"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "doc/reference/snort_reference.text" between
snort3-3.1.29.0.tar.gz and snort3-3.1.30.0.tar.gz

About: Snort 3 is a network intrusion prevention and detection system (IDS/IPS) combining the benefits of signature, protocol and anomaly-based inspection.

snort_reference.text  (snort3-3.1.29.0):snort_reference.text  (snort3-3.1.30.0)
--------------------------------------------------------------------- ---------------------------------------------------------------------
Snort 3 Reference Manual Snort 3 Reference Manual
--------------------------------------------------------------------- ---------------------------------------------------------------------
The Snort Team The Snort Team
Revision History Revision History
Revision 3.1.29.0 2022-05-04 08:07:08 EDT TST Revision 3.1.30.0 2022-05-19 00:40:10 EDT TST
--------------------------------------------------------------------- ---------------------------------------------------------------------
Table of Contents Table of Contents
1. Help 1. Help
2. Basic Modules 2. Basic Modules
2.1. active 2.1. active
2.2. alerts 2.2. alerts
skipping to change at line 3653 skipping to change at line 3653
template literal nesting that enhanced javascript normalizer will template literal nesting that enhanced javascript normalizer will
process { 0:255 } process { 0:255 }
* int http_inspect.js_norm_max_bracket_depth = 256: maximum depth * int http_inspect.js_norm_max_bracket_depth = 256: maximum depth
of bracket nesting that enhanced JavaScript normalizer will of bracket nesting that enhanced JavaScript normalizer will
process { 1:65535 } process { 1:65535 }
* int http_inspect.js_norm_max_scope_depth = 256: maximum depth of * int http_inspect.js_norm_max_scope_depth = 256: maximum depth of
scope nesting that enhanced JavaScript normalizer will process { scope nesting that enhanced JavaScript normalizer will process {
1:65535 } 1:65535 }
* string http_inspect.js_norm_ident_ignore[].ident_name: name of * string http_inspect.js_norm_ident_ignore[].ident_name: name of
the identifier to ignore the identifier to ignore
* string http_inspect.js_norm_prop_ignore[].prop_name: name of the
object property to ignore
* int http_inspect.max_javascript_whitespaces = 200: maximum * int http_inspect.max_javascript_whitespaces = 200: maximum
consecutive whitespaces allowed within the JavaScript obfuscated consecutive whitespaces allowed within the JavaScript obfuscated
data { 1:65535 } data { 1:65535 }
* bit_list http_inspect.bad_characters: alert when any of specified * bit_list http_inspect.bad_characters: alert when any of specified
bytes are present in URI after percent decoding { 255 } bytes are present in URI after percent decoding { 255 }
* string http_inspect.ignore_unreserved: do not alert when the * string http_inspect.ignore_unreserved: do not alert when the
specified unreserved characters are percent-encoded in a specified unreserved characters are percent-encoded in a
URI.Unreserved characters are 0-9, a-z, A-Z, period, underscore, URI.Unreserved characters are 0-9, a-z, A-Z, period, underscore,
tilde, and minus. { (optional) } tilde, and minus. { (optional) }
* bool http_inspect.percent_u = false: normalize %uNNNN and %UNNNN * bool http_inspect.percent_u = false: normalize %uNNNN and %UNNNN
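Review bot: the added js_norm_prop_ignore[].prop_name entry says only "name of the object property to ignore" and does not state what ignoring means for the enhanced JavaScript normalizer. It uses the same wording as js_norm_ident_ignore[].ident_name directly above it, so the two cannot be told apart by their descriptions. Suggest adding a clause to each that says what the normalizer does with an ignored name, so that a reader can tell how the setting affects the normalized output.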
skipping to change at line 4455 skipping to change at line 4457
* int perf_monitor.max_file_size = 1073741824: files will be rolled * int perf_monitor.max_file_size = 1073741824: files will be rolled
over if they exceed this size { 4096:max53 } over if they exceed this size { 4096:max53 }
* int perf_monitor.flow_ports = 1023: maximum ports to track { * int perf_monitor.flow_ports = 1023: maximum ports to track {
0:65535 } 0:65535 }
* enum perf_monitor.output = file: output location for stats { file * enum perf_monitor.output = file: output location for stats { file
| console } | console }
* string perf_monitor.modules[].name: name of the module * string perf_monitor.modules[].name: name of the module
* string perf_monitor.modules[].pegs: list of statistics to track * string perf_monitor.modules[].pegs: list of statistics to track
or empty for all counters or empty for all counters
* enum perf_monitor.format = csv: output format for stats { csv | * enum perf_monitor.format = csv: output format for stats { csv |
text | json | flatbuffers } text | json }
* bool perf_monitor.summary = false: output summary at shutdown * bool perf_monitor.summary = false: output summary at shutdown
Commands: Commands:
* perf_monitor.enable_flow_ip_profiling(seconds, packets): enable * perf_monitor.enable_flow_ip_profiling(seconds, packets): enable
statistics on host pairs statistics on host pairs
* perf_monitor.disable_flow_ip_profiling(): disable statistics on * perf_monitor.disable_flow_ip_profiling(): disable statistics on
host pairs host pairs
* perf_monitor.show_flow_ip_profiling(): show status of statistics * perf_monitor.show_flow_ip_profiling(): show status of statistics
on host pairs on host pairs
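Review bot: the perf_monitor.format line drops flatbuffers from the enum, which removes a previously documented value, and nothing in this hunk tells a reader upgrading from 3.1.29.0 that it is gone. A configuration that still sets format to flatbuffers no longer matches the documented set { csv | text | json }. Suggest a short removal note next to this entry or in the release notes, pointing at one of the remaining formats.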
skipping to change at line 8248 skipping to change at line 8250
configure --help. configure --help.
* --enable-shell: enable building local and remote command line * --enable-shell: enable building local and remote command line
shell support. shell support.
* --enable-tsc-clock: use the TSC register on x86 systems for * --enable-tsc-clock: use the TSC register on x86 systems for
improved performance of latency and profiler features. improved performance of latency and profiler features.
These options are built only if the required libraries and headers These options are built only if the required libraries and headers
are present. There is no need to explicitly enable. are present. There is no need to explicitly enable.
* flatbuffers: for an alternative perf_monitor logging format.
* hyperscan >= 4.4.0: for the regex and sd_pattern rule options and * hyperscan >= 4.4.0: for the regex and sd_pattern rule options and
the hyperscan search engine. the hyperscan search engine.
* iconv: for converting UTF16-LE filenames to UTF8 (usually * iconv: for converting UTF16-LE filenames to UTF8 (usually
included in glibc) included in glibc)
* libunwind: for printing a backtrace when a fatal signal is * libunwind: for printing a backtrace when a fatal signal is
received. received.
* lzma: for decompression of SWF and PDF files. * lzma: for decompression of SWF and PDF files.
* safec: for additional runtime error checking of some memory copy * safec: for additional runtime error checking of some memory copy
operations. operations.
If you need to use headers and/or libraries in non-standard If you need to use headers and/or libraries in non-standard
locations, you can use these options: locations, you can use these options:
* --with-pkg-includes: specify the directory containing the package * --with-pkg-includes: specify the directory containing the package
headers. headers.
* --with-pkg-libraries: specify the directory containing the * --with-pkg-libraries: specify the directory containing the
package libraries. package libraries.
These can be used for pcap, luajit, pcre, dnet, daq, lzma, openssl, These can be used for pcap, luajit, pcre, dnet, daq, lzma, openssl,
flatbuffers, iconv, and hyperscan packages. For more information on iconv, and hyperscan packages. For more information on these
these libraries see the Getting Started section of the manual. libraries see the Getting Started section of the manual.
11.2. Environment Variables 11.2. Environment Variables
-------------- --------------
* HOSTTYPE: optional string that is output with the version at end * HOSTTYPE: optional string that is output with the version at end
of line. of line.
* SNORT_IGNORE: the list of symbols Snort should ignore when * SNORT_IGNORE: the list of symbols Snort should ignore when
parsing the Lua conf. Unknown symbols not in SNORT_IGNORE will parsing the Lua conf. Unknown symbols not in SNORT_IGNORE will
cause warnings with --warn-unknown or fatals with --warn-unknown cause warnings with --warn-unknown or fatals with --warn-unknown
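Review bot: the sentence listing the packages that --with-pkg-includes and --with-pkg-libraries apply to loses flatbuffers, which is consistent with the removed bullet above it, but the edited list still omits libunwind and safec, both of which are named in the optional-library bullets of this same hunk. Since the sentence is being reflowed anyway, confirm whether those two packages also accept the options and either add them or state that the list is not exhaustive.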
skipping to change at line 9183 skipping to change at line 9184
the identifier to ignore the identifier to ignore
* int http_inspect.js_norm_max_bracket_depth = 256: maximum depth * int http_inspect.js_norm_max_bracket_depth = 256: maximum depth
of bracket nesting that enhanced JavaScript normalizer will of bracket nesting that enhanced JavaScript normalizer will
process { 1:65535 } process { 1:65535 }
* int http_inspect.js_norm_max_scope_depth = 256: maximum depth of * int http_inspect.js_norm_max_scope_depth = 256: maximum depth of
scope nesting that enhanced JavaScript normalizer will process { scope nesting that enhanced JavaScript normalizer will process {
1:65535 } 1:65535 }
* int http_inspect.js_norm_max_tmpl_nest = 32: maximum depth of * int http_inspect.js_norm_max_tmpl_nest = 32: maximum depth of
template literal nesting that enhanced javascript normalizer will template literal nesting that enhanced javascript normalizer will
process { 0:255 } process { 0:255 }
* string http_inspect.js_norm_prop_ignore[].prop_name: name of the
object property to ignore
* int http_inspect.maximum_chunk_length = 4294967295: maximum * int http_inspect.maximum_chunk_length = 4294967295: maximum
allowed length for a message body chunk { 0:4294967295 } allowed length for a message body chunk { 0:4294967295 }
* int http_inspect.maximum_host_length = -1: maximum allowed length * int http_inspect.maximum_host_length = -1: maximum allowed length
for Host header value (-1 no limit) { -1:max53 } for Host header value (-1 no limit) { -1:max53 }
* int http_inspect.max_javascript_whitespaces = 200: maximum * int http_inspect.max_javascript_whitespaces = 200: maximum
consecutive whitespaces allowed within the JavaScript obfuscated consecutive whitespaces allowed within the JavaScript obfuscated
data { 1:65535 } data { 1:65535 }
* bool http_inspect.normalize_javascript = false: use legacy * bool http_inspect.normalize_javascript = false: use legacy
normalizer to normalize JavaScript in response bodies normalizer to normalize JavaScript in response bodies
* bool http_inspect.normalize_utf = true: normalize charset utf * bool http_inspect.normalize_utf = true: normalize charset utf
skipping to change at line 9606 skipping to change at line 9609
* bool perf_monitor.base = true: enable base statistics * bool perf_monitor.base = true: enable base statistics
* bool perf_monitor.cpu = false: enable cpu statistics * bool perf_monitor.cpu = false: enable cpu statistics
* bool perf_monitor.flow = false: enable traffic statistics * bool perf_monitor.flow = false: enable traffic statistics
* bool perf_monitor.flow_ip = false: enable statistics on host * bool perf_monitor.flow_ip = false: enable statistics on host
pairs pairs
* int perf_monitor.flow_ip_memcap = 52428800: maximum memory in * int perf_monitor.flow_ip_memcap = 52428800: maximum memory in
bytes for flow tracking { 236:maxSZ } bytes for flow tracking { 236:maxSZ }
* int perf_monitor.flow_ports = 1023: maximum ports to track { * int perf_monitor.flow_ports = 1023: maximum ports to track {
0:65535 } 0:65535 }
* enum perf_monitor.format = csv: output format for stats { csv | * enum perf_monitor.format = csv: output format for stats { csv |
text | json | flatbuffers } text | json }
* int perf_monitor.max_file_size = 1073741824: files will be rolled * int perf_monitor.max_file_size = 1073741824: files will be rolled
over if they exceed this size { 4096:max53 } over if they exceed this size { 4096:max53 }
* string perf_monitor.modules[].name: name of the module * string perf_monitor.modules[].name: name of the module
* string perf_monitor.modules[].pegs: list of statistics to track * string perf_monitor.modules[].pegs: list of statistics to track
or empty for all counters or empty for all counters
* enum perf_monitor.output = file: output location for stats { file * enum perf_monitor.output = file: output location for stats { file
| console } | console }
* int perf_monitor.packets = 10000: minimum packets to report { * int perf_monitor.packets = 10000: minimum packets to report {
0:max32 } 0:max32 }
* int perf_monitor.seconds = 60: report interval { 0:max32 } * int perf_monitor.seconds = 60: report interval { 0:max32 }
 End of changes. 7 change blocks. 
6 lines changed or deleted 9 lines changed or added
