From d1ae4e5e40cc083cc55f3ec771ca93b367eadb7b Mon Sep 17 00:00:00 2001
From: "Mike Stepanek (mstepane)"
Date: Wed, 9 Oct 2019 10:21:41 -0400
Subject: [PATCH] Merge pull request #1788 in SNORT/snort3 from
~MSTEPANE/snort3:build_262 to master
Squashed commit of the following:
commit 6c381d2eb2aaf2ba82d7ad0aaab1cd4efb252bf5
Author: Mike Stepanek
Date: Wed Oct 9 08:37:27 2019 -0400
build: generate and tag build 262
---
ChangeLog | 57 +++++++++++
doc/snort_manual.html | 232 +++++++++++++++++++++++++++++++++++++++---
doc/snort_manual.pdf | Bin 823847 -> 826309 bytes
doc/snort_manual.text | 85 ++++++++++++----
src/main/build.h | 2 +-
5 files changed, 344 insertions(+), 32 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 54f4a7e76..4784b728e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,60 @@
+19/10/09 - build 262
+
+-- analyzer: move setting pkth to nullptr to after publishing finalize event
+-- analyzer: publish other message event for unknown DAQ messages
+-- appid: add support for bittorrent detection over standard ports
+-- appid: add support for Lua detector callback mechanism
+-- appid: add support for wildcard ports in host tracker
+-- appid: extract forward ip from http tunneled traffic and use it for dynamic host cache lookup
+-- appid: fix populating dns_query for DNS traffic
+-- binder: allow binder to support global level service inspectors
+-- binder: remove global check for stream inspectors and revert module_map changes
+-- codecs: fix checksumming a single byte of unaligned data
+-- codecs: use checksum validation from DAQ packet decode data when available
+-- detection: consistently prefer service rules over port rules
+-- detection: do not split service groups by ip proto to avoid extra searches
+-- detection: map file rules to services
+-- detection: non-service rules must match on rule header proto
+-- detection: remove cruft from match accumulator
+-- detection: remove more cruft from match tracker
+-- detection: remove the inappropriate match tracker from mpse batch setup
+-- detection: remove unnecessary match data from eval context
+-- detection: support alert file rules w/o optional services
+-- detection: update trace to indicate eval task
+-- detection: use reference for signature eval data
+-- doc: add Snort2Lua note on ips rule action rewrite
+-- flow: check if control packet has a valid daq instance before setting up daq expected flow and
+ add pegcounts for expected flows
+-- flow: patch to allocate Flow objects individually on demand. Once allocated the Flow objects are
+ reused until snort exits or reload changes the max_flows setting
+-- flow: when walking uni_list stop before reaching head
+-- helpers: discovery filter support for zone matching
+-- helpers: implement port exclusion in discovery filter
+-- http2_inspect: cut headers from frame_data buffer
+-- http2_inspect: parse hpack header representations and decode string literals
+-- http2_inspect: validate connection preface
+-- ips_options: minor code style changes
+-- libtcp: turn off no-ack mode if packet is out of order
+-- lua: added move constructor and move assignment operator to Lua::State to fix segv
+-- lua: fixed whitespace to match style guidelines
+-- managers: add null check in reload_module to prevent crash when trying to reload module that has
+ not been configured
+-- profiler: increase width of checks and alloc fields so values don't run together
+-- protocols: remove reference to obsolete DAQ_PKT_FLAG_HW_TCP_CS_GOOD flag
+-- pub_sub: replace DaqMetaEvent and OtherMessageEvent with DaqMessageEvent
+-- reputation: prevent reload module crash when reputation is not configured in lua at startup
+-- reputation: SIDs for source and destination-triggered events added
+-- snort2lua: convert snort2 port bindings into snort3 service bindings for inspectors configured
+ in wizard and add --bind-port option to enable port bindings conversion
+-- snort2lua: remove identity related options from firewall
+-- snort2lua: reset the sticky buffer name while converting unchanged sticky rule options and
+ file_data
+-- stream: clean up cppcheck warnings
+-- stream: clean up update_direction
+-- stream: code cleanup and dead-code removal
+-- unit-tests: fix compiler warnings that snuck into CppUTest unit tests
+-- utils: prevent integer overflow/underflow when reading BER elements
+
19/09/12 - build 261
-- analyzer: Process retry queue and onloads when no DAQ messages are received
diff --git a/doc/snort_manual.html b/doc/snort_manual.html
index 4d11ba62a..c555073ef 100644
--- a/doc/snort_manual.html
+++ b/doc/snort_manual.html
