From: Priyanka Bangalore Gurudev (prbg) Date: Thu, 7 Nov 2024 15:54:48 +0000 (+0000) Subject: Pull request #4511: build: generate and tag 3.5.1.0 X-Git-Tag: 3.5.1.0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c411e66f569db4b166c58ceea5247675b080ed19;p=thirdparty%2Fsnort3.git Pull request #4511: build: generate and tag 3.5.1.0 Merge in SNORT/snort3 from ~PRBG/snort3:build_3.5.1.0 to master Squashed commit of the following: commit ad0968bb1e19953ef2a3483355ad08d0ca99e053 Author: Priyanka Gurudev Date: Wed Nov 6 12:32:14 2024 -0500 build: generate and tag 3.5.1.0 --- diff --git a/CMakeLists.txt b/CMakeLists.txt index 65589e806..2c31756ba 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -3,7 +3,7 @@ project (snort CXX C) set (VERSION_MAJOR 3) set (VERSION_MINOR 5) -set (VERSION_PATCH 0) +set (VERSION_PATCH 1) set (VERSION_SUBLEVEL 0) set (VERSION "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}.${VERSION_SUBLEVEL}") diff --git a/ChangeLog.md b/ChangeLog.md index c05821ec9..96dd06159 100644 --- a/ChangeLog.md +++ b/ChangeLog.md 
@@ -1,3 +1,19 @@ +2024-11-06: 3.5.1.0 + +* appid: add new api to check if service is over quic +* appid: add tls_version capture in appid_session +* appid: implement an API that allows users to specify values for data items used in lua detectors +* appid: unit-test added for is_service_over_quic +* doc: add details regarding RTN evaluation +* flow: new allowlist LRU +* http2_inspect: handle multiple cookie header fields +* js_norm: add cross-PDU PDF token reassembly +* side_channel: fix compiler warning in side channel formatting test +* smtp: fixing the processing of SMTP response in case of encrypted traffic +* stream: add thread instance number to dump_flows control command output +* stream_tcp: pass tracker and seglist to TcpReassembler\* as refs, define dummy tracker & seglist for use by TcpReassemblerIgnore +* stream_tcp: when queue limit thresholds are exceeded in IDS mode on asymmetric connections only skip a hole at the beginning of the seglist before flushing + 2024-10-20: 3.5.0.0 * connectors: fix tsan warning in tcp connector diff --git a/doc/reference/snort_reference.text b/doc/reference/snort_reference.text index 0d86619a1..621956b99 100644 --- a/doc/reference/snort_reference.text +++ b/doc/reference/snort_reference.text @@ -8,7 +8,7 @@ Snort 3 Reference Manual The Snort Team Revision History -Revision 3.5.0.0 2024-10-20 23:28:19 EDT TST +Revision 3.5.1.0 2024-11-06 12:04:16 EST TST --------------------------------------------------------------------- @@ -5777,6 +5777,8 @@ Configuration: being eligible for pruning { 1:max32 } * int stream.require_3whs = -1: don’t track midstream TCP sessions after given seconds from start up; -1 tracks all { -1:max31 } + * bool stream.allowlist_cache.enable = false: enable allowlist + cache * int stream.ip_cache.idle_timeout = 180: maximum inactive time before retiring session tracker { 1:max32 } * int stream.icmp_cache.idle_timeout = 180: maximum inactive time 
@@ -5864,6 +5866,10 @@ Peg counts: memcap (sum) * stream.pdu_memcap_prunes: number of PDU flows pruned due to memcap (sum) + * stream.allowlist_memcap_prunes: number of allowlist flows pruned + due to memcap (sum) + * stream.allowlist_flows: number of flows moved to the allow list + (now) * stream.current_flows: current number of flows in cache (now) * stream.uni_flows: number of uni flows in cache (now) * stream.uni_ip_flows: number of uni ip flows in cache (now) @@ -6027,6 +6033,9 @@ Configuration: * int stream_tcp.queue_limit.max_segments = 3072: don’t queue more than given segments per session and direction, 0 = unlimited { 0:max32 } + * int stream_tcp.queue_limit.asymmetric_ids_flush_threshold = + 3145728: max bytes queued on asymmetric flow before flush in IDS + mode { 1:max31 } * int stream_tcp.small_segments.count = 0: number of consecutive (in the received order) TCP small segments considered to be excessive (129:12) { 0:2048 } @@ -6039,8 +6048,6 @@ Configuration: timeout { 1:max31 } * int stream_tcp.idle_timeout = 3600: session deletion on idle { 1:max31 } - * int stream_tcp.asymmetric_ids_flush_threshold = 65535: max bytes - queued on asymmetric flow before flush in IDS mode { 1:max31 } Rules: @@ -11294,6 +11301,8 @@ libraries see the Getting Started section of the manual. * implied ssl_version.!tls1.2: check for records that are not tls1.2 * implied ssl_version.tls1.2: check for tls1.2 + * bool stream.allowlist_cache.enable = false: enable allowlist + cache * int stream.file_cache.idle_timeout = 180: maximum inactive time before retiring session tracker { 1:max32 } * bool stream_file.upload = false: indicate file transfer direction 
@@ -11337,8 +11346,6 @@ libraries see the Getting Started section of the manual. direction(s) { either|to_server|to_client|both } * interval stream_size.~range: check if the stream size is in the given range { 0: } - * int stream_tcp.asymmetric_ids_flush_threshold = 65535: max bytes - queued on asymmetric flow before flush in IDS mode { 1:max31 } * int stream.tcp_cache.idle_timeout = 3600: maximum inactive time before retiring session tracker { 1:max32 } * int stream_tcp.embryonic_timeout = 30: Non-established connection @@ -11360,6 +11367,9 @@ libraries see the Getting Started section of the manual. characteristics like reassembly { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy | asymmetric } + * int stream_tcp.queue_limit.asymmetric_ids_flush_threshold = + 3145728: max bytes queued on asymmetric flow before flush in IDS + mode { 1:max31 } * int stream_tcp.queue_limit.max_bytes = 4194304: don’t queue more than given bytes per session and direction, 0 = unlimited { 0:max32 } @@ -12575,6 +12585,10 @@ libraries see the Getting Started section of the manual. * ssl.server_key_exchange: total server key exchanges (sum) * ssl.sessions_ignored: total sessions ignore (sum) * ssl.unrecognized_records: total unrecognized records (sum) + * stream.allowlist_flows: number of flows moved to the allow list + (now) + * stream.allowlist_memcap_prunes: number of allowlist flows pruned + due to memcap (sum) * stream.current_flows: current number of flows in cache (now) * stream.excess_prunes: sessions pruned due to excess (sum) * stream.expected_flows: total expected flows created within snort diff --git a/doc/upgrade/snort_upgrade.text b/doc/upgrade/snort_upgrade.text index e05d00c5b..a14b28a76 100644 --- a/doc/upgrade/snort_upgrade.text +++ b/doc/upgrade/snort_upgrade.text 
@@ -8,7 +8,7 @@ Snort 3 Upgrade Manual The Snort Team Revision History -Revision 3.5.0.0 2024-10-20 23:28:54 EDT TST +Revision 3.5.1.0 2024-11-06 12:04:56 EST TST --------------------------------------------------------------------- diff --git a/doc/user/snort_user.text b/doc/user/snort_user.text index be5e1c86f..f2fc2b809 100644 --- a/doc/user/snort_user.text +++ b/doc/user/snort_user.text @@ -8,7 +8,7 @@ Snort 3 User Manual The Snort Team Revision History -Revision 3.5.0.0 2024-10-20 23:28:30 EDT TST +Revision 3.5.1.0 2024-11-06 12:04:30 EST TST --------------------------------------------------------------------- @@ -958,6 +958,9 @@ balances speed and memory. For a faster search at the expense of significantly more memory, use ac_full. For best performance and reasonable memory, download the hyperscan source from Intel. +Rule group summary is printed at start up under "port rule counts" +and "service rule counts" sections. + 2.7.2. Fast Patterns Fast patterns are content strings that have the fast_pattern option 
@@ -983,6 +986,50 @@ option in a rule and is a fairly costly process which is why fast patterns are so important. Rule evaluation aborts on the first non-matching option. +For a port-based rule, all components of the rule header have to +match before the rule fires. For a service-based rule, evaluation of +the header is skipped. A rule becomes service-based in the following +cases: + + * "service" IPS option is present in the rule body + * a service specific IPS option is present (like http_param, + file_data, dnp3_data) + * a service protocol is defined in the rule header + +Examples: + +# Port group - protocol and ports are evaluated in any case +alert tcp any 90 -> any 5321 (msg: "Port group rule";) + +# "any" port group - protocol and ports are evaluated in any case +alert tcp (msg: "Port group rule with default header";) + +# "service" option puts the rule to SMTP group and port group. +# If the SMTP service is assigned on flow, "tcp" proto and port "90" have no effect. +# In other case, header is evaluated - since matched as a part of port group +alert tcp any 90 -> any any (service: smtp; msg: "SMTP and port group";) + +# DNP3 service is detected automatically, DNP3 group only. +# In a fact, "tcp" proto and port "90" has no effect at all. +alert tcp any 90 -> any any (dnp3_data; msg: "DNP3 group";) + +# Service protocol in the header puts the rule to DNP3 group. +# In a fact, "tcp" proto and port "90" has no effect at all. +alert dnp3 any 90 -> any any (msg: "DNP3 group";) + +Note that detection module can extend a rule with more services. For +details, check detection.service_extension option. + +In case you need to match the service-based rule with regard to +specific protocol, take a look at IPS option "ip_proto" - it +guarantees that specified protocol is used. 
+ +Example when such explicit check is required: + +# Since the rule is added to both "any" port-group and "igmp" service group, +# to decrease false-positive due to "any" port-group, ip_proto:2 is used. +alert ip ( ip_proto:2; content:"foo"; service:igmp; ) + When rule evaluation takes place, the fast pattern match will automatically be skipped if possible. Note that this differs from Snort 2 which provided the fast_pattern:only option to designate such @@ -1005,9 +1052,7 @@ Stateful evaluation is supported for the following buffers: 1. pkt_data — as a sequence of TCP session bytes with respect to their direction (client-to-server, server-to-client) - 2. js_data — normalized JavaScript text from the same data transfer - session - 3. file_data — the same file bytes, e.g. flows from different files + 2. file_data — the same file bytes, e.g. flows from different files do not overlap
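Review bot: in the doc/reference/snort_reference.text hunks at @@ -6027 / @@ -6039 and @@ -11337 / @@ -11360, `asymmetric_ids_flush_threshold` moves from `stream_tcp` to `stream_tcp.queue_limit` and its default changes from 65535 to 3145728, but neither change is called out: the only related ChangeLog.md line ("stream_tcp: when queue limit thresholds are exceeded in IDS mode on asymmetric connections only skip a hole ...") describes the flush behaviour, and doc/upgrade/snort_upgrade.text receives only the revision-line bump. A config that still sets `stream_tcp.asymmetric_ids_flush_threshold` is now setting an option that is no longer documented under that path. Suggest adding an explicit ChangeLog entry and an upgrade-manual note giving the old and new parameter paths and defaults.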
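Review bot: the added prose in the doc/user/snort_user.text hunk at @@ -983 needs a grammar pass before it ships in the user manual: "puts the rule to SMTP group and port group" should read "puts the rule into the SMTP group and the port group"; "In a fact, "tcp" proto and port "90" has no effect at all" should read "In fact, the "tcp" proto and port "90" have no effect at all"; "Note that detection module can extend" needs "the detection module"; and "In case you need to match the service-based rule with regard to specific protocol" is clearer as "If a service-based rule must also be restricted to a specific IP protocol". The comment on the ip_proto example, "to decrease false-positive due to "any" port-group, ip_proto:2 is used", would be clearer as "ip_proto:2 keeps the "any" port group from matching non-IGMP traffic".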
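Review bot: the doc/user/snort_user.text hunk at @@ -1005 removes js_data from the list of buffers that support stateful evaluation, which is a user-visible change, yet ChangeLog.md carries no matching entry for this release (the only js_norm line is "add cross-PDU PDF token reassembly", which suggests more cross-PDU state, not less). If js_data no longer carries state across PDUs, add a ChangeLog line and an upgrade-manual note; if the buffer still does and the old list was simply wrong, say so in the commit message so the reason for the deletion is recorded.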
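Review bot: the new option `stream.allowlist_cache.enable = false` in the doc/reference/snort_reference.text hunks at @@ -5777 and @@ -11294 is described only as "enable allowlist cache", while the pegs added at @@ -5864 and @@ -12575 (`stream.allowlist_memcap_prunes`, `stream.allowlist_flows`) refer to allowlist flows being pruned "due to memcap", and no allowlist_cache memcap or size parameter appears anywhere in the reference hunks. Suggest expanding the help text to state what the cache holds (flows moved to the allow list, per the peg description) and either documenting the memcap that governs those prunes or naming the existing memcap that applies.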