From: Michael Altizer (mialtize) Date: Sat, 27 Mar 2021 18:13:03 +0000 (+0000) Subject: Merge pull request #2814 in SNORT/snort3 from ~MIALTIZE/snort3:3_1_3_0 to master X-Git-Tag: 3.1.3.0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cfaf673eef1dcd2c285e23297122a95a431d7d37;p=thirdparty%2Fsnort3.git Merge pull request #2814 in SNORT/snort3 from ~MIALTIZE/snort3:3_1_3_0 to master Squashed commit of the following: commit 80376763f888930cc887eb988326b4fdde38d06c Author: Michael Altizer Date: Sat Mar 27 11:43:36 2021 -0400 build: Generate and tag 3.1.3.0 This release requires LibDAQ 3.0.2. --- diff --git a/CMakeLists.txt b/CMakeLists.txt index ba3dcedb9..8503ebf13 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -3,7 +3,7 @@ project (snort CXX C) set (VERSION_MAJOR 3) set (VERSION_MINOR 1) -set (VERSION_PATCH 2) +set (VERSION_PATCH 3) set (VERSION_SUBLEVEL 0) set (VERSION "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}.${VERSION_SUBLEVEL}") diff --git a/ChangeLog b/ChangeLog index 3bf1d664d..16d614b07 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,37 @@ +2021/03/27 - 3.1.3.0 + +-- actions: Dynamically construct the default eval order for all the loaded IPS actions +-- actions: Make all IPS actions pluggable +-- appid: Make netbios domain available through appid API +-- appid: SMB fingerprinting support +-- cmake: Add flex build dependency +-- dce_rpc: Refactor SMB code +-- detection: Update detection.alert, to be used instead of reputation.total_alerts +-- detection: Update dump_rule_meta function to only print rules from default IPS policy +-- detection: Update the rtn's listHead to reflect the new action set in the rule state +-- doc: Update http_inspect feature documentation +-- flow: Add packet tracer output to DAQ expected flow requests +-- host_tracker: Fully populate local hostclient before logging +-- http2_inspect: Alert on uppercase header name encoded in HPACK +-- http_inspect: Add JavaScript whitespace normalization +-- http_inspect: Add normalization_depth config option +-- http_inspect: Alert on HTTP/2 upgrade attempts +-- http_inspect: Integrate JSNormalizer (whitespace normalization) keeping the old one +-- packet_io: Update for the removal of the RETRY DAQ verdict +-- packet_tracer: Do not log non-IP packets when enabled from shell and a constraint is set +-- parser: Support duped RTN if its header has been changed +-- rate_filter: Get the available IPS actions dynamically to configure the new_action +-- rna: Make discovery filter use client and server interfaces if they are not unknown +-- rna: SMB fingerprinting support +-- snort2lua: Delete conversion of disable_replace option +-- snort2lua: Fix lua conversion of http preproc options +-- snort: Add -h to output the help overview (same as --help) +-- snort_config: Remove is_active_enabled and set_active_enabled functions +-- style: Change C++ comment NULL to null +-- style: Remove unnecessary cruft +-- style: Remove unused cruft +-- utils: Add JSNormalizer + 2021/03/11 - 3.1.2.0 -- action_manager: Remove unused cached reject 
action diff --git a/cmake/FindDAQ.cmake b/cmake/FindDAQ.cmake index 907c65583..f9b6f3aa7 100644 --- a/cmake/FindDAQ.cmake +++ b/cmake/FindDAQ.cmake @@ -16,7 +16,7 @@ This module defines: #]=======================================================================] find_package(PkgConfig) -pkg_check_modules(PC_DAQ libdaq>=3.0.0) +pkg_check_modules(PC_DAQ libdaq>=3.0.2) # Use DAQ_INCLUDE_DIR_HINT and DAQ_LIBRARIES_DIR_HINT from configure_cmake.sh as primary hints # and then package config information after that. diff --git a/doc/reference/snort_reference.text b/doc/reference/snort_reference.text index 23aed7e43..24a81a1a2 100644 --- a/doc/reference/snort_reference.text +++ b/doc/reference/snort_reference.text @@ -8,7 +8,7 @@ Snort 3 Reference Manual The Snort Team Revision History -Revision 3.1.2.0 2021-03-11 14:57:04 EST TST +Revision 3.1.3.0 2021-03-27 11:49:00 EDT TST --------------------------------------------------------------------- @@ -143,7 +143,6 @@ Table of Contents 6.1. react 6.2. reject - 6.3. rewrite 7. IPS Option Modules @@ -412,8 +411,7 @@ Configuration: memory for event_filters { 0:max32 } * bool alerts.log_references = false: include rule references in alert info (full only) - * string alerts.order = pass reset block drop alert log: change the - order of rule action application + * string alerts.order: change the order of rule action application * int alerts.rate_filter_memcap = 1048576: set available MB of memory for rate_filters { 0:max32 } * string alerts.reference_net: set the CIDR for homenet (for use @@ -503,7 +501,6 @@ Peg counts: * daq.whitelist: total whitelist verdicts (sum) * daq.blacklist: total blacklist verdicts (sum) * daq.ignore: total ignore verdicts (sum) - * daq.retry: total retry verdicts (sum) * daq.internal_blacklist: packets blacklisted internally due to lack of DAQ support (sum) * daq.internal_whitelist: packets whitelisted internally due to 
@@ -1205,8 +1202,9 @@ Configuration: * int rate_filter[].count = 1: number of events in interval before tripping { 0:max32 } * int rate_filter[].seconds = 1: count interval { 0:max32 } - * enum rate_filter[].new_action = alert: take this action on future - hits until timeout { log | pass | alert | drop | block | reset } + * dynamic rate_filter[].new_action = alert: take this action on + future hits until timeout { alert | block | drop | log | pass | + react | reject | rewrite } * int rate_filter[].timeout = 1: count interval { 0:max32 } * string rate_filter[].apply_to: restrict filter to these addresses according to track @@ -1349,6 +1347,7 @@ Configuration: * string snort.-g: run snort gid as group (or gid) after initialization * implied snort.-H: make hash tables deterministic + * implied snort.-h: show help overview (same as --help) * string snort.-i: … list of interfaces * port snort.-j: to listen for Telnet connections * enum snort.-k = all: checksum mode; default is all { all| @@ -1427,7 +1426,7 @@ Configuration: Operation * implied snort.--gen-msg-map: dump configured rules in gen-msg.map format for use by other tools - * implied snort.--help: list command line options + * implied snort.--help: show help overview * string snort.--help-commands: [] output matching commands { (optional) } * string snort.--help-config: [] output matching 
@@ -2879,17 +2878,15 @@ Peg counts: * dce_smb.v2_wrt: total number of SMBv2 write packets seen (sum) * dce_smb.v2_wrt_err_resp: total number of SMBv2 write error response packets seen (sum) - * dce_smb.v2_wrt_ignored: total number of SMBv2 write packets - ignored due to missing trackers or invalid share type (sum) * dce_smb.v2_wrt_inv_str_sz: total number of SMBv2 write packets seen with invalid structure size (sum) * dce_smb.v2_wrt_req_hdr_err: total number of SMBv2 write request packets ignored due to corrupted header (sum) + * dce_smb.v2_wrt_resp_hdr_err: total number of SMBv2 write response + packets ignored due to corrupted header (sum) * dce_smb.v2_read: total number of SMBv2 read packets seen (sum) * dce_smb.v2_read_err_resp: total number of SMBv2 read error response packets seen (sum) - * dce_smb.v2_read_ignored: total number of SMBv2 write packets - ignored due to missing trackers or invalid share type (sum) * dce_smb.v2_read_inv_str_sz: total number of SMBv2 read packets seen with invalid structure size (sum) * dce_smb.v2_read_rtrkr_misng: total number of SMBv2 read response @@ -2898,12 +2895,10 @@ Peg counts: packets ignored due to corrupted header (sum) * dce_smb.v2_read_req_hdr_err: total number of SMBv2 read request packets ignored due to corrupted header (sum) - * dce_smb.v2_stinf: total number of SMBv2 set info packets seen + * dce_smb.v2_setinfo: total number of SMBv2 set info packets seen (sum) * dce_smb.v2_stinf_err_resp: total number of SMBv2 set info error response packets seen (sum) - * dce_smb.v2_stinf_ignored: total number of SMBv2 set info packets - ignored due to missing trackers or invalid share type (sum) * dce_smb.v2_stinf_inv_str_sz: total number of SMBv2 set info packets seen with invalid structure size (sum) * dce_smb.v2_stinf_req_ftrkr_misng: total number of SMBv2 set info 
@@ -2913,8 +2908,6 @@ Peg counts: * dce_smb.v2_cls: total number of SMBv2 close packets seen (sum) * dce_smb.v2_cls_err_resp: total number of SMBv2 close error response packets seen (sum) - * dce_smb.v2_cls_ignored: total number of SMBv2 close packets - ignored due to missing trackers or invalid share type (sum) * dce_smb.v2_cls_inv_str_sz: total number of SMBv2 close packets seen with invalid structure size (sum) * dce_smb.v2_cls_req_ftrkr_misng: total number of SMBv2 close @@ -2937,8 +2930,6 @@ Peg counts: corrupted hdr (sum) * dce_smb.v2_bad_next_cmd_offset: total number of SMBv2 packets seen with invalid next command offset (sum) - * dce_smb.v2_extra_file_data_err: total number of SMBv2 packets - seen with where file data beyond file size is observed (sum) * dce_smb.v2_inv_file_ctx_err: total number of times null file context are seen resulting in not being able to set file size (sum) @@ -2947,6 +2938,10 @@ Peg counts: * dce_smb.v2_cmpnd_req_lt_crossed: total number of SMBv2 packets seen where compound requests exceed the smb_max_compound limit (sum) + * dce_smb.v2_tree_ignored: total number of packets ignored due to + missing tree tracker (sum) + * dce_smb.v2_session_ignored: total number of packets ignored due + to missing session tracker (sum) * dce_smb.concurrent_sessions: total concurrent sessions (now) * dce_smb.max_concurrent_sessions: maximum concurrent sessions (max) @@ -3603,6 +3598,7 @@ Rules: * 121:28 (http2_inspect) invalid HTTP/2 rst stream frame * 121:29 (http2_inspect) HTTP/2 rst stream frame sent at invalid time + * 121:30 (http2_inspect) uppercase HTTP/2 header field name Peg counts: 
@@ -3657,6 +3653,8 @@ Configuration: immediately upon script end * bool http_inspect.normalize_javascript = false: normalize JavaScript in response bodies + * int http_inspect.normalization_depth = 0: number of input + JavaScript bytes to normalize { -1:65535 } * int http_inspect.max_javascript_whitespaces = 200: maximum consecutive whitespaces allowed within the JavaScript obfuscated data { 1:65535 } @@ -3824,6 +3822,8 @@ Rules: truncated * 119:261 (http_inspect) HTTP chunked message body was truncated * 119:262 (http_inspect) HTTP URI scheme longer than 10 characters + * 119:263 (http_inspect) HTTP/1 client requested HTTP/2 upgrade + * 119:264 (http_inspect) HTTP/1 server granted HTTP/2 upgrade Peg counts: @@ -4673,7 +4673,6 @@ Peg counts: * reputation.trusted: number of packets trusted (sum) * reputation.monitored: number of packets monitored (sum) * reputation.memory_allocated: total memory allocated (sum) - * reputation.total_alerts: total alerts triggered (sum) 5.37. rna @@ -4717,6 +4716,9 @@ Configuration: * string rna.tcp_fingerprints[].device: device information * string rna.tcp_fingerprints[].dhcp55: dhcp option 55 values * string rna.tcp_fingerprints[].dhcp60: dhcp option 60 values + * int rna.tcp_fingerprints[].major: smb major version { 0:max31 } + * int rna.tcp_fingerprints[].minor: smb minor version { 0:max31 } + * int rna.tcp_fingerprints[].flags: smb flags { 0:max32 } * int rna.ua_fingerprints[].fpid = 0: fingerprint id { 0:max32 } * int rna.ua_fingerprints[].type = 0: fingerprint type { 0:max32 } * string rna.ua_fingerprints[].uuid: fingerprint uuid 
@@ -4736,6 +4738,9 @@ Configuration: * string rna.ua_fingerprints[].device: device information * string rna.ua_fingerprints[].dhcp55: dhcp option 55 values * string rna.ua_fingerprints[].dhcp60: dhcp option 60 values + * int rna.ua_fingerprints[].major: smb major version { 0:max31 } + * int rna.ua_fingerprints[].minor: smb minor version { 0:max31 } + * int rna.ua_fingerprints[].flags: smb flags { 0:max32 } * int rna.udp_fingerprints[].fpid = 0: fingerprint id { 0:max32 } * int rna.udp_fingerprints[].type = 0: fingerprint type { 0:max32 } * string rna.udp_fingerprints[].uuid: fingerprint uuid 
@@ -4755,6 +4760,31 @@ Configuration: * string rna.udp_fingerprints[].device: device information * string rna.udp_fingerprints[].dhcp55: dhcp option 55 values * string rna.udp_fingerprints[].dhcp60: dhcp option 60 values + * int rna.udp_fingerprints[].major: smb major version { 0:max31 } + * int rna.udp_fingerprints[].minor: smb minor version { 0:max31 } + * int rna.udp_fingerprints[].flags: smb flags { 0:max32 } + * int rna.smb_fingerprints[].fpid = 0: fingerprint id { 0:max32 } + * int rna.smb_fingerprints[].type = 0: fingerprint type { 0:max32 } + * string rna.smb_fingerprints[].uuid: fingerprint uuid + * int rna.smb_fingerprints[].ttl = 0: fingerprint ttl { 0:256 } + * string rna.smb_fingerprints[].tcp_window: fingerprint tcp window + * string rna.smb_fingerprints[].mss = X: fingerprint mss + * string rna.smb_fingerprints[].id = X: id + * string rna.smb_fingerprints[].topts: fingerprint tcp options + * string rna.smb_fingerprints[].ws = X: fingerprint window size + * bool rna.smb_fingerprints[].df = false: fingerprint don’t + fragment flag + * enum rna.smb_fingerprints[].ua_type = os: type of user agent + fingerprints { os | device | jail-broken | jail-broken-host } + * string rna.smb_fingerprints[].user_agent[].substring: a substring + of user agent string + * string rna.smb_fingerprints[].host_name: host name information + * string rna.smb_fingerprints[].device: device information + * string rna.smb_fingerprints[].dhcp55: dhcp option 55 values + * string rna.smb_fingerprints[].dhcp60: dhcp option 60 values + * int rna.smb_fingerprints[].major: smb major version { 0:max31 } + * int rna.smb_fingerprints[].minor: smb minor version { 0:max31 } + * int rna.smb_fingerprints[].flags: smb flags { 0:max32 } Commands: @@ -4784,6 +4814,7 @@ Peg counts: (sum) * rna.dhcp_data: count of DHCP data events received (sum) * rna.dhcp_info: count of new DHCP lease events received (sum) + * rna.smb: count of new SMB events received (sum) 5.38. rpc_decode 
@@ -5708,22 +5739,6 @@ Configuration: network|host|port|forward|all } -6.3. rewrite - --------------- - -Help: overwrite packet contents - -Type: ips_action - -Usage: detect - -Configuration: - - * bool rewrite.disable_replace = false: disable replace of packet - contents with rewrite rules - - --------------------------------------------------------------------- 7. IPS Option Modules @@ -8200,6 +8215,7 @@ these libraries see the Getting Started section of the manual. * -g run snort gid as group (or gid) after initialization * -H make hash tables deterministic + * -h show help overview (same as --help) * -i … list of interfaces * -j to listen for Telnet connections * -k checksum mode; default is all (all|noip|notcp|noudp| @@ -8262,7 +8278,7 @@ these libraries see the Getting Started section of the manual. * --enable-inline-test enable Inline-Test Mode Operation * --gen-msg-map dump configured rules in gen-msg.map format for use by other tools - * --help list command line options + * --help show help overview * --help-commands [] output matching commands (optional) * --help-config [] output matching config options @@ -8443,8 +8459,7 @@ these libraries see the Getting Started section of the manual. * int alert_sfsocket.rules[].sid = 1: rule signature ID { 1:max32 } * bool alerts.log_references = false: include rule references in alert info (full only) - * string alerts.order = pass reset block drop alert log: change the - order of rule action application + * string alerts.order: change the order of rule action application * int alerts.rate_filter_memcap = 1048576: set available MB of memory for rate_filters { 0:max32 } * string alerts.reference_net: set the CIDR for homenet (for use 
@@ -9046,6 +9061,8 @@ these libraries see the Getting Started section of the manual. * int http_inspect.max_javascript_whitespaces = 200: maximum consecutive whitespaces allowed within the JavaScript obfuscated data { 1:65535 } + * int http_inspect.normalization_depth = 0: number of input + JavaScript bytes to normalize { -1:65535 } * bool http_inspect.normalize_javascript = false: normalize JavaScript in response bodies * bool http_inspect.normalize_utf = true: normalize charset utf @@ -9578,8 +9595,9 @@ these libraries see the Getting Started section of the manual. * int rate_filter[].count = 1: number of events in interval before tripping { 0:max32 } * int rate_filter[].gid = 1: rule generator ID { 0:max32 } - * enum rate_filter[].new_action = alert: take this action on future - hits until timeout { log | pass | alert | drop | block | reset } + * dynamic rate_filter[].new_action = alert: take this action on + future hits until timeout { alert | block | drop | log | pass | + react | reject | rewrite } * int rate_filter[].seconds = 1: count interval { 0:max32 } * int rate_filter[].sid = 1: rule signature ID { 0:max32 } * int rate_filter[].timeout = 1: count interval { 0:max32 } @@ -9619,8 +9637,6 @@ these libraries see the Getting Started section of the manual. * bool reputation.scan_local = false: inspect local address defined in RFC 1918 * int rev.~: revision { 1:max32 } - * bool rewrite.disable_replace = false: disable replace of packet - contents with rewrite rules * string rna.dump_file: file name to dump RNA mac cache on shutdown; won’t dump by default * bool rna.enable_logger = true: enable or disable writing 
@@ -9628,14 +9644,39 @@ these libraries see the Getting Started section of the manual. * bool rna.log_when_idle = false: enable host update logging when snort is idle * string rna.rna_conf_path: path to rna configuration + * string rna.smb_fingerprints[].device: device information + * bool rna.smb_fingerprints[].df = false: fingerprint don’t + fragment flag + * string rna.smb_fingerprints[].dhcp55: dhcp option 55 values + * string rna.smb_fingerprints[].dhcp60: dhcp option 60 values + * int rna.smb_fingerprints[].flags: smb flags { 0:max32 } + * int rna.smb_fingerprints[].fpid = 0: fingerprint id { 0:max32 } + * string rna.smb_fingerprints[].host_name: host name information + * string rna.smb_fingerprints[].id = X: id + * int rna.smb_fingerprints[].major: smb major version { 0:max31 } + * int rna.smb_fingerprints[].minor: smb minor version { 0:max31 } + * string rna.smb_fingerprints[].mss = X: fingerprint mss + * string rna.smb_fingerprints[].tcp_window: fingerprint tcp window + * string rna.smb_fingerprints[].topts: fingerprint tcp options + * int rna.smb_fingerprints[].ttl = 0: fingerprint ttl { 0:256 } + * int rna.smb_fingerprints[].type = 0: fingerprint type { 0:max32 } + * enum rna.smb_fingerprints[].ua_type = os: type of user agent + fingerprints { os | device | jail-broken | jail-broken-host } + * string rna.smb_fingerprints[].user_agent[].substring: a substring + of user agent string + * string rna.smb_fingerprints[].uuid: fingerprint uuid + * string rna.smb_fingerprints[].ws = X: fingerprint window size * string rna.tcp_fingerprints[].device: device information * bool rna.tcp_fingerprints[].df = false: fingerprint don’t fragment flag * string rna.tcp_fingerprints[].dhcp55: dhcp option 55 values * string rna.tcp_fingerprints[].dhcp60: dhcp option 60 values + * int rna.tcp_fingerprints[].flags: smb flags { 0:max32 } * int rna.tcp_fingerprints[].fpid = 0: fingerprint id { 0:max32 } * string rna.tcp_fingerprints[].host_name: host name information * string 
rna.tcp_fingerprints[].id = X: id + * int rna.tcp_fingerprints[].major: smb major version { 0:max31 } + * int rna.tcp_fingerprints[].minor: smb minor version { 0:max31 } * string rna.tcp_fingerprints[].mss = X: fingerprint mss * string rna.tcp_fingerprints[].tcp_window: fingerprint tcp window * string rna.tcp_fingerprints[].topts: fingerprint tcp options @@ -9652,9 +9693,12 @@ these libraries see the Getting Started section of the manual. flag * string rna.ua_fingerprints[].dhcp55: dhcp option 55 values * string rna.ua_fingerprints[].dhcp60: dhcp option 60 values + * int rna.ua_fingerprints[].flags: smb flags { 0:max32 } * int rna.ua_fingerprints[].fpid = 0: fingerprint id { 0:max32 } * string rna.ua_fingerprints[].host_name: host name information * string rna.ua_fingerprints[].id = X: id + * int rna.ua_fingerprints[].major: smb major version { 0:max31 } + * int rna.ua_fingerprints[].minor: smb minor version { 0:max31 } * string rna.ua_fingerprints[].mss = X: fingerprint mss * string rna.ua_fingerprints[].tcp_window: fingerprint tcp window * string rna.ua_fingerprints[].topts: fingerprint tcp options @@ -9671,9 +9715,12 @@ these libraries see the Getting Started section of the manual. fragment flag * string rna.udp_fingerprints[].dhcp55: dhcp option 55 values * string rna.udp_fingerprints[].dhcp60: dhcp option 60 values + * int rna.udp_fingerprints[].flags: smb flags { 0:max32 } * int rna.udp_fingerprints[].fpid = 0: fingerprint id { 0:max32 } * string rna.udp_fingerprints[].host_name: host name information * string rna.udp_fingerprints[].id = X: id + * int rna.udp_fingerprints[].major: smb major version { 0:max31 } + * int rna.udp_fingerprints[].minor: smb minor version { 0:max31 } * string rna.udp_fingerprints[].mss = X: fingerprint mss * string rna.udp_fingerprints[].tcp_window: fingerprint tcp window * string rna.udp_fingerprints[].topts: fingerprint tcp options 
@@ -9887,7 +9934,6 @@ these libraries see the Getting Started section of the manual. counts { (optional) } * implied snort.--help-limits: print the int upper bounds denoted by max* - * implied snort.--help: list command line options * string snort.--help-module: output description of given module * implied snort.--help-modules-json: dump description of all @@ -9898,8 +9944,10 @@ these libraries see the Getting Started section of the manual. command line option quick help (same as -?) { (optional) } * implied snort.--help-plugins: list all available plugins with brief help + * implied snort.--help: show help overview * implied snort.--help-signals: dump available control signals * implied snort.-H: make hash tables deterministic + * implied snort.-h: show help overview (same as --help) * int snort.--id-offset = 0: offset to add to instance IDs when logging to files { 0:65535 } * implied snort.--id-subdir: create/use instance subdirectories in @@ -10396,7 +10444,6 @@ these libraries see the Getting Started section of the manual. * daq.retries_processed: messages processed from the retry queue (sum) * daq.retries_queued: messages queued for retry (sum) - * daq.retry: total retry verdicts (sum) * daq.rx_bytes: total bytes received (sum) * daq.skipped: packets skipped at startup (sum) * daq.sof_messages: start of flow messages received from DAQ (sum) @@ -10470,8 +10517,6 @@ these libraries see the Getting Started section of the manual. seen with invalid next command offset (sum) * dce_smb.v2_cls_err_resp: total number of SMBv2 close error response packets seen (sum) - * dce_smb.v2_cls_ignored: total number of SMBv2 close packets - ignored due to missing trackers or invalid share type (sum) * dce_smb.v2_cls_inv_str_sz: total number of SMBv2 close packets seen with invalid structure size (sum) * dce_smb.v2_cls_req_ftrkr_misng: total number of SMBv2 close 
@@ -10499,8 +10544,6 @@ these libraries see the Getting Started section of the manual. * dce_smb.v2_crt: total number of SMBv2 create packets seen (sum) * dce_smb.v2_crt_tree_trkr_misng: total number of SMBv2 create response packets ignored due to missing tree tracker (sum) - * dce_smb.v2_extra_file_data_err: total number of SMBv2 packets - seen with where file data beyond file size is observed (sum) * dce_smb.v2_hdr_err: total number of SMBv2 packets seen with corrupted hdr (sum) * dce_smb.v2_inv_file_ctx_err: total number of times null file @@ -10513,8 +10556,6 @@ these libraries see the Getting Started section of the manual. where command is not being inspected (sum) * dce_smb.v2_read_err_resp: total number of SMBv2 read error response packets seen (sum) - * dce_smb.v2_read_ignored: total number of SMBv2 write packets - ignored due to missing trackers or invalid share type (sum) * dce_smb.v2_read_inv_str_sz: total number of SMBv2 read packets seen with invalid structure size (sum) * dce_smb.v2_read_req_hdr_err: total number of SMBv2 read request @@ -10524,6 +10565,10 @@ these libraries see the Getting Started section of the manual. * dce_smb.v2_read_rtrkr_misng: total number of SMBv2 read response packets ignored due to missing read request tracker (sum) * dce_smb.v2_read: total number of SMBv2 read packets seen (sum) + * dce_smb.v2_session_ignored: total number of packets ignored due + to missing session tracker (sum) + * dce_smb.v2_setinfo: total number of SMBv2 set info packets seen + (sum) * dce_smb.v2_setup_err_resp: total number of SMBv2 setup error response packets seen (sum) * dce_smb.v2_setup_inv_str_sz: total number of SMBv2 setup packets 
@@ -10533,16 +10578,12 @@ these libraries see the Getting Started section of the manual. * dce_smb.v2_setup: total number of SMBv2 setup packets seen (sum) * dce_smb.v2_stinf_err_resp: total number of SMBv2 set info error response packets seen (sum) - * dce_smb.v2_stinf_ignored: total number of SMBv2 set info packets - ignored due to missing trackers or invalid share type (sum) * dce_smb.v2_stinf_inv_str_sz: total number of SMBv2 set info packets seen with invalid structure size (sum) * dce_smb.v2_stinf_req_ftrkr_misng: total number of SMBv2 set info request packets ignored due to missing file tracker (sum) * dce_smb.v2_stinf_req_hdr_err: total number of SMBv2 set info request packets ignored due to corrupted header (sum) - * dce_smb.v2_stinf: total number of SMBv2 set info packets seen - (sum) * dce_smb.v2_tree_cnct_err_resp: total number of SMBv2 tree connect error response packets seen (sum) * dce_smb.v2_tree_cnct_ignored: total number of SMBv2 setup 
@@ -10563,14 +10604,16 @@ these libraries see the Getting Started section of the manual. disconnect request packets ignored due to corrupted header (sum) * dce_smb.v2_tree_discn: total number of SMBv2 tree disconnect packets seen (sum) + * dce_smb.v2_tree_ignored: total number of packets ignored due to + missing tree tracker (sum) * dce_smb.v2_wrt_err_resp: total number of SMBv2 write error response packets seen (sum) - * dce_smb.v2_wrt_ignored: total number of SMBv2 write packets - ignored due to missing trackers or invalid share type (sum) * dce_smb.v2_wrt_inv_str_sz: total number of SMBv2 write packets seen with invalid structure size (sum) * dce_smb.v2_wrt_req_hdr_err: total number of SMBv2 write request packets ignored due to corrupted header (sum) + * dce_smb.v2_wrt_resp_hdr_err: total number of SMBv2 write response + packets ignored due to corrupted header (sum) * dce_smb.v2_wrt: total number of SMBv2 write packets seen (sum) * dce_tcp.alter_context_responses: total connection-oriented alter context responses (sum) @@ -11072,7 +11115,6 @@ these libraries see the Getting Started section of the manual. * reputation.memory_allocated: total memory allocated (sum) * reputation.monitored: number of packets monitored (sum) * reputation.packets: total packets processed (sum) - * reputation.total_alerts: total alerts triggered (sum) * reputation.trusted: number of packets trusted (sum) * rna.appid_change: count of appid change events received (sum) * rna.change_host_update: count number of change host update events @@ -11086,6 +11128,7 @@ these libraries see the Getting Started section of the manual. * rna.ip_new: count of new IP flows received (sum) * rna.other_packets: count of packets received without session tracking (sum) + * rna.smb: count of new SMB events received (sum) * rna.tcp_midstream: count of TCP midstream packets received (sum) * rna.tcp_syn_ack: count of TCP SYN-ACK packets received (sum) * rna.tcp_syn: count of TCP SYN packets received (sum) 
@@ -11798,6 +11841,8 @@ these libraries see the Getting Started section of the manual. truncated * 119:261 (http_inspect) HTTP chunked message body was truncated * 119:262 (http_inspect) HTTP URI scheme longer than 10 characters + * 119:263 (http_inspect) HTTP/1 client requested HTTP/2 upgrade + * 119:264 (http_inspect) HTTP/1 server granted HTTP/2 upgrade * 121:1 (http2_inspect) invalid flag set on HTTP/2 frame * 121:2 (http2_inspect) HPACK integer value has leading zeros * 121:3 (http2_inspect) HTTP/2 stream initiated with invalid stream @@ -11836,6 +11881,7 @@ these libraries see the Getting Started section of the manual. * 121:28 (http2_inspect) invalid HTTP/2 rst stream frame * 121:29 (http2_inspect) HTTP/2 rst stream frame sent at invalid time + * 121:30 (http2_inspect) uppercase HTTP/2 header field name * 122:1 (port_scan) TCP portscan * 122:2 (port_scan) TCP decoy portscan * 122:3 (port_scan) TCP portsweep @@ -12582,7 +12628,6 @@ and are not applicable elsewhere. * reputation (inspector): reputation inspection * rev (ips_option): rule option to indicate current revision of signature - * rewrite (ips_action): overwrite packet contents * rna (inspector): Real-time network awareness and OS fingerprinting (experimental) * rpc (ips_option): rule option to check SUNRPC CALL parameters @@ -12783,6 +12828,12 @@ and are not applicable elsewhere. * inspector::telnet: telnet inspection and normalization * inspector::wizard: inspector that implements port-independent protocol identification + * ips_action::alert: generate alert on the current packet + * ips_action::block: block current packet and all the subsequent + packets in this flow + * ips_action::drop: drop the current packet + * ips_action::log: log the current packet + * ips_action::pass: mark the current packet as passed * ips_action::react: send response to client and terminate session * ips_action::reject: terminate session with TCP reset or ICMP unreachable 
diff --git a/doc/upgrade/snort_upgrade.text b/doc/upgrade/snort_upgrade.text index 125688aad..4c93e260f 100644 --- a/doc/upgrade/snort_upgrade.text +++ b/doc/upgrade/snort_upgrade.text @@ -8,7 +8,7 @@ Snort 3 Upgrade Manual The Snort Team Revision History -Revision 3.1.2.0 2021-03-11 14:56:52 EST TST +Revision 3.1.3.0 2021-03-27 11:48:49 EDT TST --------------------------------------------------------------------- @@ -1030,6 +1030,7 @@ deleted -> config 'disable_decode_drops' deleted -> config 'disable_inline_init_failopen' deleted -> config 'disable_ipopt_alerts' deleted -> config 'disable_ipopt_drops' +deleted -> config 'disable_replace' deleted -> config 'disable_tcpopt_alerts' deleted -> config 'disable_tcpopt_drops' deleted -> config 'disable_tcpopt_experimental_alerts' diff --git a/doc/user/snort_user.text b/doc/user/snort_user.text index 4a1b4967f..032f3bea9 100644 --- a/doc/user/snort_user.text +++ b/doc/user/snort_user.text @@ -8,7 +8,7 @@ Snort 3 User Manual The Snort Team Revision History -Revision 3.1.2.0 2021-03-11 14:56:53 EST TST +Revision 3.1.3.0 2021-03-27 11:48:49 EDT TST --------------------------------------------------------------------- @@ -1730,7 +1730,9 @@ plugins: react = { } reject = { } -rewrite = { } + +When these active responses are not configured the default +configuration is used. Active responses will be performed for reject, react or rewrite IPS rule actions, and response packets are encoded based on the @@ -1866,7 +1868,6 @@ IPS action rewrite enables overwrite packet contents based on For example: -rewrite = { } local_rules = [[ rewrite tcp 10.1.1.87 any -> 10.1.1.0/24 80 @@ -1886,14 +1887,6 @@ ips = this rule replaces "index.php" with "indax.php", and rewrite action updates that packet. -to enable rewrite action: - -rewrite = { } - -the replace operation can be disabled by changing the configuration: - -rewrite = { disable_replace = true } - 6.2. AppId 
@@ -3913,9 +3906,24 @@ decodeURI, and decodeURIComponent are normalized. The different encodings handled within the unescape, decodeURI, or decodeURIComponent are %XX, %uXXXX, XX and uXXXXi. http_inspect also replaces consecutive whitespaces with a single space and normalizes -the plus by concatenating the strings. +the plus by concatenating the strings. Such normalizations refer to +basic JavaScript normalization. + +6.10.2.8. normalization_depth -6.10.2.8. xff_headers +normalization_depth = N {-1 : 65535} will set a number of input +JavaScript bytes to normalize and enable the whitespace normalizer +instead of the basic one. Meanwhile, normalize_javascript = true must +be configured as well. When the depth is reached, normalization will +be stopped. It’s implemented per-script. normalization_depth = -1 +will configure max depth value. By default, the value is set to 0. +Configure this option to enable more precise whitespace normalization +of JavaScript, that removes all redundant whitespaces and line +terminators from the JavaScript syntax point of view (between +identifier and punctuator, between identifier and operator, etc.) +according to ECMAScript 5.1 standard. + +6.10.2.9. xff_headers This configuration supports defining custom x-forwarded-for type headers. In a multi-vendor world, it is quite possible that the @@ -3930,7 +3938,7 @@ they are defined, e.g "x-forwarded-for" will be preferred than "true-client-ip" if both headers are present in the stream. The header names should be delimited by a space. -6.10.2.9. URI processing +6.10.2.10. URI processing Normalization and inspection of the URI in the HTTP request message is a key aspect of what http_inspect does. The best way to normalize 
@@ -4258,10 +4266,7 @@ applied to http_header when no specific header is specified. This is the body of a request or response message. It will be dechunked and unzipped if applicable but will not be normalized in -any other way. The difference between http_raw_body and packet data -is a rule that uses packet data will search and may match an HTTP -header, but http_raw_body is limited to the message body. Thus the -latter is more efficient and more accurate for most uses. +any other way. 6.10.4.8. http_method @@ -4296,15 +4301,12 @@ first header line. For a request message those are http_method, http_raw_uri, and http_version. For a response message those are http_version, http_stat_code, and http_stat_msg. -6.10.4.13. file_data and packet data +6.10.4.13. file_data file_data contains the normalized message body. This is the normalization described above under gzip, normalize_utf, decompress_pdf, decompress_swf, and normalize_javascript. -The unnormalized message content is available in the packet data. If -gzip is configured the packet data will be unzipped. - 6.10.5. Timing issues and combining rule options HTTP inspector is stateful. That means it is aware of a bigger
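Review bot: in cmake/FindDAQ.cmake the new floor `pkg_check_modules(PC_DAQ libdaq>=3.0.2)` is the only place the 3.0.2 requirement from the commit message is checked, yet the comment right below it says DAQ_INCLUDE_DIR_HINT and DAQ_LIBRARIES_DIR_HINT from configure_cmake.sh are used as the primary hints and pkg-config only after that. A build that supplies those hints against an older LibDAQ bypasses the version check entirely, and the reason for the bump (the RETRY verdict removal, visible in the ChangeLog and in the deleted `daq.retry` peg) would then only surface at compile time. Either check the version on the hint path as well or fail with a message that names 3.0.2, and add the new minimum to doc/upgrade/snort_upgrade.text, which this commit edits only for `disable_replace`.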
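Review bot: the two snort_reference.text hunks that turn `string alerts.order = pass reset block drop alert log` into `string alerts.order` remove the documented default without saying what replaces it. Given the ChangeLog entry "Dynamically construct the default eval order for all the loaded IPS actions", the help string should state the rule used to build that order (which built-in actions come first and where pluggable actions such as react and reject are placed); as written, a user who relied on pass being evaluated before block can no longer confirm that from the manual.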
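Review bot: the `rate_filter[].new_action` hunks (module section and the alphabetical option list in snort_reference.text) replace the enum `{ log | pass | alert | drop | block | reset }` with the dynamic list `{ alert | block | drop | log | pass | react | reject | rewrite }`, so `reset` is no longer an accepted value and no alias is documented. Any existing `rate_filter` entry with `new_action = 'reset'` will stop parsing after this upgrade; that deserves a line in doc/upgrade/snort_upgrade.text and a ChangeLog entry that goes beyond "rate_filter: Get the available IPS actions dynamically to configure the new_action". It also means the accepted set now depends on which action plugins are loaded, which the help text should say.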
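Review bot: in the dce_smb peg hunks `dce_smb.v2_stinf` is renamed to `dce_smb.v2_setinfo` while the rest of the family keeps the old prefix (`v2_stinf_err_resp`, `v2_stinf_inv_str_sz`, `v2_stinf_req_ftrkr_misng`, `v2_stinf_req_hdr_err`), so the set-info counters no longer sort or grep together. Rename the whole family or keep `v2_stinf`; either way a peg rename is a visible interface change for anything consuming peg counts and should be called out next to "dce_rpc: Refactor SMB code" in the ChangeLog. The new aggregate counters `v2_tree_ignored` ("ignored due to missing tree tracker") and `v2_session_ignored` also overlap with the per-command pegs that survive, e.g. `v2_crt_tree_trkr_misng` ("create response packets ignored due to missing tree tracker"); the help strings should say whether one packet bumps both.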
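Review bot: the rna hunks add `major`, `minor` and `flags` (described as "smb major version", "smb minor version", "smb flags") not only to the new `rna.smb_fingerprints[]` table but also to `tcp_fingerprints[]`, `ua_fingerprints[]` and `udp_fingerprints[]`, and conversely `smb_fingerprints[]` carries TCP, DHCP and user-agent keys (`ttl`, `tcp_window`, `mss`, `topts`, `ws`, `df`, `dhcp55`, `dhcp60`, `ua_type`, `user_agent[].substring`). That reads like one shared parameter list reused for all four tables. If that is intentional, the help text should say which keys are meaningful for which table; otherwise a user has no way to tell from the manual whether `tcp_fingerprints[].major` does anything. The `{ 0:max31 }` bound on major/minor versus `{ 0:max32 }` on flags is also unexplained.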
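Review bot: the rewrite action is removed inconsistently across the documentation hunks. snort_reference.text drops section "6.3. rewrite", `rewrite.disable_replace` and the module-index line `rewrite (ips_action): overwrite packet contents`, and snort_user.text drops `rewrite = { }` and the disable_replace paragraph, yet `rewrite` still appears in the new `rate_filter[].new_action` list, the user manual still says "Active responses will be performed for reject, react or rewrite IPS rule actions" and keeps the `rewrite tcp 10.1.1.87 any -> 10.1.1.0/24 80` example, and the new `ips_action::*` plugin list adds alert, block, drop, log and pass beside react and reject but not rewrite. If rewrite is still a loaded IPS action, the module index and an option-less 6.3 entry should stay; if it is not, the rate_filter list, that sentence and the example are stale. The ChangeLog entries "actions: Make all IPS actions pluggable" and "snort2lua: Delete conversion of disable_replace option" do not settle which it is.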
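Review bot: the two snort_user.text hunks under 6.10.4 delete the explanation of how `http_raw_body` differs from packet data ("a rule that uses packet data will search and may match an HTTP header, but http_raw_body is limited to the message body") and the packet-data half of "6.10.4.13. file_data and packet data" ("The unnormalized message content is available in the packet data. If gzip is configured the packet data will be unzipped.") without replacing them. If packet-data matching on HTTP flows still behaves that way, keep one sentence pointing rule writers at `http_raw_body`; if the behaviour changed, the ChangeLog entry "doc: Update http_inspect feature documentation" should say what changed, because rules that match on packet data were written against the deleted text.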
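Review bot: the new "6.10.2.8. normalization_depth" text in snort_user.text never defines the default value 0. The reference hunks give `int http_inspect.normalization_depth = 0 ... { -1:65535 }`, the prose explains -1 as "max depth value" and a positive N as enabling the whitespace normalizer "instead of the basic one", but whether 0 means normalize nothing or fall back to the basic normalizer is left to the reader; say so explicitly. The sentence "Meanwhile, normalize_javascript = true must be configured as well" should also state what happens when the depth is set but normalize_javascript is false (ignored, or an error), and "Such normalizations refer to basic JavaScript normalization" would read better as "The manual refers to these as basic JavaScript normalization."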