From: Russ Combs (rucombs) Date: Thu, 14 Dec 2017 23:01:55 +0000 (-0500) Subject: Merge pull request #1088 in SNORT/snort3 from 241 to master X-Git-Tag: 3.0.0-241 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3a6cccea6e921d4520dcd61a96cfc70ea3d85583;p=thirdparty%2Fsnort3.git Merge pull request #1088 in SNORT/snort3 from 241 to master Squashed commit of the following: commit 1f7ece85eb3ec05805490ed1e929d7e40cf6aa83 Author: Russ Combs Date: Thu Dec 14 10:32:15 2017 -0500 build 241 commit 922a74e6eef8aef64df290da43bb0a857c9a6591 Author: Russ Combs Date: Thu Dec 14 13:13:49 2017 -0500 doc: update default manuals commit f0ed802e05f056aa018bf511920899abd80053ae Author: Russ Combs Date: Thu Dec 14 09:39:24 2017 -0500 cmake: add --define to configure_cmake.sh for arbitrary defines --- diff --git a/ChangeLog b/ChangeLog index d12a3c694..a4c4211f9 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,98 @@ +17/12/15 - build 241 + +-- add back the ref count for file config +-- alert_csv: various fixes to match alert_json +-- alert_json: tcp_ack, tcp_seq, and tcp_win are (base 10) integers +-- alert_json: various fixes + thanks to Noah Dietrich for reporting the issues +-- appid: close all Lua states when thread exits +-- appid: gracefully handle failed Lua state instantiation + thanks to Noah Dietrich for reporting the issue. +-- appid: only update session flags and discovery state if service id actually set to http +-- appid: patch to update the appid discovery state when an http event results in setting of the service id for a flow +-- appid: return false from is_third_party_appid_available when no third party module is available. +-- appid: tweak warnings and errors +-- binder: activate profiler support +-- binder: add FIXIT re creating default bindings when the wizard is not configured +-- binder: fix ingress / egress test +-- binder: minor perf and readability tweaks +-- build: fixed build issues on OSX with clang with cd_pbb, alert_json +-- build: fixed several dyanmic modules on OSX / clang +-- build: suppress appid warnings for valid case statement fall throughs +-- byte_test: fix string bounds check +-- catch: Update to Catch v2.0.1 +-- cmake: add --define to configure_cmake.sh for arbitrary defines +-- codec: added wlan support for arp_spoof +-- codec: updated MIPv6 and merged cd_pim.cc, cd_swpie.cc and cd_sun_ud.cc to cd_bad_proto.cc +-- conf: remove OPTIONS from SIP and HTTP spells to avoid confusion with RTSP +-- conf: remove client to server spells for FTP, IMAP, POP, and SMTP to avoid false pickups +-- control: must execute from default policy only +-- control: process flow first +-- cppcheck: More miscellaneous fixes, mostly for new Catch +-- daq: explicitly initialize more fields in SFDAQInstance constructor +-- daq: handle real IP and port +-- data_bus: also publish to default policy +-- data_bus: refactor basic access for pub / sub 
+-- dce: use service names from rules (dce_smb = netbios-ssn; dce_tcp / dce_udp = dcerpc) +-- detection: fix option tree looping issue +-- detection: rename ServiceInfo to SignatureServiceInfo +-- doc: fix type in style section +-- doc: update default manuals +-- file api: move file verdict enforcement out of file policy +-- file api: support file verdict delay during signature lookup +-- file policy and file config update to allow user define customized file policy through file api +-- file policy: add support for file event logging +-- file_api: Set the FileContext verdict, not a local verdict +-- file_id: add interface to access file info from file capture +-- file_id: support groups +-- hash: Rename SFGHASH, SFXHASH, SFHASHFCN to something resonable +-- http_inspect: add profiler support +-- http_inspect: fix bugs related to stream interaction +-- http_inspect: use configured max_pdu as base target reassembly size +-- inspection: default policy mode depends on adaptor mode +-- ips options: error if lookup fails due to bad case, typos, etc. + thanks to Noah Dietrich for reporting the issue +-- memory: no stats output unless configured +-- normalizer: added test mode +-- normalizer: fix enable checks +-- parsing: resolve paths from the current config directory instead of process directory +-- policy: added inspection policy config. +-- port_scan: add alert_all to make alerting on all events in window optional +-- port_scan: fix flow checks +-- profiler: fix focus of eventq +-- reputation: tweak warning message +-- rules: default msg = "no msg in rule" +-- sfrt: remove cruft and reformat header +-- shell: fixed crash when issuing control commands +-- sip: use log splitter for tcp +-- snort2lua: --bind-wizard will add a trailing binding to the default wizard in each binder +-- snort2lua: Convert file_magic.conf to Lua format. +-- snort2lua: added inspection uuid +-- snort2lua: added na_policy_mode. added ability amend tables if created. 
+-- snort2lua: added normalize_tcp: ftp +-- snort2lua: fix stream_size: to_client, to_server conversion +-- snort2lua: future proof --bind-wizard binding order +-- snort2lua: no sticky buffer for relative pcre +-- snort2lua: remove when udp from binding to support tcp too +-- snort2lua: tweak const name for clarity (internal) +-- snort2lua: urilen:<> --> bufferlen:<=> +-- snort: do not dlclose plugins at shutdown during REG_TEST to avoid borked backtraces from LeakSanitizer +-- soid: allow stub to contain any or all options +-- --rule-to-*: use whole soid arg as suffix to rule and len identifiers; make static +-- stream: change tcp idle timeout to 3600 to match 2.X nominal timeout +-- stream_*: separate session profiler data from flow cache profiler data +-- stream_ip: fix non-frag counting +-- stream_size: fix eval packet checks +-- stream_tcp: delete superfluous memsets to zero +-- stream_tcp: ignore flush requests on unitialized sessions (early abort condition) +-- stream_tcp: instantiate wizard only when needed +-- stream_tcp: remove empty default state action +-- stream_user: clear splitter properly +-- target_based: Install header +-- wizard: abort if no match +-- wizard: activate profiler support +-- wizard: usage is inspect + 17/10/31 - build 240 -- active: fix packet modify vs resize handling diff --git a/configure_cmake.sh b/configure_cmake.sh index a86cf21f2..0ebb0d9f7 100755 --- a/configure_cmake.sh +++ b/configure_cmake.sh @@ -153,6 +153,9 @@ while [ $# -ne 0 ]; do --builddir=*) builddir=$optarg ;; + --define=*) + CMakeCacheEntries="$CMakeCacheEntries -D$optarg" + ;; --generator=*) CMakeGenerator="$optarg" ;; diff --git a/doc/snort_manual.html b/doc/snort_manual.html index 24dba57ae..05785cf8d 100644 --- a/doc/snort_manual.html +++ b/doc/snort_manual.html @@ -779,7 +779,7 @@ asciidoc.install(2);
 ,,_     -*> Snort++ <*-
-o"  )~   Version 3.0.0 (Build 239) from 2.9.8-383
+o"  )~   Version 3.0.0 (Build 240) from 2.9.8-383
  ''''    By Martin Roesch & The Snort Team
          http://snort.org/contact#team
          Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.
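Review bot: in the configure_cmake.sh hunk, `--define=*)` does `CMakeCacheEntries="$CMakeCacheEntries -D$optarg"` with no check that the argument has a NAME=VALUE shape, and because the entries are accumulated in one space-separated string a value containing whitespace (for example `--define='FOO=a b'`) cannot survive as a single -D argument when the string is later passed to cmake; either document that each define must be a single token or collect the entries in a shell array. The hunk also adds no usage/help line for `--define`, so the script's option listing should be updated if it has one. In the ChangeLog hunk, "dyanmic" should read "dynamic", "resonable" should read "reasonable", "unitialized" should read "uninitialized", and "doc: fix type in style section" presumably means "typo"; the build is stamped 17/12/15 while the commits are dated Dec 14, so confirm that is the intended release date. In this manual hunk the banner only moves from Build 239 to Build 240 although the merge is tagged build 241 (doc/snort_manual.text carries the same Build 240 banner), which suggests the default manuals were regenerated before the "build 241" version bump and need one more regeneration.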
@@ -7087,6 +7087,30 @@ port hosts[].services[].port: port number
 
+

inspection

+

What: configure basic inspection policy parameters

+

Type: basic

+

Usage: inspect

+

Configuration:

+
    +
  • +

    +int inspection.id = 0: correlate policy and events with other items in configuration { 0:65535 } +

    +
  • +
  • +

    +string inspection.uuid: correlate events by uuid +

    +
  • +
  • +

    +enum inspection.mode = inline-test: set policy mode { inline | inline-test } +

    +
  • +
+
+

ips

What: configure IPS rule processing

Type: basic
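Review bot: the new inspection section documents `enum inspection.mode = inline-test: set policy mode { inline | inline-test }` as a fixed default, but the ChangeLog entry "inspection: default policy mode depends on adaptor mode" says the effective default is derived from the adaptor mode; the help text should say which wins when mode is not set, otherwise a reader of the manual will assume inline-test is always applied. Also `string inspection.uuid: correlate events by uuid` shows no default while `ips.uuid` in the following hunk now defaults to the nil UUID 00000000-0000-0000-0000-000000000000; if both are used to correlate events, the unset case should behave the same way in both modules, or the difference should be documented.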

@@ -7120,7 +7144,7 @@ string ips.rules: snort rules and includes
  • -string ips.uuid: IPS policy uuid +string ips.uuid = 00000000-0000-0000-0000-000000000000: IPS policy uuid

  • @@ -8192,6 +8216,11 @@ implied snort.--pause: wait for resume/quit command before proc
  • +implied snort.--parsing-follows-files: parse relative paths from the perspective of the current configuration file +

    +
  • +
  • +

    string snort.--pcap-file: <file> file that contains a list of pcaps to read - read mode is implied
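Review bot: the help text for `implied snort.--parsing-follows-files: parse relative paths from the perspective of the current configuration file` does not say what the default is; per the ChangeLog entry "parsing: resolve paths from the current config directory instead of process directory", relative paths are otherwise resolved against the process working directory. State that contrast here, since which directory an include or rules path resolves against determines which file a policy actually loads, and an operator reading only this line cannot tell what the flag changes.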

  • @@ -9238,6 +9267,11 @@ bool esp.decode_esp = false: enable for inspection of esp traff 116:456 (ipv6) too many IPv6 extension headers

    +
  • +

    +116:475 (ipv6) IPv6 mobility header includes an invalid value for the payload protocol field +

    +
  • @@ -11296,6 +11330,11 @@ string file_id.file_rules[].category: file type category
  • +string file_id.file_rules[].group: comma separated list of groups associated with file type +

    +
  • +
  • +

    string file_id.file_rules[].version: file type version

  • @@ -11354,6 +11393,11 @@ bool file_id.trace_signature = false: enable runtime dump of si bool file_id.trace_stream = false: enable runtime dump of file data

    +
  • +

    +int file_id.verdict_delay = 0: number of queries to return final verdict { 0: } +

    +
  • Peg counts:

      @@ -12783,17 +12827,12 @@ bool normalizer.icmp6 = false: clear reserved flag
      • -normalizer.ip4_trim: eth packets trimmed to datagram size (sum) -

        -
      • -
      • -

        normalizer.test_ip4_trim: test eth packets trimmed to datagram size (sum)

      • -normalizer.ip4_tos: type of service normalizations (sum) +normalizer.ip4_trim: eth packets trimmed to datagram size (sum)

      • @@ -12803,7 +12842,7 @@ bool normalizer.icmp6 = false: clear reserved flag
      • -normalizer.ip4_df: don’t frag bit normalizations (sum) +normalizer.ip4_tos: type of service normalizations (sum)

      • @@ -12813,7 +12852,7 @@ bool normalizer.icmp6 = false: clear reserved flag
      • -normalizer.ip4_rf: reserved flag bit clears (sum) +normalizer.ip4_df: don’t frag bit normalizations (sum)

      • @@ -12823,7 +12862,7 @@ bool normalizer.icmp6 = false: clear reserved flag
      • -normalizer.ip4_ttl: time-to-live normalizations (sum) +normalizer.ip4_rf: reserved flag bit clears (sum)

      • @@ -12833,7 +12872,7 @@ bool normalizer.icmp6 = false: clear reserved flag
      • -normalizer.ip4_opts: ip4 options cleared (sum) +normalizer.ip4_ttl: time-to-live normalizations (sum)

      • @@ -12843,7 +12882,7 @@ bool normalizer.icmp6 = false: clear reserved flag
      • -normalizer.icmp4_echo: icmp4 ping normalizations (sum) +normalizer.ip4_opts: ip4 options cleared (sum)

      • @@ -12853,7 +12892,7 @@ bool normalizer.icmp6 = false: clear reserved flag
      • -normalizer.ip6_hops: ip6 hop limit normalizations (sum) +normalizer.icmp4_echo: icmp4 ping normalizations (sum)

      • @@ -12863,7 +12902,7 @@ bool normalizer.icmp6 = false: clear reserved flag
      • -normalizer.ip6_options: ip6 options cleared (sum) +normalizer.ip6_hops: ip6 hop limit normalizations (sum)

      • @@ -12873,7 +12912,7 @@ bool normalizer.icmp6 = false: clear reserved flag
      • -normalizer.icmp6_echo: icmp6 echo normalizations (sum) +normalizer.ip6_options: ip6 options cleared (sum)

      • @@ -12883,7 +12922,7 @@ bool normalizer.icmp6 = false: clear reserved flag
      • -normalizer.tcp_syn_options: SYN only options cleared from non-SYN packets (sum) +normalizer.icmp6_echo: icmp6 echo normalizations (sum)

      • @@ -12893,7 +12932,7 @@ bool normalizer.icmp6 = false: clear reserved flag
      • -normalizer.tcp_options: packets with options cleared (sum) +normalizer.tcp_syn_options: SYN only options cleared from non-SYN packets (sum)

      • @@ -12903,7 +12942,7 @@ bool normalizer.icmp6 = false: clear reserved flag
      • -normalizer.tcp_padding: packets with padding cleared (sum) +normalizer.tcp_options: packets with options cleared (sum)

      • @@ -12913,7 +12952,7 @@ bool normalizer.icmp6 = false: clear reserved flag
      • -normalizer.tcp_reserved: packets with reserved bits cleared (sum) +normalizer.tcp_padding: packets with padding cleared (sum)

      • @@ -12923,7 +12962,7 @@ bool normalizer.icmp6 = false: clear reserved flag
      • -normalizer.tcp_nonce: packets with nonce bit cleared (sum) +normalizer.tcp_reserved: packets with reserved bits cleared (sum)

      • @@ -12933,7 +12972,7 @@ bool normalizer.icmp6 = false: clear reserved flag
      • -normalizer.tcp_urgent_ptr: packets without data with urgent pointer cleared (sum) +normalizer.tcp_nonce: packets with nonce bit cleared (sum)

      • @@ -12943,7 +12982,7 @@ bool normalizer.icmp6 = false: clear reserved flag
      • -normalizer.tcp_ecn_pkt: packets with ECN bits cleared (sum) +normalizer.tcp_urgent_ptr: packets without data with urgent pointer cleared (sum)

      • @@ -12953,7 +12992,7 @@ bool normalizer.icmp6 = false: clear reserved flag
      • -normalizer.tcp_ts_ecr: timestamp cleared on non-ACKs (sum) +normalizer.tcp_ecn_pkt: packets with ECN bits cleared (sum)

      • @@ -12963,7 +13002,7 @@ bool normalizer.icmp6 = false: clear reserved flag
      • -normalizer.tcp_req_urg: cleared urgent pointer when urgent flag is not set (sum) +normalizer.tcp_ts_ecr: timestamp cleared on non-ACKs (sum)

      • @@ -12973,7 +13012,7 @@ bool normalizer.icmp6 = false: clear reserved flag
      • -normalizer.tcp_req_pay: cleared urgent pointer and urgent flag when there is no payload (sum) +normalizer.tcp_req_urg: cleared urgent pointer when urgent flag is not set (sum)

      • @@ -12983,7 +13022,7 @@ bool normalizer.icmp6 = false: clear reserved flag
      • -normalizer.tcp_req_urp: cleared the urgent flag if the urgent pointer is not set (sum) +normalizer.tcp_req_pay: cleared urgent pointer and urgent flag when there is no payload (sum)

      • @@ -12993,7 +13032,7 @@ bool normalizer.icmp6 = false: clear reserved flag
      • -normalizer.tcp_trim_syn: tcp segments trimmed on SYN (sum) +normalizer.tcp_req_urp: cleared the urgent flag if the urgent pointer is not set (sum)

      • @@ -13003,7 +13042,7 @@ bool normalizer.icmp6 = false: clear reserved flag
      • -normalizer.tcp_trim_rst: RST packets with data trimmed (sum) +normalizer.tcp_trim_syn: tcp segments trimmed on SYN (sum)

      • @@ -13013,7 +13052,7 @@ bool normalizer.icmp6 = false: clear reserved flag
      • -normalizer.tcp_trim_win: data trimmed to window (sum) +normalizer.tcp_trim_rst: RST packets with data trimmed (sum)

      • @@ -13023,7 +13062,7 @@ bool normalizer.icmp6 = false: clear reserved flag
      • -normalizer.tcp_trim_mss: data trimmed to MSS (sum) +normalizer.tcp_trim_win: data trimmed to window (sum)

      • @@ -13033,7 +13072,7 @@ bool normalizer.icmp6 = false: clear reserved flag
      • -normalizer.tcp_ecn_session: ECN bits cleared (sum) +normalizer.tcp_trim_mss: data trimmed to MSS (sum)

      • @@ -13043,7 +13082,7 @@ bool normalizer.icmp6 = false: clear reserved flag
      • -normalizer.tcp_ts_nop: timestamp options cleared (sum) +normalizer.tcp_ecn_session: ECN bits cleared (sum)

      • @@ -13053,7 +13092,7 @@ bool normalizer.icmp6 = false: clear reserved flag
      • -normalizer.tcp_ips_data: normalized segments (sum) +normalizer.tcp_ts_nop: timestamp options cleared (sum)

      • @@ -13063,7 +13102,7 @@ bool normalizer.icmp6 = false: clear reserved flag
      • -normalizer.tcp_block: blocked segments (sum) +normalizer.tcp_ips_data: normalized segments (sum)

      • @@ -13071,6 +13110,11 @@ bool normalizer.icmp6 = false: clear reserved flag normalizer.test_tcp_block: test blocked segments (sum)

      • +
      • +

        +normalizer.tcp_block: blocked segments (sum) +

        +
    @@ -13364,6 +13408,11 @@ string port_scan.ignore_scanned: list of CIDRs with optional po
  • +bool port_scan.alert_all = false: alert on all events over threshold within window if true; else alert on first only +

    +
  • +
  • +

    bool port_scan.include_midstream = false: list of CIDRs with optional ports

  • @@ -14878,7 +14927,7 @@ int stream.tcp_cache.pruning_timeout = 30: minimum inactive tim
  • -int stream.tcp_cache.idle_timeout = 180: maximum inactive time before retiring session tracker { 1: } +int stream.tcp_cache.idle_timeout = 3600: maximum inactive time before retiring session tracker { 1: }
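Review bot: `stream.tcp_cache.idle_timeout` moves from 180 to 3600 seconds, so idle session trackers are retained twenty times longer than before; that raises steady-state flow cache occupancy and leaves `pruning_timeout = 30` (visible in the hunk context) as the main bound on memory under bursts of short-lived connections. The ChangeLog justifies the change as matching the 2.X nominal timeout; the manual entry should also mention the previous default so operators who sized their caches against 180 know to re-check that sizing.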

  • @@ -15491,7 +15540,7 @@ int stream_tcp.overlap_limit = 0: maximum number of allowed ove
  • -int stream_tcp.max_pdu = 16384: maximum reassembled PDU size { 1460:65535 } +int stream_tcp.max_pdu = 16384: maximum reassembled PDU size { 1460:32768 }
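Review bot: the upper bound of `stream_tcp.max_pdu` drops from `{ 1460:65535 }` to `{ 1460:32768 }` with the default unchanged at 16384, so any existing configuration that sets a value above 32768 will now fail parameter validation at startup; that is a user-visible change, but the only related ChangeLog line is "http_inspect: use configured max_pdu as base target reassembly size". Add a ChangeLog entry for the narrowed range and say why 32768 is the new ceiling.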

  • @@ -15977,7 +16026,7 @@ bool telnet.normalize = false: eliminate escape sequences

    wizard

    What: inspector that implements port-independent protocol identification

    Type: inspector

    -

    Usage: global

    +

    Usage: inspect

    Configuration:

    • @@ -17989,7 +18038,7 @@ string so.~func: name of eval function
      • -string soid.~: SO rule ID has <gid>|<sid> format, like 3|12345 +string soid.~: SO rule ID is unique key, eg <gid>_<sid>_<rev> like 3_45678_9
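Review bot: `soid.~` changes from "SO rule ID has <gid>|<sid> format, like 3|12345" to "SO rule ID is unique key, eg <gid>_<sid>_<rev> like 3_45678_9", which is a format change for existing SO rule stubs written in the pipe form; the ChangeLog entries "soid: allow stub to contain any or all options" and "--rule-to-*: use whole soid arg as suffix to rule and len identifiers" do not say whether the old <gid>|<sid> form is still accepted. State that in the help text or the ChangeLog so users know whether stubs must be regenerated.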

      @@ -18310,7 +18359,7 @@ bool alert_csv.file = false: output to alert_csv.txt instead of
    • -multi alert_csv.fields = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan } +multi alert_csv.fields = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | seconds | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }

    • @@ -18396,7 +18445,7 @@ bool alert_json.file = false: output to alert_json.txt instead
    • -multi alert_json.fields = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan } +multi alert_json.fields = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | seconds | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }

    • @@ -19930,6 +19979,11 @@ options into a Snort++ configuration file

  • +--bind-wizard Add default wizard to bindings +

    +
  • +
  • +

    --conf-file Same as -c. A Snort <snort_conf> file which will be converted

    @@ -21552,7 +21606,7 @@ Write comments sparingly with a mind towards future proofing. Often the
  • -Heed Tim Ottinger’s Rule on Comments (https://disqus.com/by/tim_ottinger/): +Heed Tim Ottinger’s Rules on Comments (https://disqus.com/by/tim_ottinger/):

    1. @@ -22482,6 +22536,11 @@ these libraries see the Getting Started section of the manual.

  • +--parsing-follows-files parse relative paths from the perspective of the current configuration file +

    +
  • +
  • +

    --pause wait for resume/quit command before processing packets/terminating

  • @@ -22792,7 +22851,7 @@ int active.min_interval = 255: minimum number of seconds betwee
  • -multi alert_csv.fields = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan } +multi alert_csv.fields = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | seconds | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }

  • @@ -22842,7 +22901,7 @@ int alert_full.limit = 0: set maximum size in MB before rollove
  • -multi alert_json.fields = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan } +multi alert_json.fields = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | seconds | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }

  • @@ -23962,6 +24021,11 @@ string file_id.file_rules[].category: file type category
  • +string file_id.file_rules[].group: comma separated list of groups associated with file type +

    +
  • +
  • +

    int file_id.file_rules[].id = 0: file type id { 0: }

  • @@ -24037,6 +24101,11 @@ int file_id.type_depth = 1460: stop type ID at this point { 0:
  • +int file_id.verdict_delay = 0: number of queries to return final verdict { 0: } +

    +
  • +
  • +

    bool file_log.log_pkt_time = true: log the packet time when event generated

  • @@ -24852,6 +24921,21 @@ int imap.uu_decode_depth = 1460: Unix-to-Unix decoding depth {
  • +int inspection.id = 0: correlate policy and events with other items in configuration { 0:65535 } +

    +
  • +
  • +

    +enum inspection.mode = inline-test: set policy mode { inline | inline-test } +

    +
  • +
  • +

    +string inspection.uuid: correlate events by uuid +

    +
  • +
  • +

    select ipopts.~opt: output format { rr|eol|nop|ts|sec|esec|lsrr|lsrre|ssrr|satid|any }

  • @@ -24887,7 +24971,7 @@ string ips.rules: snort rules and includes
  • -string ips.uuid: IPS policy uuid +string ips.uuid = 00000000-0000-0000-0000-000000000000: IPS policy uuid

  • @@ -25437,6 +25521,11 @@ int pop.uu_decode_depth = 1460: Unix-to-Unix decoding depth {
  • +bool port_scan.alert_all = false: alert on all events over threshold within window if true; else alert on first only +

    +
  • +
  • +

    int port_scan.icmp_sweep.nets = 25: number of times address changed from prior attempt { 0: }

  • @@ -26717,6 +26806,11 @@ string snort.-?: <option prefix> output matching command
  • +implied snort.--parsing-follows-files: parse relative paths from the perspective of the current configuration file +

    +
  • +
  • +

    implied snort.--pause: wait for resume/quit command before processing packets/terminating

  • @@ -26997,7 +27091,7 @@ string so.~func: name of eval function
  • -string soid.~: SO rule ID has <gid>|<sid> format, like 3|12345 +string soid.~: SO rule ID is unique key, eg <gid>_<sid>_<rev> like 3_45678_9

  • @@ -27257,7 +27351,7 @@ interval stream_size.~range: check if the stream size is in the
  • -int stream.tcp_cache.idle_timeout = 180: maximum inactive time before retiring session tracker { 1: } +int stream.tcp_cache.idle_timeout = 3600: maximum inactive time before retiring session tracker { 1: }

  • @@ -27282,7 +27376,7 @@ bool stream_tcp.ignore_any_rules = false: process tcp content r
  • -int stream_tcp.max_pdu = 16384: maximum reassembled PDU size { 1460:65535 } +int stream_tcp.max_pdu = 16384: maximum reassembled PDU size { 1460:32768 }

  • @@ -31487,6 +31581,11 @@ interval wscale.~range: check if TCP window scale is in given r
  • +116:475 (ipv6) IPv6 mobility header includes an invalid value for the payload protocol field +

    +
  • +
  • +

    119:1 (http_inspect) ascii encoding

  • @@ -33993,6 +34092,11 @@ deleted -> unified2: 'filename'
  • +inspection (basic): configure basic inspection policy parameters +

    +
  • +
  • +

    ip_proto (ips_option): rule option to check the IP protocol number

  • @@ -34523,6 +34627,11 @@ deleted -> unified2: 'filename'
  • +codec::bad_proto: bad protocol id +

    +
  • +
  • +

    codec::ciscometadata: support for cisco metadata

  • @@ -34668,11 +34777,6 @@ deleted -> unified2: 'filename'
  • -codec::pim: support for protocol independent multicast -

    -
  • -
  • -

    codec::ppp: support for point-to-point encapsulation (DLT 9)

  • @@ -34708,16 +34812,6 @@ deleted -> unified2: 'filename'
  • -codec::sun_nd: support for Sun ND -

    -
  • -
  • -

    -codec::swipe: support for Swipe -

    -
  • -
  • -

    codec::tcp: support for transmission control protocol

  • @@ -36449,7 +36543,7 @@ Note that on OpenBSD, divert sockets don’t work with bridges!

    diff --git a/doc/snort_manual.pdf b/doc/snort_manual.pdf index f424366fb..fbc30d57c 100644 Binary files a/doc/snort_manual.pdf and b/doc/snort_manual.pdf differ diff --git a/doc/snort_manual.text b/doc/snort_manual.text index b04fac5fb..cae9c2574 100644 --- a/doc/snort_manual.text +++ b/doc/snort_manual.text @@ -82,21 +82,22 @@ Table of Contents 6.11. host_cache 6.12. host_tracker 6.13. hosts - 6.14. ips - 6.15. latency - 6.16. memory - 6.17. network - 6.18. output - 6.19. packets - 6.20. process - 6.21. profiler - 6.22. rate_filter - 6.23. references - 6.24. rule_state - 6.25. search_engine - 6.26. side_channel - 6.27. snort - 6.28. suppress + 6.14. inspection + 6.15. ips + 6.16. latency + 6.17. memory + 6.18. network + 6.19. output + 6.20. packets + 6.21. process + 6.22. profiler + 6.23. rate_filter + 6.24. references + 6.25. rule_state + 6.26. search_engine + 6.27. side_channel + 6.28. snort + 6.29. suppress 7. Codec Modules @@ -371,7 +372,7 @@ Table of Contents Snorty ,,_ -*> Snort++ <*- -o" )~ Version 3.0.0 (Build 239) from 2.9.8-383 +o" )~ Version 3.0.0 (Build 240) from 2.9.8-383 '''' By Martin Roesch & The Snort Team http://snort.org/contact#team Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved. @@ -5144,7 +5145,26 @@ Configuration: * port hosts[].services[].port: port number -6.14. ips +6.14. inspection + +-------------- + +What: configure basic inspection policy parameters + +Type: basic + +Usage: inspect + +Configuration: + + * int inspection.id = 0: correlate policy and events with other + items in configuration { 0:65535 } + * string inspection.uuid: correlate events by uuid + * enum inspection.mode = inline-test: set policy mode { inline | + inline-test } + + +6.15. ips -------------- 
@@ -5163,7 +5183,8 @@ Configuration: * string ips.include: legacy snort rules and includes * enum ips.mode: set policy mode { tap | inline | inline-test } * string ips.rules: snort rules and includes - * string ips.uuid: IPS policy uuid + * string ips.uuid = 00000000-0000-0000-0000-000000000000: IPS + policy uuid Peg counts: @@ -5171,7 +5192,7 @@ Peg counts: provided (sum) -6.15. latency +6.16. latency -------------- @@ -5217,7 +5238,7 @@ Peg counts: * latency.rule_tree_enables: rule tree re-enables (sum) -6.16. memory +6.17. memory -------------- @@ -5237,7 +5258,7 @@ Configuration: preemptive cleanup actions (percent, 0 to disable) { 0: } -6.17. network +6.18. network -------------- @@ -5272,7 +5293,7 @@ Configuration: unlimited) { 0:255 } -6.18. output +6.19. output -------------- @@ -5310,7 +5331,7 @@ Configuration: state that determined packet verdict -6.19. packets +6.20. packets -------------- @@ -5334,7 +5355,7 @@ Configuration: is used to track fragments and connections -6.20. process +6.21. process -------------- @@ -5360,7 +5381,7 @@ Configuration: timestamps -6.21. profiler +6.22. profiler -------------- @@ -5395,7 +5416,7 @@ Configuration: avg_match | avg_no_match } -6.22. rate_filter +6.23. rate_filter -------------- @@ -5421,7 +5442,7 @@ Configuration: according to track -6.23. references +6.24. references -------------- @@ -5437,7 +5458,7 @@ Configuration: * string references[].url: where this reference is defined -6.24. rule_state +6.25. rule_state -------------- @@ -5455,7 +5476,7 @@ Configuration: policies -6.25. search_engine +6.26. search_engine -------------- @@ -5513,7 +5534,7 @@ Peg counts: * search_engine.searched_bytes: total bytes searched (sum) -6.26. side_channel +6.27. side_channel -------------- @@ -5535,7 +5556,7 @@ Peg counts: * side_channel.packets: total packets (sum) -6.27. snort +6.28. snort -------------- 
@@ -5674,6 +5695,8 @@ Configuration: * implied snort.--nolock-pidfile: do not try to lock Snort PID file * implied snort.--pause: wait for resume/quit command before processing packets/terminating + * implied snort.--parsing-follows-files: parse relative paths from + the perspective of the current configuration file * string snort.--pcap-file: file that contains a list of pcaps to read - read mode is implied * string snort.--pcap-list: a space separated list of pcaps @@ -5774,7 +5797,7 @@ Peg counts: * snort.attribute_table_hosts: total number of hosts in table (sum) -6.28. suppress +6.29. suppress -------------- @@ -6172,6 +6195,8 @@ Rules: * 116:458 (ipv6) bogus fragmentation packet, possible BSD attack * 116:461 (ipv6) IPv6 routing type 0 extension header * 116:456 (ipv6) too many IPv6 extension headers + * 116:475 (ipv6) IPv6 mobility header includes an invalid value for + the payload protocol field 7.17. llc @@ -7114,6 +7139,8 @@ Configuration: * string file_id.file_rules[].type: file type name * int file_id.file_rules[].id = 0: file type id { 0: } * string file_id.file_rules[].category: file type category + * string file_id.file_rules[].group: comma separated list of groups + associated with file type * string file_id.file_rules[].version: file type version * string file_id.file_rules[].magic[].content: file magic content * int file_id.file_rules[].magic[].offset = 0: file magic offset { @@ -7134,6 +7161,8 @@ Configuration: signature info * bool file_id.trace_stream = false: enable runtime dump of file data + * int file_id.verdict_delay = 0: number of queries to return final + verdict { 0: } Peg counts: 
@@ -7675,84 +7704,84 @@ Configuration: Peg counts: - * normalizer.ip4_trim: eth packets trimmed to datagram size (sum) * normalizer.test_ip4_trim: test eth packets trimmed to datagram size (sum) - * normalizer.ip4_tos: type of service normalizations (sum) + * normalizer.ip4_trim: eth packets trimmed to datagram size (sum) * normalizer.test_ip4_tos: test type of service normalizations (sum) - * normalizer.ip4_df: don’t frag bit normalizations (sum) + * normalizer.ip4_tos: type of service normalizations (sum) * normalizer.test_ip4_df: test don’t frag bit normalizations (sum) - * normalizer.ip4_rf: reserved flag bit clears (sum) + * normalizer.ip4_df: don’t frag bit normalizations (sum) * normalizer.test_ip4_rf: test reserved flag bit clears (sum) - * normalizer.ip4_ttl: time-to-live normalizations (sum) + * normalizer.ip4_rf: reserved flag bit clears (sum) * normalizer.test_ip4_ttl: test time-to-live normalizations (sum) - * normalizer.ip4_opts: ip4 options cleared (sum) + * normalizer.ip4_ttl: time-to-live normalizations (sum) * normalizer.test_ip4_opts: test ip4 options cleared (sum) - * normalizer.icmp4_echo: icmp4 ping normalizations (sum) + * normalizer.ip4_opts: ip4 options cleared (sum) * normalizer.test_icmp4_echo: test icmp4 ping normalizations (sum) - * normalizer.ip6_hops: ip6 hop limit normalizations (sum) + * normalizer.icmp4_echo: icmp4 ping normalizations (sum) * normalizer.test_ip6_hops: test ip6 hop limit normalizations (sum) - * normalizer.ip6_options: ip6 options cleared (sum) + * normalizer.ip6_hops: ip6 hop limit normalizations (sum) * normalizer.test_ip6_options: test ip6 options cleared (sum) - * normalizer.icmp6_echo: icmp6 echo normalizations (sum) + * normalizer.ip6_options: ip6 options cleared (sum) * normalizer.test_icmp6_echo: test icmp6 echo normalizations (sum) - * normalizer.tcp_syn_options: SYN only options cleared from non-SYN - packets (sum) + * normalizer.icmp6_echo: icmp6 echo normalizations (sum) * 
normalizer.test_tcp_syn_options: test SYN only options cleared from non-SYN packets (sum) - * normalizer.tcp_options: packets with options cleared (sum) + * normalizer.tcp_syn_options: SYN only options cleared from non-SYN + packets (sum) * normalizer.test_tcp_options: test packets with options cleared (sum) - * normalizer.tcp_padding: packets with padding cleared (sum) + * normalizer.tcp_options: packets with options cleared (sum) * normalizer.test_tcp_padding: test packets with padding cleared (sum) - * normalizer.tcp_reserved: packets with reserved bits cleared (sum) + * normalizer.tcp_padding: packets with padding cleared (sum) * normalizer.test_tcp_reserved: test packets with reserved bits cleared (sum) - * normalizer.tcp_nonce: packets with nonce bit cleared (sum) + * normalizer.tcp_reserved: packets with reserved bits cleared (sum) * normalizer.test_tcp_nonce: test packets with nonce bit cleared (sum) - * normalizer.tcp_urgent_ptr: packets without data with urgent - pointer cleared (sum) + * normalizer.tcp_nonce: packets with nonce bit cleared (sum) * normalizer.test_tcp_urgent_ptr: test packets without data with urgent pointer cleared (sum) - * normalizer.tcp_ecn_pkt: packets with ECN bits cleared (sum) + * normalizer.tcp_urgent_ptr: packets without data with urgent + pointer cleared (sum) * normalizer.test_tcp_ecn_pkt: test packets with ECN bits cleared (sum) - * normalizer.tcp_ts_ecr: timestamp cleared on non-ACKs (sum) + * normalizer.tcp_ecn_pkt: packets with ECN bits cleared (sum) * normalizer.test_tcp_ts_ecr: test timestamp cleared on non-ACKs (sum) - * normalizer.tcp_req_urg: cleared urgent pointer when urgent flag - is not set (sum) + * normalizer.tcp_ts_ecr: timestamp cleared on non-ACKs (sum) * normalizer.test_tcp_req_urg: test cleared urgent pointer when urgent flag is not set (sum) - * normalizer.tcp_req_pay: cleared urgent pointer and urgent flag - when there is no payload (sum) + * normalizer.tcp_req_urg: cleared urgent pointer when urgent flag 
+ is not set (sum) * normalizer.test_tcp_req_pay: test cleared urgent pointer and urgent flag when there is no payload (sum) - * normalizer.tcp_req_urp: cleared the urgent flag if the urgent - pointer is not set (sum) + * normalizer.tcp_req_pay: cleared urgent pointer and urgent flag + when there is no payload (sum) * normalizer.test_tcp_req_urp: test cleared the urgent flag if the urgent pointer is not set (sum) - * normalizer.tcp_trim_syn: tcp segments trimmed on SYN (sum) + * normalizer.tcp_req_urp: cleared the urgent flag if the urgent + pointer is not set (sum) * normalizer.test_tcp_trim_syn: test tcp segments trimmed on SYN (sum) - * normalizer.tcp_trim_rst: RST packets with data trimmed (sum) + * normalizer.tcp_trim_syn: tcp segments trimmed on SYN (sum) * normalizer.test_tcp_trim_rst: test RST packets with data trimmed (sum) - * normalizer.tcp_trim_win: data trimmed to window (sum) + * normalizer.tcp_trim_rst: RST packets with data trimmed (sum) * normalizer.test_tcp_trim_win: test data trimmed to window (sum) - * normalizer.tcp_trim_mss: data trimmed to MSS (sum) + * normalizer.tcp_trim_win: data trimmed to window (sum) * normalizer.test_tcp_trim_mss: test data trimmed to MSS (sum) - * normalizer.tcp_ecn_session: ECN bits cleared (sum) + * normalizer.tcp_trim_mss: data trimmed to MSS (sum) * normalizer.test_tcp_ecn_session: test ECN bits cleared (sum) - * normalizer.tcp_ts_nop: timestamp options cleared (sum) + * normalizer.tcp_ecn_session: ECN bits cleared (sum) * normalizer.test_tcp_ts_nop: test timestamp options cleared (sum) - * normalizer.tcp_ips_data: normalized segments (sum) + * normalizer.tcp_ts_nop: timestamp options cleared (sum) * normalizer.test_tcp_ips_data: test normalized segments (sum) - * normalizer.tcp_block: blocked segments (sum) + * normalizer.tcp_ips_data: normalized segments (sum) * normalizer.test_tcp_block: test blocked segments (sum) + * normalizer.tcp_block: blocked segments (sum) 9.24. packet_capture 
@@ -7896,6 +7925,8 @@ Configuration: ports to ignore if the source of scan alerts * string port_scan.ignore_scanned: list of CIDRs with optional ports to ignore if the destination of scan alerts + * bool port_scan.alert_all = false: alert on all events over + threshold within window if true; else alert on first only * bool port_scan.include_midstream = false: list of CIDRs with optional ports * int port_scan.tcp_ports.scans = 100: scan attempts { 0: } @@ -8434,7 +8465,7 @@ Configuration: sessions tracked before pruning { 2: } * int stream.tcp_cache.pruning_timeout = 30: minimum inactive time before being eligible for pruning { 1: } - * int stream.tcp_cache.idle_timeout = 180: maximum inactive time + * int stream.tcp_cache.idle_timeout = 3600: maximum inactive time before retiring session tracker { 1: } * int stream.udp_cache.max_sessions = 131072: maximum simultaneous sessions tracked before pruning { 2: } @@ -8661,7 +8692,7 @@ Configuration: * int stream_tcp.overlap_limit = 0: maximum number of allowed overlapping segments per session { 0:255 } * int stream_tcp.max_pdu = 16384: maximum reassembled PDU size { - 1460:65535 } + 1460:32768 } * enum stream_tcp.policy = bsd: determines operating system characteristics like reassembly { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | @@ -8853,7 +8884,7 @@ identification Type: inspector -Usage: global +Usage: inspect Configuration: @@ -10519,7 +10550,8 @@ Usage: detect Configuration: - * string soid.~: SO rule ID has | format, like 3|12345 + * string soid.~: SO rule ID is unique key, eg __ + like 3_45678_9 11.89. ssl_state 
@@ -10783,9 +10815,10 @@ Configuration: dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num - | priority | proto | rev | rule | service | sid | src_addr | - src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | - tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan } + | priority | proto | rev | rule | seconds | service | sid | + src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | + tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | + vlan } * int alert_csv.limit = 0: set maximum size in MB before rollover (0 is unlimited) { 0: } * string alert_csv.separator = , : separate fields with this @@ -10865,9 +10898,10 @@ Configuration: dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num - | priority | proto | rev | rule | service | sid | src_addr | - src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | - tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan } + | priority | proto | rev | rule | seconds | service | sid | + src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | + tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | + vlan } * int alert_json.limit = 0: set maximum size in MB before rollover (0 is unlimited) { 0: } * string alert_json.separator = , : separate fields with this @@ -11737,6 +11771,7 @@ Converts the Snort configuration file specified by the -c or information, excluding rules, to . Meaningless if -i provided * -V Print the current Snort2Lua version + * --bind-wizard Add default wizard to bindings * --conf-file Same as -c. A Snort file which will be converted * --dont-parse-includes Same as -p. if file contains 
@@ -12604,7 +12639,7 @@ with. * Write comments sparingly with a mind towards future proofing. Often the comments can be obviated with better code. Clear code is better than a comment. - * Heed Tim Ottinger’s Rule on Comments (https://disqus.com/by/ + * Heed Tim Ottinger’s Rules on Comments (https://disqus.com/by/ tim_ottinger/): 1. Comments should only say what the code is incapable of @@ -13043,6 +13078,8 @@ these libraries see the Getting Started section of the manual. * -O obfuscate the logged IP addresses * -?
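Review bot: in the file_id hunk (@@ -7134,6 +7161,8 @@) the new `file_id.verdict_delay = 0: number of queries to return final verdict { 0: }` is ambiguous as written; it is not clear whether the value is the number of file queries that receive a pending verdict before the final one is returned, or something else, and a reader cannot tell from "number of queries to return final verdict". Please reword the help string to say what is delayed and what callers get in the meantime (e.g. "number of verdict queries answered with a pending verdict before the final verdict is returned"), and likewise note for `file_id.file_rules[].group` (@@ -7114,6 +7139,8 @@) whether the comma separated list allows whitespace, since both strings feed the generated manual verbatim.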
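Review bot: the normalizer peg-count hunk (@@ -7675,84 +7704,84 @@) removes every `normalizer.<x>` line and re-adds it after its `normalizer.test_<x>` counterpart, so the net effect is a one-position shift of the whole list (ending with `normalizer.tcp_block` moved to the end) rather than any change in the pegs themselves. If this manual section is generated from the module's peg array, please confirm the array order really changed in code and that the counters are still reported under the right names; if only the generator ordering changed, a ChangeLog line saying so would save readers from diffing 84 swapped lines to discover nothing is new.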
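Review bot: the stream hunk (@@ -8434,7 +8465,7 @@) raises the default `stream.tcp_cache.idle_timeout` from 180 to 3600 seconds, which keeps idle TCP trackers twenty times longer and will push busy sensors toward `stream.tcp_cache.max_sessions` and `pruning_timeout` sooner; that is a behavioral default change, not a documentation fix, and should be called out in the ChangeLog with the reason for the new value. The same applies to the `stream_tcp.max_pdu` hunk (@@ -8661,7 +8692,7 @@), which lowers the upper bound from 65535 to 32768 while the default stays 16384: existing configurations that set a value above 32768 will presumably now fail range validation, so the compatibility impact and the motivating limit deserve a sentence.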
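Review bot: the hunk at @@ -8853,7 +8884,7 @@ changes an inspector's `Usage:` from `global` to `inspect`, which changes where in the policy the module may be configured, but the only context shown is the word "identification", so the affected module is not identifiable from the diff; please name it in the commit message or ChangeLog, since anyone who has it in the global policy will need to move it.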
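Review bot: the `soid.~` hunk (@@ -10519,7 +10550,8 @@) now reads "SO rule ID is unique key, eg __ like 3_45678_9", and the template between "eg" and "like" is empty; this looks like angle-bracketed placeholders that the doc toolchain or HTML rendering swallowed as tags. Please spell the key format out in plain words or escape the brackets so the rendered manual shows the three fields that `3_45678_9` illustrates, otherwise the replacement is less informative than the old "has | format, like 3|12345".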
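Review bot: the alert_csv (@@ -10783,9 +10815,10 @@) and alert_json (@@ -10865,9 +10898,10 @@) field lists both gain `seconds` next to the existing `timestamp`, but nothing in the hunks says how the two differ (epoch seconds versus a formatted time?); a short clause in the field description would stop users from treating them as duplicates, and it would be worth confirming the two loggers emit `seconds` in the same representation since the ChangeLog says alert_csv was fixed to match alert_json.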
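Review bot: the Snort2Lua hunk (@@ -11737,6 +11771,7 @@) adds `--bind-wizard Add default wizard to bindings` without saying what gets bound or why a user would want it; the help text should state that the option appends a default wizard binding to the converted binder table (if that is what it does) and what happens when it is omitted, so that the new flag is usable from the usage screen alone.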