@@ -782,7 +782,7 @@ asciidoc.install(2);
,,_ -*> Snort++ <*-
-o" )~ Version 3.0.0 (Build 261)
+o" )~ Version 3.0.0 (Build 262)
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
@@ -7286,6 +7286,11 @@ string daq.modules[].variables[].variable: DAQ mod
+daq.expected_flows: expected flows created in DAQ (sum)
+
+
+
+
daq.retries_queued: messages queued for retry (sum)
@@ -7304,6 +7309,21 @@ string daq.modules[].variables[].variable: DAQ mod
daq.retries_discarded: messages discarded when purging the retry queue (sum)
+
+
+daq.sof_messages: start of flow messages received from DAQ (sum)
+
+
+
+
+daq.eof_messages: end of flow messages received from DAQ (sum)
+
+
+
+
+daq.other_messages: messages received from DAQ with unrecognized message type (sum)
+
+
@@ -8521,7 +8541,7 @@ string
references[].url: where this reference is d
-
-enum rule_state.$gid_sid[].action = inherit: apply action if rule matches or inherit from rule definition { log | pass | alert | drop | block | reset | inherit }
+enum rule_state.$gid_sid[].action = inherit: apply action if rule matches or inherit from rule definition { log | pass | alert | drop | block | reset | react | reject | rewrite | inherit }
-
@@ -9843,6 +9863,11 @@ bool esp.decode_esp = false: enable for inspection of esp traff
icmp4.bad_checksum: non-zero icmp checksums (sum)
+-
+
+icmp4.checksum_bypassed: checksum calculations bypassed (sum)
+
+
@@ -9920,6 +9945,11 @@ bool
esp.decode_esp = false: enable for inspection of esp traff
icmp6.bad_icmp6_checksum: nonzero icmp6 checksums (sum)
+
+
+icmp6.checksum_bypassed: checksum calculations bypassed (sum)
+
+
@@ -10056,6 +10086,11 @@ bool
esp.decode_esp = false: enable for inspection of esp traff
ipv4.bad_checksum: nonzero ip checksums (sum)
+
+
+ipv4.checksum_bypassed: checksum calculations bypassed (sum)
+
+
@@ -10448,6 +10483,11 @@ enum
mpls.mpls_payload_type = ip4: set encapsulated payload typ
tcp.bad_tcp6_checksum: nonzero tcp over ipv6 checksums (sum)
+
+
+tcp.checksum_bypassed: checksum calculations bypassed (sum)
+
+
@@ -10552,6 +10592,11 @@ bit_list
udp.gtp_ports = 2152 3386: set GTP ports { 65535 }
udp.bad_udp6_checksum: nonzero udp over ipv6 checksums (sum)
+
+
+udp.checksum_bypassed: checksum calculations bypassed (sum)
+
+
@@ -12519,6 +12564,11 @@ bool
finalize_packet.switch_to_wizard = false: switch to wizard
finalize_packet.events: total events seen (sum)
+
+
+finalize_packet.other_messages: total other message seen (sum)
+
+
@@ -12886,6 +12936,16 @@ int
gtp_inspect.trace: mask for enabling debug traces in module
121:5 (http2_inspect) unexpected continuation frame
+
+
+121:6 (http2_inspect) misformatted HTTP/2 traffic
+
+
+
+
+121:7 (http2_inspect) HTTP/2 connection preface does not match
+
+
@@ -15083,17 +15143,32 @@ string reputation.whitelist: whitelist file name with IP lists
-
-136:1 (reputation) packets blacklisted
+136:1 (reputation) packets blacklisted based on source
+
+
+-
+
+136:2 (reputation) packets whitelisted based on source
+
+
+-
+
+136:3 (reputation) packets monitored based on source
+
+
+-
+
+136:4 (reputation) packets blacklisted based on destination
-
-136:2 (reputation) packets whitelisted
+136:5 (reputation) packets whitelisted based on destination
-
-136:3 (reputation) packets monitored
+136:6 (reputation) packets monitored based on destination
@@ -16386,6 +16461,26 @@ int stream.trace: mask for enabling debug traces in module { 0:
stream.ha_prunes: sessions pruned by high availability sync (sum)
+-
+
+stream.expected_flows: total expected flows created within snort (sum)
+
+
+-
+
+stream.expected_realized: number of expected flows realized (sum)
+
+
+-
+
+stream.expected_pruned: number of expected flows pruned (sum)
+
+
+-
+
+stream.expected_overflows: number of expected cache overflows (sum)
+
+
@@ -16738,12 +16833,12 @@ int
stream_tcp.queue_limit.max_segments = 2621: don’t que
-int stream_tcp.small_segments.count = 0: limit number of small segments queued { 0:2048 }
+int stream_tcp.small_segments.count = 0: number of consecutive TCP small segments considered to be excessive (129:12) { 0:2048 }
-int stream_tcp.small_segments.maximum_size = 0: limit number of small segments queued { 0:2048 }
+int stream_tcp.small_segments.maximum_size = 0: minimum bytes for a TCP segment not to be considered small (129:12) { 0:2048 }
@@ -21377,6 +21472,11 @@ options into a Snort++ configuration file
+--bind-port Convert port bindings
+
+
+
+
--conf-file Same as -c. A Snort <snort_conf> file which will be
converted
@@ -21552,6 +21652,15 @@ If the original configuration contains a binding that points to another
into one output.
