inspect/http2_headers_frame_header.h +++ b/src/service_inspectors/http2_inspect/http2_headers_frame_header.h @@ -29,7 +29,7 @@ class Http2HeadersFrameHeader : public Http2HeadersFrame { public: ~Http2HeadersFrameHeader() override; - + friend Http2Frame* Http2Frame::new_frame(const uint8_t*, const uint32_t, const uint8_t*, const uint32_t, Http2FlowData*, HttpCommon::SourceId, Http2Stream* stream); diff --git a/src/service_inspectors/http2_inspect/http2_hpack.cc b/src/service_inspectors/http2_inspect/http2_hpack.cc index 8ba4edd3d..1b2841c60 100644 --- a/src/service_inspectors/http2_inspect/http2_hpack.cc +++ b/src/service_inspectors/http2_inspect/http2_hpack.cc @@ -283,7 +283,7 @@ bool Http2HpackDecoder::decode_header_line(const uint8_t* encoded_header_buffer, encoded_header_length, bytes_consumed); table_size_update_allowed = false; - + // Indexed header representation if (encoded_header_buffer[0] & INDEX_MASK) ret = decode_indexed_header(encoded_header_buffer, diff --git a/src/service_inspectors/http2_inspect/http2_hpack_dynamic_table.h b/src/service_inspectors/http2_inspect/http2_hpack_dynamic_table.h index 7387ff47f..df921a9a4 100644 --- a/src/service_inspectors/http2_inspect/http2_hpack_dynamic_table.h +++ b/src/service_inspectors/http2_inspect/http2_hpack_dynamic_table.h @@ -32,7 +32,7 @@ struct HpackTableEntry; class HpackDynamicTable { public: - // FIXIT-P This array can be optimized to start smaller and grow on demand + // FIXIT-P This array can be optimized to start smaller and grow on demand HpackDynamicTable() : circular_buf(ARRAY_CAPACITY, nullptr) {} ~HpackDynamicTable(); const HpackTableEntry* get_entry(uint32_t index) const; diff --git a/src/service_inspectors/http2_inspect/http2_settings_frame.cc b/src/service_inspectors/http2_inspect/http2_settings_frame.cc index 8d794de18..8021fcb22 100644 --- a/src/service_inspectors/http2_inspect/http2_settings_frame.cc +++ b/src/service_inspectors/http2_inspect/http2_settings_frame.cc @@ -91,7 +91,7 @@ bool Http2SettingsFrame::sanity_check() { const bool ack = SfAck & get_flags(); - // FIXIT-E this next check should possibly be moved to valid_sequence() + // FIXIT-E this next check should possibly be moved to valid_sequence() if (get_stream_id() != 0) bad_frame = true; else if (!ack and ((data.length() % 6) != 0)) diff --git a/src/service_inspectors/http2_inspect/http2_stream_splitter_impl.cc b/src/service_inspectors/http2_inspect/http2_stream_splitter_impl.cc index 9162d3a06..131e711e9 100644 --- a/src/service_inspectors/http2_inspect/http2_stream_splitter_impl.cc +++ b/src/service_inspectors/http2_inspect/http2_stream_splitter_impl.cc @@ -117,7 +117,7 @@ StreamSplitter::Status Http2StreamSplitter::non_data_frame_header_checks( // FIXIT-M long non-data frame needs to be supported return StreamSplitter::ABORT; } - + if (type == FT_CONTINUATION and !session_data->continuation_expected[source_id]) { *session_data->infractions[source_id] += INF_UNEXPECTED_CONTINUATION; @@ -125,7 +125,7 @@ StreamSplitter::Status Http2StreamSplitter::non_data_frame_header_checks( EVENT_UNEXPECTED_CONTINUATION); return StreamSplitter::ABORT; } - + session_data->total_bytes_in_split[source_id] += FRAME_HEADER_LENGTH + frame_length; @@ -325,7 +325,7 @@ StreamSplitter::Status Http2StreamSplitter::implement_scan(Http2FlowData* sessio session_data->stream_in_hi = NO_STREAM_ID; return StreamSplitter::FLUSH; } - + assert(session_data->scan_remaining_frame_octets[source_id] == 0); session_data->scan_remaining_frame_octets[source_id] = frame_length; @@ -401,7 +401,7 @@ StreamSplitter::Status