"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "doc/reference/snort_reference.text" between
snort3-3.1.28.0.tar.gz and snort3-3.1.29.0.tar.gz

About: Snort 3 is a network intrusion prevention and detection system (IDS/IPS) combining the benefits of signature, protocol and anomaly-based inspection.

snort_reference.text  (snort3-3.1.28.0):snort_reference.text  (snort3-3.1.29.0)
--------------------------------------------------------------------- ---------------------------------------------------------------------
Snort 3 Reference Manual Snort 3 Reference Manual
--------------------------------------------------------------------- ---------------------------------------------------------------------
The Snort Team The Snort Team
Revision History Revision History
Revision 3.1.28.0 2022-04-25 10:44:49 EDT TST Revision 3.1.29.0 2022-05-04 08:07:08 EDT TST
--------------------------------------------------------------------- ---------------------------------------------------------------------
Table of Contents Table of Contents
1. Help 1. Help
2. Basic Modules 2. Basic Modules
2.1. active 2.1. active
2.2. alerts 2.2. alerts
skipping to change at line 2480 skipping to change at line 2480
Help: back orifice detection Help: back orifice detection
Type: inspector (network) Type: inspector (network)
Usage: inspect Usage: inspect
Instance Type: multiton Instance Type: multiton
Rules: Rules:
* 105:1 (back_orifice) Back orifice traffic detected, unknown * 105:1 (back_orifice) Back Orifice traffic detected, unknown
direction direction
* 105:2 (back_orifice) Back orifice client traffic detected * 105:2 (back_orifice) Back Orifice client traffic detected
* 105:3 (back_orifice) Back orifice server traffic detected * 105:3 (back_orifice) Back Orifice server traffic detected
* 105:4 (back_orifice) Back orifice length field >= 1024 bytes * 105:4 (back_orifice) Back Orifice length field >= 1024 bytes
Peg counts: Peg counts:
* back_orifice.packets: total packets (sum) * back_orifice.packets: total packets (sum)
5.5. binder 5.5. binder
-------------- --------------
Help: configure processing based on CIDRs, ports, services, etc. Help: configure processing based on CIDRs, ports, services, etc.
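Review bot: the 105:1 to 105:4 titles change from "Back orifice" to "Back Orifice", which alters the msg text that alert consumers may match on; the GID:SID pairs are unchanged, so anything keyed on 105:1 through 105:4 keeps working, but the msg change is worth calling out in the change log for tooling that matches the string. The same four messages also appear under 11.7 Builtin Rules and are updated there consistently, so no mismatch is introduced between the module summary and the rule reference.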
skipping to change at line 3546 skipping to change at line 3546
* 121:8 (http2_inspect) HTTP/2 request missing required header * 121:8 (http2_inspect) HTTP/2 request missing required header
field field
* 121:9 (http2_inspect) HTTP/2 response has no status code * 121:9 (http2_inspect) HTTP/2 response has no status code
* 121:10 (http2_inspect) HTTP/2 CONNECT request with scheme or path * 121:10 (http2_inspect) HTTP/2 CONNECT request with scheme or path
* 121:11 (http2_inspect) error in HTTP/2 settings frame * 121:11 (http2_inspect) error in HTTP/2 settings frame
* 121:12 (http2_inspect) unknown parameter in HTTP/2 settings frame * 121:12 (http2_inspect) unknown parameter in HTTP/2 settings frame
* 121:13 (http2_inspect) invalid HTTP/2 frame sequence * 121:13 (http2_inspect) invalid HTTP/2 frame sequence
* 121:14 (http2_inspect) HTTP/2 dynamic table has more than 512 * 121:14 (http2_inspect) HTTP/2 dynamic table has more than 512
entries entries
* 121:15 (http2_inspect) HTTP/2 push promise frame with promised * 121:15 (http2_inspect) HTTP/2 push promise frame with promised
stream ID already in use. stream ID already in use
* 121:16 (http2_inspect) HTTP/2 padding length is bigger than frame * 121:16 (http2_inspect) HTTP/2 padding length is bigger than frame
data size data size
* 121:17 (http2_inspect) HTTP/2 pseudo-header after regular header * 121:17 (http2_inspect) HTTP/2 pseudo-header after regular header
* 121:18 (http2_inspect) HTTP/2 pseudo-header in trailers * 121:18 (http2_inspect) HTTP/2 pseudo-header in trailers
* 121:19 (http2_inspect) invalid HTTP/2 pseudo-header * 121:19 (http2_inspect) invalid HTTP/2 pseudo-header
* 121:20 (http2_inspect) HTTP/2 trailers without END_STREAM bit * 121:20 (http2_inspect) HTTP/2 trailers without END_STREAM bit
* 121:21 (http2_inspect) HTTP/2 push promise frame sent when * 121:21 (http2_inspect) HTTP/2 push promise frame sent when
prohibited by receiver prohibited by receiver
* 121:22 (http2_inspect) padding flag set on HTTP/2 frame with zero * 121:22 (http2_inspect) padding flag set on HTTP/2 frame with zero
length length
skipping to change at line 3696 skipping to change at line 3696
specifies the xff type headers to parse and consider in the same specifies the xff type headers to parse and consider in the same
order of preference as defined order of preference as defined
* bool http_inspect.request_body_app_detection = true: make HTTP/2 * bool http_inspect.request_body_app_detection = true: make HTTP/2
request message bodies available for application detection request message bodies available for application detection
(detection requires AppId) (detection requires AppId)
Rules: Rules:
* 119:1 (http_inspect) URI has percent-encoding of an unreserved * 119:1 (http_inspect) URI has percent-encoding of an unreserved
character character
* 119:2 (http_inspect) URI is percent encoded and the result is * 119:2 (http_inspect) URI contains double-encoded hexadecimal
percent encoded again characters
* 119:3 (http_inspect) URI has non-standard %u-style Unicode * 119:3 (http_inspect) URI has non-standard %u-style Unicode
encoding encoding
* 119:4 (http_inspect) URI has Unicode encodings containing bytes * 119:4 (http_inspect) URI has Unicode encodings containing bytes
that were not percent-encoded that were not percent-encoded
* 119:6 (http_inspect) URI has two-byte or three-byte UTF-8 * 119:6 (http_inspect) URI has two-byte or three-byte UTF-8
encoding encoding
* 119:7 (http_inspect) URI has unicode map code point encoding * 119:7 (http_inspect) URI has unicode map code point encoding
* 119:8 (http_inspect) URI path contains consecutive slash * 119:8 (http_inspect) URI path contains consecutive slash
characters characters
* 119:9 (http_inspect) backslash character appears in the path * 119:9 (http_inspect) backslash character appears in the path
portion of a URI. portion of a URI
* 119:10 (http_inspect) URI path contains /./ pattern repeating the * 119:10 (http_inspect) URI path contains /./ pattern repeating the
current directory current directory
* 119:11 (http_inspect) URI path contains /../ pattern moving up a * 119:11 (http_inspect) URI path contains /../ pattern moving up a
directory directory
* 119:12 (http_inspect) Tab character in HTTP start line * 119:12 (http_inspect) Tab character in HTTP start line
* 119:13 (http_inspect) HTTP start line or header line terminated * 119:13 (http_inspect) HTTP start line or header line terminated
by LF without a CR by LF without a CR
* 119:14 (http_inspect) Normalized URI includes character from * 119:14 (http_inspect) Normalized URI includes character from
bad_characters list bad_characters list
* 119:15 (http_inspect) URI path contains a segment that is longer * 119:15 (http_inspect) URI path contains a segment that is longer
skipping to change at line 3862 skipping to change at line 3862
* 119:265 (http_inspect) bad token in JavaScript * 119:265 (http_inspect) bad token in JavaScript
* 119:266 (http_inspect) unexpected script opening tag in * 119:266 (http_inspect) unexpected script opening tag in
JavaScript JavaScript
* 119:267 (http_inspect) unexpected script closing tag in * 119:267 (http_inspect) unexpected script closing tag in
JavaScript JavaScript
* 119:268 (http_inspect) JavaScript code under the external script * 119:268 (http_inspect) JavaScript code under the external script
tags tags
* 119:269 (http_inspect) script opening tag in a short form * 119:269 (http_inspect) script opening tag in a short form
* 119:270 (http_inspect) max number of unique JavaScript * 119:270 (http_inspect) max number of unique JavaScript
identifiers reached identifiers reached
* 119:271 (http_inspect) JavaScript bracket nesting is over * 119:271 (http_inspect) excessive JavaScript bracket nesting
capacity
* 119:272 (http_inspect) Consecutive commas in HTTP Accept-Encoding * 119:272 (http_inspect) Consecutive commas in HTTP Accept-Encoding
header header
* 119:273 (http_inspect) missed PDUs during JavaScript * 119:273 (http_inspect) missed PDUs during JavaScript
normalization normalization
* 119:274 (http_inspect) JavaScript scope nesting is over capacity * 119:274 (http_inspect) excessive JavaScript scope nesting
* 119:275 (http_inspect) HTTP/1 version other than 1.0 or 1.1 * 119:275 (http_inspect) HTTP/1 version other than 1.0 or 1.1
* 119:276 (http_inspect) HTTP version in start line is 0 * 119:276 (http_inspect) HTTP version in start line is 0
* 119:277 (http_inspect) HTTP version in start line is higher than * 119:277 (http_inspect) HTTP version in start line is higher than
1 1
* 119:278 (http_inspect) HTTP gzip body with the FEXTRA flag set * 119:278 (http_inspect) HTTP gzip body with the FEXTRA flag set
Peg counts: Peg counts:
* http_inspect.flows: HTTP connections inspected (sum) * http_inspect.flows: HTTP connections inspected (sum)
* http_inspect.scans: TCP segments scanned looking for HTTP * http_inspect.scans: TCP segments scanned looking for HTTP
skipping to change at line 11748 skipping to change at line 11747
* 256: dpx * 256: dpx
11.7. Builtin Rules 11.7. Builtin Rules
-------------- --------------
2:1 (output) tagged packet 2:1 (output) tagged packet
A tagged packet was logged. A tagged packet was logged.
105:1 (back_orifice) Back orifice traffic detected, unknown direction 105:1 (back_orifice) Back Orifice traffic detected, unknown direction
Back orifice traffic detected, unknown direction Back Orifice traffic detected, unknown direction
105:2 (back_orifice) Back orifice client traffic detected 105:2 (back_orifice) Back Orifice client traffic detected
Back orifice client traffic detected Back Orifice client traffic detected
105:3 (back_orifice) Back orifice server traffic detected 105:3 (back_orifice) Back Orifice server traffic detected
Back orifice server traffic detected Back Orifice server traffic detected
105:4 (back_orifice) Back orifice length field >= 1024 bytes 105:4 (back_orifice) Back Orifice length field >= 1024 bytes
Back orifice length field >= 1024 bytes Back Orifice length field >= 1024 bytes
106:1 (rpc_decode) fragmented RPC records 106:1 (rpc_decode) fragmented RPC records
Detected fragmented RPC records. Detected fragmented RPC records.
106:2 (rpc_decode) multiple RPC records 106:2 (rpc_decode) multiple RPC records
Detected multiple RPC records in the packet. Detected multiple RPC records in the packet.
106:3 (rpc_decode) large RPC record fragment 106:3 (rpc_decode) large RPC record fragment
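Review bot: each 105:x entry in 11.7 still uses the title as its own description (e.g. "Back Orifice traffic detected, unknown direction" followed by the identical sentence), so the capitalization fix touches both lines without adding any information; since these lines are being edited anyway, the description line could say what the inspector actually observed, such as what "unknown direction" means for 105:1 and why a length field >= 1024 bytes is flagged for 105:4, instead of repeating the title.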
skipping to change at line 12561 skipping to change at line 12560
The IPv6 mobility header includes an invalid value for the payload The IPv6 mobility header includes an invalid value for the payload
protocol field. protocol field.
119:1 (http_inspect) URI has percent-encoding of an unreserved 119:1 (http_inspect) URI has percent-encoding of an unreserved
character character
URI has percent encoding of an unreserved character. The URI has percent encoding of an unreserved character. The
ignore_unreserved option designates specific unreserved characters ignore_unreserved option designates specific unreserved characters
that are exempted from triggering this alert. that are exempted from triggering this alert.
119:2 (http_inspect) URI is percent encoded and the result is percent 119:2 (http_inspect) URI contains double-encoded hexadecimal
encoded again characters
URI is percent encoded and the result is percent encoded again. This URI contains double-encoded hexadecimal characters. This alert can
alert can only be generated if the iis_double_decode option is only be generated if the iis_double_decode option is configured.
configured.
119:3 (http_inspect) URI has non-standard %u-style Unicode encoding 119:3 (http_inspect) URI has non-standard %u-style Unicode encoding
URI has non-standard %u-style Unicode encoding. This alert can only URI has non-standard %u-style Unicode encoding. This alert can only
be generated if the percent_u option is configured. be generated if the percent_u option is configured.
119:4 (http_inspect) URI has Unicode encodings containing bytes that 119:4 (http_inspect) URI has Unicode encodings containing bytes that
were not percent-encoded were not percent-encoded
URI has Unicode encodings containing bytes that were not URI has Unicode encodings containing bytes that were not
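Review bot: the new 119:2 wording "URI contains double-encoded hexadecimal characters" is less precise than the text it replaces, because "hexadecimal characters" does not say what is encoded twice, and the description line now just repeats the title. The old sentence ("URI is percent encoded and the result is percent encoded again") described the condition exactly and pairs naturally with the iis_double_decode caveat that follows; suggest keeping it as the description even if the title is shortened, or saying "double percent-encoded" in the title so the check is clear from the alert alone.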
skipping to change at line 12599 skipping to change at line 12597
normalized through the unicode map to some byte other than 0xFF. This normalized through the unicode map to some byte other than 0xFF. This
alert can only be generated if the iis_unicode option is configured. alert can only be generated if the iis_unicode option is configured.
119:8 (http_inspect) URI path contains consecutive slash characters 119:8 (http_inspect) URI path contains consecutive slash characters
URI path contains consecutive slash characters which are redundant. URI path contains consecutive slash characters which are redundant.
This alert can only be generated if the simplify_path option is This alert can only be generated if the simplify_path option is
configured. configured.
119:9 (http_inspect) backslash character appears in the path portion 119:9 (http_inspect) backslash character appears in the path portion
of a URI. of a URI
The backslash character appears in the path portion of a URI. This The backslash character appears in the path portion of a URI. This
alert can only be generated if the backslash_to_slash option is alert can only be generated if the backslash_to_slash option is
configured. configured
119:10 (http_inspect) URI path contains /./ pattern repeating the 119:10 (http_inspect) URI path contains /./ pattern repeating the
current directory current directory
URI path contains "/./" pattern repeating the current directory. URI path contains "/./" pattern repeating the current directory.
Alternatively the path may end with "/." repeating the current Alternatively the path may end with "/." repeating the current
directory. This alert can only be generated if the simplify_path directory. This alert can only be generated if the simplify_path
option is configured. option is configured.
119:11 (http_inspect) URI path contains /../ pattern moving up a 119:11 (http_inspect) URI path contains /../ pattern moving up a
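Review bot: the 119:9 description in the right-hand column drops the sentence-ending period ("...backslash_to_slash option is configured" with no full stop), while the neighbouring 119:8 and 119:10 descriptions in the same hunk keep "configured."; the change was meant to strip the trailing period from the rule title, not from the description sentence, so the period should be restored there.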
skipping to change at line 13194 skipping to change at line 13192
JavaScript normalization includes identifier substitution, which JavaScript normalization includes identifier substitution, which
brings arbitrary JavaScript identifiers to a common form. Amount of brings arbitrary JavaScript identifiers to a common form. Amount of
unique identifiers to normalize is limited, for memory unique identifiers to normalize is limited, for memory
considerations, with http_inspect.js_norm_identifier_depth parameter. considerations, with http_inspect.js_norm_identifier_depth parameter.
When this threshold is reached, a corresponding alert is raised. This When this threshold is reached, a corresponding alert is raised. This
alert is not expected for typical network traffic and may be an alert is not expected for typical network traffic and may be an
indication that an attacker is trying to exhaust resources. This indication that an attacker is trying to exhaust resources. This
alert is raised by the enhanced JavaScript normalizer. alert is raised by the enhanced JavaScript normalizer.
119:271 (http_inspect) JavaScript bracket nesting is over capacity 119:271 (http_inspect) excessive JavaScript bracket nesting
In JavaScript, template literals can have substitutions, that in turn In JavaScript, template literals can have substitutions, that in turn
can have nested template literals, which requires a stack to track can have nested template literals, which requires a stack to track
for proper whitespace normalization. Also, the normalization tracks for proper whitespace normalization. Also, the normalization tracks
the current bracket scope, which requires a stack as well. When the the current bracket scope, which requires a stack as well. When the
depth of nesting exceeds limit set in depth of nesting exceeds limit set in
http_inspect.js_norm_max_tmpl_nest or in http_inspect.js_norm_max_tmpl_nest or in
http_inspect.js_norm_max_bracket_depth, this alert is raised. This http_inspect.js_norm_max_bracket_depth, this alert is raised. This
alert is not expected for typical network traffic and may be an alert is not expected for typical network traffic and may be an
indication that an attacker is trying to exhaust resources. This indication that an attacker is trying to exhaust resources. This
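Review bot: the new 119:271 title "excessive JavaScript bracket nesting" now hides one of the two conditions the description says it covers; the paragraph states the alert fires when either http_inspect.js_norm_max_tmpl_nest (template literal substitution nesting) or http_inspect.js_norm_max_bracket_depth (bracket scope) is exceeded, so a reader of the alert alone will not think to check the template-literal limit. Either name both cases in the title (e.g. "excessive JavaScript bracket or template literal nesting") or, if the two limits are to stay under one SID, keep the description's explicit mention of both parameters so the tuning path is obvious.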
skipping to change at line 13226 skipping to change at line 13224
This alert is raised for the following situation. During JavaScript This alert is raised for the following situation. During JavaScript
normalization middle PDUs can be missed and not normalized. Usually normalization middle PDUs can be missed and not normalized. Usually
it happens when rules have file_data and js_data ips options and it happens when rules have file_data and js_data ips options and
fast-pattern (FP) search is applying to file_data. Some PDUs don’t fast-pattern (FP) search is applying to file_data. Some PDUs don’t
match file_data FP search and JavaScript normalization won’t be match file_data FP search and JavaScript normalization won’t be
executed for these PDUs. The normalization of the following PDUs for executed for these PDUs. The normalization of the following PDUs for
inline/external scripts will be stopped for current request within inline/external scripts will be stopped for current request within
the flow. This alert is raised by the enhanced JavaScript normalizer. the flow. This alert is raised by the enhanced JavaScript normalizer.
119:274 (http_inspect) JavaScript scope nesting is over capacity 119:274 (http_inspect) excessive JavaScript scope nesting
To resolve variable names in JavaScript, a current stack of variable To resolve variable names in JavaScript, a current stack of variable
scopes has to be tracked. When the depth of nesting exceeds the limit scopes has to be tracked. When the depth of nesting exceeds the limit
set in http_inspect.js_norm_max_scope_depth, this alert is raised. set in http_inspect.js_norm_max_scope_depth, this alert is raised.
This alert is not expected for typical network traffic and may be an This alert is not expected for typical network traffic and may be an
indication that an attacker is trying to exhaust resources. This indication that an attacker is trying to exhaust resources. This
alert is raised by the enhanced JavaScript normalizer. alert is raised by the enhanced JavaScript normalizer.
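Review bot: the new 119:274 title "excessive JavaScript scope nesting" works because the description still names the governing limit, http_inspect.js_norm_max_scope_depth; the 119:273 paragraph at the top of this hunk, untouched by the change, still reads "fast-pattern (FP) search is applying to file_data" and "for current request within the flow", which should be "is applied to file_data" and "for the current request within the flow" while the surrounding text is being revised.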
119:275 (http_inspect) HTTP/1 version other than 1.0 or 1.1 119:275 (http_inspect) HTTP/1 version other than 1.0 or 1.1
skipping to change at line 13322 skipping to change at line 13320
121:13 (http2_inspect) invalid HTTP/2 frame sequence 121:13 (http2_inspect) invalid HTTP/2 frame sequence
Invalid HTTP/2 frame sequence. Frame type is not valid for current Invalid HTTP/2 frame sequence. Frame type is not valid for current
stream state. stream state.
121:14 (http2_inspect) HTTP/2 dynamic table has more than 512 entries 121:14 (http2_inspect) HTTP/2 dynamic table has more than 512 entries
HTTP/2 dynamic table has more than 512 entries HTTP/2 dynamic table has more than 512 entries
121:15 (http2_inspect) HTTP/2 push promise frame with promised stream 121:15 (http2_inspect) HTTP/2 push promise frame with promised stream
ID already in use. ID already in use
HTTP/2 push promise frame with promised stream ID already in use. HTTP/2 push promise frame with promised stream ID already in use
121:16 (http2_inspect) HTTP/2 padding length is bigger than frame 121:16 (http2_inspect) HTTP/2 padding length is bigger than frame
data size data size
HTTP/2 padding length is bigger than frame data size HTTP/2 padding length is bigger than frame data size
121:17 (http2_inspect) HTTP/2 pseudo-header after regular header 121:17 (http2_inspect) HTTP/2 pseudo-header after regular header
HTTP/2 pseudo-header after regular header HTTP/2 pseudo-header after regular header
 End of changes. 24 change blocks. 
31 lines changed or deleted 29 lines changed or added
