"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "doc/reference/snort_reference.text" between
snort3-3.1.36.0.tar.gz and snort3-3.1.38.0.tar.gz

About: Snort 3 is a network intrusion prevention and detection system (IDS/IPS) combining the benefits of signature, protocol and anomaly-based inspection.

snort_reference.text  (snort3-3.1.36.0):snort_reference.text  (snort3-3.1.38.0)
--------------------------------------------------------------------- ---------------------------------------------------------------------
Snort 3 Reference Manual Snort 3 Reference Manual
--------------------------------------------------------------------- ---------------------------------------------------------------------
The Snort Team The Snort Team
Revision History Revision History
Revision 3.1.36.0 2022-07-14 13:46:25 EDT TST Revision 3.1.38.0 2022-07-28 09:09:42 EDT TST
--------------------------------------------------------------------- ---------------------------------------------------------------------
Table of Contents Table of Contents
1. Help 1. Help
2. Basic Modules 2. Basic Modules
2.1. active 2.1. active
2.2. alerts 2.2. alerts
skipping to change at line 3575 skipping to change at line 3575
* 121:35 (http2_inspect) More than two HTTP/2 HPACK table size * 121:35 (http2_inspect) More than two HTTP/2 HPACK table size
updates in a single header block updates in a single header block
* 121:36 (http2_inspect) HTTP/2 HPACK table size update exceeds max * 121:36 (http2_inspect) HTTP/2 HPACK table size update exceeds max
value set by decoder in SETTINGS frame value set by decoder in SETTINGS frame
* 121:37 (http2_inspect) Nonempty HTTP/2 Data frame where message * 121:37 (http2_inspect) Nonempty HTTP/2 Data frame where message
body not expected body not expected
* 121:38 (http2_inspect) HTTP/2 non-Data frame longer than 63780 * 121:38 (http2_inspect) HTTP/2 non-Data frame longer than 63780
bytes bytes
* 121:39 (http2_inspect) not HTTP/2 traffic or unrecoverable HTTP/2 * 121:39 (http2_inspect) not HTTP/2 traffic or unrecoverable HTTP/2
protocol error protocol error
* 121:40 (http2_inspect) invalid HTTP/2 PRIORITY frame
* 121:41 (http2_inspect) invalid HTTP/2 GOAWAY frame
Peg counts: Peg counts:
* http2_inspect.flows: HTTP/2 connections inspected (sum) * http2_inspect.flows: HTTP/2 connections inspected (sum)
* http2_inspect.concurrent_sessions: total concurrent HTTP/2 * http2_inspect.concurrent_sessions: total concurrent HTTP/2
sessions (now) sessions (now)
* http2_inspect.max_concurrent_sessions: maximum concurrent HTTP/2 * http2_inspect.max_concurrent_sessions: maximum concurrent HTTP/2
sessions (max) sessions (max)
* http2_inspect.max_table_entries: maximum entries in an HTTP/2 * http2_inspect.max_table_entries: maximum entries in an HTTP/2
dynamic table (max) dynamic table (max)
skipping to change at line 5328 skipping to change at line 5330
* bool stream.ip_frags_only = false: don’t process non-frag flows * bool stream.ip_frags_only = false: don’t process non-frag flows
* int stream.max_flows = 476288: maximum simultaneous flows tracked * int stream.max_flows = 476288: maximum simultaneous flows tracked
before pruning { 2:max32 } before pruning { 2:max32 }
* int stream.pruning_timeout = 30: minimum inactive time before * int stream.pruning_timeout = 30: minimum inactive time before
being eligible for pruning { 1:max32 } being eligible for pruning { 1:max32 }
* int stream.held_packet_timeout = 1000: timeout in milliseconds * int stream.held_packet_timeout = 1000: timeout in milliseconds
for held packets { 1:max32 } for held packets { 1:max32 }
* int stream.ip_cache.idle_timeout = 180: maximum inactive time * int stream.ip_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 } before retiring session tracker { 1:max32 }
* int stream.ip_cache.cap_weight = 0: additional bytes to track per
flow for better estimation against cap { 0:65535 }