Http2StreamSplitter::implement_scan(Http2FlowData* sessio else status = non_data_scan(session_data, length, flush_offset, source_id, type, frame_flags, data_offset); - assert(status != StreamSplitter::SEARCH or + assert(status != StreamSplitter::SEARCH or session_data->scan_state[source_id] != SCAN_EMPTY_DATA); break; } diff --git a/src/service_inspectors/http_inspect/http_msg_head_shared.cc b/src/service_inspectors/http_inspect/http_msg_head_shared.cc index b80f3c4f4..002407053 100755 --- a/src/service_inspectors/http_inspect/http_msg_head_shared.cc +++ b/src/service_inspectors/http_inspect/http_msg_head_shared.cc @@ -373,7 +373,7 @@ uint64_t HttpMsgHeadShared::get_file_cache_index() if (cd_filename.length() > 0) file_cache_index = str_to_hash(cd_filename.start(), cd_filename.length()); } - file_cache_index_computed = true; + file_cache_index_computed = true; return file_cache_index; } diff --git a/src/service_inspectors/imap/imap.h b/src/service_inspectors/imap/imap.h index 3de95a256..b109a9666 100644 --- a/src/service_inspectors/imap/imap.h +++ b/src/service_inspectors/imap/imap.h @@ -38,7 +38,7 @@ #define STATE_TLS_DATA 3 // Successful handshake, TLS encrypted data #define STATE_COMMAND 4 #define STATE_UNKNOWN 5 -#define STATE_DECRYPTION_REQ 6 +#define STATE_DECRYPTION_REQ 6 // session flags #define IMAP_FLAG_NEXT_STATE_UNKNOWN 0x00000004 diff --git a/src/service_inspectors/imap/imap_config.h b/src/service_inspectors/imap/imap_config.h index 0cd7daa66..5728cd8b0 100644 --- a/src/service_inspectors/imap/imap_config.h +++ b/src/service_inspectors/imap/imap_config.h @@ -37,7 +37,7 @@ struct ImapStats PegCount max_concurrent_sessions; PegCount start_tls; PegCount ssl_search_abandoned; - PegCount ssl_srch_abandoned_early; + PegCount ssl_srch_abandoned_early; snort::MimeStats mime_stats; }; diff --git a/src/service_inspectors/pop/pop.cc b/src/service_inspectors/pop/pop.cc index 5d5a74608..1b41b53e5 100644 --- a/src/service_inspectors/pop/pop.cc +++ b/src/service_inspectors/pop/pop.cc @@ -442,16 +442,16 @@ static void POP_ProcessServerPacket(Packet* p, POPData* pop_ssn) tmp = SnortStrcasestr((const char*)cmd_start, (eol - cmd_start), "octets"); if (tmp != nullptr) { - if (!(pop_ssn->session_flags & POP_FLAG_ABANDON_EVT) - and !p->flow->flags.data_decrypted) - { - pop_ssn->session_flags |= POP_FLAG_ABANDON_EVT; - DataBus::publish(SSL_SEARCH_ABANDONED, p); - popstats.ssl_search_abandoned++; - } + if (!(pop_ssn->session_flags & POP_FLAG_ABANDON_EVT) + and !p->flow->flags.data_decrypted) + { + pop_ssn->session_flags |= POP_FLAG_ABANDON_EVT; + DataBus::publish(SSL_SEARCH_ABANDONED, p); + popstats.ssl_search_abandoned++; + } pop_ssn->state = STATE_DATA; - } + } else if (pop_ssn->state == STATE_TLS_CLIENT_PEND) { if ((pop_ssn->session_flags & POP_FLAG_ABANDON_EVT) @@ -463,7 +463,7 @@ static void POP_ProcessServerPacket(Packet* p, POPData* pop_ssn) OpportunisticTlsEvent event(p, p->flow->service); DataBus::publish(OPPORTUNISTIC_TLS_EVENT, event, p->flow); popstats.start_tls++; - pop_ssn->state = STATE_DECRYPTION_REQ; + pop_ssn->state = STATE_DECRYPTION_REQ; } else { @@ -541,8 +541,7 @@ static void snort_pop(POP_PROTO_CONF* config, Packet* p) if (pkt_dir == POP_PKT_FROM_CLIENT) { /* This packet should be a tls client hello */ - if ((pop_ssn->state == STATE_TLS_CLIENT_PEND) - || (pop_ssn->state == STATE_DECRYPTION_REQ)) + if ((pop_ssn->state == STATE_TLS_CLIENT_PEND) || (pop_ssn->state == STATE_DECRYPTION_REQ)) { if (IsTlsClientHello(p->data, p->data + p->dsize)) { diff --git a/src/service_inspectors/pop/pop.h b/src/service_inspectors/pop/pop.h index