+
@@ -27779,7 +27888,7 @@ bool
rt_packet.retry_targeted = false: request retry for packet
-enum rule_state.$gid_sid[].action = inherit: apply action if rule matches or inherit from rule definition { log | pass | alert | drop | block | reset | inherit }
+enum rule_state.$gid_sid[].action = inherit: apply action if rule matches or inherit from rule definition { log | pass | alert | drop | block | reset | react | reject | rewrite | inherit }
@@ -29114,12 +29223,12 @@ bool stream_tcp.show_rebuilt_packets = false: enable cmg like o
-int stream_tcp.small_segments.count = 0: limit number of small segments queued { 0:2048 }
+int stream_tcp.small_segments.count = 0: number of consecutive TCP small segments considered to be excessive (129:12) { 0:2048 }
-int stream_tcp.small_segments.maximum_size = 0: limit number of small segments queued { 0:2048 }
+int stream_tcp.small_segments.maximum_size = 0: minimum bytes for a TCP segment not to be considered small (129:12) { 0:2048 }
@@ -29459,6 +29568,16 @@ interval wscale.~range: check if TCP window scale is in given r
+daq.eof_messages: end of flow messages received from DAQ (sum)
+
+
+
+
+daq.expected_flows: expected flows created in DAQ (sum)
+
+
+
+
daq.filtered: packets filtered out (sum)
@@ -29489,6 +29608,11 @@ interval
wscale.~range: check if TCP window scale is in given r
+daq.other_messages: messages received from DAQ with unrecognized message type (sum)
+
+
+
+
daq.outstanding: packets unprocessed (sum)
@@ -29544,6 +29668,11 @@ interval
wscale.~range: check if TCP window scale is in given r
+daq.sof_messages: start of flow messages received from DAQ (sum)
+
+
+
+
daq.whitelist: total whitelist verdicts (sum)
@@ -30329,6 +30458,11 @@ interval
wscale.~range: check if TCP window scale is in given r
+finalize_packet.other_messages: total other message seen (sum)
+
+
+
+
finalize_packet.pdus: total PDUs seen (sum)
@@ -30624,11 +30758,21 @@ interval
wscale.~range: check if TCP window scale is in given r
+icmp4.checksum_bypassed: checksum calculations bypassed (sum)
+
+
+
+
icmp6.bad_icmp6_checksum: nonzero icmp6 checksums (sum)
+icmp6.checksum_bypassed: checksum calculations bypassed (sum)
+
+
+
+
imap.b64_attachments: total base64 attachments decoded (sum)
@@ -30694,6 +30838,11 @@ interval
wscale.~range: check if TCP window scale is in given r
+ipv4.checksum_bypassed: checksum calculations bypassed (sum)
+
+
+
+
latency.max_usecs: maximum usecs elapsed (sum)
@@ -31759,6 +31908,26 @@ interval
wscale.~range: check if TCP window scale is in given r
+stream.expected_flows: total expected flows created within snort (sum)
+
+
+
+
+stream.expected_overflows: number of expected cache overflows (sum)
+
+
+
+
+stream.expected_pruned: number of expected flows pruned (sum)
+
+
+
+
+stream.expected_realized: number of expected flows realized (sum)
+
+
+
+
stream.flows: total sessions (sum)
@@ -32234,6 +32403,11 @@ interval
wscale.~range: check if TCP window scale is in given r
+tcp.checksum_bypassed: checksum calculations bypassed (sum)
+
+
+
+
tcp_connector.messages: total messages (sum)
@@ -32264,6 +32438,11 @@ interval
wscale.~range: check if TCP window scale is in given r
+udp.checksum_bypassed: checksum calculations bypassed (sum)
+
+
+
+
wizard.tcp_hits: tcp identifications (sum)
@@ -33984,6 +34163,16 @@ interval
wscale.~range: check if TCP window scale is in given r
+121:6 (http2_inspect) misformatted HTTP/2 traffic
+
+
+
+
+121:7 (http2_inspect) HTTP/2 connection preface does not match
+
+
+
+
122:1 (port_scan) TCP portscan
@@ -34764,17 +34953,32 @@ interval
wscale.~range: check if TCP window scale is in given r
-136:1 (reputation) packets blacklisted
+136:1 (reputation) packets blacklisted based on source
+
+
+
+
+136:2 (reputation) packets whitelisted based on source
+
+
+
+
+136:3 (reputation) packets monitored based on source
+
+
+
+
+136:4 (reputation) packets blacklisted based on destination
-136:2 (reputation) packets whitelisted
+136:5 (reputation) packets whitelisted based on destination
-136:3 (reputation) packets monitored
+136:6 (reputation) packets monitored based on destination
@@ -38093,7 +38297,7 @@ Adding/removing stream_* inspectors if stream was already configured