* int stream.icmp_cache.idle_timeout = 180: maximum inactive time * int stream.icmp_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 } before retiring session tracker { 1:max32 }
* int stream.icmp_cache.cap_weight = 0: additional bytes to track
per flow for better estimation against cap { 0:65535 }
* int stream.tcp_cache.idle_timeout = 3600: maximum inactive time * int stream.tcp_cache.idle_timeout = 3600: maximum inactive time
before retiring session tracker { 1:max32 } before retiring session tracker { 1:max32 }
* int stream.tcp_cache.cap_weight = 11000: additional bytes to
track per flow for better estimation against cap { 0:65535 }
* int stream.udp_cache.idle_timeout = 180: maximum inactive time * int stream.udp_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 } before retiring session tracker { 1:max32 }
* int stream.udp_cache.cap_weight = 0: additional bytes to track
per flow for better estimation against cap { 0:65535 }
* int stream.user_cache.idle_timeout = 180: maximum inactive time * int stream.user_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 } before retiring session tracker { 1:max32 }
* int stream.user_cache.cap_weight = 0: additional bytes to track
per flow for better estimation against cap { 0:65535 }
* int stream.file_cache.idle_timeout = 180: maximum inactive time * int stream.file_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 } before retiring session tracker { 1:max32 }
* int stream.file_cache.cap_weight = 32: additional bytes to track
per flow for better estimation against cap { 0:65535 }
Rules: Rules:
* 135:1 (stream) TCP SYN received * 135:1 (stream) TCP SYN received
* 135:2 (stream) TCP session established * 135:2 (stream) TCP session established
* 135:3 (stream) TCP session cleared * 135:3 (stream) TCP session cleared
Peg counts: Peg counts:
* stream.flows: total sessions (sum) * stream.flows: total sessions (sum)
skipping to change at line 10388 skipping to change at line 10378
* implied ssl_version.sslv3: check for sslv3 * implied ssl_version.sslv3: check for sslv3
* implied ssl_version.!tls1.0: check for records that are not * implied ssl_version.!tls1.0: check for records that are not
tls1.0 tls1.0
* implied ssl_version.tls1.0: check for tls1.0 * implied ssl_version.tls1.0: check for tls1.0
* implied ssl_version.!tls1.1: check for records that are not * implied ssl_version.!tls1.1: check for records that are not
tls1.1 tls1.1
* implied ssl_version.tls1.1: check for tls1.1 * implied ssl_version.tls1.1: check for tls1.1
* implied ssl_version.!tls1.2: check for records that are not * implied ssl_version.!tls1.2: check for records that are not
tls1.2 tls1.2
* implied ssl_version.tls1.2: check for tls1.2 * implied ssl_version.tls1.2: check for tls1.2
* int stream.file_cache.cap_weight = 32: additional bytes to track
per flow for better estimation against cap { 0:65535 }
* int stream.file_cache.idle_timeout = 180: maximum inactive time * int stream.file_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 } before retiring session tracker { 1:max32 }
* bool stream_file.upload = false: indicate file transfer direction * bool stream_file.upload = false: indicate file transfer direction
* int stream.held_packet_timeout = 1000: timeout in milliseconds * int stream.held_packet_timeout = 1000: timeout in milliseconds
for held packets { 1:max32 } for held packets { 1:max32 }
* int stream.icmp_cache.cap_weight = 0: additional bytes to track
per flow for better estimation against cap { 0:65535 }
* int stream.icmp_cache.idle_timeout = 180: maximum inactive time * int stream.icmp_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 } before retiring session tracker { 1:max32 }
* int stream_icmp.session_timeout = 60: session tracking timeout { * int stream_icmp.session_timeout = 60: session tracking timeout {
1:max31 } 1:max31 }
