From: Michael Altizer (mialtize) Date: Wed, 7 Oct 2020 19:00:02 +0000 (+0000) Subject: Merge pull request #2531 in SNORT/snort3 from ~MIALTIZE/snort3:3_0_3_build_2 to master X-Git-Tag: 3.0.3-2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d71e3e5c8155aba093704af5b916f6a79d9a2d4e;p=thirdparty%2Fsnort3.git Merge pull request #2531 in SNORT/snort3 from ~MIALTIZE/snort3:3_0_3_build_2 to master Squashed commit of the following: commit 930eedee00095c97b70df46b59eebe48d9360fa9 Author: Michael Altizer Date: Wed Oct 7 13:03:59 2020 -0400 build: Generate and tag 3.0.3 build 2 --- diff --git a/ChangeLog b/ChangeLog index fa31a877a..f039195b3 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,41 @@ +2020/10/07 - 3.0.3 build 2 + +-- appid: Create events for client user name, id and login success +-- appid: Inform third-party about snort's idle state during reload +-- appid: Reload detector patterns on reload_config for the sake of hyperscan +-- appid: Update appid to use instance based reload tuner +-- binder: Allow binding based on address spaces +-- binder: Allow directional binding based on interfaces +-- binder: Enforce directionality, add intfs, rename groups, cleanup +-- framework: Update packet constraints comparison to check only set fields +-- host_tracker: Update host tracker to use instance based reload tuner +-- http2_inspect: Fix frame padding handling +-- http2_inspect: Free up HI flow data when we are finished with it +-- http2_inspect: Stream state tracking +-- http_inspect: Implement can_start_tls(), add support of ssl search abandoned event +-- http_inspect: Support for custom xff type headers +-- main: Change reload memcap framework to use object instances +-- main: Remove deprecated rule_state module +-- main: Update host attribute class to use instance based reload tuner +-- normalizer: Move TTL configuration toggle to inspector configure() +-- perf_monitor: Update perf monitor to use instance based reload tuner +-- policy: Copy uuid, user_policy_id, and policy_mode when an inspection policy is cloned +-- pop: Generate alert for unknown command if file policy is attached. 
+-- port_scan: Update port scan to use instance based reload tuner +-- rna: Add event_time to rna logger events +-- rna: Add payload discovery logic +-- rna: Check user-agent processor early to skip some work +-- rna: Port host type discovery logic +-- rna: Set the thread local fingerprint processors during reload_config +-- rna: Update rna to use instance based reload tuner +-- rna: Update methods for user-agent processor +-- rna: User discovery for successful login +-- snort2lua: Convert rule_state into ips.states +-- stream_tcp: Update trace messages to use trace framework +-- stream: Update stream to use instance based reload tuner +-- trace: Update parser unit tests +-- wizard: Clean up parameter parsing and make it a bit stricter + 2020/09/23 - 3.0.3 build 1 -- ac_bnfa: Disable broken fail state reduction diff --git a/doc/reference/snort_reference.text b/doc/reference/snort_reference.text index 00b3d5456..8eea4893f 100644 --- a/doc/reference/snort_reference.text +++ b/doc/reference/snort_reference.text @@ -8,7 +8,7 @@ Snort 3 Reference Manual The Snort Team Revision History -Revision 3.0.3 (Build 1) 2020-09-23 11:56:23 EDT TST +Revision 3.0.3 (Build 2) 2020-10-07 13:11:06 EDT TST --------------------------------------------------------------------- @@ -43,12 +43,11 @@ Table of Contents 2.24. profiler 2.25. rate_filter 2.26. references - 2.27. rule_state - 2.28. search_engine - 2.29. side_channel - 2.30. snort - 2.31. suppress - 2.32. trace + 2.27. search_engine + 2.28. side_channel + 2.29. snort + 2.30. suppress + 2.31. trace 3. Codec Modules 
@@ -1215,28 +1214,7 @@ Configuration: * string references[].url: where this reference is defined -2.27. rule_state - --------------- - -Help: enable/disable and set actions for specific IPS rules; -deprecated, use rule state stubs with enable instead - -Type: basic - -Usage: detect - -Configuration: - - * enum rule_state.$gid_sid[].action = alert: apply action if rule - matches or inherit from rule definition { log | pass | alert | - drop | block | reset } - * enum rule_state.$gid_sid[].enable = inherit: enable or disable - rule in current ips policy or use default defined by ips policy { - no | yes | inherit } - - -2.28. search_engine +2.27. search_engine -------------- @@ -1302,7 +1280,7 @@ Peg counts: * search_engine.searched_bytes: total bytes searched (sum) -2.29. side_channel +2.28. side_channel -------------- @@ -1324,7 +1302,7 @@ Peg counts: * side_channel.packets: total packets (sum) -2.30. snort +2.29. snort -------------- @@ -1599,7 +1577,7 @@ Peg counts: failed due to attribute table full (sum) -2.31. suppress +2.30. suppress -------------- @@ -1619,7 +1597,7 @@ Configuration: according to track -2.32. trace +2.31. trace -------------- @@ -1654,6 +1632,7 @@ Configuration: logging { 0:255 } * int trace.modules.detection.tag: enable tag trace logging { 0:255 } + * int trace.modules.dpx.all: enable all trace options { 0:255 } * int trace.modules.gtp_inspect.all: enable all trace options { 0:255 } * int trace.modules.latency.all: enable all trace options { 0:255 } 
@@ -1665,6 +1644,12 @@ Configuration: * int trace.modules.stream.all: enable all trace options { 0:255 } * int trace.modules.stream_ip.all: enable all trace options { 0:255 } + * int trace.modules.stream_tcp.all: enable all trace options { + 0:255 } + * int trace.modules.stream_tcp.segments: enable stream TCP segments + trace logging { 0:255 } + * int trace.modules.stream_tcp.state: enable stream TCP state trace + logging { 0:255 } * int trace.modules.stream_user.all: enable all trace options { 0:255 } * int trace.modules.wizard.all: enable all trace options { 0:255 } @@ -2526,9 +2511,8 @@ Instance Type: singleton Configuration: - * int binder[].when.ips_policy_id = 0: unique ID for selection of - this config by external logic { 0:max32 } - * bit_list binder[].when.ifaces: list of interface indices { 255 } + * int binder[].when.ips_policy_id: unique ID for selection of this + config by external logic { 0:max32 } * bit_list binder[].when.vlans: list of VLAN IDs { 4095 } * addr_list binder[].when.nets: list of networks * addr_list binder[].when.src_nets: list of source networks 
@@ -2539,12 +2523,20 @@ Configuration: * bit_list binder[].when.src_ports: list of source ports { 65535 } * bit_list binder[].when.dst_ports: list of destination ports { 65535 } - * bit_list binder[].when.zones: zones { 63 } - * bit_list binder[].when.src_zone: source zone { 63 } - * bit_list binder[].when.dst_zone: destination zone { 63 } + * string binder[].when.intfs: list of interface IDs + * string binder[].when.src_intfs: list of source interface IDs + * string binder[].when.dst_intfs: list of destination interface IDs + * string binder[].when.groups: list of interface group IDs + * string binder[].when.src_groups: list of source interface group + IDs + * string binder[].when.dst_groups: list of destination group IDs + * string binder[].when.addr_spaces: list of address space IDs * enum binder[].when.role = any: use the given configuration on one or any end of a session { client | server | any } * string binder[].when.service: override default configuration + * string binder[].when.zones: deprecated alias for groups + * string binder[].when.src_zone: deprecated alias for src_groups + * string binder[].when.dst_zone: deprecated alias for dst_groups * enum binder[].use.action = inspect: what to do with matching traffic { reset | block | allow | inspect } * string binder[].use.file: use configuration in given file 
@@ -2558,11 +2550,16 @@ Configuration: Peg counts: - * binder.packets: initial bindings (sum) - * binder.resets: reset bindings (sum) - * binder.blocks: block bindings (sum) - * binder.allows: allow bindings (sum) - * binder.inspects: inspect bindings (sum) + * binder.new_flows: new flows evaluated (sum) + * binder.service_changes: flow service changes evaluated (sum) + * binder.assistant_inspectors: flow assistant inspector requests + handled (sum) + * binder.new_standby_flows: new HA flows evaluated (sum) + * binder.no_match: binding evaluations that had no matches (sum) + * binder.resets: reset actions bound (sum) + * binder.blocks: block actions bound (sum) + * binder.allows: allow actions bound (sum) + * binder.inspects: inspect actions bound (sum) 5.6. cip @@ -3569,6 +3566,11 @@ Rules: * 121:17 (http2_inspect) HTTP/2 pseudo-header after regular header * 121:18 (http2_inspect) HTTP/2 pseudo-header in trailers * 121:19 (http2_inspect) invalid HTTP/2 pseudo-header + * 121:20 (http2_inspect) HTTP/2 trailers without END_STREAM bit + * 121:21 (http2_inspect) padding flag set on invalid HTTP/2 frame + type + * 121:22 (http2_inspect) padding flag set on HTTP/2 frame with zero + length Peg counts: @@ -3649,6 +3651,9 @@ Configuration: normalizing URIs * bool http_inspect.simplify_path = true: reduce URI directory path to simplest form + * string http_inspect.xff_headers = x-forwarded-for true-client-ip: + specifies the xff type headers to parse and consider in the same + order of preference as defined Rules: @@ -3836,6 +3841,8 @@ Peg counts: * http_inspect.parameters: HTTP parameters inspected (sum) * http_inspect.connect_tunnel_cutovers: CONNECT tunnel flow cutovers to wizard (sum) + * http_inspect.ssl_srch_abandoned_early: total SSL search abandoned + too soon (sum) 5.25. imap 
@@ -8299,13 +8306,17 @@ these libraries see the Getting Started section of the manual. * string binder[].use.service: override automatic service identification * string binder[].use.type: select module for binding + * string binder[].when.addr_spaces: list of address space IDs + * string binder[].when.dst_groups: list of destination group IDs + * string binder[].when.dst_intfs: list of destination interface IDs * addr_list binder[].when.dst_nets: list of destination networks * bit_list binder[].when.dst_ports: list of destination ports { 65535 } - * bit_list binder[].when.dst_zone: destination zone { 63 } - * bit_list binder[].when.ifaces: list of interface indices { 255 } - * int binder[].when.ips_policy_id = 0: unique ID for selection of - this config by external logic { 0:max32 } + * string binder[].when.dst_zone: deprecated alias for dst_groups + * string binder[].when.groups: list of interface group IDs + * string binder[].when.intfs: list of interface IDs + * int binder[].when.ips_policy_id: unique ID for selection of this + config by external logic { 0:max32 } * addr_list binder[].when.nets: list of networks * bit_list binder[].when.ports: list of ports { 65535 } * enum binder[].when.proto: protocol { any | ip | icmp | tcp | udp 
@@ -8313,11 +8324,14 @@ these libraries see the Getting Started section of the manual. * enum binder[].when.role = any: use the given configuration on one or any end of a session { client | server | any } * string binder[].when.service: override default configuration + * string binder[].when.src_groups: list of source interface group + IDs + * string binder[].when.src_intfs: list of source interface IDs * addr_list binder[].when.src_nets: list of source networks * bit_list binder[].when.src_ports: list of source ports { 65535 } - * bit_list binder[].when.src_zone: source zone { 63 } + * string binder[].when.src_zone: deprecated alias for src_groups * bit_list binder[].when.vlans: list of VLAN IDs { 4095 } - * bit_list binder[].when.zones: zones { 63 } + * string binder[].when.zones: deprecated alias for groups * interval bufferlen.~range: check that total length of current buffer is in given range { 0:65535 } * implied bufferlen.relative: use remaining length (from current @@ -8835,6 +8849,9 @@ these libraries see the Getting Started section of the manual. encoded * bool http_inspect.utf8 = true: normalize 2-byte and 3-byte UTF-8 characters to a single byte + * string http_inspect.xff_headers = x-forwarded-for true-client-ip: + specifies the xff type headers to parse and consider in the same + order of preference as defined * implied http_method.with_body: parts of this rule examine HTTP message body * implied http_method.with_header: this rule is limited to 
@@ -9429,12 +9446,6 @@ these libraries see the Getting Started section of the manual. * int rpc.~app: application number { 0:max32 } * string rpc.~proc: procedure number or * for any * string rpc.~ver: version number or * for any - * enum rule_state.$gid_sid[].action = alert: apply action if rule - matches or inherit from rule definition { log | pass | alert | - drop | block | reset } - * enum rule_state.$gid_sid[].enable = inherit: enable or disable - rule in current ips policy or use default defined by ips policy { - no | yes | inherit } * string s7commplus_func.~: function code to match * string s7commplus_opcode.~: opcode code to match * string sd_pattern.~pattern: The pattern to search for @@ -9986,6 +9997,7 @@ these libraries see the Getting Started section of the manual. trace logging { 0:255 } * int trace.modules.detection.tag: enable tag trace logging { 0:255 } + * int trace.modules.dpx.all: enable all trace options { 0:255 } * int trace.modules.gtp_inspect.all: enable all trace options { 0:255 } * int trace.modules.latency.all: enable all trace options { 0:255 } @@ -9997,6 +10009,12 @@ these libraries see the Getting Started section of the manual. * int trace.modules.stream.all: enable all trace options { 0:255 } * int trace.modules.stream_ip.all: enable all trace options { 0:255 } + * int trace.modules.stream_tcp.all: enable all trace options { + 0:255 } + * int trace.modules.stream_tcp.segments: enable stream TCP segments + trace logging { 0:255 } + * int trace.modules.stream_tcp.state: enable stream TCP state trace + logging { 0:255 } * int trace.modules.stream_user.all: enable all trace options { 0:255 } * int trace.modules.wizard.all: enable all trace options { 0:255 } 
@@ -10076,11 +10094,16 @@ these libraries see the Getting Started section of the manual. third-party module is reloaded (sum) * arp_spoof.packets: total packets (sum) * back_orifice.packets: total packets (sum) - * binder.allows: allow bindings (sum) - * binder.blocks: block bindings (sum) - * binder.inspects: inspect bindings (sum) - * binder.packets: initial bindings (sum) - * binder.resets: reset bindings (sum) + * binder.allows: allow actions bound (sum) + * binder.assistant_inspectors: flow assistant inspector requests + handled (sum) + * binder.blocks: block actions bound (sum) + * binder.inspects: inspect actions bound (sum) + * binder.new_flows: new flows evaluated (sum) + * binder.new_standby_flows: new HA flows evaluated (sum) + * binder.no_match: binding evaluations that had no matches (sum) + * binder.resets: reset actions bound (sum) + * binder.service_changes: flow service changes evaluated (sum) * cip.concurrent_sessions: total concurrent SIP sessions (now) * cip.max_concurrent_sessions: maximum concurrent SIP sessions (max) @@ -10582,6 +10605,8 @@ these libraries see the Getting Started section of the manual. messages (sum) * http_inspect.script_detections: early inspections of scripts in HTTP responses (sum) + * http_inspect.ssl_srch_abandoned_early: total SSL search abandoned + too soon (sum) * http_inspect.trace_requests: TRACE requests inspected (sum) * http_inspect.uri_coding: URIs with character coding problems (sum) 
@@ -11534,6 +11559,11 @@ these libraries see the Getting Started section of the manual. * 121:17 (http2_inspect) HTTP/2 pseudo-header after regular header * 121:18 (http2_inspect) HTTP/2 pseudo-header in trailers * 121:19 (http2_inspect) invalid HTTP/2 pseudo-header + * 121:20 (http2_inspect) HTTP/2 trailers without END_STREAM bit + * 121:21 (http2_inspect) padding flag set on invalid HTTP/2 frame + type + * 121:22 (http2_inspect) padding flag set on HTTP/2 frame with zero + length * 122:1 (port_scan) TCP portscan * 122:2 (port_scan) TCP decoy portscan * 122:3 (port_scan) TCP portsweep @@ -12151,8 +12181,6 @@ and are not applicable elsewhere. fingerprinting (experimental) * rpc (ips_option): rule option to check SUNRPC CALL parameters * rpc_decode (inspector): RPC inspector - * rule_state (basic): enable/disable and set actions for specific - IPS rules; deprecated, use rule state stubs with enable instead * s7commplus (inspector): s7commplus inspection * s7commplus_content (ips_option): rule option to set cursor to s7commplus content diff --git a/doc/user/snort_user.text b/doc/user/snort_user.text index 84cc175f3..882b9d330 100644 --- a/doc/user/snort_user.text +++ b/doc/user/snort_user.text @@ -8,7 +8,7 @@ Snort 3 User Manual The Snort Team Revision History -Revision 3.0.3 (Build 1) 2020-09-23 11:56:13 EDT TST +Revision 3.0.3 (Build 2) 2020-10-07 13:10:58 EDT TST --------------------------------------------------------------------- @@ -662,8 +662,7 @@ additional information about the type and use of the parameter: by a *. Used for unquoted, comma-separated lists such as service and metadata. * The snort module has command line options starting with a -. - * $ denotes variable names, eg rule_state.$gid_sid which would be - used like rule_state["1:23456"] = { }. + * $ denotes variable names. Some additional details to note: 
@@ -3858,7 +3857,22 @@ decodeURIComponent are %XX, %uXXXX, XX and uXXXXi. http_inspect also replaces consecutive whitespaces with a single space and normalizes the plus by concatenating the strings. -5.10.2.9. URI processing +5.10.2.9. xff_headers + +This configuration supports defining custom x-forwarded-for type +headers. In a multi-vendor world, it is quite possible that the +header name carrying the original client IP could be vendor-specific. +This is due to the absence of standardization which would otherwise +standardize the header name. In such a scenario, this configuration +provides a way with which such headers can be introduced to HI. The +default value of this configuration is "x-forwarded-for +true-client-ip". The default definition introduces the two commonly +known headers and is preferred in the same order by the inspector as +they are defined, e.g "x-forwarded-for" will be preferred than +"true-client-ip" if both headers are present in the stream. The +header names should be delimited by a space. + +5.10.2.10. URI processing Normalization and inspection of the URI in the HTTP request message is a key aspect of what http_inspect does. The best way to normalize @@ -4171,9 +4185,10 @@ applied to http_header when no specific header is specified. This provides the original IP address of the client sending the request as it was stored by a proxy in the request message headers. -Specifically it is the last IP address listed in the X-Forwarded-For -or True-Client-IP header. If both headers are present the former is -used. +Specifically it is the last IP address listed in the X-Forwarded-For, +True-Client-IP or any other custom x-forwarded-for type header. If +multiple headers are present the preference defined in xff_headers +configuration is considered. 5.10.4.6. http_client_body diff --git a/src/main/build.h b/src/main/build.h index 46eb73211..ac84188a7 100644 --- a/src/main/build.h +++ b/src/main/build.h 
@@ -12,7 +12,7 @@ // // //-----------------------------------------------// -#define BUILD_NUMBER 1 +#define BUILD_NUMBER 2 #ifndef EXTRABUILD #define BUILD STRINGIFY_MX(BUILD_NUMBER)
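Review bot: In the ChangeLog hunk, the entry `-- pop: Generate alert for unknown command if file policy is attached.` ends with a period while every other entry in the 3.0.3 build 2 block (and the 3.0.3 build 1 block below it) does not; drop the trailing period for consistency. In the same hunk, none of the binder entries mention that `binder.packets` is removed, that the `ifaces` parameter is gone, or that `zones`/`src_zone`/`dst_zone` are now deprecated aliases; those changes only surface in the generated reference text further down, so a ChangeLog line for the user-visible renames would help people upgrading.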
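Review bot: In the binder `Configuration` hunks of snort_reference.text (`@@ -2526` and `@@ -2539`), `bit_list binder[].when.ifaces` is removed outright while `zones`, `src_zone` and `dst_zone` each get a `deprecated alias for ...` entry, so an existing config that sets `ifaces` will fail to parse with nothing pointing at `intfs`. Either add `ifaces` as a deprecated alias for `intfs` or document the removal in the user manual so the parse error is expected. Two smaller points in the same hunk: `ips_policy_id` loses its `= 0` default with no ChangeLog mention, so confirm that is intended rather than a default lost from the module's parameter table; and the help text `dst_groups: list of destination group IDs` is inconsistent with `groups: list of interface group IDs` and `src_groups: list of source interface group IDs`. The reference text is generated, so that fix belongs in the binder module's help strings, not in this file.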
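Review bot: In the binder `Peg counts` hunk (`@@ -2558`), `binder.packets` is dropped, the remaining counters are re-described from `... bindings` to `... actions bound`, and `new_flows`, `service_changes`, `assistant_inspectors`, `new_standby_flows` and `no_match` are added. Removing and renaming peg names is a change that anyone reading perf_monitor output by counter name will hit, and it is not called out anywhere in the ChangeLog (the binder entries there only cover directionality, intfs and groups); add a line for it.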
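Review bot: In the new `5.10.2.9. xff_headers` section of snort_user.text, a few wording fixes: `e.g "x-forwarded-for" will be preferred than "true-client-ip"` should read `e.g. "x-forwarded-for" will be preferred over "true-client-ip"`; `This is due to the absence of standardization which would otherwise standardize the header name.` is circular and can be cut; and `HI` is not expanded anywhere in this section, so write `http_inspect`. Because the hunk renumbers `URI processing` from 5.10.2.9 to 5.10.2.10, grep the rest of the manual for references to 5.10.2.9 that now point at the wrong section. Finally, since the later hunk describes the value as the client IP `as it was stored by a proxy in the request message headers`, one sentence noting that a configured header is only meaningful when a trusted proxy inserted it would set expectations for anyone adding vendor-specific names here.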
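Review bot: In the snort_user.text hunk at `@@ -662`, removing the rule_state example leaves `* $ denotes variable names.` with no illustration, while the neighbouring bullets each show their notation with a concrete example. If no module still exposes a `$`-named variable once rule_state is gone, drop the bullet; otherwise substitute an example from a surviving module.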
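Review bot: `#define BUILD_NUMBER 2` in src/main/build.h agrees with the ChangeLog header (`3.0.3 build 2`) and with both manual revision lines (`Revision 3.0.3 (Build 2)`), so the version bump is consistent across all four places it appears; nothing further needed in this hunk.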