a998e1347..fe1e21680 100644 --- a/src/service_inspectors/pop/pop.h +++ b/src/service_inspectors/pop/pop.h @@ -38,7 +38,7 @@ #define STATE_TLS_DATA 3 // Successful handshake, TLS encrypted data #define STATE_COMMAND 4 #define STATE_UNKNOWN 5 -#define STATE_DECRYPTION_REQ 6 +#define STATE_DECRYPTION_REQ 6 // session flags #define POP_FLAG_NEXT_STATE_UNKNOWN 0x00000004 diff --git a/src/service_inspectors/pop/pop_config.h b/src/service_inspectors/pop/pop_config.h index 16e7d3f81..c54a0ac15 100644 --- a/src/service_inspectors/pop/pop_config.h +++ b/src/service_inspectors/pop/pop_config.h @@ -38,7 +38,7 @@ struct PopStats PegCount max_concurrent_sessions; PegCount start_tls; PegCount ssl_search_abandoned; - PegCount ssl_srch_abandoned_early; + PegCount ssl_srch_abandoned_early; snort::MimeStats mime_stats; }; diff --git a/src/sfip/CMakeLists.txt b/src/sfip/CMakeLists.txt index 547aa5857..8eeca04f6 100644 --- a/src/sfip/CMakeLists.txt +++ b/src/sfip/CMakeLists.txt @@ -13,7 +13,7 @@ add_library ( sfip OBJECT sf_ipvar.cc sf_ipvar.h sf_vartable.cc - sf_vartable.h + sf_vartable.h ) install (FILES ${SFIP_INCLUDES} diff --git a/src/stream/stream.cc b/src/stream/stream.cc index a8db60d72..90f5781a9 100644 --- a/src/stream/stream.cc +++ b/src/stream/stream.cc @@ -104,7 +104,7 @@ Flow* Stream::get_flow( PktType type, IpProtocol proto, const SfIp* srcIP, uint16_t srcPort, const SfIp* dstIP, uint16_t dstPort, - uint16_t vlan, uint32_t mplsId, const DAQ_PktHdr_t& pkth) + uint16_t vlan, uint32_t mplsId, const DAQ_PktHdr_t& pkth) { FlowKey key; const SnortConfig* sc = SnortConfig::get_conf(); @@ -178,7 +178,7 @@ FlowData* Stream::get_flow_data( { Flow* flow = get_flow( type, proto, srcIP, srcPort, dstIP, dstPort, - vlan, mplsId, pkth); + vlan, mplsId, pkth); if (!flow) return nullptr; diff --git a/src/target_based/CMakeLists.txt b/src/target_based/CMakeLists.txt index f38dd713d..fc38367a8 100644 --- a/src/target_based/CMakeLists.txt +++ b/src/target_based/CMakeLists.txt @@ -1,6 +1,6 @@ add_library( target_based OBJECT - host_attributes.cc + host_attributes.cc host_attributes.h snort_protocols.cc ) diff --git a/tools/appid_detector_builder.sh b/tools/appid_detector_builder.sh index 1e9e90e3f..919f5adaf 100755 --- a/tools/appid_detector_builder.sh +++ b/tools/appid_detector_builder.sh @@ -19,7 +19,7 @@ ##-------------------------------------------------------------------------- ##-------------------------------------------------------------------- -## Generate custom lua detector for appid +## Generate custom lua detector for appid ##-------------------------------------------------------------------- echo "Snort Application Id - Detector Creation Tool" @@ -314,7 +314,7 @@ fi } function output_port_pattern_server() { -if [[ "$port" = "-1" ]]; then +if [[ "$port" = "-1" ]]; then echo -en "\t\tgDetector:addPortPatternServer($protocol_string,0,\"" >>"${INTERMEDIATEFILE_SERVER}" echo -n "${pattern_string}" >>"${INTERMEDIATEFILE_SERVER}" echo -e "\",$pattern_offset, gAppId);" >>"${INTERMEDIATEFILE_SERVER}" @@ -589,7 +589,7 @@ case "$protocol_choice" in hex_pattern_prompt ;; esac - offset_number_prompt + offset_number_prompt direction_prompt case "$direction_choice" in "CLIENT" ) @@ -611,7 +611,7 @@ case "$protocol_choice" in hex_pattern_prompt ;; esac - offset_number_prompt + offset_number_prompt direction_prompt case "$direction_choice" in "CLIENT") @@ -700,6 +700,6 @@ echo " ${OUTPUTFILE}" echo "When you add the .lua file, the AppId," echo -en " \"" echo -n "${APPIDSTRING}" -echo -e "\"," +echo -e "\"," echo " will be the name reported as detected." ### end ###