* int stream.ip_cache.cap_weight = 0: additional bytes to track per
flow for better estimation against cap { 0:65535 }
* int stream.ip_cache.idle_timeout = 180: maximum inactive time * int stream.ip_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 } before retiring session tracker { 1:max32 }
* bool stream.ip_frags_only = false: don’t process non-frag flows * bool stream.ip_frags_only = false: don’t process non-frag flows
* int stream_ip.max_frags = 8192: maximum number of simultaneous * int stream_ip.max_frags = 8192: maximum number of simultaneous
fragments being tracked { 1:max32 } fragments being tracked { 1:max32 }
* int stream_ip.max_overlaps = 0: maximum allowed overlaps per * int stream_ip.max_overlaps = 0: maximum allowed overlaps per
datagram; 0 is unlimited { 0:max32 } datagram; 0 is unlimited { 0:max32 }
* int stream_ip.min_frag_length = 0: alert if fragment length is * int stream_ip.min_frag_length = 0: alert if fragment length is
below this limit before or after trimming { 0:65535 } below this limit before or after trimming { 0:65535 }
* int stream_ip.min_ttl = 1: discard fragments with TTL below the * int stream_ip.min_ttl = 1: discard fragments with TTL below the
skipping to change at line 10433 skipping to change at line 10417
disable|enable } disable|enable }
* enum stream_reassemble.direction: action applies to the given * enum stream_reassemble.direction: action applies to the given
direction(s) { client|server|both } direction(s) { client|server|both }
* implied stream_reassemble.fastpath: optionally trust the * implied stream_reassemble.fastpath: optionally trust the
remainder of the session remainder of the session
* implied stream_reassemble.noalert: don’t alert when rule matches * implied stream_reassemble.noalert: don’t alert when rule matches
* enum stream_size.~direction: compare applies to the given * enum stream_size.~direction: compare applies to the given
direction(s) { either|to_server|to_client|both } direction(s) { either|to_server|to_client|both }
* interval stream_size.~range: check if the stream size is in the * interval stream_size.~range: check if the stream size is in the
given range { 0: } given range { 0: }
* int stream.tcp_cache.cap_weight = 11000: additional bytes to
track per flow for better estimation against cap { 0:65535 }
* int stream.tcp_cache.idle_timeout = 3600: maximum inactive time * int stream.tcp_cache.idle_timeout = 3600: maximum inactive time
before retiring session tracker { 1:max32 } before retiring session tracker { 1:max32 }
* int stream_tcp.flush_factor = 0: flush upon seeing a drop in * int stream_tcp.flush_factor = 0: flush upon seeing a drop in
segment size after given number of non-decreasing segments { segment size after given number of non-decreasing segments {
0:65535 } 0:65535 }
* int stream_tcp.max_pdu = 16384: maximum reassembled PDU size { * int stream_tcp.max_pdu = 16384: maximum reassembled PDU size {
1460:32768 } 1460:32768 }
* int stream_tcp.max_window = 0: maximum allowed TCP window { * int stream_tcp.max_window = 0: maximum allowed TCP window {
0:1073725440 } 0:1073725440 }
* bool stream_tcp.no_ack = false: received data is implicitly acked * bool stream_tcp.no_ack = false: received data is implicitly acked
skipping to change at line 10472 skipping to change at line 10454
* int stream_tcp.session_timeout = 180: session tracking timeout { * int stream_tcp.session_timeout = 180: session tracking timeout {
1:max31 } 1:max31 }
* bool stream_tcp.show_rebuilt_packets = false: enable cmg like * bool stream_tcp.show_rebuilt_packets = false: enable cmg like
output of reassembled packets output of reassembled packets
* int stream_tcp.small_segments.count = 0: number of consecutive * int stream_tcp.small_segments.count = 0: number of consecutive
(in the received order) TCP small segments considered to be (in the received order) TCP small segments considered to be
