From: Mike Stepanek (mstepane) Date: Thu, 18 Jun 2020 13:59:31 +0000 (+0000) Subject: Merge pull request #2270 in SNORT/snort3 from ~MSTEPANE/snort3:3_0_1_build_5 to master X-Git-Tag: 3.0.1-5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=efae0b169fdc8ca1b7bca899582c95e775178056;p=thirdparty%2Fsnort3.git Merge pull request #2270 in SNORT/snort3 from ~MSTEPANE/snort3:3_0_1_build_5 to master Squashed commit of the following: commit 0e8227fbe2c3b6989e0f1834a785c48413f1f20d Author: Mike Stepanek Date: Wed Jun 17 08:24:31 2020 -0400 build: generate and tag 3.0.1 build 5 --- diff --git a/ChangeLog b/ChangeLog index 3833ab8bf..9c03a413b 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,63 @@ +2020/06/18 - 3.0.1 build 5 + +-- actions: on a reload_config() free the memory allocated for react page on previous configuration + loading +-- actions: refactor to store react page response in std::string +-- active: add a facility to prevent a DAQ whitelist verdict +-- appid: add api to check if appid needs inspection +-- appid: add braces to fix static analysis complaint +-- appid: add response message to reload_third_party +-- appid: check fqn before registering rrt +-- appid: for http2, if metadata doesn't give a match on payload, set payload id to unknown +-- appid: free memory allocated when appid is configured initially and then not configured on a + subsequent reload +-- appid: lua APIs to get IP and port tunneled through a proxy +-- appid: match http2 response to request +-- appid: remove unnecessary stuff from appid apis +-- appid: revert snort protocol id changes and fixed warnings +-- appid: set appid_tlshost_bit when we set tls_cname +-- appid: set snort protocol id on the flow and remove ssl squelch code +-- appid: update cert viz API to handle subject alt name and SNI mismatch +-- codecs: fix issues found by static analysis +-- dce_rpc: suppport for DCE/RPC future session +-- detection: do not apply global rule state to the empty policy +-- doc: update user manual for trace feature +-- file_api: making sure that file malware inspection is turned off and only file-type detection is + enabled when file_id config is defined without any parameter +-- flow: make client_initiated flag depend on the DAQ reverse flow flag +-- hash: replace the cache entry if found +-- host_cache: add new peg to module test +-- host_cache: allowing module to accept 64 bit memcap value +-- http2_inspect: fix hpack infractions +-- http2_inspect: partial inspect with less than 8 bytes of frame header in the same packet +-- http2_inspect: track memory usage for http_inspect flows in http2_inspect +-- log: fix issues found by static analysis +-- managers: add 
inspector execution and timing traces to InspectorManager +-- packet: add client and server direction methods that use the client initiator flow flag +-- parser: free memory allocated for RTN when SO rule load fails +-- parser: print loaded and shared rules for each ips policy +-- perf_monitor: fix count and interval during disable cli execution +-- port_scan: cleanup port scan memory allocations in module tterm +-- rpc_decode: remove unused config object +-- search_engines: fix potential memory leaks and an error in a printed value +-- service_inspectors: remove some redundant initializations and lookups, move some field + initializations into the constructor +-- shell: if initial load of snort configuration fails release memory allocated for modules and + plugins +-- snort2lua: deprecate react::msg option, display of rule message in react page not currently + supported +-- snort2lua: fix issues found by static analysis +-- snort_config: only perform FatalError cleanup from main thread +-- stream: add final check to free allocated memory when module tterm is called +-- stream: fixed ip family in the flow->key during StreamHAClient::consume +-- stream_tcp: fix issues for tcp simultaneous close +-- stream_tcp: unconditionally release held packets that have timed out, regardless of flushing +-- trace: add control channel command +-- trace: add support for passing in the packet pointer to loggers +-- trace: filter traces by packet constraints +-- trace: fix for trace messages in the test-mode ('-T' option) +-- trace: remove redundant include + 2020/05/20 - 3.0.1 build 4 -- appid: Do not allocate DNS session for non-DNS flows and update memory tracker for HTTP sessions diff --git a/doc/snort_manual.html b/doc/snort_manual.html index bf5efe334..6b28fd1bd 100644 --- a/doc/snort_manual.html +++ b/doc/snort_manual.html @@ -782,7 +782,7 @@ asciidoc.install(2);
 ,,_     -*> Snort++ <*-
-o"  )~   Version 3.0.1 (Build 4)
+o"  )~   Version 3.0.1 (Build 5)
  ''''    By Martin Roesch & The Snort Team
          http://snort.org/contact#team
          Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
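Review bot: in the ChangeLog hunk the dce_rpc entry has a typo: "suppport for DCE/RPC future session" should read "support for DCE/RPC future session". While touching the list, two entries switch to past tense ("appid: revert snort protocol id changes and fixed warnings", "stream: fixed ip family in the flow->key during StreamHAClient::consume") whereas every other entry is imperative; "fix" in both keeps the list consistent. The two "module tterm" entries are fine as written, since tterm is the module hook name rather than a misspelling.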
@@ -5885,208 +5885,6 @@ support for http implies http2 may be deprecated and removed.

provide full inspection of the individual HTTP/1.1 streams.

-

Module Trace

-

Snort 3 retired the different flavors of debug macros that used to be set -through environment variable SNORT_DEBUG. It was replaced by a module specific -trace. Trace is turned on by setting the module-specific trace bitmask in -snort.lua. As before, in order to enable it, snort has to be configured and -built with --enable-debug-msgs.

-
-

Debugging rules using detection trace

-

Detection engine is responsible for rule evaluation. Turning on the -trace for it can help with debugging new rules.

-

The relevant options for detection are as follow (represented as hex):

-
-
-
0x2 - follow rule evaluation
-0x4 - print evaluated buffer if it changed
-0x8 - print evaluated buffer at every step
-0x10 - print value of ips rule options vars
-0x20 - print information on fast pattern search
-
-

Buffer print is useful, but in case the buffer is very big can be too verbose. -Choose between 0x4, 0x8 or no buffer trace accordingly.

-

0x10 is useful when the rule is using ips rule options vars.

-
-
-

Example - rule evaluation traces:

-

In snort.lua, the following line was added:

-

detection = {trace = 0x20 + 0x10 + 0x2 + 0x4}

-

The pcap has a single packet with payload: -10.AAAAAAAfoobar

-

Evaluated on rules:

-
-
-
# byte_math + oper with byte extract and content
-# VAL = 1, byte_math = 0 + 10
-alert tcp ( byte_extract: 1, 0, VAL, string, dec;
-byte_math:bytes 1,offset VAL,oper +, rvalue 10, result var1, string dec;
-content:"foo", offset var1; sid:3)
-
-
-
-
#This rule should not trigger
-alert tcp (content:"AAAAA"; byte_jump:2,0,relative;
-content:"foo", within 3; sid:2)
-
-

The output:

-
-
-
detection: packet 1 C2S 127.0.0.1:1234 127.0.0.1:5678
-detection: Fast pattern search
-detection: 1 fp packet[16]
-
-
-
-
snort.raw[16]:
-- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
-31 30 00 41 41 41 41 41 41 41  66 6F 6F 62 61 72              10.AAAAAAAfoobar
-- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
-detection: Processing pattern match #1
-detection: Fast pattern packet[5] = 'AAAAA' |41 41 41 41 41 | ( )
-detection: Starting tree eval
-detection: Evaluating option content, cursor name pkt_data, cursor position 0
-
-
-
-
snort.raw[16]:
-- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
-31 30 00 41 41 41 41 41 41 41  66 6F 6F 62 61 72              10.AAAAAAAfoobar
-- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
-detection: Rule options variables:
-var[0]=0 var[1]=0 var[2]=0
-detection: Evaluating option byte_jump, cursor name pkt_data, cursor position 8
-
-
-
-
snort.raw[8]:
-- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
-41 41 66 6F 6F 62 61 72                                       AAfoobar
-- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
-detection: no match
-detection: Rule options variables:
-var[0]=0 var[1]=0 var[2]=0
-detection: Evaluating option byte_jump, cursor name pkt_data, cursor position 9
-
-
-
-
snort.raw[7]:
-- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
-41 66 6F 6F 62 61 72                                          Afoobar
-- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
-detection: no match
-detection: Rule options variables:
-var[0]=0 var[1]=0 var[2]=0
-detection: Evaluating option byte_jump, cursor name pkt_data, cursor position 10
-
-
-
-
snort.raw[6]:
-- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
-66 6F 6F 62 61 72                                             foobar
-- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
-detection: no match
-detection: no match
-detection: Processing pattern match #2
-detection: Fast pattern packet[3] = 'foo' |66 6F 6F | ( )
-detection: Starting tree eval
-detection: Evaluating option byte_extract, cursor name pkt_data, cursor position 0
-
-
-
-
snort.raw[16]:
-- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
-31 30 00 41 41 41 41 41 41 41  66 6F 6F 62 61 72              10.AAAAAAAfoobar
-- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
-detection: Rule options variables:
-var[0]=1 var[1]=0 var[2]=0
-detection: Evaluating option byte_math, cursor name pkt_data, cursor position 1
-
-
-
-
snort.raw[15]:
-- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
-30 00 41 41 41 41 41 41 41 66  6F 6F 62 61 72                 0.AAAAAAAfoobar
-- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
-detection: Rule options variables:
-var[0]=1 var[1]=10 var[2]=0
-detection: Evaluating option content, cursor name pkt_data, cursor position 2
-
-
-
-
snort.raw[14]:
-- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
-00 41 41 41 41 41 41 41 66 6F  6F 62 61 72                    .AAAAAAAfoobar
-- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
-detection: Rule options variables:
-var[0]=1 var[1]=10 var[2]=0
-detection: Reached leaf, cursor name pkt_data, cursor position 13
-
-
-
-
snort.raw[3]:
-- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
-62 61 72                                                      bar
-- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
-detection: Matched rule gid:sid:rev 1:3:0
-detection: Rule options variables:
-var[0]=1 var[1]=10 var[2]=0
-04/22-20:21:40.905630, 1, TCP, raw, 56, C2S, 127.0.0.1:1234, 127.0.0.1:5678, 1:3:0, allow
-
-
-
-

Protocols decoding trace

-

Turning on decode trace will print out information about the packets decoded -protocols. Can be useful in case of tunneling.

-

Example for a icmpv4-in-ipv6 packet:

-

In snort.lua, the following line was added:

-

decode = { trace = 1 }

-

The output:

-
-
-
decode: Codec eth (protocol_id: 34525) ip header starts at: 0x7f70800110f0, length is 14
-decode: Codec ipv6 (protocol_id: 1) ip header starts at: 0x7f70800110f0, length is 40
-decode: Codec icmp4 (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 8
-decode: Codec unknown (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 0
-
-
-
-

Other available traces

-

There are more trace options supported by detection:

-
-
-
0x1 - prints statistics about the engine
-0x40 - prints a message when disabling content detect for packet
-0x80 - prints option tree data structure
-0x100 - prints a message when a new tag is added
-
-

Detection is the only module that support multiple options for trace.

-

The rest support only 1 option, and can be turned on by adding trace = 1 to -their lua config.

-
    -
  • -

    -stream module trace: -

    -
  • -
-

When turned on prints a message in case inspection is stopped on a flow. -Example for output:

-

stream: stop inspection on flow, dir BOTH

-
    -
  • -

    -stream_ip, stream_user: trace will output general processing messages -

    -
  • -
-

Other modules that support trace have messages as seemed fit to the developer. -Some are for corner cases, other for complex data structures prints. Current -list of additional modules supporting trace: appid, dce_smb, gtp_inspect and -dce_udp.

-
-
-

Performance Monitor
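Review bot: this hunk drops the only enumeration of trace-capable modules in the manual (the removed closing paragraph listed appid, dce_smb, gtp_inspect and dce_udp in addition to stream, stream_ip and stream_user), and the replacement chapter added later in this patch ends with "Other modules that support trace have messages as seemed fit to the developer" and no list. Either carry the list over or add a pointer to the generated trace parameter table ("Basic Modules.trace"), where every trace.modules.<name> entry appears, so a user can still discover which modules can be traced. Removing the hex bitmask documentation along with the old `detection = {trace = 0x20 + 0x10 + 0x2 + 0x4}` form is the right call if that per-module parameter is really gone, but a one-line migration hint would save existing users a round trip; comparing the removed and added option lists gives 0x2 -> rule_eval, 0x4/0x8 -> buffer (level 1 / level 5), 0x10 -> rule_vars, 0x20 -> fp_search, 0x1 -> detect_engine, 0x40 -> pkt_detect, 0x80 -> opt_tree, 0x100 -> tag.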

The new and improved performance monitor! Is your sensor being bogged down by too many flows? perf_monitor! Why are certain TCP segments being dropped without @@ -6991,6 +6789,637 @@ relating to bsd-based implementations of telnet.

+

Trace

+

Snort 3 retired the different flavors of debug macros that used to be set +through the SNORT_DEBUG environment variable. It was replaced by per-module +trace functionality. Trace is turned on by setting the specific trace module +configuration in snort.lua. As before, to enable debug tracing, Snort must be +configured at build time with --enable-debug-msgs. However, a growing number +of modules (such as wizard and snort.inspector_manager) are providing non-debug +trace messages in normal production builds.

+
+

Trace module

+

The trace module is responsible for configuring traces and supports the +following parameters:

+
+
+
output - configure the output method for trace messages
+modules - trace configuration for specific modules
+constraints - filter traces by the packet constraints
+
+

The following lines, added in snort.lua, will enable trace messages for +detection and codec modules. The messages will be printed to syslog if +the packet filtering constraints match.

+
+
+
trace =
+{
+    output = "syslog",
+    modules =
+    {
+        detection = { detect_engine = 1 },
+        decode = { all = 1 }
+    },
+    constraints =
+    {
+        ip_proto = 17,
+        dst_ip = "10.1.1.2",
+        src_port = 100,
+        dst_port = 200
+    }
+}
+
+

The trace module supports config reloading. Also, it’s possible to set or clear +modules traces and packet filter constraints via the control channel command.

+
+
+

Trace module - configuring traces

+

The trace module has the modules option - a table with trace configuration +for specific modules. The following lines placed in snort.lua will enable trace +messages for detection, codec and wizard modules:

+
+
+
trace =
+{
+    modules =
+    {
+        detection = { all = 1 },
+        decode = { all = 1 },
+        wizard = { all = 1 }
+    }
+}
+
+

The detection and snort modules are currently the only modules to support +multiple trace options. Others have only the default all option, which will +enable or disable all traces in a given module. It’s available for multi-option +modules also and works as a global switcher:

+
+
+
trace =
+{
+    modules =
+    {
+        detection = { all = 1 }  -- set each detection option to level 1
+    }
+}
+
+
+
+
trace =
+{
+    modules =
+    {
+        detection = { all = 1, tag = 2 }  -- set each detection option to level 1 but the 'tag' to level 2
+    }
+}
+
+

The full list of available trace parameters is placed into +the "Basic Modules.trace" chapter.

+

Each option must be assigned an integer value between 0 and 255 to specify +a level of verbosity for that option:

+
+
+
0 - turn off trace messages printing for the option
+1 - print most significant trace messages for the option
+255 - print all available trace messages for the option
+
+

Tracing is disabled by default (verbosity level equals 0). The verbosity level +is treated as a threshold, so specifying a higher value will result in all +messages with a lower level being printed as well. For example:

+
+
+
trace =
+{
+    modules =
+    {
+        decode = { all = 3 }  -- messages with levels 1, 2, and 3 will be printed
+    }
+}
+
+
+
+ +

There is a capability to filter traces by the packet constraints. The trace +module has the constraints option - a table with filtering configuration that +will be applied to all trace messages that include a packet. Filtering is done +on a flow that packet is related. By default filtering is disabled.

+

Available constraints options:

+
+
+
ip_proto - numerical IP protocol ID
+src_ip - match all packets with a flow that has this client IP address (passed as a string)
+src_port - match all packets with a flow that has this source port
+dst_ip - match all packets with a flow that has this server IP address (passed as a string)
+dst_port - match all packets with a flow that has this destination port
+
+

The following lines placed in snort.lua will enable all trace messages for +detection filtered by ip_proto, dst_ip, src_port and dst_port:

+
+
+
trace =
+{
+    modules =
+    {
+        detection = { all = 1 }
+    },
+    constraints =
+    {
+        ip_proto = 6, -- tcp
+        dst_ip = "10.1.1.10",
+        src_port = 150,
+        dst_port = 250
+    }
+}
+
+
+
+

Trace module - configuring trace output method

+

There is a capability to configure the output method for trace messages. +The trace module has the output option with two acceptable values:

+
+
+
"stdout" - printing to stdout
+"syslog" - printing to syslog
+
+

By default, the output method will be set based on the Snort run mode. Normally +it will use stdout, but if -D (daemon mode) and/or -M (alert-syslog mode) +are set, it will instead use syslog.

+

Example - set output method as syslog:

+

In snort.lua, the following lines were added:

+
+
+
trace =
+{
+    output = "syslog",
+    modules =
+    {
+        detection = { all = 1 }
+    }
+}
+
+

As a result, each trace message will be printed into syslog +(the Snort run-mode will be ignored).

+
+
+

Configuring traces via control channel command

+

There is a capability to configure module trace options and packet constraints +via the control channel command by using a Snort shell. In order to enable +shell, Snort has to be configured and built with --enable-shell.

+

The trace control channel command is a way how to configure module trace +options and/or packet filter constraints directly during Snort run and +without reloading the entire config.

+

After entering the Snort shell, there are two commands available for +the trace module:

+
+
+
trace.set({ modules = {...}, constraints = {...} }) - set modules traces and constraints (should pass a valid Lua-entry)
+
+
+
+
trace.clear() - clear modules traces and constraints
+
+

Also, it’s possible to omit tables in the trace.set() command:

+
+
+
trace.set({constraints = {...}}) - set only filtering configuration keeping old modules traces
+
+
+
+
trace.set({modules = {...}}) - set only module trace options keeping old filtering constraints
+
+
+
+
trace.set({}) - disable traces and constraints (set to empty)
+
+
+
+

Trace messages format

+

Each tracing message has a standard format:

+
+
+
<module_name>:<option_name>:<message_log_level>: <particular_message>
+
+
+
+

Example - Debugging rules using detection trace

+

The detection engine is responsible for rule evaluation. Turning on the +trace for it can help with debugging new rules.

+

The relevant options for detection are as follow:

+
+
+
rule_eval - follow rule evaluation
+buffer - print evaluated buffer if it changed (level 1) or at every step (level 5)
+rule_vars - print value of ips rule options vars
+fp_search - print information on fast pattern search
+
+

Buffer print is useful, but in case the buffer is very big can be too verbose. +Choose between verbosity levels 1, 5, or no buffer trace accordingly.

+

rule_vars is useful when the rule is using ips rule options vars.

+

In snort.lua, the following lines were added:

+
+
+
trace =
+{
+    modules =
+    {
+        detection =
+        {
+            rule_eval = 1,
+            buffer = 1,
+            rule_vars = 1,
+            fp_search = 1
+        }
+    }
+}
+
+

The pcap has a single packet with payload:

+
+
+
10.AAAAAAAfoobar
+
+

Evaluated on rules:

+
+
+
# byte_math + oper with byte extract and content
+# VAL = 1, byte_math = 0 + 10
+alert tcp ( byte_extract: 1, 0, VAL, string, dec;
+byte_math:bytes 1,offset VAL,oper +, rvalue 10, result var1, string dec;
+content:"foo", offset var1; sid:3)
+
+
+
+
#This rule should not trigger
+alert tcp (content:"AAAAA"; byte_jump:2,0,relative;
+content:"foo", within 3; sid:2)
+
+

The output:

+
+
+
detection:rule_eval:1: packet 1 C2S 127.0.0.1:1234 127.0.0.1:5678 (fast-patterns)
+detection:rule_eval:1: Fast pattern search
+detection:fp_search:1: 1 fp packet[16]
+
+
+
+
snort.raw[16]:
+- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
+31 30 00 41 41 41 41 41 41 41  66 6F 6F 62 61 72              10.AAAAAAAfoobar
+- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
+detection:rule_eval:1: Processing pattern match #1
+detection:rule_eval:1: Fast pattern packet[5] = 'AAAAA' |41 41 41 41 41 | ( )
+detection:rule_eval:1: Starting tree eval
+detection:rule_eval:1: Evaluating option content, cursor name pkt_data, cursor position 0
+
+
+
+
snort.raw[16]:
+- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
+31 30 00 41 41 41 41 41 41 41  66 6F 6F 62 61 72              10.AAAAAAAfoobar
+- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
+detection:rule_vars:1: Rule options variables: var[0]=0 var[1]=0 var[2]=0
+detection:rule_eval:1: Evaluating option byte_jump, cursor name pkt_data, cursor position 8
+
+
+
+
snort.raw[8]:
+- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
+41 41 66 6F 6F 62 61 72                                       AAfoobar
+- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
+detection:rule_eval:1: no match
+detection:rule_vars:1: Rule options variables: var[0]=0 var[1]=0 var[2]=0
+detection:rule_eval:1: Evaluating option byte_jump, cursor name pkt_data, cursor position 9
+
+
+
+
snort.raw[7]:
+- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
+41 66 6F 6F 62 61 72                                          Afoobar
+- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
+detection:rule_eval:1: no match
+detection:rule_vars:1: Rule options variables: var[0]=0 var[1]=0 var[2]=0
+detection:rule_eval:1: Evaluating option byte_jump, cursor name pkt_data, cursor position 10
+
+
+
+
snort.raw[6]:
+- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
+66 6F 6F 62 61 72                                             foobar
+- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
+detection:rule_eval:1: no match
+detection:rule_eval:1: no match
+detection:rule_eval:1: Processing pattern match #2
+detection:rule_eval:1: Fast pattern packet[3] = 'foo' |66 6F 6F | ( )
+detection:rule_eval:1: Starting tree eval
+detection:rule_eval:1: Evaluating option byte_extract, cursor name pkt_data, cursor position 0
+
+
+
+
snort.raw[16]:
+- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
+31 30 00 41 41 41 41 41 41 41  66 6F 6F 62 61 72              10.AAAAAAAfoobar
+- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
+detection:rule_vars:1: Rule options variables: var[0]=1 var[1]=0 var[2]=0
+detection:rule_eval:1: Evaluating option byte_math, cursor name pkt_data, cursor position 1
+
+
+
+
snort.raw[15]:
+- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
+30 00 41 41 41 41 41 41 41 66  6F 6F 62 61 72                 0.AAAAAAAfoobar
+- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
+detection:rule_vars:1: Rule options variables: var[0]=1 var[1]=10 var[2]=0
+detection:rule_eval:1: Evaluating option content, cursor name pkt_data, cursor position 2
+
+
+
+
snort.raw[14]:
+- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
+00 41 41 41 41 41 41 41 66 6F  6F 62 61 72                    .AAAAAAAfoobar
+- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
+detection:rule_vars:1: Rule options variables: var[0]=1 var[1]=10 var[2]=0
+detection:rule_eval:1: Reached leaf, cursor name pkt_data, cursor position 13
+
+
+
+
snort.raw[3]:
+- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
+62 61 72                                                      bar
+- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
+detection:rule_eval:1: Matched rule gid:sid:rev 1:3:0
+detection:rule_vars:1: Rule options variables: var[0]=1 var[1]=10 var[2]=0
+04/22-20:21:40.905630, 1, TCP, raw, 56, C2S, 127.0.0.1:1234, 127.0.0.1:5678, 1:3:0, allow
+
+
+
+

Example - Protocols decoding trace

+

Turning on decode trace will print out information about the packets decoded +protocols. Can be useful in case of tunneling.

+

Example for a icmpv4-in-ipv6 packet:

+

In snort.lua, the following line was added:

+
+
+
trace =
+{
+    modules =
+    {
+        decode = { all = 1 }
+    }
+}
+
+

The output:

+
+
+
decode:all:1: Codec eth (protocol_id: 34525) ip header starts at: 0x7f70800110f0, length is 14
+decode:all:1: Codec ipv6 (protocol_id: 1) ip header starts at: 0x7f70800110f0, length is 40
+decode:all:1: Codec icmp4 (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 8
+decode:all:1: Codec unknown (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 0
+
+
+
+

Example - Track the time packet spends in each inspector

+

There is a capability to track which inspectors evaluate a packet, and how much +time the inspector consumes doing so. These trace messages could be enabled by +the Snort module trace options:

+
+
+
main - command execution traces (main trace logging)
+inspector_manager - inspectors execution and time tracking traces
+
+

Example for a single packet with payload:

+
+
+
10.AAAAAAAfoobar
+
+

In snort.lua, the following lines were added:

+
+
+
trace =
+{
+    modules =
+    {
+        snort =
+        {
+            -- could be replaced by 'all = 1'
+            main = 1,
+            inspector_manager = 1
+        }
+    }
+}
+
+

The output:

+
+
+
snort:main:1: [0] Queuing command START for execution (refcount 1)
+snort:main:1: [0] Queuing command RUN for execution (refcount 1)
+snort:main:1: [0] Destroying completed command START
+snort:inspector_manager:1: start inspection, raw, packet 1, context 1
+snort:inspector_manager:1: enter stream
+snort:inspector_manager:1: exit stream, elapsed time: 2 usec
+snort:inspector_manager:1: stop inspection, raw, packet 1, context 1, total time: 14 usec
+snort:inspector_manager:1: post detection inspection, raw, packet 1, context 1
+snort:inspector_manager:1: end inspection, raw, packet 1, context 1, total time: 0 usec
+snort:main:1: [0] Destroying completed command RUN
+
+
+
+

Example - trace filtering by packet constraints:

+

In snort.lua, the following lines were added:

+
+
+
ips =
+{
+    rules =
+    [[
+        alert tcp any any -> any any ( msg: "ALERT_TCP"; gid: 1001; sid: 1001 )
+        alert udp any any -> any any ( msg: "ALERT_UDP"; gid: 1002; sid: 1002 )
+    ]]
+}
+
+
+
+
trace =
+{
+    modules =
+    {
+        detection = { rule_eval = 1 }
+    },
+    constraints =
+    {
+        ip_proto = 17, -- udp
+        dst_ip = "10.1.1.2",
+        src_port = 100,
+        dst_port = 200
+    }
+}
+
+

The processed traffic was next:

+
+
+
d ( stack="eth:ip4:udp" )
+
+
+
+
c ( ip4:a="10.1.1.1", ip4:b="10.1.1.2", udp:a=100, udp:b=200 )
+a ( pay="pass" )
+b ( pay="pass" )
+
+
+
+
c ( ip4:a="10.2.1.1" )
+a ( pay="pass" )
+b ( pay="pass" )
+
+
+
+
c ( udp:a=101 )
+a ( pay="block" )
+b ( pay="block" )
+
+

The output:

+
+
+
detection:rule_eval:1: packet 1 UNK 10.1.1.1:100 10.1.1.2:200 (fast-patterns)
+detection:rule_eval:1: Fast pattern processing - no matches found
+detection:rule_eval:1: packet 1 UNK 10.1.1.1:100 10.1.1.2:200 (non-fast-patterns)
+detection:rule_eval:1: packet 2 UNK 10.1.1.2:200 10.1.1.1:100 (fast-patterns)
+detection:rule_eval:1: Fast pattern processing - no matches found
+detection:rule_eval:1: packet 2 UNK 10.1.1.2:200 10.1.1.1:100 (non-fast-patterns)
+detection:rule_eval:1: packet 3 UNK 10.2.1.1:100 10.1.1.2:200 (fast-patterns)
+detection:rule_eval:1: Fast pattern processing - no matches found
+detection:rule_eval:1: packet 3 UNK 10.2.1.1:100 10.1.1.2:200 (non-fast-patterns)
+detection:rule_eval:1: packet 4 UNK 10.1.1.2:200 10.2.1.1:100 (fast-patterns)
+detection:rule_eval:1: Fast pattern processing - no matches found
+detection:rule_eval:1: packet 4 UNK 10.1.1.2:200 10.2.1.1:100 (non-fast-patterns)
+
+

The trace messages for two last packets (numbers 5 and 6) weren’t printed.

+
+
+

Example - configuring traces via trace.set() command

+

In snort.lua, the following lines were added:

+
+
+
ips =
+{
+    rules =
+    [[
+        alert tcp any any -> any any ( msg: "ALERT_TCP"; gid: 1001; sid: 1001 )
+        alert udp any any -> any any ( msg: "ALERT_UDP"; gid: 1002; sid: 1002 )
+    ]]
+}
+
+
+
+
trace =
+{
+    constraints =
+    {
+        ip_proto = 17, -- udp
+        dst_ip = "10.1.1.2",
+        src_port = 100,
+        dst_port = 200
+    },
+    modules =
+    {
+        detection = { rule_eval = 1 }
+    }
+}
+
+

The processed traffic was next:

+
+
+
# Flow 1
+d ( stack="eth:ip4:udp" )
+c ( ip4:a="10.1.1.1", ip4:b="10.1.1.2", udp:a=100, udp:b=200 )
+a ( data="udp packet 1" )
+a ( data="udp packet 2" )
+
+
+
+
# Flow 2
+d ( stack="eth:ip4:tcp" )
+c ( ip4:a="10.1.1.3", ip4:b="10.1.1.4", tcp:a=5000, tcp:b=6000 )
+a ( syn )
+b ( syn, ack )
+a ( ack )
+a ( ack, data="tcp packet 1" )
+a ( ack, data="tcp packet 2" )
+a ( fin, ack )
+b ( fin, ack )
+
+

After 1 packet, entering shell and pass the trace.set() command as follows:

+
+
+
trace.set({ constraints = { ip_proto = 6, dst_ip = "10.1.1.4", src_port = 5000, dst_port = 6000 }, modules = { decode = { all = 1 }, detection = { rule_eval = 1 } } })
+
+

The output (not full, only descriptive lines):

+
+
+
detection:rule_eval:1: packet 1 UNK 10.1.1.1:100 10.1.1.2:200 (fast-patterns)
+detection:rule_eval:1: packet 1 UNK 10.1.1.1:100 10.1.1.2:200 (non-fast-patterns)
+decode:all:1: Codec udp (protocol_id: 256) ip header starts length is 8
+decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20
+detection:rule_eval:1: packet 3 UNK 10.1.1.3:5000 10.1.1.4:6000 (fast-patterns)
+detection:rule_eval:1: packet 3 UNK 10.1.1.3:5000 10.1.1.4:6000 (non-fast-patterns)
+decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20
+detection:rule_eval:1: packet 4 UNK 10.1.1.4:6000 10.1.1.3:5000 (fast-patterns)
+detection:rule_eval:1: packet 4 UNK 10.1.1.4:6000 10.1.1.3:5000 (non-fast-patterns)
+decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20
+detection:rule_eval:1: packet 5 UNK 10.1.1.3:5000 10.1.1.4:6000 (fast-patterns)
+detection:rule_eval:1: packet 5 UNK 10.1.1.3:5000 10.1.1.4:6000 (non-fast-patterns)
+decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20
+detection:rule_eval:1: packet 6 UNK 10.1.1.3:5000 10.1.1.4:6000 (fast-patterns)
+detection:rule_eval:1: packet 6 UNK 10.1.1.3:5000 10.1.1.4:6000 (non-fast-patterns)
+decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20
+detection:rule_eval:1: packet 7 UNK 10.1.1.3:5000 10.1.1.4:6000 (fast-patterns)
+detection:rule_eval:1: packet 7 UNK 10.1.1.3:5000 10.1.1.4:6000 (non-fast-patterns)
+decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20
+detection:rule_eval:1: packet 8 UNK 10.1.1.3:5000 10.1.1.4:6000 (fast-patterns)
+detection:rule_eval:1: packet 8 UNK 10.1.1.3:5000 10.1.1.4:6000 (non-fast-patterns)
+decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20
+detection:rule_eval:1: packet 9 UNK 10.1.1.4:6000 10.1.1.3:5000 (fast-patterns)
+detection:rule_eval:1: packet 9 UNK 10.1.1.4:6000 10.1.1.3:5000 (non-fast-patterns)
+
+

The new configuration was applied. decode:all:1 messages aren’t filtered +because they don’t include a packet (a packet isn’t well-formed at the point +when the message is printing).

+
+
+

Other available traces

+

There are more trace options supported by detection:

+
+
+
detect_engine - prints statistics about the engine
+pkt_detect - prints a message when disabling content detect for packet
+opt_tree - prints option tree data structure
+tag - prints a message when a new tag is added
+
+

The rest support only 1 option, and can be turned on by adding all = 1 to +their table in trace lua config.

+
    +
  • +

    +stream module trace: +

    +
  • +
+

When turned on prints a message in case inspection is stopped on a flow. +Example for output:

+
+
+
stream:all:1: stop inspection on flow, dir BOTH
+
+
    +
  • +

    +stream_ip, stream_user: trace will output general processing messages +

    +
  • +
+

Other modules that support trace have messages as seemed fit to the developer. +Some are for corner cases, others for complex data structures.

+
+
+

Wizard

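Review bot: the sentence "decode:all:1 messages aren't filtered because they don't include a packet (a packet isn't well-formed at the point when the message is printing)" is the only statement of how constraints treat packet-less messages, and it is too loose to act on; suggest stating it as a rule, for example "constraints apply only to trace messages emitted with a fully decoded packet; codec messages are emitted during decoding and are therefore never filtered", so a reader does not expect ip_proto = 6 to suppress the "Codec udp" line in the output above. Two smaller points in the same hunk: "have messages as seemed fit to the developer" should read "as the developer saw fit", and the "Other available traces" text no longer tells readers which modules support trace (the removed 5.11.4 section in snort_manual.text listed appid, dce_smb, gtp_inspect and dce_udp); pointing them at the trace.modules.* parameters added later in this change would restore that.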
Using the wizard enables port-independent configuration and the detection of malware command and control channels. If the wizard is bound to a session, it @@ -7875,7 +8304,7 @@ string host_cache.dump_file: file name to dump host cache on sh

  • -int host_cache.memcap = 8388608: maximum host cache size in bytes { 512:max32 } +int host_cache.memcap = 8388608: maximum host cache size in bytes { 512:maxSZ }

  • @@ -7919,6 +8348,11 @@ int host_cache.memcap = 8388608: maximum host cache size in byt host_cache.removes: lru cache found entry and removed it (sum)

    +
  • +

    +host_cache.replaced: lru cache found entry and replaced it (sum) +

    +
  • @@ -9598,7 +10032,7 @@ string suppress[].ip: restrict suppression to thes
    -

    trace

    +

    trace

    What: configure trace log messages

    Type: basic

    Usage: global

    @@ -9666,6 +10100,21 @@ int trace.modules.stream.all: enable all trace options { 0:255
  • +int trace.modules.snort.all: enable all trace options { 0:255 } +

    +
  • +
  • +

    +int trace.modules.snort.main: enable main trace logging { 0:255 } +

    +
  • +
  • +

    +int trace.modules.snort.inspector_manager: enable inspector manager trace logging { 0:255 } +

    +
  • +
  • +

    int trace.modules.dce_smb.all: enable all trace options { 0:255 }

  • @@ -9701,10 +10150,48 @@ int trace.modules.decode.all: enable all trace options { 0:255
  • +int trace.constraints.ip_proto: numerical IP protocol ID filter { 0:255 } +

    +
  • +
  • +

    +string trace.constraints.src_ip: source IP address filter +

    +
  • +
  • +

    +int trace.constraints.src_port: source port filter { 0:65535 } +

    +
  • +
  • +

    +string trace.constraints.dst_ip: destination IP address filter +

    +
  • +
  • +

    +int trace.constraints.dst_port: destination port filter { 0:65535 } +

    +
  • +
  • +

    enum trace.output: output method for trace log messages { stdout | syslog }

  • +

    Commands:

    +
      +
    • +

      +trace.set(modules, constraints): set modules traces and constraints +

      +
    • +
    • +

      +trace.clear(): clear modules traces and constraints +

      +
    • +
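Review bot: the new trace.constraints.src_ip and trace.constraints.dst_ip entries say only "source IP address filter" / "destination IP address filter"; the help text should state the accepted syntax (single address only, or a CIDR block; IPv4 and/or IPv6), since every worked example in this change uses a single IPv4 address and a user will otherwise guess. The trace.set(modules, constraints) command help should also say whether a call replaces or merges with the currently configured modules and constraints tables, and what happens when one of the two arguments is omitted; trace.clear() makes the clear-everything case explicit, but set() does not.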
    @@ -11095,6 +11582,12 @@ bool appid.log_all_sessions = false: enable logging of all appi
    +

    appid_listener

    +

    What: log selected published data to appid_listener.log

    +

    Type: inspector

    +

    Usage: context

    +
    +

    arp_spoof

    What: detect ARP attacks and anomalies

    Type: inspector

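Review bot: "log selected published data to appid_listener.log" leaves out the two facts an operator needs before enabling this inspector: which published data are written to the file, and where appid_listener.log is created relative to the log directory. Suggest expanding the What: line or adding the inspector's parameters under this heading, as the neighbouring inspector entries do.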
    @@ -12223,6 +12716,16 @@ enum dce_tcp.policy = WinXP: target based policy to use { Win20
  • +dce_tcp.tcp_expected_sessions: total tcp dynamic endpoint expected sessions (sum) +

    +
  • +
  • +

    +dce_tcp.tcp_expected_realized: total tcp dynamic endpoint expected realized sessions (sum) +

    +
  • +
  • +

    dce_tcp.tcp_packets: total tcp packets (sum)

  • @@ -12684,7 +13187,7 @@ bool file_id.enable_type = true: enable type ID
  • -bool file_id.enable_signature = true: enable signature calculation +bool file_id.enable_signature = false: enable signature calculation

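Review bot: changing the documented default of file_id.enable_signature from true to false is a behaviour change for every deployment that relied on the default to get file signature calculation, and nothing in this hunk marks it as such; the same default flip appears again in the alphabetical parameter list further down. Suggest a release-note line telling users to set enable_signature = true explicitly if they depend on file signatures, and a check that the file_id section text still matches the new default.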
  • @@ -12792,6 +13295,41 @@ bool file_id.trace_stream = false: enable runtime dump of file int file_id.verdict_delay = 0: number of queries to return final verdict { 0:max53 }

  • +
  • +

    +int file_id.b64_decode_depth = -1: base64 decoding depth (-1 no limit) { -1:65535 } +

    +
  • +
  • +

    +int file_id.bitenc_decode_depth = -1: Non-Encoded MIME attachment extraction depth (-1 no limit) { -1:65535 } +

    +
  • +
  • +

    +bool file_id.decompress_pdf = false: decompress pdf files in MIME attachments +

    +
  • +
  • +

    +bool file_id.decompress_swf = false: decompress swf files in MIME attachments +

    +
  • +
  • +

    +bool file_id.decompress_zip = false: decompress zip files in MIME attachments +

    +
  • +
  • +

    +int file_id.qp_decode_depth = -1: Quoted Printable decoding depth (-1 no limit) { -1:65535 } +

    +
  • +
  • +

    +int file_id.uu_decode_depth = -1: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 } +

    +
  • Rules:

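Review bot: the help strings for the new file_id decode depth parameters are inconsistently capitalised ("base64 decoding depth" next to "Non-Encoded MIME attachment extraction depth", "Quoted Printable decoding depth", "Unix-to-Unix decoding depth"), while the existing entries in this list are lower-case. More importantly, these are the same option names as the MIME depth options of the pop, imap and smtp inspectors, whose section text elsewhere in this diff documents a 0 to 65535 range with a 1460 default, whereas file_id uses { -1:65535 } with -1 meaning no limit; the file_id documentation should say which setting wins when both are configured, or whether the file_id depths apply only when no mail inspector is bound.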
      @@ -15913,6 +16451,11 @@ int rt_global.memcap = 2048: cap on amount of memory used (0 is bool rt_global.empty_ips = false: ips policy with no rules

      +
    • +

      +bool rt_global.init_drop_reason = false: populate drop reason map +

      +

    Peg counts:

      @@ -17848,6 +18391,11 @@ bool stream_tcp.track_only = false: disable reassembly if true
    • +stream_tcp.held_packet_purges: number of held packets that were purged without flushing (sum) +

      +
    • +
    • +

      stream_tcp.cur_packets_held: number of packets currently held (now)

    • @@ -18131,11 +18679,6 @@ parse.

    • -bool react.msg = false: use rule msg in response page instead of default message -

      -
    • -
    • -

      string react.page: file containing HTTP response (headers and body)

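Review bot: this hunk drops the documented react.msg option ("use rule msg in response page instead of default message") without any accompanying text, and the snort2lua conversion table later in the diff also loses its "deleted -> react: 'block'" and "deleted -> react: 'warn'" lines. If the option was removed from the react module, a ChangeLog or release-note entry is needed so existing configs that set react.msg are updated rather than failing at load; if it only moved, the new location should be documented. The same removal is repeated in the alphabetical parameter list below.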
    • @@ -26528,6 +27071,16 @@ string file_connector.name: channel name
    • +int file_id.b64_decode_depth = -1: base64 decoding depth (-1 no limit) { -1:65535 } +

      +
    • +
    • +

      +int file_id.bitenc_decode_depth = -1: Non-Encoded MIME attachment extraction depth (-1 no limit) { -1:65535 } +

      +
    • +
    • +

      int file_id.block_timeout = 86400: stop blocking after this many seconds { 0:max31 }

    • @@ -26558,12 +27111,27 @@ int file_id.capture_min_size = 0: stop file capture if file siz
    • +bool file_id.decompress_pdf = false: decompress pdf files in MIME attachments +

      +
    • +
    • +

      +bool file_id.decompress_swf = false: decompress swf files in MIME attachments +

      +
    • +
    • +

      +bool file_id.decompress_zip = false: decompress zip files in MIME attachments +

      +
    • +
    • +

      bool file_id.enable_capture = false: enable file capture

    • -bool file_id.enable_signature = true: enable signature calculation +bool file_id.enable_signature = false: enable signature calculation

    • @@ -26663,6 +27231,11 @@ int file_id.max_files_per_flow = 32: maximal number of files ab
    • +int file_id.qp_decode_depth = -1: Quoted Printable decoding depth (-1 no limit) { -1:65535 } +

      +
    • +
    • +

      int file_id.show_data_depth = 100: print this many octets { 0:max53 }

    • @@ -26693,6 +27266,11 @@ int file_id.type_depth = 1460: stop type ID at this point { 0:m
    • +int file_id.uu_decode_depth = -1: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 } +

      +
    • +
    • +

      int file_id.verdict_delay = 0: number of queries to return final verdict { 0:max53 }

    • @@ -27058,7 +27636,7 @@ string host_cache.dump_file: file name to dump host cache on sh
    • -int host_cache.memcap = 8388608: maximum host cache size in bytes { 512:max32 } +int host_cache.memcap = 8388608: maximum host cache size in bytes { 512:maxSZ }

    • @@ -28673,11 +29251,6 @@ enum rate_filter[].track = by_src: filter only mat
    • -bool react.msg = false: use rule msg in response page instead of default message -

      -
    • -
    • -

      string react.page: file containing HTTP response (headers and body)

    • @@ -28858,6 +29431,11 @@ bool rt_global.empty_ips = false: ips policy with no rules
    • +bool rt_global.init_drop_reason = false: populate drop reason map +

      +
    • +
    • +

      int rt_global.memcap = 2048: cap on amount of memory used (0 is disabled) { 0:max53 }

    • @@ -30363,6 +30941,31 @@ interval tos.~range: check if IP TOS is in given range { 0:255
    • +string trace.constraints.dst_ip: destination IP address filter +

      +
    • +
    • +

      +int trace.constraints.dst_port: destination port filter { 0:65535 } +

      +
    • +
    • +

      +int trace.constraints.ip_proto: numerical IP protocol ID filter { 0:255 } +

      +
    • +
    • +

      +string trace.constraints.src_ip: source IP address filter +

      +
    • +
    • +

      +int trace.constraints.src_port: source port filter { 0:65535 } +

      +
    • +
    • +

      int trace.modules.appid.all: enable all trace options { 0:255 }

    • @@ -30438,6 +31041,21 @@ int trace.modules.latency.all: enable all trace options { 0:255
    • +int trace.modules.snort.all: enable all trace options { 0:255 } +

      +
    • +
    • +

      +int trace.modules.snort.inspector_manager: enable inspector manager trace logging { 0:255 } +

      +
    • +
    • +

      +int trace.modules.snort.main: enable main trace logging { 0:255 } +

      +
    • +
    • +

      int trace.modules.stream.all: enable all trace options { 0:255 }

    • @@ -31263,6 +31881,16 @@ interval wscale.~range: check if TCP window scale is in given r
    • +dce_tcp.tcp_expected_realized: total tcp dynamic endpoint expected realized sessions (sum) +

      +
    • +
    • +

      +dce_tcp.tcp_expected_sessions: total tcp dynamic endpoint expected sessions (sum) +

      +
    • +
    • +

      dce_tcp.tcp_packets: total tcp packets (sum)

    • @@ -31818,6 +32446,11 @@ interval wscale.~range: check if TCP window scale is in given r
    • +host_cache.replaced: lru cache found entry and replaced it (sum) +

      +
    • +
    • +

      host_tracker.service_adds: host service adds (sum)

    • @@ -33558,6 +34191,11 @@ interval wscale.~range: check if TCP window scale is in given r
    • +stream_tcp.held_packet_purges: number of held packets that were purged without flushing (sum) +

      +
    • +
    • +

      stream_tcp.held_packet_rexmits: number of retransmits of held packets (sum)

    • @@ -36951,6 +37589,16 @@ interval wscale.~range: check if TCP window scale is in given r snort.help(): this output

      +
    • +

      +trace.set(modules, constraints): set modules traces and constraints +

      +
    • +
    • +

      +trace.clear(): clear modules traces and constraints +

      +
    @@ -37308,8 +37956,6 @@ deleted -> pop: 'disabled' deleted -> pop: 'max_mime_mem' deleted -> pop: 'memcap' deleted -> ppm: 'debug-pkts' -deleted -> react: 'block' -deleted -> react: 'warn' deleted -> reputation: 'shared_max_instances' deleted -> reputation: 'shared_refresh' deleted -> rpc_decode: 'alert_fragments' @@ -37432,6 +38078,11 @@ deleted -> unified2: 'vlan_event_types'
  • +appid_listener (inspector): log selected published data to appid_listener.log +

    +
  • +
  • +

    appids (ips_option): detection option for application ids

  • @@ -38857,6 +39508,11 @@ deleted -> unified2: 'vlan_event_types'
  • +inspector::appid_listener: log selected published data to appid_listener.log +

    +
  • +
  • +

    inspector::arp_spoof: detect ARP attacks and anomalies

  • @@ -39965,7 +40621,7 @@ Adding/removing stream_* inspectors if stream was already configured diff --git a/doc/snort_manual.pdf b/doc/snort_manual.pdf index 42a4cf9ee..47863d415 100644 Binary files a/doc/snort_manual.pdf and b/doc/snort_manual.pdf differ diff --git a/doc/snort_manual.text b/doc/snort_manual.text index aa5d80fb3..7d713db2a 100644 --- a/doc/snort_manual.text +++ b/doc/snort_manual.text @@ -63,13 +63,13 @@ Table of Contents 5.8. FTP 5.9. HTTP Inspector 5.10. HTTP/2 Inspector - 5.11. Module Trace - 5.12. Performance Monitor - 5.13. POP and IMAP - 5.14. Port Scan - 5.15. Sensitive Data Filtering - 5.16. SMTP - 5.17. Telnet + 5.11. Performance Monitor + 5.12. POP and IMAP + 5.13. Port Scan + 5.14. Sensitive Data Filtering + 5.15. SMTP + 5.16. Telnet + 5.17. Trace 5.18. Wizard 6. Basic Modules 
@@ -143,58 +143,59 @@ Table of Contents 9. Inspector Modules 9.1. appid - 9.2. arp_spoof - 9.3. back_orifice - 9.4. binder - 9.5. cip - 9.6. data_log - 9.7. dce_http_proxy - 9.8. dce_http_server - 9.9. dce_smb - 9.10. dce_tcp - 9.11. dce_udp - 9.12. dnp3 - 9.13. dns - 9.14. domain_filter - 9.15. dpx - 9.16. file_id - 9.17. file_log - 9.18. finalize_packet - 9.19. ftp_client - 9.20. ftp_data - 9.21. ftp_server - 9.22. gtp_inspect - 9.23. http2_inspect - 9.24. http_inspect - 9.25. imap - 9.26. mem_test - 9.27. modbus - 9.28. normalizer - 9.29. packet_capture - 9.30. perf_monitor - 9.31. pop - 9.32. port_scan - 9.33. reputation - 9.34. rna - 9.35. rpc_decode - 9.36. rt_global - 9.37. rt_packet - 9.38. rt_service - 9.39. s7commplus - 9.40. sip - 9.41. smtp - 9.42. so_proxy - 9.43. ssh - 9.44. ssl - 9.45. stream - 9.46. stream_file - 9.47. stream_icmp - 9.48. stream_ip - 9.49. stream_tcp - 9.50. stream_udp - 9.51. stream_user - 9.52. telnet - 9.53. wizard + 9.2. appid_listener + 9.3. arp_spoof + 9.4. back_orifice + 9.5. binder + 9.6. cip + 9.7. data_log + 9.8. dce_http_proxy + 9.9. dce_http_server + 9.10. dce_smb + 9.11. dce_tcp + 9.12. dce_udp + 9.13. dnp3 + 9.14. dns + 9.15. domain_filter + 9.16. dpx + 9.17. file_id + 9.18. file_log + 9.19. finalize_packet + 9.20. ftp_client + 9.21. ftp_data + 9.22. ftp_server + 9.23. gtp_inspect + 9.24. http2_inspect + 9.25. http_inspect + 9.26. imap + 9.27. mem_test + 9.28. modbus + 9.29. normalizer + 9.30. packet_capture + 9.31. perf_monitor + 9.32. pop + 9.33. port_scan + 9.34. reputation + 9.35. rna + 9.36. rpc_decode + 9.37. rt_global + 9.38. rt_packet + 9.39. rt_service + 9.40. s7commplus + 9.41. sip + 9.42. smtp + 9.43. so_proxy + 9.44. ssh + 9.45. ssl + 9.46. stream + 9.47. stream_file + 9.48. stream_icmp + 9.49. stream_ip + 9.50. stream_tcp + 9.51. stream_udp + 9.52. stream_user + 9.53. telnet + 9.54. wizard 10. IPS Action Modules 
@@ -411,7 +412,7 @@ Table of Contents Snorty ,,_ -*> Snort++ <*- -o" )~ Version 3.0.1 (Build 4) +o" )~ Version 3.0.1 (Build 5) '''' By Martin Roesch & The Snort Team http://snort.org/contact#team Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved. 
@@ -4405,190 +4406,7 @@ http_inspect to provide full inspection of the individual HTTP/1.1 streams. -5.11. Module Trace - --------------- - -Snort 3 retired the different flavors of debug macros that used to be -set through environment variable SNORT_DEBUG. It was replaced by a -module specific trace. Trace is turned on by setting the -module-specific trace bitmask in snort.lua. As before, in order to -enable it, snort has to be configured and built with ---enable-debug-msgs. - -5.11.1. Debugging rules using detection trace - -Detection engine is responsible for rule evaluation. Turning on the -trace for it can help with debugging new rules. - -The relevant options for detection are as follow (represented as -hex): - -0x2 - follow rule evaluation -0x4 - print evaluated buffer if it changed -0x8 - print evaluated buffer at every step -0x10 - print value of ips rule options vars -0x20 - print information on fast pattern search - -Buffer print is useful, but in case the buffer is very big can be too -verbose. Choose between 0x4, 0x8 or no buffer trace accordingly. - -0x10 is useful when the rule is using ips rule options vars. - -5.11.2. 
Example - rule evaluation traces: - -In snort.lua, the following line was added: - -detection = {trace = 0x20 + 0x10 + 0x2 + 0x4} - -The pcap has a single packet with payload: 10.AAAAAAAfoobar - -Evaluated on rules: - -# byte_math + oper with byte extract and content -# VAL = 1, byte_math = 0 + 10 -alert tcp ( byte_extract: 1, 0, VAL, string, dec; -byte_math:bytes 1,offset VAL,oper +, rvalue 10, result var1, string dec; -content:"foo", offset var1; sid:3) - -#This rule should not trigger -alert tcp (content:"AAAAA"; byte_jump:2,0,relative; -content:"foo", within 3; sid:2) - -The output: - -detection: packet 1 C2S 127.0.0.1:1234 127.0.0.1:5678 -detection: Fast pattern search -detection: 1 fp packet[16] - -snort.raw[16]: -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -31 30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 10.AAAAAAAfoobar -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -detection: Processing pattern match #1 -detection: Fast pattern packet[5] = 'AAAAA' |41 41 41 41 41 | ( ) -detection: Starting tree eval -detection: Evaluating option content, cursor name pkt_data, cursor position 0 - -snort.raw[16]: -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -31 30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 10.AAAAAAAfoobar -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -detection: Rule options variables: -var[0]=0 var[1]=0 var[2]=0 -detection: Evaluating option byte_jump, cursor name pkt_data, cursor position 8 - -snort.raw[8]: -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -41 41 66 6F 6F 62 61 72 AAfoobar -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -detection: no match -detection: Rule options variables: -var[0]=0 var[1]=0 var[2]=0 -detection: Evaluating option byte_jump, cursor name pkt_data, cursor position 9 - -snort.raw[7]: -- - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - -41 66 6F 6F 62 61 72 Afoobar -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -detection: no match -detection: Rule options variables: -var[0]=0 var[1]=0 var[2]=0 -detection: Evaluating option byte_jump, cursor name pkt_data, cursor position 10 - -snort.raw[6]: -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -66 6F 6F 62 61 72 foobar -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -detection: no match -detection: no match -detection: Processing pattern match #2 -detection: Fast pattern packet[3] = 'foo' |66 6F 6F | ( ) -detection: Starting tree eval -detection: Evaluating option byte_extract, cursor name pkt_data, cursor position 0 - -snort.raw[16]: -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -31 30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 10.AAAAAAAfoobar -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -detection: Rule options variables: -var[0]=1 var[1]=0 var[2]=0 -detection: Evaluating option byte_math, cursor name pkt_data, cursor position 1 - -snort.raw[15]: -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 0.AAAAAAAfoobar -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -detection: Rule options variables: -var[0]=1 var[1]=10 var[2]=0 -detection: Evaluating option content, cursor name pkt_data, cursor position 2 - -snort.raw[14]: -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 .AAAAAAAfoobar -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -detection: Rule options variables: -var[0]=1 var[1]=10 var[2]=0 -detection: Reached leaf, cursor name pkt_data, cursor position 13 - -snort.raw[3]: -- - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - -62 61 72 bar -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -detection: Matched rule gid:sid:rev 1:3:0 -detection: Rule options variables: -var[0]=1 var[1]=10 var[2]=0 -04/22-20:21:40.905630, 1, TCP, raw, 56, C2S, 127.0.0.1:1234, 127.0.0.1:5678, 1:3:0, allow - -5.11.3. Protocols decoding trace - -Turning on decode trace will print out information about the packets -decoded protocols. Can be useful in case of tunneling. - -Example for a icmpv4-in-ipv6 packet: - -In snort.lua, the following line was added: - -decode = { trace = 1 } - -The output: - -decode: Codec eth (protocol_id: 34525) ip header starts at: 0x7f70800110f0, length is 14 -decode: Codec ipv6 (protocol_id: 1) ip header starts at: 0x7f70800110f0, length is 40 -decode: Codec icmp4 (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 8 -decode: Codec unknown (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 0 - -5.11.4. Other available traces - -There are more trace options supported by detection: - -0x1 - prints statistics about the engine -0x40 - prints a message when disabling content detect for packet -0x80 - prints option tree data structure -0x100 - prints a message when a new tag is added - -Detection is the only module that support multiple options for trace. - -The rest support only 1 option, and can be turned on by adding trace -= 1 to their lua config. - - * stream module trace: - -When turned on prints a message in case inspection is stopped on a -flow. Example for output: - -stream: stop inspection on flow, dir BOTH - - * stream_ip, stream_user: trace will output general processing - messages - -Other modules that support trace have messages as seemed fit to the -developer. Some are for corner cases, other for complex data -structures prints. Current list of additional modules supporting -trace: appid, dce_smb, gtp_inspect and dce_udp. - - -5.12. Performance Monitor +5.11. 
Performance Monitor -------------- @@ -4597,14 +4415,14 @@ down by too many flows? perf_monitor! Why are certain TCP segments being dropped without hitting a rule? perf_monitor! Why is a sensor leaking water? Not perf_monitor, check with stream… -5.12.1. Overview +5.11.1. Overview The Snort performance monitor is the built-in utility for monitoring system and traffic statistics. All statistics are separated by processing thread. perf_monitor supports several trackers for monitoring such data: -5.12.2. Base Tracker +5.11.2. Base Tracker The base tracker is used to gather running statistics about Snort and its running modules. All Snort modules gather, at the very least, @@ -4661,7 +4479,7 @@ perf_monitor = Note: Event stats from prior Snorts are now located within base statistics. -5.12.3. Flow Tracker +5.11.3. Flow Tracker Flow tracks statistics regarding traffic and L3/L4 protocol distributions. This data can be used to build a profile of traffic @@ -4671,7 +4489,7 @@ To enable: perf_monitor = { flow = true } -5.12.4. FlowIP Tracker +5.11.4. FlowIP Tracker FlowIP provides statistics for individual hosts within a network. This data can be used for identifying communication habits, such as @@ -4683,7 +4501,7 @@ To enable: perf_monitor = { flow_ip = true } -5.12.5. CPU Tracker +5.11.5. CPU Tracker This tracker monitors the CPU and wall time spent by a given processing thread. @@ -4692,7 +4510,7 @@ To enable: perf_monitor = { cpu = true } -5.12.6. Formatters +5.11.6. Formatters Performance monitor allows statistics to be output in a few formats. Along with human readable text (as seen at shutdown) and csv formats, 
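Review bot: the removed 5.11 Module Trace section documented the old per-module syntax (detection = { trace = 0x20 + 0x10 + 0x2 + 0x4 }, decode = { trace = 1 }) and a worked example showing buffer dumps and rule-option variables, while the replacement 5.17 section moves to named options under trace.modules; neither section tells users that the old trace = <bitmask> keys in module tables are gone. Suggest a short migration note mapping the old hex bits (0x1 engine statistics, 0x2 rule evaluation, 0x40 disabling content detect, 0x80 option tree, 0x100 tag) to the new names (detect_engine, rule_eval, pkt_detect, opt_tree, tag) and saying what happens to the buffer-print bits 0x4, 0x8 and 0x10, which have no named equivalent in the part of the new option list visible in this change.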
@@ -4706,14 +4524,14 @@ used by Performance monitor, see the developer notes for Performance monitor or the code provided for fbstreamer. -5.13. POP and IMAP +5.12. POP and IMAP -------------- POP inspector is a service inspector for POP3 protocol and IMAP inspector is for IMAP4 protocol. -5.13.1. Overview +5.12.1. Overview POP and IMAP inspectors examine data traffic and find POP and IMAP commands and responses. The inspectors also identify the command, @@ -4721,7 +4539,7 @@ header, body sections and extract the MIME attachments and decode it appropriately. The pop and imap also identify and whitelist the pop and imap traffic. -5.13.2. Configuration +5.12.2. Configuration POP inspector and IMAP inspector offer same set of configuration options for MIME decoding depth. These depths range from 0 to 65535 @@ -4731,27 +4549,27 @@ be decoded. If you do not specify the default value is 1460 bytes. The depth limits apply per attachment. They are: -5.13.2.1. b64_decode_depth +5.12.2.1. b64_decode_depth Set the base64 decoding depth used to decode the base64-encoded MIME attachments. -5.13.2.2. qp_decode_depth +5.12.2.2. qp_decode_depth Set the Quoted-Printable (QP) decoding depth used to decode QP-encoded MIME attachments. -5.13.2.3. bitenc_decode_depth +5.12.2.3. bitenc_decode_depth Set the non-encoded MIME extraction depth used for non-encoded MIME attachments. -5.13.2.4. uu_decode_depth +5.12.2.4. uu_decode_depth Set the Unix-to-Unix (UU) decoding depth used to decode UU-encoded attachments. -5.13.2.5. Examples +5.12.2.5. Examples stream = { } @@ -4785,13 +4603,13 @@ pop = } -5.14. Port Scan +5.13. Port Scan -------------- A module to detect port scanning -5.14.1. Overview +5.13.1. Overview This module is designed to detect the first phase in a network attack: Reconnaissance. In the Reconnaissance phase, an attacker 
@@ -4891,7 +4709,7 @@ however, Portscan will only track open ports after the alert has been triggered. Open port events are not individual alerts, but tags based off the original scan alert. -5.14.2. Scan levels +5.13.2. Scan levels There are 3 default scan levels that can be set. @@ -4945,7 +4763,7 @@ setting will catch some slow scans because of the continuous monitoring, but is very sensitive to active hosts. This most definitely will require the user to tune Portscan. -5.14.3. Tuning Portscan +5.13.3. Tuning Portscan The most important aspect in detecting portscans is tuning the detection engine for your network(s). Here are some tuning tips: @@ -5022,7 +4840,7 @@ require the least tuning. The low sensitivity level does not catch filtered scans, since these are more prone to false positives. -5.15. Sensitive Data Filtering +5.14. Sensitive Data Filtering -------------- @@ -5032,21 +4850,21 @@ credit card numbers, U.S. Social Security numbers, and email addresses. A rich regular expression syntax is available for defining your own PII. -5.15.1. Hyperscan +5.14.1. Hyperscan The sd_pattern rule option is powered by the open source Hyperscan library from Intel. It provides a regex grammar which is mostly PCRE compatible. To learn more about Hyperscan see https://intel.github.io /hyperscan/dev-reference/ -5.15.2. Syntax +5.14.2. Syntax Snort provides sd_pattern as IPS rule option with no additional inspector overhead. The Rule option takes the following syntax. sd_pattern: ""[, threshold ]; -5.15.2.1. Pattern +5.14.2.1. Pattern Pattern is the most important and is the only required parameter to sd_pattern. It supports 3 built in patterns which are configured by 
@@ -5084,7 +4902,7 @@ but would not match 1@ourdomain.com ab12@ourdomain.com or Note: This is just an example, this pattern is not suitable to detect many correctly formatted emails. -5.15.2.2. Threshold +5.14.2.2. Threshold Threshold is an optional parameter allowing you to change built in default value (default value is 1). The following two instances are @@ -5102,7 +4920,7 @@ This example requires 300 matches of the pattern "This is a string literal" to qualify as a positive match. That is, if the string only occurred 299 times in a packet, you will not see an event. -5.15.2.3. Obfuscating Credit Cards and Social Security Numbers +5.14.2.3. Obfuscating Credit Cards and Social Security Numbers Snort provides discreet logging for the built in patterns "credit_card", "us_social" and "us_social_nodashes". Enabling @@ -5115,7 +4933,7 @@ output = obfuscate_pii = true } -5.15.3. Example +5.14.3. Example A complete Snort IPS rule @@ -5131,7 +4949,7 @@ Logged output when running Snort in "cmg" alert format. 58 58 58 58 58 58 58 58 58 58 58 58 39 32 39 34 XXXXXXXXXXXX9294 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -5.15.4. Caveats +5.14.4. Caveats 1. Snort currently requires setting the fast pattern engine to use "hyperscan" in order for sd_pattern ips option to function @@ -5148,13 +4966,13 @@ Logged output when running Snort in "cmg" alert format. (This is a known bug). -5.16. SMTP +5.15. SMTP -------------- SMTP inspector is a service inspector for SMTP protocol. -5.16.1. Overview +5.15.1. Overview The SMTP inspector examines SMTP connections looking for commands and responses. It also identifies the command, header and body sections, 
@@ -5164,7 +4982,7 @@ identifies and whitelists the SMTP traffic. SMTP inspector logs the filename, email addresses, attachment names when configured. -5.16.2. Configuration +5.15.2. Configuration SMTP command lines can be normalized to remove extraneous spaces. TLS-encrypted traffic can be ignored, which improves performance. In @@ -5173,7 +4991,7 @@ performance boost. The configuration options are described below: -5.16.2.1. normalize and normalize_cmds +5.15.2.1. normalize and normalize_cmds Normalization checks for more than one space character after a command. Space characters are defined as space (ASCII 0x20) or tab @@ -5184,34 +5002,34 @@ example: smtp = { normalize = 'cmds', normalize_cmds = 'RCPT VRFY EXPN' } -5.16.2.2. ignore_data +5.15.2.2. ignore_data Set it to true to ignore data section of mail (except for mail headers) when processing rules. -5.16.2.3. ignore_tls_data +5.15.2.3. ignore_tls_data Set it to true to ignore TLS-encrypted data when processing rules. -5.16.2.4. max_command_line_len +5.15.2.4. max_command_line_len Alert if an SMTP command line is longer than this value. Absence of this option or a "0" means never alert on command line length. RFC 2821 recommends 512 as a maximum command line length. -5.16.2.5. max_header_line_len +5.15.2.5. max_header_line_len Alert if an SMTP DATA header line is longer than this value. Absence of this option or a "0" means never alert on data header line length. RFC 2821 recommends 1024 as a maximum data header line length. -5.16.2.6. max_response_line_len +5.15.2.6. max_response_line_len Alert if an SMTP response line is longer than this value. Absence of this option or a "0" means never alert on response line length. RFC 2821 recommends 512 as a maximum response line length. -5.16.2.7. alt_max_command_line_len +5.15.2.7. alt_max_command_line_len Overrides max_command_line_len for specific commands For example: 
@@ -5227,11 +5045,11 @@ alt_max_command_line_len = }, } -5.16.2.8. invalid_cmds +5.15.2.8. invalid_cmds Alert if this command is sent from client side. -5.16.2.9. valid_cmds +5.15.2.9. valid_cmds List of valid commands. We do not alert on commands in this list. @@ -5241,36 +5059,36 @@ HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SIZE STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR ]] -5.16.2.10. data_cmds +5.15.2.10. data_cmds List of commands that initiate sending of data with an end of data delimiter the same as that of the DATA command per RFC 5321 - " .". -5.16.2.11. binary_data_cmds +5.15.2.11. binary_data_cmds List of commands that initiate sending of data and use a length value after the command to indicate the amount of data to be sent, similar to that of the BDAT command per RFC 3030. -5.16.2.12. auth_cmds +5.15.2.12. auth_cmds List of commands that initiate an authentication exchange between client and server. -5.16.2.13. xlink2state +5.15.2.13. xlink2state Enable/disable xlink2state alert, options are {disable | alert | drop}. See CVE-2005-0560 for a description of the vulnerability. -5.16.2.14. MIME processing depth parameters +5.15.2.14. MIME processing depth parameters These four MIME processing depth parameters are identical to their POP and IMAP counterparts. See that section for further details. b64_decode_depth qp_decode_depth bitenc_decode_depth uu_decode_depth -5.16.2.15. Log Options +5.15.2.15. Log Options Following log options allow SMTP inspector to log email addresses and filenames. Please note, this is logged only with the unified2 output @@ -5313,7 +5131,7 @@ This option specifies the depth for logging email headers. The allowed range for this option is 0 - 20480. A value of 0 will disable email headers logging. The default value for this option is 1464. -5.16.3. Example +5.15.3. Example smtp = { 
@@ -5366,7 +5184,7 @@ smtp = } -5.17. Telnet +5.16. Telnet -------------- @@ -5376,7 +5194,7 @@ command sequences per RFC 854. It will also determine when a telnet connection is encrypted, per the use of the telnet encryption option per RFC 2946. -5.17.1. Configuring the inspector to block exploits and attacks +5.16.1. Configuring the inspector to block exploits and attacks ayt_attack_thresh number 
@@ -5385,6 +5203,577 @@ the threshold number specified. This addresses a few specific vulnerabilities relating to bsd-based implementations of telnet. +5.17. Trace + +-------------- + +Snort 3 retired the different flavors of debug macros that used to be +set through the SNORT_DEBUG environment variable. It was replaced by +per-module trace functionality. Trace is turned on by setting the +specific trace module configuration in snort.lua. As before, to +enable debug tracing, Snort must be configured at build time with +--enable-debug-msgs. However, a growing number of modules (such as +wizard and snort.inspector_manager) are providing non-debug trace +messages in normal production builds. + +5.17.1. Trace module + +The trace module is responsible for configuring traces and supports +the following parameters: + +output - configure the output method for trace messages +modules - trace configuration for specific modules +constraints - filter traces by the packet constraints + +The following lines, added in snort.lua, will enable trace messages +for detection and codec modules. The messages will be printed to +syslog if the packet filtering constraints match. + +trace = +{ + output = "syslog", + modules = + { + detection = { detect_engine = 1 }, + decode = { all = 1 } + }, + constraints = + { + ip_proto = 17, + dst_ip = "10.1.1.2", + src_port = 100, + dst_port = 200 + } +} + +The trace module supports config reloading. Also, it’s possible to +set or clear modules traces and packet filter constraints via the +control channel command. + +5.17.2. Trace module - configuring traces + +The trace module has the modules option - a table with trace +configuration for specific modules. 
The following lines placed in +snort.lua will enable trace messages for detection, codec and wizard +modules: + +trace = +{ + modules = + { + detection = { all = 1 }, + decode = { all = 1 }, + wizard = { all = 1 } + } +} + +The detection and snort modules are currently the only modules to +support multiple trace options. Others have only the default all +option, which will enable or disable all traces in a given module. +It’s available for multi-option modules also and works as a global +switcher: + +trace = +{ + modules = + { + detection = { all = 1 } -- set each detection option to level 1 + } +} + +trace = +{ + modules = + { + detection = { all = 1, tag = 2 } -- set each detection option to level 1 but the 'tag' to level 2 + } +} + +The full list of available trace parameters is placed into the "Basic +Modules.trace" chapter. + +Each option must be assigned an integer value between 0 and 255 to +specify a level of verbosity for that option: + +0 - turn off trace messages printing for the option +1 - print most significant trace messages for the option +255 - print all available trace messages for the option + +Tracing is disabled by default (verbosity level equals 0). The +verbosity level is treated as a threshold, so specifying a higher +value will result in all messages with a lower level being printed as +well. For example: + +trace = +{ + modules = + { + decode = { all = 3 } -- messages with levels 1, 2, and 3 will be printed + } +} + +5.17.3. Trace module - configuring packet filter constraints for +packet related trace messages + +There is a capability to filter traces by the packet constraints. The +trace module has the constraints option - a table with filtering +configuration that will be applied to all trace messages that include +a packet. Filtering is done on a flow that packet is related. By +default filtering is disabled. 
+ +Available constraints options: + +ip_proto - numerical IP protocol ID +src_ip - match all packets with a flow that has this client IP address (passed as a string) +src_port - match all packets with a flow that has this source port +dst_ip - match all packets with a flow that has this server IP address (passed as a string) +dst_port - match all packets with a flow that has this destination port + +The following lines placed in snort.lua will enable all trace +messages for detection filtered by ip_proto, dst_ip, src_port and +dst_port: + +trace = +{ + modules = + { + detection = { all = 1 } + }, + constraints = + { + ip_proto = 6, -- tcp + dst_ip = "10.1.1.10", + src_port = 150, + dst_port = 250 + } +} + +5.17.4. Trace module - configuring trace output method + +There is a capability to configure the output method for trace +messages. The trace module has the output option with two acceptable +values: + +"stdout" - printing to stdout +"syslog" - printing to syslog + +By default, the output method will be set based on the Snort run +mode. Normally it will use stdout, but if -D (daemon mode) and/or -M +(alert-syslog mode) are set, it will instead use syslog. + +Example - set output method as syslog: + +In snort.lua, the following lines were added: + +trace = +{ + output = "syslog", + modules = + { + detection = { all = 1 } + } +} + +As a result, each trace message will be printed into syslog (the +Snort run-mode will be ignored). + +5.17.5. Configuring traces via control channel command + +There is a capability to configure module trace options and packet +constraints via the control channel command by using a Snort shell. +In order to enable shell, Snort has to be configured and built with +--enable-shell. + +The trace control channel command is a way how to configure module +trace options and/or packet filter constraints directly during Snort +run and without reloading the entire config. 
+ +After entering the Snort shell, there are two commands available for +the trace module: + +trace.set({ modules = {...}, constraints = {...} }) - set modules traces and constraints (should pass a valid Lua-entry) + +trace.clear() - clear modules traces and constraints + +Also, it’s possible to omit tables in the trace.set() command: + +trace.set({constraints = {...}}) - set only filtering configuration keeping old modules traces + +trace.set({modules = {...}}) - set only module trace options keeping old filtering constraints + +trace.set({}) - disable traces and constraints (set to empty) + +5.17.6. Trace messages format + +Each tracing message has a standard format: + +::: + +5.17.7. Example - Debugging rules using detection trace + +The detection engine is responsible for rule evaluation. Turning on +the trace for it can help with debugging new rules. + +The relevant options for detection are as follow: + +rule_eval - follow rule evaluation +buffer - print evaluated buffer if it changed (level 1) or at every step (level 5) +rule_vars - print value of ips rule options vars +fp_search - print information on fast pattern search + +Buffer print is useful, but in case the buffer is very big can be too +verbose. Choose between verbosity levels 1, 5, or no buffer trace +accordingly. + +rule_vars is useful when the rule is using ips rule options vars. 
+ +In snort.lua, the following lines were added: + +trace = +{ + modules = + { + detection = + { + rule_eval = 1, + buffer = 1, + rule_vars = 1, + fp_search = 1 + } + } +} + +The pcap has a single packet with payload: + +10.AAAAAAAfoobar + +Evaluated on rules: + +# byte_math + oper with byte extract and content +# VAL = 1, byte_math = 0 + 10 +alert tcp ( byte_extract: 1, 0, VAL, string, dec; +byte_math:bytes 1,offset VAL,oper +, rvalue 10, result var1, string dec; +content:"foo", offset var1; sid:3) + +#This rule should not trigger +alert tcp (content:"AAAAA"; byte_jump:2,0,relative; +content:"foo", within 3; sid:2) + +The output: + +detection:rule_eval:1: packet 1 C2S 127.0.0.1:1234 127.0.0.1:5678 (fast-patterns) +detection:rule_eval:1: Fast pattern search +detection:fp_search:1: 1 fp packet[16] + +snort.raw[16]: +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +31 30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 10.AAAAAAAfoobar +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +detection:rule_eval:1: Processing pattern match #1 +detection:rule_eval:1: Fast pattern packet[5] = 'AAAAA' |41 41 41 41 41 | ( ) +detection:rule_eval:1: Starting tree eval +detection:rule_eval:1: Evaluating option content, cursor name pkt_data, cursor position 0 + +snort.raw[16]: +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +31 30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 10.AAAAAAAfoobar +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +detection:rule_vars:1: Rule options variables: var[0]=0 var[1]=0 var[2]=0 +detection:rule_eval:1: Evaluating option byte_jump, cursor name pkt_data, cursor position 8 + +snort.raw[8]: +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +41 41 66 6F 6F 62 61 72 AAfoobar +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +detection:rule_eval:1: no match 
+detection:rule_vars:1: Rule options variables: var[0]=0 var[1]=0 var[2]=0 +detection:rule_eval:1: Evaluating option byte_jump, cursor name pkt_data, cursor position 9 + +snort.raw[7]: +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +41 66 6F 6F 62 61 72 Afoobar +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +detection:rule_eval:1: no match +detection:rule_vars:1: Rule options variables: var[0]=0 var[1]=0 var[2]=0 +detection:rule_eval:1: Evaluating option byte_jump, cursor name pkt_data, cursor position 10 + +snort.raw[6]: +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +66 6F 6F 62 61 72 foobar +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +detection:rule_eval:1: no match +detection:rule_eval:1: no match +detection:rule_eval:1: Processing pattern match #2 +detection:rule_eval:1: Fast pattern packet[3] = 'foo' |66 6F 6F | ( ) +detection:rule_eval:1: Starting tree eval +detection:rule_eval:1: Evaluating option byte_extract, cursor name pkt_data, cursor position 0 + +snort.raw[16]: +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +31 30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 10.AAAAAAAfoobar +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +detection:rule_vars:1: Rule options variables: var[0]=1 var[1]=0 var[2]=0 +detection:rule_eval:1: Evaluating option byte_math, cursor name pkt_data, cursor position 1 + +snort.raw[15]: +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +30 00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 0.AAAAAAAfoobar +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +detection:rule_vars:1: Rule options variables: var[0]=1 var[1]=10 var[2]=0 +detection:rule_eval:1: Evaluating option content, cursor name pkt_data, cursor position 2 + +snort.raw[14]: +- - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - +00 41 41 41 41 41 41 41 66 6F 6F 62 61 72 .AAAAAAAfoobar +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +detection:rule_vars:1: Rule options variables: var[0]=1 var[1]=10 var[2]=0 +detection:rule_eval:1: Reached leaf, cursor name pkt_data, cursor position 13 + +snort.raw[3]: +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +62 61 72 bar +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +detection:rule_eval:1: Matched rule gid:sid:rev 1:3:0 +detection:rule_vars:1: Rule options variables: var[0]=1 var[1]=10 var[2]=0 +04/22-20:21:40.905630, 1, TCP, raw, 56, C2S, 127.0.0.1:1234, 127.0.0.1:5678, 1:3:0, allow + +5.17.8. Example - Protocols decoding trace + +Turning on decode trace will print out information about the packets +decoded protocols. Can be useful in case of tunneling. + +Example for a icmpv4-in-ipv6 packet: + +In snort.lua, the following line was added: + +trace = +{ + modules = + { + decode = { all = 1 } + } +} + +The output: + +decode:all:1: Codec eth (protocol_id: 34525) ip header starts at: 0x7f70800110f0, length is 14 +decode:all:1: Codec ipv6 (protocol_id: 1) ip header starts at: 0x7f70800110f0, length is 40 +decode:all:1: Codec icmp4 (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 8 +decode:all:1: Codec unknown (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 0 + +5.17.9. Example - Track the time packet spends in each inspector + +There is a capability to track which inspectors evaluate a packet, +and how much time the inspector consumes doing so. 
These trace +messages could be enabled by the Snort module trace options: + +main - command execution traces (main trace logging) +inspector_manager - inspectors execution and time tracking traces + +Example for a single packet with payload: + +10.AAAAAAAfoobar + +In snort.lua, the following lines were added: + +trace = +{ + modules = + { + snort = + { + -- could be replaced by 'all = 1' + main = 1, + inspector_manager = 1 + } + } +} + +The output: + +snort:main:1: [0] Queuing command START for execution (refcount 1) +snort:main:1: [0] Queuing command RUN for execution (refcount 1) +snort:main:1: [0] Destroying completed command START +snort:inspector_manager:1: start inspection, raw, packet 1, context 1 +snort:inspector_manager:1: enter stream +snort:inspector_manager:1: exit stream, elapsed time: 2 usec +snort:inspector_manager:1: stop inspection, raw, packet 1, context 1, total time: 14 usec +snort:inspector_manager:1: post detection inspection, raw, packet 1, context 1 +snort:inspector_manager:1: end inspection, raw, packet 1, context 1, total time: 0 usec +snort:main:1: [0] Destroying completed command RUN + +5.17.10. 
Example - trace filtering by packet constraints: + +In snort.lua, the following lines were added: + +ips = +{ + rules = + [[ + alert tcp any any -> any any ( msg: "ALERT_TCP"; gid: 1001; sid: 1001 ) + alert udp any any -> any any ( msg: "ALERT_UDP"; gid: 1002; sid: 1002 ) + ]] +} + +trace = +{ + modules = + { + detection = { rule_eval = 1 } + }, + constraints = + { + ip_proto = 17, -- udp + dst_ip = "10.1.1.2", + src_port = 100, + dst_port = 200 + } +} + +The processed traffic was next: + +d ( stack="eth:ip4:udp" ) + +c ( ip4:a="10.1.1.1", ip4:b="10.1.1.2", udp:a=100, udp:b=200 ) +a ( pay="pass" ) +b ( pay="pass" ) + +c ( ip4:a="10.2.1.1" ) +a ( pay="pass" ) +b ( pay="pass" ) + +c ( udp:a=101 ) +a ( pay="block" ) +b ( pay="block" ) + +The output: + +detection:rule_eval:1: packet 1 UNK 10.1.1.1:100 10.1.1.2:200 (fast-patterns) +detection:rule_eval:1: Fast pattern processing - no matches found +detection:rule_eval:1: packet 1 UNK 10.1.1.1:100 10.1.1.2:200 (non-fast-patterns) +detection:rule_eval:1: packet 2 UNK 10.1.1.2:200 10.1.1.1:100 (fast-patterns) +detection:rule_eval:1: Fast pattern processing - no matches found +detection:rule_eval:1: packet 2 UNK 10.1.1.2:200 10.1.1.1:100 (non-fast-patterns) +detection:rule_eval:1: packet 3 UNK 10.2.1.1:100 10.1.1.2:200 (fast-patterns) +detection:rule_eval:1: Fast pattern processing - no matches found +detection:rule_eval:1: packet 3 UNK 10.2.1.1:100 10.1.1.2:200 (non-fast-patterns) +detection:rule_eval:1: packet 4 UNK 10.1.1.2:200 10.2.1.1:100 (fast-patterns) +detection:rule_eval:1: Fast pattern processing - no matches found +detection:rule_eval:1: packet 4 UNK 10.1.1.2:200 10.2.1.1:100 (non-fast-patterns) + +The trace messages for two last packets (numbers 5 and 6) weren’t +printed. + +5.17.11. 
Example - configuring traces via trace.set() command + +In snort.lua, the following lines were added: + +ips = +{ + rules = + [[ + alert tcp any any -> any any ( msg: "ALERT_TCP"; gid: 1001; sid: 1001 ) + alert udp any any -> any any ( msg: "ALERT_UDP"; gid: 1002; sid: 1002 ) + ]] +} + +trace = +{ + constraints = + { + ip_proto = 17, -- udp + dst_ip = "10.1.1.2", + src_port = 100, + dst_port = 200 + }, + modules = + { + detection = { rule_eval = 1 } + } +} + +The processed traffic was next: + +# Flow 1 +d ( stack="eth:ip4:udp" ) +c ( ip4:a="10.1.1.1", ip4:b="10.1.1.2", udp:a=100, udp:b=200 ) +a ( data="udp packet 1" ) +a ( data="udp packet 2" ) + +# Flow 2 +d ( stack="eth:ip4:tcp" ) +c ( ip4:a="10.1.1.3", ip4:b="10.1.1.4", tcp:a=5000, tcp:b=6000 ) +a ( syn ) +b ( syn, ack ) +a ( ack ) +a ( ack, data="tcp packet 1" ) +a ( ack, data="tcp packet 2" ) +a ( fin, ack ) +b ( fin, ack ) + +After 1 packet, entering shell and pass the trace.set() command as +follows: + +trace.set({ constraints = { ip_proto = 6, dst_ip = "10.1.1.4", src_port = 5000, dst_port = 6000 }, modules = { decode = { all = 1 }, detection = { rule_eval = 1 } } }) + +The output (not full, only descriptive lines): + +detection:rule_eval:1: packet 1 UNK 10.1.1.1:100 10.1.1.2:200 (fast-patterns) +detection:rule_eval:1: packet 1 UNK 10.1.1.1:100 10.1.1.2:200 (non-fast-patterns) +decode:all:1: Codec udp (protocol_id: 256) ip header starts length is 8 +decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20 +detection:rule_eval:1: packet 3 UNK 10.1.1.3:5000 10.1.1.4:6000 (fast-patterns) +detection:rule_eval:1: packet 3 UNK 10.1.1.3:5000 10.1.1.4:6000 (non-fast-patterns) +decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20 +detection:rule_eval:1: packet 4 UNK 10.1.1.4:6000 10.1.1.3:5000 (fast-patterns) +detection:rule_eval:1: packet 4 UNK 10.1.1.4:6000 10.1.1.3:5000 (non-fast-patterns) +decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20 
+detection:rule_eval:1: packet 5 UNK 10.1.1.3:5000 10.1.1.4:6000 (fast-patterns) +detection:rule_eval:1: packet 5 UNK 10.1.1.3:5000 10.1.1.4:6000 (non-fast-patterns) +decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20 +detection:rule_eval:1: packet 6 UNK 10.1.1.3:5000 10.1.1.4:6000 (fast-patterns) +detection:rule_eval:1: packet 6 UNK 10.1.1.3:5000 10.1.1.4:6000 (non-fast-patterns) +decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20 +detection:rule_eval:1: packet 7 UNK 10.1.1.3:5000 10.1.1.4:6000 (fast-patterns) +detection:rule_eval:1: packet 7 UNK 10.1.1.3:5000 10.1.1.4:6000 (non-fast-patterns) +decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20 +detection:rule_eval:1: packet 8 UNK 10.1.1.3:5000 10.1.1.4:6000 (fast-patterns) +detection:rule_eval:1: packet 8 UNK 10.1.1.3:5000 10.1.1.4:6000 (non-fast-patterns) +decode:all:1: Codec tcp (protocol_id: 256) ip header starts length is 20 +detection:rule_eval:1: packet 9 UNK 10.1.1.4:6000 10.1.1.3:5000 (fast-patterns) +detection:rule_eval:1: packet 9 UNK 10.1.1.4:6000 10.1.1.3:5000 (non-fast-patterns) + +The new configuration was applied. decode:all:1 messages aren’t +filtered because they don’t include a packet (a packet isn’t +well-formed at the point when the message is printing). + +5.17.12. Other available traces + +There are more trace options supported by detection: + +detect_engine - prints statistics about the engine +pkt_detect - prints a message when disabling content detect for packet +opt_tree - prints option tree data structure +tag - prints a message when a new tag is added + +The rest support only 1 option, and can be turned on by adding all = +1 to their table in trace lua config. + + * stream module trace: + +When turned on prints a message in case inspection is stopped on a +flow. 
Example for output: + +stream:all:1: stop inspection on flow, dir BOTH + + * stream_ip, stream_user: trace will output general processing + messages + +Other modules that support trace have messages as seemed fit to the +developer. Some are for corner cases, others for complex data +structures. + + 5.18. Wizard -------------- @@ -5829,7 +6218,7 @@ Configuration: * string host_cache.dump_file: file name to dump host cache on shutdown; won’t dump by default * int host_cache.memcap = 8388608: maximum host cache size in bytes - { 512:max32 } + { 512:maxSZ } Commands: @@ -5846,6 +6235,7 @@ Peg counts: * host_cache.reload_prunes: lru cache pruned entry for lower memcap during reload (sum) * host_cache.removes: lru cache found entry and removed it (sum) + * host_cache.replaced: lru cache found entry and replaced it (sum) 6.12. host_tracker @@ -6672,6 +7062,10 @@ Configuration: * int trace.modules.stream_ip.all: enable all trace options { 0:255 } * int trace.modules.stream.all: enable all trace options { 0:255 } + * int trace.modules.snort.all: enable all trace options { 0:255 } + * int trace.modules.snort.main: enable main trace logging { 0:255 } + * int trace.modules.snort.inspector_manager: enable inspector + manager trace logging { 0:255 } * int trace.modules.dce_smb.all: enable all trace options { 0:255 } * int trace.modules.dce_udp.all: enable all trace options { 0:255 } * int trace.modules.latency.all: enable all trace options { 0:255 } 
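Review bot: the 5.17.1 example says the detection and decode trace messages "will be printed to syslog if the packet filtering constraints match", but 5.17.11 in the same hunk states that decode:all messages are never filtered because they don't include a packet, so the decode = { all = 1 } half of that example ignores the constraints table entirely; say so in 5.17.1 (or drop decode from that example) so readers don't expect constraints to quiet the codec trace. Several other spots in this hunk need a pass: the 5.17.6 "standard format" line renders as a bare ":::", presumably because angle-bracket placeholders were swallowed by the markup, and should be put in a literal block (the later output, e.g. "detection:rule_eval:1: Starting tree eval", shows the module:option:level: message shape that belongs there); 5.17.3 defines src_ip/dst_ip as the flow's client and server addresses, which the 5.17.10 output confirms (packet 4, 10.1.1.2:200 -> 10.2.1.1:100, is printed although its destination address is not 10.1.1.2), so the generated reference wording "source IP address filter" / "destination IP address filter" should say flow client/server to match; 5.17.4 calls -M "alert-syslog mode", whereas -M sends Snort's own log messages to syslog and has nothing to do with the alert_syslog output, so "syslog logging mode" is the accurate phrase; and the packet-generation notation used in 5.17.10 and 5.17.11 (d(...), c(...), a(...), b(...)) is not explained anywhere in the manual, so either describe the traffic in prose or add one sentence saying what those lines mean. Finally, the introduction's "Snort must be configured at build time with --enable-debug-msgs. However, a growing number of modules ... are providing non-debug trace messages in normal production builds" leaves the reader unable to tell which of the options listed in 5.17.7 and 5.17.12 need a debug build; a per-option marker in the trace parameter list would settle that.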
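Review bot: the host_cache.memcap range changes from { 512:max32 } to { 512:maxSZ }, but every other range token in this reference is max31, max32 or max53 (e.g. file_id.max_files_per_flow { 1:max53 }, rt_global.memcap { 0:max53 }) and maxSZ is not defined anywhere in the visible text. Either add maxSZ to the range-token legend, stating that it is presumably the platform size_t maximum and therefore differs between 32- and 64-bit builds, or use max53 like the other memcaps. The same substitution appears again in the appendix hunk near line 15447.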
@@ -6680,9 +7074,22 @@ Configuration: 0:255 } * int trace.modules.appid.all: enable all trace options { 0:255 } * int trace.modules.decode.all: enable all trace options { 0:255 } + * int trace.constraints.ip_proto: numerical IP protocol ID filter { + 0:255 } + * string trace.constraints.src_ip: source IP address filter + * int trace.constraints.src_port: source port filter { 0:65535 } + * string trace.constraints.dst_ip: destination IP address filter + * int trace.constraints.dst_port: destination port filter { 0:65535 + } * enum trace.output: output method for trace log messages { stdout | syslog } +Commands: + + * trace.set(modules, constraints): set modules traces and + constraints + * trace.clear(): clear modules traces and constraints + --------------------------------------------------------------------- @@ -7428,7 +7835,18 @@ Peg counts: from the service cache (sum) -9.2. arp_spoof +9.2. appid_listener + +-------------- + +What: log selected published data to appid_listener.log + +Type: inspector + +Usage: context + + +9.3. arp_spoof -------------- @@ -7455,7 +7873,7 @@ Peg counts: * arp_spoof.packets: total packets (sum) -9.3. back_orifice +9.4. back_orifice -------------- @@ -7477,7 +7895,7 @@ Peg counts: * back_orifice.packets: total packets (sum) -9.4. binder +9.5. binder -------------- @@ -7529,7 +7947,7 @@ Peg counts: * binder.inspects: inspect bindings (sum) -9.5. cip +9.6. cip -------------- @@ -7567,7 +7985,7 @@ Peg counts: (max) -9.6. data_log +9.7. data_log -------------- @@ -7590,7 +8008,7 @@ Peg counts: * data_log.packets: total packets (sum) -9.7. dce_http_proxy +9.8. dce_http_proxy -------------- @@ -7608,7 +8026,7 @@ Peg counts: sessions (sum) -9.8. dce_http_server +9.9. dce_http_server -------------- @@ -7626,7 +8044,7 @@ Peg counts: sessions (sum) -9.9. dce_smb +9.10. dce_smb -------------- @@ -7796,7 +8214,7 @@ Peg counts: (max) -9.10. dce_tcp +9.11. dce_tcp -------------- 
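Review bot: the command signature added here, trace.set(modules, constraints), reads as two positional arguments, while the 5.17.5 examples pass a single Lua table ({ modules = {...}, constraints = {...} }) and allow either key to be omitted. Add a sentence that modules and constraints are keys of one table argument, or render the signature as trace.set({ modules, constraints }), so readers who copy it into the shell don't pass two separate arguments; the same text is repeated in the shell command list near line 18324. Also, trace.constraints.ip_proto is typed as an int { 0:255 } with no default shown, so state whether omitting it (or setting 0) means any protocol; 5.17.3 only says filtering is disabled by default for the table as a whole.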
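Review bot: the new 9.2 appid_listener entry has a one-line description, "log selected published data to appid_listener.log", and no Configuration, Peg counts or example, so a reader can't tell what "selected published data" covers, where appid_listener.log is written (the file name appears to be fixed), or how to enable the inspector in snort.lua. Every other inspector section in this chapter lists its parameters and pegs; at minimum add the enabling stanza (e.g. appid_listener = { } if it takes no parameters), say which directory the log lands in (log_dir or the current working directory), and name the fields that are logged.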
@@ -7898,13 +8316,17 @@ Peg counts: * dce_tcp.server_frags_reassembled: total connection-oriented server fragments reassembled (sum) * dce_tcp.tcp_sessions: total tcp sessions (sum) + * dce_tcp.tcp_expected_sessions: total tcp dynamic endpoint + expected sessions (sum) + * dce_tcp.tcp_expected_realized: total tcp dynamic endpoint + expected realized sessions (sum) * dce_tcp.tcp_packets: total tcp packets (sum) * dce_tcp.concurrent_sessions: total concurrent sessions (now) * dce_tcp.max_concurrent_sessions: maximum concurrent sessions (max) -9.11. dce_udp +9.12. dce_udp -------------- @@ -7963,7 +8385,7 @@ Peg counts: (max) -9.12. dnp3 +9.13. dnp3 -------------- @@ -8002,7 +8424,7 @@ Peg counts: (max) -9.13. dns +9.14. dns -------------- @@ -8028,7 +8450,7 @@ Peg counts: (max) -9.14. domain_filter +9.15. domain_filter -------------- @@ -8055,7 +8477,7 @@ Peg counts: * domain_filter.filtered: domains filtered (sum) -9.15. dpx +9.16. dpx -------------- @@ -8079,7 +8501,7 @@ Peg counts: * dpx.packets: total packets (sum) -9.16. file_id +9.17. file_id -------------- @@ -8114,7 +8536,7 @@ Configuration: * int file_id.max_files_per_flow = 32: maximal number of files able to be concurrently processed per flow { 1:max53 } * bool file_id.enable_type = true: enable type ID - * bool file_id.enable_signature = true: enable signature + * bool file_id.enable_signature = false: enable signature calculation * bool file_id.enable_capture = false: enable file capture * int file_id.show_data_depth = 100: print this many octets { 
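Review bot: this hunk flips the default of file_id.enable_signature from true to false, which silently turns off SHA-256 computation for any deployment that relied on the old default for file_policy verdict lookups or file event logging, yet only the generated reference line changes; nothing in the user-facing file_id text in this diff mentions it. Add a sentence to the file_id section (and the release notes) stating that signature calculation now has to be enabled explicitly, e.g. file_id = { enable_signature = true }, and that file_policy entries keyed on sha256 will not match under the new default.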
@@ -8148,6 +8570,20 @@ Configuration: data * int file_id.verdict_delay = 0: number of queries to return final verdict { 0:max53 } + * int file_id.b64_decode_depth = -1: base64 decoding depth (-1 no + limit) { -1:65535 } + * int file_id.bitenc_decode_depth = -1: Non-Encoded MIME attachment + extraction depth (-1 no limit) { -1:65535 } + * bool file_id.decompress_pdf = false: decompress pdf files in MIME + attachments + * bool file_id.decompress_swf = false: decompress swf files in MIME + attachments + * bool file_id.decompress_zip = false: decompress zip files in MIME + attachments + * int file_id.qp_decode_depth = -1: Quoted Printable decoding depth + (-1 no limit) { -1:65535 } + * int file_id.uu_decode_depth = -1: Unix-to-Unix decoding depth (-1 + no limit) { -1:65535 } Rules: @@ -8165,7 +8601,7 @@ Peg counts: concurrently on a flow (max) -9.17. file_log +9.18. file_log -------------- @@ -8187,7 +8623,7 @@ Peg counts: * file_log.total_events: total file events (sum) -9.18. finalize_packet +9.19. finalize_packet -------------- @@ -8223,7 +8659,7 @@ Peg counts: * finalize_packet.other_messages: total other message seen (sum) -9.19. ftp_client +9.20. ftp_client -------------- @@ -8249,7 +8685,7 @@ Configuration: sequences on FTP control channel -9.20. ftp_data +9.21. ftp_data -------------- @@ -8264,7 +8700,7 @@ Peg counts: * ftp_data.packets: total packets (sum) -9.21. ftp_server +9.22. ftp_server -------------- @@ -8340,7 +8776,7 @@ Peg counts: sessions (max) -9.22. gtp_inspect +9.23. gtp_inspect -------------- @@ -8381,7 +8817,7 @@ Peg counts: * gtp_inspect.unknown_infos: unknown information elements (sum) -9.23. http2_inspect +9.24. http2_inspect -------------- @@ -8425,7 +8861,7 @@ Peg counts: transfers per HTTP/2 connection (max) -9.24. http_inspect +9.25. http_inspect -------------- @@ -8672,7 +9108,7 @@ Peg counts: cutovers to wizard (sum) -9.25. imap +9.26. imap -------------- 
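Review bot: the new file_id.b64_decode_depth / qp_decode_depth / uu_decode_depth / bitenc_decode_depth entries describe -1 as "no limit" but do not say what 0 means (decoder disabled, or decode nothing and still count?), and they duplicate the four parameters that smtp, pop and imap already expose (5.15.2.14 calls the SMTP ones "identical to their POP and IMAP counterparts"). Document the precedence: whether the file_id values are a global default that the per-inspector settings override, or whether both apply. The decompress_pdf / decompress_swf / decompress_zip booleans likewise need a sentence on which inspectors honor them; as written, readers will assume MIME decompression is on for every protocol as soon as file_id is configured.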
@@ -8727,7 +9163,7 @@ Peg counts: * imap.non_encoded_bytes: total non-encoded extracted bytes (sum) -9.26. mem_test +9.27. mem_test -------------- @@ -8742,7 +9178,7 @@ Peg counts: * mem_test.packets: total packets (sum) -9.27. modbus +9.28. modbus -------------- @@ -8769,7 +9205,7 @@ Peg counts: sessions (max) -9.28. normalizer +9.29. normalizer -------------- @@ -8905,7 +9341,7 @@ Peg counts: * normalizer.tcp_block: blocked segments (sum) -9.29. packet_capture +9.30. packet_capture -------------- @@ -8933,7 +9369,7 @@ Peg counts: filter (sum) -9.30. perf_monitor +9.31. perf_monitor -------------- @@ -8991,7 +9427,7 @@ Peg counts: by new flows (sum) -9.31. pop +9.32. pop -------------- @@ -9047,7 +9483,7 @@ Peg counts: * pop.non_encoded_bytes: total non-encoded extracted bytes (sum) -9.32. port_scan +9.33. port_scan -------------- @@ -9217,7 +9653,7 @@ Peg counts: to reduced memcap (sum) -9.33. reputation +9.34. reputation -------------- @@ -9262,7 +9698,7 @@ Peg counts: * reputation.memory_allocated: total memory allocated (sum) -9.34. rna +9.35. rna -------------- @@ -9305,7 +9741,7 @@ Peg counts: (sum) -9.35. rpc_decode +9.36. rpc_decode -------------- @@ -9332,7 +9768,7 @@ Peg counts: sessions (max) -9.36. rt_global +9.37. rt_global -------------- @@ -9352,13 +9788,14 @@ Configuration: * int rt_global.memcap = 2048: cap on amount of memory used (0 is disabled) { 0:max53 } * bool rt_global.empty_ips = false: ips policy with no rules + * bool rt_global.init_drop_reason = false: populate drop reason map Peg counts: * rt_global.packets: total packets (sum) -9.37. rt_packet +9.38. rt_packet -------------- @@ -9383,7 +9820,7 @@ Peg counts: * rt_packet.retry_packets: total retried packets received (sum) -9.38. rt_service +9.39. rt_service -------------- @@ -9406,7 +9843,7 @@ Peg counts: inject requests (sum) -9.39. s7commplus +9.40. s7commplus -------------- @@ -9433,7 +9870,7 @@ Peg counts: sessions (max) -9.40. sip +9.41. sip -------------- 
@@ -9532,7 +9969,7 @@ Peg counts: * sip.code_9xx: 9xx (sum) -9.41. smtp +9.42. smtp -------------- @@ -9635,7 +10072,7 @@ Peg counts: * smtp.non_encoded_bytes: total non-encoded extracted bytes (sum) -9.42. so_proxy +9.43. so_proxy -------------- @@ -9647,7 +10084,7 @@ Type: inspector Usage: global -9.43. ssh +9.44. ssh -------------- @@ -9685,7 +10122,7 @@ Peg counts: (max) -9.44. ssl +9.45. ssl -------------- @@ -9734,7 +10171,7 @@ Peg counts: (max) -9.45. stream +9.46. stream -------------- @@ -9821,7 +10258,7 @@ Peg counts: deleted by config reloads (sum) -9.46. stream_file +9.47. stream_file -------------- @@ -9836,7 +10273,7 @@ Configuration: * bool stream_file.upload = false: indicate file transfer direction -9.47. stream_icmp +9.48. stream_icmp -------------- @@ -9861,7 +10298,7 @@ Peg counts: * stream_icmp.prunes: icmp session prunes (sum) -9.48. stream_ip +9.49. stream_ip -------------- @@ -9931,7 +10368,7 @@ Peg counts: * stream_ip.fragmented_bytes: total fragmented bytes (sum) -9.49. stream_tcp +9.50. stream_tcp -------------- @@ -10068,6 +10505,8 @@ Peg counts: (sum) * stream_tcp.held_packet_timeouts: number of held packets that timed out (sum) + * stream_tcp.held_packet_purges: number of held packets that were + purged without flushing (sum) * stream_tcp.cur_packets_held: number of packets currently held (now) * stream_tcp.max_packets_held: maximum number of packets held @@ -10081,7 +10520,7 @@ Peg counts: service stream splitter (sum) -9.50. stream_udp +9.51. stream_udp -------------- @@ -10108,7 +10547,7 @@ Peg counts: * stream_udp.ignored: udp packets ignored (sum) -9.51. stream_user +9.52. stream_user -------------- @@ -10124,7 +10563,7 @@ Configuration: 1:max31 } -9.52. telnet +9.53. telnet -------------- @@ -10158,7 +10597,7 @@ Peg counts: sessions (max) -9.53. wizard +9.54. wizard -------------- 
@@ -10228,8 +10667,6 @@ Usage: detect Configuration: - * bool react.msg = false: use rule msg in response page instead of - default message * string react.page: file containing HTTP response (headers and body) @@ -15273,6 +15710,10 @@ these libraries see the Getting Started section of the manual. duplex } * enum file_connector.format: file format { binary | text } * string file_connector.name: channel name + * int file_id.b64_decode_depth = -1: base64 decoding depth (-1 no + limit) { -1:65535 } + * int file_id.bitenc_decode_depth = -1: Non-Encoded MIME attachment + extraction depth (-1 no limit) { -1:65535 } * int file_id.block_timeout = 86400: stop blocking after this many seconds { 0:max31 } * bool file_id.block_timeout_lookup = false: block if lookup times @@ -15285,8 +15726,14 @@ these libraries see the Getting Started section of the manual. megabytes { 0:max53 } * int file_id.capture_min_size = 0: stop file capture if file size less than this { 0:max53 } + * bool file_id.decompress_pdf = false: decompress pdf files in MIME + attachments + * bool file_id.decompress_swf = false: decompress swf files in MIME + attachments + * bool file_id.decompress_zip = false: decompress zip files in MIME + attachments * bool file_id.enable_capture = false: enable file capture - * bool file_id.enable_signature = true: enable signature + * bool file_id.enable_signature = false: enable signature calculation * bool file_id.enable_type = true: enable type ID * bool file_id.file_policy[].use.enable_file_capture = false: true/ 
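Review bot: removing react.msg (here and in its appendix copy near line 16030) drops a configuration option with no replacement or deprecation note, so any existing snort.lua that sets react = { msg = true } will be rejected as an unknown parameter at startup. The user-facing react text is not touched in this diff; either add a line there stating what the response page now does with the rule msg (always used or never used, whichever the code now does) and that msg must be deleted from existing configs, or keep the parameter as a deprecated no-op for one release.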
@@ -15317,6 +15764,8 @@ these libraries see the Getting Started section of the manual. cached in memory { 8:max53 } * int file_id.max_files_per_flow = 32: maximal number of files able to be concurrently processed per flow { 1:max53 } + * int file_id.qp_decode_depth = -1: Quoted Printable decoding depth + (-1 no limit) { -1:65535 } * int file_id.show_data_depth = 100: print this many octets { 0:max53 } * int file_id.signature_depth = 10485760: stop signature at this @@ -15328,6 +15777,8 @@ these libraries see the Getting Started section of the manual. * bool file_id.trace_type = false: enable runtime dump of type info * int file_id.type_depth = 1460: stop type ID at this point { 0:max53 } + * int file_id.uu_decode_depth = -1: Unix-to-Unix decoding depth (-1 + no limit) { -1:65535 } * int file_id.verdict_delay = 0: number of queries to return final verdict { 0:max53 } * bool file_log.log_pkt_time = true: log the packet time when event @@ -15447,7 +15898,7 @@ these libraries see the Getting Started section of the manual. * string host_cache.dump_file: file name to dump host cache on shutdown; won’t dump by default * int host_cache.memcap = 8388608: maximum host cache size in bytes - { 512:max32 } + { 512:maxSZ } * enum hosts[].frag_policy: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris } * addr hosts[].ip = 0.0.0.0/32: hosts address / CIDR @@ -16030,8 +16481,6 @@ these libraries see the Getting Started section of the manual. * int rate_filter[].timeout = 1: count interval { 0:max32 } * enum rate_filter[].track = by_src: filter only matching source or destination addresses { by_src | by_dst | by_rule } - * bool react.msg = false: use rule msg in response page instead of - default message * string react.page: file containing HTTP response (headers and body) * string reference.~ref: reference: , 
@@ -16087,6 +16536,7 @@ these libraries see the Getting Started section of the manual. * int rt_global.downshift_packet = 0: attempt downshift at this packet on flow (0 is disabled) { 0:max32 } * bool rt_global.empty_ips = false: ips policy with no rules + * bool rt_global.init_drop_reason = false: populate drop reason map * int rt_global.memcap = 2048: cap on amount of memory used (0 is disabled) { 0:max53 } * bool rt_packet.retry_all = false: request retry for all non-retry @@ -16609,6 +17059,13 @@ these libraries see the Getting Started section of the manual. * bool telnet.encrypted_traffic = false: check for encrypted Telnet * bool telnet.normalize = false: eliminate escape sequences * interval tos.~range: check if IP TOS is in given range { 0:255 } + * string trace.constraints.dst_ip: destination IP address filter + * int trace.constraints.dst_port: destination port filter { 0:65535 + } + * int trace.constraints.ip_proto: numerical IP protocol ID filter { + 0:255 } + * string trace.constraints.src_ip: source IP address filter + * int trace.constraints.src_port: source port filter { 0:65535 } * int trace.modules.appid.all: enable all trace options { 0:255 } * int trace.modules.dce_smb.all: enable all trace options { 0:255 } * int trace.modules.dce_udp.all: enable all trace options { 0:255 } @@ -16634,6 +17091,10 @@ these libraries see the Getting Started section of the manual. * int trace.modules.gtp_inspect.all: enable all trace options { 0:255 } * int trace.modules.latency.all: enable all trace options { 0:255 } + * int trace.modules.snort.all: enable all trace options { 0:255 } + * int trace.modules.snort.inspector_manager: enable inspector + manager trace logging { 0:255 } + * int trace.modules.snort.main: enable main trace logging { 0:255 } * int trace.modules.stream.all: enable all trace options { 0:255 } * int trace.modules.stream_ip.all: enable all trace options { 0:255 } 
@@ -16892,6 +17353,10 @@ these libraries see the Getting Started section of the manual. * dce_tcp.server_segs_reassembled: total connection-oriented server segments reassembled (sum) * dce_tcp.shutdowns: total connection-oriented shutdowns (sum) + * dce_tcp.tcp_expected_realized: total tcp dynamic endpoint + expected realized sessions (sum) + * dce_tcp.tcp_expected_sessions: total tcp dynamic endpoint + expected sessions (sum) * dce_tcp.tcp_packets: total tcp packets (sum) * dce_tcp.tcp_sessions: total tcp sessions (sum) * dce_udp.acks: total connection-less acks (sum) @@ -17049,6 +17514,7 @@ these libraries see the Getting Started section of the manual. * host_cache.reload_prunes: lru cache pruned entry for lower memcap during reload (sum) * host_cache.removes: lru cache found entry and removed it (sum) + * host_cache.replaced: lru cache found entry and replaced it (sum) * host_tracker.service_adds: host service adds (sum) * host_tracker.service_finds: host service finds (sum) * http2_inspect.concurrent_sessions: total concurrent HTTP/2 @@ -17497,6 +17963,8 @@ these libraries see the Getting Started section of the manual. segment limit was reached (sum) * stream_tcp.fins: number of fin packets (sum) * stream_tcp.gaps: missing data between PDUs (sum) + * stream_tcp.held_packet_purges: number of held packets that were + purged without flushing (sum) * stream_tcp.held_packet_rexmits: number of retransmits of held packets (sum) * stream_tcp.held_packets_dropped: number of held packets dropped @@ -18324,6 +18792,9 @@ these libraries see the Getting Started section of the manual. * snort.detach(): exit shell w/o shutdown * snort.quit(): shutdown and dump-stats * snort.help(): this output + * trace.set(modules, constraints): set modules traces and + constraints + * trace.clear(): clear modules traces and constraints 20.9. Signals 
@@ -18650,8 +19121,6 @@ deleted -> pop: 'disabled' deleted -> pop: 'max_mime_mem' deleted -> pop: 'memcap' deleted -> ppm: 'debug-pkts' -deleted -> react: 'block' -deleted -> react: 'warn' deleted -> reputation: 'shared_max_instances' deleted -> reputation: 'shared_refresh' deleted -> rpc_decode: 'alert_fragments' @@ -18721,6 +19190,8 @@ deleted -> unified2: 'vlan_event_types' * alert_unixsock (logger): output event over unix socket * alerts (basic): configure alerts * appid (inspector): application and service identification + * appid_listener (inspector): log selected published data to + appid_listener.log * appids (ips_option): detection option for application ids * arp (codec): support for address resolution protocol * arp_spoof (inspector): detect ARP attacks and anomalies @@ -19114,6 +19585,8 @@ deleted -> unified2: 'vlan_event_types' * connector::file_connector: implement the file based connector * connector::tcp_connector: implement the tcp stream connector * inspector::appid: application and service identification + * inspector::appid_listener: log selected published data to + appid_listener.log * inspector::arp_spoof: detect ARP attacks and anomalies * inspector::back_orifice: back orifice detection * inspector::binder: configure processing based on CIDRs, ports, diff --git a/src/main/build.h b/src/main/build.h index 58355b176..63325a081 100644 --- a/src/main/build.h +++ b/src/main/build.h @@ -12,7 +12,7 @@ // // //-----------------------------------------------// -#define BUILD_NUMBER 4 +#define BUILD_NUMBER 5 #ifndef EXTRABUILD #define BUILD STRINGIFY_MX(BUILD_NUMBER)
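Review bot: The default flip of `file_id.enable_signature` from `true` to `false` in hunk @@ -15285,8 +15726,14 silently disables file hash calculation for any deployment that relied on the previous default, and nothing in the listing tells such users what to do; since the same hunk adds three `decompress_*` options that also default to `false`, it would help to state in the option text (or the accompanying notes) that signature calculation and MIME decompression are now opt-in and must be enabled explicitly, e.g. `file_id = { enable_signature = true }`, before file-based malware lookups keep working as before.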
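Review bot: The new decoding depths added in hunks @@ -15273,6 +15710,10, @@ -15317,6 +15764,8 and @@ -15328,6 +15777,8 (`b64_decode_depth`, `bitenc_decode_depth`, `qp_decode_depth`, `uu_decode_depth`) use the range `{ -1:65535 }` while the neighbouring depth options on the same lines (`signature_depth`, `type_depth`, `capture_min_size`) use `{ 0:max53 }`; confirm that a hard 65535-byte ceiling with `-1` meaning unlimited is intended for these four decoders, and make the option descriptions consistent in capitalisation ("base64 decoding depth" vs "Non-Encoded MIME attachment extraction depth" vs "Quoted Printable decoding depth").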
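Review bot: In hunk @@ -15447,7 +15898,7 the range of `host_cache.memcap` changes from `{ 512:max32 }` to `{ 512:maxSZ }`, and `maxSZ` is a range token that appears nowhere else in the visible listing (the other options use `max31`, `max32` or `max53`); make sure the manual's range-notation legend defines `maxSZ` so readers can tell what the new upper bound is.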
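Review bot: The new `trace.constraints.dst_ip` and `trace.constraints.src_ip` filters in hunk @@ -16609,6 +17059,13 are typed `string` with the bare description "destination IP address filter" / "source IP address filter", whereas other address-valued options in the same manual use the `addr` type with an explicit format (`addr hosts[].ip = 0.0.0.0/32: hosts address / CIDR`); the description should say what the string accepts (a single IPv4/IPv6 address, a CIDR, a list) so that a filter that fails to parse is not silently ignored at runtime.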
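Review bot: The shell command text added in hunk @@ -18324,6 +18792,9 reads "set modules traces and constraints" / "clear modules traces and constraints"; "module traces" is the intended grammar, and it would be worth stating whether `trace.set(modules, constraints)` replaces the current trace configuration or merges into it, since `trace.clear()` exists as a separate command and the two have to be read together to know how to reset tracing on a live sensor.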
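Review bot: Hunks @@ -10228,8 +10667,6 and @@ -16030,8 +16481,6 drop `react.msg` from the documented options, but the snort2lua section in hunk @@ -18650,8 +19121,6 removes the `deleted -> react: 'block'` and `deleted -> react: 'warn'` entries rather than adding one for `msg`; confirm that this is the intended migration behaviour (block/warn now converted rather than reported as deleted) and that a Snort 2 react rule carrying `msg` still produces a clear conversion notice instead of being dropped silently.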
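Review bot: The new `appid_listener` inspector described in hunks @@ -18721,6 +19190,8 and @@ -19114,6 +19585,8 is documented as logging "selected published data to appid_listener.log" with a fixed bare file name; the description should say where that file is written (under the configured log directory or the working directory) and whether the path is configurable, because an inspector that writes an additional log to an unexpected location is easy to miss when hardening file permissions on a sensor.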