From: Russ Combs Date: Thu, 15 Dec 2016 23:06:22 +0000 (-0500) Subject: adjust builtin rule text for consistent formatting X-Git-Tag: 3.0.0-233~139 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c98c853bdce08e3a631b7377106f46520c4a51a3;p=thirdparty%2Fsnort3.git adjust builtin rule text for consistent formatting --- diff --git a/extra/src/codecs/cd_token_ring/cd_token_ring.cc b/extra/src/codecs/cd_token_ring/cd_token_ring.cc index cfcdc6905..618c8184c 100644 --- a/extra/src/codecs/cd_token_ring/cd_token_ring.cc +++ b/extra/src/codecs/cd_token_ring/cd_token_ring.cc @@ -38,10 +38,10 @@ namespace static const RuleMap tkr_rules[] = { - { DECODE_BAD_TRH, "(" TR_NAME ") Bad Token Ring Header" }, - { DECODE_BAD_TR_ETHLLC, "(" TR_NAME ") Bad Token Ring ETHLLC Header" }, - { DECODE_BAD_TR_MR_LEN, "(" TR_NAME ") Bad Token Ring MRLENHeader" }, - { DECODE_BAD_TRHMR, "(" TR_NAME ") Bad Token Ring MR Header" }, + { DECODE_BAD_TRH, "bad Token Ring header" }, + { DECODE_BAD_TR_ETHLLC, "bad Token Ring ETHLLC header" }, + { DECODE_BAD_TR_MR_LEN, "bad Token Ring MRLEN header" }, + { DECODE_BAD_TRHMR, "bad Token Ring MR header" }, { 0, nullptr } }; diff --git a/src/codecs/codec_module.cc b/src/codecs/codec_module.cc index 54d20fbc7..4bbd4b317 100644 --- a/src/codecs/codec_module.cc +++ b/src/codecs/codec_module.cc 
@@ -27,13 +27,13 @@ CodecModule::CodecModule() : Module("decode", codec_module_help) static const RuleMap general_decode_rules[] = { - { DECODE_IP_BAD_PROTO, "BAD-TRAFFIC bad IP protocol" }, + { DECODE_IP_BAD_PROTO, "bad IP protocol" }, { DECODE_IP_MULTIPLE_ENCAPSULATION, "two or more IP (v4 and/or v6) encapsulation layers present" }, { DECODE_ZERO_LENGTH_FRAG, "fragment with zero length" }, - { DECODE_BAD_TRAFFIC_LOOPBACK, "bad traffic loopback IP" }, - { DECODE_BAD_TRAFFIC_SAME_SRCDST, "bad traffic same src/dst IP" }, - { DECODE_IP_UNASSIGNED_PROTO, "BAD-TRAFFIC unassigned/reserved IP protocol" }, + { DECODE_BAD_TRAFFIC_LOOPBACK, "loopback IP" }, + { DECODE_BAD_TRAFFIC_SAME_SRCDST, "same src/dst IP" }, + { DECODE_IP_UNASSIGNED_PROTO, "unassigned/reserved IP protocol" }, { DECODE_TOO_MANY_LAYERS, "too many protocols present" }, { 0, nullptr }, diff --git a/src/codecs/ip/cd_icmp4.cc b/src/codecs/ip/cd_icmp4.cc index e552d9fba..30597a030 100644 --- a/src/codecs/ip/cd_icmp4.cc +++ b/src/codecs/ip/cd_icmp4.cc @@ -62,7 +62,7 @@ static const RuleMap icmp4_rules[] = { DECODE_ICMP4_DST_MULTICAST, "ICMP4 packet to multicast dest address" }, { DECODE_ICMP4_DST_BROADCAST, "ICMP4 packet to broadcast dest address" }, { DECODE_ICMP4_TYPE_OTHER, "ICMP4 type other" }, - { DECODE_ICMP_PING_NMAP, "ICMP ping NMAP" }, + { DECODE_ICMP_PING_NMAP, "ICMP ping Nmap" }, { DECODE_ICMP_ICMPENUM, "ICMP icmpenum v1.1.1" }, { DECODE_ICMP_REDIRECT_HOST, "ICMP redirect host" }, { DECODE_ICMP_REDIRECT_NET, "ICMP redirect net" }, 
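Review bot: In `general_decode_rules`, the new texts `"loopback IP"` and `"same src/dst IP"` no longer tell an analyst what is wrong once the `bad traffic` prefix is dropped. The neighbouring entries (`"fragment with zero length"`, `"too many protocols present"`) still describe the anomaly. Wording such as `{ DECODE_BAD_TRAFFIC_LOOPBACK, "packet with loopback IP address" }` and `{ DECODE_BAD_TRAFFIC_SAME_SRCDST, "packet with same src/dst IP" }` keeps the lower-case style and stays self-explanatory in an alert log. The same prefix removal (`BAD-TRAFFIC`, `MISC`) recurs in the cd_icmp4, cd_ipv4, cd_ipv6, cd_pgm, cd_tcp and cd_udp hunks. Any alert filter or correlation rule that matches on message text rather than rule ID will presumably stop matching, and the commit message should say so.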
@@ -72,11 +72,13 @@ static const RuleMap icmp4_rules[] = { DECODE_ICMP_DST_UNREACH_ADMIN_PROHIBITED, "ICMP destination unreachable communication administratively prohibited" }, { DECODE_ICMP_DST_UNREACH_DST_HOST_PROHIBITED, - "ICMP destination unreachable communication with destination host is administratively prohibited" }, + "ICMP destination unreachable communication with destination host is " + "administratively prohibited" }, { DECODE_ICMP_DST_UNREACH_DST_NET_PROHIBITED, - "ICMP destination unreachable communication with destination network is administratively prohibited" }, + "ICMP destination unreachable communication with destination network is " + "administratively prohibited" }, { DECODE_ICMP_PATH_MTU_DOS, "ICMP path MTU denial of service attempt" }, - { DECODE_ICMP_DOS_ATTEMPT, "BAD-TRAFFIC Linux ICMP header DOS attempt" }, + { DECODE_ICMP_DOS_ATTEMPT, "Linux ICMP header DOS attempt" }, { DECODE_ICMP4_HDR_TRUNC, "truncated ICMP4 header" }, { 0, nullptr } }; diff --git a/src/codecs/ip/cd_icmp6.cc b/src/codecs/ip/cd_icmp6.cc index eb7fd6693..e59a8c995 100644 --- a/src/codecs/ip/cd_icmp6.cc +++ b/src/codecs/ip/cd_icmp6.cc @@ -57,8 +57,8 @@ static THREAD_LOCAL Stats stats; static const RuleMap icmp6_rules[] = { { DECODE_ICMP6_HDR_TRUNC, "truncated ICMP6 header" }, - { DECODE_ICMP6_TYPE_OTHER, "ICMP6 type not decoded" }, - { DECODE_ICMP6_DST_MULTICAST, "ICMP6 packet to multicast address" }, + { DECODE_ICMP6_TYPE_OTHER, "ICMPv6 type not decoded" }, + { DECODE_ICMP6_DST_MULTICAST, "ICMPv6 packet to multicast address" }, { DECODE_ICMPV6_TOO_BIG_BAD_MTU, "ICMPv6 packet of type 2 (message too big) with MTU field < 1280" }, { DECODE_ICMPV6_UNREACHABLE_NON_RFC_2463_CODE, diff --git a/src/codecs/ip/cd_ipv4.cc b/src/codecs/ip/cd_ipv4.cc index 0f7e5b17d..46e0ff49e 100644 --- a/src/codecs/ip/cd_ipv4.cc +++ b/src/codecs/ip/cd_ipv4.cc 
@@ -66,27 +66,27 @@ static sfip_var_t* MulticastReservedIp = nullptr; static const RuleMap ipv4_rules[] = { - { DECODE_NOT_IPV4_DGRAM, "Not IPv4 datagram" }, - { DECODE_IPV4_INVALID_HEADER_LEN, "hlen < minimum" }, - { DECODE_IPV4_DGRAM_LT_IPHDR, "IP dgm len < IP Hdr len" }, - { DECODE_IPV4OPT_BADLEN, "Ipv4 Options found with bad lengths" }, - { DECODE_IPV4OPT_TRUNCATED, "Truncated Ipv4 Options" }, - { DECODE_IPV4_DGRAM_GT_CAPLEN, "IP dgm len > captured len" }, - { DECODE_ZERO_TTL, "IPV4 packet with zero TTL" }, - { DECODE_BAD_FRAGBITS, "IPV4 packet with bad frag bits (both MF and DF set)" }, - { DECODE_IP4_LEN_OFFSET, "IPV4 packet frag offset + length exceed maximum" }, - { DECODE_IP4_SRC_THIS_NET, "IPV4 packet from 'current net' source address" }, - { DECODE_IP4_DST_THIS_NET, "IPV4 packet to 'current net' dest address" }, - { DECODE_IP4_SRC_MULTICAST, "IPV4 packet from multicast source address" }, - { DECODE_IP4_SRC_RESERVED, "IPV4 packet from reserved source address" }, - { DECODE_IP4_DST_RESERVED, "IPV4 packet to reserved dest address" }, - { DECODE_IP4_SRC_BROADCAST, "IPV4 packet from broadcast source address" }, - { DECODE_IP4_DST_BROADCAST, "IPV4 packet to broadcast dest address" }, - { DECODE_IP4_MIN_TTL, "IPV4 packet below TTL limit" }, - { DECODE_IP4_DF_OFFSET, "IPV4 packet both DF and offset set" }, - { DECODE_IP_RESERVED_FRAG_BIT, "BAD-TRAFFIC IP reserved bit set" }, - { DECODE_IP_OPTION_SET, "MISC IP option set" }, - { DECODE_IP4_HDR_TRUNC, "truncated IP4 header" }, + { DECODE_NOT_IPV4_DGRAM, "not IPv4 datagram" }, + { DECODE_IPV4_INVALID_HEADER_LEN, "IPv4 header length < minimum" }, + { DECODE_IPV4_DGRAM_LT_IPHDR, "IPv4 datagram length < header field" }, + { DECODE_IPV4OPT_BADLEN, "IPv4 options found with bad lengths" }, + { DECODE_IPV4OPT_TRUNCATED, "truncated IPv4 options" }, + { DECODE_IPV4_DGRAM_GT_CAPLEN, "IPv4 datagram length > captured length" }, + { DECODE_ZERO_TTL, "IPv4 packet with zero TTL" }, + { DECODE_BAD_FRAGBITS, "IPv4 packet with bad 
frag bits (both MF and DF set)" }, + { DECODE_IP4_LEN_OFFSET, "IPv4 packet frag offset + length exceed maximum" }, + { DECODE_IP4_SRC_THIS_NET, "IPv4 packet from 'current net' source address" }, + { DECODE_IP4_DST_THIS_NET, "IPv4 packet to 'current net' dest address" }, + { DECODE_IP4_SRC_MULTICAST, "IPv4 packet from multicast source address" }, + { DECODE_IP4_SRC_RESERVED, "IPv4 packet from reserved source address" }, + { DECODE_IP4_DST_RESERVED, "IPv4 packet to reserved dest address" }, + { DECODE_IP4_SRC_BROADCAST, "IPv4 packet from broadcast source address" }, + { DECODE_IP4_DST_BROADCAST, "IPv4 packet to broadcast dest address" }, + { DECODE_IP4_MIN_TTL, "IPv4 packet below TTL limit" }, + { DECODE_IP4_DF_OFFSET, "IPv4 packet both DF and offset set" }, + { DECODE_IP_RESERVED_FRAG_BIT, "IPv4 reserved bit set" }, + { DECODE_IP_OPTION_SET, "IPv4 option set" }, + { DECODE_IP4_HDR_TRUNC, "truncated IPv4 header" }, { 0, nullptr } }; diff --git a/src/codecs/ip/cd_ipv6.cc b/src/codecs/ip/cd_ipv6.cc index f8841f9aa..6ea817a3b 100644 --- a/src/codecs/ip/cd_ipv6.cc +++ b/src/codecs/ip/cd_ipv6.cc @@ -44,10 +44,10 @@ static const RuleMap ipv6_rules[] = { { DECODE_IPV6_MIN_TTL, "IPv6 packet below TTL limit" }, { DECODE_IPV6_IS_NOT, "IPv6 header claims to not be IPv6" }, - { DECODE_IPV6_TRUNCATED_EXT, "IPV6 truncated extension header" }, - { DECODE_IPV6_TRUNCATED, "IPV6 truncated header" }, - { DECODE_IPV6_DGRAM_LT_IPHDR, "IP dgm len < IP Hdr len" }, - { DECODE_IPV6_DGRAM_GT_CAPLEN, "IP dgm len > captured len" }, + { DECODE_IPV6_TRUNCATED_EXT, "IPv6 truncated extension header" }, + { DECODE_IPV6_TRUNCATED, "IPv6 truncated header" }, + { DECODE_IPV6_DGRAM_LT_IPHDR, "IPv6 datagram length < header field" }, + { DECODE_IPV6_DGRAM_GT_CAPLEN, "IPv6 datagram length > captured length" }, { DECODE_IPV6_DST_ZERO, "IPv6 packet with destination address ::0" }, { DECODE_IPV6_SRC_MULTICAST, "IPv6 packet with multicast source address" }, { DECODE_IPV6_DST_RESERVED_MULTICAST, 
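Review bot: `"IPv4 datagram length < header field"` in `ipv4_rules` changes the meaning of the old text `"IP dgm len < IP Hdr len"` rather than only its formatting, because it no longer says what the datagram length is compared against. If the event still fires when the datagram length is smaller than the header length (the decoder is not visible in this hunk), `{ DECODE_IPV4_DGRAM_LT_IPHDR, "IPv4 datagram length < header length" }` states that directly. The ipv6_rules hunk that follows uses the same wording for `DECODE_IPV6_DGRAM_LT_IPHDR` and would need the same correction.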
@@ -67,11 +67,11 @@ static const RuleMap ipv6_rules[] = { DECODE_IPV6_BAD_OPT_LEN, "IPv6 header includes an option which is too big for the containing header" }, { DECODE_IPV6_UNORDERED_EXTENSIONS, "IPv6 packet includes out-of-order extension headers" }, - { DECODE_IP6_ZERO_HOP_LIMIT, "IPV6 packet has zero hop limit" }, - { DECODE_IPV6_ISATAP_SPOOF, "BAD-TRAFFIC ISATAP-addressed IPv6 traffic spoofing attempt" }, + { DECODE_IP6_ZERO_HOP_LIMIT, "IPv6 packet has zero hop limit" }, + { DECODE_IPV6_ISATAP_SPOOF, "ISATAP-addressed IPv6 traffic spoofing attempt" }, { DECODE_IPV6_BAD_FRAG_PKT, "bogus fragmentation packet, possible BSD attack" }, - { DECODE_IPV6_ROUTE_ZERO, "IPV6 routing type 0 extension header" }, - { DECODE_IP6_EXCESS_EXT_HDR, "too many IP6 extension headers" }, + { DECODE_IPV6_ROUTE_ZERO, "IPv6 routing type 0 extension header" }, + { DECODE_IP6_EXCESS_EXT_HDR, "too many IPv6 extension headers" }, { 0, nullptr } }; diff --git a/src/codecs/ip/cd_pgm.cc b/src/codecs/ip/cd_pgm.cc index 56fac1d88..c09f9fed6 100644 --- a/src/codecs/ip/cd_pgm.cc +++ b/src/codecs/ip/cd_pgm.cc @@ -34,7 +34,7 @@ namespace static const RuleMap pgm_rules[] = { - { DECODE_PGM_NAK_OVERFLOW, "BAD-TRAFFIC PGM nak list overflow attempt" }, + { DECODE_PGM_NAK_OVERFLOW, "PGM nak list overflow attempt" }, { 0, nullptr } }; diff --git a/src/codecs/ip/cd_tcp.cc b/src/codecs/ip/cd_tcp.cc index 6f4927946..6c6ab6beb 100644 --- a/src/codecs/ip/cd_tcp.cc +++ b/src/codecs/ip/cd_tcp.cc 
@@ -63,10 +63,9 @@ static THREAD_LOCAL Stats stats; static const RuleMap tcp_rules[] = { - { DECODE_TCP_DGRAM_LT_TCPHDR, "TCP packet len is smaller than 20 bytes" }, + { DECODE_TCP_DGRAM_LT_TCPHDR, "TCP packet length is smaller than 20 bytes" }, { DECODE_TCP_INVALID_OFFSET, "TCP data offset is less than 5" }, { DECODE_TCP_LARGE_OFFSET, "TCP header length exceeds packet length" }, - { DECODE_TCPOPT_BADLEN, "TCP options found with bad lengths" }, { DECODE_TCPOPT_TRUNCATED, "truncated TCP options" }, { DECODE_TCPOPT_TTCP, "T/TCP detected" }, @@ -81,9 +80,9 @@ static const RuleMap tcp_rules[] = { DECODE_TCP_MUST_ACK, "TCP PDU missing ack for established session" }, { DECODE_TCP_NO_SYN_ACK_RST, "TCP has no SYN, ACK, or RST" }, { DECODE_TCP_SHAFT_SYNFLOOD, "DDOS shaft SYN flood" }, - { DECODE_TCP_PORT_ZERO, "BAD-TRAFFIC TCP port 0 traffic" }, + { DECODE_TCP_PORT_ZERO, "TCP port 0 traffic" }, { DECODE_DOS_NAPTHA, "DOS NAPTHA vulnerability detected" }, - { DECODE_SYN_TO_MULTICAST, "bad traffic SYN to multicast address" }, + { DECODE_SYN_TO_MULTICAST, "SYN to multicast address" }, { 0, nullptr } }; diff --git a/src/codecs/ip/cd_udp.cc b/src/codecs/ip/cd_udp.cc index f6cc00693..672dbada1 100644 --- a/src/codecs/ip/cd_udp.cc +++ b/src/codecs/ip/cd_udp.cc @@ -81,8 +81,8 @@ static const RuleMap udp_rules[] = { DECODE_UDP_DGRAM_SHORT_PACKET, "short UDP packet, length field > payload length" }, { DECODE_UDP_DGRAM_LONG_PACKET, "long UDP packet, length field < payload length" }, { DECODE_UDP_IPV6_ZERO_CHECKSUM, "invalid IPv6 UDP packet, checksum zero" }, - { DECODE_UDP_LARGE_PACKET, "misc large UDP Packet" }, - { DECODE_UDP_PORT_ZERO, "BAD-TRAFFIC UDP port 0 traffic" }, + { DECODE_UDP_LARGE_PACKET, "large UDP packet (> 4000 bytes)" }, + { DECODE_UDP_PORT_ZERO, "UDP port 0 traffic" }, { 0, nullptr } }; diff --git a/src/codecs/link/cd_erspan2.cc b/src/codecs/link/cd_erspan2.cc index 89fb78df4..457358277 100644 --- a/src/codecs/link/cd_erspan2.cc +++ b/src/codecs/link/cd_erspan2.cc 
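Review bot: The new `udp_rules` text `"large UDP packet (> 4000 bytes)"` hard-codes a threshold in the message, and nothing in this hunk ties the literal 4000 to the value the decoder actually compares against. If that limit is a named constant or ever becomes configurable, the alert text will silently go stale and mislead whoever triages the event. Either keep the message threshold-free, `{ DECODE_UDP_LARGE_PACKET, "large UDP packet" }`, or add a comment beside the entry naming the constant the number is taken from.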
@@ -30,7 +30,7 @@ namespace static const RuleMap erspan2_rules[] = { { DECODE_ERSPAN_HDR_VERSION_MISMATCH, "ERSpan header version mismatch" }, - { DECODE_ERSPAN2_DGRAM_LT_HDR, "captured < ERSpan type2 header length" }, + { DECODE_ERSPAN2_DGRAM_LT_HDR, "captured length < ERSpan type2 header length" }, { 0, nullptr } }; diff --git a/src/codecs/link/cd_mpls.cc b/src/codecs/link/cd_mpls.cc index bce857f86..edae2aaef 100644 --- a/src/codecs/link/cd_mpls.cc +++ b/src/codecs/link/cd_mpls.cc @@ -50,9 +50,6 @@ static const Parameter mpls_params[] = { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } }; -// rules which will loaded into snort. -// You can now reference these rules by calling a codec_event -// in your main codec's functions static const RuleMap mpls_rules[] = { { DECODE_BAD_MPLS, "bad MPLS frame" }, diff --git a/src/codecs/root/cd_eth.cc b/src/codecs/root/cd_eth.cc index cdee74e2d..f5fc29967 100644 --- a/src/codecs/root/cd_eth.cc +++ b/src/codecs/root/cd_eth.cc @@ -41,7 +41,7 @@ namespace { static const RuleMap eth_rules[] = { - { DECODE_ETH_HDR_TRUNC, "truncated eth header" }, + { DECODE_ETH_HDR_TRUNC, "truncated ethernet header" }, { 0, nullptr } }; diff --git a/src/network_inspectors/appid/appid_module.cc b/src/network_inspectors/appid/appid_module.cc index be9ddea9b..3f2a5e7f4 100644 --- a/src/network_inspectors/appid/appid_module.cc +++ b/src/network_inspectors/appid/appid_module.cc @@ -155,7 +155,7 @@ static const Parameter s_params[] = { "thirdparty_appid_dir", Parameter::PT_STRING, nullptr, nullptr, "directory to load thirdparty appid detectors from" }, { "session_log_filter", Parameter::PT_TABLE, session_log_filter, nullptr, - "session log filter options" }, + "session log filter options" }, { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } }; diff --git a/src/network_inspectors/arp_spoof/arp_module.cc b/src/network_inspectors/arp_spoof/arp_module.cc index b98e7f996..d32da07ff 100644 --- a/src/network_inspectors/arp_spoof/arp_module.cc 
+++ b/src/network_inspectors/arp_spoof/arp_module.cc @@ -56,17 +56,10 @@ static const Parameter s_params[] = static const RuleMap s_rules[] = { - { ARPSPOOF_UNICAST_ARP_REQUEST, - ARPSPOOF_UNICAST_ARP_REQUEST_STR }, - - { ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC, - ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC_STR }, - - { ARPSPOOF_ETHERFRAME_ARP_MISMATCH_DST, - ARPSPOOF_ETHERFRAME_ARP_MISMATCH_DST_STR }, - - { ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK, - ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK_STR }, + { ARPSPOOF_UNICAST_ARP_REQUEST, ARPSPOOF_UNICAST_ARP_REQUEST_STR }, + { ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC, ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC_STR }, + { ARPSPOOF_ETHERFRAME_ARP_MISMATCH_DST, ARPSPOOF_ETHERFRAME_ARP_MISMATCH_DST_STR }, + { ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK, ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK_STR }, { 0, nullptr } }; diff --git a/src/network_inspectors/reputation/reputation_module.cc b/src/network_inspectors/reputation/reputation_module.cc index 0263e7209..4673265d5 100644 --- a/src/network_inspectors/reputation/reputation_module.cc +++ b/src/network_inspectors/reputation/reputation_module.cc @@ -33,9 +33,9 @@ using namespace std; #define REPUTATION_EVENT_BLACKLIST_STR \ "packets blacklisted" #define REPUTATION_EVENT_WHITELIST_STR \ - "Packets whitelisted" + "packets whitelisted" #define REPUTATION_EVENT_MONITOR_STR \ - "Packets monitored" + "packets monitored" static const Parameter s_params[] = { diff --git a/src/service_inspectors/dce_rpc/dce_co.h b/src/service_inspectors/dce_rpc/dce_co.h index 23c95be5b..2de7d8397 100644 --- a/src/service_inspectors/dce_rpc/dce_co.h +++ b/src/service_inspectors/dce_rpc/dce_co.h 
@@ -39,34 +39,34 @@ #define DCE2_CO_FRAG_DIFF_OPNUM 38 #define DCE2_CO_FRAG_DIFF_CTX_ID 39 -#define DCE2_CO_BAD_MAJOR_VERSION_STR "Connection oriented DCE/RPC - Invalid major version." -#define DCE2_CO_BAD_MINOR_VERSION_STR "Connection oriented DCE/RPC - Invalid minor version." -#define DCE2_CO_BAD_PDU_TYPE_STR "Connection-oriented DCE/RPC - Invalid pdu type." +#define DCE2_CO_BAD_MAJOR_VERSION_STR "connection oriented DCE/RPC - invalid major version" +#define DCE2_CO_BAD_MINOR_VERSION_STR "connection oriented DCE/RPC - invalid minor version" +#define DCE2_CO_BAD_PDU_TYPE_STR "connection-oriented DCE/RPC - invalid PDU type" #define DCE2_CO_FRAG_LEN_LT_HDR_STR \ - "Connection-oriented DCE/RPC - Fragment length less than header size." + "connection-oriented DCE/RPC - fragment length less than header size" #define DCE2_CO_REM_FRAG_LEN_LT_SIZE_STR \ - "Connection-oriented DCE/RPC - Remaining fragment length less than size needed." + "connection-oriented DCE/RPC - remaining fragment length less than size needed" #define DCE2_CO_NO_CTX_ITEMS_SPECFD_STR \ - "Connection-oriented DCE/RPC - No context items specified." + "connection-oriented DCE/RPC - no context items specified" #define DCE2_CO_NO_TFER_SYNTAX_SPECFD_STR \ - "Connection-oriented DCE/RPC -No transfer syntaxes specified." + "connection-oriented DCE/RPC -no transfer syntaxes specified" #define DCE2_CO_FRAG_LT_MAX_XMIT_FRAG_STR \ - "Connection-oriented DCE/RPC - Fragment length on non-last fragment less than \ -maximum negotiated fragment transmit size for client." + "connection-oriented DCE/RPC - fragment length on non-last fragment less than \ +maximum negotiated fragment transmit size for client" #define DCE2_CO_FRAG_GT_MAX_XMIT_FRAG_STR \ - "Connection-oriented DCE/RPC - Fragment length greater than \ -maximum negotiated fragment transmit size." 
+ "connection-oriented DCE/RPC - fragment length greater than \ +maximum negotiated fragment transmit size" #define DCE2_CO_ALTER_CHANGE_BYTE_ORDER_STR \ - "Connection-oriented DCE/RPC - Alter Context byte order different from Bind" + "connection-oriented DCE/RPC - alter context byte order different from bind" #define DCE2_CO_FRAG_DIFF_CALL_ID_STR \ - "Connection-oriented DCE/RPC - Call id of non first/last fragment different \ -from call id established for fragmented request." + "connection-oriented DCE/RPC - call id of non first/last fragment different \ +from call id established for fragmented request" #define DCE2_CO_FRAG_DIFF_OPNUM_STR \ - "Connection-oriented DCE/RPC - Opnum of non first/last fragment different \ -from opnum established for fragmented request." + "connection-oriented DCE/RPC - opnum of non first/last fragment different \ +from opnum established for fragmented request" #define DCE2_CO_FRAG_DIFF_CTX_ID_STR \ - "Connection-oriented DCE/RPC - Context id of non first/last fragment different \ -from context id established for fragmented request." + "connection-oriented DCE/RPC - context id of non first/last fragment different \ +from context id established for fragmented request" #define DCE2_MAX_XMIT_SIZE_FUZZ 500 #define DCE2_MOCK_HDR_LEN__CO_CLI (sizeof(DceRpcCoHdr) + sizeof(DceRpcCoRequest)) diff --git a/src/service_inspectors/dce_rpc/dce_smb.h b/src/service_inspectors/dce_rpc/dce_smb.h index 9947aef6a..1b21890f3 100644 --- a/src/service_inspectors/dce_rpc/dce_smb.h +++ b/src/service_inspectors/dce_rpc/dce_smb.h 
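Review bot: The rewritten `DCE2_CO_*_STR` macros are still not consistent with each other. `DCE2_CO_BAD_MAJOR_VERSION_STR` and `DCE2_CO_BAD_MINOR_VERSION_STR` say `connection oriented` while every other string says `connection-oriented`, and `DCE2_CO_NO_TFER_SYNTAX_SPECFD_STR` reads `DCE/RPC -no transfer` with the space after the dash missing. These strings appear in alert output and get searched for, so I would use `"connection-oriented DCE/RPC - invalid major version"`, the same prefix for the minor version, and `"connection-oriented DCE/RPC - no transfer syntaxes specified"`.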
@@ -78,58 +78,58 @@ #define DCE2_SMB_INVALID_FILE_OFFSET 58 #define DCE2_SMB_BAD_NEXT_COMMAND_OFFSET 59 -#define DCE2_SMB_BAD_NBSS_TYPE_STR "SMB - Bad NetBIOS Session Service session type." -#define DCE2_SMB_BAD_TYPE_STR "SMB - Bad SMB message type." -#define DCE2_SMB_BAD_ID_STR "SMB - Bad SMB Id (not \\xffSMB for SMB1 or not \\xfeSMB for SMB2)." -#define DCE2_SMB_BAD_WCT_STR "SMB - Bad word count or structure size." -#define DCE2_SMB_BAD_BCC_STR "SMB - Bad byte count." -#define DCE2_SMB_BAD_FORM_STR "SMB - Bad format type." -#define DCE2_SMB_BAD_OFF_STR "SMB - Bad offset." -#define DCE2_SMB_TDCNT_ZE_STR "SMB - Zero total data count." -#define DCE2_SMB_NB_LT_SMBHDR_STR "SMB - NetBIOS data length less than SMB header length." -#define DCE2_SMB_NB_LT_COM_STR "SMB - Remaining NetBIOS data length less than command length." -#define DCE2_SMB_NB_LT_BCC_STR "SMB - Remaining NetBIOS data length less than command byte count." +#define DCE2_SMB_BAD_NBSS_TYPE_STR "SMB - bad NetBIOS session service session type" +#define DCE2_SMB_BAD_TYPE_STR "SMB - bad SMB message type" +#define DCE2_SMB_BAD_ID_STR "SMB - bad SMB Id (not \\xffSMB for SMB1 or not \\xfeSMB for SMB2)" +#define DCE2_SMB_BAD_WCT_STR "SMB - bad word count or structure size" +#define DCE2_SMB_BAD_BCC_STR "SMB - bad byte count" +#define DCE2_SMB_BAD_FORM_STR "SMB - bad format type" +#define DCE2_SMB_BAD_OFF_STR "SMB - bad offset" +#define DCE2_SMB_TDCNT_ZE_STR "SMB - zero total data count" +#define DCE2_SMB_NB_LT_SMBHDR_STR "SMB - NetBIOS data length less than SMB header length" +#define DCE2_SMB_NB_LT_COM_STR "SMB - remaining NetBIOS data length less than command length" +#define DCE2_SMB_NB_LT_BCC_STR "SMB - remaining NetBIOS data length less than command byte count" #define DCE2_SMB_NB_LT_DSIZE_STR \ - "SMB - Remaining NetBIOS data length less than command data size." 
+ "SMB - remaining NetBIOS data length less than command data size" #define DCE2_SMB_TDCNT_LT_DSIZE_STR \ - "SMB - Remaining total data count less than this command data size." + "SMB - remaining total data count less than this command data size" #define DCE2_SMB_DSENT_GT_TDCNT_STR \ - "SMB - Total data sent (STDu64) greater than command total data expected." -#define DCE2_SMB_BCC_LT_DSIZE_STR "SMB - Byte count less than command data size (STDu64)" -#define DCE2_SMB_INVALID_DSIZE_STR "SMB - Invalid command data size for byte count." + "SMB - total data sent (STDu64) greater than command total data expected" +#define DCE2_SMB_BCC_LT_DSIZE_STR "SMB - byte count less than command data size (STDu64)" +#define DCE2_SMB_INVALID_DSIZE_STR "SMB - invalid command data size for byte count" #define DCE2_SMB_EXCESSIVE_TREE_CONNECTS_STR \ - "SMB - Excessive Tree Connect requests with pending Tree Connect responses." -#define DCE2_SMB_EXCESSIVE_READS_STR "SMB - Excessive Read requests with pending Read responses." -#define DCE2_SMB_EXCESSIVE_CHAINING_STR "SMB - Excessive command chaining." -#define DCE2_SMB_MULT_CHAIN_SS_STR "SMB - Multiple chained tree connect requests." -#define DCE2_SMB_MULT_CHAIN_TC_STR "SMB - Multiple chained tree connect requests." -#define DCE2_SMB_CHAIN_SS_LOGOFF_STR "SMB - Chained/Compounded login followed by logoff." + "SMB - excessive tree connect requests with pending tree connect responses" +#define DCE2_SMB_EXCESSIVE_READS_STR "SMB - excessive read requests with pending read responses" +#define DCE2_SMB_EXCESSIVE_CHAINING_STR "SMB - excessive command chaining" +#define DCE2_SMB_MULT_CHAIN_SS_STR "SMB - multiple chained tree connect requests" +#define DCE2_SMB_MULT_CHAIN_TC_STR "SMB - multiple chained tree connect requests" +#define DCE2_SMB_CHAIN_SS_LOGOFF_STR "SMB - chained/compounded login followed by logoff" #define DCE2_SMB_CHAIN_TC_TDIS_STR \ - "SMB - Chained/Compounded tree connect followed by tree disconnect." 
+ "SMB - chained/compounded tree connect followed by tree disconnect" #define DCE2_SMB_CHAIN_OPEN_CLOSE_STR \ - "SMB - Chained/Compounded open pipe followed by close pipe." -#define DCE2_SMB_INVALID_SHARE_STR "SMB - Invalid share access." - -#define DCE2_SMB_V1_STR "SMB - Invalid SMB version 1 seen." -#define DCE2_SMB_V2_STR "SMB - Invalid SMB version 2 seen." -#define DCE2_SMB_INVALID_BINDING_STR "SMB - Invalid user, tree connect, file binding." -#define DCE2_SMB2_EXCESSIVE_COMPOUNDING_STR "SMB - Excessive command compounding." -#define DCE2_SMB_DCNT_ZERO_STR "SMB - Zero data count." -#define DCE2_SMB_DCNT_MISMATCH_STR "SMB - Data count mismatch in command and format" -#define DCE2_SMB_MAX_REQS_EXCEEDED_STR "SMB - Maximum number of outstanding requests exceeded." -#define DCE2_SMB_REQS_SAME_MID_STR "SMB - Outstanding requests with same MID." -#define DCE2_SMB_DEPR_DIALECT_NEGOTIATED_STR "SMB - Deprecated dialect negotiated." -#define DCE2_SMB_DEPR_COMMAND_USED_STR "SMB - Deprecated command used." -#define DCE2_SMB_UNUSUAL_COMMAND_USED_STR "SMB - Unusual command used." -#define DCE2_SMB_INVALID_SETUP_COUNT_STR "SMB - Invalid setup count for command." 
+ "SMB - chained/compounded open pipe followed by close pipe" +#define DCE2_SMB_INVALID_SHARE_STR "SMB - invalid share access" + +#define DCE2_SMB_V1_STR "SMB - invalid SMB version 1 seen" +#define DCE2_SMB_V2_STR "SMB - invalid SMB version 2 seen" +#define DCE2_SMB_INVALID_BINDING_STR "SMB - invalid user, tree connect, file binding" +#define DCE2_SMB2_EXCESSIVE_COMPOUNDING_STR "SMB - excessive command compounding" +#define DCE2_SMB_DCNT_ZERO_STR "SMB - zero data count" +#define DCE2_SMB_DCNT_MISMATCH_STR "SMB - data count mismatch in command and format" +#define DCE2_SMB_MAX_REQS_EXCEEDED_STR "SMB - maximum number of outstanding requests exceeded" +#define DCE2_SMB_REQS_SAME_MID_STR "SMB - outstanding requests with same MID" +#define DCE2_SMB_DEPR_DIALECT_NEGOTIATED_STR "SMB - deprecated dialect negotiated" +#define DCE2_SMB_DEPR_COMMAND_USED_STR "SMB - deprecated command used" +#define DCE2_SMB_UNUSUAL_COMMAND_USED_STR "SMB - unusual command used" +#define DCE2_SMB_INVALID_SETUP_COUNT_STR "SMB - invalid setup count for command" #define DCE2_SMB_MULTIPLE_NEGOTIATIONS_STR \ - "SMB - Client attempted multiple dialect negotiations on session." + "SMB - client attempted multiple dialect negotiations on session" #define DCE2_SMB_EVASIVE_FILE_ATTRS_STR \ - "SMB - Client attempted to create or set a file's attributes to readonly/hidden/system." + "SMB - client attempted to create or set a file's attributes to readonly/hidden/system" #define DCE2_SMB_INVALID_FILE_OFFSET_STR \ - "SMB - File offset provided is greater than file size specified" + "SMB - file offset provided is greater than file size specified" #define DCE2_SMB_BAD_NEXT_COMMAND_OFFSET_STR \ - "SMB - Next command specified in SMB2 header is beyond payload boundary" + "SMB - next command specified in SMB2 header is beyond payload boundary" struct dce2SmbStats { diff --git a/src/service_inspectors/dce_rpc/dce_tcp_module.cc b/src/service_inspectors/dce_rpc/dce_tcp_module.cc index 22789ee3d..c34a2ff23 100644 
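Review bot: `DCE2_SMB_MULT_CHAIN_SS_STR` and `DCE2_SMB_MULT_CHAIN_TC_STR` still expand to the identical text `"SMB - multiple chained tree connect requests"`, so two different events produce alerts that cannot be told apart by message. The neighbouring `DCE2_SMB_CHAIN_SS_LOGOFF_STR` talks about a login, which suggests the SS variant was meant to read `#define DCE2_SMB_MULT_CHAIN_SS_STR "SMB - multiple chained login requests"`; please confirm against the code that raises it. Separately, `(STDu64)` appears literally inside `DCE2_SMB_DSENT_GT_TDCNT_STR` and `DCE2_SMB_BCC_LT_DSIZE_STR`. It looks like a leftover format macro and is worth removing while these strings are being touched.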
--- a/src/service_inspectors/dce_rpc/dce_tcp_module.cc +++ b/src/service_inspectors/dce_rpc/dce_tcp_module.cc @@ -35,8 +35,8 @@ static const Parameter s_params[] = { "reassemble_threshold", Parameter::PT_INT, "0:65535", "0", " Minimum bytes received before performing reassembly" }, { "policy", Parameter::PT_ENUM, - "Win2000 | WinXP | WinVista | Win2003 | Win2008 | Win7 | Samba | Samba-3.0.37 | Samba-3.0.22 | Samba-3.0.20", - "WinXP", + "Win2000 | WinXP | WinVista | Win2003 | Win2008 | Win7 | " + "Samba | Samba-3.0.37 | Samba-3.0.22 | Samba-3.0.20", "WinXP", " Target based policy to use" }, { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } }; diff --git a/src/service_inspectors/dce_rpc/dce_udp_module.h b/src/service_inspectors/dce_rpc/dce_udp_module.h index 5b15a448f..2551ba77e 100644 --- a/src/service_inspectors/dce_rpc/dce_udp_module.h +++ b/src/service_inspectors/dce_rpc/dce_udp_module.h @@ -24,17 +24,15 @@ #include "dce_common.h" #include "framework/module.h" -#define DCE2_CL_BAD_MAJOR_VERSION 40 -#define DCE2_CL_BAD_PDU_TYPE 41 -#define DCE2_CL_DATA_LT_HDR 42 -#define DCE2_CL_BAD_SEQ_NUM 43 +#define DCE2_CL_BAD_MAJOR_VERSION 40 +#define DCE2_CL_BAD_PDU_TYPE 41 +#define DCE2_CL_DATA_LT_HDR 42 +#define DCE2_CL_BAD_SEQ_NUM 43 -#define DCE2_CL_BAD_MAJOR_VERSION_STR "Connection-less DCE/RPC - Invalid major version." -#define DCE2_CL_BAD_PDU_TYPE_STR "Connection-less DCE/RPC - Invalid pdu type." -#define DCE2_CL_DATA_LT_HDR_STR \ - "Connection-less DCE/RPC - Data length less than header size." -#define DCE2_CL_BAD_SEQ_NUM_STR \ - "Connection-less DCE/RPC - Bad sequence number." +#define DCE2_CL_BAD_MAJOR_VERSION_STR "connection-less DCE/RPC - invalid major version" +#define DCE2_CL_BAD_PDU_TYPE_STR "connection-less DCE/RPC - invalid PDU type" +#define DCE2_CL_DATA_LT_HDR_STR "connection-less DCE/RPC - data length less than header size" +#define DCE2_CL_BAD_SEQ_NUM_STR "connection-less DCE/RPC - bad sequence number" struct SnortConfig; 
diff --git a/src/service_inspectors/dnp3/dnp3.h b/src/service_inspectors/dnp3/dnp3.h index c57c38097..1a9d2e483 100644 --- a/src/service_inspectors/dnp3/dnp3.h +++ b/src/service_inspectors/dnp3/dnp3.h @@ -29,13 +29,13 @@ #define DNP3_NAME "dnp3" #define DNP3_HELP "dnp3 inspection" -#define DNP3_BAD_CRC_STR "DNP3 Link-Layer Frame contains bad CRC." -#define DNP3_DROPPED_FRAME_STR "DNP3 Link-Layer Frame was dropped." -#define DNP3_DROPPED_SEGMENT_STR "DNP3 Transport-Layer Segment was dropped during reassembly." +#define DNP3_BAD_CRC_STR "DNP3 link-layer frame contains bad CRC" +#define DNP3_DROPPED_FRAME_STR "DNP3 link-layer frame was dropped" +#define DNP3_DROPPED_SEGMENT_STR "DNP3 transport-layer segment was dropped during reassembly" #define DNP3_REASSEMBLY_BUFFER_CLEARED_STR \ - "DNP3 Reassembly Buffer was cleared without reassembling a complete message." -#define DNP3_RESERVED_ADDRESS_STR "DNP3 Link-Layer Frame uses a reserved address." -#define DNP3_RESERVED_FUNCTION_STR "DNP3 Application-Layer Fragment uses a reserved function code." + "DNP3 reassembly buffer was cleared without reassembling a complete message" +#define DNP3_RESERVED_ADDRESS_STR "DNP3 link-layer frame uses a reserved address" +#define DNP3_RESERVED_FUNCTION_STR "DNP3 application-layer fragment uses a reserved function code" #define DNP3_BAD_CRC 1 #define DNP3_DROPPED_FRAME 2 diff --git a/src/service_inspectors/dns/dns_module.cc b/src/service_inspectors/dns/dns_module.cc index 4e6da3d5f..7817a6bec 100644 --- a/src/service_inspectors/dns/dns_module.cc +++ b/src/service_inspectors/dns/dns_module.cc @@ -25,11 +25,11 @@ using namespace std; #define DNS_EVENT_OBSOLETE_TYPES_STR \ - "Obsolete DNS RR Types" + "obsolete DNS RR types" #define DNS_EVENT_EXPERIMENTAL_TYPES_STR \ - "Experimental DNS RR Types" + "experimental DNS RR types" #define DNS_EVENT_RDATA_OVERFLOW_STR \ - "DNS Client rdata txt Overflow" + "DNS client rdata txt overflow" static const Parameter s_params[] = { 
diff --git a/src/service_inspectors/http_inspect/http_tables.cc b/src/service_inspectors/http_inspect/http_tables.cc index bd51f1ce2..3c6c1c082 100644 --- a/src/service_inspectors/http_inspect/http_tables.cc +++ b/src/service_inspectors/http_inspect/http_tables.cc 
@@ -335,34 +335,34 @@ const RuleMap HttpModule::http_events[] = { EVENT_PDF_UNSUP_COMP_TYPE, "PDF file unsupported compression type" }, { EVENT_PDF_CASC_COMP, "PDF file cascaded compression" }, { EVENT_PDF_PARSE_FAILURE, "PDF file parse failure" }, - { EVENT_LOSS_OF_SYNC, "Not HTTP traffic" }, - { EVENT_CHUNK_ZEROS, "Chunk length has excessive leading zeros" }, - { EVENT_WS_BETWEEN_MSGS, "White space before or between messages" }, - { EVENT_URI_MISSING, "Request message without URI" }, - { EVENT_CTRL_IN_REASON, "Control character in reason phrase" }, - { EVENT_IMPROPER_WS, "Illegal extra whitespace in start line" }, - { EVENT_BAD_VERS, "Corrupted HTTP version" }, - { EVENT_UNKNOWN_VERS, "Unknown HTTP version" }, - { EVENT_BAD_HEADER, "Format error in HTTP header" }, - { EVENT_CHUNK_OPTIONS, "Chunk header options present" }, + { EVENT_LOSS_OF_SYNC, "not HTTP traffic" }, + { EVENT_CHUNK_ZEROS, "chunk length has excessive leading zeros" }, + { EVENT_WS_BETWEEN_MSGS, "white space before or between messages" }, + { EVENT_URI_MISSING, "request message without URI" }, + { EVENT_CTRL_IN_REASON, "control character in reason phrase" }, + { EVENT_IMPROPER_WS, "illegal extra whitespace in start line" }, + { EVENT_BAD_VERS, "corrupted HTTP version" }, + { EVENT_UNKNOWN_VERS, "unknown HTTP version" }, + { EVENT_BAD_HEADER, "format error in HTTP header" }, + { EVENT_CHUNK_OPTIONS, "chunk header options present" }, { EVENT_URI_BAD_FORMAT, "URI badly formatted" }, - { EVENT_UNKNOWN_PERCENT, "Unrecognized type of percent encoding in URI" }, + { EVENT_UNKNOWN_PERCENT, "unrecognized type of percent encoding in URI" }, { EVENT_BROKEN_CHUNK, "HTTP chunk misformatted" }, - { EVENT_CHUNK_WHITESPACE, "White space following chunk length" }, - { EVENT_HEAD_NAME_WHITESPACE, "White space within header name" }, - { EVENT_GZIP_OVERRUN, "Excessive gzip compression" }, - { EVENT_GZIP_FAILURE, "Gzip decompression failed" }, + { EVENT_CHUNK_WHITESPACE, "white space following chunk length" }, + { 
EVENT_HEAD_NAME_WHITESPACE, "white space within header name" }, + { EVENT_GZIP_OVERRUN, "excessive gzip compression" }, + { EVENT_GZIP_FAILURE, "gzip decompression failed" }, { EVENT_ZERO_NINE_CONTINUE, "HTTP 0.9 requested followed by another request" }, { EVENT_ZERO_NINE_NOT_FIRST, "HTTP 0.9 request following a normal request" }, - { EVENT_BOTH_CL_AND_TE, "Message has both Content-Length and Transfer-Encoding" }, - { EVENT_BAD_CODE_BODY_HEADER, "Status code implying no body combined with Transfer-" - "Encoding or nonzero Content-Length" }, + { EVENT_BOTH_CL_AND_TE, "message has both Content-Length and Transfer-Encoding" }, + { EVENT_BAD_CODE_BODY_HEADER, "status code implying no body combined with Transfer-" + "Encoding or nonzero Content-Length" }, { EVENT_FINAL_NOT_CHUNKED, "Transfer-Encoding did not end with chunked" }, { EVENT_CHUNKED_BEFORE_END, "Transfer-Encoding with chunked not at end" }, - { EVENT_MISFORMATTED_HTTP, "Misformatted HTTP traffic" }, - { EVENT_UNSUPPORTED_ENCODING, "Unsupported Transfer-Encoding or Content-Encoding used" }, - { EVENT_UNKNOWN_ENCODING, "Unknown Transfer-Encoding or Content-Encoding used" }, - { EVENT_STACKED_ENCODINGS, "Multiple layers of compression encodings applied" }, + { EVENT_MISFORMATTED_HTTP, "misformatted HTTP traffic" }, + { EVENT_UNSUPPORTED_ENCODING, "unsupported Transfer-Encoding or Content-Encoding used" }, + { EVENT_UNKNOWN_ENCODING, "unknown Transfer-Encoding or Content-Encoding used" }, + { EVENT_STACKED_ENCODINGS, "multiple layers of compression encodings applied" }, { 0, nullptr } }; diff --git a/src/service_inspectors/imap/imap_module.cc b/src/service_inspectors/imap/imap_module.cc index e3b3e0c1c..99188bf93 100644 --- a/src/service_inspectors/imap/imap_module.cc +++ b/src/service_inspectors/imap/imap_module.cc 
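Review bot: In `http_tables.cc` the `EVENT_BAD_CODE_BODY_HEADER` text is still split in the middle of a header name (`"... combined with Transfer-"` then `"Encoding or nonzero Content-Length"`), so a search for `Transfer-Encoding` over the source misses this rule. Since the line is rewritten anyway, break after the space instead: `"status code implying no body combined with "` followed by `"Transfer-Encoding or nonzero Content-Length"`. The table also now mixes `white space` (`EVENT_WS_BETWEEN_MSGS`, `EVENT_CHUNK_WHITESPACE`, `EVENT_HEAD_NAME_WHITESPACE`) with `whitespace` (`EVENT_IMPROPER_WS`), so one spelling should be picked. The `http_events` array starts above this hunk.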
@@ -28,25 +28,25 @@ using namespace std; -#define IMAP_UNKNOWN_CMD_STR "Unknown IMAP3 command" -#define IMAP_UNKNOWN_RESP_STR "Unknown IMAP3 response" -#define IMAP_B64_DECODING_FAILED_STR "Base64 Decoding failed." -#define IMAP_QP_DECODING_FAILED_STR "Quoted-Printable Decoding failed." -#define IMAP_UU_DECODING_FAILED_STR "Unix-to-Unix Decoding failed." +#define IMAP_UNKNOWN_CMD_STR "unknown IMAP3 command" +#define IMAP_UNKNOWN_RESP_STR "unknown IMAP3 response" +#define IMAP_B64_DECODING_FAILED_STR "base64 decoding failed" +#define IMAP_QP_DECODING_FAILED_STR "quoted-printable decoding failed" +#define IMAP_UU_DECODING_FAILED_STR "Unix-to-Unix decoding failed" static const Parameter s_params[] = { { "b64_decode_depth", Parameter::PT_INT, "-1:65535", "1460", - " base64 decoding depth" }, + "base64 decoding depth" }, { "bitenc_decode_depth", Parameter::PT_INT, "-1:65535", "1460", - " Non-Encoded MIME attachment extraction depth" }, + "non-Encoded MIME attachment extraction depth" }, { "qp_decode_depth", Parameter::PT_INT, "-1:65535", "1460", - " Quoted Printable decoding depth" }, + "quoted Printable decoding depth" }, { "uu_decode_depth", Parameter::PT_INT, "-1:65535", "1460", - " Unix-to-Unix decoding depth" }, + "Unix-to-Unix decoding depth" }, { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } }; diff --git a/src/service_inspectors/modbus/modbus_module.cc b/src/service_inspectors/modbus/modbus_module.cc index 109285bc5..3bac15999 100644 --- a/src/service_inspectors/modbus/modbus_module.cc +++ b/src/service_inspectors/modbus/modbus_module.cc @@ -51,7 +51,7 @@ PegCount* ModbusModule::get_counts() const "length in Modbus MBAP header does not match the length needed for the given function" #define MODBUS_BAD_PROTO_ID_STR "Modbus protocol ID is non-zero" -#define MODBUS_RESERVED_FUNCTION_STR "Reserved Modbus function code in use" +#define MODBUS_RESERVED_FUNCTION_STR "reserved Modbus function code in use" static const RuleMap modbus_rules[] = { 
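Review bot: Two parameter help strings in `imap_module.cc` were only lower-cased at the first letter and now read `"non-Encoded MIME attachment extraction depth"` and `"quoted Printable decoding depth"`. They should match the rule texts defined a few lines above in the same hunk: `"non-encoded MIME attachment extraction depth"` and `"quoted-printable decoding depth"`. Dropping the leading space from all four help strings is fine as it stands.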
diff --git a/src/service_inspectors/pop/pop_module.cc b/src/service_inspectors/pop/pop_module.cc index 4b2362bab..ee1d039f7 100644 --- a/src/service_inspectors/pop/pop_module.cc +++ b/src/service_inspectors/pop/pop_module.cc @@ -28,11 +28,11 @@ using namespace std; -#define POP_UNKNOWN_CMD_STR "Unknown POP3 command" -#define POP_UNKNOWN_RESP_STR "Unknown POP3 response" -#define POP_B64_DECODING_FAILED_STR "Base64 Decoding failed." -#define POP_QP_DECODING_FAILED_STR "Quoted-Printable Decoding failed." -#define POP_UU_DECODING_FAILED_STR "Unix-to-Unix Decoding failed." +#define POP_UNKNOWN_CMD_STR "unknown POP3 command" +#define POP_UNKNOWN_RESP_STR "unknown POP3 response" +#define POP_B64_DECODING_FAILED_STR "base64 decoding failed" +#define POP_QP_DECODING_FAILED_STR "quoted-printable decoding failed" +#define POP_UU_DECODING_FAILED_STR "Unix-to-Unix decoding failed" static const Parameter s_params[] = { diff --git a/src/service_inspectors/sip/sip_module.cc b/src/service_inspectors/sip/sip_module.cc index bb8e1e69d..7cb313ddd 100644 --- a/src/service_inspectors/sip/sip_module.cc +++ b/src/service_inspectors/sip/sip_module.cc 
@@ -27,33 +27,33 @@ using namespace std; -#define SIP_EVENT_MAX_SESSIONS_STR "Maximum sessions reached" -#define SIP_EVENT_EMPTY_REQUEST_URI_STR "Empty request URI" +#define SIP_EVENT_MAX_SESSIONS_STR "maximum sessions reached" +#define SIP_EVENT_EMPTY_REQUEST_URI_STR "empty request URI" #define SIP_EVENT_BAD_URI_STR "URI is too long" -#define SIP_EVENT_EMPTY_CALL_ID_STR "Empty call-Id" +#define SIP_EVENT_EMPTY_CALL_ID_STR "empty call-Id" #define SIP_EVENT_BAD_CALL_ID_STR "Call-Id is too long" #define SIP_EVENT_BAD_CSEQ_NUM_STR "CSeq number is too large or negative" -#define SIP_EVENT_BAD_CSEQ_NAME_STR "Request name in CSeq is too long" -#define SIP_EVENT_EMPTY_FROM_STR "Empty From header" +#define SIP_EVENT_BAD_CSEQ_NAME_STR "request name in CSeq is too long" +#define SIP_EVENT_EMPTY_FROM_STR "empty From header" #define SIP_EVENT_BAD_FROM_STR "From header is too long" -#define SIP_EVENT_EMPTY_TO_STR "Empty To header" +#define SIP_EVENT_EMPTY_TO_STR "empty To header" #define SIP_EVENT_BAD_TO_STR "To header is too long" -#define SIP_EVENT_EMPTY_VIA_STR "Empty Via header" +#define SIP_EVENT_EMPTY_VIA_STR "empty Via header" #define SIP_EVENT_BAD_VIA_STR "Via header is too long" -#define SIP_EVENT_EMPTY_CONTACT_STR "Empty Contact" -#define SIP_EVENT_BAD_CONTACT_STR "Contact is too long" -#define SIP_EVENT_BAD_CONTENT_LEN_STR "Content length is too large or negative" -#define SIP_EVENT_MULTI_MSGS_STR "Multiple SIP messages in a packet" -#define SIP_EVENT_MISMATCH_CONTENT_LEN_STR "Content length mismatch" -#define SIP_EVENT_INVALID_CSEQ_NAME_STR "Request name is invalid" +#define SIP_EVENT_EMPTY_CONTACT_STR "empty Contact" +#define SIP_EVENT_BAD_CONTACT_STR "contact is too long" +#define SIP_EVENT_BAD_CONTENT_LEN_STR "content length is too large or negative" +#define SIP_EVENT_MULTI_MSGS_STR "multiple SIP messages in a packet" +#define SIP_EVENT_MISMATCH_CONTENT_LEN_STR "content length mismatch" +#define SIP_EVENT_INVALID_CSEQ_NAME_STR "request name is invalid" #define 
SIP_EVENT_AUTH_INVITE_REPLAY_ATTACK_STR "Invite replay attack" -#define SIP_EVENT_AUTH_INVITE_DIFF_SESSION_STR "Illegal session information modification" -#define SIP_EVENT_BAD_STATUS_CODE_STR "Response status code is not a 3 digit number" -#define SIP_EVENT_EMPTY_CONTENT_TYPE_STR "Empty Content-type header" +#define SIP_EVENT_AUTH_INVITE_DIFF_SESSION_STR "illegal session information modification" +#define SIP_EVENT_BAD_STATUS_CODE_STR "response status code is not a 3 digit number" +#define SIP_EVENT_EMPTY_CONTENT_TYPE_STR "empty Content-type header" #define SIP_EVENT_INVALID_VERSION_STR "SIP version is invalid" -#define SIP_EVENT_MISMATCH_METHOD_STR "Mismatch in METHOD of request and the CSEQ header" -#define SIP_EVENT_UNKOWN_METHOD_STR "Method is unknown" -#define SIP_EVENT_MAX_DIALOGS_IN_A_SESSION_STR "Maximum dialogs within a session reached" +#define SIP_EVENT_MISMATCH_METHOD_STR "mismatch in METHOD of request and the CSEQ header" +#define SIP_EVENT_UNKOWN_METHOD_STR "method is unknown" +#define SIP_EVENT_MAX_DIALOGS_IN_A_SESSION_STR "maximum dialogs within a session reached" #define default_methods "invite cancel ack bye register options" diff --git a/src/service_inspectors/smtp/smtp_module.cc b/src/service_inspectors/smtp/smtp_module.cc index 567a0ab17..e1e2edf10 100644 --- a/src/service_inspectors/smtp/smtp_module.cc +++ b/src/service_inspectors/smtp/smtp_module.cc 
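Review bot: The lower-casing in `sip_module.cc` also hit SIP header names, which leaves them spelled two ways. `SIP_EVENT_BAD_CONTACT_STR` becomes `"contact is too long"` while `SIP_EVENT_EMPTY_CONTACT_STR` stays `"empty Contact"`, and `"empty call-Id"` sits next to the untouched `"Call-Id is too long"`. I would keep header names capitalised as the From/To/Via lines do: `"Contact is too long"` and `"empty Call-Id"`. `SIP_EVENT_AUTH_INVITE_REPLAY_ATTACK_STR` is left as `"Invite replay attack"`; if that means the INVITE method, `"INVITE replay attack"` would fit the way `METHOD` and `CSEQ` are written further down.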
@@ -140,19 +140,19 @@ static const Parameter s_params[] = static const RuleMap smtp_rules[] = { - { SMTP_COMMAND_OVERFLOW, "Attempted command buffer overflow" }, - { SMTP_DATA_HDR_OVERFLOW, "Attempted data header buffer overflow" }, - { SMTP_RESPONSE_OVERFLOW, "Attempted response buffer overflow" }, - { SMTP_SPECIFIC_CMD_OVERFLOW, "Attempted specific command buffer overflow" }, - { SMTP_UNKNOWN_CMD, "Unknown command" }, - { SMTP_ILLEGAL_CMD, "Illegal command" }, - { SMTP_HEADER_NAME_OVERFLOW, "Attempted header name buffer overflow" }, - { SMTP_XLINK2STATE_OVERFLOW, "Attempted X-Link2State command buffer overflow" }, - { SMTP_B64_DECODING_FAILED, "Base64 Decoding failed" }, - { SMTP_QP_DECODING_FAILED, "Quoted-Printable Decoding failed" }, - { SMTP_UU_DECODING_FAILED, "Unix-to-Unix Decoding failed" }, + { SMTP_COMMAND_OVERFLOW, "attempted command buffer overflow" }, + { SMTP_DATA_HDR_OVERFLOW, "attempted data header buffer overflow" }, + { SMTP_RESPONSE_OVERFLOW, "attempted response buffer overflow" }, + { SMTP_SPECIFIC_CMD_OVERFLOW, "attempted specific command buffer overflow" }, + { SMTP_UNKNOWN_CMD, "unknown command" }, + { SMTP_ILLEGAL_CMD, "illegal command" }, + { SMTP_HEADER_NAME_OVERFLOW, "attempted header name buffer overflow" }, + { SMTP_XLINK2STATE_OVERFLOW, "attempted X-Link2State command buffer overflow" }, + { SMTP_B64_DECODING_FAILED, "base64 decoding failed" }, + { SMTP_QP_DECODING_FAILED, "quoted-printable decoding failed" }, + { SMTP_UU_DECODING_FAILED, "Unix-to-Unix decoding failed" }, { SMTP_AUTH_ABORT_AUTH, "Cyrus SASL authentication attack" }, - { SMTP_AUTH_COMMAND_OVERFLOW, "Attempted authentication command buffer overflow" }, + { SMTP_AUTH_COMMAND_OVERFLOW, "attempted authentication command buffer overflow" }, { 0, nullptr } }; diff --git a/src/service_inspectors/ssh/ssh_module.cc b/src/service_inspectors/ssh/ssh_module.cc index 2d9bcb66f..d73746eb5 100644 --- a/src/service_inspectors/ssh/ssh_module.cc 
+++ b/src/service_inspectors/ssh/ssh_module.cc @@ -25,17 +25,17 @@ using namespace std; #define SSH_EVENT_RESPOVERFLOW_STR \ - "Challenge-Response Overflow exploit" + "challenge-response overflow exploit" #define SSH_EVENT_CRC32_STR \ "SSH1 CRC32 exploit" #define SSH_EVENT_SECURECRT_STR \ - "Server version string overflow" + "server version string overflow" #define SSH_EVENT_WRONGDIR_STR \ - "Bad message direction" + "bad message direction" #define SSH_PAYLOAD_SIZE_STR \ - "Payload size incorrect for the given payload" + "payload size incorrect for the given payload" #define SSH_VERSION_STR \ - "Failed to detect SSH version string" + "failed to detect SSH version string" static const Parameter s_params[] = { diff --git a/src/service_inspectors/ssl/ssl_module.cc b/src/service_inspectors/ssl/ssl_module.cc index d6806b495..af564e55f 100644 --- a/src/service_inspectors/ssl/ssl_module.cc +++ b/src/service_inspectors/ssl/ssl_module.cc @@ -28,10 +28,10 @@ using namespace std; -#define SSL_INVALID_CLIENT_HELLO_STR "Invalid Client HELLO after Server HELLO Detected" -#define SSL_INVALID_SERVER_HELLO_STR "Invalid Server HELLO without Client HELLO Detected" -#define SSL_HEARTBLEED_REQUEST_STR "Heartbeat Read Overrun Attempt Detected" -#define SSL_HEARTBLEED_RESPONSE_STR "Large Heartbeat Response Detected" +#define SSL_INVALID_CLIENT_HELLO_STR "invalid client HELLO after server HELLO detected" +#define SSL_INVALID_SERVER_HELLO_STR "invalid server HELLO without client HELLO detected" +#define SSL_HEARTBLEED_REQUEST_STR "heartbeat read overrun attempt detected" +#define SSL_HEARTBLEED_RESPONSE_STR "large heartbeat response detected" static const Parameter s_params[] = { diff --git a/src/stream/ip/ip_module.cc b/src/stream/ip/ip_module.cc index 28eca68bd..a335468e9 100644 --- a/src/stream/ip/ip_module.cc +++ b/src/stream/ip/ip_module.cc 
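Review bot: The four messages in `ssl_module.cc` keep a trailing `detected`, which none of the other rule texts visible in this commit carry, so these alerts will still read differently from the rest. Dropping it would give `"heartbeat read overrun attempt"` and `"large heartbeat response"`, and likewise for the two HELLO messages. Separately, the macros are named `SSL_HEARTBLEED_*` but the text never says so; a short `// Heartbleed (TLS heartbeat over-read)` comment above the two defines would help whoever maps an alert back to this code.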
@@ -54,10 +54,10 @@ using namespace std; #if 0 // OBE #define DEFRAG_IPV6_BSD_ICMP_FRAG_STR -"IPv6 BSD mbufs remote kernel buffer overflow" + "IPv6 BSD mbufs remote kernel buffer overflow" #define DEFRAG_IPV6_BAD_FRAG_PKT_STR -"bogus fragmentation packet, possible BSD attack" + "bogus fragmentation packet, possible BSD attack" #endif #define DEFRAG_MIN_TTL_EVASION_STR \ diff --git a/src/stream/tcp/tcp_module.cc b/src/stream/tcp/tcp_module.cc index 97524a3b4..3c516a1e3 100644 --- a/src/stream/tcp/tcp_module.cc +++ b/src/stream/tcp/tcp_module.cc @@ -85,17 +85,17 @@ THREAD_LOCAL TcpStats tcpStats; #define STREAM_TCP_BAD_TIMESTAMP_STR \ "TCP timestamp is outside of PAWS window" #define STREAM_TCP_BAD_SEGMENT_STR \ - "bad segment, adjusted size <= 0" + "bad segment, adjusted size <= 0 (deprecated)" #define STREAM_TCP_WINDOW_TOO_LARGE_STR \ "window size (after scaling) larger than policy allows" #define STREAM_TCP_EXCESSIVE_TCP_OVERLAPS_STR \ "limit on number of overlapping TCP packets reached" #define STREAM_TCP_DATA_AFTER_RESET_STR \ - "data sent on stream after TCP Reset sent" + "data sent on stream after TCP reset sent" #define STREAM_TCP_SESSION_HIJACKED_CLIENT_STR \ "TCP client possibly hijacked, different ethernet address" #define STREAM_TCP_SESSION_HIJACKED_SERVER_STR \ - "TCP Server possibly hijacked, different ethernet address" + "TCP server possibly hijacked, different ethernet address" #define STREAM_TCP_DATA_WITHOUT_FLAGS_STR \ "TCP data with no TCP flags set" #define STREAM_TCP_SMALL_SEGMENT_STR \ @@ -111,7 +111,7 @@ THREAD_LOCAL TcpStats tcpStats; #define STREAM_TCP_BAD_ACK_STR \ "ACK number is greater than prior FIN" #define STREAM_TCP_DATA_AFTER_RST_RCVD_STR \ - "data sent on stream after TCP Reset received" + "data sent on stream after TCP reset received" #define STREAM_TCP_WINDOW_SLAM_STR \ "TCP window closed before receiving data" #define STREAM_TCP_NO_3WHS_STR \
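Review bot: In `tcp_module.cc`, `STREAM_TCP_BAD_SEGMENT_STR` now carries `(deprecated)` inside the message string itself. If the event can still be raised, which is not visible from this hunk, that word ends up in alert output, where an analyst cannot tell whether it describes the traffic or the rule. If it can no longer be raised, the marker belongs in the code rather than the text. I would keep the string as `"bad segment, adjusted size <= 0"` and put a comment above the `#define`, e.g. `// deprecated: confirm whether this event is still raised`.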