The Snort Team
Revision History
-Revision 3.7.3.0 2025-04-20 11:40:57 EDT TST
+Revision 3.7.4.0 2025-05-08 07:20:33 EDT TST
---------------------------------------------------------------------
2.18. js_norm
2.19. latency
2.20. memory
- 2.21. network
- 2.22. output
- 2.23. packet_tracer
- 2.24. packets
- 2.25. payload_injector
- 2.26. process
- 2.27. profiler
- 2.28. rate_filter
- 2.29. references
- 2.30. search_engine
- 2.31. side_channel
- 2.32. snort
- 2.33. suppress
- 2.34. trace
+ 2.21. mp_data_bus
+ 2.22. network
+ 2.23. output
+ 2.24. packet_tracer
+ 2.25. packets
+ 2.26. payload_injector
+ 2.27. process
+ 2.28. profiler
+ 2.29. rate_filter
+ 2.30. references
+ 2.31. search_engine
+ 2.32. side_channel
+ 2.33. snort
+ 2.34. suppress
+ 2.35. trace
3. Codec Modules
* memory.retained: total bytes not returned to OS (now)
-2.21. network
+2.21. mp_data_bus
+
+--------------
+
+Help: configure multiprocess data bus
+
+Type: basic
+
+Usage: global
+
+Configuration:
+
+ * int mp_data_bus.max_eventq_size = 1000: maximum events to queue {
+ 100:65535 }
+ * string mp_data_bus.transport: transport to use for inter-process
+ communication
+ * bool mp_data_bus.debug = false: enable debugging
+
+Commands:
+
+ * mp_data_bus.enable(): enable multiprocess data bus debugging
+ * mp_data_bus.disable(): disable multiprocess data bus debugging
+ * mp_data_bus.dump_stats(): dump multiprocess data bus statistics
+ * mp_data_bus.dump_events(): dump multiprocess data bus events
+ * mp_data_bus.show_channel_status(): show multiprocess data bus
+ channel status
+
+Peg counts:
+
+ * mp_data_bus.total_messages_sent: total messages sent (sum)
+ * mp_data_bus.total_messages_received: total messages received
+ (sum)
+ * mp_data_bus.total_messages_dropped: total messages dropped (sum)
+ * mp_data_bus.total_messages_published: total messages published
+ (sum)
+ * mp_data_bus.total_messages_delivered: total messages delivered
+ (sum)
+
+
+2.22. network
--------------
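Review bot: `string mp_data_bus.transport: transport to use for inter-process communication` gives neither a default nor the set of accepted values, although this same change registers only one transport, `unix_transport (mp_transport)`; state the accepted value(s) and whether the option is mandatory once the bus is configured. The command descriptions `mp_data_bus.enable(): enable multiprocess data bus debugging` and `mp_data_bus.disable(): disable multiprocess data bus debugging` also read as runtime duplicates of the `bool mp_data_bus.debug = false` option; say which setting wins and whether the commands only toggle debugging or the bus itself.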
the user policy id
-2.22. output
+2.23. output
--------------
* 2:1 (output) tagged packet
-2.23. packet_tracer
+2.24. packet_tracer
--------------
* packet_tracer.disable(): disable packet tracer
-2.24. packets
+2.25. packets
--------------
are used to track fragments and connections
-2.25. payload_injector
+2.26. payload_injector
--------------
inject mid-frame (sum)
-2.26. process
+2.27. process
--------------
preferred|bind|local memory policy for NUMA
-2.27. profiler
+2.28. profiler
--------------
* profiler.module_status(): show module time profiler status
-2.28. rate_filter
+2.29. rate_filter
--------------
memory (sum)
-2.29. references
+2.30. references
--------------
* string references[].url: where this reference is defined
-2.30. search_engine
+2.31. search_engine
--------------
* search_engine.qualified_events: total qualified events (sum)
-2.31. side_channel
+2.32. side_channel
--------------
* side_channel.packets: total packets (sum)
-2.32. snort
+2.33. snort
--------------
failed due to attribute table full (sum)
-2.33. suppress
+2.34. suppress
--------------
according to track
-2.34. trace
+2.35. trace
--------------
* enum extractor.default_filter = pick: default action for protocol
with no filter provided { pick | skip }
* enum extractor.protocols[].service: service to extract from {
- http | ftp | conn | dns }
+ http | ftp | conn | dns | weird | notice }
* int extractor.protocols[].tenant_id = 0: tenant_id of target
tenant { 0:max32 }
* string extractor.protocols[].on_events: specify events to log
* string extractor.protocols[].fields: specify fields to log
* string extractor.protocols[].on_events: specify events to log
* enum extractor.protocols[].service: service to extract from {
- http | ftp | conn | dns }
+ http | ftp | conn | dns | weird | notice }
* int extractor.protocols[].tenant_id = 0: tenant_id of target
tenant { 0:max32 }
* enum extractor.time = unix: output format for timestamp values {
* string mms_func.~: func to match
* string modbus_func.~: function code to match
* int modbus_unit.~: Modbus unit ID { 0:255 }
+ * bool mp_data_bus.debug = false: enable debugging
+ * int mp_data_bus.max_eventq_size = 1000: maximum events to queue {
+ 100:65535 }
+ * string mp_data_bus.transport: transport to use for inter-process
+ communication
* int mpls.max_stack_depth = -1: set maximum MPLS stack depth {
-1:255 }
* enum mpls.payload_type = auto: force encapsulated payload type {
seconds { 1:50 }
* enum unixdomain_connector[].setup: stream establishment { call |
answer }
+ * int unix_transport.connect_timeout_seconds = 30: connect timeout
+ in seconds
+ * int unix_transport.consume_message_batch_size = 5: consume
+ message batch size
+ * int unix_transport.consume_message_timeout_milliseconds = 100:
+ consume message timeout in milliseconds
+ * bool unix_transport.enable_logging = false: enable logging
+ * int unix_transport.max_connect_retries = 5: max connection
+ retries
+ * int unix_transport.retry_interval_seconds = 30: retry interval in
+ seconds
+ * string unix_transport.unix_domain_socket_path = /tmp/
+ snort_unix_connectors: unix socket folder
* interval urg.~range: check if tcp urgent offset is in given range
{ 0:65535 }
* int_list vlan.extra_tpid_ether_types = 0x9100 0x9200: set
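Review bot: the default `unix_transport.unix_domain_socket_path = /tmp/snort_unix_connectors` puts the inter-process socket folder under world-writable `/tmp`, where another local user could pre-create or replace the path and disturb the channel; document the expected owner and permissions of the folder (or recommend a dedicated runtime directory), and say whether Snort creates it or expects it to exist. The timeout and retry options (`connect_timeout_seconds`, `consume_message_timeout_milliseconds`, `max_connect_retries`, `retry_interval_seconds`, `consume_message_batch_size`) show no `{ min:max }` range, unlike the other integer options in this list such as `mp_data_bus.max_eventq_size = 1000: maximum events to queue { 100:65535 }`; add the accepted ranges.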
* modbus.max_concurrent_sessions: maximum concurrent modbus
sessions (max)
* modbus.sessions: total sessions processed (sum)
+ * mp_data_bus.total_messages_delivered: total messages delivered
+ (sum)
+ * mp_data_bus.total_messages_dropped: total messages dropped (sum)
+ * mp_data_bus.total_messages_published: total messages published
+ (sum)
+ * mp_data_bus.total_messages_received: total messages received
+ (sum)
+ * mp_data_bus.total_messages_sent: total messages sent (sum)
* netflow.cache_adds: netflow cache added new entry (sum)
* netflow.cache_hits: netflow cache found existing entry (sum)
* netflow.cache_max: netflow cache’s maximum byte usage (max)
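Review bot: `mp_data_bus.total_messages_dropped: total messages dropped (sum)` needs a sentence on when a message counts as dropped (for example when the event queue bounded by `max_eventq_size` is full, or when the transport is down), since that is the counter an operator will alert on; the relationship between `total_messages_published`, `total_messages_sent` and `total_messages_delivered` should likewise be spelled out so that a reader can tell which difference indicates loss.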
* udp.bad_udp6_checksum: nonzero udp over ipv6 checksums (sum)
* udp.checksum_bypassed: checksum calculations bypassed (sum)
* unixdomain_connector.messages: total messages (sum)
+ * unix_transport.closed_connections: closed mp_transport
+ connections count (sum)
+ * unix_transport.connection_retries: mp_transport connection
+ retries count (sum)
+ * unix_transport.receive_bytes: mp_transport events bytes received
+ count (sum)
+ * unix_transport.receive_events: mp_transport events received count
+ (sum)
+ * unix_transport.sent_bytes: mp_transport events bytes sent count
+ (sum)
+ * unix_transport.sent_errors: mp_transport events errors count
+ (sum)
+ * unix_transport.sent_events: mp_transport events sent count (sum)
+ * unix_transport.successful_connections: successful mp_transport
+ connections count (sum)
* wizard.tcp_hits: tcp identifications (sum)
* wizard.tcp_misses: tcp searches abandoned (sum)
* wizard.tcp_scans: tcp payload scans (sum)
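Review bot: `unix_transport.sent_errors: mp_transport events errors count (sum)` drops the "send" qualifier from its description and is the only error peg in the group, with no receive-side counterpart; reword it as "mp_transport events send errors count" and, if receive failures are possible, add a matching `receive_errors` peg so that lost inter-process events are visible in the stats. `closed_connections` and `successful_connections` would also benefit from a note on whether they count both accepted and initiated connections.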
* host_cache.get_stats(): get current host cache usage and pegs
* host_cache.get_segment_stats(segment): get usage and pegs for
cache segment(s)
+ * mp_data_bus.enable(): enable multiprocess data bus debugging
+ * mp_data_bus.disable(): disable multiprocess data bus debugging
+ * mp_data_bus.dump_stats(): dump multiprocess data bus statistics
+ * mp_data_bus.dump_events(): dump multiprocess data bus events
+ * mp_data_bus.show_channel_status(): show multiprocess data bus
+ channel status
* network.set_policy(id): set the network policy for commands given
the user policy id
* packet_capture.enable(filter, group, tenants, check_inner_pkt,
* modbus_func (ips_option): rule option to check modbus function
code
* modbus_unit (ips_option): rule option to check Modbus unit ID
+ * mp_data_bus (basic): configure multiprocess data bus
* mpls (codec): support for multiprotocol label switching
* msg (ips_option): rule option summarizing rule purpose output
with events
* udp (codec): support for user datagram protocol
* unified2 (logger): output event and packet in unified2 format
file
+ * unix_transport (mp_transport): manage the unix transport layer
* unixdomain_connector (connector): implement the unix domain
stream connector
* urg (ips_option): detection for TCP urgent pointer
* logger::log_null: disable logging of packets
* logger::log_pcap: log packet in pcap format
* logger::unified2: output event and packet in unified2 format file
+ * mp_transport::unix_transport: manage the unix transport layer
* policy_selector::address_space_selector: configure traffic
processing based on address space
* policy_selector::tenant_selector: configure traffic processing
The Snort Team
Revision History
-Revision 3.7.3.0 2025-04-20 11:41:15 EDT TST
+Revision 3.7.4.0 2025-05-08 07:20:47 EDT TST
---------------------------------------------------------------------
--------------
-Snort 3 can log IPS events with some meta data and dump packets. The
-Data Logging feature extends that ability to log protocol-specific
-data, sniffing traffic alongside with normal inspection.
+Snort 3 can log IPS events with some meta data and dump packets.
+Advanced Logging feature extends that ability to log
+protocol-specific data, sniffing traffic alongside with normal
+inspection.
5.18.1. Configurations
will be ignored)
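Review bot: the new opening sentence "Advanced Logging feature extends that ability to log protocol-specific data, sniffing traffic alongside with normal inspection." drops the article and keeps the ungrammatical "alongside with"; suggest "The Advanced Logging feature extends that ability to log protocol-specific data, sniffing traffic alongside normal inspection." Since the feature is renamed from "Data Logging" to "Advanced Logging" here while the configuration block is still called `extractor`, a sentence tying the two names together would help readers searching the manual.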
Configuration from different bindings do not interfere. Among other
-things it allows tenants to get independent data logging
-configurations.
+things it allows tenants to get independent logging configurations.
extractor =
{
{ service = 'http', on_events = 'eot', fields = 'ts, uri' },
{ service = 'conn', on_events = 'eof', fields = 'ts, uid, service' },
{ service = 'dns', on_events = 'response', fields = 'ts, uid, query, answers' }
+ { service = 'weird', on_events = 'builtin', fields = 'ts, msg, gid, sid' }
+ { service = 'notice', on_events = 'ips_logging', fields = 'msg, sid, refs' }
}
}
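Review bot: the added entries break the Lua table: the existing `dns` line before them has no trailing comma and the two new lines are not separated either, so `{ service = 'dns', ... } { service = 'weird', ... } { service = 'notice', ... }` is a syntax error when Snort loads the configuration. Add the separators, e.g.
{ service = 'dns', on_events = 'response', fields = 'ts, uid, query, answers' },
{ service = 'weird', on_events = 'builtin', fields = 'ts, msg, gid, sid' },
{ service = 'notice', on_events = 'ips_logging', fields = 'msg, sid, refs' }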
* connection (conn)
+ eof (end of flow)
+ * internal built-in checks which failed (weird)
+
+ + builtin (internally-detected infraction is queued for further
+ processing)
+ * triggered IPS rule, whether built-in or text or SO (notice)
+
+ + ips_logging (matched rules sent to IPS logging)
Common fields available for every service:
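Review bot: "internal built-in checks which failed (weird)" and "triggered IPS rule, whether built-in or text or SO (notice)" are hard to read as service descriptions; suggest "weird: events raised by built-in decoder and inspector checks" and "notice: any IPS rule that fires (built-in, text or SO)". The `builtin` event is described as "internally-detected infraction is queued for further processing", but it is not stated whether events later removed by suppression or thresholding are still logged at that point; say where in the pipeline this hook sits relative to `ips_logging`, since that determines whether the two logs can be reconciled.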
* auth - The list of authoritative responses
* addl - The list of additional responses
-In the answers, auth, and addl lists the decoding of the following RR
-types is supported: A, AAAA, CNAME, DS, MX, NS, NSEC, PTR, RRSIG,
-SOA, TXT
+The answers, auth, and addl lists contain all the RRs found in the
+corresponding message sections. Each RR is represented by a summary
+of its decoding. For these RR types the decoding contains type
+specific information (ip addresses, domain names, etc.): A, AAAA,
+BIND9 signing, CNAME, DNSKEY, DS, LOC, MX, NS, NSEC, OPT, PTR, RRSIG,
+SOA, SPF, SRV, SSHFP, TXT. For these RR types: CAA, HINFO, HTTPS,
+NSEC3, NSEC3PARAM, SVCB, TKEY, TSIG, the decoding contains only the
+name of the RR type. This is also the default decoding applied to all
+RR types that don’t have a type specific decoder. When the name of
+the type is not known it is decoded as UNKNOWN-N, where N is RR type
+numeric value.
Fields supported for connection:
* duration - connection duration in seconds
* proto - transport layer protocol of the connection
* service - connection’s application protocol
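Review bot: the list of type-specific decoders contains "BIND9 signing", which is not an RR type mnemonic like the other entries (A, AAAA, CNAME, DNSKEY, ...); replace it with the actual type name that is decoded or drop it. The fallback "UNKNOWN-N, where N is RR type numeric value" should say whether N is decimal, and the sentence "This is also the default decoding applied to all RR types that don’t have a type specific decoder." would be clearer placed directly after the first list rather than after the second one it seems to qualify.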
- * orig_pkts - number of packets originator sent
- * resp_pkts - number of packets responder sent
+ * orig_pkts - number of packets client sent
+ * resp_pkts - number of packets server sent
+ * orig_bytes - tcp/udp payload bytes client sent
+ * resp_bytes - tcp/udp payload bytes server sent
+
+For TCP orig_bytes and resp_bytes are calculated using first seen
+sequence number and next expected sequence number. These are reset
+during TCP flow restart. For this case only bytes seen following the
+restart will be reported.
+
+Fields supported for weird and notice logs:
+
+ * sid - unique signature number of the rule
+ * gid - component ID which generated the event
+ * msg - rule message
+ * proto - transport protocol
+ * source - assigned inspector
+
+notice events for text rules also get the following fields:
+
+ * action - action of triggered event
+ * refs - references mentioned in a rule
+ * rev - particular revision number of the rule
5.18.3. Example
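Review bot: the paragraph on TCP `orig_bytes` and `resp_bytes` should spell out what deriving the counts from sequence numbers implies: bytes in segments Snort never saw (gaps) are counted while retransmitted bytes are not, so the values can differ from a sum of observed payload lengths and from what `orig_pkts`/`resp_pkts` suggest; it should also say how the UDP values are computed, since only TCP is described. "notice events for text rules also get the following fields:" starts lowercase, and `proto - transport protocol` under weird/notice duplicates the conn field `proto - transport layer protocol of the connection` with different wording; align the two descriptions.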