excessive (129:12) { 0:2048 } excessive (129:12) { 0:2048 }
* int stream_tcp.small_segments.maximum_size = 0: minimum bytes for * int stream_tcp.small_segments.maximum_size = 0: minimum bytes for
a TCP segment not to be considered small (129:12) { 0:2048 } a TCP segment not to be considered small (129:12) { 0:2048 }
* bool stream_tcp.track_only = false: disable reassembly if true * bool stream_tcp.track_only = false: disable reassembly if true
* int stream.udp_cache.cap_weight = 0: additional bytes to track
per flow for better estimation against cap { 0:65535 }
* int stream.udp_cache.idle_timeout = 180: maximum inactive time * int stream.udp_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 } before retiring session tracker { 1:max32 }
* int stream_udp.session_timeout = 30: session tracking timeout { * int stream_udp.session_timeout = 30: session tracking timeout {
1:max31 } 1:max31 }
* int stream.user_cache.cap_weight = 0: additional bytes to track
per flow for better estimation against cap { 0:65535 }
* int stream.user_cache.idle_timeout = 180: maximum inactive time * int stream.user_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 } before retiring session tracker { 1:max32 }
* int stream_user.session_timeout = 60: session tracking timeout { * int stream_user.session_timeout = 60: session tracking timeout {
1:max31 } 1:max31 }
* int suppress[].gid = 0: rule generator ID { 0:max32 } * int suppress[].gid = 0: rule generator ID { 0:max32 }
* string suppress[].ip: restrict suppression to these addresses * string suppress[].ip: restrict suppression to these addresses
according to track according to track
* int suppress[].sid = 0: rule signature ID { 0:max32 } * int suppress[].sid = 0: rule signature ID { 0:max32 }
* enum suppress[].track: suppress only matching source or * enum suppress[].track: suppress only matching source or
destination addresses { by_src | by_dst } destination addresses { by_src | by_dst }
skipping to change at line 13533 skipping to change at line 13511
continuation frames. continuation frames.
121:39 (http2_inspect) not HTTP/2 traffic or unrecoverable HTTP/2 121:39 (http2_inspect) not HTTP/2 traffic or unrecoverable HTTP/2
protocol error protocol error
HTTP/2 inspector is unable to parse this flow. Either the connection HTTP/2 inspector is unable to parse this flow. Either the connection
is not actually using HTTP/2 or some sort of unrecoverable HTTP/2 is not actually using HTTP/2 or some sort of unrecoverable HTTP/2
protocol error has occurred. This conclusion applies only to one protocol error has occurred. This conclusion applies only to one
direction of the flow. The opposite direction may be OK. direction of the flow. The opposite direction may be OK.
121:40 (http2_inspect) invalid HTTP/2 PRIORITY frame
Invalid HTTP/2 PRIORITY frame. Stream ID is 0 or length is not 5.
121:41 (http2_inspect) invalid HTTP/2 GOAWAY frame
Invalid HTTP/2 GOAWAY frame. R bit is set or stream ID is not 0 or
length is less than 8.
122:1 (port_scan) TCP portscan 122:1 (port_scan) TCP portscan
Basic one host to one host TCP portscan where multiple TCP ports are Basic one host to one host TCP portscan where multiple TCP ports are
scanned on the destination host from a single host scanned on the destination host from a single host
122:2 (port_scan) TCP decoy portscan 122:2 (port_scan) TCP decoy portscan
Decoy TCP portscan where the real scanner’s host address was mixed Decoy TCP portscan where the real scanner’s host address was mixed
with multiple decoy hosts to connect to a single port multiple times with multiple decoy hosts to connect to a single port multiple times
 End of changes. 15 change blocks. 
25 lines changed or deleted 12 lines changed or added

Home  |  About  |  Features  |  All  |  Newest  |  Dox  |  Diffs  |  RSS Feeds  |  Screenshots  |  Comments  |  Imprint  |  Privacy  |  HTTP(S)