"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "doc/user/http_inspect.txt" between
snort3-3.1.29.0.tar.gz and snort3-3.1.30.0.tar.gz

About: Snort 3 is a network intrusion prevention and detection system (IDS/IPS) combining the benefits of signature, protocol and anomaly-based inspection.

http_inspect.txt  (snort3-3.1.29.0):http_inspect.txt  (snort3-3.1.30.0)
skipping to change at line 82 skipping to change at line 82
will be removed. will be removed.
===== Enhanced Normalizer ===== Enhanced Normalizer
Having ips option 'js_data' in the rules automatically enables Enhanced Having ips option 'js_data' in the rules automatically enables Enhanced
Normalizer. The Enhanced Normalizer can normalize inline/external scripts. Normalizer. The Enhanced Normalizer can normalize inline/external scripts.
It supports scripts over multiple PDUs. It is a stateful JavaScript whitespace It supports scripts over multiple PDUs. It is a stateful JavaScript whitespace
and identifiers normalizer. Normalizer concatenates string literals whenever and identifiers normalizer. Normalizer concatenates string literals whenever
it's possible to do. This also works with any other normalizations that result it's possible to do. This also works with any other normalizations that result
in string literals. All JavaScript identifier names, except those from in string literals. All JavaScript identifier names, except those from
the ignore list, will be substituted with unified names in the following the ignore lists, will be substituted with unified names in the following
format: var_0000 -> var_ffff. But the unescape-like function names will be remov ed format: var_0000 -> var_ffff. But the unescape-like function names will be remov ed
from the normalized data. The Normalizer tries to expand an escaped text, from the normalized data. The Normalizer tries to expand an escaped text,
so it will appear in a usual form in the output. Moreover, Normalizer validates so it will appear in a usual form in the output. Moreover, Normalizer validates
the syntax concerning ECMA-262 Standard, including scope tracking and restrictio ns the syntax concerning ECMA-262 Standard, including scope tracking and restrictio ns
for script elements. For more information on how additionally configure for script elements. For more information on how additionally configure
Enhanced Normalizer check with the following configuration options: Enhanced Normalizer check with the following configuration options:
js_norm_bytes_depth, js_norm_identifier_depth, js_norm_max_tmpl_nest, js_norm_bytes_depth, js_norm_identifier_depth, js_norm_max_tmpl_nest,
js_norm_max_bracket_depth, js_norm_max_scope_depth, js_norm_ident_ignore. js_norm_max_bracket_depth, js_norm_max_scope_depth, js_norm_ident_ignore,
js_norm_prop_ignore.
Eventually Enhanced Normalizer will completely replace Legacy Normalizer. Eventually Enhanced Normalizer will completely replace Legacy Normalizer.
==== Configuration ==== Configuration
Configuration can be as simple as adding: Configuration can be as simple as adding:
http_inspect = {} http_inspect = {}
to your snort.lua file. The default configuration provides a thorough to your snort.lua file. The default configuration provides a thorough
inspection and may be all that you need. But there are some options that inspection and may be all that you need. But there are some options that
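Review bot: the sentence at "For more information on how additionally configure Enhanced Normalizer check with the following configuration options:" is missing "to" and reads awkwardly now that js_norm_prop_ignore is appended to its list; suggest "For more information on how to additionally configure the Enhanced Normalizer, check the following configuration options:". In the same hunk, "except those from the ignore lists" was pluralized without saying which lists are meant, while the sentence is about identifier names and the newly added option concerns object properties and methods; naming both lists explicitly, e.g. "except those from the js_norm_ident_ignore and js_norm_prop_ignore lists", would keep the paragraph consistent with the new option.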
skipping to change at line 287 skipping to change at line 288
var a = console.log var a = console.log
a("hello") // will be substituted to 'console.log("hello")' a("hello") // will be substituted to 'console.log("hello")'
The default list of ignore-identifiers is present in "snort_defaults.lua". The default list of ignore-identifiers is present in "snort_defaults.lua".
Unescape function names should remain intact in the output. They ought to be Unescape function names should remain intact in the output. They ought to be
included in the ignore list. If for some reason the user wants to disable unesca pe included in the ignore list. If for some reason the user wants to disable unesca pe
related features, then removing function's name from the ignore list does the tr ick. related features, then removing function's name from the ignore list does the tr ick.
===== js_norm_prop_ignore
js_norm_prop_ignore = {<list of ignored properties>} is an option of the enhance
d
JavaScript normalizer that defines a list of object properties and methods that
will be kept intact during the identifiers normalization. This list should inclu
de
methods and properties of objects that will not be tracked by assignment substit
ution
functionality, for example, those that can be created implicitly.
Subsequent accessors, after dot, in square brackets or after function call, will
not be
normalized as well.
For example:
http_inspect.js_norm_prop_ignore = { 'split' }
in: "string".toUpperCase().split("").reverse().join("");
out: "string".var_0000().split("").reverse().join("");
The default list of ignored properties is present in "snort_defaults.lua".
===== xff_headers ===== xff_headers
This configuration supports defining custom x-forwarded-for type headers. In a This configuration supports defining custom x-forwarded-for type headers. In a
multi-vendor world, it is quite possible that the header name carrying the multi-vendor world, it is quite possible that the header name carrying the
original client IP could be vendor-specific. This is due to the absence original client IP could be vendor-specific. This is due to the absence
of standardization which would otherwise standardize the header name. of standardization which would otherwise standardize the header name.
In such a scenario, this configuration provides a way with which such headers In such a scenario, this configuration provides a way with which such headers
can be introduced to HI. The default value of this configuration can be introduced to HI. The default value of this configuration
is "x-forwarded-for true-client-ip". The default definition introduces the is "x-forwarded-for true-client-ip". The default definition introduces the
two commonly known headers and is preferred in the same order by the two commonly known headers and is preferred in the same order by the
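Review bot: the worked example under "js_norm_prop_ignore" renames toUpperCase to var_0000 because the configuration assigns the list to only { 'split' }, but the section never states whether assigning http_inspect.js_norm_prop_ignore replaces the default list from "snort_defaults.lua" or extends it; a reader who wants to keep the defaults and add one entry needs that stated, and a one-line remark next to "The default list of ignored properties is present in "snort_defaults.lua"." would settle it. Two smaller points in the same hunk: "will not be normalized as well" should read "will also not be normalized", and "for example, those that can be created implicitly" leaves the reader guessing what is meant; one concrete property name would make the guidance on what belongs in the list actionable.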
 End of changes. 3 change blocks. 
2 lines changed or deleted 27 lines changed or added
