From: Steve Chew (stechew) Date: Mon, 25 Apr 2022 16:53:44 +0000 (+0000) Subject: Pull request #3392: build: generate and tag 3.1.28.0 X-Git-Tag: 3.1.28.0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d8ddb5869a045232162e529b23951be8de1458a5;p=thirdparty%2Fsnort3.git Pull request #3392: build: generate and tag 3.1.28.0 Merge in SNORT/snort3 from ~STECHEW/snort3:build_3.1.28.0 to master Squashed commit of the following: commit ae3c9a8e96c8040f01a7a34821dac54ba578aab8 Author: Steve Chew Date: Mon Apr 25 10:39:44 2022 -0400 build: generate and tag 3.1.28.0 --- diff --git a/CMakeLists.txt b/CMakeLists.txt index d3b667a5a..f72a83aa6 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -3,7 +3,7 @@ project (snort CXX C) set (VERSION_MAJOR 3) set (VERSION_MINOR 1) -set (VERSION_PATCH 27) +set (VERSION_PATCH 28) set (VERSION_SUBLEVEL 0) set (VERSION "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}.${VERSION_SUBLEVEL}") diff --git a/ChangeLog b/ChangeLog index 4c5d8f2de..68c133ea5 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,55 @@ +2022/04/25 - 3.1.28.0 + +appid: add bytes_in_use and items_in_use peg counts +appid: ssl service detection for segmented server hello done +binder: add binder actions to flow reassignment. Thanks to Meridoff for the original report of the issue. +bufferlen: add missing relative override +conf: add cip and s7commplus to the default snort.lua +content: auto no-case non-alpha patterns +dce_rpc: Handling only named ioctls for smb +detection: add missing fast pattern buffer translations +detection: make CursorActionType generic +detection: map buffers to services +detection: rearrange startup rule counts +detection: remove now obsolete get buf support +doc: add clarification on default bindings in developer notes and user notes +events: add action logging to the event +flow, managers, binder: only publish flow state reloaded event from internal execute +flow: only select policies when deleting flow data if there is a policy selector +flow, snort_config: change service back to a pointer and add a method to return a non-volatile pointer for service +flow: use a flag instead off shared pointer use count for has service check +framework: make Cursor SO_PUBLIC +ftp: fix FTP response parsing +ftp: flush FTP cmds ending in just carriage return +host_cache: bytes_in_use and items_in_use peg counts +host_cache: fix unit test broken on some platforms +inspectors: add / update api buffer lists +ips: eliminate direct dependence on get_fp_buf of all ibt (by using rule options) +ips: eliminate PM_TYPE_* to make fast pattern buffers generic +ips: further limit port group rules +ips_options: eliminate obsolete RULE_OPTION_TYPE_BUFFER_* +ips_options: fix cursor action type overrides +main: check policy exists instead of index when setting network policy by id +mime: handle MIME header lines split between inspection sections and improve folded header line processing +mms: add check that BerElement argument isn't null before calling BerReader::read +mms: adding manual 
updates for the new service inspector for the IEC61850 MMS protocol +mms: adding new service inspector for the IEC61850 MMS protocol +mms_data: make a fast pattern buffer +mms: moved creation of TpktFlowData inspector ID to process init +module_manager: fix memory pegs display issue during packet processing, while also correctly computing the memory pegs in Analyzer::term +netflow: framework for netflow V5 and V9 events +packet_io: add rewrite action logging +parser: update dev notes +raw_data: only search pkt_data if no alt buffer or raw_data rules included in group +service inspectors: update fast pattern access +sfip: improve warning suppression +smtp: SMTPData initialization changed from memset to constructor +smtp: STARTTLS command injection event processing +stream: add can_set_no_ack() api to check if policy allows no-ack mode +stream: add current_flows, uni_flows and uni_ip_flows peg counts +utils: limit JS regex stack size +utils: track groups and escaped symbols in JavaScript regex literals + 2022/04/07 - 3.1.27.0 ac_full: refactor api access diff --git a/doc/reference/snort_reference.text b/doc/reference/snort_reference.text index 24eb4c51a..bf33dbd0d 100644 --- a/doc/reference/snort_reference.text +++ b/doc/reference/snort_reference.text @@ -8,7 +8,7 @@ Snort 3 Reference Manual The Snort Team Revision History -Revision 3.1.27.0 2022-04-07 13:35:35 EDT TST +Revision 3.1.28.0 2022-04-25 10:44:49 EDT TST --------------------------------------------------------------------- 
@@ -115,32 +115,33 @@ Table of Contents 5.26. iec104 5.27. imap 5.28. mem_test - 5.29. modbus - 5.30. netflow - 5.31. normalizer - 5.32. null_trace_logger - 5.33. packet_capture - 5.34. perf_monitor - 5.35. pop - 5.36. port_scan - 5.37. reputation - 5.38. rna - 5.39. rpc_decode - 5.40. s7commplus - 5.41. sip - 5.42. smtp - 5.43. so_proxy - 5.44. ssh - 5.45. ssl - 5.46. stream - 5.47. stream_file - 5.48. stream_icmp - 5.49. stream_ip - 5.50. stream_tcp - 5.51. stream_udp - 5.52. stream_user - 5.53. telnet - 5.54. wizard + 5.29. mms + 5.30. modbus + 5.31. netflow + 5.32. normalizer + 5.33. null_trace_logger + 5.34. packet_capture + 5.35. perf_monitor + 5.36. pop + 5.37. port_scan + 5.38. reputation + 5.39. rna + 5.40. rpc_decode + 5.41. s7commplus + 5.42. sip + 5.43. smtp + 5.44. so_proxy + 5.45. ssh + 5.46. ssl + 5.47. stream + 5.48. stream_file + 5.49. stream_icmp + 5.50. stream_ip + 5.51. stream_tcp + 5.52. stream_udp + 5.53. stream_user + 5.54. telnet + 5.55. wizard 6. IPS Action Modules 
@@ -231,49 +232,51 @@ Table of Contents 7.80. js_data 7.81. md5 7.82. metadata - 7.83. modbus_data - 7.84. modbus_func - 7.85. modbus_unit - 7.86. msg - 7.87. mss - 7.88. pcre - 7.89. pkt_data - 7.90. pkt_num - 7.91. priority - 7.92. raw_data - 7.93. reference - 7.94. regex - 7.95. rem - 7.96. replace - 7.97. rev - 7.98. rpc - 7.99. s7commplus_content - 7.100. s7commplus_func - 7.101. s7commplus_opcode - 7.102. sd_pattern - 7.103. seq - 7.104. service - 7.105. sha256 - 7.106. sha512 - 7.107. sid - 7.108. sip_body - 7.109. sip_header - 7.110. sip_method - 7.111. sip_stat_code - 7.112. so - 7.113. soid - 7.114. ssl_state - 7.115. ssl_version - 7.116. stream_reassemble - 7.117. stream_size - 7.118. tag - 7.119. target - 7.120. tos - 7.121. ttl - 7.122. urg - 7.123. vba_data - 7.124. window - 7.125. wscale + 7.83. mms_data + 7.84. mms_func + 7.85. modbus_data + 7.86. modbus_func + 7.87. modbus_unit + 7.88. msg + 7.89. mss + 7.90. pcre + 7.91. pkt_data + 7.92. pkt_num + 7.93. priority + 7.94. raw_data + 7.95. reference + 7.96. regex + 7.97. rem + 7.98. replace + 7.99. rev + 7.100. rpc + 7.101. s7commplus_content + 7.102. s7commplus_func + 7.103. s7commplus_opcode + 7.104. sd_pattern + 7.105. seq + 7.106. service + 7.107. sha256 + 7.108. sha512 + 7.109. sid + 7.110. sip_body + 7.111. sip_header + 7.112. sip_method + 7.113. sip_stat_code + 7.114. so + 7.115. soid + 7.116. ssl_state + 7.117. ssl_version + 7.118. stream_reassemble + 7.119. stream_size + 7.120. tag + 7.121. target + 7.122. tos + 7.123. ttl + 7.124. urg + 7.125. vba_data + 7.126. window + 7.127. wscale 8. Search Engine Modules 9. SO Rule Modules 
@@ -601,29 +604,10 @@ Peg counts: (sum) * detection.alt_searches: alt fast pattern searches in packet data (sum) - * detection.key_searches: fast pattern searches in key buffer (sum) - * detection.header_searches: fast pattern searches in header buffer - (sum) - * detection.body_searches: fast pattern searches in body buffer + * detection.pdu_searches: fast pattern searches in service buffers (sum) * detection.file_searches: fast pattern searches in file buffer (sum) - * detection.raw_key_searches: fast pattern searches in raw key - buffer (sum) - * detection.raw_header_searches: fast pattern searches in raw - header buffer (sum) - * detection.method_searches: fast pattern searches in method buffer - (sum) - * detection.stat_code_searches: fast pattern searches in status - code buffer (sum) - * detection.stat_msg_searches: fast pattern searches in status - message buffer (sum) - * detection.cookie_searches: fast pattern searches in cookie buffer - (sum) - * detection.js_data_searches: fast pattern searches in js_data - buffer (sum) - * detection.vba_searches: fast pattern searches in MS Office Visual - Basic for Applications buffer (sum) * detection.offloads: fast pattern searches that were offloaded (sum) * detection.alerts: alerts not including IP reputation (sum) @@ -826,6 +810,9 @@ Peg counts: * host_cache.adds: lru cache added new entry (sum) * host_cache.alloc_prunes: lru cache pruned entry to make space for new entry (sum) + * host_cache.bytes_in_use: current number of bytes in use (now) + * host_cache.items_in_use: current number of items in the cache + (now) * host_cache.find_hits: lru cache found entry in cache (sum) * host_cache.find_misses: lru cache did not find entry in cache (sum) 
@@ -2492,6 +2479,8 @@ Peg counts: open detector package is reloaded (sum) * appid.tp_reload_ignored_pkts: count of packets ignored after third-party module is reloaded (sum) + * appid.bytes_in_use: number of bytes in use in the cache (now) + * appid.items_in_use: items in use in the cache (now) 5.2. appid_listener @@ -4246,7 +4235,32 @@ Peg counts: * mem_test.packets: total packets (sum) -5.29. modbus +5.29. mms + +-------------- + +Help: mms inspection + +Type: inspector (service) + +Usage: inspect + +Instance Type: multiton + +Rules: + +no match + +Peg counts: + + * mms.sessions: total sessions processed (sum) + * mms.frames: total MMS messages (sum) + * mms.concurrent_sessions: total concurrent MMS sessions (now) + * mms.max_concurrent_sessions: maximum concurrent MMS sessions + (max) + + +5.30. modbus -------------- @@ -4275,7 +4289,7 @@ Peg counts: sessions (max) -5.30. netflow +5.31. netflow -------------- @@ -4325,7 +4339,7 @@ Peg counts: (sum) -5.31. normalizer +5.32. normalizer -------------- @@ -4461,7 +4475,7 @@ Peg counts: * normalizer.tcp_block: blocked segments (sum) -5.32. null_trace_logger +5.33. null_trace_logger -------------- @@ -4474,7 +4488,7 @@ Usage: global Instance Type: global -5.33. packet_capture +5.34. packet_capture -------------- @@ -4506,7 +4520,7 @@ Peg counts: filter (sum) -5.34. perf_monitor +5.35. perf_monitor -------------- @@ -4566,7 +4580,7 @@ Peg counts: by new flows (sum) -5.35. pop +5.36. pop -------------- @@ -4630,7 +4644,7 @@ Peg counts: * pop.non_encoded_bytes: total non-encoded extracted bytes (sum) -5.36. port_scan +5.37. port_scan -------------- @@ -4802,7 +4816,7 @@ Peg counts: to reduced memcap (sum) -5.37. reputation +5.38. reputation -------------- @@ -4859,7 +4873,7 @@ Peg counts: monitored (sum) -5.38. rna +5.39. rna -------------- 
@@ -5000,9 +5014,10 @@ Peg counts: * rna.dhcp_data: count of DHCP data events received (sum) * rna.dhcp_info: count of new DHCP lease events received (sum) * rna.smb: count of new SMB events received (sum) + * rna.netflow_record: count of netflow record events received (sum) -5.39. rpc_decode +5.40. rpc_decode -------------- @@ -5031,7 +5046,7 @@ Peg counts: sessions (max) -5.40. s7commplus +5.41. s7commplus -------------- @@ -5060,7 +5075,7 @@ Peg counts: sessions (max) -5.41. sip +5.42. sip -------------- @@ -5163,7 +5178,7 @@ Peg counts: * sip.code_9xx: 9xx (sum) -5.42. smtp +5.43. smtp -------------- @@ -5249,6 +5264,7 @@ Rules: * 124:14 (smtp) Cyrus SASL authentication attack * 124:15 (smtp) attempted authentication command buffer overflow * 124:16 (smtp) file decompression failed + * 124:17 (smtp) STARTTLS command injection attempt Peg counts: @@ -5274,7 +5290,7 @@ Peg counts: * smtp.non_encoded_bytes: total non-encoded extracted bytes (sum) -5.43. so_proxy +5.44. so_proxy -------------- @@ -5288,7 +5304,7 @@ Usage: global Instance Type: global -5.44. ssh +5.45. ssh -------------- @@ -5328,7 +5344,7 @@ Peg counts: (max) -5.45. ssl +5.46. ssl -------------- @@ -5379,7 +5395,7 @@ Peg counts: (max) -5.46. stream +5.47. stream -------------- @@ -5464,9 +5480,12 @@ Peg counts: config reloads (sum) * stream.reload_offloaded_deletes: number of offloaded flows deleted by config reloads (sum) + * stream.current_flows: current number of flows in cache (now) + * stream.uni_flows: number of uni flows in cache (now) + * stream.uni_ip_flows: number of uni ip flows in cache (now) -5.47. stream_file +5.48. stream_file -------------- @@ -5483,7 +5502,7 @@ Configuration: * bool stream_file.upload = false: indicate file transfer direction -5.48. stream_icmp +5.49. stream_icmp -------------- @@ -5510,7 +5529,7 @@ Peg counts: * stream_icmp.prunes: icmp session prunes (sum) -5.49. stream_ip +5.50. stream_ip -------------- 
@@ -5582,7 +5601,7 @@ Peg counts: * stream_ip.fragmented_bytes: total fragmented bytes (sum) -5.50. stream_tcp +5.51. stream_tcp -------------- @@ -5758,7 +5777,7 @@ Peg counts: (sum) -5.51. stream_udp +5.52. stream_udp -------------- @@ -5787,7 +5806,7 @@ Peg counts: * stream_udp.ignored: udp packets ignored (sum) -5.52. stream_user +5.53. stream_user -------------- @@ -5805,7 +5824,7 @@ Configuration: 1:max31 } -5.53. telnet +5.54. telnet -------------- @@ -5841,7 +5860,7 @@ Peg counts: sessions (max) -5.54. wizard +5.55. wizard -------------- @@ -5874,7 +5893,7 @@ Configuration: * string wizard.spells[].to_client[].spell: sequence of data with wild cards (*) * multi wizard.curses: enable service identification based on - internal algorithm { dce_smb | dce_udp | dce_tcp | sslv2 } + internal algorithm { dce_smb | dce_udp | dce_tcp | mms | sslv2 } * int wizard.max_search_depth = 8192: maximum scan depth per flow { 0:65535 } @@ -7472,7 +7491,33 @@ Configuration: pairs -7.83. modbus_data +7.83. mms_data + +-------------- + +Help: rule option to set cursor to MMS data + +Type: ips_option + +Usage: detect + + +7.84. mms_func + +-------------- + +Help: rule option to check MMS function + +Type: ips_option + +Usage: detect + +Configuration: + + * string mms_func.~: func to match + + +7.85. modbus_data -------------- @@ -7483,7 +7528,7 @@ Type: ips_option Usage: detect -7.84. modbus_func +7.86. modbus_func -------------- @@ -7498,7 +7543,7 @@ Configuration: * string modbus_func.~: function code to match -7.85. modbus_unit +7.87. modbus_unit -------------- @@ -7513,7 +7558,7 @@ Configuration: * int modbus_unit.~: Modbus unit ID { 0:255 } -7.86. msg +7.88. msg -------------- @@ -7528,7 +7573,7 @@ Configuration: * string msg.~: message describing rule -7.87. mss +7.89. mss -------------- @@ -7544,7 +7589,7 @@ Configuration: } -7.88. pcre +7.90. pcre -------------- 
@@ -7566,7 +7611,7 @@ Peg counts: * pcre.pcre_negated: total pcre rules using negation syntax (sum) -7.89. pkt_data +7.91. pkt_data -------------- @@ -7578,7 +7623,7 @@ Type: ips_option Usage: detect -7.90. pkt_num +7.92. pkt_num -------------- @@ -7594,7 +7639,7 @@ Configuration: { 1: } -7.91. priority +7.93. priority -------------- @@ -7610,7 +7655,7 @@ Configuration: 1:max31 } -7.92. raw_data +7.94. raw_data -------------- @@ -7621,7 +7666,7 @@ Type: ips_option Usage: detect -7.93. reference +7.95. reference -------------- @@ -7636,7 +7681,7 @@ Configuration: * string reference.~ref: reference: , -7.94. regex +7.96. regex -------------- @@ -7660,7 +7705,7 @@ Configuration: instead of start of buffer -7.95. rem +7.97. rem -------------- @@ -7675,7 +7720,7 @@ Configuration: * string rem.~: comment -7.96. replace +7.98. replace -------------- @@ -7691,7 +7736,7 @@ Configuration: * string replace.~: byte code to replace with -7.97. rev +7.99. rev -------------- @@ -7706,7 +7751,7 @@ Configuration: * int rev.~: revision { 1:max32 } -7.98. rpc +7.100. rpc -------------- @@ -7723,7 +7768,7 @@ Configuration: * string rpc.~proc: procedure number or * for any -7.99. s7commplus_content +7.101. s7commplus_content -------------- @@ -7734,7 +7779,7 @@ Type: ips_option Usage: detect -7.100. s7commplus_func +7.102. s7commplus_func -------------- @@ -7749,7 +7794,7 @@ Configuration: * string s7commplus_func.~: function code to match -7.101. s7commplus_opcode +7.103. s7commplus_opcode -------------- @@ -7764,7 +7809,7 @@ Configuration: * string s7commplus_opcode.~: opcode code to match -7.102. sd_pattern +7.104. sd_pattern -------------- @@ -7788,7 +7833,7 @@ Peg counts: * sd_pattern.terminated: hyperscan terminated (sum) -7.103. seq +7.105. seq -------------- @@ -7804,7 +7849,7 @@ Configuration: range { 0: } -7.104. service +7.106. service -------------- 
@@ -7819,7 +7864,7 @@ Configuration: * string service.*: one or more comma-separated service names -7.105. sha256 +7.107. sha256 -------------- @@ -7839,7 +7884,7 @@ Configuration: start of buffer -7.106. sha512 +7.108. sha512 -------------- @@ -7859,7 +7904,7 @@ Configuration: start of buffer -7.107. sid +7.109. sid -------------- @@ -7874,7 +7919,7 @@ Configuration: * int sid.~: signature id { 1:max32 } -7.108. sip_body +7.110. sip_body -------------- @@ -7885,7 +7930,7 @@ Type: ips_option Usage: detect -7.109. sip_header +7.111. sip_header -------------- @@ -7897,7 +7942,7 @@ Type: ips_option Usage: detect -7.110. sip_method +7.112. sip_method -------------- @@ -7912,7 +7957,7 @@ Configuration: * string sip_method.*method: sip method -7.111. sip_stat_code +7.113. sip_stat_code -------------- @@ -7927,7 +7972,7 @@ Configuration: * int sip_stat_code.*code: status code { 1:999 } -7.112. so +7.114. so -------------- @@ -7944,7 +7989,7 @@ Configuration: buffer -7.113. soid +7.115. soid -------------- @@ -7960,7 +8005,7 @@ Configuration: like 3_45678_9 -7.114. ssl_state +7.116. ssl_state -------------- @@ -7989,7 +8034,7 @@ Configuration: unknown -7.115. ssl_version +7.117. ssl_version -------------- @@ -8016,7 +8061,7 @@ Configuration: tls1.2 -7.116. stream_reassemble +7.118. stream_reassemble -------------- @@ -8037,7 +8082,7 @@ Configuration: remainder of the session -7.117. stream_size +7.119. stream_size -------------- @@ -8055,7 +8100,7 @@ Configuration: direction(s) { either|to_server|to_client|both } -7.118. tag +7.120. tag -------------- @@ -8074,7 +8119,7 @@ Configuration: * int tag.bytes: tag for this many bytes { 1:max32 } -7.119. target +7.121. target -------------- @@ -8090,7 +8135,7 @@ Configuration: dst_ip } -7.120. tos +7.122. tos -------------- @@ -8105,7 +8150,7 @@ Configuration: * interval tos.~range: check if IP TOS is in given range { 0:255 } -7.121. ttl +7.123. ttl -------------- 
@@ -8121,7 +8166,7 @@ Configuration: 0:255 } -7.122. urg +7.124. urg -------------- @@ -8137,7 +8182,7 @@ Configuration: { 0:65535 } -7.123. vba_data +7.125. vba_data -------------- @@ -8149,7 +8194,7 @@ Type: ips_option Usage: detect -7.124. window +7.126. window -------------- @@ -8165,7 +8210,7 @@ Configuration: range { 0:65535 } -7.125. wscale +7.127. wscale -------------- @@ -9694,6 +9739,7 @@ these libraries see the Getting Started section of the manual. overhead { 1:100 } * string metadata.*: comma-separated list of arbitrary name value pairs + * string mms_func.~: func to match * string modbus_func.~: function code to match * int modbus_unit.~: Modbus unit ID { 0:255 } * int mpls.max_stack_depth = -1: set maximum MPLS stack depth { @@ -10740,7 +10786,7 @@ these libraries see the Getting Started section of the manual. * interval window.~range: check if TCP window size is in given range { 0:65535 } * multi wizard.curses: enable service identification based on - internal algorithm { dce_smb | dce_udp | dce_tcp | sslv2 } + internal algorithm { dce_smb | dce_udp | dce_tcp | mms | sslv2 } * bool wizard.hexes[].client_first = true: which end initiates data transfer * select wizard.hexes[].proto = tcp: protocol to scan { tcp | udp } @@ -10784,7 +10830,9 @@ these libraries see the Getting Started section of the manual. * address_space_selector.no_match: selection evaluations that had no matches (sum) * address_space_selector.packets: packets evaluated (sum) + * appid.bytes_in_use: number of bytes in use in the cache (now) * appid.ignored_packets: count of packets ignored (sum) + * appid.items_in_use: items in use in the cache (now) * appid.odp_reload_ignored_pkts: count of packets ignored after open detector package is reloaded (sum) * appid.packets: count of packets received (sum) 
@@ -11128,28 +11176,17 @@ these libraries see the Getting Started section of the manual. * detection.alt_searches: alt fast pattern searches in packet data (sum) * detection.analyzed: total packets processed (now) - * detection.body_searches: fast pattern searches in body buffer - (sum) * detection.context_stalls: times processing stalled to wait for an available context (sum) * detection.cooked_searches: fast pattern searches in cooked packet data (sum) - * detection.cookie_searches: fast pattern searches in cookie buffer - (sum) * detection.event_limit: events filtered (sum) * detection.file_searches: fast pattern searches in file buffer (sum) * detection.hard_evals: non-fast pattern rule evaluations (sum) - * detection.header_searches: fast pattern searches in header buffer - (sum) - * detection.js_data_searches: fast pattern searches in js_data - buffer (sum) - * detection.key_searches: fast pattern searches in key buffer (sum) * detection.logged: logged packets (sum) * detection.log_limit: events queued but not logged (sum) * detection.match_limit: fast pattern matches not processed (sum) - * detection.method_searches: fast pattern searches in method buffer - (sum) * detection.offload_busy: times offload was not available (sum) * detection.offload_failures: fast pattern offload search failures (sum) 
@@ -11168,22 +11205,14 @@ these libraries see the Getting Started section of the manual. match limit (sum) * detection.pcre_recursion_limit: total number of times pcre hit the recursion limit (sum) + * detection.pdu_searches: fast pattern searches in service buffers + (sum) * detection.pkt_searches: fast pattern searches in packet data (sum) * detection.queue_limit: events not queued because queue full (sum) - * detection.raw_header_searches: fast pattern searches in raw - header buffer (sum) - * detection.raw_key_searches: fast pattern searches in raw key - buffer (sum) * detection.raw_searches: fast pattern searches in raw packet data (sum) - * detection.stat_code_searches: fast pattern searches in status - code buffer (sum) - * detection.stat_msg_searches: fast pattern searches in status - message buffer (sum) * detection.total_alerts: alerts including IP reputation (sum) - * detection.vba_searches: fast pattern searches in MS Office Visual - Basic for Applications buffer (sum) * dnp3.concurrent_sessions: total concurrent dnp3 sessions (now) * dnp3.dnp3_application_pdus: total dnp3 application pdus (sum) * dnp3.dnp3_link_layer_frames: total dnp3 link layer frames (sum) @@ -11266,9 +11295,12 @@ these libraries see the Getting Started section of the manual. * host_cache.adds: lru cache added new entry (sum) * host_cache.alloc_prunes: lru cache pruned entry to make space for new entry (sum) + * host_cache.bytes_in_use: current number of bytes in use (now) * host_cache.find_hits: lru cache found entry in cache (sum) * host_cache.find_misses: lru cache did not find entry in cache (sum) + * host_cache.items_in_use: current number of items in the cache + (now) * host_cache.reload_prunes: lru cache pruned entry for lower memcap during reload (sum) * host_cache.removes: lru cache found entry and removed it (sum) 
@@ -11404,6 +11436,11 @@ these libraries see the Getting Started section of the manual. * memory.reap_attempts: attempts to reclaim memory (now) * memory.reap_failures: failures to reclaim memory (now) * mem_test.packets: total packets (sum) + * mms.concurrent_sessions: total concurrent MMS sessions (now) + * mms.frames: total MMS messages (sum) + * mms.max_concurrent_sessions: maximum concurrent MMS sessions + (max) + * mms.sessions: total sessions processed (sum) * modbus.concurrent_sessions: total concurrent modbus sessions (now) * modbus.frames: total Modbus messages (sum) @@ -11578,6 +11615,7 @@ these libraries see the Getting Started section of the manual. * rna.icmp_new: count of new ICMP flows received (sum) * rna.ip_bidirectional: count of bidirectional IP received (sum) * rna.ip_new: count of new IP flows received (sum) + * rna.netflow_record: count of netflow record events received (sum) * rna.other_packets: count of packets received without session tracking (sum) * rna.smb: count of new SMB events received (sum) @@ -11712,6 +11750,7 @@ these libraries see the Getting Started section of the manual. * ssl.server_key_exchange: total server key exchanges (sum) * ssl.sessions_ignored: total sessions ignore (sum) * ssl.unrecognized_records: total unrecognized records (sum) + * stream.current_flows: current number of flows in cache (now) * stream.excess_prunes: sessions pruned due to excess (sum) * stream.expected_flows: total expected flows created within snort (sum) 
@@ -11874,6 +11913,8 @@ these libraries see the Getting Started section of the manual. * stream_udp.sessions: total udp sessions (sum) * stream_udp.timeouts: udp session timeouts (sum) * stream_udp.total_bytes: total number of bytes processed (sum) + * stream.uni_flows: number of uni flows in cache (now) + * stream.uni_ip_flows: number of uni ip flows in cache (now) * stream.uni_prunes: uni sessions pruned (sum) * tcp.bad_tcp4_checksum: nonzero tcp over ip checksums (sum) * tcp.bad_tcp6_checksum: nonzero tcp over ipv6 checksums (sum) @@ -11966,6 +12007,7 @@ these libraries see the Getting Started section of the manual. * 149: s7commplus * 150: file_id * 151: iec104 + * 152: mms * 175: domain_filter * 256: dpx @@ -15457,6 +15499,9 @@ and are not applicable elsewhere. * memory (basic): memory management configuration * metadata (ips_option): rule option for conveying arbitrary comma-separated name, value data within the rule text + * mms (inspector): mms inspection + * mms_data (ips_option): rule option to set cursor to MMS data + * mms_func (ips_option): rule option to check MMS function * modbus (inspector): modbus inspection * modbus_data (ips_option): rule option to set cursor to modbus data @@ -15683,6 +15728,7 @@ and are not applicable elsewhere. * inspector::iec104: iec104 inspection * inspector::imap: imap inspection * inspector::mem_test: for testing memory management + * inspector::mms: mms inspection * inspector::modbus: modbus inspection * inspector::netflow: netflow inspection * inspector::normalizer: packet scrubbing for inline mode 
@@ -15866,6 +15912,8 @@ and are not applicable elsewhere. * ips_option::md5: payload rule option for hash matching * ips_option::metadata: rule option for conveying arbitrary comma-separated name, value data within the rule text + * ips_option::mms_data: rule option to set cursor to MMS data + * ips_option::mms_func: rule option to check MMS function * ips_option::modbus_data: rule option to set cursor to modbus data * ips_option::modbus_func: rule option to check modbus function code diff --git a/doc/upgrade/snort_upgrade.text b/doc/upgrade/snort_upgrade.text index 2fc46ebf7..b636eb663 100644 --- a/doc/upgrade/snort_upgrade.text +++ b/doc/upgrade/snort_upgrade.text @@ -8,7 +8,7 @@ Snort 3 Upgrade Manual The Snort Team Revision History -Revision 3.1.27.0 2022-04-07 13:35:21 EDT TST +Revision 3.1.28.0 2022-04-25 10:44:39 EDT TST --------------------------------------------------------------------- @@ -827,7 +827,6 @@ change -> config 'checksum_mode' ==> 'network.checksum_eval' change -> config 'daq_dir' ==> 'daq.module_dirs' change -> config 'detection_filter' ==> 'alerts.detection_filter_memcap' change -> config 'enable_deep_teredo_inspection' ==> 'udp.deep_teredo_inspection' -change -> config 'enable_mpls_overlapping_ip' ==> 'packets.mpls_agnostic' change -> config 'event_filter' ==> 'alerts.event_filter_memcap' change -> config 'max_attribute_hosts' ==> 'attribute_table.max_hosts' change -> config 'max_attribute_services_per_host' ==> 'attribute_table.max_services_per_host' 
@@ -867,17 +866,17 @@ change -> daq: 'config daq:' ==> 'name' change -> daq_mode: 'config daq_mode:' ==> 'mode' change -> daq_var: 'config daq_var:' ==> 'variables' change -> detection: 'ac' ==> 'ac_full' -change -> detection: 'ac-banded' ==> 'ac_full' +change -> detection: 'ac-banded' ==> 'ac_banded' change -> detection: 'ac-bnfa' ==> 'ac_bnfa' change -> detection: 'ac-bnfa-nq' ==> 'ac_bnfa' change -> detection: 'ac-bnfa-q' ==> 'ac_bnfa' change -> detection: 'ac-nq' ==> 'ac_full' change -> detection: 'ac-q' ==> 'ac_full' -change -> detection: 'ac-sparsebands' ==> 'ac_full' +change -> detection: 'ac-sparsebands' ==> 'ac_sparse_bands' change -> detection: 'ac-split' ==> 'ac_full' change -> detection: 'ac-split' ==> 'split_any_any' -change -> detection: 'ac-std' ==> 'ac_full' -change -> detection: 'acs' ==> 'ac_full' +change -> detection: 'ac-std' ==> 'ac_std' +change -> detection: 'acs' ==> 'ac_sparse' change -> detection: 'bleedover-port-limit' ==> 'bleedover_port_limit' change -> detection: 'debug-print-fast-pattern' ==> 'show_fast_patterns' change -> detection: 'intel-cpm' ==> 'hyperscan' @@ -886,6 +885,7 @@ change -> detection: 'lowmem-q' ==> 'lowmem' change -> detection: 'max-pattern-len' ==> 'max_pattern_len' change -> detection: 'no_stream_inserts' ==> 'detect_raw_tcp' change -> detection: 'search-method' ==> 'search_method' +change -> detection: 'search-optimize' ==> 'search_optimize' change -> detection: 'split-any-any' ==> 'split_any_any = true by default' change -> detection: 'split-any-any' ==> 'split_any_any' change -> dnp3: 'ports' ==> 'bindings' @@ -963,7 +963,6 @@ change -> rate_filter: 'sig_id' ==> 'sid' change -> reputation: 'shared_mem' ==> 'list_dir' change -> sfportscan: 'proto' ==> 'protos' change -> sfportscan: 'scan_type' ==> 'scan_types' -change -> sip: 'max_requestName_len' ==> 'max_request_name_len' change -> sip: 'ports' ==> 'bindings' change -> smtp: 'ports' ==> 'bindings' change -> ssh: 'server_ports' ==> 'bindings' 
@@ -1029,7 +1028,6 @@ deleted -> config 'disable_decode_drops' deleted -> config 'disable_inline_init_failopen' deleted -> config 'disable_ipopt_alerts' deleted -> config 'disable_ipopt_drops' -deleted -> config 'disable_replace' deleted -> config 'disable_tcpopt_alerts' deleted -> config 'disable_tcpopt_drops' deleted -> config 'disable_tcpopt_experimental_alerts' @@ -1046,7 +1044,6 @@ deleted -> config 'enable_decode_oversized_alerts' deleted -> config 'enable_decode_oversized_drops' deleted -> config 'enable_gtp' deleted -> config 'enable_ipopt_drops' -deleted -> config 'enable_mpls_multicast' deleted -> config 'enable_tcpopt_drops' deleted -> config 'enable_tcpopt_experimental_drops' deleted -> config 'enable_tcpopt_obsolete_drops' @@ -1068,12 +1065,10 @@ deleted -> config 'sfalert_unified2' deleted -> config 'sflog_unified2' deleted -> config 'sidechannel' deleted -> config 'so_rule_memcap' -deleted -> config 'stateful' deleted -> csv: ' can no longer be specific' deleted -> csv: 'default' deleted -> csv: 'trheader' deleted -> detection: 'mwm' -deleted -> detection: 'search-optimize is always true' deleted -> dnp3: 'disabled' deleted -> dnp3: 'memcap' deleted -> dns: 'enable_experimental_types' @@ -1087,8 +1082,6 @@ deleted -> ftp_telnet_protocol: 'detect_anomalies' deleted -> full: ' can no longer be specific' deleted -> http_inspect: 'detect_anomalous_servers' deleted -> http_inspect: 'disabled' -deleted -> http_inspect: 'fast_blocking' -deleted -> http_inspect: 'normalize_random_nulls_in_text' deleted -> http_inspect: 'proxy_alert' deleted -> http_inspect_server: 'allow_proxy_use' deleted -> http_inspect_server: 'enable_cookie' 
@@ -1166,7 +1159,6 @@ deleted -> stream5_tcp: 'ignore_any_rules' deleted -> stream5_tcp: 'log_asymmetric_traffic' deleted -> stream5_tcp: 'policy noack' deleted -> stream5_tcp: 'policy unknown' -deleted -> stream5_tcp: 'use_static_footprint_sizes' deleted -> stream5_udp: 'ignore_any_rules' deleted -> tcpdump: ' can no longer be specific' deleted -> test: 'file' diff --git a/doc/user/snort_user.text b/doc/user/snort_user.text index f175785f2..9f62be662 100644 --- a/doc/user/snort_user.text +++ b/doc/user/snort_user.text @@ -8,7 +8,7 @@ Snort 3 User Manual The Snort Team Revision History -Revision 3.1.27.0 2022-04-07 13:35:21 EDT TST +Revision 3.1.28.0 2022-04-25 10:44:39 EDT TST --------------------------------------------------------------------- @@ -67,14 +67,15 @@ Table of Contents 5.10. HTTP Inspector 5.11. HTTP/2 Inspector 5.12. IEC104 Inspector - 5.13. Performance Monitor - 5.14. POP and IMAP - 5.15. Port Scan - 5.16. Sensitive Data Filtering - 5.17. SMTP - 5.18. Telnet - 5.19. Trace - 5.20. Wizard + 5.13. MMS Inspector + 5.14. Performance Monitor + 5.15. POP and IMAP + 5.16. Port Scan + 5.17. Sensitive Data Filtering + 5.18. SMTP + 5.19. Telnet + 5.20. Trace + 5.21. Wizard 6. DAQ Configuration and Modules @@ -2236,6 +2237,11 @@ matching network and service configurations are applied. binder.when can contain any combination of criteria and binder.use can specify an action, config file, or inspector configuration. +If binder is not explicitly configured (via file *.lua or option +--lua), a default binder will be instantiated in which bindings will +be created for all service inspectors configured. Some bindings may +require a configured wizard to detect the service type. + 5.4. Byte rule options 
@@ -4890,7 +4896,120 @@ option can be specified in one of two ways: the uppercase function name, or the lowercase function name. -5.13. Performance Monitor +5.13. MMS Inspector + +-------------- + +MMS inspector is a service inspector for the MMS protocol within the +IEC 61850 specification. + +5.13.1. Overview + +IEC 61850 is a family of protocols, including MMS, distributed by the +International Electrotechnical Commission (IEC) that provide a +standardized method of sending service messages between various +manufacturing and process control devices, typically running on TCP +port 102. + +It is used in combination with various parts of the OSI model, most +notably the TPKT, COTP, Session, Presentation, and ACSE layers, to +provide reliable transport via TCP/IP. + +The MMS inspector decodes the OSI layers encapsulating the MMS +protocol and provides rule writers access to certain protocol fields +and data content through rule options. This allows the user to write +rules for MMS messages without decoding the protocol. + +5.13.2. Configuration + +MMS messages can be sent in a variety of ways including multiple PDUs +within one TCP packet, one PDU split across multiple TCP packets, or +a combination of the two. It is the aim of the MMS service inspector +to normalize the traffic such that only complete MMS messages are +presented to the user. No manual configuration other than enabling +the MMS service inspector is necessary to leverage this +functionality. + +5.13.3. Quick Guide + +A typical MMS configuration looks like this: + +wizard = { curses = {'mms'}, } +mms = { } + +binder = +{ + { when = { service = 'mms' }, use = { type = 'mms' } }, + { use = { type = 'wizard' } } +} + +In this example, the mms inspector is defined based on patterns known +to be consistent with MMS messages. + +5.13.4. Rule Options + +New rule options are supported by enabling the MMS inspector: + + * mms_data + * mms_func + +5.13.4.1. 
mms_data + +mms_data moves the cursor to the start of the MMS message, bypassing +all of the OSI encapsulation layers and allowing subsequent rule +options to start processing from the MMS PDU field. + +This option takes no arguments. + +In the following example, the rule is using the mms_data rule option +to set the cursor position to the beginning of the MMS PDU, and then +checking the byte at that position for the value indicative of an +Initiate-Request message. + +alert tcp ( \ + msg: "PROTOCOL-SCADA MMS Initiate-Request"; \ + flow: to_server, established; \ + mms_data; \ + content:"|A8|", depth 1; \ + sid:1000000; \ +) + +5.13.4.2. mms_func + +mms_func takes the supplied function name or number and compares it +with the Confirmed Service Request/Response in the message being +analyzed. + +This option takes one argument. + +In the following example the rule is using the mms_func rule option +with a string argument containing the Confirmed Service Request +service name on which to alert. This is combined with a content match +for a Confirmed Service Request message (0xA0) to allow for use of +the fast pattern matcher. + +alert tcp ( \ + msg: "PROTOCOL-SCADA MMS svc get_name_list"; \ + flow: to_server, established; \ + content:"|A0|"; \ + mms_func: get_name_list; \ + sid:1000000; \ +) + +The following example also uses the mms_func rule option to alert on +a GetNameList message, but this time an integer argument containing +the function number is used. + +alert tcp ( \ + msg: "PROTOCOL-SCADA MMS svc get_name_list"; \ + flow: to_server, established; \ + content:"|A0|"; \ + mms_func:1; \ + sid:1000001; \ +) + + +5.14. Performance Monitor -------------- 
@@ -4899,14 +5018,14 @@ down by too many flows? perf_monitor! Why are certain TCP segments being dropped without hitting a rule? perf_monitor! Why is a sensor leaking water? Not perf_monitor, check with stream… -5.13.1. Overview +5.14.1. Overview The Snort performance monitor is the built-in utility for monitoring system and traffic statistics. All statistics are separated by processing thread. perf_monitor supports several trackers for monitoring such data: -5.13.2. Base Tracker +5.14.2. Base Tracker The base tracker is used to gather running statistics about Snort and its running modules. All Snort modules gather, at the very least, @@ -4963,7 +5082,7 @@ perf_monitor = Note: Event stats from prior Snorts are now located within base statistics. -5.13.3. Flow Tracker +5.14.3. Flow Tracker Flow tracks statistics regarding traffic and L3/L4 protocol distributions. This data can be used to build a profile of traffic @@ -4973,7 +5092,7 @@ To enable: perf_monitor = { flow = true } -5.13.4. FlowIP Tracker +5.14.4. FlowIP Tracker FlowIP provides statistics for individual hosts within a network. This data can be used for identifying communication habits, such as @@ -4985,7 +5104,7 @@ To enable: perf_monitor = { flow_ip = true } -5.13.5. CPU Tracker +5.14.5. CPU Tracker This tracker monitors the CPU and wall time spent by a given processing thread. @@ -4994,7 +5113,7 @@ To enable: perf_monitor = { cpu = true } -5.13.6. Formatters +5.14.6. Formatters Performance monitor allows statistics to be output in a few formats. Along with human readable text (as seen at shutdown) and csv formats, 
@@ -5008,14 +5127,14 @@ used by Performance monitor, see the developer notes for Performance monitor or the code provided for fbstreamer. -5.14. POP and IMAP +5.15. POP and IMAP -------------- POP inspector is a service inspector for POP3 protocol and IMAP inspector is for IMAP4 protocol. -5.14.1. Overview +5.15.1. Overview POP and IMAP inspectors examine data traffic and find POP and IMAP commands and responses. The inspectors also identify the command, @@ -5023,7 +5142,7 @@ header, body sections and extract the MIME attachments and decode it appropriately. The pop and imap also identify and whitelist the pop and imap traffic. -5.14.2. Configuration +5.15.2. Configuration POP inspector and IMAP inspector offer same set of configuration options for MIME decoding depth. These depths range from 0 to 65535 @@ -5034,27 +5153,27 @@ be decoded. If you do not specify the default value is -1 The depth limits apply per attachment. They are: -5.14.2.1. b64_decode_depth +5.15.2.1. b64_decode_depth Set the base64 decoding depth used to decode the base64-encoded MIME attachments. -5.14.2.2. qp_decode_depth +5.15.2.2. qp_decode_depth Set the Quoted-Printable (QP) decoding depth used to decode QP-encoded MIME attachments. -5.14.2.3. bitenc_decode_depth +5.15.2.3. bitenc_decode_depth Set the non-encoded MIME extraction depth used for non-encoded MIME attachments. -5.14.2.4. uu_decode_depth +5.15.2.4. uu_decode_depth Set the Unix-to-Unix (UU) decoding depth used to decode UU-encoded attachments. -5.14.2.5. Examples +5.15.2.5. Examples stream = { } @@ -5088,13 +5207,13 @@ pop = } -5.15. Port Scan +5.16. Port Scan -------------- A module to detect port scanning -5.15.1. Overview +5.16.1. Overview This module is designed to detect the first phase in a network attack: Reconnaissance. In the Reconnaissance phase, an attacker 
@@ -5194,7 +5313,7 @@ however, Portscan will only track open ports after the alert has been triggered. Open port events are not individual alerts, but tags based off the original scan alert. -5.15.2. Scan levels +5.16.2. Scan levels There are 3 default scan levels that can be set. @@ -5248,7 +5367,7 @@ setting will catch some slow scans because of the continuous monitoring, but is very sensitive to active hosts. This most definitely will require the user to tune Portscan. -5.15.3. Tuning Portscan +5.16.3. Tuning Portscan The most important aspect in detecting portscans is tuning the detection engine for your network(s). Here are some tuning tips: @@ -5325,7 +5444,7 @@ require the least tuning. The low sensitivity level does not catch filtered scans, since these are more prone to false positives. -5.16. Sensitive Data Filtering +5.17. Sensitive Data Filtering -------------- @@ -5335,21 +5454,21 @@ credit card numbers, U.S. Social Security numbers, and email addresses. A rich regular expression syntax is available for defining your own PII. -5.16.1. Hyperscan +5.17.1. Hyperscan The sd_pattern rule option is powered by the open source Hyperscan library from Intel. It provides a regex grammar which is mostly PCRE compatible. To learn more about Hyperscan see https://intel.github.io /hyperscan/dev-reference/ -5.16.2. Syntax +5.17.2. Syntax Snort provides sd_pattern as IPS rule option with no additional inspector overhead. The Rule option takes the following syntax. sd_pattern: ""[, threshold ]; -5.16.2.1. Pattern +5.17.2.1. Pattern Pattern is the most important and is the only required parameter to sd_pattern. It supports 3 built in patterns which are configured by 
@@ -5387,7 +5506,7 @@ but would not match 1@ourdomain.com ab12@ourdomain.com or Note: This is just an example, this pattern is not suitable to detect many correctly formatted emails. -5.16.2.2. Threshold +5.17.2.2. Threshold Threshold is an optional parameter allowing you to change built in default value (default value is 1). The following two instances are @@ -5405,7 +5524,7 @@ This example requires 300 matches of the pattern "This is a string literal" to qualify as a positive match. That is, if the string only occurred 299 times in a packet, you will not see an event. -5.16.2.3. Obfuscating Credit Cards and Social Security Numbers +5.17.2.3. Obfuscating Credit Cards and Social Security Numbers Snort provides discreet logging for the built in patterns "credit_card", "us_social" and "us_social_nodashes". Enabling @@ -5418,7 +5537,7 @@ output = obfuscate_pii = true } -5.16.3. Example +5.17.3. Example A complete Snort IPS rule @@ -5434,7 +5553,7 @@ Logged output when running Snort in "cmg" alert format. 58 58 58 58 58 58 58 58 58 58 58 58 39 32 39 34 XXXXXXXXXXXX9294 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -5.16.4. Caveats +5.17.4. Caveats 1. Snort currently requires setting the fast pattern engine to use "hyperscan" in order for sd_pattern ips option to function @@ -5451,13 +5570,13 @@ Logged output when running Snort in "cmg" alert format. (This is a known bug). -5.17. SMTP +5.18. SMTP -------------- SMTP inspector is a service inspector for SMTP protocol. -5.17.1. Overview +5.18.1. Overview The SMTP inspector examines SMTP connections looking for commands and responses. It also identifies the command, header and body sections, 
@@ -5467,7 +5586,7 @@ identifies and whitelists the SMTP traffic. SMTP inspector logs the filename, email addresses, attachment names when configured. -5.17.2. Configuration +5.18.2. Configuration SMTP command lines can be normalized to remove extraneous spaces. TLS-encrypted traffic can be ignored, which improves performance. In @@ -5476,7 +5595,7 @@ performance boost. The configuration options are described below: -5.17.2.1. normalize and normalize_cmds +5.18.2.1. normalize and normalize_cmds Normalization checks for more than one space character after a command. Space characters are defined as space (ASCII 0x20) or tab @@ -5487,34 +5606,34 @@ example: smtp = { normalize = 'cmds', normalize_cmds = 'RCPT VRFY EXPN' } -5.17.2.2. ignore_data +5.18.2.2. ignore_data Set it to true to ignore data section of mail (except for mail headers) when processing rules. -5.17.2.3. ignore_tls_data +5.18.2.3. ignore_tls_data Set it to true to ignore TLS-encrypted data when processing rules. -5.17.2.4. max_command_line_len +5.18.2.4. max_command_line_len Alert if an SMTP command line is longer than this value. Absence of this option or a "0" means never alert on command line length. RFC 2821 recommends 512 as a maximum command line length. -5.17.2.5. max_header_line_len +5.18.2.5. max_header_line_len Alert if an SMTP DATA header line is longer than this value. Absence of this option or a "0" means never alert on data header line length. RFC 2821 recommends 1024 as a maximum data header line length. -5.17.2.6. max_response_line_len +5.18.2.6. max_response_line_len Alert if an SMTP response line is longer than this value. Absence of this option or a "0" means never alert on response line length. RFC 2821 recommends 512 as a maximum response line length. -5.17.2.7. alt_max_command_line_len +5.18.2.7. alt_max_command_line_len Overrides max_command_line_len for specific commands For example: 
@@ -5530,11 +5649,11 @@ alt_max_command_line_len = }, } -5.17.2.8. invalid_cmds +5.18.2.8. invalid_cmds Alert if this command is sent from client side. -5.17.2.9. valid_cmds +5.18.2.9. valid_cmds List of valid commands. We do not alert on commands in this list. @@ -5544,36 +5663,36 @@ HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SIZE STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR ]] -5.17.2.10. data_cmds +5.18.2.10. data_cmds List of commands that initiate sending of data with an end of data delimiter the same as that of the DATA command per RFC 5321 - " .". -5.17.2.11. binary_data_cmds +5.18.2.11. binary_data_cmds List of commands that initiate sending of data and use a length value after the command to indicate the amount of data to be sent, similar to that of the BDAT command per RFC 3030. -5.17.2.12. auth_cmds +5.18.2.12. auth_cmds List of commands that initiate an authentication exchange between client and server. -5.17.2.13. xlink2state +5.18.2.13. xlink2state Enable/disable xlink2state alert, options are {disable | alert | drop}. See CVE-2005-0560 for a description of the vulnerability. -5.17.2.14. MIME processing depth parameters +5.18.2.14. MIME processing depth parameters These four MIME processing depth parameters are identical to their POP and IMAP counterparts. See that section for further details. b64_decode_depth qp_decode_depth bitenc_decode_depth uu_decode_depth -5.17.2.15. Log Options +5.18.2.15. Log Options Following log options allow SMTP inspector to log email addresses and filenames. Please note, this is logged only with the unified2 output @@ -5616,7 +5735,7 @@ This option specifies the depth for logging email headers. The allowed range for this option is 0 - 20480. A value of 0 will disable email headers logging. The default value for this option is 1464. -5.17.3. Example +5.18.3. Example smtp = { 
@@ -5669,7 +5788,7 @@ smtp = } -5.18. Telnet +5.19. Telnet -------------- @@ -5679,7 +5798,7 @@ command sequences per RFC 854. It will also determine when a telnet connection is encrypted, per the use of the telnet encryption option per RFC 2946. -5.18.1. Configuring the inspector to block exploits and attacks +5.19.1. Configuring the inspector to block exploits and attacks ayt_attack_thresh number @@ -5688,7 +5807,7 @@ the threshold number specified. This addresses a few specific vulnerabilities relating to bsd-based implementations of telnet. -5.19. Trace +5.20. Trace -------------- @@ -5701,7 +5820,7 @@ enable debug tracing, Snort must be configured at build time with wizard and snort.inspector_manager) are providing non-debug trace messages in normal production builds. -5.19.1. Trace module +5.20.1. Trace module The trace module is responsible for configuring traces and supports the following parameters: @@ -5741,7 +5860,7 @@ The trace module supports config reloading. Also, it’s possible to set or clear modules traces and packet filter constraints via the control channel command. -5.19.2. Trace module - configuring traces +5.20.2. Trace module - configuring traces The trace module has the modules option - a table with trace configuration for specific modules. The following lines placed in @@ -5823,7 +5942,7 @@ trace = } } -5.19.3. Trace module - configuring packet filter constraints for +5.20.3. Trace module - configuring packet filter constraints for packet related trace messages There is a capability to filter traces by the packet constraints. The @@ -5878,7 +5997,7 @@ trace = } } -5.19.4. Trace module - configuring trace output method +5.20.4. Trace module - configuring trace output method There is a capability to configure the output method for trace messages. The trace module has the output option with two acceptable 
@@ -5907,7 +6026,7 @@ trace = As a result, each trace message will be printed into syslog (the Snort run-mode will be ignored). -5.19.5. Configuring traces via control channel command +5.20.5. Configuring traces via control channel command There is a capability to configure module trace options and packet constraints via the control channel command by using a Snort shell. @@ -5942,7 +6061,7 @@ trace.set({modules = {...}}) - set only module trace options keeping old filteri trace.set({}) - disable traces and constraints (set to empty) -5.19.6. Trace messages format +5.20.6. Trace messages format Each tracing message has a standard format: @@ -5991,7 +6110,7 @@ m – minutes s – seconds S – milliseconds -5.19.7. Example - Debugging rules using detection trace +5.20.7. Example - Debugging rules using detection trace The detection engine is responsible for rule evaluation. Turning on the trace for it can help with debugging new rules. @@ -6119,7 +6238,7 @@ detection:rule_eval:1: Matched rule gid:sid:rev 1:3:0 detection:rule_vars:1: Rule options variables: var[0]=1 var[1]=10 var[2]=0 04/22-20:21:40.905630, 1, TCP, raw, 56, C2S, 127.0.0.1:1234, 127.0.0.1:5678, 1:3:0, allow -5.19.8. Example - Protocols decoding trace +5.20.8. Example - Protocols decoding trace Turning on decode trace will print out information about the packets decoded protocols. Can be useful in case of tunneling. @@ -6143,7 +6262,7 @@ decode:all:1: Codec ipv6 (protocol_id: 1) ip header starts at: 0x7f70800110f0, l decode:all:1: Codec icmp4 (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 8 decode:all:1: Codec unknown (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 0 -5.19.9. Example - Track the time packet spends in each inspector +5.20.9. Example - Track the time packet spends in each inspector There is a capability to track which inspectors evaluate a packet, and how much time the inspector consumes doing so. These trace 
@@ -6184,7 +6303,7 @@ snort:inspector_manager:1: post detection inspection, raw, packet 1, context 1 snort:inspector_manager:1: end inspection, raw, packet 1, context 1, total time: 0 usec snort:main:1: [0] Destroying completed command RUN -5.19.10. Example - trace filtering by packet constraints: +5.20.10. Example - trace filtering by packet constraints: In snort.lua, the following lines were added: @@ -6246,7 +6365,7 @@ detection:rule_eval:1: packet 4 UNK 10.1.1.2:200 10.2.1.1:100 (non-fast-patterns The trace messages for two last packets (numbers 5 and 6) weren’t printed. -5.19.11. Example - configuring traces via trace.set() command +5.20.11. Example - configuring traces via trace.set() command In snort.lua, the following lines were added: @@ -6329,7 +6448,7 @@ The new configuration was applied. decode:all:1 messages aren’t filtered because they don’t include a packet (a packet isn’t well-formed at the point when the message is printing). -5.19.12. Other available traces +5.20.12. Other available traces There are more trace options supported by detection: @@ -6356,7 +6475,7 @@ developer. Some are for corner cases, others for complex data structures. -5.20. Wizard +5.21. Wizard -------------- @@ -6369,7 +6488,7 @@ the session can be handed off to the appropriate inspector. The wizard is still under development; if you find you need to tweak the defaults please let us know. -5.20.1. Wizard patterns +5.21.1. Wizard patterns Wizard supports 3 kinds of patterns: @@ -6395,7 +6514,7 @@ looks at the first arriving packet from the meta-flow. If no pattern matches that packet or wizard’s max_search_depth is reached, the meta-flow is abandoned by wizard. -5.20.2. Wizard patterns - Spells +5.21.2. Wizard patterns - Spells Spell is a text based pattern. The best area of usage - text protocols: http, smtp, sip, etc. Spells are: 
@@ -6433,7 +6552,7 @@ contain following options: to_client = { '220*SMTP', '220*MAIL' } } -5.20.3. Wizard patterns - Hexes +5.21.3. Wizard patterns - Hexes Hexes can be used to match binary protocols: dnp3, http2, ssl, etc. Hexes use hexadecimal representation of the data for pattern @@ -6458,7 +6577,7 @@ Example of a hex definition in Lua: to_client = { '|05 64|' } } -5.20.4. Wizard patterns - Curses +5.21.4. Wizard patterns - Curses Curses are internal algorithms of service identification. They are implemented as state machines in C++ code and can have their own @@ -6470,7 +6589,7 @@ A list of available services can be obtained using snort A configuration which enables some curses: curses = {'dce_udp', 'dce_tcp', 'dce_smb', 'sslv2'} -5.20.5. Additional Details: +5.21.5. Additional Details: * Note that usually more specific patterns have higher precedence.
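Review bot: The hunks at @@ -1029,7 +1028,6 @@, @@ -1046,7 +1044,6 @@, @@ -1068,12 +1065,10 @@, @@ -1087,8 +1082,6 @@ and @@ -1166,7 +1159,6 @@ drop seven entries from the "deleted ->" option list ('disable_replace', 'enable_mpls_multicast', 'stateful', 'search-optimize is always true', 'fast_blocking', 'normalize_random_nulls_in_text', 'use_static_footprint_sizes') without any corresponding addition elsewhere in this diff. If these options are now converted or renamed by snort2lua rather than deleted, please confirm that the matching entries exist in the relevant list; if they were removed by mistake during regeneration, they should be restored, since users rely on this list to see which Snort 2 options have no Snort 3 equivalent.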
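Review bot: The new binder paragraph in @@ -2236,6 +2237,11 @@ reads awkwardly ("via file *.lua or option --lua", "a default binder will be instantiated in which bindings will be created for all service inspectors configured"). Suggest tightening to: "If binder is not explicitly configured (in a *.lua file or via the --lua option), a default binder is instantiated with bindings for all configured service inspectors. Some bindings may require a configured wizard to detect the service type." The wording should be corrected in the documentation source so it survives the next regeneration.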
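Review bot: In the MMS Inspector hunk (@@ -4890,7 +4896,120 @@) the mms_data example and the first mms_func example both use "sid:1000000;" while the second mms_func example uses "sid:1000001;"; loading the three rules together as written would produce a duplicate sid, so the first mms_func example should use a distinct sid (for instance 1000001 and 1000002 for the two mms_func rules). Two smaller points in the same hunk: the mms_func examples use "content:\"|A0|\";" with no depth or offset, so the 0xA0 byte may match anywhere in the payload, whereas the Initiate-Request example anchors with "mms_data; content:\"|A8|\", depth 1;"; if mms_func does not depend on cursor position, anchoring the mms_func examples the same way would make the fast-pattern match meaningful. Also, 5.13.2 states that "No manual configuration other than enabling the MMS service inspector is necessary", while the Quick Guide in 5.13.3 shows that a wizard curse and binder entries are also needed; consider qualifying the sentence to "other than enabling the inspector and binding it to the service". Finally, there are two blank lines before "5.14. Performance Monitor" where the rest of the document uses one.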
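Review bot: The section renumbering from 5.13 through 5.21 in hunks @@ -4899,14 +5018,14 @@ onwards is consistent with the updated table of contents, but the heading changed in @@ -6184,7 +6303,7 @@ keeps a trailing colon ("5.20.10. Example - trace filtering by packet constraints:") that none of its sibling headings have; since the line is being touched anyway, dropping the colon would bring it in line with "5.20.9. Example - Track the time packet spends in each inspector" and "5.20.11. Example - configuring traces via trace.set() command".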