From: Michael Altizer (mialtize) Date: Thu, 11 Mar 2021 21:10:46 +0000 (+0000) Subject: Merge pull request #2791 in SNORT/snort3 from ~MIALTIZE/snort3:3_1_2_0 to master X-Git-Tag: 3.1.2.0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f73ded202a0ca1072ecbf5852dfb639f11ecbfb6;p=thirdparty%2Fsnort3.git Merge pull request #2791 in SNORT/snort3 from ~MIALTIZE/snort3:3_1_2_0 to master Squashed commit of the following: commit 61f2ce2932087540afd85ba847dd164bdb68dd25 Author: Michael Altizer Date: Thu Mar 11 14:53:33 2021 -0500 build: Generate and tag 3.1.2.0 --- diff --git a/CMakeLists.txt b/CMakeLists.txt index 401e25228..ba3dcedb9 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -3,7 +3,7 @@ project (snort CXX C) set (VERSION_MAJOR 3) set (VERSION_MINOR 1) -set (VERSION_PATCH 1) +set (VERSION_PATCH 2) set (VERSION_SUBLEVEL 0) set (VERSION "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}.${VERSION_SUBLEVEL}") diff --git a/ChangeLog b/ChangeLog index 5a609eb29..3bf1d664d 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,83 @@ +2021/03/11 - 3.1.2.0 + +-- action_manager: Remove unused cached reject action +-- appid: Always get appid inspector from default inspection policy +-- appid: Fixes for cppcheck warnings +-- appid: Get uri from http event even when http host is not present +-- appid: Load lua detectors for packet threads from compiled lua bytecode during detector reload +-- appid: Remove app forecast method +-- appid: Remove detectors for obsolete apps - AOL instant messenger and Yahoo messenger +-- appid: Send reloading detectors message to socket immediately +-- appid: Update IMAP service detector pattern +-- appid: Use opportunistic tls event to set decryption countdown for SMTP detector +-- binder: Apply host attribute table information at the beginning of flow setup +-- binder: Clean up std namespace usage +-- binder: Use service inspector caching to improve get_gadget() performance +-- binder: Use the first match for non-terminal binding usage +-- build: Do one more pass of modernizing the C++ code +-- dce_rpc: Handle async responses in smbv2 +-- dce_rpc: Pass proper file id in file api from smb1 +-- decompress: Add support for streaming ZIPs +-- detection: Use IP and port variables from the targeted policy +-- doc: Remove http detained inspection from user manual +-- doc: Update documentation for ips.states +-- file_magic: Add pattern for pcapng +-- flow: Add new flag to indicate elephant flow +-- ftp_telnet: Implement init_partial_flush for ftp data +-- ftp_telnet: Respect telnet_cmds config for raising 125:1 +-- host_attributes: Update api to reduce use of shared_pointer +-- http2_inspect: Limit number of concurrent streams +-- http2_inspect: Process rst_stream frame +-- http_inspect: IPv6 authority in URI +-- http_inspect: Javascript support cleanup +-- http_inspect: Partial inspection for 0 length chunk +-- http_inspect: Remove detained inspection +-- http_inspect: Remove unused events +-- http_inspect: Temporarily restore detained_inspection parameter 
+-- iec104: Add documentation for iec104 service inspector +-- iec104: Additional input sanitization, syntax, and style changes +-- iec104: Integrate new iec104 protocol service inspector +-- inspector_manager: Instantiate default binder as long as a wizard or stream are present +-- ips_options: Update cursor position for relative pcre +-- ipv4: Correct the calculation for illegal fragment offset checks +-- log: Add printf format attribute to TextLog_Print() and clean up the fallout +-- log: Base logging the Ethernet header on proto bits rather than DLT +-- loggers: Fix excessive byte reordering when printing MPLS labels in CSV and JSON +-- main: Fix accumulating and printing codec stats at run time +-- managers: Enforce strict parsing for binder aliases +-- managers: Pass the configuration to default module's end() +-- managers: Perform sanity checks on set_alias() parameters +-- memory: Free memory space while updating allocation +-- module: Introduced new api to clear global active module counters +-- module_manager: Enforce interest in global modules only in the default policy +-- mpls: Add next layer autodetection and implement codec logging +-- mpls: Refactor mpls.enable_mpls_overlapping_ip into packet.mpls_agnostic +-- mpls: Remove enable_mpls_multicast option +-- packet_capture: Add group filter for packet capture +-- packet_tracer: Add daq buffer to hold daq logs +-- perf_monitor: Fix finalizing JSON output files for trackers +-- portscan: Fix decoy and distributed scan logic +-- portscan: Fix delimiter for ports in config +-- portscan: Fix IP scans not alerting +-- protocols: Add initial support for multilayer compound codecs +-- protocols: Add peg count for decodes that exceeded the max layers +-- protocols: Consistently encapsulate exported protocol headers in the snort namespace +-- reputation: Add peg count for total alerts +-- reputation: Remove deprecated redundant terms +-- rna: Discover NetBIOS name +-- snort: Clear snort counter for modules, daq, 
file_id, appid +-- snort: Update for DAQ_FlowStats_t structure and field name changes +-- snort_config: Clean up and annotate command line config merge process +-- snort_config: Remove unnecessary command line options +-- stream: Always use latest splitter from tracker after paf_check +-- stream: Do not update service from appid to host attributes if nothing is changed +-- stream: Set block pending flag when a flow is dropped +-- stream_tcp: Ensure flows aren't pruned while processing a PDU +-- stream_tcp: Flush queued segments when FIN is received +-- stream_tcp: Support data on SYN by default with or without Fast Open option +-- trans_bridge: Lift the log() implementation from the root Ethernet codec +-- wizard: Add support for sslv2 detection + 2021/01/28 - 3.1.1.0 -- appid: Add support for snmpv3 report pdu diff --git a/doc/reference/snort_reference.text b/doc/reference/snort_reference.text index 217ce759f..23aed7e43 100644 --- a/doc/reference/snort_reference.text +++ b/doc/reference/snort_reference.text @@ -8,7 +8,7 @@ Snort 3 Reference Manual The Snort Team Revision History -Revision 3.1.1.0 2021-01-28 10:50:42 EST TST +Revision 3.1.2.0 2021-03-11 14:57:04 EST TST --------------------------------------------------------------------- 
@@ -109,34 +109,35 @@ Table of Contents 5.22. gtp_inspect 5.23. http2_inspect 5.24. http_inspect - 5.25. imap - 5.26. mem_test - 5.27. modbus - 5.28. netflow - 5.29. normalizer - 5.30. null_trace_logger - 5.31. packet_capture - 5.32. perf_monitor - 5.33. pop - 5.34. port_scan - 5.35. reputation - 5.36. rna - 5.37. rpc_decode - 5.38. s7commplus - 5.39. sip - 5.40. smtp - 5.41. so_proxy - 5.42. ssh - 5.43. ssl - 5.44. stream - 5.45. stream_file - 5.46. stream_icmp - 5.47. stream_ip - 5.48. stream_tcp - 5.49. stream_udp - 5.50. stream_user - 5.51. telnet - 5.52. wizard + 5.25. iec104 + 5.26. imap + 5.27. mem_test + 5.28. modbus + 5.29. netflow + 5.30. normalizer + 5.31. null_trace_logger + 5.32. packet_capture + 5.33. perf_monitor + 5.34. pop + 5.35. port_scan + 5.36. reputation + 5.37. rna + 5.38. rpc_decode + 5.39. s7commplus + 5.40. sip + 5.41. smtp + 5.42. so_proxy + 5.43. ssh + 5.44. ssl + 5.45. stream + 5.46. stream_file + 5.47. stream_icmp + 5.48. stream_ip + 5.49. stream_tcp + 5.50. stream_udp + 5.51. stream_user + 5.52. telnet + 5.53. wizard 6. IPS Action Modules 
@@ -216,54 +217,56 @@ Table of Contents 7.68. icmp_seq 7.69. icode 7.70. id - 7.71. ip_proto - 7.72. ipopts - 7.73. isdataat - 7.74. itype - 7.75. md5 - 7.76. metadata - 7.77. modbus_data - 7.78. modbus_func - 7.79. modbus_unit - 7.80. msg - 7.81. mss - 7.82. pcre - 7.83. pkt_data - 7.84. pkt_num - 7.85. priority - 7.86. raw_data - 7.87. reference - 7.88. regex - 7.89. rem - 7.90. replace - 7.91. rev - 7.92. rpc - 7.93. s7commplus_content - 7.94. s7commplus_func - 7.95. s7commplus_opcode - 7.96. sd_pattern - 7.97. seq - 7.98. service - 7.99. sha256 - 7.100. sha512 - 7.101. sid - 7.102. sip_body - 7.103. sip_header - 7.104. sip_method - 7.105. sip_stat_code - 7.106. so - 7.107. soid - 7.108. ssl_state - 7.109. ssl_version - 7.110. stream_reassemble - 7.111. stream_size - 7.112. tag - 7.113. target - 7.114. tos - 7.115. ttl - 7.116. urg - 7.117. window - 7.118. wscale + 7.71. iec104_apci_type + 7.72. iec104_asdu_func + 7.73. ip_proto + 7.74. ipopts + 7.75. isdataat + 7.76. itype + 7.77. md5 + 7.78. metadata + 7.79. modbus_data + 7.80. modbus_func + 7.81. modbus_unit + 7.82. msg + 7.83. mss + 7.84. pcre + 7.85. pkt_data + 7.86. pkt_num + 7.87. priority + 7.88. raw_data + 7.89. reference + 7.90. regex + 7.91. rem + 7.92. replace + 7.93. rev + 7.94. rpc + 7.95. s7commplus_content + 7.96. s7commplus_func + 7.97. s7commplus_opcode + 7.98. sd_pattern + 7.99. seq + 7.100. service + 7.101. sha256 + 7.102. sha512 + 7.103. sid + 7.104. sip_body + 7.105. sip_header + 7.106. sip_method + 7.107. sip_stat_code + 7.108. so + 7.109. soid + 7.110. ssl_state + 7.111. ssl_version + 7.112. stream_reassemble + 7.113. stream_size + 7.114. tag + 7.115. target + 7.116. tos + 7.117. ttl + 7.118. urg + 7.119. window + 7.120. wscale 8. Search Engine Modules 9. SO Rule Modules 
@@ -1090,8 +1093,10 @@ Configuration: before stopping (0 is unlimited) { 0:max53 } * int packets.skip = 0: number of packets to skip before before processing { 0:max53 } - * bool packets.vlan_agnostic = false: determines whether VLAN info - is used to track fragments and connections + * bool packets.mpls_agnostic = true: determines whether MPLS labels + are used to track fragments and connections + * bool packets.vlan_agnostic = false: determines whether VLAN tags + are used to track fragments and connections 2.22. payload_injector @@ -1521,10 +1526,6 @@ Configuration: line starting with END is read * implied snort.--talos: enable Talos tweak (same as --tweaks talos) - * implied snort.--treat-drop-as-alert: converts drop, block, and - reset rules into alert rules when loaded - * implied snort.--treat-drop-as-ignore: use drop, block, and reset - rules to ignore session traffic when not inline * string snort.--tweaks: tune configuration * implied snort.--version: show version number (same as -V) * implied snort.--warn-all: enable all warnings @@ -1557,6 +1558,7 @@ Commands: * snort.delete_inspector(inspector): delete an inspector from the default policy * snort.dump_stats(): show summary statistics + * snort.reset_stats(): clear summary statistics * snort.rotate_stats(): roll perfmonitor log files * snort.reload_config(filename): load new configuration * snort.reload_policy(filename): reload part or all of the default @@ -1650,6 +1652,9 @@ Configuration: * int trace.modules.dpx.all: enable all trace options { 0:255 } * int trace.modules.gtp_inspect.all: enable all trace options { 0:255 } + * int trace.modules.iec104.all: enable all trace options { 0:255 } + * int trace.modules.iec104.identification: enable IEC104 APDU + identification trace logging { 0:255 } * int trace.modules.latency.all: enable all trace options { 0:255 } * int trace.modules.react.all: enable all trace options { 0:255 } * int trace.modules.rna.all: enable all trace options { 0:255 } 
@@ -2120,31 +2125,23 @@ Usage: context Configuration: - * bool mpls.enable_mpls_multicast = false: enables support for MPLS - multicast - * bool mpls.enable_mpls_overlapping_ip = false: enable if private - network addresses overlap and must be differentiated by MPLS - label(s) - * int mpls.max_mpls_stack_depth = -1: set MPLS stack depth { -1:255 - } - * enum mpls.mpls_payload_type = ip4: set encapsulated payload type - { eth | ip4 | ip6 } + * int mpls.max_stack_depth = -1: set maximum MPLS stack depth { + -1:255 } + * enum mpls.payload_type = auto: force encapsulated payload type { + auto | eth | ip4 | ip6 } Rules: * 116:170 (mpls) bad MPLS frame - * 116:171 (mpls) MPLS label 0 appears in non-bottom header + * 116:171 (mpls) MPLS label 0 appears in bottom header when not + decoding as ip4 * 116:172 (mpls) MPLS label 1 appears in bottom header - * 116:173 (mpls) MPLS label 2 appears in non-bottom header + * 116:173 (mpls) MPLS label 2 appears in bottom header when not + decoding as ip6 * 116:174 (mpls) MPLS label 3 appears in header * 116:175 (mpls) MPLS label 4, 5,.. or 15 appears in header * 116:176 (mpls) too many MPLS headers -Peg counts: - - * mpls.total_packets: total mpls labeled packets processed (sum) - * mpls.total_bytes: total mpls labeled bytes processed (sum) - 3.19. pbb @@ -3602,6 +3599,10 @@ Rules: time * 121:26 (http2_inspect) invalid parameter value sent in HTTP/2 settings frame + * 121:27 (http2_inspect) excessive concurrent HTTP/2 streams + * 121:28 (http2_inspect) invalid HTTP/2 rst stream frame + * 121:29 (http2_inspect) HTTP/2 rst stream frame sent at invalid + time Peg counts: @@ -3616,6 +3617,10 @@ Peg counts: transfers per HTTP/2 connection (max) * http2_inspect.total_bytes: total HTTP/2 data bytes inspected (sum) + * http2_inspect.max_concurrent_streams: maximum concurrent streams + per HTTP/2 connection (max) + * http2_inspect.flows_over_stream_limit: HTTP/2 flows exceeding 100 + concurrent streams (sum) 5.24. http_inspect 
@@ -3646,8 +3651,8 @@ Configuration: response bodies * bool http_inspect.decompress_zip = false: decompress zip files in response bodies - * bool http_inspect.detained_inspection = false: store-and-forward - as necessary to effectively block alerting JavaScript + * bool http_inspect.detained_inspection = false: obsolete, do not + configure * bool http_inspect.script_detection = false: inspect JavaScript immediately upon script end * bool http_inspect.normalize_javascript = false: normalize @@ -3694,7 +3699,6 @@ Rules: * 119:2 (http_inspect) double decoding attack * 119:3 (http_inspect) u encoding * 119:4 (http_inspect) bare byte unicode encoding - * 119:5 (http_inspect) obsolete event—deleted * 119:6 (http_inspect) UTF-8 encoding * 119:7 (http_inspect) unicode map code point encoding in URI * 119:8 (http_inspect) multi_slash encoding 
@@ -3706,35 +3710,21 @@ Rules: CR * 119:14 (http_inspect) non-RFC defined char * 119:15 (http_inspect) oversize request-uri directory - * 119:16 (http_inspect) oversize chunk encoding - * 119:17 (http_inspect) unauthorized proxy use detected * 119:18 (http_inspect) webroot directory traversal * 119:19 (http_inspect) long header * 119:20 (http_inspect) max header fields * 119:21 (http_inspect) multiple content length - * 119:22 (http_inspect) obsolete event—deleted - * 119:23 (http_inspect) invalid IP in true-client-IP/XFF header - * 119:24 (http_inspect) multiple host hdrs detected - * 119:25 (http_inspect) hostname exceeds 255 characters - * 119:26 (http_inspect) too much whitespace in header (not - implemented yet) - * 119:27 (http_inspect) client consecutive small chunk sizes + * 119:24 (http_inspect) Host header field appears more than once or + has multiple values * 119:28 (http_inspect) POST or PUT w/o content-length or chunks - * 119:29 (http_inspect) multiple true ips in a session - * 119:30 (http_inspect) both true-client-IP and XFF hdrs present * 119:31 (http_inspect) unknown method * 119:32 (http_inspect) simple request * 119:33 (http_inspect) unescaped space in HTTP URI * 119:34 (http_inspect) too many pipelined requests - * 119:101 (http_inspect) obsolete event—deleted * 119:102 (http_inspect) invalid status code in HTTP response - * 119:103 (http_inspect) unused event number—should not appear * 119:104 (http_inspect) HTTP response has UTF charset that failed to normalize * 119:105 (http_inspect) HTTP response has UTF-7 charset - * 119:106 (http_inspect) HTTP response gzip decompression failed - * 119:107 (http_inspect) server consecutive small chunk sizes - * 119:108 (http_inspect) unused event number—should not appear * 119:109 (http_inspect) javascript obfuscation levels exceeds 1 * 119:110 (http_inspect) javascript whitespaces exceeds max allowed * 119:111 (http_inspect) multiple encodings within javascript 
@@ -3867,12 +3857,10 @@ Peg counts: (now) * http_inspect.max_concurrent_sessions: maximum concurrent http sessions (max) - * http_inspect.detains_requested: packet hold requests for detained - inspection (sum) * http_inspect.script_detections: early inspections of scripts in HTTP responses (sum) - * http_inspect.partial_inspections: pre-inspections for detained - inspection (sum) + * http_inspect.partial_inspections: early inspections done for + script detection (sum) * http_inspect.excess_parameters: repeat parameters exceeding max (sum) * http_inspect.parameters: HTTP parameters inspected (sum) 
@@ -3887,7 +3875,146 @@ Peg counts: * http_inspect.total_bytes: total HTTP data bytes inspected (sum) -5.25. imap +5.25. iec104 + +-------------- + +Help: iec104 inspection + +Type: inspector (service) + +Usage: inspect + +Instance Type: multiton + +Rules: + + * 151:1 (iec104) (spp_iec104): Length in IEC104 APCI header does + not match the length needed for the given IEC104 ASDU type id. + * 151:2 (iec104) (spp_iec104): IEC104 Start byte does not match + 0x68. + * 151:3 (iec104) (spp_iec104): Reserved IEC104 ASDU type id in use. + * 151:4 (iec104) (spp_iec104): IEC104 APCI U Reserved field + contains a non-default value. + * 151:5 (iec104) (spp_iec104): IEC104 APCI U message type was set + to an invalid value. + * 151:6 (iec104) (spp_iec104): IEC104 APCI S Reserved field + contains a non-default value. + * 151:7 (iec104) (spp_iec104): IEC104 APCI I number of elements set + to zero. + * 151:8 (iec104) (spp_iec104): IEC104 APCI I SQ bit set on an ASDU + that does not support the feature. + * 151:9 (iec104) (spp_iec104): IEC104 APCI I number of elements set + to greater than one on an ASDU that does not support the feature. + * 151:10 (iec104) (spp_iec104): IEC104 APCI I Cause of + Initialization set to a reserved value. + * 151:11 (iec104) (spp_iec104): IEC104 APCI I Qualifier of + Interrogation Command set to a reserved value. + * 151:12 (iec104) (spp_iec104): IEC104 APCI I Qualifier of Counter + Interrogation Command request parameter set to a reserved value. + * 151:13 (iec104) (spp_iec104): IEC104 APCI I Qualifier of + Parameter of Measured Values kind of parameter set to a reserved + value. + * 151:14 (iec104) (spp_iec104): IEC104 APCI I Qualifier of + Parameter of Measured Values local parameter change set to a + technically valid but unused value. + * 151:15 (iec104) (spp_iec104): IEC104 APCI I Qualifier of + Parameter of Measured Values parameter option set to a + technically valid but unused value. 
+ * 151:16 (iec104) (spp_iec104): IEC104 APCI I Qualifier of + Parameter Activation set to a reserved value. + * 151:17 (iec104) (spp_iec104): IEC104 APCI I Qualifier of Command + set to a reserved value. + * 151:18 (iec104) (spp_iec104): IEC104 APCI I Qualifier of Reset + Process set to a reserved value. + * 151:19 (iec104) (spp_iec104): IEC104 APCI I File Ready Qualifier + set to a reserved value. + * 151:20 (iec104) (spp_iec104): IEC104 APCI I Section Ready + Qualifier set to a reserved value. + * 151:21 (iec104) (spp_iec104): IEC104 APCI I Select and Call + Qualifier set to a reserved value. + * 151:22 (iec104) (spp_iec104): IEC104 APCI I Last Section or + Segment Qualifier set to a reserved value. + * 151:23 (iec104) (spp_iec104): IEC104 APCI I Acknowledge File or + Section Qualifier set to a reserved value. + * 151:24 (iec104) (spp_iec104): IEC104 APCI I Structure Qualifier + set on a message where it should have no effect. + * 151:25 (iec104) (spp_iec104): IEC104 APCI I Single Point + Information Reserved field contains a non-default value. + * 151:26 (iec104) (spp_iec104): IEC104 APCI I Double Point + Information Reserved field contains a non-default value. + * 151:27 (iec104) (spp_iec104): IEC104 APCI I Cause of Transmission + set to a reserved value. + * 151:28 (iec104) (spp_iec104): IEC104 APCI I Cause of Transmission + set to a value not allowed for the ASDU. + * 151:29 (iec104) (spp_iec104): IEC104 APCI I invalid two octet + common address value detected. + * 151:30 (iec104) (spp_iec104): IEC104 APCI I Quality Descriptor + Structure Reserved field contains a non-default value. + * 151:31 (iec104) (spp_iec104): IEC104 APCI I Quality Descriptor + for Events of Protection Equipment Structure Reserved field + contains a non-default value. + * 151:32 (iec104) (spp_iec104): IEC104 APCI I IEEE STD 754 value + results in NaN. + * 151:33 (iec104) (spp_iec104): IEC104 APCI I IEEE STD 754 value + results in infinity. 
+ * 151:34 (iec104) (spp_iec104): IEC104 APCI I Single Event of + Protection Equipment Structure Reserved field contains a + non-default value. + * 151:35 (iec104) (spp_iec104): IEC104 APCI I Start Event of + Protection Equipment Structure Reserved field contains a + non-default value. + * 151:36 (iec104) (spp_iec104): IEC104 APCI I Output Circuit + Information Structure Reserved field contains a non-default + value. + * 151:37 (iec104) (spp_iec104): IEC104 APCI I Abnormal Fixed Test + Bit Pattern detected. + * 151:38 (iec104) (spp_iec104): IEC104 APCI I Single Command + Structure Reserved field contains a non-default value. + * 151:39 (iec104) (spp_iec104): IEC104 APCI I Double Command + Structure contains an invalid value. + * 151:40 (iec104) (spp_iec104): IEC104 APCI I Regulating Step + Command Structure Reserved field contains a non-default value. + * 151:41 (iec104) (spp_iec104): IEC104 APCI I Time2a Millisecond + set outside of the allowable range. + * 151:42 (iec104) (spp_iec104): IEC104 APCI I Time2a Minute set + outside of the allowable range. + * 151:43 (iec104) (spp_iec104): IEC104 APCI I Time2a Minute + Reserved field contains a non-default value. + * 151:44 (iec104) (spp_iec104): IEC104 APCI I Time2a Hours set + outside of the allowable range. + * 151:45 (iec104) (spp_iec104): IEC104 APCI I Time2a Hours Reserved + field contains a non-default value. + * 151:46 (iec104) (spp_iec104): IEC104 APCI I Time2a Day of Month + set outside of the allowable range. + * 151:47 (iec104) (spp_iec104): IEC104 APCI I Time2a Month set + outside of the allowable range. + * 151:48 (iec104) (spp_iec104): IEC104 APCI I Time2a Month Reserved + field contains a non-default value. + * 151:49 (iec104) (spp_iec104): IEC104 APCI I Time2a Year set + outside of the allowable range. + * 151:50 (iec104) (spp_iec104): IEC104 APCI I Time2a Year Reserved + field contains a non-default value. 
+ * 151:51 (iec104) (spp_iec104): IEC104 APCI I a null Length of + Segment value has been detected. + * 151:52 (iec104) (spp_iec104): IEC104 APCI I an invalid Length of + Segment value has been detected. + * 151:53 (iec104) (spp_iec104): IEC104 APCI I Status of File set to + a reserved value. + * 151:54 (iec104) (spp_iec104): IEC104 APCI I Qualifier of Set + Point Command ql field set to a reserved value. + +Peg counts: + + * iec104.sessions: total sessions processed (sum) + * iec104.frames: total IEC104 messages (sum) + * iec104.concurrent_sessions: total concurrent IEC104 sessions + (now) + * iec104.max_concurrent_sessions: maximum concurrent IEC104 + sessions (max) + + +5.26. imap -------------- @@ -3948,7 +4075,7 @@ Peg counts: * imap.non_encoded_bytes: total non-encoded extracted bytes (sum) -5.26. mem_test +5.27. mem_test -------------- @@ -3965,7 +4092,7 @@ Peg counts: * mem_test.packets: total packets (sum) -5.27. modbus +5.28. modbus -------------- @@ -3994,7 +4121,7 @@ Peg counts: sessions (max) -5.28. netflow +5.29. netflow -------------- @@ -4024,7 +4151,7 @@ Peg counts: * netflow.unique_flows: count of unique netflow flows (sum) -5.29. normalizer +5.30. normalizer -------------- @@ -4162,7 +4289,7 @@ Peg counts: * normalizer.tcp_block: blocked segments (sum) -5.30. null_trace_logger +5.31. null_trace_logger -------------- @@ -4175,7 +4302,7 @@ Usage: global Instance Type: global -5.31. packet_capture +5.32. packet_capture -------------- @@ -4192,10 +4319,12 @@ Configuration: * bool packet_capture.enable = false: initially enable packet dumping * string packet_capture.filter: bpf filter to use for packet dump + * int packet_capture.group = -1: group filter to use for the packet + dump { -1:32767 } Commands: - * packet_capture.enable(filter): dump raw packets + * packet_capture.enable(filter, group): dump raw packets * packet_capture.disable(): stop packet dump Peg counts: 
@@ -4205,7 +4334,7 @@ Peg counts: filter (sum) -5.32. perf_monitor +5.33. perf_monitor -------------- @@ -4265,7 +4394,7 @@ Peg counts: by new flows (sum) -5.33. pop +5.34. pop -------------- @@ -4327,7 +4456,7 @@ Peg counts: * pop.non_encoded_bytes: total non-encoded extracted bytes (sum) -5.34. port_scan +5.35. port_scan -------------- @@ -4499,7 +4628,7 @@ Peg counts: to reduced memcap (sum) -5.35. reputation +5.36. reputation -------------- @@ -4514,7 +4643,6 @@ Instance Type: global Configuration: * string reputation.blocklist: blocklist file name with IP lists - * string reputation.blacklist: blacklist file name with IP lists * string reputation.list_dir: directory for IP lists and manifest file * int reputation.memcap = 500: maximum total MB of memory allocated @@ -4522,16 +4650,12 @@ Configuration: * enum reputation.nested_ip = inner: IP to use when there is IP encapsulation { inner|outer|all } * enum reputation.priority = allowlist: defines priority when there - is a decision conflict during run-time { blocklist|allowlist| - blacklist|whitelist } + is a decision conflict during run-time { blocklist|allowlist } * bool reputation.scan_local = false: inspect local address defined in RFC 1918 * enum reputation.allow = do_not_block: specify the meaning of - allowlist { do_not_block|trust|unblack } - * enum reputation.white = do_not_block: specify the meaning of - whitelist { do_not_block|trust|unblack } + allowlist { do_not_block|trust } * string reputation.allowlist: allowlist file name with IP lists - * string reputation.whitelist: whitelist file name with IP lists Rules: @@ -4549,9 +4673,10 @@ Peg counts: * reputation.trusted: number of packets trusted (sum) * reputation.monitored: number of packets monitored (sum) * reputation.memory_allocated: total memory allocated (sum) + * reputation.total_alerts: total alerts triggered (sum) -5.36. rna +5.37. rna -------------- 
@@ -4661,7 +4786,7 @@ Peg counts: * rna.dhcp_info: count of new DHCP lease events received (sum) -5.37. rpc_decode +5.38. rpc_decode -------------- @@ -4690,7 +4815,7 @@ Peg counts: sessions (max) -5.38. s7commplus +5.39. s7commplus -------------- @@ -4719,7 +4844,7 @@ Peg counts: sessions (max) -5.39. sip +5.40. sip -------------- @@ -4820,7 +4945,7 @@ Peg counts: * sip.code_9xx: 9xx (sum) -5.40. smtp +5.41. smtp -------------- @@ -4929,7 +5054,7 @@ Peg counts: * smtp.non_encoded_bytes: total non-encoded extracted bytes (sum) -5.41. so_proxy +5.42. so_proxy -------------- @@ -4943,7 +5068,7 @@ Usage: global Instance Type: global -5.42. ssh +5.43. ssh -------------- @@ -4983,7 +5108,7 @@ Peg counts: (max) -5.43. ssl +5.44. ssl -------------- @@ -5034,7 +5159,7 @@ Peg counts: (max) -5.44. stream +5.45. stream -------------- @@ -5123,7 +5248,7 @@ Peg counts: deleted by config reloads (sum) -5.45. stream_file +5.46. stream_file -------------- @@ -5140,7 +5265,7 @@ Configuration: * bool stream_file.upload = false: indicate file transfer direction -5.46. stream_icmp +5.47. stream_icmp -------------- @@ -5167,7 +5292,7 @@ Peg counts: * stream_icmp.prunes: icmp session prunes (sum) -5.47. stream_ip +5.48. stream_ip -------------- @@ -5239,7 +5364,7 @@ Peg counts: * stream_ip.fragmented_bytes: total fragmented bytes (sum) -5.48. stream_tcp +5.49. stream_tcp -------------- @@ -5404,7 +5529,7 @@ Peg counts: service stream splitter (sum) -5.49. stream_udp +5.50. stream_udp -------------- @@ -5433,7 +5558,7 @@ Peg counts: * stream_udp.ignored: udp packets ignored (sum) -5.50. stream_user +5.51. stream_user -------------- @@ -5451,7 +5576,7 @@ Configuration: 1:max31 } -5.51. telnet +5.52. telnet -------------- @@ -5487,7 +5612,7 @@ Peg counts: sessions (max) -5.52. wizard +5.53. wizard -------------- 
@@ -5520,7 +5645,7 @@ Configuration: * string wizard.spells[].to_client[].spell: sequence of data with wild cards (*) * multi wizard.curses: enable service identification based on - internal algorithm { dce_smb | dce_udp | dce_tcp } + internal algorithm { dce_smb | dce_udp | dce_tcp | sslv2 } Peg counts: @@ -6881,7 +7006,37 @@ Configuration: } -7.71. ip_proto +7.71. iec104_apci_type + +-------------- + +Help: rule option to check iec104 apci type + +Type: ips_option + +Usage: detect + +Configuration: + + * string iec104_apci_type.~: APCI type to match + + +7.72. iec104_asdu_func + +-------------- + +Help: rule option to check iec104 function code + +Type: ips_option + +Usage: detect + +Configuration: + + * string iec104_asdu_func.~: function code to match + + +7.73. ip_proto -------------- @@ -6896,7 +7051,7 @@ Configuration: * string ip_proto.~proto: [!|>|<] name or number -7.72. ipopts +7.74. ipopts -------------- @@ -6912,7 +7067,7 @@ Configuration: lsrre|ssrr|satid|any } -7.73. isdataat +7.75. isdataat -------------- @@ -6929,7 +7084,7 @@ Configuration: buffer -7.74. itype +7.76. itype -------------- @@ -6945,7 +7100,7 @@ Configuration: 0:255 } -7.75. md5 +7.77. md5 -------------- @@ -6965,7 +7120,7 @@ Configuration: of buffer -7.76. metadata +7.78. metadata -------------- @@ -6982,7 +7137,7 @@ Configuration: pairs -7.77. modbus_data +7.79. modbus_data -------------- @@ -6993,7 +7148,7 @@ Type: ips_option Usage: detect -7.78. modbus_func +7.80. modbus_func -------------- @@ -7008,7 +7163,7 @@ Configuration: * string modbus_func.~: function code to match -7.79. modbus_unit +7.81. modbus_unit -------------- @@ -7023,7 +7178,7 @@ Configuration: * int modbus_unit.~: Modbus unit ID { 0:255 } -7.80. msg +7.82. msg -------------- @@ -7038,7 +7193,7 @@ Configuration: * string msg.~: message describing rule -7.81. mss +7.83. mss -------------- @@ -7054,7 +7209,7 @@ Configuration: } -7.82. pcre +7.84. pcre -------------- 
@@ -7076,7 +7231,7 @@ Peg counts: * pcre.pcre_negated: total pcre rules using negation syntax (sum) -7.83. pkt_data +7.85. pkt_data -------------- @@ -7088,7 +7243,7 @@ Type: ips_option Usage: detect -7.84. pkt_num +7.86. pkt_num -------------- @@ -7104,7 +7259,7 @@ Configuration: { 1: } -7.85. priority +7.87. priority -------------- @@ -7120,7 +7275,7 @@ Configuration: 1:max31 } -7.86. raw_data +7.88. raw_data -------------- @@ -7131,7 +7286,7 @@ Type: ips_option Usage: detect -7.87. reference +7.89. reference -------------- @@ -7146,7 +7301,7 @@ Configuration: * string reference.~ref: reference: , -7.88. regex +7.90. regex -------------- @@ -7170,7 +7325,7 @@ Configuration: instead of start of buffer -7.89. rem +7.91. rem -------------- @@ -7185,7 +7340,7 @@ Configuration: * string rem.~: comment -7.90. replace +7.92. replace -------------- @@ -7200,7 +7355,7 @@ Configuration: * string replace.~: byte code to replace with -7.91. rev +7.93. rev -------------- @@ -7215,7 +7370,7 @@ Configuration: * int rev.~: revision { 1:max32 } -7.92. rpc +7.94. rpc -------------- @@ -7232,7 +7387,7 @@ Configuration: * string rpc.~proc: procedure number or * for any -7.93. s7commplus_content +7.95. s7commplus_content -------------- @@ -7243,7 +7398,7 @@ Type: ips_option Usage: detect -7.94. s7commplus_func +7.96. s7commplus_func -------------- @@ -7258,7 +7413,7 @@ Configuration: * string s7commplus_func.~: function code to match -7.95. s7commplus_opcode +7.97. s7commplus_opcode -------------- @@ -7273,7 +7428,7 @@ Configuration: * string s7commplus_opcode.~: opcode code to match -7.96. sd_pattern +7.98. sd_pattern -------------- @@ -7297,7 +7452,7 @@ Peg counts: * sd_pattern.terminated: hyperscan terminated (sum) -7.97. seq +7.99. seq -------------- @@ -7313,7 +7468,7 @@ Configuration: range { 0: } -7.98. service +7.100. service -------------- 
@@ -7328,7 +7483,7 @@ Configuration: * string service.*: one or more comma-separated service names -7.99. sha256 +7.101. sha256 -------------- @@ -7348,7 +7503,7 @@ Configuration: start of buffer -7.100. sha512 +7.102. sha512 -------------- @@ -7368,7 +7523,7 @@ Configuration: start of buffer -7.101. sid +7.103. sid -------------- @@ -7383,7 +7538,7 @@ Configuration: * int sid.~: signature id { 1:max32 } -7.102. sip_body +7.104. sip_body -------------- @@ -7394,7 +7549,7 @@ Type: ips_option Usage: detect -7.103. sip_header +7.105. sip_header -------------- @@ -7406,7 +7561,7 @@ Type: ips_option Usage: detect -7.104. sip_method +7.106. sip_method -------------- @@ -7421,7 +7576,7 @@ Configuration: * string sip_method.*method: sip method -7.105. sip_stat_code +7.107. sip_stat_code -------------- @@ -7436,7 +7591,7 @@ Configuration: * int sip_stat_code.*code: status code { 1:999 } -7.106. so +7.108. so -------------- @@ -7453,7 +7608,7 @@ Configuration: buffer -7.107. soid +7.109. soid -------------- @@ -7469,7 +7624,7 @@ Configuration: like 3_45678_9 -7.108. ssl_state +7.110. ssl_state -------------- @@ -7498,7 +7653,7 @@ Configuration: unknown -7.109. ssl_version +7.111. ssl_version -------------- @@ -7525,7 +7680,7 @@ Configuration: tls1.2 -7.110. stream_reassemble +7.112. stream_reassemble -------------- @@ -7546,7 +7701,7 @@ Configuration: remainder of the session -7.111. stream_size +7.113. stream_size -------------- @@ -7564,7 +7719,7 @@ Configuration: direction(s) { either|to_server|to_client|both } -7.112. tag +7.114. tag -------------- @@ -7583,7 +7738,7 @@ Configuration: * int tag.bytes: tag for this many bytes { 1:max32 } -7.113. target +7.115. target -------------- @@ -7599,7 +7754,7 @@ Configuration: dst_ip } -7.114. tos +7.116. tos -------------- @@ -7614,7 +7769,7 @@ Configuration: * interval tos.~range: check if IP TOS is in given range { 0:255 } -7.115. ttl +7.117. ttl -------------- 
@@ -7630,7 +7785,7 @@ Configuration: 0:255 } -7.116. urg +7.118. urg -------------- @@ -7646,7 +7801,7 @@ Configuration: { 0:65535 } -7.117. window +7.119. window -------------- @@ -7662,7 +7817,7 @@ Configuration: range { 0:65535 } -7.118. wscale +7.120. wscale -------------- @@ -8195,10 +8350,6 @@ these libraries see the Getting Started section of the manual. * --stdin-rules read rules from stdin until EOF or a line starting with END is read * --talos enable Talos tweak (same as --tweaks talos) - * --treat-drop-as-alert converts drop, block, and reset rules into - alert rules when loaded - * --treat-drop-as-ignore use drop, block, and reset rules to ignore - session traffic when not inline * --tweaks tune configuration * --version show version number (same as -V) * --warn-all enable all warnings @@ -8878,8 +9029,8 @@ these libraries see the Getting Started section of the manual. response bodies * bool http_inspect.decompress_zip = false: decompress zip files in response bodies - * bool http_inspect.detained_inspection = false: store-and-forward - as necessary to effectively block alerting JavaScript + * bool http_inspect.detained_inspection = false: obsolete, do not + configure * string http_inspect.ignore_unreserved: do not alert when the specified unreserved characters are percent-encoded in a URI.Unreserved characters are 0-9, a-z, A-Z, period, underscore, @@ -9028,6 +9179,8 @@ these libraries see the Getting Started section of the manual. 0:255 } * interval id.~range: check if the IP ID is in the given range { 0: } + * string iec104_apci_type.~: APCI type to match + * string iec104_asdu_func.~: function code to match * int imap.b64_decode_depth = -1: base64 decoding depth (-1 no limit) { -1:65535 } * int imap.bitenc_decode_depth = -1: non-Encoded MIME attachment 
@@ -9116,15 +9269,10 @@ these libraries see the Getting Started section of the manual. pairs * string modbus_func.~: function code to match * int modbus_unit.~: Modbus unit ID { 0:255 } - * bool mpls.enable_mpls_multicast = false: enables support for MPLS - multicast - * bool mpls.enable_mpls_overlapping_ip = false: enable if private - network addresses overlap and must be differentiated by MPLS - label(s) - * int mpls.max_mpls_stack_depth = -1: set MPLS stack depth { -1:255 - } - * enum mpls.mpls_payload_type = ip4: set encapsulated payload type - { eth | ip4 | ip6 } + * int mpls.max_stack_depth = -1: set maximum MPLS stack depth { + -1:255 } + * enum mpls.payload_type = auto: force encapsulated payload type { + auto | eth | ip4 | ip6 } * string msg.~: message describing rule * interval mss.~range: check if TCP MSS is in given range { 0:65535 } 
@@ -9213,16 +9361,20 @@ these libraries see the Getting Started section of the manual. * bool packet_capture.enable = false: initially enable packet dumping * string packet_capture.filter: bpf filter to use for packet dump + * int packet_capture.group = -1: group filter to use for the packet + dump { -1:32767 } * bool packets.address_space_agnostic = false: determines whether DAQ address space info is used to track fragments and connections * string packets.bpf_file: file with BPF to select traffic for Snort * int packets.limit = 0: maximum number of packets to process before stopping (0 is unlimited) { 0:max53 } + * bool packets.mpls_agnostic = true: determines whether MPLS labels + are used to track fragments and connections * int packets.skip = 0: number of packets to skip before before processing { 0:max53 } - * bool packets.vlan_agnostic = false: determines whether VLAN info - is used to track fragments and connections + * bool packets.vlan_agnostic = false: determines whether VLAN tags + are used to track fragments and connections * bool packet_tracer.enable = false: enable summary output of state that determined packet verdict * enum packet_tracer.output = console: select where to send packet @@ -9453,9 +9605,8 @@ these libraries see the Getting Started section of the manual. * string rem.~: comment * string replace.~: byte code to replace with * enum reputation.allow = do_not_block: specify the meaning of - allowlist { do_not_block|trust|unblack } + allowlist { do_not_block|trust } * string reputation.allowlist: allowlist file name with IP lists - * string reputation.blacklist: blacklist file name with IP lists * string reputation.blocklist: blocklist file name with IP lists * string reputation.list_dir: directory for IP lists and manifest file 
@@ -9464,13 +9615,9 @@ these libraries see the Getting Started section of the manual. * enum reputation.nested_ip = inner: IP to use when there is IP encapsulation { inner|outer|all } * enum reputation.priority = allowlist: defines priority when there - is a decision conflict during run-time { blocklist|allowlist| - blacklist|whitelist } + is a decision conflict during run-time { blocklist|allowlist } * bool reputation.scan_local = false: inspect local address defined in RFC 1918 - * enum reputation.white = do_not_block: specify the meaning of - whitelist { do_not_block|trust|unblack } - * string reputation.whitelist: whitelist file name with IP lists * int rev.~: revision { 1:max32 } * bool rewrite.disable_replace = false: disable replace of packet contents with rewrite rules @@ -9855,10 +10002,6 @@ these libraries see the Getting Started section of the manual. talos) * string snort.-t: chroots process to after initialization - * implied snort.--treat-drop-as-alert: converts drop, block, and - reset rules into alert rules when loaded - * implied snort.--treat-drop-as-ignore: use drop, block, and reset - rules to ignore session traffic when not inline * implied snort.-T: test and report on the current Snort configuration * string snort.--tweaks: tune configuration @@ -10095,6 +10238,9 @@ these libraries see the Getting Started section of the manual. * int trace.modules.dpx.all: enable all trace options { 0:255 } * int trace.modules.gtp_inspect.all: enable all trace options { 0:255 } + * int trace.modules.iec104.all: enable all trace options { 0:255 } + * int trace.modules.iec104.identification: enable IEC104 APDU + identification trace logging { 0:255 } * int trace.modules.latency.all: enable all trace options { 0:255 } * int trace.modules.react.all: enable all trace options { 0:255 } * int trace.modules.rna.all: enable all trace options { 0:255 } 
@@ -10137,7 +10283,7 @@ these libraries see the Getting Started section of the manual. * interval window.~range: check if TCP window size is in given range { 0:65535 } * multi wizard.curses: enable service identification based on - internal algorithm { dce_smb | dce_udp | dce_tcp } + internal algorithm { dce_smb | dce_udp | dce_tcp | sslv2 } * bool wizard.hexes[].client_first = true: which end initiates data transfer * select wizard.hexes[].proto = tcp: protocol to scan { tcp | udp } @@ -10670,10 +10816,14 @@ these libraries see the Getting Started section of the manual. * http2_inspect.concurrent_sessions: total concurrent HTTP/2 sessions (now) * http2_inspect.flows: HTTP/2 connections inspected (sum) + * http2_inspect.flows_over_stream_limit: HTTP/2 flows exceeding 100 + concurrent streams (sum) * http2_inspect.max_concurrent_files: maximum concurrent file transfers per HTTP/2 connection (max) * http2_inspect.max_concurrent_sessions: maximum concurrent HTTP/2 sessions (max) + * http2_inspect.max_concurrent_streams: maximum concurrent streams + per HTTP/2 connection (max) * http2_inspect.max_table_entries: maximum entries in an HTTP/2 dynamic table (max) * http2_inspect.total_bytes: total HTTP/2 data bytes inspected @@ -10685,8 +10835,6 @@ these libraries see the Getting Started section of the manual. * http_inspect.connect_tunnel_cutovers: CONNECT tunnel flow cutovers to wizard (sum) * http_inspect.delete_requests: DELETE requests inspected (sum) - * http_inspect.detains_requested: packet hold requests for detained - inspection (sum) * http_inspect.excess_parameters: repeat parameters exceeding max (sum) * http_inspect.flows: HTTP connections inspected (sum) 
@@ -10699,8 +10847,8 @@ these libraries see the Getting Started section of the manual. * http_inspect.other_requests: other request methods inspected (sum) * http_inspect.parameters: HTTP parameters inspected (sum) - * http_inspect.partial_inspections: pre-inspections for detained - inspection (sum) + * http_inspect.partial_inspections: early inspections done for + script detection (sum) * http_inspect.pipelined_flows: total HTTP connections containing pipelined requests (sum) * http_inspect.pipelined_requests: total requests placed in a @@ -10730,6 +10878,12 @@ these libraries see the Getting Started section of the manual. * icmp4.checksum_bypassed: checksum calculations bypassed (sum) * icmp6.bad_icmp6_checksum: nonzero icmp6 checksums (sum) * icmp6.checksum_bypassed: checksum calculations bypassed (sum) + * iec104.concurrent_sessions: total concurrent IEC104 sessions + (now) + * iec104.frames: total IEC104 messages (sum) + * iec104.max_concurrent_sessions: maximum concurrent IEC104 + sessions (max) + * iec104.sessions: total sessions processed (sum) * imap.b64_attachments: total base64 attachments decoded (sum) * imap.b64_decoded_bytes: total base64 decoded bytes (sum) * imap.concurrent_sessions: total concurrent imap sessions (now) @@ -10773,8 +10927,6 @@ these libraries see the Getting Started section of the manual. * modbus.max_concurrent_sessions: maximum concurrent modbus sessions (max) * modbus.sessions: total sessions processed (sum) - * mpls.total_bytes: total mpls labeled bytes processed (sum) - * mpls.total_packets: total mpls labeled packets processed (sum) * netflow.invalid_netflow_pkts: count of invalid netflow packets (sum) * netflow.packets: total packets processed (sum) 
@@ -10920,6 +11072,7 @@ these libraries see the Getting Started section of the manual. * reputation.memory_allocated: total memory allocated (sum) * reputation.monitored: number of packets monitored (sum) * reputation.packets: total packets processed (sum) + * reputation.total_alerts: total alerts triggered (sum) * reputation.trusted: number of packets trusted (sum) * rna.appid_change: count of appid change events received (sum) * rna.change_host_update: count number of change host update events @@ -11306,6 +11459,7 @@ these libraries see the Getting Started section of the manual. * 148: cip * 149: s7commplus * 150: file_id + * 151: iec104 * 175: domain_filter * 256: dpx @@ -11372,9 +11526,11 @@ these libraries see the Getting Started section of the manual. * 116:164 (gre) invalid GRE v.1 PPTP header * 116:165 (gre) GRE trans header length > payload length * 116:170 (mpls) bad MPLS frame - * 116:171 (mpls) MPLS label 0 appears in non-bottom header + * 116:171 (mpls) MPLS label 0 appears in bottom header when not + decoding as ip4 * 116:172 (mpls) MPLS label 1 appears in bottom header - * 116:173 (mpls) MPLS label 2 appears in non-bottom header + * 116:173 (mpls) MPLS label 2 appears in bottom header when not + decoding as ip6 * 116:174 (mpls) MPLS label 3 appears in header * 116:175 (mpls) MPLS label 4, 5,.. or 15 appears in header * 116:176 (mpls) too many MPLS headers @@ -11517,7 +11673,6 @@ these libraries see the Getting Started section of the manual. * 119:2 (http_inspect) double decoding attack * 119:3 (http_inspect) u encoding * 119:4 (http_inspect) bare byte unicode encoding - * 119:5 (http_inspect) obsolete event—deleted * 119:6 (http_inspect) UTF-8 encoding * 119:7 (http_inspect) unicode map code point encoding in URI * 119:8 (http_inspect) multi_slash encoding 
@@ -11529,35 +11684,21 @@ these libraries see the Getting Started section of the manual. CR * 119:14 (http_inspect) non-RFC defined char * 119:15 (http_inspect) oversize request-uri directory - * 119:16 (http_inspect) oversize chunk encoding - * 119:17 (http_inspect) unauthorized proxy use detected * 119:18 (http_inspect) webroot directory traversal * 119:19 (http_inspect) long header * 119:20 (http_inspect) max header fields * 119:21 (http_inspect) multiple content length - * 119:22 (http_inspect) obsolete event—deleted - * 119:23 (http_inspect) invalid IP in true-client-IP/XFF header - * 119:24 (http_inspect) multiple host hdrs detected - * 119:25 (http_inspect) hostname exceeds 255 characters - * 119:26 (http_inspect) too much whitespace in header (not - implemented yet) - * 119:27 (http_inspect) client consecutive small chunk sizes + * 119:24 (http_inspect) Host header field appears more than once or + has multiple values * 119:28 (http_inspect) POST or PUT w/o content-length or chunks - * 119:29 (http_inspect) multiple true ips in a session - * 119:30 (http_inspect) both true-client-IP and XFF hdrs present * 119:31 (http_inspect) unknown method * 119:32 (http_inspect) simple request * 119:33 (http_inspect) unescaped space in HTTP URI * 119:34 (http_inspect) too many pipelined requests - * 119:101 (http_inspect) obsolete event—deleted * 119:102 (http_inspect) invalid status code in HTTP response - * 119:103 (http_inspect) unused event number—should not appear * 119:104 (http_inspect) HTTP response has UTF charset that failed to normalize * 119:105 (http_inspect) HTTP response has UTF-7 charset - * 119:106 (http_inspect) HTTP response gzip decompression failed - * 119:107 (http_inspect) server consecutive small chunk sizes - * 119:108 (http_inspect) unused event number—should not appear * 119:109 (http_inspect) javascript obfuscation levels exceeds 1 * 119:110 (http_inspect) javascript whitespaces exceeds max allowed * 119:111 (http_inspect) multiple encodings 
within javascript @@ -11691,6 +11832,10 @@ these libraries see the Getting Started section of the manual. time * 121:26 (http2_inspect) invalid parameter value sent in HTTP/2 settings frame + * 121:27 (http2_inspect) excessive concurrent HTTP/2 streams + * 121:28 (http2_inspect) invalid HTTP/2 rst stream frame + * 121:29 (http2_inspect) HTTP/2 rst stream frame sent at invalid + time * 122:1 (port_scan) TCP portscan * 122:2 (port_scan) TCP decoy portscan * 122:3 (port_scan) TCP portsweep 
@@ -11968,6 +12113,120 @@ these libraries see the Getting Started section of the manual. * 149:2 (s7commplus) S7commplus protocol ID is non-zero * 149:3 (s7commplus) reserved S7commplus function code in use * 150:1 (file_id) file not processed due to per flow limit + * 151:1 (iec104) (spp_iec104): Length in IEC104 APCI header does + not match the length needed for the given IEC104 ASDU type id. + * 151:2 (iec104) (spp_iec104): IEC104 Start byte does not match + 0x68. + * 151:3 (iec104) (spp_iec104): Reserved IEC104 ASDU type id in use. + * 151:4 (iec104) (spp_iec104): IEC104 APCI U Reserved field + contains a non-default value. + * 151:5 (iec104) (spp_iec104): IEC104 APCI U message type was set + to an invalid value. + * 151:6 (iec104) (spp_iec104): IEC104 APCI S Reserved field + contains a non-default value. + * 151:7 (iec104) (spp_iec104): IEC104 APCI I number of elements set + to zero. + * 151:8 (iec104) (spp_iec104): IEC104 APCI I SQ bit set on an ASDU + that does not support the feature. + * 151:9 (iec104) (spp_iec104): IEC104 APCI I number of elements set + to greater than one on an ASDU that does not support the feature. + * 151:10 (iec104) (spp_iec104): IEC104 APCI I Cause of + Initialization set to a reserved value. + * 151:11 (iec104) (spp_iec104): IEC104 APCI I Qualifier of + Interrogation Command set to a reserved value. + * 151:12 (iec104) (spp_iec104): IEC104 APCI I Qualifier of Counter + Interrogation Command request parameter set to a reserved value. + * 151:13 (iec104) (spp_iec104): IEC104 APCI I Qualifier of + Parameter of Measured Values kind of parameter set to a reserved + value. + * 151:14 (iec104) (spp_iec104): IEC104 APCI I Qualifier of + Parameter of Measured Values local parameter change set to a + technically valid but unused value. + * 151:15 (iec104) (spp_iec104): IEC104 APCI I Qualifier of + Parameter of Measured Values parameter option set to a + technically valid but unused value. 
+ * 151:16 (iec104) (spp_iec104): IEC104 APCI I Qualifier of + Parameter Activation set to a reserved value. + * 151:17 (iec104) (spp_iec104): IEC104 APCI I Qualifier of Command + set to a reserved value. + * 151:18 (iec104) (spp_iec104): IEC104 APCI I Qualifier of Reset + Process set to a reserved value. + * 151:19 (iec104) (spp_iec104): IEC104 APCI I File Ready Qualifier + set to a reserved value. + * 151:20 (iec104) (spp_iec104): IEC104 APCI I Section Ready + Qualifier set to a reserved value. + * 151:21 (iec104) (spp_iec104): IEC104 APCI I Select and Call + Qualifier set to a reserved value. + * 151:22 (iec104) (spp_iec104): IEC104 APCI I Last Section or + Segment Qualifier set to a reserved value. + * 151:23 (iec104) (spp_iec104): IEC104 APCI I Acknowledge File or + Section Qualifier set to a reserved value. + * 151:24 (iec104) (spp_iec104): IEC104 APCI I Structure Qualifier + set on a message where it should have no effect. + * 151:25 (iec104) (spp_iec104): IEC104 APCI I Single Point + Information Reserved field contains a non-default value. + * 151:26 (iec104) (spp_iec104): IEC104 APCI I Double Point + Information Reserved field contains a non-default value. + * 151:27 (iec104) (spp_iec104): IEC104 APCI I Cause of Transmission + set to a reserved value. + * 151:28 (iec104) (spp_iec104): IEC104 APCI I Cause of Transmission + set to a value not allowed for the ASDU. + * 151:29 (iec104) (spp_iec104): IEC104 APCI I invalid two octet + common address value detected. + * 151:30 (iec104) (spp_iec104): IEC104 APCI I Quality Descriptor + Structure Reserved field contains a non-default value. + * 151:31 (iec104) (spp_iec104): IEC104 APCI I Quality Descriptor + for Events of Protection Equipment Structure Reserved field + contains a non-default value. + * 151:32 (iec104) (spp_iec104): IEC104 APCI I IEEE STD 754 value + results in NaN. + * 151:33 (iec104) (spp_iec104): IEC104 APCI I IEEE STD 754 value + results in infinity. 
+ * 151:34 (iec104) (spp_iec104): IEC104 APCI I Single Event of + Protection Equipment Structure Reserved field contains a + non-default value. + * 151:35 (iec104) (spp_iec104): IEC104 APCI I Start Event of + Protection Equipment Structure Reserved field contains a + non-default value. + * 151:36 (iec104) (spp_iec104): IEC104 APCI I Output Circuit + Information Structure Reserved field contains a non-default + value. + * 151:37 (iec104) (spp_iec104): IEC104 APCI I Abnormal Fixed Test + Bit Pattern detected. + * 151:38 (iec104) (spp_iec104): IEC104 APCI I Single Command + Structure Reserved field contains a non-default value. + * 151:39 (iec104) (spp_iec104): IEC104 APCI I Double Command + Structure contains an invalid value. + * 151:40 (iec104) (spp_iec104): IEC104 APCI I Regulating Step + Command Structure Reserved field contains a non-default value. + * 151:41 (iec104) (spp_iec104): IEC104 APCI I Time2a Millisecond + set outside of the allowable range. + * 151:42 (iec104) (spp_iec104): IEC104 APCI I Time2a Minute set + outside of the allowable range. + * 151:43 (iec104) (spp_iec104): IEC104 APCI I Time2a Minute + Reserved field contains a non-default value. + * 151:44 (iec104) (spp_iec104): IEC104 APCI I Time2a Hours set + outside of the allowable range. + * 151:45 (iec104) (spp_iec104): IEC104 APCI I Time2a Hours Reserved + field contains a non-default value. + * 151:46 (iec104) (spp_iec104): IEC104 APCI I Time2a Day of Month + set outside of the allowable range. + * 151:47 (iec104) (spp_iec104): IEC104 APCI I Time2a Month set + outside of the allowable range. + * 151:48 (iec104) (spp_iec104): IEC104 APCI I Time2a Month Reserved + field contains a non-default value. + * 151:49 (iec104) (spp_iec104): IEC104 APCI I Time2a Year set + outside of the allowable range. + * 151:50 (iec104) (spp_iec104): IEC104 APCI I Time2a Year Reserved + field contains a non-default value. 
+ * 151:51 (iec104) (spp_iec104): IEC104 APCI I a null Length of + Segment value has been detected. + * 151:52 (iec104) (spp_iec104): IEC104 APCI I an invalid Length of + Segment value has been detected. + * 151:53 (iec104) (spp_iec104): IEC104 APCI I Status of File set to + a reserved value. + * 151:54 (iec104) (spp_iec104): IEC104 APCI I Qualifier of Set + Point Command ql field set to a reserved value. * 175:1 (domain_filter) configured domain detected * 256:1 (dpx) too much data sent to port @@ -11992,7 +12251,7 @@ these libraries see the Getting Started section of the manual. * host_cache.delete_client(host_ip, id, service, version): delete client from host * host_cache.get_stats(): get current host cache usage and pegs - * packet_capture.enable(filter): dump raw packets + * packet_capture.enable(filter, group): dump raw packets * packet_capture.disable(): stop packet dump * packet_tracer.enable(proto, src_ip, src_port, dst_ip, dst_port): enable packet tracer debugging @@ -12012,6 +12271,7 @@ these libraries see the Getting Started section of the manual. * snort.delete_inspector(inspector): delete an inspector from the default policy * snort.dump_stats(): show summary statistics + * snort.reset_stats(): clear summary statistics * snort.rotate_stats(): roll perfmonitor log files * snort.reload_config(filename): load new configuration * snort.reload_policy(filename): reload part or all of the default 
@@ -12241,6 +12501,11 @@ and are not applicable elsewhere. * icmp_seq (ips_option): rule option to check ICMP sequence number * icode (ips_option): rule option to check ICMP code * id (ips_option): rule option to check the IP ID field + * iec104 (inspector): iec104 inspection + * iec104_apci_type (ips_option): rule option to check iec104 apci + type + * iec104_asdu_func (ips_option): rule option to check iec104 + function code * igmp (codec): support for Internet group management protocol * imap (inspector): imap inspection * inspection (basic): configure basic inspection policy parameters @@ -12480,6 +12745,7 @@ and are not applicable elsewhere. * inspector::gtp_inspect: gtp control channel inspection * inspector::http2_inspect: the HTTP/2 inspector * inspector::http_inspect: the new HTTP inspector! + * inspector::iec104: iec104 inspection * inspector::imap: imap inspection * inspector::mem_test: for testing memory management * inspector::modbus: modbus inspection @@ -12636,6 +12902,10 @@ and are not applicable elsewhere. * ips_option::icmp_seq: rule option to check ICMP sequence number * ips_option::icode: rule option to check ICMP code * ips_option::id: rule option to check the IP ID field + * ips_option::iec104_apci_type: rule option to check iec104 apci + type + * ips_option::iec104_asdu_func: rule option to check iec104 + function code * ips_option::ip_proto: rule option to check the IP protocol number * ips_option::ipopts: rule option to check for IP options * ips_option::isdataat: rule option to check for the presence of diff --git a/doc/upgrade/snort_upgrade.text b/doc/upgrade/snort_upgrade.text index 135d029db..125688aad 100644 --- a/doc/upgrade/snort_upgrade.text +++ b/doc/upgrade/snort_upgrade.text @@ -8,7 +8,7 @@ Snort 3 Upgrade Manual The Snort Team Revision History -Revision 3.1.1.0 2021-01-28 10:50:31 EST TST +Revision 3.1.2.0 2021-03-11 14:56:52 EST TST --------------------------------------------------------------------- 
@@ -828,6 +828,7 @@ change -> config 'checksum_mode' ==> 'network.checksum_eval' change -> config 'daq_dir' ==> 'daq.module_dirs' change -> config 'detection_filter' ==> 'alerts.detection_filter_memcap' change -> config 'enable_deep_teredo_inspection' ==> 'udp.deep_teredo_inspection' +change -> config 'enable_mpls_overlapping_ip' ==> 'packets.mpls_agnostic' change -> config 'event_filter' ==> 'alerts.event_filter_memcap' change -> config 'max_attribute_hosts' ==> 'attribute_table.max_hosts' change -> config 'max_attribute_services_per_host' ==> 'attribute_table.max_services_per_host' @@ -1045,6 +1046,7 @@ deleted -> config 'enable_decode_oversized_alerts' deleted -> config 'enable_decode_oversized_drops' deleted -> config 'enable_gtp' deleted -> config 'enable_ipopt_drops' +deleted -> config 'enable_mpls_multicast' deleted -> config 'enable_tcpopt_drops' deleted -> config 'enable_tcpopt_experimental_drops' deleted -> config 'enable_tcpopt_obsolete_drops' diff --git a/doc/user/snort_user.text b/doc/user/snort_user.text index 86d3c73ef..4a1b4967f 100644 --- a/doc/user/snort_user.text +++ b/doc/user/snort_user.text @@ -8,7 +8,7 @@ Snort 3 User Manual The Snort Team Revision History -Revision 3.1.1.0 2021-01-28 10:50:32 EST TST +Revision 3.1.2.0 2021-03-11 14:56:53 EST TST --------------------------------------------------------------------- @@ -73,14 +73,15 @@ Table of Contents 6.9. FTP 6.10. HTTP Inspector 6.11. HTTP/2 Inspector - 6.12. Performance Monitor - 6.13. POP and IMAP - 6.14. Port Scan - 6.15. Sensitive Data Filtering - 6.16. SMTP - 6.17. Telnet - 6.18. Trace - 6.19. Wizard + 6.12. IEC104 Inspector + 6.13. Performance Monitor + 6.14. POP and IMAP + 6.15. Port Scan + 6.16. Sensitive Data Filtering + 6.17. SMTP + 6.18. Telnet + 6.19. Trace + 6.20. Wizard 7. DAQ Configuration and Modules 
@@ -1207,6 +1208,14 @@ There are multiple ways to load rules too: * Use --lua to specify one or more rules as a command line argument. +Ips states are similar to ips rules, except that they are parsed +after the rules. That way rules can be overwritten in custom +policies. + +States without the enable option are loaded as stub rules with +default gid:0, sid:0. A user should specify gid, sid, enable options +to avoid dummy rules. + Output Files To make it simple to configure outputs when you run with multiple 
@@ -3847,29 +3856,19 @@ omit the depth parameter entirely because that is the default. These limits have no effect on how much data is forwarded to file processing. -6.10.2.2. detained_inspection - -Detained inspection is an experimental feature currently under -development. It enables Snort to more quickly detect and block -response messages containing malicious JavaScript. As this feature -involves actively blocking traffic it is designed for use with inline -mode operation (-Q). - -This feature is off by default. detained_inspection = true will -activate it. - -6.10.2.3. script_detection +6.10.2.2. script_detection -Script detection is an alternative to detained inspection. When -http_inspect detects the end of a script it immediately forwards the -available part of the message body for early detection. This enables -malicious Javascripts to be detected more quickly but consumes -somewhat more of the sensor’s resources. +Script detection is a feature that enables Snort to more quickly +detect and block response messages containing malicious JavaScript. +When http_inspect detects the end of a script it immediately forwards +the available part of the message body for early detection. This +enables malicious Javascripts to be detected more quickly but +consumes somewhat more of the sensor’s resources. This feature is off by default. script_detection = true will activate it. -6.10.2.4. gzip +6.10.2.3. gzip http_inspect by default decompresses deflate and gzip message bodies before inspecting them. This feature can be turned off by unzip = 
@@ -3878,14 +3877,14 @@ improvement but at a very high price. It is unlikely that any meaningful inspection of message bodies will be possible. Effectively HTTP processing would be limited to the headers. -6.10.2.5. normalize_utf +6.10.2.4. normalize_utf http_inspect will decode utf-8, utf-7, utf-16le, utf-16be, utf-32le, and utf-32be in response message bodies based on the Content-Type header. This feature is on by default: normalize_utf = false will deactivate it. -6.10.2.6. decompress_pdf +6.10.2.5. decompress_pdf decompress_pdf = true will enable decompression of compressed portions of PDF files encountered in a response body. http_inspect @@ -3894,7 +3893,7 @@ locate PDF streams with a single /FlateDecode filter. The compressed content is decompressed and made available through the file data rule option. -6.10.2.7. decompress_swf +6.10.2.6. decompress_swf decompress_swf = true will enable decompression of compressed SWF (Adobe Flash content) files encountered in a response body. The @@ -3904,7 +3903,7 @@ LZMA. The compressed content is decompressed and made available through the file data rule option. The compressed SWF file signature is converted to FWS to indicate an uncompressed file. -6.10.2.8. normalize_javascript +6.10.2.7. normalize_javascript normalize_javascript = true will enable normalization of JavaScript within the HTTP response body. http_inspect looks for JavaScript by @@ -3916,7 +3915,7 @@ decodeURIComponent are %XX, %uXXXX, XX and uXXXXi. http_inspect also replaces consecutive whitespaces with a single space and normalizes the plus by concatenating the strings. -6.10.2.9. xff_headers +6.10.2.8. xff_headers This configuration supports defining custom x-forwarded-for type headers. In a multi-vendor world, it is quite possible that the 
@@ -3931,7 +3930,7 @@ they are defined, e.g "x-forwarded-for" will be preferred than "true-client-ip" if both headers are present in the stream. The header names should be delimited by a space. -6.10.2.10. URI processing +6.10.2.9. URI processing Normalization and inspection of the URI in the HTTP request message is a key aspect of what http_inspect does. The best way to normalize 
@@ -4467,7 +4466,134 @@ http_inspect to provide full inspection of the individual HTTP/1.1 streams. -6.12. Performance Monitor +6.12. IEC104 Inspector + +-------------- + +iec104 inspector is a service inspector for the IEC 60870-5-104 +protocol. + +6.12.1. Overview + +IEC 60870-5-104 (iec104) is a protocol distributed by the +International Electrotechnical Commission (IEC) that provides a +standardized method of sending telecontrol messages between central +stations and outstations, typically running on TCP port 2404. + +It is used in combination with the companion specifications in the +IEC 60870-5 family, most notably IEC 60870-5-101, to provide reliable +transport via TCP/IP. + +An iec104 Application Protocol Data Unit (APDU) consists of one of +three Application Protocol Control Information (APCI) structures, +each beginning with the start byte 0x68. In the case of an +Information Transfer APCI, an Application Service Data Unit (ASDU) +follows the APCI. + +The iec104 inspector decodes the iec104 protocol and provides rule +options to access certain protocol fields and data content. This +allows the user to write rules for iec104 packets without decoding +the protocol. + +6.12.2. Configuration + +iec104 messages can be normalized to either combine a message spread +across multiple frames, or to split apart multiple messages within +one frame. No manual configuration is necessary to leverage this +functionality. + +6.12.3. Quick Guide + +A typical iec104 configuration looks like this: + +binder = +{ + { + when = + { + proto = 'tcp', + ports = '2404' + }, + use = + { + type = 'iec104' + }, + }, +} + +iec104 = { } + +In this example, the tcp inspector is defined based on port. All +configurations are default. + +Debug logging can be enabled with the following additional +configuration: + +trace = +{ + modules = + { + iec104 = + { + all = 1 + } + } +} + +6.12.4. 
Rule Options + +New rule options are supported by enabling the iec104 inspector: + + * iec104_apci_type + * iec104_asdu_func + +6.12.4.1. iec104_apci_type + +Determining the APCI type of an iec104 message involves checking the +state of one to two bits in the message’s first control field octet. +This can be completed with a byte_test in a plaintext rule, however +it adds unnecessary complexity to the rule. Since most rules +inspecting iec104 traffic will target APCI Type I messages, this +option was created to alleviate the need to manually check the type +and subsequently reduce the complexity of the rule. + +This option takes one argument with three acceptable configurations. + +Examples: + +iec104_apci_type:unnumbered_control_function; +iec104_apci_type:S; +iec104_apci_type:i; + +This option is used to verify that the message being processed is of +the specified type. The argument passed to this rule option can be +specified in one of three ways: the full type name, the lowercase +type abbreviation, or the uppercase type abbreviation. + +6.12.4.2. iec104_asdu_func + +Determining the ASDU function of an iec104 message can be completed +with a plaintext rule that checks a single byte in the message, +however it also requires verifying that the message’s APCI is of Type +I. Since a rule writer may not necessarily know that this additional +check must be made, this option was created to simplify the process +of verifying the function type and subsequently reduce the complexity +of the rule. + +This option takes one argument with two acceptable configurations. + +Examples: + +iec104_asdu_func:M_SP_NA_1; +iec104_asdu_func:m_ps_na_1; + +This option is used to verify that the message being processed is +using the specified ASDU function. The argument passed to this rule +option can be specified in one of two ways: the uppercase function +name, or the lowercase function name. + + +6.13. Performance Monitor -------------- 
@@ -4476,14 +4602,14 @@ down by too many flows? perf_monitor! Why are certain TCP segments being dropped without hitting a rule? perf_monitor! Why is a sensor leaking water? Not perf_monitor, check with stream… -6.12.1. Overview +6.13.1. Overview The Snort performance monitor is the built-in utility for monitoring system and traffic statistics. All statistics are separated by processing thread. perf_monitor supports several trackers for monitoring such data: -6.12.2. Base Tracker +6.13.2. Base Tracker The base tracker is used to gather running statistics about Snort and its running modules. All Snort modules gather, at the very least, @@ -4540,7 +4666,7 @@ perf_monitor = Note: Event stats from prior Snorts are now located within base statistics. -6.12.3. Flow Tracker +6.13.3. Flow Tracker Flow tracks statistics regarding traffic and L3/L4 protocol distributions. This data can be used to build a profile of traffic @@ -4550,7 +4676,7 @@ To enable: perf_monitor = { flow = true } -6.12.4. FlowIP Tracker +6.13.4. FlowIP Tracker FlowIP provides statistics for individual hosts within a network. This data can be used for identifying communication habits, such as @@ -4562,7 +4688,7 @@ To enable: perf_monitor = { flow_ip = true } -6.12.5. CPU Tracker +6.13.5. CPU Tracker This tracker monitors the CPU and wall time spent by a given processing thread. @@ -4571,7 +4697,7 @@ To enable: perf_monitor = { cpu = true } -6.12.6. Formatters +6.13.6. Formatters Performance monitor allows statistics to be output in a few formats. Along with human readable text (as seen at shutdown) and csv formats, 
@@ -4585,14 +4711,14 @@ used by Performance monitor, see the developer notes for Performance monitor or the code provided for fbstreamer. -6.13. POP and IMAP +6.14. POP and IMAP -------------- POP inspector is a service inspector for POP3 protocol and IMAP inspector is for IMAP4 protocol. -6.13.1. Overview +6.14.1. Overview POP and IMAP inspectors examine data traffic and find POP and IMAP commands and responses. The inspectors also identify the command, @@ -4600,7 +4726,7 @@ header, body sections and extract the MIME attachments and decode it appropriately. The pop and imap also identify and whitelist the pop and imap traffic. -6.13.2. Configuration +6.14.2. Configuration POP inspector and IMAP inspector offer same set of configuration options for MIME decoding depth. These depths range from 0 to 65535 @@ -4610,27 +4736,27 @@ be decoded. If you do not specify the default value is 1460 bytes. The depth limits apply per attachment. They are: -6.13.2.1. b64_decode_depth +6.14.2.1. b64_decode_depth Set the base64 decoding depth used to decode the base64-encoded MIME attachments. -6.13.2.2. qp_decode_depth +6.14.2.2. qp_decode_depth Set the Quoted-Printable (QP) decoding depth used to decode QP-encoded MIME attachments. -6.13.2.3. bitenc_decode_depth +6.14.2.3. bitenc_decode_depth Set the non-encoded MIME extraction depth used for non-encoded MIME attachments. -6.13.2.4. uu_decode_depth +6.14.2.4. uu_decode_depth Set the Unix-to-Unix (UU) decoding depth used to decode UU-encoded attachments. -6.13.2.5. Examples +6.14.2.5. Examples stream = { } @@ -4664,13 +4790,13 @@ pop = } -6.14. Port Scan +6.15. Port Scan -------------- A module to detect port scanning -6.14.1. Overview +6.15.1. Overview This module is designed to detect the first phase in a network attack: Reconnaissance. In the Reconnaissance phase, an attacker 
@@ -4770,7 +4896,7 @@ however, Portscan will only track open ports after the alert has been triggered. Open port events are not individual alerts, but tags based off the original scan alert. -6.14.2. Scan levels +6.15.2. Scan levels There are 3 default scan levels that can be set. @@ -4824,7 +4950,7 @@ setting will catch some slow scans because of the continuous monitoring, but is very sensitive to active hosts. This most definitely will require the user to tune Portscan. -6.14.3. Tuning Portscan +6.15.3. Tuning Portscan The most important aspect in detecting portscans is tuning the detection engine for your network(s). Here are some tuning tips: @@ -4901,7 +5027,7 @@ require the least tuning. The low sensitivity level does not catch filtered scans, since these are more prone to false positives. -6.15. Sensitive Data Filtering +6.16. Sensitive Data Filtering -------------- @@ -4911,21 +5037,21 @@ credit card numbers, U.S. Social Security numbers, and email addresses. A rich regular expression syntax is available for defining your own PII. -6.15.1. Hyperscan +6.16.1. Hyperscan The sd_pattern rule option is powered by the open source Hyperscan library from Intel. It provides a regex grammar which is mostly PCRE compatible. To learn more about Hyperscan see https://intel.github.io /hyperscan/dev-reference/ -6.15.2. Syntax +6.16.2. Syntax Snort provides sd_pattern as IPS rule option with no additional inspector overhead. The Rule option takes the following syntax. sd_pattern: ""[, threshold ]; -6.15.2.1. Pattern +6.16.2.1. Pattern Pattern is the most important and is the only required parameter to sd_pattern. It supports 3 built in patterns which are configured by 
@@ -4963,7 +5089,7 @@ but would not match 1@ourdomain.com ab12@ourdomain.com or Note: This is just an example, this pattern is not suitable to detect many correctly formatted emails. -6.15.2.2. Threshold +6.16.2.2. Threshold Threshold is an optional parameter allowing you to change built in default value (default value is 1). The following two instances are @@ -4981,7 +5107,7 @@ This example requires 300 matches of the pattern "This is a string literal" to qualify as a positive match. That is, if the string only occurred 299 times in a packet, you will not see an event. -6.15.2.3. Obfuscating Credit Cards and Social Security Numbers +6.16.2.3. Obfuscating Credit Cards and Social Security Numbers Snort provides discreet logging for the built in patterns "credit_card", "us_social" and "us_social_nodashes". Enabling @@ -4994,7 +5120,7 @@ output = obfuscate_pii = true } -6.15.3. Example +6.16.3. Example A complete Snort IPS rule @@ -5010,7 +5136,7 @@ Logged output when running Snort in "cmg" alert format. 58 58 58 58 58 58 58 58 58 58 58 58 39 32 39 34 XXXXXXXXXXXX9294 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -6.15.4. Caveats +6.16.4. Caveats 1. Snort currently requires setting the fast pattern engine to use "hyperscan" in order for sd_pattern ips option to function @@ -5027,13 +5153,13 @@ Logged output when running Snort in "cmg" alert format. (This is a known bug). -6.16. SMTP +6.17. SMTP -------------- SMTP inspector is a service inspector for SMTP protocol. -6.16.1. Overview +6.17.1. Overview The SMTP inspector examines SMTP connections looking for commands and responses. It also identifies the command, header and body sections, 
@@ -5043,7 +5169,7 @@ identifies and whitelists the SMTP traffic. SMTP inspector logs the filename, email addresses, attachment names when configured. -6.16.2. Configuration +6.17.2. Configuration SMTP command lines can be normalized to remove extraneous spaces. TLS-encrypted traffic can be ignored, which improves performance. In @@ -5052,7 +5178,7 @@ performance boost. The configuration options are described below: -6.16.2.1. normalize and normalize_cmds +6.17.2.1. normalize and normalize_cmds Normalization checks for more than one space character after a command. Space characters are defined as space (ASCII 0x20) or tab @@ -5063,34 +5189,34 @@ example: smtp = { normalize = 'cmds', normalize_cmds = 'RCPT VRFY EXPN' } -6.16.2.2. ignore_data +6.17.2.2. ignore_data Set it to true to ignore data section of mail (except for mail headers) when processing rules. -6.16.2.3. ignore_tls_data +6.17.2.3. ignore_tls_data Set it to true to ignore TLS-encrypted data when processing rules. -6.16.2.4. max_command_line_len +6.17.2.4. max_command_line_len Alert if an SMTP command line is longer than this value. Absence of this option or a "0" means never alert on command line length. RFC 2821 recommends 512 as a maximum command line length. -6.16.2.5. max_header_line_len +6.17.2.5. max_header_line_len Alert if an SMTP DATA header line is longer than this value. Absence of this option or a "0" means never alert on data header line length. RFC 2821 recommends 1024 as a maximum data header line length. -6.16.2.6. max_response_line_len +6.17.2.6. max_response_line_len Alert if an SMTP response line is longer than this value. Absence of this option or a "0" means never alert on response line length. RFC 2821 recommends 512 as a maximum response line length. -6.16.2.7. alt_max_command_line_len +6.17.2.7. alt_max_command_line_len Overrides max_command_line_len for specific commands For example: 
@@ -5106,11 +5232,11 @@ alt_max_command_line_len = }, } -6.16.2.8. invalid_cmds +6.17.2.8. invalid_cmds Alert if this command is sent from client side. -6.16.2.9. valid_cmds +6.17.2.9. valid_cmds List of valid commands. We do not alert on commands in this list. @@ -5120,36 +5246,36 @@ HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SIZE STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR ]] -6.16.2.10. data_cmds +6.17.2.10. data_cmds List of commands that initiate sending of data with an end of data delimiter the same as that of the DATA command per RFC 5321 - " .". -6.16.2.11. binary_data_cmds +6.17.2.11. binary_data_cmds List of commands that initiate sending of data and use a length value after the command to indicate the amount of data to be sent, similar to that of the BDAT command per RFC 3030. -6.16.2.12. auth_cmds +6.17.2.12. auth_cmds List of commands that initiate an authentication exchange between client and server. -6.16.2.13. xlink2state +6.17.2.13. xlink2state Enable/disable xlink2state alert, options are {disable | alert | drop}. See CVE-2005-0560 for a description of the vulnerability. -6.16.2.14. MIME processing depth parameters +6.17.2.14. MIME processing depth parameters These four MIME processing depth parameters are identical to their POP and IMAP counterparts. See that section for further details. b64_decode_depth qp_decode_depth bitenc_decode_depth uu_decode_depth -6.16.2.15. Log Options +6.17.2.15. Log Options Following log options allow SMTP inspector to log email addresses and filenames. Please note, this is logged only with the unified2 output @@ -5192,7 +5318,7 @@ This option specifies the depth for logging email headers. The allowed range for this option is 0 - 20480. A value of 0 will disable email headers logging. The default value for this option is 1464. -6.16.3. Example +6.17.3. Example smtp = { 
@@ -5245,7 +5371,7 @@ smtp = } -6.17. Telnet +6.18. Telnet -------------- @@ -5255,7 +5381,7 @@ command sequences per RFC 854. It will also determine when a telnet connection is encrypted, per the use of the telnet encryption option per RFC 2946. -6.17.1. Configuring the inspector to block exploits and attacks +6.18.1. Configuring the inspector to block exploits and attacks ayt_attack_thresh number @@ -5264,7 +5390,7 @@ the threshold number specified. This addresses a few specific vulnerabilities relating to bsd-based implementations of telnet. -6.18. Trace +6.19. Trace -------------- @@ -5277,7 +5403,7 @@ enable debug tracing, Snort must be configured at build time with wizard and snort.inspector_manager) are providing non-debug trace messages in normal production builds. -6.18.1. Trace module +6.19.1. Trace module The trace module is responsible for configuring traces and supports the following parameters: @@ -5317,7 +5443,7 @@ The trace module supports config reloading. Also, it’s possible to set or clear modules traces and packet filter constraints via the control channel command. -6.18.2. Trace module - configuring traces +6.19.2. Trace module - configuring traces The trace module has the modules option - a table with trace configuration for specific modules. The following lines placed in @@ -5399,7 +5525,7 @@ trace = } } -6.18.3. Trace module - configuring packet filter constraints for +6.19.3. Trace module - configuring packet filter constraints for packet related trace messages There is a capability to filter traces by the packet constraints. The @@ -5454,7 +5580,7 @@ trace = } } -6.18.4. Trace module - configuring trace output method +6.19.4. Trace module - configuring trace output method There is a capability to configure the output method for trace messages. The trace module has the output option with two acceptable 
@@ -5483,7 +5609,7 @@ trace = As a result, each trace message will be printed into syslog (the Snort run-mode will be ignored). -6.18.5. Configuring traces via control channel command +6.19.5. Configuring traces via control channel command There is a capability to configure module trace options and packet constraints via the control channel command by using a Snort shell. @@ -5518,7 +5644,7 @@ trace.set({modules = {...}}) - set only module trace options keeping old filteri trace.set({}) - disable traces and constraints (set to empty) -6.18.6. Trace messages format +6.19.6. Trace messages format Each tracing message has a standard format: @@ -5567,7 +5693,7 @@ m – minutes s – seconds S – milliseconds -6.18.7. Example - Debugging rules using detection trace +6.19.7. Example - Debugging rules using detection trace The detection engine is responsible for rule evaluation. Turning on the trace for it can help with debugging new rules. @@ -5695,7 +5821,7 @@ detection:rule_eval:1: Matched rule gid:sid:rev 1:3:0 detection:rule_vars:1: Rule options variables: var[0]=1 var[1]=10 var[2]=0 04/22-20:21:40.905630, 1, TCP, raw, 56, C2S, 127.0.0.1:1234, 127.0.0.1:5678, 1:3:0, allow -6.18.8. Example - Protocols decoding trace +6.19.8. Example - Protocols decoding trace Turning on decode trace will print out information about the packets decoded protocols. Can be useful in case of tunneling. @@ -5719,7 +5845,7 @@ decode:all:1: Codec ipv6 (protocol_id: 1) ip header starts at: 0x7f70800110f0, l decode:all:1: Codec icmp4 (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 8 decode:all:1: Codec unknown (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 0 -6.18.9. Example - Track the time packet spends in each inspector +6.19.9. Example - Track the time packet spends in each inspector There is a capability to track which inspectors evaluate a packet, and how much time the inspector consumes doing so. These trace 
@@ -5760,7 +5886,7 @@ snort:inspector_manager:1: post detection inspection, raw, packet 1, context 1 snort:inspector_manager:1: end inspection, raw, packet 1, context 1, total time: 0 usec snort:main:1: [0] Destroying completed command RUN -6.18.10. Example - trace filtering by packet constraints: +6.19.10. Example - trace filtering by packet constraints: In snort.lua, the following lines were added: @@ -5822,7 +5948,7 @@ detection:rule_eval:1: packet 4 UNK 10.1.1.2:200 10.2.1.1:100 (non-fast-patterns The trace messages for two last packets (numbers 5 and 6) weren’t printed. -6.18.11. Example - configuring traces via trace.set() command +6.19.11. Example - configuring traces via trace.set() command In snort.lua, the following lines were added: @@ -5905,7 +6031,7 @@ The new configuration was applied. decode:all:1 messages aren’t filtered because they don’t include a packet (a packet isn’t well-formed at the point when the message is printing). -6.18.12. Other available traces +6.19.12. Other available traces There are more trace options supported by detection: @@ -5932,7 +6058,7 @@ developer. Some are for corner cases, others for complex data structures. -6.19. Wizard +6.20. Wizard -------------- @@ -6268,7 +6394,7 @@ another packet with the same tuple as the prior one. $sof and $eof commands generate Start of Flow and End of Flow metapackets respectively. They are followed by a definition of a -Flow_Stats_t data structure which will be fed into Snort via the +DAQ_FlowStats_t data structure which will be fed into Snort via the metadata callback. Strings may contain the following escape sequences:
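Review bot: The lowercase example in the new 6.12.4.2 iec104_asdu_func section does not match its uppercase counterpart: `iec104_asdu_func:M_SP_NA_1;` is paired with `iec104_asdu_func:m_ps_na_1;`, which transposes "sp" into "ps" and so is not the lowercase spelling of the same function name; it should read `iec104_asdu_func:m_sp_na_1;` so that readers who copy the example get a rule that actually references the function shown. In the same hunk, the sentence following the binder example ("In this example, the tcp inspector is defined based on port.") names the wrong inspector: the binder entry maps TCP port 2404 to the iec104 inspector, so it should say that the iec104 inspector is bound by port. Minor style point for the same section: "This can be completed with a byte_test in a plaintext rule, however it adds unnecessary complexity" and "checks a single byte in the message, however it also requires verifying" are comma splices; a semicolon or full stop before "however" would read cleaner.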