"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "doc/user/snort_user.text" between
snort3-3.1.29.0.tar.gz and snort3-3.1.30.0.tar.gz

About: Snort 3 is a network intrusion prevention and detection system (IDS/IPS) combining the benefits of signature, protocol and anomaly-based inspection.

snort_user.text  (snort3-3.1.29.0):snort_user.text  (snort3-3.1.30.0)
--------------------------------------------------------------------- ---------------------------------------------------------------------
Snort 3 User Manual Snort 3 User Manual
--------------------------------------------------------------------- ---------------------------------------------------------------------
The Snort Team The Snort Team
Revision History Revision History
Revision 3.1.29.0 2022-05-04 08:06:54 EDT TST Revision 3.1.30.0 2022-05-19 00:39:56 EDT TST
--------------------------------------------------------------------- ---------------------------------------------------------------------
Table of Contents Table of Contents
1. Overview 1. Overview
1.1. First Steps 1.1. First Steps
1.2. Configuration 1.2. Configuration
1.3. Output 1.3. Output
skipping to change at line 118 skipping to change at line 118
* Hyperscan support * Hyperscan support
* Rewritten TCP handling * Rewritten TCP handling
* New rule parser and syntax * New rule parser and syntax
* Service rules like alert http * Service rules like alert http
* Rule "sticky" buffers * Rule "sticky" buffers
* Way better SO rules * Way better SO rules
* New HTTP inspector * New HTTP inspector
* New performance monitor * New performance monitor
* New time and space profiling * New time and space profiling
* New latency monitoring and enforcement * New latency monitoring and enforcement
* Piglets to facilitate component testing
* Inspection Events * Inspection Events
* Autogenerate reference documentation * Autogenerate reference documentation
Additional features are on the road map: Additional features are on the road map:
* Use a shared network map * Use a shared network map
* Support hardware offload for fast pattern acceleration * Support hardware offload for fast pattern acceleration
* Provide support for DPDK and ODP * Provide support for DPDK and ODP
* Support pipelining of packet processing * Support pipelining of packet processing
* Support proxy mode * Support proxy mode
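Review bot: dropping the "Piglets to facilitate component testing" bullet from the feature list is only consistent if the piglet harness is no longer shipped or documented; if any other part of the manual (or the command-line help) still describes piglets, that text should be removed or the bullet kept so the overview and the rest of the document agree.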
skipping to change at line 618 skipping to change at line 617
-------------- --------------
Modules are the building blocks of Snort. They encapsulate the types Modules are the building blocks of Snort. They encapsulate the types
of data that many components need including parameters, peg counts, of data that many components need including parameters, peg counts,
profiling, builtin rules, and commands. This allows Snort to handle profiling, builtin rules, and commands. This allows Snort to handle
them generically and consistently. You can learn quite a lot about them generically and consistently. You can learn quite a lot about
any given module from the command line. For example, to see what any given module from the command line. For example, to see what
stream_tcp is all about, do this: stream_tcp is all about, do this:
$ snort --help-config stream_tcp $ snort --help-module stream_tcp
Modules are configured using Lua tables with the same name. So the Modules are configured using Lua tables with the same name. So the
stream_tcp module is configured with defaults like this: stream_tcp module is configured with defaults like this:
stream_tcp = { } stream_tcp = { }
The earlier help output showed that the default session tracking The earlier help output showed that the default session tracking
timeout is 30 seconds. To change that to 60 seconds, you can timeout is 30 seconds. To change that to 60 seconds, you can
configure it this way: configure it this way:
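Review bot: the switch from `--help-config stream_tcp` to `--help-module stream_tcp` fits the paragraph better, since the module help also lists the peg counts, builtin rules and commands that the preceding sentences say a module encapsulates, while `--help-config` shows only the parameters. The following sentence ("The earlier help output showed that the default session tracking timeout is 30 seconds") still holds, as the module help prints each parameter with its default, so the change is self-consistent.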
skipping to change at line 1008 skipping to change at line 1007
recommended) recommended)
Optional: Optional:
* asciidoc from http://www.methods.co.nz/asciidoc/ to build the * asciidoc from http://www.methods.co.nz/asciidoc/ to build the
HTML manual HTML manual
* cpputest from http://cpputest.github.io to run additional unit * cpputest from http://cpputest.github.io to run additional unit
tests with make check tests with make check
* dblatex from http://dblatex.sourceforge.net to build the pdf * dblatex from http://dblatex.sourceforge.net to build the pdf
manual (in addition to asciidoc) manual (in addition to asciidoc)
* flatbuffers from https://google.github.io/flatbuffers/ for
enabling the flatbuffers serialization format
* hyperscan >= 4.4.0 from https://github.com/01org/hyperscan to * hyperscan >= 4.4.0 from https://github.com/01org/hyperscan to
build new the regex and sd_pattern rule options and hyperscan build new the regex and sd_pattern rule options and hyperscan
search engine. Hyperscan is large so it recommended to follow search engine. Hyperscan is large so it recommended to follow
their instructions for building it as a shared library. their instructions for building it as a shared library.
* iconv from https://ftp.gnu.org/pub/gnu/libiconv/ for converting * iconv from https://ftp.gnu.org/pub/gnu/libiconv/ for converting
UTF16-LE filenames to UTF8 (usually included in glibc) UTF16-LE filenames to UTF8 (usually included in glibc)
* libunwind from https://www.nongnu.org/libunwind/ to attempt to * libunwind from https://www.nongnu.org/libunwind/ to attempt to
dump a somewhat readable backtrace when a fatal signal is dump a somewhat readable backtrace when a fatal signal is
received received
* lzma >= 5.1.2 from http://tukaani.org/xz/ for decompression of * lzma >= 5.1.2 from http://tukaani.org/xz/ for decompression of
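Review bot: removing the flatbuffers entry from the optional dependencies should be paired with removal of the corresponding build option and of every other mention of the Flatbuffers output path in this manual, otherwise readers will look for a dependency that the build no longer uses. While touching this list, the unchanged hyperscan line has a word-order slip, "to build new the regex and sd_pattern rule options", which should read "to build the new regex and sd_pattern rule options", and "so it recommended" should be "so it is recommended"; the 01org GitHub URL also points at the old organization for Hyperscan.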
skipping to change at line 3856 skipping to change at line 3853
Normalizer, Legacy Normalizer will be removed. Normalizer, Legacy Normalizer will be removed.
5.10.2.2. Enhanced Normalizer 5.10.2.2. Enhanced Normalizer
Having ips option js_data in the rules automatically enables Enhanced Having ips option js_data in the rules automatically enables Enhanced
Normalizer. The Enhanced Normalizer can normalize inline/external Normalizer. The Enhanced Normalizer can normalize inline/external
scripts. It supports scripts over multiple PDUs. It is a stateful scripts. It supports scripts over multiple PDUs. It is a stateful
JavaScript whitespace and identifiers normalizer. Normalizer JavaScript whitespace and identifiers normalizer. Normalizer
concatenates string literals whenever it’s possible to do. This also concatenates string literals whenever it’s possible to do. This also
works with any other normalizations that result in string literals. works with any other normalizations that result in string literals.
All JavaScript identifier names, except those from the ignore list, All JavaScript identifier names, except those from the ignore lists,
will be substituted with unified names in the following format: will be substituted with unified names in the following format:
var_0000 → var_ffff. But the unescape-like function names will be var_0000 → var_ffff. But the unescape-like function names will be
removed from the normalized data. The Normalizer tries to expand an removed from the normalized data. The Normalizer tries to expand an
escaped text, so it will appear in a usual form in the output. escaped text, so it will appear in a usual form in the output.
Moreover, Normalizer validates the syntax concerning ECMA-262 Moreover, Normalizer validates the syntax concerning ECMA-262
Standard, including scope tracking and restrictions for script Standard, including scope tracking and restrictions for script
elements. For more information on how additionally configure Enhanced elements. For more information on how additionally configure Enhanced
Normalizer check with the following configuration options: Normalizer check with the following configuration options:
js_norm_bytes_depth, js_norm_identifier_depth, js_norm_max_tmpl_nest, js_norm_bytes_depth, js_norm_identifier_depth, js_norm_max_tmpl_nest,
js_norm_max_bracket_depth, js_norm_max_scope_depth, js_norm_max_bracket_depth, js_norm_max_scope_depth,
js_norm_ident_ignore. Eventually Enhanced Normalizer will completely js_norm_ident_ignore, js_norm_prop_ignore. Eventually Enhanced
replace Legacy Normalizer. Normalizer will completely replace Legacy Normalizer.
5.10.3. Configuration 5.10.3. Configuration
Configuration can be as simple as adding: Configuration can be as simple as adding:
http_inspect = {} http_inspect = {}
to your snort.lua file. The default configuration provides a thorough to your snort.lua file. The default configuration provides a thorough
inspection and may be all that you need. But there are some options inspection and may be all that you need. But there are some options
that provide extra features, tweak how things are done, or conserve that provide extra features, tweak how things are done, or conserve
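Review bot: changing "ignore list" to "ignore lists" is correct now that js_norm_prop_ignore joins js_norm_ident_ignore, but the sentence that introduces the option list still reads "For more information on how additionally configure Enhanced Normalizer check with the following configuration options:"; suggest "For more information on how to further configure the Enhanced Normalizer, see the following configuration options:". The earlier "concatenates string literals whenever it's possible to do" would also read better as "whenever possible".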
skipping to change at line 4082 skipping to change at line 4079
a("hello") // will be substituted to 'console.log("hello")' a("hello") // will be substituted to 'console.log("hello")'
The default list of ignore-identifiers is present in The default list of ignore-identifiers is present in
"snort_defaults.lua". "snort_defaults.lua".
Unescape function names should remain intact in the output. They Unescape function names should remain intact in the output. They
ought to be included in the ignore list. If for some reason the user ought to be included in the ignore list. If for some reason the user
wants to disable unescape related features, then removing function’s wants to disable unescape related features, then removing function’s
name from the ignore list does the trick. name from the ignore list does the trick.
5.10.3.16. xff_headers 5.10.3.16. js_norm_prop_ignore
js_norm_prop_ignore = {<list of ignored properties>} is an option of
the enhanced JavaScript normalizer that defines a list of object
properties and methods that will be kept intact during the
identifiers normalization. This list should include methods and
properties of objects that will not be tracked by assignment
substitution functionality, for example, those that can be created
implicitly.
Subsequent accessors, after dot, in square brackets or after function
call, will not be normalized as well.
For example:
http_inspect.js_norm_prop_ignore = { 'split' }
in: "string".toUpperCase().split("").reverse().join("");
out: "string".var_0000().split("").reverse().join("");
The default list of ignored properties is present in
"snort_defaults.lua".
5.10.3.17. xff_headers
This configuration supports defining custom x-forwarded-for type This configuration supports defining custom x-forwarded-for type
headers. In a multi-vendor world, it is quite possible that the headers. In a multi-vendor world, it is quite possible that the
header name carrying the original client IP could be vendor-specific. header name carrying the original client IP could be vendor-specific.
This is due to the absence of standardization which would otherwise This is due to the absence of standardization which would otherwise
standardize the header name. In such a scenario, this configuration standardize the header name. In such a scenario, this configuration
provides a way with which such headers can be introduced to HI. The provides a way with which such headers can be introduced to HI. The
default value of this configuration is "x-forwarded-for default value of this configuration is "x-forwarded-for
true-client-ip". The default definition introduces the two commonly true-client-ip". The default definition introduces the two commonly
known headers and is preferred in the same order by the inspector as known headers and is preferred in the same order by the inspector as
they are defined, e.g "x-forwarded-for" will be preferred than they are defined, e.g "x-forwarded-for" will be preferred than
"true-client-ip" if both headers are present in the stream. The "true-client-ip" if both headers are present in the stream. The
header names should be delimited by a space. header names should be delimited by a space.
5.10.3.17. maximum_host_length 5.10.3.18. maximum_host_length
Setting maximum_host_length causes http_inspect to generate 119:25 if Setting maximum_host_length causes http_inspect to generate 119:25 if
the Host header value including optional white space exceeds the the Host header value including optional white space exceeds the
specified length. In the abnormal case of multiple Host headers, the specified length. In the abnormal case of multiple Host headers, the
total length of the combined values is used. The default value is -1, total length of the combined values is used. The default value is -1,
meaning do not perform this check. meaning do not perform this check.
5.10.3.18. maximum_chunk_length 5.10.3.19. maximum_chunk_length
http_inspect strictly limits individual chunks within a chunked http_inspect strictly limits individual chunks within a chunked
message body to be less than four gigabytes. message body to be less than four gigabytes.
A lower limit may be configured by setting maximum_chunk_length. Any A lower limit may be configured by setting maximum_chunk_length. Any
chunk longer than maximum chunk length will generate a 119:16 alert. chunk longer than maximum chunk length will generate a 119:16 alert.
5.10.3.19. URI processing 5.10.3.20. URI processing
Normalization and inspection of the URI in the HTTP request message Normalization and inspection of the URI in the HTTP request message
is a key aspect of what http_inspect does. The best way to normalize is a key aspect of what http_inspect does. The best way to normalize
a URI is very dependent on the idiosyncrasies of the HTTP server a URI is very dependent on the idiosyncrasies of the HTTP server
being accessed. The goal is to interpret the URI the same way as the being accessed. The goal is to interpret the URI the same way as the
server will so that nothing the server will see can be hidden from server will so that nothing the server will see can be hidden from
the rule engine. the rule engine.
The default URI inspection parameters are oriented toward following The default URI inspection parameters are oriented toward following
the HTTP RFCs—reading the URI the way the standards say it should be the HTTP RFCs—reading the URI the way the standards say it should be
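Review bot: the example `http_inspect.js_norm_prop_ignore = { 'split' }` replaces the whole property ignore list rather than adding to it (a Lua table assignment overwrites the previous value), so a reader who copies it loses the default list from "snort_defaults.lua" that the section then points to; say explicitly that the example is illustrative and that a deployment should extend the default table instead. Two smaller points in the new text: "will not be normalized as well" should be "will not be normalized either", and the example is worth one more sentence explaining why `toUpperCase` becomes `var_0000` while `reverse` and `join` survive (only accessors after the ignored property are left intact). In the renumbered xff_headers section, "will be preferred than" should be "will be preferred over".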
skipping to change at line 5075 skipping to change at line 5095
processing thread. processing thread.
To enable: To enable:
perf_monitor = { cpu = true } perf_monitor = { cpu = true }
5.14.6. Formatters 5.14.6. Formatters
Performance monitor allows statistics to be output in a few formats. Performance monitor allows statistics to be output in a few formats.
Along with human readable text (as seen at shutdown) and csv formats, Along with human readable text (as seen at shutdown) and csv formats,
a Flatbuffers binary format is also available if Flatbuffers is a JSON format format is also available.
present at build. A utility for accessing the statistics generated in
this format has been included for convenience (see fbstreamer in
tools). This tool generates a YAML array of records found, allowing
the data to be read by humans or passed into other analysis tools.
For information on working directly with the Flatbuffers file format
used by Performance monitor, see the developer notes for Performance
monitor or the code provided for fbstreamer.
5.15. POP and IMAP 5.15. POP and IMAP
-------------- --------------
POP inspector is a service inspector for POP3 protocol and IMAP POP inspector is a service inspector for POP3 protocol and IMAP
inspector is for IMAP4 protocol. inspector is for IMAP4 protocol.
5.15.1. Overview 5.15.1. Overview
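Review bot: the replacement sentence contains a doubled word, "a JSON format format is also available"; it should read "a JSON format is also available". Since the paragraph no longer explains how to pick an output format now that the fbstreamer material is gone, consider naming the perf_monitor setting that selects text, csv or JSON output so the section is still actionable on its own.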
skipping to change at line 5483 skipping to change at line 5496
sd_pattern:"This is a string literal", threshold 300; sd_pattern:"This is a string literal", threshold 300;
This example requires 300 matches of the pattern "This is a string This example requires 300 matches of the pattern "This is a string
literal" to qualify as a positive match. That is, if the string only literal" to qualify as a positive match. That is, if the string only
occurred 299 times in a packet, you will not see an event. occurred 299 times in a packet, you will not see an event.
5.17.2.3. Obfuscating Credit Cards and Social Security Numbers 5.17.2.3. Obfuscating Credit Cards and Social Security Numbers
Snort provides discreet logging for the built in patterns Snort provides discreet logging for the built in patterns
"credit_card", "us_social" and "us_social_nodashes". Enabling "credit_card", "us_social" and "us_social_nodashes". Enabling
output.obfuscate_pii makes Snort obfuscate the suspect packet payload ips.obfuscate_pii makes Snort obfuscate the suspect packet payload
which was matched by the patterns. This configuration is disabled by which was matched by the patterns. This configuration is disabled by
default. default.
output = ips =
{ {
obfuscate_pii = true obfuscate_pii = true
} }
5.17.3. Example 5.17.3. Example
A complete Snort IPS rule A complete Snort IPS rule
alert tcp ( sid:1; msg:"Credit Card"; sd_pattern:"credit_card"; ) alert tcp ( sid:1; msg:"Credit Card"; sd_pattern:"credit_card"; )
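Review bot: moving obfuscate_pii from the output table to the ips table in both the prose and the Lua snippet is consistent within this section, but the same rename must be applied wherever else the manual references `output.obfuscate_pii` (module parameter reference, sample configurations), otherwise a user following the older text will set a parameter the output module no longer accepts.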
 End of changes. 13 change blocks. 
22 lines changed or deleted 35 lines changed or added
