<div class="literalblock">\r
<div class="content">\r
<pre><code> ,,_ -*> Snort++ <*-\r
-o" )~ Version 3.0.0-a4 (Build 237) from 2.9.8-383\r
+o" )~ Version 3.0.0 (Build 239) from 2.9.8-383\r
'''' By Martin Roesch & The Snort Team\r
http://snort.org/contact#team\r
Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.\r
</li>\r
<li>\r
<p>\r
+<strong>interval</strong>: a set of ints (see below)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>ip4</strong>: an IP4 address or CIDR\r
</p>\r
</li>\r
<li>\r
<p>\r
IPS rules may also have a wild card parameter, which is indicated by a\r
- *. Only used for metadata that Snort ignores.\r
+ *. Used for unquoted, comma-separated lists such as service and metadata.\r
</p>\r
</li>\r
<li>\r
values.\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+interval takes the form [operator]i, j<>k, or j<⇒k where i,j,k are\r
+ integers and operator is one of =, !, != (same as !), <, ⇐, >, >=.\r
+ j<>k means j < int < k and j<⇒k means j ⇐ int ⇐ k.\r
+</p>\r
+</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
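Review bot: the interval grammar added to the types list has been garbled by the AsciiDoc renderer, which replaces `<=` with ⇐ and `=>` with ⇒, so the operator list reads "=, !, != (same as !), <, ⇐, >, >=" and the range form reads "j<⇒k" and "j ⇐ int ⇐ k" while `>=` survives intact; escape the `<=` and `=>` sequences in the source (a passthrough or literal is enough) so the page shows `<=`, `j<=>k` and `j <= int <= k`. As rendered, a reader cannot type the documented operator, and the asymmetry with the untouched `>=` makes it look like a different operator is meant.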
</li>\r
<li>\r
<p>\r
+iconv from <a href="https://ftp.gnu.org/pub/gnu/libiconv/">https://ftp.gnu.org/pub/gnu/libiconv/</a> for converting\r
+ UTF16-LE filenames to UTF8 (usually included in glibc)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
lzma >= 5.1.2 from <a href="http://tukaani.org/xz/">http://tukaani.org/xz/</a> for decompression of SWF and\r
PDF files\r
</p>\r
manual\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+uuid from uuid-dev package for unique identifiers\r
+</p>\r
+</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
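Review bot: the new uuid entry names a Debian/Ubuntu package ("uuid-dev") where the neighbouring entries name the library itself (iconv, lzma), a version floor where one matters (">= 5.1.2") and an upstream URL; name the library (libuuid, shipped with util-linux) and its upstream so readers on other distributions can find the right development package, and say which feature needs it, since "for unique identifiers" tells the reader nothing about whether the dependency is optional the way the iconv entry's "UTF16-LE filenames" and the lzma entry's "SWF and PDF files" do.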
<div class="content">\r
<pre><code>snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A alert_full</code></pre>\r
</div></div>\r
+<div class="paragraph"><p>Capture separate stdout, stderr, and stdlog files (out has startup and\r
+shutdown output, err has warnings and errors, and log has alerts):</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A csv \\r
+ 1>out 2>err 3>log</code></pre>\r
+</div></div>\r
<div class="paragraph"><p>Add or modify a configuration from the command line using the "--lua" option:</p></div>\r
<div class="literalblock">\r
<div class="content">\r
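Review bot: the "Capture separate stdout, stderr, and stdlog files" example depends on Snort writing alerts to file descriptor 3, but the lead-in only names the stream "stdlog" and never says it is descriptor 3 or that this is a Snort convention rather than a shell one; add a sentence to that effect, because `3>log` redirects a descriptor an ordinary program never opens, and a reader who does not know the convention will assume the alerts went to stdout. The example also switches to `-A csv` while the preceding one uses `-A alert_full` without comment; if the alert mode has no bearing on which descriptor receives the alerts, use the same mode in both examples so the only visible difference is the redirection.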
<div class="paragraph"><p>Snort uses the C operators for each of these operators. If the &\r
operator is used, then it would be the same as using</p></div>\r
<div class="listingblock">\r
-<div class="content"><!-- Generator: GNU source-highlight 3.1.6\r
+<div class="content"><!-- Generator: GNU source-highlight 3.1.8\r
by Lorenzo Bettini\r
http://www.lorenzobettini.it\r
http://www.gnu.org/software/src-highlite -->\r
to http_header when no specific header is specified.</p></div>\r
</div>\r
<div class="sect4">\r
+<h5 id="_http_true_ip">http_true_ip</h5>\r
+<div class="paragraph"><p>This provides the original IP address of the client sending the request as\r
+it was stored by a proxy in the request message headers. Specifically it\r
+is the last IP address listed in the X-Forwarded-For or True-Client-IP\r
+header. If both headers are present the former is used.</p></div>\r
+</div>\r
+<div class="sect4">\r
<h5 id="_http_client_body">http_client_body</h5>\r
<div class="paragraph"><p>This is the body of a request message such as POST or PUT. Normalization\r
for http_client_body is the same URI-like normalization applied to\r
http_header when no specific header is specified.</p></div>\r
</div>\r
<div class="sect4">\r
+<h5 id="_http_raw_body">http_raw_body</h5>\r
+<div class="paragraph"><p>This is the body of a request or response message. It will be dechunked\r
+and unzipped if applicable but will not be normalized in any other way.\r
+The difference between http_raw_body and packet data is a rule that uses\r
+packet data will search and may match an HTTP header, but http_raw_body\r
+is limited to the message body. Thus the latter is more efficient and\r
+more accurate for most uses.</p></div>\r
+</div>\r
+<div class="sect4">\r
<h5 id="_http_method">http_method</h5>\r
<div class="paragraph"><p>The method field of a request message. Common values are "GET", "POST",\r
"OPTIONS", "HEAD", "DELETE", "PUT", "TRACE", and "CONNECT".</p></div>\r
<div class="paragraph"><p>file_data contains the normalized message body. This is the normalization\r
described above under gzip, normalize_utf, decompress_pdf, decompress_swf,\r
and normalize_javascript.</p></div>\r
-<div class="paragraph"><p>The unnormalized message body is available in the packet data. If gzip is\r
-configured the packet data will be unzipped.</p></div>\r
+<div class="paragraph"><p>The unnormalized message content is available in the packet data. If gzip\r
+is configured the packet data will be unzipped.</p></div>\r
</div>\r
</div>\r
<div class="sect3">\r
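Review bot: the new http_true_ip text says the option yields "the original IP address of the client" and then defines it as "the last IP address listed in the X-Forwarded-For" header; in the X-Forwarded-For format the first entry is the address the originating client is claimed to have and each proxy appends the peer address it saw, so the last entry is the address recorded by the proxy nearest the sensor, not the origin. State which one the option selects and why (the last entry is the one written by the closest proxy and so the hardest for the client to forge), and add the caveat that both X-Forwarded-For and True-Client-IP are supplied by the peer and can be set to anything by a client that is not behind a trusted proxy, so rules keyed on http_true_ip must not treat it as an authenticated source address. The "If both headers are present the former is used" sentence should also say whether "former" means X-Forwarded-For (the order in the previous sentence) to avoid the ambiguity.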
</div>\r
</div>\r
<div class="sect2">\r
+<h3 id="_pop_and_imap">POP and IMAP</h3>\r
+<div class="paragraph"><p>POP inspector is a service inspector for POP3 protocol and IMAP inspector\r
+is for IMAP4 protocol.</p></div>\r
+<div class="sect3">\r
+<h4 id="_overview_7">Overview</h4>\r
+<div class="paragraph"><p>POP and IMAP inspectors examine data traffic and find POP and IMAP\r
+commands and responses. The inspectors also identify the command, header,\r
+body sections and extract the MIME attachments and decode it\r
+appropriately. The pop and imap also identify and whitelist the pop and\r
+imap traffic.</p></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_configuration_5">Configuration</h4>\r
+<div class="paragraph"><p>POP inspector and IMAP inspector offer same set of configuration options\r
+for MIME decoding depth:</p></div>\r
+<div class="sect4">\r
+<h5 id="_b64_decode_depth">b64_decode_depth</h5>\r
+<div class="paragraph"><p>This config option is used to turn off/on or set the base64 decoding depth\r
+used to decode the base64 encoded MIME attachments. The value ranges from\r
+-1 to 65535. A value of -1 turns off the base64 decoding of MIME\r
+attachments. The value of 0 sets the decoding of base64 encoded MIME\r
+attachments to unlimited. A value other than 0 or -1 restricts the\r
+decoding of base64 MIME attachments, and applies per attachment. The\r
+default value is 1460.</p></div>\r
+</div>\r
+<div class="sect4">\r
+<h5 id="_qp_decode_depth">qp_decode_depth</h5>\r
+<div class="paragraph"><p>This config option is used to turn off/on or set the Quoted-Printable\r
+decoding depth used to decode the Quoted-Printable(QP) encoded MIME\r
+attachments. The value ranges from -1 to 65535. A value of -1 turns off\r
+the QP decoding of MIME attachments.\r
+The value of 0 sets the decoding of QP encoded MIME attachments to\r
+unlimited. A value other than 0 or -1 restricts the decoding of QP MIME\r
+attachments, and applies per attachment.</p></div>\r
+</div>\r
+<div class="sect4">\r
+<h5 id="_bitenc_decode_depth">bitenc_decode_depth</h5>\r
+<div class="paragraph"><p>This config option is used to turn off/on or set the non-encoded MIME\r
+extraction depth used to extract the non-encoded MIME attachments. The\r
+value ranges from -1 to 65535. A value of -1 turns off the extraction of\r
+these MIME attachments.\r
+The value of 0 sets the extraction of these MIME attachments to unlimited.\r
+A value other than 0 or -1 restricts the extraction of these MIME\r
+attachments, and applies per attachment.</p></div>\r
+</div>\r
+<div class="sect4">\r
+<h5 id="_uu_decode_depth">uu_decode_depth</h5>\r
+<div class="paragraph"><p>This config option is used to turn off/on or set the Unix-to-Unix decoding\r
+depth used to decode the Unix-to-Unix(UU) encoded attachments. The value\r
+ranges from -1 to 65535. A value of -1 turns off the UU decoding of POP\r
+attachments.\r
+The value of 0 sets the decoding of UU encoded POP attachments to\r
+unlimited. A value other than 0 or -1 restricts the decoding of UU POP\r
+attachments, and applies per attachment.</p></div>\r
+</div>\r
+<div class="sect4">\r
+<h5 id="_examples_5">Examples</h5>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>stream = { }</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>stream_tcp = { }</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>stream_ip = { }</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>binder =\r
+{\r
+ {\r
+ {\r
+ when = { proto = 'tcp', ports = '110', },\r
+ use = { type = 'pop', },\r
+ },\r
+ {\r
+ when = { proto = 'tcp', ports = '143', },\r
+ use = { type = 'imap', },\r
+ },\r
+ },\r
+}</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>imap =\r
+{\r
+ qp_decode_depth = 15,\r
+}</code></pre>\r
+</div></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>pop =\r
+{\r
+ qp_decode_depth = 0,\r
+ b64_decode_depth = 10,\r
+}</code></pre>\r
+</div></div>\r
+</div>\r
+</div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_port_scan">Port Scan</h3>\r
+<div class="paragraph"><p>A module to detect port scanning</p></div>\r
+<div class="sect3">\r
+<h4 id="_overview_8">Overview</h4>\r
+<div class="paragraph"><p>This module is designed to detect the first phase in a network attack:\r
+Reconnaissance. In the Reconnaissance phase, an attacker determines\r
+what types of network protocols or services a host supports. This is\r
+the traditional place where a portscan takes place. This phase assumes\r
+the attacking host has no prior knowledge of what protocols or\r
+services are supported by the target, otherwise this phase would not\r
+be necessary.</p></div>\r
+<div class="paragraph"><p>As the attacker has no beforehand knowledge of its intended target,\r
+most queries sent by the attacker will be negative (meaning that the\r
+services are closed). In the nature of legitimate network\r
+communications, negative responses from hosts are rare, and rarer\r
+still are multiple negative responses within a given amount of time.\r
+Our primary objective in detecting portscans is to detect and track\r
+these negative responses.</p></div>\r
+<div class="paragraph"><p>One of the most common portscanning tools in use today is Nmap. Nmap\r
+encompasses many, if not all, of the current portscanning techniques.\r
+Portscan was designed to be able to detect the different types of\r
+scans Nmap can produce.</p></div>\r
+<div class="paragraph"><p>The following are a list of the types of Nmap scans Portscan\r
+will currently alert for.</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+TCP Portscan\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+UDP Portscan\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+IP Portscan\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>These alerts are for one to one portscans, which are the traditional\r
+types of scans; one host scans multiple ports on another host. Most of\r
+the port queries will be negative, since most hosts have relatively\r
+few services available.</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+TCP Decoy Portscan\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+UDP Decoy Portscan\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+IP Decoy Portscan\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Decoy portscans are much like regular, only the attacker has spoofed\r
+source address inter-mixed with the real scanning address. This tactic\r
+helps hide the true identity of the attacker.</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+TCP Distributed Portscan\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+UDP Distributed Portscan\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+IP Distributed Portscan\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>These are many to one portscans. Distributed portscans occur when\r
+multiple hosts query one host for open services. This is used to evade\r
+an IDS and obfuscate command and control hosts.</p></div>\r
+<div class="admonitionblock">\r
+<table><tr>\r
+<td class="icon">\r
+<img src="./images/icons/note.png" alt="Note" />\r
+</td>\r
+<td class="content">Negative queries will be distributed among scanning hosts, so\r
+we track this type of scan through the scanned host.</td>\r
+</tr></table>\r
+</div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+TCP Portsweep\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+UDP Portsweep\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+IP Portsweep\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+ICMP Portsweep\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>These alerts are for one to many portsweeps. One host scans a single\r
+port on multiple hosts. This usually occurs when a new exploit comes out\r
+and the attacker is looking for a specific service.</p></div>\r
+<div class="admonitionblock">\r
+<table><tr>\r
+<td class="icon">\r
+<img src="./images/icons/note.png" alt="Note" />\r
+</td>\r
+<td class="content">The characteristics of a portsweep scan may not result in many\r
+negative responses. For example, if an attacker portsweeps a web farm\r
+for port 80, we will most likely not see many negative responses.</td>\r
+</tr></table>\r
+</div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+TCP Filtered Portscan\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+UDP Filtered Portscan\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+IP Filtered Portscan\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+TCP Filtered Decoy Portscan\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+UDP Filtered Decoy Portscan\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+IP Filtered Decoy Portscan\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+TCP Filtered Portsweep\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+UDP Filtered Portsweep\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+IP Filtered Portsweep\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+ICMP Filtered Portsweep\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+TCP Filtered Distributed Portscan\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+UDP Filtered Distributed Portscan\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+IP Filtered Distributed Portscan\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>"Filtered" alerts indicate that there were no network errors (ICMP\r
+unreachables or TCP RSTs) or responses on closed ports have been\r
+suppressed. It’s also a good indicator on whether the alert is just a\r
+very active legitimate host. Active hosts, such as NATs, can trigger\r
+these alerts because they can send out many connection attempts within\r
+a very small amount of time. A filtered alert may go off before\r
+responses from the remote hosts are received.</p></div>\r
+<div class="paragraph"><p>Portscan only generates one alert for each host pair in question\r
+during the time window. On TCP scan alerts, Portscan\r
+will also display any open ports that were scanned. On TCP sweep alerts\r
+however, Portscan will only track open ports after the alert has been\r
+triggered. Open port events are not individual alerts, but tags based\r
+off the original scan alert.</p></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_scan_levels">Scan levels</h4>\r
+<div class="paragraph"><p>There are 3 default scan levels that can be set.</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>1) default_hi_port_scan\r
+2) default_med_port_scan\r
+3) default_low_port_scan</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>Each of these default levels have separate options that can be edited\r
+to alter the scan sensitivity levels (scans, rejects, nets or ports)</p></div>\r
+<div class="paragraph"><p>Example:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>port_scan = default_low_port_scan\r
+\r
+port_scan.tcp_decoy.ports = 1\r
+port_scan.tcp_decoy.scans = 1\r
+port_scan.tcp_decoy.rejects = 1\r
+port_scan.tcp_ports.nets = 1</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>The example above would change each of the individual settings to 1.</p></div>\r
+<div class="paragraph"><p>NOTE:The default levels for scans, rejects, nets and ports can be\r
+seen in the snort_defaults.lua file.</p></div>\r
+<div class="paragraph"><p>The counts can be seen in the alert outputs (-Acmg shown below):</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>50 72 69 6F 72 69 74 79 20 43 6F 75 6E 74 3A 20 Priority Count:\r
+30 0A 43 6F 6E 6E 65 63 74 69 6F 6E 20 43 6F 75 0.Connec tion Cou\r
+6E 74 3A 20 34 35 0A 49 50 20 43 6F 75 6E 74 3A nt: 45.I P Count:\r
+20 31 0A 53 63 61 6E 6E 65 72 20 49 50 20 52 61 1.Scann er IP Ra\r
+6E 67 65 3A 20 31 2E 32 2E 33 2E 34 3A 31 2E 32 nge: 1.2 .3.4:1.2\r
+2E 33 2E 34 0A 50 6F 72 74 2F 50 72 6F 74 6F 20 .3.4.Por t/Proto\r
+43 6F 75 6E 74 3A 20 33 37 0A 50 6F 72 74 2F 50 Count: 3 7.Port/P\r
+72 6F 74 6F 20 52 61 6E 67 65 3A 20 31 3A 39 0A roto Ran ge: 1:9.</code></pre>\r
+</div></div>\r
+<div class="paragraph"><p>"Low" alerts are only generated on error packets sent from the\r
+target host, and because of the nature of error responses, this\r
+setting should see very few false positives. However, this setting\r
+will never trigger a Filtered Scan alert because of a lack of error\r
+responses. This setting is based on a static time window of 60\r
+seconds, after which this window is reset.</p></div>\r
+<div class="paragraph"><p>"Medium" alerts track Connection Counts, and so will generate\r
+Filtered Scan alerts. This setting may false positive on active\r
+hosts (NATs, proxies, DNS caches, etc), so the user may need to\r
+deploy the use of Ignore directives to properly tune this directive.</p></div>\r
+<div class="paragraph"><p>"High" alerts continuously track hosts on a network using a time\r
+window to evaluate portscan statistics for that host. A "High"\r
+setting will catch some slow scans because of the continuous\r
+monitoring, but is very sensitive to active hosts. This most\r
+definitely will require the user to tune Portscan.</p></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_tuning_portscan">Tuning Portscan</h4>\r
+<div class="paragraph"><p>The most important aspect in detecting portscans is tuning the detection\r
+engine for your network(s). Here are some tuning tips:</p></div>\r
+<div class="paragraph"><p>Use the watch_ip, ignore_scanners, and ignore_scanned options.\r
+It’s important to correctly set these options. The watch_ip option\r
+is easy to understand. The analyst should set this option to the\r
+list of Cidr blocks and IPs that they want to watch. If no\r
+watch_ip is defined, Portscan will watch all network traffic.\r
+The ignore_scanners and ignore_scanned options come into play in\r
+weeding out legitimate hosts that are very active on your network.\r
+Some of the most common examples are NAT IPs, DNS cache servers,\r
+syslog servers, and nfs servers. Portscan may not generate false\r
+positives for these types of hosts, but be aware when first tuning\r
+Portscan for these IPs. Depending on the type of alert that the\r
+host generates, the analyst will know which to ignore it as. If\r
+the host is generating portsweep events, then add it to the\r
+ignore_scanners option. If the host is generating portscan alerts\r
+(and is the host that is being scanned), add it to the\r
+ignore_scanned option.</p></div>\r
+<div class="paragraph"><p>Filtered scan alerts are much more prone to false positives.\r
+When determining false positives, the alert type is very important.\r
+Most of the false positives that Portscan may generate are of the\r
+filtered scan alert type. So be much more suspicious of filtered\r
+portscans. Many times this just indicates that a host was very\r
+active during the time period in question. If the host continually\r
+generates these types of alerts, add it to the ignore_scanners list\r
+or use a lower sensitivity level.</p></div>\r
+<div class="paragraph"><p>Make use of the Priority Count, Connection Count, IP Count,\r
+Port Count, IP range, and Port range to determine false positives.\r
+The portscan alert details are vital in determining the scope of a\r
+portscan and also the confidence of the portscan. In the future,\r
+we hope to automate much of this analysis in assigning a scope\r
+level and confidence level, but for now the user must manually do\r
+this. The easiest way to determine false positives is through\r
+simple ratio estimations. The following is a list of ratios to\r
+estimate and the associated values that indicate a legitimate scan\r
+and not a false positive.</p></div>\r
+<div class="paragraph"><p>Connection Count / IP Count: This ratio indicates an estimated\r
+average of connections per IP. For portscans, this ratio should be\r
+high, the higher the better. For portsweeps, this ratio should be\r
+low.</p></div>\r
+<div class="paragraph"><p>Port Count / IP Count: This ratio indicates an estimated average\r
+of ports connected to per IP. For portscans, this ratio should be\r
+high and indicates that the scanned host’s ports were connected to\r
+by fewer IPs. For portsweeps, this ratio should be low, indicating\r
+that the scanning host connected to few ports but on many hosts.</p></div>\r
+<div class="paragraph"><p>Connection Count / Port Count: This ratio indicates an estimated\r
+average of connections per port. For portscans, this ratio should\r
+be low. This indicates that each connection was to a different\r
+port. For portsweeps, this ratio should be high. This indicates\r
+that there were many connections to the same port.</p></div>\r
+<div class="paragraph"><p>The reason that Priority Count is not included, is because the\r
+priority count is included in the connection count and the above\r
+comparisons take that into consideration. The Priority Count play\r
+an important role in tuning because the higher the priority count\r
+the more likely it is a real portscan or portsweep (unless the host\r
+is firewalled).</p></div>\r
+<div class="paragraph"><p>If all else fails, lower the sensitivity level.\r
+If none of these other tuning techniques work or the analyst\r
+doesn’t have the time for tuning, lower the sensitivity level. You\r
+get the best protection the higher the sensitivity level, but it’s\r
+also important that the portscan detection engine generates alerts\r
+that the analyst will find informative. The low sensitivity level\r
+only generates alerts based on error responses. These responses\r
+indicate a portscan and the alerts generated by the low sensitivity\r
+level are highly accurate and require the least tuning. The low\r
+sensitivity level does not catch filtered scans, since these are\r
+more prone to false positives.</p></div>\r
+</div>\r
+</div>\r
+<div class="sect2">\r
<h3 id="_sensitive_data_filtering">Sensitive Data Filtering</h3>\r
<div class="paragraph"><p>The <code>sd_pattern</code> IPS option provides detection and filtering of Personally\r
Identifiable Information (PII). This information includes credit card\r
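Review bot: the Scan levels example sets `port_scan.tcp_decoy.ports`, `.scans` and `.rejects` and then `port_scan.tcp_ports.nets`, yet the sentence that follows says "The example above would change each of the individual settings to 1", which reads as if all four lines tune the same table; either the last line should be `port_scan.tcp_decoy.nets = 1` or the prose should say that two tables are being edited. In the same section "(-Acmg shown below)" should be `-A cmg`, the spelling the SMTP log options use ("console output (-A cmg)"). In the POP and IMAP Configuration text, uu_decode_depth speaks only of "POP attachments" while the other three depth options say "MIME attachments"; since the options are shared by both inspectors, use the same wording. Only b64_decode_depth states its default (1460); qp_decode_depth, bitenc_decode_depth and uu_decode_depth give none, so a reader cannot tell from this page whether those decoders are on by default, which matters because a depth that is too small silently truncates what rules and file inspection see of an attachment.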
</div>\r
</div>\r
<div class="sect2">\r
+<h3 id="_smtp">SMTP</h3>\r
+<div class="paragraph"><p>SMTP inspector is a service inspector for SMTP protocol.</p></div>\r
+<div class="sect3">\r
+<h4 id="_overview_9">Overview</h4>\r
+<div class="paragraph"><p>The SMTP inspector examines SMTP connections looking for commands and\r
+responses. It also identifies the command, header and body sections, TLS\r
+data and extracts the MIME attachments. This inspector also identifies and\r
+whitelists the SMTP traffic.</p></div>\r
+<div class="paragraph"><p>SMTP inspector logs the filename, email addresses, attachment names when\r
+configured.</p></div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_configuration_6">Configuration</h4>\r
+<div class="paragraph"><p>SMTP command lines can be normalized to remove extraneous spaces.\r
+TLS-encrypted traffic can be ignored, which improves performance. In\r
+addition, plain-text mail data can be ignored for an additional\r
+performance boost.</p></div>\r
+<div class="paragraph"><p>The configuration options are described below:</p></div>\r
+<div class="sect4">\r
+<h5 id="_normalize_and_normalize_cmds">normalize and normalize_cmds</h5>\r
+<div class="paragraph"><p>Normalization checks for more than one space character after a command.\r
+Space characters are defined as space (ASCII 0x20) or tab (ASCII 0x09).\r
+"normalize" provides options all|none|cmds, <em>all</em> checks all commands,\r
+<em>none</em> turns off normalization for all commands. <em>cmds</em> just checks\r
+commands listed with the "normalize_cmds" parameter.\r
+For example:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>smtp = { normalize = 'cmds', normalize_cmds = 'RCPT VRFY EXPN' }</code></pre>\r
+</div></div>\r
+</div>\r
+<div class="sect4">\r
+<h5 id="_ignore_data">ignore_data</h5>\r
+<div class="paragraph"><p>Set it to true to ignore data section of mail (except for mail headers)\r
+when processing rules.</p></div>\r
+</div>\r
+<div class="sect4">\r
+<h5 id="_ignore_tls_data">ignore_tls_data</h5>\r
+<div class="paragraph"><p>Set it to true to ignore TLS-encrypted data when processing rules.</p></div>\r
+</div>\r
+<div class="sect4">\r
+<h5 id="_max_command_line_len">max_command_line_len</h5>\r
+<div class="paragraph"><p>Alert if an SMTP command line is longer than this value. Absence of this\r
+option or a "0" means never alert on command line length. RFC 2821\r
+recommends 512 as a maximum command line length.</p></div>\r
+</div>\r
+<div class="sect4">\r
+<h5 id="_max_header_line_len">max_header_line_len</h5>\r
+<div class="paragraph"><p>Alert if an SMTP DATA header line is longer than this value. Absence of\r
+this option or a "0" means never alert on data header line length. RFC\r
+2821 recommends 1024 as a maximum data header line length.</p></div>\r
+</div>\r
+<div class="sect4">\r
+<h5 id="_max_response_line_len">max_response_line_len</h5>\r
+<div class="paragraph"><p>Alert if an SMTP response line is longer than this value. Absence of this\r
+option or a "0" means never alert on response line length. RFC 2821\r
+recommends 512 as a maximum response line length.</p></div>\r
+</div>\r
+<div class="sect4">\r
+<h5 id="_alt_max_command_line_len">alt_max_command_line_len</h5>\r
+<div class="paragraph"><p>Overrides max_command_line_len for specific commands\r
+For example:</p></div>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>alt_max_command_line_len =\r
+{\r
+ {\r
+ command = 'MAIL',\r
+ length = 260,\r
+ },\r
+ {\r
+ command = 'RCPT',\r
+ length = 300,\r
+ },\r
+}</code></pre>\r
+</div></div>\r
+</div>\r
+<div class="sect4">\r
+<h5 id="_invalid_cmds">invalid_cmds</h5>\r
+<div class="paragraph"><p>Alert if this command is sent from client side.</p></div>\r
+</div>\r
+<div class="sect4">\r
+<h5 id="_valid_cmds">valid_cmds</h5>\r
+<div class="paragraph"><p>List of valid commands. We do not alert on commands in this list.</p></div>\r
+<div class="paragraph"><p>DEFAULT empty list, but SMTP inspector has this list hard-coded:\r
+[[ ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN\r
+ HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SIZE\r
+ STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS X-LINK2STATE\r
+ XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR ]]</p></div>\r
+</div>\r
+<div class="sect4">\r
+<h5 id="_data_cmds">data_cmds</h5>\r
+<div class="paragraph"><p>List of commands that initiate sending of data with an end of data\r
+delimiter the same as that of the DATA command per RFC 5321 -\r
+"<CRLF>.<CRLF>".</p></div>\r
+</div>\r
+<div class="sect4">\r
+<h5 id="_binary_data_cmds">binary_data_cmds</h5>\r
+<div class="paragraph"><p>List of commands that initiate sending of data and use a length value\r
+after the command to indicate the amount of data to be sent, similar to\r
+that of the BDAT command per RFC 3030.</p></div>\r
+</div>\r
+<div class="sect4">\r
+<h5 id="_auth_cmds">auth_cmds</h5>\r
+<div class="paragraph"><p>List of commands that initiate an authentication exchange between client\r
+and server.</p></div>\r
+</div>\r
+<div class="sect4">\r
+<h5 id="_xlink2state">xlink2state</h5>\r
+<div class="paragraph"><p>Enable/disable xlink2state alert, options are {disable | alert | drop}.\r
+See CVE-2005-0560 for a description of the vulnerability.</p></div>\r
+</div>\r
+<div class="sect4">\r
+<h5 id="_b64_decode_depth_2">b64_decode_depth</h5>\r
+<div class="paragraph"><p>This config option is used to turn off/on or set the base64 decoding depth\r
+used to decode the base64 encoded MIME attachments. The value ranges from\r
+-1 to 65535. A value of -1 turns off the base64 decoding of MIME\r
+attachments. The value of 0\r
+sets the decoding of base64 encoded MIME attachments to unlimited. A value\r
+other than 0 or -1 restricts the decoding of base64 MIME attachments, and\r
+applies per attachment.</p></div>\r
+</div>\r
+<div class="sect4">\r
+<h5 id="_qp_decode_depth_2">qp_decode_depth</h5>\r
+<div class="paragraph"><p>This config option is used to turn off/on or set the Quoted-Printable\r
+decoding depth used to decode the Quoted-Printable(QP) encoded MIME\r
+attachments. The value ranges from -1 to 65535. A value of -1 turns off\r
+the QP decoding of MIME attachments.\r
+The value of 0 sets the decoding of QP encoded MIME attachments to\r
+unlimited. A value other than 0 or -1 restricts the decoding of QP MIME\r
+attachments, and applies per attachment.</p></div>\r
+</div>\r
+<div class="sect4">\r
+<h5 id="_bitenc_decode_depth_default_to_25">bitenc_decode_depth * default to 25</h5>\r
+<div class="paragraph"><p>This config option is used to turn off/on or set the non-encoded MIME\r
+extraction depth used to extract the non-encoded MIME attachments. The\r
+value ranges from -1 to 65535. A value of -1 turns off the extraction of\r
+these MIME attachments.\r
+The value of 0 sets the extraction of these MIME attachments to unlimited.\r
+A value other than 0 or -1 restricts the extraction of these MIME\r
+attachments, and applies per attachment.</p></div>\r
+</div>\r
+<div class="sect4">\r
+<h5 id="_uu_decode_depth_2">uu_decode_depth</h5>\r
+<div class="paragraph"><p>This config option is used to turn off/on or set the Unix-to-Unix decoding\r
+depth used to decode the Unix-to-Unix(UU) encoded attachments. The value\r
+ranges from -1 to 65535. A value of -1 turns off the UU decoding of SMTP\r
+attachments.\r
+The value of 0 sets the decoding of UU encoded SMTP attachments to\r
+unlimited. A value other than 0 or -1 restricts the decoding of UU SMTP\r
+attachments, and applies per attachment.</p></div>\r
+</div>\r
+<div class="sect4">\r
+<h5 id="_log_options">Log Options</h5>\r
+<div class="paragraph"><p>Following log options allow SMTP inspector to log email addresses and\r
+filenames.\r
+Please note, this is logged only with the unified2 output and is not\r
+logged with the console output (-A cmg). u2spewfoo can be used to read\r
+this data from the unified2.</p></div>\r
+<div class="paragraph"><p><em>log_mailfrom</em></p></div>\r
+<div class="paragraph"><p>This option enables SMTP inspector to parse and log the sender’s email\r
+address extracted from the "MAIL FROM" command along with all the\r
+generated events for that session. The maximum number of bytes logged for\r
+this option is 1024.</p></div>\r
+<div class="paragraph"><p><em>log_rcptto</em></p></div>\r
+<div class="paragraph"><p>This option enables SMTP inspector to parse and log the recipient email\r
+addresses extracted from the "RCPT TO" command along with all the\r
+generated events for that session. Multiple recipients are appended with\r
+commas. The maximum number of bytes logged for this option is 1024.</p></div>\r
+<div class="paragraph"><p><em>log_filename</em></p></div>\r
+<div class="paragraph"><p>This option enables SMTP inspector to parse and log the MIME attachment\r
+filenames extracted from the Content-Disposition header within the MIME\r
+body along with all the generated events for that session. Multiple\r
+filenames are appended with commas. The maximum number of bytes logged for\r
+this option is 1024.</p></div>\r
+<div class="paragraph"><p><em>log_email_hdrs</em></p></div>\r
+<div class="paragraph"><p>This option enables SMTP inspector to parse and log the SMTP email headers\r
+extracted from SMTP data along with all generated events for that session.\r
+The number of bytes extracted and logged depends upon the\r
+email_hdrs_log_depth.</p></div>\r
+<div class="paragraph"><p><em>email_hdrs_log_depth</em></p></div>\r
+<div class="paragraph"><p>This option specifies the depth for logging email headers. The allowed\r
+range for this option is 0 - 20480. A value of 0 will disable email\r
+headers logging. The default value for this option is 1464.</p></div>\r
+</div>\r
+</div>\r
+<div class="sect3">\r
+<h4 id="_example_2">Example</h4>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>smtp =\r
+{\r
+ normalize = 'cmds',\r
+ normalize_cmds = 'EXPN VRFY RCPT',\r
+ b64_decode_depth = 0,\r
+ qp_decode_depth = 0,\r
+ bitenc_decode_depth = 0,\r
+ uu_decode_depth = 0,\r
+ log_mailfrom = true,\r
+ log_rcptto = true,\r
+ log_filename = true,\r
+ log_email_hdrs = true,\r
+ max_command_line_len = 512,\r
+ max_header_line_len = 1000,\r
+ max_response_line_len = 512,\r
+ max_auth_command_line_len = 50,\r
+ xlink2state = 'alert',\r
+ alt_max_command_line_len =\r
+ {\r
+ {\r
+ command = 'MAIL',\r
+ length = 260,\r
+ },\r
+ {\r
+ command = 'RCPT',\r
+ length = 300,\r
+ },\r
+ {\r
+ command = 'HELP',\r
+ length = 500,\r
+ },\r
+ {\r
+ command = 'HELO',\r
+ length = 500,\r
+ },\r
+ {\r
+ command = 'ETRN',\r
+ length = 500,\r
+ },\r
+ {\r
+ command = 'EXPN',\r
+ length = 255,\r
+ },\r
+ {\r
+ command = 'VRFY',\r
+ length = 255,\r
+ },\r
+ },\r
+}</code></pre>\r
+</div></div>\r
+</div>\r
+</div>\r
+<div class="sect2">\r
<h3 id="_wizard">Wizard</h3>\r
<div class="paragraph"><p>Using the wizard enables port-independent configuration and the detection of\r
malware command and control channels. If the wizard is bound to a session, it\r
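Review bot: the smtp example at the end of this hunk sets b64_decode_depth, qp_decode_depth, bitenc_decode_depth and uu_decode_depth all to 0, which the text at the top of the hunk defines as unlimited decoding; that is the most memory- and CPU-hungry setting, so either pick a bounded value for the example or add a sentence after it saying that 0 is unlimited, so the block is not copied into production unchanged. Two smaller doc points in the same hunk: the Log Options intro is missing its articles ("The following log options allow the SMTP inspector to log email addresses and filenames."), and the three "maximum number of bytes logged for this option is 1024" statements for log_mailfrom, log_rcptto and log_filename do not say what happens past the limit (truncation of the comma-separated list, or nothing logged), which matters to anyone correlating logged recipients with the actual message.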
<h3 id="_active">active</h3>\r
<div class="paragraph"><p>What: configure responses</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_alerts_2">alerts</h3>\r
<div class="paragraph"><p>What: configure alerts</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>alerts.log_references</strong> = false: include rule references in alert info (full only)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>alerts.order</strong> = pass drop alert log: change the order of rule action application\r
</p>\r
</li>\r
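Review bot: the "(full only)" qualifier on the new alerts.log_references entry is too terse to be unambiguous; if it means the references are emitted only by the alert_full output, say so, e.g. "include rule references in alert info (alert_full output only)", matching the -A alert_full spelling used elsewhere in the manual.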
</li>\r
<li>\r
<p>\r
-string <strong>alerts.tunnel_verdicts</strong>: let DAQ handle non-allow verdicts for GTP|Teredo|6in4|4in6 traffic\r
+string <strong>alerts.tunnel_verdicts</strong>: let DAQ handle non-allow verdicts for gtp|teredo|6in4|4in6|4in4|6in6|gre|mpls traffic\r
</p>\r
</li>\r
</ul></div>\r
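Review bot: the rewritten alerts.tunnel_verdicts line changes the protocol names from GTP|Teredo to lowercase gtp|teredo while adding 4in4|6in6|gre|mpls; state whether the values are matched case-insensitively or must now be given in this exact lowercase form, since existing configs may carry the old spelling. The entry also still does not say how several values are delimited in the string (the '|' is a list of choices, not the config syntax); give one concrete value in the description.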
<h3 id="_attribute_table">attribute_table</h3>\r
<div class="paragraph"><p>What: configure hosts loading</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_classifications">classifications</h3>\r
<div class="paragraph"><p>What: define rule categories with priority</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_daq">daq</h3>\r
<div class="paragraph"><p>What: configure packet acquisition interface</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>daq.pcaps</strong>: total files and interfaces processed\r
+<strong>daq.pcaps</strong>: total files and interfaces processed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>daq.received</strong>: total packets received from DAQ\r
+<strong>daq.received</strong>: total packets received from DAQ (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>daq.analyzed</strong>: total packets analyzed from DAQ\r
+<strong>daq.analyzed</strong>: total packets analyzed from DAQ (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>daq.dropped</strong>: packets dropped\r
+<strong>daq.dropped</strong>: packets dropped (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>daq.filtered</strong>: packets filtered out\r
+<strong>daq.filtered</strong>: packets filtered out (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>daq.outstanding</strong>: packets unprocessed\r
+<strong>daq.outstanding</strong>: packets unprocessed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>daq.injected</strong>: active responses or replacements\r
+<strong>daq.injected</strong>: active responses or replacements (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>daq.allow</strong>: total allow verdicts\r
+<strong>daq.allow</strong>: total allow verdicts (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>daq.block</strong>: total block verdicts\r
+<strong>daq.block</strong>: total block verdicts (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>daq.replace</strong>: total replace verdicts\r
+<strong>daq.replace</strong>: total replace verdicts (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>daq.whitelist</strong>: total whitelist verdicts\r
+<strong>daq.whitelist</strong>: total whitelist verdicts (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>daq.blacklist</strong>: total blacklist verdicts\r
+<strong>daq.blacklist</strong>: total blacklist verdicts (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>daq.ignore</strong>: total ignore verdicts\r
+<strong>daq.ignore</strong>: total ignore verdicts (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>daq.internal_blacklist</strong>: packets blacklisted internally due to lack of DAQ support\r
+<strong>daq.retry</strong>: total retry verdicts (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>daq.internal_whitelist</strong>: packets whitelisted internally due to lack of DAQ support\r
+<strong>daq.internal_blacklist</strong>: packets blacklisted internally due to lack of DAQ support (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>daq.skipped</strong>: packets skipped at startup\r
+<strong>daq.internal_whitelist</strong>: packets whitelisted internally due to lack of DAQ support (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>daq.idle</strong>: attempts to acquire from DAQ without available packets\r
+<strong>daq.skipped</strong>: packets skipped at startup (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>daq.rx_bytes</strong>: total bytes received\r
+<strong>daq.idle</strong>: attempts to acquire from DAQ without available packets (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>daq.rx_bytes</strong>: total bytes received (sum)\r
</p>\r
</li>\r
</ul></div>\r
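Review bot: every daq peg description in this hunk gains a "(sum)" suffix, but nothing in the hunk or under "Peg counts:" says what it means (how the per-thread counters are combined when stats are dumped, and whether other aggregations exist); add a one-line legend the first time the suffix appears rather than leaving readers to guess. Also, from daq.internal_blacklist onward the diff pairs unrelated lines ("-daq.internal_blacklist" against "+daq.retry", and so on down to "+daq.rx_bytes"); the resulting text looks right, but please confirm that daq.retry is the only real addition and that no existing description changed in passing.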
<h3 id="_decode">decode</h3>\r
<div class="paragraph"><p>What: general decoder rules</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_detection">detection</h3>\r
<div class="paragraph"><p>What: configure general IPS rule processing parameters</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>detection.analyzed</strong>: packets sent to detection\r
+<strong>detection.analyzed</strong>: packets sent to detection (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.hard_evals</strong>: non-fast pattern rule evaluations\r
+<strong>detection.hard_evals</strong>: non-fast pattern rule evaluations (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.raw_searches</strong>: fast pattern searches in raw packet data\r
+<strong>detection.raw_searches</strong>: fast pattern searches in raw packet data (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.cooked_searches</strong>: fast pattern searches in cooked packet data\r
+<strong>detection.cooked_searches</strong>: fast pattern searches in cooked packet data (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.pkt_searches</strong>: fast pattern searches in packet data\r
+<strong>detection.pkt_searches</strong>: fast pattern searches in packet data (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.alt_searches</strong>: alt fast pattern searches in packet data\r
+<strong>detection.alt_searches</strong>: alt fast pattern searches in packet data (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.key_searches</strong>: fast pattern searches in key buffer\r
+<strong>detection.key_searches</strong>: fast pattern searches in key buffer (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.header_searches</strong>: fast pattern searches in header buffer\r
+<strong>detection.header_searches</strong>: fast pattern searches in header buffer (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.body_searches</strong>: fast pattern searches in body buffer\r
+<strong>detection.body_searches</strong>: fast pattern searches in body buffer (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.file_searches</strong>: fast pattern searches in file buffer\r
+<strong>detection.file_searches</strong>: fast pattern searches in file buffer (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.offloads</strong>: fast pattern searches that were offloaded\r
+<strong>detection.offloads</strong>: fast pattern searches that were offloaded (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.alerts</strong>: alerts not including IP reputation\r
+<strong>detection.alerts</strong>: alerts not including IP reputation (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.total_alerts</strong>: alerts including IP reputation\r
+<strong>detection.total_alerts</strong>: alerts including IP reputation (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.logged</strong>: logged packets\r
+<strong>detection.logged</strong>: logged packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.passed</strong>: passed packets\r
+<strong>detection.passed</strong>: passed packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.match_limit</strong>: fast pattern matches not processed\r
+<strong>detection.match_limit</strong>: fast pattern matches not processed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.queue_limit</strong>: events not queued because queue full\r
+<strong>detection.queue_limit</strong>: events not queued because queue full (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.log_limit</strong>: events queued but not logged\r
+<strong>detection.log_limit</strong>: events queued but not logged (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.event_limit</strong>: events filtered\r
+<strong>detection.event_limit</strong>: events filtered (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.alert_limit</strong>: events previously triggered on same PDU\r
+<strong>detection.alert_limit</strong>: events previously triggered on same PDU (sum)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_event_filter">event_filter</h3>\r
<div class="paragraph"><p>What: configure thresholding of events</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_event_queue">event_queue</h3>\r
<div class="paragraph"><p>What: configure event queue parameters</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_high_availability_2">high_availability</h3>\r
<div class="paragraph"><p>What: implement flow tracking high availability</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
</p>\r
</li>\r
</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+<strong>high_availability.packets</strong>: total packets (sum)\r
+</p>\r
+</li>\r
+</ul></div>\r
</div>\r
<div class="sect2">\r
<h3 id="_host_cache">host_cache</h3>\r
<div class="paragraph"><p>What: configure hosts</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>host_cache.lru_cache_adds</strong>: lru cache added new entry\r
+<strong>host_cache.lru_cache_adds</strong>: lru cache added new entry (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>host_cache.lru_cache_replaces</strong>: lru cache replaced existing entry\r
+<strong>host_cache.lru_cache_replaces</strong>: lru cache replaced existing entry (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>host_cache.lru_cache_prunes</strong>: lru cache pruned entry to make space for new entry\r
+<strong>host_cache.lru_cache_prunes</strong>: lru cache pruned entry to make space for new entry (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>host_cache.lru_cache_find_hits</strong>: lru cache found entry in cache\r
+<strong>host_cache.lru_cache_find_hits</strong>: lru cache found entry in cache (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>host_cache.lru_cache_find_misses</strong>: lru cache did not find entry in cache\r
+<strong>host_cache.lru_cache_find_misses</strong>: lru cache did not find entry in cache (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>host_cache.lru_cache_removes</strong>: lru cache found entry and removed it\r
+<strong>host_cache.lru_cache_removes</strong>: lru cache found entry and removed it (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>host_cache.lru_cache_clears</strong>: lru cache clear API calls\r
+<strong>host_cache.lru_cache_clears</strong>: lru cache clear API calls (sum)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_host_tracker">host_tracker</h3>\r
<div class="paragraph"><p>What: configure hosts</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>host_tracker.service_adds</strong>: host service adds\r
+<strong>host_tracker.service_adds</strong>: host service adds (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>host_tracker.service_finds</strong>: host service finds\r
+<strong>host_tracker.service_finds</strong>: host service finds (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>host_tracker.service_removes</strong>: host service removes\r
+<strong>host_tracker.service_removes</strong>: host service removes (sum)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_hosts">hosts</h3>\r
<div class="paragraph"><p>What: configure hosts</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_ips">ips</h3>\r
<div class="paragraph"><p>What: configure IPS rule processing</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
string <strong>ips.rules</strong>: snort rules and includes\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+string <strong>ips.uuid</strong>: IPS policy uuid\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+<strong>ips.invalid_policy_ids</strong>: Number of times an invalid policy ID was provided (sum)\r
+</p>\r
+</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
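Review bot: the new ips.uuid entry says only "IPS policy uuid"; state the expected format, whether it is required, and the default when it is unset, so operators know what the new ips.invalid_policy_ids peg is counting. That peg's description is also capitalized ("Number of times ...") while every other peg on the page is lowercase; make it "number of times an invalid policy ID was provided (sum)".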
<h3 id="_latency">latency</h3>\r
<div class="paragraph"><p>What: packet and rule latency monitoring and control</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>latency.total_packets</strong>: total packets monitored\r
+<strong>latency.total_packets</strong>: total packets monitored (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>latency.total_usecs</strong>: total usecs elapsed\r
+<strong>latency.total_usecs</strong>: total usecs elapsed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>latency.max_usecs</strong>: maximum usecs elapsed\r
+<strong>latency.max_usecs</strong>: maximum usecs elapsed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>latency.packet_timeouts</strong>: packets that timed out\r
+<strong>latency.packet_timeouts</strong>: packets that timed out (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>latency.total_rule_evals</strong>: total rule evals monitored\r
+<strong>latency.total_rule_evals</strong>: total rule evals monitored (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>latency.rule_eval_timeouts</strong>: rule evals that timed out\r
+<strong>latency.rule_eval_timeouts</strong>: rule evals that timed out (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>latency.rule_tree_enables</strong>: rule tree re-enables\r
+<strong>latency.rule_tree_enables</strong>: rule tree re-enables (sum)\r
</p>\r
</li>\r
</ul></div>\r
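Review bot: latency.max_usecs is labelled "(sum)" like the counters around it, but summing a per-thread maximum across threads gives a number that is neither a maximum nor a total; if the value really is summed on dump the description "maximum usecs elapsed" is misleading, and if it is aggregated by taking the largest value the suffix should say so (e.g. "(max)"). Worth checking the same question for any other "(sum)" applied to a non-counter in this change.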
<h3 id="_memory">memory</h3>\r
<div class="paragraph"><p>What: memory management configuration</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_network">network</h3>\r
<div class="paragraph"><p>What: configure basic network parameters</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_output_2">output</h3>\r
<div class="paragraph"><p>What: configure general output parameters</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>output.log_ipv6_extra_data</strong> = false: log IPv6 source and destination addresses as unified2 extra data records\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>output.event_trace.max_data</strong> = 0: maximum amount of packet data to capture { 0:65535 }\r
</p>\r
</li>\r
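Review bot: output.log_ipv6_extra_data is removed here with no replacement or deprecation note; a snort.lua that still sets it will presumably fail to load as an unknown option, so add a line to the changelog/migration notes saying whether IPv6 extra-data logging is now always on, gone, or moved elsewhere.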
<h3 id="_packets">packets</h3>\r
<div class="paragraph"><p>What: configure basic packet handling</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_process">process</h3>\r
<div class="paragraph"><p>What: configure basic process setup</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_profiler">profiler</h3>\r
<div class="paragraph"><p>What: configure profiling of rules and/or modules</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_rate_filter">rate_filter</h3>\r
<div class="paragraph"><p>What: configure rate filters (which change rule actions)</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_references">references</h3>\r
<div class="paragraph"><p>What: define reference systems used in rules</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_rule_state">rule_state</h3>\r
<div class="paragraph"><p>What: enable/disable specific IPS rules</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_search_engine">search_engine</h3>\r
<div class="paragraph"><p>What: configure fast pattern matcher</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>search_engine.split_any_any</strong> = false: evaluate any-any rules separately to save memory\r
+bool <strong>search_engine.split_any_any</strong> = true: evaluate any-any rules separately to save memory\r
</p>\r
</li>\r
</ul></div>\r
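Review bot: the default of search_engine.split_any_any flips from false to true, which changes memory use and the rule evaluation path for every deployment on upgrade; the description (or the changelog) should say the default changed, and a short note on the trade-off ("to save memory" at the cost of what: extra searches, detection latency?) would help operators decide whether to set it back.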
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>search_engine.max_queued</strong>: maximum fast pattern matches queued for further evaluation\r
+<strong>search_engine.max_queued</strong>: maximum fast pattern matches queued for further evaluation (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>search_engine.total_flushed</strong>: fast pattern matches discarded due to overflow\r
+<strong>search_engine.total_flushed</strong>: fast pattern matches discarded due to overflow (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>search_engine.total_inserts</strong>: total fast pattern hits\r
+<strong>search_engine.total_inserts</strong>: total fast pattern hits (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>search_engine.total_unique</strong>: total unique fast pattern hits\r
+<strong>search_engine.total_unique</strong>: total unique fast pattern hits (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>search_engine.non_qualified_events</strong>: total non-qualified events\r
+<strong>search_engine.non_qualified_events</strong>: total non-qualified events (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>search_engine.qualified_events</strong>: total qualified events\r
+<strong>search_engine.qualified_events</strong>: total qualified events (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>search_engine.searched_bytes</strong>: total bytes searched\r
+<strong>search_engine.searched_bytes</strong>: total bytes searched (sum)\r
</p>\r
</li>\r
</ul></div>\r
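Review bot: search_engine.max_queued ("maximum fast pattern matches queued for further evaluation") has the same "(sum)" problem as latency.max_usecs: a maximum summed across threads is not a maximum. Confirm the aggregation and label it accordingly.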
<h3 id="_side_channel_2">side_channel</h3>\r
<div class="paragraph"><p>What: implement the side-channel asynchronous messaging subsystem</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
</p>\r
</li>\r
</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+<strong>side_channel.packets</strong>: total packets (sum)\r
+</p>\r
+</li>\r
+</ul></div>\r
</div>\r
<div class="sect2">\r
<h3 id="_snort">snort</h3>\r
<div class="paragraph"><p>What: command line configuration and shell commands</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--dump-builtin-rules</strong>: [<module prefix>] output stub rules for selected modules\r
+string <strong>snort.--dump-builtin-rules</strong>: [<module prefix>] output stub rules for selected modules { (optional) }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+implied <strong>snort.--gen-msg-map</strong>: dump builtin rules in gen-msg.map format for use by other tools\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>snort.--help</strong>: list command line options\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--help-options</strong>: <option prefix> output matching command line option quick help (same as -?) { (optional) }\r
+string <strong>snort.--help-options</strong>: [<option prefix>] output matching command line option quick help (same as -?) { (optional) }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+int <strong>snort.--id-offset</strong> = 0: offset to add to instance IDs when logging to files { 0:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>snort.--id-subdir</strong>: create/use instance subdirectories in logdir instead of instance filename prefix\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--list-builtin</strong>: <module prefix> output matching builtin rules { (optional) }\r
+string <strong>snort.--list-builtin</strong>: [<module prefix>] output matching builtin rules { (optional) }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+implied <strong>snort.--mem-check</strong>: like -T but also compile search engines\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>snort.--nostamps</strong>: don’t include timestamps in log file names\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>snort.delete_inspector</strong>(inspector): delete an inspector from the default policy\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>snort.dump_stats</strong>(): show summary statistics\r
</p>\r
</li>\r
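Review bot: snort.delete_inspector(inspector) does not say what the argument is (the inspector module name, an instance name?), what happens to sessions currently bound to that inspector, or what the command reports when nothing matches; since the snort.inspector_deletions peg added in the same change counts "number of times inspectors were deleted", also say whether that counts successful deletions only or every invocation.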
</li>\r
<li>\r
<p>\r
+<strong>snort.reload_policy</strong>(filename): reload part or all of the default policy\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>snort.reload_daq</strong>(): reload daq module\r
</p>\r
</li>\r
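Review bot: "reload part or all of the default policy" for snort.reload_policy(filename) is ambiguous; say what decides part versus all (the contents of the given file?), and whether an invocation is counted in the new snort.policy_reloads peg or in snort.conf_reloads, so operators watching dump_stats can tell the two reload paths apart.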
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>snort.local_commands</strong>: total local commands processed\r
+<strong>snort.local_commands</strong>: total local commands processed (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>snort.remote_commands</strong>: total remote commands processed (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>snort.signals</strong>: total signals processed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.remote_commands</strong>: total remote commands processed\r
+<strong>snort.conf_reloads</strong>: number of times configuration was reloaded (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.signals</strong>: total signals processed\r
+<strong>snort.policy_reloads</strong>: number of times policies were reloaded (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.conf_reloads</strong>: number of times configuration was reloaded\r
+<strong>snort.inspector_deletions</strong>: number of times inspectors were deleted (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.daq_reloads</strong>: number of times daq configuration was reloaded\r
+<strong>snort.daq_reloads</strong>: number of times daq configuration was reloaded (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.attribute_table_reloads</strong>: number of times hosts table was reloaded\r
+<strong>snort.attribute_table_reloads</strong>: number of times hosts table was reloaded (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.attribute_table_hosts</strong>: total number of hosts in table\r
+<strong>snort.attribute_table_hosts</strong>: total number of hosts in table (sum)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_suppress">suppress</h3>\r
<div class="paragraph"><p>What: configure event suppressions</p></div>\r
<div class="paragraph"><p>Type: basic</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_arp">arp</h3>\r
<div class="paragraph"><p>What: support for address resolution protocol</p></div>\r
<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_auth">auth</h3>\r
<div class="paragraph"><p>What: support for IP authentication header</p></div>\r
<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_ciscometadata">ciscometadata</h3>\r
<div class="paragraph"><p>What: support for cisco metadata</p></div>\r
<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_eapol">eapol</h3>\r
<div class="paragraph"><p>What: support for extensible authentication protocol over LAN</p></div>\r
<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_erspan2">erspan2</h3>\r
<div class="paragraph"><p>What: support for encapsulated remote switched port analyzer - type 2</p></div>\r
<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_erspan3">erspan3</h3>\r
<div class="paragraph"><p>What: support for encapsulated remote switched port analyzer - type 3</p></div>\r
<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_esp">esp</h3>\r
<div class="paragraph"><p>What: support for encapsulating security payload</p></div>\r
<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_eth">eth</h3>\r
<div class="paragraph"><p>What: support for ethernet protocol (DLT 1) (DLT 51)</p></div>\r
<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_fabricpath">fabricpath</h3>\r
<div class="paragraph"><p>What: support for fabricpath</p></div>\r
<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_gre">gre</h3>\r
<div class="paragraph"><p>What: support for generic routing encapsulation</p></div>\r
<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_gtp">gtp</h3>\r
<div class="paragraph"><p>What: support for general-packet-radio-service tunneling protocol</p></div>\r
<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_icmp4">icmp4</h3>\r
<div class="paragraph"><p>What: support for Internet control message protocol v4</p></div>\r
<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>icmp4.bad_checksum</strong>: non-zero icmp checksums\r
+<strong>icmp4.bad_checksum</strong>: non-zero icmp checksums (sum)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_icmp6">icmp6</h3>\r
<div class="paragraph"><p>What: support for Internet control message protocol v6</p></div>\r
<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>icmp6.bad_icmp6_checksum</strong>: nonzero icmp6 checksums\r
+<strong>icmp6.bad_icmp6_checksum</strong>: nonzero icmp6 checksums (sum)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_igmp">igmp</h3>\r
<div class="paragraph"><p>What: support for Internet group management protocol</p></div>\r
<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_ipv4">ipv4</h3>\r
<div class="paragraph"><p>What: support for Internet protocol v4</p></div>\r
<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>ipv4.bad_checksum</strong>: nonzero ip checksums\r
+<strong>ipv4.bad_checksum</strong>: nonzero ip checksums (sum)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_ipv6">ipv6</h3>\r
<div class="paragraph"><p>What: support for Internet protocol v6</p></div>\r
<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_llc">llc</h3>\r
<div class="paragraph"><p>What: support for logical link control</p></div>\r
<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_mpls">mpls</h3>\r
<div class="paragraph"><p>What: support for multiprotocol label switching</p></div>\r
<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>mpls.total_packets</strong>: total mpls labeled packets processed\r
+<strong>mpls.total_packets</strong>: total mpls labeled packets processed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>mpls.total_bytes</strong>: total mpls labeled bytes processed\r
+<strong>mpls.total_bytes</strong>: total mpls labeled bytes processed (sum)\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_pbb">pbb</h3>\r
+<div class="paragraph"><p>What: support for 802.1ah protocol</p></div>\r
+<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
+<div class="paragraph"><p>Rules:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+<strong>116:424</strong> (pbb) truncated ethernet header\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_pgm">pgm</h3>\r
<div class="paragraph"><p>What: support for pragmatic general multicast</p></div>\r
<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_pppoe">pppoe</h3>\r
<div class="paragraph"><p>What: support for point-to-point protocol over ethernet</p></div>\r
<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_tcp_2">tcp</h3>\r
<div class="paragraph"><p>What: support for transmission control protocol</p></div>\r
<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>tcp.bad_tcp4_checksum</strong>: nonzero tcp over ip checksums\r
+<strong>tcp.bad_tcp4_checksum</strong>: nonzero tcp over ip checksums (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>tcp.bad_tcp6_checksum</strong>: nonzero tcp over ipv6 checksums\r
+<strong>tcp.bad_tcp6_checksum</strong>: nonzero tcp over ipv6 checksums (sum)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_token_ring">token_ring</h3>\r
<div class="paragraph"><p>What: support for token ring decoding</p></div>\r
<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_udp_2">udp</h3>\r
<div class="paragraph"><p>What: support for user datagram protocol</p></div>\r
<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>udp.bad_udp4_checksum</strong>: nonzero udp over ipv4 checksums\r
+<strong>udp.bad_udp4_checksum</strong>: nonzero udp over ipv4 checksums (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>udp.bad_udp6_checksum</strong>: nonzero udp over ipv6 checksums\r
+<strong>udp.bad_udp6_checksum</strong>: nonzero udp over ipv6 checksums (sum)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_vlan">vlan</h3>\r
<div class="paragraph"><p>What: support for local area network</p></div>\r
<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_wlan">wlan</h3>\r
<div class="paragraph"><p>What: support for wireless local area network protocol (DLT 105)</p></div>\r
<div class="paragraph"><p>Type: codec</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_file_connector">file_connector</h3>\r
<div class="paragraph"><p>What: implement the file based connector</p></div>\r
<div class="paragraph"><p>Type: connector</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>file_connector.messages</strong>: total messages\r
+<strong>file_connector.messages</strong>: total messages (sum)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_tcp_connector">tcp_connector</h3>\r
<div class="paragraph"><p>What: implement the tcp stream connector</p></div>\r
<div class="paragraph"><p>Type: connector</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>tcp_connector.messages</strong>: total messages\r
+<strong>tcp_connector.messages</strong>: total messages (sum)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_appid_2">appid</h3>\r
<div class="paragraph"><p>What: application and service identification</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>appid.instance_id</strong> = 0: instance id - need more details for what this is { 0: }\r
+int <strong>appid.instance_id</strong> = 0: instance id - ignored { 0: }\r
</p>\r
</li>\r
<li>\r
</p>\r
</li>\r
</ul></div>\r
-<div class="paragraph"><p>Peg counts:</p></div>\r
-<div class="ulist"><ul>\r
-<li>\r
-<p>\r
-<strong>appid.packets</strong>: count of packets received\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.processed_packets</strong>: count of packets processed\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.ignored_packets</strong>: count of packets ignored\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.aim_clients</strong>: count of aim clients discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.battlefield_flows</strong>: count of battle field flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.bgp_flows</strong>: count of bgp flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.bit_clients</strong>: count of bittorrent clients discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.bit_flows</strong>: count of bittorrent flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.bittracker_clients</strong>: count of bittorrent tracker clients discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.bootp_flows</strong>: count of bootp flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.dcerpc_tcp_flows</strong>: count of dce rpc flows over tcp discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.dcerpc_udp_flows</strong>: count of dce rpc flows over udp discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.direct_connect_flows</strong>: count of direct connect flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.dns_tcp_flows</strong>: count of dns flows over tcp discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.dns_udp_flows</strong>: count of dns flows over udp discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.ftp_flows</strong>: count of ftp flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.ftps_flows</strong>: count of ftps flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.http_flows</strong>: count of http flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.imap_flows</strong>: count of imap service flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.imaps_flows</strong>: count of imap TLS service flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.irc_flows</strong>: count of irc service flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.kerberos_clients</strong>: count of kerberos clients discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.kerberos_flows</strong>: count of kerberos service flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.kerberos_users</strong>: count of kerberos users discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.lpr_flows</strong>: count of lpr service flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.mdns_flows</strong>: count of mdns service flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.msn_clients</strong>: count of msn clients discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.mysql_flows</strong>: count of mysql service flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.netbios_dgm_flows</strong>: count of netbios-dgm service flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.netbios_ns_flows</strong>: count of netbios-ns service flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.netbios_ssn_flows</strong>: count of netbios-ssn service flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.nntp_flows</strong>: count of nntp flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.ntp_flows</strong>: count of ntp flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.pop_flows</strong>: count of pop service flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.pop3_clients</strong>: count of pop3 clients discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.pop3s_clients</strong>: count of pop3s clients discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.radius_flows</strong>: count of radius flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.rexec_flows</strong>: count of rexec flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.rfb_flows</strong>: count of rfb flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.rlogin_flows</strong>: count of rlogin flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.rpc_flows</strong>: count of rpc flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.rshell_flows</strong>: count of rshell flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.rsync_flows</strong>: count of rsync service flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.rtmp_flows</strong>: count of rtmp flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.rtp_clients</strong>: count of rtp clients discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.sip_clients</strong>: count of SIP clients discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.sip_flows</strong>: count of SIP flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.smtp_aol_clients</strong>: count of AOL smtp clients discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.smtp_applemail_clients</strong>: count of Apple Mail smtp clients discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.smtp_eudora_clients</strong>: count of Eudora smtp clients discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.smtp_eudora_pro_clients</strong>: count of Eudora Pro smtp clients discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.smtp_evolution_clients</strong>: count of Evolution smtp clients discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.smtp_kmail_clients</strong>: count of KMail smtp clients discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.smtp_lotus_notes_clients</strong>: count of Lotus Notes smtp clients discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.smtp_microsoft_outlook_clients</strong>: count of Microsoft Outlook smtp clients discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.smtp_microsoft_outlook_express_clients</strong>: count of Microsoft Outlook Express smtp clients discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.smtp_microsoft_outlook_imo_clients</strong>: count of Microsoft Outlook IMO smtp clients discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.smtp_mutt_clients</strong>: count of Mutt smtp clients discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.smtp_thunderbird_clients</strong>: count of Thunderbird smtp clients discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.smtp_flows</strong>: count of smtp flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.smtps_flows</strong>: count of smtps flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.snmp_flows</strong>: count of snmp flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.ssh_clients</strong>: count of ssh clients discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.ssh_flows</strong>: count of ssh flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.ssl_flows</strong>: count of ssl flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.telnet_flows</strong>: count of telnet flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.tftp_flows</strong>: count of tftp flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.timbuktu_clients</strong>: count of timbuktu clients discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.timbuktu_flows</strong>: count of timbuktu flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.tns_clients</strong>: count of tns clients discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.tns_flows</strong>: count of tns flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.vnc_clients</strong>: count of vnc clients discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.yahoo_messenger_clients</strong>: count of Yahoo Messenger clients discovered\r
-</p>\r
-</li>\r
-</ul></div>\r
</div>\r
<div class="sect2">\r
<h3 id="_arp_spoof">arp_spoof</h3>\r
<div class="paragraph"><p>What: detect ARP attacks and anomalies</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
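Review bot: the entire appid "Peg counts" list (appid.packets through appid.yahoo_messenger_clients) is dropped in this hunk with nothing added in its place, so the manual no longer documents any appid counter; if the counters were removed from the inspector, the change notes should say so, and if they were only renamed or regrouped, the replacement list belongs here rather than in a later commit. Smaller point in the same hunk: `appid.instance_id` is now described as "ignored" yet stays a documented int option with range { 0: }; an option the inspector does not act on is better marked deprecated so readers do not set it expecting an effect.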
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>arp_spoof.packets</strong>: total packets\r
+<strong>arp_spoof.packets</strong>: total packets (sum)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_back_orifice">back_orifice</h3>\r
<div class="paragraph"><p>What: back orifice detection</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>back_orifice.packets</strong>: total packets\r
+<strong>back_orifice.packets</strong>: total packets (sum)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_binder_2">binder</h3>\r
<div class="paragraph"><p>What: configure processing based on CIDRs, ports, services, etc.</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>binder[].when.policy_id</strong> = 0: unique ID for selection of this config by external logic { 0: }\r
+int <strong>binder[].when.ips_policy_id</strong> = 0: unique ID for selection of this config by external logic { 0: }\r
</p>\r
</li>\r
<li>\r
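Review bot: renaming the configuration key `binder[].when.policy_id` to `binder[].when.ips_policy_id` is a user-visible change that breaks existing snort.lua files still using the old name, and this hunk gives no hint of that; the manual's change log should list the rename (old name, new name) so binder rules can be updated, and the unchanged description "unique ID for selection of this config by external logic" should say that the ID now refers to the ips policy, in line with the new `binder[].use.ips_policy` option documented further down.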
</li>\r
<li>\r
<p>\r
+addr_list <strong>binder[].when.src_nets</strong>: list of source networks\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+addr_list <strong>binder[].when.dst_nets</strong>: list of destination networks\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
enum <strong>binder[].when.proto</strong>: protocol { any | ip | icmp | tcp | udp | user | file }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+bit_list <strong>binder[].when.src_ports</strong>: list of source ports { 65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bit_list <strong>binder[].when.dst_ports</strong>: list of destination ports { 65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>binder[].when.src_zone</strong>: source zone { 0:2147483647 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>binder[].when.dst_zone</strong>: destination zone { 0:2147483647 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
enum <strong>binder[].when.role</strong> = any: use the given configuration on one or any end of a session { client | server | any }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+string <strong>binder[].use.inspection_policy</strong>: use inspection policy from given file\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>binder[].use.ips_policy</strong>: use ips policy from given file\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>binder[].use.network_policy</strong>: use network policy from given file\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>binder[].use.service</strong>: override automatic service identification\r
</p>\r
</li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>binder.packets</strong>: initial bindings\r
+<strong>binder.packets</strong>: initial bindings (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>binder.resets</strong>: reset bindings\r
+<strong>binder.resets</strong>: reset bindings (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>binder.blocks</strong>: block bindings\r
+<strong>binder.blocks</strong>: block bindings (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>binder.allows</strong>: allow bindings\r
+<strong>binder.allows</strong>: allow bindings (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>binder.inspects</strong>: inspect bindings\r
+<strong>binder.inspects</strong>: inspect bindings (sum)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_data_log">data_log</h3>\r
<div class="paragraph"><p>What: log selected published data to data.log</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-select <strong>data_log.key</strong> = http_raw_uri: name of data buffer to log { http_uri | http_raw_uri }\r
+select <strong>data_log.key</strong> = http_request_header_event : name of the event to log { http_request_header_event | http_response_header_event }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>data_log.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0: }\r
</p>\r
</li>\r
</ul></div>\r
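Review bot: stray space before the colon in `select data_log.key = http_request_header_event :`; every other option line on the page uses `= default:` with no space, so drop it. Also, the default and the allowed values for `data_log.key` change from buffer names (http_uri | http_raw_uri) to event names (http_request_header_event | http_response_header_event), which invalidates any existing data_log configuration; that deserves a line in the change notes alongside the new `data_log.limit` option.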
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>data_log.packets</strong>: total packets\r
+<strong>data_log.packets</strong>: total packets (sum)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_dce_http_proxy">dce_http_proxy</h3>\r
<div class="paragraph"><p>What: dce over http inspection - client to/from proxy</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>dce_http_proxy.http_proxy_sessions</strong>: successful http proxy sessions\r
+<strong>dce_http_proxy.http_proxy_sessions</strong>: successful http proxy sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_http_proxy.http_proxy_session_failures</strong>: failed http proxy sessions\r
+<strong>dce_http_proxy.http_proxy_session_failures</strong>: failed http proxy sessions (sum)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_dce_http_server">dce_http_server</h3>\r
<div class="paragraph"><p>What: dce over http inspection - proxy to/from server</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>dce_http_server.http_server_sessions</strong>: successful http server sessions\r
+<strong>dce_http_server.http_server_sessions</strong>: successful http server sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_http_server.http_server_session_failures</strong>: failed http server sessions\r
+<strong>dce_http_server.http_server_session_failures</strong>: failed http server sessions (sum)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_dce_smb">dce_smb</h3>\r
<div class="paragraph"><p>What: dce over smb inspection</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>133:27</strong> (dce_smb) connection oriented DCE/RPC - invalid major version\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:28</strong> (dce_smb) connection oriented DCE/RPC - invalid minor version\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:29</strong> (dce_smb) connection-oriented DCE/RPC - invalid PDU type\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:30</strong> (dce_smb) connection-oriented DCE/RPC - fragment length less than header size\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:32</strong> (dce_smb) connection-oriented DCE/RPC - no context items specified\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:33</strong> (dce_smb) connection-oriented DCE/RPC -no transfer syntaxes specified\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:34</strong> (dce_smb) connection-oriented DCE/RPC - fragment length on non-last fragment less than maximum negotiated fragment transmit size for client\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:35</strong> (dce_smb) connection-oriented DCE/RPC - fragment length greater than maximum negotiated fragment transmit size\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:36</strong> (dce_smb) connection-oriented DCE/RPC - alter context byte order different from bind\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:37</strong> (dce_smb) connection-oriented DCE/RPC - call id of non first/last fragment different from call id established for fragmented request\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:38</strong> (dce_smb) connection-oriented DCE/RPC - opnum of non first/last fragment different from opnum established for fragmented request\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>133:39</strong> (dce_smb) connection-oriented DCE/RPC - context id of non first/last fragment different from context id established for fragmented request\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>133:44</strong> (dce_smb) SMB - invalid SMB version 1 seen\r
</p>\r
</li>\r
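Review bot: rules 133:27 through 133:39 removed here are all connection-oriented DCE/RPC events (invalid major/minor version, invalid PDU type, fragment length checks, call id/opnum/context id mismatches on fragmented requests) rather than SMB-specific ones, and the hunk does not show where they are documented now; confirm they appear under dce_tcp, which also covers connection-oriented DCE/RPC on this page, or under another module, otherwise these GID:SID pairs stop being documented anywhere. Only 133:44 (SMB - invalid SMB version 1 seen) remains in the dce_smb rule list after this change.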
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>dce_smb.events</strong>: total events\r
+<strong>dce_smb.events</strong>: total events (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_smb.pdus</strong>: total connection-oriented PDUs (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_smb.binds</strong>: total connection-oriented binds (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.pdus</strong>: total connection-oriented PDUs\r
+<strong>dce_smb.bind_acks</strong>: total connection-oriented binds acks (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.binds</strong>: total connection-oriented binds\r
+<strong>dce_smb.alter_contexts</strong>: total connection-oriented alter contexts (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.bind_acks</strong>: total connection-oriented binds acks\r
+<strong>dce_smb.alter_context_responses</strong>: total connection-oriented alter context responses (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.alter_contexts</strong>: total connection-oriented alter contexts\r
+<strong>dce_smb.bind_naks</strong>: total connection-oriented bind naks (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.alter_context_responses</strong>: total connection-oriented alter context responses\r
+<strong>dce_smb.requests</strong>: total connection-oriented requests (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.bind_naks</strong>: total connection-oriented bind naks\r
+<strong>dce_smb.responses</strong>: total connection-oriented responses (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.requests</strong>: total connection-oriented requests\r
+<strong>dce_smb.cancels</strong>: total connection-oriented cancels (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.responses</strong>: total connection-oriented responses\r
+<strong>dce_smb.orphaned</strong>: total connection-oriented orphaned (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.cancels</strong>: total connection-oriented cancels\r
+<strong>dce_smb.faults</strong>: total connection-oriented faults (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.orphaned</strong>: total connection-oriented orphaned\r
+<strong>dce_smb.auth3s</strong>: total connection-oriented auth3s (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.faults</strong>: total connection-oriented faults\r
+<strong>dce_smb.shutdowns</strong>: total connection-oriented shutdowns (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.auth3s</strong>: total connection-oriented auth3s\r
+<strong>dce_smb.rejects</strong>: total connection-oriented rejects (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.shutdowns</strong>: total connection-oriented shutdowns\r
+<strong>dce_smb.ms_rpc_http_pdus</strong>: total connection-oriented MS requests to send RPC over HTTP (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.rejects</strong>: total connection-oriented rejects\r
+<strong>dce_smb.other_requests</strong>: total connection-oriented other requests (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.ms_rpc_http_pdus</strong>: total connection-oriented MS requests to send RPC over HTTP\r
+<strong>dce_smb.other_responses</strong>: total connection-oriented other responses (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.other_requests</strong>: total connection-oriented other requests\r
+<strong>dce_smb.request_fragments</strong>: total connection-oriented request fragments (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.other_responses</strong>: total connection-oriented other responses\r
+<strong>dce_smb.response_fragments</strong>: total connection-oriented response fragments (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.request_fragments</strong>: total connection-oriented request fragments\r
+<strong>dce_smb.client_max_fragment_size</strong>: connection-oriented client maximum fragment size (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.response_fragments</strong>: total connection-oriented response fragments\r
+<strong>dce_smb.client_min_fragment_size</strong>: connection-oriented client minimum fragment size (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.client_max_fragment_size</strong>: connection-oriented client maximum fragment size\r
+<strong>dce_smb.client_segs_reassembled</strong>: total connection-oriented client segments reassembled (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.client_min_fragment_size</strong>: connection-oriented client minimum fragment size\r
+<strong>dce_smb.client_frags_reassembled</strong>: total connection-oriented client fragments reassembled (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.client_segs_reassembled</strong>: total connection-oriented client segments reassembled\r
+<strong>dce_smb.server_max_fragment_size</strong>: connection-oriented server maximum fragment size (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.client_frags_reassembled</strong>: total connection-oriented client fragments reassembled\r
+<strong>dce_smb.server_min_fragment_size</strong>: connection-oriented server minimum fragment size (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.server_max_fragment_size</strong>: connection-oriented server maximum fragment size\r
+<strong>dce_smb.server_segs_reassembled</strong>: total connection-oriented server segments reassembled (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.server_min_fragment_size</strong>: connection-oriented server minimum fragment size\r
+<strong>dce_smb.server_frags_reassembled</strong>: total connection-oriented server fragments reassembled (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.server_segs_reassembled</strong>: total connection-oriented server segments reassembled\r
+<strong>dce_smb.sessions</strong>: total smb sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.server_frags_reassembled</strong>: total connection-oriented server fragments reassembled\r
+<strong>dce_smb.packets</strong>: total smb packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.sessions</strong>: total smb sessions\r
+<strong>dce_smb.ignored_bytes</strong>: total ignored bytes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.packets</strong>: total smb packets\r
+<strong>dce_smb.smb_client_segs_reassembled</strong>: total smb client segments reassembled (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.ignored_bytes</strong>: total ignored bytes\r
+<strong>dce_smb.smb_server_segs_reassembled</strong>: total smb server segments reassembled (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.smb_client_segs_reassembled</strong>: total smb client segments reassembled\r
+<strong>dce_smb.max_outstanding_requests</strong>: total smb maximum outstanding requests (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.smb_server_segs_reassembled</strong>: total smb server segments reassembled\r
+<strong>dce_smb.files_processed</strong>: total smb files processed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.max_outstanding_requests</strong>: total smb maximum outstanding requests\r
+<strong>dce_smb.smbv2_create</strong>: total number of SMBv2 create packets seen (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.files_processed</strong>: total smb files processed\r
+<strong>dce_smb.smbv2_write</strong>: total number of SMBv2 write packets seen (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.smbv2_create</strong>: total number of SMBv2 create packets seen\r
+<strong>dce_smb.smbv2_read</strong>: total number of SMBv2 read packets seen (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.smbv2_write</strong>: total number of SMBv2 write packets seen\r
+<strong>dce_smb.smbv2_set_info</strong>: total number of SMBv2 set info packets seen (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.smbv2_read</strong>: total number of SMBv2 read packets seen\r
+<strong>dce_smb.smbv2_tree_connect</strong>: total number of SMBv2 tree connect packets seen (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.smbv2_set_info</strong>: total number of SMBv2 set info packets seen\r
+<strong>dce_smb.smbv2_tree_disconnect</strong>: total number of SMBv2 tree disconnect packets seen (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.smbv2_tree_connect</strong>: total number of SMBv2 tree connect packets seen\r
+<strong>dce_smb.smbv2_close</strong>: total number of SMBv2 close packets seen (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.smbv2_tree_disconnect</strong>: total number of SMBv2 tree disconnect packets seen\r
+<strong>dce_smb.concurrent_sessions</strong>: total concurrent sessions (now)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.smbv2_close</strong>: total number of SMBv2 close packets seen\r
+<strong>dce_smb.max_concurrent_sessions</strong>: maximum concurrent sessions (max)\r
</p>\r
</li>\r
</ul></div>\r
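Review bot: nothing in the new dce_smb peg list replaces the two reassembly counters removed here, dce_smb.smb_client_segs_reassembled and dce_smb.smb_server_segs_reassembled, even though dce_tcp still documents dce_tcp.client_segs_reassembled and dce_tcp.server_segs_reassembled in the same change. If the SMB counters were deliberately dropped, the removal needs a release-note entry, since anything collecting per-module stats by peg name will silently stop seeing them; if they were moved, the new location should be visible in this change rather than implied.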
<h3 id="_dce_tcp">dce_tcp</h3>\r
<div class="paragraph"><p>What: dce over tcp inspection</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>dce_tcp.events</strong>: total events\r
+<strong>dce_tcp.events</strong>: total events (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_tcp.pdus</strong>: total connection-oriented PDUs (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.pdus</strong>: total connection-oriented PDUs\r
+<strong>dce_tcp.binds</strong>: total connection-oriented binds (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.binds</strong>: total connection-oriented binds\r
+<strong>dce_tcp.bind_acks</strong>: total connection-oriented binds acks (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.bind_acks</strong>: total connection-oriented binds acks\r
+<strong>dce_tcp.alter_contexts</strong>: total connection-oriented alter contexts (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.alter_contexts</strong>: total connection-oriented alter contexts\r
+<strong>dce_tcp.alter_context_responses</strong>: total connection-oriented alter context responses (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.alter_context_responses</strong>: total connection-oriented alter context responses\r
+<strong>dce_tcp.bind_naks</strong>: total connection-oriented bind naks (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.bind_naks</strong>: total connection-oriented bind naks\r
+<strong>dce_tcp.requests</strong>: total connection-oriented requests (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.requests</strong>: total connection-oriented requests\r
+<strong>dce_tcp.responses</strong>: total connection-oriented responses (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.responses</strong>: total connection-oriented responses\r
+<strong>dce_tcp.cancels</strong>: total connection-oriented cancels (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.cancels</strong>: total connection-oriented cancels\r
+<strong>dce_tcp.orphaned</strong>: total connection-oriented orphaned (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.orphaned</strong>: total connection-oriented orphaned\r
+<strong>dce_tcp.faults</strong>: total connection-oriented faults (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.faults</strong>: total connection-oriented faults\r
+<strong>dce_tcp.auth3s</strong>: total connection-oriented auth3s (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.auth3s</strong>: total connection-oriented auth3s\r
+<strong>dce_tcp.shutdowns</strong>: total connection-oriented shutdowns (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.shutdowns</strong>: total connection-oriented shutdowns\r
+<strong>dce_tcp.rejects</strong>: total connection-oriented rejects (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.rejects</strong>: total connection-oriented rejects\r
+<strong>dce_tcp.ms_rpc_http_pdus</strong>: total connection-oriented MS requests to send RPC over HTTP (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.ms_rpc_http_pdus</strong>: total connection-oriented MS requests to send RPC over HTTP\r
+<strong>dce_tcp.other_requests</strong>: total connection-oriented other requests (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.other_requests</strong>: total connection-oriented other requests\r
+<strong>dce_tcp.other_responses</strong>: total connection-oriented other responses (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.other_responses</strong>: total connection-oriented other responses\r
+<strong>dce_tcp.request_fragments</strong>: total connection-oriented request fragments (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.request_fragments</strong>: total connection-oriented request fragments\r
+<strong>dce_tcp.response_fragments</strong>: total connection-oriented response fragments (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.response_fragments</strong>: total connection-oriented response fragments\r
+<strong>dce_tcp.client_max_fragment_size</strong>: connection-oriented client maximum fragment size (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.client_max_fragment_size</strong>: connection-oriented client maximum fragment size\r
+<strong>dce_tcp.client_min_fragment_size</strong>: connection-oriented client minimum fragment size (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.client_min_fragment_size</strong>: connection-oriented client minimum fragment size\r
+<strong>dce_tcp.client_segs_reassembled</strong>: total connection-oriented client segments reassembled (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.client_segs_reassembled</strong>: total connection-oriented client segments reassembled\r
+<strong>dce_tcp.client_frags_reassembled</strong>: total connection-oriented client fragments reassembled (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.client_frags_reassembled</strong>: total connection-oriented client fragments reassembled\r
+<strong>dce_tcp.server_max_fragment_size</strong>: connection-oriented server maximum fragment size (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.server_max_fragment_size</strong>: connection-oriented server maximum fragment size\r
+<strong>dce_tcp.server_min_fragment_size</strong>: connection-oriented server minimum fragment size (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.server_min_fragment_size</strong>: connection-oriented server minimum fragment size\r
+<strong>dce_tcp.server_segs_reassembled</strong>: total connection-oriented server segments reassembled (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.server_segs_reassembled</strong>: total connection-oriented server segments reassembled\r
+<strong>dce_tcp.server_frags_reassembled</strong>: total connection-oriented server fragments reassembled (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.server_frags_reassembled</strong>: total connection-oriented server fragments reassembled\r
+<strong>dce_tcp.tcp_sessions</strong>: total tcp sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.tcp_sessions</strong>: total tcp sessions\r
+<strong>dce_tcp.tcp_packets</strong>: total tcp packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.tcp_packets</strong>: total tcp packets\r
+<strong>dce_tcp.concurrent_sessions</strong>: total concurrent sessions (now)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_tcp.max_concurrent_sessions</strong>: maximum concurrent sessions (max)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_dce_udp">dce_udp</h3>\r
<div class="paragraph"><p>What: dce over udp inspection</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>dce_udp.events</strong>: total events\r
+<strong>dce_udp.events</strong>: total events (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_udp.udp_sessions</strong>: total udp sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.udp_sessions</strong>: total udp sessions\r
+<strong>dce_udp.udp_packets</strong>: total udp packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.udp_packets</strong>: total udp packets\r
+<strong>dce_udp.requests</strong>: total connection-less requests (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.requests</strong>: total connection-less requests\r
+<strong>dce_udp.acks</strong>: total connection-less acks (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.acks</strong>: total connection-less acks\r
+<strong>dce_udp.cancels</strong>: total connection-less cancels (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.cancels</strong>: total connection-less cancels\r
+<strong>dce_udp.client_facks</strong>: total connection-less client facks (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.client_facks</strong>: total connection-less client facks\r
+<strong>dce_udp.ping</strong>: total connection-less ping (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.ping</strong>: total connection-less ping\r
+<strong>dce_udp.responses</strong>: total connection-less responses (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.responses</strong>: total connection-less responses\r
+<strong>dce_udp.rejects</strong>: total connection-less rejects (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.rejects</strong>: total connection-less rejects\r
+<strong>dce_udp.cancel_acks</strong>: total connection-less cancel acks (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.cancel_acks</strong>: total connection-less cancel acks\r
+<strong>dce_udp.server_facks</strong>: total connection-less server facks (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.server_facks</strong>: total connection-less server facks\r
+<strong>dce_udp.faults</strong>: total connection-less faults (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.faults</strong>: total connection-less faults\r
+<strong>dce_udp.no_calls</strong>: total connection-less no calls (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.no_calls</strong>: total connection-less no calls\r
+<strong>dce_udp.working</strong>: total connection-less working (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.working</strong>: total connection-less working\r
+<strong>dce_udp.other_requests</strong>: total connection-less other requests (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.other_requests</strong>: total connection-less other requests\r
+<strong>dce_udp.other_responses</strong>: total connection-less other responses (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.other_responses</strong>: total connection-less other responses\r
+<strong>dce_udp.fragments</strong>: total connection-less fragments (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.fragments</strong>: total connection-less fragments\r
+<strong>dce_udp.max_fragment_size</strong>: connection-less maximum fragment size (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.max_fragment_size</strong>: connection-less maximum fragment size\r
+<strong>dce_udp.frags_reassembled</strong>: total connection-less fragments reassembled (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.frags_reassembled</strong>: total connection-less fragments reassembled\r
+<strong>dce_udp.max_seqnum</strong>: max connection-less seqnum (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.max_seqnum</strong>: max connection-less seqnum\r
+<strong>dce_udp.concurrent_sessions</strong>: total concurrent sessions (now)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dce_udp.max_concurrent_sessions</strong>: maximum concurrent sessions (max)\r
</p>\r
</li>\r
</ul></div>\r
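Review bot: several pegs whose description is a maximum or minimum are tagged (sum) in this region: dce_smb.max_outstanding_requests, dce_tcp.client_max_fragment_size, dce_tcp.client_min_fragment_size, dce_tcp.server_max_fragment_size, dce_tcp.server_min_fragment_size, dce_udp.max_fragment_size and dce_udp.max_seqnum. When per-thread pegs are aggregated, summing maxima overstates the value and summing minima yields a number no thread observed. The hunk already uses (max) for the max_concurrent_sessions pegs, so the maximum pegs should carry (max); the minimum pegs have no matching type among the three used here ((sum), (now), (max)), so either introduce one or state in the description that the reported figure is a sum across threads. A nit on the same list: "total connection-oriented binds acks" for dce_tcp.bind_acks should read "bind acks".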
<h3 id="_dnp3">dnp3</h3>\r
<div class="paragraph"><p>What: dnp3 inspection</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>dnp3.total_packets</strong>: total packets\r
+<strong>dnp3.total_packets</strong>: total packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dnp3.udp_packets</strong>: total udp packets\r
+<strong>dnp3.udp_packets</strong>: total udp packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dnp3.tcp_pdus</strong>: total tcp pdus\r
+<strong>dnp3.tcp_pdus</strong>: total tcp pdus (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dnp3.dnp3_link_layer_frames</strong>: total dnp3 link layer frames\r
+<strong>dnp3.dnp3_link_layer_frames</strong>: total dnp3 link layer frames (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dnp3.dnp3_application_pdus</strong>: total dnp3 application pdus\r
+<strong>dnp3.dnp3_application_pdus</strong>: total dnp3 application pdus (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dnp3.concurrent_sessions</strong>: total concurrent dnp3 sessions (now)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dnp3.max_concurrent_sessions</strong>: maximum concurrent dnp3 sessions (max)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_dns">dns</h3>\r
<div class="paragraph"><p>What: dns inspection</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>dns.packets</strong>: total packets processed\r
+<strong>dns.packets</strong>: total packets processed (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dns.requests</strong>: total dns requests (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>dns.responses</strong>: total dns responses (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dns.requests</strong>: total dns requests\r
+<strong>dns.concurrent_sessions</strong>: total concurrent dns sessions (now)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dns.responses</strong>: total dns responses\r
+<strong>dns.max_concurrent_sessions</strong>: maximum concurrent dns sessions (max)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_dpx">dpx</h3>\r
<div class="paragraph"><p>What: dynamic inspector example</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>dpx.packets</strong>: total packets\r
+<strong>dpx.packets</strong>: total packets (sum)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_file_id">file_id</h3>\r
<div class="paragraph"><p>What: configure file identification</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>file_id.total_files</strong>: number of files processed\r
+<strong>file_id.total_files</strong>: number of files processed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>file_id.total_file_data</strong>: number of file data bytes processed\r
+<strong>file_id.total_file_data</strong>: number of file data bytes processed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>file_id.cache_failures</strong>: number of file cache add failures\r
+<strong>file_id.cache_failures</strong>: number of file cache add failures (sum)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_file_log">file_log</h3>\r
<div class="paragraph"><p>What: log file event to file.log</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>file_log.total_events</strong>: total file events\r
+<strong>file_log.total_events</strong>: total file events (sum)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_ftp_client">ftp_client</h3>\r
<div class="paragraph"><p>What: FTP client configuration module for use with ftp_server</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_ftp_data">ftp_data</h3>\r
<div class="paragraph"><p>What: FTP data channel handler</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
<div class="paragraph"><p>Peg counts:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>ftp_data.packets</strong>: total packets\r
+<strong>ftp_data.packets</strong>: total packets (sum)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_ftp_server">ftp_server</h3>\r
<div class="paragraph"><p>What: main FTP module; ftp_client should also be configured</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>ftp_server.packets</strong>: total packets\r
+<strong>ftp_server.total_packets</strong>: total packets (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>ftp_server.concurrent_sessions</strong>: total concurrent ftp sessions (now)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>ftp_server.max_concurrent_sessions</strong>: maximum concurrent ftp sessions (max)\r
</p>\r
</li>\r
</ul></div>\r
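Review bot: renaming ftp_server.packets to ftp_server.total_packets changes a stats key, not just its annotation, so any consumer that reads per-module peg output by name will break, and the two FTP modules now disagree, since ftp_data keeps ftp_data.packets and dns, imap and dpx also keep a plain packets peg in this hunk. Either keep the name packets for consistency, or record the rename in the release notes alongside the new concurrent_sessions and max_concurrent_sessions pegs.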
<h3 id="_gtp_inspect">gtp_inspect</h3>\r
<div class="paragraph"><p>What: gtp control channel inspection</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>gtp_inspect.sessions</strong>: total sessions processed\r
+<strong>gtp_inspect.sessions</strong>: total sessions processed (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>gtp_inspect.concurrent_sessions</strong>: total concurrent gtp sessions (now)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>gtp_inspect.events</strong>: requests\r
+<strong>gtp_inspect.max_concurrent_sessions</strong>: maximum concurrent gtp sessions (max)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>gtp_inspect.unknown_types</strong>: unknown message types\r
+<strong>gtp_inspect.events</strong>: requests (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>gtp_inspect.unknown_infos</strong>: unknown information elements\r
+<strong>gtp_inspect.unknown_types</strong>: unknown message types (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>gtp_inspect.unknown_infos</strong>: unknown information elements (sum)\r
</p>\r
</li>\r
</ul></div>\r
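Review bot: gtp_inspect.events keeps the description "requests (sum)", which does not describe an events peg and is inconsistent with dce_tcp.events and dce_udp.events, both documented as "total events (sum)" in this hunk. Since the line is already being rewritten to add the type, change it to "total events (sum)"; if this peg really counts requests, rename the peg instead.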
<h3 id="_http_inspect">http_inspect</h3>\r
<div class="paragraph"><p>What: HTTP inspector</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>119:5</strong> (http_inspect) obsolete event—should not appear\r
+<strong>119:5</strong> (http_inspect) obsolete event—deleted\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>119:22</strong> (http_inspect) obsolete event—should not appear\r
+<strong>119:22</strong> (http_inspect) obsolete event—deleted\r
</p>\r
</li>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>http_inspect.flows</strong>: HTTP connections inspected\r
+<strong>http_inspect.flows</strong>: HTTP connections inspected (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.scans</strong>: TCP segments scanned looking for HTTP messages\r
+<strong>http_inspect.scans</strong>: TCP segments scanned looking for HTTP messages (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.reassembles</strong>: TCP segments combined into HTTP messages\r
+<strong>http_inspect.reassembles</strong>: TCP segments combined into HTTP messages (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.inspections</strong>: total message sections inspected\r
+<strong>http_inspect.inspections</strong>: total message sections inspected (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.requests</strong>: HTTP request messages inspected\r
+<strong>http_inspect.requests</strong>: HTTP request messages inspected (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.responses</strong>: HTTP response messages inspected\r
+<strong>http_inspect.responses</strong>: HTTP response messages inspected (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.get_requests</strong>: GET requests inspected\r
+<strong>http_inspect.get_requests</strong>: GET requests inspected (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.head_requests</strong>: HEAD requests inspected\r
+<strong>http_inspect.head_requests</strong>: HEAD requests inspected (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.post_requests</strong>: POST requests inspected\r
+<strong>http_inspect.post_requests</strong>: POST requests inspected (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.put_requests</strong>: PUT requests inspected\r
+<strong>http_inspect.put_requests</strong>: PUT requests inspected (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.delete_requests</strong>: DELETE requests inspected\r
+<strong>http_inspect.delete_requests</strong>: DELETE requests inspected (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.connect_requests</strong>: CONNECT requests inspected\r
+<strong>http_inspect.connect_requests</strong>: CONNECT requests inspected (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.options_requests</strong>: OPTIONS requests inspected\r
+<strong>http_inspect.options_requests</strong>: OPTIONS requests inspected (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.trace_requests</strong>: TRACE requests inspected\r
+<strong>http_inspect.trace_requests</strong>: TRACE requests inspected (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.other_requests</strong>: other request methods inspected\r
+<strong>http_inspect.other_requests</strong>: other request methods inspected (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.request_bodies</strong>: POST, PUT, and other requests with message bodies\r
+<strong>http_inspect.request_bodies</strong>: POST, PUT, and other requests with message bodies (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.chunked</strong>: chunked message bodies\r
+<strong>http_inspect.chunked</strong>: chunked message bodies (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.uri_normalizations</strong>: URIs needing to be normalization\r
+<strong>http_inspect.uri_normalizations</strong>: URIs needing to be normalization (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.uri_path</strong>: URIs with path problems\r
+<strong>http_inspect.uri_path</strong>: URIs with path problems (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.uri_coding</strong>: URIs with character coding problems\r
+<strong>http_inspect.uri_coding</strong>: URIs with character coding problems (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>http_inspect.concurrent_sessions</strong>: total concurrent http sessions (now)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>http_inspect.max_concurrent_sessions</strong>: maximum concurrent http sessions (max)\r
</p>\r
</li>\r
</ul></div>\r
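Review bot: "URIs needing to be normalization" for http_inspect.uri_normalizations is ungrammatical and the line is being rewritten anyway to add (sum); make it "URIs needing normalization (sum)". Separately, changing the note on 119:5 and 119:22 from "should not appear" to "deleted" should say whether those SIDs are retired permanently or may be reassigned, because rule sets that key on gid 119 need to know which.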
<h3 id="_imap">imap</h3>\r
<div class="paragraph"><p>What: imap inspection</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>imap.packets</strong>: total packets processed\r
+<strong>imap.packets</strong>: total packets processed (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>imap.sessions</strong>: total imap sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>imap.sessions</strong>: total imap sessions\r
+<strong>imap.concurrent_sessions</strong>: total concurrent imap sessions (now)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>imap.b64_attachments</strong>: total base64 attachments decoded\r
+<strong>imap.max_concurrent_sessions</strong>: maximum concurrent imap sessions (max)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>imap.b64_decoded_bytes</strong>: total base64 decoded bytes\r
+<strong>imap.b64_attachments</strong>: total base64 attachments decoded (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>imap.qp_attachments</strong>: total quoted-printable attachments decoded\r
+<strong>imap.b64_decoded_bytes</strong>: total base64 decoded bytes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>imap.qp_decoded_bytes</strong>: total quoted-printable decoded bytes\r
+<strong>imap.qp_attachments</strong>: total quoted-printable attachments decoded (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>imap.uu_attachments</strong>: total uu attachments decoded\r
+<strong>imap.qp_decoded_bytes</strong>: total quoted-printable decoded bytes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>imap.uu_decoded_bytes</strong>: total uu decoded bytes\r
+<strong>imap.uu_attachments</strong>: total uu attachments decoded (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>imap.non_encoded_attachments</strong>: total non-encoded attachments extracted\r
+<strong>imap.uu_decoded_bytes</strong>: total uu decoded bytes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>imap.non_encoded_bytes</strong>: total non-encoded extracted bytes\r
+<strong>imap.non_encoded_attachments</strong>: total non-encoded attachments extracted (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>imap.non_encoded_bytes</strong>: total non-encoded extracted bytes (sum)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_modbus">modbus</h3>\r
<div class="paragraph"><p>What: modbus inspection</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>modbus.sessions</strong>: total sessions processed\r
+<strong>modbus.sessions</strong>: total sessions processed (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>modbus.frames</strong>: total Modbus messages (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>modbus.concurrent_sessions</strong>: total concurrent modbus sessions (now)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>modbus.frames</strong>: total Modbus messages\r
+<strong>modbus.max_concurrent_sessions</strong>: maximum concurrent modbus sessions (max)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_normalizer">normalizer</h3>\r
<div class="paragraph"><p>What: packet scrubbing for inline mode</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>normalizer.ip4_trim</strong>: eth packets trimmed to datagram size\r
+<strong>normalizer.ip4_trim</strong>: eth packets trimmed to datagram size (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_ip4_trim</strong>: test eth packets trimmed to datagram size\r
+<strong>normalizer.test_ip4_trim</strong>: test eth packets trimmed to datagram size (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.ip4_tos</strong>: type of service normalizations\r
+<strong>normalizer.ip4_tos</strong>: type of service normalizations (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_ip4_tos</strong>: test type of service normalizations\r
+<strong>normalizer.test_ip4_tos</strong>: test type of service normalizations (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.ip4_df</strong>: don’t frag bit normalizations\r
+<strong>normalizer.ip4_df</strong>: don’t frag bit normalizations (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_ip4_df</strong>: test don’t frag bit normalizations\r
+<strong>normalizer.test_ip4_df</strong>: test don’t frag bit normalizations (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.ip4_rf</strong>: reserved flag bit clears\r
+<strong>normalizer.ip4_rf</strong>: reserved flag bit clears (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_ip4_rf</strong>: test reserved flag bit clears\r
+<strong>normalizer.test_ip4_rf</strong>: test reserved flag bit clears (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.ip4_ttl</strong>: time-to-live normalizations\r
+<strong>normalizer.ip4_ttl</strong>: time-to-live normalizations (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_ip4_ttl</strong>: test time-to-live normalizations\r
+<strong>normalizer.test_ip4_ttl</strong>: test time-to-live normalizations (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.ip4_opts</strong>: ip4 options cleared\r
+<strong>normalizer.ip4_opts</strong>: ip4 options cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_ip4_opts</strong>: test ip4 options cleared\r
+<strong>normalizer.test_ip4_opts</strong>: test ip4 options cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.icmp4_echo</strong>: icmp4 ping normalizations\r
+<strong>normalizer.icmp4_echo</strong>: icmp4 ping normalizations (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_icmp4_echo</strong>: test icmp4 ping normalizations\r
+<strong>normalizer.test_icmp4_echo</strong>: test icmp4 ping normalizations (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.ip6_hops</strong>: ip6 hop limit normalizations\r
+<strong>normalizer.ip6_hops</strong>: ip6 hop limit normalizations (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_ip6_hops</strong>: test ip6 hop limit normalizations\r
+<strong>normalizer.test_ip6_hops</strong>: test ip6 hop limit normalizations (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.ip6_options</strong>: ip6 options cleared\r
+<strong>normalizer.ip6_options</strong>: ip6 options cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_ip6_options</strong>: test ip6 options cleared\r
+<strong>normalizer.test_ip6_options</strong>: test ip6 options cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.icmp6_echo</strong>: icmp6 echo normalizations\r
+<strong>normalizer.icmp6_echo</strong>: icmp6 echo normalizations (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_icmp6_echo</strong>: test icmp6 echo normalizations\r
+<strong>normalizer.test_icmp6_echo</strong>: test icmp6 echo normalizations (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_syn_options</strong>: SYN only options cleared from non-SYN packets\r
+<strong>normalizer.tcp_syn_options</strong>: SYN only options cleared from non-SYN packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_tcp_syn_options</strong>: test SYN only options cleared from non-SYN packets\r
+<strong>normalizer.test_tcp_syn_options</strong>: test SYN only options cleared from non-SYN packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_options</strong>: packets with options cleared\r
+<strong>normalizer.tcp_options</strong>: packets with options cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_tcp_options</strong>: test packets with options cleared\r
+<strong>normalizer.test_tcp_options</strong>: test packets with options cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_padding</strong>: packets with padding cleared\r
+<strong>normalizer.tcp_padding</strong>: packets with padding cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_tcp_padding</strong>: test packets with padding cleared\r
+<strong>normalizer.test_tcp_padding</strong>: test packets with padding cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_reserved</strong>: packets with reserved bits cleared\r
+<strong>normalizer.tcp_reserved</strong>: packets with reserved bits cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_tcp_reserved</strong>: test packets with reserved bits cleared\r
+<strong>normalizer.test_tcp_reserved</strong>: test packets with reserved bits cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_nonce</strong>: packets with nonce bit cleared\r
+<strong>normalizer.tcp_nonce</strong>: packets with nonce bit cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_tcp_nonce</strong>: test packets with nonce bit cleared\r
+<strong>normalizer.test_tcp_nonce</strong>: test packets with nonce bit cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_urgent_ptr</strong>: packets without data with urgent pointer cleared\r
+<strong>normalizer.tcp_urgent_ptr</strong>: packets without data with urgent pointer cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_tcp_urgent_ptr</strong>: test packets without data with urgent pointer cleared\r
+<strong>normalizer.test_tcp_urgent_ptr</strong>: test packets without data with urgent pointer cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_ecn_pkt</strong>: packets with ECN bits cleared\r
+<strong>normalizer.tcp_ecn_pkt</strong>: packets with ECN bits cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_tcp_ecn_pkt</strong>: test packets with ECN bits cleared\r
+<strong>normalizer.test_tcp_ecn_pkt</strong>: test packets with ECN bits cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_ts_ecr</strong>: timestamp cleared on non-ACKs\r
+<strong>normalizer.tcp_ts_ecr</strong>: timestamp cleared on non-ACKs (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_tcp_ts_ecr</strong>: test timestamp cleared on non-ACKs\r
+<strong>normalizer.test_tcp_ts_ecr</strong>: test timestamp cleared on non-ACKs (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_req_urg</strong>: cleared urgent pointer when urgent flag is not set\r
+<strong>normalizer.tcp_req_urg</strong>: cleared urgent pointer when urgent flag is not set (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_tcp_req_urg</strong>: test cleared urgent pointer when urgent flag is not set\r
+<strong>normalizer.test_tcp_req_urg</strong>: test cleared urgent pointer when urgent flag is not set (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_req_pay</strong>: cleared urgent pointer and urgent flag when there is no payload\r
+<strong>normalizer.tcp_req_pay</strong>: cleared urgent pointer and urgent flag when there is no payload (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_tcp_req_pay</strong>: test cleared urgent pointer and urgent flag when there is no payload\r
+<strong>normalizer.test_tcp_req_pay</strong>: test cleared urgent pointer and urgent flag when there is no payload (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_req_urp</strong>: cleared the urgent flag if the urgent pointer is not set\r
+<strong>normalizer.tcp_req_urp</strong>: cleared the urgent flag if the urgent pointer is not set (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_tcp_req_urp</strong>: test cleared the urgent flag if the urgent pointer is not set\r
+<strong>normalizer.test_tcp_req_urp</strong>: test cleared the urgent flag if the urgent pointer is not set (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_trim_syn</strong>: tcp segments trimmed on SYN\r
+<strong>normalizer.tcp_trim_syn</strong>: tcp segments trimmed on SYN (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_tcp_trim_syn</strong>: test tcp segments trimmed on SYN\r
+<strong>normalizer.test_tcp_trim_syn</strong>: test tcp segments trimmed on SYN (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_trim_rst</strong>: RST packets with data trimmed\r
+<strong>normalizer.tcp_trim_rst</strong>: RST packets with data trimmed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_tcp_trim_rst</strong>: test RST packets with data trimmed\r
+<strong>normalizer.test_tcp_trim_rst</strong>: test RST packets with data trimmed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_trim_win</strong>: data trimmed to window\r
+<strong>normalizer.tcp_trim_win</strong>: data trimmed to window (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_tcp_trim_win</strong>: test data trimmed to window\r
+<strong>normalizer.test_tcp_trim_win</strong>: test data trimmed to window (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_trim_mss</strong>: data trimmed to MSS\r
+<strong>normalizer.tcp_trim_mss</strong>: data trimmed to MSS (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_tcp_trim_mss</strong>: test data trimmed to MSS\r
+<strong>normalizer.test_tcp_trim_mss</strong>: test data trimmed to MSS (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_ecn_session</strong>: ECN bits cleared\r
+<strong>normalizer.tcp_ecn_session</strong>: ECN bits cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_tcp_ecn_session</strong>: test ECN bits cleared\r
+<strong>normalizer.test_tcp_ecn_session</strong>: test ECN bits cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_ts_nop</strong>: timestamp options cleared\r
+<strong>normalizer.tcp_ts_nop</strong>: timestamp options cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_tcp_ts_nop</strong>: test timestamp options cleared\r
+<strong>normalizer.test_tcp_ts_nop</strong>: test timestamp options cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_ips_data</strong>: normalized segments\r
+<strong>normalizer.tcp_ips_data</strong>: normalized segments (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_tcp_ips_data</strong>: test normalized segments\r
+<strong>normalizer.test_tcp_ips_data</strong>: test normalized segments (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_block</strong>: blocked segments\r
+<strong>normalizer.tcp_block</strong>: blocked segments (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_tcp_block</strong>: test blocked segments\r
+<strong>normalizer.test_tcp_block</strong>: test blocked segments (sum)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_packet_capture">packet_capture</h3>\r
<div class="paragraph"><p>What: raw packet dumping facility</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>packet_capture.processed</strong>: packets processed against filter\r
+<strong>packet_capture.processed</strong>: packets processed against filter (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>packet_capture.captured</strong>: packets matching dumped after matching filter\r
+<strong>packet_capture.captured</strong>: packets matching dumped after matching filter (sum)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_perf_monitor">perf_monitor</h3>\r
<div class="paragraph"><p>What: performance monitoring and flow statistics collection</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
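Review bot: the description on the `+packet_capture.captured` line, "packets matching dumped after matching filter", says "matching" twice and does not parse; since the line is being rewritten anyway to add `(sum)`, suggest "packets matching the filter that were dumped (sum)" so it reads in the same style as `packet_capture.processed: packets processed against filter`.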
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>perf_monitor.packets</strong>: total packets\r
+<strong>perf_monitor.packets</strong>: total packets (sum)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_pop">pop</h3>\r
<div class="paragraph"><p>What: pop inspection</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>pop.packets</strong>: total packets processed\r
+<strong>pop.packets</strong>: total packets processed (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>pop.sessions</strong>: total pop sessions (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>pop.concurrent_sessions</strong>: total concurrent pop sessions (now)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>pop.sessions</strong>: total pop sessions\r
+<strong>pop.max_concurrent_sessions</strong>: maximum concurrent pop sessions (max)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>pop.b64_attachments</strong>: total base64 attachments decoded\r
+<strong>pop.b64_attachments</strong>: total base64 attachments decoded (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>pop.b64_decoded_bytes</strong>: total base64 decoded bytes\r
+<strong>pop.b64_decoded_bytes</strong>: total base64 decoded bytes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>pop.qp_attachments</strong>: total quoted-printable attachments decoded\r
+<strong>pop.qp_attachments</strong>: total quoted-printable attachments decoded (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>pop.qp_decoded_bytes</strong>: total quoted-printable decoded bytes\r
+<strong>pop.qp_decoded_bytes</strong>: total quoted-printable decoded bytes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>pop.uu_attachments</strong>: total uu attachments decoded\r
+<strong>pop.uu_attachments</strong>: total uu attachments decoded (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>pop.uu_decoded_bytes</strong>: total uu decoded bytes\r
+<strong>pop.uu_decoded_bytes</strong>: total uu decoded bytes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>pop.non_encoded_attachments</strong>: total non-encoded attachments extracted\r
+<strong>pop.non_encoded_attachments</strong>: total non-encoded attachments extracted (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>pop.non_encoded_bytes</strong>: total non-encoded extracted bytes\r
+<strong>pop.non_encoded_bytes</strong>: total non-encoded extracted bytes (sum)\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_port_scan">port_scan</h3>\r
+<h3 id="_port_scan_2">port_scan</h3>\r
<div class="paragraph"><p>What: detect various ip, icmp, tcp, and udp port or protocol scans</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
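Review bot: the heading anchor changes from `_port_scan` to `_port_scan_2`, which is the generator's auto-suffix for a duplicate id, so a second section titled "port_scan" now exists and any existing `#_port_scan` links land on that one instead of this inspector's peg counts. Suggest giving the two sections explicit, stable ids (or distinct titles) rather than relying on the generated `_2` suffix.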
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>port_scan.packets</strong>: total packets\r
+<strong>port_scan.packets</strong>: total packets (sum)\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_reg_test">reg_test</h3>\r
+<div class="paragraph"><p>What: The regression test inspector (rti) is used when special packet handling is required for a reg test</p></div>\r
+<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+bool <strong>reg_test.test_daq_retry</strong> = true: test daq packet retry feature\r
+</p>\r
+</li>\r
+</ul></div>\r
+<div class="paragraph"><p>Peg counts:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+<strong>reg_test.packets</strong>: total packets (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>reg_test.retry_requests</strong>: total retry packets requested (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>reg_test.retry_packets</strong>: total retried packets received (sum)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_reputation">reputation</h3>\r
<div class="paragraph"><p>What: reputation inspection</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
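Review bot: the new `reg_test` section's "What:" line ("The regression test inspector (rti) is used when special packet handling is required for a reg test") is the only description in this list written as a capitalised full sentence; every neighbouring entry ("detect various ip, icmp, tcp, and udp port or protocol scans", "reputation inspection") is a lowercase fragment. Suggest "regression test inspector (rti) for special packet handling in reg tests" for consistency with the rest of the reference.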
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>reputation.packets</strong>: total packets processed\r
+<strong>reputation.packets</strong>: total packets processed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>reputation.blacklisted</strong>: number of packets blacklisted\r
+<strong>reputation.blacklisted</strong>: number of packets blacklisted (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>reputation.whitelisted</strong>: number of packets whitelisted\r
+<strong>reputation.whitelisted</strong>: number of packets whitelisted (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>reputation.monitored</strong>: number of packets monitored\r
+<strong>reputation.monitored</strong>: number of packets monitored (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>reputation.memory_allocated</strong>: total memory allocated\r
+<strong>reputation.memory_allocated</strong>: total memory allocated (sum)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_rpc_decode">rpc_decode</h3>\r
<div class="paragraph"><p>What: RPC inspector</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
<div class="paragraph"><p>Rules:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
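Review bot: `+reputation.memory_allocated: total memory allocated (sum)` tags a memory figure with `(sum)`, the class used for packet counters, while this diff introduces `(now)` for current values and `(max)` for peaks elsewhere. If the peg reports memory currently held by the reputation lists rather than a running total of allocations, it should be `(now)`; either way the description should say which it is, since "total memory allocated" reads as a current size.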
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>rpc_decode.packets</strong>: total packets\r
+<strong>rpc_decode.total_packets</strong>: total packets (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>rpc_decode.concurrent_sessions</strong>: total concurrent rpc sessions (now)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>rpc_decode.max_concurrent_sessions</strong>: maximum concurrent rpc sessions (max)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_sip">sip</h3>\r
<div class="paragraph"><p>What: sip inspection</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
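Review bot: `rpc_decode.packets` is renamed to `rpc_decode.total_packets` here, while every other inspector in this diff keeps `<name>.packets` (pop, reputation, sip, smtp, ssh, ssl). The rename is inconsistent and silently breaks anything keyed on the old peg name; suggest keeping `rpc_decode.packets: total packets (sum)`, or, if the rename is intentional, calling it out as a change rather than folding it into the type-tag update.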
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>sip.packets</strong>: total packets\r
+<strong>sip.packets</strong>: total packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.sessions</strong>: total sessions\r
+<strong>sip.sessions</strong>: total sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.events</strong>: events generated\r
+<strong>sip.concurrent_sessions</strong>: total concurrent sip sessions (now)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.dialogs</strong>: total dialogs\r
+<strong>sip.max_concurrent_sessions</strong>: maximum concurrent sip sessions (max)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.ignored_channels</strong>: total channels ignored\r
+<strong>sip.events</strong>: events generated (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.ignored_sessions</strong>: total sessions ignored\r
+<strong>sip.dialogs</strong>: total dialogs (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.total_requests</strong>: total requests\r
+<strong>sip.ignored_channels</strong>: total channels ignored (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.invite</strong>: invite\r
+<strong>sip.ignored_sessions</strong>: total sessions ignored (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.cancel</strong>: cancel\r
+<strong>sip.total_requests</strong>: total requests (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.ack</strong>: ack\r
+<strong>sip.invite</strong>: invite (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.bye</strong>: bye\r
+<strong>sip.cancel</strong>: cancel (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.register</strong>: register\r
+<strong>sip.ack</strong>: ack (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.options</strong>: options\r
+<strong>sip.bye</strong>: bye (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.refer</strong>: refer\r
+<strong>sip.register</strong>: register (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.subscribe</strong>: subscribe\r
+<strong>sip.options</strong>: options (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.update</strong>: update\r
+<strong>sip.refer</strong>: refer (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.join</strong>: join\r
+<strong>sip.subscribe</strong>: subscribe (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.info</strong>: info\r
+<strong>sip.update</strong>: update (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.message</strong>: message\r
+<strong>sip.join</strong>: join (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.notify</strong>: notify\r
+<strong>sip.info</strong>: info (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.prack</strong>: prack\r
+<strong>sip.message</strong>: message (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.total_responses</strong>: total responses\r
+<strong>sip.notify</strong>: notify (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.code_1xx</strong>: 1xx\r
+<strong>sip.prack</strong>: prack (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.code_2xx</strong>: 2xx\r
+<strong>sip.total_responses</strong>: total responses (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.code_3xx</strong>: 3xx\r
+<strong>sip.code_1xx</strong>: 1xx (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.code_4xx</strong>: 4xx\r
+<strong>sip.code_2xx</strong>: 2xx (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.code_5xx</strong>: 5xx\r
+<strong>sip.code_3xx</strong>: 3xx (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.code_6xx</strong>: 6xx\r
+<strong>sip.code_4xx</strong>: 4xx (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.code_7xx</strong>: 7xx\r
+<strong>sip.code_5xx</strong>: 5xx (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.code_8xx</strong>: 8xx\r
+<strong>sip.code_6xx</strong>: 6xx (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.code_9xx</strong>: 9xx\r
+<strong>sip.code_7xx</strong>: 7xx (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>sip.code_8xx</strong>: 8xx (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>sip.code_9xx</strong>: 9xx (sum)\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_smtp">smtp</h3>\r
+<h3 id="_smtp_2">smtp</h3>\r
<div class="paragraph"><p>What: smtp inspection</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
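Review bot: same anchor issue as `_port_scan_2`: `_smtp` becomes `_smtp_2` because another section is titled "smtp", so `#_smtp` links no longer reach this inspector's peg counts. Suggest distinct, stable ids for the two "smtp" sections instead of the generated suffix.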
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>smtp.packets</strong>: total packets processed\r
+<strong>smtp.packets</strong>: total packets processed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.sessions</strong>: total smtp sessions\r
+<strong>smtp.sessions</strong>: total smtp sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.concurrent_sessions</strong>: total concurrent smtp sessions\r
+<strong>smtp.concurrent_sessions</strong>: total concurrent smtp sessions (now)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.max_concurrent_sessions</strong>: maximum concurrent smtp sessions\r
+<strong>smtp.max_concurrent_sessions</strong>: maximum concurrent smtp sessions (max)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.b64_attachments</strong>: total base64 attachments decoded\r
+<strong>smtp.b64_attachments</strong>: total base64 attachments decoded (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.b64_decoded_bytes</strong>: total base64 decoded bytes\r
+<strong>smtp.b64_decoded_bytes</strong>: total base64 decoded bytes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.qp_attachments</strong>: total quoted-printable attachments decoded\r
+<strong>smtp.qp_attachments</strong>: total quoted-printable attachments decoded (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.qp_decoded_bytes</strong>: total quoted-printable decoded bytes\r
+<strong>smtp.qp_decoded_bytes</strong>: total quoted-printable decoded bytes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.uu_attachments</strong>: total uu attachments decoded\r
+<strong>smtp.uu_attachments</strong>: total uu attachments decoded (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.uu_decoded_bytes</strong>: total uu decoded bytes\r
+<strong>smtp.uu_decoded_bytes</strong>: total uu decoded bytes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.non_encoded_attachments</strong>: total non-encoded attachments extracted\r
+<strong>smtp.non_encoded_attachments</strong>: total non-encoded attachments extracted (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.non_encoded_bytes</strong>: total non-encoded extracted bytes\r
+<strong>smtp.non_encoded_bytes</strong>: total non-encoded extracted bytes (sum)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_ssh">ssh</h3>\r
<div class="paragraph"><p>What: ssh inspection</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>ssh.packets</strong>: total packets\r
+<strong>ssh.packets</strong>: total packets (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>ssh.concurrent_sessions</strong>: total concurrent ssh sessions (now)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>ssh.max_concurrent_sessions</strong>: maximum concurrent ssh sessions (max)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_ssl">ssl</h3>\r
<div class="paragraph"><p>What: ssl inspection</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>ssl.packets</strong>: total packets processed\r
+<strong>ssl.packets</strong>: total packets processed (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>ssl.decoded</strong>: ssl packets decoded (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.decoded</strong>: ssl packets decoded\r
+<strong>ssl.client_hello</strong>: total client hellos (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.client_hello</strong>: total client hellos\r
+<strong>ssl.server_hello</strong>: total server hellos (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.server_hello</strong>: total server hellos\r
+<strong>ssl.certificate</strong>: total ssl certificates (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.certificate</strong>: total ssl certificates\r
+<strong>ssl.server_done</strong>: total server done (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.server_done</strong>: total server done\r
+<strong>ssl.client_key_exchange</strong>: total client key exchanges (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.client_key_exchange</strong>: total client key exchanges\r
+<strong>ssl.server_key_exchange</strong>: total server key exchanges (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.server_key_exchange</strong>: total server key exchanges\r
+<strong>ssl.change_cipher</strong>: total change cipher records (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.change_cipher</strong>: total change cipher records\r
+<strong>ssl.finished</strong>: total handshakes finished (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.finished</strong>: total handshakes finished\r
+<strong>ssl.client_application</strong>: total client application records (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.client_application</strong>: total client application records\r
+<strong>ssl.server_application</strong>: total server application records (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.server_application</strong>: total server application records\r
+<strong>ssl.alert</strong>: total ssl alert records (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.alert</strong>: total ssl alert records\r
+<strong>ssl.unrecognized_records</strong>: total unrecognized records (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.unrecognized_records</strong>: total unrecognized records\r
+<strong>ssl.handshakes_completed</strong>: total completed ssl handshakes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.handshakes_completed</strong>: total completed ssl handshakes\r
+<strong>ssl.bad_handshakes</strong>: total bad handshakes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.bad_handshakes</strong>: total bad handshakes\r
+<strong>ssl.sessions_ignored</strong>: total sessions ignore (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.sessions_ignored</strong>: total sessions ignore\r
+<strong>ssl.detection_disabled</strong>: total detection disabled (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.detection_disabled</strong>: total detection disabled\r
+<strong>ssl.concurrent_sessions</strong>: total concurrent ssl sessions (now)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>ssl.max_concurrent_sessions</strong>: maximum concurrent ssl sessions (max)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_stream">stream</h3>\r
<div class="paragraph"><p>What: common flow tracking</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
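Review bot: the `+ssl.sessions_ignored` line carries over the typo from the old line, "total sessions ignore"; since the line is rewritten anyway to add `(sum)`, change it to "total sessions ignored (sum)" to match the peg name.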
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>stream.ip_flows</strong>: total ip sessions\r
+<strong>stream.ip_flows</strong>: total ip sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip_total_prunes</strong>: total ip sessions pruned\r
+<strong>stream.ip_total_prunes</strong>: total ip sessions pruned (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip_idle_prunes</strong>: ip sessions pruned due to timeout\r
+<strong>stream.ip_idle_prunes</strong>: ip sessions pruned due to timeout (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip_excess_prunes</strong>: ip sessions pruned due to excess\r
+<strong>stream.ip_excess_prunes</strong>: ip sessions pruned due to excess (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip_uni_prunes</strong>: ip uni sessions pruned\r
+<strong>stream.ip_uni_prunes</strong>: ip uni sessions pruned (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip_preemptive_prunes</strong>: ip sessions pruned during preemptive pruning\r
+<strong>stream.ip_preemptive_prunes</strong>: ip sessions pruned during preemptive pruning (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip_memcap_prunes</strong>: ip sessions pruned due to memcap\r
+<strong>stream.ip_memcap_prunes</strong>: ip sessions pruned due to memcap (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip_ha_prunes</strong>: ip sessions pruned by high availability sync\r
+<strong>stream.ip_ha_prunes</strong>: ip sessions pruned by high availability sync (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp_flows</strong>: total icmp sessions\r
+<strong>stream.icmp_flows</strong>: total icmp sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp_total_prunes</strong>: total icmp sessions pruned\r
+<strong>stream.icmp_total_prunes</strong>: total icmp sessions pruned (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp_idle_prunes</strong>: icmp sessions pruned due to timeout\r
+<strong>stream.icmp_idle_prunes</strong>: icmp sessions pruned due to timeout (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp_excess_prunes</strong>: icmp sessions pruned due to excess\r
+<strong>stream.icmp_excess_prunes</strong>: icmp sessions pruned due to excess (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp_uni_prunes</strong>: icmp uni sessions pruned\r
+<strong>stream.icmp_uni_prunes</strong>: icmp uni sessions pruned (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp_preemptive_prunes</strong>: icmp sessions pruned during preemptive pruning\r
+<strong>stream.icmp_preemptive_prunes</strong>: icmp sessions pruned during preemptive pruning (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp_memcap_prunes</strong>: icmp sessions pruned due to memcap\r
+<strong>stream.icmp_memcap_prunes</strong>: icmp sessions pruned due to memcap (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp_ha_prunes</strong>: icmp sessions pruned by high availability sync\r
+<strong>stream.icmp_ha_prunes</strong>: icmp sessions pruned by high availability sync (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp_flows</strong>: total tcp sessions\r
+<strong>stream.tcp_flows</strong>: total tcp sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp_total_prunes</strong>: total tcp sessions pruned\r
+<strong>stream.tcp_total_prunes</strong>: total tcp sessions pruned (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp_idle_prunes</strong>: tcp sessions pruned due to timeout\r
+<strong>stream.tcp_idle_prunes</strong>: tcp sessions pruned due to timeout (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp_excess_prunes</strong>: tcp sessions pruned due to excess\r
+<strong>stream.tcp_excess_prunes</strong>: tcp sessions pruned due to excess (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp_uni_prunes</strong>: tcp uni sessions pruned\r
+<strong>stream.tcp_uni_prunes</strong>: tcp uni sessions pruned (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp_preemptive_prunes</strong>: tcp sessions pruned during preemptive pruning\r
+<strong>stream.tcp_preemptive_prunes</strong>: tcp sessions pruned during preemptive pruning (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp_memcap_prunes</strong>: tcp sessions pruned due to memcap\r
+<strong>stream.tcp_memcap_prunes</strong>: tcp sessions pruned due to memcap (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp_ha_prunes</strong>: tcp sessions pruned by high availability sync\r
+<strong>stream.tcp_ha_prunes</strong>: tcp sessions pruned by high availability sync (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp_flows</strong>: total udp sessions\r
+<strong>stream.udp_flows</strong>: total udp sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp_total_prunes</strong>: total udp sessions pruned\r
+<strong>stream.udp_total_prunes</strong>: total udp sessions pruned (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp_idle_prunes</strong>: udp sessions pruned due to timeout\r
+<strong>stream.udp_idle_prunes</strong>: udp sessions pruned due to timeout (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp_excess_prunes</strong>: udp sessions pruned due to excess\r
+<strong>stream.udp_excess_prunes</strong>: udp sessions pruned due to excess (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp_uni_prunes</strong>: udp uni sessions pruned\r
+<strong>stream.udp_uni_prunes</strong>: udp uni sessions pruned (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp_preemptive_prunes</strong>: udp sessions pruned during preemptive pruning\r
+<strong>stream.udp_preemptive_prunes</strong>: udp sessions pruned during preemptive pruning (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp_memcap_prunes</strong>: udp sessions pruned due to memcap\r
+<strong>stream.udp_memcap_prunes</strong>: udp sessions pruned due to memcap (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp_ha_prunes</strong>: udp sessions pruned by high availability sync\r
+<strong>stream.udp_ha_prunes</strong>: udp sessions pruned by high availability sync (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user_flows</strong>: total user sessions\r
+<strong>stream.user_flows</strong>: total user sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user_total_prunes</strong>: total user sessions pruned\r
+<strong>stream.user_total_prunes</strong>: total user sessions pruned (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user_idle_prunes</strong>: user sessions pruned due to timeout\r
+<strong>stream.user_idle_prunes</strong>: user sessions pruned due to timeout (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user_excess_prunes</strong>: user sessions pruned due to excess\r
+<strong>stream.user_excess_prunes</strong>: user sessions pruned due to excess (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user_uni_prunes</strong>: user uni sessions pruned\r
+<strong>stream.user_uni_prunes</strong>: user uni sessions pruned (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user_preemptive_prunes</strong>: user sessions pruned during preemptive pruning\r
+<strong>stream.user_preemptive_prunes</strong>: user sessions pruned during preemptive pruning (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user_memcap_prunes</strong>: user sessions pruned due to memcap\r
+<strong>stream.user_memcap_prunes</strong>: user sessions pruned due to memcap (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user_ha_prunes</strong>: user sessions pruned by high availability sync\r
+<strong>stream.user_ha_prunes</strong>: user sessions pruned by high availability sync (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.file_flows</strong>: total file sessions\r
+<strong>stream.file_flows</strong>: total file sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.file_total_prunes</strong>: total file sessions pruned\r
+<strong>stream.file_total_prunes</strong>: total file sessions pruned (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.file_idle_prunes</strong>: file sessions pruned due to timeout\r
+<strong>stream.file_idle_prunes</strong>: file sessions pruned due to timeout (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.file_excess_prunes</strong>: file sessions pruned due to excess\r
+<strong>stream.file_excess_prunes</strong>: file sessions pruned due to excess (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.file_uni_prunes</strong>: file uni sessions pruned\r
+<strong>stream.file_uni_prunes</strong>: file uni sessions pruned (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.file_preemptive_prunes</strong>: file sessions pruned during preemptive pruning\r
+<strong>stream.file_preemptive_prunes</strong>: file sessions pruned during preemptive pruning (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.file_memcap_prunes</strong>: file sessions pruned due to memcap\r
+<strong>stream.file_memcap_prunes</strong>: file sessions pruned due to memcap (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.file_ha_prunes</strong>: file sessions pruned by high availability sync\r
+<strong>stream.file_ha_prunes</strong>: file sessions pruned by high availability sync (sum)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_stream_file">stream_file</h3>\r
<div class="paragraph"><p>What: stream inspector for file flow tracking and processing</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_stream_icmp">stream_icmp</h3>\r
<div class="paragraph"><p>What: stream inspector for ICMP flow tracking</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>stream_icmp.sessions</strong>: total icmp sessions\r
+<strong>stream_icmp.sessions</strong>: total icmp sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_icmp.max</strong>: max icmp sessions\r
+<strong>stream_icmp.max</strong>: max icmp sessions (max)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_icmp.created</strong>: icmp session trackers created\r
+<strong>stream_icmp.created</strong>: icmp session trackers created (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_icmp.released</strong>: icmp session trackers released\r
+<strong>stream_icmp.released</strong>: icmp session trackers released (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_icmp.timeouts</strong>: icmp session timeouts\r
+<strong>stream_icmp.timeouts</strong>: icmp session timeouts (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_icmp.prunes</strong>: icmp session prunes\r
+<strong>stream_icmp.prunes</strong>: icmp session prunes (sum)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_stream_ip">stream_ip</h3>\r
<div class="paragraph"><p>What: stream inspector for IP flow tracking and defragmentation</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>stream_ip.sessions</strong>: total ip sessions\r
+<strong>stream_ip.sessions</strong>: total ip sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.max</strong>: max ip sessions\r
+<strong>stream_ip.max</strong>: max ip sessions (max)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.created</strong>: ip session trackers created\r
+<strong>stream_ip.created</strong>: ip session trackers created (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.released</strong>: ip session trackers released\r
+<strong>stream_ip.released</strong>: ip session trackers released (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.timeouts</strong>: ip session timeouts\r
+<strong>stream_ip.timeouts</strong>: ip session timeouts (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.prunes</strong>: ip session prunes\r
+<strong>stream_ip.prunes</strong>: ip session prunes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.total_frags</strong>: total fragments\r
+<strong>stream_ip.total_frags</strong>: total fragments (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.current_frags</strong>: current fragments\r
+<strong>stream_ip.current_frags</strong>: current fragments (now)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.max_frags</strong>: max fragments\r
+<strong>stream_ip.max_frags</strong>: max fragments (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.reassembled</strong>: reassembled datagrams\r
+<strong>stream_ip.reassembled</strong>: reassembled datagrams (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.discards</strong>: fragments discarded\r
+<strong>stream_ip.discards</strong>: fragments discarded (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.frag_timeouts</strong>: datagrams abandoned\r
+<strong>stream_ip.frag_timeouts</strong>: datagrams abandoned (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.overlaps</strong>: overlapping fragments\r
+<strong>stream_ip.overlaps</strong>: overlapping fragments (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.anomalies</strong>: anomalies detected\r
+<strong>stream_ip.anomalies</strong>: anomalies detected (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.alerts</strong>: alerts generated\r
+<strong>stream_ip.alerts</strong>: alerts generated (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.drops</strong>: fragments dropped\r
+<strong>stream_ip.drops</strong>: fragments dropped (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.trackers_added</strong>: datagram trackers created\r
+<strong>stream_ip.trackers_added</strong>: datagram trackers created (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.trackers_freed</strong>: datagram trackers released\r
+<strong>stream_ip.trackers_freed</strong>: datagram trackers released (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.trackers_cleared</strong>: datagram trackers cleared\r
+<strong>stream_ip.trackers_cleared</strong>: datagram trackers cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.trackers_completed</strong>: datagram trackers completed\r
+<strong>stream_ip.trackers_completed</strong>: datagram trackers completed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.nodes_inserted</strong>: fragments added to tracker\r
+<strong>stream_ip.nodes_inserted</strong>: fragments added to tracker (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.nodes_deleted</strong>: fragments deleted from tracker\r
+<strong>stream_ip.nodes_deleted</strong>: fragments deleted from tracker (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.memory_used</strong>: current memory usage in bytes\r
+<strong>stream_ip.memory_used</strong>: current memory usage in bytes (now)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.reassembled_bytes</strong>: total reassembled bytes\r
+<strong>stream_ip.reassembled_bytes</strong>: total reassembled bytes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.fragmented_bytes</strong>: total fragmented bytes\r
+<strong>stream_ip.fragmented_bytes</strong>: total fragmented bytes (sum)\r
</p>\r
</li>\r
</ul></div>\r
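Review bot: stream_ip.max_frags is tagged (sum) while every other high-water peg in this change (stream_icmp.max, stream_ip.max, stream_tcp.max, stream_udp.max) is tagged (max); summing a "max fragments" value across threads would report a number that is neither a peak nor a total, so unless this counter really is accumulated the line should read `+<strong>stream_ip.max_frags</strong>: max fragments (max)`.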
<h3 id="_stream_tcp">stream_tcp</h3>\r
<div class="paragraph"><p>What: stream inspector for TCP flow tracking and stream normalization and reassembly</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>stream_tcp.sessions</strong>: total tcp sessions\r
+<strong>stream_tcp.sessions</strong>: total tcp sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.max</strong>: max tcp sessions\r
+<strong>stream_tcp.max</strong>: max tcp sessions (max)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.created</strong>: tcp session trackers created\r
+<strong>stream_tcp.created</strong>: tcp session trackers created (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.released</strong>: tcp session trackers released\r
+<strong>stream_tcp.released</strong>: tcp session trackers released (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.timeouts</strong>: tcp session timeouts\r
+<strong>stream_tcp.timeouts</strong>: tcp session timeouts (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.prunes</strong>: tcp session prunes\r
+<strong>stream_tcp.prunes</strong>: tcp session prunes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.resyns</strong>: SYN received on established session\r
+<strong>stream_tcp.resyns</strong>: SYN received on established session (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.discards</strong>: tcp packets discarded\r
+<strong>stream_tcp.discards</strong>: tcp packets discarded (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.events</strong>: events generated\r
+<strong>stream_tcp.events</strong>: events generated (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.ignored</strong>: tcp packets ignored\r
+<strong>stream_tcp.ignored</strong>: tcp packets ignored (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.untracked</strong>: tcp packets not tracked\r
+<strong>stream_tcp.untracked</strong>: tcp packets not tracked (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.syn_trackers</strong>: tcp session tracking started on syn\r
+<strong>stream_tcp.syn_trackers</strong>: tcp session tracking started on syn (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.syn_ack_trackers</strong>: tcp session tracking started on syn-ack\r
+<strong>stream_tcp.syn_ack_trackers</strong>: tcp session tracking started on syn-ack (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.three_way_trackers</strong>: tcp session tracking started on ack\r
+<strong>stream_tcp.three_way_trackers</strong>: tcp session tracking started on ack (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.data_trackers</strong>: tcp session tracking started on data\r
+<strong>stream_tcp.data_trackers</strong>: tcp session tracking started on data (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.segs_queued</strong>: total segments queued\r
+<strong>stream_tcp.segs_queued</strong>: total segments queued (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.segs_released</strong>: total segments released\r
+<strong>stream_tcp.segs_released</strong>: total segments released (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.segs_split</strong>: tcp segments split when reassembling PDUs\r
+<strong>stream_tcp.segs_split</strong>: tcp segments split when reassembling PDUs (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.segs_used</strong>: queued tcp segments applied to reassembled PDUs\r
+<strong>stream_tcp.segs_used</strong>: queued tcp segments applied to reassembled PDUs (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.rebuilt_packets</strong>: total reassembled PDUs\r
+<strong>stream_tcp.rebuilt_packets</strong>: total reassembled PDUs (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.rebuilt_buffers</strong>: rebuilt PDU sections\r
+<strong>stream_tcp.rebuilt_buffers</strong>: rebuilt PDU sections (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.rebuilt_bytes</strong>: total rebuilt bytes\r
+<strong>stream_tcp.rebuilt_bytes</strong>: total rebuilt bytes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.overlaps</strong>: overlapping segments queued\r
+<strong>stream_tcp.overlaps</strong>: overlapping segments queued (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.gaps</strong>: missing data between PDUs\r
+<strong>stream_tcp.gaps</strong>: missing data between PDUs (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.exceeded_max_segs</strong>: number of times the maximum queued segment limit was reached\r
+<strong>stream_tcp.exceeded_max_segs</strong>: number of times the maximum queued segment limit was reached (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.exceeded_max_bytes</strong>: number of times the maximum queued byte limit was reached\r
+<strong>stream_tcp.exceeded_max_bytes</strong>: number of times the maximum queued byte limit was reached (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.internal_events</strong>: 135:X events generated\r
+<strong>stream_tcp.internal_events</strong>: 135:X events generated (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.client_cleanups</strong>: number of times data from server was flushed when session released\r
+<strong>stream_tcp.client_cleanups</strong>: number of times data from server was flushed when session released (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.server_cleanups</strong>: number of times data from client was flushed when session released\r
+<strong>stream_tcp.server_cleanups</strong>: number of times data from client was flushed when session released (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.memory</strong>: current memory in use\r
+<strong>stream_tcp.memory</strong>: current memory in use (now)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.initializing</strong>: number of sessions currently initializing\r
+<strong>stream_tcp.initializing</strong>: number of sessions currently initializing (now)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.established</strong>: number of sessions currently established\r
+<strong>stream_tcp.established</strong>: number of sessions currently established (now)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.closing</strong>: number of sessions currently closing\r
+<strong>stream_tcp.closing</strong>: number of sessions currently closing (now)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.syns</strong>: number of syn packets\r
+<strong>stream_tcp.syns</strong>: number of syn packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.syn_acks</strong>: number of syn-ack packets\r
+<strong>stream_tcp.syn_acks</strong>: number of syn-ack packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.resets</strong>: number of reset packets\r
+<strong>stream_tcp.resets</strong>: number of reset packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.fins</strong>: number of fin packets\r
+<strong>stream_tcp.fins</strong>: number of fin packets (sum)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_stream_udp">stream_udp</h3>\r
<div class="paragraph"><p>What: stream inspector for UDP flow tracking</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>stream_udp.sessions</strong>: total udp sessions\r
+<strong>stream_udp.sessions</strong>: total udp sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_udp.max</strong>: max udp sessions\r
+<strong>stream_udp.max</strong>: max udp sessions (max)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_udp.created</strong>: udp session trackers created\r
+<strong>stream_udp.created</strong>: udp session trackers created (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_udp.released</strong>: udp session trackers released\r
+<strong>stream_udp.released</strong>: udp session trackers released (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_udp.timeouts</strong>: udp session timeouts\r
+<strong>stream_udp.timeouts</strong>: udp session timeouts (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_udp.prunes</strong>: udp session prunes\r
+<strong>stream_udp.prunes</strong>: udp session prunes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_udp.ignored</strong>: udp packets ignored\r
+<strong>stream_udp.ignored</strong>: udp packets ignored (sum)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_stream_user">stream_user</h3>\r
<div class="paragraph"><p>What: stream inspector for user flow tracking and reassembly</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_telnet">telnet</h3>\r
<div class="paragraph"><p>What: telnet inspection and normalization</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: inspect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>telnet.packets</strong>: total packets\r
+<strong>telnet.total_packets</strong>: total packets (sum)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>telnet.concurrent_sessions</strong>: total concurrent telnet sessions (now)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+<strong>telnet.max_concurrent_sessions</strong>: maximum concurrent telnet sessions (max)\r
</p>\r
</li>\r
</ul></div>\r
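Review bot: the rename from telnet.packets to telnet.total_packets changes a stats key that external consumers (perfmon parsers, dashboards) may already key on, and nothing in this section flags it as a rename; either keep the old name or call the rename out explicitly. Also, "total concurrent telnet sessions (now)" is contradictory wording for a (now) gauge; "current concurrent telnet sessions" would match the tag and the sibling "maximum concurrent telnet sessions (max)".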
<h3 id="_wizard_2">wizard</h3>\r
<div class="paragraph"><p>What: inspector that implements port-independent protocol identification</p></div>\r
<div class="paragraph"><p>Type: inspector</p></div>\r
+<div class="paragraph"><p>Usage: global</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>wizard.tcp_scans</strong>: tcp payload scans\r
+<strong>wizard.tcp_scans</strong>: tcp payload scans (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>wizard.tcp_hits</strong>: tcp identifications\r
+<strong>wizard.tcp_hits</strong>: tcp identifications (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>wizard.udp_scans</strong>: udp payload scans\r
+<strong>wizard.udp_scans</strong>: udp payload scans (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>wizard.udp_hits</strong>: udp identifications\r
+<strong>wizard.udp_hits</strong>: udp identifications (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>wizard.user_scans</strong>: user payload scans\r
+<strong>wizard.user_scans</strong>: user payload scans (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>wizard.user_hits</strong>: user identifications\r
+<strong>wizard.user_hits</strong>: user identifications (sum)\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_react">react</h3>\r
<div class="paragraph"><p>What: send response to client and terminate session</p></div>\r
<div class="paragraph"><p>Type: ips_action</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_reject">reject</h3>\r
<div class="paragraph"><p>What: terminate session with TCP reset or ICMP unreachable</p></div>\r
<div class="paragraph"><p>Type: ips_action</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_rewrite">rewrite</h3>\r
<div class="paragraph"><p>What: overwrite packet contents</p></div>\r
<div class="paragraph"><p>Type: ips_action</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_ack">ack</h3>\r
<div class="paragraph"><p>What: rule option to match on TCP ack numbers</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>ack.~range</strong>: check if tcp ack value is <em>value | min<>max | <max | >min</em>\r
+interval <strong>ack.~range</strong>: check if tcp ack value is <em>value | min<>max | <max | >min</em> { 0: }\r
</p>\r
</li>\r
</ul></div>\r
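Review bot: ack.~range keeps the old string-style syntax "value | min<>max | <max | >min" in its description even though bufferlen, dsize and fragoffset drop it in favour of "is in given range" with explicit bounds; now that the type is interval the syntax belongs to the type, so this line should be aligned, e.g. `check if tcp ack value is in given range`. The range `{ 0: }` also leaves the upper bound open although a TCP acknowledgement number is a 32-bit field; consider `{ 0:4294967295 }` for consistency with the bounded ranges elsewhere, or state why it is unbounded.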
<h3 id="_appids">appids</h3>\r
<div class="paragraph"><p>What: detection option for application ids</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_asn1">asn1</h3>\r
<div class="paragraph"><p>What: rule option for asn1 detection</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_base64_decode">base64_decode</h3>\r
<div class="paragraph"><p>What: rule option to decode base64 data - must be used with base64_data option</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_bufferlen">bufferlen</h3>\r
<div class="paragraph"><p>What: rule option to check length of current buffer</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>bufferlen.~range</strong>: len | min<>max | <max | >min, range is 0:65535\r
+interval <strong>bufferlen.~range</strong>: check that length of current buffer is in given range { 0:65535 }\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_byte_extract_2">byte_extract</h3>\r
<div class="paragraph"><p>What: rule option to convert data to an integer variable</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_byte_jump_2">byte_jump</h3>\r
<div class="paragraph"><p>What: rule option to move the detection cursor</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_byte_math_2">byte_math</h3>\r
<div class="paragraph"><p>What: rule option to perform mathematical operations on extracted value and a specified value or existing variable</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_byte_test_2">byte_test</h3>\r
<div class="paragraph"><p>What: rule option to convert data to integer and compare</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_classtype">classtype</h3>\r
<div class="paragraph"><p>What: general rule option for rule classification</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_content">content</h3>\r
<div class="paragraph"><p>What: payload rule option for basic pattern matching</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_cvs">cvs</h3>\r
<div class="paragraph"><p>What: payload rule option for detecting specific attacks</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_dce_iface_2">dce_iface</h3>\r
<div class="paragraph"><p>What: detection option to check dcerpc interface</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>dce_iface.version</strong>: interface version\r
+interval <strong>dce_iface.version</strong>: interface version { 0: }\r
</p>\r
</li>\r
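Review bot: changing dce_iface.version from string to interval alters the syntax accepted from existing rules, but the description is unchanged apart from the `{ 0: }` suffix, so a reader has no way to tell that operator, j<>k and j<=>k forms now apply here or that the previous string form may no longer parse; add a sentence to that effect, and as with ack.~range say whether the open upper bound is intentional.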
<li>\r
<h3 id="_dce_opnum_2">dce_opnum</h3>\r
<div class="paragraph"><p>What: detection option to check dcerpc operation number</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_dce_stub_data_2">dce_stub_data</h3>\r
<div class="paragraph"><p>What: sets the cursor to dcerpc stub data</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
</div>\r
<div class="sect2">\r
<h3 id="_detection_filter">detection_filter</h3>\r
<div class="paragraph"><p>What: rule option to require multiple hits before a rule generates an event</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_dnp3_data">dnp3_data</h3>\r
<div class="paragraph"><p>What: sets the cursor to dnp3 data</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
</div>\r
<div class="sect2">\r
<h3 id="_dnp3_func">dnp3_func</h3>\r
<div class="paragraph"><p>What: detection option to check dnp3 function code</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_dnp3_ind">dnp3_ind</h3>\r
<div class="paragraph"><p>What: detection option to check dnp3 indicator flags</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_dnp3_obj">dnp3_obj</h3>\r
<div class="paragraph"><p>What: detection option to check dnp3 object headers</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_dsize">dsize</h3>\r
<div class="paragraph"><p>What: rule option to test payload size</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>dsize.~range</strong>: check if packet payload size is <em>size | min<>max | <max | >min</em>, range is 0:65535\r
+interval <strong>dsize.~range</strong>: check if packet payload size is in the given range { 0:65535 }\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_file_data">file_data</h3>\r
<div class="paragraph"><p>What: rule option to set detection cursor to file data</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
</div>\r
<div class="sect2">\r
<h3 id="_file_type">file_type</h3>\r
<div class="paragraph"><p>What: rule option to check file type</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_flags">flags</h3>\r
<div class="paragraph"><p>What: rule option to test TCP control flags</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_flow">flow</h3>\r
<div class="paragraph"><p>What: rule option to check session properties</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_flowbits">flowbits</h3>\r
<div class="paragraph"><p>What: rule option to set and test arbitrary boolean flags</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_fragbits">fragbits</h3>\r
<div class="paragraph"><p>What: rule option to test IP frag flags</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_fragoffset">fragoffset</h3>\r
<div class="paragraph"><p>What: rule option to test IP frag offset</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>fragoffset.~range</strong>: check if ip fragment offset value is <em>value | min<>max | <max | >min</em>, range is 0:8192\r
+interval <strong>fragoffset.~range</strong>: check if ip fragment offset is in given range { 0:8192 }\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_gid">gid</h3>\r
<div class="paragraph"><p>What: rule option specifying rule generator</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_gtp_info">gtp_info</h3>\r
<div class="paragraph"><p>What: rule option to check gtp info element</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_gtp_type">gtp_type</h3>\r
<div class="paragraph"><p>What: rule option to check gtp types</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_gtp_version">gtp_version</h3>\r
<div class="paragraph"><p>What: rule option to check gtp version</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_http_client_body_2">http_client_body</h3>\r
<div class="paragraph"><p>What: rule option to set the detection cursor to the request body</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
</div>\r
<div class="sect2">\r
<h3 id="_http_cookie">http_cookie</h3>\r
<div class="paragraph"><p>What: rule option to set the detection cursor to the HTTP cookie</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_http_header">http_header</h3>\r
<div class="paragraph"><p>What: rule option to set the detection cursor to the normalized headers</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_http_method_2">http_method</h3>\r
<div class="paragraph"><p>What: rule option to set the detection cursor to the HTTP request method</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
+<h3 id="_http_raw_body_2">http_raw_body</h3>\r
+<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized message body</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
+</div>\r
+<div class="sect2">\r
<h3 id="_http_raw_cookie">http_raw_cookie</h3>\r
<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized cookie</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_http_raw_header">http_raw_header</h3>\r
<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized headers</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_http_raw_request">http_raw_request</h3>\r
<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized request line</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_http_raw_status">http_raw_status</h3>\r
<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized status line</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_http_raw_trailer">http_raw_trailer</h3>\r
<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized trailers</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_http_raw_uri">http_raw_uri</h3>\r
<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized URI</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_http_stat_code_2">http_stat_code</h3>\r
<div class="paragraph"><p>What: rule option to set the detection cursor to the HTTP status code</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_http_stat_msg_2">http_stat_msg</h3>\r
<div class="paragraph"><p>What: rule option to set the detection cursor to the HTTP status message</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_http_trailer">http_trailer</h3>\r
<div class="paragraph"><p>What: rule option to set the detection cursor to the normalized trailers</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
+<h3 id="_http_true_ip_2">http_true_ip</h3>\r
+<div class="paragraph"><p>What: rule option to set the detection cursor to the final client IP address</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+implied <strong>http_true_ip.with_body</strong>: parts of this rule examine HTTP message body\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>http_true_ip.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
<h3 id="_http_uri">http_uri</h3>\r
<div class="paragraph"><p>What: rule option to set the detection cursor to the normalized URI buffer</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_http_version_2">http_version</h3>\r
<div class="paragraph"><p>What: rule option to set the detection cursor to the version buffer</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_icmp_id">icmp_id</h3>\r
<div class="paragraph"><p>What: rule option to check ICMP ID</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>icmp_id.~range</strong>: check if icmp id is <em>id | min<>max | <max | >min</em>, range is 0:65535\r
+interval <strong>icmp_id.~range</strong>: check if icmp id is in given range { 0:65535 }\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_icmp_seq">icmp_seq</h3>\r
<div class="paragraph"><p>What: rule option to check ICMP sequence number</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>icmp_seq.~range</strong>: check if icmp sequence number is <em>seq | min<>max | <max | >min</em>, range is 0:65535\r
+interval <strong>icmp_seq.~range</strong>: check if icmp sequence number is in given range { 0:65535 }\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_icode">icode</h3>\r
<div class="paragraph"><p>What: rule option to check ICMP code</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>icode.~range</strong>: check if ICMP code is <em>code | min<>max | <max | >min</em>, range is 0:255\r
+interval <strong>icode.~range</strong>: check if icmp code is in given range is { 0:255 }\r
</p>\r
</li>\r
</ul></div>\r
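Review bot: the new icode.~range help text reads "check if icmp code is in given range is { 0:255 }", which has a stray "is" before the range; the sibling icmp_id, icmp_seq and itype entries in this patch use "is in given range { ... }", so drop the second "is" here to match them.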
<h3 id="_id">id</h3>\r
<div class="paragraph"><p>What: rule option to check the IP ID field</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>id.~range</strong>: check if the IP ID is <em>id | min<>max | <max | >min</em>\r
+interval <strong>id.~range</strong>: check if the ip id is in the given range { 0: }\r
</p>\r
</li>\r
</ul></div>\r
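Review bot: id.~range is bounded as { 0: } while the IP ID field is 16 bits; the parallel icmp_id and icmp_seq entries in this patch use { 0:65535 }, so the same upper bound (or a note on why the interval is left open-ended) would keep the interval specs consistent with the field widths.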
<h3 id="_ip_proto">ip_proto</h3>\r
<div class="paragraph"><p>What: rule option to check the IP protocol number</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_ipopts">ipopts</h3>\r
<div class="paragraph"><p>What: rule option to check for IP options</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_isdataat">isdataat</h3>\r
<div class="paragraph"><p>What: rule option to check for the presence of payload data</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_itype">itype</h3>\r
<div class="paragraph"><p>What: rule option to check ICMP type</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>itype.~range</strong>: check if icmp type is <em>type | min<>max | <max | >min</em>, range is 0:255\r
+interval <strong>itype.~range</strong>: check if icmp type is in given range { 0:255 }\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_md5">md5</h3>\r
<div class="paragraph"><p>What: payload rule option for hash matching</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_metadata">metadata</h3>\r
<div class="paragraph"><p>What: rule option for conveying arbitrary name, value data within the rule text</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>metadata.service</strong>: service name\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>metadata.</strong>*: additional parameters not used by snort\r
+string <strong>metadata.</strong>*: comma-separated list of arbitrary name value pairs\r
</p>\r
</li>\r
</ul></div>\r
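Review bot: this hunk drops the metadata.service parameter and re-describes metadata.* as an arbitrary name/value list, but nothing here tells a reader what becomes of existing rules that carry metadata:service; since the same patch adds a standalone service rule option ("one or more comma-separated service names"), a one-line pointer under metadata ("service is now its own rule option") would save rule maintainers a hunt.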
<h3 id="_modbus_data">modbus_data</h3>\r
<div class="paragraph"><p>What: rule option to set cursor to modbus data</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
</div>\r
<div class="sect2">\r
<h3 id="_modbus_func">modbus_func</h3>\r
<div class="paragraph"><p>What: rule option to check modbus function code</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_modbus_unit">modbus_unit</h3>\r
<div class="paragraph"><p>What: rule option to check modbus unit ID</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_msg">msg</h3>\r
<div class="paragraph"><p>What: rule option summarizing rule purpose output with events</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
+<h3 id="_mss">mss</h3>\r
+<div class="paragraph"><p>What: detection for TCP maximum segment size</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+interval <strong>mss.~range</strong>: check if TCP MSS is in given range { 0:65535 }\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
<h3 id="_pcre">pcre</h3>\r
<div class="paragraph"><p>What: rule option for matching payload data with pcre</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_pkt_data">pkt_data</h3>\r
<div class="paragraph"><p>What: rule option to set the detection cursor to the normalized packet data</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
</div>\r
<div class="sect2">\r
<h3 id="_pkt_num">pkt_num</h3>\r
<div class="paragraph"><p>What: alert on raw packet number</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>pkt_num.~range</strong>: check if packet number is in given range\r
+interval <strong>pkt_num.~range</strong>: check if packet number is in given range { 1: }\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_priority">priority</h3>\r
<div class="paragraph"><p>What: rule option for prioritizing events</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_raw_data">raw_data</h3>\r
<div class="paragraph"><p>What: rule option to set the detection cursor to the raw packet data</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
</div>\r
<div class="sect2">\r
<h3 id="_reference">reference</h3>\r
<div class="paragraph"><p>What: rule option to indicate relevant attack identification system</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_regex">regex</h3>\r
<div class="paragraph"><p>What: rule option for matching payload data with hyperscan regex</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
</li>\r
<li>\r
<p>\r
-implied <strong>regex.nocase</strong>: case insensitive match\r
+implied <strong>regex.multiline</strong>: ^ and $ anchors match any newlines in data\r
</p>\r
</li>\r
<li>\r
<p>\r
-implied <strong>regex.multiline</strong>: ^ and $ anchors match any newlines in data\r
+implied <strong>regex.nocase</strong>: case insensitive match\r
</p>\r
</li>\r
<li>\r
<h3 id="_rem">rem</h3>\r
<div class="paragraph"><p>What: rule option to convey an arbitrary comment in the rule body</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_replace">replace</h3>\r
<div class="paragraph"><p>What: rule option to overwrite payload data; use with rewrite action</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_rev">rev</h3>\r
<div class="paragraph"><p>What: rule option to indicate current revision of signature</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_rpc">rpc</h3>\r
<div class="paragraph"><p>What: rule option to check SUNRPC CALL parameters</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_sd_pattern">sd_pattern</h3>\r
<div class="paragraph"><p>What: rule option for detecting sensitive data</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>sd_pattern.below_threshold</strong>: sd_pattern matched but missed threshold\r
+<strong>sd_pattern.below_threshold</strong>: sd_pattern matched but missed threshold (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sd_pattern.pattern_not_found</strong>: sd_pattern did not not match\r
+<strong>sd_pattern.pattern_not_found</strong>: sd_pattern did not not match (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sd_pattern.terminated</strong>: hyperscan terminated\r
+<strong>sd_pattern.terminated</strong>: hyperscan terminated (sum)\r
</p>\r
</li>\r
</ul></div>\r
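Review bot: the sd_pattern.pattern_not_found text still reads "sd_pattern did not not match (sum)"; the doubled "not" is carried over from the old line, and since the line is being touched anyway it should become "did not match (sum)".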
<h3 id="_seq">seq</h3>\r
<div class="paragraph"><p>What: rule option to check TCP sequence number</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>seq.~range</strong>: check if tcp sequence number value is <em>value | min<>max | <max | >min</em>\r
+interval <strong>seq.~range</strong>: check if tcp sequence number is in given range { 0: }\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_service">service</h3>\r
+<div class="paragraph"><p>What: rule option to specify list of services for grouping rules</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+string <strong>service.</strong>*: one or more comma-separated service names\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_session">session</h3>\r
<div class="paragraph"><p>What: rule option to check user data from TCP sessions</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_sha256">sha256</h3>\r
<div class="paragraph"><p>What: payload rule option for hash matching</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_sha512">sha512</h3>\r
<div class="paragraph"><p>What: payload rule option for hash matching</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_sid">sid</h3>\r
<div class="paragraph"><p>What: rule option to indicate signature number</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_sip_body">sip_body</h3>\r
<div class="paragraph"><p>What: rule option to set the detection cursor to the request body</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
</div>\r
<div class="sect2">\r
<h3 id="_sip_header">sip_header</h3>\r
<div class="paragraph"><p>What: rule option to set the detection cursor to the SIP header buffer</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
</div>\r
<div class="sect2">\r
<h3 id="_sip_method">sip_method</h3>\r
<div class="paragraph"><p>What: detection option for sip stat code</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
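Review bot: the sip_method What line reads "detection option for sip stat code", which is the description of the neighbouring sip_stat_code entry; it is unchanged context here, but as the Usage line is being added to this block it is a cheap fix to give sip_method its own description (for example "detection option for sip method").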
<h3 id="_sip_stat_code">sip_stat_code</h3>\r
<div class="paragraph"><p>What: detection option for sip stat code</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_so">so</h3>\r
<div class="paragraph"><p>What: rule option to call custom eval function</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_soid">soid</h3>\r
<div class="paragraph"><p>What: rule option to specify a shared object rule ID</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_ssl_state">ssl_state</h3>\r
<div class="paragraph"><p>What: detection option for ssl state</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_ssl_version">ssl_version</h3>\r
<div class="paragraph"><p>What: detection option for ssl version</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_stream_reassemble">stream_reassemble</h3>\r
<div class="paragraph"><p>What: detection option for stream reassembly control</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_stream_size">stream_size</h3>\r
<div class="paragraph"><p>What: detection option for stream size checking</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>stream_size.~range</strong>: size for comparison\r
+interval <strong>stream_size.~range</strong>: check if the stream size is in the given range { 0: }\r
</p>\r
</li>\r
<li>\r
<h3 id="_tag">tag</h3>\r
<div class="paragraph"><p>What: rule option to log additional packets</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
+<h3 id="_target">target</h3>\r
+<div class="paragraph"><p>What: rule option to indicate target of attack</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+enum <strong>target.~</strong>: indicate the target of the attack { src_ip | dst_ip }\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
<h3 id="_tos">tos</h3>\r
<div class="paragraph"><p>What: rule option to check type of service field</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>tos.~range</strong>: check if ip tos value is <em>value | min<>max | <max | >min</em>, range is 0:255\r
+interval <strong>tos.~range</strong>: check if ip tos is in given range { 0:255 }\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_ttl">ttl</h3>\r
<div class="paragraph"><p>What: rule option to check time to live field</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>ttl.~range</strong>: check if ip ttl field value is <em>value | min<>max | <max | >min</em>, range is 0:255\r
+interval <strong>ttl.~range</strong>: check if ip ttl is in the given range { 0:255 }\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_urg">urg</h3>\r
<div class="paragraph"><p>What: detection for TCP urgent pointer</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>urg.~range</strong>: check if urgent offset is min<>max | <max | >min, range is 0:65535\r
+interval <strong>urg.~range</strong>: check if tcp urgent offset is in given range { 0:65535 }\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_window">window</h3>\r
<div class="paragraph"><p>What: rule option to check TCP window field</p></div>\r
<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+interval <strong>window.~range</strong>: check if tcp window size is in given range { 0:65535 }\r
+</p>\r
+</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_wscale">wscale</h3>\r
+<div class="paragraph"><p>What: detection for TCP window scale</p></div>\r
+<div class="paragraph"><p>Type: ips_option</p></div>\r
+<div class="paragraph"><p>Usage: detect</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>window.~range</strong>: check if tcp window field size is <em>size | min<>max | <max | >min</em>, range is 0:65535\r
+interval <strong>wscale.~range</strong>: check if TCP window scale is in given range { 0:65535 }\r
</p>\r
</li>\r
</ul></div>\r
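Review bot: wscale.~range is given the bound { 0:65535 }, but the TCP window scale option carries a one-byte shift count and RFC 7323 caps the usable value at 14; either { 0:255 } for the raw field or { 0:14 } for the valid range would be more accurate than the 16-bit bound that appears to have been copied from window.~range just above.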
<h3 id="_alert_csv">alert_csv</h3>\r
<div class="paragraph"><p>What: output event in csv format</p></div>\r
<div class="paragraph"><p>Type: logger</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
</li>\r
<li>\r
<p>\r
-multi <strong>alert_csv.fields</strong> = timestamp pkt_num proto pkt_gen dgm_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | dir | dgm_len | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | pkt_gen | pkt_num | proto | rev | rule | sid | src_addr | src_ap | src_port | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len }\r
+multi <strong>alert_csv.fields</strong> = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>alert_csv.limit</strong> = 0: set limit (0 is unlimited) { 0: }\r
+int <strong>alert_csv.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0: }\r
</p>\r
</li>\r
<li>\r
string <strong>alert_csv.separator</strong> = , : separate fields with this character sequence\r
</p>\r
</li>\r
-<li>\r
-<p>\r
-enum <strong>alert_csv.units</strong> = B: bytes | KB | MB | GB { B | K | M | G }\r
-</p>\r
-</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
<h3 id="_alert_ex">alert_ex</h3>\r
<div class="paragraph"><p>What: output gid:sid:rev for alerts</p></div>\r
<div class="paragraph"><p>Type: logger</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
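Review bot: the alert_csv.limit change from "set limit (0 is unlimited)" to "set maximum size in MB before rollover", together with the deletion of alert_csv.units, documents a behavioural change rather than a wording fix: a snort.lua that set limit as a byte count under the old units scheme will now be read as megabytes, and one that sets units = 'K' will no longer parse. The same limit/units replacement is applied to alert_fast, log_hext, log_pcap and unified2 later in this patch, so it deserves a sentence in the changelog or upgrade notes. The default field list also swaps dgm_len for pkt_len and adds new selectable fields (class, b64_data, mpls, priority, service, target, vlan), which changes the CSV column layout for anyone relying on the defaults; worth calling out in the same place.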
<h3 id="_alert_fast">alert_fast</h3>\r
<div class="paragraph"><p>What: output event with brief text format</p></div>\r
<div class="paragraph"><p>Type: logger</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>alert_fast.limit</strong> = 0: set limit (0 is unlimited) { 0: }\r
+int <strong>alert_fast.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0: }\r
</p>\r
</li>\r
+</ul></div>\r
+</div>\r
+<div class="sect2">\r
+<h3 id="_alert_full">alert_full</h3>\r
+<div class="paragraph"><p>What: output event with full packet dump</p></div>\r
+<div class="paragraph"><p>Type: logger</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
+<div class="paragraph"><p>Configuration:</p></div>\r
+<div class="ulist"><ul>\r
<li>\r
<p>\r
-enum <strong>alert_fast.units</strong> = B: bytes | KB | MB | GB { B | K | M | G }\r
+bool <strong>alert_full.file</strong> = false: output to alert_full.txt instead of stdout\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>alert_full.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0: }\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_alert_full">alert_full</h3>\r
-<div class="paragraph"><p>What: output event with full packet dump</p></div>\r
+<h3 id="_alert_json">alert_json</h3>\r
+<div class="paragraph"><p>What: output event in json format</p></div>\r
<div class="paragraph"><p>Type: logger</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-bool <strong>alert_full.file</strong> = false: output to alert_full.txt instead of stdout\r
+bool <strong>alert_json.file</strong> = false: output to alert_json.txt instead of stdout\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+multi <strong>alert_json.fields</strong> = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>alert_full.limit</strong> = 0: set limit (0 is unlimited) { 0: }\r
+int <strong>alert_json.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>alert_full.units</strong> = B: limit is in bytes | KB | MB | GB { B | K | M | G }\r
+string <strong>alert_json.separator</strong> = , : separate fields with this character sequence\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_alert_sfsocket">alert_sfsocket</h3>\r
<div class="paragraph"><p>What: output event over socket</p></div>\r
<div class="paragraph"><p>Type: logger</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_alert_syslog">alert_syslog</h3>\r
<div class="paragraph"><p>What: output event to syslog</p></div>\r
<div class="paragraph"><p>Type: logger</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_alert_unixsock">alert_unixsock</h3>\r
<div class="paragraph"><p>What: output event over unix socket</p></div>\r
<div class="paragraph"><p>Type: logger</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
</div>\r
<div class="sect2">\r
<h3 id="_log_codecs">log_codecs</h3>\r
<div class="paragraph"><p>What: log protocols in packet by layer</p></div>\r
<div class="paragraph"><p>Type: logger</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<h3 id="_log_hext">log_hext</h3>\r
<div class="paragraph"><p>What: output payload suitable for daq hext</p></div>\r
<div class="paragraph"><p>Type: logger</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>log_hext.limit</strong> = 0: set limit (0 is unlimited) { 0: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>log_hext.units</strong> = B: bytes | KB | MB | GB { B | K | M | G }\r
+int <strong>log_hext.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0: }\r
</p>\r
</li>\r
<li>\r
<h3 id="_log_pcap">log_pcap</h3>\r
<div class="paragraph"><p>What: log packet in pcap format</p></div>\r
<div class="paragraph"><p>Type: logger</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>log_pcap.limit</strong> = 0: set limit (0 is unlimited) { 0: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>log_pcap.units</strong> = B: bytes | KB | MB | GB { B | K | M | G }\r
+int <strong>log_pcap.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0: }\r
</p>\r
</li>\r
</ul></div>\r
<h3 id="_unified2">unified2</h3>\r
<div class="paragraph"><p>What: output event and packet in unified2 format file</p></div>\r
<div class="paragraph"><p>Type: logger</p></div>\r
+<div class="paragraph"><p>Usage: context</p></div>\r
<div class="paragraph"><p>Configuration:</p></div>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-int <strong>unified2.limit</strong> = 0: set limit (0 is unlimited) { 0: }\r
+bool <strong>unified2.legacy_events</strong> = false: generate Snort 2.X style events for barnyard2 compatibility\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>unified2.units</strong> = B: limit multiplier { B | K | M | G }\r
+int <strong>unified2.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0: }\r
</p>\r
</li>\r
<li>\r
bool <strong>unified2.nostamp</strong> = true: append file creation time to name (in Unix Epoch format)\r
</p>\r
</li>\r
-<li>\r
-<p>\r
-bool <strong>unified2.mpls_event_types</strong> = false: include mpls labels in events\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>unified2.vlan_event_types</strong> = false: include vlan IDs in events\r
-</p>\r
-</li>\r
</ul></div>\r
</div>\r
</div>\r
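Review bot: This hunk drops the opt-in unified2.mpls_event_types and unified2.vlan_event_types flags and adds unified2.legacy_events, but the section never states what the non-legacy event record now contains or that readers built for Snort 2 records (barnyard2 is named on the `+bool unified2.legacy_events` line) need legacy_events = true to keep parsing. One sentence saying that MPLS and VLAN data are now part of the default event format and that legacy_events is the compatibility switch would save a deployment from a silently broken log pipeline.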
to the version that came with your installation’s source code.</p></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_configuration_5">Configuration</h3>\r
+<h3 id="_configuration_7">Configuration</h3>\r
<div class="paragraph"><p>As with a number of features in Snort 3, the LibDAQ and DAQ module\r
configuration may be controlled using either the command line options or direct\r
Snort module configuration.</p></div>\r
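Review bot: Renumbering the generated anchor from _configuration_5 to _configuration_7 breaks any existing deep link to #_configuration_5 and makes it resolve to a different section; the same shift appears further down for _configuration_6. If these headings are linked from other documents, giving the Configuration sections stable explicit ids would avoid this on every regeneration.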
</li>\r
<li>\r
<p>\r
-pub/sub inspection events (currently used by sip and http to appid)\r
+pub/sub inspection events (currently used by sip and http_inspect to appid)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-fully stateful http_inspect with 83 builtin alerts\r
+fully stateful http_inspect with 97 builtin alerts\r
(Snort 2 is only partly stateful with 33 builtin alerts)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-alert service (eg http) and alert file rules\r
+alert file rules\r
+ (Snort 2 must use multiple rules)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+alert service rules, eg alert http\r
(Snort 2 must use metadata:service)\r
</p>\r
</li>\r
<li>\r
<p>\r
+automatic fast_pattern only\r
+ (Snort 2 requires explicit fast_pattern:only)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
elided rule headers omit nets and/or ports\r
(Snort 2 requires explicit <em>any</em>)\r
</p>\r
</li>\r
<li>\r
<p>\r
-optional warnings output, can be fatal\r
- (Snort 2 warnings are not optional or fatal)\r
+optional, expanded warnings output, can be fatal\r
+ (Snort 2 warnings limited and are not optional or fatal)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+detection trace\r
+ (Snort 2 has more limited buffer dumping)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+updated unified2 events with MPLS, VLAN, and IP6\r
+ (Snort 2 requires configuration and extra data)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+significantly more unit tests, including --catch and make check\r
+ (Snort 2 has very few unit tests)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
better modularity 346K/1534 = 226 lines/file, max=2700\r
(Snort 2 has 440K/1021 = 431 lines/file, max=13K)\r
</p>\r
</li>\r
<li>\r
<p>\r
+sid == 0 not allowed\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
deleted activate / dynamic rules\r
</p>\r
</li>\r
<li>\r
<p>\r
+deleted unused rule_state.action\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
deleted metadata engine shared\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-deleted unused rule_state.action\r
+changed metadata:service one[, service two]; to service:one[, two];\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+soid is now a non-metadata option\r
</p>\r
</li>\r
<li>\r
<p>\r
-fastpattern_offset, fast_pattern_length\r
+metadata is now truly metadata with no impact on detection\r
+ (Snort doesn’t care about metadata internal structure / syntax)\r
</p>\r
</li>\r
<li>\r
<p>\r
-no ; separated content suboptions\r
+deleted fast_pattern:only; use fast_pattern, nocase\r
+ (option is not added to detection tree if not required)\r
</p>\r
</li>\r
<li>\r
<p>\r
-offset, depth, distance, and within must use a space separator not colon\r
- (e.g. offset:5; becomes offset 5;)\r
+changed fast_pattern:<offset>,<length> to\r
+ fastpattern_offset: <offset>, fast_pattern_length <length>\r
</p>\r
</li>\r
<li>\r
<p>\r
-rule option sequence: <stub> soid <hidden>\r
+fast pattern sensitive data with sd_pattern using hyperscan\r
</p>\r
</li>\r
<li>\r
<p>\r
-sid == 0 not allowed\r
+hyperscan regex fast patterns with regex:"<regex>", fast_pattern;\r
</p>\r
</li>\r
<li>\r
<p>\r
-soid is now a non-metadata option\r
+no ; separated content suboptions\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+offset, depth, distance, and within must use a space separator not colon\r
+ (e.g. offset:5; becomes offset 5;)\r
</p>\r
</li>\r
<li>\r
<p>\r
-content suboptions http_* are now full options and should be place before content\r
+content suboptions http_* are now full options\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+added sticky buffers: buffer selector options must precede contents and remain\r
+ in effect until changed\r
</p>\r
</li>\r
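Review bot: The replacement text at `+changed fast_pattern:<offset>,<length> to` / `+ fastpattern_offset: <offset>, fast_pattern_length <length>` is internally inconsistent: one option name lacks the underscore the other has, and one uses a colon separator while the other uses a space, although the same hunk states that offset, depth, distance, and within must use a space separator rather than a colon. Please confirm the canonical spelling and separator of both options and use them consistently here.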
<li>\r
</li>\r
<li>\r
<p>\r
-deleted uricontent ips rule option.\r
+deleted uricontent option; use sticky buffer\r
uricontent:"foo" -→ http_uri; content:"foo"\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-multiline rules w/o \n\r
+the all new http_inspect has new buffers and rule options\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+added alert file and alert service rules\r
+ (service in body not required if there is only one and it is in header;\r
+ alert service / file rules disable fast pattern searching of raw packets)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+rule option sequence: <stub> soid <hidden>\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+arbitrary whitespace and multiline rules w/o \n\r
</p>\r
</li>\r
<li>\r
<p>\r
-#begin … #end comments\r
+#begin … #end comments to easily comment out multiple lines\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+add rule remarks option with rem:"arbitrary comment"\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+nets and/or ports may be omitted from rule headers (matches any)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+parse all rules and output all errors before quitting\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+read rules from conf, separate rules file, or stdin\r
</p>\r
</li>\r
</ul></div>\r
</li>\r
<li>\r
<p>\r
+<strong>--ips-policy-pattern</strong> Convert config bindings matching this path to ips policy\r
+ bindings\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>--markup</strong> print help in asciidoc compatible format\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>--print-binding-order</strong>\r
+ Print sorting priority used when generating binder table\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>--print-differences</strong> Same as <em>-d</em>. output the differences, and only the\r
differences, between the Snort and Snort++ configurations to\r
the <out_file>\r
give an overview of the file so the reader knows what’s going on.\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+Use the following comment on switch cases that intentionally fall through\r
+ to the next case to suppress compiler warning on known valid cases:\r
+</p>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><code>// fallthrough</code></pre>\r
+</div></div>\r
+</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
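Review bot: The `// fallthrough` convention only silences the warning on compilers that parse fall-through comments; clang's -Wimplicit-fallthrough ignores comments and needs the [[fallthrough]] attribute. The guideline should say which toolchains it targets, or recommend the attribute where the project's minimum C++ standard allows it, so the warning is not merely hidden on one compiler while still firing on another.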
</li>\r
<li>\r
<p>\r
+<strong>iconv</strong>: for converting UTF16-LE filenames to UTF8 (usually included in glibc)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>lzma</strong>: for decompression of SWF and PDF files.\r
</p>\r
</li>\r
</p>\r
</li>\r
</ul></div>\r
-<div class="paragraph"><p>These can be used for pcap, luajit, pcre, dnet, daq, lzma, openssl, flatbuffers,\r
-and hyperscan packages. For more information on these libraries see the Getting\r
-Started section of the manual.</p></div>\r
+<div class="paragraph"><p>These can be used for pcap, luajit, pcre, dnet, daq, lzma, openssl,\r
+flatbuffers, iconv, and hyperscan packages. For more information on\r
+these libraries see the Getting Started section of the manual.</p></div>\r
</div>\r
<div class="sect2">\r
<h3 id="_environment_variables">Environment Variables</h3>\r
</li>\r
<li>\r
<p>\r
-<strong>--dump-builtin-rules</strong> [<module prefix>] output stub rules for selected modules\r
+<strong>--dump-builtin-rules</strong> [<module prefix>] output stub rules for selected modules (optional)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>--gen-msg-map</strong> dump builtin rules in gen-msg.map format for use by other tools\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>-g</strong> <gname> run snort gid as <gname> group (or gid) after initialization\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>--help-options</strong> <option prefix> output matching command line option quick help (same as -?) (optional)\r
+<strong>--help-options</strong> [<option prefix>] output matching command line option quick help (same as -?) (optional)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>--id-offset</strong> offset to add to instance IDs when logging to files (0:65535)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>--id-subdir</strong> create/use instance subdirectories in logdir instead of instance filename prefix\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>--list-builtin</strong> <module prefix> output matching builtin rules (optional)\r
+<strong>--list-builtin</strong> [<module prefix>] output matching builtin rules (optional)\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+<strong>--mem-check</strong> like -T but also compile search engines\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>-M</strong> log messages to syslog (not alerts)\r
</p>\r
</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
-<h3 id="_configuration_6">Configuration</h3>\r
+<h3 id="_configuration_8">Configuration</h3>\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-string <strong>ack.~range</strong>: check if tcp ack value is <em>value | min<>max | <max | >min</em>\r
+interval <strong>ack.~range</strong>: check if tcp ack value is <em>value | min<>max | <max | >min</em> { 0: }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-multi <strong>alert_csv.fields</strong> = timestamp pkt_num proto pkt_gen dgm_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | dir | dgm_len | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | pkt_gen | pkt_num | proto | rev | rule | sid | src_addr | src_ap | src_port | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len }\r
+multi <strong>alert_csv.fields</strong> = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }\r
</p>\r
</li>\r
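Review bot: The default field list changes `dgm_len` to `pkt_len` and the enum no longer offers `dgm_len`, so any alert_csv.fields setting that names dgm_len will now fail validation; this rename should be called out as a breaking change with the replacement name. The same hunk also adds `b64_data`, which puts base64-encoded packet bytes in every line, so a note on the size impact next to the `+multi alert_csv.fields` line would help readers choosing fields.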
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>alert_csv.limit</strong> = 0: set limit (0 is unlimited) { 0: }\r
+int <strong>alert_csv.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0: }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-enum <strong>alert_csv.units</strong> = B: bytes | KB | MB | GB { B | K | M | G }\r
+bool <strong>alert_ex.upper</strong> = false: true/false → convert to upper/lower case\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>alert_ex.upper</strong> = false: true/false → convert to upper/lower case\r
+bool <strong>alert_fast.file</strong> = false: output to alert_fast.txt instead of stdout\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>alert_fast.file</strong> = false: output to alert_fast.txt instead of stdout\r
+int <strong>alert_fast.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>alert_fast.limit</strong> = 0: set limit (0 is unlimited) { 0: }\r
+bool <strong>alert_fast.packet</strong> = false: output packet dump with alert\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>alert_fast.packet</strong> = false: output packet dump with alert\r
+bool <strong>alert_full.file</strong> = false: output to alert_full.txt instead of stdout\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>alert_fast.units</strong> = B: bytes | KB | MB | GB { B | K | M | G }\r
+int <strong>alert_full.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>alert_full.file</strong> = false: output to alert_full.txt instead of stdout\r
+multi <strong>alert_json.fields</strong> = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>alert_full.limit</strong> = 0: set limit (0 is unlimited) { 0: }\r
+bool <strong>alert_json.file</strong> = false: output to alert_json.txt instead of stdout\r
</p>\r
</li>\r
<li>\r
<p>\r
-enum <strong>alert_full.units</strong> = B: limit is in bytes | KB | MB | GB { B | K | M | G }\r
+int <strong>alert_json.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0: }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>alert_json.separator</strong> = , : separate fields with this character sequence\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>alerts.log_references</strong> = false: include rule references in alert info (full only)\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>alerts.order</strong> = pass drop alert log: change the order of rule action application\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-string <strong>alerts.tunnel_verdicts</strong>: let DAQ handle non-allow verdicts for GTP|Teredo|6in4|4in6 traffic\r
+string <strong>alerts.tunnel_verdicts</strong>: let DAQ handle non-allow verdicts for gtp|teredo|6in4|4in6|4in4|6in6|gre|mpls traffic\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>appid.instance_id</strong> = 0: instance id - need more details for what this is { 0: }\r
+int <strong>appid.instance_id</strong> = 0: instance id - ignored { 0: }\r
</p>\r
</li>\r
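Review bot: Describing appid.instance_id as `ignored` leaves an option that is accepted but does nothing, which is worse than removing it: an operator who sets it gets neither an error nor an effect. Either delete the parameter or mark it deprecated with the release in which it will be removed, and say so on the `+int appid.instance_id` line.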
<li>\r
</li>\r
<li>\r
<p>\r
+string <strong>binder[].use.inspection_policy</strong>: use inspection policy from given file\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+string <strong>binder[].use.ips_policy</strong>: use ips policy from given file\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>binder[].use.name</strong>: symbol name (defaults to type)\r
</p>\r
</li>\r
<li>\r
<p>\r
+string <strong>binder[].use.network_policy</strong>: use network policy from given file\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>binder[].use.service</strong>: override automatic service identification\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+addr_list <strong>binder[].when.dst_nets</strong>: list of destination networks\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bit_list <strong>binder[].when.dst_ports</strong>: list of destination ports { 65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>binder[].when.dst_zone</strong>: destination zone { 0:2147483647 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
bit_list <strong>binder[].when.ifaces</strong>: list of interface indices { 255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-addr_list <strong>binder[].when.nets</strong>: list of networks\r
+int <strong>binder[].when.ips_policy_id</strong> = 0: unique ID for selection of this config by external logic { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>binder[].when.policy_id</strong> = 0: unique ID for selection of this config by external logic { 0: }\r
+addr_list <strong>binder[].when.nets</strong>: list of networks\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+addr_list <strong>binder[].when.src_nets</strong>: list of source networks\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+bit_list <strong>binder[].when.src_ports</strong>: list of source ports { 65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>binder[].when.src_zone</strong>: source zone { 0:2147483647 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
bit_list <strong>binder[].when.vlans</strong>: list of VLAN IDs { 4095 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>bufferlen.~range</strong>: len | min<>max | <max | >min, range is 0:65535\r
+interval <strong>bufferlen.~range</strong>: check that length of current buffer is in given range { 0:65535 }\r
</p>\r
</li>\r
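Review bot: binder[].when.policy_id is renamed to ips_policy_id in this hunk, which is a breaking change for existing binder tables and should be listed as such. The new src_nets, dst_nets, src_ports, dst_ports, src_zone and dst_zone selectors are added beside the existing `nets` entry with no statement of how they combine when both are given (whether `nets` matches either direction and the directional keys are ANDed with it); since the binder decides which inspection or ips policy a flow receives, that precedence should be spelled out.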
<li>\r
</li>\r
<li>\r
<p>\r
-select <strong>data_log.key</strong> = http_raw_uri: name of data buffer to log { http_uri | http_raw_uri }\r
+select <strong>data_log.key</strong> = http_request_header_event : name of the event to log { http_request_header_event | http_response_header_event }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+int <strong>data_log.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0: }\r
</p>\r
</li>\r
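Review bot: data_log.key now takes an event name (http_request_header_event | http_response_header_event) instead of a buffer name (http_uri | http_raw_uri), so existing data_log configurations will fail validation. The `+select data_log.key` line should note that the old values are no longer accepted, and the limit option added in the same hunk should be mentioned as the way to keep the new output bounded.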
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>dce_iface.version</strong>: interface version\r
+interval <strong>dce_iface.version</strong>: interface version { 0: }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>dsize.~range</strong>: check if packet payload size is <em>size | min<>max | <max | >min</em>, range is 0:65535\r
+interval <strong>dsize.~range</strong>: check if packet payload size is in the given range { 0:65535 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>fragoffset.~range</strong>: check if ip fragment offset value is <em>value | min<>max | <max | >min</em>, range is 0:8192\r
+interval <strong>fragoffset.~range</strong>: check if ip fragment offset is in given range { 0:8192 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+implied <strong>http_true_ip.with_body</strong>: parts of this rule examine HTTP message body\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+implied <strong>http_true_ip.with_trailer</strong>: parts of this rule examine HTTP message trailers\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>http_uri.fragment</strong>: match against fragment section of URI only\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-string <strong>icmp_id.~range</strong>: check if icmp id is <em>id | min<>max | <max | >min</em>, range is 0:65535\r
+interval <strong>icmp_id.~range</strong>: check if icmp id is in given range { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>icmp_seq.~range</strong>: check if icmp sequence number is <em>seq | min<>max | <max | >min</em>, range is 0:65535\r
+interval <strong>icmp_seq.~range</strong>: check if icmp sequence number is in given range { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>icode.~range</strong>: check if ICMP code is <em>code | min<>max | <max | >min</em>, range is 0:255\r
+interval <strong>icode.~range</strong>: check if icmp code is in given range is { 0:255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>id.~range</strong>: check if the IP ID is <em>id | min<>max | <max | >min</em>\r
+interval <strong>id.~range</strong>: check if the ip id is in the given range { 0: }\r
</p>\r
</li>\r
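Review bot: Typo on the `+interval icode.~range` line: "check if icmp code is in given range is { 0:255 }" has a stray trailing "is"; the sibling entries (icmp_id, icmp_seq, itype) read "is in given range { ... }".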
<li>\r
</li>\r
<li>\r
<p>\r
+string <strong>ips.uuid</strong>: IPS policy uuid\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>isdataat.~length</strong>: num | !num\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-string <strong>itype.~range</strong>: check if icmp type is <em>type | min<>max | <max | >min</em>, range is 0:255\r
+interval <strong>itype.~range</strong>: check if icmp type is in given range { 0:255 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>log_hext.limit</strong> = 0: set limit (0 is unlimited) { 0: }\r
+int <strong>log_hext.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0: }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-enum <strong>log_hext.units</strong> = B: bytes | KB | MB | GB { B | K | M | G }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
int <strong>log_hext.width</strong> = 20: set line width (0 is unlimited) { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-int <strong>log_pcap.limit</strong> = 0: set limit (0 is unlimited) { 0: }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-enum <strong>log_pcap.units</strong> = B: bytes | KB | MB | GB { B | K | M | G }\r
+int <strong>log_pcap.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0: }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-string <strong>metadata.</strong>*: additional parameters not used by snort\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>metadata.service</strong>: service name\r
+string <strong>metadata.</strong>*: comma-separated list of arbitrary name value pairs\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+interval <strong>mss.~range</strong>: check if TCP MSS is in given range { 0:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
multi <strong>network.checksum_drop</strong> = none: drop if checksum is bad { all | ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>output.log_ipv6_extra_data</strong> = false: log IPv6 source and destination addresses as unified2 extra data records\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
bool <strong>output.obfuscate</strong> = false: obfuscate the logged IP addresses (same as -O)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-string <strong>pkt_num.~range</strong>: check if packet number is in given range\r
+interval <strong>pkt_num.~range</strong>: check if packet number is in given range { 1: }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+bool <strong>reg_test.test_daq_retry</strong> = true: test daq packet retry feature\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
enum <strong>reject.control</strong>: send icmp unreachable(s) { network|host|port|all }\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-bool <strong>search_engine.split_any_any</strong> = false: evaluate any-any rules separately to save memory\r
+bool <strong>search_engine.split_any_any</strong> = true: evaluate any-any rules separately to save memory\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+interval <strong>seq.~range</strong>: check if tcp sequence number is in given range { 0: }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>seq.~range</strong>: check if tcp sequence number value is <em>value | min<>max | <max | >min</em>\r
+string <strong>service.</strong>*: one or more comma-separated service names\r
</p>\r
</li>\r
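Review bot: Flipping the search_engine.split_any_any default from false to true changes the detection engine's memory use and matching work for every deployment that does not set it explicitly; the `+bool search_engine.split_any_any` line needs a change-note entry, and the description should say what the trade-off is, since "to save memory" implies a cost elsewhere (additional search passes for the split rule groups).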
<li>\r
</li>\r
<li>\r
<p>\r
-implied <strong>snort.--dump-builtin-rules</strong>: [<module prefix>] output stub rules for selected modules\r
+string <strong>snort.--dump-builtin-rules</strong>: [<module prefix>] output stub rules for selected modules { (optional) }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+implied <strong>snort.--gen-msg-map</strong>: dump builtin rules in gen-msg.map format for use by other tools\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>snort.-g</strong>: <gname> run snort gid as <gname> group (or gid) after initialization\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--help-options</strong>: <option prefix> output matching command line option quick help (same as -?) { (optional) }\r
+string <strong>snort.--help-options</strong>: [<option prefix>] output matching command line option quick help (same as -?) { (optional) }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+int <strong>snort.--id-offset</strong> = 0: offset to add to instance IDs when logging to files { 0:65535 }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>snort.--id-subdir</strong>: create/use instance subdirectories in logdir instead of instance filename prefix\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-string <strong>snort.--list-builtin</strong>: <module prefix> output matching builtin rules { (optional) }\r
+string <strong>snort.--list-builtin</strong>: [<module prefix>] output matching builtin rules { (optional) }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+implied <strong>snort.--mem-check</strong>: like -T but also compile search engines\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
implied <strong>snort.-M</strong>: log messages to syslog (not alerts)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-string <strong>stream_size.~range</strong>: size for comparison\r
+interval <strong>stream_size.~range</strong>: check if the stream size is in the given range { 0: }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
+enum <strong>target.~</strong>: indicate the target of the attack { src_ip | dst_ip }\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
string <strong>tcp_connector.address</strong>: address\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-string <strong>tos.~range</strong>: check if ip tos value is <em>value | min<>max | <max | >min</em>, range is 0:255\r
+interval <strong>tos.~range</strong>: check if ip tos is in given range { 0:255 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>ttl.~range</strong>: check if ip ttl field value is <em>value | min<>max | <max | >min</em>, range is 0:255\r
+interval <strong>ttl.~range</strong>: check if ip ttl is in the given range { 0:255 }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-int <strong>unified2.limit</strong> = 0: set limit (0 is unlimited) { 0: }\r
+bool <strong>unified2.legacy_events</strong> = false: generate Snort 2.X style events for barnyard2 compatibility\r
</p>\r
</li>\r
<li>\r
<p>\r
-bool <strong>unified2.mpls_event_types</strong> = false: include mpls labels in events\r
+int <strong>unified2.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0: }\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-enum <strong>unified2.units</strong> = B: limit multiplier { B | K | M | G }\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-bool <strong>unified2.vlan_event_types</strong> = false: include vlan IDs in events\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-string <strong>urg.~range</strong>: check if urgent offset is min<>max | <max | >min, range is 0:65535\r
+interval <strong>urg.~range</strong>: check if tcp urgent offset is in given range { 0:65535 }\r
</p>\r
</li>\r
<li>\r
<p>\r
-string <strong>window.~range</strong>: check if tcp window field size is <em>size | min<>max | <max | >min</em>, range is 0:65535\r
+interval <strong>window.~range</strong>: check if tcp window size is in given range { 0:65535 }\r
</p>\r
</li>\r
<li>\r
string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with wild cards (*)\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+interval <strong>wscale.~range</strong>: check if TCP window scale is in given range { 0:65535 }\r
+</p>\r
+</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
<div class="ulist"><ul>\r
<li>\r
<p>\r
-<strong>appid.aim_clients</strong>: count of aim clients discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.battlefield_flows</strong>: count of battle field flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.bgp_flows</strong>: count of bgp flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.bit_clients</strong>: count of bittorrent clients discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.bit_flows</strong>: count of bittorrent flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.bittracker_clients</strong>: count of bittorrent tracker clients discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.bootp_flows</strong>: count of bootp flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.dcerpc_tcp_flows</strong>: count of dce rpc flows over tcp discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.dcerpc_udp_flows</strong>: count of dce rpc flows over udp discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.direct_connect_flows</strong>: count of direct connect flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.dns_tcp_flows</strong>: count of dns flows over tcp discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.dns_udp_flows</strong>: count of dns flows over udp discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.ftp_flows</strong>: count of ftp flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.ftps_flows</strong>: count of ftps flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.http_flows</strong>: count of http flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.ignored_packets</strong>: count of packets ignored\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.imap_flows</strong>: count of imap service flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.imaps_flows</strong>: count of imap TLS service flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.irc_flows</strong>: count of irc service flows discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.kerberos_clients</strong>: count of kerberos clients discovered\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>appid.kerberos_flows</strong>: count of kerberos service flows discovered\r
+<strong>arp_spoof.packets</strong>: total packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.kerberos_users</strong>: count of kerberos users discovered\r
+<strong>back_orifice.packets</strong>: total packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.lpr_flows</strong>: count of lpr service flows discovered\r
+<strong>binder.allows</strong>: allow bindings (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.mdns_flows</strong>: count of mdns service flows discovered\r
+<strong>binder.blocks</strong>: block bindings (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.msn_clients</strong>: count of msn clients discovered\r
+<strong>binder.inspects</strong>: inspect bindings (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.mysql_flows</strong>: count of mysql service flows discovered\r
+<strong>binder.packets</strong>: initial bindings (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.netbios_dgm_flows</strong>: count of netbios-dgm service flows discovered\r
+<strong>binder.resets</strong>: reset bindings (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.netbios_ns_flows</strong>: count of netbios-ns service flows discovered\r
+<strong>daq.allow</strong>: total allow verdicts (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.netbios_ssn_flows</strong>: count of netbios-ssn service flows discovered\r
+<strong>daq.analyzed</strong>: total packets analyzed from DAQ (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.nntp_flows</strong>: count of nntp flows discovered\r
+<strong>daq.blacklist</strong>: total blacklist verdicts (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.ntp_flows</strong>: count of ntp flows discovered\r
+<strong>daq.block</strong>: total block verdicts (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.packets</strong>: count of packets received\r
+<strong>daq.dropped</strong>: packets dropped (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.pop3_clients</strong>: count of pop3 clients discovered\r
+<strong>daq.filtered</strong>: packets filtered out (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.pop3s_clients</strong>: count of pop3s clients discovered\r
+<strong>daq.idle</strong>: attempts to acquire from DAQ without available packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.pop_flows</strong>: count of pop service flows discovered\r
+<strong>daq.ignore</strong>: total ignore verdicts (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.processed_packets</strong>: count of packets processed\r
+<strong>daq.injected</strong>: active responses or replacements (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.radius_flows</strong>: count of radius flows discovered\r
+<strong>daq.internal_blacklist</strong>: packets blacklisted internally due to lack of DAQ support (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.rexec_flows</strong>: count of rexec flows discovered\r
+<strong>daq.internal_whitelist</strong>: packets whitelisted internally due to lack of DAQ support (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.rfb_flows</strong>: count of rfb flows discovered\r
+<strong>daq.outstanding</strong>: packets unprocessed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.rlogin_flows</strong>: count of rlogin flows discovered\r
+<strong>daq.pcaps</strong>: total files and interfaces processed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.rpc_flows</strong>: count of rpc flows discovered\r
+<strong>daq.received</strong>: total packets received from DAQ (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.rshell_flows</strong>: count of rshell flows discovered\r
+<strong>daq.replace</strong>: total replace verdicts (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.rsync_flows</strong>: count of rsync service flows discovered\r
+<strong>daq.retry</strong>: total retry verdicts (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.rtmp_flows</strong>: count of rtmp flows discovered\r
+<strong>daq.rx_bytes</strong>: total bytes received (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.rtp_clients</strong>: count of rtp clients discovered\r
+<strong>daq.skipped</strong>: packets skipped at startup (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.sip_clients</strong>: count of SIP clients discovered\r
+<strong>daq.whitelist</strong>: total whitelist verdicts (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.sip_flows</strong>: count of SIP flows discovered\r
+<strong>data_log.packets</strong>: total packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_aol_clients</strong>: count of AOL smtp clients discovered\r
+<strong>dce_http_proxy.http_proxy_session_failures</strong>: failed http proxy sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_applemail_clients</strong>: count of Apple Mail smtp clients discovered\r
+<strong>dce_http_proxy.http_proxy_sessions</strong>: successful http proxy sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_eudora_clients</strong>: count of Eudora smtp clients discovered\r
+<strong>dce_http_server.http_server_session_failures</strong>: failed http server sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_eudora_pro_clients</strong>: count of Eudora Pro smtp clients discovered\r
+<strong>dce_http_server.http_server_sessions</strong>: successful http server sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_evolution_clients</strong>: count of Evolution smtp clients discovered\r
+<strong>dce_smb.alter_context_responses</strong>: total connection-oriented alter context responses (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_flows</strong>: count of smtp flows discovered\r
+<strong>dce_smb.alter_contexts</strong>: total connection-oriented alter contexts (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_kmail_clients</strong>: count of KMail smtp clients discovered\r
+<strong>dce_smb.auth3s</strong>: total connection-oriented auth3s (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_lotus_notes_clients</strong>: count of Lotus Notes smtp clients discovered\r
+<strong>dce_smb.bind_acks</strong>: total connection-oriented binds acks (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_microsoft_outlook_clients</strong>: count of Microsoft Outlook smtp clients discovered\r
+<strong>dce_smb.bind_naks</strong>: total connection-oriented bind naks (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_microsoft_outlook_express_clients</strong>: count of Microsoft Outlook Express smtp clients discovered\r
+<strong>dce_smb.binds</strong>: total connection-oriented binds (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_microsoft_outlook_imo_clients</strong>: count of Microsoft Outlook IMO smtp clients discovered\r
+<strong>dce_smb.cancels</strong>: total connection-oriented cancels (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_mutt_clients</strong>: count of Mutt smtp clients discovered\r
+<strong>dce_smb.client_frags_reassembled</strong>: total connection-oriented client fragments reassembled (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtps_flows</strong>: count of smtps flows discovered\r
+<strong>dce_smb.client_max_fragment_size</strong>: connection-oriented client maximum fragment size (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.smtp_thunderbird_clients</strong>: count of Thunderbird smtp clients discovered\r
+<strong>dce_smb.client_min_fragment_size</strong>: connection-oriented client minimum fragment size (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.snmp_flows</strong>: count of snmp flows discovered\r
+<strong>dce_smb.client_segs_reassembled</strong>: total connection-oriented client segments reassembled (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.ssh_clients</strong>: count of ssh clients discovered\r
+<strong>dce_smb.concurrent_sessions</strong>: total concurrent sessions (now)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.ssh_flows</strong>: count of ssh flows discovered\r
+<strong>dce_smb.events</strong>: total events (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.ssl_flows</strong>: count of ssl flows discovered\r
+<strong>dce_smb.faults</strong>: total connection-oriented faults (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.telnet_flows</strong>: count of telnet flows discovered\r
+<strong>dce_smb.files_processed</strong>: total smb files processed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.tftp_flows</strong>: count of tftp flows discovered\r
+<strong>dce_smb.ignored_bytes</strong>: total ignored bytes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.timbuktu_clients</strong>: count of timbuktu clients discovered\r
+<strong>dce_smb.max_concurrent_sessions</strong>: maximum concurrent sessions (max)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.timbuktu_flows</strong>: count of timbuktu flows discovered\r
+<strong>dce_smb.max_outstanding_requests</strong>: total smb maximum outstanding requests (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.tns_clients</strong>: count of tns clients discovered\r
+<strong>dce_smb.ms_rpc_http_pdus</strong>: total connection-oriented MS requests to send RPC over HTTP (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.tns_flows</strong>: count of tns flows discovered\r
+<strong>dce_smb.orphaned</strong>: total connection-oriented orphaned (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.vnc_clients</strong>: count of vnc clients discovered\r
+<strong>dce_smb.other_requests</strong>: total connection-oriented other requests (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>appid.yahoo_messenger_clients</strong>: count of Yahoo Messenger clients discovered\r
+<strong>dce_smb.other_responses</strong>: total connection-oriented other responses (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>arp_spoof.packets</strong>: total packets\r
+<strong>dce_smb.packets</strong>: total smb packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>back_orifice.packets</strong>: total packets\r
+<strong>dce_smb.pdus</strong>: total connection-oriented PDUs (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>binder.allows</strong>: allow bindings\r
+<strong>dce_smb.rejects</strong>: total connection-oriented rejects (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>binder.blocks</strong>: block bindings\r
+<strong>dce_smb.request_fragments</strong>: total connection-oriented request fragments (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>binder.inspects</strong>: inspect bindings\r
+<strong>dce_smb.requests</strong>: total connection-oriented requests (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>binder.packets</strong>: initial bindings\r
+<strong>dce_smb.response_fragments</strong>: total connection-oriented response fragments (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>binder.resets</strong>: reset bindings\r
+<strong>dce_smb.responses</strong>: total connection-oriented responses (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>daq.allow</strong>: total allow verdicts\r
+<strong>dce_smb.server_frags_reassembled</strong>: total connection-oriented server fragments reassembled (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>daq.analyzed</strong>: total packets analyzed from DAQ\r
+<strong>dce_smb.server_max_fragment_size</strong>: connection-oriented server maximum fragment size (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>daq.blacklist</strong>: total blacklist verdicts\r
+<strong>dce_smb.server_min_fragment_size</strong>: connection-oriented server minimum fragment size (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>daq.block</strong>: total block verdicts\r
+<strong>dce_smb.server_segs_reassembled</strong>: total connection-oriented server segments reassembled (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>daq.dropped</strong>: packets dropped\r
+<strong>dce_smb.sessions</strong>: total smb sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>daq.filtered</strong>: packets filtered out\r
+<strong>dce_smb.shutdowns</strong>: total connection-oriented shutdowns (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>daq.idle</strong>: attempts to acquire from DAQ without available packets\r
+<strong>dce_smb.smb_client_segs_reassembled</strong>: total smb client segments reassembled (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>daq.ignore</strong>: total ignore verdicts\r
+<strong>dce_smb.smb_server_segs_reassembled</strong>: total smb server segments reassembled (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>daq.injected</strong>: active responses or replacements\r
+<strong>dce_smb.smbv2_close</strong>: total number of SMBv2 close packets seen (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>daq.internal_blacklist</strong>: packets blacklisted internally due to lack of DAQ support\r
+<strong>dce_smb.smbv2_create</strong>: total number of SMBv2 create packets seen (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>daq.internal_whitelist</strong>: packets whitelisted internally due to lack of DAQ support\r
+<strong>dce_smb.smbv2_read</strong>: total number of SMBv2 read packets seen (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>daq.outstanding</strong>: packets unprocessed\r
+<strong>dce_smb.smbv2_set_info</strong>: total number of SMBv2 set info packets seen (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>daq.pcaps</strong>: total files and interfaces processed\r
+<strong>dce_smb.smbv2_tree_connect</strong>: total number of SMBv2 tree connect packets seen (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>daq.received</strong>: total packets received from DAQ\r
+<strong>dce_smb.smbv2_tree_disconnect</strong>: total number of SMBv2 tree disconnect packets seen (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>daq.replace</strong>: total replace verdicts\r
+<strong>dce_smb.smbv2_write</strong>: total number of SMBv2 write packets seen (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>daq.rx_bytes</strong>: total bytes received\r
+<strong>dce_tcp.alter_context_responses</strong>: total connection-oriented alter context responses (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>daq.skipped</strong>: packets skipped at startup\r
+<strong>dce_tcp.alter_contexts</strong>: total connection-oriented alter contexts (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>daq.whitelist</strong>: total whitelist verdicts\r
+<strong>dce_tcp.auth3s</strong>: total connection-oriented auth3s (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>data_log.packets</strong>: total packets\r
+<strong>dce_tcp.bind_acks</strong>: total connection-oriented binds acks (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_http_proxy.http_proxy_session_failures</strong>: failed http proxy sessions\r
+<strong>dce_tcp.bind_naks</strong>: total connection-oriented bind naks (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_http_proxy.http_proxy_sessions</strong>: successful http proxy sessions\r
+<strong>dce_tcp.binds</strong>: total connection-oriented binds (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_http_server.http_server_session_failures</strong>: failed http server sessions\r
+<strong>dce_tcp.cancels</strong>: total connection-oriented cancels (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_http_server.http_server_sessions</strong>: successful http server sessions\r
+<strong>dce_tcp.client_frags_reassembled</strong>: total connection-oriented client fragments reassembled (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.alter_context_responses</strong>: total connection-oriented alter context responses\r
+<strong>dce_tcp.client_max_fragment_size</strong>: connection-oriented client maximum fragment size (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.alter_contexts</strong>: total connection-oriented alter contexts\r
+<strong>dce_tcp.client_min_fragment_size</strong>: connection-oriented client minimum fragment size (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.auth3s</strong>: total connection-oriented auth3s\r
+<strong>dce_tcp.client_segs_reassembled</strong>: total connection-oriented client segments reassembled (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.bind_acks</strong>: total connection-oriented binds acks\r
+<strong>dce_tcp.concurrent_sessions</strong>: total concurrent sessions (now)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.bind_naks</strong>: total connection-oriented bind naks\r
+<strong>dce_tcp.events</strong>: total events (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.binds</strong>: total connection-oriented binds\r
+<strong>dce_tcp.faults</strong>: total connection-oriented faults (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.cancels</strong>: total connection-oriented cancels\r
+<strong>dce_tcp.max_concurrent_sessions</strong>: maximum concurrent sessions (max)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.client_frags_reassembled</strong>: total connection-oriented client fragments reassembled\r
+<strong>dce_tcp.ms_rpc_http_pdus</strong>: total connection-oriented MS requests to send RPC over HTTP (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.client_max_fragment_size</strong>: connection-oriented client maximum fragment size\r
+<strong>dce_tcp.orphaned</strong>: total connection-oriented orphaned (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.client_min_fragment_size</strong>: connection-oriented client minimum fragment size\r
+<strong>dce_tcp.other_requests</strong>: total connection-oriented other requests (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.client_segs_reassembled</strong>: total connection-oriented client segments reassembled\r
+<strong>dce_tcp.other_responses</strong>: total connection-oriented other responses (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.events</strong>: total events\r
+<strong>dce_tcp.pdus</strong>: total connection-oriented PDUs (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.faults</strong>: total connection-oriented faults\r
+<strong>dce_tcp.rejects</strong>: total connection-oriented rejects (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.files_processed</strong>: total smb files processed\r
+<strong>dce_tcp.request_fragments</strong>: total connection-oriented request fragments (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.ignored_bytes</strong>: total ignored bytes\r
+<strong>dce_tcp.requests</strong>: total connection-oriented requests (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.max_outstanding_requests</strong>: total smb maximum outstanding requests\r
+<strong>dce_tcp.response_fragments</strong>: total connection-oriented response fragments (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.ms_rpc_http_pdus</strong>: total connection-oriented MS requests to send RPC over HTTP\r
+<strong>dce_tcp.responses</strong>: total connection-oriented responses (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.orphaned</strong>: total connection-oriented orphaned\r
+<strong>dce_tcp.server_frags_reassembled</strong>: total connection-oriented server fragments reassembled (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.other_requests</strong>: total connection-oriented other requests\r
+<strong>dce_tcp.server_max_fragment_size</strong>: connection-oriented server maximum fragment size (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.other_responses</strong>: total connection-oriented other responses\r
+<strong>dce_tcp.server_min_fragment_size</strong>: connection-oriented server minimum fragment size (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.packets</strong>: total smb packets\r
+<strong>dce_tcp.server_segs_reassembled</strong>: total connection-oriented server segments reassembled (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.pdus</strong>: total connection-oriented PDUs\r
+<strong>dce_tcp.shutdowns</strong>: total connection-oriented shutdowns (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.rejects</strong>: total connection-oriented rejects\r
+<strong>dce_tcp.tcp_packets</strong>: total tcp packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.request_fragments</strong>: total connection-oriented request fragments\r
+<strong>dce_tcp.tcp_sessions</strong>: total tcp sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.requests</strong>: total connection-oriented requests\r
+<strong>dce_udp.acks</strong>: total connection-less acks (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.response_fragments</strong>: total connection-oriented response fragments\r
+<strong>dce_udp.cancel_acks</strong>: total connection-less cancel acks (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.responses</strong>: total connection-oriented responses\r
+<strong>dce_udp.cancels</strong>: total connection-less cancels (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.server_frags_reassembled</strong>: total connection-oriented server fragments reassembled\r
+<strong>dce_udp.client_facks</strong>: total connection-less client facks (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.server_max_fragment_size</strong>: connection-oriented server maximum fragment size\r
+<strong>dce_udp.concurrent_sessions</strong>: total concurrent sessions (now)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.server_min_fragment_size</strong>: connection-oriented server minimum fragment size\r
+<strong>dce_udp.events</strong>: total events (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.server_segs_reassembled</strong>: total connection-oriented server segments reassembled\r
+<strong>dce_udp.faults</strong>: total connection-less faults (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.sessions</strong>: total smb sessions\r
+<strong>dce_udp.fragments</strong>: total connection-less fragments (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.shutdowns</strong>: total connection-oriented shutdowns\r
+<strong>dce_udp.frags_reassembled</strong>: total connection-less fragments reassembled (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.smb_client_segs_reassembled</strong>: total smb client segments reassembled\r
+<strong>dce_udp.max_concurrent_sessions</strong>: maximum concurrent sessions (max)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.smb_server_segs_reassembled</strong>: total smb server segments reassembled\r
+<strong>dce_udp.max_fragment_size</strong>: connection-less maximum fragment size (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.smbv2_close</strong>: total number of SMBv2 close packets seen\r
+<strong>dce_udp.max_seqnum</strong>: max connection-less seqnum (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.smbv2_create</strong>: total number of SMBv2 create packets seen\r
+<strong>dce_udp.no_calls</strong>: total connection-less no calls (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.smbv2_read</strong>: total number of SMBv2 read packets seen\r
+<strong>dce_udp.other_requests</strong>: total connection-less other requests (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.smbv2_set_info</strong>: total number of SMBv2 set info packets seen\r
+<strong>dce_udp.other_responses</strong>: total connection-less other responses (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.smbv2_tree_connect</strong>: total number of SMBv2 tree connect packets seen\r
+<strong>dce_udp.ping</strong>: total connection-less ping (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.smbv2_tree_disconnect</strong>: total number of SMBv2 tree disconnect packets seen\r
+<strong>dce_udp.rejects</strong>: total connection-less rejects (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_smb.smbv2_write</strong>: total number of SMBv2 write packets seen\r
+<strong>dce_udp.requests</strong>: total connection-less requests (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.alter_context_responses</strong>: total connection-oriented alter context responses\r
+<strong>dce_udp.responses</strong>: total connection-less responses (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.alter_contexts</strong>: total connection-oriented alter contexts\r
+<strong>dce_udp.server_facks</strong>: total connection-less server facks (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.auth3s</strong>: total connection-oriented auth3s\r
+<strong>dce_udp.udp_packets</strong>: total udp packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.bind_acks</strong>: total connection-oriented binds acks\r
+<strong>dce_udp.udp_sessions</strong>: total udp sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.bind_naks</strong>: total connection-oriented bind naks\r
+<strong>dce_udp.working</strong>: total connection-less working (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.binds</strong>: total connection-oriented binds\r
+<strong>detection.alert_limit</strong>: events previously triggered on same PDU (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.cancels</strong>: total connection-oriented cancels\r
+<strong>detection.alerts</strong>: alerts not including IP reputation (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.client_frags_reassembled</strong>: total connection-oriented client fragments reassembled\r
+<strong>detection.alt_searches</strong>: alt fast pattern searches in packet data (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.client_max_fragment_size</strong>: connection-oriented client maximum fragment size\r
+<strong>detection.analyzed</strong>: packets sent to detection (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.client_min_fragment_size</strong>: connection-oriented client minimum fragment size\r
+<strong>detection.body_searches</strong>: fast pattern searches in body buffer (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.client_segs_reassembled</strong>: total connection-oriented client segments reassembled\r
+<strong>detection.cooked_searches</strong>: fast pattern searches in cooked packet data (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.events</strong>: total events\r
+<strong>detection.event_limit</strong>: events filtered (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.faults</strong>: total connection-oriented faults\r
+<strong>detection.file_searches</strong>: fast pattern searches in file buffer (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.ms_rpc_http_pdus</strong>: total connection-oriented MS requests to send RPC over HTTP\r
+<strong>detection.hard_evals</strong>: non-fast pattern rule evaluations (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.orphaned</strong>: total connection-oriented orphaned\r
+<strong>detection.header_searches</strong>: fast pattern searches in header buffer (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.other_requests</strong>: total connection-oriented other requests\r
+<strong>detection.key_searches</strong>: fast pattern searches in key buffer (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.other_responses</strong>: total connection-oriented other responses\r
+<strong>detection.logged</strong>: logged packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.pdus</strong>: total connection-oriented PDUs\r
+<strong>detection.log_limit</strong>: events queued but not logged (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.rejects</strong>: total connection-oriented rejects\r
+<strong>detection.match_limit</strong>: fast pattern matches not processed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.request_fragments</strong>: total connection-oriented request fragments\r
+<strong>detection.offloads</strong>: fast pattern searches that were offloaded (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.requests</strong>: total connection-oriented requests\r
+<strong>detection.passed</strong>: passed packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.response_fragments</strong>: total connection-oriented response fragments\r
+<strong>detection.pkt_searches</strong>: fast pattern searches in packet data (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.responses</strong>: total connection-oriented responses\r
+<strong>detection.queue_limit</strong>: events not queued because queue full (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.server_frags_reassembled</strong>: total connection-oriented server fragments reassembled\r
+<strong>detection.raw_searches</strong>: fast pattern searches in raw packet data (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.server_max_fragment_size</strong>: connection-oriented server maximum fragment size\r
+<strong>detection.total_alerts</strong>: alerts including IP reputation (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.server_min_fragment_size</strong>: connection-oriented server minimum fragment size\r
+<strong>dnp3.concurrent_sessions</strong>: total concurrent dnp3 sessions (now)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.server_segs_reassembled</strong>: total connection-oriented server segments reassembled\r
+<strong>dnp3.dnp3_application_pdus</strong>: total dnp3 application pdus (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.shutdowns</strong>: total connection-oriented shutdowns\r
+<strong>dnp3.dnp3_link_layer_frames</strong>: total dnp3 link layer frames (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.tcp_packets</strong>: total tcp packets\r
+<strong>dnp3.max_concurrent_sessions</strong>: maximum concurrent dnp3 sessions (max)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_tcp.tcp_sessions</strong>: total tcp sessions\r
+<strong>dnp3.tcp_pdus</strong>: total tcp pdus (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.acks</strong>: total connection-less acks\r
+<strong>dnp3.total_packets</strong>: total packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.cancel_acks</strong>: total connection-less cancel acks\r
+<strong>dnp3.udp_packets</strong>: total udp packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.cancels</strong>: total connection-less cancels\r
+<strong>dns.concurrent_sessions</strong>: total concurrent dns sessions (now)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.client_facks</strong>: total connection-less client facks\r
+<strong>dns.max_concurrent_sessions</strong>: maximum concurrent dns sessions (max)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.events</strong>: total events\r
+<strong>dns.packets</strong>: total packets processed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.faults</strong>: total connection-less faults\r
+<strong>dns.requests</strong>: total dns requests (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.fragments</strong>: total connection-less fragments\r
+<strong>dns.responses</strong>: total dns responses (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.frags_reassembled</strong>: total connection-less fragments reassembled\r
+<strong>dpx.packets</strong>: total packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.max_fragment_size</strong>: connection-less maximum fragment size\r
+<strong>file_connector.messages</strong>: total messages (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.max_seqnum</strong>: max connection-less seqnum\r
+<strong>file_id.cache_failures</strong>: number of file cache add failures (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.no_calls</strong>: total connection-less no calls\r
+<strong>file_id.total_file_data</strong>: number of file data bytes processed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.other_requests</strong>: total connection-less other requests\r
+<strong>file_id.total_files</strong>: number of files processed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.other_responses</strong>: total connection-less other responses\r
+<strong>file_log.total_events</strong>: total file events (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.ping</strong>: total connection-less ping\r
+<strong>ftp_data.packets</strong>: total packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.rejects</strong>: total connection-less rejects\r
+<strong>ftp_server.concurrent_sessions</strong>: total concurrent ftp sessions (now)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.requests</strong>: total connection-less requests\r
+<strong>ftp_server.max_concurrent_sessions</strong>: maximum concurrent ftp sessions (max)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.responses</strong>: total connection-less responses\r
+<strong>ftp_server.total_packets</strong>: total packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.server_facks</strong>: total connection-less server facks\r
+<strong>gtp_inspect.concurrent_sessions</strong>: total concurrent gtp sessions (now)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.udp_packets</strong>: total udp packets\r
+<strong>gtp_inspect.events</strong>: requests (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.udp_sessions</strong>: total udp sessions\r
+<strong>gtp_inspect.max_concurrent_sessions</strong>: maximum concurrent gtp sessions (max)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dce_udp.working</strong>: total connection-less working\r
+<strong>gtp_inspect.sessions</strong>: total sessions processed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.alert_limit</strong>: events previously triggered on same PDU\r
+<strong>gtp_inspect.unknown_infos</strong>: unknown information elements (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.alerts</strong>: alerts not including IP reputation\r
+<strong>gtp_inspect.unknown_types</strong>: unknown message types (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.alt_searches</strong>: alt fast pattern searches in packet data\r
+<strong>high_availability.packets</strong>: total packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.analyzed</strong>: packets sent to detection\r
+<strong>host_cache.lru_cache_adds</strong>: lru cache added new entry (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.body_searches</strong>: fast pattern searches in body buffer\r
+<strong>host_cache.lru_cache_clears</strong>: lru cache clear API calls (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.cooked_searches</strong>: fast pattern searches in cooked packet data\r
+<strong>host_cache.lru_cache_find_hits</strong>: lru cache found entry in cache (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.event_limit</strong>: events filtered\r
+<strong>host_cache.lru_cache_find_misses</strong>: lru cache did not find entry in cache (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.file_searches</strong>: fast pattern searches in file buffer\r
+<strong>host_cache.lru_cache_prunes</strong>: lru cache pruned entry to make space for new entry (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.hard_evals</strong>: non-fast pattern rule evaluations\r
+<strong>host_cache.lru_cache_removes</strong>: lru cache found entry and removed it (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.header_searches</strong>: fast pattern searches in header buffer\r
+<strong>host_cache.lru_cache_replaces</strong>: lru cache replaced existing entry (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.key_searches</strong>: fast pattern searches in key buffer\r
+<strong>host_tracker.service_adds</strong>: host service adds (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.logged</strong>: logged packets\r
+<strong>host_tracker.service_finds</strong>: host service finds (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.log_limit</strong>: events queued but not logged\r
+<strong>host_tracker.service_removes</strong>: host service removes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.match_limit</strong>: fast pattern matches not processed\r
+<strong>http_inspect.chunked</strong>: chunked message bodies (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.offloads</strong>: fast pattern searches that were offloaded\r
+<strong>http_inspect.concurrent_sessions</strong>: total concurrent http sessions (now)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.passed</strong>: passed packets\r
+<strong>http_inspect.connect_requests</strong>: CONNECT requests inspected (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.pkt_searches</strong>: fast pattern searches in packet data\r
+<strong>http_inspect.delete_requests</strong>: DELETE requests inspected (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.queue_limit</strong>: events not queued because queue full\r
+<strong>http_inspect.flows</strong>: HTTP connections inspected (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.raw_searches</strong>: fast pattern searches in raw packet data\r
+<strong>http_inspect.get_requests</strong>: GET requests inspected (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>detection.total_alerts</strong>: alerts including IP reputation\r
+<strong>http_inspect.head_requests</strong>: HEAD requests inspected (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dnp3.dnp3_application_pdus</strong>: total dnp3 application pdus\r
+<strong>http_inspect.inspections</strong>: total message sections inspected (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dnp3.dnp3_link_layer_frames</strong>: total dnp3 link layer frames\r
+<strong>http_inspect.max_concurrent_sessions</strong>: maximum concurrent http sessions (max)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dnp3.tcp_pdus</strong>: total tcp pdus\r
+<strong>http_inspect.options_requests</strong>: OPTIONS requests inspected (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dnp3.total_packets</strong>: total packets\r
+<strong>http_inspect.other_requests</strong>: other request methods inspected (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dnp3.udp_packets</strong>: total udp packets\r
+<strong>http_inspect.post_requests</strong>: POST requests inspected (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dns.packets</strong>: total packets processed\r
+<strong>http_inspect.put_requests</strong>: PUT requests inspected (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dns.requests</strong>: total dns requests\r
+<strong>http_inspect.reassembles</strong>: TCP segments combined into HTTP messages (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dns.responses</strong>: total dns responses\r
+<strong>http_inspect.request_bodies</strong>: POST, PUT, and other requests with message bodies (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>dpx.packets</strong>: total packets\r
+<strong>http_inspect.requests</strong>: HTTP request messages inspected (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>file_connector.messages</strong>: total messages\r
+<strong>http_inspect.responses</strong>: HTTP response messages inspected (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>file_id.cache_failures</strong>: number of file cache add failures\r
+<strong>http_inspect.scans</strong>: TCP segments scanned looking for HTTP messages (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>file_id.total_file_data</strong>: number of file data bytes processed\r
+<strong>http_inspect.trace_requests</strong>: TRACE requests inspected (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>file_id.total_files</strong>: number of files processed\r
+<strong>http_inspect.uri_coding</strong>: URIs with character coding problems (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>file_log.total_events</strong>: total file events\r
+<strong>http_inspect.uri_normalizations</strong>: URIs needing to be normalization (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ftp_data.packets</strong>: total packets\r
+<strong>http_inspect.uri_path</strong>: URIs with path problems (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ftp_server.packets</strong>: total packets\r
+<strong>icmp4.bad_checksum</strong>: non-zero icmp checksums (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>gtp_inspect.events</strong>: requests\r
+<strong>icmp6.bad_icmp6_checksum</strong>: nonzero icmp6 checksums (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>gtp_inspect.sessions</strong>: total sessions processed\r
+<strong>imap.b64_attachments</strong>: total base64 attachments decoded (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>gtp_inspect.unknown_infos</strong>: unknown information elements\r
+<strong>imap.b64_decoded_bytes</strong>: total base64 decoded bytes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>gtp_inspect.unknown_types</strong>: unknown message types\r
+<strong>imap.concurrent_sessions</strong>: total concurrent imap sessions (now)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>host_cache.lru_cache_adds</strong>: lru cache added new entry\r
+<strong>imap.max_concurrent_sessions</strong>: maximum concurrent imap sessions (max)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>host_cache.lru_cache_clears</strong>: lru cache clear API calls\r
+<strong>imap.non_encoded_attachments</strong>: total non-encoded attachments extracted (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>host_cache.lru_cache_find_hits</strong>: lru cache found entry in cache\r
+<strong>imap.non_encoded_bytes</strong>: total non-encoded extracted bytes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>host_cache.lru_cache_find_misses</strong>: lru cache did not find entry in cache\r
+<strong>imap.packets</strong>: total packets processed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>host_cache.lru_cache_prunes</strong>: lru cache pruned entry to make space for new entry\r
+<strong>imap.qp_attachments</strong>: total quoted-printable attachments decoded (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>host_cache.lru_cache_removes</strong>: lru cache found entry and removed it\r
+<strong>imap.qp_decoded_bytes</strong>: total quoted-printable decoded bytes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>host_cache.lru_cache_replaces</strong>: lru cache replaced existing entry\r
+<strong>imap.sessions</strong>: total imap sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>host_tracker.service_adds</strong>: host service adds\r
+<strong>imap.uu_attachments</strong>: total uu attachments decoded (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>host_tracker.service_finds</strong>: host service finds\r
+<strong>imap.uu_decoded_bytes</strong>: total uu decoded bytes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>host_tracker.service_removes</strong>: host service removes\r
+<strong>ips.invalid_policy_ids</strong>: Number of times an invalid policy ID was provided (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.chunked</strong>: chunked message bodies\r
+<strong>ipv4.bad_checksum</strong>: nonzero ip checksums (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.connect_requests</strong>: CONNECT requests inspected\r
+<strong>latency.max_usecs</strong>: maximum usecs elapsed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.delete_requests</strong>: DELETE requests inspected\r
+<strong>latency.packet_timeouts</strong>: packets that timed out (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.flows</strong>: HTTP connections inspected\r
+<strong>latency.rule_eval_timeouts</strong>: rule evals that timed out (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.get_requests</strong>: GET requests inspected\r
+<strong>latency.rule_tree_enables</strong>: rule tree re-enables (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.head_requests</strong>: HEAD requests inspected\r
+<strong>latency.total_packets</strong>: total packets monitored (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.inspections</strong>: total message sections inspected\r
+<strong>latency.total_rule_evals</strong>: total rule evals monitored (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.options_requests</strong>: OPTIONS requests inspected\r
+<strong>latency.total_usecs</strong>: total usecs elapsed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.other_requests</strong>: other request methods inspected\r
+<strong>modbus.concurrent_sessions</strong>: total concurrent modbus sessions (now)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.post_requests</strong>: POST requests inspected\r
+<strong>modbus.frames</strong>: total Modbus messages (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.put_requests</strong>: PUT requests inspected\r
+<strong>modbus.max_concurrent_sessions</strong>: maximum concurrent modbus sessions (max)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.reassembles</strong>: TCP segments combined into HTTP messages\r
+<strong>modbus.sessions</strong>: total sessions processed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.request_bodies</strong>: POST, PUT, and other requests with message bodies\r
+<strong>mpls.total_bytes</strong>: total mpls labeled bytes processed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.requests</strong>: HTTP request messages inspected\r
+<strong>mpls.total_packets</strong>: total mpls labeled packets processed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.responses</strong>: HTTP response messages inspected\r
+<strong>normalizer.icmp4_echo</strong>: icmp4 ping normalizations (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.scans</strong>: TCP segments scanned looking for HTTP messages\r
+<strong>normalizer.icmp6_echo</strong>: icmp6 echo normalizations (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.trace_requests</strong>: TRACE requests inspected\r
+<strong>normalizer.ip4_df</strong>: don’t frag bit normalizations (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.uri_coding</strong>: URIs with character coding problems\r
+<strong>normalizer.ip4_opts</strong>: ip4 options cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.uri_normalizations</strong>: URIs needing to be normalization\r
+<strong>normalizer.ip4_rf</strong>: reserved flag bit clears (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>http_inspect.uri_path</strong>: URIs with path problems\r
+<strong>normalizer.ip4_tos</strong>: type of service normalizations (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>icmp4.bad_checksum</strong>: non-zero icmp checksums\r
+<strong>normalizer.ip4_trim</strong>: eth packets trimmed to datagram size (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>icmp6.bad_icmp6_checksum</strong>: nonzero icmp6 checksums\r
+<strong>normalizer.ip4_ttl</strong>: time-to-live normalizations (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>imap.b64_attachments</strong>: total base64 attachments decoded\r
+<strong>normalizer.ip6_hops</strong>: ip6 hop limit normalizations (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>imap.b64_decoded_bytes</strong>: total base64 decoded bytes\r
+<strong>normalizer.ip6_options</strong>: ip6 options cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>imap.non_encoded_attachments</strong>: total non-encoded attachments extracted\r
+<strong>normalizer.tcp_block</strong>: blocked segments (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>imap.non_encoded_bytes</strong>: total non-encoded extracted bytes\r
+<strong>normalizer.tcp_ecn_pkt</strong>: packets with ECN bits cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>imap.packets</strong>: total packets processed\r
+<strong>normalizer.tcp_ecn_session</strong>: ECN bits cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>imap.qp_attachments</strong>: total quoted-printable attachments decoded\r
+<strong>normalizer.tcp_ips_data</strong>: normalized segments (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>imap.qp_decoded_bytes</strong>: total quoted-printable decoded bytes\r
+<strong>normalizer.tcp_nonce</strong>: packets with nonce bit cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>imap.sessions</strong>: total imap sessions\r
+<strong>normalizer.tcp_options</strong>: packets with options cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>imap.uu_attachments</strong>: total uu attachments decoded\r
+<strong>normalizer.tcp_padding</strong>: packets with padding cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>imap.uu_decoded_bytes</strong>: total uu decoded bytes\r
+<strong>normalizer.tcp_req_pay</strong>: cleared urgent pointer and urgent flag when there is no payload (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ipv4.bad_checksum</strong>: nonzero ip checksums\r
+<strong>normalizer.tcp_req_urg</strong>: cleared urgent pointer when urgent flag is not set (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>latency.max_usecs</strong>: maximum usecs elapsed\r
+<strong>normalizer.tcp_req_urp</strong>: cleared the urgent flag if the urgent pointer is not set (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>latency.packet_timeouts</strong>: packets that timed out\r
+<strong>normalizer.tcp_reserved</strong>: packets with reserved bits cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>latency.rule_eval_timeouts</strong>: rule evals that timed out\r
+<strong>normalizer.tcp_syn_options</strong>: SYN only options cleared from non-SYN packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>latency.rule_tree_enables</strong>: rule tree re-enables\r
+<strong>normalizer.tcp_trim_mss</strong>: data trimmed to MSS (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>latency.total_packets</strong>: total packets monitored\r
+<strong>normalizer.tcp_trim_rst</strong>: RST packets with data trimmed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>latency.total_rule_evals</strong>: total rule evals monitored\r
+<strong>normalizer.tcp_trim_syn</strong>: tcp segments trimmed on SYN (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>latency.total_usecs</strong>: total usecs elapsed\r
+<strong>normalizer.tcp_trim_win</strong>: data trimmed to window (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>modbus.frames</strong>: total Modbus messages\r
+<strong>normalizer.tcp_ts_ecr</strong>: timestamp cleared on non-ACKs (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>modbus.sessions</strong>: total sessions processed\r
+<strong>normalizer.tcp_ts_nop</strong>: timestamp options cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>mpls.total_bytes</strong>: total mpls labeled bytes processed\r
+<strong>normalizer.tcp_urgent_ptr</strong>: packets without data with urgent pointer cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>mpls.total_packets</strong>: total mpls labeled packets processed\r
+<strong>normalizer.test_icmp4_echo</strong>: test icmp4 ping normalizations (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.icmp4_echo</strong>: icmp4 ping normalizations\r
+<strong>normalizer.test_icmp6_echo</strong>: test icmp6 echo normalizations (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.icmp6_echo</strong>: icmp6 echo normalizations\r
+<strong>normalizer.test_ip4_df</strong>: test don’t frag bit normalizations (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.ip4_df</strong>: don’t frag bit normalizations\r
+<strong>normalizer.test_ip4_opts</strong>: test ip4 options cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.ip4_opts</strong>: ip4 options cleared\r
+<strong>normalizer.test_ip4_rf</strong>: test reserved flag bit clears (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.ip4_rf</strong>: reserved flag bit clears\r
+<strong>normalizer.test_ip4_tos</strong>: test type of service normalizations (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.ip4_tos</strong>: type of service normalizations\r
+<strong>normalizer.test_ip4_trim</strong>: test eth packets trimmed to datagram size (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.ip4_trim</strong>: eth packets trimmed to datagram size\r
+<strong>normalizer.test_ip4_ttl</strong>: test time-to-live normalizations (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.ip4_ttl</strong>: time-to-live normalizations\r
+<strong>normalizer.test_ip6_hops</strong>: test ip6 hop limit normalizations (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.ip6_hops</strong>: ip6 hop limit normalizations\r
+<strong>normalizer.test_ip6_options</strong>: test ip6 options cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.ip6_options</strong>: ip6 options cleared\r
+<strong>normalizer.test_tcp_block</strong>: test blocked segments (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_block</strong>: blocked segments\r
+<strong>normalizer.test_tcp_ecn_pkt</strong>: test packets with ECN bits cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_ecn_pkt</strong>: packets with ECN bits cleared\r
+<strong>normalizer.test_tcp_ecn_session</strong>: test ECN bits cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_ecn_session</strong>: ECN bits cleared\r
+<strong>normalizer.test_tcp_ips_data</strong>: test normalized segments (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_ips_data</strong>: normalized segments\r
+<strong>normalizer.test_tcp_nonce</strong>: test packets with nonce bit cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_nonce</strong>: packets with nonce bit cleared\r
+<strong>normalizer.test_tcp_options</strong>: test packets with options cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_options</strong>: packets with options cleared\r
+<strong>normalizer.test_tcp_padding</strong>: test packets with padding cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_padding</strong>: packets with padding cleared\r
+<strong>normalizer.test_tcp_req_pay</strong>: test cleared urgent pointer and urgent flag when there is no payload (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_req_pay</strong>: cleared urgent pointer and urgent flag when there is no payload\r
+<strong>normalizer.test_tcp_req_urg</strong>: test cleared urgent pointer when urgent flag is not set (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_req_urg</strong>: cleared urgent pointer when urgent flag is not set\r
+<strong>normalizer.test_tcp_req_urp</strong>: test cleared the urgent flag if the urgent pointer is not set (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_req_urp</strong>: cleared the urgent flag if the urgent pointer is not set\r
+<strong>normalizer.test_tcp_reserved</strong>: test packets with reserved bits cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_reserved</strong>: packets with reserved bits cleared\r
+<strong>normalizer.test_tcp_syn_options</strong>: test SYN only options cleared from non-SYN packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_syn_options</strong>: SYN only options cleared from non-SYN packets\r
+<strong>normalizer.test_tcp_trim_mss</strong>: test data trimmed to MSS (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_trim_mss</strong>: data trimmed to MSS\r
+<strong>normalizer.test_tcp_trim_rst</strong>: test RST packets with data trimmed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_trim_rst</strong>: RST packets with data trimmed\r
+<strong>normalizer.test_tcp_trim_syn</strong>: test tcp segments trimmed on SYN (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_trim_syn</strong>: tcp segments trimmed on SYN\r
+<strong>normalizer.test_tcp_trim_win</strong>: test data trimmed to window (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_trim_win</strong>: data trimmed to window\r
+<strong>normalizer.test_tcp_ts_ecr</strong>: test timestamp cleared on non-ACKs (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_ts_ecr</strong>: timestamp cleared on non-ACKs\r
+<strong>normalizer.test_tcp_ts_nop</strong>: test timestamp options cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_ts_nop</strong>: timestamp options cleared\r
+<strong>normalizer.test_tcp_urgent_ptr</strong>: test packets without data with urgent pointer cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.tcp_urgent_ptr</strong>: packets without data with urgent pointer cleared\r
+<strong>packet_capture.captured</strong>: packets matching dumped after matching filter (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_icmp4_echo</strong>: test icmp4 ping normalizations\r
+<strong>packet_capture.processed</strong>: packets processed against filter (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_icmp6_echo</strong>: test icmp6 echo normalizations\r
+<strong>perf_monitor.packets</strong>: total packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_ip4_df</strong>: test don’t frag bit normalizations\r
+<strong>pop.b64_attachments</strong>: total base64 attachments decoded (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_ip4_opts</strong>: test ip4 options cleared\r
+<strong>pop.b64_decoded_bytes</strong>: total base64 decoded bytes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_ip4_rf</strong>: test reserved flag bit clears\r
+<strong>pop.concurrent_sessions</strong>: total concurrent pop sessions (now)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_ip4_tos</strong>: test type of service normalizations\r
+<strong>pop.max_concurrent_sessions</strong>: maximum concurrent pop sessions (max)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_ip4_trim</strong>: test eth packets trimmed to datagram size\r
+<strong>pop.non_encoded_attachments</strong>: total non-encoded attachments extracted (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_ip4_ttl</strong>: test time-to-live normalizations\r
+<strong>pop.non_encoded_bytes</strong>: total non-encoded extracted bytes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_ip6_hops</strong>: test ip6 hop limit normalizations\r
+<strong>pop.packets</strong>: total packets processed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_ip6_options</strong>: test ip6 options cleared\r
+<strong>pop.qp_attachments</strong>: total quoted-printable attachments decoded (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_tcp_block</strong>: test blocked segments\r
+<strong>pop.qp_decoded_bytes</strong>: total quoted-printable decoded bytes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_tcp_ecn_pkt</strong>: test packets with ECN bits cleared\r
+<strong>pop.sessions</strong>: total pop sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_tcp_ecn_session</strong>: test ECN bits cleared\r
+<strong>pop.uu_attachments</strong>: total uu attachments decoded (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_tcp_ips_data</strong>: test normalized segments\r
+<strong>pop.uu_decoded_bytes</strong>: total uu decoded bytes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_tcp_nonce</strong>: test packets with nonce bit cleared\r
+<strong>port_scan.packets</strong>: total packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_tcp_options</strong>: test packets with options cleared\r
+<strong>reg_test.packets</strong>: total packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_tcp_padding</strong>: test packets with padding cleared\r
+<strong>reg_test.retry_packets</strong>: total retried packets received (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_tcp_req_pay</strong>: test cleared urgent pointer and urgent flag when there is no payload\r
+<strong>reg_test.retry_requests</strong>: total retry packets requested (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_tcp_req_urg</strong>: test cleared urgent pointer when urgent flag is not set\r
+<strong>reputation.blacklisted</strong>: number of packets blacklisted (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_tcp_req_urp</strong>: test cleared the urgent flag if the urgent pointer is not set\r
+<strong>reputation.memory_allocated</strong>: total memory allocated (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_tcp_reserved</strong>: test packets with reserved bits cleared\r
+<strong>reputation.monitored</strong>: number of packets monitored (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_tcp_syn_options</strong>: test SYN only options cleared from non-SYN packets\r
+<strong>reputation.packets</strong>: total packets processed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_tcp_trim_mss</strong>: test data trimmed to MSS\r
+<strong>reputation.whitelisted</strong>: number of packets whitelisted (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_tcp_trim_rst</strong>: test RST packets with data trimmed\r
+<strong>rpc_decode.concurrent_sessions</strong>: total concurrent rpc sessions (now)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_tcp_trim_syn</strong>: test tcp segments trimmed on SYN\r
+<strong>rpc_decode.max_concurrent_sessions</strong>: maximum concurrent rpc sessions (max)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_tcp_trim_win</strong>: test data trimmed to window\r
+<strong>rpc_decode.total_packets</strong>: total packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_tcp_ts_ecr</strong>: test timestamp cleared on non-ACKs\r
+<strong>sd_pattern.below_threshold</strong>: sd_pattern matched but missed threshold (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_tcp_ts_nop</strong>: test timestamp options cleared\r
+<strong>sd_pattern.pattern_not_found</strong>: sd_pattern did not not match (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>normalizer.test_tcp_urgent_ptr</strong>: test packets without data with urgent pointer cleared\r
+<strong>sd_pattern.terminated</strong>: hyperscan terminated (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>packet_capture.captured</strong>: packets matching dumped after matching filter\r
+<strong>search_engine.max_queued</strong>: maximum fast pattern matches queued for further evaluation (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>packet_capture.processed</strong>: packets processed against filter\r
+<strong>search_engine.non_qualified_events</strong>: total non-qualified events (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>perf_monitor.packets</strong>: total packets\r
+<strong>search_engine.qualified_events</strong>: total qualified events (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>pop.b64_attachments</strong>: total base64 attachments decoded\r
+<strong>search_engine.searched_bytes</strong>: total bytes searched (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>pop.b64_decoded_bytes</strong>: total base64 decoded bytes\r
+<strong>search_engine.total_flushed</strong>: fast pattern matches discarded due to overflow (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>pop.non_encoded_attachments</strong>: total non-encoded attachments extracted\r
+<strong>search_engine.total_inserts</strong>: total fast pattern hits (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>pop.non_encoded_bytes</strong>: total non-encoded extracted bytes\r
+<strong>search_engine.total_unique</strong>: total unique fast pattern hits (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>pop.packets</strong>: total packets processed\r
+<strong>side_channel.packets</strong>: total packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>pop.qp_attachments</strong>: total quoted-printable attachments decoded\r
+<strong>sip.ack</strong>: ack (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>pop.qp_decoded_bytes</strong>: total quoted-printable decoded bytes\r
+<strong>sip.bye</strong>: bye (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>pop.sessions</strong>: total pop sessions\r
+<strong>sip.cancel</strong>: cancel (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>pop.uu_attachments</strong>: total uu attachments decoded\r
+<strong>sip.code_1xx</strong>: 1xx (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>pop.uu_decoded_bytes</strong>: total uu decoded bytes\r
+<strong>sip.code_2xx</strong>: 2xx (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>port_scan.packets</strong>: total packets\r
+<strong>sip.code_3xx</strong>: 3xx (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>reputation.blacklisted</strong>: number of packets blacklisted\r
+<strong>sip.code_4xx</strong>: 4xx (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>reputation.memory_allocated</strong>: total memory allocated\r
+<strong>sip.code_5xx</strong>: 5xx (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>reputation.monitored</strong>: number of packets monitored\r
+<strong>sip.code_6xx</strong>: 6xx (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>reputation.packets</strong>: total packets processed\r
+<strong>sip.code_7xx</strong>: 7xx (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>reputation.whitelisted</strong>: number of packets whitelisted\r
+<strong>sip.code_8xx</strong>: 8xx (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>rpc_decode.packets</strong>: total packets\r
+<strong>sip.code_9xx</strong>: 9xx (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sd_pattern.below_threshold</strong>: sd_pattern matched but missed threshold\r
+<strong>sip.concurrent_sessions</strong>: total concurrent sip sessions (now)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sd_pattern.pattern_not_found</strong>: sd_pattern did not not match\r
+<strong>sip.dialogs</strong>: total dialogs (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sd_pattern.terminated</strong>: hyperscan terminated\r
+<strong>sip.events</strong>: events generated (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>search_engine.max_queued</strong>: maximum fast pattern matches queued for further evaluation\r
+<strong>sip.ignored_channels</strong>: total channels ignored (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>search_engine.non_qualified_events</strong>: total non-qualified events\r
+<strong>sip.ignored_sessions</strong>: total sessions ignored (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>search_engine.qualified_events</strong>: total qualified events\r
+<strong>sip.info</strong>: info (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>search_engine.searched_bytes</strong>: total bytes searched\r
+<strong>sip.invite</strong>: invite (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>search_engine.total_flushed</strong>: fast pattern matches discarded due to overflow\r
+<strong>sip.join</strong>: join (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>search_engine.total_inserts</strong>: total fast pattern hits\r
+<strong>sip.max_concurrent_sessions</strong>: maximum concurrent sip sessions (max)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>search_engine.total_unique</strong>: total unique fast pattern hits\r
+<strong>sip.message</strong>: message (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.ack</strong>: ack\r
+<strong>sip.notify</strong>: notify (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.bye</strong>: bye\r
+<strong>sip.options</strong>: options (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.cancel</strong>: cancel\r
+<strong>sip.packets</strong>: total packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.code_1xx</strong>: 1xx\r
+<strong>sip.prack</strong>: prack (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.code_2xx</strong>: 2xx\r
+<strong>sip.refer</strong>: refer (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.code_3xx</strong>: 3xx\r
+<strong>sip.register</strong>: register (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.code_4xx</strong>: 4xx\r
+<strong>sip.sessions</strong>: total sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.code_5xx</strong>: 5xx\r
+<strong>sip.subscribe</strong>: subscribe (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.code_6xx</strong>: 6xx\r
+<strong>sip.total_requests</strong>: total requests (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.code_7xx</strong>: 7xx\r
+<strong>sip.total_responses</strong>: total responses (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.code_8xx</strong>: 8xx\r
+<strong>sip.update</strong>: update (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.code_9xx</strong>: 9xx\r
+<strong>smtp.b64_attachments</strong>: total base64 attachments decoded (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.dialogs</strong>: total dialogs\r
+<strong>smtp.b64_decoded_bytes</strong>: total base64 decoded bytes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.events</strong>: events generated\r
+<strong>smtp.concurrent_sessions</strong>: total concurrent smtp sessions (now)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.ignored_channels</strong>: total channels ignored\r
+<strong>smtp.max_concurrent_sessions</strong>: maximum concurrent smtp sessions (max)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.ignored_sessions</strong>: total sessions ignored\r
+<strong>smtp.non_encoded_attachments</strong>: total non-encoded attachments extracted (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.info</strong>: info\r
+<strong>smtp.non_encoded_bytes</strong>: total non-encoded extracted bytes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.invite</strong>: invite\r
+<strong>smtp.packets</strong>: total packets processed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.join</strong>: join\r
+<strong>smtp.qp_attachments</strong>: total quoted-printable attachments decoded (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.message</strong>: message\r
+<strong>smtp.qp_decoded_bytes</strong>: total quoted-printable decoded bytes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.notify</strong>: notify\r
+<strong>smtp.sessions</strong>: total smtp sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.options</strong>: options\r
+<strong>smtp.uu_attachments</strong>: total uu attachments decoded (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.packets</strong>: total packets\r
+<strong>smtp.uu_decoded_bytes</strong>: total uu decoded bytes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.prack</strong>: prack\r
+<strong>snort.attribute_table_hosts</strong>: total number of hosts in table (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.refer</strong>: refer\r
+<strong>snort.attribute_table_reloads</strong>: number of times hosts table was reloaded (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.register</strong>: register\r
+<strong>snort.conf_reloads</strong>: number of times configuration was reloaded (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.sessions</strong>: total sessions\r
+<strong>snort.daq_reloads</strong>: number of times daq configuration was reloaded (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.subscribe</strong>: subscribe\r
+<strong>snort.inspector_deletions</strong>: number of times inspectors were deleted (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.total_requests</strong>: total requests\r
+<strong>snort.local_commands</strong>: total local commands processed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.total_responses</strong>: total responses\r
+<strong>snort.policy_reloads</strong>: number of times policies were reloaded (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>sip.update</strong>: update\r
+<strong>snort.remote_commands</strong>: total remote commands processed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.b64_attachments</strong>: total base64 attachments decoded\r
+<strong>snort.signals</strong>: total signals processed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.b64_decoded_bytes</strong>: total base64 decoded bytes\r
+<strong>ssh.concurrent_sessions</strong>: total concurrent ssh sessions (now)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.concurrent_sessions</strong>: total concurrent smtp sessions\r
+<strong>ssh.max_concurrent_sessions</strong>: maximum concurrent ssh sessions (max)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.max_concurrent_sessions</strong>: maximum concurrent smtp sessions\r
+<strong>ssh.packets</strong>: total packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.non_encoded_attachments</strong>: total non-encoded attachments extracted\r
+<strong>ssl.alert</strong>: total ssl alert records (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.non_encoded_bytes</strong>: total non-encoded extracted bytes\r
+<strong>ssl.bad_handshakes</strong>: total bad handshakes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.packets</strong>: total packets processed\r
+<strong>ssl.certificate</strong>: total ssl certificates (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.qp_attachments</strong>: total quoted-printable attachments decoded\r
+<strong>ssl.change_cipher</strong>: total change cipher records (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.qp_decoded_bytes</strong>: total quoted-printable decoded bytes\r
+<strong>ssl.client_application</strong>: total client application records (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.sessions</strong>: total smtp sessions\r
+<strong>ssl.client_hello</strong>: total client hellos (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.uu_attachments</strong>: total uu attachments decoded\r
+<strong>ssl.client_key_exchange</strong>: total client key exchanges (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>smtp.uu_decoded_bytes</strong>: total uu decoded bytes\r
+<strong>ssl.concurrent_sessions</strong>: total concurrent ssl sessions (now)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.attribute_table_hosts</strong>: total number of hosts in table\r
+<strong>ssl.decoded</strong>: ssl packets decoded (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.attribute_table_reloads</strong>: number of times hosts table was reloaded\r
+<strong>ssl.detection_disabled</strong>: total detection disabled (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.conf_reloads</strong>: number of times configuration was reloaded\r
+<strong>ssl.finished</strong>: total handshakes finished (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.daq_reloads</strong>: number of times daq configuration was reloaded\r
+<strong>ssl.handshakes_completed</strong>: total completed ssl handshakes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.local_commands</strong>: total local commands processed\r
+<strong>ssl.max_concurrent_sessions</strong>: maximum concurrent ssl sessions (max)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.remote_commands</strong>: total remote commands processed\r
+<strong>ssl.packets</strong>: total packets processed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>snort.signals</strong>: total signals processed\r
+<strong>ssl.server_application</strong>: total server application records (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssh.packets</strong>: total packets\r
+<strong>ssl.server_done</strong>: total server done (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.alert</strong>: total ssl alert records\r
+<strong>ssl.server_hello</strong>: total server hellos (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.bad_handshakes</strong>: total bad handshakes\r
+<strong>ssl.server_key_exchange</strong>: total server key exchanges (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.certificate</strong>: total ssl certificates\r
+<strong>ssl.sessions_ignored</strong>: total sessions ignore (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.change_cipher</strong>: total change cipher records\r
+<strong>ssl.unrecognized_records</strong>: total unrecognized records (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.client_application</strong>: total client application records\r
+<strong>stream.file_excess_prunes</strong>: file sessions pruned due to excess (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.client_hello</strong>: total client hellos\r
+<strong>stream.file_flows</strong>: total file sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.client_key_exchange</strong>: total client key exchanges\r
+<strong>stream.file_ha_prunes</strong>: file sessions pruned by high availability sync (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.decoded</strong>: ssl packets decoded\r
+<strong>stream.file_idle_prunes</strong>: file sessions pruned due to timeout (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.detection_disabled</strong>: total detection disabled\r
+<strong>stream.file_memcap_prunes</strong>: file sessions pruned due to memcap (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.finished</strong>: total handshakes finished\r
+<strong>stream.file_preemptive_prunes</strong>: file sessions pruned during preemptive pruning (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.handshakes_completed</strong>: total completed ssl handshakes\r
+<strong>stream.file_total_prunes</strong>: total file sessions pruned (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.packets</strong>: total packets processed\r
+<strong>stream.file_uni_prunes</strong>: file uni sessions pruned (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.server_application</strong>: total server application records\r
+<strong>stream_icmp.created</strong>: icmp session trackers created (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.server_done</strong>: total server done\r
+<strong>stream.icmp_excess_prunes</strong>: icmp sessions pruned due to excess (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.server_hello</strong>: total server hellos\r
+<strong>stream.icmp_flows</strong>: total icmp sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.server_key_exchange</strong>: total server key exchanges\r
+<strong>stream.icmp_ha_prunes</strong>: icmp sessions pruned by high availability sync (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.sessions_ignored</strong>: total sessions ignore\r
+<strong>stream.icmp_idle_prunes</strong>: icmp sessions pruned due to timeout (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>ssl.unrecognized_records</strong>: total unrecognized records\r
+<strong>stream_icmp.max</strong>: max icmp sessions (max)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.file_excess_prunes</strong>: file sessions pruned due to excess\r
+<strong>stream.icmp_memcap_prunes</strong>: icmp sessions pruned due to memcap (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.file_flows</strong>: total file sessions\r
+<strong>stream.icmp_preemptive_prunes</strong>: icmp sessions pruned during preemptive pruning (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.file_ha_prunes</strong>: file sessions pruned by high availability sync\r
+<strong>stream_icmp.prunes</strong>: icmp session prunes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.file_idle_prunes</strong>: file sessions pruned due to timeout\r
+<strong>stream_icmp.released</strong>: icmp session trackers released (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.file_memcap_prunes</strong>: file sessions pruned due to memcap\r
+<strong>stream_icmp.sessions</strong>: total icmp sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.file_preemptive_prunes</strong>: file sessions pruned during preemptive pruning\r
+<strong>stream_icmp.timeouts</strong>: icmp session timeouts (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.file_total_prunes</strong>: total file sessions pruned\r
+<strong>stream.icmp_total_prunes</strong>: total icmp sessions pruned (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.file_uni_prunes</strong>: file uni sessions pruned\r
+<strong>stream.icmp_uni_prunes</strong>: icmp uni sessions pruned (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_icmp.created</strong>: icmp session trackers created\r
+<strong>stream_ip.alerts</strong>: alerts generated (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp_excess_prunes</strong>: icmp sessions pruned due to excess\r
+<strong>stream_ip.anomalies</strong>: anomalies detected (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp_flows</strong>: total icmp sessions\r
+<strong>stream_ip.created</strong>: ip session trackers created (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp_ha_prunes</strong>: icmp sessions pruned by high availability sync\r
+<strong>stream_ip.current_frags</strong>: current fragments (now)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp_idle_prunes</strong>: icmp sessions pruned due to timeout\r
+<strong>stream_ip.discards</strong>: fragments discarded (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_icmp.max</strong>: max icmp sessions\r
+<strong>stream_ip.drops</strong>: fragments dropped (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp_memcap_prunes</strong>: icmp sessions pruned due to memcap\r
+<strong>stream.ip_excess_prunes</strong>: ip sessions pruned due to excess (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp_preemptive_prunes</strong>: icmp sessions pruned during preemptive pruning\r
+<strong>stream.ip_flows</strong>: total ip sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_icmp.prunes</strong>: icmp session prunes\r
+<strong>stream_ip.fragmented_bytes</strong>: total fragmented bytes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_icmp.released</strong>: icmp session trackers released\r
+<strong>stream_ip.frag_timeouts</strong>: datagrams abandoned (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_icmp.sessions</strong>: total icmp sessions\r
+<strong>stream.ip_ha_prunes</strong>: ip sessions pruned by high availability sync (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_icmp.timeouts</strong>: icmp session timeouts\r
+<strong>stream.ip_idle_prunes</strong>: ip sessions pruned due to timeout (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp_total_prunes</strong>: total icmp sessions pruned\r
+<strong>stream_ip.max_frags</strong>: max fragments (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.icmp_uni_prunes</strong>: icmp uni sessions pruned\r
+<strong>stream_ip.max</strong>: max ip sessions (max)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.alerts</strong>: alerts generated\r
+<strong>stream.ip_memcap_prunes</strong>: ip sessions pruned due to memcap (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.anomalies</strong>: anomalies detected\r
+<strong>stream_ip.memory_used</strong>: current memory usage in bytes (now)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.created</strong>: ip session trackers created\r
+<strong>stream_ip.nodes_deleted</strong>: fragments deleted from tracker (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.current_frags</strong>: current fragments\r
+<strong>stream_ip.nodes_inserted</strong>: fragments added to tracker (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.discards</strong>: fragments discarded\r
+<strong>stream_ip.overlaps</strong>: overlapping fragments (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.drops</strong>: fragments dropped\r
+<strong>stream.ip_preemptive_prunes</strong>: ip sessions pruned during preemptive pruning (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip_excess_prunes</strong>: ip sessions pruned due to excess\r
+<strong>stream_ip.prunes</strong>: ip session prunes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip_flows</strong>: total ip sessions\r
+<strong>stream_ip.reassembled_bytes</strong>: total reassembled bytes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.fragmented_bytes</strong>: total fragmented bytes\r
+<strong>stream_ip.reassembled</strong>: reassembled datagrams (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.frag_timeouts</strong>: datagrams abandoned\r
+<strong>stream_ip.released</strong>: ip session trackers released (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip_ha_prunes</strong>: ip sessions pruned by high availability sync\r
+<strong>stream_ip.sessions</strong>: total ip sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip_idle_prunes</strong>: ip sessions pruned due to timeout\r
+<strong>stream_ip.timeouts</strong>: ip session timeouts (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.max_frags</strong>: max fragments\r
+<strong>stream_ip.total_frags</strong>: total fragments (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.max</strong>: max ip sessions\r
+<strong>stream.ip_total_prunes</strong>: total ip sessions pruned (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip_memcap_prunes</strong>: ip sessions pruned due to memcap\r
+<strong>stream_ip.trackers_added</strong>: datagram trackers created (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.memory_used</strong>: current memory usage in bytes\r
+<strong>stream_ip.trackers_cleared</strong>: datagram trackers cleared (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.nodes_deleted</strong>: fragments deleted from tracker\r
+<strong>stream_ip.trackers_completed</strong>: datagram trackers completed (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.nodes_inserted</strong>: fragments added to tracker\r
+<strong>stream_ip.trackers_freed</strong>: datagram trackers released (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.overlaps</strong>: overlapping fragments\r
+<strong>stream.ip_uni_prunes</strong>: ip uni sessions pruned (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip_preemptive_prunes</strong>: ip sessions pruned during preemptive pruning\r
+<strong>stream_tcp.client_cleanups</strong>: number of times data from server was flushed when session released (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.prunes</strong>: ip session prunes\r
+<strong>stream_tcp.closing</strong>: number of sessions currently closing (now)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.reassembled_bytes</strong>: total reassembled bytes\r
+<strong>stream_tcp.created</strong>: tcp session trackers created (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.reassembled</strong>: reassembled datagrams\r
+<strong>stream_tcp.data_trackers</strong>: tcp session tracking started on data (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.released</strong>: ip session trackers released\r
+<strong>stream_tcp.discards</strong>: tcp packets discarded (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.sessions</strong>: total ip sessions\r
+<strong>stream_tcp.established</strong>: number of sessions currently established (now)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.timeouts</strong>: ip session timeouts\r
+<strong>stream_tcp.events</strong>: events generated (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.total_frags</strong>: total fragments\r
+<strong>stream_tcp.exceeded_max_bytes</strong>: number of times the maximum queued byte limit was reached (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip_total_prunes</strong>: total ip sessions pruned\r
+<strong>stream_tcp.exceeded_max_segs</strong>: number of times the maximum queued segment limit was reached (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.trackers_added</strong>: datagram trackers created\r
+<strong>stream.tcp_excess_prunes</strong>: tcp sessions pruned due to excess (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.trackers_cleared</strong>: datagram trackers cleared\r
+<strong>stream_tcp.fins</strong>: number of fin packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.trackers_completed</strong>: datagram trackers completed\r
+<strong>stream.tcp_flows</strong>: total tcp sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_ip.trackers_freed</strong>: datagram trackers released\r
+<strong>stream_tcp.gaps</strong>: missing data between PDUs (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.ip_uni_prunes</strong>: ip uni sessions pruned\r
+<strong>stream.tcp_ha_prunes</strong>: tcp sessions pruned by high availability sync (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.client_cleanups</strong>: number of times data from server was flushed when session released\r
+<strong>stream.tcp_idle_prunes</strong>: tcp sessions pruned due to timeout (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.closing</strong>: number of sessions currently closing\r
+<strong>stream_tcp.ignored</strong>: tcp packets ignored (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.created</strong>: tcp session trackers created\r
+<strong>stream_tcp.initializing</strong>: number of sessions currently initializing (now)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.data_trackers</strong>: tcp session tracking started on data\r
+<strong>stream_tcp.internal_events</strong>: 135:X events generated (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.discards</strong>: tcp packets discarded\r
+<strong>stream_tcp.max</strong>: max tcp sessions (max)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.established</strong>: number of sessions currently established\r
+<strong>stream.tcp_memcap_prunes</strong>: tcp sessions pruned due to memcap (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.events</strong>: events generated\r
+<strong>stream_tcp.memory</strong>: current memory in use (now)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.exceeded_max_bytes</strong>: number of times the maximum queued byte limit was reached\r
+<strong>stream_tcp.overlaps</strong>: overlapping segments queued (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.exceeded_max_segs</strong>: number of times the maximum queued segment limit was reached\r
+<strong>stream.tcp_preemptive_prunes</strong>: tcp sessions pruned during preemptive pruning (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp_excess_prunes</strong>: tcp sessions pruned due to excess\r
+<strong>stream_tcp.prunes</strong>: tcp session prunes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.fins</strong>: number of fin packets\r
+<strong>stream_tcp.rebuilt_buffers</strong>: rebuilt PDU sections (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp_flows</strong>: total tcp sessions\r
+<strong>stream_tcp.rebuilt_bytes</strong>: total rebuilt bytes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.gaps</strong>: missing data between PDUs\r
+<strong>stream_tcp.rebuilt_packets</strong>: total reassembled PDUs (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp_ha_prunes</strong>: tcp sessions pruned by high availability sync\r
+<strong>stream_tcp.released</strong>: tcp session trackers released (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp_idle_prunes</strong>: tcp sessions pruned due to timeout\r
+<strong>stream_tcp.resets</strong>: number of reset packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.ignored</strong>: tcp packets ignored\r
+<strong>stream_tcp.resyns</strong>: SYN received on established session (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.initializing</strong>: number of sessions currently initializing\r
+<strong>stream_tcp.segs_queued</strong>: total segments queued (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.internal_events</strong>: 135:X events generated\r
+<strong>stream_tcp.segs_released</strong>: total segments released (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.max</strong>: max tcp sessions\r
+<strong>stream_tcp.segs_split</strong>: tcp segments split when reassembling PDUs (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp_memcap_prunes</strong>: tcp sessions pruned due to memcap\r
+<strong>stream_tcp.segs_used</strong>: queued tcp segments applied to reassembled PDUs (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.memory</strong>: current memory in use\r
+<strong>stream_tcp.server_cleanups</strong>: number of times data from client was flushed when session released (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.overlaps</strong>: overlapping segments queued\r
+<strong>stream_tcp.sessions</strong>: total tcp sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp_preemptive_prunes</strong>: tcp sessions pruned during preemptive pruning\r
+<strong>stream_tcp.syn_acks</strong>: number of syn-ack packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.prunes</strong>: tcp session prunes\r
+<strong>stream_tcp.syn_ack_trackers</strong>: tcp session tracking started on syn-ack (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.rebuilt_buffers</strong>: rebuilt PDU sections\r
+<strong>stream_tcp.syns</strong>: number of syn packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.rebuilt_bytes</strong>: total rebuilt bytes\r
+<strong>stream_tcp.syn_trackers</strong>: tcp session tracking started on syn (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.rebuilt_packets</strong>: total reassembled PDUs\r
+<strong>stream_tcp.three_way_trackers</strong>: tcp session tracking started on ack (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.released</strong>: tcp session trackers released\r
+<strong>stream_tcp.timeouts</strong>: tcp session timeouts (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.resets</strong>: number of reset packets\r
+<strong>stream.tcp_total_prunes</strong>: total tcp sessions pruned (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.resyns</strong>: SYN received on established session\r
+<strong>stream.tcp_uni_prunes</strong>: tcp uni sessions pruned (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.segs_queued</strong>: total segments queued\r
+<strong>stream_tcp.untracked</strong>: tcp packets not tracked (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.segs_released</strong>: total segments released\r
+<strong>stream_udp.created</strong>: udp session trackers created (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.segs_split</strong>: tcp segments split when reassembling PDUs\r
+<strong>stream.udp_excess_prunes</strong>: udp sessions pruned due to excess (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.segs_used</strong>: queued tcp segments applied to reassembled PDUs\r
+<strong>stream.udp_flows</strong>: total udp sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.server_cleanups</strong>: number of times data from client was flushed when session released\r
+<strong>stream.udp_ha_prunes</strong>: udp sessions pruned by high availability sync (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.sessions</strong>: total tcp sessions\r
+<strong>stream.udp_idle_prunes</strong>: udp sessions pruned due to timeout (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.syn_acks</strong>: number of syn-ack packets\r
+<strong>stream_udp.ignored</strong>: udp packets ignored (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.syn_ack_trackers</strong>: tcp session tracking started on syn-ack\r
+<strong>stream_udp.max</strong>: max udp sessions (max)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.syns</strong>: number of syn packets\r
+<strong>stream.udp_memcap_prunes</strong>: udp sessions pruned due to memcap (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.syn_trackers</strong>: tcp session tracking started on syn\r
+<strong>stream.udp_preemptive_prunes</strong>: udp sessions pruned during preemptive pruning (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.three_way_trackers</strong>: tcp session tracking started on ack\r
+<strong>stream_udp.prunes</strong>: udp session prunes (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.timeouts</strong>: tcp session timeouts\r
+<strong>stream_udp.released</strong>: udp session trackers released (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp_total_prunes</strong>: total tcp sessions pruned\r
+<strong>stream_udp.sessions</strong>: total udp sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.tcp_uni_prunes</strong>: tcp uni sessions pruned\r
+<strong>stream_udp.timeouts</strong>: udp session timeouts (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_tcp.untracked</strong>: tcp packets not tracked\r
+<strong>stream.udp_total_prunes</strong>: total udp sessions pruned (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_udp.created</strong>: udp session trackers created\r
+<strong>stream.udp_uni_prunes</strong>: udp uni sessions pruned (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp_excess_prunes</strong>: udp sessions pruned due to excess\r
+<strong>stream.user_excess_prunes</strong>: user sessions pruned due to excess (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp_flows</strong>: total udp sessions\r
+<strong>stream.user_flows</strong>: total user sessions (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp_ha_prunes</strong>: udp sessions pruned by high availability sync\r
+<strong>stream.user_ha_prunes</strong>: user sessions pruned by high availability sync (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp_idle_prunes</strong>: udp sessions pruned due to timeout\r
+<strong>stream.user_idle_prunes</strong>: user sessions pruned due to timeout (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_udp.ignored</strong>: udp packets ignored\r
+<strong>stream.user_memcap_prunes</strong>: user sessions pruned due to memcap (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_udp.max</strong>: max udp sessions\r
+<strong>stream.user_preemptive_prunes</strong>: user sessions pruned during preemptive pruning (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp_memcap_prunes</strong>: udp sessions pruned due to memcap\r
+<strong>stream.user_total_prunes</strong>: total user sessions pruned (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp_preemptive_prunes</strong>: udp sessions pruned during preemptive pruning\r
+<strong>stream.user_uni_prunes</strong>: user uni sessions pruned (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_udp.prunes</strong>: udp session prunes\r
+<strong>tcp.bad_tcp4_checksum</strong>: nonzero tcp over ip checksums (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_udp.released</strong>: udp session trackers released\r
+<strong>tcp.bad_tcp6_checksum</strong>: nonzero tcp over ipv6 checksums (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_udp.sessions</strong>: total udp sessions\r
+<strong>tcp_connector.messages</strong>: total messages (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream_udp.timeouts</strong>: udp session timeouts\r
+<strong>telnet.concurrent_sessions</strong>: total concurrent telnet sessions (now)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp_total_prunes</strong>: total udp sessions pruned\r
+<strong>telnet.max_concurrent_sessions</strong>: maximum concurrent telnet sessions (max)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.udp_uni_prunes</strong>: udp uni sessions pruned\r
+<strong>telnet.total_packets</strong>: total packets (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user_excess_prunes</strong>: user sessions pruned due to excess\r
+<strong>udp.bad_udp4_checksum</strong>: nonzero udp over ipv4 checksums (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user_flows</strong>: total user sessions\r
+<strong>udp.bad_udp6_checksum</strong>: nonzero udp over ipv6 checksums (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user_ha_prunes</strong>: user sessions pruned by high availability sync\r
+<strong>wizard.tcp_hits</strong>: tcp identifications (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user_idle_prunes</strong>: user sessions pruned due to timeout\r
+<strong>wizard.tcp_scans</strong>: tcp payload scans (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user_memcap_prunes</strong>: user sessions pruned due to memcap\r
+<strong>wizard.udp_hits</strong>: udp identifications (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user_preemptive_prunes</strong>: user sessions pruned during preemptive pruning\r
+<strong>wizard.udp_scans</strong>: udp payload scans (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user_total_prunes</strong>: total user sessions pruned\r
+<strong>wizard.user_hits</strong>: user identifications (sum)\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>stream.user_uni_prunes</strong>: user uni sessions pruned\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>tcp.bad_tcp4_checksum</strong>: nonzero tcp over ip checksums\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>tcp.bad_tcp6_checksum</strong>: nonzero tcp over ipv6 checksums\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>tcp_connector.messages</strong>: total messages\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>telnet.packets</strong>: total packets\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>udp.bad_udp4_checksum</strong>: nonzero udp over ipv4 checksums\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>udp.bad_udp6_checksum</strong>: nonzero udp over ipv6 checksums\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>wizard.tcp_hits</strong>: tcp identifications\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>wizard.tcp_scans</strong>: tcp payload scans\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>wizard.udp_hits</strong>: udp identifications\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>wizard.udp_scans</strong>: udp payload scans\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>wizard.user_hits</strong>: user identifications\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
-<strong>wizard.user_scans</strong>: user payload scans\r
+<strong>wizard.user_scans</strong>: user payload scans (sum)\r
</p>\r
</li>\r
</ul></div>\r
</li>\r
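Review bot: the stream_udp.*, stream.user_* and tcp.bad_tcp4_checksum / tcp.bad_tcp6_checksum counters are removed in this hunk without a matching "+" line, while the tcp_connector, telnet, udp and wizard counters are re-added with their new "(sum)", "(now)" and "(max)" suffixes; please confirm the stream and tcp entries are re-listed earlier in the reordered list with the same suffix annotations rather than dropped from the manual. Also note that "telnet.packets" comes back as "telnet.total_packets", a rename worth calling out in the change description since anything consuming these counter names by string will break.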
<li>\r
<p>\r
+<strong>116</strong>: pbb\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>116</strong>: pgm\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>116:424</strong> (pbb) truncated ethernet header\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>116:425</strong> (ipv4) truncated IPv4 header\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
-<strong>119:5</strong> (http_inspect) obsolete event—should not appear\r
+<strong>119:5</strong> (http_inspect) obsolete event—deleted\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>119:22</strong> (http_inspect) obsolete event—should not appear\r
+<strong>119:22</strong> (http_inspect) obsolete event—deleted\r
</p>\r
</li>\r
<li>\r
</li>\r
<li>\r
<p>\r
-<strong>133:27</strong> (dce_smb) connection oriented DCE/RPC - invalid major version\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>133:27</strong> (dce_tcp) connection oriented DCE/RPC - invalid major version\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:28</strong> (dce_smb) connection oriented DCE/RPC - invalid minor version\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>133:28</strong> (dce_tcp) connection oriented DCE/RPC - invalid minor version\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:29</strong> (dce_smb) connection-oriented DCE/RPC - invalid PDU type\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>133:29</strong> (dce_tcp) connection-oriented DCE/RPC - invalid PDU type\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:30</strong> (dce_smb) connection-oriented DCE/RPC - fragment length less than header size\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>133:30</strong> (dce_tcp) connection-oriented DCE/RPC - fragment length less than header size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:32</strong> (dce_smb) connection-oriented DCE/RPC - no context items specified\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>133:32</strong> (dce_tcp) connection-oriented DCE/RPC - no context items specified\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:33</strong> (dce_smb) connection-oriented DCE/RPC -no transfer syntaxes specified\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>133:33</strong> (dce_tcp) connection-oriented DCE/RPC -no transfer syntaxes specified\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:34</strong> (dce_smb) connection-oriented DCE/RPC - fragment length on non-last fragment less than maximum negotiated fragment transmit size for client\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>133:34</strong> (dce_tcp) connection-oriented DCE/RPC - fragment length on non-last fragment less than maximum negotiated fragment transmit size for client\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:35</strong> (dce_smb) connection-oriented DCE/RPC - fragment length greater than maximum negotiated fragment transmit size\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>133:35</strong> (dce_tcp) connection-oriented DCE/RPC - fragment length greater than maximum negotiated fragment transmit size\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:36</strong> (dce_smb) connection-oriented DCE/RPC - alter context byte order different from bind\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>133:36</strong> (dce_tcp) connection-oriented DCE/RPC - alter context byte order different from bind\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:37</strong> (dce_smb) connection-oriented DCE/RPC - call id of non first/last fragment different from call id established for fragmented request\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>133:37</strong> (dce_tcp) connection-oriented DCE/RPC - call id of non first/last fragment different from call id established for fragmented request\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:38</strong> (dce_smb) connection-oriented DCE/RPC - opnum of non first/last fragment different from opnum established for fragmented request\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>133:38</strong> (dce_tcp) connection-oriented DCE/RPC - opnum of non first/last fragment different from opnum established for fragmented request\r
</p>\r
</li>\r
<li>\r
<p>\r
-<strong>133:39</strong> (dce_smb) connection-oriented DCE/RPC - context id of non first/last fragment different from context id established for fragmented request\r
-</p>\r
-</li>\r
-<li>\r
-<p>\r
<strong>133:39</strong> (dce_tcp) connection-oriented DCE/RPC - context id of non first/last fragment different from context id established for fragmented request\r
</p>\r
</li>\r
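Review bot: removing the dce_smb entries for 133:27 through 133:39 leaves these SIDs documented only under dce_tcp, yet the removed lines carried identical descriptions for SMB-carried DCE/RPC; if the dce_smb inspector still raises these events, the remaining dce_tcp entries should say so (or the list should note that the duplicates were merged), otherwise a reader will conclude dce_smb no longer alerts on invalid versions, PDU types or fragment lengths.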
</li>\r
<li>\r
<p>\r
+<strong>snort.delete_inspector</strong>(inspector): delete an inspector from the default policy\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>snort.detach</strong>(): exit shell w/o shutdown\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>snort.reload_policy</strong>(filename): reload part or all of the default policy\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>snort.resume</strong>(): continue packet processing\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>alert_json</strong> (logger): output event in json format\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>alert_sfsocket</strong> (logger): output event over socket\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>http_raw_body</strong> (ips_option): rule option to set the detection cursor to the unnormalized message body\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>http_raw_cookie</strong> (ips_option): rule option to set the detection cursor to the unnormalized cookie\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>http_true_ip</strong> (ips_option): rule option to set the detection cursor to the final client IP address\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>http_uri</strong> (ips_option): rule option to set the detection cursor to the normalized URI buffer\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>mss</strong> (ips_option): detection for TCP maximum segment size\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>network</strong> (basic): configure basic network parameters\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>pbb</strong> (codec): support for 802.1ah protocol\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>pcre</strong> (ips_option): rule option for matching payload data with pcre\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>reg_test</strong> (inspector): The regression test inspector (rti) is used when special packet handling is required for a reg test\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>regex</strong> (ips_option): rule option for matching payload data with hyperscan regex\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>service</strong> (ips_option): rule option to specify list of services for grouping rules\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>session</strong> (ips_option): rule option to check user data from TCP sessions\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>target</strong> (ips_option): rule option to indicate target of attack\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>tcp</strong> (codec): support for transmission control protocol\r
</p>\r
</li>\r
<strong>wlan</strong> (codec): support for wireless local area network protocol (DLT 105)\r
</p>\r
</li>\r
+<li>\r
+<p>\r
+<strong>wscale</strong> (ips_option): detection for TCP window scale\r
+</p>\r
+</li>\r
</ul></div>\r
</div>\r
<div class="sect2">\r
</li>\r
<li>\r
<p>\r
+<strong>codec::pbb</strong>: support for 802.1ah protocol\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>codec::pflog</strong>: support for OpenBSD PF log (DLT 117)\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>inspector::reg_test</strong>: The regression test inspector (rti) is used when special packet handling is required for a reg test\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>inspector::reputation</strong>: reputation inspection\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>ips_option::http_raw_body</strong>: rule option to set the detection cursor to the unnormalized message body\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>ips_option::http_raw_cookie</strong>: rule option to set the detection cursor to the unnormalized cookie\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>ips_option::http_true_ip</strong>: rule option to set the detection cursor to the final client IP address\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>ips_option::http_uri</strong>: rule option to set the detection cursor to the normalized URI buffer\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>ips_option::mss</strong>: detection for TCP maximum segment size\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>ips_option::pcre</strong>: rule option for matching payload data with pcre\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>ips_option::service</strong>: rule option to specify list of services for grouping rules\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>ips_option::session</strong>: rule option to check user data from TCP sessions\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>ips_option::target</strong>: rule option to indicate target of attack\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>ips_option::tos</strong>: rule option to check type of service field\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>ips_option::wscale</strong>: detection for TCP window scale\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>logger::alert_csv</strong>: output event in csv format\r
</p>\r
</li>\r
</li>\r
<li>\r
<p>\r
+<strong>logger::alert_json</strong>: output event in json format\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
<strong>logger::alert_sfsocket</strong>: output event over socket\r
</p>\r
</li>\r
<div id="footnotes"><hr /></div>\r
<div id="footer">\r
<div id="footer-text">\r
-Last updated 2017-07-23 23:01:50 EDT\r
+Last updated 2017-10-31 00:00:56 EDT\r
</div>\r
</div>\r
</body>\r
5.6. High Availability
5.7. HTTP Inspector
5.8. Performance Monitor
- 5.9. Sensitive Data Filtering
- 5.10. Wizard
+ 5.9. POP and IMAP
+ 5.10. Port Scan
+ 5.11. Sensitive Data Filtering
+ 5.12. SMTP
+ 5.13. Wizard
6. Basic Modules
7.16. ipv6
7.17. llc
7.18. mpls
- 7.19. pgm
- 7.20. pppoe
- 7.21. tcp
- 7.22. token_ring
- 7.23. udp
- 7.24. vlan
- 7.25. wlan
+ 7.19. pbb
+ 7.20. pgm
+ 7.21. pppoe
+ 7.22. tcp
+ 7.23. token_ring
+ 7.24. udp
+ 7.25. vlan
+ 7.26. wlan
8. Connector Modules
9.25. perf_monitor
9.26. pop
9.27. port_scan
- 9.28. reputation
- 9.29. rpc_decode
- 9.30. sip
- 9.31. smtp
- 9.32. ssh
- 9.33. ssl
- 9.34. stream
- 9.35. stream_file
- 9.36. stream_icmp
- 9.37. stream_ip
- 9.38. stream_tcp
- 9.39. stream_udp
- 9.40. stream_user
- 9.41. telnet
- 9.42. wizard
+ 9.28. reg_test
+ 9.29. reputation
+ 9.30. rpc_decode
+ 9.31. sip
+ 9.32. smtp
+ 9.33. ssh
+ 9.34. ssl
+ 9.35. stream
+ 9.36. stream_file
+ 9.37. stream_icmp
+ 9.38. stream_ip
+ 9.39. stream_tcp
+ 9.40. stream_udp
+ 9.41. stream_user
+ 9.42. telnet
+ 9.43. wizard
10. IPS Action Modules
11.34. http_cookie
11.35. http_header
11.36. http_method
- 11.37. http_raw_cookie
- 11.38. http_raw_header
- 11.39. http_raw_request
- 11.40. http_raw_status
- 11.41. http_raw_trailer
- 11.42. http_raw_uri
- 11.43. http_stat_code
- 11.44. http_stat_msg
- 11.45. http_trailer
- 11.46. http_uri
- 11.47. http_version
- 11.48. icmp_id
- 11.49. icmp_seq
- 11.50. icode
- 11.51. id
- 11.52. ip_proto
- 11.53. ipopts
- 11.54. isdataat
- 11.55. itype
- 11.56. md5
- 11.57. metadata
- 11.58. modbus_data
- 11.59. modbus_func
- 11.60. modbus_unit
- 11.61. msg
- 11.62. pcre
- 11.63. pkt_data
- 11.64. pkt_num
- 11.65. priority
- 11.66. raw_data
- 11.67. reference
- 11.68. regex
- 11.69. rem
- 11.70. replace
- 11.71. rev
- 11.72. rpc
- 11.73. sd_pattern
- 11.74. seq
- 11.75. session
- 11.76. sha256
- 11.77. sha512
- 11.78. sid
- 11.79. sip_body
- 11.80. sip_header
- 11.81. sip_method
- 11.82. sip_stat_code
- 11.83. so
- 11.84. soid
- 11.85. ssl_state
- 11.86. ssl_version
- 11.87. stream_reassemble
- 11.88. stream_size
- 11.89. tag
- 11.90. tos
- 11.91. ttl
- 11.92. urg
- 11.93. window
+ 11.37. http_raw_body
+ 11.38. http_raw_cookie
+ 11.39. http_raw_header
+ 11.40. http_raw_request
+ 11.41. http_raw_status
+ 11.42. http_raw_trailer
+ 11.43. http_raw_uri
+ 11.44. http_stat_code
+ 11.45. http_stat_msg
+ 11.46. http_trailer
+ 11.47. http_true_ip
+ 11.48. http_uri
+ 11.49. http_version
+ 11.50. icmp_id
+ 11.51. icmp_seq
+ 11.52. icode
+ 11.53. id
+ 11.54. ip_proto
+ 11.55. ipopts
+ 11.56. isdataat
+ 11.57. itype
+ 11.58. md5
+ 11.59. metadata
+ 11.60. modbus_data
+ 11.61. modbus_func
+ 11.62. modbus_unit
+ 11.63. msg
+ 11.64. mss
+ 11.65. pcre
+ 11.66. pkt_data
+ 11.67. pkt_num
+ 11.68. priority
+ 11.69. raw_data
+ 11.70. reference
+ 11.71. regex
+ 11.72. rem
+ 11.73. replace
+ 11.74. rev
+ 11.75. rpc
+ 11.76. sd_pattern
+ 11.77. seq
+ 11.78. service
+ 11.79. session
+ 11.80. sha256
+ 11.81. sha512
+ 11.82. sid
+ 11.83. sip_body
+ 11.84. sip_header
+ 11.85. sip_method
+ 11.86. sip_stat_code
+ 11.87. so
+ 11.88. soid
+ 11.89. ssl_state
+ 11.90. ssl_version
+ 11.91. stream_reassemble
+ 11.92. stream_size
+ 11.93. tag
+ 11.94. target
+ 11.95. tos
+ 11.96. ttl
+ 11.97. urg
+ 11.98. window
+ 11.99. wscale
12. Search Engine Modules
13. SO Rule Modules
14.2. alert_ex
14.3. alert_fast
14.4. alert_full
- 14.5. alert_sfsocket
- 14.6. alert_syslog
- 14.7. alert_unixsock
- 14.8. log_codecs
- 14.9. log_hext
- 14.10. log_pcap
- 14.11. unified2
+ 14.5. alert_json
+ 14.6. alert_sfsocket
+ 14.7. alert_syslog
+ 14.8. alert_unixsock
+ 14.9. log_codecs
+ 14.10. log_hext
+ 14.11. log_pcap
+ 14.12. unified2
15. DAQ Configuration and Modules
Snorty
,,_ -*> Snort++ <*-
-o" )~ Version 3.0.0-a4 (Build 237) from 2.9.8-383
+o" )~ Version 3.0.0 (Build 239) from 2.9.8-383
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.
* enum: a string selected from the given range
* implied: an IPS rule option that takes no value but means true
* int: a whole number in the given range
+ * interval: a set of ints (see below)
* ip4: an IP4 address or CIDR
* mac: an ethernet address with the form 01:02:03:04:05:06
* multi: one or more space separated strings from the given range
parameters. The names of such parameters do not appear in the
rule.
* IPS rules may also have a wild card parameter, which is indicated
- by a *. Only used for metadata that Snort ignores.
+ by a *. Used for unquoted, comma-separated lists such as service
+ and metadata.
* The snort module has command line options starting with a -.
Some additional details to note:
otherwise there is no hard limit.
* bit_list is typically used to store a set of byte, port, or VLAN
ID values.
+ * interval takes the form [operator]i, j<>k, or j<⇒k where i,j,k
+ are integers and operator is one of =, !, != (same as !), <, ⇐,
+ >, >=. j<>k means j < int < k and j<⇒k means j ⇐ int ⇐ k.
2.4. Plugins
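Review bot: the interval description renders "<=" as "⇐" and "<=>" as "<⇒" (the lines "+interval takes the form [operator]i, j<>k, or j<⇒k" and "+ ... <, ⇐, >, >="), which is AsciiDoc replacing those character sequences with arrow glyphs, so the operators shown do not match what a user must actually type in a rule. Escape the sequences in the AsciiDoc source so the text reads "j<=>k", "<=" and "j <= int <= k"; the HTML rendering of the same list has the same problem.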
* hyperscan >= 4.4.0 from https://github.com/01org/hyperscan to
build new the regex and sd_pattern rule options and hyperscan
search engine
+ * iconv from https://ftp.gnu.org/pub/gnu/libiconv/ for converting
+ UTF16-LE filenames to UTF8 (usually included in glibc)
* lzma >= 5.1.2 from http://tukaani.org/xz/ for decompression of
SWF and PDF files
* safec from https://sourceforge.net/projects/safeclib/ for runtime
to generate the dev guide
* w3m from http://sourceforge.net/projects/w3m/ to build the plain
text manual
+ * uuid from uuid-dev package for unique identifiers
3.2. Building
snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A alert_full
+Capture separate stdout, stderr, and stdlog files (out has startup
+and shutdown output, err has warnings and errors, and log has
+alerts):
+
+snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A csv \
+ 1>out 2>err 3>log
+
Add or modify a configuration from the command line using the "--lua"
option:
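Review bot: the new stdout/stderr/stdlog example depends on Snort writing alerts to file descriptor 3, but the text only names "stdlog" without saying which descriptor that is, so "3>log" reads like a typo; add a sentence stating that alerts go to stdlog, file descriptor 3, and that "1>out 2>err 3>log" is ordinary shell redirection (sh and bash) rather than a Snort option.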
Normalization for http_cookie is the same URI-style normalization
applied to http_header when no specific header is specified.
-5.7.3.5. http_client_body
+5.7.3.5. http_true_ip
+
+This provides the original IP address of the client sending the
+request as it was stored by a proxy in the request message headers.
+Specifically it is the last IP address listed in the X-Forwarded-For
+or True-Client-IP header. If both headers are present the former is
+used.
+
+5.7.3.6. http_client_body
This is the body of a request message such as POST or PUT.
Normalization for http_client_body is the same URI-like normalization
applied to http_header when no specific header is specified.
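Review bot: the http_true_ip description should state that X-Forwarded-For and True-Client-IP are request headers the client can set itself, so the "final client IP address" is only as trustworthy as the proxy that appended the last entry; a rule that relies on this buffer needs that caveat. The precedence sentence is also easy to misread: "If both headers are present the former is used" should name X-Forwarded-For explicitly.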
-5.7.3.6. http_method
+5.7.3.7. http_raw_body
+
+This is the body of a request or response message. It will be
+dechunked and unzipped if applicable but will not be normalized in
+any other way. The difference between http_raw_body and packet data
+is a rule that uses packet data will search and may match an HTTP
+header, but http_raw_body is limited to the message body. Thus the
+latter is more efficient and more accurate for most uses.
+
+5.7.3.8. http_method
The method field of a request message. Common values are "GET",
"POST", "OPTIONS", "HEAD", "DELETE", "PUT", "TRACE", and "CONNECT".
-5.7.3.7. http_stat_code
+5.7.3.9. http_stat_code
The status code field of a response message. This is normally a
3-digit number between 100 and 599. In this example it is 200.
HTTP/1.1 200 OK
-5.7.3.8. http_stat_msg
+5.7.3.10. http_stat_msg
The reason phrase field of a response message. This is the
human-readable text following the status code. "OK" in the previous
example.
-5.7.3.9. http_version
+5.7.3.11. http_version
The protocol version information that appears on the first line of an
HTTP message. This is usually "HTTP/1.0" or "HTTP/1.1".
-5.7.3.10. http_raw_request and http_raw_status
+5.7.3.12. http_raw_request and http_raw_status
These are the unmodified first header line of the HTTP request and
response messages respectively. These rule options are a safety valve
http_raw_uri, and http_version. For a response message those are
http_version, http_stat_code, and http_stat_msg.
-5.7.3.11. file_data and packet data
+5.7.3.13. file_data and packet data
file_data contains the normalized message body. This is the
normalization described above under gzip, normalize_utf,
decompress_pdf, decompress_swf, and normalize_javascript.
-The unnormalized message body is available in the packet data. If
+The unnormalized message content is available in the packet data. If
gzip is configured the packet data will be unzipped.
5.7.4. Timing issues and combining rule options
monitor or the code provided for fbstreamer.
-5.9. Sensitive Data Filtering
+5.9. POP and IMAP
+
+--------------
+
+POP inspector is a service inspector for POP3 protocol and IMAP
+inspector is for IMAP4 protocol.
+
+5.9.1. Overview
+
+POP and IMAP inspectors examine data traffic and find POP and IMAP
+commands and responses. The inspectors also identify the command,
+header, body sections and extract the MIME attachments and decode it
+appropriately. The pop and imap also identify and whitelist the pop
+and imap traffic.
+
+5.9.2. Configuration
+
+POP inspector and IMAP inspector offer same set of configuration
+options for MIME decoding depth:
+
+5.9.2.1. b64_decode_depth
+
+This config option is used to turn off/on or set the base64 decoding
+depth used to decode the base64 encoded MIME attachments. The value
+ranges from -1 to 65535. A value of -1 turns off the base64 decoding
+of MIME attachments. The value of 0 sets the decoding of base64
+encoded MIME attachments to unlimited. A value other than 0 or -1
+restricts the decoding of base64 MIME attachments, and applies per
+attachment. The default value is 1460.
+
+5.9.2.2. qp_decode_depth
+
+This config option is used to turn off/on or set the Quoted-Printable
+decoding depth used to decode the Quoted-Printable(QP) encoded MIME
+attachments. The value ranges from -1 to 65535. A value of -1 turns
+off the QP decoding of MIME attachments. The value of 0 sets the
+decoding of QP encoded MIME attachments to unlimited. A value other
+than 0 or -1 restricts the decoding of QP MIME attachments, and
+applies per attachment.
+
+5.9.2.3. bitenc_decode_depth
+
+This config option is used to turn off/on or set the non-encoded MIME
+extraction depth used to extract the non-encoded MIME attachments.
+The value ranges from -1 to 65535. A value of -1 turns off the
+extraction of these MIME attachments. The value of 0 sets the
+extraction of these MIME attachments to unlimited. A value other than
+0 or -1 restricts the extraction of these MIME attachments, and
+applies per attachment.
+
+5.9.2.4. uu_decode_depth
+
+This config option is used to turn off/on or set the Unix-to-Unix
+decoding depth used to decode the Unix-to-Unix(UU) encoded
+attachments. The value ranges from -1 to 65535. A value of -1 turns
+off the UU decoding of POP attachments. The value of 0 sets the
+decoding of UU encoded POP attachments to unlimited. A value other
+than 0 or -1 restricts the decoding of UU POP attachments, and
+applies per attachment.
+
+5.9.2.5. Examples
+
+stream = { }
+
+stream_tcp = { }
+
+stream_ip = { }
+
+binder =
+{
+ {
+ {
+ when = { proto = 'tcp', ports = '110', },
+ use = { type = 'pop', },
+ },
+ {
+ when = { proto = 'tcp', ports = '143', },
+ use = { type = 'imap', },
+ },
+ },
+}
+
+imap =
+{
+ qp_decode_depth = 15,
+}
+
+pop =
+{
+ qp_decode_depth = 0,
+ b64_decode_depth = 10,
+}
+
+
+5.10. Port Scan
+
+--------------
+
+A module to detect port scanning
+
+5.10.1. Overview
+
+This module is designed to detect the first phase in a network
+attack: Reconnaissance. In the Reconnaissance phase, an attacker
+determines what types of network protocols or services a host
+supports. This is the traditional place where a portscan takes place.
+This phase assumes the attacking host has no prior knowledge of what
+protocols or services are supported by the target, otherwise this
+phase would not be necessary.
+
+As the attacker has no beforehand knowledge of its intended target,
+most queries sent by the attacker will be negative (meaning that the
+services are closed). In the nature of legitimate network
+communications, negative responses from hosts are rare, and rarer
+still are multiple negative responses within a given amount of time.
+Our primary objective in detecting portscans is to detect and track
+these negative responses.
+
+One of the most common portscanning tools in use today is Nmap. Nmap
+encompasses many, if not all, of the current portscanning techniques.
+Portscan was designed to be able to detect the different types of
+scans Nmap can produce.
+
+The following are a list of the types of Nmap scans Portscan will
+currently alert for.
+
+ * TCP Portscan
+ * UDP Portscan
+ * IP Portscan
+
+These alerts are for one to one portscans, which are the traditional
+types of scans; one host scans multiple ports on another host. Most
+of the port queries will be negative, since most hosts have
+relatively few services available.
+
+ * TCP Decoy Portscan
+ * UDP Decoy Portscan
+ * IP Decoy Portscan
+
+Decoy portscans are much like regular, only the attacker has spoofed
+source address inter-mixed with the real scanning address. This
+tactic helps hide the true identity of the attacker.
+
+ * TCP Distributed Portscan
+ * UDP Distributed Portscan
+ * IP Distributed Portscan
+
+These are many to one portscans. Distributed portscans occur when
+multiple hosts query one host for open services. This is used to
+evade an IDS and obfuscate command and control hosts.
+
+Note
+
+Negative queries will be distributed among scanning hosts, so we
+track this type of scan through the scanned host.
+
+ * TCP Portsweep
+ * UDP Portsweep
+ * IP Portsweep
+ * ICMP Portsweep
+
+These alerts are for one to many portsweeps. One host scans a single
+port on multiple hosts. This usually occurs when a new exploit comes
+out and the attacker is looking for a specific service.
+
+Note
+
+The characteristics of a portsweep scan may not result in many
+negative responses. For example, if an attacker portsweeps a web farm
+for port 80, we will most likely not see many negative responses.
+
+ * TCP Filtered Portscan
+ * UDP Filtered Portscan
+ * IP Filtered Portscan
+ * TCP Filtered Decoy Portscan
+ * UDP Filtered Decoy Portscan
+ * IP Filtered Decoy Portscan
+ * TCP Filtered Portsweep
+ * UDP Filtered Portsweep
+ * IP Filtered Portsweep
+ * ICMP Filtered Portsweep
+ * TCP Filtered Distributed Portscan
+ * UDP Filtered Distributed Portscan
+ * IP Filtered Distributed Portscan
+
+"Filtered" alerts indicate that there were no network errors (ICMP
+unreachables or TCP RSTs) or responses on closed ports have been
+suppressed. It’s also a good indicator on whether the alert is just a
+very active legitimate host. Active hosts, such as NATs, can trigger
+these alerts because they can send out many connection attempts
+within a very small amount of time. A filtered alert may go off
+before responses from the remote hosts are received.
+
+Portscan only generates one alert for each host pair in question
+during the time window. On TCP scan alerts, Portscan will also
+display any open ports that were scanned. On TCP sweep alerts
+however, Portscan will only track open ports after the alert has been
+triggered. Open port events are not individual alerts, but tags based
+off the original scan alert.
+
+5.10.2. Scan levels
+
+There are 3 default scan levels that can be set.
+
+1) default_hi_port_scan
+2) default_med_port_scan
+3) default_low_port_scan
+
+Each of these default levels have separate options that can be edited
+to alter the scan sensitivity levels (scans, rejects, nets or ports)
+
+Example:
+
+port_scan = default_low_port_scan
+
+port_scan.tcp_decoy.ports = 1
+port_scan.tcp_decoy.scans = 1
+port_scan.tcp_decoy.rejects = 1
+port_scan.tcp_ports.nets = 1
+
+The example above would change each of the individual settings to 1.
+
+NOTE:The default levels for scans, rejects, nets and ports can be
+seen in the snort_defaults.lua file.
+
+The counts can be seen in the alert outputs (-Acmg shown below):
+
+50 72 69 6F 72 69 74 79 20 43 6F 75 6E 74 3A 20 Priority Count:
+30 0A 43 6F 6E 6E 65 63 74 69 6F 6E 20 43 6F 75 0.Connec tion Cou
+6E 74 3A 20 34 35 0A 49 50 20 43 6F 75 6E 74 3A nt: 45.I P Count:
+20 31 0A 53 63 61 6E 6E 65 72 20 49 50 20 52 61 1.Scann er IP Ra
+6E 67 65 3A 20 31 2E 32 2E 33 2E 34 3A 31 2E 32 nge: 1.2 .3.4:1.2
+2E 33 2E 34 0A 50 6F 72 74 2F 50 72 6F 74 6F 20 .3.4.Por t/Proto
+43 6F 75 6E 74 3A 20 33 37 0A 50 6F 72 74 2F 50 Count: 3 7.Port/P
+72 6F 74 6F 20 52 61 6E 67 65 3A 20 31 3A 39 0A roto Ran ge: 1:9.
+
+"Low" alerts are only generated on error packets sent from the target
+host, and because of the nature of error responses, this setting
+should see very few false positives. However, this setting will never
+trigger a Filtered Scan alert because of a lack of error responses.
+This setting is based on a static time window of 60 seconds, after
+which this window is reset.
+
+"Medium" alerts track Connection Counts, and so will generate
+Filtered Scan alerts. This setting may false positive on active hosts
+(NATs, proxies, DNS caches, etc), so the user may need to deploy the
+use of Ignore directives to properly tune this directive.
+
+"High" alerts continuously track hosts on a network using a time
+window to evaluate portscan statistics for that host. A "High"
+setting will catch some slow scans because of the continuous
+monitoring, but is very sensitive to active hosts. This most
+definitely will require the user to tune Portscan.
+
+5.10.3. Tuning Portscan
+
+The most important aspect in detecting portscans is tuning the
+detection engine for your network(s). Here are some tuning tips:
+
+Use the watch_ip, ignore_scanners, and ignore_scanned options. It’s
+important to correctly set these options. The watch_ip option is easy
+to understand. The analyst should set this option to the list of Cidr
+blocks and IPs that they want to watch. If no watch_ip is defined,
+Portscan will watch all network traffic. The ignore_scanners and
+ignore_scanned options come into play in weeding out legitimate hosts
+that are very active on your network. Some of the most common
+examples are NAT IPs, DNS cache servers, syslog servers, and nfs
+servers. Portscan may not generate false positives for these types of
+hosts, but be aware when first tuning Portscan for these IPs.
+Depending on the type of alert that the host generates, the analyst
+will know which to ignore it as. If the host is generating portsweep
+events, then add it to the ignore_scanners option. If the host is
+generating portscan alerts (and is the host that is being scanned),
+add it to the ignore_scanned option.
+
+Filtered scan alerts are much more prone to false positives. When
+determining false positives, the alert type is very important. Most
+of the false positives that Portscan may generate are of the filtered
+scan alert type. So be much more suspicious of filtered portscans.
+Many times this just indicates that a host was very active during the
+time period in question. If the host continually generates these
+types of alerts, add it to the ignore_scanners list or use a lower
+sensitivity level.
+
+Make use of the Priority Count, Connection Count, IP Count, Port
+Count, IP range, and Port range to determine false positives. The
+portscan alert details are vital in determining the scope of a
+portscan and also the confidence of the portscan. In the future, we
+hope to automate much of this analysis in assigning a scope level and
+confidence level, but for now the user must manually do this. The
+easiest way to determine false positives is through simple ratio
+estimations. The following is a list of ratios to estimate and the
+associated values that indicate a legitimate scan and not a false
+positive.
+
+Connection Count / IP Count: This ratio indicates an estimated
+average of connections per IP. For portscans, this ratio should be
+high, the higher the better. For portsweeps, this ratio should be
+low.
+
+Port Count / IP Count: This ratio indicates an estimated average of
+ports connected to per IP. For portscans, this ratio should be high
+and indicates that the scanned host’s ports were connected to by
+fewer IPs. For portsweeps, this ratio should be low, indicating that
+the scanning host connected to few ports but on many hosts.
+
+Connection Count / Port Count: This ratio indicates an estimated
+average of connections per port. For portscans, this ratio should be
+low. This indicates that each connection was to a different port. For
+portsweeps, this ratio should be high. This indicates that there were
+many connections to the same port.
+
+The reason that Priority Count is not included, is because the
+priority count is included in the connection count and the above
+comparisons take that into consideration. The Priority Count play an
+important role in tuning because the higher the priority count the
+more likely it is a real portscan or portsweep (unless the host is
+firewalled).
+
+If all else fails, lower the sensitivity level. If none of these
+other tuning techniques work or the analyst doesn’t have the time for
+tuning, lower the sensitivity level. You get the best protection the
+higher the sensitivity level, but it’s also important that the
+portscan detection engine generates alerts that the analyst will find
+informative. The low sensitivity level only generates alerts based on
+error responses. These responses indicate a portscan and the alerts
+generated by the low sensitivity level are highly accurate and
+require the least tuning. The low sensitivity level does not catch
+filtered scans, since these are more prone to false positives.
+
+
+5.11. Sensitive Data Filtering
--------------
addresses. A rich regular expression syntax is available for defining
your own PII.
-5.9.1. Hyperscan
+5.11.1. Hyperscan
The sd_pattern rule option is powered by the open source Hyperscan
library from Intel. It provides a regex grammar which is mostly PCRE
compatible. To learn more about Hyperscan see http://01org.github.io/
hyperscan/dev-reference/
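Review bot: grammar and redundancy in the new portscan tuning text. "The Priority Count play an important role" should read "plays", and the two opening sentences of the last paragraph ("If all else fails, lower the sensitivity level. If none of these other tuning techniques work or the analyst doesn't have the time for tuning, lower the sensitivity level.") say the same thing twice; keep one. The ratio descriptions are otherwise clear, but "In the future, we hope to automate much of this analysis" is roadmap language that will go stale in a user manual; consider dropping it or moving it to the project notes.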
-5.9.2. Syntax
+5.11.2. Syntax
Snort provides sd_pattern as IPS rule option with no additional
inspector overhead. The Rule option takes the following syntax.
sd_pattern: "<pattern>"[, threshold <count>];
-5.9.2.1. Pattern
+5.11.2.1. Pattern
Pattern is the most important and is the only required parameter to
sd_pattern. It supports 3 built in patterns which are configured by
Note: This is just an example, this pattern is not suitable to detect
many correctly formatted emails.
-5.9.2.2. Threshold
+5.11.2.2. Threshold
Threshold is an optional parameter allowing you to change built in
default value (default value is 1). The following two instances are
literal" to qualify as a positive match. That is, if the string only
occurred 299 times in a packet, you will not see an event.
-5.9.2.3. Obfuscating Credit Cards and Social Security Numbers
+5.11.2.3. Obfuscating Credit Cards and Social Security Numbers
Snort provides discreet logging for the built in patterns
"credit_card", "us_social" and "us_social_nodashes". Enabling
obfuscate_pii = true
}
-5.9.3. Example
+5.11.3. Example
A complete Snort IPS rule
58 58 58 58 58 58 58 58 58 58 58 58 39 32 39 34 XXXXXXXXXXXX9294
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-5.9.4. Caveats
+5.11.4. Caveats
1. Snort currently requires setting the fast pattern engine to use
"hyperscan" in order for sd_pattern ips option to function
(This is a known bug).
-5.10. Wizard
+5.12. SMTP
+
+--------------
+
+SMTP inspector is a service inspector for SMTP protocol.
+
+5.12.1. Overview
+
+The SMTP inspector examines SMTP connections looking for commands and
+responses. It also identifies the command, header and body sections,
+TLS data and extracts the MIME attachments. This inspector also
+identifies and whitelists the SMTP traffic.
+
+SMTP inspector logs the filename, email addresses, attachment names
+when configured.
+
+5.12.2. Configuration
+
+SMTP command lines can be normalized to remove extraneous spaces.
+TLS-encrypted traffic can be ignored, which improves performance. In
+addition, plain-text mail data can be ignored for an additional
+performance boost.
+
+The configuration options are described below:
+
+5.12.2.1. normalize and normalize_cmds
+
+Normalization checks for more than one space character after a
+command. Space characters are defined as space (ASCII 0x20) or tab
+(ASCII 0x09). "normalize" provides options all|none|cmds, all checks
+all commands, none turns off normalization for all commands. cmds
+just checks commands listed with the "normalize_cmds" parameter. For
+example:
+
+smtp = { normalize = 'cmds', normalize_cmds = 'RCPT VRFY EXPN' }
+
+5.12.2.2. ignore_data
+
+Set it to true to ignore data section of mail (except for mail
+headers) when processing rules.
+
+5.12.2.3. ignore_tls_data
+
+Set it to true to ignore TLS-encrypted data when processing rules.
+
+5.12.2.4. max_command_line_len
+
+Alert if an SMTP command line is longer than this value. Absence of
+this option or a "0" means never alert on command line length. RFC
+2821 recommends 512 as a maximum command line length.
+
+5.12.2.5. max_header_line_len
+
+Alert if an SMTP DATA header line is longer than this value. Absence
+of this option or a "0" means never alert on data header line length.
+RFC 2821 recommends 1024 as a maximum data header line length.
+
+5.12.2.6. max_response_line_len
+
+Alert if an SMTP response line is longer than this value. Absence of
+this option or a "0" means never alert on response line length. RFC
+2821 recommends 512 as a maximum response line length.
+
+5.12.2.7. alt_max_command_line_len
+
+Overrides max_command_line_len for specific commands For example:
+
+alt_max_command_line_len =
+{
+ {
+ command = 'MAIL',
+ length = 260,
+ },
+ {
+ command = 'RCPT',
+ length = 300,
+ },
+}
+
+5.12.2.8. invalid_cmds
+
+Alert if this command is sent from client side.
+
+5.12.2.9. valid_cmds
+
+List of valid commands. We do not alert on commands in this list.
+
+DEFAULT empty list, but SMTP inspector has this list hard-coded: [[
+ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN
+HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SIZE
+STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS X-LINK2STATE
+XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR ]]
+
+5.12.2.10. data_cmds
+
+List of commands that initiate sending of data with an end of data
+delimiter the same as that of the DATA command per RFC 5321 - "
+<CRLF>.<CRLF>".
+
+5.12.2.11. binary_data_cmds
+
+List of commands that initiate sending of data and use a length value
+after the command to indicate the amount of data to be sent, similar
+to that of the BDAT command per RFC 3030.
+
+5.12.2.12. auth_cmds
+
+List of commands that initiate an authentication exchange between
+client and server.
+
+5.12.2.13. xlink2state
+
+Enable/disable xlink2state alert, options are {disable | alert |
+drop}. See CVE-2005-0560 for a description of the vulnerability.
+
+5.12.2.14. b64_decode_depth
+
+This config option is used to turn off/on or set the base64 decoding
+depth used to decode the base64 encoded MIME attachments. The value
+ranges from -1 to 65535. A value of -1 turns off the base64 decoding
+of MIME attachments. The value of 0 sets the decoding of base64
+encoded MIME attachments to unlimited. A value other than 0 or -1
+restricts the decoding of base64 MIME attachments, and applies per
+attachment.
+
+5.12.2.15. qp_decode_depth
+
+This config option is used to turn off/on or set the Quoted-Printable
+decoding depth used to decode the Quoted-Printable(QP) encoded MIME
+attachments. The value ranges from -1 to 65535. A value of -1 turns
+off the QP decoding of MIME attachments. The value of 0 sets the
+decoding of QP encoded MIME attachments to unlimited. A value other
+than 0 or -1 restricts the decoding of QP MIME attachments, and
+applies per attachment.
+
+5.12.2.16. bitenc_decode_depth * default to 25
+
+This config option is used to turn off/on or set the non-encoded MIME
+extraction depth used to extract the non-encoded MIME attachments.
+The value ranges from -1 to 65535. A value of -1 turns off the
+extraction of these MIME attachments. The value of 0 sets the
+extraction of these MIME attachments to unlimited. A value other than
+0 or -1 restricts the extraction of these MIME attachments, and
+applies per attachment.
+
+5.12.2.17. uu_decode_depth
+
+This config option is used to turn off/on or set the Unix-to-Unix
+decoding depth used to decode the Unix-to-Unix(UU) encoded
+attachments. The value ranges from -1 to 65535. A value of -1 turns
+off the UU decoding of SMTP attachments. The value of 0 sets the
+decoding of UU encoded SMTP attachments to unlimited. A value other
+than 0 or -1 restricts the decoding of UU SMTP attachments, and
+applies per attachment.
+
+5.12.2.18. Log Options
+
+Following log options allow SMTP inspector to log email addresses and
+filenames. Please note, this is logged only with the unified2 output
+and is not logged with the console output (-A cmg). u2spewfoo can be
+used to read this data from the unified2.
+
+log_mailfrom
+
+This option enables SMTP inspector to parse and log the sender’s
+email address extracted from the "MAIL FROM" command along with all
+the generated events for that session. The maximum number of bytes
+logged for this option is 1024.
+
+log_rcptto
+
+This option enables SMTP inspector to parse and log the recipient
+email addresses extracted from the "RCPT TO" command along with all
+the generated events for that session. Multiple recipients are
+appended with commas. The maximum number of bytes logged for this
+option is 1024.
+
+log_filename
+
+This option enables SMTP inspector to parse and log the MIME
+attachment filenames extracted from the Content-Disposition header
+within the MIME body along with all the generated events for that
+session. Multiple filenames are appended with commas. The maximum
+number of bytes logged for this option is 1024.
+
+log_email_hdrs
+
+This option enables SMTP inspector to parse and log the SMTP email
+headers extracted from SMTP data along with all generated events for
+that session. The number of bytes extracted and logged depends upon
+the email_hdrs_log_depth.
+
+email_hdrs_log_depth
+
+This option specifies the depth for logging email headers. The
+allowed range for this option is 0 - 20480. A value of 0 will disable
+email headers logging. The default value for this option is 1464.
+
+5.12.3. Example
+
+smtp =
+{
+ normalize = 'cmds',
+ normalize_cmds = 'EXPN VRFY RCPT',
+ b64_decode_depth = 0,
+ qp_decode_depth = 0,
+ bitenc_decode_depth = 0,
+ uu_decode_depth = 0,
+ log_mailfrom = true,
+ log_rcptto = true,
+ log_filename = true,
+ log_email_hdrs = true,
+ max_command_line_len = 512,
+ max_header_line_len = 1000,
+ max_response_line_len = 512,
+ max_auth_command_line_len = 50,
+ xlink2state = 'alert',
+ alt_max_command_line_len =
+ {
+ {
+ command = 'MAIL',
+ length = 260,
+ },
+ {
+ command = 'RCPT',
+ length = 300,
+ },
+ {
+ command = 'HELP',
+ length = 500,
+ },
+ {
+ command = 'HELO',
+ length = 500,
+ },
+ {
+ command = 'ETRN',
+ length = 500,
+ },
+ {
+ command = 'EXPN',
+ length = 255,
+ },
+ {
+ command = 'VRFY',
+ length = 255,
+ },
+ },
+}
+
+
+5.13. Wizard
--------------
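Review bot: the RFC citations and limits in the new SMTP section are inconsistent. 5.12.2.4 through 5.12.2.6 cite RFC 2821, while 5.12.2.10 cites RFC 5321, which obsoletes it; cite RFC 5321 (section 4.5.3.1) throughout. 5.12.2.5 states "RFC 2821 recommends 1024 as a maximum data header line length", but the RFC's text-line limit is 1000 octets including CRLF, which is also the value the example itself uses ("max_header_line_len = 1000"); correct 1024 to 1000. The example further sets "max_auth_command_line_len = 50", an option that none of the 5.12.2.x subsections describes; either add a subsection for it or drop it from the example. The heading "5.12.2.16. bitenc_decode_depth * default to 25" carries an editing fragment; the other three decode_depth sections state no default, so either document defaults for all four in the body text or remove the fragment. Minor wording: "SMTP inspector is a service inspector for SMTP protocol" wants "The" twice, "specific commands For example:" is missing a period, and 5.12.2.8 should say "Alert if any command in this list is sent from the client side", since invalid_cmds is a list.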
Type: basic
+Usage: global
+
Configuration:
* int active.attempts = 0: number of TCP packets sent per response
Type: basic
+Usage: global
+
Configuration:
* bool alerts.alert_with_interface_name = false: include interface
of memory for detection_filters { 0: }
* int alerts.event_filter_memcap = 1048576: set available bytes of
memory for event_filters { 0: }
+ * bool alerts.log_references = false: include rule references in
+ alert info (full only)
* string alerts.order = pass drop alert log: change the order of
rule action application
* int alerts.rate_filter_memcap = 1048576: set available bytes of
* bool alerts.stateful = false: don’t alert w/o established session
(note: rule action still taken)
* string alerts.tunnel_verdicts: let DAQ handle non-allow verdicts
- for GTP|Teredo|6in4|4in6 traffic
+ for gtp|teredo|6in4|4in6|4in4|6in6|gre|mpls traffic
6.3. attribute_table
Type: basic
+Usage: global
+
Configuration:
* int attribute_table.max_hosts = 1024: maximum number of hosts in
Type: basic
+Usage: global
+
Configuration:
* string classifications[].name: name used with classtype rule
Type: basic
+Usage: global
+
Configuration:
* string daq.module_dirs[].str: string parameter
Peg counts:
- * daq.pcaps: total files and interfaces processed
- * daq.received: total packets received from DAQ
- * daq.analyzed: total packets analyzed from DAQ
- * daq.dropped: packets dropped
- * daq.filtered: packets filtered out
- * daq.outstanding: packets unprocessed
- * daq.injected: active responses or replacements
- * daq.allow: total allow verdicts
- * daq.block: total block verdicts
- * daq.replace: total replace verdicts
- * daq.whitelist: total whitelist verdicts
- * daq.blacklist: total blacklist verdicts
- * daq.ignore: total ignore verdicts
+ * daq.pcaps: total files and interfaces processed (sum)
+ * daq.received: total packets received from DAQ (sum)
+ * daq.analyzed: total packets analyzed from DAQ (sum)
+ * daq.dropped: packets dropped (sum)
+ * daq.filtered: packets filtered out (sum)
+ * daq.outstanding: packets unprocessed (sum)
+ * daq.injected: active responses or replacements (sum)
+ * daq.allow: total allow verdicts (sum)
+ * daq.block: total block verdicts (sum)
+ * daq.replace: total replace verdicts (sum)
+ * daq.whitelist: total whitelist verdicts (sum)
+ * daq.blacklist: total blacklist verdicts (sum)
+ * daq.ignore: total ignore verdicts (sum)
+ * daq.retry: total retry verdicts (sum)
* daq.internal_blacklist: packets blacklisted internally due to
- lack of DAQ support
+ lack of DAQ support (sum)
* daq.internal_whitelist: packets whitelisted internally due to
- lack of DAQ support
- * daq.skipped: packets skipped at startup
+ lack of DAQ support (sum)
+ * daq.skipped: packets skipped at startup (sum)
* daq.idle: attempts to acquire from DAQ without available packets
- * daq.rx_bytes: total bytes received
+ (sum)
+ * daq.rx_bytes: total bytes received (sum)
6.6. decode
Type: basic
+Usage: context
+
Rules:
* 116:450 (decode) bad IP protocol
Type: basic
+Usage: global
+
Configuration:
* int detection.asn1 = 256: maximum decode nodes { 1: }
Peg counts:
- * detection.analyzed: packets sent to detection
- * detection.hard_evals: non-fast pattern rule evaluations
+ * detection.analyzed: packets sent to detection (sum)
+ * detection.hard_evals: non-fast pattern rule evaluations (sum)
* detection.raw_searches: fast pattern searches in raw packet data
+ (sum)
* detection.cooked_searches: fast pattern searches in cooked packet
- data
+ data (sum)
* detection.pkt_searches: fast pattern searches in packet data
+ (sum)
* detection.alt_searches: alt fast pattern searches in packet data
- * detection.key_searches: fast pattern searches in key buffer
+ (sum)
+ * detection.key_searches: fast pattern searches in key buffer (sum)
* detection.header_searches: fast pattern searches in header buffer
+ (sum)
* detection.body_searches: fast pattern searches in body buffer
+ (sum)
* detection.file_searches: fast pattern searches in file buffer
+ (sum)
* detection.offloads: fast pattern searches that were offloaded
- * detection.alerts: alerts not including IP reputation
- * detection.total_alerts: alerts including IP reputation
- * detection.logged: logged packets
- * detection.passed: passed packets
- * detection.match_limit: fast pattern matches not processed
- * detection.queue_limit: events not queued because queue full
- * detection.log_limit: events queued but not logged
- * detection.event_limit: events filtered
+ (sum)
+ * detection.alerts: alerts not including IP reputation (sum)
+ * detection.total_alerts: alerts including IP reputation (sum)
+ * detection.logged: logged packets (sum)
+ * detection.passed: passed packets (sum)
+ * detection.match_limit: fast pattern matches not processed (sum)
+ * detection.queue_limit: events not queued because queue full (sum)
+ * detection.log_limit: events queued but not logged (sum)
+ * detection.event_limit: events filtered (sum)
* detection.alert_limit: events previously triggered on same PDU
+ (sum)
6.8. event_filter
Type: basic
+Usage: context
+
Configuration:
* int event_filter[].gid = 1: rule generator ID { 0: }
Type: basic
+Usage: context
+
Configuration:
* int event_queue.max_queue = 8: maximum events to queue { 1: }
Type: basic
+Usage: global
+
Configuration:
* bool high_availability.enable = false: enable high availability
* real high_availability.min_sync = 1.0: minimum interval between
HA updates { 0.0:100.0 }
+Peg counts:
+
+ * high_availability.packets: total packets (sum)
+
6.11. host_cache
Type: basic
+Usage: global
+
Configuration:
* int host_cache[].size: size of host cache
Peg counts:
- * host_cache.lru_cache_adds: lru cache added new entry
+ * host_cache.lru_cache_adds: lru cache added new entry (sum)
* host_cache.lru_cache_replaces: lru cache replaced existing entry
+ (sum)
* host_cache.lru_cache_prunes: lru cache pruned entry to make space
- for new entry
+ for new entry (sum)
* host_cache.lru_cache_find_hits: lru cache found entry in cache
+ (sum)
* host_cache.lru_cache_find_misses: lru cache did not find entry in
- cache
+ cache (sum)
* host_cache.lru_cache_removes: lru cache found entry and removed
- it
- * host_cache.lru_cache_clears: lru cache clear API calls
+ it (sum)
+ * host_cache.lru_cache_clears: lru cache clear API calls (sum)
6.12. host_tracker
Type: basic
+Usage: global
+
Configuration:
* addr host_tracker[].ip = 0.0.0.0/32: hosts address / cidr
Peg counts:
- * host_tracker.service_adds: host service adds
- * host_tracker.service_finds: host service finds
- * host_tracker.service_removes: host service removes
+ * host_tracker.service_adds: host service adds (sum)
+ * host_tracker.service_finds: host service finds (sum)
+ * host_tracker.service_removes: host service removes (sum)
6.13. hosts
Type: basic
+Usage: global
+
Configuration:
* addr hosts[].ip = 0.0.0.0/32: hosts address / cidr
Type: basic
+Usage: detect
+
Configuration:
* bool ips.enable_builtin_rules = false: enable events from builtin
* string ips.include: legacy snort rules and includes
* enum ips.mode: set policy mode { tap | inline | inline-test }
* string ips.rules: snort rules and includes
+ * string ips.uuid: IPS policy uuid
+
+Peg counts:
+
+ * ips.invalid_policy_ids: Number of times an invalid policy ID was
+ provided (sum)
6.15. latency
Type: basic
+Usage: context
+
Configuration:
* int latency.packet.max_time = 500: set timeout for packet latency
Peg counts:
- * latency.total_packets: total packets monitored
- * latency.total_usecs: total usecs elapsed
- * latency.max_usecs: maximum usecs elapsed
- * latency.packet_timeouts: packets that timed out
- * latency.total_rule_evals: total rule evals monitored
- * latency.rule_eval_timeouts: rule evals that timed out
- * latency.rule_tree_enables: rule tree re-enables
+ * latency.total_packets: total packets monitored (sum)
+ * latency.total_usecs: total usecs elapsed (sum)
+ * latency.max_usecs: maximum usecs elapsed (sum)
+ * latency.packet_timeouts: packets that timed out (sum)
+ * latency.total_rule_evals: total rule evals monitored (sum)
+ * latency.rule_eval_timeouts: rule evals that timed out (sum)
+ * latency.rule_tree_enables: rule tree re-enables (sum)
6.16. memory
Type: basic
+Usage: global
+
Configuration:
* int memory.cap = 0: set the per-packet-thread cap on memory
Type: basic
+Usage: context
+
Configuration:
* multi network.checksum_drop = none: drop if checksum is bad { all
Type: basic
+Usage: global
+
Configuration:
* bool output.dump_chars_only = false: turns on character dumps
as -d)
* bool output.dump_payload_verbose = false: dumps raw packet
starting at link layer (same as -X)
- * bool output.log_ipv6_extra_data = false: log IPv6 source and
- destination addresses as unified2 extra data records
* int output.event_trace.max_data = 0: maximum amount of packet
data to capture { 0:65535 }
* bool output.quiet = false: suppress non-fatal information (still
Type: basic
+Usage: global
+
Configuration:
* bool packets.address_space_agnostic = false: determines whether
Type: basic
+Usage: global
+
Configuration:
* string process.chroot: set chroot directory (same as -t)
Type: basic
+Usage: global
+
Configuration:
* bool profiler.modules.show = true: show module time profile stats
Type: basic
+Usage: detect
+
Configuration:
* int rate_filter[].gid = 1: rule generator ID { 0: }
Type: basic
+Usage: global
+
Configuration:
* string references[].name: name used with reference rule option
Type: basic
+Usage: detect
+
Configuration:
* int rule_state.gid = 0: rule generator ID { 0: }
Type: basic
+Usage: global
+
Configuration:
* int search_engine.bleedover_port_limit = 1024: maximum ports in
construction for better performance
* bool search_engine.show_fast_patterns = false: print fast pattern
info for each rule
- * bool search_engine.split_any_any = false: evaluate any-any rules
+ * bool search_engine.split_any_any = true: evaluate any-any rules
separately to save memory
Peg counts:
* search_engine.max_queued: maximum fast pattern matches queued for
- further evaluation
+ further evaluation (sum)
* search_engine.total_flushed: fast pattern matches discarded due
- to overflow
- * search_engine.total_inserts: total fast pattern hits
- * search_engine.total_unique: total unique fast pattern hits
+ to overflow (sum)
+ * search_engine.total_inserts: total fast pattern hits (sum)
+ * search_engine.total_unique: total unique fast pattern hits (sum)
* search_engine.non_qualified_events: total non-qualified events
- * search_engine.qualified_events: total qualified events
- * search_engine.searched_bytes: total bytes searched
+ (sum)
+ * search_engine.qualified_events: total qualified events (sum)
+ * search_engine.searched_bytes: total bytes searched (sum)
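Review bot: the default of search_engine.split_any_any flips from false to true with no accompanying text, so every existing configuration that does not set it explicitly changes behaviour on upgrade (the line "evaluate any-any rules separately to save memory" tells the reader what it does but not that the default moved). Call the new default out in the release notes or changelog, and consider a sentence in this module's description noting the trade-off the option controls.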
6.26. side_channel
Type: basic
+Usage: global
+
Configuration:
* bit_list side_channel.ports: side channel message port list {
* string side_channel.connectors[].connector: connector handle
* string side_channel.connector: connector handle
+Peg counts:
+
+ * side_channel.packets: total packets (sum)
+
6.27. snort
Type: basic
+Usage: global
+
Configuration:
* string snort.-?: <option prefix> output matching command line
* string snort.--daq-var: <name=value> specify extra DAQ
configuration variable
* implied snort.--dirty-pig: don’t flush packets on shutdown
- * implied snort.--dump-builtin-rules: [<module prefix>] output stub
- rules for selected modules
+ * string snort.--dump-builtin-rules: [<module prefix>] output stub
+ rules for selected modules { (optional) }
* implied snort.--dump-dynamic-rules: output stub rules for all
loaded rules libraries
* string snort.--dump-defaults: [<module prefix>] output module
version, and only the version
* implied snort.--enable-inline-test: enable Inline-Test Mode
Operation
+ * implied snort.--gen-msg-map: dump builtin rules in gen-msg.map
+ format for use by other tools
* implied snort.--help: list command line options
* string snort.--help-commands: [<module prefix>] output matching
commands { (optional) }
module
* implied snort.--help-modules: list all available modules with
brief help
- * string snort.--help-options: <option prefix> output matching
+ * string snort.--help-options: [<option prefix>] output matching
command line option quick help (same as -?) { (optional) }
* implied snort.--help-plugins: list all available plugins with
brief help
* implied snort.--help-signals: dump available control signals
+ * int snort.--id-offset = 0: offset to add to instance IDs when
+ logging to files { 0:65535 }
* implied snort.--id-subdir: create/use instance subdirectories in
logdir instead of instance filename prefix
* implied snort.--id-zero: use id prefix / subdirectory even with
one packet thread
* implied snort.--list-buffers: output available inspection buffers
- * string snort.--list-builtin: <module prefix> output matching
+ * string snort.--list-builtin: [<module prefix>] output matching
builtin rules { (optional) }
* string snort.--list-gids: [<module prefix>] output matching
generators { (optional) }
* implied snort.--markup: output help in asciidoc compatible format
* int snort.--max-packet-threads = 1: <count> configure maximum
number of packet threads (same as -z) { 0: }
+ * implied snort.--mem-check: like -T but also compile search
+ engines
* implied snort.--nostamps: don’t include timestamps in log file
names
* implied snort.--nolock-pidfile: do not try to lock Snort PID file
Commands:
* snort.show_plugins(): show available plugins
+ * snort.delete_inspector(inspector): delete an inspector from the
+ default policy
* snort.dump_stats(): show summary statistics
* snort.rotate_stats(): roll perfmonitor log files
* snort.reload_config(filename): load new configuration
+ * snort.reload_policy(filename): reload part or all of the default
+ policy
* snort.reload_daq(): reload daq module
* snort.reload_hosts(filename): load a new hosts table
* snort.pause(): suspend packet processing
Peg counts:
- * snort.local_commands: total local commands processed
- * snort.remote_commands: total remote commands processed
- * snort.signals: total signals processed
+ * snort.local_commands: total local commands processed (sum)
+ * snort.remote_commands: total remote commands processed (sum)
+ * snort.signals: total signals processed (sum)
* snort.conf_reloads: number of times configuration was reloaded
+ (sum)
+ * snort.policy_reloads: number of times policies were reloaded
+ (sum)
+ * snort.inspector_deletions: number of times inspectors were
+ deleted (sum)
* snort.daq_reloads: number of times daq configuration was reloaded
+ (sum)
* snort.attribute_table_reloads: number of times hosts table was
- reloaded
- * snort.attribute_table_hosts: total number of hosts in table
+ reloaded (sum)
+ * snort.attribute_table_hosts: total number of hosts in table (sum)
6.28. suppress
Type: basic
+Usage: detect
+
Configuration:
* int suppress[].gid = 0: rule generator ID { 0: }
Type: codec
+Usage: context
+
Rules:
* 116:109 (arp) truncated ARP
Type: codec
+Usage: context
+
Rules:
* 116:465 (auth) truncated authentication header
Type: codec
+Usage: context
+
Rules:
* 116:468 (ciscometadata) truncated Cisco Metadata header
Type: codec
+Usage: context
+
Rules:
* 116:110 (eapol) truncated EAP header
Type: codec
+Usage: context
+
Rules:
* 116:462 (erspan2) ERSpan header version mismatch
Type: codec
+Usage: context
+
Rules:
* 116:464 (erspan3) captured < ERSpan type3 header length
Type: codec
+Usage: context
+
Configuration:
* bool esp.decode_esp = false: enable for inspection of esp traffic
Type: codec
+Usage: context
+
Rules:
* 116:424 (eth) truncated ethernet header
Type: codec
+Usage: context
+
Rules:
* 116:467 (fabricpath) truncated FabricPath header
Type: codec
+Usage: context
+
Rules:
* 116:160 (gre) GRE header length > payload length
Type: codec
+Usage: context
+
Rules:
* 116:297 (gtp) two or more GTP encapsulation layers present
Type: codec
+Usage: context
+
Rules:
* 116:105 (icmp4) ICMP header truncated
Peg counts:
- * icmp4.bad_checksum: non-zero icmp checksums
+ * icmp4.bad_checksum: non-zero icmp checksums (sum)
7.13. icmp6
Type: codec
+Usage: context
+
Rules:
* 116:427 (icmp6) truncated ICMPv6 header
Peg counts:
- * icmp6.bad_icmp6_checksum: nonzero icmp6 checksums
+ * icmp6.bad_icmp6_checksum: nonzero icmp6 checksums (sum)
7.14. igmp
Type: codec
+Usage: context
+
Rules:
* 116:455 (igmp) DOS IGMP IP options validation attempt
Type: codec
+Usage: context
+
Rules:
* 116:1 (ipv4) not IPv4 datagram
Peg counts:
- * ipv4.bad_checksum: nonzero ip checksums
+ * ipv4.bad_checksum: nonzero ip checksums (sum)
7.16. ipv6
Type: codec
+Usage: context
+
Rules:
* 116:270 (ipv6) IPv6 packet below TTL limit
Type: codec
+Usage: context
+
Rules:
* 116:131 (llc) bad LLC header
Type: codec
+Usage: context
+
Configuration:
* bool mpls.enable_mpls_multicast = false: enables support for MPLS
Peg counts:
- * mpls.total_packets: total mpls labeled packets processed
- * mpls.total_bytes: total mpls labeled bytes processed
+ * mpls.total_packets: total mpls labeled packets processed (sum)
+ * mpls.total_bytes: total mpls labeled bytes processed (sum)
+
+
+7.19. pbb
+
+--------------
+
+What: support for 802.1ah protocol
+
+Type: codec
+
+Usage: context
+
+Rules:
+ * 116:424 (pbb) truncated ethernet header
-7.19. pgm
+
+7.20. pgm
--------------
Type: codec
+Usage: context
+
Rules:
* 116:454 (pgm) PGM nak list overflow attempt
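Review bot: the new pbb codec lists "116:424 (pbb) truncated ethernet header", which is the same GID:SID as the eth codec's "116:424 (eth) truncated ethernet header" earlier in this reference, with identical event text. If pbb deliberately raises the eth codec's event for the inner Ethernet header of an 802.1ah frame, say so in the "What:" line so the shared SID is understood; otherwise the pbb codec needs its own SID, because a consumer of the alert cannot tell which codec fired from the event alone.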
-7.20. pppoe
+7.21. pppoe
--------------
Type: codec
+Usage: context
+
Rules:
* 116:120 (pppoe) bad PPPOE frame detected
-7.21. tcp
+7.22. tcp
--------------
Type: codec
+Usage: context
+
Rules:
* 116:45 (tcp) TCP packet length is smaller than 20 bytes
Peg counts:
- * tcp.bad_tcp4_checksum: nonzero tcp over ip checksums
- * tcp.bad_tcp6_checksum: nonzero tcp over ipv6 checksums
+ * tcp.bad_tcp4_checksum: nonzero tcp over ip checksums (sum)
+ * tcp.bad_tcp6_checksum: nonzero tcp over ipv6 checksums (sum)
-7.22. token_ring
+7.23. token_ring
--------------
Type: codec
+Usage: context
+
Rules:
* 116:140 (token_ring) bad Token Ring header
* 116:143 (token_ring) bad Token Ring MR header
-7.23. udp
+7.24. udp
--------------
Type: codec
+Usage: context
+
Configuration:
* bool udp.deep_teredo_inspection = false: look for Teredo on all
Peg counts:
- * udp.bad_udp4_checksum: nonzero udp over ipv4 checksums
- * udp.bad_udp6_checksum: nonzero udp over ipv6 checksums
+ * udp.bad_udp4_checksum: nonzero udp over ipv4 checksums (sum)
+ * udp.bad_udp6_checksum: nonzero udp over ipv6 checksums (sum)
-7.24. vlan
+7.25. vlan
--------------
Type: codec
+Usage: context
+
Rules:
* 116:130 (vlan) bad VLAN frame
-7.25. wlan
+7.26. wlan
--------------
Type: codec
+Usage: context
+
Rules:
* 116:133 (wlan) bad 802.11 LLC header
Type: connector
+Usage: global
+
Configuration:
* string file_connector.connector: connector name
Peg counts:
- * file_connector.messages: total messages
+ * file_connector.messages: total messages (sum)
8.2. tcp_connector
Type: connector
+Usage: global
+
Configuration:
* string tcp_connector.connector: connector name
Peg counts:
- * tcp_connector.messages: total messages
+ * tcp_connector.messages: total messages (sum)
---------------------------------------------------------------------
Type: inspector
+Usage: context
+
Configuration:
* int appid.memcap = 0: disregard - not implemented { 0: }
collection appid stats before rolling over the log file { 0: }
* string appid.app_detector_dir: directory to load appid detectors
from
- * int appid.instance_id = 0: instance id - need more details for
- what this is { 0: }
+ * int appid.instance_id = 0: instance id - ignored { 0: }
* bool appid.debug = false: enable appid debug logging
* bool appid.dump_ports = false: enable dump of appid port
information
* bool appid.log_all_sessions = false: enable logging of all appid
sessions
-Peg counts:
-
- * appid.packets: count of packets received
- * appid.processed_packets: count of packets processed
- * appid.ignored_packets: count of packets ignored
- * appid.aim_clients: count of aim clients discovered
- * appid.battlefield_flows: count of battle field flows discovered
- * appid.bgp_flows: count of bgp flows discovered
- * appid.bit_clients: count of bittorrent clients discovered
- * appid.bit_flows: count of bittorrent flows discovered
- * appid.bittracker_clients: count of bittorrent tracker clients
- discovered
- * appid.bootp_flows: count of bootp flows discovered
- * appid.dcerpc_tcp_flows: count of dce rpc flows over tcp
- discovered
- * appid.dcerpc_udp_flows: count of dce rpc flows over udp
- discovered
- * appid.direct_connect_flows: count of direct connect flows
- discovered
- * appid.dns_tcp_flows: count of dns flows over tcp discovered
- * appid.dns_udp_flows: count of dns flows over udp discovered
- * appid.ftp_flows: count of ftp flows discovered
- * appid.ftps_flows: count of ftps flows discovered
- * appid.http_flows: count of http flows discovered
- * appid.imap_flows: count of imap service flows discovered
- * appid.imaps_flows: count of imap TLS service flows discovered
- * appid.irc_flows: count of irc service flows discovered
- * appid.kerberos_clients: count of kerberos clients discovered
- * appid.kerberos_flows: count of kerberos service flows discovered
- * appid.kerberos_users: count of kerberos users discovered
- * appid.lpr_flows: count of lpr service flows discovered
- * appid.mdns_flows: count of mdns service flows discovered
- * appid.msn_clients: count of msn clients discovered
- * appid.mysql_flows: count of mysql service flows discovered
- * appid.netbios_dgm_flows: count of netbios-dgm service flows
- discovered
- * appid.netbios_ns_flows: count of netbios-ns service flows
- discovered
- * appid.netbios_ssn_flows: count of netbios-ssn service flows
- discovered
- * appid.nntp_flows: count of nntp flows discovered
- * appid.ntp_flows: count of ntp flows discovered
- * appid.pop_flows: count of pop service flows discovered
- * appid.pop3_clients: count of pop3 clients discovered
- * appid.pop3s_clients: count of pop3s clients discovered
- * appid.radius_flows: count of radius flows discovered
- * appid.rexec_flows: count of rexec flows discovered
- * appid.rfb_flows: count of rfb flows discovered
- * appid.rlogin_flows: count of rlogin flows discovered
- * appid.rpc_flows: count of rpc flows discovered
- * appid.rshell_flows: count of rshell flows discovered
- * appid.rsync_flows: count of rsync service flows discovered
- * appid.rtmp_flows: count of rtmp flows discovered
- * appid.rtp_clients: count of rtp clients discovered
- * appid.sip_clients: count of SIP clients discovered
- * appid.sip_flows: count of SIP flows discovered
- * appid.smtp_aol_clients: count of AOL smtp clients discovered
- * appid.smtp_applemail_clients: count of Apple Mail smtp clients
- discovered
- * appid.smtp_eudora_clients: count of Eudora smtp clients
- discovered
- * appid.smtp_eudora_pro_clients: count of Eudora Pro smtp clients
- discovered
- * appid.smtp_evolution_clients: count of Evolution smtp clients
- discovered
- * appid.smtp_kmail_clients: count of KMail smtp clients discovered
- * appid.smtp_lotus_notes_clients: count of Lotus Notes smtp clients
- discovered
- * appid.smtp_microsoft_outlook_clients: count of Microsoft Outlook
- smtp clients discovered
- * appid.smtp_microsoft_outlook_express_clients: count of Microsoft
- Outlook Express smtp clients discovered
- * appid.smtp_microsoft_outlook_imo_clients: count of Microsoft
- Outlook IMO smtp clients discovered
- * appid.smtp_mutt_clients: count of Mutt smtp clients discovered
- * appid.smtp_thunderbird_clients: count of Thunderbird smtp clients
- discovered
- * appid.smtp_flows: count of smtp flows discovered
- * appid.smtps_flows: count of smtps flows discovered
- * appid.snmp_flows: count of snmp flows discovered
- * appid.ssh_clients: count of ssh clients discovered
- * appid.ssh_flows: count of ssh flows discovered
- * appid.ssl_flows: count of ssl flows discovered
- * appid.telnet_flows: count of telnet flows discovered
- * appid.tftp_flows: count of tftp flows discovered
- * appid.timbuktu_clients: count of timbuktu clients discovered
- * appid.timbuktu_flows: count of timbuktu flows discovered
- * appid.tns_clients: count of tns clients discovered
- * appid.tns_flows: count of tns flows discovered
- * appid.vnc_clients: count of vnc clients discovered
- * appid.yahoo_messenger_clients: count of Yahoo Messenger clients
- discovered
-
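Review bot: The whole block of appid peg counts (appid.packets through appid.yahoo_messenger_clients) is removed here and nothing in this span replaces it, so a reader of the diff cannot tell whether these counters were dropped or moved; if appid still reports per-protocol counters under other names the manual should say where, and if they were removed that is a user-visible change that belongs in the release notes.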
9.2. arp_spoof
Type: inspector
+Usage: inspect
+
Configuration:
* ip4 arp_spoof.hosts[].ip: host ip address
Peg counts:
- * arp_spoof.packets: total packets
+ * arp_spoof.packets: total packets (sum)
9.3. back_orifice
Type: inspector
+Usage: inspect
+
Rules:
* 105:1 (back_orifice) BO traffic detected
Peg counts:
- * back_orifice.packets: total packets
+ * back_orifice.packets: total packets (sum)
9.4. binder
Type: inspector
+Usage: inspect
+
Configuration:
- * int binder[].when.policy_id = 0: unique ID for selection of this
- config by external logic { 0: }
+ * int binder[].when.ips_policy_id = 0: unique ID for selection of
+ this config by external logic { 0: }
* bit_list binder[].when.ifaces: list of interface indices { 255 }
* bit_list binder[].when.vlans: list of VLAN IDs { 4095 }
* addr_list binder[].when.nets: list of networks
+ * addr_list binder[].when.src_nets: list of source networks
+ * addr_list binder[].when.dst_nets: list of destination networks
* enum binder[].when.proto: protocol { any | ip | icmp | tcp | udp
| user | file }
* bit_list binder[].when.ports: list of ports { 65535 }
+ * bit_list binder[].when.src_ports: list of source ports { 65535 }
+ * bit_list binder[].when.dst_ports: list of destination ports {
+ 65535 }
+ * int binder[].when.src_zone: source zone { 0:2147483647 }
+ * int binder[].when.dst_zone: destination zone { 0:2147483647 }
* enum binder[].when.role = any: use the given configuration on one
or any end of a session { client | server | any }
* string binder[].when.service: override default configuration
* enum binder[].use.action = inspect: what to do with matching
traffic { reset | block | allow | inspect }
* string binder[].use.file: use configuration in given file
+ * string binder[].use.inspection_policy: use inspection policy from
+ given file
+ * string binder[].use.ips_policy: use ips policy from given file
+ * string binder[].use.network_policy: use network policy from given
+ file
* string binder[].use.service: override automatic service
identification
* string binder[].use.type: select module for binding
Peg counts:
- * binder.packets: initial bindings
- * binder.resets: reset bindings
- * binder.blocks: block bindings
- * binder.allows: allow bindings
- * binder.inspects: inspect bindings
+ * binder.packets: initial bindings (sum)
+ * binder.resets: reset bindings (sum)
+ * binder.blocks: block bindings (sum)
+ * binder.allows: allow bindings (sum)
+ * binder.inspects: inspect bindings (sum)
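Review bot: Renaming binder[].when.policy_id to binder[].when.ips_policy_id silently breaks existing snort.lua files that set policy_id, and nothing in the hunk shows whether the old key is still accepted or rejected with an error; call the rename out in the release notes and, if possible, keep the old key as an alias for one release. The new selectors also need a sentence on how they combine with the existing ones: the descriptions "list of networks" versus "list of source networks" / "list of destination networks" (likewise ports and src_ports/dst_ports) do not say whether nets matches either direction, nor what happens when both nets and src_nets are set in the same binding.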
9.5. data_log
Type: inspector
+Usage: inspect
+
Configuration:
- * select data_log.key = http_raw_uri: name of data buffer to log {
- http_uri | http_raw_uri }
+ * select data_log.key = http_request_header_event : name of the
+ event to log { http_request_header_event |
+ http_response_header_event }
+ * int data_log.limit = 0: set maximum size in MB before rollover (0
+ is unlimited) { 0: }
Peg counts:
- * data_log.packets: total packets
+ * data_log.packets: total packets (sum)
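Review bot: The new default line reads "select data_log.key = http_request_header_event : name of the" with a stray space before the colon, which suggests the default value string in the module's parameter table has a trailing space; trim it so the rendered help matches the other entries. Separately, the previously documented values http_uri and http_raw_uri disappear from data_log.key, so any configuration using data_log.key = http_raw_uri will now fail validation; mention that in the release notes.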
9.6. dce_http_proxy
Type: inspector
+Usage: inspect
+
Peg counts:
* dce_http_proxy.http_proxy_sessions: successful http proxy
- sessions
+ sessions (sum)
* dce_http_proxy.http_proxy_session_failures: failed http proxy
- sessions
+ sessions (sum)
9.7. dce_http_server
Type: inspector
+Usage: inspect
+
Peg counts:
* dce_http_server.http_server_sessions: successful http server
- sessions
+ sessions (sum)
* dce_http_server.http_server_session_failures: failed http server
- sessions
+ sessions (sum)
9.8. dce_smb
Type: inspector
+Usage: inspect
+
Configuration:
* bool dce_smb.disable_defrag = false: Disable DCE/RPC
* 133:25 (dce_smb) SMB - chained/compounded open pipe followed by
close pipe
* 133:26 (dce_smb) SMB - invalid share access
- * 133:27 (dce_smb) connection oriented DCE/RPC - invalid major
- version
- * 133:28 (dce_smb) connection oriented DCE/RPC - invalid minor
- version
- * 133:29 (dce_smb) connection-oriented DCE/RPC - invalid PDU type
- * 133:30 (dce_smb) connection-oriented DCE/RPC - fragment length
- less than header size
- * 133:32 (dce_smb) connection-oriented DCE/RPC - no context items
- specified
- * 133:33 (dce_smb) connection-oriented DCE/RPC -no transfer
- syntaxes specified
- * 133:34 (dce_smb) connection-oriented DCE/RPC - fragment length on
- non-last fragment less than maximum negotiated fragment transmit
- size for client
- * 133:35 (dce_smb) connection-oriented DCE/RPC - fragment length
- greater than maximum negotiated fragment transmit size
- * 133:36 (dce_smb) connection-oriented DCE/RPC - alter context byte
- order different from bind
- * 133:37 (dce_smb) connection-oriented DCE/RPC - call id of non
- first/last fragment different from call id established for
- fragmented request
- * 133:38 (dce_smb) connection-oriented DCE/RPC - opnum of non first
- /last fragment different from opnum established for fragmented
- request
- * 133:39 (dce_smb) connection-oriented DCE/RPC - context id of non
- first/last fragment different from context id established for
- fragmented request
* 133:44 (dce_smb) SMB - invalid SMB version 1 seen
* 133:45 (dce_smb) SMB - invalid SMB version 2 seen
* 133:46 (dce_smb) SMB - invalid user, tree connect, file binding
Peg counts:
- * dce_smb.events: total events
- * dce_smb.pdus: total connection-oriented PDUs
- * dce_smb.binds: total connection-oriented binds
- * dce_smb.bind_acks: total connection-oriented binds acks
+ * dce_smb.events: total events (sum)
+ * dce_smb.pdus: total connection-oriented PDUs (sum)
+ * dce_smb.binds: total connection-oriented binds (sum)
+ * dce_smb.bind_acks: total connection-oriented binds acks (sum)
* dce_smb.alter_contexts: total connection-oriented alter contexts
+ (sum)
* dce_smb.alter_context_responses: total connection-oriented alter
- context responses
- * dce_smb.bind_naks: total connection-oriented bind naks
- * dce_smb.requests: total connection-oriented requests
- * dce_smb.responses: total connection-oriented responses
- * dce_smb.cancels: total connection-oriented cancels
- * dce_smb.orphaned: total connection-oriented orphaned
- * dce_smb.faults: total connection-oriented faults
- * dce_smb.auth3s: total connection-oriented auth3s
- * dce_smb.shutdowns: total connection-oriented shutdowns
- * dce_smb.rejects: total connection-oriented rejects
+ context responses (sum)
+ * dce_smb.bind_naks: total connection-oriented bind naks (sum)
+ * dce_smb.requests: total connection-oriented requests (sum)
+ * dce_smb.responses: total connection-oriented responses (sum)
+ * dce_smb.cancels: total connection-oriented cancels (sum)
+ * dce_smb.orphaned: total connection-oriented orphaned (sum)
+ * dce_smb.faults: total connection-oriented faults (sum)
+ * dce_smb.auth3s: total connection-oriented auth3s (sum)
+ * dce_smb.shutdowns: total connection-oriented shutdowns (sum)
+ * dce_smb.rejects: total connection-oriented rejects (sum)
* dce_smb.ms_rpc_http_pdus: total connection-oriented MS requests
- to send RPC over HTTP
+ to send RPC over HTTP (sum)
* dce_smb.other_requests: total connection-oriented other requests
+ (sum)
* dce_smb.other_responses: total connection-oriented other
- responses
+ responses (sum)
* dce_smb.request_fragments: total connection-oriented request
- fragments
+ fragments (sum)
* dce_smb.response_fragments: total connection-oriented response
- fragments
+ fragments (sum)
* dce_smb.client_max_fragment_size: connection-oriented client
- maximum fragment size
+ maximum fragment size (sum)
* dce_smb.client_min_fragment_size: connection-oriented client
- minimum fragment size
+ minimum fragment size (sum)
* dce_smb.client_segs_reassembled: total connection-oriented client
- segments reassembled
+ segments reassembled (sum)
* dce_smb.client_frags_reassembled: total connection-oriented
- client fragments reassembled
+ client fragments reassembled (sum)
* dce_smb.server_max_fragment_size: connection-oriented server
- maximum fragment size
+ maximum fragment size (sum)
* dce_smb.server_min_fragment_size: connection-oriented server
- minimum fragment size
+ minimum fragment size (sum)
* dce_smb.server_segs_reassembled: total connection-oriented server
- segments reassembled
+ segments reassembled (sum)
* dce_smb.server_frags_reassembled: total connection-oriented
- server fragments reassembled
- * dce_smb.sessions: total smb sessions
- * dce_smb.packets: total smb packets
- * dce_smb.ignored_bytes: total ignored bytes
+ server fragments reassembled (sum)
+ * dce_smb.sessions: total smb sessions (sum)
+ * dce_smb.packets: total smb packets (sum)
+ * dce_smb.ignored_bytes: total ignored bytes (sum)
* dce_smb.smb_client_segs_reassembled: total smb client segments
- reassembled
+ reassembled (sum)
* dce_smb.smb_server_segs_reassembled: total smb server segments
- reassembled
+ reassembled (sum)
* dce_smb.max_outstanding_requests: total smb maximum outstanding
- requests
- * dce_smb.files_processed: total smb files processed
+ requests (sum)
+ * dce_smb.files_processed: total smb files processed (sum)
* dce_smb.smbv2_create: total number of SMBv2 create packets seen
+ (sum)
* dce_smb.smbv2_write: total number of SMBv2 write packets seen
- * dce_smb.smbv2_read: total number of SMBv2 read packets seen
+ (sum)
+ * dce_smb.smbv2_read: total number of SMBv2 read packets seen (sum)
* dce_smb.smbv2_set_info: total number of SMBv2 set info packets
- seen
+ seen (sum)
* dce_smb.smbv2_tree_connect: total number of SMBv2 tree connect
- packets seen
+ packets seen (sum)
* dce_smb.smbv2_tree_disconnect: total number of SMBv2 tree
- disconnect packets seen
+ disconnect packets seen (sum)
* dce_smb.smbv2_close: total number of SMBv2 close packets seen
+ (sum)
+ * dce_smb.concurrent_sessions: total concurrent sessions (now)
+ * dce_smb.max_concurrent_sessions: maximum concurrent sessions
+ (max)
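Review bot: The "(sum)" annotation is wrong for the fragment-size pegs: dce_smb.client_max_fragment_size, client_min_fragment_size, server_max_fragment_size and server_min_fragment_size (and dce_smb.max_outstanding_requests) are extrema, not counters, so summing them across threads or runs produces a meaningless number. This hunk already introduces "(max)" for max_concurrent_sessions; use "(max)" for the maximum pegs and an equivalent minimum annotation for the minimum ones. The same labelling recurs below for dce_tcp.client_max_fragment_size and friends and for dce_udp.max_fragment_size and dce_udp.max_seqnum.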
9.9. dce_tcp
Type: inspector
+Usage: inspect
+
Configuration:
* bool dce_tcp.disable_defrag = false: Disable DCE/RPC
Peg counts:
- * dce_tcp.events: total events
- * dce_tcp.pdus: total connection-oriented PDUs
- * dce_tcp.binds: total connection-oriented binds
- * dce_tcp.bind_acks: total connection-oriented binds acks
+ * dce_tcp.events: total events (sum)
+ * dce_tcp.pdus: total connection-oriented PDUs (sum)
+ * dce_tcp.binds: total connection-oriented binds (sum)
+ * dce_tcp.bind_acks: total connection-oriented binds acks (sum)
* dce_tcp.alter_contexts: total connection-oriented alter contexts
+ (sum)
* dce_tcp.alter_context_responses: total connection-oriented alter
- context responses
- * dce_tcp.bind_naks: total connection-oriented bind naks
- * dce_tcp.requests: total connection-oriented requests
- * dce_tcp.responses: total connection-oriented responses
- * dce_tcp.cancels: total connection-oriented cancels
- * dce_tcp.orphaned: total connection-oriented orphaned
- * dce_tcp.faults: total connection-oriented faults
- * dce_tcp.auth3s: total connection-oriented auth3s
- * dce_tcp.shutdowns: total connection-oriented shutdowns
- * dce_tcp.rejects: total connection-oriented rejects
+ context responses (sum)
+ * dce_tcp.bind_naks: total connection-oriented bind naks (sum)
+ * dce_tcp.requests: total connection-oriented requests (sum)
+ * dce_tcp.responses: total connection-oriented responses (sum)
+ * dce_tcp.cancels: total connection-oriented cancels (sum)
+ * dce_tcp.orphaned: total connection-oriented orphaned (sum)
+ * dce_tcp.faults: total connection-oriented faults (sum)
+ * dce_tcp.auth3s: total connection-oriented auth3s (sum)
+ * dce_tcp.shutdowns: total connection-oriented shutdowns (sum)
+ * dce_tcp.rejects: total connection-oriented rejects (sum)
* dce_tcp.ms_rpc_http_pdus: total connection-oriented MS requests
- to send RPC over HTTP
+ to send RPC over HTTP (sum)
* dce_tcp.other_requests: total connection-oriented other requests
+ (sum)
* dce_tcp.other_responses: total connection-oriented other
- responses
+ responses (sum)
* dce_tcp.request_fragments: total connection-oriented request
- fragments
+ fragments (sum)
* dce_tcp.response_fragments: total connection-oriented response
- fragments
+ fragments (sum)
* dce_tcp.client_max_fragment_size: connection-oriented client
- maximum fragment size
+ maximum fragment size (sum)
* dce_tcp.client_min_fragment_size: connection-oriented client
- minimum fragment size
+ minimum fragment size (sum)
* dce_tcp.client_segs_reassembled: total connection-oriented client
- segments reassembled
+ segments reassembled (sum)
* dce_tcp.client_frags_reassembled: total connection-oriented
- client fragments reassembled
+ client fragments reassembled (sum)
* dce_tcp.server_max_fragment_size: connection-oriented server
- maximum fragment size
+ maximum fragment size (sum)
* dce_tcp.server_min_fragment_size: connection-oriented server
- minimum fragment size
+ minimum fragment size (sum)
* dce_tcp.server_segs_reassembled: total connection-oriented server
- segments reassembled
+ segments reassembled (sum)
* dce_tcp.server_frags_reassembled: total connection-oriented
- server fragments reassembled
- * dce_tcp.tcp_sessions: total tcp sessions
- * dce_tcp.tcp_packets: total tcp packets
+ server fragments reassembled (sum)
+ * dce_tcp.tcp_sessions: total tcp sessions (sum)
+ * dce_tcp.tcp_packets: total tcp packets (sum)
+ * dce_tcp.concurrent_sessions: total concurrent sessions (now)
+ * dce_tcp.max_concurrent_sessions: maximum concurrent sessions
+ (max)
9.10. dce_udp
Type: inspector
+Usage: inspect
+
Configuration:
* bool dce_udp.disable_defrag = false: Disable DCE/RPC
Peg counts:
- * dce_udp.events: total events
- * dce_udp.udp_sessions: total udp sessions
- * dce_udp.udp_packets: total udp packets
- * dce_udp.requests: total connection-less requests
- * dce_udp.acks: total connection-less acks
- * dce_udp.cancels: total connection-less cancels
- * dce_udp.client_facks: total connection-less client facks
- * dce_udp.ping: total connection-less ping
- * dce_udp.responses: total connection-less responses
- * dce_udp.rejects: total connection-less rejects
- * dce_udp.cancel_acks: total connection-less cancel acks
- * dce_udp.server_facks: total connection-less server facks
- * dce_udp.faults: total connection-less faults
- * dce_udp.no_calls: total connection-less no calls
- * dce_udp.working: total connection-less working
+ * dce_udp.events: total events (sum)
+ * dce_udp.udp_sessions: total udp sessions (sum)
+ * dce_udp.udp_packets: total udp packets (sum)
+ * dce_udp.requests: total connection-less requests (sum)
+ * dce_udp.acks: total connection-less acks (sum)
+ * dce_udp.cancels: total connection-less cancels (sum)
+ * dce_udp.client_facks: total connection-less client facks (sum)
+ * dce_udp.ping: total connection-less ping (sum)
+ * dce_udp.responses: total connection-less responses (sum)
+ * dce_udp.rejects: total connection-less rejects (sum)
+ * dce_udp.cancel_acks: total connection-less cancel acks (sum)
+ * dce_udp.server_facks: total connection-less server facks (sum)
+ * dce_udp.faults: total connection-less faults (sum)
+ * dce_udp.no_calls: total connection-less no calls (sum)
+ * dce_udp.working: total connection-less working (sum)
* dce_udp.other_requests: total connection-less other requests
+ (sum)
* dce_udp.other_responses: total connection-less other responses
- * dce_udp.fragments: total connection-less fragments
+ (sum)
+ * dce_udp.fragments: total connection-less fragments (sum)
* dce_udp.max_fragment_size: connection-less maximum fragment size
+ (sum)
* dce_udp.frags_reassembled: total connection-less fragments
- reassembled
- * dce_udp.max_seqnum: max connection-less seqnum
+ reassembled (sum)
+ * dce_udp.max_seqnum: max connection-less seqnum (sum)
+ * dce_udp.concurrent_sessions: total concurrent sessions (now)
+ * dce_udp.max_concurrent_sessions: maximum concurrent sessions
+ (max)
9.11. dnp3
Type: inspector
+Usage: inspect
+
Configuration:
* bool dnp3.check_crc = false: validate checksums in DNP3 link
Peg counts:
- * dnp3.total_packets: total packets
- * dnp3.udp_packets: total udp packets
- * dnp3.tcp_pdus: total tcp pdus
- * dnp3.dnp3_link_layer_frames: total dnp3 link layer frames
- * dnp3.dnp3_application_pdus: total dnp3 application pdus
+ * dnp3.total_packets: total packets (sum)
+ * dnp3.udp_packets: total udp packets (sum)
+ * dnp3.tcp_pdus: total tcp pdus (sum)
+ * dnp3.dnp3_link_layer_frames: total dnp3 link layer frames (sum)
+ * dnp3.dnp3_application_pdus: total dnp3 application pdus (sum)
+ * dnp3.concurrent_sessions: total concurrent dnp3 sessions (now)
+ * dnp3.max_concurrent_sessions: maximum concurrent dnp3 sessions
+ (max)
9.12. dns
Type: inspector
+Usage: inspect
+
Rules:
* 131:1 (dns) obsolete DNS RR types
Peg counts:
- * dns.packets: total packets processed
- * dns.requests: total dns requests
- * dns.responses: total dns responses
+ * dns.packets: total packets processed (sum)
+ * dns.requests: total dns requests (sum)
+ * dns.responses: total dns responses (sum)
+ * dns.concurrent_sessions: total concurrent dns sessions (now)
+ * dns.max_concurrent_sessions: maximum concurrent dns sessions
+ (max)
9.13. dpx
Type: inspector
+Usage: inspect
+
Configuration:
* port dpx.port: port to check
Peg counts:
- * dpx.packets: total packets
+ * dpx.packets: total packets (sum)
9.14. file_id
Type: inspector
+Usage: global
+
Configuration:
* int file_id.type_depth = 1460: stop type ID at this point { 0: }
Peg counts:
- * file_id.total_files: number of files processed
+ * file_id.total_files: number of files processed (sum)
* file_id.total_file_data: number of file data bytes processed
- * file_id.cache_failures: number of file cache add failures
+ (sum)
+ * file_id.cache_failures: number of file cache add failures (sum)
9.15. file_log
Type: inspector
+Usage: inspect
+
Configuration:
* bool file_log.log_pkt_time = true: log the packet time when event
Peg counts:
- * file_log.total_events: total file events
+ * file_log.total_events: total file events (sum)
9.16. ftp_client
Type: inspector
+Usage: inspect
+
Configuration:
* bool ftp_client.bounce = false: check for bounces
Type: inspector
+Usage: inspect
+
Peg counts:
- * ftp_data.packets: total packets
+ * ftp_data.packets: total packets (sum)
9.18. ftp_server
Type: inspector
+Usage: inspect
+
Configuration:
* string ftp_server.chk_str_fmt: check the formatting of the given
Peg counts:
- * ftp_server.packets: total packets
+ * ftp_server.total_packets: total packets (sum)
+ * ftp_server.concurrent_sessions: total concurrent ftp sessions
+ (now)
+ * ftp_server.max_concurrent_sessions: maximum concurrent ftp
+ sessions (max)
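Review bot: Renaming ftp_server.packets to ftp_server.total_packets breaks any external stats consumer keyed on the old peg name, and it is inconsistent with the rest of this diff, where arp_spoof, back_orifice, data_log, dpx, ftp_data and perf_monitor all keep a plain <module>.packets peg; either keep ftp_server.packets or apply one naming convention everywhere and list the rename in the release notes.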
9.19. gtp_inspect
Type: inspector
+Usage: inspect
+
Configuration:
* int gtp_inspect[].version = 2: gtp version { 0:2 }
Peg counts:
- * gtp_inspect.sessions: total sessions processed
- * gtp_inspect.events: requests
- * gtp_inspect.unknown_types: unknown message types
- * gtp_inspect.unknown_infos: unknown information elements
+ * gtp_inspect.sessions: total sessions processed (sum)
+ * gtp_inspect.concurrent_sessions: total concurrent gtp sessions
+ (now)
+ * gtp_inspect.max_concurrent_sessions: maximum concurrent gtp
+ sessions (max)
+ * gtp_inspect.events: requests (sum)
+ * gtp_inspect.unknown_types: unknown message types (sum)
+ * gtp_inspect.unknown_infos: unknown information elements (sum)
9.20. http_inspect
Type: inspector
+Usage: inspect
+
Configuration:
* int http_inspect.request_depth = -1: maximum request message body
* 119:2 (http_inspect) double decoding attack
* 119:3 (http_inspect) u encoding
* 119:4 (http_inspect) bare byte unicode encoding
- * 119:5 (http_inspect) obsolete event—should not appear
+ * 119:5 (http_inspect) obsolete event—deleted
* 119:6 (http_inspect) UTF-8 encoding
* 119:7 (http_inspect) unicode map code point encoding in URI
* 119:8 (http_inspect) multi_slash encoding
* 119:19 (http_inspect) long header
* 119:20 (http_inspect) max header fields
* 119:21 (http_inspect) multiple content length
- * 119:22 (http_inspect) obsolete event—should not appear
+ * 119:22 (http_inspect) obsolete event—deleted
* 119:23 (http_inspect) invalid IP in true-client-IP/XFF header
* 119:24 (http_inspect) multiple host hdrs detected
* 119:25 (http_inspect) hostname exceeds 255 characters
Peg counts:
- * http_inspect.flows: HTTP connections inspected
+ * http_inspect.flows: HTTP connections inspected (sum)
* http_inspect.scans: TCP segments scanned looking for HTTP
- messages
+ messages (sum)
* http_inspect.reassembles: TCP segments combined into HTTP
- messages
- * http_inspect.inspections: total message sections inspected
- * http_inspect.requests: HTTP request messages inspected
- * http_inspect.responses: HTTP response messages inspected
- * http_inspect.get_requests: GET requests inspected
- * http_inspect.head_requests: HEAD requests inspected
- * http_inspect.post_requests: POST requests inspected
- * http_inspect.put_requests: PUT requests inspected
- * http_inspect.delete_requests: DELETE requests inspected
- * http_inspect.connect_requests: CONNECT requests inspected
- * http_inspect.options_requests: OPTIONS requests inspected
- * http_inspect.trace_requests: TRACE requests inspected
+ messages (sum)
+ * http_inspect.inspections: total message sections inspected (sum)
+ * http_inspect.requests: HTTP request messages inspected (sum)
+ * http_inspect.responses: HTTP response messages inspected (sum)
+ * http_inspect.get_requests: GET requests inspected (sum)
+ * http_inspect.head_requests: HEAD requests inspected (sum)
+ * http_inspect.post_requests: POST requests inspected (sum)
+ * http_inspect.put_requests: PUT requests inspected (sum)
+ * http_inspect.delete_requests: DELETE requests inspected (sum)
+ * http_inspect.connect_requests: CONNECT requests inspected (sum)
+ * http_inspect.options_requests: OPTIONS requests inspected (sum)
+ * http_inspect.trace_requests: TRACE requests inspected (sum)
* http_inspect.other_requests: other request methods inspected
+ (sum)
* http_inspect.request_bodies: POST, PUT, and other requests with
- message bodies
- * http_inspect.chunked: chunked message bodies
+ message bodies (sum)
+ * http_inspect.chunked: chunked message bodies (sum)
* http_inspect.uri_normalizations: URIs needing to be normalization
- * http_inspect.uri_path: URIs with path problems
+ (sum)
+ * http_inspect.uri_path: URIs with path problems (sum)
* http_inspect.uri_coding: URIs with character coding problems
+ (sum)
+ * http_inspect.concurrent_sessions: total concurrent http sessions
+ (now)
+ * http_inspect.max_concurrent_sessions: maximum concurrent http
+ sessions (max)
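Review bot: The http_inspect.uri_normalizations description "URIs needing to be normalization" is ungrammatical and should read "URIs needing normalization"; since this entry is already being touched to add "(sum)", fix the wording in the same change.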
9.21. imap
Type: inspector
+Usage: inspect
+
Configuration:
* int imap.b64_decode_depth = 1460: base64 decoding depth {
Peg counts:
- * imap.packets: total packets processed
- * imap.sessions: total imap sessions
- * imap.b64_attachments: total base64 attachments decoded
- * imap.b64_decoded_bytes: total base64 decoded bytes
+ * imap.packets: total packets processed (sum)
+ * imap.sessions: total imap sessions (sum)
+ * imap.concurrent_sessions: total concurrent imap sessions (now)
+ * imap.max_concurrent_sessions: maximum concurrent imap sessions
+ (max)
+ * imap.b64_attachments: total base64 attachments decoded (sum)
+ * imap.b64_decoded_bytes: total base64 decoded bytes (sum)
* imap.qp_attachments: total quoted-printable attachments decoded
- * imap.qp_decoded_bytes: total quoted-printable decoded bytes
- * imap.uu_attachments: total uu attachments decoded
- * imap.uu_decoded_bytes: total uu decoded bytes
+ (sum)
+ * imap.qp_decoded_bytes: total quoted-printable decoded bytes (sum)
+ * imap.uu_attachments: total uu attachments decoded (sum)
+ * imap.uu_decoded_bytes: total uu decoded bytes (sum)
* imap.non_encoded_attachments: total non-encoded attachments
- extracted
- * imap.non_encoded_bytes: total non-encoded extracted bytes
+ extracted (sum)
+ * imap.non_encoded_bytes: total non-encoded extracted bytes (sum)
9.22. modbus
Type: inspector
+Usage: inspect
+
Rules:
* 144:1 (modbus) length in Modbus MBAP header does not match the
Peg counts:
- * modbus.sessions: total sessions processed
- * modbus.frames: total Modbus messages
+ * modbus.sessions: total sessions processed (sum)
+ * modbus.frames: total Modbus messages (sum)
+ * modbus.concurrent_sessions: total concurrent modbus sessions
+ (now)
+ * modbus.max_concurrent_sessions: maximum concurrent modbus
+ sessions (max)
9.23. normalizer
Type: inspector
+Usage: inspect
+
Configuration:
* bool normalizer.ip4.base = true: clear options
Peg counts:
- * normalizer.ip4_trim: eth packets trimmed to datagram size
+ * normalizer.ip4_trim: eth packets trimmed to datagram size (sum)
* normalizer.test_ip4_trim: test eth packets trimmed to datagram
- size
- * normalizer.ip4_tos: type of service normalizations
+ size (sum)
+ * normalizer.ip4_tos: type of service normalizations (sum)
* normalizer.test_ip4_tos: test type of service normalizations
- * normalizer.ip4_df: don’t frag bit normalizations
- * normalizer.test_ip4_df: test don’t frag bit normalizations
- * normalizer.ip4_rf: reserved flag bit clears
- * normalizer.test_ip4_rf: test reserved flag bit clears
- * normalizer.ip4_ttl: time-to-live normalizations
- * normalizer.test_ip4_ttl: test time-to-live normalizations
- * normalizer.ip4_opts: ip4 options cleared
- * normalizer.test_ip4_opts: test ip4 options cleared
- * normalizer.icmp4_echo: icmp4 ping normalizations
- * normalizer.test_icmp4_echo: test icmp4 ping normalizations
- * normalizer.ip6_hops: ip6 hop limit normalizations
- * normalizer.test_ip6_hops: test ip6 hop limit normalizations
- * normalizer.ip6_options: ip6 options cleared
- * normalizer.test_ip6_options: test ip6 options cleared
- * normalizer.icmp6_echo: icmp6 echo normalizations
- * normalizer.test_icmp6_echo: test icmp6 echo normalizations
+ (sum)
+ * normalizer.ip4_df: don’t frag bit normalizations (sum)
+ * normalizer.test_ip4_df: test don’t frag bit normalizations (sum)
+ * normalizer.ip4_rf: reserved flag bit clears (sum)
+ * normalizer.test_ip4_rf: test reserved flag bit clears (sum)
+ * normalizer.ip4_ttl: time-to-live normalizations (sum)
+ * normalizer.test_ip4_ttl: test time-to-live normalizations (sum)
+ * normalizer.ip4_opts: ip4 options cleared (sum)
+ * normalizer.test_ip4_opts: test ip4 options cleared (sum)
+ * normalizer.icmp4_echo: icmp4 ping normalizations (sum)
+ * normalizer.test_icmp4_echo: test icmp4 ping normalizations (sum)
+ * normalizer.ip6_hops: ip6 hop limit normalizations (sum)
+ * normalizer.test_ip6_hops: test ip6 hop limit normalizations (sum)
+ * normalizer.ip6_options: ip6 options cleared (sum)
+ * normalizer.test_ip6_options: test ip6 options cleared (sum)
+ * normalizer.icmp6_echo: icmp6 echo normalizations (sum)
+ * normalizer.test_icmp6_echo: test icmp6 echo normalizations (sum)
* normalizer.tcp_syn_options: SYN only options cleared from non-SYN
- packets
+ packets (sum)
* normalizer.test_tcp_syn_options: test SYN only options cleared
- from non-SYN packets
- * normalizer.tcp_options: packets with options cleared
+ from non-SYN packets (sum)
+ * normalizer.tcp_options: packets with options cleared (sum)
* normalizer.test_tcp_options: test packets with options cleared
- * normalizer.tcp_padding: packets with padding cleared
+ (sum)
+ * normalizer.tcp_padding: packets with padding cleared (sum)
* normalizer.test_tcp_padding: test packets with padding cleared
- * normalizer.tcp_reserved: packets with reserved bits cleared
+ (sum)
+ * normalizer.tcp_reserved: packets with reserved bits cleared (sum)
* normalizer.test_tcp_reserved: test packets with reserved bits
- cleared
- * normalizer.tcp_nonce: packets with nonce bit cleared
+ cleared (sum)
+ * normalizer.tcp_nonce: packets with nonce bit cleared (sum)
* normalizer.test_tcp_nonce: test packets with nonce bit cleared
+ (sum)
* normalizer.tcp_urgent_ptr: packets without data with urgent
- pointer cleared
+ pointer cleared (sum)
* normalizer.test_tcp_urgent_ptr: test packets without data with
- urgent pointer cleared
- * normalizer.tcp_ecn_pkt: packets with ECN bits cleared
+ urgent pointer cleared (sum)
+ * normalizer.tcp_ecn_pkt: packets with ECN bits cleared (sum)
* normalizer.test_tcp_ecn_pkt: test packets with ECN bits cleared
- * normalizer.tcp_ts_ecr: timestamp cleared on non-ACKs
+ (sum)
+ * normalizer.tcp_ts_ecr: timestamp cleared on non-ACKs (sum)
* normalizer.test_tcp_ts_ecr: test timestamp cleared on non-ACKs
+ (sum)
* normalizer.tcp_req_urg: cleared urgent pointer when urgent flag
- is not set
+ is not set (sum)
* normalizer.test_tcp_req_urg: test cleared urgent pointer when
- urgent flag is not set
+ urgent flag is not set (sum)
* normalizer.tcp_req_pay: cleared urgent pointer and urgent flag
- when there is no payload
+ when there is no payload (sum)
* normalizer.test_tcp_req_pay: test cleared urgent pointer and
- urgent flag when there is no payload
+ urgent flag when there is no payload (sum)
* normalizer.tcp_req_urp: cleared the urgent flag if the urgent
- pointer is not set
+ pointer is not set (sum)
* normalizer.test_tcp_req_urp: test cleared the urgent flag if the
- urgent pointer is not set
- * normalizer.tcp_trim_syn: tcp segments trimmed on SYN
+ urgent pointer is not set (sum)
+ * normalizer.tcp_trim_syn: tcp segments trimmed on SYN (sum)
* normalizer.test_tcp_trim_syn: test tcp segments trimmed on SYN
- * normalizer.tcp_trim_rst: RST packets with data trimmed
+ (sum)
+ * normalizer.tcp_trim_rst: RST packets with data trimmed (sum)
* normalizer.test_tcp_trim_rst: test RST packets with data trimmed
- * normalizer.tcp_trim_win: data trimmed to window
- * normalizer.test_tcp_trim_win: test data trimmed to window
- * normalizer.tcp_trim_mss: data trimmed to MSS
- * normalizer.test_tcp_trim_mss: test data trimmed to MSS
- * normalizer.tcp_ecn_session: ECN bits cleared
- * normalizer.test_tcp_ecn_session: test ECN bits cleared
- * normalizer.tcp_ts_nop: timestamp options cleared
- * normalizer.test_tcp_ts_nop: test timestamp options cleared
- * normalizer.tcp_ips_data: normalized segments
- * normalizer.test_tcp_ips_data: test normalized segments
- * normalizer.tcp_block: blocked segments
- * normalizer.test_tcp_block: test blocked segments
+ (sum)
+ * normalizer.tcp_trim_win: data trimmed to window (sum)
+ * normalizer.test_tcp_trim_win: test data trimmed to window (sum)
+ * normalizer.tcp_trim_mss: data trimmed to MSS (sum)
+ * normalizer.test_tcp_trim_mss: test data trimmed to MSS (sum)
+ * normalizer.tcp_ecn_session: ECN bits cleared (sum)
+ * normalizer.test_tcp_ecn_session: test ECN bits cleared (sum)
+ * normalizer.tcp_ts_nop: timestamp options cleared (sum)
+ * normalizer.test_tcp_ts_nop: test timestamp options cleared (sum)
+ * normalizer.tcp_ips_data: normalized segments (sum)
+ * normalizer.test_tcp_ips_data: test normalized segments (sum)
+ * normalizer.tcp_block: blocked segments (sum)
+ * normalizer.test_tcp_block: test blocked segments (sum)
9.24. packet_capture
Type: inspector
+Usage: context
+
Configuration:
* bool packet_capture.enable = false: initially enable packet
Peg counts:
- * packet_capture.processed: packets processed against filter
+ * packet_capture.processed: packets processed against filter (sum)
* packet_capture.captured: packets matching dumped after matching
- filter
+ filter (sum)
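Review bot: the rewritten description `+ * packet_capture.captured: packets matching dumped after matching filter (sum)` reads as garbled ("packets matching dumped after matching filter"); since the line is already being touched to add the `(sum)` tag, reword it to something like "packets matching the filter that were dumped (sum)" so it parallels `packet_capture.processed` directly above.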
9.25. perf_monitor
Type: inspector
+Usage: context
+
Configuration:
* bool perf_monitor.base = true: enable base statistics { nullptr }
Peg counts:
- * perf_monitor.packets: total packets
+ * perf_monitor.packets: total packets (sum)
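Review bot: the configuration line `* bool perf_monitor.base = true: enable base statistics { nullptr }` in this region shows `{ nullptr }` where every other option in the document shows either a value range or nothing; this looks like a default that leaked from the code into the generated help text. The hunk is adding the `Usage: context` line to this module anyway, so it is a good moment to drop the stray `{ nullptr }`.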
9.26. pop
Type: inspector
+Usage: inspect
+
Configuration:
* int pop.b64_decode_depth = 1460: base64 decoding depth { -1:65535
Peg counts:
- * pop.packets: total packets processed
- * pop.sessions: total pop sessions
- * pop.b64_attachments: total base64 attachments decoded
- * pop.b64_decoded_bytes: total base64 decoded bytes
+ * pop.packets: total packets processed (sum)
+ * pop.sessions: total pop sessions (sum)
+ * pop.concurrent_sessions: total concurrent pop sessions (now)
+ * pop.max_concurrent_sessions: maximum concurrent pop sessions
+ (max)
+ * pop.b64_attachments: total base64 attachments decoded (sum)
+ * pop.b64_decoded_bytes: total base64 decoded bytes (sum)
* pop.qp_attachments: total quoted-printable attachments decoded
- * pop.qp_decoded_bytes: total quoted-printable decoded bytes
- * pop.uu_attachments: total uu attachments decoded
- * pop.uu_decoded_bytes: total uu decoded bytes
+ (sum)
+ * pop.qp_decoded_bytes: total quoted-printable decoded bytes (sum)
+ * pop.uu_attachments: total uu attachments decoded (sum)
+ * pop.uu_decoded_bytes: total uu decoded bytes (sum)
* pop.non_encoded_attachments: total non-encoded attachments
- extracted
- * pop.non_encoded_bytes: total non-encoded extracted bytes
+ extracted (sum)
+ * pop.non_encoded_bytes: total non-encoded extracted bytes (sum)
9.27. port_scan
Type: inspector
+Usage: context
+
Configuration:
* int port_scan.memcap = 1048576: maximum tracker memory in bytes {
Peg counts:
- * port_scan.packets: total packets
+ * port_scan.packets: total packets (sum)
-9.28. reputation
+9.28. reg_test
+
+--------------
+
+What: The regression test inspector (rti) is used when special packet
+handling is required for a reg test
+
+Type: inspector
+
+Usage: context
+
+Configuration:
+
+ * bool reg_test.test_daq_retry = true: test daq packet retry
+ feature
+
+Peg counts:
+
+ * reg_test.packets: total packets (sum)
+ * reg_test.retry_requests: total retry packets requested (sum)
+ * reg_test.retry_packets: total retried packets received (sum)
+
+
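Review bot: the new `What:` line introduces the abbreviation "(rti)" and then never uses it, and the section is otherwise worded as "reg test"; either drop the abbreviation or use one consistent name ("regression test inspector") in the description so the generated reference reads cleanly. It would also help to say in the same sentence that the inspector is only meant for regression test runs, since `reg_test.test_daq_retry` defaults to `true` and nothing in the section warns a reader not to load it in a normal configuration.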
+9.29. reputation
--------------
Type: inspector
+Usage: global
+
Configuration:
* string reputation.blacklist: blacklist file name with ip lists
Peg counts:
- * reputation.packets: total packets processed
- * reputation.blacklisted: number of packets blacklisted
- * reputation.whitelisted: number of packets whitelisted
- * reputation.monitored: number of packets monitored
- * reputation.memory_allocated: total memory allocated
+ * reputation.packets: total packets processed (sum)
+ * reputation.blacklisted: number of packets blacklisted (sum)
+ * reputation.whitelisted: number of packets whitelisted (sum)
+ * reputation.monitored: number of packets monitored (sum)
+ * reputation.memory_allocated: total memory allocated (sum)
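Review bot: `+ * reputation.memory_allocated: total memory allocated (sum)` tags a memory figure as a cumulative sum, while the other memory pegs in this patch (`stream_ip.memory_used: current memory usage in bytes (now)` and `stream_tcp.memory: current memory in use (now)`) are tagged as gauges. Please confirm whether this peg counts bytes ever allocated or reports the bytes currently held; if it is the latter, the tag should be `(now)` and the description should say "current", otherwise the description should make the cumulative meaning explicit.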
-9.29. rpc_decode
+9.30. rpc_decode
--------------
Type: inspector
+Usage: inspect
+
Rules:
* 106:1 (rpc_decode) fragmented RPC records
Peg counts:
- * rpc_decode.packets: total packets
+ * rpc_decode.total_packets: total packets (sum)
+ * rpc_decode.concurrent_sessions: total concurrent rpc sessions
+ (now)
+ * rpc_decode.max_concurrent_sessions: maximum concurrent rpc
+ sessions (max)
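Review bot: renaming `rpc_decode.packets` to `rpc_decode.total_packets` (and, further down, `telnet.packets` to `telnet.total_packets`) changes a peg name while `pop.packets`, `sip.packets`, `smtp.packets`, `ssh.packets` and `ssl.packets` keep the old form, so the naming is now inconsistent across inspectors and anything that reads peg counts by name for these two modules will stop matching. Either keep the `.packets` name here for consistency or call the rename out as a breaking change in the release notes so dashboards and scripts that key on it can be updated.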
-9.30. sip
+9.31. sip
--------------
Type: inspector
+Usage: inspect
+
Configuration:
* bool sip.ignore_call_channel = false: enables the support for
Peg counts:
- * sip.packets: total packets
- * sip.sessions: total sessions
- * sip.events: events generated
- * sip.dialogs: total dialogs
- * sip.ignored_channels: total channels ignored
- * sip.ignored_sessions: total sessions ignored
- * sip.total_requests: total requests
- * sip.invite: invite
- * sip.cancel: cancel
- * sip.ack: ack
- * sip.bye: bye
- * sip.register: register
- * sip.options: options
- * sip.refer: refer
- * sip.subscribe: subscribe
- * sip.update: update
- * sip.join: join
- * sip.info: info
- * sip.message: message
- * sip.notify: notify
- * sip.prack: prack
- * sip.total_responses: total responses
- * sip.code_1xx: 1xx
- * sip.code_2xx: 2xx
- * sip.code_3xx: 3xx
- * sip.code_4xx: 4xx
- * sip.code_5xx: 5xx
- * sip.code_6xx: 6xx
- * sip.code_7xx: 7xx
- * sip.code_8xx: 8xx
- * sip.code_9xx: 9xx
-
-
-9.31. smtp
+ * sip.packets: total packets (sum)
+ * sip.sessions: total sessions (sum)
+ * sip.concurrent_sessions: total concurrent sip sessions (now)
+ * sip.max_concurrent_sessions: maximum concurrent sip sessions
+ (max)
+ * sip.events: events generated (sum)
+ * sip.dialogs: total dialogs (sum)
+ * sip.ignored_channels: total channels ignored (sum)
+ * sip.ignored_sessions: total sessions ignored (sum)
+ * sip.total_requests: total requests (sum)
+ * sip.invite: invite (sum)
+ * sip.cancel: cancel (sum)
+ * sip.ack: ack (sum)
+ * sip.bye: bye (sum)
+ * sip.register: register (sum)
+ * sip.options: options (sum)
+ * sip.refer: refer (sum)
+ * sip.subscribe: subscribe (sum)
+ * sip.update: update (sum)
+ * sip.join: join (sum)
+ * sip.info: info (sum)
+ * sip.message: message (sum)
+ * sip.notify: notify (sum)
+ * sip.prack: prack (sum)
+ * sip.total_responses: total responses (sum)
+ * sip.code_1xx: 1xx (sum)
+ * sip.code_2xx: 2xx (sum)
+ * sip.code_3xx: 3xx (sum)
+ * sip.code_4xx: 4xx (sum)
+ * sip.code_5xx: 5xx (sum)
+ * sip.code_6xx: 6xx (sum)
+ * sip.code_7xx: 7xx (sum)
+ * sip.code_8xx: 8xx (sum)
+ * sip.code_9xx: 9xx (sum)
+
+
+9.32. smtp
--------------
Type: inspector
+Usage: inspect
+
Configuration:
* string smtp.alt_max_command_line_len[].command: command string
Peg counts:
- * smtp.packets: total packets processed
- * smtp.sessions: total smtp sessions
- * smtp.concurrent_sessions: total concurrent smtp sessions
+ * smtp.packets: total packets processed (sum)
+ * smtp.sessions: total smtp sessions (sum)
+ * smtp.concurrent_sessions: total concurrent smtp sessions (now)
* smtp.max_concurrent_sessions: maximum concurrent smtp sessions
- * smtp.b64_attachments: total base64 attachments decoded
- * smtp.b64_decoded_bytes: total base64 decoded bytes
+ (max)
+ * smtp.b64_attachments: total base64 attachments decoded (sum)
+ * smtp.b64_decoded_bytes: total base64 decoded bytes (sum)
* smtp.qp_attachments: total quoted-printable attachments decoded
- * smtp.qp_decoded_bytes: total quoted-printable decoded bytes
- * smtp.uu_attachments: total uu attachments decoded
- * smtp.uu_decoded_bytes: total uu decoded bytes
+ (sum)
+ * smtp.qp_decoded_bytes: total quoted-printable decoded bytes (sum)
+ * smtp.uu_attachments: total uu attachments decoded (sum)
+ * smtp.uu_decoded_bytes: total uu decoded bytes (sum)
* smtp.non_encoded_attachments: total non-encoded attachments
- extracted
- * smtp.non_encoded_bytes: total non-encoded extracted bytes
+ extracted (sum)
+ * smtp.non_encoded_bytes: total non-encoded extracted bytes (sum)
-9.32. ssh
+9.33. ssh
--------------
Type: inspector
+Usage: inspect
+
Configuration:
* int ssh.max_encrypted_packets = 25: ignore session after this
Peg counts:
- * ssh.packets: total packets
+ * ssh.packets: total packets (sum)
+ * ssh.concurrent_sessions: total concurrent ssh sessions (now)
+ * ssh.max_concurrent_sessions: maximum concurrent ssh sessions
+ (max)
-9.33. ssl
+9.34. ssl
--------------
Type: inspector
+Usage: inspect
+
Configuration:
* bool ssl.trust_servers = false: disables requirement that
Peg counts:
- * ssl.packets: total packets processed
- * ssl.decoded: ssl packets decoded
- * ssl.client_hello: total client hellos
- * ssl.server_hello: total server hellos
- * ssl.certificate: total ssl certificates
- * ssl.server_done: total server done
- * ssl.client_key_exchange: total client key exchanges
- * ssl.server_key_exchange: total server key exchanges
- * ssl.change_cipher: total change cipher records
- * ssl.finished: total handshakes finished
- * ssl.client_application: total client application records
- * ssl.server_application: total server application records
- * ssl.alert: total ssl alert records
- * ssl.unrecognized_records: total unrecognized records
- * ssl.handshakes_completed: total completed ssl handshakes
- * ssl.bad_handshakes: total bad handshakes
- * ssl.sessions_ignored: total sessions ignore
- * ssl.detection_disabled: total detection disabled
-
-
-9.34. stream
+ * ssl.packets: total packets processed (sum)
+ * ssl.decoded: ssl packets decoded (sum)
+ * ssl.client_hello: total client hellos (sum)
+ * ssl.server_hello: total server hellos (sum)
+ * ssl.certificate: total ssl certificates (sum)
+ * ssl.server_done: total server done (sum)
+ * ssl.client_key_exchange: total client key exchanges (sum)
+ * ssl.server_key_exchange: total server key exchanges (sum)
+ * ssl.change_cipher: total change cipher records (sum)
+ * ssl.finished: total handshakes finished (sum)
+ * ssl.client_application: total client application records (sum)
+ * ssl.server_application: total server application records (sum)
+ * ssl.alert: total ssl alert records (sum)
+ * ssl.unrecognized_records: total unrecognized records (sum)
+ * ssl.handshakes_completed: total completed ssl handshakes (sum)
+ * ssl.bad_handshakes: total bad handshakes (sum)
+ * ssl.sessions_ignored: total sessions ignore (sum)
+ * ssl.detection_disabled: total detection disabled (sum)
+ * ssl.concurrent_sessions: total concurrent ssl sessions (now)
+ * ssl.max_concurrent_sessions: maximum concurrent ssl sessions
+ (max)
+
+
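Review bot: `+ * ssl.sessions_ignored: total sessions ignore (sum)` carries the existing typo "ignore" into the rewritten line; since the description is being edited to add the `(sum)` tag, fix it to "total sessions ignored (sum)" so it reads like the neighbouring `ssl.detection_disabled` entry.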
+9.35. stream
--------------
Type: inspector
+Usage: global
+
Configuration:
* int stream.footprint = 0: use zero for production, non-zero for
Peg counts:
- * stream.ip_flows: total ip sessions
- * stream.ip_total_prunes: total ip sessions pruned
- * stream.ip_idle_prunes: ip sessions pruned due to timeout
- * stream.ip_excess_prunes: ip sessions pruned due to excess
- * stream.ip_uni_prunes: ip uni sessions pruned
+ * stream.ip_flows: total ip sessions (sum)
+ * stream.ip_total_prunes: total ip sessions pruned (sum)
+ * stream.ip_idle_prunes: ip sessions pruned due to timeout (sum)
+ * stream.ip_excess_prunes: ip sessions pruned due to excess (sum)
+ * stream.ip_uni_prunes: ip uni sessions pruned (sum)
* stream.ip_preemptive_prunes: ip sessions pruned during preemptive
- pruning
- * stream.ip_memcap_prunes: ip sessions pruned due to memcap
+ pruning (sum)
+ * stream.ip_memcap_prunes: ip sessions pruned due to memcap (sum)
* stream.ip_ha_prunes: ip sessions pruned by high availability sync
- * stream.icmp_flows: total icmp sessions
- * stream.icmp_total_prunes: total icmp sessions pruned
+ (sum)
+ * stream.icmp_flows: total icmp sessions (sum)
+ * stream.icmp_total_prunes: total icmp sessions pruned (sum)
* stream.icmp_idle_prunes: icmp sessions pruned due to timeout
+ (sum)
* stream.icmp_excess_prunes: icmp sessions pruned due to excess
- * stream.icmp_uni_prunes: icmp uni sessions pruned
+ (sum)
+ * stream.icmp_uni_prunes: icmp uni sessions pruned (sum)
* stream.icmp_preemptive_prunes: icmp sessions pruned during
- preemptive pruning
+ preemptive pruning (sum)
* stream.icmp_memcap_prunes: icmp sessions pruned due to memcap
+ (sum)
* stream.icmp_ha_prunes: icmp sessions pruned by high availability
- sync
- * stream.tcp_flows: total tcp sessions
- * stream.tcp_total_prunes: total tcp sessions pruned
- * stream.tcp_idle_prunes: tcp sessions pruned due to timeout
- * stream.tcp_excess_prunes: tcp sessions pruned due to excess
- * stream.tcp_uni_prunes: tcp uni sessions pruned
+ sync (sum)
+ * stream.tcp_flows: total tcp sessions (sum)
+ * stream.tcp_total_prunes: total tcp sessions pruned (sum)
+ * stream.tcp_idle_prunes: tcp sessions pruned due to timeout (sum)
+ * stream.tcp_excess_prunes: tcp sessions pruned due to excess (sum)
+ * stream.tcp_uni_prunes: tcp uni sessions pruned (sum)
* stream.tcp_preemptive_prunes: tcp sessions pruned during
- preemptive pruning
- * stream.tcp_memcap_prunes: tcp sessions pruned due to memcap
+ preemptive pruning (sum)
+ * stream.tcp_memcap_prunes: tcp sessions pruned due to memcap (sum)
* stream.tcp_ha_prunes: tcp sessions pruned by high availability
- sync
- * stream.udp_flows: total udp sessions
- * stream.udp_total_prunes: total udp sessions pruned
- * stream.udp_idle_prunes: udp sessions pruned due to timeout
- * stream.udp_excess_prunes: udp sessions pruned due to excess
- * stream.udp_uni_prunes: udp uni sessions pruned
+ sync (sum)
+ * stream.udp_flows: total udp sessions (sum)
+ * stream.udp_total_prunes: total udp sessions pruned (sum)
+ * stream.udp_idle_prunes: udp sessions pruned due to timeout (sum)
+ * stream.udp_excess_prunes: udp sessions pruned due to excess (sum)
+ * stream.udp_uni_prunes: udp uni sessions pruned (sum)
* stream.udp_preemptive_prunes: udp sessions pruned during
- preemptive pruning
- * stream.udp_memcap_prunes: udp sessions pruned due to memcap
+ preemptive pruning (sum)
+ * stream.udp_memcap_prunes: udp sessions pruned due to memcap (sum)
* stream.udp_ha_prunes: udp sessions pruned by high availability
- sync
- * stream.user_flows: total user sessions
- * stream.user_total_prunes: total user sessions pruned
+ sync (sum)
+ * stream.user_flows: total user sessions (sum)
+ * stream.user_total_prunes: total user sessions pruned (sum)
* stream.user_idle_prunes: user sessions pruned due to timeout
+ (sum)
* stream.user_excess_prunes: user sessions pruned due to excess
- * stream.user_uni_prunes: user uni sessions pruned
+ (sum)
+ * stream.user_uni_prunes: user uni sessions pruned (sum)
* stream.user_preemptive_prunes: user sessions pruned during
- preemptive pruning
+ preemptive pruning (sum)
* stream.user_memcap_prunes: user sessions pruned due to memcap
+ (sum)
* stream.user_ha_prunes: user sessions pruned by high availability
- sync
- * stream.file_flows: total file sessions
- * stream.file_total_prunes: total file sessions pruned
+ sync (sum)
+ * stream.file_flows: total file sessions (sum)
+ * stream.file_total_prunes: total file sessions pruned (sum)
* stream.file_idle_prunes: file sessions pruned due to timeout
+ (sum)
* stream.file_excess_prunes: file sessions pruned due to excess
- * stream.file_uni_prunes: file uni sessions pruned
+ (sum)
+ * stream.file_uni_prunes: file uni sessions pruned (sum)
* stream.file_preemptive_prunes: file sessions pruned during
- preemptive pruning
+ preemptive pruning (sum)
* stream.file_memcap_prunes: file sessions pruned due to memcap
+ (sum)
* stream.file_ha_prunes: file sessions pruned by high availability
- sync
+ sync (sum)
-9.35. stream_file
+9.36. stream_file
--------------
Type: inspector
+Usage: inspect
+
Configuration:
* bool stream_file.upload = false: indicate file transfer direction
-9.36. stream_icmp
+9.37. stream_icmp
--------------
Type: inspector
+Usage: inspect
+
Configuration:
* int stream_icmp.session_timeout = 30: session tracking timeout {
Peg counts:
- * stream_icmp.sessions: total icmp sessions
- * stream_icmp.max: max icmp sessions
- * stream_icmp.created: icmp session trackers created
- * stream_icmp.released: icmp session trackers released
- * stream_icmp.timeouts: icmp session timeouts
- * stream_icmp.prunes: icmp session prunes
+ * stream_icmp.sessions: total icmp sessions (sum)
+ * stream_icmp.max: max icmp sessions (max)
+ * stream_icmp.created: icmp session trackers created (sum)
+ * stream_icmp.released: icmp session trackers released (sum)
+ * stream_icmp.timeouts: icmp session timeouts (sum)
+ * stream_icmp.prunes: icmp session prunes (sum)
-9.37. stream_ip
+9.38. stream_ip
--------------
Type: inspector
+Usage: inspect
+
Configuration:
* int stream_ip.max_frags = 8192: maximum number of simultaneous
Peg counts:
- * stream_ip.sessions: total ip sessions
- * stream_ip.max: max ip sessions
- * stream_ip.created: ip session trackers created
- * stream_ip.released: ip session trackers released
- * stream_ip.timeouts: ip session timeouts
- * stream_ip.prunes: ip session prunes
- * stream_ip.total_frags: total fragments
- * stream_ip.current_frags: current fragments
- * stream_ip.max_frags: max fragments
- * stream_ip.reassembled: reassembled datagrams
- * stream_ip.discards: fragments discarded
- * stream_ip.frag_timeouts: datagrams abandoned
- * stream_ip.overlaps: overlapping fragments
- * stream_ip.anomalies: anomalies detected
- * stream_ip.alerts: alerts generated
- * stream_ip.drops: fragments dropped
- * stream_ip.trackers_added: datagram trackers created
- * stream_ip.trackers_freed: datagram trackers released
- * stream_ip.trackers_cleared: datagram trackers cleared
- * stream_ip.trackers_completed: datagram trackers completed
- * stream_ip.nodes_inserted: fragments added to tracker
- * stream_ip.nodes_deleted: fragments deleted from tracker
- * stream_ip.memory_used: current memory usage in bytes
- * stream_ip.reassembled_bytes: total reassembled bytes
- * stream_ip.fragmented_bytes: total fragmented bytes
-
-
-9.38. stream_tcp
+ * stream_ip.sessions: total ip sessions (sum)
+ * stream_ip.max: max ip sessions (max)
+ * stream_ip.created: ip session trackers created (sum)
+ * stream_ip.released: ip session trackers released (sum)
+ * stream_ip.timeouts: ip session timeouts (sum)
+ * stream_ip.prunes: ip session prunes (sum)
+ * stream_ip.total_frags: total fragments (sum)
+ * stream_ip.current_frags: current fragments (now)
+ * stream_ip.max_frags: max fragments (sum)
+ * stream_ip.reassembled: reassembled datagrams (sum)
+ * stream_ip.discards: fragments discarded (sum)
+ * stream_ip.frag_timeouts: datagrams abandoned (sum)
+ * stream_ip.overlaps: overlapping fragments (sum)
+ * stream_ip.anomalies: anomalies detected (sum)
+ * stream_ip.alerts: alerts generated (sum)
+ * stream_ip.drops: fragments dropped (sum)
+ * stream_ip.trackers_added: datagram trackers created (sum)
+ * stream_ip.trackers_freed: datagram trackers released (sum)
+ * stream_ip.trackers_cleared: datagram trackers cleared (sum)
+ * stream_ip.trackers_completed: datagram trackers completed (sum)
+ * stream_ip.nodes_inserted: fragments added to tracker (sum)
+ * stream_ip.nodes_deleted: fragments deleted from tracker (sum)
+ * stream_ip.memory_used: current memory usage in bytes (now)
+ * stream_ip.reassembled_bytes: total reassembled bytes (sum)
+ * stream_ip.fragmented_bytes: total fragmented bytes (sum)
+
+
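Review bot: `+ * stream_ip.max_frags: max fragments (sum)` tags a maximum as a cumulative sum, which contradicts the tagging used everywhere else in this patch: `stream_ip.max: max ip sessions (max)` two lines above, `stream_icmp.max` and `stream_udp.max` in the neighbouring sections, and `stream_ip.current_frags: current fragments (now)` directly before it. Unless this peg really counts something, change the tag to `(max)`; if it does count, the description needs to say what is being summed.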
+9.39. stream_tcp
--------------
Type: inspector
+Usage: inspect
+
Configuration:
* int stream_tcp.flush_factor = 0: flush upon seeing a drop in
Peg counts:
- * stream_tcp.sessions: total tcp sessions
- * stream_tcp.max: max tcp sessions
- * stream_tcp.created: tcp session trackers created
- * stream_tcp.released: tcp session trackers released
- * stream_tcp.timeouts: tcp session timeouts
- * stream_tcp.prunes: tcp session prunes
- * stream_tcp.resyns: SYN received on established session
- * stream_tcp.discards: tcp packets discarded
- * stream_tcp.events: events generated
- * stream_tcp.ignored: tcp packets ignored
- * stream_tcp.untracked: tcp packets not tracked
+ * stream_tcp.sessions: total tcp sessions (sum)
+ * stream_tcp.max: max tcp sessions (max)
+ * stream_tcp.created: tcp session trackers created (sum)
+ * stream_tcp.released: tcp session trackers released (sum)
+ * stream_tcp.timeouts: tcp session timeouts (sum)
+ * stream_tcp.prunes: tcp session prunes (sum)
+ * stream_tcp.resyns: SYN received on established session (sum)
+ * stream_tcp.discards: tcp packets discarded (sum)
+ * stream_tcp.events: events generated (sum)
+ * stream_tcp.ignored: tcp packets ignored (sum)
+ * stream_tcp.untracked: tcp packets not tracked (sum)
* stream_tcp.syn_trackers: tcp session tracking started on syn
+ (sum)
* stream_tcp.syn_ack_trackers: tcp session tracking started on
- syn-ack
+ syn-ack (sum)
* stream_tcp.three_way_trackers: tcp session tracking started on
- ack
+ ack (sum)
* stream_tcp.data_trackers: tcp session tracking started on data
- * stream_tcp.segs_queued: total segments queued
- * stream_tcp.segs_released: total segments released
+ (sum)
+ * stream_tcp.segs_queued: total segments queued (sum)
+ * stream_tcp.segs_released: total segments released (sum)
* stream_tcp.segs_split: tcp segments split when reassembling PDUs
+ (sum)
* stream_tcp.segs_used: queued tcp segments applied to reassembled
- PDUs
- * stream_tcp.rebuilt_packets: total reassembled PDUs
- * stream_tcp.rebuilt_buffers: rebuilt PDU sections
- * stream_tcp.rebuilt_bytes: total rebuilt bytes
- * stream_tcp.overlaps: overlapping segments queued
- * stream_tcp.gaps: missing data between PDUs
+ PDUs (sum)
+ * stream_tcp.rebuilt_packets: total reassembled PDUs (sum)
+ * stream_tcp.rebuilt_buffers: rebuilt PDU sections (sum)
+ * stream_tcp.rebuilt_bytes: total rebuilt bytes (sum)
+ * stream_tcp.overlaps: overlapping segments queued (sum)
+ * stream_tcp.gaps: missing data between PDUs (sum)
* stream_tcp.exceeded_max_segs: number of times the maximum queued
- segment limit was reached
+ segment limit was reached (sum)
* stream_tcp.exceeded_max_bytes: number of times the maximum queued
- byte limit was reached
- * stream_tcp.internal_events: 135:X events generated
+ byte limit was reached (sum)
+ * stream_tcp.internal_events: 135:X events generated (sum)
* stream_tcp.client_cleanups: number of times data from server was
- flushed when session released
+ flushed when session released (sum)
* stream_tcp.server_cleanups: number of times data from client was
- flushed when session released
- * stream_tcp.memory: current memory in use
+ flushed when session released (sum)
+ * stream_tcp.memory: current memory in use (now)
* stream_tcp.initializing: number of sessions currently
- initializing
+ initializing (now)
* stream_tcp.established: number of sessions currently established
- * stream_tcp.closing: number of sessions currently closing
- * stream_tcp.syns: number of syn packets
- * stream_tcp.syn_acks: number of syn-ack packets
- * stream_tcp.resets: number of reset packets
- * stream_tcp.fins: number of fin packets
+ (now)
+ * stream_tcp.closing: number of sessions currently closing (now)
+ * stream_tcp.syns: number of syn packets (sum)
+ * stream_tcp.syn_acks: number of syn-ack packets (sum)
+ * stream_tcp.resets: number of reset packets (sum)
+ * stream_tcp.fins: number of fin packets (sum)
-9.39. stream_udp
+9.40. stream_udp
--------------
Type: inspector
+Usage: inspect
+
Configuration:
* int stream_udp.session_timeout = 30: session tracking timeout {
Peg counts:
- * stream_udp.sessions: total udp sessions
- * stream_udp.max: max udp sessions
- * stream_udp.created: udp session trackers created
- * stream_udp.released: udp session trackers released
- * stream_udp.timeouts: udp session timeouts
- * stream_udp.prunes: udp session prunes
- * stream_udp.ignored: udp packets ignored
+ * stream_udp.sessions: total udp sessions (sum)
+ * stream_udp.max: max udp sessions (max)
+ * stream_udp.created: udp session trackers created (sum)
+ * stream_udp.released: udp session trackers released (sum)
+ * stream_udp.timeouts: udp session timeouts (sum)
+ * stream_udp.prunes: udp session prunes (sum)
+ * stream_udp.ignored: udp packets ignored (sum)
-9.40. stream_user
+9.41. stream_user
--------------
Type: inspector
+Usage: inspect
+
Configuration:
* int stream_user.session_timeout = 30: session tracking timeout {
* int stream_user.trace: mask for enabling debug traces in module
-9.41. telnet
+9.42. telnet
--------------
Type: inspector
+Usage: inspect
+
Configuration:
* int telnet.ayt_attack_thresh = -1: alert on this number of
Peg counts:
- * telnet.packets: total packets
+ * telnet.total_packets: total packets (sum)
+ * telnet.concurrent_sessions: total concurrent telnet sessions
+ (now)
+ * telnet.max_concurrent_sessions: maximum concurrent telnet
+ sessions (max)
-9.42. wizard
+9.43. wizard
--------------
Type: inspector
+Usage: global
+
Configuration:
* string wizard.hexes[].service: name of service
Peg counts:
- * wizard.tcp_scans: tcp payload scans
- * wizard.tcp_hits: tcp identifications
- * wizard.udp_scans: udp payload scans
- * wizard.udp_hits: udp identifications
- * wizard.user_scans: user payload scans
- * wizard.user_hits: user identifications
+ * wizard.tcp_scans: tcp payload scans (sum)
+ * wizard.tcp_hits: tcp identifications (sum)
+ * wizard.udp_scans: udp payload scans (sum)
+ * wizard.udp_hits: udp identifications (sum)
+ * wizard.user_scans: user payload scans (sum)
+ * wizard.user_hits: user identifications (sum)
---------------------------------------------------------------------
Type: ips_action
+Usage: detect
+
Configuration:
* bool react.msg = false: use rule msg in response page instead of
Type: ips_action
+Usage: detect
+
Configuration:
* enum reject.reset: send tcp reset to one or both ends { source|
Type: ips_action
+Usage: detect
+
Configuration:
* bool rewrite.disable_replace = false: disable replace of packet
Type: ips_option
+Usage: detect
+
Configuration:
- * string ack.~range: check if tcp ack value is value | min<>max |
- <max | >min
+ * interval ack.~range: check if tcp ack value is value | min<>max |
+ <max | >min { 0: }
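Review bot: the `ack.~range` help text still spells out the old `value | min<>max | <max | >min` syntax after the type is changed to `interval`, whereas `bufferlen`, `dsize`, `fragoffset`, `icmp_id` and `icmp_seq` in the same patch are reworded to "in given range" now that the interval grammar is documented once under the interval type; reword this one the same way. Separately, the range `{ 0: }` leaves the upper bound open while the other interval options carry explicit maxima (`0:65535`, `0:8192`); the TCP acknowledgement number is a 32-bit field, so consider stating the upper bound so the option rejects values that can never match.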
11.2. appids
Type: ips_option
+Usage: detect
+
Configuration:
* string appids.~: comma separated list of application names
Type: ips_option
+Usage: detect
+
Configuration:
* implied asn1.bitstring_overflow: detects invalid bitstring
Type: ips_option
+Usage: detect
+
Configuration:
* int base64_decode.bytes: number of base64 encoded bytes to decode
Type: ips_option
+Usage: detect
+
Configuration:
- * string bufferlen.~range: len | min<>max | <max | >min, range is
- 0:65535
+ * interval bufferlen.~range: check that length of current buffer is
+ in given range { 0:65535 }
11.6. byte_extract
Type: ips_option
+Usage: detect
+
Configuration:
* int byte_extract.~count: number of bytes to pick up from the
Type: ips_option
+Usage: detect
+
Configuration:
* int byte_jump.~count: number of bytes to pick up from the buffer
Type: ips_option
+Usage: detect
+
Configuration:
* int byte_math.bytes: number of bytes to pick up from the buffer {
Type: ips_option
+Usage: detect
+
Configuration:
* int byte_test.~count: number of bytes to pick up from the buffer
Type: ips_option
+Usage: detect
+
Configuration:
* string classtype.~: classification for this rule
Type: ips_option
+Usage: detect
+
Configuration:
* string content.~data: data to match
Type: ips_option
+Usage: detect
+
Configuration:
* implied cvs.invalid-entry: looks for an invalid Entry string
Type: ips_option
+Usage: detect
+
Configuration:
* string dce_iface.uuid: match given dcerpc uuid
- * string dce_iface.version: interface version
+ * interval dce_iface.version: interface version { 0: }
* implied dce_iface.any_frag: match on any fragment
Type: ips_option
+Usage: detect
+
Configuration:
* string dce_opnum.~: match given dcerpc operation number, range or
Type: ips_option
+Usage: detect
+
11.16. detection_filter
Type: ips_option
+Usage: detect
+
Configuration:
* enum detection_filter.track: track hits by source or destination
Type: ips_option
+Usage: detect
+
11.18. dnp3_func
Type: ips_option
+Usage: detect
+
Configuration:
* string dnp3_func.~: match dnp3 function code or name
Type: ips_option
+Usage: detect
+
Configuration:
* string dnp3_ind.~: match given dnp3 indicator flags
Type: ips_option
+Usage: detect
+
Configuration:
* int dnp3_obj.group = 0: match given dnp3 object header group {
Type: ips_option
+Usage: detect
+
Configuration:
- * string dsize.~range: check if packet payload size is size | min<>
- max | <max | >min, range is 0:65535
+ * interval dsize.~range: check if packet payload size is in the
+ given range { 0:65535 }
11.22. file_data
Type: ips_option
+Usage: detect
+
11.23. file_type
Type: ips_option
+Usage: detect
+
Configuration:
* string file_type.~: list of file type IDs to match
Type: ips_option
+Usage: detect
+
Configuration:
* string flags.~test_flags: these flags are tested
Type: ips_option
+Usage: detect
+
Configuration:
* implied flow.to_client: match on server responses
Type: ips_option
+Usage: detect
+
Configuration:
* string flowbits.~command: set|reset|isset|etc.
Type: ips_option
+Usage: detect
+
Configuration:
* string fragbits.~flags: these flags are tested
Type: ips_option
+Usage: detect
+
Configuration:
- * string fragoffset.~range: check if ip fragment offset value is
- value | min<>max | <max | >min, range is 0:8192
+ * interval fragoffset.~range: check if ip fragment offset is in
+ given range { 0:8192 }
11.29. gid
Type: ips_option
+Usage: detect
+
Configuration:
* int gid.~: generator id { 1: }
Type: ips_option
+Usage: detect
+
Configuration:
* string gtp_info.~: info element to match
Type: ips_option
+Usage: detect
+
Configuration:
* string gtp_type.~: list of types to match
Type: ips_option
+Usage: detect
+
Configuration:
* int gtp_version.~: version to match { 0:2 }
Type: ips_option
+Usage: detect
+
11.34. http_cookie
Type: ips_option
+Usage: detect
+
Configuration:
* implied http_cookie.request: match against the cookie from the
Type: ips_option
+Usage: detect
+
Configuration:
* string http_header.field: restrict to given header. Header name
Type: ips_option
+Usage: detect
+
Configuration:
* implied http_method.with_body: parts of this rule examine HTTP
message trailers
-11.37. http_raw_cookie
+11.37. http_raw_body
+
+--------------
+
+What: rule option to set the detection cursor to the unnormalized
+message body
+
+Type: ips_option
+
+Usage: detect
+
+
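Review bot: the new `http_raw_body` section has no `Configuration:` block, while every sibling `http_raw_*` option in this region documents `request`, `with_body` or `with_trailer` parameters. If the raw body cursor genuinely takes no parameters, a short sentence saying so would stop readers from assuming the block was dropped; if it does accept the usual request/trailer modifiers, they need to be listed here like they are for `http_raw_header` and `http_raw_cookie`.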
+11.38. http_raw_cookie
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* implied http_raw_cookie.request: match against the cookie from
HTTP message trailers
-11.38. http_raw_header
+11.39. http_raw_header
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* implied http_raw_header.request: match against the headers from
HTTP message trailers
-11.39. http_raw_request
+11.40. http_raw_request
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* implied http_raw_request.with_body: parts of this rule examine
HTTP message trailers
-11.40. http_raw_status
+11.41. http_raw_status
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* implied http_raw_status.with_body: parts of this rule examine
HTTP message trailers
-11.41. http_raw_trailer
+11.42. http_raw_trailer
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* implied http_raw_trailer.request: match against the trailers from
HTTP response message body (must be combined with request)
-11.42. http_raw_uri
+11.43. http_raw_uri
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* implied http_raw_uri.with_body: parts of this rule examine HTTP
URI only
-11.43. http_stat_code
+11.44. http_stat_code
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* implied http_stat_code.with_body: parts of this rule examine HTTP
HTTP message trailers
-11.44. http_stat_msg
+11.45. http_stat_msg
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* implied http_stat_msg.with_body: parts of this rule examine HTTP
HTTP message trailers
-11.45. http_trailer
+11.46. http_trailer
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* string http_trailer.field: restrict to given trailer
message body (must be combined with request)
-11.46. http_uri
+11.47. http_true_ip
+
+--------------
+
+What: rule option to set the detection cursor to the final client IP
+address
+
+Type: ips_option
+
+Usage: detect
+
+Configuration:
+
+ * implied http_true_ip.with_body: parts of this rule examine HTTP
+ message body
+ * implied http_true_ip.with_trailer: parts of this rule examine
+ HTTP message trailers
+
+
+11.48. http_uri
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* implied http_uri.with_body: parts of this rule examine HTTP
only
-11.47. http_version
+11.49. http_version
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* implied http_version.request: match against the version from the
HTTP message trailers
-11.48. icmp_id
+11.50. icmp_id
--------------
Type: ips_option
+Usage: detect
+
Configuration:
- * string icmp_id.~range: check if icmp id is id | min<>max | <max |
- >min, range is 0:65535
+ * interval icmp_id.~range: check if icmp id is in given range {
+ 0:65535 }
-11.49. icmp_seq
+11.51. icmp_seq
--------------
Type: ips_option
+Usage: detect
+
Configuration:
- * string icmp_seq.~range: check if icmp sequence number is seq |
- min<>max | <max | >min, range is 0:65535
+ * interval icmp_seq.~range: check if icmp sequence number is in
+ given range { 0:65535 }
-11.50. icode
+11.52. icode
--------------
Type: ips_option
+Usage: detect
+
Configuration:
- * string icode.~range: check if ICMP code is code | min<>max | <max
- | >min, range is 0:255
+ * interval icode.~range: check if icmp code is in given range is {
+ 0:255 }
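Review bot: the new icode description reads "check if icmp code is in given range is { 0:255 }"; the second "is" is a leftover and should be dropped so the line matches the itype entry below ("check if icmp type is in given range { 0:255 }").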
-11.51. id
+11.53. id
--------------
Type: ips_option
+Usage: detect
+
Configuration:
- * string id.~range: check if the IP ID is id | min<>max | <max | >
- min
+ * interval id.~range: check if the ip id is in the given range { 0:
+ }
-11.52. ip_proto
+11.54. ip_proto
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* string ip_proto.~proto: [!|>|<] name or number
-11.53. ipopts
+11.55. ipopts
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* select ipopts.~opt: output format { rr|eol|nop|ts|sec|esec|lsrr|
lsrre|ssrr|satid|any }
-11.54. isdataat
+11.56. isdataat
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* string isdataat.~length: num | !num
buffer
-11.55. itype
+11.57. itype
--------------
Type: ips_option
+Usage: detect
+
Configuration:
- * string itype.~range: check if icmp type is type | min<>max | <max
- | >min, range is 0:255
+ * interval itype.~range: check if icmp type is in given range {
+ 0:255 }
-11.56. md5
+11.58. md5
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* string md5.~hash: data to match
of buffer
-11.57. metadata
+11.59. metadata
--------------
Type: ips_option
+Usage: detect
+
Configuration:
- * string metadata.service: service name
- * string metadata.*: additional parameters not used by snort
+ * string metadata.*: comma-separated list of arbitrary name value
+ pairs
-11.58. modbus_data
+11.60. modbus_data
--------------
Type: ips_option
+Usage: detect
-11.59. modbus_func
+
+11.61. modbus_func
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* string modbus_func.~: function code to match
-11.60. modbus_unit
+11.62. modbus_unit
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* int modbus_unit.~: modbus unit ID { 0:255 }
-11.61. msg
+11.63. msg
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* string msg.~: message describing rule
-11.62. pcre
+11.64. mss
+
+--------------
+
+What: detection for TCP maximum segment size
+
+Type: ips_option
+
+Usage: detect
+
+Configuration:
+
+ * interval mss.~range: check if TCP MSS is in given range { 0:65535
+ }
+
+
+11.65. pcre
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* string pcre.~re: Snort regular expression
-11.63. pkt_data
+11.66. pkt_data
--------------
Type: ips_option
+Usage: detect
+
-11.64. pkt_num
+11.67. pkt_num
--------------
Type: ips_option
+Usage: detect
+
Configuration:
- * string pkt_num.~range: check if packet number is in given range
+ * interval pkt_num.~range: check if packet number is in given range
+ { 1: }
-11.65. priority
+11.68. priority
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* int priority.~: relative severity level; 1 is highest priority {
1: }
-11.66. raw_data
+11.69. raw_data
--------------
Type: ips_option
+Usage: detect
+
-11.67. reference
+11.70. reference
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* string reference.~scheme: reference scheme
* string reference.~id: reference id
-11.68. regex
+11.71. regex
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* string regex.~re: hyperscan regular expression
* implied regex.dotall: matching a . will not exclude newlines
* implied regex.fast_pattern: use this content in the fast pattern
matcher instead of the content selected by default
- * implied regex.nocase: case insensitive match
* implied regex.multiline: ^ and $ anchors match any newlines in
data
+ * implied regex.nocase: case insensitive match
* implied regex.relative: start search from end of last match
instead of start of buffer
-11.69. rem
+11.72. rem
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* string rem.~: comment
-11.70. replace
+11.73. replace
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* string replace.~: byte code to replace with
-11.71. rev
+11.74. rev
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* int rev.~: revision { 1: }
-11.72. rpc
+11.75. rpc
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* int rpc.~app: application number
* string rpc.~proc: procedure number or * for any
-11.73. sd_pattern
+11.76. sd_pattern
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* string sd_pattern.~pattern: The pattern to search for
Peg counts:
* sd_pattern.below_threshold: sd_pattern matched but missed
- threshold
- * sd_pattern.pattern_not_found: sd_pattern did not not match
- * sd_pattern.terminated: hyperscan terminated
+ threshold (sum)
+ * sd_pattern.pattern_not_found: sd_pattern did not not match (sum)
+ * sd_pattern.terminated: hyperscan terminated (sum)
-11.74. seq
+11.77. seq
--------------
Type: ips_option
+Usage: detect
+
+Configuration:
+
+ * interval seq.~range: check if tcp sequence number is in given
+ range { 0: }
+
+
+11.78. service
+
+--------------
+
+What: rule option to specify list of services for grouping rules
+
+Type: ips_option
+
+Usage: detect
+
Configuration:
- * string seq.~range: check if tcp sequence number value is value |
- min<>max | <max | >min
+ * string service.*: one or more comma-separated service names
-11.75. session
+11.79. session
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* enum session.~mode: output format { printable|binary|all }
-11.76. sha256
+11.80. sha256
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* string sha256.~hash: data to match
start of buffer
-11.77. sha512
+11.81. sha512
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* string sha512.~hash: data to match
start of buffer
-11.78. sid
+11.82. sid
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* int sid.~: signature id { 1: }
-11.79. sip_body
+11.83. sip_body
--------------
Type: ips_option
+Usage: detect
-11.80. sip_header
+
+11.84. sip_header
--------------
Type: ips_option
+Usage: detect
+
-11.81. sip_method
+11.85. sip_method
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* string sip_method.*method: sip method
-11.82. sip_stat_code
+11.86. sip_stat_code
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* int sip_stat_code.*code: stat code { 1:999 }
-11.83. so
+11.87. so
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* string so.~func: name of eval function
-11.84. soid
+11.88. soid
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* string soid.~: SO rule ID has <gid>|<sid> format, like 3|12345
-11.85. ssl_state
+11.89. ssl_state
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* implied ssl_state.client_hello: check for client hello
unknown
-11.86. ssl_version
+11.90. ssl_version
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* implied ssl_version.sslv2: check for sslv2
tls1.2
-11.87. stream_reassemble
+11.91. stream_reassemble
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* enum stream_reassemble.action: stop or start stream reassembly {
remainder of the session
-11.88. stream_size
+11.92. stream_size
--------------
Type: ips_option
+Usage: detect
+
Configuration:
- * string stream_size.~range: size for comparison
+ * interval stream_size.~range: check if the stream size is in the
+ given range { 0: }
* enum stream_size.~direction: compare applies to the given
direction(s) { either|to_server|to_client|both }
-11.89. tag
+11.93. tag
--------------
Type: ips_option
+Usage: detect
+
Configuration:
* enum tag.~: log all packets in session or all packets to or from
* int tag.bytes: tag for this many bytes { 1: }
-11.90. tos
+11.94. target
+
+--------------
+
+What: rule option to indicate target of attack
+
+Type: ips_option
+
+Usage: detect
+
+Configuration:
+
+ * enum target.~: indicate the target of the attack { src_ip |
+ dst_ip }
+
+
+11.95. tos
--------------
Type: ips_option
+Usage: detect
+
Configuration:
- * string tos.~range: check if ip tos value is value | min<>max |
- <max | >min, range is 0:255
+ * interval tos.~range: check if ip tos is in given range { 0:255 }
-11.91. ttl
+11.96. ttl
--------------
Type: ips_option
+Usage: detect
+
Configuration:
- * string ttl.~range: check if ip ttl field value is value | min<>
- max | <max | >min, range is 0:255
+ * interval ttl.~range: check if ip ttl is in the given range {
+ 0:255 }
-11.92. urg
+11.97. urg
--------------
Type: ips_option
+Usage: detect
+
Configuration:
- * string urg.~range: check if urgent offset is min<>max | <max | >
- min, range is 0:65535
+ * interval urg.~range: check if tcp urgent offset is in given range
+ { 0:65535 }
-11.93. window
+11.98. window
--------------
Type: ips_option
+Usage: detect
+
+Configuration:
+
+ * interval window.~range: check if tcp window size is in given
+ range { 0:65535 }
+
+
+11.99. wscale
+
+--------------
+
+What: detection for TCP window scale
+
+Type: ips_option
+
+Usage: detect
+
Configuration:
- * string window.~range: check if tcp window field size is size |
- min<>max | <max | >min, range is 0:65535
+ * interval wscale.~range: check if TCP window scale is in given
+ range { 0:65535 }
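Review bot: the wscale range "{ 0:65535 }" is identical to the window entry directly above, which is suspicious for a window scale value: the TCP window scale is a shift count, not a 16-bit size (RFC 7323 limits the shift to 14), so confirm the bound was not simply inherited when the window text was copied. Separately, the two new "What:" lines read "detection for TCP window scale" and "detection for TCP maximum segment size" while every other new option uses "rule option to ..."; consider one phrasing.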
---------------------------------------------------------------------
Type: logger
+Usage: context
+
Configuration:
* bool alert_csv.file = false: output to alert_csv.txt instead of
stdout
- * multi alert_csv.fields = timestamp pkt_num proto pkt_gen dgm_len
+ * multi alert_csv.fields = timestamp pkt_num proto pkt_gen pkt_len
dir src_ap dst_ap rule action: selected fields will be output in
- given order left to right { action | dir | dgm_len | dst_addr |
- dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid
- | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id |
- ip_len | msg | pkt_gen | pkt_num | proto | rev | rule | sid |
- src_addr | src_ap | src_port | tcp_ack | tcp_flags | tcp_len |
- tcp_seq | tcp_win | timestamp | tos | ttl | udp_len }
- * int alert_csv.limit = 0: set limit (0 is unlimited) { 0: }
+ given order left to right { action | class | b64_data | dir |
+ dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src |
+ eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type |
+ iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num
+ | priority | proto | rev | rule | service | sid | src_addr |
+ src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len |
+ tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }
+ * int alert_csv.limit = 0: set maximum size in MB before rollover
+ (0 is unlimited) { 0: }
* string alert_csv.separator = , : separate fields with this
character sequence
- * enum alert_csv.units = B: bytes | KB | MB | GB { B | K | M | G }
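Review bot: the new alert_csv.fields enumeration is alphabetical except for "class", which is placed between "action" and "b64_data"; move it after "b64_data" so the list sorts cleanly (the same out-of-order "action | class | b64_data" sequence is repeated in the alert_json.fields list further down and in both appendix copies). The removal of alert_csv.units together with the "set maximum size in MB before rollover" wording is consistent, but the "limit = 0 ... (0 is unlimited)" default now implies no rollover at all by default; worth a sentence in the logger text if that is intended.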
14.2. alert_ex
Type: logger
+Usage: context
+
Configuration:
* bool alert_ex.upper = false: true/false → convert to upper/lower
Type: logger
+Usage: context
+
Configuration:
* bool alert_fast.file = false: output to alert_fast.txt instead of
stdout
* bool alert_fast.packet = false: output packet dump with alert
- * int alert_fast.limit = 0: set limit (0 is unlimited) { 0: }
- * enum alert_fast.units = B: bytes | KB | MB | GB { B | K | M | G }
+ * int alert_fast.limit = 0: set maximum size in MB before rollover
+ (0 is unlimited) { 0: }
14.4. alert_full
Type: logger
+Usage: context
+
Configuration:
* bool alert_full.file = false: output to alert_full.txt instead of
stdout
- * int alert_full.limit = 0: set limit (0 is unlimited) { 0: }
- * enum alert_full.units = B: limit is in bytes | KB | MB | GB { B |
- K | M | G }
+ * int alert_full.limit = 0: set maximum size in MB before rollover
+ (0 is unlimited) { 0: }
+
+
+14.5. alert_json
+
+--------------
+
+What: output event in json format
+
+Type: logger
+
+Usage: context
+
+Configuration:
+
+ * bool alert_json.file = false: output to alert_json.txt instead of
+ stdout
+ * multi alert_json.fields = timestamp pkt_num proto pkt_gen pkt_len
+ dir src_ap dst_ap rule action: selected fields will be output in
+ given order left to right { action | class | b64_data | dir |
+ dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src |
+ eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type |
+ iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num
+ | priority | proto | rev | rule | service | sid | src_addr |
+ src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len |
+ tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }
+ * int alert_json.limit = 0: set maximum size in MB before rollover
+ (0 is unlimited) { 0: }
+ * string alert_json.separator = , : separate fields with this
+ character sequence
-14.5. alert_sfsocket
+14.6. alert_sfsocket
--------------
Type: logger
+Usage: context
+
Configuration:
* string alert_sfsocket.file: name of unix socket file
* int alert_sfsocket.rules[].sid = 1: rule signature ID { 1: }
-14.6. alert_syslog
+14.7. alert_syslog
--------------
Type: logger
+Usage: context
+
Configuration:
* enum alert_syslog.facility = auth: part of priority applied to
cons | ndelay | perror | pid }
-14.7. alert_unixsock
+14.8. alert_unixsock
--------------
Type: logger
+Usage: context
+
-14.8. log_codecs
+14.9. log_codecs
--------------
Type: logger
+Usage: context
+
Configuration:
* bool log_codecs.file = false: output to log_codecs.txt instead of
* bool log_codecs.msg = false: include alert msg
-14.9. log_hext
+14.10. log_hext
--------------
Type: logger
+Usage: context
+
Configuration:
* bool log_hext.file = false: output to log_hext.txt instead of
stdout
* bool log_hext.raw = false: output all full packets if true, else
just TCP payload
- * int log_hext.limit = 0: set limit (0 is unlimited) { 0: }
- * enum log_hext.units = B: bytes | KB | MB | GB { B | K | M | G }
+ * int log_hext.limit = 0: set maximum size in MB before rollover (0
+ is unlimited) { 0: }
* int log_hext.width = 20: set line width (0 is unlimited) { 0: }
-14.10. log_pcap
+14.11. log_pcap
--------------
Type: logger
+Usage: context
+
Configuration:
- * int log_pcap.limit = 0: set limit (0 is unlimited) { 0: }
- * enum log_pcap.units = B: bytes | KB | MB | GB { B | K | M | G }
+ * int log_pcap.limit = 0: set maximum size in MB before rollover (0
+ is unlimited) { 0: }
-14.11. unified2
+14.12. unified2
--------------
Type: logger
+Usage: context
+
Configuration:
- * int unified2.limit = 0: set limit (0 is unlimited) { 0: }
- * enum unified2.units = B: limit multiplier { B | K | M | G }
+ * bool unified2.legacy_events = false: generate Snort 2.X style
+ events for barnyard2 compatibility
+ * int unified2.limit = 0: set maximum size in MB before rollover (0
+ is unlimited) { 0: }
* bool unified2.nostamp = true: append file creation time to name
(in Unix Epoch format)
- * bool unified2.mpls_event_types = false: include mpls labels in
- events
- * bool unified2.vlan_event_types = false: include vlan IDs in
- events
---------------------------------------------------------------------
* regex fast patterns, not just literals
* FlatBuffers and JSON perf monitor logs
* LuaJIT scriptable rule options and loggers
- * pub/sub inspection events (currently used by sip and http to
- appid)
+ * pub/sub inspection events (currently used by sip and http_inspect
+ to appid)
* JIT buffer stuffers (notably with new http_inspect)
* C-style comments in rules
* #begin … #end comment blocks in rules
* nested policy binding (Snort 2 has just one level)
* decode arbitrary layers (Snort 2 supports only 2 IP layers)
* process PDU buffers (Snort 2 only processes packets)
- * fully stateful http_inspect with 83 builtin alerts (Snort 2 is
+ * fully stateful http_inspect with 97 builtin alerts (Snort 2 is
only partly stateful with 33 builtin alerts)
* output all semantic errors before quitting (Snort 2 stops at
first one)
- * alert service (eg http) and alert file rules (Snort 2 must use
+ * alert file rules (Snort 2 must use multiple rules)
+ * alert service rules, eg alert http (Snort 2 must use
metadata:service)
+ * automatic fast_pattern only (Snort 2 requires explicit
+ fast_pattern:only)
* elided rule headers omit nets and/or ports (Snort 2 requires
explicit any)
* dump builtin rule stubs (Snort 2 can only dump SO stubs)
requires newline escapes)
* properly parse rules (Snort 2 can actually completely ignore
stuff)
- * optional warnings output, can be fatal (Snort 2 warnings are not
- optional or fatal)
+ * optional, expanded warnings output, can be fatal (Snort 2
+ warnings limited and are not optional or fatal)
* define and use arbitrary variables and functions in config with
Lua (Snort 2 has variables just for rule headers)
* text-based command line shell (Snort 2 has binary control socket)
* port_scan can block scans (Snort 2 can only detect scans)
* sigquit will cause a --dirty-pig style exit (Snort 2 handles
sigquit the same as sigterm and sigint)
+ * detection trace (Snort 2 has more limited buffer dumping)
+ * updated unified2 events with MPLS, VLAN, and IP6 (Snort 2
+ requires configuration and extra data)
+ * significantly more unit tests, including --catch and make check
+ (Snort 2 has very few unit tests)
* better modularity 346K/1534 = 226 lines/file, max=2700 (Snort 2
has 440K/1021 = 431 lines/file, max=13K)
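Review bot: the parenthetical in the reworded warnings bullet, "(Snort 2 warnings limited and are not optional or fatal)", is missing a verb; "(Snort 2 warnings are limited and are neither optional nor fatal)" reads correctly. In the same region, "updated unified2 events with MPLS, VLAN, and IP6" should match the unified2 logger change above, which removed mpls_event_types and vlan_event_types and added legacy_events; stating that these are now always included would make the two parts of the diff agree explicitly.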
--------------
* all rules must have a sid
+ * sid == 0 not allowed
* deleted activate / dynamic rules
+ * deleted unused rule_state.action
* deleted metadata engine shared
* deleted metadata: rule-flushing (with PDU flushing rule flushing
can cause missed attacks, the opposite of its intent)
- * deleted unused rule_state.action
- * fastpattern_offset, fast_pattern_length
+ * changed metadata:service one[, service two]; to service:one[,
+ two];
+ * soid is now a non-metadata option
+ * metadata is now truly metadata with no impact on detection (Snort
+ doesn’t care about metadata internal structure / syntax)
+ * deleted fast_pattern:only; use fast_pattern, nocase (option is
+ not added to detection tree if not required)
+ * changed fast_pattern:<offset>,<length> to fastpattern_offset:
+ <offset>, fast_pattern_length <length>
+ * fast pattern sensitive data with sd_pattern using hyperscan
+ * hyperscan regex fast patterns with regex:"<regex>", fast_pattern;
* no ; separated content suboptions
* offset, depth, distance, and within must use a space separator
not colon (e.g. offset:5; becomes offset 5;)
- * rule option sequence: <stub> soid <hidden>
- * sid == 0 not allowed
- * soid is now a non-metadata option
- * content suboptions http_* are now full options and should be
- place before content
+ * content suboptions http_* are now full options
+ * added sticky buffers: buffer selector options must precede
+ contents and remain in effect until changed
* the following pcre options have been deleted: use sticky buffers
instead B, U, P, H, M, C, I, D, K, S, Y
- * deleted uricontent ips rule option. uricontent:"foo" -→ http_uri;
- content:"foo"
+ * deleted uricontent option; use sticky buffer uricontent:"foo" -→
+ http_uri; content:"foo"
* deleted urilen raw and norm; must use http_raw_uri and http_uri
instead
* deleted unused http_encode option
sticky buffer
* added optional selector to http_header, e.g.
http_header:User-Agent;
- * multiline rules w/o \n
- * #begin … #end comments
+ * the all new http_inspect has new buffers and rule options
+ * added alert file and alert service rules (service in body not
+ required if there is only one and it is in header; alert service
+ / file rules disable fast pattern searching of raw packets)
+ * rule option sequence: <stub> soid <hidden>
+ * arbitrary whitespace and multiline rules w/o \n
+ * #begin … #end comments to easily comment out multiple lines
+ * add rule remarks option with rem:"arbitrary comment"
+ * nets and/or ports may be omitted from rule headers (matches any)
+ * parse all rules and output all errors before quitting
+ * read rules from conf, separate rules file, or stdin
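Review bot: the fast pattern bullet mixes two spellings and two separators, "fastpattern_offset: <offset>, fast_pattern_length <length>"; the same inconsistency was in the removed line ("fastpattern_offset, fast_pattern_length"), so verify the actual option names and write both in one form (underscore placement and colon versus space). Also, the rewritten uricontent bullet keeps the mangled arrow "-→"; the source most likely has "-->", which the renderer turns into a hyphen plus an arrow, so "->" would render as a single clean arrow.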
16.7. Output
* --error-file=<error_file> Same as -e. output all errors to
<error_file>
* --help Same as -h. this overview of snort2lua
+ * --ips-policy-pattern Convert config bindings matching this path
+ to ips policy bindings
* --markup print help in asciidoc compatible format
* --output-file=<out_file> Same as -o. output the new Snort++ lua
configuration to <out_file>
* --print-all Same as -a. default option. print all data
+ * --print-binding-order Print sorting priority used when generating
+ binder table
* --print-differences Same as -d. output the differences, and only
the differences, between the Snort and Snort++ configurations to
the <out_file>
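Review bot: the new "--ips-policy-pattern" entry says "matching this path" but shows no argument, unlike the neighbouring "--error-file=<error_file>" and "--output-file=<out_file>"; add the placeholder (for example "--ips-policy-pattern=<pattern>") so the reader knows a value is required. Minor: "Print sorting priority" in the new --print-binding-order entry is capitalised while the surrounding descriptions start lowercase ("print help", "output the differences").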
* Each header should have a comment immediately after the header
guard to give an overview of the file so the reader knows what’s
going on.
+ * Use the following comment on switch cases that intentionally fall
+ through to the next case to suppress compiler warning on known
+ valid cases:
+
+ // fallthrough
19.5. Logging
* flatbuffers: for an alternative perf_monitor logging format.
* hyperscan >= 4.4.0: for the regex and sd_pattern rule options and
the hyperscan search engine.
+ * iconv: for converting UTF16-LE filenames to UTF8 (usually
+ included in glibc)
* lzma: for decompression of SWF and PDF files.
* safec: for additional runtime error checking of some memory copy
operations.
package libraries.
These can be used for pcap, luajit, pcre, dnet, daq, lzma, openssl,
-flatbuffers, and hyperscan packages. For more information on these
-libraries see the Getting Started section of the manual.
+flatbuffers, iconv, and hyperscan packages. For more information on
+these libraries see the Getting Started section of the manual.
20.2. Environment Variables
* --dirty-pig don’t flush packets on shutdown
* -D run Snort in background (daemon) mode
* --dump-builtin-rules [<module prefix>] output stub rules for
- selected modules
+ selected modules (optional)
* --dump-defaults [<module prefix>] output module defaults in Lua
format (optional)
* --dump-dynamic-rules output stub rules for all loaded rules
* --enable-inline-test enable Inline-Test Mode Operation
* -f turn off fflush() calls after binary log writes
* -G <0xid> (same as --logid) (0:65535)
+ * --gen-msg-map dump builtin rules in gen-msg.map format for use by
+ other tools
* -g <gname> run snort gid as <gname> group (or gid) after
initialization
* --help-commands [<module prefix>] output matching commands
* --help list command line options
* --help-module <module> output description of given module
* --help-modules list all available modules with brief help
- * --help-options <option prefix> output matching command line
+ * --help-options [<option prefix>] output matching command line
option quick help (same as -?) (optional)
* --help-plugins list all available plugins with brief help
* --help-signals dump available control signals
* -H make hash tables deterministic
+ * --id-offset offset to add to instance IDs when logging to files
+ (0:65535)
* --id-subdir create/use instance subdirectories in logdir instead
of instance filename prefix
* --id-zero use id prefix / subdirectory even with one packet
* -k <mode> checksum mode; default is all (all|noip|notcp|noudp|
noicmp|none)
* --list-buffers output available inspection buffers
- * --list-builtin <module prefix> output matching builtin rules
+ * --list-builtin [<module prefix>] output matching builtin rules
(optional)
* --list-gids [<module prefix>] output matching generators
(optional)
* --markup output help in asciidoc compatible format
* --max-packet-threads <count> configure maximum number of packet
threads (same as -z) (0:)
+ * --mem-check like -T but also compile search engines
* -M log messages to syslog (not alerts)
* -m <umask> set umask = <umask> (0:)
* -n <count> stop after count packets (0:)
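Review bot: the added "--id-offset offset to add to instance IDs when logging to files (0:65535)" lacks the argument placeholder that the other value-taking options in this list show ("-G <0xid>", "-m <umask>", "-n <count>"); "--id-offset <offset>" would match the convention. The "[<module prefix>]" bracket fixes for --help-options and --list-builtin are correct given the "(optional)" suffix already on those lines.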
--------------
- * string ack.~range: check if tcp ack value is value | min<>max |
- <max | >min
+ * interval ack.~range: check if tcp ack value is value | min<>max |
+ <max | >min { 0: }
* int active.attempts = 0: number of TCP packets sent per response
(with varying sequence numbers) { 0:20 }
* string active.device: use ip for network layer responses or eth0
* int active.max_responses = 0: maximum number of responses { 0: }
* int active.min_interval = 255: minimum number of seconds between
responses { 1: }
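Review bot: the ack entry changes the type to interval but keeps the old string-era description "check if tcp ack value is value | min<>max | <max | >min"; every other option converted in this diff (seq, window, dsize, tos, ttl) was rewritten to "is in given range", so this one should read "check if tcp ack value is in given range { 0: }" and the seq / window / ack descriptions should agree.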
- * multi alert_csv.fields = timestamp pkt_num proto pkt_gen dgm_len
+ * multi alert_csv.fields = timestamp pkt_num proto pkt_gen pkt_len
dir src_ap dst_ap rule action: selected fields will be output in
- given order left to right { action | dir | dgm_len | dst_addr |
- dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid
- | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id |
- ip_len | msg | pkt_gen | pkt_num | proto | rev | rule | sid |
- src_addr | src_ap | src_port | tcp_ack | tcp_flags | tcp_len |
- tcp_seq | tcp_win | timestamp | tos | ttl | udp_len }
+ given order left to right { action | class | b64_data | dir |
+ dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src |
+ eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type |
+ iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num
+ | priority | proto | rev | rule | service | sid | src_addr |
+ src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len |
+ tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }
* bool alert_csv.file = false: output to alert_csv.txt instead of
stdout
- * int alert_csv.limit = 0: set limit (0 is unlimited) { 0: }
+ * int alert_csv.limit = 0: set maximum size in MB before rollover
+ (0 is unlimited) { 0: }
* string alert_csv.separator = , : separate fields with this
character sequence
- * enum alert_csv.units = B: bytes | KB | MB | GB { B | K | M | G }
* bool alert_ex.upper = false: true/false → convert to upper/lower
case
* bool alert_fast.file = false: output to alert_fast.txt instead of
stdout
- * int alert_fast.limit = 0: set limit (0 is unlimited) { 0: }
+ * int alert_fast.limit = 0: set maximum size in MB before rollover
+ (0 is unlimited) { 0: }
* bool alert_fast.packet = false: output packet dump with alert
- * enum alert_fast.units = B: bytes | KB | MB | GB { B | K | M | G }
* bool alert_full.file = false: output to alert_full.txt instead of
stdout
- * int alert_full.limit = 0: set limit (0 is unlimited) { 0: }
- * enum alert_full.units = B: limit is in bytes | KB | MB | GB { B |
- K | M | G }
+ * int alert_full.limit = 0: set maximum size in MB before rollover
+ (0 is unlimited) { 0: }
+ * multi alert_json.fields = timestamp pkt_num proto pkt_gen pkt_len
+ dir src_ap dst_ap rule action: selected fields will be output in
+ given order left to right { action | class | b64_data | dir |
+ dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src |
+ eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type |
+ iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num
+ | priority | proto | rev | rule | service | sid | src_addr |
+ src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len |
+ tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }
+ * bool alert_json.file = false: output to alert_json.txt instead of
+ stdout
+ * int alert_json.limit = 0: set maximum size in MB before rollover
+ (0 is unlimited) { 0: }
+ * string alert_json.separator = , : separate fields with this
+ character sequence
* bool alerts.alert_with_interface_name = false: include interface
in alert info (fast, full, or syslog only)
* bool alerts.default_rule_state = true: enable or disable ips
* string alert_sfsocket.file: name of unix socket file
* int alert_sfsocket.rules[].gid = 1: rule generator ID { 1: }
* int alert_sfsocket.rules[].sid = 1: rule signature ID { 1: }
+ * bool alerts.log_references = false: include rule references in
+ alert info (full only)
* string alerts.order = pass drop alert log: change the order of
rule action application
* int alerts.rate_filter_memcap = 1048576: set available bytes of
* bool alerts.stateful = false: don’t alert w/o established session
(note: rule action still taken)
* string alerts.tunnel_verdicts: let DAQ handle non-allow verdicts
- for GTP|Teredo|6in4|4in6 traffic
+ for gtp|teredo|6in4|4in6|4in4|6in6|gre|mpls traffic
* enum alert_syslog.facility = auth: part of priority applied to
each message { auth | authpriv | daemon | user | local0 | local1
| local2 | local3 | local4 | local5 | local6 | local7 }
* bool appid.debug = false: enable appid debug logging
* bool appid.dump_ports = false: enable dump of appid port
information
- * int appid.instance_id = 0: instance id - need more details for
- what this is { 0: }
+ * int appid.instance_id = 0: instance id - ignored { 0: }
* bool appid.log_all_sessions = false: enable logging of all appid
sessions
* bool appid.log_stats = false: enable logging of appid statistics
* enum binder[].use.action = inspect: what to do with matching
traffic { reset | block | allow | inspect }
* string binder[].use.file: use configuration in given file
+ * string binder[].use.inspection_policy: use inspection policy from
+ given file
+ * string binder[].use.ips_policy: use ips policy from given file
* string binder[].use.name: symbol name (defaults to type)
+ * string binder[].use.network_policy: use network policy from given
+ file
* string binder[].use.service: override automatic service
identification
* string binder[].use.type: select module for binding
+ * addr_list binder[].when.dst_nets: list of destination networks
+ * bit_list binder[].when.dst_ports: list of destination ports {
+ 65535 }
+ * int binder[].when.dst_zone: destination zone { 0:2147483647 }
* bit_list binder[].when.ifaces: list of interface indices { 255 }
+ * int binder[].when.ips_policy_id = 0: unique ID for selection of
+ this config by external logic { 0: }
* addr_list binder[].when.nets: list of networks
- * int binder[].when.policy_id = 0: unique ID for selection of this
- config by external logic { 0: }
* bit_list binder[].when.ports: list of ports { 65535 }
* enum binder[].when.proto: protocol { any | ip | icmp | tcp | udp
| user | file }
* enum binder[].when.role = any: use the given configuration on one
or any end of a session { client | server | any }
* string binder[].when.service: override default configuration
+ * addr_list binder[].when.src_nets: list of source networks
+ * bit_list binder[].when.src_ports: list of source ports { 65535 }
+ * int binder[].when.src_zone: source zone { 0:2147483647 }
* bit_list binder[].when.vlans: list of VLAN IDs { 4095 }
- * string bufferlen.~range: len | min<>max | <max | >min, range is
- 0:65535
+ * interval bufferlen.~range: check that length of current buffer is
+ in given range { 0:65535 }
* int byte_extract.align = 0: round the number of converted bytes
up to the next 2- or 4-byte boundary { 0:4 }
* implied byte_extract.big: big endian
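Review bot: the new help string for appid.instance_id ("instance id - ignored { 0: }") documents a parameter that has no effect; say whether it is retained only so existing configs keep loading, or mark it deprecated so users stop setting it. In the same hunk binder[].when.policy_id is replaced by binder[].when.ips_policy_id with the same default and range, which reads as a straight rename; a note that policy_id is no longer accepted would help configuration migration.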
promiscuous mode
* int daq.snaplen: set snap length (same as -s) { 0:65535 }
* string daq.variables[].str: string parameter
- * select data_log.key = http_raw_uri: name of data buffer to log {
- http_uri | http_raw_uri }
+ * select data_log.key = http_request_header_event : name of the
+ event to log { http_request_header_event |
+ http_response_header_event }
+ * int data_log.limit = 0: set maximum size in MB before rollover (0
+ is unlimited) { 0: }
* implied dce_iface.any_frag: match on any fragment
* string dce_iface.uuid: match given dcerpc uuid
- * string dce_iface.version: interface version
+ * interval dce_iface.version: interface version { 0: }
* string dce_opnum.~: match given dcerpc operation number, range or
list
* bool dce_smb.disable_defrag = false: Disable DCE/RPC
}
* int dpx.max = 0: maximum payload before alert { 0:65535 }
* port dpx.port: port to check
- * string dsize.~range: check if packet payload size is size | min<>
- max | <max | >min, range is 0:65535
+ * interval dsize.~range: check if packet payload size is in the
+ given range { 0:65535 }
* bool esp.decode_esp = false: enable for inspection of esp traffic
that has authentication but not encryption
* int event_filter[].count = 0: number of events in interval before
* implied flow.to_client: match on server responses
* implied flow.to_server: match on client requests
* string fragbits.~flags: these flags are tested
- * string fragoffset.~range: check if ip fragment offset value is
- value | min<>max | <max | >min, range is 0:8192
+ * interval fragoffset.~range: check if ip fragment offset is in
+ given range { 0:8192 }
* bool ftp_client.bounce = false: check for bounces
* addr ftp_client.bounce_to[].address = 1.0.0.0/32: allowed ip
address in CIDR format
message body (must be combined with request)
* implied http_trailer.with_header: parts of this rule examine HTTP
response message headers (must be combined with request)
+ * implied http_true_ip.with_body: parts of this rule examine HTTP
+ message body
+ * implied http_true_ip.with_trailer: parts of this rule examine
+ HTTP message trailers
* implied http_uri.fragment: match against fragment section of URI
only
* implied http_uri.host: match against host section of URI only
message body
* implied http_version.with_trailer: parts of this rule examine
HTTP message trailers
- * string icmp_id.~range: check if icmp id is id | min<>max | <max |
- >min, range is 0:65535
- * string icmp_seq.~range: check if icmp sequence number is seq |
- min<>max | <max | >min, range is 0:65535
- * string icode.~range: check if ICMP code is code | min<>max | <max
- | >min, range is 0:255
- * string id.~range: check if the IP ID is id | min<>max | <max | >
- min
+ * interval icmp_id.~range: check if icmp id is in given range {
+ 0:65535 }
+ * interval icmp_seq.~range: check if icmp sequence number is in
+ given range { 0:65535 }
+ * interval icode.~range: check if icmp code is in given range is {
+ 0:255 }
+ * interval id.~range: check if the ip id is in the given range { 0:
+ }
* int imap.b64_decode_depth = 1460: base64 decoding depth {
-1:65535 }
* int imap.bitenc_decode_depth = 1460: non-Encoded MIME attachment
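Review bot: the new icode.~range help text has a stray word: "check if icmp code is in given range is { 0:255 }" should read "check if icmp code is in given range { 0:255 }", matching the itype, icmp_id and icmp_seq entries in this hunk.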
* string ips.include: legacy snort rules and includes
* enum ips.mode: set policy mode { tap | inline | inline-test }
* string ips.rules: snort rules and includes
+ * string ips.uuid: IPS policy uuid
* string isdataat.~length: num | !num
* implied isdataat.relative: offset from cursor instead of start of
buffer
- * string itype.~range: check if icmp type is type | min<>max | <max
- | >min, range is 0:255
+ * interval itype.~range: check if icmp type is in given range {
+ 0:255 }
* enum latency.packet.action = none: event action if packet times
out and is fastpathed { none | alert | log | alert_and_log }
* bool latency.packet.fastpath = false: fastpath expensive packets
* bool log_codecs.msg = false: include alert msg
* bool log_hext.file = false: output to log_hext.txt instead of
stdout
- * int log_hext.limit = 0: set limit (0 is unlimited) { 0: }
+ * int log_hext.limit = 0: set maximum size in MB before rollover (0
+ is unlimited) { 0: }
* bool log_hext.raw = false: output all full packets if true, else
just TCP payload
- * enum log_hext.units = B: bytes | KB | MB | GB { B | K | M | G }
* int log_hext.width = 20: set line width (0 is unlimited) { 0: }
- * int log_pcap.limit = 0: set limit (0 is unlimited) { 0: }
- * enum log_pcap.units = B: bytes | KB | MB | GB { B | K | M | G }
+ * int log_pcap.limit = 0: set maximum size in MB before rollover (0
+ is unlimited) { 0: }
* string md5.~hash: data to match
* int md5.length: number of octets in plain text { 1:65535 }
* string md5.offset: var or number of bytes from start of buffer to
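Review bot: dropping log_hext.units and log_pcap.units while redefining limit as "maximum size in MB before rollover" is a breaking change for any existing config that sets units or expresses limit in another unit; a one-line migration note (limit is now always in MB, units is gone) would help users moving from the previous version.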
even if above the cap
* int memory.threshold = 0: set the per-packet-thread threshold for
preemptive cleanup actions (percent, 0 to disable) { 0: }
- * string metadata.*: additional parameters not used by snort
- * string metadata.service: service name
+ * string metadata.*: comma-separated list of arbitrary name value
+ pairs
* string modbus_func.~: function code to match
* int modbus_unit.~: modbus unit ID { 0:255 }
* bool mpls.enable_mpls_multicast = false: enables support for MPLS
* enum mpls.mpls_payload_type = ip4: set encapsulated payload type
{ eth | ip4 | ip6 }
* string msg.~: message describing rule
+ * interval mss.~range: check if TCP MSS is in given range { 0:65535
+ }
* multi network.checksum_drop = none: drop if checksum is bad { all
| ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }
* multi network.checksum_eval = none: checksums to verify { all |
* int output.event_trace.max_data = 0: maximum amount of packet
data to capture { 0:65535 }
* string output.logdir = .: where to put log files (same as -l)
- * bool output.log_ipv6_extra_data = false: log IPv6 source and
- destination addresses as unified2 extra data records
* bool output.obfuscate = false: obfuscate the logged IP addresses
(same as -O)
* bool output.obfuscate_pii = false: mask all but the last 4
}
* int perf_monitor.seconds = 60: report interval { 1: }
* bool perf_monitor.summary = false: output summary at shutdown
- * string pkt_num.~range: check if packet number is in given range
+ * interval pkt_num.~range: check if packet number is in given range
+ { 1: }
* int pop.b64_decode_depth = 1460: base64 decoding depth { -1:65535
}
* int pop.bitenc_decode_depth = 1460: Non-Encoded MIME attachment
* string regex.~re: hyperscan regular expression
* implied regex.relative: start search from end of last match
instead of start of buffer
+ * bool reg_test.test_daq_retry = true: test daq packet retry
+ feature
* enum reject.control: send icmp unreachable(s) { network|host|port
|all }
* enum reject.reset: send tcp reset to one or both ends { source|
construction for better performance
* bool search_engine.show_fast_patterns = false: print fast pattern
info for each rule
- * bool search_engine.split_any_any = false: evaluate any-any rules
+ * bool search_engine.split_any_any = true: evaluate any-any rules
separately to save memory
- * string seq.~range: check if tcp sequence number value is value |
- min<>max | <max | >min
+ * interval seq.~range: check if tcp sequence number is in given
+ range { 0: }
+ * string service.*: one or more comma-separated service names
* enum session.~mode: output format { printable|binary|all }
* string sha256.~hash: data to match
* int sha256.length: number of octets in plain text { 1:65535 }
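Review bot: search_engine.split_any_any flips its default from false to true, which changes memory use and fast-pattern layout for every deployment that does not set it explicitly; a default change like this should be called out in the release notes rather than appearing only in this help-text diff.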
* implied snort.-d: dump the Application Layer
* implied snort.--dirty-pig: don’t flush packets on shutdown
* implied snort.-D: run Snort in background (daemon) mode
- * implied snort.--dump-builtin-rules: [<module prefix>] output stub
- rules for selected modules
+ * string snort.--dump-builtin-rules: [<module prefix>] output stub
+ rules for selected modules { (optional) }
* string snort.--dump-defaults: [<module prefix>] output module
defaults in Lua format { (optional) }
* implied snort.--dump-dynamic-rules: output stub rules for all
Operation
* implied snort.-f: turn off fflush() calls after binary log writes
* int snort.-G: <0xid> (same as --logid) { 0:65535 }
+ * implied snort.--gen-msg-map: dump builtin rules in gen-msg.map
+ format for use by other tools
* string snort.-g: <gname> run snort gid as <gname> group (or gid)
after initialization
* string snort.--help-commands: [<module prefix>] output matching
module
* implied snort.--help-modules: list all available modules with
brief help
- * string snort.--help-options: <option prefix> output matching
+ * string snort.--help-options: [<option prefix>] output matching
command line option quick help (same as -?) { (optional) }
* implied snort.--help-plugins: list all available plugins with
brief help
* implied snort.--help-signals: dump available control signals
* implied snort.-H: make hash tables deterministic
+ * int snort.--id-offset = 0: offset to add to instance IDs when
+ logging to files { 0:65535 }
* implied snort.--id-subdir: create/use instance subdirectories in
logdir instead of instance filename prefix
* implied snort.--id-zero: use id prefix / subdirectory even with
* enum snort.-k = all: <mode> checksum mode; default is all { all|
noip|notcp|noudp|noicmp|none }
* implied snort.--list-buffers: output available inspection buffers
- * string snort.--list-builtin: <module prefix> output matching
+ * string snort.--list-builtin: [<module prefix>] output matching
builtin rules { (optional) }
* string snort.--list-gids: [<module prefix>] output matching
generators { (optional) }
* implied snort.--markup: output help in asciidoc compatible format
* int snort.--max-packet-threads = 1: <count> configure maximum
number of packet threads (same as -z) { 0: }
+ * implied snort.--mem-check: like -T but also compile search
+ engines
* implied snort.-M: log messages to syslog (not alerts)
* int snort.-m: <umask> set umask = <umask> { 0: }
* int snort.-n: <count> stop after count packets { 0: }
* implied stream_reassemble.noalert: don’t alert when rule matches
* enum stream_size.~direction: compare applies to the given
direction(s) { either|to_server|to_client|both }
- * string stream_size.~range: size for comparison
+ * interval stream_size.~range: check if the stream size is in the
+ given range { 0: }
* int stream.tcp_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1: }
* int stream.tcp_cache.max_sessions = 262144: maximum simultaneous
host { session|host_src|host_dst }
* int tag.packets: tag this many packets { 1: }
* int tag.seconds: tag for this many seconds { 1: }
+ * enum target.~: indicate the target of the attack { src_ip |
+ dst_ip }
* string tcp_connector.address: address
* port tcp_connector.base_port: base port number
* string tcp_connector.connector: connector name
* bool telnet.encrypted_traffic = false: check for encrypted telnet
and ftp
* bool telnet.normalize = false: eliminate escape sequences
- * string tos.~range: check if ip tos value is value | min<>max |
- <max | >min, range is 0:255
- * string ttl.~range: check if ip ttl field value is value | min<>
- max | <max | >min, range is 0:255
+ * interval tos.~range: check if ip tos is in given range { 0:255 }
+ * interval ttl.~range: check if ip ttl is in the given range {
+ 0:255 }
* bool udp.deep_teredo_inspection = false: look for Teredo on all
UDP ports (default is only 3544)
* bool udp.enable_gtp = false: decode GTP encapsulations
* bit_list udp.gtp_ports = 2152 3386: set GTP ports { 65535 }
- * int unified2.limit = 0: set limit (0 is unlimited) { 0: }
- * bool unified2.mpls_event_types = false: include mpls labels in
- events
+ * bool unified2.legacy_events = false: generate Snort 2.X style
+ events for barnyard2 compatibility
+ * int unified2.limit = 0: set maximum size in MB before rollover (0
+ is unlimited) { 0: }
* bool unified2.nostamp = true: append file creation time to name
(in Unix Epoch format)
- * enum unified2.units = B: limit multiplier { B | K | M | G }
- * bool unified2.vlan_event_types = false: include vlan IDs in
- events
- * string urg.~range: check if urgent offset is min<>max | <max | >
- min, range is 0:65535
- * string window.~range: check if tcp window field size is size |
- min<>max | <max | >min, range is 0:65535
+ * interval urg.~range: check if tcp urgent offset is in given range
+ { 0:65535 }
+ * interval window.~range: check if tcp window size is in given
+ range { 0:65535 }
* multi wizard.curses: enable service identification based on
internal algorithm { dce_smb | dce_udp | dce_tcp }
* bool wizard.hexes[].client_first = true: which end initiates data
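Review bot: unified2 loses units, mpls_event_types and vlan_event_types in this hunk, and only units has an obvious replacement (limit in MB); state whether the new legacy_events option carries the removed mpls/vlan extra-data behavior or whether that data is simply no longer emitted, since consumers such as barnyard2 (named in the legacy_events help) depend on the record layout. The same MB-only limit migration note suggested for log_hext and log_pcap applies to unified2.limit.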
wild cards (*)
* string wizard.spells[].to_server[].spell: sequence of data with
wild cards (*)
+ * interval wscale.~range: check if TCP window scale is in given
+ range { 0:65535 }
20.5. Counts
--------------
- * appid.aim_clients: count of aim clients discovered
- * appid.battlefield_flows: count of battle field flows discovered
- * appid.bgp_flows: count of bgp flows discovered
- * appid.bit_clients: count of bittorrent clients discovered
- * appid.bit_flows: count of bittorrent flows discovered
- * appid.bittracker_clients: count of bittorrent tracker clients
- discovered
- * appid.bootp_flows: count of bootp flows discovered
- * appid.dcerpc_tcp_flows: count of dce rpc flows over tcp
- discovered
- * appid.dcerpc_udp_flows: count of dce rpc flows over udp
- discovered
- * appid.direct_connect_flows: count of direct connect flows
- discovered
- * appid.dns_tcp_flows: count of dns flows over tcp discovered
- * appid.dns_udp_flows: count of dns flows over udp discovered
- * appid.ftp_flows: count of ftp flows discovered
- * appid.ftps_flows: count of ftps flows discovered
- * appid.http_flows: count of http flows discovered
- * appid.ignored_packets: count of packets ignored
- * appid.imap_flows: count of imap service flows discovered
- * appid.imaps_flows: count of imap TLS service flows discovered
- * appid.irc_flows: count of irc service flows discovered
- * appid.kerberos_clients: count of kerberos clients discovered
- * appid.kerberos_flows: count of kerberos service flows discovered
- * appid.kerberos_users: count of kerberos users discovered
- * appid.lpr_flows: count of lpr service flows discovered
- * appid.mdns_flows: count of mdns service flows discovered
- * appid.msn_clients: count of msn clients discovered
- * appid.mysql_flows: count of mysql service flows discovered
- * appid.netbios_dgm_flows: count of netbios-dgm service flows
- discovered
- * appid.netbios_ns_flows: count of netbios-ns service flows
- discovered
- * appid.netbios_ssn_flows: count of netbios-ssn service flows
- discovered
- * appid.nntp_flows: count of nntp flows discovered
- * appid.ntp_flows: count of ntp flows discovered
- * appid.packets: count of packets received
- * appid.pop3_clients: count of pop3 clients discovered
- * appid.pop3s_clients: count of pop3s clients discovered
- * appid.pop_flows: count of pop service flows discovered
- * appid.processed_packets: count of packets processed
- * appid.radius_flows: count of radius flows discovered
- * appid.rexec_flows: count of rexec flows discovered
- * appid.rfb_flows: count of rfb flows discovered
- * appid.rlogin_flows: count of rlogin flows discovered
- * appid.rpc_flows: count of rpc flows discovered
- * appid.rshell_flows: count of rshell flows discovered
- * appid.rsync_flows: count of rsync service flows discovered
- * appid.rtmp_flows: count of rtmp flows discovered
- * appid.rtp_clients: count of rtp clients discovered
- * appid.sip_clients: count of SIP clients discovered
- * appid.sip_flows: count of SIP flows discovered
- * appid.smtp_aol_clients: count of AOL smtp clients discovered
- * appid.smtp_applemail_clients: count of Apple Mail smtp clients
- discovered
- * appid.smtp_eudora_clients: count of Eudora smtp clients
- discovered
- * appid.smtp_eudora_pro_clients: count of Eudora Pro smtp clients
- discovered
- * appid.smtp_evolution_clients: count of Evolution smtp clients
- discovered
- * appid.smtp_flows: count of smtp flows discovered
- * appid.smtp_kmail_clients: count of KMail smtp clients discovered
- * appid.smtp_lotus_notes_clients: count of Lotus Notes smtp clients
- discovered
- * appid.smtp_microsoft_outlook_clients: count of Microsoft Outlook
- smtp clients discovered
- * appid.smtp_microsoft_outlook_express_clients: count of Microsoft
- Outlook Express smtp clients discovered
- * appid.smtp_microsoft_outlook_imo_clients: count of Microsoft
- Outlook IMO smtp clients discovered
- * appid.smtp_mutt_clients: count of Mutt smtp clients discovered
- * appid.smtps_flows: count of smtps flows discovered
- * appid.smtp_thunderbird_clients: count of Thunderbird smtp clients
- discovered
- * appid.snmp_flows: count of snmp flows discovered
- * appid.ssh_clients: count of ssh clients discovered
- * appid.ssh_flows: count of ssh flows discovered
- * appid.ssl_flows: count of ssl flows discovered
- * appid.telnet_flows: count of telnet flows discovered
- * appid.tftp_flows: count of tftp flows discovered
- * appid.timbuktu_clients: count of timbuktu clients discovered
- * appid.timbuktu_flows: count of timbuktu flows discovered
- * appid.tns_clients: count of tns clients discovered
- * appid.tns_flows: count of tns flows discovered
- * appid.vnc_clients: count of vnc clients discovered
- * appid.yahoo_messenger_clients: count of Yahoo Messenger clients
- discovered
- * arp_spoof.packets: total packets
- * back_orifice.packets: total packets
- * binder.allows: allow bindings
- * binder.blocks: block bindings
- * binder.inspects: inspect bindings
- * binder.packets: initial bindings
- * binder.resets: reset bindings
- * daq.allow: total allow verdicts
- * daq.analyzed: total packets analyzed from DAQ
- * daq.blacklist: total blacklist verdicts
- * daq.block: total block verdicts
- * daq.dropped: packets dropped
- * daq.filtered: packets filtered out
+ * arp_spoof.packets: total packets (sum)
+ * back_orifice.packets: total packets (sum)
+ * binder.allows: allow bindings (sum)
+ * binder.blocks: block bindings (sum)
+ * binder.inspects: inspect bindings (sum)
+ * binder.packets: initial bindings (sum)
+ * binder.resets: reset bindings (sum)
+ * daq.allow: total allow verdicts (sum)
+ * daq.analyzed: total packets analyzed from DAQ (sum)
+ * daq.blacklist: total blacklist verdicts (sum)
+ * daq.block: total block verdicts (sum)
+ * daq.dropped: packets dropped (sum)
+ * daq.filtered: packets filtered out (sum)
* daq.idle: attempts to acquire from DAQ without available packets
- * daq.ignore: total ignore verdicts
- * daq.injected: active responses or replacements
+ (sum)
+ * daq.ignore: total ignore verdicts (sum)
+ * daq.injected: active responses or replacements (sum)
* daq.internal_blacklist: packets blacklisted internally due to
- lack of DAQ support
+ lack of DAQ support (sum)
* daq.internal_whitelist: packets whitelisted internally due to
- lack of DAQ support
- * daq.outstanding: packets unprocessed
- * daq.pcaps: total files and interfaces processed
- * daq.received: total packets received from DAQ
- * daq.replace: total replace verdicts
- * daq.rx_bytes: total bytes received
- * daq.skipped: packets skipped at startup
- * daq.whitelist: total whitelist verdicts
- * data_log.packets: total packets
+ lack of DAQ support (sum)
+ * daq.outstanding: packets unprocessed (sum)
+ * daq.pcaps: total files and interfaces processed (sum)
+ * daq.received: total packets received from DAQ (sum)
+ * daq.replace: total replace verdicts (sum)
+ * daq.retry: total retry verdicts (sum)
+ * daq.rx_bytes: total bytes received (sum)
+ * daq.skipped: packets skipped at startup (sum)
+ * daq.whitelist: total whitelist verdicts (sum)
+ * data_log.packets: total packets (sum)
* dce_http_proxy.http_proxy_session_failures: failed http proxy
- sessions
+ sessions (sum)
* dce_http_proxy.http_proxy_sessions: successful http proxy
- sessions
+ sessions (sum)
* dce_http_server.http_server_session_failures: failed http server
- sessions
+ sessions (sum)
* dce_http_server.http_server_sessions: successful http server
- sessions
+ sessions (sum)
* dce_smb.alter_context_responses: total connection-oriented alter
- context responses
+ context responses (sum)
* dce_smb.alter_contexts: total connection-oriented alter contexts
- * dce_smb.auth3s: total connection-oriented auth3s
- * dce_smb.bind_acks: total connection-oriented binds acks
- * dce_smb.bind_naks: total connection-oriented bind naks
- * dce_smb.binds: total connection-oriented binds
- * dce_smb.cancels: total connection-oriented cancels
+ (sum)
+ * dce_smb.auth3s: total connection-oriented auth3s (sum)
+ * dce_smb.bind_acks: total connection-oriented binds acks (sum)
+ * dce_smb.bind_naks: total connection-oriented bind naks (sum)
+ * dce_smb.binds: total connection-oriented binds (sum)
+ * dce_smb.cancels: total connection-oriented cancels (sum)
* dce_smb.client_frags_reassembled: total connection-oriented
- client fragments reassembled
+ client fragments reassembled (sum)
* dce_smb.client_max_fragment_size: connection-oriented client
- maximum fragment size
+ maximum fragment size (sum)
* dce_smb.client_min_fragment_size: connection-oriented client
- minimum fragment size
+ minimum fragment size (sum)
* dce_smb.client_segs_reassembled: total connection-oriented client
- segments reassembled
- * dce_smb.events: total events
- * dce_smb.faults: total connection-oriented faults
- * dce_smb.files_processed: total smb files processed
- * dce_smb.ignored_bytes: total ignored bytes
+ segments reassembled (sum)
+ * dce_smb.concurrent_sessions: total concurrent sessions (now)
+ * dce_smb.events: total events (sum)
+ * dce_smb.faults: total connection-oriented faults (sum)
+ * dce_smb.files_processed: total smb files processed (sum)
+ * dce_smb.ignored_bytes: total ignored bytes (sum)
+ * dce_smb.max_concurrent_sessions: maximum concurrent sessions
+ (max)
* dce_smb.max_outstanding_requests: total smb maximum outstanding
- requests
+ requests (sum)
* dce_smb.ms_rpc_http_pdus: total connection-oriented MS requests
- to send RPC over HTTP
- * dce_smb.orphaned: total connection-oriented orphaned
+ to send RPC over HTTP (sum)
+ * dce_smb.orphaned: total connection-oriented orphaned (sum)
* dce_smb.other_requests: total connection-oriented other requests
+ (sum)
* dce_smb.other_responses: total connection-oriented other
- responses
- * dce_smb.packets: total smb packets
- * dce_smb.pdus: total connection-oriented PDUs
- * dce_smb.rejects: total connection-oriented rejects
+ responses (sum)
+ * dce_smb.packets: total smb packets (sum)
+ * dce_smb.pdus: total connection-oriented PDUs (sum)
+ * dce_smb.rejects: total connection-oriented rejects (sum)
* dce_smb.request_fragments: total connection-oriented request
- fragments
- * dce_smb.requests: total connection-oriented requests
+ fragments (sum)
+ * dce_smb.requests: total connection-oriented requests (sum)
* dce_smb.response_fragments: total connection-oriented response
- fragments
- * dce_smb.responses: total connection-oriented responses
+ fragments (sum)
+ * dce_smb.responses: total connection-oriented responses (sum)
* dce_smb.server_frags_reassembled: total connection-oriented
- server fragments reassembled
+ server fragments reassembled (sum)
* dce_smb.server_max_fragment_size: connection-oriented server
- maximum fragment size
+ maximum fragment size (sum)
* dce_smb.server_min_fragment_size: connection-oriented server
- minimum fragment size
+ minimum fragment size (sum)
* dce_smb.server_segs_reassembled: total connection-oriented server
- segments reassembled
- * dce_smb.sessions: total smb sessions
- * dce_smb.shutdowns: total connection-oriented shutdowns
+ segments reassembled (sum)
+ * dce_smb.sessions: total smb sessions (sum)
+ * dce_smb.shutdowns: total connection-oriented shutdowns (sum)
* dce_smb.smb_client_segs_reassembled: total smb client segments
- reassembled
+ reassembled (sum)
* dce_smb.smb_server_segs_reassembled: total smb server segments
- reassembled
+ reassembled (sum)
* dce_smb.smbv2_close: total number of SMBv2 close packets seen
+ (sum)
* dce_smb.smbv2_create: total number of SMBv2 create packets seen
- * dce_smb.smbv2_read: total number of SMBv2 read packets seen
+ (sum)
+ * dce_smb.smbv2_read: total number of SMBv2 read packets seen (sum)
* dce_smb.smbv2_set_info: total number of SMBv2 set info packets
- seen
+ seen (sum)
* dce_smb.smbv2_tree_connect: total number of SMBv2 tree connect
- packets seen
+ packets seen (sum)
* dce_smb.smbv2_tree_disconnect: total number of SMBv2 tree
- disconnect packets seen
+ disconnect packets seen (sum)
* dce_smb.smbv2_write: total number of SMBv2 write packets seen
+ (sum)
* dce_tcp.alter_context_responses: total connection-oriented alter
- context responses
+ context responses (sum)
* dce_tcp.alter_contexts: total connection-oriented alter contexts
- * dce_tcp.auth3s: total connection-oriented auth3s
- * dce_tcp.bind_acks: total connection-oriented binds acks
- * dce_tcp.bind_naks: total connection-oriented bind naks
- * dce_tcp.binds: total connection-oriented binds
- * dce_tcp.cancels: total connection-oriented cancels
+ (sum)
+ * dce_tcp.auth3s: total connection-oriented auth3s (sum)
+ * dce_tcp.bind_acks: total connection-oriented binds acks (sum)
+ * dce_tcp.bind_naks: total connection-oriented bind naks (sum)
+ * dce_tcp.binds: total connection-oriented binds (sum)
+ * dce_tcp.cancels: total connection-oriented cancels (sum)
* dce_tcp.client_frags_reassembled: total connection-oriented
- client fragments reassembled
+ client fragments reassembled (sum)
* dce_tcp.client_max_fragment_size: connection-oriented client
- maximum fragment size
+ maximum fragment size (sum)
* dce_tcp.client_min_fragment_size: connection-oriented client
- minimum fragment size
+ minimum fragment size (sum)
* dce_tcp.client_segs_reassembled: total connection-oriented client
- segments reassembled
- * dce_tcp.events: total events
- * dce_tcp.faults: total connection-oriented faults
+ segments reassembled (sum)
+ * dce_tcp.concurrent_sessions: total concurrent sessions (now)
+ * dce_tcp.events: total events (sum)
+ * dce_tcp.faults: total connection-oriented faults (sum)
+ * dce_tcp.max_concurrent_sessions: maximum concurrent sessions
+ (max)
* dce_tcp.ms_rpc_http_pdus: total connection-oriented MS requests
- to send RPC over HTTP
- * dce_tcp.orphaned: total connection-oriented orphaned
+ to send RPC over HTTP (sum)
+ * dce_tcp.orphaned: total connection-oriented orphaned (sum)
* dce_tcp.other_requests: total connection-oriented other requests
+ (sum)
* dce_tcp.other_responses: total connection-oriented other
- responses
- * dce_tcp.pdus: total connection-oriented PDUs
- * dce_tcp.rejects: total connection-oriented rejects
+ responses (sum)
+ * dce_tcp.pdus: total connection-oriented PDUs (sum)
+ * dce_tcp.rejects: total connection-oriented rejects (sum)
* dce_tcp.request_fragments: total connection-oriented request
- fragments
- * dce_tcp.requests: total connection-oriented requests
+ fragments (sum)
+ * dce_tcp.requests: total connection-oriented requests (sum)
* dce_tcp.response_fragments: total connection-oriented response
- fragments
- * dce_tcp.responses: total connection-oriented responses
+ fragments (sum)
+ * dce_tcp.responses: total connection-oriented responses (sum)
* dce_tcp.server_frags_reassembled: total connection-oriented
- server fragments reassembled
+ server fragments reassembled (sum)
* dce_tcp.server_max_fragment_size: connection-oriented server
- maximum fragment size
+ maximum fragment size (sum)
* dce_tcp.server_min_fragment_size: connection-oriented server
- minimum fragment size
+ minimum fragment size (sum)
* dce_tcp.server_segs_reassembled: total connection-oriented server
- segments reassembled
- * dce_tcp.shutdowns: total connection-oriented shutdowns
- * dce_tcp.tcp_packets: total tcp packets
- * dce_tcp.tcp_sessions: total tcp sessions
- * dce_udp.acks: total connection-less acks
- * dce_udp.cancel_acks: total connection-less cancel acks
- * dce_udp.cancels: total connection-less cancels
- * dce_udp.client_facks: total connection-less client facks
- * dce_udp.events: total events
- * dce_udp.faults: total connection-less faults
- * dce_udp.fragments: total connection-less fragments
+ segments reassembled (sum)
+ * dce_tcp.shutdowns: total connection-oriented shutdowns (sum)
+ * dce_tcp.tcp_packets: total tcp packets (sum)
+ * dce_tcp.tcp_sessions: total tcp sessions (sum)
+ * dce_udp.acks: total connection-less acks (sum)
+ * dce_udp.cancel_acks: total connection-less cancel acks (sum)
+ * dce_udp.cancels: total connection-less cancels (sum)
+ * dce_udp.client_facks: total connection-less client facks (sum)
+ * dce_udp.concurrent_sessions: total concurrent sessions (now)
+ * dce_udp.events: total events (sum)
+ * dce_udp.faults: total connection-less faults (sum)
+ * dce_udp.fragments: total connection-less fragments (sum)
* dce_udp.frags_reassembled: total connection-less fragments
- reassembled
+ reassembled (sum)
+ * dce_udp.max_concurrent_sessions: maximum concurrent sessions
+ (max)
* dce_udp.max_fragment_size: connection-less maximum fragment size
- * dce_udp.max_seqnum: max connection-less seqnum
- * dce_udp.no_calls: total connection-less no calls
+ (sum)
+ * dce_udp.max_seqnum: max connection-less seqnum (sum)
+ * dce_udp.no_calls: total connection-less no calls (sum)
* dce_udp.other_requests: total connection-less other requests
+ (sum)
* dce_udp.other_responses: total connection-less other responses
- * dce_udp.ping: total connection-less ping
- * dce_udp.rejects: total connection-less rejects
- * dce_udp.requests: total connection-less requests
- * dce_udp.responses: total connection-less responses
- * dce_udp.server_facks: total connection-less server facks
- * dce_udp.udp_packets: total udp packets
- * dce_udp.udp_sessions: total udp sessions
- * dce_udp.working: total connection-less working
+ (sum)
+ * dce_udp.ping: total connection-less ping (sum)
+ * dce_udp.rejects: total connection-less rejects (sum)
+ * dce_udp.requests: total connection-less requests (sum)
+ * dce_udp.responses: total connection-less responses (sum)
+ * dce_udp.server_facks: total connection-less server facks (sum)
+ * dce_udp.udp_packets: total udp packets (sum)
+ * dce_udp.udp_sessions: total udp sessions (sum)
+ * dce_udp.working: total connection-less working (sum)
* detection.alert_limit: events previously triggered on same PDU
- * detection.alerts: alerts not including IP reputation
+ (sum)
+ * detection.alerts: alerts not including IP reputation (sum)
* detection.alt_searches: alt fast pattern searches in packet data
- * detection.analyzed: packets sent to detection
+ (sum)
+ * detection.analyzed: packets sent to detection (sum)
* detection.body_searches: fast pattern searches in body buffer
+ (sum)
* detection.cooked_searches: fast pattern searches in cooked packet
- data
- * detection.event_limit: events filtered
+ data (sum)
+ * detection.event_limit: events filtered (sum)
* detection.file_searches: fast pattern searches in file buffer
- * detection.hard_evals: non-fast pattern rule evaluations
+ (sum)
+ * detection.hard_evals: non-fast pattern rule evaluations (sum)
* detection.header_searches: fast pattern searches in header buffer
- * detection.key_searches: fast pattern searches in key buffer
- * detection.logged: logged packets
- * detection.log_limit: events queued but not logged
- * detection.match_limit: fast pattern matches not processed
+ (sum)
+ * detection.key_searches: fast pattern searches in key buffer (sum)
+ * detection.logged: logged packets (sum)
+ * detection.log_limit: events queued but not logged (sum)
+ * detection.match_limit: fast pattern matches not processed (sum)
* detection.offloads: fast pattern searches that were offloaded
- * detection.passed: passed packets
+ (sum)
+ * detection.passed: passed packets (sum)
* detection.pkt_searches: fast pattern searches in packet data
- * detection.queue_limit: events not queued because queue full
+ (sum)
+ * detection.queue_limit: events not queued because queue full (sum)
* detection.raw_searches: fast pattern searches in raw packet data
- * detection.total_alerts: alerts including IP reputation
- * dnp3.dnp3_application_pdus: total dnp3 application pdus
- * dnp3.dnp3_link_layer_frames: total dnp3 link layer frames
- * dnp3.tcp_pdus: total tcp pdus
- * dnp3.total_packets: total packets
- * dnp3.udp_packets: total udp packets
- * dns.packets: total packets processed
- * dns.requests: total dns requests
- * dns.responses: total dns responses
- * dpx.packets: total packets
- * file_connector.messages: total messages
- * file_id.cache_failures: number of file cache add failures
+ (sum)
+ * detection.total_alerts: alerts including IP reputation (sum)
+ * dnp3.concurrent_sessions: total concurrent dnp3 sessions (now)
+ * dnp3.dnp3_application_pdus: total dnp3 application pdus (sum)
+ * dnp3.dnp3_link_layer_frames: total dnp3 link layer frames (sum)
+ * dnp3.max_concurrent_sessions: maximum concurrent dnp3 sessions
+ (max)
+ * dnp3.tcp_pdus: total tcp pdus (sum)
+ * dnp3.total_packets: total packets (sum)
+ * dnp3.udp_packets: total udp packets (sum)
+ * dns.concurrent_sessions: total concurrent dns sessions (now)
+ * dns.max_concurrent_sessions: maximum concurrent dns sessions
+ (max)
+ * dns.packets: total packets processed (sum)
+ * dns.requests: total dns requests (sum)
+ * dns.responses: total dns responses (sum)
+ * dpx.packets: total packets (sum)
+ * file_connector.messages: total messages (sum)
+ * file_id.cache_failures: number of file cache add failures (sum)
* file_id.total_file_data: number of file data bytes processed
- * file_id.total_files: number of files processed
- * file_log.total_events: total file events
- * ftp_data.packets: total packets
- * ftp_server.packets: total packets
- * gtp_inspect.events: requests
- * gtp_inspect.sessions: total sessions processed
- * gtp_inspect.unknown_infos: unknown information elements
- * gtp_inspect.unknown_types: unknown message types
- * host_cache.lru_cache_adds: lru cache added new entry
- * host_cache.lru_cache_clears: lru cache clear API calls
+ (sum)
+ * file_id.total_files: number of files processed (sum)
+ * file_log.total_events: total file events (sum)
+ * ftp_data.packets: total packets (sum)
+ * ftp_server.concurrent_sessions: total concurrent ftp sessions
+ (now)
+ * ftp_server.max_concurrent_sessions: maximum concurrent ftp
+ sessions (max)
+ * ftp_server.total_packets: total packets (sum)
+ * gtp_inspect.concurrent_sessions: total concurrent gtp sessions
+ (now)
+ * gtp_inspect.events: requests (sum)
+ * gtp_inspect.max_concurrent_sessions: maximum concurrent gtp
+ sessions (max)
+ * gtp_inspect.sessions: total sessions processed (sum)
+ * gtp_inspect.unknown_infos: unknown information elements (sum)
+ * gtp_inspect.unknown_types: unknown message types (sum)
+ * high_availability.packets: total packets (sum)
+ * host_cache.lru_cache_adds: lru cache added new entry (sum)
+ * host_cache.lru_cache_clears: lru cache clear API calls (sum)
* host_cache.lru_cache_find_hits: lru cache found entry in cache
+ (sum)
* host_cache.lru_cache_find_misses: lru cache did not find entry in
- cache
+ cache (sum)
* host_cache.lru_cache_prunes: lru cache pruned entry to make space
- for new entry
+ for new entry (sum)
* host_cache.lru_cache_removes: lru cache found entry and removed
- it
+ it (sum)
* host_cache.lru_cache_replaces: lru cache replaced existing entry
- * host_tracker.service_adds: host service adds
- * host_tracker.service_finds: host service finds
- * host_tracker.service_removes: host service removes
- * http_inspect.chunked: chunked message bodies
- * http_inspect.connect_requests: CONNECT requests inspected
- * http_inspect.delete_requests: DELETE requests inspected
- * http_inspect.flows: HTTP connections inspected
- * http_inspect.get_requests: GET requests inspected
- * http_inspect.head_requests: HEAD requests inspected
- * http_inspect.inspections: total message sections inspected
- * http_inspect.options_requests: OPTIONS requests inspected
+ (sum)
+ * host_tracker.service_adds: host service adds (sum)
+ * host_tracker.service_finds: host service finds (sum)
+ * host_tracker.service_removes: host service removes (sum)
+ * http_inspect.chunked: chunked message bodies (sum)
+ * http_inspect.concurrent_sessions: total concurrent http sessions
+ (now)
+ * http_inspect.connect_requests: CONNECT requests inspected (sum)
+ * http_inspect.delete_requests: DELETE requests inspected (sum)
+ * http_inspect.flows: HTTP connections inspected (sum)
+ * http_inspect.get_requests: GET requests inspected (sum)
+ * http_inspect.head_requests: HEAD requests inspected (sum)
+ * http_inspect.inspections: total message sections inspected (sum)
+ * http_inspect.max_concurrent_sessions: maximum concurrent http
+ sessions (max)
+ * http_inspect.options_requests: OPTIONS requests inspected (sum)
* http_inspect.other_requests: other request methods inspected
- * http_inspect.post_requests: POST requests inspected
- * http_inspect.put_requests: PUT requests inspected
+ (sum)
+ * http_inspect.post_requests: POST requests inspected (sum)
+ * http_inspect.put_requests: PUT requests inspected (sum)
* http_inspect.reassembles: TCP segments combined into HTTP
- messages
+ messages (sum)
* http_inspect.request_bodies: POST, PUT, and other requests with
- message bodies
- * http_inspect.requests: HTTP request messages inspected
- * http_inspect.responses: HTTP response messages inspected
+ message bodies (sum)
+ * http_inspect.requests: HTTP request messages inspected (sum)
+ * http_inspect.responses: HTTP response messages inspected (sum)
* http_inspect.scans: TCP segments scanned looking for HTTP
- messages
- * http_inspect.trace_requests: TRACE requests inspected
+ messages (sum)
+ * http_inspect.trace_requests: TRACE requests inspected (sum)
* http_inspect.uri_coding: URIs with character coding problems
+ (sum)
* http_inspect.uri_normalizations: URIs needing to be normalization
- * http_inspect.uri_path: URIs with path problems
- * icmp4.bad_checksum: non-zero icmp checksums
- * icmp6.bad_icmp6_checksum: nonzero icmp6 checksums
- * imap.b64_attachments: total base64 attachments decoded
- * imap.b64_decoded_bytes: total base64 decoded bytes
+ (sum)
+ * http_inspect.uri_path: URIs with path problems (sum)
+ * icmp4.bad_checksum: non-zero icmp checksums (sum)
+ * icmp6.bad_icmp6_checksum: nonzero icmp6 checksums (sum)
+ * imap.b64_attachments: total base64 attachments decoded (sum)
+ * imap.b64_decoded_bytes: total base64 decoded bytes (sum)
+ * imap.concurrent_sessions: total concurrent imap sessions (now)
+ * imap.max_concurrent_sessions: maximum concurrent imap sessions
+ (max)
* imap.non_encoded_attachments: total non-encoded attachments
- extracted
- * imap.non_encoded_bytes: total non-encoded extracted bytes
- * imap.packets: total packets processed
+ extracted (sum)
+ * imap.non_encoded_bytes: total non-encoded extracted bytes (sum)
+ * imap.packets: total packets processed (sum)
* imap.qp_attachments: total quoted-printable attachments decoded
- * imap.qp_decoded_bytes: total quoted-printable decoded bytes
- * imap.sessions: total imap sessions
- * imap.uu_attachments: total uu attachments decoded
- * imap.uu_decoded_bytes: total uu decoded bytes
- * ipv4.bad_checksum: nonzero ip checksums
- * latency.max_usecs: maximum usecs elapsed
- * latency.packet_timeouts: packets that timed out
- * latency.rule_eval_timeouts: rule evals that timed out
- * latency.rule_tree_enables: rule tree re-enables
- * latency.total_packets: total packets monitored
- * latency.total_rule_evals: total rule evals monitored
- * latency.total_usecs: total usecs elapsed
- * modbus.frames: total Modbus messages
- * modbus.sessions: total sessions processed
- * mpls.total_bytes: total mpls labeled bytes processed
- * mpls.total_packets: total mpls labeled packets processed
- * normalizer.icmp4_echo: icmp4 ping normalizations
- * normalizer.icmp6_echo: icmp6 echo normalizations
- * normalizer.ip4_df: don’t frag bit normalizations
- * normalizer.ip4_opts: ip4 options cleared
- * normalizer.ip4_rf: reserved flag bit clears
- * normalizer.ip4_tos: type of service normalizations
- * normalizer.ip4_trim: eth packets trimmed to datagram size
- * normalizer.ip4_ttl: time-to-live normalizations
- * normalizer.ip6_hops: ip6 hop limit normalizations
- * normalizer.ip6_options: ip6 options cleared
- * normalizer.tcp_block: blocked segments
- * normalizer.tcp_ecn_pkt: packets with ECN bits cleared
- * normalizer.tcp_ecn_session: ECN bits cleared
- * normalizer.tcp_ips_data: normalized segments
- * normalizer.tcp_nonce: packets with nonce bit cleared
- * normalizer.tcp_options: packets with options cleared
- * normalizer.tcp_padding: packets with padding cleared
+ (sum)
+ * imap.qp_decoded_bytes: total quoted-printable decoded bytes (sum)
+ * imap.sessions: total imap sessions (sum)
+ * imap.uu_attachments: total uu attachments decoded (sum)
+ * imap.uu_decoded_bytes: total uu decoded bytes (sum)
+ * ips.invalid_policy_ids: Number of times an invalid policy ID was
+ provided (sum)
+ * ipv4.bad_checksum: nonzero ip checksums (sum)
+ * latency.max_usecs: maximum usecs elapsed (sum)
+ * latency.packet_timeouts: packets that timed out (sum)
+ * latency.rule_eval_timeouts: rule evals that timed out (sum)
+ * latency.rule_tree_enables: rule tree re-enables (sum)
+ * latency.total_packets: total packets monitored (sum)
+ * latency.total_rule_evals: total rule evals monitored (sum)
+ * latency.total_usecs: total usecs elapsed (sum)
+ * modbus.concurrent_sessions: total concurrent modbus sessions
+ (now)
+ * modbus.frames: total Modbus messages (sum)
+ * modbus.max_concurrent_sessions: maximum concurrent modbus
+ sessions (max)
+ * modbus.sessions: total sessions processed (sum)
+ * mpls.total_bytes: total mpls labeled bytes processed (sum)
+ * mpls.total_packets: total mpls labeled packets processed (sum)
+ * normalizer.icmp4_echo: icmp4 ping normalizations (sum)
+ * normalizer.icmp6_echo: icmp6 echo normalizations (sum)
+ * normalizer.ip4_df: don’t frag bit normalizations (sum)
+ * normalizer.ip4_opts: ip4 options cleared (sum)
+ * normalizer.ip4_rf: reserved flag bit clears (sum)
+ * normalizer.ip4_tos: type of service normalizations (sum)
+ * normalizer.ip4_trim: eth packets trimmed to datagram size (sum)
+ * normalizer.ip4_ttl: time-to-live normalizations (sum)
+ * normalizer.ip6_hops: ip6 hop limit normalizations (sum)
+ * normalizer.ip6_options: ip6 options cleared (sum)
+ * normalizer.tcp_block: blocked segments (sum)
+ * normalizer.tcp_ecn_pkt: packets with ECN bits cleared (sum)
+ * normalizer.tcp_ecn_session: ECN bits cleared (sum)
+ * normalizer.tcp_ips_data: normalized segments (sum)
+ * normalizer.tcp_nonce: packets with nonce bit cleared (sum)
+ * normalizer.tcp_options: packets with options cleared (sum)
+ * normalizer.tcp_padding: packets with padding cleared (sum)
* normalizer.tcp_req_pay: cleared urgent pointer and urgent flag
- when there is no payload
+ when there is no payload (sum)
* normalizer.tcp_req_urg: cleared urgent pointer when urgent flag
- is not set
+ is not set (sum)
* normalizer.tcp_req_urp: cleared the urgent flag if the urgent
- pointer is not set
- * normalizer.tcp_reserved: packets with reserved bits cleared
+ pointer is not set (sum)
+ * normalizer.tcp_reserved: packets with reserved bits cleared (sum)
* normalizer.tcp_syn_options: SYN only options cleared from non-SYN
- packets
- * normalizer.tcp_trim_mss: data trimmed to MSS
- * normalizer.tcp_trim_rst: RST packets with data trimmed
- * normalizer.tcp_trim_syn: tcp segments trimmed on SYN
- * normalizer.tcp_trim_win: data trimmed to window
- * normalizer.tcp_ts_ecr: timestamp cleared on non-ACKs
- * normalizer.tcp_ts_nop: timestamp options cleared
+ packets (sum)
+ * normalizer.tcp_trim_mss: data trimmed to MSS (sum)
+ * normalizer.tcp_trim_rst: RST packets with data trimmed (sum)
+ * normalizer.tcp_trim_syn: tcp segments trimmed on SYN (sum)
+ * normalizer.tcp_trim_win: data trimmed to window (sum)
+ * normalizer.tcp_ts_ecr: timestamp cleared on non-ACKs (sum)
+ * normalizer.tcp_ts_nop: timestamp options cleared (sum)
* normalizer.tcp_urgent_ptr: packets without data with urgent
- pointer cleared
- * normalizer.test_icmp4_echo: test icmp4 ping normalizations
- * normalizer.test_icmp6_echo: test icmp6 echo normalizations
- * normalizer.test_ip4_df: test don’t frag bit normalizations
- * normalizer.test_ip4_opts: test ip4 options cleared
- * normalizer.test_ip4_rf: test reserved flag bit clears
+ pointer cleared (sum)
+ * normalizer.test_icmp4_echo: test icmp4 ping normalizations (sum)
+ * normalizer.test_icmp6_echo: test icmp6 echo normalizations (sum)
+ * normalizer.test_ip4_df: test don’t frag bit normalizations (sum)
+ * normalizer.test_ip4_opts: test ip4 options cleared (sum)
+ * normalizer.test_ip4_rf: test reserved flag bit clears (sum)
* normalizer.test_ip4_tos: test type of service normalizations
+ (sum)
* normalizer.test_ip4_trim: test eth packets trimmed to datagram
- size
- * normalizer.test_ip4_ttl: test time-to-live normalizations
- * normalizer.test_ip6_hops: test ip6 hop limit normalizations
- * normalizer.test_ip6_options: test ip6 options cleared
- * normalizer.test_tcp_block: test blocked segments
+ size (sum)
+ * normalizer.test_ip4_ttl: test time-to-live normalizations (sum)
+ * normalizer.test_ip6_hops: test ip6 hop limit normalizations (sum)
+ * normalizer.test_ip6_options: test ip6 options cleared (sum)
+ * normalizer.test_tcp_block: test blocked segments (sum)
* normalizer.test_tcp_ecn_pkt: test packets with ECN bits cleared
- * normalizer.test_tcp_ecn_session: test ECN bits cleared
- * normalizer.test_tcp_ips_data: test normalized segments
+ (sum)
+ * normalizer.test_tcp_ecn_session: test ECN bits cleared (sum)
+ * normalizer.test_tcp_ips_data: test normalized segments (sum)
* normalizer.test_tcp_nonce: test packets with nonce bit cleared
+ (sum)
* normalizer.test_tcp_options: test packets with options cleared
+ (sum)
* normalizer.test_tcp_padding: test packets with padding cleared
+ (sum)
* normalizer.test_tcp_req_pay: test cleared urgent pointer and
- urgent flag when there is no payload
+ urgent flag when there is no payload (sum)
* normalizer.test_tcp_req_urg: test cleared urgent pointer when
- urgent flag is not set
+ urgent flag is not set (sum)
* normalizer.test_tcp_req_urp: test cleared the urgent flag if the
- urgent pointer is not set
+ urgent pointer is not set (sum)
* normalizer.test_tcp_reserved: test packets with reserved bits
- cleared
+ cleared (sum)
* normalizer.test_tcp_syn_options: test SYN only options cleared
- from non-SYN packets
- * normalizer.test_tcp_trim_mss: test data trimmed to MSS
+ from non-SYN packets (sum)
+ * normalizer.test_tcp_trim_mss: test data trimmed to MSS (sum)
* normalizer.test_tcp_trim_rst: test RST packets with data trimmed
+ (sum)
* normalizer.test_tcp_trim_syn: test tcp segments trimmed on SYN
- * normalizer.test_tcp_trim_win: test data trimmed to window
+ (sum)
+ * normalizer.test_tcp_trim_win: test data trimmed to window (sum)
* normalizer.test_tcp_ts_ecr: test timestamp cleared on non-ACKs
- * normalizer.test_tcp_ts_nop: test timestamp options cleared
+ (sum)
+ * normalizer.test_tcp_ts_nop: test timestamp options cleared (sum)
* normalizer.test_tcp_urgent_ptr: test packets without data with
- urgent pointer cleared
+ urgent pointer cleared (sum)
* packet_capture.captured: packets matching dumped after matching
- filter
- * packet_capture.processed: packets processed against filter
- * perf_monitor.packets: total packets
- * pop.b64_attachments: total base64 attachments decoded
- * pop.b64_decoded_bytes: total base64 decoded bytes
+ filter (sum)
+ * packet_capture.processed: packets processed against filter (sum)
+ * perf_monitor.packets: total packets (sum)
+ * pop.b64_attachments: total base64 attachments decoded (sum)
+ * pop.b64_decoded_bytes: total base64 decoded bytes (sum)
+ * pop.concurrent_sessions: total concurrent pop sessions (now)
+ * pop.max_concurrent_sessions: maximum concurrent pop sessions
+ (max)
* pop.non_encoded_attachments: total non-encoded attachments
- extracted
- * pop.non_encoded_bytes: total non-encoded extracted bytes
- * pop.packets: total packets processed
+ extracted (sum)
+ * pop.non_encoded_bytes: total non-encoded extracted bytes (sum)
+ * pop.packets: total packets processed (sum)
* pop.qp_attachments: total quoted-printable attachments decoded
- * pop.qp_decoded_bytes: total quoted-printable decoded bytes
- * pop.sessions: total pop sessions
- * pop.uu_attachments: total uu attachments decoded
- * pop.uu_decoded_bytes: total uu decoded bytes
- * port_scan.packets: total packets
- * reputation.blacklisted: number of packets blacklisted
- * reputation.memory_allocated: total memory allocated
- * reputation.monitored: number of packets monitored
- * reputation.packets: total packets processed
- * reputation.whitelisted: number of packets whitelisted
- * rpc_decode.packets: total packets
+ (sum)
+ * pop.qp_decoded_bytes: total quoted-printable decoded bytes (sum)
+ * pop.sessions: total pop sessions (sum)
+ * pop.uu_attachments: total uu attachments decoded (sum)
+ * pop.uu_decoded_bytes: total uu decoded bytes (sum)
+ * port_scan.packets: total packets (sum)
+ * reg_test.packets: total packets (sum)
+ * reg_test.retry_packets: total retried packets received (sum)
+ * reg_test.retry_requests: total retry packets requested (sum)
+ * reputation.blacklisted: number of packets blacklisted (sum)
+ * reputation.memory_allocated: total memory allocated (sum)
+ * reputation.monitored: number of packets monitored (sum)
+ * reputation.packets: total packets processed (sum)
+ * reputation.whitelisted: number of packets whitelisted (sum)
+ * rpc_decode.concurrent_sessions: total concurrent rpc sessions
+ (now)
+ * rpc_decode.max_concurrent_sessions: maximum concurrent rpc
+ sessions (max)
+ * rpc_decode.total_packets: total packets (sum)
* sd_pattern.below_threshold: sd_pattern matched but missed
- threshold
- * sd_pattern.pattern_not_found: sd_pattern did not not match
- * sd_pattern.terminated: hyperscan terminated
+ threshold (sum)
+ * sd_pattern.pattern_not_found: sd_pattern did not not match (sum)
+ * sd_pattern.terminated: hyperscan terminated (sum)
* search_engine.max_queued: maximum fast pattern matches queued for
- further evaluation
+ further evaluation (sum)
* search_engine.non_qualified_events: total non-qualified events
- * search_engine.qualified_events: total qualified events
- * search_engine.searched_bytes: total bytes searched
+ (sum)
+ * search_engine.qualified_events: total qualified events (sum)
+ * search_engine.searched_bytes: total bytes searched (sum)
* search_engine.total_flushed: fast pattern matches discarded due
- to overflow
- * search_engine.total_inserts: total fast pattern hits
- * search_engine.total_unique: total unique fast pattern hits
- * sip.ack: ack
- * sip.bye: bye
- * sip.cancel: cancel
- * sip.code_1xx: 1xx
- * sip.code_2xx: 2xx
- * sip.code_3xx: 3xx
- * sip.code_4xx: 4xx
- * sip.code_5xx: 5xx
- * sip.code_6xx: 6xx
- * sip.code_7xx: 7xx
- * sip.code_8xx: 8xx
- * sip.code_9xx: 9xx
- * sip.dialogs: total dialogs
- * sip.events: events generated
- * sip.ignored_channels: total channels ignored
- * sip.ignored_sessions: total sessions ignored
- * sip.info: info
- * sip.invite: invite
- * sip.join: join
- * sip.message: message
- * sip.notify: notify
- * sip.options: options
- * sip.packets: total packets
- * sip.prack: prack
- * sip.refer: refer
- * sip.register: register
- * sip.sessions: total sessions
- * sip.subscribe: subscribe
- * sip.total_requests: total requests
- * sip.total_responses: total responses
- * sip.update: update
- * smtp.b64_attachments: total base64 attachments decoded
- * smtp.b64_decoded_bytes: total base64 decoded bytes
- * smtp.concurrent_sessions: total concurrent smtp sessions
+ to overflow (sum)
+ * search_engine.total_inserts: total fast pattern hits (sum)
+ * search_engine.total_unique: total unique fast pattern hits (sum)
+ * side_channel.packets: total packets (sum)
+ * sip.ack: ack (sum)
+ * sip.bye: bye (sum)
+ * sip.cancel: cancel (sum)
+ * sip.code_1xx: 1xx (sum)
+ * sip.code_2xx: 2xx (sum)
+ * sip.code_3xx: 3xx (sum)
+ * sip.code_4xx: 4xx (sum)
+ * sip.code_5xx: 5xx (sum)
+ * sip.code_6xx: 6xx (sum)
+ * sip.code_7xx: 7xx (sum)
+ * sip.code_8xx: 8xx (sum)
+ * sip.code_9xx: 9xx (sum)
+ * sip.concurrent_sessions: total concurrent sip sessions (now)
+ * sip.dialogs: total dialogs (sum)
+ * sip.events: events generated (sum)
+ * sip.ignored_channels: total channels ignored (sum)
+ * sip.ignored_sessions: total sessions ignored (sum)
+ * sip.info: info (sum)
+ * sip.invite: invite (sum)
+ * sip.join: join (sum)
+ * sip.max_concurrent_sessions: maximum concurrent sip sessions
+ (max)
+ * sip.message: message (sum)
+ * sip.notify: notify (sum)
+ * sip.options: options (sum)
+ * sip.packets: total packets (sum)
+ * sip.prack: prack (sum)
+ * sip.refer: refer (sum)
+ * sip.register: register (sum)
+ * sip.sessions: total sessions (sum)
+ * sip.subscribe: subscribe (sum)
+ * sip.total_requests: total requests (sum)
+ * sip.total_responses: total responses (sum)
+ * sip.update: update (sum)
+ * smtp.b64_attachments: total base64 attachments decoded (sum)
+ * smtp.b64_decoded_bytes: total base64 decoded bytes (sum)
+ * smtp.concurrent_sessions: total concurrent smtp sessions (now)
* smtp.max_concurrent_sessions: maximum concurrent smtp sessions
+ (max)
* smtp.non_encoded_attachments: total non-encoded attachments
- extracted
- * smtp.non_encoded_bytes: total non-encoded extracted bytes
- * smtp.packets: total packets processed
+ extracted (sum)
+ * smtp.non_encoded_bytes: total non-encoded extracted bytes (sum)
+ * smtp.packets: total packets processed (sum)
* smtp.qp_attachments: total quoted-printable attachments decoded
- * smtp.qp_decoded_bytes: total quoted-printable decoded bytes
- * smtp.sessions: total smtp sessions
- * smtp.uu_attachments: total uu attachments decoded
- * smtp.uu_decoded_bytes: total uu decoded bytes
- * snort.attribute_table_hosts: total number of hosts in table
+ (sum)
+ * smtp.qp_decoded_bytes: total quoted-printable decoded bytes (sum)
+ * smtp.sessions: total smtp sessions (sum)
+ * smtp.uu_attachments: total uu attachments decoded (sum)
+ * smtp.uu_decoded_bytes: total uu decoded bytes (sum)
+ * snort.attribute_table_hosts: total number of hosts in table (sum)
* snort.attribute_table_reloads: number of times hosts table was
- reloaded
+ reloaded (sum)
* snort.conf_reloads: number of times configuration was reloaded
+ (sum)
* snort.daq_reloads: number of times daq configuration was reloaded
- * snort.local_commands: total local commands processed
- * snort.remote_commands: total remote commands processed
- * snort.signals: total signals processed
- * ssh.packets: total packets
- * ssl.alert: total ssl alert records
- * ssl.bad_handshakes: total bad handshakes
- * ssl.certificate: total ssl certificates
- * ssl.change_cipher: total change cipher records
- * ssl.client_application: total client application records
- * ssl.client_hello: total client hellos
- * ssl.client_key_exchange: total client key exchanges
- * ssl.decoded: ssl packets decoded
- * ssl.detection_disabled: total detection disabled
- * ssl.finished: total handshakes finished
- * ssl.handshakes_completed: total completed ssl handshakes
- * ssl.packets: total packets processed
- * ssl.server_application: total server application records
- * ssl.server_done: total server done
- * ssl.server_hello: total server hellos
- * ssl.server_key_exchange: total server key exchanges
- * ssl.sessions_ignored: total sessions ignore
- * ssl.unrecognized_records: total unrecognized records
+ (sum)
+ * snort.inspector_deletions: number of times inspectors were
+ deleted (sum)
+ * snort.local_commands: total local commands processed (sum)
+ * snort.policy_reloads: number of times policies were reloaded
+ (sum)
+ * snort.remote_commands: total remote commands processed (sum)
+ * snort.signals: total signals processed (sum)
+ * ssh.concurrent_sessions: total concurrent ssh sessions (now)
+ * ssh.max_concurrent_sessions: maximum concurrent ssh sessions
+ (max)
+ * ssh.packets: total packets (sum)
+ * ssl.alert: total ssl alert records (sum)
+ * ssl.bad_handshakes: total bad handshakes (sum)
+ * ssl.certificate: total ssl certificates (sum)
+ * ssl.change_cipher: total change cipher records (sum)
+ * ssl.client_application: total client application records (sum)
+ * ssl.client_hello: total client hellos (sum)
+ * ssl.client_key_exchange: total client key exchanges (sum)
+ * ssl.concurrent_sessions: total concurrent ssl sessions (now)
+ * ssl.decoded: ssl packets decoded (sum)
+ * ssl.detection_disabled: total detection disabled (sum)
+ * ssl.finished: total handshakes finished (sum)
+ * ssl.handshakes_completed: total completed ssl handshakes (sum)
+ * ssl.max_concurrent_sessions: maximum concurrent ssl sessions
+ (max)
+ * ssl.packets: total packets processed (sum)
+ * ssl.server_application: total server application records (sum)
+ * ssl.server_done: total server done (sum)
+ * ssl.server_hello: total server hellos (sum)
+ * ssl.server_key_exchange: total server key exchanges (sum)
+ * ssl.sessions_ignored: total sessions ignore (sum)
+ * ssl.unrecognized_records: total unrecognized records (sum)
* stream.file_excess_prunes: file sessions pruned due to excess
- * stream.file_flows: total file sessions
+ (sum)
+ * stream.file_flows: total file sessions (sum)
* stream.file_ha_prunes: file sessions pruned by high availability
- sync
+ sync (sum)
* stream.file_idle_prunes: file sessions pruned due to timeout
+ (sum)
* stream.file_memcap_prunes: file sessions pruned due to memcap
+ (sum)
* stream.file_preemptive_prunes: file sessions pruned during
- preemptive pruning
- * stream.file_total_prunes: total file sessions pruned
- * stream.file_uni_prunes: file uni sessions pruned
- * stream_icmp.created: icmp session trackers created
+ preemptive pruning (sum)
+ * stream.file_total_prunes: total file sessions pruned (sum)
+ * stream.file_uni_prunes: file uni sessions pruned (sum)
+ * stream_icmp.created: icmp session trackers created (sum)
* stream.icmp_excess_prunes: icmp sessions pruned due to excess
- * stream.icmp_flows: total icmp sessions
+ (sum)
+ * stream.icmp_flows: total icmp sessions (sum)
* stream.icmp_ha_prunes: icmp sessions pruned by high availability
- sync
+ sync (sum)
* stream.icmp_idle_prunes: icmp sessions pruned due to timeout
- * stream_icmp.max: max icmp sessions
+ (sum)
+ * stream_icmp.max: max icmp sessions (max)
* stream.icmp_memcap_prunes: icmp sessions pruned due to memcap
+ (sum)
* stream.icmp_preemptive_prunes: icmp sessions pruned during
- preemptive pruning
- * stream_icmp.prunes: icmp session prunes
- * stream_icmp.released: icmp session trackers released
- * stream_icmp.sessions: total icmp sessions
- * stream_icmp.timeouts: icmp session timeouts
- * stream.icmp_total_prunes: total icmp sessions pruned
- * stream.icmp_uni_prunes: icmp uni sessions pruned
- * stream_ip.alerts: alerts generated
- * stream_ip.anomalies: anomalies detected
- * stream_ip.created: ip session trackers created
- * stream_ip.current_frags: current fragments
- * stream_ip.discards: fragments discarded
- * stream_ip.drops: fragments dropped
- * stream.ip_excess_prunes: ip sessions pruned due to excess
- * stream.ip_flows: total ip sessions
- * stream_ip.fragmented_bytes: total fragmented bytes
- * stream_ip.frag_timeouts: datagrams abandoned
+ preemptive pruning (sum)
+ * stream_icmp.prunes: icmp session prunes (sum)
+ * stream_icmp.released: icmp session trackers released (sum)
+ * stream_icmp.sessions: total icmp sessions (sum)
+ * stream_icmp.timeouts: icmp session timeouts (sum)
+ * stream.icmp_total_prunes: total icmp sessions pruned (sum)
+ * stream.icmp_uni_prunes: icmp uni sessions pruned (sum)
+ * stream_ip.alerts: alerts generated (sum)
+ * stream_ip.anomalies: anomalies detected (sum)
+ * stream_ip.created: ip session trackers created (sum)
+ * stream_ip.current_frags: current fragments (now)
+ * stream_ip.discards: fragments discarded (sum)
+ * stream_ip.drops: fragments dropped (sum)
+ * stream.ip_excess_prunes: ip sessions pruned due to excess (sum)
+ * stream.ip_flows: total ip sessions (sum)
+ * stream_ip.fragmented_bytes: total fragmented bytes (sum)
+ * stream_ip.frag_timeouts: datagrams abandoned (sum)
* stream.ip_ha_prunes: ip sessions pruned by high availability sync
- * stream.ip_idle_prunes: ip sessions pruned due to timeout
- * stream_ip.max_frags: max fragments
- * stream_ip.max: max ip sessions
- * stream.ip_memcap_prunes: ip sessions pruned due to memcap
- * stream_ip.memory_used: current memory usage in bytes
- * stream_ip.nodes_deleted: fragments deleted from tracker
- * stream_ip.nodes_inserted: fragments added to tracker
- * stream_ip.overlaps: overlapping fragments
+ (sum)
+ * stream.ip_idle_prunes: ip sessions pruned due to timeout (sum)
+ * stream_ip.max_frags: max fragments (sum)
+ * stream_ip.max: max ip sessions (max)
+ * stream.ip_memcap_prunes: ip sessions pruned due to memcap (sum)
+ * stream_ip.memory_used: current memory usage in bytes (now)
+ * stream_ip.nodes_deleted: fragments deleted from tracker (sum)
+ * stream_ip.nodes_inserted: fragments added to tracker (sum)
+ * stream_ip.overlaps: overlapping fragments (sum)
* stream.ip_preemptive_prunes: ip sessions pruned during preemptive
- pruning
- * stream_ip.prunes: ip session prunes
- * stream_ip.reassembled_bytes: total reassembled bytes
- * stream_ip.reassembled: reassembled datagrams
- * stream_ip.released: ip session trackers released
- * stream_ip.sessions: total ip sessions
- * stream_ip.timeouts: ip session timeouts
- * stream_ip.total_frags: total fragments
- * stream.ip_total_prunes: total ip sessions pruned
- * stream_ip.trackers_added: datagram trackers created
- * stream_ip.trackers_cleared: datagram trackers cleared
- * stream_ip.trackers_completed: datagram trackers completed
- * stream_ip.trackers_freed: datagram trackers released
- * stream.ip_uni_prunes: ip uni sessions pruned
+ pruning (sum)
+ * stream_ip.prunes: ip session prunes (sum)
+ * stream_ip.reassembled_bytes: total reassembled bytes (sum)
+ * stream_ip.reassembled: reassembled datagrams (sum)
+ * stream_ip.released: ip session trackers released (sum)
+ * stream_ip.sessions: total ip sessions (sum)
+ * stream_ip.timeouts: ip session timeouts (sum)
+ * stream_ip.total_frags: total fragments (sum)
+ * stream.ip_total_prunes: total ip sessions pruned (sum)
+ * stream_ip.trackers_added: datagram trackers created (sum)
+ * stream_ip.trackers_cleared: datagram trackers cleared (sum)
+ * stream_ip.trackers_completed: datagram trackers completed (sum)
+ * stream_ip.trackers_freed: datagram trackers released (sum)
+ * stream.ip_uni_prunes: ip uni sessions pruned (sum)
* stream_tcp.client_cleanups: number of times data from server was
- flushed when session released
- * stream_tcp.closing: number of sessions currently closing
- * stream_tcp.created: tcp session trackers created
+ flushed when session released (sum)
+ * stream_tcp.closing: number of sessions currently closing (now)
+ * stream_tcp.created: tcp session trackers created (sum)
* stream_tcp.data_trackers: tcp session tracking started on data
- * stream_tcp.discards: tcp packets discarded
+ (sum)
+ * stream_tcp.discards: tcp packets discarded (sum)
* stream_tcp.established: number of sessions currently established
- * stream_tcp.events: events generated
+ (now)
+ * stream_tcp.events: events generated (sum)
* stream_tcp.exceeded_max_bytes: number of times the maximum queued
- byte limit was reached
+ byte limit was reached (sum)
* stream_tcp.exceeded_max_segs: number of times the maximum queued
- segment limit was reached
- * stream.tcp_excess_prunes: tcp sessions pruned due to excess
- * stream_tcp.fins: number of fin packets
- * stream.tcp_flows: total tcp sessions
- * stream_tcp.gaps: missing data between PDUs
+ segment limit was reached (sum)
+ * stream.tcp_excess_prunes: tcp sessions pruned due to excess (sum)
+ * stream_tcp.fins: number of fin packets (sum)
+ * stream.tcp_flows: total tcp sessions (sum)
+ * stream_tcp.gaps: missing data between PDUs (sum)
* stream.tcp_ha_prunes: tcp sessions pruned by high availability
- sync
- * stream.tcp_idle_prunes: tcp sessions pruned due to timeout
- * stream_tcp.ignored: tcp packets ignored
+ sync (sum)
+ * stream.tcp_idle_prunes: tcp sessions pruned due to timeout (sum)
+ * stream_tcp.ignored: tcp packets ignored (sum)
* stream_tcp.initializing: number of sessions currently
- initializing
- * stream_tcp.internal_events: 135:X events generated
- * stream_tcp.max: max tcp sessions
- * stream.tcp_memcap_prunes: tcp sessions pruned due to memcap
- * stream_tcp.memory: current memory in use
- * stream_tcp.overlaps: overlapping segments queued
+ initializing (now)
+ * stream_tcp.internal_events: 135:X events generated (sum)
+ * stream_tcp.max: max tcp sessions (max)
+ * stream.tcp_memcap_prunes: tcp sessions pruned due to memcap (sum)
+ * stream_tcp.memory: current memory in use (now)
+ * stream_tcp.overlaps: overlapping segments queued (sum)
* stream.tcp_preemptive_prunes: tcp sessions pruned during
- preemptive pruning
- * stream_tcp.prunes: tcp session prunes
- * stream_tcp.rebuilt_buffers: rebuilt PDU sections
- * stream_tcp.rebuilt_bytes: total rebuilt bytes
- * stream_tcp.rebuilt_packets: total reassembled PDUs
- * stream_tcp.released: tcp session trackers released
- * stream_tcp.resets: number of reset packets
- * stream_tcp.resyns: SYN received on established session
- * stream_tcp.segs_queued: total segments queued
- * stream_tcp.segs_released: total segments released
+ preemptive pruning (sum)
+ * stream_tcp.prunes: tcp session prunes (sum)
+ * stream_tcp.rebuilt_buffers: rebuilt PDU sections (sum)
+ * stream_tcp.rebuilt_bytes: total rebuilt bytes (sum)
+ * stream_tcp.rebuilt_packets: total reassembled PDUs (sum)
+ * stream_tcp.released: tcp session trackers released (sum)
+ * stream_tcp.resets: number of reset packets (sum)
+ * stream_tcp.resyns: SYN received on established session (sum)
+ * stream_tcp.segs_queued: total segments queued (sum)
+ * stream_tcp.segs_released: total segments released (sum)
* stream_tcp.segs_split: tcp segments split when reassembling PDUs
+ (sum)
* stream_tcp.segs_used: queued tcp segments applied to reassembled
- PDUs
+ PDUs (sum)
* stream_tcp.server_cleanups: number of times data from client was
- flushed when session released
- * stream_tcp.sessions: total tcp sessions
- * stream_tcp.syn_acks: number of syn-ack packets
+ flushed when session released (sum)
+ * stream_tcp.sessions: total tcp sessions (sum)
+ * stream_tcp.syn_acks: number of syn-ack packets (sum)
* stream_tcp.syn_ack_trackers: tcp session tracking started on
- syn-ack
- * stream_tcp.syns: number of syn packets
+ syn-ack (sum)
+ * stream_tcp.syns: number of syn packets (sum)
* stream_tcp.syn_trackers: tcp session tracking started on syn
+ (sum)
* stream_tcp.three_way_trackers: tcp session tracking started on
- ack
- * stream_tcp.timeouts: tcp session timeouts
- * stream.tcp_total_prunes: total tcp sessions pruned
- * stream.tcp_uni_prunes: tcp uni sessions pruned
- * stream_tcp.untracked: tcp packets not tracked
- * stream_udp.created: udp session trackers created
- * stream.udp_excess_prunes: udp sessions pruned due to excess
- * stream.udp_flows: total udp sessions
+ ack (sum)
+ * stream_tcp.timeouts: tcp session timeouts (sum)
+ * stream.tcp_total_prunes: total tcp sessions pruned (sum)
+ * stream.tcp_uni_prunes: tcp uni sessions pruned (sum)
+ * stream_tcp.untracked: tcp packets not tracked (sum)
+ * stream_udp.created: udp session trackers created (sum)
+ * stream.udp_excess_prunes: udp sessions pruned due to excess (sum)
+ * stream.udp_flows: total udp sessions (sum)
* stream.udp_ha_prunes: udp sessions pruned by high availability
- sync
- * stream.udp_idle_prunes: udp sessions pruned due to timeout
- * stream_udp.ignored: udp packets ignored
- * stream_udp.max: max udp sessions
- * stream.udp_memcap_prunes: udp sessions pruned due to memcap
+ sync (sum)
+ * stream.udp_idle_prunes: udp sessions pruned due to timeout (sum)
+ * stream_udp.ignored: udp packets ignored (sum)
+ * stream_udp.max: max udp sessions (max)
+ * stream.udp_memcap_prunes: udp sessions pruned due to memcap (sum)
* stream.udp_preemptive_prunes: udp sessions pruned during
- preemptive pruning
- * stream_udp.prunes: udp session prunes
- * stream_udp.released: udp session trackers released
- * stream_udp.sessions: total udp sessions
- * stream_udp.timeouts: udp session timeouts
- * stream.udp_total_prunes: total udp sessions pruned
- * stream.udp_uni_prunes: udp uni sessions pruned
+ preemptive pruning (sum)
+ * stream_udp.prunes: udp session prunes (sum)
+ * stream_udp.released: udp session trackers released (sum)
+ * stream_udp.sessions: total udp sessions (sum)
+ * stream_udp.timeouts: udp session timeouts (sum)
+ * stream.udp_total_prunes: total udp sessions pruned (sum)
+ * stream.udp_uni_prunes: udp uni sessions pruned (sum)
* stream.user_excess_prunes: user sessions pruned due to excess
- * stream.user_flows: total user sessions
+ (sum)
+ * stream.user_flows: total user sessions (sum)
* stream.user_ha_prunes: user sessions pruned by high availability
- sync
+ sync (sum)
* stream.user_idle_prunes: user sessions pruned due to timeout
+ (sum)
* stream.user_memcap_prunes: user sessions pruned due to memcap
+ (sum)
* stream.user_preemptive_prunes: user sessions pruned during
- preemptive pruning
- * stream.user_total_prunes: total user sessions pruned
- * stream.user_uni_prunes: user uni sessions pruned
- * tcp.bad_tcp4_checksum: nonzero tcp over ip checksums
- * tcp.bad_tcp6_checksum: nonzero tcp over ipv6 checksums
- * tcp_connector.messages: total messages
- * telnet.packets: total packets
- * udp.bad_udp4_checksum: nonzero udp over ipv4 checksums
- * udp.bad_udp6_checksum: nonzero udp over ipv6 checksums
- * wizard.tcp_hits: tcp identifications
- * wizard.tcp_scans: tcp payload scans
- * wizard.udp_hits: udp identifications
- * wizard.udp_scans: udp payload scans
- * wizard.user_hits: user identifications
- * wizard.user_scans: user payload scans
+ preemptive pruning (sum)
+ * stream.user_total_prunes: total user sessions pruned (sum)
+ * stream.user_uni_prunes: user uni sessions pruned (sum)
+ * tcp.bad_tcp4_checksum: nonzero tcp over ip checksums (sum)
+ * tcp.bad_tcp6_checksum: nonzero tcp over ipv6 checksums (sum)
+ * tcp_connector.messages: total messages (sum)
+ * telnet.concurrent_sessions: total concurrent telnet sessions
+ (now)
+ * telnet.max_concurrent_sessions: maximum concurrent telnet
+ sessions (max)
+ * telnet.total_packets: total packets (sum)
+ * udp.bad_udp4_checksum: nonzero udp over ipv4 checksums (sum)
+ * udp.bad_udp6_checksum: nonzero udp over ipv6 checksums (sum)
+ * wizard.tcp_hits: tcp identifications (sum)
+ * wizard.tcp_scans: tcp payload scans (sum)
+ * wizard.udp_hits: udp identifications (sum)
+ * wizard.udp_scans: udp payload scans (sum)
+ * wizard.user_hits: user identifications (sum)
+ * wizard.user_scans: user payload scans (sum)
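Review bot: renaming telnet.packets to telnet.total_packets in this hunk is a breaking change for anything that consumes the stats output by counter name (dashboards, perf log parsers, alerting on packet rate), and nothing in the entry flags it as a rename rather than a new counter; the release notes should state the old and new names so consumers update instead of quietly reporting zero. Two smaller points in the same hunk: "telnet.concurrent_sessions: total concurrent telnet sessions (now)" mixes "total" with a (now) gauge, where "current concurrent telnet sessions" would match the (sum)/(now)/(max) scheme used everywhere else; and the prune counters keep the "stream.ip_*" / "stream.tcp_*" / "stream.udp_*" prefix while their neighbors use "stream_ip.*" / "stream_tcp.*" / "stream_udp.*", which this diff does not change but is the natural time to unify if counter names are being touched anyway.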
20.6. Generators
* 116: ipv6
* 116: llc
* 116: mpls
+ * 116: pbb
* 116: pgm
* 116: pppoe
* 116: tcp
* 116:422 (tcp) TCP PDU missing ack for established session
* 116:423 (tcp) TCP has no SYN, ACK, or RST
* 116:424 (eth) truncated ethernet header
+ * 116:424 (pbb) truncated ethernet header
* 116:425 (ipv4) truncated IPv4 header
* 116:426 (icmp4) truncated ICMP4 header
* 116:427 (icmp6) truncated ICMPv6 header
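Review bot: the added "116:424 (pbb) truncated ethernet header" reuses the exact gid:sid and message of the existing "116:424 (eth) truncated ethernet header", so an alert on 116:424 no longer tells the analyst which codec raised it, and any suppress or threshold entry keyed on 116:424 now covers both decoders. If sharing the sid is intended, say so in the entry; otherwise give the pbb event its own sid or have the message name the 802.1ah encapsulation so the two remain distinguishable in alert output.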
* 119:2 (http_inspect) double decoding attack
* 119:3 (http_inspect) u encoding
* 119:4 (http_inspect) bare byte unicode encoding
- * 119:5 (http_inspect) obsolete event—should not appear
+ * 119:5 (http_inspect) obsolete event—deleted
* 119:6 (http_inspect) UTF-8 encoding
* 119:7 (http_inspect) unicode map code point encoding in URI
* 119:8 (http_inspect) multi_slash encoding
* 119:19 (http_inspect) long header
* 119:20 (http_inspect) max header fields
* 119:21 (http_inspect) multiple content length
- * 119:22 (http_inspect) obsolete event—should not appear
+ * 119:22 (http_inspect) obsolete event—deleted
* 119:23 (http_inspect) invalid IP in true-client-IP/XFF header
* 119:24 (http_inspect) multiple host hdrs detected
* 119:25 (http_inspect) hostname exceeds 255 characters
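Review bot: changing 119:5 and 119:22 from "obsolete event—should not appear" to "obsolete event—deleted" leaves two entries in the generator list that describe nothing; if the intent is to reserve the sids so they are never reused, the entry should say that ("retired, do not reuse"), and if not, drop the two lines rather than keep placeholders that rule authors may still try to enable.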
* 133:25 (dce_smb) SMB - chained/compounded open pipe followed by
close pipe
* 133:26 (dce_smb) SMB - invalid share access
- * 133:27 (dce_smb) connection oriented DCE/RPC - invalid major
- version
* 133:27 (dce_tcp) connection oriented DCE/RPC - invalid major
version
- * 133:28 (dce_smb) connection oriented DCE/RPC - invalid minor
- version
* 133:28 (dce_tcp) connection oriented DCE/RPC - invalid minor
version
- * 133:29 (dce_smb) connection-oriented DCE/RPC - invalid PDU type
* 133:29 (dce_tcp) connection-oriented DCE/RPC - invalid PDU type
- * 133:30 (dce_smb) connection-oriented DCE/RPC - fragment length
- less than header size
* 133:30 (dce_tcp) connection-oriented DCE/RPC - fragment length
less than header size
- * 133:32 (dce_smb) connection-oriented DCE/RPC - no context items
- specified
* 133:32 (dce_tcp) connection-oriented DCE/RPC - no context items
specified
- * 133:33 (dce_smb) connection-oriented DCE/RPC -no transfer
- syntaxes specified
* 133:33 (dce_tcp) connection-oriented DCE/RPC -no transfer
syntaxes specified
- * 133:34 (dce_smb) connection-oriented DCE/RPC - fragment length on
- non-last fragment less than maximum negotiated fragment transmit
- size for client
* 133:34 (dce_tcp) connection-oriented DCE/RPC - fragment length on
non-last fragment less than maximum negotiated fragment transmit
size for client
- * 133:35 (dce_smb) connection-oriented DCE/RPC - fragment length
- greater than maximum negotiated fragment transmit size
* 133:35 (dce_tcp) connection-oriented DCE/RPC - fragment length
greater than maximum negotiated fragment transmit size
- * 133:36 (dce_smb) connection-oriented DCE/RPC - alter context byte
- order different from bind
* 133:36 (dce_tcp) connection-oriented DCE/RPC - alter context byte
order different from bind
- * 133:37 (dce_smb) connection-oriented DCE/RPC - call id of non
- first/last fragment different from call id established for
- fragmented request
* 133:37 (dce_tcp) connection-oriented DCE/RPC - call id of non
first/last fragment different from call id established for
fragmented request
- * 133:38 (dce_smb) connection-oriented DCE/RPC - opnum of non first
- /last fragment different from opnum established for fragmented
- request
* 133:38 (dce_tcp) connection-oriented DCE/RPC - opnum of non first
/last fragment different from opnum established for fragmented
request
- * 133:39 (dce_smb) connection-oriented DCE/RPC - context id of non
- first/last fragment different from context id established for
- fragmented request
* 133:39 (dce_tcp) connection-oriented DCE/RPC - context id of non
first/last fragment different from context id established for
fragmented request
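Review bot: removing the dce_smb entries for 133:27 through 133:39 leaves only dce_tcp listed for those sids, which is correct only if the SMB inspector no longer raises them; if dce_smb still emits them for DCE/RPC carried over named pipes, this hunk understates which inspector owns the events and a reader tuning by gid:sid will look in the wrong module. Suggest confirming ownership before merging, and while in this hunk, "connection-oriented DCE/RPC -no transfer syntaxes specified" (133:33) is missing the space after the dash that the neighboring entries have.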
* packet_capture.disable(): stop packet dump
* packet_capture.enable(filter): dump raw packets
+ * snort.delete_inspector(inspector): delete an inspector from the
+ default policy
* snort.detach(): exit shell w/o shutdown
* snort.dump_stats(): show summary statistics
* snort.help(): this output
* snort.reload_config(filename): load new configuration
* snort.reload_daq(): reload daq module
* snort.reload_hosts(filename): load a new hosts table
+ * snort.reload_policy(filename): reload part or all of the default
+ policy
* snort.resume(): continue packet processing
* snort.rotate_stats(): roll perfmonitor log files
* snort.show_plugins(): show available plugins
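Review bot: the help strings for the new snort.delete_inspector(inspector) and snort.reload_policy(filename) do not say what the argument is. The neighboring snort.reload_config(filename) and snort.reload_hosts(filename) entries at least imply a path, but "inspector" could be read as an instance name or a plugin type; suggest stating that it is the inspector name as a quoted Lua string and, for reload_policy, which parts of the default policy "part or all" refers to, since an operator using these from the shell on a live sensor has only this text to go on.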
* alert_ex (logger): output gid:sid:rev for alerts
* alert_fast (logger): output event with brief text format
* alert_full (logger): output event with full packet dump
+ * alert_json (logger): output event in json format
* alert_sfsocket (logger): output event over socket
* alert_syslog (logger): output event to syslog
* alert_unixsock (logger): output event over unix socket
* http_inspect (inspector): HTTP inspector
* http_method (ips_option): rule option to set the detection cursor
to the HTTP request method
+ * http_raw_body (ips_option): rule option to set the detection
+ cursor to the unnormalized message body
* http_raw_cookie (ips_option): rule option to set the detection
cursor to the unnormalized cookie
* http_raw_header (ips_option): rule option to set the detection
cursor to the HTTP status message
* http_trailer (ips_option): rule option to set the detection
cursor to the normalized trailers
+ * http_true_ip (ips_option): rule option to set the detection
+ cursor to the final client IP address
* http_uri (ips_option): rule option to set the detection cursor to
the normalized URI buffer
* http_version (ips_option): rule option to set the detection
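Review bot: "http_raw_header (ips_option): rule option to set the detection cursor to the HTTP status message" reads like a copy-paste from the status-message option; by the pattern of the added http_raw_body ("unnormalized message body") and the existing http_raw_cookie ("unnormalized cookie"), the description should be "unnormalized headers". The line is unchanged context here, but it sits between the new entries and misleads anyone choosing between http_raw_header and http_header when writing a rule, so fix it in the same change.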
* mpls (codec): support for multiprotocol label switching
* msg (ips_option): rule option summarizing rule purpose output
with events
+ * mss (ips_option): detection for TCP maximum segment size
* network (basic): configure basic network parameters
* normalizer (inspector): packet scrubbing for inline mode
* output (basic): configure general output parameters
* packet_capture (inspector): raw packet dumping facility
* packets (basic): configure basic packet handling
+ * pbb (codec): support for 802.1ah protocol
* pcre (ips_option): rule option for matching payload data with
pcre
* perf_monitor (inspector): performance monitoring and flow
* reference (ips_option): rule option to indicate relevant attack
identification system
* references (basic): define reference systems used in rules
+ * reg_test (inspector): The regression test inspector (rti) is used
+ when special packet handling is required for a reg test
* regex (ips_option): rule option for matching payload data with
hyperscan regex
* reject (ips_action): terminate session with TCP reset or ICMP
* sd_pattern (ips_option): rule option for detecting sensitive data
* search_engine (basic): configure fast pattern matcher
* seq (ips_option): rule option to check TCP sequence number
+ * service (ips_option): rule option to specify list of services for
+ grouping rules
* session (ips_option): rule option to check user data from TCP
sessions
* sha256 (ips_option): payload rule option for hash matching
and reassembly
* suppress (basic): configure event suppressions
* tag (ips_option): rule option to log additional packets
+ * target (ips_option): rule option to indicate target of attack
* tcp (codec): support for transmission control protocol
* tcp_connector (connector): implement the tcp stream connector
* telnet (inspector): telnet inspection and normalization
protocol identification
* wlan (codec): support for wireless local area network protocol
(DLT 105)
+ * wscale (ips_option): detection for TCP window scale
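Review bot: the new reg_test entry ("The regression test inspector (rti) is used when special packet handling is required for a reg test") is the only description in this list written as a capitalized full sentence; match the lowercase fragment style of its neighbors, e.g. "regression test inspector for special packet handling in reg tests". Likewise the added "mss (ips_option): detection for TCP maximum segment size" and "wscale (ips_option): detection for TCP window scale" use "detection for" where seq, tos, ttl and window in the same listing use "rule option to check ..."; "rule option to check TCP maximum segment size" and "rule option to check TCP window scale" keep the listing consistent and greppable.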
20.12. Plugin Listing
* codec::llc: support for logical link control
* codec::mpls: support for multiprotocol label switching
* codec::null: support for null encapsulation (DLT 0)
+ * codec::pbb: support for 802.1ah protocol
* codec::pflog: support for OpenBSD PF log (DLT 117)
* codec::pgm: support for pragmatic general multicast
* codec::pim: support for protocol independent multicast
* inspector::pop: pop inspection
* inspector::port_scan: detect various ip, icmp, tcp, and udp port
or protocol scans
+ * inspector::reg_test: The regression test inspector (rti) is used
+ when special packet handling is required for a reg test
* inspector::reputation: reputation inspection
* inspector::rpc_decode: RPC inspector
* inspector::sip: sip inspection
to the normalized headers
* ips_option::http_method: rule option to set the detection cursor
to the HTTP request method
+ * ips_option::http_raw_body: rule option to set the detection
+ cursor to the unnormalized message body
* ips_option::http_raw_cookie: rule option to set the detection
cursor to the unnormalized cookie
* ips_option::http_raw_header: rule option to set the detection
cursor to the HTTP status message
* ips_option::http_trailer: rule option to set the detection cursor
to the normalized trailers
+ * ips_option::http_true_ip: rule option to set the detection cursor
+ to the final client IP address
* ips_option::http_uri: rule option to set the detection cursor to
the normalized URI buffer
* ips_option::http_version: rule option to set the detection cursor
* ips_option::modbus_unit: rule option to check modbus unit ID
* ips_option::msg: rule option summarizing rule purpose output with
events
+ * ips_option::mss: detection for TCP maximum segment size
* ips_option::pcre: rule option for matching payload data with pcre
* ips_option::pkt_data: rule option to set the detection cursor to
the normalized packet data
* ips_option::rpc: rule option to check SUNRPC CALL parameters
* ips_option::sd_pattern: rule option for detecting sensitive data
* ips_option::seq: rule option to check TCP sequence number
+ * ips_option::service: rule option to specify list of services for
+ grouping rules
* ips_option::session: rule option to check user data from TCP
sessions
* ips_option::sha256: payload rule option for hash matching
* ips_option::stream_size: detection option for stream size
checking
* ips_option::tag: rule option to log additional packets
+ * ips_option::target: rule option to indicate target of attack
* ips_option::tos: rule option to check type of service field
* ips_option::ttl: rule option to check time to live field
* ips_option::urg: detection for TCP urgent pointer
* ips_option::window: rule option to check TCP window field
+ * ips_option::wscale: detection for TCP window scale
* logger::alert_csv: output event in csv format
* logger::alert_ex: output gid:sid:rev for alerts
* logger::alert_fast: output event with brief text format
* logger::alert_full: output event with full packet dump
+ * logger::alert_json: output event in json format
* logger::alert_sfsocket: output event over socket
* logger::alert_syslog: output event to syslog
* logger::alert_unixsock: output event over unix socket
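Review bot: section 20.12 repeats every description from the module listing above verbatim, so the wording problems in the earlier copy (the capitalized reg_test sentence, "detection for" on mss and wscale, and "HTTP status message" on http_raw_header) appear a second time here in inspector::reg_test, ips_option::mss, ips_option::wscale and ips_option::http_raw_header. If both sections are generated from the plugins' help strings, correcting the source string fixes both; if they are maintained by hand, the two listings need to be edited together or they will drift.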