From: Russ Combs (rucombs) Date: Wed, 18 Jan 2023 15:17:32 +0000 (+0000) Subject: Pull request #3737: build: generate and tag 3.1.52.0 X-Git-Tag: 3.1.52.0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e9b2fb4d615f9c38f31932370ff31260035bc9e3;p=thirdparty%2Fsnort3.git Pull request #3737: build: generate and tag 3.1.52.0 Merge in SNORT/snort3 from ~RUCOMBS/snort3:build_3.1.52.0 to master Squashed commit of the following: commit 5485284744482ab0ba403836875732fedf1dbfc1 Author: Russ Combs Date: Wed Jan 18 06:11:25 2023 -0500 build: generate and tag 3.1.52.0 --- diff --git a/CMakeLists.txt b/CMakeLists.txt index 846efe100..2a86e7b79 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -3,7 +3,7 @@ project (snort CXX C) set (VERSION_MAJOR 3) set (VERSION_MINOR 1) -set (VERSION_PATCH 51) +set (VERSION_PATCH 52) set (VERSION_SUBLEVEL 0) set (VERSION "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}.${VERSION_SUBLEVEL}") diff --git a/ChangeLog.md b/ChangeLog.md index 182171f64..b541205be 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -1,3 +1,18 @@ +2023-01-18: 3.1.52.0 + +dce_rpc: add errno resets during uuid parsing +dce_rpc: handling dcerpc over smbv2 +flow: update flow creation to exclude non-syn packets with no payload +framework: change range check types to int64_t to fix ILP32 bit issues +main: Fix missing include file that caused build error on some platforms. +memory: add final epoch to capture stats +memory: add regression test hooks +memory: fix init sequence; thanks to amishmm and Xiche for reporting and debugging the problem +netflow: grab the proto off of the netflow record - not the wire packet +rna: reset host_tracker type when visibility changes +stream: fix iss and irs and mid-stream sent post processing +stream: refactor tcp state machine to handle mid-stream flow and more established cases + 2023-01-11: 3.1.51.0 * appid: add support for cip service, client and payload detection 
diff --git a/doc/reference/snort_reference.text b/doc/reference/snort_reference.text index 5b962578b..3849e7091 100644 --- a/doc/reference/snort_reference.text +++ b/doc/reference/snort_reference.text @@ -8,7 +8,7 @@ Snort 3 Reference Manual The Snort Team Revision History -Revision 3.1.51.0 2023-01-11 19:39:29 EST TST +Revision 3.1.52.0 2023-01-18 06:06:29 EST TST --------------------------------------------------------------------- @@ -16,7 +16,6 @@ Table of Contents 1. Help 2. Basic Modules - 2.1. active 2.2. alerts 2.3. attribute_table @@ -50,9 +49,7 @@ Table of Contents 2.31. snort 2.32. suppress 2.33. trace - 3. Codec Modules - 3.1. arp 3.2. auth 3.3. ciscometadata @@ -80,14 +77,10 @@ Table of Contents 3.25. udp 3.26. vlan 3.27. wlan - 4. Connector Modules - 4.1. file_connector 4.2. tcp_connector - 5. Inspector Modules - 5.1. appid 5.2. appid_listener 5.3. arp_spoof @@ -143,14 +136,10 @@ Table of Contents 5.53. stream_user 5.54. telnet 5.55. wizard - 6. IPS Action Modules - 6.1. react 6.2. reject - 7. IPS Option Modules - 7.1. ack 7.2. appids 7.3. asn1 @@ -282,11 +271,9 @@ Table of Contents 7.129. vba_data 7.130. window 7.131. wscale - 8. Search Engine Modules 9. SO Rule Modules 10. Logger Modules - 10.1. alert_csv 10.2. alert_ex 10.3. alert_fast @@ -299,9 +286,7 @@ Table of Contents 10.10. log_hext 10.11. log_pcap 10.12. unified2 - 11. Appendix - 11.1. Build Options 11.2. Environment Variables 11.3. Command Line Options @@ -1073,8 +1058,8 @@ Configuration: * int memory.cap = 0: set the process cap on memory in bytes (0 to disable) { 0:maxSZ } - * int memory.interval = 50: approximate ms between memory epochs { - 1:max32 } + * int memory.interval = 50: approximate ms between memory epochs (0 + to disable) { 0:max32 } * int memory.prune_target = 1048576: bytes to prune per packet thread prune cycle { 1:max32 } * int memory.threshold = 100: scale cap to account for heap 
@@ -2691,8 +2676,6 @@ Configuration: * enum binder[].use.action = inspect: what to do with matching traffic { reset | block | allow | inspect } * string binder[].use.file: use configuration in given file - * string binder[].use.network_policy: use network policy from given - file * string binder[].use.inspection_policy: use inspection policy from given file * string binder[].use.ips_policy: use ips policy from given file @@ -9072,8 +9055,6 @@ libraries see the Getting Started section of the manual. given file * string binder[].use.ips_policy: use ips policy from given file * string binder[].use.name: symbol name (defaults to type) - * string binder[].use.network_policy: use network policy from given - file * string binder[].use.service: override automatic service identification * string binder[].use.type: select module for binding @@ -9923,8 +9904,8 @@ libraries see the Getting Started section of the manual. of buffer * int memory.cap = 0: set the process cap on memory in bytes (0 to disable) { 0:maxSZ } - * int memory.interval = 50: approximate ms between memory epochs { - 1:max32 } + * int memory.interval = 50: approximate ms between memory epochs (0 + to disable) { 0:max32 } * int memory.prune_target = 1048576: bytes to prune per packet thread prune cycle { 1:max32 } * int memory.threshold = 100: scale cap to account for heap @@ -12814,12 +12795,12 @@ session. The TCP packet is invalid because it doesn’t have a SYN, ACK, or RST flag set. -116:424 (eth) truncated ethernet header +116:424 (pbb) truncated ethernet header The packet length is less than the minimum ethernet header size (14 bytes) -116:424 (eth) truncated ethernet header +116:424 (pbb) truncated ethernet header A truncated ethernet header was detected. diff --git a/doc/upgrade/snort_upgrade.text b/doc/upgrade/snort_upgrade.text index 709f6e1e0..3ef73c406 100644 --- a/doc/upgrade/snort_upgrade.text +++ b/doc/upgrade/snort_upgrade.text 
@@ -8,22 +8,19 @@ Snort 3 Upgrade Manual The Snort Team Revision History -Revision 3.1.51.0 2023-01-11 19:40:33 EST TST +Revision 3.1.52.0 2023-01-18 06:06:50 EST TST --------------------------------------------------------------------- Table of Contents 1. Overview - 1.1. Efficacy 1.2. Performance 1.3. Scalability 1.4. Usability 1.5. Extensibility - 2. Snort 3 vs Snort 2 - 2.1. Features New to Snort 3 2.2. Features Improved over Snort 2 2.3. Build Options @@ -33,13 +30,10 @@ Table of Contents 2.7. Output 2.8. Sensitive Data 2.9. Features Not Yet Supported by Snort 3 - 3. Snort2Lua - 3.1. Snort2Lua Command Line 3.2. Known Problems 3.3. Usage - 4. Configuration Changes @@ -826,7 +820,6 @@ change -> config 'checksum_mode' ==> 'network.checksum_eval' change -> config 'daq_dir' ==> 'daq.module_dirs' change -> config 'detection_filter' ==> 'alerts.detection_filter_memcap' change -> config 'enable_deep_teredo_inspection' ==> 'udp.deep_teredo_inspection' -change -> config 'enable_mpls_overlapping_ip' ==> 'packets.mpls_agnostic' change -> config 'event_filter' ==> 'alerts.event_filter_memcap' change -> config 'max_attribute_hosts' ==> 'attribute_table.max_hosts' change -> config 'max_attribute_services_per_host' ==> 'attribute_table.max_services_per_host' 
@@ -866,17 +859,17 @@ change -> daq: 'config daq:' ==> 'name' change -> daq_mode: 'config daq_mode:' ==> 'mode' change -> daq_var: 'config daq_var:' ==> 'variables' change -> detection: 'ac' ==> 'ac_full' -change -> detection: 'ac-banded' ==> 'ac_full' +change -> detection: 'ac-banded' ==> 'ac_banded' change -> detection: 'ac-bnfa' ==> 'ac_bnfa' change -> detection: 'ac-bnfa-nq' ==> 'ac_bnfa' change -> detection: 'ac-bnfa-q' ==> 'ac_bnfa' change -> detection: 'ac-nq' ==> 'ac_full' change -> detection: 'ac-q' ==> 'ac_full' -change -> detection: 'ac-sparsebands' ==> 'ac_full' +change -> detection: 'ac-sparsebands' ==> 'ac_sparse_bands' change -> detection: 'ac-split' ==> 'ac_full' change -> detection: 'ac-split' ==> 'split_any_any' -change -> detection: 'ac-std' ==> 'ac_full' -change -> detection: 'acs' ==> 'ac_full' +change -> detection: 'ac-std' ==> 'ac_std' +change -> detection: 'acs' ==> 'ac_sparse' change -> detection: 'bleedover-port-limit' ==> 'bleedover_port_limit' change -> detection: 'debug-print-fast-pattern' ==> 'show_fast_patterns' change -> detection: 'intel-cpm' ==> 'hyperscan' @@ -885,6 +878,7 @@ change -> detection: 'lowmem-q' ==> 'lowmem' change -> detection: 'max-pattern-len' ==> 'max_pattern_len' change -> detection: 'no_stream_inserts' ==> 'detect_raw_tcp' change -> detection: 'search-method' ==> 'search_method' +change -> detection: 'search-optimize' ==> 'search_optimize' change -> detection: 'split-any-any' ==> 'split_any_any = true by default' change -> detection: 'split-any-any' ==> 'split_any_any' change -> dnp3: 'ports' ==> 'bindings' @@ -962,7 +956,6 @@ change -> rate_filter: 'sig_id' ==> 'sid' change -> reputation: 'shared_mem' ==> 'list_dir' change -> sfportscan: 'proto' ==> 'protos' change -> sfportscan: 'scan_type' ==> 'scan_types' -change -> sip: 'max_requestName_len' ==> 'max_request_name_len' change -> sip: 'ports' ==> 'bindings' change -> smtp: 'ports' ==> 'bindings' change -> ssh: 'server_ports' ==> 'bindings' 
@@ -1028,7 +1021,6 @@ deleted -> config 'disable_decode_drops' deleted -> config 'disable_inline_init_failopen' deleted -> config 'disable_ipopt_alerts' deleted -> config 'disable_ipopt_drops' -deleted -> config 'disable_replace' deleted -> config 'disable_tcpopt_alerts' deleted -> config 'disable_tcpopt_drops' deleted -> config 'disable_tcpopt_experimental_alerts' @@ -1045,7 +1037,6 @@ deleted -> config 'enable_decode_oversized_alerts' deleted -> config 'enable_decode_oversized_drops' deleted -> config 'enable_gtp' deleted -> config 'enable_ipopt_drops' -deleted -> config 'enable_mpls_multicast' deleted -> config 'enable_tcpopt_drops' deleted -> config 'enable_tcpopt_experimental_drops' deleted -> config 'enable_tcpopt_obsolete_drops' @@ -1067,12 +1058,10 @@ deleted -> config 'sfalert_unified2' deleted -> config 'sflog_unified2' deleted -> config 'sidechannel' deleted -> config 'so_rule_memcap' -deleted -> config 'stateful' deleted -> csv: ' can no longer be specific' deleted -> csv: 'default' deleted -> csv: 'trheader' deleted -> detection: 'mwm' -deleted -> detection: 'search-optimize is always true' deleted -> dnp3: 'disabled' deleted -> dnp3: 'memcap' deleted -> dns: 'enable_experimental_types' @@ -1086,8 +1075,6 @@ deleted -> ftp_telnet_protocol: 'detect_anomalies' deleted -> full: ' can no longer be specific' deleted -> http_inspect: 'detect_anomalous_servers' deleted -> http_inspect: 'disabled' -deleted -> http_inspect: 'fast_blocking' -deleted -> http_inspect: 'normalize_random_nulls_in_text' deleted -> http_inspect: 'proxy_alert' deleted -> http_inspect_server: 'allow_proxy_use' deleted -> http_inspect_server: 'enable_cookie' 
@@ -1165,7 +1152,6 @@ deleted -> stream5_tcp: 'ignore_any_rules' deleted -> stream5_tcp: 'log_asymmetric_traffic' deleted -> stream5_tcp: 'policy noack' deleted -> stream5_tcp: 'policy unknown' -deleted -> stream5_tcp: 'use_static_footprint_sizes' deleted -> stream5_udp: 'ignore_any_rules' deleted -> tcpdump: ' can no longer be specific' deleted -> test: 'file' diff --git a/doc/user/snort_user.text b/doc/user/snort_user.text index 1af4ddb62..65c5b476c 100644 --- a/doc/user/snort_user.text +++ b/doc/user/snort_user.text @@ -8,20 +8,17 @@ Snort 3 User Manual The Snort Team Revision History -Revision 3.1.51.0 2023-01-11 19:39:50 EST TST +Revision 3.1.52.0 2023-01-18 06:05:36 EST TST --------------------------------------------------------------------- Table of Contents 1. Overview - 1.1. First Steps 1.2. Configuration 1.3. Output - 2. Concepts - 2.1. Terminology 2.2. Modules 2.3. Parameters @@ -29,9 +26,7 @@ Table of Contents 2.5. Operation 2.6. Rules 2.7. Pattern Matching - 3. Tutorial - 3.1. Dependencies 3.2. Building 3.3. Running @@ -39,9 +34,7 @@ Table of Contents 3.5. Common Errors 3.6. Gotchas 3.7. Known Issues - 4. Usage - 4.1. Help 4.2. Sniffing and Logging 4.3. Configuration @@ -52,9 +45,7 @@ Table of Contents 4.8. Logger Alternatives 4.9. Shell 4.10. Signals - 5. Features - 5.1. Active Response 5.2. AppId 5.3. Binder @@ -77,9 +68,7 @@ Table of Contents 5.20. Telnet 5.21. Trace 5.22. Wizard - 6. DAQ Configuration and Modules - 6.1. Building the DAQ Library and Its Bundled DAQ Modules 6.2. Configuration 6.3. Interaction With Multiple Packet Threads
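Review bot: the thirteen new 3.1.52.0 lines in the ChangeLog.md hunk are missing the leading `* ` bullet that every line of the 3.1.51.0 block directly below them uses (compare `+dce_rpc: add errno resets during uuid parsing` with `* appid: add support for cip service, client and payload detection`); add the bullets so the release block renders as a markdown list like the earlier entries.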
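Review bot: the memory.interval hunk in snort_reference.text changes the documented range from `{ 1:max32 }` to `{ 0:max32 }` and adds `(0 to disable)`, which is a user-visible behaviour change in the memory module, yet none of the `memory:` lines added to ChangeLog.md say that an interval of 0 now disables epochs; add a changelog line for it (the identical hunk at @@ -9923,8 +9904,8 @@ is the second copy of the same parameter table and must stay in sync).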
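Review bot: the two snort_reference.text hunks that drop `binder[].use.network_policy` remove a documented binder parameter in a patch release, and neither ChangeLog.md nor snort_upgrade.text in this patch records the removal; either add a changelog or upgrade-guide note so configurations still setting it are not silently broken, or confirm that the parameter never existed in the shipped code and this is only a docs-regeneration correction.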
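Review bot: in the hunk at @@ -12814,12 +12795,12 @@ the same rule id `116:424` is listed twice with two different descriptions (`The packet length is less than the minimum ethernet header size (14 bytes)` and `A truncated ethernet header was detected.`), and this change only relabels both from `(eth)` to `(pbb)`; a duplicated GID:SID in the generated reference looks like a doc-generator artifact worth checking before tagging, and the codec relabel is not traceable to any ChangeLog entry, none of which mention pbb or eth.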
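Review bot: the snort_upgrade.text hunk at @@ -866,17 +859,17 @@ changes the snort2lua targets for `ac-banded`, `ac-sparsebands`, `ac-std` and `acs` from `ac_full` to `ac_banded`, `ac_sparse_bands`, `ac_std` and `ac_sparse`, and the following hunk adds `change -> detection: 'search-optimize' ==> 'search_optimize'` while a later hunk removes `deleted -> detection: 'search-optimize is always true'`; confirm these are valid `search_method` values in the current tree rather than output from a stale snort2lua build, because the previous text deliberately collapsed all four to `ac_full`, and add a `snort2lua:` line to ChangeLog.md if the conversion really changed.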
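Review bot: several snort2lua conversion entries disappear from snort_upgrade.text in what is labelled a build-only commit (`change -> config 'enable_mpls_overlapping_ip'`, `change -> sip: 'max_requestName_len'`, `deleted -> config 'disable_replace'`, `deleted -> config 'enable_mpls_multicast'`, `deleted -> config 'stateful'`, `deleted -> http_inspect: 'fast_blocking'`, `deleted -> http_inspect: 'normalize_random_nulls_in_text'`, `deleted -> stream5_tcp: 'use_static_footprint_sizes'`); the upgrade guide is what users consult when a Snort 2 option stops converting, so either these conversions still exist and the regenerated text is stale, or they were removed and need a changelog line rather than going in silently.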
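Review bot: the many hunks across snort_reference.text, snort_upgrade.text and snort_user.text that only delete blank lines between table-of-contents sections carry no content change and indicate that the toolchain which regenerated the .text manuals differs from the one used for 3.1.51.0; pin the doc generator version so each tag does not churn these files and bury the real documentation changes in whitespace noise.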